Campus Net Configurations

Uploaded by patience

CAMPUS NETWORK TOPOLOGY CONFIGURATIONS

CONFIGURATIONS ON SWITCHES

We had to set up the hostnames and passwords for the switches of each department. The
configurations carried out on the switches are the same except for the hostnames. For example,
the Engineering Department's switch hostname is ENGHSC-SW and the password is cisco. Password
encryption was also enabled with the command service password-encryption, so that passwords are
not stored in clear text in the configuration. An idle timeout was set with the command
exec-timeout 3 0 (three minutes, zero seconds): the switch logs the user out if the session is
idle for this long.

1. SSH and Domain Configuration

SSH Version: Configuring SSH version 2 ensures secure remote access to the switch, protecting
against eavesdropping and unauthorized access.

Domain Name: A domain name is necessary for generating cryptographic keys for SSH, which is
essential for secure communications.

Commands used to configure SSH and the domain name on the switches

ip ssh version 2

no ip domain-lookup

ip domain-name cisco.com

2. Spanning Tree Protocol (STP)

Spanning Tree Mode: Using Per VLAN Spanning Tree (PVST) allows for better load balancing
and redundancy by maintaining separate spanning tree instances for each VLAN, which helps
prevent loops and ensures efficient traffic management in the campus network.

Extended System ID: This configuration helps avoid bridge ID collisions in networks with
multiple VLANs, enhancing stability and reliability.

Commands used

spanning-tree mode pvst

spanning-tree extend system-id

3. Interface Configuration

Trunk Ports: Configuring trunk ports allows multiple VLANs to be carried over a single link,
which is essential for inter-switch communication and efficient use of network resources.

Access Ports: Access ports are assigned to specific VLANs, and PortFast lets end devices connect
quickly without waiting for STP to converge, improving the user experience. BPDU Guard protects
against potential network loops caused by misconfigured devices (for example, a switch plugged
into an access port): the port is error-disabled if a BPDU arrives on it. PortFast and BPDU Guard
were configured on all access ports, starting with the DMZ switch, so that the connections turn
green immediately.

Commands used

interface range FastEthernet0/1-2

switchport mode trunk

interface range FastEthernet0/3-20

switchport access vlan 20

spanning-tree portfast

spanning-tree bpduguard enable

interface range FastEthernet0/21-24

switchport access vlan 50

spanning-tree portfast

spanning-tree bpduguard enable

4. VLAN Configuration

VLAN assignment, plus all access and trunk ports, on the multilayer switches

To create the VLANs and the trunk

vlan 10
name Management
vlan 20
name LAN
vlan 50
name WLAN
exit
interface range GigabitEthernet1/0/2-6
switchport mode trunk
exit
do wr

Shutdown Command: Shutting down unused interfaces prevents unauthorized access and
reduces the attack surface of the network.

interface range GigabitEthernet0/1-2 (blackhole ports assigned to VLAN 199)
switchport access vlan 199
shutdown

5. Banner and Access Control

Message of the Day (MOTD): Displaying a warning banner helps deter unauthorized access by
informing users of the security policy.

Access Control List (ACL): Implementing ACLs restricts access to the switch based on defined
criteria, enhancing security by controlling which devices can communicate with it. A standard
ACL is used to protect the devices from unauthorised remote access over SSH: it permits only the
management network (192.168.10.0/24) to reach the devices remotely and denies everything else.
Note that a standard ACL takes a wildcard mask, so the /24 is written as 0.0.0.255, not as the
subnet mask 255.255.255.0.

Commands used

banner motd ^CUNAUTHORISED ACCESS IS PROHIBITED!!!!!^C
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny any
line con 0
exec-timeout 3 0

The access list is then bound to the VTY lines with the command access-class 2 in (see the
Line Configuration section).

6. Line Configuration

Console and VTY Line Configuration: Securing console and VTY lines with passwords and
restricting access to SSH only ensures that remote management is secure and that only
authorized users can access the switch.

Commands used

line vty 0 4

access-class 2 in

login local

transport input ssh

line vty 5 15

access-class 2 in

login local

transport input ssh

Multilayer switch configurations

VLAN Interfaces Configuration

VLAN Interfaces:

Vlan10:

MAC Address: 00d0.bc76.3501

IP Address: 192.168.10.3/24

IP Helper Addresses: 10.20.20.6 and 10.20.20.5

Standby IP: 192.168.10.1

Vlan20:

MAC Address: 00d0.bc76.3502

IP Address: 172.16.0.3/16

IP Helper Addresses: 10.20.20.5 and 10.20.20.6


Standby IP: 172.16.0.1

Vlan50:

MAC Address: 00d0.bc76.3503

IP Address: 10.10.0.3/16

IP Helper Addresses: 10.20.20.5 and 10.20.20.6

Standby IP: 10.10.0.1

Reasons for VLAN Configuration

MAC Address Assignment: Each VLAN interface is assigned a unique MAC address. This is
important for Layer 2 communication and helps in identifying the VLAN interface on the
network.

IP Addressing: Each VLAN interface has a unique IP address and subnet mask, which allows
devices within the same VLAN to communicate with each other and with devices in other
VLANs through routing. This segmentation improves network performance and security by
isolating broadcast domains.

IP Helper Addresses: The ip helper-address command is used to forward DHCP requests from
clients in the VLAN to the specified DHCP servers (10.20.20.5 and 10.20.20.6). This is crucial
for enabling DHCP services across different subnets, allowing devices to obtain IP addresses
dynamically.

Standby IP Configuration: The standby command configures Hot Standby Router Protocol
(HSRP) for redundancy. The standby IP address serves as a virtual gateway for devices in the
VLAN, ensuring that if the primary router fails, the standby router can take over without
disrupting network connectivity.

OSPF Configuration (OSPF is configured on all multilayer switches, routers and firewalls)

OSPF Router Configuration:

Router ID: 2.1.2.1

Log Adjacency Changes: This command enables logging of OSPF adjacency changes, which is
useful for troubleshooting.

Network Statements: The network commands define which interfaces participate in OSPF and
specify the area (area 0) for OSPF routing.

Reasons for OSPF Configuration

Dynamic Routing: OSPF (Open Shortest Path First) is a dynamic routing protocol that allows
the switch to automatically learn and advertise routes to other OSPF-enabled devices. This is
essential for maintaining efficient routing in larger networks.
Router ID: The router ID uniquely identifies the OSPF router within the OSPF domain, which is
important for OSPF operations and route calculations.

Area Configuration: By specifying the networks and associating them with area 0, the
configuration ensures that all VLANs can communicate with each other and with external
networks, facilitating efficient routing and reducing administrative overhead.

router ospf 15

router-id 2.1.2.1

log-adjacency-changes

network 10.20.20.32 0.0.0.3 area 0

network 192.168.10.0 0.0.0.255 area 0

network 172.16.0.0 0.0.255.255 area 0

network 10.10.0.0 0.0.255.255 area 0
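The standard ACL in the Banner and Access Control section and the OSPF network statements above both rely on wildcard masks, where a 0 bit must match and a 1 bit is ignored. As an added example (not part of the original document), the Python below evaluates a standard ACL and the network statements the way IOS does, and shows why typing a subnet mask (255.255.255.0) into the wildcard field of ACL 2 permits the wrong addresses; the addresses tested are the page's own.

```python
"""Wildcard-mask matching as IOS applies it to standard ACL entries and
OSPF network statements. Added example; not part of the original document."""
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """In a wildcard mask a 0 bit must match the network and a 1 bit is
    don't-care, so the address matches when no 'must match' bit differs."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(network)) & care) == 0


def wildcard_for_prefix(prefix: str) -> str:
    """The wildcard for a prefix is the inverse of its subnet mask:
    192.168.10.0/24 -> 0.0.0.255, 10.20.20.32/30 -> 0.0.0.3."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def standard_acl_permits(aces, addr: str) -> bool:
    """First-match evaluation of a standard ACL with the implicit deny at
    the end. aces: (action, network, wildcard); 'deny any' is written as
    ('deny', '0.0.0.0', '255.255.255.255')."""
    for action, network, wildcard in aces:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
# ACL 2 with a subnet mask typed into the wildcard field: only the last
# octet is checked, and it must be 0.
ACL_SUBNET_MASK = [("permit", "192.168.10.0", "255.255.255.0"), ("deny", *ANY)]
# ACL 2 with the wildcard a /24 management network actually needs.
ACL_WILDCARD = [("permit", "192.168.10.0", "0.0.0.255"), ("deny", *ANY)]

# network statements from 'router ospf 15' on the multilayer switch
OSPF_NETWORKS = [("10.20.20.32", "0.0.0.3"), ("192.168.10.0", "0.0.0.255"),
                 ("172.16.0.0", "0.0.255.255"), ("10.10.0.0", "0.0.255.255")]


def ospf_enabled(interface_ip: str) -> bool:
    """An interface joins OSPF when its address matches any network statement."""
    return any(wildcard_match(interface_ip, n, w) for n, w in OSPF_NETWORKS)


if __name__ == "__main__":
    for host in ("192.168.10.5", "10.99.99.0"):
        print(host, "subnet-mask ACL:", standard_acl_permits(ACL_SUBNET_MASK, host),
              "wildcard ACL:", standard_acl_permits(ACL_WILDCARD, host))
    for svi in ("192.168.10.3", "172.16.0.3", "10.10.0.3", "10.20.20.34", "10.20.20.6"):
        print(svi, "OSPF enabled:", ospf_enabled(svi))
```

With the subnet-mask form, a management host such as 192.168.10.5 is denied while any address ending in .0 from any network is permitted; the wildcard form permits exactly the /24.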

EtherChannel (the bundled link used between the multilayer switches)

Commands used

interface range GigabitEthernet1/0/21-23
channel-group 1 mode active
exit
interface Port-channel 1
switchport mode trunk
exit
do wr

Command to show etherchannels

end

show etherchannel port-channel

Not all of the EtherChannel ports turn green, because spanning tree runs between the multilayer
switches and the access switches and blocks the redundant paths.

FIREWALL CONFIGURATIONS

router ospf 15

router-id 3.2.4.1

network 105.100.50.0 255.255.255.252 area 0

network 10.20.20.36 255.255.255.252 area 0

network 10.20.20.0 255.255.255.224 area 0

network 10.20.20.32 255.255.255.252 area 0

Web browser access (firewall management login)

username = admin

password = Cisco123

Policy Implementation

The inspection policy is implemented through access lists (ACLs) in the configuration and is
designed to control and filter network traffic based on specific criteria. This policy is well
suited to a campus network environment, where security, performance and resource management
are critical.

Access List Configuration:

The access list named RES-ACCESS is an extended ACL that permits the following traffic:

- ICMP: allows ping requests and replies, which are essential for network diagnostics.
- BOOTP/DHCP: permits UDP traffic to the BOOTP server port (67, bootps) and client port
(68, bootpc), which are crucial for dynamic IP address assignment.
- Domain Name Service: allows both UDP and TCP on port 53 for DNS queries, enabling name
resolution for users and devices.
- Web Traffic: permits HTTP (port 80) and HTTPS (port 443) traffic, allowing users to access
web services.
- Email Services: allows SMTP (port 25) for sending email.
- FTP: permits FTP traffic on ports 20 and 21 for file transfers.
- Additional Ports: allows traffic on TCP ports 5746, 5247, 12222 and 12223, which may be used
by specific applications or services within the network.

Access Group Application:

The access group RES-ACCESS is applied to the DMZ and OUTSIDE interfaces. This means
that the rules defined in the access list will filter incoming traffic on these interfaces, providing a
layer of security by controlling what types of traffic are allowed into the network from external
sources.
Reasons for Implementation in Campus Networks

- Enhanced Security: By explicitly permitting only necessary traffic, the policy minimizes the
risk of unauthorized access and potential attacks. This is crucial in a campus environment where
sensitive data may be transmitted.
- Traffic Management: The ACL helps manage bandwidth by controlling the types of traffic that
can enter the network, ensuring that critical services (like DNS and DHCP) are prioritized and
protected from excessive or malicious traffic.
- Compliance and Monitoring: Implementing ACLs allows for better compliance with security
policies and regulations. It also facilitates monitoring of network traffic, making it easier to
identify and respond to suspicious activities.

Preference Over Other Policies

- Granular Control: Extended ACLs provide more granular control compared to standard ACLs,
allowing specific traffic types and protocols to be managed effectively. This is particularly
important in a campus network where diverse applications and services are used.
- Flexibility: The ability to permit or deny traffic based on various criteria (such as IP addresses,
protocols and ports) makes ACLs a flexible solution for dynamic network environments.
- Simplicity in Management: While other policies (like role-based access control) may offer
more complex configurations, ACLs are straightforward to implement and manage, making them
suitable for campus networks where IT resources may be limited.

Commands used (inspection policy implemented through access lists)

access-list RES-ACCESS extended permit icmp any any
access-list RES-ACCESS extended permit udp any any eq bootps
access-list RES-ACCESS extended permit udp any any eq bootpc
access-list RES-ACCESS extended permit udp any any eq domain
access-list RES-ACCESS extended permit tcp any any eq domain
access-list RES-ACCESS extended permit tcp any any eq www
access-list RES-ACCESS extended permit tcp any any eq smtp
access-list RES-ACCESS extended permit tcp any any eq 20
access-list RES-ACCESS extended permit tcp any any eq ftp
access-list RES-ACCESS extended permit tcp any any eq 5746
access-list RES-ACCESS extended permit tcp any any eq 5247
access-list RES-ACCESS extended permit tcp any any eq 12222
access-list RES-ACCESS extended permit tcp any any eq 12223

access-group RES-ACCESS in interface DMZ
access-group RES-ACCESS in interface OUTSIDE

wr mem
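A practitioner's check for a policy like this is to compare the ACEs actually configured against the services the policy text claims to allow. The Python below is an added example (not part of the original document): it parses the RES-ACCESS lines as listed above (only the "any any [eq port]" form used on this page), resolves the ASA service keywords, and reports which documented services have no permitting entry; the documented set is a transcription of the bullet list in the Access List Configuration section.

```python
"""Audit of the RES-ACCESS extended ACL against the documented policy.
Added example; not part of the original document."""
import re

# RES-ACCESS exactly as listed in the document (copied here for the audit)
RES_ACCESS_CONFIG = """
access-list RES-ACCESS extended permit icmp any any
access-list RES-ACCESS extended permit udp any any eq bootps
access-list RES-ACCESS extended permit udp any any eq bootpc
access-list RES-ACCESS extended permit udp any any eq domain
access-list RES-ACCESS extended permit tcp any any eq domain
access-list RES-ACCESS extended permit tcp any any eq www
access-list RES-ACCESS extended permit tcp any any eq smtp
access-list RES-ACCESS extended permit tcp any any eq 20
access-list RES-ACCESS extended permit tcp any any eq ftp
access-group RES-ACCESS in interface DMZ
access-group RES-ACCESS in interface OUTSIDE
access-list RES-ACCESS extended permit tcp any any eq 5746
access-list RES-ACCESS extended permit tcp any any eq 5247
access-list RES-ACCESS extended permit tcp any any eq 12222
access-list RES-ACCESS extended permit tcp any any eq 12223
"""

# ASA service keywords that appear on this page, resolved to port numbers
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80,
              "https": 443, "smtp": 25, "ftp": 21, "ftp-data": 20}

# Matches only the 'any any [eq <port>]' ACE form this page uses
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\S+))?$")


def parse_aces(config: str, acl_name: str):
    """Yield (action, protocol, port) per ACE of acl_name; port is None for
    protocols without one (icmp). access-group and other lines are skipped."""
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        port = m.group(4)
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        yield m.group(2), m.group(3), port


def permitted_services(config: str, acl_name: str) -> set:
    return {(proto, port) for action, proto, port in parse_aces(config, acl_name)
            if action == "permit"}


# Services the policy text says RES-ACCESS allows: ping, BOOTP/DHCP, DNS,
# HTTP and HTTPS, SMTP, FTP (20 and 21) and the four application ports.
DOCUMENTED_POLICY = {("icmp", None), ("udp", 67), ("udp", 68), ("udp", 53),
                     ("tcp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 25),
                     ("tcp", 20), ("tcp", 21), ("tcp", 5746), ("tcp", 5247),
                     ("tcp", 12222), ("tcp", 12223)}


def policy_gaps(config: str, acl_name: str, documented: set) -> dict:
    """Documented services with no permitting ACE, and ACEs the text omits."""
    actual = permitted_services(config, acl_name)
    return {"missing_from_acl": documented - actual,
            "undocumented_in_acl": actual - documented}


if __name__ == "__main__":
    print(policy_gaps(RES_ACCESS_CONFIG, "RES-ACCESS", DOCUMENTED_POLICY))
```

Run against the listed configuration, the audit reports HTTPS (tcp/443) as documented but absent from the ACL: the text describes it as permitted, yet no "eq https" entry exists.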

GigabitEthernet1/1 (INSIDE1)

Security Level: 100 (highest security level)

IP Address: 10.20.20.34/30

Purpose: This interface is part of the internal network, allowing devices within this segment to
communicate securely. The high security level indicates that this interface is trusted.

GigabitEthernet1/2 (INSIDE2)

Security Level: 100 (highest security level)

IP Address: 10.20.20.38/30

Purpose: Similar to INSIDE1, this interface is also part of the internal network. Having multiple
inside interfaces can help in segmenting different departments or functions within the
organization while maintaining high security.

GigabitEthernet1/3 (OUTSIDE)

Security Level: 0 (lowest security level)

IP Address: 105.100.50.2/30

Purpose: This interface connects to the external network (the internet). The low security level
indicates that this interface is less trusted, and traffic from this interface is subject to strict
filtering and monitoring.
GigabitEthernet1/4 (DMZ)

Security Level: 70

IP Address: 10.20.20.1/27

Purpose: The DMZ (Demilitarized Zone) is used to host services that need to be accessible from
the outside, such as web servers or email servers. The security level of 70 allows for some level
of trust while still providing a buffer between the internal network and the outside world.

Commands used

interface GigabitEthernet1/1

nameif INSIDE1

security-level 100

ip address 10.20.20.34 255.255.255.252

interface GigabitEthernet1/2

nameif INSIDE2

security-level 100

ip address 10.20.20.38 255.255.255.252

interface GigabitEthernet1/3

nameif OUTSIDE

security-level 0

ip address 105.100.50.2 255.255.255.252

interface GigabitEthernet1/4

nameif DMZ

security-level 70

ip address 10.20.20.1 255.255.255.224

The configuration of NAT (Network Address Translation) plays a significant role in the
implementation of inspection policies on a network device, particularly in how traffic is
managed and secured. It is implemented on the firewall to manage the traffic going out of and
coming into the campus network.

INSIDE1-OUTSIDE

Subnet: 192.168.10.0/24

NAT Configuration: This object allows devices within the 192.168.10.0 subnet to be translated
to the outside interface's IP address when accessing external networks. The NAT type is
dynamic, meaning that the internal IP addresses will be translated to the IP address of the outside
interface dynamically.

INSIDE1a-OUTSIDE

Subnet: 192.168.10.0/24

NAT Configuration: Similar to INSIDE1, this object also allows NAT for the same subnet but
is associated with the INSIDE2 interface. This indicates that devices in the 192.168.10.0 subnet
can also access the outside network through INSIDE2.

INSIDE2-OUTSIDE

Subnet: 172.16.0.0/16

NAT Configuration: This object allows devices within the 172.16.0.0 subnet to be translated to
the outside interface's IP address when accessing external networks, using dynamic NAT.

INSIDE2a-OUTSIDE

Subnet: 172.16.0.0/16

NAT Configuration: This object is similar to INSIDE2 but is associated with the INSIDE2
interface, allowing NAT for the same subnet.

INSIDE3-OUTSIDE

Subnet: 10.10.0.0/16

NAT Configuration: This object allows devices within the 10.10.0.0 subnet to be translated to
the outside interface's IP address when accessing external networks.

INSIDE3a-OUTSIDE

Subnet: 10.10.0.0/16

NAT Configuration: Similar to INSIDE3, this object allows NAT for the same subnet but is
associated with the INSIDE2 interface.

Commands used

object network INSIDE1-OUTSIDE


subnet 192.168.10.0 255.255.255.0

nat (INSIDE1,OUTSIDE) dynamic interface

object network INSIDE1a-OUTSIDE

subnet 192.168.10.0 255.255.255.0

nat (INSIDE2,OUTSIDE) dynamic interface

object network INSIDE2-OUTSIDE

subnet 172.16.0.0 255.255.0.0

nat (INSIDE1,OUTSIDE) dynamic interface

object network INSIDE2a-OUTSIDE

subnet 172.16.0.0 255.255.0.0

nat (INSIDE2,OUTSIDE) dynamic interface

object network INSIDE3-OUTSIDE

subnet 10.10.0.0 255.255.0.0

nat (INSIDE1,OUTSIDE) dynamic interface

object network INSIDE3a-OUTSIDE

subnet 10.10.0.0 255.255.0.0

nat (INSIDE2,OUTSIDE) dynamic interface

route OUTSIDE 0.0.0.0 0.0.0.0 105.100.50.1 1

The configuration below outlines the setup of a class map and policy map for application-layer
protocol inspection on a Cisco ASA firewall.

Class Map: inspection_default

Purpose: This class map is designed to match traffic that is subject to default inspection. The
command match default-inspection-traffic indicates that it will include all traffic types that the
firewall recognizes for inspection based on its default settings.

Policy Map: global_policy

Type: The DNS inspection policy map preset_dns_map is defined with policy-map type inspect dns,
which means it holds application-layer inspection parameters for DNS. global_policy itself is the
Layer 3/4 policy map that decides which traffic classes receive which inspections.
Classes: Within global_policy, the inspection_default class is specified, which means that any
traffic matching this class will be inspected according to the inspect actions listed under it.

Inspection Actions:
Inspect DNS: The command inspect dns preset_dns_map applies the predefined DNS inspection policy
map, allowing the firewall to monitor and control DNS queries and responses. Its parameter
message-length maximum 512 sets the largest DNS message the inspection accepts (512 bytes, the
classic limit for DNS over UDP); longer messages are dropped, which keeps oversized or malformed
DNS messages out of the network.
Inspect FTP: The command inspect ftp enables inspection of FTP traffic, allowing the firewall
to track FTP control sessions and the data connections they negotiate.
Inspect TFTP: The command inspect tftp enables inspection of TFTP traffic, which is often used
for transferring files in a network environment.
Service Policy
The command service-policy global_policy global applies global_policy to all interfaces on the
device, ensuring that the defined inspection rules are enforced across the entire network.
Importance of This Configuration
This configuration is crucial for maintaining network security and performance. By inspecting
DNS, FTP, and TFTP traffic, the firewall can prevent unauthorized access, detect malicious
activities, and ensure that only legitimate traffic is allowed through. The use of a class map and
policy map structure allows for flexible and scalable management of traffic inspection, which is
essential in modern network environments.
Commands used
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp

service-policy global_policy global


TO CONFIGURE OR VIEW THE ACCESS POINT CONFIGURATIONS, DO THE FOLLOWING STEPS

1. From one of the management PCs, open cmd and ping the management WLAN address 10.10.0.15
(command: ping 10.10.0.15). Check that the data is being sent and received.
2. If so, open the PC's browser and enter the URL http://10.10.0.15 to create the admin account.
In case it shows the error SERVER RESET CONNECTION, enter the URL https://10.10.0.15 instead; it
will prompt you to log in to the admin account (username: admin, password: Cisco123).
3. After login it redirects you to the monitor page. Choose the WIRELESS option to see the
configured access points; all the access point WiFi networks are listed there.
4. If all is working, all the wireless devices will be connected to the WiFi. If not, check that
the devices are connected to one of the following networks:

STUDENTS' WIFI
EMPLOYEE WIFI
ADMIN WIFI
IT WIFI

The password for all the networks is Cisco123.
