Desert View High School Group Members: Group Members: Killian McLoughlin.Killian McLoughlin. JP SheridanJP Sheridan Kevin Traynor.Kevin Traynor.

Contents:  Design Goals  WAN Design  LAN Design Logical & Physical LAN Design Logical & Physical LAN Design  Equipment Details: MDF Equipment MDF Equipment IDF Equipment IDF Equipment Design Of Cabinet In Each Classroom Design Of Cabinet In Each Classroom Classroom Hardware Configuration Classroom Hardware Configuration Topology & Servers Topology & Servers Wiring Wiring  Security Why Use VLANS ? Why Use VLANS ? Benefits Of VLANS Benefits Of VLANS VLAN Membership Policy Server VLAN Membership Policy Server Security Hardware Security Hardware

Contents continued  Layout Of Classrooms.  IP Addressing IP Addressing Scheme. IP Addressing Scheme. Sub-netting. Sub-netting.  Router Configurations ACL (blocks Telnet traffic to router from Lecturers & Students) ACL (blocks Telnet traffic to router from Lecturers & Students) DHCP Configuration DHCP Configuration  Conclusion

Design goals  To create a LAN that will act as an arm of the Washington schools district WAN.  This LAN should then prove functional for at least the next 7-10 years.  Each classroom will support at least 25 workstations  Throughout the LAN all workstations will be provided with internet connection.

Design Goalscntd.  Cat5 will provide the required Ethernet speeds using; 10Base-t, 100Base-t and 1000Base-Fx. (cabling will comply with TIA/EIA-568-A and TIA/EIA-569 standards.) (cabling will comply with TIA/EIA-568-A and TIA/EIA-569 standards.)  The initial requirements for any host PC on the LAN will be 1Mbit, whereas for network servers it will be 100Mbit.

Design Goalscntd.  Desert view’s LAN will also have to cater for the minimum of the following:  10x growth in the District internet connection throughput.  2x growth in the core WAN throughput.  And (at least) 100x growth in the LAN’S own throughput.

Wan Design.  The Washington WAN consists of three district centers. These are: The ‘Shaw Butte’ elementary school. The ‘Shaw Butte’ elementary school. The Districts Data center. The Districts Data center. The Service center. The Service center. These centers are then connected using T1 lines through Cisco routers. ( ‘Desert View’ connects to the core WAN through ‘Shaw Butte’)

WAN Design The Washington School District Wide Area Network (WAN) will: The Washington School District Wide Area Network (WAN) will: Connect all school and administrative offices with the district office for the purpose of delivering data. Connect all school and administrative offices with the district office for the purpose of delivering data. The WAN will be based on a two-layer hierarchical model. Three (3) regional Hubs will be established at the District Office/Data Center, Service Center and Shaw Butte Elementary School for the purpose of forming a fast WAN core network. Three (3) regional Hubs will be established at the District Office/Data Center, Service Center and Shaw Butte Elementary School for the purpose of forming a fast WAN core network. School locations will be connected into the WAN core Hub locations based on proximity to the Hub. School locations will be connected into the WAN core Hub locations based on proximity to the Hub.

WAN Design TCP/IP and Novell IPX are the only networking protocols acceptable to traverse the district WAN. TCP/IP and Novell IPX are the only networking protocols acceptable to traverse the district WAN. All other protocols will be filtered at the individual school sites using access routers. All other protocols will be filtered at the individual school sites using access routers. High-end, powerful routers will also be installed at each WAN core location. High-end, powerful routers will also be installed at each WAN core location. Access to the Internet or any other outside network connections will be provided through the District Office/Data Center through a Frame Relay WAN link. Access to the Internet or any other outside network connections will be provided through the District Office/Data Center through a Frame Relay WAN link. For security purposes, no other connections will be permitted. For security purposes, no other connections will be permitted.

Wan Core T1 Line

LAN Design  Logical Design Of The LAN  Physical Design Of The LAN

Logical Design Of LAN

Physical Design

Physical Design cnt.

