CHAPTER 1 ABSTRACT
The purpose of this exercise is to provide a detailed design document as per the requirements given in various formats by the Client NoBo Inc. The scope of this document includes at first explaining the requirements provided by the client, explaining the solution both from a top level view and detailed, also explained are the configuration steps, technologies used and scope of the future work and recommendations. We have used modular design approach for designing the network .The final outcome is a detailed document which will extensively assist in deploying and configuration stages of network for NoBo Designs.
CHAPTER 2 INTRODUCTION
This project aims to analyse the various network models and design a network according to the client’s requirements.
- All the Cisco network models: Campus network, Hierarchical network, Enterprise edge model have been reviewed.
- According to the client requirements the suitable network model has been identified and designed.
- Proper selection of the devices (Routers, Switches, Computers, cables) has been made to meet the service requirements.
- The cost for all the devices and equipments that are required has been estimated.
- Centralised internet connection has been provided for the branch sites from their respective headquarters. This provides high control on the data between the sites.
- IPsec is cond for data security while using the backup line when the main link goes down. Cisco IOS Firewall is also cond on the perimeter devices.
- The designed network has been cond on the simulator and all its functioning has been tested.
2.3 DISSERTATION STRUCTURE:
- CHAPTER 1: This chapter briefly discusses about the abstract of our project.
- CHAPTER 2: This chapter briefly explains the introduction of our project topic, reviewing all the objectives and ends with the conclusions of each and individual chapter in our dissertation.
- CHAPTER 3: This chapter explains the background of various network topologies, reviewing of all the concepts like routing, switching, IP addressing and ends with the discussion of the QOS, security issues.
- CHAPTER 4: This chapter introduces the requirements of network design, implementation, testing and ends with the explanation of all configurations.
- CHAPTER 5: This chapter briefly discusses about all the experimental results and ends with the analysis of the obtained results.
- CHAPTER 6: This chapter discusses the entire evaluation of our project and ends with the introduction of conclusions.
- CHAPTER 7: This chapter briefly discusses about the overall conclusions.
- CHAPTER 8: This chapter provides the recommendations and future work in our present topic.
3.1 Cisco Network Models:
Network models may change due to the implementation of different technologies which are applicable to us. But the goal of each model is finally same which is convergence and achieving service integration. There are 6 different geographies available in an end-end network architecture which is briefly discussed below: ( Inc., C. S. (Mar2009, Roberts, E. (8/28/95).
3.2 Cisco Hierarchical model:
It is an older model which is good for network scalability. The entire network is divided into 3 layers which are given below:
Access layer: These devices are generally developed entirely in a network for the purpose of providing clients access to the network. In general it has been done by the switch port access.
Distribution layer: In general, these devices are developed as aggregation points for access layer devices. These devices can be used for the dividing of workgroups or some other departments in the network environment. They can also provide WAN aggregation connectivity at various Cisco Network Models.
Core layer: These devices are designed for the purpose of fast switching of packets and they should provide the redundant otherwise it results in loss of degradation of service at the time of network congestion or link failures. Finally these devices help in carrying the entire network traffic from one end to the other end.
Finally this model provides good scalability and it supports the combination of SONA, other interactive services and these are applicable to any topology (LAN, WAN, MAN, VPN..) or other connectivity options which are applicable to us. The following diagram (3.1) shows us the Cisco Hierarchical model.
3.3 Campus Network Architecture:
In last 10 years it has been developed rapidly and the no of services supported in this model are more. The basic structure of this model is just an extension of the previous model. It supports the implementation of various technologies in this model like QOS, MPLS VPN, IPSEC VPN, and HSRP and so on. It provides the network access to campus wide resources and provides layer 2 switching; layer 3 switching at the Access and Distribution respectively.
