JY CHEN - Ask Anything, Learn Everything.

In Computers and Technology / College | 2025-07-06

You are the network administrator hired by a new organization that wants to have two main departments: the IT department and the Marketing department. Each department must have its own VLAN. You are tasked to implement a Zone-Based Policy Firewall to control traffic between these two departments according to the following requirements:

Both VLANs should be allowed to access the internet.

IT VLAN: This VLAN has servers and administrative workstations. They should be able to communicate with each other and access the internet, but they should be protected from direct access by the Marketing VLAN.

Marketing VLAN: This VLAN has computers that should only be able to access the internet but should not access the IT department VLAN or any server resources.

Based on the above scenario, using Cisco Packet Tracer, create a basic network topology and implement the above ACLs by showing clearly all the policies set. Perform the testing of the above scenario and take the screenshots of the test results.

Asked by adamukibwana51

Answer (2)

To create a network topology that fulfills these requirements using Cisco Packet Tracer, follow these steps:

**Network Setup:**

- Create two VLANs within your network — one for the IT department and one for the Marketing department.
- Assign the VLAN ID 10 to the IT department and VLAN ID 20 to the Marketing department.

**Assign Devices to VLANs:**

- Assign all IT department devices (e.g., servers and administrative workstations) to VLAN 10.
- Assign all Marketing department devices (e.g., computers) to VLAN 20.

**External Internet:**

- Connect a router to simulate access to the internet.
- Ensure both VLANs can route traffic to the internet.

**Zone-Based Policy Firewall (ZPF):**

- Create two security zones: one for the IT VLAN (IT-Zone) and one for the Marketing VLAN (Marketing-Zone).
- Define policies for these zones based on the specified requirements.
- IT to Internet: Allow traffic from the IT-Zone to the internet.
- Marketing to Internet: Allow traffic from the Marketing-Zone to the internet and block access to other zones.
- IT to Marketing: Deny traffic from Marketing-Zone to IT-Zone to ensure no access to IT department resources.

**Create Access Control Lists (ACLs):**

- Create an ACL that permits IT department resources to communicate internally and with the internet.
- Create an ACL that denies any traffic from the Marketing VLAN to the IT VLAN.

**Apply ZPF and ACLs:**

- Bind the defined policies and rules to appropriate interfaces using the zone and policy configuration commands on the router.

**Testing:**

- Verify that each department can access the internet as required.
- Ensure the IT department devices can communicate with each other.
- Test and confirm that Marketing department devices cannot access IT department devices.


By setting up this basic network topology in Cisco Packet Tracer and implementing the specified ACLs and ZPFs, you will ensure that the organization meets its security and operational requirements.

Answered by danjohnbrain | 2025-07-08
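One way to express the policies from the answer above in Cisco IOS ZPF syntax, added here as an example and not taken from the answer or from a Packet Tracer file: it assumes router-on-a-stick subinterfaces for VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24), an ISP uplink on GigabitEthernet0/1, and the zone, class-map and policy-map names shown, all of which are constructed for the example. The important property is ZPF's default deny between zones: Marketing cannot reach IT because no zone-pair permits it, and the explicit drop-log pair only makes that denial visible in the logs.

```cisco
! Zones: one per VLAN plus an outside zone for the ISP uplink
zone security IT-ZONE
zone security MKT-ZONE
zone security INTERNET-ZONE
!
! Router-on-a-stick: one subinterface per VLAN, each placed in its zone
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 zone-member security IT-ZONE
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 zone-member security MKT-ZONE
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security INTERNET-ZONE
!
! Traffic to inspect: stateful, so only replies to these sessions return
class-map type inspect match-any OUTBOUND-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect TO-INTERNET
 class type inspect OUTBOUND-TRAFFIC
  inspect
 class class-default
  drop
!
! Explicit, logged drop for Marketing -> IT (the default is a silent drop)
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
class-map type inspect match-all MKT-TO-IT
 match access-group 110
policy-map type inspect BLOCK-MKT-TO-IT
 class type inspect MKT-TO-IT
  drop log
 class class-default
  drop
!
! Zone pairs: sessions may start only in these directions. No pair exists
! for INTERNET -> any zone or IT -> MKT, so those are dropped by default.
zone-pair security IT-OUT source IT-ZONE destination INTERNET-ZONE
 service-policy type inspect TO-INTERNET
zone-pair security MKT-OUT source MKT-ZONE destination INTERNET-ZONE
 service-policy type inspect TO-INTERNET
zone-pair security MKT-IT source MKT-ZONE destination IT-ZONE
 service-policy type inspect BLOCK-MKT-TO-IT
```

To test, ping and open HTTP from a VLAN 20 PC to a VLAN 10 server (expected to fail) and to the simulated internet host (expected to succeed), then confirm with `show zone-pair security` and `show policy-map type inspect zone-pair sessions` that only the IT-OUT and MKT-OUT pairs carry sessions.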

To implement a Zone-Based Policy Firewall in Cisco Packet Tracer for two VLANs (IT and Marketing), you need to set up the VLANs, assign devices, route to the internet, create security zones, define policies, apply ACLs, and test the configuration. The setup ensures that the IT VLAN communicates internally and accesses the internet while the Marketing VLAN accesses the internet only, blocking any access to the IT department. Follow these detailed steps to meet the organization's requirements systematically.

Answered by danjohnbrain | 2025-07-08