Final CCNA Lab Project

Enterprise Network Design & Implementation

Prepared by: Marwan Adel
Project Idea
connecting three company branches through a secure and segmented network
using Routing, Switching, VLANs, WAN, Security, and Network Services.
Branches:
• Headquarters (HQ): Cairo, Egypt
• Branch 1: Jeddah, Saudi Arabia

• Branch 2: Riyadh, Saudi Arabia

Topology:
Network Design and Planning
At the beginning, I used draw.io to design and plan the network topology for my final lab. This step was
very important for several reasons:
1. Simplifying the design process: Having a clear topology diagram helped me visualize the entire
network (HQ, branches, routers, and switches).
2. Interface mapping: The diagram allowed me to easily identify which interfaces should be
connected to specific devices, reducing configuration errors.
3. Subnetting and VLAN planning: It made it easier to allocate IP addresses and assign VLANs to
different departments.
4. Clear overall view: By drawing the complete network before implementing it on Cisco Packet
Tracer, I saved time and effort during the configuration phase.
What Has Been Implemented
Switches & Routers.‫للـ‬Configuration •
VLANs + Inter-VLAN Routing‫• إنشاء‬
IP.‫لتوزيع الـ‬DHCP •
RIP v2.‫باستخدام‬Routing •
.‫ لربط الفروع‬Frame Relay ‫عن طريق‬WAN Connection •
Access-Lists +Port Security + SSH.‫باستخدام‬Security •
(DHCP, TFTP, Syslog, SNMP).‫• تشغيل السيرفرات‬
TFTP Server.‫ على‬Router ‫ لكل‬Configurations ‫للـ‬Backup •
🔹 Network Summary

Device Hostname Role Main Configurations / Services

Sub-Interfaces (VLAN 2,3,4,5,10,15) – DHCP – ACLs – SSH – RIP – SNMP –
Router 1 R1 HQ Router (Cairo)
Syslog – TFTP Backup – Frame Relay
Branch Router Sub-Interfaces – DHCP – SSH – RIP – SNMP – Syslog – TFTP Backup – Frame
Router 2 R2
(Jeddah) Relay
Branch Router Sub-Interfaces – DHCP – SSH – RIP – SNMP – Syslog – TFTP Backup – Frame
Router 3 R3
(Riyadh) Relay
Switch 1 SW-1 HQ Switch VLANs (2,3,4,5,10,15) – Port Security – Trunk
Switch 2 SW-2 Branch Switch VLANs + Access Ports – Port Security – Trunk
Switch 3 SW-3 Branch Switch VLANs + Access Ports – Port Security – Trunk
Server 1 TFTP Backup Server Stores router configurations
Server 2 Syslog Logging Server Receives and stores logs from routers
Server 3 SNMP Monitoring Server Network monitoring via SNMP
Frame
CLOUD WAN Connectivity Provides inter-branch connection (Cairo ↔ Jeddah ↔ Riyadh)
Relay
Configuration Steps
🔹 SW-1 Configuration

Hostname‫تغيير الـ‬
Switch> enable
Switch# configure terminal
Switch(config)# hostname SW-1
VLANs‫إنشاء الـ‬
SW-1(config)# vlan 2
SW-1(config-vlan)# vlan 3
SW-1(config-vlan)# vlan 4
SW-1(config-vlan)# vlan 5
SW-1(config-vlan)# vlan 10
SW-1(config-vlan)# vlan 15
 VLAN‫ لكل‬Ports ‫تخصيص الـ‬
Port F0/2 → VLAN 2 (IT)
Port F0/3 → VLAN 3 (Sales)
Port F0/4 → VLAN 4 (HR)
Port F0/5 → VLAN 5 (Manager)
Port F0/8 → VLAN 10 (Customers)
Ports F0/21 – F0/24 → VLAN 15 (Servers)
SW-1(config)# interface f0/2
SW-1(config-if)# switchport access vlan 2
SW-1(config-if)# switchport mode access
SW-1(config)# interface f0/3
SW-1(config-if)# switchport access vlan 3
SW-1(config-if)# switchport mode access
SW-1(config)# interface f0/4
SW-1(config-if)# switchport access vlan 4
SW-1(config-if)# switchport mode access
SW-1(config)# interface f0/5
SW-1(config-if)# switchport access vlan 5
SW-1(config-if)# switchport mode access
SW-1(config)# interface f0/8
SW-1(config-if)# switchport access vlan 10
SW-1(config-if)# switchport mode access
SW-1(config)# interface range f0/21-24
SW-1(config-if-range)# switchport access vlan 15
SW-1(config-if-range)# switchport mode access
R1‫ لالتصال بالراوتر‬Trunk Port ‫🔹 تفعيل الـ‬

