Lab Network Design

The infrastructure design goal is to segment the network into four logical groups: the Instructor Network, the Student Network, the Quarantine Network, and the Public Network. The Instructor Network contains the administrative and instructional hosts. The Student Network contains all the workstations in the lab. The Quarantine Network contains hosts running known malicious software. The Public Network contains hosts that are accessible across the public Internet. The logical implementation of the lab network is shown below.

Network Design - Logical

Hardware

  • Mikrotik CCR1009-7G-1C-1S+ Router
    • The Mikrotik router contains 1 SFP+ port and 8 gigabit Ethernet ports.
  • HP ProCurve 2910al-48G Switch
  • Comcast Modem

Subnets

The following subnets are present in the lab network. Devices are assigned addresses either statically (on the Public Network) or dynamically via DHCP (on the other three networks).

  • Public Network (VLAN 10): 96.71.204.40/29
    • Static IPs in the range 96.71.204.41-96.71.204.45
  • Quarantine Network (VLAN 20): 10.1.20.0/24
    • Dynamic (DHCP) IPs in the range 10.1.20.2-10.1.20.254
  • Student Network (VLAN 30): 10.1.30.0/24
    • Dynamic (DHCP) IPs in the range 10.1.30.2-10.1.30.254
  • Instructor Network (VLAN 40): 10.1.40.0/24
    • Dynamic (DHCP) IPs in the range 10.1.40.2-10.1.40.254

VLAN Mapping

To achieve the design goal of network separation with unique security needs, while still allowing each network to span multiple ports, we used VLANs to create three subnets behind the class router that are firewalled from each other (the Public VLAN is bridged straight to the modem), and then bridged the VLANs across ports. The following VLAN IDs are used:

  • VLAN10 - Public VLAN
  • VLAN20 - Quarantine VLAN
  • VLAN30 - Student VLAN
  • VLAN40 - Instructor VLAN

Physical Network and Bridge Design

The physical implementation of the lab network is shown below.

Network Design - Physical

The Quarantine VLAN is connected to ETHER2, the Student VLAN is connected to ETHER3, and the Instructor VLAN is connected to ETHER4. Any device connected directly to one of these three untagged interfaces receives an IP address from the DHCP server of the respective VLAN.

The router ports are assigned as follows:

  • SFP+: All four VLANs (VLAN10, VLAN20, VLAN30, VLAN40) are bridged onto the SFP+ interface, which is connected to the ESXi host. This allows the instructor to create virtual machines on the ESXi host and assign them to either the Public Network, Instructor Network, Student Network, or the Quarantine Network as desired.
  • ETHER1: Three VLANs (VLAN20, VLAN30, VLAN40) are bridged onto the ETHER1 interface. This allows the wireless access point to assign clients to VLANs as desired.
  • ETHER2: Untagged Quarantine VLAN
  • ETHER3: Untagged Student VLAN
  • ETHER4: Untagged Instructor VLAN
  • ETHER5: Two VLANs (VLAN 20 - Quarantine, and VLAN 30 - Student) are bridged onto the ETHER5 interface. The Student VLAN is untagged and the Quarantine VLAN is tagged. This gives a student device in the lab the option of accessing the Quarantine Network in a controlled manner.
  • ETHER6: Bridged to ETHER7 (public network)
  • ETHER7: Connected to the Comcast modem for WAN access.

Firewall Configuration

The following firewall configuration is used:

  • Traffic from VLAN20 to VLAN30 and VLAN40 is dropped.
  • Traffic from VLAN30 to VLAN20 and VLAN40 is dropped.
  • Traffic from VLAN40 to VLAN20 and VLAN30 is dropped.
  • Traffic from all internal subnets uses NAT/IP masquerading to ETHER7 and the Comcast modem.
  • The public network does not pass through the firewall, and is bridged directly to the Comcast modem.
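The firewall policy above, written out as a RouterOS configuration script. This is an added example, not the lab's own router export: the VLAN interface names (vlan20-quarantine, vlan30-student, vlan40-instructor), the bridge name bridge1, and the gateway addresses 10.1.x.1 are assumptions; the VLAN IDs, subnets and ETHER7 WAN port come from the page.

```routeros
# Added example (assumed names), not the lab's actual export.
# Assumes bridge1 already carries VLANs 20/30/40 across the ports
# described in the Physical Network and Bridge Design section.
/interface vlan
add interface=bridge1 name=vlan20-quarantine vlan-id=20
add interface=bridge1 name=vlan30-student vlan-id=30
add interface=bridge1 name=vlan40-instructor vlan-id=40

# Router-side gateway address for each internal VLAN (assumed .1).
/ip address
add address=10.1.20.1/24 interface=vlan20-quarantine
add address=10.1.30.1/24 interface=vlan30-student
add address=10.1.40.1/24 interface=vlan40-instructor

# Inter-VLAN isolation: each of the three internal VLANs may not reach
# the other two. Drops are logged so attempts to cross out of the
# Quarantine VLAN show up in the router log for the instructor.
/ip firewall filter
add chain=forward in-interface=vlan20-quarantine out-interface=vlan30-student \
    action=drop log=yes log-prefix="drop-v20-v30" comment="Quarantine -> Student"
add chain=forward in-interface=vlan20-quarantine out-interface=vlan40-instructor \
    action=drop log=yes log-prefix="drop-v20-v40" comment="Quarantine -> Instructor"
add chain=forward in-interface=vlan30-student out-interface=vlan20-quarantine \
    action=drop log=yes log-prefix="drop-v30-v20" comment="Student -> Quarantine"
add chain=forward in-interface=vlan30-student out-interface=vlan40-instructor \
    action=drop log=yes log-prefix="drop-v30-v40" comment="Student -> Instructor"
add chain=forward in-interface=vlan40-instructor out-interface=vlan20-quarantine \
    action=drop log=yes log-prefix="drop-v40-v20" comment="Instructor -> Quarantine"
add chain=forward in-interface=vlan40-instructor out-interface=vlan30-student \
    action=drop log=yes log-prefix="drop-v40-v30" comment="Instructor -> Student"

# Internal VLANs reach the Internet via NAT/masquerade out of ETHER7.
# VLAN10 (public) is bridged to the modem and never enters these chains.
/ip firewall nat
add chain=srcnat out-interface=ether7 action=masquerade comment="Internal -> WAN"
```

The drop rules only apply to traffic the router would route between the VLAN gateways; hosts on the same VLAN are bridged at layer 2 and never reach the forward chain, which is the behaviour the Network Testing section below expects.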

Network Testing

Host connected to ETHER1 (Tagged Student, Tagged Red, Tagged Instructor VLAN):

  • NO DHCP
  • Able to tag onto VLAN20, VLAN30, or VLAN40 and receive an address from the respective VLAN
  • When tagged onto a VLAN, should only be able to ping machines in the respective tagged VLAN

Host connected to ETHER2 (Untagged Red VLAN):

  • DHCP with address from 10.1.20.x range
  • Should be able to ping machines in VLAN20 but not on VLAN30 and VLAN40

Host connected to ETHER3 (Untagged Student VLAN):

  • DHCP with address from 10.1.30.x range
  • Should be able to ping machines on VLAN30 but not VLAN20 and VLAN40

Host connected to ETHER4 (Untagged Instructor VLAN):

  • DHCP with address from 10.1.40.x range
  • Should be able to ping machines on VLAN40 but not VLAN20 and VLAN30

Host connected to ETHER5 (Untagged Student VLAN, Tagged Quarantine VLAN):

  • DHCP with address from 10.1.30.x range
  • Able to be tagged onto VLAN30 and receive an IP address from the Quarantine VLAN

Host connected to ETHER6:

  • Comcast modem DHCP address in the 10.1.10.x range (unused)
  • Assigned static IP, publicly accessible