
Design, configure and operate the IT infrastructure for a SMB (or a startup group) - Part 2

In this article we configure the network devices: the Cisco switches and the Sophos XG firewall. The simulation runs on VMware Workstation (the firewall VM) and Packet Tracer/GNS3 (the switches).

First of all, here is the diagram I built in Packet Tracer. It is quite similar to the one we discussed in the first part of this series. Today we focus on the Cisco switches and the Sophos XG firewall.




1. Cisco Switches

These are the commands needed on the CORE, SERVER and LAN switches, grouped by purpose. Where a step lists only the CORE switch, it is done on the CORE switch alone.

Rename the default hostname

  CORE switch:
    conf terminal
    hostname CORE-SW

  SERVER switch:
    conf terminal
    hostname SERVER-SW

  LAN/User switch:
    conf terminal
    hostname LAN-SW

Configure the trunk interfaces. The native VLAN must match on both ends of every trunk (a mismatch leaks untagged frames between VLANs and is what double-tagging VLAN-hopping relies on). Here VLAN 99 is both the native and the management VLAN, which is acceptable in a lab; in production prefer an unused VLAN as native so that management traffic stays tagged.

  CORE switch:
    interface range GigabitEthernet0/1 - 2
    switchport trunk native vlan 99
    switchport trunk encapsulation dot1q
    switchport mode trunk

  SERVER switch:
    interface GigabitEthernet0/1
    switchport trunk native vlan 99
    switchport mode trunk

  LAN/User switch:
    interface GigabitEthernet0/2
    switchport trunk native vlan 99
    switchport mode trunk

Configure VTP. The CORE switch is the VTP server; the other two are clients and receive the VLAN database from it. Treat "cisco" as a placeholder and use a strong password. Remember that any switch joining the domain with a higher configuration revision overwrites the VLAN database on every switch, so clear the VLAN database of a reused switch (delete flash:vlan.dat, then reload) before cabling it in, or run transparent mode and create the VLANs by hand.

  CORE switch:
    conf terminal
    vtp domain smb.net
    vtp version 2
    vtp password cisco
    vtp mode server

  SERVER switch:
    conf terminal
    vtp domain smb.net
    vtp version 2
    vtp password cisco
    vtp mode client

  LAN/User switch:
    conf terminal
    vtp domain smb.net
    vtp version 2
    vtp password cisco
    vtp mode client

Create the VLANs on the CORE switch only; VTP pushes them to the SERVER and LAN switches. The VLAN IDs match the SVIs and access ports configured below (VLAN 172 is the second server farm).

  CORE switch:
    conf terminal
    vlan 10
    name FARM1
    vlan 172
    name FARM2
    vlan 100
    name LAN1
    vlan 200
    name LAN2
    vlan 99
    name Management

Configure the VLAN interfaces (SVIs) and the routed link to the firewall on the CORE switch; on the SERVER and LAN switches configure the management SVI and the access ports. Note that a Catalyst Layer 3 switch does not route between its SVIs until ip routing is enabled, which the original command list omits. If you want to reach the two client switches from another subnet, also give them ip default-gateway 192.168.99.1.

  CORE switch:
    conf terminal
    ip routing
    interface vlan 99
    ip address 192.168.99.1 255.255.255.0
    interface vlan 10
    ip address 10.0.0.254 255.255.255.0
    interface vlan 172
    ip address 172.16.0.254 255.255.255.0
    interface vlan 100
    ip address 192.168.100.254 255.255.255.0
    interface vlan 200
    ip address 192.168.200.254 255.255.255.0
    interface FastEthernet0/1
    no switchport
    ip address 172.16.18.2 255.255.255.252

  SERVER switch:
    conf terminal
    interface vlan 99
    ip address 192.168.99.2 255.255.255.0
    interface range FastEthernet0/1 - 3
    switchport mode access
    switchport access vlan 10
    interface range FastEthernet0/11 - 12
    switchport mode access
    switchport access vlan 172

  LAN/User switch:
    conf terminal
    interface vlan 99
    ip address 192.168.99.3 255.255.255.0
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 100
    interface range FastEthernet0/2 - 3
    switchport mode access
    switchport access vlan 200

Configure DHCP pools for the LAN VLANs on the CORE switch, which is the default gateway for both.

  CORE switch:
    ip dhcp pool VLAN100
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.254
    dns-server 8.8.8.8
    ip dhcp pool VLAN200
    network 192.168.200.0 255.255.255.0
    default-router 192.168.200.254
    dns-server 8.8.8.8

Configure a default route on the CORE switch towards the firewall. The interface-only form below works in Packet Tracer, but on an Ethernet link it makes the switch ARP for every external destination and depends on the firewall answering with proxy ARP; the next-hop form ip route 0.0.0.0 0.0.0.0 172.16.18.1 avoids that and is what you should use on real hardware.

  CORE switch:
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1



The commands above are all that is needed to get the devices connected. After that, test the connectivity and the DHCP process to make sure the PCs in the LAN segment get correct IP addresses and can ping the servers.

- Test DHCP on a LAN PC: OK


- Test ping and traceroute from a LAN PC to the server farms and to the exit interface of the Core switch (172.16.18.2): OK


* Configure security features on Cisco switches (repeat on all three):

To secure privileged EXEC mode (enable secret is stored hashed; do not use the reversible enable password):

  conf t
  enable secret <your_secret_password>

To enable SSH and restrict remote management to it. The command is aaa new-model (not aaa-new model); aaa authentication login default local makes the vty lines authenticate against the local user database. The RSA key must be at least 768 bits for SSH version 2, so generate a 2048-bit one. Catalyst switches have vty lines 0 to 15, so configure all of them, otherwise lines 5 to 15 keep the default transport settings.

  conf t
  ip domain-name smb.net
  aaa new-model
  aaa authentication login default local
  username cisco secret <another_secret>
  crypto key generate rsa modulus 2048
  ip ssh time-out 60
  ip ssh authentication-retries 3
  ip ssh version 2
  line vty 0 15
  exec-timeout 10 0
  transport input ssh

transport input ssh replaces the whole list of allowed protocols, so a preceding no transport input is not needed; telnet is disabled either way.
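It is easy to forget one of these settings on one of the three switches. The following is an added example (my own Python, not code from the article or from Cisco) that parses a saved `show running-config` and flags the gaps: a missing enable secret, aaa new-model or ip ssh version 2, the placeholder VTP password, trunks left on native VLAN 1, access ports without switchport mode access, and vty lines that still accept telnet or never time out. The sample configuration inside it is constructed from this article's CORE-SW commands with several mistakes planted on purpose; the severity labels and the weak-password list are my own choices.

```python
"""Audit a Cisco IOS running-config for the hardening steps above.

Added example, not taken from the article or from Cisco. The sample
configuration is constructed from the article's CORE-SW commands with
several weaknesses planted on purpose; audit() reports them. Severity
labels and the weak-password list are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, where, message)

WEAK_PASSWORDS = {"cisco", "password", "admin", "secret", "smb"}

# Constructed sample: the article's commands, minus some of the hardening.
SAMPLE_CONFIG = """\
hostname CORE-SW
enable secret 5 <hash-redacted>
vtp domain smb.net
vtp version 2
vtp password cisco
vtp mode server
ip domain-name smb.net
username cisco secret 5 <hash-redacted>
ip ssh version 1
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport access vlan 100
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 200
 switchport port-security
!
line vty 0 4
 transport input telnet ssh
 login local
!
line vty 5 15
 transport input ssh
 login local
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and indented sections.

    A section starts at an unindented 'interface ...' or 'line ...' command
    and owns the indented lines that follow it; '!' separators are skipped.
    """
    globals_: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, sections


def has_cmd(lines: List[str], prefix: str) -> bool:
    return any(line.startswith(prefix) for line in lines)


def audit(text: str) -> List[Finding]:
    """Return the hardening findings for one switch's running-config."""
    g, sections = parse_config(text)
    findings: List[Finding] = []

    # Global hardening: the commands from the section above.
    if not has_cmd(g, "enable secret"):
        findings.append(("HIGH", "global", "no 'enable secret'"))
    if has_cmd(g, "enable password"):
        findings.append(("MEDIUM", "global", "'enable password' is reversible; keep only 'enable secret'"))
    if not has_cmd(g, "aaa new-model"):
        findings.append(("MEDIUM", "global", "'aaa new-model' missing"))
    if not has_cmd(g, "ip ssh version 2"):
        findings.append(("HIGH", "global", "SSH not pinned to version 2"))
    for line in g:
        m = re.match(r"vtp password (\S+)", line)
        if m and (m.group(1).lower() in WEAK_PASSWORDS or len(m.group(1)) < 8):
            findings.append(("MEDIUM", "global", f"weak VTP password '{m.group(1)}'; a rogue VTP server can rewrite the VLAN database"))

    # Per-interface and per-line checks.
    for name, lines in sections.items():
        if name.startswith("interface "):
            ifname = name.split(" ", 1)[1]
            if has_cmd(lines, "switchport mode trunk"):
                native = 1  # IOS default when no native VLAN is set
                for line in lines:
                    m = re.match(r"switchport trunk native vlan (\d+)", line)
                    if m:
                        native = int(m.group(1))
                if native == 1:
                    findings.append(("MEDIUM", ifname, "trunk on native VLAN 1; move it to an unused VLAN"))
            elif has_cmd(lines, "switchport access vlan"):
                if not has_cmd(lines, "switchport mode access"):
                    findings.append(("MEDIUM", ifname, "access port without 'switchport mode access'; DTP may negotiate a trunk"))
                if not has_cmd(lines, "switchport port-security"):
                    findings.append(("LOW", ifname, "no port-security on access port"))
        elif name.startswith("line vty"):
            transport = next((l for l in lines if l.startswith("transport input")), None)
            if transport is None:
                findings.append(("HIGH", name, "no 'transport input'; IOS default allows telnet"))
            elif "telnet" in transport or transport.endswith(" all"):
                findings.append(("HIGH", name, f"cleartext management allowed: '{transport}'"))
            if not has_cmd(lines, "exec-timeout"):
                findings.append(("LOW", name, "no 'exec-timeout'; idle sessions never expire"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:<6}] {where}: {message}")
```

Run it against the real running-config of each switch (copy the output of show running-config into a file and pass the text to audit()); anything rated HIGH is a management path that is still open in cleartext or unprotected.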



2. Sophos Firewall

System requirements

- CPU: 64-bit, 2 cores

- RAM: 2-6 GB (the Home edition uses at most 6 GB of RAM)

- at least 2 NICs


The installation itself is simple: follow the installer's prompts to the end.



Then configure the network interfaces (1) here:


Set up Port 3 (the g0/1 interface in the picture) as the inside interface facing the Core switch:


Do the same for the WAN interface (g0/0 in the picture).


After that we can reach the firewall's admin console at https://172.16.18.1:4444. The default username/password is admin/admin; change it before doing anything else, and allow admin access only from the inside interface (Port 3), never from the WAN. Then we can start configuring routing:


First check which networks the Core switch knows about (show ip route on CORE-SW). Every one of them needs a static route on the firewall pointing back to 172.16.18.2; without those routes the firewall sends return traffic for the VLANs out of its default route towards the WAN and the LAN PCs never get a reply:


Add one route per internal network under Configure -> Routing (static routes) and Save: destination network (for example 192.168.100.0/24), gateway 172.16.18.2, interface Port 3. Repeat for 10.0.0.0/24, 172.16.0.0/24, 192.168.200.0/24 and 192.168.99.0/24.


After that, the routing table should list the five internal networks via 172.16.18.2 next to the default route, like this:
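Why the static routes matter is easiest to see by tracing a packet through both routing tables. The following is an added example (my own Python, not code from the article, Sophos or Cisco): it models CORE-SW and the firewall as longest-prefix-match tables built from this article's addresses, then follows a LAN PC's packet out to the Internet and its reply back, once with and once without the static routes. The WAN subnet 203.0.113.0/24, the ISP gateway 203.0.113.1 and the port names Port1/Port3 are assumptions; NAT is left out because the firewall still has to route the un-NATed reply.

```python
"""Trace a packet through the CORE-SW and Sophos firewall routing tables.

Added example, not code from the article, Sophos or Cisco. Addresses come
from the article; the WAN subnet 203.0.113.0/24, ISP gateway 203.0.113.1
and port names Port1/Port3 are assumptions. NAT is omitted: after the
firewall un-NATs a reply it still needs a route to the inside subnet.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Prefix = ipaddress.IPv4Network
# (prefix, next hop or None when directly connected, outgoing interface)
Route = Tuple[Prefix, Optional[str], str]

# Which device owns each next-hop address on the core<->firewall /30.
NEXT_HOP_OWNER = {"172.16.18.1": "SOPHOS-FW", "172.16.18.2": "CORE-SW"}


class Router:
    """A routing table with longest-prefix-match lookup, as IOS and Sophos both do."""

    def __init__(self, name: str, routes: List[Route]) -> None:
        self.name = name
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        for route in self.routes:
            if ip in route[0]:
                return route
        return None


def build(firewall_has_lan_routes: bool) -> Dict[str, Router]:
    """Build both tables; the flag adds or omits the firewall's static routes."""
    net = ipaddress.ip_network
    core = Router("CORE-SW", [
        (net("192.168.99.0/24"), None, "Vlan99"),
        (net("10.0.0.0/24"), None, "Vlan10"),
        (net("172.16.0.0/24"), None, "Vlan172"),
        (net("192.168.100.0/24"), None, "Vlan100"),
        (net("192.168.200.0/24"), None, "Vlan200"),
        (net("172.16.18.0/30"), None, "FastEthernet0/1"),
        (net("0.0.0.0/0"), "172.16.18.1", "FastEthernet0/1"),  # the article's default route
    ])
    fw_routes: List[Route] = [
        (net("172.16.18.0/30"), None, "Port3"),
        (net("203.0.113.0/24"), None, "Port1"),      # assumed WAN subnet
        (net("0.0.0.0/0"), "203.0.113.1", "Port1"),   # assumed ISP gateway
    ]
    if firewall_has_lan_routes:
        # The static routes added under Configure -> Routing: every inside
        # subnet is reachable via the core's 172.16.18.2.
        for inside in ("10.0.0.0/24", "172.16.0.0/24", "192.168.100.0/24",
                       "192.168.200.0/24", "192.168.99.0/24"):
            fw_routes.append((net(inside), "172.16.18.2", "Port3"))
    return {"CORE-SW": core, "SOPHOS-FW": Router("SOPHOS-FW", fw_routes)}


def trace(devices: Dict[str, Router], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow dst hop by hop from `start`; each entry is one forwarding decision."""
    path: List[str] = []
    device = start
    for _ in range(max_hops):
        route = devices[device].lookup(dst)
        if route is None:
            path.append(f"{device}: no route to {dst} -> dropped")
            return path
        prefix, next_hop, out_if = route
        if next_hop is None:
            path.append(f"{device}: {dst} is on-link via {out_if} ({prefix}) -> delivered")
            return path
        path.append(f"{device}: {prefix} via {next_hop} out {out_if}")
        owner = NEXT_HOP_OWNER.get(next_hop)
        if owner is None:
            path.append(f"{device}: handed to external gateway {next_hop} -> leaves the site")
            return path
        device = owner
    path.append("hop limit exceeded (routing loop?)")
    return path


if __name__ == "__main__":
    for label, has_routes in (("WITH static routes", True), ("WITHOUT static routes", False)):
        devs = build(has_routes)
        print(f"== firewall {label}: LAN PC 192.168.100.10 -> 8.8.8.8")
        print("\n".join(trace(devs, "CORE-SW", "8.8.8.8")))
        print(f"== firewall {label}: reply 8.8.8.8 -> 192.168.100.10 at the firewall")
        print("\n".join(trace(devs, "SOPHOS-FW", "192.168.100.10")))
```

The outbound path is identical in both cases, which is why a missing return route is easy to misdiagnose as a firewall-rule problem: the firewall without static routes matches the reply to 192.168.100.10 against its default route and hands it to the ISP.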


By default, it has the Allow all rule at the bottom of the firewall, so you just need to add more specific rules above it. Treat that allow-all rule as a lab convenience only: in production, write explicit rules per zone (LAN to WAN, LAN to the server farms on the needed ports only, management VLAN to the admin console) and finish the list with a drop rule that logs, so anything not explicitly allowed is both blocked and visible:


Those are the fundamental steps to get the firewall working. You can add more rules in the firewall settings as I did in the pictures above.


That is the end of part 2; in the next post we will configure the mail server (iRedMail).

I hope you found this article helpful. Part 3 of this series of articles will soon be available. 

I invite you to ask any questions and leave any comments you may have below. 

Cheers ^^


 


Author: Tjno