
Information Systems Department

CCNA 4 Scaling Networks Capstone Project

PNG Sea Food Corporation Enterprise Network

Course Code IS404


Course Title Data Communications III
Year level 4 Semester 1 Date

Submitted By: Submitted To:


(Write your names and ID no. here) Picky Airi
CCNA Instructor
Information Systems Dept.

Weight 20%

PNG Seafood Corporation Capstone Project | Version: 17.1 | Updated: 07.03.17 |


CCNA4

Table of Contents
Introduction:
Phase 1: Identifying Requirements, Putting the Network Together
  Scenario
  Gathering Information
  Objective
  Requirements Document
Phase 1: Brainstorming
  Requirements
  Items Needed
  Equipment List
  IP Addressing Scheme
  Port List
  Physical Layout
  Logical Layout
Phase 2: Configuring the Switch Infrastructure
  Scenario
  Requirements
Phase 3: Configuring the Internet Connection and VPN Tunnel
  Scenario
  Requirements
Phase 4: Routing Using OSPF
  Scenario
  Requirements
Phase 5: Routing Using EIGRP
  Scenario
  Requirements
Phase 6: Services and Security
  Scenario
  Requirements
Appendix A: Configuring IKE
  Documentation:
  Configuring IKE Phase 1:
  Configuring IKE Phase 2:
  Verify:

Appendix B: Configuring Cisco IP Phones
Appendix C: Equipment Images

Introduction:

The following project outline and documentation is an adaptation of CBT Nuggets:
CCNA Labs - Cisco For Real World by Jeremy Cioara from CBT Nuggets. The CCNA Labs -
Cisco For Real World project is a well-developed and well-designed challenge for
understanding how everything that you have learnt in CCNA 1-4 works together to
build a real-world network.

The Cisco For Real World lab has been adapted to serve as your capstone project. Certain
names and components have been modified, with additional configuration, to suit our
purposes. A series of videos for this project from the original CBT Nuggets labs has been
added to the project resources folder on Moodle to serve as a guide for completing this task.
Several additional resources have also been added for reference.

Although the CBT Nuggets lab challenge was built in GNS3, you will actually be building
and configuring this network in Packet Tracer 7.0.

Your task is to work in pairs or groups of three (3) maximum to design and build the
required network in Packet Tracer while at the same time documenting the design and
configurations.

To help you organize your group and plan each task, a table has been provided below with
the key requirements for each phase. Plan your work for the remaining weeks to complete
this task.

Week  Task                                                         Resource (video, chapters)
5     Phase 1: Identifying Requirements
        understanding the requirements
      Phase 1: Brainstorming
        Drawing your diagrams
6     Phase 2: Configuring the Switch Infrastructure
7     Phase 3: Configuring the Internet Connection and VPN Tunnel
8     Phase 4: Routing Using OSPF
9     Phase 5: Routing Using EIGRP
10    Phase 6: Services and Security
11    Appendix A: Configuring IKE
12    Appendix B: Configuring IP Phones
13
14    Finalize project document + Packet Tracer file for submission

Phase 1: Identifying Requirements, Putting the Network Together

Scenario

PNG Seafood Corporation is growing significantly. Due to space limitations, five
employees currently share single cubicles, at the same time. While this is great
for team building, these space limitations are now impacting business
productivity. PNGSeafood has now leased an additional office building located at
the Amele Integrated Agro-fisheries farm roughly 20km from their headquarters
in the heart of Madang town. While this office will eventually connect to the HQ
office, it will initially be set up independently.

Gathering Information

To help guide this initial configuration, you've assembled a list of requirements based on
various meetings with management.

The new office will initially house 75 employees, each with their own Cisco IP Phone
and PC. This office may eventually scale to 200 employees over 5 years.

The Windows admins are planning to install a new pair of redundant servers at the
new office. They plan to manage all the IP addresses for DHCP on these servers and
are waiting for you to tell them what IP address range they should use.
o Windows admins: Jeff Service - (602) 555-1293, Mike Pack (480) 555-9382.

The new office is a two-story building with the Main Distribution Frame (MDF) in the
northwest corner of the first floor. Because of a workman's strike, poor planning, and
other human issues, the Intermediate Distribution Frame (IDF) on the second floor
was installed in the southeast corner of the second floor, beyond the reach of typical
Ethernet standards. The majority of the employees (roughly 50) will sit on the main
floor while the remainder will sit on the second floor. The building contractor has
already run the cabling - a single Cat6 Ethernet connection to each cubicle / office
space which terminates to patch panels in the MDF/IDF area.

PNG Seafood Corp is planning to use a Voice over IP (VoIP) phone system for the new
office. Each user will have an assigned IP Phone in their cubicle / office space. The
installation / management of the phone system itself is also your responsibility;
ensure the network is prepared to support the additional devices.

The new office will need WIFI implementations, so to keep budgets in check the
company would like to use off-the-shelf Cisco Small Business WAPs. These WAPs are
to host two wireless networks: SF-CORP and SF-PUB. Those connecting to SF-CORP
should have access to the corporate network and resources. Of course, high-end
security is mandatory for this wireless network. Those connecting to SF-PUB should
not be prompted for any security requirements but should be limited to Internet
access only.

PNG Seafood Corporation would like you to assess the network and make
recommendations on Internet connectivity options. They would also like to begin
evaluating network connections between their offices.

During the discussions, PNG Seafood Corporation found that you work primarily from
your home office. Because of the value NuggetLabs places on your technical prowess,
they have offered to provide an office space located in the MDF for you to use as a lab
environment; a "home-away-from-home" you can use. However, this lab environment
must be completely isolated from the corporate network so that it does not cause any
interference to day-to-day operations.

Priority  Client  Task                                              Time  Assigned
1         SF      Initial Meeting with SF Corporate
                    Create initial questionnaire for on-site visit  30
                    Discuss upcoming branch office rollout          180
                      (goals, staff involvement, key contacts)

1         SF      Create SF Proposal
                    Requirements Document                           15
                    Equipment Order                                 240
                    VLAN / Subnet List                              30
                    Switchport Connections                          30
                    Physical Visio Diagram                          30
                    Logical Visio Diagram                           30

Objective

Based on this information, PNG Seafood Corporation would like you to create a proposal,
design, and implementation plan for their new office by next Friday. The submission
should include the following elements:
Requirements Document
Equipment Order
VLAN(s) - Necessary
IP Subnet(s) - Necessary
Switch Port Connections
Any Necessary Visio Diagrams

Requirements Document

Based on company meeting, February 28th, 2017

Attendees
Bob Phaman [CEO - BobP@pngseafood.com (602) 555.2791]
Sarah Belittle [CTO - SarahB@pngseafood.com (602) 555.8329]
Jeff Service [Windows Admin Lead - JeffS@pngseafood.com (602) 555.1293]
Mike Pack [Desktop Support - MikeP@pngseafood.com (480) 555.9382]
Amele Construction Company (various reps) [support@amele.com]

Requirements
Network must initially handle 75 users between two floors
Network must handle both VoIP and Data traffic
Network should handle public (unsecured) and private (secure) WIFI
Private office / lab area created in MDF, separate from the network
Suggest options for Internet connectivity

Assumptions
Each user will have one workstation
Each user will have one IP phone
Network should handle 10/100 Mbps Ethernet connections to the desktop
Dual fiber optic cabling run completed from MDF to IDF
Internet connectivity options will be suggested, agreed upon, and installed before the
move in date
All cable runs terminate to the IDF or MDF
Each cubical / office will have at least one Cat6 Ethernet connection
Jomba Consulting Inc. will be ordering all necessary equipment and patch cables for
the operation
Windows servers will have redundant connections
IDF will be initially set up with a 48 port switch (allowing approx. 48% growth)
MDF will be initially set up with two 48 port switches (allowing approx. 44% growth)
PCs and IP Phones will be located no more than 3m from the wall connection, 1.5-2m
on average.
Single Internet router (no redundancy) is acceptable
Single core L3 switch (no redundancy) is acceptable
PSTN calling for VoIP network will be handled via SIP Trunk over the Internet
MDF and IDF have sufficient power and cooling for the equipment to be installed

Phase 1: Brainstorming
Requirements

Two stories
o First Floor MDF - initially housing 50 users, servers, etc...
o Second Floor IDF - initially housing 25 users
WIFI
o Full coverage for first and second floor
o Need to perform a wireless site survey (onsite)
o Power over Ethernet switches or couplers
VoIP
o IP Phone per cubical / office
o Need additional 1.5-3m Cat 5E / 6 Ethernet cabling as PC patch

Priority  Client  Task                                              Time  Assigned
2         SF      Onsite Visit
                    WiFi Site Survey                                120
                    Get with Windows guys to determine cabinet      60

Items Needed

MDF - two 48-port PoE switches, one of them should be Layer 3 capable
o Cisco LAN Access Switches
o Cisco 2960 Model Comparison
o Cisco 3750-X Model Comparison
o First Choice L2 Switch - WS-C2960S-48FPS-L
    48-port, L2 switching
    740W PoE (15W per port)
    (4) 1G SFP Uplinks
o First Choice L3 Switch - WS-C3750X-48PF-S
    48-port, L3 Switching
    740W PoE (1.5W per port)
    (4) 1G SFP Uplinks
o Mounting - wall mount? Server cabinet? (determine server needs)
o Cabling - need plenty of spare 1.5m, 2m, and 3m cables for cubicles, offices,
  server connections
o Fiber optic connection: Patch cables and two SFPs
MDF - one Internet router
o Cisco Routers
o Cisco 2900 Series
o First Choice Router Cisco 2901
    (2) 1 Gbps built-in interfaces
    (4) card slots (expansion using serial, ethernet, etc...)
    Voice capabilities (on-board DSPs)
IDF - one 48-port PoE switch
o First Choice L2 Switch - WS-C2960S-48FPS-L
    48-port, L2 switching
    740W PoE (15W per port)
    (4) 1G SFP Uplinks
Building - Wireless access points
o Cisco Small Business WIFI options
o First Choice - WAP4410N
    802.11n/g/b
    1Gbps, PoE Capable (802.3af)
    Supports 4 VLANs, 4 SSIDs

Equipment List

Name       Device    Function           Location  T1  1G  10G
SF-B1-SW1  3750X     Core L3 Switch     MDF           48
SF-B1-SW2  2960S     L2 Switch          MDF           48
SF-B1-SW3  2960S     L2 Switch          IDF           48
SF-B1-RT1  2901      Internet Router    MDF           2
SF-B1-WI1  WAP4410N  WiFi Access Point  Ceiling       1
SF-B1-WI2  WAP4410N  WiFi Access Point  Ceiling       1
SF-B1-WI3  WAP4410N  WiFi Access Point  Ceiling       1

Name                Device            Qty  Function        T1  1G  10G
SF-B1-SW1           WS-C3750X-48PF-S  1    Core L3 Switch      48
4 Port Gigabit SFP  C3KX-NM-1G        1                        4
Redundant PSU       C3KX-PWR-715WAC   1
SMARTnet                              1
Fibre SFP (SX)      GLC-SX-MM         4
Rack Mount Kit      C3KX-RACK-KIT     1

IP Addressing Scheme

PNG Seafood Corporation Branch IP Subnet and VLAN

Network         Mask             VLAN     Description
10.1.0-63.0     255.255.192.0             Corporate Office
10.1.64.0       255.255.254.0    VLAN 64  Client VoIP
10.1.65.0
10.1.66.0       255.255.254.0    VLAN 66  Client Data
10.1.67.0
10.1.68.0       255.255.255.0    VLAN 68  Server
10.1.69.0       255.255.255.0    VLAN 69  Public WiFi
10.1.70.0       255.255.255.0    VLAN 70  Lab
10.1.71.0       255.255.255.0    VLAN 71  Network Management
107.20.176.240  255.255.255.240  VLAN 10  Internet DMZ

Branch 1 Summary: 10.1.64.0/21 (255.255.248.0)

VLAN 64 Client VoIP


IP Address                 Mask           VLAN  Description
10.1.64.0                  255.255.254.0  64    Client VoIP Network
10.1.64.1                                       SF-B1-SW1 VLAN 64 IP (Default Gateway)
10.1.64.2-10                                    Reserved
10.1.64.11 to 10.1.65.245                       Client VoIP DHCP Scope
10.1.65.246-254                                 Reserved
10.1.65.255                                     Client VoIP Broadcast

VLAN 66 Client Data


IP Address                 Mask           VLAN  Description
10.1.66.0                  255.255.254.0  66    Client Data Network
10.1.66.1                                       SF-B1-SW1 VLAN 66 IP (Default Gateway)
10.1.66.2-10                                    Reserved
10.1.66.11 to 10.1.67.245                       Client Data DHCP Scope
10.1.67.246-254                                 Reserved
10.1.67.255                                     Client Data Broadcast

VLAN 68 Server
IP Address       Mask           VLAN  Description
10.1.68.0        255.255.255.0  68    Server Network
10.1.68.1                             SF-B1-SW1 VLAN 68 IP (Default Gateway)
10.1.68.2-5                           Reserved
10.1.68.6                             SF-B1-DC01
10.1.68.7                             SF-B1-DC02
10.1.68.8                             SF-B1-CUCMBE

10.1.68.251-254                       Reserved
10.1.68.255                           Server Broadcast

VLAN 71 Network Management


IP Address   Mask           VLAN  Description
10.1.71.0    255.255.255.0  71    Management Network
10.1.71.1                         SF-B1-SW1
10.1.71.2                         SF-B1-SW2
10.1.71.3                         SF-B1-SW3
10.1.71.4                         SF-B1-RT1
10.1.71.5                         SF-B1-WI1
10.1.71.6                         SF-B1-WI2
10.1.71.7                         SF-B1-WI3
10.1.71.255                       Management Broadcast

VLAN 10 Internet DMZ


IP Address      Mask             VLAN  Description
107.20.176.240  255.255.255.240  10    DMZ Network
107.20.176.241                         ISP Gateway
107.20.176.242                         SF-B1-RT1 External IP (Fa0/0)
107.20.176.243                         Unused
107.20.176.244                         Unused
107.20.176.245                         Unused
107.20.176.246                         Unused
107.20.176.247                         Unused
107.20.176.248                         Unused
107.20.176.249                         Unused
107.20.176.250                         Unused
107.20.176.251                         Unused
107.20.176.252                         Unused
107.20.176.253                         Unused
107.20.176.254                         Unused
107.20.176.255                         DMZ Broadcast

Port List

NL-B1-SW1
Physical  VLAN / TRUNK / IP  Remote Device  Remote Interface  Notes
G0/1      Trunk              SF-B1-SW2      G0/1              EtherChannel 1
2         Trunk              SF-B1-SW2      G0/2              EtherChannel 1
3         V10                ISP - CCT ID 392021
4         V10                SF-B1-RT1      G0/0              External Interface
5         V10                Reserved
6         V10                Reserved
7         V68                SF-B1-DC01     LAN1              Windows Server 2008 R2
8         V68                SF-B1-DC02     LAN1              Windows Server 2008 R2
9

NL-B1-SW2
Physical  VLAN / TRUNK / IP  Remote Device  Remote Interface  Notes
G0/1      Trunk              SF-B1-SW1      G0/1              EtherChannel 1
2         Trunk              SF-B1-SW1      G0/2              EtherChannel 1
3         V68                Reserved
4         V68                Reserved
5         V68                Reserved
6         V68                Reserved
7         V68                SF-B1-DC01     LAN2              Windows Server 2008 R2
8         V68                SF-B1-DC02     LAN2              Windows Server 2008 R2
9         V64v,66d           Client         NIC
10        V64v,66d           Client         NIC

Physical Layout

Two stories
o First Floor MDF - initially housing 50 users:
A floor plan of the first floor with cubicles and computers, printers
identified.
A physical diagram of the MDF rack unit (provided)
o Second Floor IDF - initially housing 25 users:
A floor plan of the first floor with cubicles and computers, printers
identified.
A physical diagram of the IDF rack unit (provided)
Diagrams required (use Visio or similar software)
1st floor, floor plan
2nd floor, floor plan
Branch physical layout
Branch logical layout

Floor Plans

1st floor plan

2nd floor plan

Physical Layout

Physical layout of MDF and IDF

Logical Layout

Logical layout

Phase 2: Configuring the Switch Infrastructure

Figure 1. The logical layout of the network design. Source: CBTNuggets Labs. Replace
this image with your PT diagram

Scenario

All the equipment you suggested has been purchased, delivered, and installed at the PNG
Seafood branch office facility. You must now begin with the configuration of the switch
infrastructure based on the following requirements. The network design must be
done in Packet Tracer version 7.0 and all configurations as well.

If you still do not have PT version 7.0, download here.

Note: VLAN Database mode must be used to configure any VLANs on the switches
Hint: SF_B1_SW1#vlan database

Requirements

To help guide this initial configuration, you've assembled a list of requirements.

Each switch will need a base configuration, which includes:


o Hostname
o Passwords (CON, VTY, Enable) should be set to cisco
o Logon banner
o Three hour console port timeout
o Synchronous logging on the console port
o Telnet / SSH enabled (use pngseafood.com as your domain and admin / cisco for
SSH credentials)
o HTTP management disabled
o DNS name resolution set to 4.2.2.2 and 4.2.2.3

o Clock set, NTP configured (use 64.73.32.135 as the NTP server)
o Management VLAN / IP address (use the following table)

VLAN 71 Network Management


IP Address  Mask           VLAN  Description
10.1.71.1   255.255.255.0  71    SF-B1-SW1
10.1.71.2   255.255.255.0  71    SF-B1-SW2
10.1.71.3   255.255.255.0  71    SF-B1-SW3
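
A way to check a saved running-config against the base-configuration list above, as an added example that is not part of the original project document. The sample configuration is constructed for illustration (two items are deliberately wrong), the placeholder hashes are not real, and the function names are assumptions of this example.

```python
# Constructed running-config for SF_B1_SW1 (sample input, not from the page).
# Two required items are deliberately wrong so the audit reports something.
SAMPLE_CONFIG = """\
hostname SF_B1_SW1
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
ip domain-name pngseafood.com
ip name-server 4.2.2.2
ip http server
ntp server 64.73.32.135
banner motd ^CAuthorized access only^C
!
interface Vlan71
 ip address 10.1.71.1 255.255.255.0
 no shutdown
!
line con 0
 exec-timeout 180 0
 logging synchronous
 password cisco
 login
line vty 0 4
 password cisco
 login local
 transport input telnet ssh
"""

# Values taken from the requirement list above.
REQUIRED_DNS = ("4.2.2.2", "4.2.2.3")
NTP_SERVER = "64.73.32.135"
DOMAIN = "pngseafood.com"
MGMT_SVI = "interface Vlan71"


def parse_sections(config):
    """Map each top-level IOS line to the indented sub-commands beneath it."""
    sections, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or IOS separator
        if raw[0] == " " and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections


def audit_base_config(config):
    """Return the base-configuration requirements that are not met."""
    sec = parse_sections(config)
    top = list(sec)
    # 'ip name-server' may list several servers on one line or one per line.
    dns = {tok for line in top if line.startswith("ip name-server ")
           for tok in line.split()[2:]}
    console = sec.get("line con 0", [])
    svi = sec.get(MGMT_SVI, [])
    checks = [
        (any(l.startswith("hostname ") for l in top), "hostname not set"),
        (any(l.startswith("enable ") for l in top), "enable password not set"),
        (any(l.startswith("banner ") for l in top), "logon banner missing"),
        ("exec-timeout 180 0" in console, "console timeout is not three hours"),
        ("logging synchronous" in console, "console logging not synchronous"),
        (f"ip domain-name {DOMAIN}" in top, "domain name not set"),
        ("no ip http server" in top, "HTTP management not disabled"),
        (all(d in dns for d in REQUIRED_DNS), "DNS servers incomplete"),
        (f"ntp server {NTP_SERVER}" in top, "NTP server not configured"),
        (any(l.startswith("ip address 10.1.71.") for l in svi),
         "management SVI has no VLAN 71 address"),
    ]
    return [msg for ok, msg in checks if not ok]


def vty_lines_allowing_telnet(config):
    """List vty line blocks whose 'transport input' still admits Telnet.

    The lab asks for Telnet and SSH; Telnet carries the login in cleartext,
    so this is the line to revisit when the same template leaves the lab.
    """
    hits = []
    for parent, children in parse_sections(config).items():
        if not parent.startswith("line vty"):
            continue
        for child in children:
            words = child.split()
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                hits.append(parent)
    return hits


if __name__ == "__main__":
    for finding in audit_base_config(SAMPLE_CONFIG):
        print("NOT MET:", finding)
    print("Telnet accepted on:", vty_lines_allowing_telnet(SAMPLE_CONFIG))
```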

Configure the necessary VLANs on SW1, SW2, and SW3. If a VLAN is not necessary on
a switch, it should not be configured.
o VLAN 64: Client Voice
o VLAN 66: Client Data
o VLAN 68: Server
o VLAN 69: Public WIFI
o VLAN 70: Private LAB
o VLAN 71: Management
o VLAN 10: Internet DMZ

NL-B1-SW1  NL-B1-SW2            NL-B1-SW3
All VLANs  VLAN 64, 66, 69, 71  VLAN 64, 66, 69, 71

Configure EtherChannel connections between (SW1 and SW2) and (SW1 and SW3).
Use Packet Tracer 7.0 to determine appropriate physical connections. The
EtherChannel should be hardcoded as ON (does not use any LACP or PAgP
negotiation).

Configure the links between the switches to forward traffic for all necessary VLANs. If
a VLAN does not exist on a switch, the trunk should not forward traffic for it.

Assign the necessary ports to VLANs based on the following table.

Port   NL-B1-SW1         NL-B1-SW2               NL-B1-SW3
Fa1/0  Trunk             Trunk                   Trunk
1      Trunk             Trunk                   Trunk
2      Trunk             VLANs 64, 66 (Client)   VLANs 64, 66 (Client)
3      Trunk             VLANs 64, 66 (Client)   VLANs 64, 66 (Client)
4-13   VLAN 68 (Server)  VLANs 64, 66 (Client)   VLANs 64, 66 (Client)
14     VLAN 70 (Lab)     VLANs 64, 66 (Client)   VLANs 64, 66 (Client)
15     Routed Port       VLANs 66, 69, 71 (WAP)  VLANs 66, 69, 71 (WAP)

Create a routed interface on SF-B1-SW1 for each of the VLANs. This interface should
be assigned the first IP address from each of the VLAN subnets listed in the following
table. Ensure each interface is functional (not shut down).
Note: The 10.1.254.0/30 subnet should be configured as a routed interface on
F1/15

Network     Mask             VLAN     Description
10.1.64.0   255.255.254.0    VLAN 64  Client VoIP
10.1.65.0
10.1.66.0   255.255.254.0    VLAN 66  Client Data
10.1.67.0
10.1.68.0   255.255.255.0    VLAN 68  Server
10.1.69.0   255.255.255.0    VLAN 69  Public WiFi
10.1.70.0   255.255.255.0    VLAN 70  Lab
10.1.71.0   255.255.255.0    VLAN 71  Network Management
10.1.254.0  255.255.255.252  n/a      Point-to-Point

Configure SF_B1_SW1 as the root of the Spanning Tree network for all VLANs. Enable
PortFast on all interfaces not being used as a switch uplink.
Configure the Server and PC with the following configuration:

             Server      PC1         PC2
Interface:   NIC         NIC         NIC
IP Address:  10.1.68.50  10.1.66.50  10.1.66.51
Gateway:     10.1.68.1   10.1.66.1   10.1.66.1

Testing
o PC1 should be able to ping PC2
o PC1 and PC2 should both be able to perform a ping and traceroute to the Server
o The show spanning-tree output should reveal that SF_B1_SW1 is the root bridge
o You should be able to Telnet and SSH to each switch, PC, or Server using the
management interface IP

Phase 3: Configuring the Internet Connection and VPN Tunnel

Figure 2 The logical layout of the network design. Source: CBTNuggets Labs. Replace
this image with your PT diagram

Scenario

Following your advice, the PNGSeafood branch office has installed a 50Mbps Digital
Subscriber Line (DSL) connection. They will be using a VPN connection to connect back to
the corporate office.

Requirements

To help guide this initial configuration, you've assembled the following list of objectives:

The PNGSeafood branch office router (SF_B1_RT1) needs a base configuration which
includes the following:
o Hostname
o Passwords (CON, VTY, AUX, Enable) should be set to cisco
o Logon banner
o Three hour console port timeout
o Synchronous logging on the console port
o Telnet / SSH enabled (use PNGSeafood.com as your domain and admin/cisco for
SSH credentials)
o HTTP management disabled
o DNS name resolution set to 4.2.2.2 and 4.2.2.3
o Clock set, NTP configured (use 64.73.32.135 as the NTP server)

The IP addresses for SF_B1_RT1 should be configured as follows:

Fa 0/0           Fa 0/1
10.1.254.2 / 30  172.30.100.230 / 24

Configure a static default route on SF_B1_RT1 using the IP address of the ISP router
(172.30.100.1) to reach the Internet. Once this default route is in place, SF_B1_RT1
should be able to ping Internet addresses (e.g. 4.2.2.2, 8.8.8.8).

Configure a static default route on SF_B1_SW1 using the inside IP address of
SF_B1_RT1 to reach the Internet.

Configure NAT in such a way that the following requirements are met:
o Subnets provisioned for the branch office are able to reach the Internet using a
pool of public IP addresses from 172.30.100.231 to 172.30.100.235 (simulated
public for purposes of the lab).
o NOTE: NAT should be configured so only the specific subnets at the Branch office
are processed by NAT on SF_B1_RT1
o The email server (10.1.68.50) is reachable from the public IP address
172.30.100.236.

Testing - at this point, you should be able to accomplish the following:
o Ping the Internet address 4.2.2.2 or 8.8.8.8 from any device in the SF branch
network (test using PC1)
o Verify NAT entries appear for the connections on SF_B1_RT1
o Telnet to the Server (10.1.68.50) from its public IP address (172.30.101.236) from
the corporate office (SF_CORP_RT1).

NOTE: Since the server does not have a VTY password configured, the message,
"Password required but none set" is expected and indicates a successful test.

Configure a VPN connection between the PNGSeafood branch office facility and the
corporate site using the following information (NOTE: this is beyond the current CCNA
exam requirements; you will need to configure both SF_B1_RT1 and SF_CORP_RT1 for
this exercise):
o Interesting traffic: all subnets at both offices should forward over the VPN
connection
o Pre-shared key between sites: CCNA4-Key!!!
o Phase 1 (ISAKMP) Settings:
    Encryption: AES-128
    Hashing: SHA1
    Protection: DH2
o Phase 2 (IPSEC) Settings:
    Encryption: AES-128
    Hashing: SHA1
    No PFS
o NAT: Be sure to adjust NAT appropriately for the VPN connection
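
Why NAT has to be adjusted for the tunnel, as an added example that is not part of the original project document. It models first-match ACL evaluation and the inside-to-outside order on IOS (NAT is applied before the crypto map is checked) using the branch summary 10.1.64.0/21 and the corporate range 10.1.0.0/18 from the addressing scheme; the ACL contents and function names are assumptions of this example, and the host addresses in the usage lines are taken from the test tables.

```python
import ipaddress

BRANCH = ipaddress.ip_network("10.1.64.0/21")    # branch summary from the page
CORP = ipaddress.ip_network("10.1.0.0/18")       # corporate office range from the page
ANY = ipaddress.ip_network("0.0.0.0/0")
POOL_ADDR = ipaddress.ip_address("172.30.100.231")   # first address of the NAT pool

# Crypto ACL ("interesting traffic") on SF_B1_RT1: branch to corporate.
CRYPTO_ACL = [("permit", BRANCH, CORP)]

# NAT ACL written without the tunnel in mind.
NAT_ACL_NO_EXEMPTION = [("permit", BRANCH, ANY)]
# NAT ACL adjusted for the VPN: site-to-site traffic is denied (left untranslated).
NAT_ACL_EXEMPT = [("deny", BRANCH, CORP), ("permit", BRANCH, ANY)]
# Same two entries in the wrong order: the deny is never reached.
NAT_ACL_MISORDERED = [("permit", BRANCH, ANY), ("deny", BRANCH, CORP)]


def acl_permits(acl, src, dst):
    """Extended-ACL semantics: the first matching entry decides, implicit deny last."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def egress(nat_acl, src, dst):
    """Follow one packet from the inside network out of the branch router.

    Returns (path, source address seen on the WAN side).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # Step 1: dynamic NAT rewrites the source if the NAT ACL permits the flow.
    translated = acl_permits(nat_acl, src, dst)
    wire_src = POOL_ADDR if translated else src
    # Step 2: the crypto map is matched against the packet as it looks AFTER NAT.
    encrypted = acl_permits(CRYPTO_ACL, wire_src, dst)
    if encrypted:
        path = "encrypted in tunnel"
    elif translated:
        path = "translated, sent in clear"
    else:
        path = "untranslated, sent in clear"
    return path, str(wire_src)


if __name__ == "__main__":
    pc1, corp_data_gw = "10.1.66.50", "10.1.3.1"
    for name, acl in [("no exemption", NAT_ACL_NO_EXEMPTION),
                      ("exempt", NAT_ACL_EXEMPT),
                      ("misordered", NAT_ACL_MISORDERED)]:
        print(f"{name:13} PC1 -> corp : {egress(acl, pc1, corp_data_gw)}")
    print(f"{'exempt':13} PC1 -> 8.8.8.8: {egress(NAT_ACL_EXEMPT, pc1, '8.8.8.8')}")
```

Without the exemption the translated source no longer matches the crypto ACL, so traffic for the corporate subnets leaves the WAN interface outside the tunnel; the ping tests between SF_B1_SW1 and SF_CORP_SW1 are what expose this.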

Testing

o SF_B1_SW1 should be able to ping any of the VLAN interfaces on SF_CORP_SW1
including:
VLAN 2: CORP_VOICE (10.1.2.1)
VLAN 3: CORP_DATA (10.1.3.1)
o SF_CORP_SW1 should be able to ping any of the VLAN interfaces on SF_B1_SW1
including:
VLAN 64: Client VOICE (10.1.64.1)
VLAN 66: Client DATA (10.1.66.1)

Phase 4: Routing Using OSPF

Figure 3 The logical layout of the network design. Source: CBTNuggets Labs. Replace
this image with your PT diagram

Scenario

Now that the PNGSeafood branch facility Internet and VPN connection is functional, you
would like to implement OSPF routing between both offices. Because PNGSeafood is a
growing organization, you intend to design their OSPF network for scalability,
implementing the corporate office as the backbone and their first branch office as a
different area (which allows for summarization in the network).

NOTE: To stay (somewhat) within CCNA Exam requirements, assume the ISP has created
a private, MPLS connection on the 172.30.100.0/24 network between the PNGSeafood
Branch Office and the PNGSeafood Corporate Office.

Requirements

To help guide this configuration, you've assembled the following list of objectives:

Configure the PNGSeafood corporate office to support OSPF


o The SF_CORP_RT1 router (the OSPF ABR) should use the Router-
o OSPF should run on both SF_CORP_RT1 and SF_CORP_SW1 (Router ID 1.1.1.2).1
o All VLAN interfaces on SF_CORP_SW1 should be configured as passive with the
exception of VLAN 1.
o All networks internal to the corporate office should be in Area 0. Networks
connecting to the branch office should be in Area 1.
o Devices should use secure (hashed) OSPF authentication to ensure rogue devices
cannot join as an OSPF neighbor. Use the password "cisco" when forming all
neighbor relationships. Only non-passive interfaces need be configured for OSPF
authentication.
o Use only one OSPF network statement with an exact wildcard mask to advertise
the corporate network. Use one additional OSPF network statement with a
wildcard mask of 0.0.0.0 to form neighbors in Area 1.

Configure the PNGSeafood branch office to support OSPF.


o The SF_B1_RT1 router should use the Router ID 1.1.2.1.
o OSPF should run on both SF_B1_RT1 and SF_B1_SW1 (Router ID 1.1.2.2).
o All networks in use at the branch office should be in Area 1. You may not use
network commands under the OSPF routing process to advertise these networks.
o All VLAN interfaces on SF_B1_SW1 should be configured as passive with the
exception of F1/15.
o Devices should use secure (hashed) OSPF authentication to ensure rogue devices
cannot join as an OSPF neighbor. Use the password "cisco" when forming all
neighbor relationships. Only non-passive interfaces need be configured for OSPF
authentication.

Testing
o Verify OSPF neighbors have formed between all relevant Cisco devices
o Verify all OSPF routes appear on all relevant Cisco devices

Advertise a default route from both routers


o Remove the static default route from both SF_B1_SW1 and SF_CORP_SW1
o Configure SF_B1_RT1 and SF_CORP_RT1 to advertise a default route
unconditionally to SF_B1_SW1 and SF_CORP_SW1.
o Verify an OSPF default route now exists on both L3 switches.

On the OSPF ABR, configure two-way summarization


o The corporate office should summarize all internal, Area 0 networks into a single
route when advertising them to other OSPF areas.
o Devices internal to the corporate office should receive a single, summarized
branch office route representing all internal branch office networks (with the
exception of the 10.1.254.0/30 link between SF_CORP_SW1 and SF_CORP_RT1).
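
A check of the summaries this step relies on, covering both the IP addressing scheme in Phase 1 and the summarization requirement above, as an added example that is not part of the original project document. The prefixes are copied from the addressing tables (10.1.0.0/18 is the prefix form of the corporate range 10.1.0-63.0 with mask 255.255.192.0); the function names are assumptions of this example.

```python
import ipaddress

# Prefixes copied from the page's addressing tables.
BRANCH_VLANS = {
    64: "10.1.64.0/23",   # Client VoIP
    66: "10.1.66.0/23",   # Client Data
    68: "10.1.68.0/24",   # Server
    69: "10.1.69.0/24",   # Public WiFi
    70: "10.1.70.0/24",   # Lab
    71: "10.1.71.0/24",   # Network Management
}
BRANCH_SUMMARY = "10.1.64.0/21"
CORPORATE = "10.1.0.0/18"       # "10.1.0-63.0", mask 255.255.192.0
P2P_LINK = "10.1.254.0/30"      # routed point-to-point link from the Phase 2 table


def find_overlaps(cidrs):
    """Return every pair of prefixes that share addresses."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def tightest_summary(cidrs):
    """Smallest single prefix that covers every listed network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()          # widen by one bit and retry
    return summary


def exactly_filled(summary, cidrs):
    """True when the networks tile the summary with no unassigned space.

    A summary is advertised as a whole, so any gap inside it attracts
    traffic for addresses that do not exist behind the router.
    """
    collapsed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))
    return collapsed == [ipaddress.ip_network(summary)]


def summary_leaks_into(summary, other):
    """True when a summary also claims addresses that belong to another site."""
    return ipaddress.ip_network(summary).overlaps(ipaddress.ip_network(other))


def wildcard(cidr):
    """Wildcard (inverse) mask as used in an OSPF network statement."""
    return str(ipaddress.ip_network(cidr).hostmask)


def dhcp_scope_ok(cidr, gateway, first, last):
    """Scope lies inside the subnet and avoids network, broadcast and gateway."""
    net = ipaddress.ip_network(cidr)
    gateway, first, last = (ipaddress.ip_address(a) for a in (gateway, first, last))
    return (net.network_address < first <= last < net.broadcast_address
            and not first <= gateway <= last)


if __name__ == "__main__":
    vlans = list(BRANCH_VLANS.values())
    print("overlaps:", find_overlaps(vlans + [CORPORATE, P2P_LINK]))
    print("branch summary:", tightest_summary(vlans),
          "fully used:", exactly_filled(BRANCH_SUMMARY, vlans))
    wide = tightest_summary(vlans + [P2P_LINK])
    print("summary if the /30 link were included:", wide,
          "collides with corporate:", summary_leaks_into(str(wide), CORPORATE))
    print("corporate wildcard mask:", wildcard(CORPORATE))
```

Folding the 10.1.254.0/30 link into the branch summary would widen it to 10.1.0.0/16, which also covers the corporate range; that is why the requirement excludes the link from the summarized route.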

Optimize OSPF
o Ensure SF_CORP_RT1 and SF_B1_RT1 become the designated OSPF router for their
respective Ethernet segments. SF_CORP_SW1 and SF_B1_SW1 should be
exempted from the DR election completely.
o Use an OSPF hello timer of 1 second between all OSPF neighbors.
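
What "secure (hashed) OSPF authentication" puts on the wire and what a neighbor checks before accepting a Hello, as an added example that is not part of the original project document. It follows the cryptographic authentication format of RFC 2328 (AuType 2, MD5 over the packet plus the zero-padded key) with the page's values: Router ID 1.1.2.2, Area 1, password "cisco", hello interval 1 second and priority 0 for the switch. Key ID 1, the dead interval of four hellos and the function names are assumptions of this example.

```python
import hashlib
import hmac
import socket
import struct

HEADER_LEN = 24     # OSPFv2 common header, including the 8-byte auth field
DIGEST_LEN = 16     # MD5 output appended after the packet


def ip4(addr):
    return socket.inet_aton(addr)


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded to 16 bytes."""
    padded = key.encode().ljust(16, b"\0")[:16]
    return hashlib.md5(packet + padded).digest()


def build_hello(router_id, area_id, key, key_id, seq, *,
                hello_interval=1, priority=1, mask="255.255.255.252"):
    """Build an OSPFv2 Hello with cryptographic authentication (AuType 2)."""
    dead_interval = 4 * hello_interval                      # assumption of this example
    body = struct.pack("!4sHBBI4s4s", ip4(mask), hello_interval, 0x02,
                       priority, dead_interval, ip4("0.0.0.0"), ip4("0.0.0.0"))
    length = HEADER_LEN + len(body)                         # digest is not counted
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         ip4(router_id), ip4(area_id), 0, 2)  # checksum 0, AuType 2
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + md5_digest(packet, key)


def verify_hello(data, key, last_seq, expected_area):
    """Receiver-side checks, in RFC order. Returns (accepted, reason)."""
    if len(data) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    _ver, _type, length, _rid, area, _cksum, autype = struct.unpack("!BBH4s4sHH", data[:16])
    _zero, _key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if socket.inet_ntoa(area) != expected_area:
        return False, "area mismatch"
    if autype != 2:
        return False, "authentication type mismatch"
    if auth_len != DIGEST_LEN or len(data) != length + DIGEST_LEN:
        return False, "malformed"
    if seq < last_seq:                      # sequence numbers must never go backwards
        return False, "stale sequence number"
    packet, digest = data[:length], data[length:]
    if not hmac.compare_digest(md5_digest(packet, key), digest):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Hello from SF_B1_SW1 (Router ID 1.1.2.2, priority 0) in Area 1.
    hello = build_hello("1.1.2.2", "0.0.0.1", "cisco", 1, 100, priority=0)
    print("matching key :", verify_hello(hello, "cisco", 99, "0.0.0.1"))
    print("other key    :", verify_hello(hello, "not-the-key", 99, "0.0.0.1"))
    print("old sequence :", verify_hello(hello, "cisco", 101, "0.0.0.1"))
    changed = bytearray(hello)
    changed[31] = 255                       # router priority byte altered in transit
    print("altered field:", verify_hello(bytes(changed), "cisco", 99, "0.0.0.1"))
```

The password itself never appears in the packet; only the 16-byte digest does, and any change to a covered field such as the router priority used in the DR election invalidates it.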

Phase 5: Routing Using EIGRP

Figure 4 The logical layout of the network design. Source: CBTNuggets Labs. Replace
this image with your PT diagram

Scenario

You have just completed your OSPF configuration. To your dismay, one of the other
Microsoft Windows technicians at PNGSeafood has begun to learn Cisco technology by
taking courses from CCNA Academy. Apparently, one of the CCNA Academy instructors
mentioned that EIGRP is the "best routing protocol in the world". The PNGSeafood
technician has taken this to heart and has convinced PNGSeafood management to use
EIGRP rather than OSPF. They would now like you to convert your OSPF configuration to
EIGRP using ideal parameters.

NOTE: To stay (somewhat) within CCNA Exam requirements, assume the ISP has created
a private, MPLS connection on the 172.30.100.0/24 network between the PNGSeafood
Branch Office and the PNGSeafood Corporate Office.

Requirements

To help guide this configuration, youve assembled the following list of objectives:

Remove all OSPF configuration from SF_CORP_RT1, SF_CORP_SW1, SF_B1_RT1, and
SF_B1_SW1.

Configure the PNGSeafood corporate office to support EIGRP
o EIGRP should run in autonomous system 7 on both SF_CORP_RT1 and
SF_CORP_SW1 advertising all corporate networks
o EIGRP should not use automatic summarization
o All interfaces on SF_CORP_RT1 and SF_CORP_SW1 should be set as passive with
the exception of WAN interfaces and interfaces in VLAN1.
o Devices should use secure EIGRP authentication to ensure rogue devices cannot
join as an EIGRP neighbor. Use the password "cisco" when forming all neighbor
relationships. It is not necessary to configure authentication on passive interfaces.

Configure the PNGSeafood branch office to support EIGRP.


o EIGRP should run autonomous system 7 on both SF_B1_RT1 and SF_B1_SW1.
o EIGRP should not use automatic summarization
o All networks in use at the branch office should be added to the EIGRP routing
process.
o All interfaces on SF_B1_SW1 should be set as passive with the exception of the
interface used to communicate with SF_B1_RT1.
o Devices should use secure EIGRP authentication to ensure rogue devices cannot
join as an EIGRP neighbor. Use the password "cisco" when forming all neighbor
relationships. It is not necessary to configure authentication on passive interfaces.

Testing
o Verify EIGRP neighbors have formed between all relevant Cisco devices
o Verify all EIGRP routes appear on all relevant Cisco devices

Advertise a default route from both routers


o Configure SF_B1_RT1 and SF_CORP_RT1 to advertise a default route using
redistribution to SF_B1_SW1 and SF_CORP_SW1.
o Verify an EIGRP default route now exists on both L3 switches.

Configure two-way summarization using SF_B1_RT1 and SF_CORP_RT1


o The corporate office should summarize all internal networks as a single route
when advertising to the branch office.
o The branch office should summarize all internal networks as a single route when
advertising to the corporate office.

Phase 6: Services and Security

Figure 5 The logical layout of the network design. Source: CBTNuggets Labs. Replace
this image with your PT diagram

Scenario

The PNGSeafood Branch rollout is successful! All devices are communicating the way they
should across the network. As the final phase of the implementation, you need to engage
DHCP services for the VLAN. In addition, you must now roll out security to protect the
Voice VLAN and server VLANs.

Requirements

To help guide this configuration, you've assembled the following list of objectives:

For testing purposes, assign PC1 to the voice VLAN (64) while keeping PC2 assigned
to the data VLAN (66)

Configure SF_B1_SW1 as a DHCP server for the branch office network using the
following parameters:

o VLANs 64, 66, 69, and 70 should support DHCP services


o In the initial testing phase, each VLAN should support DHCP-assigned
addresses from the range 10.1.X.10 - 10.1.X.100 with the correct subnet mask
and default gateway.
o The voice VLAN should also support DHCP Option 150 (TFTP) to the address
10.1.68.8.
o All devices should use 4.2.2.2 and 4.2.2.3 as their primary and secondary DNS
server respectively.
o Once you have configured DHCP, configure PC1 and PC2 as DHCP clients and
verify they receive the expected IP address assignment.

Configure the following security restrictions for the branch office:

o The Voice VLAN (64) should only be able to access (all else is restricted):
The PNGSeafood Corporate voice subnet (10.1.1.0/24)
The Voice VLAN default gateway (10.1.64.1)
The Internet

o The Data VLAN (66) should only be able to access (all else is restricted):
10.1.68.6 (Full Access - SFB1-DC01)
10.1.68.7 (Full Access - SFB1-DC02)
10.1.68.8 (TCP 21, 80, 443 - SF-B1-WEBO1)
The Data VLAN default gateway (10.1.66.1)
The Internet

o The Public WIFI VLAN (69) and Private Lab VLAN (70) should only be able to
access (all else is restricted):
Their default gateways
The Internet

Testing

o From PC1 (VLAN 64)


Ping 10.1.64.1 (Voice VLAN gateway - should succeed)
Ping 10.1.66.1 (Data VLAN gateway - should fail)
Ping 10.1.1.1 (Corporate Voice VLAN gateway - should succeed)
Ping 4.2.2.2 (Internet DNS server - should succeed)

o From PC2 (VLAN 66)


Ping 10.1.64.1 (Voice VLAN gateway - should fail)
Ping 10.1.66.1 (Data VLAN gateway - should succeed)
Ping 10.1.1.1 (Corporate Voice VLAN gateway - should fail)
Ping 4.2.2.2 (Internet DNS server - should succeed)
Access TCP port 80 for 10.1.68.6, 10.1.68.7, and 10.1.68.8. The connection
will time out (fail), but the access-list should register hits on the corresponding
entries.

o Move PC1 to VLAN 69 and renew the DHCP-assigned address


o From PC1 (VLAN 69)
Ping 10.1.69.1 (Public WIFI VLAN gateway - should succeed)
Ping 10.1.66.1 (Data VLAN gateway - should fail)
Ping 10.1.1.1 (Corporate Voice VLAN gateway - should fail)
Ping 4.2.2.2 (Internet DNS server - should succeed)
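
The branch restrictions and the ping tests above, modelled as first-match rule lists. This is an added example, not part of the original project document. It assumes every internal destination lies in 10.0.0.0/8, that "the Internet" is everything outside it, and that the VLAN 70 gateway is 10.1.70.1; `rules_for`, `evaluate` and `failed_tests` are names chosen for the example.

```python
import ipaddress

INTERNAL = "10.0.0.0/8"  # assumption: every non-Internet destination is in 10/8

def rules_for(allowed):
    """Build an ordered list: specific permits, deny internal, permit the rest."""
    rules = [("permit", proto, dst, ports) for proto, dst, ports in allowed]
    rules.append(("deny", "ip", INTERNAL, None))        # "all else is restricted"
    rules.append(("permit", "ip", "0.0.0.0/0", None))   # what remains is the Internet
    return rules

POLICY = {
    64: rules_for([("ip", "10.1.1.0/24", None), ("ip", "10.1.64.1/32", None)]),
    66: rules_for([("ip", "10.1.68.6/32", None), ("ip", "10.1.68.7/32", None),
                   ("tcp", "10.1.68.8/32", {21, 80, 443}),
                   ("ip", "10.1.66.1/32", None)]),
    69: rules_for([("ip", "10.1.69.1/32", None)]),
    70: rules_for([("ip", "10.1.70.1/32", None)]),  # gateway address assumed
}

def evaluate(vlan, dst, proto="icmp", port=None):
    """Return (action, rule_index) of the first rule that matches the packet."""
    addr = ipaddress.ip_address(dst)
    for i, (action, r_proto, net, ports) in enumerate(POLICY[vlan]):
        if (r_proto in ("ip", proto) and addr in ipaddress.ip_network(net)
                and (ports is None or port in ports)):
            return action, i
    return "deny", None  # implicit deny that ends every access list

# The ping tests listed above: (source VLAN, destination, expected action)
PING_TESTS = [
    (64, "10.1.64.1", "permit"), (64, "10.1.66.1", "deny"),
    (64, "10.1.1.1", "permit"), (64, "4.2.2.2", "permit"),
    (66, "10.1.64.1", "deny"), (66, "10.1.66.1", "permit"),
    (66, "10.1.1.1", "deny"), (66, "4.2.2.2", "permit"),
    (69, "10.1.69.1", "permit"), (69, "10.1.66.1", "deny"),
    (69, "10.1.1.1", "deny"), (69, "4.2.2.2", "permit"),
]

def failed_tests():
    """Return the (vlan, destination) pairs whose result differs from the plan."""
    return [(v, d) for v, d, want in PING_TESTS if evaluate(v, d)[0] != want]

if __name__ == "__main__":
    print("failed ping tests:", failed_tests())
```

Under this model a ping from VLAN 66 to 10.1.68.8 is denied, because that server is opened only for TCP 21, 80 and 443; the rule index returned by `evaluate` corresponds to the entry whose hit counter should increase.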

Appendix A: Configuring IKE


Documentation:

1. Document your IKE Phase 1 negotiation criteria (example below)
Encryption algorithm: AES-128
Hashing: SHA-1
Authentication: pre-shared
Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
Encryption algorithm: esp-aes 128
Authentication: esp-sha-hmac

Configuring IKE Phase 1:

1. Enable ISAKMP
crypto isakmp enable

2. Create ISAKMP Policy


crypto isakmp policy 100
encryption aes 128
authentication pre-shared
group 2
hash sha

3. Configure ISAKMP Identity


crypto isakmp identity {address | hostname}

4. Configure pre-shared keys


crypto isakmp key <key> address <remote ip address>

Configuring IKE Phase 2:

1. Create transform sets


crypto ipsec transform-set <name> <methods>

crypto ipsec transform-set CCNA4 esp-aes 128 esp-sha-hmac

2. Configure IPSec lifetime (optional)


crypto ipsec security-association lifetime {seconds <secs> | kilobytes <kbytes>}

3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to
be received encrypted

4. Configure IPSec crypto-map


crypto map <name> <seq> ipsec-isakmp

crypto map MAP 100 ipsec-isakmp


match address <acl>
set peer <remote ip addr>
set pfs {group1 | group2 | group5}
set transform-set <set>

Verify:

show crypto isakmp policy
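
An added example (not from the original document) that parses `crypto isakmp policy` blocks and reports weak effective settings, including the values classic IOS falls back to when a line is omitted. The weakness baseline (DES/3DES, MD5/SHA-1, Diffie-Hellman groups below 14), the assumed defaults, and the `HARDENED` and `SPARSE` samples are assumptions of this example; `PAGE_POLICY` is the policy shown above.

```python
# This example's own baseline (an assumption, not from the page): DES/3DES,
# MD5/SHA-1 and Diffie-Hellman groups below 14 are reported as weak.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"},  # "sha" = SHA-1
        "group": {"1", "2", "5"}}
# Classic IOS defaults (assumed here) that apply when a policy omits the line.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}

def parse_policies(config):
    """Return {priority: effective settings} per 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "isakmp", "policy"] and len(parts) == 4:
            current = policies.setdefault(int(parts[3]), dict(DEFAULTS))
        elif parts and current is not None:
            # a running configuration abbreviates "encryption" to "encr"
            key = "encryption" if parts[0].startswith("encr") else parts[0]
            if key in DEFAULTS and len(parts) >= 2:
                current[key] = parts[1]    # "aes 128" -> "aes"
            elif key not in ("authentication", "lifetime"):
                current = None             # any other command ends the block
    return policies

def weak_settings(config):
    """Return sorted (priority, keyword, value) for each weak effective value."""
    return sorted((prio, key, val)
                  for prio, pol in parse_policies(config).items()
                  for key, val in pol.items() if val in WEAK[key])

PAGE_POLICY = """crypto isakmp policy 100
 encryption aes 128
 authentication pre-shared
 group 2
 hash sha
"""
# Constructed samples: a stronger policy, and one that omits hash and group.
HARDENED = """crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
"""
SPARSE = """crypto isakmp policy 20
 encr aes
 authentication pre-share
"""

if __name__ == "__main__":
    print([weak_settings(c) for c in (PAGE_POLICY, HARDENED, SPARSE)])
```

The `SPARSE` case is the one to watch in a review: nothing weak is typed in the policy, yet the omitted `hash` and `group` lines leave it on the fallback values.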

Appendix B: Configuring Cisco IP Phones
Requirements

Using the sample configurations given below, configure at least two IP phones,
one at the HQ and one at the Branch office. The two IP Phones should be able to
call each other.

Cisco VOIP Phone Setup

Picky Airi

The following diagram shows that there are four (4) Cisco IP Phones connected; two
phones to the Madang network and two phones to the Lae network.

The current configurations for this setup are shown below;

Task 1: We need to configure FastEthernet 0/0 and DHCP server on Madang router

Task 1: Configure interface FastEthernet 0/0 and DHCP server on MadR1 (2811 router)

#Configure the FA 0/0 interface#


RouterA>enable
RouterA#configure terminal
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.0
RouterA(config-if)#no shutdown

The DHCP server is needed to provide an IP address and the TFTP server location
for each IP phone connected to the Madang network.

MadR1(config)#ip dhcp pool VOICE #Create DHCP pool named VOICE
MadR1(dhcp-config)#network 192.168.1.0 255.255.255.0 #DHCP network 192.168.1.0 with /24 mask
MadR1(dhcp-config)#default-router 192.168.1.1 #The default router IP address
MadR1(dhcp-config)#option 150 ip 192.168.1.1 #Mandatory for VoIP configuration.

After the configuration, wait a moment and check that Mad IPPhone has
received an IP address by placing your cursor over the phone until a configuration
summary appears.

Task 2: Configure the Call Manager Express telephony service on Madang Router

Task 2: Configure the Call Manager Express telephony service on MadR1

You must now configure the Call Manager Express telephony service on MadR1 to
enable VoIP on your network.

MadR1(config)#telephony-service #Configuring the router for telephony services#


MadR1(config-telephony)#max-dn 3 #Define the maximum number of directory numbers#
MadR1(config-telephony)#max-ephones 5 #Define the maximum number of phones#
MadR1(config-telephony)#ip source-address 192.168.1.1 port 2000 #IP Address source#
MadR1(config-telephony)#auto assign 4 to 6 #Automatically assigning ext numbers to buttons#
MadR1(config-telephony)#auto assign 1 to 5 #Automatically assigning ext numbers to buttons#

Task 4: Configure a voice vlan on Madang Distribution Switch and the Madang Access Switch

Apply the following configuration on MadDSw interfaces 1 to 5. This
configuration will separate voice and data traffic in different vlans on MadDSw
switch. Data packets will be carried on the access vlan.

MadDSw(config)#interface range fa0/1 - 5 #Configure interface range#
MadDSw(config-if-range)#switchport mode access
MadDSw(config-if-range)#switchport voice vlan 1 #Define the VLAN on which voice packets will be handled#

Task 5: Configure the phone directory for Mad IPPhone

Although MadIP Phone is already connected to Madang Access Switch, it
needs additional configuration before being able to communicate. You need to
configure MadR1 CME to assign a phone number to this IP phone.

MadR1(config)#ephone-dn 1 #Defining the first directory entry#
MadR1(config-ephone-dn)#number 422 #Assign the phone number to this entry#
MadR1#config t
Enter configuration commands, one per line. End with CNTL/Z.
MadR1(config)#ephone-dn 1
MadR1(config-ephone-dn)#%LINK-3-UPDOWN: Interface ephone_dsp DN 1.1, changed state to up
MadR1(config-ephone-dn)#number 422
MadR1(config-ephone-dn)#

Task 5: Verify the configuration

Ensure that the IP Phone receives an IP Address and the phone number 422 from
MadR1 (this can take a short while).

Task 6: Configure the phone directory for IT testphone

Connect IT testphone to MadDSw and power the phone ON using the power
adapter (Physical tab). Login to the Madang Router and do the following
configurations.

MadR1(config)#ephone-dn 2 #Defining the second directory entry#
MadR1(config-ephone-dn)#number 433 #Assign the phone number to this entry#

Task 7: Verify the configuration

Ensure that the IT testphone receives an IP Address and the phone number 433
from MadR1 (this can take a short while).

Dial 422 and check if IP phone 1 correctly receives the call.

Task 8: Repeat the same steps on the Lae network with the other two
phones.

Repeating all the above steps for the Cisco IP Phones on the Lae router should
connect the two phones together.

Appendix C: Equipment Costs
Find out how much this equipment costs and what the possible total cost of
procuring it will be.

Name        Device      Function            Location   Image   Cost
SF-B1-SW1   3750X       Core L3 Switch      MDF
SF-B1-SW2   2960S       L2 Switch           MDF
SF-B1-SW3   2960S       L2 Switch           IDF
SF-B1-RT1   2901        Internet Router     MDF
SF-B1-WI1   WAP4410N    WiFi Access Point   Ceiling
SF-B1-WI2   WAP4410N    WiFi Access Point   Ceiling
SF-B1-WI3   WAP4410N    WiFi Access Point   Ceiling
TOTAL (in PGK)

Name                 Device             Qty   Function         Image   Cost
SF-B1-SW1            WS-C3750X-48PF-S   1     Core L3 Switch
4 Port Gigabit SFP   C3KX-NM-1G         1
Redundant PSU        C3KX-PWR-715WAC    1
SMARTnet                                1
Fibre SFP (SX)       GLC-SX-MM          4
Rack Mount Kit       C3KX-RACK-KIT      1
TOTAL (in PGK)
