Quality of Service and Access Control Lists are the two critical policy layers that make this network more than just a segmented design — they make it a functioning security posture with real performance guarantees. QoS ensures that gaming traffic from VLAN 50 is never starved by a 4K stream or a background update, while ACLs enforce the isolation promises made by the VLAN design: cameras truly cannot reach the internet, and guests truly cannot reach internal hosts. Both policies are applied on the Cisco 892FSP, the single routing chokepoint for all traffic in the network.
Quality of Service (QoS)
Goal
Minimize latency and jitter for VLAN 50 (GAMING) by guaranteeing a reserved share of WAN bandwidth, regardless of what other devices are doing.
Approach: Cisco MQC
The Cisco 892FSP uses Modular QoS CLI (MQC), which separates traffic identification (class-maps) from the action taken on that traffic (policy-maps), then attaches the policy to an interface.
Step 1 — Identify Gaming Traffic with a Class-Map
The GAMING-NET access group matches traffic sourced from the GAMING VLAN subnet (10.0.50.0/29), so classification is based on source IP rather than relying solely on DSCP markings, which client devices may not set consistently.
Step 2 — Define the Policy-Map
priority percent 40: Reserves 40% of the WAN interface’s outbound bandwidth as a strict-priority queue for GAMING traffic. This bandwidth is guaranteed and served before all other classes.
fair-queue on class-default: All remaining traffic (streaming, browsing, downloads) is scheduled with weighted fair queuing, preventing any single flow from monopolizing the remaining 60%.
Step 3 — Apply to WAN Interface
QoS is applied outbound on the WAN interface, meaning it shapes traffic leaving the home network toward the internet. For latency-sensitive games, the upstream direction (packets sent from the gaming PC to game servers) benefits most from this prioritization.
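The three steps above, carried through as one complete Cisco IOS MQC configuration. This is an added example written for this page, not the portfolio's own running config: the GAMING-NET access group name, the 10.0.50.0/29 subnet and the priority percent 40 / fair-queue settings come from the text, while the class-map and policy-map names, the WAN interface name (GigabitEthernet8) and the parent shaper rate are assumptions. The example goes one step beyond the text by wrapping the queuing policy in a parent shaper, because on a gigabit WAN port fed by a slower ISP uplink the interface itself never congests and a priority queue attached directly to it never engages.

```cisco
! Added example, not the portfolio's own configuration.
! Assumed names: GAMING, WAN-OUT, WAN-SHAPE, GigabitEthernet8; assumed
! upstream rate of 50 Mbps (set shape average to the real ISP upload rate).

! Step 1: classify by source subnet (10.0.50.0/29 = wildcard 0.0.0.7),
! not by DSCP marks that client devices may not set consistently
ip access-list extended GAMING-NET
 permit ip 10.0.50.0 0.0.0.7 any

class-map match-all GAMING
 match access-group name GAMING-NET

! Step 2: strict-priority (LLQ) queue for GAMING, weighted fair queuing
! for everything that lands in class-default
policy-map WAN-OUT
 class GAMING
  priority percent 40
 class class-default
  fair-queue

! Parent shaper (assumed addition): shape to the real upstream rate so the
! child policy queues against the ISP bottleneck, not the 1 Gbps port speed
policy-map WAN-SHAPE
 class class-default
  shape average 50000000
  service-policy WAN-OUT

! Step 3: attach outbound on the WAN interface (assumed interface name)
interface GigabitEthernet8
 description WAN uplink
 service-policy output WAN-SHAPE
```

Two points worth checking after applying it. First, the percentage in priority percent is taken from the parent class's rate, so the 40% reservation only means what the text says once the shaper reflects the actual upload rate. Second, an LLQ priority class is policed to its reservation during congestion: gaming traffic above 40% is dropped rather than queued, so the figure should be sized with headroom. show policy-map interface GigabitEthernet8 reports per-class offered rate, drops and queue depth, which is the quickest way to confirm that GAMING packets are actually landing in the priority queue.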
Access Control Lists (ACLs)
ACLs are applied inbound on each VLAN SVI. Because the Cisco 892FSP routes all inter-VLAN traffic, every packet that crosses a VLAN boundary — whether heading to another internal segment or out to the internet — passes through the SVI ACL of the source VLAN.
Camera Isolation — VLAN 10
The camera ACL implements a full deny-all policy. No traffic originating from VLAN 10 is permitted to leave the segment.
Guest Isolation — VLAN 40
Guests can reach the internet but are blocked from reaching any internal RFC1918 address space.
- The deny line uses a wildcard mask of 0.255.255.255, which matches the entire 10.x.x.x address space — this blocks guests from reaching any internal VLAN, including cameras, gaming PCs, multimedia devices, and the admin network.
- The permit passes all other traffic (internet-bound), allowing normal web browsing, streaming, and app usage.
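The camera and guest isolation policies written out as inbound SVI ACLs on the 892FSP. This is an added example for this page, not the portfolio's own configuration: the deny-all behaviour for VLAN 10 and the 10.0.0.0 0.255.255.255 deny followed by a permit for VLAN 40 are what the text describes; the ACL names CAMERA-IN and GUEST-IN and the assumption that the SVIs are named Vlan10 and Vlan40 are mine.

```cisco
! Added example, not the portfolio's own configuration.
! Assumed names: CAMERA-IN, GUEST-IN, interface Vlan10, interface Vlan40.

! Camera Isolation (VLAN 10): nothing sourced in the segment may leave it.
! The explicit deny is kept so hit counters show what the cameras try to do.
ip access-list extended CAMERA-IN
 deny ip any any

! Guest Isolation (VLAN 40): order matters, the deny must precede the permit.
! 10.0.0.0 with wildcard 0.255.255.255 covers every 10.x.x.x host, i.e. all
! internal VLANs; everything else (internet-bound) is allowed through.
ip access-list extended GUEST-IN
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

! Apply inbound on the source VLAN's SVI, so the check runs on every packet
! that crosses a VLAN boundary, internal or internet-bound
interface Vlan10
 ip access-group CAMERA-IN in

interface Vlan40
 ip access-group GUEST-IN in
```

Three caveats a practitioner should verify against their own setup. IOS ACLs are stateless, so a deny-all inbound on Vlan10 also drops the replies a camera sends to a session that an admin host on another VLAN opened; if an NVR or admin workstation must pull camera streams across VLANs, that return path needs an explicit permit (for TCP, a permit with the established keyword from the camera subnet to that host) placed above the deny. The guest deny line only covers 10.0.0.0/8; if 172.16.0.0/12 or 192.168.0.0/16 are ever used internally, they need their own deny lines, since "any internal RFC1918 space" is only true while everything internal lives in 10.x. And because an inbound SVI ACL also filters packets addressed to the router itself, a guest network whose DNS server is the 892FSP's own 10.x SVI address needs a permit for UDP port 53 to that address ahead of the deny; routed traffic to the default gateway is unaffected. show ip access-lists GUEST-IN displays per-entry match counters, so a few connection attempts from a guest device give immediate evidence of which line each packet hit.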