Vision 2000 Network Design Proposal

VISION 2000 NETWORK INFRASTRUCTURE AND
NETWORK SYSTEMS DOCUMENT
MEKELLE UNIVERSITY
ETHIOPAIN INSTITUTE OF TECHNOLOGY
DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
Project I
Network and System Design Proposal for
Vision 2000
TEAM MEMBERS
1. Elias Degu
2. Mewael Hayelom
3. Razin Messele
4. Yadessa Emiru
Under the Supervision of

Advisor Ins Teklay G.
Mekelle, Ethiopia
10/02/2017
ABSTRACT
This project is designed by 2017 interns in response to the request by VISION 2000 which is a public
research company. The company is based on a five-story building. The ground floor is used as a store
and the first floor is a meeting hall. Currently, there is a decentralized network used only for internet
access. The management of the company has become aware of the role ICT can play to realize its
mission and, hence, has requested us ( INSA interns) to provide a secure, reliable, scalable, and cost-
effective network and system design proposal.
This document is expected to have all the Network Designing and Analysis which shall make the
needs of automation and IT needs of Vision2000.The main expectations of this design is the
exchange of different data and information across all offices in order to assist the achievement of
organizational goals .
In this context, we have done:
 The type and content of the applications that should be exchanged.
 Detail Requirement Study for Local Area Network for Vision2000.
 Assessing all connectivity requirements.
For the design and implementation of the network infrastructure for the Vision2000, We INSA Interns
have now taken some initial activities, which would create a strong base for the near future
implementation of the whole project.
Table of Contents
Introduction ..................................................................................................................................................................10
1. Background ..........................................................................................................................................................10
Objective of the project.................................................................................................................................................10
2. Scope of the project .............................................................................................................................................11
In scope ............................................................................................................................................................................ 11
Out scope ......................................................................................................................................................................... 11
4. Traffic Flow Analysis .............................................................................................................................................12
5. Methodology .......................................................................................................................................................13
Identify Company (the customer) requirements .............................................................................................................. 13
Network Infrastructure Design ........................................................................................................................................ 14
Design Philosophy ............................................................................................................................................................ 14

5.3.1 Vision ............................................................................................................................................................ 14
5.3.2 Framework.................................................................................................................................................... 15
5.3.1 Model ........................................................................................................................................................... 17
6. Devices, VLAN, IP addressing and Connectivity ....................................................................................................19
Logical topology............................................................................................................................................................... 19
Device Naming ................................................................................................................................................................. 21
VLAN Benefits .................................................................................................................................................................. 22

6.3.1 Solve broadcast problem .............................................................................................................................. 22
6.3.2 Reduce the size of broadcast domains ......................................................................................................... 23
6.3.3 Allow us to add additional layer of security ................................................................................................. 23
6.3.4 Make device management easier ................................................................................................................. 23
6.3.5 Allow us to implement the logical grouping of devices by function instead of location .............................. 23
Types of VLAN .................................................................................................................................................................. 23

6.4.1 Data VLAN ..................................................................................................................................................... 23
6.4.2 Default VLAN ................................................................................................................................................ 24
6.4.3 Native VLAN .................................................................................................................................................. 24
6.4.4 Management VLAN....................................................................................................................................... 24
6.4.5 Voice VLAN ................................................................................................................................................... 24
VLAN Membership ........................................................................................................................................................... 24

6.5.1 Static ............................................................................................................................................................. 25
6.5.2 Dynamic ........................................................................................................................................................ 25
VLAN Design .................................................................................................................................................................... 25
IP Addressing ................................................................................................................................................................... 26
VLAN IP Addressing .......................................................................................................................................................... 27
Management VLAN ......................................................................................................................................................... 27
Point to point connection IP addressing .......................................................................................................................... 27
Hardware Overview ......................................................................................................................................................... 28

Cisco Catalyst 2960 Series Switches............................................................................................................................ 28
Cisco ASA with FirePOWER Services ........................................................................................................................... 30
Cisco ASA 5510 Adaptive Security Appliance .............................................................................................................. 31
Rack Layout Design ......................................................................................................................................................... 32
Hardware Physical Connectivity ...................................................................................................................................... 32
Device Connectivity Labeling ........................................................................................................................................... 34
Physical LAN Design ......................................................................................................................................................... 35

Physical LAN Design for Vision 2000 site ................................................................................................................... 35
VTP Pruning................................................................................................................................................................. 36
VTP configuration ....................................................................................................................................................... 36
VTP plan for Vision 2000 ............................................................................................................................................. 37
Vlan configuration....................................................................................................................................................... 38
Switch VLAN Interface (SVI) configuration....................................................................................................................... 38
Switch Port Configuration ................................................................................................................................................ 40

Selecting and Identifying Ports to Configure .............................................................................................................. 41
Port speed ................................................................................................................................................................... 41
Port speed Switch port Configuration ........................................................................................................................ 42
Port Duplex mode ....................................................................................................................................................... 42
Duplex mode Switch port Configuration .................................................................................................................... 42
Trunk ................................................................................................................................................................................ 43
Trunking design considerations .................................................................................................................................. 43
Switch Link Aggregation .................................................................................................................................................. 47

LAG and EtherChannel ................................................................................................................................................ 47
EtherChannel protocols .............................................................................................................................................. 49
EtherChannel configuration ........................................................................................................................................ 50
Spanning Tree Protocol (STP) ........................................................................................................................................... 50

Common Spanning Tree (CST) .................................................................................................................................... 51
Per-VLAN Spanning Tree (PVST).................................................................................................................................. 51
Per-VLAN Spanning Tree plus (PVST+) ........................................................................................................................ 51
Rapid Spanning Tree Protocol (RSTP) ......................................................................................................................... 51
Multiple Spanning Tree (MST) .................................................................................................................................... 52
High Availability and Load Balancing .............................................................................................................................. 54

HSRP ............................................................................................................................................................................ 54
VRRP............................................................................................................................................................................ 54
GLBP ............................................................................................................................................................................ 54
Selecting VRRP protocol .............................................................................................................................................. 55
VLAN to Node analysis ..................................................................................................................................................... 55

VRRP configuration ..................................................................................................................................................... 55
Dynamic Host Configuration Protocol ............................................................................................................................. 57

A Split mode IP Scope assignment .............................................................................................................................. 58
7. Switches DHCP Configuration ...............................................................................................................................59
8. Routing ................................................................................................................................................................60
Introduction ..................................................................................................................................................................... 60
Static routing ................................................................................................................................................................... 60
Dynamic routing .............................................................................................................................................................. 61

Distance vector ........................................................................................................................................................... 61
Link state routing protocols ........................................................................................................................................ 62
Loop back address configuration ................................................................................................................................ 62
Configuring Default Route ............................................................................................................................................... 63

Routing configuration ................................................................................................................................................. 63
9. Security ................................................................................................................................................................66
Perimeter Security Configuration .................................................................................................................................... 66

Zone based firewall ..................................................................................................................................................... 67
Configure Host Name .................................................................................................................................................. 69
Configure login banner ............................................................................................................................................... 69

Configuration for external firewall interface .............................................................................................................. 70
Object-Group Configuration ....................................................................................................................................... 72
Mail Services ............................................................................................................................................................... 74
Internal network Services ................................................................................................................................................ 74

ACL Configuration ....................................................................................................................................................... 74
ACL to allow outside to DMZ ...................................................................................................................................... 77
NAT configuration ....................................................................................................................................................... 77
Stateful Inspection Configuration ............................................................................................................................... 77
Configuring the Botnet Traffic Filter ........................................................................................................................... 79
Configuration for internal firewall interface ............................................................................................................... 80
Hardening the Device ................................................................................................................................................. 80
Physical Security ......................................................................................................................................................... 81
Password configuration .............................................................................................................................................. 81
Privilege Password configuration................................................................................................................................ 82
Line Password configuration ....................................................................................................................................... 83
AAA configuration ....................................................................................................................................................... 84
Dynamic host configuration protocol (DHCP) snooping ............................................................................................. 85
10. Running configuration ..........................................................................................................................................87
Core switch_01 Running configuration ............................................................................................................................ 87
Running configuration for Externalfirewall ..................................................................................................................... 95
Running configuration for DMZ switch ............................................................................................................................ 99
Running configuration for server farm switch ............................................................................................................... 105
Running configuration for Access switch_01 ................................................................................................................. 109

LIST OF TABLES
Table [page]
Table 1: VLAN design …..………………………………………………..…………. 25
Table 2: IP addressing design ……………...………………….….……………........ 27
Table 3: Management IP addressing design for Vision 2 …..……..…….…………..…… 27
Table 4 MT site Point to Point IP addressing design ………...……….…….…………… 28
Table 5: Etherchannel mode and protocols …...………………………………………. 49
Table 6: Rapid_pvst configuration ………………………………………...................... 52
Table 7: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 01 ... 58
Table 8: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 02 … 58
Table 9: Basic Configuration components of Firewall …………..……………………… 69
Table 10: Network object group …………………..…………………………..…..…….. 73
Table 11: Service-Based Object Group Configuration ………………………...……….. 73
Table 12: ACL Description from Internet to Internal Network............................................. 75

Table 13: ACL Description from DMZ to Internal Networks …………..………………….. 75
Table 14: ACL Description from Internal Users to DMZ Server…………..…………...… 75
Table 15: ACL Description from Internal Users to Internet ………………..…..………….. 75
Table 16: ACL Description from DMZ to Internet ………………………...……………. 76
Table 17: ACL Description from Internet to DMZ ……………………................................. 76

LIST OF FIGURES
Figure [page]
Figure 1 Traffic Flow Analysis …………………………..…....………... 13
Figure 2 SONA framework ……………………………..…...……........... 16
Figure 3 Hierarchical LAN design Methodology …………………..……... 19
Figure 4 Logical Design ………………………………………..…..…….. 20
Figure 5 Rack Layout Design …………………………………..…..…….. 32
Figure 6 Zone Based Interface ………………………..………………..…. 67
Figure 7 Security Level ………………………..………………….…….. 68
Figure 8 Traffic Flows Are Permitted from Higher to Lower Security Levels.. 71
Figure 9 Traffic Flows Are Blocked from Lower to Higher Security Levels … 71
List of Abbreviations
ACL Access Control List
AD DS Active Directory Domain Service
ADSL Asymmetric Digital Subscriber line
AON Application-Oriented Network
BW Band Width
CAN Campus Area Network
CAT6 Category 6
CCTV Closed-Circuit Television
DC Domain Controller
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
ECNM Enterprise Composite Network Model
ET Ethiopian Telecom
ESA Email Security Appliance
HIDS Host Based Intrusion Detection System
ICT Information Communication Technology
IDS Intrusion Detection System
IIN Intelligent Information Network
INSA Information Network Security Agency
IPS Intrusion Prevention System
IT Information Technology
MAC Media Access Control
LAN Local Area Network
NAT Network Address Translation
QoS Quality of Service
SMTP Simple Mail Transfer Protocol
SONA Service-Oriented Network Architecture
TCP Transmission Control Protocol
UDP User Datagram Protocol
UTP Unshielded Twisted Pair
VLAN Virtual Local Area Network
VPN Virtual Private Network
WAN Wide Area Network
WSA Web Security Appliance
Introduction
1. Background
Vision 2000 is one of the institutions engaged in providing short, medium and long term
development credits. Vision 2000’s distinguishes feature is its “project” based lending tradition.
Project financed by the Bank are carefully selected and prepared through appraised, closely
supervised and systematically evaluated.
Since its establishment in 2000, the institution has been playing a significant role in promoting overall
economic development of the country.
After reestablishment from 2003, Vision 2000 has established recognition at national and
international levels. Nationally, it is the sole company with reputable experience in long term
investment financing and research. Internationally, and it is recognized as an important on leading
channel for development program financed by bilateral and/or multilateral sources.
In order to accomplish the commitment given to the organization, Vision is focusing in development
of ICT programs. It would be appropriate to mention here that in Vision 2000 there no existing
Network Infrastructure that would be upgraded, so it want to build a new Network Infrastructure.
The Enterprise invited INSA Interns to study and design an ICT infrastructure for the main office
located in Addis Ababa, Ethiopia. Network Engineering Design and Material Requirement Analysis
cover the Vision 2000 with such an undertaking; it is expected that all offices including branches
would have an access to exchange different data and information for enhancing their productivity in
achieving the common development goals.
Objective of the project
The objective of this project is to build and implement ssecure network infrastructure (LAN and
WAN) in the Vision 2000 HQ and its Branch offices.
The Network Infrastructure objectives of this project is to analyze the requirement, design and implement
secure, scalable, adaptable, reliable, available and converged Network Infrastructure, which enables the
Vision 2000 to effectively manage and facilitate its day-to-day activities using automated application
systems, Internet access and file sharing between its offices.
Hence, the Network Infrastructure will be implemented in the Vision 2000 to meet the following
objectives:
 Secure exchange of data/information between HQ and its Branch offices

