CHAPTER 1 ABSTRACT
The purpose of this exercise is to provide a detailed design document as per the requirements given in various formats by the Client NoBo Inc. The scope of this document includes at first explaining the requirements provided by the client, explaining the solution both from a top level view and detailed, also explained are the configuration steps, technologies used and scope of the future work and recommendations. We have used modular design approach for designing the network .The final outcome is a detailed document which will extensively assist in deploying and configuration stages of network for NoBo Designs.
CHAPTER 2 INTRODUCTION
This project aims to analyse the various network models and design a network according to the client's requirements.
1. All the Cisco network models: Campus network, Hierarchical network, Enterprise edge model have been reviewed.
2. According to the client requirements the suitable network model has been identified and designed.
3. Proper selection of the devices (Routers, Switches, Computers, cables) has been made to meet the service requirements.
4. The cost for all the devices and equipments that are required has been estimated.
5. Centralised internet connection has been provided for the branch sites from their respective headquarters. This provides high control on the data between the sites.
6. IPsec is cond for data security while using the backup line when the main link goes down. Cisco IOS Firewall is also cond on the perimeter devices.
7. The designed network has been cond on the simulator and all its functioning has been tested.
2.3 DISSERTATION STRUCTURE:
1. CHAPTER 1: This chapter briefly discusses about the abstract of our project.
2. CHAPTER 2: This chapter briefly explains the introduction of our project topic, reviewing all the objectives and ends with the conclusions of each and individual chapter in our dissertation.
3. CHAPTER 3: This chapter explains the background of various network topologies, reviewing of all the concepts like routing, switching, IP addressing and ends with the discussion of the QOS, security issues.
4. CHAPTER 4: This chapter introduces the requirements of network design, implementation, testing and ends with the explanation of all configurations.
5. CHAPTER 5: This chapter briefly discusses about all the experimental results and ends with the analysis of the obtained results.
6. CHAPTER 6: This chapter discusses the entire evaluation of our project and ends with the introduction of conclusions.
7. CHAPTER 7: This chapter briefly discusses about the overall conclusions.
8. CHAPTER 8: This chapter provides the recommendations and future work in our present topic.
3.1 Cisco Network Models:
Network models may change due to the implementation of different technologies which are applicable to us. But the goal of each model is finally same which is convergence and achieving service integration. There are 6 different geographies available in an end-end network architecture which is briefly discussed below: ( Inc., C. S. (Mar2009, Roberts, E. (8/28/95).
3.2 Cisco Hierarchical model:
It is an older model which is good for network scalability. The entire network is divided into 3 layers which are given below:
Access layer: These devices are generally developed entirely in a network for the purpose of providing clients access to the network. In general it has been done by the switch port access.
Distribution layer: In general, these devices are developed as aggregation points for access layer devices. These devices can be used for the dividing of workgroups or some other departments in the network environment. They can also provide WAN aggregation connectivity at various Cisco Network Models.
Core layer: These devices are designed for the purpose of fast switching of packets and they should provide the redundant otherwise it results in loss of degradation of service at the time of network congestion or link failures. Finally these devices help in carrying the entire network traffic from one end to the other end.
Finally this model provides good scalability and it supports the combination of SONA, other interactive services and these are applicable to any topology (LAN, WAN, MAN, VPN..) or other connectivity options which are applicable to us. The following diagram (3.1) shows us the Cisco Hierarchical model.
3.3 Campus Network Architecture:
In last 10 years it has been developed rapidly and the no of services supported in this model are more. The basic structure of this model is just an extension of the previous model. It supports the implementation of various technologies in this model like QOS, MPLS VPN, IPSEC VPN, and HSRP and so on. It provides the network access to campus wide resources and provides layer 2 switching; layer 3 switching at the Access and Distribution respectively.
Services in this model are switched from stateless to stateful and provide redundant devices to monitor all the events, connections in a network. Meeting of these requirements requires some changes in its basic model. The following (3.2) shows us the campus network architecture model.( Gilmer, B. (Nov2004)
It provides the combination, multi- service environment which gives the sharing and connectivity of all the users who are working at the remote, branch sites. It requires the combination of both hardware and software devices for providing the services and applications to all the clients in a network architecture. SONA architecture helps an enterprise model to extend its services to the remote site under the consideration of good service levels. Cisco Unified Communications, security and so on can be offered at all the branch sites to overcome the problems of inadequate connectivity. The following diagram (3.3) shows the branch network architecture.
It plays a major role in the deployment of any network. Now days, it is growing rapidly to implement more SONA functions. These additions of new functions like virtual servers, instant applications, dynamic change of network configurations and so on. Some resources will be added online to get the support of upcoming needs. This network architecture provides the info about on- demand services which provides dynamic network environment to all the users, consolidation of services while growing of various business applications provided by an adaptive network. Finally this network model reports more usage of our capital without any changes in its infrastructure.
In general it has been developed for the purpose of higher level security features in network architecture. It has been done by the support of several server farms having different functionality from DMZ (demilitarized zone) functions like DNS, FTP, HTTP, Telnet and so on for all the users (internal/ external) to share various applications and services among partners and to get the access of internet applications.
This network architecture is entirely different and it can make a new or it can break the all discussed Cisco versions. Based on the discussion of all the services like SONA, QOS, and transport services and so on which would mandatory in an end- end system? Based on the bandwidth requirements, their functions and providing QOS the WAN/ MAN has been designed. The functioning and geography plays a major role in deciding the method and speed connectivity's among various sites. The cost of total deployment of a network may vary and it is different from each other. If the connection exists between the sites is a traditional frame relay or if it is provided by a service provider. For example, by using MPLS this provides layer three connectivity between two ends. And it also varies by considering the distance between two sites. The convergence of various types of application over an IP network requires good connectivity, high security levels and providing of good services over the large WAN. The following fig (3.6) shows the WAN/ MAN architecture. (Israelsohn, J. (7/22/2004.)
In this approach the overall network design and implementation is discussed with the adequate background. Modular Design Approach:
The recipe for an efficient and robust network is to design the network taking into Consideration the various functionalities/requirement required by the network and placing that functionality into a module. Various modules might end up acting in independent physical devices or one physical device may contain all the modules, the idea is to visualize the various functionalities acting as independent unit. The part of the network which consists of hardware and configurations for the wide area networks is termed as the WAN module of the network. It should contain of the all routers, interfaces, cabling and configurations that belong to the Wide Area Networks. The module should be designed separate from the other modules. Similarly all the devices, interfaces and configurations that are involved in the virtual private network would be designed as one module.
Some aspects of the design for which there are no pointers in the design documents are also discussed in the detail design section with details of the relevant choices.
1) Performance: A network to its end user is as good as how his/her applications perform. Following are few metrics to for measuring network performance.
Responsiveness: The design should be such that it is par with the acceptable responsive time of all the business applications.
Throughput: The rate of traffic passing through a given point in the network, it can be calculated in multiples of bits per second or packets per second.
Utilization: utilization of resources is the most effective metric to calculate the congestion points in the network, aiding the network design to a great extent.
2) Availability: Network Availability is the key factor to a proper network design. Planning for continuous uptime is important for the business to carry out their activities without any interruptions. Following are a few points for availability:
Device Fault tolerance: All the devices installed in the network should be of quality and reliable. Where ever possible redundant ports, modules and devices should be installed.
Capacity Planning: A network design should consider adequate capacity planning, for example how many connections can a link handle in worst case scenarios.
Link Redundancy: As per the business requirement at least all the important links and internet connectivity should be redundant.
3) Scalability: All the network modules should be designed as such that they should cater for future requirements as well as today's needs.
Topology: The topology should be designed as such that it would require minimal configuration whenever any major or minor changes are required.
Addressing: The network addressing should allow routing with minimum resources. For example by using route summarization and proper ip addressing scheme which would have minimal impact or no impact on the existing networks or subnets and routing mechanisms. Local Area Network Module:
The local area network design primarily consists of dividing the various departmental requirements into logical network separations.
1. At all the sites will create individual virtual area networks for all the departments.
2. All the virtual area networks will use a class c /24 subnet mask, reason behind that is the IP addressing used for the internal networks is all private and hence no sub netting is required.
3. All the Vlans at all the sites are local Vlans which means that they do not extend across the wan pipes.
4. The departments at different sites might have similar names and functionality but its always recommended that the Vlans are kept to be local.
5. The Virtual are network will divide the whole LAN into virtual boundaries allowing for broadcast control and provide for access-control using access-lists.
A VLAN has been provisioned for the Server Network and wireless network at each site as well. The VLANS are local to the respective sites only and are class C /24 networks.DOT1q trunks have been placed between the layer 2 switches and the routers at each site. DHCP:
The DHCP is Dynamic Host Configuration Protocol provides automatic IP addresses
To the hosts on the TCP/Ip network [RFC 1531].It uses BOOTP known as bootstrap protocol. The DHCP server can be on the same or on a different network away from the host pcs. This is possible with the dhcp relay agent. When a client Pc boots, it searches for the server by sending broadcast packets on the network. When server gets theses broadcast packet it responds and sends a packet with an IP address to the client from the DHCP pool. The client can use the IP or can request for another IP instead. The client can hold this IP as according to the configuration in the DHCP server. The minimum duration for the client to hold the IP address is 8 days. After this period the clients has to make a new request for an IP address. This how , the DHCP usage in the network will reduce the intervention of the administrator from giving the IP addresses manually.
