
DEBRETABOR UNIVERSITY

Department of Electrical and computer Engineering


Stream of Electronics Communication
Engineering
THREE MONTH INTERNSHIP REPORT
TITLE: Design and Implement Secure Enterprise Network Using Packet
Tracer
Host Company- Awash Bank, A.A HQ IT Department
Department Advisor Name- Mr. Yosef. B
Supervisor Name- Mr. Bereket Ayalew

Prepared by:
Yisak Nesiro 1587
Birhan Bayu 1068

Submission date- 2 Nov,2024


Debretabor, Ethiopia
Declaration
We are students of electrical and computer engineering at Debretabor University. We have
completed our internship training at Awash Bank HQ for the past three months (from April 1 to
June 30, 2024 G.C). For anyone who is concerned with this report, we declare that this paper is our
maximum-effort work based on what we practised in Awash Bank during the internship period. All the
information was collected from the place where we worked. We announce and certify that
our work is original according to the internship report writing guideline given by the
School of Electrical and Computer Engineering, and we would like to assure this with our signatures.
Name of students Signature Date
Birhan Bayu ……… ………
Yisak Nesiro ……… ………

Approved by Signature Date


Mr. Yosef. B ------------ -------

Acknowledgment
First and foremost, we would like to thank our university, DTU, and our hosting company,
AWASH BANK. We are extremely grateful to the Department of Electrical and Computer
Engineering for giving us the opportunity to carry out this project, which is an integral part of
the curriculum. We express our heartfelt gratitude to Awash Bank for hosting us for
this internship. Next, we would like to thank Mr. Henok, the Network
Administration Manager of Awash Bank HQ, who granted our request to join the
internship program. In addition, we would like to thank the networking staff of Awash Bank,
Mr. Bereket, Mr. Habtu, Mr. Mihiret, Mr. Alemayehu and all other staff, for their friendly advice,
special support and leadership during our internship period. We would also like to thank our
advisor, Mr. Yosef B., for his support and guidance with his knowledge and ideas. Finally, we extend
our gratitude to everyone who was directly or indirectly involved in the successful
completion of this project work.

Table of Contents
Declaration........................................................................................................................................i

Acknowledgment.............................................................................................................................ii

Acronyms.....................................................................................................................................viii

Executive Summary.........................................................................................................................x

CHAPTER ONE..............................................................................................................................1

1.BACKGROUND OF THE COMPANY......................................................................................1

1.1. introduction...........................................................................................................................1

1.2. Background history of Awash bank......................................................................................1

1.3. Vision and Mission of Awash bank......................................................................................2

1.3.1. Vision..............................................................................................................................2

1.3.2. Mission...........................................................................................................................2

1.4. Core values of an organization..............................................................................................3

1.5. Main service of Awash bank.................................................................................................3

1.6. Organizational structure........................................................................................................4

CHAPTER TWO.............................................................................................................................5

2. OVERALL INTERNSHIP EXPERIENCE................................................................................5

2.1. Objectives of the Internship..................................................................................................5

2.2. How We get the company.....................................................................................................5

2.3. Section of the office..............................................................................................................6

2.4. The work task we have been executing.................................................................................6

2.5. Skills and Knowledges that we Gained.................................................................................6

2.5.1. Basics of computer networking and configuration.........................................................6

2.5.2. Hierarchy model...........................................................................................................10

2.5.3. Technical practice on switches.....................................................................................11

2.5.4. technical practice on router...........................................................................................11

2.6. Tools that we have been using............................................................................................13

2.7. Challenges and problems that we have faced and Measures Taken....................................15

CHAPTER THREE.......................................................................................................................17

3.THE OVERALL BENEFITS OF INTERNSHIP.......................................................................17

3.1. Improving theoretical knowledge........................................................................................17

3.2. Improving Practical Skills...................................................................................................18

3.3. leadership skill.....................................................................................................................18

3.4. Work ethics issue................................................................................................................18

3.5. Entrepreneurship skill.........................................................................................................19

3.6. Interpersonal communication skill......................................................................................19

CHAPTER FOUR.........................................................................................................................20

4.1. Abstract...............................................................................................................................20

4.2. Introduction.........................................................................................................................20

4.3. Background information.....................................................................................................21

4.4. Objective.............................................................................................................................22

4.4.1. General objective..........................................................................................................22

4.4.2. Specific objective...........................................................................................................22

4.5. Significance of the project...................................................................................................23

4.6. Scope of the project.............................................................................................................23

4.7. Limitation............................................................................................................................23

4.8. Literature review.................................................................................................................24

4.9. System design and analysis.................................................................................................25

4.9.1. Overview......................................................................................................................25

4.10. Methodology.....................................................................................................................25

4.10.1. Network Design and Beautification...........................................................................26

4.10.2. Basic Settings to all devices + SSH + Standard ACL for SSH..................................27

4.10.3. VLAN Assignment + All Access and Trunk Ports on L2 and L3 Switches..............27

4.10.4. STP Portfast And BPDU guard configurations..........................................................29

4.10.5. Ether channel..............................................................................................................29

4.10.6 HSRP and Inter VLAN................................................................................................29

4.10.7 OSPF on Firewalls, Routers and Layer3 Switches......................................................31

4.10.8. Firewall Interface Security Levels and Zones............................................................32

4.10.9. Firewall Inspection Policy Configurations.................................................................33

4.10.10. Wireless Network Configurations............................................................................34

4.10.11 VOIP Configurations.................................................................................................35

4.11. System design....................................................................................................................37

4.12 Material Requirement.........................................................................................................39

4.12.1. Hardware Requirements:............................................................................................39

4.12.2. Software Requirement................................................................................................40

4.13. Result and discussion........................................................................................................41

4.13.1. Result..........................................................................................................................41

4.13.2. Discussion...................................................................................................................43

4.14. Conclusion and recommendation.....................................................................44

CHAPTER FIVE...........................................................................................................................45

5. GENERAL CONCLUSION AND RECOMMENDATION.....................................................45

5.1 General conclusion...............................................................................................................45

5.2 General Recommendation....................................................................................................45

5.2.1 To the company.............................................................................................................45

5.2.2. To the University..........................................................................................................46

References......................................................................................................................................47

APPENDEX..................................................................................................................................48

List of figures
Fig. 1.1. Organizational structure of awash bank (2)......................................................................4
Fig.2.1.OSI vs TCP/IP Model........................................................................................................10
Fig.2.2. three level hierarchy model..............................................................................................10
Fig.2.2. layer 2 switch....................................................................................................................13
Fig.2.3. layer 3 switch....................................................................................................................14
Fig.2.4. cisco router.......................................................................................................................14
Fig.2.5. serial port console cable...................................................................................................15
Fig.2.6. different types of fiber optics cable..................................................................................15
Fig 4.2 Methodology block diagram.............................................................................................26
Fig 4.3 Overall system design.......................................................................................................37
Fig 4.4 logical diagram of project..................................................................................................41
Figure 4.5 Encryption of password................................................................................................42
Fig 4.6 User Authentication on WLC............................................................................................42
Fig 4.7 Phone call Checkup over IP Phone...................................................................................43
Fig 4.8 Wireless Lan Controller User Interface on PC..................................................................43

Acronyms

Autonomous systems ASes
Automated teller machine ATM
Local area network LAN
Wide area network WAN
Open systems interconnection OSI
Transmission control protocol TCP
Internet protocol IP
Information technology IT
Data link layer DLL
Logical link control LLC
Media access control MAC
Address resolution protocol ARP
Demilitarized zone DMZ
Virtual local area network VLAN
Secure shell protocol SSH
File transfer protocol FTP
Headquarters HQ
Hypertext transfer protocol HTTP
Interior gateway protocol IGP
Exterior gateway protocol EGP
Enhanced interior gateway routing protocol EIGRP
Intermediate system to intermediate system IS-IS
Routing information protocol RIP
Open shortest path first OSPF
Border gateway protocol BGP
Designated router DR
Backup designated router BDR
Link state advertisement LSA
Network address translation NAT
Access list ACL
Application centric infrastructure ACI
Edge router ER

Executive Summary
This report contains all the information about what we did in the last three months at Awash Bank.
During this training, we learned and practised numerous skills and much knowledge about wired
and wireless network configuration and installation at Awash Bank. An internship is a program that
allows students to gain practical knowledge from the working environment as well as
to experience working with people. It enables us to put into practice the skills, techniques and
knowledge that are important for success in our future work. As the main purpose of this
internship is to create a link between theory and practice, we have gained varied
practical knowledge in networking.
This report consists of four main chapters. In the first chapter we have included the background history,
vision and mission, and main services of the organization. The second chapter of this report covers
basic networking concepts and networking devices with their configuration. The third chapter of the
report describes the overall benefits we gained from this internship. It further describes the
theoretical and practical knowledge acquired and also the team, interpersonal and leadership
skills we developed during the internship. Finally, the last chapter presents the conclusion and
recommendations for the concerned bodies.

CHAPTER ONE

1.BACKGROUND OF THE COMPANY


1.1. Introduction
We performed our industry internship at Awash Bank from April 1- June 30/2023 G.C
academic year. During this training, we learned and practised numerous skills and much knowledge
about wired network configuration and installation at Awash Bank. An internship is a program
that allows students to gain practical knowledge from the working environment as well as to
experience working with people. It enables us to put into practice the skills, techniques and
knowledge that are important for success in our future work. As the main purpose of this
internship is to create a link between theory and practice, we have gained varied
practical knowledge in networking. Thus, this document contains all the basic information about
our work experience, basic information about the organization we stayed in, how we were oriented
to our work, our duties and responsibilities, recommendations for the internship and other topics.
This report focuses for the most part on the major project; the smaller projects are described more
briefly. The conclusion section provides a summary of the key conclusions derived from our
internship experience.

1.2. Background history of Awash bank


(1) Awash Bank, Ethiopia’s pioneering private bank, was established on November 10, 1994
after the downfall of the socialist regime. The Bank was established by 486 founding
shareholders with a paid-up capital of Birr 24.2 million and started banking operations on Feb.
13, 1995. Since commencing operations, the Bank has registered remarkable growth.
Notwithstanding global and domestic challenges, Awash Bank has exhibited superior
operational and financial performance among private banks operating in Ethiopia. Awash Bank
is currently working towards strengthening its capital base, technological capabilities, human
resources and customer base. Our name derives from the Awash River, which is extensively used
in Ethiopia for small to large-scale irrigation schemes, hydroelectricity generation and
industrial activities. By that token, the tagline “nurturing like the river” implies Awash Bank’s
immense contribution to the country’s socio-economic development. We also serve the
population by encouraging the habit of saving, providing credit facilities and facilitating
efficient and fast payment systems. One of the core values of our bank is accessibility. We
always strive to improve our accessibility by means of different service delivery channels.
Currently, we are the most accessible private bank in the country, with a large footprint
and an extensive branch network. In addition to the branch network, we provide our customers the
convenience of 24/7 service through ATMs, point-of-sale terminals, internet, mobile and agency
banking. Corporate social responsibility has lain at the heart of Awash Bank’s activities since its
establishment. The Bank’s intent is to change the socio-economic situation of the communities
within which it operates by ploughing back funds to improve education, health and the
environmental and social wellbeing of the disadvantaged strata. The positive impact of our
activities is clearly indicated by the number of elementary schools built in collaboration with
NGOs, the health facilities improved, the trees planted in different parts of the country and
the like. Our success is measured by the realization of our organizational goals and the objectives
specified in our strategy. In this regard, we have crafted a 10-year strategic roadmap with
the theme ‘Transforming AIB: Vision 2025’. It has ambitious financial and non-financial targets.
Nevertheless, our performance so far indicates that the Bank is on the verge of attaining those
targets well before 2025. Awash Bank has recorded above-average banking industry growth
rates in most key financial performance indicators in the last decade. Indeed, Awash Bank has
recorded the fastest growth rate among private banks operating in the country. We owe this
impressive achievement to the visionary leadership of our Board of Directors, dedicated
management team, committed staff and loyal customers.

1.3. Vision and Mission of Awash bank


1.3.1. Vision
“To be the first Choice World Class Bank”

1.3.2. Mission
“To provide innovative, Competitive and Diversified banking service accessible to the society
with qualified and committed staff in a profitable and socially responsible manner’’

1.4. Core values of an organization
• Corporate Citizenship - We value the importance of our role in the national development
endeavor and step up for commitment. We abide by the laws of Ethiopia and other
countries in which we do business. We care about society's welfare and the environment.
• Customer Satisfaction - We strive to excel in our business and satisfy our customers.
• Quality Service - We are committed to offering quality service to our customers and aspire
to be branded with quality in the minds of our customers and the general public.
• Innovation - We encourage new ideas that can improve customers' experience and the
Bank's performance.
• Teamwork - We recognize the importance of teamwork for our success. We respect
diversity of viewpoints.
• Integrity - We are committed to the highest ideals of honor and integrity.
• Employees - We recognize our employees as valuable organizational resources.
• Public Confidence - We understand that the sustainability of our business depends on our
ability to maintain and build up the public's confidence.

1.5. Main service of Awash bank


Deposit products
• Saving Accounts
• Current Accounts
• Fixed term Accounts
• Special Saving Account
Special Deposit Accounts
• Special Saving Account for Elders
• Lucy Women Special Saving Account
• Smart Children Account
• Student Solution Account
• Investment Solution Account
• Check Payment Solution Scheme
• Wadiah Student Solution Account
• Salary Solution Account

• Provident Fund Solution Account
Digital Channels
• Mobile Banking
• Agency Banking
• Debit Card Services
• Internet Banking

1.6. Organizational structure

Fig. 1.1. Organizational structure of awash bank (2)

CHAPTER TWO

2. OVERALL INTERNSHIP EXPERIENCE


2.1. Objectives of the Internship
The internship program has its own general and specific objectives.
General Objective

The general objective of this internship program is to introduce the practical and tangible world
to the engineering student by relating it to the theoretical knowledge we have acquired at Debretabor
University over the past four years.

Specific Objectives

• To make the students confident and aware of their potential for their future life.
• To show them the outside working environment and help them adapt to it.
• To develop the ability to communicate and work with people.
• To play a great role in improving their practical, theoretical, interpersonal
interaction, team playing, entrepreneurship and leadership skills, and their understanding
of work ethics, responsibility, punctuality, etc.
• To enable the students to be problem solvers for any engineering aspect related to the
course.

2.2. How We get the company


We are fifth-year electronic communication engineering students at Debretabor University. Our
faculty gives the internship opportunity in the first semester of the fifth year, and the campus gave us a
request letter to go out and do an internship. Immediately after we took the internship request letter
from the University Industry Linkage (UIL) office at the beginning of April, we started to
search for and choose a suitable company related to our stream, electronic communication
engineering, for our internship period. Then we sent the letters to the organizations that could be
related to the field we studied. But most of the organizations did not answer us, and some of
them told us that they would not accept us, for their own reasons.

After a lot of effort, through the goodwill of Mr. Henok, we got a place at Awash Bank, which accepted our
request. He introduced us to the overall working system of the team and also assigned us
a supervisor, Mr. Bereket. Finally, we agreed to start our internship according to our schedule in the
middle of April.

2.3. Section of the office


 Network administration

In this office many networking tasks are carried out. The networks of Awash Bank are
controlled from this office, from configuration and installation for a new branch to maintenance
when a system fails, both in a branch and in the main network that comes from the ISP. For this reason
the section is highly secured.

2.4. The work task we have been executing


When we started our internship, our supervisor introduced the overall network of Awash Bank, but
most of it was hidden from us because of security concerns; not even all employees know the whole
network, and they only perform the tasks they are given by the chief. After we completed the introduction,
our supervisor gave us a reading assignment, and on the next day we presented what we
had read. After our presentation the supervisor reviewed the definitions in more detail together with their
configuration. Our day-to-day activity was like this; sometimes we observed networking devices such as
switches, routers and types of cable. Let us see in detail the concepts that we gained from the internship.

2.5. Skills and Knowledges that we Gained


2.5.1. Basics of computer networking and configuration
What is a computer network?
(3) A computer network is a collection of interconnected devices that share resources and
information. These devices can include computers, servers, printers, and other hardware.
Networks allow for the efficient exchange of data, enabling various applications such as email,
file sharing, and internet browsing.
Basic Terminologies of Computer Networks
 Network: A network is a collection of computers and devices that are connected together
to enable communication and data exchange.

 Nodes: Nodes are devices that are connected to a network. These can include computers,
Servers, Printers, router, switch and other devices.
 Protocol: A protocol is a set of rules and standards that govern how data is transmitted
over a network. Examples of protocols include TCP/IP, HTTP or HTTPS, and FTP.
 Topology: Network topology refers to the physical and logical arrangement of nodes on
a network. The common network topologies include bus, star, ring, mesh, and tree.
 Service Provider Networks: These networks allow an organization to lease network
capacity and functionality from a provider. Service Provider Networks
include wireless communications, data carriers, etc., e.g. telecommunication companies such as
Safaricom.
 IP Address: An IP address is a unique numerical identifier that is assigned to every
device on a network. IP addresses are used to identify devices and enable communication
between them.
 DNS: The domain name system (DNS) is a protocol that is used to translate human-
readable domain names (such as www.google.com) into IP addresses that computers can
understand.
 Firewall: A firewall is a security device that is used to monitor and control incoming and
outgoing network traffic. Firewalls are used to protect networks from unauthorized access
and other security threats.
Types of Enterprise Computer Networks
LAN: A Local Area Network (LAN) is a network that covers a small area, such as an office or a
home. LANs are typically used to connect computers and other devices within a building or a
campus.
WAN: A Wide Area Network (WAN) is a network that covers a large geographic area, such as a
city, country, or even the entire world. WANs are used to connect LANs together and are
typically used for long-distance communication.
Cloud Networks: Cloud Networks can be visualized with a Wide Area Network (WAN) as they
can be hosted on public or private cloud service providers and cloud networks are available if
there is a demand. Cloud Networks consist of Virtual Routers, Firewalls, etc.
OSI vs TCP/IP Network models

OSI stands for Open Systems Interconnection. It is a reference model that specifies standards for
communication protocols and also the functionality of each layer. The OSI model was
developed by the International Organization for Standardization and it is a 7-layer architecture.
Each layer of OSI has different functions and each layer has to follow different protocols. The 7
layers are as follows:
Physical Layer: The lowest layer of the OSI model is responsible for transmitting individual
bits over a medium such as fibre, coaxial copper or wireless.
➔ fibre between data center devices and branches
Data Link Layer: It is responsible for transmitting frames from one node to another.
Network Layer: It is responsible for receiving frames from the data link layer and delivering
them to their intended destinations based on the addresses contained inside the packet.
The network layer finds the destination by using logical addresses, such as IP (Internet Protocol).
• IPv4 addressing: An IPv4 address uniquely identifies a network interface in a device. IP is a part of the
TCP/IP suite, where IP is the principal set of rules for communication on the Internet.
• Subnetting: is the practice of dividing a network into two or more smaller networks. It
increases routing efficiency, enhances the security of the network, and reduces the size of
the broadcast domain.
• Network address translation (NAT): is a technique commonly used by internet service
providers (ISPs) and organizations to enable multiple devices to share a single public IP
address. By using NAT, devices on a private network can communicate with devices on a
public network without the need for each device to have its own unique public IP address.
Transport Layer: It manages the delivery and error checking of data packets. It regulates the
size, sequencing, and ultimately the transfer of data between systems and hosts. It can be either
UDP or TCP.
Session Layer: It controls the conversations between different computers.
Presentation Layer: The presentation layer formats or translates data for the application layer
based on the syntax or semantics that the application accepts.
Application Layer: It is the highest abstraction layer of the OSI model and provides the
interfaces and protocols needed by the users.
This layer uses a number of protocols (HTTP, FTP, SMTP, DNS, TELNET, SNMP).
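The subnetting and NAT bullets above describe two things a network engineer does by hand on paper: carve an address block into smaller subnets (shrinking each broadcast domain) and let many private hosts share one public address. The following Python example, added here and not part of the original report, works both through: it uses the standard `ipaddress` module to produce a subnet plan for a constructed block (`192.168.10.0/24`) and then models a minimal NAT overload (PAT) table in a class named `PortAddressTranslator`, a name chosen for this illustration. The NAT model also shows the defensive side effect the text hints at: an inbound packet to a port with no existing mapping has nowhere to go and is dropped.

```python
import ipaddress

# Constructed sample block for the illustration (not an address from the report).
ENTERPRISE_BLOCK = "192.168.10.0/24"


def subnet_plan(block: str, new_prefix: int) -> list[dict]:
    """Split `block` into equal subnets of prefix length `new_prefix` and describe each.

    Each entry records the network, first and last usable host, broadcast address and
    number of usable hosts. Prefixes longer than /30 have no conventional host range,
    so they are rejected here rather than returning a misleading plan.
    """
    if new_prefix > 30:
        raise ValueError("plan supports prefixes up to /30 (need network + broadcast + hosts)")
    net = ipaddress.ip_network(block, strict=True)
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        plan.append({
            "network": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
            # Every host in the parent block would otherwise hear each broadcast.
            "broadcast_domain_before": net.num_addresses,
            "broadcast_domain_after": sub.num_addresses,
        })
    return plan


class PortAddressTranslator:
    """Minimal NAT overload (PAT) table: many private (ip, port) pairs behind one public IP.

    This is a teaching model, not a faithful router implementation: there are no
    timeouts, no TCP state tracking and no port-range exhaustion handling.
    """

    def __init__(self, public_ip: str, private_net: str, first_port: int = 1024):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port
        self.outbound: dict[tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.inbound: dict[int, tuple[str, int]] = {}    # public port -> (private ip, port)

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Rewrite a private source (ip, port) to (public ip, allocated port)."""
        ip = ipaddress.ip_address(src_ip)
        if ip not in self.private_net:
            raise ValueError(f"{src_ip} is not inside the inside network {self.private_net}")
        key = (str(ip), src_port)
        if key not in self.outbound:          # first packet of a flow: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return str(self.public_ip), self.outbound[key]

    def translate_inbound(self, dst_port: int):
        """Map a packet arriving at the public IP back to the private host, or None.

        None means 'no state for this port': unsolicited inbound traffic is dropped,
        which is why hosts behind NAT are not directly reachable from outside.
        """
        return self.inbound.get(dst_port)


if __name__ == "__main__":
    for row in subnet_plan(ENTERPRISE_BLOCK, 26):
        print(row["network"], row["first_host"], "-", row["last_host"], "bcast", row["broadcast"])
    nat = PortAddressTranslator("203.0.113.5", ENTERPRISE_BLOCK)   # 203.0.113.0/24 is documentation space
    print(nat.translate_outbound("192.168.10.7", 51000))
    print(nat.translate_inbound(9999))
```

Splitting the /24 into four /26 subnets cuts each broadcast domain from 256 addresses to 64; the same function can plan any other prefix the design calls for. The translator's inbound lookup is the part worth pausing on: the mapping only exists because an inside host initiated the flow first.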

TCP/IP (Transmission Control Protocol/Internet Protocol) is a suite of communication protocols
that define the standards for transmitting data over computer networks, including the internet.
The TCP/IP protocol is the foundation of the internet and enables devices to communicate with
each other using a common language.
TCP/IP Layers
Network Access Layer: It is the lowest layer of the TCP/IP model. It combines the
Physical Layer and the Data Link Layer that are present in the OSI model. Its main responsibility is
the transmission of information between two devices on the same network.
Internet/Network Layer: It is the third layer of the TCP/IP model and is also known as the
Network layer. The main responsibility of this layer is to send packets from any network so that
they arrive at the destination irrespective of the route they take.
Transport Layer: It is responsible for the reliability, flow control and correction of data that is
being sent over the network. The two protocols used in this layer are the User Datagram
Protocol and the Transmission Control Protocol.
Application Layer: The application layer is the topmost layer within the TCP/IP model. When
one application layer protocol needs to communicate with another application layer, it forwards
its information to the transport layer.

9
Fig.2.1.OSI vs TCP/IP Model

2.5.2. Hierarchy model


Because networks can be extremely complicated, with multiple protocols and diverse
technologies, Cisco has developed a layered hierarchical model for designing a reliable network
infrastructure. This three-layer model helps you design, implement, and maintain a scalable,
reliable, and cost-effective network. Each of the layers has its own features and functionality, which
reduces network complexity.

Fig.2.2. three level hierarchy model

 Access - controls user and workgroup access to the resources on the network. This layer
usually incorporates Layer 2 switches and access points that provide connectivity
between workstations and servers. You can manage access control and policy, create
separate collision domains, and implement port security at this layer.
 Distribution - serves as the communication point between the access layer and the core.
Its primary functions are to provide routing, filtering, and WAN access and to determine
how packets reach the core. This layer determines the fastest way that network
service requests are served (for example, how a file request is forwarded to a server) and,
if necessary, forwards the request to the core layer. This layer usually consists of routers
and multilayer switches.
 Core - also referred to as the network backbone, this layer is responsible for transporting
large amounts of traffic quickly. The core layer provides interconnectivity between
distribution layer devices; it usually consists of high-speed devices, such as high-end routers
and switches with redundant links.

2.5.3. Technical practice on switches


Virtual Local Area Network (VLAN)
VLANs (Virtual LANs) are logical groupings of devices in the same broadcast domain (4).
VLANs are usually configured on switches by placing some interfaces into one broadcast
domain and some interfaces into another. Each VLAN acts as a subgroup of the switch ports in
an Ethernet LAN.
Inter-VLAN
Each VLAN is its own subnet and broadcast domain, which means that frames broadcast onto
the network are switched only between the ports within the same VLAN. For inter-VLAN
communication, an OSI Layer 3 device (usually a router) is needed. This Layer 3 device needs to
have an IP address in each VLAN and a connected route to each of those subnets. The hosts
in each subnet can then be configured to use the router's IP addresses as their default gateway.
Spanning Tree Protocol (STP)
STP is a network protocol designed to prevent Layer 2 loops. It is standardized as IEEE 802.1D.
STP blocks some ports on switches with redundant links to prevent broadcast storms
and ensure a loop-free logical topology. With STP in place, you can have redundant links
between switches in order to provide redundancy.
EtherChannel
EtherChannel is a technology in which we bundle physical interfaces together to create a single
logical link. It is also known as link aggregation. It provides fault-tolerant and high-speed links
between Cisco switches and routers and is often seen in the backbone network. The approved
open standard is called 802.3ad, which works with other vendors and is often called LAG.
Its advantages are load balancing, increased bandwidth and redundancy.
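The inter-VLAN and EtherChannel paragraphs above (and the project's EtherChannel section 4.10.5) describe two things that usually meet on the same uplink: a Layer 3 switch routing between VLANs through SVIs, and a bundle of physical links carrying those VLANs as one trunk. The configuration below is an added example, not the report's own; VLAN numbers, names and prefixes follow Table 1 of the report, while the hostnames, port numbers, the SVI addresses (first usable address of each prefix) and the choice of LACP are assumptions made for this example.

```cisco
! Added example (not from the report): SVI inter-VLAN routing on a Layer 3 switch,
! reached from an access switch over a two-link LACP EtherChannel trunk.
! CORE-SW, ACCESS-SW1, the port numbers and the .1/.33 gateway addresses are assumptions.
!
! ===== CORE-SW (Layer 3 switch) =====
hostname CORE-SW
! Turn on the routing function so traffic can cross between SVIs.
ip routing
!
vlan 10
 name Management
vlan 20
 name LAN
vlan 90
 name INSIDE-SERVER
!
! One SVI per VLAN; its address is the default gateway of the hosts in that VLAN.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 172.16.0.1 255.255.0.0
 no shutdown
interface Vlan90
 ip address 10.11.11.33 255.255.255.224
 no shutdown
!
! Two physical links bundled into Port-channel 1. Trunk settings are applied to the
! members first so both sides of the bundle match; LACP "active" negotiates on both ends.
interface range GigabitEthernet1/0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,90
 channel-group 1 mode active
!
interface Port-channel1
 description EtherChannel trunk to ACCESS-SW1
!
! ===== ACCESS-SW1 (Layer 2 switch) =====
hostname ACCESS-SW1
!
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,90
 channel-group 1 mode active
!
interface Port-channel1
 description EtherChannel trunk to CORE-SW
!
! Verification (privileged exec):
!   show etherchannel summary   Po1 in use (SU) with both members bundled (P)
!   show ip route               one connected (C) route per SVI on CORE-SW
!   show ip interface brief     the Vlan interfaces are up/up once the VLANs exist
```

Pulling one of the two cables should leave `Po1` up with one member, which is the redundancy the EtherChannel paragraph promises; a VLAN that is not in the allowed list on both ends is simply not carried, so keep the lists identical on the two switches.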
2.5.4. Technical practice on routers
Routing
IP routing is the process of sending packets from a host on one network to another host on a
different remote network. This process is usually done by routers. Routers examine the
destination IP address of a packet, determine the next-hop address, and forward the packet.
Routers use routing tables to determine the next-hop address to which the packet should be
forwarded.
Types of routing

1. Static Routing:
• Manual configuration: Network administrators manually define routes for each
destination network.
• Simple networks: Suitable for small, static networks with few changes.
• Limited scalability: Difficulty in managing large networks or frequent topology
changes.
• Less efficient: Can lead to suboptimal routing choices if not configured carefully.

2. Default Routing:
• Single default route: All traffic destined for unknown networks is sent to a single
default gateway.
• Simplicity: Easy to configure and manage.
• Less flexibility: Limited control over traffic flow.
• Potential inefficiency: May not always select the most efficient path.
3. Dynamic Routing:
• Automatic route updates: Routers exchange routing information with each other
to discover and update routes dynamically.
• Scalability: Well-suited for large and complex networks.
• Efficiency: Can adapt to network changes and select optimal routes.
• Complexity: Requires more configuration and management overhead.

Dynamic Routing Protocols:

 Distance Vector Protocols:


• RIP (Routing Information Protocol): Simple but less efficient, often used in
small networks.
• EIGRP (Enhanced Interior Gateway Routing Protocol): More efficient and
scalable than RIP, commonly used in Cisco networks.

 Link-State Protocols:
• OSPF (Open Shortest Path First): Highly scalable and efficient, widely used in
large networks.
• IS-IS (Intermediate System-to-Intermediate System): Similar to OSPF but
with a different focus on hierarchical networks.
 Path Vector Protocol:
• BGP (Border Gateway Protocol): Used for routing between autonomous
systems (ASes) on the internet.
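The three routing types and the OSPF protocol listed above can all be seen on one branch router. The configuration below is an added example, not the report's own: it uses the LAN prefix from Table 1 (172.16.0.0/16) and the inside-server prefix (10.11.11.32/27), while the hostname, the point-to-point WAN prefix 10.0.0.0/30, the HQ next hop, the router-id and the interface names are assumptions made for this example.

```cisco
! Added example (not from the report): static, default and dynamic (OSPF) routing on one
! branch router. R-BRANCH, the 10.0.0.0/30 WAN link, HQ at 10.0.0.1 and the router-id
! are assumptions.
hostname R-BRANCH
!
interface GigabitEthernet0/0
 description branch LAN
 ip address 172.16.0.1 255.255.0.0
 no shutdown
interface GigabitEthernet0/1
 description WAN link to HQ
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! 1) Static routing: the administrator names the next hop for one specific prefix.
!    Shows up as "S" in the routing table.
ip route 10.11.11.32 255.255.255.224 10.0.0.1
!
! 2) Default routing: anything without a more specific match goes to HQ.
!    Shows up as "S*" (candidate default).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! 3) Dynamic routing with OSPF: advertise the LAN and the WAN link; HQ learns them
!    and the branch learns HQ's prefixes (shown as "O") without any manual entries.
router ospf 1
 router-id 2.2.2.2
 network 172.16.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
 ! No OSPF hellos toward the LAN: the prefix is still advertised, but no device on
 ! the LAN can form an adjacency and feed routes into the table.
 passive-interface GigabitEthernet0/0
!
! Verification (privileged exec):
!   show ip route               C, S, S* and O entries side by side
!   show ip ospf neighbor       HQ in FULL state over Gi0/1
!   show ip route 10.11.11.40   picks the /27 static route, not the default, by
!                               longest-prefix match
```

The last verification line is the point a routing table decides on: both the default route and the /27 static route match 10.11.11.40, and the longer prefix wins. If HQ also advertises 10.11.11.32/27 through OSPF, the static entry still wins because its administrative distance (1) is lower than OSPF's (110); removing the static route is what lets the dynamic route take over.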

2.6. Tools that we have been using


Cisco Packet Tracer: is a comprehensive networking simulation software tool for teaching and
learning how to create network topologies and imitate modern computer networks. The tool
offers a unique combination of realistic simulation and visualization experiences, assessment and
activity authoring capabilities, and multi-user collaboration and competition opportunities. Its
innovative features help students and teachers collaborate, solve problems, and learn networking
concepts in an engaging and dynamic social environment.
Layer 2 Switch: an OSI Layer 2 device, which means that it can inspect received traffic and
make forwarding decisions. Each port on a switch is a separate collision domain and can run in
full duplex mode. A switch manages the flow of data across a network by inspecting the
incoming frame's destination MAC address and forwarding the frame only to the host for which
the data was intended. Each switch has a dynamic table (called the MAC address table) that
maps MAC addresses to ports. With this information, a switch can identify which system is
sitting on which port and where to send the received frame.

Fig.2.2. layer 2 switch

Layer 3 Switch: A Layer 3 switch is a special network device that has the functionality of a
router and a switch combined into one chassis. It works in our network by simply allowing
connected devices that are on the same subnet or virtual LAN (VLAN) to exchange information
at lightning speed, just like a switch that operates in the data link layer of the OSI model, but it
also has the IP routing intelligence of a router built into it.

Fig.2.3. layer 3 switch

Router: a router is most commonly an OSI Layer 3 device, since its forwarding decision is based
on OSI Layer 3 information, the destination IP address. Routers divide broadcast
domains, provide full duplex communication, and have traffic filtering capabilities. In Awash
Bank, routers are used for branch communication, as the interface to the ISP, as interfaces to the DMZ zone,
and for VLAN communication.

Fig.2.4. cisco router

Console cables, also known as Cisco cables, rollover cables and management cables, are
designed for a specific purpose. They connect Cisco networking devices to terminals or PCs for
configuration. Typically, the Cisco end connects via RJ45, and the terminal end
ends in a serial connection.

Fig.2.5. serial port console cable

Fiber optic cable, also known as optical fiber cable, is a type of Ethernet cable which consists of
one or more optical fibers that are used to transmit data. It is an assembly similar to an electrical
cable, but it carries light, and the price of fiber optic cable is much higher than that of
copper cable. These cables are used in the Awash Bank data center network because the data center needs
more security.

Fig.2.6. different types of fiber optics cable

2.7. Challenges and problems that we have faced and measures taken

When our advisor is free, we learn by seeing and understanding what we need to see and understand from
him. But most of the time he is busy; when he is busy, we practice what we have seen and try to
learn something by reading important documents in soft copy and practicing configurations on Packet
Tracer.
The staff members weren't able to trust us to observe and test all required things, due to
security.
Lack of awareness: they do not expect that students can solve a big problem for such a big
company. To address this problem, we are studying for the Cisco Certified Network Associate (CCNA)
for further knowledge.
There is no permission to connect your own electronic equipment such as phones, laptops, flash drives and
so on to the company network and computers. We also did not have a fixed desktop for studying and
doing the tasks given by our supervisor. This problem is not something we could address, because this is done for
their network security. Most of the time we study at home, and when there is a question we ask
our supervisor.

CHAPTER THREE
3.THE OVERALL BENEFITS OF INTERNSHIP
During these three months of our internship program at Awash Bank we obtained many benefits; we
were able to understand the objective of our stream, and how broad and essential it is for the planet.
From the internship we gained many experiences when what we had learned theoretically was brought into
practice. Therefore, the internship enables students to compare theoretical knowledge with the
practical world. In general, we gained the following important and interesting benefits,
which are:
• Improving theoretical knowledge
• Improving Practical Skills
• Leadership skill
• Work ethics related issue
• Entrepreneur ship skill
• Interpersonal communication skills
These benefits are discussed briefly below.

3.1. Improving theoretical knowledge


The internship program has given us a chance to enhance our theoretical knowledge to a great extent.
It is very interesting because every time the system invites us to study more to reach the next
level. In the theory class, we learned about communication systems and what they mean; when this was
supported by practice it increased our knowledge and broadened our view. It strengthened what
we learned in the class and gave us more understanding. In addition to practical skills, it
helped us to know things that we didn't know at the theory level. It also made us remember what
we had forgotten. When we learned in class it was a general thing, but when it is practical it makes
sense.
In addition to this, we understood that knowing the theory is an important thing for
doing any practice, so in addition to the theoretical knowledge we have now, we have realized that
we need to read and understand a lot.

3.2. Improving Practical Skills
The first and foremost importance of the internship is for students to gain practical skills. When we
started working in the company everything was new for us; we had only theoretical knowledge
of the work. It was really fascinating and inspiring to see and experience the lessons we had
been learning for the past 4 years, and so we tried to experience and learn every work as much
as we could. The practical skills we gained in the company are:
• How the networking configuration works
• Designing networking
• Working on software
• How to sharing
• Able to secure

3.3. leadership skill


During the internship program we haven't worked as leaders, but we have learned a lot of
leadership skills from the people who have been in leading positions in the organization.
In our internship time we have developed good leadership skills; these are:
• How to be a good leader who keeps an open line of communication with team
members, shares clear messages and makes complex ideas easy to understand for
everyone.
• Being an empathetic leader who focuses on identifying with others and understanding
their perspective.
• Being a strategic and critical thinker in order to be a strong leader. A great leader brings
positivity into the work environment, which in turn uplifts the employees and encourages
them to perform better.
• Being the best leader, who gets out of their comfort zone and quickly adapts to changing work
conditions.
• Time management

3.4. Work ethics issue


Work ethic is a set of values centered on the importance of doing work, reflected especially
in a desire or determination to work hard. It is a belief in work as a moral good.

These are what we understand at internship time-
• Responsibility
• Office discipline
• Punctuality
• Reliability
• Honesty
• Cooperation

3.5. Entrepreneurship skill


The internship period is a good opportunity to develop entrepreneurship skills. Some of the gaps
seen in the workplace made us think of new ideas to solve problems and create jobs.
We understood how to turn lessons into action. Nowadays, since technology is expanding, we
understood that we have to move ourselves from idea to action and go with technology.
The following are some of these skills
• Asking our self about what we are doing and trying to answer
• Focus on the cause of the problem
• Ability to connect ideas
• Turning idea into action

3.6. Interpersonal communication skill


Interpersonal skills are behaviors that help us interact with others effectively in our workplace.
When we communicate with others, we not only share ideas or solve problems, we also
connect and strengthen our bond with others.
Some of interpersonal skills are-
• Communication
• Conflict resolution
• Listening
• Negotiation
• Meditation
• Problem-solving
• Leadership
• Decision making
• Team/collaboration

CHAPTER FOUR
PROJECT TITLE: - DESIGN SECURE ENTERPRISE NETWORK
USING PACKET TRACER

4.1. Abstract
This project outlines a comprehensive approach to strengthening network security in an
enterprise environment, simulated using Packet Tracer. As organizations depend on digital
infrastructure, securing network devices like routers is crucial. Our solution incorporates a multi-
layered security strategy, including strong password policies, encryption via SSH, and
administrative closure of unused ports. VLANs are used to segment traffic and enhance security,
while ACLs are configured to control packet forwarding based on predefined rules. Additionally,
firewall inspection policies and interface security zones are implemented to protect the network.
The system also covers essential configurations such as STP port fast, BPDU guards, Ether-
channel, HSRP, inter-VLAN routing, DMZ setup, DHCP server configuration, OSPF routing,
wireless network, and VoIP setups. By integrating these techniques, the project not only secures
the network but also improves traffic flow, reducing latency and optimizing performance. This
robust framework ensures business continuity and guards against evolving cyber threats,
enhancing the integrity and resilience of enterprise operations.

4.2. Introduction
In today's interconnected world, networks have become the lifeblood of businesses and
individuals alike. The exponential growth of digital technologies has transformed the way we
communicate, collaborate, and conduct business. However, this digital revolution has also
brought forth new challenges, particularly in the realm of cyber security.
Cyber threats, ranging from simple phishing attacks to sophisticated, targeted intrusions, pose
significant risks to organizations of all sizes. As cybercriminals continue to innovate, it is
imperative to implement robust security measures to protect sensitive data, maintain operational
integrity, and ensure business continuity.
This project aims to address these challenges by designing and implementing a secure network
infrastructure. By employing a multi-layered security approach, we seek to safeguard our
network from unauthorized access, data breaches, and other cyber threats.

Multi-access control is a security technology that can regulate who uses resources in a computing
environment. It is a method to improve network security by limiting the availability of network
resources to terminal devices. The access control list (ACL) is one of several access control
technologies. It is a very powerful security feature of Cisco IOS. By using ACLs, we can deny
unwanted access to the network while allowing internal users appropriate access to necessary
services. SSH, or Secure Shell, is a cryptographic network protocol that provides a secure way to
access remote computers. It is like a secure tunnel that protects your data as it travels between
your device and the remote system. Firewall inspection policies are a set of rules defined within
a firewall to scrutinize network traffic. They act as the gatekeeper, determining which traffic is
allowed to pass through the firewall and which is blocked. By analyzing various parameters of
network packets, such as source and destination IP addresses, ports, protocols, and payload
content, firewalls can effectively filter and control network traffic.

4.3. Background information


Asset protection is the only objective of security. The networks of today are more open thanks to
the development of personal computers, LANs, and the vast Internet. It will be crucial to strike a
balance between being open and isolated as e-business and Internet applications expand. The
Internet started to generate countless security vulnerabilities as LANs and personal PCs
proliferated. Firewall devices were introduced: pieces of hardware or software
that impose an access control policy between two or more networks. Businesses were able to use
this technology to balance security and straightforward outbound access to the Internet, which
was mostly used for e-mail and web browsing. Network security is the most vital component in
information security because it is responsible for securing all information passed through
networked computers. Network security refers to all hardware and software functions,
characteristics, features, operational procedures, accountability measures, access controls, and
administrative and management policy required to provide an acceptable level of protection for
hardware, software, and information in a network. Network security, in order for it to be
successful in preventing information loss, must follow three fundamental precepts. First, a secure
network must have integrity, such that all of the information stored therein is always correct and
protected against accidental data corruption as well as willful alteration. Next, to secure a
network there must be confidentiality, or the ability to share information on the network with
only those people for whom the viewing is intended. Finally, network security requires
availability of information to its necessary recipients at the predetermined times without
exception. The three principles that network security must adhere to evolved from years of
practice and experimentation that make up network history.
Statement of problem
During our internship at Awash Bank, we worked on monitoring and problem solving around
secure network design and the implementation of an enterprise network. In our practice at
Awash Bank, we focused on various aspects of network management, including monitoring,
configuration, and maintenance.
We identified several challenges within Awash Bank, such as using only one ISP, network
security, network speed, and network design issues like using a router at the distribution layer and using
router-on-a-stick inter-VLAN routing rather than the scalable SVI inter-VLAN routing. We decided to
address the issue of network design, as it is a fundamental aspect for any organization. One of
the primary challenges we faced was budget constraints, as the costs associated with designing a
robust network system can be significant.
To enhance the network design, we proposed using two ISPs. This design approach offers a cost-
effective solution while enabling the integration of network systems. It ensures good security and
leverages high-quality devices at lower prices. Additionally, ensuring the availability of the
necessary equipment is crucial for the successful installation of all network components.

4.4. Objective
4.4.1. General objective
To design and implement a secure network system for a finance company.
4.4.2. Specific objective
 To configure basic security measures on the routers, switches and servers, like hostname,
password, banner message, password encryption, disabling unused ports, using a DHCP
address range for used ports, etc.
 To create VLANs (Virtual Local Area Networks).
 To configure firewall inspection policies.
 To configure firewall interface security zones and levels.
 To configure the wireless network.
 To configure VoIP.
 To configure Spanning Tree PortFast and BPDU Guard.
 To configure inter-VLAN routing, OSPF, EtherChannel and HSRP.
 To configure NAT.
 To configure the extended access control list technique.
 To improve the security of routers, switches and servers, and also to create a DMZ zone.
 To simulate the network in Cisco Packet Tracer.

4.5. Significance of the project


This project's importance lies in enhancing the security of network equipment such as
servers, routers, and switches, controlling traffic flow, and increasing the reliability of data. This in
turn increases both the speed and the data rate of the packets sent and received in the network, as well as
load balancing. One of the important points is security and authentication to oppose
unauthorized access.

4.6. Scope of the project


The extent of this project covers basic security measures to decrease the vulnerability of
network devices such as routers, switches, and servers to outsiders or intruders: by
configuring passwords, encrypting passwords, limiting virtual users (limiting the users/admins
who access network devices remotely), shutting down all unused
ports administratively, creating VLANs, adding a banner message, using a DHCP address range
for used ports, using static addresses for the DMZ/server farm and internal servers, and by configuring access
control lists, inspection policies and interface security levels on the firewalls. By passing through all
the above steps we can secure the routers, and we can secure our network generally. Extra
tools are excluded from this project, such as an SSH/Telnet client like PuTTY
(software which is used to remotely access and configure network devices). After all, the
project can be applied mainly in enterprises, especially financial institutions, by preventing
intruders or hackers from easily accessing the network.

4.7. Limitation
The limitation of using multiple access control technologies to protect network devices is
that we cannot achieve a complete security solution. Security is not absolute; it’s an ongoing
process. It’s essential to strike a balance between protection and availability, allowing for a
reasonable level of defense against threats. While Cisco Packet Tracer is a useful
configuration tool, it cannot match the performance of a fully deployed network.

4.8. Literature review


In today's digital landscape, the importance of secure enterprise network design cannot be
overstated. Organizations face increasing threats from cyber-attacks, necessitating robust
strategies for protecting sensitive data and maintaining operational integrity. Secure network
architecture is foundational for enterprise security, as highlighted by Cisco Systems (3). The
Cisco Secure Network Architecture emphasizes integrating security at every layer of the network
through a defense-in-depth strategy. This approach implements multiple security measures to
safeguard data from various threats, incorporating policies, procedures, and technologies that
ensure data confidentiality and integrity. Essential security principles in network design, such as
least privilege and separation of duties, are critical for mitigating risks. Stallings (5) outlines
that these principles dictate that users should only have access to the information necessary for their
roles, reducing the risk of insider threats. Similarly, Maughan (6) emphasizes a layered security
approach, deploying firewalls, intrusion detection systems, and encryption to create multiple
barriers against potential breaches. The use of Virtual Local Area Networks (VLANs) further
enhances security within enterprise networks, as discussed by (6). VLANs help isolate different
types of traffic, minimizing the risk of sensitive information exposure. By segmenting networks,
organizations can manage traffic more effectively and enforce tailored security policies for
specific user groups or applications. (5) supports this notion, illustrating the benefits of VLAN
implementation in maintaining a secure and organized network environment. Inter-VLAN
routing plays a crucial role in facilitating communication between different VLANs while
maintaining security. Layer 3 switches are instrumental in this regard, as they combine switching
and routing capabilities to manage traffic efficiently. Sullivan (7) emphasizes the advantages of
Layer 3 switching in terms of speed and scalability, enabling organizations to expand their
networks without compromising security. Additionally, (8) discusses how Layer 3 switches can
enforce access control lists (ACLs) to regulate traffic between VLANs, further enhancing
security measures. (8) provides a comprehensive framework for improving cybersecurity across
critical infrastructure, outlining best practices for risk management and emphasizing the need for
continuous monitoring and assessment of security measures. (8) complements this by discussing
specific strategies for enterprise network security, including the establishment of security zones
and the implementation of robust authentication mechanisms.
As organizations evolve, so too do the threats they face. (7) notes that emerging technologies,
such as cloud computing and the Internet of Things (IoT), introduce new vulnerabilities that
must be addressed in network design.

4.9. System design and analysis


4.9.1. Overview

[Figure 4.1 Overview diagram: Layer 3 switch, switch and end user, with password encryption, ACL and VLAN as the security elements]

Figure 4.1 Overview diagram

The admin can access all Layer 3 switches, switches and end users by using the IP address of the
management VLAN. The password that is created is encrypted with the crypto command; it
must be hidden from anyone, whether an authorized or an unauthorized user. The ACL filters any IP
address in and out of the router through the deny or permit rules that are loaded into it.
A VLAN connects a building or department; it simply

4.10. Methodology
We observed and identified the problem of Awash Bank, then gathered all the necessary data and
information needed for the design of the system. We also identified and installed software
suitable for the design of the project, i.e., Cisco Packet Tracer. Finally, we designed the
network diagram in Cisco Packet Tracer and configured all the devices: password
encryption, VLAN creation, router, Layer 3 switch, switch, Wireless LAN Controller
(WLC), VoIP and firewall configuration, for simulation of the network.

[Fig 4.2 Methodology block diagram: Data collection method -> Observation -> Literature review -> Develop network design -> Simulating using Cisco Packet Tracer -> Result and conclusion]

Fig 4.2 Methodology block diagram

4.10.1. Network Design and Beautification

This section outlines the approach to network design and beautification, emphasizing both
functionality and aesthetics.

Network Design involves careful planning to ensure a robust infrastructure. Key components
include selecting the appropriate topology (e.g., star or mesh) to optimize data flow, specifying
hardware like routers and switches based on performance needs, and developing an effective IP
addressing scheme to avoid conflicts. Additionally, incorporating redundancy ensures fault
tolerance and network reliability, while scalability allows for future growth without significant
reconfiguration.

Beautification focuses on creating a visually appealing environment. Effective cable
management reduces clutter and improves airflow, making maintenance easier. Strategic
placement of devices enhances accessibility and integrates seamlessly with the workspace
design. Thoughtful use of lighting and clear signage can guide users and elevate the overall
aesthetic.

By balancing technical efficiency with aesthetic considerations, we aim to create a network
infrastructure that is both functional and visually pleasing, fostering a positive user experience.

4.10.2. Basic Settings to all devices + SSH + Standard ACL for SSH

This section outlines the essential configurations required for all network devices, focusing on
establishing secure management access and controlling network traffic.

Basic Settings to All Devices involve standardizing configurations across the network. This
includes setting device hostnames, configuring domain names, and ensuring consistent time
settings using protocols like NTP. Additionally, enabling password protection for console and
auxiliary access is crucial for maintaining device security.

Secure Shell (SSH) is implemented to facilitate secure remote management of devices. Unlike
Telnet, SSH encrypts data during transmission, protecting sensitive information from
interception. The setup involves generating SSH keys, enabling the SSH server on devices, and
configuring user authentication to ensure only authorized personnel can access network devices.

Standard Access Control Lists (ACLs) are employed to restrict SSH access to specific IP
addresses or networks. By defining rules within the ACL, we can permit or deny traffic based on
source addresses, enhancing security by limiting management access to trusted hosts only.
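The three parts of this section (basic settings, SSH, and a standard ACL that limits who may open an SSH session) fit on one switch. The configuration below is an added example, not the report's own: the Management VLAN (10, 192.168.10.0/24) and the BLACK-HOLE VLAN (199) come from Table 1 of the report, while the hostname, domain name, the account name and secrets, the NTP server address, the management-VLAN gateway and the port numbers are assumptions made for this example.

```cisco
! Added example (not from the report): baseline hardening, SSH-only management and a
! standard ACL that restricts management access to the Management VLAN.
! ACCESS-SW1, awash.example, netadmin, both secrets, 192.168.10.250 (NTP),
! 192.168.10.1 (gateway) and the port range are assumptions.
hostname ACCESS-SW1
ip domain-name awash.example
!
! Local credentials. "secret" stores a hash; service password-encryption hides the
! remaining plain-text passwords (line passwords) in "show running-config".
enable secret StrongEnableSecret!23
username netadmin privilege 15 secret StrongUserSecret!45
service password-encryption
!
banner motd ^
Authorized access only. Activity on this device is monitored and logged.
^
!
! Same clock on every device so log timestamps can be correlated.
ntp server 192.168.10.250
!
! Console and AUX: local login, idle sessions expire after 5 minutes.
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
line aux 0
 login local
 exec-timeout 5 0
!
! SSH: 2048-bit host key, version 2 only, short login window, few retries.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Standard ACL: only sources in the Management VLAN may reach the VTY lines.
ip access-list standard MGMT-SSH
 permit 192.168.10.0 0.0.0.255
 deny   any
!
! VTY lines: ACL applied inbound, Telnet removed entirely, local accounts.
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Management address in VLAN 10 so the switch itself is reachable.
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.10.1
!
! Unused ports: shut down and parked in the black-hole VLAN, not left in VLAN 1.
vlan 199
 name BLACK-HOLE
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 199
 shutdown
!
! Verification (privileged exec):
!   show ip ssh            version 2 enabled, timeout and retry values
!   show access-lists      match counters on MGMT-SSH grow when a session is attempted
!   show line vty 0 15     shows the ACL and "ssh" as the only input transport
```

Two checks worth doing in the simulator: an SSH attempt from a host in VLAN 20 should be refused before any password prompt (that is the `access-class` working, and the `deny any` counter increments), and `telnet` to the switch should fail even from the Management VLAN because `transport input ssh` removed it.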

4.10.3. VLAN Assignment + All Access and Trunk Ports on L2 and L3 Switches
A VLAN is a logical group of workstations, servers, and network devices that appear to be on
the same Local Area Network (LAN) despite their geographical distribution. In a nutshell,
grouping hardware into VLANs enables traffic between equipment to be separated and more secure.
For example, you might have an Engineering, Marketing, and Accounting department. Each
department has workers on different floors of the building or in other buildings, but they still need
to access and communicate information within their own department. It is essential for sharing
documents and web services.
Access and trunk ports are essential components in the configuration of Layer 2 (L2) and Layer 3
(L3) switches, particularly for VLAN management. Access ports connect end devices like
computers and printers and carry traffic for a single VLAN, tagging all packets with the same
VLAN ID. This ensures effective segmentation within the network.
In contrast, trunk ports connect switches and can carry traffic for multiple VLANs
simultaneously. They use protocols like IEEE 802.1Q to tag packets with their respective VLAN
IDs, allowing for efficient communication between different VLANs. On Layer 3 switches, trunk
ports facilitate inter-VLAN routing, enabling traffic to flow seamlessly without requiring
external routers. Proper configuration of access and trunk ports is crucial for optimizing network
performance, maintaining security, and ensuring effective VLAN segmentation.

Table 1 Description of cables in the connection

VLAN No.   VLAN NAME       IP address
10         Management      192.168.10.0/24
20         LAN             172.16.0.0/16
50         WLAN            10.20.0.0/16
70         VOIP            172.30.0.0/16
90         INSIDE-SERVER   10.11.11.32/27
199        BLACK-HOLE      -

DMZ: The DMZ is assigned IP addresses from the range 10.11.11.0/27.
Public addresses: addresses from the range 105.100.50.0/30 from Ethiotelecom and
197.200.100.0/30 from Safaricom.
4.10.4. STP PortFast and BPDU Guard Configurations
This section addresses the configuration of Spanning Tree Protocol (STP) features, specifically
PortFast and BPDU Guard, to enhance network stability and security.

STP PortFast is a feature that allows switch ports connected to end devices (like computers or
printers) to bypass the usual STP listening and learning states, transitioning directly to the
forwarding state. This minimizes the time it takes for devices to connect to the network,
improving user experience. PortFast should only be enabled on ports that connect to end devices,
as it can lead to network loops if applied to switch-to-switch connections.

BPDU Guard is a protective mechanism that works in conjunction with PortFast. When
enabled, BPDU Guard will disable a port if it receives a Bridge Protocol Data Unit (BPDU).
This is crucial in preventing misconfigurations or rogue switches from impacting the network's
STP topology. By configuring BPDU Guard on PortFast-enabled ports, we ensure that any
accidental connection to another switch will trigger a port shutdown, thus maintaining network
stability.
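A BPDU Guard trip is only useful if somebody notices it. The following Python, an added example that is not part of the report, scans switch syslog output for BPDU Guard events and summarises which edge ports were err-disabled and which keep tripping; the log lines are constructed, and the message formats are modeled on IOS-style %SPANTREE-2-BLOCK_BPDUGUARD and %PM-4-ERR_DISABLE messages (exact wording varies by platform, so the patterns are an assumption).

```python
"""Scan switch syslog output for BPDU Guard trips and summarise which PortFast
edge ports were err-disabled. Added example; the log lines are constructed and
the message formats are modeled on IOS %SPANTREE-2-BLOCK_BPDUGUARD and
%PM-4-ERR_DISABLE messages (exact wording varies by platform)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: Fa0/7 trips twice (once more after errdisable recovery,
# so whatever sends BPDUs is still plugged in); Gi0/2 trips once.
SAMPLE_LOG = """\
Mar  1 00:12:05.311: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
Mar  1 00:12:05.319: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  1 00:12:06.002: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
Mar  1 00:17:05.410: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/7
Mar  1 00:17:09.133: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
Mar  1 00:17:09.140: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  1 00:31:44.900: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/2 with BPDU Guard enabled. Disabling port.
"""

BPDU_TRIP = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on (\S+),")
_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_ifname(name: str) -> str:
    """Normalise 'FastEthernet0/7' and 'Fa0/7' to the same key."""
    for long, short in _ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def bpduguard_report(log: str, repeat_threshold: int = 2) -> Dict[str, dict]:
    """Per port: number of BPDU Guard trips, whether an err-disable was logged,
    and whether the trips repeated (the foreign switch is still attached)."""
    trips: Dict[str, int] = defaultdict(int)
    disabled = set()
    for line in log.splitlines():
        m = BPDU_TRIP.search(line)
        if m:
            trips[short_ifname(m.group(1))] += 1
            continue
        m = ERR_DISABLE.search(line)
        if m:
            disabled.add(short_ifname(m.group(1)))
    return {
        port: {"bpdu_trips": n, "err_disabled": port in disabled, "repeated": n >= repeat_threshold}
        for port, n in trips.items()
    }


def ports_needing_attention(report: Dict[str, dict]) -> List[str]:
    """Ports that keep tripping: remove the attached switch or, if the link is a
    legitimate uplink, take PortFast off that port instead of weakening BPDU Guard."""
    return sorted(p for p, info in report.items() if info["repeated"])


if __name__ == "__main__":
    rep = bpduguard_report(SAMPLE_LOG)
    for port, info in rep.items():
        print(port, info)
    print("attention:", ports_needing_attention(rep))
```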

4.10.5. EtherChannel

This section covers the implementation of EtherChannel, a network technology that allows the
aggregation of multiple physical links into a single logical link. This enhances both bandwidth
and redundancy between switches or other networking devices.

EtherChannel enables the combination of up to eight physical Ethernet links, effectively
increasing throughput and providing load balancing across the links. This aggregation reduces
the risk of bottlenecks and improves overall network performance.

4.10.6 HSRP and Inter-VLAN Routing
This section focuses on the implementation of Hot Standby Router Protocol (HSRP) and Inter-
VLAN routing, both of which are crucial for ensuring high availability and efficient
communication across VLANs in a network.

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol designed to
ensure high availability for IP networks. HSRP enables multiple routers to work together as a
single virtual router, providing a reliable default gateway for devices within a VLAN. Key
features include:

1) Active and Standby Routers: HSRP designates one router as the active router, which
handles traffic, while a standby router is ready to take over if the active router fails. This
minimizes downtime and ensures continuous network service.
2) Virtual IP Address: HSRP uses a virtual IP address that serves as the default gateway
for end devices. This allows for seamless failover without requiring reconfiguration on
client devices.
3) Priority and Preemption: Routers can be assigned priority values, influencing which
router becomes active. Preemption allows a higher-priority router to reclaim the active
role when it comes back online.

Inter-VLAN Routing is the process of enabling communication between different VLANs
within a network. This is essential in environments where devices in separate VLANs need
to communicate. Inter-VLAN routing can be achieved through:

1) Router-on-a-Stick: This method uses a single router with a sub-interface for each
VLAN. The router handles traffic between VLANs, enabling devices in different VLANs to
communicate.
2) Layer 3 Switches: Modern networks often use Layer 3 switches, which can perform
routing functions directly. This approach provides faster communication between VLANs
without the need for an external router.

By effectively implementing HSRP and Inter-VLAN routing, we can enhance network reliability
and facilitate efficient communication across different segments of the network. This ensures
that devices remain connected and that failover mechanisms are in place to minimize disruptions.
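The election rules above (priority, tie-break, preemption) are easy to get wrong in a design review, so here is an added example, not from the report, that models HSRP's active/standby election and runs it through a failure and recovery of the primary gateway. Router names, addresses and priorities are constructed, the virtual IP is assumed to be the LAN VLAN gateway, and hello/hold timers are ignored so failover is immediate.

```python
"""A small model of HSRP's active/standby election with priority and
preemption, run through a failure and a recovery of the primary gateway.
Added example: router names, addresses and priorities are constructed and
timers (hello/hold) are ignored, so failover here is immediate."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # the router's own interface address in the VLAN
    priority: int = 100     # IOS default
    preempt: bool = False   # IOS default: a recovered router does not take over
    up: bool = True


class HsrpGroup:
    def __init__(self, virtual_ip: str, routers: List[HsrpRouter]):
        self.virtual_ip = virtual_ip            # the default gateway clients use
        self.routers: Dict[str, HsrpRouter] = {r.name: r for r in routers}
        self.active: Optional[str] = self._best()
        self.standby: Optional[str] = self._best(exclude=self.active)

    @staticmethod
    def _key(r: HsrpRouter) -> Tuple[int, int]:
        # higher priority wins; on a tie the higher interface address wins
        return (r.priority, int(ipaddress.IPv4Address(r.ip)))

    def _best(self, exclude: Optional[str] = None) -> Optional[str]:
        cands = [r for r in self.routers.values() if r.up and r.name != exclude]
        return max(cands, key=self._key).name if cands else None

    def state(self) -> Tuple[Optional[str], Optional[str]]:
        return self.active, self.standby

    def fail(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        self.routers[name].up = False
        if name == self.active:
            self.active = self.standby        # standby takes over the virtual IP
        self.standby = self._best(exclude=self.active)
        return self.state()

    def recover(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        r = self.routers[name]
        r.up = True
        if self.active is None:
            self.active = name
        elif r.preempt and self._key(r) > self._key(self.routers[self.active]):
            self.active = name                # preemption: reclaim the active role
        # the standby role is re-elected by priority regardless (modeling assumption)
        self.standby = self._best(exclude=self.active)
        return self.state()


def failover_scenario(preempt: bool) -> List[Tuple[Optional[str], Optional[str]]]:
    """R1 (priority 110) is the intended gateway, R2 keeps the default 100.
    Returns (active, standby) after start-up, after R1 fails, after R1 returns."""
    group = HsrpGroup("172.16.0.1", [
        HsrpRouter("R1", "172.16.0.2", priority=110, preempt=preempt),
        HsrpRouter("R2", "172.16.0.3"),
    ])
    return [group.state(), group.fail("R1"), group.recover("R1")]


if __name__ == "__main__":
    print("with preempt   :", failover_scenario(True))
    print("without preempt:", failover_scenario(False))
```

Without `standby preempt` the recovered primary stays standby, which is why a design that sets priorities but forgets preemption ends up with traffic on the "backup" gateway indefinitely.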

4.10.7 OSPF on Firewalls, Routers and Layer3 Switches

This section discusses the implementation of Open Shortest Path First (OSPF), a widely used
link-state routing protocol, across firewalls, routers, and Layer 3 switches in a network
infrastructure.

Overview of OSPF: OSPF is designed to provide efficient and dynamic routing within large and
complex networks. It uses a hierarchical structure, dividing the network into areas to optimize
route management and reduce overhead. OSPF is well-suited for both large enterprise networks
and service provider environments.

OSPF Configuration on Routers: Configuring OSPF on routers involves enabling the protocol
and defining OSPF areas. Key steps include:

1. Router ID: Assigning a unique router ID to each OSPF-enabled router, which identifies
it within the OSPF domain.
2. Area Configuration: Defining OSPF areas, typically starting with Area 0 (the backbone
area) and then adding other areas to improve scalability.
3. Network Statements: Specifying which interfaces participate in OSPF by using network
statements to associate IP address ranges with OSPF areas.

OSPF on Layer 3 Switches: Layer 3 switches can also implement OSPF to facilitate routing
between VLANs. The configuration process is similar to that of routers, focusing on enabling
OSPF and defining VLAN interfaces as OSPF-enabled networks.

OSPF on Firewalls: Implementing OSPF on firewalls provides dynamic routing capabilities
between different security zones. This is essential for managing traffic between internal networks
and external connections while maintaining security policies. Key considerations include:

1) Interface Configuration: Enabling OSPF on relevant interfaces while ensuring
appropriate access control lists (ACLs) are in place to control routing updates.
2) Security Policies: Ensuring that OSPF routing does not compromise the security posture
of the network by carefully managing which routes are advertised and accepted.
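A network statement only enables OSPF on interfaces whose address it actually covers, and a mistyped prefix fails silently. The following Python is an added example, not the report's configuration: it works out which interfaces a process would enable and lists statements that match nothing. The interface addresses are those of the telecom router in the appendix; the first two statements are deliberately mistyped (105.10.50.x instead of 105.100.50.x) to show what the check reports, and the rule that the most specific matching statement wins is a modeling assumption.

```python
"""Decide which interfaces an OSPF process enables from its network statements
and report statements that match no interface. Added example: the interface
addresses are the telecom router's from the appendix; the first two statements
are deliberately mistyped (105.10.50.x instead of 105.100.50.x) to show what
the check reports. IOS takes a wildcard mask, ASA `router ospf` a subnet mask."""
import ipaddress
from typing import Dict, List, Tuple

Statement = Tuple[str, str, int]   # (network, mask, area)

TELECOM_IFS = {   # name -> primary address
    "GigabitEthernet0/0/0": "105.100.50.1/30",
    "GigabitEthernet0/0/1": "105.100.50.5/30",
    "GigabitEthernet0/0/2": "20.20.20.1/30",
}
MISTYPED: List[Statement] = [
    ("105.10.50.0", "0.0.0.3", 0),
    ("105.10.50.4", "0.0.0.3", 0),
    ("20.20.20.0", "0.0.0.3", 0),
]
CORRECT: List[Statement] = [
    ("105.100.50.0", "0.0.0.3", 0),
    ("105.100.50.4", "0.0.0.3", 0),
    ("20.20.20.0", "0.0.0.3", 0),
]


def _care_bits(mask: str, style: str) -> int:
    """Bits that must match: a subnet mask as-is, a wildcard mask inverted."""
    m = int(ipaddress.IPv4Address(mask))
    return m if style == "subnet" else ~m & 0xFFFFFFFF


def covers(addr: str, network: str, mask: str, style: str) -> bool:
    care = _care_bits(mask, style)
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def ospf_interfaces(interfaces: Dict[str, str], statements: List[Statement],
                    style: str = "wildcard") -> Dict[str, int]:
    """{interface: area} for interfaces whose address matches a statement.
    When several match, the most specific one wins (modeling assumption)."""
    enabled: Dict[str, int] = {}
    for ifname, cidr in interfaces.items():
        ip = cidr.split("/")[0]
        hits = [(bin(_care_bits(m, style)).count("1"), area)
                for n, m, area in statements if covers(ip, n, m, style)]
        if hits:
            enabled[ifname] = max(hits)[1]
    return enabled


def unmatched_statements(interfaces: Dict[str, str], statements: List[Statement],
                         style: str = "wildcard") -> List[Statement]:
    """Statements that enable nothing: almost always a typo in the prefix or mask."""
    ips = [c.split("/")[0] for c in interfaces.values()]
    return [s for s in statements if not any(covers(ip, s[0], s[1], style) for ip in ips)]


if __name__ == "__main__":
    for label, stmts in (("mistyped", MISTYPED), ("correct", CORRECT)):
        print(label, "enabled:", ospf_interfaces(TELECOM_IFS, stmts),
              "unmatched:", unmatched_statements(TELECOM_IFS, stmts))
```

Passing an IOS wildcard such as 0.0.0.3 where the platform expects a subnet mask (or the reverse) also shows up here: with `style="subnet"` a 0.0.0.3 mask cares about two bits only and matches almost everything.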

4.10.8. Firewall Interface Security Levels and Zones

This section explores the configuration of security levels and zones in firewall systems, which
are critical for managing network security and controlling traffic flow.

Security Levels: In a firewall, interfaces are assigned security levels that determine the level of
trust associated with each interface. This is typically represented on a scale from 0 to 100, where:

• Level 0: Represents the least trusted interface, such as the internet-facing interface. This zone is
highly scrutinized and closely monitored.
• Level 100: Represents the most trusted interface, such as the internal network. Traffic from this
zone is considered safe and subject to fewer restrictions.

The assignment of security levels helps the firewall determine the rules for allowing or denying
traffic between interfaces. For example, traffic is generally allowed from a higher security level
to a lower security level, while traffic in the reverse direction is restricted unless explicitly
permitted.

Security Zones: Firewalls can also be configured into zones, which are logical groupings of
interfaces that share similar security policies. Common zones include:

• Inside Zone: Represents the trusted internal network where devices are typically considered
secure.
• Outside Zone: Represents the untrusted external network, usually the internet, where threats are
more prevalent.
• DMZ (Demilitarized Zone): An optional zone that hosts publicly accessible services (e.g., web
servers) while providing a buffer between the internal network and the outside world.

Traffic Control: Configuring security levels and zones enables granular control over traffic
flow. Rules can be established to dictate how traffic is permitted or denied between zones. This
setup helps in:

1. Access Control: Defining which devices or users can communicate across zones based on
established security policies.

2. Threat Mitigation: Reducing the attack surface by isolating less secure areas (like the DMZ)
from the trusted internal network.

4.10.9. Firewall Inspection Policy Configurations

This section outlines the configuration of firewall inspection policies, which are essential for
managing and controlling the flow of traffic through a network firewall while ensuring security
and compliance.

Overview of Inspection Policies: Firewall inspection policies define how different types of
traffic are handled by the firewall. These policies analyze incoming and outgoing traffic to
enforce security measures, detect threats, and maintain network integrity. The primary goals are
to prevent unauthorized access, protect sensitive data, and ensure legitimate traffic is permitted.

Configuration Steps:

1. Traffic Classification: The first step involves identifying and classifying traffic types
(e.g., HTTP, HTTPS, FTP, DNS). This classification helps in applying appropriate
inspection rules tailored to the nature of the traffic.
2. Stateful Inspection: Implementing stateful inspection allows the firewall to track the
state of active connections and make decisions based on the context of the traffic. This
means that the firewall can recognize and permit return traffic for established sessions,
enhancing security without hindering performance.
3. Policy Definition: Each inspection policy should clearly define rules for various traffic
types. This includes:
• Permit/Deny Rules: Establishing which traffic is allowed or blocked based on
source, destination, and application type.
• Deep Packet Inspection (DPI): Enabling deeper analysis of packets to detect
malicious content or anomalies beyond the header information.
4. Logging and Alerts: Configuring logging for traffic that matches inspection policies
helps in monitoring network activity and detecting potential threats. Alerts can also be set
up to notify administrators of suspicious activities or policy violations.

5. Policy Testing and Optimization: After configuration, it’s important to test the
inspection policies to ensure they function as intended. Continuous monitoring and
optimization may be necessary to adapt to evolving threats and changing network
conditions.

Benefits of Inspection Policies: Properly configured inspection policies enhance overall
network security by providing a robust mechanism for filtering and controlling traffic. They help
in mitigating risks associated with malware, unauthorized access, and data breaches, ensuring
that the network remains secure and compliant with organizational policies.
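To tie the security-level rules of section 4.10.8 to the stateful inspection described here, the following Python is an added example (not the report's configuration) that models how an ASA-style firewall decides a packet's fate from interface security levels, an inbound access-group and the connection table. The levels, zone subnets and the RES access list follow the report's first-firewall configuration; NAT is left out and the outside host address 203.0.113.7 is constructed.

```python
"""A small model of how an ASA-style firewall decides a packet's fate from
interface security levels, an inbound access-group and the stateful
connection table. Added example: the levels, zone subnets and the RES access
list follow the report's first-firewall configuration; NAT is left out and
the outside host address is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# (action, protocol, source, destination, destination port or None for any)
Rule = Tuple[str, str, str, str, Optional[int]]

RES_ACL: List[Rule] = [          # access-list RES extended permit ... from the report
    ("permit", "tcp", "any", "any", 80),
    ("permit", "tcp", "any", "any", 53),
    ("permit", "udp", "any", "any", 53),
]
LEVELS = {"INSIDE1": 100, "DMZ": 70, "OUTSIDE1": 0}
ZONES = [("172.16.0.0/16", "INSIDE1"), ("10.11.11.0/27", "DMZ")]   # anything else: OUTSIDE1
ACCESS_GROUPS = {"OUTSIDE1": RES_ACL, "DMZ": RES_ACL}              # applied inbound


class Asa:
    def __init__(self, levels: Dict[str, int], zones, access_groups: Dict[str, List[Rule]]):
        self.levels = levels
        self.zones = [(ipaddress.ip_network(n), name) for n, name in zones]
        self.access_groups = access_groups
        self.conns: Set[Tuple] = set()      # (src, sport, dst, dport, proto) of permitted flows

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        return next((name for net, name in self.zones if addr in net), "OUTSIDE1")

    @staticmethod
    def _match(ip: str, spec: str) -> bool:
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

    def _acl(self, rules: List[Rule], p: Packet) -> str:
        for action, proto, src, dst, dport in rules:
            if (proto in ("ip", p.proto) and self._match(p.src, src)
                    and self._match(p.dst, dst) and dport in (None, p.dport)):
                return action
        return "deny"                       # implicit deny at the end of every ACL

    def inspect(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) and record permitted new connections."""
        ingress, egress = self.zone_of(p.src), self.zone_of(p.dst)
        # 1. stateful inspection: the reverse of a permitted flow is return traffic
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "permit", f"return traffic of an established {p.proto} connection"
        # 2. an access-group on the ingress interface replaces the level default
        if ingress in self.access_groups:
            verdict = self._acl(self.access_groups[ingress], p)
            reason = f"access-group on {ingress}"
        # 3. default: a higher security level may start connections to a lower one
        elif self.levels[ingress] > self.levels[egress]:
            verdict, reason = "permit", f"{ingress}({self.levels[ingress]}) > {egress}({self.levels[egress]})"
        else:
            verdict, reason = "deny", f"{ingress} is not higher than {egress} and has no permit"
        if verdict == "permit":
            self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict, reason


def demo() -> List[str]:
    """Verdicts for a constructed sequence of packets through the modeled firewall."""
    fw = Asa(LEVELS, ZONES, ACCESS_GROUPS)
    packets = [
        Packet("172.16.5.10", "203.0.113.7", "tcp", 40000, 443),   # inside -> internet
        Packet("203.0.113.7", "172.16.5.10", "tcp", 443, 40000),   # its return traffic
        Packet("203.0.113.7", "10.11.11.5", "tcp", 51000, 80),     # internet -> DMZ web
        Packet("203.0.113.7", "172.16.5.10", "tcp", 51001, 22),    # internet -> inside ssh
        Packet("10.11.11.5", "172.16.5.10", "tcp", 45000, 22),     # DMZ -> inside ssh
        Packet("10.11.11.5", "172.16.5.10", "udp", 45001, 53),     # DMZ -> inside dns
    ]
    return [fw.inspect(p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note the last verdict: because `permit udp any any eq 53` is applied inbound on the DMZ interface, a DMZ host may open DNS connections towards inside hosts; narrowing the destination to the intended resolver is the usual tightening.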

4.10.10. Wireless Network Configurations

In this section, we detail the configuration of the wireless network, which is critical for providing
secure and reliable connectivity. The following steps outline the methodology for setting up the
wireless network:

1. SSID Configuration: Assign a unique Service Set Identifier (SSID) to the wireless
network to allow users to identify and connect to it easily. Default SSIDs should be
avoided to enhance security.
2. Security Protocols: Implement robust security measures by utilizing WPA2 or WPA3
with AES encryption. This ensures secure communication and prevents unauthorized
access. Appropriate authentication methods, such as Pre-Shared Key (PSK) or Extensible
Authentication Protocol (EAP), should also be configured.
3. Channel Selection: Analyze the wireless environment to select the optimal channel for
the network. This minimizes interference from neighboring networks and improves
overall performance.
4. Power Settings: Adjust the transmission power of access points to effectively manage
coverage. This helps eliminate dead zones and reduces signal overlap in areas with
multiple access points.
5. Guest Network Configuration: Establish a separate guest network to isolate guest
traffic from the main internal network. This protects sensitive resources while providing
internet access to guests.

6. Quality of Service (QoS): Implement QoS settings to prioritize critical traffic types, such
as voice and video, ensuring consistent performance for these applications.
7. Monitoring and Management: Continuously monitor the wireless network for
performance issues and security threats. Utilize network management tools for real-time
analysis and troubleshooting to maintain optimal network performance.

By following these steps, we aim to create a secure, efficient, and user-friendly wireless network
that meets the needs of all users while protecting organizational resources.

4.10.11 VOIP Configurations

This section outlines the configuration of Voice over IP (VoIP) systems, which are essential for
enabling efficient communication within organizations. Proper configuration ensures high-
quality voice calls and integrates seamlessly with existing network infrastructure. The following
steps are key to setting up VoIP:

1. Network Assessment: Evaluate the existing network infrastructure to ensure it can
support VoIP traffic. This includes assessing bandwidth, latency, and jitter to determine if
upgrades are necessary.
2. Quality of Service (QoS): Implement QoS policies to prioritize VoIP traffic over other
types of network traffic. This ensures that voice calls maintain high quality and are not
affected by bandwidth-heavy applications.
3. IP Phone Configuration: Configure IP phones with necessary settings, including SIP
(Session Initiation Protocol) parameters, user credentials, and network settings. Ensure
that phones are registered with the VoIP server.
4. VoIP Gateway Setup: If integrating with traditional phone lines, configure VoIP
gateways to facilitate communication between VoIP and PSTN (Public Switched
Telephone Network). This involves setting up call routing and signaling protocols.
5. Security Measures: Implement security protocols to protect VoIP communications from
eavesdropping and other threats. This includes enabling encryption (e.g., SRTP for voice
traffic) and configuring firewalls to allow VoIP traffic while blocking unauthorized
access.

6. Testing and Validation: Conduct thorough testing of the VoIP system, including making
test calls to evaluate call quality, connection stability, and latency. Address any issues
before full deployment.
7. User Training and Support: Provide training for users on how to utilize the VoIP
system effectively. Ensure that support resources are available for troubleshooting and
assistance.

By following these steps, we aim to establish a reliable and secure VoIP system that enhances
communication within the organization while optimizing network resources.

4.11. System design

[Figure 4.3: topology diagram. From top to bottom: Internet; two ISPs; two edge routers (R); two
firewalls (FW) and a switch (SW); two Layer 3 switches (L3 S), a WLC and a router (R); access
switches (SW); PCs and a SERVER.]

Fig 4.3 Overall system design

In the above diagram, the first step in establishing physical security is to define who is authorized
to install, remove, move, and update network devices such as routers and firewalls. This includes
determining who can connect directly to the router via console or other access ports. A well-
planned network design enhances both security and functionality, ensuring that device placement
and cabling minimize unauthorized access while optimizing performance.

It is crucial to implement a comprehensive password policy for all network devices, including
minimum character lengths for administrator and user passwords, and to enable SSH for secure
remote management. Standard Access Control Lists (ACLs) should be configured to restrict access
based on user roles and responsibilities, providing an additional layer of security. Proper VLAN
assignment and the configuration of access and trunk ports on Layer 2 and Layer 3 switches play
a vital role in segmenting network traffic, limiting access to sensitive resources, and enhancing
overall security. Additionally, implementing Spanning Tree Protocol (STP) features like PortFast
and BPDU Guard prevents network loops, ensuring topology stability. Configuring EtherChannel
increases bandwidth and provides redundancy, which is essential for maintaining a reliable
network. Effective subnetting and IP addressing improve network management and allow for
better control over communication pathways.

The implementation of Hot Standby Router Protocol (HSRP) provides redundancy across VLANs,
while Open Shortest Path First (OSPF) enhances routing efficiency within the network. Firewalls
should be configured with appropriate security levels and zones to control traffic flow, and
inspection policies must be established to analyze traffic and enforce security measures,
preventing unauthorized access. Furthermore, secure wireless configurations and robust VoIP
setups are essential to protect wireless communications and voice traffic.

To safeguard access to network devices, it is imperative to configure and enable secret passwords
for console, auxiliary, and VTY ports, encrypting all passwords using the service
password-encryption command to thwart recovery attempts. Disabling the password recovery
feature further protects against unauthorized access during a router reboot. Lastly, controlling
Virtual Terminal Lines (VTYs) is critical; each VTY should accept connections only through
necessary protocols, and the last VTY can be restricted to specific administrative workstations,
ensuring that access remains tightly controlled. By integrating these strategies, we can establish a
secure, efficient, and reliable network infrastructure that meets organizational needs while
minimizing the risks associated with unauthorized access.

4.12 Material Requirement
To carry out the project, both hardware and software requirements need to be fulfilled.
4.12.1. Hardware Requirements:

• Routers (Router-PT)
• Layer 3 Switches
• Switches (2960)
• Wireless LAN Controller (WLC)
• Printers
• Computers and PCs
• Firewalls
• LAP-PT access points
• IP Phones
• DHCP Server: The Dynamic Host Configuration Protocol (DHCP) is a network
management protocol used on Internet Protocol (IP) networks for automatically
assigning IP addresses and other communication parameters to devices connected
to the network, using a client–server architecture.
• HTTP Server: The Hypertext Transfer Protocol (HTTP) is an application layer
protocol for distributed, collaborative, hypermedia information systems. HTTP is
the foundation of data communication for the World Wide Web, where hypertext
documents include hyperlinks to other resources that the user can easily access, for
example by a mouse click or by tapping the screen in a web browser.
• FTP Server: The File Transfer Protocol (FTP) is a standard communication
protocol used for the transfer of computer files from a server to a client on a
computer network. FTP is built on a client–server model architecture using
separate control and data connections between the client and the server.
• Web Server: A web server is a computer that runs a website. It is a computer
program that distributes web pages on request. The basic purpose of a web server is
to store, process and deliver web pages to the users. This intercommunication is
done using the Hypertext Transfer Protocol.
Router: a network component that sends data packets over a network or the Internet to their
destination through a process known as routing. Routing occurs at layer 3 (the network layer,
e.g. the Internet Protocol) of the seven-layer OSI protocol stack. A router serves as a liaison
between two or more networks, carrying data from one network to another.
Layer 3 Switch: a switch that operates at the network layer of the OSI model and combines
the functionalities of both a switch and a router. Unlike traditional Layer 2 switches, which only
forward data based on MAC addresses, Layer 3 switches can route traffic between different
VLANs (Virtual Local Area Networks) using IP addresses. This capability allows them to
perform inter-VLAN routing, reducing the need for separate routers and improving overall
network efficiency. Layer 3 switches also support advanced routing protocols, enabling them to
handle complex network topologies.
Switch: a device that forwards data in the form of frames from one user to another by looking at
the physical device address, i.e. the MAC (Media Access Control) address. It determines which
port the destination MAC address belongs to, and if the address is known on none of its ports it
sends the frame out of all the ports. Some switches can also function as routers.
ISP (Internet service provider): a company that provides its customers with access to the internet
and other web services. In addition to maintaining a direct line to the internet, the company
usually maintains web servers.
4.12.2. Software Requirement
Packet Tracer
Cisco® Packet Tracer® is software developed by Cisco® that helps simulate a network
topology and its configuration. The version used is Cisco® Packet Tracer® version 5.3.3.0019.
Packet Tracer makes it possible to create logical and physical topologies and to configure
each element. These elements include network devices such as cables, routers, switches,
hubs, and end-user devices.

4.13. Result and discussion
4.13.1. Result
This chapter presents the results obtained while simulating our work in the Packet Tracer
software. Some screenshots are included to give a simple visual understanding of the designed
project.

Fig 4.4 logical diagram of project

Figure 4.5 Encryption of password

Fig 4.6 User Authentication on WLC

Fig 4.7 Phone call Checkup over IP Phone

Fig 4.8 Wireless Lan Controller User Interface on PC

4.13.2. Discussion
We have discussed a secure network design for an enterprise network and configured each
network device to protect it from unauthorized external and internal users using the necessary
techniques. Every packet entering and leaving the firewalls is filtered correctly on its source IP
address.

4.14. Conclusion and recommendation

Conclusion

This project deals with the secure enterprise network design of a finance company's network,
which has been established in a simulated environment. The routers, firewalls, DMZ, switches,
WLC, VoIP, servers and the computer systems were configured accordingly. Packets were sent
from one computer to another and the transmission of such data to its destination was successful
and efficient. Through the network, emails and files can be sent and received among staff
members as well as with the outside world of the institution in the desired way. In order to
secure the network, various methods are implemented. Password encryption is applied on the
switches and routers to restrict their use. Authentication is done within the network. The ACL
allows only those files to flow from the server that are allowed for the staff. In addition, VLANs
are installed for better security and protection of the network. Remote access is allowed from the
management VLAN only, and HSRP is also used for traffic management.
Recommendation

This project has been successfully done with simulation using Packet Tracer, but it is better to
implement the hardware design in future work so that the project becomes more applicable and
relevant. It can also be extended to an additional observing framework by including an
SSH/Telnet client like PuTTY (software used to remotely access and configure network
devices). In the future, security can be provided by creating filters based on source addresses,
destination addresses, protocol, port number and other features used for packet-based filtering
of packets that traverse the network. In addition, we will add branches by using advanced
routing protocols like SD-WAN.

CHAPTER FIVE

5. GENERAL CONCLUSION AND RECOMMENDATION


5.1 General conclusion
It is clear that the internship period is very important and useful. A student who has been on an
internship will definitely know something and get involved.
We were also interns and we benefited a lot from it. We did networking practice at the
organization. When we practiced networking, we were strangers to it at the beginning. Later, as
we got used to it and our knowledge about it increased, it became interesting for us. Related to
our study, we learned more about communication networks, networking devices and how they
work. We know that computer networking is a part of communication.
This internship was not one sided; in these three months we learned how to develop the ability to
communicate and work with people, to put knowledge into practice, to develop the skill of
seeing and experiencing the world of work, and to enhance the ability to solve problems and
create work. This internship has been a very useful experience for us. We can confidently say that
our understanding of the job environment has increased greatly.
The internship was also good for finding out what our strengths and weaknesses are. This helped
to define which skills and knowledge we have to improve in the coming time.
In general, in the electronic communication engineering stream, we understand that we need to
study and work harder than we do now.

5.2 General Recommendation


5.2.1 To the company
• The company is not documented, especially for interns and new employees. If there were
something that helped them learn how to work and how to adapt easily to the nature of the
work, they could do their work without being completely dependent on another worker.
Therefore, we recommend that the company document its work.
• It would be good if they prepared complete enough office space and seats for intern students.

5.2.2. To the University
• Before sending a student to an internship, the university should inform the student where
and what kind of place he/she has to go to, facilitate the place where the student has to go
and work, or if possible expand the laboratory on the campus. We recommend this.

APPENDIX

Configuration on router telecom


Router>en
Router#conf t
Router(config)#int gig0/0/0
Router(config-if)#ip add 105.100.50.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int g0/0/1
Router(config-if)#ip add 105.100.50.5 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int g0/0/2
Router(config-if)#ip add 20.20.20.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int gig0/0/0
Router(config-if)#ip routing
Router(config-if)#no sh
Router(config-if)#router ospf 35
Router(config-router)#router-id 1.1.3.3
Router(config-router)#network 105.100.50.0 0.0.0.3 area 0
Router(config-router)#network 105.100.50.4 0.0.0.3 area 0
Router(config-router)#network 20.20.20.0 0.0.0.3 area 0
Router(config-router)#do wr
Configuration on router safaricom
Router>en
Router#conf t
Router(config)#int gig0/0/0
Router(config-if)#ip add 197.200.100.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int g0/0/1
Router(config-if)#ip add 197.200.100.5 255.255.255.252

Router(config-if)#no sh
Router(config-if)#int g0/0/2
Router(config-if)#ip add 30.30.30.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int gig0/0/0
Router(config-if)#ip routing
Router(config-if)#no sh
Router(config-if)#router ospf 35
Router(config-router)#router-id 1.1.4.4
Router(config-router)#network 30.30.30.0 0.0.0.3 area 0
Router(config-router)#network 197.200.100.0 0.0.0.3 area 0
Router(config-router)#network 197.200.100.4 0.0.0.3 area 0
Router(config-router)#do wr
Configurations on cluster router
Router>en
Router#conf t
Router(config)#int gig0/0/0
Router(config-if)#ip add 20.20.20.2 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int g0/0/1
Router(config-if)#ip add 30.30.30.2 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int g0/0/2
Router(config-if)#ip add 8.0.0.1 255.0.0.0
Router(config-if)#no sh
Router(config)#int gig0/0/0
Router(config-if)#ip routing
Router(config-if)#no sh
Router(config-if)#router ospf 35
Router(config-router)#router-id 1.1.5.5
Router(config-router)#network 8.0.0.0 0.255.255.255 area 0

Router(config-router)#network 20.20.20.0 0.0.0.3 area 0
Router(config-router)#network 30.30.30.0 0.0.0.3 area 0
Router(config-router)#do wr
Configurations on first Firewall
ciscoasa>en
Password:
ciscoasa#conf t
ciscoasa(config)#hostname FRW
FRW(config)#int gig1/3
FRW(config-if)#no sh
FRW(config-if)#ip add 10.2.2.2 255.255.255.252
FRW(config-if)#nameif INSIDE1
FRW(config-if)#SECUrity-level 100
FRW(config-if)#EX
FRW(config)#int gig1/4
FRW(config-if)#no sh
FRW(config-if)#ip add 10.2.2.10 255.255.255.252
FRW(config-if)#nameif INSIDE2
FRW(config-if)#SECURity-level 100
FRW(config-if)#EX
FRW(config)#int gig1/5
FRW(config-if)#no sh
FRW(config-if)#ip add 10.11.11.1 255.255.255.224
FRW(config-if)#nameif DMZ
FRW(config-if)#security-level 70
FRW(config-if)#ex
FRW(config)#int gig1/1
FRW(config-if)#no sh
FRW(config-if)#ip add 105.100.50.2 255.255.255.252
FRW(config-if)#nameif OUTSIDE1
FRW(config-if)#security-level 0

FRW(config-if)#EXIT
FRW(config)#int gig1/2
FRW(config-if)#no sh
FRW(config-if)#ip add 197.200.100.2 255.255.255.252
FRW(config-if)#nameif OUTSIDE2
FRW(config-if)#security-level 0
FRW(config-if)#ex
FRW(config)#wr mem
FRW(config)#route outside1 0.0.0.0 0.0.0.0 105.100.50.1
FRW(config)#route outside2 0.0.0.0 0.0.0.0 197.200.100.1 70
FRW(config)#router ospf 35
FRW(config-router)#router-id 1.1.8.8
FRW(config-router)#network 105.100.50.0 255.255.255.252 area 0
FRW(config-router)#network 197.200.100.0 255.255.255.252 area 0
FRW(config-router)#network 10.11.11.0 255.255.255.224 area 0
FRW(config-router)#network 10.2.2.0 255.255.255.224 area 0
FRW(config-network-object)#object network INSIDE1-OUTSIDE1
FRW(config-network-object)#SUBnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDE2-OUTSIDE1
FRW(config-network-object)#SUBnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDEw1-OUTSIDEw1
FRW(config-network-object)#SUBnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDEw2-OUTSIDEw1
FRW(config-network-object)#SUBnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDE1-OUTSIDE2
FRW(config-network-object)#SUBnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE2) dynamic interface

FRW(config-network-object)#object network INSIDE2-OUTSIDE2
FRW(config-network-object)#subnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network INSIDEw1-OUTSIDEw2
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network INSIDEw2-OUTSIDEw2
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network DMZ-OUTSIDE1
FRW(config-network-object)#subnet 10.11.0.0 255.255.0.0
FRW(config-network-object)#nat (DMZ,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network DMZ-OUTSIDE2
FRW(config-network-object)#subnet 10.11.0.0 255.255.0.0
FRW(config-network-object)#nat (DMZ,OUTSIDE2) dynamic interface
FRW(config-network-object)#exit
FRW(config)#access-list RES extended permit tcp any any eq 80
FRW(config)#access-list RES extended permit tcp any any eq 53
FRW(config)#access-list RES extended permit udp any any eq 53
FRW(config)#access-group RES in interface DMZ
FRW(config)#access-group RES in interface OUTSIDE1
FRW(config)#access-group RES in interface OUTSIDE2
Configurations on second firewall
ciscoasa>en
Password:
ciscoasa#conf t
ciscoasa(config)#hostname FRW
FRW(config)#int gig1/3
FRW(config-if)#no sh
FRW(config-if)#ip add 10.2.2.6 255.255.255.252
FRW(config-if)#nameif INSIDE1
FRW(config-if)#security-level 100
FRW(config-if)#exit
FRW(config)#int gig1/4
FRW(config-if)#no sh
FRW(config-if)#ip add 10.2.2.14 255.255.255.252
FRW(config-if)#nameif INSIDE2
FRW(config-if)#security-level 100
FRW(config-if)#exit
FRW(config)#int gig1/1
FRW(config-if)#no sh
FRW(config-if)#ip add 105.100.50.6 255.255.255.252
FRW(config-if)#nameif OUTSIDE1
FRW(config-if)#security-level 0
FRW(config-if)#exit
FRW(config)#int gig1/2
FRW(config-if)#no sh
FRW(config-if)#ip add 197.200.100.6 255.255.255.252
FRW(config-if)#nameif OUTSIDE2
FRW(config-if)#security-level 0
FRW(config-if)#exit
FRW(config)#wr mem
FRW(config)#route OUTSIDE2 0.0.0.0 0.0.0.0 197.200.100.5
FRW(config)#route OUTSIDE1 0.0.0.0 0.0.0.0 105.100.50.5 70
FRW(config)#router ospf 35
FRW(config-router)#router-id 1.1.9.9
FRW(config-router)#network 105.100.50.4 255.255.255.252 area 0
FRW(config-router)#network 197.200.100.4 255.255.255.252 area 0
FRW(config-router)#network 10.2.2.4 255.255.255.252 area 0
FRW(config-router)#network 10.2.2.12 255.255.255.252 area 0
FRW(config-router)#exit
FRW(config)#object network INSIDE1-OUTSIDE1
FRW(config-network-object)#subnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDE2-OUTSIDE1
FRW(config-network-object)#subnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDEw1-OUTSIDEw1
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDEw2-OUTSIDEw1
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE1) dynamic interface
FRW(config-network-object)#object network INSIDE1-OUTSIDE2
FRW(config-network-object)#subnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network INSIDE2-OUTSIDE2
FRW(config-network-object)#subnet 172.16.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network INSIDEw1-OUTSIDEw2
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE1,OUTSIDE2) dynamic interface
FRW(config-network-object)#object network INSIDEw2-OUTSIDEw2
FRW(config-network-object)#subnet 10.20.0.0 255.255.0.0
FRW(config-network-object)#nat (INSIDE2,OUTSIDE2) dynamic interface
FRW(config-network-object)#exit
FRW(config)#access-list RES extended permit tcp any any eq 80
FRW(config)#access-list RES extended permit tcp any any eq 53
FRW(config)#access-list RES extended permit udp any any eq 53
FRW(config)#access-group RES in interface OUTSIDE1
FRW(config)#access-group RES in interface OUTSIDE2
Configurations on VoIP router
Router>EN
Router#CONF T
Router(config)#int fa0/0.70
Router(config-subif)#encapsulation dot1Q 70
Router(config-subif)#ip add 172.30.0.1 255.255.0.0
Router(config-subif)#exit
Router(config)#service dhcp
Router(config)#ip dhcp pool VOIP-POOL
Router(dhcp-config)#network 172.30.0.0 255.255.0.0
Router(dhcp-config)#default-router 172.30.0.1
Router(dhcp-config)#option 150 ip 172.30.0.1
Router(dhcp-config)#exit
Router(config)#telephony-service
Router(config-telephony)#max-ephones 30
Router(config-telephony)#max-dn 30
Router(config-telephony)#ip source-address 172.30.0.1 port 2000
Router(config-telephony)#auto assign 1 to 30
Router(config-telephony)#exit
Router(config)#ephone-dn 1
Router(config-ephone-dn)#number 401
Router(config)#ephone-dn 2
Router(config-ephone-dn)#number 402
Router(config)#ephone-dn 3
Router(config-ephone-dn)#number 403
Router(config)#ephone-dn 4
Router(config-ephone-dn)#number 404
Router(config)#ephone-dn 5
Router(config-ephone-dn)#number 405
Router(config)#ephone-dn 6
Router(config-ephone-dn)#number 406
Router(config)#ephone-dn 7
Router(config-ephone-dn)#number 407
Router(config)#ephone-dn 8
Router(config-ephone-dn)#number 408
Router(config)#ephone-dn 9
Router(config-ephone-dn)#number 409
Router(config)#ephone-dn 10
Router(config-ephone-dn)#number 410
Configurations on multilayer switch 1
CORE-SW(config)#interface range gig1/0/3-8
CORE-SW(config-if-range)#switchport mode trunk
CORE-SW(config-if-range)#vlan 10
CORE-SW(config-vlan)#name MGT
CORE-SW(config-vlan)#vlan 20
CORE-SW(config-vlan)#name LAN
CORE-SW(config-vlan)#vlan 50
CORE-SW(config-vlan)#name WLAN
CORE-SW(config-vlan)#vlan 70
CORE-SW(config-vlan)#name VOIP
CORE-SW(config-vlan)#vlan 90
CORE-SW(config-vlan)#name INSIDE_SERVERS
CORE-SW(config)#int range gig1/0/9-11
CORE-SW(config-if-range)#channel-group 1 mode passive
Creating a port-channel interface Port-channel 1
CORE-SW(config-if-range)#interface Port-channel 1
CORE-SW(config-if)#switchport mode trunk
CORE-SW(config-if)#do wr
CORE-SW(config)#ip routing
CORE-SW(config)#int gig1/0/1
CORE-SW(config-if)#no switchport
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip address 10.2.2.1 255.255.255.252
CORE-SW(config-if)#int gig1/0/2
CORE-SW(config-if)#no switchport
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip address 10.2.2.5 255.255.255.252
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 10
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 192.168.10.3 255.255.255.0
CORE-SW(config-if)#standby 10 ip 192.168.10.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 20
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 172.16.0.3 255.255.0.0
CORE-SW(config-if)#standby 20 ip 172.16.0.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 50
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 10.20.0.2 255.255.0.0
CORE-SW(config-if)#standby 50 ip 10.20.0.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 90
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 10.11.11.34 255.255.255.224
CORE-SW(config-if)#standby 90 ip 10.11.11.33
CORE-SW(config-if)#exit
CORE-SW(config)#do wr
CORE-SW(config)#ip routing
CORE-SW(config)#router ospf 35
CORE-SW(config-router)#router-id 1.1.1.1
CORE-SW(config-router)#network 10.2.2.0 0.0.0.3 area 0
CORE-SW(config-router)#network 10.2.2.4 0.0.0.3 area 0
CORE-SW(config-router)#network 192.168.10.0 0.0.0.255 area 0
CORE-SW(config-router)#network 172.16.0.0 0.0.255.255 area 0
CORE-SW(config-router)#network 10.20.0.0 0.0.255.255 area 0
CORE-SW(config-router)#network 10.11.11.32 0.0.0.31 area 0
CORE-SW(config-router)#do wr
CORE-SW(config-router)#do sh star
Configurations on multilayer switch 2
CORE-SW(config)#ip routing
CORE-SW(config)#int gig1/0/1
CORE-SW(config-if)#no switchport
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip address 10.2.2.9 255.255.255.252
CORE-SW(config-if)#int gig1/0/2
CORE-SW(config-if)#no switchport
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip address 10.2.2.13 255.255.255.252
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 10
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 192.168.10.2 255.255.255.0
CORE-SW(config-if)#standby 10 ip 192.168.10.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 20
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 172.16.0.2 255.255.0.0
CORE-SW(config-if)#standby 20 ip 172.16.0.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 50
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 10.20.0.3 255.255.0.0
CORE-SW(config-if)#standby 50 ip 10.20.0.1
CORE-SW(config-if)#ip helper-address 10.11.11.38
CORE-SW(config-if)#exit
CORE-SW(config)#int vlan 90
CORE-SW(config-if)#no sh
CORE-SW(config-if)#ip add 10.11.11.35 255.255.255.224
CORE-SW(config-if)#standby 90 ip 10.11.11.33
CORE-SW(config-if)#exit
CORE-SW(config)#do wr
CORE-SW(config)#ip routing
CORE-SW(config)#router ospf 35
CORE-SW(config-router)#router-id 1.1.2.2
CORE-SW(config-router)#network 10.2.2.8 0.0.0.3 area 0
CORE-SW(config-router)#network 10.2.2.12 0.0.0.3 area 0
CORE-SW(config-router)#network 192.168.10.0 0.0.0.255 area 0
CORE-SW(config-router)#network 172.16.0.0 0.0.255.255 area 0
CORE-SW(config-router)#network 10.20.0.0 0.0.255.255 area 0
CORE-SW(config-router)#network 10.11.11.32 0.0.0.31 area 0
CORE-SW(config-router)#do wr
CORE-SW(config-router)#do sh star
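A defender's sanity check for the two core-switch OSPF sections above: a `network` statement that matches no interface advertises nothing, and an SVI that no statement covers is silently left out of the routing domain. This added Python example (not part of the report) parses interface addresses and `network` wildcards from a constructed CORE-SW-style snippet and reports both conditions; the sample configuration is constructed for the example and contains one statement that deliberately matches no interface.

```python
import ipaddress
import re

# Constructed sample in the style of the CORE-SW transcript (not the report's own config);
# the 192.168.12.0 statement deliberately matches no configured interface.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 ip address 10.2.2.1 255.255.255.252
interface Vlan10
 ip address 192.168.10.3 255.255.255.0
interface Vlan20
 ip address 172.16.0.3 255.255.0.0
interface Vlan90
 ip address 10.11.11.34 255.255.255.224
router ospf 35
 router-id 1.1.1.1
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.12.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
 network 10.11.11.32 0.0.0.31 area 0
"""

def parse_interfaces(config):
    """Map interface name -> its IPv4 address, taken from 'ip address A M' lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            ifaces[current] = m.group(1)
    return ifaces

def ospf_matches(addr, network, wildcard):
    """IOS rule: addr matches when it agrees with network on every bit that is 0 in the wildcard."""
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & mask) == (int(ipaddress.ip_address(network)) & mask)

def audit(config):
    """Return (covered interfaces -> area, statements matching no interface, interfaces left out)."""
    ifaces = parse_interfaces(config)
    covered, unmatched = {}, []
    for net, wc, area in re.findall(r"^\s+network (\S+) (\S+) area (\S+)", config, re.M):
        hits = [name for name, ip in ifaces.items() if ospf_matches(ip, net, wc)]
        if not hits:
            unmatched.append(f"{net} {wc}")
        for name in hits:
            covered.setdefault(name, area)  # record the area of the first statement covering it
    return covered, unmatched, sorted(set(ifaces) - set(covered))
```

Running `audit(SAMPLE_CONFIG)` reports the 192.168.12.0 statement as matching nothing and Vlan10 as uncovered, which is exactly the pair of findings a mistyped third octet produces.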
Configuration on switches one, two, three, four, five
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SM-SW
SM-SW(config)#line console 0
SM-SW(config-line)#password cisco
SM-SW(config-line)#login
SM-SW(config-line)#exec-timeout 3 0
SM-SW(config-line)#logging synchronous
SM-SW(config-line)#exit
SM-SW(config)#enable password cisco
SM-SW(config)#banner motd #no unauthorized access!#
SM-SW(config)#no ip domain lookup
SM-SW(config)#service password-encryption
SM-SW(config)#username cisco password cisco
SM-SW(config)#ip domain-name cisco.com
SM-SW(config)#crypto key generate rsa general-keys modulus 1024
SM-SW(config)#ip ssh version 2
SM-SW(config)#line vty 0 15
SM-SW(config-line)#login local
SM-SW(config-line)#transport input ssh
SM-SW(config-line)#exit
SM-SW(config)#do wr
SM-SW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
SM-SW(config)#access-list 1 deny any
SM-SW(config)#line vty 0 15
SM-SW(config-line)#access-class 1 in
SM-SW(config-line)#do wr
SM-SW(config)#interface range fa0/1-2
SM-SW(config-if-range)#switchport mode trunk
SM-SW(config-if-range)#vlan 10
SM-SW(config-vlan)#name MGT
SM-SW(config-vlan)#vlan 20
SM-SW(config-vlan)#name LAN
SM-SW(config-vlan)#vlan 50
SM-SW(config-vlan)#name WLAN
SM-SW(config-vlan)#vlan 70
SM-SW(config-vlan)#name VOIP
SM-SW(config-vlan)#vlan 199
SM-SW(config-vlan)#name BLACKHOLE
SM-SW(config)#int range fa0/3-4
SM-SW(config-if-range)#switchport mode access
SM-SW(config-if-range)#switchport access vlan 20
SM-SW(config-if-range)#int range fa0/5-6
SM-SW(config-if-range)#switchport voice vlan 70
SM-SW(config-if-range)#int fa0/7
SM-SW(config-if)#switchport mode access
SM-SW(config-if)#switchport access vlan 50
SM-SW(config-if)#int range fa0/8-24,gig0/1-2
SM-SW(config-if-range)#switchport mode access
SM-SW(config-if-range)#switchport access vlan 199
SM-SW(config-if-range)#shutdown
SM-SW(config-if-range)#do wr
SM-SW(config)#int range fa0/3-24
SM-SW(config-if-range)#spanning-tree portfast
SM-SW(config-if-range)#spanning-tree bpduguard enable
SM-SW(config-if-range)#do wr
Configuration on Server Switch
SM-SW(config)#interface range fa0/1-2,fa0/7
SM-SW(config-if-range)#switchport mode trunk
SM-SW(config-if-range)#vlan 10
SM-SW(config-vlan)#name MGT
SM-SW(config-vlan)#vlan 20
SM-SW(config-vlan)#name LAN
SM-SW(config-vlan)#vlan 50
SM-SW(config-vlan)#name WLAN
SM-SW(config-vlan)#vlan 70
SM-SW(config-vlan)#name VOIP
SM-SW(config-vlan)#vlan 90
SM-SW(config-vlan)#name INSIDE_SERVERS
SM-SW(config)#int range fa0/3-5
SM-SW(config-if-range)#switchport mode access
SM-SW(config-if-range)#switchport access vlan 90
SM-SW(config-if-range)#int fa0/6
SM-SW(config-if)#switchport mode access
SM-SW(config-if)#switchport access vlan 50
SM-SW(config-if)#int range fa0/3-6,fa0/8-24
SM-SW(config-if-range)#spanning-tree portfast
SM-SW(config-if-range)#spanning-tree bpduguard enable
SM-SW(config-if-range)#do wr