Services in this model are switched from stateless to stateful and provide redundant devices to monitor all the events, connections in a network. Meeting of these requirements requires some changes in its basic model. The following (3.2) shows us the campus network architecture model.( Gilmer, B. (Nov2004)
It provides the combination, multi- service environment which gives the sharing and connectivity of all the users who are working at the remote, branch sites. It requires the combination of both hardware and software devices for providing the services and applications to all the clients in a network architecture. SONA architecture helps an enterprise model to extend its services to the remote site under the consideration of good service levels. Cisco Unified Communications, security and so on can be offered at all the branch sites to overcome the problems of inadequate connectivity. The following diagram (3.3) shows the branch network architecture.
It plays a major role in the deployment of any network. Now days, it is growing rapidly to implement more SONA functions. These additions of new functions like virtual servers, instant applications, dynamic change of network configurations and so on. Some resources will be added online to get the support of upcoming needs. This network architecture provides the info about on- demand services which provides dynamic network environment to all the users, consolidation of services while growing of various business applications provided by an adaptive network. Finally this network model reports more usage of our capital without any changes in its infrastructure.
In general it has been developed for the purpose of higher level security features in network architecture. It has been done by the support of several server farms having different functionality from DMZ (demilitarized zone) functions like DNS, FTP, HTTP, Telnet and so on for all the users (internal/ external) to share various applications and services among partners and to get the access of internet applications.
This network architecture is entirely different and it can make a new or it can break the all discussed Cisco versions. Based on the discussion of all the services like SONA, QOS, and transport services and so on which would mandatory in an end- end system? Based on the bandwidth requirements, their functions and providing QOS the WAN/ MAN has been designed. The functioning and geography plays a major role in deciding the method and speed connectivity’s among various sites. The cost of total deployment of a network may vary and it is different from each other. If the connection exists between the sites is a traditional frame relay or if it is provided by a service provider. For example, by using MPLS this provides layer three connectivity between two ends. And it also varies by considering the distance between two sites. The convergence of various types of application over an IP network requires good connectivity, high security levels and providing of good services over the large WAN. The following fig (3.6) shows the WAN/ MAN architecture. (Israelsohn, J. (7/22/2004.)
In this approach the overall network design and implementation is discussed with the adequate background. Modular Design Approach:
The recipe for an efficient and robust network is to design the network taking into Consideration the various functionalities/requirement required by the network and placing that functionality into a module. Various modules might end up acting in independent physical devices or one physical device may contain all the modules, the idea is to visualize the various functionalities acting as independent unit. The part of the network which consists of hardware and configurations for the wide area networks is termed as the WAN module of the network. It should contain of the all routers, interfaces, cabling and configurations that belong to the Wide Area Networks. The module should be designed separate from the other modules. Similarly all the devices, interfaces and configurations that are involved in the virtual private network would be designed as one module.
Some aspects of the design for which there are no pointers in the design documents are also discussed in the detail design section with details of the relevant choices.
1) Performance: A network to its end user is as good as how his/her applications perform. Following are few metrics to for measuring network performance.
Responsiveness: The design should be such that it is par with the acceptable responsive time of all the business applications.
Throughput: The rate of traffic passing through a given point in the network, it can be calculated in multiples of bits per second or packets per second.
Utilization: utilization of resources is the most effective metric to calculate the congestion points in the network, aiding the network design to a great extent.
2) Availability: Network Availability is the key factor to a proper network design. Planning for continuous uptime is important for the business to carry out their activities without any interruptions. Following are a few points for availability:
Device Fault tolerance: All the devices installed in the network should be of quality and reliable. Where ever possible redundant ports, modules and devices should be installed.
Capacity Planning: A network design should consider adequate capacity planning, for example how many connections can a link handle in worst case scenarios.
Link Redundancy: As per the business requirement at least all the important links and internet connectivity should be redundant.
3) Scalability: All the network modules should be designed as such that they should cater for future requirements as well as today’s needs.
Topology: The topology should be designed as such that it would require minimal configuration whenever any major or minor changes are required.