SW-1(config)# interface f0/1

SW-1(config-if)# switchport mode trunk

🔹 Note
"In this step, we configured VLANs on switch SW-1 and assigned
the appropriate interfaces for each department, in addition to
configuring the trunk port towards Router R1."
 SW-1‫ على‬Port Security ‫🔹 تفعيل‬
‫ صغير ويخلي أكتر من جهاز يدخل على الشبكة‬Hub/Switch ‫ منع توصيل أكثر من جهاز على نفس البورت مثالً مستخدم يركب‬:‫الغرض‬
Violation‫( لو حصل‬shutdown) ‫( ويغلق نفسه‬sticky) ‫ أوتوماتيك‬MAC Address ‫كمان بنخلي البورت يتعلم الـ‬
Configuration
F0/3 (Sales)‫على بورت‬
SW-1(config)# interface f0/3
SW-1(config-if)# switchport port-security
SW-1(config-if)# switchport port-security maximum 1
SW-1(config-if)# switchport port-security violation shutdown
SW-1(config-if)# switchport port-security mac-address sticky
F0/4 (HR)‫على بورت‬
SW-1(config)# interface f0/4
SW-1(config-if)# switchport port-security
SW-1(config-if)# switchport port-security maximum 1
SW-1(config-if)# switchport port-security violation shutdown
SW-1(config-if)# switchport port-security mac-address sticky

F0/5 (Manager)‫على بورت‬

SW-1(config)# interface f0/5
SW-1(config-if)# switchport port-security
SW-1(config-if)# switchport port-security maximum 1
SW-1(config-if)# switchport port-security violation shutdown
SW-1(config-if)# switchport port-security mac-address sticky
F0/21 – F0/24‫على منافذ السيرفرات‬
SW-1(config)# interface range f0/21-24
SW-1(config-if-range)# switchport port-security
SW-1(config-if-range)# switchport port-security maximum 1
SW-1(config-if-range)# switchport port-security violation shutdown
SW-1(config-if-range)# switchport port-security mac-address sticky
Explanation:
(F0/21-F0/24).‫(ولبورتات السيرفرات‬F0/2-F0/5) ‫على البورتات المخصصة‬Port Security ‫تم تفعيل‬ •
running-config (sticky).‫ تلقائيًا ويخزنه في الـ‬MAC ‫ ويتعلم عنوان‬،‫كل بورت يسمح بجهاز واحد فقط‬ •
(shutdown).‫ البورت يتوقف تلقائيًا‬، (Violation)‫في حالة أي انتهاك‬ •

🔹 Note
"To enhance security, port-security was configured on all access ports to allow only one device
per port. The MAC address of the connected device is learned dynamically (sticky) and saved in
the running configuration. If any violation occurs (e.g., an unauthorized device is connected), the
port will automatically shut down to prevent unauthorized access."
🔹 Router Basic Security (R1)
Configuration
Hostname: ‫ تغيير الـ‬.1
Router> enable
Router# configure terminal
Router(config)# hostname R1
privilege mode‫عشان الدخول لـ‬Enable Password ‫ إضافة‬.2
R1(config)# enable password 0236
Console Line: ‫ حماية الـ‬.3
R1(config)# line console 0
R1(config-line)# password asd
R1(config-line)# login
VTY (Telnet) Lines: ‫ حماية الـ‬.4
R1(config)# line vty 0 4
R1(config-line)# password qwe
R1(config-line)# login
config):‫لتشفير كل الباسوردات في الـ‬Service Password Encryption ( ‫ تفعيل‬.6
R1(config)# service password-encryption
 🔹 Note
"On router R1, basic security was applied by setting an enable password, configuring
console and VTY line access with authentication, and creating a local user account.
Additionally, the service password-encryption command was enabled to ensure that all
passwords are stored in encrypted format in the running configuration."

