This lab uses a network simulator to design a multi-VLAN topology, configure 802.1Q trunks, and implement Router-on-a-Stick (ROAS) with strict inter-VLAN ACLs to prevent unauthorized lateral movement.
Create distinct VLANs for Users (10), Servers (20), and Management (99). Assign switch ports to these VLANs and configure the uplink to the router as an 802.1Q trunk.
💡 Pro-tip: Always assign unused switch ports to a 'Blackhole' VLAN (e.g., VLAN 666) and shut them down. A device plugged into an unused jack then gets no link, and if the port is ever brought up by mistake it lands in a VLAN with no gateway rather than in a production VLAN.
Restricting the allowed VLANs on a trunk limits which VLANs are reachable from that link and keeps unnecessary broadcast traffic off it, but on its own it does not stop VLAN hopping. Switch-spoofing is prevented by disabling DTP (`switchport nonegotiate`, with user-facing ports fixed in access mode), and double-tagging by moving the trunk's native VLAN to an unused VLAN that is not in the allowed list, so that untagged frames arriving on the trunk are dropped.
Configure a sub-interface on the router for each VLAN (802.1Q encapsulation with the matching VLAN ID and the gateway address for that subnet). Apply an ACL inbound on the User VLAN sub-interface, i.e. on packets arriving from VLAN 10, to block SMB (TCP 445) and RDP (TCP 3389) destined for the Server VLAN.
⚠️ Remember that ACLs are evaluated top-down and the first matching line wins, with an implicit deny at the end. Put the SMB/RDP deny lines above any broad permit, otherwise the permit shadows them and the denies never match. Place a 'permit icmp' (for the lab's ping tests) or 'permit tcp ... established' line where it is needed so you don't accidentally block legitimate return traffic, and bear in mind that 'established' is a stateless check on the ACK/RST flags, not connection tracking.
| VLAN | ID | Subnet |
|---|---|---|
| Users | 10 | 192.168.10.0/24 |
| Servers | 20 | 192.168.20.0/24 |
| Management | 99 | 192.168.99.0/24 |
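The whole lab carried through in Cisco IOS syntax, as an added example rather than text from the original lab: VLAN IDs and subnets come from the table above, while the hostnames, interface numbers, the native VLAN ID 999 and the final vty restriction (which goes one step beyond the listed tasks) are assumptions. The `encapsulation dot1q` line on the trunk is only accepted on platforms that also support ISL (3560-class); a 2960 is dot1q-only and rejects it.

```cisco
! ===== SW1 (hostname, platform and port numbers are assumptions) =====
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name MGMT
vlan 666
 name BLACKHOLE
vlan 999
 name NATIVE-UNUSED
!
! User and server ports: fixed access mode, DTP off so a host cannot negotiate a trunk
interface range GigabitEthernet1/0/1 - 8
 description Users
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface range GigabitEthernet1/0/9 - 12
 description Servers
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! Unused ports: parked in the blackhole VLAN and administratively down
interface range GigabitEthernet1/0/13 - 23
 description UNUSED
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! Uplink to the router: static 802.1Q trunk, no DTP, an unused native VLAN
! that is not in the allowed list, and only the three production VLANs
interface GigabitEthernet1/0/24
 description Trunk to R1 (ROAS)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! ===== R1 (hostname and interface are assumptions) =====
interface GigabitEthernet0/0
 description Trunk to SW1
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Users VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface GigabitEthernet0/0.20
 description Servers VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.99
 description Management VLAN
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
!
! Inbound from VLAN 10: first match wins, implicit deny at the end.
! The two denies sit above every permit so a broad permit cannot shadow them.
ip access-list extended USERS-IN
 remark Lateral-movement block: Users -> Servers SMB and RDP
 deny   tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 445 log
 deny   tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 3389 log
 remark Replies from Users to sessions the servers opened (ACK/RST set; stateless check)
 remark Redundant with the final permit today, kept so narrowing that line keeps replies working
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 remark Echo kept so the lab's ping tests work
 permit icmp 192.168.10.0 0.0.0.255 any echo
 remark Remaining traffic from the Users subnet; spoofed sources fall to the implicit deny
 permit ip 192.168.10.0 0.0.0.255 any
!
! Beyond the lab's listed steps: accept router logins only from the Management VLAN
ip access-list standard MGMT-ONLY
 permit 192.168.99.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
!
! Checks: show vlan brief / show interfaces trunk (SW1)
!         show ip interface brief / show access-lists (R1; per-line hit counters)
```

After applying it, a user-VLAN host should still ping 192.168.20.x but fail to open TCP 445 or 3389 to it, and `show access-lists USERS-IN` on R1 should show the hit counter on the matching deny line increasing with each attempt.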