CMIT452 Network Implementation Proposal Paper
I have attached the requirements for the network proposal paper. Please use it as a guideline for the term paper.
Network Proposal Paper
Depicted below is a corporate network.
A corporation has two domain name system (DNS) servers, one web server, and one SMTP server. All servers and their connecting routers are in the same subnet. A Layer 3 switch is connected through EtherChannel to another subnet.
The web server and SMTP server need to communicate with the Internet.
For security purposes, web access to the SMTP and DNS servers is denied. The DNS servers should communicate only with each other and the Internet.
For this network, you are required to implement the following Layer 2 and Layer 3 services:
Implement switch-to-switch connectivity using trunking and link aggregation
Implement a PVLAN solution hosting the DNS, WWW and SMTP servers
For security, implement a VACL and a PACL in the Critical subnet
Provide a verification plan for the above solution
Provide a technical proposal that addresses all issues described above.
The proposal should contain:
Cover page
Index Page
Executive summary
Technical details (including any assumptions)
Conclusion
Reference page
Writing Instructions
Your paper must have a minimum of 5 pages and a maximum of 10 pages of text, excluding the required title page and bibliography, index page, reference page, and optional tables. Text must be Times New Roman, 12-point font, 1″ margin on all sides, and double spaced.
Students must follow “Publication Manual of the American Psychological Association, Fifth Edition (APA- 5)”, also known as APA style or format. Only a Microsoft Word file will be accepted as the final submission; no HTML or PDF files allowed.
All sources must be properly cited and must be credible. At least two sources must be Internet sources (for help in evaluating the credibility of web sources, go to www.umuc.edu/library/guides/evaluate.shtml). Once you have completed a good draft, it is strongly advised that you submit it to UMUC’s Effective Writing Center (EWC). In order to allow sufficient time for their review, you need to submit the draft to EWC two weeks prior to the paper’s due date.
CMIT_452_Cisco Network Proposal
Prof. Kusay Rukieh
CISCO NETWORK PROPOSAL
Prepared for:
Prof. Kusay Rukieh
Prepared by:
Ngu Nguyen
I. Introduction
This technical network proposal describes the implementation of the following solutions for a corporation. After reviewing the customer's network requirements and the current network topology, we, as the network engineers, understand that the corporation has two domain name system (DNS) servers, one web server, and one SMTP server. All servers and their connecting router are in the same subnet. A Layer 3 switch is connected through EtherChannel to another subnet. The web server and SMTP server need to communicate with the Internet. For security, web access to the SMTP and DNS servers is denied, and the DNS servers should communicate only with each other and the Internet. Therefore, we provide the following network proposal:
– The corporation will have two subnets: one Server subnet (192.168.1.0/24) and one Critical subnet (192.168.2.0/24). They communicate through a router using a router-on-a-stick configuration.
– The connections between switches are configured as EtherChannel to provide redundant links and to carry the communication between VLANs.
– In the Server subnet, we implement a Private VLAN (PVLAN) and a VLAN access list (VACL) to provide security between the servers.
– In the Critical subnet, we implement a VACL and a PACL (port access list).
– On the router, we implement router-on-a-stick using 802.1Q sub-interfaces to provide communication between the two subnets. We also create a default route to provide outbound Internet access for both subnets.
1. Network Topology
2. Connectivity Table
Device | Interface            | Neighbor              | IPv4 Address / Note
R1     | Gigabit Ethernet 0/0 | ACSW1                 | 192.168.1.1 / 192.168.2.1
R1     | Gigabit Ethernet 0/0 | ISP                   |
ACSW1  | Ethernet 0/1         | DNS1                  | 192.168.1.53
ACSW1  | Ethernet 0/2         | DNS2                  | 192.168.1.54
ACSW1  | Ethernet 0/3         | Web server            | 192.168.1.80
ACSW1  | Ethernet 0/4         | SMTP server           | 192.168.1.25
ACSW1  | Fast Ethernet 0/24   | R1                    |
ACSW1  | Fast Ethernet 0/22   | DSW                   | EtherChannel
ACSW1  | Fast Ethernet 0/23   | DSW                   | EtherChannel
DSW    | Fast Ethernet 0/22   | ACSW1                 | EtherChannel
DSW    | Fast Ethernet 0/23   | ACSW1                 | EtherChannel
DSW    | Fast Ethernet 0/20   | ACSW2                 | EtherChannel
DSW    | Fast Ethernet 0/21   | ACSW2                 | EtherChannel
ACSW2  | Fast Ethernet 0/1    | PC1 (Critical subnet) | 192.168.2.10
ACSW2  | Fast Ethernet 0/2    | PC2 (Critical subnet) | 192.168.2.20
II. Implementation
1. Implement a PVLAN solution hosting the DNS, WWW and SMTP servers
As per the requirement, we need to implement private VLANs for these servers. The DNS servers are placed in a community private VLAN, and the Web/SMTP servers in an isolated private VLAN, so that the DNS servers can reach each other while the Web and SMTP servers can reach only the promiscuous uplink port. Note that on most Catalyst platforms the switch must run VTP in transparent mode (or VTP version 3) before private VLANs can be configured.
Syntax: switch(config)# vlan [2-4094]
>>this command creates a VLAN and enters VLAN configuration mode.
switch(config-vlan)# private-vlan community
>>this command sets the VLAN to be a community VLAN.
switch(config)# vlan [2-4094]
switch(config-vlan)# private-vlan isolated
>>this command sets the VLAN to be an isolated VLAN.
switch(config)# vlan [2-4094]
switch(config-vlan)# private-vlan primary
>>this command sets the VLAN to be the primary VLAN.
switch(config-vlan)# private-vlan association secondary-vlan-list
>>entered under the primary VLAN, this command associates the secondary (community and isolated) VLANs with the primary VLAN.
switch(config)# interface interface-type number
>>this command enters interface configuration mode.
switch(config-if)# switchport mode private-vlan [host | promiscuous]
>>this command sets the interface to be either a host port or a promiscuous port.
switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
>>on a host port, this command binds the interface to its secondary VLAN and the associated primary VLAN.
switch(config-if)# switchport private-vlan mapping primary-vlan-id secondary-vlan-list
>>on a promiscuous port, this command maps the primary VLAN to the secondary VLANs whose traffic the port may carry.
– On the ACSW1 switch:
ACSW1(config)#vlan 20
ACSW1(config-vlan)#private-vlan community
ACSW1(config-vlan)#vlan 30
ACSW1(config-vlan)#private-vlan isolated
ACSW1(config-vlan)#vlan 100
ACSW1(config-vlan)#private-vlan primary
ACSW1(config-vlan)#private-vlan association 20,30
ACSW1(config-vlan)#exit
ACSW1(config)#interface range fastEthernet 0/1 - 2
ACSW1(config-if-range)#switchport mode private-vlan host
ACSW1(config-if-range)#switchport private-vlan host-association 100 20
ACSW1(config-if-range)#exit
ACSW1(config)#interface range fastEthernet 0/3 - 4
ACSW1(config-if-range)#switchport mode private-vlan host
ACSW1(config-if-range)#switchport private-vlan host-association 100 30
ACSW1(config-if-range)#exit
ACSW1(config)#interface fastEthernet 0/24
ACSW1(config-if)#switchport mode private-vlan promiscuous
ACSW1(config-if)#switchport private-vlan mapping 100 20,30
– On the ACSW2 switch:
ACSW2(config)#vlan 200
ACSW2(config-vlan)#name Critical_Subnet
2. VACL for denying web access to the SMTP and DNS servers
A VLAN access list needs to be deployed to protect the DNS and SMTP servers. A VACL is stateless and is applied to all traffic bridged or routed into the VLAN; the ACL below lists the flows to match and the access-map decides what happens to them.
Syntax: switch(config)# ip access-list [extended | standard] [ACL-number | ACL-name]
>>this command creates a standard or extended access list and enters ACL configuration mode.
switch(config-ext-nacl)# [permit | deny] [tcp | udp | ip] [host A.B.C.D | any] [host A.B.C.D | any] [eq port-number | service-name]
>>this command defines an ACL entry that matches traffic from a source to a destination, optionally restricted to a service port. In a VACL, an entry that permits traffic marks it as matched; the access-map action then decides whether to forward or drop it.
switch(config)# vlan access-map access-map-name sequence-number
>>this command creates an access-map entry; entries are evaluated in sequence order and the first match decides the action.
switch(config-access-map)# match ip address [ACL-number | ACL-name]
>>this command defines the matching policy for the access-map entry.
switch(config-access-map)# action [forward | drop]
>>this command defines the action taken on matched traffic.
switch(config)# vlan filter access-map-name vlan-list vlan-ids
>>this command applies the access-map to the listed VLANs.
– On the ACSW1 switch:
ACSW1(config)#ip access-list extended No_Web_Access
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.25 eq 80
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.25 eq 443
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.53 eq 80
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.53 eq 443
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.54 eq 80
ACSW1(config-ext-nacl)#permit tcp any host 192.168.1.54 eq 443
ACSW1(config-ext-nacl)#exit
ACSW1(config)#vlan access-map VACL01 10
ACSW1(config-access-map)#match ip address No_Web_Access
ACSW1(config-access-map)#action drop
ACSW1(config-access-map)#vlan access-map VACL01 20
ACSW1(config-access-map)#action forward
ACSW1(config-access-map)#exit
ACSW1(config)#vlan filter VACL01 vlan-list 20,30
3. VACL and PACL in the Critical subnet (192.168.2.0/24)
In the Critical subnet, we need to implement a VLAN access list and a port access list to secure these hosts. The VACL commands are the same as in section 2 above; the PACL is an extended ACL applied inbound on a physical switch port:
Syntax: switch(config-if)# ip access-group [ACL-number | ACL-name] in
>>this command applies an extended ACL to the traffic entering the interface (a port ACL).
a. VACL
Allow only DNS, web, and SMTP traffic from PC1 and PC2 in the Critical subnet to the Server subnet, and deny all other traffic. Because the VACL is stateless and inspects every frame switched in VLAN 200, the reply traffic from the servers back to PC1 and PC2 must also be covered by a forward entry for the sessions to complete.
ACSW2(config)#ip access-list extended Critical_Subnet
ACSW2(config-ext-nacl)#permit tcp host 192.168.2.10 host 192.168.1.25 eq 25
ACSW2(config-ext-nacl)#permit udp host 192.168.2.10 host 192.168.1.53 eq 53
ACSW2(config-ext-nacl)#permit udp host 192.168.2.10 host 192.168.1.54 eq 53
ACSW2(config-ext-nacl)#permit tcp host 192.168.2.10 host 192.168.1.80 eq 80
ACSW2(config-ext-nacl)#permit tcp host 192.168.2.10 host 192.168.1.80 eq 443
– Repeat the same entries for PC2 (192.168.2.20).
ACSW2(config-ext-nacl)#exit
ACSW2(config)#vlan access-map VACL02 10
ACSW2(config-access-map)#match ip address Critical_Subnet
ACSW2(config-access-map)#action forward
ACSW2(config-access-map)#vlan access-map VACL02 20
ACSW2(config-access-map)#action drop
ACSW2(config-access-map)#exit
ACSW2(config)#vlan filter VACL02 vlan-list 200
b. PACL
Deny Telnet and SSH between the two hosts 192.168.2.10 and 192.168.2.20.
– On the ACSW2 switch, configure the PACL to block Telnet and SSH:
ACSW2(config)#ip access-list extended No_Telnet_SSH
ACSW2(config-ext-nacl)#deny tcp host 192.168.2.10 host 192.168.2.20 eq 22
ACSW2(config-ext-nacl)#deny tcp host 192.168.2.10 host 192.168.2.20 eq 23
ACSW2(config-ext-nacl)#permit ip any any
ACSW2(config-ext-nacl)#exit
ACSW2(config)#interface fastEthernet 0/1
ACSW2(config-if)#ip access-group No_Telnet_SSH in
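To check how the access lists in sections 2 and 3 behave before they are pushed to the switches, here is an added worked example, written for this page and not part of the proposal, that models Catalyst ACL, VACL and PACL processing in Python: the first matching entry wins, an access-map entry without a match clause matches everything, and a map with no matching entry drops. The ACL contents are copied from sections 2 and 3 (with the second DNS entry pointed at DNS2, 192.168.1.54); the Packet and Ace classes, the helper functions and the test flows are constructed for the example.

```python
"""Stateless evaluation of the proposal's extended ACLs, VACLs and PACL (example code).

Models how a Catalyst switch processes a vlan access-map: entries are tried in
sequence order, the first whose ACL *permits* (i.e. matches) the packet decides
the action, an entry with no match clause matches everything, and a map with no
matching entry drops the packet. A PACL is an ordinary ACL with an implicit
deny at the end, applied inbound on a physical port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny proto src dst [eq dport]."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # dotted host address or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_result(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# (sequence, acl-or-None, action); None means no match clause = match everything
VaclEntry = Tuple[int, Optional[List[Ace]], str]


def vacl_result(vacl: List[VaclEntry], p: Packet) -> str:
    for _seq, acl, action in sorted(vacl, key=lambda e: e[0]):
        if acl is None or acl_result(acl, p) == "permit":
            return action
    return "drop"   # no entry matched


# Section 2: No_Web_Access, applied by VACL01 (match -> drop, everything else forward)
NO_WEB_ACCESS = [Ace("permit", "tcp", "any", h, port)
                 for h in ("192.168.1.25", "192.168.1.53", "192.168.1.54")
                 for port in (80, 443)]
VACL01 = [(10, NO_WEB_ACCESS, "drop"), (20, None, "forward")]

# Section 3a: Critical_Subnet, applied by VACL02 (match -> forward, everything else drop)
CRITICAL_SUBNET = [
    Ace("permit", "tcp", "192.168.2.10", "192.168.1.25", 25),
    Ace("permit", "udp", "192.168.2.10", "192.168.1.53", 53),
    Ace("permit", "udp", "192.168.2.10", "192.168.1.54", 53),
    Ace("permit", "tcp", "192.168.2.10", "192.168.1.80", 80),
    Ace("permit", "tcp", "192.168.2.10", "192.168.1.80", 443),
]
VACL02 = [(10, CRITICAL_SUBNET, "forward"), (20, None, "drop")]

# Section 3b: PACL No_Telnet_SSH, inbound on Fa0/1 (PC1)
NO_TELNET_SSH = [
    Ace("deny", "tcp", "192.168.2.10", "192.168.2.20", 22),
    Ace("deny", "tcp", "192.168.2.10", "192.168.2.20", 23),
    Ace("permit", "ip", "any", "any"),
]


# Constructed test flows taken from the verification plan
def www_to_smtp_http() -> str:
    return vacl_result(VACL01, Packet("tcp", "192.168.1.80", "192.168.1.25", 80))


def pc1_to_web_http() -> str:
    return vacl_result(VACL02, Packet("tcp", "192.168.2.10", "192.168.1.80", 80))


def web_reply_to_pc1() -> str:
    # the HTTP reply has source port 80 and an ephemeral destination port
    return vacl_result(VACL02, Packet("tcp", "192.168.1.80", "192.168.2.10", 49152))


def pc1_ssh_to_pc2() -> str:
    return acl_result(NO_TELNET_SSH, Packet("tcp", "192.168.2.10", "192.168.2.20", 22))


def pc1_ping_pc2() -> str:
    return acl_result(NO_TELNET_SSH, Packet("icmp", "192.168.2.10", "192.168.2.20"))


if __name__ == "__main__":
    for name, fn in (("WWW -> SMTP:80 (VACL01)", www_to_smtp_http),
                     ("PC1 -> WEB:80 (VACL02)", pc1_to_web_http),
                     ("WEB:80 -> PC1 reply (VACL02)", web_reply_to_pc1),
                     ("PC1 -> PC2:22 (PACL)", pc1_ssh_to_pc2),
                     ("PC1 -> PC2 icmp (PACL)", pc1_ping_pc2)):
        print(f"{name:<32} {fn()}")
```

Running the flows shows the proposal's intent (web access to the SMTP server dropped, PC1 to the web server forwarded, PC1 SSH to PC2 denied, ping permitted) and also that the HTTP reply from 192.168.1.80 back to PC1 falls through to the drop entry of VACL02, which is why a stateless VACL needs a forward entry for the return direction as well.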
4. Port channel between the DSW switch and the ACSW1 and ACSW2 switches
A port channel needs to be configured between DSW and each of ACSW1 and ACSW2 to provide redundant links. Both ends of a channel must agree on the protocol, and the member ports must have identical speed, duplex and trunk settings or they are suspended from the bundle.
Syntax: switch(config)# interface range interface-type first-number - last-number
>>this command enters interface configuration mode for a range of ports.
switch(config-if-range)# channel-group [1-255] mode [active | passive | desirable | auto | on]
>>this command adds the ports to a channel group: active/passive negotiate with LACP (open standard), desirable/auto with PAgP (Cisco), and on bundles without negotiation.
switch(config)# interface port-channel [1-255]
>>this command enters the port-channel (logical) interface.
switch(config-if)# switchport trunk encapsulation [dot1q | isl]
>>this command sets the trunk encapsulation on the port-channel interface.
switch(config-if)# switchport mode [trunk | access]
>>this command sets the interface type to trunk or access.
– On the DSW switch
DSW(config)#interface range fastEthernet 0/22 - 23
DSW(config-if-range)#channel-group 1 mode active
DSW(config-if-range)#exit
DSW(config)#interface port-channel 1
DSW(config-if)#switchport trunk encapsulation dot1q
DSW(config-if)#switchport mode trunk
DSW(config-if)#exit
DSW(config)#interface range fastEthernet 0/20 - 21
DSW(config-if-range)#channel-group 2 mode active
DSW(config-if-range)#exit
DSW(config)#interface port-channel 2
DSW(config-if)#switchport trunk encapsulation dot1q
DSW(config-if)#switchport mode trunk
– On the ACSW1 switch
ACSW1(config)#interface range fastEthernet 0/22 - 23
ACSW1(config-if-range)#channel-group 1 mode active
ACSW1(config-if-range)#exit
ACSW1(config)#interface port-channel 1
ACSW1(config-if)#switchport trunk encapsulation dot1q
ACSW1(config-if)#switchport mode trunk
– On the ACSW2 switch
ACSW2(config)#interface range fastEthernet 0/20 - 21
ACSW2(config-if-range)#channel-group 2 mode active
ACSW2(config-if-range)#exit
ACSW2(config)#interface port-channel 2
ACSW2(config-if)#switchport trunk encapsulation dot1q
ACSW2(config-if)#switchport mode trunk
5. Configure router-on-a-stick on router R1 and Internet access
– On the router:
Syntax: Router(config)# interface interface-type 0/0.x
>>this command creates a logical sub-interface over a physical interface.
Router(config-subif)# encapsulation [dot1Q | isl] vlan-id
>>this command selects the trunk encapsulation (dot1Q is the standard, ISL is Cisco proprietary) and the VLAN whose tagged frames the sub-interface handles. It must be entered before the IP address.
Router(config-subif)# ip address A.B.C.D netmask
>>this command assigns an IP address to the sub-interface; it becomes the default gateway of that VLAN.
Router(config)# interface interface-type number
>>this command enters the physical interface.
Router(config-if)# no shutdown
>>this command brings the interface up.
– On the switch:
switch(config)# interface interface-type number
>>this command enters the interface.
switch(config-if)# switchport trunk encapsulation [dot1q | isl]
>>this command sets the encapsulation of the trunk link.
switch(config-if)# switchport mode trunk
>>this command sets the interface to be a trunk.
switch(config-if)# switchport trunk allowed vlan vlan-list
>>this command restricts the VLANs carried on the trunk link.
In order to allow communication between the Critical subnet and the Server subnet, we need to configure inter-VLAN routing on the R1 router. We also need to configure a default route to provide Internet access for both internal subnets (192.168.1.0/24 and 192.168.2.0/24).
a. Router-on-a-stick
– On the router
Router(config)#hostname R1
R1(config)#interface gigabitEthernet 0/0.100
R1(config-subif)#encapsulation dot1Q 100
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
R1(config-subif)#interface gigabitEthernet 0/0.200
R1(config-subif)#encapsulation dot1Q 200
R1(config-subif)#ip address 192.168.2.1 255.255.255.0
R1(config-subif)#interface gigabitEthernet 0/0
R1(config-if)#no shutdown
– On the ACSW1 switch
ACSW1(config)#interface fastEthernet 0/24
ACSW1(config-if)#switchport trunk encapsulation dot1q
ACSW1(config-if)#switchport mode trunk
ACSW1(config-if)#switchport trunk allowed vlan 1,100,200
b. Configure a default route for Internet access from the internal subnets
R1(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/1
>>this command sets the default route that provides outbound access for all internal subnets, using the exit interface toward the ISP as the next hop.
6. Verification plan for the above solution
a. PVLAN solution hosting the DNS, WWW and SMTP servers
– Because we implement private VLANs in the Server subnet, the two DNS servers are able to communicate with each other as they belong to the community VLAN:
– From the DNS1 command prompt, ping DNS2; the ping will succeed.
– From the DNS1 and DNS2 command prompts, ping the WWW and SMTP servers; the pings will fail, since those servers belong to the isolated VLAN.
– From the WWW server command prompt, ping the SMTP server; the ping will fail, since both belong to the isolated VLAN.
– From the DNS, WWW and SMTP command prompts, ping google.com or any Internet site; the pings will succeed because of the default route.
– On ACSW1, use the commands show vlan private-vlan (or show vlan) and show run | i vlan to verify the defined VLAN configuration.
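The expected ping results in this step follow directly from the private-VLAN forwarding rules. As an added illustration that is not part of the proposal, the following Python model encodes those rules with the port roles from section 1 (community VLAN 20 for the DNS servers, isolated VLAN 30 for WWW/SMTP, promiscuous Fa0/24 toward R1) and checks the expectations listed above; the PvlanPort class and the function names are the example's own.

```python
"""Model of private-VLAN forwarding used to check the verification expectations (example code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port roles in a private VLAN.
PROMISCUOUS = "promiscuous"
COMMUNITY = "community"
ISOLATED = "isolated"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                 # PROMISCUOUS, COMMUNITY or ISOLATED
    secondary: Optional[int]  # secondary VLAN id; None for promiscuous ports


def can_forward(a: PvlanPort, b: PvlanPort) -> bool:
    """Return True if the switch bridges frames between ports a and b.

    Catalyst private-VLAN semantics within one primary VLAN:
      * a promiscuous port reaches every port in the primary VLAN;
      * two community ports reach each other only if they share the same
        community VLAN;
      * an isolated port reaches nothing but promiscuous ports, even another
        port in the same isolated VLAN.
    """
    if a.name == b.name:
        return True
    if PROMISCUOUS in (a.role, b.role):
        return True
    if a.role == COMMUNITY and b.role == COMMUNITY:
        return a.secondary == b.secondary
    return False  # at least one side is isolated


# Server-subnet ports from the proposal: primary VLAN 100,
# community VLAN 20 for DNS, isolated VLAN 30 for WWW/SMTP.
PORTS = {
    "DNS1": PvlanPort("Fa0/1", COMMUNITY, 20),
    "DNS2": PvlanPort("Fa0/2", COMMUNITY, 20),
    "WWW":  PvlanPort("Fa0/3", ISOLATED, 30),
    "SMTP": PvlanPort("Fa0/4", ISOLATED, 30),
    "R1":   PvlanPort("Fa0/24", PROMISCUOUS, None),
}


def reachability_matrix(ports: Dict[str, PvlanPort] = PORTS) -> Dict[Tuple[str, str], bool]:
    """Every ordered pair of distinct ports and whether frames are bridged between them."""
    names = list(ports)
    return {(x, y): can_forward(ports[x], ports[y])
            for x in names for y in names if x != y}


def check_proposal_expectations(ports: Dict[str, PvlanPort] = PORTS) -> List[str]:
    """Compare the model with the verification plan; return the violated expectations."""
    expected = {
        ("DNS1", "DNS2"): True,   # community members ping each other
        ("DNS1", "WWW"): False,   # community cannot reach isolated
        ("DNS2", "SMTP"): False,
        ("WWW", "SMTP"): False,   # two isolated hosts never talk
        ("DNS1", "R1"): True,     # every server reaches the promiscuous uplink
        ("WWW", "R1"): True,
        ("SMTP", "R1"): True,
    }
    matrix = reachability_matrix(ports)
    return [f"{a}->{b}" for (a, b), want in expected.items() if matrix[(a, b)] != want]


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix().items()):
        print(f"{a:>4} -> {b:<4} {'forward' if ok else 'blocked'}")
    print("violations:", check_proposal_expectations() or "none")
```

The model makes the design trade-off visible: moving the WWW and SMTP servers into the community VLAN would let them reach the DNS servers, while adding a second DNS server to the isolated VLAN would break the DNS1-to-DNS2 requirement.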
b. VACL for denying web access to the SMTP and DNS servers
– From the WWW server, open a browser and try to access the SMTP (192.168.1.25) and DNS (192.168.1.53/192.168.1.54) servers; the connections will fail.
– On ACSW1, use the commands show access-lists and show vlan access-map to verify the defined ACL and access-map.
c. VACL and PACL in the Critical subnet (192.168.2.0/24)
– From the PC1 (192.168.2.10) command prompt, ssh and telnet to PC2 (192.168.2.20); the connections will fail.
– From the PC1 command prompt, ping PC2; the ping will succeed.
– From the PC1 and PC2 command prompts, run nslookup google.com; it will resolve the IP address of google.com. We assume that PC1 and PC2 have already been configured with the DNS servers (192.168.1.53/192.168.1.54) in their DNS settings.
– On PC1 and PC2, configure a mail client with the SMTP server (192.168.1.25) as the outgoing mail server; sending mail will succeed.
– On PC1 and PC2, use the browser to access the web server (192.168.1.80); the access will succeed.
– On ACSW2, use the commands show access-lists and show vlan access-map to verify the defined ACL and access-map.
d. Port channel between the DSW switch and the ACSW1 and ACSW2 switches
On the DSW, ACSW1 and ACSW2 switches, use the following command to verify:
– Switch# show etherchannel summary
>>to verify the brief status of the current port channels and their member ports.
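The output of show etherchannel summary can also be checked by a script, so that the verification does not depend on reading the flags by eye. The following is an added example written for this page, not part of the proposal: it parses the Group/Port-channel/Protocol/Ports table and reports any bundle that is not Layer 2 and in use (SU) and any member port that is not bundled (P). The sample output is constructed for the example in the Catalyst IOS format; Po1 is shown healthy, Po2 is deliberately shown with one suspended and one down member.

```python
"""Parse 'show etherchannel summary' and check that a bundle matches the design (example code).

Flags that matter in the output: Po(SU) = Layer 2 and in use; member (P) = bundled;
(D) = down; (s) = suspended; (I) = stand-alone.
"""
import re
from typing import Dict, List

# Constructed sample output (not captured from the proposal's switches).
SAMPLE_SUMMARY = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/22(P)   Fa0/23(P)
2      Po2(SD)         LACP      Fa0/20(s)   Fa0/21(D)
"""

# One table row: group number, Po number with flags, protocol, then the member ports.
ROW_RE = re.compile(r"^(\d+)\s+Po(\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member port with its flags, e.g. "Fa0/22(P)".
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text: str) -> Dict[int, dict]:
    """Return {group: {"flags": str, "protocol": str, "ports": {name: flags}}}."""
    groups: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # legend, headers and counters are skipped
        group, _po, flags, proto, ports = m.groups()
        groups[int(group)] = {
            "flags": flags,
            "protocol": proto,
            "ports": {name: f for name, f in PORT_RE.findall(ports)},
        }
    return groups


def check_bundle(summary: Dict[int, dict], group: int, expected_ports: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the bundle matches the design."""
    problems: List[str] = []
    g = summary.get(group)
    if g is None:
        return [f"channel-group {group} not present"]
    if "S" not in g["flags"] or "U" not in g["flags"]:
        problems.append(f"Po{group} flags {g['flags']}: expected Layer 2 (S) and in use (U)")
    for port in expected_ports:
        flags = g["ports"].get(port)
        if flags is None:
            problems.append(f"{port} missing from Po{group}")
        elif "P" not in flags:
            problems.append(f"{port} in Po{group} is not bundled (flags {flags})")
    return problems


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_SUMMARY)
    # DSW design from section 4: Po1 = Fa0/22-23 to ACSW1, Po2 = Fa0/20-21 to ACSW2
    for group, members in ((1, ["Fa0/22", "Fa0/23"]), (2, ["Fa0/20", "Fa0/21"])):
        print(f"Po{group}:", check_bundle(summary, group, members) or "OK")
```

A suspended (s) member usually means the two ends disagree on speed, duplex, trunk encapsulation or allowed VLANs, which is the first thing to compare after such a check fails.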
e. Router-on-a-stick on router R1 and Internet access
– From the PC1 and PC2 command prompts, run nslookup google.com; it will resolve the IP address of google.com. We assume that PC1 and PC2 have already been configured with the DNS servers (192.168.1.53/192.168.1.54) in their DNS settings.
– On PC1 and PC2, configure a mail client with the SMTP server (192.168.1.25) as the outgoing mail server; sending mail will succeed.
– On PC1 and PC2, use the browser to access the web server (192.168.1.80); the access will succeed.
– On PC1 and PC2, use the browser to access google.com; the access will succeed.
– ACSW1#show interface fastEthernet 0/24 switchport
>>to verify the trunk status and the VLANs allowed on the interface.
– R1#show ip interface brief
>>to verify the sub-interface IP addresses.
– R1#show ip route
>>to verify the default route.
– On the PC1 and PC2 command prompts, run tracert google.com to verify that the traffic passes through their gateway.