🔹 Router-on-a-Stick (Inter-VLAN Routing) – R1

Configuration
Physical Interface:‫ تفعيل الـ‬.1
R1(config)# interface fastEthernet 0/0
R1(config-if)# no shutdown
R1(config-if)# no ip address
IP Address+‫ معين‬VLAN ID ‫ وربط كل واحدة بـ‬Sub-Interfaces ‫ إنشاء الـ‬.2
R1(config)# interface fastEthernet 0/0.2
R1(config-subif)# encapsulation dot1Q 2
R1(config-subif)# ip address 192.168.1.9 255.255.255.248
R1(config)# interface fastEthernet 0/0.3
R1(config-subif)# encapsulation dot1Q 3
R1(config-subif)# ip address 192.168.1.17 255.255.255.248

R1(config)# interface fastEthernet 0/0.4

R1(config-subif)# encapsulation dot1Q 4
R1(config-subif)# ip address 192.168.1.25 255.255.255.248

R1(config)# interface fastEthernet 0/0.5

R1(config-subif)# encapsulation dot1Q 5
R1(config-subif)# ip address 192.168.1.33 255.255.255.248

R1(config)# interface fastEthernet 0/0.10

R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.1.73 255.255.255.248

R1(config)# interface fastEthernet 0/0.15

R1(config-subif)# encapsulation dot1Q 15
R1(config-subif)# ip address 192.168.1.113 255.255.255.248
 🔹 Note
"On router R1, a Router-on-a-Stick configuration was implemented. Sub-
interfaces were created for each VLAN, and an IP address was assigned as the
default gateway for each subnet. This allows devices from different VLANs to
communicate with each other through inter-VLAN routing."

🔹 DHCP Configuration – R1
• VLAN 2:
R1(config)# ip dhcp pool vlan2
R1(dhcp-config)# network 192.168.1.8 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.9
R1(dhcp-config)# dns-server 8.8.8.8
• VLAN 3:
R1(config)# ip dhcp pool vlan3
R1(dhcp-config)# network 192.168.1.16 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.17
R1(dhcp-config)# dns-server 8.8.8.8
• VLAN 4:
R1(config)# ip dhcp pool vlan4
R1(dhcp-config)# network 192.168.1.24 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.25
R1(dhcp-config)# dns-server 8.8.8.8
• VLAN 5:
R1(config)# ip dhcp pool vlan5
R1(dhcp-config)# network 192.168.1.32 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.33
R1(dhcp-config)# dns-server 8.8.8.8
• VLAN 10:
R1(config)# ip dhcp pool vlan10
R1(dhcp-config)# network 192.168.1.72 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.73
R1(dhcp-config)# dns-server 8.8.8.8
• VLAN 15:
R1(config)# ip dhcp pool vlan15
R1(dhcp-config)# network 192.168.1.112 255.255.255.248
R1(dhcp-config)# default-router 192.168.1.113
 🔹 Note
"DHCP pools were configured on R1 for each VLAN to dynamically assign IP addresses to client
devices. Each pool specifies the network, default gateway, and DNS server, allowing hosts to
obtain the correct IP configuration automatically."

🔹 RIP Routing Configuration – R1

Configuration Commands:
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.1.0
R1(config-router)# no auto-summary
Explanation:
.‫ على الراوتر‬RIP ‫ لتفعيل بروتوكول‬router rip .1
Classful‫ ضروري للشبكات غير الـ‬Subnet Mask Classless ‫ يدعم‬، RIP v2‫ يستخدم‬version 2 .2
RIP.‫ التابعة لها ضمن تحديثات‬subnets ‫ وجميع الـ‬192.168.1.0 ‫ يعلن الشبكة‬network 192.168.1.0 .3
‫ وهو مهم‬،‫ يعلن على حدة‬Subnet ‫( ويضمن أن كل‬Automatic Summarization) ‫ يمنع تجميع الشبكات‬no auto-summary .4
subnets 29/ ‫مع الـ‬
🔹 Note
"RIP version 2 was configured on R1 to enable dynamic routing between subnets. The no auto-
summary command ensures proper advertisement of all subnets without summarization,
allowing correct inter-VLAN and WAN connectivity."