Addressing: The network addressing should allow routing with minimum resources. For example by using route summarization and proper ip addressing scheme which would have minimal impact or no impact on the existing networks or subnets and routing mechanisms. Local Area Network Module:
The local area network design primarily consists of dividing the various departmental requirements into logical network separations.
- At all the sites will create individual virtual area networks for all the departments.
- All the virtual area networks will use a class c /24 subnet mask, reason behind that is the IP addressing used for the internal networks is all private and hence no sub netting is required.
- All the Vlans at all the sites are local Vlans which means that they do not extend across the wan pipes.
- The departments at different sites might have similar names and functionality but its always recommended that the Vlans are kept to be local.
- The Virtual are network will divide the whole LAN into virtual boundaries allowing for broadcast control and provide for access-control using access-lists.
A VLAN has been provisioned for the Server Network and wireless network at each site as well. The VLANS are local to the respective sites only and are class C /24 networks.DOT1q trunks have been placed between the layer 2 switches and the routers at each site. DHCP:
The DHCP is Dynamic Host Configuration Protocol provides automatic IP addresses
To the hosts on the TCP/Ip network [RFC 1531].It uses BOOTP known as bootstrap protocol. The DHCP server can be on the same or on a different network away from the host pcs. This is possible with the dhcp relay agent. When a client Pc boots, it searches for the server by sending broadcast packets on the network. When server gets theses broadcast packet it responds and sends a packet with an IP address to the client from the DHCP pool. The client can use the IP or can request for another IP instead. The client can hold this IP as according to the configuration in the DHCP server. The minimum duration for the client to hold the IP address is 8 days. After this period the clients has to make a new request for an IP address. This how , the DHCP usage in the network will reduce the intervention of the administrator from giving the IP addresses manually.
For a Pc to connect to the internet and communicate with the other Pcs on the internet, it needs a public Ip address. One has to pay to have a public IP. It will be very expensive to have all Public IP addresses in a network. So, NAT provides a facility to convert the private IP address to the Public Ip which is on the interface of the device (router) that is directly connected to the internet via ISP. This saves money. Moreover it provides the additional security to the internal network
By using the one public address.
Following are the benefits that NAT provides:
- Preservation of IP address
- IP address and application privacy
- Easy management Routing Module:
The routing module consists of the routing architecture at each site; it is the responsibility of the routers to forward packets to the correct destination. Routers by querying the routing table make the forwarding decision.
1) Static routes: At each site static routes have been placed at each head quarter sites. Static routes are the manual routes that are placed by the network administrator manually in the router and have to be taken out manually as well.
At the headquarter site the static routes point to far end headquarter site or to the vpn subnet.
2) Default routes have been placed at all sites, Default routes are treated by the routers as a catch all. If there are no specific routes towards a given destination, the default route will be picked up and the packet would be forwarded out of that interface to which the default route belongs.
Since the Internet has more than 100,000 routes , it would be infeasible to place all those routes into our routing table , so instead a default route has been placed at each headquarter to forward all the internet traffic towards the interface belonging to the ISP end. Since we are using the far end headquarter as back up to our internet connections at each site.
A special type of default route has been added in each headquarter, if the internet link goes down, the floating route will come into the routing table and the original route will disappear. The floating route is nothing but a default route with a higher administrative distance. This is a feature of Cisco IOS, it originally takes the route with the lower AD and places that into the routing table, if that route is lost it would place the second default route with the higher administrative distance.
3) Routing Information Protocol: Routing information protocol version 2 has been used to propagate the Subnet routing between the sites. RIP is a distance vector routing protocol which advertises its routing tables to its neighbours and has a hop count of 15 , since our network has only five sites at the moment, RIP has been used for routing between the networks , the RIP version2 is the recent version of the rip ipv4 and it can carry variable length subnet masks . The RIP is adequate for our requirement.