For a Pc to connect to the internet and communicate with the other Pcs on the internet, it needs a public Ip address. One has to pay to have a public IP. It will be very expensive to have all Public IP addresses in a network. So, NAT provides a facility to convert the private IP address to the Public Ip which is on the interface of the device (router) that is directly connected to the internet via ISP. This saves money. Moreover it provides the additional security to the internal network
By using the one public address.
Following are the benefits that NAT provides:
1.Preservation of IP address
2. IP address and application privacy
3.Easy management Routing Module:
The routing module consists of the routing architecture at each site; it is the responsibility of the routers to forward packets to the correct destination. Routers by querying the routing table make the forwarding decision.
1) Static routes: At each site static routes have been placed at each head quarter sites. Static routes are the manual routes that are placed by the network administrator manually in the router and have to be taken out manually as well.
At the headquarter site the static routes point to far end headquarter site or to the vpn subnet.
2) Default routes have been placed at all sites, Default routes are treated by the routers as a catch all. If there are no specific routes towards a given destination, the default route will be picked up and the packet would be forwarded out of that interface to which the default route belongs.
Since the Internet has more than 100,000 routes , it would be infeasible to place all those routes into our routing table , so instead a default route has been placed at each headquarter to forward all the internet traffic towards the interface belonging to the ISP end. Since we are using the far end headquarter as back up to our internet connections at each site.
A special type of default route has been added in each headquarter, if the internet link goes down, the floating route will come into the routing table and the original route will disappear. The floating route is nothing but a default route with a higher administrative distance. This is a feature of Cisco IOS, it originally takes the route with the lower AD and places that into the routing table, if that route is lost it would place the second default route with the higher administrative distance.
3) Routing Information Protocol: Routing information protocol version 2 has been used to propagate the Subnet routing between the sites. RIP is a distance vector routing protocol which advertises its routing tables to its neighbours and has a hop count of 15 , since our network has only five sites at the moment, RIP has been used for routing between the networks , the RIP version2 is the recent version of the rip ipv4 and it can carry variable length subnet masks . The RIP is adequate for our requirement.
(http://www.ciscosystems.org/en/US/docs/internetworking/technology/handbook/Routing-Basics.html accessed on Dec 12 ,2009) RIP:
As said earlier Routing Information Protocol is the only widely used distance vector protocol. It propagates the full routing table out to all participating interface in every 30 seconds. RIP works very well in smaller networks, but it is not scalable for large networks having slow WAN links or on networks with more than 15 routers installed. RIP version only supports class full routing, which essentially means that all devices in the network must have the same subnet mask. The reason: RIP version 1 does not propagate with subnet mask information. RIP version 2 supports classless routing, which is also called prefix routing and does send subnet mask in the route updates. (Chin-Fu Kuo; Ai-Chun Pang; Sheng-Kun Chan (Jan2009,)
RIP has 3 different timers which regulate the performance:
Route update timer: This timer sets the delay between the propagation of the full
Routing table to all the neighbours: this would be normally 30 seconds.
Route invalid timer If the router doesn't hear any updates for a particular router for 90 seconds it will declare that route invalid and will update all the neighbours to that the route has become invalid.
Route flush timer : After the route has become invalid , another timer starts which is normally 240 seconds ,if the router doesn't hear anything about the said route , it will flush the route out of its routing table and will update the neighbour that I am going to remove this route from my routing .
RIP being a distance-vector algorithm propagates full routing tables to neighbouring routers. The neighbouring routers then add the received routing updates with their respective local routing table's entries to accomplish the topology map. This is called routing by rumor, In routing by rumour the peer believes the routing table of its neighbour blindly without doing any calculations itself.
Rip uses hop count as its metric and if it finds that multiple path share the same cost to a particular destination it will start load-balancing between those links, however there is no unequal cost path load balancing as there is possible in case of EIGRP. Rip can be troublesome in many ways:
Rip actually only sees the hop count as a true metric, it doesn't take care into consideration any other factors So if a network has two paths, the first only 1 hop away with 64 Kbps of bandwidth but a second path exists with 2 hops but each link having a bandwidth of 2 mbps , RIP will always prefer path no 1 because the hop count is less. Rip has a very crude metric and hence not a protocol of choice in many networks.
Since RIP by default is classless and is a true distance vector protocol, it also carries with itself same issues as presented by the distance vector routing protocols, fixes have been added to RIP to counterattack such problems.
Snort is an open source network based intrusion detection system, it can do traffic logging and intrusion detection analysis on the live traffic, snort is installed on a host and the interesting traffic is copied to it via the port mirroring or port spanning techniques, Snort can be also used inline on an Ethernet tap, it can work in conjunction with Ip tables to drop unwanted traffic.
Inter-site Routing: The routing protocol RIP version 2 will propagate routes among all the sites, each Vlan will be advertised as a network in the routing protocol. Switching:
The switches at each site carry all the virtual local area networks.
1) A DOT1q trunk has been placed between the switches and the routers at each site. The dot1q trunks carries all the Vlans from the switches to the routers, the routers act as the layer 3 gateway for all the Vlans present in the site, the layer 2 switches alone cannot act as the layer 3 gateways and hence they require some kind of layer 3 device.
2) All the other ports in the switches are either access ports or are trunks to other switches in the same sites. The access ports are the user ports, each access ports would belong to one or the other Vlans. The no of access ports in the building would decide the number and the model of the switches to be placed inside the access layer.
Vlan: By Default all the ports on a layer 2 switch belong to the same broadcast domain. The broadcast domains are segregated at the router level, however there are requirements to segregate the broadcast domains in campus switching environments, hence the virtual local area networks are used. The numbers of Vlans in a switch are equal to the number of broadcast domains, the ports on the switch which belongs to a particular Vlan belongs to a certain broadcast domain of that Vlan.
Devices in one Vlan cannot connect to other Vlans if there is no layer 3 connectivity provided.
Speaking of IEEE 802.1Q....
"There are two different trunking protocols in use on today's Cisco switches, ISL and IEEE 802.1Q, generally referred to as "dot1q". There are three main differences between the two. First, ISL is a Cisco-proprietary trunking protocol, where dot1q is the industry standard. (Those of you new to Cisco testing should get used to the phrases "Cisco-proprietary" and "industry standard".)
If you're working in a multivendor environment, ISL may not be a good choice. And even though ISL is Cisco's own trunking protocol, some Cisco switches run only dot1q.ISL also encapsulates the entire frame, increasing the network overhead. A Dot1q only place a header on the frame, and in some circumstances, doesn't even do that. There is much less overhead with dot1q as compared to ISL. That leads to the third major difference, the way the protocols work with the native Vlan.
The native Vlan is simply the default Vlan that switch ports are placed into if they are not expressly placed into another Vlan. On Cisco switches, the native Vlan is Vlan 1. (This can be changed.) If dot1q is running, frames that are going to be sent across the trunk line don't even have a header placed on them; the remote switch will assume that any frame that has no header is destined for the native Vlan.
The problem with ISL is that doesn't understand what a native Vlan is. Every single frame will be encapsulated, regardless of the Vlan it's destined for. Access ports:
An access port is a port which does not carry any Vlan information, the port which is cond as a an access port, on that port the switch takes off the Vlan information and passes the frame on to the end device, end device be it a pc or a printer or something else has no information passed about the Vlan.
The routing table in a router is populated mainly in 3 ways.
a) Connected routes: router places the networks belonging to all types of its live interfaces in the routing table such routes carry an administrative distance of 0 as they are most trusted routers, these routes are taken out of the routing table if the interface goes down.
b) Static routes are routes place manually by the router administrator and carry an administrative distance of 1, these routes are the second most trusted by the router after the connected routes, since these are being added by the administrator themselves
c) Third type of routes are installed by the routing protocols and carry administrative distances according to the type of the routing protocol. Wireless local area network Module:
A Vlan has been provided at each site which acts as a wireless network, the wireless Vlan connects to wireless access points which provides wireless connectivity to the users. Wireless access points are placed at each floor at all the sites, all the wireless access points will be of Cisco Linksys brands. The wireless access points at each site will be WIFI carrying all a, b or g standard. (O. Elkeelany , M. M. M., J. Qaddour & (5 Aug 2004)
The wireless networks will use WPA2 key security mechanisms to protect the network from unauthorised access and attacks. Proper placements of the wireless access points can be done after a physical inspection of the sites. If a barrier wall or something else obstructs the coverage of the wifi access points at a floor another wifi access point will be required at the same floor. IP Addressing Module:
WAN Ip addressing, all wan connections are point to point and use a /30 subnet mask
A /30 subnet only allows for two actual hosts which fits for the wan connections.
