Desert View High School Group Members: • Killian McLoughlin. • JP Sheridan • Kevin Traynor.
Contents: • Design Goals • WAN Design • LAN Design • Logical & Physical LAN Design • Equipment Details: • MDF Equipment • IDF Equipment • Design Of Cabinet In Each Classroom • Classroom Hardware Configuration • Topology & Servers • Wiring • Security • Why Use VLANS ? • Benefits Of VLANS • VLAN Membership Policy Server • Security Hardware
Contents continued • Layout Of Classrooms • IP Addressing • IP Addressing Scheme • Sub-netting • Router Configurations • ACL (blocks Telnet traffic to the router from Lecturers & Students) • DHCP Configuration • Conclusion
Design Goals • To create a LAN that will act as an arm of the Washington School District WAN. • This LAN should remain functional for at least the next 7-10 years. • Each classroom will support at least 25 workstations. • Every workstation on the LAN will be provided with an Internet connection.
Design Goals cntd. • Cat5 UTP will provide the required Ethernet speeds to the desk using 10BASE-T and 100BASE-TX; the Gigabit Ethernet trunks between switches run over fiber (through the enterprise switches' GBIC ports). Cabling will comply with the TIA/EIA-568-A and TIA/EIA-569 standards. • The initial bandwidth requirement for any host PC on the LAN will be 1 Mbit/s, whereas for network servers it will be 100 Mbit/s.
Design Goals cntd. • Desert View's LAN will also have to cater for at least the following growth: • 10x growth in the District Internet connection throughput. • 2x growth in the core WAN throughput. • 100x growth in the LAN's own throughput.
WAN Design • The Washington WAN consists of three district centers: • The 'Shaw Butte' Elementary School. • The District's Data Center. • The Service Center. These centers are connected using T1 lines through Cisco routers. ('Desert View' connects to the core WAN through 'Shaw Butte'.)
WAN Design The Washington School District Wide Area Network (WAN) will: • Connect all school and administrative offices with the district office for the purpose of delivering data. The WAN will be based on a two-layer hierarchical model. • Three (3) regional Hubs will be established at the District Office/Data Center, Service Center and Shaw Butte Elementary School for the purpose of forming a fast WAN core network. • School locations will be connected into the WAN core Hub locations based on proximity to the Hub.
WAN Design • TCP/IP and Novell IPX are the only networking protocols acceptable to traverse the district WAN. • All other protocols will be filtered at the individual school sites using access routers. • High-end, powerful routers will also be installed at each WAN core location. • Access to the Internet or any other outside network connections will be provided through the District Office/Data Center through a Frame Relay WAN link. • For security purposes, no other connections will be permitted.
[Diagram: WAN core, with T1 lines between the three hub locations]
LAN Design • Logical Design Of The LAN • Physical Design Of The LAN
Desert View High school Equipment Details
MDF Equipment Cisco 3600 Router • The Cisco 3600 Series is a family of modular, multi-service access platforms for medium and large-sized offices and smaller Internet Service Providers. • With over 90 modular interface options, the Cisco 3600 family provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing. • The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution. • In Cisco 3600 series routers, the 2-port serial WAN interface card supports both asynchronous (up to 115.2 kbps) and synchronous (up to 2.048 Mbps) data rates.
MDF & IDF Equipment Cisco Catalyst 3548XL Enterprise Edition • Stackable 10/100 and Gigabit Ethernet switch. • Delivers premium performance, manageability, and flexibility with unparalleled investment protection. • 48 10/100 ports and two GBIC-based Gigabit Ethernet ports. • This switch offers advanced software features, including complete 802.1Q and ISL VLAN support, TACACS+ security, and fault tolerance through UplinkFast.
Classroom Hardware Configuration • Each classroom has 4 RJ-45 points: • The lecturer's workstation is connected to one of the points (CAT 5 UTP) and patched directly to an enterprise switch in the nearest IDF. • A Cisco 12-port 10/100 standard switch is connected to each of the remaining points. Each standard switch is patched directly back to an enterprise switch in the nearest IDF (CAT 5 UTP). • 8 student PCs are connected to each standard switch. • A networked printer is also connected to one of the standard switches in each classroom. • A file & print server handles the print queues for the entire high school.
Classroom Hardware Config. Why Use Switches & Not Hubs In Classrooms? Hubs • A hub is an Ethernet (10BaseT or 100BaseT UTP/STP) repeater. • In a typical 12-port hub, any data received on one port is re-transmitted on all of the other eleven ports, since the intended destination could be on any of them. It is simple to understand. • It is not very efficient, as there is no traffic control: if two PCs try to transmit at the same time, a collision occurs and the data has to be re-transmitted. • A hub is one shared half-duplex collision domain, so even though an Ethernet card might be 'full duplex' it cannot actually transmit and receive simultaneously through a hub. • A PC has no interest in data which another PC is sending (for example) to a printer elsewhere on the network, so clogging up its Ethernet interface with it is wasteful.
Classroom Hardware Config. Why Use Switches & Not Hubs In Classrooms cntd. Switches • A switch forwards data from one specific port to another, rather than re-broadcasting it to all other ports. • A switch is intelligent and learns which device (MAC address) is on which port. • A switch therefore knows which port received data needs to be sent to. • This makes the network much more efficient and allows more devices to communicate with each other simultaneously. • It also means a student PC no longer receives traffic addressed to other PCs or to the lecturer's workstation, which a hub would have repeated to every port.
Topology & Servers • This network is structured on an extended star topology. External Servers On WAN Core: • Administrative (MAIN) server • DNS server. Servers On Desert View LAN: • Administrative server • Email server • File & print server • TFTP & RAS server • School web server • Proxy server • Application server • Library server • DNS host server & DHCP server. • Servers are located in the same room as the MDF and are connected directly to the enterprise switch in the MDF with CAT 5 UTP.
Wiring • All enterprise switches are interconnected through trunking ports using fiber optic cabling. • All cabling is run through the existing cable runs, where possible. • All workstations are connected to network points on walls and on the floors (lecturer workstations) with CAT 5 UTP cabling. • All network points in classrooms are patched through to the switches in each classroom with CAT 5 UTP cabling. • The switches in each classroom are patched back to an enterprise switch in the nearest IDF.
SECURITY VLANS Why Use VLANs Benefits Of VLANs VLAN Membership Policy Server Security Hardware Pix Firewall
VLANs: Why Use VLANs? VLANs provide the following benefits: • Reduced administration costs from solving problems associated with moves, adds, and changes. • Workgroup and network security. • Controlled broadcast activity. • Leveraging of existing hub investments. • Centralized administration control.
VLANs • We have decided to implement 4 VLANs on the Desert View LAN as follows: • VLAN 1 = Administration. • VLAN 2 = Lecturers. • VLAN 3 = Students. • VLAN 4 = IP Telephony.
VLAN Membership Policy Server • We have decided to implement dynamic VLANs for improved security using Cisco VMPS. • With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. • When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically. • When you enable VMPS, a MAC-address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled. • VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. • When the VMPS server receives a valid request from a client, it searches its database for a MAC-address-to-VLAN mapping. • Note that the Catalyst 3548XL switches specified for the MDF and IDFs act as VMPS clients only; the VMPS server function runs on a separate VMPS-capable Cisco switch, and it is that switch which loads the database from the TFTP server.
VMPS cntd. • The VMPS server holds a database of devices' MAC addresses and the VLAN that those devices are members of. • These addresses must be entered into the database manually. • A listed device will be on the same VLAN no matter which port it is connected to on the LAN.
VMPS cntd. • All lecturers' laptop MAC addresses and all administration workstation MAC addresses will be entered into this database. • A lecturer can then plug his/her laptop into any port on the LAN and still be a member of the appropriate VLAN. • This approach offers a higher level of security, preventing a student's PC from becoming a member of the lecturers' or administration staff's VLAN should the student connect his/her workstation to the lecturer's wall point or to any other switch port on the LAN that would otherwise carry a non-student VLAN. • The caveat is that VMPS identifies a device only by its MAC address, which an operating system can be configured to change; a student who learns a lecturer's laptop MAC address could present it and be placed in that VLAN. VMPS should therefore run in secure mode (a denied request shuts the port down rather than leaving it unassigned) and be treated as one control among several, not as authentication of the user.
VMPS cntd. • We have also decided to use VMPS for the IP telephony VLAN. • This will allow IP telephones to be connected to any available port on any switch on the LAN and still be members of the appropriate VLAN. • Placing IP telephony in its own VLAN separates voice traffic from PC traffic, so it does not eat into the bandwidth available to PCs and is not disturbed by PC broadcast traffic. • This ensures the best possible call quality for the phones.
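As an added example (this is not configuration from the original design), the three pieces that the VMPS slides above describe, written out for the four VLANs of this LAN: the database file served from the TFTP server, the client-side port configuration on a Catalyst 3548XL in an IDF, and the server-side switch that loads the database. Everything specific here is an assumption for illustration: the MAC addresses and VLAN names, the VTP domain name DESERTVIEW, the VMPS server switch at 10.1.1.10 (a VMPS-capable Catalyst 5000-series switch running CatOS), and the database filename vmps-config-database.1. The TFTP server address 10.1.1.7 is the one in the addressing plan.

```cisco
! ---- 1. VMPS database file, held on the TFTP server (10.1.1.7) ----
! Constructed example; MAC addresses and VLAN names are made up for illustration.
! The domain name must match the VTP domain of every switch that uses VMPS (assumed: DESERTVIEW).
vmps domain DESERTVIEW
! secure: a port whose request VMPS denies is shut down, instead of being left unassigned as in open mode
vmps mode secure
! Devices whose MAC address is not listed below (student PCs, visitors) land in the Students VLAN
vmps fallback Students
! Refuse requests from switches that are not in our VTP domain
vmps no-domain-req deny
!
vmps-mac-addrs
! Administration workstations
address 0000.0c12.3401 vlan-name Administration
address 0000.0c12.3402 vlan-name Administration
! Lecturers' laptops
address 0000.0c56.7801 vlan-name Lecturers
address 0000.0c56.7802 vlan-name Lecturers
! IP telephones
address 0000.0c9a.bc01 vlan-name IP_Telephony
! A lost laptop: --NONE-- denies the address outright, so in secure mode the port is shut down
address 0000.0c56.7899 vlan-name --NONE--

! ---- 2. Catalyst 3548XL in an IDF, acting as VMPS client (IOS) ----
! The VMPS server address is assumed: a VMPS-capable Catalyst switch at 10.1.1.10
Switch# vlan database
Switch(vlan)# vtp domain DESERTVIEW
Switch(vlan)# exit
Switch# configure terminal
Switch(config)# vmps server 10.1.1.10 primary
! Re-confirm every dynamic port's assignment every 60 minutes
Switch(config)# vmps reconfirm 60
! A classroom wall point: an access port that asks VMPS for its VLAN
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end
! Verify the client sees its server and the port's assignment
Switch# show vmps
Switch# show interface FastEthernet0/1 switchport

! ---- 3. VMPS server switch loads the database (CatOS, Catalyst 5000 series; assumed) ----
Console> (enable) set vtp domain DESERTVIEW
Console> (enable) set vmps downloadserver 10.1.1.7 vmps-config-database.1
Console> (enable) set vmps state enable
```

The fallback VLAN is what implements the slide's intent that unlisted student PCs still get a working (student) port, while the --NONE-- entry shows the other side of secure mode: a request that is denied shuts the port rather than silently leaving it unassigned. Because the whole decision rests on a MAC address, the database should be kept alongside an inventory of which address belongs to whom, and a port that unexpectedly shuts down is worth investigating rather than simply re-enabling.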
Security Hardware PIX 515 DC-powered firewall • Cisco's PIX firewall series delivers strong security that is easy to install, at a competitive price. • PIX firewalls provide the latest in security technology, ranging from: • stateful inspection firewalling • content filtering capabilities • integrated intrusion detection, to help secure a network environment from next-generation attacks.
[Diagram: typical classroom layout, showing banks of 8 PCs, desks, wall points, the comms cabinet, the lecturer's PC / Cat5 point and the network printer]
IP Addressing Scheme • The Washington School District WAN uses the private class A network 10.0.0.0/8. • Desert View High School has been allocated the range 10.1.x.x (10.1.0.0/16). • This leaves us two octets to subnet from and 65,534 possible host addresses.
IP Addressing Scheme cntd. • Every wing is on its own subnet, with the exception of wing 1, which is split into 2 subnets because of the number of hosts it requires. • This leaves room for future expansion. • We have decided to give administration its own subnet. Through the use of ACLs this will allow us to distinguish between traffic from lecturer/student workstations and administration workstations. • All networking equipment (router and switch management addresses) and all administration workstations are on the administration subnet. • This subnet is 10.1.1.X.
Addresses: Static IP Addresses On The Administration Subnet • 10.1.1.1 = DNS/DHCP server • 10.1.1.2 = Router • 10.1.1.3 = WWW server • 10.1.1.4 = Library server • 10.1.1.5 = Application server • 10.1.1.6 = File & print server • 10.1.1.7 = TFTP & RAS server • 10.1.1.8 = Mail server • 10.1.1.9 – 10.1.1.19 = Enterprise switches • 10.1.1.20 – 10.1.1.155 = Standard switches in classrooms
Subnet Breakdown (one /24 per wing, wing 1 split in two) • 10.1.1.X (Admin) • 10.1.2.X • 10.1.3.X • 10.1.4.X • 10.1.5.X • 10.1.6.X • 10.1.7.X • 10.1.8.X • 10.1.9.X • 10.1.10.X • 10.1.11.X • 10.1.12.X
Routing Protocols • We have decided to use the Interior Gateway Routing Protocol (IGRP) as the network routing protocol. • Some of its advantages are: • Scalability. • Fast response to network changes. • A sophisticated composite metric that provides significant route-selection flexibility. • It can maintain up to four unequal-cost paths between a source and destination network. • Multiple paths can increase available bandwidth or provide route redundancy. • One check to make: IGRP is a classful protocol, so it carries no subnet masks and every subnet of 10.0.0.0 it advertises must use the same mask. The consistent 255.255.255.0 per wing in this design satisfies that.
Router Configuration DHCP • Before configuring DHCP on the router, the subnets must be decided on and all static addresses noted so that they can be excluded from the DHCP pools. • The router itself is the DHCP server; an FTP or TFTP server must be configured to hold the DHCP binding database, to which the router writes its lease records. • In this case we are using the DNS server as a dual-function server (DNS plus database host) to save cost and space.
Router Configuration • Sample DHCP configuration (IOS comments begin with "!"):
Desert_view(config)# ip dhcp database tftp://10.1.1.1/router-dhcp timeout 80 write-delay 80
! Binding database on the DNS/DHCP server. TFTP URLs carry no credentials; an FTP database would be ftp://user:password@host/file.
! timeout 80 = seconds to wait for the database server; write-delay 80 = seconds between database updates (minimum 60).
Desert_view(config)# ip dhcp excluded-address 10.1.2.4
! Statically addressed network printer, kept out of the DHCP pools (repeat for every static address)
Desert_view(config)# ip dhcp pool Wing_five_east
Desert_view(config-dhcp)# network 10.1.5.0 255.255.255.0
! Wing 5 subnet
Desert_view(config-dhcp)# domain-name desert-view
Desert_view(config-dhcp)# dns-server 10.1.1.1
Desert_view(config-dhcp)# default-router 10.1.5.1
! The default router must be the router's own address on the 10.1.5.0 subnet (10.1.5.1 is assumed here).
! 10.1.1.2 is the router's administration-subnet address and is not reachable as a gateway from wing 5.
Router Configuration ACLs • This access control list prevents Telnet traffic from the lecturer and student subnets reaching the router.
Router> enable
Router# configure terminal
Router(config)# hostname Desert_view
Desert_view(config)# enable secret *****
Desert_view(config)# access-list 101 remark block telnet to the router from the non-administration subnets
Desert_view(config)# access-list 101 deny tcp "Subnet's IP address" 0.0.0.255 host 10.1.1.2 eq telnet
Desert_view(config)# access-list 101 permit ip any any
Desert_view(config)# interface ethernet 0
Desert_view(config-if)# ip access-group 101 in
• One deny line is entered for each subnet except the administration subnet (the 0.0.0.255 wildcard covers a whole /24 wing subnet); the permit ip any any keeps all other traffic flowing, because an access list ends in an implicit deny.
• 10.1.1.2 is the router's address on the administration subnet. Note that this list protects only that one address on that one interface: if the router also has addresses on the wing subnets, Telnet to those would still be permitted, so restricting the vty lines themselves is the more robust control.
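A more robust form of the same control, added here as an example and not part of the original design: instead of filtering Telnet to one router address on one interface, restrict the vty lines with a standard access list, so the rule holds whichever of the router's addresses a lecturer or student aims at. The local username, the domain name used for key generation, and SSH support are assumptions (SSH needs a crypto-capable IOS image on the 3600; without one, keep transport input telnet and the access-class still applies).

```cisco
! Management sessions are accepted only from the administration subnet 10.1.1.0/24
Desert_view(config)# access-list 10 remark vty access: administration subnet only
Desert_view(config)# access-list 10 permit 10.1.1.0 0.0.0.255
! Log every refused attempt from the wing subnets (lecturers, students)
Desert_view(config)# access-list 10 deny any log
!
! Local account for the management login (username and password are placeholders)
Desert_view(config)# username netadmin secret *****
! Prefer SSH over Telnet so the password does not cross the student VLAN in clear text
! (needs a crypto-capable IOS image; assumed here, as is the domain name)
Desert_view(config)# ip domain-name desert-view.local
Desert_view(config)# crypto key generate rsa
!
Desert_view(config)# line vty 0 4
! access-class applies to the session regardless of which router address it targets
Desert_view(config-line)# access-class 10 in
Desert_view(config-line)# login local
Desert_view(config-line)# transport input ssh
! Drop idle sessions after 10 minutes
Desert_view(config-line)# exec-timeout 10 0
Desert_view(config-line)# end
! Verify: the deny counter climbs when a student subnet tries to connect
Desert_view# show access-lists 10
```

With this in place the extended list on ethernet 0 is no longer load-bearing for router management, and the single permit line for 10.1.1.0/24 replaces one deny line per wing subnet.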
Conclusions • Easy To Implement. • Easy To Maintain. • High security. • A Lot Of Support For Expansion.
Any questions?