Analysis of Company Network Models

Analysis of Company Ne devilrk ModelsCHAPTER 1 ABSTRACTThe purpose of this physical exercise is to provide a stoped design document as per the emergencys given in various formats by the Client NoBo Inc. The scope of this document includes at start explaining the requirements provided by the client, explaining the solution both from a top level view and detailed, as well as explained be the compliance steps, technologies occasiond and scope of the future work and recommendations. We permit used modular design approach for designing the net profit .The final outcome is a detailed document which altogetherow for extensively assist in deploying and configuration stages of mesh for NoBo Designs.CHAPTER 2 INTRODUCTION2.1 AIMThis project aims to analyse the various profit models and design a cyberspace harmonize to the clients requirements.2.2 OBJECTIVESAll the lake herring engagement models Campus meshwork, Hierarchical net profit, Enterprise edge model have been review ed.According to the client requirements the sui shelve network model has been identified and designed.Proper selection of the devices (Routers, Switches, Computers, cables) has been do to meet the service requirements.The cost for entirely the devices and equipments that argon required has been estimated.Centralised internet connection has been provided for the branch puts from their respective headquarters. This provides high retain on the entropy amidst the internet internet sites.IPsec is cond for data security while utilize the backup man line when the main link goes down. cisco IOS Firew every(prenominal) is also cond on the perimeter devices.The designed network has been cond on the simulator and all its functioning has been tested.2.3 DISSERTATION STRUCTURECHAPTER 1 This chapter briefly discusses virtually the abstract of our project.CHAPTER 2 This chapter briefly explains the introduction of our project topic, reviewing all the objectives and ends with the conclu sions of from distributively unrivaled and individual chapter in our dissertation.CHAPTER 3 This chapter explains the background of various network topologies, reviewing of all the concepts like routing, confounding, IP nameing and ends with the discussion of the QOS, security issues.CHAPTER 4 This chapter introduces the requirements of network design, retaining into action, testing and ends with the invoice of all configurations.CHAPTER 5 This chapter briefly discusses about all the experimental results and ends with the analysis of the obtained results.CHAPTER 6 This chapter discusses the entire evaluation of our project and ends with the introduction of conclusions.CHAPTER 7 This chapter briefly discusses about the overall conclusions.CHAPTER 8 This chapter provides the recommendations and future work in our cede topic.CHAPTER 3LITERATURE REVIEW3.1 Cisco Network ModelsNetwork models may change collectable to the implementation of different technologies which argon appli cable to us. But the goal of all(prenominal) model is finally said(prenominal) which is convergence and achieving service integration. There are 6 different geographies available in an end-end network architecture which is briefly discussed below ( Inc., C. S. (Mar2009, Roberts, E. (8/28/95).3.2 Cisco Hierarchical modelIt is an older model which is good for network scalability. The entire network is divided into 3 floors which are given belowAccess layer These devices are generally developed entirely in a network for the purpose of providing clients access to the network. In general it has been done by the switch port access.Distribution layer In general, these devices are developed as aggregation repoints for access layer devices. These devices can be used for the dividing of workgroups or few other departments in the network environment. They can also provide pale aggregation connectivity at various Cisco Network Models.Core layer These devices are designed for the purpose of fast switching of bundles and they should provide the redundant otherwise it results in loss of degradation of service at the time of network congestion or link failures. Finally these devices help in carrying the entire network work from one end to the other end.Finally this model provides good scalability and it supports the cabal of SONA, other interactive services and these are applicable to any analysis situs (LAN, disgusted, MAN, VPN..) or other connectivity options which are applicable to us. The adjacent diagram (3.1) shows us the Cisco Hierarchical model.3.3 Campus Network ArchitectureIn last 10 historic period it has been developed rapidly and the no of services supported in this model are more(prenominal). The basic structure of this model is just an extension of the previous model. It supports the implementation of various technologies in this model like QOS, MPLS VPN, IPSEC VPN, and HSRP and so on. It provides the network access to campus wide resources and provides layer 2 switching layer 3 switching at the Access and Distribution respectively.Services in this model are switched from stateless to stateful and provide redundant devices to monitor all the events, connections in a network. Meeting of these requirements requires some changes in its basic model. The following (3.2) shows us the campus network architecture model.