VLAN Ip addressing, all the Vlans including the wireless and the server Vlans are /24 networks
All the future Vlans should be /24 as well, this would help to limit the layer3 broadcasts to only 254 hosts, /24 is being used because our Vlans are all based on class c private addressing and there are adequate addresses in the same class for our future needs as well so there is no actual requirement to subnet any further, sub netting further would actually make the design complex without any real benefits.
The routers also have a trunk which comes from their respective site switches. The 1st valid address of the each Vlan belongs to the router acting as a gateway to the Vlans. These .1 addresses are required to be hardcoded inside the routers themselves.
The host addressing is taken care by the dhcp protocol, each router as its site will act as a dhcp server for all the Vlans present in the same site. The router acting as a dhcp server would provide gateway information to the hosts in each Vlan as well as the dns servers to be used and the domain information as well.
A separate list has been maintained for the hosts outside the dhcp scope, should there be a requirement that a host be provided a static Ip address, and the same Ip address should be added to the list of non dhcp addresses for each Vlan at each site. Server Farm Module:
A special virtual area network is in place at every site for a special purpose, this vlan only has servers placed in it, this Vlan acts as a DMZ at all sites. The servers at various sites are placed in separate Vlans to protect them from the broadcasts created by the users in the site as well as blocking unauthorised access. If the requirement arises that a server should also be placed in another Vlan at same time, either 2 network cards should be attached to the same server and each placed in the respective Vlan, if the server is required to be attached to more than 2 Vlans, then the server should carry a special network card which could build trunks with the 2960 switches. The speed and duplex modes on all the server ports should be manually cond by the network engineers as there are chances of duplex mismatch in the auto mode. Unauthorised access can be blocked into the server farm via using IP access-lists feature of the Cisco IOS.( Zhuo L , W. C., Lau FCM . (OCT 2003 ) Security Module:
This is the most important module of the network design, as its name suggests it would cater for the network security, following are the security measures in place for the network designs. An integrated Cisco IOS firewall protects the perimeter interface (internet connection) from attacks from the outside world at both the headquarter sites; IOS firewall uses stateful inspection for the protocols listed in the firewall itself. As advised earlier the access to the server Vlan at each site is also controlled by the use of IP access-lists, only authorized IPs/networks and that too only on specific ports are allowed to traverse the DMZ(DEMILITARIZED ZONE).
There are perimeter access-lists in place at the headquarter sites blocking most common and known attacks from the internet. The internet modules have been centrally designed to keep a tighter control and strict security. An additional measure of security can be placed at each site by adding an intrusion prevention system to each headquarter. A very effective intrusion detection engine is SNORT, being open source it can be installed in a very short period of time and is free. Further management Vlan can be secured by using port security and sticky Mac mechanisms.
The Cisco IOS firewall is an EAL4 certified solution and is a stateful firewall, it is integrated into Cisco router IOS, IOS is the best available routing, security and VoIP software around, and integrating a stateful firewall produces an economical yet flexible solution. It is the ideal solution for small offices, branch offices and wherever the need arises for an embedded firewall solution. The Cisco IOS firewall can be turned on and off in the desired manner on the desired interface in the Cisco router
Cisco IOS firewall can be cond in basically two modes, Classic firewall also known as CBAC - control based access control or the new configuration technique which is called Zone based policy firewall. The later one is used wherever the network is required to be divided into various zones for example a DMZ zone. The later configuration methodology will be carried on in the future as it caters for the changing needs of networks.
The Wan connectivity for the NoBo designs has been designed taking in consideration of the following characteristics
Head -quarters: All the head Quarters have been has been connected via an International leased line from service provider. All the branch-offices are connected to their headquarters via leased lines as well via service provider.
Wide Area Network Back up
The internet connectivity at both the remote and client sites can be used as a backup in case the primary WAN link is down; a separate site-to-site vpn link will be required to be cond between the two sites. The site to site vpn will use the IPSEC framework which would be only used if the floating routes that are present in the Cisco routers start pointing towards the vpn links in case of the wan link outage.
This IPSec vpn back up link should be strictly used as a back up as the internet bandwidth is limited and the latency is high. Network Management mechanisms would notify everyone, if the primary wan link is down. If the requirement for the backup link for a branch site comes up, same methodology can be used, the branch can acquire its own internet connection and use it as a backup link to its respective head office. In that case changes in routing will also occur. IPSec:
IPSec is a protocol contains set of features that protect the data which traverses from one location point to another. The location itself defines the type of VPN. The location could be anything such as pc on the internet, a small regional office, a home office or any corp. headquarters.
A user on the go would always connect to a user to site vpn and all the others would be called a site to site vpn.
The IPSec protocol works on layer 3 and above, like tcp/udp header and data and does not protect any layer 2 frames, a different kind of protection mechanism has to be deployed for the same and also is possible only in the controlled network.
The encryption and IPSec are many times thought to be one and the same thing but they are different, IPSec is basically a suite of protocols and one of them does encryption.
Following are the features of the IPSEC protocol suite.
* Data confidentiality
* Data integrity
* Data origin authentication
Data Confidentiality: This means that the data is kept confidential between the IPSec end points. Since IPSec vpn are mostly used over the internet. Hence the data can be captured and used by hackers. Even the data between private networks is subject to being hacked, so internet is not the only unsecured place. Various encryption techniques and algorithms are used to scramble data which travels between two vpn sites. The encryption algorithms used in IPSec are not very easy if not impossible to break. IPSec process also involves the selection of the encryption algorithm and how to distribute the encryption keys to the respective parties. As stated above encryption is not a necessary feature of the IPSec protocol but it is on mostly at all times in all IPSec vpn connections.-
Data integrity guarantees that the payload was not tampered/ altered in the transit between the IPSec VPN endpoints .This feature itself does not do any kind of data confidentiality but it uses a hashing algorithm to ascertain if the data in the IP packet was changed between endpoints. Payloads that get tampered or changed are always dropped by the IPSec.
Data origin authentication deals with the source of the IPSec VPN packets. The feature is used by all the VPN endpoints to determine that weather the other end is genuine or not. Anti-replay is an optional IPSec feature which determines that that no data packets are duplicated within the vpn connection IPSec uses sequence numbers in the packets and a windowing mechanism on the receiver side. A comparison is done between the sequence number and the sliding windows to detect late packets and further these late packets are treated as duplicate packets and are dropped
As it has been discussed earlier that IPSec is a suite of protocols and these protocols are open standard, the reason behind it is because interoperability between various vendors is a necessarily. The IPSec protocols themselves never specify any particular type of authentication, encryption algorithms, key generation techniques, or security association (SA) mechanisms.
IPSec uses 3 main protocols which are as follows
* Internet Key Exchange
* Encapsulating Security Payload
* Authentication Header
IKE: Internet Key Exchange provides a framework for the negotiation / exchange of security Parameters and the authentication keys. An important point to consider is known there are many possible options which can be used between IPSec VPN endpoints.
What IKE essentially does is that its supports the exchange of this parameter or so called options. It secures the exchange.IKE also does the exchanging of keys which are used by the encryption algorithms of IPSec. The symmetrical algorithms are the most popular ones with in all the encryption algorithms used in the IPSec vpn. IKE phase provides the encryption and secure transfer of keys for the symmetrical algorithms.
Encapsulating Security Payload is the actual framework for providing the payload confidentiality, integrity, origin authentication, anti-replay features of the IPSec suite of protocols. ESP is the sole protocol of IPSec which caters for data encryption, although it can also do all of the IPSec features
As ESP is used in today's IPSec vpn commonly following are the encryption algorithms which are used.
* Data Encryption Standard: This standard although outdated. But is commonly used and is hack able.
* Triple Data Encryption Standard: This is block cipher using DES three times. This still holds good
* Advanced Encryption Standard: This is also one of the most widely used encryption algorithms today
Authentication header is not commonly used these days as ESP is most widely used, the reason. Ah does not provide any data confidentiality which ESP provides but AH just provides a framework for doing data integrity, origin authentication and anti-replay functionality. AH uses a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check mechanisms. IPSec Modes:
The cover of protection offered by IPSec to the Ip packet is defined in 2 different modes. In the IPSec packet, an IPSec header follows the Ip header and it also has an Ip protocol number, so what it essentially means that all the IPSec features work after the Ip protocol layer header. Following are two IPSec modes: tunnel mode and transport mode
When the original Ip header is kept and an IPSec header is added after it, it is called the transport mode, since IPSec only plays the role at the transport layer, the original Ip header is unprotected from the attacker. The data and the upper layers are protected by the IPSec protocol; in this case the payload is safe but the Ip headers can be seen by anyone in the untrusted network.
