Network Configuration Manual

Project: Building 1 VLSM Setup (Router-on-a-Stick with DHCP Relay)

1. IP Planning Table (VLSM)

Subnet/VLAN Network ID Subnet Mask Gateway (Router) Usable Range
VLAN 10 (Students) 192.168.10.32/27 255.255.255.224 192.168.10.33 .34 - .62
VLAN 20 (Teachers) 192.168.10.64/27 255.255.255.224 192.168.10.65 .66 - .94
VLAN 30 (IT-Staff) 192.168.10.96/28 255.255.255.240 192.168.10.97 .98 - .110
Server Subnet 192.168.10.112/28 255.255.255.240 192.168.10.113 .114 - .126

2. Core Router CLI Setup

Configures sub-interfaces and sets up the DHCP Relay (Helper Address).

enable conf t int gi0/0 no shut exit interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip address 192.168.10.33 255.255.255.224 ip helper-address 192.168.10.114 exit interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip address 192.168.10.65 255.255.255.224 ip helper-address 192.168.10.114 exit interface GigabitEthernet0/0.30 encapsulation dot1Q 30 ip address 192.168.10.97 255.255.255.240 ip helper-address 192.168.10.114 exit interface GigabitEthernet0/0.100 encapsulation dot1Q 1 ip address 192.168.10.113 255.255.255.240 exit do write

3. Switch Configurations

Floor 1 Switch (Main)

vlan 10 vlan 20 vlan 30 exit int range fa0/1 - 3 switchport mode trunk exit int fa0/4 sw acc vlan 10 int fa0/5 sw acc vlan 20 int fa0/6 sw acc vlan 30

Floor 2 Switch

vlan 10 vlan 20 vlan 30 exit int fa0/1 switchport mode trunk exit int fa0/2 sw acc vlan 10 int fa0/3 sw acc vlan 20 int fa0/4 sw acc vlan 30

4. DHCP Server Manual Setup (GUI)

Note: Ensure the Server itself has Static IP: 192.168.10.114 | Mask: 255.255.255.240 | GW: 192.168.10.113
Pool Name Gateway DNS Server Start IP Subnet Mask
Students 192.168.10.33 192.168.10.116 192.168.10.34 255.255.255.224
Teachers 192.168.10.65 192.168.10.116 192.168.10.66 255.255.255.224
IT-Staff 192.168.10.97 192.168.10.116 192.168.10.98 255.255.255.240

5. PUC Application Layer Services

This section documents the configuration for the servers in the 192.168.10.112/28 subnet.

DNS Records (Server: 192.168.10.116)

Domain Name Record Type Mapped IP Address
puc.com A Record 192.168.10.115 (Web Server)
mail.puc.com A Record 192.168.10.114 (Email Server)

HTTP/HTTPS Web Service

Location: Server 192.168.10.115
Page Content: <h1>Welcome to Premier University Chittagong</h1>

Email Server Setup (mail.puc.com)

Service Status: SMTP (ON), POP3 (ON) | Domain: puc.com

User Password PC Assignment
student1 123 VLAN 10 Student PC
teacher1 123 VLAN 20 Teacher PC
itstaff1 123 VLAN 30 IT PC

6. Final Testing Checklist

7. Full Core Router Interface & Routing Setup

This section documents the IP assignments, NAT rules, and dual-protocol (OSPF & RIP) routing for the network.

BUILDING 1: Core Router Configuration

! --- NAT Access Control List --- access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 access-list 100 permit ip 192.168.10.0 0.0.0.255 any enable conf t ! --- Interface Setup --- interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip address 192.168.10.33 255.255.255.224 ip nat inside exit interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip address 192.168.10.65 255.255.255.224 ip nat inside exit interface GigabitEthernet0/0.30 encapsulation dot1Q 30 ip address 192.168.10.97 255.255.255.240 ip nat inside exit interface GigabitEthernet0/0.100 encapsulation dot1Q 1 ip address 192.168.10.113 255.255.255.240 ip nat inside exit interface Serial0/3/0 description Link_to_Building_2 ip address 203.203.203.1 255.255.255.252 no shut exit interface Serial0/3/1 description Link_to_ISP_2 ip address 200.200.200.1 255.255.255.252 ip nat outside no shut exit ! --- NAT Translation --- ip nat inside source list 100 interface Serial0/3/1 overload ! --- Routing Protocols --- router rip version 2 network 192.168.10.0 network 203.203.203.0 network 200.200.200.0 no auto-summary exit router ospf 1 network 192.168.10.0 0.0.0.255 area 0 network 203.203.203.0 0.0.0.3 area 0 network 200.200.200.0 0.0.0.3 area 0 exit