( Gilmer, B. (Nov2004)It provides the combination, multi- service environment which gives the sharing and connectivity of all the users who are working at the remote, branch sites. It requires the combination of both hardware and software devices for providing the services and applications to all the clients in a network architecture. SONA architecture helps an enterprise model to exceed its services to the remote site under the love of good service levels. Cisco Unified Communications, security and so on can be offered at all the branch sites to catch up with the problems of inadequate connectivity. The followin g diagram (3.3) shows the branch network architecture.It plays a major role in the deployment of any network. Now days, it is growing rapidly to implement more SONA functions. These additions of unused functions like virtual hosts, instant applications, dynamic change of network configurations and so on. Some resources lead be added online to get the support of upcoming needs. This network architecture provides the info about on- demand services which provides dynamic network environment to all the users, consolidation of services while growing of various air applications provided by an adaptive network. Finally this network model reports more usage of our capital without any changes in its infrastructure.In general it has been developed for the purpose of higher(prenominal) level security feature films in network architecture. It has been done by the support of several emcee farms having different functionality from DMZ (demilitarized zone) functions like DNS, FTP, HTTP, Teln et and so on for all the users ( national/ external) to share various applications and services among partners and to get the access of internet applications.This network architecture is entirely different and it can perk up a new or it can break the all discussed Cisco versions. Based on the discussion of all the services like SONA, QOS, and transport services and so on which would requisite in an end- end system? Based on the bandwidth requirements, their functions and providing QOS the WAN/ MAN has been designed. The functioning and geography plays a major role in deciding the method acting and upper connectivitys among various sites. The cost of total deployment of a network may vary and it is different from separately other. If the connection exists between the sites is a traditional bound relay or if it is provided by a service provider. For example, by using MPLS this provides layer three connectivity between two ends. And it also varies by considering the distance betwe en two sites. The convergence of various types of application over an IP network requires good connectivity, high security levels and providing of good services over the large WAN. The following fig (3.6) shows the WAN/ MAN architecture. (Israelsohn, J. (7/22/2004.)In this approach the overall network design and implementation is discussed with the adequate background. Modular Design ApproachThe convention for an efficient and robust network is to design the network taking into Consideration the various functionalities/requirement required by the network and placing that functionality into a faculty. Various modules capacity end up acting in independent physical devices or one physical device may contain all the modules, the idea is to compute the various functionalities acting as independent unit. The part of the network which consists of hardware and configurations for the wide sweep networks is termed as the WAN module of the network. It should contain of the all alleyrs, in terfaces, cabling and configurations that give out to the Wide Area Networks. The module should be designed separate from the other modules. Similarly all the devices, interfaces and configurations that are involved in the virtual private network would be designed as one module.Some aspects of the design for which there are no pointers in the design documents are also discussed in the detail design section with details of the relevant choices.1) Performance A network to its end user is as good as how his/her applications perform. spare-time activity are hardly a(prenominal) metrics to for measuring network performance.Responsiveness The design should be such that it is par with the acceptable responsive time of all the business applications.Throughput The rate of traffic passing through a given point in the network, it can be calculated in multiples of bits per molybdenum or packets per second.Utilization utilization of resources is the just about effective metric to calculate the congestion points in the network, aiding the network design to a great extent.2) Availability Network Availability is the key factor to a proper network design. Planning for continuous uptime is important for the business to carry out their activities without any interruptions. Following are a few points for availability machination Fault tolerance All the devices installed in the network should be of quality and reliable. Where ever possible redundant ports, modules and devices should be installed.Capacity Planning A network design should consider adequate