Cisco Network Proposal Part 3 for CMIT 350

User Generated

xnzrfunz

Writing

CMIT350

Description

Attempted to "draft" my Network Proposal Paper. The most I did was the outline (bare). "Ref1" and "Ref2" are papers of other students that may be used as references. The "template" is the instructor's template on how the paper should be. Looking for some assistance.

Unformatted Attachment Preview

Cisco Network Proposal Part 3
Kamesha L. McCarthy
CMIT 350 - Interconnecting Cisco Devices
Professor John Galliano
10 December 2018

Table of Contents

I. Sacramento Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
II. Los Angeles Site – Challenges and Implementations
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
III. xACME WAN – Challenges and Implementations
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
IV. Bibliography

I. Sacramento Site – Challenges and Implementation
A. Site Details and Challenges
B. Site Solution and Technologies
C. Sample Configuration
D. Supporting Tables and/or Diagrams

II. Los Angeles Site – Challenges and Implementation
A. Site Details and Challenges
B. Site Solution and Technologies
C. Sample Configuration
D. Supporting Tables and/or Diagrams

III. xACME WAN – Challenges and Implementation
A. Site Details and Challenges
B. Site Solution and Technologies
C. Sample Configuration
D. Supporting Tables and/or Diagrams

References

[1] "Cisco IP Addressing and Subnetting for New Users," cisco.com, August 10, 2016. [Online]. Available: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html. [Accessed: 27-Nov-2018].
[2] Cisco, "Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches," Cisco Support, 2006. [Online]. Available: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html. [Accessed: 24-Nov-2018].
[3] M. Rouse, "What is Route Summarization (Route Aggregation)?," searchnetworking.com, June 2008. [Online]. Available: http://searchnetworking.techtarget.com/definition/route-summarization. [Accessed: 25-Nov-2018].
[4] "TestOut LabSim," cdn.testout.com, 2017. [Online]. Available: https://cdn.testout.com/client-v5-1-10-542/startlabsim.html. [Accessed: 25-Nov-2018].
[5] A. Shekhar, "What Is Mesh Topology? Advantages and Disadvantages of Mesh Topology," Fossbytes, 2016. [Online]. Available: https://fossbytes.com/what-is-mesh-topology-advantages-and-disadvantages-of-mesh-topology/. [Accessed: 24-Nov-2018].
[6] I. Price-Evans, "What is Open Shortest Path First (OSPF)?," Metaswitch. [Online]. Available: https://www.metaswitch.com/knowledge-center/reference/what-is-open-shortest-path-first-ospf. [Accessed: 25-Nov-2018].


Running Head: CISCO NETWORK PROPOSAL PART 3

Cisco Network Proposal Part 3
CMIT 350 Interconnecting Cisco Devices
16 December 2017

Table of Contents

I. Sacramento Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. VLANs
      b. ROS
      c. DHCP
   C. Supporting Diagrams and Configurations
II. Los Angeles Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. Remote IOS Storage
      b. Remote Management of Switches
      c. ACL Implementation
      d. Network Time Protocol
III. xACME Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. Wide Area Network (WAN) Implementation
      b. Topology
References

I. Sacramento Site Challenges and Implementation

A. Site Details and Challenges

As a network administrator for the xAcme Technology Trade School, I have been asked to implement a Virtual Local Area Network (VLAN) database on the site switches, configure a Routing on a Stick (ROS) topology, and use Dynamic Host Configuration Protocol (DHCP) to manage IP addresses. Per the Sacramento site topology diagram, the network's address range starts at 10.50.0.0 /16. The Sacramento site consists of the following devices [1]:

- (1) Cisco 2800 Series router
- (3) Cisco Catalyst 6500 Series switches
- (4) VLANs
  - (1) Faculty VLAN with 5 connected devices used by faculty for all office locations
  - (1) Administrative VLAN with 14 connected devices used by staff for business administrative communications
  - (1) Academic (Instructional) VLAN with 34 connected devices used by faculty and students for classroom labs and instructional communications
  - (1) Server VLAN with 7 connected devices used by IT staff for all technology/management communications

The topology for the Sacramento site is pictured below [1]:

[Sacramento site topology diagram]

B. Site Solution(s) and Technologies

As mentioned earlier, a VLAN database will need to be implemented on the switches at the Sacramento site. A ROS topology and DHCP will also need to be implemented [1]. All sample configurations for the Sacramento site are shown in section C.

a. VLANs

The first step in configuring the switches is to implement VLANs on them. Creating VLANs within switches has several benefits over using additional routers within a network. One benefit of creating VLANs on switches instead of adding routers is that switches are easier to administer and maintain than routers. Another is that switches have lower latency, which offers higher performance than routers [2].

The switchport mode determines how a port handles the traffic it receives and where it forwards that traffic. The two basic types of switchports are access ports and trunk ports. An access port belongs to a single VLAN and carries traffic for that VLAN only. A trunk port can have more than one VLAN configured and can carry traffic for several VLANs at the same time [3].

Switchport security is used to protect the network from unauthorized access. A switchport can be secured in one of two ways: by limiting the number of devices (MAC addresses) that may connect through a given port, or by restricting which specific MAC addresses may connect through it. Port security can only be enabled on access ports. Port security cannot protect against MAC address spoofing. Also, if no MAC address is manually configured for port security, the switch will learn and allow the first MAC addresses it sees on the port, up to the configured maximum [2].

b. ROS

The Sacramento site will use a Routing on a Stick (ROS) topology. This is used to ensure that all VLANs on the site's switches can communicate with one another through a single router interface. The switch labeled SacramentoSw2 will carry the trunk link between the Sacramento router and the rest of the devices on the network.

c. DHCP

Dynamic Host Configuration Protocol (DHCP) automatically assigns and manages IP addresses from a pool of addresses on the network. This pool, called the address pool, is the range of addresses that can be assigned to requesting hosts [2]. DHCP will only assign IP addresses within the address pool, but it can also be configured to exclude specific IP addresses within that pool [2].

C. Supporting Diagrams and Configurations

The following chart lists the VLAN ID, default gateway, IP range (address pool), subnet mask, addresses excluded from the address pool, and ports used on each switch for the Sacramento site:

| VLAN | VLAN Interface | Default Gateway | IP Range | Subnet Mask | Excluded Addresses | Ports Used |
|---|---|---|---|---|---|---|
| Faculty (5 devices) | int vlan 1 | 10.50.0.0 | 10.50.0.1 – 10.50.0.52 | 255.255.255.192 | 10.50.0.53 – 10.50.0.62 | gi0/3 - 7 |
| Administrative (14 devices) | int vlan 2 | 10.50.0.64 | 10.50.0.65 – 10.50.0.116 | 255.255.255.192 | 10.50.0.117 – 10.50.0.126 | gi0/8 - 21 |
| Instructional (34 devices) | int vlan 3 | 10.50.0.128 | 10.50.0.129 – 10.50.0.180 | 255.255.255.192 | 10.50.0.181 – 10.50.0.190 | gi0/22 - 55 |
| Server (7 devices) | int vlan 4 | 10.50.0.192 | 10.50.0.193 – 10.50.0.245 | 255.255.255.192 | 10.50.0.245 – 10.50.0.254 | gi0/56 - 62 |

Below are the steps to create the VLANs and assign their ports on the switches [2]. The paper's four separate sessions are shown here as one; end returns to privileged EXEC mode (the keystroke the paper wrote as "CRTL+Z"). Note that VLAN 1 is the default VLAN and IOS does not allow it to be renamed, which is why the third paper below numbers its VLANs 2 to 5:

    SacramentoSw2>enable
    SacramentoSw2#configure terminal
    SacramentoSw2(config)#vlan 1
    SacramentoSw2(config-vlan)#name Faculty
    SacramentoSw2(config-vlan)#interface range gi0/3 - 7
    SacramentoSw2(config-if-range)#switchport access vlan 1
    SacramentoSw2(config-if-range)#vlan 2
    SacramentoSw2(config-vlan)#name Administrative
    SacramentoSw2(config-vlan)#interface range gi0/8 - 21
    SacramentoSw2(config-if-range)#switchport access vlan 2
    SacramentoSw2(config-if-range)#vlan 3
    SacramentoSw2(config-vlan)#name Instructional
    SacramentoSw2(config-vlan)#interface range gi0/22 - 55
    SacramentoSw2(config-if-range)#switchport access vlan 3
    SacramentoSw2(config-if-range)#vlan 4
    SacramentoSw2(config-vlan)#name Server
    SacramentoSw2(config-vlan)#interface range gi0/56 - 62
    SacramentoSw2(config-if-range)#switchport access vlan 4
    SacramentoSw2(config-if-range)#end
    SacramentoSw2#copy running-config startup-config

Below are the steps to configure access mode and port security on the VLAN ports [2]. Each range allows at most two MAC addresses, learns them dynamically as sticky entries, and shuts the port down on a violation:

    SacramentoSw2>enable
    SacramentoSw2#configure terminal
    SacramentoSw2(config)#interface range gi0/3 - 7
    SacramentoSw2(config-if-range)#switchport mode access
    SacramentoSw2(config-if-range)#switchport port-security
    SacramentoSw2(config-if-range)#switchport port-security maximum 2
    SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
    SacramentoSw2(config-if-range)#switchport port-security violation shutdown
    SacramentoSw2(config-if-range)#interface range gi0/8 - 21
    SacramentoSw2(config-if-range)#switchport mode access
    SacramentoSw2(config-if-range)#switchport port-security
    SacramentoSw2(config-if-range)#switchport port-security maximum 2
    SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
    SacramentoSw2(config-if-range)#switchport port-security violation shutdown
    SacramentoSw2(config-if-range)#interface range gi0/22 - 55
    SacramentoSw2(config-if-range)#switchport mode access
    SacramentoSw2(config-if-range)#switchport port-security
    SacramentoSw2(config-if-range)#switchport port-security maximum 2
    SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
    SacramentoSw2(config-if-range)#switchport port-security violation shutdown
    SacramentoSw2(config-if-range)#interface range gi0/56 - 62
    SacramentoSw2(config-if-range)#switchport mode access
    SacramentoSw2(config-if-range)#switchport port-security
    SacramentoSw2(config-if-range)#switchport port-security maximum 2
    SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
    SacramentoSw2(config-if-range)#switchport port-security violation shutdown
    SacramentoSw2(config-if-range)#end
    SacramentoSw2#copy running-config startup-config

Below are the steps to configure Routing on a Stick (ROS) [2]. Each 802.1Q subinterface is given the first usable address of its VLAN's /26 as that VLAN's default gateway (the subnet address itself, which the chart above lists as the gateway, cannot be assigned to an interface), and the physical interface is brought up:

    SacramentoRouter>enable
    SacramentoRouter#configure terminal
    SacramentoRouter(config)#interface gi0/0
    SacramentoRouter(config-if)#no shutdown
    SacramentoRouter(config-if)#interface gi0/0.1
    SacramentoRouter(config-subif)#encapsulation dot1Q 1
    SacramentoRouter(config-subif)#ip address 10.50.0.1 255.255.255.192
    SacramentoRouter(config-subif)#interface gi0/0.2
    SacramentoRouter(config-subif)#encapsulation dot1Q 2
    SacramentoRouter(config-subif)#ip address 10.50.0.65 255.255.255.192
    SacramentoRouter(config-subif)#interface gi0/0.3
    SacramentoRouter(config-subif)#encapsulation dot1Q 3
    SacramentoRouter(config-subif)#ip address 10.50.0.129 255.255.255.192
    SacramentoRouter(config-subif)#interface gi0/0.4
    SacramentoRouter(config-subif)#encapsulation dot1Q 4
    SacramentoRouter(config-subif)#ip address 10.50.0.193 255.255.255.192
    SacramentoRouter(config-subif)#end
    SacramentoRouter#copy running-config startup-config

Below are the steps to configure Dynamic Host Configuration Protocol (DHCP) [2]. Pool names cannot contain spaces, so the paper's "vlan 1" is written VLAN1, and each pool is given the default router its clients should use:

    SacramentoRouter>enable
    SacramentoRouter#configure terminal
    SacramentoRouter(config)#service dhcp
    SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.53 10.50.0.62
    SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.117 10.50.0.126
    SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.181 10.50.0.190
    SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.245 10.50.0.254
    SacramentoRouter(config)#ip dhcp pool VLAN1
    SacramentoRouter(dhcp-config)#network 10.50.0.0 255.255.255.192
    SacramentoRouter(dhcp-config)#default-router 10.50.0.1
    SacramentoRouter(dhcp-config)#ip dhcp pool VLAN2
    SacramentoRouter(dhcp-config)#network 10.50.0.64 255.255.255.192
    SacramentoRouter(dhcp-config)#default-router 10.50.0.65
    SacramentoRouter(dhcp-config)#ip dhcp pool VLAN3
    SacramentoRouter(dhcp-config)#network 10.50.0.128 255.255.255.192
    SacramentoRouter(dhcp-config)#default-router 10.50.0.129
    SacramentoRouter(dhcp-config)#ip dhcp pool VLAN4
    SacramentoRouter(dhcp-config)#network 10.50.0.192 255.255.255.192
    SacramentoRouter(dhcp-config)#default-router 10.50.0.193
    SacramentoRouter(dhcp-config)#end
    SacramentoRouter#copy running-config startup-config

II. Los Angeles Site Challenges and Implementation

A. Site Details and Challenges

I have been asked to implement Remote IOS Storage, remote management of the site's switches, Access Control List (ACL) implementation, and a Network Time Protocol (NTP) solution. The Los Angeles site consists of the following devices [1]:

- (1) TFTP/SFTP/NTP server
- (1) Cisco 2800 Series router
- (3) Cisco Catalyst 6500 Series switches
- (4) VLANs
  - (1) Faculty VLAN with 21 connected devices used by faculty for all office locations
  - (1) Administrative VLAN with 44 connected devices used by staff for business administrative communications
  - (1) Academic (Instructional) VLAN with 120 connected devices used by faculty and students for classroom labs and instructional communications
  - (1) Server VLAN with 21 connected devices used by IT staff for all technology/management communications

The topology for the Los Angeles site is pictured below [1]:

[Los Angeles site topology diagram]

B. Site Solution(s) and Technologies

Several items need to be addressed at the Los Angeles site: remote storage of the device configurations, enabling remote management of the switches at the site, determining and implementing an Access Control List (ACL) for the site, and configuring Network Time Protocol (NTP) for the site's devices.

a. Remote IOS Storage

In the unfortunate event of a hardware failure at the Los Angeles site, device configurations must be stored remotely on another device.
The Trivial File Transfer Protocol (TFTP) server that is on site will be used as the remote storage device [4]. Below are the steps to configure Remote IOS Storage [2]. The router is told to load its IOS image from the TFTP server first and to fall back to the ROM image if that fails; RemoteStorage stands for the image filename on the server, and 0x2102 is the normal configuration-register value under which the router honours its boot system commands:

    LosAngelesRouter>enable
    LosAngelesRouter#configure terminal
    LosAngelesRouter(config)#no boot system
    LosAngelesRouter(config)#boot system tftp RemoteStorage 10.40.6.10
    LosAngelesRouter(config)#boot system rom
    LosAngelesRouter(config)#config-register 0x2102
    LosAngelesRouter(config)#exit
    LosAngelesRouter#copy running-config startup-config

Note that the boot system commands cover the IOS image only; a copy of the running configuration is sent to the same server separately with copy running-config tftp:, and a router that boots from TFTP depends on that server being reachable at boot time.

b. Remote Management of Switches

The Los Angeles site network administrators will need remote access to the switches. This gives them the ability to change switch configurations without physically connecting to the device. This remote management must be secure, so that only the network administrators can access the switch configuration. Secure Shell (SSH) provides encrypted remote connectivity to the device [1].

Below are the steps to configure remote access [2], shown for LosAngelesSw1; LosAngelesSw2 and LosAngelesSw3 are configured the same way with their own credentials (the paper uses the passwords lacisco2 and lacisco3 respectively). The credential is stored with secret rather than password so that it is hashed in the configuration, the RSA key is generated with an explicit 2048-bit modulus, and only SSH version 2 is accepted. login local on the vty lines authenticates against the local username; the paper's aaa new-model line is omitted because it switches line authentication to AAA method lists, which the paper does not configure:

    LosAngelesSw1>enable
    LosAngelesSw1#configure terminal
    LosAngelesSw1(config)#ip domain-name xAcme.com
    LosAngelesSw1(config)#crypto key generate rsa modulus 2048
    LosAngelesSw1(config)#ip ssh version 2
    LosAngelesSw1(config)#username netadmin secret lacisco1
    LosAngelesSw1(config)#line vty 0 15
    LosAngelesSw1(config-line)#transport input ssh
    LosAngelesSw1(config-line)#login local
    LosAngelesSw1(config-line)#end
    LosAngelesSw1#copy running-config startup-config

The switch also needs a management IP address (on an interface vlan) and a default gateway before administrators on another subnet can reach it; the paper does not show that part.

c. ACL Implementation

Access Control Lists (ACLs) are used to determine whether traffic is allowed to pass through the network. ACLs can be used to restrict access to network resources or devices [2]. The network administrators will need to implement an ACL on the site's router.
Below are the steps to configure an ACL on the Los Angeles site router. Because the ACL is applied to the vty lines with access-class, it controls who may open a remote management session to the router rather than filtering transit traffic. The paper's wildcard mask 0.0.0.254 would match only odd host addresses; 0.0.0.255 matches the whole 10.40.6.0/24 subnet:

    LosAngelesRouter>enable
    LosAngelesRouter#configure terminal
    LosAngelesRouter(config)#access-list 1 permit 10.40.6.0 0.0.0.255
    LosAngelesRouter(config)#access-list 1 deny any
    LosAngelesRouter(config)#line vty 0 15
    LosAngelesRouter(config-line)#access-class 1 in
    LosAngelesRouter(config-line)#end
    LosAngelesRouter#copy running-config startup-config

d. Network Time Protocol (NTP)

The Network Time Protocol (NTP) is used to maintain accurate and consistent time across the network, which ensures that logged events on different devices can be correlated [2]. Below are the steps to configure NTP on the network [2]; the paper's feature ntp line is an NX-OS command and is not needed on an IOS router:

    LosAngelesRouter>enable
    LosAngelesRouter#configure terminal
    LosAngelesRouter(config)#ntp server 10.40.6.10
    LosAngelesRouter(config)#end
    LosAngelesRouter#copy running-config startup-config

III. xACME Site Challenges and Implementation

A. Site Details and Challenges

Two items need to be addressed for the xAcme network: Wide Area Network (WAN) implementation and topology. Currently, the xAcme WAN does not have authentication enabled. Also, the only two routers connected to the internet are the Boston and Los Angeles routers, so all other network traffic flows through these two routers. If one of them fails, a large portion of the network will lose access to the internet and to the rest of the networked devices. The topology for the entire xAcme network is pictured below [1]:

[xAcme network topology diagram]

B. Site Solution(s) and Technologies

The xAcme WAN requires authentication to be configured on the routers. Also, because all network traffic is handled by only the Los Angeles and Boston routers, additional lines will need to be leased at the Sacramento, Worchester, and Springfield sites to increase bandwidth across the network and provide redundancy.

a. WAN Implementation

Currently, the xAcme network is using High-Level Data Link Control (HDLC). This protocol does not provide authentication, which is a concern for xAcme. To solve the authentication issue, the Point-to-Point Protocol (PPP) with the Challenge Handshake Authentication Protocol (CHAP) will be used. Not only does this solve the authentication problem, it also allows communication with devices that are not Cisco devices, since Cisco's HDLC is proprietary.

Below are the steps to change the default HDLC encapsulation to PPP and configure CHAP authentication [2]. On each link the username configured on a router must be the hostname of its peer, and the password must be identical on both ends of the link; sharedpassword is the paper's placeholder value:

    LosAngelesRouter>enable
    LosAngelesRouter#configure terminal
    LosAngelesRouter(config)#username SacramentoRouter password sharedpassword
    LosAngelesRouter(config)#interface s0/0/0
    LosAngelesRouter(config-if)#encapsulation ppp
    LosAngelesRouter(config-if)#ppp authentication chap
    LosAngelesRouter(config-if)#end
    LosAngelesRouter#copy running-config startup-config

    SacramentoRouter>enable
    SacramentoRouter#configure terminal
    SacramentoRouter(config)#username LosAngelesRouter password sharedpassword
    SacramentoRouter(config)#interface s0/0/0
    SacramentoRouter(config-if)#encapsulation ppp
    SacramentoRouter(config-if)#ppp authentication chap
    SacramentoRouter(config-if)#end
    SacramentoRouter#copy running-config startup-config

    BostonRouter>enable
    BostonRouter#configure terminal
    BostonRouter(config)#username WorchesterRouter password sharedpassword
    BostonRouter(config)#interface s0/0/0
    BostonRouter(config-if)#encapsulation ppp
    BostonRouter(config-if)#ppp authentication chap
    BostonRouter(config-if)#end
    BostonRouter#copy running-config startup-config

    WorchesterRouter>enable
    WorchesterRouter#configure terminal
    WorchesterRouter(config)#username BostonRouter password sharedpassword
    WorchesterRouter(config)#interface s0/0/0
    WorchesterRouter(config-if)#encapsulation ppp
    WorchesterRouter(config-if)#ppp authentication chap
    WorchesterRouter(config-if)#end
    WorchesterRouter#copy running-config startup-config

    WorchesterRouter>enable
    WorchesterRouter#configure terminal
    WorchesterRouter(config)#username SpringfieldRouter password sharedpassword
    WorchesterRouter(config)#interface s0/0/1
    WorchesterRouter(config-if)#encapsulation ppp
    WorchesterRouter(config-if)#ppp authentication chap
    WorchesterRouter(config-if)#end
    WorchesterRouter#copy running-config startup-config

    SpringfieldRouter>enable
    SpringfieldRouter#configure terminal
    SpringfieldRouter(config)#username WorchesterRouter password sharedpassword
    SpringfieldRouter(config)#interface s0/0/1
    SpringfieldRouter(config-if)#encapsulation ppp
    SpringfieldRouter(config-if)#ppp authentication chap
    SpringfieldRouter(config-if)#end
    SpringfieldRouter#copy running-config startup-config

b. Topology

To address the xAcme WAN topology concerns, additional lines will need to be leased to connect the Sacramento, Worchester, and Springfield routers. These additional lines will provide increased bandwidth for the xAcme sites and network redundancy, and will create a more stable network by no longer sending 100% of the network traffic through the Los Angeles and Boston routers. Below is an updated network topology with the proposed additional leased lines (new leased lines are in red) [1]:

[Updated xAcme WAN topology diagram with the proposed leased lines]

References

[1] "Cisco Network Proposal (Parts 1-3)," learn.umuc.edu, 2017. [Online]. Available: https://learn.umuc.edu/d2l/le/content/254883/viewContent/9909900/View. [Accessed: 13-Dec-2017].
[2] "TestOut LabSim," cdn.testout.com, 2017. [Online]. Available: http://cdn.testout.com/client-v5-1-10469/startlabsim.html. [Accessed: 13-Dec-2017].
[3] "Cisco Nexus 5000 Series NX-OS Software Configuration Guide - Configuring Access and Trunk Interfaces [Cisco Nexus 5000 Series Switches]," Cisco, 2017. [Online]. Available: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html#75292. [Accessed: 14-Dec-2017].
[4] "What is TFTP? | Spiceworks," Spiceworks, 2017. [Online]. Available: https://www.spiceworks.com/it-articles/what-is-tftp/. [Accessed: 17-Dec-2017].


Cisco Network Proposal (Part III)
Prepared for: University of Maryland University College
CMIT 350 – Interconnecting Cisco Devices
Professor Max Hall
Prepared by: Jason R. Foltin
Dated: October 2, 2017

Table of Contents

I. Sacramento Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
II. Los Angeles Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
III. xACME WAN Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
IV. Bibliography

I. Sacramento Site – Challenge and Implementation

The Sacramento site of xACME is one of many remote locations where students, faculty, and staff must be able to perform their daily tasks and other responsibilities. To support this requirement, xACME has implemented network infrastructure technologies that increase overall efficiency in performing these tasks and provide interconnectivity between the remote xACME sites. The use of these new technologies, however, has not come without its challenges.
This Cisco Network Proposal ("Proposal") discusses the challenges identified by the local systems administrators at this site and offers solutions to these issues. In addition, this Proposal includes recommendations to remediate potential threat vectors and to increase the overall usability of the network. The goal of this Proposal is to promote the health and security of the Sacramento site's network while ensuring that all authorized users can perform their necessary tasks and responsibilities.

A. Site Details and Challenges

With specific reference to the Sacramento site, the following is a list of the pertinent network devices and other relevant site details:

• One (1) Cisco 2800 Series Integrated Services router with the following available interfaces:

  | 4 Fast Ethernet Interfaces (per router) | 2 Serial Interfaces (per router) |
  |---|---|
  | fa0/0, fa0/1, fa1/0 | s0/0/0, s0/0/1 |

• Three (3) Cisco Catalyst 6500 Series switches with the following available ports (96 Gigabit Ethernet ports per switch):

  Module 1 = gi0/1 - gi0/24
  Module 2 = gi1/1 - gi1/24
  Module 3 = gi2/1 - gi2/24
  Module 4 = gi3/1 - gi3/24

• Four (4) existing VLAN configurations, listed below according to their intended use:

  | VLAN Name | Members | Type of Communications | Number of Devices |
  |---|---|---|---|
  | Faculty | Faculty | Non-Academic | 5 |
  | Administrative | Staff | Business and Administrative | 14 |
  | Academic or Instructional | Students and Faculty | Classroom Labs and Instructional | 34 |
  | Server | IT Staff | Technology and Management | 7 |

In addition to this network infrastructure, the Sacramento site has been assigned the 10.50.0.0 /16 network address. Based on these site details, the local systems administrators have requested assistance implementing the required VLAN databases on the Sacramento site switches, with particular attention placed on the proper assignment and implementation of switchport modes for these devices.
These newly created switchports should use port security, be configured to allow only two MAC addresses per port, and shut the port down in the event of a violation. In addition, proper security protocols for any unused ports should be discussed.

The local systems administrators have also indicated that the Sacramento site will deploy a Router on a Stick (ROS) topology. As such, they have requested that this Proposal include a sample configuration for the Sacramento fa0/0 interface on the Cisco 2800 Series router to support the multiple VLANs and provide inter-VLAN routing. This configuration should use the following addressing conventions: (1) Faculty VLAN: 10.50.0.0 /26, (2) Administrative VLAN: 10.50.0.64 /26, (3) Instructional VLAN: 10.50.0.128 /26, and (4) Server VLAN: 10.50.0.192 /26. If necessary, a diagram depicting this topology should also be provided.

Further, the local systems administrators have requested that this Proposal include a solution, preferably DHCP, to manage the deployment of IP addresses at the Sacramento site. The selected solution should be discussed in detail, and this Proposal must include the necessary configuration details for each of the above-listed VLANs (Faculty, Administrative, Instructional, and Server). In particular, this configuration must (a) name the pool, (b) exclude the last 10 addresses of each subnet range, and (c) configure the gateway, subnet mask, and DNS address (the Sacramento fa0/0 address).

B. Site Solution and Technologies

To address the VLAN needs and requirements described above, this Proposal recommends a simple four-step process. The first step is to build the VLAN database for the Sacramento site, which should be created on SacramentoSw2. The second step is to determine the appropriate switchport mode. An Ethernet port can be configured either as an access port or as a trunk port. If a port is configured as an access port, it can only have one VLAN configured on the interface and can only carry traffic for that single VLAN [1]. If, however, a port is configured as a trunk port, it can have two or more VLANs configured on the interface and can carry traffic for several VLANs simultaneously [1]. Based on the Sacramento site's current topology, configuring the ports as access ports should be sufficient.

The third step is to enable and configure port security, which is disabled by default. In its most basic form, port security remembers the Ethernet MAC address connected to the switch port and allows only the permitted MAC addresses to communicate on that port [2]. If any other MAC address attempts to communicate through the port, the port security feature disables that port [2]. Where more detailed parameters are needed, as is the case here, they can be configured with specific commands on an individual interface. The fourth and final step is to address proper security management for any unused ports on the Sacramento site's switches. Generally speaking, an unused port should be disabled. To the extent any unused ports are active, this Proposal recommends disabling them until they are needed.

Turning to the Sacramento site's deployment of a ROS topology, a simple configuration for the Sacramento fa0/0 interface will provide the necessary functionality. A ROS topology is preferable at this location because it supports the multiple VLANs that exist at this site and provides inter-VLAN routing. As an educational facility, the workstations in each of the separate VLANs at the Sacramento site must be able to communicate with each other. In a traditional configuration, however, they would be unable to do so.
InterVLAN routing solves this problem by utilizing a router to forward traffic between the various VLANs that are configured on a specific switch [3]. One form of interVLAN routing is known as Router on a Stick (ROS). In this version, the router used to forward traffic is connected to the at-issue switch using a single interface [3]. The switchport connected to the router is then configured as a trunk link and the single interface on the router is then configured with the multiple IP addresses that correspond to the VLANs located on the switch [3]. This interface accepts traffic from each of the VLANs and determines the destination network based on the source and destination IP in the packets [3]. Once this has been determined, the data is forwarded to the switch with the correct VLAN information [3]. Finally, to manage the assignment of unique IP addresses for the various devices and ports at the Sacramento site, this Proposal recommends using the Dynamic Host Configuration Protocol (DHCP). DHCP operates at the application layer of the OSI model and has the ability to automatically assign IP addresses (as well as default gateway and subnet masks) to all network connections. With DHCP, a device borrows, or leases, an IP address while it is attached to a network [4]. This lease is temporary and the amount of time it is in effect depends on DHCP server and client configurations [4]. DHCP does not require a local systems administrator to maintain a table of IP and MAC addresses on the server and instead, only requires this individual to install and configure the DHCP service on a DHCP server [4]. This configuration process involves specifying a range of addresses that can be leased to any network device and a list of excluded addresses [4]. A local systems administrator can also configure the duration of lease to be as long or as short as necessary, from a matter of minutes to forever. 
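The exclusion ranges and pool definitions that the local systems administrators asked for are easy to get wrong by hand: one digit off and a pool either hands out reserved addresses or loses part of its range, and a default-router outside the client's subnet is simply unreachable. The following Python script is an added example, not part of the proposal or of any Cisco tooling; it derives the last-10-address exclusion of each /26 from the addressing plan above and renders the matching IOS DHCP commands. It assumes, for illustration only, that each VLAN's gateway is the first usable host of its subnet (the router sub-interface address) and reuses the DNS address the proposal's sample pools point at; the checker functions can be run against any hand-written exclusion.

```python
"""Derive DHCP exclusion ranges and pool commands for the Sacramento VLANs.

Added example (not part of the proposal). It reproduces the addressing plan
from the text: four /26 subnets, with the last 10 usable addresses of each
subnet kept out of the DHCP pool.
"""
import ipaddress

# Addressing plan as stated in the proposal: VLAN name -> subnet.
VLAN_SUBNETS = {
    "Faculty": "10.50.0.0/26",
    "Administrative": "10.50.0.64/26",
    "Instructional": "10.50.0.128/26",
    "Server": "10.50.0.192/26",
}
# DNS address used by the proposal's sample DHCP pools.
DNS_SERVER = "10.255.255.253"
RESERVED_AT_END = 10  # "exclude the last 10 addresses of each subnet range"


def usable_hosts(subnet):
    """Usable host addresses of a subnet (network and broadcast removed)."""
    net = ipaddress.ip_network(subnet, strict=True)
    return list(net.hosts())


def excluded_range(subnet, count=RESERVED_AT_END):
    """First and last address of the last `count` usable addresses in `subnet`."""
    hosts = usable_hosts(subnet)
    if count >= len(hosts):
        raise ValueError(f"{subnet} has only {len(hosts)} usable addresses")
    return str(hosts[-count]), str(hosts[-1])


def gateway_for(subnet):
    """Assumption for illustration: the router sub-interface takes the first usable host."""
    return str(usable_hosts(subnet)[0])


def gateway_in_subnet(subnet, gateway):
    """A DHCP default-router outside the client's subnet is unreachable; flag it."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(subnet, strict=True)


def exclusion_is_correct(subnet, first, last, count=RESERVED_AT_END):
    """Check a hand-written 'ip dhcp excluded-address first last' against the plan."""
    return (first, last) == excluded_range(subnet, count)


def dhcp_config(vlans=VLAN_SUBNETS, dns=DNS_SERVER):
    """Render the global exclusions followed by one pool per VLAN, IOS style."""
    lines = []
    for subnet in vlans.values():
        first, last = excluded_range(subnet)
        lines.append(f"ip dhcp excluded-address {first} {last}")
    for name, subnet in vlans.items():
        net = ipaddress.ip_network(subnet, strict=True)
        gw = gateway_for(subnet)
        if not gateway_in_subnet(subnet, gw):
            raise ValueError(f"gateway {gw} is not inside {subnet}")
        lines += [
            f"ip dhcp pool {name}",
            f" network {net.network_address} {net.netmask}",
            f" default-router {gw}",  # default-router takes addresses only, no mask
            f" dns-server {dns}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(dhcp_config()))
```

Running the script prints the four exclusions and four pools; `exclusion_is_correct` returns False for a range such as 10.50.0.181 to 10.50.0.126, which is the kind of transposition a reviewer should catch before the configuration is pasted into the router.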
All told, the use of DHCP (as opposed to other options) greatly reduces the administrative burden associated with IP address assignment [4].

C. Sample Configuration

The below configurations will address the issues and other considerations discussed in Section B, “Site Solutions and Technologies” (above):

Configuring the VLAN Database (SacramentoSw2)

Note: Although adding a name to each VLAN is an optional task, it is extremely helpful for identifying the VLAN at a later date.

SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#vlan 2
SacramentoSw2(config-vlan)#name FacultyVLAN
SacramentoSw2(config-vlan)#vlan 3
SacramentoSw2(config-vlan)#name AdministrativeVLAN
SacramentoSw2(config-vlan)#vlan 4
SacramentoSw2(config-vlan)#name InstructionalVLAN
SacramentoSw2(config-vlan)#vlan 5
SacramentoSw2(config-vlan)#name ServerVLAN
SacramentoSw2(config-vlan)#end
SacramentoSw2#show vlan

Note: Creating VLANs does not assign any ports to them; the ports remain in the default VLAN (VLAN 1).

SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int range gi0/1 - 5
SacramentoSw2(config-if-range)#switchport access vlan 2
[Assigning ports for the 5 devices within the Faculty VLAN]
SacramentoSw2(config-if-range)#int range gi0/6 - 19
SacramentoSw2(config-if-range)#switchport access vlan 3
[Assigning ports for the 14 devices within the Administrative VLAN]
SacramentoSw2(config-if-range)#int range gi0/20 - 24, gi1/1 - 24, gi2/1 - 5
SacramentoSw2(config-if-range)#switchport access vlan 4
[Assigning ports for the 34 devices within the Instructional VLAN]
SacramentoSw2(config-if-range)#int range gi2/6 - 12
SacramentoSw2(config-if-range)#switchport access vlan 5
[Assigning ports for the 7 devices within the Server VLAN]
SacramentoSw2(config-if-range)#end
SacramentoSw2#show vlan
SacramentoSw2#copy running-config startup-config
[Saving the above configuration changes]

Configuring Switchport Security (All Switches)

Note: When configuring port security, it is important to remember that a secure port cannot be a trunk port, a destination port for Switch Port Analyzer (SPAN), or an 802.1X port. Nor can the port belong to an EtherChannel port-channel interface.

SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int range gi0/1 - 24, gi1/1 - 24, gi2/1 - 12
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#shut
SacramentoSw2(config-if-range)#no shut
[Enabling port security on the active ports assigned to each VLAN at the Sacramento site; a port that is shut down by a violation stays err-disabled until an administrator issues shut and no shut on it]
SacramentoSw2(config-if-range)#int range gi2/13 - 24, gi3/1 - 24
SacramentoSw2(config-if-range)#shut
[Disabling the unused ports until they are needed]
SacramentoSw2(config-if-range)#end
SacramentoSw2#copy running-config startup-config

Configuring the ROS Topology Requirements:

ROS Topology Configuration (Switch)

Note: To enable the ROS topology, the port on the switch that leads to the router must be configured as a trunk port.

SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int fa0/24
SacramentoSw2(config-if)#switchport mode trunk
SacramentoSw2(config-if)#end
SacramentoSw2#copy running-config startup-config

ROS Topology Configuration (Router)

Note: The ROS topology configuration process on the router takes three steps: (1) create a sub-interface, (2) define the frame tagging method, and (3) assign an IP address. The encapsulation must be set before the address, and the address must be a host address inside the VLAN’s subnet (IOS rejects the network address itself); the first usable address of each /26 is used below and becomes that VLAN’s default gateway.

Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#int fa0/0
Sacramento-R(config-if)#no shut
Sacramento-R(config-if)#int fa0/0.2
Sacramento-R(config-subif)#encap dot1q 2
Sacramento-R(config-subif)#ip address 10.50.0.1 255.255.255.192
Sacramento-R(config-subif)#int fa0/0.3
Sacramento-R(config-subif)#encap dot1q 3
Sacramento-R(config-subif)#ip address 10.50.0.65 255.255.255.192
Sacramento-R(config-subif)#int fa0/0.4
Sacramento-R(config-subif)#encap dot1q 4
Sacramento-R(config-subif)#ip address 10.50.0.129 255.255.255.192
Sacramento-R(config-subif)#int fa0/0.5
Sacramento-R(config-subif)#encap dot1q 5
Sacramento-R(config-subif)#ip address 10.50.0.193 255.255.255.192
Sacramento-R(config-subif)#end
Sacramento-R#copy running-config startup-config

Configuring IP Assignment (Router)

Note: It is typically good policy to start by configuring those IP addresses that should be excluded from assignment, to avoid their inadvertent inclusion in the pool of assignable addresses. Once that has been completed, the configuration process merely requires a local systems administrator to define the address pool that represents the information that should be sent out to the various workstations, as well as the default gateway and DNS server.

Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.53 10.50.0.62
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.117 10.50.0.126
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.181 10.50.0.190
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.245 10.50.0.254
[Excluding the last 10 addresses of each /26 subnet]
Sacramento-R(config)#ip dhcp pool Faculty
Sacramento-R(dhcp-config)#network 10.50.0.0 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.1
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Administrative
Sacramento-R(dhcp-config)#network 10.50.0.64 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.65
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Instructional
Sacramento-R(dhcp-config)#network 10.50.0.128 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.129
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Server
Sacramento-R(dhcp-config)#network 10.50.0.192 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.193
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
[default-router and dns-server take addresses only (no mask); the gateway must lie inside the pool’s subnet, so each pool points at its own fa0/0 sub-interface, while the DNS address is the one specified in Section A]
Sacramento-R(dhcp-config)#end
Sacramento-R#copy running-config startup-config

D. Supporting Tables and/or Diagrams

The following table provides the relevant information related to the four individual VLANs that currently exist at the Sacramento site.

VLAN (Name)      VLAN ID   VLAN Address      Ports                                Excluded IP Addresses
Faculty          2         10.50.0.0 /26     gi0/1 - 5                            10.50.0.53 - 10.50.0.62
Administrative   3         10.50.0.64 /26    gi0/6 - 19                           10.50.0.117 - 10.50.0.126
Instructional    4         10.50.0.128 /26   gi0/20 - 24, gi1/1 - 24, gi2/1 - 5   10.50.0.181 - 10.50.0.190
Server           5         10.50.0.192 /26   gi2/6 - 12                           10.50.0.245 - 10.50.0.254

II. Los Angeles Site – Challenges and Implementation

The Los Angeles site of xACME is one of many remote locations where students, faculty, and staff must have the ability to perform their daily tasks and other responsibilities. In furtherance of this requirement, xACME has implemented certain network infrastructure technologies to increase overall efficiency in performing these tasks, as well as interconnectivity between the remote xACME sites. The use of these new technologies, however, has not come without its challenges. This Cisco Network Proposal (“Proposal”) will discuss the challenges identified by the local systems administrators at this site and offer solutions to these issues. In addition, this Proposal will include recommendations to remediate any potential threat vectors, as well as increase the overall usability of the network. The goal of this Proposal is to promote the health and security of the Los Angeles site’s network, while ensuring that all authorized users can perform their necessary tasks and responsibilities.

A.
Site Details and Challenges

With specific reference to the Los Angeles site, the following is a list of the pertinent network devices and other relevant site details:

• One (1) Cisco 2800 Series router with the below available interface ports:

Cisco 2800 Series Integrated Services Router: interface ports available
Fast Ethernet interfaces (4 per router): fa0/0, fa0/1, fa1/0
Serial interfaces (2 per router): s0/0/0, s0/0/1

• Three (3) Cisco Catalyst 6500 Series switches with the below available ports:

Cisco Catalyst 6500 Series: 96 total Gigabit Ethernet ports per switch
Module 1 = gi0/1 - gi0/24
Module 2 = gi1/1 - gi1/24
Module 3 = gi2/1 - gi2/24
Module 4 = gi3/1 - gi3/24

• One (1) TFTP/SFTP/NTP server that has been assigned the following IP address: 10.40.6.10/23

• Four (4) existing VLAN configurations, which are listed below according to their intended use:

VLAN Name                   Members                Type of Communications             Number of Devices
Faculty                     Faculty                Non-Academic                       21
Administrative              Staff                  Business and Administrative        44
Academic or Instructional   Students and Faculty   Classroom Labs and Instructional   120
Server                      IT Staff               Technology and Management          21

In addition to this network infrastructure, the Los Angeles site has been assigned the 10.40.0.0 /16 network address.

Based on these site details, the local systems administrators have requested assistance in developing and implementing a multi-faceted solution at the Los Angeles site. First, with respect to remote storage for device configurations, the local systems administrators require assistance in selecting the correct Remote IOS Storage protocol and then properly implementing the proposed solution. Second, all switches within the Los Angeles site topology should be configured to allow for remote management, thereby increasing efficiency and network performance. Third, the local systems administrators desire to restrict and otherwise protect access to network devices.
As such, the only VLAN that should be permitted to communicate remotely with the Sacramento site devices should be the Server VLAN. In furtherance of this goal, the local site administrators have requested this Proposal include a discussion of the type of ACL to implement, the placement of this ACL, and a configuration for the Sacramento site’s router. Fourth, an NTP solution is required for all devices found within this topology to ensure clock synchronization, which will provide accurate record logging and allow authentication protocols to be established.

B. Site Solution and Technologies

There are several different options available for copying configuration files from a network device to a file server for remote storage. These options include using File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Trivial File Transfer Protocol (TFTP), or Remote Copy Protocol (RCP) [5]. Based on the equipment available at the Los Angeles site, as well as a review of each of the different transport mechanisms, this Proposal recommends using TFTP to back up the router configuration files at the Los Angeles site [5].

In a similar fashion, there are also a number of different protocols available to permit remote access to and management of the various switches at the Los Angeles site. For instance, a local systems administrator can remotely access a Cisco device using Telnet, Secure Shell (SSH), Cisco Discovery Protocol (CDP), or Internet Control Message Protocol (ICMP) [6]. A review of these protocols reveals that SSH is likely the best remote access protocol for the Los Angeles site. SSH has two primary benefits: (1) it can be used with any brand or type of network device and (2) it is a secure protocol that encrypts its session between an SSH client and an SSH server [6].

To address the need to restrict and otherwise protect access to network devices, an Access Control List (ACL) will need to be configured to only allow the Server VLAN to remotely communicate with other Sacramento site devices. An ACL is a network filter that is utilized by routers and some switches “to permit and restrict data flows into and out of network interfaces” [7]. There are several different types of ACLs, and most are defined for a particular purpose or protocol. For Cisco routers, the two main types of ACLs are known as a “standard ACL” and an “extended ACL” [8]. A standard ACL can filter on only the source IP address in an IP packet header, whereas an extended ACL can filter on (1) the source IP address, (2) the destination IP address, (3) the TCP/IP protocol, and (4) the TCP/IP protocol information [8]. Reviewing these different filtering capabilities in conjunction with the local systems administrators’ requirements, a standard ACL will adequately fulfill this request.

Finally, this Proposal will employ the Network Time Protocol (NTP) over the Simple Network Time Protocol (SNTP) to provide the required clock synchronization. Specifically, NTP synchronizes the time of day among a set of distributed time servers and clients so that local systems administrators can correlate events when they receive system logs and other time-specific events from multiple network devices [9]. With the User Datagram Protocol (UDP) as its transport protocol, NTP uses standard Coordinated Universal Time (UTC) [9]. Because the Los Angeles site already has an NTP server installed, a simple configuration will allow NTP to be enabled and utilized.

C.
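Because the access list placed on the VTY lines decides who may even attempt to log in, its wildcard mask deserves a check before it is applied: a mask with too many “don’t care” bits silently admits every host in the site’s /16 rather than only the Server VLAN the local systems administrators named above. The following Python script is an added example, not part of the proposal or of any Cisco tool; it evaluates a standard ACL with Cisco wildcard semantics (a 1 bit in the wildcard is ignored, a 0 bit must match, and an unmatched source hits the implicit deny). It assumes the Server VLAN is the 10.40.6.0/23 subnet, derived from the TFTP/NTP server’s address 10.40.6.10/23; the sample source addresses are constructed for illustration.

```python
"""Evaluate a Cisco standard ACL with wildcard-mask semantics.

Added example (not part of the proposal). Used here to check an access-class
that restricts VTY logins to the Server VLAN, assumed to be 10.40.6.0/23
(the subnet containing the server address 10.40.6.10/23).
"""
import ipaddress


def u32(addr):
    """IPv4 dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_for(cidr):
    """Wildcard mask that matches exactly the hosts of `cidr` (the host mask)."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def wildcard_match(src, base, wildcard):
    """True if `src` matches `base` under `wildcard` (1 bits are ignored)."""
    care = ~u32(wildcard) & 0xFFFFFFFF
    return (u32(src) & care) == (u32(base) & care)


def addresses_matched(wildcard):
    """How many distinct addresses a single entry with this wildcard can match."""
    return 1 << bin(u32(wildcard)).count("1")


def evaluate_standard_acl(acl, src):
    """First matching entry wins; no match means the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


# access-class intended by the proposal: only the Server VLAN may open a VTY session.
SERVER_VLAN = "10.40.6.0/23"
VTY_ACL = [("permit", "10.40.6.0", wildcard_for(SERVER_VLAN))]
# A too-broad mask for comparison: 0.0.255.255 ignores the whole third octet,
# so the entry matches all of 10.40.0.0/16.
TOO_BROAD_ACL = [("permit", "10.40.6.0", "0.0.255.255")]

# Constructed sample sources: the TFTP/NTP server, another Server VLAN host,
# a host elsewhere in the site's /16 (assumed for illustration), and an outside address.
SAMPLE_SOURCES = ["10.40.6.10", "10.40.7.200", "10.40.2.55", "192.0.2.9"]


def decisions(acl, sources=SAMPLE_SOURCES):
    """Map each source address to the ACL's permit/deny decision."""
    return {src: evaluate_standard_acl(acl, src) for src in sources}


if __name__ == "__main__":
    print("wildcard for", SERVER_VLAN, "=", wildcard_for(SERVER_VLAN))
    for label, acl in (("intended", VTY_ACL), ("too broad", TOO_BROAD_ACL)):
        print(label, decisions(acl), "covers", addresses_matched(acl[0][2]), "addresses")
```

With the intended mask 0.0.1.255 the entry covers 512 addresses and the host 10.40.2.55 is denied; with 0.0.255.255 the same entry covers 65,536 addresses and that host is permitted, which is exactly the over-exposure the access-class is meant to prevent.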
Sample Configuration

The below configurations will address the issues and other considerations discussed in Section B, “Site Solutions and Technologies” (above):

Configuring Remote Device Configuration Storage (Router)

Note: TFTP does not include any security measures such as login or access control mechanisms, and thus adding a console password will help alleviate concerns related to these issues.

LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#line con 0
LosAngeles-R(config-line)#password S#cur1ty
LosAngeles-R(config-line)#login
LosAngeles-R(config-line)#end
LosAngeles-R#copy running-config tftp://10.40.6.10/LosAngelesRouter-config
[copy is run from privileged EXEC mode, not from configuration mode]
Write file LosAngelesRouter-config on host 10.40.6.10? [confirm] (press “y” and “enter”)
Writing LosAngelesRouter-config!!! [OK]

Configuring Remote Management of Switches (All Switches)

Note: The use of local usernames is not required; the usernames and passwords that are used to gain access to a network device could be centrally managed through a AAA server.

LosAngelesSw1>ena
LosAngelesSw1#conf t
LosAngelesSw1(config)#username @dm1n secret S3curePas$word
[Assigning a local user name for remote access; secret stores a hash, whereas the password keyword stores a reversible type 7 string]
LosAngelesSw1(config)#ip domain-name xAcme.edu
LosAngelesSw1(config)#crypto key generate rsa
…
How many bits in the modulus [512]: 2048 (enter 2048 rather than accepting the 512-bit default, which is too small for SSH version 2)
…
LosAngelesSw1(config)#ip ssh version 2
LosAngelesSw1(config)#line vty 0 15
LosAngelesSw1(config-line)#login local
LosAngelesSw1(config-line)#transport input ssh
[Prohibiting Telnet and requiring SSH for all incoming connections]
LosAngelesSw1(config-line)#end
LosAngelesSw1#copy running-config startup-config

Configuring the Access Control List (ACL) (Router)

Note: By default, there are no security restrictions in place on incoming VTY lines as to who or what source can connect to a network device if the password is known or otherwise available. Adding an ACL will provide the necessary restrictions to limit remote access to only those authorized devices or users.

LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#access-list 1 permit 10.40.6.0 0.0.1.255
[Permitting only the Server VLAN, 10.40.6.0 /23; the wildcard mask 0.0.1.255 covers exactly that /23]
LosAngeles-R(config)#access-list 1 deny any
[A standard ACL matches on the source only, so deny takes a single any; the line makes the implicit deny visible in the configuration]
LosAngeles-R(config)#line vty 0 15
LosAngeles-R(config-line)#access-class 1 in
LosAngeles-R(config-line)#end
LosAngeles-R#copy running-config startup-config

Configuring the Network Time Protocol (NTP) (Router)

LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#ntp server 10.40.6.10
[On IOS, ntp server alone enables the NTP client; no separate feature command is required]
LosAngeles-R(config)#exit
LosAngeles-R#copy running-config startup-config

D. Supporting Tables and/or Diagrams

The following diagram depicts some of the various configuration changes that have been deployed at the Los Angeles site to fulfill the requirements described by the local systems administrators.

III. xACME WAN Site – Challenges and Implementation

The xACME WAN site is used to connect the many remote locations where students, faculty, and staff must have the ability to perform their daily tasks and other responsibilities. In furtherance of this requirement, xACME has implemented certain network infrastructure technologies to increase overall efficiency in performing these tasks, as well as interconnectivity between the remote xACME sites. The use of these new technologies, however, has not come without its challenges. This Cisco Network Proposal (“Proposal”) will discuss the challenges identified by the local systems administrators at this site and offer solutions to these issues. In addition, this Proposal will include recommendations to remediate any potential threat vectors, as well as increase the overall usability of the network.
The goal of this Proposal is to promote the health and security of the xACME WAN site’s network, while ensuring that all authorized users can perform their necessary tasks and responsibilities.

A. Site Details and Challenges

The current WAN links for the xACME educational facilities are serial-based and connected over leased lines that utilize the Cisco default protocol for layer 2 connectivity. Currently, authentication is not present, but the added security from its implementation would be preferred. Accordingly, the local systems administrators have requested research on the available WAN protocols and the implementation of a WAN solution that will provide authentication between devices. Specifically, this Proposal should include all necessary steps for deploying the recommended WAN solution, which must specifically include device configurations based on the current implementation.

In addition, the network topology for xACME has been designed such that the Los Angeles and Boston sites are connected across leased lines, and each of these two sites remains the entry point to its respective regional locations. That said, however, a recent review of the traffic has raised concerns, particularly in the amount and extent of traffic that is being handled by the router at each of these two locations. As such, the local systems administrators for these two sites have requested a review of the xACME educational topology, as well as recommendations that would provide adequate redundancy and alleviate some of the bandwidth requirements that are currently placed on both devices. To the extent necessary, additional lines are available and can be leased. If this option is selected, the additional range of lines may be leased from the available xACME public address range (165.128.63.0 /26).

B.
Site Solution and Technologies

There are two WAN protocol options available for the required WAN solution: the High-Level Data Link Control (HDLC) Protocol and the Point-to-Point Protocol (PPP) [9]. There are, of course, additional WAN protocols that exist. These options, however, either require the purchase of additional equipment and other items or are unsupported based on the current xACME educational topology. Turning to the two viable options, the HDLC Protocol is a simple protocol that is used to connect point-to-point serial devices and is the default protocol on all Cisco serial interfaces [9]. Although PPP is based on the HDLC protocol and is also used to connect point-to-point leased lines, there are several differences between these two protocols. For instance, PPP is not limited to only Cisco devices, it relies on several sub-protocols to function, and it generally has more features (including authentication, which is supported with PAP and CHAP) [9]. As a result, this Proposal recommends using PPP (with CHAP for authentication) to meet the needs and requirements articulated by the local systems administrators. The use of this protocol over the HDLC Protocol will provide the necessary authentication between network devices.

To alleviate the bandwidth concerns and provide additional redundancy within the xACME educational topology, this Proposal recommends adding a connection between the Sacramento and Springfield sites using two additional leased line connections. The addition of these two leased lines would transform the xACME topology from a peer-to-peer WAN topology to a ring WAN topology. In a ring WAN topology, “each site is connected to two other sites so that the entire WAN forms a ring pattern” [10]. Using this particular topology has at least two distinct advantages over a peer-to-peer WAN topology. First, a single cable problem will not drastically impact the entire network’s performance. Second, the routers at any given location can redirect data if one route becomes inundated with traffic [10]. That aside, a ring WAN topology is only practical where there are a limited number of locations, typically fewer than four or five sites [10]. As a result, if xACME desires to increase the current number of locations, another topology should likely be deployed. For instance, a tiered or hybrid WAN topology could provide similar redundancy and bandwidth improvements, while still providing the needed flexibility for site expansions [10].

C. Sample Configuration

The below configurations will address the issues and other considerations discussed in Section B, “Site Solutions and Technologies” (above):

Configuring PPP with CHAP Authentication (All Routers)

Note: Before configuring CHAP as the authentication method, you need to set a username that matches the host’s name on the other side of the connection, along with a shared password that is used by both routers. CHAP never sends this password over the link; each side proves knowledge of it by answering a challenge, so the name and password must agree exactly on both routers. The Boston and Worchester routers are shown; the same steps apply to every other leased-line pair.

Boston-R>ena
Boston-R#conf t
Boston-R(config)#username Worchester-R password Sh@redPassW3rd
[The username is the peer’s hostname exactly as configured on that router]
Boston-R(config)#int s0/0/1
Boston-R(config-if)#encapsulation ppp
Boston-R(config-if)#ppp authentication chap
Boston-R(config-if)#end
Boston-R#copy running-config startup-config

Worchester-R>ena
Worchester-R#conf t
Worchester-R(config)#username Boston-R password Sh@redPassW3rd
Worchester-R(config)#int s0/0/1
Worchester-R(config-if)#encapsulation ppp
Worchester-R(config-if)#ppp authentication chap
Worchester-R(config-if)#end
Worchester-R#debug ppp authentication
Worchester-R#conf t
Worchester-R(config)#int s0/0/1
Worchester-R(config-if)#shut
Worchester-R(config-if)#no shut
[Bouncing the link so the CHAP challenge and response appear in the debug output]
Worchester-R(config-if)#end
Worchester-R#sh int s0/0/1
[Verifying that the line protocol is up after authentication succeeds]
Worchester-R#undebug all
Worchester-R#copy running-config startup-config

Adding Redundancy and Bandwidth (Sacramento and Springfield Routers)

Note: There are additional commands that can further configure this particular leased line connection. One such example is setting the clock rate, which uses the “clock rate” command.

Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#int s0/0/1
Sacramento-R(config-if)#ip address 165.128.63.5 255.255.255.252
Sacramento-R(config-if)#shut
Sacramento-R(config-if)#no shut
Sacramento-R(config-if)#end
Sacramento-R#copy running-config startup-config

D. Supporting Tables and/or Diagrams

The below diagram depicts the additional leased line connections that add redundancy to the xACME educational topology, as well as provide added routes to decrease bandwidth concerns at all xACME remote locations:

BIBLIOGRAPHY

[1] “Configuring Access and Trunk Interfaces,” Cisco.com, n.d. [Online]. Available: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html [Sept. 29, 2017].

[2] D. Davis, “Lock Down Cisco Switch Port Security,” TechRepublic.com, Oct. 11, 2007. [Online]. Available: http://www.techrepublic.com/blog/it-security/lock-down-cisco-switch-port-security-88196/ [Sept. 30, 2017].

[3] “Inter-VLAN Routing,” CCNABlog.com, n.d. [Online]. Available: http://www.ccnablog.com/inter-vlan-routing/ [Sept. 21, 2017].

[4] T. Dean, Network+ Guide to Networks, 5th ed. Boston, MA: Course Technology, 2010.

[5] “Managing Configuration Files,” Cisco.com, n.d. [Online]. Available: https://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf007.html [Oct. 1, 2017].

[6] “Cisco CCNA – Remote Management with Telnet, SSH, CDP & ICMP,” CertificationKits.com, n.d. [Online]. Available: https://www.certificationkits.com/cisco-certification/ccna-articles/cisco-ccna-miscellaneous-topics/cisco-ccna-remote-management-with-telnet-ssh-cdp-a-icmp/ [Sept. 27, 2017].

[7] T. Wilson, “Securing Networks: Access Control List (ACL) Concepts,” PluralSight.com, May 16, 2012. [Online]. Available: https://www.pluralsight.com/blog/it-ops/access-control-list-concepts [Sept. 28, 2012].

[8] “Types of ACLs,” eTutorials.com, n.d. [Online]. Available: http://etutorials.org/Networking/Router+firewall+security/Part+III+Nonstateful+Filtering+Technologies/Chapter+7.+Basic+Access+Lists/Types+of+ACLs/ [Sept. 29, 2012].

[9] “Network Time Protocol (NTP),” SearchNetworking.com, Feb. 2007. [Online]. Available: http://searchnetworking.techtarget.com/definition/Network-Time-Protocol [Sept. 30, 2012].

[10] “WAN Topologies,” angelfire.com, n.d. [Online]. Available: http://www.angelfire.com/mech/phattony/wan_topologies.htm [Oct. 2, 2017].

CMIT 350 WAN and SOHO Skills Implementation

Use this document as a guide for formatting and organizing your CMIT 350 Skills Implementation challenge.

Title Page

Professionalism will be key to your success and advancement in your academic and professional career. Use the title page to identify relevant information such as your name, the course, professor, and submission/completion date.

Document Index/Contents

Organization will allow your document to be divided into key areas of consideration and allows an overall structure to be placed over the submission. Sample text:

I. Site “XXXXXXXX” Challenges and Implementation
II. Site “XXXXXXXX” Challenges and Implementation
III. Site “XXXXXXXX” Challenges and Implementation
IV. Bibliography

I. Site “XXXXXXXXXX” Challenge and Implementation

(Provide a section for each site, as suggested in your table of contents.)

Site Details and Challenges (Summary)

Here, you will simply summarize the site requirements and/or challenges you are attempting to overcome.
You will not need to implement solutions or discuss your approach at this point. This information is provided to you and can simply be organized and restated as you understand it. Think of this area as what needs to be corrected. Suggested length would be one or two paragraphs.

Sample text: As described in the scenario, the xUMUC site was developed without any VLAN structure, and administrators have found the need to isolate broadcast traffic from a layer-2 perspective.

Site Solution(s) and Technologies

With the challenges stated, you will be able to clearly define your approach to solving those challenges and can state the technologies you will be implementing. Be sure to use this area to justify your approach and selection of technologies as well. The specific length and details of this area will vary based on the specifics and depth of the challenge you are facing. Your justification would be your selection of a specific technology or approach over another and why you chose the approach you are taking. Show off your knowledge in the foundational skills here!

Sample text: In order to relieve the administrative tasks surrounding the implementation of manual IP addressing per device, we will configure and implement a DHCP (dynamic host configuration protocol) server, per site requirements. The DHCP allows for devices to identify, request and implement IP configurations as well as other settings….

Since this area may call for facts and details around technologies and approaches, you will most likely find yourself using in-text citations, which would appear as follows: Open Shortest Path First is an open standard routing protocol that’s been implemented by a wide variety of network vendors, including Cisco [1].

Sample Configuration

Understanding the technologies will satisfy a portion of the document’s requirements. You will also need to display how the solutions you are suggesting would be implemented. This will include the specific commands used to configure the devices. Instructions will state when sample configurations are required, and any sample configurations should be limited to the devices provided, per the site topology. Device syntax to be used can be found in your training suite, TestOut’s LabSim. Show off your technical competency here!

Sample text: Sample Device Configuration 1

Supporting Tables/Diagrams

When structuring solutions per certain sites, you may find it helpful or even necessary to structure information with tables and/or diagrams. These items can be used to support and display your understood solutions located in the “Site Solution(s) and Technologies” area. Display your organizational and logical skills in this area!

Sample table: Sample Table 1, Sample Table 2, Sample Diagram 1

Repeat the format to include document components for each site. In this sample, sections numbered II and III in your table of contents would be provided next, followed by the bibliography.

IV. Bibliography

Be responsible with your research and included works. Provide proper credit in the IEEE format to original authors and their works that you leverage in your submission.

Sample Entry: [1] T. Lammle. CCNA Routing and Switching Study Guide. Indianapolis, ID: Sybex Wiley, 2013, p. 386.

Explanation & Answer

Here you go....

xAcme Technology Trade School Network Proposal
Part 3


Table of Contents
I. Sacramento Site – Challenges and Implementation ........ 3
   A. Site Details and Challenges ........ 3
   B. Site Solution and Technologies ........ 3
   C. Sample Configuration ........ 4
   D. Supporting Tables and/or Diagrams ........ 5
II. Los Angeles Site – Challenges and Implementations ........ 7
   A. Site Details and Challenges ........ 7
   B. Site Solution and Technologies ........ 7
   C. Sample Configuration ........ 7
III. xACME WAN – Challenges and Implementations ........ 9
   A. Site Details and Challenges ........ 9
   B. Site Solution and Technologies ........ 9
   C. Sample Configuration ........ 10
IV. Bibliography ........ 11


Sacramento Site Challenges and Implementation

Details of Site

For the xAcme Technology Trade School’s Sacramento site, there is a need for implementing a Virtual Local Area Network similar to the first site, in the way of a database of Virtual Local Area Networks. This configuration comprises an explanation of the proper mode choice of switch port along with the appropriate methods of implementation. Also, it indicates that there must be port security executed for protecting the network along with ensuring that the ports are merely utilized for the proper connections, and other devices are not enabled to connect to the devices. It further indicates that the unused ports also need to be secured for preventing the connection of devices that are malicious or do not belong. One more item that must be executed is the topology of Router On a Stick (ROS) that will be utilized for providing support for the usage of more than one Virtual Local Area Network along with the routing of Virtual Local Area Networks. The final thing that must be addressed is the implementation of a DHCP solution that will involve IP address reservation within the addressing pools to be utilized for addressing numerous connections of device ports.

Site Techno...
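As an added illustration (not part of the original answer or the instructor's template) of what a "Sample Configuration" covering the Sacramento items above would look like in Cisco IOS syntax: VLAN database, access and trunk port modes, port security, shutting down unused ports, router-on-a-stick subinterfaces, and a DHCP pool with a reservation. The VLAN numbers, interface names, the 10.10.0.0/16 addressing and the MAC address are assumptions, since the page gives none.

```cisco
! --- Switch: VLAN database and port modes (assumed VLAN ids and interface names) ---
vlan 10
 name STUDENTS
vlan 20
 name FACULTY
vlan 999
 name PARKING
!
interface FastEthernet0/1
 description Trunk to router for router-on-a-stick
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range FastEthernet0/2 - 12
 description Student access ports with port security
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface range FastEthernet0/13 - 24
 description Unused ports: parked in an unused VLAN and shut down
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Router: one 802.1Q subinterface per VLAN, plus DHCP pools ---
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
! Keep the gateway, servers and the reserved address out of the dynamic range
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.20
ip dhcp pool STUDENTS
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.5
! Reservation: this (constructed) MAC address always receives 10.10.10.20
ip dhcp pool PRINTER-RESERVED
 host 10.10.10.20 255.255.255.0
 hardware-address aaaa.bbbb.cccc
```

On older switches that also support ISL, the trunk port additionally needs "switchport trunk encapsulation dot1q" before "switchport mode trunk".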