(http://www.ciscosystems.org/en/US/docs/internetworking/technology/handbook/Routing-Basics.html accessed on Dec 12 ,2009) RIP:
As said earlier Routing Information Protocol is the only widely used distance vector protocol. It propagates the full routing table out to all participating interface in every 30 seconds. RIP works very well in smaller networks, but it is not scalable for large networks having slow WAN links or on networks with more than 15 routers installed. RIP version only supports class full routing, which essentially means that all devices in the network must have the same subnet mask. The reason: RIP version 1 does not propagate with subnet mask information. RIP version 2 supports classless routing, which is also called prefix routing and does send subnet mask in the route updates. (Chin-Fu Kuo; Ai-Chun Pang; Sheng-Kun Chan (Jan2009,)
RIP has 3 different timers which regulate the performance:
Route update timer: This timer sets the delay between the propagation of the full
Routing table to all the neighbours: this would be normally 30 seconds.
Route invalid timer If the router doesn’t hear any updates for a particular router for 90 seconds it will declare that route invalid and will update all the neighbours to that the route has become invalid.
Route flush timer : After the route has become invalid , another timer starts which is normally 240 seconds ,if the router doesn’t hear anything about the said route , it will flush the route out of its routing table and will update the neighbour that I am going to remove this route from my routing .
RIP being a distance-vector algorithm propagates full routing tables to neighbouring routers. The neighbouring routers then add the received routing updates with their respective local routing table’s entries to accomplish the topology map. This is called routing by rumor, In routing by rumour the peer believes the routing table of its neighbour blindly without doing any calculations itself.
Rip uses hop count as its metric and if it finds that multiple path share the same cost to a particular destination it will start load-balancing between those links, however there is no unequal cost path load balancing as there is possible in case of EIGRP. Rip can be troublesome in many ways:
Rip actually only sees the hop count as a true metric, it doesn’t take care into consideration any other factors So if a network has two paths, the first only 1 hop away with 64 Kbps of bandwidth but a second path exists with 2 hops but each link having a bandwidth of 2 mbps , RIP will always prefer path no 1 because the hop count is less. Rip has a very crude metric and hence not a protocol of choice in many networks.
Since RIP by default is classless and is a true distance vector protocol, it also carries with itself same issues as presented by the distance vector routing protocols, fixes have been added to RIP to counterattack such problems.
Snort is an open source network based intrusion detection system, it can do traffic logging and intrusion detection analysis on the live traffic, snort is installed on a host and the interesting traffic is copied to it via the port mirroring or port spanning techniques, Snort can be also used inline on an Ethernet tap, it can work in conjunction with Ip tables to drop unwanted traffic.
Inter-site Routing: The routing protocol RIP version 2 will propagate routes among all the sites, each Vlan will be advertised as a network in the routing protocol. Switching:
The switches at each site carry all the virtual local area networks.
1) A DOT1q trunk has been placed between the switches and the routers at each site. The dot1q trunks carries all the Vlans from the switches to the routers, the routers act as the layer 3 gateway for all the Vlans present in the site, the layer 2 switches alone cannot act as the layer 3 gateways and hence they require some kind of layer 3 device.
2) All the other ports in the switches are either access ports or are trunks to other switches in the same sites. The access ports are the user ports, each access ports would belong to one or the other Vlans. The no of access ports in the building would decide the number and the model of the switches to be placed inside the access layer.
Vlan: By Default all the ports on a layer 2 switch belong to the same broadcast domain. The broadcast domains are segregated at the router level, however there are requirements to segregate the broadcast domains in campus switching environments, hence the virtual local area networks are used. The numbers of Vlans in a switch are equal to the number of broadcast domains, the ports on the switch which belongs to a particular Vlan belongs to a certain broadcast domain of that Vlan.
Devices in one Vlan cannot connect to other Vlans if there is no layer 3 connectivity provided.
Speaking of IEEE 802.1Q….
