My HomeLab
My HomeLab is one of the first projects I wanted to build since I started studying networking. Implementing all the configurations I studied during the CCNA course on real equipment and seeing them work in real life helped me prepare further for a future career in networking.
I know that a dedicated Cisco Switch and Router weren't exactly needed to provide network access for 1-2 devices, but I believe a homelab is never created entirely for practical reasons; it is there to provide a network on which to test and deploy configurations. It was also great practice for documenting a network.
The two devices I bought for this lab are a Cisco ISR 1841 Router (M-RT = Main Router) and a Cisco Catalyst 2950T Switch (M-SW = Main Switch). The ISR Router has two FastEthernet interfaces, and the Switch provides 24 FastEthernet and 2 GigabitEthernet ports.
Here you can find the entire configurations for both the Router and the Switch, topologies showing the IP addressing and logical segmentation of the network, and explanations of the configuration. I tried to provide a step-by-step description of all the decisions I made, their reasoning and their implementation. I also uploaded photos and screenshots showing both the devices and the process of connecting them, as well as different command outputs reflecting the configurations and how they work.
Technologies implemented
This is a list of all the technologies and protocols implemented on the devices, just to give you an idea of what you'll find in the configuration files.
- Ubuntu Server
- NAT
- DHCP
- RoaS IVR
- IPv4
- Portfast
- Port-security
- ACL
- SSH
- VLAN
Devices Configuration
Interfaces used:
- M-RT fa0/1 = connected to the ISP Router (ISP-R)
- M-RT fa0/0 = LAN interface, used with subinterfaces for Inter-VLAN Routing
- M-SW fa0/1 = access port for the main device
- M-SW fa0/10 = trunk between M-SW and M-RT
All M-SW interfaces that aren't used (fa0/2-9, fa0/11-24, gig0/1-2) are shut down and placed in a Blackhole VLAN that isn't used elsewhere in the network and isn't permitted on the trunk link.
I like to configure devices in the order that makes sense, from Layer 1 to Layer 7 of the OSI model, so after checking Layer 1 (making the UTP cables, powering the devices and interconnecting them) I focused on Layer 2, basically the Switch.
Initial configuration consisted of securing all access to the Switch: setting up Telnet (this Switch doesn't support encryption, so no SSH here), setting all the passwords, a user and the hostname. After that I implemented the planned VLAN configuration. I chose class C private addresses for all LANs; this is a list of their names and network addresses:
- VLAN 16, name Main-Data-VLAN, network 172.16.1.0/24
- VLAN 17, name Guest-VLAN, network 172.17.1.0/24
- VLAN 19, name Management-VLAN, network 172.19.1.0/24
- VLAN 20, name Blackhole-VLAN, network 172.20.1.0/24
VLAN 16 and 17 are used as Data VLANs, so I configured all ports needed for devices as static access ports in one of them (the difference between them is that I permit or deny access to the VTY lines of the devices based on this membership, as you will see later). VLAN 19 is used for management of the Switch, with its IP address configured on the VLAN 19 interface, and VLAN 20 is used as a security feature, with all unused ports moved into it.
After defining and naming the VLANs, I configured the ports: f0/1 as an access port for VLAN 16 and f0/10 as a trunk port for VLANs 16, 17 and 19. For increased efficiency, all statically defined access ports are also configured with Portfast, reducing the time Spanning Tree takes to move through the blocking-listening-learning-forwarding states.
Security features implemented at Layer 2:
- turning off CDP, as it can leak sensitive data and it's best practice to turn it off
- turning DTP off with the switchport nonegotiate command on the trunk link
- shutting down all unused ports
- shutting down VLAN 1, considered a best practice
- implementing BPDU guard on all access ports
- port-security: each port allows a maximum of 2 MAC addresses to communicate; a violation puts the port in err-disabled mode. The MAC addresses are learned as sticky MACs, so IOS writes them into the running-configuration file.
Note: I set the VTP mode as transparent, so all VLAN configuration can be seen in the running-configuration file.
That was all the configuration for Layer 2. Moving up the OSI model, the Router is next, but before that, for the sake of efficiency, I also configured the VLAN 19 interface with its IP address, the Switch default gateway, and a standard access-list that restricts all access to the VTY lines except for hosts in the 172.16.1.0/24 network, and applied it.
On the M-RT I configured all initial settings, this time configuring SSH for remote access and forcing it to use version 2, because it is more secure than version 1. I then configured all interfaces: f0/1 with 192.168.1.10, to be in the same network as the ISP-R, and all subinterfaces needed for Inter-VLAN Routing. I chose the names f0/0.16, f0/0.17 and f0/0.19 specifically to make the configuration easier to understand. I also configured a Loopback interface with IP 10.10.255.1 for management use, as it's best not to load a used interface with management traffic, and a Loopback interface never goes down, making troubleshooting easier when one interface fails and you're not sure whether the whole router failed too.
I configured the M-RT as a DHCP server, allocating addresses for the VLAN 16 and 17 networks (VLAN 19 didn't need a DHCP server because there is just a single address in it, the Switch's VLAN interface, which I chose to define statically).
For routing I defined a default route using the ISP-R address as next-hop, and I placed an ACL on the VTY lines, restricting remote SSH access (Telnet is not allowed because of "transport input ssh") to devices in the VLAN 16 network only. I also disabled CDP for security reasons.
The last step was solving a serious problem: I cannot configure routing on the ISP Router. I can add a default route on the M-RT forwarding all traffic leaving the LAN to the ISP-R, but I cannot define a route back, because that router doesn't have that capability. So I decided to use dynamic NAT, mapping every LAN IP address to an IP in the 192.168.1.0/24 network, to which the ISP-R knows how to return traffic. I defined a NAT pool from 192.168.1.10 to 192.168.1.60, so I have enough addresses to support up to 50 devices communicating on the internet at the same time, and I identified all devices in the LAN using the standard access-list 6, permitting all IPs of the form 172.x.1.y (172.0.1.0 0.255.0.255).
If you noticed that on the topology the WAN link has the address 192.168.1.0/25 while I configured everything with a /24: no, this is not a mistake. I keep using the ISP-R as an AP for all wireless devices, so I segmented the /24 network into two logical subnets. The first /25 subnet is used for the wired port, and the ISP-R leases addresses starting from .128 to all DHCP clients, which are mainly wireless clients.
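Both the VTY access-list (hosts in 172.16.1.0/24 only) and NAT access-list 6 (172.0.1.0 0.255.0.255) are standard ACLs written with wildcard masks, and it is easy to misjudge what a wildcard actually covers. The following is an added example, not part of this lab's configuration files: a small evaluator for standard ACL entries that checks which of the lab's four VLAN networks each list permits. The ACL entries and networks come from the text above; the per-VLAN host addresses are constructed samples.

```python
# Added example: evaluate Cisco-style standard ACL entries (address + wildcard
# mask) against sample hosts from the lab's addressing plan. Not the lab's own
# configuration; the host addresses below are constructed for illustration.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; a 0 bit means the address
    bit must equal the corresponding bit of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, addr: str) -> bool:
    """First-match evaluation, with the implicit 'deny any' at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


# VTY access-list applied on M-SW and M-RT: only the Main-Data-VLAN may manage devices.
VTY_ACL = [("permit", "172.16.1.0", "0.0.0.255")]
# Access-list 6: inside-local addresses eligible for dynamic NAT (172.x.1.y).
NAT_ACL = [("permit", "172.0.1.0", "0.255.0.255")]

# One constructed sample host per VLAN from the addressing plan.
VLAN_HOSTS = {
    "Main-Data-VLAN (16)": "172.16.1.50",
    "Guest-VLAN (17)": "172.17.1.50",
    "Management-VLAN (19)": "172.19.1.2",
    "Blackhole-VLAN (20)": "172.20.1.50",
}


def matched_vlans(acl) -> list:
    """Names of the VLANs whose sample host the ACL permits."""
    return [name for name, host in VLAN_HOSTS.items() if acl_permits(acl, host)]


if __name__ == "__main__":
    print("VTY ACL permits:", matched_vlans(VTY_ACL))
    print("NAT ACL permits:", matched_vlans(NAT_ACL))
```

Running it shows that the VTY list permits only VLAN 16, while 0.255.0.255 ignores the whole second octet, so access-list 6 matches every 172.x.1.y address, including the Management and Blackhole VLANs and any future 172.x.1.0/24 network, which is worth remembering if the addressing plan ever grows.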