Opening Framing: From Theory to a Working Network
Over the past eleven weeks you have studied individual technologies in isolation: topologies, models, Ethernet framing, IPv4 addressing, subnetting, VLSM, packet forwarding, IPv6, ICMP troubleshooting, DHCP, DNS, and the Cisco IOS CLI. Each week answered a focused question — how does ARP work, how does a subnet mask divide a network, how does a router forward a packet.
This week answers a different question: how do all of those pieces fit together to build a real network from scratch? You will take a business brief, translate it into a network design, create a VLSM address plan, configure every device through the CLI, verify end-to-end connectivity, document the result, and troubleshoot failures. This is the capstone exercise for NET101 — the transition from understanding individual concepts to integrating them into an operational whole.
In a professional setting, this is exactly how a network deployment works. A business describes what it needs. An engineer translates those needs into a topology, an address plan, and a configuration. The engineer builds the network, verifies it works, documents it for the team, and hands it over. Every skill you have learned this semester is directly required for this process.
A capstone is not a new topic. It is the proof that you can combine everything you have learned into a single coherent deliverable. The value is in the integration — connecting VLSM math to actual interface commands, connecting interface status to ping verification, connecting ping failures to troubleshooting logic. If you can build this network from a blank slate, you have demonstrated NET101 mastery.
Learning Outcomes
By the end of this week, you will be able to:
- Translate a business brief into a logical network topology with appropriate device roles.
- Design a VLSM address plan that allocates subnets based on host requirements with zero overlap.
- Configure a multi-switch, single-router network from scratch using the Cisco IOS CLI, including hostnames, passwords, interface addressing, and DHCP.
- Verify end-to-end connectivity systematically using ping, traceroute, show commands, and ARP inspection.
- Troubleshoot failures by applying the layered diagnostic methodology (L1 through L3) to identify and resolve connectivity issues.
- Document a completed network with a topology diagram, address table, and configuration archive suitable for handoff to another engineer.
1. The Business Brief
Every network project begins with a requirements document. In enterprise environments this might be a formal Statement of Work (SOW) or a Request for Proposal (RFP). For this capstone, the brief is a simplified version of what a small business would give to a network contractor.
Meridian Design Studio is a graphic design firm opening its first office. They have 45 employees across three departments and need a network that supports day-one operations.
Department breakdown:
- Creative (25 staff): Designers, video editors, and project managers. High-bandwidth file transfers to a central NAS.
- Administration (12 staff): HR, accounting, and reception. Standard office productivity, email, and a shared printer.
- Guest Wi-Fi (up to 15 devices): Client visitors and contractors need internet access but must not reach internal servers or printers.
Infrastructure provided:
- 1 x Cisco ISR 4321 router (the gateway to the ISP and between departments)
- 3 x Cisco Catalyst 2960 switches (one per department floor area)
- Cat6 copper cabling throughout (cable runs under 55 metres)
- ISP uplink: a single Ethernet handoff with the address 203.0.113.2/30 (gateway 203.0.113.1)
Assigned private address space: 10.50.0.0/22 (1022 usable addresses)
Requirements:
- Each department on its own subnet (security and broadcast isolation)
- DHCP for all departments (no manual IP assignment on endpoints)
- DNS resolution for internet access
- Guest traffic must not reach Creative or Admin subnets
- All devices manageable via the CLI with secure passwords
- Full documentation: topology diagram, address table, device configs
Before touching any device, you need to extract the technical requirements from this brief. The three departments become three subnets. The host counts determine the prefix lengths. The router connects the subnets and provides the ISP uplink. The switches provide Layer 2 connectivity within each subnet. DHCP and DNS are infrastructure services that must be configured on the router. Guest isolation at this stage goes only as far as placing guests on their own subnet: R1 has a connected route to every subnet and will forward Guest traffic to Creative and Admin until access control lists are applied on the router (covered in NET202).
2. Designing the VLSM Address Plan
This is the Week 5-6 subnetting and VLSM skill applied to a real scenario. The
address block is 10.50.0.0/22, which gives 1022 usable host
addresses. You must allocate subnets for three departments plus a point-to-point
link between the router and the ISP (already assigned by the ISP as
203.0.113.0/30).
Step 1: List host requirements (largest first)
| Subnet | Required hosts | Next power of 2 | Prefix length | Usable hosts |
|---|---|---|---|---|
| Creative | 25 + gateway + NAS = 27 | 32 (2^5) | /27 | 30 |
| Guest | 15 + gateway = 16 | 32 (2^5) | /27 | 30 |
| Admin | 12 + gateway + printer = 14 | 16 (2^4) | /28 | 14 |
| Router-to-Switch links (management) | Point-to-point (2 each) | 4 (2^2) | /30 | 2 |
Why largest first? VLSM allocates subnets in descending order of size to avoid address overlap. If you allocate a small subnet first, its boundaries might fall inside the range a larger subnet needs, wasting space or causing overlap.
Step 2: Allocate from 10.50.0.0/22
| Subnet | Network address | Prefix | Usable range | Broadcast | Gateway (router) |
|---|---|---|---|---|---|
| Creative | 10.50.0.0 | /27 | 10.50.0.1 – 10.50.0.30 | 10.50.0.31 | 10.50.0.1 |
| Guest | 10.50.0.32 | /27 | 10.50.0.33 – 10.50.0.62 | 10.50.0.63 | 10.50.0.33 |
| Admin | 10.50.0.64 | /28 | 10.50.0.65 – 10.50.0.78 | 10.50.0.79 | 10.50.0.65 |
Notice that the Creative subnet ends at .31, Guest starts at .32 and ends at .63,
and Admin starts at .64. There is no overlap because each subnet boundary falls on
a power-of-2 boundary. The remaining addresses in 10.50.0.0/22
(from 10.50.0.80 onward) are reserved for future growth — this is deliberate. A
good VLSM plan leaves room for additional subnets without renumbering.
If you accidentally allocate the Admin subnet starting at 10.50.0.48/28 instead
of 10.50.0.64/28, the range 10.50.0.48–10.50.0.63 overlaps with the Guest
subnet (10.50.0.32–10.50.0.63). The router will reject overlapping subnets on
different interfaces with % 10.50.0.48 overlaps with GigabitEthernet0/0/1
(the Guest interface in this topology).
Always verify that each new network address starts after the previous subnet's
broadcast address.
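The allocation and overlap rules above can be checked mechanically before any interface is configured. The following Python sketch is an added example, not part of the course material: it rebuilds the plan largest-first, validates it, reproduces the 10.50.0.48/28 mistake, and finds the next free block. The function names are illustrative; the addresses and host counts are the lesson's.

```python
import ipaddress

# Values from the lesson's brief and address plan. Function names are illustrative.
BLOCK = ipaddress.ip_network("10.50.0.0/22")
REQUIRED = {"Creative": 27, "Guest": 16, "Admin": 14}  # hosts incl. gateway/NAS/printer
PLAN = {
    "Creative": ipaddress.ip_network("10.50.0.0/27"),
    "Guest": ipaddress.ip_network("10.50.0.32/27"),
    "Admin": ipaddress.ip_network("10.50.0.64/28"),
}


def check_plan(block, plan, required):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    names = list(plan)
    for name in names:
        net = plan[name]
        usable = net.num_addresses - 2  # network and broadcast are not assignable
        if not net.subnet_of(block):
            problems.append(f"{name} {net} is outside {block}")
        if usable < required[name]:
            problems.append(f"{name} {net} has {usable} usable, needs {required[name]}")
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if plan[first].overlaps(plan[second]):
                problems.append(
                    f"{first} {plan[first]} overlaps {second} {plan[second]}")
    return problems


def allocate(block, required):
    """VLSM allocation: largest requirement first, packed from the start of block."""
    plan = {}
    cursor = int(block.network_address)
    for name, hosts in sorted(required.items(), key=lambda item: -item[1]):
        host_bits = (hosts + 2 - 1).bit_length()  # smallest n with 2**n >= hosts + 2
        size = 1 << host_bits
        cursor = -(-cursor // size) * size  # round up to the subnet's own boundary
        net = ipaddress.ip_network((cursor, 32 - host_bits))
        if not net.subnet_of(block):
            raise ValueError(f"{block} is too small for {name}")
        plan[name] = net
        cursor += size
    return plan


def next_free(block, plan, prefixlen):
    """First subnet of the given size that starts after every allocated subnet."""
    highest = max(net.broadcast_address for net in plan.values())
    for candidate in block.subnets(new_prefix=prefixlen):
        if candidate.network_address > highest:
            return candidate
    return None


if __name__ == "__main__":
    print("lesson plan problems:", check_plan(BLOCK, PLAN, REQUIRED))
    mistaken = dict(PLAN, Admin=ipaddress.ip_network("10.50.0.48/28"))
    print("mistaken plan problems:", check_plan(BLOCK, mistaken, REQUIRED))
    print("next free /28:", next_free(BLOCK, PLAN, 28))
```
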
3. Topology Design
With the address plan complete, you can now draw the topology. This maps directly to the physical and logical layout of the network.
Physical topology
The router has three GigabitEthernet interfaces (Gi0/0/0, Gi0/0/1, Gi0/0/2) connected to three switches, one per department. In a production SOHO this might use Router-on-a-Stick (ROAS) with a single trunk to one switch and VLANs, but for this capstone each department has a dedicated physical link to keep the configuration straightforward and reinforce per-interface addressing. (ROAS is covered in detail in NET102 Week 03.)
                [ISP]
                  |
           203.0.113.1/30
                  |
        Gi0/0/3: 203.0.113.2/30
        +---------+----------+
        |    R1 (ISR 4321)   |
        +---------+----------+
   Gi0/0/0     Gi0/0/1     Gi0/0/2
  10.50.0.1   10.50.0.33  10.50.0.65
     /27         /27         /28
      |           |           |
  [SW-CRE]    [SW-GST]    [SW-ADM]
      |           |           |
 25 Creative   15 Guest    12 Admin
    hosts       devices      hosts
Logical topology
Each switch port connects to one subnet. The router's interface IP serves as the default gateway for that subnet. The ISP-facing interface (Gi0/0/3) carries the public address. A default static route on R1 sends all non-local traffic toward the ISP gateway.
Why three separate subnets?
Recall from Weeks 5–7 that devices on the same subnet communicate directly at Layer 2 (the destination MAC is the endpoint's MAC, found via ARP). Devices on different subnets must send traffic through the router (the destination MAC is the gateway's MAC, and the router rewrites it at each hop). By placing each department on its own subnet, you achieve:
- Broadcast isolation: A broadcast storm in the Guest network does not flood Creative or Admin.
- Security boundary: The router can filter traffic between subnets with access control lists (NET202).
- Management clarity: A device with IP 10.50.0.70 is immediately identifiable as an Admin host.
4. Device Configuration: Router R1
This section walks through every command needed to bring R1 from factory default to a fully operational state. Each command block maps to a skill from a previous week.
4.1 Initial Device Setup (Week 11: IOS Basics)
enable
configure terminal
! Hostname
hostname R1-Meridian
! Secure Privileged EXEC
enable secret Meridian#2026!
! Secure console
line console 0
password Console#2026!
login
logging synchronous
exec-timeout 10 0
exit
! Secure VTY lines for SSH
line vty 0 4
password VTY#2026!
login
transport input ssh
exec-timeout 10 0
exit
! Generate SSH key
ip domain-name meridian.local
crypto key generate rsa modulus 2048
! Banner
banner motd #
===============================================
AUTHORIZED ACCESS ONLY - Meridian Design Studio
All sessions are monitored and logged.
===============================================
#
! Disable unused services
no ip http server
no ip http secure-server
service password-encryption
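What this achieves: The router has a hostname for identification, passwords on all access lines, SSH enabled for remote management, a legal banner, and service password-encryption to obscure the line passwords in the running config. The enable secret is stored as a hash; service password-encryption applies only a reversible encoding, so it protects against casual viewing of the config rather than against anyone who obtains the file. These are the Week 11 skills applied in sequence.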
4.2 Interface Addressing (Weeks 4–6: IPv4 and VLSM)
! Creative subnet — Gi0/0/0
interface GigabitEthernet0/0/0
description Creative-LAN (25 hosts)
ip address 10.50.0.1 255.255.255.224
no shutdown
exit
! Guest subnet — Gi0/0/1
interface GigabitEthernet0/0/1
description Guest-WiFi (15 devices)
ip address 10.50.0.33 255.255.255.224
no shutdown
exit
! Admin subnet — Gi0/0/2
interface GigabitEthernet0/0/2
description Admin-LAN (12 hosts)
ip address 10.50.0.65 255.255.255.240
no shutdown
exit
! ISP uplink — Gi0/0/3
interface GigabitEthernet0/0/3
description ISP-Uplink
ip address 203.0.113.2 255.255.255.252
no shutdown
exit
Each ip address command uses the subnet mask from the VLSM plan.
The description field ties the interface to a purpose — this is
documentation inside the config itself. The no shutdown command
brings each interface up; recall from Week 11 that router interfaces default to
the shutdown state.
4.3 Default Route (Week 7: Packet Forwarding)
! Default route to ISP
ip route 0.0.0.0 0.0.0.0 203.0.113.1
This tells R1: "For any destination not in my directly connected subnets, forward the packet to 203.0.113.1 (the ISP router)." Without this route, R1 can reach only its own subnets. This is the static routing concept from Week 7 — the default route is a static route with a destination of 0.0.0.0/0, matching everything.
4.4 DHCP Pools (Week 10: DHCP)
! DHCP pool — Creative
ip dhcp pool CREATIVE
network 10.50.0.0 255.255.255.224
default-router 10.50.0.1
dns-server 8.8.8.8 8.8.4.4
lease 8
exit
! DHCP pool — Guest
ip dhcp pool GUEST
network 10.50.0.32 255.255.255.224
default-router 10.50.0.33
dns-server 8.8.8.8 8.8.4.4
lease 0 4
exit
! DHCP pool — Admin
ip dhcp pool ADMIN
network 10.50.0.64 255.255.255.240
default-router 10.50.0.65
dns-server 8.8.8.8 8.8.4.4
lease 8
exit
! Exclude router and server addresses from pools
ip dhcp excluded-address 10.50.0.1 10.50.0.5
ip dhcp excluded-address 10.50.0.33 10.50.0.35
ip dhcp excluded-address 10.50.0.65 10.50.0.68
Design decisions explained:
- Excluded addresses: The first few addresses in each subnet are reserved for infrastructure (router gateway, NAS, printer, access point). Without exclusions, DHCP could assign 10.50.0.1 to a workstation, creating a duplicate IP conflict with the router.
- Guest lease time: 4 hours instead of 8 days. Guest devices are transient — a short lease reclaims addresses quickly when visitors leave.
- DNS servers: Google Public DNS (8.8.8.8, 8.8.4.4) is used for simplicity. In production, an internal DNS server would be preferred for split-horizon resolution.
4.5 Save Configuration (Week 11: Running vs Startup)
end
copy running-config startup-config
This copies the running configuration to NVRAM. If the router reboots, all configuration survives. Without this step, every command entered in this session would be lost on power loss.
5. Device Configuration: Switches
The three switches (SW-CRE, SW-GST, SW-ADM) require minimal configuration for this capstone because they are operating as simple Layer 2 switches — no VLANs, no trunking, no STP tuning. (Those features are the focus of NET102.) The configuration below applies to each switch with appropriate name changes.
SW-CRE (Creative switch) — example
enable
configure terminal
hostname SW-CRE
! Secure access
enable secret Switch#2026!
line console 0
password Console#2026!
login
logging synchronous
exit
line vty 0 15
password VTY#2026!
login
transport input ssh
exit
ip domain-name meridian.local
crypto key generate rsa modulus 2048
service password-encryption
banner motd #
=== AUTHORIZED ACCESS ONLY — Meridian Design Studio ===
#
! Management IP (optional — for remote SSH access to the switch)
interface vlan 1
ip address 10.50.0.2 255.255.255.224
no shutdown
exit
ip default-gateway 10.50.0.1
end
copy running-config startup-config
Key points:
- The switch management IP (VLAN 1 SVI) is inside the Creative subnet so the engineer can SSH to the switch from any subnet through the router.
- ip default-gateway is required on Layer 2 switches so that management traffic from the switch itself can reach other subnets. Without it, the switch can only be managed from the same subnet.
- SW-GST would use 10.50.0.34/27 with gateway 10.50.0.33. SW-ADM would use 10.50.0.66/28 with gateway 10.50.0.65.
In a production deployment, you would likely use a single switch (or stacked switches) with VLANs to separate departments, using ROAS or a Layer 3 switch for inter-VLAN routing. This capstone uses three separate physical switches to reinforce per-interface subnetting and to keep the scope within NET101 skills. VLANs, trunking, and ROAS are covered in NET102 Weeks 1–3.
6. Verification: Proving the Network Works
Configuration without verification is incomplete. You must systematically confirm that every layer is operational before declaring the network ready.
6.1 Layer 1: Physical connectivity
R1-Meridian# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 10.50.0.1 YES manual up up
GigabitEthernet0/0/1 10.50.0.33 YES manual up up
GigabitEthernet0/0/2 10.50.0.65 YES manual up up
GigabitEthernet0/0/3 203.0.113.2 YES manual up up
Every interface must show up/up. If Status shows
administratively down, the no shutdown command was
missed. If Protocol shows down, the cable is disconnected or the
remote end is not active.
6.2 Layer 2: ARP and MAC tables (Week 3 and Week 7)
R1-Meridian# show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.50.0.1 - aabb.cc00.0100 ARPA Gi0/0/0
Internet 10.50.0.6 2 aabb.cc00.1001 ARPA Gi0/0/0
Internet 10.50.0.33 - aabb.cc00.0110 ARPA Gi0/0/1
Internet 10.50.0.65 - aabb.cc00.0120 ARPA Gi0/0/2
The router's own interfaces show age - (permanent). Entries with
age values confirm that ARP resolution succeeded for endpoint hosts — Layer 2
is working.
6.3 Layer 3: Ping tests (Week 9: ICMP)
| Test | From | To | Expected result | What it proves |
|---|---|---|---|---|
| 1 | Creative host | 10.50.0.1 (gateway) | Success | Same-subnet L2/L3 works |
| 2 | Creative host | 10.50.0.65 (Admin gateway) | Success | Inter-subnet routing works |
| 3 | Admin host | 10.50.0.6 (Creative host) | Success | Return path routing works |
| 4 | Guest host | 203.0.113.1 (ISP gateway) | Success | Default route to ISP works |
| 5 | R1 | 8.8.8.8 | Success | Internet reachability from the router |
| 6 | Creative host | 8.8.8.8 | Success | End-to-end internet access |
Order matters: Test same-subnet first (Test 1), then cross-subnet (Tests 2–3), then ISP reachability (Tests 4–5), then end-to-end (Test 6). If Test 1 fails, there is no point testing Test 6 — the problem is local. This is the bottom-up troubleshooting methodology.
6.4 DHCP verification (Week 10)
R1-Meridian# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.50.0.6 aabb.cc00.1001 Apr 14 2026 09:00 AM Automatic
10.50.0.36 aabb.cc00.2001 Apr 06 2026 01:00 PM Automatic
10.50.0.69 aabb.cc00.3001 Apr 14 2026 09:00 AM Automatic
R1-Meridian# show ip dhcp pool
Pool CREATIVE:
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 30
Leased addresses : 1
Pending event : none
...
Confirm that each pool is leasing addresses within the correct range and that no
pool shows conflicts. The show ip dhcp conflict command should return
empty — any entries indicate duplicate addresses.
6.5 Routing table verification (Week 7)
R1-Meridian# show ip route
...
C 10.50.0.0/27 is directly connected, GigabitEthernet0/0/0
L 10.50.0.1/32 is directly connected, GigabitEthernet0/0/0
C 10.50.0.32/27 is directly connected, GigabitEthernet0/0/1
L 10.50.0.33/32 is directly connected, GigabitEthernet0/0/1
C 10.50.0.64/28 is directly connected, GigabitEthernet0/0/2
L 10.50.0.65/32 is directly connected, GigabitEthernet0/0/2
C 203.0.113.0/30 is directly connected, GigabitEthernet0/0/3
L 203.0.113.2/32 is directly connected, GigabitEthernet0/0/3
S* 0.0.0.0/0 [1/0] via 203.0.113.1
Every subnet appears as a C (connected) route, and the default
route appears as S* (static default). If any connected route is
missing, the corresponding interface is down or misconfigured.
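How R1 uses this table is a longest-prefix match on the destination address, which is also why the default route from section 4.3 only catches traffic that no connected route claims. The Python sketch below is an added example, not course code: it parses the route lines shown above (embedded as constructed input) and performs that lookup. The names Route, parse_routes and lookup are illustrative.

```python
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "prefix code egress")

# Constructed input: the route lines from the show ip route output above.
SHOW_IP_ROUTE = """\
C 10.50.0.0/27 is directly connected, GigabitEthernet0/0/0
L 10.50.0.1/32 is directly connected, GigabitEthernet0/0/0
C 10.50.0.32/27 is directly connected, GigabitEthernet0/0/1
L 10.50.0.33/32 is directly connected, GigabitEthernet0/0/1
C 10.50.0.64/28 is directly connected, GigabitEthernet0/0/2
L 10.50.0.65/32 is directly connected, GigabitEthernet0/0/2
C 203.0.113.0/30 is directly connected, GigabitEthernet0/0/3
L 203.0.113.2/32 is directly connected, GigabitEthernet0/0/3
S* 0.0.0.0/0 [1/0] via 203.0.113.1
"""

ROUTE_LINE = re.compile(
    r"(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (\S+)|\[\d+/\d+\] via (\S+))"
)


def parse_routes(text):
    """Turn route lines into Route tuples; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_LINE.match(line.strip())
        if match:
            code, prefix, interface, next_hop = match.groups()
            egress = interface if interface else f"via {next_hop}"
            routes.append(Route(ipaddress.ip_network(prefix), code, egress))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins.

    Only the destination is consulted. The source address plays no part, so a
    packet from a Guest host to the NAS at 10.50.0.3 is forwarded like any other.
    """
    address = ipaddress.ip_address(destination)
    candidates = [route for route in routes if address in route.prefix]
    if not candidates:
        return None  # no route: the router drops the packet
    return max(candidates, key=lambda route: route.prefix.prefixlen)


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for target in ("10.50.0.3", "10.50.0.1", "10.50.0.69", "8.8.8.8"):
        print(target, "->", lookup(table, target))
```
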
7. Troubleshooting: When Things Go Wrong
A capstone is not just about building — it is about diagnosing and fixing. Below are the most common failures you will encounter during this build, mapped to the layer where they occur.
| Symptom | Layer | Likely cause | Diagnostic command | Fix |
|---|---|---|---|---|
| Interface shows down/down | L1 | Cable disconnected or wrong port | show ip interface brief | Check physical cable, verify correct port |
| Interface shows admin down/down | L1 | no shutdown not applied | show ip interface brief | no shutdown on the interface |
| Ping to gateway fails from host | L2/L3 | Wrong subnet mask or IP on host/router | show running-config interface | Verify mask matches VLSM plan on both ends |
| Host gets no DHCP address | L3 | DHCP pool network doesn't match interface subnet | show ip dhcp pool | Ensure pool network matches interface IP/mask exactly |
| Cross-subnet ping fails | L3 | Host default gateway wrong or not set | ipconfig /all on host; check DHCP default-router | Fix the default-router in the DHCP pool |
| Ping to ISP fails from router | L3 | ISP interface IP or mask wrong; default route missing | show ip route | Verify ISP interface config and ip route 0.0.0.0 0.0.0.0 203.0.113.1 |
| Internet works from router but not from hosts | L3 | ISP is not routing return traffic to 10.50.0.0/22 (needs NAT or ISP route) | traceroute from host — packets leave but don't return | Configure NAT (covered in NET102) or confirm ISP has a return route |
| DNS resolution fails but ping to 8.8.8.8 works | L7 | DNS server not set in DHCP pool | nslookup google.com on host | Add dns-server to the DHCP pool |
| Config lost after reboot | — | Forgot copy run start | show startup-config (empty or outdated) | Always copy running-config startup-config after changes |
When a capstone build doesn't work, resist the urge to change random settings. Start at Layer 1: are all interfaces up/up? Move to Layer 2: does ARP resolve? Move to Layer 3: does the routing table have all expected entries? This bottom-up approach isolates the fault to the correct layer before you attempt a fix. Changing Layer 3 configuration when the problem is a disconnected cable wastes time and introduces new errors.
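Several rows of the table (pool network not matching the interface subnet, wrong default-router, a gateway left inside the pool) can be caught by reading the saved configuration before any host is plugged in. The Python sketch below is an added example, not course tooling: it parses the interface, DHCP pool and exclusion lines of an IOS configuration and reports those mismatches. The sample text is constructed from sections 4.2 and 4.4, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the interface, DHCP and exclusion lines from sections 4.2
# and 4.4, condensed the way they would appear in a saved running-config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.50.0.1 255.255.255.224
!
interface GigabitEthernet0/0/1
 ip address 10.50.0.33 255.255.255.224
!
interface GigabitEthernet0/0/2
 ip address 10.50.0.65 255.255.255.240
!
ip dhcp excluded-address 10.50.0.1 10.50.0.5
ip dhcp excluded-address 10.50.0.33 10.50.0.35
ip dhcp excluded-address 10.50.0.65 10.50.0.68
!
ip dhcp pool CREATIVE
 network 10.50.0.0 255.255.255.224
 default-router 10.50.0.1
!
ip dhcp pool GUEST
 network 10.50.0.32 255.255.255.224
 default-router 10.50.0.33
!
ip dhcp pool ADMIN
 network 10.50.0.64 255.255.255.240
 default-router 10.50.0.65
"""


def parse(config):
    """Extract interface addresses, DHCP pools and excluded ranges from config text."""
    interfaces, pools, excluded = {}, {}, []
    kind = name = None  # which block (interface or pool) the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("!", "exit"):
            kind = name = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            kind, name = "interface", m.group(1)
        elif m := re.fullmatch(r"ip dhcp pool (\S+)", line):
            kind, name = "pool", m.group(1)
            pools[name] = {}
        elif m := re.fullmatch(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line):
            low, high = m.group(1), m.group(2) or m.group(1)
            excluded.append((ipaddress.ip_address(low), ipaddress.ip_address(high)))
        elif kind == "interface" and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            interfaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif kind == "pool" and (m := re.fullmatch(r"network (\S+) (\S+)", line)):
            pools[name]["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif kind == "pool" and (m := re.fullmatch(r"default-router (\S+)", line)):
            pools[name]["router"] = ipaddress.ip_address(m.group(1))
    return interfaces, pools, excluded


def audit(config):
    """Report DHCP/interface mismatches of the kind listed in the troubleshooting table."""
    interfaces, pools, excluded = parse(config)
    findings = []
    for name, pool in pools.items():
        net, router = pool.get("network"), pool.get("router")
        owner = next((i for i in interfaces.values() if i.network == net), None)
        if owner is None:
            findings.append(f"{name}: pool network {net} matches no interface subnet")
            continue
        if router != owner.ip:
            findings.append(
                f"{name}: default-router {router} is not the interface address {owner.ip}")
        if not any(low <= owner.ip <= high for low, high in excluded):
            findings.append(f"{name}: gateway {owner.ip} is not excluded from the pool")
    return findings


def leasable(config):
    """Count the addresses each pool can hand out once exclusions are removed."""
    _, pools, excluded = parse(config)
    counts = {}
    for name, pool in pools.items():
        if "network" in pool:
            counts[name] = sum(
                1 for host in pool["network"].hosts()
                if not any(low <= host <= high for low, high in excluded))
    return counts


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONFIG))
    print("leasable:", leasable(SAMPLE_CONFIG))
```

On the lesson's configuration the audit returns no findings, and leasable reports 25, 27 and 10 addresses for CREATIVE, GUEST and ADMIN; compare the last figure with the 12 Admin staff in the brief.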
8. Professional Documentation
A network that works but isn't documented is a liability. When the original engineer leaves, the next person inherits a black box. Professional documentation ensures that any qualified engineer can understand, maintain, and troubleshoot the network without reverse-engineering it.
8.1 Address table
The address table is the most referenced document in any network. It maps every IP address to a device, interface, and purpose.
| Device | Interface | IP address | Subnet mask | Default gateway | Purpose |
|---|---|---|---|---|---|
| R1-Meridian | Gi0/0/0 | 10.50.0.1 | 255.255.255.224 | — | Creative gateway |
| R1-Meridian | Gi0/0/1 | 10.50.0.33 | 255.255.255.224 | — | Guest gateway |
| R1-Meridian | Gi0/0/2 | 10.50.0.65 | 255.255.255.240 | — | Admin gateway |
| R1-Meridian | Gi0/0/3 | 203.0.113.2 | 255.255.255.252 | 203.0.113.1 | ISP uplink |
| SW-CRE | VLAN 1 | 10.50.0.2 | 255.255.255.224 | 10.50.0.1 | Switch management |
| SW-GST | VLAN 1 | 10.50.0.34 | 255.255.255.224 | 10.50.0.33 | Switch management |
| SW-ADM | VLAN 1 | 10.50.0.66 | 255.255.255.240 | 10.50.0.65 | Switch management |
| NAS-01 | Eth0 | 10.50.0.3 | 255.255.255.224 | 10.50.0.1 | Creative file server (static) |
| PRN-01 | Eth0 | 10.50.0.67 | 255.255.255.240 | 10.50.0.65 | Admin shared printer (static) |
| All endpoints | — | DHCP | Per subnet | Per subnet gateway | Workstations and guest devices |
8.2 Topology diagram
The topology diagram should show every device, every link, every IP address, and every subnet label. Use a tool like Cisco Packet Tracer, draw.io, or even a clear hand-drawn diagram. The key is that another engineer can look at it and understand the network without reading the configuration files.
A professional topology diagram includes:
- Device names and models
- Interface labels on both ends of every link
- IP addresses and subnet masks on every interface
- Subnet labels (e.g., "Creative — 10.50.0.0/27")
- The ISP cloud with the public address
- A legend for line types (copper, fiber, wireless)
8.3 Configuration archive
Save a copy of every device's show running-config output to a text
file. Name the files clearly:
R1-Meridian_running-config_2026-04-06.txt,
SW-CRE_running-config_2026-04-06.txt, etc. These files are the
baseline — if a device is replaced, the new device can be configured by pasting
the saved config. In production, this is automated with tools like RANCID or
Oxidized (mentioned in Week 11's design context).
In job interviews for network engineering roles, candidates are often asked to whiteboard a network design. The ability to draw a clean topology, assign addresses without overlap, and explain the routing logic is what separates entry-level candidates from those who get hired. This capstone deliverable is essentially a portfolio piece.
Real-World Design Context: What Comes Next
The Meridian network you built this week is functional but deliberately simplified. A production version of this network would include additional technologies that you will study in upcoming units. Understanding what is missing helps you see where NET101 ends and the rest of the degree begins.
- VLANs and trunking (NET102 Weeks 1–3): Instead of three physical switches, a production network would use VLANs on a single switch stack with 802.1Q trunks. This reduces hardware cost and simplifies management.
- NAT (NET102): The ISP will not route return traffic to your private 10.50.0.0/22 addresses. Network Address Translation (NAT) on R1 translates internal addresses to the public 203.0.113.2 address for outbound traffic. Without NAT, internet access from endpoints will fail in a real ISP scenario.
- Access control lists (NET202): The Guest subnet is isolated by being on a separate subnet, but nothing currently prevents a guest device from pinging 10.50.0.3 (the NAS). ACLs on the router would deny Guest-to-Creative and Guest-to-Admin traffic while allowing Guest-to-Internet.
- Dynamic routing (NET102 Weeks 7–12): With only one router and a single ISP link, a static default route is sufficient. In a multi-router network, OSPF or EIGRP would replace static routes for automatic failover and scalability.
- Redundancy: This network has a single router, single ISP link, and single switches — every component is a single point of failure. Production networks add redundant links, HSRP/VRRP for gateway redundancy, and STP for loop prevention (NET102 Weeks 4–6).
- Monitoring and logging: A production network would send syslog messages to a central server, run SNMP for health monitoring, and use NTP for synchronized timestamps across all devices.
Guided Lab: Build the Meridian Network in Packet Tracer
Platform: Cisco Packet Tracer 8.x
Topology: 1 x ISR 4321, 3 x 2960 switches, 6+ PCs, 1 NAS (server), 1 printer (server)
Time estimate: 90–120 minutes
Deliverables: Working .pkt file, address table, topology screenshot
Phase 1: Build the physical topology (15 min)
- Place the ISR 4321 router and label it R1-Meridian.
- Place three 2960 switches and label them SW-CRE, SW-GST, SW-ADM.
- Connect R1 Gi0/0/0 to SW-CRE Fa0/1 with a straight-through cable.
- Connect R1 Gi0/0/1 to SW-GST Fa0/1 with a straight-through cable.
- Connect R1 Gi0/0/2 to SW-ADM Fa0/1 with a straight-through cable.
- Add 3 PCs to SW-CRE, 2 PCs to SW-GST, 2 PCs to SW-ADM. Connect each to sequential switch ports.
- Add a Server (as NAS-01) to SW-CRE port Fa0/24 with static IP 10.50.0.3/27, gateway 10.50.0.1.
- Add a Server (as PRN-01) to SW-ADM port Fa0/24 with static IP 10.50.0.67/28, gateway 10.50.0.65.
- Add an ISP router (any model) with interface IP 203.0.113.1/30. Connect to R1 Gi0/0/3.
Phase 2: Configure R1 (30 min)
- Apply the full router configuration from Section 4 of this lesson.
- After each major block (hostname, interfaces, DHCP, default route), run show running-config to verify.
- After all configuration, run show ip interface brief and confirm all interfaces are up/up.
Phase 3: Configure switches (15 min)
- Apply the switch configuration from Section 5 to each switch, changing the hostname and management IP for each.
- Verify each switch can ping its own gateway.
Phase 4: Set endpoints to DHCP (10 min)
- On each PC, go to Desktop > IP Configuration > select DHCP.
- Verify each PC receives an address in the correct subnet range.
- Confirm the default gateway and DNS server are populated correctly.
Phase 5: Verification (20 min)
- Run all six ping tests from the verification table in Section 6.3.
- Run show ip dhcp binding on R1 and confirm all endpoint leases appear.
- Run show ip route on R1 and verify all connected routes and the default route.
- Run tracert 203.0.113.1 from a Creative PC — it should show one hop (R1).
- Run show arp on R1 and verify MAC entries for active hosts.
Phase 6: Documentation (15 min)
- Take a screenshot of your Packet Tracer topology with all labels visible.
- Complete the address table from Section 8.1 with the actual IPs assigned by DHCP.
- Save show running-config from R1 and each switch to text files.
- Write a one-paragraph summary of the network design and any issues encountered.
Outcome Check: What NET101 Mastery Looks Like
If you have completed this capstone successfully, you can now:
- Read a business brief and extract the technical requirements that drive a network design.
- Create a VLSM address plan that fits multiple subnets into a single address block without overlap.
- Configure a Cisco router from scratch: hostname, passwords, interfaces, DHCP pools, static routes.
- Configure Cisco switches with management IPs and secure access.
- Verify connectivity layer by layer using show commands, ping, traceroute, and ARP inspection.
- Troubleshoot failures systematically instead of guessing.
- Document a network so that another engineer can understand and maintain it.
These skills are the foundation for everything in NET102 (VLANs, STP, OSPF) and beyond. You are no longer studying networking concepts in isolation — you can build and verify a working network.
Hands-On Labs
Lab 1: Extend the Network
Task: Add a fourth subnet for a "Server Room" department with 6 hosts. Allocate the next available /28 from the 10.50.0.0/22 block (starting at 10.50.0.80/28). Add a fourth switch, configure a new router interface, create a DHCP pool, and verify connectivity to all existing subnets.
Why it matters: Network growth is inevitable. You must be able to expand an existing VLSM plan without renumbering or breaking existing subnets.
Time: 30 minutes
Deliverable: Updated address table showing all four subnets, successful ping from a Server Room host to each other subnet's gateway.
Lab 2: Break and Fix
Task: Have a partner introduce (or introduce yourself) three deliberate faults in the working Meridian network: one Layer 1 fault (shut down an interface), one Layer 3 fault (wrong subnet mask on an interface), and one service fault (delete a DHCP pool). Then systematically diagnose and repair each fault without knowing what was changed.
Why it matters: Troubleshooting is the most valued skill in networking. This lab forces you to apply the bottom-up methodology under realistic conditions.
Time: 30 minutes
Deliverable: A written log of each fault: symptom observed, diagnostic commands used, root cause identified, and fix applied.
Lab 3: Documentation from Scratch
Task: Given only a router's show running-config and show
ip interface brief output (no topology diagram), reverse-engineer the complete network
documentation: draw the topology, build the address table, and identify the VLSM plan.
Why it matters: You will often inherit networks with no documentation. The ability to reconstruct the design from device configs is a critical operational skill.
Time: 20 minutes
Deliverable: Hand-drawn or digital topology diagram and completed address table that matches the config output.
Checkpoint Questions
- The Creative department needs 25 hosts plus a gateway and a NAS. You choose a /27 prefix. How many usable addresses does a /27 provide, and why is /28 insufficient?
- Explain why VLSM allocates the largest subnet first. What happens if you allocate the smallest subnet first and then try to fit a larger one?
- A Creative host (10.50.0.6) pings an Admin host (10.50.0.69). Describe the complete packet path: which MAC addresses are used at each hop, and where does the router rewrite them?
- You run show ip dhcp binding on R1 and see no entries for the Guest pool, even though guest devices are connected. List three possible causes and the diagnostic command for each.
- After configuring R1, you can ping 203.0.113.1 (ISP) from the router, but a Creative PC cannot reach the internet. The PC can ping 10.50.0.1 and 10.50.0.65 successfully. What is the most likely cause?
- Why does the switch need an ip default-gateway command even though it is a Layer 2 device? What breaks if this command is missing?
- You configured a DHCP pool with network 10.50.0.0 255.255.255.224 but forgot the ip dhcp excluded-address command. What specific problem could this cause, and how would you detect it?
- A colleague hands you a network with no documentation. You can access the router CLI. List the five show commands you would run first to reconstruct the network design, and explain what each reveals.
Weekly Reflection
You started this unit learning what a network is. You end it by building one from scratch. Consider: which week's topic gave you the most trouble during this capstone? Was it the subnetting math, the CLI configuration syntax, the DHCP setup, or the troubleshooting? That answer tells you where to focus your review before moving to NET102, where every one of these skills is assumed as a prerequisite.
Write a short reflection (3–5 sentences) answering: What was the hardest integration challenge in this capstone, and what would you do differently if you built this network a second time?
Resources
- Cisco Packet Tracer — Free network simulation tool from Cisco Networking Academy. Used for the guided lab and all hands-on exercises in this capstone.
- Cisco IOS Command Reference — Official command documentation for all IOS commands used in the router and switch configurations (ip address, ip dhcp pool, ip route, service password-encryption, etc.).
- RFC 1918 — Address Allocation for Private Internets — Defines the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 private ranges used in this capstone's address plan.
- RFC 2131 — Dynamic Host Configuration Protocol — The DHCP specification governing the DORA process configured in the router's DHCP pools.
- Cisco NetAcad CCNA: Introduction to Networks (ITN) — Modules 1–17 cover every topic integrated in this capstone, from network fundamentals through IOS configuration and verification.
- Jeremy's IT Lab — CCNA Full Course (YouTube) — Free video series covering subnetting, VLSM, IOS basics, DHCP configuration, and static routing — all directly applicable to this capstone build.
NET101 Final Assessment
Complete the Week 12 quiz to test your capstone integration skills.