NETWORK INFRASTRUCTURE PROJECT REPORT
TICKET-002
NETWORK INFRASTRUCTURE DESIGN AND DEPLOYMENT
ABC SOLUTIONS INC
TABLE OF CONTENTS
1. PROJECT OVERVIEW
Project Name:
Network Infrastructure Expansion
Network Infrastructure Expansion
Engineer:
Nguyen Kien Doanh
Nguyen Kien Doanh
Date:
October 9, 2025
October 9, 2025
Context: Executing CEO’s Ticket #NET-LAB-002 to upgrade network infrastructure for 2-floor office expansion and R&D department setup.
2. BUSINESS REQUIREMENTS (TICKET #NET-LAB-002)
Ticket Information:
- • Sender: Chief Executive Officer (CEO)
- • Date Sent: April 9, 2026
- • Priority: Very High
- • Subject: Upgrade and expand network infrastructure to meet company growth
2.1. Seven Core Requirements from CEO
- Office Expansion to 2 Floors: Departments will have employees distributed across both floors, requiring the network system to ensure employees connect to the correct department network regardless of floor.
- Establish R&D Department: New department with 10 specialists, requiring complete isolation from other departments for security purposes.
-
Add Device Networks:
- Security Camera Network (IP cameras)
- Office Device Network (printers, scanners)
- Guest Wi-Fi Network – Internet only, isolated from internal resources
- Enhance Internal Network Performance: Ensure handling of large files and 24/7 camera video without causing bottlenecks.
-
Internet Access Policy:
- Allowed: IT, R&D, Guest Wi-Fi
- Blocked: Sales, Marketing, Camera, Printers
-
Server Farm Access Policy:
- IT: Full access
- Sales/Marketing: FTP only (port 21)
- R&D, Device Networks, Guest: Completely blocked
- DHCP Reservation for IT: IT computers need fixed IP from DHCP (by MAC address).
3. SYSTEM DESIGN (DESIGN DOCUMENT)
3.1. VLAN and IP Planning
| VLAN ID | VLAN Name | Subnet | Gateway | Number of Hosts | Description |
|---|---|---|---|---|---|
| VLAN 10 | Sales | 172.16.10.0/24 | 172.16.10.1 | 254 hosts | Sales Department |
| VLAN 20 | Marketing | 172.16.20.0/24 | 172.16.20.1 | 254 hosts | Marketing Department |
| VLAN 30 | IT | 172.16.30.0/24 | 172.16.30.1 | 254 hosts | IT Department |
| VLAN 40 | Server Farm | 172.16.40.0/24 | 172.16.40.1 | 254 hosts | Centralized Servers |
| VLAN 50 | R&D | 172.16.50.0/24 | 172.16.50.1 | 254 hosts | Research & Development |
| VLAN 60 | Camera | 172.16.60.0/24 | 172.16.60.1 | 254 hosts | Security Camera System |
| VLAN 70 | Printers | 172.16.70.0/24 | 172.16.70.1 | 254 hosts | Office Devices |
| VLAN 80 | Guest WiFi | 172.16.80.0/24 | 172.16.80.1 | 254 hosts | Guest Wi-Fi Access |
3.2. Topology and Equipment
Hierarchical Network Architecture
- Core Layer: SW-CORE-L3 (Layer 3 Switch) – Inter-VLAN Routing
-
Access Layer: 4 Layer 2 Switches to support 2-floor office:
- SW-F1-01, SW-F1-02 (Floor 1)
- SW-F2-01, SW-F2-02 (Floor 2)
- WAN Gateway: Router R1-Edge – Internet gateway, NAT
- WAN Connection: Router ↔ Core Switch (10.0.0.0/30)
3.2.1. Network Topology Diagram
📊 NETWORK INFRASTRUCTURE OVERVIEW
Figure 1: Network infrastructure overview for ABC Solutions Inc.
