NET-301 Capstone: End-to-End Network Design + Protocol RE + NSM

Points: Tier 1 gate (pass/fail) + Tier 2 scored
Time estimate: ~16 hours (Weeks 13-14 plus independent sessions throughout)
Position: Lab 13 in the lab index; terminal NET-301 deliverable


Mission

The capstone integrates the four scales of NET-301 into one end-to-end exercise. A student who completes the capstone has designed and deployed a multi-site enterprise network at carrier and datacenter scale, reverse-engineered an unknown protocol observed on its traffic, and deployed NSM coverage that detects it. This is the portfolio artifact that demonstrates Belt-5 networking competence.


The Canonical Scenario

The instructor seeds the lab environment with one unknown-protocol stream on the student's network traffic. The student does not know in advance what the protocol is; they must discover, characterize, and detect it.

Canonical exemplar target network:

  • A 200-employee company with three sites (HQ + two branch offices)
  • A public cloud presence (AWS or GCP; simulated in Containerlab + Kubernetes)
  • A remote-work VPN population (50 workers)
  • WAN underlay using either MPLS or SRv6
  • Datacenter at HQ using spine-leaf VXLAN-EVPN
  • Internet edge with BGP peering and RPKI deployment
  • NSM sensors at each site boundary and cloud egress

Tier 1: Functional Gate

Your project must work before Tier 2 scoring applies.

Gate 1 -- Topology converges:

  • Containerlab topology boots without errors
  • All routing adjacencies established (show isis/bgp neighbors; no missing peers)
  • Loopback reachability across all sites confirmed (ping all loopbacks from HQ)

Gate 2 -- WAN underlay:

  • MPLS LSPs or SRv6 SIDs established between all sites
  • For SR: at least one SR Policy demonstrated (non-shortest path traffic-engineered)
  • traceroute confirms label switching

Gate 3 -- Datacenter fabric:

  • Spine-leaf VXLAN-EVPN fabric boots with symmetric IRB
  • VM mobility demonstrated: move a container from one leaf to another; reachability maintained
  • EVPN Type-2 route update visible after migration

Gate 4 -- RPKI:

  • Routinator running and synced
  • At least 5 prefixes queried; one Invalid state demonstrated
  • FRR configured to reject Invalid routes
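The FRR side of Gate 4, as an added example rather than the course's reference configuration: bgpd loaded with its rpki module (`bgpd -M rpki`) talks RTR to a local Routinator on its default port 3323, and an inbound route-map drops any route whose origin validation state is Invalid while leaving Valid and NotFound untouched. The local AS (64496), the upstream neighbor (192.0.2.1 in AS 64497) and the route-map name are constructed values for illustration.

```text
! Added example, not the course's reference config. Assumes bgpd runs with
! the rpki module loaded (-M rpki), Routinator answers RTR on 127.0.0.1:3323,
! and constructed values: local AS 64496, upstream 192.0.2.1 in AS 64497.
rpki
 rpki polling_period 300
 rpki cache 127.0.0.1 3323 preference 1
exit
!
! Deny RPKI-Invalid routes; Valid and NotFound fall through to the permit.
route-map RPKI-IN deny 10
 match rpki invalid
exit
route-map RPKI-IN permit 20
exit
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 address-family ipv4 unicast
  neighbor 192.0.2.1 route-map RPKI-IN in
 exit-address-family
exit
```

For the gate evidence, `show rpki cache-connection` confirms the RTR session is up and `show rpki prefix-table` shows the ROAs Routinator has pushed; the Invalid route should then be absent from the BGP table for that neighbor while a Valid or NotFound route from the same peer is still installed.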

Gate 5 -- Protocol RE:

  • The unknown protocol's state machine identified with at least 3 named states
  • At least 3 message types identified with their field structure
  • Protocol identified (or, if novel: documented with a proposed name)

Gate 6 -- NSM detection:

  • At least one custom Suricata rule that fires on the unknown protocol's traffic
  • The rule tested against a captured pcap of the protocol; confirmed detection

Reports that do not pass all six gates receive no Tier 2 score.


Required Artifacts

  Artifact                      Description
  ---------------------------   --------------------------------------------------------------
  Containerlab topology YAML    The complete multi-site topology definition
  FRR/OS configuration files    Per-device configs; should be Ansible/Nornir generated
  Live topology demonstration   Screencast or live demo during the grading session
  RPKI deployment evidence      Routinator status + FRR rejection of an Invalid route
  Protocol RE write-up          Hex-level dissection, state machine diagram, message type table
  Custom Suricata rule          .rules file; tested against the protocol pcap
  Capstone report               35-50 pages; see below

Capstone Report Structure

Section 1: Network Architecture Design (8-12 pages)

  • Design choices and rationale: why MPLS or SRv6 for WAN underlay? Why eBGP unnumbered in the fabric? Why symmetric IRB?
  • Site-by-site architecture description
  • BGP topology: peering relationships, RPKI deployment
  • NSM coverage: sensor placement and coverage rationale
  • Threat model: what does this design defend against? (Name at least 3 specific attack classes)

Section 2: Topology Bring-Up Procedures (5-8 pages)

  • Step-by-step procedure for cold-starting the topology
  • Verification checklist: how to confirm each component is operational
  • Troubleshooting guide: the 5 most common failure modes and how to diagnose them

Section 3: Protocol Reverse Engineering (8-12 pages)

  • Capture methodology: how you isolated the unknown protocol's traffic
  • Hex-level frame dissection: annotated byte captures of at least 5 message types
  • State machine diagram with at least 3 states and named transitions
  • Protocol identification or proposed specification
  • Confidence assessment: what aspects are certain vs. inferred?
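A first pass at the evidence Gate 5 and Section 3 ask for, as an added example that is not the course's seeded protocol or any reference solution: the script states a header hypothesis (1-byte type, 1-byte flags, 2-byte big-endian payload length), dissects each frame against it, builds the message-type table, and infers the state machine from the order in which types appear within each flow. The frame layout, the two sample flows, and the state names (HELLO, CHALLENGE, DATA, BYE) are all constructed for this example. One frame deliberately carries two bytes beyond its declared length so that the output also shows how the hypothesis gets flagged as incomplete, which is the raw material for the confidence assessment.

```python
"""Added example: structural first pass over an unknown-protocol capture.
The header layout, the sample flows and the state names below are
CONSTRUCTED for illustration; they are not the course's seeded protocol."""
import struct
from collections import Counter

HEADER = struct.Struct(">BBH")   # hypothesis: type, flags, payload length (big-endian)

# Constructed sample: two client<->server flows, each a list of raw frames.
SAMPLE_FLOWS = {
    "flow-A": [
        b"\x01\x00\x00\x04" + b"v1.0",          # type 0x01, 4-byte version string
        b"\x02\x80\x00\x02" + b"\x00\x2a",      # type 0x02, flags 0x80, 2-byte value
        b"\x03\x00\x00\x05" + b"hello",         # type 0x03, 5-byte payload
        b"\x03\x00\x00\x05" + b"world",
        b"\x04\x00\x00\x00",                    # type 0x04, no payload
    ],
    "flow-B": [
        b"\x01\x00\x00\x04" + b"v1.0",
        b"\x02\x80\x00\x02" + b"\x00\x07",
        b"\x03\x01\x00\x03" + b"abc\xbe\xef",   # declared len 3, but 5 bytes follow
        b"\x04\x00\x00\x00",
    ],
}

# Hypothesised names for the observed types (constructed; revise as evidence accrues).
NAMES = {1: "HELLO", 2: "CHALLENGE", 3: "DATA", 4: "BYE"}


def dissect(frame: bytes) -> dict:
    """Split one frame into header fields and payload under the current hypothesis."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than hypothesised header")
    mtype, flags, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    return {
        "type": mtype, "flags": flags, "length": length, "payload": payload,
        # Evidence for or against the length-field hypothesis.
        "length_ok": length == len(payload),
    }


def annotate(frame: bytes) -> str:
    """One annotated hexdump line per frame, for the write-up's byte-level dissection."""
    d = dissect(frame)
    hdr = frame[:HEADER.size].hex(" ")
    body = d["payload"].hex(" ") or "(empty)"
    note = "" if d["length_ok"] else f"  <-- declared {d['length']} != actual {len(d['payload'])}"
    return f"{hdr} | type=0x{d['type']:02x} flags=0x{d['flags']:02x} len={d['length']} | {body}{note}"


def message_table(flows: dict) -> dict:
    """Per message type: count, flag values seen, declared vs observed payload lengths."""
    table = {}
    for frames in flows.values():
        for frame in frames:
            d = dissect(frame)
            row = table.setdefault(d["type"], {"count": 0, "flags": set(),
                                               "declared": set(), "observed": set(),
                                               "length_ok": True})
            row["count"] += 1
            row["flags"].add(d["flags"])
            row["declared"].add(d["length"])
            row["observed"].add(len(d["payload"]))
            row["length_ok"] = row["length_ok"] and d["length_ok"]
    return table


def infer_transitions(flows: dict) -> Counter:
    """Count type->type transitions within each flow, bracketed by START and END."""
    trans = Counter()
    for frames in flows.values():
        seq = ["START"] + [dissect(f)["type"] for f in frames] + ["END"]
        for a, b in zip(seq, seq[1:]):
            trans[(a, b)] += 1
    return trans


def describe(trans: Counter, names: dict) -> list:
    """Render the inferred transitions with the hypothesised state names."""
    def nm(t):
        return t if isinstance(t, str) else names.get(t, f"TYPE_0x{t:02x}")
    return [f"{nm(a)} -> {nm(b)} (x{n})"
            for (a, b), n in sorted(trans.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1])))]


if __name__ == "__main__":
    for name, frames in SAMPLE_FLOWS.items():
        print(f"== {name}")
        for frame in frames:
            print("  " + annotate(frame))
    print("== message types")
    for mtype, row in sorted(message_table(SAMPLE_FLOWS).items()):
        print(f"  0x{mtype:02x} {NAMES.get(mtype, '?'):10s} {row}")
    print("== inferred transitions")
    for line in describe(infer_transitions(SAMPLE_FLOWS), NAMES):
        print("  " + line)
```

Running it prints the annotated frames, the type table (where type 0x03 shows `length_ok: False` and a declared length that does not match what was observed) and transitions such as `HELLO -> CHALLENGE (x2)` and `DATA -> DATA (x1)`. The mismatch on type 0x03 with flags 0x01 is exactly the kind of finding that belongs in the confidence assessment: the header hypothesis is certain for three types and only inferred for the fourth until more frames with that flag bit are captured.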

Section 4: NSM Coverage and Detection (5-8 pages)

  • Suricata rule for the unknown protocol (with rationale for each rule option)
  • Detection demonstration: the rule firing against a captured pcap
  • Zeek script (optional but valued): behavioral detection of the protocol
  • Coverage gap analysis: what aspects of the protocol does the rule NOT detect?

Section 5: Day-2 Operational Runbooks (5-8 pages)

  • Adding a new site to the network (step-by-step)
  • Responding to a BGP prefix hijack (detection + mitigation)
  • Responding to a failed spine switch
  • Rolling a new Suricata rule update to all sensors
  • Recovering from a VTEP failure in the fabric

Section 6: Limit-of-Defence Statement (2-3 pages)

This section must be honest. A limit-of-defence statement identifies what the network design does not protect against.

  • Name at least 3 attack classes that this design does not defend against
  • Explain the residual risk for each
  • Propose what additional controls would be needed to address each

Two-Tier Grading Rubric

Tier 1: Functional Gate

Pass/fail. All six gates must pass. A failing Tier 1 is a non-passing capstone; resubmission is required.

Tier 2: Report Quality (100 pts)

Architecture rationale and integration depth (40 pts)

  • Highest score: carrier, datacenter, and adversary-scale decisions are each defended against named alternatives; the capstone reads as one coherent network design rather than three independent pieces
  • Middle score: decisions are stated but not defended against alternatives; some integration gaps
  • Lowest score: decisions are unexplained; sections feel disconnected

RE methodology and NSM coverage (30 pts)

  • Highest score: RE work is systematic (hypothesis → evidence → confirmation cycle); the Suricata rule matches the RE findings; a Zeek behavioral script is provided
  • Middle score: RE identifies the protocol but the methodology is not documented; Suricata rule provided without RE-derived rationale
  • Lowest score: RE is guesswork; Suricata rule is generic

Operational realism and limit-of-defence honesty (30 pts)

  • Highest score: day-2 runbooks match what a network architect actually does at this scale; limit-of-defence statement names specific residual risks and specific mitigations
  • Middle score: runbooks are generic checklists; limit-of-defence is vague
  • Lowest score: runbooks are theoretical; limit-of-defence says "this design is complete"

B- minimum (70/100 Tier 2) for the NET-301 Certificate of Completion.


Certificate

Passing (all six Tier 1 gates + B- on Tier 2) earns the VCA-NET-301 Certificate of Completion. Combined with NET-101 + NET-201 + NET-301, the student is positioned to sit Cisco CCNP-Enterprise or CCNP-Service-Provider within four months.