The second mode is known as the tunnel mode, the original Ip header details are also protected, the same thing is done for the payload as well, A new ip header is created in this mode, the Ip addresses displayed in this mode are of the tunnel endpoints and not the device Ip addresses that are behind the tunnel endpoints. The second mode is more safer as it hides the end to end communication happening , giving less chance to a packet hacker to ascertain the right packet, if they need to know the end to end packet information , they will need to hack the packet header first and then the payload. Virtual private networks Module:
The virtual private area networks allow the remote users to login to the network in a secure fashion. The Cisco internet routers will function as VPN routers as well; the static public address provided by the ISPs at each headquarters will be used at vpn gateway addresses. The remote users can login into any of the 2 headquarters and can reach the desired servers. ( Bolla*, R. B., Roberto, Davoli, Franco . (06 Jun 2006)
1. The pcs at remote locations will be treated as an extension to the network.
2. The users will use the Cisco vpn client on their windows Mac or Linux pcs to connect to the vpn gateway.
3. IPSec is the suite/framework of the open standard protocols which provide data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer.
4. Internet Key Exchange is used to handle negotiation of protocols and algorithms as per policy and it generates the encryption and authentication keys to be used by IPSec.
5. IPSec happens in the second phase and is used to protect data flows between 2 remote hosts across the internet.
What is encryption?
"Encryption is the transformation of plain text into a form that makes the original text incomprehensible to an unauthorized recipient that does not hold a matching key to decode or decrypt the encrypted message."
Decryption is the reverse of encryption; it is the transformation of encrypted data back into plain text. Encryption techniques are as old as history in fact, Julius Cesar apparently did not trust his messengers and therefore encrypted his military messages to his generals with a simple encryption scheme; he replaced every A by D, every B by E, and so on. Only someone who knew the key (to shift each alphabetical letter by three, in this case) would be able to decrypt the message.
Following are the encryption and hashing algorithms used by the IPSec.
AES stands for Advanced Encryption Standard. A cryptographic algorithm which protects information. . AES is more secure than DES: AES has a larger key size than DES; it ensures that the only known approach for message decryption is to try all possible keys. AES has variable length keys 128, 192 or 256-bit key.
DES: Data Encryption Standard is another encryption algorithm, an old one. A newer version of the same protocol is Triple DES encryption; Triple DES has stronger encryption than its counterpart DES and is used by data to traverse the un trusted networks utilizing network layer encryption schemes.
MD5 is message digest algorithm and is a hash algorithm. HMAC is a keyed hash variant used for data authentication.
AH: Authentication Header is a security protocol used for data authentication and also anti replay services. AH embedded itself in the data to be protected for example an IP datagram to be protected
ESP: Encapsulating Security Payload. Provides data privacy, data authentication, and anti replay services. ESP encapsulates the data which needs to be protected.
The vpn connections at the NoBo designs will use pres hared keys, these key will be generated by using complex key generation software's so they are nearly impossible to guess. Quality of service module:
For a converged network this module should be designed carefully.
The entire network traffic has been divided into four classes.
1) Real time traffic (Voice and Video Traffic)
2) Application traffic (all the app servers)
3) VPN traffic
4) Internet traffic
Currently Auto Qos is being used for simplicity to provide priority to the voice and video traffic.
In the auto Qos mechanism the Cisco router uses NBAR mechanism to inspect traffic.
In case of the manual Qos policy, the traffic should be marked accordingly at the edges, i.e., at the entry point of the traffic. The manual Qos policy should be applied in the phase 2 of the network design. Once the network is operational, the various traffic flows can be measured and the appropriate queuing techniques can be applied.( A, M. (NOV 2005 )
(http://www1.cisco.com/en/US/docs/internetworking/technology/handbook/QoS.html#wp1024961 accessed on Nov 29 ,2009)
The QOS policy will be enforced with priority queuing technique over the wan pipes. The classification of the traffic is as follows.
VOIP and VIDEO traffic - highest priority
Application Traffic/Mission critical - Second high
Internet (backup) - International leased line - No priority at all. Internet Module:
Every site in an enterprise network model requires internet connectivity. The design of the internet connectivity in an enterprise model is redundant and centralized.
The remote and the client head quarters carry 2 high speed fibre connections to internet service providers at their respective locations, all the other sites present in the respective countries connect to their respective head offices for connection to internet via the wide area network pipes.
Following are the benefits for keeping the internet connectivity centralized
1)Internal Access control : As the company grows more and more branch offices would be added to the company, keeping a check and access control would become more and more difficult , if the users connect to the internet via centralized points, it's easier to implement control.
2) Centralization: More Protection from threats and attacks from the internet, keeping net connectivity centralized would make the security easier and centralized.
3) Low Cost: Hardware and Administration costs for the internet will also be lowered with this centralized design.
Internet redundancy: The 2 head quarters are playing as backups for each other internet connections, for example if the internet link goes down at the client end , Routing mechanisms have been placed that the internet users from the client and its branch will be automatically switched to the remote site internet connection.
In case the internet link on each site is up and there is a routing issue/packet loss with one of the internet service providers, a provision can be made using Cisco's IP SLA service to track the connection and switch the users to the other head quarters in case of any problems. Internet Bandwidth considerations:
The Bandwidth at both the headquarters can be decided with the following inputs.
1) Estimation of the usage by all the employees varies from company to company, depending on the type of activity.
2) Consideration of the fact that each link will be used as a backup for the other headquarter in case of an outage at the other end
3) The fact that each internet connection is also providing the remote user virtual private network connectivity as well, on the same token, if the Internet connectivity is broken on the far end headquarter the site will have to become the internet entry point for the users of the other continent.( Santitoro, R. (Apr2007,). Internet connectivity:
The headquarters are connected to the internet via internet service provider. A separate leased line has been provisioned for the same.
All the branch sites with their respective WAN pipes are connected to the internet via their headquarters.
Internet Backup: The two headquarters will use each other as backups for their internet connections via the International leased line using STATIC FLOATING DEFAULT ROUTES. The first static default route will be placed to the ISP and second default route will be placed towards the International leased line from both sides with higher administrative distance. Remote and home users:
The remote and home users can connect securely to the internal networks via using the USER IPSEC VPN through the respective headquarters. The user IPSec vpn will be deployed such that if the server Internet service is down the remote and home users can still connect to the branch vpn connection and get to their respective servers. VOIP:
A separate voice Vlan can be cond for the VOIP and video traffic at each site. Telephony services will be cond to facilitate VoIP calling. Dial-peers are used to route the voice calls to the destination. These dial-peers are similar to the static routes. These routes identify the destination peer by using session target. VIDEO CONFERENCE:
All the video traffic should be marked and classified at the source, that is on the access port of the switch from where it originates. After the video traffic has been marked , on the wan connection between the NY and London , it should be properly qos, the policies applied to the voice traffic which is also a type of real time traffic can be applied to video as well. The Qos for the video traffic should be a part of the qos policy formed for the NoBo designs.
The video conferencing devices will be connected to the respective switch at each site. The details about the opposite video conferencing devicemust be entered in both the devices. The video traffic will be identified on the switch and will be marked accordingly once the video traffic goes to the wan router it will be queued according to the qos policy. Project Equipment Cost:
1. Personal Computers: HP Pavilion Slim line s5211 each £369.32
2. Cisco 2960 switch 10/100 T 48-port £ 833/- each
3. Cisco 3560E -10/100/1000-48 ports-£7783 each
4. Cisco 2811 Router: £1,824.24/- each
5. Linksys Cisco WRT54G wireless router £59.99
6. Cat5e (305M) enhanced cable-£25 Video Conferencing:
Polycom QDX 6000 Video conferencing kit from is suggested for video conferencing. It is the most widely used device for corporate video conferencing. It is as reliable as Cisco versions and available for cheaper price: £2,703/-. Sony PCS will be used and it costs: £1,910/-
The site- site leased line prices for different service providers are given in general in the above table from the web sources.
Limitation: It was not possible to get the exact cost for the leased lines and backup lines, as the information is not open for everyone.
INTERNET SERVICE PROVIDER (ISP):
The ISP BTnet is chosen for the leased line among the sites located in up and Eclipse internet is chosen for the backup line. AT&T is chosen for the leased line for the sites in America and Level-3 is chosen for the backup. BTnet can provide various Bandwidths (2, 4, 10 Mbps..,) of leased lines. For the proposed network about 10 Mbps approximately bandwidth is suggestible.
Chapter 4: PRACTICAL WORK
This document presents a detailed plans, designs as well as configurations for our Client NoBo Designs. Recently they have acquired five locations which are spread over Europe and the Americas, All the networks are acting independently of each other. The Primary goal of this exercise is to plan design and con all five sites as such that they act as an integrated network with users from one site being able to connect the services on the other sites. Further the network design should also provide for Local area networks and virtual private networks for the remote users as well Ip addressing design etc. The solution should also consider the VOIP and security requirements.
1. What is the main purpose of the network?
2. What kind of servers (file servers, web servers, application servers, etc..) will be used to provide service to the users. Servers that are to be used are centralised or distributed.
3. Where the users located are, are they any physically separated sites?
4. How many numbers of users at each site?
5. What is the type of connectivity between each site?
6. Does the network require any internet? If yes is that a leased line, broadband, or a dial-up connection?
7. What is the networking communication protocol?(Ethernet , token ring )
8. Which protocol is used to provide security for a network?
9. Select an ISP provider by considering service, uptime/down time, and band width.
10. Do you need any back up internet connection?
11. Does the network require any firewalls?
12. What are the public and private IP addresses to be used (public addresses will be given by ISP).
13. Does the network requires NAT (network address translation) service and/or DHCP (dynamic host configuration protocol) .