capacity planning, for example how many connections can a link handle in worst case scenarios.Link prolixity As per the business requirement at least all the important links and internet connectivity should be redundant.3) Scalability All the network modules should be designed as such that they should cater for future requirements as considerably as todays needs.Topology The topology should be designed as such that it would require minimal configuration whenever any major or minor changes are required.Addressing The network addressing should allow routing with minimum resources. For example by using route summarization and proper ip addressing scheme which would have minimal impact or no impact on the existing networks or subnets and routing mechanisms. Local Area Network ModuleThe topical anaesthetic area network design primarily consists of dividing the various departmental requirements into logical network separations.At all the sites forget create individual virtual area networks for all the departments.All the virtual area networks will use a class c /24 subnet mask, reason behind that is the IP addressing used for the internal networks is all private and hence no sub netting is required.All the Vlans at all the sites are local anaesthetic Vlans which means that they do not extend across the wan pipes.The departments at different sites might have similar names and functionality but its always recommended that the Vlans are kept to be local.The Virtual are network will divide the whole LAN into virtual boundaries allowing for broadcast control and provide for access-control using access-lists.A VLAN has been provisioned for the host Network and radiocommunication network at each site as swell up. The VLANS are local to the respective sites totally and are class C /24 networks.DOT1q trunks have been situated between the layer 2 switches and the routers at each site. DHCPThe DHCP is Dynamic Host Configuration protocol provides railcarmatic IP addressesTo the arrays on the TCP/Ip network RFC 1531.It uses BOOTP known as bootstrap protocol. The DHCP waiter can be on the very(prenominal) or on a different network away from the host pcs. This is possible with the dhcp relay agent. When a client Pc boots, it searches for the server by sending broadcast packets on the network. When server gets theses broadcast packet it responds and sends a packet with an IP address to the client from the DHCP pool. The client can use the IP or can request for another(prenominal) IP instead. The client can concur this IP as according to the configuration in the DHCP server. The minimum duration for the client to hold the IP address is 8 days. After this period the clients has to make a new request for an IP address. This how , the DHCP usage in the network will reduce the intervention of the decision maker from giving the IP addresses manually.NATFor a Pc to connect to the internet and communicate with the other Pcs on the internet, it needs a public Ip address. One has to pay to have a public IP. It will be very expensive to have all Public IP addresses in a network. So, NAT provides a facility to convert the private IP address to the Public Ip which is on the interface of the device (router) that is directly connected to the internet via ISP. This saves money. Moreover it provides the additional security to the internal networkBy using the one public address.F ollowing are the benefits that NAT providesPreservation of IP addressIP address and application privacyEasy management Routing ModuleThe routing module consists of the routing architecture at each site it is the responsibility of the routers to forward packets to the correct destination. Routers by querying the routing table make the forwarding decision.1) Static routes At each site static routes have been placed at each head quarter sites. Static routes are the manual routes that are placed by the network administrator manually in the router and have to be interpreted out manually as well.At the headquarter site the static routes point to far end headquarter site or to the vpn subnet.2) Default routes have been placed at all sites, Default routes are treated by the routers as a catch all. If there are no specific routes towards a given destination, the default route will be picked up and the packet would be forwarded out of that interface to which the default route belongs.Since th e Internet has more than 100,000 routes , it would be infeasible to place all those routes into our routing table , so instead a default route has been placed at each headquarter to forward all the internet traffic towards the interface belong to the ISP end. Since we are using the far end headquarter as back up to our internet connections at each site.A special type of default route has been added in each headquarter, if the internet link goes down, the floating route will come into the routing table and the original route will disappear. The floating route is nothing but a default route with a higher administrative distance. This is a feature of Cisco IOS, it originally takes the route with the lower AD and places that into the routing table, if that route is lost it would place the second default route with the higher administrative distance.3) Routing study Protocol Routing information protocol version 2 has been used to propagate the Subnet routing between the sites. draw is a distance vector routing protocol which advertises its routing tables to its neighbours and has a hop come of 15 , since our network has only five sites at the moment, rip has been used for routing between the networks , the RIP version2 is the recent version of the rip ipv4 and it can carry variant length subnet masks . The RIP is adequate for our requirement.