
Replace ISP_2/edge routers with Library Query Station (AS 500) and implement comprehensive access control#6

Draft
Copilot wants to merge 6 commits into main from copilot/update-presentation-file-acls

Conversation

Copilot AI commented Dec 20, 2025

Contributor

Network topology updated to replace generic ISP_2/edge routing segment with a purpose-built Library Query Station (AS 500) that enforces strict access control—allowing only VLAN30 (library PCs) access and denying all other campus networks including guest WiFi. Additionally implements comprehensive server protection for VLAN31 (library servers).

Architecture Changes

  • Removed: Internet Cloud, Cisco ASA Firewall, ISP_2 (AS 65000/65001)
  • Added: Library Query Station (AS 500) with 3 routers, 2 switches, 6 end devices
  • BGP peering: Library Building Router (AS 600) ↔ Query Station (AS 500) via 10.0.0.0/8
  • Internal routing: EIGRP AS 1 (not AS 100) for Query Station routers on 11.0.0.0, 12.0.0.0
  • LAN segments: 13.0.0.0/8 and 14.0.0.0/8 with switches, each having AP, laptop, PC

Access Control Lists

Query Station Isolation

Applied at Library Building Router BGP interface:

ip access-list extended QUERY-STATION-ACCESS
 remark Applied inbound on the interface facing the Query Station: permit the eBGP session itself first,
 remark otherwise the implicit deny at the end of the list drops the neighbor's packets
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq bgp
 permit tcp 10.0.0.0 0.255.255.255 eq bgp 10.0.0.0 0.255.255.255
 remark Permit only VLAN30 (Library PCs, 192.168.30.0/26); a /24 here would also cover the
 remark VLAN31 servers (192.168.30.64/27) and shadow the server deny below
 permit ip 13.0.0.0 0.255.255.255 192.168.30.0 0.0.0.63
 permit ip 14.0.0.0 0.255.255.255 192.168.30.0 0.0.0.63
 remark Deny all other campus networks: Admin, Academic, Sports, Guest WiFi, Library Servers
 deny ip 13.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.20.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.40.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.99.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.30.64 0.0.0.31
 remark Repeat the five deny entries with source 14.0.0.0 0.255.255.255; anything else hits the implicit deny

Library Server Protection (VLAN 31) - NEW

Comprehensive protection for library servers (192.168.30.64/27), applied at Router-C VLAN 31 interface:

ip access-list extended PROTECT-LIBRARY-SERVERS
 remark Apply outbound on the Router-C VLAN 31 interface (traffic toward the servers);
 remark inbound there only sees server-sourced packets, which match no entry and hit the implicit deny
 remark Permit Admin Building (all VLANs)
 permit ip 192.168.10.0 0.0.0.255 192.168.30.64 0.0.0.31
 remark Permit Library PCs (VLAN 30)
 permit ip 192.168.30.0 0.0.0.63 192.168.30.64 0.0.0.31
 remark Deny all other networks
 deny ip any 192.168.30.64 0.0.0.31

Result:

  • ✅ Admin Building can access servers
  • ✅ Library PCs (VLAN30) can access servers
  • ❌ Academic, Sports, Query Station, Guest WiFi all blocked from servers

Guest WiFi Enhancement

Block Query Station networks from Guest WiFi:

ip access-list extended GUEST-WIFI-ISOLATION
 remark Block the Query Station networks and the VLAN31 servers from Guest WiFi
 deny ip 192.168.99.0 0.0.0.255 13.0.0.0 0.255.255.255
 deny ip 192.168.99.0 0.0.0.255 14.0.0.0 0.255.255.255
 deny ip 192.168.99.0 0.0.0.255 192.168.30.64 0.0.0.31
 remark The guest permit entries must follow these; a list made only of deny entries drops all guest traffic

Routing Protocol Updates

  • Campus: OSPF Area 0 (unchanged)
  • External: BGP AS 600 ↔ AS 500 (was AS 65001 ↔ AS 65000)
  • Query Station internal: EIGRP AS 1 (was AS 100 for edge segment)

Files Modified

  • PRESENTATION.md - All 16 slides updated with Query Station topology, ACLs (including server protection), budget ($300,150)
  • Smart_Campus_Network_Design_Report.md - Topology diagrams, routing configs, comprehensive ACL policies including server protection, BoM
  • README.md - Architecture overview, routing protocols, security policies with server protection
  • TOPOLOGY_UPDATE_SUMMARY.md - Component changes, BGP/EIGRP configs, IP addressing tables, ACL implementations
Original prompt

On PRESENTATION.md, we have removed the firewall and cloud and added a Library Query Station AS 500
and it has a connection to the library building router AS 600 with BGP
and the Library Query Station has three routers, one to connect to the library building router with network 10.0.0.0
and inside the station you have two routers with EIGRP 1 routing
12.0.0.0
11.0.0.0
and each router will have one network connected to a switch
14.0.0.0
13.0.0.0
and every switch has an access point, a laptop and a PC

and we are making an ACL between them so that the station can access only VLAN30-192.168.30.0, the PCs,
and deny anything else in the whole campus network

and we have an ACL that denies access to guest WiFi VLAN99-192.168.99.0/24
update the PRESENTATION.md file and any related files
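The ACLs in this PR are first-match lists with an implicit deny at the end, so entry order and prefix width decide what actually passes, and the PR text cannot be checked by eye alone. The script below is an added example, not code from the PR or from the repository it touches: it parses the QUERY-STATION-ACCESS and PROTECT-LIBRARY-SERVERS entries as posted above, evaluates them against a constructed flow matrix of the outcomes the description promises, and flags entries that can never match. The function names (`parse_acl`, `evaluate`, `shadowed_entries`, `check_policy`), the `FLOWS` table and the sample host addresses are assumptions made for the illustration; the narrowed variant uses the 192.168.30.0/26 range that PROTECT-LIBRARY-SERVERS already uses for VLAN30.

```python
"""First-match evaluator for the Cisco-style extended IP ACLs on this page.

Added example, not code from the PR or the repository it touches. It parses
ACL entries as posted and checks them against a constructed flow matrix, so a
shadowed entry (broad permit ahead of a narrower deny) or a wrong interface
direction is caught before anything is pushed to a router. Supported syntax:
    permit|deny ip <src> <dst>   with <x> = any | host A.B.C.D | A.B.C.D W.W.W.W
Lines starting with 'ip access-list', 'remark' or '!' are skipped.
"""
import ipaddress
from typing import Dict, List, Tuple

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# QUERY-STATION-ACCESS entries exactly as posted in the PR (13.0.0.0 half).
QUERY_STATION_AS_POSTED = """
ip access-list extended QUERY-STATION-ACCESS
 permit ip 13.0.0.0 0.255.255.255 192.168.30.0 0.0.0.255
 permit ip 14.0.0.0 0.255.255.255 192.168.30.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.20.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.40.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.99.0 0.0.0.255
 deny ip 13.0.0.0 0.255.255.255 192.168.30.64 0.0.0.31
"""
# Same policy with the permit narrowed to VLAN30 = 192.168.30.0/26, the range
# PROTECT-LIBRARY-SERVERS on the page already uses for Library PCs.
QUERY_STATION_NARROWED = QUERY_STATION_AS_POSTED.replace(
    "192.168.30.0 0.0.0.255", "192.168.30.0 0.0.0.63")

PROTECT_LIBRARY_SERVERS = """
ip access-list extended PROTECT-LIBRARY-SERVERS
 permit ip 192.168.10.0 0.0.0.255 192.168.30.64 0.0.0.31
 permit ip 192.168.30.0 0.0.0.63 192.168.30.64 0.0.0.31
 deny ip any 192.168.30.64 0.0.0.31
"""


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address field starting at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is a host mask, which ipaddress accepts as-is.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported entry: " + line)
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append((action, src, dst))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, int]:
    """Return (action, 1-based entry number); entry 0 is the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, (action, src, dst) in enumerate(aces, 1):
        if s in src and d in dst:
            return action, n
    return "deny", 0


def shadowed_entries(aces: List[Ace]) -> List[int]:
    """1-based numbers of entries an earlier entry covers entirely (never hit)."""
    return [j + 1 for j, (_, s2, d2) in enumerate(aces)
            if any(s2.subnet_of(s1) and d2.subnet_of(d1) for _, s1, d1 in aces[:j])]


# Constructed flows with the outcome the PR description asks for.
FLOWS = [
    ("13.0.0.10", "192.168.30.10", "permit"),  # Query Station -> VLAN30 PC
    ("13.0.0.10", "192.168.30.70", "deny"),    # Query Station -> VLAN31 server
    ("13.0.0.10", "192.168.20.5", "deny"),     # Query Station -> Academic
    ("13.0.0.10", "192.168.99.5", "deny"),     # Query Station -> Guest WiFi
]


def check_policy(acl_text: str) -> Dict[str, list]:
    """Shadowed entries plus flows whose result differs from the stated policy."""
    aces = parse_acl(acl_text)
    return {
        "shadowed": shadowed_entries(aces),
        "violations": [(s, d) for s, d, want in FLOWS if evaluate(aces, s, d)[0] != want],
    }


if __name__ == "__main__":
    print("as posted:", check_policy(QUERY_STATION_AS_POSTED))
    print("narrowed :", check_policy(QUERY_STATION_NARROWED))
    protect = parse_acl(PROTECT_LIBRARY_SERVERS)
    # A server-sourced packet matches no entry: applied inbound on the VLAN 31
    # interface this ACL would drop every reply, so it belongs outbound there.
    print("server reply:", evaluate(protect, "192.168.30.70", "192.168.10.5"))
```

For the list as posted, `check_policy` reports entry 7 (the server deny) as shadowed by the /24 permit in entry 1 and the Query Station to server flow as a violation; narrowing the permit to /26 clears both. The last line shows why PROTECT-LIBRARY-SERVERS has to be applied outbound on the VLAN 31 interface: every entry names the servers as destination, so a packet leaving the servers matches nothing and falls to the implicit deny.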



Copilot AI and others added 4 commits December 20, 2025 14:41
…nd ACL requirements

Co-authored-by: AbooSalh <93827342+AbooSalh@users.noreply.github.com>
…on (AS 500) topology and ACL requirements

Co-authored-by: AbooSalh <93827342+AbooSalh@users.noreply.github.com>
… ISP_2/edge routers

Co-authored-by: AbooSalh <93827342+AbooSalh@users.noreply.github.com>
…and ACL changes

Co-authored-by: AbooSalh <93827342+AbooSalh@users.noreply.github.com>
Copilot AI changed the title [WIP] Update presentation.md with network changes and ACL configurations Replace ISP_2/edge routers with Library Query Station (AS 500) and implement VLAN30-only access control Dec 20, 2025
Copilot AI requested a review from AbooSalh December 20, 2025 14:49
@AbooSalh

Collaborator

@copilot also I have denied that anyone can access the library servers VLAN 31 192.168.30.64/27,
except the admin building and library PCs on VLAN30-192.168.30.0

…n and Library PCs allowed

Co-authored-by: AbooSalh <93827342+AbooSalh@users.noreply.github.com>

Copilot AI commented Dec 20, 2025

Contributor Author

@copilot also I have denied that anyone can access the library servers VLAN 31 192.168.30.64/27,
except the admin building and library PCs on VLAN30-192.168.30.0

Added comprehensive Library Server Protection ACL for VLAN 31 (192.168.30.64/27). The ACL now denies all networks from accessing library servers except Admin Building and Library PCs (VLAN 30).

Implementation:

ip access-list extended PROTECT-LIBRARY-SERVERS
 remark Apply outbound on the Router-C VLAN 31 interface (traffic toward the servers);
 remark inbound there only sees server-sourced packets, which match no entry and hit the implicit deny
 remark Admin Building
 permit ip 192.168.10.0 0.0.0.255 192.168.30.64 0.0.0.31
 remark Library PCs (VLAN30)
 permit ip 192.168.30.0 0.0.0.63 192.168.30.64 0.0.0.31
 remark Deny all others
 deny ip any 192.168.30.64 0.0.0.31

Applied to Router-C VLAN 31 interface (inbound).

Result:

  • ✅ Admin Building can access servers
  • ✅ Library PCs (VLAN30) can access servers
  • ❌ Academic, Sports, Query Station, Guest WiFi all blocked

Updated in commit 1d82a3c

Copilot AI changed the title Replace ISP_2/edge routers with Library Query Station (AS 500) and implement VLAN30-only access control Replace ISP_2/edge routers with Library Query Station (AS 500) and implement comprehensive access control Dec 20, 2025