Enterprise Network Lab
Step-by-step EVE-NG lab tutorial for a mid-sized organization (100–150 users). Build, configure, and master every concept hands-on with Cisco CLI, Active Directory, firewalls, and wireless segmentation.
Network Topology
Collapsed core/distribution design with a separate access layer (the classic three-tier model with the top two tiers merged)
🔷 Device Inventory
| Device | Model (Lab) | Role |
|---|---|---|
| CORE-RTR | Cisco ISR 4331 | Edge router, BGP/OSPF, WAN uplink |
| FW-01 | FortiGate 60F / ASA 5506-X | Perimeter firewall, NAT, VPN |
| CORE-SW | Cisco C3850-24T | Core L3 switch, inter-VLAN routing |
| DIST-SW1/2 | Cisco C2960X-48 | Distribution, VLAN trunking |
| ACC-SW1–4 | Cisco C2960-24 | Access layer, port security |
| WLC-01 | Cisco 3504 WLC | Wireless LAN controller |
| AP-01–06 | Cisco Aironet 2800 | Lightweight APs per floor |
| DC-01 | Windows Server 2022 | AD DS, DNS, DHCP |
| LNX-01 | Ubuntu 22.04 LTS | Syslog, monitoring, web |
📐 Design Decisions
- Collapsed Core/Distribution: For 150 users, a full 3-tier is overkill. Core-SW handles both L3 routing and distribution.
- Redundancy: Two distribution switches with HSRP for gateway failover. For any VLAN protected this way the gateway SVI lives on the DIST pair and the shared virtual IP is the address the VLAN table lists under Gateway; that address must not also be configured on a CORE-SW SVI.
- Uplinks: 10G trunks between Core-SW and DIST switches; 1G to access.
- Management VLAN: Dedicated VLAN 99 for device management, SSH-only access. This is in-band on the switch fabric (a dedicated VLAN, not a physically separate out-of-band network), so the VLAN 99 SVI and the vty lines need an access list limiting who may connect.
- ISP Redundancy: Single ISP with static default route (upgrade to dual-ISP + BGP later).
🎯 Interview Insight
“We chose a collapsed core design because for 100-150 users, a full three-tier architecture adds unnecessary complexity and cost. The L3 core switch handles inter-VLAN routing via SVIs, eliminating the need for a separate distribution layer. This is a common design in mid-sized enterprises.”
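The design decisions above call for a management VLAN with SSH-only access and for logs to go to LNX-01, but the device-side configuration that enforces this is not shown. The following is an added example, not code from the original tutorial; it assumes CORE-SW is the device being hardened, that LNX-01 listens for syslog at 10.10.10.30 in the SERVERS VLAN, and that `netadmin` is a local account created for the lab. The `<strong-passphrase>` and `<key>` values are placeholders to fill in.

```cisco
! Management-plane hardening for a Cisco IOS switch in this lab (added example).
! Assumptions: this is CORE-SW, LNX-01 (syslog) is 10.10.10.30, 'netadmin' is
! an assumed local account; replace the <...> placeholders.
hostname CORE-SW
ip domain-name lab.local
!
! Local admin with a scrypt (type 9) secret; the enable secret guards privileged mode
username netadmin privilege 15 algorithm-type scrypt secret <strong-passphrase>
enable algorithm-type scrypt secret <strong-passphrase>
!
! SSHv2 only with a 2048-bit host key; Telnet, HTTP and HTTPS management disabled.
! Needs hostname and domain-name set first (above) before the key can be generated.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
!
! Slow down password guessing: 3 failures in 60 s blocks logins for 120 s
login block-for 120 attempts 3 within 60
!
! Only hosts in the MGMT VLAN may open a management session; log everything else
ip access-list standard MGMT-ONLY
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
!
line con 0
 login local
 exec-timeout 10 0
!
! Ship timestamped logs to LNX-01, sourced from the MGMT SVI so the
! collector sees one stable address per device
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging host 10.10.10.30
logging trap informational
logging source-interface vlan 99
!
! Authenticated time keeps log timestamps trustworthy (assumes LNX-01 serves NTP)
ntp server 10.10.10.30
```

Verify with `show ip ssh` (should report version 2.0), `show line vty 0 15` (transport input ssh), and from a STAFF host try `ssh netadmin@10.10.99.1`: the `deny any log` entry in MGMT-ONLY should produce a syslog line on LNX-01 rather than a login prompt. The same template applies to the DIST and access switches with their own hostnames.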
VLAN Design & IP Addressing
Segmented network with /24 subnets carved from 10.10.0.0/16
| VLAN ID | Name | Subnet | Gateway | DHCP Range | Purpose |
|---|---|---|---|---|---|
| 99 | MGMT | 10.10.99.0/24 | 10.10.99.1 | Static Only | Network device management |
| 10 | SERVERS | 10.10.10.0/24 | 10.10.10.1 | 10.10.10.20–50 | Production servers |
| 20 | STAFF | 10.10.20.0/24 | 10.10.20.1 | 10.10.20.10–200 | Employee workstations |
| 30 | VOICE | 10.10.30.0/24 | 10.10.30.1 | 10.10.30.10–100 | VoIP phones |
| 40 | GUEST | 10.10.40.0/24 | 10.10.40.1 | 10.10.40.10–200 | Guest wireless, internet-only |
| 50 | DMZ | 10.10.50.0/24 | 10.10.50.1 | Static Only | Public-facing services |
| 60 | WIFI-STAFF | 10.10.60.0/24 | 10.10.60.1 | 10.10.60.10–200 | Staff wireless devices |
🔧 VLAN Configuration — Core Switch (Cisco CLI)
```cisco
! Enable Layer 3 forwarding between SVIs (global command)
ip routing
!
! Create VLANs
vlan 10
 name SERVERS
vlan 20
 name STAFF
vlan 30
 name VOICE
vlan 40
 name GUEST
vlan 50
 name DMZ
vlan 60
 name WIFI-STAFF
vlan 99
 name MGMT
!
! SVIs (Layer 3 interfaces for each VLAN).
! "ip helper-address" relays DHCP broadcasts to DC-01 (10.10.10.20). Note that
! DC-01 sits at the start of the SERVERS DHCP range in the table above, so exclude
! 10.10.10.20 from that scope (or start the range higher) to avoid a conflict.
interface vlan 10
 description Server VLAN Gateway
 ip address 10.10.10.1 255.255.255.0
 ! DC-01 is local to this VLAN, so the helper is not required here; it is harmless
 ip helper-address 10.10.10.20
 no shutdown
!
interface vlan 20
 description Staff VLAN Gateway
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.10.20
 no shutdown
!
interface vlan 30
 description Voice VLAN Gateway
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.10.10.20
 no shutdown
!
interface vlan 40
 description Guest VLAN Gateway — Internet Only
 ip address 10.10.40.1 255.255.255.0
 ! Guests get leases from the internal DC; the guest ACL must permit that relay traffic
 ip helper-address 10.10.10.20
 no shutdown
!
interface vlan 50
 description DMZ Gateway
 ip address 10.10.50.1 255.255.255.0
 no shutdown
!
interface vlan 60
 description Staff Wireless Gateway
 ip address 10.10.60.1 255.255.255.0
 ip helper-address 10.10.10.20
 no shutdown
!
interface vlan 99
 description Management VLAN
 ip address 10.10.99.1 255.255.255.0
 no shutdown
```
🎯 Interview: Why this IP scheme?
Q: How did you decide on 10.10.x.0/24 subnets?
“We use RFC 1918 private addressing with a 10.10.0.0/16 supernet. Each VLAN gets a /24, supporting up to 254 hosts — more than enough for our 150-user org. The second octet (10) is our site ID, making it easy to expand to multi-site with 10.20.x.0 for a second site. VLAN IDs map to the third octet for easy troubleshooting — VLAN 20 lives in 10.10.20.0/24.”
Inter-VLAN Routing
Layer 3 switching with ACL-enforced isolation
Trunk Configuration (Cisco CLI)
```cisco
! CORE-SW (C3850): trunk to DIST-SW1.
! The native VLAN is a dummy that carries nothing. It must exist, and keeping it
! out of the allowed list means untagged frames arriving on the trunk are dropped
! (double-tagging / VLAN-hopping mitigation).
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/1
 description Trunk to DIST-SW1
 ! On platforms that still offer ISL the encapsulation must be set before
 ! "switchport mode trunk", otherwise the mode command is rejected. Omit this
 ! line on dot1q-only platforms such as the 3850, where it is not available.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Do not negotiate trunking with the neighbour (no DTP frames on the wire)
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,99
 no shutdown
!
! ACC-SW1 (C2960-24, FastEthernet user ports): access port for a staff PC
! daisy-chained behind an IP phone
interface FastEthernet0/1
 description Staff PC behind phone
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! Host port: skip STP listening/learning, and err-disable if a BPDU ever arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
```
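The inventory lists "port security" as the access-layer role but the access-port configuration above stops at PortFast and BPDU Guard. The block below is an added example, not part of the original tutorial, showing the rest of the Layer 2 hardening a practitioner would put on ACC-SW1: DHCP snooping (so a rogue DHCP server on a user port cannot hand out leases), Dynamic ARP Inspection and IP Source Guard (both built on the snooping binding table), and port security with automatic recovery. It assumes Gi0/1 is ACC-SW1's uplink trunk toward DIST-SW1, Fa0/1-24 are user ports, and DC-01 (10.10.10.20) is the only legitimate DHCP server.

```cisco
! ACC-SW1 (C2960-24): Layer 2 hardening for the STAFF/VOICE edge (added example).
! Assumptions: Gi0/1 is the uplink to DIST-SW1, Fa0/1-24 are user ports,
! DC-01 (10.10.10.20) is the only DHCP server.
!
! DHCP snooping: DHCP server messages (OFFER/ACK) are only accepted on trusted
! ports, and every lease seen builds a MAC/IP/VLAN/port binding.
ip dhcp snooping
ip dhcp snooping vlan 20,30
! The snooping switch would otherwise insert option 82 with giaddr 0.0.0.0,
! which the relay on CORE-SW drops unless told to trust it; simplest is not to insert it.
no ip dhcp snooping information option
!
! DAI drops ARP replies that contradict the binding table (gateway MITM);
! IP Source Guard (per port, below) drops IP packets from unknown source addresses.
ip arp inspection vlan 20,30
!
! Uplink: the only place DHCP server replies and unverified ARP may enter
interface GigabitEthernet0/1
 description Uplink to DIST-SW1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30,99
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: PC behind a phone. Maximum 3 MACs covers the phone in the voice
! VLAN, the same phone if it also appears in the data VLAN, and the PC.
! "restrict" drops offending frames and logs/traps without err-disabling the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let ports that were err-disabled by BPDU Guard or a port-security violation
! recover after 5 minutes instead of needing a manual shut/no shut
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To test it in the lab, plug a host running a DHCP server into any Fa0/x port: `show ip dhcp snooping statistics` should show its OFFERs being dropped while `show ip dhcp snooping binding` still fills from DC-01's leases. `show ip arp inspection statistics vlan 20` counts forged ARP replies, and `show port-security interface Fa0/1` shows the learned addresses and violation count. DHCP snooping needs to be enabled before DAI and IP Source Guard have a table to check against, so keep that ordering if you paste these in stages.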
HSRP Gateway Redundancy (Cisco CLI)
```cisco
! HSRP moves the VLAN 20 gateway (10.10.20.1) onto the DIST pair.
! Two things the bare snippet leaves implicit:
!  - 10.10.20.1 is also the physical address of CORE-SW's "interface vlan 20"
!    in the VLAN section above; remove it there, or the virtual IP and that SVI
!    will clash as a duplicate address on the same VLAN.
!  - the C2960X listed for DIST-SW1/2 is a Layer 2 platform and does not run
!    HSRP; in EVE-NG model the DIST pair on a Layer 3 switch image.
!
! DIST-SW1 (Active)
! Assumption: Gi1/0/24 is the uplink toward CORE-SW. Track object 1 has to be
! defined, otherwise "standby 20 track 1" follows nothing.
track 1 interface GigabitEthernet1/0/24 line-protocol
!
interface vlan 20
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
 ! Uplink down: 110 - 20 = 90, below the peer's 100
 standby 20 track 1 decrement 20
!
! DIST-SW2 (Standby)
interface vlan 20
 ip address 10.10.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 100
 ! Required: a standby only takes over on a priority change if it preempts.
 ! Without this line DIST-SW2 stays standby when DIST-SW1 drops to 90.
 ! (If DIST-SW1 dies outright, hello timeout makes DIST-SW2 active regardless.)
 standby 20 preempt
!
! Hardening: add "standby 20 authentication md5 key-string <key>" on both peers.
! Unauthenticated HSRP lets any host on VLAN 20 join the group with priority 255
! and become the gateway for the whole VLAN.
```
🎯 Interview: Why HSRP over VRRP?
“HSRP is Cisco-proprietary but our environment is 100% Cisco. HSRP v2 supports millisecond timers and works with IPv6. In a multi-vendor shop, I’d use VRRP (RFC 5798). We track the uplink interface — if the primary’s uplink fails, it decrements priority below the standby’s, triggering automatic failover.”
Guest VLAN Isolation ACL (Cisco CLI)
```cisco
! Applied inbound on the guest SVI, so it filters traffic FROM guests.
! The two-line version (deny 10.10.40/24 -> 10.10/16, permit any) silently breaks
! guest DHCP: DISCOVER/REQUEST arrive with source 0.0.0.0, match neither entry,
! and hit the implicit deny. Lease renewals are unicast to DC-01 and need the
! same hole, as does DNS if the DC is the resolver handed out by DHCP.
ip access-list extended GUEST-RESTRICT
 remark DHCP to the relay target DC-01 (broadcast discover and unicast renew)
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 10.10.10.20 eq bootps
 remark DNS to DC-01; point guests at a public resolver instead if they must never touch VLAN 10
 permit udp 10.10.40.0 0.0.0.255 host 10.10.10.20 eq domain
 remark No other private address space, not just this site's 10.10/16
 deny ip 10.10.40.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.10.40.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.10.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Internet only
 permit ip 10.10.40.0 0.0.0.255 any
!
interface vlan 40
 ip access-group GUEST-RESTRICT in
```

Check it with `show access-lists GUEST-RESTRICT` after a guest client boots: the two `bootps` entries should show match counts, and a `ping 10.10.10.20` from the guest should fail while name resolution and Internet access still work.
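The section title promises ACL-enforced isolation for every segment, but only the guest VLAN gets an ACL. The DMZ (VLAN 50) deserves one more than the guest VLAN does: in this topology the public-facing hosts hang off the core switch rather than a dedicated firewall interface, so an SVI ACL is the only thing between a compromised web server and the SERVERS, STAFF and MGMT VLANs. The following is an added example, not from the original tutorial, and it assumes DC-01 (10.10.10.20) is the resolver, LNX-01 is 10.10.10.30 (syslog and NTP), and administrators SSH into DMZ hosts from the MGMT VLAN. It also shows the one thing the guest ACL never had to deal with: because IOS ACLs are stateless, replies to admin sessions initiated from inside must be matched explicitly.

```cisco
! DMZ-RESTRICT: applied inbound on SVI 50, so it filters traffic FROM DMZ hosts
! (added example). Assumptions: DC-01 10.10.10.20 = DNS, LNX-01 10.10.10.30 =
! syslog/NTP, admin SSH originates from 10.10.99.0/24.
ip access-list extended DMZ-RESTRICT
 remark Return half of admin SSH sessions opened from MGMT. "established" matches
 remark only segments with ACK or RST set, so a DMZ host still cannot open a new
 remark connection toward MGMT.
 permit tcp 10.10.50.0 0.0.0.255 eq 22 10.10.99.0 0.0.0.255 established
 remark The only services a DMZ host may initiate toward the inside
 permit udp 10.10.50.0 0.0.0.255 host 10.10.10.20 eq domain
 permit udp 10.10.50.0 0.0.0.255 host 10.10.10.30 eq syslog
 permit udp 10.10.50.0 0.0.0.255 host 10.10.10.30 eq ntp
 remark Everything else toward private space is dropped and logged, so a pivot
 remark attempt from a compromised DMZ host shows up on LNX-01
 deny ip 10.10.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.10.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny ip 10.10.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark Internet-bound traffic (patching, replies to public clients) goes on to FW-01
 permit ip 10.10.50.0 0.0.0.255 any
!
interface vlan 50
 ip access-group DMZ-RESTRICT in
!
! Logged denies are punted to the CPU; cap the rate so a scan from the DMZ
! cannot turn into a control-plane DoS on the core switch
ip access-list logging interval 1000
logging rate-limit 10
```

Because the first entry relies on `established`, it permits any DMZ packet with ACK/RST set toward MGMT, including crafted ones; that is the accepted limitation of a stateless ACL and the reason the firewall, not the core switch, should own this boundary in production. In the lab, verify from a DMZ host that `ssh` to a STAFF address fails and generates a syslog entry, while an admin's SSH session from VLAN 99 into the DMZ host completes normally.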