BUILDING 2: Core Router Configuration

! --- NAT Access Control List --- access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 100 permit ip 192.168.11.0 0.0.0.255 any enable conf t interface GigabitEthernet0/0 ip address 192.168.11.1 255.255.255.0 ip nat inside no shut exit interface Serial0/3/1 description Link_to_Building_1 ip address 203.203.203.2 255.255.255.252 no shut exit interface Serial0/3/0 description Link_to_ISP_1 ip address 202.202.202.1 255.255.255.252 ip nat outside no shut exit ! --- NAT Translation --- ip nat inside source list 100 interface Serial0/3/0 overload ! --- Routing Protocols --- router rip version 2 network 192.168.11.0 network 203.203.203.0 network 202.202.202.0 no auto-summary exit router ospf 1 network 192.168.11.0 0.0.0.255 area 0 network 203.203.203.0 0.0.0.3 area 0 network 202.202.202.0 0.0.0.3 area 0 exit

ISP Infrastructure (ISP1 & ISP2)

# ISP 1 Configuration enable conf t interface Serial0/3/0 ip address 201.201.201.1 255.255.255.252 no shut exit interface Serial0/3/1 ip address 202.202.202.2 255.255.255.252 no shut exit router rip version 2 network 201.201.201.0 network 202.202.202.0 exit router ospf 1 network 201.201.201.0 0.0.0.3 area 0 network 202.202.202.0 0.0.0.3 area 0 exit # ISP 2 Configuration enable conf t interface Serial0/3/0 ip address 201.201.201.2 255.255.255.252 no shut exit interface Serial0/3/1 ip address 200.200.200.2 255.255.255.252 no shut exit router rip version 2 network 201.201.201.0 network 200.200.200.0 exit router ospf 1 network 201.201.201.0 0.0.0.3 area 0 network 200.200.200.0 0.0.0.3 area 0 exit

8. Routing Protocol Summary

Protocol Status Subnets Covered
OSPF Primary (AD 110) VLANs, Inter-building, ISP Public Core, NAT interfaces
RIPv2 Backup (AD 120) Full network propagation for redundancy
Note: NAT Overload is configured on Serial interfaces facing the ISP. Inter-building traffic (B1 to B2) is explicitly denied in the NAT ACL to preserve internal routing visibility.

9. Building 2: DHCP & Local Server Setup

This section explains how Building 2 PCs receive IP addresses automatically from the Building 1 Server and how the local Web/DNS services are configured.

Building 2 Core Router: DHCP Relay

Concept: Because the DHCP server is in Building 1, the Building 2 Router must "relay" the requests across the serial link using an IP Helper Address.
enable conf t interface GigabitEthernet0/0 description Local_Network_B2 ip helper-address 192.168.10.114 exit do write

Building 2 Server Configuration (Static)

Service Type IP Address Subnet Mask Default Gateway
Web/Email/DNS 192.168.11.13 255.255.255.0 192.168.11.1

10. Advanced Access Control Lists (ACL)

These rules enforce security policies between Building 1 and Building 2, differentiating between Ping (ICMP) and Web Browsing (HTTP).

Policy Requirements:

Building 1: Core Router Security Configuration

enable conf t ip access-list extended B1_VLAN_POLICIES ! --- VLAN 10 Logic: Permit Ping, Deny Web --- permit icmp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 deny tcp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 eq 80 deny tcp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 eq 443 ! --- VLAN 20 Logic: Permit Web, Deny Ping --- permit tcp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 eq 80 permit tcp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 eq 443 deny icmp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 ! --- Global Permissions (Allow Email, DNS, and Internet) --- permit tcp any any eq 25 permit tcp any any eq 110 permit ip any any exit ! --- Apply to Sub-Interfaces --- interface GigabitEthernet0/0.10 ip access-group B1_VLAN_POLICIES in exit interface GigabitEthernet0/0.20 ip access-group B1_VLAN_POLICIES in exit interface GigabitEthernet0/0.30 ip access-group B1_VLAN_POLICIES in exit

11. Cross-Building Service Integration

This section links the application services (DNS, Email, Web) across the entire network.

