Secure Network Design with High-Availability & VoIP

SECURE NETWORK DESIGN
WITH HIGH-AVAILABILITY
& VOIP
PRESENTED BY:
09BCE035 ARPAN PATEL

•

•

• BRIEFLY, THIS PROJECT AIMS TO SETUP AN END-TO-END SECURE DATA & VOIP NETWORK FOR A SMALL
ENTERPRISE, WITH FEATURES LIKE HIGH AVAILABILITY, ENHANCED PERFORMANCE, RESILIENCY, SECURITY FOR
WIRED & WIRELESS COMMUNICATION AND INCREASED PRODUCTIVITY.
•

THE MAJOR OBJECTIVE OF THIS PROJECT WAS A SMALL
ENTERPRISE NETWORK UPGRADE IN ORDER TO:
• IMPROVE AND CONSOLIDATE NETWORK PERFORMANCE ON SITE.
• PROVIDE INCREASED NETWORK CAPACITY.
• IMPROVE THE NETWORKS FAULT TOLERANCE CAPABILITY.
• PROVIDE FUTURE EXPANSION CAPABILITY.
• IMPROVE THE NETWORK SECURITY TO PREVENT UNAUTHORIZED ACCESS.
• IDENTIFY THE CRITICAL POINTS OF FAILURE IN THE EXISTING NETWORK
AND PROPOSE ON HOW TO ELIMINATE THEM.

SECURITY POLICY & REQUIREMENTS:
• WIRELESS USERS ARE DENIED ACCESS TO THE PRIVATE NETWORK. ONLY ACCESS TO INTERNET.
• NETWORK DEVICES MUST ONLY BE ACCESSED BY LOCAL SITE OR REMOTE SITE ADMIN WITH
AUTHORIZATION. ONLY PERMITTED DEPARTMENTS ARE ALLOWED TO COMMUNICATE WITH OTHER
DEPARTMENTS.
• NO OTHER HOST OTHER THAN THE COMPANY’S END DEVICES CAN BE ATTACHED TO THE NETWORK. IF
ATTACHED, ACCESS MUST BE DENIED IMMEDIATELY AND ADMIN SHOULD SOMEHOW BE NOTIFIED.
• TWO GUEST COMPUTERS SHOULD BE ACCOMMODATED IN ANY DEPARTMENT AND THEY ARE ONLY
PERMITTED TO COMMUNICATE WITH THE MARKETING DEPARTMENT AND LIMITED INTERNET ACCESS.
• EMPLOYEES CAN ONLY ACCESS THE ALLOWED SITES.
• HUMAN RESOURCES IS DENIED ACCESS TO ANY OTHER DEPARTMENT & IS JUST ALLOWED INTERNET
ACCESS.

FUTURE EXPANSION CAPABILITY:
• SERVERS CAN BE ADDED TO THE NETWORK AT ANY TIME.
• CLUSTERING OF THE SEVERS CAN ALSO BE POSSIBLE IF NECESSARY IN THE FUTURE AS THE EXISTING SERVER
HARDWARE CAN SUPPORT BEING IDENTICAL & SUPPORT SCSI.
• SYSTEM COMPONENTS ARE IDENTICAL AT ALL NODES FOR EASE OF MANAGEMENT & CONFIGURATIONS
ARE SIMILAR BETWEEN ALL UNITS AND CAN BE USED AS TEMPLATES FOR ADDING NODES.
• THE DISTRIBUTION SWITCH IS A 24-PORT GIGABIT SWITCH WITH 4 SFP FIBER MODULES
• HENCE EXPANDING THE NUMBER OF DEPARTMENTS OR EVEN THE NUMBER OF BRANCHES WILL ALWAYS BE
ACCEPTABLE AS ALL THE NECESSARY CONFIGURATIONS HAVE BEEN DONE.

ACCESS LAYER SWITCHES ALSO HAVE CAPABILITIES TO BEAR MORE USERS
AND ARE ALSO CONFIGURED FOR SUCH EXPANSION:

FUTURE TRANSITION TO IPV6
• FOR FUTURE PURPOSE WITH CERTAIN CONFIGURATIONS, THE FULL
ENTERPRISE NETWORK CAN BE IMPLEMENTED WITH AN IPV6 SETUP.
• DOCUMENTATION IS ALSO PROVIDED FOR A FULL IPV6 DEPLOYMENT.

