Cisco SF200-24p Simulate the internet for lab testing with VPN

Question

I am currently learning about site to site VPNs. I've been following a guide that uses a router to simulate the internet for testing purposes. Unfortunately the steps to configure a router in this way are not explained. https://youtu.be/gSNdr08sAWw?si=UJYSLquR3Xynh9on shows what I would like to achieve. I'd like to configure 2 switch ports each with their own IP address range.

I have access to a Cisco layer 3 switch called sf200-24p. Firstly, can this be configured in this way? If so, what are the terms I need to research. Secondly, if not, could I use VLANS in some way to simulate the internet? Lastly, is there an easier way to do this with a basic router? I do have access to a ASUS rt-66u and also a draytek 2765

Answer 1

Actually, you can use any manage switch to "simulate the Internet". Just create an "Internet" VLAN and connect the WAN router to it. If clients expect DHCP or DNS services then you'd need to provide those as well.

Ideally, don't configure any IP addresses for the Internet VLAN on the switch. If you must and it's a layer-3 switch, make sure it's not routing transparently.

Alternatively, you could connect a test client directly to the router's WAN port - usually that's a single port, so just a single client as well.

Also, you should be aware of possible ICMP redirects from the switch - those might create static routes on your clients that interfere with testing. Perhaps it's best to deactivate the redirects.

Of course, for production use or connection to the real Internet you should harden the WAN-facing VLAN/ports:

• configure no IP address
• deactivate/filter STP BPDUs
• deactivate LLDP/CDP
• disable unwanted VLANs
• disable all protocols with attack potential: MVRP, GVRP, stacking, ...