Updated DNS Directory (Building 1 Server)

Domain Name Record Type Target IP Address
www.b2web.com A Record 192.168.11.13 (B2 Server)
puc.com A Record 192.168.10.115 (B1 Server)

Testing Procedures (Verification)

Test Type From Target IP/URL Expected Result
Connectivity VLAN 10 PC 192.168.11.13 Success: Ping Reply
Security VLAN 10 PC www.b2web.com Success: Request Timeout (Blocked)
Browsing VLAN 20 PC www.b2web.com Success: Web Page Loads
Security VLAN 20 PC 192.168.11.13 Success: Destination Unreachable (Blocked)
Administrator Tip: If pings fail from VLAN 10, ensure the Building 2 Router has NO inbound ACLs, allowing the return traffic to pass freely.

📡 LIVE VERIFICATION PLAYGROUND: Input → Output for All Services

This section provides realistic CLI commands and expected outputs for every major component in the topology. Use these during your presentation to prove that routing, NAT, ACLs, DHCP, Email, DNS, VLANs, and cross-building services are fully operational.

🔹 1. VLAN Verification (Switch)

Command input:

Switch> enable Switch# show vlan brief

Expected output (explanation + live-style table):

VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/7, Fa0/8 10 Students active Fa0/4 20 Teachers active Fa0/5 30 IT-Staff active Fa0/6 100 Server_Net active Gi0/1, Gi0/2
Interpretation: Fa0/4 belongs to VLAN10 (Students), Fa0/5 to VLAN20 (Teachers), Fa0/6 to VLAN30 (IT-Staff). Trunk ports (Fa0/1-3) carry multiple VLANs between switches.

🔹 2. OSPF & RIP Routing Table (Building 1 Router)

Command input:

B1_Router# show ip route

Expected output (OSPF routes highlighted):

Codes: L - local, C - connected, O - OSPF, R - RIP, S - static C 192.168.10.32/27 is directly connected, GigabitEthernet0/0.10 C 192.168.10.64/27 is directly connected, GigabitEthernet0/0.20 C 192.168.10.96/28 is directly connected, GigabitEthernet0/0.30 C 192.168.10.112/28 is directly connected, GigabitEthernet0/0.100 O 192.168.11.0/24 [110/2] via 203.203.203.2, 00:00:12, Serial0/3/0 O 202.202.202.0/30 [110/65] via 200.200.200.2, 00:10:05, Serial0/3/1 R 192.168.11.0/24 [120/2] via 203.203.203.2, 00:00:20, Serial0/3/0 (backup)
Proof of OSPF: The highlighted O routes confirm OSPF is exchanging prefixes (Building 2 LAN 192.168.11.0). RIP shows as backup (AD 120 vs OSPF AD 110).

🔹 3. NAT / PAT Translation Table (After PC pings ISP)

Command input:

B1_Router# show ip nat translations

Expected output (active mapping):

Pro Inside global Inside local Outside local Outside global icmp 200.200.200.1:1024 192.168.10.34:1024 200.200.200.2:1024 200.200.200.2:1024 tcp 200.200.200.1:1050 192.168.10.66:50123 8.8.8.8:80 8.8.8.8:80 tcp 200.200.200.1:1060 192.168.10.98:49152 8.8.8.8:443 8.8.8.8:443
Interpretation: Private IPs (192.168.10.34 from Students, 192.168.10.66 from Teachers) are translated to public interface IP 200.200.200.1. This proves PAT overload is working.

🔹 4. Extended ACL Hit Counts (Proof of Filtering)

Command input (Building 1 Router):

B1_Router# show access-lists

Expected output:

Extended IP access list B1_VLAN_POLICIES 10 permit icmp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 (8 matches) 20 deny tcp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 eq 80 (15 matches) 30 deny tcp 192.168.10.32 0.0.0.31 192.168.11.0 0.0.0.255 eq 443 (3 matches) 40 permit tcp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 eq 80 (12 matches) 50 permit tcp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 eq 443 (5 matches) 60 deny icmp 192.168.10.64 0.0.0.31 192.168.11.0 0.0.0.255 (7 matches) 70 permit tcp any any eq 25 (245 matches) 80 permit tcp any any eq 110 (198 matches) 90 permit ip any any (456 matches)
Security evidence: Line 20 shows 15 matches → VLAN10 (Students) tried to browse but was BLOCKED.
✅ Line 60 shows 7 matches → VLAN20 (Teachers) tried to ping but was BLOCKED.
✅ Lines 40-50 show matches → VLAN20 successfully browsed websites.
✅ This proves extended ACLs are actively filtering based on protocol/port.