“There are two different trunking protocols in use on today’s Cisco switches, ISL and IEEE 802.1Q, generally referred to as “dot1q”. There are three main differences between the two. First, ISL is a Cisco-proprietary trunking protocol, where dot1q is the industry standard. (Those of you new to Cisco testing should get used to the phrases “Cisco-proprietary” and “industry standard”.)
If you’re working in a multivendor environment, ISL may not be a good choice. And even though ISL is Cisco’s own trunking protocol, some Cisco switches run only dot1q.ISL also encapsulates the entire frame, increasing the network overhead. A Dot1q only place a header on the frame, and in some circumstances, doesn’t even do that. There is much less overhead with dot1q as compared to ISL. That leads to the third major difference, the way the protocols work with the native Vlan.
The native Vlan is simply the default Vlan that switch ports are placed into if they are not expressly placed into another Vlan. On Cisco switches, the native Vlan is Vlan 1. (This can be changed.) If dot1q is running, frames that are going to be sent across the trunk line don’t even have a header placed on them; the remote switch will assume that any frame that has no header is destined for the native Vlan.
The problem with ISL is that doesn’t understand what a native Vlan is. Every single frame will be encapsulated, regardless of the Vlan it’s destined for. Access ports:
An access port is a port which does not carry any Vlan information, the port which is cond as a an access port, on that port the switch takes off the Vlan information and passes the frame on to the end device, end device be it a pc or a printer or something else has no information passed about the Vlan.
The routing table in a router is populated mainly in 3 ways.
a) Connected routes: router places the networks belonging to all types of its live interfaces in the routing table such routes carry an administrative distance of 0 as they are most trusted routers, these routes are taken out of the routing table if the interface goes down.
b) Static routes are routes place manually by the router administrator and carry an administrative distance of 1, these routes are the second most trusted by the router after the connected routes, since these are being added by the administrator themselves
c) Third type of routes are installed by the routing protocols and carry administrative distances according to the type of the routing protocol. Wireless local area network Module:
A Vlan has been provided at each site which acts as a wireless network, the wireless Vlan connects to wireless access points which provides wireless connectivity to the users. Wireless access points are placed at each floor at all the sites, all the wireless access points will be of Cisco Linksys brands. The wireless access points at each site will be WIFI carrying all a, b or g standard. (O. Elkeelany , M. M. M., J. Qaddour & (5 Aug 2004)
The wireless networks will use WPA2 key security mechanisms to protect the network from unauthorised access and attacks. Proper placements of the wireless access points can be done after a physical inspection of the sites. If a barrier wall or something else obstructs the coverage of the wifi access points at a floor another wifi access point will be required at the same floor. IP Addressing Module:
WAN Ip addressing, all wan connections are point to point and use a /30 subnet mask
A /30 subnet only allows for two actual hosts which fits for the wan connections.
VLAN Ip addressing, all the Vlans including the wireless and the server Vlans are /24 networks
All the future Vlans should be /24 as well, this would help to limit the layer3 broadcasts to only 254 hosts, /24 is being used because our Vlans are all based on class c private addressing and there are adequate addresses in the same class for our future needs as well so there is no actual requirement to subnet any further, sub netting further would actually make the design complex without any real benefits.
The routers also have a trunk which comes from their respective site switches. The 1st valid address of the each Vlan belongs to the router acting as a gateway to the Vlans. These .1 addresses are required to be hardcoded inside the routers themselves.
The host addressing is taken care by the dhcp protocol, each router as its site will act as a dhcp server for all the Vlans present in the same site. The router acting as a dhcp server would provide gateway information to the hosts in each Vlan as well as the dns servers to be used and the domain information as well.
