As mentioned before, Acacia School's LAN will consist of two networks, a student network and an administrative network. These will be serviced
out of two interfaces on the school's router, Ethernet 0 and Ethernet 1. Ethernet 0 will service the student network, and Ethernet 1 will service the administrative
network. The school has asked that all users on the student network be denied access to the administrative LAN, but that administrative users be permitted full
access to both networks. One exception to these provisions has been made: DNS and E-Mail services are located on the administrative LAN, so student users
will need to reach those two services. Apart from that, users on the student LAN will not need to cross the router unless web-related services are requested;
therefore, HTTP will also be permitted. All users on the student LAN seeking these three services will be permitted.
At the district level, another security measure is required. The district obviously doesn't want users from the global Internet worming their way into the
WAN. Therefore, at the District Office Data Center, an Access Control List will be applied to the interface that connects to the Internet. Since web services
requested by users on the global Internet are also to be permitted, HTTP will be allowed into the District WAN as well. Therefore, this ACL permits only HTTP,
DNS and E-Mail packets.
This access control list (ACL) will stop all traffic other than HTTP, DNS and E-Mail from the student network (subnet 100) from reaching the
administrative network (subnet 101):
access-list 101 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq domain
access-list 101 permit udp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq domain
access-list 101 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq smtp
access-list 101 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq http
(implicit deny any discards all other traffic; the udp line is required because DNS queries normally travel over UDP port 53, so a tcp-only entry would block name resolution)
This ACL will then be applied to interface E0 of Acacia's router. From interface configuration mode on E0, the command ip access-group 101 in will be
entered to enable the ACL.
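As an added check that is not part of the original design document, the following Python script models access-list 101 with Cisco wildcard-mask matching and first-match / implicit-deny semantics, then runs constructed sample packets through it as they would arrive inbound on E0. It includes the UDP/53 line for DNS, and it also shows that an inbound ACL on E0 discards student traffic to any destination outside subnet 101, such as an Internet web server; the host addresses and the 203.0.113.7 web server are constructed values.

```python
import ipaddress

# Constructed model of the page's access-list 101 (student subnet 150.72.100.0/24
# to administrative subnet 150.72.101.0/24), plus the UDP/53 line a practitioner
# would add because DNS queries normally use UDP rather than TCP.
# Entry: (action, protocol, src net, src wildcard, dst net, dst wildcard, dst port)
ACL_101 = [
    ("permit", "tcp", "150.72.100.0", "0.0.0.255", "150.72.101.0", "0.0.0.255", 53),
    ("permit", "udp", "150.72.100.0", "0.0.0.255", "150.72.101.0", "0.0.0.255", 53),
    ("permit", "tcp", "150.72.100.0", "0.0.0.255", "150.72.101.0", "0.0.0.255", 25),
    ("permit", "tcp", "150.72.100.0", "0.0.0.255", "150.72.101.0", "0.0.0.255", 80),
]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, p, snet, swc, dnet, dwc, port in acl:
        if p != proto or port != dport:
            continue
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"  # implicit deny any at the end of every Cisco ACL

def check_sample_flows() -> dict:
    """Constructed flows as they would arrive inbound on E0 (student side)."""
    flows = {
        "student->admin http": ("tcp", "150.72.100.25", "150.72.101.10", 80),
        "student->admin dns/udp": ("udp", "150.72.100.25", "150.72.101.10", 53),
        "student->admin smtp": ("tcp", "150.72.100.25", "150.72.101.10", 25),
        "student->admin telnet": ("tcp", "150.72.100.25", "150.72.101.10", 23),
        "other-subnet->admin http": ("tcp", "150.72.99.5", "150.72.101.10", 80),
        # Because the ACL is applied inbound on E0, student traffic to any
        # destination outside subnet 101 (e.g. an Internet web server, constructed
        # address below) also hits the implicit deny unless a further permit is added.
        "student->internet http": ("tcp", "150.72.100.25", "203.0.113.7", 80),
    }
    return {name: evaluate(ACL_101, *pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, verdict in check_sample_flows().items():
        print(f"{name:28s} {verdict}")
```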
At the district level, the same security measures are requested. Therefore, a similar ACL will be placed on one of the high-end routers at the District Office
Data Center:
access-list 102 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq domain
access-list 102 permit udp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq domain
access-list 102 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq smtp
access-list 102 permit tcp 150.72.100.0 0.0.0.255 150.72.101.0 0.0.0.255 eq http
(implicit deny any discards all other traffic; the list is numbered 102 to match the access-group 102 commands that apply it, and the udp line is required because DNS queries normally use UDP port 53)
At the District Office Data Center, the S0 port on the router will connect out to the Internet. Therefore, from interface configuration mode on S0, the
command ip access-group 102 in will be entered. This ACL is to act as a double firewall, blocking both packets entering the router and packets attempting to go
out an interface. Therefore, on every interface of the router, the command ip access-group 102 out should be entered.