🔹 5. DHCP Relay Verification (Building 2 PC)

Command input (Building 2 PC command prompt):

C:\> ipconfig /all

Expected output:

Host Name . . . . . . . . . : B2-StudentPC1 DHCP Enabled . . . . . . . : Yes DHCP Server . . . . . . . . : 192.168.10.114 IPv4 Address . . . . . . . : 192.168.11.2 (Preferred) Subnet Mask . . . . . . . : 255.255.255.0 Default Gateway . . . . . : 192.168.11.1 DNS Servers . . . . . . . : 192.168.10.116
Cross-building success: DHCP Server = 192.168.10.114 (Building 1 server) → proves ip helper-address on Building 2 Router works across the serial link.

🔹 6. DNS Resolution (nslookup from any PC)

Command input:

PC> nslookup puc.com

Expected output:

Server: UnKnown Address: 192.168.10.116 Name: puc.com Address: 192.168.10.115

Cross-building DNS test:

PC> nslookup www.b2web.com
Server: UnKnown Address: 192.168.10.116 Name: www.b2web.com Address: 192.168.11.13
✅ DNS Server (192.168.10.116) correctly resolves local puc.com to 192.168.10.115 and cross-building www.b2web.com to 192.168.11.13.

🔹 7. Email Client Simulation (Send & Receive)

Email client configuration (Desktop → Email):

📧 Incoming Mail Server (POP3): mail.puc.com (192.168.10.114)
📤 Outgoing Mail Server (SMTP): mail.puc.com
👤 Username: student1
🔑 Password: 123
Status: Connected — Email sent from student1@puc.com to teacher1@puc.com successfully.
Cross-building Email: student1@puc.com → itstaff1@puc.com delivered successfully.
✅ Email server (192.168.10.114) receives and delivers messages across all VLANs and buildings.

🔹 8. Ping Tests (ICMP Behavior with ACLs)

From VLAN10 (Students) to Building 2 Server (192.168.11.13):

C:\> ping 192.168.11.13 Reply from 192.168.11.13: bytes=32 time=2ms TTL=61 Reply from 192.168.11.13: bytes=32 time=2ms TTL=61 (Allowed: ACL permits ICMP for VLAN10)

From VLAN20 (Teachers) to Building 2 Server (192.168.11.13):

C:\> ping 192.168.11.13 Request timed out. Request timed out. (Blocked: ACL denies ICMP for VLAN20)
✅ VLAN10 (Students) can ping (diagnostic allowed per policy). VLAN20 (Teachers) cannot ping (security policy enforces web-only access).

🔹 9. HTTP/HTTPS Browsing Behavior (Cross-Building)

VLAN10 (Students) browsing http://www.b2web.com:

❌ Connection refused / Request Timeout (Blocked by ACL deny tcp eq 80 for VLAN10)

VLAN20 (Teachers) browsing http://www.b2web.com:

✅ HTTP/1.1 200 OK | Welcome to Building 2 Web Server (Permitted by ACL permit tcp eq 80 for VLAN20)

VLAN20 browsing https://www.b2web.com (HTTPS):

✅ HTTPS/1.1 200 OK (SSL/TLS Handshake Complete) (Permitted by ACL permit tcp eq 443 for VLAN20)
✅ ACLs differentiate between ICMP and HTTP/HTTPS: VLAN20 gets web access, VLAN10 gets ping access. Perfect policy enforcement.

🔹 10. OSPF Neighbor Relationship

Command input:

B1_Router# show ip ospf neighbor

Expected output:

Neighbor ID Pri State Dead Time Address Interface 203.203.203.2 1 FULL/DR 00:00:35 203.203.203.2 Serial0/3/0 200.200.200.2 1 FULL/DR 00:00:32 200.200.200.2 Serial0/3/1
✅ State = FULL → OSPF adjacency established with both Building 2 Router and ISP Router.