14. What type of routers, switches, and firewalls are used .
15. Does the above mentioned devices need any security (privileged mode, global privileged mode) to avoid unauthorised user access .
16. Does the network need QOS (quality of service) implementation?
17. Does the network require any monitoring tools?
18. What is the budget for the network that is to be designed?
NoBo Designs have the following specific challenges.
Ø NoBo Designs is required to provide dedicated connections between all the five sites spread Across USA and Britain.
Ø All the sites should have continuous internet connectivity.
Ø The ip addressing scheme for all the sites as well as wide area network connections also needs to be designed.
Ø NoBo designs has different departments at each site, the ip addressing should flawlessly assimilate to provide adequate addressing as well as there should be logical separation at the same time.
Ø A separate subnet/network should be provided at each site for the servers , this subnet would act as an internal dmz.
Ø Provision required for remote connectivity at all five sites.
Ø Provision required for VoIP and video traffic between the two head offices.
Ø A wireless (wifi) network should be present at each site for wireless users.
4.4-Network design -Detailed work:
The network design has been divided into modules as earlier stated; this concept is same as designing an enterprise network where overall network is divided into different modules as per functionality basis. Later the configuration of the devices is also explained in detail.
The Routers and switches used in the NoBo Design are from Cisco systems. The Wireless routers used at all the sites are from Linksys Cisco. The model of the routers is Cisco 2811 along with the following hardware and the software features.
Hardware at London
At the London head office the Cisco 2811 series router should have 1 serial (e1) interface to connect to the service provider for international link to the NY head office. For the link between the London and New York please be aware that the link types used at both sides are different in Americas its T1 standard and in Europe its E1 standard. when ordering the channels
Ø One Serial (e1) interface connected to the Edinburgh site.
Ø One serial (e1) interface connected to the Manchester site.
Ø One Fast Ethernet or Gigabit link connected to the London Switch. This link would carry the trunk.
Ø One Fast Ethernet connected to the fibre link terminator from the ISP providing the internet connection.
Ø It would be a good idea to keep 1 extra port of each type for the purpose of redundancy and scalability.
The reason for choosing the 2800 series router: NoBo is a small business, the Cisco 2800 series router are the perfect fit to merge the vpn, internet and wan modules into one device to keep the costs lower and to keep the design simple.
The IOS version chosen should be such that it supports IPSec VPNS and IOS firewall and DOT1q trunking as well.
Switches: The model of the switches to be used at the London site is Cisco 2960 with 48 ports. At least 4 switches of series 2960 should be purchased and installed.
Reason for choosing 2960 switches: All the features of an access layer switch are present.
Further Cisco contracts for replacements and warranties should be bought.
Hardware at New York site:
The hardware at the New York site is very similar to the London site.
Router 1: 2811 Cisco series with
1 serial port for the London site
1 serial port for the Sacramento site
1 Fast Ethernet or Gigabit link connected to the NY Switch. This link would carry the trunk.
1 Fast Ethernet to connect to the fibre link terminator from the ISP providing the internet connection
Switches: 2 Cisco 2960 switches.
All the other hardware considerations are the same as explained in the London site.
Hardware at the Edinburgh site:
Router 1: 2811 Cisco series with
1 serial port for the London site
1 Fast Ethernet or Gigabit link connected to the Edinburgh Switch. This link would carry the trunk.
Switches: 2 Cisco 2960 switches.
Hardware at the Manchester site:
Router 1: 2811 Cisco series with
1 serial port for the London site
1 Fast Ethernet or Gigabit link connected to the Manchester Switch. This link would carry the trunk.
Switches:2 Cisco 2960 switches.
Hardware at the Sacramento site:
Router 1: 2811 Cisco series with
1 serial port for the NY site
1 Fast Ethernet or Gigabit link connected to the Sacramento Switch. This link would carry the trunk.
Switches: 2 Cisco 2960 switches.
For wireless, at each of the site depending on the number of the floors, Linksys cisco wrt54g routers should be placed.
The first and foremost metric is the bandwidth, how much bandwidth is required to support all users and applications, let's take it link by link.
The overseas link between the London site and the New York site requirement are as follows:
London has 4 servers with proprietary software:
LONADMIN -London Administration Server
LONTECH - London Technical Server;LONFIN - London Finance Server
Number of Users
Access / Server
Finance and Sales
International Sales and Help
Wireless, Internet, LONADMIN, LONFIN and NYFIN
The London site has 109 users, the users use the internet and some of them use the wan connection as well. There are 18 users at the London site who connect to the NY financial server, now once the actual protocol used by NY fin server can be known, the number of users can be multiplied with the bandwidth used by one user instance of the finance application . This will provide us the first leg of the bandwidth required for the connection between the London and New York site.
(a) Bandwidth of one instance of NY finance server application *18
Similarly when the two Britain branch offices i.e. Manchester and Edinburgh users want to connect to the NY finance, there number should be multiplied with the one instance of the application.
At Manchester there are 2 users which connect to the New York head office admin servers.
One instance of bandwidth used by the NY admin application should be multiplied with the number of users; this would provide us the second part of the bandwidth requirement (b).
(b) Bandwidth of one instance of NY admin server application *2
New York Site
New York has 4 servers with proprietary software: NYADMIN -London Administration Server
NYNFIN -New York Finance Server
Number of Users
Access / Server
Internet, LONADMIN, NYADMIN, SACADMIN
Internet, LONADMIN, SACADMIN
Finance and Sales
Internet, Wireless, LONFIN, NYFIN
International Sales and Help
LONFIN, NYFIN, NYADMIN, LONADMIN,
LONFIN, NYFIN, NYADMIN, LONADMIN
At the New York site, there are 78 users and all of them connect to the London Head office servers. Following are the calculation of the bandwidth used by all of these users.
(c)Administration: 18 users multiplied by the 1 instance of the London administration application.
(d)Personnel: 4 users multiplied by the 1 instance of the London administration application.
(e)Finance and sales: 40 users multiplied by the 1 instance of the London finance application.
(f)International sales and help: 8 users * one instance of London finance app, 8 users * one instance of London administration app.
(g)Management: 8 users * one instance of London finance app, 8 users * one instance of London administration app.
The Sacramento site also piggy backs the NY-London link to reach London and Manchester servers from NY.
(h)Management: 50 users * one instance of London Technical app, 50 users * one instance of Manchester technical app.
The NY-London link is also acting as up a back up to the internet connection at the head offices
(i)The amount of bandwidth which can be dedicated to the backup internet link should be taken into consideration over here.
(j) The NY-London link would be also used as a back up to the remote user virtual private networks the number of back up vpn should be established and relevant bandwidth should be provided, if the company policy is to use the internet bandwidth as a superset of the vpn bandwidth, then at least the vpn bandwidth should be Qos, i.e. the internet will be given the last priority.
(k) The bandwidth consideration for the VoIP and video connections should also be added to the bandwidth required for VoIP and video calls can be calculated by using the following method. Calculate the maximum number of VoIP and video calls which can happen at a given time using erlangs. There are several web calculators for VoIP and video.
The total bandwidth required for the NY-London Link can be calculated by adding all the elements from (a) to (k). The remote office will use the link to their respective geographic head offices for the internet connections as well as the application connectivity and the remote users will also traverse the same link to reach the respective servers at these branch offices. Following is the calculation of the bandwidth required at each branch site.
Provision for the bandwidth used by vpn users at each site can be calculated by estimating the number of simultaneous vpn connections allowed at each site. As of now each vpn connection bandwidth can be taken from the internet bandwidth available by using quality of service mechanisms.
Manchester: one instance = bandwidth for one app instance in each direction.
Manchester has 3 servers with proprietary software: MANADMIN -Manchester Administration Server
MANTECH -Manchester Technical Server: MANFIN -Manchester Finance Server
Number of Users
Access / Server
Internet access, MANADMIN, LONADMIN,NYADMIN,NYFIN
Managers require Wireless / INTERNET, MANADMIN, LONADMIN, LONFIN
Wireless, Internet, MANTECH and LONTECH
Wireless, Internet, MANTECH and LONTECH
Personnel: 2 users * one instance of London administration app.
Management: 2 users * one instance of NY administration app
2 users * one instance of NY finance app
2 users * one instance of London administration app.
2 users * one instance of London finance app.
Tech design: 30 users *one instance of London technical application.
Edinburgh users: 24* one instance of Manchester Financial application.
Edinburgh users: 12* one instance of Manchester Administration application.
Provision for internet site company policy.
Edinburgh: one instance = bandwidth for one application instance in each direction.
Edinburgh has 2 servers with proprietary software: EDADMIN -Edinburgh Administration Server
EDFIN -Edinburgh Finance Server
Number of Users
Access / Server
Internet access, EDADMIN, LONADMIN
Managers require Wireless / INTERNET, MANADMIN, LONADMIN, LONFIN, MANFIN
Wireless / Internet, EDFIN, MANFIN, LONFIN
12 users * one instance of London finance app.
