Threaded Case Study - PowerPoint PPT Presentation

1
Threaded Case Study
  • Jim Newhoff
  • Phillip Barnhill

2
SCOPE
  • The Washington School District is implementing a
    wide area network (WAN) connecting all Schools
    and offices in the district. There will be a
    high-speed WAN core comprised of three regional
    hubs: the District Office, the Service Center and
    Shaw Butte Elementary School. All Schools in the
    district will connect to the WAN through one of
    these hubs, based on their location.
  • The purpose for this endeavor is not only to
    provide connectivity between all of the School
    locations and offices, but also to provide the
    district with the capabilities of an online
    automated system for all administrative and many
    of the curricular functions.
  • The design of the network will follow accepted
    network design methodology.

3
NETWORK DESIGN MODEL
  • This design needs to meet certain requirements
    whilst keeping in mind the Network Design Goals:
  • Scalability: The ability to address the needs of
    an increasing number of users.
  • Adaptability: A network that can accommodate new
    services and technology without significant
    changes to the existing structure.
  • Cost Control: Keeping the costs of the network
    design within the budget constraints.

4
User Requirements  
  • A LAN that is functional for a minimum of 7-10
    years and scalable to allow for up to 1000%
    growth in the LAN throughput and 100% growth in
    the WAN throughput.
  • Protocols allowed on the WAN: TCP/IP and IPX.
  • Bandwidth of 1.0 Mbps for each workstation and
    100 Mbps for all servers
  • Ethernet 10BaseT, 100BaseT and 100BaseFx and
    cabling that will meet EIA/TIA 568 standards and
    will include both Category 5 Unshielded Twisted
    Pair (CAT5 UTP) and fiber optic multimode cable
  • A router installed at each of the three regional
    hubs as well as at each School-X site.
  • Two LAN segments at each School: one segment will
    be for students/curriculum and the other for
    administrative use.
  • Internet access through the District Office,
    available for everyone. Services will include
    Domain Name Services and E-mail services.

5
  • A web server will also be available so that all
    Schools have the capability to set up home pages.
  • Servers will be used, each using the TCP/IP
    protocol:
  • 1. Administrative server for student tracking,
    records, grades, etc.; it will be accessible only
    to the staff.
  • 2. A library server will be available to all
    School sites to serve as an online library as
    well as a research tool.
  • 3. An application server will be located at each
    School site and will hold all applications such
    as word processing, spreadsheet and presentation
    software.
  • 4. Other servers can be implemented once
    placement on the network has been decided.
  • Security will be maintained by denying access to
    the Intranet from the Internet, through the use
    of a double firewall.
  • Access Control Lists will be used to prevent
    curriculum LAN traffic from accessing the
    Administrative LAN segments.
  • E-mail and Domain Name Service (DNS) will be
    permitted to communicate freely in both
    directions as these pose no threat to the network.

6
SOME SPECIFIC USER REQUIREMENTS
  • The design team has flexibility in how they
    implement the design.
  • There is provision for part of the (proposed) MDF
    room to be divided up securely into an
    appropriately sized room.
  • The portable classrooms are to be removed for six
    months of each year and relocated to another
    School. They are situated on a concrete
    foundation, so when they are relocated they will
    be put back in their original positions. The
    network must make provision for easy
    disconnection and reconnection of these classes
    to the network.
  • Allowance has been made for the services of one
    technical person split between Acacia and a
    connected School, effectively giving Acacia a
    technician for ½ a day, 5 days a week.
  • Initial estimated Internet usage is for 15
    students to simultaneously access the internet at
    a data rate of 56Kb/s.
  • System backups are to be made at 1 am each day.

7
SOME SPECIFIC USER REQUIREMENTS
  • The team has freedom to implement an appropriate
    printing strategy around the following
    requirements: There is a Network printer of large
    capacity, that will service the Admin network, to
    be located in room "F" in the admin block. The
    total output from student printing is estimated
    to be around 1000 pages per day, of which 80%
    will be black and white and 20% color. The budget
    will not allow a printer in each classroom.
  • The School requires a redundant uplink
    implemented via ISDN on the BRI port of the
    School's router to the District office router,
    which will be utilized when the primary link goes
    down.
  • The School "library" is a mobile library in the
    form of a bus that visits the School every few
    days. There is to be a Library server that
    connects to the Internet using the IPX protocol.
    This server holds a local copy of the "curricular
    research" library that is located on the server
    at the district office.
  • Three servers are required. One will be an
    Internet web server for the use of students doing
    web courses etc. The second is to be an
    Enterprise server, located in room "H", which
    will host the applications such as MS Office.
    This server will also host Accounts/Admin
    software but access to this software is limited
    to the School Principal and his Secretary, except
    for the uploading by tutors of certain data such
    as student results, attendances, class details
    etc. The third server is the library server,
    which keeps a local copy of the research library
    taken from the district office.
  • Rooms A, E, C and D in the Admin Area are to be
    fitted with 4 outlets (one on each wall) to allow
    flexibility in the room layout.
  • The design team is to allocate a room numbering
    system.
  • The multipurpose building is to have two outlets
    so it can handle occasional heavy loading such as
    enrolments etc. 

8
Access Control List Implementation
  • Objectives
  • Access Control Lists are used at the District
    level to provide the public the ability to view
    the home pages of the many Schools, but to
    restrict access to the Intranet from the
    Internet. These lists can be used to filter
    traffic based on IP addresses, and also protocols
    and port numbers.
  • Access Control Lists at the School level are
    implemented to ensure students are not allowed
    access to the administrative network, except for
    e-mail and DNS services. The application server
    located on the student network is allowed to
    freely transmit data to any destination.

9
Wide Area Network (WAN)
  • Implementation of the IP addresses: We will be
    using the private class A address 10.0.0.0 for
    the network and using NAT (Network Address
    Translation) for connecting to the Internet with
    a class C IP address of 158.10.10.0.
  • Using the private address 10.0.0.0:
    0000 1010 . XXXX XXXX . XX XX XXXX . XXXX XXXX
  • 8 bits for network, 10 bits for subnet, 14 bits
    for hosts
  • Subnet Mask 255.255.192.0

10
WAN IP ADDRESS TABLES example
  • Subnet | ID | Host Range | Subnet Broadcast
  • 1 | 10.0.64.0 | 10.0.64.1 - 10.0.127.254 | 10.0.127.255
  • 2 | 10.0.128.0 | 10.0.128.1 - 10.0.191.254 | 10.0.191.255
  • 3 | 10.0.192.0 | 10.0.192.1 - 10.0.255.254 | 10.0.255.255
  • 4 | 10.1.0.0 | 10.1.0.1 - 10.1.63.254 | 10.1.63.255
  • 5 | 10.1.64.0 | 10.1.64.1 - 10.1.127.254 | 10.1.127.255
  • 6 | 10.1.128.0 | 10.1.128.1 - 10.1.191.254 | 10.1.191.255
  • 7 | 10.1.192.0 | 10.1.192.1 - 10.1.255.254 | 10.1.255.255
  • 8 | 10.2.0.0 | 10.2.0.1 - 10.2.63.254 | 10.2.63.255
  • 9 | 10.2.64.0 | 10.2.64.1 - 10.2.127.254 | 10.2.127.255
  • 10 | 10.2.128.0 | 10.2.128.1 - 10.2.191.254 | 10.2.191.255
  • 11 | 10.2.192.0 | 10.2.192.1 - 10.2.255.254 | 10.2.255.255
  • 12 | 10.3.0.0 | 10.3.0.1 - 10.3.63.254 | 10.3.63.255
  • 13 | 10.3.64.0 | 10.3.64.1 - 10.3.127.254 | 10.3.127.255
  • 14 | 10.3.128.0 | 10.3.128.1 - 10.3.191.254 | 10.3.191.255
  • 15 | 10.3.192.0 | 10.3.192.1 - 10.3.255.254 | 10.3.255.255
  • 16 | 10.4.0.0 | 10.4.0.1 - 10.4.63.254 | 10.4.63.255
  • 17 | 10.4.64.0 | 10.4.64.1 - 10.4.127.254 | 10.4.127.255

11
IP implementation
  • Curriculum Network: Router Port E1, IP Address
    10.66.128.0, range of host addresses available
    10.66.128.1 - 10.66.195.254
  • Administration Network: Router Port E0, IP Address
    10.66.64.0, range of host addresses available
    10.66.64.1 - 10.66.127.254
  • Server Network: Router Port E2, IP Address
    10.66.192.0, range of host addresses available
    10.66.192.1 - 10.66.255.254
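The WAN table and the per-school ranges above can be regenerated from the mask alone. The following is an added example, not part of the original presentation; the function names are hypothetical, and the school ranges in `STATED` are copied as written on the slides so they can be compared with what the mask 255.255.192.0 yields.

```python
import ipaddress
from itertools import islice

MASK = "255.255.192.0"  # from the slides: 8 network + 10 subnet + 14 host bits
PREFIX = ipaddress.ip_network(f"0.0.0.0/{MASK}").prefixlen  # 18

def subnet_row(net):
    """(subnet ID, first host, last host, broadcast) for one subnet."""
    net = ipaddress.ip_network(net)
    return (str(net.network_address), str(net.network_address + 1),
            str(net.broadcast_address - 1), str(net.broadcast_address))

def wan_table(count, block="10.0.0.0/8"):
    """Rows 1..count of the WAN table; subnet zero (10.0.0.0) is skipped,
    as it is on the slide."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=PREFIX)
    return [subnet_row(s) for s in islice(subnets, 1, count + 1)]

# School ranges exactly as written on the slides: subnet ID, first, last host.
STATED = {
    "Administration": ("10.66.64.0", "10.66.64.1", "10.66.127.254"),
    "Curriculum": ("10.66.128.0", "10.66.128.1", "10.66.195.254"),
    "Server": ("10.66.192.0", "10.66.192.1", "10.66.255.254"),
}

def check_stated(stated=STATED):
    """Return {name: (first, last) computed from the mask} for every stated
    range that differs from the computed one."""
    wrong = {}
    for name, (sid, first, last) in stated.items():
        _, c_first, c_last, _ = subnet_row(f"{sid}/{PREFIX}")
        if (first, last) != (c_first, c_last):
            wrong[name] = (c_first, c_last)
    return wrong

def overlapping(stated=STATED):
    """Pairs of stated ranges that share at least one address."""
    spans = {n: (int(ipaddress.ip_address(f)), int(ipaddress.ip_address(l)))
             for n, (_, f, l) in stated.items()}
    names = sorted(spans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]

if __name__ == "__main__":
    for number, row in enumerate(wan_table(17), start=1):
        print(number, *row)
    print(check_stated(), overlapping())
```

`check_stated()` reports the Curriculum range: with this mask the last host of 10.66.128.0 is 10.66.191.254, and `overlapping()` shows that the range as written runs into the Server network.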

12
IPX implementation
  • School-X(config)# ipx routing
  • School-X(config)# interface ethernet 0
  • School-X(config-if)# ipx network 4240
  • School-X(config-if)# exit
  • School-X(config)# interface ethernet 1
  • School-X(config-if)# ipx network 4280
  • School-X(config-if)# exit
  • School-X(config)# interface ethernet 2
  • School-X(config-if)# ipx network 42C0
  • School-X(config-if)# exit
  • School-X(config)# interface serial 0
  • School-X(config-if)# ipx network ????
  • School-X(config-if)# exit
  • School-X(config)# exit
  • School-X#

13
ACL logistics
  • Deny users access from the curriculum LAN segment
    10.66.128.0 into the administration LAN segment
    10.66.64.0
  • Give the administration LAN segment complete
    access to the curriculum LAN segment
  • Permit any Domain Name System (DNS) or E-mail
    traffic to the DNS/E-mail server located in the
    administration LAN segment
  • Deny users in the curriculum LAN from telnet-ing
    to any server

14
Standard ACL example
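  • ! Deny packets sourced from the curriculum LAN, permit everything else
  • access-list 1 deny 10.66.128.0 0.0.63.255
  • access-list 1 permit any
  • ! Filter traffic leaving E0 toward the administration LAN
  • interface E0
  • ip access-group 1 out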

15
Extended ACL example
  • ! Deny Telnet (TCP 23) from the curriculum LAN to the server network
  • access-list 100 deny tcp 10.66.128.0 0.0.63.255 10.66.192.0 0.0.63.255 eq 23
  • access-list 100 permit ip any any
  • interface E1
  • ip access-group 100 in

16
  • School-X# config t
  • School-X(config)# access-list 101 permit ip host 10.66.128.2 10.66.0.0 0.0.255.255
  • ! The above line allows traffic from the application server, which is
    located on the curriculum LAN, to communicate freely with the whole network
  • School-X(config)# access-list 101 permit ip 10.66.64.0 0.0.63.255 10.66.128.0 0.0.63.255
  • ! The above line allows traffic from the administration subnet to
    communicate with the curriculum LAN
  • School-X(config)# int E1
  • School-X(config-if)# ip access-group 101 out
  • School-X(config)# access-list 102 permit tcp 10.66.128.0 0.0.63.255 host 10.66.192.2 eq 25
  • ! The above line allows the student/curriculum network to access the
    E-Mail Server on the Server Subnet
  • School-X(config)# access-list 102 permit udp 10.66.128.0 0.0.63.255 host 10.66.192.2 eq 53
  • ! The above line allows the student/curriculum network to access the
    DNS Server on the Server Subnet
  • School-X(config)# access-list 102 deny ip 10.66.128.0 0.0.63.255 10.66.192.0 0.0.63.255
  • ! The above line denies all other traffic from the Student/Curriculum
    subnet
  • School-X(config)# access-list 102 permit ip any any
  • ! The above line permits all other ip traffic so that the district
    office can access the School-X Servers
  • School-X(config)# int E2
  • ! List 102 matches on curriculum source addresses, so it is applied
    outbound on E2, where that traffic leaves the router toward the servers
  • School-X(config-if)# ip access-group 102 out
  • School-X# config t
  • School-X(config)# access-list 103 permit tcp 10.66.128.0 0.0.63.255 any eq 80
  • ! The above line allows the Students to access the internet
  • School-X(config)# access-list 103 permit ip 10.66.128.0 0.0.63.255 host 10.66.4.4
  • ! The above line allows the Students to access the Library Server
    located at the District Office
  • School-X(config)# access-list 103 permit ip 10.66.64.0 0.0.63.255 any
  • ! The above line allows the Admin LAN full access out of the Acacia
    router
  • School-X(config)# int S0
  • School-X(config-if)# ip access-group 103 out
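Before lists like 102 and 103 go onto a router, they can be checked offline against the policy in "ACL logistics". The following is an added example, not part of the original presentation: a small first-match evaluator with wildcard masks and the implicit deny, run over the entries copied from the slide. The function names and the sample packets are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask leaves at 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def parse_operand(tokens):
    """Consume one operand: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, rest = parse_operand(t[4:])
    dst, rest = parse_operand(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[2], t[3], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    for action, p, s, d, port in map(parse_ace, acl):
        if (p in ("ip", proto) and wildcard_match(src, *s)
                and wildcard_match(dst, *d) and port in (None, dport)):
            return action
    return "deny"

# Entries copied from the slide.
ACL_102 = [
    "access-list 102 permit tcp 10.66.128.0 0.0.63.255 host 10.66.192.2 eq 25",
    "access-list 102 permit udp 10.66.128.0 0.0.63.255 host 10.66.192.2 eq 53",
    "access-list 102 deny ip 10.66.128.0 0.0.63.255 10.66.192.0 0.0.63.255",
    "access-list 102 permit ip any any",
]
ACL_103 = [
    "access-list 103 permit tcp 10.66.128.0 0.0.63.255 any eq 80",
    "access-list 103 permit ip 10.66.128.0 0.0.63.255 host 10.66.4.4",
    "access-list 103 permit ip 10.66.64.0 0.0.63.255 any",
]

if __name__ == "__main__":
    # Constructed packets: a student PC using Telnet, then a server sending out S0.
    print(evaluate(ACL_102, "tcp", "10.66.128.50", "10.66.192.2", 23))
    print(evaluate(ACL_103, "tcp", "10.66.192.2", "192.0.2.25", 25))
```

On these entries, DNS over TCP from the curriculum LAN to 10.66.192.2 hits the deny entry of list 102, because only UDP port 53 is permitted. A packet sourced from the server network matches nothing in list 103 and is dropped by the implicit deny.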

17
Admin Network 10.66.64.0
  • Address Range 10.66.64.1 - 10.66.127.254
  • Curriculum Network 10.66.128.0: Address Range
    10.66.128.1 - 10.66.195.254
  • Server Network 10.66.192.0: Address Range
    10.66.192.1 - 10.66.255.254

26
OTHER PROTOCOLS
  • WAN Protocols Summary
  • The WAN key link protocols will be
  • PPP for WAN Core Links (Hub to Hub) over T1 lines
  • PPP for School link to WAN District Hub over T1
    lines
  • ISDN with PPP encapsulation for Community School
    Link to WAN District Hub
  • Frame Relay from Border Router to Internet
    Service Provider.

27
Questions?
We will be available for questions after the
conference.