Prioritizing subnets based on host requirements to minimize IP waste.
| VLAN / Unit | Required | Allocated | Network Address | CIDR | Subnet Mask |
|---|---|---|---|---|---|
| VLAN 10 (Management) | 40 | 62 | 192.168.10.0 | /26 | 255.255.255.192 |
| VLAN 20 (Cashier) | 20 | 30 | 192.168.10.64 | /27 | 255.255.255.224 |
| VLAN 30 (Client) | 10 | 14 | 192.168.10.96 | /28 | 255.255.255.240 |
| Router Serial Link | 2 | 2 | 200.200.200.0 | /30 | 255.255.255.252 |
| Server Farm LAN | - | 254 | 192.168.11.0 | /24 | 255.255.255.0 |
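The sizes in the table follow one rule: each unit gets the smallest power-of-two block whose usable host count (block size minus network and broadcast) covers its requirement, and the largest requirement is served first so every block starts on a boundary aligned to its own size. The Python below is an added illustration, not part of the original lab; it reproduces the branch rows from the host requirements alone, taking only the base block 192.168.10.0/24 from the table.

```python
import ipaddress
import math

def prefix_for_hosts(required_hosts):
    """Smallest prefix whose usable hosts (2**bits - 2) cover the requirement."""
    host_bits = max(2, math.ceil(math.log2(required_hosts + 2)))  # +2: network, broadcast
    return 32 - host_bits

def vlsm_allocate(base_network, requirements):
    """Carve one subnet per (name, required_hosts) out of base_network, largest
    first, so each subnet lands on a boundary aligned to its own size and no
    addresses are stranded between allocations. Rows come back in allocation
    order with the fields of the table above plus the gateway (first usable)."""
    base = ipaddress.ip_network(base_network)
    cursor = int(base.network_address)
    limit = int(base.broadcast_address) + 1
    rows = []
    for name, required in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(required)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # align to this subnet's size
        if cursor + size > limit:
            raise ValueError(f"{base_network} cannot fit {name} as a /{prefix}")
        net = ipaddress.ip_network((cursor, prefix))
        rows.append({
            "name": name, "required": required, "allocated": size - 2,
            "network": str(net.network_address), "cidr": f"/{prefix}",
            "mask": str(net.netmask), "gateway": str(net.network_address + 1),
        })
        cursor += size
    return rows

if __name__ == "__main__":
    # Constructed input: the three branch VLANs from the table above.
    for r in vlsm_allocate("192.168.10.0/24", [("VLAN 10 (Management)", 40),
                                               ("VLAN 20 (Cashier)", 20),
                                               ("VLAN 30 (Client)", 10)]):
        print(f"{r['name']:<22} {r['required']:>3} {r['allocated']:>3} "
              f"{r['network']:<14} {r['cidr']:<4} {r['mask']}")
```

The gateway field is the first usable address of each block, which is the address the router configuration below assigns to each subinterface.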
Configured with Router-on-a-Stick for Inter-VLAN routing and DHCP Relay (Helper-Address).
```
enable
configure terminal
hostname Main-Branch-Router
interface GigabitEthernet0/0/0
no shutdown
exit
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.192
ip helper-address 192.168.11.2
exit
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 192.168.10.65 255.255.255.224
ip helper-address 192.168.11.2
exit
interface GigabitEthernet0/0/0.30
encapsulation dot1Q 30
ip address 192.168.10.97 255.255.255.240
ip helper-address 192.168.11.2
exit
interface Serial0/3/1
ip address 200.200.200.1 255.255.255.252
no shutdown
exit
ip route 192.168.11.0 255.255.255.0 200.200.200.2
end
```
Handles the server subnet and return routes to the branch VLANs.
```
enable
configure terminal
hostname Server-Farm-Router
interface GigabitEthernet0/0/0
ip address 192.168.11.1 255.255.255.0
no shutdown
exit
interface Serial0/3/0
ip address 200.200.200.2 255.255.255.252
clock rate 64000
no shutdown
exit
ip route 192.168.10.0 255.255.255.192 200.200.200.1
ip route 192.168.10.64 255.255.255.224 200.200.200.1
ip route 192.168.10.96 255.255.255.240 200.200.200.1
end
```
Acting as the Distribution Switch. All ports are Trunks.
```
vlan 10
name Management
vlan 20
name Cashier
vlan 30
name Client
exit
interface range fa0/1 - 3
switchport mode trunk
no shutdown
```
Access layer configuration for end-user PCs.
```
vlan 10
name Management
vlan 20
name Cashier
vlan 30
name Client
exit
interface fa0/1
switchport mode trunk
exit
interface range fa0/2 - 10
switchport access vlan 10
switchport mode access
exit
interface range fa0/11 - 15
switchport access vlan 20
switchport mode access
exit
interface range fa0/16 - 20
switchport access vlan 30
switchport mode access
exit
```
| Pool Name | Gateway | DNS Server | Start IP | Max Users |
|---|---|---|---|---|
| VLAN10_Mgmt | 192.168.10.1 | 192.168.11.4 | 192.168.10.2 | 60 |
| VLAN20_Cashier | 192.168.10.65 | 192.168.11.4 | 192.168.10.66 | 28 |
| VLAN30_Client | 192.168.10.97 | 192.168.11.4 | 192.168.10.98 | 12 |
DNS Settings: A-Record for www.mainbranch.com pointing to 192.168.11.3
Expansion for the 192.168.12.0/24 network connected via Main Router Gig0/1.
Main-Branch-Router:

```
enable
configure terminal
interface GigabitEthernet0/1
description LINK_TO_BRANCH_2_F2_SW
ip address 192.168.12.1 255.255.255.0
ip helper-address 192.168.11.2
no shutdown
exit
```

F2-SW:

```
enable
configure terminal
hostname F2-SW
interface fa0/1
description UPLINK_TO_MAIN_ROUTER
switchport mode access
exit
interface range fa0/2 - 10
description BRANCH_2_USER_PCS
switchport mode access
no shutdown
exit
```
Configured via the Services > EMAIL tab in Packet Tracer.
Mail domain: mainbranch.com

| User | Password | Access For |
|---|---|---|
| admin | admin123 | Management PCs |
| cashier | cash123 | Cashier PCs |
| staff | staff123 | Branch 2 PCs |
Configured via Services > HTTP. Index.html updated to display enterprise branding.
Essential update for the Server-Farm-Router to recognize the new Branch 2 network.
```
enable
configure terminal
ip route 192.168.12.0 255.255.255.0 200.200.200.1
end
write memory
```
Implementation of a redundant loop using OSPF (Administrative Distance 110) and RIPv2 (Administrative Distance 120).
```
hostname ISP1-Router
interface Serial0/3/0
ip address 203.203.203.2 255.255.255.252
no shutdown
exit
interface Serial0/3/1
ip address 201.201.201.1 255.255.255.252
no shutdown
exit
router ospf 1
network 203.203.203.0 0.0.0.3 area 0
network 201.201.201.0 0.0.0.3 area 0
router rip
version 2
network 203.203.203.0
network 201.201.201.0
```
```
hostname ISP2-Router
interface Serial0/3/1
ip address 201.201.201.2 255.255.255.252
no shutdown
exit
interface Serial0/3/0
ip address 202.202.202.1 255.255.255.252
no shutdown
exit
interface GigabitEthernet0/0
ip address 192.168.13.1 255.255.255.0
no shutdown
exit
router ospf 1
network 201.201.201.0 0.0.0.3 area 0
network 202.202.202.0 0.0.0.3 area 0
network 192.168.13.0 0.0.0.255 area 0
router rip
version 2
network 201.201.201.0
network 202.202.202.0
network 192.168.13.0
```
Connecting the remote ISP branch to the backbone via Gig0/0.
```
hostname ISP-Branch-Router
interface GigabitEthernet0/0
ip address 192.168.13.2 255.255.255.0
no shutdown
exit
router ospf 1
network 192.168.13.0 0.0.0.255 area 0
router rip
version 2
network 192.168.13.0
```
| Protocol | Code | Admin Distance | Status |
|---|---|---|---|
| OSPF | O | 110 | Active (Primary) |
| RIPv2 | R | 120 | Backup (Redundant) |
Note: Because OSPF (AD 110) is preferred over RIPv2 (AD 120) for the same prefix, only the OSPF routes appear in the routing table while both protocols are running. If the OSPF routes are withdrawn, the RIP routes for the same prefixes are installed automatically to maintain connectivity.
Security policies implemented to control inter-branch traffic and service access.
Blocks all traffic from Management (VLAN 10) to Branch 2.
```
access-list 10 deny 192.168.10.0 0.0.0.63
access-list 10 permit any
interface GigabitEthernet0/1
ip access-group 10 out
```
VLAN 20 may ping Branch 2 but not reach its web server on TCP 80; VLAN 30 may reach the web server on TCP 80 but not ping Branch 2. The final `permit ip any any` in each list leaves all other traffic untouched. Each list is applied inbound on its own VLAN subinterface, since only one ACL per direction can be bound to Gig0/1, which already carries access-list 10 outbound.

```
! VLAN 20: Allow Ping, Block Web
ip access-list extended VLAN20_FILTER
permit icmp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255
deny tcp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255 eq 80
permit ip any any
! VLAN 30: Block Ping, Allow Web
ip access-list extended VLAN30_FILTER
deny icmp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255
permit tcp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255 eq 80
permit ip any any
! Bind each list inbound on the subinterface of the VLAN it filters
interface GigabitEthernet0/0/0.20
ip access-group VLAN20_FILTER in
interface GigabitEthernet0/0/0.30
ip access-group VLAN30_FILTER in
```
To verify the Extended ACL policies, a dedicated Web Server (192.168.12.10) was added to Branch 2. This allows protocol-specific filtering (blocking ping vs. allowing web) to be tested. The central DNS Server (192.168.11.4) was updated with a new resource record so that the server can be reached by domain name from all VLANs.
| Domain Name | Record Type | Address (IP) |
|---|---|---|
| www.floor2.com | A-Record | 192.168.12.10 |
This table represents the final expected behavior in Packet Tracer when using the domain name.
| PC Location | Action | Expected Result | ACL Status |
|---|---|---|---|
| VLAN 20 (Cashier) | Browser to www.floor2.com | CONNECTION FAILED | DENY TCP 80 |
| VLAN 20 (Cashier) | Ping 192.168.12.10 | REPLY SUCCESS | PERMIT ICMP |
| VLAN 30 (Client) | Browser to www.floor2.com | WEBPAGE LOADS | PERMIT TCP 80 |
| VLAN 30 (Client) | Ping 192.168.12.10 | REQUEST TIMED OUT | DENY ICMP |
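A misplaced or mistyped entry in either list silently changes which traffic reaches Branch 2, so it is worth checking the expected-behaviour matrix against the ACL text before loading it on the router. The Python below is an added example, not part of the original lab: it parses the two extended ACLs exactly as written above, applies Cisco wildcard-mask matching with first-match-wins and the implicit deny, and reproduces the four results in the table. The source hosts 192.168.10.70 and 192.168.10.100 are constructed test addresses inside VLAN 20 and VLAN 30.

```python
import ipaddress

# Constructed copies of the two extended ACLs from the page; the implicit
# "deny any" at the end of every Cisco ACL is supplied by evaluate().
VLAN20_FILTER = """
permit icmp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255
deny tcp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255 eq 80
permit ip any any
"""
VLAN30_FILTER = """
deny icmp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255
permit tcp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255 eq 80
permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _address(tokens, i):
    """Consume 'any' or 'A.B.C.D W.W.W.W' at tokens[i]; return ((net, wc), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, i = _address(tokens, 2)
        dst, i = _address(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append((tokens[0], tokens[1], src, dst, dport))
    return entries

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet: the first matching entry wins."""
    for action, p, (sn, sw), (dn, dw), port in acl:
        if (p in ("ip", proto) and wildcard_match(src, sn, sw)
                and wildcard_match(dst, dn, dw) and port in (None, dport)):
            return action
    return "deny"  # implicit deny at the end of every ACL
```

Running the same evaluator against a VLAN 20 host on TCP 443 returns permit, which makes visible that the list blocks only HTTP to Branch 2 rather than everything except ICMP.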
Configured to translate all internal private traffic (VLANs and Branch 2) into public-facing routable addresses when communicating with ISP1, ISP2, and the ISP Branch.
Traffic sourced from 192.168.10.0/24 or 192.168.12.0/24 has its source IP translated to the serial interface IP (203.203.203.1) before reaching the ISP backbone.

```
! Inside Interfaces (VLANs & Floor 2)
interface GigabitEthernet0/0/0.10
ip nat inside
interface GigabitEthernet0/0/0.20
ip nat inside
interface GigabitEthernet0/0/0.30
ip nat inside
interface GigabitEthernet0/1
ip nat inside
! Outside Interface (ISP Link)
interface Serial0/3/0
ip nat outside
! Permitting All Internal Subnets
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
! Mapping to Public IP
ip nat inside source list 1 interface Serial0/3/0 overload
```
To demonstrate NAT during the live presentation, use `show ip nat translations` after initiating pings to different ISP routers.
| Inside Local (Private) | Inside Global (Public) | Target Destination |
|---|---|---|
| 192.168.10.5 (VLAN 10) | 203.203.203.1 | 201.201.201.2 (ISP2) |
| 192.168.12.10 (Branch 2) | 203.203.203.1 | 192.168.13.2 (ISP Branch) |