12 users * one instance of London administration app.
24* one instance of Manchester Financial application.
12* one instance of Manchester Administration application
Provision for the internet and vpn traffic - site/company policy.
Sacramento: one instance = bandwidth for one application instance in each direction.
Sacramento has 2 servers with proprietary software: SACADMIN -Sacramento Administration Server
SACTECH -Sacramento Technical Server
Number of Users
Access / Server
Internet / NYADMIN
Wireless, Internet, SACTECH, MANTECH, LONTECH
2 users * one instance of Sacramento administration app.
50* one instance of Manchester technical application.
50* one instance of London Technical application
Provision for internet and vpn traffic - site/company policy. GNS3:
The designed network was implemented on GNS3 network simulator. This software allows to use only routing devices that has to be cond. It still gives the same results when implemented on the real network. The configuration of switches was also included with the explanation in the next following section. 4.6-Explanation of the configuration:
Each router in the NoBo has some common configurations, there for each instance of the configuration is just explained once.
Service timestamps debug date time msec
This command enables to print time stamp in the debug printed by the users, it prints date time and msec.
Service timestamps log date time msec
This command enables to add time stamp in all the logs, it prints date time and milliseconds.
Whenever troubleshooting the devices , we would need the exact date time and milliseconds of an event to analyze the occurrence of the events , its more used to analyze what led to what when troubleshooting.
This command enables the encryption of all the passwords in the configuration, so that if some has rights to see the running configuration, they shouldn't be able to see the password, this is a very good security practise to encrypt all your configuration passwords.
This command is self explanatory it sets the hostname of the device to whatever the user places as an argument.
These commands are not entered by the user and they are entered in the configuration by the router itself, these commands help the router to boot up in an efficient manner. For more information one can log into cisco.com and find more information.
Logging buffered 10240 debugging
This command tells the router the router to save the debug inside an internal buffer up to the bytes of number mentioned in the command, after that it follows the first entered first deleted mechanisms, these ensures that the buffer size does not grow too big to hinder routers functionality.
Logging console critical
This command enables the logging of all the critical messages on the console.
Authentication, authorization and Accounting commands
The AAA mechanisms govern that who can login to the router and if they are allowed to login what authorizations do they have, which effectively means that what can do with the configuration, just allowed to see them or change them as well , accounting is the recording of the user activities and logging of traffic for billing and troubleshooting purpose.
This enables authentication, authorization and accounting in the router.
aaa authentication login default local
aaa authentication login userlist local
This command enables that the login authentication into the router would be from the local lists of the usernames and passwords.
aaa authentication ppp default local
This command tells the router that all ppp authentications in the router would be also done with the local lists of usernames and passwords.
aaa authorization network group list local
This command tells the router to follow any local group lists if present for the purpose of authorization.
This command is something that is peculiar to Cisco routers; Cisco doesn't treat subnet numbers starting with zero as valid, why, this discussion is out of the scope of this document , but to enable the subnet zero as valid , we have to enter the above command.
no ip source-route
There are two types of unicast routing , destination based routing and source based routing , the sources and destination are found in the Ipv4 header , this command forces the router not to use any kind of source routing.
Source routing is used when the destination routes are sub-optimal, although source routing is also used by malicious attackers, so source routing should be turned off whenever not required.
ip domain-name local
This command sets the domain name for the router, this might b required in some special configurations but since we are not using it so we have kept the domain name to local.
This command turns on the Cisco express forwarding in the router, Cisco express forwarding is the fast switching mechanism used by the Cisco routers, what it does is that it doesn't do a routing look up in software but once a look up is done for a specific route, the information is entered into the hardware switching, this enables faster forwarding of the packets, for more information , please log into
enable secret sampath
Cisco router command line has 3 modes in it
First mode is the user login mode which has very limited functionality. It is known by the sign >
Second mode is called the enable mode this has more functionality than the user mode. it is known by the sign #
The 3rd mode is the configuration mode and is known by the (config)# sign
The above command sets a password from users logging in to the user mode and trying to get to the enable mode. Only users who know the enable secret can log into the enable mode of the router.
Enable secret is encrypted by the service password encryption.
username Sampath password 0 Sampath
The above command sets a user and its password in the Cisco router, this will be used by the AAA mechanisms for authentication, authorization and the accounting, this is called a local list of the usernames, one can always use other protocols such as radius etc to do AAA from outside radius servers.
This command enables the logging of the configuration changes made by users to the syslog, hide key is specially used to hide any passwords entered by the user in the log file.
description connected to NY router
ip address 192.168.109.2 255.255.255.252
clock rate 2000000
The above commands show the configuration of the serial interfaces , the first command changes the mode of configuration to the interface sub configuration mode as pointed by the number in 0/0 the first 0 is the slot no and the o after the / is the port no in the slot.
The second line is the description of the interface; this is simply a comment describing the use of the interface. The next line sets an Ip address for the interface and the subnet mask as well,
The next line defines the speed of the interface and not the bandwidth, we have kept the speed as default but this should be changed accordingly to the speed decided with the service provider.
Description Local area network trunk to sac switch
no ip address
interface fastethernet 0/1.1
encapsulation dot1q 1 native
interface fastethernet 0/1.100
!description sales/help vlan
encapsulation dot1q 100
The above configuration is a special kind of configuration done to the fast Ethernet port of the Cisco router.
In this configuration the port has been defined as a trunk port, a trunk port is a port which can carry a no of Vlans to the other end of the trunk.
An Ethernet port can be an access port or trunk port, an access port carries a single Vlan but a trunk port carries many Vlans. The actual hardware interface above has not been given an Ip address but is turned on. The duplex and speeds have been kept to auto.
A logical interface has been created with the command interface fast Ethernet 0/1.1 , it belongs to the port 0/1
encapsulation dot1q 1 native
This command sets the encapsulation to DOT1q and tells that this logical port 0/1.1 carries Van 1.
However this Vlan is a native Vlan , a native Vlan is a special kind of Vlan present in the dot1q trunks , its frame is not modified at all and is used by the control protocols.
An ip address is provided to the vlan interface and acts a default gateway for the vlan.
interface fastethernet 0/1.100
!description sales/help vlan
encapsulation dot1q 100
The above configuration just depicts a normal dot 1q Vlan 100
ip route 0.0.0.0 0.0.0.0 fa0/0
This syntax is used for adding static default routes, 0.0.0.0 0.0.0.0 means a catch all, if no entry in the routing table matches the destination , this default route entry is used. after the 0.0.0.0 0.0.0.0 is the interface no . On the London and Ny headquarters we have default routes pointing to the ISP interfaces and in the branch offices we have default route pointing to the wide area network connection.
ip route 0.0.0.0 0.0.0.0 s0/0 200
This is a floating default route placed on both the headquarter sites. This router is normally not used because it has a higher administrative distance then the normal default route, if the default route disappears from the routing table; only then this router shows up in the routing table as there is no other option left for the router.
ip route 192.168.20.0 255.255.255.0 s0/0
ip route 192.168.30.0 255.255.255.0 s0/0
These are the examples of the static routes placed in the configuration, A static route is a manual entry in the routing table by the administrator telling the router that what interface it should send the packets to in case there is match.
The above commands are used to con the routing protocol called routing information protocol .Using a routing protocol to populate the routing table is the very reverse of using static routing. In the case the user only specifies what network would participate in the routing, the router itself populates the routing table, it uses an algorithm to do the same , the algorithm is defined by the routing protocol used. There are many routing protocols, eigrp , ospf , rip , isis but in our design we have only used RIP because its scalable enough.
The routing information protocol shares the entire routing table with its neighbour and populates the routing table. In the above configuration, we tell the router to start using rip via typing: router rip. The second line we tell the router to use the version 2 of the routing protocol .
In the third and the further lines we tell the router to involve these networks in the routing propagation, once these networks are declared the router will start sending routing updates out of the interfaces belonging to the network. The other neighbour routers running the same protocol will start sharing the information with each other and this is how routing information will spread across the network.
You require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now. If you fail to disconnect you may be prosecuted under relevant law.
The above commands are a banner that will displayed every time a user login to the router , the banner is a very important security deterrent and is used to advise unauthorized users that they should not login if they have no business.
description connection to internet
ip address 18.104.22.168 255.255.255.252
ip access-group 101 in
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 22.214.171.124 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
The above configuration is for placing an access-list on the traffic entering from the internet. The access-list has been applied to the interface from which the ISP is connected; it is applied in the inwards position so as to check the traffic coming from the internet service provider. This kind of access-list is placed on the perimeter devices as a security measures to protect the network from most common known attacks.