🔐 SECURITY POLICIES (ACL RULES)
✅ Internet Access (Router ACL):
- VLAN 30 (IT) → Internet
- VLAN 50 (R&D) → Internet
- VLAN 80 (Guest) → Internet
- VLAN 10,20 (Sales/Mktg) → Blocked
- VLAN 40,60,70 (Server/Devices) → Blocked
🔒 Server Farm Access (Core ACL):
- VLAN 30 (IT) → Full Access
- VLAN 10,20 (Sales/Mktg) → FTP Only (TCP 21)
- VLAN 50 (R&D) → Blocked
- VLAN 60,70,80 (Devices/Guest) → Blocked
⛔ Internal Isolation (Core ACL):
- VLAN 50 (R&D) ↔ All Internal VLANs
- VLAN 80 (Guest) ↔ All Internal VLANs
🖥️ Server to Departments (Core ACL):
- VLAN 40 (Server) → All Departments
- VLAN 40 (Server) → Guest (VLAN 80)
📌 Diagram Notes:
- Trunk links: Use 802.1Q encapsulation, allow VLANs 10,20,30,40,50,60,70,80
- WAN connection: Point-to-point /30 subnet (10.0.0.0/30) between Router and Core Switch
- Management: All switches use VLAN 30 as management VLAN
- Redundancy: Can expand with additional trunk links for EtherChannel/Link Aggregation
3.3. Security Policy Table (ACL Requirements)
| Security Requirement | ACL Solution | Deployment Location |
|---|---|---|
| Only IT, R&D, Guest allow Internet | ACL allow VLAN 30, 50, 80 → Internet | Router (LAN Interface) |
| Sales/Marketing FTP only to Server Farm | ACL allow TCP 21 from VLAN 10,20 → VLAN 40 | Core Switch (SVI 10,20) |
| IT full access to Server Farm | ACL allow all from VLAN 30 → VLAN 40 | No ACL needed (default) |
| R&D complete isolation | ACL block VLAN 50 ↔ all internal VLANs | Core Switch (SVI 50) |
| Server Farm connects to all departments | ACL allow from VLAN 40 → all (except Guest) | Core Switch (SVI 40) |
| Guest Internet only | ACL block VLAN 80 → all internal VLANs | Core Switch (SVI 80) |
| Camera/Printer no Internet | ACL block VLAN 60,70 → Internet | Router (LAN Interface) |
3.4. Routing Diagram
Routing Methods:
- Inter-VLAN Routing: Core Switch L3 using Switch Virtual Interfaces (SVI)
- Static Routes: Router → Internal VLANs (172.16.x.0/24 via 10.0.0.2)
- Default Route: Core Switch → Router (0.0.0.0/0 via 10.0.0.1)
- NAT: Router performs NAT Overload (PAT) for Internet connectivity
4. IMPLEMENTATION (IMPLEMENTATION DOCUMENT)
4.1. Lab Preparation (EVE-NG)
Install ishare2 and Download Images:
# Install ishare2
wget -O /usr/sbin/ishare2 https://raw.githubusercontent.com/ishare2-org/ishare2-cli/main/ishare2
chmod +x /usr/sbin/ishare2 && ishare2
# Download required images:
ishare2 pull qemu 1346 # Cisco vIOS (Router)
ishare2 pull qemu 1355 # Cisco vIOSL2 (Switch L3)
ishare2 pull iol 12 # IOL (Switch L2)
ishare2 pull qemu 866 # Linux VMs4.2. Detailed Implementation Steps
Step 1: Configure Core Switch Layer 3 (SW-CORE-L3)
Main Tasks:
- Hostname, basic security
- Enable IP routing
- Create 8 VLANs (10,20,30,40,50,60,70,80)
- Configure SVI for each VLAN (Gateway)
- Configure WAN port (Gi0/0: 10.0.0.2/30)
- Configure Trunk ports to Access Switches
- Default route to Router
- Configure internal ACLs
- SSH, VTY configuration
Step 2-5: Configure 4 Access Switches
| Device | Management IP | Location | Port Distribution |
|---|---|---|---|
