Best Practice to set up a lab at my job
Hi, I work at the helpdesk in one of the Fortune 500 companies. I'm close friends with the network engineer department and they just told me that they were going to let me make my own lab with 4 layer 3 switches and 2 routers. I have access to VPN and I can remote into my work computer, so I would like to set up the lab for use during my time off. Again, this is a big company, so I don't want to do anything stupid. I would like to know what is the proper way to set up this lab. I don't want to ask the engineers since I want to impress them. Thanks
Comments
-
networker050184 Mod Posts: 11,962 Mod
Not sure what you are asking here. Can you be a little more specific? Do you need to know how to set up the VPN or what?
An expert is a man who has made all the mistakes which can be made.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Our lab is on its own VLAN, on a different physical switch, and on a different subnet than our production gear. If for any reason you have to plug the switch into the production switch stack, raise the STP priority and set the device in client mode BEFORE you plug it in.
-
ColbyG Member Posts: 1,264
Ask the engineers, they should have an idea how to set it all up if they haven't already.
-
burbankmarc Member Posts: 460
You could isolate the lab entirely and just SSH into your work PC then console in. You would need a console server. Also, if your work machine is running Windows then you'd have to RDP or something like that.
-
amb1s1 Member Posts: 408
networker050184 wrote: » Not sure what you are asking here. Can you be a little more specific? Do you need to know how to set up the VPN or what?
No, I'm not setting up VPN, because we already have VPN to get into our network.
-
amb1s1 Member Posts: 408
burbankmarc wrote: » You could isolate the lab entirely and just SSH into your work PC then console in. You would need a console server. Also, if your work machine is running Windows then you'd have to RDP or something like that.
I was thinking about this.
-
fly351 Member Posts: 360
amb1s1 wrote: » No, I'm not setting up VPN, because we already have VPN to get into our network.
Hmm, so you're going to set up a test/lab network, but it is really going to be part of the production network? I don't think that is a very good idea...
CCNP
-
amb1s1 Member Posts: 408
Bl8ckr0uter wrote: » Our lab is on its own VLAN, on a different physical switch, and on a different subnet than our production gear. If for any reason you have to plug the switch into the production switch stack, raise the STP priority and set the device in client mode BEFORE you plug it in.
I would be using this in a room that we have at the helpdesk for our lab, so it's going to be connected to a wall outlet. So, do I need to plug one of the switches into the wall outlet, or the router? I know if I plug in the switch, the port on both sides has to be set up as access. I don't want any BPDUs going around.
-
networker050184 Mod Posts: 11,962 Mod
Ask the engineers, man.
-
Heero Member Posts: 486
My guess is that you would be best off connecting one of the routers to the wall outlet, and run NAT with no routing protocol to the outside world, just a static default route. Use that router as your point of access. If you need to access other devices, telnet or SSH into the gateway router, and then through the gateway router you can get to the rest. Or you could set up port forwarding and just use a different port number for SSH for each device. There are a lot of options.
You really should not do any of this without written consent from the network team/guy that you are working for. Routing updates, STP, and other stuff could mess with their network, and though when properly configured your gateway device should not interfere, it could, and the network guy would probably want to set policy on the first hop device to block that type of stuff, that way you can't mess up the production network.
-
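The gateway design suggested above (NAT on one router, a static default route, no routing protocol toward production) can be checked before the uplink is plugged in. This is an added example, not part of the thread: a small Python audit of an IOS-style config, where the sample configs, addresses, interface names and the `stanzas` / `audit_gateway` helpers are constructed assumptions.

```python
import re

# Constructed sample configs for a hypothetical lab gateway router (not from the thread).
BASE = """\
interface GigabitEthernet0/0
 ip address 10.10.50.2 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.100.0 0.0.0.255
"""
RISKY = BASE + "router ospf 1\n network 0.0.0.0 255.255.255.255 area 0\n"
HARDENED = BASE + ("ip route 0.0.0.0 0.0.0.0 10.10.50.1\n"
                   "router ospf 1\n passive-interface GigabitEthernet0/0\n"
                   " network 192.168.100.0 0.0.0.255 area 0\n")

def stanzas(config):
    """Map each top-level config line to the indented lines under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_gateway(config, uplink):
    """Return findings for the production-facing (uplink) side of the gateway."""
    blocks, findings = stanzas(config), []
    if "ip nat outside" not in blocks.get(f"interface {uplink}", []):
        findings.append("uplink is not marked 'ip nat outside'")
    nat = rf"ip nat inside source list \S+ interface {re.escape(uplink)} overload"
    if not any(re.fullmatch(nat, head) for head in blocks):
        findings.append("no NAT overload rule on the uplink")
    if not any(head.startswith("ip route 0.0.0.0 0.0.0.0 ") for head in blocks):
        findings.append("no static default route")
    for head, body in blocks.items():
        if not re.match(r"router (ospf|eigrp|rip)\b", head):
            continue
        # The uplink must be passive so no hellos or updates reach production.
        passive = {f"passive-interface {uplink}", "passive-interface default"} & set(body)
        if not passive or f"no passive-interface {uplink}" in body:
            findings.append(f"'{head}' can send routing updates out the uplink")
    return findings
```

Calling `audit_gateway(RISKY, "GigabitEthernet0/0")` reports the missing default route and the OSPF process that covers the uplink; the hardened variant keeps OSPF inside the lab only and returns no findings.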
sides14 Member Posts: 113
I second the written consent - preferably by someone in management. It would suck to get fired for inappropriate use of company resources.
-
billscott92787 Member Posts: 933
Considering you're close friends with the engineer, it sounds like he may be doing you a favor. I would get written consent from the manager of your department. In addition, I would say that is going to be hard to accomplish, since your PC at work is part of the production network. My advice would be to isolate the test lab from the rest of the network in its own separate VLAN. Have an access server like Mark said. But I wouldn't suggest making your computer the access computer, because technically if you do that, you would have to have the lab on the same VLAN that your computer is on. If someone gains access to your machine, it's almost like a backdoor into your company. I would suggest setting up a machine or server that you can connect to once connected to your VPN: you connect to that lab machine, then the lab.
-
amb1s1 Member Posts: 408
I spoke with the engineers and they told me to not worry about the configuration because they are going to set it up for me. They have a room where each engineer has their own lab and I'm pretty sure it is insulated, but I had a bad gut feeling and I asked the engineers to not do the lab for me, and I told them that I'm just going to play with two switches for now for my BCMSN.
billscott92787 wrote: » If someone gains access to your machine, it's almost like a backdoor into your company.
Isn't that the case even if I don't build a lab? If someone gets access to my computer, they will have a backdoor to the network. Maybe you didn't understand; when I talk about my computer I mean my desktop PC. I was thinking of having a PC at my job connected to my lab via console cable, then I VPN in from my home and then remote in to the PC. Maybe I'm wrong, but again, I'm not planning on doing that. Thanks