05-07-2021 09:36 AM
Hi guys, I should help a friend of mine with a small project but now my Packet Tracer memory is a bit out of date.
He should create a small network in a building, there are 5 floors: 4 offices (one per floor) and a secretariat (on the ground floor), from each office it must be possible to connect to the internet and contact the secretariat (and vice versa), it must not be possible to communicate between offices.
What do you recommend? I was thinking of using class C networks, I created a mini model on PT by putting 2 PCs and a switch per office with a router in the center.
My question is how do I comply with them?
05-07-2021 10:12 AM
Hello @Stefanokj ,
you are required to build a network where any to any connectivity is not permitted.
Each floor / office must be able to:
go to the internet
reach the secretariat subnet
but it is not allowed to speak with other offices.
Going to the internet = needs NAT (Network Address Translation)
We can use Private IP addresses from RFC 1918 like 192.168.X.0/24
Floor 1: 192.168.1.0/24
Floor 2: 192.168.2.0/24
Floor 3: 192.168.3.0/24
Floor 4: 192.168.4.0/24
For the Secretary network we can use another subnet like
192.168.17.0/24
We leave space for additional floors or offices
To avoid communication between offices we can use extended ACLs
Example:
For office 1:
access-list 101 remark for office 1
! traffic to the secretariat allowed
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
! traffic to other offices denied a single line matches all other offices
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.15.255
! traffic to internet allowed
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
on the router interface to office 1
interface gi0/0
description office 1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
A similar ACL should be configured for office 2 and so on.
In the real world we use VLANs and VLAN based subinterfaces to avoid the need of a dedicated interface for each subnet.
A router with VLAN based subinterfaces can connect to a switch where different VLANs are defined.
On the switch side you define the VLANs
For example the following ones
conf t
vlan 10
name office1
exit
vlan 20
name office2
exit
vlan 30
name office3
exit
vlan 40
name office4
exit
vlan 170
name secretary
exit
int gi0/24
desc to router:gi0/0
switchport
switchport mode trunk
switchport trunk allowed vlan 10,20,30,40,170
On the router side
interface gi0/0
desc to switch gi0/24
no ip address
interface gi0/0.10
enc dot1q 10
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
exit
interface gi0/0.20
enc dot1q 20
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
exit
interface gi0/0.30
enc dot1q 30
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
exit
interface gi0/0.40
enc dot1q 40
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in
exit
interface gi0/0.170
enc dot1q 170
ip address 192.168.17.1 255.255.255.0
exit
No ACL is needed on the subinterface for the secretariat as it can speak with anyone.
ACLs 102-104 are made like ACL 101 but the source address is changed to 192.168.2.0 0.0.0.255 for ACL 102, 192.168.3.0 0.0.0.255 for ACL 103 and so on.
Hope to help
Giuseppe
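Added example, not part of Giuseppe's answer: a small Python evaluator for the ACL 101 lines above, using IOS wildcard-mask semantics (0 bits must match, 1 bits are ignored) and first-match-wins with the implicit deny at the end, so the intended permit/deny per office flow can be checked before the config is loaded. The office_acl helper is hypothetical and builds ACLs 102-104 the way the answer describes; 203.0.113.7 is a constructed sample internet address.

```python
import ipaddress

# ACL 101 copied from the answer above (IOS syntax, remark included).
ACL_101 = """\
access-list 101 remark for office 1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.15.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def office_acl(number, office_net):
    """Hypothetical helper: ACLs 102-104 are ACL 101 with only the source changed."""
    src = f"{office_net} 0.0.0.255"
    return "\n".join([
        f"access-list {number} permit ip {src} 192.168.17.0 0.0.0.255",
        f"access-list {number} deny ip {src} 192.168.0.0 0.0.15.255",
        f"access-list {number} permit ip {src} any",
    ])

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return a & care == b & care

def _take(tokens):
    """'any' is shorthand for 0.0.0.0 255.255.255.255; otherwise read 'addr wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines; remark lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] == "remark":
            continue
        action, rest = tok[2], tok[4:]          # tok[3] is the protocol keyword 'ip'
        src, rest = _take(rest)
        dst, _ = _take(rest)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, (s, sw), (d, dw) in rules:
        if wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    for dst in ("192.168.17.5", "192.168.2.5", "203.0.113.7", "192.168.16.1"):
        print("192.168.1.10 ->", dst, evaluate(rules, "192.168.1.10", dst))
```

The last probe shows the boundary of the deny line: 192.168.0.0 0.0.15.255 covers 192.168.0.0 through 192.168.15.255, so an office later numbered 192.168.16.0/24 would fall through to the permit-any and needs its own deny entry. The implicit deny also drops packets whose source is not the office's own subnet, which is a useful side effect for a misconfigured host on that floor.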