(http//www.ciscosystems.org/en/US/docs/internetworking/technology/handbook/Routing-Basics.html accessed on Dec 12 ,2009) RIPAs said earlier Routing Information Protocol is the only widely used distance vector protocol. It propagates the full routing table out to all participating interface in every 30 seconds. RIP works very well in smaller networks, but it is not scalable for large networks having slow WAN links or on networks with more than 15 routers installed. RIP version only supports class full routing, which essentially means that all devices in the network must have the alike subnet mask. The reason RIP version 1 does not propagate with subnet mask information. RIP version 2 supports classless routing, which is also called prefix routing and does send subnet mask in the route updates. (Chin-Fu Kuo Ai-Chun Pang Sheng-Kun Chan (Jan2009,)RIP TimersRIP has 3 different timers which regulate the performanceRoute update timer This timer sets the delay between the propagation of the fullRouting table to all the neighbours this would be normally 30 seconds.Route invalid timer If the router doesnt hear any updates for a particular router for 90 seconds it will declare that route invalid and will update all the neighbours to that the route has father invalid.Route flush timer After the route has become invalid , another timer starts which is normally 240 seconds ,if the router doesnt hear anything about the said route , it will flush the route out of its routing table and will update the neighbour that I am going to remove this route from my routing .RIP UpdatesRIP being a distance-vector algorithm propagates full routing tables to neighbouring routers. The neighbouring routers then add the accredited routing updates with their respective local routing tables entries to accomplish the topology map. This is called routing by rumor, In routing by rumour the peer believes the routing table of its neighbour blindly without doing any calculations itself.Rip uses hop count as its metric and if it finds that multiple path share the same cost to a particular destination it will start load-balancing between those links, still there is no unequal cost path load balancing as there is possible in case of EIGRP. Rip can be troublesome in many waysRip actually only sees the hop count as a true metric, it doesnt take care into consideration any other factors So if a network has two paths, the first only 1 hop away with 64 Kbps of bandwidth but a second path exists with 2 hops but each link having a bandwidth of 2 mbps , RIP will always prefer path no 1 because the hop count is less. Rip ha s a very crude metric and hence not a protocol of choice in many networks.Since RIP by default is classless and is a true distance vector protocol, it also carries with itself same issues as presented by the distance vector routing protocols, fixes have been added to RIP to counterattack such problems.Snort is an open source network based intrusion sensing system, it can do traffic logging and intrusion detection analysis on the live traffic, snort is installed on a host and the interesting traffic is copied to it via the port mirroring or port spanning techniques, Snort can be also used inline on an Ethernet tap, it can work in conjunction with Ip tables to drop unwanted traffic.Inter-site Routing The routing protocol RIP version 2 will propagate routes among all the sites, each Vlan will be advertised as a network in the routing protocol. SwitchingThe switches at each site carry all the virtual local area networks.1) A DOT1q trunk has been placed between the switches and the rout ers at each site. The dot1q trunks carries all the Vlans from the switches to the routers, the routers act as the layer 3 gateway for all the Vlans present in the site, the layer 2 switches alone cannot act as the layer 3 gateways and hence they require some kind of layer 3 device.2) All the other ports in the switches are either access ports or are trunks to other switches in the same sites. The access ports are the user ports, each access ports would belong to one or the other Vlans. The no of access ports in the building would decide the function and the model of the switches to be placed inside the access layer.Vlan By Default all the ports on a layer 2 switch belong to the same broadcast domain. The broadcast domains are segregated at the router level, however there are requirements to segregate the broadcast domains in campus switching environments, hence the virtual local area networks are used. The numbers of Vlans in a switch are equal to the number of broadcast domains, t he ports on the switch which belongs to a particular Vlan belongs to a certain broadcast domain of that Vlan.Devices in