 Implement reliable, scalable, adaptable and available LAN and WAN network infrastructure in the
Vision 2000 HQ and its Branch offices to access the Enterprise’s automated application systems and
the Internet services.
 secure, reliable, available and affordable service
 Web system, mail system and server farm which enable the agency with the ultimate
goal of providing secure, effective and efficient infrastructure to the Vision 2000 HQ and
its Branch offices.
 Wireless LAN on each floor
2. Scope of the project
In scopeT
Scope of this project is limited to the assumptions that issuing company has 4 branches with
not more than 350 users in each.
The scope of the network infrastructure and network systems project includes the following
main activities:-
 Provide network documentation.
 Provide centralized network access.
 Provide server based anti-virus system
 Floor based wireless connection
 Deploy/implement the designed network infrastructure (installation/placement,
configuration, testing and approving of network equipment like firewall, switches, server
and other relevant network accessories
 Perform network acceptance testing.
 Provide on-job training to network administrators of the company on how to administer
and manage the deployed network infrastructure.
Out scope
The designed network infrastructure can support video, data, and voice services. The following tasks
will not be covered
 Voice over IP (VoIP)
 Video Conference
 Security Camera(CCTV)
4. Traffic Flow Analysis
To design and build a successful network, you must gain a thorough understanding of the traffic
generated by applications in use, plus the traffic flow to and from the user communities. All
devices on the network will produce data to be transported across the network. Each device
could involve many applications that generate data with differing patterns and loads.
Traffic analysis refers to characterizing the existing and or expected traffic flow, traffic pattern,
traffic volume, and protocols. This process of characterizing requires the identification of
sources of data and destinations of network traffic and direction and symmetry of its travel. This
approach can be simplified by first identifying the major traffic sources which leads to grouping
of user communities who use a particular or set of applications. Applications such as electronic
mail, word processing, printing, file transfer, and most web browsers bring about data traffic
patterns that are predictable from source to destination. That is users are categorized by their
application usage, and identifying data stores.
In the context of VISION 2000 network we start with “mission critical applications” to group
user communities.
Thus the user communities are listed as follows:
1. Internal user community
2. External user community
3. Supervisor user community
4. Programmers user community
5. Data entry user community
6. Analysis user community
The data stores to be included are:
1. Data server for the storage and retrieval raw data using the application.
2. Database server for storage and retrieval of statistical data using the application.
3. Application server for the distribution of computer applications like antivirus software.
4. Authentication and antivirus servers.
5. Web and Mail servers. These servers will be accessed by the external users so they will be
placed in a DMZ. Access to them will be protected by separate VLAN configurations and
access controls using a firewall.
Internet
External
Server Farm Users
Storage
Network
DMZ
Symmetrical
and
Server Farm Bidirectional
Enterprise
Application Internet User Internal User
User Asymmetrica
User Community Community
Community and
Community
Bidirectional
Figure 1: Traffic Flow Analysis
5. Methodology
Three steps in the design methodology:

1. Identify Company (the customer) requirements.
2. Characterize the existing network and sites.
3. Network Infrastructure Design
Identify Company (the customer) requirements

The Customer requirements gathered from Vision 2000 are bullet listed as follows:
 A high performance, secure, reliable, and scalable network and system proposal
 All the branches department in the company should have one gateway to the Internet
 Every Customer of a given department needs to share data between users in his/her department
but not with users of other departments
 Each floor has a wireless connection
 Network access in the company should be centralized, i.e., every Customer should be
authenticated centrally by a server and not locally by his/her machine.
 They have web and mail servers that should be accessed from the Internet. They need to
register their own domain and DNS infrastructure.
 They also need a server-based antivirus system
 This company has four branches.
Network Infrastructure Design

The network Infrastructure design will serve as basis for the implementation of LAN and WAN
infrastructures of the Vision 2000 offices. The network design would primarily be helpful to meet
Vision 2000 business and technical requirements as well as to deploy, select detail network
equipment and components for the final solution.
Design Philosophy
We understand the fact that network infrastructures are designed and implemented to achieve business
and technical goals of a given organization. The philosophy INSA Interns adopts in the design of
network infrastructures follows the following three steps:
1. Set the Vision of the network design project

2. Develop a Framework the network design should follow
3. Develop a Model to design the network infrastructure
5.3.1 Vision
INSA Interns believes that any networking infrastructure has to be built to serve the information flow
requirement of an organization. That is the networks that are designed and deployed should be aware
of the information flow of the organization. INSA Interns has adopted the Intelligent Information
Network (IIN) technology as a vision for the networks it designs. This technology offers an
evolutionary approach that consists of three phases in which functionality can be added to the
infrastructure as required.
 Integrated transport: All traffic—data, voice, and video—consolidates onto an IP network

for secure network convergence. By integrating data, voice, and video transport into a single,
standards-based, modular network, organizations can simplify network management and
generate enterprise-wide efficiencies.
 Integrated services: After the network infrastructure has been converged, IT resources can be
pooled and shared or “virtualized” to flexibly address the changing needs of the organization.
Integrated services help unify common elements, such as storage and data center server
capacity. By extending virtualization capabilities to encompass server, storage, and network
elements, an organization can transparently use all its resources more efficiently.
 Integrated applications: With Application-Oriented Networking (AON) technology, this
phase focuses on making the network “application-aware” so that it can optimize application
performance and deliver networked applications to users more efficiently. In addition to
capabilities such as content caching, load balancing, and application-level security, AON
makes it possible for the network to simplify the application infrastructure by integrating
intelligent application message handling, optimization, and security into the existing network.
Using IIN helps organizations address new IT challenges, such as the deployment of service-oriented
architectures (SOA), Web services, and virtualization.
5.3.2 Framework
INSA Interns has adopted the Service-Oriented Network Architecture (SONA) framework to design
networks that are intelligent information Network. SONA is a framework that guides the evolution of
enterprise networks to an IIN. SONA provides the following advantages to enterprises:
 Outlines the path toward the IIN

 Illustrates how to build integrated systems across a fully converged IIN
 Improves flexibility and increases efficiency, which results in optimized applications,
processes, and resources
The adopted SONA framework shows how integrated systems can allow a dynamic, flexible
architecture, and provide for operational efficiency through standardization and virtualization. It
brings forth the notion that the network is the common element that connects and enables all
components of the IT infrastructure.
SONA outlines these three layers of the IIN:
 Network infrastructure layer: Interconnects all IT resources across a converged network

foundation. The IT resources include servers, storage, and clients. The network infrastructure
layer represents how these resources exist in different places in the network, including the
campus, branch, data center, WAN and Metropolitan Area Network (MAN), and teleworker.
The objective for customers in this layer is to have anywhere and anytime connectivity.
 Interactive services layer: Enables efficient allocation of resources to applications and
business processes that are delivered through the networked infrastructure. This layer
comprises these services:
o Voice and collaboration
o Mobility
o Security and identity
o Storage
o Computer
o Application networking
o Network infrastructure virtualization
o Services management
o Adaptive management
 Application layer: Includes business applications and collaboration applications. The
objective for customers in this layer is to meet business requirements and achieve efficiencies
by leveraging the interactive services layer.
Figure 2: SONA framework

5.3.1 Model
INSA Interns has adopted Enterprise Composite Network Model (ECNM) for the networks it
designs. This model is based on the hierarchical network model principles. ECNM can be used to
divide the enterprise network, the network infrastructure of SONA, into physical, logical, and
functional areas. These areas allow our network designers and engineers to associate specific network
functionality on equipment based upon its placement and function in the model.
The ECNM contains these three major functional areas:
 Enterprise campus: Contains the modules required to build a hierarchical, highly robust
campus network that offers performance, scalability, and availability. This area contains the
network elements required for independent operation within a single campus, such as access
from all locations to central servers. The functional area does not offer remote connections or
Internet access.
 Enterprise edge: Aggregates connectivity from the various resources external to the
enterprise network. As traffic comes into the campus, this area filters traffic from the external
resources and routes it into the enterprise campus functional area. It contains all the network
elements for efficient and secure communication between the enterprise campus and remote
locations, remote users, and the Internet. The enterprise edge would replace the Demilitarized
Zone (DMZ) of most networks.
 Service provider edge: Represents connections to resources external to the campus. This area
facilitates communication to WAN and Internet service provider (ISP) technologies.
The enterprise campus functional area includes the campus infrastructure, network management,
server farm, and edge distribution modules. Each module has a specific function within the campus
network:
 Campus infrastructure module: Includes building access and building distribution sub
modules. It connects users within the campus to the server farm and edge distribution
modules. The campus infrastructure module is composed of one or more floors or buildings
connected to the campus backbone sub module.
 Network management module: Performs system logging, authentication, network
monitoring, and general configuration management functions.
 Server farm module: Contains e-mail and corporate servers providing application, file, print,
e-mail, and Domain Name System (DNS) services to internal users.
 Edge distribution module: Aggregates the connectivity from the various elements at the
enterprise edge functional area and routes the traffic into the campus backbone sub module.
The campus infrastructure module connects users within a campus to the server farm and edge
distribution modules. The campus infrastructure module comprises building access and building
distribution switches connected through the campus backbone to campus resources.
A campus infrastructure module has three sub modules:
 Building access layer sub module: Contains end-user workstations, IP phones, and Layer 2
access switches that connect devices to the building distribution sub module. The building
access layer sub module performs services such as support for multiple VLANs, private
VLANs, and establishment of trunk links to the building distribution layer and IP phones.
Each building access switch has connections to redundant switches in the building distribution
sub module.
 Building distribution layer sub module: Provides aggregation of building access devices,
often using Layer 3 switching. The building distribution sub module performs routing, QoS,
and access control. Traffic generally flows through the building distribution switches and onto
the campus core or backbone. This sub module provides fast failure recovery because each
building distribution switch maintains two equal-cost paths in the routing table for every Layer
3 network number. Each building distribution switch has connections to redundant switches in
the core.
 Campus backbone (Core layer) sub module: Provides redundant and fast-converging
connectivity between buildings and the server farm and edge distribution modules. The
purpose of the campus backbone sub module is to switch traffic as fast as possible between
campus infrastructure sub modules and destination resources. Forwarding decisions should be
made at the ASIC level whenever possible. Routing, ACLs, and processor-based forwarding
decisions should be avoided at the core and implemented at building distribution devices
whenever possible. High-end Layer 2 or Layer 3 switches are used at the core for high
throughput, with optimal routing, QoS, and security capabilities available when needed.
Figure 3: Hierarchical LAN design Methodology
6. Devices, VLAN, IP addressing and Connectivity
Logical topology
The logical design for Vision 2000 utilizes the collapsed core model where the necessary
security and switching devices are also integrated. The main assumption taken here is that the
fact that the organization is research company which we based on the security requirements
(firewall), redundancy and speed.
INTERNET FROM
AD/CD Anti virus
Application
Server
DMZ Server
SERVER FARM
Internal Firewall
External Firewall
Web
Database
Server
Server
Collapsed Switch
Collapsed Switch
Access
Switch
Access
Switch
Access
Access Switch
Switch Access
Switch Access
Switch
Figure 4: Logical Design

IP Phone
Access Switches
DMZ Switches
Collapsed Cores Internet

External Firewall
Network Mgt
Mgt Switches
ISE ServerFarm Firewalls

Edge Router
ServerFarm Switches
VPN
Storage Area
Network
Catalyst 4948
Cisco 4500 series Switches Nexus 7000
Information Network Security Agency Switch
Description: DBE LAN Design

Cisco 2911 ISR Cisco 2960 series Switch
Router Identity Services Engine
Drawn By: Jemal Haji Approved by: Jemal Mohammed
Cisco ASA 5500-X with
Signature: Cisco 3650 series Fiber Cable
Firepower series firewall
Switch UTP Cable
Customer: Development Bank Of Ethiopia UTM Firewall Servers

Cisco 3945 ISR Router
Figure 4: Logical LAN Design of Vision 2000 HQ
Device Naming
Device naming refers to assigning a specific name to devices in a network. By choosing and
documenting names wisely, it is easier to remember and identify network devices during trouble
shooting and administration. If the hostname is not explicitly configured, the device uses the factory-
assigned default hostname. This would create considerable confusion during network configuration
and maintenance. Device naming is particularly very important when accessing a remote device using
Telnet or SSH, it is important to have confirmation that an attachment has been made to the proper
device .The following scheme shows the Naming technique that should be adopted for
 AAAAA_BBB_CCcc_RACrr_DDdd
Where AAAAA for company name
BBB is for branch name
CC is devise location
cc location index
DD device type
dd Device Identification No.
So the device type abbreviations used are
 FW- ASA 55xx FIREWALL
 CC - Collapsed core switch
 AS- Access switch
Head quarter device naming for collapsed switches looks as follows
VISON_HQ_FLGR_RAK_xx_CC01
VISON_HQ_FLGR_RAK_xx_CC02
VLAN Benefits
VLAN provides following advantages:-
 Solve broadcast problem
 Reduce the size of broadcast domains
 Allow us to add additional layer of security
 Make device management easier
 Allow us to implement the logical grouping of devices by function instead of location
6.3.1 Solve broadcast problem
When we connect devices into the switch ports, switch creates separate collision domain for each port
and single broadcast domain for all ports. Switch forwards a broadcast frame from all possible ports.
In a large network having hundreds of computers, it could create performance issue. Of course we
could use routers to solve broadcast problem, but that would be costly solution since each broadcast
domain requires its own port on router. Switch has a unique solution to broadcast issue known as
VLAN. In practical environment we use VLAN to solve broadcast issue instead of router. Each
VLAN has a separate broadcast domain. Logically VLANs are also subnets. Each VLAN requires a
unique network number known as VLAN ID. Devices with same VLAN ID are the members of same
broadcast domain and receive all broadcasts. These broadcasts are filtered from all ports on a switch
that aren’t members of the same VLAN.
6.3.2 Reduce the size of broadcast domains

