ACL Implementation


All Internet connectivity will be supplied through the District Office, which will be the single point of contact for all schools and organizations within the district. This connection will be highly controlled, and its capacity (bandwidth) upgraded as usage dictates. The Internet connection will use a double-firewall implementation with a public network (Ethernet backbone) established for services that will be exposed to the Internet, such as master E-mail, Domain Name Services (DNS) and a World Wide Web server. All connectivity initiated from the Internet to the internal District network will be protected by Access Control Lists (ACLs) on the routers that make up the double-firewall architecture. Any connectivity initiated from the District to the Internet will be permitted to communicate freely. E-mail and DNS services will communicate freely in both directions, since these applications pose no security threat. A Web server will be located on the public backbone and partitioned to allow any school to install a Web home page on the Internet. Individual Web servers that need total exposure to the Internet will not be permitted on the internal District network; if a school requires an independent Web server host, that host will be placed on the public network backbone. The curriculum side of the LAN is allowed access to the WWW server, the E-mail (SMTP) server and the DNS server at the district office. All other access is denied.

Commands applied to the Sunset router

Give global access to the www server with:
Sunset(config)# access-list 101 permit tcp any 219.17.100.1 0.0.0.0 eq www

Give global access to the DNS server with:
Sunset(config)# access-list 101 permit udp any 219.17.101.1 0.0.0.0 eq domain

Give global access to the E-mail server with:
Sunset(config)# access-list 101 permit tcp any 219.17.100.1 0.0.0.0 eq smtp

Deny all students all other access with:
Sunset(config)# access-list 101 deny ip any any

Apply the list inbound on interface Ethernet0/0 (entered from interface configuration mode) with:
Sunset(config)# interface ethernet0/0
Sunset(config-if)# ip access-group 101 in

The following is the Show Running Configuration of the Sunset router

Sunset#show run
Building configuration...

Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname Sunset

ip subnet-zero

interface Ethernet0/0
 ip address 219.17.101.1 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast

interface Ethernet0/1
 ip address 219.17.100.1 255.255.255.0
 no ip directed-broadcast

router igrp 101
 network 10.0.0.0

no ip http server
ip classless

access-list 101 permit tcp any host 219.17.100.1 eq www
access-list 101 permit udp any host 219.17.101.1 eq domain
access-list 101 permit tcp any host 219.17.100.1 eq smtp
access-list 101 deny   ip any any

line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4


This ACL is applied to E0 outbound, which is the router port that connects to the administrative (teacher) network. The first three access-list statements allow E-mail, DNS and WWW access, respectively; the fourth and fifth permit any traffic from the administrative network or from network equipment on the teacher network. Any IP address with a third octet of 00000001 in binary (decimal 1) is on the administrative network, while any IP address with a third octet of 00000000 (decimal 0) is a piece of network equipment. The implicit deny any statement at the end of the list then blocks curriculum traffic on the administrative network.
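The following Python script is an added example, not part of the original design document. It parses access list 101 exactly as it appears in the Sunset running configuration above and evaluates constructed sample packets against it, modelling the two IOS behaviours the commands rely on: rules are tested top to bottom and the first match decides, and any packet matching no rule is dropped by the implicit deny at the end of every list. The wildcard-mask matcher is general (a 1 bit means "don't care"), so it also shows why `219.17.100.1 0.0.0.0` in the commands and `host 219.17.100.1` in the running configuration are the same rule, and how a mask such as `0.0.0.255` selects a whole third-octet network like the administrative range described above. The source host 219.17.101.50 and the sample packets are constructed for this example; the running configuration applies the list inbound on Ethernet0/0, whose address is on 219.17.101.0/24.

```python
"""Added example: evaluate packets against a Cisco IOS extended ACL.

Models IOS first-match semantics and the implicit "deny ip any any".
Access list 101 is copied from the Sunset running configuration; the
sample packets and host 219.17.101.50 are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Access list 101 exactly as shown in the Sunset router's running config.
SUNSET_ACL = """
access-list 101 permit tcp any host 219.17.100.1 eq www
access-list 101 permit udp any host 219.17.101.1 eq domain
access-list 101 permit tcp any host 219.17.100.1 eq smtp
access-list 101 deny   ip any any
"""

# IOS port keywords used on this page.
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}

AddrSpec = Tuple[str, str]  # (base address, wildcard mask)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0    # destination port, 0 when not applicable


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means "don't care". 0.0.0.0 is an exact
    host match and 255.255.255.255 (the "any" keyword) matches everything."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> Dict[str, List[Rule]]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, keyed by N."""
    lists: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tokens = line.lower().split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        lists.setdefault(number, []).append(Rule(action, proto, src, dst, dport))
    return lists


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt: first matching rule wins."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *r.src) or not wildcard_match(pkt.dst, *r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"   # implicit deny at the end of every IOS access list


# Constructed sample traffic from a curriculum host on the Ethernet0/0 network.
STUDENT = "219.17.101.50"
SAMPLE_PACKETS = {
    "web to www server":   Packet("tcp", STUDENT, "219.17.100.1", 80),
    "dns to dns server":   Packet("udp", STUDENT, "219.17.101.1", 53),
    "smtp to mail server": Packet("tcp", STUDENT, "219.17.100.1", 25),
    "https to www server": Packet("tcp", STUDENT, "219.17.100.1", 443),
    "dns to mail server":  Packet("udp", STUDENT, "219.17.100.1", 53),
    "ping to www server":  Packet("icmp", STUDENT, "219.17.100.1"),
}


def verdicts(acl_text: str = SUNSET_ACL, number: str = "101") -> Dict[str, str]:
    rules = parse_acl(acl_text)[number]
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6} {name}")
```

Running the script shows only the three permitted services passing; HTTPS to the web server, DNS sent to the wrong host and ICMP all fall through to the deny line, which is the behaviour the "deny all students all other access" statement is meant to produce.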