Cisco Network Proposal Part 3
Kamesha L. McCarthy
CMIT 350 - Interconnecting Cisco Devices
Professor John Galliano
10 December 2018
Table of Contents
I. Sacramento Site – Challenges and Implementation ........................ 1
   A. Site Details and Challenges ......................................... 1
   B. Site Solution and Technologies ...................................... 1
   C. Sample Configuration ................................................ 2
   D. Supporting Tables and/or Diagrams ................................... 3
II. Los Angeles Site – Challenges and Implementations ...................... 4
   A. Site Details and Challenges ......................................... 4
   B. Site Solution and Technologies ...................................... 4
   C. Sample Configuration ................................................ 7
   D. Supporting Tables and/or Diagrams ................................... 8
III. xACME WAN – Challenges and Implementations ............................ 9
   A. Site Details and Challenges ......................................... 9
   B. Site Solution and Technologies ...................................... 9
   C. Sample Configuration ............................................... 12
   D. Supporting Tables and/or Diagrams .................................. 13
IV. Bibliography ......................................................... 15
I. Sacramento Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
II. Los Angeles Site – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
III. xACME WAN – Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution and Technologies
   C. Sample Configuration
   D. Supporting Tables and/or Diagrams
References
[1] "Cisco IP Addressing and Subnetting for New Users," cisco.com, August 10, 2016. [Online]. Available: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html. [Accessed: 27-Nov-2018].
[2] Cisco, "Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches," Cisco Support, 2006. [Online]. Available: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html. [Accessed: 24-Nov-2018].
[3] M. Rouse, "What is Route Summarization (Route Aggregation)," searchnetworking.com, June 2008. [Online]. Available: http://searchnetworking.techtarget.com/definition/route-summarization. [Accessed: 25-Nov-2018].
[4] "TestOut LabSim," cdn.testout.com, 2017. [Online]. Available: https://cdn.testout.com/client-v5-1-10-542/startlabsim.html. [Accessed: 25-Nov-2018].
[5] A. Shekhar, "What Is Mesh Topology? Advantages And Disadvantages Of Mesh Topology," Fossbytes, 2016. [Online]. Available: https://fossbytes.com/what-is-mesh-topology-advantages-and-disadvantages-of-mesh-topology/. [Accessed: 24-Nov-2018].
[6] I. Price-Evans, "What is Open Shortest Path First (OSPF)?," Metaswitch. [Online]. Available: https://www.metaswitch.com/knowledge-center/reference/what-is-open-shortest-path-first-ospf. [Accessed: 25-Nov-2018].
Running Head: CISCO NETWORK PROPOSAL PART 3
Cisco Network Proposal Part 3
CMIT 350
Interconnecting Cisco Devices
16 December 2017
Table of Contents
I. Sacramento Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. VLANs
      b. ROS
      c. DHCP
   C. Supporting Diagrams and Configurations
II. Los Angeles Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. Remote IOS Storage
      b. Remote Management of Switches
      c. ACL Implementation
      d. Network Time Protocol
III. xACME Site Challenges and Implementation
   A. Site Details and Challenges
   B. Site Solution(s) and Technologies
      a. Wide Area Network (WAN) Implementation
      b. Topology
References
I. Sacramento Site Challenges and Implementation
A. Site Details and Challenges
As a network administrator for the xAcme Technology Trade School, I have been asked to implement a
Virtual Local Area Network (VLAN) database on the site switches, configure a Routing on a Stick (ROS)
topology, and use Dynamic Host Configuration Protocol (DHCP) to manage IP addresses. Per the
Sacramento site topology diagram, the network's address range starts at 10.50.0.0 /16. The Sacramento
site consists of the following devices [1]:
- (1) Cisco 2800 Series router
- (3) Cisco Catalyst 6500 Series switches
- (4) VLANs
  o (1) Faculty VLAN with 5 connected devices used by faculty for all office locations
  o (1) Administrative VLAN with 14 connected devices used by staff for business administrative communications
  o (1) Academic (Instructional) VLAN with 34 connected devices used by faculty and students for classroom labs and instructional communications
  o (1) Server VLAN with 7 connected devices used by IT staff for all technology/management communications
The topology for the Sacramento site is pictured below [1]:
[Sacramento site topology diagram]
B. Site Solution(s) and Technologies
As mentioned earlier, a VLAN database will need to be implemented on the switches at the Sacramento
site, and a ROS topology and DHCP will need to be implemented as well [1]. All sample configurations for
the Sacramento site are shown in section C.
a. VLANs
The first step in configuring the switches is to implement VLANs on them. Creating VLANs within
switches has several benefits over using additional routers within a network. One benefit of creating
VLANs on switches rather than using routers is that switches are easier to administer and maintain than
routers. Another benefit is that switches have lower latency, which offers higher performance than
routers [2].
The switchport mode determines how a port responds to the information it receives and where it sends
that information. The two basic types of switchports are access ports and trunk ports. An access port
can have only one VLAN configured and carries traffic for that one VLAN. A trunk port can have more
than one VLAN configured and can pass traffic for more than one VLAN at the same time [3].
Switchport security is used to secure the network from unauthorized access. A switchport can be
secured in one of two ways: by limiting the number of devices that are able to connect to a given port,
or by limiting which devices, by MAC address, can connect to a secure switchport. Access ports are the
only ports that can have port security enabled. Port security cannot protect against MAC address
spoofing. Also, if no MAC address is manually configured for port security, the switch will allow the
first MAC addresses it sees on the port, up to the configured maximum number of addresses [2].
b. ROS
The Sacramento site will be utilizing Routing on a Stick (ROS) topology. This is used to ensure all
switches on the network can communicate with one another. The switch labeled SacramentoSw2
will be the trunk link between the Sacramento router and the rest of the devices on the network.
c. DHCP
Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically assigns and manages IP
addresses from a pool of addresses on the network. This pool, called the address pool, is the range
of addresses that can be assigned to requesting hosts [2]. The DHCP server will only assign IP addresses
from within the address pool, and it can also be configured to exclude specific IP addresses within the
address pool [2].
C. Supporting Diagrams and Configurations
The following chart lists the VLAN ID, default gateway, IP range (address pool), subnet mask, excluded
addresses from the address pool, and ports used on each switch for the Sacramento site:

VLAN (devices)      | VLAN Int   | Default Gateway | IP Range (address pool)   | Subnet Mask     | Excluded Addresses        | Ports Used
Faculty (5)         | int vlan 1 | 10.50.0.0       | 10.50.0.1 - 10.50.0.52    | 255.255.255.192 | 10.50.0.53 - 10.50.0.62   | gi0/3 - 7
Administrative (14) | int vlan 2 | 10.50.0.64      | 10.50.0.65 - 10.50.0.116  | 255.255.255.192 | 10.50.0.117 - 10.50.0.126 | gi0/8 - 21
Instructional (34)  | int vlan 3 | 10.50.0.128     | 10.50.0.129 - 10.50.0.180 | 255.255.255.192 | 10.50.0.181 - 10.50.0.190 | gi0/22 - 55
Server (7)          | int vlan 4 | 10.50.0.192     | 10.50.0.193 - 10.50.0.245 | 255.255.255.192 | 10.50.0.245 - 10.50.0.254 | gi0/56 - 62

Below are the steps to create the VLANs on the switch and assign each port range to its VLAN [2]:
SacramentoSw2>enable
SacramentoSw2#configure terminal
! note: IOS does not permit renaming VLAN 1 (the default VLAN); the name command is
! kept from the proposal, but the switch will reject it for VLAN 1
SacramentoSw2(config)#vlan 1
SacramentoSw2(config-vlan)#name Faculty
SacramentoSw2(config-vlan)#interface range gi0/3 - 7
SacramentoSw2(config-if-range)#switchport access vlan 1
SacramentoSw2(config-if-range)#vlan 2
SacramentoSw2(config-vlan)#name Administrative
SacramentoSw2(config-vlan)#interface range gi0/8 - 21
SacramentoSw2(config-if-range)#switchport access vlan 2
SacramentoSw2(config-if-range)#vlan 3
SacramentoSw2(config-vlan)#name Instructional
SacramentoSw2(config-vlan)#interface range gi0/22 - 55
SacramentoSw2(config-if-range)#switchport access vlan 3
SacramentoSw2(config-if-range)#vlan 4
SacramentoSw2(config-vlan)#name Server
SacramentoSw2(config-vlan)#interface range gi0/56 - 62
SacramentoSw2(config-if-range)#switchport access vlan 4
SacramentoSw2(config-if-range)#end
SacramentoSw2#copy running-config startup-config
Below are the steps to configure access mode and port security on the VLAN ports [2]:
SacramentoSw2>enable
SacramentoSw2#configure terminal
! each VLAN's port range gets the same treatment: static access mode (port security
! requires it), port security on, at most two learned (sticky) MAC addresses, and the
! port is err-disabled when a third address appears
SacramentoSw2(config)#interface range gi0/3 - 7
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#interface range gi0/8 - 21
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#interface range gi0/22 - 55
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#interface range gi0/56 - 62
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#end
SacramentoSw2#copy running-config startup-config
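The following is an added simulation (not code from the proposal or from Cisco) of what the port-security settings above do to traffic on one access port: the first two source MAC addresses are learned as sticky secure addresses, a third err-disables the port, and a frame carrying an already-learned address is forwarded regardless of who sent it, which is the spoofing limitation noted in section B. The MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security maximum 2',
    'mac-address sticky' and 'violation shutdown' applied."""
    name: str
    maximum: int = 2
    sticky: bool = True
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0

    def ingress(self, src_mac: str) -> str:
        """Process the source MAC of one incoming frame; return the action taken."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        mac = src_mac.lower()
        if mac in self.secure_macs:
            # a frame carrying a secure address is forwarded whether or not it
            # really came from that host: port security does not detect spoofing
            return "forwarded (secure address)"
        if len(self.secure_macs) < self.maximum:
            # the first <maximum> addresses seen become secure addresses; with
            # 'sticky' they are also written into the running configuration
            self.secure_macs.append(mac)
            return "forwarded (learned sticky address)"
        # table full and the address is unknown: 'violation shutdown' err-disables
        # the port, so every later frame is dropped until an administrator clears it
        self.violations += 1
        self.err_disabled = True
        return "violation: port err-disabled"

    def running_config_lines(self) -> list:
        """What the interface stanza looks like after sticky learning."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 " switchport port-security mac-address sticky",
                 " switchport port-security violation shutdown"]
        if self.sticky:
            for mac in self.secure_macs:
                h = mac.replace(":", "")      # IOS writes MACs as hhhh.hhhh.hhhh
                lines.append(f" switchport port-security mac-address sticky "
                             f"{h[:4]}.{h[4:8]}.{h[8:]}")
        return lines


def run_frames(port: SecurePort, src_macs) -> list:
    """Feed a sequence of source MACs through the port; return (mac, action) pairs."""
    return [(mac, port.ingress(mac)) for mac in src_macs]


# constructed sample traffic on gi0/3: two legitimate hosts, then a third device,
# then the first host again
FRAMES = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:01",
          "00:11:22:33:44:03", "00:11:22:33:44:01"]

if __name__ == "__main__":
    port = SecurePort("gi0/3")
    for mac, action in run_frames(port, FRAMES):
        print(f"{mac} -> {action}")
    print("\n".join(port.running_config_lines()))
```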
Below are the steps to configure Routing on a Stick (ROS) [2]:
SacramentoRouter>enable
SacramentoRouter#configure terminal
! bring up the physical interface facing the SacramentoSw2 trunk port; the
! subinterfaces inherit its state (the switch side must be 'switchport mode trunk')
SacramentoRouter(config)#interface gi0/0
SacramentoRouter(config-if)#no shutdown
! one 802.1Q subinterface per VLAN. A network address (10.50.0.0 etc.) cannot be
! assigned to an interface, so each gateway uses the last host address of its /26,
! which already lies inside the DHCP excluded range for that VLAN.
SacramentoRouter(config-if)#interface gi0/0.1
! VLAN 1 is the untagged native VLAN on the switch trunk, hence 'native'
SacramentoRouter(config-subif)#encapsulation dot1Q 1 native
SacramentoRouter(config-subif)#ip address 10.50.0.62 255.255.255.192
SacramentoRouter(config-subif)#interface gi0/0.2
SacramentoRouter(config-subif)#encapsulation dot1Q 2
SacramentoRouter(config-subif)#ip address 10.50.0.126 255.255.255.192
SacramentoRouter(config-subif)#interface gi0/0.3
SacramentoRouter(config-subif)#encapsulation dot1Q 3
SacramentoRouter(config-subif)#ip address 10.50.0.190 255.255.255.192
SacramentoRouter(config-subif)#interface gi0/0.4
SacramentoRouter(config-subif)#encapsulation dot1Q 4
SacramentoRouter(config-subif)#ip address 10.50.0.254 255.255.255.192
SacramentoRouter(config-subif)#end
SacramentoRouter#copy running-config startup-config
Below are the steps to configure Dynamic Host Configuration Protocol (DHCP) [2]:
SacramentoRouter>enable
SacramentoRouter#configure terminal
SacramentoRouter(config)#service dhcp
! the last 10 host addresses of each /26 are kept out of the pool; the gateway
! addresses on the gi0/0 subinterfaces fall inside these ranges
SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.53 10.50.0.62
SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.117 10.50.0.126
SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.181 10.50.0.190
SacramentoRouter(config)#ip dhcp excluded-address 10.50.0.245 10.50.0.254
! pool names are a single word ("vlan 1" is rejected); each pool also hands out
! its VLAN's default gateway
SacramentoRouter(config)#ip dhcp pool VLAN1
SacramentoRouter(dhcp-config)#network 10.50.0.0 255.255.255.192
SacramentoRouter(dhcp-config)#default-router 10.50.0.62
SacramentoRouter(dhcp-config)#ip dhcp pool VLAN2
SacramentoRouter(dhcp-config)#network 10.50.0.64 255.255.255.192
SacramentoRouter(dhcp-config)#default-router 10.50.0.126
SacramentoRouter(dhcp-config)#ip dhcp pool VLAN3
SacramentoRouter(dhcp-config)#network 10.50.0.128 255.255.255.192
SacramentoRouter(dhcp-config)#default-router 10.50.0.190
SacramentoRouter(dhcp-config)#ip dhcp pool VLAN4
SacramentoRouter(dhcp-config)#network 10.50.0.192 255.255.255.192
SacramentoRouter(dhcp-config)#default-router 10.50.0.254
SacramentoRouter(dhcp-config)#end
SacramentoRouter#copy running-config startup-config
II. Los Angeles Site Challenges and Implementation
A. Site Details and Challenges
I have been asked to implement Remote IOS Storage, remote management of the site's switches, Access
Control List (ACL) implementation, and a Network Time Protocol (NTP) solution. The Los Angeles site
consists of the following devices [1]:
- (1) TFTP/SFTP/NTP Server
- (1) Cisco 2800 Series router
- (3) Cisco Catalyst 6500 Series switches
- (4) VLANs
  o (1) Faculty VLAN with 21 connected devices used by faculty for all office locations
  o (1) Administrative VLAN with 44 connected devices used by staff for business administrative communications
  o (1) Academic (Instructional) VLAN with 120 connected devices used by faculty and students for classroom labs and instructional communications
  o (1) Server VLAN with 21 connected devices used by IT staff for all technology/management communications
The topology for the Los Angeles site is pictured below [1]:
[Los Angeles site topology diagram]
B. Site Solution(s) and Technologies
There are several items which will need to be addressed at the Los Angeles site. These items include
remote storage of the device configurations, enabling remote device management for the switches at
the site, determining and implementing an Access Control List (ACL) for the site, and configuring
Network Time Protocol (NTP) for the site's devices.
a. Remote IOS Storage
In the unfortunate event of a hardware failure at the Los Angeles site, device
configurations must be stored remotely on another device. The Trivial File Transfer Protocol
(TFTP) server that is on location will be utilized as the remote storage device [4]. Below are the
steps to configure Remote IOS Storage [2]:
LosAngelesRouter>enable
LosAngelesRouter#configure terminal
LosAngelesRouter(config)#no boot system
! syntax is: boot system tftp <image-filename> <tftp-server>; "RemoteStorage" stands
! for the IOS image filename on the 10.40.6.10 TFTP server
LosAngelesRouter(config)#boot system tftp RemoteStorage 10.40.6.10
LosAngelesRouter(config)#boot system rom
! 0x2102 is the normal boot register: honour the boot system commands and load startup-config
LosAngelesRouter(config)#config-register 0x2102
LosAngelesRouter(config)#exit
LosAngelesRouter#copy running-config startup-config
! keep a copy of the saved configuration on the TFTP server as well
LosAngelesRouter#copy startup-config tftp://10.40.6.10/LosAngelesRouter-confg
b. Remote Management of Switches
The Los Angeles site network administrators will need to have remote access to the switches.
This will provide the network administrators the capability of changing the switch configurations
without having to physically connect to the device. This remote management will need to be
secure, so that the network administrators are the only ones that can access the switch
configuration. Secure Shell (SSH) provides encrypted remote connectivity to the device [1].
Below are the steps to configure remote access [2]:
LosAngelesSw1>enable
LosAngelesSw1#configure terminal
! the RSA key pair needs the hostname and domain name to be set first
LosAngelesSw1(config)#ip domain-name xAcme.com
LosAngelesSw1(config)#crypto key generate rsa modulus 2048
LosAngelesSw1(config)#ip ssh version 2
! 'secret' stores a hashed password; 'password' would store it reversibly
LosAngelesSw1(config)#username netadmin secret lacisco1
! with aaa new-model, the vty lines authenticate through the AAA default list,
! which is pointed at the local user database
LosAngelesSw1(config)#aaa new-model
LosAngelesSw1(config)#aaa authentication login default local
LosAngelesSw1(config)#line vty 0 15
LosAngelesSw1(config-line)#transport input ssh
LosAngelesSw1(config-line)#end
LosAngelesSw1#copy running-config startup-config
LosAngelesSw2>enable
LosAngelesSw2#configure terminal
LosAngelesSw2(config)#ip domain-name xAcme.com
LosAngelesSw2(config)#crypto key generate rsa modulus 2048
LosAngelesSw2(config)#ip ssh version 2
LosAngelesSw2(config)#username netadmin secret lacisco2
LosAngelesSw2(config)#aaa new-model
LosAngelesSw2(config)#aaa authentication login default local
LosAngelesSw2(config)#line vty 0 15
LosAngelesSw2(config-line)#transport input ssh
LosAngelesSw2(config-line)#end
LosAngelesSw2#copy running-config startup-config
LosAngelesSw3>enable
LosAngelesSw3#configure terminal
LosAngelesSw3(config)#ip domain-name xAcme.com
LosAngelesSw3(config)#crypto key generate rsa modulus 2048
LosAngelesSw3(config)#ip ssh version 2
LosAngelesSw3(config)#username netadmin secret lacisco3
LosAngelesSw3(config)#aaa new-model
LosAngelesSw3(config)#aaa authentication login default local
LosAngelesSw3(config)#line vty 0 15
LosAngelesSw3(config-line)#transport input ssh
LosAngelesSw3(config-line)#end
LosAngelesSw3#copy running-config startup-config
c. ACL Implementation
Access Control Lists (ACLs) are used to determine whether traffic will be allowed to pass
through the network or not. ACLs can be used to restrict access to network resources or devices
[2]. The network administrators will need to implement an ACL on the site's router. Below are
the steps to configure an ACL on the Los Angeles site router:
LosAngelesRouter>enable
LosAngelesRouter#configure terminal
! permit the whole 10.40.6.0/24 range; the wildcard 0.0.0.254 used in the original
! entry (permit 10.40.6.1 0.0.0.254) matches only odd-numbered addresses
LosAngelesRouter(config)#access-list 1 permit 10.40.6.0 0.0.0.255
LosAngelesRouter(config)#access-list 1 deny any
LosAngelesRouter(config)#line vty 0 15
! access-class applies the ACL to incoming management sessions on the vty lines
LosAngelesRouter(config-line)#access-class 1 in
LosAngelesRouter(config-line)#end
LosAngelesRouter#copy running-config startup-config
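An added check (not code from the proposal) that evaluates a standard ACL the way the router does, top-down with an implicit deny, and shows why the entry as originally written, `permit 10.40.6.1 0.0.0.254`, lets through only half of 10.40.6.0/24 (the odd-numbered addresses) while `permit 10.40.6.0 0.0.0.255` covers the whole range; treating 10.40.6.0/24 as the management subnet is an assumption based on the server address 10.40.6.10 on this page.

```python
import ipaddress


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base address, a 1 bit
    is ignored (the inverse of a subnet mask)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line: str):
    """Parse one standard ACL entry into (action, base, wildcard)."""
    p = line.split()
    if p[0] == "access-list":          # "access-list 1 permit 10.40.6.0 0.0.0.255"
        p = p[2:]
    action, rest = p[0], p[1:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")


def evaluate(acl: list, addr: str) -> str:
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, base, wc = parse_ace(line)
        if wildcard_match(addr, base, wc):
            return action
    return "deny"


def permitted_hosts(acl: list, network: str) -> list:
    """Every host address in 'network' that the ACL would let through."""
    return [str(h) for h in ipaddress.IPv4Network(network).hosts()
            if evaluate(acl, str(h)) == "permit"]


# the ACL as written in the proposal, and the corrected version
ACL_AS_WRITTEN = ["access-list 1 permit 10.40.6.1 0.0.0.254",
                  "access-list 1 deny any"]
ACL_CORRECTED = ["access-list 1 permit 10.40.6.0 0.0.0.255",
                 "access-list 1 deny any"]

if __name__ == "__main__":
    for label, acl in (("as written", ACL_AS_WRITTEN), ("corrected", ACL_CORRECTED)):
        hosts = permitted_hosts(acl, "10.40.6.0/24")
        print(f"{label}: {len(hosts)} of 254 hosts permitted; "
              f"10.40.6.10 -> {evaluate(acl, '10.40.6.10')}")
```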
d. Network Time Protocol (NTP)
The Network Time Protocol (NTP) is used to maintain accurate and consistent time across the
network. This ensures that logged events on different devices can be correlated with each other [2].
Below are the steps to configure NTP on the network [2]:
LosAngelesRouter>enable
LosAngelesRouter#configure terminal
! IOS has no "feature ntp" command (that is NX-OS syntax); NTP is enabled simply by
! pointing the router at the site's NTP server
LosAngelesRouter(config)#ntp server 10.40.6.10
LosAngelesRouter(config)#end
LosAngelesRouter#copy running-config startup-config
III. xACME Site Challenges and Implementation
A. Site Details and Challenges
There are two items which need to be addressed for the xAcme network: Wide Area Network (WAN)
implementation and topology. Currently, the xAcme WAN does not have authentication enabled. Also,
the only two routers that are connected to the internet are the Boston and Los Angeles routers. The
challenge with this is that all other network traffic flows through these two routers. If one of these routers
fails, a good portion of the network will not be able to access the internet or the rest of the networked
devices. The topology for the entire xAcme network is pictured below [1]:
[xAcme network topology diagram]
B. Site Solution(s) and Technologies
The xAcme WAN requires authentication to be configured within the routers. Also, because the flow of
network traffic is handled by only the Los Angeles and Boston routers, additional lines will need to be
leased at the Sacramento, Worchester, and Springfield sites to increase the bandwidth across the
network as well as provide network redundancy.
a. WAN Implementation
Currently, the xAcme network is using High-Level Data Link Control (HDLC). This protocol does
not allow for authentication, which is a concern for xAcme. To solve the network authentication
issue, the Point-to-Point Protocol (PPP) in conjunction with the Challenge Handshake
Authentication Protocol (CHAP) will be utilized. Not only does this solve the authentication
problem, it also allows communication with devices that are not Cisco devices. Below are the
steps to change the default HDLC protocol to PPP and configure CHAP authentication [2]:
LosAngelesRouter>enable
LosAngelesRouter#configure terminal
LosAngelesRouter(config)#username SacramentoRouter password sharedpassword
LosAngelesRouter(config)#interface s0/0/0
LosAngelesRouter(config-if)#encapsulation ppp
LosAngelesRouter(config-if)#ppp authentication chap
LosAngelesRouter(config-if)#end
LosAngelesRouter#copy running-config startup-config
SacramentoRouter>enable
SacramentoRouter#configure terminal
SacramentoRouter(config)#username LosAngelesRouter password sharedpassword
SacramentoRouter(config)#interface s0/0/0
SacramentoRouter(config-if)#encapsulation ppp
SacramentoRouter(config-if)#ppp authentication chap
SacramentoRouter(config-if)#end
SacramentoRouter#copy running-config startup-config
BostonRouter>enable
BostonRouter#configure terminal
BostonRouter(config)#username WorchesterRouter password sharedpassword
BostonRouter(config)#interface s0/0/0
BostonRouter(config-if)#encapsulation ppp
BostonRouter(config-if)#ppp authentication chap
BostonRouter(config-if)#end
BostonRouter#copy running-config startup-config
WorchesterRouter>enable
WorchesterRouter#configure terminal
WorchesterRouter(config)#username BostonRouter password sharedpassword
WorchesterRouter(config)#interface s0/0/0
WorchesterRouter(config-if)#encapsulation ppp
WorchesterRouter(config-if)#ppp authentication chap
WorchesterRouter(config-if)#end
WorchesterRouter#copy running-config startup-config
WorchesterRouter>enable
WorchesterRouter#configure terminal
WorchesterRouter(config)#username SpringfieldRouter password sharedpassword
WorchesterRouter(config)#interface s0/0/1
WorchesterRouter(config-if)#encapsulation ppp
WorchesterRouter(config-if)#ppp authentication chap
WorchesterRouter(config-if)#end
WorchesterRouter#copy running-config startup-config
SpringfieldRouter>enable
SpringfieldRouter#configure terminal
SpringfieldRouter(config)#username WorchesterRouter password sharedpassword
SpringfieldRouter(config)#interface s0/0/1
SpringfieldRouter(config-if)#encapsulation ppp
SpringfieldRouter(config-if)#ppp authentication chap
SpringfieldRouter(config-if)#end
SpringfieldRouter#copy running-config startup-config
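The exchange the configuration above sets up, as an added illustration that is not part of the proposal: a CHAP three-way handshake between LosAngelesRouter and SacramentoRouter following RFC 1994 (Response = MD5(Identifier || secret || Challenge)), where each router's `username <peer> password sharedpassword` entry is the secret that is hashed and never sent. The challenge bytes and the mismatched-secret router are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapRouter:
    """One PPP endpoint. 'peers' mirrors the 'username <peer> password <secret>'
    table; the secret is only ever used locally for hashing."""

    def __init__(self, hostname: str, peers: dict):
        self.hostname = hostname
        self.peers = peers
        self.ident = 0
        self.last_challenge = b""

    # authenticator side (the router that sends the Challenge packet)
    def challenge(self):
        """Step 1: Challenge = (Identifier, random Challenge Value, own Name)."""
        self.ident = (self.ident + 1) & 0xFF
        self.last_challenge = os.urandom(16)
        return self.ident, self.last_challenge, self.hostname

    def verify(self, ident: int, value: bytes, peer_name: str) -> str:
        """Step 3: recompute the hash with the secret stored for the peer's Name."""
        secret = self.peers.get(peer_name)
        if secret is None or ident != self.ident:
            return "Failure"
        expected = chap_hash(ident, secret, self.last_challenge)
        return "Success" if hmac.compare_digest(expected, value) else "Failure"

    # peer side (the router that answers the Challenge)
    def respond(self, ident: int, challenge: bytes, authenticator_name: str):
        """Step 2: Response = (Identifier, MD5 digest, own Name)."""
        secret = self.peers.get(authenticator_name)
        if secret is None:
            return None                      # no username entry for that peer
        return ident, chap_hash(ident, secret, challenge), self.hostname


def authenticate(authenticator: ChapRouter, peer: ChapRouter) -> str:
    """Run one three-way CHAP exchange and return the Success/Failure result."""
    ident, chal, name = authenticator.challenge()
    response = peer.respond(ident, chal, name)
    if response is None:
        return "Failure"
    return authenticator.verify(*response)


def replay_old_response(authenticator: ChapRouter, peer: ChapRouter) -> str:
    """A captured Response replayed against a fresh Challenge is rejected,
    because the Challenge Value and Identifier change every time."""
    ident, chal, name = authenticator.challenge()
    captured = peer.respond(ident, chal, name)
    authenticator.challenge()                # link re-authenticates with a new challenge
    return authenticator.verify(*captured)


# the two ends of the Los Angeles - Sacramento serial link, as configured above
los_angeles = ChapRouter("LosAngelesRouter", {"SacramentoRouter": "sharedpassword"})
sacramento = ChapRouter("SacramentoRouter", {"LosAngelesRouter": "sharedpassword"})
# constructed: a router whose stored secret does not match
mismatched = ChapRouter("SacramentoRouter", {"LosAngelesRouter": "wrongpassword"})

if __name__ == "__main__":
    print("LA -> Sacramento :", authenticate(los_angeles, sacramento))
    print("Sacramento -> LA :", authenticate(sacramento, los_angeles))
    print("wrong secret     :", authenticate(los_angeles, mismatched))
    print("replayed response:", replay_old_response(los_angeles, sacramento))
```

Because `ppp authentication chap` is configured on both ends, each router challenges the other, which is why the exchange is run in both directions.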
b. Topology
To address the xAcme WAN topology concerns, additional lines will need to be leased to
connect the Sacramento, Worchester, and Springfield routers. These additional lines will
provide increased bandwidth for the xAcme sites, network redundancy, and will create a more
stable network by not having 100% of the network traffic passing through the Los Angeles and
Boston routers. Below is an updated network topology with the proposed additional leased
lines (new leased lines are in red) [1]:
[Updated xAcme WAN topology diagram with the proposed additional leased lines shown in red]
References
[1] "Cisco Network Proposal (Parts 1-3)," Learn.umuc.edu, 2017. [Online]. Available: https://learn.umuc.edu/d2l/le/content/254883/viewContent/9909900/View. [Accessed: 13-Dec-2017].
[2] "TestOut LabSim," Cdn.testout.com, 2017. [Online]. Available: http://cdn.testout.com/client-v5-1-10469/startlabsim.html. [Accessed: 13-Dec-2017].
[3] P. Support, C. Switches and C. Guides, "Cisco Nexus 5000 Series NX-OS Software Configuration Guide - Configuring Access and Trunk Interfaces [Cisco Nexus 5000 Series Switches]," Cisco, 2017. [Online]. Available: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html#75292. [Accessed: 14-Dec-2017].
[4] "What is TFTP? | Spiceworks," Spiceworks, 2017. [Online]. Available: https://www.spiceworks.com/it-articles/what-is-tftp/. [Accessed: 17-Dec-2017].
Cisco Network Proposal
(Part III)
Prepared for:
University of Maryland University College
CMIT 350 – Interconnecting Cisco Devices
Professor Max Hall
Prepared by:
Jason R. Foltin
Dated: October 2, 2017
Table of Contents
I. Sacramento Site – Challenges and Implementation ....................... 3
   A. Site Details and Challenges ........................................ 3
   B. Site Solution and Technologies ..................................... 4
   C. Sample Configuration ............................................... 6
   D. Supporting Tables and/or Diagrams .................................. 9
II. Los Angeles Site – Challenges and Implementation ..................... 9
   A. Site Details and Challenges ....................................... 10
   B. Site Solution and Technologies .................................... 11
   C. Sample Configuration .............................................. 12
   D. Supporting Tables and/or Diagrams ................................. 13
III. xACME WAN Site – Challenges and Implementation ..................... 14
   A. Site Details and Challenges ....................................... 14
   B. Site Solution and Technologies .................................... 15
   C. Sample Configuration .............................................. 16
   D. Supporting Tables and/or Diagrams ................................. 18
IV. Bibliography ........................................................ 19
I. Sacramento Site – Challenges and Implementation
The Sacramento site of xACME is one of many remote locations where students, faculty,
and staff must have the ability to perform their daily tasks and other responsibilities. In
furtherance of this requirement, xACME has implemented certain network infrastructure
technologies to increase overall efficiency in performing these tasks, as well as interconnectivity
between the remote xACME sites.
The use of these new technologies, however, has not come without its challenges. This
Cisco Network Proposal (“Proposal”) will discuss the challenges identified by the local systems
administrators at this site and offer solutions to these issues. In addition, this Proposal will
include recommendations to remediate any potential threat vectors, as well as increase the
overall usability of the network. The goal of this Proposal is to promote the health and security
of the Sacramento site’s network, while ensuring that all authorized users can perform their
necessary tasks and responsibilities.
A. Site Details and Challenges
With specific reference to the Sacramento site, the following is a list of the pertinent
network devices and other, relevant site details:
• One (1) Cisco 2800 Series router with the below available interface ports:

  Cisco 2800 Series Integrated Services Router – ports available
  Interfaces                              | Ports
  4 Fast Ethernet interfaces (per router) | fa0/0, fa0/1, fa1/0
  2 Serial interfaces (per router)        | s0/0/0, s0/0/1

• Three (3) Cisco Catalyst 6500 Series switches with the below available ports:

  Cisco Catalyst 6500 Series – 96 total Gigabit Ethernet ports per switch
  Module 1 = gi0/1 - gi0/24
  Module 2 = gi1/1 - gi1/24
  Module 3 = gi2/1 - gi2/24
  Module 4 = gi3/1 - gi3/24
• Four (4) existing VLAN configurations, which are listed below according to their
  intended use:

  VLAN Name                 | Members              | Type of Communications           | Number of Devices
  Faculty                   | Faculty              | Non-Academic                     | 5
  Administrative            | Staff                | Business and Administrative      | 14
  Academic or Instructional | Students and Faculty | Classroom Labs and Instructional | 34
  Server                    | IT Staff             | Technology and Management        | 7

In addition to this network infrastructure, the Sacramento site has been assigned the
10.50.0.0 /16 network address.
Based on these site details, the local systems administrators have requested assistance
implementing the required VLAN databases on the Sacramento site switches, with particular
attention placed on the proper assignment and implementation of switchport modes for these
devices. These newly created switchports should utilize port security and be configured to only
allow two MAC addresses per port and force a port shutdown in the event of a violation. In
addition, careful consideration of proper security protocols for any unused ports should be
discussed.
The local systems administrators have also indicated that the Sacramento site will deploy
a Router on a Stick (ROS) topology. As such, they have requested this Proposal include a
sample configuration for the Sacramento fa0/0 interface on the Cisco 2800 Series router to
provide support for the multiple VLANs, as well as inter-VLAN routing. This configuration
should use the following addressing conventions: (1) Faculty VLAN: 10.50.0.0 /26, (2)
Administrative VLAN: 10.50.0.64 /26, (3) Instructional VLAN: 10.50.0.128 /26, and (4) Server
VLAN: 10.50.0.192 /26. If necessary, a diagram depicting this topology should also be provided.
Further, the local systems administrators have requested this Proposal include a solution,
preferably DHCP, to manage the deployment of IP addresses at the Sacramento site. The
selected solution should be discussed in detail and this Proposal must include the necessary
configuration details for each of the above-listed VLANs (Faculty, Administrative, Instructional,
and Server). In particular, this configuration must include the following: (a) the pool name, (b)
exclusion of the last 10 addresses of each subnet range, and (c) the gateway, subnet mask,
and DNS address (Sacramento fa0/0 address).
B. Site Solution and Technologies
To address the VLAN needs and requirements described above, this Proposal
recommends utilizing a simple, four-step process. The first step is to build the VLAN database
for the Sacramento site, which should be created on SacramentoSw2. The second step is to
determine the appropriate switchport mode that should be utilized. An Ethernet port can be
configured either as an access port or as a trunk port. If a port is configured as an access port, it can
only have one VLAN configured on the interface and can only carry traffic for a single VLAN
[1]. If, however, a port is configured as a trunk port, it can have two or more VLANs configured
on the interface and has the capability to carry traffic for several VLANs simultaneously [1].
Based on the Sacramento site's current topology, configuring the ports as access ports should be
sufficient. The third step is to enable and configure port security, which is otherwise disabled by
default. In its most basic form, port security remembers the Ethernet MAC address connected to
the switch port and allows only those permitted MAC addresses to communicate on that port [2].
If any other MAC address attempts to communicate through the port, the port security feature
will disable that port [2]. To the extent more detailed parameters are needed, as is the case here,
they can be configured by issuing specific commands on an individual interface. The fourth and
final step is to address proper security management for any unused ports on the Sacramento
site's switches. Generally speaking, if a port is unused it should be disabled. To the extent any
unused ports are active, this Proposal recommends disabling them until they are needed.
Turning to the Sacramento site’s deployment of a ROS topology, a simple configuration
for the Sacramento fa0/0 interface will provide the necessary functionality. The use of a ROS
topology is preferable at this location because it has the capability to support the multiple
VLANs that exist at this site, as well as the ability to perform InterVLAN routing. As an
educational facility, the workstations contained in each of the separate VLANs at the Sacramento
site must be able to communicate with each other. However, in a traditional configuration, they
would be unable to do so. InterVLAN routing solves this problem by utilizing a router to
forward traffic between the various VLANs that are configured on a specific switch [3]. One
form of interVLAN routing is known as Router on a Stick (ROS). In this version, the router used
to forward traffic is connected to the at-issue switch using a single interface [3]. The switchport
connected to the router is then configured as a trunk link and the single interface on the router is
then configured with the multiple IP addresses that correspond to the VLANs located on the
switch [3]. This interface accepts traffic from each of the VLANs and determines the destination
network based on the source and destination IP in the packets [3]. Once this has been
determined, the data is forwarded to the switch with the correct VLAN information [3].
Finally, to manage the assignment of unique IP addresses for the various devices and
ports at the Sacramento site, this Proposal recommends using the Dynamic Host Configuration
Protocol (DHCP). DHCP operates at the application layer of the OSI model and has the ability to
automatically assign IP addresses (as well as default gateway and subnet masks) to all network
connections. With DHCP, a device borrows, or leases, an IP address while it is attached to a
network [4]. This lease is temporary and the amount of time it is in effect depends on DHCP
server and client configurations [4]. DHCP does not require a local systems administrator to
maintain a table of IP and MAC addresses on the server and instead, only requires this individual
to install and configure the DHCP service on a DHCP server [4]. This configuration process
involves specifying a range of addresses that can be leased to any network device and a list of
excluded addresses [4]. A local systems administrator can also configure the duration of lease to
be as long or as short as necessary, from a matter of minutes to forever. All told, the use of
DHCP (as opposed to other options) greatly reduces the administrative burden associated with IP
address assignment [4].
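The interVLAN routing and DHCP planning described in the two paragraphs above can be checked with the following Python script, an added example that is not part of the original proposal. It takes the Sacramento VLAN plan (the four /26 subnets and the DHCP exclusion ranges used in this proposal), derives the router sub-interface address for each VLAN, verifies that the gateway lies inside the range excluded from DHCP and counts the leasable addresses, and then models how a router on a stick picks the egress VLAN tag for a packet that arrives on one tagged sub-interface. The `fa0/0.<vlan>` sub-interface naming and the choice of the last usable host address as the gateway are assumptions of the example.

```python
import ipaddress

# Constructed from the Sacramento VLAN plan in this proposal:
# (name, VLAN id, subnet, range excluded from DHCP)
VLAN_PLAN = [
    ("Faculty",        2, "10.50.0.0/26",   ("10.50.0.53",  "10.50.0.62")),
    ("Administrative", 3, "10.50.0.64/26",  ("10.50.0.117", "10.50.0.126")),
    ("Instructional",  4, "10.50.0.128/26", ("10.50.0.181", "10.50.0.190")),
    ("Server",         5, "10.50.0.192/26", ("10.50.0.245", "10.50.0.254")),
]


def plan_errors(name, vlan_id, cidr, excluded):
    """Return the list of problems with one VLAN entry (empty list = valid)."""
    errors = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{name}: {exc}"]          # e.g. host bits set in the prefix
    lo, hi = (ipaddress.ip_address(a) for a in excluded)
    if lo not in net or hi not in net:
        errors.append(f"{name}: exclusion {lo}-{hi} is outside {net}")
    if lo > hi:
        errors.append(f"{name}: exclusion range {lo}-{hi} is inverted")
    gateway = net.broadcast_address - 1      # assumed: last usable host = sub-interface IP
    if not (lo <= gateway <= hi):
        errors.append(f"{name}: gateway {gateway} would be leased by DHCP")
    return errors


def plan_vlan(name, vlan_id, cidr, excluded):
    """Derive what the router needs: sub-interface, gateway and DHCP lease count."""
    errors = plan_errors(name, vlan_id, cidr, excluded)
    if errors:
        raise ValueError("; ".join(errors))
    net = ipaddress.ip_network(cidr)
    lo, hi = (ipaddress.ip_address(a) for a in excluded)
    usable = net.num_addresses - 2           # minus network and broadcast
    return {
        "name": name,
        "vlan_id": vlan_id,
        "subinterface": f"fa0/0.{vlan_id}",  # assumed router interface naming
        "network": net,
        "gateway": net.broadcast_address - 1,
        "leasable": usable - (int(hi) - int(lo) + 1),
    }


def build_subinterfaces(plan=VLAN_PLAN):
    """VLAN id -> (network, gateway): the router-on-a-stick sub-interface table."""
    return {entry["vlan_id"]: (entry["network"], entry["gateway"])
            for entry in (plan_vlan(*row) for row in plan)}


def route_via_ros(subifs, ingress_vlan, dst_ip):
    """Pick the egress VLAN tag for a packet arriving on a tagged sub-interface.

    Returns the VLAN id whose subnet contains dst_ip (it may equal the ingress
    VLAN), or None when the router has no connected subnet for the destination."""
    if ingress_vlan not in subifs:
        raise ValueError(f"VLAN {ingress_vlan} has no sub-interface on the trunk")
    dst = ipaddress.ip_address(dst_ip)
    for vlan_id, (net, _gateway) in subifs.items():
        if dst in net:
            return vlan_id
    return None


if __name__ == "__main__":
    for row in VLAN_PLAN:
        p = plan_vlan(*row)
        print(f"VLAN {p['vlan_id']:<2} {p['name']:<15} {p['subinterface']} "
              f"gateway {p['gateway']} leasable {p['leasable']}")
    table = build_subinterfaces()
    print("Faculty host -> 10.50.0.70 leaves on VLAN", route_via_ros(table, 2, "10.50.0.70"))
```

Running `plan_errors` over a plan before typing it into the router catches the two mistakes that are easiest to make by hand: an inverted `ip dhcp excluded-address` range, and a sub-interface address that DHCP would hand out to a workstation.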
C. Sample Configuration
The below configurations will address the issues and other considerations discussed in
Section B, “Site Solutions and Technologies” (above):
Configuring the VLAN Database (SacramentoSw2)
Note: Although adding a name to each VLAN is an optional task, it is extremely
helpful when identifying each VLAN at a later date.
SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#vlan 2
SacramentoSw2(config-vlan)#name FacultyVLAN
SacramentoSw2(config-vlan)#vlan 3
SacramentoSw2(config-vlan)#name AdministrativeVLAN
SacramentoSw2(config-vlan)#vlan 4
SacramentoSw2(config-vlan)#name InstructionalVLAN
SacramentoSw2(config-vlan)#vlan 5
SacramentoSw2(config-vlan)#name ServerVLAN
SacramentoSw2(config-vlan)#end
SacramentoSw2#show vlan
Note: Creating VLANS does not assign any ports to them; the ports remain in the
default VLAN (VLAN 1).
SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int range gi0/1 - 5
SacramentoSw2(config-if-range)#switchport access vlan 2
[Assigning ports for the 5 devices within the Faculty VLAN]
SacramentoSw2(config-if-range)#int range gi0/6 - 19
SacramentoSw2(config-if-range)#switchport access vlan 3
[Assigning ports for the 14 devices within the Administrative VLAN]
SacramentoSw2(config-if-range)#int range gi0/20 - 24, gi1/1 - 24, gi2/1 - 5
SacramentoSw2(config-if-range)#switchport access vlan 4
[Assigning ports for the 34 devices within the Instructional VLAN]
SacramentoSw2(config-if-range)#int range gi2/6 - 12
SacramentoSw2(config-if-range)#switchport access vlan 5
[Assigning ports for the 7 devices within the Server VLAN]
SacramentoSw2(config-if-range)#end
SacramentoSw2#show vlan
SacramentoSw2#copy running-config startup-config
[Saving the above configuration changes]
Configuring Switchport Security (All Switches)
Note: When configuring port security, it is important to remember that a secure
port cannot be a trunk port, destination port for Switch Port Analyzer (SPAN), or
an 802.1X port. Nor can the port belong to an EtherChannel port-channel interface.
SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int range gi0/1 - 24, gi1/1 - 24, gi2/1 - 12
SacramentoSw2(config-if-range)#switchport mode access
SacramentoSw2(config-if-range)#switchport port-security
SacramentoSw2(config-if-range)#switchport port-security maximum 2
SacramentoSw2(config-if-range)#switchport port-security violation shutdown
SacramentoSw2(config-if-range)#switchport port-security mac-address sticky
SacramentoSw2(config-if-range)#shut
SacramentoSw2(config-if-range)#no shut
[Enabling Port Security on the Active Ports Assigned to each VLAN at the
Sacramento Site]
SacramentoSw2(config-if-range)#int range gi2/13 - 24, gi3/1 - 24
SacramentoSw2(config-if-range)#shut
SacramentoSw2(config-if-range)#end
SacramentoSw2#copy running-config startup-config
Configuring the ROS Topology Requirements:
ROS Topology Configuration (Switch)
Note: To enable the ROS topology, the port on the switch that leads to the
router must be configured as a trunk port
SacramentoSw2>ena
SacramentoSw2#conf t
SacramentoSw2(config)#int fa0/24
SacramentoSw2(config-if)#switchport trunk encapsulation dot1q
[Catalyst platforms that also support ISL require the trunking encapsulation to
be set before the port can be placed in trunk mode]
SacramentoSw2(config-if)#switchport mode trunk
SacramentoSw2(config-if)#end
[“end” returns to privileged EXEC mode, which is where “copy” is issued]
SacramentoSw2#copy running-config startup-config
ROS Topology Configuration (Router)
Note: The ROS topology configuration process on the router takes three
steps: (1) create a sub-interface, (2) define the frame tagging method, and (3)
assign an IP address. IOS does not accept an IP address on a sub-interface until
its 802.1Q tagging has been defined, so step (2) must come before step (3).
Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#int fa0/0
Sacramento-R(config-if)#no shut
Sacramento-R(config-if)#int fa0/0.2
Sacramento-R(config-subif)#encap dot1q 2
Sacramento-R(config-subif)#ip address 10.50.0.62 255.255.255.192
[Each sub-interface is given the last usable host address of its VLAN, which
lies inside the range excluded from DHCP assignment; the network address itself
(e.g. 10.50.0.0) cannot be assigned to an interface]
Sacramento-R(config-subif)#int fa0/0.3
Sacramento-R(config-subif)#encap dot1q 3
Sacramento-R(config-subif)#ip address 10.50.0.126 255.255.255.192
Sacramento-R(config-subif)#int fa0/0.4
Sacramento-R(config-subif)#encap dot1q 4
Sacramento-R(config-subif)#ip address 10.50.0.190 255.255.255.192
Sacramento-R(config-subif)#int fa0/0.5
Sacramento-R(config-subif)#encap dot1q 5
Sacramento-R(config-subif)#ip address 10.50.0.254 255.255.255.192
Sacramento-R(config-subif)#exit
Sacramento-R(config)#exit
Sacramento-R#copy running-config startup-config
Configuring IP Assignment (Router)
Note: It is typically good policy to start by configuring those IP addresses
that should otherwise be excluded from assignment to avoid their inadvertent
inclusion in the pool of assignable addresses. Once that has been completed,
the configuration process merely requires a local systems administrator to
define the address pool that represents the information that should be sent
out to the various workstations, as well as the default gateway and DNS
server.
Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.53 10.50.0.62
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.117 10.50.0.126
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.181 10.50.0.190
Sacramento-R(config)#ip dhcp excluded-address 10.50.0.245 10.50.0.254
Sacramento-R(config)#ip dhcp pool Faculty
Sacramento-R(dhcp-config)#network 10.50.0.0 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.62
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
[The default router of each pool is the router sub-interface address for that
VLAN; “default-router” and “dns-server” take addresses only, not a subnet mask]
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Administrative
Sacramento-R(dhcp-config)#network 10.50.0.64 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.126
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Instructional
Sacramento-R(dhcp-config)#network 10.50.0.128 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.190
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#ip dhcp pool Server
Sacramento-R(dhcp-config)#network 10.50.0.192 255.255.255.192
Sacramento-R(dhcp-config)#default-router 10.50.0.254
Sacramento-R(dhcp-config)#dns-server 10.255.255.253
Sacramento-R(dhcp-config)#exit
Sacramento-R(config)#exit
Sacramento-R#copy running-config startup-config
D. Supporting Tables and/or Diagrams
The following table provides the relevant information related to the four individual
VLANs that currently exist at the Sacramento site.
VLAN (Name)      VLAN ID   VLAN Address      Ports                                Excluded IP Addresses
Faculty          2         10.50.0.0 /26     gi0/1 - 5                            10.50.0.53 - 10.50.0.62
Administrative   3         10.50.0.64 /26    gi0/6 - 19                           10.50.0.117 - 10.50.0.126
Instructional    4         10.50.0.128 /26   gi0/20 - 24, gi1/1 - 24, gi2/1 - 5   10.50.0.181 - 10.50.0.190
Server           5         10.50.0.192 /26   gi2/6 - 12                           10.50.0.245 - 10.50.0.254
II.
Los Angeles Site – Challenges and Implementation
The Los Angeles site of xACME is one of many remote locations where students, faculty,
and staff must have the ability to perform their daily tasks and other responsibilities. In
furtherance of this requirement, xACME has implemented certain network infrastructure
technologies to increase overall efficiency in performing these tasks, as well as interconnectivity
as between the remote xACME sites.
The use of these new technologies, however, has not come without its challenges. This
Cisco Network Proposal (“Proposal”) will discuss the challenges identified by the local systems
administrators at this site and offer solutions to these issues. In addition, this Proposal will
include recommendations to remediate any potential threat vectors, as well as increase the
overall usability of the network. The goal of this Proposal is to promote the health and security
of the Los Angeles site’s network, while ensuring that all authorized users can perform their
necessary tasks and responsibilities.
A. Site Details and Challenges
With specific reference to the Los Angeles site, the following is a list of the pertinent
network devices and other, relevant site details:
• One (1) Cisco 2800 Series router with the below available interface ports:
Cisco 2800 Series Integrated Services
Interfaces                                  Ports Available
4 Fast Ethernet Interfaces (Per Router)     fa0/0, fa0/1, fa1/0
2 Serial Interfaces (Per Router)            s0/0/0, s0/0/1
• Three (3) Cisco Catalyst 6500 Series switches with below available ports:
Cisco Catalyst 6500 Series
96 Total Gigabit Ethernet Ports Per Switch   Ports Available
                                             Module 1 = gi0/1 - gi0/24
                                             Module 2 = gi1/1 - gi1/24
                                             Module 3 = gi2/1 - gi2/24
                                             Module 4 = gi3/1 - gi3/24
• One (1) TFTP/SFTP/NTP server that has been assigned the following IP address –
10.40.6.10/23
• Four (4) existing VLAN configurations, which are listed below according to their
intended use:
VLAN Name                   Members                Type of Communications             Number of Devices
Faculty                     Faculty                Non-Academic                       21
Administrative              Staff                  Business and Administrative        44
Academic or Instructional   Students and Faculty   Classroom Labs and Instructional   120
Server                      IT Staff               Technology and Management          21
In addition to this network infrastructure, the Los Angeles site has been assigned the
10.40.0.0 /16 network address.
Based on these site details, the local systems administrators have requested assistance in
developing and implementing a multi-faceted solution at the Los Angeles site. First, with respect
to remote storage for device configurations, the local systems administrators require assistance in
selecting the correct Remote IOS Storage protocol and then properly implementing the proposed
solution. Second, all switches within the Los Angeles site topology should be configured to
allow for remote management, thereby increasing efficiency and network performance. Third,
the local systems administrators desire to restrict and otherwise protect access to network
devices. As such, the only VLAN that should be permitted to communicate remotely with the
Sacramento site devices is the Server VLAN. In furtherance of this goal, the local
site administrators have requested that this Proposal include a discussion on the type of ACL to
implement, the placement of this ACL, and a configuration for the Sacramento site’s router.
Fourth, an NTP solution is required for all devices found within this topology to ensure clock
synchronization, which will provide accurate record logging and allow authentication protocols
to be established.
B. Site Solution and Technologies
There are several different options available for copying configuration files from a
network device to a file server for remote storage. These options include using File Transfer
Protocol (FTP), Secure File Transfer Protocol (SFTP), Trivial File Transfer Protocol (TFTP), or
Remote Copy Protocol (RCP) [5]. Based on the equipment available at the Los Angeles site, as
well as a review of each of the different transport mechanisms, this Proposal recommends using
TFTP to back up the router configuration files at the Los Angeles site [5].
In a similar fashion, there are also a number of different protocols available to permit
remote access to and management of the various switches at the Los Angeles site. For instance, a
local systems administrator can remotely access a Cisco device using Telnet, Secure Shell
(SSH), Cisco Discovery Protocol (CDP), or Internet Control Message Protocol (ICMP) [6]. A
review of these protocols reveals that SSH is likely the best remote access protocol for the Los
Angeles site. SSH has two primary benefits: (1) it can be used with any brand or type of network
device and (2) it is a secure protocol that encrypts its session between an SSH Client and an SSH
Server [6].
To address the need to restrict and otherwise protect access to network devices, an Access
Control List (ACL) will need to be configured to only allow the Server VLAN to remotely
communicate with other Sacramento site devices. An ACL is a network filter that is utilized by
routers and some switches “to permit and restrict data flows into and out of network interfaces”
[7]. There are several different types of ACLs and most are defined for a particular purpose or
protocol. For Cisco routers, the two main types of ACLs are known as a “standard ACL” and
an “extended ACL” [8]. A standard ACL can filter on only the source IP address in an IP packet
header, whereas an extended ACL can filter on (1) the source IP address, (2) the destination IP
address, (3) the TCP/IP protocol, and (4) the TCP/IP protocol information [8]. Reviewing these
different filtering capabilities in conjunction with the local systems administrators’ requirements,
a standard ACL will adequately fulfill this request, because the only attribute that needs to be
matched is the source address of the connecting device.
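The standard ACL reasoning above can be exercised with the following Python script, an added example that is not part of the original proposal. It derives the wildcard (inverse) mask for a prefix, evaluates a standard ACL the way IOS does (first match wins, implicit deny at the end), and audits which constructed sample sources an `access-class` on the VTY lines would permit. The example goes one step beyond the text by also showing what an over-broad wildcard mask would let through. The ACL entries and the source addresses are constructed for the example; the Server VLAN prefix 10.40.6.0/23 follows from the server address given in the site details.

```python
import ipaddress


def wildcard_for(cidr):
    """Standard-ACL wildcard (inverse mask) for a prefix, e.g. /23 -> 0.0.1.255."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def _to_int(addr):
    return int(ipaddress.ip_address(addr))


def entry_matches(address, wildcard, source):
    """A wildcard bit of 1 means 'do not care'; only the 0 bits are compared."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(source) & care)


def evaluate_standard_acl(acl, source):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    for action, address, wildcard in acl:
        if entry_matches(address, wildcard, source):
            return action
    return "deny"


# Constructed ACL: only the Los Angeles Server VLAN (10.40.6.0/23) may reach
# the VTY lines. It would be applied with 'access-class 1 in' on 'line vty 0 15'.
SERVER_VLAN = "10.40.6.0/23"
ACL_1 = [("permit", "10.40.6.0", wildcard_for(SERVER_VLAN))]
# An over-broad variant of the same entry, kept only for comparison: this
# wildcard matches the whole 10.40.0.0/16 site range, not just the Server VLAN.
ACL_1_BROAD = [("permit", "10.40.6.0", "0.0.255.255")]

# Constructed sample sources: the TFTP/NTP server, the last Server-VLAN host,
# a host elsewhere in 10.40.0.0/16, and an address from another site
SAMPLE_SOURCES = ["10.40.6.10", "10.40.7.254", "10.40.1.25", "10.50.0.70"]


def audit(acl, sources=SAMPLE_SOURCES):
    """Map each source to the action the VTY access-class would take."""
    return {src: evaluate_standard_acl(acl, src) for src in sources}


if __name__ == "__main__":
    print("wildcard for", SERVER_VLAN, "is", wildcard_for(SERVER_VLAN))
    for src, action in audit(ACL_1).items():
        print(f"{src:<12} {action}")
    print("over-broad entry permits 10.40.1.25:", audit(ACL_1_BROAD)["10.40.1.25"])
```

Because a standard ACL looks only at the source address, the audit is a complete description of the policy: anything not listed in `audit(ACL_1)` as "permit" is refused before the password prompt is ever shown.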
Finally, this Proposal will employ the Network Time Protocol (NTP) over the Simple
Network Time Protocol (SNTP) to provide the required clock synchronization. Specifically, NTP
synchronizes the time of day among a set of distributed time servers and clients so that local
systems administrators can correlate events when they receive system logs and other time-specific
events from multiple network devices [9]. With the User Datagram Protocol (UDP) as its
transport protocol, NTP uses standard Universal Time Coordinated (UTC) [9]. Because the Los
Angeles site already has an NTP server installed, a simple configuration will allow NTP to be
enabled and utilized.
C. Sample Configuration
The below configurations will address the issues and other considerations discussed in
Section B, “Site Solutions and Technologies” (above):
Configuring Remote Device Configuration Storage (Router)
Note: TFTP does not include any security measures such as login or access
control mechanisms and thus, adding a console password will help alleviate
concerns related to these issues.
LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#line con 0
LosAngeles-R(config-line)#password S#cur1ty
LosAngeles-R(config-line)#login
LosAngeles-R(config-line)#end
LosAngeles-R#copy running-config tftp://10.40.6.10/LosAngelesRouter-config
[“copy” is a privileged EXEC command and is therefore issued after leaving
configuration mode]
Write file LosAngelesRouter-config on host 10.40.6.10 [confirm] (press “y” and “enter”)
Writing LosAngelesRouter-config!!! [OK]
Configuring Remote Management of Switches (All Switches)
Note: The use of local usernames is not required – the usernames and passwords
that are used to gain access to a network device could be centrally managed through
an AAA server.
LosAngelesSw1>ena
LosAngelesSw1#conf t
LosAngelesSw1(config)#username @dm1n secret S3curePas$word
[Creating the local user account for Remote Access; “secret” stores the
password as a hash rather than in reversible form]
LosAngelesSw1(config)#ip domain-name xAcme.edu
LosAngelesSw1(config)#crypto key generate rsa
…
How many bits in the modulus [512]: 2048
[A 2048-bit modulus is entered in place of the 512-bit default, which is too
small for SSH version 2]
…
LosAngelesSw1(config)#ip ssh version 2
LosAngelesSw1(config)#line vty 0 15
LosAngelesSw1(config-line)#login local
[Requiring the local user names for Remote Access]
LosAngelesSw1(config-line)#transport input ssh
[Prohibiting Telnet and Requiring SSH for all incoming connections]
LosAngelesSw1(config-line)#end
LosAngelesSw1#copy running-config startup-config
Configuring the Access Control List (ACL) (Router)
Note: By default, there are no security restrictions in place on incoming VTY lines
as to who or what source can connect to a network device if the password is known
or otherwise available. Adding an ACL will provide the necessary restrictions to
limit remote access to only those authorized devices or users.
LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#access-list 1 permit 10.40.6.0 0.0.1.255
[The Server VLAN is 10.40.6.0 /23, so its wildcard mask is 0.0.1.255]
LosAngeles-R(config)#access-list 1 deny any
[A standard ACL filters on the source only; the explicit deny simply makes the
implicit deny visible in the configuration]
LosAngeles-R(config)#line vty 0 15
LosAngeles-R(config-line)#access-class 1 in
LosAngeles-R(config-line)#end
LosAngeles-R#copy running-config startup-config
Configuring the Network Time Protocol (NTP) (Router)
LosAngeles-R>ena
LosAngeles-R#conf t
LosAngeles-R(config)#ntp server 10.40.6.10
[On IOS, NTP is enabled simply by pointing the router at the site’s NTP server]
LosAngeles-R(config)#exit
LosAngeles-R#copy running-config startup-config
D. Supporting Tables and/or Diagrams
The following diagram depicts some of the various configuration changes that have been
deployed at the Los Angeles site to fulfill the requirements described by the local systems
administrators.
III.
xACME WAN Site – Challenges and Implementation
The xACME WAN site is used to connect the many remote locations where students,
faculty, and staff must have the ability to perform their daily tasks and other responsibilities. In
furtherance of this requirement, xACME has implemented certain network infrastructure
technologies to increase overall efficiency in performing these tasks, as well as interconnectivity
as between the remote xACME sites.
The use of these new technologies, however, has not come without its challenges. This
Cisco Network Proposal (“Proposal”) will discuss the challenges identified by the local systems
administrators at this site and offer solutions to these issues. In addition, this Proposal will
include recommendations to remediate any potential threat vectors, as well as increase the
overall usability of the network. The goal of this Proposal is to promote the health and security
of the xACME WAN site’s network, while ensuring that all authorized users can perform their
necessary tasks and responsibilities.
A. Site Details and Challenges
The current WAN links for the xACME educational facilities are serial-based and
connected over leased lines that utilize the Cisco default protocol for layer 2 connectivity.
Currently, authentication is not present, but the added security from its implementation would be
preferred. Accordingly, the local systems administrators have requested research on the
available WAN protocols and the implementation of a WAN solution that will provide
authentication as between devices. Specifically, this proposal should include all necessary steps
for deploying the recommended WAN solution, which must specifically include device
configurations based on the current implementation.
In addition, the network topology for xACME has been designed such that the Los
Angeles and Boston sites are connected across leased lines, and each of these two sites remains
as the entry point to its respective regional locations. That said, however, a recent review of the
traffic has raised concerns, particularly in the amount and extent of traffic that is being handled
by the router for each of these two locations. As such, the local systems administrators for these
two sites have requested a review of the xACME educational topology, as well as
recommendations that would provide adequate redundancy and alleviate some of the bandwidth
requirements that are currently placed on both devices. To the extent necessary, additional lines
are available and can be leased. If this option is selected, the additional range of lines may be
leased from the available xACME public address range (165.128.63.0 /26).
B. Site Solution and Technologies
There are two WAN protocol options available for the required WAN solution: the
High-Level Data Link Control (HDLC) Protocol and the Point to Point Protocol (PPP) [9]. There are,
of course, additional WAN protocols that exist. These options, however, either require the
purchase of additional equipment and other items or are unsupported based on the current
xACME educational topology. Turning to the two viable options, the HDLC Protocol is a simple
protocol that is used to connect point-to-point serial devices and is the default protocol on all
Cisco serial interfaces [9]. Although PPP is based on the HDLC protocol and is also used to
connect point-to-point leased lines, there are several differences between these two protocols.
For instance, PPP is not limited to only Cisco devices, it relies on several sub-protocols to
function, and it generally has more features (including authentication that is supported with PAP
and CHAP) [9]. As a result, this Proposal recommends using PPP (with CHAP for
authentication) to meet the needs and requirements articulated by the local systems
administrators. The use of this protocol over the HDLC Protocol will provide the necessary
authentication as between network devices.
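The CHAP authentication recommended above can be illustrated with the following Python script, an added example that is not part of the original proposal or of Cisco IOS. It models the three-way CHAP exchange from RFC 1994 between two routers (Challenge, Response, Success or Failure), using each router’s local username table, and shows why the username each side stores must equal the peer’s hostname and why the shared secret must match on both ends. The hostnames and the shared secret follow the sample configuration in this proposal; the credential tables are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential tables, one per router, keyed by the PEER's hostname.
# CHAP needs the cleartext secret on both sides, and the 'username' each router
# stores must equal the hostname the other router sends in its CHAP packets.
ROUTER_USERS = {
    "Boston-R":     {"Worchester-R": "Sh@redPassW3rd"},
    "Worchester-R": {"Boston-R":     "Sh@redPassW3rd"},
}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_authenticate(authenticator: str, peer: str, users=ROUTER_USERS,
                      identifier: int = 1, challenge: Optional[bytes] = None) -> bool:
    """Three-way CHAP between two router hostnames.

    1. authenticator -> peer: Challenge {id, random value, Name=authenticator}
    2. peer -> authenticator: Response {id, MD5(id|secret|random), Name=peer}
    3. authenticator recomputes the hash with the secret it holds for Name=peer
    Returns True on Success and False on Failure."""
    challenge = challenge if challenge is not None else os.urandom(16)
    secret_at_peer = users.get(peer, {}).get(authenticator)
    if secret_at_peer is None:
        return False      # peer has no 'username <authenticator>' line
    response = chap_response(identifier, secret_at_peer, challenge)
    secret_at_auth = users.get(authenticator, {}).get(peer)
    if secret_at_auth is None:
        return False      # authenticator has no 'username <peer>' line
    expected = chap_response(identifier, secret_at_auth, challenge)
    return hmac.compare_digest(response, expected)


def link_authenticates(a: str, b: str, users=ROUTER_USERS) -> bool:
    """'ppp authentication chap' on both ends: each router challenges the other."""
    return chap_authenticate(a, b, users) and chap_authenticate(b, a, users)


if __name__ == "__main__":
    print("Boston-R <-> Worchester-R:", link_authenticates("Boston-R", "Worchester-R"))
```

The secret itself never crosses the link, only the hash of it together with a fresh random challenge, which is the property that makes CHAP preferable to PAP on these leased lines.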
To alleviate the bandwidth concerns and provide additional redundancy within the
xACME educational topology, this Proposal recommends adding an additional connection as
between the Sacramento and Springfield sites using two additional leased line connections. The
addition of these two leased lines would transform the xACME topology from a peer-to-peer
WAN topology to a ring WAN topology. In a ring WAN topology, “each site is connected to
two other sites so that the entire WAN forms a ring pattern” [10]. Using this particular topology
has at least two distinct advantages over a peer-to-peer WAN topology. First, a single cable
problem will not drastically impact the entire network’s performance. Second, the routers at any
given location can redirect data if one route becomes inundated with traffic [10]. That aside, a
ring WAN topology is only practical where there are a limited number of locations – typically
fewer than four or five sites [10]. As a result, if xACME desires to increase the current number
of locations, another topology should likely be deployed. For instance, a tiered or hybrid WAN
topology could provide similar redundancy and bandwidth improvements, while still providing
the needed flexibility for site expansions [10].
C. Sample Configuration
The below configurations will address the issues and other considerations discussed in
Section B, “Site Solutions and Technologies” (above):
Configuring PPP with CHAP Authentication (All Routers)
Note: Before configuring CHAP as the authentication method, you need to set a
username that matches the host’s name on the other side of the connection, along
with a shared password that is used by both of the routers.
Boston-R>ena
Boston-R#conf t
Boston-R(config)#username Worchester-R password Sh@redPassW3rd
[The username is the remote router’s hostname exactly as configured there; CHAP
needs the cleartext password, so “password” rather than “secret” is used]
…
Worchester-R>ena
Worchester-R#conf t
Worchester-R(config)#username Boston-R password Sh@redPassW3rd
…
Boston-R>ena
Boston-R#conf t
Boston-R(config)#int s0/0/1
Boston-R(config-if)#encapsulation ppp
Boston-R(config-if)#exit
Boston-R(config)#exit
…
Worchester-R>ena
Worchester-R#conf t
Worchester-R(config)#int s0/0/1
Worchester-R(config-if)#encapsulation ppp
Worchester-R(config-if)#exit
Worchester-R(config)#exit
…
Boston-R>ena
Boston-R#conf t
Boston-R(config)#int s0/0/1
Boston-R(config-if)#ppp authentication chap
Boston-R(config-if)#exit
Boston-R(config)#exit
Boston-R#
…
Worchester-R>ena
Worchester-R#conf t
Worchester-R(config)#int s0/0/1
Worchester-R(config-if)#ppp authentication chap
Worchester-R(config-if)#end
Worchester-R#debug ppp authentication
Worchester-R#conf t
Worchester-R(config)#int s0/0/1
Worchester-R(config-if)#shut
Worchester-R(config-if)#no shut
[Bouncing the interface forces a new PPP negotiation so that the CHAP
exchange is visible in the debug output]
Worchester-R(config-if)#end
Worchester-R#sh int s0/0/1
[The line protocol shows “up” once CHAP succeeds on both ends]
Worchester-R#undebug all
Worchester-R#copy running-config startup-config
Adding Redundancy and Bandwidth (Sacramento and Springfield Routers)
Note: There are additional commands that can further configure this particular
leased line connection. One such example is setting the clock rate, which uses the
“clock rate” command.
Sacramento-R>ena
Sacramento-R#conf t
Sacramento-R(config)#int s0/0/1
Sacramento-R(config-if)#ip address 165.128.63.5 255.255.255.252
Sacramento-R(config-if)#shut
Sacramento-R(config-if)#no shut
Sacramento-R(config-if)#exit
Sacramento-R(config)#exit
Sacramento-R#copy running-config startup-config
D. Supporting Tables and/or Diagrams
The below diagram depicts the additional leased line connections that add redundancy to
the xACME educational topology, as well as provide added routes to decrease bandwidth
concerns at all xACME remote locations:
BIBLIOGRAPHY
[1] “Configuring Access and Trunk Interfaces,” Cisco.com, n.d. [Online]. Available:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html [Accessed Sept. 29, 2017].
[2] D. Davis, “Lock Down Cisco Switch Port Security,” TechRepublic.com, Oct. 11, 2007.
[Online]. Available: http://www.techrepublic.com/blog/it-security/lock-down-ciscoswitch-port-security-88196/ [Accessed Sept. 30, 2017].
[3] “Inter-VLAN Routing,” CCNABlog.com, n.d. [Online]. Available:
http://www.ccnablog.com/inter-vlan-routing/ [Accessed Sept. 21, 2017].
[4] T. Dean, Network+ Guide to Networks, 5th ed. Boston, MA: Course Technology, 2010.
[5] “Managing Configuration Files,” Cisco.com, n.d. [Online]. Available:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf007.html [Accessed Oct. 1, 2017].
[6] “Cisco CCNA – Remote Management with Telnet, SSH, CDP & ICMP,”
CertificationKits.com, n.d. [Online]. Available: https://www.certificationkits.com/ciscocertification/ccna-articles/cisco-ccna-miscellaneous-topics/cisco-ccna-remotemanagement-with-telnet-ssh-cdp-a-icmp/ [Accessed Sept. 27, 2017].
[7] T. Wilson, “Securing Networks: Access Control List (ACL) Concepts,” PluralSight.com,
May 16, 2012. [Online]. Available: https://www.pluralsight.com/blog/it-ops/accesscontrol-list-concepts [Accessed Sept. 28, 2012].
[8] “Types of ACLs,” eTutorials.com, n.d. [Online]. Available:
http://etutorials.org/Networking/Router+firewall+security/Part+III+Nonstateful+Filtering+Technologies/Chapter+7.+Basic+Access+Lists/Types+of+ACLs/ [Accessed Sept. 29, 2012].
[9] “Network Time Protocol (NTP),” SearchNetworking.com, Feb. 2007. [Online].
Available: http://searchnetworking.techtarget.com/definition/Network-Time-Protocol
[Accessed Sept. 30, 2012].
[10] “WAN Topologies,” angelfire.com, n.d. [Online]. Available:
http://www.angelfire.com/mech/phattony/wan_topologies.htm [Accessed Oct. 2, 2017].
CMIT 350 WAN and SOHO Skills Implementation
Use this document as a guide for formatting and organizing your CMIT 350
Skills Implementation challenge.
Title Page
Professionalism will be key to your success and advancement in your academic and
professional career. Use the title page to identify relevant information such as your name, the
course, professor, and submission/completion date.
Document Index/Contents
Organization will allow your document to be divided into key areas of consideration and allows
an overall structure to be placed over the submission.
Sample text:
I. Site “XXXXXXXX” Challenges and Implementation
II. Site “XXXXXXXX” Challenges and Implementation
III. Site “XXXXXXXX” Challenges and Implementation
IV. Bibliography
I. Site “XXXXXXXXXX” Challenge and Implementation
(Provide a section for each site, as suggested in your table of contents.)
Site Details and Challenges (Summary)
Here, you will simply summarize the site requirements and/or challenges you are attempting to
overcome. You will not need to implement solutions or discuss your approach at this point. This
information is provided to you and can simply be organized and restated as you understand it.
Think of this area as what needs to be corrected. Suggested length would be one or two
paragraphs.
Sample text:
As described in the scenario, the xUMUC site was developed without any VLAN structure, and
administrators have found the need to isolate broadcast traffic from a layer-2 perspective.
Site Solution(s) and Technologies
With the challenges stated, you will be able to clearly define your approach to solving those
challenges and can state the technologies you will be implementing. Be sure to use this area to
justify your approach and selection of technologies as well. The specific length and details of
this area will vary based on the specifics and depth of the challenge you are facing. Your
justification would be your selection of a specific technology or approach over another and why
you chose the approach you are taking. Show off your knowledge in the foundational skills here!
Sample text:
In order to relieve the administrative tasks surrounding the implementation of manual IP
addressing per device, we will configure and implement a DHCP (dynamic host configuration
protocol) server, per site requirements. The DHCP allows for devices to identify, request and
implement IP configurations as well as other settings….
Since this area may call for facts and details around technologies and approaches, you will most
likely find yourself using in-text citations, which would appear as follows:
Open Shortest Path First is an open standard routing protocol that’s been implemented by a
wide variety of network vendors, including Cisco [1].
Sample Configuration
Understanding the technologies will satisfy a portion of the document's requirements. You will
also need to display how the solutions you are suggesting would be implemented. This will
include the specific commands used to configure the devices. Instructions will state when
sample configurations are required, and any sample configurations should be limited to the
devices provided, per the site topology. Device syntax to be used can be found in your training
suite, TestOut’s LabSim. Show off your technical competency here!
Sample text:
Sample Device Configuration 1
Supporting Tables/Diagrams
When structuring solutions per certain sites, you may find it helpful or even necessary to
structure information with tables and/or diagrams. These items can be used to support and
display your understood solutions located in the “Site Solution(s) and Technologies” area.
Display your organizational and logical skills in this area!
Sample table:
Sample Table 1
Sample Table 2
Sample Diagram 1
Repeat the format to include document components for each site. In this
sample, sections numbered II and III in your table of contents would be
provided next, followed by the bibliography.
IV.
Bibliography
Be responsible with your research and included works. Provide proper credit in the IEEE format
to original authors and their works that you leverage in your submission.
Sample Entry:
[1] T. Lammle. CCNA Routing and Switching Study Guide. Indianapolis, ID: Sybex Wiley, 2013,
p. 386.