Enterprise Network Configuration Guide

1. VLSM Addressing Plan (Network: 192.168.10.0)

Department  | VLAN | Hosts | Network ID    | Subnet Mask     | Usable Range | Gateway
Service     | 10   | 60    | 192.168.10.0  | 255.255.255.192 | .2 - .62     | 192.168.10.1
IT-PCS      | 20   | 20    | 192.168.10.64 | 255.255.255.224 | .66 - .94    | 192.168.10.65
Admin       | 30   | 10    | 192.168.10.96 | 255.255.255.240 | .98 - .110   | 192.168.10.97
Server Farm | -    | -     | 192.168.11.0  | 255.255.255.0   | .2 - .254    | 192.168.11.1
Serial Link | -    | 2     | 200.200.200.0 | 255.255.255.252 | .1 - .2      | N/A
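As an added example (not part of the original guide), the following Python script derives the same VLSM rows from the host counts in the table, checks that each subnet fits inside 192.168.10.0/24, and confirms that one /24 summary route covers every VLAN; the department list and the helper names are assumptions made for this demonstration.

```python
import ipaddress
import math

# Constructed from the table above: (department, VLAN, hosts required)
REQUIREMENTS = [("Service", 10, 60), ("IT-PCS", 20, 20), ("Admin", 30, 10)]
BASE = ipaddress.ip_network("192.168.10.0/24")


def prefix_for_hosts(hosts):
    """Smallest prefix whose usable addresses (2^n - 2) hold the hosts plus one gateway."""
    needed = hosts + 1                        # the gateway takes the first usable address
    bits = max(2, math.ceil(math.log2(needed + 2)))
    return 32 - bits


def vlsm_plan(base, requirements):
    """Carve base sequentially, largest department first, as VLSM requires.
    Returns one dict per department with the same columns as the table."""
    rows, cursor = [], int(base.network_address)
    for dept, vlan, hosts in sorted(requirements, key=lambda r: -r[2]):
        prefix = prefix_for_hosts(hosts)
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if not net.subnet_of(base):
            raise ValueError(f"{dept} (/{prefix}) does not fit inside {base}")
        usable = list(net.hosts())            # excludes network and broadcast addresses
        rows.append({
            "dept": dept, "vlan": vlan, "hosts": hosts,
            "network": str(net.network_address), "mask": str(net.netmask),
            "gateway": str(usable[0]),        # .1 of each subnet, as in the router config
            "first": str(usable[1]), "last": str(usable[-1]),
            "spare": len(usable) - 1 - hosts,  # addresses left after gateway and hosts
        })
        cursor = int(net.broadcast_address) + 1   # next block starts right after this one
    return rows


def summary_covers(rows, summary):
    """True when a single summary route (e.g. the Server Router's static
    192.168.10.0/24) reaches every VLAN subnet in the plan."""
    s = ipaddress.ip_network(summary)
    return all(ipaddress.ip_network(f"{r['network']}/{r['mask']}").subnet_of(s) for r in rows)


if __name__ == "__main__":
    for r in vlsm_plan(BASE, REQUIREMENTS):
        print(f"VLAN {r['vlan']:<3} {r['dept']:<8} {r['network']:<14} {r['mask']:<16} "
              f"{r['first']} - {r['last']}  gw {r['gateway']}  spare {r['spare']}")
```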

2. Router CLI Configuration

A. HQ Core Router (Gateway & DHCP Relay)

enable
configure terminal
hostname HQ-Core-Router

! Sub-interfaces for Inter-VLAN Routing (router-on-a-stick)
interface gig0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.192
 ip helper-address 192.168.11.2
 exit

interface gig0/0.20
 encapsulation dot1Q 20
 ip address 192.168.10.65 255.255.255.224
 ip helper-address 192.168.11.2
 exit

interface gig0/0.30
 encapsulation dot1Q 30
 ip address 192.168.10.97 255.255.255.240
 ip helper-address 192.168.11.2
 exit

! The physical interface must be up for the sub-interfaces to pass traffic
interface gig0/0
 no shutdown

! Serial Link to Server Site (this end is the DCE, so it supplies the clock)
interface Serial0/3/0
 ip address 200.200.200.1 255.255.255.252
 clock rate 64000
 no shutdown

! Static Route to Server Network via the far end of the serial link
ip route 192.168.11.0 255.255.255.0 200.200.200.2

B. Server Core Router

enable
configure terminal
hostname Server-Router

! Server Farm LAN
interface gig0/0
 ip address 192.168.11.1 255.255.255.0
 no shutdown

! Serial Link to HQ
interface Serial0/3/0
 ip address 200.200.200.2 255.255.255.252
 no shutdown

! Static Route back to HQ Departments (one /24 covers all three VLAN subnets)
ip route 192.168.10.0 255.255.255.0 200.200.200.1

3. Centralized Server Setup (GUI Configuration)

Perform these settings in the Desktop > IP Config and Services tabs of the servers.

A. DHCP Server (192.168.11.2)

Pool Name      | Gateway       | DNS Server   | Start IP      | Subnet Mask
VLAN10_Service | 192.168.10.1  | 192.168.11.4 | 192.168.10.2  | 255.255.255.192
VLAN20_IT      | 192.168.10.65 | 192.168.11.4 | 192.168.10.66 | 255.255.255.224
VLAN30_Admin   | 192.168.10.97 | 192.168.11.4 | 192.168.10.98 | 255.255.255.240

B. DNS Server (192.168.11.4)

Service: ON
Record 1: puc.com -> Type: A Record -> Address: 192.168.11.3
Record 2: mail.puc.com -> Type: A Record -> Address: 192.168.11.2

C. Email Server (192.168.11.2)

Service: SMTP & POP3 ON
Domain Name: puc.com
Users:
1. User: admin | Pass: 123
2. User: it | Pass: 123
3. User: service | Pass: 123

4. End-User Device (PC) Setup

1. Open PC Desktop > IP Configuration.
2. Toggle the radio button from Static to DHCP.
3. Ensure the PC receives an IP from its correct subnet (e.g., VLAN 10 should get 192.168.10.X).
4. In the Email app, use:
- Email: admin@puc.com
- Incoming/Outgoing Server: 192.168.11.2

5. Full Switch & Access Layer Configuration

A. HQ Core Switch (Trunking & VLAN Creation)

This switch acts as the backbone, connecting Floor 1, Floor 2, and the Core Router.

enable
configure terminal
hostname HQ-Core-SW

! Create VLAN Database
vlan 10
 name Service
vlan 20
 name IT
vlan 30
 name Admin
exit

! Set Trunking on ports to Router (Fa0/1) and Floor Switches (Fa0/2-3)
interface range fa0/1 - 3
 switchport mode trunk
 switchport trunk native vlan 1
 no shutdown

B. HQ Floor Switches (Floor 1 & 2 Access Ports)

Run these commands on both Floor 1 and Floor 2 switches to assign users to their departments.

enable
configure terminal
! Create VLANs first so the switch recognizes them
vlan 10
vlan 20
vlan 30
exit

! Assigning Service PCs (60 Hosts)
interface range fa0/3 - 5
 switchport mode access
 switchport access vlan 10

! Assigning IT-PCs (20 Hosts)
interface range fa0/6 - 10
 switchport mode access
 switchport access vlan 20

! Assigning Admin PCs (10 Hosts)
interface range fa0/11 - 15
 switchport mode access
 switchport access vlan 30

! Link back to Core Switch
interface fa0/1
 switchport mode trunk

6. Final Network Verification Commands

Verification Task | CLI Command          | Expected Result
Check VLANs       | show vlan brief      | All ports assigned to 10, 20, 30
Check Trunking    | show interface trunk | Fa0/1 - Fa0/3 should be "trunking"
Check DHCP on PC  | ipconfig (CMD)       | Address from 192.168.10.x range
Check DNS         | nslookup puc.com     | Resolves to 192.168.11.3
💡 Presentation Note: During the live demo, show the ip helper-address on the router sub-interfaces. Routers do not forward broadcasts, so without it a client's DHCP Discover would never leave its VLAN; the helper address makes the router relay that broadcast as a unicast to the 192.168.11.2 server.

Core Network Infrastructure & Routing

This part extends the section 2 routers with a second serial link each, adds an ISP router and a Branch router, and enables dynamic routing. OSPF and RIP are both turned on for demonstration; where both learn the same prefix the router installs the OSPF route (administrative distance 110 beats RIP's 120), and any static route left over from section 2 (distance 1) overrides both.

1. HQ Core Router (Gateway & Routing)

enable
configure terminal
hostname HQ-Core-Router

interface gig0/0
 no shutdown

interface gig0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.192
 ip helper-address 192.168.11.2

interface gig0/0.20
 encapsulation dot1Q 20
 ip address 192.168.10.65 255.255.255.224
 ip helper-address 192.168.11.2

interface gig0/0.30
 encapsulation dot1Q 30
 ip address 192.168.10.97 255.255.255.240
 ip helper-address 192.168.11.2
 exit

interface Serial0/3/0
 ip address 200.200.200.1 255.255.255.252
 clock rate 64000
 no shutdown

interface Serial0/3/1
 ip address 201.201.201.1 255.255.255.252
 no shutdown

router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.3 area 0
 network 201.201.201.0 0.0.0.3 area 0

router rip
 version 2
 network 192.168.10.0
 network 200.200.200.0
 network 201.201.201.0
 no auto-summary
exit

2. Server Core Router

enable
configure terminal
hostname Server-Core-Router

interface gig0/0
 ip address 192.168.11.1 255.255.255.0
 no shutdown

interface Serial0/3/0
 ip address 200.200.200.2 255.255.255.252
 no shutdown

interface Serial0/3/1
 ip address 203.203.203.1 255.255.255.252
 no shutdown

router ospf 1
 network 192.168.11.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.3 area 0
 network 203.203.203.0 0.0.0.3 area 0

router rip
 version 2
 network 192.168.11.0
 network 200.200.200.0
 network 203.203.203.0
 no auto-summary
exit

3. ISP Router

enable
configure terminal
hostname ISP-Router

interface gig0/0
 ip address 192.168.13.1 255.255.255.0
 no shutdown

interface Serial0/3/1
 ip address 201.201.201.2 255.255.255.252
 no shutdown

interface Serial0/3/0
 ip address 202.202.202.1 255.255.255.252
 no shutdown

router ospf 1
 network 201.201.201.0 0.0.0.3 area 0
 network 202.202.202.0 0.0.0.3 area 0
 network 192.168.13.0 0.0.0.255 area 0

router rip
 version 2
 network 201.201.201.0
 network 202.202.202.0
 network 192.168.13.0
 no auto-summary
exit

4. Branch (BR) Router

enable
configure terminal
hostname Branch-Router

interface gig0/0
 ip address 192.168.12.1 255.255.255.0
 no shutdown

interface Serial0/3/0
 ip address 202.202.202.2 255.255.255.252
 no shutdown

interface Serial0/3/1
 ip address 203.203.203.2 255.255.255.252
 no shutdown

router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 202.202.202.0 0.0.0.3 area 0
 network 203.203.203.0 0.0.0.3 area 0

router rip
 version 2
 network 192.168.12.0
 network 202.202.202.0
 network 203.203.203.0
 no auto-summary
exit

5. Switching & VLANs (HQ & Branch)

HQ Core Switch

vlan 10
vlan 20
vlan 30
exit
interface range fa0/1 - 3
 switchport mode trunk

Branch Switch

interface range fa0/2 - 10
 switchport mode access
interface fa0/1
 switchport mode trunk

8. Branch Office (BR) Full Setup

The Branch Office connects to the ISP and the Server Farm via Serial links, using 192.168.12.0/24 for its local user base. It relies on the HQ Server Farm for DHCP, DNS, and Email services.

A. Branch Router CLI (Interfaces & DHCP Relay)

enable
configure terminal
hostname Branch-Router

! Local LAN Interface (relays DHCP to the central server at HQ)
interface gig0/0
 ip address 192.168.12.1 255.255.255.0
 ip helper-address 192.168.11.2
 no shutdown

! Serial Link to ISP
interface Serial0/3/0
 ip address 202.202.202.2 255.255.255.252
 no shutdown

! Serial Link to Server Site
interface Serial0/3/1
 ip address 203.203.203.2 255.255.255.252
 no shutdown

! Dynamic Routing
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 202.202.202.0 0.0.0.3 area 0
 network 203.203.203.0 0.0.0.3 area 0

router rip
 version 2
 network 192.168.12.0
 network 202.202.202.0
 network 203.203.203.0
 no auto-summary
exit

B. Branch Switch CLI (Access Layer)

enable
configure terminal
hostname BR-Main-SW

! Configure User Ports (fa0/2 to fa0/10)
interface range fa0/2 - 10
 switchport mode access
 no shutdown

! Uplink to Branch Router
interface fa0/1
 switchport mode trunk
 no shutdown
exit

C. DHCP Server Pool (Added to 192.168.11.2)

In the DHCP Server Services tab, add the following pool to support Branch users:

Pool Name | Default Gateway | DNS Server   | Start IP     | Subnet Mask
BR_Pool   | 192.168.12.1    | 192.168.11.4 | 192.168.12.2 | 255.255.255.0

D. Branch PC Configuration

  1. Connect PCs to BR-Main-SW ports Fa0/2 through Fa0/10.
  2. On the PC Desktop > IP Configuration, select DHCP.
  3. Wait for "DHCP request successful" to see an IP from the 192.168.12.x range.
  4. Open the Web Browser and navigate to puc.com to verify cross-network DNS/HTTP access.

9. ISP Internal Floor Connection

Connectivity between the ISP Main Router and the ISP Floor Router via the 192.168.13.0/24 subnet.

ISP Main Router CLI

interface gig0/0
 ip address 192.168.13.1 255.255.255.0
 no shutdown
router ospf 1
 network 192.168.13.0 0.0.0.255 area 0
router rip
 version 2
 network 192.168.13.0

ISP Floor Router CLI

interface gig0/0
 ip address 192.168.13.2 255.255.255.0
 no shutdown
router ospf 1
 network 192.168.13.0 0.0.0.255 area 0
router rip
 version 2
 network 192.168.13.0

Verification Command: Run show ip route on either router. You should see the other router's connected networks via O (OSPF) or R (RIP).

10. Security Implementation (Custom ACLs)

This section details the specific security policies implemented to control traffic between the HQ VLANs and the Branch Office (192.168.12.0/24).

A. Standard ACL (VLAN 10 Restriction)

Policy: VLAN 10 is completely restricted from communicating with any Branch client. A standard ACL matches on source address only, so it is placed as close to the destination as possible: outbound on the Branch Router's LAN interface, where it catches every packet sourced from 192.168.10.0/26 (wildcard 0.0.0.63) before it reaches a Branch host.

! Applied on Branch Router
access-list 10 deny 192.168.10.0 0.0.0.63
access-list 10 permit any
interface gig0/0
 ip access-group 10 out

B. Extended ACL (VLAN 20 & 30 Traffic Control)

Policy (relative to the Branch network 192.168.12.0/24): VLAN 20 may ping but not browse, VLAN 30 may browse but not ping. The closing permit ip any any keeps every other flow open, including DHCP relay, DNS and email to the Server Farm, which the Branch tests depend on.

! Applied on HQ Core Router, inbound on the VLAN 20 and VLAN 30 sub-interfaces
access-list 100 permit icmp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255
access-list 100 deny tcp 192.168.10.64 0.0.0.31 192.168.12.0 0.0.0.255 eq 80
access-list 100 deny icmp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255
access-list 100 permit tcp 192.168.10.96 0.0.0.15 192.168.12.0 0.0.0.255 eq 80
access-list 100 permit ip any any

interface gig0/0.20
 ip access-group 100 in
interface gig0/0.30
 ip access-group 100 in

C. ACL Verification Matrix

Source VLAN       | Action: PING | Action: BROWSE
VLAN 10 (Service) | DENY         | DENY
VLAN 20 (IT)      | PERMIT       | DENY
VLAN 30 (Admin)   | DENY         | PERMIT

11. Branch Web Server & DNS Setup

A dedicated server has been added to the Branch Network to test cross-site browsing and verify ACL traffic filtering policies.

Branch Server (Static IP)

  • IP Address: 192.168.12.50
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.12.1
  • DNS Server: 192.168.11.4

DNS Record (On 192.168.11.4)

Add this record to the Central DNS Server to allow domain resolution:

Name: www.branch.com
Type: A Record
Address: 192.168.12.50

Verification of ACL Logic for Branch Server

Use these steps to prove the Extended and Standard ACLs are working as intended:

Source PC | Test Action | Target         | Expected Result
VLAN 10   | Any Access  | www.branch.com | FAILED (Standard ACL)
VLAN 20   | Ping        | 192.168.12.50  | SUCCESS
VLAN 20   | Browse Web  | www.branch.com | TIMEOUT (Extended ACL)
VLAN 30   | Ping        | 192.168.12.50  | FAILED (Extended ACL)
VLAN 30   | Browse Web  | www.branch.com | SUCCESS
Pro Tip: If www.branch.com doesn't load for VLAN 30, ensure the Branch Router has a route back to the DNS Server (192.168.11.4) so the DNS query can be completed before the HTTP request begins.
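The two ACLs of section 10 and the expected results of sections 10C and 11 can be checked offline before touching a router. The following Python model is an added example, not part of the original guide; it implements Cisco wildcard matching and first-match evaluation for the ACL entries above, and the sample host addresses and function names are assumptions made for this demonstration.

```python
import ipaddress

# ACL entries transcribed from section 10: (action, protocol, src, src wildcard, dst, dst wildcard, dst port)
# Standard ACL 10 matches on source only; it is bound "out" on Branch-Router gig0/0.
ACL_10 = [("deny", "ip", "192.168.10.0", "0.0.0.63", "0.0.0.0", "255.255.255.255", None),
          ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None)]
# Extended ACL 100 is bound "in" on HQ-Core-Router gig0/0.20 and gig0/0.30 only.
ACL_100 = [
    ("permit", "icmp", "192.168.10.64", "0.0.0.31", "192.168.12.0", "0.0.0.255", None),
    ("deny", "tcp", "192.168.10.64", "0.0.0.31", "192.168.12.0", "0.0.0.255", 80),
    ("deny", "icmp", "192.168.10.96", "0.0.0.15", "192.168.12.0", "0.0.0.255", None),
    ("permit", "tcp", "192.168.10.96", "0.0.0.15", "192.168.12.0", "0.0.0.255", 80),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_decision(acl, proto, src, dst, dport=None):
    """First matching entry wins; with no match the packet hits IOS's implicit deny."""
    for action, p, sb, sw, db, dw, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def path_allowed(src, dst, proto, dport=None):
    """Does a packet from an HQ host survive both ACLs on its way to the Branch?
    ACL 100 is consulted only for sources on VLAN 20/30 (the sub-interfaces it is
    bound to); ACL 10 only for packets leaving Branch-Router toward 192.168.12.0/24."""
    on_vlan20_30 = (wildcard_match(src, "192.168.10.64", "0.0.0.31")
                    or wildcard_match(src, "192.168.10.96", "0.0.0.15"))
    hq = acl_decision(ACL_100, proto, src, dst, dport) if on_vlan20_30 else "permit"
    to_branch = wildcard_match(dst, "192.168.12.0", "0.0.0.255")
    branch = acl_decision(ACL_10, proto, src, dst, dport) if to_branch else "permit"
    return hq == "permit" and branch == "permit"


# Constructed sample hosts, one per VLAN, plus the Branch web server and the central DNS
HOSTS = {"VLAN10": "192.168.10.5", "VLAN20": "192.168.10.70", "VLAN30": "192.168.10.100"}
WEB, DNS = "192.168.12.50", "192.168.11.4"
```

The model also shows what the matrix does not test: the final permit ip any any leaves VLAN 20's HTTPS (443) to the Branch and all traffic to the Server Farm open, which is intended here for DNS and email but worth stating explicitly in the policy.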