Divide the 172.16.10.0/24 network into eight subnets
Subnet Number | Network Address | Usable Host Address Range | Broadcast Address |
---|---|---|---|
1 | 172.16.10.0/27 | 172.16.10.1 - 172.16.10.30 | 172.16.10.31 |
2 | 172.16.10.32/27 | 172.16.10.33 - 172.16.10.62 | 172.16.10.63 |
3 | 172.16.10.64/27 | 172.16.10.65 - 172.16.10.94 | 172.16.10.95 |
4 | 172.16.10.96/27 | 172.16.10.97 - 172.16.10.126 | 172.16.10.127 |
5 | 172.16.10.128/27 | 172.16.10.129 - 172.16.10.158 | 172.16.10.159 |
6 | 172.16.10.160/27 | 172.16.10.161 - 172.16.10.190 | 172.16.10.191 |
7 | 172.16.10.192/27 | 172.16.10.193 - 172.16.10.222 | 172.16.10.223 |
8 | 172.16.10.224/27 | 172.16.10.225 - 172.16.10.254 | 172.16.10.255 |
The new subnet mask is 255.255.255.224 (/27).
32 addresses exist per subnet, including the network address and the broadcast address, which leaves 30 usable host addresses.
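As an added check (not part of the original lab), the following Python splits the /24 into the eight /27 subnets of the table above and derives the first-usable-address gateway convention the lab uses; only the standard ipaddress module is needed.

```python
import ipaddress

# Added example: split 172.16.10.0/24 into eight equal /27 subnets and list
# network, first/last usable host and broadcast, matching the table above.
def split_subnets(base: str, count: int):
    """Return a list of dicts describing `count` equal subnets of `base`."""
    net = ipaddress.ip_network(base, strict=True)
    # Each halving of the block adds one bit to the prefix: 8 subnets -> +3 bits.
    extra_bits = (count - 1).bit_length()
    if 2 ** extra_bits != count:
        raise ValueError("subnet count must be a power of two")
    rows = []
    for i, sub in enumerate(net.subnets(prefixlen_diff=extra_bits), start=1):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        rows.append({
            "subnet": i,
            "network": str(sub),
            "mask": str(sub.netmask),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "addresses": sub.num_addresses,
        })
    return rows

def gateway_for(host: str, rows):
    """Return the first usable address of the subnet containing `host` (the
    convention this lab uses for default gateways), or None if outside all."""
    addr = ipaddress.ip_address(host)
    for row in rows:
        if addr in ipaddress.ip_network(row["network"]):
            return row["first_usable"]
    return None

if __name__ == "__main__":
    for row in split_subnets("172.16.10.0/24", 8):
        print("{subnet} | {network} | {first_usable} - {last_usable} | "
              "{broadcast}".format(**row))
```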
Now that the network is structured into the desired subnets, we can implement VLANs and trunks with Cisco IOS commands on the S1-Office1 and S2-Office1 switches.
Create and name VLANs as follows:
VLAN 10: Management
VLAN 20: Marketing
VLAN 30: Accounting
VLAN 100: Native
On S1-Office1 and S2-Office1, configure the interfaces as access ports and assign VLANs as follows:
VLAN 10: fa0/1-10
VLAN 20: fa0/11-20
VLAN 30: fa0/21-24
enable
conf t
vlan 10
name Management
exit
vlan 20
name Marketing
exit
vlan 30
name Accounting
exit
vlan 100
name Native
exit
do show vlan brief
enable
conf t
int range fa 0/1-10
switchport mode access
switchport access vlan 10
exit
int range fa 0/11-20
switchport mode access
switchport access vlan 20
exit
int range fa 0/21-24
switchport mode access
switchport access vlan 30
exit
do show vlan brief
S1
enable
conf t
int range gig 0/1-2
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 10,20,30,100
exit
exit
show interfaces trunk
copy running-config startup-config
S2
enable
conf t
int gig 0/1
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 10,20,30,100
exit
exit
show interfaces trunk
enable
conf t
int range fa 0/1-24
switchport nonegotiate
exit
do show interfaces switchport
Assign the first usable IP address and the appropriate subnet mask of subnet 1 to the R3 interface connected to the Office3 network.
172.16.10.0/27 172.16.10.1 - 172.16.10.30 172.16.10.31
R3
enable
conf t
int gig 0/0
ip address 172.16.10.1 255.255.255.224
exit
Assign the first usable IP address and the appropriate subnet mask of subnet 2 to the R3 interface connected to the Office2 network.
172.16.10.32/27 172.16.10.33 - 172.16.10.62 172.16.10.63
R3
enable
conf t
int gig 0/1
ip address 172.16.10.33 255.255.255.224
exit
Assign the first and second usable IP addresses and the appropriate subnet mask of subnet 3 to the R1 <-> R2 WAN link.
172.16.10.64/27 172.16.10.65 - 172.16.10.94 172.16.10.95
R1
enable
conf t
int se 0/0/1
ip address 172.16.10.65 255.255.255.224
exit
R2
enable
conf t
int se 0/0/1
ip address 172.16.10.66 255.255.255.224
exit
Assign the first and second usable IP addresses and the appropriate subnet mask of subnet 4 to the R1 <-> R3 WAN link.
172.16.10.96/27 172.16.10.97 - 172.16.10.126 172.16.10.127
R1
enable
conf t
int se 0/0/0
ip address 172.16.10.97 255.255.255.224
exit
R3
enable
conf t
int se 0/0/0
ip address 172.16.10.98 255.255.255.224
exit
Assign the first and second usable IP addresses and the appropriate subnet mask of subnet 5 to the R2 <-> R3 WAN link.
172.16.10.128/27 172.16.10.129 - 172.16.10.158 172.16.10.159
R2
enable
conf t
int se 0/0/0
ip address 172.16.10.129 255.255.255.224
exit
R3
enable
conf t
int se 0/0/1
ip address 172.16.10.130 255.255.255.224
exit
Assign IPs to the CEO devices in the subnet 172.16.10.160/27, with usable IPs ranging from 172.16.10.161 to 172.16.10.190, a subnet mask of 255.255.255.224, and the default gateway set to 172.16.10.161. Note that a router-on-a-stick setup is required for Layer 3 connectivity.
CEO1
netsh interface ip set address name="FastEthernet0" static 172.16.10.190 255.255.255.224 172.16.10.161
CEO2
netsh interface ip set address name="FastEthernet0" static 172.16.10.189 255.255.255.224 172.16.10.161
Assign IPs to the Copyrighter devices in the subnet 172.16.10.192/27, with a usable IP range of 172.16.10.193 - 172.16.10.222, a subnet mask of 255.255.255.224, and the default gateway set to 172.16.10.193.
netsh interface ip set address name="FastEthernet0" static 172.16.10.222 255.255.255.224 172.16.10.193
netsh interface ip set address name="FastEthernet0" static 172.16.10.221 255.255.255.224 172.16.10.193
Assign the last usable IP addresses of subnet 172.16.10.224/27 to the Office1 network Dialer end devices, with a usable IP range of 172.16.10.225 - 172.16.10.254, a subnet mask of 255.255.255.224, and the default gateway set to 172.16.10.225.
netsh interface ip set address name="FastEthernet0" static 172.16.10.254 255.255.255.224 172.16.10.225
netsh interface ip set address name="FastEthernet0" static 172.16.10.253 255.255.255.224 172.16.10.225
Assign IPs to Office2 and Office3 devices. For Office2 (Subnet 2 - 172.16.10.32/27), the usable IP range is 172.16.10.33 - 172.16.10.62, the default gateway is 172.16.10.33, and the subnet mask is 255.255.255.224. The commands below configure the Office3 servers and admin PC in Subnet 1 (172.16.10.0/27, default gateway 172.16.10.1).
//Email Server
netsh interface ip set address name="FastEthernet0" static 172.16.10.30 255.255.255.224 172.16.10.1
//Syslog/NTP Server
netsh interface ip set address name="FastEthernet0" static 172.16.10.29 255.255.255.224 172.16.10.1
//Admin
netsh interface ip set address name="FastEthernet0" static 172.16.10.28 255.255.255.224 172.16.10.1
Configure R1 for Inter-VLAN Routing
S1
enable
conf t
int gig 0/1
switchport mode trunk
exit
S2
enable
conf t
int gig 0/1
switchport trunk native vlan 100
exit
R1
enable
conf t
int gig 0/0
no shutdown
exit
int gig 0/0.10
encapsulation dot1q 10
ip address 172.16.10.161 255.255.255.224
exit
int gig 0/0.20
encapsulation dot1q 20
ip address 172.16.10.193 255.255.255.224
exit
int gig 0/0.30
encapsulation dot1q 30
ip address 172.16.10.225 255.255.255.224
exit
show run
copy running-config startup-config
Port Security - Enable port security on the ports connected to end devices on the S1-Office1 and S2-Office1 switches (note: do not implement port security on trunk ports). Secure authorized MAC addresses using sticky learning, set the violation mode to restrict, verify the port security configuration with the appropriate show commands, then disable all remaining unused ports and save the configuration.
enable
conf t
int fa 0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
exit
int fa 0/11
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
exit
int fa 0/21
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
exit
do show port-security (or do show running-config)
enable
conf t
int range fa 0/2-10
shutdown
exit
int range fa 0/12-20
shutdown
exit
int range fa 0/22-24
shutdown
exit
copy running-config startup-config
Configure OSPF: Enable OSPF on R1, R2, and R3 to allow communication across all subnets.
R1
enable
conf t
router ospf 1
router-id 1.1.1.1
network 172.16.10.160 0.0.0.31 area 0
network 172.16.10.192 0.0.0.31 area 0
network 172.16.10.224 0.0.0.31 area 0
network 172.16.10.96 0.0.0.31 area 0
network 172.16.10.64 0.0.0.31 area 0
passive-interface gig 0/0.10
passive-interface gig 0/0.20
passive-interface gig 0/0.30
exit
R2
enable
conf t
router ospf 1
router-id 2.2.2.2
network 172.16.10.64 0.0.0.31 area 0
network 172.16.10.128 0.0.0.31 area 0
exit
R3
enable
conf t
router ospf 1
router-id 3.3.3.3
network 172.16.10.128 0.0.0.31 area 0
network 172.16.10.96 0.0.0.31 area 0
network 172.16.10.32 0.0.0.31 area 0
network 172.16.10.0 0.0.0.31 area 0
passive-interface gig 0/0
passive-interface gig 0/1
exit
Configure ACLs on R3 to prevent guests from connecting to the NTP/Syslog server. First, create a numbered extended ACL where traffic from the guest PC to the NTP/Syslog server is denied, while all other network traffic is permitted. Apply the ACL on the correct interface and traffic direction. Then, verify the ACL configuration with a show command (note that IP addresses may vary based on assignments). Finally, test the ACL from the guest PC by pinging both the NTP server and the email server.
enable
conf t
access-list 100 deny ip host 172.16.10.62 host 172.16.10.29
access-list 100 permit ip any any
interface gig 0/1
ip access-group 100 in
exit
do show access-lists
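As an added illustration (not part of the original lab and not IOS code), this Python models ACL 100 the way IOS evaluates it, first match wins with an implicit deny at the end, and runs the two ping checks the task asks for; the guest PC address 172.16.10.62 and NTP/Syslog server 172.16.10.29 come from the ACL above, the email server 172.16.10.30 from the Office3 netsh commands.

```python
import ipaddress

# Added example: evaluate the numbered extended ACL from this section against
# the guest PC's traffic. Addresses are the ones used on this page; the parser
# only understands the 'ip' ACE forms the lab uses ('any' and 'host A.B.C.D').
def parse_ace(line: str):
    """Parse 'access-list 100 {permit|deny} ip <src> <dst>' into
    (action, src_network, dst_network)."""
    tok = line.split()
    if tok[:2] != ["access-list", "100"] or tok[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    action = tok[2]
    i, nets = 4, []
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
    return action, nets[0], nets[1]

ACL_100 = [parse_ace(l) for l in [
    "access-list 100 deny ip host 172.16.10.62 host 172.16.10.29",
    "access-list 100 permit ip any any",
]]

def acl_decision(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet src->dst: entries are checked
    top-down and the first match wins; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"   # implicit deny at the end of every IOS ACL

def ping_results(acl, guest="172.16.10.62"):
    """The ACL is applied inbound on R3 gig 0/1 (the Office2 side), so only
    the guest's outbound packets are filtered; echo replies are not checked."""
    targets = {"ntp_syslog": "172.16.10.29", "email": "172.16.10.30"}
    return {name: acl_decision(acl, guest, ip) for name, ip in targets.items()}

if __name__ == "__main__":
    print(ping_results(ACL_100))
```

Note that the order matters: placing the permit any any entry first would shadow the deny and the guest could still reach the NTP/Syslog server.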
Initial and Security Settings for Network Devices - Configure all network devices with basic security settings to prevent unauthorized access. First, configure the console line to use the local username Admin and password ACDC1973 for access. Then, secure privileged mode access with the password beatles1960. Next, encrypt all passwords on the device and configure the following security message (MOTD Banner): "Only authorized personnel are allowed accessing this device!". Finally, save all running configurations to NVRAM on all routers and switches.
enable
conf t
username Admin password ACDC1973
enable password beatles1960
banner motd #Only authorized personnel are allowed accessing this device!#
line console 0
login local
exit
service password-encryption
exit
copy run start
Secure Remote Access - Configure SSHv2 services on all routers (R1, R2, and R3) to enable remote administration. First, set the IP domain name to Cyber.local. Then, generate secure keys with a minimum key length of 1024 bits and enable SSHv2. Next, configure the VTY lines to use local login credentials and allow only incoming SSH sessions. Verify the configuration using appropriate show commands. Afterward, set the correct default gateway on the admin PC and test SSH access to the routers using the command ssh -l
enable
conf t
ip domain-name Cyber.local
line vty 0 15
login local
motd-banner
transport input ssh
exit
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
exit
exit
copy run start
show ip ssh