Capstone Project II

Advanced Enterprise Network Lab

Multi-Area OSPF, VLANs, Trunking, and Standard ACL Security

Objective

Configure an advanced enterprise network deploying 4 branch routers (R1, R2, R3, R4) running Multi-Area OSPF. R1 supports 4 distinct VLANs representing active corporate departments (Engineering, Sales, Management, Development) with a Router-on-a-Stick setup linking to SW1. Each VLAN hosts 2 PCs per department. R4 connects to SW2 serving the IT Department (also 2 PCs). R3 hosts the centralized Application Server.

Network security is enforced using a Standard ACL applied on R3, permitting the IT Department subnet unrestricted server access while denying all other corporate subnets (Engineering, Sales, Management, Development) from reaching the server. Standard ACLs filter by source IP only and must be placed as close to the destination as possible.

Design Change: Standard ACL (vs Extended)

Standard ACLs match on source IP address only — they cannot distinguish protocol or port. Therefore the policy is simplified: the IT subnet (192.168.99.0/24) is explicitly permitted to the server; all other corporate subnets are denied. The ACL is applied outbound on R3 Gi0/2 (closest to the destination server), which is the best-practice placement for Standard ACLs.

Network Topology Diagram

[Diagram not reproduced; the recoverable topology is summarised here.]
Backbone chain: R1 (Area 1) -- 10.1.2.0/30 -- R2 (ABR, Area 1 ↔ Area 0) -- 10.2.3.0/30 -- R3 (ABR, Area 0 ↔ Area 2) -- 10.3.4.0/30 -- R4 (Area 2).
R1 Gi0/1 ↔ SW1: 802.1Q trunk carrying VLAN 10 Engineering (PC-ENG-1 192.168.10.10, PC-ENG-2 192.168.10.20), VLAN 20 Sales (PC-SALES-1 192.168.20.10, PC-SALES-2 192.168.20.20), VLAN 30 Management (PC-MGMT-1 192.168.30.10, PC-MGMT-2 192.168.30.20), VLAN 40 Development (PC-DEV-1 192.168.40.10, PC-DEV-2 192.168.40.20).
R3 Gi0/2 ↔ Server 172.16.100.10/24 (Area 0); Standard ACL applied outbound on Gi0/2.
R4 Gi0/1 ↔ SW2: VLAN 99 IT, 192.168.99.0/24 (PC-IT-1 192.168.99.10, PC-IT-2 192.168.99.20).
Legend: backbone links are /30 point-to-point; R3 Gi0/2 is the ACL-secured link; OSPF Area 1, Area 0 (backbone), Area 2.

IP Addressing Table

Device              | Interface | IP Address          | Subnet Mask           | Description
R1                  | Gi0/0     | 10.1.2.1            | 255.255.255.252 (/30) | Link to R2 — OSPF Area 1
R1                  | Gi0/1.10  | 192.168.10.1        | 255.255.255.0 (/24)   | Engineering Gateway VLAN 10
R1                  | Gi0/1.20  | 192.168.20.1        | 255.255.255.0 (/24)   | Sales Gateway VLAN 20
R1                  | Gi0/1.30  | 192.168.30.1        | 255.255.255.0 (/24)   | Management Gateway VLAN 30
R1                  | Gi0/1.40  | 192.168.40.1        | 255.255.255.0 (/24)   | Software Dev Gateway VLAN 40
PC-ENG-1 / PC-ENG-2 | NIC       | 192.168.10.10 / .20 | 255.255.255.0 (/24)   | Engineering endpoints VLAN 10
PC-SALES-1 / -2     | NIC       | 192.168.20.10 / .20 | 255.255.255.0 (/24)   | Sales endpoints VLAN 20
PC-MGMT-1 / -2      | NIC       | 192.168.30.10 / .20 | 255.255.255.0 (/24)   | Management endpoints VLAN 30
PC-DEV-1 / -2       | NIC       | 192.168.40.10 / .20 | 255.255.255.0 (/24)   | Dev endpoints VLAN 40
SW1                 | Gi0/1     | n/a                 | n/a                   | 802.1Q Trunk to R1
R2                  | Gi0/0     | 10.1.2.2            | 255.255.255.252 (/30) | ABR — Area 1 side (link to R1)
R2                  | Gi0/1     | 10.2.3.1            | 255.255.255.252 (/30) | ABR — Area 0 side (link to R3)
R3                  | Gi0/0     | 10.2.3.2            | 255.255.255.252 (/30) | Link to R2 — Area 0
R3                  | Gi0/1     | 10.3.4.1            | 255.255.255.252 (/30) | Link to R4 — Area 2
R3                  | Gi0/2     | 172.16.100.1        | 255.255.255.0 (/24)   | Gateway to Central Server — Area 0 ★ ACL applied here
Server              | NIC       | 172.16.100.10       | 255.255.255.0 (/24)   | Central Application Server
R4                  | Gi0/0     | 10.3.4.2            | 255.255.255.252 (/30) | Link to R3 — Area 2
R4                  | Gi0/1     | 192.168.99.1        | 255.255.255.0 (/24)   | IT Department Gateway — Area 2 (VLAN 99)
PC-IT-1 / -2        | NIC       | 192.168.99.10 / .20 | 255.255.255.0 (/24)   | IT endpoints VLAN 99
SW2                 | Gi0/1     | n/a                 | n/a                   | Access link to R4 — VLAN 99

Task 1 — R1 & SW1: VLANs, Trunk & PC Assignments

Create VLANs on SW1, configure the trunk to R1, set access ports for all 8 corporate PCs (2 per VLAN), then bring up Router-on-a-Stick subinterfaces on R1.

SW1(config)# vlan 10
SW1(config-vlan)# name Engineering
SW1(config-vlan)# vlan 20
SW1(config-vlan)# name Sales
SW1(config-vlan)# vlan 30
SW1(config-vlan)# name Management
SW1(config-vlan)# vlan 40
SW1(config-vlan)# name Software_Developers
SW1(config-vlan)# exit

! --- Trunk to R1 ---
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20,30,40
SW1(config-if)# exit

! --- Engineering PCs: Fa0/1 and Fa0/2 ---
SW1(config)# interface range FastEthernet0/1 - 2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# exit

! --- Sales PCs: Fa0/3 and Fa0/4 ---
SW1(config)# interface range FastEthernet0/3 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 20
SW1(config-if-range)# exit

! --- Management PCs: Fa0/5 and Fa0/6 ---
SW1(config)# interface range FastEthernet0/5 - 6
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 30
SW1(config-if-range)# exit

! --- Dev PCs: Fa0/7 and Fa0/8 ---
SW1(config)# interface range FastEthernet0/7 - 8
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 40
SW1(config-if-range)# exit

! R1 — Router-on-a-Stick subinterfaces (parent interface must be up; subinterfaces inherit its state)
R1(config)# interface GigabitEthernet0/1
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface GigabitEthernet0/1.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface GigabitEthernet0/1.30
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 192.168.30.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface GigabitEthernet0/1.40
R1(config-subif)# encapsulation dot1Q 40
R1(config-subif)# ip address 192.168.40.1 255.255.255.0

Task 2 — Backbone Links IP Configuration

Assign point-to-point /30 subnets on all inter-router links and the /24 server gateway on R3.

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 10.1.2.1 255.255.255.252
R1(config-if)# no shutdown

R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address 10.1.2.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip address 10.2.3.1 255.255.255.252
R2(config-if)# no shutdown

R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip address 10.2.3.2 255.255.255.252
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface GigabitEthernet0/1
R3(config-if)# ip address 10.3.4.1 255.255.255.252
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface GigabitEthernet0/2
R3(config-if)# ip address 172.16.100.1 255.255.255.0
R3(config-if)# no shutdown

Task 3 — R4 & SW2: IT Department

Configure VLAN 99 on SW2, assign both IT PCs to access ports, and bring up R4's interfaces.

SW2(config)# vlan 99
SW2(config-vlan)# name IT_Department
SW2(config-vlan)# exit

! --- IT PC-1: Fa0/1 ---
SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 99
SW2(config-if)# exit

! --- IT PC-2: Fa0/2 ---
SW2(config)# interface FastEthernet0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 99
SW2(config-if)# exit

! --- Uplink to R4 (access mode, VLAN 99) ---
SW2(config)# interface GigabitEthernet0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 99

R4(config)# interface GigabitEthernet0/0
R4(config-if)# ip address 10.3.4.2 255.255.255.252
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)# interface GigabitEthernet0/1
R4(config-if)# ip address 192.168.99.1 255.255.255.0
R4(config-if)# no shutdown

Task 4 — Multi-Area OSPF Deployment

Advertise all networks end-to-end. R2 is ABR for Area 1↔0; R3 is ABR for Area 0↔2.

R1(config)# router ospf 1
R1(config-router)# network 10.1.2.0 0.0.0.3 area 1
R1(config-router)# network 192.168.10.0 0.0.0.255 area 1
R1(config-router)# network 192.168.20.0 0.0.0.255 area 1
R1(config-router)# network 192.168.30.0 0.0.0.255 area 1
R1(config-router)# network 192.168.40.0 0.0.0.255 area 1

R2(config)# router ospf 1
R2(config-router)# network 10.1.2.0 0.0.0.3 area 1
R2(config-router)# network 10.2.3.0 0.0.0.3 area 0

R3(config)# router ospf 1
R3(config-router)# network 10.2.3.0 0.0.0.3 area 0
R3(config-router)# network 172.16.100.0 0.0.0.255 area 0
R3(config-router)# network 10.3.4.0 0.0.0.3 area 2

R4(config)# router ospf 1
R4(config-router)# network 10.3.4.0 0.0.0.3 area 2
R4(config-router)# network 192.168.99.0 0.0.0.255 area 2
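
To check the Task 4 design before typing it in, here is an added Python model (not part of the lab or of any Cisco tool) that applies each router's network statements to its interface addresses from Tasks 2 and 3: it converts each wildcard to a prefix length, picks the most specific matching statement per interface, reports which routers end up as ABRs, and flags any /30 link whose two ends land in different areas. The interface and statement data are constructed from the tables above.

```python
import ipaddress

# Constructed from the page's interface addresses (Tasks 2/3) and the Task 4
# network statements as (network, wildcard, area). Example data, not device output.
INTERFACES = {
    "R1": {"Gi0/0": "10.1.2.1/30", "Gi0/1.10": "192.168.10.1/24", "Gi0/1.20": "192.168.20.1/24",
           "Gi0/1.30": "192.168.30.1/24", "Gi0/1.40": "192.168.40.1/24"},
    "R2": {"Gi0/0": "10.1.2.2/30", "Gi0/1": "10.2.3.1/30"},
    "R3": {"Gi0/0": "10.2.3.2/30", "Gi0/1": "10.3.4.1/30", "Gi0/2": "172.16.100.1/24"},
    "R4": {"Gi0/0": "10.3.4.2/30", "Gi0/1": "192.168.99.1/24"},
}
NETWORK_STATEMENTS = {
    "R1": [("10.1.2.0", "0.0.0.3", 1), ("192.168.10.0", "0.0.0.255", 1), ("192.168.20.0", "0.0.0.255", 1),
           ("192.168.30.0", "0.0.0.255", 1), ("192.168.40.0", "0.0.0.255", 1)],
    "R2": [("10.1.2.0", "0.0.0.3", 1), ("10.2.3.0", "0.0.0.3", 0)],
    "R3": [("10.2.3.0", "0.0.0.3", 0), ("172.16.100.0", "0.0.0.255", 0), ("10.3.4.0", "0.0.0.3", 2)],
    "R4": [("10.3.4.0", "0.0.0.3", 2), ("192.168.99.0", "0.0.0.255", 2)],
}

def statement_to_network(network, wildcard):
    """A contiguous wildcard is the inverted subnet mask: 0.0.0.3 -> /30, 0.0.0.255 -> /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    assert wc & (wc + 1) == 0, f"non-contiguous wildcard {wildcard}"
    return ipaddress.ip_network(f"{network}/{32 - bin(wc).count('1')}")

def interface_areas(router):
    """Area per interface via the most specific matching statement (the IOS rule);
    None means no statement covers the interface, so OSPF is not enabled on it."""
    areas = {}
    for ifname, cidr in INTERFACES[router].items():
        addr = ipaddress.ip_interface(cidr).ip
        matches = [(statement_to_network(n, w), a) for n, w, a in NETWORK_STATEMENTS[router]]
        matches = [(net, a) for net, a in matches if addr in net]
        areas[ifname] = max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None
    return areas

def abrs():
    """Area Border Routers: any router with interfaces in more than one area."""
    return {r for r in INTERFACES if len(set(interface_areas(r).values())) > 1}

def link_area_mismatches():
    """Both ends of a /30 link must be in the same area or no adjacency forms."""
    per_link = {}
    for r in INTERFACES:
        areas = interface_areas(r)
        for ifname, cidr in INTERFACES[r].items():
            net = ipaddress.ip_interface(cidr).network
            if net.prefixlen == 30:
                per_link.setdefault(net, set()).add(areas[ifname])
    return sorted(str(net) for net, a in per_link.items() if len(a) != 1)
```

With the page's data the model reports R2 and R3 as the only ABRs, every interface covered by a statement, and no link with mismatched areas.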

Task 5 — Standard ACL: Server Access Policy

Standard ACL Limitation to Understand

Standard ACLs match source IP only — they cannot filter by destination, protocol, or port. This means we can no longer selectively allow SMB (TCP 445) while blocking ICMP from the same subnet. The policy becomes binary per source: either the source subnet is allowed everything, or it is denied everything to the server. Place Standard ACLs as close to the destination as possible.

The ACL is named SERVER_ACCESS and applied outbound on R3 Gi0/2 — the interface facing the server. This ensures traffic is evaluated just before it reaches 172.16.100.0/24.

Policy logic: the IT subnet (192.168.99.0/24) is explicitly permitted full access. All four corporate department subnets (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24) are explicitly denied. The implicit deny-all at the end of every ACL catches anything else.

R3(config)# ip access-list standard SERVER_ACCESS
R3(config-std-nacl)# remark --- PERMIT: IT Department unrestricted access ---
R3(config-std-nacl)# permit 192.168.99.0 0.0.0.255
R3(config-std-nacl)# remark --- DENY: Engineering department ---
R3(config-std-nacl)# deny 192.168.10.0 0.0.0.255
R3(config-std-nacl)# remark --- DENY: Sales department ---
R3(config-std-nacl)# deny 192.168.20.0 0.0.0.255
R3(config-std-nacl)# remark --- DENY: Management department ---
R3(config-std-nacl)# deny 192.168.30.0 0.0.0.255
R3(config-std-nacl)# remark --- DENY: Software Dev department ---
R3(config-std-nacl)# deny 192.168.40.0 0.0.0.255
R3(config-std-nacl)# remark --- Implicit deny all (shown explicitly for clarity) ---
R3(config-std-nacl)# deny any
R3(config-std-nacl)# exit

! Apply outbound on Gi0/2 — closest to the destination (best-practice for Standard ACL)
R3(config)# interface GigabitEthernet0/2
R3(config-if)# ip access-group SERVER_ACCESS out

Why deny each subnet explicitly?

While the implicit deny any would catch all corporate subnets anyway, explicitly listing each deny statement is recommended for clarity, auditability, and to confirm exactly which sources are blocked when reviewing show ip access-lists hit counters in production.
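
As an added illustration (not part of the lab), the following Python model evaluates SERVER_ACCESS the way a standard ACL does: top-down, first match wins, source address only, with per-line hit counters like those in show ip access-lists. The packet list is constructed; protocol and port are included only to show that they never affect the verdict.

```python
import ipaddress

# Constructed model of the page's SERVER_ACCESS ACL as (action, network, wildcard)
# in configured order. IOS numbers named-ACL lines 10, 20, 30, ... by default.
SERVER_ACCESS = [
    ("permit", "192.168.99.0", "0.0.0.255"),        # IT Department
    ("deny",   "192.168.10.0", "0.0.0.255"),        # Engineering
    ("deny",   "192.168.20.0", "0.0.0.255"),        # Sales
    ("deny",   "192.168.30.0", "0.0.0.255"),        # Management
    ("deny",   "192.168.40.0", "0.0.0.255"),        # Software Dev
    ("deny",   "0.0.0.0",      "255.255.255.255"),  # deny any
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must equal the network bit, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)

def evaluate(acl, src):
    """Top-down, first match wins; returns (action, sequence). Sequence 0 stands for
    the implicit deny every ACL ends with, reached only when no line matched."""
    for seq, (action, network, wildcard) in zip(range(10, 10 * len(acl) + 1, 10), acl):
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", 0

def simulate(acl, packets):
    """Run constructed packets (src, proto, dport) through the ACL. A standard ACL
    consults src only; proto and dport are carried along but never change the verdict.
    Returns the verdicts and per-line hit counts, like 'show ip access-lists'."""
    hits = {seq: 0 for seq in range(10, 10 * len(acl) + 1, 10)}
    hits[0] = 0
    verdicts = []
    for src, proto, dport in packets:
        action, seq = evaluate(acl, src)
        hits[seq] += 1
        verdicts.append((src, proto, dport, action))
    return verdicts, hits

# Constructed traffic toward the server 172.16.100.10, leaving R3 Gi0/2.
PACKETS = [
    ("192.168.99.10", "tcp", 445),    # IT PC, SMB          -> permit, line 10
    ("192.168.10.10", "tcp", 445),    # Engineering, SMB    -> deny, line 20
    ("192.168.10.10", "icmp", None),  # Engineering, ping   -> deny, line 20 (same line: no protocol awareness)
    ("192.168.40.20", "icmp", None),  # Dev PC, ping        -> deny, line 50
    ("10.2.3.1",      "icmp", None),  # R2 backbone address -> deny, line 60 (deny any)
]
```

Note that an outbound ACL on IOS does not filter packets the router itself originates, so a plain ping from R3 to 172.16.100.10 succeeds regardless of this list; the Task 6 pings sourced from R1 and R4 are transit traffic through R3 and are filtered.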

Task 6 — Output Verification

Confirm OSPF inter-area convergence, verify ACL hit counters, and test reachability from both IT and corporate endpoints.

! Confirm OSPF routes are learned across all areas
R2# show ip route ospf
R3# show ip ospf neighbor

! Verify ACL entries and hit counters
R3# show ip access-lists SERVER_ACCESS

! IT subnet (sourced from R4's VLAN 99 gateway address) — should reach the server
R4# ping 172.16.100.10 source 192.168.99.1     ! Expected: !!!!! (Success)

! Engineering subnet (sourced from R1's VLAN 10 gateway address) — should be denied
R1# ping 172.16.100.10 source 192.168.10.1     ! Expected: UUUUU (Administratively Prohibited)

! Sales subnet (sourced from R1's VLAN 20 gateway address) — should be denied
R1# ping 172.16.100.10 source 192.168.20.1     ! Expected: UUUUU (Administratively Prohibited)

! Confirm ACL is applied correctly on R3 Gi0/2
R3# show ip interface GigabitEthernet0/2