🔹 Note:
"The same configurations implemented on R1, including Router-on-a-Stick for inter-
VLAN routing, DHCP pools for each VLAN, RIP version 2 dynamic routing, and basic
security settings, were also applied on the branch routers in Jeddah (R2) and Riyadh
(R3), along with their connected switches. This ensures consistent VLAN
segmentation, IP address allocation, and routing across all sites."
🔹 Advice

When working on a large-scale project or a Final CCNA Lab, it’s always better to
complete all Router and Switch configurations for each branch first (VLANs, Inter-
VLAN Routing, DHCP, Security, etc.).
After that, move on to configuring the WAN and interconnecting the branches.
This approach keeps the work organized and makes troubleshooting much easier,
since you ensure that each branch is fully functional internally before integrating it
with the others.
 🔹 WAN Connectivity
WAN Setup in Packet Tracer:
*"The Frame Relay cloud in the lab was configured first by:
1. Opening the Cloud and selecting Frame Relay as the connection type.
2. Adding the appropriate DLCIs for each point-to-point connection.
After that, each branch router and HQ router was configured with a WIC-2T module to enable
serial connectivity, allowing the DCE/DTE cables to be connected correctly. This setup ensures
that each router can communicate over the Frame Relay WAN with the correct timing and IP
addressing for RIP routing."*
🔹 Frame Relay Configuration (R1)
Configuration Commands:
R1(config)# interface s0/0/0.2 point-to-point
R1(config-subif)# ip address 172.16.1.1 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 200

R1(config)# interface s0/0/0.3 point-to-point

R1(config-subif)# ip address 172.16.1.5 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 300
Explanation:
(Jeddah & Riyadh).‫ لكل فرع‬WAN Point-to-Point ‫إلنشاء خطوط‬Sub-Interfaces S0/0/0.2 & S0/0/0.3 .1
.‫ لكل رابط لضمان التواصل بين الراوترات فقط‬30/ ‫تم تخصيص‬IP Address .2
.‫ الخاص بالفرع المقابل‬DLCI ‫ بالـ‬Sub-Interface ‫ربط كل‬frame-relay interface-dlci .3

🔹 Note
"Frame Relay point-to-point sub-interfaces were configured on R1 to connect HQ with the Jeddah
and Riyadh branches. Each sub-interface has a dedicated IP address and is mapped to its
corresponding DLCI, enabling WAN communication and integration with RIP routing."
🔹 WAN Connectivity – Frame Relay (R2 & R3)
Branch Routers Configuration:
R2 – Jeddah Branch:
R2(config)# interface s0/0/0
R2(config-if)# no shutdown
R2(config-if)# frame-relay interface-dlci 200
R2(config-if)# ip address 172.16.1.2 255.255.255.252
R3 – Riyadh Branch:
R3(config)# interface s0/0/0
R3(config-if)# no shutdown
R3(config-if)# frame-relay interface-dlci 300
R3(config-if)# ip address 172.16.1.6 255.255.255.252
Explanation:
.‫(لكل راوتر فرعي‬Serial) ‫تم تفعيل‬ •
HQ (R1).‫ في‬Sub-Interface ‫المقابل للـ‬DLCI ‫كل راوتر مربوط بـ‬ •
.‫ لكل رابط لضمان اتصال مباشر فقط بين الراوترات‬IP /30 ‫تم تخصيص‬ •