VLAN increase the numbers of broadcast domain while reducing their size.
6.3.3 Allow us to add additional layer of security

VLANs enhance the network security. In a typical layer 2 network, all users can see all devices by
default. Any user can see network broadcast and responds to it. Users can access any network
resources located on that specific network. Users could join a workgroup by just attaching their
system in existing switch. This could create real trouble on security platform. Properly configured
VLANs gives us total control over each port and users. Vlans give us the capability to control the
users from gaining unwanted access over the resources. We can put the group of users that need high
level security into their own VLAN so that users outside from VLAN can’t communicate with them.
6.3.4 Make device management easier

Device management is easier with VLANs. Since VLANs are a logical approach, a device can
be located anywhere in the switched network and still belong to the same broadcast domain.
We can move a user from one switch to another switch in same network while keeping his
original VLAN.
6.3.5 Allow us to implement the logical grouping of devices by function

instead of location
VLANs allow us to group the users by their function instead of their geographic locations.
Switches maintain the integrity of your VLANs. Users will see only what they are supposed to
see regardless what their physical locations are.
Types of VLAN
Based on a specific function a VLAN performs or the type of network traffic they carry, VLANs are
classified as default, native, data, management, or voice VLANs.
6.4.1 Data VLAN

A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry
voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data
VLAN. A data VLAN is sometimes referred to as a user VLAN.
6.4.2 Default VLAN

All switch ports become a member of the default VLAN (VLAN 1 in Cisco switches) after the initial
boot up of the switch. Having all the switch ports participate in the default VLAN makes all of them
as part of the same broadcast domain. This allows any device connected to any switch port to
communicate with other devices on other switch ports. By default, Layer 2 control traffic, such as
CDP and spanning tree protocol traffic are associated with default VLAN.
6.4.3 Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming
from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged
traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. Native VLANs are set
out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic
common to legacy LAN scenarios.
Our native Vlan for instance is Vlan id 80
6.4.4 Management VLAN

A management VLAN is any VLAN you configure to access the management capabilities of a switch.
The management is assigned VLAN an IP address and subnet mask. A switch can be managed via
HTTP, Telnet, SSH, or SNMP.
6.4.5 Voice VLAN

To have assured bandwidth, transmission priority and less delay of Voice over IP, we need to have
this VLAN in the network.
VLAN Membership
VLAN membership can be assigned to a device by one of two methods
1. Static
2. Dynamic
These methods decide how a switch will associate its ports with VLANs.
6.5.1 Static
Assigning VLANs statically is the most common and secure method. It is pretty easy to set up and
supervise. In this method we manually assign VLAN to switch port. VLANs configured in this way
are usually known as port-based VLANs.
Static method is the most secure method also. As any switch port that we have assigned a VLAN will
keep this association always unless we manually change it. It works really well in a networking
environment where any user movement within the network needs to be controlled.
6.5.2 Dynamic
In dynamic method, VLANs are assigned to port automatically depending on the connected device. In
this method we have configure one switch from network as a server. Server contains device specific
information like MAC address, IP address etc. This information is mapped with VLAN. Switch acting
as server is known as VMPS (VLAN Membership Policy Server). Only high end switch can
configured as VMPS. Low end switch works as client and retrieve VLAN information from VMPS.
Dynamic VLANs supports plug and play movability.
VLAN Design
Taking the above concepts and requirements of the design we have come up with the following design
scheme.
VLAN ID
VLAN Name VLAN Description
Management Network Devices Management 90
Native Vlan Vlan for untagged frame 80
DMZ Demilitarized Zone 70
Server Farm Servers Farm 60
Point to point Point to point connection 50
Vlan10 ICT 10
Vlan20 RESARCH 20
Vlan30 30
Vlan40 Finance and HR 40
Table 1: VLAN design

IP Addressing
An IP address is designed to allow one network device to communicate with another via the Internet
protocol. IP addresses allow to identify the network device in a LAN.
IP stands for Internet Protocol, so an IP address is an Internet Protocol address. An Internet
Protocol is a set of rules that govern Internet activity and facilitate completion of a variety of actions
on the World Wide Web. Therefore, an Internet Protocol address is part of the systematically laid out
interconnected grid that governs online communication by identifying both initiating devices and
various Internet destinations, thereby making two-way communication possible. An IP address
consists of four octets, each of which contains one to three digits, with a single dot (.) separating each
number or set of digits. Each of the four numbers can range from 0 to 255. IP addresses can be
assigned to a device either static or dynamic.
Vision 2000 center IP allocation is done based on the Hierarchical network addressing principle.
Hierarchical network addressing means that IP network numbers are applied to the network segments
or VLANs in an orderly fashion that takes the network as a whole into consideration. Blocks of
contiguous network addresses are reserved for, and configured on, devices in a specific area of the
network.
Some benefits of hierarchical addressing are:
 Ease of management and troubleshooting: Hierarchical addressing groups’ network

addresses contiguously. Network management and troubleshooting are more efficient,
because a hierarchical IP addressing scheme makes problem components easier to locate.
 Minimized errors: Orderly network address assignment can minimize errors and duplicate
address assignments.
 Reduced number of routing table entries: In a hierarchical addressing plan, routing

protocols are able to perform route summarization, which allows a single routing table entry
to represent a collection of IP network numbers. Route summarization makes routing table
entries more manageable and provides the following benefits:
o Reduced number of CPU cycles when recalculating a routing table or sorting through
the routing table entries to find a match
o Reduced router memory requirements
o Faster convergence after a change in the network
o Easier troubleshooting
VLAN IP Addressing
VLAN ID VLAN Description Network Reserved IP Address Subnet Mask

05 ICT 192.168.05.0 192.168.05.1 – 192.168.05.15 255.255.255.0
10 RMPT 192.168.10.0 192.168.10.1 - 192.168.10.15 255.255.255.0
15 192.168.15.0 192.168.15.1 - 192.168.15.15 255.255.255.0
20 Finance and HR 192.168.20.0 192.168.20.1 - 192.168.20.15 255.255.255.0
60 Point-to-point 192.168.60.0 255.255.255.0
65 Servers Farm 192.168.65.0 255.255.255.0

99 Native Vlan 192.168.99.0 255.255.255.0
130 Demilitarized Zone 192.168.130.0 255.255.255.0
100 Network Management 192.168.100.0 255.255.255.0
Table 2: IP addressing design
Management VLAN
Management VLAN
VISION2000_FLRGR_CC01 192.168.100.2 255.255.255.0
VISION2000_FLRGR_CC02 192.168.100.3 255.255.255.0
VISION2000_FLRGR_SF01 192.168.100.3 255.255.255.0
VISION2000_FLRGR_DMZ01 192.168.100.5 255.255.255.0
VISION2000_FLR07_AS01 192.168.100.4 255.255.255.0
VISION2000_FLR07_AS02 192.168.100.5 255.255.255.0
VISION2000_FLR07_AS03 192.168.100.6 255.255.255.0
VISION2000_FLR07_AS04 192.168.100.6 255.255.255.0
VISION2000_FLR11_AS05 192.168.100.7 255.255.255.0
VISION2000_FLR11_AS06 192.168.100.8 255.255.255.0
Table 3: Management IP addressing design for Vision 2000
Point to point connection IP addressing
Collapsed Core Switch and Firewall
Subnet Local Local Interface Local IP Peer Peer Interface Peer IP Address
Device Address Device
192.168.60.0/30 CC01 VISION2000_F 192.168.60.1 EF01 VISION2000_FL 192.168.60.2
LRGR_CC01 RGR_FW01__Gig0/
_Gig0/1 0
192.168.60.4/30 CC02 VISION2000_F 192.168.60.5 EF01 VISION2000_FL 192.168.60.6
LRGR_CC02_Gig RGR_FW02__Gig0/
0/1 0
192.168.60.8/30 CC01 VISION2000_F 192.168.60.9 IF01 VISION2000_FL 192.168.60.10

LRGR_CC01 RGR_FW02__Gig0/
_Gig0/2 1
192.168.60.12/30 CC02 VISION2000_F 192.168.60.13 IF01 VISION2000_FL 192.168.60.14
LRGR_CC02_Gig RGR_FW01__Gig0/
0/2 1
Firewall, Server Farm and DMZ Switch
Subnet Local Local Interface Local IP Peer Peer Interface Peer IP Address
Device Address Device
192.168.60.16/30 EF01 VISION2000_F 192.168.60.17 DMZ01 VISION2000_FL 192.168.60.18
LRGR_FW01__Gi RGR_DMZ01_Gig0
g0/2 /1
192.168.65.0/24 IF01 VISION2000_F 192.168.65.1 SF01 VISION2000_FL
LRGR_FW02__Gi RGR_SF01_Gig0/1
g0/2
Table 4: MT site Point to Point IP addressing design
Hardware Overview
Cisco Catalyst 2960 Series Switches
The Cisco Catalyst 2960 Series Switch is one of the leading Layer 2 edge, providing improved ease of
use, highly secure business operations, improved sustainability, and a borderless network experience.
The Cisco Catalyst 2960 Series Switch is a fixed-configuration access switch designed for branch
office network to provide lower total cost of ownership.
Cisco WS-C2960-48TC-L Switch Front Panel

• 48 Ethernet 10/100 ports and 2 dual-purpose uplinks (each dual-purpose uplink port has 1
10/100/1000 Ethernet port and 1 SFP-based Gigabit Ethernet port, 1 port active)
• 1 RU fixed-configuration
• LAN Base image
1 10/100 ports 2 Dual-purpose ports
The Cisco Catalyst 3850 Series is the next generation of enterprise-class stackable Ethernet and
Multi-gigabit Ethernet access and aggregation layer switches that provide full convergence between
wired and wireless on a single platform. The Cisco Catalyst 3850 Series Switches support full IEEE
802.3 at Power over Ethernet Plus (PoE+), Cisco Universal Power over Ethernet (Cisco UPOE),
modular and field-replaceable network modules, RJ45 and fiber-based downlink interfaces, and
redundant fans and power supplies. With speeds that reach 10Gbps, the Cisco Catalyst 3850 Multi-
gigabit Ethernet Switches support current and next-generation wireless speeds and standards on
existing cabling infrastructure.
WS-C3850-24T-S Switch Front Panel
 24 10/100/1000 Ethernet ports
 350WAC power supply1 RU
 IP Base feature set
STAT DUPLX SPEED STACK PoE
Catalyst 3850 24 PoE+
SYST ACTV XPS S-PWR CONSOLE
MODE
NETWORK MODULE C3850-NM-2-10G
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3
1 2
1 10/100/1000 ports 2 Dual-purpose ports
The Cisco Catalyst 3560 v2 Series are next-generation, energy-efficient, Layer 3 Fast Ethernet
switches. These new switches support Cisco EnergyWise technology, which helps companies
manage power consumption of the network infrastructure and network-attached devices,
thereby reducing their energy costs and their carbon footprint.
The new switches consume less power than their predecessors and are ideal access layer
switches for enterprise, retail, and branch-office environments. They help you maximize
productivity and provide investment protection by enabling a unified network for data, voice,
and video.
WS-C3560G-24TS-E Switch Front Panel

 IP Base software (includes advanced quality of service (QoS), rate limiting, access
control lists (ACLs), Open Shortest Path First (OSPF) for routed access, and IPv6
functionality.)
 IP Services software provides a broader set of enterprise-class features
Catalyst 3560 SERIES PoE-24

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
1X 11X 13X 23X
SYST
RPS
STAT
DUPLX
SPEED 1 2
POE
2X 12X 14X 24X
MODE
2
1
The Cisco Catalyst 3650 Series is the next generation of enterprise-class standalone and
stackable access-layer switches that provide the foundation for full convergence between
wired and wireless on a single platform.
WS-C3650-24TS-E Switch Front Panel
 24 10/100/1000 Ethernet ports
 4x1G Uplink ports
 1 RU
 IP Services feature set
S TAT DUPL X S PE ED S TACK P oE
S YS T ACTV CONSO LE
MO DE
Catalyst 3650 24 PoE+ 2X10G
1 2
1 10/100/1000 ports 2 4x1G Uplink ports
Cisco ASA with FirePOWER Services
Cisco ASA with FirePOWER Services brings distinctive threat-focused next-generation security
services. It provides comprehensive protection from known and advanced threats, including
protection against targeted and persistent malware attacks. Cisco ASA is the world’s most widely
deployed, enterprise-class firewall.
Some features and benefits of Cisco ASA with FirePOWER Services:
 Advanced malware protection
 Application control and URL filtering
 Remote Access VPN
 Site-to-site VPN
 Enterprise-class management
ASA5525-X with FirePOWER Services

