Friday, March 29, 2019
Analysis of Company Network Models
CHAPTER 1 ABSTRACT

The goal of this exercise is to produce a detailed design document as per the requirements given in various formats by the client, NoBo Inc. The scope of this document includes first explaining the requirements provided by the customer, then explaining the solution both from a top-level view and in detail, as well as the configuration steps, the technologies used, and the scope of future work and recommendations. We have applied a modular design approach for designing the network. The final outcome is a detailed document which will extensively assist in the deployment and configuration stages of the network for NoBo Designs.

CHAPTER 2 INTRODUCTION

2.1 AIM

This project aims to analyse the various network models and design a network according to the client's requirements.

2.2 OBJECTIVES

All the Cisco network models (Campus network, Hierarchical network, Enterprise edge model) have been reviewed.
According to the client requirements the suitable network model has been identified and designed.
Proper selection of the devices (routers, switches, computers, cables) has been made to meet the service requirements.
The cost of all the devices and equipment that are required has been estimated.
Centralised internet connection has been provided for the branch offices through their respective headquarters. This provides a high degree of control over the data passing between the sites.
IPsec is configured for data security while using the backup link when the main link goes down.
Cisco IOS Firewall is also configured on the perimeter devices.
The designed network has been configured on the simulator and all its functionality has been tested.

2.3 DISSERTATION STRUCTURE

CHAPTER 1: This chapter briefly discusses the abstract of our project.
CHAPTER 2: This chapter briefly explains the introduction of our project topic, reviews all the objectives and ends with the conclusions of each and every chapter in our dissertation.
CHAPTER 3: This chapter explains the background of various network topologies, reviews all the concepts like routing, switching and IP addressing, and ends with a discussion of QoS and security issues.
CHAPTER 4: This chapter introduces the requirements of the network design, implementation and testing, and ends with the explanation of all configurations.
CHAPTER 5: This chapter briefly discusses all the experimental results and ends with the analysis of the obtained results.
CHAPTER 6: This chapter discusses the entire evaluation of our project and ends with the introduction of conclusions.
CHAPTER 7: This chapter briefly discusses the overall conclusions.
CHAPTER 8: This chapter provides the recommendations and future work on our project topic.

CHAPTER 3 LITERATURE REVIEW

3.1 Cisco Network Models

Network models may change due to the implementation of different technologies which are applicable to us, but the goal of each model is ultimately the same: convergence and achieving service integration. There are 6 different topologies available in an end-to-end network architecture, which are briefly discussed below (Inc., C. S. (Mar 2009); Roberts, E. (8/28/95)).

3.2 Cisco Hierarchical model

It is an older model which is good for network scalability. The entire network is divided into 3 layers, which are given below.

Access layer: These devices are generally deployed in a network solely for the purpose of providing clients access to the network.
In general this is done by the switch access ports.

Distribution layer: In general, these devices are deployed as aggregation points for access layer devices. These devices can be used for dividing workgroups or other departments in the network environment. They can also provide WAN aggregation connectivity in the various Cisco network models.

Core layer: These devices are designed for the purpose of fast switching of packets and they should provide redundancy, otherwise the result is loss or degradation of service at the time of network congestion or link failures. Finally these devices help in carrying the entire network traffic from one end to the other.

Finally, this model provides good scalability and it supports the combination of SONA and other interactive services, and these are applicable to any topology (LAN, WAN, MAN, VPN, ...) or other connectivity options which are applicable to us. The following diagram (3.1) shows us the Cisco Hierarchical model.

3.3 Campus Network Architecture

In the last 10 years it has developed rapidly and the number of services supported in this model is large. The basic structure of this model is just an extension of the previous model. It supports the implementation of various technologies like QoS, MPLS VPN, IPsec VPN, HSRP and so on. It provides network access to campus-wide resources and provides layer 2 switching and layer 3 switching at the Access and Distribution layers respectively. Services in this model are switched from stateless to stateful, and redundant devices are provided to monitor all the events and connections in a network. Meeting these requirements requires some changes in its basic model. The following diagram (3.2) shows us the campus network architecture model. (Gilmer, B.
(Nov 2004))

It provides the combined, multi-service environment which gives the sharing and connectivity of all the users who are working at the remote branch sites. It requires the combination of both hardware and software devices for providing the services and applications to all the clients in a network architecture. SONA architecture helps the branch network model to extend its services to the remote site under the setting of good service levels. Cisco Unified Communications, security and so on can be offered at all the branch sites to overcome the problems of inadequate connectivity. The following diagram (3.3) shows the branch network architecture.

It plays a major role in the deployment of any network. Nowadays it is growing rapidly to implement more SONA functions, with additions of new functions like virtual hosts, instant applications, dynamic change of network configurations and so on. Some resources will be added online to support future needs. This network architecture provides the information about on-demand services, which provides a dynamic network environment to all the users, and consolidation of services while the various business applications grow, as provided by an adaptive network. Finally this network model allows more usage of our capital without any changes in its infrastructure.

In general it has been developed for the purpose of high level security features in the network architecture. It has been done with the support of several server farms having different functionality, from DMZ (demilitarized zone) functions like DNS, FTP, HTTP, Telnet and so on, for all the users (internal/external) to share various applications and services among partners and to get access to internet applications.

This network architecture is entirely different, and it can be a new one or it can support all the discussed Cisco versions.
Based on the discussion of all the services like SONA, QoS, transport services and so on, which would be mandatory in an end-to-end system, and based on the bandwidth requirements, their functions and the provision of QoS, the WAN/MAN has been designed. The functionality and geography play a major role in deciding the system and the speed of connectivity among the various sites. The cost of total deployment of a network may vary and is different from one case to another, depending on whether the connection that exists between the sites is a conventional frame relay or is provided by a service provider; for example, using MPLS provides layer three connectivity between two ends. It also varies with the distance between two sites. The convergence of various types of application over an IP network requires good connectivity, high security levels and the provision of good services over the large WAN. The following fig (3.6) shows the WAN/MAN architecture. (Israelsohn, J. (7/22/2004))

In this approach the overall network design and implementation is discussed with the adequate background.

Modular Design Approach

The recipe for an efficient and robust network is to design the network taking into consideration the various functionalities/requirements required by the network and placing that functionality into a module. Various modules might end up residing in independent physical devices, or one physical device may contain all the modules; the idea is to visualize the various functionalities acting as independent units. The part of the network which consists of the hardware and configurations for the wide area networks is termed the WAN module of the network. It should contain all the routers, interfaces, cabling and configurations that belong to the Wide Area Networks. The module should be designed separately from the other modules.
Similarly, all the devices, interfaces and configurations that are involved in the virtual private network would be designed as one module.

Some aspects of the design for which there are no details in the design documents are also discussed in the detail design section with details of the relevant choices.

1) Performance: A network to its end user is as good as how his/her applications perform. Following are a few metrics for measuring network performance.

Responsiveness: The design should be such that it is on par with the acceptable response time of all the business applications.
Throughput: The rate of traffic passing through a given point in the network; it can be measured in multiples of bits per minute or packets per second.
Utilization: Utilization of resources is the most effective metric for locating the congestion points in the network, aiding the network design to a great extent.

2) Availability: Network availability is the key factor in a decent network design. Planning for continuous uptime is important for the business to carry out its activities without any interruptions. Following are a few points for availability design.

Fault tolerance: All the devices installed in the network should be of quality and reliable.
Wherever possible, redundant ports, modules and devices should be installed.
Capacity Planning: A network design should consider adequate capacity planning, for example how many connections a link can handle in worst case scenarios.
Link Redundancy: As per the business requirement, at least all the important links and the internet connectivity should be redundant.

3) Scalability: All the network modules should be designed such that they cater for future requirements as well as today's needs.

Topology: The topology should be designed such that it requires minimal configuration whenever any major or minor changes are required.
Addressing: The network addressing should allow routing with minimum resources, for example by using route summarization and a proper IP addressing scheme which would have minimal or no impact on the existing networks or subnets and routing mechanisms.

Local Area Network module

The local area network design primarily consists of dividing the various departmental requirements into logical network separations.

At all the sites we will create individual virtual local area networks for all the departments.
All the virtual local area networks will use a class C /24 subnet mask; the reason behind that is that the IP addressing used for the internal networks is all private and therefore no subnetting is required.
All the VLANs at all the sites are local VLANs, which means that they do not extend across the WAN pipes.
The departments at different sites might have similar names and functionality, but it is always recommended that the VLANs are kept local.
The virtual area networks will divide the whole LAN into virtual boundaries, allowing for broadcast control and providing for access control using access-lists.
A VLAN has been provisioned for the server network and the wireless network at each site as well.
The VLANs are local to the respective sites only and are class C /24 networks.
DOT1q trunks have been placed between the layer 2 switches and the routers at each site.

DHCP

DHCP, the Dynamic Host Configuration Protocol, provides automatic IP addresses to the hosts on the TCP/IP network (RFC 1531). It uses BOOTP, known as the bootstrap protocol. The DHCP server can be on the same or on a different network away from the host PCs; this is possible with the DHCP relay agent. When a client PC boots, it searches for the server by sending broadcast packets on the network. When the server gets these broadcast packets it responds and sends a packet with an IP address to the client from the DHCP pool. The client can use the IP or can request another IP instead. The client can hold this IP according to the configuration in the DHCP server. The minimum duration for the client to hold the IP address is 8 days. After this period the client has to make a new request for an IP address. This is how DHCP usage in the network will reduce the intervention of the administrator in giving out IP addresses manually.

NAT

For a PC to connect to the internet and communicate with the other PCs on the internet, it needs a public IP address. One has to pay to have a public IP. It would be very expensive to have all public IP addresses in a network. So NAT provides a facility to translate the private IP addresses to the public IP which is on the interface of the device (router) that is directly connected to the internet via the ISP. This saves money.
Moreover, it provides extra security to the internal network by using the one public address. Following are the benefits that NAT provides:
Preservation of IP addresses
IP address and application privacy
Easy management

Routing module

The routing module consists of the routing architecture at each site; it is the responsibility of the routers to forward packets to the correct destination. Routers make the forwarding decision by querying the routing table.

1) Static routes: Static routes have been placed at each headquarter site. Static routes are the manual routes that are placed by the network administrator manually in the router and have to be taken out manually as well. At the headquarter site the static routes point to the far-end headquarter site or to the VPN subnet.

2) Default routes have been placed at all sites. Default routes are treated by the routers as a catch-all: if there are no specific routes towards a given destination, the default route will be picked up and the packet will be forwarded out of the interface to which the default route belongs. Since the internet has more than 100,000 routes, it would be infeasible to place all those routes into our routing table, so instead a default route has been placed at each headquarter to forward all the internet traffic towards the interface belonging to the ISP end, since we are using the far-end headquarter as backup to our internet connections at each site. A special type of default route has been added in each headquarter: if the internet link goes down, the floating route will come into the routing table and the original route will disappear. The floating route is nothing but a default route with a higher administrative distance.
This is a feature of Cisco IOS: it initially takes the route with the lower AD and places that into the routing table; if that route is lost, it places the second default route with the higher administrative distance.

3) Routing Information Protocol: Routing Information Protocol version 2 has been used to propagate the subnet routing between the sites. RIP is a distance vector routing protocol which advertises its routing tables to its neighbours and has a hop count limit of 15. Since our network has only five sites at the moment, RIP has been used for routing between the networks; RIP version 2 is the recent version of RIP for IPv4 and it can carry variable length subnet masks. RIP is adequate for our requirement. (http://www.ciscosystems.org/en/US/docs/internetworking/technology/handbook/Routing-Basics.html accessed on Dec 12, 2009)

RIP

As stated earlier, Routing Information Protocol is the only widely used distance vector protocol. It propagates the complete routing table out to all participating interfaces every 30 seconds. RIP works very well in smaller networks, but it is not scalable for large networks having slow WAN links or for networks with more than 15 routers installed. RIP version 1 only supports classful routing, which essentially means that all devices in the network must have the same subnet mask. The reason is that RIP version 1 does not propagate subnet mask information. RIP version 2 supports classless routing, which is also called prefix routing, and does send the subnet mask in the route updates.
(Chin-Fu Kuo, Ai-Chun Pang, Sheng-Kun Chan (Jan 2009))

RIP Timers

RIP has 3 different timers which regulate its performance.
Route update timer: This timer sets the delay between propagations of the full routing table to all the neighbours; this would normally be 30 seconds.
Route invalid timer: If the router doesn't hear any updates for a particular route for 90 seconds it will declare that route invalid and will update all the neighbours that the route has become invalid.
Route flush timer: After the route has become invalid, another timer starts, which is normally 240 seconds; if the router doesn't hear anything about the said route, it will flush the route out of its routing table and will update the neighbours that it is going to remove this route from its routing table.

RIP Updates

RIP, being a distance-vector algorithm, propagates full routing tables to neighbouring routers. The neighbouring routers then add the received routing updates to their respective local routing table entries to complete the topology map. This is called routing by rumour: in routing by rumour the peer believes the routing table of its neighbour blindly without doing any calculations itself.

RIP uses hop count as its metric, and if it finds that multiple paths share the same cost to a particular destination it will start load-balancing between those links; however there is no unequal cost path load balancing as is possible in the case of EIGRP. RIP can be troublesome in many ways. RIP only sees the hop count as a valid metric; it does not take any other factors into consideration. So if a network has two paths, the first only 1 hop away with 64 Kbps of bandwidth, but a second path exists with 2 hops but each link having a bandwidth of 2 Mbps, RIP will always prefer path no. 1 because the hop count is less.
RIP has a very crude metric and hence is not the protocol of choice in many networks. Since RIP by default is classless and is a true distance vector protocol, it also carries with it the same issues as presented by the distance vector routing protocols; fixes have been added to RIP to counter such problems.

Snort is an open source network-based intrusion detection system; it can do traffic logging and intrusion detection analysis on the live traffic. Snort is installed on a host and the interesting traffic is copied to it via the port mirroring or port spanning techniques. Snort can also be used inline on an Ethernet tap, and it can work in conjunction with iptables to drop unwanted traffic.

Inter-site Routing: The routing protocol RIP version 2 will propagate routes among all the sites; each VLAN will be advertised as a network in the routing protocol.

Switching

The switches at each site carry all the virtual local area networks.

1) A DOT1q trunk has been placed between the switches and the routers at each site. The dot1q trunk carries all the VLANs from the switches to the routers; the routers act as the layer 3 gateway for all the VLANs present in the site, since the layer 2 switches alone cannot act as layer 3 gateways and hence require some kind of layer 3 device.

2) All the other ports in the switches are either access ports or trunks to other switches in the same site. The access ports are the user ports; each access port would belong to one or the other VLAN. The number of access ports in the building would decide the number and the model of the switches to be placed within the access layer.

VLAN: By default all the ports on a layer 2 switch belong to the same broadcast domain. The broadcast domains are separated at the router level; however there are requirements to segregate the broadcast domains in campus switching environments, hence the virtual local area networks are used.
The number of VLANs in a switch is equal to the number of broadcast domains; the ports on the switch which belong to a particular VLAN belong to the broadcast domain of that VLAN. Devices in one VLAN cannot connect to other VLANs if no layer 3 connectivity is provided.

Trunking

Speaking of IEEE 802.1Q: there are two different trunking protocols in use on today's Cisco switches, ISL and IEEE 802.1Q, generally referred to as dot1q. There are three main differences between the two. First, ISL is a Cisco-proprietary trunking protocol, whereas dot1q is the industry standard. (Those of you new to Cisco testing should get used to the phrases "Cisco-proprietary" and "industry standard".) If you're working in a multivendor environment, ISL may not be a good choice. And even though ISL is Cisco's own trunking protocol, some Cisco switches run only dot1q.

ISL also encapsulates the entire frame, increasing the network overhead. Dot1q only places a header on the frame, and in some circumstances doesn't even do that. There is much less overhead with dot1q as compared to ISL. That leads to the third major difference: the way the protocols work with the native VLAN.

The native VLAN is simply the default VLAN that switch ports are placed into if they are not expressly placed into another VLAN. On Cisco switches, the native VLAN is VLAN 1. (This can be changed.) If dot1q is running, frames on the native VLAN that are going to be sent across the trunk line don't even have a header placed on them; the remote switch will assume that any frame that has no header is bound for the native VLAN.

The problem with ISL is that it doesn't understand what a native VLAN is. Every single frame will be encapsulated, regardless of the VLAN it's destined for.
Access ports

An access port is a port which does not carry any VLAN information. On a port which is configured as an access port, the switch takes off the VLAN information and passes the frame on to the end device; the end device, be it a PC or a printer or something else, has no information passed to it about the VLAN.

A) Routing

The routing table in a router is populated mainly in 3 ways.
a) Connected routes: the router places the networks belonging to all types of its live interfaces in the routing table. Such routes carry an administrative distance of 0 as they are the most trusted routes; these routes are taken out of the routing table if the interface goes down.
b) Static routes are routes placed manually by the router administrator and carry an administrative distance of 1. These routes are the second most trusted by the router after the connected routes, since they are being added by the administrators themselves.
c) The third type of routes are installed by the routing protocols and carry administrative distances according to the type of the routing protocol.

Wireless local area network module

A VLAN has been provided at each site which acts as the wireless network; the wireless VLAN connects to wireless access points which provide wireless connectivity to the users. Wireless access points are placed on each floor at all the sites; all the wireless access points will be of the Cisco Linksys brand. The wireless access points at each site will be Wi-Fi carrying the a, b or g standards. (O. Elkeelany, M. M. M., J. Qaddour (5 Aug 2004)) The wireless networks will use WPA2 key security mechanisms to protect the network from unauthorised access and attacks. Proper placement of the wireless access points can be done after a physical survey of the sites. If a barrier wall or something else obstructs the coverage of the Wi-Fi access points on a floor, another Wi-Fi access point will be required on the same floor.
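As an added example (not the dissertation's or NoBo's own configuration), the following Cisco IOS configuration puts together the LAN, DHCP, NAT, routing and switching modules described above for one headquarter site: dot1q subinterfaces holding the .1 gateway address of each VLAN, a DHCP pool per user VLAN, NAT overload on the ISP link, a default route with a floating backup through the far-end headquarter, RIP version 2 between the sites, and the access switch's trunk and access ports. Hostnames (HQA-RTR, HQB-RTR, HQA-SW1), interface names and all addresses are constructed assumptions; the block holds the router first and the switch second.

```cisco
! HQA-RTR: headquarter A router (hypothetical hostname, constructed addresses)
hostname HQA-RTR
!
! Router-on-a-stick: one dot1q subinterface per local VLAN. The .1 address
! of each /24 is hard-coded here because the router is that VLAN's gateway.
interface GigabitEthernet0/1
 description dot1q trunk to HQA-SW1
 no ip address
!
interface GigabitEthernet0/1.10
 description Sales VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.20
 description Server VLAN (DMZ)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.30
 description Wireless VLAN
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! WAN: point-to-point leased line to headquarter B, /30 as the design requires.
interface Serial0/0/0
 description leased line to HQB-RTR
 ip address 10.0.0.1 255.255.255.252
!
interface Serial0/0/1
 description ISP link (internet)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! DHCP: keep the gateway and the statically addressed hosts on the non-DHCP
! list out of the pool; one pool like this per user VLAN (servers are static).
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool SALES
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.20.5
 domain-name nobo.example
 lease 8
!
! NAT overload: every private source leaves the ISP link behind the one
! public address on Serial0/0/1.
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface Serial0/0/1 overload
!
! Default route via the ISP (AD 1) plus the floating default (AD 250) via
! headquarter B. The primary uses the exit interface, so it is withdrawn as
! soon as Serial0/0/1 goes down, and only then does IOS install the AD 250 route.
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
!
! RIP version 2 carries every VLAN /24 between the sites. Updates are sent on
! the WAN link only; the VLAN subinterfaces stay passive.
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface Serial0/0/0
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.20.0
 network 192.168.30.0
!
! HQA-SW1 (Catalyst 2960): VLANs, the trunk toward the router and access ports.
hostname HQA-SW1
vlan 10,20,30
!
interface GigabitEthernet0/1
 description dot1q trunk to HQA-RTR
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface FastEthernet0/1
 description Sales user port
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/24
 description server port, speed/duplex fixed to avoid auto-negotiation mismatch
 switchport mode access
 switchport access vlan 20
 speed 100
 duplex full
```

On the 2960 no encapsulation command is needed because it supports only dot1q; `show ip route` on the router shows the AD 250 default only while the ISP interface is down.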
IP Addressing Module

WAN IP addressing: all WAN connections are point-to-point and use a /30 subnet mask. A /30 subnet only allows for two actual hosts, which fits the WAN connections.

VLAN IP addressing: all the VLANs, including the wireless and the server VLANs, are /24 networks. All the future VLANs should be /24 as well; this would help to limit the layer 3 broadcasts to only 254 hosts. /24 is being used because our VLANs are all based on class C private addressing and there are adequate addresses in the same class for our future needs as well, so there is no actual requirement to subnet any further; subnetting further would actually make the design complex without any real benefits.

The routers also have a trunk which comes from their respective site switches. The first valid address of each VLAN belongs to the router acting as the gateway to the VLANs. These .1 addresses are required to be hard-coded inside the routers themselves.

The host addressing is taken care of by the DHCP protocol; each router at its site will act as a DHCP server for all the VLANs present in the same site. The router acting as a DHCP server would provide gateway information to the hosts in each VLAN as well as the DNS servers to be used and the domain information.

A separate list has been maintained for the hosts outside the DHCP scope: should there be a requirement that a host be provided a static IP address, that IP address should be added to the list of non-DHCP addresses for each VLAN at each site.

Server Farm Module

A special virtual area network is in place at every site for a special purpose: this VLAN only has servers placed in it, and it acts as a demilitarized zone at all sites. The servers at various sites are placed in separate VLANs to protect them from the broadcasts created by the users in the site as well as to block unauthorised access.
If the requirement arises that a server should also be placed in another VLAN at the same time, either 2 network cards should be attached to the same server with each placed in the respective VLAN, or, if the server is required to be attached to more than 2 VLANs, the server should carry a special network card which can build trunks with the 2960 switches. The speed and duplex modes on all the server ports should be manually configured by the network engineers, as there are chances of a duplex mismatch in the auto mode. Unauthorised access into the server farm can be blocked by using the IP access-list feature of the Cisco IOS. (Zhuo L., W. C., Lau FCM (Oct 2003))

Security Module

This is the most important module of the network design; as its name suggests, it caters for the network security. Following are the security measures in place for the network design. An integrated Cisco IOS firewall protects the perimeter interface (internet connection) from attacks from the outside world at both the headquarter sites; the IOS firewall uses stateful inspection for the protocols listed in the firewall itself. As advised earlier, the access to the server VLAN at each site is also controlled by the use of IP access-lists: only authorized IPs/networks, and that too only on specific ports, are allowed to traverse the DMZ (demilitarized zone). There are perimeter access-lists in place at the headquarter sites blocking the most common and known attacks from the internet. The internet modules have been centrally designed to keep tighter control and strict security. An additional measure of security can be placed at each site by adding an intrusion prevention system to each headquarter. A very effective intrusion detection engine is Snort; being open source, it can be installed in a very short period of time and is free.
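As an added example (not the dissertation's own configuration), this is how the security module's measures translate to Cisco IOS on the headquarter A router and its access switch: a perimeter access-list on the internet interface, a port-specific access-list in front of the server VLAN (the DMZ), the IOS firewall in its zone-based policy form so that only sessions initiated from inside are allowed back in, and port security with sticky MAC addresses on a user port. Hostnames, interface names and addresses are assumptions (192.168.10.0/24 users, 192.168.20.0/24 servers, Serial0/0/1 the ISP link).

```cisco
! HQA-RTR security configuration (hypothetical names, constructed addresses)
!
! 1) Perimeter access-list on the internet interface: packets claiming a
!    private or loopback source cannot legitimately arrive from the ISP, so
!    they are dropped here; everything else is left to the stateful firewall.
ip access-list extended PERIMETER-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/1
 ip access-group PERIMETER-IN in
!
! 2) Server VLAN / DMZ: only authorised networks, and only on the published
!    ports, may reach the servers. Anything else toward the DMZ is logged and
!    dropped; traffic to other destinations (internet, other sites) passes.
ip access-list extended TO-SERVERS
 permit udp 192.168.10.0 0.0.0.255 host 192.168.20.5 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.5 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq www
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 443
 permit tcp host 192.168.10.5 192.168.20.0 0.0.0.255 eq 22
 deny   ip any 192.168.20.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1.10
 ip access-group TO-SERVERS in
!
! 3) Zone-based policy firewall: the LAN subinterfaces form the INSIDE zone,
!    the ISP link the OUTSIDE zone. Only the INSIDE->OUTSIDE pair gets a
!    policy; "inspect" tracks each outbound session so its replies are let
!    back in. With no OUTSIDE->INSIDE pair, inbound-initiated traffic is dropped.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/1.10
 zone-member security INSIDE
interface GigabitEthernet0/1.20
 zone-member security INSIDE
interface GigabitEthernet0/1.30
 zone-member security INSIDE
interface Serial0/0/1
 zone-member security OUTSIDE
!
! 4) HQA-SW1: port security with sticky MAC on a user port. The first MAC
!    seen is learned into the running config; frames from any other MAC are
!    dropped and counted as violations (restrict) instead of shutting the port.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

Traffic to and from the router itself (RIP on the WAN link, DHCP, IKE) belongs to the built-in self zone and is still permitted by default, which is why the routing and DHCP configuration keeps working once the zones are applied.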
Further, the management VLAN can be secured by using port security and sticky MAC mechanisms. (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html)

The Cisco IOS firewall is an EAL4 certified solution and is a stateful firewall; it is integrated into the Cisco router IOS. IOS is the best available routing, security and VoIP software around, and integrating a stateful firewall produces an economical yet flexible solution. It is the ideal solution for small offices, branch offices and wherever the need arises for an embedded firewall solution. The Cisco IOS firewall can be turned on and off in the desired manner on the desired interface in the Cisco router.

The Cisco IOS firewall can be configured in basically two modes: the Classic firewall, also known as CBAC (context-based access control), or the new configuration technique, which is called the Zone-Based Policy Firewall. The latter is used wherever the network is required to be divided into various zones, for example a DMZ zone. The latter configuration methodology will be carried on in the future as it caters for the changing needs of networks.

WAN module

The WAN connectivity for NoBo Designs has been designed taking into consideration the following characteristics.

WAN connectivity

Headquarters: All the headquarters have been connected via an international leased line from the service provider. All the branch offices are connected to their headquarters via leased lines as well, via the service provider.

Wide Area Network Backup

The internet connectivity at both the remote and client sites can be used as a backup in case the primary WAN link is down; a separate site-to-site VPN link will be required to be configured between the two sites.
The site-to-site VPN will use the IPsec framework, which would only be used once the floating routes that are present in the Cisco routers start pointing towards the VPN links in case of the WAN link outage. This IPsec VPN backup link should be strictly used as a backup, as the internet bandwidth is limited and the latency is high. Network management mechanisms would notify everyone if the primary WAN link is down. If the requirement for a backup link for a branch site comes up, the same methodology can be used: the branch can acquire its own internet connection and use it as a backup link to its respective head office. In that case changes in routing will also occur.

IPsec

IPsec is a protocol that contains a set of features that protect the data which traverses from one location to another. The location itself defines the type of VPN. The location could be anything such as a PC on the internet, a small regional office, a home office or any corporate headquarters. A user on the go would always connect to a user-to-site VPN, and all the others would be called a site-to-site VPN.

The IPsec protocol works on layer 3 and above, i.e. the TCP/UDP header and data, and does not protect any layer 2 frames; a different kind of protection mechanism has to be deployed for that, and it is possible only in the controlled network.

Encryption and IPsec are many times thought to be one and the same thing, but they are different: IPsec is basically a suite of protocols and one of them does encryption. Following are the features of the IPsec protocol suite:
Data confidentiality
Data integrity
Data origin authentication
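As an added example (not the dissertation's or NoBo's own configuration), this is the headquarter A side of the IPsec backup described in the WAN module and the IPsec section above: IKE phase 1, the ESP transform set that delivers the three features just listed, a virtual tunnel interface over the internet link, and floating static routes toward headquarter B's VLANs that only take over when the RIP routes learned over the leased line are withdrawn. Hostnames, interface names, addresses, the IOS 15.x syntax and the key placeholder are assumptions; HQB-RTR carries the mirror-image configuration.

```cisco
! HQA-RTR: IPsec backup tunnel to HQB-RTR (hypothetical names, constructed
! addresses, IOS 15.x syntax)
!
! Phase 1 (IKE/ISAKMP): how the two routers authenticate each other and
! agree on keys. The pre-shared key is a placeholder; use the same long,
! random value on both ends.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 198.51.100.2
!
! Phase 2 (IPsec): ESP with AES gives data confidentiality; the SHA-256 HMAC
! gives data integrity and data origin authentication.
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile BACKUP-VTI
 set transform-set BACKUP-TS
!
! Virtual tunnel interface: everything routed into Tunnel0 is encrypted and
! sent from the ISP interface to HQB's public address. Having a routable
! interface is what lets plain static routes select the VPN as the backup path.
interface Tunnel0
 description IPsec backup to HQB-RTR over the internet
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0/1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-VTI
!
! If the zone-based firewall is in use, the tunnel must sit in the INSIDE
! zone; otherwise LAN-to-tunnel traffic crosses into a zone-less interface
! and is dropped.
interface Tunnel0
 zone-member security INSIDE
!
! Primary path: RIP version 2 over the leased line installs HQB's VLANs with
! AD 120. These floating statics carry AD 250, so they only enter the routing
! table once the WAN link fails and the RIP routes through it are withdrawn.
ip route 192.168.110.0 255.255.255.0 Tunnel0 250
ip route 192.168.120.0 255.255.255.0 Tunnel0 250
ip route 192.168.130.0 255.255.255.0 Tunnel0 250
```

Because Tunnel0 has no `ip nat outside`, LAN traffic routed into the tunnel is not translated and the far end sees the real private addresses; only the ESP packets themselves leave Serial0/0/1, sourced from the router's own public address.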