Network Design and Security Documentation (Melbourne Branch)

– PrfTech

Introduction
We can also see the excellent extensibility in the smart factory around Warehouse 5. In this
expansion, two new branch offices in Sydney and Melbourne are being established. The
Melbourne office is a two-story space with capacity for 300 employees, while the Sydney office
is a four-story building that can fit up to 1,000 employees.

Our goal with this project is to establish a robust network solution that provides reliable
connectivity, centralized management, and secure access between both locations. As proposed,
the design of the network is in accordance with industry best practices, applying Cisco’s
hierarchical model to provision expeditious yet maintainable LAN topologies. These components
include logical and physical network topologies, an IP addressing plan, VLAN segmentation,
BYOD support with Wireless LAN Controllers (WLCs), and a secure Wide Area Network
(WAN) link between sites.
The final report outlines all stages of the network setup, including analysis, planning, design, and
implementation, giving an overall view of how the network will align with PrfTech’s business
operations and future growth within the Australian region.

Representing the interests of PrfTech, a prestigious IT organization based in the United States
and operating worldwide, the company now welcomes new branches in Australia, located in
Sydney and Melbourne. The network will support business operations and future growth;
therefore, each branch must be equipped with a robust, secure, and scalable Local Area Network
(LAN). The hard copy documents create a network of the Melbourne branch and the security
implementation. The Melbourne office is a two-story building that can hold up to 300
employees and encompasses a range of departments, including Human Resources (HR),
Information Technology (IT), Sale, and Marketing.
This document will explain how the physical and logical-network will be utilized, placements
for hardware, IP addressing to be used, cabling specification, as well as a detailed network
security plan. Overall, we want to provide high availability, redundancy, and performance, and
security to all employees in the Melbourne branch (including servers) and systems.

Configuration:
R1:
Router(config)#do show run
Building configuration...

Current configuration : 2689 bytes

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
ip dhcp pool hr
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8
domain-name wr
ip dhcp pool It
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8
domain-name wr
ip dhcp pool Sales
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8
ip dhcp pool market
network 10.0.3.0 255.255.255.0
default-router 10.0.3.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
ip helper-address 10.0.4.10
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.4.10
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.2.1 255.255.255.0
ip helper-address 10.0.4.10
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.4.10
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 10.0.4.1 255.255.255.0
ip helper-address 10.0.4.10
!
interface FastEthernet1/10
switchport mode access
!
interface FastEthernet1/11
switchport mode access
!
interface FastEthernet1/12
switchport mode access
!
interface FastEthernet1/13
switchport mode access
!
interface FastEthernet1/14
switchport mode access
!
interface FastEthernet1/15
switchport mode access
!
interface Vlan1
no ip address
!
router eigrp 4
network 10.0.0.0
network 20.0.0.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0

R2:

Router(config)#do show run

Building configuration...

Current configuration : 2103 bytes

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
ip dhcp pool 1
network 10.0.5.0 255.255.255.0
default-router 10.0.5.1
dns-server 8.8.8.8
domain-name wr
ip dhcp pool 2
network 10.0.6.0 255.255.255.0
default-router 10.0.6.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.5.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.6.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 20.1.1.1 255.0.0.0
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface FastEthernet1/0
switchport mode access
shutdown
!
interface FastEthernet1/1
switchport mode access
shutdown
!
interface FastEthernet1/2
switchport mode access
shutdown
!
interface FastEthernet1/3
switchport mode access
shutdown
!
interface FastEthernet1/4
switchport mode access
shutdown
!
interface FastEthernet1/5
switchport mode access
shutdown
!
interface FastEthernet1/6
switchport mode access
shutdown
!
interface FastEthernet1/7
switchport mode access
shutdown
!
interface FastEthernet1/8
switchport mode access
shutdown
!
interface FastEthernet1/9
switchport mode access
shutdown
!
interface FastEthernet1/10
switchport mode access
shutdown
!
interface FastEthernet1/11
switchport mode access
shutdown
!
interface FastEthernet1/12
switchport mode access
shutdown
!
interface FastEthernet1/13
switchport mode access
shutdown
!
interface FastEthernet1/14
switchport mode access
shutdown
!
interface FastEthernet1/15
switchport mode access
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 4
network 20.0.0.0
network 10.0.0.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
!
!

MLS-1:
Switch#show run
Building configuration...

Current configuration : 1380 bytes

!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!

Switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/4, Fa0/5, Fa0/6, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gig0/1, Gig0/2
10 hr active
20 it active
30 sales active
40 market active
50 wlc active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
40 enet 100040 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0

Switch#show int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1,10,20,30,40,50
Fa0/2 1,10,20,30,40,50
Fa0/3 1,10,20,30,40,50

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 1,10,20,30,40,50
Fa0/2 1,10,20,30,40,50
Fa0/3 1,10,20,30,40,50

MLS-2:
Switch#show run
Building configuration...

Current configuration : 1441 bytes

!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12

Switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
10 hr active
20 it active
30 sales active
40 market active
50 wlc active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
40 enet 100040 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs

------------------------------------------------------------------------------

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------
Switch#
Switch#
Switch#show int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005
Fa0/4 1-1005
Fa0/5 1-1005

Port Vlans allowed and active in management domain

Fa0/1 1,10,20,30,40,50
Fa0/2 1,10,20,30,40,50
Fa0/3 1,10,20,30,40,50
Fa0/4 1,10,20,30,40,50
Fa0/5 1,10,20,30,40,50

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 1,10,20,30,40,50
Fa0/2 20,30,40,50
Fa0/3 10,30,40,50
Fa0/4 10,20,40,50
Fa0/5 10,20,30,50

MLS:
Switch#show run
Building configuration...

Current configuration : 1441 bytes

!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!

Switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
10 hr active
20 it active
30 sales active
40 market active
50 wlc active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
40 enet 100040 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs

------------------------------------------------------------------------------

Switch#how int tr
^
% Invalid input detected at '^' marker.
Switch#
Switch#show int tr
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005
Fa0/4 1-1005
Fa0/5 1-1005

Port Vlans allowed and active in management domain

Fa0/1 1,10,20,30,40,50
Fa0/2 1,10,20,30,40,50
Fa0/3 1,10,20,30,40,50
Fa0/4 1,10,20,30,40,50
Fa0/5 1,10,20,30,40,50

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 1,10,20,30,40,50
Fa0/2 1,10,20,30,40,50
Fa0/3 1,10,20,30,40,50
Fa0/4 1,10,20,30,40,50
Fa0/5 1,10,20,30,40,50

Testing:

Cisco Packet Tracer PC Command Line 1.0

C:\>
ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: bytes=32 time=149ms TTL=255

Reply from 10.0.0.1: bytes=32 time=65ms TTL=255
Reply from 10.0.0.1: bytes=32 time=107ms TTL=255
Reply from 10.0.0.1: bytes=32 time=76ms TTL=255

Ping statistics for 10.0.0.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 65ms, Maximum = 149ms, Average = 99ms

C:\>ping 10.0.1.1

Pinging 10.0.1.1 with 32 bytes of data:

Reply from 10.0.1.1: bytes=32 time=6ms TTL=255
Reply from 10.0.1.1: bytes=32 time=32ms TTL=255
Reply from 10.0.1.1: bytes=32 time=45ms TTL=255
Reply from 10.0.1.1: bytes=32 time=6ms TTL=255

Ping statistics for 10.0.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 45ms, Average = 22ms

C:\>ping 10.0.2.1

Pinging 10.0.2.1 with 32 bytes of data:

Reply from 10.0.2.1: bytes=32 time=98ms TTL=255

Reply from 10.0.2.1: bytes=32 time=46ms TTL=255
Reply from 10.0.2.1: bytes=32 time=53ms TTL=255
Reply from 10.0.2.1: bytes=32 time=6ms TTL=255

Ping statistics for 10.0.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 98ms, Average = 50ms

C:\>ping 10.0.3.1

Pinging 10.0.3.1 with 32 bytes of data:

Reply from 10.0.3.1: bytes=32 time=155ms TTL=255

Reply from 10.0.3.1: bytes=32 time=92ms TTL=255
Reply from 10.0.3.1: bytes=32 time=53ms TTL=255
Reply from 10.0.3.1: bytes=32 time=78ms TTL=255

Ping statistics for 10.0.3.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 53ms, Maximum = 155ms, Average = 94ms

C:\>ping 10.0.4.1

Pinging 10.0.4.1 with 32 bytes of data:

Reply from 10.0.4.1: bytes=32 time=88ms TTL=255

Reply from 10.0.4.1: bytes=32 time=95ms TTL=255
Reply from 10.0.4.1: bytes=32 time=45ms TTL=255
Reply from 10.0.4.1: bytes=32 time=16ms TTL=255
Ping statistics for 10.0.4.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 95ms, Average = 61ms

C:\>ping 10.0.5.1

Pinging 10.0.5.1 with 32 bytes of data:

Reply from 10.0.5.1: bytes=32 time=9ms TTL=254

Reply from 10.0.5.1: bytes=32 time=64ms TTL=254
Reply from 10.0.5.1: bytes=32 time=84ms TTL=254
Reply from 10.0.5.1: bytes=32 time=14ms TTL=254

Ping statistics for 10.0.5.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 84ms, Average = 42ms

C:\>ping 10.0.5.2

Pinging 10.0.5.2 with 32 bytes of data:

Reply from 10.0.5.2: bytes=32 time=87ms TTL=126

Reply from 10.0.5.2: bytes=32 time=77ms TTL=126
Reply from 10.0.5.2: bytes=32 time=31ms TTL=126
Reply from 10.0.5.2: bytes=32 time=47ms TTL=126

Ping statistics for 10.0.5.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 87ms, Average = 60ms

C:\>ping 10.0.5.3

Pinging 10.0.5.3 with 32 bytes of data:

Request timed out.

Reply from 10.0.5.3: bytes=32 time=7ms TTL=126
Reply from 10.0.5.3: bytes=32 time=11ms TTL=126
Reply from 10.0.5.3: bytes=32 time=14ms TTL=126

Ping statistics for 10.0.5.3:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
 Minimum = 7ms, Maximum = 14ms, Average = 10ms

C:\>ping 10.0.6.1

Pinging 10.0.6.1 with 32 bytes of data:

Reply from 10.0.6.1: bytes=32 time=87ms TTL=254

Reply from 10.0.6.1: bytes=32 time=49ms TTL=254
Reply from 10.0.6.1: bytes=32 time=90ms TTL=254
Reply from 10.0.6.1: bytes=32 time=25ms TTL=254

Ping statistics for 10.0.6.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 25ms, Maximum = 90ms, Average = 62ms

Physical Network Layout

2.1 General Office Structure in Melbourne
The two-floor branch in Melbourne. It includes the arrangement of departments, servers, core
network hardware, and user access terminals to ensure stable availability of the network. The
allocation of departments and functional zones is as follows:

Branches:
Human Resources (HR)
Information Technology (IT)
Sales Department
Marketing Department
More Fun Jobs in Conference Rooms/Open Workspaces
All departments have wired Ethernet access as well as wireless access points throughout the
building.

2.2 Device Placement

 Core Router,
 Layer 3 Switch,
 Access Switches,
  Wireless APs,
 Distribution
Switch,
 Access Switches,
 Wireless APs,
 IP Phones

2.3 Cabling Strategy:

Cable trays and protective conduits minimize EMI and provide physical security for all cabling.

2.4 Wireless LAN Infrastructure

We deploy three APs per floor with proper placement to avoid any dead zones thereby ensuring
wireless coverage.

SSID Configurations:
Melb-Staff: For employees. It implements WPA3-Enterprise security with RADIUS
authentication.
Melb-Guest: For HR, IT, Sales, Market users. Compliant with internet-only access: WPA2 ·
(PSK).
And it has Client Isolation turned on for lateral communication prevention on the guest network.
2.5 Addressing and VLAN structure
An IP subnet and VLAN dedicated per department This improves network segmentation and
security.

Department VLAN Subnet Subnet Mask Purpose

ID

HR 10 10.0.0.0/24 255.255.255.0 Payroll, employee management

IT 20 10.0.1.0/24 255.255.255.0 Server admin, technical support

Sales 30 10.0.2.0/24 255.255.255.0 CRM and customer data

Marketing 40 10.0.3.0/24 255.255.255.0 Campaigns and content

IEEE 802.1Q is used for trunking from distribution and core switches to access switches for
each VLAN.

Network Security Plan

3.1 Goals of Network Security
Do ensure data confidentiality, integrity, and availability
Defend against unauthorized access and external attacks Fall Region 12 0 Comments
Implement segmentation within internal departments
Without compromising internal resources, secure BYOD and guest access
Make monitoring, logging, and compliance tracking easy

3.2 — VLAN Segmentation and Inter-VLAN Security

Traffic is logically separated in the Layer 3 switch through VLAN configuration. It blocks inter-
department communication unless and until authorized. Access Control Lists (ACLs) are used
on:
Allow necessary inter-VLAN communication (IT to all departments, for example)
Step 5: Deny access from Guest VLAN to internal network
Restrict server VLAN access on per-role basis
3.3 Switch and Port Security
Port-level security policies are implemented to stop rogue devices from connecting to them and
for physical penetration.
Feature
Description
Port Security
Restricts the number of MAC addresses on a port
Sticky MAC
Dynamically learns and binds MAC addresses
DHCP Snooping
Blocks rogue DHCP server from issuing IP addresses
Dynamic ARP Inspection (DAI)
Provides protection from ARP Spoofing Attacks
BPDU Guard
Prevents rogue switch connection in the network

3.4 Protection of Wireless Network

There are various techniques that are used to secure wireless networks:
WPA3-Enterprise (Melb-Staff): WPA3-Enterprise provides robust encryption and RADIUS
authentication.
WPA2-PSK (Melb-Guest): For guests with internet only access.
Client Isolation: Stops communication between devices on guest network.
AP Detection: The WLC periodically monitors for rogue devices.