 8 GE(Gigabit Interface)
 3DES/AES encryption
100-240V~, 4.85A MAX, 50/60Hz
MGMT
7 5 3 1
CONSOLE
ER
E
M
TIV
T
AR
W
6 4 2 0
BO
AC
HD
PO
AL
VP
SPD LNK LNK SPD LNK SPD LNK SPD LNK SPD
1 2
1 Console Port 2 8 GE( Gigabit Interface)
Cisco ASA 5510 Adaptive Security Appliance

100-240V ~ 2.5A – 50-60Hz
MGMT
CONSOLE
USB2 USB1
FLASH
O
I
AUX
S
ER
SH
RESET
TU
TIV
LNK SPD LNK SPD LNK SPD LNK SPD

W
VP
A
A
CISCO ASA 5510 SERIES

C
PO
FL
ST
3 2 1 0
A
2 1
1 GE( Gigabit Interface) 2 Console Port

Rack Layout Design

42 U
Cisco
ASA 5525-X
BOOT ALARM
Adaptive
ACTIVE VPN Security
Appliance
PS HD
CISCO ASA 5510 SERIES
Adaptive Security Appliance
POWER STATUS ACTIVE VPN FLASH

MODE
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3

MODE
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3
S TAT DUPL X S PE ED S TACK
MO DE
Catalyst 3650 24 2X10G

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
1X 11X 13X 23X
SYST
RPS
STAT
DUPLX
SPEED 1 2
POE
2X 12X 14X 24X
MODE
3 4
1 5
ST
2 6
1000=ORG
PORT 0
PORT 1
100=GRN
10=OFF
Gb 1 Gb 2 Gb 3 Gb 4
2 4
3 4
1 5
ST
2 6
1000=ORG
PORT 0
PORT 1
100=GRN
10=OFF
Gb 1 Gb 2 Gb 3 Gb 4
2 4
Figure 5: Rack Layout Design
Hardware Physical Connectivity
In the hardware Physical connectivity the name Gig 3/2 stands for:
 Gig represents the Interface is Gigabit Ethernet Interface
 3 represents the interface slot number
 2 represents the Interface port number
Gi1/1/22 CC02
EF01 G0/2 STAT DUPLX SPEED STACK PoE
100-240V~, 4.85A MAX, 50/60Hz MODE
MGMT
7 5 3 1
CONSOLE
ER
VE
RM
TI
W
O
ALA
6 4 2 0
BO
AC
HD
PO
VP
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3

Gi0/3 Gi0/1
CC01
MODE
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3
Gi1/1/22
S TAT DUPL X S PE ED S TACK P oE
MO DE
DMZ01 Catalyst 3650 24 PoE+ 2X10G
Gig1/0/24
Connection between EF01, Collapsed Core, and DMZ Switch
Gig1/1/21
MODE
Gig0/1 01X 12X 13X 24X
CC01
100-240V~, 4.85A MAX, 50/60Hz
MGMT
7 5 3 1
CONSOLE
ER
E
M
TIV
OT
AR
W
6 4 2 0
BO
AC
HD
PO
AL
VP
IF01 Gig0/2 Gig0/0
Gig1/1/21
MODE
01X 12X 13X 24X

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
1X 11X 13X 23X
SYST
CC02
RPS
STAT
DUPLX
SPEED 1 2
POE
2X 12X 14X 24X
MODE
SF01
Connection between IF01, Collapsed Core, and Server Farm Switch
Gig1/0/23 Gig1/0/23 CC02

CC01
Catalyst 3850 24 PoE+ STAT DUPLX SPEED STACK PoE
SYST ACTV XPS S-PWR CONSOLE SYST ACTV XPS S-PWR CONSOLE
MODE
MODE
NETWORK MODULE C3850-NM-2-10G NETWORK MODULE C3850-NM-2-10G
01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3 01X 12X 13X 24X G1 G2 G3 TE3 G4 TE3
Gig1/0/24 Gig1/0/24
Connection between CC01 and CC02

Gig1/1/5
Gig1/1/3

CC01
MODE
01X 12X 13X 24X
Gig1/1/6
Gig1/1/1
Gig1/1/2 Gig1/1/4
Gig0/1 Gig0/1 Gig0/1 Gig0/1

Gig0/1 Gig0/1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
Catalyst 2960 Plus Series 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
Catalyst 2960 Plus Series
SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X
RPS RPS RPS RPS RPS RPS
STAT STAT STAT STAT STAT STAT
DPLX DPLX DPLX DPLX DPLX DPLX
SPEED SPEED SPEED SPEED SPEED SPEED
1 2 1 2 1 2 1 2 1 2 1 2
2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X
MODE MODE MODE MODE MODE MODE
AS01 AS02 AS03 AS04 AS05 AS06
Connection between CC01 and Access Switches

Gig1/1/5
Gig1/1/3

CC02
MODE
01X 12X 13X 24X
Gig1/1/6
Gig1/1/1
Gig1/1/2 Gig1/1/4
Gig0/2 Gig0/2 Gig0/2

Gig0/2 Gig0/2 Gig0/2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
Catalyst 2960 Plus Series
SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X SYST 1X 11X 13X 23X 25X 35X 37X 47X
RPS RPS RPS RPS RPS RPS
STAT STAT STAT STAT STAT STAT
DPLX DPLX DPLX DPLX DPLX DPLX
SPEED SPEED SPEED SPEED SPEED SPEED
1 2 1 2 1 2 1 2 1 2 1 2
2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X 2X 12X 14X 24X 26X 36X 38X 48X
MODE MODE MODE MODE MODE MODE
AS01 AS02 AS03 AS04 AS05 AS06
Connection between CC02 and Access Switches
Device Connectivity Labeling

The Labeling design for each device in each of the Vision 2000 Network infrastructure is done based
on the device naming convention. This labeling convention makes troubleshooting easy and user
friendly. The following table shows the labeling format between Devices in Vision 2000 network .
Collapsed Core One Collapsed Core Two
CHSA_ FLRGR _CC01_Gig1/1/23 CHSA_ FLRGR _CC02_Gig1/1/23

CHSA_ FLRGR _CC01_Gig1/1/24 CHSA_ FLRGR _CC02_Gig1/1/24
Collapsed Core One Internal Firewall One
CHSA_ FLRGR _CC01_Gig1/1/21 CHSA_ FLRGR _IF01_Gig0/1

Collapsed Core Two Internal Firewall One
VISION2000_ FLRGR _CC02_Gig1/1/21 VISION2000_ FLRGR _IF01_Gig0/2

Collapsed Core One External Firewall One
VISION2000_ FLRGR _CC01_Gig1/1/22 VISION2000_ FLRGR _EF01_Gig0/1

Collapsed Core two External Firewall One
VISION2000_ FLRGR _CC02_Gig1/1/22 VISION2000_ FLRGR _EF01_Gig0/2

Server Farm Switch One Internal Firewall One
VISION2000_ FLRGR _SF01_Gig1/0/24 VISION2000_ FLRGR _IF01Gig 0/0

DMZ switch One External Firewall
VISION2000_ FLRGR __DM01_Gig1/0/24 VISION2000_ FLRGR __EF01_Gig 0/3

ETC External Firewall One
VISION2000_ FLRGR __ET01_Gig 0/1 VISION2000_ FLRGR __EF01_Gig 0/0
Physical LAN Design

Physical LAN Design for Vision 2000 site
Often there are many network administrators working at different times of the day. Having only
a few switches that are physically able to maintain VLAN configurations makes it easier to
control VLAN upgrades and to track which network administrators performed.
For large networks, having client switches is also more cost-effective. By default, all switches
are configured to be VTP servers. This configuration is suitable for small scale networks in
which the size of the VLAN information is small and the information is easily stored in NVRAM
on the switches. In a large network of many hundreds of switches, the network administrator
must decide if the cost of purchasing switches with enough NVRAM to store the duplicate VLAN
information is too much. A cost-conscious network administrator could choose to configure a
few well-equipped switches as VTP servers, and then use switches with less memory as VTP
clients.
 Transparent Mode:
Switches configured in transparent mode forward VTP advertisements that they receive on
trunk ports to other switches in the network. VTP transparent mode switches do not advertise
their VLAN configuration and do not synchronize their VLAN configuration with any other
switch. Configure a switch in VTP transparent mode when you have VLAN configurations that
have local significance and should not be shared with the rest of the network.
In transparent mode, VLAN configurations are saved in NVRAM (but not advertised to other
switches), so the configuration is available after a switch reload. This means that when a VTP
transparent mode switch reboots, it does not revert to a default VTP server mode, but remains
in VTP transparent mode.
VTP Pruning
VTP pruning prevents unnecessary flooding of broadcast information from one VLAN across all
trunks in a VTP domain. VTP pruning permits switches to negotiate which VLANs are assigned to
ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the
remote switch. Pruning is disabled by default. VTP pruning is enabled using the VTP pruning global
configuration command. It is needed to be enabled on only VTP server switch in the domain.
VTP configuration
Before adding a VTP client or server to a VTP domain, it’s always important to verify that its VTP
configuration revision number is lower than the configuration revision number of the other switches
in the VTP domain.
 On the VTP Server
o Confirm default settings
o Configure 2 switches as VTP servers
o Configure the VTP domain on the first switch in the network
o Ensure all switches are in the same VTP protocol version mode
o Configure VLANs and trunk ports
 On the VTP Client
o Confirm default settings
o Configure VTP client mode
o Configure trunks
o Connect to VTP server
o Verify VTP status
o Configure access ports
VTP plan for Vision 2000

 Access and collapsed switch will be in the same domain with the domain name of Vision 2000
and password of vision2000@pass
 The access switches are in Client mode and Collapsed Core switches in Server mode
 VTP version 2 is selected since it supports consistency check and does not check version
information if in transparent mode as compared to version 1. And upgraded features in version
3 are not as such needed in Vision 2000 network.
 VTP pruning is enabled on collapsed switches (VTP servers) to protect broadcasting floods
from one VLAN.
VTP configuration on Collapsed Core1(VISION2000_FLRGR_CC01)
VISION2000_FLRGR_CC01 (config)# vtp domain Vision 2000

VISION2000_FLRGR_CC01 (config)# vtp mode server
VISION2000_FLRGR_CC01 (config)# vtp password vision2000@pass
VISION2000_FLRGR_CC01 (config)# vtp version 2
VTP configuration on Collapsed Core2(VISION2000_FLRGR_CC02)
VISION2000_FLRGR_CC02 (config)# vtp domain Vision 2000

VISION2000_FLRGR_CC02 (config)# vtp mode server
VISION2000_FLRGR_CC02 (config)# vtp password vision2000@pass
VISION2000_FLRGR_CC02 (config)# vtp version 2
VTP configuration on Access Switch 1(VISION2000_FLR07_AS01)
VISION2000_FLR07_AS01(config)# vtp domain Vision 2000

VISION2000_FLR07_AS01(config)# vtp mode client
VISION2000_FLR07_AS01(config)# vtp password vision2000@pass
VTP configuration on Access Switch 2(VISION2000_FLR07_AS02)
VISION2000_FLR07_AS02(config)# vtp domain Vision 2000

VISION2000_FLR07_AS02(config)# vtp mode client
VISION2000_FLR07_AS02(config)# vtp password vision2000@pass
VTP configuration on DMZ Switch(VISION2000_FLR07_DM01)

VISION2000_FLR07_DM01(config)# vtp domain Vision 2000
VISION2000_FLR07_DM01(config)# vtp mode Transparent
VISION2000_FLR07_DM01(config)# vtp password vision2000@pass
VTP configuration on Server Farm Switch(VISION2000_FLR07_SF01)

VISION2000_FLR07_SF01(config)# vtp domain Vision 2000
VISION2000_FLR07_SF01(config)# vtp mode Transparent
VISION2000_FLR07_SF01(config)# vtp password vision2000@pass
Vlan configuration
VISION2000_FLRGR_CC01 (config)# vlan 05
VISION2000_FLRGR_CC01 (config-if)#name ICT
VISION2000_FLRGR_CC01 (config-if)#name RMPT
VISION2000_FLRGR_CC01 (config-if)#name CC
VISION2000_FLRGR_CC01 (config-if)#name FINANCE AND HR
VISION2000_FLRGR_CC01 (config-if)#name native vlan

VISION2000_FLRGR_CC02 (config-if)#name ICT
VISION2000_FLRGR_CC02 (config-if)#name RMPT
VISION2000_FLRGR_CC02 (config-if)#name CC
VISION2000_FLRGR_CC02 (config-if)#name FINANCE AND HR
VISION2000_FLRGR_CC02 (config-if)#name native vlan
VISION2000_FLR07_SF01 (config)# vlan 65

VISION2000_FLR07_SF01 (config-if)#name SF
VISION2000_FLR07_SF01 (config)# vlan 130
VISION2000_FLR07_SF01 (config-if)#name WEB
Vlan Assignment configuration for Access switch 1