NETWORK FEATURES
• WEB SERVER
• FTP SERVER
• DHCP SEVER
• DNS SEVER
• SYSLOG SERVER
• VOIP

VOIP
Steps:
1. Configure Call Manager ExpressTM on a 2811 router.
2. Use the various telephony devices
3. Setup dial peers
4. Connect CiscoTM IP phones on the network.
• ADDITIONALLY IN THE CURRENT NETWORK INFRASTRUCTURE IP PHONES HAVE ALSO BEEN CONFIGURED IN EACH
DEPARTMENT USING THE SAME ETHERNET NETWORK.
• BY RECONFIGURING THE NETWORK & MANAGEABLE SWITCHES VOICE IS NOW COMMUNICATED OVER THE
NETWORK.

VOIP CONFIGURATION:
• TASKS 1 : CONFIGURE INTERFACE FASTETHERNET 0/0 AND DHCP SERVER ON ROUTERA
(2811 ROUTER)
• TASK 2 : CONFIGURE THE CALL MANAGER EXPRESS TELEPHONY SERVICE ON ROUTERA
• TASK 3 : CONFIGURE A VOICE VLAN ON SWITCHA
• TASK 4 : CONFIGURE THE PHONE DIRECTORY FOR IP PHONE 1
• TASK 5 : VERIFY THE CONFIGURATION

CISCO IP PHONE CONFIGURATION COMMANDS:
#Configure the FA 0/0 interface#
RouterA>enable
RouterA#configure terminal
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip address 192.168.10.1 255.255.255.0
RouterA(config-if)#no shutdown
#The DHCP server is needed to provide an IP adress and the TFTP server location for each IP phone
connected to the network:
RouterA(config)#ip dhcp pool VOICE #Create DHCP pool named VOICE
RouterA(dhcp-config)#network 192.168.10.0 255.255.255.0 #DHCP network network 192.168.10 with /24 mask#
RouterA(dhcp-config)#default-router 192.168.10.1 #The default router IP address#
RouterA(dhcp-config)#option 150 ip 192.168.10.1 #Mandatory for voip configuration.
After the configuration, wait a moment and check that ‘IP Phone 1’ has received an IP address by checking
the phone screen until a configuration summary appears.
Apply the following configuration on SwitchA interfaces. This configuration will separate voice and data traffic in
different vlans on SwitchA. Data packets will be carried on the access vlan.
SwitchA(config)#interface range fa0/1 – 5 #Configure interface range#
SwitchA(config-if-range)#switchport mode access
SwitchA(config-if-range)#switchport voice vlan 1 #Define the VLAN on which voice packets will be handled#

CISCO IP PHONE CONFIGURATION COMMANDS (CONTINUED):
Configure the Call Manager Express telephony service on RouterA to enable voip on the network.
RouterA(config)#telephony-service #Configuring the router for telephony services#
RouterA(config-telephony)#max-dn 5 #Define the maximum number of directory numbers#
RouterA(config-telephony)#max-ephones 5 #Define the maximum number of phones#
RouterA(config-telephony)#ip source-address 192.168.10.1 port 2000 #IP Address source#
RouterA(config-telephony)#auto assign 1 to 6 #Automatically assigning ext numbers to buttons#
Although ‘IP Phone 1’ is already connected to SwitchA, it needs additional configuration before being
able to communicate. So to configure RouterA CME to assign a phone number to this IP phone:
RouterA(config)#ephone-dn 1 #Defining the first directory entry#
RouterA(config-ephone-dn)#number 999 #Assign the phone number to this entry#
Ensure that the IP Phone receives an IP Address and a the phone number 999 from RouterA
This can take a short while.

REMOTE SITE VOIP CONFIGURATION USING DIAL PEER:
SITE1 ROUTER SITE2 ROUTER:
dial-peer voice 47 voip
destination-pattern 1..
session target ipv4:18.18.18.2
dial-peer voice 47 voip
destination-pattern ...
session target ipv4:78.78.78.2