Equipment Details Desert View High school

MDF Equipment : Design Of MDF

MDF Eqipment  The Cisco 3600 Series is a family of modular, multi-service access platforms for medium and large-sized offices and smaller Internet Service Providers.  With over 90 modular interface options, the Cisco 3600 family provides solutions for data, voice video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing.  The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution.  In Cisco 3600 series routers, the 2-port serial WAN interface card supports both asynchronous (up to kbps) and synchronous (up to Mbps) data rates. Cisco 3600 Router

Cisco Catalyst 3548XL Enterprise Edition   stackable 10/100 and Gigabit Ethernet switcht   delivers premium performance, manageability, and flexibility with unparalleled investment protection.   48 10/100 ports and two GBIC-based Gigabit Ethernet ports.   This switch offers advanced software features, including complete 802.1Q and ISL VLAN support, TACACS+ security, and fault tolerance through Uplink Fast. MDF & IDF Eqipment

IDF Equipment : Design Of IDF

Design Of Cabinet In Each Classroom

Classroom Hardware Configuration  Each classroom has 4 RJ 45 Points:  Lecturers workstations are connected to 1 of the points (CAT 5 UTP) and patched directly to an enterprise switch in the nearest IDF.  A Cisco 12 port 10/100 Standard Switch is connected to each of the remaining points.Each standard switch is patched directly back to an enterprise switch in the nearest IDF (CAT 5 UTP ).  8 student PCs are connected to each standard switch.  A networked printer is also connected to one of the standard switches in each classroom.  A File & print server handles the print queues for the entire high school

Why Use Switches & Not Hubs In Classrooms ? Hubs  A hub is an ethernet (10BaseT or 100BaseT UTP/STP) repeater.  typical 12-port hub, any data it receives on one port will be re-transmitted on all of the other seven ports. The intended destination could be on any of those ports. It's simple to understand  Not very efficient as there is no traffic control - if two PCs try to transmit at the same time, a 'collision' occurs and the data has to be re-transmitted.  Even though an Ethernet card might be 'full duplex' it may not be able to actually transmit and receive simultaneously.  A PC will have no interest in data which another PC is sending (for example) to a printer elsewhwere on the network, so clogging up its ethernet interface is wasteful. Classroom Hardware Config.

Why Use Switches & Not Hubs In Classrooms cnt. Switches  A switch transmits data from one specific port to another, rather than re-broadcasting data to all other ports.  A switch is intelligent and will learn which device is on which port (MAC Address).  A switch knows which port received data needs to be sent to.  This makes the network much more effcient and allows more devices to communicate with each other simultaneously. Classroom Hardware Config.

Topology & Servers  This Network is structured on an extended star topology. External Servers On WAN Core  Administrative ( MAIN ) server  DNS Server Servers On Desert View LAN  Administrative Server  Server  File & Print Server  TFTP & RAS Server  School Web Server  Proxy Server  Application Server  Library Server  DNS Host Server & DHCP Server Servers are located in the same room as the MDF and are connected directly to the enterprise switch in the MDF. CAT 5 UTP

Wiring  All Enterprise Switches are interconnected through trunking ports using fiber optic cabling.  All cabling is ran through the existing cable runs, where possible  All workstations are connected to network points on walls and on the floors (Lecturer workstations) with CAT 5 UTP cabling.  All network points in classrooms are patched through to switches in each classroom with CAT 5 UTP cabling.  The switches in each classroom are patched back to an enterprise switch in the nearest IDF.

SECURITY VLANS VLANS  Why Use VLANs  Benefits Of VLANs  VLAN Membership Policy Server Security Hardware Security Hardware  Pix Firewall

VLANs Why Use VLANs ? VLANs provide the following benefits:  Reduced administration costs from solving problems associated with moves, adds, and changes.  Workgroup and network security.  Controlled broadcast activity.  Leveraging of existing hub investments.  Centralized administration control.

VLANS  We have decided to implement 4 VLANS on the Desert View LAN as follows:  VLAN 1 = Administration.  VLAN 2 = Lecturers.  VLAN 3 = Students.  VLAN 4 = IP Telephony.

VLAN Membership Policy Server  We have decided to implement dynamic VLANs for improved security using Cisco VMPS  With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access  Control (MAC) address of the device connected to the port.  When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.  When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File  Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled.  VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests.  When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

VMPS Cnt.  The VMPS Server holds a database of device’s MAC addresses and the VLAN that those devices are members of.  These addresses must be entered into the database manually.  That device will be on the same VLAN no matter what port it is connected to on the LAN.

VMPS cnt.  All Lecturer’s laptop’s MAC addresses and all administration workstation MAC addresses will be entered into this database.  A lecturer can then plug his/her laptop into any port on the LAN and still be a member of the appropriate VLAN.  This approach offers a higher level of security preventing student’s PCs from becoming members of the lecturer’s or administration staff’s VLANs, should the student decide to connect his/her workstation to the lecturer’s wall point or any other switch port on the LAN that is a member of the non-student VLAN.