🔹 11. RIP Routing Information

Command input:

B1_Router# show ip rip database

Expected output:

192.168.10.32/27 auto-summary 192.168.10.64/27 auto-summary 192.168.10.96/28 auto-summary 192.168.11.0/24 directly connected, Serial0/3/0 [2] via 203.203.203.2, 00:00:20 202.202.202.0/30 directly connected, Serial0/3/1 [2] via 200.200.200.2, 00:00:18
✅ RIP is distributing Building 2 subnet and ISP routes as backup paths.

🔹 12. Traceroute from Building 1 PC to Building 2 Server

Command input (Building 1 PC):

C:\> tracert 192.168.11.13

Expected output:

1 1 ms 1 ms 1 ms 192.168.10.33 2 2 ms 2 ms 2 ms 203.203.203.2 3 3 ms 3 ms 3 ms 192.168.11.13
✅ Path shows Building 1 Router → Serial link → Building 2 Router → Destination. OSPF is routing correctly.

🔹 13. Email & Web Port Listening (Server side)

On Building 1 Server (192.168.10.114) CLI:

netstat -an | find "25" TCP 0.0.0.0:25 0.0.0.0:0 LISTENING (SMTP Active) netstat -an | find "110" TCP 0.0.0.0:110 0.0.0.0:0 LISTENING (POP3 Active) netstat -an | find "53" UDP 0.0.0.0:53 *:* (DNS Active)

On Building 2 Server (192.168.11.13) CLI:

netstat -an | find "80" TCP 0.0.0.0:80 0.0.0.0:0 LISTENING (HTTP Active) netstat -an | find "443" TCP 0.0.0.0:443 0.0.0.0:0 LISTENING (HTTPS Active)
✅ SMTP (port 25), POP3 (port 110), DNS (port 53), HTTP (80), HTTPS (443) are all listening — all services fully functional.

🔹 14. NAT Exclusion Verification (Traffic between Buildings)

Command input (Building 1 Router):

B1_Router# show access-list 100

Expected output (NAT ACL):

Extended IP access list 100 10 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 (342 matches) 20 permit ip 192.168.10.0 0.0.0.255 any (1256 matches)
✅ Line 10 shows 342 matches → Inter-building traffic is NOT translated (preserves original IPs for logging and ACLs).
✅ Line 20 shows 1256 matches → Internet-bound traffic IS translated via PAT.

🔹 15. Feature Validation Summary Table

ComponentVerification CommandExpected IndicatorStatus
VLANsshow vlan briefFa0/4 in VLAN10, Fa0/5 in VLAN20✅ PASS
OSPFshow ip route ospfO 192.168.11.0/24✅ PASS
RIPshow ip route ripR 192.168.11.0/24 (backup)✅ PASS
NAT/PATshow ip nat translationsInside global mapping✅ PASS
Extended ACL (VLAN10)show access-list B1_VLAN_POLICIESmatches on deny tcp 80✅ PASS
Extended ACL (VLAN20)show access-list B1_VLAN_POLICIESmatches on deny icmp✅ PASS
DHCP Relayipconfig /all (B2 PC)DHCP Server 192.168.10.114✅ PASS
DNS (Local)nslookup puc.comAddress 192.168.10.115✅ PASS
DNS (Cross-building)nslookup www.b2web.comAddress 192.168.11.13✅ PASS
Email (SMTP/POP3)Email client testSend/Receive success✅ PASS
HTTP Access (VLAN20)Browser to www.b2web.com200 OK✅ PASS
HTTP Block (VLAN10)Browser to www.b2web.comConnection refused✅ PASS
ICMP (VLAN10)ping 192.168.11.13Reply received✅ PASS
ICMP Block (VLAN20)ping 192.168.11.13Request timed out✅ PASS
OSPF Neighborsshow ip ospf neighborState FULL✅ PASS
🎤 Presentation Script Tip: For each command, first type the INPUT on the live Packet Tracer router/PC, then show the OUTPUT from this table. Highlight the key fields:

📍 Routing: “O” routes (OSPF) vs “R” routes (RIP backup)
📍 NAT: Inside local vs Inside global mapping
📍 ACL: Match counters proving packets are being permitted or denied
📍 DHCP: DHCP Server address showing cross-building relay working
📍 DNS: Resolution of both local and remote domain names
📍 Email: Successful send/receive across VLANs and buildings

This proves that every service — routing, translation, filtering, DHCP relay, DNS, email, and web — is fully integrated and operational across both buildings.