3.5 Implementation of Firewalls and ACLs

Firewalls and router based ACLs are configured to inspect traffic heading into or out of the local
network.
Block unused TCP/UDP ports
Restrict remote management access to certain IPs
Restrict guest and external access to internal services
IPSec: Create VPN Tunnels between Sydney and Melbourne

3.6 Security of Server and Administrator Access

RADIUS/TACACS+ Authentication: Admin login on routers and switches
SSH Access Only – Telnet has been disabled throughout the network
AAA configuration: Authentication, Authorization, Accounting enabled
Syslog Server: Remember, record every device event for audit and review
Regular Backups [ Backups of server data and configurations as weekly backups.

3.7 Enforcement of BYOD and Guest Policy

Guest VLAN Isolation: Only access to the internet for guests
Web Portal Login: All BYOD users authenticate via a captive portal
Bandwidth Limiting: Rate limits configured on Guest VLAN
MAC Whitelisting: With MAC-based filtering, you can grant more access to registered devices

3.8 Monitoring and Incident Response

SNMP-based Monitoring: Used for Real-Time Visibility
Other Types of Alerts: Intrusion Detection Systems (IDS)
Incident Response Plan: Definitions of your steps for containing and mitigating network
incidents
Regular Audits: Monthly audits to ensure adherence to security protocols

It is recommended that:
Regularly update all firmware and software
Review and test security policies on a quarterly basis
Staff are trained on cybersecurity awareness
VPN and firewall configurations periodically reviewed
The logical and physical security options outlined in this document collectively form a robust
basis for PrfTech's successful penetration of the Australian market.
IP Address Table:
Table 1. Sydney branch network (Router-2)
Allocated Subnet address and Subnet Mask 300
Network address 10.0.5.0/24
Default Gateway address 10.0.5.1
Valid host address range 10.0.5.1- 10.0.6.254
Broadcast address 10.0.6.255

Table 2. Melbourne branch network 1000

Allocated Subnet address and Subnet Mask 1000 Needed
Network address 10.0.0.0 255.255.255.0
Default Gateway address 10.0.0.1
Valid host address range 10.0.0.1 – 10.0.3.254
Broadcast address 10.0.3.255

Table 3. Network between Sydney and

Melbourne
Allocated Subnet address and Subnet Mask 2 Ips
Network address 10.0.7.4/30
Valid host address range 20.0.0.5 – 20.0.0.6
Broadcast address 20.0.0.7

Table 4. Network between Sydney Routers

Allocated Subnet address and Subnet Mask 2 Ip address needed
Network address 10.0.7.0/30
Valid host address range 10.0.7.1 - 10.0.7.2
Broadcast address 10.0.7.3