VMPS cnt.  We also have decided to use VMPS for the IP telephony VLAN.  This will allow IP telephones to be connected to any available port on any switch on the LAN and still be a member of the appropriate VLAN.  Having a VLAN exclusively for IP telephony will not reduce bandwidth for PCs  Having a VLAN exclusively for IP telephony will ensure maximum quality of signal for phones.

Security Hardware PIX 515 DC powered firewall PIX 515 DC powered firewall Cisco’s PIX firewall series delivers strong security, easy to install at a competitive price. Cisco’s PIX firewall series delivers strong security, easy to install at a competitive price. Pix firewalls provide the latest in security technology ranging from Pix firewalls provide the latest in security technology ranging from inspection firewalling inspection firewalling contrast firewalling capabilites contrast firewalling capabilites Integrated intrusion detection to help secure a network enviornment from next generation attacks. Integrated intrusion detection to help secure a network enviornment from next generation attacks.

Typical classroom Layout Banks of 8 PC’s Wall points Network printer Lecturers PC/Cat5 point Comms cabinet Desks etc.

IP Addressing Scheme  Washington School District WAN uses a class A IP addressing scheme.  Desert View High school has been allocated the address 10.1.x.x  This leaves us with 2 octets to subnet from & approximately a possible 64,000 host addresses. & approximately a possible 64,000 host addresses.

IP Addressing Scheme cnt.  Every wing is on its own subnet, with the exception of wing 1 which is split into 2 subnets because of the amount of hosts it requires.  This results in room for future expansion.  We Have decided to give administration its own sub-net. Through the use of ACLs this will allow us to distinguish between traffic from Teacher/Student workstations and administration workstations.  All networking equipment and all administration workstations are on the administration’s sub-net  This sub-net is X

Addresses Static IP Addresses On Administration sub-net  = DNS/DHCP Server.  = Router.  = WWW Server.  = Library Server.  = Application Server.  = File & Print Server.  = TFTP & RAS Server.  = Mail Server.  – = Enterprise Switches.  – =Regular Switches In classrooms

Subnet Breakdown X X X X (Admin) X X X

Subnet Breakdown cntd X X X X X

Routing Protocols  We have decided to use Interior Gateway Routing Protocol (IGRP) as the network routing protocols.  Some of the advantages are: Scalability Scalability Fast response to network changes Fast response to network changes Use a sophisticated composite metric that provides significant route selection flexibility. Use a sophisticated composite metric that provides significant route selection flexibility. Can maintain up to four unequal paths between a network source and destination. Can maintain up to four unequal paths between a network source and destination. Multiple paths can increase available bandwidth or for route redundancy. Multiple paths can increase available bandwidth or for route redundancy.

Router Configuration DHCP  Before configuring DHCP on the, subnets must be decided on and all static address must be noted so that they can be excluded from DHCP pool.  An FTP or TFTP server must be configured to be a DHCP server which will hold the DHCP database.  In this case we're using the DNS server to be a dual function server to save cost and space.

Router Configuration  Sample DHCP configuration  Desert_view(config)# ip dhcp database dhcp timeout 80 //howlong to wait for reply  Desert_view(config)# ip dhcp database tftp: dhcp write-delay 80//how often updates database  Desert_view(config)# ip dhcp excluded-address //network printer //excludes this printer address from DHCP Pool  Desert_view(config)# ip dhcp pool Wing_five_east  Desert_view(config-dhcp)# network //wing 5 subnet  Desert_view(config-dhcp)# domain-name desert_view  Desert_view(config-dhcp)# dns-server  Desert_view(config-dhcp)# default-router

ACLs  This access control list prevents telnet traffic to the router. Router> enable Router# hostname Desert_view Desert_view# enable secret ***** Desert_view# config t Desert_view(config)# access list 101 deny tcp “Subnet’s IP address” eq telnet Desert_view(config)# access list 101 permit ip any any Desert_view(config)# int e0 Desert_view(config-int)# ip access-group 101 in  All subnets except for the administration’s subnet would be implemented into this ACL  is the router’s IP address. + Router Configuration

Conclusions  Easy To Implement.  Easy To Maintain.  High security.  A Lot Of Support For Expansion.

ANY QUESIONS ?????? ??????