project report

Description
A report on configuring routers and multilayer switches, covering the concept of inter-VLAN routing and security concepts such as NAT, PAT and ACLs.

ENTERPRISES NETWORK END TO END SOLUTION

Submitted for the partial fulfillment of the Degree Of Bachelor of Technology (Computer Science and Engineering)

Submitted by: XXXXXXXXX YYYYYY ZZZZZZZZ

Submitted to: XXXXXXXXXXXX
Training Co-ordinator CSE Department


ACKNOWLEDGEMENT

The author is highly grateful to the xxxxxx, Director, xxxxxxxx, for providing this opportunity to carry out the six week summer training at HPES xxxxxx. The constant guidance and encouragement received from xxxxxxx Dean T&P, xxxxxx has been of great help in carrying out the project work and is acknowledged with reverential thanks. The author would like to express a deep sense of gratitude and thanks profusely to Mr. xxxxx, Trainer at HPES. Without the wise counsel and able guidance, it would have been impossible to complete the report in this manner. The help rendered by xxxxxx for experimentation is greatly acknowledged. The author expresses gratitude to other faculty members of Computer Science and Engineering department of xxxx for their intellectual support throughout the course of this work. Finally, the authors are indebted to all whosoever have contributed in this report work and friendly stay at HPES xxxxxx.

xxxxxxx


Table of Contents (Contents: Page No.)

Abstract: 5
List of Figures: 6
List of Tables: 7
List of Acronyms: 7
1. Introduction
1.1 Company Background and Organization Structure: 8
1.2 Project Overview: 9
1.3 Basics of Networking: 9
1.4 Required Technologies: 16
2. Training given
2.1 CISCO Packet Tracer: 16
2.2 Basics of Router: 18
2.3 Basics of Switch: 24
2.4 VLAN: 28
2.5 Inter VLAN Routing: 31
2.6 VTP: 32
2.7 Routing Technique and Security: 34
3. Project: 50
4. Conclusion: 52
5. Problem and Suggestions: 52
6. References: 53
7. Appendix: 54


Abstract

This project is based on enterprise networks and NOCs (Network Operating Centers), where we also manage stub networks (server administration, backup jobs, user administration and so on). The main objective of this project is to take care of business continuity, because nowadays most organizations, such as BPOs, exchanges and banks, cannot tolerate an interruption of business continuity even for a moment, since 80% of their work is done online. To avoid such interruptions we work on redundancy and backups for servers, connectivity and routers.

We also provide network security so that unauthorized users cannot access protected data, servers for the centralization of shared resources, and high-speed internet connectivity so that speed never becomes an issue.

LIST OF FIGURES (Figure: Page number)

Fig 1: Layers of OSI Model: 11
Fig 2: Layer 7: 12
Fig 3: Layer 6: 12
Fig 4: Layer 5: 13
Fig 5: Layer 4: 13
Fig 6: Layer 3: 14
Fig 7: Layer 2: 14
Fig 8: Layer 1: 15
Fig 9: Data transfer in various layers: 15
Fig 10: Cisco Packet Tracer: 17
Fig 11: Serial interface of routers: 23
Fig 12: VLAN: 29
Fig 13: Multilayer switch: 32
Fig 14: VTP modes: 33
Fig 15: Static routing: 35
Fig 16: OSPF design: 39
Fig 17: ACL: 43
Fig 18: NAT: 47
Fig 19: Enterprises network end to end solution (Project): 50
Fig 20: www.hpes.com: 55
Fig 21: www.yahoo.com: 56
Fig 22: www.dit.com: 56
Fig 23: PC51 pinging with other PC in the network: 57


List of Tables (Table Name: Page number)

Table 1: Default Administrative Distance: 36

List of Acronyms

ACL: Access Control List
AS: Autonomous System
CCNA: Cisco Certified Network Associate
CLI: Command Line Interface
DUAL: Diffusing Update Algorithm
EIGRP: Enhanced Interior Gateway Routing Protocol
IOS: Internetwork Operating System
NAT: Network Address Translation
OSPF: Open Shortest Path First
PAT: Port Address Translation
RIP: Routing Information Protocol
VLAN: Virtual Local Area Network
VTP: Virtual Trunking Protocol
VTY: Virtual Terminal

1. Introduction
1.1 Company Background and Organization Structure:

Hewlett-Packard Company (HP) is an American multinational hardware and software corporation headquartered in Palo Alto, California, United States. It provides products, technologies, software, solutions and services to consumers, small- and medium-sized businesses (SMBs) and large enterprises, including customers in the government, health and education sectors.

HP Education Services provides IT professionals, enterprise businesses and end-users with the highest quality, most comprehensive technical and business education services and expertise using advanced technologies. HP believes that we never stop learning, and therefore we emphasize making developers and managers fully aware of new technologies. Sophisticated new technologies can be optimized for business benefit only if supplemented by sufficient knowledge and training for implementing them. Keeping in mind that your employees' time is a valuable resource, we have created a full suite of training programs. We provide a fully integrated learning environment. This includes self-paced, web-based distance learning and online seminars via our innovative online offering, the IT Resource Center. HP Education Services provides the industry's finest integrated learning curricula, which include e-learning, online forums, a resource center and virtual classrooms for mastering new technologies. HP Education provides instructor-led and online training with customized content to suit specific needs, ensuring the success of both the individual IT professional and the enterprise.

1.2 Project Overview

The project is designed for corporate purposes. We have a router cloud so that we can configure routes to reach the destination network through multiple paths using different routing mechanisms and protocols. For secure communication there is gateway-level security, such as ACLs and Layer 3 security, used on the routers. For stub networks we design and configure centralized management by creating a domain and configuring Active Directory and LDAP. Inside the network we have different departments, such as Admin, Finance, Faculty and Students, each with its own broadcast domain, so that we can categorize and manage all these departments and also keep their communication confidential; with this we can increase scalability and flexibility according to future growth.

1.3 Basics of Networking

Layered Communication Model
• The information that travels on a network is generally referred to as data or a packet.
• A packet is a logically grouped unit of information that moves between computer systems.
• In order for data packets to travel from a source to a destination on a network, it is important that all the devices on the network speak the same language or protocol.
• A protocol is a set of rules that make communication on a network more efficient.
• A data communications protocol is a set of rules or an agreement that determines the format and transmission of data.
• Layer 4 on the source computer communicates with Layer 4 on the destination computer.
• The rules and conventions used for this layer are known as Layer 4 protocols.
• It is important to remember that protocols prepare data in a linear fashion.

OSI Model
• To address the problem of network incompatibility, the International Organization for Standardization (ISO) researched networking models in order to find a generally applicable set of rules for all networks.
• Using this research, the ISO created a network model that helps vendors create networks that are compatible with other networks.
• The Open System Interconnection (OSI) reference model released in 1984 was the descriptive network model that the ISO created.
• It provided vendors with a set of standards that ensured greater compatibility and interoperability among various network technologies.
• The OSI reference model has become the primary model for network communications.
• Although there are other models in existence, most network vendors relate their products to the OSI reference model.

Benefits of the OSI Model:
• Reduces complexity
• Standardizes interfaces
• Facilitates modular engineering
• Ensures interoperable technology
• Accelerates evolution
• Simplifies teaching and learning

The OSI reference model is a framework that is used to understand how information travels throughout a network. The OSI reference model explains how packets travel through the various layers to another device on a network, even if the sender and destination have different types of network media.

Fig 1: Layers of OSI Model

Dividing the network into seven layers provides the following advantages:
• It breaks network communication into smaller, more manageable parts.
• It standardizes network components to allow multiple vendor development and support.
• It allows different types of network hardware and software to communicate with each other.
• It prevents changes in one layer from affecting other layers.
• It divides network communication into smaller parts to make learning it easier to understand.


Description of OSI Layers

Fig 2: Layer 7


Fig 3: Layer 6

Fig 4: Layer 5


Fig 5: Layer 4

Fig 6: Layer 3


Fig 7: Layer 2

Fig 8: Layer 1

Fig 9: Data Transfer in Various Layers

1.4 Required Technologies

Hardware Requirements
A. Router
B. Switch
C. Multilayer (Layer 3) Switch
D. Wires

Software Requirements
A. Cisco Packet Tracer

2. Training given

2.1 CISCO Packet Tracer

Packet Tracer is a Cisco router simulator that can be used in training and education, but also in research for simple computer network simulations. The tool is created by Cisco Systems and provided free of charge to faculty, students and alumni who are or have been participants in the Cisco Networking Academy. The purpose of Packet Tracer is to offer students and teachers a tool to learn the principles of networking as well as to develop Cisco-specific skills. The current version of Packet Tracer supports an array of simulated Application Layer protocols, as well as basic routing with RIP, OSPF and EIGRP, to the extent required by the current CCNA curriculum. While Packet Tracer aims to provide a realistic simulation of functional networks, the application itself implements only a small number of the features found in actual hardware running a current Cisco IOS version. Thus, Packet Tracer is unsuitable for modeling production networks. With the introduction of version 5.3, several new features were added, including BGP. BGP is not part of the CCNA curriculum, but part of the CCNP curriculum. Packet Tracer is commonly used by Cisco Networking Academy students working towards Cisco Certified Network Associate (CCNA) certification. Due to its functional limitations, it is intended by Cisco to be used only as a learning aid, not as a replacement for Cisco routers and switches.


Fig 10: CISCO Packet Tracer

2.2 Basics of Routers

IOS User Interface
The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and most switches. A kernel is the basic, indispensable part of an operating system that allocates resources and manages things such as low-level hardware interfaces and security.

CISCO Router IOS
The Cisco IOS is a proprietary kernel that provides routing, switching, internetworking and telecommunications features. These are some important things that the Cisco router IOS software is responsible for:
I. Carrying network protocols and functions
II. Connecting high-speed traffic between devices
III. Adding security to control access and stop unauthorized network use
IV. Providing scalability for ease of network growth and redundancy
V. Supplying network reliability for connecting to network resources

We can access the Cisco IOS through the console port of a router, from a modem into the auxiliary (or Aux) port, or even through Telnet. Access to the IOS command line is called an EXEC session.

Command-Line Interface (CLI)
The CLI is used to configure CISCO switches and routers. There are 4 common modes:

User EXEC mode: By default, the first mode we enter when logging in to a CISCO device is user EXEC mode. No configuration can be changed or viewed from User mode; only basic status information can be viewed. User mode appends a ">" after the device hostname:

Router>

Privileged mode: This mode allows all configuration files, settings and status information to be viewed. Privileged mode appends "#" after the device hostname:

Router#

To enter Privileged mode from User EXEC mode, type:

Router> enable
Router#

Global Configuration mode: Very few changes are allowed in Privileged mode; the actual configuration of a CISCO device is done in Global Configuration mode.

Router(config)#

To enter Global Configuration mode from Privileged mode, type:

Router# configure terminal
Router(config)#

Global Configuration mode allows parameters that globally affect the device to be changed. Additionally, it is divided into several sub-modes dedicated to specific functions. Among the most common sub-modes are the following:

Interface Configuration mode: To configure an interface we must specify the type of interface and the interface number. For Fast Ethernet configuration of a router, type:

Router(config)# interface fastEthernet 0/0
Router(config-if)#

For Serial interface configuration of a router, type:

Router(config)# interface serial 0/0/0
Router(config-if)#

Line Configuration mode: To configure a line we must specify the type of line followed by the line number. Thus, to configure the first console line of a router:

Router(config)# line console 0
Router(config-line)#

To configure TELNET (or VTY) lines on a router:

Router(config)# line vty 0 4
Router(config-line)#

Router Configuration mode: This mode is used to configure dynamic routing protocols, such as RIP and EIGRP.

Router and Switch Administrative Configuration
The administrative functions that you can configure on a router and switch are as follows:

Hostnames
To change the hostname of a CISCO device, type:

Router(config)# hostname CISCO
CISCO(config)#

Passwords
Five passwords are used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret.

Auxiliary password: To configure the auxiliary line password, type:

Router(config)# line aux 0
Router(config-line)# login
Router(config-line)# password CISCO

To set the password for Privileged mode, type:

Router(config)# enable password CISCO

To encrypt the passwords shown in the configuration (reversible type 7 encoding), type:

Router(config)# service password-encryption

To set the enable secret, which is stored as a hash and takes precedence over the enable password, type:

Router(config)# enable secret CISCO

To set the console password for user EXEC mode, type (the login command is required, otherwise the password is never asked for):

Router(config)# line console 0
Router(config-line)# password CISCO
Router(config-line)# login

To set the Telnet password, type:

Router(config)# line vty 0 4
Router(config-line)# password TELNET
Router(config-line)# login

Interface descriptions
In a router there are two types of ports, Fast Ethernet and Serial. Fast Ethernet configuration is done with the following command:

Router(config)# interface fastEthernet 0/1
Router(config-if)#

The first 0 indicates the slot number and 1 indicates the port number. There are 2 Fast Ethernet ports on an 1800 series CISCO router.

Serial port configuration is done with the following command:

Router(config)# interface serial 0/0/0
Router(config-if)#

The first 0 is the router itself, the second 0 indicates the slot number and the last 0 stands for the port number.

In the case of a switch, there are 24 Fast Ethernet ports and the configuration of a Fast Ethernet port is the same as on a router.

Configure IP Address on an Interface
To configure an IP address on an interface, use the ip address command from interface configuration mode:

Router(config)# interface fastEthernet 0/1
Router(config-if)# ip address 192.168.10.2 255.255.255.0

Serial Interface Commands

[Fig 11 diagram: serial interfaces of routers, one end labelled DCE and the other DTE]
DCE: Data Communication Equipment
DTE: Data Terminal Equipment

Fig 11: Serial Interfaces of Routers

Configure a DCE serial interface with the clock rate command (the DCE end provides the clocking):

Router(config)# interface serial 0/1/0
Router(config-if)# clock rate 64000
Router(config-if)# ip address 10.0.0.2 255.0.0.0

Configure a DTE serial interface (no clock rate is set on this end):

Router(config)# interface serial 0/1/0
Router(config-if)# ip address 10.0.0.3 255.0.0.0

Viewing, Saving and Erasing Configuration
To show the running configuration, type:

Router# show running-config

To show the saved startup configuration, type:

Router# show startup-config

To save the running configuration, type:

Router# wr
Building configuration…

To delete the startup configuration, type:

Router# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] (press Enter)
[OK]

2.3 Basics of Switch

A switch is a Data Link Layer device. Each port is its own collision domain, while all ports share one broadcast domain. It is an intelligent device, as it builds a CAM (Content Addressable Memory) table, also called the MAC address table. Switches are hardware-based devices, as they use ASICs (Application Specific Integrated Circuits), but they work on bridging technology.

IOS User Interface
The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and switches. A kernel is the basic, indispensable part of an operating system that allocates resources and manages things such as low-level hardware interfaces and security.

Command-Line Interface (CLI)
The CLI is used to configure CISCO switches. There are 4 common modes:

User EXEC mode: By default, the first mode we enter when logging in to a CISCO device is user EXEC mode. No configuration can be changed or viewed from User mode; only basic status information can be viewed. User mode appends a ">" after the device hostname:

Switch>

Privileged mode: This mode allows all configuration files, settings and status information to be viewed. Privileged mode appends "#" after the device hostname:

Switch#

To enter Privileged mode from User EXEC mode, type:

Switch> enable
Switch#

Global Configuration mode: Very few changes are allowed in Privileged mode; the actual configuration of a CISCO switch is done in Global Configuration mode.

Switch(config)#

To enter Global Configuration mode from Privileged mode, type:

Switch# configure terminal
Switch(config)#

Global Configuration mode allows parameters that globally affect the device to be changed. Additionally, it is divided into several sub-modes dedicated to specific functions. Among the most common sub-modes are the following:

Interface Configuration mode: To configure an interface we must specify the type of interface and the interface number. For Fast Ethernet configuration, type:

Switch(config)# interface fastEthernet 0/0
Switch(config-if)#

For Serial interface configuration of a router, type:

Switch(config)# interface serial 0/0/0
Switch(config-if)#

Line Configuration mode: To configure a line we must specify the type of line followed by the line number. Thus, to configure the first console line:

Switch(config)# line console 0
Switch(config-line)#

To configure TELNET (or VTY) lines:

Switch(config)# line vty 0 4
Switch(config-line)#

Switch Administrative Configuration
The administrative functions that you can configure on a router and switch are as follows:

Hostnames
To change the hostname of a CISCO device, type:

Switch(config)# hostname CISCO
CISCO(config)#

Passwords
Five passwords are used to secure your Cisco devices: console, auxiliary, telnet (VTY), enable password, and enable secret.

Auxiliary password: To configure the auxiliary line password, type:

Switch(config)# line aux 0
Switch(config-line)# login
Switch(config-line)# password CISCO

To set the password for Privileged mode, type:

Switch(config)# enable password CISCO

To encrypt the passwords shown in the configuration (reversible type 7 encoding), type:

Switch(config)# service password-encryption

To set the enable secret, which is stored as a hash and takes precedence over the enable password, type:

Switch(config)# enable secret CISCO

To set the console password for user EXEC mode, type (the login command is required, otherwise the password is never asked for):

Switch(config)# line console 0
Switch(config-line)# password CISCO
Switch(config-line)# login

To set the Telnet password, type:

Switch(config)# line vty 0 4
Switch(config-line)# password TELNET
Switch(config-line)# login
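The password commands in sections 2.2 and 2.3 can easily leave a device with a clear-text enable password, a line password that is never enforced, or Telnet open on the VTY lines. The following Python script is an added example, not part of this report and not a Cisco tool: it parses two constructed running-config excerpts, one written with the commands above and one hardened, and reports the weak settings an auditor would look for. The configuration text, the hash and the type 7 strings are constructed placeholders.

```python
# Added example: audit an IOS-style running-config excerpt for the weak settings
# discussed in sections 2.2 and 2.3. Both configs below are constructed text, not
# captured from a device; the hash and type 7 strings are placeholders.

WEAK_CONFIG = """\
hostname CISCO
enable password CISCO
line con 0
 password CISCO
line aux 0
 login
 password CISCO
line vty 0 4
 password TELNET
 login
"""

HARDENED_CONFIG = """\
hostname CISCO
service password-encryption
enable secret 5 $1$PLACEHOLDER$notARealHash0000000000
line con 0
 password 7 PLACEHOLDERTYPE7
 login
 exec-timeout 5 0
line aux 0
 no exec
line vty 0 4
 password 7 PLACEHOLDERTYPE7
 login
 exec-timeout 5 0
 transport input ssh
"""


def parse_line_blocks(config):
    """Group the indented commands under each 'line ...' section of the config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    global_cmds = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password") for c in global_cmds)
    if not has_secret:
        detail = "only 'enable password' (clear text or reversible type 7)" if has_enable_pw else "nothing"
        findings.append(f"enable secret missing: privileged mode protected by {detail}")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption missing: line passwords are stored in clear text")
    for name, cmds in parse_line_blocks(config).items():
        has_pw = any(c.startswith("password") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if has_pw and not has_login:
            findings.append(f"{name}: password set but 'login' missing, so it is never asked for")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or any(("telnet" in t or "all" in t) for t in transport):
                findings.append(f"{name}: Telnet permitted; restrict with 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The weak excerpt yields four findings (no enable secret, no service password-encryption, console password without login, Telnet on the VTY lines); the hardened one yields none. Note that service password-encryption only applies type 7 encoding, which is reversible, so it protects against shoulder surfing rather than against anyone who obtains the configuration; the enable secret hash is the real protection for privileged mode.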

Interface descriptions
In a router there are two types of ports, Fast Ethernet and Serial. Fast Ethernet configuration is done with the following command:

Switch(config)# interface fastEthernet 0/1
Switch(config-if)#

The first 0 indicates the slot number and 1 indicates the port number. There are 2 Fast Ethernet ports on an 1800 series CISCO router.

Serial port configuration is done with the following command:

Switch(config)# interface serial 0/0/0
Switch(config-if)#

The first 0 is the router itself, the second 0 indicates the slot number and the last 0 stands for the port number.

In the case of a switch, there are 24 Fast Ethernet ports and the configuration of a Fast Ethernet port is the same as on a router.

2.4 VLAN (Virtual Local Area Network)

The VLAN concept was introduced to divide a switch into separate broadcast domains. A VLAN separates a Layer 2 switch into multiple broadcast domains; each VLAN has its own individual broadcast domain. Individual ports or groups of ports can be assigned to a specific VLAN. Only ports assigned to the same VLAN can communicate freely through a switch; ports assigned to different VLANs require a router to communicate. A broadcast from one VLAN will never be sent out of ports belonging to another VLAN. A Layer 3 switch only supports inter-VLAN routing, not WAN routing.

VLAN Example
Consider the following example:

[Fig 12 diagram: four PCs on one switch, two ports in VLAN 1 and two ports in VLAN 2]

Fig 12: VLAN (Virtual LAN)

Four PCs are connected to a Layer 2 switch that supports VLANs. The first two PCs belong to the Sales department and are in VLAN 1; the last two PCs belong to the Accounts department and are in VLAN 2. Because the first two PCs belong to the same VLAN, they belong to the same IP subnet and broadcast domain and can communicate without a router. The Sales department cannot communicate with the Accounts department without a router, as their IP subnets and broadcast domains are different. In this scenario a router is needed for the two VLANs to communicate. By default, all ports on a CISCO switch belong to VLAN 1, which is considered the management VLAN.

Advantages of VLAN
VLANs provide the following advantages:

Broadcast domain: In a pure Layer 2 environment, broadcasts are received by every host on the switched network. In contrast, each VLAN is its own broadcast domain; thus broadcast traffic from one VLAN will never reach another VLAN.

Security: VLANs allow administrators to "logically" separate users and departments.

Flexibility and Scalability: VLANs remove the physical boundaries of a network. Users and devices can be added or moved anywhere on the physical network and yet remain assigned to the same VLAN, so access to resources is never interrupted.

VLAN Membership
Individual switch ports or groups of ports must be manually assigned to a VLAN. Any device connected to that switch port becomes a member of that VLAN. The first step in configuring a VLAN is to create it:

Switch(config)# vlan 2
Switch(config-vlan)# name Sales

The first command creates VLAN 2 and places you in VLAN configuration mode. The second command names the VLAN Sales. The list of VLANs is stored in flash in a database file named vlan.dat. Information about which ports are assigned to a specific VLAN is stored in the startup-config file. Now we must assign an interface or range of interfaces to this VLAN:

Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2

2.5 Inter VLAN Routing

Inter-VLAN routing makes use of the latest switch technology, ensuring a very fast, reliable and affordable routing solution.

The Cisco switch used here is a Layer 3 switch with built-in routing capabilities, making it the preferred choice at a reasonable cost. Of course, the solution shown here is only a small part of a large-scale network, where the Layer 3 switch is usually placed as the core switch connecting all branch switches together via fast fibre Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone.


Fig 13 : Multi-layer switch(layer-3 Switch)

2.6 VTP (VLAN Trunking Protocol)

All switches connected in a network can be configured into a domain, with one switch configured as the server and the others acting as clients. The VLAN information present on the server switch is shared with the clients by the server.

Modes in VTP
There are 3 modes in VTP:

Server Mode: We can configure, edit, manage and delete VLANs. This is the default mode of a switch.
Client Mode: We cannot add, edit or delete VLANs here.
Transparent Mode: This mode is used for monitoring purposes. It is not visible to either server or client. We can create, delete or edit VLANs here, but the changes stay local to the switch.

[Fig 14 diagram: two switches joined by trunk-mode ports, each with access-mode ports in VLAN 2 and VLAN 3]

Fig 14: VTP Modes

VTP Configuration
Backbone Switch (Server Switch) configuration. To configure the server switch, the commands are:

Switch(config)# vtp domain CISCO
Switch(config)# vtp password cisco_vtp
Switch(config)# vtp mode server
Switch(config)# vtp version 2

Client Switch configuration. To configure a client switch, the commands are:

Switch(config)# vtp domain CISCO
Switch(config)# vtp password cisco_vtp
Switch(config)# vtp mode client
Switch(config)# vtp version 2
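To make the broadcast-domain behaviour of sections 2.4 and 2.6 concrete (access ports in VLAN 2 and VLAN 3 on two switches joined by a trunk, as in Fig 14), here is an added Python simulation that is not part of the report: a minimal switch model with per-VLAN MAC learning and per-VLAN flooding, carrying the VLAN ID across the trunk as an 802.1Q-style tag. The switch names, port names and MAC addresses are constructed.

```python
# Added example: a two-switch, two-VLAN lab simulated in Python. Switch and port
# names and MAC addresses are constructed; the forwarding rules are the ones the
# report describes (learn per VLAN, flood only within the VLAN, tag on trunks).
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # 802.1Q-style tag, present only while crossing a trunk


class Switch:
    """Minimal Layer-2 switch: learns MACs per VLAN and floods only within a VLAN."""

    def __init__(self, name, access_ports, trunk_ports):
        self.name = name
        self.access = dict(access_ports)  # access port -> VLAN id
        self.trunks = list(trunk_ports)   # ports carrying tagged frames
        self.cam = {}                     # (vlan, mac) -> port (the CAM / MAC table)
        self.links = {}                   # trunk port -> (peer switch, peer port)

    def connect_trunk(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, in_port, frame, delivered):
        # Classify the frame: trunk frames carry the tag, access frames get the port's VLAN
        vlan = frame.vlan if in_port in self.trunks else self.access[in_port]
        self.cam[(vlan, frame.src)] = in_port  # learn the source MAC in this VLAN
        known = self.cam.get((vlan, frame.dst))
        if known is not None:
            out_ports = [] if known == in_port else [known]
        else:
            # Unknown unicast or broadcast: flood, but only to this VLAN's ports plus trunks
            out_ports = [p for p in list(self.access) + self.trunks
                         if p != in_port and (p in self.trunks or self.access[p] == vlan)]
        for p in out_ports:
            if p in self.trunks:
                peer, peer_port = self.links[p]
                peer.receive(peer_port, Frame(frame.src, frame.dst, vlan), delivered)
            else:
                delivered.append((self.name, p, vlan))  # frame leaves towards a host


def build_lab():
    """Two switches, VLAN 2 on Fa0/1 and VLAN 3 on Fa0/2 of each, trunked on Gi0/1."""
    sw_a = Switch("SwitchA", {"Fa0/1": 2, "Fa0/2": 3}, ["Gi0/1"])
    sw_b = Switch("SwitchB", {"Fa0/1": 2, "Fa0/2": 3}, ["Gi0/1"])
    sw_a.connect_trunk("Gi0/1", sw_b, "Gi0/1")
    return {  # host -> (switch, port, constructed MAC)
        "PC1": (sw_a, "Fa0/1", "00:00:00:00:00:01"),
        "PC2": (sw_a, "Fa0/2", "00:00:00:00:00:02"),
        "PC3": (sw_b, "Fa0/1", "00:00:00:00:00:03"),
        "PC4": (sw_b, "Fa0/2", "00:00:00:00:00:04"),
    }


def send(hosts, src_host, dst_mac):
    """Inject one untagged frame from a host; return the (switch, port, vlan) egress list."""
    sw, port, mac = hosts[src_host]
    delivered = []
    sw.receive(port, Frame(mac, dst_mac), delivered)
    return delivered


def run_scenario():
    hosts = build_lab()
    pc1_mac = hosts["PC1"][2]
    return {
        "pc1_broadcast": send(hosts, "PC1", BROADCAST),   # reaches VLAN 2 ports only
        "pc3_to_pc1": send(hosts, "PC3", pc1_mac),         # learned: one port, over the trunk
        "pc2_to_pc1": send(hosts, "PC2", pc1_mac),         # VLAN 3 frame never reaches VLAN 2
    }


if __name__ == "__main__":
    for name, egress in run_scenario().items():
        print(name, "->", egress)
```

PC1's broadcast leaves only on SwitchB Fa0/1 (the other VLAN 2 port); PC3's reply is switched straight to SwitchA Fa0/1 because both switches learned PC1 in VLAN 2; PC2's frame addressed to PC1's MAC is flooded within VLAN 3 and exits only on SwitchB Fa0/2, so PC1 never sees it. Getting a frame from VLAN 3 to VLAN 2 takes a router or Layer 3 switch, as section 2.5 says.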

2.7 Routing Technique and Security

Routing Technique

There are two basic methods of building a routing table: statically or dynamically.
• …information in routing tables. Example: RIP, IGRP, OSPF etc.

Metric vs. Administrative Distance
A "metric" allows a router to choose the best path within a routing protocol. Distance-vector routing protocols use "distance" (usually hop count) as their metric. Link-state protocols use some sort of "cost" as their metric. Only the routes with the best metric are added to the routing table. If a router is running multiple routing protocols, the Administrative Distance is used to determine which routing protocol to trust the most: the lowest administrative distance wins.

Table 1: Default Administrative Distance

Route Source           Default Administrative Distance
Connected Interface    0
Static Route           1
EIGRP                  90
IGRP                   100
OSPF                   110
RIP                    120
External EIGRP         170
Unknown                255
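As an added example (not from the report), the following Python code applies Table 1 the way a router does when it installs routes: for each prefix the candidate with the lowest administrative distance wins, the metric only breaks ties within one protocol, and the lookup itself uses longest-prefix match. The candidate routes and next-hop addresses are constructed.

```python
# Added example: route installation by administrative distance, then longest-prefix
# lookup. The candidate routes and next hops below are constructed.
import ipaddress
from dataclasses import dataclass

# Default administrative distances, copied from Table 1 of the report
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp": 90, "igrp": 100,
    "ospf": 110, "rip": 120, "external eigrp": 170, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "30.0.0.0/8"
    source: str    # a key of ADMIN_DISTANCE
    metric: int    # protocol-specific: hop count for RIP, cost for OSPF
    next_hop: str

    @property
    def ad(self):
        return ADMIN_DISTANCE[self.source]


# Constructed candidates, as one router might learn them (next hops are made up)
SAMPLE_ROUTES = [
    Route("10.0.0.0/8", "connected", 0, "directly connected"),
    Route("30.0.0.0/8", "rip", 2, "20.0.0.1"),       # 2 hops, but AD 120
    Route("30.0.0.0/8", "ospf", 20, "20.0.0.1"),     # cost 20, AD 110: wins despite the larger number
    Route("30.0.0.0/8", "ospf", 20, "20.0.0.5"),     # equal-cost OSPF path: installed alongside
    Route("30.1.0.0/16", "static", 0, "20.0.0.1"),   # more specific prefix: wins by longest match
]


def install_routes(candidates):
    """Per prefix keep the route(s) with the lowest (AD, metric); ties give equal-cost paths."""
    table = {}
    for r in candidates:
        net = ipaddress.ip_network(r.prefix)
        key = (r.ad, r.metric)
        if net not in table or key < (table[net][0].ad, table[net][0].metric):
            table[net] = [r]
        elif key == (table[net][0].ad, table[net][0].metric):
            table[net].append(r)
    return table


def lookup(table, dest):
    """Longest-prefix match over the installed table; returns the route list or None."""
    addr = ipaddress.ip_address(dest)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    tbl = install_routes(SAMPLE_ROUTES)
    for dest in ("30.9.9.9", "30.1.2.3", "10.1.1.1", "40.0.0.1"):
        print(dest, "->", lookup(tbl, dest))
```

Metrics are not comparable across protocols, which is exactly why the RIP route with "2" loses to the OSPF route with "20": administrative distance is compared first. The static /16 is chosen for 30.1.2.3 not because of its AD but because the forwarding lookup always prefers the longest matching prefix; AD only decides what gets installed for a given prefix.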

Static Routing
A static routing table is created, maintained and updated manually by a network administrator. A static route to every network must be configured on every router for full connectivity. This provides a granular level of control over routing, but quickly becomes impractical on large networks.

Routers will not share static routes with each other, thus reducing CPU/RAM overhead and saving bandwidth. However, static routing is not fault-tolerant, as any change to the routing infrastructure requires manual intervention. Routers operating in a purely static environment cannot seamlessly choose a better route if a link becomes unavailable.

[Fig 15 diagram: the networks 10.0.0.0, 20.0.0.0 and 30.0.0.0 connected through routers]

Fig 15: Static Routing

To configure static routing, the commands for Router0 are:

Router(config)# interface serial 0/0/0
Router(config-if)# clock rate 64000
Router(config-if)# ip address 20.0.0.2 255.0.0.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 30.0.0.0 255.0.0.0 <next hop: the neighbouring router's address on 20.0.0.0>

The next hop of the ip route command must be the address of the neighbouring router on the 20.0.0.0 link, not Router0's own address 20.0.0.2; a route pointing at the router's own interface address will not forward traffic to 30.0.0.0.

Advantages of Static Routing
• Minimal CPU/memory overhead.
• No bandwidth overhead (updates are not shared between routers).
• Granular control over how traffic is routed.

Disadvantages of Static Routing
• Complex to configure on larger networks.
• No dynamic fault tolerance if a link goes down.
• Impractical on large networks.

Dynamic Routing
A dynamic routing table is created, maintained and updated by a routing protocol running on the router. Examples of routing protocols include RIP (Routing Information Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol) and OSPF (Open Shortest Path First). There are two distinct categories of dynamic routing protocols:
• Distance-Vector protocols
• Link-State protocols

Distance-Vector protocols include RIP and IGRP (Interior Gateway Routing Protocol); Link-State protocols include OSPF.

EIGRP (Enhanced Interior Gateway Routing Protocol) exhibits both distance-vector and link-state characteristics and is considered a hybrid protocol.

Distance-Vector Protocols
All distance-vector routing protocols share several key characteristics:
• Periodic updates of the full routing table are sent to routing neighbours.
• Distance-vector protocols suffer from slow convergence and are highly susceptible to loops.
• Some form of distance is used to calculate a route's metric.
• The Bellman-Ford algorithm is used to determine the shortest path.

RIP (Routing Information Protocol)
o It works on the distance-vector mechanism.
o It uses the Bellman-Ford algorithm to find the shortest path.
o By default it uses hop count as its metric.
o It can route a packet up to 15 hops (maximum hop count is 15).
o Its update time is 30 seconds.
o Its hold-down time is 180 seconds.
o The invalid time is also 180 seconds.
o The flush time is 240 seconds.
o RIP version 2 sends periodic multicasts.
o RIP version 1 sends periodic broadcasts.
o RIP version 2 supports VLSM.
o RIP version 1 is classful.

To configure Router0 of Fig 8 with RIP, the commands are:

Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network 10.0.0.0
Router(config-router)# network 20.0.0.0
Link-State Protocols

Link-state routing protocols were developed to solve the convergence and loop issues of distance-vector protocols. Link-state protocols maintain three separate tables:
• Neighbor Table: Contains a list of all neighbours and the interface each neighbour is connected to. Neighbours are formed by sending Hello packets.
• Topology Table: Otherwise known as the "link-state" table; contains a map of all links within an area, including each link's status.
• Shortest-Path Table: Contains the best routes to each destination (otherwise known as the "routing" table).

OSPF (Open Shortest Path First)
o A pure link-state protocol.
o Supports unlimited hop count.
o OSPF uses the Dijkstra algorithm to select the shortest path.
o Supports both IPv4 and IPv6 routing.
o Consists of areas and autonomous systems.
o Minimizes routing update time.
o Allows scalability.
o Supports VLSM (Variable Length Subnet Mask) and CIDR (Classless Inter-Domain Routing).
o Allows multi-vendor deployment (open standard).
o Multicast address is 224.0.0.5.
o A loopback interface should be configured on the router when we use OSPF.
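As an added example that is not part of the report, the following Python code runs both mechanisms described above on one constructed topology: a RIP-style distance-vector exchange (Bellman-Ford over hop counts, with 16 meaning unreachable) and an OSPF-style Dijkstra (SPF) run over the link-state map. The router names and link costs are constructed; the point is that the two protocols can pick different paths because their metrics differ, and that RIP cannot reach a destination 16 hops away.

```python
# Added example: distance-vector (RIP-style) versus link-state (OSPF-style) path
# selection on a constructed topology. Router names and costs are made up.
import heapq

INFINITY_HOPS = 16  # RIP: hop count 16 means unreachable (15 is the maximum usable)

# Constructed topology: router -> [(neighbour, OSPF link cost)]. RIP ignores the cost.
LINKS = {
    "R0": [("R1", 10)],
    "R1": [("R0", 10), ("R2", 1), ("R3", 100)],
    "R2": [("R1", 1), ("R3", 1)],
    "R3": [("R1", 100), ("R2", 1)],
}


def chain(n):
    """Constructed linear topology R0 - R1 - ... - R(n-1), cost 1 per link."""
    links = {f"R{i}": [] for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].append((f"R{i + 1}", 1))
        links[f"R{i + 1}"].append((f"R{i}", 1))
    return links


def rip_converge(links, max_rounds=100):
    """Distance-vector: every round each router takes its neighbours' full tables
    (RIP's periodic update) and keeps any route that is shorter in hops.
    Returns ({router: {dest: hops}}, rounds until no table changed)."""
    tables = {r: {r: 0} for r in links}
    for round_no in range(1, max_rounds + 1):
        changed = False
        for r, neighbours in links.items():
            for n, _cost in neighbours:
                for dest, hops in list(tables[n].items()):
                    via_n = hops + 1
                    if via_n < INFINITY_HOPS and via_n < tables[r].get(dest, INFINITY_HOPS):
                        tables[r][dest] = via_n
                        changed = True
        if not changed:
            return tables, round_no
    return tables, max_rounds


def rip_hops(tables, src, dest):
    """Hop count from src to dest, or INFINITY_HOPS when RIP cannot reach it."""
    return tables[src].get(dest, INFINITY_HOPS)


def ospf_spf(links, root):
    """Link-state: Dijkstra over the whole topology map (the 'topology table').
    Returns {dest: (cost, path)} for the shortest-path table of root."""
    best = {root: (0, [root])}
    heap = [(0, root, [root])]
    visited = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        for n, c in links[node]:
            new_cost = cost + c
            if n not in best or new_cost < best[n][0]:
                best[n] = (new_cost, path + [n])
                heapq.heappush(heap, (new_cost, n, path + [n]))
    return best


def compare(links, src, dest):
    """Side-by-side result for one destination: RIP hop count vs OSPF cost and path."""
    tables, rounds = rip_converge(links)
    cost, path = ospf_spf(links, src)[dest]
    return {"rip_hops": rip_hops(tables, src, dest), "rip_rounds": rounds,
            "ospf_cost": cost, "ospf_path": path}


if __name__ == "__main__":
    print(compare(LINKS, "R0", "R3"))
    far, _ = rip_converge(chain(17))
    print("R0 -> R15:", rip_hops(far, "R0", "R15"), " R0 -> R16:", rip_hops(far, "R0", "R16"))
```

For R0 to R3, RIP settles on the 2-hop path through the expensive R1-R3 link, while OSPF's Dijkstra run prefers R0-R1-R2-R3 at cost 12 over cost 110; the hop-count metric simply cannot see the difference. On the 17-router chain, R15 is reachable at 15 hops but R16 never enters R0's table, which is the 15-hop limit from the RIP list above.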

[Figure: OSPF design showing Area 0 and Area 1 joined by an Area Border Router (ABR)]
Fig 16: Autonomous System (OSPF Design)

Autonomous System: a collection of routers or networks under the same Administrative Distance. Administrative Distance: a rating of the trustworthiness of a network. Area 0 is known as the Backbone Area. Area 0 contains a backbone router, which is known as the Designated Router; that router is connected through a Virtual Circuit to another router. Two autonomous systems are connected through an Autonomous System Border Router (ASBR) using Border Gateway Protocol (BGP). When two or more Areas or Autonomous Systems communicate, that is known as a Multi-access Network.

Router ID: The Router ID (RID) is an IP address used to identify the router. CISCO chooses the Router ID by using the highest IP address of all configured loop-back interfaces. If no loop-back interfaces are configured with addresses, OSPF will choose the highest IP address of all active physical interfaces.

According to Fig 9, if we want to configure Router0 using OSPF, the commands will be:

Router(config)# router ospf 1          /* 1 is the locally significant OSPF process ID, which the command requires */
Router(config-router)# network 192.168.10.0 0.0.0.255 area 0
Router(config-router)# router-id 25.0.0.1

Suppose we are configuring the Area 0 router with the OSPF protocol. The second command indicates that the Area 0 router is directly connected with another router and that the 192.168.10.0 network runs between them. The last command assigns the RID to the router.

Hybrid Protocol (EIGRP)

EIGRP is a Cisco-proprietary Hybrid routing protocol, incorporating features of both Distance-Vector and Link-State routing protocols.

EIGRP adheres to the following Hybrid characteristics:
• EIGRP uses the Diffusing Update Algorithm (DUAL) to determine the best path among all “feasible” paths. DUAL also helps ensure a loop-free routing environment.
• EIGRP will form neighbor relationships with adjacent routers in the same Autonomous System (AS).
• EIGRP traffic is either sent as unicast or as multicast on address 224.0.0.10, depending on the EIGRP packet type.
• Reliable Transport Protocol (RTP) is used to ensure delivery of most EIGRP packets.
• EIGRP routers do not send periodic, full-table routing updates. Updates are sent only when a change occurs.
• EIGRP is a classless protocol, and thus supports VLSM.

Other characteristics of EIGRP include:
• EIGRP has a maximum hop count of 224, though the default maximum hop count is set to 100.
• EIGRP uses Bandwidth and Delay of the line, by default, to calculate its distance metric. It also supports 3 other parameters to calculate its metric: Reliability, Load and MTU.

EIGRP builds 3 separate tables:
• Neighbor Table: list of all neighbor routers. Neighbors must belong to the same Autonomous System.
• Topology Table: list of all routers in the Autonomous System.
• Routing Table: contains the best route for each known network.

Commands for EIGRP configuration on Router0, according to Fig 8:

Router(config)# router eigrp 10          /* 10 is the autonomous system number */
Router(config-router)# network 10.0.0.0
Router(config-router)# network 20.0.0.0

SECURITY

Access Control List (ACL)

Access Control Lists can be used for two purposes on Cisco routers: to filter traffic and to identify traffic. Access lists are a set of rules, organized in a rule table. Each rule or line in an access list provides a condition, either permit or deny:
• When using an access list to filter traffic, a permit statement is used to “allow” traffic, while a deny statement is used to “block” traffic.
Filtering traffic is the primary use of ACLs. However, there are several instances when it is necessary to identify traffic using an ACL, including:
• Identifying interesting traffic to bring up an ISDN link or VPN tunnel.
• Identifying routes to filter or allow in routing updates.

When filtering traffic, access lists are applied on interfaces. As a packet passes through a router, the top line of the rule list is checked first, and the router continues down the list until a match is found. Once a match is found, the packet is either permitted or denied. There is an implicit “deny all” at the end of all access lists; we can neither create it nor delete it. Thus an ACL that contains only deny statements blocks all traffic. Access lists are applied either inbound (packets received on an interface, before routing) or outbound (packets leaving an interface, after routing). Only one access list per interface, per protocol, per direction is allowed.
• Inbound: first filtering, then routing.
• Outbound: first routing, then filtering.

Types of ACL

There are two categories of access lists: named and numbered.

Numbered access lists are broken into several ranges, each dedicated to a specific protocol. The two we use most are:
1-99       IP Standard access list
100-199    IP Extended access list

In the case of a Standard ACL, filtering can be done on the basis of source address only; we cannot define destination, service protocol, or port numbers. In the case of an Extended ACL, filtering can be done on the basis of source, destination, service protocol, and port numbers.

Named access lists provide a bit more flexibility. Descriptive names can be used to identify an access list. There are two common types of named lists:
• IP standard named access list
• IP extended named access list

Individual lines cannot be removed from an access list. The entire access list must be deleted and recreated. All new entries to an access list are added to the bottom.

Wild Card Mask

IP access lists use a Wild Card Mask to determine two things:
• Which part of an address must match exactly
• Which part of an address can match any number

This is the opposite of a subnet mask, which tells us what part of an address is the network (subnet) and what part of an address is the host. For example:
Address:         192.168.10.0
Wild Card Mask:  0.0.0.255

Configuration of ACL to the Router

[Figure: a router joining the 10.0.0.0 and 30.0.0.0 networks; addresses shown are 20.0.0.1, 20.0.0.2, 10.0.0.4 and 30.0.0.4]
Fig 17: Access Control List

Standard ACL

To block a PC of the 10.0.0.0 network from accessing the outer network, the commands are:

Router(config)# access-list 1 deny host 10.0.0.2
Router(config)# interface fastEthernet 0/0
Router(config-if)# ip access-group 1 in          /* Bind the ACL to the router interface */

With only this entry, all PCs of the 10.0.0.0 network will be denied, because of the implicit deny at the end of the list. To block only the 10.0.0.2 PC and permit the remaining PCs to access the outer network, add:

Router(config)# access-list 1 permit any

Named ACL

This type of list can be either a standard or an extended access control list.

Router(config)# ip access-list extended mylist          /* mylist is the name of the ACL */
Router(config-ext-nacl)# deny tcp host 10.0.0.2 host 30.0.0.4 eq www          /* Deny PC 10.0.0.2 access to the Google (web) server 30.0.0.4 */
Router(config-ext-nacl)# deny icmp host 10.0.0.3 host 30.0.0.2 echo          /* Deny PC 10.0.0.3 from pinging PC 30.0.0.2 */
Router(config-ext-nacl)# deny tcp host 10.0.0.3 host 20.0.0.2 eq telnet          /* Deny PC 10.0.0.3 from telnet to router interface 20.0.0.2 */
Router(config-ext-nacl)# permit tcp any any
Router(config-ext-nacl)# permit icmp any any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface fastEthernet 0/0          /* assuming the 10.0.0.0 network is on fastEthernet 0/0, as in the standard ACL example */
Router(config-if)# ip access-group mylist in          /* Bind the ACL to the router interface; access-group is an interface command */

Network Address Translation (NAT)

The rapid growth of the Internet resulted in a shortage of IPv4 addresses. In response, the powers that be designated a specific subset of the IPv4 address space to be private, to temporarily alleviate this problem. A public address can be routed on the Internet; thus devices that should be Internet accessible (such as web or email servers) must be configured with public addresses. A private address is only intended for use within an organization, and can never be routed on the Internet. Three private addressing ranges were allocated, one for each IPv4 class:
• Class A: 10.x.x.x
• Class B: 172.16.x.x to 172.31.x.x
• Class C: 192.168.x.x

NAT (Network Address Translation) is used to translate between private addresses and public addresses. NAT allows devices configured with a private address to be stamped with a public address, thus allowing those devices to communicate across the Internet. NAT is not restricted to private-to-public address translation, though this is the most common application of NAT. NAT can perform a public-to-private address translation, or a private-to-private address translation as well. NAT provides an additional benefit – hiding the specific addresses and addressing structure of the internal network.

Types of NAT

NAT can be implemented using one of three methods:
• Static NAT: performs a static one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall/router.

• Dynamic NAT: utilizes a pool of global addresses to dynamically translate the outbound traffic of clients behind a NAT-enabled device.
• NAT Overload or Port Address Translation (PAT): translates the outbound traffic of clients to unique port numbers on a single global address. PAT is necessary when the number of internal clients exceeds the available global addresses.

NAT Terminology
Specific terms are used to identify the various NAT addresses:
• Inside Local: the specific IP address assigned to an inside host behind a NAT-enabled device (usually a private address).
• Inside Global: the address that identifies an inside host to the outside world (usually a public address). Essentially this is the public address, assigned dynamically or statically, of a private host.
• Outside Global: the address assigned to an outside host (usually a public address).
• Outside Local: the address that identifies an outside host to the inside network. Often this is the same address as the Outside Global. However, it is occasionally necessary to translate an outside (usually public) address to an inside (usually private) address.

NAT Terminology Example

[Figure: Host A at 10.0.0.10 behind a router whose addresses are 10.0.0.1 and 20.0.0.1, an Internet cloud, and the addresses 192.168.10.1, 30.0.0.1 and 30.0.0.5 on the far side]
Fig 18: Network Address Translation (NAT)

Consider the above figure for example. For a connection from Host A to Host B, the NAT addresses are identified as follows:
• Inside Local Address: 10.0.0.10
• Inside Global Address: 20.0.0.1
• Outside Local Address: 192.168.10.1
• Outside Global Address: 192.168.10.1

Host A is configured as 10.0.0.10, which is its Inside Local Address. When Host A communicates with the Internet, it is stamped with Router A’s public address, using PAT; thus Host A’s Inside Global Address becomes 20.0.0.1. When Host A communicates with Host B, it accesses Host B’s Outside Global Address of 192.168.10.1. In this instance, the Outside Local Address is also 192.168.10.1. Host A is never aware of Host B’s configured address.

Configuring Static NAT

The first step in configuring Static NAT, according to figure 11, is to identify the inside (usually private) and outside (usually public) interfaces:

Router(config)# interface fastEthernet 0/0
Router(config-if)# ip nat inside
Router(config)# interface serial 0/0/0
Router(config-if)# ip nat outside

To statically map a public address to a private address, the syntax is as follows:

Router(config)# ip nat inside source static 10.0.0.10 20.0.0.1

This command performs a static translation of the source address 10.0.0.10 (located on the inside of the network) to the outside address 20.0.0.1.

Configuring Dynamic NAT

When configuring Dynamic NAT, the inside and outside interfaces must first be identified:

Router(config)# interface fastEthernet 0/0
Router(config-if)# ip nat inside
Router(config)# interface serial 0/0/0
Router(config-if)# ip nat outside

Next, a pool of global addresses must be specified. Inside hosts are dynamically given the next available address in this pool when communicating outside the local network:

Router(config)# ip nat pool mypool 20.0.0.10 20.0.0.50 netmask 255.0.0.0

The above command specifies that the pool named “mypool” contains the range of public addresses from 20.0.0.10 through 20.0.0.50.

Finally, a list of private addresses that are allowed to be dynamically translated must be specified:

Router(config)# ip nat inside source list 10 pool mypool
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255

The first command states that any inside host with a source address that matches access-list 10 can be translated to any address in the pool named “mypool”.

The access-list specifies any host on the 10.0.0.0 network.

Configuring NAT Overload (or PAT)

Recall that NAT Overload (or PAT) is necessary when the number of internal clients exceeds the available global addresses. Each internal host is translated to a unique port number on a single global address. NAT Overload is configured as follows:

Router(config)# interface fastEthernet 0/0
Router(config-if)# ip nat inside
Router(config)# interface serial 0/0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface serial 0/0/0 overload
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255

Any inside host with a source address that matches access-list 10 will be translated, with overload, to the IP address configured on serial interface 0/0/0.
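What the router does with that configuration is keep a translation table, and the following Python model (an added example, not code from the report or from Cisco) shows it for the overload case: outbound flows from hosts permitted by access-list 10 are rewritten to one global address, each with its own port, return traffic is demultiplexed by that port, and a packet arriving from outside with no matching entry is dropped, which is the "hiding the internal network" benefit mentioned earlier. The global address 20.0.0.1 (standing for the serial 0/0/0 address), the sample flows and the class interface are assumptions made for the illustration.

```python
"""Port Address Translation (NAT overload) modelled as a translation table.

Added example for this report, not code from the report or from Cisco. It
models 'ip nat inside source list 10 interface serial 0/0/0 overload' with
access-list 10 permitting 10.0.0.0 0.255.255.255. The outside interface
address 20.0.0.1 and all flows are constructed for the illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: bits set to 1 in the mask are ignored, 0 bits must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class PatTranslator:
    """One global address shared by many inside hosts, distinguished by port."""

    def __init__(self, outside_addr: str, acl: List[Tuple[str, str]]):
        self.outside_addr = outside_addr   # inside global address (the outside interface address)
        self.acl = acl                     # (network, wildcard) pairs permitted to be translated
        # (proto, global port) -> (inside local ip, inside local port, outside ip, outside port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, inside local ip, inside local port) -> global port, for repeat packets of a flow
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def _permitted(self, src_ip: str) -> bool:
        return any(wildcard_match(src_ip, net, wc) for net, wc in self.acl)

    def _allocate_port(self, proto: str, preferred: int) -> int:
        # Keep the original source port when it is free; otherwise pick another free port.
        if (proto, preferred) not in self.table:
            return preferred
        for port in range(1024, 65536):
            if (proto, port) not in self.table:
                return port
        raise RuntimeError("no free ports on the global address")

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside: returns the translated (source ip, source port), or None
        when the source is not permitted by the access list and leaves untranslated."""
        if not self._permitted(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.reverse:
            gport = self._allocate_port(proto, src_port)
            self.reverse[key] = gport
            self.table[(proto, gport)] = (src_ip, src_port, dst_ip, dst_port)
        return self.outside_addr, self.reverse[key]

    def inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside, addressed to the global address: returns the inside local
        (ip, port) to rewrite the destination to, or None when no entry exists
        (an unsolicited packet is dropped, so the inside hosts stay hidden)."""
        entry = self.table.get((proto, dst_port))
        return (entry[0], entry[1]) if entry else None

    def translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations':
        proto, inside global, inside local, outside global."""
        return [
            f"{proto} {self.outside_addr}:{gport} {ip}:{port} {dip}:{dport}"
            for (proto, gport), (ip, port, dip, dport) in sorted(self.table.items())
        ]


if __name__ == "__main__":
    nat = PatTranslator("20.0.0.1", [("10.0.0.0", "0.255.255.255")])
    nat.outbound("tcp", "10.0.0.5", 40000, "30.0.0.5", 80)  # constructed flows
    nat.outbound("tcp", "10.0.0.6", 40000, "30.0.0.5", 80)  # same source port: gets a new one
    for row in nat.translations():
        print(row)
```

The second flow in the usage shows the "unique port" part of PAT: two inside hosts that happen to use the same source port cannot both appear as 20.0.0.1:40000, so the router assigns the second one another free port and uses that port alone to steer the replies back to the right host.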

4. PROJECT

Fig 19: Enterprises Network End To End Solution

The steps performed in the above scenario are as follows:
1. Initially, using CISCO Packet Tracer, we configure all the routers and switches. Then we configure VLAN, VTP and inter-VLAN routing.
2. The RIPv2 routing protocol is to be used for routing.
3. Assign IP addresses to all PCs dynamically by making the Delhi server the DHCP server.
4. Now apply a Numbered ACL (IP Standard access list) on the Canada router in order to block France from communicating in the network.
5. Apply an Inbound ACL (NAT) on the Noida router so that no one can ping the Noida router but everyone can access www.hpes.com.
6. PAT is applied on U.S.A.
7. Static NAT is applied on the Haryana server.
8. All PCs should communicate with all DNS names (www.hpes.com, www.dit.com, www.yahoo.com).

Conclusion

The conclusion of this project is that all the PCs are communicating with each other, and the IP addresses are assigned dynamically by the DHCP server. The RIPv2 routing protocol is applied on each router, and all other security restrictions are imposed successfully.

Problems occurred and suggestions

In CISCO Packet Tracer 5.3, when we apply PAT on USA, we are unable to halt the communication between PC 33 and PC 28. The problem occurs because of the version of Packet Tracer being used.

This problem can be resolved in CISCO Packet Tracer 5.2.

Appendix
PC29 can access all three DNS servers.

Fig 20: www.hpes.com

Fig 21: www.yahoo.com

Fig 22: www.dit.com
All PCs can communicate with one another.

Fig 22: PC 51 pinging other PCs in the network
