ICT802 Communication and Networks assignment help

ICT802 Communication and Networks Semester 2, 2025

Southern Cross Institute, Level 2, 1-3 Fitzwilliam Street, PARRAMATTA NSW 2150 & Level 1, 37 George Street PARRAMATTA NSW 2150 Tel: +61 2 9066 6902 Website: www.sci.edu.au TEQSA Provider No: PRV14353 CRICOS Provider No: 04078a

Assessment 3 – Network Simulation and Design Task

Submission Deadline: Sunday, 25 January 2026, 23.59pm (Week 6)

Total Assessment weighting – 40%

Purpose of this assessment

This assessment is designed to develop advanced student competency in the design, simulation, and validation of secure, scalable, and protocol-diverse network architectures suitable for enterprise and carrier-grade environments. It aims to deepen understanding of the interrelated roles of physical hardware, routing devices, switching technologies, network protocols, and software-defined configurations that enable high-availability data communication across Wide Area Networks (WANs) and multi-site infrastructures. Students will apply technical knowledge of multi-layered protocol stacks—including but not limited to IP, TCP, UDP, ICMP, BGP, OSPF, MPLS, GRE, IPsec, DHCP, DNSSEC, NAT/PAT, SNMP, and SSH—to configure, analyze, and harden distributed networks. Emphasis is placed on the deployment of fault-tolerant routing protocols, service delivery zones such as DMZs, firewall rulesets, address planning using VLSM, and dynamic routing convergence strategies for both internal and external domains.

The assessment encourages practical mastery of layered architectures (OSI and TCP/IP models), interface-level diagnostics, and secure transport technologies through simulation platforms like Cisco Packet Tracer and terminal-based administration via Kali Linux. Students will design and test redundant ISP-style topologies that reflect real-world operational environments, supporting clients, public-facing services, remote access tunnels, and inter-POP link integrity. Through hands-on engagement with routing tables, ACL policies, NAT configurations, VPN overlays, syslog management, and penetration testing outputs, students will learn to identify and resolve routing anomalies, misconfigured services, security gaps, and performance bottlenecks. The overall goal is to cultivate the ability to plan, configure, secure, troubleshoot, and document complex network infrastructures that align with modern ISP and enterprise expectations for uptime, segmentation, scalability, and layered defence.

Demonstrate achievement of these learning outcomes:

ULO1 Research and evaluate diverse protocols and layered architectures in computer network development.

ULO2 Examine various network components formulating recommendations and proposing changes to meet business requirements.

ULO3 Critique major challenges in network security and propose sustainable solutions fostering innovation independently and collaboratively.

ULO4 Develop advanced techniques for managing, documenting, and troubleshooting computer networks, showcasing proficiency in network administration.

Task description:

You are required to design, implement, test, secure, and document a complete computer network solution in response to a detailed organisational scenario. This assessment must be completed individually, and all submitted work must be your own. Collaboration is not permitted.

The task requires you to demonstrate advanced technical and analytical skills by producing a fully functional and secure simulated network using Cisco Packet Tracer for design and implementation and Kali Linux for diagnostics, testing, and security validation.

Your network design must address the following critical requirements:

  • Connectivity: End-to-end communication across all internal hosts, VLANs, and WAN links.
  • Addressing: Full hierarchical IP addressing scheme using VLSM, including internal subnets, loopback addresses, and public IP allocations for DMZ services.
  • Protocols: Implementation of advanced routing, security, and application protocols, including but not limited to BGP (internal and external), OSPF, IPsec VPN, NAT/PAT, VRRP/HSRP, DNS with DNSSEC, SMTP/IMAP, SNMP, Syslog, and SSH.
  • Segmentation: VLAN-based isolation of internal departments, external service zones, and client environments, with ACLs and firewall rules to enforce access control.
  • Security: Deployment of VPN gateways, ACLs, firewall policies, intrusion detection measures, and secure administration via SSH key-based authentication.
  • Availability and Redundancy: Failover design using redundant links, VRRP/HSRP, dynamic routing convergence, and simulated MPLS-style backbone overlays.
  • Testing and Validation: Use Kali Linux to perform connectivity checks, vulnerability scans (e.g., nmap), protocol validation (e.g., dig +dnssec, tcpdump), penetration testing (e.g., hydra, hping3), and log analysis.

Word count for the report:

Length: 3000 words (excluding reference list) (plus/minus 10%)

A suggested length guide for your assessment (you can change this to suit your report structure):

  • SCI Cover Page (Provided by the lecturer)
  • Executive summary (Approx. 100 words)
  • Table of contents
  • Introduction (Approx. 100 words)
  • Project Objectives (Approx. 100 words)
  • Network Requirements (Approx. 400 words)
  • Network Design (Approx. 1000 words)
    • Network topology
    • Network design diagrams
    • Hardware and software components
    • Security measures
  • Justification of Key Technologies (Approx. 700 words)
  • Network Implementation (Approx. 300 words)
  • Conclusion (Approx. 100 words)
  • References
  • Appendix
    • Testing/Troubleshooting guidelines (Approx. 200 words)

Submission format

Students will submit a single ZIP file through OASIS by the deadline. The file must contain all work completed for the project, properly organised and clearly named.

The submitted work must include evidence of real, hands-on networking tasks, showcasing the student's ability to design, configure, test, secure, and troubleshoot networks using appropriate tools and techniques.

The ZIP file should include:

– A clearly labelled network topology diagram saved in PNG or JPG format, providing a clear visual representation of the design.

– Screenshots of router, switch, and firewall configurations, including key commands, routing tables, VLAN configurations, ACLs (on both routers and firewalls), NAT settings, or other relevant outputs.

– Linux command outputs or screenshots showing networking tasks performed on a Linux system.

– A detailed PDF report (~3000 words) explaining the project solution, listing all included components, explaining design and implementation decisions, and briefly reflecting on lessons learned and how the work meets the unit's learning outcomes.

Include any of the following:

– A complete Cisco Packet Tracer or other simulation tool file showing the designed network topology, with all devices fully configured.

– Wireshark .pcap files showing packet captures and their analysis.

– Nmap scan results demonstrating host discovery and vulnerability assessment, submitted as either text files or annotated screenshots.

– VMware screenshots showing virtual machine settings, network configurations, and relevant snapshots if virtualisation was used.

This submission ensures students demonstrate applied, technical, and professional skills through authentic evidence of real-world tools and scenarios.

Citation and referencing (APA 7th edition)

The assignment should show evidence of research, with references from relevant academic journals. You should have at least ten different peer-reviewed academic articles and use them as the foundation for each part of your report. Do not use Wikipedia as a reference source. Unless it is a generic theory/model, cited publications must be within the past 10 years.

All citations and references must adhere to APA 7th edition referencing style. https://apastyle.apa.org/style-grammar-guidelines/references/examples

Please refer to the ICT802 Unit Assessment Guide for additional information.

Assessment submission

The submission link allows multiple attempts so that you can check text matching for unintended academic misconduct such as plagiarism or the use of artificial intelligence.

Based on the text-match report, revise your work as needed. Submit your revised work for course grading.

Assessment Submission Guidelines

Before the due date, each group is allowed three (3) submission attempts, providing an opportunity to check for unintended plagiarism using text-matching software. As a team, review the similarity report together, discuss any necessary revisions, and ensure your final submission reflects the original work. If the similarity score is 30% or higher, collaborate to revise the content before making your final submission, as high similarity may indicate academic misconduct.

Academic Integrity and Misconduct

Students must submit original work and uphold academic integrity at Southern Cross Institute (SCI). The Academic Integrity Policy and Procedure outlines the principles of academic honesty and details the consequences of misconduct, including plagiarism, recycling, fabricating information, collusion, cheating in examinations, contract cheating, artificial intelligence tools, dishonest behaviour etc. SCI utilises Turnitin to encourage proper citation practices and to detect potential academic misconduct.

Ethical Use of Generative Artificial Intelligence (GenAI) Tools

Refer to the Quick Guide for Students created by the Learning Support Team for best practices in using GenAI tools. While GenAI can assist with idea generation, structuring, and drafting, students must carefully review, paraphrase, and properly reference any AI-generated content if used. Overreliance on AI may raise academic integrity concerns such as fabricating information.

Creating a reference to ChatGPT or other AI models and software

As per American Psychological Association (2020), the reference and in-text citations for ChatGPT are formatted as follows:

OpenAI. (2023). ChatGPT (Mar 14 version) [Large language model]. https://chat.openai.com/chat

  • Parenthetical citation: (OpenAI, 2023)
  • Narrative citation: OpenAI (2023)

Note: Although here we focus on ChatGPT, these formats can be adapted to the use of other large language models (e.g., Bard), algorithms, and similar software.

All citations and references must adhere to APA 7th edition referencing style. https://apastyle.apa.org/style-grammar-guidelines/references/examples

Scenario Overview

ApexLink Networks is a rapidly expanding enterprise Internet Service Provider (ISP) and managed services provider headquartered in Sydney, New South Wales. Following several new multi-year contracts across government, education, and private sector clients, the organisation is undertaking a national infrastructure uplift to increase service capacity, improve resilience, and standardise security controls across all operational sites.

Sydney remains the central operations hub and primary data centre for the deployment. For the purposes of this assessment simulation, the Sydney facility is treated as a Tier II-aligned core site with Tier III-style operational expectations, including strong redundancy, strict segmentation, and hardened administrative access. Sydney hosts shared services used by all locations, including central DNS and DHCP, enterprise email services (SMTP and IMAP), remote access VPN gateways, and a dedicated DMZ for public-facing services such as web, proxy, and mail gateways. Canberra, Hobart, and Darwin operate as regional POPs that provide local connectivity, departmental access, and resilient regional continuity during partial outages or backbone instability.

The core objective is to deploy a secure, segmented, and highly available WAN that interconnects Sydney with Canberra, Hobart, and Darwin using an ISP-style multi-protocol architecture. Internal routing reachability and policy must be managed through OSPF for intra-domain routing and BGP for inter-POP propagation and external peering simulation. WAN transport is implemented as a simulated MPLS L3VPN-style backbone overlay, with encrypted overlays via site-to-site IPsec tunnels used for sensitive traffic and as a secondary fallback path. Redundant paths and failover must be observable through controlled link toggling and routing convergence evidence.

ApexLink Networks standardises on Linux-based administration and open-source security tooling for operational consistency. Core services such as DNS, DHCP, and mail servers are hosted on Ubuntu Server virtual machines within the Sydney environment, with branches using lightweight Linux servers for local logging, caching resolvers, and diagnostics. Kali Linux is used for penetration testing, vulnerability scanning, packet capture, and validation of protocol behaviour. Administrative access must occur over SSH using key-based authentication, and security controls must be demonstrable through centralised logging, SNMP-based monitoring, and enforceable edge policies using NAT, PAT, and firewall rule sets.

This national rollout requires that each branch POP integrates into a cohesive WAN with consistent security policy enforcement, seamless access to shared enterprise applications, and centralised management from Sydney. The design mandates strict segmentation using VLANs and controlled inter-VLAN access, robust routing convergence under failure conditions, and auditable security operations aligned with modern ISP and enterprise expectations for availability, scalability, and layered defence.

Each site will have its own local edge infrastructure and use VLAN-based segmentation to divide departments such as Administration, Sales, Engineering, Support, and Management. A unique IPv4 address space using Variable Length Subnet Masking (VLSM) must be designed for all offices, ensuring efficient use of IP resources while maintaining logical boundaries. All internal communication between VLANs must be controlled using ACLs, firewalls, and router-on-a-stick trunking configurations. For inter-site communication, MPLS VPN tunnels must be used to ensure secure, private transmission over public carrier backbones. Additionally, site-to-site IPsec VPNs will provide a secondary encrypted overlay network for sensitive data traffic. Each branch will support local user access and also serve as a resilient regional node with its own caching DNS resolvers, DHCP relay configurations, file mirrors, and scheduled backup snapshots. Remote access will be secured using IPsec VPN tunnels terminating at the Sydney DMZ, authenticated by multi-factor authentication, and audited through the SIEM. Branch offices will use BGP for inter-office route propagation, with OSPF for internal dynamic routing. A secure MPLS backbone will serve as the primary WAN transport method, with fallback to encrypted VPN tunnels over public broadband. Internal and external email services will be hosted on Postfix and Dovecot Linux servers located within a demilitarized zone. Web proxies, intrusion detection systems, and policy-based NAT/PAT rules will be enforced at all network edges, supported by extensive ACLs.

As a company that embraces open-source technologies, the company requires all its infrastructure and diagnostic operations to be managed using Linux-based systems. The centralised services (e.g., DHCP, DNS, Apache Web Server, and Mail Transfer Agent) must run on Ubuntu Server VMs deployed on VMware ESXi hypervisors in the Sydney data centre. Branch locations will use lightweight Linux servers for local authentication and packet capture/logging, with Kali Linux installations used for penetration testing, vulnerability scanning, and remote packet analysis. All administrative access must occur over SSH with key-based authentication, and Linux systems could be hardened using tools such as Lynis, UFW, and AppArmor. All network devices and servers will be Linux-based wherever possible, including pfSense firewalls, VyOS routers, and Kali Linux for penetration testing. The organisation will employ DNSSEC on internal name servers, enforce SSH key-based login for all privileged accounts, and maintain full audit trails via centralized rsyslog and logrotate configurations. Standard administrative tools such as iptables, fail2ban, and tcpdump will be used for system security and diagnostics. All Linux systems will be managed using Ansible playbooks and monitored via open-source solutions such as Zabbix or Prometheus. Backup infrastructure will include Borg Backup running on a SAN-hosted file archive.

The new infrastructure project requires that each branch office be fully integrated into a cohesive Wide Area Network that ensures consistent security policies, seamless access to shared enterprise applications, and centralised service management from the Sydney headquarters. Sydney will house the primary data centre, which will operate 24x7 and support all mission-critical systems, including customer relationship management, secure internal messaging, file services, VPN gateway clusters, mail servers, DHCP, DNS, SIEM systems, and high-performance SAN and NAS storage arrays. The design mandates strict segmentation across departments using VLANs and firewalled inter-VLAN access. The Sydney data centre will also provide centralised system logging, authentication via Kerberos and LDAP, and a remote patch deployment service for all Linux-based workstations and servers throughout the organisation. This enterprise network design and implementation project represents a critical milestone in the company's national growth strategy, requiring rigorous planning, secure design practices, platform-agnostic service deployment, and compliance with ISO 27001 security standards. The assessment tasks require deep technical involvement and practical demonstration of skills using network emulation tools, Linux terminals, firewall rule configuration, and secure system deployment strategies across virtual and physical infrastructure.

Tasks

You are engaged as infrastructure engineers for a national Internet Service Provider (ISP). Your role is to design, implement, simulate, and document a multi-protocol, Tier III-grade Wide Area Network that connects a central operations and data centre hub in Sydney to regional POPs (Points of Presence) in Canberra, Hobart, and Darwin. The Sydney site must host all mission-critical services and serve both internal ISP functions and public/private sector clients through secure, scalable, and logically segmented infrastructure.

You are engaged as senior infrastructure engineers to design, simulate, and document the deployment of a national Wide Area Network (WAN) for a rapidly expanding Internet Service Provider (ISP). The central operations hub and Tier II-compliant data centre is in Sydney and must provide reliable, high-performance, and secure services to regional POPs (Points of Presence) in Canberra, Hobart, and Darwin. The ISP serves a diverse client base across government, education, and private sectors, and is responsible for delivering connectivity, hosting, DNS, VPN, email, and web services under strict performance and compliance requirements. Your WAN design must support both internal ISP operations and multi-tenant service delivery. It must also provide full redundancy, client isolation, dynamic routing, and secure external peering. All service zones must be logically segmented, monitored, and hardened to support 24x7 operations. Cisco Packet Tracer must be used for all network simulation, while Kali Linux must be used for all diagnostics, testing, penetration attempts, and protocol validation. Your implementation must incorporate advanced protocol layering, multi-site routing architectures, secure service delivery zones (DMZs), and ISP backbone failover capabilities. Your design must feature advanced and diverse protocols, such as but not limited to:

  • BGP (internal and external)
  • OSPF (intra-POP link-state routing)
  • DHCP (for dynamically allocated client edge devices)
  • DNS with DNSSEC (internal and external resolution)
  • IPsec (VPN gateways for enterprise clients)
  • GRE (tunnelling for legacy transport)
  • ICMP / Traceroute / Ping
  • IPsec (site-to-site and remote VPN gateways)
  • NAT/PAT (service isolation)
  • VRRP/HSRP (redundancy and failover)
  • MPLS L3VPN (simulated over multiple logical clouds)
  • SMTP/IMAP (mail services)
  • SNMP v3 (monitoring)
  • SSH (remote secure admin)
  • Syslog/logrotate (centralised logging)
  • RSTP or MSTP (loop prevention in switched core)
  • HTTPS / Apache Web Server
  • ACLs (Standard, Extended, Named)
  • FTP / SFTP

You must complete the following deliverables in your submission. All simulations must be performed in Cisco Packet Tracer. All diagnostics, testing, and CLI outputs must be captured from Kali Linux.

Task 1: National Multi-Site WAN Design

Design a fully redundant and secure Wide Area Network (WAN) interconnecting four Australian POPs: Sydney (Tier II core DC), Canberra, Hobart, and Darwin. This ISP-level deployment must include full-scale core routing, simulated MPLS backbone overlays, and encrypted tunnels.

Technical Requirements:

  • Implement MPLS-based transport using loopback-routed cloud segments in Cisco Packet Tracer.
  • Create IPsec VPN overlay tunnels for client isolation and encrypted delivery of services.
  • Configure iBGP within your AS (internal peers between POPs).
  • Enable eBGP peering to upstream service providers or simulated client connections.
  • OSPF must be used as intra-site IGP with distinct area IDs per POP.
  • Simulate redundant paths and backbone failover via link toggling.

Deliverables:

Item | Description
Full Topology Diagram | Logical & physical representation of the WAN infrastructure
Routing Domain Plan | AS Numbers, MPLS labels, OSPF area distribution
BGP Peering Table | IP addresses, ASN, peer type (internal/external), role
Link-Failure Test Log | Screenshots of failover triggering and routing convergence

Task 2: IP Addressing and Subnet Allocation (ISP + Client)

Create a hierarchical IP addressing scheme that supports ISP internal operations and multiple client services with minimal IP wastage.

Technical Requirements:

  • Use public IPs for DMZ, mail, VPN, DNS, and client-exposed services.
  • Use private RFC1918 IPs for internal VLANs and infrastructure services.
  • Allocate loopback IPs (/32) to all routing nodes for BGP/MPLS consistency.
  • Simulate client edge IP pools using /29 public IP blocks.

Deliverables:

Segment | Address Type | Subnet Mask | Purpose
DMZ Services | Public | /28 | VPN, DNS, Mail
Infrastructure VLAN | Private | /24 | Internal routing, NMS
Client Blocks | Public | /29 | Simulated customer edge
Loopbacks | Private | /32 | Router identification for MPLS, BGP

Table | Description
VLSM Subnet Table | CIDR breakdown, host count, broadcast
Public IP Table | NAT mapping of public-to-private
Loopback IP Plan | Address allocation per router/service
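
One way to generate the VLSM Subnet Table columns (CIDR, usable host count, host range, broadcast), shown as an added example that is not part of the original brief. The parent block 10.10.10.0/24 and the per-segment host counts are constructed sample values; the allocator uses the standard largest-first VLSM method.

```python
import ipaddress


def describe(cidr):
    """Return the subnet-table columns for one block."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen >= 31:
        # /31 point-to-point links and /32 loopbacks have no separate
        # network or broadcast address: every address is usable.
        return {"cidr": str(net), "usable": net.num_addresses,
                "first": str(net[0]), "last": str(net[-1]),
                "broadcast": None}
    return {"cidr": str(net), "usable": net.num_addresses - 2,
            "first": str(net[1]), "last": str(net[-2]),
            "broadcast": str(net.broadcast_address)}


def vlsm_plan(parent, requirements):
    """Carve `parent` into subnets sized for each (name, hosts_needed) pair.

    Segments are placed largest-first so that every block starts on its own
    size boundary and no addresses are lost to alignment gaps.
    Raises ValueError when the parent block is too small.
    """
    parent_net = ipaddress.ip_network(parent)
    cursor = int(parent_net.network_address)
    end = int(parent_net.broadcast_address) + 1
    rows = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        # Smallest power of two that holds hosts + network + broadcast.
        bits = (hosts + 1).bit_length()
        size = 1 << bits
        if cursor + size > end:
            raise ValueError(f"{parent} exhausted while placing {name!r}")
        cidr = f"{ipaddress.ip_address(cursor)}/{32 - bits}"
        rows.append({"name": name, "needed": hosts, **describe(cidr)})
        cursor += size
    return rows


# Constructed sample requirements for one POP (not values from the brief).
SAMPLE_PARENT = "10.10.10.0/24"
SAMPLE_REQUIREMENTS = [
    ("Admin", 25),
    ("VPN Clients", 62),
    ("WAN link", 2),
    ("Engineering", 50),
    ("Management", 10),
]

if __name__ == "__main__":
    header = f"{'Segment':<12} {'CIDR':<17} {'Need':>4} {'Usable':>6}  Host range / broadcast"
    print(header)
    for row in vlsm_plan(SAMPLE_PARENT, SAMPLE_REQUIREMENTS):
        print(f"{row['name']:<12} {row['cidr']:<17} {row['needed']:>4} "
              f"{row['usable']:>6}  {row['first']} - {row['last']} / {row['broadcast']}")
```
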

Task 3: VLAN and VRF Segmentation

Design and implement VLAN and optional VRF segmentation to support service separation, traffic isolation, and enhanced network management within your ISP backbone and branch environments. This task focuses on ensuring each department, service, and client environment is logically segmented using Layer 2 and Layer 3 mechanisms.

Technical Requirements:

  • Define VLANs for Admin, Engineering, NOC, Monitoring, Routing, etc., to ensure departmental isolation.
  • Create additional external service VLANs to support Web, Mail, VPN, and DNS services hosted at the Sydney core.
  • Ensure 802.1Q trunking is configured between all routers and switches that carry inter-VLAN traffic.

  • Configure DHCP relay agents to forward client DHCP requests to a central DHCP server, and validate dynamic IP lease assignment across VLANs.

Deliverables:

  • A full VLAN and trunking configuration plan
  • A Packet Tracer screenshot showing VLAN propagation and trunking verification
  • A working DHCP simulation via CLI or GUI (with relevant logs captured from the DHCP server or ipconfig output on end devices)
  • Complete the table:
Table | Description
VLAN/VRF Allocation Table | Role, IP, ID, Isolation strategy
DHCP Lease Logs | Captured lease from tail -f /var/log/syslog

Task 4: Protocol Implementation and Simulation

This task focuses on implementing a diverse set of routing, security, tunneling, and monitoring protocols across your simulated ISP infrastructure. The goal is to exceed the complexity of Assessment 2 by including multiple protocol layers—transport, encryption, application services, and diagnostics—across multiple network nodes and simulation endpoints.

You must demonstrate correct protocol configuration, proof of operation and convergence, and CLI-level validation, especially through tools available in Cisco Packet Tracer and Kali Linux. Your implementation must simulate real-world scenarios involving inter-AS routing, secure tunnels, high-availability failover, DNS protection, mail services, and centralized logging.

Protocols to be Implemented:

  • Routing & Transport:
    • BGP (both internal iBGP and external eBGP sessions)
    • OSPF as an intra-site IGP
    • GRE tunnels for legacy path simulations
    • MPLS logic simulated using loopback routing via cloud segments
  • Security & VPN:
    • IPsec for encrypted VPN tunnels
    • NAT and PAT for internal-to-public translation
    • VRRP or HSRP for gateway failover
    • SSH with public-key infrastructure for secure administration
    • DNSSEC validation on internal zones
  • Application & Service Protocols:
    • DNS resolution and zone simulation (internal and external)
    • SMTP and IMAP for mail service simulation
    • Syslog configuration and logrotate for log management
    • SNMP (preferably SNMPv2 traps) for NMS integration
  • Monitoring, Logging, and Diagnostics:
    • Logrotate for daily system log rotation
    • SNMP trap testing using Wireshark or Packet Tracer simulation
    • CLI-based test outputs (ping, traceroute, tcpdump, dig, etc.)
    • Capture all outputs via CLI on Kali Linux and core devices

Deliverables:

Students must submit screenshots of configuration and output, captured CLI evidence, and test results to validate protocol behaviour and successful simulation. Students must complete the table with relevant outputs from their simulation and document all configuration steps, ideally including test commands like nmap, openssl s_client, tcpdump, show commands, and relevant logs.

Example:

Device | Protocol | CLI Output / Validation Command
Edge Router | BGP | show ip bgp summary
Core Router | OSPF | show ip ospf neighbor
VPN Gateway | IPsec |
Firewall | NAT/PAT |
Redundancy GW | VRRP/HSRP |
DNS Server | DNSSEC | dig @dns-server +dnssec example.com
Mail Server | SMTP/IMAP |
Kali Linux | SSH (PKI) |
NMS | SNMP Trap | Captured via Wireshark / Packet Tracer
Syslog Server | Syslog |
Kali Linux | Logrotate | /etc/logrotate.conf or rotated logs view

Task 5: ACLs, NAT, and Firewall Simulation

Configure ACLs, NAT, and stateful firewall rules to protect all zones:

  • Deny unauthorised inter-VLAN access
  • Permit VPN client access only to DMZ services
  • Translate public to internal IPs for exposed services
  • Implement simulated stateful firewall edge

Develop ACL rules and simulate NAT translations for inbound and outbound traffic. Create a basic stateful firewall simulation using ACLs and object groups.

Technical Requirements:

  • Restrict inter-VLAN traffic based on policy.
  • Permit only VPN clients to reach DMZ via ACLs.
  • Configure NAT pools and inspect show ip nat translations.

Deliverables:

  • Completed ACL rule table (rule ID, action, src, dest, proto, port, purpose)
  • NAT translations with show ip nat translations
  • Packet capture of blocked and allowed traffic
  • Test validation using Kali tools (nmap, hping3, etc.)
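
A way to check an ACL rule table against the policy before it is applied, shown as an added example that is not part of the original brief. It models the first-match, implicit-deny evaluation used by router ACLs and flags rules that can never fire; the rule IDs, the internal 10.20.0.0/24 VLAN and the DMZ /28 are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# Columns follow the rule table in the deliverables:
# rule ID, action, src, dest, proto, port, purpose.
Rule = namedtuple("Rule", "rule_id action src dst proto port purpose")


def _net(cidr):
    return ipaddress.ip_network(cidr)


def matches(rule, src_ip, dst_ip, proto, port):
    """True when a packet falls inside every field of the rule."""
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.proto in ("ip", proto)      # "ip" matches any protocol
            and rule.port in (None, port))       # None matches any port


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action, rule.rule_id
    return "deny", "implicit"


def shadowed(rules):
    """Return (later_id, earlier_id) pairs where the earlier rule already
    covers every packet the later rule could match, so the later rule
    never takes effect."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.proto in ("ip", later.proto)
                    and earlier.port in (None, later.port)):
                pairs.append((later.rule_id, earlier.rule_id))
                break
    return pairs


# Constructed sample rule table: VPN clients may reach DMZ services only.
RULES = [
    Rule(10, "permit", "10.10.10.0/26", "203.0.113.0/28", "tcp", 443,
         "VPN clients to DMZ web"),
    Rule(20, "permit", "10.10.10.0/26", "203.0.113.0/28", "udp", 53,
         "VPN clients to DMZ DNS"),
    Rule(30, "deny", "10.10.10.0/26", "10.0.0.0/8", "ip", None,
         "VPN clients blocked from internal VLANs"),
    Rule(40, "permit", "10.10.10.0/26", "10.20.0.0/24", "tcp", 22,
         "misordered rule: sits below the deny that covers it"),
]

if __name__ == "__main__":
    probes = [
        ("10.10.10.5", "203.0.113.2", "tcp", 443),
        ("10.10.10.5", "10.20.0.9", "tcp", 22),
        ("10.30.0.4", "203.0.113.2", "tcp", 443),
    ]
    for probe in probes:
        print(probe, "->", evaluate(RULES, *probe))
    print("shadowed rules:", shadowed(RULES))
```
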

Task 6: Remote Access and VPN Testing

Use Kali Linux to simulate remote clients accessing ISP-hosted services over IPsec VPN tunnels. Test client-to-ISP VPN connectivity using Kali Linux. Simulate IPsec connectivity using static keys and verify tunnel access.

  • Authenticate via shared key (simulated)
  • Route internal traffic through VPN gateway
  • Access DMZ services (web, mail, DNS)
  • Demonstrate logging and ACL enforcement on tunnel traffic

Deliverables:

  • ip route table showing VPN routing
  • VPN access attempt logs
  • Traceroute results
  • Logs from /var/log/auth.log, syslog, firewall hits

Task 7: Penetration Testing and Validation

Run a basic simulated penetration test using Kali tools to test firewall resilience, open ports, weak configurations, and attack surfaces. Conduct live security validation using Kali Linux and test protection for:

  • SSH brute-force (e.g., hydra)
  • Port scans (nmap)
  • Web-based attacks (optional XSS or SQLi sim via curl)
  • VPN scanning
  • Firewall bypass attempts

Deliverables:

  • Attack simulation summary
  • Detection evidence (log samples, alerts)
  • Screenshots of scan results
  • Summary of mitigations

Task 8: Logging, Monitoring, and Management

Implement a simulated centralised log and monitoring solution.

Set up simulated centralised logging and monitoring infrastructure.

  • Forward syslogs to a collector (even if simulated)
  • Simulate SNMP traps to a monitoring server
  • Log ACL violations, failed login attempts, and link down events
  • Rotate logs and simulate daily retention with logrotate

Deliverables:

  • Log samples (auth.log, syslog, firewall logs)
  • Logrotate configuration
  • SNMP test via Kali
  • Packet captures of SNMP trap attempts
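
One way to turn auth.log samples into detection evidence for repeated failed SSH logins, shown as an added example that is not part of the original brief. The log lines, hostname and addresses are constructed, and the target is assumed to still accept password attempts so that sshd writes "Failed password" entries; the max_retry and find_time parameters echo fail2ban's maxretry/findtime settings but this is not fail2ban's code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" entries in classic syslog format.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(lines, max_retry=5, find_time=60, year=2026):
    """Flag source IPs with >= max_retry failures inside find_time seconds.

    Classic syslog timestamps carry no year, so one is supplied by the
    caller. Month names are parsed with %b, which assumes an English locale.
    Returns {ip: {"first_alert", "failures_in_window", "users_tried"}}.
    """
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> every username seen in failures
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_retry and ip not in alerts:
            alerts[ip] = {"first_alert": ts, "failures_in_window": len(q)}
    for ip, alert in alerts.items():
        alert["users_tried"] = sorted(users[ip])
    return alerts


# Constructed sample: one fast guessing run, one user who mistyped twice.
SAMPLE = """\
Jan 25 10:15:01 syd-dmz-ssh sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Jan 25 10:15:02 syd-dmz-ssh sshd[2213]: Failed password for root from 198.51.100.23 port 40124 ssh2
Jan 25 10:15:04 syd-dmz-ssh sshd[2215]: Failed password for invalid user test from 198.51.100.23 port 40126 ssh2
Jan 25 10:15:05 syd-dmz-ssh sshd[2217]: Failed password for root from 198.51.100.23 port 40128 ssh2
Jan 25 10:15:07 syd-dmz-ssh sshd[2219]: Failed password for invalid user oracle from 198.51.100.23 port 40130 ssh2
Jan 25 10:16:30 syd-dmz-ssh sshd[2230]: Failed password for netops from 10.20.0.44 port 51000 ssh2
Jan 25 10:21:30 syd-dmz-ssh sshd[2241]: Failed password for netops from 10.20.0.44 port 51002 ssh2
Jan 25 10:21:41 syd-dmz-ssh sshd[2243]: Accepted publickey for netops from 10.20.0.44 port 51004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE).items():
        print(f"ALERT {ip}: {alert['failures_in_window']} failures within 60s, "
              f"first crossed at {alert['first_alert']}, "
              f"users tried: {', '.join(alert['users_tried'])}")
```
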

Submission Report

Prepare a professional technical report of approximately 3,000 words (excluding references and appendices), documenting your ISP-grade WAN design, service segmentation, routing infrastructure, security enforcement, and multi-site implementation strategy. This report must reflect an advanced level of technical competency expected of engineers working in Tier III data centre environments and must use Kali Linux, Cisco Packet Tracer, and VMware/Linux platforms where applicable.

The report must include the following sections and evidentiary material:

1. Network Requirements and Topology Overview

  • Description of all four POP locations and the Sydney data centre
  • Departmental and customer-facing service segregation
  • ISP core and edge service expectations
  • Required redundancy and high availability features
  • Diagram: L3 Logical Topology including BGP/MPLS/OSPF domains

2. IP Addressing Design

  • Explanation of IP address hierarchy: internal infrastructure, client allocations, loopback IPs
  • VLSM-based subnet planning
  • Public IP use policy for DMZ services
  • Diagram: IP allocation zones and addressing hierarchy

3. Completed Subnet Tables

  • Subnet allocation for each VLAN and inter-router link
  • Public IP assignments for NAT, VPN, DNS, and SMTP services

Sample table:

Location | Purpose | Subnet CIDR | Host Range | Broadcast IP
Sydney | DNS Servers | 203.0.113.0/29 | 203.0.113.1–203.0.113.6 |
Canberra | VPN Clients | 10.10.10.0/26 | 10.10.10.1–10.10.10.62 |

4. VLAN Configuration Table

  • VLAN ID assignments across POPs
  • DHCP pool configuration
  • Routing interface assignment (router-on-a-stick)
  • Layer 2 switch tagging validation (802.1Q)

5. Screenshots of Network Configurations

  • Cisco Packet Tracer CLI outputs:
    • show ip route, show ip ospf neighbor, show ip bgp summary
  • Linux CLI from Kali:
    • ip addr, ip route, iptables -L, dig, tcpdump
    • Firewall configuration interfaces (pfSense or CLI)
    • VLAN tagging tests (ping, traceroute across VLANs)

6. WAN Connectivity and Routing Protocols

  • Full documentation of:
    • BGP (iBGP and eBGP) peerings with ASNs and policies
    • OSPF deployment plan with area design
    • MPLS label simulation (using logical loopbacks in Packet Tracer)
    • IPsec overlay and GRE encapsulation tests
  • Routing redundancy and failover strategy
  • VRRP/HSRP failover test outputs (simulated)

7. Security Measures and Justifications

  • VLAN isolation and DMZ placement
  • ACL structure and rule enforcement policy
  • NAT and PAT justification for edge services
  • DNSSEC deployment
  • SSH key-based login
  • Host hardening measures on Linux systems (output of lynis audit)

8. Firewall ACL Table

  • Tabular list of ACLs applied to core and edge routers
  • Rules for inter-VLAN, WAN ingress/egress, VPN access
  • ACL hits validation using show access-lists and log review

9. Testing and Troubleshooting Procedures

Kali Linux–based penetration testing against exposed services:

  • nmap, hydra, hping3, wireshark
  • DNS poisoning simulation (optional lab)
  • ACL bypass and replay attempt with tcpdump logs
  • VPN tunnel simulation and encryption validation
  • Traceroute comparisons during MPLS vs VPN failover
  • SNMP test trap capture (if simulated)

10. Terminal Output Evidence (VMware/Kali Linux/macOS Unix Terminal)

  • SSH authentication and public key validation
  • Log capture:
    • /var/log/auth.log, /var/log/syslog, /var/log/messages
  • Routing table dumps
  • Interface state and traffic testing (netstat, iftop)
  • System status checks: uptime, open ports, daemon status
  • Packet captures with tcpdump -n -i eth0

11. Logging, Monitoring, and Automation

  • Syslog configuration for event forwarding from POPs to Sydney NMS
  • Sample logs of failed login attempts, ACL violations, routing updates
  • Logrotate configuration files and sample rotation logs
  • SNMP configuration and OID validation output
  • Use of scripts or Ansible playbooks for rule deployment (if applicable)

12. Troubleshooting Log (Fault Simulations)

  • Three simulated fault cases:
    1. BGP route flap or withdrawal and how convergence is handled
    2. VPN tunnel misconfiguration and session denial with fix
    3. VLAN mis-tagging causing loss of service in one subnet
  • Diagnostic tools used and outputs
  • Final status and validation logs/screenshots

13. References (APA 7th)

  • Minimum 10 academic and/or technical sources
  • Citations for routing best practices, security models, DNSSEC, BGP policy, etc.

14. Appendices

  • Complete routing configuration scripts (Packet Tracer routers)
  • Full IP address plan and public/private allocation
  • Packet captures (.pcap summaries)
  • Screenshots from Kali Linux and Packet Tracer
  • Any supplemental figures, backups, or commands not inline in main report

Rubric for Assessment 3 – Network Simulation and Design Task (40%) – OPEN ASSESSMENT

| Criteria | Fail (0 – 49%) | Pass (50 - 64%) | Credit (65-74%) | Distinction (75-84%) | High Distinction (85 – 100%) |
|---|---|---|---|---|---|
| Research Quality and Solution Feasibility (10%) | Insufficient research conducted, with few or no feasible solutions presented. Relies on non-credible or unsupported ideas. | Adequate research conducted, presenting moderately feasible solutions supported by credible sources. | Above-average quality of research, presenting feasible solutions backed by good sources. | Very good research, presenting highly feasible solutions supported by strong academic and professional sources. | Exceptional research, presenting innovative and highly feasible solutions with extensive academic support. |
| Understanding of the challenge in terms of theories and concepts (10%) | Not adequately understood the challenge in terms of the theories and concepts studied (eg have used terminology incorrectly or design/prototype is based on theoretically/conceptually incorrect assumptions or misconceived the issue/problem) | Adequately understood the challenge in terms of the theories and concepts studied (eg have correctly used terminology and design/prototype is based on theoretically/conceptually correct assumptions) | Adequately understood the challenge in terms of the theories and concepts studied to an above average standard | Adequately understood the challenge in terms of the theories and concepts studied to a very good standard | Adequately understood the challenge in terms of the theories and concepts studied to an exceptional standard |
| Coherence of analysis justifying design/prototype (10%) | The rationale for the design/prototype is illogical and/or poorly reasoned (eg because it relies on unfounded assumptions or misunderstands the theories and concepts applied) | The rationale for the design/prototype is mostly logical and well-reasoned | The rationale for the design/prototype is logical and well-reasoned to an above average standard | The rationale for the design/prototype is logical and well-reasoned to a very good standard | The rationale for the design/prototype is logical and well-reasoned to an exceptional standard |
| Support for design/prototype (10%) | The design/prototype is insufficiently supported by theory and/or evidence | The design/prototype is supported by theory and/or evidence | The design/prototype is supported by theory and/or evidence to an above average standard | The design/prototype is supported by theory and/or evidence to a very good standard | The design/prototype is supported by theory and/or evidence to an exceptional standard |
| Creativity (10%) | The design/prototype lacks creativity | The design/prototype is appropriately creative, whether in substance or format | The design/prototype is appropriately creative to an above average standard | The design/prototype is appropriately creative to a very good standard | The design/prototype is appropriately creative to an exceptional standard |
| Complexity and innovation in design (10%) | Design lacks complexity and shows no innovation | Adequate design with moderate complexity and limited innovation | Above-average complexity in network design with some innovative features | Very good design, incorporating advanced complexity and innovative approaches | Excellent design, demonstrating exceptional complexity and groundbreaking innovation |
| Use of a commercially appropriate document structure (for supporting document) (eg 'design challenge,' 'proposed solution,' 'justification for design/prototype') (10%) | The supporting document is not structured in a commercially appropriate manner (eg lacking relevant headings) | The supporting document is well structured in a commercially appropriate manner (eg using relevant headings) | The supporting document is well structured in a commercially appropriate manner to an above average standard | The supporting document is well structured in a commercially appropriate manner to a very high standard | The supporting document is well structured in a commercially appropriate manner to an exceptional standard |
| Ethical use of Gen AI tools in research and writing based on Turnitin AI report/ Acknowledgement of AI in assessment (10%) | You have used GenAI tools inappropriately or without acknowledgement. | You have used GenAI tools with minimal acknowledgement. | You have used GenAI tools ethically with appropriate citations. | You have integrated GenAI tools with critical evaluation. | You have demonstrated transparent use of GenAI tools with critical analysis. |
| Report structure and documentation (10%) | Report lacks structure and clarity, insufficient documentation. | Well-structured report with adequate documentation. | Above-average structure and documentation, with clear explanations. | Very well-structured report with detailed and thorough documentation. | Exceptionally clear and detailed report, with comprehensive documentation. |
| Use of academically appropriate document style, writing style and referencing system (10%) | Failed to use academically appropriate writing style and/or referencing system (eg you have used colloquialisms or overly formal language or failed to use a recognised referencing system eg APA or Harvard) | Sufficient use of academically appropriate writing style and referencing system | Use of academically appropriate writing style and referencing system to an above average standard | Use of academically appropriate writing style and referencing system to a very high standard | Use of academically appropriate writing style and referencing system to an exceptionally high standard |
