Design and Implementation of a Secure, Scalable Network Infrastructure for a Medium-Sized IT Enterprise

Part I – Networking & Administration

1. Introduction

1.1. Project Background

1.2. Educational Objectives

1.3. Technical Objectives of the Network

1.4. Methodology

2. Needs Analysis

2.1. Company Overview

2.2. User and Equipment Distribution

3. Network Design

3.1. Overview

3.2. Hierarchical Architecture (Core, Access Layers, etc.)

3.3. Implementation

  • 3.3.1. Introduction

  • 3.3.2. Cisco Packet Tracer Simulation Tool

  • 3.3.3. Logical Network Diagram (Topology)

3.4. IP Addressing Plan (CIDR/VLSM)

3.5. VLAN Assignment by Department

3.6. Wi-Fi and WLC: SSID and VLAN Mapping

3.7. Inter-VLAN Routing and NAT/PAT

4. Deployment and Configuration

4.1. Device Configuration via CLI (Routers, Switches, VTP, EtherChannel, STP, Routing, HSRP)

4.2. Centralized DHCP for VLANs

4.3. Server Configuration (FTP, Mail)

4.4. Access Management (SSH, Telnet, HTTP/HTTPS)

4.5. QoS Prioritization (VoIP, Executive Traffic)

Part II – Security

5. Network Security Measures

5.1. Access Layer Security (Port Security, STP, BPDU Guard, etc.)

5.2. Traffic Control using ACLs

5.3. Service Security (AAA, RADIUS)

5.4. Monitoring and Detection (Syslog, SNMP, NTP)

6. Testing and Validation

6.1. Connectivity Tests (Ping, Traceroute, DNS)

6.2. Internet Access Tests (via NAT)

6.3. Access Tests to Internal and External Servers

6.4. Security Tests (Restricted Access, Port Security, DHCP Spoofing)

7. Conclusion


Introduction

In a context where information systems play a central role in business operations, the design and security of network infrastructures have become essential skills.

The rapid advancement of information technologies has led to increasingly complex network architectures. Their management, performance, and security are critical to how organizations function.

This project is part of the Advanced Networking and Security training program. It aims to apply technical skills in designing, configuring, securing, and administering a professional computer network.

The exercise covers both theory and practice—from initial planning to simulated implementation.


1.1 Project Context

The goal is to design a network for a small to medium-sized IT company with around 100 employees across five floors.

The company needs a hierarchical and secure infrastructure to support departments like:

  • Human Resources

  • Finance

  • Development

  • Technical Support

Tasks assigned include:

  • Designing a logical network topology

  • Creating an IP addressing plan

  • Segmenting the network into departmental VLANs

  • Configuring network equipment (switches, routers, firewalls)

  • Deploying and managing services (DNS, DHCP, Web, LDAP)

  • Implementing strong security (firewalls, ACLs, SSL, monitoring)

Completing this project not only validates the technical knowledge acquired throughout the training but also addresses a realistic requirement for a secure and efficient network in a modern business environment.

1.2 Educational Objectives

This project strengthens students’ theoretical and practical knowledge in designing, configuring, securing, and managing professional computer networks.
Students apply multidisciplinary skills through a real-world case study.

  • Deepen understanding of hierarchical network design for a multi-department SME

  • Implement key network protocols and services (DHCP, DNS, HTTP, LDAP, FTP, Samba) in Linux

  • Apply VLANs and IP subnetting to boost performance and security

  • Configure and manage switches and routers in Cisco Packet Tracer

  • Reinforce cybersecurity skills with ACLs, SSL/TLS, firewalls, and monitoring tools

  • Develop analytical and problem-solving abilities for network incidents

  • Promote teamwork and project management through full deliverables (documentation, presentation, video)


1.3 Technical Objectives of the Network

Design, simulate, configure, and secure a network that meets a modern SME’s needs.

  • Build a hierarchical architecture (Core, Distribution, Access) for 100 employees over five floors

  • Create an IP addressing plan with VLSM for efficient use of addresses

  • Segment the network with VLANs by department (HR, Finance, IT, Support, Management)

  • Configure inter-VLAN switching and routing on multilayer switches or routers

  • Deploy essential services

    • DHCP for dynamic IPs

    • DNS for name resolution

    • Apache for internal or external web pages

    • LDAP for centralized authentication

    • Samba/FTP for file sharing

    • SSL/TLS to encrypt traffic

  • Implement security measures

    • ACLs for traffic filtering

    • Firewall rules

    • SSL on critical services

    • Secured admin access (SSH, strong passwords, local firewalls)

  • Set up monitoring (Nagios, Zabbix, or SNMP) to track devices and links

  • Validate the full design in Cisco Packet Tracer


1.4 Methodology

A structured, project-management approach guided each phase.

  1. Needs Analysis and Scope

    • Understand context and goals

    • Identify constraints, user count, required services, security policies

    • Draft initial specifications

  2. Network Architecture Design

    • Define logical and physical topology

    • Plan IP addressing (VLSM)

    • Design VLAN segmentation by department

  3. Simulation and Configuration (Packet Tracer)

    • Build the topology

    • Configure switches, routers, APs

    • Implement routing, DHCP, DNS, ACLs, and more

  4. Service Deployment and Administration

    • Deploy services (FTP, SSL)

    • Configure firewalls, users, permissions, certificates

  5. Network Security Implementation

    • Apply ACLs, segmentation, SSL

    • Secure remote access (SSH, strong passwords)

    • Monitor traffic and set up supervision tools

  6. Testing, Validation, Documentation

    • Verify network and service operation

    • Run security, connectivity, and performance tests

    • Produce detailed documentation, final report, presentation, video


2. Needs Analysis

2.1 Company Description

The simulated SME operates in information technology, focusing on software development, technical support, cybersecurity, and data management.
It hosts 100 employees across five floors.

Departments and needs:

  • Executive Management (4th floor)

    • Strategic oversight and decision-making

    • Requires restricted access and secure communication

  • HR and Finance (3rd floor)

    • Personnel records, payroll, recruitment, accounting

    • High confidentiality requirements

  • Development (2nd floor)

    • Software projects for internal and client work

    • Needs file sharing and access to Git servers

  • Sales & Marketing (1st floor)

    • Service promotion, client management, business growth

    • Access to CRM tools and external platforms

  • IT and Network Services (Ground floor)

    • Infrastructure, servers, security, internal support

    • Elevated system privileges

Each floor functions as a separate VLAN or subnet to ensure segmentation and tailored security.
An in-house data center hosts Web, DNS, DHCP, and FTP servers with secure Internet connectivity.

This structure demands a modular, secure, scalable, and manageable network that preserves data confidentiality, integrity, and availability.

2.2 User and Equipment Distribution

As part of the network design, the distribution of users and equipment was determined based on the company’s internal structure. Each department is located on a specific floor and has its own unique requirements in terms of connectivity, network services, and security.

The distribution is as follows:

Each floor hosts a specific department with tailored devices and network requirements.

Floor | Department / Service         | Number of Users | Main Equipment
4     | Executive Management         | 5               | 5 PCs, 1 network printer, 1 IP phone, secure server access
3     | Human Resources / Finance    | 20              | 20 PCs, 1 file server, 2 printers, 2 IP phones
2     | IT Development               | 35              | 35 high-performance PCs, 1 internal Git server, 1 local switch, printers, IP phones
1     | Technical Support / Helpdesk | 20              | 20 PCs, ticketing system, 1 monitoring server, 2 IP phones
0     | IT / Network Department      | 20              | 20 admin PCs, 4 servers (DHCP, DNS, LDAP, Web), 1 UPS, 1 patch panel

3. Network Design

3.1 Introduction

Designing a standard network architecture is critical for ensuring speed and stability.
Poor design leads to unforeseen issues that affect performance.
Network design requires a detailed, careful process.

This chapter outlines the design process for a typical configuration model.


3.3 Implementation

3.3.1 Introduction

This section covers configuring the standard model using Cisco Packet Tracer.
It also includes testing and validation of the setup.

3.3.2 Presentation of the Simulator "Cisco Packet Tracer"

Cisco Packet Tracer is a simulation tool that lets students explore network behavior.
It supports simulation, visualization, creation, evaluation, and collaboration.
The tool helps teach and learn complex networking technologies.

3.3.3 Logical Diagram (Topology)

3.4 IP Addressing Plan (CIDR/VLSM)

The list shown in the table below presents the VLANs, the IP addresses used, and the addressing between two routers:

VLAN        | Department  | Needed Hosts | Subnet Size | Subnet Address   | VRRP IP | Physical IPs | Usable IP Range
10          | IT          | 50           | /26 (64)    | 192.168.1.0/26   | .1      | .2, .3       | 192.168.1.1 – 192.168.1.62
20          | Marketing   | 20           | /27 (32)    | 192.168.1.64/27  | .65     | .66, .67     | 192.168.1.65 – 192.168.1.94
30          | Responsible | 15           | /27 (32)    | 192.168.1.96/27  | .97     | .98, .99     | 192.168.1.97 – 192.168.1.126
40          | Finance     | 5            | /28 (16)    | 192.168.1.128/28 | .129    | .130, .131   | 192.168.1.129 – 192.168.1.142
50          | HR          | 5            | /28 (16)    | 192.168.1.144/28 | .145    | .146, .147   | 192.168.1.145 – 192.168.1.158
60          | Sales       | 5            | /28 (16)    | 192.168.1.160/28 | .161    | .162, .163   | 192.168.1.161 – 192.168.1.174
70          | Voice VLAN  | 8 phones     | /28 (16)    | 192.168.1.176/28 | .177    | .178, .179   | 192.168.1.177 – 192.168.1.190
80          | Server VLAN | 14 servers   | /28 (16)    | 192.168.1.192/28 | .193    | .194, .195   | 192.168.1.193 – 192.168.1.206
P2P Link #1 | –           | 2            | /30 (4)     | 192.168.1.208/30 | –       | .209, .210   | 192.168.1.209 – 192.168.1.210
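The following Python script is an added example and not part of the original report. It recomputes the VLSM plan from the host counts in the table above, counting three gateway addresses per VLAN (the VRRP virtual IP plus the two physical core-switch IPs, exactly as the table reserves .1, .2 and .3 in VLAN 10), checks every row of the table for spare capacity, and then carves the 192.168.1.0/24 block largest-first, which is the general VLSM procedure of which the table is one instance. Only the host counts and subnets are taken from the table; the code and its layout of the plan are the editor's. Run on the table's own numbers, the capacity check shows that VLAN 80 (14 servers plus three gateway addresses) does not fit in a /28, which has 14 usable addresses, and needs a /27.

```python
import ipaddress

# Host counts from the section 3.4 table. Each departmental VLAN also needs
# three gateway addresses (VRRP virtual IP + two physical core-switch IPs);
# the router-to-router link needs none.
REQUIREMENTS = [
    # (label, description, hosts, gateway addresses)
    (10, "IT", 50, 3),
    (20, "Marketing", 20, 3),
    (30, "Responsible", 15, 3),
    (40, "Finance", 5, 3),
    (50, "HR", 5, 3),
    (60, "Sales", 5, 3),
    (70, "Voice VLAN", 8, 3),
    (80, "Server VLAN", 14, 3),
    ("P2P", "Link #1", 2, 0),
]

# Subnets exactly as the table allocates them, used for cross-checking.
TABLE_SUBNETS = {
    10: "192.168.1.0/26", 20: "192.168.1.64/27", 30: "192.168.1.96/27",
    40: "192.168.1.128/28", 50: "192.168.1.144/28", 60: "192.168.1.160/28",
    70: "192.168.1.176/28", 80: "192.168.1.192/28", "P2P": "192.168.1.208/30",
}


def usable(prefix):
    """Usable host addresses in an IPv4 block (network and broadcast removed)."""
    return 2 ** (32 - prefix) - 2


def prefix_for(hosts, gateways=3):
    """Longest prefix (smallest block) that still fits hosts + gateway addresses."""
    needed = hosts + gateways
    for prefix in range(30, 0, -1):
        if usable(prefix) >= needed:
            return prefix
    raise ValueError(f"{needed} addresses do not fit in one IPv4 network")


def check_table(requirements, table):
    """Spare addresses per row of the existing plan; negative means the block is too small."""
    spare = {}
    for label, _, hosts, gateways in requirements:
        net = ipaddress.ip_network(table[label])
        spare[label] = usable(net.prefixlen) - (hosts + gateways)
    return spare


def allocate(base, requirements):
    """VLSM allocation: largest blocks first, so every block starts on its own boundary."""
    pool = ipaddress.ip_network(base)
    ordered = sorted(requirements, key=lambda r: prefix_for(r[2], r[3]))
    cursor = int(pool.network_address)
    plan = []
    for label, description, hosts, gateways in ordered:
        prefix = prefix_for(hosts, gateways)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to the next block boundary
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if not net.subnet_of(pool):
            raise ValueError(f"{pool} is exhausted before {label}")
        addrs = list(net.hosts())
        plan.append({
            "label": label,
            "description": description,
            "subnet": str(net),
            "gateways": [str(a) for a in addrs[:gateways]],   # VRRP IP, then physical IPs
            "usable": (str(addrs[0]), str(addrs[-1])),
            "spare": len(addrs) - hosts - gateways,
        })
        cursor += size
    return plan


if __name__ == "__main__":
    for label, spare in check_table(REQUIREMENTS, TABLE_SUBNETS).items():
        print(f"VLAN {label}: {'OK' if spare >= 0 else 'TOO SMALL'} (spare {spare})")
    for row in allocate("192.168.1.0/24", REQUIREMENTS):
        print(row)
```

Because the recomputed plan gives the server VLAN a /27, the blocks that follow it shift relative to the table; the point of the check is to catch that before the addressing plan is pasted into DHCP pools and ACLs, where an undersized server block is hard to grow later.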

3.5. VLAN Assignment by Department

The list of VLANs and the addressing plan are key points for the successful implementation of the LAN. VLANs are distributed according to the nature of the traffic they carry: data, voice, or administration.

In this model, the method of VLAN creation is static. These VLANs are assigned as access VLANs on ports. The membership of a VLAN depends on the port to which a user is connected.

A summary table of VLAN assignments by department, with their IP addresses (VLAN interfaces on the core switches):

VLAN ID | VLAN Name   | Department / Usage     | IP Address on SWITCH-CORE1 | IP Address on SWITCH-CORE2 | Remarks
10      | RESP        | Management / Executive | 192.168.1.2                | 192.168.1.3                | Voice VLAN 90 associated
20      | IT          | IT                     | 192.168.1.66               | 192.168.1.67               |
30      | MKT         | Marketing              | 192.168.1.98               | 192.168.1.99               |
40      | FIN         | Finance                | 192.168.1.130              | 192.168.1.131              |
50      | RH          | Human Resources        | 192.168.1.146              | 192.168.1.147              |
60      | ACHATS      | Purchasing / Logistics | 192.168.1.162              | 192.168.1.163              |
70      | SERVEUR     | Server zone            | 192.168.1.178              | 192.168.1.179              | Ports f0/12-13 on switch-acces1
80      | ACCES-POINT | Wi-Fi access points    | 192.168.1.194              | 192.168.1.195              |
90      | VOICE       | IP telephony           | 192.168.2.2                | 192.168.2.3                | Voice VLAN associated with the RESP ports

Port Assignment Diagram (excerpt for access switches):

Switch        | Port(s)  | VLAN Data | VLAN Voice | Department / Usage
switch-acces1 | f0/5     | 10        | 90         | RESP (Management)
              | f0/6     | 20        |            | IT
              | f0/7     | 30        |            | MKT
              | f0/8     | 40        |            | FIN
              | f0/9     | 50        |            | RH
              | f0/10    | 60        |            | ACHATS
              | f0/11    | 80        |            | ACCES-POINT
              | f0/12-13 | 70        |            | SERVEUR
switch-acces2 | f0/5     | 10        | 90         | RESP (Management)
              | f0/6     | 20        |            | IT
              | f0/7     | 30        |            | MKT
              | f0/8     | 40        |            | FIN
              | f0/9     | 50        |            | RH
              | f0/10    | 60        |            | ACHATS
              | f0/11    | 80        |            | ACCES-POINT
              | f0/12    | 70        |            | SERVEUR

3.6. Wi-Fi and WLC: SSID and VLAN Mapping
Open the browser on the administrator's PC. Connect to the WLC's IP address via HTTPS.

https://192.168.2.200

Create the administrator account with the username Enset and the password Enset123.

Click on the Controller menu, then on Interfaces in the left-hand menu. You will see the default virtual interface and the management interface to which you are connected.

Click on the New button in the top-right corner of the page.

Enter the name of the new interface. Call it ENSET. Set the VLAN ID to 80. This is the VLAN that will carry the traffic for the WLAN we will create later.

We configure the interface to use physical port 1. Multiple VLAN interfaces can use the same physical port because these physical interfaces act like dedicated trunk ports.

Packet Tracer – Configuring an Enterprise WLAN (WPA2) on a Wireless LAN Controller (WLC)

Settings used for the WLC:

  • IP Address: 192.168.2.200

  • Subnet Mask: 255.255.255.0

  • Gateway: 192.168.2.1

  • Primary DHCP Server: 192.168.2.1

Create a new WLAN and bind it to the newly created VLAN interface. Enter the profile name ENSET, set the SSID to SSID-80 and the WLAN ID to 1, then click Apply.

Create a new WLAN on the Access Point: enter the SSID together with the authentication type and the encryption type for the new wireless network. Use the SSID name "ENSET 2" and set the authentication to WPA2-PSK with the password "12345678".

Finally, open the wireless client application on a laptop to connect it to the Access Point.

3.7 Inter-VLAN Routing and NAT/PAT

Inter-VLAN Routing

  • Allows communication between multiple VLANs.

  • VLANs are isolated by default.

  • Uses a router or Layer 3 switch to route packets between VLANs.

NAT (Network Address Translation)

  • Translates private IP addresses to public IP addresses.

  • Enables local devices to access the Internet or other external networks.

PAT (Port Address Translation) / NAT Overload

  • A type of NAT.

  • Allows multiple devices to share a single public IP.

  • Differentiates sessions using port numbers.

  • Most common NAT method.
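The following Python model is an added example, not code from the report, of the PAT behaviour listed above: every inside host leaves through one public address, flows are told apart only by the translated source port, and an inbound packet for which no translation exists is dropped because the device has no idea which inside host it belongs to. The public address 203.0.113.10 and the inside hosts are constructed values; on IOS the equivalent configuration is the overload keyword on the ip nat inside source command.

```python
class PatTranslator:
    """Model of NAT overload (PAT): many inside hosts share one public address and
    each flow is identified by the translated source port."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def _next_free_port(self):
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, inside_ip, inside_port):
        """Outbound packet: return the (public_ip, public_port) it is sent with."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            # Keep the original source port while it is still free on the public
            # side; when two inside hosts pick the same port, the second one is
            # rewritten to the next unused port. That rewrite is what lets the
            # device demultiplex the replies.
            if inside_port not in self.inbound and self.first_port <= inside_port <= self.last_port:
                port = inside_port
            else:
                port = self._next_free_port()
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port):
        """Inbound packet addressed to public_ip:public_port: the inside host it belongs
        to, or None when no translation exists (an unsolicited packet is dropped)."""
        return self.inbound.get(public_port)

    def translation_table(self):
        """Rows in the spirit of 'show ip nat translations': (outside global, inside local)."""
        return [(f"{self.public_ip}:{port}", f"{ip}:{iport}")
                for port, (ip, iport) in sorted(self.inbound.items())]


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.10")            # constructed public address
    print(pat.translate_out("192.168.1.10", 50000))  # keeps port 50000
    print(pat.translate_out("192.168.1.20", 50000))  # same port already taken: rewritten
    print(pat.translate_in(1024))                    # reply routed to 192.168.1.20:50000
    print(pat.translate_in(4444))                    # no translation: None (dropped)
    for row in pat.translation_table():
        print(*row)
```

The drop of unsolicited inbound traffic is a side effect of the translation table, not a filtering policy: it should not be mistaken for a firewall, and the ACLs of section 5.2 remain necessary.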

4 Implementation and Configuration

4.1 Device Configuration via CLI

EtherChannel Configuration

Hostname and EtherChannel on switch-core1 (the trunk encapsulation is set before the port mode, otherwise the switch rejects "switchport mode trunk" with "trunk encapsulation must not be Auto"):

    Switch(config)# hostname switch-core1
    switch-core1(config)# interface range f0/2-3
    switch-core1(config-if-range)# switchport mode trunk
    switch-core1(config-if-range)# channel-protocol lacp
    switch-core1(config-if-range)# channel-group 1 mode active
    switch-core1(config)# interface port-channel 1
    switch-core1(config-if)# switchport trunk encapsulation dot1q
    switch-core1(config-if)# switchport mode trunk
    switch-core1(config)# interface port-channel 2
    switch-core1(config-if)# switchport trunk encapsulation dot1q
    switch-core1(config-if)# switchport mode trunk

Hostname and EtherChannel on SWITCH-CORE2:

    Switch(config)# hostname SWITCH-CORE2
    SWITCH-CORE2(config)# interface range f0/4-5
    SWITCH-CORE2(config-if-range)# channel-group 1 mode auto
    SWITCH-CORE2(config)# interface range f0/2-3
    SWITCH-CORE2(config-if-range)# channel-group 2 mode auto
    SWITCH-CORE2(config)# interface port-channel 1
    SWITCH-CORE2(config-if)# switchport trunk encapsulation dot1q
    SWITCH-CORE2(config-if)# switchport mode trunk
    SWITCH-CORE2(config)# interface port-channel 2
    SWITCH-CORE2(config-if)# switchport trunk encapsulation dot1q
    SWITCH-CORE2(config-if)# switchport mode trunk

Hostname and EtherChannel on the access switches:

    Switch(config)# hostname switch-acces1
    switch-acces1(config)# interface range f0/1-4
    switch-acces1(config-if-range)# channel-group 1 mode auto
    switch-acces1(config)# interface port-channel 1
    switch-acces1(config-if)# switchport mode trunk

    Switch(config)# hostname Switch-acces2
    Switch-acces2(config)# interface range f0/1-4
    Switch-acces2(config-if-range)# channel-group 2 mode auto
    Switch-acces2(config)# interface port-channel 2
    Switch-acces2(config-if)# switchport mode trunk

One check to make on each link: "channel-group ... mode active" negotiates with LACP, whereas "mode auto" is a PAgP mode. An LACP end only bundles with an "active" or "passive" peer, and two "auto" ends never form a channel because neither side initiates negotiation, so the mode configured at both ends of every EtherChannel must be verified with "show etherchannel summary" before trusting the trunk.

VTP Configuration

Server mode:

    Switch(config)# vtp domain ENSET
    Switch(config)# vtp mode server
    Switch(config)# vtp password cisco123
    Switch(config)# vtp version 2

Client mode:

    Switch-Core2> enable
    Switch-Core2# configure terminal
    Switch-Core2(config)# vtp domain MonDomaine
    Switch-Core2(config)# vtp mode client
    Switch-Core2(config)# vtp password secret123
    Switch-Core2(config)# vtp version 2

    switch-acces1# configure terminal
    switch-acces1(config)# vtp domain MonDomaine
    switch-acces1(config)# vtp mode client
    switch-acces1(config)# vtp password secret123

    Switch-acces2# configure terminal
    Switch-acces2(config)# vtp domain MonDomaine
    Switch-acces2(config)# vtp mode client
    Switch-acces2(config)# vtp password secret123

The VTP domain name and password must be identical on the server and on every client: with ENSET / cisco123 on the server and MonDomaine / secret123 on the clients as written above, the clients never accept the server's VLAN database, and the VLANs have to be created on each switch by hand. "show vtp status" on each switch confirms the domain and the configuration revision number.

VLAN creation on the core switch:

    switch-core(config)# vlan 10
    switch-core(config-vlan)# name RESP
    switch-core(config)# vlan 20
    switch-core(config-vlan)# name IT
    switch-core(config)# vlan 30
    switch-core(config-vlan)# name MKT
    switch-core(config)# vlan 40
    switch-core(config-vlan)# name FIN
    switch-core(config)# vlan 50
    switch-core(config-vlan)# name HR
    switch-core(config)# vlan 60
    switch-core(config-vlan)# name PURCHASE
    switch-core(config)# vlan 70
    switch-core(config-vlan)# name SERVER
    switch-core(config)# vlan 80
    switch-core(config-vlan)# name ACCESS-POINT
    switch-core(config)# vlan 90
    switch-core(config-vlan)# name VOICE
    switch-core(config)# exit

VLAN interface configuration (core switch):

    switch-core(config)# interface vlan 10
    switch-core(config-if)# ip address 192.168.10.2 255.255.255.0
    switch-core(config-if)# no shutdown
    switch-core(config)# interface vlan 20
    switch-core(config-if)# ip address 192.168.20.2 255.255.255.0
    switch-core(config-if)# no shutdown
    switch-core(config)# interface vlan 30
    switch-core(config-if)# ip address 192.168.30.2 255.255.255.0
    switch-core(config-if)# no shutdown

    (repeat for VLANs 40, 50, 60, 70, 80, 90)

VLAN interface configuration (SWITCH-CORE2):

    SWITCH-CORE2(config)# interface vlan 10
    SWITCH-CORE2(config-if)# ip address 192.168.10.3 255.255.255.0
    SWITCH-CORE2(config-if)# no shutdown
    SWITCH-CORE2(config)# interface vlan 20
    SWITCH-CORE2(config-if)# ip address 192.168.20.3 255.255.255.0
    SWITCH-CORE2(config-if)# no shutdown

    (repeat for VLANs 30, 40, 50, 60, 70, 80, 90)

Interface access mode and VLAN assignment (switch-acces1):

    switch-acces1(config)# interface range f0/12-13
    switch-acces1(config-if-range)# switchport mode access
    switch-acces1(config-if-range)# switchport access vlan 70
    switch-acces1(config)# interface f0/5
    switch-acces1(config-if)# switchport mode access
    switch-acces1(config-if)# switchport access vlan 10
    switch-acces1(config-if)# switchport voice vlan 90
    switch-acces1(config)# interface f0/6
    switch-acces1(config-if)# switchport mode access
    switch-acces1(config-if)# switchport access vlan 20

    (repeat for f0/7 to f0/11 with VLANs 30, 40, 50, 60, 80)

Interface access mode and VLAN assignment (switch-acces2):

    Switch-acces2(config)# interface f0/5
    Switch-acces2(config-if)# switchport mode access
    Switch-acces2(config-if)# switchport access vlan 10
    Switch-acces2(config-if)# switchport voice vlan 90
    Switch-acces2(config)# interface f0/6
    Switch-acces2(config-if)# switchport mode access
    Switch-acces2(config-if)# switchport access vlan 20

    (repeat for f0/7 to f0/12 with VLANs 30, 40, 50, 60, 80, 70)

Spanning Tree Protocol (STP) Configuration

On the core switch (root bridge for every VLAN):

    switch-core(config)# spanning-tree vlan 10 root primary
    switch-core(config)# spanning-tree vlan 20 root primary
    switch-core(config)# spanning-tree vlan 30 root primary
    switch-core(config)# spanning-tree vlan 40 root primary
    switch-core(config)# spanning-tree vlan 50 root primary
    switch-core(config)# spanning-tree vlan 60 root primary
    switch-core(config)# spanning-tree vlan 70 root primary
    switch-core(config)# spanning-tree vlan 80 root primary

On SWITCH-CORE2 (backup root bridge):

    SWITCH-CORE2(config)# spanning-tree vlan 10 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 20 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 30 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 40 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 50 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 60 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 70 root secondary
    SWITCH-CORE2(config)# spanning-tree vlan 80 root secondary

HSRP Configuration

On the core switch (priority 110, so it is the active gateway):

    switch-core(config)# interface vlan 10
    switch-core(config-if)# ip address 192.168.10.2 255.255.255.0
    switch-core(config-if)# standby 10 ip 192.168.10.1
    switch-core(config-if)# standby 10 priority 110
    switch-core(config-if)# standby 10 preempt

    (repeat for VLANs 20, 30, 40, 50, 60, 70, 80, 90)

On SWITCH-CORE2 (priority 100, standby gateway):

    SWITCH-CORE2# configure terminal
    SWITCH-CORE2(config)# interface vlan 10
    SWITCH-CORE2(config-if)# ip address 192.168.10.3 255.255.255.0
    SWITCH-CORE2(config-if)# standby 10 ip 192.168.10.1
    SWITCH-CORE2(config-if)# standby 10 priority 100
    SWITCH-CORE2(config-if)# standby 10 preempt
    SWITCH-CORE2(config-if)# interface vlan 20
    SWITCH-CORE2(config-if)# ip address 192.168.20.3 255.255.255.0
    SWITCH-CORE2(config-if)# standby 20 ip 192.168.20.1
    SWITCH-CORE2(config-if)# standby 20 priority 100
    SWITCH-CORE2(config-if)# standby 20 preempt

    (repeat for VLANs 30, 40, 50, 60, 70, 80, 90)
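The Python model below is an added example, not part of the report, of the HSRP election rules that the priority and preempt lines above rely on: the highest priority becomes active, the highest interface address breaks ties, and a router that comes back with a higher priority only takes the role back when it is configured to preempt. The router names and addresses are the ones configured above; the event sequence is the one a practitioner replays in the simulator (both up, core switch down, core switch back).

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100      # IOS default priority
    preempt: bool = False    # IOS default: no preemption
    up: bool = True


def _rank(router):
    """HSRP compares the priority first; the highest interface IP breaks a tie."""
    return (router.priority, tuple(int(octet) for octet in router.ip.split(".")))


def elect(routers, current_active=None):
    """Return the router holding the active role after an election.

    If the current active router is still up, a better router only takes over
    when that better router is configured to preempt; otherwise the current
    active router keeps the role even with a lower priority."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=_rank)
    if current_active is not None and current_active.up and best is not current_active:
        return best if best.preempt else current_active
    return best


def failover_timeline(core1, core2):
    """Replay the lab events and record which router is active after each one."""
    routers = [core1, core2]
    timeline = []
    active = elect(routers)
    timeline.append(("both up", active.name))
    core1.up = False
    active = elect(routers, active)
    timeline.append(("core1 down", active.name))
    core1.up = True
    active = elect(routers, active)
    timeline.append(("core1 back", active.name))
    return timeline


def page_config():
    """The values configured above for HSRP group 10."""
    return (HsrpRouter("switch-core", "192.168.10.2", priority=110, preempt=True),
            HsrpRouter("SWITCH-CORE2", "192.168.10.3", priority=100, preempt=True))


if __name__ == "__main__":
    core1, core2 = page_config()
    for event, active in failover_timeline(core1, core2):
        print(f"{event:11s} -> active: {active}")
```

Without "standby 10 preempt" on the core switch, the last event of the timeline ends with SWITCH-CORE2 still active: the primary would come back as standby and the STP root (core switch) and the active gateway (SWITCH-CORE2) would no longer be the same device, which sends every inter-VLAN packet across the inter-switch link.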

Configuration between the routers:

    Router(config)# interface S0/0/0
    Router(config-if)# ip address 1.1.1.1 255.255.255.252
    Router(config-if)# no shutdown
    Router(config-if)# clock rate 64000

    Router(config)# interface S0/1/0
    Router(config-if)# ip address 1.1.1.2 255.255.255.252
    Router(config-if)# no shutdown

OSPF configuration:

First router:

    Router(config)# router ospf 1
    Router(config-router)# router-id 1.1.1.1
    reload or use "clear ip ospf process" command for this to take effect
    Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
    Router(config-router)# network 192.168.2.0 0.0.0.255 area 0
    Router(config-router)# network 1.1.1.0 0.0.0.3 area 0

Second router:

    Router# configure terminal
    Router(config)# router ospf 1
    Router(config-router)# router-id 2.2.2.2
    reload or use "clear ip ospf process" command for this to take effect
    Router(config-router)# network 192.168.3.0 0.0.0.255 area 0
    Router(config-router)# network 1.1.1.0 0.0.0.3 area 0

The line without a prompt is the router's reply to the router-id command: the new router ID is only applied after the OSPF process is restarted with "clear ip ospf process" or after a reload.

RIP v2 configuration:

First router:

    Router(config)# router rip
    Router(config-router)# version 2
    Router(config-router)# no auto-summary
    Router(config-router)# network 192.168.1.0
    Router(config-router)# network 1.0.0.0

Second router:

    Router(config)# router rip
    Router(config-router)# version 2
    Router(config-router)# no auto-summary
    Router(config-router)# network 1.0.0.0
    Router(config-router)# network 192.168.3.0

If OSPF and RIP v2 are both left enabled on the routers, the OSPF routes are installed because OSPF has the lower administrative distance (110 against 120 for RIP); keeping only one routing protocol in the final configuration avoids this ambiguity.

4.2. Centralized DHCP for VLANs

Centralized DHCP allows a single DHCP server, located on a main network or in a specific VLAN, to provide IP addresses to clients in multiple VLANs through DHCP relay agents (DHCP Relay).

Technical operation

  • The Layer 3 switch or router receives the DHCP request from a client in a VLAN.

  • It acts as a DHCP relay agent using the ip helper-address command, forwarding the request to the centralized DHCP server.

  • The DHCP server assigns an IP address based on the VLAN or request source.

Create a DHCP pool for each VLAN.

Exclude IP addresses from DHCP allocation:

    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.65 192.168.1.70
    ip dhcp excluded-address 192.168.1.97 192.168.1.102
    ip dhcp excluded-address 192.168.1.130 192.168.1.135
    ip dhcp excluded-address 192.168.1.146 192.168.1.150
    ip dhcp excluded-address 192.168.1.162 192.168.1.167
    ip dhcp excluded-address 192.168.1.178 192.168.1.183
    ip dhcp excluded-address 192.168.1.194 192.168.1.199
    ip dhcp excluded-address 192.168.2.1 192.168.2.10

DHCP pool configuration:

    ip dhcp pool VLAN10
     network 192.168.1.0 255.255.255.192
     default-router 192.168.1.2
     dns-server 8.8.8.8
    ip dhcp pool VLAN20
     network 192.168.1.64 255.255.255.224
     default-router 192.168.1.66
     dns-server 8.8.8.8
    ip dhcp pool VLAN30
     network 192.168.1.96 255.255.255.224
     default-router 192.168.1.98
     dns-server 8.8.8.8
    ip dhcp pool VLAN40
     network 192.168.1.128 255.255.255.240
     default-router 192.168.1.130
     dns-server 8.8.8.8
    ip dhcp pool VLAN50
     network 192.168.1.144 255.255.255.240
     default-router 192.168.1.146
     dns-server 8.8.8.8
    ip dhcp pool VLAN60
     network 192.168.1.160 255.255.255.240
     default-router 192.168.1.162
     dns-server 8.8.8.8
    ip dhcp pool VLAN70
     network 192.168.1.176 255.255.255.240
     default-router 192.168.1.178
     dns-server 8.8.8.8
    ip dhcp pool VLAN80
     network 192.168.1.192 255.255.255.240
     default-router 192.168.1.194
     dns-server 8.8.8.8
    ip dhcp pool VLAN90
     network 192.168.2.0 255.255.255.0
     default-router 192.168.2.2
     dns-server 8.8.8.8
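The following Python script is an added example and not part of the report. It holds the pools, default routers and excluded ranges exactly as configured above, runs the consistency checks a practitioner makes before pasting the pools into a router (gateway inside its subnet, gateway covered by an excluded range so it can never be leased, no overlapping pools), and renders both the pool stanzas and the ip helper-address lines that the relay description above requires on each VLAN interface. The DHCP server address 192.168.1.200 is a constructed placeholder for any free address in the server VLAN; the report does not state where its server sits.

```python
import ipaddress

# Pools, gateways and excluded ranges copied from the configuration above.
POOLS = [
    # (pool name, subnet, default-router, excluded range)
    ("VLAN10", "192.168.1.0/26",   "192.168.1.2",   ("192.168.1.1",   "192.168.1.10")),
    ("VLAN20", "192.168.1.64/27",  "192.168.1.66",  ("192.168.1.65",  "192.168.1.70")),
    ("VLAN30", "192.168.1.96/27",  "192.168.1.98",  ("192.168.1.97",  "192.168.1.102")),
    ("VLAN40", "192.168.1.128/28", "192.168.1.130", ("192.168.1.130", "192.168.1.135")),
    ("VLAN50", "192.168.1.144/28", "192.168.1.146", ("192.168.1.146", "192.168.1.150")),
    ("VLAN60", "192.168.1.160/28", "192.168.1.162", ("192.168.1.162", "192.168.1.167")),
    ("VLAN70", "192.168.1.176/28", "192.168.1.178", ("192.168.1.178", "192.168.1.183")),
    ("VLAN80", "192.168.1.192/28", "192.168.1.194", ("192.168.1.194", "192.168.1.199")),
    ("VLAN90", "192.168.2.0/24",   "192.168.2.2",   ("192.168.2.1",   "192.168.2.10")),
]
DNS_SERVER = "8.8.8.8"
# Constructed placeholder: address of the central DHCP server (not given in the report).
DHCP_SERVER = "192.168.1.200"


def check_pools(pools):
    """Consistency checks to run before the pools are pasted into the router."""
    problems = []
    seen = []
    for name, subnet, gateway, (lo, hi) in pools:
        net = ipaddress.ip_network(subnet)
        gw, lo_a, hi_a = (ipaddress.ip_address(x) for x in (gateway, lo, hi))
        if gw not in net:
            problems.append(f"{name}: default-router {gateway} is outside {subnet}")
        if lo_a not in net or hi_a not in net or lo_a > hi_a:
            problems.append(f"{name}: excluded range {lo}-{hi} does not lie inside {subnet}")
        elif not lo_a <= gw <= hi_a:
            # A gateway that is not excluded can be handed out to a client,
            # which produces a duplicate address on the VLAN.
            problems.append(f"{name}: default-router {gateway} is not excluded and can be leased")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {subnet} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems


def render_dhcp_config(pools, dns):
    """IOS lines: excluded addresses first, then one pool stanza per VLAN."""
    lines = [f"ip dhcp excluded-address {lo} {hi}" for _, _, _, (lo, hi) in pools]
    for name, subnet, gateway, _ in pools:
        net = ipaddress.ip_network(subnet)
        lines += [f"ip dhcp pool {name}",
                  f" network {net.network_address} {net.netmask}",
                  f" default-router {gateway}",
                  f" dns-server {dns}"]
    return "\n".join(lines)


def render_relay_config(pools, server):
    """ip helper-address on each SVI so the VLAN's DHCP broadcasts reach the central
    server. The SVI number is taken from the pool name (VLAN10 -> interface vlan 10)."""
    lines = []
    for name, _, _, _ in pools:
        lines += [f"interface vlan {name[4:]}", f" ip helper-address {server}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_pools(POOLS) or "pools consistent")
    print(render_dhcp_config(POOLS, DNS_SERVER))
    print(render_relay_config(POOLS, DHCP_SERVER))
```

The pools above pass all three checks. Note that each default-router is the physical address of the first core switch (.2, .66, ...); if the HSRP virtual addresses of section 4.1 are used on these VLANs, the default-router of each pool should be changed to the virtual address, otherwise clients lose their gateway when the first core switch fails even though the standby switch takes over.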

4.3. Server Configuration (FTP, Mail)

MAIL
A mail server is a computer system that allows sending, receiving, and storing electronic mail (emails) between users via the Internet or a local network.

Server > Services > SMTP

Enable SMTP

Domain name: ENSET.local

· Go to Services > POP3

· Enable POP3

· Same domain: entreprise.local

· Go to Config > Email

· Create 3 email accounts:

User: abdulrasheed, Password: enset123, Domain: enset.com

User: Roland, Password: enset123, Domain: enset.com

Test :

On a client PC > Configurer dans Desktop > Email

Email : roland@ENSET.com

Nom utilisateur : roland

Password : enset123

Serveur SMTP/POP3 : 192.168.2.2

Test: Send/receive between two PC

FTP (File Transfer Protocol)

FTP transfers files between a client and a server over a TCP/IP network like the Internet or LAN.

Steps to start FTP session from PC0 to FTP server

  • Open Desktop > Command Prompt on PC0

  • Test connectivity by pinging the FTP server:

  • C:> ping 192.168.1.99

Go to the tab Services > FTP

click "ON" to activate the service FTP

create a user account

Usernameadmin
PasswordCisco123
Permissionread/write/rename/list.

TEST
From PC0 to the FTP server:
Start an FTP session
Go to Desktop > Command Prompt
C:>ftp 192.168.1.99

4.4. Access Management (SSH, Telnet)

SSH (Secure Shell)
SSH is a secure protocol that allows remote command-line access to network devices.
It encrypts all exchanged data (including passwords).

Telnet
Telnet allows remote command-line access to network devices but is not secure because data (including passwords) is transmitted in clear text.

Configuration :

Telnet

Switch(config)# username admin password cisco123

Switch(config)# line vty 0 4

Switch(config-line)# login local

Switch(config-line)# password cisco

Switch(config-line)# transport input telnet

Switch(config-line)# exit

Switch-acces2(config)#username admin password cisco123

Switch-acces2(config)#

Switch-acces2(config)#line vty 0 4

Switch-acces2(config-line)#login local

Switch-acces2(config-line)#password cisco

Switch-acces2(config-line)#transport input telnet

Switch-acces2(config-line)#exit

switch-acces1(config)#username admin password cisco123

switch-acces1(config)#line vty 0 4

switch-acces1(config-line)#login local

switch-acces1(config-line)#password cisco

switch-acces1(config-line)#transport input telnet

switch-acces1(config-line)#exit

SSH

switch-acces1(config)#ip domain-name ENSET.local

switch-acces1(config)#username admin privilege 15 secret Cisco123

switch-acces1(config)#username admin password cisco

switch-acces1(config)#crypto key generate rsa

How many bits in the modulus [512]: ?

How many bits in the modulus [512]: 1024

switch-acces1(config)#ip ssh version 2

switch-acces1(config)#line vty 0 4

switch-acces1(config-line)#Login Local

switch-acces1(config-line)#Transport Input Ssh

switch-acces1(config-line)#EXIT

switch-acces1(config)#enable password Cisco123

Switch-acces2(config)#ip domain-name ENSET.local

Switch-acces2(config)#username admin password cisco

Switch-acces2(config)#crypto key generate rsa

The name for the keys will be: Switch-acces2.ENSET.local

Choose the size of the key modulus in the range of 360 to 4096 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Switch-acces2(config)#ip ssh version 2

*Mar 1 1:10:41.670: %SSH-5-ENABLED: SSH 1.99 has been enabled

Switch-acces2(config)#line vty 0 4

Switch-acces2(config-line)#Login Local

Switch-acces2(config-line)#Transport Input Ssh

Switch-acces2(config-line)#EXIT

Switch-acces2(config)#enable password Cisco123

Test SSH access
From PC 0 connected to the same network:

4.5. VOIP PROTOCOL CONFIGURATION (VoIP, Responsibilities)

We will need a simple setup with:

  • A router (2811) that supports VoIP

  • A switch (2960-24TT)

  • Two IP Phones (7960)

  • Two PCs connected to the IP Phones

Let's configure the DHCP server used to assign an IP address to each IP terminal on the network.

Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10

Router(config)#ip dhcp excluded-address 192.168.1.90 192.168.1.100

Router(config)#ip dhcp pool VLAN10

Router(dhcp-config)#network 192.168.1.0 255.255.255.192 ! (Subnet mask /26)

Router(dhcp-config)#default-router 192.168.1.1

Router(dhcp-config)#dns-server 8.8.8.8

Router(dhcp-config)#option 150 ip 192.168.1.1

Router(dhcp-config)#exit

Router(config)#ip dhcp pool VLAN90

Router(dhcp-config)#network 192.168.1.64 255.255.255.224 ! (Subnet mask /27)

Router(dhcp-config)#default-router 192.168.1.65

Router(dhcp-config)#dns-server 8.8.8.8

Router(dhcp-config)#option 150 ip 192.168.1.65

Router(dhcp-config)#exit

Start the IP Phones by clicking on them, then connect the power adapter to supply power (you can also use PoE switches — Power Over Ethernet — so you don’t have to use a power adapter to power your phones).

Once this step is completed, all connections should be shown in green. Configuration of the telephony service "Call Manager Express" on the Router. We will configure Call Manager Express to enable VoIP support on our network.

Router(config)#telephony-service

Router(config-telephony)#max-dn 2

Router(config-telephony)#max-ephones 2

Router(config-telephony)#ip source-address 192.168.90.1 port 2000

Ephone configuration

Router(config-ephone-dn)#ephone 1

Router(config-ephone)#mac-address 0090.21DB.37A2

Router(config-ephone-dn)#ephone 2

Router(config-ephone)#mac-address 00D0.D32A.22BB

Giving Phone No

Router(config-telephony)#ephone-dn 1

Router(config-ephone-dn)#number 1111

Router(config-ephone)#type 7960

Exit

Router(config-ephone-dn)#ephone-dn 2

Router(config-ephone-dn)#number 2222

Router(config-ephone)#type 7960

Exit

Button Creation

Router(config)#ephone 1

Router(config-ephone)#button1:1

Exit

Router(config)#ephone 2

Router(config-ephone)#button1:2

Exit

Enable DHCP on our computers to obtain their IP addresses. To do this, simply click on the desired computer, go to the "Desktop" tab, then "IP Configuration," and check the DHCP option.

PART 2 – Security

5. Network Security
5.1. Security Measures at the Access Layer (port-security, STP, BPDU Guard...)

Port Security
Port Security is a feature of Cisco switches that allows limiting access to physical ports based on the MAC addresses of connected devices. It is used to strengthen local network security by preventing unauthorized connections.

switch-acces1#CONF T

Enter configuration commands, one per line. End with CNTL/Z.

switch-acces1(config)#interface range f0/5 - 12

switch-acces1(config-if-range)#switchport mode access

switch-acces1(config-if-range)#switchport port-security

switch-acces1(config-if-range)#switchport port-security maximum 2

switch-acces1(config-if-range)#switchport port-security violation shutdown

switch-acces1(config-if-range)#switchport port-security mac-address sticky

Switch-acces2>EN

Switch-acces2#CONF T

Enter configuration commands, one per line. End with CNTL/Z.

Switch-acces2(config)#interface range f0/5 - 12

Switch-acces2(config-if-range)#switchport mode access

Switch-acces2(config-if-range)#switchport port-security

Switch-acces2(config-if-range)#switchport port-security maximum 2

Switch-acces2(config-if-range)#switchport port-security violation shutdown

Switch-acces2(config-if-range)#switchport port-security mac-address sticky

STP

Activer portfast sur tous les ports Access

PortFast est configuré sur les ports d'accès connectés à un poste de travail ou à un serveur unique afin de les activer plus rapidement. Sur les ports d'accès connectés des switch-acces1 et switch-acces2, utilisez la commande spanning-tree portfast.

switch-acces1(config)#interface range fastEthernet 0/5-13

switch-acces1(config-if-range)#spanning-tree portfast

Switch-acces2(config)#interface range f0/5-13

Switch-acces2(config-if-range)#spanning-tree portfast

BPDU Guard

BPDU guard est une fonctionnalité qui permet d'empêcher les commutateurs non autorisés et l'usurpation d'identité sur les ports d'accès. Activez la protection BPDU sur les ports d'accès switch-acces1 et switch-acces2.

switch-acces1(config)#interface range fastEthernet 0/5-13

switch-acces1(config-if-range)#spanning-tree bpduguard enable

Switch-acces2(config)#interface range f0/5-13

Switch-acces2(config-if-range)#spanning-tree bpduguard enable

5.2. Flow Control (ACL)

ACLs (Access Control Lists) are used in routers and switches to control network traffic based on specific rules. They allow traffic filtering by permitting or blocking packets based on:

  • Source or destination IP address

  • Protocol (TCP, UDP, etc.)

  • Port numbers


Types of ACLs

  1. Standard ACL

    • Filters only by source IP address

    • Number range: 1–99 or 1300–1999

  2. Extended ACL

    • Filters by source/destination IP, protocol, and port

    • Number range: 100–199 or 2000–2699

  3. Named ACL

    • Identified by a name, not a number

    • Easier to read and manage


Direction of Application

  • in: applies to incoming traffic on an interface

  • out: applies to outgoing traffic on an interface

Configuration: ACL

Router(config)# access-list 1 deny 192.168.20.0 0.0.0.255 Router(config)# interface S0/0/0 Router(config-if)# ip access-group 1 in

Router(config)# access-list 2 permit host 192.168.20.1 Router(config)# access-list 2 deny any

Test : Ping pc 1 to router

5.3. Service Security (AAA, RADIUS)

FTP Setup

  1. Go to the Services tab > FTP

  2. Click "ON" to activate the FTP service

  3. Create a user account


RADIUS Server Configuration

  1. In Cisco Packet Tracer, place a Server

  2. Click the server > go to the Services tab > select AAA

    Server On: Enabled

    Network Configuration

    • Client Name: ENSET

    • Client (Router IP): 192.168.1.209

    • Secret: enset

    • Server Type: RADIUS

    • Click Add

User Accounts

  • Username: abdulrasheed
    Password: cisco

  • Username: roland
    Password: cisco

    Click Add

    AAA Activation and RADIUS Configuration

    Activate AAA:

  • Router(config)#aaa new-model

    Configure RADIUS Server:

    Router(config)#radius-server host 192.168.1.193 key Cisco

    Set AAA to Use RADIUS with Local Fallback:

  • Router(config)#aaa authentication login default group radius local

  • Router(config)#aaa authentication enable default group radius

    Enable Telnet (or SSH) Access Using AAA Authentication:

  • Router(config)#line vty 0 4

  • Router(config-line)#login authentication default

  • Router(config-line)#transport input telnet

  • Router(config-line)#exit

    Add Local Backup Username in Case RADIUS Fails:

  • Router(config)#username admin secret Cisco

    Go to Desktop > Terminal or Telnet, connect to the routeur :

  • 5.4. Monitoring and Detection (Syslog, SNMP, NTP)

    Configure the Syslog + NTP Server

    Enable Services:

    • Go to the Config tab

    • Select Syslog

    • Turn Syslog Service to ON

Config > NTP : NTP Service ON

  • Configure Syslog

    Router(config)#service timestamps log datetime msec

  • Router(config)#logging 192.168.1.200

  • Router(config)#exit

  • Router#

    System Output:

  • %SYS-5-CONFIG_I: Configured from console by console
    %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.200 port 514 started - CLI initiated

  • Tests & vérification

    On the serveur :
    • Services > Syslog
    • You will see a message like :

  • Configure NTP (Network Time Protocol)

    Router(config)#ntp server 192.168.3.2

  • Tests & Verification

    • After configuration, if the time and date are still incorrect:
      You must modify the date and time on the NTP SERVER manually.

SNMP (Simple Network Management Protocol)

SNMP is a standard protocol used to monitor and manage network devices remotely, such as routers, switches, servers, printers, etc.

Configure an SNMP Agent

switch-core(config)#snmp-server community public RO %SNMP-5-WARMSTART: SNMP agent on host switch-core is undergoing a warm start switch-core(config)#snmp-server community private RW

  • SWITCH-CORE2>en

  • SWITCH-CORE2#conf t

  • SWITCH-CORE2(config)#snmp-server community private RW

  • Enter the SNMP parameters that were configured on your router. Click OK to continue:
    • Address: 192.168.1.209
    • Port: 161
    • Read Community: public
    • Write Community: private

  • 6. Connectivity Tests (ping, tracert, DNS)

    Ping between VLANs:
    PC in VLAN 20 to PC in VLAN 30

Traceroute (tracert):

  1. Test FTP :

    C:\>ping 192.168.1.199

    CONCLUSION

    This project allowed us to design, configure, and secure a complete and hierarchical network infrastructure for an SME with 100 employees, relying on the tools and concepts studied during our training.

    Thanks to Cisco Packet Tracer, we were able to efficiently simulate the various network components, implement essential services (DHCP, DNS, FTP, Mail, Web), ensure segmentation through VLANs, and test inter-VLAN routing as well as Internet access via NAT.

    From a security perspective, we applied robust mechanisms such as ACLs, port-security, DHCP snooping, AAA authentication with RADIUS, and monitoring through Syslog, SNMP, and NTP.

    The tests conducted confirmed the reliability and consistency of the system.

1
Subscribe to my newsletter

Read articles from Roland Victor Musa directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Roland Victor Musa
Roland Victor Musa

I am Roland Victor Musa, a problem-solving mind with a knack for the digital universe. My journey into cybersecurity began with an innocent inquiry – "How do digital defenses stand strong against a world of omnipresent threats?" That question set a fire that has taken me through countless labs, projects, and simulations in the real world. Currently pursuing a Bachelor's degree in Administration, Computer Systems, and Network Cybersecurity, I have gained hands-on exposure through internships at Hack Secure India and Librairie Papeterie Nationale Morocco. From simulating brute-force attacks and analyzing live traffic using Wireshark to automating incident response with SOAR tools, I've learned that cybersecurity is as much a science as an art—a balance of creativity and precision. My projects, including setting up virtual SOC labs and Web Application Firewalls, have shown me that each vulnerability is a story waiting to be found and secured. Every challenge, from complex firewall rules to threat hunting via SIEMs, has made me more of a problem solver, ready to defend the cyber world. Join me as I document this journey – the wins, the lessons, and the epiphanies in the dead of night. If you're enthusiastic about secure code, hardened networks, and inventive defense, you're among friends. Catch up with me, learn with me, and let's create a safer digital world together.