
Last Phase NETW204 Class Project


Page 1: Last Phase NETW204 Class Project

PHASE I (20 points total)—Due Week 3

Tasks to Do.

Task 1: Subnet the 10.150.0.0/16 network for NY and assign the first nonzero subnets to Services followed by Engineering. You may need to re-subnet for Executive and Native&Management subnets to avoid wasting IP addresses. Ensure that you re-subnet only the first unused subnet and nothing else. Assign the nonzero subnets to Executive and Native&Management. (5 points)

New York Office IP    IP Address          Subnet Mask        Network Address
VLAN 15               10.150.1.129/26     255.255.255.192    10.150.1.128
VLAN 25               10.150.1.1/25       255.255.255.128    10.150.1.0
VLAN 35               10.150.0.129/25     255.255.255.128    10.150.0.128
VLAN 99               10.150.1.193/28     255.255.255.240    10.150.1.192

Task 2: Subnet the 10.150.100.0 /25 network for IL and assign the last IP address on the first three nonzero subnets to the Loopback 1, Loopback 2, and Loopback 3 interfaces of the router. We will use a loopback or virtual interface to simulate the LAN subnets. This speeds up configuration and allows us to create our topology without rewiring. (3 points)

Illinois Branch IP    IP Address            Subnet Mask        Network Address
Loopback 1            10.150.100.62/26      255.255.255.192    10.150.100.0
Loopback 2            10.150.100.126/26     255.255.255.192    10.150.100.64
Loopback 3            10.150.100.190/26     255.255.255.192    10.150.100.128

Task 3: Subnet the 10.150.200.0 /25 network for CA and assign the last IP address on the first three nonzero subnets to the Loopback 1, Loopback 2, and Loopback 3 interfaces of the router. We will use a loopback or virtual interface to simulate the LAN subnets. This speeds up configuration and allows us to create our topology without rewiring. (3 points)

California Branch IP  IP Address            Subnet Mask        Network Address
Loopback 1            10.150.200.30/27      255.255.255.224    10.150.200.0
Loopback 2            10.150.200.62/27      255.255.255.224    10.150.200.32
Loopback 3            10.150.200.94/27      255.255.255.224    10.150.200.64

Task 4: Use the following network address (10.1.255.0/25) to find the WAN subnets between NY and IL and NY and CA respectively. Note that there are only two IP addresses per subnet for each WAN link. Assign the first WAN subnet to NY to IL and the second WAN subnet to NY to CA. (2 points)

WAN Subnets    IP Address       Subnet Mask        Network Address
NY to IL       10.1.255.1/30    255.255.255.252    10.1.255.0
NY to CA       10.1.255.2/30    255.255.255.252    10.1.255.0

Task 5: Use Microsoft Visio to design the current network topology. Remember to use Loopback interfaces for the subnets in NY, IL, and CA. Use point-to-point interfaces to connect the remote branch offices to NY. See the sample network diagram below. Replace the phrase “IP Address” with the correct IP address for each interface on the routers. Include the WAN IP addresses on the diagram as well. (7 points)

First Major Deliverable in the Project: IP scheme for all three locations (fill in the IP tables above) and the Visio Diagram.
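An added check of the IP plan above (example code, not part of the project submission). From the prefixes exactly as written in the tables it derives each row's network, mask, wildcard mask and last and next-to-last usable host (the values the switch management address, router subinterface addresses and OSPF/ACL wildcard masks in the later phases are built from), confirms the loopback rows use the last usable host as Tasks 2 and 3 require, flags overlapping subnets, and computes the single summary prefix per site that the Phase II network statements ask for. The site tables are copied from the page; the function names are the example's own.

```python
import ipaddress
from itertools import combinations

# Prefixes as written in the project tables above (host address / prefix length).
NY_VLANS = {"VLAN 15": "10.150.1.129/26", "VLAN 25": "10.150.1.1/25",
            "VLAN 35": "10.150.0.129/25", "VLAN 99": "10.150.1.193/28"}
IL_LOOPBACKS = {"Loopback 1": "10.150.100.62/26", "Loopback 2": "10.150.100.126/26",
                "Loopback 3": "10.150.100.190/26"}
CA_LOOPBACKS = {"Loopback 1": "10.150.200.30/27", "Loopback 2": "10.150.200.62/27",
                "Loopback 3": "10.150.200.94/27"}


def plan(prefix):
    """Derive the values the tables and later configs need from one CIDR prefix.

    strict=False lets a host address such as 10.150.1.193/28 be masked down to
    its network instead of raising an error.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        # Inverse mask: the form OSPF network statements and ACL entries use.
        "wildcard": str(net.hostmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        # "Just before the last valid" address: the switch management address rule.
        "before_last_usable": str(hosts[-2]),
        "usable_count": len(hosts),
    }


def last_host_is_configured(table):
    """True per row when the written address is the last usable host of its subnet."""
    return {name: plan(p)["last_usable"] == p.split("/")[0] for name, p in table.items()}


def overlapping_pairs(table):
    """Pairs of rows whose subnets overlap; a valid plan returns an empty list."""
    nets = {n: ipaddress.ip_network(p, strict=False) for n, p in table.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def site_summary(table):
    """Smallest single prefix (and its wildcard) covering every subnet of a site."""
    nets = [ipaddress.ip_network(p, strict=False) for p in table.values()]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary), str(summary.hostmask)


if __name__ == "__main__":
    for site, table in (("NY", NY_VLANS), ("IL", IL_LOOPBACKS), ("CA", CA_LOOPBACKS)):
        print(site, "summary/wildcard:", site_summary(table), "overlaps:", overlapping_pairs(table))
        for name, prefix in table.items():
            row = plan(prefix)
            print(f"  {name:<10} {prefix:<20} {row['network']:<16} {row['mask']:<16} {row['wildcard']}")
```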

PHASE II (30 points total)—Due Week 5


Now that you have completed your first major deliverable in the project, let us move on to the next phase in the project. You need to plan to implement the network. You will configure the switches first.

Task 1: Configure SW1. (3.5 points possible)

Configuration Task | Required Information | Points
(Commands are entered from >enable, #configure terminal)

Switch name: SW1 (¼ point)
#hostname SW1

Secret Password: Netw204 (¼ point)
#enable secret Netw204

Disable DNS lookup (¼ point)
#no ip domain-lookup

Username and Password: User= Admin1, Password=cisco123 (¼ point)
#username Admin1 privilege 15 secret cisco123

Message of the Day (MOTD) Banner: Unauthorized Access is Highly Prohibited! (¼ point)
#banner motd ^Unauthorized Access is Highly Prohibited!^

VTY: Enable SSH and Disable Telnet. (½ point)
#line vty 0 15
(c-line)#transport input ssh
(c-line)#exit

Encrypt the clear text passwords: Use the correct command to encrypt clear text passwords. (¼ point)
#service password-encryption

Create the required VLANs: Use the information provided to create the VLANs. (I also added Names) (¼ point)
#vlan 15
(c-vlan)#name Executive
(c-vlan)#vlan 25
(c-vlan)#name Engineering
(c-vlan)#vlan 35
(c-vlan)#name Services
(c-vlan)#vlan 99
(c-vlan)#name Native&Management
(c-vlan)#exit

Assign the management IP address: Assign the IP Address just before the last valid IP Address on the Native&Management VLAN. VLAN 99 is the Native VLAN. (¼ point)
#interface vlan 99
(c-if)#ip address 10.150.1.205 255.255.255.240

Enable the 802.1Q Trunk ports: Use the correct switchport command to set the Trunk port. (¼ point)
#interface fastethernet 0/2
(c-if)#switchport trunk encapsulation dot1q
(c-if)#switchport mode trunk
(c-if)#no shutdown
(c-if)#interface fastethernet 0/1
(c-if)#switchport trunk encapsulation dot1q
(c-if)#switchport mode trunk
(c-if)#no shutdown
(c-if)#exit

Configure all other ports as access ports: Use the interface range command. (¼ point)
! fa0/1 and fa0/2 are the trunk ports configured above, so they are left out of the access range
#interface range fa0/3 , fa0/5
(c-if-range)#switchport mode access

Assign F0/5 to the correct VLAN as per the diagram: See the network diagram you drew for part 1. (switchport mode access is redundant if this is continuing from the previous command.) (¼ point)
#interface fastethernet 0/5
(c-if)#switchport mode access
(c-if)#switchport access vlan 25
(c-if)#exit

Shutdown all unused ports: Disable all unused ports in software. (¼ point)
I don’t know all the ports because I am not using the software, but in the event this was a live production network I would use #show vlan for port information, #interface range {port range}, and #shutdown commands to shut down unused ports.

Task 2: Configure SW2. (3.5 points possible)

Configuration Task | Required Information | Points
(Commands are entered from >enable, #configure terminal)

Switch name: SW2 (¼ point)
#hostname SW2

Secret Password: Netw204 (¼ point)
#enable secret Netw204

Disable DNS lookup (¼ point)
#no ip domain-lookup

Username and Password: User= Admin1, Password=cisco123 (¼ point)
#username Admin1 privilege 15 secret cisco123

Message of the Day (MOTD) Banner: Unauthorized Access is Highly Prohibited! (¼ point)
#banner motd ^Unauthorized Access is Highly Prohibited!^

VTY: Enable SSH and Disable Telnet. (½ point)
#line vty 0 15
(c-line)#transport input ssh
(c-line)#exit

Encrypt the clear text passwords: Use the correct command to encrypt clear text passwords. (¼ point)
#service password-encryption

Create the required VLANs: Use the information provided to create the VLANs. (¼ point)
#vlan 15
(c-vlan)#name Executive
(c-vlan)#vlan 25
(c-vlan)#name Engineering
(c-vlan)#vlan 35
(c-vlan)#name Services
(c-vlan)#vlan 99
(c-vlan)#name Native&Management
(c-vlan)#exit

Assign the management IP address: Assign the IP Address just before the last valid IP Address on the Native&Management VLAN. VLAN 99 is the Native VLAN. (¼ point)
#interface vlan 99
(c-if)#ip address 10.150.1.205 255.255.255.240

Enable the 802.1Q Trunk ports: Use the correct switchport command to set the Trunk port. (¼ point)
#interface fastethernet 0/2
(c-if)#switchport trunk encapsulation dot1q
(c-if)#switchport mode trunk
(c-if)#no shutdown
(c-if)#interface fastethernet 0/1
(c-if)#switchport trunk encapsulation dot1q
(c-if)#switchport mode trunk
(c-if)#no shutdown
(c-if)#exit

Configure all other ports as access ports: Use the interface range command. (¼ point)
! fa0/1 and fa0/2 are the trunk ports configured above, so they are left out of the access range
#interface range fa0/3 , fa0/5
(c-if-range)#switchport mode access

Assign F0/3 to the correct VLAN as per the diagram: See the network diagram you drew for part 1. (¼ point)
#interface fastethernet 0/3
(c-if)#switchport mode access
(c-if)#switchport access vlan 15
(c-if)#exit

Shutdown all unused ports: Disable all unused ports in software. (¼ point)
Again, I don’t know all the ports because I am not using the software, but in the event this was a live production network I would use #show vlan for port information, #interface range {port range}, and #shutdown commands to shut down unused ports.


Configuration Item or Task | Required Information | Points
(Commands are entered from >enable, #configure terminal)

Configure 802.1Q subinterface .15 on G0/1: Description Executive LAN. Assign VLAN 15. Assign the last valid IP address to this interface. (½ point)
#interface gigabitethernet 0/1.15
(c-subif)#encapsulation dot1q 15
(c-subif)#ip address 10.150.1.190 255.255.255.192
(c-subif)#description Executive LAN

Configure 802.1Q subinterface .25 on G0/1: Description Engineering LAN. Assign VLAN 25. Assign the last valid IP address to this interface. (½ point)
#interface gigabitethernet 0/1.25
(c-subif)#encapsulation dot1q 25
(c-subif)#ip address 10.150.1.106 255.255.255.128
(c-subif)#description Engineering LAN

Configure 802.1Q subinterface .35 on G0/1: Description Services LAN. Assign VLAN 35. Assign the first available address to this interface. (½ point)
#interface gigabitethernet 0/1.35
(c-subif)#encapsulation dot1q 35
(c-subif)#ip address 10.150.0.129 255.255.255.128
(c-subif)#description Services LAN

Configure 802.1Q subinterface .99 on G0/1: Description Native&Management LAN. Assign VLAN 99. Assign the last valid IP address to this interface. (½ point)
#interface gigabitethernet 0/1.99
(c-subif)#encapsulation dot1q 99 native
(c-subif)#ip address 10.150.1.206 255.255.255.240
(c-subif)#description Native&Management LAN

Activate Interface G0/1: Bring up interfaces. (½ point)
#interface gigabitethernet 0/1
(c-if)#no shutdown

OSPF Process ID 204 (½ point)
#router ospf 204

Router ID 1.1.1.1 (½ point)
(c-router)#router-id 1.1.1.1

Advertise directly connected networks: Use classless network addresses. Assign all directly connected networks to Area 0. (½ point)
(c-router)#network 10.150.0.0 0.0.255.255 area 0
(c-router)#network 10.150.100.0 0.0.0.127 area 0
(c-router)#network 10.150.200.0 0.0.0.127 area 0
! the WAN /30 (Phase I, Task 4) is directly connected as well and must be in area 0 for the neighbor adjacencies to form
(c-router)#network 10.1.255.0 0.0.0.3 area 0

Set all LAN interfaces as passive: Type necessary commands to do so. (½ point)
(c-router)#passive-interface gigabitethernet 0/1.15
(c-router)#passive-interface gigabitethernet 0/1.25
(c-router)#passive-interface gigabitethernet 0/1.35
(c-router)#passive-interface gigabitethernet 0/1.99
(c-router)#end

Change the default cost reference bandwidth to support Gigabit interface calculations: 1000 (½ point)
#router ospf 204
(c-router)#auto-cost reference-bandwidth 1000
(c-router)#end

Set the serial interface bandwidth: 768 Kb/s (½ point)
#interface serial 2/0
(c-if)#bandwidth 768
(c-if)#interface serial 3/0
(c-if)#bandwidth 768

Adjust the metric cost of S0/0/0: Cost 7500 (½ point)
#interface serial 0/0/0
(c-if)#ip ospf cost 7500

Configuration Task | Required Information | Points

Assign IP addresses to appropriate interfaces including Loopback and serial interfaces. (½ point)
#interface loopback 1
(c-if)#ip address 10.150.100.62 255.255.255.192
(c-if)#interface loopback 2
(c-if)#ip address 10.150.100.126 255.255.255.192
(c-if)#interface loopback 3
(c-if)#ip address 10.150.100.190 255.255.255.192
(c-if)#interface serial 2/0
(c-if)#ip address 10.1.255.1 255.255.255.252

Activate the non-Loopback interfaces. (½ point)
#interface serial 2/0
(c-if)#no shutdown

OSPF Process ID 204 (½ point)
#router ospf 204

Router ID 2.2.2.2 (½ point)
(c-router)#router-id 2.2.2.2

Advertise directly connected networks: Use classless network addresses. Assign interfaces to Area 0. Use a single summary address for the LAN (loopback) interfaces. (½ point)
(c-router)#network 10.150.0.0 0.0.255.255 area 0
(c-router)#network 10.150.100.0 0.0.0.127 area 0
! the WAN /30 to NY is directly connected as well and must be in area 0 for the adjacency to form
(c-router)#network 10.1.255.0 0.0.0.3 area 0

Set all LAN (Loopback) interfaces as passive. (½ point)
(c-router)#passive-interface loopback 1
(c-router)#passive-interface loopback 2
(c-router)#passive-interface loopback 3
(c-router)#end


Change the default cost reference bandwidth to support Gigabit interface calculations: 1000 (½ point)
#router ospf 204
(c-router)#auto-cost reference-bandwidth 1000

Set the serial interface bandwidth: 256 Kb/s (½ point)
#interface serial 2/0
(c-if)#bandwidth 256

Note: You will probably notice that all the Loopback IP addresses show up as /32. To change that /32 to the real subnet mask of the Loopback interfaces you need to type the following command on each Loopback interface in the routers.
#interface loopback 1
(c-if)#ip ospf network point-to-point

Task 5: Configure the CA Router. (4 points)


Configuration Task | Required Information | Points

Assign IP addresses to appropriate interfaces including Loopback and serial interfaces. (½ point)
#interface loopback 1
(c-if)#ip address 10.150.200.30 255.255.255.224
(c-if)#interface loopback 2
(c-if)#ip address 10.150.200.62 255.255.255.224
(c-if)#interface loopback 3
(c-if)#ip address 10.150.200.94 255.255.255.224
(c-if)#interface serial 3/0
(c-if)#ip address 10.1.255.2 255.255.255.252

Activate the non-Loopback interfaces. (½ point)
#interface serial 3/0
(c-if)#no shutdown

OSPF Process ID 204 (½ point)
#router ospf 204

Router ID 3.3.3.3 (½ point)
(c-router)#router-id 3.3.3.3

Advertise directly connected networks: Use classless network addresses. Assign interfaces to Area 0. Use a single summary address for the LAN (loopback) interfaces. (½ point)
(c-router)#network 10.150.0.0 0.0.255.255 area 0
(c-router)#network 10.150.200.0 0.0.0.127 area 0
! the WAN /30 to NY is directly connected as well and must be in area 0 for the adjacency to form
(c-router)#network 10.1.255.0 0.0.0.3 area 0

Set all LAN (Loopback) interfaces as passive. (½ point)
(c-router)#passive-interface loopback 1
(c-router)#passive-interface loopback 2
(c-router)#passive-interface loopback 3
(c-router)#end


Change the default cost reference bandwidth to support Gigabit interface calculations: 1000 (½ point)
#router ospf 204
(c-router)#auto-cost reference-bandwidth 1000

Set the serial interface bandwidth: 256 Kb/s (½ point)
#interface serial 3/0
(c-if)#bandwidth 256
(c-if)#end

Task 6: Verify OSPF Configuration (6 points)


Question | Points

Type the command that displays all connected OSPFv2 routers. Capture the output for your project and explain what you see. (1 point)
#show ip ospf neighbor

Type the command that displays the OSPF process ID, router ID, routing networks, address summarization, and passive interfaces configured on a router. Capture the output for your project and explain what you see. (1 point)
#show ip ospf

What command displays only OSPF routes? (1 point)
#show ip route ospf

What command displays detailed information about the OSPF interfaces, including the authentication method? (1 point)
#show ip ospf interface

What command displays the OSPF link-state types? (1 point)
#show ip ospf database [link state id]

What command displays the OSPF database? (1 point)
#show ip ospf database

Task 7: Summarize the output of the commands used in Task 6. How can you tell that the network is working correctly? (3 points)

You would be able to see link states, and the OSPF routers would form adjacencies with their neighbors; this would be visible in the OSPF database. The ip route command would show the routes of the packets sent from one network over to the neighboring network. To see if the overall network is up and the interfaces are properly turned on, you would ping addresses on the network to see if the packets go through. “Tracert” would be the command a network admin would use to see the route these packets take to get to their destination address.


PHASE III (70 Points Total)—Due Week 7

Task 1: Configure the NY router as a DHCPv4 server for the Executive and Engineering VLANs. (4 points)

Configuration Task | Required Information | Points
(Commands are entered from >enable, #config t)

Reserve the first 10 IP addresses in VLAN 15 for static configurations. (1 point)
#ip dhcp excluded-address 10.150.1.130 10.150.1.140

Reserve the first 10 IP addresses in VLAN 25 for static configurations. (1 point)
#ip dhcp excluded-address 10.150.1.2 10.150.1.12

Create a DHCP pool for VLAN 15: Name: EXECUTIVE. DNS-Server: 192.168.1.45. Domain-Name: hitech.net. Set the default gateway. (1 point)
#ip dhcp pool EXECUTIVE
(dhcp-config)#network 10.150.1.128 /26
(dhcp-config)#dns-server 192.168.1.45
(dhcp-config)#domain-name hitech.net
! the default gateway is the G0/1.15 subinterface address configured in Phase II
(dhcp-config)#default-router 10.150.1.190
(dhcp-config)#lease 7

Create a DHCP pool for VLAN 25: Name: ENGINEERING. DNS-Server: 192.168.1.45. Domain-Name: engineering.com. Set the default gateway. (1 point)
#ip dhcp pool ENGINEERING
(dhcp-config)#network 10.150.1.0 /25
(dhcp-config)#dns-server 192.168.1.45
(dhcp-config)#domain-name engineering.com
! the default gateway is the G0/1.25 subinterface address configured in Phase II
(dhcp-config)#default-router 10.150.1.106
(dhcp-config)#lease 7


Task 2: Restrict Access to the VTY Lines to only come from Native&Management VLAN. (15 points)

Configuration Task | Required Information | Points
(Commands are entered from >enable, #conf t)

Configure a named access list to only allow Native&Management VLAN to SSH to the routers. ACL Name: NETMGMT (5 points)
Telnet is port 22, so if we are only allowing SSH connections then we would eliminate that line in the list.
#ip access-list extended NETMGMT
(c-ext-nacl)#10 permit tcp 10.150.1.192 0.0.0.15 any eq 22
(c-ext-nacl)#500 deny ip any any log
(c-ext-nacl)#exit
(The final deny with log records every attempt that is denied.)

Apply the named ACL to the VTY lines. (5 points)
#line vty 0 15
(c-line)#access-class NETMGMT in
(c-line)#end

Verify ACL is working as expected. (5 points)
#show access-lists
Then go to an unauthorized device and try to SSH to the router; it should give a “connection refused by remote host” error message.

Task 3: Configure static and dynamic NAT on NY. (25 points)


Configuration Task | Required Information | Points
(Commands are entered from >enable, #conf t)

Create a local database with one user account. Use the command username webadmin privilege 15 secret cisco123. Username: webadmin. Password: cisco123. Privilege level: 15 (5 points)
#username webadmin privilege 15 secret cisco123

Enable HTTP server service. (ip http ?) (2 points)
#ip http server

Configure the HTTP server to use the local database for authentication. (ip http authentication ?) (2 points)
#ip http authentication local

Create a static NAT to the web server. Inside Global Address: 209.107.23.66 (2 points)
#ip nat inside source static 192.168.1.200 209.107.23.66

Configure NY’s Loopback 0 interface with the following IP address. This is a simulated internal web server. 192.168.1.200/32 (1 point)
#interface loopback 0
(c-if)#ip address 192.168.1.200 255.255.255.255

Assign the inside and outside interface for the static NAT. 192.168.1.200 -> 209.107.23.66 /26 (1 point)
#interface fa 0/0
(c-if)#ip nat inside
(c-if)#interface serial 2/0
(c-if)#ip nat outside


Configure the dynamic NAT inside private ACL. Access List: 10. Allow the executive and engineering networks on NY to be translated. Allow a summary of the LANs (loopback) networks on IL and CA to be translated. Do not allow the Services and Native&Management VLANs to be translated.
#access-list 10 permit 10.150.1.128 0.0.0.63
#access-list 10 permit 10.150.1.0 0.0.0.127
#access-list 10 permit 10.150.100.0 0.0.0.63
#access-list 10 permit 10.150.200.0 0.0.0.31
#access-list 10 deny 10.150.1.192 0.0.0.15

Define the pool of usable public IP addresses. Pool Name: THE_NET. Pool of addresses includes: 209.107.23.68 – 209.107.23.75 (5 points)
#ip nat pool THE_NET 209.107.23.68 209.107.23.75 netmask 255.255.255.192

Define the dynamic NAT translation. (2 points)
#ip nat inside source list 10 pool THE_NET


Task 4: Secure the network services. (16 points)

Configuration Task | Required Information | Points
(Commands are entered from >enable, #conf t)

Configure an extended ACL to

allow Internet hosts WWW access to the simulated web server on NY by accessing the static NAT address (209.107.23.66 /26) that you configured in Task 3;

allow Internet hosts DNS access to the simulated web server on NY by accessing the static NAT address (209.107.23.66 /26) that you configured in Task 3; and

prevent traffic from the Internet from pinging internal networks, while continuing to allow LAN interfaces to ping the Internet hosts.

ACL No.: 105 (10 points)
#access-list 105 permit tcp any host 209.107.23.66 eq 80
#access-list 105 permit udp any host 209.107.23.66 eq 53
#access-list 105 deny icmp any any redirect log
#access-list 105 deny icmp any any echo
#access-list 105 deny icmp any any mask-request log
! replies to pings sent from the LAN interfaces must still be allowed back in
#access-list 105 permit icmp any any echo-reply

Apply ACL to the appropriate interface(s). (6 points)
#interface serial 2/0
(c-if)#ip access-group 105 in
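An added simulation (example code, not the project's own) of how IOS evaluates the two access lists in this phase: the NETMGMT list from Task 2 and the extended list 105 from Task 4, with first-match-wins ordering, wildcard-mask address matching, and the implicit deny at the end of every list. The entries follow the task requirements (SSH is TCP 22, WWW is TCP 80, DNS is UDP 53); the sample packets are constructed, and the `Ace`/`evaluate` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry, kept in the order IOS evaluates them."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str                         # "any", "host A.B.C.D", or "A.B.C.D wildcard"
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp ("eq" match)
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"
    log: bool = False


def address_matches(spec, ip):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(ip)
    base, wildcard = spec.split()
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(base)) & care) == (int(ipaddress.ip_address(ip)) & care)


def evaluate(acl, pkt):
    """Return (action, matched_entry, logged). First match wins; unmatched traffic
    hits the implicit 'deny ip any any', which is neither logged nor an explicit entry."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (address_matches(ace.src, pkt["src"]) and address_matches(ace.dst, pkt["dst"])):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        if ace.icmp_type is not None and pkt.get("icmp_type") != ace.icmp_type:
            continue
        return ace.action, ace, ace.log
    return "deny", None, False


# Task 2: only the Native&Management VLAN (10.150.1.192/28) may reach the VTY lines over SSH.
NETMGMT = [
    Ace("permit", "tcp", "10.150.1.192 0.0.0.15", "any", dport=22),
    Ace("deny", "ip", "any", "any", log=True),
]

# Task 4, inbound on the outside interface: Internet hosts get WWW and DNS to the static
# NAT address, inbound pings are refused, and replies to the LAN's own pings still return.
ACL_105 = [
    Ace("permit", "tcp", "any", "host 209.107.23.66", dport=80),
    Ace("permit", "udp", "any", "host 209.107.23.66", dport=53),
    Ace("deny", "icmp", "any", "any", icmp_type="echo"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
]

# Constructed sample packets; 198.51.100.0/24 is documentation space standing in for the Internet.
SAMPLES = {
    "mgmt_ssh": {"proto": "tcp", "src": "10.150.1.200", "dst": "10.150.1.206", "dport": 22},
    "exec_ssh": {"proto": "tcp", "src": "10.150.1.130", "dst": "10.150.1.206", "dport": 22},
    "mgmt_telnet": {"proto": "tcp", "src": "10.150.1.200", "dst": "10.150.1.206", "dport": 23},
    "web_from_internet": {"proto": "tcp", "src": "198.51.100.7", "dst": "209.107.23.66", "dport": 80},
    "ping_from_internet": {"proto": "icmp", "src": "198.51.100.7", "dst": "209.107.23.66", "icmp_type": "echo"},
    "ping_reply_to_lan": {"proto": "icmp", "src": "198.51.100.7", "dst": "209.107.23.70", "icmp_type": "echo-reply"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        acl = NETMGMT if name.startswith(("mgmt", "exec")) else ACL_105
        action, ace, logged = evaluate(acl, pkt)
        print(f"{name:<20} {action:<6} logged={logged}")
```

As written, list 105 admits nothing else inbound, so the dynamically translated LAN sessions from Task 3 would receive no return traffic; the task text lists no entry for that, and a production list would need one.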

Task 5: Verify that your project meets the above requirements. Write a summary of what you did and explain what you have learned in the process. (10 points)

I created access control lists to permit only those assigned to the VLAN to gain remote access to the VLAN. Then we moved forward to set up a NAT service on the router to translate local addresses to public IP addresses. We had to first define the inside interface and the outer interface. We created a pool of usable IP addresses for dynamic translating. Last, we secured the network services with an extended ACL that allowed certain hosts to access the web server. In the process I have learned to use my resources because not everything will always stick in my brain, but this was ultimately great practice.