PHASE I (20 points total), Due Week 3

Tasks to Do.

Task 1: Subnet the 10.150.0.0/16 network for NY and assign the first
nonzero subnets to Services followed by Engineering. You may need to
re-subnet for the Executive and Native&Management subnets to avoid wasting
IP addresses. Ensure that you re-subnet only the first unused subnet and
nothing else. Assign the nonzero subnets to Executive and
Native&Management. (5 points)
New York Office IP

  VLAN      IP Address         Subnet Mask        Network Address
  VLAN 15   10.150.1.129/26    255.255.255.192    10.150.1.128
  VLAN 25   10.150.1.1/25      255.255.255.128    10.150.1.0
  VLAN 35   10.150.0.129/25    255.255.255.128    10.150.0.128
  VLAN 99   10.150.1.193/28    255.255.255.240    10.150.1.192
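Worked computation of the Task 1 plan, added here as an example and not part of the assignment or the submitted answer: it carves 10.150.0.0/16 by the rules stated above (skip subnet zero, the first two nonzero /25s to Services and Engineering, re-subnet only the next unused /25) and goes beyond Task 1 by also deriving the per-VLAN addresses the later phases ask for (switch management IP just before the last valid host, router gateway at the last valid host, the first ten hosts reserved for DHCP). Function names are the example's own.

```python
import ipaddress

# Example code (not the assignment's own): carve 10.150.0.0/16 into /25s,
# leave subnet zero unused, give the first nonzero /25 to Services and the
# next to Engineering, then re-subnet ONLY the next unused /25 for the
# Executive (/26) and Native&Management (/28) VLANs.

def plan_ny_vlans(base="10.150.0.0/16"):
    """Return {vlan_id: (name, ip_network)} for the NY office."""
    block = ipaddress.ip_network(base)
    subnets = list(block.subnets(new_prefix=25))
    # index 0 is subnet zero and stays unused ("nonzero subnets")
    services, engineering, spare = subnets[1], subnets[2], subnets[3]
    # the first unused /25 splits into two /26s: Executive takes the first,
    # Native&Management takes the first /28 of the second
    exec_net, rest = spare.subnets(new_prefix=26)
    mgmt_net = next(rest.subnets(new_prefix=28))
    return {
        35: ("Services", services),
        25: ("Engineering", engineering),
        15: ("Executive", exec_net),
        99: ("Native&Management", mgmt_net),
    }

def host_addresses(net):
    """Per-VLAN addresses that Phase II and Phase III derive from the subnet."""
    hosts = list(net.hosts())           # excludes network and broadcast
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_usable": str(hosts[0]),
        "gateway": str(hosts[-1]),       # router subinterface: last valid host
        "switch_mgmt": str(hosts[-2]),   # "just before the last valid" host
        "dhcp_exclude": (str(hosts[0]), str(hosts[9])),  # first 10 hosts
    }

def ny_plan_table():
    """Combine the plan and the derived addresses into one row per VLAN."""
    rows = {}
    for vlan, (name, net) in plan_ny_vlans().items():
        rows[vlan] = {"name": name, "cidr": str(net), **host_addresses(net)}
    return rows

if __name__ == "__main__":
    for vlan, row in sorted(ny_plan_table().items()):
        print(f"VLAN {vlan:<3} {row['name']:<18} {row['cidr']:<17} "
              f"mask {row['mask']:<16} gw {row['gateway']:<14} "
              f"switch mgmt {row['switch_mgmt']}")
```

The dhcp_exclude range is only meaningful for the two VLANs Phase III serves with DHCP (15 and 25); it is computed for every VLAN so the same function can be reused.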

Task 2: Subnet the 10.150.100.0/25 network for IL and assign the last IP
address on the first three nonzero subnets to the Loopback 1, Loopback 2,
and Loopback 3 interfaces of the router. We will use a loopback or virtual
interface to simulate the LAN subnets. This speeds up configuration and
allows us to create our topology without rewiring. (3 points)

Illinois Branch IP

  Interface    IP Address           Subnet Mask        Network Address
  Loopback 1   10.150.100.62/26     255.255.255.192    10.150.100.0
  Loopback 2   10.150.100.126/26    255.255.255.192    10.150.100.64
  Loopback 3   10.150.100.190/26    255.255.255.192    10.150.100.128

Task 3: Subnet the 10.150.200.0/25 network for CA and assign the last IP
address on the first three nonzero subnets to the Loopback 1, Loopback 2,
and Loopback 3 interfaces of the router. We will use a loopback or virtual
interface to simulate the LAN subnets. This speeds up configuration and
allows us to create our topology without rewiring. (3 points)

California Branch IP

  Interface    IP Address           Subnet Mask        Network Address
  Loopback 1   10.150.200.30/27     255.255.255.224    10.150.200.0
  Loopback 2   10.150.200.62/27     255.255.255.224    10.150.200.32
  Loopback 3   10.150.200.94/27     255.255.255.224    10.150.200.64

Task 4: Use the following network address (10.1.255.0/25) to find the WAN
subnets between NY and IL and NY and CA respectively. Note that there are
only two IP addresses per subnet for each WAN link. Assign the first WAN
subnet to NY to IL and the second WAN subnet to NY to CA. (2 points)

WAN Subnets

  Link       IP Address       Subnet Mask        Network Address
  NY to IL   10.1.255.1/30    255.255.255.252    10.1.255.0
  NY to CA   10.1.255.2/30    255.255.255.252    10.1.255.0

Task 5: Use Microsoft Visio to design the current network topology.

Remember to use Loopback interfaces for the subnets in NY, IL, and CA. Use
point-to-point interfaces to connect the remote branch offices to NY. See the
sample network diagram below. Replace the phrase "IP Address" with the
correct IP address for each interface on the routers. Include the WAN IP
addresses on the diagram as well. (7 points)

First Major Deliverable in the Project: IP scheme for all three locations
(fill in the IP tables above) and the Visio Diagram.

PHASE II (30 points total), Due Week 5

Now that you have completed your first major deliverable in the project, let
us move on to the next phase in the project. You need to plan to implement
the network. You will configure the switches first.

Task 1: Configure SW1. (3.5 points possible)

  Configuration Task                    Required Information
  Switch name                           SW1
  Secret Password                       Netw204
  Disable DNS lookup
  Username and Password                 User = Admin1, Password = cisco123
  Message of the Day (MOTD) Banner      Unauthorized Access is Highly Prohibited!
  VTY                                   Enable SSH and disable Telnet.
  Encrypt the clear text passwords      Use the correct command to encrypt
                                        clear text passwords.
  Create the required VLANs.            Use the information provided to create
                                        the VLANs. (I also added Names)
  Assign the management IP address.     Assign the IP Address just before the
                                        last valid IP Address on the
                                        Native&Management VLAN. VLAN 99 is the
                                        Native VLAN.
  Enable the 802.1Q Trunk ports.        Use the correct switchport command to
                                        set the Trunk port.
  Configure all other ports as          Use the interface range command.
  access ports.
  Assign F0/5 to the correct VLAN       See the network diagram you drew for
  as per the diagram.                   part 1. switchport mode access is
                                        redundant if this is continuing from
                                        the previous command.
  Shutdown all unused ports.            Disable all unused ports in software.

SW1 configuration (lines starting with "!" are IOS comments):

  >enable
  #configure terminal
  (config)#hostname SW1
  ! "Secret Password" calls for enable secret (stored hashed), not enable password
  (config)#enable secret Netw204
  (config)#no ip domain-lookup
  (config)#username Admin1 privilege 15 secret cisco123
  (config)#banner motd ^Unauthorized Access is Highly Prohibited!^
  ! SSH needs a domain name (taken from the Phase III DHCP pool) and an RSA
  ! key pair before the VTY lines can accept it
  (config)#ip domain-name hitech.net
  (config)#crypto key generate rsa modulus 2048
  (config)#ip ssh version 2
  (config)#line vty 0 15
  ! SSH only; Telnet is disabled on the VTY lines
  (config-line)#transport input ssh
  (config-line)#login local
  (config-line)#exit
  (config)#service password-encryption
  ! VLANs and their names are created in VLAN configuration mode, not under
  ! interface vlan
  (config)#vlan 15
  (config-vlan)#name Executive
  (config-vlan)#vlan 25
  (config-vlan)#name Engineering
  (config-vlan)#vlan 35
  (config-vlan)#name Services
  (config-vlan)#vlan 99
  (config-vlan)#name Native&Management
  (config-vlan)#exit
  ! management SVI: the last valid host of 10.150.1.192/28 is .206, so the
  ! address just before it is .205
  (config)#interface vlan 99
  (config-if)#ip address 10.150.1.205 255.255.255.240
  (config-if)#no shutdown
  ! 802.1Q trunk ports with VLAN 99 as the native VLAN
  (config-if)#interface fastethernet 0/1
  (config-if)#switchport trunk encapsulation dot1q
  (config-if)#switchport mode trunk
  (config-if)#switchport trunk native vlan 99
  (config-if)#no shutdown
  (config-if)#interface fastethernet 0/2
  (config-if)#switchport trunk encapsulation dot1q
  (config-if)#switchport mode trunk
  (config-if)#switchport trunk native vlan 99
  (config-if)#no shutdown
  (config-if)#exit
  ! all other ports as access ports (a 24-port switch is assumed); the two
  ! trunk ports are left out of the range so they are not reset to access mode
  (config)#interface range fastethernet 0/3 - 24
  (config-if-range)#switchport mode access
  (config-if-range)#exit
  (config)#interface fastethernet 0/5
  (config-if)#switchport mode access
  (config-if)#switchport access vlan 25
  (config-if)#exit

I don't know all the ports because I am not using the software, but in the
event this was a live production network I would use #show vlan for port
information, #interface range {port range}, and #shutdown commands to shut
down unused ports.
Task 2: Configure SW2. (3.5 points possible)

  Configuration Task                    Required Information
  Switch name                           SW2
  Secret Password                       Netw204
  Disable DNS lookup
  Username and Password                 User = Admin1, Password = cisco123
  Message of the Day (MOTD) Banner      Unauthorized Access is Highly Prohibited!
  VTY                                   Enable SSH and disable Telnet.
  Encrypt the clear text passwords      Use the correct command to encrypt
                                        clear text passwords.
  Create the required VLANs.            Use the information provided to create
                                        the VLANs.
  Assign the management IP address.     Assign the IP Address just before the
                                        last valid IP Address on the
                                        Native&Management VLAN. VLAN 99 is the
                                        Native VLAN.
  Enable the 802.1Q Trunk ports.        Use the correct switchport command to
                                        set the Trunk port.
  Configure all other ports as          Use the interface range command.
  access ports.
  Assign F0/3 to the correct VLAN       See the network diagram you drew for
  as per the diagram.                   part 1.
  Shutdown all unused ports.            Disable all unused ports in software.

SW2 configuration (lines starting with "!" are IOS comments):

  >enable
  #configure terminal
  (config)#hostname SW2
  ! "Secret Password" calls for enable secret (stored hashed), not enable password
  (config)#enable secret Netw204
  (config)#no ip domain-lookup
  (config)#username Admin1 privilege 15 secret cisco123
  (config)#banner motd ^Unauthorized Access is Highly Prohibited!^
  ! SSH needs a domain name (taken from the Phase III DHCP pool) and an RSA
  ! key pair before the VTY lines can accept it
  (config)#ip domain-name hitech.net
  (config)#crypto key generate rsa modulus 2048
  (config)#ip ssh version 2
  (config)#line vty 0 15
  ! SSH only; Telnet is disabled on the VTY lines
  (config-line)#transport input ssh
  (config-line)#login local
  (config-line)#exit
  (config)#service password-encryption
  ! VLANs and their names are created in VLAN configuration mode
  (config)#vlan 15
  (config-vlan)#name Executive
  (config-vlan)#vlan 25
  (config-vlan)#name Engineering
  (config-vlan)#vlan 35
  (config-vlan)#name Services
  (config-vlan)#vlan 99
  (config-vlan)#name Native&Management
  (config-vlan)#exit
  ! management SVI: the task gives the same rule for both switches, so the
  ! same .205 appears here; two switches cannot share one address on VLAN 99,
  ! so in a live network one of them must take another free host address
  (config)#interface vlan 99
  (config-if)#ip address 10.150.1.205 255.255.255.240
  (config-if)#no shutdown
  ! 802.1Q trunk ports with VLAN 99 as the native VLAN
  (config-if)#interface fastethernet 0/1
  (config-if)#switchport trunk encapsulation dot1q
  (config-if)#switchport mode trunk
  (config-if)#switchport trunk native vlan 99
  (config-if)#no shutdown
  (config-if)#interface fastethernet 0/2
  (config-if)#switchport trunk encapsulation dot1q
  (config-if)#switchport mode trunk
  (config-if)#switchport trunk native vlan 99
  (config-if)#no shutdown
  (config-if)#exit
  ! all other ports as access ports (a 24-port switch is assumed); the two
  ! trunk ports are left out of the range
  (config)#interface range fastethernet 0/3 - 24
  (config-if-range)#switchport mode access
  (config-if-range)#exit
  (config)#interface fastethernet 0/3
  (config-if)#switchport mode access
  (config-if)#switchport access vlan 15
  (config-if)#exit

Again, I don't know all the ports because I am not using the software, but
in the event this was a live production network I would use #show vlan for
port information, #interface range {port range}, and #shutdown commands to
shut down unused ports.

Task 3: Configure the NY Router.

  Configuration Item or Task               Required Information
  Configure 802.1Q subinterface .15        Description Executive LAN. Assign VLAN
  on G0/1                                  15. Assign the last valid IP address
                                           to this interface.
  Configure 802.1Q subinterface .25        Description Engineering LAN. Assign
  on G0/1                                  VLAN 25. Assign the last valid IP
                                           address to this interface.
  Configure 802.1Q subinterface .35        Description Services LAN. Assign VLAN
  on G0/1                                  35. Assign the first available address
                                           to this interface.
  Configure 802.1Q subinterface .99        Description Native&Management LAN.
  on G0/1                                  Assign VLAN 99. Assign the last valid
                                           IP address to this interface.
  Activate Interface G0/1                  Bring up interfaces
  OSPF Process ID                          204
  Router ID                                1.1.1.1
  Advertise directly connected networks.   Use classless network addresses.
                                           Assign all directly connected networks
                                           to Area 0.
  Set all LAN interfaces as passive.       Type necessary commands to do so.
  Change the default cost reference        1000
  bandwidth to support Gigabit interface
  calculations.
  Set the serial interface bandwidth.      768 Kb/s
  Adjust the metric cost of S0/0/0.        Cost: 7500

NY router configuration (the interface prompts were left out in the original
for space; lines starting with "!" are IOS comments):

  >enable
  #configure terminal
  ! the dot1q tag on each subinterface must match its VLAN
  (config)#interface gigabitethernet 0/1.15
  (config-subif)#encapsulation dot1q 15
  (config-subif)#ip address 10.150.1.190 255.255.255.192
  (config-subif)#description Executive LAN
  (config-subif)#interface gigabitethernet 0/1.25
  (config-subif)#encapsulation dot1q 25
  ! last valid host of 10.150.1.0/25
  (config-subif)#ip address 10.150.1.126 255.255.255.128
  (config-subif)#description Engineering LAN
  (config-subif)#interface gigabitethernet 0/1.35
  (config-subif)#encapsulation dot1q 35
  (config-subif)#ip address 10.150.0.129 255.255.255.128
  (config-subif)#description Services LAN
  (config-subif)#interface gigabitethernet 0/1.99
  ! "native" because VLAN 99 is carried untagged on the switch trunks
  (config-subif)#encapsulation dot1q 99 native
  (config-subif)#ip address 10.150.1.206 255.255.255.240
  (config-subif)#description Native&Management LAN
  (config-subif)#interface gigabitethernet 0/1
  (config-if)#no shutdown
  (config-if)#exit
  (config)#router ospf 204
  (config-router)#router-id 1.1.1.1
  ! classless (wildcard mask) network statements, all in area 0
  (config-router)#network 10.150.0.0 0.0.255.255 area 0
  (config-router)#network 10.150.100.0 0.0.0.127 area 0
  (config-router)#network 10.150.200.0 0.0.0.127 area 0
  ! the WAN /30s from Phase I Task 4 also need a network statement once NY's
  ! serial addresses are assigned, or no adjacency forms with IL and CA
  ! the LAN interfaces on NY are the four G0/1 subinterfaces
  (config-router)#passive-interface gigabitethernet 0/1.15
  (config-router)#passive-interface gigabitethernet 0/1.25
  (config-router)#passive-interface gigabitethernet 0/1.35
  (config-router)#passive-interface gigabitethernet 0/1.99
  (config-router)#auto-cost reference-bandwidth 1000
  (config-router)#exit
  ! 768 Kb/s on both serial links, with the OSPF cost set by hand
  (config)#interface range serial 2/0 , serial 3/0
  (config-if-range)#bandwidth 768
  (config-if-range)#ip ospf cost 7500
  (config-if-range)#end

Task 4: Configure the IL Router.

  Configuration Task                        Required Information
  Assign IP addresses to appropriate
  interfaces including Loopback and
  serial interfaces.
  Activate the non-Loopback interfaces.
  OSPF Process ID                           204
  Router ID                                 2.2.2.2
  Advertise directly connected networks.    Use classless network addresses.
                                            Assign interfaces to Area 0. Use a
                                            single summary address for the LAN
                                            (loopback) interfaces.
  Set all LAN (Loopback) interfaces as
  passive.
  Change the default cost reference         1000
  bandwidth to support Gigabit interface
  calculations.
  Set the serial interface bandwidth.       256 Kb/s

IL router configuration (lines starting with "!" are IOS comments):

  >enable
  #configure terminal
  (config)#interface loopback 1
  (config-if)#ip address 10.150.100.62 255.255.255.192
  ! see the note below: without this OSPF advertises each loopback as a /32
  (config-if)#ip ospf network point-to-point
  (config-if)#interface loopback 2
  (config-if)#ip address 10.150.100.126 255.255.255.192
  (config-if)#ip ospf network point-to-point
  (config-if)#interface loopback 3
  (config-if)#ip address 10.150.100.190 255.255.255.192
  (config-if)#ip ospf network point-to-point
  (config-if)#interface serial 2/0
  (config-if)#ip address 10.1.255.1 255.255.255.252
  (config-if)#bandwidth 256
  (config-if)#no shutdown
  (config-if)#exit
  (config)#router ospf 204
  (config-router)#router-id 2.2.2.2
  ! one summary statement covers all three loopback subnets (10.150.100.0/25)
  (config-router)#network 10.150.100.0 0.0.0.127 area 0
  ! the WAN link to NY (Phase I Task 4) must be in OSPF too, or no adjacency forms
  (config-router)#network 10.1.255.0 0.0.0.3 area 0
  ! the LAN interfaces on IL are the loopbacks
  (config-router)#passive-interface loopback 1
  (config-router)#passive-interface loopback 2
  (config-router)#passive-interface loopback 3
  (config-router)#auto-cost reference-bandwidth 1000
  (config-router)#end

Note: You will probably notice that all the Loopback IP addresses show up
as /32. To change that /32 to the real subnet mask of the Loopback interfaces
you need to type the following command on each Loopback interface in the
routers.

  interface loopback 1
  ip ospf network point-to-point
Task 5: Configure the CA Router. (4 points)

  Configuration Task                        Required Information
  Assign IP addresses to appropriate
  interfaces including Loopback and
  serial interfaces.
  Activate the non-Loopback interfaces.
  OSPF Process ID                           204
  Router ID                                 3.3.3.3
  Advertise directly connected networks.    Use classless network addresses.
                                            Assign interfaces to Area 0. Use a
                                            single summary address for the LAN
                                            (loopback) interfaces.
  Set all LAN (Loopback) interfaces as
  passive.
  Change the default cost reference         1000
  bandwidth to support Gigabit interface
  calculations.
  Set the serial interface bandwidth.       256 Kb/s

CA router configuration (lines starting with "!" are IOS comments):

  >enable
  #configure terminal
  (config)#interface loopback 1
  (config-if)#ip address 10.150.200.30 255.255.255.224
  ! see the note in Task 4: otherwise OSPF advertises each loopback as a /32
  (config-if)#ip ospf network point-to-point
  (config-if)#interface loopback 2
  (config-if)#ip address 10.150.200.62 255.255.255.224
  (config-if)#ip ospf network point-to-point
  (config-if)#interface loopback 3
  (config-if)#ip address 10.150.200.94 255.255.255.224
  (config-if)#ip ospf network point-to-point
  (config-if)#interface serial 3/0
  (config-if)#ip address 10.1.255.2 255.255.255.252
  (config-if)#bandwidth 256
  (config-if)#no shutdown
  (config-if)#exit
  (config)#router ospf 204
  (config-router)#router-id 3.3.3.3
  ! one summary statement covers all three loopback subnets (10.150.200.0/25)
  (config-router)#network 10.150.200.0 0.0.0.127 area 0
  ! the WAN link to NY (Phase I Task 4) must be in OSPF too, or no adjacency forms
  (config-router)#network 10.1.255.0 0.0.0.3 area 0
  ! the LAN interfaces on CA are the loopbacks
  (config-router)#passive-interface loopback 1
  (config-router)#passive-interface loopback 2
  (config-router)#passive-interface loopback 3
  (config-router)#auto-cost reference-bandwidth 1000
  (config-router)#end

Task 6: Verify OSPF Configuration (6 points)

  Question                                                    Command
  Type the command that displays all connected OSPFv2         #show ip ospf neighbor
  routers. Capture the output for your project and
  explain what you see.
  Type the command that displays the OSPF process ID,         #show ip ospf
  router ID, routing networks, address summarization,
  and passive interfaces configured on a router. Capture
  the output for your project and explain what you see.
  What command displays only OSPF routes?                     #show ip route ospf
  What command displays detailed information about the        #show ip ospf interface
  OSPF interfaces, including the authentication method?
  What command displays the OSPF link state types?            #show ip ospf database [link-state-id]
  What command displays the OSPF database?                    #show ip ospf database

Task 7: Summarize the output of the commands used in Task 6. How can
you tell that the network is working correctly? (3 points)

You would be able to see link state, and the OSPF routers would form
adjacencies with their neighbors, and this would be visible in the OSPF
database. The ip route command would show the routes of the packet sent
from one network over to the neighboring network. To see if the overall
network is up and the interfaces are properly turned on, you would ping
addresses on the network to see if the packets go through. Tracert would
be the command a network admin would use to see the route these packets
take to get to their destination address.

PHASE III (70 Points Total), Due Week 7

Task 1: Configure the NY router as a DHCPv4 server for the executive and
engineering VLAN. (4 points)

  Configuration Task                      Required Information            Points
  Reserve the first 10 IP addresses in                                    (1 point)
  VLAN 15 for static configurations.
  Reserve the first 10 IP addresses in                                    (1 point)
  VLAN 25 for static configurations.
  Create a DHCP pool for VLAN 15.         Name: EXECUTIVE                 (1 point)
                                          DNS-Server: 192.168.1.45
                                          Domain Name: hitech.net
                                          Set the default gateway.
  Create a DHCP pool for VLAN 25.         Name: ENGINEERING               (1 point)
                                          DNS-Server: 192.168.1.45
                                          Domain Name: engineering.com
                                          Set the default gateway.

NY DHCP configuration (lines starting with "!" are IOS comments):

  >enable
  #config t
  ! first 10 hosts of 10.150.1.128/26 (VLAN 15) and of 10.150.1.0/25 (VLAN 25)
  (config)#ip dhcp excluded-address 10.150.1.129 10.150.1.138
  (config)#ip dhcp excluded-address 10.150.1.1 10.150.1.10
  (config)#ip dhcp pool EXECUTIVE
  ! the pool takes the network address and mask, not a host address
  (dhcp-config)#network 10.150.1.128 255.255.255.192
  (dhcp-config)#dns-server 192.168.1.45
  (dhcp-config)#domain-name hitech.net
  ! the default gateway is the G0/1.15 address from Phase II Task 3
  (dhcp-config)#default-router 10.150.1.190
  (dhcp-config)#lease 7
  (dhcp-config)#exit
  (config)#ip dhcp pool ENGINEERING
  (dhcp-config)#network 10.150.1.0 255.255.255.128
  (dhcp-config)#dns-server 192.168.1.45
  (dhcp-config)#domain-name engineering.com
  ! the default gateway is the G0/1.25 address from Phase II Task 3
  (dhcp-config)#default-router 10.150.1.126
  (dhcp-config)#lease 7
  (dhcp-config)#end

Task 2: Restrict Access to the VTY Lines to only come from the
Native&Management VLAN. (15 points)

  Configuration Task                        Required Information
  Configure a named access list to only     ACL Name: NETMGMT
  allow the Native&Management VLAN to       Telnet is port 22, so if we are only
  SSH to the routers.                       allowing SSH connections then we
                                            would eliminate that line in the
                                            list.
  Apply the named ACL to the VTY lines.
  Verify the ACL is working as expected.

Configuration (lines starting with "!" are IOS comments):

  >enable
  #conf t
  (config)#ip access-list extended NETMGMT
  ! 10.150.1.192 0.0.0.15 is the Native&Management /28 (10.150.1.192 - .207)
  (config-ext-nacl)#10 permit tcp 10.150.1.192 0.0.0.15 any eq 22
  ! line 20 permits Telnet (port 23); remove it if only SSH is allowed
  (config-ext-nacl)#20 permit tcp 10.150.1.192 0.0.0.15 any eq 23
  ! logs every attempt from outside the management VLAN
  (config-ext-nacl)#500 deny ip any any log
  (config-ext-nacl)#exit
  (config)#line vty 0 15
  ! on VTY lines the ACL is applied with access-class, not ip access-group
  (config-line)#access-class NETMGMT in
  (config-line)#end
  #show access-lists

Then go to an unauthorized device and try to SSH to the router; it should
give a "connection refused by remote host" error message.
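An added example (not part of the assignment or the submitted answer) that evaluates the NETMGMT list above the way IOS does, top-down with first match and an implicit deny at the end, against constructed SSH and Telnet attempts; it also expands a wildcard mask to the address range it really covers, which is the check to run before trusting an access-class on the VTY lines. Function names and the sample source addresses are the example's own.

```python
import ipaddress

# Example code (not the assignment's own): IOS wildcard-mask matching and a
# first-match evaluation of the NETMGMT access list from Phase III Task 2.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def wildcard_range(base, wildcard):
    """Lowest and highest address a base/wildcard pair covers (review aid)."""
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    lo = (b & ~w) & 0xFFFFFFFF
    return str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(lo | w))

# (sequence, action, protocol, source, source wildcard, destination port;
#  None = any port).  Transcribed from the NETMGMT list on the page.
NETMGMT = [
    (10, "permit", "tcp", "10.150.1.193", "0.0.0.15", 22),  # mgmt VLAN -> SSH
    (20, "permit", "tcp", "10.150.1.193", "0.0.0.15", 23),  # mgmt VLAN -> Telnet
    (500, "deny", "ip", "0.0.0.0", "255.255.255.255", None),  # deny ip any any log
]

def evaluate(acl, src, proto, dport):
    """Return (action, sequence) of the first matching entry; implicit deny otherwise."""
    for seq, action, aproto, base, wc, port in acl:
        if aproto not in ("ip", proto):      # "ip" matches every protocol
            continue
        if not wildcard_match(src, base, wc):
            continue
        if port is not None and port != dport:
            continue
        return action, seq
    return "deny", None                       # implicit deny ends every IOS ACL

def ssh_only(acl):
    """Hardened variant: drop the Telnet (port 23) permit, as the page suggests."""
    return [e for e in acl if not (e[1] == "permit" and e[5] == 23)]

if __name__ == "__main__":
    print("line 10/20 cover", wildcard_range("10.150.1.193", "0.0.0.15"))
    # constructed attempts: a management host, an Executive VLAN host, Telnet
    for src, port in [("10.150.1.200", 22), ("10.150.1.150", 22), ("10.150.1.200", 23)]:
        print(src, port, evaluate(NETMGMT, src, "tcp", port),
              "ssh-only:", evaluate(ssh_only(NETMGMT), src, "tcp", port))
```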

Task 3: Configure static and dynamic NAT on NY. (25 points)

  Configuration Task                          Required Information              Points
  Create a local database with one user       Username: webadmin
  account. Use the command username           Password: cisco123
  webadmin privilege 15 secret cisco123.      Privilege level: 15
  Enable HTTP server service.                 #ip http server
  Configure the HTTP server to use the                                          2
  local database for authentication.
  Configure NY's Loopback 0 interface         192.168.1.200/32                  1
  with the following IP address. This is
  a simulated internal web server.
  Create a static NAT to the web server.      Inside Global Address:            2
                                              209.107.23.66/26 --> 192.168.1.200
  Assign the inside and outside interface
  for the static NAT.
  Configure the dynamic NAT inside private    Access List: 10
  ACL.                                        Allow the executive and
                                              engineering networks on NY to be
                                              translated. Allow a summary of the
                                              LANs (loopback) networks on IL and
                                              CA to be translated. Do not allow
                                              the Services and Native&Management
                                              VLANs to be translated.
  Define the pool of usable public IP         Pool Name: THE_NET
  addresses.                                  Pool of addresses include:
                                              209.107.23.68 - 209.107.23.75
  Define the dynamic NAT translation.                                           2

Configuration (lines starting with "!" are IOS comments):

  >enable
  #conf t
  (config)#username webadmin privilege 15 secret cisco123
  (config)#ip http server
  ! "ip http ?" and "ip http authentication ?" list the available options
  (config)#ip http authentication local
  (config)#interface loopback 0
  (config-if)#ip address 192.168.1.200 255.255.255.255
  ! the simulated web server sits on this loopback, so it is an inside interface
  (config-if)#ip nat inside
  (config-if)#exit
  ! static NAT: inside local 192.168.1.200 <-> inside global 209.107.23.66
  (config)#ip nat inside source static 192.168.1.200 209.107.23.66
  ! inside interfaces are the NY LAN subinterfaces that get translated;
  ! the outside interface is the serial link
  (config)#interface gigabitethernet 0/1.15
  (config-subif)#ip nat inside
  (config-subif)#interface gigabitethernet 0/1.25
  (config-subif)#ip nat inside
  (config-subif)#interface serial 2/0
  (config-if)#ip nat outside
  (config-if)#exit
  ! ACL 10 is a standard ACL, so it is written with access-list, not
  ! ip access-list extended; Executive and Engineering on NY, then one
  ! summary each for the IL and CA loopback networks
  (config)#access-list 10 permit 10.150.1.128 0.0.0.63
  (config)#access-list 10 permit 10.150.1.0 0.0.0.127
  (config)#access-list 10 permit 10.150.100.0 0.0.0.127
  (config)#access-list 10 permit 10.150.200.0 0.0.0.127
  ! Services (10.150.0.128/25) and Native&Management (10.150.1.192/28) are
  ! not translated; the explicit denies document the intent, the implicit
  ! deny at the end would drop them anyway
  (config)#access-list 10 deny 10.150.0.128 0.0.0.127
  (config)#access-list 10 deny 10.150.1.192 0.0.0.15
  (config)#ip nat pool THE_NET 209.107.23.68 209.107.23.75 netmask 255.255.255.192
  (config)#ip nat inside source list 10 pool THE_NET
  (config)#end

Task 4: Secure the network services. (16 points)

  Configuration Task                                          Required Information   Points
  Configure an extended ACL to allow Internet hosts WWW       ACL No.: 105           10
  access to the simulated web server on NY by accessing
  the static NAT address (209.107.23.66/26) that you
  configured in Task 3; allow Internet hosts DNS access to
  the simulated web server on NY by accessing the static
  NAT address (209.107.23.66/26) that you configured in
  Task 3; and prevent traffic from the Internet from
  pinging internal networks, while continuing to allow LAN
  interfaces to ping the Internet hosts. Apply the ACL to
  the appropriate interface(s).

Configuration (lines starting with "!" are IOS comments):

  >enable
  #conf t
  (config)#ip access-list extended 105
  ! Internet hosts (any source) to the web server's static NAT address
  (config-ext-nacl)#permit tcp any host 209.107.23.66 eq 80
  ! DNS is port 53 (UDP for normal queries, TCP for large answers)
  (config-ext-nacl)#permit udp any host 209.107.23.66 eq 53
  (config-ext-nacl)#permit tcp any host 209.107.23.66 eq 53
  ! replies to pings started from the LAN are allowed back in...
  (config-ext-nacl)#permit icmp any any echo-reply
  ! ...but pings started from the Internet are dropped and logged
  (config-ext-nacl)#deny icmp any any echo log
  (config-ext-nacl)#deny icmp any any redirect log
  (config-ext-nacl)#deny icmp any any mask-request log
  ! return traffic of TCP sessions opened from the translated LANs still has
  ! to pass; everything else hits the implicit deny
  (config-ext-nacl)#permit tcp any any established
  (config-ext-nacl)#exit
  ! an interface ACL is applied with ip access-group on the outside
  ! (Internet-facing) interface from Task 3; access-class is only for VTY lines
  (config)#interface serial 2/0
  (config-if)#ip access-group 105 in
  (config-if)#end

Task 5: Verify that your project meets the above requirements. Write a
summary of what you did and explain what you have learned in the process.
(10 points)

I created access control lists to permit only those assigned to the VLAN to
gain remote access to the VLAN. Then we moved forward to set up a NAT
service on the router to translate local addresses to public IP addresses. We
had to first define the inside interface and the outer interface. We created a
pool of usable IP addresses for dynamic translating. Last, we secured the
network services with an extended ACL that allowed certain hosts to access
the web server. In the process I have learned to use my resources because
not everything will always stick in my brain, but this was ultimately great
practice.
