INE 2810 Mission 2
Version 1.2
1. Set up the router to connect to your network upstream ISP and test the connection.
First you need to configure your router.
As your router has only one Ethernet port, you need to divide that port into two sub-interfaces. One sub-interface connects to your upstream ISP router and is bound to the IP address prescribed in your enterprise background information. The other sub-interface connects to your DMZ, and you can decide its IP address. For each sub-interface, you need to assign a VLAN ID. You can choose any VLAN ID number between 2 and 999. For easy documentation and management, we usually give each sub-interface the same number as the VLAN ID it is bound to. For the VLAN encapsulation type of the sub-interface, you need to choose dot1Q.
Here is an example from another company. Note that their settings are different from ours.
interface FastEthernet0
 no ip address
 shutdown
 speed auto
!
interface FastEthernet0.250
 description Interface to uplink
 encapsulation dot1Q 250
 ip address 10.32.204.1 255.255.255.252
!
interface FastEthernet0.801
 description Interface to DMZ
 encapsulation dot1Q 801
 ip address 10.11.64.254 255.255.255.0
!
Now turn to your switch.
You need to partition your switch into three VLANs: one for the upstream, one for the DMZ and one for your internal network. You can choose any VLAN ID number between 2 and 999 for your internal network. The VLAN ID numbers for the upstream and DMZ MUST match the ones that you set on your router.
Here is your switch port connection:
Port 1 | Connected host 1 in DMZ
Port 2 | Connected host 2 in DMZ
Port 3 | Connected firewall interface in DMZ
Port 4 | Connected host 1 in internal private network
Port 5 | Connected host 2 in internal private network
Port 6 | Connected firewall interface in internal private network
Port 7 | Connected to uplink
Port 8 | Connected to router interface
Port 9 | Connected Host 2 sniffer interface in internal private network
Set the correct VLAN ID number on each port. You need to set the switch port connecting to the router interface to be a VLAN trunk so that your switch knows that this port carries the VLANs of the upstream and DMZ.
You can leave port 9 alone, as it is not used in this mission.
Here is an example from another company. Note that their settings are different from ours.
!
interface FastEthernet0/1
 switchport access vlan 800
!
interface FastEthernet0/2
 description port to uplink
 switchport access vlan 249
!
interface FastEthernet0/3
 description port to router Ethernet port
 switchport mode trunk
If you set up your router and switch correctly, you should be able to ping your ISP router's IP address from your router. Try to ping your ISP router and see whether the connection to your ISP is OK. Before running the test, make sure your router Ethernet port is not shut down. If it is shut down, bring it up by setting "no shutdown".
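A consistency check for the VLAN rules in this step, as an added example that is not part of the original handout: it parses router and switch configuration text and reports router dot1Q VLAN IDs with no matching switch access port, a physical port left in shutdown, and a missing trunk. The sample input is constructed by abridging the two example fragments above; the function names are this example's own.

```python
import re

# Constructed input: the page's two example fragments, abridged.
ROUTER_CFG = """interface FastEthernet0
 shutdown
interface FastEthernet0.250
 encapsulation dot1Q 250
interface FastEthernet0.801
 encapsulation dot1Q 801
"""
SWITCH_CFG = """interface FastEthernet0/1
 switchport access vlan 800
interface FastEthernet0/2
 switchport access vlan 249
interface FastEthernet0/3
 switchport mode trunk
"""

def parse_interfaces(cfg):
    """Return {interface name: [config lines under it]}."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line in ("", "!"):  # "!" ends an interface block
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def check(router_cfg, switch_cfg):
    """List mismatches between router sub-interfaces and switch ports."""
    router, switch = parse_interfaces(router_cfg), parse_interfaces(switch_cfg)
    lines = [l for body in switch.values() for l in body]
    access = {int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")}
    findings = []
    for name, body in router.items():
        if "." not in name and "shutdown" in body:
            findings.append(f"{name}: physical port is shutdown")
        for m in filter(None, (re.match(r"encapsulation dot1Q (\d+)$", l) for l in body)):
            vid = int(m.group(1))
            if not 2 <= vid <= 999:
                findings.append(f"{name}: VLAN {vid} outside 2-999")
            if vid not in access:
                findings.append(f"{name}: VLAN {vid} has no access port on the switch")
    if "switchport mode trunk" not in lines:
        findings.append("switch: no trunk port toward the router")
    return findings
```

Calling `check(ROUTER_CFG, SWITCH_CFG)` on the sample returns three findings: the shutdown port, and VLANs 250 and 801 having no access port because the switch fragment uses 249 and 800.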
2. Configure all your host network interfaces
Log in to your host console and configure your host network interface. The hosts connected to the DMZ need to have IP addresses in the range specified in your enterprise background information. As for the hosts in the internal private network, you can choose any IP range in 172.16/12.
If you configure the switch correctly, hosts in the DMZ can ping each other; similarly, hosts in the private network can ping each other. As you may not have configured the firewall yet, hosts in the DMZ cannot ping hosts in the private network and vice versa.
3. Test your connection to other branch offices
Set the default gateway of your router and your DMZ hosts. Then collaborate with the TOs in the other branch offices of your enterprise to run a ping test from the DMZ hosts. That is, from your DMZ hosts, try to ping the DMZ hosts in the other branch offices.
As you have not set the access-list of your router at this moment, it is dangerous to open your DMZ hosts' access to the public. Therefore, after the ping test, remove the default gateway setting from your router and your DMZ hosts.
Note: Do not just follow the examples. You need to understand them. If you just copy an example without any modification, I am sure you will not get it to work.