VISION2000_FLR07_AS01 (config)# interface range
VISION2000_FLR07_AS01 (config)# switch mode access
VISION2000_FLR07_AS01 (config)#switch port nonegotiate
VISION2000_FLR07_AS01 (config)# switch port access vlan XX
Vlan Assignment configuration for Access switch 2

VISION2000_FLR07_AS02 (config)# interface range
VISION2000_FLR07_AS02 (config)# switch mode access
VISION2000_FLR07_AS02 (config)#switch port nonegotiate
VISION2000_FLR07_AS02 (config)# switch port access vlan XX
Switch VLAN Interface (SVI) configuration

A switch virtual interface (SVI) is a logical interface used to assign a layer 3 address to VLAN as the
VLAN does not have a physical Interface. The SVI for the VLAN provides Layer 3 processing for
packets from all switch ports associated with that VLAN. The Layer 3 address configured becomes
the default gateway for any hosts that are connected to the interface or VLAN. The hosts will use the
Layer 3 interface to communicate outside of their local broadcast domains. There is one-to-one
mapping between a VLAN and SVI; only a single SVI can be mapped to a VLAN. GLBP, which will
be configured on the Collapsed Core switches, also uses a virtual IP address to function.
Switch VLAN Interface is configured for the following reasons:
 To provide a default gateway for a VLAN so that traffic can be routed between VLANs
 To provide Layer 3 IP connectivity to the switch
 To support routing
 protocol and bridging configurations
In Vision 2000 network design, IP address is assigned to each VLAN SVIs to route traffic off and on
to the local VLANs. The following tables will show the IP plan for the SVI and VRRP virtual
interfaces.
SVI Configuration on Collapsed Core Switch 1 (VISION2000_FLRGR_CC01)

VISION2000_FLRGR_CC01(config)# interface vlan05
VISION2000_FLRGR_CC01(config-if)#ip address 192.168.05.2 255.255.255.0
VISION2000_FLRGR_CC01(config-if)#no shut
VISION2000_FLRGR_CC01(config-if)#exit





VISION2000_FLRGR_CC01(config)# interface vlan 99

SVI Configuration on Collapsed Core Switch 2 (VISION2000_FLRGR_CC02)





VISION2000_FLRGR_CC02(config)# interface vlan 100


SVI Configuration on DMZ switch (VISION2000_FLR07_DM01)
VISION2000_FLR07_DM01(config)# interface vlan 130

VISION2000_FLR07_DM01 (config-if)#ip address 192.168.130.1 255.255.255.0
VISION2000_FLR07_DM01 (config-if)#no shut
Switch Port Configuration

A port on a switch needs to be configured with duplex settings that match the media type. The Cisco
Catalyst switches have three settings:
 The auto option sets auto negotiation of duplex mode. With auto negotiation enabled, the two
ports communicate to decide the best mode of operation.
 The full option sets full-duplex mode.
 The half option sets half-duplex mode.
For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is
full. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100
Mb/s, but when set to 1,000 Mb/s, they operate only in full-duplex mode.
The duplex mode and speed of switch ports can manually be set to avoid inter-vendor issues with
auto negotiation. But when auto negotiation fails, the Catalyst switch sets the corresponding switch
port to half-duplex mode. This type of failure happens when an attached device does not support auto
negotiation.
Depending on the performance requirements for the network, Port speed is also needed between Fast
Ethernet and Gigabit Ethernet switch ports. Fast Ethernet allows up to 100 Mb/s of traffic per switch
port. Fast Ethernet is adequate for IP telephony and data traffic on most business networks, however,
performance is slower than Gigabit Ethernet ports. Gigabit Ethernet allows up to 1000 Mb/s of traffic
per switch port.
Ports are again assigned for VLAN membership depending on the VLANs assumed for their
distribution. This configuration includes only Access switches since they are in VTP client mode.
Selecting and Identifying Ports to Configure

In the network of vision 2000 all ports on switches that are assigned for horizontal links are
configured with auto for port speed and duplex since the directly connected devices may or may not
be Cisco products. This is done to keep the interoperability between devices as auto negotiation
adjusts to the appropriate settings.
On the other hand, the ports determined for vertical links are configured with full duplex since they
communicate only between cisco products. The speed of the ports is made to be auto as no specialty
needed for it.
The Assignation of ports for their VLAN membership is made on all ports of access switches based
on specific VLANs.
Port speed
Port speed is configured in either auto or numbered as 10, 100, 1000 to determine the speed of
the specific port. In Vision 2000 Network, the following configuration is made for each level
switch. All switches in the network are to be configured with auto just to use the default port
speed and keep interoperability between devices.
Port speed Switch port Configuration

Configuration on Access Switch CHSA_FLR07_AS01
CHSA_FLR07_AS01#configure terminal
CHSA_FLR07_AS01(config)# interface range fast Ethernet 0/1-24
CHSA_FLR07_AS01(config-if)# speed auto
CHSA_FLR07_AS01(config-if)# end
Port Duplex mode

There are two types of duplex settings used for communications on an Ethernet network: half duplex
and full duplex.
Half Duplex: Half-duplex communication relies on unidirectional data flow where sending and
receiving data are not performed at the same time. Half-duplex communications have performance
issues due to the constant waiting, because data can only flow in one direction at a time. Half-duplex
connections are typically seen in older hardware, such as hubs. Nodes that are attached to hubs that
share their connection to a switch port must operate in half-duplex mode because the end computers
must be able to detect collisions. Nodes can operate in a half-duplex mode if the NIC card cannot be
configured for full duplex operations. In this case the port on the switch will be in default to a half-
duplex mode as well. Because of these limitations, full-duplex communication has replaced half
duplex in more current hardware.
Full Duplex: In full-duplex communication, data flow is bidirectional, so data can be sent and
received at the same time. The bidirectional support enhances performance by reducing the wait time
between transmissions. Most Ethernet, Fast Ethernet, and Gigabit Ethernet NICs sold today offer full-
duplex capability. In full-duplex mode, the collision detect circuit is disabled. Frames sent by the two
connected end nodes cannot collide because the end nodes use two separate circuits in the network
cable. Each full-duplex connection uses only one port. Full-duplex connections require a switch that
supports full duplex or a direct connection between two nodes that each support full duplex. Nodes
that are directly attached to a dedicated switch port with NICs that support full duplex should be
connected to switch ports that are configured to operate in full-duplex mode.
Duplex mode Switch port Configuration
Configuration on Access Switch CHSA_FLR07_AS01

VISION2000_FLR07_AS01#configure terminal
VISION2000_FLR07_AS01(config) # interface range fastethernet 0/1–24, gig0/1-2
VISION2000_FLR07_AS01(config-if) # duplex auto
VISION2000_FLR07_AS01(config-if) #end
VISION2000_FLR07_AS01#wr
Configuration on Collapsed core CHSA_FLRGR_CC02

VISION2000_FLRGR_CC01#configure terminal
VISION2000_FLRGR_CC01#(config)# interface range gigabitethernet 0/1–22, gig0/1-2
VISION2000_FLRGR_CC01#(config-if)# duplex auto
VISION2000_FLRGR_CC01#(config-if)#end
VISION2000_FLRGR_CC01#wr
VISION2000_FLRGR_CC02#(config)# interface range gigabitethernet 0/1–22, gig0/1-2
VISION2000_FLRGR_CC2#(config-if)# duplex auto
VISION2000_FLRGR_CC02#(config-if)# end
Trunk
A trunk is a point-to-point link between two network devices that carries more than one VLAN. A
trunk allows the VLANs to be extended across an entire network. A VLAN trunk does not belong to a
specific VLAN; rather it is a conduit for VLANs between switches and routers.
Trunking design considerations

During the design consideration of Trunks, the ports that participate in trunking take part for the
whole processes. Although a Cisco switch can be configured to support two types of trunk ports,
IEEE 802.1Q and ISL, today only 802.1Q is used. However, legacy networks may still use ISL, and it
is useful to learn about each type of trunk port.
 An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q
trunk port is assigned a default PVID, and all untagged traffic travels on the port default
PVID. All untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to
the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is
sent untagged. All other traffic is sent with a VLAN tag.
 In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header,
and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received
from an ISL trunk port are dropped. ISL is no longer a recommended trunk port mode, and it
is not supported on a number of Cisco switches.
Native VLANs and 802.1Q Trunking

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming
from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged
traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. A native VLAN serves as
a common identifier on opposing ends of a trunk link.
Tagged Frames on the Native VLAN

If an 802.1Q trunk port receives a tagged frame (frames coming from VLANs) on the native
VLAN, it drops the frame. Consequently, when configuring a switch port on a Cisco switch,
you need to identify these devices and configure them so that they do not send tagged frames
on the native VLAN.
Untagged Frames on the Native VLAN

When a Cisco switch trunk port receives untagged frames (frames that do not come from any
VLAN) it forwards those frames to the native VLAN. When you configure an 802.1Q trunk
port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All
untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value.
DTP
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other
vendors do not support DTP. DTP is automatically enabled on a switch port when certain
trunking modes are configured on the switch port.
DTP manages trunk negotiation only if the port on the other switch is configured in a trunk
mode that supports DTP. DTP supports both ISL and 802.1Q trunks.
Trunking Modes
A switch port on a Cisco switch supports a number of truking modes. The trunking mode
defines how the port negotiates using DTP to set up a trunk link with its peer port.
The switch port periodically sends DTP frames, called advertisements, to the remote port. The
command used is switchport mode trunk. The local switch port advertises to the remote port
that it is dynamically changing to a trunking state. The local port then, regardless of what DTP
information the remote port sends as a response to the advertisement, changes to a trunking
state. The local port is considered to be in an unconditional (always on) trunking state.
Dynamic auto
The switch port periodically sends DTP frames to the remote port. The command used is
switch port mode dynamic auto. The local switch port advertises to the remote switch port that
it is able to trunk but does not request to go to the trunking state. After a DTP negotiation, the
local port ends up in trunking state only if the remote port trunk mode has been configured to
be on or desirable. If both ports on the switches are set to auto, they do not negotiate to be in a
trunking state. They negotiate to be in the access (non-trunk) mode state.
Dynamic desirable
DTP frames are sent periodically to the remote port. The command used is switch port mode
dynamic desirable. The local switch port advertises to the remote switch port that it is able to
trunk and asks the remote switch port to go to the trunking state. If the local port detects that
the remote has been configured in on, desirable, or auto mode, the local port ends up in
trunking state. If the remote switch port is in the no negotiate mode, the local switch port
remains as a non-trunking port.
Turn off DTP

DTP can be turned off for the trunk so that the local port does not send out DTP frames to the
remote port. The command switch port no negotiate is used. The local port is then
considered to be in an unconditional trunking state. This feature is used when a trunk with a
switch from another switch vendor is needed to be configured.
The VLANs in Vision 2000 configured on all access switches pass through the collapsed
switches. Since the collapsed switches take many tagged frames from these access switches and
pass to the router, they need to be trunked. We decided to use native VLAN because untagged
frames increase packet overhead and process time in the absence of Native VLAN.
Trunk configuration
VISION2000_FLRGR_CC01configure terminal
VISION2000_FLRGR_CC01#(config)# interface gigabitethernet 1/1
VISION2000_FLRGR_CC01#(config-if)# Switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC01#(config-if)# switchport mode trunk
VISION2000_FLRGR_CC01#(config-if)#switchport nonegotiate
VISION2000_FLRGR_CC01#(config-if)#switchport trunk allowed vlan 05,100

VISION2000_FLRGR_CC01config-if)# switchport mode trunk
VISION2000_FLRGR_CC01config-if)#switchport nonegotiate
VISION2000_FLRGR_CC02config-if)# Switchport trunk encapsulation dot1q
VISION2000_FLRGR_CC02config-if)#switchport trunk allowed vlan 20,100
VISION2000_FLR07_AS01#(config)# interface gigabitethernet 1/1,gig1/2
VISION2000_FLR07_AS01#(config-if)# Switchport trunk encapsulation dot1q
VISION2000_FLR07_AS01#(config-if)# switchport mode trunk
VISION2000_FLR07_AS01#(config-if)#switchport nonegotiate
VISION2000_FLR07_AS01#(config-if)#switchport trunk allowed vlan 5,100
VISION2000_FLR07_AS01#wr
Switches Port Description Configuration

VISION2000_FLRGR_CC01#interface gig1/23
VISION2000_FLRGR_CC01#description link_CC01_TO_CC02
VISION2000_FLRGR_CC01#description link_CC01_TO_EF01
VISION2000_FLRGR_CC01#description link_CC01_TO_IF01
VISION2000_FLRGR_CC02#description link_CC01_TO_EF01
VISION2000FLRGR_CC02#configure terminal
VISION2000_FLRGR_CC02#description link_CC01_TO_IF01
VISION2000_FLRGR_EF01#interface gig0/0
VISION2000_FLRGR_EF01#description link_EF01_TO_ISP
VISION2000_FLRGR_EF01#description link_EF01_TO_CC01
VISION2000_FLRGR_EF01#description link_EF01_TO_CC02
VISION2000_FLRGR_EF01#description link_EF01_TO_DMZ01
VISION2000_FLRGR_IF01#interface gig0/1
VISION2000_FLRGR_IF01#description link_IF01_TO_CC01
VISION2000_FLRGR_IF01#description link_IF01_TO_CC02
VISION2000_FLRGR_IF01#description link_EF01_TO_SF01
Switch Link Aggregation

