
PHASE I (20 points total)—Due Week 3

Tasks to Do.
Task 1: Subnet the 10.150.0.0/16 network for NY and assign the first
nonzero subnets to Services followed by Engineering. You may need to re-
subnet for Executive and Native&Management subnets to avoid wasting IP
addresses. Ensure that you re-subnet only the first unused subnet and
nothing else. Assign the nonzero subnets to Executive and
Native&Management. (5 points)
New York Office IP    IP Address         Subnet Mask        Network Address
VLAN 15               10.150.1.129/26    255.255.255.192    10.150.1.128
VLAN 25               10.150.1.1/25      255.255.255.128    10.150.1.0
VLAN 35               10.150.0.129/25    255.255.255.128    10.150.0.128
VLAN 99               10.150.1.193/28    255.255.255.240    10.150.1.192

Task 2: Subnet the 10.150.100.0 /25 network for IL and assign the last IP
address on the first three nonzero subnets to the Loopback 1, Loopback 2,
and Loopback 3 interfaces of the router. We will use a loopback or virtual
interface to simulate the LAN subnets. This will speed up configuration and
allow us to create our topology without rewiring. (3 points)
Illinois Branch IP    IP Address           Subnet Mask        Network Address
Loopback 1            10.150.100.62/26     255.255.255.192    10.150.100.0
Loopback 2            10.150.100.126/26    255.255.255.192    10.150.100.64
Loopback 3            10.150.100.190/26    255.255.255.192    10.150.100.128

Task 3: Subnet the 10.150.200.0 /25 network for CA and assign the last IP
address on the first three nonzero subnets to the Loopback 1, Loopback 2,
and Loopback 3 interfaces of the router. We will use a loopback or virtual
interface to simulate the LAN subnets. This will speed up configuration and
allow us to create our topology without rewiring. (3 points)
California Branch IP    IP Address          Subnet Mask        Network Address
Loopback 1              10.150.200.30/27    255.255.255.224    10.150.200.0
Loopback 2              10.150.200.62/27    255.255.255.224    10.150.200.32
Loopback 3              10.150.200.94/27    255.255.255.224    10.150.200.64

Task 4: Use the following network address (10.1.255.0/25) to find the WAN
subnets between NY and IL and NY and CA respectively. Note that there are
only two IP addresses per subnet for each WAN link. Assign the first WAN
subnet to NY to IL and the second WAN subnet to NY to CA. (2 points)

WAN Subnets    IP Address       Subnet Mask        Network Address
NY to IL       10.1.255.1/30    255.255.255.252    10.1.255.0
NY to CA       10.1.255.2/30    255.255.255.252    10.1.255.0
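
A check for an addressing plan like the tables in Tasks 1 to 4, written with Python's ipaddress module; this is an added example, not part of the original assignment or its answers. The helper names carve, last_host and check_plan are hypothetical, and the sample run uses the two WAN rows exactly as entered in the table above.

```python
import ipaddress

def carve(parent, new_prefix, count, skip_zero=False):
    """Return the first `count` subnets of `parent` at /new_prefix.

    skip_zero=True starts at the first nonzero subnet, as Tasks 1-3 ask.
    """
    subnets = list(ipaddress.ip_network(parent).subnets(new_prefix=new_prefix))
    start = 1 if skip_zero else 0
    return subnets[start:start + count]

def last_host(cidr):
    """Last usable host address of a subnet (one below the broadcast address)."""
    return str(ipaddress.ip_network(cidr).broadcast_address - 1)

def check_plan(parent, assignments):
    """assignments maps a row name to "address/prefix"; returns the problems found."""
    parent = ipaddress.ip_network(parent)
    problems, seen = [], {}
    for name, cidr in assignments.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        # The subnet must sit inside the block the task hands out.
        if not net.subnet_of(parent):
            problems.append(f"{name}: {net} is outside {parent}")
        # Network and broadcast addresses cannot be assigned to an interface.
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a usable host in {net}")
        # Each link or LAN needs its own subnet.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen[name] = net
    return problems

if __name__ == "__main__":
    # Task 4 parameters: /30 links carved from 10.1.255.0/25.
    print([str(n) for n in carve("10.1.255.0/25", 30, 2)])
    # Rows as entered in the WAN Subnets table.
    wan_rows = {"NY to IL": "10.1.255.1/30", "NY to CA": "10.1.255.2/30"}
    for problem in check_plan("10.1.255.0/25", wan_rows):
        print(problem)
```
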

Task 5: Use Microsoft Visio to design the current network topology.


Remember to use Loopback interfaces for the subnets in NY, IL, and CA. Use
point-to-point interfaces to connect the remote branch offices to NY. See the
sample network diagram below. Replace the phrase “IP Address” by the
correct IP address for each interface on the routers. Include the WAN IP
addresses on the diagram as well. (7 points)
First Major Deliverable in the Project: IP scheme for all three locations
(fill in the IP tables above) and the Visio Diagram.

PHASE II (30 points total)—Due Week 5


Now that you have completed your first major deliverable in the project, let
us move on to the next phase in the project. You need to plan to implement
the network. You will configure the switches first.

Task 1: Configure SW1. (3.5 points possible)


Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #configure terminal

Configuration Task: Switch name
Required Information: SW1
Commands:
    #hostname SW1
Points: ¼

Configuration Task: Secret Password
Required Information: Netw204
Commands:
    #enable password Netw204
Points: ¼

Configuration Task: Disable DNS lookup
Commands:
    #no ip domain-lookup
Points: ¼

Configuration Task: Username and Password
Required Information: User= Admin1, Password=cisco123
Commands:
    username Admin1 privilege 15 secret cisco123
Points: ¼

Configuration Task: Message of the Day (MOTD) Banner
Required Information: Unauthorized Access is Highly Prohibited!
Commands:
    #banner motd ^Unauthorized Access is Highly Prohibited!^
Points: ¼

Configuration Task: VTY
Required Information: Enable SSH and Disable Telnet.
Commands:
    #line vty 0 15
    (c-line)#transport input ssh
    (config-line)#exit
Points: ½

Configuration Task: Encrypt the clear text passwords
Required Information: Use the correct command to encrypt clear text passwords.
Commands:
    #service password-encryption
Points: ¼

Configuration Task: Create the required VLANs.
Required Information: Use the information provided to create the VLANs. (I also added Names)
Commands:
    (c-if)#interface vlan 15
    (c-if)#name Executive
    (c-if)#interface vlan 25
    (c-if)#name Engineering
    (c-if)#interface vlan 35
    (c-if)#name Services
    (c-if)#interface vlan 99
    (c-if)#name Native&Management
Points: ¼

Configuration Task: Assign the management IP address.
Required Information: Assign the IP Address just before the last valid IP Address on the Native&Management VLAN. VLAN 99 is the Native VLAN.
Commands:
    #interface vlan 99
    (c-if)#ip address 10.150.1.205 255.255.255.240
Points: ¼

Configuration Task: Enable the 802.1Q Trunk ports.
Required Information: Use the correct switchport command to set the Trunk port.
Commands:
    #interface fastethernet 0/2
    (c-if)#switchport trunk encapsulation dot1q
    (c-if)#switchport mode trunk
    (c-if)#no shutdown
    (c-if)#interface fastethernet 0/1
    (c-if)#switchport trunk encapsulation dot1q
    (c-if)#switchport mode trunk
    (c-if)#no shutdown
    (c-if)#exit
Points: ¼

Configuration Task: Configure all other ports as access ports.
Required Information: Use the interface range command.
Commands:
    #interface range fa0/2, fa0/1, fa0/5, fa0/3
    (c-if)#switchport mode access
Points: ¼

Configuration Task: Assign F0/5 to the correct VLAN as per the diagram.
Required Information: See the network diagram you drew for part 1.
    switchport mode access is redundant if this is continuing from the previous command
Commands:
    #interface fastethernet 0/5
    (c-if)#switchport mode access
    (c-if)#switchport access vlan 25
    (c-if)#exit
Points: ¼

Configuration Task: Shutdown all unused ports.
Required Information: Disable all unused ports in software.
Commands:
    I don’t know all the ports because I am not using the software, but in the
    event this was a live production network I would use #show vlan for port
    information, #interface range {port range}, and #shutdown commands to
    shut down unused ports.
Points: ¼

Task 2: Configure SW2. (3.5 points possible)


Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #configure terminal

Configuration Task: Switch name
Required Information: SW2
Commands:
    #hostname SW2
Points: ¼

Configuration Task: Secret Password
Required Information: Netw204
Commands:
    #enable password Netw204
Points: ¼

Configuration Task: Disable DNS lookup
Commands:
    #no ip domain-lookup
Points: ¼

Configuration Task: Username and Password
Required Information: User= Admin1, Password=cisco123
Commands:
    username Admin1 privilege 15 secret cisco123
Points: ¼

Configuration Task: Message of the Day (MOTD) Banner
Required Information: Unauthorized Access is Highly Prohibited!
Commands:
    #banner motd ^Unauthorized Access is Highly Prohibited!^
Points: ¼

Configuration Task: VTY
Required Information: Enable SSH and Disable Telnet.
Commands:
    #line vty 0 15
    (c-line)#transport input ssh
    (c-line)#exit
Points: ½

Configuration Task: Encrypt the clear text passwords
Required Information: Use the correct command to encrypt clear text passwords.
Commands:
    #service password-encryption
Points: ¼

Configuration Task: Create the required VLANs.
Required Information: Use the information provided to create the VLANs.
Commands:
    (c-if)#interface vlan 15
    (c-if)#name Executive
    (c-if)#interface vlan 25
    (c-if)#name Engineering
    (c-if)#interface vlan 35
    (c-if)#name Services
    (c-if)#interface vlan 99
    (c-if)#name Native&Management
Points: ¼

Configuration Task: Assign the management IP address.
Required Information: Assign the IP Address just before the last valid IP Address on the Native&Management VLAN. VLAN 999 is the Native VLAN.
Commands:
    #interface vlan 99
    (c-if)#ip address 10.150.1.205 255.255.255.240
Points: ¼

Configuration Task: Enable the 802.1Q Trunk ports.
Required Information: Use the correct switchport command to set the Trunk port.
Commands:
    #interface fastethernet 0/2
    (c-if)#switchport trunk encapsulation dot1q
    (c-if)#switchport mode trunk
    (c-if)#no shutdown
    (c-if)#interface fastethernet 0/1
    (c-if)#switchport trunk encapsulation dot1q
    (c-if)#switchport mode trunk
    (c-if)#no shutdown
    (c-if)#exit
Points: ¼

Configuration Task: Configure all other ports as access ports.
Required Information: Use the interface range command.
Commands:
    #interface range fa0/2, fa0/1, fa0/5, fa0/3
    (c-if)#switchport mode access
Points: ¼

Configuration Task: Assign F0/3 to the correct VLAN as per the diagram.
Required Information: See the network diagram you drew for part 1.
Commands:
    #interface fastethernet 0/3
    (c-if)#switchport mode access
    (c-if)#switchport access vlan 15
    (c-if)#exit
Points: ¼

Configuration Task: Shutdown all unused ports.
Required Information: Disable all unused ports in software.
Commands:
    Again I don’t know all the ports because I am not using the software, but
    in the event this was a live production network I would use #show vlan for
    port information, #interface range {port range}, and #shutdown commands to
    shut down unused ports.
Points: ¼

Columns: Configuration Item or Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #configure terminal
    leaving out (c-if) for space

Configuration Item or Task: Configure 802.1Q subinterface .15 on G0/1
Required Information: Description Executive LAN. Assign VLAN 15. Assign the last valid IP address to this interface.
Commands:
    #interface gigabitethernet 0/1.15
    #encapsulation dot1q 15
    #ip address 10.150.1.190 255.255.255.192
    #description Executive LAN
Points: ½

Configuration Item or Task: Configure 802.1Q subinterface .25 on G0/1
Required Information: Description Engineering LAN. Assign VLAN 25. Assign the last valid IP address to this interface.
Commands:
    #interface gigabitethernet 0/1.25
    #encapsulation dot1q 15
    #ip address 10.150.1.106 255.255.255.128
    #description Engineering LAN
Points: ½

Configuration Item or Task: Configure 802.1Q subinterface .35 on G0/1
Required Information: Description Services LAN. Assign VLAN 35. Assign the first available address to this interface.
Commands:
    #interface gigabitethernet 0/1.35
    #encapsulation dot1q 15
    #ip address 10.150.0.129 255.255.255.128
    #description Services LAN
Points: ½

Configuration Item or Task: Configure 802.1Q subinterface .99 on G0/1
Required Information: Description Native&Management LAN. Assign VLAN 99. Assign the last valid IP address to this interface.
Commands:
    #interface gigabitethernet 0/1.99
    #encapsulation dot1q 15
    #ip address 10.150.1.206 255.255.255.240
    #description Native&Management LAN
Points: ½

Configuration Item or Task: Activate Interface G0/1
Required Information: Bring up interfaces
Commands:
    #interface gigabitethernet 0/1
    (c-if)#no shutdown
Points: ½

Configuration Item or Task: OSPF Process ID
Required Information: 204
Commands:
    #router ospf 204
Points: ½

Configuration Item or Task: Router ID
Required Information: 1.1.1.1
Commands:
    #router-id 1.1.1.1
Points: ½

Configuration Item or Task: Advertise directly connected networks.
Required Information: Use classless network addresses. Assign all directly connected networks to Area 0
Commands:
    #network 10.150.0.0 0.0.255.255 area 0
    #network 10.150.100.0 0.0.0.127 area 0
    #network 10.150.200.0 0.0.0.127 area 0
Points: ½

Configuration Item or Task: Set all LAN interfaces as passive.
Required Information: Type necessary commands to do so.
Commands:
    #passive-interface fastethernet 0/0
    #end
Points: ½

Configuration Item or Task: Change the default cost reference bandwidth to support Gigabit interface calculations.
Required Information: 1000
Commands:
    #router ospf 204
    #auto-cost reference bandwidth 1000
    #end
Points: ½

Configuration Item or Task: Set the serial interface bandwidth.
Required Information: 768 Kb/s
Commands:
    #interface range serial 2/0, 3/0
    (c-if)#bandwidth 768
Points: ½

Configuration Item or Task: Adjust the metric cost of S0/0/0.
Required Information: Cost: 7500
Commands:
    #ip ospf cost 7500
Points: ½

Columns: Configuration Task | Required Information | Commands | Points

Configuration Task: Assign IP addresses to appropriate interfaces including Loopback and serial interfaces.
Commands:
    #interface loopback 1
    #ip address 10.150.100.62 255.255.255.192
    #interface loopback 2
    #ip address 10.150.100.126 255.255.255.192
    #interface loopback 3
    #ip address 10.150.100.190 255.255.255.192
    #interface serial 2/0
    #ip address 10.1.255.1 255.255.255.252
Points: ½

Configuration Task: Activate the nonLoopback interfaces.
Commands:
    #interface serial 2/0
    #no shutdown
Points: ½

Configuration Task: OSPF Process ID
Required Information: 204
Commands:
    #router ospf 204
Points: ½

Configuration Task: Router ID
Required Information: 2.2.2.2
Commands:
    #router-id 2.2.2.2
Points: ½

Configuration Task: Advertise directly connected networks.
Required Information: Use classless network addresses. Assign interfaces to Area 0. Use a single summary address for the LAN (loopback) interfaces.
Commands:
    #network 10.150.0.0 0.0.255.255 area 0
    #network 10.150.100.0 0.0.0.127 area 0
Points: ½

Configuration Task: Set all LAN (Loopback) interfaces as passive.
Commands:
    #passive-interface fastethernet 0/0
    #end
Points: ½

Configuration Task: Change the default cost reference bandwidth to support Gigabit interface calculations.
Required Information: 1000
Commands:
    #router ospf 204
    #auto-cost reference bandwidth 1000
Points: ½

Configuration Task: Set the serial interface bandwidth.
Required Information: 256 Kb/s
Commands:
    #interface serial 2/0
    #bandwidth 256
Points: ½

Note: You will probably notice that all the Loopback IP addresses show up
as /32. To change that /32 to the real subnet mask of the Loopback interfaces
you need to type the following command on each Loopback interface in the
routers.
Interface Loopback 1
ip ospf network point-to-point
Task 5: Configure the CA Router. (4 points)
Columns: Configuration Task | Required Information | Commands | Points

Configuration Task: Assign IP addresses to appropriate interfaces including Loopback and serial interfaces.
Commands:
    #interface loopback 1
    #ip address 10.150.200.30 255.255.255.224
    #interface loopback 2
    #ip address 10.150.200.62 255.255.255.224
    #interface loopback 3
    #ip address 10.150.200.94 255.255.255.224
    #interface serial 3/0
    #ip address 10.1.255.2 255.255.255.252
Points: ½

Configuration Task: Activate the nonLoopback interfaces.
Commands:
    #interface serial 3/0
    #no shutdown
Points: ½

Configuration Task: OSPF Process ID
Required Information: 204
Commands:
    #router ospf 204
Points: ½

Configuration Task: Router ID
Required Information: 3.3.3.3
Commands:
    #router-id 3.3.3.3
Points: ½

Configuration Task: Advertise directly connected networks.
Required Information: Use classless network addresses. Assign interfaces to Area 0. Use a single summary address for the LAN (loopback) interfaces.
Commands:
    #network 10.150.0.0 0.0.255.255 area 0
    #network 10.150.200.0 0.0.0.127 area 0
Points: ½

Configuration Task: Set all LAN (Loopback) interfaces as passive.
Commands:
    #passive-interface fastethernet 0/0
    #end
Points: ½

Configuration Task: Change the default cost reference bandwidth to support Gigabit interface calculations.
Required Information: 1000
Commands:
    #router ospf 204
    #auto-cost reference bandwidth 1000
Points: ½

Configuration Task: Set the serial interface bandwidth.
Required Information: 256 Kb/s
Commands:
    #interface serial 3/0
    #bandwidth 256
    #end
Points: ½

Task 6: Verify OSPF Configuration (6 points)


Columns: Question | Answer | Points

Question: Type the command that displays all connected OSPFv2 routers. Capture the output for your project and explain what you see.
Answer: #show ip ospf neighbor
Points: 1

Question: Type the command that displays the OSPF process ID, router ID, routing networks, address summarization, and passive interfaces configured on a router. Capture the output for your project and explain what you see.
Answer: #show ip ospf
Points: 1

Question: What command displays only OSPF routes?
Answer: #show ip route ospf
Points: 1

Question: What command displays detailed information about the OSPF interfaces, including the authentication method?
Answer: #show ip ospf interface
Points: 1

Question: What command displays the OSPF link state types?
Answer: #show ip ospf database [link state id]
Points: 1

Question: What command displays the OSPF database?
Answer: #show ip ospf database
Points: 1

Task 7: Summarize the output of the commands used in Task 6. How can
you tell that the network is working correctly? (3 points)

You would be able to see link state and the OSPF routers would form
adjacencies with their neighbors and this would be visible in the OSPF
database. The ip route command would show the routes of the packet sent
from one network over to the neighboring network. To see if the overall
network is up and the interfaces are properly turned on, you would ping
addresses on the network to see if the packets go through. “Tracert” would
be the command a network admin would use to see the route these packets
take to get to their destination address.

PHASE III (70 Points Total)—Due Week 7
Task 1: Configure the NY router as a DHCPv4 server for the executive and
engineering VLAN. (4 points)

Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #config t

Configuration Task: Reserve the first 10 IP addresses in VLAN 15 for static configurations.
Commands:
    #ip dhcp excluded-address 10.150.1.130 10.150.1.140
Points: (1 point)

Configuration Task: Reserve the first 10 IP addresses in VLAN 25 for static configurations.
Commands:
    #ip dhcp excluded-address 10.150.1.2 10.150.1.12
Points: (1 point)

Configuration Task: Create a DHCP pool for VLAN 15.
Required Information: Name: EXECUTIVE. DNS-Server: 192.168.1.45. Domain-Name: hitech.net. Set the default gateway.
Commands:
    #ip dhcp pool EXECUTIVE
    #network 10.150.1.129/26
    #dns-server 192.168.1.45
    #domain-name hitech.net
    #default-router 10.150.0.0
    #lease 7
Points: (1 point)

Configuration Task: Create a DHCP pool for VLAN 25.
Required Information: Name: ENGINEERING. DNS-Server: 192.168.1.45. Domain-Name: engineering.com. Set the default gateway.
Commands:
    #ip dhcp pool ENGINEERING
    #network 10.150.1.1/25
    #dns-server 192.168.1.45
    #domain-name engineering.net
    #default-router 10.150.0.0
    #lease 7
Points: (1 point)

Task 2: Restrict Access to the VTY Lines to only come from
Native&Management VLAN. (15 points)

Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #conf t

Configuration Task: Configure a named access list to only allow Native&Management VLAN to SSH to the routers.
Required Information: ACL Name: NETMGMT
    Telnet is port 22, so if we are only allowing ssh connections then we would eliminate that line in the list.
Commands:
    #ip access-list extended NETMGMT
    #10 permit tcp 10.150.1.193 0.0.0.15 5 any eq 22
    #20 permit tcp 10.150.1.193 0.0.0.15 5 any eq 23
    #500 deny ip any any log (this logs all the attempts to ssh)
Points: 5

Configuration Task: Apply the named ACL to the VTY lines.
Commands:
    #line vty 0-15
    #ip access-class NETMGMT in
    #end
Points: 5

Configuration Task: Verify ACL is working as expected.
Commands:
    #show access-list
    then go to an unauthorized device and try to SSH to the router, it should
    give out a “connection refused by remote host” error message.
Points: 5

Task 3: Configure static and dynamic NAT on NY. (25 points)


Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #conf t

Configuration Task: Create a local database with one user account. Use the command username webadmin privilege 15 secret cisco123.
Required Information: Username: webadmin. Password: cisco123. Privilege level: 15
Commands:
    #username webadmin privilege 15 secret cisco123
Points: 5

Configuration Task: Enable HTTP server service.
Required Information: ip http ?
Commands:
    #ip http server
Points: 2

Configuration Task: Configure the HTTP server to use the local database for authentication.
Required Information: ip http authentication ?
Commands:
    #ip http authentication local
Points: 2

Configuration Task: Create a static NAT to the web server.
Required Information: Inside Global Address: 209.107.23.66
Commands:
    #ip inside source static --> 209.107.23.66
Points: 2

Configuration Task: Configure NY’s Loopback 0 interface with the following IP address. This is a simulated internal web server.
Required Information: 192.168.1.200/32
Commands:
    #interface loopback 0
    #192.168.1.200 255.255.255.255
Points: 1

Configuration Task: Assign the inside and outside interface for the static NAT.
Required Information: 192.168.1.200 --> 209.107.23.66/26
Commands:
    #interface fa 0/0
    #ip nat inside
    #interface serial 2/0
    #ip nat outside
Points: 1

Configuration Task: Configure the dynamic NAT inside private ACL.
Required Information: Access List: 10. Allow the executive and engineering networks on NY to be translated. Allow a summary of the LANs (loopback) networks on IL and CA to be translated. Do not allow the Services and Native&Management VLANs to be translated.
Commands:
    #ip access-list extended 10
    #access-list 10 permit 10.150.1.129 0.0.0.63
    #access-list 10 permit 10.150.1.1
    #access-list 10 permit 10.150.100.0 0.0.0.63
    #access-list 10 permit 10.150.200.0 0.0.0.31
    #access-list 10 deny 10.150.1.193
Points: 5

Configuration Task: Define the pool of usable public IP addresses.
Required Information: Pool Name: THE_NET. Pool of addresses include: 209.107.23.68 – 209.107.23.75
Commands:
    #ip nat pool THE_NET 209.107.23.73
Points: 5

Configuration Task: Define the dynamic NAT translation.
Commands:
    #ip nat inside source list 10 pool
Points: 2

Task 4: Secure the network services. (16 points)
Columns: Configuration Task | Required Information | Commands | Points

Commands (column header):
    >enable
    #conf t

Configuration Task: Configure an extended ACL to
    - allow Internet hosts WWW access to the simulated web server on NY by
      accessing the static NAT address (209.107.23.66/26) that you configured
      in Task 3;
    - allow Internet hosts DNS access to the simulated web server on NY by
      accessing the static NAT address (209.107.23.66/26) that you configured
      in Task 3; and
    - prevent traffic from the Internet from pinging internal networks, while
      continuing to allow LAN interfaces to ping the Internet hosts.
Required Information: ACL No.: 105
Commands:
    #ip access-list extended 105
    #105 permit tcp 209.107.23.66 0.0.0.63 any eq 80
    #105 permit tcp 207.107.23.66 0.0.0.63 any eq 953
    #105 deny icmp any any redirect log
    #105 deny icmp any any echo
    #105 deny icmp any any mask-request log in
Points: 10

Configuration Task: Apply ACL to the appropriate interface(s).
Commands:
    #ip access-class 105 in
Points: 6

Task 5: Verify that your project meets the above requirements. Write a
summary of what you did and explain what you have learned in the process.
(10 points)
I created access control lists to permit only those assigned to the VLAN to
gain remote access to the VLAN. Then we moved forward to set up a NAT
service on the router to translate local addresses to public IP addresses. We
had to first define the inside interface and the outer interface. We created a
pool of usable ip addresses for dynamic translating. Last we secured the
network services with an extended ACL that allowed certain hosts to access
the web server. In the process I have learned to use my resources because
not everything will always stick in my brain, but this was ultimately great
practice.