A full description of this access-list can be found in the cisco.com website.
description connection to internet
ip inspect samfw out
ip inspect name samfw tcp
ip inspect name samfw udp
ip inspect name samfw cuseeme
ip inspect name samfw h323
ip inspect name samfw realaudio
ip inspect name samfw streamworks
ip inspect name samfw vdolive
ip inspect name samfw sqlnet
ip inspect name samfw tftp
ip inspect name samfw ftp
ip inspect name samfw icmp
ip inspect name samfw sip
ip inspect name samfw rtsp
ip inspect name samfw skinny
The above is the configuration for the Cisco IOS based firewall, this firewall does application inspection and sits on the perimeter devices. The signatures for detecting malicious content in the protocols are already built in to the ios and the user doesn't have to do anything except turning the inspection on, the firewall inspects the protocols going through the internet interface.
ip dhcp excluded-address 192.168.127.1
ip dhcp pool admin
network 192.168.121.0 255.255.255.0
The above configurations provide the details for the dhcp server configuration
ip dhcp excluded-address 192.168.127.1
This command tells the dhcp server to exclude this address from the dhcp pool
ip dhcp pool admin
network 192.168.121.0 255.255.255.0
This is the configuration for the actual dhcp pool. The network command defines the pool in terms of Ip addresses the default-router is the default-gateway used by the Vlans. Domain name and dns server also components propagated by the dhcp server.
We need to con the dhcp pool for the Vlans and the router will automatically pick up the right pool for the right vlan. The command to turn on Cisco router as a dhcp server is : service dhcp
It has been intentionally kept out of the configurations above to it can be started manually once the network is cond.
ip nat inside source list 105 interface FastEthernet0/0 overload
access-list 105 remark Traffic to NAT
access-list 105 deny ip any 192.168.20.0 0.0.0.255
access-list 105 permit ip any any
This is the NAT configuration, the first line tells the router to do nat overloading on the addresses defined by the access-list 105 and the public Ip which will be used is of fast ethernet 0/0. Nat overloading means that all the private Ip addresses will be natted over the internet public Ip , thus it's not one to one nat at all , this is most common technique.
The outside interface for the nat can be defined with the command ip nat outside which in our case is the internet interfaces on the both sites. Packets are natted if they cross only this interface in the direction away from the router. The inside interface for the nat is defined with the command ip nat inside the packets coming into this interface and going to the routing mechanism of the router are only natted.
The access-list 105 is the mechanism by which we can define what packets are to be natted , this access-list basically means that the packets coming and going to the vpn are not be treated with the Nat mechanism. Traffic originating from all the other packets is to be natted.
VoIP configuration explanation:
Following is a small footprint of the VoIP configuration to be done at all sites first we just create a VoIP dial peer.
Dial-peer voice 1 VoIP
The VoIP dial peer points to a single extension no
The extension number can be found at this peer with ip address 192.168.1.1
Session target ipv4:192.168.1.1
The codec we have selected is g711ulaw
In order to con extension numbers and phones and the type of phones etc, we require going into the telephony service mode.
We say over here that max numbers of ephones allowed are 10
We say over here that max numbers of directory numbers allowed are 11
This is an example of how to con a directory number
The directory number 1
The extension number
Name of the user
The rest of the configuration is the Virtual private networking configuration for remote users, the discussion of the configuration is outside the scope of this design document and can be accessed through the cicso.com website, although a brief description of the vpn technology has been provided up in the document.
A common switch configuration to be explained which can be entered on all switches for NoBo The interface that connects to the router will be a trunk, trunk ports carry all the Vlans to the router which is acting as a gateway for all the Vlans in the network. example configuration for a trunk
Int f1/0/1 switchport mode trunk
! the above command defines the relevant port to be a trunk instead of an access port
switch port trunk encapsulation dot1q
The above command defines the encapsulation to be 802.1q which is open standard we can also use ISL which is Cisco proprietary. All the other interfaces will be access ports. access ports only carry a single Vlan, normally an end host is connected to an access-Vlan like a pc or a server
Int f 1/0/2 Switchport mode access
! this tells the switch to keep this port as an access port .
switchport access vlan vlan number
allocating the vlan number to the access port defined. If the switch is also connecting to another downstream switch , that port on which it connects should be also defined as a Trunk port
Before assigning the ports to a vlan number we need to create the vlans. Following command is used to create vlans:
“vlan 100” will creates a vlan with number 100. “vlan-name mgt” command will assigns the vlan 100 with mgt as the name.
Configuration for a voice vlan on 2960 switch, This is a special vlan which should be cond on a cisco switch , this saves ports by allowing the phone to connect to a normal device
Switch# con terminal Switch(config)# interface gigabitethernet0/1 Interface subconfiguration mode Switch(config-if)# mls qos trust cos Con the interface to classify incoming traffic packets by using the packet CoS value. For untagged packets, the port default CoS value is used. We trust the qos marking done by the phone. Switch(config-if)# switchport voice vlan dot1p vlan-id—Con the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094. •dot1p—Con the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5. Switch(config-if)# end
CHAPTER 5: HYPOTHESIS TESTING:
In this chapter the screenshots of telnet session results are explained. These screenshots are taken from the simulator (GNS3). These screenshots will cover the ping results , routing tables and VoIP-configuration.
The London routing table once again proves that connectivity is complete between all the sites as it shows the Rip routes from all the sites. We can clearly observe the info about our neighbours and if there are any changes occurred at our neighbour sites we will get the updated info through the RIP updates. By using this routing table and its dynamic updates info all the routes on every site will be routed to their particular destination. London headquarter as well so it has a default route towards the internet connection, if the internet connection goes down, the floating route will come into place.
The Edinburgh routing table shows the routes propagated between Edinburgh and all other sites
All the routes being displayed are either C which means they are from directly connected interfaces or they are R which means that they are being propagated via the RIP protocol. We can see clearly that all the sites connected to this Edinburgh site. For example network 192.168.209.0 (New York headquarters) is a serial connection directly connected to London headquarters and the network 192.168.106.0 (Sacramento site) which is the finance sales VLAN is connected via New York headquarters and got the roaming access.
The Manchester routing table shows the local routes starting with c and all the RIP routes starting with R, these routes are from all other sites. It also shows the default route pointing to the serial connection which means that internet will also be connected through the London site.
We can clearly observe that network 192.168.210.0 is directly connected to the London headquarters via serial connection; network 192.168.114.0 is directly connected via fast Ethernet 1/0.104 and got the access to the required server Vlans (London admin, London finance, Manchester admin) and network 192.168.101.0, network 192.168.106.0 (New York admin, New York finance Vlans) are connected to this site via 192.168.210.1 (New York headquarters). Finally 192.168.115.0/24 is directly connected by fast Ethernet 1/0.105 and got the access to internet.
The New York routing shows that connectivity is complete between all the sites as it shows the Rip routes from all the sites. We can clearly observe the info about our neighbours and if there are any changes occurred at our neighbour sites we will get the updated info through the RIP updates. New York headquarter has a default route towards the internet connection, if the internet connection goes down, the floating route will come into place. We can see clearly the admin, personnel, finance, international sales and management users are directly connected via fa/0.101 - 0.108, the London headquarters is directly connected to this site via serial connection 192.168.209.2 and it can access the London admin, London finance and Sacramento admin using 192.168.121.0 via 192.168.109.2 (Sacramento serial)
These snapshots are from the Sacramento sites, showing its routing table and connectivity to all the other remote branches, Again if the remote branches through different continents can connect together it proves that the connectivity between the sites is working fine. We can see that clearly the admin personnel and technical design are directly connected by 192.168.121.0, 192.168.123.0, 192.168.127.0 using fa 1/0.101, fa 1/0.103, fa 1/0.107 and got the access to wireless, NYADMIN, LONTECH, MANTECH using 192.168.101.0 via serial 192.168.109.1, 192.168.207.0 via serial 192.168.109.1 and 192.168.117.0 via serial 192.168.109 (Sacramento serial interface) respectively.
The above snapshot is a ping between a Vlan of the Edinburgh site and the Manchester site. This shows connectivity between Edinburgh and Manchester up and working. We can see clearly that they are connected together and now we can access the Manchester site from Edinburgh site both of them acts like a server and a client to each other. If we give any commands on any routers and they will be executed at the other end and we can open our applications, files and so on when we perfectly authenticate it.
The above screenshot depicts the connection status as up with the successful ping between the two ends from Sacramento to New York and from Sacramento to London.
The ping between the Edinburgh Vlan and the Sacramento Vlan shows the connectivity between
The Edinburgh and Sacramento site, this one actually proves the connectivity between the London and New York sites as well. Now we access all the other sessions remotely from any session and we can open the required applications, files, troubleshoot the other networks and this just like a network protocol which helps us in bringing all the sessions together.
The above screenshot depicts the successful ping result from Manchester to the Sacramento.
This ping is again between the two wan endpoints of NY and London but these are more or less redundant after we have proved the pings between the internal Vlans. Now the technical staff at the both sites can access remotely the other sites from their home. Finally the finance sales and the international sales got the roaming access to contact at the other sites.
From the above snapshot we can see clearly that the connectivity of an internal vlan from the New York to London internal vlan pretty much proves routing. Since the pinging rate was successful the two internal Vlans from the both sites are permanently connected together and they got the access between their internal Vlans.