LAG and EtherChannel
Link Aggregation, or LAG for short is bundling of physical ports into a single logical link to provide
high aggregate bandwidth and fault tolerance for inter-switch connectivity. EtherChannel is the Cisco
term for the LAG. This technology enables the bonding of up to eight physical Ethernet links into a
single logical link. EtherChannel is a technology that was originally developed by Cisco as a LAN
switch-to-switch technique of inverse multiplexing of multiple Fast or Gigabit Ethernet switch ports
into one logical channel. With EtherChannel, the single logical link’s speed is equal to the aggregate
of the speeds of all the physical links used. For example, if you were to create an EtherChannel out of
four 100 Mbps Ethernet links, the EtherChannel would have a speed of 400 Mbps. EtherChannel has
developed into a cross-platform method of load balancing between servers, switches, and routers.
The three major aspects to EtherChannel are as follows:

 Frame distribution
 Management of EtherChannel
 Logical port
EtherChannel does not do frame-by-frame forwarding in a round-robin fashion on each of the links.
The load-balancing policy or frame distribution used is contingent upon the switch platform used. If a
link within the EtherChannel bundle fails, traffic previously carried over the failed link will be carried
over the remaining links within the EtherChannel. Traffic in an EtherChannel is distributed across the
individual bundled links in a deterministic fashion; however, the load is not necessarily balanced
equally across all the links. Instead, frames are forwarded on a specific link as a result of a hashing
algorithm. The algorithm can use source IP address, destination IP address, or a combination of
source and destination IP addresses, source and destination MAC addresses, or TCP/UDP port
numbers. The hash algorithm computes a binary pattern that selects a link number in the bundle to
carry each frame. If only one address or port number is hashed, a switch forwards each frame by using
one or more low-order bits of the hash value as an index into the bundled links. If two addresses or
port numbers are hashed, a switch performs an exclusive-OR (XOR) operation on one or more low-
order bits of the addresses or TCP/UDP port numbers as an index into the bundled links.
The configuration applied to the individual physical interfaces that are to be aggregated by
EtherChannel affects only those interfaces. Each EtherChannel has a logical port channel interface. A
configuration applied to the port channel interface affects all physical interfaces assigned to that
interface.
Advantages of EtherChannel are:
 It allows for the creation of a very high-bandwidth logical link.
 It load balances among the physical links involved.
 It provides failover.
 It provides configuration is per logical link instead of per physical link.
EtherChannel protocols
EtherChannel can negotiate with the device on the other side of the link. Two protocols are supported
on Cisco devices. The first is the Link Aggregation Control Protocol (LACP), which is defined in
IEEE specification 802.3ad. LACP is used when you’re connecting to non-Cisco devices, such as
servers. The other protocol used in negotiating EtherChannel links is the Port Aggregation Control
Protocol (PAgP). Since PAgP is Cisco-proprietary, it is used only when you’re connecting two Cisco
devices via an EtherChannel. The following table will show the possible modes available and their
description when configuring EtherChannel.
Mode Protocol Description

On None Forces the interface into an EtherChannel without PAgP or
LACP. Channel only exists if connected to another interface
group also in On mode.
Auto PAgP Places the interface into a passive negotiating state and will
respond to PAgP packets but will not initiate PAgP negotiation.
Desirable PAgP Places the interface into an active negotiating state and will send
PAgP packets to start negotiations.
Active LACP Places the interface into a passive negotiating state and will
respond to LACP packets but will not initiate LACP negotiation.
Passive LACP Places the interface into an active negotiating state and will send
LACP packets to start negotiations.
Table 5: Etherchannel mode and protocols

Since the two collapsed switches are Cisco devices, PAgP is chosen over LACP. To create a channel
in PAgP the switch sides must be set to
 Auto-Desirable
 Desirable-Desirable
Because we are configuring EtherChannels between Cisco switches, the ports will be EtherChannels
for the life of the installation. Setting all interfaces in the EtherChannel on both sides to desirable
makes sense.
EtherChannel configuration
Collapsed Core 1 switch configuration
VISION2000_FLRGR_CC01#config t
VISION2000_FLRGR_CC011(config)#interface range gigabitethernet 0/23-24
VISION2000_FLRGR_CC011(config-if)#channel-protocol PAgp
VISION2000_FLRGR_CC011(config-if)#channel-group 1 mode desirable
VISION2000_FLRGR_CC01(config)#exit
Collapsed Core 2 switch configuration

VISION2000_FLRGR_CC01#config t
VISION2000_FLRGR_CC02(config)#interface range gigabitethernet0/23-24
VISION2000_FLRGR_CC011(config-if)#channel-protocol PAgp
VISION2000_FLRGR_CC02(config)#channel-group 1 mode auto
VISION2000_FLRGR_CC02(config)#exit
Spanning Tree Protocol (STP)

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any
bridged Ethernet local area network. Bridging loops form because parallel switches (or bridges) are
unaware of each other. STP was developed to overcome the possibility of bridging loops so that
redundant switches and switch paths could be used for their benefits. Basically, the protocol enables
switches to become aware of each other so they can negotiate a loop-free path through the network.
Spanning tree also allows a network design to include redundant links to provide automatic backup
paths if an active link fails, without the danger of bridge loops, or the need for manual
enabling/disabling of these backup links.
STP is standardized as IEEE 802.1D. As the name suggests, it creates a spanning tree within a mesh
network of connected layer-2 Ethernet switches, and disables those links that are not part of the
spanning tree, leaving a single active path between any two network nodes. STP is based on an
algorithm (STA).
STP defines a tree with a root bridge and a loop-free path from the root to all network devices in the
Layer 2 network. STP forces redundant data paths into a standby (blocked) state. If a network
segment in the spanning tree fails and a redundant path exists, the STP algorithm recalculates the
spanning tree topology and activates the standby path.
When two Layer 2 LAN ports on a network device are part of a loop, the STP port priority and port
path cost setting determine which port is put in the forwarding state and which port is put in the
blocking state. The STP port priority value represents the location of a port in the network topology
and how efficiently that location allows the port to pass traffic. The STP port path cost value
represents media speed.
Common Spanning Tree (CST)

The IEEE 802.1Q standard specifies how VLANs are to be trunked between switches. It also specifies
only a single instance of STP that encompasses all VLANs. This instance is referred to as the
Common Spanning Tree (CST). All CST BPDUs are transmitted over trunk links using the native
VLAN with untagged frames.
Having a single STP for many VLANs simplifies switch configuration and reduces switch CPU load
during STP calculations. However, having only one STP instance can cause limitations, too.
Redundant links between switches will be blocked with no capability for load balancing. Conditions
also can occur that would cause CST to mistakenly enable forwarding on a link that does not carry a
specific VLAN, whereas other links would be blocked.
Per-VLAN Spanning Tree (PVST)

Cisco has a proprietary version of STP that offers more flexibility than the CST version. Per-VLAN
Spanning Tree (PVST) operates a separate instance of STP for each individual VLAN. This allows
the STP on each VLAN to be configured independently, offering better performance and tuning for
specific conditions. Multiple spanning trees also make load balancing possible over redundant links
when the links are assigned to different VLANs. One link might forward one set of VLANs, while
another redundant link might forward a different set.
Because of its proprietary nature, PVST requires the use of Cisco Inter-Switch Link (ISL) trunking
encapsulation between switches. In networks where PVST and CST coexist, interoperability problems
occur. Each requires a different trunking method, so BPDUs are never exchanged between STP types.
Per-VLAN Spanning Tree plus (PVST+)

Per VLAN Spanning Tree Plus (PVST+) provides the same functionality as PVST using 802.1Q
trunking technology rather than ISL. PVST+ is an enhancement to the 802.1Q specification and is not
supported on non-Cisco devices. This feature allows the two schemes to interoperate in a seamless
and transparent manner in almost all topologies and configurations. Rapid Per-VLAN Spanning Tree
Protocol (rapid PVST+) is based on the IEEE 802.1w standard and has a faster convergence than STP
(standard 802.1D). Rapid PVST+ includes Cisco-proprietary extensions such as BackboneFast,
UplinkFast, and PortFast.
Rapid Spanning Tree Protocol (RSTP)

RSTP is based on IEEE 802.1w standard. Numerous differences exist between RSTP and STP. RSTP
requires full-duplex point-to-point connection between adjacent switches to achieve fast convergence.
Half duplex, generally speaking, denotes a shared medium whereby multiple hosts share the same
wire; a point-to-point connection cannot reside in this environment. As a result, RSTP cannot achieve
fast convergence in half-duplex mode.
STP and RSTP also have port designation differences. RSTP has alternate and backup port
designations, which are absent from the STP environment. Ports that are not participating in spanning
tree are known as edge ports. Edge ports can be statically configured or will be recognized by the
PortFast parameter. The edge port becomes a nonedge port immediately if a bridge protocol data unit
(BPDU) is heard on the port. Nonedge ports participate in the spanning tree algorithm; hence, only
nonedge ports generate TCs on the network when transitioning to forwarding state only. TCs are not
generated for any other RSTP states. In legacy STP, TCNs were generated for any active port that was
not configured for PortFast. RSTP speeds the recalculation of the spanning tree when the Layer 2
network topology changes. It is an IEEE standard that redefines STP port roles, states, and BPDUs.
RSTP is proactive and therefore negates the need for the 802.1D delay timers. RSTP (802.1w)
supersedes 802.1D, while still remaining backward compatible. Much of the 802.1D terminology
remains, and most parameters are unchanged. In addition, 802.1w is capable of reverting back to
802.1D to interoperate with legacy switches on a per-port basis.
RSTP bridge port roles:
 Root port – A forwarding port that is the closest to the root bridge in terms of path cost
 Designated port – A forwarding port for every LAN segment
 Alternate port – A best alternate path to the root bridge. This path is different than using the
root port. The alternative port moves to the forwarding state if there is a failure on the
designated port for the segment.
 Backup port – A backup/redundant path to a segment where another bridge port already
connects. The backup port applies only when a single switch has two links to the same
segment (collision domain). To have two links to the same collision domain, the switch must
be attached to a hub.
 Disabled port – Not strictly part of STP, a network administrator can manually disable a port
Multiple Spanning Tree (MST)

MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This
extension provides both rapid convergence and load balancing in a VLAN environment. MST
converges faster than Per VLAN Spanning Tree Plus (PVST+) and is backward compatible with
802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture.
MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to
spanning tree instances. Each instance can have a topology independent of other spanning tree
instances. This architecture provides multiple forwarding paths for data traffic and enables load
balancing. Network fault tolerance is improved because a failure in one instance (forwarding path)
does not affect other instances.
In large networks, you can more easily administer the network and use redundant paths by locating
different VLAN and spanning tree instance assignments in different parts of the network. A spanning
tree instance can exist only on bridges that have compatible VLAN instance assignments. You must
configure a set of bridges with the same MST configuration information, which allows them to
participate in a specific set of spanning tree instances.
For CHSA network ,We are select Rapid_pvst .
Rapid_pvst configuration
Collpsed switch CS01 Collpsed switch CS02
Primary Root Secondary Root Primary Root Secondary Root
VLAN 05 VLAN 20 VLAN 20 VLAN 05
VLAN 10 VLAN 100 VLAN 100 VLAN 10
VLAN 15 VLAN 15
Table 6: Rapid_pvst configuration
Collapsed Core switch 1 configuration (VISION2000_FLRGR_CC01)

VISION2000_FLRGR_CC01 (config)#spanning-tree mode Rapid_pvst
VISION2000_FLRGR_CC01(config)#spanning-treeVLAN 05,10,15priorty 4096
VISION2000_FLRGR_CC01(config)#spanning-treeVLAN20,100 priort 8192
Collapsed Core switch 2 configuration (VISION2000_FLRGR_CC02)

VISION2000_FLRGR _CS02#configure terminal
VISION2000_FLRGR_CS02(config)#spanning-tree mode Rapid-pvst
VISION2000_FLRGR_CS02(config)#spanning-tree VLAN 05,10,15priorty 8192
VISION2000_FLRGR_CS02(config-mst)#spanning-treeVLAN 20,100priorty 4096
VISION2000_FLRGR_CS02(config-mst)#end
Access switch 01 configuration (VISION2000_FLR07_AS01)

VISION2000_FLR07_AS01(config)#spanning-tree mode Rapid-pvst
VISION2000_FLR07_AS01(config)#interface rang fastethernate
VISION2000_FLR07_AS01(config)#spanning-tree portfast
Access switch 02 configuration (VISION2000_FLR07_AS02)

VISION2000_FLR07_AS02(config)#spanning-tree mode Rapid-pvst
VISION2000_FLR07_AS02(config)#interface rang fastethernate
VISION2000_FLR07_AS02(config)#spanning-tree portfast
High Availability and Load Balancing

