Desert View High School


Desert View High School. Group Members: Killian McLoughlin, JP Sheridan, Kevin Traynor. Contents: Design Goals; WAN Design; LAN Design; Logical & Physical LAN Design; Equipment Details: MDF Equipment, IDF Equipment, Design Of Cabinet In Each Classroom, Classroom Hardware Configuration.

Transcript of Desert View High School

Page 1: Desert View High School

Desert View High School

Group Members:

• Killian McLoughlin

• JP Sheridan

• Kevin Traynor

Page 2: Desert View High School

Contents:

• Design Goals
• WAN Design
• LAN Design
  • Logical & Physical LAN Design
• Equipment Details:
  • MDF Equipment
  • IDF Equipment
  • Design Of Cabinet In Each Classroom
  • Classroom Hardware Configuration
  • Topology & Servers
  • Wiring
• Security
  • Why Use VLANs?
  • Benefits Of VLANs
  • VLAN Membership Policy Server
  • Security Hardware

Page 3: Desert View High School

Contents continued

• Layout Of Classrooms
• IP Addressing
  • IP Addressing Scheme
  • Sub-netting
• Router Configurations
  • ACL (blocks Telnet traffic to router from Lecturers & Students)
  • DHCP Configuration
• Conclusion

Page 4: Desert View High School

Design goals

• To create a LAN that will act as an arm of the Washington schools district WAN.
• This LAN should then prove functional for at least the next 7-10 years.
• Each classroom will support at least 25 workstations.
• Throughout the LAN, all workstations will be provided with an internet connection.

Page 5: Desert View High School

Design Goals cont.

• Cat5 will provide the required Ethernet speeds using 10Base-T, 100Base-T and 1000Base-Fx. (Cabling will comply with TIA/EIA-568-A and TIA/EIA-569 standards.)
• The initial requirement for any host PC on the LAN will be 1Mbit, whereas for network servers it will be 100Mbit.

Page 6: Desert View High School

Design Goals cont.

Desert View’s LAN will also have to cater for a minimum of the following:

• 10x growth in the District internet connection throughput.
• 2x growth in the core WAN throughput.
• (At least) 100x growth in the LAN’s own throughput.

Page 7: Desert View High School

WAN Design

The Washington WAN consists of three district centers. These are:

• The ‘Shaw Butte’ elementary school.
• The District’s Data center.
• The Service center.

These centers are then connected using T1 lines through Cisco routers.

(‘Desert View’ connects to the core WAN through ‘Shaw Butte’.)

Page 8: Desert View High School

WAN Design

The Washington School District Wide Area Network (WAN) will:

• Connect all school and administrative offices with the district office for the purpose of delivering data.
• Be based on a two-layer hierarchical model.

Three (3) regional Hubs will be established at the District Office/Data Center, Service Center and Shaw Butte Elementary School for the purpose of forming a fast WAN core network.

School locations will be connected into the WAN core Hub locations based on proximity to the Hub.

Page 9: Desert View High School

WAN Design

• TCP/IP and Novell IPX are the only networking protocols acceptable to traverse the district WAN.
• All other protocols will be filtered at the individual school sites using access routers.
• High-end, powerful routers will also be installed at each WAN core location.
• Access to the Internet or any other outside network connections will be provided through the District Office/Data Center through a Frame Relay WAN link.
• For security purposes, no other connections will be permitted.

Page 10: Desert View High School

WAN Core

[Diagram: WAN core, links labelled "T1 Line"]

Page 11: Desert View High School

LAN Design

• Logical Design Of The LAN
• Physical Design Of The LAN

Page 12: Desert View High School

Logical Design Of LAN

Page 13: Desert View High School

Physical Design

Page 14: Desert View High School

Physical Design cont.

Page 15: Desert View High School

Physical Design cont.

Page 16: Desert View High School

Equipment Details

Desert View High School

Page 17: Desert View High School

MDF Equipment: Design Of MDF

33U 23in Wiring Closet #1

• Patch Panel 48 RJ-45 ports 23in 2U
• Patch Panel 12 MIC ports 23in 1U for fibre optic cables
• Catalyst 3548 XL Enterprise Edition
• PIX 515 DC Powered firewall
• Cisco 3600 4-slot Modular Router-DC with IP Software

Page 18: Desert View High School

MDF Equipment

The Cisco 3600 Series is a family of modular, multi-service access platforms for medium and large-sized offices and smaller Internet Service Providers.

With over 90 modular interface options, the Cisco 3600 family provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing.

The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution.

In Cisco 3600 series routers, the 2-port serial WAN interface card supports both asynchronous (up to 115.2 kbps) and synchronous (up to 2.048 Mbps) data rates.

Cisco 3600 Router

Page 19: Desert View High School

Cisco Catalyst 3548XL Enterprise Edition

• Stackable 10/100 and Gigabit Ethernet switch.
• Delivers premium performance, manageability, and flexibility with unparalleled investment protection.
• 48 10/100 ports and two GBIC-based Gigabit Ethernet ports.
• This switch offers advanced software features, including complete 802.1Q and ISL VLAN support, TACACS+ security, and fault tolerance through Uplink Fast.

MDF & IDF Equipment

Page 20: Desert View High School

IDF Equipment: Design Of IDF

33U 19in Wiring Closet #1

• Patch Panel 48 RJ-45 ports 23in 2U
• Patch Panel 12 MIC ports 23in 1U for fibre optic cables
• Catalyst 3548 XL Enterprise Edition

Page 21: Desert View High School

Design Of Cabinet In Each Classroom

18U 19in Wiring Closet #1

• Patch Panel 48 RJ-45 ports 19in 2U
• 3 x 12 port 10/100 Switches (Standard Edition)

Page 22: Desert View High School

Classroom Hardware Configuration

Each classroom has 4 RJ-45 points:

• Lecturers’ workstations are connected to 1 of the points (CAT 5 UTP) and patched directly to an enterprise switch in the nearest IDF.
• A Cisco 12 port 10/100 Standard Switch is connected to each of the remaining points. Each standard switch is patched directly back to an enterprise switch in the nearest IDF (CAT 5 UTP).
• 8 student PCs are connected to each standard switch.
• A networked printer is also connected to one of the standard switches in each classroom.
• A File & Print server handles the print queues for the entire high school.

Page 23: Desert View High School

Why Use Switches & Not Hubs In Classrooms?

Hubs

• A hub is an Ethernet (10BaseT or 100BaseT UTP/STP) repeater.
• In a typical 12-port hub, any data it receives on one port will be re-transmitted on all of the other seven ports. The intended destination could be on any of those ports. It's simple to understand.
• Not very efficient, as there is no traffic control: if two PCs try to transmit at the same time, a 'collision' occurs and the data has to be re-transmitted.
• Even though an Ethernet card might be 'full duplex', it may not be able to actually transmit and receive simultaneously.
• A PC will have no interest in data which another PC is sending (for example) to a printer elsewhere on the network, so clogging up its Ethernet interface is wasteful.

Classroom Hardware Config.

Page 24: Desert View High School

Why Use Switches & Not Hubs In Classrooms cont.

Switches

• A switch transmits data from one specific port to another, rather than re-broadcasting data to all other ports.
• A switch is intelligent and will learn which device is on which port (MAC address).
• A switch knows which port received data needs to be sent to.
• This makes the network much more efficient and allows more devices to communicate with each other simultaneously.

Classroom Hardware Config.

Page 25: Desert View High School

Topology & Servers

This network is structured on an extended star topology.

External Servers On WAN Core

• Administrative (MAIN) Server
• DNS Server

Servers On Desert View LAN

• Administrative Server
• Email Server
• File & Print Server
• TFTP & RAS Server
• School Web Server
• Proxy Server
• Application Server
• Library Server
• DNS Host Server & DHCP Server

Servers are located in the same room as the MDF and are connected directly to the enterprise switch in the MDF.

CAT 5 UTP

Page 26: Desert View High School

Wiring

• All Enterprise Switches are interconnected through trunking ports using fiber optic cabling.
• All cabling is run through the existing cable runs, where possible.
• All workstations are connected to network points on walls and on the floors (Lecturer workstations) with CAT 5 UTP cabling.
• All network points in classrooms are patched through to switches in each classroom with CAT 5 UTP cabling.
• The switches in each classroom are patched back to an enterprise switch in the nearest IDF.

Page 27: Desert View High School

SECURITY

• VLANs
  • Why Use VLANs
  • Benefits Of VLANs
  • VLAN Membership Policy Server
• Security Hardware
  • PIX Firewall

Page 28: Desert View High School

VLANs: Why Use VLANs?

VLANs provide the following benefits:

• Reduced administration costs from solving problems associated with moves, adds, and changes.
• Workgroup and network security.
• Controlled broadcast activity.
• Leveraging of existing hub investments.
• Centralized administration control.

Page 29: Desert View High School

VLANs

We have decided to implement 4 VLANs on the Desert View LAN as follows:

• VLAN 1 = Administration.
• VLAN 2 = Lecturers.
• VLAN 3 = Students.
• VLAN 4 = IP Telephony.

Page 30: Desert View High School

VLAN Membership Policy Server

We have decided to implement dynamic VLANs for improved security using Cisco VMPS.

• With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port.
• When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
• When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled.
• VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests.
• When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

Page 31: Desert View High School

VMPS cont.

• The VMPS server holds a database of devices’ MAC addresses and the VLAN that those devices are members of.
• These addresses must be entered into the database manually.
• A device will be on the same VLAN no matter what port it is connected to on the LAN.

Page 32: Desert View High School

VMPS cont.

• The MAC addresses of all lecturers’ laptops and all administration workstations will be entered into this database.
• A lecturer can then plug his/her laptop into any port on the LAN and still be a member of the appropriate VLAN.
• This approach offers a higher level of security, preventing students’ PCs from becoming members of the lecturers’ or administration staff’s VLANs, should a student decide to connect his/her workstation to the lecturer’s wall point or any other switch port on the LAN that is a member of the non-student VLAN.

Page 33: Desert View High School

VMPS cont.

• We have also decided to use VMPS for the IP telephony VLAN.
• This will allow IP telephones to be connected to any available port on any switch on the LAN and still be a member of the appropriate VLAN.
• Having a VLAN exclusively for IP telephony will not reduce bandwidth for PCs.
• Having a VLAN exclusively for IP telephony will ensure maximum quality of signal for phones.

Page 34: Desert View High School

Security Hardware: PIX 515 DC powered firewall

• Cisco’s PIX firewall series delivers strong security and is easy to install, at a competitive price.
• PIX firewalls provide the latest in security technology, ranging from:
  • inspection firewalling
  • contrast firewalling capabilities
  • integrated intrusion detection to help secure a network environment from next generation attacks.

Page 35: Desert View High School

Typical Classroom Layout

[Diagram labels: Banks of 8 PCs; Wall points; Network printer; Lecturer’s PC/Cat5 point; Comms cabinet; Desks etc.]

Page 36: Desert View High School

IP Addressing Scheme

• Washington School District WAN uses a class A IP addressing scheme.
• Desert View High School has been allocated the address 10.1.x.x.
• This leaves us with 2 octets to subnet from and approximately a possible 64,000 host addresses.

Page 37: Desert View High School

IP Addressing Scheme cont.

• Every wing is on its own subnet, with the exception of wing 1, which is split into 2 subnets because of the number of hosts it requires.
• This results in room for future expansion.
• We have decided to give administration its own subnet. Through the use of ACLs this will allow us to distinguish between traffic from Teacher/Student workstations and administration workstations.
• All networking equipment and all administration workstations are on the administration’s subnet.
• This subnet is 10.1.1.X.

Page 38: Desert View High School

Addresses

Static IP Addresses On Administration Subnet

• 10.1.1.1 = DNS/DHCP Server.
• 10.1.1.2 = Router.
• 10.1.1.3 = WWW Server.
• 10.1.1.4 = Library Server.
• 10.1.1.5 = Application Server.
• 10.1.1.6 = File & Print Server.
• 10.1.1.7 = TFTP & RAS Server.
• 10.1.1.8 = Mail Server.
• 10.1.1.9 – 10.1.1.19 = Enterprise Switches.
• 10.1.1.20 – 10.1.1.155 = Regular Switches In Classrooms.

Page 39: Desert View High School

Subnet Breakdown

[Diagram labels: 10.1.2.X; 10.1.3.X; 10.1.4.X; 10.1.1.X (Admin); 10.1.5.X; 10.1.7.X; 10.3.6.X]

Page 40: Desert View High School

Subnet Breakdown cont.

[Diagram labels: 10.1.10.X; 10.1.11.X; 10.1.12.X; 10.1.9.X; 10.1.8.X]

Page 41: Desert View High School

Routing Protocols

We have decided to use Interior Gateway Routing Protocol (IGRP) as the network routing protocol.

Some of the advantages are:

• Scalability.
• Fast response to network changes.
• Uses a sophisticated composite metric that provides significant route selection flexibility.
• Can maintain up to four unequal paths between a network source and destination.
• Multiple paths can be used to increase available bandwidth or for route redundancy.

Page 42: Desert View High School

Router Configuration

DHCP

• Before configuring DHCP on the router, subnets must be decided on and all static addresses must be noted so that they can be excluded from the DHCP pool.
• An FTP or TFTP server must be configured to be a DHCP server which will hold the DHCP database.
• In this case we're using the DNS server as a dual function server to save cost and space.

Page 43: Desert View High School

Router Configuration: Sample DHCP configuration

! how long to wait for a reply
Desert_view(config)# ip dhcp database tftp://administrator:[email protected]/router-dhcp timeout 80
! how often the database is updated
Desert_view(config)# ip dhcp database tftp://administrator:[email protected]/router-dhcp write-delay 80
! network printer: excludes this printer address from the DHCP pool
Desert_view(config)# ip dhcp excluded-address 10.1.2.4
Desert_view(config)# ip dhcp pool Wing_five_east
! wing 5 subnet
Desert_view(dhcp-config)# network 10.1.5.0 255.255.255.0
Desert_view(dhcp-config)# domain-name desert_view
Desert_view(dhcp-config)# dns-server 10.1.1.1
Desert_view(dhcp-config)# default-router 10.1.1.2
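A consistency check of the addressing plan and the sample DHCP pool, as an added example that is not part of the original presentation. It assumes every "X" network on the subnet slides is a /24 (the pool's 255.255.255.0 mask), enters 10.3.6.X exactly as the slide shows it, and uses its own finding names.

```python
import ipaddress

# Values copied from the slides.
ALLOCATION = ipaddress.ip_network("10.1.0.0/16")   # "10.1.x.x"
ADMIN = ipaddress.ip_network("10.1.1.0/24")        # "10.1.1.X"

# Subnet breakdown slides, read as /24 networks (assumption).
SUBNETS = [ipaddress.ip_network(p + ".0/24") for p in (
    "10.1.1", "10.1.2", "10.1.3", "10.1.4", "10.1.5", "10.1.7", "10.3.6",
    "10.1.8", "10.1.9", "10.1.10", "10.1.11", "10.1.12")]

# Static addresses on the administration subnet (range ends included).
STATIC = {
    "DNS/DHCP server": "10.1.1.1", "Router": "10.1.1.2",
    "WWW server": "10.1.1.3", "Library server": "10.1.1.4",
    "Application server": "10.1.1.5", "File & Print server": "10.1.1.6",
    "TFTP & RAS server": "10.1.1.7", "Mail server": "10.1.1.8",
    "Enterprise switches (first)": "10.1.1.9",
    "Enterprise switches (last)": "10.1.1.19",
    "Classroom switches (first)": "10.1.1.20",
    "Classroom switches (last)": "10.1.1.155",
}

# The sample pool from the DHCP slide.
POOL = {
    "name": "Wing_five_east",
    "network": "10.1.5.0/24",
    "dns_server": "10.1.1.1",
    "default_router": "10.1.1.2",
    "excluded": ["10.1.2.4"],
}


def audit_plan(allocation, subnets, admin, static):
    """Return (finding, detail) tuples for the addressing plan."""
    findings = []
    for net in subnets:
        if not net.subnet_of(allocation):
            findings.append(("subnet-outside-allocation", str(net)))
    for i, first in enumerate(subnets):
        for second in subnets[i + 1:]:
            if first.overlaps(second):
                findings.append(("subnet-overlap", f"{first} {second}"))
    for name, addr in static.items():
        if ipaddress.ip_address(addr) not in admin:
            findings.append(("static-outside-admin", name))
    return findings


def audit_pool(pool, subnets):
    """Return (finding, detail) tuples for one DHCP pool definition."""
    findings = []
    net = ipaddress.ip_network(pool["network"])
    if net not in subnets:
        findings.append(("pool-not-in-plan", str(net)))
    gateway = ipaddress.ip_address(pool["default_router"])
    # A DHCP client can only use a gateway that is on its own subnet.
    if gateway not in net:
        findings.append(("gateway-off-subnet", f"{gateway} not in {net}"))
    # An exclusion only matters for the pool that contains the address.
    for addr in pool["excluded"]:
        if ipaddress.ip_address(addr) not in net:
            findings.append(("exclusion-outside-pool", addr))
    return findings


if __name__ == "__main__":
    for finding in audit_plan(ALLOCATION, SUBNETS, ADMIN, STATIC):
        print("plan:", finding)
    for finding in audit_pool(POOL, SUBNETS):
        print("pool:", finding)
```

The check reports 10.3.6.0/24 as outside the 10.1.x.x allocation, the pool's default router 10.1.1.2 as not on the 10.1.5.0/24 client subnet, and the 10.1.2.4 exclusion as belonging to a different subnet than the pool shown.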

Page 44: Desert View High School

ACLs

This access control list prevents telnet traffic to the router.

Router> enable
Router# config t
Router(config)# hostname Desert_view
Desert_view(config)# enable secret *****
Desert_view(config)# access-list 101 deny tcp “Subnet’s IP address” 0.0.0.255 10.1.1.2 0.0.0.0 eq telnet
Desert_view(config)# access-list 101 permit ip any any
Desert_view(config)# int e0
Desert_view(config-if)# ip access-group 101 in

All subnets except for the administration’s subnet would be implemented into this ACL.

10.1.1.2 is the router’s IP address.
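How ACL 101 evaluates once it is expanded to one deny entry per non-administration subnet, as an added example that is not part of the original presentation. The subnet list is read from the subnet breakdown slides as /24s, the sample packets are constructed, and 10.1.5.1 is a hypothetical second address on the router used only to show what the deny entries do not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TELNET = 23
ROUTER = "10.1.1.2"          # router address from the slide
ANY = ("0.0.0.0", "255.255.255.255")

# Every subnet except administration (10.1.1.X), as listed on the slides.
NON_ADMIN_SUBNETS = ["10.1.2.0", "10.1.3.0", "10.1.4.0", "10.1.5.0",
                     "10.1.7.0", "10.3.6.0", "10.1.8.0", "10.1.9.0",
                     "10.1.10.0", "10.1.11.0", "10.1.12.0"]


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", or "ip" to match any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None


def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def build_acl_101(subnets):
    """One telnet deny per subnet, then the closing permit ip any any."""
    acl = [Ace("deny", "tcp", net, "0.0.0.255", ROUTER, "0.0.0.0", TELNET)
           for net in subnets]
    acl.append(Ace("permit", "ip", *ANY, *ANY))
    return acl


def evaluate(acl, proto, src, dst, dst_port=None):
    """First matching entry wins; no match means the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wild_match(src, ace.src, ace.src_wild):
            continue
        if not wild_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, index
    return "deny", None


def telnet_still_permitted(acl, src, router_addresses):
    """Router addresses that src can still reach on TCP/23 through the ACL."""
    return [addr for addr in router_addresses
            if evaluate(acl, "tcp", src, addr, TELNET)[0] == "permit"]


if __name__ == "__main__":
    acl = build_acl_101(NON_ADMIN_SUBNETS)
    # Constructed sample packets: (proto, source, destination, port).
    samples = [("tcp", "10.1.5.20", "10.1.1.2", 23),   # student wing
               ("tcp", "10.1.1.50", "10.1.1.2", 23),   # administration
               ("tcp", "10.1.5.20", "10.1.1.3", 80)]   # web server
    for packet in samples:
        print(packet, "->", evaluate(acl, *packet))
    # 10.1.5.1 is hypothetical: the deny entries name 10.1.1.2 only.
    print(telnet_still_permitted(acl, "10.1.5.20", [ROUTER, "10.1.5.1"]))
```

Because each deny entry names 10.1.1.2 as its only destination, every other address configured on the router needs its own entry. A source-based filter bound to the vty lines with `access-class` applies whichever router address the session targets.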


Router Configuration

Page 45: Desert View High School

Conclusions

• Easy To Implement.
• Easy To Maintain.
• High security.
• A Lot Of Support For Expansion.

Page 46: Desert View High School

ANY QUESTIONS?