ENTC 425 Project
IP Network Design

Due Dates:
Part 1: Project Proposal: Nov 4th
Part 2: Check-off: Dec 2nd
Project Report: Turn in during the scheduled final exam period (first 15 minutes).

IP Network Design

Objective:
This challenging lab was designed to allow groups of students to design and implement a small IP network from a ‘real world’ set of requirements with limited assistance. Upon completion of this laboratory project, students should have the skills necessary to efficiently design and implement small corporate networks. This exercise will require extensive reading and planning outside class hours. A thorough understanding of design principles and implementation (equipment-specific) techniques is necessary to adequately complete this exercise.

Overview:
You are to design a small corporate network including: an IP address scheme, a network layout, an equipment list, and a set of equipment configuration tables. As a network designer, you will be tasked with providing service that is ‘highly available’, ‘secure’ and meets the corporation’s current and future needs.

Problem Statement:
Design a corporate network using private IP addresses for a small company with at least four subnets for the following major areas: Management, Engineering, Support Staff, and Common Services. The network must be able to maintain service in the event of a single router failure with minimal downtime (the less downtime the better your grade!).

Currently the company employs:
Management: 6
Engineering: 15
Support Staff: 7

The company will most likely grow to three times this size in the near future. The common services include Mail, DNS, Internet access, file servers and other common applications shared between the three divisions. Currently, you must limit your equipment to the following items already purchased by the small company.
Cisco Routers        Cisco Switches        Security Products
3640 Router (2)      Netgear Switch (3)    VPN concentrator (2)
2622 Router (1)      4003 L3 Switch (1)    PIX Firewall

Evaluation:
One objective of this design project is to produce the best network with the least resources. The metric for comparing performance and cost will be dollars, with low performance costing the corporation money for outage time. Finally, the cost of implementation will also be included in this report, as you must track your efforts on this project and report an honest number of implementation hours.

Performance Costs – In the case of a single router failure, any ‘self-heal’ outage longer than 1 minute will cost $100/minute. For failures that require human intervention to complete, the cost will be $5000 + $100/minute for each minute it takes the team to fix the failure.

Engineering Costs – The design engineer should bill himself (internally) at a rate of $50/hour. This is implementation cost only; design is free, as we want you to spend as much time as necessary designing the system. NOTE: looking up commands and configuration information (specific to your design) is considered implementation time, as it deals with specific hardware.

Note:
• Cables are free, but need to be included in the list of materials.
• Cost is only one variable in the overall ‘report’ evaluation. Special effort should be made to present your design and complete all requirements of this lab.

IP Network Design Information:
Top-down network design is a good method for producing high-quality networks with appropriate scope and performance. This technique examines a set of needs and produces an adequate network to fulfill those needs employing ‘good engineering practices’. The basic formula is the following:

1. Understand the business needs of a network. What applications should the network support? What level of security is required? What is the ‘real’ cost of a network failure? What is the network budget? What is the timeframe?
2. Understand the technical wants and needs. Most companies would like the network to perform well under every possible application; however, most of these desires are ‘wants’ and not ‘needs’. It is very important to understand the company’s needs and wants and to be able to distinguish between them. Will the network need to scale in the future (by how much)? What is the desired throughput between each group (and within each group)? How much delay is acceptable? What are the perceived security risks? How adaptable is the network?

3. Develop a Logical Design. Using the technical and business information, design a logical network including IP addressing, IP routing, switching/bridging and security pieces. The logical design uses boxes representing the form and function of a typical device (router, switch, firewall…) but does not contain detailed information on the performance of each box.

4. Choose appropriate equipment. Choose equipment that will perform the desired functions specified in the logical design. This is the step in which you order equipment and specify things like Network Interface Cards (Ethernet, Token-ring, FDDI, ATM, serial…), number of ports, performance enhancements, and software configurations.

A good reference for network design philosophy is Top-Down Network Design, Priscilla Oppenheimer, Macmillan Technical Publishing, 1999.

In the first part of this laboratory, you will take the network design principles outlined in the above reference and produce a logical network design. For the second part, you will implement the logical design with the available equipment. The third part of this laboratory will be a critical examination of your logical design after learning from the implementation phase.

Part 1
Logical Network Design

Objective:
This is the first phase of the IP Network Design Module. In this phase, students will study and employ good design guidelines to produce a logical network design for a small company.
The ‘pre-lab’ assignment will address technologies, protocols and networking techniques discussed in the ‘background’. External resources are necessary to adequately answer the following questions.

Background:
Logical network design begins only after the goals and business needs are fully developed. Assume the company has performed this very important exercise and has come to the following conclusions concerning the desired network:

Business Needs
• The network will be used for internal distribution of material; it is not intended to generate revenue.
• Sensitive information will be kept within the network in all subnets. Shared files will be in the Common Services subnet.
• Security should address both internal and external threats.

Resources Available
• The company has purchased the equipment outlined in the module introduction.
• Any additional devices can be used, as long as you can procure (and donate) them for the laboratory.
• Use a private class B address for the entire network.
• The ONLY public IP addresses allowed for this project are the following: 128.119.194.226 – 128.194.119.233

Timeframe
• Part one must be completed by March 22nd.

Supported Applications
• The network should support the following applications: Mail, FTP (for allowed traffic flow), Web browsing, Video conferencing, Hosting, VoIP (H.323).

In addition to the above work, the company has provided some guidance on how it would like to implement the above goals and needs. The network designer traditionally performs this work, but for the purpose of this project it has already been decided. Network designs can vary from the suggestions below, but MUST meet the desires of the company.

Subnets
• There must be at least 4 subnets: Management, Engineering, Support Staff, and Common Services.
• More subnets are acceptable (and encouraged if appropriate).

Permissions for traffic flow
• Allow Internet access from all areas.
• Do not allow unsolicited requests from the Internet to pass into any portion of the company.
• Management should be able to access all subnets.
• Engineering should not be able to access Management.
• Support Staff should not be able to access the Management or Engineering subnets.

Since the business needs and network goals have already been discovered, the logical network design can begin. This is the most important phase within an IP network design effort, as decisions are made concerning the network topology, routing protocols, subnet structure, supported switching protocols, and security policies.

A good place to begin the logical network design is to choose a network topology. Network topology is the organization of layer three devices (routers) within a network. Some common network topologies include: flat, star, ring, mesh, partial mesh, two-tier, three-tier. For additional information on network topologies, reference the CCDP: Cisco Internetwork Design Study Guide.

After choosing a network topology, the IP addressing and routing protocols must be decided. The most common IP routing protocols are RIP, IGRP, OSPF, BGP, IS-IS, eBGP, EIGRP, and RIP2. One of the above protocols (eBGP) is designated for external routes and is aptly defined as the routing protocol of the Internet. The other routing protocols are used inside the ‘external router’. The interior routing protocols can be compared using the following set of criteria.

Interior Routing Protocol Criteria
• Standards based (open standard)
• Support for variable-length subnet masks (VLSM)
• Support for discontiguous subnets
• Scalability
• Bandwidth usage (update rates and update size)
• Adaptability (automatic) to changes in the network
• Host connection access to router information: gateway, proxy ARP, ICMP Router Discovery Protocol (IRDP), GDP, HSRP (Cisco specific).

Information on routing protocols can be found in your textbook & CCDP: Cisco Internetwork Design Study Guide, CCNA.
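As an added example (not part of the handout), the traffic-flow permissions above written as a policy table, with a checker that answers what the network should do for a given source/destination pair (useful for the check-off step that tests whether all subnet rules have been applied) and a generator for the matching Cisco IOS extended access-list lines. The subnet addresses are constructed placeholders, not an assignment from the handout.

```python
import ipaddress

# Constructed subnet map: example addresses, not assigned by the handout.
SUBNETS = {
    "Management":      ipaddress.ip_network("172.16.0.128/27"),
    "Engineering":     ipaddress.ip_network("172.16.0.0/26"),
    "Support Staff":   ipaddress.ip_network("172.16.0.160/27"),
    "Common Services": ipaddress.ip_network("172.16.0.64/26"),
}

# Handout rules: which source groups may NOT initiate traffic to which
# destinations. Management reaches everything, everyone reaches Common
# Services and the Internet, and nothing unsolicited enters from outside.
DENIED = {
    "Engineering":   {"Management"},
    "Support Staff": {"Management", "Engineering"},
}

def allowed(src, dst):
    """Policy decision for a connection initiated by group `src` toward `dst`."""
    if src == "Internet":
        return False                     # no unsolicited inbound requests
    if dst == "Internet":
        return True                      # Internet access from all areas
    return dst not in DENIED.get(src, set())

def group_of(ip):
    """Map an address to its group; anything outside the private plan is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "Internet"

def check_flow(src_ip, dst_ip):
    """Expected result for a test packet (e.g. a ping during check-off)."""
    return allowed(group_of(src_ip), group_of(dst_ip))

def inbound_acl(src, number=101):
    """Cisco IOS extended ACL for the router interface facing `src`, applied
    inbound (ip access-group <number> in). Explicit denies first, then a
    permit for everything else so Common Services and NAT'd Internet work.
    Wildcard masks are the inverse of the subnet mask (the hostmask)."""
    s = SUBNETS[src]
    lines = []
    for dst in sorted(DENIED.get(src, set())):
        d = SUBNETS[dst]
        lines.append(f"access-list {number} deny ip "
                     f"{s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
    lines.append(f"access-list {number} permit ip {s.network_address} {s.hostmask} any")
    return lines

def policy_matrix():
    """Full src x dst table, handy for the report's security section."""
    groups = list(SUBNETS) + ["Internet"]
    return {(s, d): allowed(s, d) for s in groups for d in groups if s != d}

if __name__ == "__main__":
    for line in inbound_acl("Support Staff"):
        print(line)
    for (s, d), ok in sorted(policy_matrix().items()):
        print(f"{s:16} -> {d:16} {'permit' if ok else 'deny'}")
```

The ACLs are stateless; return traffic for Internet sessions still has to be handled by the NAT gateway or firewall, which the policy table treats as a separate concern.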
Once the routing protocol has been selected for the internal network, an IP addressing scheme must be adopted. For this network, the company has chosen to use private addresses (class B) and also requires Internet access. This requires the use of Network Address Translation (NAT), whereby a ‘gateway’ maps internal addresses to a small pool of public addresses. An internal client therefore sends a request for an external site through the gateway. The ‘gateway’ modifies the outgoing IP packet by replacing the sender’s IP address with a public address from the address pool. Packets returning from the requested site to the public address (the shared one) are rewritten with the original (internal) destination address and passed to the internal network. By using private addresses, the company allows you the luxury of using a very large number of IP addresses. Important concepts to understand when deciding on an IP addressing scheme are classful routing, classless routing, subnet masks, VLSM, discontiguous subnets and secondaries. Note that no DHCP server has been provided, so one must be obtained if a design calls for it.

After the network topology, IP addressing and routing are chosen, the network layout can be drawn. In this phase, logical symbols should be used and actual device characteristics should be ignored (for the most part). For example, you would not concern yourself with the fact that the Cisco 3640 router contains only two Ethernet ports; if it needs to be connected to four subnets, just draw the connections for this phase. The details of device-specific design will be addressed later. Since the equipment is already provided in this project, you should consider physical limitations, but do not allow them to limit your design. The network layout should undergo iterations as additional IP technology and protocols are introduced to overcome device-related constraints.
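As an added example (not from the handout), a VLSM address plan for the four required subnets carved out of one private class B block, sized from the handout’s headcount and the stated threefold growth. The 172.16.0.0/16 block, the 20-host estimate for Common Services and the two gateway addresses reserved per subnet (for a redundant router pair) are assumptions made here.

```python
import ipaddress
import math

# Inputs from the handout (Management 6, Engineering 15, Support Staff 7) plus a
# constructed estimate of 20 server hosts for Common Services.
HEADCOUNT = {"Management": 6, "Engineering": 15, "Support Staff": 7, "Common Services": 20}
GROWTH = 3                  # "three times this size in the near future"
GATEWAYS = 2                # two router interfaces per subnet for failover (assumed)
PRIVATE_BLOCK = ipaddress.ip_network("172.16.0.0/16")   # one private class B block (assumed)

def hosts_needed(current, growth=GROWTH, gateways=GATEWAYS):
    """Addresses a subnet must provide after growth, including router interfaces."""
    return current * growth + gateways

def prefix_for(hosts):
    """Smallest prefix whose usable host count (2^bits - 2) covers `hosts`.
    At least 2 host bits, so the result is never a /31 or /32."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - bits

def plan(headcount=HEADCOUNT, block=PRIVATE_BLOCK):
    """VLSM allocation: hand out the largest subnets first from the start of the block.
    Each later subnet is the same size or smaller, so the next free address is always
    aligned to it and a simple cursor yields non-overlapping subnets."""
    sized = sorted(((name, prefix_for(hosts_needed(n))) for name, n in headcount.items()),
                   key=lambda item: item[1])      # ascending prefix = descending size
    cursor = int(block.network_address)
    result = {}
    for name, prefix in sized:
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(block):
            raise ValueError(f"{block} exhausted while placing {name}")
        result[name] = net
        cursor = int(net.broadcast_address) + 1
    return result

def overlaps(subnets):
    """Sanity check for the design report: no two allocated subnets may overlap."""
    nets = list(subnets.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def summary(subnets=None):
    """Rows of (name, network, usable hosts) for the addressing write-up."""
    subnets = subnets or plan()
    return [(name, str(net), net.num_addresses - 2) for name, net in subnets.items()]

if __name__ == "__main__":
    for name, net, usable in summary():
        print(f"{name:16} {net:18} usable hosts: {usable}")
```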
It would be nice to have a router for each subnet, but this is very impractical for small subnets, thus different subnets can share a single router. The following IP protocols should be reviewed in order to achieve an efficient design.

IP Network Technologies and Protocols
• Spanning Tree – when and how it should be used
• Virtual LAN – VLANs
• ISL Trunking
• Access Control Lists (ACL)
• Point-to-Point Protocol (PPP)

Security is a very important piece of the logical network design. For experienced network designers, high-level security issues are the first step in a logical network design. Since this lab is intended as an introduction to network design, security is considered after an initial network layout has been decided. IP network security is a ‘hot button’ for today’s network designers and should be touted as one of the prime focuses for any corporate network design. Some items which will aid in your security approach are listed below.

Security Items
• Access Control Lists – Routers can block access for IP addresses
• Device Access – Securing the administrative interface
• Switch access – Ethernet switch port and access security
• Dial-up access – AAA servers (Authentication, Authorization and Accounting)
• Perimeter Security – Routers, Bastion Hosts, DMZ, Firewalls
• Encryption – CET, MD5, DSS, IPSec
• Host – Password policies, software firewalls, VPN accounts…

A good reference for security-related issues is Cisco’s Managing Cisco Network Security text. Another good reference is Cisco’s website www.cisco.com, which contains information on ‘Cisco SAFE’.

Network Features
You must include at least four of the following features in your implemented network design. For each additional feature implemented, you will gain an additional 5 bonus points on the final project grade.
• Apache Web Server – must include content for the business and allow submission of comments, and be implemented on LINUX.
• VPN – Use the Cisco 3000 to implement a VPN connection from a lab terminal around the firewall to access a machine within the Management group.
• DNS – Configure BIND on a LINUX box. Test by connecting to a web site from inside the corporate network.
• DHCP – Configure a DHCP server (or as many as needed) within the network. Confirm operation through the use of a Windows OS machine.
• PIX Firewall – Perform network security through the use of the Cisco 515 PIX firewall (instead of using the LINUX firewall).
• Company File Server – Set up a file server with any available software/freeware and make sure it works with Windows OS. Also, make the file server an FTP server. There should be at least ‘group level’ authentication.
• Mail Server – Configure a mail server (many shareware packages are available for a limited number of e-mail addresses) and confirm operation. Basic UNIX mail does not count!!!! You must implement a well-known software package.
• VoIP – Implement a basic VoIP service within the network between sections and prove it works. Must be a centrally managed solution.

PROJECT PROPOSAL
1. Complete a logical network design for the small company. Be sure to include the following items.
• Network Design Overview: Re-state goals and desires. Explain your approach to network design and the type of network topology chosen. Make sure to defend your choice of network topology. (>2 pages)
• IP Addressing and Routing: Explain the choice of routing protocol and provide an overview of the IP addressing scheme you chose. Make sure to defend your choices. (>1 page)
• Logical Network Design: Show your detailed logical network design. This will include discussions on networking issues involving redundancy, performance, security and how the design meets the business goals and needs.
Include a professional diagram of the network with logical symbols (router, switch,…) and IP addresses for the appropriate interfaces; label subnets and show the IP addresses assigned to each. (>4 pages)
• Security: Explain your approach to security and discuss how you will secure the perimeter and enforce internal permissions. (>1 page)
2. Explain the Network Features you plan to implement and provide detail on what software packages you plan to use and how you will procure them.
3. Prepare a 10-minute group presentation to be given in class on Nov 4th.

Part 2
IP Network Implementation

Objective:
The ‘IP Network Implementation’ phase of the IP design project will require students to transform the logical network design into a functional IP network. Students must perform tradeoffs between the logical design and the available hardware configurations. During this process, students will gain insight into the benefit of certain protocols, in addition to gaining valuable equipment-specific configuration knowledge. The conclusion of this section will be a functional network that fulfills the business needs and goals outlined earlier in this module.

Background:
The implementation phase begins with a ‘Physical Network Design’ stage. This is the design stage where network interface connection types and device-specific constraints are addressed. It will be beneficial for groups to understand the available equipment explicitly. A brief list of important attributes when choosing network components is shown below.
Equipment Attributes
• Number and types of network interfaces (Ethernet, serial, Token-ring, FDDI, etc…)
• Speed of each network interface
• Processing speed
• Latency
• Auto-sensing technology (don’t have to set speed on all ports)
• Ease of configuration
• Manageability
• Cost
• Technical support
• Device-specific attributes
  o Bridges: Bridging technologies, WAN technologies, number of MAC addresses that a learning bridge can learn, filtering speed
  o Switches: Throughput in packets per second, support for cut-through switching, auto-detection of half and full duplex, VLAN support, amount of memory available, and the availability of a routing module.
  o Routers: Network-layer protocols supported, routing protocols supported, support of multimedia applications, support of advanced queuing, compression, encryption, and packet filtering.

After appropriate devices have been selected, the next phase is the actual implementation of the IP network. All of the devices used in this exercise are Cisco devices, making integration a very easy task. In an actual implementation, this is rarely the case, and issues involving compatibility must be addressed between dissimilar devices. Information on Cisco device configuration can be obtained in Interconnecting Cisco Network Devices and at www.cisco.com.

NETWORK IMPLEMENTATION
Implement your logical network design. Have your TA check off the implementation. Connect terminal devices to the network and test whether all the subnet rules have been applied. Attempt to ping the terminal from outside the network. Access the Internet from each of the four required subnets. Attempt to FTP to a subnet terminal from outside the network.

The final stage of this module is a critical design review. After completing the implementation, revisit your design and comment on your design choices and how you would alter your approach, implementation and record keeping on future designs. The final report for this module should have the following format:

1.
Design Project Overview (>2 pages): Describe the design philosophy and the important goals of the network design (make sure you address the success of each goal in the conclusion).
2. Logical Network Design (>10 pages): Update the ‘PROJECT PROPOSAL’ to reflect the actual implemented network. Make sure to describe the differences between the original design and the implemented design.
3. Implementation Notes and Lessons Learned (>4 pages): Describe specific problems encountered during implementation and discuss in detail the solutions you found. Please focus on the tougher problems (don’t dwell on cabling issues…). Describe how this project, and specifically the implementation of the network design, will alter your DESIGN of future networks.
4. IP Design Cost (>2 pages): List the cost of implementing your design, including all implementation man-hours ($50/hr per person). Note that all hours spent in front of the equipment are considered implementation hours; any work performed away from the laboratory is considered training and does not apply to the project costs. Explain methods of reducing this cost for future designs.
5. Suggestions: Make helpful suggestions on how this module can be improved.
6. Equipment Configurations: Include the configuration for all equipment used during your check-off.