🔹 Note
"The Jeddah (R2) and Riyadh (R3) branch routers were configured with Frame Relay interfaces,
assigned DLCIs corresponding to their connections with HQ (R1). Each interface received a
dedicated /30 IP address to enable WAN connectivity and RIP routing across the enterprise
network."
🔹 Site-to-Site Tunnel Configuration (R2 & R3)
R2 – Jeddah Branch:
R2(config)# interface tunnel 1
R2(config-if)# ip address 50.0.0.2 255.255.255.0
R2(config-if)# tunnel source s0/0/0
R2(config-if)# tunnel destination 172.16.1.6
R3 – Riyadh Branch:
R3(config)# interface tunnel 1
R3(config-if)# ip address 50.0.0.3 255.255.255.0
R3(config-if)# tunnel source s0/0/0
R3(config-if)# tunnel destination 172.16.1.1
Explanation:
Frame Relay.‫بين الفروع لتأمين االتصال بين المواقع عبر شبكة الـ‬IP Tunnel ‫تم إنشاء‬ •
(tunnel destination).‫ وجهة الراوتر اآلخر‬IP ‫( و‬tunnel source) ‫ كمصدر‬Serial Interface ‫ يستخدم الـ‬Tunnel ‫كل‬ •
.‫ لتسهيل التوجيه بين الفروع‬Tunnel Interfaces ‫للـ‬Subnet 50.0.0.0/24 ‫تم تخصيص‬ •

🔹 Note
"Site-to-Site tunnels were configured on the branch routers to provide secure communication
between Jeddah and Riyadh branches over the existing Frame Relay WAN. Each tunnel interface
was assigned a unique IP address and mapped to the correct source and destination serial
interfaces, allowing routing and data flow between remote sites."
🔹 Access-Lists Configuration – R1
R1(config)#ip access-list extended Acl_IT
R1(config-ext-nacl)#permit ip 192.168.1.8 0.0.0.7 any
R1(config-ext-nacl)#ip access-list extended Acl_Sales
R1(config-ext-nacl)#permit ip 192.168.1.16 0.0.0.7 10.10.10.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.16 0.0.0.7 10.10.20.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.16 0.0.0.7 192.168.1.16 0.0.0.7
R1(config-ext-nacl)#deny ip 192.168.1.16 0.0.0.7 any
R1(config-ext-nacl)#ip access-list extended Acl_HR
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 192.168.1.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 10.10.10.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 10.10.20.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 192.168.1.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 10.10.10.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.24 0.0.0.7 10.10.20.16 0.0.0.7
R1(config-ext-nacl)#deny ip 192.168.1.24 0.0.0.7 any
R1(config-ext-nacl)#ip access-list extended Acl_Manager
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 192.168.1.32 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 192.168.1.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 192.168.1.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.10.16 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.10.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.10.32 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.20.16 0.0.0.7
 R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.20.24 0.0.0.7
R1(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.7 10.10.20.32 0.0.0.7
R1(config-ext-nacl)#deny ip 192.168.1.32 0.0.0.7 any
R1(config-ext-nacl)#ip access-list extended Acl_Customer
R1(config-ext-nacl)#permit tcp 192.168.1.72 0.0.0.7 any eq 80
R1(config-ext-nacl)#deny ip 192.168.1.72 0.0.0.7 any

🔹 Apply ACLs on Sub-Interfaces

R1(config)#int f0/0.2
R1(config-subif)#ip access-group Acl_IT in
R1(config-subif)#int f0/0.3
R1(config-subif)#ip access-group Acl_Sales in
R1(config-subif)#int f0/0.4
R1(config-subif)#ip access-group Acl_HR in
R1(config-subif)#int f0/0.5
R1(config-subif)#ip access-group Acl_Manager in
R1(config-subif)#int f0/0.10
R1(config-subif)#ip access-group Acl_Customer in
 Explanation
‫ لها قواعد‬VLAN ‫ كل‬.‫ لتطبيق سياسات األمان‬VLAN ‫ لكل‬R1 ‫ في الراوتر‬Sub-Interface ‫( على كل‬Extended ACLs) ‫"تم تطبيق الـ‬
:‫مخصصة حسب دورها‬
.‫مسموح لها الوصول الكامل لكل الشبكات الداخلية والخارجية‬VLAN IT •
.‫ األخرى في الفروع‬Sales ‫مسموح لها التواصل فقط مع شبكات‬VLAN Sales •
.‫فقط‬Sales ‫ و‬HR ‫مسموح لها التواصل مع‬VLAN HR •
VLAN IT.‫مسموح لها الوصول لكل الشبكات باستثناء‬VLAN Manager •
.‫ فقط‬HTTP ‫مسموح له الوصول لها على اإلنترنت عبر‬VLAN Customer •