| SW-F1-01 | 172.16.30.11 | Floor 1 | e0/0: Trunk, e1/0-3: Sales, e2/0-3: Marketing… |
| SW-F1-02 | 172.16.30.12 | Floor 1 | e0/0: Trunk, e3/0-3: IT, e4/0-3: R&D… |
| SW-F2-01 | 172.16.30.13 | Floor 2 | e0/0: Trunk, e5/0-3: Camera, e6/0-3: Printers… |
| SW-F2-02 | 172.16.30.14 | Floor 2 | e0/0: Trunk, e7/0-3: Guest WiFi… |
Port Allocation for SW-F1-01 (Example)
| Port Range | VLAN | Description |
|---|---|---|
| e0/0 | Trunk | Uplink to Core |
| e1/0-3 | VLAN 10 | Sales |
| e2/0-3 | VLAN 20 | Marketing |
| e3/0-3 | VLAN 30 | IT |
| e4/0-3 | VLAN 50 | R&D |
| e5/0-3 | VLAN 60 | Camera |
| e6/0-3 | VLAN 70 | Printers |
| e7/0-3 | VLAN 80 | Guest WiFi |
Step 6: Configure DHCP Server (on Core Switch)
DHCP Pools Configuration:
- Excluded addresses: .1-.49 for each subnet (reserved)
- VLAN 10 (Sales): 172.16.10.50-200
- VLAN 20 (Marketing): 172.16.20.50-200
- VLAN 50 (R&D): 172.16.50.50-150
- VLAN 60 (Camera): 172.16.60.50-200
- VLAN 70 (Printers): 172.16.70.50-150
- VLAN 80 (Guest): 172.16.80.100-250
- DHCP Reservation for IT department (by MAC address)
Step 7: Configure Server Farm
Server Farm Configuration:
- Static IP: 172.16.40.30/24
- Gateway: 172.16.40.1
- DNS: 8.8.8.8
Step 8: Configure Router (R1-Edge)
| Interface | IP Address | Purpose | NAT |
|---|---|---|---|
| Gi0/0 (LAN) | 10.0.0.1/30 | Connect Core Switch | NAT Inside |
| Gi0/1 (WAN) | DHCP from ISP | Internet Connection | NAT Outside |
Router Configuration Tasks: Configure interfaces, Static routes to VLANs, ACL for Internet access, NAT Overload (PAT).
4.3. Detailed CLI Configuration Commands
4.3.1. Core Switch – Basic & VLAN Configuration
! ===== BASIC CONFIGURATION =====
Switch> enable
Switch# configure terminal
Switch(config)# hostname SW-CORE-L3
SW-CORE-L3(config)# no ip domain-lookup
SW-CORE-L3(config)# clock timezone GMT+7 7 0
SW-CORE-L3(config)# enable secret cisco
SW-CORE-L3(config)# line console 0
SW-CORE-L3(config-line)# password cisco
SW-CORE-L3(config-line)# login
SW-CORE-L3(config-line)# logging synchronous
SW-CORE-L3(config-line)# exec-timeout 5 0
SW-CORE-L3(config-line)# exit
! ===== ENABLE IP ROUTING =====
SW-CORE-L3(config)# ip routing
! ===== CREATE VLANs =====
SW-CORE-L3(config)# vlan 10
SW-CORE-L3(config-vlan)# name SALES
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 20
SW-CORE-L3(config-vlan)# name MARKETING
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 30
SW-CORE-L3(config-vlan)# name IT
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 40
SW-CORE-L3(config-vlan)# name SERVER-FARM
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 50
SW-CORE-L3(config-vlan)# name R&D
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 60
SW-CORE-L3(config-vlan)# name CAMERA
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 70
SW-CORE-L3(config-vlan)# name PRINTERS
SW-CORE-L3(config-vlan)# exit
SW-CORE-L3(config)# vlan 80
SW-CORE-L3(config-vlan)# name GUEST
SW-CORE-L3(config-vlan)# exit
! ===== SSH & SECURITY CONFIGURATION =====
SW-CORE-L3(config)# ip domain-name pnet.local
SW-CORE-L3(config)# username admin privilege 15 secret Pls@1234!