The above diagram clearly shows the VOIP functionality at London headquarters, we can see that the telephony service has been enabled using the max ephones and max dn (directory number). When all the ephones have successfully registered using the dial-peers services all the VOIP calls from London headquarters will be routed to the other end (destination peer ) when the same configuration is implemented on a real network with a cipc (cisco software) on a pc.
The above diagram clearly shows the VOIP functionality at New York headquarters, we can see that the telephony service has been enabled using the max ephones and max dn (directory number). When all the ephones have successfully registered using the dial-peers services all the VOIP calls from New York headquarters will be routed to the other end (destination peer ) when the same configuration is implemented on a real network with a cipc (cisco software) on a pc
CHAPTER 6: PROJECT EVALUATION
The evaluation of the entire project has been done using different scenarios which includes the reviewing of all Cisco network models, all routing principles, switching concepts, IP addressing schemes, bandwidth considerations, security issues and finally implementing Quality of service. All those above concepts are the most important considerations in designing a complex network.
To fulfil our project aim a complex network or a converged network has been designed by using all the sources and consideration of concepts from the literature review. Based on the client requirements and the reviewing of all deployment technologies, finally we developed a complex network using a WAN deployment.
According to the client specifications our required complex network has been designed and the entire network set up has been tested in all aspects in case of any errors occurred in our network setup. All the issues have been considered and all the steps have been implemented to overcome them and successfully design a complex network. By using the WAN technology (deployment) the entire individual sites of both the headquarters are connected to their respective headquarters using different leased line connections. All the users on each and individual site have developed virtual local area networks for all their departments. The entire data transmission between all the virtual LANS on each site has been done using dot1q switching and the communication between all the branch sites and their headquarters has been developed using the Routing principles. For efficient usage of our entire applications the max available bandwidth has been measured and for a proper communication or a permanent connection between the both headquarters the leased line connection is always active in any case if it goes down then a backup connection will serves the purpose. And it becomes active when the leased line connection goes down. In this case the backup link using a different ISP will provides the communication between the headquarters when the primary one fails.
And the data transmission over the backup link should be secure to achieve that we implemented an IPSEC VPN tunnel over the medium to recognize the interesting traffic between both the ends. It has been developed by connecting the fast Ethernet interfaces of the both headquarters to the ISP and by providing the static routes at both ends. Whenever the backup connection has been established the data integrity, data confidentiality and the authentication has been achieved finally the data transmission becomes more secure. The QOS has been developed throughout the network and the entire network traffic has been policed and then the traffic shaping has been done between the both ends. Whenever the entire network proposal has been designed we cond all the devices on each sites according to the given requirements and all the sites have been connected and cond on a network simulator “Gns3”. The results have been taken as screenshots and demonstrated. The brief explanation will be given in the next chapter on overall conclusions and Recommendations.
Chapter 7: Conclusions
This chapter discusses about the conclusions and recommendations.
This document discusses the configuration and the design for the NoBo, the requirements mentioned in the requirement document have been fulfilled. At each site, all the devices (routers and switches) are secured so that only the authorised administrators can have the access by configuring privileged mode passwords. Also, AAA (Authorisation, Accounting and Authentication) cond on the routers will allows only the authorized users, Accounting on the routers will maintains records of the users who accessed the network resources and how long they accessed them. Cisco Ios firewall was cond to provide even more security to the internal network. With the provision of Vlans, the server form can be placed in one of the Vlans making it possible to build a demilitarized zone. This makes it possible for securing the internal networks from hackers.
NAT is cond on the routers to allow the internal users to access the internet. This is cost effective, as we don't need to go for public IP addresses, This was possible with NAT overloading configuration. DHCP allows the users to get dynamic IP addresses from the DHCP server cond on the router at each site. This reduces human (Administrators) effort. Wi-Fi network access was provided for the wireless users. Polycom video conferencing devices were suggested for the conferencing, since these are cheaper and quality assured devices. Auto Qos was implemented.
The leased line connection and the internet connections should be taken from two different ISPs. This will be helpful when one link goes down the other will serves as the backup link. Otherwise, if we chose both the links from the same ISP, then there will not be any communication between the sites if the ISP service is down. Therefore In this report, at London site, the ISP BTnet was chosen for the leased line as it promises approximately 100% up time and Eclipse-internet was chosen for the internet backup line, these two ISPs are chosen for the sites in the Great Britain. And for the American sites, AT&T is chosen for the Leased line and Level -3 for the backup. With the IPSec provision, the business data is secured while using the backup line. The designed network is a centralised network where assuring high control on the data.
The best part of this network design is the device hardening and the redundant internet link. The only drawback of this network could be the device redundancy. What if the router of any headquarters' goes down? The entire communication will be lost as it is centralised to the two head quarters. Since we are using the worlds' most popular and reliable routers from Cisco this risk can be reduced. Alternatively, it is suggested to deploy another router at both the head quarters for router redundancy. Proper network devices and the number of those devices carefully suggested in designing the network keeping in mind the requirements of the NoBo. The same devices are been cond on the simulator and the screenshots of the results are provided. Recommendations and Future work
IT- Network policy: NoBo networks should formulate a governance policy for their network in general; such a policy should be adhered whenever working on the Company network.
IT- end user policy: NoBo network should also have an end user policy governing the rules and regulations to be followed by the end user when using the network.
Network Operations Centre: NoBo networks should form a network operations centre at least at one of the head offices, they should also hire network engineering and monitoring personnel's who would troubleshoot alarms raised by the network management suite mentioned above. New York and the London head offices are the two most important sites for the business and the connectivity should be up at 99.999% all the times.
Internet connectivity for remote sites: As the branch offices grow in size , they should move away from the centralized internet design to a localized internet design, Internet is an economical resource and the remote sites should have their own internet connections , they should only use the head office internet in case of an outage.
Back Up links for the remote sites: In the early stages of the growth of the remote sites, the remote sites can use the IPSec vpn connection to the head office to be used as a backup connection in case of wan failure and vice versa in case of internet failure.
In the later stages, all sites should have a dedicated leased line acting as a back up to connect to the head office.
Change management process: NoBo networks should form and adhere to a change management process; this process would be required to keep all the changes in alignment and avoid confusions and ease the troubleshooting process.
Security: It-security policies: It should come into place including all the aspects of IT security, its rules and regulations and the guidelines to provide necessary measures. In case of a breach such a policy should be circulated to all the employees of the company.
Device hardening: All the devices in the network, whether they are the routers, switches, servers and hosts should be properly hardened by having proper access-control mechanisms in place , the servers and the hosts should have all the security patches , antivirus software's and antispyware software's at all given time.
Network Firewalls: NoBo should invest in the Cisco series of ASA firewalls, at the moment we have used the existing IOS firewall inside the routers, A separate ASA firewall should be placed on both the internet links providing stateful security to the network, carrying on NAT and providing VPN facilities to the remote employees.
Access-layer Security:The Access layer switches security should be taken into consideration. The BPDU guard should be placed on all the access ports. The ports of the access switches should be binded with the respective Mac addresses so that no unauthorized users can connect.
At this point of time a very basic or really no design exists for the VoIP at NoBo.
Following are the points for the future work that is to be done.
1) An extension design map for the whole company
2) There should be provision for the connection to the pots telephony system
3) Selecting the voice service providers
4) Selecting the VoIP server platform (solution)
5) Creating a dial plan
6) Selecting the right Qos techniques.
VoIP Server:NoBo should deploy a VoIP server i.e. call manager express from Cisco, it is deployed over Cisco 2800 series platform of routers has all the features to cater the requirements for NoBo.
IPv6 consideration:The network should be Ipv6 ready - all the devices that are being introduced should be Ipv6 ready.
Internet Protocol Version 6 (IPv6) is designed to increase Internet global address space to accommodate the rapidly increasing numbers of users and applications that require unique global IP addresses and help enable a global environment where the addressing rules of the network are again transparent to applications.
This new protocol promises a host of advantages that may in the future far surpass those of IPv4—the dominant IP today. IPv6 integrates all IPv4 improvements from the past 20 years, improvements that focus on network security, expansion of quality of service (QoS) options, embedded IP-friendly mobility, auto configuration, ready-to-use support, and peer-to-peer capability—the kinds of advantages that service providers can capitalize on to differentiate themselves and expand their businesses.
Future consideration Local Area Network Design:
From: ICND cisco press 1
The Local area network shown right now does consist of a single layer 2 switch connected to the wan router, in a proper campus local area network Design, this is not true. The switching in campus network are classified in two segments, first is the access layer, the switches in the access layer connect to a large number of end users and have trunks back up to switches who connect to the switches in the access layer are called the distribution layer switches and then in turn connect to the core of the campus network.
Access switches connect directly to the end user. Access switches should not be designed to pass traffic between 2 switches. Each access switch should connect to at least 2 distribution switches for the purpose of redundancy in case of a link failure.
Distribution switches connect to the access switches and provide an aggregation point to them, distribution switches do not connect to end user directly but are meant for frame forwarding between switches only. Distribution switches can be layer 3 switches in which the access-control also takes place. ( ICND cisco press 1)