🔹 Note
"Based on organizational security policies, each VLAN was restricted according to its role: IT has
full access, Sales communicates only with Sales across branches, HR can communicate with HR
and Sales, Managers have access to all except IT, and Customers are limited to Internet access
via HTTP. These rules were enforced using Extended ACLs applied on router R1 sub-interfaces."
🔹 EtherChannel Configuration (Jeddah & Riyadh Branches)
Jeddah Branch:
SW-JED1(config)# interface range f0/21-24
SW-JED1(config-if-range)# switchport mode trunk
SW-JED1(config-if-range)# channel-group 1 mode active
SW-JED2(config)# interface range f0/21-24
SW-JED2(config-if-range)# switchport mode trunk
SW-JED2(config-if-range)# channel-group 1 mode passive
Riyadh Branch:
SW-RYD1(config)# interface range f0/21-24
SW-RYD1(config-if-range)# switchport mode trunk
SW-RYD1(config-if-range)# channel-group 1 mode active
SW-RYD2(config)# interface range f0/21-24
SW-RYD2(config-if-range)# switchport mode trunk
SW-RYD2(config-if-range)# channel-group 1 mode passive
Explanation:
(Redundancy). ‫( وتحسين‬Bandwidth) ‫ بين السويتشات في كل فرع لتجميع البورتات وزيادة الـ‬EtherChannel ‫تم إنشاء‬ •
.‫ لتحقيق قناة افتراضية واحدة لكل زوج من السويتشات‬Active/Passive ‫ مع وضع‬LACP ‫تم استخدام بروتوكول‬ •
🔹 Note:
"EtherChannel was configured on the access switches in both Jeddah and Riyadh branches to
aggregate multiple physical links into a single logical link. LACP was used to ensure link
Redundancy and load balancing between the connected switches, enhancing overall network
performance and reliability."

🔹 SSH Configuration – R1 (HQ Router)

R1(config)# ip domain-name final-lab.com
R1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
R1(config)# username admin privilege 15 secret P@$$word123
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# do show ip ssh
SSH Enabled - version 1.99
Explanation:
.‫ غير اآلمن‬Telnet ‫ بدالً من‬VTY ‫ لتأمين الوصول عن بعد إلى الـ‬R1 ‫ على الراوتر‬SSH ‫تم تفعيل‬ •
SSH.‫ بت لتشفير جلسات‬1024 ‫ بطول‬RSA ‫تم إنشاء مفتاح‬ •
SSH.‫( لتسجيل الدخول باستخدام‬privilege 15) ‫تم إنشاء حساب مستخدم بصالحيات كاملة‬ •
.‫ فقط‬SSH ‫ تم إعدادها الستخدام تسجيل الدخول المحلي فقط مع السماح ببروتوكول‬VTY lines ‫الـ‬ •

🔹 Note
"SSH was configured on R1 to provide secure remote management access. A 1024-bit RSA key
was generated, and a local admin user with full privileges was created. VTY lines were restricted
to SSH access, ensuring encrypted and authenticated connections to the router."

🔹 Note
"The same SSH configuration was applied on the branch routers R2 and
R3 (Jeddah and Riyadh) to secure remote access. Each router had a
local RSA key generated, a privileged user account created, and the VTY
lines were configured to allow SSH only, just like on the main router R1."
🔹 Configuration Backup & Syslog – R1, R2 & R3
R1 – HQ Router:
R1# copy running-config tftp:
Address or name of remote host []? 192.168.1.114
Destination filename [R1-confg]? R1-Backup.cfg
R1(config)# logging 192.168.1.117
R1(config)# logging trap debugging
Explanation:
.‫ لضمان سالمة اإلعدادات‬TFTP Server ‫ لكل راوتر على الـ‬Running Configuration ‫تم عمل نسخة احتياطية من الـ‬ •
‫ مما يسهل مراقبة أداء الشبكة والكشف‬،‫ إلى سيرفر مركزي‬Debugging ‫ على جميع الراوترات إلرسال رسائل الـ‬Syslog ‫تم تمكين‬ •
.‫عن أي مشاكل بشكل فوري‬

🔹 Note
"All routers had their running configurations backed up to the TFTP server to ensure configuration
safety. Additionally, syslog logging was enabled on each router to send debugging messages to
the central syslog server, providing centralized monitoring and troubleshooting capabilities."