A separate list has been maintained for the hosts outside the dhcp scope, should there be a requirement that a host be provided a static Ip address, and the same Ip address should be added to the list of non dhcp addresses for each Vlan at each site. Server Farm Module:
A special virtual area network is in place at every site for a special purpose, this vlan only has servers placed in it, this Vlan acts as a DMZ at all sites. The servers at various sites are placed in separate Vlans to protect them from the broadcasts created by the users in the site as well as blocking unauthorised access. If the requirement arises that a server should also be placed in another Vlan at same time, either 2 network cards should be attached to the same server and each placed in the respective Vlan, if the server is required to be attached to more than 2 Vlans, then the server should carry a special network card which could build trunks with the 2960 switches. The speed and duplex modes on all the server ports should be manually cond by the network engineers as there are chances of duplex mismatch in the auto mode. Unauthorised access can be blocked into the server farm via using IP access-lists feature of the Cisco IOS.( Zhuo L , W. C., Lau FCM . (OCT 2003 ) Security Module:
This is the most important module of the network design, as its name suggests it would cater for the network security, following are the security measures in place for the network designs. An integrated Cisco IOS firewall protects the perimeter interface (internet connection) from attacks from the outside world at both the headquarter sites; IOS firewall uses stateful inspection for the protocols listed in the firewall itself. As advised earlier the access to the server Vlan at each site is also controlled by the use of IP access-lists, only authorized IPs/networks and that too only on specific ports are allowed to traverse the DMZ(DEMILITARIZED ZONE).
There are perimeter access-lists in place at the headquarter sites blocking most common and known attacks from the internet. The internet modules have been centrally designed to keep a tighter control and strict security. An additional measure of security can be placed at each site by adding an intrusion prevention system to each headquarter. A very effective intrusion detection engine is SNORT, being open source it can be installed in a very short period of time and is free. Further management Vlan can be secured by using port security and sticky Mac mechanisms.
The Cisco IOS firewall is an EAL4 certified solution and is a stateful firewall, it is integrated into Cisco router IOS, IOS is the best available routing, security and VoIP software around, and integrating a stateful firewall produces an economical yet flexible solution. It is the ideal solution for small offices, branch offices and wherever the need arises for an embedded firewall solution. The Cisco IOS firewall can be turned on and off in the desired manner on the desired interface in the Cisco router
Cisco IOS firewall can be cond in basically two modes, Classic firewall also known as CBAC – control based access control or the new configuration technique which is called Zone based policy firewall. The later one is used wherever the network is required to be divided into various zones for example a DMZ zone. The later configuration methodology will be carried on in the future as it caters for the changing needs of networks.
The Wan connectivity for the NoBo designs has been designed taking in consideration of the following characteristics
Head -quarters: All the head Quarters have been has been connected via an International leased line from service provider. All the branch-offices are connected to their headquarters via leased lines as well via service provider.
Wide Area Network Back up
The internet connectivity at both the remote and client sites can be used as a backup in case the primary WAN link is down; a separate site-to-site vpn link will be required to be cond between the two sites. The site to site vpn will use the IPSEC framework which would be only used if the floating routes that are present in the Cisco routers start pointing towards the vpn links in case of the wan link outage.
This IPSec vpn back up link should be strictly used as a back up as the internet bandwidth is limited and the latency is high. Network Management mechanisms would notify everyone, if the primary wan link is down. If the requirement for the backup link for a branch site comes up, same methodology can be used, the branch can acquire its own internet connection and use it as a backup link to its respective head office. In that case changes in routing will also occur. IPSec:
IPSec is a protocol contains set of features that protect the data which traverses from one location point to another. The location itself defines the type of VPN. The location could be anything such as pc on the internet, a small regional office, a home office or any corp. headquarters.
A user on the go would always connect to a user to site vpn and all the others would be called a site to site vpn.
The IPSec protocol works on layer 3 and above, like tcp/udp header and data and does not protect any layer 2 frames, a different kind of protection mechanism has to be deployed for the same and also is possible only in the controlled network.
The encryption and IPSec are many times thought to be one and the same thing but they are different, IPSec is basically a suite of protocols and one of them does encryption.
Following are the features of the IPSEC protocol suite.
- Data confidentiality
- Data integrity