Eliminating single points of failure is one of the considerations of maintaining high availability based
on hardware and software bounds. We have a two redundant collapsed core switch which serve as a
default router for the VLANs. High availability for gateway (default router) redundancy supported
through the use of first-hop routing protocols (FHRP), such as the Hot Standby Router Protocol
(HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol
(GLBP). First-hop redundancy allows a network to recover from the failure of the device acting as the
default gateway for end nodes on a physical segment. HSRP and GLBP are Cisco-specific, while
VRRP is nonproprietary and thus available on other vendors’ equipment as well.
HSRP
HSRP works by configuring one or more routers to act as a default gateway that will be part of an
HSRP group. In HSRP would dictate that one router is a primary and one is a secondary (or, in HSRP
terms, one is active and one is standby). If the primary fails, the secondary will take over. All routers
that are in the same HSRP group (the default group is 0) send out SRP packets to the multicast
address 224.0.0.2 using UDP port 1985. All HSRP packets have a time-to-live (TTL) of 1, so they
will not escape the local Ethernet segment.
VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, defined
in IETF standard RFC 2338. VRRP is so similar to HSRP. VRRP provides one redundant gateway
address from a group of routers. The active Router is called the master router, whereas all others are
in the backup state. The master router is the one with the highest router priority in the VRRP group.
VRRP sends its advertisements to the multicast destination address 224.0.0.18 (VRRP), using IP
protocol 112.
GLBP
The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts
configured with a single default gateway on an IEEE 802.3 LAN. Multiple first hop routers on the
LAN combine to offer a single virtual first hop IP router while sharing the IP packet forwarding load.
Other routers on the LAN may act as redundant GLBP routers that will become active if any of the
existing forwarding routers fail.
GLBP performs a similar, but not identical, function for the user as the HSRP and the VRRP. HSRP
and VRRP protocols allow multiple routers to participate in a virtual router group configured with a
virtual IP address. One member is elected to be the active router to forward packets sent to the virtual
IP address for the group. The other routers in the group are redundant until the active router fails.
These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual
router groups can be configured for the same set of routers, the hosts must be configured for different
default gateways, which results in an extra administrative burden. GLBP provides load balancing over
multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses.
Each host is configured with the same virtual IP address, and all routers in the virtual router group
participate in forwarding packets. GLBP members communicate between each other through hello
messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP)
port 3222 (source and destination).
Selecting VRRP protocol

Determining which protocol is best in CHSA center network is needed to have gateway redundancy in
place. As Cisco recommends, if you have the same VLAN on multiple access switches, use HSRP or
VRRP. If you use local VLANs, contained to a single switch, GLBP is an option. So we have decided
to use VRRP because we have such numbered same VLAN on two access switches in addition of it
ease on configuring and troubleshooting relative to HSRP and GLBP too.
VLAN to Node analysis

VRRP configuration
Collapsed switch(CS01) Collapsed switch(CS02)
Primary Secondary PrimaryRoot Secondary

Root Root Root
(Master )
(Master ) (Backup ) (Backup )
VLAN05 VLAN20 VLAN20 VLAN05
VLAN10 VLAN100 VLAN10

VLAN100
VLAN15 VLAN15
VRRP Configuration on Collapsed core 1(VISION2000_FLRGR_CC01)

VISION2000_FLRGR_CC01(config)#interface vlan 05
VISION2000_FLRGR_CC01(config-if)# standby 1 priority 200
VISION2000_FLRGR_CC01(config-if)# standby 1 ip 192.168.05.1
VISION2000_FLRGR_CC01(config-if)# standby 1preempt delay 30
VISION2000_FLRGR_CC01(config-if)# exit
VISION2000_FLRGR_CC01(config-if)# standby 1ip 192.168.10.1
VISION2000_FLRGR_CC01(config-if)# standby 1priority 200

VISION2000_FLRGR_CC01(config-if)# standby 1ip 192.168.100.1
VRRP Configuration on Collapsed core 2(VISION2000_FLRGR_CC02)

VISION2000_AM_SRK01_CS02(config-if)# exit
VISION2000_FLRGR_CC02(config-if)#standby 1 priority 100
VISION2000_FLRGR_CC02(config-if)#standby 1 ip 192.168.10.1
VISION2000_FLRGR_CC01(config-if)#standby 1preempt delay 30

VISION2000_FLRGR_CC02(config-if)#standby 1priority 200
VISION2000_FLRGR_CC02(config-if)#standby 1ip 192.168.100.1
Dynamic Host Configuration Protocol

Hosts can be manually configured to use a static IP address, subnet mask, default gateway address,
and so on. That might be appropriate for some devices, such as servers, which would need static and
reserved addresses. For the majority of end user devices, static address assignment can become a huge
administrative chore. Instead, DHCP (Dynamic Host Configuration Protocol) enables host system in
TCP/IP network to be configured IP address, subnet mask, and default gateway automatically in the
network as they boot. DHCP is defined in RFC 2131 uses a client /server mechanism for clients IP
address and information about network services (Such as DNS) available to the client. Also DHCP
benefits on its ability to manage IP address to be reclaimed when not in use and reassigned to other
client. This enables a LAN to use a smaller pool of IP Address than would be needed if all clients
were assigned a permanent address.
Deploying DHCP on a network provides the following benefits:
 Safe and reliable configuration. DHCP minimizes configuration errors caused by

manual IP address configuration, such as typographical errors, as well as address
conflicts caused by a currently assigned IP address accidentally being reissued to
another computer.
 Reduced network administration.
o TCP/IP configuration is centralized and automated.
o Network administrators can centrally define global and subnet-specific TCP/IP
configurations.
o Clients can be automatically assigned a full range of additional TCP/IP
configuration values by using DHCP options.
o Address changes for client configurations that must be updated frequently,
such as remote access clients that move around constantly, can be made
efficiently and automatically when the client restarts in its new location.
In VISION 2000 network infrastructure using DHCP server for end user computers is a need in order
to benefit from the mentioned points. Using multiple DHCP server allows for increased fault
tolerance and redundancy over using only one DHCP server. So the two collapsed core switches in
AM site and DZ site will be configured to be DHCP servers. The Following diagram shows the
process taken place between client computers to DHCP server in VISION2000 LAN.
In order to keep fault tolerance and to resolve IP address conflict too, one subnet network is divided to
two IP scopes. This 50-50 Split mode is implemented in both sites on their collapsed cores. The
following table shows how the DHCP IP pool is configured in VISION2000 network.
A Split mode IP Scope assignment
VISION2000_ FLRGR_CC01
VLAN ID IP Pool Subnet Assignable IP Address Reserved IP
05 192.168.05.0 255.255.255.0 192.168.05.16 – 127 192.168.05.1 – 15
10 192.168.10.0 255.255.255.0 192.168.10. 16 – 127 192.168.10. 1 – 15
15 192.168.15.0 255.255.255.0 192.168.15. 16 – 127 192.168.15. 1 – 15
20 192.168.20.0 255.255.255.0 192.168.20. 16 – 127 192.168.20. 1 – 15
Table 7: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 01
VISION2000_FLRGR_CC02
VLAN IP Pool Subnet Assignable IP Address Reserved IP
ID
05 192.168.05.0 255.255.255.0 192.168.05.128 – 254 192.168.05.1 – 15
10 192.168.10.0 255.255.255.0 192.168.10. 128 – 254 192.168.10. 1 – 15
15 192.168.15.0 255.255.255.0 192.168.15. 128 – 254 192.168.15. 1 – 15
20 192.168.20.0 255.255.255.0 192.168.20. 128 – 254 192.168.20. 1 – 15
Table 8: VISION2000 Site Split mode IP Scope assignment on Collapsed Core switch 02
For VLANs other than access VLANs, there is no a need to Configure Dynamic IP address because of
the nature of service provided needs the IP addresses to be Static. In these cases, all VLANs IP
Address is configured to be static IP address
7. Switches DHCP Configuration

DHCP Configuration on DHCP server 1(VISION2000_FLRGR_CC01)
VISION2000_FLRGR_CC01(config)#ip dhcp excluded-address 192.168.05.1 192.168.15.15
VISION2000_FLRGR_CC01(config)#ipdhcp excluded-address 192.168.05.128 192.168.15.255

VISION2000_FLRGR_CC01(config)#ip dhcp pool vlan 05

VISION2000_FLRGR_CC01(dhcp-config)#network 192.168.05.0 255.255.255.0
VISION2000_FLRGR_CC01(dhcp-config)#default-router 192.168.05.1
VISION2000_FLRGR_CC01(dhcp-config)#dns-server 192.168.65.5
VISION2000_FLRGR_CC01(dhcp-config)#exit



VISION2000FLRGR_CC01(dhcp-config)#exit
DHCP Configuration on DHCP server 2(VISION2000_FLRGR_CC02)





VISION2000FLRGR_CC02(dhcp-config)#network 192.168.20.0 255.255.255.0
8. Routing
Introduction
Before we get into the specifics of routing, we need describe routing concepts that will aid our
selection of routing protocol.
Routing is the process by which an item gets from one location to another. In networking, a
router/layer 3 switch is the device used to route traffic .To be able to route anything, a router, or any
entity that performs routing, must do the following:
 Identify the destination address: Determine the destination (or address) of the item that needs
to be routed.
 Identify sources of routing information: Determine from which sources (other routers) the
router can learn the paths to given destinations.
 Identify routes: Determine the initial possible routes, or paths, to the intended destination.
 Select routes: Select the best path to the intended destination.
 Maintain and verify routing information: Determine if the known paths to the destination
There are two ways in which the destination information can be learned.
Static routing: - Routing information can be entered manually by the network administrator. The
administrator must manually update this static route entry whenever an internetwork topology change
requires an update. Static routes are user-defined routes that specify the path that packets take when
moving between a source and a destination. These administrator-defined routes allow very precise
control over the routing behavior of the IP internetwork.
Dynamic routing: - The router dynamically learns routes after an administrator configures a
routing protocol that helps determine routes. Unlike the situation with static routes, after the network
administrator enables dynamic routing, the routing process automatically updates route knowledge
whenever new topology information is received. The router learns and maintains routes to the remote
destinations by exchanging routing updates with other routers in the internetwork
Routing is the process of directing packets from a source node to a destination node on a different
network. CISCO devices support Dynamic routing protocols Such as OSPF, IS-IS, Rip, RipV2, IGRP,
EIGRP and BGR etc
 OSPF and IS-IS are both link state routing protocols, used for bigger network with multiple
routers.
 EIGRP and IGRP are CISCO proprietary routing protocols. They don’t support multiple
vender network devices. Also used for bigger network. EIGRP
 RIPV2 is a distance vector classless routing protocol that uses hop count algorithm to select
the best path to destination.
 RIPV1 is a distance vector class full routing protocol that uses hop count algorithm to select
the best path to destination.
There are many types of routing protocols; two major classes are in widespread use on IP networks.
These are
Interior Gateway Protocol (IGP) is a protocol for exchanging routing information between
gateways (hosts with routers) within an autonomous network. For instance we can mention RIP,
OSPF, and IGRP… etc. In contrast, an Exterior Gateway Protocol (EGP) is for determining
network reach ability between autonomous systems and makes use of IGPs to resolve routes within an
AS. Example: BGP
There are two major classes of routing protocols used in packet-switched networks for
computer communications
Distance vector
Distance-vector routing protocols use the Bellman-Ford algorithm, Ford–Fulkerson algorithm, or
DUAL FSM to calculate paths. As the name implies, distance vector means that routers are
advertised as vectors of distance and direction. Distance is defines in terms of metric such as hop
count and direction is simply the next-hop router or exit interface.
Routers using distance vector protocol do not have knowledge of the entire path to a destination.
Instead distance vector uses two methods:
Direction in which router or exit interface a packet should be forwarded.