SW-CORE-L3(config)# crypto key generate rsa modulus 2048
SW-CORE-L3(config)# ip ssh version 2
SW-CORE-L3(config)# ip ssh time-out 60
SW-CORE-L3(config)# ip ssh authentication-retries 3
SW-CORE-L3(config)# line vty 0 15
SW-CORE-L3(config-line)# login local
SW-CORE-L3(config-line)# transport input ssh
SW-CORE-L3(config-line)# exec-timeout 10 0
SW-CORE-L3(config-line)# exit
! Disable HTTP/HTTPS services
SW-CORE-L3(config)# no ip http server
SW-CORE-L3(config)# no ip http secure-server4.3.2. Core Switch – SVI Configuration
! ===== CONFIGURE SVIs (GATEWAYS) =====
SW-CORE-L3(config)# interface vlan 10
SW-CORE-L3(config-if)# description GW-for-Sales
SW-CORE-L3(config-if)# ip address 172.16.10.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 20
SW-CORE-L3(config-if)# description GW-for-Marketing
SW-CORE-L3(config-if)# ip address 172.16.20.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 30
SW-CORE-L3(config-if)# description GW-for-IT
SW-CORE-L3(config-if)# ip address 172.16.30.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 40
SW-CORE-L3(config-if)# description GW-for-Server-Farm
SW-CORE-L3(config-if)# ip address 172.16.40.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 50
SW-CORE-L3(config-if)# description GW-for-R&D
SW-CORE-L3(config-if)# ip address 172.16.50.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 60
SW-CORE-L3(config-if)# description GW-for-Camera
SW-CORE-L3(config-if)# ip address 172.16.60.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 70
SW-CORE-L3(config-if)# description GW-for-Printers
SW-CORE-L3(config-if)# ip address 172.16.70.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 80
SW-CORE-L3(config-if)# description GW-for-Guest
SW-CORE-L3(config-if)# ip address 172.16.80.1 255.255.255.0
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit4.3.3. Core Switch – Trunk & WAN Ports Configuration
! ===== WAN PORT (to Router) =====
SW-CORE-L3(config)# interface gigabitEthernet 0/0
SW-CORE-L3(config-if)# description WAN-to-Router
SW-CORE-L3(config-if)# no switchport
SW-CORE-L3(config-if)# ip address 10.0.0.2 255.255.255.252
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
! ===== TRUNK PORTS (to Access Switches) =====
SW-CORE-L3(config)# interface gigabitEthernet 0/1
SW-CORE-L3(config-if)# description Trunk-to-SW-F1-01
SW-CORE-L3(config-if)# switchport trunk encapsulation dot1q
SW-CORE-L3(config-if)# switchport mode trunk
SW-CORE-L3(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,80
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface gigabitEthernet 0/2
SW-CORE-L3(config-if)# description Trunk-to-SW-F1-02
SW-CORE-L3(config-if)# switchport trunk encapsulation dot1q
SW-CORE-L3(config-if)# switchport mode trunk
SW-CORE-L3(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,80
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface gigabitEthernet 0/3
SW-CORE-L3(config-if)# description Trunk-to-SW-F2-01
SW-CORE-L3(config-if)# switchport trunk encapsulation dot1q
SW-CORE-L3(config-if)# switchport mode trunk
SW-CORE-L3(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,80
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface gigabitEthernet 1/0
SW-CORE-L3(config-if)# description Trunk-to-SW-F2-02
SW-CORE-L3(config-if)# switchport trunk encapsulation dot1q
SW-CORE-L3(config-if)# switchport mode trunk
SW-CORE-L3(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,80
SW-CORE-L3(config-if)# no shutdown
SW-CORE-L3(config-if)# exit
!
! ===== DEFAULT ROUTE =====
SW-CORE-L3(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.14.3.4. Core Switch – ACL Configuration
! ===== ACLs FOR INTERNAL SECURITY =====
! ACL for SALES & MARKETING (Only FTP to Server Farm)
SW-CORE-L3(config)# ip access-list extended ACL-SALES-MARKETING-OUT
SW-CORE-L3(config-ext-nacl)# remark === Only FTP to Server Farm ===
SW-CORE-L3(config-ext-nacl)# permit tcp any 172.16.40.0 0.0.0.255 eq 21
SW-CORE-L3(config-ext-nacl)# deny ip any 172.16.40.0 0.0.0.255
SW-CORE-L3(config-ext-nacl)# permit ip any any
SW-CORE-L3(config-ext-nacl)# exit
! Apply to VLAN 10 & 20
SW-CORE-L3(config)# interface vlan 10
SW-CORE-L3(config-if)# ip access-group ACL-SALES-MARKETING-OUT in
SW-CORE-L3(config-if)# exit
!
SW-CORE-L3(config)# interface vlan 20
SW-CORE-L3(config-if)# ip access-group ACL-SALES-MARKETING-OUT in
SW-CORE-L3(config-if)# exit
!
! ACL for R&D (Complete Isolation)
SW-CORE-L3(config)# ip access-list extended ACL-R&D-OUT
SW-CORE-L3(config-ext-nacl)# remark === Deny all internal, allow Internet ===
SW-CORE-L3(config-ext-nacl)# deny ip any 172.16.0.0 0.0.255.255
SW-CORE-L3(config-ext-nacl)# permit ip any any
SW-CORE-L3(config-ext-nacl)# exit
SW-CORE-L3(config)# interface vlan 50
SW-CORE-L3(config-if)# ip access-group ACL-R&D-OUT in
SW-CORE-L3(config-if)# exit
!