one Vlan cannot connect to other Vlans if there is no layer 3 connectivity provided.TrunkingSpeaking of IEEE 802.1Q.There are two different trunking protocols in use on todays Cisco switches, ISL and IEEE 802.1Q, generally referred to as dot1q. There are three main differences between the two. First, ISL is a Cisco-proprietary trunking protocol, where dot1q is the industry standard. (Those of you new to Cisco testing should get used to the phrases Cisco-proprietary and industry standard.)If youre working in a multivendor environment, ISL may not be a good choice. And even though ISL is Ciscos own trunking protocol, some Cisco switches run only dot1q.ISL also encapsulates the entire erect, increasing the network overhead. A Dot1q only place a header on the frame, and in some circumstances, doesnt even do that. There is much less overhead with dot1q as compared to I SL. That leads to the third major difference, the way the protocols work with the homegrown Vlan.The native Vlan is simply the default Vlan that switch ports are placed into if they are not expressly placed into another Vlan. On Cisco switches, the native Vlan is Vlan 1. (This can be changed.) If dot1q is running, frames that are going to be sent across the trunk line dont even have a header placed on them the remote switch will assume that any frame that has no header is destined for the native Vlan.The problem with ISL is that doesnt understand what a native Vlan is. Every single frame will be encapsulated, regardless of the Vlan its destined for. Access portsAn access port is a port which does not carry any Vlan information, the port which is cond as a an access port, on that port the switch takes off the Vlan information and passes the frame on to the end device, end device be it a pc or a printer or something else has no information passed about the Vlan.A).routingThe routing table in a router is populated mainly in 3 ways.a) Connected routes router places the networks belonging to all types of its live interfaces in the routing table such routes carry an administrative distance of 0 as they are approximately trusted routers, these routes are taken out of the routing table if the interface goes down.b) Static routes are routes place manually by the router administrator and carry an administrative distance of 1, these routes are the second almost trusted by the router later the connected routes, since these are being added by the administrator themselvesc) Third type of routes are installed by the routing protocols and carry administrative distances according to the type of the routing protocol. Wireless local area network ModuleA Vlan has been provided at each site which acts as a radio network, the wireless Vlan connects to wireless access points which provides wireless connectivity to the users. Wireless access points are placed at each floor at al l the sites, all the wireless access points will be of Cisco Linksys brands. The wireless access points at each site will be WIFI carrying all a, b or g standard. (O. Elkeelany , M. M. M., J. Qaddour (5 Aug 2004)The wireless networks will use WPA2 key security mechanisms to cling to the network from unauthorised access and attacks. Proper placements of the wireless access points can be done after a physical inspection of the sites. If a barrier wall or something else obstructs the coverage of the wireless local area network access points at a floor another wifi access point will be required at the same floor. IP Addressing ModuleWAN Ip addressing, all wan connections are point to point and use a /30 subnet maskA /30 subnet only allows for two actual hosts which fits for the wan connections.VLAN Ip addressing, all the Vlans including the wireless and the server Vlans are /24 networksAll the future Vlans should be /24 as well, this would help to limit the layer3 broadcasts to only 2 54 hosts, /24 is being used because our Vlans are all based on class c private addressing and there are adequate addresses in the same class for our future needs as well so there is no actual requirement to subnet any further, sub netting further would actually make the design complex without any echt benefits.The routers also have a trunk which comes from their respective site switches. The 1st valid address of the each Vlan belongs to the router acting as a gateway to the Vlans. These .1 addresses are required to be hardcoded inside the routers themselves.The host addressing is taken care by the dhcp protocol, each router as its site will act as a dhcp server for all the Vlans present in the same site. The router acting as a dhcp server would provide gateway information to the hosts in each Vlan as well as the dns servers to be used and the domain information as well.A separate list has been maintained for the hosts outside the dhcp scope, should there be a requirement that a hos t be provided a static Ip address, and the same Ip address should be added to the list of non dhcp addresses for each Vlan at each site. Server Farm ModuleA special virtual area network is in place at every site for a special purpose, this vlan only has servers placed in it, this Vlan acts as a DMZ at all sites. The servers at various sites are placed in separate Vlans to hold dear them from the broadcasts created by the users in the site as well as blocking unauthorised access. If the requirement arises that a server should also be placed in another Vlan at same time, either 2 network cards should be attached to the same server and each placed in the respective Vlan, if the server is required to be attached to more than 2 Vlans, then the server should carry a special network card which could build trunks with the 2960 switches. The speed and duplex modes on all the server ports should be manually cond by the network engineers as there are chances of duplex mismatch in the auto mod e. Unauthorised access can be blocked into the server farm via using IP access-lists feature of the Cisco IOS.