Final Project I
MEKELLE UNIVERSITY
ETHIOPIAN INSTITUTE OF TECHNOLOGY
DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
Project I
Network and System Design Proposal for
Vision 2000
TEAM MEMBERS
1. Elias Degu
2. Mewael Hayelom
3. Razin Messele
4. Yadessa Emiru
Mekelle, Ethiopia
10/02/2017
VISION 2000 NETWORK INFRASTRUCTURE AND
NETWORK SYSTEMS DOCUMENT
ABSTRACT
This project was designed by the 2017 interns in response to a request by VISION 2000, a public
research company. The company occupies a five-story building. The ground floor is used as a store
and the first floor is a meeting hall. Currently, there is a decentralized network used only for Internet
access. The management of the company has become aware of the role ICT can play in realizing its
mission and has therefore requested us (INSA interns) to provide a secure, reliable, scalable, and
cost-effective network and system design proposal.
This document is expected to contain the complete network design and analysis that addresses the
automation and IT needs of Vision2000. The main expectation of this design is the exchange of data
and information across all offices in support of organizational goals.
In this context, we have covered:
- The type and content of the applications that should be exchanged.
- A detailed requirement study for the Local Area Network of Vision2000.
- An assessment of all connectivity requirements.
For the design and implementation of the network infrastructure for Vision2000, we, the INSA interns,
have already taken some initial steps that will create a strong base for the near-future implementation
of the whole project.
Table of Contents
Introduction (page 10)
1. Background (page 10)
In scope (page 11)
5. Methodology (page 13)
Logical topology (page 19)
IP Addressing (page 26)
Trunk (page 43)
Trunking design considerations (page 43)
8. Routing (page 60)
Introduction (page 60)
9. Security (page 66)
LIST OF TABLES
Table 1: VLAN design (page 25)
Table 7: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 01 (page 58)
Table 8: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 02 (page 58)
LIST OF FIGURES
Figure 8: Traffic Flows Are Permitted from Higher to Lower Security Levels (page 71)
Figure 9: Traffic Flows Are Blocked from Lower to Higher Security Levels (page 71)
List of Abbreviations
ACL Access Control List
AD DS Active Directory Domain Service
ADSL Asymmetric Digital Subscriber Line
AON Application-Oriented Network
BW Bandwidth
CAN Campus Area Network
CAT6 Category 6
CCTV Closed-Circuit Television
DC Domain Controller
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
ECNM Enterprise Composite Network Model
ET Ethiopian Telecom
ESA Email Security Appliance
HIDS Host Based Intrusion Detection System
ICT Information Communication Technology
IDS Intrusion Detection System
IIN Intelligent Information Network
INSA Information Network Security Agency
IPS Intrusion Prevention System
IT Information Technology
MAC Media Access Control
LAN Local Area Network
NAT Network Address Translation
QoS Quality of Service
SMTP Simple Mail Transfer Protocol
SONA Service-Oriented Network Architecture
TCP Transmission Control Protocol
UDP User Datagram Protocol
UTP Unshielded Twisted Pair
VLAN Virtual Local Area Network
VPN Virtual Private Network
WAN Wide Area Network
WSA Web Security Appliance
Introduction
1. Background
Vision 2000 is one of the institutions engaged in providing short-, medium- and long-term
development credits. Vision 2000's distinguishing feature is its "project"-based lending tradition.
Projects financed by the Bank are carefully selected and prepared, thoroughly appraised, closely
supervised and systematically evaluated.
Since its establishment in 2000, the institution has played a significant role in promoting the overall
economic development of the country.
Since its re-establishment in 2003, Vision 2000 has gained recognition at national and
international levels. Nationally, it is the sole company with reputable experience in long-term
investment financing and research. Internationally, it is recognized as an important and leading
channel for development programs financed by bilateral and/or multilateral sources.
In order to fulfil the commitment given to the organization, Vision 2000 is focusing on the
development of ICT programs. It should be noted that Vision 2000 has no existing network
infrastructure that could be upgraded, so it wants to build a new network infrastructure.
The enterprise invited INSA interns to study and design an ICT infrastructure for the main office
located in Addis Ababa, Ethiopia. The network engineering design and material requirement analysis
cover Vision 2000 as a whole; with such an undertaking, it is expected that all offices, including
branches, will be able to exchange data and information, enhancing their productivity in
achieving the common development goals.
The objective of this project is to build and implement a secure network infrastructure (LAN and
WAN) in the Vision 2000 HQ and its branch offices.
The network infrastructure objective of this project is to analyze the requirements and to design and
implement a secure, scalable, adaptable, reliable, available and converged network infrastructure
that enables Vision 2000 to effectively manage and facilitate its day-to-day activities using automated
application systems, Internet access and file sharing between its offices.
Hence, the network infrastructure will be implemented in Vision 2000 to meet the following
objectives:
- Implement a reliable, scalable, adaptable and available LAN and WAN network infrastructure in the
  Vision 2000 HQ and its branch offices to access the enterprise's automated application systems and
  Internet services.
- Secure, reliable, available and affordable service.
- Web system, mail system and server farm, which enable the agency with the ultimate goal of
  providing a secure, effective and efficient infrastructure to the Vision 2000 HQ and its branch
  offices.
- Wireless LAN on each floor.
In scope
The scope of this project is limited by the assumption that the company has 4 branches with
not more than 350 users in each.
The scope of the network infrastructure and network systems project includes the following
main activities:
- Provide network documentation.
- Provide centralized network access.
- Provide a server-based anti-virus system.
- Provide floor-based wireless connections.
- Deploy/implement the designed network infrastructure (installation/placement, configuration,
  testing and approval of network equipment such as firewalls, switches, servers and other relevant
  network accessories).
- Perform network acceptance testing.
- Provide on-the-job training to the company's network administrators on how to administer and
  manage the deployed network infrastructure.
Out of scope
The designed network infrastructure can support video, data, and voice services. The following tasks
will not be covered:
- Voice over IP (VoIP)
- Video conferencing
- Security cameras (CCTV)
To design and build a successful network, you must gain a thorough understanding of the traffic
generated by applications in use, plus the traffic flow to and from the user communities. All
devices on the network will produce data to be transported across the network. Each device
could involve many applications that generate data with differing patterns and loads.
Traffic analysis refers to characterizing the existing and/or expected traffic flow, traffic pattern,
traffic volume, and protocols. This characterization requires identifying the sources and destinations
of network traffic and the direction and symmetry of its travel. The approach can be simplified by
first identifying the major traffic sources, which leads to grouping users into communities that use a
particular application or set of applications. Applications such as electronic mail, word processing,
printing, file transfer, and most web browsers produce data traffic patterns that are predictable from
source to destination. That is, users are categorized by their application usage, and the data stores
are identified.
In the context of the VISION 2000 network we start from the "mission critical applications" to group
user communities.
Thus the user communities are listed as follows:
1. Internal user community
2. External user community
3. Supervisor user community
4. Programmers user community
5. Data entry user community
6. Analysis user community
The data stores to be included are:
1. Data server for the storage and retrieval of raw data using the application.
2. Database server for the storage and retrieval of statistical data using the application.
3. Application server for the distribution of computer applications such as antivirus software.
4. Authentication and antivirus servers.
5. Web and mail servers. These servers will be accessed by external users, so they will be
placed in a DMZ. Access to them will be protected by separate VLAN configurations and
access controls using a firewall.
[Figure: traffic flows between the Internet, the external user community, the DMZ, the server farm and storage network, the enterprise application user community and the internal user community; flows are labelled symmetrical or asymmetrical, and bidirectional.]
5. Methodology
- Network access in the company should be centralized, i.e., every customer should be
  authenticated centrally by a server and not locally by his/her machine.
- They have web and mail servers that should be accessed from the Internet. They need to
  register their own domain and DNS infrastructure.
- They also need a server-based antivirus system.
- This company has four branches.
Design Philosophy
We understand that network infrastructures are designed and implemented to achieve the business
and technical goals of a given organization. The philosophy INSA Interns adopts in the design of
network infrastructures follows these three steps:
5.3.1 Vision
INSA Interns believes that any networking infrastructure has to be built to serve the information flow
requirements of an organization. That is, the networks that are designed and deployed should be aware
of the information flow of the organization. INSA Interns has adopted the Intelligent Information
Network (IIN) technology as the vision for the networks it designs. This technology offers an
evolutionary approach that consists of three phases in which functionality can be added to the
infrastructure as required.
Integrated services: After the network infrastructure has been converged, IT resources can be
pooled and shared or “virtualized” to flexibly address the changing needs of the organization.
Integrated services help unify common elements, such as storage and data center server
capacity. By extending virtualization capabilities to encompass server, storage, and network
elements, an organization can transparently use all its resources more efficiently.
Integrated applications: With Application-Oriented Networking (AON) technology, this
phase focuses on making the network “application-aware” so that it can optimize application
performance and deliver networked applications to users more efficiently. In addition to
capabilities such as content caching, load balancing, and application-level security, AON
makes it possible for the network to simplify the application infrastructure by integrating
intelligent application message handling, optimization, and security into the existing network.
Using IIN helps organizations address new IT challenges, such as the deployment of service-oriented
architectures (SOA), Web services, and virtualization.
5.3.2 Framework
INSA Interns has adopted the Service-Oriented Network Architecture (SONA) framework to design
networks that are Intelligent Information Networks. SONA is a framework that guides the evolution of
enterprise networks to an IIN. SONA provides the following advantages to enterprises:
The adopted SONA framework shows how integrated systems can allow a dynamic, flexible
architecture, and provide for operational efficiency through standardization and virtualization. It
brings forth the notion that the network is the common element that connects and enables all
components of the IT infrastructure.
campus, branch, data center, WAN and Metropolitan Area Network (MAN), and teleworker.
The objective for customers in this layer is to have anywhere and anytime connectivity.
Interactive services layer: Enables efficient allocation of resources to applications and
business processes that are delivered through the networked infrastructure. This layer
comprises these services:
o Voice and collaboration
o Mobility
o Security and identity
o Storage
o Compute
o Application networking
o Network infrastructure virtualization
o Services management
o Adaptive management
Application layer: Includes business applications and collaboration applications. The
objective for customers in this layer is to meet business requirements and achieve efficiencies
by leveraging the interactive services layer.
5.3.3 Model
INSA Interns has adopted Enterprise Composite Network Model (ECNM) for the networks it
designs. This model is based on the hierarchical network model principles. ECNM can be used to
divide the enterprise network, the network infrastructure of SONA, into physical, logical, and
functional areas. These areas allow our network designers and engineers to associate specific network
functionality on equipment based upon its placement and function in the model.
Enterprise campus: Contains the modules required to build a hierarchical, highly robust
campus network that offers performance, scalability, and availability. This area contains the
network elements required for independent operation within a single campus, such as access
from all locations to central servers. The functional area does not offer remote connections or
Internet access.
Enterprise edge: Aggregates connectivity from the various resources external to the
enterprise network. As traffic comes into the campus, this area filters traffic from the external
resources and routes it into the enterprise campus functional area. It contains all the network
elements for efficient and secure communication between the enterprise campus and remote
locations, remote users, and the Internet. The enterprise edge would replace the Demilitarized
Zone (DMZ) of most networks.
Service provider edge: Represents connections to resources external to the campus. This area
facilitates communication to WAN and Internet service provider (ISP) technologies.
The enterprise campus functional area includes the campus infrastructure, network management,
server farm, and edge distribution modules. Each module has a specific function within the campus
network:
Campus infrastructure module: Includes building access and building distribution sub
modules. It connects users within the campus to the server farm and edge distribution
modules. The campus infrastructure module is composed of one or more floors or buildings
connected to the campus backbone sub module.
Network management module: Performs system logging, authentication, network
monitoring, and general configuration management functions.
Server farm module: Contains e-mail and corporate servers providing application, file, print,
e-mail, and Domain Name System (DNS) services to internal users.
Edge distribution module: Aggregates the connectivity from the various elements at the
enterprise edge functional area and routes the traffic into the campus backbone sub module.
The campus infrastructure module connects users within a campus to the server farm and edge
distribution modules. The campus infrastructure module comprises building access and building
distribution switches connected through the campus backbone to campus resources.
Building access layer sub module: Contains end-user workstations, IP phones, and Layer 2
access switches that connect devices to the building distribution sub module. The building
access layer sub module performs services such as support for multiple VLANs, private
VLANs, and establishment of trunk links to the building distribution layer and IP phones.
Each building access switch has connections to redundant switches in the building distribution
sub module.
Building distribution layer sub module: Provides aggregation of building access devices,
often using Layer 3 switching. The building distribution sub module performs routing, QoS,
and access control. Traffic generally flows through the building distribution switches and onto
the campus core or backbone. This sub module provides fast failure recovery because each
building distribution switch maintains two equal-cost paths in the routing table for every Layer
3 network number. Each building distribution switch has connections to redundant switches in
the core.
Campus backbone (Core layer) sub module: Provides redundant and fast-converging
connectivity between buildings and the server farm and edge distribution modules. The
purpose of the campus backbone sub module is to switch traffic as fast as possible between
campus infrastructure sub modules and destination resources. Forwarding decisions should be
made at the ASIC level whenever possible. Routing, ACLs, and processor-based forwarding
decisions should be avoided at the core and implemented at building distribution devices
whenever possible. High-end Layer 2 or Layer 3 switches are used at the core for high
throughput, with optimal routing, QoS, and security capabilities available when needed.
Logical topology
The logical design for Vision 2000 uses the collapsed core model, with the necessary security and
switching devices integrated into it. The main assumption taken here is that the organization is a
research company, and the security requirements (firewall), redundancy and speed were chosen on
that basis.
[Figure: logical topology. Internet, external firewall, DMZ (web server, DMZ switches), internal firewall, server farm (AD/DC, anti-virus, application and database servers, server farm switches, storage area network), network management switches, VPN, two collapsed core switches (Cisco 4500 series / Nexus 7000 / Catalyst 4948), access switches and IP phones.]
Device Naming
Device naming refers to assigning a specific name to each device in a network. By choosing and
documenting names wisely, it is easier to remember and identify network devices during
troubleshooting and administration. If the hostname is not explicitly configured, the device uses the
factory-assigned default hostname, which would create considerable confusion during network
configuration and maintenance. Device naming is particularly important when accessing a remote
device using Telnet or SSH, where it is important to have confirmation that a connection has been
made to the proper device. The following scheme shows the naming technique that should be adopted:
AAAAA_BBB_CCcc_RACrr_DDdd
where:
AAAAA  company name
BBB    branch name
CCcc   CC is the device location, cc the location index
DDdd   DD is the device type, dd the device identification number
The device type abbreviations used are:
FW  ASA 55xx firewall
CC  Collapsed core switch
AS  Access switch
Headquarters device naming for the collapsed core switches looks as follows:
VISON_HQ_FLGR_RAK_xx_CC01
VISON_HQ_FLGR_RAK_xx_CC02
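A naming scheme is only useful if every device actually follows it, so an inventory audit should parse each hostname against the scheme above. The following Python parser is an added example, not part of the original proposal; it assumes underscore-separated fields, a two-letter location code plus two-character index for CCcc, a two-letter type plus two-digit number for DDdd, and (as the examples above write "RAK_xx") treats everything between the location and device fields as the rack field.

```python
import re
from dataclasses import dataclass

# Device-type codes listed in the naming section of this document.
DEVICE_TYPES = {
    "FW": "ASA 55xx firewall",
    "CC": "Collapsed core switch",
    "AS": "Access switch",
}

# Assumed field formats (the document does not spell them out): CCcc is two
# letters followed by two letters or digits, DDdd is a two-letter type code
# followed by a two-digit identification number.
_LOCATION_RE = re.compile(r"^([A-Z]{2})([A-Z0-9]{2})$")
_DEVICE_RE = re.compile(r"^([A-Z]{2})(\d{2})$")


@dataclass(frozen=True)
class DeviceName:
    company: str         # AAAAA
    branch: str          # BBB
    location: str        # CC, e.g. "FL"
    location_index: str  # cc, e.g. "GR"
    rack: str            # RACrr as written, e.g. "RAK_xx"
    device_type: str     # DD, e.g. "CC"
    device_id: int       # dd, e.g. 1


def parse_device_name(name: str) -> DeviceName:
    """Split a hostname into the fields of AAAAA_BBB_CCcc_RACrr_DDdd.

    Fields are underscore-separated. The document's own examples write the
    rack field as "RAK_xx", so everything between the location field and the
    final device field is taken as the rack (assumption).
    """
    tokens = name.split("_")
    if len(tokens) < 5:
        raise ValueError(f"{name!r}: expected AAAAA_BBB_CCcc_RACrr_DDdd")
    company, branch, location = tokens[:3]
    rack = "_".join(tokens[3:-1])
    device = tokens[-1]
    loc = _LOCATION_RE.match(location)
    if loc is None:
        raise ValueError(f"{name!r}: location field {location!r} is not CCcc")
    dev = _DEVICE_RE.match(device)
    if dev is None:
        raise ValueError(f"{name!r}: device field {device!r} is not DDdd")
    device_type = dev.group(1)
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"{name!r}: unknown device type {device_type!r}")
    return DeviceName(company, branch, loc.group(1), loc.group(2),
                      rack, device_type, int(dev.group(2)))


def audit_names(names):
    """Return {name: reason} for every hostname that violates the scheme.

    A factory default such as "Switch" fails here, which is exactly the
    confusion the text above warns about.
    """
    problems = {}
    for name in names:
        try:
            parse_device_name(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems
```

Names in the later addressing tables, such as VISION2000_FLRGR_CC01, omit the branch and rack fields and are therefore flagged by audit_names(); surfacing that kind of inconsistency is the point of the audit.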
VLAN Benefits
VLANs provide the following advantages:
- Solve the broadcast problem
- Reduce the size of broadcast domains
- Allow us to add an additional layer of security
- Make device management easier
- Allow us to implement the logical grouping of devices by function instead of location
When we connect devices to switch ports, the switch creates a separate collision domain for each port
and a single broadcast domain for all ports. The switch forwards a broadcast frame out of all possible
ports. In a large network with hundreds of computers, this can create performance issues. Of course we
could use routers to solve the broadcast problem, but that would be a costly solution, since each
broadcast domain requires its own router port. Switches have their own solution to the broadcast
issue, known as VLANs. In practical environments we use VLANs to solve the broadcast issue instead
of routers. Each VLAN has a separate broadcast domain. Logically, VLANs are also subnets. Each
VLAN requires a unique network number known as the VLAN ID. Devices with the same VLAN ID are
members of the same broadcast domain and receive all its broadcasts. These broadcasts are filtered
from all ports on a switch that are not members of the same VLAN.
Types of VLAN
Based on a specific function a VLAN performs or the type of network traffic they carry, VLANs are
classified as default, native, data, management, or voice VLANs.
VLAN Membership
VLAN membership can be assigned to a device by one of two methods
1. Static
2. Dynamic
These methods decide how a switch will associate its ports with VLANs.
6.5.1 Static
Assigning VLANs statically is the most common and secure method. It is easy to set up and
supervise. In this method we manually assign a VLAN to each switch port. VLANs configured in this
way are usually known as port-based VLANs.
The static method is also the most secure, because any switch port that we have assigned to a VLAN
keeps this association until we manually change it. It works well in a networking environment where
any user movement within the network needs to be controlled.
6.5.2 Dynamic
In the dynamic method, VLANs are assigned to ports automatically depending on the connected device.
In this method we configure one switch in the network as a server. The server contains device-specific
information such as MAC addresses and IP addresses, which is mapped to VLANs. The switch acting
as the server is known as the VMPS (VLAN Membership Policy Server). Only a high-end switch can
be configured as a VMPS; low-end switches work as clients and retrieve VLAN information from the
VMPS. Dynamic VLANs support plug-and-play mobility.
VLAN Design
Taking the above concepts and the requirements of the design, we have come up with the following
design scheme.
VLAN ID | VLAN Name | VLAN Description
Vlan10  | ICT       | 10
Vlan20  | RESARCH   | 20
Vlan30  |           | 30
IP Addressing
An IP address is designed to allow one network device to communicate with another via the Internet
Protocol. IP addresses allow us to identify a network device in a LAN.
IP stands for Internet Protocol, so an IP address is an Internet Protocol address. The Internet
Protocol is a set of rules that govern Internet activity and facilitate the completion of a variety of
actions on the World Wide Web. Therefore, an Internet Protocol address is part of the systematically
laid out, interconnected grid that governs online communication by identifying both initiating devices
and various Internet destinations, thereby making two-way communication possible. An IP address
consists of four octets, each of which contains one to three digits, with a single dot (.) separating
each number or set of digits. Each of the four numbers can range from 0 to 255. IP addresses can be
assigned to a device either statically or dynamically.
The Vision 2000 center's IP allocation is done based on the hierarchical network addressing principle.
Hierarchical network addressing means that IP network numbers are applied to the network segments
or VLANs in an orderly fashion that takes the network as a whole into consideration. Blocks of
contiguous network addresses are reserved for, and configured on, devices in a specific area of the
network.
Some benefits of hierarchical addressing are:
Minimized errors: Orderly network address assignment can minimize errors and duplicate
address assignments.
o Reduced number of CPU cycles when recalculating a routing table or sorting through
the routing table entries to find a match
o Reduced router memory requirements
o Faster convergence after a change in the network
o Easier troubleshooting
VLAN IP Addressing
Management VLAN
Device                 | IP address    | Subnet mask
VISION2000_FLRGR_CC01  | 192.168.100.2 | 255.255.255.0
VISION2000_FLRGR_CC02  | 192.168.100.3 | 255.255.255.0
VISION2000_FLRGR_SF01  | 192.168.100.3 | 255.255.255.0
VISION2000_FLRGR_DMZ01 | 192.168.100.5 | 255.255.255.0
VISION2000_FLR07_AS01  | 192.168.100.4 | 255.255.255.0
VISION2000_FLR07_AS02  | 192.168.100.5 | 255.255.255.0
VISION2000_FLR07_AS03  | 192.168.100.6 | 255.255.255.0
VISION2000_FLR07_AS04  | 192.168.100.6 | 255.255.255.0
VISION2000_FLR11_AS05  | 192.168.100.7 | 255.255.255.0
VISION2000_FLR11_AS06  | 192.168.100.8 | 255.255.255.0
Subnet           | Local device | Local interface               | Local IP address | Peer device | Peer interface                | Peer IP address
192.168.60.0/30  | CC01         | VISION2000_FLRGR_CC01_Gig0/1  | 192.168.60.1     | EF01        | VISION2000_FLRGR_FW01__Gig0/0 | 192.168.60.2
192.168.60.4/30  | CC02         | VISION2000_FLRGR_CC02_Gig0/1  | 192.168.60.5     | EF01        | VISION2000_FLRGR_FW02__Gig0/0 | 192.168.60.6
192.168.60.16/30 | EF01         | VISION2000_FLRGR_FW01__Gig0/2 | 192.168.60.17    | DMZ01       | VISION2000_FLRGR_DMZ01_Gig0/1 | 192.168.60.18
192.168.65.0/24  | IF01         | VISION2000_FLRGR_FW02__Gig0/2 | 192.168.65.1     | SF01        | VISION2000_FLRGR_SF01_Gig0/1  |
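The duplicate-address risk that hierarchical addressing is meant to minimize can be checked mechanically before the plan reaches the switches. The following Python script is an added example, not part of the original proposal: it loads the management VLAN and link tables above (transcribed as constructed input, device names as given there) and reports addresses assigned to more than one device, /30 links whose two ends are not the subnet's two usable hosts, overlapping link subnets and blank peer addresses.

```python
import ipaddress
from collections import defaultdict

# Management VLAN assignments transcribed from the table above: (device, address, mask).
MGMT_VLAN = [
    ("VISION2000_FLRGR_CC01", "192.168.100.2", "255.255.255.0"),
    ("VISION2000_FLRGR_CC02", "192.168.100.3", "255.255.255.0"),
    ("VISION2000_FLRGR_SF01", "192.168.100.3", "255.255.255.0"),
    ("VISION2000_FLRGR_DMZ01", "192.168.100.5", "255.255.255.0"),
    ("VISION2000_FLR07_AS01", "192.168.100.4", "255.255.255.0"),
    ("VISION2000_FLR07_AS02", "192.168.100.5", "255.255.255.0"),
    ("VISION2000_FLR07_AS03", "192.168.100.6", "255.255.255.0"),
    ("VISION2000_FLR07_AS04", "192.168.100.6", "255.255.255.0"),
    ("VISION2000_FLR11_AS05", "192.168.100.7", "255.255.255.0"),
    ("VISION2000_FLR11_AS06", "192.168.100.8", "255.255.255.0"),
]

# Inter-device links transcribed from the interconnection tables above:
# (subnet, local device, local address, peer device, peer address).
# None marks the peer address that the SF01 row leaves blank.
LINKS = [
    ("192.168.60.0/30", "CC01", "192.168.60.1", "EF01", "192.168.60.2"),
    ("192.168.60.4/30", "CC02", "192.168.60.5", "EF01", "192.168.60.6"),
    ("192.168.60.16/30", "EF01", "192.168.60.17", "DMZ01", "192.168.60.18"),
    ("192.168.65.0/24", "IF01", "192.168.65.1", "SF01", None),
]


def check_mgmt_vlan(entries):
    """Return findings for a management VLAN address table.

    Flags addresses that are the network or broadcast address, devices that
    do not share one management subnet, and addresses assigned twice.
    """
    findings = []
    owners = defaultdict(list)   # address -> devices claiming it
    subnets = set()
    for device, addr, mask in entries:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        net = iface.network
        subnets.add(net)
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{device}: {addr} is the network or broadcast address of {net}")
        owners[iface.ip].append(device)
    if len(subnets) > 1:
        findings.append("management devices span several subnets: "
                        + ", ".join(str(n) for n in sorted(subnets)))
    for ip, devices in sorted(owners.items()):
        if len(devices) > 1:
            findings.append(f"duplicate {ip}: {', '.join(devices)}")
    return findings


def check_links(links):
    """Return findings for point-to-point and server-farm links.

    A /30 must use exactly its two usable hosts; on larger subnets both ends
    must be usable hosts of that subnet; link subnets must not overlap.
    """
    findings = []
    seen = []
    for subnet, local_dev, local_ip, peer_dev, peer_ip in links:
        net = ipaddress.ip_network(subnet)
        for other in seen:
            if net.overlaps(other):
                findings.append(f"{subnet} overlaps {other}")
        seen.append(net)
        if peer_ip is None:
            findings.append(f"{subnet}: peer address for {peer_dev} is missing")
            continue
        ends = [(local_dev, ipaddress.ip_address(local_ip)),
                (peer_dev, ipaddress.ip_address(peer_ip))]
        if net.prefixlen == 30:
            usable = sorted(net.hosts())
            if sorted(ip for _, ip in ends) != usable:
                findings.append(f"{subnet}: {local_dev}/{peer_dev} must use the two usable hosts "
                                + " and ".join(str(h) for h in usable))
            continue
        for dev, ip in ends:
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                findings.append(f"{subnet}: {dev} address {ip} is not a usable host")
        if ends[0][1] == ends[1][1]:
            findings.append(f"{subnet}: both ends use {local_ip}")
    return findings


def audit_plan(mgmt=MGMT_VLAN, links=LINKS):
    """Run both checks and return all findings in one list."""
    return check_mgmt_vlan(mgmt) + check_links(links)


if __name__ == "__main__":
    for finding in audit_plan():
        print(finding)
```

Run against the tables as transcribed, it reports three management addresses each assigned to two devices (192.168.100.3, .5 and .6) and the blank SF01 peer address, which is the kind of error the hierarchical plan is meant to prevent.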
Hardware Overview
Cisco Catalyst 2960 Series Switches
The Cisco Catalyst 2960 Series Switch is one of the leading Layer 2 edge switches, providing improved
ease of use, highly secure business operations, improved sustainability, and a borderless network
experience. The Cisco Catalyst 2960 Series Switch is a fixed-configuration access switch designed for
branch office networks to provide a lower total cost of ownership.
The Cisco Catalyst 3850 Series is the next generation of enterprise-class stackable Ethernet and
Multigigabit Ethernet access and aggregation layer switches that provide full convergence between
wired and wireless on a single platform. The Cisco Catalyst 3850 Series Switches support full IEEE
802.3at Power over Ethernet Plus (PoE+), Cisco Universal Power over Ethernet (Cisco UPOE),
modular and field-replaceable network modules, RJ45 and fiber-based downlink interfaces, and
redundant fans and power supplies. With speeds that reach 10 Gbps, the Cisco Catalyst 3850
Multigigabit Ethernet Switches support current and next-generation wireless speeds and standards on
existing cabling infrastructure.
[Figure: WS-C3850-24T-S switch front panel. 24 10/100/1000 Ethernet ports, 2 dual-purpose ports, 350W AC power supply, 1 RU, IP Base feature set.]
The Cisco Catalyst 3560 v2 Series are next-generation, energy-efficient, Layer 3 Fast Ethernet
switches. These new switches support Cisco EnergyWise technology, which helps companies
manage power consumption of the network infrastructure and network-attached devices,
thereby reducing their energy costs and their carbon footprint.
The new switches consume less power than their predecessors and are ideal access layer
switches for enterprise, retail, and branch-office environments. They help you maximize
productivity and provide investment protection by enabling a unified network for data, voice,
and video.
[Figure: Cisco Catalyst 3560 v2 switch front panel.]
The Cisco Catalyst 3650 Series is the next generation of enterprise-class standalone and
stackable access-layer switches that provide the foundation for full convergence between
wired and wireless on a single platform.
[Figure: WS-C3650-24TS-E switch front panel. 24 10/100/1000 Ethernet ports, 4x1G uplink ports, 1 RU, IP Services feature set.]
Cisco ASA with FirePOWER Services brings distinctive threat-focused next-generation security
services. It provides comprehensive protection from known and advanced threats, including
protection against targeted and persistent malware attacks. Cisco ASA is the world’s most widely
deployed, enterprise-class firewall.
Some features and benefits of Cisco ASA with FirePOWER Services:
- Advanced malware protection
- Application control and URL filtering
- Remote access VPN
- Site-to-site VPN
- Enterprise-class management
[Figure: Cisco ASA 5525-X Adaptive Security Appliance front and rear panels. 1 console port, 2 8 GE (Gigabit interfaces), management port, USB, AUX, reset and status LEDs (Boot, Alarm, Active, VPN, PS, HD).]
In the hardware physical connectivity diagrams, the name Gig 3/2 stands for:
- Gig: the interface is a Gigabit Ethernet interface
- 3: the interface slot number
- 2: the interface port number
[Figure: physical connectivity between the collapsed core switches CC01 and CC02 (Catalyst 3850 24 PoE+ with C3850-NM-2-10G network modules), the external firewall EF01, the server farm switch SF01 and the access switches, labelled with the connecting ports (Gig1/1/1 to Gig1/1/6, Gig1/1/21, Gig1/1/22, Gig1/0/24, Gi0/1, Gi0/3, EF01 G0/2).]
Often there are many network administrators working at different times of the day. Having only a few switches that are able to hold and change the VLAN database makes it easier to control VLAN changes and to track which administrator performed them.
For large networks, having client switches is also more cost-effective. By default, all Catalyst switches are VTP servers. This is suitable for small networks in which the VLAN database is small and is easily stored in NVRAM on every switch. In a network of many hundreds of switches, the network administrator must decide whether the cost of purchasing switches with enough NVRAM to hold a duplicate of the VLAN database on every switch is too high. A cost-conscious administrator can configure a few well-equipped switches as VTP servers and use switches with less memory as VTP clients.
Transparent Mode:
Switches configured in transparent mode forward VTP advertisements that they receive on
trunk ports to other switches in the network. VTP transparent mode switches do not advertise
their VLAN configuration and do not synchronize their VLAN configuration with any other
switch. Configure a switch in VTP transparent mode when you have VLAN configurations that
have local significance and should not be shared with the rest of the network.
In transparent mode, VLAN configurations are saved in NVRAM (but not advertised to other
switches), so the configuration is available after a switch reload. This means that when a VTP
transparent mode switch reboots, it does not revert to a default VTP server mode, but remains
in VTP transparent mode.
VTP Pruning
VTP pruning prevents unnecessary flooding of broadcast, multicast and unknown-unicast traffic of one VLAN across every trunk in a VTP domain. With pruning, switches negotiate which VLANs are actually in use at the other end of a trunk, and traffic for VLANs that have no active ports on the remote switch is not sent over that trunk. Pruning is disabled by default and is enabled with the vtp pruning global configuration command. It needs to be enabled on only one VTP server in the domain; the setting is propagated to the rest of the domain.
VTP configuration
Before adding a VTP client or server to a VTP domain, always verify that its VTP configuration revision number is lower than the revision number of the switches already in the domain. VTP adopts the VLAN database that carries the highest revision number, and a VTP client propagates a higher revision just as a server does, so a reused switch that still carries the domain name and a high revision can wipe the VLANs of the whole domain the moment its trunk comes up. Setting the switch to transparent mode and back to client, or giving it a different domain name and then the correct one, resets its revision to zero. A VTP domain password on every switch additionally stops a switch that does not know the password from updating the domain.
On the VTP Server
o Confirm default settings
o Configure 2 switches as VTP servers
o Configure the VTP domain on the first switch in the network
o Ensure all switches are in the same VTP protocol version mode
o Configure VLANs and trunk ports
On the VTP Client
o Confirm default settings
o Configure VTP client mode
o Configure trunks
o Connect to VTP server
o Verify VTP status
o Configure access ports
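The following Python script is an added example and is not part of the Vision 2000 proposal. It automates the pre-insertion check described above by comparing the show vtp status output of the existing domain server with that of the switch about to be connected. The two outputs embedded in the script are constructed samples in the shape of the IOS command output, not captures from any Vision 2000 device; the field names are the ones IOS prints.

```python
import re

# Constructed samples shaped like Cisco IOS "show vtp status" output (not captured
# from any Vision 2000 device): the domain's current server and a reused switch
# about to be trunked into the domain as a client.
DOMAIN_SERVER_STATUS = """\
VTP Version                     : running VTP2
Configuration Revision          : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : VISION2000
VTP Pruning Mode                : Enabled
"""

CANDIDATE_STATUS = """\
VTP Version                     : running VTP2
Configuration Revision          : 37
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : VISION2000
VTP Pruning Mode                : Disabled
"""

FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_vtp_status(text):
    """Turn the 'Key : value' lines of show vtp status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def vtp_insertion_findings(domain_text, candidate_text):
    """Reasons why the candidate must not be trunked into the domain as it is.

    VTP adopts the VLAN database that carries the highest revision number, and a
    client propagates a higher revision exactly like a server does, so the checks
    are: same domain name, candidate revision strictly below the domain's, and the
    candidate not being an unplanned second server. An empty list means it is safe.
    Remedy for a high revision: change the candidate's mode to transparent and back
    to client, or set a bogus domain name and then the real one; both reset it to 0.
    """
    domain = parse_vtp_status(domain_text)
    cand = parse_vtp_status(candidate_text)
    findings = []
    same_domain = cand["VTP Domain Name"] == domain["VTP Domain Name"]
    if cand["VTP Domain Name"] and not same_domain:
        findings.append("domain name %r differs from %r: the switch will not synchronise"
                        % (cand["VTP Domain Name"], domain["VTP Domain Name"]))
    if same_domain and int(cand["Configuration Revision"]) >= int(domain["Configuration Revision"]):
        findings.append("revision %s is not below the domain's %s: its %s VLANs would overwrite the domain's %s"
                        % (cand["Configuration Revision"], domain["Configuration Revision"],
                           cand["Number of existing VLANs"], domain["Number of existing VLANs"]))
    if cand["VTP Operating Mode"] == "Server":
        findings.append("switch is a VTP server; set it to client (or transparent) first")
    return findings


if __name__ == "__main__":
    for finding in vtp_insertion_findings(DOMAIN_SERVER_STATUS, CANDIDATE_STATUS) or ["safe to connect"]:
        print(finding)
```

Run against the embedded samples the script reports that the candidate, although a client, carries revision 37 against the domain's 12 and would replace the nine production VLANs with its own five; after the revision is reset to 0 it reports nothing.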
VLAN configuration
VISION2000_FLRGR_CC01(config)# vlan 5
VISION2000_FLRGR_CC01(config-vlan)# name ICT
VISION2000_FLRGR_CC01(config-vlan)# vlan 10
VISION2000_FLRGR_CC01(config-vlan)# name RMPT
VISION2000_FLRGR_CC01(config-vlan)# vlan 15
VISION2000_FLRGR_CC01(config-vlan)# name CC
VISION2000_FLRGR_CC01(config-vlan)# vlan 20
VISION2000_FLRGR_CC01(config-vlan)# name FINANCE_AND_HR
VISION2000_FLRGR_CC01(config-vlan)# vlan 99
VISION2000_FLRGR_CC01(config-vlan)# name NATIVE
the default gateway for any hosts that are connected to the interface or VLAN. The hosts use the Layer 3 interface to communicate outside their local broadcast domain. There is a one-to-one mapping between a VLAN and its SVI; only a single SVI can be mapped to a VLAN. The first-hop redundancy protocol configured on the collapsed core switches (HSRP in the configuration that follows; VRRP and GLBP are discussed as alternatives) also uses a virtual IP address on each SVI, so every user VLAN needs a physical SVI address on each core switch plus one shared virtual gateway address.
A switch VLAN interface is configured for the following reasons:
To provide a default gateway for a VLAN so that traffic can be routed between VLANs
To provide Layer 3 IP connectivity to the switch
To support routing protocol and bridging configurations
In the Vision 2000 network design, an IP address is assigned to each VLAN SVI to route traffic on and off the local VLANs. The following tables show the IP plan for the SVI and virtual gateway addresses.
For Fast Ethernet and 10/100/1000 ports, the default speed and duplex setting is auto. For 100BASE-FX ports, the default is full duplex. The 10/100/1000 ports operate in either half- or full-duplex mode when set to 10 or 100 Mb/s, but at 1000 Mb/s they operate only in full-duplex mode.
The duplex mode and speed of switch ports can be set manually to avoid inter-vendor problems with auto-negotiation. When auto-negotiation fails, the Catalyst switch senses the speed but falls back to half duplex on the port; this happens when the attached device does not support auto-negotiation or has been set to a fixed speed and duplex. A duplex mismatch of this kind shows up as late collisions and CRC errors on the link and is a common cause of poor throughput.
Depending on the performance requirements of the network, a choice of port speed is also needed between Fast Ethernet and Gigabit Ethernet switch ports. Fast Ethernet allows up to 100 Mb/s of traffic per switch port. It is adequate for IP telephony and data traffic on most business networks, but it is slower than Gigabit Ethernet, which allows up to 1000 Mb/s per switch port.
Ports are assigned VLAN membership according to the VLANs planned for their distribution. This configuration covers only the access switches, since they are in VTP client mode and only receive the VLAN database; the port assignment itself is done on each switch.
Port speed
Port speed is configured as either auto or a fixed value of 10, 100 or 1000 Mb/s. In the Vision 2000 network, all switch ports are configured as auto, so the default speed is used and interoperability between devices is preserved.
Trunk
A trunk is a point-to-point link between two network devices that carries more than one VLAN. A trunk allows VLANs to be extended across the entire network. A VLAN trunk does not belong to a specific VLAN; rather it is a conduit for VLANs between switches and routers.
On an ISL trunk port, all received frames are expected to carry an ISL header, and all transmitted frames are sent with an ISL header. Native (untagged) frames received on an ISL trunk port are dropped. ISL is no longer a recommended trunk encapsulation and is not supported on a number of Cisco switches; the Vision 2000 design uses IEEE 802.1Q.
DTP
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.
DTP manages trunk negotiation only if the port on the other switch is configured in a trunking mode that supports DTP. DTP supports both ISL and 802.1Q trunks.
DTP is also a security concern: a port left in dynamic auto or dynamic desirable mode negotiates a trunk with any device that sends DTP frames, which lets an attacker's host become a trunk and reach every VLAN (switch spoofing). Ports that face end users must therefore be set to access mode with DTP disabled (switchport nonegotiate), and trunks should be configured statically, as is done in the trunk configuration below.
Trunking Modes
A switch port on a Cisco switch supports a number of trunking modes. The trunking mode defines how the port negotiates, using DTP, to set up a trunk link with its peer port.
Trunk (on)
The switch port periodically sends DTP frames, called advertisements, to the remote port. The command used is switchport mode trunk. The local switch port advertises to the remote port that it is unconditionally changing to the trunking state. The local port then changes to the trunking state regardless of what DTP information the remote port sends in response. The local port is considered to be in an unconditional (always on) trunking state. Adding switchport nonegotiate stops the DTP advertisements altogether, which is required when the peer is a non-Cisco device and is good practice on every static trunk.
Dynamic auto
The switch port periodically sends DTP frames to the remote port. The command used is switchport mode dynamic auto. The local switch port advertises to the remote switch port that it is able to trunk but does not request to go to the trunking state. After DTP negotiation, the local port ends up in the trunking state only if the remote port has been configured as trunk (on) or dynamic desirable. If both ports are set to dynamic auto, they do not negotiate a trunk; they remain in access (non-trunk) mode. Dynamic auto is the default on current Catalyst access-layer switches, which is why unused and user-facing ports must be explicitly set to access mode.
Dynamic desirable
DTP frames are sent periodically to the remote port. The command used is switchport mode dynamic desirable. The local switch port advertises to the remote switch port that it is able to trunk and asks the remote switch port to go to the trunking state. If the local port detects that the remote port is configured as trunk (on), dynamic desirable or dynamic auto, the local port ends up in the trunking state. If the remote switch port is in nonegotiate (or access) mode, the local switch port remains a non-trunking port.
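The following Python model is an added example and is not part of the Vision 2000 proposal. It builds Ethernet frames with stacked 802.1Q tags and models three port behaviours of a Catalyst switch in their default form: an access port receiving, a trunk port sending (native VLAN leaves untagged) and a trunk port receiving. Running an attacker's double-tagged frame through them shows why the design above puts the native VLAN on an otherwise unused VLAN (99) and disables DTP. The MAC addresses and payload are constructed.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q tag protocol identifier


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet II frame with the 802.1Q tags in `vids` stacked outermost-first."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)  # PCP and DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into (dst, src, [vids outermost-first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def access_port_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan; a frame tagged with access_vlan
    has that one tag removed; a frame tagged with any other VLAN is dropped (None)."""
    dst, src, vids, et, pl = parse_frame(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        vids = vids[1:]          # only the outer tag is looked at; inner tags stay as payload
    return access_vlan, build_frame(dst, src, vids, et, pl)


def trunk_port_egress(vlan, frame, native_vlan):
    """Trunk egress: push the VLAN tag, except that the native VLAN leaves untagged
    (default Catalyst behaviour unless 'vlan dot1q tag native' is configured)."""
    dst, src, vids, et, pl = parse_frame(frame)
    if vlan != native_vlan:
        vids = [vlan] + vids
    return build_frame(dst, src, vids, et, pl)


def trunk_port_ingress(frame, native_vlan):
    """Trunk ingress on the far switch: the outer tag selects the VLAN, untagged = native."""
    dst, src, vids, et, pl = parse_frame(frame)
    if vids:
        return vids[0], build_frame(dst, src, vids[1:], et, pl)
    return native_vlan, frame


def double_tag_delivery(attacker_vlan, native_vlan, target_vlan):
    """VLAN in which the far switch delivers an attacker's double-tagged frame
    (outer tag = the attacker's own access VLAN, inner tag = the target VLAN),
    or None if the first switch drops it."""
    attacker_mac = bytes.fromhex("0200000000aa")   # constructed, locally administered
    broadcast = bytes.fromhex("ffffffffffff")
    payload = b"\x45" + b"\x00" * 19               # constructed IPv4-looking stub
    frame = build_frame(broadcast, attacker_mac, [attacker_vlan, target_vlan], 0x0800, payload)
    hop = access_port_ingress(frame, attacker_vlan)
    if hop is None:
        return None
    vlan, frame = hop
    frame = trunk_port_egress(vlan, frame, native_vlan)   # tag dropped if vlan == native
    vlan, _ = trunk_port_ingress(frame, native_vlan)      # inner tag now decides
    return vlan
```

double_tag_delivery(1, 1, 20) returns 20: the attacker sits in the native VLAN, the first switch strips the outer tag and sends the frame untagged, and the far switch reads the surviving inner tag. With the proposal's layout (native VLAN 99, attacker on VLAN 10) the call double_tag_delivery(10, 99, 20) returns 10, the attacker's own VLAN, because the trunk re-tags the frame with VLAN 10 on the way out.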
Trunk configuration
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)# interface gigabitethernet 1/1
VISION2000_FLRGR_CC01(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01(config-if)# switchport mode trunk
VISION2000_FLRGR_CC01(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC01(config-if)# switchport trunk allowed vlan 5,100
VISION2000_FLRGR_CC01(config-if)# end
VISION2000_FLRGR_CC01#wr
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)# interface gigabitethernet 1/2
VISION2000_FLRGR_CC01(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01(config-if)# switchport mode trunk
VISION2000_FLRGR_CC01(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC01(config-if)# switchport trunk allowed vlan 10,100
VISION2000_FLRGR_CC01(config-if)# end
VISION2000_FLRGR_CC01#wr
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)# interface gigabitethernet 1/3
VISION2000_FLRGR_CC01(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01(config-if)# switchport mode trunk
VISION2000_FLRGR_CC01(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC01(config-if)# switchport trunk allowed vlan 10,100
VISION2000_FLRGR_CC01(config-if)# end
VISION2000_FLRGR_CC01#wr
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)# interface gigabitethernet 1/4
VISION2000_FLRGR_CC01(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)# interface gigabitethernet 1/6
VISION2000_FLRGR_CC01(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01(config-if)# switchport mode trunk
VISION2000_FLRGR_CC01(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC01(config-if)# switchport trunk allowed vlan 20,100
VISION2000_FLRGR_CC01(config-if)# end
VISION2000_FLRGR_CC01#wr
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)# interface gigabitethernet 1/2
VISION2000_FLRGR_CC02(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02(config-if)# switchport mode trunk
VISION2000_FLRGR_CC02(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC02(config-if)# switchport trunk allowed vlan 10,100
VISION2000_FLRGR_CC02(config-if)# end
VISION2000_FLRGR_CC02#wr
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)# interface gigabitethernet 1/3
VISION2000_FLRGR_CC02(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02(config-if)# switchport mode trunk
VISION2000_FLRGR_CC02(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC02(config-if)# switchport trunk allowed vlan 10,100
VISION2000_FLRGR_CC02(config-if)# end
VISION2000_FLRGR_CC02#wr
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)# interface gigabitethernet 1/4
VISION2000_FLRGR_CC02(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02(config-if)# switchport mode trunk
VISION2000_FLRGR_CC02(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC02(config-if)# switchport trunk allowed vlan 10,100
VISION2000_FLRGR_CC02(config-if)# end
VISION2000_FLRGR_CC02#wr
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)# interface gigabitethernet 1/5
VISION2000_FLRGR_CC02(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02(config-if)# switchport mode trunk
VISION2000_FLRGR_CC02(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC02(config-if)# switchport trunk allowed vlan 15,100
VISION2000_FLRGR_CC02(config-if)# end
VISION2000_FLRGR_CC02#wr
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)# interface gigabitethernet 1/6
VISION2000_FLRGR_CC02(config-if)# switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02(config-if)# switchport mode trunk
VISION2000_FLRGR_CC02(config-if)# switchport nonegotiate
VISION2000_FLRGR_CC02(config-if)# switchport trunk allowed vlan 20,100
VISION2000_FLR07_AS01#configure terminal
VISION2000_FLR07_AS01(config)# interface range gigabitethernet 1/1 - 2
VISION2000_FLR07_AS01(config-if-range)# switchport trunk encapsulation dot1q
VISION2000_FLR07_AS01(config-if-range)# switchport mode trunk
VISION2000_FLR07_AS01(config-if-range)# switchport nonegotiate
VISION2000_FLR07_AS01(config-if-range)# switchport trunk allowed vlan 5,100
VISION2000_FLR07_AS01(config-if-range)# end
VISION2000_FLR07_AS01#wr
Interface descriptions
VISION2000_FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02(config)#interface gig1/23
VISION2000_FLRGR_CC02(config-if)#description link_CC02_TO_CC01
VISION2000_FLRGR_CC02(config-if)#interface gig1/24
VISION2000_FLRGR_CC02(config-if)#description link_CC02_TO_CC01
VISION2000_FLRGR_CC02(config-if)#interface gig1/22
VISION2000_FLRGR_CC02(config-if)#description link_CC02_TO_EF01
VISION2000_FLRGR_CC02(config-if)#interface gig1/21
VISION2000_FLRGR_CC02(config-if)#description link_CC02_TO_IF01
VISION2000_FLRGR_EF01#configure terminal
VISION2000_FLRGR_EF01(config)#interface gig0/0
VISION2000_FLRGR_EF01(config-if)#description link_EF01_TO_ISP
VISION2000_FLRGR_EF01(config-if)#interface gig0/1
VISION2000_FLRGR_EF01(config-if)#description link_EF01_TO_CC01
VISION2000_FLRGR_EF01(config-if)#interface gig0/2
VISION2000_FLRGR_EF01(config-if)#description link_EF01_TO_CC02
VISION2000_FLRGR_EF01(config-if)#interface gig0/3
VISION2000_FLRGR_EF01(config-if)#description link_EF01_TO_DMZ01
VISION2000_FLRGR_IF01#configure terminal
VISION2000_FLRGR_IF01(config)#interface gig0/1
VISION2000_FLRGR_IF01(config-if)#description link_IF01_TO_CC01
VISION2000_FLRGR_IF01(config-if)#interface gig0/2
VISION2000_FLRGR_IF01(config-if)#description link_IF01_TO_CC02
VISION2000_FLRGR_IF01(config-if)#interface gig0/3
VISION2000_FLRGR_IF01(config-if)#description link_IF01_TO_SF01
single logical link. EtherChannel is a technology that was originally developed by Cisco as a LAN
switch-to-switch technique of inverse multiplexing of multiple Fast or Gigabit Ethernet switch ports
into one logical channel. With EtherChannel, the single logical link’s speed is equal to the aggregate
of the speeds of all the physical links used. For example, if you were to create an EtherChannel out of
four 100 Mbps Ethernet links, the EtherChannel would have a speed of 400 Mbps. EtherChannel has
developed into a cross-platform method of load balancing between servers, switches, and routers.
EtherChannel protocols
EtherChannel can negotiate with the device on the other side of the link. Two negotiation protocols are supported on Cisco devices. The first is the Link Aggregation Control Protocol (LACP), defined in IEEE 802.3ad (now IEEE 802.1AX). LACP is the standards-based choice and is required when connecting to non-Cisco devices such as servers. The other protocol is the Port Aggregation Protocol (PAgP). Since PAgP is Cisco proprietary, it can only be used between two Cisco devices. The following table shows the modes available when configuring EtherChannel and their meaning. A channel forms only if at least one side actively negotiates (desirable or active); two passive sides (auto with auto, or passive with passive) never bring the channel up.
Mode        Protocol   Description
auto        PAgP       Passive negotiating state: responds to PAgP packets but does not initiate negotiation.
desirable   PAgP       Active negotiating state: sends PAgP packets to start negotiation.
passive     LACP       Passive negotiating state: responds to LACP packets but does not initiate negotiation.
active      LACP       Active negotiating state: sends LACP packets to start negotiation.
on          none       Forces the channel up with no negotiation; both ends must be set to on.
EtherChannel configuration
Collapsed Core 1 switch configuration
VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01(config)#interface range gigabitethernet 0/23-24
VISION2000_FLRGR_CC01(config-if-range)#channel-protocol pagp
VISION2000_FLRGR_CC01(config-if-range)#channel-group 1 mode desirable
VISION2000_FLRGR_CC01(config-if-range)#exit
wire; a point-to-point connection cannot reside in this environment. As a result, RSTP cannot achieve fast convergence on a half-duplex (shared) link.
STP and RSTP also differ in port roles. RSTP has alternate and backup port roles, which do not exist in 802.1D STP. Ports that connect to end stations and do not participate in the spanning tree are known as edge ports. Edge ports can be statically configured or are recognized through the PortFast parameter. An edge port immediately becomes a non-edge port if a bridge protocol data unit (BPDU) is received on it; in a secured design, edge ports are additionally protected with BPDU guard so that a port receiving a BPDU is error-disabled instead of being admitted into the topology by a rogue switch. Non-edge ports participate in the spanning tree algorithm; hence only non-edge ports generate topology changes (TCs) on the network, and only when transitioning to the forwarding state. TCs are not generated for any other RSTP state. In legacy STP, TCNs were generated for any active port that was not configured for PortFast. RSTP speeds the recalculation of the spanning tree when the Layer 2 topology changes. It is an IEEE standard that redefines STP port roles, states and BPDUs. RSTP is proactive and therefore does not need the 802.1D delay timers. RSTP (802.1w) supersedes 802.1D while remaining backward compatible. Much of the 802.1D terminology remains, and most parameters are unchanged. In addition, an 802.1w port reverts to 802.1D behaviour to interoperate with a legacy switch, on a per-port basis.
RSTP bridge port roles:
Root port: the forwarding port that is closest to the root bridge in terms of path cost
Designated port: the forwarding port for each LAN segment
Alternate port: the best alternate path to the root bridge, different from the root port. The alternate port moves to the forwarding state if the root port fails.
Backup port: a backup (redundant) path to a segment to which another port of the same bridge already connects. The backup port applies only when a single switch has two links to the same segment (collision domain), which requires the switch to be attached to a hub.
Disabled port: not strictly part of STP; a port that a network administrator has manually shut down.
instances. This architecture provides multiple forwarding paths for data traffic and enables load
balancing. Network fault tolerance is improved because a failure in one instance (forwarding path)
does not affect other instances.
In large networks, you can more easily administer the network and use redundant paths by locating
different VLAN and spanning tree instance assignments in different parts of the network. A spanning
tree instance can exist only on bridges that have compatible VLAN instance assignments. You must
configure a set of bridges with the same MST configuration information, which allows them to
participate in a specific set of spanning tree instances.
For the Vision 2000 network, we select Rapid PVST+.
Rapid PVST+ configuration
Collapsed core switch CC01: primary root for VLAN 5, 10 and 15; secondary root for VLAN 20 and 100
Collapsed core switch CC02: primary root for VLAN 20 and 100; secondary root for VLAN 5, 10 and 15
The spanning tree root for a VLAN should be the same switch that is the active HSRP gateway for that VLAN, otherwise the VLAN's traffic crosses the inter-core link to reach its gateway. The HSRP configuration below makes CC01 active for VLAN 20 while CC02 is the root for VLAN 20; one of the two should be changed so that they agree.
HSRP
HSRP works by configuring two or more routers (here the two collapsed core switches) to act as one default gateway as members of an HSRP group. One router is active and one is standby; if the active router fails, the standby takes over the virtual IP address and the virtual MAC address. All routers in the same HSRP group (the default group is 0) send HSRP packets to the multicast address 224.0.0.2 on UDP port 1985 (HSRP version 1; version 2 uses 224.0.0.102). All HSRP packets have a time-to-live (TTL) of 1, so they do not leave the local Ethernet segment.
HSRP version 1 packets carry only an 8-byte plaintext authentication string, which defaults to "cisco". Any host on the VLAN can therefore send HSRP packets with priority 255 and take over as the gateway for the whole VLAN unless HSRP MD5 authentication is configured on every member of the group.
VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, originally defined in RFC 2338 (the current specification is RFC 5798). VRRP is very similar to HSRP. VRRP provides one redundant gateway address from a group of routers. The active router is called the master router; all others are in the backup state. The master is the router with the highest priority in the VRRP group. VRRP sends its advertisements to the multicast destination address 224.0.0.18 using IP protocol number 112.
GLBP
The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts
configured with a single default gateway on an IEEE 802.3 LAN. Multiple first hop routers on the
LAN combine to offer a single virtual first hop IP router while sharing the IP packet forwarding load.
Other routers on the LAN may act as redundant GLBP routers that will become active if any of the
existing forwarding routers fail.
GLBP performs a similar, but not identical, function for the user as the HSRP and the VRRP. HSRP
and VRRP protocols allow multiple routers to participate in a virtual router group configured with a
virtual IP address. One member is elected to be the active router to forward packets sent to the virtual
IP address for the group. The other routers in the group are redundant until the active router fails.
These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual
router groups can be configured for the same set of routers, the hosts must be configured for different
default gateways, which results in an extra administrative burden. GLBP provides load balancing over
multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses.
Each host is configured with the same virtual IP address, and all routers in the virtual router group
participate in forwarding packets. GLBP members communicate between each other through hello
messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP)
port 3222 (source and destination).
HSRP configuration
VISION2000_FLRGR_CC01(config)#interface vlan 10
VISION2000_FLRGR_CC01(config-if)# standby 1 priority 200
VISION2000_FLRGR_CC01(config-if)# standby 1 ip 192.168.10.1
VISION2000_FLRGR_CC01(config-if)# standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC01(config-if)# exit
VISION2000_FLRGR_CC01(config)#interface vlan 15
VISION2000_FLRGR_CC01(config-if)# standby 1 priority 200
VISION2000_FLRGR_CC01(config-if)# standby 1 ip 192.168.15.1
VISION2000_FLRGR_CC01(config-if)# standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC01(config-if)# exit
VISION2000_FLRGR_CC01(config)#interface vlan 20
VISION2000_FLRGR_CC01(config-if)# standby 1 priority 200
VISION2000_FLRGR_CC01(config-if)# standby 1 ip 192.168.20.1
VISION2000_FLRGR_CC01(config-if)# standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC01(config-if)# exit
VISION2000_FLRGR_CC02(config)#interface vlan 10
VISION2000_FLRGR_CC02(config-if)#standby 1 priority 100
VISION2000_FLRGR_CC02(config-if)#standby 1 ip 192.168.10.1
VISION2000_FLRGR_CC02(config-if)#standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC02(config-if)#exit
VISION2000_FLRGR_CC02(config)#interface vlan 15
VISION2000_FLRGR_CC02(config-if)#standby 1 priority 100
VISION2000_FLRGR_CC02(config-if)#standby 1 ip 192.168.15.1
VISION2000_FLRGR_CC02(config-if)#standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC02(config-if)#exit
VISION2000_FLRGR_CC02(config)#interface vlan 20
VISION2000_FLRGR_CC02(config-if)#standby 1 priority 100
VISION2000_FLRGR_CC02(config-if)#standby 1 ip 192.168.20.1
VISION2000_FLRGR_CC02(config-if)#standby 1 preempt delay minimum 30
VISION2000_FLRGR_CC02(config-if)#exit
Each SVI also needs its own physical IP address from the reserved range of its VLAN (see the DHCP tables), and the configuration above still uses the default plaintext authentication string; MD5 authentication should be added to every group before the design goes into production.
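The following Python script is an added example and is not part of the Vision 2000 proposal. It serialises and decodes HSRP version 1 packets (RFC 2281: 20 bytes in UDP 1985 to 224.0.0.2) and audits a constructed VLAN 10 capture against the priorities configured above (CC01 = 200, CC02 = 100, virtual address 192.168.10.1). The physical gateway addresses 192.168.10.2 and 192.168.10.3 and the rogue host 192.168.10.77 are assumptions; the proposal does not give the SVI addresses.

```python
import struct
from collections import namedtuple

# HSRP version 1 header (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte plaintext auth, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
Hsrp = namedtuple("Hsrp", "opcode state hellotime holdtime priority group auth vip")


def build_hsrp(opcode, state, priority, group, vip, auth=b"cisco", hellotime=3, holdtime=10):
    """Serialise an HSRPv1 packet; auth is the 8-byte plaintext field (default 'cisco')."""
    return HSRP_V1.pack(0, opcode, state, hellotime, holdtime, priority, group, 0,
                        auth.ljust(8, b"\0"), bytes(int(o) for o in vip.split(".")))


def parse_hsrp(payload):
    """Decode the UDP payload of an HSRPv1 packet into its fields."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("short HSRP packet")
    version, op, st, ht, hd, prio, group, _reserved, auth, vip = HSRP_V1.unpack_from(payload)
    if version != 0:
        raise ValueError("not an HSRPv1 packet")
    return Hsrp(OPCODES.get(op, op), STATES.get(st, st), ht, hd, prio, group,
                auth.rstrip(b"\0"), ".".join(str(b) for b in vip))


def audit_hsrp(packets, expected):
    """Flag HSRP traffic that contradicts the intended design.

    packets:  iterable of (source_ip, udp_payload) seen on the VLAN.
    expected: {source_ip: configured_priority} for the legitimate gateways.
    Findings: packets from hosts that are not configured gateways, gateways whose
    advertised priority drifted from the configuration, and use of the default
    plaintext authentication string (which a rogue host can simply copy).
    """
    findings, default_auth_users = [], []
    for src, payload in packets:
        h = parse_hsrp(payload)
        if src not in expected:
            findings.append(f"{src}: {h.opcode} for group {h.group} with priority {h.priority} "
                            f"from a host that is not a configured gateway")
        elif h.priority != expected[src]:
            findings.append(f"{src}: advertises priority {h.priority}, configured {expected[src]}")
        if h.auth == b"cisco" and src not in default_auth_users:
            default_auth_users.append(src)
    if default_auth_users:
        findings.append("default plaintext authentication 'cisco' in use by: " + ", ".join(default_auth_users))
    return findings


def vlan10_sample_findings():
    """Constructed VLAN 10 capture: the two cores' hellos plus a rogue coup."""
    expected = {"192.168.10.2": 200, "192.168.10.3": 100}    # assumed SVI addresses
    packets = [
        ("192.168.10.2", build_hsrp(0, 16, 200, 1, "192.168.10.1")),   # CC01, active hello
        ("192.168.10.3", build_hsrp(0, 8, 100, 1, "192.168.10.1")),    # CC02, standby hello
        ("192.168.10.77", build_hsrp(1, 4, 255, 1, "192.168.10.1")),   # rogue coup, default auth
    ]
    return audit_hsrp(packets, expected)


if __name__ == "__main__":
    for finding in vlan10_sample_findings():
        print(finding)
```

The rogue coup passes the authentication check because it carries the same default string as the two cores, which is the point of the last finding: without MD5 authentication on the group, the only thing a receiving switch can use to reject the takeover is the list of addresses it expects to hear from, and HSRP itself does not keep such a list.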
In the VISION 2000 network infrastructure a DHCP server for end-user computers is needed in order to benefit from the points mentioned above. Using multiple DHCP servers gives more fault tolerance and redundancy than a single DHCP server, so the two collapsed core switches CC01 and CC02 will both be configured as DHCP servers. The following diagram shows the exchange between client computers and the DHCP server in the VISION2000 LAN.
In order to keep fault tolerance and to avoid IP address conflicts, each subnet is divided into two IP scopes, one per collapsed core switch (a 50/50 split). The following tables show how the DHCP IP pools are configured in the VISION2000 network.
VISION2000_FLRGR_CC01
VLAN ID   IP Pool        Subnet mask      Assignable addresses             Reserved (excluded)
5         192.168.5.0    255.255.255.0    192.168.5.16 - 192.168.5.127     192.168.5.1 - 192.168.5.15
10        192.168.10.0   255.255.255.0    192.168.10.16 - 192.168.10.127   192.168.10.1 - 192.168.10.15
15        192.168.15.0   255.255.255.0    192.168.15.16 - 192.168.15.127   192.168.15.1 - 192.168.15.15
20        192.168.20.0   255.255.255.0    192.168.20.16 - 192.168.20.127   192.168.20.1 - 192.168.20.15
Table 7: VISION2000 split-scope DHCP pool assignment on collapsed core switch 01
VISION2000_FLRGR_CC02
VLAN ID   IP Pool        Subnet mask      Assignable addresses             Reserved (excluded)
5         192.168.5.0    255.255.255.0    192.168.5.128 - 192.168.5.254    192.168.5.1 - 192.168.5.15
10        192.168.10.0   255.255.255.0    192.168.10.128 - 192.168.10.254  192.168.10.1 - 192.168.10.15
15        192.168.15.0   255.255.255.0    192.168.15.128 - 192.168.15.254  192.168.15.1 - 192.168.15.15
20        192.168.20.0   255.255.255.0    192.168.20.128 - 192.168.20.254  192.168.20.1 - 192.168.20.15
Table 8: VISION2000 split-scope DHCP pool assignment on collapsed core switch 02
The reserved addresses at the start of each subnet hold the SVI addresses and the HSRP virtual gateway address. Because an IOS DHCP pool is defined by its network, each switch must exclude both the reserved range and the other switch's half of the subnet with ip dhcp excluded-address; otherwise both servers would offer addresses from the same range and the split would not exist.
For VLANs other than the access VLANs there is no need to configure dynamic addressing, because the services provided on them need fixed IP addresses. In these VLANs all IP addresses are assigned statically.
8. Routing
Introduction
Before we get into the specifics of routing, we need to describe the routing concepts that will guide our selection of a routing protocol.
Routing is the process by which an item gets from one location to another. In networking, a router or Layer 3 switch is the device that routes traffic. To be able to route anything, a router, or any entity that performs routing, must do the following:
Identify the destination address: determine the destination (address) of the item that needs to be routed.
Identify sources of routing information: determine from which sources (other routers) the router can learn the paths to given destinations.
Identify routes: determine the initial possible routes, or paths, to the intended destination.
Select routes: select the best path to the intended destination.
Maintain and verify routing information: determine if the known paths to the destination
There are two ways in which the destination information can be learned.
Static routing: - Routing information can be entered manually by the network administrator. The
administrator must manually update this static route entry whenever an internetwork topology change
requires an update. Static routes are user-defined routes that specify the path that packets take when
moving between a source and a destination. These administrator-defined routes allow very precise
control over the routing behavior of the IP internetwork.
Dynamic routing: the router learns routes dynamically after an administrator configures a routing protocol. Unlike static routes, once dynamic routing is enabled the routing process updates its route knowledge automatically whenever new topology information is received. The router learns and maintains routes to remote destinations by exchanging routing updates with other routers in the internetwork.
Routing is the process of directing packets from a source node to a destination node on a different network. Cisco devices support dynamic routing protocols such as OSPF, IS-IS, RIP, RIPv2, IGRP, EIGRP and BGP.
OSPF and IS-IS are link-state routing protocols, used for larger networks with multiple routers.
EIGRP and IGRP are Cisco proprietary routing protocols and do not interoperate with other vendors' devices. They are also used for larger networks. EIGRP
RIPv2 is a classless distance-vector routing protocol that uses hop count as its metric to select the best path to a destination.
RIPv1 is a classful distance-vector routing protocol that uses hop count as its metric to select the best path to a destination.
There are many routing protocols; two major classes are in widespread use on IP networks:
An Interior Gateway Protocol (IGP) exchanges routing information between routers within a single autonomous system. Examples are RIP, OSPF and IGRP. In contrast, an Exterior Gateway Protocol (EGP) determines network reachability between autonomous systems and relies on IGPs to resolve routes within an AS. Example: BGP.
There are two major classes of routing protocols used in packet-switched networks for
computer communications
Distance vector
Distance-vector routing protocols use the Bellman-Ford algorithm, the Ford-Fulkerson algorithm or the DUAL finite state machine (EIGRP) to calculate paths. As the name implies, routes are advertised as vectors of distance and direction. Distance is defined in terms of a metric such as hop count, and direction is simply the next-hop router or exit interface.
Routers using a distance-vector protocol do not have knowledge of the entire path to a destination. Instead, distance vector uses two methods:
In distance vector routing, the least cost route between any two nodes is the route with
minimum distance. In this protocol, as the name implies, each node maintains a vector (table)
of minimum distance to every node. As the name suggests the distance vector protocol is based
on calculating the direction and distance to any link in a network. The cost of reaching a
destination is calculated using various route metrics. RIP uses the hop count of the destination
whereas IGRP takes into account other information such as node delay and available
bandwidth.
Updates are performed periodically in a distance-vector protocol where all or part of a router's
routing table is sent to all its neighbours that are configured to use the same distance-vector
routing protocol. Once a router has this information it is able to amend its own routing table to
reflect the changes and then inform its neighbours of the changes. RIP, IGRP and EIGRP are
example of distance vector routing protocols.
Link state
Link-state routing protocols are also known as shortest-path-first protocols. Each router floods link-state advertisements describing its own links to every other router in the area, so that every router builds the same topological database describing all possible routes and their costs. It then runs the Dijkstra shortest path first (SPF) algorithm over that database, placing itself at the root of the resulting tree, and so obtains the shortest path to every destination from its own perspective. Link-state protocols therefore do not view the network merely in terms of adjacent routers and hop counts. They respond quickly to network changes, send triggered updates only when a change has occurred, and otherwise send periodic refreshes (link-state refreshes) at long intervals, such as every 30 minutes. OSPF and IS-IS are examples of link-state protocols.
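The two algorithms side by side, as an added example written for this edit (not code from the proposal). The five-router topology, its link costs and the forged advertisement are constructed; the example runs a synchronous distance-vector exchange and a Dijkstra SPF over the same graph and, going beyond the text, shows why a distance-vector router cannot tell a forged neighbour advertisement from a genuine one, which is the reason to enable neighbour authentication on the OSPF adjacencies that the switch and firewall configurations later in this document set up without it.

```python
"""Distance-vector versus link-state on one constructed topology.

Added example, not part of the Vision 2000 proposal. Router names, link costs
and the forged advertisement below are constructed for illustration.
"""
import heapq
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Route = Tuple[float, Optional[str]]          # (cost, next hop)

# Constructed topology: undirected links with a cost (an OSPF cost or a RIP hop).
LINKS: List[Tuple[str, str, int]] = [
    ("R1", "R2", 1), ("R1", "R3", 4), ("R2", "R3", 1),
    ("R2", "R4", 5), ("R3", "R4", 1),
]


def build_graph(links: List[Tuple[str, str, int]]) -> Dict[str, Dict[str, int]]:
    graph: Dict[str, Dict[str, int]] = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def distance_vector(graph, forged=None, max_rounds=32):
    """Synchronous distance-vector exchange (Bellman-Ford).

    Each router keeps only (cost, next hop) per destination and, every round,
    receives the vectors its direct neighbours advertised in the previous
    round. `forged` maps a router to destination costs it lies about; the
    receiving routers have no way to check the claim.
    """
    forged = forged or {}
    table: Dict[str, Dict[str, Route]] = {
        r: {d: ((0, None) if d == r else (INF, None)) for d in graph} for r in graph
    }
    for r, neighbours in graph.items():
        for n, cost in neighbours.items():
            table[r][n] = (cost, n)
    for _ in range(max_rounds):
        # What each router advertises this round: its table, plus any lies.
        advertised = {r: dict(t) for r, t in table.items()}
        for liar, lies in forged.items():
            advertised[liar].update({d: (c, None) for d, c in lies.items()})
        changed = False
        for r, neighbours in graph.items():
            for n, link_cost in neighbours.items():
                for dest, (adv_cost, _) in advertised[n].items():
                    if link_cost + adv_cost < table[r][dest][0]:
                        table[r][dest] = (link_cost + adv_cost, n)
                        changed = True
        if not changed:
            break
    return table


def link_state(graph, root: str) -> Dict[str, Route]:
    """Dijkstra SPF from `root` over the full topology database, as OSPF runs
    after LSA flooding. Returns (cost, first hop) per destination."""
    dist = {d: INF for d in graph}
    first_hop: Dict[str, Optional[str]] = {d: None for d in graph}
    dist[root] = 0.0
    heap: List[Tuple[float, str]] = [(0.0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, c in graph[node].items():
            if cost + c < dist[nbr]:
                dist[nbr] = cost + c
                first_hop[nbr] = nbr if node == root else first_hop[node]
                heapq.heappush(heap, (dist[nbr], nbr))
    return {d: (dist[d], first_hop[d]) for d in graph}


def algorithms_agree(graph) -> bool:
    """True when every router's converged DV table matches its SPF result."""
    dv = distance_vector(graph)
    return all(dv[r][d] == link_state(graph, r)[d] for r in graph for d in graph)


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("R1 distance-vector table:", distance_vector(g)["R1"])
    print("R1 SPF result:          ", link_state(g, "R1"))
    # A constructed rogue router R5 on R1's LAN claims cost 0 to R4 and
    # immediately becomes R1's next hop for R4 (traffic interception).
    rogue = build_graph(LINKS + [("R1", "R5", 1)])
    print("R1 -> R4 with rogue R5:", distance_vector(rogue, forged={"R5": {"R4": 0}})["R1"]["R4"])
```

On the honest topology both methods converge to the same (cost, next hop) for every router; with the forged vector, R1 redirects all traffic for R4 through the rogue neighbour, which is exactly what routing-protocol authentication on each adjacency is meant to prevent.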
Routing configuration
Addressing of the external firewall's point-to-point links (each ASA interface also needs a nameif and a security-level, covered under Security below, before it will pass traffic):
Vision2000_FLRGR_EF01# configure terminal
Vision2000_FLRGR_EF01(config)# interface GigabitEthernet0/1
Vision2000_FLRGR_EF01(config-if)# ip address 192.168.60.2 255.255.255.252
Vision2000_FLRGR_EF01(config-if)# no shutdown
Vision2000_FLRGR_EF01(config-if)# interface GigabitEthernet0/2
Vision2000_FLRGR_EF01(config-if)# ip address 192.168.60.6 255.255.255.252
Vision2000_FLRGR_EF01(config-if)# no shutdown
Vision2000_FLRGR_EF01(config-if)# interface GigabitEthernet0/3
Vision2000_FLRGR_EF01(config-if)# ip address 192.168.60.17 255.255.255.252
Vision2000_FLRGR_EF01(config-if)# no shutdown
Vision2000_FLRGR_EF01(config-if)# end
9. Security
Securing the network means protecting the inside network from external attackers, malware and unauthorised systems; several mechanisms are combined to do so.
The perimeter is the network's boundary: the points where data flows in from (and out to) other networks, including the Internet. Network perimeter security is the function and policy of securing the company's network at those edges, where the system interfaces with the rest of the world. To plan a perimeter defence you first have to establish exactly where the perimeter is and which technologies are required to protect it reliably and cost-effectively.
Perimeter security protects the network at the points where it connects to the Internet. Firewalls control the flow of data between the network and the Internet; intrusion detection systems (IDS) and intrusion prevention systems (IPS) examine network traffic and block attacks to enforce the corporate perimeter security policy. To secure Vision 2000's network we recommend a Cisco ASA 5525-X.
The basic ASA 5525-X features configured on the perimeter are described below.
A security zone should be configured for each region of relative trust within the network, so that all interfaces assigned to the same zone are protected with a similar level of security. Consider an access firewall with three interfaces, each in its own zone:
Internet zone
Private zone
DMZ zone
Each zone holds only one interface, although you might want to allow varied access from the public Internet to specific hosts in the DMZ, and varied application-use policies for hosts in the protected LAN. If an additional interface is added to the private zone, hosts connected to the new interface can pass traffic to all hosts on the existing interface in the same zone, and their traffic to hosts in other zones is governed by the existing policies.
Because the DMZ is exposed to the public Internet, DMZ hosts may be subjected to undesired activity from malicious individuals who might succeed in compromising one or more of them. If no access policy allows DMZ hosts to reach private-zone or Internet-zone hosts, an attacker who compromises a DMZ host cannot use it to carry out further attacks against private or Internet hosts. The firewall imposes a deny-by-default posture for such traffic (on the ASA this is expressed through interface security levels, described below), so unless DMZ hosts are specifically granted access to other networks, those networks are safeguarded against any connections from the DMZ. Similarly, no access is provided for Internet hosts to reach the private zone, so private-zone hosts are safe from unwanted access by Internet hosts.
Configuration
A basic configuration with IP connectivity and VLAN configuration.
[Figure: the external firewall between the Internet and the DMZ switches; Gig 0/3 is the DMZ interface at security level 50]
Component                 Parameter/Value
Host name                 Vision2000_FLRGR_EF01
Outside interface IP      10.131.235.44/29 (the outside address implied by the ASA's OSPF network and default-route statements later in this section)
LAN interface GE0/1 IP    192.168.60.2/30
LAN interface GE0/2 IP    192.168.60.6/30
Login banner              "Authorized personnel only"
Before configuring the ASA firewall we first define the hostname, the interface naming and the security levels.
Hostname configuration: when you set a hostname for the ASA, that name appears in the command-line prompt. If you establish sessions to multiple devices, the hostname helps you keep track of where you are entering commands. The factory default hostname is ciscoasa; we set it to Vision2000_FLRGR_EF01 with the hostname command.
Physical name: commonly called the hardware name. The physical name is used whenever we need to configure the physical properties of an interface, such as its speed, duplex or IP address. The ASA uses physical names of the form GigabitEthernet slot/port (for example GigabitEthernet0/1).
Logical name: logical names, set with the nameif command, are used in most other commands, such as applying an ACL to an interface or specifying an interface in an address-translation policy. Logical names should describe what the interface is connected to. Two common (default) names are "inside" (connected to the internal network) and "outside" (connected to the external or public network).
Security levels: ASA platforms have inherent security policies based on the relative trust, or security level, assigned to each interface. Interfaces with a higher security level are considered more trusted than interfaces with a lower one. Security levels range from 0 (the least trust) to 100 (the greatest trust). The "inside" interface defaults to security level 100; all other interface names default to 0. The security algorithm uses these levels to enforce its policies according to the following rules:
Usually the "outside" interface, which faces a public, untrusted network, receives security level 0.
The "inside" interface, which faces the community of trusted users, receives security level 100.
Any other ASA interface that connects to another area of the network receives a security level between 1 and 99. The same two traffic policies described below apply to any number of interfaces.
Figure 8 shows an ASA with three interfaces and how traffic is inherently permitted to flow from higher-security interfaces toward lower-security interfaces. For example, traffic from the inside network (security level 100) can flow toward the DMZ network (security level 50) because the security level is decreasing, and DMZ traffic (security level 50) can flow toward the outside network (security level 0).
Figure 8: Traffic Flows Are Permitted from Higher to Lower Security Levels
Traffic initiated in the opposite direction, from a lower security level toward a higher one, cannot pass so easily: it is dropped unless an access list applied to the lower-security interface explicitly permits it. Figure 9 shows the same ASA with three interfaces and the possible traffic-flow patterns.
Figure 9: Traffic Flows Are Blocked from Lower to Higher Security Levels
You assign a security level of 0 to 100 to an ASA interface with the security-level interface configuration command.
Object-Group Configuration
By grouping like objects together, you can use the object group in an access control entry (ACE) instead of entering a separate ACE for each object. You can create the following types of object groups:
Protocol
Network
Service
ICMP type
In the perimeter area we also use network-based and service-based object groups, configured on the external firewall as described below.
A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. To add or change a network object group, perform the steps in this section. After you add the group, you can add more objects as required by following the procedure again for the same group name and specifying additional objects. You do not need to re-enter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. A network group holding the IP addresses of the three administrators, for example, is created with object-group network followed by one network-object host entry per administrator address.
A service object group is added or changed in the same way: re-running the procedure for the same group name appends objects, and existing entries remain in place until removed with the no form of the command. One such group is defined for the mail services.
Service group: Mail Services
ACL Configuration
We apply extended access lists on the Vision 2000 perimeter firewalls, considering traffic flow from the inside (internal) network to the external Internet and from the Internet to the internal network. Vision 2000 will have its servers in the DMZ.
Access from the Internet to the internal networks, and from the DMZ to the internal networks, is blocked by default for every protocol, as described in the zone policy above: Internet users and DMZ hosts get no path to Vision 2000's internal resources.
The table below illustrates access from internal users to the DMZ servers, with the default privilege per protocol, when internal users try to reach Vision 2000's DMZ resources.
From             To            Default access   Port   Protocol
Internal users   DMZ servers   Permitted        23     TCP
Internal users   DMZ servers   Permitted        53     UDP
Internal users   DMZ servers   Permitted        69     UDP
Internal users   DMZ servers   Permitted        443    TCP
The table below displays access from internal users to the Internet, with the default privilege per protocol, when internal users try to reach the Internet.
From             To            Default access   Port   Protocol
Internal users   Internet      Permitted        23     TCP
Internal users   Internet      Permitted        53     UDP
Internal users   Internet      Permitted        69     UDP
Internal users   Internet      Permitted        443    TCP
The table below displays access from the DMZ to the Internet, with the default privilege per protocol, when DMZ hosts try to reach the Internet.
From             To            Default access   Port   Protocol
DMZ              Internet      Permitted        23     TCP
DMZ              Internet      Permitted        53     UDP
DMZ              Internet      Permitted        69     UDP
DMZ              Internet      Permitted        443    TCP
The table below shows access from the Internet to the DMZ, with the default privilege per protocol, when Internet hosts try to reach the DMZ.
From             To            Default access   Port   Protocol
Internet         DMZ           Blocked          23     TCP
Internet         DMZ           Blocked          53     UDP
Internet         DMZ           Blocked          69     UDP
Internet         DMZ           Blocked          443    TCP
Two points need attention when these tables are turned into access lists. First, the ASA running configuration later in this section already publishes one exception to the Internet-to-DMZ row: access-list outside-to-webserver permits TCP 80 and 443 from any source to the web server 192.168.130.5, while the static NAT for that server (nat (DMZ,outside) static PUBLIC-WEB-IP service tcp www www) translates only TCP 80, so the HTTPS entry is unreachable from the Internet until the translation is extended to port 443. Second, ports 23 (Telnet) and 69 (TFTP) carry credentials and files in cleartext; permitting them outbound from internal users and from the DMZ should be reviewed against the SSH-based management described under Password configuration below.
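The security-level rules and the ACL tables above, reduced to a small policy evaluator. This is an added example written for this edit, not ASA code or tooling from the proposal; the interface levels (outside 0, DMZ 50, inside 100) and the outside-to-webserver access list are taken from this document, while the source and destination addresses used in the demonstration are constructed. It encodes the behaviour stated in the text: a new connection from a higher to a lower security level is permitted by default, the reverse is denied, and once an access list is applied inbound on an interface that list, with its implicit deny, replaces the default rule for that interface.

```python
"""ASA security-level policy with inbound interface access lists.

Added example for this edit, not configuration from the Vision 2000
proposal. Interface levels and the outside-to-webserver access list follow
the document; the demonstration addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# nameif -> security-level, as given in the text and the ASA configuration.
SECURITY_LEVELS: Dict[str, int] = {"outside": 0, "DMZ": 50, "inside": 100}

# `same-security-traffic permit inter-interface` is set in the proposal's ASA
# configuration; with it, equal-level interfaces may talk to each other.
SAME_SECURITY_INTER_INTERFACE = True


def _in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class ACE:
    """One access-control entry: action proto src dst [eq dport]."""
    action: str            # "permit" | "deny"
    proto: str             # "tcp" | "udp" | "icmp" | "ip"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not _in_net(self.src, src_ip) or not _in_net(self.dst, dst_ip):
            return False
        return self.dport is None or self.dport == dport


# access-group <name> in interface <nameif>, as in the ASA running-config:
#   access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq www
#   access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq https
ACCESS_GROUPS: Dict[str, List[ACE]] = {
    "outside": [
        ACE("permit", "tcp", "any", "192.168.130.5/32", 80),
        ACE("permit", "tcp", "any", "192.168.130.5/32", 443),
    ],
}


def evaluate(ingress: str, egress: str, proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Decide a NEW connection arriving on `ingress` bound for `egress`.

    Returns (verdict, reason). Return traffic of an established connection
    is allowed by the CONN table and never reaches this check.
    """
    acl = ACCESS_GROUPS.get(ingress)
    if acl is not None:
        # An inbound ACL replaces the implicit level-based rule for this interface.
        for ace in acl:
            if ace.matches(proto, src_ip, dst_ip, dport):
                return ace.action, f"ACE {ace.action} {ace.proto} {ace.src} {ace.dst} {ace.dport}"
        return "deny", f"implicit deny at end of access-group on {ingress}"
    lvl_in, lvl_out = SECURITY_LEVELS[ingress], SECURITY_LEVELS[egress]
    if lvl_in > lvl_out:
        return "permit", f"implicit permit, level {lvl_in} -> {lvl_out}"
    if lvl_in == lvl_out and SAME_SECURITY_INTER_INTERFACE:
        return "permit", "same-security-traffic permit inter-interface"
    return "deny", f"implicit deny, level {lvl_in} -> {lvl_out}"


def audit_table(rows):
    """Compare a planned access table (rows of ingress, egress, proto, dport,
    expected verdict) with what the firewall actually does; return mismatches."""
    # Constructed representative addresses per zone; the DMZ one is the web server.
    sample_src = {"outside": "203.0.113.9", "DMZ": "192.168.130.5", "inside": "192.168.10.20"}
    sample_dst = {"outside": "198.51.100.7", "DMZ": "192.168.130.5", "inside": "192.168.10.20"}
    mismatches = []
    for ingress, egress, proto, dport, expected in rows:
        verdict, reason = evaluate(ingress, egress, proto, sample_src[ingress], sample_dst[egress], dport)
        if verdict != expected:
            mismatches.append((ingress, egress, proto, dport, expected, verdict, reason))
    return mismatches


if __name__ == "__main__":
    # The Internet-to-DMZ table says "Blocked" for 443; the ACL in the ASA
    # configuration permits it to the web server, so the audit flags that row.
    planned = [
        ("inside", "DMZ", "tcp", 443, "permit"),
        ("DMZ", "inside", "tcp", 443, "deny"),
        ("DMZ", "outside", "udp", 53, "permit"),
        ("outside", "DMZ", "tcp", 443, "deny"),
    ]
    for m in audit_table(planned):
        print("table/config mismatch:", m)
```

Running the planned rows from the tables through audit_table is a cheap way to catch exactly the kind of drift noted above, where a published exception in the running configuration contradicts the design table.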
NAT and application inspection configuration
We use the default Modular Policy Framework configuration, a class map named inspection_default and a policy map named global_policy, as the starting point, and will tune it after checking the performance of the traffic. The NAT rules themselves (dynamic PAT for the inside networks and a static translation for the DMZ web server) appear in the ASA running configuration at the end of this section.
The adaptive security appliance uses three databases for its basic operations:
Access lists: used to authorise connections based on specific networks, hosts and services (TCP/UDP port numbers).
Inspections: a static, predefined set of application-level inspection functions.
Connections (XLATE and CONN tables): maintain state and other information about each established connection; the Adaptive Security Algorithm and the cut-through proxy use this information to forward traffic within established sessions efficiently.
The order in which the appliance processes a packet is shown in the figure below.
[Figure: packet flow between client and server through the appliance's ACL, XLATE, CONN and INSPECTION stages (steps 1 to 7 in the original diagram)]
! Class map
class-map inspection_default
 match default-inspection-traffic
!
! Policy map
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
!
! Service policy
service-policy global_policy global
The ASA's Botnet Traffic Filter (a separately licensed feature) can receive periodic updates of its dynamic database from the Cisco update server; the database lists thousands of known malicious domain names and IP addresses.
Physical Security
Physical security describes measures designed to deny unauthorised personnel (including attackers and accidental intruders) physical access to a building, facility, resource or stored information, together with guidance on how to design structures to resist potentially hostile acts. It can be as simple as a locked door or as elaborate as multiple layers of barriers, armed security guards and guardhouse placement. Good physical security uses layered defence, combining measures that deter and delay intrusions (passive defence) with measures that detect and respond to them (active defence). Ultimately it should be too difficult, risky or costly for an attacker even to attempt an intrusion.
Strong security measures come at a cost, however, and there is no perfect security. It is up to the security designer to balance security features and a tolerable level of personnel access against the available resources, the risks to the assets being protected and even aesthetics.
Physical security is not a modern phenomenon; it exists to deter or prevent people from entering a facility, and historical examples include city walls. The technology has changed over time: passive infrared (PIR) sensors, electronic access control systems and video surveillance system (VSS) cameras did not exist in earlier eras, but the essential methodology has not altered. Fundamentally, a combination of security layers is recommended to provide adequate protection against internal or external attack.
For the Vision 2000 network a surveillance system, an alarm system and an access control system are recommended, and every rack should be locked. INSA recommends the following measures:
All access-switch racks should be locked.
The server room should have a well-secured, lockable door.
Password configuration
The ASA appliances support two levels of passwords: one for access to user EXEC mode via Telnet and SSH, and one for access to privileged EXEC. On the ASA these passwords are stored as hashes in the configuration, so they cannot be read back from a configuration dump. Cisco IOS behaves differently: only the secret forms of commands are hashed, while the password forms are stored in cleartext unless service password-encryption is enabled, and that applies only the reversible Type 7 scheme.
A password is a protected string of characters used to authenticate a user. There are three types of password-protection schemes in Cisco IOS.
Clear-text passwords (Type 0): these are the most insecure because they have no protection at all; the password is viewable in the device configuration in clear text.
Type 7 passwords: these use Cisco's proprietary reversible encoding (a fixed-key XOR) and are known to be weak; several freely available utilities decode a Type 7 string instantly. Type 7 is what service password-encryption applies to the enable password, username ... password and line password commands.
Type 5 passwords: these use a salted MD5 hash (one-way), so the stored value cannot be reversed and the only attacks are brute force or dictionary guessing. Type 5 should be used instead of Type 7 wherever possible. It is produced by enable secret, which takes precedence over enable password when both are configured, and by username ... secret. On IOS releases that support them, the Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt) algorithms are stronger still and should be preferred over Type 5.
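Why Type 7 is called reversible, as an added example written for this edit (not code from the proposal or from Cisco): the encoder and decoder below implement the fixed-key XOR scheme, using the textbook `cisco` / `02050D480809` pair as a constructed sample, and scan a constructed configuration fragment for `password 7` lines. Every `password 7` string in the running configurations reproduced later in this document decodes the same way, which is why the text recommends the secret forms.

```python
"""Cisco Type 7 password encoding and decoding.

Added example for this edit, not from the proposal. The Type 7 scheme XORs
the password with a fixed, publicly known key, so it protects only against
shoulder surfing; anything stored as `password 7` can be recovered from a
configuration dump offline.
"""
import re
from typing import Dict

# The constant key every IOS device uses for Type 7 (public since the 1990s).
_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Decode 'SSHHHH...' where SS is the decimal key offset and HH are hex bytes."""
    s = encoded.strip()
    if len(s) < 4 or len(s) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    seed = int(s[:2], 10)
    data = bytes.fromhex(s[2:])
    plain = bytes(b ^ _KEY[(seed + i) % len(_KEY)] for i, b in enumerate(data))
    return plain.decode("utf-8")


def encode_type7(plain: str, seed: int = 2) -> str:
    """Encode as IOS does; IOS picks a seed of 0-15 at random."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("utf-8")
    out = bytes(b ^ _KEY[(seed + i) % len(_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def find_type7(config: str) -> Dict[str, str]:
    """Map every `... password 7 <hex>` line in a config to its plaintext."""
    found: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.search(r"password 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            found[line.strip()] = decode_type7(m.group(1))
    return found


# Constructed fragment with the same shape as the line passwords in the
# switch configurations; the value is the textbook 'cisco' sample, not a
# string taken from this document.
SAMPLE_CONFIG = """\
line vty 0 4
 password 7 02050D480809
 login local
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG).items():
        print(f"{line}  ->  {plain!r}")
    print(encode_type7("Vision2000!t20o2", seed=7))   # round-trips through decode_type7
```

Because the key is constant and the seed is written in the clear as the first two digits, decoding costs one XOR per byte; the only thing service password-encryption buys is that the password is not readable at a glance.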
External firewall
Vision2000_FLRGR_EF01(config)# enable password Vision2000!t20o2
(EF01 is an ASA, which has no enable secret command; the ASA stores its enable password as a hash. If IF01 is also an ASA, use enable password there as well.)
Internal firewall
Vision2000_FLRGR_IF01(config)# enable secret Vision2000!t20o2
AAA configuration
Local authentication and EXEC authorisation on the switches. The username is created with secret so that it is stored as a Type 5 hash, as recommended above; aaa new-model is entered in global configuration mode and does not change the prompt.
Collapsed core switch 01
Vision2000_FLRGR_CC01(config)# username admin@Vision2000 secret Vision2000!t20o2
Vision2000_FLRGR_CC01(config)# aaa new-model
Vision2000_FLRGR_CC01(config)# aaa authentication login default local
Vision2000_FLRGR_CC01(config)# aaa authorization exec default local
Collapsed core switch 02
Vision2000_FLRGR_CC02(config)# username admin@Vision2000 secret Vision2000!t20o2
Vision2000_FLRGR_CC02(config)# aaa new-model
Vision2000_FLRGR_CC02(config)# aaa authentication login default local
Vision2000_FLRGR_CC02(config)# aaa authorization exec default local
DMZ switch
Vision2000_FLR07_DMZ01(config)# username admin@Vision2000 secret Vision2000!t20o2
Vision2000_FLR07_DMZ01(config)# aaa new-model
Vision2000_FLR07_DMZ01(config)# aaa authentication login default local
Vision2000_FLR00_CC01#show running-config
Building configuration...
interface GigabitEthernet1/0/2
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
interface GigabitEthernet1/0/6
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
interface GigabitEthernet1/0/7
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/8
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/9
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/10
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/11
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/12
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/13
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/14
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/15
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/16
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/17
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/18
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/19
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/20
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/21
description link_CC01_TO_IF01
no switchport
ip address 192.168.60.9 255.255.255.252
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/22
description link_CC01_TO_EF01
no switchport
ip address 192.168.60.1 255.255.255.252
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
!
interface GigabitEthernet1/0/23
description link_CC01_TO_CC02
switchport mode trunk
switchport nonegotiate
channel-protocol pagp
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/24
description link_CC01_TO_CC02
switchport mode trunk
switchport nonegotiate
channel-protocol pagp
channel-group 1 mode desirable
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 192.168.5.2 255.255.255.0
standby 1 priority 200
standby 1 preempt delay minimum 30
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
standby 1 ip 192.168.10.1
standby 1 priority 200
standby 1 preempt delay minimum 30
!
interface Vlan15
ip address 192.168.15.2 255.255.255.0
standby 1 ip 192.168.15.1
standby 1 priority 200
standby 1 preempt delay minimum 30
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
standby 1 ip 192.168.20.1
standby 1 preempt delay minimum 30
!
interface Vlan65
no ip address
!
interface Vlan99
ip address 192.168.99.2 255.255.255.0
!
interface Vlan100
ip address 192.168.100.2 255.255.255.0
standby 1 ip 192.168.100.1
standby 1 preempt delay minimum 30
!
interface Vlan130
no ip address
!
router ospf 100
router-id 10.0.0.1
passive-interface default
no passive-interface GigabitEthernet1/0/21
no passive-interface GigabitEthernet1/0/22
no passive-interface GigabitEthernet1/0/23
no passive-interface GigabitEthernet1/0/24
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.3 area 0
network 192.168.60.8 0.0.0.3 area 0
network 192.168.100.0 0.0.0.255 area 0
default-information originate always
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.131.235.44
!
!
access-list 10 permit 192.168.100.0 0.0.0.255
!
!
banner login ^C
Welcome to Vision2000_FLR00_CC01
##########################################
# This is a Login banner used to show #
# legal and privacy information. #
# #
# Unauthorized users prohibited #
##########################################
^C
!
line con 0
password 7 00071B26161A1F545F2E1E
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
password 7 0307532B144E351E1E064B
logging synchronous
login local
transport input all
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end
Vision2000_FLRGR_EF01# show running-config
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name chsa.gov.et
same-security-traffic permit inter-interface
object network inside01-nat
subnet 192.168.0.0 255.255.0.0
object network net-inside
object network inside_net
object network iside_net
object network inside-nat
subnet 192.168.0.0 255.255.0.0
object network PUBLIC-IP-PAT
host 197.156.101.137
description inside to outside nat(pat)
object network PORTAL-NAT
host 192.168.130.5
description nat for web server
object network PUBLIC-WEB-IP
host 197.156.101.138
description nat for portal server
access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq www
access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside01 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.65.25 inside
icmp permit host 192.168.65.25 inside01
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside01-nat
nat (inside01,outside) dynamic PUBLIC-IP-PAT
object network inside-nat
nat (inside,outside) dynamic PUBLIC-IP-PAT
object network PORTAL-NAT
nat (DMZ,outside) static PUBLIC-WEB-IP service tcp www www
access-group outside-to-webserver in interface outside
router ospf 100
router-id 10.0.0.3
network 10.131.235.40 255.255.255.248 area 0
network 192.168.60.0 255.255.255.252 area 0
network 192.168.60.4 255.255.255.252 area 0
network 192.168.60.16 255.255.255.252 area 0
log-adj-changes
redistribute static subnets
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 10.131.235.42 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside01
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username charityadmin password vgeKLDSERqj5iBL2 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 19
subscribe-to-alert-group configuration periodic monthly 19
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:605926f12a0f585a114296d438bb795f
: end
Vision2000_FLR07_DMZ01#show running-config
Building configuration...
hostname Vision2000_FLR07_DMZ01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$fZ1p$3joqHosU84g8KR1FZemj30
enable password 7 1511032C166B3F76783C67
!
username Vision2000admin password 7 070C296C5C480D57471D59
no aaa new-model
switch 1 provision ws-c3650-24ts
ip routing
!
ip domain-name Vision2000
ip device tracking
!
!
vtp domain Vision2000
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3944390644
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3944390644
revocation-check none
rsakeypair TP-self-signed-3944390644
!
!
crypto pki certificate chain TP-self-signed-3944390644
certificate self-signed 01
30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393434 33393036 3434301E 170D3136 30383131 30393038
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343433
39303634 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D790 5E6E1C12 11E4C5DC B1DBA5E7 45257310 571EB8D4 9A580A0B 5AC2BCF0
110BC5C5 723B4BEB F45F12B0 56588895 7EE1C9B4 CC162D9A 3497D36B 840246A5
D713C781 2CF6429E 3236C083 42D6594E FD1D1576 C4C2FCE3 31CAE69B
DD68F020 AE5097D1 A2DE4717 22A31E5B 7AF675BD 1744993E 456D5C77 43C5C3AC
E2BAB2ED A9790203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF
30270603 551D1104 20301E82 1C434853 415F464C 5230375F 444D5A30 312E6368
interface GigabitEthernet1/0/5
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 130
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 130
!
ip default-gateway 192.168.130.1
ip http server
ip http authentication local
ip http secure-server
!
access-list 10 permit 192.168.100.0 0.0.0.255
!
banner login ^C
Welcome to Vision2000_FLR00_DMZ01
##########################################
# This is a Login banner used to show #
# legal and privacy information. #
# #
# Unauthorized users prohibited #
##########################################
^C
!
line con 0
password 7 121A0D37004A18567A2476
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
password 7 070C296C5C480D57471D59
logging synchronous
login local
transport input all
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
Vision2000_FLRGR_SF01#show Running-config
Building configuration...
Vision2000_FL07_AS01#show running-config
Building configuration...
!
errdisable recovery cause bpduguard
errdisable recovery interval 200
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport access vlan 5
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 5
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 5
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 5
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 5
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/6
interface FastEthernet0/13
interface FastEthernet0/20
no ip route-cache
!
no ip http server
access-list 10 permit 192.168.100.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CC
Welcome to Vision2000_FL07_AS01
^C
!
line con 0
password Vision2000!t20o2
login local
line vty 0 4
access-class 10 in
login local
transport input telnet
line vty 5 15
login
!
end
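As an added example, not part of the original proposal or the interns' configuration, the following Python script audits IOS running-config text of the kind listed above and reports the settings a reviewer would check first: the HTTP management server left enabled, VTY lines whose transport admits cleartext Telnet, VTY lines without an access-class, and access ports configured without port-security. The two inputs are constructed excerpts modelled on the DMZ and seventh-floor access switch listings, not the real dumps, and the parser tolerates the lost indentation seen in the extracted text.

```python
import re

# Constructed excerpts modelled on the two listings above (not the real dumps).
SAMPLE_DMZ = """ip http server
interface GigabitEthernet1/0/5
switchport mode access
!
line vty 0 4
access-class 10 in
transport input all
!"""

SAMPLE_ACCESS = """no ip http server
interface FastEthernet0/1
switchport mode access
switchport port-security
!
line vty 0 4
access-class 10 in
transport input telnet
!"""

SECTION = re.compile(r"^(interface|line) ")

def parse(config: str) -> dict:
    """Map section header -> child commands ('' = global); a section ends at '!' or the next header."""
    sections, current = {"": []}, ""
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line == "!":
            current = ""
        elif SECTION.match(line):
            current, sections[line] = line, []
        else:
            sections[current].append(line)
    return sections

def audit(config: str) -> list:
    """Flag the management-plane and access-port weaknesses a reviewer checks."""
    sec, findings = parse(config), []
    if "ip http server" in sec[""]:
        findings.append("global: ip http server enabled (cleartext HTTP management)")
    for name, cmds in sec.items():
        if name.startswith("line vty"):
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"{name}: no access-class limiting management sources")
            if any(c.startswith("transport input") and {"all", "telnet"} & set(c.split()[2:]) for c in cmds):
                findings.append(f"{name}: transport input admits cleartext Telnet")
        elif name.startswith("interface") and "switchport mode access" in cmds and "switchport port-security" not in cmds:
            findings.append(f"{name}: access port without port-security")
    return findings
```

Running `audit()` over the DMZ excerpt yields three findings (HTTP server, Telnet on VTY, access port without port-security); the access-switch excerpt yields only the Telnet finding.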