Network Engineering & Security Capstone

Designing Secure and Scalable Networks

Network Topology

Below is the network topology diagram for my capstone project. It illustrates the segmentation of the network into multiple VLANs, the placement of SVIs, and the overall structure of the network.

Network Topology Diagram

Project Overview

My capstone project focused on designing and implementing a secure, scalable network infrastructure for a multi-department organization. The goal was to ensure robust security, efficient traffic management, and seamless communication across different network segments.

Emphasizing Security

One of the key aspects of my project was the emphasis on network security. I achieved this through the features described in the next section.

Key Features of the Network

Layer 3 Security

SVIs and ACLs were used to enforce security policies at the network edge, ensuring that only authorized traffic could pass between VLANs.

VLAN Segmentation

The network was segmented into multiple VLANs to isolate traffic and improve performance. Inter-VLAN routing was configured for necessary communication.

IPSec VPN

An IPSec VPN was set up between sites to ensure secure communication over the internet, protecting sensitive data from interception.

Network Monitoring

Tools like syslog and NTP were configured to monitor network activity and ensure accurate time synchronization across devices.

Detailed Explanations

VLAN Configuration

The network was segmented into multiple VLANs to enhance security and reduce congestion. Each VLAN served a specific purpose:

  • VLAN 10 (Management): Used for network management and monitoring.
  • VLAN 15 (Receptionists): Dedicated to receptionist workstations.
  • VLAN 20 (Dentists): Reserved for dentist workstations and related devices.
  • VLAN 30 (Hygienists): Used for hygienist workstations and devices.

VLANs were configured on Layer 3 switches using the vlan command, and access ports were assigned to the appropriate VLANs using the switchport access vlan command.

Access Control Lists (ACLs)

ACLs were implemented to enforce security policies and restrict traffic between VLANs. For example:

  • ACLs on VLANs 15, 20, and 30 allowed only echo-reply traffic to VLAN 10 (Management).
  • ACLs were applied to the outside interface of the ASA firewall to restrict guest access to only HTTPS traffic (port 443).

ACLs were configured using the ip access-list command and applied to interfaces with the ip access-group command.
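The two ACL policies above, written out as an added example (this is not configuration from the capstone itself). It assumes every VLAN is a /24 (10.0.15.0/24, 10.0.10.0/24, and so on), that the ASA runs 8.3 or later, and that the guest subnet is the placeholder 192.0.2.0/24 held in a hypothetical object named GUEST_NET.

```cisco
! --- Layer 3 switch (IOS): policy for VLAN 15, applied inbound on its SVI ---
! Assumption: each VLAN is a /24; the same pattern is repeated for VLAN 20 and 30.
ip access-list extended VLAN15-IN
 remark Hosts in VLAN 15 may only answer pings that Management (VLAN 10) sends them
 permit icmp 10.0.15.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 remark Any other traffic aimed at Management is dropped and logged
 deny   ip   10.0.15.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 remark Traffic to every other destination is left to other policies
 permit ip   10.0.15.0 0.0.0.255 any
!
interface Vlan15
 ip access-group VLAN15-IN in
!
! Hit counters show which entry each test flow matched
! show ip access-lists VLAN15-IN
!
! --- ASA: guest traffic arriving on the outside interface limited to HTTPS ---
! Assumption: GUEST_NET is a placeholder object for the guest subnet.
object network GUEST_NET
 subnet 192.0.2.0 255.255.255.0
access-list GUEST-HTTPS-ONLY extended permit tcp object GUEST_NET any eq https
access-list GUEST-HTTPS-ONLY extended deny ip object GUEST_NET any log
access-group GUEST-HTTPS-ONLY in interface outside
!
! show access-list GUEST-HTTPS-ONLY
```

The explicit deny with the log keyword is what later produces the ACL-violation syslog messages; without it the implicit deny at the end of each list drops silently. Note that an HTTPS-only guest policy also needs name resolution to be allowed somewhere (for example a DNS entry ahead of the deny) if guests resolve names through the firewall.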

Inter-VLAN Routing

Inter-VLAN routing was enabled using Switch Virtual Interfaces (SVIs) on Layer 3 switches. Each VLAN had an SVI with a unique IP address, allowing devices in different VLANs to communicate securely. For example:

  • VLAN 10 SVI: 10.0.10.1
  • VLAN 15 SVI: 10.0.15.1
  • VLAN 20 SVI: 10.0.20.1
  • VLAN 30 SVI: 10.0.30.1

Routing between VLANs was verified with the ping command; the same tests confirmed that the ACLs blocked any traffic the policy did not authorize.
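The VLAN creation, access-port assignment and SVI configuration described in the VLAN Configuration and Inter-VLAN Routing sections, combined into one added example for a Catalyst-style Layer 3 switch (it is not the capstone's own configuration). Interface numbers and the /24 masks on the SVIs are assumptions; the page gives only the SVI addresses.

```cisco
! --- Create the four VLANs from the design ---
vlan 10
 name Management
vlan 15
 name Receptionists
vlan 20
 name Dentists
vlan 30
 name Hygienists
!
! --- Access ports (port numbers are assumed) ---
interface GigabitEthernet1/0/1
 description Receptionist workstation
 switchport mode access
 switchport access vlan 15
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Dentist workstation
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! --- Trunk to a downstream access switch (assumed); carry only the design VLANs ---
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,15,20,30
!
! --- Enable routing and give each VLAN its SVI (masks assumed /24) ---
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan15
 ip address 10.0.15.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
! --- Verification ---
! show vlan brief
! show ip interface brief | include Vlan
! ping 10.0.20.1 source 10.0.15.1
```

The switchport trunk encapsulation line is only needed on platforms that also support ISL; newer switches default to 802.1Q and reject the command. Restricting the allowed VLAN list on the trunk keeps a misconfigured downstream port from reaching the Management VLAN.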

IPSec VPN Setup

An IPSec VPN was configured between two Cisco ASA firewalls to secure communication between Site A and Site B. The VPN tunnel used the following settings:

  • Transform Set: esp-des esp-md5-hmac
  • ISAKMP Policy: Pre-shared key authentication and AES encryption.
  • Access Control: Only HTTPS traffic was allowed through the VPN.

The VPN tunnel was verified using the show crypto ipsec sa command, and connectivity was tested using ping between devices in Site A and Site B.
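The Site A side of the IKEv1 site-to-site tunnel as an added example for an ASA running 8.4 or later (not the capstone's configuration). The peer address 203.0.113.2, the Site B subnet 10.1.0.0/16, the Site A summary 10.0.0.0/16 and the pre-shared key are placeholders. It shows the transform set the project used beside a stronger one: DES and MD5-HMAC are deprecated, and AES with SHA is what a current deployment would pick.

```cisco
! --- Phase 1 (ISAKMP/IKEv1): pre-shared key, AES ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! --- Phase 2 transform sets ---
! Transform set as listed in the project (DES and MD5 are deprecated)
crypto ipsec ikev1 transform-set CAPSTONE-TS esp-des esp-md5-hmac
! Stronger replacement used by the crypto map below
crypto ipsec ikev1 transform-set STRONG-TS esp-aes-256 esp-sha-hmac
!
! --- Interesting traffic: only HTTPS from Site A to Site B is protected ---
! Site B must carry the mirror image: permit tcp 10.1.0.0/16 eq 443 -> 10.0.0.0/16
access-list SITEA-TO-SITEB extended permit tcp 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq https
!
crypto map OUTSIDE-MAP 10 match address SITEA-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set STRONG-TS
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! --- Verification ---
! show crypto ikev1 sa
! show crypto ipsec sa
```

In show crypto ipsec sa, the #pkts encaps and #pkts decaps counters should both climb while an HTTPS session crosses the tunnel; a rising encaps count with decaps stuck at zero usually means the peer's crypto ACL is not an exact mirror. Packet Tracer's ASA model supports only a subset of these commands, so this block targets a physical or virtual ASA.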

Network Monitoring

Network monitoring was implemented using the following tools and techniques:

  • Syslog: Configured on the ASA firewall to log ACL violations and other security events.
  • NTP (Network Time Protocol): Used to synchronize the clocks of all network devices for accurate logging and troubleshooting.
  • Packet Tracer Simulation Mode: Used to analyze PDUs and verify traffic flow between VLANs and through the VPN tunnel.

These tools ensured that the network was monitored effectively, and any issues were identified and resolved promptly.
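Syslog and authenticated NTP for the ASA and a Layer 3 switch, as an added example (not the project's configuration). The syslog collector 10.0.10.50 and NTP server 10.0.10.5 in the Management VLAN, the time zone and the NTP key are assumptions.

```cisco
! ===== ASA =====
! --- Syslog: keep a local buffer and forward to the collector in VLAN 10 ---
logging enable
logging timestamp
logging buffer-size 16384
logging buffered warnings
logging trap informational
logging host inside 10.0.10.50
! ACL denies carrying the log keyword are emitted as message 106100 at this level
!
! --- NTP: authenticated so a rogue server cannot skew the log timestamps ---
clock timezone EST -5
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY-PLACEHOLDER>
ntp trusted-key 1
ntp server 10.0.10.5 key 1 source inside prefer
!
! show ntp status
! show logging
!
! ===== Layer 3 switch (IOS) =====
! --- Timestamps must match the ASA or correlating events across devices fails ---
clock timezone EST -5
service timestamps log datetime msec localtime show-timezone
logging source-interface Vlan10
logging host 10.0.10.50
logging trap informational
!
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY-PLACEHOLDER>
ntp trusted-key 1
ntp server 10.0.10.5 key 1
!
! show ntp associations
! show logging
```

Sourcing syslog and NTP from the Management VLAN keeps that traffic inside the segment the ACLs already protect, and the trap level is set to informational rather than debugging so the collector receives ACL hits without being flooded.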