1. Simple Network 2. SOHO Network 3. Hotel Network 4. Campus Network 5. Bank Network 6. Company Network 7. Hospital Network 8. VoIP Network 9. Finance Network 10. Secure Telecom Network 11. Secure Healthcare Network 12. Secure Campus Network 13. Secure Company Network 14. upcoming 15. upcoming

Design and Implementation of a Secure Campus Area Network System (Project #12)

Project #12 Case Study and Requirements
Martin Luther King University stands as a prominent institution with a vast footprint, encompassing two campuses strategically positioned 100 miles apart within the United States. The university's organizational structure revolves around four key faculties: Health and Sciences, Business, Engineering/Computing, and Art/Design, both in the main and branch campuses. This diverse array of faculties accommodates the dynamic needs of both students and staff, fostering a rich academic environment. To ensure seamless connectivity and technological cohesion, an integral component of the university is its Information Technology (IT) department situated at the main campus. This central hub orchestrates the management of both campuses, overseeing the intricate network that binds them together. Currently, the university caters to a substantial community, boasting a collective headcount of approximately 30,000 users spread across the two campuses. In anticipation of significant growth on the horizon, the university envisions a doubling of user counts within each department by the year 2025. This foresight underscores the necessity for a robust and scalable infrastructure, prompting a strategic emphasis on scalability throughout the design and implementation phases.

At the heart of the technological infrastructure lies the main campus, which hosts a server farm, often referred to as the Demilitarized Zone (DMZ). Within this fortified zone, essential servers such as DHCP, DNS, FTP, WEB, Email, and SMTP are strategically housed. Recognizing the importance of secure resource access, users at the branch campus are equipped with the capability to securely connect to and utilize these centralized servers. This safeguarded connectivity ensures that educational, informational, and communication resources are readily available to all users, irrespective of their physical location.
As an integral part of the University's ICT infrastructure, the following components have been incorporated:
  • Internet Services Provider (ISP): The company has established a subscription with Airtel to ensure internet connectivity.
  • Network Security: Two Cisco ASA Firewalls from the 5500-X series have been acquired to enhance network security. Each campus will have its firewall but the main campus will contain the DMZ or the server farm.
  • Network Routing: Both the firewalls and the core switches will be used instead of a router.
  • Switching Infrastructure: The network includes two Catalyst 3850 48-Port Switches for each campus, and Catalyst 2960 48-Port Switches per faculty to ensure robust local network connectivity.
  • Server Hardware and Virtualization: Two physical servers will be utilized for virtualization through the hypervisor to achieve multiple virtual machines for various services. For redundancy or failover, we will have two DHCP servers running at the same time..
  • Wireless Infrastructure: Two Cisco Wireless LAN Controllers (WLC) and various Lightweight Access Points (LAPs) will centralize the management of the wireless network.
  • Site-to-site IPsec VPN: Configure IPsec VPN on the two firewalls to enable secure communication between the main and the branch campus.
Cloud computing as an important technology is used to connect clients across the world to University services and resources thus the University system is linked to the Google Cloud platform to facilitate service delivery thus this is one of the core business functions of the firm. The proposed network should allow the team access to these resources.

Due to security requirements, it has been decided that all LAN and WLAN users will be on a separate network segment within the same local area network. The firewall will be used to set security zones and filter traffic that moves in and out of the zones based on the configured inspection policies. Finally, the two campuses should have a secure tunnel of communication via an IPsec VPN.

