Ultimate Guide to Configuring a Secured Network Using Cisco Packet Tracer
Designing a secure and efficient network requires thoughtful configuration, especially when departments need different levels of access. This guide walks through the setup step by step: VLANs, inter-VLAN routing, DHCP, NAT, access-control rules, wireless settings and remote-access VPN, using a sample company network built in Cisco Packet Tracer. The diagram referenced below shows that sample design.
Network Diagram Overview
The network consists of the following elements:
Router: routes between the VLANs and connects to the internet (outside address 203.1.1.1).
Firewall (ASA 5505): sits between the internal and external networks. Its interfaces are assigned ASA security levels:
100 (Inside): Trusted internal network.
0 (Outside): Untrusted external network.
1-99 (DMZ): Semi-trusted zone for public-facing servers.
Switches: Manage VLANs and trunk connections for inter-device communication.
Departments:
Administration (VLAN 50, 192.168.1.0/24): the only VLAN with access to the servers.
IT Team (VLAN 10), HR Team (VLAN 30), Finance Team (VLAN 40): blocked from the server VLAN by the access list in Step 5; internet access only.
Server Room (VLAN 20, 20.0.0.0/24): hosts the DNS, DHCP, FTP and email servers.
Wireless Network: a wireless router (192.168.1.2) on the Administration VLAN provides connectivity for mobile devices.
Step 1: Switch Configuration
1.1 Create VLANs
To isolate traffic, create the same set of VLANs on every switch, one per department, each with a unique ID and its own subnet:

| VLAN ID | Department | Network |
|---|---|---|
| 10 | IT Team | 10.0.0.0/24 |
| 20 | Server Room | 20.0.0.0/24 |
| 30 | HR Team | 30.0.0.0/24 |
| 40 | Finance Team | 40.0.0.0/24 |
| 50 | Administration (Wireless) | 192.168.1.0/24 |

Note on addressing: 10.0.0.0/24 and 192.168.1.0/24 are RFC 1918 private ranges, but 20.0.0.0/24, 30.0.0.0/24 and 40.0.0.0/24 are publicly routed address space. That is harmless in an isolated Packet Tracer lab, which is how they are used here; for a real deployment pick private ranges (for example 10.0.20.0/24, 10.0.30.0/24, 10.0.40.0/24) so internal hosts never shadow internet destinations.
Commands:
Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name IT_Team
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Server_Room
Switch(config-vlan)# exit
Repeat for VLAN 30 (HR_Team), VLAN 40 (Finance_Team) and VLAN 50 (Admin_Wireless) on every switch; a VLAN that exists on one switch but not on the next is silently dropped at the trunk.
1.2 Assign Ports to VLANs
To assign ports to specific VLANs:
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Repeat for other VLANs and ports.
1.3 Trunk Ports
For switch-to-switch and switch-to-router links, configure the port as a trunk, restrict it to the VLANs that are actually needed, and switch off DTP negotiation so an attached device cannot talk the port into trunking on its own terms:
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40,50
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit
On multilayer switches (3560/3650) add switchport trunk encapsulation dot1q before switchport mode trunk; the 2960 only supports 802.1Q and rejects that command.
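Steps 1.1 to 1.3 together, as a complete configuration for one access switch. This is an added example, not configuration from the original guide: the hostname SW-IT, the port ranges, the unused native VLAN 999, the port-security and BPDU-guard settings are choices made here on top of the page's steps. It is written as running-config lines, so it can be pasted into a 2960 in Packet Tracer in global configuration mode.

```cisco
! SW-IT: access switch for the IT floor.
! VLANs from the table, user ports locked to VLAN 10, unused ports parked,
! and a hardened uplink trunk. VLAN 999 (native/unused) and the
! port-security lines are additions beyond the guide's steps.
hostname SW-IT
!
vlan 10
 name IT_Team
vlan 20
 name Server_Room
vlan 30
 name HR_Team
vlan 40
 name Finance_Team
vlan 50
 name Admin_Wireless
vlan 999
 name NATIVE_UNUSED
!
! User-facing access ports: fixed VLAN, no DTP, one learned MAC address.
! A second MAC (rogue hub, spoofed station) err-disables the port, which is
! visible in "show port-security" rather than silently working.
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in a dead VLAN and shut down, so plugging into an
! empty wall jack yields nothing.
interface range FastEthernet0/9 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink trunk to the router/core switch. Only the five production VLANs
! are allowed; the native VLAN is moved off VLAN 1 and is deliberately NOT
! in the allowed list, so untagged frames arriving on the trunk are dropped
! instead of landing in a user VLAN.
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
!
end
```

For the HR and Finance switches, change the hostname and the access VLAN on the user port range; everything else stays identical. Verify with show vlan brief (ports in the right VLAN), show interfaces trunk (Fa0/24 trunking with the allowed list and native 999) and show port-security interface fa0/1.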
Step 2: Router Configuration for Inter-VLAN Routing
Create one 802.1Q subinterface per VLAN on the router's trunk-facing interface so it can route between VLANs. The physical interface needs no IP address of its own, but it must be enabled or none of the subinterfaces come up.
Commands:
Router> enable
Router# configure terminal
Router(config)# interface gig0/0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface gig0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 10.0.0.1 255.255.255.0
Router(config-subif)# exit
Repeat for VLANs 20, 30, 40 and 50 (gateways 30.0.0.1, 40.0.0.1 and 192.168.1.1). For VLAN 20 do not use 20.0.0.1, which Step 7 assigns to the DNS server; this guide uses 20.0.0.254 as the VLAN 20 gateway. The VLAN number in the encapsulation line must match the VLAN ID tagged on the switch trunk, otherwise the subinterface never sees its traffic.
Step 3: DHCP Configuration
Enable DHCP for dynamic addressing in the VLANs that need it (Administration, IT, HR, Finance). The servers in VLAN 20 keep static addresses (Step 7). This guide runs DHCP on the router itself; if you prefer to use the DHCP server in the server room instead, every subinterface needs ip helper-address 20.0.0.2 and the router pools must be removed, otherwise two servers answer the same requests and leases become inconsistent. Exclude the gateway and any statically assigned host (here the wireless router at 192.168.1.2) from each pool.
Example (VLAN 50 - Administration/Wireless):
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.2
Router(config)# ip dhcp pool VLAN50
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8
Router(dhcp-config)# exit
Repeat for VLANs 10, 30 and 40 with their own gateway addresses (10.0.0.1, 30.0.0.1, 40.0.0.1), excluding each gateway. The user VLANs must use an external resolver such as 8.8.8.8 because Step 5 blocks them from the internal DNS server; the Administration pool may point at 20.0.0.1 instead.
Step 4: NAT Configuration for Internet Access
Configure Network Address Translation (NAT) so the user VLANs share the router's outside address. NAT needs three things a first draft usually forgets: the outside interface marked ip nat outside, every VLAN subinterface marked ip nat inside, and a default route toward the ISP (the next hop 203.1.1.2 below is assumed; it is not given in the diagram).
Commands:
Router(config)# interface gig0/1
Router(config-if)# ip address 203.1.1.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface gig0/0.10
Router(config-subif)# ip nat inside
Router(config-subif)# exit
Router(config)# ip route 0.0.0.0 0.0.0.0 203.1.1.2
Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
Router(config)# access-list 1 permit 30.0.0.0 0.0.0.255
Router(config)# access-list 1 permit 40.0.0.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface gig0/1 overload
Repeat ip nat inside on gig0/0.30, gig0/0.40 and gig0/0.50. Access list 1 deliberately omits 20.0.0.0/24, so the servers cannot initiate connections to the internet; that is a sensible default for a server VLAN, but it also means they cannot fetch updates unless you later add their subnet or specific hosts to the list.
Step 5: Access Control Rules for the Server VLAN
The access list below enforces the policy from the overview: the Administration VLAN reaches the servers, the three user VLANs do not. It is a router ACL; the ASA from the diagram is not involved in this step. Two details matter. First, the administration network is 192.168.1.0/24, as in the VLAN table. Second, the list must be applied outbound on the VLAN 20 subinterface: traffic entering the router on gig0/0.20 comes from the servers, while traffic destined to the servers leaves the router on gig0/0.20, so an inbound ACL there would never match the deny lines and would filter nothing.
Access Control List (ACL) Configuration:
Router(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 20.0.0.0 0.0.0.255
Router(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Router(config)# access-list 100 deny ip 30.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Router(config)# access-list 100 deny ip 40.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Router(config)# access-list 100 permit ip any any
Router(config)# interface gig0/0.20
Router(config-subif)# ip access-group 100 out
The final permit ip any any keeps sources other than the three denied VLANs (for example the VPN clients from Step 8) open; replace it with an explicit deny if nothing else should ever reach VLAN 20. This is a stateless filter: replies from the servers to Administration leave through gig0/0.50, where no ACL is applied, so no return rule is needed.
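Steps 2 to 5 together, as a complete router configuration. This is an added example, not configuration from the original guide. Assumptions made here that the page does not state: the hostname R1, the ISP next hop 203.1.1.2, and 20.0.0.254 as the VLAN 20 gateway (20.0.0.1 is the DNS server in Step 7). The user VLANs are handed 8.8.8.8 as resolver because the ACL blocks them from the internal DNS server; the Administration pool is given 20.0.0.1.

```cisco
! R1: inter-VLAN routing, DHCP, NAT and the server-VLAN access list.
! Assumed, not from the guide: hostname, ISP next hop 203.1.1.2, VLAN 20
! gateway 20.0.0.254.
hostname R1
!
! Keep router-owned and statically assigned addresses out of DHCP.
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 30.0.0.1
ip dhcp excluded-address 40.0.0.1
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool VLAN10
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8
ip dhcp pool VLAN30
 network 30.0.0.0 255.255.255.0
 default-router 30.0.0.1
 dns-server 8.8.8.8
ip dhcp pool VLAN40
 network 40.0.0.0 255.255.255.0
 default-router 40.0.0.1
 dns-server 8.8.8.8
ip dhcp pool VLAN50
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 20.0.0.1
!
! Trunk to the switch: the physical interface carries no IP of its own.
interface GigabitEthernet0/0
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.0.0.254 255.255.255.0
 ip access-group 100 out
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 30.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 40.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Internet-facing interface and default route (next hop assumed).
interface GigabitEthernet0/1
 ip address 203.1.1.1 255.255.255.0
 ip nat outside
 no shutdown
ip route 0.0.0.0 0.0.0.0 203.1.1.2
!
! PAT for the user VLANs only; 20.0.0.0/24 is deliberately absent, so the
! servers cannot open connections to the internet.
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 30.0.0.0 0.0.0.255
access-list 1 permit 40.0.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Server-VLAN filter, applied OUTBOUND on Gi0/0.20 above so it evaluates
! traffic heading INTO VLAN 20. Administration is permitted, the three user
! VLANs are denied, and the final permit keeps other sources (e.g. the VPN
! pool from Step 8) open.
access-list 100 permit ip 192.168.1.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 100 deny   ip 30.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 100 deny   ip 40.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 100 permit ip any any
!
end
```

After pasting, show ip interface gig0/0.20 should report "Outgoing access list is 100" and "Inbound access list is not set"; if the direction is reversed the ping tests in Step 9 will pass from every VLAN, which is the failure mode the outbound placement prevents.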
Step 6: Wireless Router Configuration
Set up the wireless router on the Administration VLAN:
SSID: CompanySecure
IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
Security: WPA2 Personal (WPA2-PSK) with AES/CCMP encryption, not TKIP, and a long random passphrase (20 or more characters). Because this VLAN is the only one allowed into the server room, the Wi-Fi passphrase is effectively a server-room key: anyone who obtains it gets the Administration network's access. Share it only with the Administration team, rotate it when staff leave, and disable WPS if the device offers it.
Step 7: Server Configuration
Assign static IP addresses to the servers in VLAN 20. Two things to note about this table: 20.0.0.1 belongs to the DNS server, so the VLAN 20 gateway configured in Step 2 must use a different address (this guide uses 20.0.0.254); and the DHCP server is redundant while the router hands out addresses (Step 3), and would in any case need ip helper-address on each subinterface to serve the other VLANs. Run one DHCP service or the other, not both.

| Server | IP Address |
|---|---|
| DNS Server | 20.0.0.1 |
| DHCP Server | 20.0.0.2 |
| Email Server | 20.0.0.3 |
| FTP Server | 20.0.0.5 |
Secure the Servers:
DNS Server: Restrict queries to known IPs only.
Email Server: Enable SMTP authentication and TLS.
FTP Server: Use SFTP/FTPS instead of standard FTP.
Example (DNS Server Configuration): the Packet Tracer DNS service is configured through the server's GUI; the snippet below is for a real BIND server (named) on Linux. allow-query belongs inside the existing options block, and the permitted networks are the Administration VLAN (192.168.1.0/24) and the server VLAN itself. allow-recursion is restricted the same way so the server is not an open resolver. Check the syntax before restarting:
nano /etc/named.conf
options {
    allow-query { 192.168.1.0/24; 20.0.0.0/24; };
    allow-recursion { 192.168.1.0/24; 20.0.0.0/24; };
};
named-checkconf /etc/named.conf && systemctl restart named
Step 8: VPN Configuration for Remote Access
To give remote users secure access to the servers, configure a remote-access IPsec VPN on the ASA. Two things in the usual first draft need fixing. First, the client address pool must not overlap a LAN subnet: a pool inside 192.168.1.0/24 collides with the Administration VLAN and its DHCP range, and return traffic from the servers would be routed to the router's VLAN 50 subinterface instead of to the ASA. This guide uses 172.16.50.0/24, a range not used anywhere else in the design. Second, cisco123 is a well-known default that brute-forces instantly; the pre-shared key must be a long random secret, shown here as a placeholder. Pick the strongest Diffie-Hellman group your ASA version offers (14 on current releases; 5 is used below because older images only offer 1, 2 and 5).
Firewall(config)# ip local pool VPNPOOL 172.16.50.10-172.16.50.100 mask 255.255.255.0
Firewall(config)# crypto ikev1 policy 10
Firewall(config-ikev1-policy)# authentication pre-share
Firewall(config-ikev1-policy)# encryption aes-256
Firewall(config-ikev1-policy)# hash sha
Firewall(config-ikev1-policy)# group 5
Firewall(config)# crypto ikev1 enable outside
Firewall(config)# tunnel-group RemoteVPN type remote-access
Firewall(config)# tunnel-group RemoteVPN general-attributes
Firewall(config-tunnel-general)# address-pool VPNPOOL
Firewall(config)# tunnel-group RemoteVPN ipsec-attributes
Firewall(config-tunnel-ipsec)# ikev1 pre-shared-key <long-random-secret>
These lines cover phase 1 and the tunnel group only; a working tunnel also needs a transform set, a dynamic crypto map bound to the outside interface, a group policy and a NAT exemption for traffic between the pool and the servers.
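The remote-access VPN of Step 8 as a complete ASA configuration, written as running-config lines. This is an added example, not configuration from the original guide. Assumptions beyond the page: the pool 172.16.50.0/24, the object and map names (RA-TS, RA-DYN, OUTSIDE-MAP, RA-GP, SPLIT-SERVERS, SERVER-NET, VPN-POOL), the placeholder <long-random-secret>, and ASA 8.3+ NAT syntax. Clients are split-tunneled so that only 20.0.0.0/24 crosses the VPN, which matches the stated goal of remote access to the servers and nothing else.

```cisco
! ASA 5505: IKEv1 remote-access VPN. Clients land in 172.16.50.0/24 and
! reach only the server VLAN. Names, pool and PSK placeholder are
! assumptions made for this example, not values from the guide.
ip local pool VPNPOOL 172.16.50.10-172.16.50.100 mask 255.255.255.0
!
! Phase 1: PSK authentication, AES-256, SHA-1 integrity, DH group 5
! (use group 14 where the ASA version supports it).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2: transform set plus a DYNAMIC crypto map, because remote clients
! connect from source addresses the ASA cannot know in advance.
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
!
! Split tunnel: only the server VLAN is sent through the tunnel. The
! client's other traffic stays on its local path and never transits the ASA.
access-list SPLIT-SERVERS standard permit 20.0.0.0 255.255.255.0
!
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-SERVERS
 dns-server value 20.0.0.1
!
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RA-GP
tunnel-group RemoteVPN ipsec-attributes
 ikev1 pre-shared-key <long-random-secret>
!
! NAT exemption: traffic between the servers and the VPN pool must keep its
! real addresses in both directions, or it will not match the tunnel.
object network SERVER-NET
 subnet 20.0.0.0 255.255.255.0
object network VPN-POOL
 subnet 172.16.50.0 255.255.255.0
nat (inside,outside) source static SERVER-NET SERVER-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

Routing still has to be in place: the ASA needs a route to 20.0.0.0/24 via the router, and the router needs a static route for 172.16.50.0/24 pointing at the ASA's inside address; neither address is given in the diagram, so they are left out here. On the router, the final permit ip any any in access list 100 is what lets the pool reach VLAN 20.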
Step 9: Testing and Verification
Inter-VLAN Traffic: from a PC in VLAN 10, 30 or 40, ping a server in 20.0.0.0/24 and confirm it fails; repeat from the Administration network and confirm it succeeds. Also confirm that the user VLANs still reach each other and the internet, which the ACL must not affect.
NAT Configuration: from a user-VLAN PC, ping an address on the outside segment and check show ip nat translations on the router for a matching entry.
VPN Access: connect a remote client, confirm it receives an address from the VPN pool, can reach the servers in VLAN 20, and cannot reach anything else inside.
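A verification checklist for Steps 1 to 8, as an added example rather than part of the original guide. It mixes switch, router, PC and ASA commands, so it is meant to be worked through device by device, not pasted. Expected outcomes are given in the comments; the outside address 203.1.1.2 and the native VLAN 999 are assumptions carried over from the examples above, and exact output wording varies between IOS and Packet Tracer versions.

```cisco
! --- Switch ---
! VLANs 10,20,30,40,50 active with the expected ports; Fa0/24 trunking with
! allowed list 10,20,30,40,50 (and native 999 if configured).
show vlan brief
show interfaces trunk
! Port Security: Enabled, Violation Mode: Shutdown, Maximum MAC Addresses: 1
show port-security interface fa0/1
!
! --- Router ---
! Gi0/0.10 .. Gi0/0.50 and Gi0/1 up/up with their addresses.
show ip interface brief
! One lease per PC in VLANs 10/30/40/50; nothing from 20.0.0.0/24.
show ip dhcp binding
! "Outgoing access list is 100" and "Inbound access list is not set".
show ip interface gig0/0.20
! Hit counters on the permit/deny lines climb after the pings below.
show access-lists 100
! Entries appear only after an inside host has sent traffic outside.
show ip nat translations
!
! --- PCs (Packet Tracer command prompt) ---
! From a PC in VLAN 10, 30 or 40: must FAIL (denied by ACL 100).
ping 20.0.0.3
! From a PC on the Administration network 192.168.1.0/24: must succeed.
ping 20.0.0.3
! From any user-VLAN PC: must succeed, then re-check show ip nat translations.
ping 203.1.1.2
!
! --- ASA ---
! One IKE SA per connected user in state MM_ACTIVE.
show crypto ikev1 sa
! #pkts encaps / #pkts decaps increase while a client pings a server.
show crypto ipsec sa
! Session listed with an address from VPNPOOL and the RA-GP group policy.
show vpn-sessiondb ra-ikev1-ipsec
```

If the user-VLAN ping to 20.0.0.3 succeeds, the most likely cause is the access list applied inbound instead of outbound on gig0/0.20; if the Administration ping fails, check that the permit line uses 192.168.1.0/24 and that the VLAN 50 subinterface and trunk allow VLAN 50.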
Step 10: Maintenance and Monitoring
SNMP and Syslog: send device logs to a central syslog host, and use SNMPv3 (authPriv) rather than SNMPv1/v2c community strings for monitoring.
Firmware Updates: keep router, switch, ASA and wireless-router firmware current.
Security Audits: periodically repeat the tests in Step 9 and review the running configurations for stale ACL entries, unused open ports, default credentials and weak pre-shared keys.
By following this comprehensive guide, you can build a secure, efficient network with proper access control, dynamic addressing, and secure server communication.