Objective

Build a complete multi-site enterprise network in Cisco Packet Tracer connecting a headquarters site and a branch office over a simulated WAN link. The implementation covered OSPFv2 dynamic routing, per-VLAN inter-site reachability, centralized DHCP and DNS services, extended ACLs for traffic filtering, NAT overload for internet access, and end-to-end connectivity verification across all segments.

Tools & Technologies

  • Cisco IOS 15.x — router and switch operating system
  • OSPFv2 — dynamic interior routing protocol
  • 802.1Q Inter-VLAN routing — Layer 3 switch SVIs
  • Extended ACLs — stateless traffic filtering
  • DHCP (IOS) — centralized address assignment
  • DNS (IOS) — hostname resolution for internal zones
  • NAT overload (PAT) — many-to-one internet access
  • HSRP — default gateway redundancy at HQ
  • Cisco Packet Tracer 8.2 — simulation environment

Architecture Overview

Architecture diagram (Mermaid source):

flowchart TD
    Internet[ISP / Internet\n203.0.113.0/30] -->|Serial WAN| HQ
    HQ[HQ Router\nRtr-HQ\n10.1.0.1] -->|OSPFv2| Branch[Branch Router\nRtr-BR\n10.2.0.1]
    HQ --> L3SW[HQ Layer 3 Switch\nSVI per VLAN]
    L3SW --> V10[VLAN 10\nServers\n10.1.10.0/24]
    L3SW --> V20[VLAN 20\nUsers\n10.1.20.0/24]
    L3SW --> V30[VLAN 30\nMgmt\n10.1.30.0/24]
    Branch --> BrSW[Branch Switch]
    BrSW --> BV10[VLAN 10\nBranch Staff\n10.2.10.0/24]
    style Internet fill:#181818,stroke:#1e1e1e,color:#888
    style HQ fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style Branch fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style L3SW fill:#181818,stroke:#1e1e1e,color:#888
    style BrSW fill:#181818,stroke:#1e1e1e,color:#888
    style V10 fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0
    style V20 fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0
    style V30 fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0
    style BV10 fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0

Step-by-Step Process

Step 01: OSPFv2 Dynamic Routing Setup

Configured OSPF area 0 on both routers and the Layer 3 switch, advertising all internal networks. Used passive interfaces on end-user segments to suppress OSPF hellos on non-router ports.

! HQ Router OSPFv2
router ospf 1
 router-id 1.1.1.1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.10.0 0.0.0.255 area 0
 network 10.1.20.0 0.0.0.255 area 0
 network 10.1.30.0 0.0.0.255 area 0
 ! The subnet of the serial WAN link to the branch (not shown here) must also be
 ! covered by a network statement on both routers, or no hellos are sent on it
 ! and the adjacency never forms.
 ! passive-interface only suppresses hellos; the subnet is still advertised.
 passive-interface GigabitEthernet0/1.10
 passive-interface GigabitEthernet0/1.20

! Branch Router OSPFv2
router ospf 1
 router-id 2.2.2.2
 network 10.2.0.0 0.0.0.255 area 0
 network 10.2.10.0 0.0.0.255 area 0
 ! Gi0/1 faces the branch staff VLAN: advertise it, but send no hellos on it
 passive-interface GigabitEthernet0/1

! Verify adjacency (state should be FULL on the WAN interface)
show ip ospf neighbor
show ip route ospf
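A quick offline way to check which interfaces a set of network statements actually places into OSPF, as an added example that is not part of the original writeup. It applies IOS wildcard matching to the HQ router's statements from this step. The interface addresses are constructed for illustration: the VLAN gateway addresses are the default-router values from the DHCP pools in Step 02, while the serial WAN address (192.0.2.1 on an assumed Serial0/0/0) is an assumed value, because the writeup does not state the WAN subnet. The check reports that interface as outside OSPF, which is the condition under which no adjacency forms across the WAN.

```python
"""Check which interfaces a set of OSPF 'network' statements will activate.

Added example, not part of the original writeup. Applies IOS wildcard
matching to the HQ router's OSPF stanza from Step 01.
"""
import ipaddress
import re

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")
PASSIVE_RE = re.compile(r"^\s*passive-interface\s+(\S+)\s*$")

# HQ router OSPF stanza as shown in Step 01 of the writeup.
HQ_OSPF = """
router ospf 1
 router-id 1.1.1.1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.10.0 0.0.0.255 area 0
 network 10.1.20.0 0.0.0.255 area 0
 network 10.1.30.0 0.0.0.255 area 0
 passive-interface GigabitEthernet0/1.10
 passive-interface GigabitEthernet0/1.20
"""

# Constructed interface table. Gateway addresses come from the DHCP pools;
# 192.0.2.1 on Serial0/0/0 is an ASSUMED WAN address (not in the writeup),
# chosen to sit outside every advertised range.
HQ_INTERFACES = {
    "GigabitEthernet0/1.10": "10.1.10.1",
    "GigabitEthernet0/1.20": "10.1.20.1",
    "GigabitEthernet0/1.30": "10.1.30.1",
    "Serial0/0/0": "192.0.2.1",
}


def parse_ospf(config):
    """Return ([(address, wildcard, area)], {passive interface names})."""
    stmts, passive = [], set()
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            stmts.append((int(ipaddress.IPv4Address(m.group(1))),
                          int(ipaddress.IPv4Address(m.group(2))),
                          m.group(3)))
            continue
        m = PASSIVE_RE.match(line)
        if m:
            passive.add(m.group(1))
    return stmts, passive


def wildcard_match(ip, address, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (address & care)


def prefix_to_wildcard(prefix):
    """'10.1.10.0/24' -> '0.0.0.255', the form a network statement needs."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def ospf_coverage(config, interfaces):
    """Map each interface to {'area': ..., 'passive': ...}, or None if no
    statement matches. IOS applies the most specific matching statement,
    emulated here by preferring the one with the fewest wildcard bits set.
    """
    stmts, passive = parse_ospf(config)
    report = {}
    for name, ip in interfaces.items():
        best = None
        for address, wildcard, area in stmts:
            if wildcard_match(ip, address, wildcard):
                if best is None or bin(wildcard).count("1") < bin(best[0]).count("1"):
                    best = (wildcard, area)
        report[name] = None if best is None else {
            "area": best[1], "passive": name in passive}
    return report


if __name__ == "__main__":
    for name, info in ospf_coverage(HQ_OSPF, HQ_INTERFACES).items():
        if info is None:
            state = "NOT in OSPF (no network statement matches)"
        else:
            state = f"area {info['area']}" + (", passive" if info["passive"] else "")
        print(f"{name:24s} {state}")
```

Running it lists the three VLAN subinterfaces in area 0 (two of them passive) and flags Serial0/0/0 as not in OSPF; adding a network statement whose wildcard covers the WAN subnet, computed with prefix_to_wildcard, is the fix.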

Step 02: Centralized DHCP Server Configuration

Configured DHCP pools on the HQ router for all subnets including the branch VLAN. Branch router uses ip helper-address to relay DHCP requests to HQ.

! HQ Router DHCP Pools
ip dhcp excluded-address 10.1.10.1 10.1.10.10
ip dhcp excluded-address 10.1.20.1 10.1.20.10
ip dhcp excluded-address 10.2.10.1 10.2.10.10

ip dhcp pool HQ-SERVERS
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
 dns-server 10.1.10.5

ip dhcp pool HQ-USERS
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1
 dns-server 10.1.10.5
 lease 1

ip dhcp pool BRANCH-STAFF
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.1
 dns-server 10.1.10.5

! Branch router — relay DHCP to HQ
interface GigabitEthernet0/1
 ip helper-address 10.1.0.1
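The pool and relay settings above are easy to get subtly wrong (a gateway that is not excluded gets leased to a client; a helper that points at the relay router itself never leaves the branch, which is the mistake described under Challenges & Solutions). The checker below is an added example, not part of the original writeup: it parses the HQ router's DHCP configuration exactly as shown in this step and verifies that every default-router lies inside its pool and inside an excluded range, that every excluded range belongs to some pool, and that a branch helper-address targets the DHCP server. The relay router's own address 10.2.10.1 is the BRANCH-STAFF gateway from the writeup; the DHCP server address 10.1.0.1 is the helper target from the writeup.

```python
"""Consistency checks for the centralized DHCP design in Step 02.

Added example, not from the original writeup. Parses the HQ router's
DHCP pools and excluded ranges as shown above and validates them.
"""
import ipaddress
import re

# HQ router DHCP configuration as shown in Step 02 of the writeup.
HQ_DHCP = """
ip dhcp excluded-address 10.1.10.1 10.1.10.10
ip dhcp excluded-address 10.1.20.1 10.1.20.10
ip dhcp excluded-address 10.2.10.1 10.2.10.10
ip dhcp pool HQ-SERVERS
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
 dns-server 10.1.10.5
ip dhcp pool HQ-USERS
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1
 dns-server 10.1.10.5
 lease 1
ip dhcp pool BRANCH-STAFF
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.1
 dns-server 10.1.10.5
"""


def parse_dhcp(config):
    """Return (pools, excluded): pools maps name -> settings, excluded is
    a list of (low, high) IPv4Address pairs."""
    pools, excluded, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip dhcp excluded-address (\S+) (\S+)", line)
        if m:
            excluded.append((ipaddress.IPv4Address(m.group(1)),
                             ipaddress.IPv4Address(m.group(2))))
            continue
        m = re.match(r"ip dhcp pool (\S+)", line)
        if m:
            current = pools.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"network (\S+) (\S+)", line)
        if m:  # 'network 10.1.10.0 255.255.255.0' -> 10.1.10.0/24
            current["network"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"(default-router|dns-server) (\S+)", line)
        if m:
            current[m.group(1)] = ipaddress.IPv4Address(m.group(2))
    return pools, excluded


def check_pools(pools, excluded):
    """Return human-readable problems; an empty list means consistent."""
    problems = []
    for name, pool in pools.items():
        net = pool.get("network")
        if net is None:
            problems.append(f"{name}: no network statement")
            continue
        gw = pool.get("default-router")
        if gw is None:
            problems.append(f"{name}: no default-router")
        elif gw not in net:
            problems.append(f"{name}: default-router {gw} is outside {net}")
        elif not any(lo <= gw <= hi for lo, hi in excluded):
            problems.append(f"{name}: default-router {gw} is not excluded and could be leased")
    nets = [p["network"] for p in pools.values() if "network" in p]
    for lo, hi in excluded:
        if not any(lo in n and hi in n for n in nets):
            problems.append(f"excluded range {lo}-{hi} lies in no pool network")
    return problems


def check_relay(helper, relay_router_addresses, dhcp_server_addresses):
    """Validate a branch 'ip helper-address' target. It must be an address
    on the DHCP server, never one the relay router owns itself."""
    helper = ipaddress.IPv4Address(helper)
    own = [ipaddress.IPv4Address(a) for a in relay_router_addresses]
    servers = [ipaddress.IPv4Address(a) for a in dhcp_server_addresses]
    if helper in own:
        return f"helper {helper} is the relay router itself; requests never leave the branch"
    if helper not in servers:
        return f"helper {helper} is not a known DHCP server address"
    return None


if __name__ == "__main__":
    pools, excluded = parse_dhcp(HQ_DHCP)
    print("pool problems:", check_pools(pools, excluded) or "none")
    for helper in ("10.1.0.1", "10.2.10.1"):
        print(f"helper {helper}:", check_relay(helper, ["10.2.10.1"], ["10.1.0.1"]) or "ok")
```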

Step 03: Extended ACL Implementation

Applied extended ACLs to enforce traffic policy: branch staff can reach HQ servers on HTTP/HTTPS only; HQ management VLAN has full access; no direct branch-to-branch traffic.

! Allow branch staff to HQ servers (HTTP/HTTPS only)
ip access-list extended BRANCH-TO-HQ
 ! DHCP relay: a client DISCOVER/REQUEST arrives on this interface as a broadcast
 ! and is checked by the inbound ACL before ip helper-address forwards it
 permit udp any eq bootpc any eq bootps
 ! DNS to the HQ DNS server that the pools hand out (10.1.10.5)
 permit udp 10.2.10.0 0.0.0.255 host 10.1.10.5 eq domain
 permit tcp 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 80
 permit tcp 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 443
 permit icmp 10.2.10.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny ip any any log

! Apply inbound on the branch router LAN interface (Gi0/1 faces the branch staff
! VLAN), so it filters traffic leaving the branch towards HQ
interface GigabitEthernet0/1
 ip access-group BRANCH-TO-HQ in

! Verify hits (match counters per entry)
show ip access-lists BRANCH-TO-HQ

Step 04: NAT Overload for Internet Access

Configured PAT (NAT overload) on the HQ router to translate all internal RFC1918 addresses to the single public ISP IP.

! Define inside/outside interfaces
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
! With router-on-a-stick each dot1Q subinterface (Gi0/1.10, .20, .30) needs its own
! 'ip nat inside'; the serial link to the branch (interface name not shown here) also
! needs 'ip nat inside', or 10.2.0.0/16 traffic from the branch is never translated.

! ACL for NAT — all internal subnets
ip access-list standard NAT-INSIDE
 permit 10.1.0.0 0.0.255.255
 permit 10.2.0.0 0.0.255.255

! Configure overload (PAT): every inside address is translated to Gi0/0's address
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload

! Verify translations
show ip nat translations
show ip nat statistics

Step 05: End-to-End Verification

Performed systematic ping tests, traceroute path verification, and service-level testing (DNS resolution, HTTP access) from multiple source/destination VLAN combinations.

! From a Branch PC (e.g. 10.2.10.100, a DHCP client) in the PC command prompt
ping 10.1.10.20
tracert 10.1.10.20

! Same test from the branch router, sourced from its LAN gateway address
ping 10.1.10.20 source 10.2.10.1
traceroute 10.1.10.20

! Verify OSPF routing table completeness
show ip route
! Expected: O routes for all remote subnets

! Test DNS resolution (from HQ user PC)
nslookup server01.hq.local 10.1.10.5

! Verify DHCP assignments (on the HQ router)
show ip dhcp binding
show ip dhcp pool

! Test internet NAT: ping from an HQ user PC (e.g. 10.1.20.50), then check the HQ router
ping 8.8.8.8
show ip nat translations
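The two outputs that decide whether this verification passes are show ip route and show ip ospf neighbor. The script below is an added example, not part of the original writeup: it parses both in their IOS format, checks that every subnet from the writeup's addressing plan appears in the routing table, reports each route's source code (C, L, O, S), and lists any neighbor whose state is not FULL. Both command outputs are constructed samples; the next-hop address 10.1.0.2 and the interface names are assumed, since the writeup does not state the WAN addressing. The sample route table deliberately omits the branch subnet and the neighbor table shows the EXSTART symptom described under Challenges & Solutions.

```python
"""Parse 'show ip route' and 'show ip ospf neighbor' output to verify reachability.

Added example, not part of the original writeup. PLANNED_SUBNETS are the
writeup's VLAN networks; the command outputs are constructed samples.
"""
import re

PLANNED_SUBNETS = {
    "10.1.10.0/24": "HQ servers (VLAN 10)",
    "10.1.20.0/24": "HQ users (VLAN 20)",
    "10.1.30.0/24": "HQ management (VLAN 30)",
    "10.2.10.0/24": "Branch staff (VLAN 10)",
}

# Constructed HQ router output: the branch subnet is deliberately absent,
# which is what a failed OSPF exchange looks like from the routing table.
SAMPLE_ROUTE_TABLE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.10.0/24 is directly connected, GigabitEthernet0/1.10
L        10.1.10.1/32 is directly connected, GigabitEthernet0/1.10
C        10.1.20.0/24 is directly connected, GigabitEthernet0/1.20
L        10.1.20.1/32 is directly connected, GigabitEthernet0/1.20
C        10.1.30.0/24 is directly connected, GigabitEthernet0/1.30
L        10.1.30.1/32 is directly connected, GigabitEthernet0/1.30
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.0/30 is directly connected, GigabitEthernet0/0
L        203.0.113.2/32 is directly connected, GigabitEthernet0/0
"""

# Constructed neighbor table (assumed neighbor address and interface) showing
# the EXSTART symptom from Challenges & Solutions.
SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   EXSTART/  -     00:00:35    10.1.0.2        Serial0/0/0
"""

# Route code (C, L, O, O IA, O E2, S*...), prefix, remainder of the line.
ROUTE_RE = re.compile(r"^([A-Z*]{1,2}(?: [A-Z][A-Z0-9])?)\s+(\d+(?:\.\d+){3}/\d+)\s+(.*)$")
# Neighbor ID, priority, STATE/ROLE, dead time, address, interface.
NEIGHBOR_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+\d+\s+(\S+)/\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s*$")


def parse_routes(output):
    """Return {prefix: {'code': route source, 'via': next hop or None}}."""
    routes = {}
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, prefix, rest = m.groups()
        via = re.search(r"via (\d+(?:\.\d+){3})", rest)
        routes[prefix] = {"code": code.strip(), "via": via.group(1) if via else None}
    return routes


def audit_routes(output, planned=PLANNED_SUBNETS):
    """Return (present, missing): present maps prefix -> route code."""
    routes = parse_routes(output)
    present = {p: routes[p]["code"] for p in planned if p in routes}
    missing = [p for p in planned if p not in routes]
    return present, missing


def stuck_neighbors(output):
    """Return [(neighbor id, state, interface)] for adjacencies not yet FULL."""
    stuck = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m and m.group(2).upper() != "FULL":
            stuck.append((m.group(1), m.group(2), m.group(4)))
    return stuck


if __name__ == "__main__":
    present, missing = audit_routes(SAMPLE_ROUTE_TABLE)
    for prefix, code in present.items():
        print(f"OK      {prefix:16s} [{code}] {PLANNED_SUBNETS[prefix]}")
    for prefix in missing:
        print(f"MISSING {prefix:16s} {PLANNED_SUBNETS[prefix]}")
    for nid, state, ifname in stuck_neighbors(SAMPLE_NEIGHBORS):
        print(f"neighbor {nid} on {ifname} stuck in {state}: check MTU and hello/dead timers")
```

Paste real output from the simulation into the two sample strings; when the branch route appears as an O entry and the neighbor shows FULL, the routing half of the verification is complete and the remaining tests (DNS, DHCP bindings, NAT translations) can be read directly.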

Complete Workflow

Workflow diagram (Mermaid source):

flowchart LR
    A[IP Addressing\nPlan All Subnets] --> B[Physical Topology\nPT Devices + Links]
    B --> C[VLAN + L3SW\nSVI Configuration]
    C --> D[OSPFv2\nBoth Sites]
    D --> E[DHCP + Helper\nCentralized Pools]
    E --> F[Extended ACLs\nTraffic Policy]
    F --> G[NAT Overload\nInternet Access]
    G --> H[Full Verification\nPing + Traceroute + DNS]
    style A fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style H fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0
    style B fill:#181818,stroke:#1e1e1e,color:#888
    style C fill:#181818,stroke:#1e1e1e,color:#888
    style D fill:#181818,stroke:#1e1e1e,color:#888
    style E fill:#181818,stroke:#1e1e1e,color:#888
    style F fill:#181818,stroke:#1e1e1e,color:#888
    style G fill:#181818,stroke:#1e1e1e,color:#888

Challenges & Solutions

  • OSPF adjacency stuck in EXSTART — MTU mismatch between serial interfaces. Set ip ospf mtu-ignore on the serial interface to override the mismatch check in the simulation environment.
  • DHCP not reaching branch clients — The ip helper-address was pointing to the wrong IP (the branch router itself rather than the HQ router). Corrected the helper to 10.1.0.1.
  • ACL blocking return traffic — Used stateless ACLs initially; TCP sessions could not complete because return traffic (from servers back to branch) was being dropped. Added permit established lines for TCP return traffic.
  • NAT translations not appearing — NAT inside/outside interface roles were reversed. The public-facing interface must be ip nat outside and LAN interfaces ip nat inside.
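Both ACL problems above (a policy list that silently catches DHCP relay and DNS, and TCP return traffic needing an established entry on a stateless list) can be reproduced offline with a small evaluator, added here as an example that is not part of the original writeup. It parses the extended ACL entry syntax used in Step 03 (permit/deny, tcp/udp/icmp/ip, wildcard masks, host, any, eq with a port number or name, established) and evaluates constructed sample flows top-down with first-match semantics and the implicit deny. BRANCH_TO_HQ_V1 is the HTTP/HTTPS-only policy from Step 03 without DHCP and DNS permits; V2 adds them. RETURN_FROM_HQ is a constructed WAN-inbound list for illustration, not a configuration taken from the writeup; the client address 10.2.10.100 and server address 10.1.10.20 are constructed sample values.

```python
"""Evaluate flows against IOS extended ACLs, top-down and first-match.

Added example, not part of the original writeup. Parses the entry syntax
used in Step 03 and replays constructed sample flows against it.
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# Policy as first written in Step 03: HTTP/HTTPS and ICMP only.
BRANCH_TO_HQ_V1 = """
 permit tcp 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 80
 permit tcp 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 443
 permit icmp 10.2.10.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny ip any any log
"""
# Same policy plus the DHCP-relay and DNS permits a branch client needs.
BRANCH_TO_HQ_V2 = """
 permit udp any eq bootpc any eq bootps
 permit udp 10.2.10.0 0.0.0.255 host 10.1.10.5 eq domain
""" + BRANCH_TO_HQ_V1
# Constructed list for the WAN-inbound direction: only replies to TCP
# sessions the branch opened (ACK or RST set) are allowed back in.
RETURN_FROM_HQ = """
 permit tcp 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255 established
 deny ip any any
"""


def _addr(tokens):
    """Consume one address spec -> ((address, wildcard) as ints, rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' -> (port number or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return the list's entries in order, each as a dict of match fields."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _addr(tokens[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append({"action": tokens[0], "proto": tokens[1], "src": src,
                        "sport": sport, "dst": dst, "dport": dport,
                        "established": "established" in rest, "text": line.strip()})
    return entries


def _match(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    address, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (address & care)


def evaluate(entries, flow):
    """Return (action, entry text); the implicit deny applies if none match."""
    for e in entries:
        if e["proto"] not in ("ip", flow["proto"]):
            continue
        if not (_match(flow["src"], e["src"]) and _match(flow["dst"], e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != flow.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != flow.get("dport"):
            continue
        if e["established"] and not flow.get("ack", False):
            continue
        return e["action"], e["text"]
    return "deny", "(implicit deny)"


# Constructed sample flows: 10.2.10.100 is a branch DHCP client, 10.1.10.20 an HQ server.
FLOWS = {
    "branch-http": dict(proto="tcp", src="10.2.10.100", dst="10.1.10.20", sport=51000, dport=80),
    "branch-ssh": dict(proto="tcp", src="10.2.10.100", dst="10.1.10.20", sport=51001, dport=22),
    "branch-dhcp-discover": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    "branch-dns": dict(proto="udp", src="10.2.10.100", dst="10.1.10.5", sport=40000, dport=53),
    "hq-reply-ack": dict(proto="tcp", src="10.1.10.20", dst="10.2.10.100", sport=80, dport=51000, ack=True),
    "hq-unsolicited-syn": dict(proto="tcp", src="10.1.10.20", dst="10.2.10.100", sport=40001, dport=8080),
}


def audit(acl_text, flows=FLOWS):
    """Map each flow name to the action the ACL takes on it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("V1", BRANCH_TO_HQ_V1), ("V2", BRANCH_TO_HQ_V2), ("RETURN", RETURN_FROM_HQ)):
        print(label, audit(acl))
```

V1 denies the DHCP discover and the DNS query along with SSH, which is why branch clients on that list never obtain a lease or resolve names; V2 permits them while still denying SSH. On the constructed WAN-inbound list the ACK-bearing reply is permitted and an unsolicited SYN from the server side is dropped, which is what the established keyword buys on a stateless list.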

Key Takeaways

  • OSPFv2 adjacency requires unique router IDs and matching area numbers and hello/dead intervals — the adjacency state machine is unforgiving of subtle mismatches.
  • Centralized DHCP with IP helper-address is a scalable pattern; having one DHCP server for an entire enterprise simplifies address management and audit trails.
  • Stateless ACLs must include permit established entries for TCP return traffic — forgetting this causes one-way TCP connectivity that looks like a routing problem.
  • Multi-site network design always starts with a complete addressing table and topology diagram — ad-hoc configuration invariably creates subnet overlaps or routing loops.