diff --git a/network/switch.go b/network/switch.go
index 965db05c..59f1628d 100644
--- a/network/switch.go
+++ b/network/switch.go
@@ -104,6 +104,7 @@ func (sw *Switch) ConfigureTeamEthernet(teams [6]*model.Team) error {
 "ip dhcp pool dhcp%d\n"+
 "network 10.%s.0 255.255.255.0\n"+
 "default-router 10.%s.%d\n"+
+ "dns-server 8.8.8.8 8.8.4.4\n"+
 "lease 7\n"+
 "interface Vlan%d\nip address 10.%s.%d 255.255.255.0\nip access-group %s in\n",
 teamPartialIp,
diff --git a/network/switch_test.go b/network/switch_test.go
index 38041917..bdc4f9b3 100644
--- a/network/switch_test.go
+++ b/network/switch_test.go
@@ -46,7 +46,7 @@ func TestConfigureSwitch(t *testing.T) {
 t,
 "password\nenable\npassword\nterminal length 0\nconfig terminal\n"+
 "ip dhcp excluded-address 10.2.54.1 10.2.54.19\nip dhcp excluded-address 10.2.54.200 10.2.54.254\nip dhcp pool dhcp50\n"+
- "network 10.2.54.0 255.255.255.0\ndefault-router 10.2.54.4\nlease 7\n"+
+ "network 10.2.54.0 255.255.255.0\ndefault-router 10.2.54.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan50\nip address 10.2.54.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "end\nexit\n",
 command2,
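Review bot: The new `dns-server 8.8.8.8 8.8.4.4` line hard-codes Google's public resolvers into the DHCP pool that ConfigureTeamEthernet pushes to every team VLAN, so a venue with its own DNS, or an event run with no uplink at all, cannot change them without a code change, and every team client's name lookups go to a third party. Make them a setting with the current addresses as the default: `"dns-server %s\n"+` here, with the space-joined server list appended to the argument list that starts at `teamPartialIp`. The pool only helps if the ACL named on the `ip access-group %s in` line lets the VLAN reach those addresses; if the deployed DS-FMS still restricts the VLAN to FMS traffic, clients are handed resolvers they cannot reach and lookups time out, which deserves a comment at this line. ConfigureTeamEthernet begins and ends outside the hunk.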
@@ -64,22 +64,22 @@ func TestConfigureSwitch(t *testing.T) {
 t,
 "password\nenable\npassword\nterminal length 0\nconfig terminal\n"+
 "ip dhcp excluded-address 10.11.14.1 10.11.14.19\nip dhcp excluded-address 10.11.14.200 10.11.14.254\nip dhcp pool dhcp10\n"+
- "network 10.11.14.0 255.255.255.0\ndefault-router 10.11.14.4\nlease 7\n"+
+ "network 10.11.14.0 255.255.255.0\ndefault-router 10.11.14.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan10\nip address 10.11.14.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "ip dhcp excluded-address 10.2.54.1 10.2.54.19\nip dhcp excluded-address 10.2.54.200 10.2.54.254\nip dhcp pool dhcp20\n"+
- "network 10.2.54.0 255.255.255.0\ndefault-router 10.2.54.4\nlease 7\n"+
+ "network 10.2.54.0 255.255.255.0\ndefault-router 10.2.54.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan20\nip address 10.2.54.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "ip dhcp excluded-address 10.2.96.1 10.2.96.19\nip dhcp excluded-address 10.2.96.200 10.2.96.254\nip dhcp pool dhcp30\n"+
- "network 10.2.96.0 255.255.255.0\ndefault-router 10.2.96.4\nlease 7\n"+
+ "network 10.2.96.0 255.255.255.0\ndefault-router 10.2.96.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan30\nip address 10.2.96.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "ip dhcp excluded-address 10.15.3.1 10.15.3.19\nip dhcp excluded-address 10.15.3.200 10.15.3.254\nip dhcp pool dhcp40\n"+
- "network 10.15.3.0 255.255.255.0\ndefault-router 10.15.3.4\nlease 7\n"+
+ "network 10.15.3.0 255.255.255.0\ndefault-router 10.15.3.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan40\nip address 10.15.3.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "ip dhcp excluded-address 10.16.78.1 10.16.78.19\nip dhcp excluded-address 10.16.78.200 10.16.78.254\nip dhcp pool dhcp50\n"+
- "network 10.16.78.0 255.255.255.0\ndefault-router 10.16.78.4\nlease 7\n"+
+ "network 10.16.78.0 255.255.255.0\ndefault-router 10.16.78.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan50\nip address 10.16.78.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "ip dhcp excluded-address 10.15.38.1 10.15.38.19\nip dhcp excluded-address 10.15.38.200 10.15.38.254\nip dhcp pool dhcp60\n"+
- "network 10.15.38.0 255.255.255.0\ndefault-router 10.15.38.4\nlease 7\n"+
+ "network 10.15.38.0 255.255.255.0\ndefault-router 10.15.38.4\ndns-server 8.8.8.8 8.8.4.4\nlease 7\n"+
 "interface Vlan60\nip address 10.15.38.4 255.255.255.0\nip access-group DS-FMS in\n"+
 "end\nexit\n",
 command2,
diff --git a/switch_config.txt b/switch_config.txt
index 0ece2617..c595328d 100644
--- a/switch_config.txt
+++ b/switch_config.txt
@@ -17,6 +17,8 @@ ip routing
 !
 ip dhcp excluded-address 10.0.100.1 10.0.100.125
 ip dhcp excluded-address 10.0.100.200 10.0.100.225
+ip dhcp excluded-address 10.0.200.1 10.0.200.19
+ip dhcp excluded-address 10.0.200.200 10.0.200.254
 !
 ip dhcp pool dhcppool
 network 10.0.100.0 255.255.255.0
@@ -25,7 +27,15 @@ ip dhcp pool dhcppool
 default-router 10.0.100.3
 lease 7
 !
-ip route 0.0.0.0 0.0.0.0 10.0.100.1
+ip dhcp pool dhcppool-internet
+ network 10.0.200.0 255.255.255.0
+ dns-server 8.8.8.8 8.8.4.4
+ default-router 10.0.200.4
+ lease 7
+!
+! No static default route - the default route is learned via DHCP on the WAN
+! uplink (port 48 / Vlan200). When port 48 is connected, the upstream device
+! assigns an IP and gateway which the switch installs automatically.
 ip route 10.0.0.0 255.0.0.0 Null0
 !
 lldp run
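Review bot: Removing `ip route 0.0.0.0 0.0.0.0 10.0.100.1` leaves the switch with no default route whenever port 48 is unplugged or the upstream DHCP offer carries no router option, and the FMS VLAN, which previously had its way out via 10.0.100.1, loses that path as well; the new `! No static default route` comment describes only the happy path and should say so, e.g. `! With port 48 down (or no router option from upstream) the switch has NO default route, FMS VLAN included.` On IOS a DHCP-learned default route is installed with administrative distance 254, so any static default route someone re-adds later silently wins over it, which is worth one more sentence in the same comment. `dhcppool-internet` hard-codes `dns-server 8.8.8.8 8.8.4.4` exactly as the Go side now does, so the resolver choice should live in one documented place rather than two. If the venue uplink assigns the switch an address inside 10.0.0.0/16 it overlaps the team and FMS subnets, and a reminder to check the assigned WAN address belongs in this comment too.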
@@ -211,59 +221,103 @@ interface GigabitEthernet1/0/43
 switchport mode access
 !
 interface GigabitEthernet1/0/44
- switchport access vlan 100
+ description Internet-Only
+ switchport access vlan 300
 switchport mode access
 !
 interface GigabitEthernet1/0/45
- switchport access vlan 100
+ description Internet-Only
+ switchport access vlan 300
 switchport mode access
 !
 interface GigabitEthernet1/0/46
- switchport access vlan 100
+ description Internet-Only
+ switchport access vlan 300
 switchport mode access
 !
 interface GigabitEthernet1/0/47
- switchport access vlan 100
+ description Internet-Only
+ switchport access vlan 300
 switchport mode access
 !
 interface GigabitEthernet1/0/48
- switchport access vlan 100
+ description WAN-Uplink
+ switchport access vlan 200
 switchport mode access
 !
 interface Vlan1
 ip address 10.0.0.3 255.255.255.0
+ ip nat inside
 !
 interface Vlan10
 ip address 10.0.1.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan20
 ip address 10.0.2.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan30
 ip address 10.0.3.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan40
 ip address 10.0.4.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan50
 ip address 10.0.5.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan60
 ip address 10.0.6.4 255.255.255.0
 ip access-group DS-FMS in
+ ip nat inside
 !
 interface Vlan100
 ip address 10.0.100.3 255.255.255.0
+ ip nat inside
+!
+! ===== WAN uplink VLAN =====
+! Port 48 connects to an ethernet hotspot or venue uplink. The switch
+! acts as a DHCP client here - the upstream device assigns it one IP
+! address. NAT (masquerade) then hides ALL internal traffic behind that
+! single IP, so the upstream only ever sees one device.
+interface Vlan200
+ description WAN-Uplink
+ ip address dhcp
+ ip nat outside
+!
+! ===== Internet-only VLAN =====
+! Ports 44-47. Devices here get internet access but are completely
+! blocked from reaching any FMS or team network addresses.
+interface Vlan300
+ description Internet-Only
+ ip address 10.0.200.4 255.255.255.0
+ ip access-group INTERNET-ONLY in
+ ip nat inside
 !
 ip classless
 ip http server
 ip http secure-server
 !
+! ===== NAT (PAT / masquerade) =====
+! All traffic from internal 10.x.x.x networks going to the internet is
+! translated to the single IP the WAN port received from the upstream
+! device. To the outside world, everything looks like one machine.
+ip access-list extended NAT-INSIDE
+ permit ip 10.0.0.0 0.255.255.255 any
+!
+ip nat inside source list NAT-INSIDE interface Vlan200 overload
+!
+! ===== Team / FMS access list =====
+! Applied inbound on team VLAN interfaces (Vlan10-60).
+! Allows FMS comms and DHCP as before, plus unrestricted internet via NAT.
 ip access-list extended DS-FMS
 permit udp any eq 1145 10.0.100.0 0.0.0.255 eq 1160
 permit tcp any 10.0.100.0 0.0.0.255 eq 1750
@@ -271,6 +325,21 @@ ip access-list extended DS-FMS
 permit icmp any 10.0.0.4 0.255.255.0
 permit udp any any eq bootpc
 permit udp any any eq bootps
+ permit ip any any
+!
+! ===== Internet-only access list =====
+! Applied inbound on Vlan300 (ports 44-47).
+! DHCP is allowed first so devices can get an address.
+! Then all RFC-1918 private ranges are blocked (no access to FMS, team
+! networks, or anything else internal). Everything else (the internet) is
+! allowed and will be NATted through port 48.
+ip access-list extended INTERNET-ONLY
+ permit udp any any eq bootpc
+ permit udp any any eq bootps
+ deny ip any 10.0.0.0 0.255.255.255
+ deny ip any 172.16.0.0 0.15.255.255
+ deny ip any 192.168.0.0 0.0.255.255
+ permit ip any any
 !
 snmp-server community 1234Five RO
 !
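Review bot: The new `interface Vlan200` faces an untrusted hotspot or venue network with no inbound filter, while the context lines show `ip http server`, `ip http secure-server` and an `snmp-server community 1234Five RO` still enabled, and switch.go logs in to this device over the network with a password; before this change port 48 was an access port inside VLAN 100, so those services were reachable only from the FMS side. NAT overload shields the inside hosts, but packets addressed to the DHCP-assigned WAN address itself reach the switch's own management services, so add an inbound ACL on Vlan200 that denies the management ports and permits everything else (NATted return traffic is unaffected, since it arrives with an ephemeral destination port), or bind `ip http access-class`, the vty `access-class` and the SNMP community to an internal-only ACL. Vlan1 (10.0.0.3, the management SVI) also receives `ip nat inside`, which gives management hosts internet egress; confirm that is intended rather than a side effect of adding it to every SVI. The `! ===== WAN uplink VLAN =====` comment should also warn that an upstream lease inside 10.0.0.0/16 would overlap the team and FMS subnets.
```text
! … unchanged: access ports and team VLAN SVIs …
interface Vlan200
 description WAN-Uplink
 ip address dhcp
 ip access-group WAN-IN in
 ip nat outside
! … unchanged: Vlan300, http server, NAT-INSIDE, DS-FMS …
! Port 48 faces an untrusted network: keep it away from the switch's own
! management services. NATted return traffic is not affected because it
! arrives with an ephemeral destination port.
ip access-list extended WAN-IN
 deny tcp any any eq 22
 deny tcp any any eq telnet
 deny tcp any any eq www
 deny tcp any any eq 443
 deny udp any any eq snmp
 permit ip any any
```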
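Review bot: The `permit ip any any` appended to DS-FMS does more than the "unrestricted internet via NAT" the header comment promises: because that list is applied inbound on every team VLAN, a team host can now reach the other team subnets, ports on the FMS hosts in 10.0.100.0/24 beyond the 1145/1160/1750 entries shown, the Internet-only VLAN and the management address 10.0.0.3, all of which the list blocked before this commit. Put the same RFC-1918 denies that INTERNET-ONLY uses ahead of it — `deny ip any 10.0.0.0 0.255.255.255`, `deny ip any 172.16.0.0 0.15.255.255`, `deny ip any 192.168.0.0 0.0.255.255` — so the earlier FMS and DHCP permits still match first and only external destinations fall through to `permit ip any any`. INTERNET-ONLY itself leaves 100.64.0.0/10 open, which matters if the hotspot numbers its own LAN from shared address space; a `deny ip any 100.64.0.0 0.63.255.255` keeps the "nothing internal" promise in its comment honest. DS-FMS starts outside this hunk, so the entries between its first lines and `permit icmp any 10.0.0.4 0.255.255.0` were not reviewed.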