{"id":364,"date":"2025-10-28T21:15:07","date_gmt":"2025-10-28T21:15:07","guid":{"rendered":"https:\/\/carlostech.com\/?p=364"},"modified":"2026-02-06T18:50:33","modified_gmt":"2026-02-06T18:50:33","slug":"network-project-3-advanced-security-and-redundancy","status":"publish","type":"post","link":"https:\/\/carlostech.com\/?p=364","title":{"rendered":"Network Lab 3 &#8211; Advanced Security and Redundancy"},"content":{"rendered":"\n<p>Implementing a collapsed-core enterprise network with emphasis on security, redundancy, and high availability. Key technologies include HSRP, EtherChannel, Rapid-PVST+, OSPF, firewalls, a DMZ zone, wireless controller integration, wireless connectivity and comprehensive Layer 2 security.<br><\/p>\n\n\n\n<p>Logical network topology diagram: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"787\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-1024x787.jpg\" alt=\"\" class=\"wp-image-1439\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-1024x787.jpg 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-300x230.jpg 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-768x590.jpg 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-1536x1180.jpg 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/Network-Project-5-2048x1573.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><br>Device Hardening<\/h3>\n\n\n\n<p><em>User Authentication &amp; Access Control:<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"557\" height=\"82\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image.png\" alt=\"\" class=\"wp-image-365\" 
srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image.png 557w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-300x44.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><figcaption class=\"wp-element-caption\">Note: Algorithm-type sha256 requires IOS 15.3+; unavailable in current environment due to Packet Tracer limitations. <\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use<strong> algorithm-type<\/strong> command in a real environment instead of just <strong>secret.<\/strong> <\/li>\n\n\n\n<li>Username and hostname configured.<\/li>\n\n\n\n<li>Hostname should have a specific naming convention to improve device identification.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"346\" height=\"147\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-1.png\" alt=\"\" class=\"wp-image-366\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-1.png 346w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-1-300x127.png 300w\" sizes=\"auto, (max-width: 346px) 100vw, 346px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All passwords (current and future) encrypted.<\/li>\n\n\n\n<li>Device no longer conducts a DNS query when there is a typo &#8211; saves time.<\/li>\n\n\n\n<li>Console line configured and hardened with a timeout after 3 minutes of inactivity.\n<ul class=\"wp-block-list\">\n<li>Authentication by local user account.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><em>SSH Configuration:<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"357\" height=\"155\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-2.png\" alt=\"\" class=\"wp-image-368\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-2.png 357w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-2-300x130.png 300w\" 
sizes=\"auto, (max-width: 357px) 100vw, 357px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"516\" height=\"157\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-3.png\" alt=\"\" class=\"wp-image-369\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-3.png 516w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-3-300x91.png 300w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VTY lines and privileged EXEC mode configured and hardened. Limited remote access to SSH &#8211; no Telnet.<\/li>\n\n\n\n<li>Access Control List created to restrict SSH access to only the 8 management PCs.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Reduces the blast radius if the management network is somehow compromised and provides greater segmentation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"547\" height=\"186\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-4.png\" alt=\"\" class=\"wp-image-370\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-4.png 547w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-4-300x102.png 300w\" sizes=\"auto, (max-width: 547px) 100vw, 547px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All the parameters needed to configure SSH version 2 completed.\n<ul class=\"wp-block-list\">\n<li>Only SSH version 2 allowed.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"361\" height=\"305\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-81.png\" alt=\"\" class=\"wp-image-517\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-81.png 361w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-81-300x253.png 300w\" 
sizes=\"auto, (max-width: 361px) 100vw, 361px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All switches have their VLANs configured and named.<\/li>\n\n\n\n<li>On each access switch, only the VLANs that are directly connected to that switch were added.<\/li>\n\n\n\n<li>Distribution switches need <strong>ALL<\/strong> existing VLANs in the network.<\/li>\n\n\n\n<li>The blackhole VLAN is for the ports we will soon shut down on the access switches.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"433\" height=\"131\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-124.png\" alt=\"\" class=\"wp-image-620\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-124.png 433w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-124-300x91.png 300w\" sizes=\"auto, (max-width: 433px) 100vw, 433px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DMZ-Switch VLAN configured. The DMZ server room would have state-of-the-art physical security, but we further improved security by moving the servers off VLAN 1 (the default) to VLAN 200. VLAN 1 is the default for every port and is also used by control-plane protocols such as CDP and VTP, so user or server traffic should never be left on it.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"494\" height=\"98\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-186.png\" alt=\"\" class=\"wp-image-1138\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-186.png 494w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-186-300x60.png 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DMZ switch SVI created in VLAN200 so our management VLAN does not extend into the DMZ. 
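As an added example (this is not the lab's own configuration, which lives in the screenshots), here is the hardening baseline the Device Hardening bullets describe, written out for one access switch. Every name and address is assumed: hostname ASW-1, management VLAN 10 as 10.0.10.0/27 with gateway 10.0.10.1, the switch SVI at 10.0.10.20, and the eight management PCs at 10.0.10.8 to 10.0.10.15.

```cisco
! Added example: hardening baseline for one access switch (assumed names and addresses).
hostname ASW-1
ip domain-name lab.example
no ip domain-lookup
service password-encryption
!
! Local account and enable secret hashed with scrypt (type 9); 'algorithm-type sha256'
! (type 8) is the alternative. Both need IOS 15.3(3)M or later; Packet Tracer falls
! back to plain 'secret' (type 5, MD5).
username netadmin privilege 15 algorithm-type scrypt secret ChangeMe-ToA-LongPassphrase!
enable algorithm-type scrypt secret AnotherLong-EnablePassphrase!
!
! Console: local login, 3-minute idle timeout
line console 0
 login local
 exec-timeout 3 0
 logging synchronous
!
! Only the 8 management PCs (10.0.10.8-10.0.10.15, assumed) may open SSH;
! everything else is dropped and logged.
ip access-list standard MGMT-SSH
 permit 10.0.10.8 0.0.0.7
 deny   any log
!
! SSH version 2 only with a 2048-bit host key (key generation needs hostname + domain-name)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 3 0
!
! In-band management SVI in VLAN 10 (/27); it only comes up once a port carries VLAN 10
vlan 10
 name MANAGEMENT
interface Vlan10
 ip address 10.0.10.20 255.255.255.224
 no shutdown
ip default-gateway 10.0.10.1
```

Verify with `show ip ssh` (version 2.0 only), `show run | include secret` (the hashes should start with `secret 9`, not `secret 5`) and `show access-lists MGMT-SSH` after a test connection from a non-management host, which should increment the `deny any log` counter and produce a syslog line. Note that `service password-encryption` only applies reversible type 7 obfuscation to plaintext `password` lines; it is not a substitute for `secret`.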
<\/li>\n\n\n\n<li>Creating ACL on switch itself that permits SSH only from the authorized management PCs in VLAN10.<\/li>\n\n\n\n<li>Creating ACL on firewall to allow only VLAN10 management PCs to reach the switch management IP address &#8211; enforcing least privilege and defense in depth.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"441\" height=\"112\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-7.png\" alt=\"\" class=\"wp-image-373\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-7.png 441w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-7-300x76.png 300w\" sizes=\"auto, (max-width: 441px) 100vw, 441px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SVI configured in VLAN 10 on access switches for remote access (SSH) management capabilities.&nbsp;<\/li>\n\n\n\n<li>It is a \/27 mask so we have 30 usable hosts\/addresses!<\/li>\n\n\n\n<li>Our management PCs live in this network as well.<\/li>\n\n\n\n<li><strong><em>Note<\/em><\/strong>: At least one port on the switch must have VLAN 10 enabled for the SVI to be up. 
This will be done with the trunk Etherchannels we\u2019ll configure later.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"438\" height=\"113\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-8.png\" alt=\"\" class=\"wp-image-374\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-8.png 438w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-8-300x77.png 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><figcaption class=\"wp-element-caption\">Both firewalls will have the same configurations with their own unique IP.&nbsp;&nbsp;<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dedicated management port so no production traffic is shared in this link.<\/li>\n\n\n\n<li>Security levels define how much you trust the network facing the port. By default, traffic <strong>is<\/strong> allowed to flow from higher to lower levels (LAN -&gt; DMZ or WAN).<\/li>\n\n\n\n<li>LAN will have level 100 security, DMZ level 50, and WAN level 0.<\/li>\n\n\n\n<li>Traffic is blocked by default if it flows from a lower to higher level (WAN -&gt; DMZ\/LAN or DMZ  -&gt; LAN).<\/li>\n\n\n\n<li>Need to at least configure ACLs to explicitly allow traffic when the above occurs (there&#8217;s other methods besides ACLs to accomplish this).\n<ul class=\"wp-block-list\">\n<li>If traffic originated from a higher level security zone, stateful inspection tracks these sessions and allows return traffic automatically without requiring explicit ACLs.<\/li>\n\n\n\n<li>Other methods: firewall rules which are more granular in nature, Application Inspection, etc. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Note<\/strong>: As we only have one management interface per firewall, we do not have remote management redundancy if the distribution switch directly connected to a firewall fails. 
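The security-level behaviour described in the firewall bullets above, together with the earlier point about letting only the VLAN 10 management PCs reach the DMZ switch management address, as an added ASA configuration for one of the two firewalls (this is not the lab's own firewall config). Interface names, addresses and hosts are assumed: Management0/0 in the VLAN 10 management network, inside 10.0.1.0/24, dmz 172.16.200.0/24 with a web server at 172.16.200.10 and the DMZ switch SVI at 172.16.200.2, outside 203.0.113.2/30, and management PCs at 10.0.10.8 to 10.0.10.15.

```cisco
! Added example: ASA zones, stateful defaults and management restriction (assumed addresses).
hostname FW1
domain-name lab.example
!
! Dedicated management interface: to-the-box traffic only, never transit traffic
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.10.21 255.255.255.224
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.200.1 255.255.255.0
!
! inside(100) -> dmz(50) and inside -> outside(0) are permitted by default; the
! stateful connection table lets the replies back in without any ACL.
!
! outside(0) -> dmz(50) is denied by default, so the published service needs an
! explicit permit. The trailing deny makes the implicit drop visible in syslog.
object network DMZ-WEB
 host 172.16.200.10
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! dmz(50) -> inside(100) is already denied; the explicit deny documents it and the
! permit keeps DMZ -> Internet working (once an ACL is bound to an interface,
! anything it does not permit is dropped).
access-list DMZ-IN extended deny ip 172.16.200.0 255.255.255.0 10.0.0.0 255.0.0.0 log
access-list DMZ-IN extended permit ip 172.16.200.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! LAN -> DMZ is allowed by the security levels, so restricting SSH to the DMZ
! switch SVI (172.16.200.2) to the management PCs needs an inbound ACL on inside.
access-list INSIDE-IN extended permit tcp 10.0.10.8 255.255.255.248 host 172.16.200.2 eq ssh
access-list INSIDE-IN extended deny tcp any host 172.16.200.2 eq ssh log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Management plane: SSHv2 only, only from the 8 management PCs, only on the management interface
username netadmin password ChangeMe-ToA-LongPassphrase! privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.0.10.8 255.255.255.248 management
ssh timeout 10
```

`packet-tracer input outside tcp 198.51.100.7 40000 172.16.200.10 443` shows the ACL and security-level checks a packet passes through, `show conn` lists the stateful entries that let return traffic in, and `show access-list` hit counts confirm the deny lines are catching what they should. The `ssh ... management` line is what binds remote management to the dedicated interface, which is also why the lack of a second management link matters: without it, the only fallback is the console.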
We do however maintain production redundancy where all data traffic continues flowing. <\/li>\n\n\n\n<li>Mitigation options:\n<ul class=\"wp-block-list\">\n<li><strong>Console access backup:<\/strong> If either distribution switch fails, console access to the affected firewall remains available as an emergency management method.<\/li>\n\n\n\n<li><strong>Repurpose a data port<\/strong>: We can repurpose a data port on the firewall to become the redundant management link and ensure no production traffic enters here. Must apply a strict ACL here however.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"572\" height=\"28\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-9.png\" alt=\"\" class=\"wp-image-375\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-9.png 572w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-9-300x15.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Distribution Switch-2 port connected to the management port of FW2.&nbsp;<\/li>\n\n\n\n<li>Will configure ACLs to limit which management PCs can SSH to the firewall.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"124\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-10.png\" alt=\"\" class=\"wp-image-376\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-10.png 607w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-10-300x61.png 300w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For the Edge Routers, we will configure loopback interfaces.\n<ul class=\"wp-block-list\">\n<li>Why loopback? 
These are logical interfaces that remain administratively <strong>&#8216;up<\/strong>&#8216; regardless of physical ports status; however it is only reachable if at least one physical port has an active path to the network.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>We configure them with the \/32 mask.<\/li>\n<\/ul>\n\n\n\n<p>The type of management we will be using in this network is <strong>in-band management<\/strong>. For true segmentation (out-of-band management), we would need an entirely different physical infrastructure that enables our management network to still be online even if the production network goes down.<\/p>\n\n\n\n<p>Remote management IP addresses for the distribution switches will be configured later when we set up HSRP, as we&#8217;re using SVIs on these switches as the default gateways for our hosts in each VLAN.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Access Switch Port Configuration<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"355\" height=\"61\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-11.png\" alt=\"\" class=\"wp-image-377\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-11.png 355w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-11-300x52.png 300w\" sizes=\"auto, (max-width: 355px) 100vw, 355px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For the ports connected to just PCs, this would be the configuration. Configuring ASW-1 (Finance Department) &#8211; using VLAN20. 
Access ports carry only one VLAN.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"341\" height=\"88\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-31.png\" alt=\"\" class=\"wp-image-400\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-31.png 341w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-31-300x77.png 300w\" sizes=\"auto, (max-width: 341px) 100vw, 341px\" \/><figcaption class=\"wp-element-caption\">&nbsp;<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For the ports connected to an IP phone and a PC, this would be the configuration.\n<ul class=\"wp-block-list\">\n<li>The port is still an access port but the switch knows there\u2019s an IP phone as well.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>VoIP traffic should receive better treatment than regular data, but switches don\u2019t trust QoS markings coming from access ports, which is why the <strong>\u2018mls qos trust cos\u2019<\/strong> command is needed.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"433\" height=\"105\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-86.png\" alt=\"\" class=\"wp-image-532\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-86.png 433w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-86-300x73.png 300w\" sizes=\"auto, (max-width: 433px) 100vw, 433px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Port that connects to our Wireless Access Point.<\/li>\n\n\n\n<li>This configuration uses two separate VLANs for wireless for:<br><strong>VLAN 150:<\/strong> Management VLAN for APs and their CAPWAP tunnel to the WLC.<br><strong>VLAN 50:<\/strong> Data VLAN for wireless client traffic.<\/li>\n\n\n\n<li><strong><em>N<\/em>ote:<\/strong> You typically do <strong>not<\/strong> configure the native VLAN to match the 
WLC&#8217;s management VLAN because then the AP port will be sending out untagged frames while the WLC is expecting frames tagged with the management VLAN. This will cause connectivity issues.\n<ul class=\"wp-block-list\">\n<li>This was configured as is because of a Packet Tracer <strong><em>bug<\/em><\/strong> where the WLC loses connectivity if you change its management VLAN from the default untagged configuration.<\/li>\n\n\n\n<li>If your APs broadcast multiple SSIDs mapped to different VLANs, add those VLANs to the trunk&#8217;s allowed list to support the additional client traffic.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now for our 4th access switch (connected to the servers):<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"409\" height=\"126\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-13.png\" alt=\"\" class=\"wp-image-379\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-13.png 409w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-13-300x92.png 300w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All three of our servers are on the same VLAN, which is 90.&nbsp;<\/li>\n\n\n\n<li>Realistically, servers typically use <strong>NIC teaming<\/strong> (also called bonding or link aggregation) to combine multiple physical NICs into a single logical interface&nbsp;&#8211; increasing bandwidth and throughput. The server-side NIC team would connect to an <strong>LACP EtherChannel<\/strong> on the switch, with both sides actively negotiating the link aggregation using the Link Aggregation Control Protocol. \n<ul class=\"wp-block-list\">\n<li>Due to Packet Tracer&#8217;s limitations on server-side NIC teaming and LACP configuration on server devices, each server has two separate access port connections mimicking a single logical Etherchannel link. 
&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>For the port connected to the Wireless LAN Controller:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"538\" height=\"130\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-125.png\" alt=\"\" class=\"wp-image-634\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-125.png 538w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-125-300x72.png 300w\" sizes=\"auto, (max-width: 538px) 100vw, 538px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured as a trunk to carry multiple VLANs such as:\n<ul class=\"wp-block-list\">\n<li>AP management traffic (VLAN150).<\/li>\n\n\n\n<li>Wireless data traffic from multiple WLANs which are mapped to different VLANs.<\/li>\n\n\n\n<li>Management PC traffic (VLAN10). <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Only the necessary VLANs are allowed on the trunk, per security best practice.<\/li>\n<\/ul>\n\n\n\n<p>For the port connected to our Voice Gateway\/Call Manager:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"373\" height=\"76\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-200.png\" alt=\"\" class=\"wp-image-1478\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-200.png 373w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-200-300x61.png 300w\" sizes=\"auto, (max-width: 373px) 100vw, 373px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured as a trunk so it carries the VLAN10 management traffic in addition to the VoIP VLAN. <\/li>\n\n\n\n<li>Configured the native VLAN to an unused VLAN for improved security. <\/li>\n\n\n\n<li>The port on the Voice Gateway itself must be a router-on-a-stick implementation (802.1Q subinterfaces) &#8211; configured later when configuring VoIP. 
<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-1024x398.png\" alt=\"\" class=\"wp-image-381\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-1024x398.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-300x117.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-768x299.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-1536x597.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15-1140x443.png 1140w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-15.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This is how this portion of the network is looking currently.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 2 Security<\/h3>\n\n\n\n<p>Time to configure Layer 2 security on our Access switches:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"597\" height=\"444\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-16.png\" alt=\"\" class=\"wp-image-382\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-16.png 597w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-16-300x223.png 300w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"104\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-83.png\" alt=\"\" class=\"wp-image-527\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-83.png 546w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-83-300x57.png 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/figure>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>PortFast<\/strong> is enabled on all access ports, including the trunk link to the AP, to transition interfaces immediately to the forwarding state without waiting for STP convergence.\n<ul class=\"wp-block-list\">\n<li>Should only be enabled on ports connected to end devices and never to ports connected to other switches. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>BPDU Guard <\/strong>is enabled on all PortFast ports to automatically disable the interface if a BPDU is received. This prevents unauthorized switches from being connected to access ports and potentially disrupting the network.<\/li>\n\n\n\n<li><strong>Port Security <\/strong>limits the number of devices allowed per port based on learned MAC addresses.\n<ul class=\"wp-block-list\">\n<li>Standard access ports, including the ones connected to WAPs: maximum 1 address.<\/li>\n\n\n\n<li>VoIP ports need to learn 2 MAC addresses (for the PC and IP phone). <\/li>\n\n\n\n<li>Learning mode: Sticky &#8211; first MAC address(es) learned are saved to the running configuration. <\/li>\n\n\n\n<li>Violation action: Restrict &#8211; unauthorized MAC addresses have their frames dropped and a log is generated. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"405\" height=\"184\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-17.png\" alt=\"\" class=\"wp-image-383\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-17.png 405w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-17-300x136.png 300w\" sizes=\"auto, (max-width: 405px) 100vw, 405px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Both DHCP snooping and Dynamic ARP Inspection (DAI) are enabled for security. All uplink interfaces connecting to the distribution switches are configured as <strong>trusted<\/strong> ports, allowing legitimate DHCP and ARP traffic from them. 
\n<ul class=\"wp-block-list\">\n<li><strong>Note: <\/strong>In production environments, DHCP snooping and DAI trust settings should be configured on the <strong>port-channel interface itself<\/strong>, not on the individual member ports that make up the EtherChannel. <\/li>\n\n\n\n<li>Due to Packet Tracer&#8217;s limitations, we configured trust on the individual physical uplink interfaces. However, in real deployments, you must configure trust on the port-channel interface to ensure proper operation and avoid potential connectivity issues.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"422\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-18.png\" alt=\"\" class=\"wp-image-384\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-18.png 591w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-18-300x214.png 300w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><figcaption class=\"wp-element-caption\">Can see which interfaces are being used.&nbsp;<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><strong>Note:<\/strong><\/em> it shows interface Fa0\/2 as only being in VLAN 20.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"334\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-84.png\" alt=\"\" class=\"wp-image-529\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-84.png 609w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-84-300x165.png 300w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Here, you can see the interface Fa0\/2 is also in VLAN80. 
<\/li>\n\n\n\n<li>The previous output listed only each port&#8217;s access VLAN; this view reports the port&#8217;s full switchport settings, which is why the voice VLAN (80) appears here too.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"378\" height=\"271\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-85.png\" alt=\"\" class=\"wp-image-530\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-85.png 378w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-85-300x215.png 300w\" sizes=\"auto, (max-width: 378px) 100vw, 378px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configuration for the AP trunk link!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"630\" height=\"271\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-20.png\" alt=\"\" class=\"wp-image-386\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-20.png 630w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-20-300x129.png 300w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We placed all unused ports into the blackhole VLAN (VLAN999) and then disabled them for defense in depth. <\/li>\n\n\n\n<li>We used a blackhole VLAN so that if a bad actor somehow gains access to the switch and enables a port, they land in a completely isolated network with no gateway.<\/li>\n\n\n\n<li>This is configured only on the access switches connected to end hosts and where less-trusted devices connect. 
<\/li>\n\n\n\n<li>Our infrastructure switches (including those connected to the internal servers and the DMZ) typically don&#8217;t require this defense tactic because:\n<ul class=\"wp-block-list\">\n<li>These switches are located in extremely secured areas (locked server rooms, data centers) where physical access is strictly controlled and monitored.<\/li>\n\n\n\n<li>All ports on these switches serve specific infrastructure purposes.<\/li>\n\n\n\n<li>Even so, shutting down a port that is genuinely unused costs nothing, so it remains the safer default; physical security lowers the risk but does not remove it.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Etherchannel<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><em>Access to Distribution Switches<\/em><\/strong><\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"85\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-21.png\" alt=\"\" class=\"wp-image-387\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-21.png 471w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-21-300x54.png 300w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured an LACP EtherChannel (<strong>channel-group mode active<\/strong>) to Distribution-SW 1 from two different interfaces on ASW-1.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"531\" height=\"90\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-22.png\" alt=\"\" class=\"wp-image-388\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-22.png 531w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-22-300x51.png 300w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured the EtherChannel as a trunk and tried to specify 802.1Q as the tagging protocol. 
Switch did not support this command because it only supports 802.1Q &#8211; ISL deprecated.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"83\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-23.png\" alt=\"\" class=\"wp-image-389\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-23.png 582w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-23-300x43.png 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trunk link configured with security in mind&nbsp;and native VLAN specified.\n<ul class=\"wp-block-list\">\n<li>Configure native VLAN to an unused VLAN for maximum security.<\/li>\n\n\n\n<li>Only allow the VLANs directly connected to the switches and for management.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong><em> Distribution to Access Switches<\/em><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"638\" height=\"68\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-24.png\" alt=\"\" class=\"wp-image-390\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-24.png 638w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-24-300x32.png 300w\" sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Highlighting the topic before, the distribution switch <strong>required<\/strong> me to specify if I am using 802.1Q.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"544\" height=\"140\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-25.png\" alt=\"\" class=\"wp-image-391\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-25.png 544w, 
https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-25-300x77.png 300w\" sizes=\"auto, (max-width: 544px) 100vw, 544px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Complete configuration for each Etherchannel link to the access switches from the Distribution switches.\n<ul class=\"wp-block-list\">\n<li><strong><em>Note<\/em><\/strong>: Only allow the same VLANs that are located on the access switch for security.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"53\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-26.png\" alt=\"\" class=\"wp-image-392\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-26.png 669w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-26-300x24.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remember: <strong>confirm<\/strong> that the native VLAN is the <strong>same<\/strong> on both ends of the trunk link. 
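The access-switch port roles, Layer 2 protections, blackhole VLAN and LACP uplink from the Access Switch Port Configuration, Layer 2 Security and EtherChannel sections, written out end to end for one switch together with the matching distribution side. This is an added example, not the lab's own configuration; the switch models, port numbers and VLAN numbers are assumed: ASW-1 is a 2960-class Layer 2 switch with Fa0/1-24 and uplinks Gi0/1-2, DSW-1 is a Layer 3 switch with Gi1/0/1-2, and VLAN 10 is management, 20 Finance data, 80 voice, 50 wireless data, 150 AP management, 999 blackhole.

```cisco
! ===== ASW-1 (Layer 2 access switch; VLAN numbers and port roles assumed) =====
vlan 10
 name MANAGEMENT
vlan 20
 name FINANCE
vlan 50
 name WIRELESS-DATA
vlan 80
 name VOICE
vlan 150
 name AP-MGMT
vlan 999
 name BLACKHOLE
!
spanning-tree mode rapid-pvst
mls qos
! DHCP snooping and DAI on every user-facing VLAN; all ports start untrusted
ip dhcp snooping
ip dhcp snooping vlan 10,20,50,80,150
no ip dhcp snooping information option
ip arp inspection vlan 10,20,50,80,150
ip arp inspection validate src-mac dst-mac ip
!
! PC-only access port: one sticky MAC, violations dropped and logged
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
!
! PC behind an IP phone: voice VLAN, two MACs, trust the phone's CoS marking
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 80
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
!
! Access point: 802.1Q trunk, AP-management VLAN native (as in the lab), PortFast for trunks
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 150
 switchport trunk allowed vlan 50,150
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Unused ports: blackhole VLAN, then shut down
interface range FastEthernet0/4 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! LACP uplink to DSW-1; trunk, allowed-VLAN and trust settings go on the Port-channel
interface range GigabitEthernet0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50,80,150
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== DSW-1 side (Layer 3 switch: encapsulation must be stated before 'mode trunk') =====
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50,80,150
 switchport nonegotiate
```

`show etherchannel summary` should list `Po1(SU)` with `Gi0/1(P) Gi0/2(P)`; `show interfaces trunk`, `show ip dhcp snooping`, `show ip arp inspection interfaces` and `show port-security interface fa0/2` confirm the rest. Two details matter for security: the native VLAN 999 is deliberately absent from the allowed list, so untagged frames on the trunk are dropped rather than landing in a live VLAN (this closes the double-tagging VLAN-hopping trick), and `switchport nonegotiate` turns DTP off so a host cannot negotiate a port into a trunk. If the native VLAN differs on the two ends, CDP logs a native VLAN mismatch and Rapid-PVST+ blocks the affected VLANs on that link, which is the error the bullet above warns about.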
Received this error before I could configure the other side of the link.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"599\" height=\"258\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-27.png\" alt=\"\" class=\"wp-image-393\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-27.png 599w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-27-300x129.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use &#8216;<strong><code>show etherchannel summary<\/code>&#8216; <\/strong>after each EtherChannel configuration to verify:\n<ul class=\"wp-block-list\">\n<li>Port status showing &#8220;<strong>P&#8221;<\/strong> which indicates that the port is bundled in the port-channel.<\/li>\n\n\n\n<li>Flags showing <strong>&#8220;SU<\/strong>&#8221; (Layer 2) or &#8220;<strong>RU<\/strong>&#8221; (Layer 3).<\/li>\n\n\n\n<li>All member ports are listed under the correct port-channel.<\/li>\n\n\n\n<li>One misconfigured parameter (speed, duplex, VLAN, mode) on any member interface will prevent the bundle from forming.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"461\" height=\"136\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-28.png\" alt=\"\" class=\"wp-image-394\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-28.png 461w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-28-300x89.png 300w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>With \u201c<strong>show running-config\u201d<\/strong> you can obtain trunk configurations for the Etherchannel links!<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><em>Distribution to Distribution Switch<\/em><\/strong><\/h4>\n\n\n\n<div 
class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>EtherChannels can be configured as either Layer 2 (trunk) or Layer 3 (routed) links.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>However, in our topology it has to be a Layer 2 trunk because:\n<ul class=\"wp-block-list\">\n<li>VLANs need to span both distribution switches for HSRP to function.<\/li>\n\n\n\n<li>SVIs on both switches provide redundant default gateways for each VLAN.<\/li>\n\n\n\n<li>Layer 2 connectivity ensures seamless failover between the two distribution switches.<\/li>\n\n\n\n<li>VLANs must bridge across this link to maintain the same broadcast domain on both sides.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"390\" height=\"50\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-29.png\" alt=\"\" class=\"wp-image-395\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-29.png 390w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-29-300x38.png 300w\" sizes=\"auto, (max-width: 390px) 100vw, 390px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"610\" height=\"119\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-30.png\" alt=\"\" class=\"wp-image-396\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-30.png 610w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-30-300x59.png 300w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Similar configuration to the EtherChannel links between our access and distribution switches, the only difference being that we allow <strong>all<\/strong> VLANs currently in use across our entire 
network.<\/li>\n<\/ul>\n\n\n\n<p>Now, all of our links have increased throughput and bandwidth! To maximize our redundant topology we&#8217;ll need to configure Rapid Per-VLAN Spanning Tree Plus. <strong>Note<\/strong>: This is Cisco proprietary &#8211; in a multi-vendor environment, you&#8217;d use Multiple Spanning Tree Protocol (MSTP). <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rapid Per-VLAN Spanning Tree+ is a protocol used to block redundant Layer 2 links to avoid broadcast storms, loops and MAC table instability. <\/li>\n\n\n\n<li>Using Rapid-PVST+ instead of PVST because it reduces the convergence time from 50 seconds in traditional STP to 1-6 seconds whenever the topology changes. <\/li>\n\n\n\n<li>Using the Per-VLAN variant because it runs a separate spanning tree instance for each VLAN, enabling per-VLAN load balancing.\n<ul class=\"wp-block-list\">\n<li>Without Per-VLAN instances, an entire EtherChannel trunk on each switch would be blocked by STP because it is redundant.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Rapid-PVST+<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"271\" height=\"46\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-32.png\" alt=\"\" class=\"wp-image-402\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>From our <strong>&#8216;show running-config&#8217; <\/strong>output, we see that the switch is currently running regular PVST.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"344\" height=\"48\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-33.png\" alt=\"\" class=\"wp-image-403\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-33.png 344w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-33-300x42.png 300w\" sizes=\"auto, (max-width: 344px) 100vw, 344px\" \/><\/figure>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Rapid PVST+ load balancing is achieved by designating different root bridges for each VLAN. Each VLAN uses the path toward its designated root bridge as its primary forwarding path, which distributes traffic across both EtherChannel uplinks and ensures that no link is blocked entirely by STP.\n<ul class=\"wp-block-list\">\n<li>Configuration: \n<ul class=\"wp-block-list\">\n<li>Distribution Switch 1 will be our root bridge for VLANs 10, 20, 30, 40, 150 and 90.<\/li>\n\n\n\n<li>Distribution Switch 2 will be our root bridge for VLANs 50, 60, 70, 80 and 199.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Note<\/strong>: The Rapid PVST+ root bridge configuration mirrors our upcoming HSRP design for consistency and optimal traffic flow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Primary root bridge = HSRP<strong> active <\/strong>router (primary default gateway).<\/li>\n\n\n\n<li>Secondary root bridge = HSRP <strong>standby <\/strong>router (backup default gateway).<\/li>\n\n\n\n<li>This ensures that Layer 2 forwarding paths (STP) match Layer 3 forwarding paths (HSRP). Traffic flows along the same path, preventing suboptimal routing. 
<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"594\" height=\"330\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-34.png\" alt=\"\" class=\"wp-image-404\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-34.png 594w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-34-300x167.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is the output for <strong>\u201cshow spanning-tree\u201d<\/strong> on Distribution Switch 1 &#8211; the one we actually want to be the root bridge for in VLAN 10.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"611\" height=\"271\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-35.png\" alt=\"\" class=\"wp-image-405\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-35.png 611w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-35-300x133.png 300w\" sizes=\"auto, (max-width: 611px) 100vw, 611px\" \/><\/figure>\n\n\n\n<p>This is the output for Access Switch-1. This is what we can ascertain from these screenshots:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ASW-1 is the root bridge for VLAN 10.\n<ul class=\"wp-block-list\">\n<li>You can confirm this because the Root ID \u201c<strong>address\u201d (MAC<\/strong>) is the same as the Bridge ID (local switch) in the second screenshot.<\/li>\n\n\n\n<li>You can also see all of the ports on ASW-1 are \u201c<strong>designated<\/strong>\u201d which signifies that they are all forwarding (due to being the root bridge). DSW-1 has a root port (which also forwards) but not all ports are labeled as designated.  
Only root bridges have all ports designated.<\/li>\n\n\n\n<li>With all of the switches using the default priority of 32778 for VLAN 10, the root bridge election used the MAC address as the tiebreaker. ASW-1 became the root bridge because it has the lowest MAC address.<\/li>\n\n\n\n<li>You can configure the priority value to break the tie so the switches do not have to rely on MAC addresses, which is what we&#8217;ll use to configure our root bridges for each VLAN.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"519\" height=\"205\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-36.png\" alt=\"\" class=\"wp-image-406\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-36.png 519w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-36-300x118.png 300w\" sizes=\"auto, (max-width: 519px) 100vw, 519px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DSW-1 is now the root bridge in the VLANs we configured as <strong>\u201croot primary<\/strong>\u201d as well as being the secondary root bridge for all other VLANs.\n<ul class=\"wp-block-list\">\n<li>If DSW-2 fails, DSW-1 will automatically become the root bridge for those VLANs configured as <strong>\u201croot secondary\u201d<\/strong>.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"623\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-37.png\" alt=\"\" class=\"wp-image-407\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-37.png 657w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-37-300x284.png 300w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is the command output on ASW-1, the <strong>former<\/strong> root bridge.&nbsp;\n<ul 
class=\"wp-block-list\">\n<li>You can see the Root ID priority changed to a lower number to ensure DSW-1 becomes root. The MAC of the Root ID changed to DSW-1\u2019s MAC address.<\/li>\n\n\n\n<li>ASW-1 now has a Root port.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring IP Addresses<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"440\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189-1024x440.png\" alt=\"\" class=\"wp-image-1175\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189-1024x440.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189-300x129.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189-768x330.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189-1536x661.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-189.png 1658w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Here&#8217;s how we&#8217;ve configured IP addresses on the links connecting to the Internet:\n<ul class=\"wp-block-list\">\n<li>From the Distribution switches to the <strong>inside ports<\/strong> of the Edge routers, we&#8217;re using <strong>private IP addresses<\/strong>.<\/li>\n\n\n\n<li>On the <strong>outside facing ports<\/strong> of the Edge routers (towards our ISP), we&#8217;re using <strong>public IP addresses<\/strong> assigned by our ISP.\n<ul class=\"wp-block-list\">\n<li>These are the IP addresses that hosts on the Internet see as our source IP.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>We were only allocated <strong>4 public IPs<\/strong> from our ISP.<\/li>\n\n\n\n<li>The Edge routers will perform <strong>PAT <\/strong>for our internal network to allow hundreds or thousands of internal devices to share these 4 public IP addresses.\n<ul 
class=\"wp-block-list\">\n<li>Our routers will <strong>not<\/strong> perform PAT for our DMZ hosts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"486\" height=\"91\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-39.png\" alt=\"\" class=\"wp-image-410\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-39.png 486w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-39-300x56.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurations for the Distribution switches to the firewalls (<strong>data traffic<\/strong>).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"67\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-127.png\" alt=\"\" class=\"wp-image-648\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurations for the firewalls to the Distribution switches (<strong>data traffic<\/strong>).\n<ul class=\"wp-block-list\">\n<li>Security-level is 100 because this port connects downstream to our trusted private network.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"473\" height=\"103\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-42.png\" alt=\"\" class=\"wp-image-413\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-42.png 473w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-42-300x65.png 300w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurations from the firewall to the edge router.\n<ul class=\"wp-block-list\">\n<li>Security-level is 0 because we do <strong>not <\/strong>trust the Internet\/WAN side whatsoever, zero trust. 
<\/li>\n\n\n\n<li>The command might seem redundant (since 0 is the default for interfaces named &#8216;outside&#8217;) but it doesn&#8217;t hurt to explicitly confirm the security level is set to 0!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"438\" height=\"98\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-201.png\" alt=\"\" class=\"wp-image-1480\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-201.png 438w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-201-300x67.png 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configuration for the firewall to the DMZ.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"387\" height=\"66\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-43.png\" alt=\"\" class=\"wp-image-414\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-43.png 387w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-43-300x51.png 300w\" sizes=\"auto, (max-width: 387px) 100vw, 387px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurations for the edge routers to the firewalls.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"537\" height=\"63\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-128.png\" alt=\"\" class=\"wp-image-650\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-128.png 537w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-128-300x35.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurations for the edge routers to ISP routers.\n<ul class=\"wp-block-list\">\n<li>These IP addresses on our ISP-facing interfaces 
will be used as the translated addresses for PAT from our internal private networks. They are:\n<ul class=\"wp-block-list\">\n<li>105.100.50.5<\/li>\n\n\n\n<li>105.100.50.1<\/li>\n\n\n\n<li>197.200.100.5<\/li>\n\n\n\n<li>197.200.100.1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Static IPs<\/h3>\n\n\n\n<p>All of our internal servers, WLC and DMZ servers will have their own static IPs &#8211; will not be using DHCP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"730\" height=\"633\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-45.png\" alt=\"\" class=\"wp-image-416\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-45.png 730w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-45-300x260.png 300w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DHCP server static IP.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"579\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-62.png\" alt=\"\" class=\"wp-image-435\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-62.png 752w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-62-300x231.png 300w\" sizes=\"auto, (max-width: 752px) 100vw, 752px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Static IP configuration for our WLC. 
<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Redundant VLAN Gateways &#8211; HSRP<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"527\" height=\"76\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-46.png\" alt=\"\" class=\"wp-image-418\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-46.png 527w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-46-300x43.png 300w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We are mirroring our HSRP configuration the same way we configured R-PVST+. If DSW-1 was the root bridge for VLAN20, it would be the active default gateway for VLAN20. DSW-2 would be the standby gateway.\n<ul class=\"wp-block-list\">\n<li>The IP address \u201c172.16.20.2\u201d is the address we could use to SSH in and manage the switch remotely.<\/li>\n\n\n\n<li>The address \u201c172.16.20.1\u201d is the actual default gateway for all hosts in VLAN20 &#8211; both DSWs will use this same virtual IP.<\/li>\n\n\n\n<li>Increased the priority to 120 to ensure this switch is the active gateway, and enabled <strong>preempt<\/strong> so that if it fails and comes back, it takes over as the active gateway again (DSW-2 would take over while DSW-1 is down).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Same configuration for DSW-2, again modeled after how R-PVST+ was configured!<\/li>\n\n\n\n<li>No SVI created for native VLAN 199 because there are no actual hosts in this VLAN.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"93\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-47.png\" alt=\"\" class=\"wp-image-419\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-47.png 445w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-47-300x63.png 300w\" sizes=\"auto, (max-width: 
445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured \u2018<strong>helper-address\u2019<\/strong> on each SVI so that when hosts in each VLAN send out their DHCP broadcast message (DHCPDISCOVER), the DSW can forward these messages to our DHCP server as unicast packets, allowing the hosts to successfully obtain IP addresses when the DHCP server is located in a different VLAN!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"227\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-48.png\" alt=\"\" class=\"wp-image-420\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-48.png 605w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-48-300x113.png 300w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><figcaption class=\"wp-element-caption\">Confirm your HSRP configurations with the command &#8216;<strong>show standby brief&#8217;<\/strong>!<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring the DHCP server<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"506\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-50.png\" alt=\"\" class=\"wp-image-423\" style=\"width:693px;height:auto\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-50.png 693w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-50-300x219.png 300w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DHCP pool for VLAN20.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"705\" height=\"534\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-51.png\" alt=\"\" class=\"wp-image-424\" 
srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-51.png 705w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-51-300x227.png 300w\" sizes=\"auto, (max-width: 705px) 100vw, 705px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Our PC connected to ASW-1 in VLAN 20 (LAN) received its DHCP IP address!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"737\" height=\"721\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-52.png\" alt=\"\" class=\"wp-image-425\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-52.png 737w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-52-300x293.png 300w\" sizes=\"auto, (max-width: 737px) 100vw, 737px\" \/><\/figure>\n\n\n\n<p>DHCP Scope for our Wireless Access Points:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensuring our WAPs get their IP addresses from this scope. This is <strong>not<\/strong> the scope for wireless clients sending data traffic. <\/li>\n\n\n\n<li>Default gateway is the SVI we configured on the Distribution switches. <\/li>\n\n\n\n<li>The WLC IP address is configured here so that our DHCP server sends Option 43 to our APs, allowing them to form their CAPWAP tunnels to the WLC.\n<ul class=\"wp-block-list\">\n<li>Lightweight APs (which is what we are using) need to form CAPWAP tunnels to a WLC to pass management traffic.<\/li>\n\n\n\n<li>Additionally, as our APs are using <strong>local<\/strong> mode and <strong>not <\/strong>FlexConnect, they also have to forward <strong>all <\/strong>data traffic to the WLC through the CAPWAP tunnel before it reaches the wired network.<\/li>\n\n\n\n<li>We can configure our APs in the WLC to use FlexConnect instead once the CAPWAP tunnel is formed. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"701\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-53.png\" alt=\"\" class=\"wp-image-426\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-53.png 834w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-53-300x252.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-53-768x646.png 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DHCP pool for one of the WLANs.&nbsp;\n<ul class=\"wp-block-list\">\n<li>This <strong>is<\/strong> for wireless clients.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>No WLC address configured.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring OSPF and Static Routes<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"516\" height=\"106\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-54.png\" alt=\"\" class=\"wp-image-427\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-54.png 516w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-54-300x62.png 300w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><em>OSPF Configuration on Distribution Switch:<\/em><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OSPF process ID (<strong>10)<\/strong> does <strong>not<\/strong> have to be unique across all devices &#8211; it&#8217;s only locally significant.<\/li>\n\n\n\n<li>Router ID <strong><em>MUST<\/em><\/strong> be unique per device!<\/li>\n\n\n\n<li>Advertising all of our directly connected networks on each network device: <\/li>\n\n\n\n<li>For the Distribution Switches:\n<ul class=\"wp-block-list\">\n<li>Links connected to the firewalls (Data only &#8211; <strong>not<\/strong> 
management!).<\/li>\n\n\n\n<li>Internal servers VLAN.<\/li>\n\n\n\n<li><strong>All<\/strong> LAN VLANs (user networks).<\/li>\n\n\n\n<li><strong>All <\/strong>WLAN VLANs (wireless networks).<\/li>\n\n\n\n<li>Not advertising the VoIP VLAN because all VoIP traffic is local: no external calls and no call manager in this project.<\/li>\n\n\n\n<li>The Management VLAN should stay isolated and not be advertised into routing protocols for security reasons. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>OSPF uses <strong>wildcard<\/strong> masks, which are the inverse of subnet masks!<\/li>\n\n\n\n<li>The areas configured on the connecting interfaces between OSPF neighbors <strong>MUST<\/strong> match.\n<ul class=\"wp-block-list\">\n<li>Therefore, if DSW1&#8217;s interface to FW1 is in Area 0, then FW1&#8217;s interface back to DSW1 must also be in Area 0. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"407\" height=\"131\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-169.png\" alt=\"\" class=\"wp-image-735\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-169.png 407w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-169-300x97.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-169-404x131.png 404w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Firewall operating systems do not <strong>require <\/strong>the mask to be a wildcard!&nbsp;<\/li>\n\n\n\n<li>These are the 5 direct links attached to the firewall (one being the DMZ).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"629\" height=\"370\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-56.png\" alt=\"\" class=\"wp-image-429\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-56.png 629w, 
https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-56-300x176.png 300w\" sizes=\"auto, (max-width: 629px) 100vw, 629px\" \/><figcaption class=\"wp-element-caption\">What you should be seeing as you configure!<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"474\" height=\"77\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-57.png\" alt=\"\" class=\"wp-image-430\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-57.png 474w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-57-300x49.png 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On the edge routers I created a <strong>static default route<\/strong> (administrative distance of 1 by default) pointing to the ISP\u2019s router interface as the next hop for all Internet traffic. For the redundant link, I created a <strong>floating static route<\/strong> to the backup ISP link with a higher AD (<strong>50)<\/strong>. If the primary link fails, traffic immediately starts flowing to the redundant link ensuring uninterrupted connectivity. 
<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"562\" height=\"80\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-170.png\" alt=\"\" class=\"wp-image-737\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-170.png 562w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-170-300x43.png 300w\" sizes=\"auto, (max-width: 562px) 100vw, 562px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Created the static route pointing to our DMZ web server with the firewall interface as the next-hop.\n<ul class=\"wp-block-list\">\n<li>Route uses the web server&#8217;s <strong>public IP address<\/strong> as the destination because that&#8217;s the IP address that will be present in packets arriving from the Internet. When external users connect to our web server, they use the public IP &#8211; the Edge Router needs to know how to route those packets to the firewall for NAT translation.<\/li>\n\n\n\n<li>Remember our edge routers are not performing PAT for our DMZ hosts. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"207\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-59.png\" alt=\"\" class=\"wp-image-432\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-59.png 616w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-59-300x101.png 300w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can see what OSPF adjacencies were established using the command <strong>&#8216;show ip ospf neighbor&#8217;.<\/strong><\/li>\n\n\n\n<li>On our DSW-2, we have neighbors now with our DSW1 and two firewalls.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"277\" height=\"99\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-60.png\" alt=\"\" class=\"wp-image-433\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t forget to <strong>advertise <\/strong>the default route to the Internet on the edge routers using <strong>&#8216;default-information originate&#8217;<\/strong> command in OSPF.\n<ul class=\"wp-block-list\">\n<li>Without this command, the Edge Routers know how to reach the Internet due to their static default routes to the ISP, but <strong>no one else <\/strong>in the network knows to use the Edge Routers for Internet-bound traffic.<\/li>\n\n\n\n<li>This command explicitly <strong>injects<\/strong> a default route into OSPF. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><em>Note: <\/em><\/strong>Some enterprises may decide <strong>not<\/strong> to create an OSPF adjacency between the firewall and the edge routers for security purposes: a dynamic adjacency across the perimeter lets a compromised or misconfigured edge router inject routes into the firewall and everything behind it. They use static routes on the firewall&#8217;s outside interface instead and handle failover between the two edge routers another way, for example with tracked static routes.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"594\" height=\"490\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-171.png\" alt=\"\" class=\"wp-image-739\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-171.png 594w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-171-300x247.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Look at some of the routes our DSW-2 learned through OSPF!\n<ul class=\"wp-block-list\">\n<li>The default routes to the edge routers are here with the code &#8220;O*E2&#8221;: it learned both pathways to the Internet.<\/li>\n\n\n\n<li>It also learned the path to the DMZ through FW-1.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>The last thing we need to configure is routes to our edge routers&#8217; loopback interfaces for remote management. We do not want to advertise these routes through OSPF: keeping the management addresses out of the dynamic routing table means only the devices that carry an explicit static route, namely those on the management path from the bastion host, can reach them at all. 
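<\/p>\n\n\n\n<p>As an added example (the editor&#8217;s, not configuration from the lab; the interface names, router-id and every address below are assumed for illustration), this is how the routing pieces just described fit together on one edge router in IOS CLI: the static default toward the ISP, the host route for the DMZ server&#8217;s public address via FW-1, the OSPF default origination, and a management loopback that OSPF never learns. The DSW-side static route at the end is the counterpart that gives the bastion host a path to that loopback.<\/p>\n\n\n\n
```cisco
! ===== Edge-Router-1 (IOS) =====
! Example configuration added by the editor; addresses and interface
! names are assumed and do not come from the lab.
!
! 1. Static default route toward the ISP. Only the edge routers have this.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 2. Host route for the DMZ web server's PUBLIC address, next hop = the
!    outside interface of FW-1. Internet clients address 203.0.113.80, so
!    the edge router must hand those packets to the firewall that holds
!    the static NAT; routing them anywhere else blackholes the server.
ip route 203.0.113.80 255.255.255.255 10.1.1.2
!
! 3. Management loopback. Deliberately outside every OSPF network
!    statement and never redistributed, so it shows up in no other
!    router's OSPF-learned table.
interface Loopback0
 description Management only
 ip address 10.255.255.1 255.255.255.255
!
! 4. Inside link toward FW-1. MD5 authentication is an addition beyond
!    the lab: the peer (FW-1) must carry the same key or no adjacency forms,
!    and a rogue device cannot inject routes without it.
interface GigabitEthernet0/0
 description Inside link toward FW-1
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 OspfK3y!
!
! 5. OSPF: speak only on the inside link and inject the default route.
!    Without default-information originate, DSW-1/DSW-2 and the firewalls
!    have no path to the Internet. Without the always keyword the default
!    is withdrawn as soon as this router loses its own default (ISP link
!    down), so the other edge router's default takes over instead of
!    this one attracting traffic into a dead end.
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.1.1.0 0.0.0.3 area 0
 area 0 authentication message-digest
 default-information originate
!
! ===== DSW-2 (IOS, Layer 3 switch) =====
! Static route to the management loopback via FW-1's inside interface
! (assumed 10.1.2.1). Only devices that carry a line like this can reach
! the loopback; it is never redistributed into OSPF.
ip route 10.255.255.1 255.255.255.255 10.1.2.1
```
\n\n\n\n<p>Verify with <code>show ip route<\/code> on DSW-2: the default should appear as O*E2 once per edge router, the DMZ route should be learned through FW-1 as the lab shows, and 10.255.255.1 should appear only as an S (static) entry, never as an O route. The passive-interface default and OSPF MD5 authentication go beyond what the lab configured; they stop any device on a non-routing segment from forming an adjacency and injecting routes.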
<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Wireless Configuration<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"557\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-61.png\" alt=\"\" class=\"wp-image-434\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-61.png 726w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-61-300x230.png 300w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Due to a Packet Tracer quirk, we are unable to configure our WLC through its console port, so we have to configure the WLC remotely through its HTTP(S) GUI.\n<ul class=\"wp-block-list\">\n<li>Realistically, you must first connect through the console port to configure a management IP address before you can reach the HTTPS GUI at all.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We will be using a bastion host to configure the WLC remotely. A hardened bastion host provides secure administrative access and minimizes the attack surface by funnelling all management connections through a single, secured entry point that can be patched, logged and monitored. 
This host will also be used to manage the rest of our network devices remotely.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"191\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-63.png\" alt=\"\" class=\"wp-image-436\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-63.png 445w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-63-300x129.png 300w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Able to ping the WLC from the bastion host!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"713\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-64.png\" alt=\"\" class=\"wp-image-437\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-64.png 720w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-64-300x297.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-64-150x150.png 150w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-64-75x75.png 75w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connecting to the WLC over HTTP and configuring it. Ideally we would use HTTPS on port 443: plain HTTP sends the administrator credentials and every configuration change in cleartext to anyone who can capture traffic on the management path, but Packet Tracer does not support HTTPS here. 
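<\/li>\n<\/ul>\n\n\n\n<p>An added example (the editor&#8217;s, not part of the lab) of the control that makes the bastion-host model hold on the IOS switches and routers it manages: if any host on the network can still open SSH or HTTP(S) sessions to a device, the bastion adds nothing. The bastion address 10.150.0.10 in management VLAN 150 is assumed.<\/p>\n\n\n\n
```cisco
! Management-plane restriction on an IOS switch or router (example added
! by the editor; the bastion host address 10.150.0.10 is assumed).
!
! Only the bastion host may open management sessions. Every other attempt
! is dropped and logged, which doubles as a cheap detection signal for
! lateral movement toward the management plane.
ip access-list standard MGMT-HOSTS
 permit host 10.150.0.10
 deny   any log
!
! The same policy as a numbered standard ACL, because ip http access-class
! on older IOS releases accepts only an ACL number in the range 1-99.
access-list 10 permit host 10.150.0.10
access-list 10 deny   any log
!
! VTY lines: SSH version 2 only, no Telnet, short idle timeout, and local
! accounts as the lab already uses on the console.
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 3 0
 login local
!
! Web UI: serve HTTPS only, and only to the bastion. If the device needs
! no web UI at all, leave both servers disabled.
no ip http server
ip http secure-server
ip http access-class 10
!
! Checks:
!   ssh from the bastion succeeds; ssh from any other host is refused
!   show access-lists MGMT-HOSTS  -> the deny counter grows on refused attempts
!   show ip ssh                   -> SSH Enabled - version 2.0
```
\n\n\n\n<ul class=\"wp-block-list\">\n<li>On the WLC itself the equivalent control is a CPU ACL applied to the management interface that permits only the bastion (AireOS: Security &gt; Access Control Lists &gt; CPU Access Control Lists).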
<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"639\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-65.png\" alt=\"\" class=\"wp-image-439\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-65.png 744w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-65-300x258.png 300w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"558\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-1024x558.png\" alt=\"\" class=\"wp-image-440\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-1024x558.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-300x164.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-768x419.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-1536x837.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66-1140x621.png 1140w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-66.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Configuring the WLC.<\/figcaption><\/figure>\n\n\n\n<p>Configuring the Management interface on the WLC:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"655\" height=\"607\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-73.png\" alt=\"\" class=\"wp-image-447\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-73.png 655w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-73-300x278.png 300w\" sizes=\"auto, (max-width: 655px) 100vw, 655px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In a real environment, the VLAN identifier for the management 
interface on the WLC would be the VLAN it is located in, which is VLAN 150 in our network.\n<ul class=\"wp-block-list\">\n<li>After repeated experiments, this proved not to be feasible in Packet Tracer: a well-known PT software bug breaks WLC connectivity once you change its management VLAN. Therefore we are leaving the WLC management VLAN at 0 <strong>(untagged)<\/strong> and setting <strong>native VLAN 150<\/strong> on the trunk ports facing the WLC and the APs, so management traffic stays untagged end to end. Untagged management traffic makes the native VLAN security-relevant: it must match on both ends of each trunk, it must not be VLAN 1, and no user-facing access port should be placed in VLAN 150, otherwise a client could reach the WLC management plane directly or use the native VLAN for double-tagging (VLAN hopping).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"371\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-67.png\" alt=\"\" class=\"wp-image-441\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-67.png 783w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-67-300x142.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-67-768x364.png 768w\" sizes=\"auto, (max-width: 783px) 100vw, 783px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating the dynamic interfaces that map the WLANs to their respective VLANs.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"784\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-68.png\" alt=\"\" class=\"wp-image-442\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-68.png 591w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-68-226x300.png 226w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/figure>\n\n\n\n<p>Configure the information necessary for the interface.<br>Don\u2019t check \u201c<strong>Enable Dynamic AP Management\u201d<\/strong>, as our Management Interface is already providing that service.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In a production network with many APs, 
these roles would be separated across different interfaces for better scalability and performance.<\/li>\n\n\n\n<li><strong>Management Interface<\/strong>: handles initial AP discovery and provides administrative access to the WLC (SSH or HTTPS) as its primary management IP address. With &#8220;Enable Dynamic AP Management&#8221; checked, as here, it also takes on the AP-manager role. <\/li>\n\n\n\n<li><strong>AP-Manager Interface<\/strong>: sources and terminates the CAPWAP tunnels once the APs have joined, so all ongoing CAPWAP control and data traffic flows through it.<\/li>\n\n\n\n<li>You can have multiple AP-Manager interfaces to load-balance a large deployment of APs. \n<ul class=\"wp-block-list\">\n<li>Better scaling for environments with hundreds of APs. <br><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"927\" height=\"492\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-69.png\" alt=\"\" class=\"wp-image-443\" style=\"width:627px;height:auto\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-69.png 927w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-69-300x159.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-69-768x408.png 768w\" sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we&#8217;re creating the actual <strong>WLAN (wireless network)<\/strong> that clients will see and connect to. 
This is where we configure the <strong>SSID<\/strong> (the network name users see when they search for Wi-Fi), along with the security settings and the VLAN mapping.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"712\" height=\"448\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-70.png\" alt=\"\" class=\"wp-image-444\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-70.png 712w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-70-300x189.png 300w\" sizes=\"auto, (max-width: 712px) 100vw, 712px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enabled. Ensure it\u2019s <strong>mapped to the dynamic interface<\/strong> just created.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"452\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-71-1024x452.png\" alt=\"\" class=\"wp-image-445\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-71-1024x452.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-71-300x132.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-71-768x339.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-71.png 1056w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"292\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-72.png\" alt=\"\" class=\"wp-image-446\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-72.png 618w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-72-300x142.png 300w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using WPA2-PSK, although this is only the third-best option offered here for 
security.\n<ul class=\"wp-block-list\">\n<li>We cannot use either of the 802.1X options (which are superior: each user authenticates with individual credentials that can be revoked, rather than one shared passphrase that leaves with every departing employee) because we did not configure a RADIUS server.<\/li>\n\n\n\n<li>Static WEP should never be used, as it is trivially cracked, and CKIP is deprecated. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Since we have no RADIUS server, WPA3-Personal would be the best choice: Simultaneous Authentication of Equals (SAE) replaces the WPA2 four-way handshake, whose capture allows an offline dictionary attack on the passphrase, and Protected Management Frames are mandatory, which defeats deauthentication spoofing.<\/li>\n\n\n\n<li>AES (CCMP) is vastly superior to TKIP.\n<ul class=\"wp-block-list\">\n<li>WPA2 allowed TKIP for backwards compatibility, but it should never be enabled due to known vulnerabilities. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>The next things to configure are AP Groups. Here we dictate which SSIDs each AP broadcasts: we do not want the AP for the HR and IT departments to broadcast the WiFi for the Finance department!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202-1024x564.png\" alt=\"\" class=\"wp-image-1485\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202-1024x564.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202-300x165.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202-768x423.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202-1536x846.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-202.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Created AP Groups to organize access points and control which SSIDs they broadcast.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"385\" 
src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203-1024x385.png\" alt=\"\" class=\"wp-image-1486\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203-1024x385.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203-300x113.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203-768x289.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203-1536x578.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-203.png 1711w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configuring the <strong>&#8216;FIN.MARK&#8217;<\/strong> AP group with the &#8216;<strong>Finance.Marketing<\/strong>&#8216; SSID enabled, restricting member APs to broadcast only this SSID.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"446\" height=\"372\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-204.png\" alt=\"\" class=\"wp-image-1487\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-204.png 446w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-204-300x250.png 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensuring that the AP located in the Finance and Marketing Department is joined into the <strong>FIN.MARK<\/strong> AP Group.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"707\" height=\"170\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-74.png\" alt=\"\" class=\"wp-image-448\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-74.png 707w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-74-300x72.png 300w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/figure>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Our AP in the Finance\/Marketing Department established the CAPWAP tunnel to our WLC!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"577\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-75.png\" alt=\"\" class=\"wp-image-449\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-75.png 880w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-75-300x197.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-75-768x504.png 768w\" sizes=\"auto, (max-width: 880px) 100vw, 880px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user\u2019s laptop is able to connect to the WiFi and obtain an IP address from the DHCP server, demonstrating seamless integration between the wireless and wired networks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">PAT Configuration<\/h3>\n\n\n\n<p>PAT will be implemented at our Edge Routers (for non-DMZ traffic) for the following reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We want the firewall to focus solely on security filtering and policy enforcement while the Edge Routers handle address translation and ISP connectivity; separating the duties keeps each device optimized for its primary role. <\/li>\n\n\n\n<li>Firewall-1 will still perform NAT for all DMZ traffic, but offloading internal-user PAT to the edge routers reduces the firewall&#8217;s processing burden. This preserves firewall resources for intensive security features such as deep packet inspection, the intrusion prevention system and the other security functions the firewall performs to keep our network safe. \n<ul class=\"wp-block-list\">\n<li>FW-1 performs <strong>static<\/strong> NAT for our DMZ servers because connections to them are initiated from the Internet: PAT only creates a translation entry when a session starts on the inside, so an unsolicited inbound SYN to the web server would find no entry to match. A static one-to-one mapping gives the server a fixed, predictable public address instead. 
The server itself distinguishes its many clients by the full <strong>socket<\/strong> 4-tuple (client IP and port, server IP and port), so thousands of users can connect to the same destination port at once without any port translation on the server side. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Consolidating routing and PAT at the network perimeter simplifies configuration and provides a single point of management for Internet-facing connectivity. <\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"358\" height=\"96\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-76.png\" alt=\"\" class=\"wp-image-450\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-76.png 358w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-76-300x80.png 300w\" sizes=\"auto, (max-width: 358px) 100vw, 358px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define which interfaces face inside (the LANs) and outside (the WAN) on our edge routers.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"486\" height=\"71\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-77.png\" alt=\"\" class=\"wp-image-451\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-77.png 486w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-77-300x44.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Created an ACL that permits all of our LAN hosts.\n<ul class=\"wp-block-list\">\n<li><strong><em>Note<\/em><\/strong>: This is a <strong>NAT identification ACL<\/strong>, not a security ACL. 
It does not block traffic; it simply tells the router which source IP addresses should be translated via PAT.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"525\" height=\"117\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-162.png\" alt=\"\" class=\"wp-image-719\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-162.png 525w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-162-300x67.png 300w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured the router to reference &#8220;<strong>ACL 1<\/strong>&#8221; when performing PAT. When traffic from our internal LANs (that is, traffic &#8216;permitted&#8217; by ACL 1) exits through the outgoing interface, the router translates the source IP address to the <strong>public IP address configured on that outgoing interface<\/strong> and gives each session a unique source port.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"447\" height=\"222\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-163.png\" alt=\"\" class=\"wp-image-722\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-163.png 447w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-163-300x149.png 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using <strong>&#8220;tracert&#8221;<\/strong> we see that the ping from our host in VLAN 20 is unable to reach an Internet host: the trace stops at our firewall (10.2.2.2). <\/li>\n\n\n\n<li>Tracert only displays the last device that was able to respond, so the packets are being dropped at the firewall or at the hop just beyond it. 
The issue should lie with one of two causes:<\/li>\n\n\n\n<li>Either the firewall does not know how to route to the Internet (improbable, because we know it learned a default route through OSPF) or the return traffic is being blocked by the firewall. Let&#8217;s troubleshoot the second possibility:\n<ul class=\"wp-block-list\">\n<li>In a production firewall, <strong>stateful inspection<\/strong> automatically allows return traffic for established connections. On an ASA this covers ICMP only once <code>inspect icmp<\/code> is enabled, because ICMP carries no connection state of its own.<\/li>\n\n\n\n<li>In Packet Tracer, however, stateful inspection appears to be only partially implemented, so explicit ACLs may be needed to permit the return traffic coming from the Internet. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"434\" height=\"77\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-164.png\" alt=\"\" class=\"wp-image-726\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-164.png 434w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-164-300x53.png 300w\" sizes=\"auto, (max-width: 434px) 100vw, 434px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured the commands necessary to make the firewall inspect all ICMP traffic globally, which should let the ICMP echo replies back in now that those sessions are tracked statefully.\n<ul class=\"wp-block-list\">\n<li>However, the pings still failed. 
I removed the &#8220;stateful inspection&#8221; commands for ICMP so I could troubleshoot the ACLs and isolate the issue.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"122\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-165.png\" alt=\"\" class=\"wp-image-727\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-165.png 489w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-165-300x75.png 300w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configured ACLs on my LAN-facing and WAN-facing interfaces:<\/li>\n\n\n\n<li>For redundancy and resiliency: if the link between the two Distribution Switches fails, traffic has to flow from one DSW through a firewall to reach the other side of the network. However:\n<ul class=\"wp-block-list\">\n<li>Cisco ASA firewalls <strong>block<\/strong> traffic between interfaces with the <strong>same security level<\/strong> by default. The command that lifts this restriction (<code><strong>same-security-traffic permit inter-interface<\/strong><\/code>) is <strong>not<\/strong> supported in Packet Tracer, which is why we are also configuring explicit ACLs on the inside interfaces. On a real ASA the global command is what permits that path; the interface ACLs then decide which of the traffic on it is allowed.<\/li>\n\n\n\n<li>ACLs on the outside interfaces explicitly allow the return traffic (ICMP in this case). Stateful inspection should permit return traffic automatically when an internal host initiates the session, but that does not appear to work properly in Packet Tracer, so explicit ACLs are needed. In production, an outside ACL that admits ICMP should be limited to the reply types (echo-reply, unreachable, time-exceeded) rather than all of ICMP, since a blanket permit also lets in inbound echo requests for host discovery.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>NOTE: <\/strong>Remember that ACLs have an<strong> implicit deny<\/strong> <strong>any any<\/strong> at the end. In this scenario, <strong>all other<\/strong> traffic (HTTPS, SMTP) will be <strong>denied<\/strong>. 
This is a controlled, isolated project where we are simply testing basic connectivity between remote hosts using ping. In a production environment, you would add permit statements for every required protocol, scoped to the hosts that actually serve it. Additionally, to reiterate, stateful inspection would normally have handled the return traffic automatically. <\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"465\" height=\"165\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-166.png\" alt=\"\" class=\"wp-image-728\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-166.png 465w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-166-300x106.png 300w\" sizes=\"auto, (max-width: 465px) 100vw, 465px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>And the pings worked! After configuring the explicit ACLs, pings from our LAN hosts to Internet destinations are successful.<\/li>\n\n\n\n<li>After researching this issue, I discovered that firewalls within Packet Tracer do not properly implement stateful inspection. Therefore, on a real Cisco firewall, the class and policy maps we configured would have been sufficient to allow return traffic for established sessions.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"598\" height=\"94\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-167.png\" alt=\"\" class=\"wp-image-730\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-167.png 598w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-167-300x47.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We see PAT working on our Edge Router! <\/li>\n<\/ul>\n\n\n\n<p>The final thing we need to configure for NAT is static NAT on Firewall-1 for our public-facing servers in the DMZ. 
We want the firewall rather than the edge router to perform this function because:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It gives tighter control over the DMZ and keeps specialized NAT policies, such as static NAT for the public-facing servers, on the device that enforces the DMZ policy.<\/li>\n\n\n\n<li>We want to centralize all of our DMZ security on the firewall.<\/li>\n\n\n\n<li>We want complete session visibility: the firewall tracks the full NAT session, so its logs carry both the real and the translated addresses, which makes security event correlation for DMZ traffic straightforward. <\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"585\" height=\"112\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-172.png\" alt=\"\" class=\"wp-image-741\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-172.png 585w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-172-300x57.png 300w\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is how you configure static NAT on the firewall.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"557\" height=\"80\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-173.png\" alt=\"\" class=\"wp-image-743\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-173.png 557w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-173-300x43.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remember the earlier issue where we had to explicitly allow the return ICMP replies with an ACL, even though stateful inspection combined with the interface security levels should have been sufficient.\n<ul class=\"wp-block-list\">\n<li>Recall that we already configured ACLs permitting ICMP traffic on the interfaces facing the Internet and the LAN hosts. 
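<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>The two NAT roles described in this section side by side, as an added example (the editor&#8217;s configuration, not the lab&#8217;s; every interface name, security level and address is assumed): PAT for internal users on Edge-Router-1 in IOS, and static NAT for the DMZ web server on FW-1 in ASA syntax, together with the ICMP inspection and the outside ACL that the troubleshooting above turned on. The ASA half also shows what the Packet Tracer workarounds look like when done properly on a real ASA.<\/p>\n\n\n\n
```cisco
! ===== Edge-Router-1 (IOS): PAT for internal users =====
! Example added by the editor; interfaces and addresses are assumed.
interface GigabitEthernet0/0
 description Inside (toward FW-1 and the LANs)
 ip nat inside
interface GigabitEthernet0/1
 description Outside (ISP)
 ip nat outside
!
! NAT identification ACL: it only SELECTS which source addresses are
! translated. A source that does not match is forwarded untranslated, not
! dropped. The DMZ server never matches, because FW-1 has already rewritten
! its source to the public 203.0.113.80 before the packet reaches here.
access-list 1 remark PAT candidates = internal RFC 1918 space
access-list 1 permit 10.0.0.0 0.255.255.255
!
! overload = PAT: every matching session is rewritten to the outside
! interface address with a unique source port.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Checks: show ip nat translations (inside local:port to inside global:port)
!         show ip nat statistics   (ACL/interface binding and hit counters)

! ===== FW-1 (ASA): static NAT for the DMZ web server =====
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
! One-to-one mapping: inbound SYNs to 203.0.113.80 reach the server, and
! the server's own traffic leaves with 203.0.113.80 as source. PAT cannot
! do this, since it creates entries only for sessions that start inside.
object network DMZ-WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.80
!
! Inbound policy. On ASA 8.3 and later the ACL matches the REAL
! (untranslated) address, hence object DMZ-WEB. Expose only the services
! the server runs. Echo stays in for the lab's ping test only; the Packet
! Tracer permit-icmp-any-any workaround must not reach production.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit icmp any object DMZ-WEB echo
access-group OUTSIDE-IN in interface outside
!
! Stateful ICMP. Without inspect icmp an ASA treats every echo-reply as a
! new, unsolicited inbound packet; with it, replies to echoes sent from
! inside or dmz are matched to their session and need no outside ACL line.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Needed on a real ASA for the DSW-1 to DSW-2 detour through the firewall
! when both links share a security level (unsupported in Packet Tracer).
same-security-traffic permit inter-interface
!
! Checks: show xlate (the static entry), show conn (tracked sessions), and
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.80 443
! walks one simulated packet through the NAT and ACL lookups.
```
\n\n\n\n<ul class=\"wp-block-list\">\n<li>Why the edge router&#8217;s PAT rule cannot accidentally translate the DMZ server: the overload rule is keyed on the source address, and by the time the web server&#8217;s packets reach the edge router their source is already the public address, which is outside the 10.0.0.0\/8 range in ACL 1.\n<ul class=\"wp-block-list\">\n<li>The static entry is bidirectional, so if the DMZ server needs outbound access of its own (updates, DNS) that traffic also leaves FW-1 as 203.0.113.80 and likewise bypasses the router&#8217;s PAT.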
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"475\" height=\"159\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-174.png\" alt=\"\" class=\"wp-image-744\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-174.png 475w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-174-300x100.png 300w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A host in our private LAN can ping the DMZ server!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"464\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-175.png\" alt=\"\" class=\"wp-image-745\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-175.png 606w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-175-300x230.png 300w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Our Internet host beyond our ISP routers is able to ping our web server within our DMZ!<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">VoIP Configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What we&#8217;re going to configure on our Voice Gateway is the Call Manager functionality. In a typical enterprise deployment, the Voice Gateway would route external traffic to\/from the PSTN network (allowing external calling), while a separate Call Manager server would handle internal phone services. However, <strong>Packet Tracer does not simulate PSTN connectivity<\/strong>, so in this topology, we&#8217;re configuring the Voice Gateway to act solely as the Call Manager server.<\/li>\n\n\n\n<li>The Call Manager&#8217;s function is to assign extension numbers to internal phones as well as handle internal call routing. 
<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"467\" height=\"169\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-176.png\" alt=\"\" class=\"wp-image-747\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-176.png 467w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-176-300x109.png 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Begin by configuring the subinterface on the Voice Gateway connected to ASW4.\n<ul class=\"wp-block-list\">\n<li>Remember: all of our VoIP sits in a single VLAN, VLAN 80.<\/li>\n\n\n\n<li>Same commands as &#8220;router-on-a-stick&#8221;. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"207\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-177.png\" alt=\"\" class=\"wp-image-749\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-177.png 499w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-177-300x124.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating the DHCP pool from which our IP phones obtain the configuration they need for connectivity. <\/li>\n\n\n\n<li>Included options 66 and 150, which tell the IP phones where to find the TFTP server that serves their configuration files. \n<ul class=\"wp-block-list\">\n<li>Option 66 is the standard, vendor-neutral option: it carries a single TFTP server as a string, so a hostname can be used instead of an IP address (Packet Tracer does not support this, as seen above).<\/li>\n\n\n\n<li>Option 150 is Cisco-specific: it carries one or more TFTP server IP addresses, no hostnames. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"661\" height=\"244\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-180.png\" alt=\"\" class=\"wp-image-756\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-180.png 661w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-180-300x111.png 300w\" sizes=\"auto, (max-width: 661px) 100vw, 661px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mapping phone extensions to directories.\n<ul class=\"wp-block-list\">\n<li>For example: whichever IP phone gets assigned <strong>ephone-dn 1<\/strong> will have 303 as its primary extension.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"136\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-178.png\" alt=\"\" class=\"wp-image-752\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-178.png 608w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-178-300x67.png 300w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP phones first need to get on the network through DHCP before they can communicate at all and obtain their configuration files (downloaded from the TFTP server, as instructed by DHCP). Then, they need to register with a Call Manager to get an actual phone identity (an extension number).<\/li>\n\n\n\n<li>Therefore, we instruct our IP phones to communicate with our Voice Gateway router on port 2000 to register via SCCP\/SIP. \n<ul class=\"wp-block-list\">\n<li>Configured <strong>auto assign<\/strong> so whenever an IP phone contacts our CME for SCCP\/SIP registration, it is automatically assigned the next available extension number. 
<\/li>\n\n\n\n<li>The CME hands out extensions on a <strong>first come, first served<\/strong> basis &#8211; there is no way of guaranteeing that a specific phone obtains a specific extension number using this command. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"473\" height=\"109\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-199.png\" alt=\"\" class=\"wp-image-1474\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-199.png 473w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-199-300x69.png 300w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>However, you can bind the MAC address of the phone to a specific ephone-dn (directory) to guarantee that the phone receives that specific extension number. This is the method we&#8217;d typically use so we can group extension numbers by department and provide structure.<\/li>\n\n\n\n<li>The above commands display how you would configure this scenario. \n<ul class=\"wp-block-list\">\n<li>Here, ephone-1 (which has the MAC address configured above) is guaranteed to receive whatever extension is mapped to the directory of ephone-1. Additionally, the first button on the physical phone is mapped to extension 303 (the number mapped to <strong>ephone-dn 1<\/strong>).<\/li>\n\n\n\n<li>You must configure each ephone with the corresponding MAC address and button <strong>prior<\/strong> to powering on the phones, i.e. before the DHCP server gives them the necessary information. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"680\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-198.png\" alt=\"\" class=\"wp-image-1472\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-198.png 700w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-198-300x291.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>As you can see our IP phones have registered with the Call Manager and have obtained their extensions.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"468\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190-1024x468.png\" alt=\"\" class=\"wp-image-1179\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190-1024x468.png 1024w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190-300x137.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190-768x351.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190-1536x702.png 1536w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-190.png 1804w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Our first IP phone with the extension 303 is calling our second IP phone with the extension 304.\n<ul class=\"wp-block-list\">\n<li>Our VoIP configuration is complete!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"736\" src=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-205-1024x736.png\" alt=\"\" class=\"wp-image-1536\" srcset=\"https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-205-1024x736.png 1024w, 
https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-205-300x216.png 300w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-205-768x552.png 768w, https:\/\/carlostech.com\/wp-content\/uploads\/2025\/10\/image-205.png 1075w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>And this is our final network topology!<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/carlostech.com\/?page_id=1276\">Back to Projects<\/a><\/div>\n<\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This lab implements a collapsed-core enterprise network with emphasis on security, redundancy, and high availability. Key technologies include HSRP, EtherChannel, Rapid-PVST+, OSPF, stateful firewalls, a DMZ zone, wireless controller integration, and comprehensive Layer 2 security. 
&hellip; <\/p>\n<p><a href=\"https:\/\/carlostech.com\/?p=364\" class=\"awp-btn awp-btn-secondary awp-btn-bubble\"><span class=\"screen-reader-text\">Network Lab 3 &#8211; Advanced Security and Redundancy<\/span><i class=\"fa fa-arrow-right\"><\/i><span class=\"bubble_effect\"><span class=\"circle top-left\"><\/span><span class=\"circle top-left\"><\/span><span class=\"circle top-left\"><\/span><span class=\"button effect-button\"><\/span><span class=\"circle bottom-right\"><\/span><span class=\"circle bottom-right\"><\/span><span class=\"circle bottom-right\"><\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1536,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,13],"tags":[11],"class_list":["post-364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-home","category-network","tag-network"],"_links":{"self":[{"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/posts\/364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/carlostech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=364"}],"version-history":[{"count":300,"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/posts\/364\/revisions"}],"predecessor-version":[{"id":1542,"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/posts\/364\/revisions\/1542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/carlostech.com\/index.php?rest_route=\/wp\/v2\/media\/1536"}],"wp:attachment":[{"href":"https:\/\/carlostech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=364"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/carlostech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/carlostech.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}