Desert View High School
Group Members:
• Killian McLoughlin
• JP Sheridan
• Kevin Traynor
Contents:
• Design Goals
• WAN Design
• LAN Design: Logical & Physical LAN Design
• Equipment Details: MDF Equipment, IDF Equipment, Design Of Cabinet In Each Classroom, Classroom Hardware Configuration, Topology & Servers, Wiring
• Security: Why Use VLANs?, Benefits Of VLANs, VLAN Membership Policy Server, Security Hardware
• Layout Of Classrooms
• IP Addressing: IP Addressing Scheme, Sub-netting
• Router Configurations: ACL (blocks Telnet traffic to the router from Lecturers & Students)
• DHCP Configuration
• Conclusion
Design Goals
• To create a LAN that will act as an arm of the Washington schools district WAN.
• This LAN should then prove functional for at least the next 7-10 years.
• Each classroom will support at least 25 workstations.
• Throughout the LAN, all workstations will be provided with an internet connection.
Design Goals cntd.
• Cat5 will provide the required Ethernet speeds using 10Base-T, 100Base-T and 1000Base-FX. (Cabling will comply with the TIA/EIA-568-A and TIA/EIA-569 standards.)
• The initial requirements for any host PC on the LAN will be 1Mbit, whereas for network servers it will be 100Mbit.
Design Goals cntd.
• Desert View's LAN will also have to cater for at least the following:
• 10x growth in the District internet connection throughput.
• 2x growth in the core WAN throughput.
• And (at least) 100x growth in the LAN's own throughput.
WAN Design
• The Washington WAN consists of three district centers. These are:
• The 'Shaw Butte' elementary school.
• The District's Data Center.
• The Service Center.
• These centers are then connected using T1 lines through Cisco routers.
• ('Desert View' connects to the core WAN through 'Shaw Butte'.)
WAN Design
The Washington School District Wide Area Network (WAN) will:
• Connect all school and administrative offices with the district office for the purpose of delivering data. The WAN will be based on a two-layer hierarchical model.
• Three (3) regional Hubs will be established at the District Office/Data Center, Service Center and Shaw Butte Elementary School for the purpose of forming a fast WAN core network.
• School locations will be connected into the WAN core Hub locations based on proximity to the Hub.
WAN Design
• TCP/IP and Novell IPX are the only networking protocols acceptable to traverse the district WAN.
• All other protocols will be filtered at the individual school sites using access routers.
• High-end, powerful routers will also be installed at each WAN core location.
• Access to the Internet or any other outside network connections will be provided through the District Office/Data Center through a Frame Relay WAN link.
• For security purposes, no other connections will be permitted.
WAN Core
(Diagram: the WAN core sites, connected by T1 lines.)
LAN Design
• Logical Design Of The LAN
• Physical Design Of The LAN
(Diagram slides: Logical Design Of LAN; Physical Design, continued over three slides.)
Equipment Details
Desert View High School
MDF Equipment: Design Of MDF
• 33U 23in Wiring Closet #1
• Patch Panel, 48 RJ-45 ports, 23in, 2U
• Patch Panel, 12 MIC ports, 23in, 1U, for fibre-optic cables
• Catalyst 3548 XL Enterprise Edition
• PIX 515 DC-powered firewall
• Cisco 3600 4-slot Modular Router, DC, with IP Software
MDF Equipment
• The Cisco 3600 Series is a family of modular, multi-service access platforms for medium and large-sized offices and smaller Internet Service Providers.
• With over 90 modular interface options, the Cisco 3600 family provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing.
• The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution.
• In Cisco 3600 series routers, the 2-port serial WAN interface card supports both asynchronous (up to 115.2 kbps) and synchronous (up to 2.048 Mbps) data rates.
Cisco 3600 Router
Cisco Catalyst 3548XL Enterprise Edition
• A stackable 10/100 and Gigabit Ethernet switch that delivers premium performance, manageability, and flexibility with unparalleled investment protection.
• 48 10/100 ports and two GBIC-based Gigabit Ethernet ports.
• This switch offers advanced software features, including complete 802.1Q and ISL VLAN support, TACACS+ security, and fault tolerance through UplinkFast.
MDF & IDF Equipment
IDF Equipment: Design Of IDF
• 33U 19in Wiring Closet #1
• Patch Panel, 48 RJ-45 ports, 23in, 2U
• Patch Panel, 12 MIC ports, 23in, 1U, for fibre-optic cables
• Catalyst 3548 XL Enterprise Edition
Design Of Cabinet In Each Classroom
• 18U 19in Wiring Closet #1
• Patch Panel, 48 RJ-45 ports, 19in, 2U
• 3 x 12-port 10/100 Switches (Standard Edition)
Classroom Hardware Configuration
Each classroom has 4 RJ-45 points:
• Lecturers' workstations are connected to 1 of the points (CAT 5 UTP) and patched directly to an enterprise switch in the nearest IDF.
• A Cisco 12-port 10/100 Standard Switch is connected to each of the remaining points. Each standard switch is patched directly back to an enterprise switch in the nearest IDF (CAT 5 UTP).
• 8 student PCs are connected to each standard switch.
• A networked printer is also connected to one of the standard switches in each classroom.
• A File & Print server handles the print queues for the entire high school.
Why Use Switches & Not Hubs In Classrooms?
Hubs
• A hub is an Ethernet (10BaseT or 100BaseT UTP/STP) repeater.
• In a typical 12-port hub, any data it receives on one port will be re-transmitted on all of the other ports. The intended destination could be on any of those ports. It's simple to understand.
• Not very efficient, as there is no traffic control: if two PCs try to transmit at the same time, a 'collision' occurs and the data has to be re-transmitted.
• Even though an Ethernet card might be 'full duplex', it may not be able to actually transmit and receive simultaneously.
• A PC will have no interest in data which another PC is sending (for example) to a printer elsewhere on the network, so clogging up its Ethernet interface is wasteful.
Why Use Switches & Not Hubs In Classrooms cnt.
Switches
• A switch transmits data from one specific port to another, rather than re-broadcasting data to all other ports.
• A switch is intelligent and will learn which device is on which port (MAC Address).
• A switch knows which port received data needs to be sent to.
• This makes the network much more efficient and allows more devices to communicate with each other simultaneously.
Topology & Servers
This network is structured on an extended star topology.
External Servers On WAN Core
• Administrative (MAIN) server
• DNS Server
Servers On Desert View LAN
• Administrative Server
• Email Server
• File & Print Server
• TFTP & RAS Server
• School Web Server
• Proxy Server
• Application Server
• Library Server
• DNS Host Server & DHCP Server
Servers are located in the same room as the MDF and are connected directly to the enterprise switch in the MDF (CAT 5 UTP).
Wiring
• All Enterprise Switches are interconnected through trunking ports using fiber optic cabling.
• All cabling is run through the existing cable runs, where possible.
• All workstations are connected to network points on walls and on the floors (Lecturer workstations) with CAT 5 UTP cabling.
• All network points in classrooms are patched through to switches in each classroom with CAT 5 UTP cabling.
• The switches in each classroom are patched back to an enterprise switch in the nearest IDF.
SECURITY
• VLANs: Why Use VLANs, Benefits Of VLANs
• VLAN Membership Policy Server
• Security Hardware: PIX Firewall
VLANs: Why Use VLANs?
VLANs provide the following benefits:
• Reduced administration costs from solving problems associated with moves, adds, and changes.
• Workgroup and network security.
• Controlled broadcast activity.
• Leveraging of existing hub investments.
• Centralized administration control.
VLANs
We have decided to implement 4 VLANs on the Desert View LAN as follows:
• VLAN 1 = Administration.
• VLAN 2 = Lecturers.
• VLAN 3 = Students.
• VLAN 4 = IP Telephony.
VLAN Membership Policy Server
We have decided to implement dynamic VLANs for improved security using Cisco VMPS.
• With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port.
• When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
• When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled.
• VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests.
• When the VMPS server receives a valid request from a client, it searches its database for a MAC-address-to-VLAN mapping.
VMPS cnt.
• The VMPS Server holds a database of devices' MAC addresses and the VLAN that those devices are members of.
• These addresses must be entered into the database manually.
• That device will be on the same VLAN no matter what port it is connected to on the LAN.
VMPS cnt.
• All lecturers' laptop MAC addresses and all administration workstation MAC addresses will be entered into this database.
• A lecturer can then plug his/her laptop into any port on the LAN and still be a member of the appropriate VLAN.
• This approach offers a higher level of security, preventing students' PCs from becoming members of the lecturers' or administration staff's VLANs should a student decide to connect his/her workstation to a lecturer's wall point or any other switch port on the LAN that is a member of a non-student VLAN.
VMPS cnt.
• We have also decided to use VMPS for the IP telephony VLAN.
• This will allow IP telephones to be connected to any available port on any switch on the LAN and still be a member of the appropriate VLAN.
• Having a VLAN exclusively for IP telephony will not reduce bandwidth for PCs.
• Having a VLAN exclusively for IP telephony will ensure maximum quality of signal for phones.
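The VMPS behaviour described on these slides, as an added Python model that is not part of the presentation or of Cisco's VMPS: a MAC-to-VLAN database keyed on the four VLANs above, a lookup that ignores which port the device appears on, and the unregistered-device case. The MAC addresses and the fallback to the Students VLAN are assumptions of this model.

```python
"""Simplified model of the VMPS-style dynamic VLAN assignment described above.

Added example, not code from the presentation or from Cisco's VMPS. MAC
addresses below are constructed sample values.
"""
import re
from typing import Dict, Optional

# The four VLANs chosen for the Desert View LAN (from the slides).
VLANS = {1: "Administration", 2: "Lecturers", 3: "Students", 4: "IP Telephony"}

# Assumption of this model: a MAC that is not in the database falls back to
# the Students VLAN. Passing fallback=None instead denies the port entirely.
FALLBACK_VLAN = 3


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or Cisco 'aabb.ccdd.eeff'
    and return the lowercase colon-separated form used as the database key."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class VmpsDatabase:
    """MAC-address-to-VLAN mappings, entered manually as the slides require."""

    def __init__(self) -> None:
        self._map: Dict[str, int] = {}

    def add(self, mac: str, vlan: int) -> None:
        if vlan not in VLANS:
            raise ValueError(f"unknown VLAN {vlan}")
        self._map[normalize_mac(mac)] = vlan

    def lookup(self, mac: str) -> Optional[int]:
        return self._map.get(normalize_mac(mac))


def assign_port_vlan(db: VmpsDatabase, mac: str,
                     fallback: Optional[int] = FALLBACK_VLAN) -> Optional[int]:
    """Return the VLAN a port joins when `mac` appears on it, or None to deny.
    The port itself never enters the decision: the answer depends only on the
    MAC, which is what lets a laptop move between switches and keep its VLAN."""
    vlan = db.lookup(mac)
    return vlan if vlan is not None else fallback


# Constructed sample database: one lecturer laptop, one admin workstation, one IP phone.
SAMPLE_DB = VmpsDatabase()
SAMPLE_DB.add("00:11:22:33:44:55", 2)   # lecturer laptop
SAMPLE_DB.add("0011.2233.4466", 1)      # administration workstation
SAMPLE_DB.add("00-11-22-33-44-77", 4)   # IP telephone


def demo() -> Dict[str, Optional[int]]:
    lecturer, unknown_pc = "00:11:22:33:44:55", "aa:bb:cc:00:00:01"
    return {
        # The same laptop seen on two different switches lands in VLAN 2 both times.
        "lecturer_on_mdf_port": assign_port_vlan(SAMPLE_DB, lecturer),
        "lecturer_on_idf_port": assign_port_vlan(SAMPLE_DB, lecturer),
        # An unregistered PC on a lecturer's wall point is not placed in VLAN 2.
        "unregistered_pc_fallback": assign_port_vlan(SAMPLE_DB, unknown_pc),
        "unregistered_pc_denied": assign_port_vlan(SAMPLE_DB, unknown_pc, fallback=None),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case}: {VLANS[vlan] if vlan else 'denied'}")
```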
Security Hardware: PIX 515 DC-powered firewall
• Cisco's PIX firewall series delivers strong security, easy to install at a competitive price.
• PIX firewalls provide the latest in security technology, ranging from:
• inspection firewalling
• contrast firewalling capabilities
• integrated intrusion detection, to help secure a network environment from next-generation attacks.
Typical Classroom Layout
(Diagram: banks of 8 PCs, wall points, network printer, lecturer's PC/Cat5 point, comms cabinet, desks etc.)
IP Addressing Scheme
• Washington School District WAN uses a class A IP addressing scheme.
• Desert View High School has been allocated the address 10.1.x.x.
• This leaves us with 2 octets to subnet from and approximately a possible 64,000 host addresses.
IP Addressing Scheme cnt.
• Every wing is on its own subnet, with the exception of wing 1, which is split into 2 subnets because of the number of hosts it requires.
• This leaves room for future expansion.
• We have decided to give administration its own sub-net. Through the use of ACLs this will allow us to distinguish between traffic from Teacher/Student workstations and administration workstations.
• All networking equipment and all administration workstations are on the administration's sub-net.
• This sub-net is 10.1.1.X.
Addresses
Static IP Addresses On Administration sub-net:
• 10.1.1.1 = DNS/DHCP Server.
• 10.1.1.2 = Router.
• 10.1.1.3 = WWW Server.
• 10.1.1.4 = Library Server.
• 10.1.1.5 = Application Server.
• 10.1.1.6 = File & Print Server.
• 10.1.1.7 = TFTP & RAS Server.
• 10.1.1.8 = Mail Server.
• 10.1.1.9 – 10.1.1.19 = Enterprise Switches.
• 10.1.1.20 – 10.1.1.155 = Regular Switches In Classrooms.
Subnet Breakdown
• 10.1.1.X (Admin)
• 10.1.2.X
• 10.1.3.X
• 10.1.4.X
• 10.1.5.X
• 10.3.6.X
• 10.1.7.X
Subnet Breakdown cntd.
• 10.1.8.X
• 10.1.9.X
• 10.1.10.X
• 10.1.11.X
• 10.1.12.X
Routing Protocols
We have decided to use Interior Gateway Routing Protocol (IGRP) as the network routing protocol.
Some of the advantages are:
• Scalability
• Fast response to network changes
• Uses a sophisticated composite metric that provides significant route selection flexibility.
• Can maintain up to four unequal paths between a network source and destination.
• Multiple paths can increase available bandwidth or provide route redundancy.
Router Configuration
DHCP
• Before configuring DHCP on the router, subnets must be decided on and all static addresses must be noted so that they can be excluded from the DHCP pool.
• An FTP or TFTP server must be configured for the DHCP server; it will hold the DHCP database.
• In this case we're using the DNS server as a dual-function server to save cost and space.
Router Configuration: Sample DHCP configuration
(The TFTP server address and password are shown as placeholders; the slide's values did not survive extraction.)
Desert_view(config)# ip dhcp database tftp://administrator:<password>@<tftp-server>/router-dhcp timeout 80
! timeout 80: how long to wait for a reply from the database server
Desert_view(config)# ip dhcp database tftp://administrator:<password>@<tftp-server>/router-dhcp write-delay 80
! write-delay 80: how often the bindings database is updated
Desert_view(config)# ip dhcp excluded-address 10.1.2.4
! network printer: excludes this printer address from the DHCP pool
Desert_view(config)# ip dhcp pool Wing_five_east
Desert_view(config-dhcp)# network 10.1.5.0 255.255.255.0
! wing 5 subnet
Desert_view(config-dhcp)# domain-name desert_view
Desert_view(config-dhcp)# dns-server 10.1.1.1
Desert_view(config-dhcp)# default-router 10.1.1.2
ACLs
This access control list prevents Telnet traffic to the router.
Router> enable
Router# config t
Router(config)# hostname Desert_view
Desert_view(config)# enable secret *****
Desert_view(config)# access-list 101 deny tcp "Subnet's IP address" 0.0.0.255 10.1.1.2 0.0.0.0 eq telnet
Desert_view(config)# access-list 101 permit ip any any
Desert_view(config)# interface e0
Desert_view(config-if)# ip access-group 101 in
• All subnets except for the administration's subnet would be included in this ACL.
• 10.1.1.2 is the router's IP address.
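As an added example (not the presentation's own configuration), the following Python models how IOS evaluates access-list 101 once every non-administration subnet from the Subnet Breakdown has been entered: one deny line per subnet, the permit ip any any line, first-match wildcard semantics and the implicit deny that ends every IOS access list. The sample packet addresses are constructed; 10.3.6.X is kept as printed on the slide.

```python
"""First-match evaluation of access-list 101 from the slides (added example, not the
presentation's own configuration). Builds one deny entry per non-administration subnet
from the Subnet Breakdown, appends 'permit ip any any', and applies IOS wildcard-mask
matching plus the implicit deny that ends every IOS access list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ROUTER_IP = "10.1.1.2"      # router address given on the Addresses slide
ADMIN_SUBNET = "10.1.1.0"   # the one subnet that is not added to the ACL
TELNET = 23
# Subnet Breakdown as printed on the slides (10.3.6.X kept as printed).
SUBNETS = ["10.1.1.0", "10.1.2.0", "10.1.3.0", "10.1.4.0", "10.1.5.0", "10.3.6.0",
           "10.1.7.0", "10.1.8.0", "10.1.9.0", "10.1.10.0", "10.1.11.0", "10.1.12.0"]


@dataclass
class Ace:
    """One entry, e.g. deny tcp 10.1.2.0 0.0.0.255 10.1.1.2 0.0.0.0 eq telnet."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                    # network address, or "any"
    src_wild: str               # IOS wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # None means no 'eq <port>' qualifier


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard semantics: 0.0.0.255 matches a /24, 0.0.0.0 matches one host."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """The first matching entry decides; if nothing matches, IOS drops the packet."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dst_port):
            return ace.action
    return "deny (implicit)"


def build_acl_101() -> List[Ace]:
    """One 'deny tcp <subnet> 0.0.0.255 10.1.1.2 0.0.0.0 eq telnet' per non-admin subnet,
    then the slides' 'permit ip any any' so all other traffic still passes."""
    acl = [Ace("deny", "tcp", s, "0.0.0.255", ROUTER_IP, "0.0.0.0", TELNET)
           for s in SUBNETS if s != ADMIN_SUBNET]
    acl.append(Ace("permit", "ip", "any", "255.255.255.255", "any", "255.255.255.255"))
    return acl


def demo() -> dict:
    acl = build_acl_101()
    return {
        "student_telnet_to_router": evaluate(acl, "tcp", "10.1.5.10", ROUTER_IP, TELNET),
        "admin_telnet_to_router": evaluate(acl, "tcp", "10.1.1.50", ROUTER_IP, TELNET),
        "student_http_to_web_server": evaluate(acl, "tcp", "10.1.5.10", "10.1.1.3", 80),
        "student_telnet_to_tftp_server": evaluate(acl, "tcp", "10.1.5.10", "10.1.1.7", TELNET),
        # Without the final permit line the implicit deny would drop even DNS lookups.
        "dns_without_permit_line": evaluate(acl[:-1], "udp", "10.1.5.10", "10.1.1.1", 53),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last case shows why the slide's permit ip any any line matters: removing it leaves only the implicit deny, and ordinary traffic from the wings would stop.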
Conclusions
• Easy To Implement.
• Easy To Maintain.
• High security.
• A Lot Of Support For Expansion.
Any Questions?