! ACL for GUEST (Internet Only)
SW-CORE-L3(config)# ip access-list extended ACL-GUEST-OUT
SW-CORE-L3(config-ext-nacl)# remark === Guest only to Internet ===
SW-CORE-L3(config-ext-nacl)# deny ip any 172.16.0.0 0.0.255.255
SW-CORE-L3(config-ext-nacl)# permit ip any any
SW-CORE-L3(config-ext-nacl)# exit
SW-CORE-L3(config)# interface vlan 80
SW-CORE-L3(config-if)# ip access-group ACL-GUEST-OUT in
SW-CORE-L3(config-if)# exit
!
! ACL for SERVER FARM (Allow to all except Guest)
SW-CORE-L3(config)# ip access-list extended ACL-SERVER-FARM-OUT
SW-CORE-L3(config-ext-nacl)# remark === Deny to Guest, Permit all else ===
SW-CORE-L3(config-ext-nacl)# deny ip any 172.16.80.0 0.0.0.255
SW-CORE-L3(config-ext-nacl)# permit ip any any
SW-CORE-L3(config-ext-nacl)# exit
SW-CORE-L3(config)# interface vlan 40
SW-CORE-L3(config-if)# ip access-group ACL-SERVER-FARM-OUT in
SW-CORE-L3(config-if)# exit
!
! Save configuration
SW-CORE-L3(config)# end
SW-CORE-L3# write memory4.3.5. Access Switch Configuration (Example: SW-F1-01)
! ===== SW-F1-01 CONFIGURATION =====
Switch> enable
Switch# configure terminal
Switch(config)# hostname SW-F1-01
SW-F1-01(config)# no ip routing
SW-F1-01(config)# no ip domain-lookup
SW-F1-01(config)# clock timezone GMT+7 7 0
SW-F1-01(config)# enable secret cisco
SW-F1-01(config)# line console 0
SW-F1-01(config-line)# password cisco
SW-F1-01(config-line)# login
SW-F1-01(config-line)# logging synchronous
SW-F1-01(config-line)# exec-timeout 5 0
SW-F1-01(config-line)# exit
! ===== CREATE VLANs =====
SW-F1-01(config)# vlan 10
SW-F1-01(config-vlan)# name SALES
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 20
SW-F1-01(config-vlan)# name MARKETING
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 30
SW-F1-01(config-vlan)# name IT
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 40
SW-F1-01(config-vlan)# name SERVER-FARM
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 50
SW-F1-01(config-vlan)# name R&D
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 60
SW-F1-01(config-vlan)# name CAMERA
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 70
SW-F1-01(config-vlan)# name PRINTERS
SW-F1-01(config-vlan)# exit
SW-F1-01(config)# vlan 80
SW-F1-01(config-vlan)# name GUEST
SW-F1-01(config-vlan)# exit
! ===== TRUNK PORT (Uplink to Core) =====
SW-F1-01(config)# interface ethernet 0/0
SW-F1-01(config-if)# description Trunk-to-SW-CORE-L3
SW-F1-01(config-if)# switchport mode trunk
SW-F1-01(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,80
SW-F1-01(config-if)# no shutdown
SW-F1-01(config-if)# exit
! ===== ACCESS PORTS (Example for Sales, Marketing, etc) =====
! SALES (VLAN 10)
SW-F1-01(config)# interface range ethernet 1/0 - 3
SW-F1-01(config-if-range)# description Sales-Department
SW-F1-01(config-if-range)# switchport mode access
SW-F1-01(config-if-range)# switchport access vlan 10
SW-F1-01(config-if-range)# spanning-tree portfast
SW-F1-01(config-if-range)# no shutdown
SW-F1-01(config-if-range)# exit
! ... (Configure other ports similarly for VLAN 20, 30, 50, 60, 70, 80) ...
! ===== MANAGEMENT VLAN =====
SW-F1-01(config)# interface vlan 30
SW-F1-01(config-if)# description Management-Interface
SW-F1-01(config-if)# ip address 172.16.30.11 255.255.255.0
SW-F1-01(config-if)# no shutdown
SW-F1-01(config-if)# exit
SW-F1-01(config)# ip default-gateway 172.16.30.1
SW-F1-01(config)# end
SW-F1-01# write memory4.3.6. DHCP Configuration (on Core Switch)
! ===== DHCP SERVER CONFIGURATION =====
! Exclude Gateway and Static IPs
SW-CORE-L3(config)# ip dhcp excluded-address 172.16.10.1 172.16.10.49
SW-CORE-L3(config)# ip dhcp excluded-address 172.16.20.1 172.16.20.49
! ... (Repeat for other VLANs) ...
