CCNA Case Study Vinay Godugu

  • 8/8/2019 CCNA Case Study Vinay Godugu

    1/38

    Due Date: 13th week

    Submitted: 13th week

    Prepared by: Vinay Godugu and Sushen Mathur

    Student Number: n7067283 and n7257147

    Executive summary

    The aim of this report is to provide ABC Company with a new network design and its implementation. It summarizes the planning and deployment involved in designing a network for ABC Company. The new design serves all of the company's users and provides the required services: VoIP, email server access, departmental server access and Internet access. The report takes a generic, flexible and robust approach to network design. The first part covers design, implementation and configuration according to the specifications, followed by the topology map and the new network architecture with all critical applications identified. The following sections detail the architecture considered, the topology design, and the addressing and routing schemes used. The last part of the report discusses the issues related to VoIP implementation.

    Table of Contents

    Executive summary
    1. Introduction
    2. Project Overview
    2.1.1. Current Network Situation
    2.1.2. Future Development
    3. Network Design
    3.1 Proposed Network Architecture
    3.1.1 Routing Protocol and Authentication
    3.2.4 IP scheme
    4. Configuration (Proposal Network Configuration Design)
    4.1 Layer 3 Network Topology
    4.2 Prototype Network Implementation
    4.3. DHCP Configuration
    5. Investigation of the Network Related Issues with VoIP Implementation
    6. The VoIP implementation issues related to Firewall/NAT
    6.1 NAT (Network Address Translation)
    6.2 Firewall
    6.3 Findings & Recommendations
    References

    Table of Figures

    Fig 1. Current Network Scenario
    Fig 2. Physical Network Diagram
    Fig 3. Layer 3 Logical Diagram
    Fig 4. Implementation Diagram
    Fig 5. Session Border Controller (Check Point Software Technologies)
    Fig 6. SIP (Session Initiation Protocol)

    1. Introduction

    As network engineers for a small organization, we are to redesign its existing network. The company forecasts rapid growth over the next 10 years and wants its network to be more scalable and ready for future growth. The company has a confined network comprising the HR, Purchasing, Sales and Warehouse departments, and employees are allowed access to the Internet and the company email server. The company has also implemented a wireless network for casual staff and intends to deploy VoIP throughout the organization in the near future. The redesign takes all of these requirements into consideration and provides for double the number of hosts in every department, distributed across individual switches. A wireless access point is installed so that casual staff can connect their portable devices, and internal VoIP for the Sales and Warehouse departments is to be set up with scalability and availability in focus. The email server and the web server for the wired workstation connections are connected to the NAT router.

    2. Project Overview

    In order to meet the requirements for future development, a new network architecture has been designed and IP addresses have been allocated accordingly. This report discusses the configuration and implementation of the newly designed network and the issues related to VoIP implementation with NAT and firewalls.

    ABC Company              Number of users (at present)   Number of users (expected in next 5 years)
    Human Resource users     20                             40
    Purchasing users         20                             40
    Sales users              20                             40
    Warehouse users          20                             40
    Casual staff             25                             50
    Total number of users    105                            210

    Table 1. ABC Company users

    2.1.1. Current Network Situation

    Fig 1. Current Network Scenario

    2.1.2. Future Development

    The organization's business is projected to grow by 100% in the next 5 years, and the network needs to be designed accordingly. All users are allowed to connect to the Internet using the NAT pool addresses. The organization's email server is also connected to the Internet, using a static NAT IP address. The company is planning to deploy VoIP on the new network. The decision has been made to first implement the internal VoIP network in the Sales department and the Warehouse as a trial, allowing users in both departments to communicate internally.

    3. Network Design

    The current network topology is suited to a small organization with no scope for growth. As stated in the requirements, the company's growth is expected to be 100% in the next 5 years, and the new network design allows for this future growth. At the access layer, all VLANs are configured on every switch, so that users from each department can be distributed across all switches. There are two wireless access points for casual staff to connect their wireless devices. VoIP services have been installed for the Sales department and the Warehouse and can be expanded to all departments. We have provided a separate server for email and Internet access through the NAT router for wired workstation users. The NAT router and the WLAN are connected to the external firewall.

    3.1 Proposed Network Architecture

    Physical Network Diagram

    Fig 2. Physical Network Diagram

    3.1.1 Routing Protocol and Authentication

    Routing is the process of choosing the best path across networks. A variety of metrics can be used to define the best path. Some routing protocols use only one metric, such as RIP (Routing Information Protocol), which uses hop count; others use more than one, such as IGRP (Interior Gateway Routing Protocol), which uses bandwidth, delay, load, reliability and maximum transmission unit (MTU). The recommended routing protocols should be simple and efficient. McCabe suggests that the best choice is to:

    (1) Minimize the number of routing protocols used in the network. Two should be the maximum number of protocols allowed, with only one IGP.

    (2) Start with the simplest routing strategy and routing mechanism/protocol.

    (3) As the complexity in routing and choices of routing protocols increase, re-evaluate the previous decisions.

    Different routing protocols can be used in the ABC Co. network. The external routers that connect two different sub-networks should use simple routing protocols, because these route easily and efficiently. The best candidate routing protocols for this network are RIP, IGRP and OSPF. The most suitable protocol can be chosen by considering their characteristics.

    3.2.4 IP scheme

    As per the requirement, the design must support network growth while keeping the wastage of IP addresses to a minimum. The sub-netting method used for users in the new network is therefore VLSM (Variable Length Subnet Masking). Addresses are allocated to the different user groups on the basis of 100% growth in the next 5 years.

    New network IP addresses

    Users             No. of hosts   Subnet          Network mask      First address   Last address
    Human resources   40             192.168.0.0     255.255.255.192   192.168.0.1     192.168.0.63
    Purchasing        40             192.168.0.64    255.255.255.192   192.168.0.65    192.168.0.126
    Sales             40             192.168.0.128   255.255.254.192   192.168.0.129   192.168.0.190
    Warehouse         40             192.168.0.192   255.255.254.192   192.168.0.193   192.168.0.254
    Casual staff      50             192.168.1.0     255.255.254.128   192.168.1.1     192.168.1.63

    Reserved addresses: 192.168.1.65 to 192.168.1.255

    Users             VLAN     Network mask      IP address
    Human resources   Vlan11   255.255.255.192   192.168.0.1
    Purchasing        Vlan21   255.255.255.192   192.168.0.65
    Sales             Vlan31   255.255.254.192   192.168.0.129
    Warehouse         Vlan41   255.255.254.192   192.168.0.193
    Casual staff      Vlan51   255.255.254.128   192.168.1.1
    VoIP Server       Vlan61   255.255.254.128   192.168.1.65

    Table 2. VLAN Addresses
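
    A consistency check for the addressing plan above, added here as an example (it is not part of the original report): it validates each row's mask, host capacity and first/last address with Python's ipaddress module, using the rows exactly as printed. The function and constant names are hypothetical.

```python
import ipaddress

# Rows exactly as printed in the addressing table above:
# users -> (required hosts, subnet, mask, first address, last address)
PLAN = {
    "Human resources": (40, "192.168.0.0", "255.255.255.192", "192.168.0.1", "192.168.0.63"),
    "Purchasing": (40, "192.168.0.64", "255.255.255.192", "192.168.0.65", "192.168.0.126"),
    "Sales": (40, "192.168.0.128", "255.255.254.192", "192.168.0.129", "192.168.0.190"),
    "Warehouse": (40, "192.168.0.192", "255.255.254.192", "192.168.0.193", "192.168.0.254"),
    "Casual staff": (50, "192.168.1.0", "255.255.254.128", "192.168.1.1", "192.168.1.63"),
}
# SVI addresses from Table 2 and the reserved range stated under the first table.
VLAN_GATEWAYS = {"Vlan11": "192.168.0.1", "Vlan21": "192.168.0.65", "Vlan31": "192.168.0.129",
                 "Vlan41": "192.168.0.193", "Vlan51": "192.168.1.1", "Vlan61": "192.168.1.65"}
RESERVED = ("192.168.1.65", "192.168.1.255")


def smallest_prefix(hosts):
    """Longest prefix whose usable host count (2**bits - 2) still covers `hosts`."""
    bits = 2
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def check_row(hosts, subnet, mask, first, last):
    """Return (network, problems) for one row of the plan."""
    problems = []
    try:
        net = ipaddress.IPv4Network(f"{subnet}/{mask}")
    except ipaddress.NetmaskValueError:
        # Fall back to the prefix the host count requires so the range can still be checked.
        problems.append(f"mask {mask} is not a contiguous netmask")
        net = ipaddress.IPv4Network(f"{subnet}/{smallest_prefix(hosts)}", strict=False)
    except ValueError:
        problems.append(f"{subnet} has host bits set for mask {mask}")
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
    if net.num_addresses - 2 < hosts:
        problems.append(f"{net} holds {net.num_addresses - 2} hosts, {hosts} required")
    lo, hi = net.network_address + 1, net.broadcast_address - 1
    for label, text in (("first", first), ("last", last)):
        if not lo <= ipaddress.ip_address(text) <= hi:
            problems.append(f"{label} address {text} is not a usable host in {net} ({lo} to {hi})")
    return net, problems


def audit_plan(plan):
    """Check every row and report overlaps between the resulting subnets."""
    findings, seen = {}, {}
    for users, row in plan.items():
        net, problems = check_row(*row)
        problems += [f"overlaps {other} ({o})" for other, o in seen.items() if net.overlaps(o)]
        seen[users] = net
        findings[users] = problems
    return findings


def gateways_in_reserved(gateways, reserved):
    """SVI addresses that fall inside the range the plan marks as reserved."""
    lo, hi = (ipaddress.ip_address(a) for a in reserved)
    return [vlan for vlan, addr in gateways.items() if lo <= ipaddress.ip_address(addr) <= hi]
```

    Running audit_plan(PLAN) reports the non-contiguous masks and the rows whose last address is the subnet broadcast; gateways_in_reserved(VLAN_GATEWAYS, RESERVED) lists SVIs placed inside the reserved range.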

    4. Configuration (Proposal Network Configuration Design)

    4.1 Layer 3 Network Topology

    Fig 3. Layer 3 Logical Diagram

    4.2 Prototype Network Implementation

    Fig 4. Implementation Diagram

    4.3. DHCP Configuration

    R1#sh run

    Building configuration...

    Current configuration : 2512 bytes

    !

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R1

    !

    boot-start-marker

    boot-end-marker

    !

    !

    no aaa new-model

    memory-size iomem 15

    no network-clock-participate slot 1

    no network-clock-participate wic 0

    ip cef

    !

    !

    no ip dhcp use vrf connected

    ip dhcp excluded-address 192.168.1.1

    ip dhcp excluded-address 192.168.1.65

    ip dhcp excluded-address 192.168.1.129

    ip dhcp excluded-address 192.168.1.193

    ip dhcp excluded-address 192.168.0.1

    ip dhcp excluded-address 192.168.0.65

    ip dhcp excluded-address 192.168.0.193

    ip dhcp excluded-address 192.168.0.129

    !

    ip dhcp pool human_resource

    network 192.168.0.0 255.255.255.192

    default-router 192.168.0.1

    !

    ip dhcp pool Purchasing

    network 192.168.0.64 255.255.255.192

    default-router 192.168.1.65

    !

    ip dhcp pool Sales

    network 192.168.0.128 255.255.255.192

    default-router 192.168.1.129

    !

    ip dhcp pool warehouse

    network 192.168.0.192 255.255.255.192

    default-router 192.168.1.193

    !

    ip dhcp pool VoIP

    network 192.168.1.0 255.255.255.192

    default-router 192.168.0.1

    !

    ip dhcp pool wireless

    network 192.168.1.64 255.255.255.192

    default-router 192.168.1.65

    !

    !

    ip auth-proxy max-nodata-conns 3

    ip admission max-nodata-conns 3

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    interface Loopback0

    no ip address

    !

    interface FastEthernet0/0

    ip address 192.168.1.241 255.255.255.252

    ip nat inside

    ip virtual-reassembly

    duplex auto

    speed auto

    !

    interface Serial0/0

    ip address 130.10.10.1 255.255.255.248

    ip access-group 140 in

    ip access-group 130 out

    ip nat outside

    ip virtual-reassembly

    no fair-queue

    !

    interface FastEthernet0/1

    no ip address

    shutdown

    duplex auto

    speed auto

    !

    interface Serial0/1

    no ip address

    !

    router eigrp 1

    redistribute static

    network 192.168.0.0

    network 192.168.1.0

    network 192.168.99.0 0.0.0.3

    no auto-summary

    !

    ip forward-protocol nd

    ip route 0.0.0.0 0.0.0.0 Serial0/0

    !

    !

    ip http server

    no ip http secure-server

    ip nat pool test 130.10.10.3 130.10.10.6 netmask 255.255.255.248

    ip nat inside source list yes pool test overload

    ip nat inside source static 192.168.243.0 130.10.10.2

    !

    ip access-list standard yes

    permit 192.168.0.0 0.0.1.255 log

    !

    access-list 130 permit tcp 130.10.10.0 0.0.0.7 any eq www

    access-list 130 permit tcp 130.10.10.0 0.0.0.7 any eq 443

    access-list 130 permit tcp 130.10.10.0 0.0.0.7 any eq 443

    !

    !

    !

    control-plane

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    line con 0

    line aux 0

    line vty 0 4

    login

    !

    !

    End

    Router (ISP) Configuration:

    ISP#sh run

    Building configuration...

    Current configuration : 898 bytes

    !

    version 12.3

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname ISP

    !

    boot-start-marker

    boot-end-marker

    !

    !

    username R1 password 0 111

    memory-size iomem 15

    no network-clock-participate slot 1

    no network-clock-participate wic 0

    no aaa new-model

    ip subnet-zero

    ip cef

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    interface Loopback0

    ip address 111.111.111.111 255.255.255.0

    !

    interface FastEthernet0/0

    ip address 2.2.2.1 255.255.255.0

    shutdown

    duplex auto

    speed auto

    !

    interface Serial0/0

    ip address 130.10.10.6 255.255.255.248

    clockrate 64000

    !

    interface Serial0/1

    no ip address

    shutdown

    !

    interface Serial0/2

    no ip address

    shutdown

    !

    interface Serial0/3

    no ip address

    shutdown

    !

    ip http server

    ip classless

    ip route 130.10.10.0 255.255.255.248 Serial0/0

    !

    !

    !

    !

    !

    !

    !

    !

    !

    line con 0

    line aux 0

    line vty 0 4

    login

    !

    !

    End

    Switch Configuration:

    hostname Distribution-Switch

    !

    boot-start-marker

    boot-end-marker

    !

    !

    no aaa new-model

    system mtu routing 1500

    ip subnet-zero

    ip routing

    !

    !

    !

    !

    crypto pki trustpoint TP-self-signed-3287407744

    enrollment selfsigned

    subject-name cn=IOS-Self-Signed-Certificate-3287407744

    revocation-check none

    rsakeypair TP-self-signed-3287407744

    !

    !

    crypto pki certificate chain TP-self-signed-3287407744

    certificate self-signed 01

    !

    !

    !

    !

    !

    spanning-tree mode pvst

    spanning-tree extend system-id

    !

    vlan internal allocation policy ascending

    !

    !

    !

    !

    interface FastEthernet0/1

    switchport trunk encapsulation dot1q

    switchport trunk native vlan 99

    switchport mode trunk

    !

    interface FastEthernet0/2

    no switchport

    ip address 192.168.1.242 255.255.255.252

    !

    interface FastEthernet0/3

    switchport mode dynamic desirable

    !

    interface FastEthernet0/4

    switchport mode dynamic desirable

    !

    interface FastEthernet0/5

    switchport mode dynamic desirable

    !

    interface FastEthernet0/6

    switchport mode dynamic desirable

    !

    interface FastEthernet0/7

    switchport mode dynamic desirable

    !

    interface FastEthernet0/8

    switchport mode dynamic desirable

    !

    interface FastEthernet0/9

    switchport mode dynamic desirable

    !

    interface FastEthernet0/10

    switchport mode dynamic desirable

    !

    interface FastEthernet0/11

    switchport mode dynamic desirable

    !

    interface FastEthernet0/12

    switchport mode dynamic desirable

    !

    interface FastEthernet0/13

    switchport mode dynamic desirable

    !

    interface FastEthernet0/14

    switchport mode dynamic desirable

    !

    interface FastEthernet0/15

    switchport mode dynamic desirable

    !

    interface FastEthernet0/16

    switchport mode dynamic desirable

    !

    interface FastEthernet0/17

    switchport mode dynamic desirable

    !

    interface FastEthernet0/18

    switchport mode dynamic desirable

    !

    interface FastEthernet0/19

    switchport mode dynamic desirable

    !

    interface FastEthernet0/20

    switchport mode dynamic desirable

    !

    interface FastEthernet0/21

    switchport mode dynamic desirable

    !

    interface FastEthernet0/22

    switchport mode dynamic desirable

    !

    interface FastEthernet0/23

    switchport mode dynamic desirable

    !

    interface FastEthernet0/24

    switchport mode dynamic desirable

    !

    interface FastEthernet0/25

    !

    interface FastEthernet0/26

    !

    interface FastEthernet0/27

    !

    interface FastEthernet0/28

    !

    interface FastEthernet0/29

    !

    interface FastEthernet0/30

    !

    interface FastEthernet0/31

    !

    interface FastEthernet0/32

    !

    interface FastEthernet0/33

    !

    interface FastEthernet0/34

    !

    interface FastEthernet0/35

    !

    interface FastEthernet0/36

    !

    interface FastEthernet0/37

    !

    interface FastEthernet0/38

    !

    interface FastEthernet0/39

    !

    interface FastEthernet0/40

    !

    interface FastEthernet0/41

    !

    interface FastEthernet0/42

    !

    interface FastEthernet0/43

    !

    interface FastEthernet0/44

    !

    interface FastEthernet0/45

    !

    interface FastEthernet0/46

    !

    interface FastEthernet0/47

    !

    interface FastEthernet0/48

    !

    interface GigabitEthernet0/1

    switchport mode dynamic desirable

    !

    interface GigabitEthernet0/2

    switchport mode dynamic desirable

    !

    interface GigabitEthernet0/3

    !

    interface GigabitEthernet0/4

    !

    interface Vlan1

    no ip address

    shutdown

    !

    interface Vlan11

    ip address 192.168.0.1 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan21

    ip address 192.168.0.65 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan31

    ip address 192.168.0.129 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan41

    ip address 192.168.0.193 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan51

    ip address 192.168.1.1 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan61

    ip address 192.168.1.65 255.255.255.192

    ip helper-address 192.168.1.241

    !

    interface Vlan99

    ip address 192.168.110.1 255.255.255.0

    !

    !

    router eigrp 1

    no auto-summary

    no eigrp log-neighbor-changes

    network 192.168.0.0

    network 192.168.1.0

    network 192.168.2.0

    network 192.168.3.0

    network 192.168.99.0 0.0.0.3

    !

    ip classless

    ip http server

    ip http secure-server

    !

    !

    !

    control-plane

    !

    !

    line con 0

    line vty 0 4

    no login

    line vty 5 15

    no login

    !

    end

    Access-switch#sh run

    Building configuration...

    Current configuration : 1377 bytes

    !

    version 12.1

    no service pad

    service timestamps debug uptime

    service timestamps log uptime

    no service password-encryption

    !

    hostname Access-switch

    !

    !

    ip subnet-zero

    !

    ip ssh time-out 120

    ip ssh authentication-retries 3

    !

    spanning-tree mode pvst

    no spanning-tree optimize bpdu transmission

    spanning-tree extend system-id

    !

    !

    !

    !

    interface FastEthernet0/1

    switchport trunk native vlan 99

    switchport mode trunk

    !

    interface FastEthernet0/2

    switchport access vlan 11

    switchport mode access

    !

    interface FastEthernet0/3

    switchport access vlan 61

    switchport mode access

    !

    interface FastEthernet0/4

    !

    interface FastEthernet0/5

    !

    interface FastEthernet0/6

    !

    interface FastEthernet0/7

    !

    interface FastEthernet0/8

    !

    interface FastEthernet0/9

    !

    interface FastEthernet0/10

    !

    interface FastEthernet0/11

    !

    interface FastEthernet0/12

    !

    interface FastEthernet0/13

    !

    interface FastEthernet0/14

    !

    interface FastEthernet0/15

    !

    interface FastEthernet0/16

    !

    interface FastEthernet0/17

    !

    interface FastEthernet0/18

    !

    interface FastEthernet0/19

    !

    interface FastEthernet0/20

    !

    interface FastEthernet0/21

    !

    interface FastEthernet0/22

    !

    interface FastEthernet0/23

    !

    interface FastEthernet0/24

    !

    interface GigabitEthernet0/1

    !

    interface GigabitEthernet0/2

    !

    interface Vlan1

    no ip address

    no ip route-cache

    shutdown

    !

    ip http server

    !

    line con 0

    line vty 0 4

    login

    line vty 5 15

    login

    !

    !

    end
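
    One way to cross-check the DHCP pools on R1 against the SVI gateways on the Distribution-Switch, and to list VTY lines set to "no login"; this is an added example, not part of the original report, and the helper names are hypothetical. The embedded excerpts are taken from the configurations above.

```python
import ipaddress

# Excerpts from the R1 and Distribution-Switch configurations on this page (spacing restored).
R1_CONFIG = """\
ip dhcp pool human_resource
 network 192.168.0.0 255.255.255.192
 default-router 192.168.0.1
ip dhcp pool Purchasing
 network 192.168.0.64 255.255.255.192
 default-router 192.168.1.65
ip dhcp pool Sales
 network 192.168.0.128 255.255.255.192
 default-router 192.168.1.129
ip dhcp pool warehouse
 network 192.168.0.192 255.255.255.192
 default-router 192.168.1.193
ip dhcp pool VoIP
 network 192.168.1.0 255.255.255.192
 default-router 192.168.0.1
ip dhcp pool wireless
 network 192.168.1.64 255.255.255.192
 default-router 192.168.1.65
line vty 0 4
 login
"""
SWITCH_CONFIG = """\
interface Vlan11
 ip address 192.168.0.1 255.255.255.192
interface Vlan21
 ip address 192.168.0.65 255.255.255.192
interface Vlan31
 ip address 192.168.0.129 255.255.255.192
interface Vlan41
 ip address 192.168.0.193 255.255.255.192
interface Vlan51
 ip address 192.168.1.1 255.255.255.192
interface Vlan61
 ip address 192.168.1.65 255.255.255.192
line vty 0 4
 no login
line vty 5 15
 no login
"""

def sections(config):
    """Map each top-level IOS line to the indented sub-commands beneath it (as word lists)."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0] == " " and current:
            out[current].append(line.split())
        else:
            current = line.strip()
            out[current] = []
    return out

def dhcp_pools(config):
    """Return {pool name: (network, default-router)}."""
    pools = {}
    for header, body in sections(config).items():
        if header.startswith("ip dhcp pool "):
            cmds = {words[0]: words[1:] for words in body}
            net = ipaddress.ip_network("/".join(cmds["network"]))
            pools[header.split()[-1]] = (net, ipaddress.ip_address(cmds["default-router"][0]))
    return pools

def svis(config):
    """Return {SVI name: interface address} for every 'interface VlanN' with an IP."""
    found = {}
    for header, body in sections(config).items():
        for words in body:
            if header.startswith("interface Vlan") and words[:2] == ["ip", "address"]:
                found[header.split()[-1]] = ipaddress.ip_interface("/".join(words[2:4]))
    return found

def audit_dhcp(router_cfg, switch_cfg):
    """Flag pools whose gateway is off-subnet or differs from the SVI on that subnet."""
    gateways = {i.network: (name, i.ip) for name, i in svis(switch_cfg).items()}
    findings = {}
    for pool, (net, gw) in dhcp_pools(router_cfg).items():
        problems = []
        if gw not in net:
            problems.append(f"default-router {gw} is outside {net}")
        svi, svi_ip = gateways.get(net, ("no SVI", None))
        if svi_ip != gw:
            problems.append(f"{svi} ({svi_ip}) does not match default-router {gw}")
        if problems:
            findings[pool] = problems
    return findings

def open_vty_lines(config):
    """VTY lines configured with 'no login', i.e. remote sessions with no password check."""
    return [header for header, body in sections(config).items()
            if header.startswith("line vty") and ["no", "login"] in body]
```

    audit_dhcp(R1_CONFIG, SWITCH_CONFIG) returns the pools that hand clients a gateway outside their own subnet; open_vty_lines(SWITCH_CONFIG) returns the VTY ranges that accept sessions without authentication.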

    5. Investigation of the Network Related Issues with VoIP Implementation

    VoIP, or IP telephony, is a service that provides voice communication across data networks. VoIP can be used over any IP network, e.g. the Internet, local area networks and intranets. Voice is first digitized into signals appropriate for sending over the network, and converted back when the signal reaches its destination. The two main advantages of implementing VoIP are:

    - Lower cost: ABC's present costs of relying on a traditional telecommunication provider can be lowered by significant amounts. The cost of this service is limited to an Internet connection, or simply the costs linked to rental of a service provider's infrastructure.

    - Increased functionality: VoIP makes it possible to offer services that are impossible for a traditional telecommunication provider. ABC can easily relocate phones without having to reconfigure anything, which is a great feature for future growth (LLC, 2003-2009).

    This service is implemented in our design by connecting an optional number of standalone IP phones, together with applications for other VoIP-capable devices such as computers. This is partly realized by improving the reliability of the existing network and by guaranteeing that newly implemented networks provide the same reliability. The service relies on at least a 90/90 Kbps connection, which is adequate for good voice quality.

    6. The VoIP implementation issues related to Firewall/NAT

    6.1 NAT (Network Address Translation)

    Network address translation, which an enterprise like ABC Co. needs, is used in this network design. NAT prevents internal addresses from being publicized on public networks such as the Internet. This helps keep the private internal addresses secure and does not allow anyone to learn the addresses or the addressing scheme used for the internal network.

    6.2 Firewall

    Each network has one or more firewalls, which enhance security through packet filtering, application gateways and more. The firewall located between the ISP and ABC's network is also where network address translation (NAT) is performed. NAT hides the private network addresses of ABC behind one or a few IP addresses in the public address space. This again improves security and is an important defense against network reconnaissance.

    6.3 Findings & Recommendations:

    1. Firewalls and NAT present a challenge to VoIP implementers; however, there are a few solutions to these problems. Importantly, all three major VoIP protocols, SIP, H.323 and H.248, have similar problems with NATs and firewalls. The use of NAT may be reduced as IPv6 is adopted (Richard, Thomas and Fries, 2005). VoIP issues with firewalls and NAT involve several complexities, some of which are unrelated to the call setup protocols used. NAT is commonly performed by firewalls to conserve IP addresses and to hide internal IP addresses and ports from external, direct access. This causes issues for VoIP because endpoints negotiate ports for media exchange and communicate these ports to one another in packet payloads. The RTMM (Real Time Mixed Media) must be used to prevent latency, jitter or loss of packets (Tahir and Shahzad, 2010).

    2. Making a phone call becomes very complex when a NAT is introduced. The situation is analogous to a phone network where many phones have the same number, such as a house where there is only one line but multiple numbers can be on that line. There are several issues related to transmission of the media itself across the NAT, including incompatibility with IPsec (Tahir and Shahzad, 2010).

    Problems:

    a. Simple NAT devices that are not aware of VoIP perform NAT on the IP headers only.

    b. A VoIP packet contains a private IP address in the payload. Therefore VoIP sessions cannot be established.

    Solution:

    a. Perform translation on the IP header and the packet payload with a routable IP address (far-end NAT).

    b. Media relay until full session establishment.

    Session Border Controller (SBC)

    a. SBCs started as a solution to connectivity problems caused by NAT performed by non-VoIP-aware devices (see figure 1).

    b. SBCs are used by carriers and are located at the border of their core networks (Check Point Software Technologies).

    Fig 5. Session Border Controller (Check Point Software Technologies)

    3. All firewalls have to be SIP (Session Initiation Protocol) capable in order to support the wide-scale deployment of real-time communication. Several solutions have been proposed to work around the firewall/NAT traversal issues that limit SIP-based communication.

    Fig 6. SIP (Session Initiation Protocol)

    SIP-capable firewalls are either SIP ALG (Application Level Gateway) based or SIP proxy based. The ALG offers a few benefits, taking care of whether LAN traffic has reached its destination or not; the benefits of the proxy-based approach are as follows.

    In addition, the SIP proxy can offer benefits not available with the ALG architecture:

    a. Far-end NAT traversal to support remote workers such as road warriors and home users
    b. Encrypted SIP signaling (TLS) and media (SRTP)
    c. Authentication
    d. Advanced filtering
    e. Advanced routing and control features
    f. Intelligence to enable the firewall to act as a backup for a hosted or centralized IP-PBX

    4. To address the VoIP NAT traversal problem, STUN, TURN and ICE can be used.

    a. STUN (Simple Traversal of UDP through NATs) requires a STUN client on the phone connecting to a STUN server.
    b. TURN (Traversal Using Relay NAT) requires the installation of a TURN server.
    c. ICE (Interactive Connectivity Establishment) uses STUN or TURN to solve this problem.
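
    The header-only NAT problem from item 2, as an added example that is not part of the original report: a constructed SIP INVITE from a phone in the Sales VLAN passes through a NAT that rewrites only the packet source, and then through a payload-aware translation. The message, the far-end address 203.0.113.10 and all function names are assumptions; 130.10.10.3 is taken from the NAT pool in the R1 configuration, and port numbers are assumed to be kept unchanged by the NAT.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample: an INVITE from a phone at 192.168.0.130 (Sales VLAN on this page).
# User names, tags, ports and the far-end address are made up for the example.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.0.130\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.0.130\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.130:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.0.130\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.0.130:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n"
    "\r\n" + SDP
)
PACKET = {"src": ("192.168.0.130", 5060), "dst": ("203.0.113.10", 5060), "payload": INVITE}


def is_rfc1918(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def private_references(message):
    """Return [(header name or SDP field, address)] for each private address in the payload."""
    head, _, body = message.partition("\r\n\r\n")
    hits = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        hits += [(line.split(":", 1)[0], ip) for ip in IPV4.findall(line) if is_rfc1918(ip)]
    for line in body.split("\r\n"):
        hits += [(line[:2], ip) for ip in IPV4.findall(line) if is_rfc1918(ip)]
    return hits


def media_target(message):
    """Address and port the far end is told to send RTP to (SDP c= and m= lines)."""
    body = message.partition("\r\n\r\n")[2]
    addr = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    return addr, port


def header_only_nat(packet, public_ip):
    """A NAT that is not VoIP-aware: rewrites the packet source, leaves the payload alone."""
    return dict(packet, src=(public_ip, packet["src"][1]))


def payload_aware_nat(packet, public_ip):
    """Also translate Via, Contact and the SDP o=/c= lines, then repair Content-Length."""
    private_ip = packet["src"][0]
    swap = lambda s: IPV4.sub(lambda m: public_ip if m.group() == private_ip else m.group(), s)
    head, sep, body = packet["payload"].partition("\r\n\r\n")
    body = "\r\n".join(swap(l) if l[:2] in ("o=", "c=") else l for l in body.split("\r\n"))
    lines = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].lower()
        if name in ("via", "contact"):
            line = swap(line)
        elif name == "content-length":
            line = f"Content-Length: {len(body)}"  # ASCII body, so characters == bytes
        lines.append(line)
    return dict(packet, src=(public_ip, packet["src"][1]),
                payload="\r\n".join(lines) + sep + body)
```

    After header_only_nat the far end is still told to send media to 192.168.0.130; after payload_aware_nat the SDP points at the public address, while the Call-ID, which is left untouched, still carries the internal address.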

    References

    - McCabe, D.J. 2007. Network analysis, architecture and design. Morgan Kaufmann Publishers, Burlington: USA.

    - Check Point Software Technologies Ltd. Check Point solution for secure VoIP. 2003-2007.

    - LLC, V.-I. (2003-2009). What is VoIP. Retrieved from VoIP-info: http://www.voip-info.org/wiki/view/What+is+VOIP. Retrieved on 2nd October 2010.

    - Richard, D., Thomas, J. W. and Fries, S. 2005. Security consideration for voice over IP systems: Recommendations of the National Institute of Standards and Technology. Special Publication 800-58, sections 8 and 9.

    - Shinder, D. 2007. Four obstacles to implement VoIP. http://articles.techrepublic.com.com/5100-10878_11-6183187.html?part=rss&tag=feed&subj=tr. Retrieved on 8th of October 2010.

    - Tahir, A. and Shahzad, A. 2010. Security issues for VOIP systems. http://www.ijcns.org/papers/Vol.2_No.5/100508.pdf. Retrieved on 24th September 2010.