Contents
Table of Contents
Aims of the Project
Problem Analysis
Requirements & Solutions
WAN requirements:
General LAN requirements:
Non-Functional Requirements
Functional Requirements
Constraints
Technical Information Existing & Recommendations
Key Factors
Resources & Materials
Information Sources
Efficiency
Routing Protocols
Open Shortest Path First (OSPF)
Enhanced interior gateway routing protocol (EIGRP)
VLSM
Summarisation
NAT
VTP & VLAN
STP
DHCP
Scalability
Switches Port Density
IP Scheme
Reliability
HSRP
Raid
UPS
Security
Firewalls
Physical Security
WPA2 for Wireless
Authentication and Encryption
ACL
USER Groups
IDS/IPS
Analysis
Layer 3 Addressing Scheme
Switching VLANS
Test Plan
Provisional Design Topologies
Glasgow Floor Plan
Cardiff Floor plan
Birmingham Office Floor plan
References
This project will analyse, investigate, develop and test a new internetwork for Lanburgh between their Glasgow, Birmingham and Cardiff offices. The project will make recommendations on a new IT infrastructure that will make the current structure more efficient, reliable, secure and scalable for the future. Regular meetings will be held with the Managing Director to ensure the aims of the project stay in line with the objectives of the company.
Internetworking Design Basics
This report will outline the process of planning, developing and testing the proposed internetwork design between Lanburgh’s Glasgow, Cardiff and Birmingham offices, with proposed upgrades.
Designing an internetwork can be a challenging task. An internetwork that consists of only 50 meshed routing nodes can pose complex problems that lead to unpredictable results. Attempting to optimize internetworks that feature thousands of nodes can pose even more complex problems.
This report provides an overview of planning and design guidelines. The report will be divided into three main areas:
Determining Requirements
Identifying and Selecting Capabilities
Choosing Reliability, Efficiency, Scalability & Security Options
WAN requirements:
Appropriate routing equipment at each company site to interconnect branches. Solution: Cisco 1290 Routers
Application of purchased IP address block. Solution: Layer 3 subnetted addressing scheme
Use of static / dynamic routing
Appropriate redundancy. Solution: HSRP
Method of secure data transfer between Cardiff and Glasgow. Solution: VPN tunnelling
Dedicated 1GB Cardiff/Birmingham connection. Solution: Static route
General LAN requirements:
Logically layered converged switched network with appropriate management and redundancy facilities. Solution: HSRP (Hot Standby Router Protocol)
Suitable, efficient RFC 1918 IPv4 address scheme to support users with appropriate growth accommodated. Solution: IPv4 subnetted address scheme
Efficient allocation of IP configuration. Solution: IPv4 address scheme
Capability for network devices to be securely managed and configuration to be backed up. Solution: Cisco Server
Ensure end device security. Solution: Anti-virus software and upgrade to Windows 10
Physical security. Solution: Locked cupboards; off-site backup to cloud
Glasgow LAN requirements:
On-site hosting of the company email and web servers. Solution: Cisco Server
Address translation mechanism for internal hosts accessing services outside of the network. Solution: Cisco Switches
Cardiff LAN requirements:
Capability for employees to connect wirelessly to company LAN as required. Solution: Cisco wireless routers
Appropriate fault tolerance on network devices. Solution: HSRP
Birmingham LAN requirements:
Appropriate security to filter traffic allowing only students access to the email server on Glasgow campus. Solution: Extended ACL
Appropriate security to filter traffic allowing only teaching staff access to the web server (intranet) on Glasgow campus. Solution: Extended ACL
Implement IPv6 on 2 sample clients in an isolated test LAN ensuring layer 3 connectivity with IPv6 network egress point. Solution: IPv6 address scheme
Routers, switches and other internetworking devices must reflect the goals of the organizations in which they operate. For this purpose, all devices will come from Cisco. Cisco has a proven track record of reliability and efficiency and offers a lot of support and training for its devices.
Two goals drive networking design and implementation:
Application availability: Applications must be easily and readily available to the end users for a network to perform reliably and efficiently.
Costs: Budgets play a big part in designing a good network.
Non-functional requirements describe how the system works, while functional requirements describe what the system should do.
Non-Functional Requirements
Business Rules
Transaction corrections, adjustments and cancellations
Administrative functions
Authentication
Authorization levels
Certification Requirements
Legal or Regulatory Requirements
Training
Functional Requirements
Performance – for example Response Time, Throughput, Utilization, Static Volumetric
Scalability
Capacity
Availability
Reliability
Recoverability
Serviceability
Security
Manageability
Data Integrity
Usability
Constraints
These constraints include money, labour, technology, space, and time. Economic constraints play a major role in any network design.
Figure 1 General Network Design Process
Below is a network design process that investigates, analyses, produces a plan and then tests the plan until all the requirements are met.
Assessing User Requirements
Users primarily want their applications to be available, quick to respond and reliable. Response time is the time between a user asking the device to perform a function and the function completing.
Lanburgh’s user requirements will be assessed in several ways.
User community profiles outline what different user groups require. This is the first step in determining internetwork requirements. Faculty Staff will require more restricted access than students and finance will require more detailed information. Proper steps will be taken to ensure the confidentiality of each of these needs in a number of ways.
Assessing Costs
A list of costs associated with internetworks includes:
Router hardware and software costs: These can be expensive to buy or upgrade but are one of the most important parts of the network system.
Performance trade-off costs: This is selecting what equipment you really need and can afford.
Installation costs: This can be one of the largest and most expensive jobs; it includes labour charges for installation.
Expansion costs: Scalability; if it will save money in the future, it could be recommended to install better equipment now.
Support costs: Certain equipment like servers can be difficult to manage without the proper expertise or support.
Cost of downtime: This is how long your company can be out of commission for repairs, installation and upgrades, or if poor equipment fails.
Figure 2 is a provisional list of costs. The latest software has been proposed to increase security and efficiency. Some backup services will be moved to cloud storage. This can be divided into separate cloud storage allocations for Staff and Students. Hubs will be replaced with switches as these are far more efficient and secure. Two 24 port switches will be used instead of a 48 port as this will be more reliable in case one goes down. On-site storage and an extra server will also be used as an extra backup. All cabling will be upgraded to 100mb to increase speed and scalability for future devices.
Figure 2 Costs of Materials
Item | Quantity | Cost £
--- | --- | ---
HPE ProLiant DL380 Gen9 Xeon E5-2620V4 2.1GHz 16GB RAM 2U Rack Server | 2 | 2513
Server License | 1 | 652
Windows 10 Volume License | 1 | 900pm
Switches 2960 24port | 8 | 835
Synology DS418 DiskStation 4-Bay 16TB Network Attached NAS | 2 | 792.74
100 TB Cloud | 1 |
Office 365 Volume License | 1 | 750 per month
One Drive cloud Storage 100TB | 1 | 100 per/month
Dedicated Line | 1 | 30 per/month
1 GB Secure Line | 1 | 30 per/month
100mb cable | 50m | 1000
 | Glasgow | Cardiff | Birmingham
--- | --- | --- | ---
Client OS Software | Upgraded to Windows 10 | Upgraded to Windows 10 | Upgraded to Windows 10
Client Application Software | MS Office 365, HR software package | MS Office 365, Finance software package | MS Office 365, Marketing software package
Broadband | Asymmetric up to 100Mbps | Asymmetric up to 100Mbps | Asymmetric up to 100 Mbps
Public IPv4 addresses (simulated) | Router – Assigned by ISP; Server – 47.9.90.89 | Router – Assigned by ISP | Router – Assigned by ISP
LAN IPv4 ranges | 10.10.0.0 /8 | 10.10.0.0 /8 | 10.10.0.0 /8
IPv6 | Not currently used | Not currently used | To be tested by two users
Switches | 3* 24 port managed switch, 2* | 3* 24 port managed switch, | 2* 24 port managed switch,
Routers | Provided by ISP | Provided by ISP | Provided by ISP
Printers | 12 Mono LaserJet 2 colour inkjet | 10 Mono LaserJet 1 colour LaserJet | 1 Mono LaserJet 1 colour inkjet
Host security | Native security that comes with end station OS. This applies to client and server OS. | Native security that comes with end station OS | Native security that comes with end station OS
Network Security | Native security that comes with ISP router firewall. | Native security that comes with router firewall. | Native security that comes with router firewall.
Server software: Windows server Upgraded to Windows 2016; Windows server Windows 2016 Back Up
Backup: 5TB off-site NAS device; 100TB Cloud Storage; 5TB off-site NAS device; 5TB off-site NAS device
Key factors involved in this project are the £150,000 budget that has become available for Lanburgh to upgrade its IT system
1. Understand your network goals
2. Create a budget and acquire components.
3. Training, security, and scalability.
4. IT maintenance.
Items required for this project are as follows and will be assessed in the Analysis section.
Software programs Microsoft Word, Visio, Packet Tracer, Microsoft Project & License
Computer with Internet Connection
Stationery
Network Engineers
Dedicated Leased Line from ISP
VPN
Managing Director
Students
Faculty Staff
Web Searches
Vendors
Cisco
Networking Books
Project Brief
Routing Protocols
RIPv2
VLSM
Variable-Length Subnet Masking (VLSM)
This is subnetting with masks of different lengths, which allows more subnets without wasting large amounts of addresses.
Summarisation
This will be used to reduce the size of the routing tables. It achieves this by consolidating multiple routes into a single route.
https://searchnetworking.techtarget.com/definition/route-summarization
NAT
Network Address Translation (NAT)
This lets the router change private IP addresses into public IP addresses. A static NAT will be used for students in Birmingham to access the email server in Glasgow.
There will be a static route for students to the email server.
https://www.cisco.com/c/en/us/support/docs/ip/network…nat/26704-nat-faq-00.html
PAT
There will be a port translation on the public-facing router for HTTP port 80 and HTTPS port 443 so that staff can access the internet.
VTP
VLAN Trunking Protocol (VTP): this allows you to set one switch as the server and configure the others as clients, saving the time of configuring them individually.
VLAN
Virtual local area network (VLAN)
This allows a group of devices inside a local area network to be separated as if they were on separate networks.
STP
The Spanning Tree Protocol (STP)
This protocol prevents data going around in loops which can slow down and bring your network to a standstill
https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
DHCP
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol.
This automatically assigns IP addresses to clients. A separate DHCP server will be used for students and staff.
https://docs.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top
Switches Port Density
Port density is the number of ports in a network device or the number of ports in a backbone.
ftp://ftp.hp.com/pub/networking/software/density.pdf
IP Scheme
The IP scheme must scale from IPv4 to IPv6.
Most IP addresses are still IPv4. IPv6 was created to allow more IP addresses, because as time has gone by more and more end users require IP addresses. Using IPv6 will increase the scalability of your network.
https://www.techrepublic.com/article/how-to-make-your-ipv4-network-scalable-to-ipv6/
HSRP
Hot Standby Router Protocol is a Cisco redundancy protocol for establishing a fault-tolerant default gateway. If the main router goes down the standby router will step in.
Raid
A Redundant Array of Independent Disks (RAID) is an arrangement of multiple disk drives set together to act as a single disk drive. There will be 5TB of off-site storage.
https://www.vmware.com/products/workstation-pro.html
UPS
This is an uninterruptible power supply, which can come in the form of a battery. It will protect against power failures and power surges.
Firewalls
A firewall protects your network from harm by creating a barrier between trusted internal and external networks.
Physical Security
This is protection of personnel, software and hardware and the physical harm that can be caused from fire, flooding, theft and vandalism. The servers and storage devices will be kept in a locked room.
https://searchsecurity.techtarget.com/definition/physical-security
WPA2 for Wireless
Wi-Fi Protected Access 2 (WPA2): this is considered the most secure encryption for wireless.
https://searchnetworking.techtarget.com/feature/Wireless-encryption-basics-Understanding-WEP-WPA-and-WPA2
Authentication and Encryption
Encryption turns readable data into data that looks illegible, using secrets that can transform it back into meaningful data at the other end. Authentication will allow only people with permission to access the network. This will be used on all routers and switches. SSH will be used for remote management rather than Telnet, as it uses encryption rather than clear text.
Clients will require to be signed in with a username and password.
https://support.1password.com/authentication-encryption/
ACL
Extended Access Control List (ACL)
These are filters that allow a network administrator to control the flow of routing updates and filter traffic for extra security. One will be created for Students to access the Glasgow email server and one will be created for staff to access the internet.
https://www.orbit-computer-solutions.com/access-control-lists/
USER Groups
These are security groups that permit or deny users from accessing certain data. The windows server operating system can allow the administrator to control user groups centrally. This makes the process a lot more efficient. User groups will be created for staff, students and management.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
IDS/IPS
Intrusion Detection (IDS) and Prevention (IPS) Systems. These are used to monitor your network and act, if necessary, on any unauthorised entry into your network. This will not be used at present as it will severely impact on the system’s performance.
Research will be carried out by
Online and offline sources for up to date networking materials and cost.
Vendor product manuals
Looking at project brief
Contacting Cisco
Questionnaires from faculty staff
Interviews from students
Reviewing Existing documentation
Project brief
Gantt Chart
Visio Diagrams
Packet Tracer Topology
Techniques
Face to Face interviews
Telephone calls
Emails
Staff questionnaires
Campus | Faculty | Number of users | Projected 5-year growth %
--- | --- | --- | ---
Glasgow | | | 8
 | Teaching Staff | 3 |
 | Students | 50 |
 | HR | 3 |
 | IT Dept. | 2 |
 | MD | 1 |
Cardiff | | | 10
 | Teaching Staff | 2 |
 | Students | 40 |
 | Finance | 2 |
Birmingham | | | 12
 | Teaching Staff | 3 |
 | Students | 35 |
 | Marketing | 2 |
 | Testing | 2 Sample users |
Public Facing IP 165.65.74.80/28
165.65.74.0
255.255.255.252
IP Range: 165.65.74.1 to 165.65.74.254
Glasgow IP Range: 165.65.74.1 to 165.65.74.63
Cardiff IP Range: 165.65.74.64 to 165.65.74.128
Birmingham IP Range: 165.65.74.129 to 165.65.74.193
Private Addressing scheme
10.10.10.0/8
10.0.0.0/8
IP range: 10.0.0.1 to 10.255.255.254
Net mask: 255.0.0.0
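The VLSM and summarisation approach described in this report, carried through with the user counts and growth percentages from the campus table, as an added example that is not part of the original report. It treats the growth figure as total growth over five years; the five reserved addresses per VLAN and the 10.10.0.0/16 base block are assumptions.

```python
import ipaddress

# Constructed from the campus table in this report; "staff" sums every
# non-student group at the site.
SITES = {
    "Glasgow":    {"growth_pct": 8,  "vlans": {"students": 50, "staff": 9}},
    "Cardiff":    {"growth_pct": 10, "vlans": {"students": 40, "staff": 4}},
    "Birmingham": {"growth_pct": 12, "vlans": {"students": 35, "staff": 5}},
}
# Assumptions (not from the report): addresses reserved per VLAN for the HSRP
# virtual IP, two router interfaces, a DHCP server and a printer; and a /16
# carved out of the report's 10.0.0.0/8 private range.
INFRA_RESERVE = 5
BASE = ipaddress.ip_network("10.10.0.0/16")


def hosts_needed(users, growth_pct):
    """Users after growth (rounded up) plus reserved infrastructure addresses."""
    grown = -(-users * (100 + growth_pct) // 100)  # integer ceiling division
    return grown + INFRA_RESERVE


def prefix_for(hosts):
    """Longest prefix whose usable address count (size - 2) covers `hosts`."""
    return 32 - (hosts + 1).bit_length()


def first_network_at(cursor, prefix):
    """First /prefix network starting at or after the integer address `cursor`."""
    size = 1 << (32 - prefix)
    start = -(-cursor // size) * size  # round up to a subnet boundary
    return ipaddress.ip_network(f"{ipaddress.ip_address(start)}/{prefix}")


def plan(sites=SITES, base=BASE):
    """Give each site one summarisable block and VLSM subnets inside it."""
    cursor = int(base.network_address)
    result = {}
    for site, info in sites.items():
        needs = {vlan: prefix_for(hosts_needed(users, info["growth_pct"]))
                 for vlan, users in info["vlans"].items()}
        # Summary block: smallest power of two that holds every VLAN subnet.
        total = sum(1 << (32 - p) for p in needs.values())
        summary = first_network_at(cursor, 32 - (total - 1).bit_length())
        if not summary.subnet_of(base):
            raise ValueError(f"{base} is too small for {site}")
        inner, subnets = int(summary.network_address), {}
        # Largest subnet first, so every subnet lands on its own boundary.
        for vlan, p in sorted(needs.items(), key=lambda kv: kv[1]):
            subnets[vlan] = first_network_at(inner, p)
            inner = int(subnets[vlan].broadcast_address) + 1
        result[site] = {"summary": summary, "subnets": subnets}
        cursor = int(summary.broadcast_address) + 1
    return result


if __name__ == "__main__":
    for site, alloc in plan().items():
        print(f"{site}: advertise {alloc['summary']}")
        for vlan, net in alloc["subnets"].items():
            print(f"  {vlan:<9}{net}  ({net.num_addresses - 2} usable)")
```

Each site ends up behind a single /25 that can be advertised as one route, while staff and student VLANs keep separate subnets that an ACL can match on.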
Switching VLANS
VLAN 10 Staff
VLAN 20 Students
VLAN 22 Unused Ports
VLAN 30 Management.
VLAN 99 Native
Test Plan
Test Name | Test Type | Date of Test | Method | Expected Result | Actual Result | Outcome and Action Required
--- | --- | --- | --- | --- | --- | ---
RIPv2 | Efficiency | 9/5/2019 | Use the show ip route command on the Birmingham router | Router will show up as being RIP version 2, and directly connected routes will be shown as well as RIP-connected routers | Router shows connected through RIP | No action required
Dedicated 1GB Line, Static and Default routes | Security | 9/5/2019 | Use the show ip route command on the Cardiff router | S* will show for static route between Cardiff and Birmingham | S* shows | No action required
VLSM/CIDR | Efficiency | 15/4/19 | Use the show ip route command on the Glasgow main router | Classless addresses will show | Classless IP addresses show | No action required
NAT Static Route | Efficiency | 15/4/19 | Use test Student in Birmingham’s web browser to ping Cardiff’s public facing cable | Cisco Packet Tracer should show up | Use the show ip nat translations and show ip nat statistics commands | Action needed: apply to Glasgow branch email server
Port Address Translation | Efficiency | 18/05/19 | Use Staff tester to put Birmingham public IP address in | Cisco Packet Tracer should show | Use the show ip nat translations and show ip nat statistics commands | Action needed: apply to Glasgow branch web browser
VTP | Efficiency | 15/4/19 | Use the show vtp status command on the Glasgow root switch | | |
DTP | | | | | |
VLAN/inter-VLAN | Efficiency, Security | 15/4/2019 | Use the show vlan command on the Glasgow root switch | Hosts can ping all hosts on their VLAN | |
Inter-VLAN Networking | Efficiency | 15/5/19 | Ping any student client to any staff client | Staff test 1 from Student Test 1 | Pings successful | No action required
STP | Efficiency | 15/4/2019 | Show spanning-tree protocol | Use the show spanning-tree command to show new root bridge is configured | New root bridge is selected | No action required
DHCP | Efficiency | 15/4/2019 | Student Test 1 and Staff Test 1 clients request IP address | Request new IP address from respective DHCP server | Requests successful | No action required
Switch Port Sticky | Security | 15/5/19 | Only the first MAC address in port 24 will be allowed | Plug in another client to port 24 in the Glasgow root bridge. The port will be blocked | Port successfully blocked | No action required
IP Scheme IPv4 | Scalability | 15/4/2019 | Use ping command from staff test 1 in Glasgow to student test 2 in Cardiff and student test 3 in Birmingham | Clients will reply | Pings successful | No action required
IP Scheme IPv6 | Scalability | 15/4/2019 | Use ping command from PC2 to PC1 in the IPv6 test area | PC1 will reply to ping | Ping successful | No action required
HSRP | Reliability | 15/4/2019 | Use shutdown command on main router so standby router becomes active | Ping ISP Router which | |
UPS | Reliability | 15/4/2019 | Shut down power to server in Glasgow | Batteries will continue the power supply until main power is restored | |
Firewalls | Security | 15/4/2019 | | | |
ACL | Security | 15/4/2019 | | | |
WPA2 | Security | 15/4/2019 | Connect rogue device. SSID is changed from default. WPA2-PSK authentication required with password | Device won’t connect | Rogue devices won’t connect | No action required
TFTP | | | | | |
SSH | | | | | |
VPN | | | show crypto ipsec sa | | |
switchport port-security | Security | 14/5/19 | show interfaces switchport | | |
switchport port-security aging time 120 | Security | 14/5/19 | show interfaces switchport | | |
no cdp enable | Security | 14/5/19 | show interfaces switchport | | |
spanning-tree portfast | Security | 14/5/19 | show interfaces switchport | | |
spanning-tree bpduguard enable | Security | 14/5/19 | show interfaces switchport | | |
storm-control broadcast level 75.5 | Security | 14/5/19 | show interfaces switchport | | |
switchport mode trunk, switchport nonegotiate | Security | 14/5/19 | show interfaces switchport | | | No action needed
EtherChannel LACP – Link Aggregation Control Protocol | Efficiency | 16/5/19 | Issue show run command | Interface Port Channel should show | Interface Port Channel 1 shows | No action required
Provisional Design Topology
Refer to Visio file
Evaluation
3.1 Outline of the assignment
You should produce an outline of the assignment and to what extent the solution met the original requirements of the assignment brief as noted below. (4 marks)
You should give a statement regarding the extent to which each of these objectives has been achieved. If an objective has not been achieved, or has only been partially achieved, you should give an explanation.
In this assignment we were asked to upgrade the company’s existing network infrastructure. Almost all the requirements have been met except the following:
HSRP is partially working; there is a backup router, but it is misconfigured after the network was streamlined. Time constraints have made it unable to be reconfigured.
VPN is also partially configured; a serial cable was removed for efficiency and the wrong IP route was put on the Cardiff and Glasgow routers. Time constraints have made it unable to be reconfigured.
Extended ACLs have still to be implemented and tested; time constraints have caused this not to be implemented yet.
There were problems implementing NAT in Glasgow. My plan was to put a static NAT to the student email server and a PAT to ports 80 and 443 to the Glasgow web server. I had put a server on DHCP for quickness and configured PAT on it; when I started the network back up it was then misconfigured. This was rectified with a static IP but became misconfigured when I put a static NAT on the same serial cable port, so I put a static in Cardiff and a PAT in Birmingham for testing.
VLANs are all configured correctly with sub-interfaces for inter-VLAN networking. This caused a few configuration problems as the number of gateways increased.
I would have used a zone-based firewall as it is easier to configure than an ASA firewall; it is also a lot more cost effective as you don’t need to buy extra equipment.
IPv6 has been properly configured and through time I would roll this out throughout the full network.
There is redundancy on every site with no single points of failure; there are multiple switches and multiple routers all giving at least two possible routes.
3.2 Strengths and weaknesses
You should give an assessment of the strengths and weaknesses of the outputs of the practical assignment. (4 marks)
The network I have planned and built is strong on security and efficiency. I have used RIPv2 as it is one of the easiest to implement and maintain. Through time I would recommend using some of the other protocols as the network grows and the management staff get to know it.
The inter-VLANs work on every site. I have good switch security with a good-practices demonstration on a switch and on a router for test; this would be used on every switch and router after the testing stage.
There is a DHCP properly configured on each site, one for the staff and one for the students; each DHCP is on the same VLAN as the clients it is serving. Staff and students also have their own printers on their own VLAN for added privacy and security.
Each site’s offline storage is at another site in the network. Glasgow’s is in Cardiff, Cardiff’s is in Glasgow and Birmingham’s is in Glasgow.
All trunk GB ports are used as trunk ports as they have lower costs and are faster.
3.3 Recommendations
You should make recommendations for any future development of the solution and give your reasons for these recommendations. (4 marks)
In the future I would use other routing protocols which can be more efficient though harder to configure. I would make every trunk route an EtherChannel linking the two gigabyte ports; this doubles the bandwidth. As the company grows, I would use more ethernet channels to create more bandwidth.
I would have a guide booklet printed for all the users advising on safe practice and strong passwords, as a lot of damage to networks can come from the inside as well as the outside, such as a person bringing their own devices which contain viruses.
I would create a VPN from Glasgow to Birmingham and Birmingham to Glasgow as well for added security.
I would remove the printers off DHCP and put them on a static IP rather than having to request one every time they are switched on. They were configured DHCP for time scale factors.
There is a TFTP server which backs up the running configs in Glasgow; this will be rolled out to every site in future.
3.4 Modifications
You should give a summary of any modifications to the project plan, solution design and/or implementation that were made during the project, including reference to any unforeseen events and how they were handled. (4 marks)
OSPF and EIGRP were initially going to be used but RIPv2 was quicker and easier to use.
More switch security has been implemented as it is easy to configure, i.e. switchport security and broadcast storm control. Switches come with preconfigured settings which can be easily manipulated by attackers and leave the system vulnerable.
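One way to check a switch configuration against the hardening commands listed in this report's test plan (port security, PortFast, BPDU guard, storm control, disabling CDP and DTP), as an added example that is not part of the original report. The sample running-config is constructed; parking unused ports in VLAN 22 and using native VLAN 99 follow the report's VLAN list, and the function names are hypothetical.

```python
import re

# Constructed sample running-config (not the report's Packet Tracer config).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 75.5
 no cdp enable
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 22
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
!
"""

# Per-port hardening commands taken from the report's test plan.
ACCESS_REQUIRED = {
    "port-security": r"^switchport port-security$",
    "portfast": r"^spanning-tree portfast\b",
    "bpduguard": r"^spanning-tree bpduguard enable$",
    "storm-control": r"^storm-control broadcast level \S+",
    "no cdp enable": r"^no cdp enable$",
}


def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces


def audit(config, parked_vlan="22", native_vlan="99"):
    """Return (interface, finding) pairs; VLAN defaults follow the report's VLAN plan."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:  # unused port: must also sit in the parked VLAN
            if f"switchport access vlan {parked_vlan}" not in cmds:
                findings.append((name, f"shut down but not in VLAN {parked_vlan}"))
        elif "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still negotiates DTP"))
            if f"switchport trunk native vlan {native_vlan}" not in cmds:
                findings.append((name, f"native VLAN is not {native_vlan}"))
        elif "switchport mode access" not in cmds:
            findings.append((name, "enabled with no explicit switchport mode"))
        else:
            vlans = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")]
            if not vlans or vlans[0] == "1":
                findings.append((name, "access port left in VLAN 1"))
            for label, pattern in ACCESS_REQUIRED.items():
                if not any(re.search(pattern, c) for c in cmds):
                    findings.append((name, f"missing {label}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the constructed sample, the fully hardened access port and the parked port pass, while the half-configured port, the untouched default port and the trunk without `switchport nonegotiate` are reported.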
One unforeseen event was configuring with no single default gateway with sub-interfaces. After research I understood that a sub-interface can be configured just like a physical interface.
I had more routers than I needed, so after removing one my configurations on HSRP and VPN became misconfigured; these still need to be troubleshot.
3.5 Knowledge and skills
You should identify any knowledge and skills which have been gained or developed while carrying out the project assignment and how the actions/ process of carrying out the project could have been improved. (4 marks)
I have gained skills in using the command line interface and the commands; using some of them that often has made configuring routers and switches a lot easier.
I now have a better understanding of what the commands are and why they are used.
I have found a lot more ways to configure switches for extra security with some basic switch configurations to start with like closing all ports until you use them, removing them from vlan 1, enabling broadcast storm control.
I have learned a lot more about configuring routers and setting them up to start with, with passwords, no ip domain-lookup, password encryption, and understand a lot more clearly why they work.
I have learned a lot more about IPv6 and what the addresses are made up of, like a post code and machine MAC address.
I’ve learned a lot more about encryption with things like SSH, which encrypts text where Telnet is clear text for remote access, making it a lot more secure.
I’ve learned how to configure servers for DHCP, WEB, EMAIL, TFTP, FTP and how to back up the settings.
I have learned a lot about standard ACLs and Extended Access-lists and how to configure and verify them allowing filtering from different networks or clients.
I have learned a lot more about what ports are used for and have most of the well-known ones memorised whereas before they were just jumbled numbers.
I could have improved my network by doing a lot more research first; some commands I learned save a lot of time. I could have had HSRP and VPN better configured instead of deleting a router and leaving older configurations.
Identifying the root bridge earlier would have allowed me to reduce the costs of the network by using the GB ports straight to the router then the redundancy put on fast ethernet.
Bibliography
https://www.techopedia.com/definition/26152/vlan-trunking-protocol-vtp
Cisco Networking Academy Logbooks
CCNA Routing & Switching Protocol PDFs
Dans Courses CCNA material