! DHCP Pool for SALES (VLAN 10)
SW-CORE-L3(config)# ip dhcp pool VLAN10-SALES
SW-CORE-L3(dhcp-config)# network 172.16.10.0 255.255.255.0
SW-CORE-L3(dhcp-config)# default-router 172.16.10.1
SW-CORE-L3(dhcp-config)# dns-server 8.8.8.8
SW-CORE-L3(dhcp-config)# exit
!
! ... (Configure other Pools: VLAN20, VLAN50, VLAN60, VLAN70, VLAN80) ...
!
! DHCP Reservation for IT (Example: PC-IT-01)
SW-CORE-L3(config)# ip dhcp pool IT-PC-01-RESERVED
SW-CORE-L3(dhcp-config)# host 172.16.30.50 255.255.255.0
SW-CORE-L3(dhcp-config)# client-identifier 0100.5079.6668.01
SW-CORE-L3(dhcp-config)# default-router 172.16.30.1
SW-CORE-L3(dhcp-config)# dns-server 8.8.8.8
SW-CORE-L3(dhcp-config)# exit4.3.7. Router Configuration (Internet Gateway & NAT)
! ===== ROUTER R1-EDGE CONFIGURATION =====
Router> enable
Router# configure terminal
Router(config)# hostname R1-Edge
! ... (Basic Security Config) ...
! ===== LAN INTERFACE (to Core Switch) =====
R1-Edge(config)# interface gigabitEthernet 0/0
R1-Edge(config-if)# description LAN-to-Core-Switch
R1-Edge(config-if)# ip address 10.0.0.1 255.255.255.252
R1-Edge(config-if)# ip nat inside
R1-Edge(config-if)# no shutdown
R1-Edge(config-if)# exit
!
! ===== WAN INTERFACE (to ISP/Internet) =====
R1-Edge(config)# interface gigabitEthernet 0/1
R1-Edge(config-if)# description WAN-to-ISP
R1-Edge(config-if)# ip address dhcp
R1-Edge(config-if)# ip nat outside
R1-Edge(config-if)# no shutdown
R1-Edge(config-if)# exit
!
! ===== STATIC ROUTES (to Internal VLANs) =====
R1-Edge(config)# ip route 172.16.10.0 255.255.255.0 10.0.0.2
R1-Edge(config)# ip route 172.16.20.0 255.255.255.0 10.0.0.2
! ... (Repeat for all internal subnets) ...
! ===== ACL FOR INTERNET ACCESS =====
! Only IT (30), R&D (50), Guest (80) allowed to Internet
R1-Edge(config)# ip access-list extended ACL-INTERNET-IN
R1-Edge(config-ext-nacl)# remark === Only IT, R&D, Guest can access Internet ===
R1-Edge(config-ext-nacl)# permit ip 172.16.30.0 0.0.0.255 any
R1-Edge(config-ext-nacl)# permit ip 172.16.50.0 0.0.0.255 any
R1-Edge(config-ext-nacl)# permit ip 172.16.80.0 0.0.0.255 any
R1-Edge(config-ext-nacl)# deny ip 172.16.0.0 0.0.255.255 any
R1-Edge(config-ext-nacl)# permit ip any any
R1-Edge(config-ext-nacl)# exit
! Apply ACL to LAN interface (inbound)
R1-Edge(config)# interface gigabitEthernet 0/0
R1-Edge(config-if)# ip access-group ACL-INTERNET-IN in
R1-Edge(config-if)# exit
! ===== NAT CONFIGURATION =====
R1-Edge(config)# ip access-list standard ACL-NAT
R1-Edge(config-std-nacl)# permit 172.16.0.0 0.0.255.255
R1-Edge(config-std-nacl)# exit
R1-Edge(config)# ip nat inside source list ACL-NAT interface gigabitEthernet 0/1 overload
! Save configuration
R1-Edge(config)# end
R1-Edge# write memory4.3.8. Verification Commands
! ===== CORE SWITCH VERIFICATION =====
show vlan brief
show ip interface brief
show ip route
show ip access-lists
show interface trunk
show spanning-tree summary
show ip dhcp binding
show ip dhcp pool
! ===== ROUTER VERIFICATION =====
show ip interface brief
show ip route
show ip nat translations
show ip nat statistics
show ip access-lists
! ===== ACCESS SWITCH VERIFICATION =====
show vlan brief
show interface trunk
show interface status
show spanning-tree5. TESTING & VERIFICATION
5.1. Critical Test Cases
| TC ID | Test Description | Source | Destination | Expected Result | Reason |
|---|---|---|---|---|---|
| TC-001 | R&D ping Sales | PC-R&D-01 | 172.16.10.50 | FAIL | R&D isolated |