WLC:
Melbourne Branch Wireless LAN Controller (WLC)
As part of the Bring Your Own Device (BYOD) policy at the Melbourne branch of PrfTech, a
Wireless LAN Controller (WLC) would be integrated into the network to address the
management and security concerns associated with wireless devices. Other infrastructure devices
are also involved, including core switch, firewall, and DHCP server, which are in the main
network server room on the ground floor where the WLC is placed. This allows advantageous
wired connectivity to each deployed wireless AP throughout the building.
The Wireless LAN Controller (WLC) serves as a centralized management device for all the
access points that you have deployed in your office. In place of configuring each AP separately,
the WLC enables IT administrators to configure and monitor all APs from one interface. These
may include wireless SSID broadcasting, security policy enforcement, client authentication,
bandwidth management, and firmware upgrades. The WLC also provides centralized control
over wireless access points (APs), and allows users to roam smoothly between APs without
losing their connections — a critical capability in an enterprise in which users frequently migrate
around the premises with personal devices.
The two-story building will be served by eight enterprise-grade dual-band access points — four
per floor — to provide coverage throughout. APs will be deployed close to the HR and IT
departments on the ground floor and deployed near the Sales and Marketing departments on the
first floor. These APs will connect to the PoE-enabled switches, to draw power and provide the
data connection. There are two main SSIDs that the WLC manages and those are for Staff
(PrfTech-Staff) and guests (PrfTech-Guest). WPA2-Enterprise security on a staff SSID integrated
with a RADIUS server to provide 802.1X authentication. It enables per-user access controls and
VLAN mappings per-department. However, to be secure and to guarantee fair usage, the guest
SSID is a time, and bandwidth limited access to the internet only.
Each WLC is configured to dynamically assign a VLAN to a wireless client based on which
department they belong to. For instance, HR will be on VLAN 10 (Subnet: 192.168.10.0/24), IT
on VLAN 20 (192.168.20.0/24), Sales on VLAN 30, and Marketing on VLAN 40. Guest
accounts are placed into VLAN 50 and given a subnet that allows access only to the internet.
This means traffic between departments is isolated from each other, as is traffic from internal
users and guests, which helps improve security.
For example, security is the most important concern of the WLC deployment. It provides
WPA2/WPA3 enterprise-level wireless encryption, rogue AP detection, MAC address filtering,
client isolation for guests, and automatic AP firmware upgrades. Rogue APs are proactively
scanned, with flagged devices being blocked from the network to eliminate unwanted wireless
connections. Moreover, WLC restricts unauthenticated users, advising the device to authenticate
before allowing the device on the internal wireless LAN and thus makes sure no sensitive
company data is compromised.
Day 1 includes DHCP and the firewall also integrates with the WLC. In this case WLC handle
APs & control of wireless clients while the nether DHCP server assigns the clients the IP
address depends on the VLAN. The firewall provides internal users with access to internal
servers and applications, while guest access is limited through ACL (Access Control Lists) and
NAT (Network Address Translation) rules that prevent unauthorized access.
In this case, a standby WLC will be designed to facilitate high AVAILABILITY and business
continuity; it will take TRENNEN automatically when the primary controller fails to meet less
frustration. This guarantees uninterrupted wireless services, even during hardware failure or
maintenance. It is also scalable; when you want to expand your network, you add new APs, and
they'll automatically be detected and configured by the WLC.
The WLC has an inbuilt dashboard that makes monitoring and troubleshooting easier with real-
time visibility to AP performance, client distribution, signal strength, and interference levels.
Alerts and logs are sent off to a centralized Syslog server and SNMP manager, finding and fixing
issues and optimizing performance before user impact. Wi-Fi heat maps and usage reports are
also available to help you identify blind spots or outlier areas that can be improved upon for the
quality of wireless service provided.
The Wireless LAN Controller is deployed in the Melbourne office for centralized management,
secure wireless access, seamless roaming capabilities, and BYOD support for the organization. It
promotes scale, reduces administrative burden, and maintains the highest level of performance
and security for all the organizations wireless users.

Conclusion:
Main features: Logical / Physical network topologies, IP addressing plans, VLAN segmentation,
BYOD with Wireless LAN Controllers (WLCs), and secured WAN link between sites. The
presented design and simulation of the network for PrfTech’s new Sydney and Melbourne
branches successfully exhibit a secure, scalable and efficient infrastructure that would provide
proper support for both current business requirements and future growth. Through utilization of
Cisco’s layered network design, the design guarantees efficient performance, seamless
management and high availability at each layer across all aspects of networking. By intelligently
designing their IP addressing schema, segmenting users on various VLANs, integrating their
wireless networks, as well as wide area connectivity, both branch offices will support the needs
of up to 1,300 users in total. Data protection and access control is achieved by implementing
mechanisms like ACLs, firewalls, port security, wireless encryption, and VPN technologies.
Ultimately, not only does this project support PrfTech's technical and organizational
requirements, but it allows for a broadly flexible roadmap for future technological
development/enhancement. What is shown in Packet Tracer is a hands-on simulation to confirm
that the network is operating and can be able to run in a realistic setting.
References:
[1] Cisco Systems, “Cisco Enterprise Architecture Model”, Cisco, 2023. [Online]. [Access Date:
October 2023] https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-architecture.html
T. Lammle, CCNA 200-301 Official Cert Guide, First Edition, 2020. [2] Indianapolis, IN, USA:
Wiley; 2020.
[3] W. Stallings, Network Security Essentials: Applications and Standards, 6th ed. Boston, MA,
USA: Pearson. 2020.
[4] IEEE Std 802.11, “Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications,” IEEE-SA Standards Board, 2020.
Computer Networks, 5th ed. New York, NY, USA: Pearson, 2010.
Steps 21-24: Infrastructure Design & SimulationDocument two — Huyskamer 3 142 03 October
2023 with orders_DATE_TIME