Network Documentation
ET477.com

Prepared by: John Narvaiz, Jim Walker, Evan Fleischer

INFRASTRUCTURE OVERVIEW

ET477.com's network consists of six Windows 7 office computers, two Linux servers, one Windows Server 2008 machine, two Cisco 2900 series switches, a Cisco 2800 series router, and a Cisco 2600 series router. The infrastructure is wired with CAT5 UTP. The domain is split across two sites.

The Cisco 2600 series router serves the main site. A Fast Ethernet module was added to give it three physical interfaces: one connects to the Internet, one connects by a patch cable to a gigabit port on the main site's Cisco 2900 series LAN switch, and the third connects to the remote site router. The main site router and the remote site router are joined by a CAT5 UTP crossover cable running at 100 Mbps.

The Cisco 2800 series router serves the remote site, together with the second Cisco 2900 series switch, which provides the remote LAN. Only two ports are used on the remote site router: one connects to the main site router and one to the remote site LAN switch.

VLANS AND IP SCHEME

Five subnets in the 192.168.0.0/16 block are used to create the separate VLANs and the link between the main and remote site routers:

  192.168.10.0/25     server VLAN, main site
  192.168.20.0/25     office VLAN, main site
  192.168.30.0/30     link between the main and remote site routers
  192.168.10.128/25   server VLAN, remote site
  192.168.20.128/25   office VLAN, remote site

207.108.245.224/29 is the assigned public address block.

On both the main and remote site switches, ports Fa0/1 – 4 are assigned to the server VLAN (VLAN 10) and ports Fa0/5 – 24 to the office VLAN (VLAN 20).
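As an added worked example (not taken from the original documentation or from the team's actual device configurations), the following Cisco IOS fragments show how the VLAN and IP scheme above maps onto the main site switch and the main site router. The hostnames SW-MAIN and R-MAIN, the VLAN names, the router's LAN-facing interface Fa0/1 and module interface Fa1/0 (only the Internet-facing f0/0 is named on this page), and the gateway addresses (.1 of each subnet, 192.168.30.1 on the main router's end of the link, which is where the remote router's default route points) are assumptions. VLAN numbers 10 and 20 are the ones the access-list descriptions use.

```cisco
! ---- Main site switch (Cisco 2900 series); hostname assumed ----
hostname SW-MAIN
!
vlan 10
 name SERVERS
vlan 20
 name OFFICE
!
! Fa0/1 - 4: server VLAN ports (s1 and the printer patch in here)
interface range FastEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
!
! Fa0/5 - 24: office VLAN ports (the Windows 7 workstations, on DHCP)
interface range FastEthernet0/5 - 24
 switchport mode access
 switchport access vlan 20
!
! Gigabit uplink to the router, carrying both VLANs as an 802.1Q trunk
interface GigabitEthernet0/1
 description Trunk to R-MAIN Fa0/1
 switchport mode trunk
!
! ---- Main site router (Cisco 2600 series); f0/0 is the Internet link ----
hostname R-MAIN
!
! Router-on-a-stick: one sub-interface per VLAN on the LAN-facing port
! (Fa0/1 assumed). The .1 gateway addresses are assumptions.
interface FastEthernet0/1
 description Trunk to SW-MAIN Gi0/1
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description Server VLAN 10, 192.168.10.0/25
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.128
!
interface FastEthernet0/1.20
 description Office VLAN 20, 192.168.20.0/25
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.128
!
! Third interface (on the added Fast Ethernet module, name assumed): the
! /30 point-to-point link to the remote router over the crossover cable.
! The remote router's default route points at 192.168.30.1, so that
! address belongs to this end; the remote end is 192.168.30.2.
interface FastEthernet1/0
 description Crossover link to R-REMOTE
 ip address 192.168.30.1 255.255.255.252
 no shutdown
!
! The remote router (Cisco 2800) mirrors this with 192.168.10.129/25 and
! 192.168.20.129/25 on its VLAN sub-interfaces and 192.168.30.2/30 on
! the link.
```

To check the result, `show vlan brief` and `show interfaces trunk` on the switch should list Fa0/1-4 in VLAN 10, Fa0/5-24 in VLAN 20 and Gi0/1 trunking both; `show ip interface brief` on the router should show the two sub-interfaces and the link up with the addresses above.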
All servers and the printer are patched into server VLAN ports at their respective sites. See the included IP scheme spreadsheet for device and interface IP assignments.

AUTHENTICATION

User authentication is enabled on the terminal (vty) lines, auxiliary ports, and console ports of all routers and switches. User authentication is also configured on all servers. See the table below.

USER AUTHENTICATION FOR DEVICES

  Username        Password      Device(s)
  group1          et477dotcom   all routers and switches, server s1
  remote          et477dotcom   server s2
  Administrator   et477dotcom   server s3

DHCP

Each router runs its own DHCP server. Devices on the server VLANs are given static IPs from the server subnet. Devices on the office VLANs use DHCP and receive a dynamic address along with the other required options. See the tables below.

MAIN SITE DHCP OFFICE POOL

  Item          Description
  Scope         192.168.20.0 – 192.168.20.127
  Exclusions    192.168.20.0 – 192.168.20.10
  Domain-name   et477.com
  DNS           192.168.10.5 (s1.et477.com)

REMOTE SITE DHCP OFFICE POOL

  Item          Description
  Scope         192.168.20.128 – 192.168.20.255
  Exclusions    192.168.20.128 – 192.168.20.138
  Domain-name   et477.com
  DNS           192.168.10.133 (s3.et477.com)

NAT AND PAT

A standard ACL (access list 1) matches the private addresses of the office network and permits them to be translated to a public address. PAT overload uses that ACL to establish the dynamic source translation. Each server has a static NAT translation from its private IP to its own public IP. See the table below.

  Device                    Private IP                         Public IP
  Main office computers     192.168.20.11 – 192.168.20.126     207.108.245.226 (PAT)
  Remote office computers   192.168.20.139 – 192.168.20.254    207.108.245.226 (PAT)
  S1                        192.168.10.5                       207.108.245.227
  S2                        192.168.10.130                     207.108.245.228
  S3                        192.168.10.133                     207.108.245.229

SNMP SERVICE

OpManager is installed on the Windows Server 2008 machine. This GUI management software monitors all devices on the server (management) VLAN.
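As an added worked example (not the team's own configuration), the following Cisco IOS fragments implement the DHCP pools and the NAT/PAT design described above. Assumptions beyond what the page states: the hostnames R-MAIN and R-REMOTE, the router gateway addresses (.1 and .129 of the office subnets), the LAN sub-interface names (Fa0/1.10 and Fa0/1.20) and the inter-site link interface (Fa1/0) on the main router, and that the public overload address 207.108.245.226 is the address of the main router's Internet-facing f0/0 (the page names f0/0 as the Internet interface and .225 as the ISP router).

```cisco
! ---- R-MAIN: DHCP pool for the main site office VLAN ----
! .0 - .10 are excluded (the gateway .1 lives there); office hosts
! therefore receive .11 - .126 of the /25.
ip dhcp excluded-address 192.168.20.0 192.168.20.10
!
ip dhcp pool OFFICE-MAIN
 network 192.168.20.0 255.255.255.128
 default-router 192.168.20.1
 dns-server 192.168.10.5
 domain-name et477.com
!
! ---- R-REMOTE: DHCP pool for the remote site office VLAN ----
! .128 - .138 excluded; office hosts receive .139 - .254.
ip dhcp excluded-address 192.168.20.128 192.168.20.138
!
ip dhcp pool OFFICE-REMOTE
 network 192.168.20.128 255.255.255.128
 default-router 192.168.20.129
 dns-server 192.168.10.133
 domain-name et477.com
!
! ---- R-MAIN: NAT / PAT (the only router with an Internet link) ----
! ACL 1: every private address in 192.168.0.0/16, i.e. both sites, is
! eligible for dynamic translation.
access-list 1 permit 192.168.0.0 0.0.255.255
!
! PAT overload: all matching inside hosts share the address of the
! public interface (207.108.245.226, assumed to be the f0/0 address).
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! One static translation per server, so connections from the Internet
! to the public address reach the server (subject to ACL 101).
ip nat inside source static 192.168.10.5   207.108.245.227
ip nat inside source static 192.168.10.130 207.108.245.228
ip nat inside source static 192.168.10.133 207.108.245.229
!
interface FastEthernet0/0
 description Link to ISP router 207.108.245.225
 ip address 207.108.245.226 255.255.255.248
 ip nat outside
!
! Every interface that carries private traffic toward the Internet is
! "inside", including the /30 link that brings in the remote site.
interface FastEthernet0/1.10
 ip nat inside
interface FastEthernet0/1.20
 ip nat inside
interface FastEthernet1/0
 ip nat inside
```

`show ip dhcp binding` on each router lists the leases handed out, and `show ip nat translations` on R-MAIN shows the three static entries permanently plus dynamic entries (all with outside address .226) as office hosts open connections.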
Network discovery has been performed: the two routers, the two switches, the two Linux servers, and the Windows server are listed, and their performance information is monitored and displayed. The NetFlow module was also installed in OpManager. The switches and routers support NetFlow and are configured globally and per interface to export bandwidth data to OpManager; clicking the NetFlow tab in OpManager displays this information. For the specific commands used to configure the Cisco devices for NetFlow, see the help module in OpManager. OpManager runs as a Windows service started at boot time. To access the data, click the OpManager icon on the desktop of the Windows Server 2008 machine.

SERVER DATA

The main site has one Linux server providing SSH, web, and DNS services; the web site on server s1 is reached as www.et477.com. The remote site has two servers: a Linux server providing TFTP and SSH services, and a Windows Server 2008 machine providing RDP, SNMP, and (per the table below) master DNS services. See the tables below.
SERVER S1 (s1.et477.com)

  Operating System    CentOS (Linux based)
  Static IP Address   192.168.10.5/25
  Services            SSH, web, DNS slave

  DNS RECORDS
    SOA     s1.et477.com
    A       s1.et477.com    207.108.245.227
    A       s3.et477.com    207.108.245.229
    A       s2.et477.com    207.108.245.228
    NS      s1.et477.com
    NS      s3.et477.com
    CNAME   ssh.et477.com   s1.et477.com
    CNAME   www.et477.com   s1.et477.com

SERVER S2 (s2.et477.com)

  Operating System    CentOS (Linux based)
  Static IP Address   192.168.10.130/25
  Services            SSH, TFTP

SERVER S3 (s3.et477.com)

  Operating System    Windows Server 2008
  Static IP Address   192.168.10.133/25
  Services            RDP, SNMP, DNS master

  DNS RECORDS
    The zone on s3 holds the same records as listed for s1 above (SOA s1.et477.com; A records for s1, s2 and s3 pointing at their public addresses; NS s1 and s3; CNAMEs ssh and www to s1).

LOGGING, ROUTING, AND BACKUP

The correct time and date have been set on all devices, and logging has been configured on the routers and switches. The TFTPgui TFTP server runs at all times on server s2; a folder on its desktop holds the configuration files backed up from the routers and switches, available for retrieval. Both OSPF (dynamic) and static routing are used: OSPF shares routes between the main and remote sites, a static default route on the remote router provides its path to the Internet via the main router, and a static default route on the main router provides the path to the ISP router and the Internet. See the table below.

NETWORK PROTOCOL

  Routing     Network / Route                             Device(s)
  OSPF 100    192.168.0.0 0.0.255.255 area 0              main router and remote router
  Static      ip route 0.0.0.0 0.0.0.0 207.108.245.225    main router, default route to the Internet
  Static      ip route 0.0.0.0 0.0.0.0 192.168.30.1       remote router, default route to the main router

NETWORK PRINTER

A network printer was installed and configured on the network and given the static IP address 192.168.10.3.
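As an added worked example for the LOGGING, ROUTING, AND BACKUP section above (not the team's own configuration), the following Cisco IOS fragments implement the OSPF and static routing in the NETWORK PROTOCOL table, the time and logging settings, and the configuration backup to the TFTP server on s2 (192.168.10.130). Assumptions: the hostnames R-MAIN and R-REMOTE, the sub-interface names, that logging goes to the local buffer (the page does not name a log destination), the buffer size, and the backup file names. The passive-interface lines are an addition beyond what the page describes.

```cisco
! ---- R-MAIN ----
! Time and logging. Setting the clock is a privileged EXEC command, not
! configuration:   clock set hh:mm:ss day month year
service timestamps log datetime msec
! Local log buffer; size is an assumption.
logging buffered 16384 informational
!
! OSPF process 100: the wildcard covers every 192.168.x.x interface, so
! both VLAN sub-interfaces and the /30 link join area 0. passive-interface
! on the VLAN sub-interfaces (added here) keeps the LAN subnets in OSPF
! without sending hellos toward servers and workstations.
router ospf 100
 network 192.168.0.0 0.0.255.255 area 0
 passive-interface FastEthernet0/1.10
 passive-interface FastEthernet0/1.20
!
! Static default route toward the ISP router. It is not redistributed
! into OSPF; the remote router carries its own static default instead.
ip route 0.0.0.0 0.0.0.0 207.108.245.225
!
! ---- R-REMOTE ----
service timestamps log datetime msec
logging buffered 16384 informational
!
router ospf 100
 network 192.168.0.0 0.0.255.255 area 0
 passive-interface GigabitEthernet0/1.10
 passive-interface GigabitEthernet0/1.20
!
! Default route to the main router's end of the /30 link; the main
! router forwards on to the ISP.
ip route 0.0.0.0 0.0.0.0 192.168.30.1
!
! ---- Backup of the running configuration to the TFTP server on s2 ----
! Privileged EXEC on each router and switch (file names assumed):
!   copy running-config tftp://192.168.10.130/R-MAIN-confg
!   copy running-config tftp://192.168.10.130/R-REMOTE-confg
!   copy running-config tftp://192.168.10.130/SW-MAIN-confg
!   copy running-config tftp://192.168.10.130/SW-REMOTE-confg
! Restore with:
!   copy tftp://192.168.10.130/R-MAIN-confg running-config
```

`show ip ospf neighbor` on either router should show the other in FULL state across the /30 link, and `show ip route` on R-REMOTE should list the main site's 192.168.10.0/25 and 192.168.20.0/25 as OSPF routes (O) alongside its static default (S*). Because the TFTP server sits on the server VLAN, a switch whose management address is in the office VLAN would be subject to ACL 110's TFTP deny on the router; the routers themselves are not affected, since an inbound interface ACL does not filter router-originated traffic.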
A host (A) record was created on the DNS servers so that the printer could be installed by the name mike.et477.com. The installation procedure on each Windows 7 computer was: add a new printer, create a TCP/IP port for mike.et477.com, and install the driver downloaded from the HP driver support web page. Once the driver was installed on a computer, installation of the new printer could be completed. See the table below.

  Device             IP
  HP printer 1320n   192.168.10.3

E-MAIL SERVICES

A Google Apps account was created and verified for the domain et477.com. Three user accounts with e-mail service were then created, one for each group member. MX records were created on the DNS servers so that e-mail is delivered to these accounts. The accounts were tested and verified. See the tables below.

GOOGLE APPS USER ACCOUNTS

  User                Name
  group1@et477.com    Jim Walker
  JohnN@et477.com     John Narvaiz
  EvanF@et477.com     Evan Fleischer

DNS RECORDS

  MX   1    aspmx.l.google.com
  MX   5    alt1.aspmx.l.google.com
  MX   5    alt2.aspmx.l.google.com
  MX   10   aspmx2.googlemail.com
  MX   10   aspmx3.googlemail.com

ACCESS CONTROL LISTS

Four access lists were created: one for PAT overload, two for controlling office VLAN access (one on the main site router and one on the remote site router), and one for controlling incoming services from the Internet into the private network. See the descriptions below.

ACL 1
Standard access list permitting any address in 192.168.0.0/16 to be translated on the NAT/PAT public (overload) interface.

ACL 101
Extended access list permitting only certain services on particular machines from the Internet: web (HTTP) to s1 (.227), SSH to s1 (.227) and s2 (.228), RDP to s3 (.229), and DNS to s1 and s3. Each service is permitted to its particular public address and then explicitly denied to everything else. The last statement permits all other, unlisted traffic, for example the return traffic of web sessions opened by the office computers. Note that because the list ends with a permit, any port that is not explicitly denied remains reachable on the statically translated server addresses .227 – .229.
The access list is applied inbound on the interface directly connected to the Internet, f0/0 on the main router, because the unwanted requests arrive from the Internet into the network.

ACL 110
Extended access list blocking the management services running on the server VLAN (VLAN 10) from machines on the office VLAN (VLAN 20). The services explicitly denied are SSH, TFTP, and SNMP; the last line permits all other traffic from the office VLAN. The list is applied inbound on the office VLAN sub-interface of each router, so the unwanted requests are dropped as they enter the router.

RDP AND SSH SERVICES

SSH was configured on the routers, the switches, server s1, and server s2. Direct SSH access to the routers and switches from the Internet is blocked by ACL 101, so remote SSH access to them is only possible after first logging into s1 or s2 with established credentials. Once configured, the SSH services were reachable from a Linux bash prompt or with PuTTY on Windows.

Remote Desktop was enabled on the Windows Server 2008 machine and is permitted by the public-facing ACL on the main router, so any Windows system with the appropriate credentials can reach the Windows server remotely. This is desirable because the Windows server runs the SNMP software that monitors the network infrastructure.
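As an added worked example for both the ACCESS CONTROL LISTS section (ACL 101 and ACL 110) and the RDP AND SSH SERVICES section (not the team's own configuration), the following Cisco IOS fragments write out the two extended lists as the page describes them and the local-authentication and SSH settings on the network devices. Assumptions: the hostname R-MAIN and the office sub-interface name Fa0/1.20 (only f0/0 is named on the page), that "DNS" means port 53 over both UDP and TCP, that "SNMP" covers both the agent port 161 and the trap port 162, the RSA key size, and the enable secret, which the page does not list. The group1 credentials are the ones in the USER AUTHENTICATION table.

```cisco
! ---- R-MAIN: ACL 101, inbound on the Internet-facing interface ----
! An inbound ACL on an "ip nat outside" interface is evaluated before
! translation, so destinations here are the public (static NAT) addresses.
access-list 101 remark From Internet: listed services to listed hosts only
access-list 101 permit tcp any host 207.108.245.227 eq www
access-list 101 permit tcp any host 207.108.245.227 eq 22
access-list 101 permit tcp any host 207.108.245.228 eq 22
access-list 101 permit tcp any host 207.108.245.229 eq 3389
access-list 101 permit udp any host 207.108.245.227 eq domain
access-list 101 permit tcp any host 207.108.245.227 eq domain
access-list 101 permit udp any host 207.108.245.229 eq domain
access-list 101 permit tcp any host 207.108.245.229 eq domain
! The same services to any other address (the router's own .226, the
! other servers) are denied explicitly, which is what keeps SSH and RDP
! from the Internet off the router itself ...
access-list 101 deny   tcp any any eq www
access-list 101 deny   tcp any any eq 22
access-list 101 deny   tcp any any eq 3389
access-list 101 deny   udp any any eq domain
access-list 101 deny   tcp any any eq domain
! ... and everything else is permitted, so the replies to the office
! computers' outbound web sessions (destination .226, ephemeral port)
! get back in.
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip access-group 101 in
!
! ---- R-MAIN: ACL 110, inbound on the office VLAN sub-interface ----
! Office hosts (192.168.20.0/25 at this site) may not reach SSH, TFTP or
! SNMP on either site's server VLAN; 192.168.10.0/24 covers both /25s.
access-list 110 remark Office VLAN 20 -> Server VLAN 10: no SSH/TFTP/SNMP
access-list 110 deny   tcp 192.168.20.0 0.0.0.127 192.168.10.0 0.0.0.255 eq 22
access-list 110 deny   udp 192.168.20.0 0.0.0.127 192.168.10.0 0.0.0.255 eq tftp
access-list 110 deny   udp 192.168.20.0 0.0.0.127 192.168.10.0 0.0.0.255 eq snmp
access-list 110 deny   udp 192.168.20.0 0.0.0.127 192.168.10.0 0.0.0.255 eq snmptrap
access-list 110 permit ip any any
!
interface FastEthernet0/1.20
 ip access-group 110 in
! (R-REMOTE carries the same list with source 192.168.20.128 0.0.0.127.)
!
! ---- Local authentication and SSH on each router and switch ----
! hostname and ip domain-name must exist before the RSA key is generated.
hostname R-MAIN
ip domain-name et477.com
username group1 secret et477dotcom
! Not on the page; placeholder.
enable secret CHANGE-ME
!
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line console 0
 login local
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
```

`show access-lists` shows per-line hit counts, which is the quickest way to confirm that an SSH attempt from the Internet to .226 lands on the `deny tcp any any eq 22` line rather than on the final permit; `show ip ssh` confirms version 2 is active. The closing `permit ip any any` in ACL 101 exists only so that replies to the PAT'd office hosts are accepted; a tighter form keeps the explicit permits, replaces the closing line with `permit tcp any host 207.108.245.226 established` (and the equivalent for replies to the servers' own outbound sessions) followed by `deny ip any any`, or uses stateful inspection on the router if the installed IOS image supports it, which the page does not state.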