| TC-008 | R&D ping Router | PC-R&D-01 | 10.0.0.1 | SUCCESS | R&D allows Internet |
| TC-010 | Sales ping Internet | PC-SALES-01 | 8.8.8.8 | FAIL | Sales no Internet |
| TC-017 | Sales FTP Server | PC-SALES-01 | 172.16.40.30:21 | SUCCESS | ACL allows TCP 21 |
| TC-018 | Sales ping Server | PC-SALES-01 | 172.16.40.30 | FAIL | FTP only, no ICMP |
| TC-034 | IT ping Internet | PC-IT-01 | 8.8.8.8 | SUCCESS | IT allows Internet |
| TC-037 | Server ping IT | Server-Farm | 172.16.30.50 | SUCCESS | Server connects all dept |
| TC-040 | Guest ping Sales | Guest-PC | 172.16.10.50 | FAIL | Guest internal isolation |
| TC-042 | Guest ping Internet | Guest-PC | 8.8.8.8 | SUCCESS | Guest allows Internet |
| TC-045 | Camera ping Internet | Camera-01 | 8.8.8.8 | FAIL | Camera no Internet |
5.2. Show Commands for Verification
Core Switch Verification:
show ip routeshow ip interface briefshow vlan briefshow ip access-listsshow ip interface vlan X | include access listshow spanning-tree
Router Verification:
show ip routeshow ip nat translationsshow ip access-listsshow ip interface briefshow ip dhcp binding(if DHCP on router)
6. OPERATIONS & MAINTENANCE
6.1. Adding New Computers
Procedure for adding new PC:
- Identify available port on corresponding Access Switch
- Assign to appropriate department VLAN
- Configure port mode access
- Enable spanning-tree portfast
- Test connectivity and DHCP
- Update documentation
6.2. Adding New VLAN/Department
Expansion procedure:
- Plan new subnet (e.g., 172.16.90.0/24)
- Create VLAN on all switches
- Configure SVI on Core Switch
- Update Trunk allowed VLANs
- Create DHCP pool
- Update ACLs if needed
- Test and verify
6.3. Configuration Backup
Backup Procedure:
- Run
show running-configon each device - Save backup files with timestamp
- Upload to cloud storage or NAS
- Perform weekly backups
- Test restore procedure regularly
7. CONCLUSION
Project Achievement Summary
✅ Successfully completed all requirements from Ticket #NET-LAB-002:
- 2-Floor Expansion: Successfully deployed 4 Access Switches supporting 2-floor office with capability for employees to connect to correct department VLAN regardless of floor.
- R&D Department: Complete isolation of VLAN 50 from all internal VLANs, allowing only Internet access.
- Device Networks: Successfully deployed VLAN 60 (Camera), VLAN 70 (Printers), VLAN 80 (Guest WiFi).
- Network Performance: Core Switch Layer 3 ensures efficient Inter-VLAN routing, supporting high traffic from cameras and file servers.
- Internet Policy: Only IT, R&D, Guest access Internet through Router ACLs.
- Server Farm Policy: IT full access, Sales/Marketing FTP only (TCP 21), other departments blocked.
- DHCP Reservation: IT department receives fixed IP by MAC address.
🔒 Enhanced Security:
- Deployed 8 strict ACLs according to business requirements.
- Complete separation of sensitive networks (R&D, Server Farm).
- Guest network completely isolated from internal resources.
- Camera and Printer networks have no Internet access.
📈 Scalability:
- Hierarchical architecture easily expandable with additional switches.
- VLAN design supports 254 hosts/subnet for future growth.
- Operational procedures thoroughly documented.
- Backup and recovery procedures established.
Project ready for operation: The new network system fully meets the 2-floor office expansion requirements of ABC Solutions Inc., ensuring high network security and optimal performance for the company’s continued growth.