( Zhuo L , W. C., Lau FCM . (OCT 2003 ) Security ModuleThis is the most important module of the network design, as its name suggests it would cater for the network security, following are the security measures in place for the network designs. An integrated Cisco IOS firewall protects the perimeter interface (internet connection) from attacks from the outside world at both the headquarter sites IOS firewall uses stateful inspection for the protocols listed in the firewall itself. As advised earlier the access to the server Vlan at each site is also controlled by the use of IP access-lists, only authorized IPs/networks and that too only on specific ports are allowed to traverse the DMZ(DEMILITARIZED ZONE).There are perimeter access-lists in place at the headquarter sites blocking most common and known attacks from the internet. The internet modules have been centrally designe d to keep a tighter control and strict security. An additional measure of security can be placed at each site by adding an intrusion prevention system to each headquarter. A very effective intrusion detection engine is SNORT, being open source it can be installed in a very brusk period of time and is free. Further management Vlan can be secured by using port security and sticky Mac mechanisms.http//www.cisco.com/en/US/ spurring/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.htmlThe Cisco IOS firewall is an EAL4 certified solution and is a stateful firewall, it is integrated into Cisco router IOS, IOS is the best available routing, security and VoIP software around, and integrating a stateful firewall produces an economical as yet flexible solution. It is the ideal solution for small offices, branch offices and wherever the need arises for an embedded firewall solution. The Cisco IOS firewall can be turned on and off in the desired manner on the desired interface in the Cisco routerCisco IOS firewall can be cond in basically two modes, Classic firewall also known as CBAC control based access control or the new configuration technique which is called Zone based policy firewall. The later one is used wherever the network is required to be divided into various zones for example a DMZ zone. The later configuration methodology will be carried on in the future as it caters for the changing needs of networks.WAN MODULEThe Wan connectivity for the NoBo designs has been designed taking in consideration of the following characteristicsWAN connectivityHead -quarters All the head Quarters have been has been connected via an International lease line from service provider. All the branch-offices are connected to their headquarters via leased lines as well via service provider.Wide Area Network Back upThe internet connectivity at both the remote and client sites can be used as a backup in case the primary WAN link is down a separate site-to-site vpn link will be required to be cond between the two sites. The site to site vpn will use the IPSEC framework which would be only used if the floating routes that are present in the Cisco routers start pointing towards the vpn links in case of the wan link outage.This IPSec vpn back up link should be strictly used as a back up as the internet bandwidth is limited and the latency is high. Network Management mechanisms would notify everyone, if the primary wan link is down. If the requirement for the backup link for a branch site comes up, same methodology can be used, the branch can acquire its own internet connection and use it as a backup link to its respective head office. In that case changes in routing will also occur. IPSecIPSec is a protocol contains set of features that protect the data which traverses from one location point to another. The location itself defines the type of VPN. The location could be anything such as pc on the internet, a small regional office, a home office or an y corp. headquarters.A user on the go would always connect to a user to site vpn and all the others would be called a site to site vpn.The IPSec protocol works on layer 3 and above, like tcp/udp header and data and does not protect any layer 2 frames, a different kind of protection mechanism has to be deployed for the same and also is possible only in the controlled network.The encryption and IPSec are many times thought to be one and the same thing but they are different, IPSec is basically a suite of protocols and one of them does encryption.Following are the features of the IPSEC protocol suite.Data confidentialityData integrityData origin authentication