TASK 1: Foundational Network Design & Static Routing
Objective:
Design a basic network topology to implement static routing, VLAN segmentation, DHCP, and NAT.
Topology Requirements:
• 3 Routers: R1 (Head Office), R2 (Site A), R3 (Site B)
• 3 Switches: One per branch/office
• 2 PCs per branch (in different VLANs)
i.e. Router -> Switch -> VLAN 1 -> PC1
                      -> VLAN 2 -> PC2
• 1 Server in Head Office (with DHCP) should serve as a WEB server.
• 1 Server in Head Office (with Static IP) should serve as a DNS server.
• IP Scheme: Use VLSM to subnet 192.168.9.0/24
• Configure DHCP Server on R1 to assign IPs to all VLANs
• Static routing on all routers
Validation Checklist:
• All PCs get IPs via DHCP
• VLANs configured correctly
• Static routes allow full connectivity
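An added planning aid for the VLSM requirement above (not part of the original task sheet): it carves 192.168.9.0/24 largest-subnet-first and checks that nothing overlaps. The host counts, the separate Head Office server subnet and the two router-to-router links are assumptions; the task fixes only the /24 block.

```python
import ipaddress

# Assumed usable-host requirements; the page fixes only the 192.168.9.0/24 block.
NEEDS = {
    "HO-VLAN1": 60, "HO-VLAN2": 28, "HO-Servers": 6,
    "SiteA-VLAN1": 28, "SiteA-VLAN2": 12,
    "SiteB-VLAN1": 28, "SiteB-VLAN2": 12,
    "R1-R2-link": 2, "R1-R3-link": 2,   # assumed point-to-point router links
}


def vlsm(base, needs):
    """Carve `base` into subnets, largest requirement first, with no gaps."""
    block = ipaddress.ip_network(base)
    cursor = int(block.network_address)
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        size = 4                       # smallest block with two usable hosts (/30)
        while size - 2 < hosts:        # reserve network + broadcast addresses
            size *= 2
        prefix = 32 - (size.bit_length() - 1)
        if cursor + size > int(block.broadcast_address) + 1:
            raise ValueError(f"{base} exhausted while placing {name}")
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return plan


def overlaps(plan):
    """Return every pair of names whose subnets overlap (should be empty)."""
    nets = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


PLAN = vlsm("192.168.9.0/24", NEEDS)

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:12} {str(net):18} first host {net.network_address + 1}")
```

Each resulting subnet maps to one DHCP pool on R1 and one destination in the static routes on R2 and R3.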
TASK 2: Dynamic Routing & ACLs
Objective:
Enhance Task 1 by implementing dynamic routing with the EIGRP & OSPF protocols, switch-level security, and
access control.
Topology Enhancements:
• Replace Static Routing with Dynamic Routing:
o Use OSPF for Head Office and EIGRP for both Sites A & B, and enable communication between all
routers.
• Access Control Lists:
o Block VLAN 2 of SITE A & B from accessing the WEB Server only in Head Office.
o Allow only VLAN 1 of SITE A & B to access the DNS & WEB server.
o Allow Head Office to access both DNS & WEB server.
Validation Checklist:
• All devices are reachable (except restricted by ACLs)
• OSPF & EIGRP neighbors formed
• VLAN 2 of Site A & B are blocked from accessing WEB server.
TASK 3: LAN Design with OSPF & VLAN Scaling using three TIER architecture
Objective:
Design a scalable LAN with multiple VLANs, implement OSPF routing, and ensure inter-VLAN routing.
Topology Requirements:
• 6 Switches (3 with each router, i.e., 1 Distribution Switch (LAYER 3 Switch) and 2 Access Layer
Switches (LAYER 2 Switch))
• 2 Routers (CORE Layer) running OSPF area 0
• 4 VLANs (10, 20, 30, 40), split across two switches in each section
• DHCP setup for VLANs (enabled on Distribution switch)
• Use OSPF for dynamic routing between routers
NOTE: The three-tier architecture consists of: Core Layer -> Distribution Layer -> Access Layer
Validation Checklist:
• VLANs assigned to correct interfaces
• Trunk links between switches configured
• PCs in different VLANs can reach each other
• Routers running OSPF (verify with show ip route and show ip protocols)
• DHCP works for all VLANs
TASK 4: Multi-Area OSPF, HSRP & Layer 2 Redundancy
Objective:
Scale the previous topology into a multi-area OSPF design with HSRP for gateway redundancy and Layer 2
redundancy using EtherChannel and STP.
Topology Enhancements:
• 4 Routers in total:
o Area 0 (Backbone) and Area 1 (LAN side)
• Use Multi-area OSPF
• 2 Distribution switches with HSRP configured for VLANs (gateway redundancy)
• Add 2 Access switches connected via EtherChannel to distribution switches
• Enable STP (Rapid PVST) to prevent loops
Validation Checklist:
• HSRP working (check virtual IP failover with router shutdown)
• EtherChannel active (show etherchannel summary)
• OSPF routing tables populated correctly in both areas
• STP running, root bridge properly elected
• PC-to-PC communication works even if one switch or router fails
TASK 5: Multi-AS External Routing Simulation via BGP
Objective:
Set up external BGP routing between three different organizations (ASNs). Ensure reachability and
influence outbound routing decisions.
Topology Requirements:
Devices:
• 3 Routers representing different ASes:
• R1 (AS 65001)
• R2 (AS 65002)
• R3 (AS 65003)
• 1 End device per router (PC or server for testing reachability)
Connections:
• R1 ↔ R2
• R2 ↔ R3
BGP Configuration
• Configure eBGP sessions between:
o R1 ↔ R2
o R2 ↔ R3
• Advertise each router’s LAN network using network statements
• Ensure all LANs are reachable across AS boundaries
• Verify routing tables (show ip bgp, show ip route)
Validation Checklist:
• BGP neighbors established
• All PCs can ping each other
• Path preference works (check via show ip bgp)
• BGP configuration uses correct ASNs and IPs
TASK 6: Enterprise Multi-Site Network with ASA Firewall
Objective:
To design, implement, and validate a secure and scalable enterprise network in Cisco Packet Tracer using
multi-tier architecture with WAN, HQ, Branch A, Branch B, and Data Center (DMZ). The solution must
integrate BGP and OSPF routing, ASA Firewall with ACLs, VLAN segmentation, and server-based services,
enforcing strict access control policies.
Topology Requirements:
• Network Structure:
1. WAN (ISP Simulation)
a. 4 Routers (W-R1, W-R2, W-R3, W-R4) in full mesh BGP connectivity
b. Each router simulates a different Autonomous System (AS)
2. Headquarters (HQ)
a. 1 Edge Router (HQ-ER)
b. 1 Layer 3 Distribution Switch (HQ-DIST)
c. 1 Layer 2 Access Switch (HQ-ACCESS)
d. Multiple Departmental Switches (one per VLAN)
e. Connected to ASA Firewall
3. Data Center (DMZ)
a. Connected to ASA Firewall
b. 1 Layer 3 Distribution Switch (DC-DIST)
c. 1 Layer 2 Access Switch (DC-ACCESS)
d. Hosts DNS, Email, Web, and File Servers
4. Branch A
a. 1 Edge Router (BA-ER)
b. 1 Layer 3 Distribution Switch
c. 1 Layer 2 Access Switch
d. 3 VLANs (HR, Support, Sales)
5. Branch B
a. 1 Edge Router (BB-ER)
b. 1 Layer 3 Distribution Switch
c. 1 Layer 2 Access Switch
d. 3 VLANs (HR, Support, Sales)
FOR EXAMPLE
IP Addressing Plan (VLSM)
Zone                             Subnet Range     Usage
HQ VLANs                         192.168.1.0/24   6 departments (subnet as needed)
Branch A VLANs                   192.168.2.0/24   3 VLANs
Branch B VLANs                   192.168.3.0/24   3 VLANs
WAN Links                        10.10.10.0/24    P2P links b/w W-R routers (subnet as needed)
WAN to Local Links (HQ, BA, BB)  11.11.11.0/24    P2P links b/w W-R routers & ER edge routers
DMZ Servers                      10.1.1.0/24      4 servers (subnet as needed & leave room for more servers)
Routing Configuration
• BGP (External Routing)
o Deployed on W-R1 to W-R4 (full mesh with different ASNs)
o Edge routers at HQ, Branch A, Branch B participate in eBGP
o Edge routers redistribute OSPF into BGP
• OSPF (Internal Routing)
o Deployed inside each site: HQ, Branch A, Branch B
o Area 0 used across internal routers and the ASA
o All internal devices (core switch, ASA, edge router) form OSPF neighbors
• Redistribution
o Implement OSPF ↔ BGP redistribution.
ASA Firewall ACLs
• INBOUND_EXTERNAL
o Allow Branch A & B to access only DNS, Email & Web servers
o ICMP to above servers
o Deny all other traffic
• INBOUND_INTERNAL
o Allow HQ to access DNS, Email, Web, and File Servers
o ICMP to any server
o Deny everything else
• INBOUND_DC
o Allow servers to respond to valid HQ and Branch connections
o Return traffic permitted for:
▪ Web, DNS, Email to Branches
▪ File Server to HQ
o ICMP permitted back to HQ and branches
NOTE: HQ & Branches should not be able to ping each other. They can only communicate via the Email server.
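An added model of the INBOUND_EXTERNAL and INBOUND_INTERNAL policy above (not part of the original task sheet), useful for writing down the expected permit/deny result of each flow before testing it in Packet Tracer. Server and PC host addresses and the port choices are assumptions; the subnets come from the addressing plan, and stateful return traffic (INBOUND_DC) is not modelled.

```python
import ipaddress

# Subnets come from the page's addressing plan; server addresses are constructed.
HQ, BRANCH_A, BRANCH_B = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
SERVERS = {"dns": "10.1.1.10", "email": "10.1.1.11",
           "web": "10.1.1.12", "file": "10.1.1.13"}
# Assumed service ports: DNS 53, SMTP 25 and POP3 110, HTTP 80 and HTTPS 443, FTP 21.
PORTS = {"dns": [("udp", 53), ("tcp", 53)], "email": [("tcp", 25), ("tcp", 110)],
         "web": [("tcp", 80), ("tcp", 443)], "file": [("tcp", 21)]}
ANY = "0.0.0.0/0"


def build_acl(sources, services):
    """Ordered (action, src, dst, proto, port) entries ending in an explicit deny."""
    acl = []
    for src in sources:
        for svc in services:
            dst = SERVERS[svc] + "/32"
            acl += [("permit", src, dst, proto, port) for proto, port in PORTS[svc]]
            acl.append(("permit", src, dst, "icmp", None))
    acl.append(("deny", ANY, ANY, "ip", None))   # "Deny all other traffic"
    return acl


INBOUND_EXTERNAL = build_acl([BRANCH_A, BRANCH_B], ["dns", "email", "web"])
INBOUND_INTERNAL = build_acl([HQ], ["dns", "email", "web", "file"])


def permitted(acl, src, dst, proto, port=None):
    """First matching entry decides; protocol "ip" matches any protocol and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_src, a_dst, a_proto, a_port in acl:
        if s not in ipaddress.ip_network(a_src) or d not in ipaddress.ip_network(a_dst):
            continue
        if a_proto == "ip" or (a_proto == proto and a_port == port):
            return action == "permit"
    return False   # implicit deny when no entry matches


if __name__ == "__main__":
    tests = [("Branch A PC -> Web (HTTP)", INBOUND_EXTERNAL, "192.168.2.10", SERVERS["web"], "tcp", 80),
             ("Branch B PC -> File (FTP)", INBOUND_EXTERNAL, "192.168.3.10", SERVERS["file"], "tcp", 21),
             ("Branch A PC -> HQ PC ping", INBOUND_EXTERNAL, "192.168.2.10", "192.168.1.10", "icmp", None),
             ("HQ PC -> File (FTP)", INBOUND_INTERNAL, "192.168.1.10", SERVERS["file"], "tcp", 21),
             ("HQ PC -> Branch B PC ping", INBOUND_INTERNAL, "192.168.1.10", "192.168.3.10", "icmp", None)]
    for label, acl, *flow in tests:
        print(f"{label:28} {'permit' if permitted(acl, *flow) else 'deny'}")
```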
Validation Checklist
• Use show vlan and show ip interface brief on switches to verify VLAN creation and interface assignments.
• Check IP settings on end devices (PCs, servers) and interface configurations on routers/switches.
• Use show ip ospf neighbor on routers/firewall to confirm OSPF adjacency.
• Use show ip bgp summary on edge and W routers to verify BGP peer status.
• Use show interface ip brief on the ASA to confirm interface names, IPs, and status.
• Use show access-list and show run access-group to validate ACL rules and interface bindings.
• Use ping or telnet to test reachability to servers.
• Test the FTP connection and ping from an HQ PC to the File Server.
• Attempt a ping from a Branch PC to an HQ PC and ensure it is blocked.
• Simulate message exchange via Email Server from Branch to HQ.
• Confirm that unauthorized traffic is denied