Objective
Build a four-router topology (R1, R2, R3, R4) running Multi-Area OSPF. R1 serves four corporate department VLANs (Engineering, Sales, Management, Development) through a Router-on-a-Stick link to SW1. R4 connects through SW2 to the IT Department only. R3 hosts the centralized Application Server. Harden the topology with an Extended ACL that gives the IT Department unrestricted access to the server while limiting the other departments to Server Message Block (SMB, TCP 445) traffic and blocking their standard pings (ICMP echo) to it.
Lab Topology
| Device | Interface | IP Address | Subnet Mask | Description |
|---|---|---|---|---|
| R1 | Gi0/0 | 10.1.2.1 | 255.255.255.252 (/30) | Link to R2 (OSPF Area 1) |
| R1 | Gi0/1.10 | 192.168.10.1 | 255.255.255.0 | Engineering Gateway |
| R1 | Gi0/1.20 | 192.168.20.1 | 255.255.255.0 | Sales Gateway |
| R1 | Gi0/1.30 | 192.168.30.1 | 255.255.255.0 | Management Gateway |
| R1 | Gi0/1.40 | 192.168.40.1 | 255.255.255.0 | Software Dev Gateway |
| SW1 | Gi0/1 | - | - | 802.1Q Trunk to R1 |
| R2 | Gi0/0 | 10.1.2.2 | 255.255.255.252 (/30) | Link to R1 (OSPF Area 1) |
| R2 | Gi0/1 | 10.2.3.1 | 255.255.255.252 (/30) | Link to R3 (OSPF Area 0) |
| R3 | Gi0/0 | 10.2.3.2 | 255.255.255.252 (/30) | Link to R2 (OSPF Area 0) |
| R3 | Gi0/1 | 10.3.4.1 | 255.255.255.252 (/30) | Link to R4 (OSPF Area 2) |
| R3 | Gi0/2 | 172.16.100.1 | 255.255.255.0 | Gateway to Central Server (OSPF Area 0) |
| Server | NIC | 172.16.100.10 | 255.255.255.0 | Central Application Server |
| R4 | Gi0/0 | 10.3.4.2 | 255.255.255.252 (/30) | Link to R3 (OSPF Area 2) |
| R4 | Gi0/1 | 192.168.99.1 | 255.255.255.0 | IT Department Gateway |
| SW2 | Gi0/1 | - | - | Access/Trunk Link to R4 |
Task 1 - R1 & SW1: Base VLANs & Routing
Establish the trunk link, provision VLANs on SW1, and define Router-On-A-Stick subinterfaces on R1.
SW1(config)# vlan 10
SW1(config-vlan)# name Engineering
SW1(config-vlan)# vlan 20
SW1(config-vlan)# name Sales
SW1(config-vlan)# vlan 30
SW1(config-vlan)# name Management
SW1(config-vlan)# vlan 40
SW1(config-vlan)# name Software_Developers
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk

R1(config)# interface gigabitEthernet 0/1
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gigabitEthernet 0/1.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gigabitEthernet 0/1.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gigabitEthernet 0/1.30
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 192.168.30.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gigabitEthernet 0/1.40
R1(config-subif)# encapsulation dot1Q 40
R1(config-subif)# ip address 192.168.40.1 255.255.255.0
Task 2 - Backbone Links IP Configuration
Assign point-to-point /30 subnets to the router links (R1-R2, R2-R3, R3-R4) and the /24 server gateway on R3.
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 10.1.2.1 255.255.255.252
R1(config-if)# no shutdown

R2(config)# interface gigabitEthernet 0/0
R2(config-if)# ip address 10.1.2.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip address 10.2.3.1 255.255.255.252
R2(config-if)# no shutdown

R3(config)# interface gigabitEthernet 0/0
R3(config-if)# ip address 10.2.3.2 255.255.255.252
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface gigabitEthernet 0/1
R3(config-if)# ip address 10.3.4.1 255.255.255.252
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface gigabitEthernet 0/2
R3(config-if)# ip address 172.16.100.1 255.255.255.0
R3(config-if)# no shutdown
Task 3 - R4 & SW2: IT Department Allocation
Configure the IT Department VLAN (99) and access ports on SW2, and the LAN gateway plus the R3-facing link on R4. The server ACL in Task 5 leaves this network's traffic unrestricted.
SW2(config)# vlan 99
SW2(config-vlan)# name IT_Department
SW2(config-vlan)# exit
SW2(config)# interface fastEthernet 0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 99
SW2(config-if)# exit
SW2(config)# interface gigabitEthernet 0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 99

R4(config)# interface gigabitEthernet 0/0
R4(config-if)# ip address 10.3.4.2 255.255.255.252
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)# interface gigabitEthernet 0/1
R4(config-if)# ip address 192.168.99.1 255.255.255.0
R4(config-if)# no shutdown
Task 4 - Multi-Area OSPF Deployment
Provide end-to-end reachability between all endpoints. R1 sits entirely in Area 1; R2 is the ABR between Area 1 and Area 0; R3 is the ABR between Area 0 and Area 2; R4 sits entirely in Area 2.
R1(config)# router ospf 1
R1(config-router)# network 10.1.2.0 0.0.0.3 area 1
R1(config-router)# network 192.168.10.0 0.0.0.255 area 1
R1(config-router)# network 192.168.20.0 0.0.0.255 area 1
R1(config-router)# network 192.168.30.0 0.0.0.255 area 1
R1(config-router)# network 192.168.40.0 0.0.0.255 area 1

R2(config)# router ospf 1
R2(config-router)# network 10.1.2.0 0.0.0.3 area 1
R2(config-router)# network 10.2.3.0 0.0.0.3 area 0

R3(config)# router ospf 1
R3(config-router)# network 10.2.3.0 0.0.0.3 area 0
R3(config-router)# network 172.16.100.0 0.0.0.255 area 0
R3(config-router)# network 10.3.4.0 0.0.0.3 area 2

R4(config)# router ospf 1
R4(config-router)# network 10.3.4.0 0.0.0.3 area 2
R4(config-router)# network 192.168.99.0 0.0.0.255 area 2
Task 5 - Critical Network Security (ACL Filters)
Block pings (ICMP echo) to the server from the office departments while allowing their SMB share transfers (TCP 445), and give the IT Department network full access. The ACL is applied outbound on R3 Gi0/2, the server-facing interface, so every path to the server crosses it regardless of the originating area.
R3(config)# ip access-list extended SERVER_POLICIES
R3(config-ext-nacl)# remark --- IT Network (192.168.99.0/24) Unrestricted Access ---
R3(config-ext-nacl)# permit ip 192.168.99.0 0.0.0.255 host 172.16.100.10
R3(config-ext-nacl)# remark --- Regular Corp Departments (192.168.10.x - 40.x) SMB Transfer Access ---
R3(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 host 172.16.100.10 eq 445
R3(config-ext-nacl)# remark --- Block Standard Pinging to the Secure Asset Database ---
R3(config-ext-nacl)# deny icmp 192.168.0.0 0.0.255.255 host 172.16.100.10 echo
R3(config-ext-nacl)# remark --- Inherently allow any generic web traffic through ---
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)# exit
R3(config)# interface gigabitEthernet 0/2
R3(config-if)# ip access-group SERVER_POLICIES out
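To check how R3 will treat specific flows before relying on the Task 6 pings, here is an added Python model of the ACL's first-match evaluation (example code written for this page, not IOS output and not part of the lab). The entries mirror SERVER_POLICIES as configured above; the sample flows and host addresses are constructed, and the wildcard parsing assumes contiguous wildcards as used here.

```python
import ipaddress

def ios_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network. ipaddress parses a
    zero-leading dotted mask as a hostmask, so a contiguous wildcard works
    directly; 'host' (0.0.0.0) and 'any' (255.255.255.255) need special cases."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    if wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{wildcard}")

SERVER = ios_network("172.16.100.10", "0.0.0.0")
ANY = ios_network("0.0.0.0", "255.255.255.255")

# Constructed model of SERVER_POLICIES as entered on R3 (outbound on Gi0/2).
# Fields: seq, action, protocol, source, destination, tcp port, icmp type.
SERVER_POLICIES = [
    (10, "permit", "ip",   ios_network("192.168.99.0", "0.0.0.255"), SERVER, None, None),
    (20, "permit", "tcp",  ios_network("192.168.0.0", "0.0.255.255"), SERVER, 445, None),
    (30, "deny",   "icmp", ios_network("192.168.0.0", "0.0.255.255"), SERVER, None, "echo"),
    (40, "permit", "ip",   ANY, ANY, None, None),
]

def evaluate(acl, src, dst, proto, dport=None, icmp_type=None):
    """First matching entry wins, as on IOS; no match falls to the implicit deny.
    'ip' matches every protocol; an entry without a port or type matches any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, e_proto, e_src, e_dst, e_port, e_icmp in acl:
        if e_proto not in ("ip", proto) or s not in e_src or d not in e_dst:
            continue
        if e_port is not None and dport != e_port:
            continue
        if e_icmp is not None and icmp_type != e_icmp:
            continue
        return action, seq
    return "deny", "implicit"

# Constructed sample flows arriving at R3 Gi0/2 on their way to the server.
SAMPLE_FLOWS = [
    ("192.168.99.25", "172.16.100.10", "icmp", None, "echo"),  # IT ping
    ("192.168.10.50", "172.16.100.10", "tcp",  445,  None),    # Engineering SMB
    ("192.168.10.50", "172.16.100.10", "icmp", None, "echo"),  # Engineering ping
    ("192.168.20.7",  "172.16.100.10", "tcp",  80,   None),    # Sales HTTP
]

def audit(acl=SERVER_POLICIES, flows=SAMPLE_FLOWS):
    """Map each sample flow to the (action, sequence) that handles it."""
    return {flow: evaluate(acl, *flow) for flow in flows}
```

audit() reports the Sales HTTP flow as permitted by sequence 40, since the closing permit ip any any admits any department traffic that is neither SMB nor an echo request; keep that in mind when reading the objective's "SMB only" wording.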
Task 6 - Output Verification
Confirm inter-area route propagation with show ip route, check the OSPF adjacencies and ACL hit counters on R3, then verify that a ping to the server from the IT network succeeds while a ping sourced from an end-node subnet behind R1 is blocked.
R2# show ip route ospf
R3# show ip ospf neighbor
R3# show ip access-lists SERVER_POLICIES
R4# ping 172.16.100.10 source 192.168.99.1
! (Successful)
R1# ping 172.16.100.10 source 192.168.10.1
! (Denied / Administratively Prohibited)