Building 1: Topology Setup Guide

1. VLSM Subnetting (Network: 192.168.11.0)

Section        | VLAN       | Subnet Address      | Subnet Mask     | Gateway
Users PC       | 20         | 192.168.11.0 /26    | 255.255.255.192 | 192.168.11.1
Client PC      | 10         | 192.168.11.64 /27   | 255.255.255.224 | 192.168.11.65
Server Section | 1 (Native) | 192.168.11.96 /28   | 255.255.255.240 | 192.168.11.110
Admin PC       | 30         | 192.168.11.112 /28  | 255.255.255.240 | 192.168.11.113
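To check the allocation above by machine rather than by hand, here is an added Python example (not part of the lab guide) that performs the same VLSM allocation largest-block-first from 192.168.11.0/24 and derives, for each section, the netmask, usable host range and the wildcard mask its access-list entries will need. The section names and prefix lengths come from the table; the /24 base block is an assumption.

```python
import ipaddress

# Sections and prefix lengths as given in the lab's VLSM table; the /24 base
# is assumed from "Network: 192.168.11.0".
SECTIONS = [("Users PC", 26), ("Client PC", 27), ("Server Section", 28), ("Admin PC", 28)]


def plan_vlsm(base="192.168.11.0/24", sections=SECTIONS):
    """Allocate one subnet per section, largest block first, each block
    starting where the previous one ended. Allocating largest-first keeps
    every block aligned on its own size; strict=True raises if it is not."""
    cursor = ipaddress.ip_network(base).network_address
    plan = {}
    # sorted() is stable, so the two /28s keep their table order
    for name, prefix in sorted(sections, key=lambda s: s[1]):
        net = ipaddress.ip_network(f"{cursor}/{prefix}", strict=True)
        hosts = list(net.hosts())
        plan[name] = {
            "network": str(net.network_address),
            "mask": str(net.netmask),
            "wildcard": str(net.hostmask),   # the inverse mask access-list entries use
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
        }
        cursor = net.broadcast_address + 1
    return plan


def gateway_in_subnet(plan, name, gateway):
    """True if the table's gateway is a usable host address of that section's subnet."""
    row = plan[name]
    net = ipaddress.ip_network(f"{row['network']}/{row['mask']}")
    gw = ipaddress.ip_address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    for name, row in plan_vlsm().items():
        print(f"{name:15} {row['network']:15} {row['mask']:16} wildcard {row['wildcard']}")
```

The Server Section gateway (192.168.11.110) is the last usable host of its /28, while the other three sections use the first usable host.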

2. Server Services Configuration

Server Type  | IP Address    | Services Configuration
DNS Server   | 192.168.11.99 | A-Record: www.b1.com -> 192.168.11.98; A-Record: mail.b1.com -> 192.168.11.97
HTTP/HTTPS   | 192.168.11.98 | HTTP/HTTPS: ON. Edit index.html for web visibility.
Email + DHCP | 192.168.11.97 | Email: Domain: b1.com, Users: user1, client1, admin1. DHCP: Pools for VLAN 10, 20, 30.

3. Main Router CLI Configuration

enable
conf t
hostname B1-Main-Router

interface GigabitEthernet0/0
 no shut
exit

! One 802.1Q subinterface per VLAN; each carries that VLAN's gateway address
! from the VLSM table and relays DHCP broadcasts to the server at 192.168.11.97
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.11.65 255.255.255.224
 ip helper-address 192.168.11.97
exit

interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.11.1 255.255.255.192
 ip helper-address 192.168.11.97
exit

interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.11.113 255.255.255.240
 ip helper-address 192.168.11.97
exit

! The server section rides the trunk's native VLAN 1, so its frames arrive
! untagged; the subinterface must be marked native or the router ignores them
interface GigabitEthernet0/0.100
 encapsulation dot1Q 1 native
 ip address 192.168.11.110 255.255.255.240
exit

4. Switch CLI Configurations

Building 1 Main Switch

enable
conf t
vlan 10
 name Clients
vlan 20
 name Users
vlan 30
 name Admin
exit
interface fa0/1
 switchport mode trunk
exit
interface range fa0/2 - 3
 switchport mode trunk
exit

Floor 1 Switch

enable
conf t
vlan 10
vlan 20
vlan 30
exit
interface range fa0/1 - 3
 switchport mode trunk
exit
interface fa0/4
 switchport mode access
 switchport access vlan 10
exit
interface fa0/5
 switchport mode access
 switchport access vlan 20
exit
interface fa0/6
 switchport mode access
 switchport access vlan 30
exit

Floor 2 Switch

enable
conf t
vlan 10
vlan 20
vlan 30
exit
interface range fa0/1 - 2
 switchport mode trunk
exit
interface fa0/3
 switchport mode access
 switchport access vlan 10
exit
interface fa0/4
 switchport mode access
 switchport access vlan 20
exit
interface fa0/5
 switchport mode access
 switchport access vlan 30
exit

Server Switch

enable
conf t
interface fa0/1
 switchport mode trunk
exit
interface range fa0/2 - 4
 switchport mode access
 switchport access vlan 1
exit

5. End-Device (PC) Configuration Summary

6. Core & ISP Serial Connections

Link Description        | Subnet           | Interface | IP Address
B1 to Connection-Router | 202.202.202.0/30 | Se0/3/0   | 202.202.202.1
B1 to ISP-Router        | 203.203.203.0/30 | Se0/3/1   | 203.203.203.1
B2 to Connection-Router | 201.201.201.0/30 | Se0/3/1   | 201.201.201.2
B2 to ISP-Router        | 200.200.200.0/30 | Se0/3/0   | 200.200.200.2

Building 1 Core Router (Serial Update)

conf t
int se0/3/0
 ip address 202.202.202.1 255.255.255.252
 no shut
exit
int se0/3/1
 ip address 203.203.203.1 255.255.255.252
 no shut
exit

Connection Router (Full CLI)

enable
conf t
int se0/3/0
 ip address 202.202.202.2 255.255.255.252
 no shut
exit
int se0/3/1
 ip address 201.201.201.1 255.255.255.252
 no shut
exit
router ospf 1
 network 202.202.202.0 0.0.0.3 area 0
 network 201.201.201.0 0.0.0.3 area 0
exit
router rip
 version 2
 network 202.202.202.0
 network 201.201.201.0
exit

ISP Router (Full CLI)

enable
conf t
int se0/3/1
 ip address 203.203.203.2 255.255.255.252
 no shut
exit
int se0/3/0
 ip address 200.200.200.1 255.255.255.252
 no shut
exit
router ospf 1
 network 203.203.203.0 0.0.0.3 area 0
 network 200.200.200.0 0.0.0.3 area 0
exit
router rip
 version 2
 network 203.203.203.0
 network 200.200.200.0
exit

7. Building 2 Branch Topology (SR PCs)

Network: 192.168.10.0 /24 | Gateway: 192.168.10.1

Building 2 Router CLI

enable
conf t
int gi0/0
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.11.97
 no shut
exit
int se0/3/1
 ip address 201.201.201.2 255.255.255.252
 no shut
exit
int se0/3/0
 ip address 200.200.200.2 255.255.255.252
 no shut
exit
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 201.201.201.0 0.0.0.3 area 0
 network 200.200.200.0 0.0.0.3 area 0
exit
router rip
 version 2
 network 192.168.10.0
 network 201.201.201.0
 network 200.200.200.0
exit

Building 2 Switch (B2-SW) CLI

enable
conf t
vlan 1
exit
int fa0/1
 switchport mode trunk
exit
int range fa0/2 - 10
 switchport mode access
 switchport access vlan 1
exit

8. Dynamic Routing (OSPF & RIPv2)

Configured on all routers for redundancy between Building 1 and Building 2. Because OSPF has a lower administrative distance (110) than RIP (120), the OSPF-learned routes are the ones installed in the routing table; the RIP routes only take over if the OSPF adjacency is lost.

! Building 1 Router Dynamic Update (IOS accepts ! as a comment; # is not recognised)
router ospf 1
 network 192.168.11.0 0.0.0.255 area 0
 network 202.202.202.0 0.0.0.3 area 0
 network 203.203.203.0 0.0.0.3 area 0
exit
router rip
 version 2
 network 192.168.11.0
 network 202.202.202.0
 network 203.203.203.0
exit

9. Application Layer Connectivity: Building 2 (SR)

Service           | Configuration / Target                        | Status
Web Browsing      | URL: www.b1.com (Resolves to 192.168.11.98)   | ✅ OPERATIONAL
DNS Lookup        | Server: 192.168.11.99 (Cross-Router Query)    | ✅ OPERATIONAL
Email (SMTP/POP3) | Server: 192.168.11.97 | Domain: b1.com        | ✅ OPERATIONAL

Verification Commands for Connectivity

# Run these on Building 2 Router to verify path to servers
ping 192.168.11.97
ping 192.168.11.98
ping 192.168.11.99

# Run on SR PC Command Prompt
nslookup www.b1.com

12. ACL Definitions and Logic

Access Control Lists (ACLs) are used to filter network traffic based on a set of rules. In this topology, we used two specific types: a standard ACL (number 10), which matches on source address only and is applied inbound on the VLAN 10 gateway subinterface to block that subnet outright, and an extended ACL (number 120), which matches on protocol, source, destination and destination port, so it can permit ICMP while denying HTTP/HTTPS, or the reverse, depending on the source VLAN. Because a standard ACL cannot see the destination, ACL 10 also stops VLAN 10 from reaching the Building 1 servers, not only Building 2.

13. Final Security CLI (Building 1 Core Router)

Ensure you are in Global Configuration Mode (conf t) before pasting this block. Comments (#) have been removed to prevent CLI errors; lines beginning with ! are accepted by IOS as comments and may be left in.

enable
conf t

! ACL 10 (standard): matches on source only, so everything sourced from
! VLAN 10 (192.168.11.64/27) is dropped at its gateway subinterface
access-list 10 deny 192.168.11.64 0.0.0.31
access-list 10 permit any

! ACL 120 (extended): VLAN 20 (192.168.11.0/26) may ping Building 2 but not
! browse it; VLAN 30 (192.168.11.112/28) may browse Building 2 but not ping it;
! anything not listed falls through to the final permit
access-list 120 permit icmp 192.168.11.0 0.0.0.63 192.168.10.0 0.0.0.255
access-list 120 deny tcp 192.168.11.0 0.0.0.63 192.168.10.0 0.0.0.255 eq 80
access-list 120 deny tcp 192.168.11.0 0.0.0.63 192.168.10.0 0.0.0.255 eq 443
access-list 120 deny icmp 192.168.11.112 0.0.0.15 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.11.112 0.0.0.15 192.168.10.0 0.0.0.255 eq 80
access-list 120 permit tcp 192.168.11.112 0.0.0.15 192.168.10.0 0.0.0.255 eq 443
access-list 120 permit ip any any

! Applied inbound on each VLAN's gateway subinterface, i.e. on traffic leaving that VLAN
interface GigabitEthernet0/0.10
 ip access-group 10 in
exit

interface GigabitEthernet0/0.20
 ip access-group 120 in
exit

interface GigabitEthernet0/0.30
 ip access-group 120 in
exit

do write

14. ACL Verification Results

Source Subnet    | Destination  | Test Type   | Expected Result
VLAN 10 (11.64)  | 192.168.10.0 | Ping/Browse | ❌ DENIED (Standard ACL)
VLAN 20 (11.0)   | 192.168.10.0 | Ping (ICMP) | ✅ PERMITTED
VLAN 20 (11.0)   | 192.168.10.0 | Web (HTTP)  | ❌ DENIED
VLAN 30 (11.112) | 192.168.10.0 | Ping (ICMP) | ❌ DENIED
VLAN 30 (11.112) | 192.168.10.0 | Web (HTTP)  | ✅ PERMITTED
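The expected results above can be reproduced offline before touching the router. The following Python is an added example, not part of the lab guide: it models IOS first-match ACL evaluation with wildcard masks and the implicit deny, loads ACL 10 and ACL 120 exactly as written in section 13, and runs the five test rows plus one extra case that shows the standard ACL also cutting VLAN 10 off from Building 1's own web server. Host addresses such as 192.168.11.70 and 192.168.11.120 are constructed sample hosts in each VLAN.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care

ANY = ("0.0.0.0", "255.255.255.255")
# Entries transcribed from the lab's access-lists:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dest_port-or-None)
ACL_10 = [  # standard ACL: matches on source only, destination is always "any"
    ("deny",   "ip", "192.168.11.64", "0.0.0.31", *ANY, None),
    ("permit", "ip", *ANY, *ANY, None),
]
ACL_120 = [
    ("permit", "icmp", "192.168.11.0",   "0.0.0.63", "192.168.10.0", "0.0.0.255", None),
    ("deny",   "tcp",  "192.168.11.0",   "0.0.0.63", "192.168.10.0", "0.0.0.255", 80),
    ("deny",   "tcp",  "192.168.11.0",   "0.0.0.63", "192.168.10.0", "0.0.0.255", 443),
    ("deny",   "icmp", "192.168.11.112", "0.0.0.15", "192.168.10.0", "0.0.0.255", None),
    ("permit", "tcp",  "192.168.11.112", "0.0.0.15", "192.168.10.0", "0.0.0.255", 80),
    ("permit", "tcp",  "192.168.11.112", "0.0.0.15", "192.168.10.0", "0.0.0.255", 443),
    ("permit", "ip",   *ANY, *ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:           # 'ip' entries match any protocol
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

B2_WEB, B1_WEB = "192.168.10.250", "192.168.11.98"   # servers from the lab

def verify_lab():
    """Reproduce the verification table, plus the standard-ACL side effect."""
    return {
        "vlan10_ping_b2":  evaluate(ACL_10,  "icmp", "192.168.11.70",  B2_WEB),
        "vlan10_web_b1":   evaluate(ACL_10,  "tcp",  "192.168.11.70",  B1_WEB, 80),
        "vlan20_ping_b2":  evaluate(ACL_120, "icmp", "192.168.11.20",  B2_WEB),
        "vlan20_http_b2":  evaluate(ACL_120, "tcp",  "192.168.11.20",  B2_WEB, 80),
        "vlan30_ping_b2":  evaluate(ACL_120, "icmp", "192.168.11.120", B2_WEB),
        "vlan30_https_b2": evaluate(ACL_120, "tcp",  "192.168.11.120", B2_WEB, 443),
    }
```

Note that a VLAN 20 connection to Building 2 on any port other than 80/443 (SSH on 22, say) falls through to `permit ip any any`, which is worth knowing before calling the filter complete.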

16. Full Topology Integrated Logic

This section documents the end-to-end workflow of how the different branches and services interact across the entire network.

A. The Routing Engine (Redundancy Logic)

B. Centralized Service Management

Service Type     | Logic & Location              | Execution Process
DHCP Relay       | Server in B1 (192.168.11.97)  | Routers use ip helper-address to forward local broadcasts across the Serial core to the server.
Global DNS       | Server in B1 (192.168.11.99)  | Building 2 PCs query B1 via the OSPF path to resolve names like www.b1.com and www.b2.com.
Cross-Branch Web | Servers in B1 & B2            | HTTP traffic is permitted or denied based on the source VLAN using the Core Router's ACL 120.

C. Security Enforcement (ACL Logic)

    1. VLAN 10 (Clients): Blocked at the source gateway from entering the core toward Building 2.
    2. VLAN 20 (Users): Allowed to PING Building 2 (ICMP permitted), but HTTP/HTTPS ports (80/443) are filtered out.
    3. VLAN 30 (Admin): Forbidden from PINGING (ICMP denied) to maintain stealth, but allowed full Web Access to the Building 2 Server.

D. Full Verification Script (CLI Proof)

Verification Step | Command / Action       | Expected Result
Routing Table     | show ip route          | Routes marked with 'O' and 'R' for both 192.168.10.0 and 192.168.11.0.
DHCP Success      | ipconfig /all (SR PC)  | IP: 192.168.10.x | Gateway: 192.168.10.1 | DNS: 192.168.11.99.
DNS Resolution    | Browse www.b2.com      | Successful page load from the Building 2 Local Server.
ACL Interception  | VLAN 30 Ping B2        | "Destination host unreachable" or "Packet denied by ACL".
Email Sync        | Email Client App       | Successful SMTP send and POP3 receive between sr1@b1.com and admin1@b1.com.

Project Summary: This topology demonstrates a high-availability enterprise network. It utilizes Layer 3 Redundancy (OSPF/RIP), Layer 2 Segmentation (VLANs), and Application Layer Integrity (Centralized DNS/Email) while maintaining Zero-Trust Security through granular ACL filtering at the network boundary.

17. Cross-Building Browsing Logic

This explains the process of a PC in Building 2 (SR) accessing a Web Server in Building 1, and vice versa.

Step-by-Step Request Path:

  1. PC Request: User types www.b1.com in the browser.
  2. DNS Resolution: PC asks DNS Server (192.168.11.99) for the IP. The request travels over OSPF serial links.
  3. HTTP Handshake: Once the PC gets the IP (192.168.11.98), it opens a TCP connection on Port 80.
  4. ACL Check: This step applies in the reverse direction, when a Building 1 PC browses the Building 2 server. The Core Router checks ACL 120 inbound on the PC's VLAN subinterface: if the PC is in VLAN 30, it is PERMITTED; if in VLAN 20, it is DENIED. Traffic arriving from Building 2 over the serial links is not subject to these ACLs.

Building 2 Local Server Setup

Setting         | Value          | Reason
IP Address      | 192.168.10.250 | Static IP for reliability.
Subnet Mask     | 255.255.255.0  | Standard Class C.
Default Gateway | 192.168.10.1   | To reach Building 1.
DNS Server      | 192.168.11.99  | To resolve global names.
HTTP Service    | ON             | Enables Port 80 (Browsing).
HTTPS Service   | ON             | Enables Port 443 (Secure Browsing).

18. NAT Overload (PAT) Configuration

To simulate real-world internet connectivity, NAT Overload is configured on the edge routers. Internal private IPs are translated to Public Serial IPs when communicating with the ISP.

Internal Subnet          | Public Interface (NAT Outside) | Public IP Mapping
192.168.11.0 (B1 VLANs)  | Serial 0/3/1                   | 203.203.203.1
192.168.10.0 (B2 SR)     | Serial 0/3/0                   | 200.200.200.2

NAT Verification CLI

# Check active translations while pinging ISP
show ip nat translations

# Check NAT statistics
show ip nat statistics

# Clear translations if needed
clear ip nat translation *
Note: for inside-to-outside traffic, NAT happens after the routing decision. If OSPF/RIP finds the path to the ISP, the router then rewrites the source address in the IP header to its own Serial IP (and, with overload, tracks the source port) before sending the packet to the ISP.