🔹 Note
R2 & R3 – Branch Routers:
"The same steps were applied on the Jeddah branch router (R2) and the Riyadh branch router (R3)
to back up their running configurations to the TFTP server and enable Syslog to send debugging
messages to the central server for network monitoring and troubleshooting."
‫‪🔹 Testing & Verification‬‬
‫بعد االنتهاء من إعداد الشبكة‪ ،‬تم إجراء مجموعة من االختبارات للتأكد من أن كل شيء يعمل بشكل صحيح‪:‬‬

‫‪1. Connectivity Tests‬‬

‫‪Ping‬بين فروع الشركة )‪ (HQ ↔ Jeddah ↔ Riyadh‬للتأكد من نجاح الربط عبر الـ‪Frame Relay.‬‬ ‫‪o‬‬
‫‪Ping‬بين األجهزة داخل نفس الـ ‪ VLAN‬للتأكد من الـ‪Inter-VLAN Routing.‬‬ ‫‪o‬‬
‫‪2. Routing Verification‬‬
‫‪show ip route‬أظهر أن كل الشبكات تم إضافتها من خالل بروتوكول‪RIP v2.‬‬ ‫‪o‬‬
‫‪show ip interface brief‬للتأكد من أن جميع الواجهات مفعلة وبالعناوين الصحيحة‪.‬‬ ‫‪o‬‬
‫‪3. VLAN & Switch Configuration‬‬
‫‪show vlan brief‬يوضح أن جميع الـ ‪ VLANs‬معرفة وتم ربطها بالمنافذ الصحيحة‪.‬‬ ‫‪o‬‬
‫‪show etherchannel summary‬للتأكد من نجاح تجميع الـ ‪ Links‬بين السويتشات‪.‬‬ ‫‪o‬‬
‫‪4. Security Testing‬‬
‫تجربة ‪ Port Security:‬توصيل جهاز غير مصرح به → يتم إغالق الـ ‪ Port‬تلقائيًا‪.‬‬ ‫‪o‬‬
‫تجربة‪ACLs:‬‬ ‫‪o‬‬
‫▪ الـ ‪ Sales‬يمكنه االتصال فقط بـ‪Sales.‬‬
‫▪ الـ ‪ HR‬يمكنه الوصول لـ ‪ Sales‬وأجهزتهم‪.‬‬
‫▪ الـ ‪ Customer‬لديه صالحية ‪ HTTP‬فقط‪.‬‬
‫‪5. Services Verification‬‬
‫‪TFTP‬تم استخدام ‪copy running-config tftp:‬لحفظ إعدادات الراوترات على السيرفر‪.‬‬ ‫‪o‬‬
‫‪Syslog‬التحقق من تسجيل األحداث ‪ Logs‬على السيرفر المركزي‪.‬‬ ‫‪o‬‬
‫‪SNMP‬إعداد ‪ SNMP Community strings‬لتوفير المراقبة عبر‪NMS.‬‬ ‫‪o‬‬
 🔹 Executive Summary – Final CCNA Lab Project
This project demonstrates the design and implementation of a complete enterprise network
connecting three company branches (Cairo HQ, Jeddah, and Riyadh). It includes LAN, WAN,
security, redundancy, and network management services. Below is a summary of the main
achievements.

Category Key Achievements

Implemented VLANs for IT, Sales, HR, Managers, Customers, Servers. Router-on-a-Stick enabled Inter-VLAN
Segmentation
routing. DHCP pools per VLAN for automated IP assignment.

SSH for secure remote access (RSA keys). Extended ACLs enforcing department-specific policies.
Security
Port Security with sticky MAC & shutdown on violation. Password encryption for router access.

Redundancy & - EtherChannel (EtherChannel with LACP for link aggregation. Frame Relay WAN with site-to-site tunnels between
Performance Jeddah & Riyadh. Dynamic routing using RIP v2 with no auto-summary.

Monitoring & - SNMP Server SNMP server for network monitoring. Syslog server for centralized logging. TFTP server for
Management configuration backup. Connectivity & Security tests verified functionality

The project successfully integrates all CCNA topics into a practical enterprise environment,
demonstrating a secure, scalable, and well-managed network design suitable for real-world
deployment.