Networking, the communication between two or more computers or networks, encompasses every aspect of connecting systems together. With the evolution of networking and the Internet, the threats to
information and networks have risen dramatically, while network performance has come under increasing strain.
As a company grows its business, its network design needs to be updated and expanded from the existing network
to accommodate additional users or workloads. The difficulty is that networks
are under pressure to cost less, yet must support emerging applications and a higher number of users
with increased performance. As personal, government and business-critical applications become
more prevalent on the Internet, it is imperative that all networks be protected from threats and
vulnerabilities in order for a business to achieve its fullest potential. Hence a secure design for a
network is critical in today’s expanding corporate world.
2. BRIEFLY, THIS PROJECT AIMS TO SET UP AN END-TO-END SECURE DATA & VOIP NETWORK FOR A SMALL
ENTERPRISE, WITH FEATURES LIKE HIGH AVAILABILITY, ENHANCED PERFORMANCE, RESILIENCY, SECURITY FOR
WIRED & WIRELESS COMMUNICATION AND INCREASED PRODUCTIVITY.
3. THE MAJOR OBJECTIVE OF THIS PROJECT WAS A SMALL
ENTERPRISE NETWORK UPGRADE IN ORDER TO:
• IMPROVE AND CONSOLIDATE NETWORK PERFORMANCE ON SITE.
• PROVIDE INCREASED NETWORK CAPACITY.
• IMPROVE THE NETWORK’S FAULT TOLERANCE CAPABILITY.
• PROVIDE FUTURE EXPANSION CAPABILITY.
• IMPROVE THE NETWORK SECURITY TO PREVENT UNAUTHORIZED ACCESS.
• IDENTIFY THE CRITICAL POINTS OF FAILURE IN THE EXISTING NETWORK
AND PROPOSE ON HOW TO ELIMINATE THEM.
4. SECURITY POLICY & REQUIREMENTS:
• WIRELESS USERS ARE DENIED ACCESS TO THE PRIVATE NETWORK; THEY GET INTERNET ACCESS ONLY.
• NETWORK DEVICES MUST ONLY BE ACCESSED BY AN AUTHORIZED LOCAL-SITE OR REMOTE-SITE ADMIN. ONLY
PERMITTED DEPARTMENTS ARE ALLOWED TO COMMUNICATE WITH OTHER DEPARTMENTS.
• NO HOST OTHER THAN THE COMPANY’S END DEVICES MAY BE ATTACHED TO THE NETWORK. IF ONE IS
ATTACHED, ACCESS MUST BE DENIED IMMEDIATELY AND THE ADMIN MUST BE NOTIFIED (FOR EXAMPLE THROUGH
THE SYSLOG SERVER).
• TWO GUEST COMPUTERS SHOULD BE ACCOMMODATED IN ANY DEPARTMENT; THEY ARE ONLY PERMITTED TO
COMMUNICATE WITH THE MARKETING DEPARTMENT AND HAVE LIMITED INTERNET ACCESS.
• EMPLOYEES CAN ONLY ACCESS THE ALLOWED SITES.
• HUMAN RESOURCES IS DENIED ACCESS TO ANY OTHER DEPARTMENT & IS ALLOWED INTERNET ACCESS ONLY.
5. FUTURE EXPANSION CAPABILITY:
• SERVERS CAN BE ADDED TO THE NETWORK AT ANY TIME.
• CLUSTERING OF THE SERVERS IS ALSO POSSIBLE IN THE FUTURE IF NECESSARY, AS THE EXISTING SERVER
HARDWARE IS IDENTICAL & SUPPORTS SCSI.
• SYSTEM COMPONENTS ARE IDENTICAL AT ALL NODES FOR EASE OF MANAGEMENT, & CONFIGURATIONS
ARE SIMILAR BETWEEN ALL UNITS AND CAN BE USED AS TEMPLATES FOR ADDING NODES.
• THE DISTRIBUTION SWITCH IS A 24-PORT GIGABIT SWITCH WITH 4 SFP FIBER MODULES.
• HENCE THE NUMBER OF DEPARTMENTS OR EVEN THE NUMBER OF BRANCHES CAN BE EXPANDED AT ANY TIME,
AS THE NECESSARY CONFIGURATIONS ARE ALREADY IN PLACE.
6. ACCESS LAYER SWITCHES ALSO HAVE THE CAPACITY TO SERVE MORE USERS
AND ARE CONFIGURED FOR SUCH EXPANSION.
7. FUTURE TRANSITION TO IPV6
• WITH CERTAIN ADDITIONAL CONFIGURATION, THE FULL
ENTERPRISE NETWORK CAN BE IMPLEMENTED WITH AN IPV6 SETUP IN THE FUTURE.
• DOCUMENTATION IS ALSO PROVIDED FOR A FULL IPV6 DEPLOYMENT.
8. NETWORK FEATURES
• WEB SERVER
• FTP SERVER
• DHCP SERVER
• DNS SERVER
• SYSLOG SERVER
• VOIP
9. VOIP
Steps:
1. Configure Call Manager Express (CME) on a 2811 router.
2. Use the various telephony devices.
3. Set up dial peers.
4. Connect Cisco IP phones to the network.
• ADDITIONALLY, IN THE CURRENT NETWORK INFRASTRUCTURE IP PHONES HAVE ALSO BEEN CONFIGURED IN EACH
DEPARTMENT USING THE SAME ETHERNET NETWORK.
• BY RECONFIGURING THE NETWORK & THE MANAGEABLE SWITCHES, VOICE IS NOW CARRIED OVER THE DATA
NETWORK.
10. VOIP CONFIGURATION:
• TASK 1 : CONFIGURE INTERFACE FASTETHERNET 0/0 AND THE DHCP SERVER ON ROUTERA
(2811 ROUTER)
• TASK 2 : CONFIGURE THE CALL MANAGER EXPRESS TELEPHONY SERVICE ON ROUTERA
• TASK 3 : CONFIGURE A VOICE VLAN ON SWITCHA
• TASK 4 : CONFIGURE THE PHONE DIRECTORY FOR IP PHONE 1
• TASK 5 : VERIFY THE CONFIGURATION
11. CISCO IP PHONE CONFIGURATION COMMANDS:
#Configure the FA 0/0 interface#
RouterA>enable
RouterA#configure terminal
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip address 192.168.10.1 255.255.255.0
RouterA(config-if)#no shutdown
RouterA(config-if)#exit
#The DHCP server is needed to provide an IP address and the TFTP server location for each IP phone
connected to the network:
RouterA(config)#ip dhcp pool VOICE #Create DHCP pool named VOICE#
RouterA(dhcp-config)#network 192.168.10.0 255.255.255.0 #DHCP network 192.168.10.0 with /24 mask#
RouterA(dhcp-config)#default-router 192.168.10.1 #The default router IP address#
RouterA(dhcp-config)#option 150 ip 192.168.10.1 #TFTP server the phones load their configuration from; mandatory for VoIP. Here it is the CME router itself#
After the configuration, wait a moment and check that ‘IP Phone 1’ has received an IP address by checking
the phone screen until a configuration summary appears.
Apply the following configuration on SwitchA interfaces. This configuration is meant to separate voice and data traffic into
different VLANs on SwitchA: data packets are carried untagged on the access VLAN and voice packets are tagged with the voice VLAN.
SwitchA(config)#interface range fa0/1 - 5 #Configure interface range#
SwitchA(config-if-range)#switchport mode access
SwitchA(config-if-range)#switchport voice vlan 1 #Define the VLAN on which voice packets will be handled#
Note: as written, the voice VLAN is VLAN 1, which is also the default access (data) VLAN of these ports, so voice and data
are not actually separated. For real separation the voice VLAN must differ from the access VLAN, which also keeps the
phones’ signalling and media traffic away from ordinary data hosts.
12. CISCO IP PHONE CONFIGURATION COMMANDS (CONTINUED):
Configure the Call Manager Express telephony service on RouterA to enable VoIP on the network.
RouterA(config)#telephony-service #Configuring the router for telephony services#
RouterA(config-telephony)#max-dn 5 #Define the maximum number of directory numbers#
RouterA(config-telephony)#max-ephones 5 #Define the maximum number of phones#
RouterA(config-telephony)#ip source-address 192.168.10.1 port 2000 #Address and SCCP port the phones register to#
RouterA(config-telephony)#auto assign 1 to 5 #Automatically assign ephone-dns 1 to 5 to phone buttons; the range cannot exceed max-dn#
Although ‘IP Phone 1’ is already connected to SwitchA, it needs additional configuration before being
able to communicate. So to configure RouterA CME to assign a phone number to this IP phone:
RouterA(config)#ephone-dn 1 #Defining the first directory entry#
RouterA(config-ephone-dn)#number 999 #Assign the phone number to this entry#
Ensure that the IP phone receives an IP address and the phone number 999 from RouterA.
This can take a short while.
13. REMOTE SITE VOIP CONFIGURATION USING DIAL PEERS:
SITE1 ROUTER:
dial-peer voice 47 voip
 destination-pattern 1..
 session target ipv4:18.18.18.2
SITE2 ROUTER:
dial-peer voice 47 voip
 destination-pattern ...
 session target ipv4:78.78.78.2
A “.” IN A DESTINATION PATTERN MATCHES ANY SINGLE DIGIT. SITE1 ONLY SENDS EXTENSIONS 1XX ACROSS THE WAN, WHEREAS THE
“...” PATTERN ON SITE2 IS A CATCH-ALL THAT FORWARDS EVERY THREE-DIGIT NUMBER WHICH IS NOT A LOCAL EXTENSION TO SITE1.
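How a voice router chooses between the two dial peers above is easy to get wrong, so here is a small model of the selection rule, written as an added example (not code from the slides): IOS picks the matching destination-pattern with the longest explicit match, i.e. the most non-wildcard digits. The local extensions 999 and 101 are constructed, only fixed-length patterns of digits and “.” are modelled, and the model assumes, as an assumption, that CME exposes each local ephone-dn as a local dial peer.

```python
"""Added example, not from the original slides: a model of Cisco dial-peer
selection.  The matching destination-pattern with the most explicit
(non-wildcard) digits wins; '.' matches exactly one digit.  Only fixed-length
patterns of digits and '.' are modelled.  Local extensions (999, 101) are
constructed; treating each ephone-dn as a local dial peer is an assumption."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DialPeer:
    tag: int
    pattern: str
    target: str          # "local" for an extension on this router, else "ipv4:<addr>"


def matches(pattern: str, digits: str) -> bool:
    """Digit-by-digit comparison; '.' is a single-digit wildcard."""
    return len(pattern) == len(digits) and all(
        p == "." or p == d for p, d in zip(pattern, digits))


def explicit_digits(pattern: str) -> int:
    return sum(1 for c in pattern if c != ".")


def select_dial_peer(peers: List[DialPeer], digits: str) -> Optional[DialPeer]:
    """Longest explicit match wins; on a tie the first configured peer is kept
    (IOS would then use preference, which is not modelled)."""
    candidates = [p for p in peers if matches(p.pattern, digits)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: explicit_digits(p.pattern))


# The two routers from the slides, each with one constructed local extension.
SITE1 = [DialPeer(0, "999", "local"), DialPeer(47, "1..", "ipv4:18.18.18.2")]
SITE2 = [DialPeer(0, "101", "local"), DialPeer(47, "...", "ipv4:78.78.78.2")]


def route(site: List[DialPeer], digits: str) -> str:
    peer = select_dial_peer(site, digits)
    return peer.target if peer else "no match"


if __name__ == "__main__":
    for site_name, site in (("SITE1", SITE1), ("SITE2", SITE2)):
        for dialed in ("999", "101", "234"):
            print(site_name, dialed, "->", route(site, dialed))
```

The run shows the asymmetry in the slides’ dial plan: from SITE1 a misdialled 234 gets no match and fails locally, but from SITE2 the same number matches “...” and is sent across the WAN to SITE1, where it fails only after consuming signalling on the link.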
14. ADDITIONAL FEATURES WHICH INCREASE NETWORK
PERFORMANCE & CAPACITY:
• VTP PRUNING:
• WHEN VTP PRUNING IS ENABLED ON THE VTP SERVER, ALL THE
CLIENTS IN THE VTP DOMAIN AUTOMATICALLY ENABLE VTP
PRUNING. BY DEFAULT, VLANS 2 – 1001 ARE PRUNING
ELIGIBLE, BUT VLAN 1 CAN’T BE PRUNED BECAUSE IT’S AN
ADMINISTRATIVE VLAN. PRUNING STOPS FLOODED TRAFFIC OF A VLAN
FROM BEING SENT OVER TRUNKS THAT HAVE NO ACTIVE PORTS IN THAT VLAN.
• SPANNING-TREE PORTFAST IS ENABLED VERY CAREFULLY, ON ACCESS
PORTS CONNECTED TO HOSTS ONLY (ESPECIALLY THE SERVERS), SO
UPTIME IS HIGH & THERE IS NO UNNECESSARY DELAY FROM STP.
IT MUST NEVER BE ENABLED ON PORTS FACING OTHER SWITCHES.
THE PRUNING-ELIGIBLE LIST OF A TRUNK IS RESTRICTED PER INTERFACE:
SW1#config t
SW1(config)#interface Fa0/1
SW1(config-if)#switchport trunk pruning vlan 3-4 #Only VLANs 3 and 4 are pruning-eligible on this trunk#
15. NETWORK CONNECTIVITY TESTING PLAN:
Layer 1 Error Checklist:
Broken cables
Disconnected cables
Cables connected to the wrong ports
Intermittent cable connections
Cables incorrectly terminated
Wrong cables used (cross-connects, rollovers, straight-through cables)
Transceiver problems
DCE cable problems
DTE cable problems
Devices powered off
Layer 2 Error Checklist:
Improperly configured serial interfaces
Improperly configured Ethernet interfaces
Wrong clock rate settings on serial interfaces
Wrong encapsulation set on serial interfaces
Faulty NIC
Layer 3 Error Checklist
Wrong routing protocol enabled
Incorrect network/IP addresses
Incorrect subnet masks
Incorrect interface addresses
Incorrect DNS-to-IP bindings
Wrong autonomous system number for EIGRP
16. STANDARD COMMAND LINE TOOLS USED TO TROUBLESHOOT
STANDARD COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT HOST-LEVEL PROBLEMS ARE:
PING – CHECK CONNECTIVITY BETWEEN THE HOST AND OTHER NETWORK DEVICES
TRACERT – CHECK THE PATH TO OTHER NETWORK DEVICES
IPCONFIG – CHECK THAT THE HOST HAS THE CONFIGURATION ASSIGNED TO IT (ADDRESS, MASK, GATEWAY, DNS)
ARP -A – DISPLAY THE IP-TO-PHYSICAL ADDRESS TRANSLATION TABLE
STANDARD CISCO IOS COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT ROUTER-LEVEL
PROBLEMS ARE:
PING – CHECK CONNECTIVITY BETWEEN THE ROUTER AND OTHER NETWORK DEVICES
TRACEROUTE – CHECK THE PATH TO OTHER NETWORK DEVICES
SHOW ARP – SHOW THE IP/MAC ADDRESS MAPPINGS IN USE
SHOW IP ROUTE – SHOW THE ROUTER’S ROUTING TABLE
SHOW INTERFACES / SHOW IP INTERFACE BRIEF – SHOW EXISTING INTERFACE CONFIGURATIONS AND WHETHER EACH
INTERFACE IS ADMINISTRATIVELY UP OR DOWN
SHOW RUN – SHOW THE COMPLETE RUNNING CONFIGURATION
25. ETHERCHANNEL: CISCO’S IMPLEMENTATION OF PORT AGGREGATION
• PORT AGGREGATION ALLOWS US TO TIE MULTIPLE PORTS TOGETHER INTO A SINGLE
LOGICAL INTERFACE.
• NOT ONLY DOES PORT AGGREGATION INCREASE THE BANDWIDTH OF A LINK, BUT IT
ALSO PROVIDES REDUNDANCY: IF ONE MEMBER LINK FAILS, TRAFFIC CONTINUES OVER THE
REMAINING MEMBERS WITHOUT AN STP RECALCULATION.
Benefits
1. Enhanced performance.
2. Redundancy.
3. Resiliency and faster convergence.
How EtherChannel was implemented (the same commands are applied on both switches;
all member ports must have identical speed, duplex and trunk settings):
Switch(config)#interface range gigabitEthernet 0/1-2
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport nonegotiate #Disable DTP; the trunk is configured statically#
Switch(config-if-range)#channel-group 1 mode desirable #PAgP; creates the logical interface Port-channel 1#
27. FIBER UPLINK
• HAVING A FIBER BACKBONE IS THE WISEST DECISION IN ANY ENTERPRISE
NETWORK DESIGN.
• WE HAVE IT IN THE CORE BACKBONE WHICH CONNECTS THE CORE ROUTER TO
THE DISTRIBUTION SWITCH.
• ALSO, THE SERVERS OF ALL 3 SITES ARE NOW CONNECTED TO THE NETWORK WITH
GIGABIT FIBER.
Benefits
1. High availability
2. Lower response time
3. Increased reliability
40. ACCESS-CONTROL LIST
ACCESS CONTROL LISTS (ACLS) CAN BE USED FOR
TWO PURPOSES ON NETWORKING DEVICES:
• TO FILTER TRAFFIC.
• TO IDENTIFY SPECIFIC TRAFFIC, FOR EXAMPLE TO CONFINE TRAFFIC
BETWEEN SPECIFIC SUBNETS (THIS IS HOW THE INTER-DEPARTMENT POLICY IS ENFORCED).
TYPES OF ACCESS LISTS:
• NUMBERED
• NAMED
• EXTENDED
• STANDARD
• ACCESS CONTROL LISTS WORK IN A TOP-DOWN
APPROACH: ENTRIES ARE CHECKED IN ORDER AND THE FIRST MATCHING ENTRY DECIDES.
EVERY ACL ENDS WITH AN IMPLICIT DENY, SO TRAFFIC THAT MATCHES NO ENTRY IS DROPPED.
- A PERMIT STATEMENT IS USED TO ALLOW TRAFFIC.
- A DENY STATEMENT IS USED TO BLOCK TRAFFIC.
COMMANDS:
- ROUTER(CONFIG)#IP ACCESS-LIST EXTENDED <NAME>
- ROUTER(CONFIG-EXT-NACL)#PERMIT IP HOST <SOURCE
IP> HOST <DESTINATION IP>
AN ACL HAS NO EFFECT UNTIL IT IS APPLIED TO AN INTERFACE (OR A VTY LINE) IN A DIRECTION.
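To make the top-down, first-match, implicit-deny behaviour concrete, here is a small ACL evaluator written as an added example (not code from the slides). It models an IOS extended ACL checking the HR policy from slide 4 (HR gets the Internet only), and shows that the same entries in the wrong order silently break the policy. The department subnets (HR on 192.168.40.0/24, all departments inside 192.168.0.0/16), the DNS server at 192.168.10.1 and the sample packets are constructed assumptions, not the project’s real addressing.

```python
"""Added example, not from the original slides: a model of how an IOS
extended ACL is evaluated top-down, first match wins, with the implicit
'deny ip any any' at the end.  Subnets, the DNS address and the sample
packets are constructed for illustration (assumptions, not the project's
real addressing)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard(addr: str, wild: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation to a network.  Wildcard bit
    1 = don't care, so 0.0.0.0 is one host and 255.255.255.255 is 'any'.
    Only contiguous wildcards are supported in this model."""
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard not supported here")
    prefix = 32 - w.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~w
    return ipaddress.IPv4Network((base, prefix))


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else tcp/udp/icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # 'eq <port>' on the destination; None = any


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  Entries are tested in
    order and the first match decides; no match means the packet hits the
    implicit deny, reported with index None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# Constructed addressing.
HR = wildcard("192.168.40.0", "0.0.0.255")
PRIVATE = wildcard("192.168.0.0", "0.0.255.255")
ANY = wildcard("0.0.0.0", "255.255.255.255")
DNS = wildcard("192.168.10.1", "0.0.0.0")

# Policy from the slides: HR may reach the Internet only.  Order matters:
# the specific deny must precede the broad permit.
HR_IN = [
    Entry("permit", "udp", HR, DNS, 53),   # still let HR resolve names
    Entry("deny", "ip", HR, PRIVATE),      # no other department
    Entry("permit", "ip", HR, ANY),        # everything else = Internet
]
# The same lines with the broad permit first: the deny is never reached.
HR_IN_WRONG_ORDER = [HR_IN[2], HR_IN[0], HR_IN[1]]


def check_policy(acl: List[Entry]) -> dict:
    """Run representative (constructed) packets through an ACL."""
    return {
        "hr_to_internet": evaluate(acl, "tcp", "192.168.40.10", "203.0.113.10", 443)[0],
        "hr_to_marketing": evaluate(acl, "tcp", "192.168.40.10", "192.168.20.5", 445)[0],
        "hr_dns": evaluate(acl, "udp", "192.168.40.10", "192.168.10.1", 53)[0],
        "unlisted_source": evaluate(acl, "tcp", "10.0.0.5", "203.0.113.10", 80)[0],
    }


if __name__ == "__main__":
    for name, acl in (("correct order", HR_IN), ("wrong order", HR_IN_WRONG_ORDER)):
        print(name, check_policy(acl))
```

The “unlisted_source” case is the implicit deny at work: a source the ACL never mentions is dropped, which is why an inbound ACL on the HR interface must explicitly permit every flow HR legitimately needs (DNS here) before the final broad permit.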
42. SWITCH PORT SECURITY
• NO OTHER WORKSTATION CAN BE PLUGGED INTO THE FASTETHERNET PORT.
• IF AN UNREGISTERED MAC IS PLUGGED IN, THE PORT IS EITHER SHUT DOWN (ERR-DISABLED, THE DEFAULT VIOLATION MODE) OR
RESTRICTED (OFFENDING FRAMES DROPPED AND A SYSLOG/SNMP NOTIFICATION SENT, WHICH IS WHAT NOTIFIES THE ADMIN).
A PORT WITH AN IP PHONE AND A PC BEHIND IT SEES MORE THAN ONE MAC AND NEEDS A HIGHER MAXIMUM THAN THE DEFAULT OF 1.
Switch(config)#interface fa 0/1
Switch(config-if)#switchport mode access #Port security is rejected on a dynamic (DTP) port#
Switch(config-if)#switchport port-security #Enable port security; default maximum 1 MAC, violation shutdown#
Switch(config-if)#switchport port-security mac-address sticky #Learn the first MAC seen and write it into the running configuration; save the configuration so it survives a reload#
44. REMOTE ACCESS &
REMOTE ACCESS SECURITY:
• REMOTE ACCESS: TELNET (PORT 23) SENDS USERNAMES, PASSWORDS AND THE WHOLE SESSION IN CLEARTEXT,
SO IT IS NOT ALLOWED ON THE VTY LINES.
• SECURE REMOTE ACCESS:
SSH VERSION 2 (PORT 22), WHICH PROVIDES:
Host identification (the router’s RSA host key, generated below)
Encryption (a symmetric cipher negotiated per session, e.g. AES or 3DES; IDEA was an SSH-1 cipher and is not offered by IOS SSHv2)
Authentication (here a username and password checked against the local user database; public-key user authentication is a separate option)
CONFIGURATION AS FOLLOWS:
Router(config)# ip domain-name cisco.com
Router(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Mar 1 0:4:8.988: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router(config)#ip ssh version 2
Router(config)# username cisco secret cisco
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exit
Router(config)#ip ssh time-out 90
Router(config)#ip ssh authentication-retries 2
NOTES: “SSH 1.99” MEANS BOTH PROTOCOL VERSIONS ARE OFFERED UNTIL “ip ssh version 2” RESTRICTS THE ROUTER TO V2;
V2 NEEDS A MODULUS OF AT LEAST 768 BITS, AND 2048 IS THE SENSIBLE MINIMUM TODAY. “username ... secret” STORES A HASH
INSTEAD OF THE REVERSIBLE TYPE 7 ENCODING OF “username ... password”, AND THE PLACEHOLDER cisco/cisco MUST BE REPLACED.
THE SHORT TIME-OUT AND RETRY LIMIT REDUCE EXPOSURE TO PASSWORD GUESSING; AN ACCESS-CLASS ON THE VTY LINES CAN FURTHER
LIMIT SSH TO THE ADMIN SUBNETS, AS THE POLICY ON SLIDE 4 REQUIRES.
51. RADIUS (REMOTE AUTHENTICATION DIAL-IN USER SERVICE)
• RADIUS IS AN AAA PROTOCOL: A SECURITY SYSTEM BASED ON AUTHENTICATION, AUTHORIZATION,
AND ACCOUNTING.
• CLIENT-SERVER MODEL.
• A SHARED SECRET MUST BE CONFIGURED ON BOTH THE CLIENT (THE ACCESS POINT) AND THE SERVER, AND THE CLIENT
MUST BE CONFIGURED TO USE THE RADIUS SERVER TO GET SERVICE.
• RADIUS USES A CENTRALIZED SERVER ON WHICH THE USERNAMES AND PASSWORDS OF THE USERS ARE DEFINED;
USERS LOG IN WITH THESE BEFORE GAINING ACCESS TO THE NETWORK.
• THE RADIUS SERVER IS RESPONSIBLE FOR RECEIVING USER CONNECTION REQUESTS, AUTHENTICATING THE
USER AND THEN RETURNING ALL CONFIGURATION INFORMATION NECESSARY FOR THE CLIENT TO
DELIVER SERVICE TO THE USER.
• TRANSACTIONS BETWEEN CLIENT AND SERVER ARE AUTHENTICATED THROUGH THE USE OF THE SHARED
SECRET, AND THIS SECRET IS NEVER SENT OVER THE NETWORK.
• THE USER PASSWORD IS NOT SENT IN THE CLEAR EITHER: RADIUS HIDES THE USER-PASSWORD ATTRIBUTE BY XOR-ING IT WITH AN
MD5 HASH OF THE SHARED SECRET AND THE REQUEST AUTHENTICATOR (RFC 2865). WITH WPA2-ENTERPRISE THE CREDENTIAL TRAVELS
INSIDE EAP (PROTECTED BY THE TLS TUNNEL OF PEAP OR EAP-TLS) AND IS RELAYED BY THE ACCESS POINT TO THE SERVER; WPA2
ITSELF ENCRYPTS ONLY THE WIRELESS LINK BETWEEN CLIENT AND ACCESS POINT, NOT THE RADIUS EXCHANGE BETWEEN ACCESS POINT
AND SERVER. BECAUSE THE MD5-BASED HIDING IS WEAK, THE ACCESS-POINT-TO-SERVER PATH BELONGS ON A MANAGEMENT VLAN OR UNDER
IPSEC/RADSEC.
• HERE SECURITY DEPENDS ON THE SERVER RATHER THAN ON EACH ACCESS POINT, HENCE SECURITY IS
INCREASED.
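The two claims above, that the shared secret never crosses the wire and that the password is hidden rather than sent in clear, are easiest to see in the actual RFC 2865 arithmetic. The block below is an added example (not code from the slides or from any RADIUS implementation): it builds an Access-Request with a hidden User-Password, reveals it the way the server does, and verifies the Response Authenticator on the reply. The username, password, shared secret and packet identifier are constructed values; this is the PAP-style User-Password path, whereas WPA2-Enterprise carries the credential inside EAP-Message attributes instead.

```python
"""Added example, not from the original slides: RFC 2865 User-Password hiding
and Response Authenticator checking.  Username, password, shared secret and
identifier are constructed values.  The secret is only ever fed into MD5
locally; the wire carries the XOR-ed result."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """Each 16-byte block is XOR-ed with MD5(secret || previous block); the
    first 'previous block' is the 16-byte Request Authenticator."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = xored if hiding else block   # chaining always uses the hidden block
    return bytes(out)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 octets, then hide."""
    if not 0 < len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding.  A wrong secret yields garbage, not an error."""
    return _md5_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, request_auth: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    attrs = attr(ATTR_USER_NAME, username) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(CODE_ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret): proves the
    reply came from a holder of the secret and binds it to this request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: refuse an Access-Accept whose authenticator does not check out."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret, ra = b"example-shared-secret", os.urandom(16)
    req = build_access_request(7, ra, b"alice", b"correct horse", secret)
    print("on the wire   :", req.hex())            # the password is not visible
    hidden = req[20 + 7 + 2:]                       # header, User-Name TLV, password TLV header
    print("server reveals:", reveal_password(hidden, secret, ra))
    print("wrong secret  :", reveal_password(hidden, b"guess", ra))
    accept = build_response(CODE_ACCESS_ACCEPT, 7, ra, b"", secret)
    print("genuine accept verifies:", verify_response(accept, ra, secret))
    forged = build_response(CODE_ACCESS_ACCEPT, 7, ra, b"", b"guess")
    print("forged accept verifies :", verify_response(forged, ra, secret))
```

Two practical consequences follow from the arithmetic: anyone who captures a request/response pair can run an offline dictionary attack against the shared secret (MD5 is fast), so the secret must be long and random; and because the hiding is reversible by the server, the RADIUS server holds the real credentials and is exactly the single point the slide says security depends on.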