You have been hired as a network security engineer to design the network according to the requirements set by the senior management. You will consult an appropriate robust network design model to meet the design requirements. You are required to design and implement a secured, reliable, scalable, and robust network system that is paramount to safeguarding the Confidentiality, Integrity, and Availability of data and communication. The University places a strong emphasis on achieving top-tier performance, redundancy, scalability, and availability within its network infrastructure. As such, your task involves creating a comprehensive network design and executing its implementation. To facilitate this endeavor, the University has designated specific IP address ranges:
  • WLAN: For the management, the IP address range of 192.168.10.0/24 has been allocated.
  • LAN: The WLAN network will operate within the IP address range of 10.10.0.0/16 for the main campus and 10.11.0.0/16 for the branch campus.
  • Voice: For the local area network (LAN), the IP address range of 172.16.0.0/16 for the main campus and 172.17.0.0/16 for the branch campus.
  • DMZ: The Demilitarized Zone (DMZ) will be assigned IP addresses from the range 10.20.20.0/27.
  • Public Addresses: Public IP addresses from the range 105.100.50.0/30 for the main campus and 205.200.100.0/30 for the branch campus.
Technologies Implemented
    1. Design Tool: Utilize Cisco Packet Tracer for designing and implementing the network solution.
    2. Hierarchical Design: Implement a hierarchical model that incorporates redundancy for enhanced network resilience.
    3. ISPs: Establish connectivity to an Airtel ISP Router within the network infrastructure.
    4. WLC: Ensure that each department is equipped with a Wireless Access Point (WAP) to provide WiFi access to employees, corporate users, external auditors, and guests, all centrally managed by a Wireless LAN Controller (WLC).
    5. VoIP: Deploy IP phones in each department to support Voice over IP (VoIP) communication.
    6. VLAN: Maintain VLANs with the following IDs: 10 for Management, 20 for LAN, 50 for WLAN, and finally, 199 for Blackhole in which all unused ports are placed.
    7. EtherChannel: Implement the Link Aggregation Control Protocol (LACP) for EtherChannel configuration, enhancing link aggregation efficiency.
    8. STP PortFast and BPDUguard: Configure Spanning Tree Protocol (STP) PortFast and BPDUguard to expedite port transitions from blocking to forwarding states.
    9. Subnetting: Utilize subnetting techniques to allocate the appropriate number of IP addresses to each network group.
    10. Basic Settings: Configure fundamental device settings, including hostnames, and console passwords, enable passwords, banner messages, password encryption, and disable IP domain lookup.
    11. Inter-VLAN Routing: Enable devices in all departments to communicate with one another by configuring the respective multilayer switch for inter-VLAN routing.
    12. Core Switch: Assign IP addresses to Multilayer switches to enable both routing and switching functionalities.
    13. DHCP Server: Ensure that all devices in the network obtain IP addresses dynamically from Active Directory (AD) servers located at the server farm site.
    14. HSRP: Implement high-availability router protocols such as HSRP to achieve redundancy, load balancing, and failover capabilities.
    15. Static Addressing: Allocate static IP addresses to devices located in the server room.
    16. Routing Protocol: Utilize Open Shortest Path First (OSPF) as the routing protocol to advertise routes on the firewall, routers, and multilayer switches.
    17. Standard ACL for SSH: Establish a simple standard Access Control List (ACL) on the VTY line to permit remote administrative tasks via SSH only for the Senior Network Security Engineer PC.
    18. Cisco ASA Firewall: Configure default static routes, basic settings, security levels, zones, and policies on the Cisco ASA Firewall to define access control and resource utilization within the network.
    19. Site-to-site IPsec VPN on Cisco ASA Firewall: Configure Site-to-site IPsec VPN between the two firewalls to enable secure communication between HQ and branch campus.
    20. Final Testing: Conduct thorough testing to verify proper communication and ensure that all configured elements function as intended.
Network Topology Created
The network topology below satisfy the user requirements above and everything is verified, tested and working fine. You can get source file (Packet Tracer File) or watch on YouTube below.

How to Get Source File or Watch the Project on YouTube

  1. Get Packet Tracer File

    To get this Packet Tracer File with it's case study, kindly join our channel membership first to support us. Joining channel membership is different from subscribing, here you click on join button and it's chargable as low as $1. It is our policy that we only provide exclussive resources to channel members not subscribers. Subscribers are only given a chance to watch the video, follow keenly and design and implement the similar topoloy but they won't get any ready file.

    Join Now

  2. Watch Full Project on YouTube

    Get to watch on how to implement the project from the explanation of a tutor that will take you through a simple and easy to understand steps while following good network design practices.

    Watch Here