This repository contains a comprehensive network security implementation focused on Attack Surface Reduction and Management Plane Protection (MPP). The project is designed to demonstrate a professional engineering approach to network architecture, moving beyond basic connectivity to focus on security-first design principles.
The design of this infrastructure is based on three core pillars:
In a flat network environment, a single compromised host may lead to a total network breach. 802.1Q VLANs were implemented to establish logical boundaries:
- VLAN 10 (Engineering): Production environment for technical staff.
- VLAN 20 (HR): Isolated subnet for administrative and sensitive personnel data.
- VLAN 99 (Management): A restricted out-of-band management subnet.
The Router-on-a-Stick (RoAS) architecture was utilized. By configuring one sub-interface per VLAN on a single physical 802.1Q trunk link, a scalable inter-VLAN routing solution was achieved that balances cost-efficiency with Layer 3 forwarding between the segments. The trade-off is that all inter-VLAN traffic crosses that one trunk, which makes the link both the capacity bottleneck and the single enforcement point for any inter-VLAN policy.
The router is considered the "brain" of the network. To ensure its protection:
- SSHv2 Implementation: Insecure Telnet was replaced with encrypted SSHv2 (1024-bit RSA).
- ACL-Based Access Control: Instead of accepting SSH from any source, a standard Access Control List (ACL 10) was applied inbound to the virtual terminal (VTY) lines. Administrative sessions are thus restricted exclusively to the Management subnet (VLAN 99); connection attempts from any other subnet are dropped before the login prompt is ever reached.
Critical configuration snippets that define the security logic are provided below to demonstrate technical proficiency:
```cisco
! Switch: define the three VLANs and carry them on the 802.1Q trunk towards the router
vlan 10,20,99
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Router: sub-interface for the management VLAN (VLAN 10 and 20 follow the same pattern)
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
```
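The snippet above covers segmentation and routing only; the Management Plane Protection part (SSHv2 plus ACL 10 on the VTY lines) is shown here as an added example, not the repository's own configuration. The subnet 192.168.99.0/24, ACL number 10, SSHv2 and the 1024-bit key size follow the README; the hostname, domain name, username, timers and the explicit `deny any log` entry are assumptions.

```cisco
! Added example (not from the repository): management-plane hardening of the router.
! Assumed values: hostname R1, domain corp.example, user netadmin, timers below.
hostname R1
ip domain-name corp.example
! Local administrator; "secret" stores a hash, "password" would store it reversibly
username netadmin privilege 15 secret <strong-password>
! RSA key pair for SSH. The README uses 1024 bits; 2048 is the current minimum recommendation.
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! ACL 10: only the out-of-band management subnet may open a VTY session.
! An explicit "deny any log" takes the place of the implicit deny so that rejected
! attempts are counted in "show ip access-lists" and logged, instead of vanishing silently.
access-list 10 remark MPP - VTY access restricted to VLAN 99
access-list 10 permit 192.168.99.0 0.0.0.255
access-list 10 deny   any log
!
! Packet Tracer routers expose vty 0 4; real hardware usually also has vty 5 15,
! which must receive the same access-class or it becomes an unfiltered side door.
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Close the other management-plane entry points
no ip http server
no ip http secure-server
```

Two details matter for the security claim: `access-class` filters the session before authentication, so a stolen password is useless from VLAN 10 or 20, and `transport input ssh` removes Telnet entirely rather than leaving it alongside SSH.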
Rigorous testing was conducted to ensure design integrity. The following verification steps are documented to confirm the operational status and security posture of the network:
The overall topology and trunking protocol were verified to ensure stable Layer 2 and Layer 3 foundations.
Network Topology Overview:
Trunking and Interface Status: The operational states of the trunk links and sub-interfaces were confirmed via CLI to ensure proper encapsulation and connectivity:
The restriction of the Management Plane was validated through the following technical tests:
- Authorized Access Test: An SSH session was successfully established from a device within VLAN 99, confirming that authorized administrative paths remain functional as defined in the security policy.
- Unauthorized Intrusion Test: SSH attempts from VLAN 10 and VLAN 20 were explicitly rejected by the router's ACL. This result demonstrates the effectiveness of the hardening strategy and the successful enforcement of the "Least Privilege" principle.
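The verification steps listed above can be reproduced from the CLI without screenshots. The following exec-mode commands are an added example, not taken from the repository's assets; the expected content is described in comments rather than reproduced, and the log line format assumes the ACL carries the `log` keyword and the platform honors it on `access-class`.

```cisco
! Added example (not from the repository): CLI checks behind the verification steps.
! --- On the switch: Layer 2 foundation ---
show vlan brief
! expect VLANs 10, 20 and 99 active, access ports assigned to the right VLAN
show interfaces trunk
! expect Gi0/1 in trunking mode with allowed VLANs 10,20,99 and no VLAN 1 leakage
!
! --- On the router: Layer 3 and management plane ---
show ip interface brief
! expect Gi0/0.99 up/up with 192.168.99.1 (and the other sub-interfaces up/up)
show ip ssh
! expect "SSH Enabled - version 2.0"; version 1.99 would mean SSHv1 is still accepted
show running-config | section line vty
! expect "access-class 10 in" and "transport input ssh" on every vty line
show ip access-lists 10
! authorized test: the permit line's match counter increments
! unauthorized test: the "deny any log" line's counter increments instead
show users
! during the authorized test: the only active vty session comes from 192.168.99.0/24
show logging | include IPACCESSLOG
! after the unauthorized test: one %SEC-6-IPACCESSLOGS line per rejected source
```

The two counters in `show ip access-lists 10` are the cleanest evidence for the report: a permit hit with no deny hit after the VLAN 99 test, then a deny hit with no new permit hit after the VLAN 10 and VLAN 20 tests.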
- assets/: Technical CLI evidence, verification screenshots, and topology captures.
- Segmented-Enterprise-Network-Security.pkt: The Cisco Packet Tracer source file, provided for detailed architectural review and peer testing.