Design a network configuration for advanced segmentation and access control
description
With this prompt you can design a network configuration that enables advanced segmentation and access control, so your network is better protected against unauthorized access and easier to manage. It helps you implement complex security rules tailored to your own network's needs, which is better than default configurations.
prompt
Help me design a network configuration that enables advanced segmentation and access control. My current network equipment: <describe your network equipment>. My current configuration: <enter your current network configuration>. Spec ...
ai_answers
provider: openai
model: gpt-4.1-nano
Certainly, I'd be glad to help you design a secure, segmented network configuration. Here is a detailed proposal based on your equipment and requirements:
1. Subnet layout and VLAN configuration
- VLANs and subnets:
- VLAN 10 (Administration): 192.168.10.0/24
- VLAN 20 (Production): 192.168.20.0/24
- VLAN 30 (Marketing): 192.168.30.0/24
- VLAN 40 (Finance): 192.168.40.0/24
- VLAN 50 (Servers): 192.168.50.0/24
- Configure the VLANs on your Cisco Catalyst 9300 switches:
```plaintext
vlan 10
name Administratie
vlan 20
name Productie
vlan 30
name Marketing
vlan 40
name Financiën
vlan 50
name Servers
```
2. Inter-VLAN routing and security
- Use your Cisco ISR router as a Layer 3 switch or router to handle routing between the VLANs.
- Create an SVI (Switched Virtual Interface) for each VLAN:
```plaintext
interface vlan 10
ip address 192.168.10.1 255.255.255.0
interface vlan 20
ip address 192.168.20.1 255.255.255.0
interface vlan 30
ip address 192.168.30.1 255.255.255.0
interface vlan 40
ip address 192.168.40.1 255.255.255.0
interface vlan 50
ip address 192.168.50.1 255.255.255.0
```
- Make sure the router has the correct routes and that all VLANs are reachable through the router.
3. ACLs for access control
- Restrict communication between Marketing (VLAN 30) and Finance (VLAN 40):
```plaintext
ip access-list extended ACL_MARKETING_FIN
 ! Specific deny entries must precede the catch-all permit:
 ! IOS evaluates entries top-down and stops at the first match.
 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 ! Mirror entry so Finance cannot reach Marketing either
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
```
- Only IT (for example VLAN 10 and VLAN 50) has access to the servers (VLAN 50):
```plaintext
ip access-list extended ACL_IT_SERVERS
 ! Only Administratie/IT (VLAN 10) may reach the server subnet
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 ! Every other source is dropped; 'log' records the attempts
 deny ip any 192.168.50.0 0.0.0.255 log
 permit ip any any
```
- Apply these ACLs to the appropriate interfaces:
```plaintext
interface vlan 30
 ip access-group ACL_MARKETING_FIN in
interface vlan 40
 ip access-group ACL_MARKETING_FIN in
! 'in' on an SVI filters traffic sourced from that VLAN, so a filter that
! protects the servers belongs 'out' on the server SVI, where it sees
! traffic arriving from every other VLAN.
interface vlan 50
 ip access-group ACL_IT_SERVERS out
```
4. Firewall settings (Fortinet)
- Configure firewall policies to control traffic between VLANs in line with the ACLs.
- Make sure traffic from untrusted VLANs to critical systems is restricted.
- Implement NAT where needed, especially for external access.
5. Additional security measures
- Strictly segment management and user networks.
- Implement 802.1X for port-based access.
- Use VLAN naming and documentation for overview.
- Consider private VLANs for extra isolation within VLANs.
- Configure logging and monitoring on all devices.
6. Other recommendations
- Use QoS to give critical applications priority.
- Keep firmware and patches up to date.
- Test your configuration thoroughly before putting it into production.
By applying these configurations and measures you create a network that is not only well segmented but also meets your security and manageability requirements. If you need specific configuration commands or further help, just let me know!
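The ACL section above depends on entry order: IOS stops at the first matching entry, so a `permit ... any` placed before a `deny` makes the deny unreachable. The following is an added example, not code from the answer above or from Cisco: a small first-match evaluator for IOS extended ACLs that parses wildcard masks, reports entries shadowed by earlier ones, and checks a constructed set of flows against the stated intent (Marketing and Finance isolated, other traffic allowed). `ORIGINAL_ACL` is the "permit any first" ordering and `FIXED_ACL` the reordered version; both texts and all addresses are constructed for the demo.

```python
"""Added example, not part of the answer above: a first-match evaluator for
Cisco IOS extended ACLs that shows why entry order matters. ACL texts and
test flows are constructed for this demo; ORIGINAL_ACL is the 'permit any
first' version, FIXED_ACL moves the deny entries in front."""
import ipaddress

ORIGINAL_ACL = """
ip access-list extended ACL_MARKETING_FIN
 permit ip 192.168.30.0 0.0.0.255 any
 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip any any
"""

FIXED_ACL = """
ip access-list extended ACL_MARKETING_FIN
 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
"""


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]: 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD'. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Return the entries as (action, protocol, src_net, dst_net), in order.
    Only the 'permit|deny <proto> <src> <dst>' form is handled; port
    qualifiers and 'established' are ignored in this demo."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # ACL header line or '!' comment
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """IOS semantics: the first matching entry wins; a packet that matches
    no entry is dropped by the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net in entries:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry
    already covers every packet they would match."""
    out = []
    for j, (_, pj, sj, dj) in enumerate(entries):
        for _, pi, si, di in entries[:j]:
            if pi in ("ip", pj) and sj.subnet_of(si) and dj.subnet_of(di):
                out.append(j)
                break
    return out


# Constructed flows: (source, destination, verdict the design intends)
FLOWS = [
    ("192.168.30.10", "192.168.40.10", "deny"),    # Marketing -> Finance
    ("192.168.40.10", "192.168.30.10", "deny"),    # Finance -> Marketing
    ("192.168.30.10", "192.168.20.10", "permit"),  # Marketing -> Production
]


def check_intent(acl_text):
    """Return the flows whose verdict differs from the intended one."""
    entries = parse_acl(acl_text)
    return [(s, d, evaluate(entries, s, d)) for s, d, want in FLOWS
            if evaluate(entries, s, d) != want]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, "shadowed:", shadowed_entries(parse_acl(text)),
              "violations:", check_intent(text))
```

Run it before pasting an ACL into a production SVI: a non-empty `shadowed_entries` result means an entry is dead code, and a non-empty `check_intent` result means the policy does not do what the design document says it does.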
provider: deepseek
model: deepseek-chat
Of course. This is an excellent use case for leveraging your existing enterprise-grade equipment. Here is a comprehensive network design and configuration guide to achieve advanced segmentation and access control based on your requirements.
### Core Design Philosophy: The Principle of Least Privilege
The goal is to move from a flat, "router-on-a-stick" model to a more secure, firewall-centric model where all inter-VLAN traffic is inspected and controlled by the Fortinet firewall. This is often called a **collapsed core** or **firewall-as-a-router** design.
---
### 1. Logical Network Design & Subnetting
First, we need to define new VLANs to properly segment the departments. Your existing VLANs are a good start, but we need more granularity.
**Proposed VLANs and IP Subnets:**
* **VLAN 10 - Network Infrastructure (Existing):** `10.10.10.0/24`
* Switches, routers, firewall management interfaces, wireless LAN controllers.
* **VLAN 20 - Servers (Renamed from "Production"):** `10.10.20.0/24`
* All servers (File, Database, Application).
* **VLAN 30 - IT Department:** `10.10.30.0/24`
* Workstations and devices for the IT team.
* **VLAN 40 - Finance Department:** `10.10.40.0/24`
* Workstations and devices for the Finance team.
* **VLAN 50 - Marketing Department:** `10.10.50.0/24`
* Workstations and devices for the Marketing team.
* **VLAN 60 - Guest WiFi:** `10.10.60.0/24`
* For visitors and non-corporate devices. This should have very restricted access.
*Note: Using a consistent IP scheme like `10.10.VLAN.0/24` makes management intuitive.*
---
### 2. Physical Topology & Routing Changes
The most critical change is to make the **Fortinet Firewall the default gateway for all VLANs** instead of the Cisco ISR router. The router will be relegated to its strength: WAN connectivity.
**New Data Flow:**
1. A host in VLAN 50 (Marketing) wants to talk to a host in VLAN 40 (Finance).
2. The packet is sent to its default gateway, which is now the Fortinet firewall's internal interface.
3. The firewall checks its policy rules.
4. Since the rule likely denies this communication, the packet is dropped, and a log entry is created.
5. If the traffic were allowed, the firewall would route it to the destination VLAN.
**Physical Connectivity:**
* Create an **Inter-Switch Link (ISL)** between your core Catalyst 9300 switch and the Fortinet firewall using a **Link Aggregation Group (LAG / LACP)** for redundancy and bandwidth.
* The ISR router will connect to the Fortinet firewall on a dedicated "WAN" zone interface.
---
### 3. Switch Configuration (Cisco Catalyst 9300)
The switches will handle Layer 2 segmentation. We'll create the new VLANs and assign switch access ports appropriately.
**Step 1: Create VLANs on the switches.**
```cisco
! Create the new VLANs
configure terminal
vlan 30
name IT-Department
vlan 40
name Finance-Department
vlan 50
name Marketing-Department
vlan 60
name Guest-WiFi
exit
```
**Step 2: Configure Access Ports for End-Users.**
*Assign each physical port to the correct VLAN based on which department's device is connected.*
```cisco
! Example: Configure interface GigabitEthernet1/0/1 for a Finance user
interface GigabitEthernet1/0/1
description Finance-User-PC
switchport mode access
switchport access vlan 40
spanning-tree portfast
! Prevents lengthy delay when PC boots up
exit
```
**Step 3: Configure the Uplink to the Firewall as a Trunk.**
*This trunk will carry all VLANs to the firewall.*
```cisco
! Create the unused VLAN that will serve as the trunk's native VLAN
vlan 99
 name Native-Unused
exit
! Bundle the physical uplinks into Port-channel1 with LACP
! (interface numbers are an example; use your real uplink ports)
interface range GigabitEthernet1/1/1 - 2
 description Member-of-Po1-to-Fortinet
 channel-group 1 mode active
exit
! Configure the logical interface connected to the Fortinet firewall
interface Port-channel1
 description Uplink-to-Fortinet-Firewall
 switchport mode trunk
 switchport trunk native vlan 99
 ! Use an unused VLAN for the native (untagged) VLAN for security.
 switchport trunk allowed vlan 10,20,30,40,50,60
 ! Explicitly allow only the necessary VLANs
exit
```
---
### 4. Firewall Configuration (Fortinet)
This is where the primary access control is implemented. We will use **Firewall Policies** based on source/destination zones or interfaces.
**Step 1: Create Zones (Recommended for Scalability).**
* **Zone: "Internal-Servers"** (VLAN 20)
* **Zone: "Internal-Clients"** (VLANs 30, 40, 50)
* **Zone: "Infrastructure"** (VLAN 10)
* **Zone: "Guest"** (VLAN 60)
* **Zone: "WAN"** (Interface to ISR router)
*Assign the corresponding VLAN sub-interfaces to these zones.*
**Step 2: Critical Firewall Policies (Applied in order from top to bottom).**
1. **IT to Servers (Allow):**
* Source Zone: `Internal-Clients` | Source Address: `10.10.30.0/24` (IT Subnet)
* Destination Zone: `Internal-Servers`
* Service: `ALL` (or be more specific, e.g., RDP, SSH, HTTP/S based on need)
* Action: `ACCEPT`
* This satisfies "only IT has access to servers."
2. **Finance to Internet (Allow, but restrict servers):**
* Source Zone: `Internal-Clients` | Source Address: `10.10.40.0/24`
* Destination Zone: `WAN`
* Service: `ALL`
* Action: `ACCEPT`
* *Note: Finance can reach the internet but cannot reach the Servers zone because there is no specific rule allowing it. The implicit deny at the end will block it.*
3. **Marketing to Internet (Allow, but restrict servers and finance):**
* Source Zone: `Internal-Clients` | Source Address: `10.10.50.0/24`
* Destination Zone: `WAN`
* Service: `ALL`
* Action: `ACCEPT`
* *Note: Marketing cannot reach Finance or Servers due to the lack of a permit rule.*
4. **Explicit Deny between Marketing and Finance:**
* *While the implicit deny will handle this, an explicit rule is good practice for logging.*
* Source Zone: `Internal-Clients` | Source Address: `10.10.50.0/24`
* Destination Zone: `Internal-Clients` | Destination Address: `10.10.40.0/24`
* Service: `ALL`
* Action: `DENY`
* Logging: `Enable`
* Create a mirror rule from Finance to Marketing.
5. **Implicit Deny All Rule:**
* This exists by default on the Fortinet and will block any traffic not explicitly permitted by the rules above.
---
### 5. Router Configuration (Cisco ISR)
The ISR's role is simplified. It will handle dynamic routing (like BGP or OSPF) with your ISP if needed, and the Fortinet will have a static route pointing to the ISR for all internet-bound traffic (`0.0.0.0/0`).
**Example ISR Configuration Snippet:**
```cisco
interface GigabitEthernet0/0/0
description Link-to-Fortinet-WAN-Zone
ip address 192.168.255.2 255.255.255.252
! Use a small /30 subnet for the point-to-point link
no shutdown
!
ip route 0.0.0.0 0.0.0.0 <Your-ISP-Next-Hop-Address>
! Default route to the internet
```
**Corresponding Fortinet Static Route:**
* Destination: `0.0.0.0/0`
* Gateway: `192.168.255.2` (ISR's IP address)
* Interface: `wan-interface`
---
### 6. Additional Security Enhancements & Best Practices
1. **Dynamic ARP Inspection (DAI) & DHCP Snooping:** Configure these on the Catalyst switches to prevent ARP poisoning and rogue DHCP servers.
2. **802.1X (Network Access Control):** For the highest level of security, implement 802.1X. This ensures that only authorized devices can connect to switch ports and be placed into the correct VLAN automatically.
3. **Switch Management:** Restrict management access (SSH, HTTPS) to VLAN 10 (Infrastructure) only.
4. **Firewall Logging:** Enable logging on all firewall policies, especially the DENY rules, for monitoring and troubleshooting.
5. **Regular Backups:** Automate backups of the configuration for all your Cisco and Fortinet devices.
### Summary of Achieved Goals
* **Marketing <-> Finance Restriction:** Achieved by the lack of a permit rule and an explicit deny rule on the firewall.
* **Only IT Accesses Servers:** Achieved by a firewall policy that only permits the IT subnet (`10.10.30.0/24`) to reach the Servers zone (`10.10.20.0/24`).
* **Enhanced Security:** Moving routing and ACLs to the stateful firewall provides deep packet inspection and logging capabilities far superior to basic router ACLs.
* **Improved Manageability:** A logical VLAN and IP scheme makes troubleshooting and policy creation much easier.
This design provides a strong, scalable foundation for a secure enterprise network.
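The switch steps (access ports with portfast, a trunk with a non-default native VLAN and a pruned allowed list) and the DAI/DHCP snooping recommendations above are easy to drift away from on a fleet of switches. The following is an added example, not code from the answer above or from Cisco: a small audit script that parses a Catalyst-style running-config and flags those gaps. The BPDU guard check on portfast edge ports and the "no switchport mode" check are this example's own additions beyond the answer; both config texts are constructed for the demo, with `WEAK_CONFIG` containing deliberate gaps and `HARDENED_CONFIG` the corrected form.

```python
"""Added example, not part of the answer above: an audit script that reads a
Catalyst-style running-config and flags Layer 2 hardening gaps (native VLAN 1,
unpruned trunks, missing DHCP snooping / DAI, portfast without BPDU guard,
ports without an explicit switchport mode). Config texts are constructed."""

# Constructed: a config with a few deliberate gaps.
WEAK_CONFIG = """
!
ip dhcp snooping
ip dhcp snooping vlan 30,40,50,60
!
interface GigabitEthernet1/0/1
 description Finance-User-PC
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
interface Port-channel1
 description Uplink-to-Fortinet-Firewall
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60
!
interface Port-channel2
 description Uplink-to-Access-Switch
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description Unconfigured-Port
 switchport access vlan 50
!
"""

# Constructed: the same switch with every finding addressed.
HARDENED_CONFIG = """
!
ip dhcp snooping
ip dhcp snooping vlan 30,40,50,60
ip arp inspection vlan 30,40,50,60
!
interface GigabitEthernet1/0/1
 description Finance-User-PC
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Port-channel2
 description Uplink-to-Access-Switch
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 30,40,50,60
!
"""


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}.
    A '!' separator or an unindented line ends the current interface block."""
    globals_, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, ifaces


def _value(lines, prefix, default=None):
    """Last word of the first line starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[-1]
    return default


def audit(text):
    """Return (scope, finding) tuples; an empty list means no gaps found."""
    globals_, ifaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", "DHCP snooping is not enabled"))
    if not any(g.startswith("ip arp inspection vlan") for g in globals_):
        findings.append(("global", "Dynamic ARP Inspection is not enabled on any VLAN"))
    for name, lines in ifaces.items():
        if "no switchport" in lines:
            continue  # routed port: no Layer 2 checks apply
        mode = _value(lines, "switchport mode ")
        if mode == "trunk":
            if _value(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append((name, "trunk uses native VLAN 1; move untagged frames to an unused VLAN"))
            if _value(lines, "switchport trunk allowed vlan ") is None:
                findings.append((name, "trunk carries all VLANs; prune to the ones required"))
        elif mode == "access":
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "portfast without BPDU guard; a rogue switch could take over STP"))
        else:
            findings.append((name, "no 'switchport mode'; DTP could negotiate a trunk"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(WEAK_CONFIG):
        print(f"{scope}: {finding}")
```

Feed it the output of `show running-config` from each switch (for example from your configuration backups) and treat any finding as a deviation from the design; the checks are deliberately string-based so they need no vendor library.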