ADDITIONAL FEATURES WHICH INCREASE NETWORK
PERFORMANCE & CAPACITY:
• VTP PRUNING:
• WHEN VTP PRUNING IS ENABLED ON VTP SERVERS, ALL THE
CLIENTS IN THE VTP DOMAIN WILL AUTOMATICALLY ENABLE VTP
PRUNING. BY DEFAULT, VLANS 2 – 1001 ARE PRUNING
ELIGIBLE, BUT VLAN 1 CAN’T BE PRUNED BECAUSE IT’S AN
ADMINISTRATIVE VLAN.
• SPANNING-TREE PORTFAST VERY CAREFULLY ENABLED
ON ACCESS PORTS CONNECTED TO HOSTS ONLY
ESPECIALLY THE SERVERS SO UPTIME IS HIGH & NO
UNNECESSARY DELAY BY STP.
SW1#config t
SW1(config)#interface Fa0/1
SW1(config-if)#switchport trunk pruning vlan 3-4

NETWORK CONNECTIVITY TESTING PLAN:
Layer 1 Error Checklist Layer 2 Error Checklist
 Broken cables
 Disconnected cables
 Cables connected to the wrong ports
 Intermittent cable connections
 Cables incorrectly terminated
 Wrong cables used
 Cross-connects
 Rollovers
 Straight-through cables
 Transceiver problems
 DCE cable problems
 DTE cable problems
 Devices powered off
 Improperly configured serial interfaces
 Improperly configured Ethernet interfaces
 Wrong clock rate settings on serial interfaces
 Wrong encapsulation set on serial interfaces
 Faulty NIC
Layer 3 Error Checklist
 Wrong routing protocol enabled
 Incorrect network/IP addresses
 Incorrect subnet masks
 Incorrect interface addresses
 Incorrect DNS-to-IP bindings
 Wrong autonomous system number for EIGRP

STANDARD COMMAND LINE TOOLS USED TO TROUBLESHOOT
 STANDARD COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT HOST LEVEL PROBLEMS ARE:
 PING – CHECK CONNECTIVITY BETWEEN HOST AND OTHER NETWORK DEVICES
 TRACERT – CHECK PATH TO OTHER NETWORK DEVICES
 IPCONFIG – SEE IF HOST PROPERLY DETECTS CONFIGURATIONS ASSIGNED TO IT
 ARP -A – DISPLAYS THE IP-TO-PHYSICAL ADDRESS TRANSLATION TABLES
 STANDARD CISCO IOS COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT ROUTER LEVEL
PROBLEMS ARE:
 PING – CHECK CONNECTIVITY BETWEEN ROUTER AND OTHER NETWORK DEVICES
 TRACEROUTE - CHECK PATH TO OTHER NETWORK DEVICES
 SHOW ARP – SHOW THE IP/MAC ADDRESS USED
 SHOW IP ROUTE – SHOWS A ROUTER’S ROUTING TABLE
 SHOW INTERFACE/SHOW INTERFACE BRIEF – SHOWS EXISTING INTERFACE CONFIGURATIONS AND IF
ADMINISTRATIVELY UP OR DOWN
 SHOW RUN – SHOWS EXISTING OVERALL ALL CONFIGURATIONS

ETHER CHANNEL : CISCO’S IMPLEMENTATION OF PORT AGGREGATION
• PORT AGGREGATION: ALLOWS US TO TIE MULTIPLE PORTS TOGETHER INTO A SINGLE
LOGICAL INTERFACE.
• NOT ONLY DOES PORT AGGREGATION INCREASE THE BANDWIDTH OF A LINK, BUT IT
ALSO PROVIDES REDUNDANCY.
Benefits
1. Enhanced Performance.
2. Redundancy
3. Resiliency And Faster Convergence.
So once Again How did we
implement Ether Channel??
Switch(config)#interface range gigabitEthernet 0/1-2
Switch(config-if)#Switchport mode trunk
Switch(config-if)#Switchport nonnegotiable
Switch(config)#Channel-group 1 mode desirable

FIBER-UPLINK
• TO HAVE A FIBER BACKBONE IS THE WISEST DECISION IN ANY ENTERPRISE
NETWORK DESIGN.
• WE HAVE IT IN THE CORE BACKBONE WHICH CONNECTS THE CORE ROUTER TO
THE DISTRIBUTION SWITCH.
• ALSO THE SEVERS OF ALL 3 SITES ARE NOW CONNECTED WITH A GIGABIT FIBER
TO THE NETWORK.
Benefits
1. High Availability
2. High Response time.
3. Increased Reliability

BACKUP SERVERS INSTALLATION & CONFIGURATION:

INSTALLATION OF WINDOWS SEVER 2008

ACCESS-CONTROL LIST
ACCESS CONTROL LISTS (ACLS)CAN BE USED FOR
TWO PURPOSES ON NETWORKING DEVICES:
• TO FILTER TRAFFIC.
• TO LOCALIZE SPECIFIC TRAFFIC IN SPECIFIC
SUBNETS.
TYPES OF ACCESS LISTS:
• NUMBERED
• NAMED
• EXTENDED
• STANDARD
• ACCESS CONTROL LISTS WORKS IN A TOP DOWN
APPROACH
- A PERMIT STATEMENT IS USED TO ALLOW TRAFFIC
- A DENY STATEMENT IS USED TO BLOCK TRAFFIC.
 COMMANDS :
- ROUTER(CONFIG) #IP ACCESS - LIST EXTENDED <NAME>
- ROUTER(CONFIG-EXT-NACL) #PERMIT IP HOST <SOURCE
IP> HOST <DESTINATION IP>

SWITCH PORT SECURITY
• NO OTHER WORKSTATION CAN BE PLUGGED TO THE FASTETHERNET PORT.
• IF UNREGISTERED MAC PLUGGED IT WILL BE SHUTDOWN OR RESTRICTED.
Switch(config) #Interface fa 0/1
Switch(config) # Switchport port-security
Switch(config) # Switchport port-security mac-address sticky

REMOTE ACCESS &
REMOTE ACCESS SECURITY:
• REMOTE ACCESS: TELNET (PORT 23)
• SECURE REMOTE ACCESS:
SSH VERSION 2 (PORT 22)
 CONFIGURATION AS FOLLOWS:
Host identification (Using RSA-Keys)
Encryption (IDEA)
Authentication (RSA Challenge)
Router(config)# ip domain-name cisco.com
Router(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#exit
*Mar 1 0:4:8.988: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router(config)#ip ssh version 2
Router(config)# username cisco password cisco
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config)#ip ssh time-out 90
Router(config)#ip ssh authentication-retries 2

ACCESS LISTS ( ACL )
ACCESS CONTROL LISTS (ACLS)CAN BE USED FOR TWO PURPOSES ON
NETWORKING DEVICES:
• TO FILTER TRAFFIC.
• TO LOCALIZE SPECIFIC TRAFFIC IN SPECIFIC SUBNETS.
TYPES OF ACCESS LISTS:
• NUMBERED
• NAMED
• EXTENDED
• STANDARD

MAC FILTERING
• ONLY REGISTERED USERS CAN ACCESS THE WIRELESS NETWORK

RADIUS (REMOTE DIAL IN USER SERVICE)
• RADIUS IS A AAA PROTOCOL, SECURITY SYSTEM BASED ON AUTHENTICATION, AUTHORIZATION,
AND ACCOUNTING.
• CLIENT SERVER MODEL
• SHARED SECRET MUST BE SHARED BETWEEN CLIENT(ACCESS POINT) AND SERVER AND CLIENT MUST
BE CONFIGURED TO USE RADIUS SERVER TO GET SERVICE.
• RADIUS USES A CENTRALIZED SERVER THAT ALLOWS YOU TO DEFINE THE USERNAME AND
PASSWORD OF THE USERS BY WHICH THEY CAN LOGIN TO THEIR ACCOUNT BEFORE ACCESSING
THE NETWORK.
• RADIUS SERVER IS RESPONSIBLE FOR GETTING USER CONNECTION REQUESTS, AUTHENTICATING THE
USER AND THEN RETURNING ALL CONFIGURATION INFORMATION NECESSARY FOR THE CLIENT TO
DELIVER SERVICE TO THE USER.
• TRANSACTIONS BETWEEN CLIENT AND SERVER ARE AUTHENTICATED THROUGH THE USE OF A SHARED
KEY AND THIS KEY IS NEVER SENT OVER THE NETWORK.
• PASSWORD IS ENCRYPTED BEFORE SENDING IT OVER NETWORK USING WPA2
• HERE SECURITY IS FULLY DEPENDENT ON THE SEVER NOT THE ACCESS POINT, HENCE SECURITY
INCREASED.

Secure Network Design with High-Availability & VoIP

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Secure Network Design with High-Availability & VoIP

Similaire à Secure Network Design with High-Availability & VoIP (20)

Plus de Arpan Patel

Plus de Arpan Patel (6)

Dernier

Dernier (20)

Secure Network Design with High-Availability & VoIP