 Distance from its destination.
In distance vector routing, the least cost route between any two nodes is the route with
minimum distance. In this protocol, as the name implies, each node maintains a vector (table)
of minimum distance to every node. As the name suggests the distance vector protocol is based
on calculating the direction and distance to any link in a network. The cost of reaching a
destination is calculated using various route metrics. RIP uses the hop count of the destination
whereas IGRP takes into account other information such as node delay and available
bandwidth.
Updates are performed periodically in a distance-vector protocol where all or part of a router's
routing table is sent to all its neighbours that are configured to use the same distance-vector
routing protocol. Once a router has this information it is able to amend its own routing table to
reflect the changes and then inform its neighbours of the changes. RIP, IGRP and EIGRP are
example of distance vector routing protocols.
Link state routing protocols
Link-state routing protocols are also known as shortest path first protocols and use the Dijkstra
algorithm to shares information with other routers in order to determine the shortest path to
destination. Link State routing protocols do not view networks in terms of adjacent routers and hop
counts, but they build a comprehensive view of the overall network which fully describes the all
possible routes along with their costs. Using the Shortest Path First (SPF) algorithm, the router creates
a "topological database" which is a hierarchy reflecting the network routers it knows about. It then
puts its self on the top of this hierarchy, and has a complete picture from its own perspective. Link-
state routing protocols respond quickly to network changes, send trigger updates only when a network
change has occurred, and send periodic updates (known as link-state refreshes) at long time intervals,
such as every 30 minutes. OSPF and IS-IS are examples of link-State protocols.
Loop back address configuration

Loopback interface is a virtual interface and it will NOT go down (as a physical interface), unless the
router itself goes down. So loopback interface is a point of troubleshooting on a router and can be
reached via any interface (if the loopback address route is redistributed to a routing protocol).
Because Router ID is set to differtiate routers there is no need to configure loopback address.
Configuring Default Route

The default route is configured on the router, which is used to send packets to the next hop interface
of the network if packets are with unknown destination address.
To configure default route on the router of ministry of national defence is as follows.
The ‘redistribute static route’ configuration command uses OSPF to advertise static routes, as well as
directly connected routes and the routes that have been learned from other OSPF routers.
Routing configuration
VISION2000__FLRGR_EF01# configure terminal
VISION2000__FLRGR_EF01(config)# interface Gig0/1
VISION2000__FLRGR_EF01config-if)#ip address 192.168.60.2 255.255.255.252
VISION2000__FLRGR_IF01(config)#exit
VISION2000__FLRGR_IF01# configure terminal

VISION2000__FLRGR_IF01(config)# interface Gig0/0
VISION2000__FLRGR_IF01config-if)#ip address 192.168.65.1 255.255.255.0
VISION2000__FLRGR_IF01(config)#exit
VISION2000__FLRGR_CC01# configure terminal

VISION2000__FLRGR_CC01(config)# interface Gig1/21
VISION2000__FLRGR_CC01(config)#no switchport
VISION2000__FLRGR_CC01config-if)#ip address 192.168.60.9 255.255.255.252
VISION2000__FLRGR_CC01(config)#exit
VISION2000__FLRGR_CC02# configure terminal

VISION2000__FLRGR_CC02(config)#no shutdown
VISION2000__FLRGR_ DMZ01# configure terminal

VISION2000__FLRGR_ DMZ01(config)# interface Gig1/0/24
VISION2000__FLRGR_ DMZ01(config)#no switchport

VISION2000__FLRGR_ DMZ01(config-if)#ip address 192.168.60.18 255.255.255.252
VISION2000__FLRGR_ DMZ01(config-if)#no shutdown
VISION2000__FLRGR_EF01# configure terminal

VISION2000__FLRGR_EF01(config)#router ospf 100
VISION2000__FLRGR_EF01(config)#network 192.168.60.0 255.255.255.252 area0
VISION2000__FLRGR_EF01(config)#network ISP 255.255.255.252 area0
VISION2000_FLRGR_IF01# configure terminal

VISION2000_FLRGR_IF01(config)#router ospf 100
VISION2000_FLRGR_IF01(config)#network 192.168.60.8 255.255.255.252 area0
VISION2000_FLRGR_CC01# configure terminal

VISION2000_FLRGR_CC01(config)#router ospf 100
VISION2000_FLRGR_CC01(config)#network 192.168.60.0 0.0.0.3 area0

VISION2000_FLRGR_CC02(config)#network 192.168.60.40.0.0.3 area0
VISION2000_FLRGR_CC02(config)#network 192.168.60.120.0.0.3 area0
VISION2000_FLRGR_DMZ01# configure terminal

VISION2000_FLRGR_ DMZ01(config)#router ospf 100
VISION2000_FLRGR_ DMZ01(config)#network 192.168.60.16 0.0.0.3 area0
VISION2000_FLRGR_ DMZ01(config)#network 192.168.130.0 0.0.0.255 area0
OSPF Router –ID configuration

VISION2000_FLRGR_CC01(config)# router-id 10.0.0.1


VISION2000_FLRGR_CC02(config)# router-id 10.0.0.2
VISION2000_FLRGR_EF01# configure terminal

VISION2000_FLRGR_EF01(config)#router ospf 100
VISION2000_FLRGR_EF01(config-if)#router-id 10.0.0.3
VISION2000_FLRGR_IF01# configure terminal

VISION2000_FLRGR_IF01(config)#router ospf 100
VISION2000_FLRGR_IF01(config-if)#router-id 10.0.0.4
VISION2000_FLRGR_ DMZ01# configure terminal

VISION2000_FLRGR_ DMZ01(config)#router ospf 100
VISION2000_FLRGR_ DMZ01(config-if)#router-id 10.0.0.5
OSPF Authentication configuration
VISION2000_FLRGR_CC01 (config)#router ospf 100

VISION2000_FLRGR_CC01 (config-router )#area 0 authentication message–digest
VISION2000_FLRGR_CC01 (config)#interface vlan 5
VISION2000_FLRGR_CC01 (config-if)#ip ospf message–digest-key 1 md5 VISION2000@ VISION01
VISION2000_FLRGR_CC02 (config)#router ospf 100

VISION2000_FLRGR_CC02 (config-router )#area 0 authentication message–digest

OSPF passive interface configuration
VISION2000_FLRGR_CC01(config) # router ospf 100

VISION2000_FLRGR_CC01(config-router)# passive-interface default
VISION2000_FLRGR_CC01(config-router)# no passive interface Gig 1/21,Gig1/22
VISION2000_FLRGR_CC02(config) # router ospf 100

VISION2000_FLRGR_CC02(config-router)# passive-interface default
VISION2000_FLRGR_CC02(config-router)# no passive interface Gig 1/21,Gig1/22
Configuring Default Route
VISION2000_FLRGR_EF01#(config) # ip route 0.0.0.0 0.0.0.0 10.235.55.42

VISION2000_FLRGR_EF01#(config) # router ospf 100
VISION2000_FLRGR_EF01#(config-router) #default route orginate
VISION2000_FLRGR_EF01#(config-router) #end
9. Security
Securing a network system involves preventing the inside network from the external hackers,
malwares and unauthorized system. we use different mechanism to make secure the network.
Perimeter Security Configuration
The perimeter is the network’s boundary, the points where data flows in from (and out to) other
networks, including the Internet.
Network Perimeter Security is the function and policy of securing your company’s network on the
edges (the perimeter) where the system interfaces with the rest of the world.
To begin planning a Network Perimeter defense, you have to understand exactly where the Network
perimeter is and which technologies will be required to provide the most reliable, cost-effective
Network Perimeter.
Perimeter security protects your network at the points where they connects to the Web. Firewalls
control the flow of data between your network and the Web. Intrusion Detection Systems (IDS) and
Intrusion Prevention Systems (IPS) examine network traffic and block attacks to enforce your
corporate Perimeter Security policy .We recommends to secure ECDSWCO’s Network to use a cisco
ASA 5525.
Basic ASA 5525 configure future in the Perimeter security side are;
 Zone based firewall

 Network address translation
 Access control list
 Intrusion prevention system (IPS) or firepower
Zone based firewall
A security zone should be configured for each region of relative security within the network, so that
all interfaces that are assigned to the same zone will be protected with a similar level of security.
Consider an access firewall with three interfaces:
 One interface connected to the public Internet

 One interface connected to a private LAN that must not be accessible from the public
Internet
 One interface connected to an Internet service demilitarized zone (DMZ), where a Web
server, Domain Name System (DNS) server, and e-mail server must be accessible to
the public Internet
Each interface in this network will be assigned to its own zone, although you might want to allow
varied access from the public Internet to specific hosts in the DMZ and varied application use policies
for hosts in the protected LAN.
Internet Zone
Private Zone
DMZ Zone
Figure 6: Zone Based Interface

Each zone holds only one interface. If an additional interface is added to the private zone, the hosts
connected to the new interface in the zone can pass traffic to all hosts on the existing interface in the
same zone. Additionally, the hosts’ traffic to hosts in other zones is similarly affected by existing
policies.
Typically, our network will have three main policies:
 Private zone connectivity to the Internet

 Private zone connectivity to DMZ hosts
 Internet zone connectivity to DMZ hosts
Because the DMZ is exposed to the public Internet, the DMZ hosts might be subjected to undesired
activity from malicious individuals who might succeed at compromising one or more DMZ hosts. If
no access policy is provided for DMZ hosts to reach either private zone hosts or Internet zone hosts,
then the individuals who compromised the DMZ hosts cannot
use the DMZ hosts to carry out further attack against private or Internet hosts. ZFW imposes a
prohibitive default security posture. Therefore, unless the DMZ hosts are specifically provided access
to other networks, other networks are safeguarded against any connections from the DMZ hosts.
Similarly, no access is provided for Internet hosts to access the private zone hosts, so private zone
hosts are safe from unwanted access by Internet hosts.
Configuration
A basic configuration with IP connectivity, VLAN configuration
Internet
Collapsed Core Outside interface

switches Gig 0/0 Security level 0
Inside interface
Security level 100
Perimeter Firewalls
Gig 0/1
Gig 0/3
DMZ interface
Security level 50
DMZ Switches
Figure 7: Security Level

VLAN Description VLAN Physical IP Address Security Level

ID Interface
Connection to Collapsed Gig0/1 192.168.60.2 100
Core Switch 01
Connection to Collapsed Gig0/2 192.168.60.6
Core Switch 02
Connection to Server Gig0/3 192.168.60.17 50
DMZ Switch
Connectionto … Gig0/0 10..235.55.44 0
ETHIOTELECOM
Component Parameter/Value
Host name Vision2000_FLRGR_EF01
Outside Interface IP 10..235.55.44
LAN Interface GE0/1 IP 192.168.60.2/30
LAN Interface GE0/2 IP 192.168.60.6/30
Configure login banner “Authorized personnel only”
Table 9: Basic Configuration components of Firewall
Configure Host Name
Before configuring the ASA Firewall first we have to define the hostname, Interface naming, and
security level.
 Hostname configuration: When you set a hostname for the ASA, that name appears
in the command line prompt. If you establish sessions to multiple devices, the
hostname helps you keep track of where you enter commands. The default hostname
Vision2000_FLRGR_EF01. We can change this by using the hostname command as
follows:
ciscoasa># configure terminal

ciscoasa (config)# hostname Vision2000_FLRGR_EF01
Vision2000_FLRGR_EF01(config)exit
Configure login banner

Vision2000_FLRGR_EF01(config)#banner motd “only for authorized person”
Vision2000_FLRGR_EF01(config)#exit
Configuration for external firewall interface
 Interfaces: Interfaces on the appliances have two names to distinguish them:
Physical name: commonly called a hardware name. The physical name is used
whenever we need to configure the physical properties of an interface, like its speed,
duplexing, Or an IP address. The ASA use a physical name of “gigabit Ethernet”
gigabit Ethernet slot/number.
Logical name: Logical names are used in most other commands, like applying an
ACL to an interface, or specifying an interface for an address translation policy.
Logical names should be descriptive about what the interface is connected to. Two
common (default) names used are “inside” (connected to the internal network) and
“outside” (connected to the external or public network).
 Security Levels:ASA platforms have some inherent security policies that are based on
the relative trust or security level that has been assigned to each interface. Interfaces
with a higher security level are considered to be more trusted than interfaces with a
lower security level. The security levels can range from 0 (the least amount of trust) to
100 (the greatest amount of trust). The least secure is 0 and the most secure is 100. For
the “inside” interface, the security level defaults to 100. All other interface names have
the security level default to 0 (the least secure). The security algorithm uses the
security levels to enforce its security policies. Here are the rules that the algorithm
uses:
 Traffic from a higher to a lower security level is permitted by default,

unless we have restricted traffic with an ACL. This is called an outbound
connection.
 Traffic from a lower to a higher level is denied, by default, unless we
explicitly permit it by configuring access control lists (ACLs). This is called
an inbound connection.
 Traffic from the same security level to the same level is denied by default.
To allow traffic between interfaces with the same security level, we can use
the following command:
Usually, the “outside” interface that faces a public, untrusted network should receive security level 0.
The “inside” interface that faces the community of trusted users should receive security level 100.
Any other ASA interfaces that connect to other areas of the network should receive a security level
between 1 and 99. In addition, the same two security policies apply to any number of interfaces.
Figure 2 shows an ASA with three different interfaces and how traffic is inherently permitted to flow
from higher-security interfaces toward lower-security interfaces. For example, traffic coming from the
inside network (security level 100) can flow toward the DMZ network (security level 50) because the
security levels are decreasing. As well, DMZ traffic (security level 50) can flow toward the outside
network (security level 0).
Figure 8: Traffic Flows Are Permitted from Higher to Lower Security Levels
Traffic that is initiated in the opposite direction, from a lower security level toward a higher one,
cannot pass so easily. Figure 3 shows the same ASA with three interfaces and the possible traffic flow
patterns.
Figure 9: Traffic Flows Are Blocked from Lower to Higher Security Levels
You can assign a security level of 0 to 100 to an ASA interface with the following interface
Configuration command:
Vision2000_FLRGR_EF01(config)#interface gig 0/0

Vision2000_FLRGR_EF01(config)#nameif outside
Vision2000_FLRGR_EF01(config)#security-level 0
Vision2000_FLRGR_EF01(config)#ip address 10.131.235.44 255.255.255.252
Vision2000_FLRGR_EF01(config)#no shutdown
Vision2000_FLRGR_EF01(config)#nameif inside
Vision2000_FLRGR_EF01(config)#ip adderss 192.168.60.2 255.255.255.252
Vision2000_FLRGR _EF01(config)#interface gig 0/2
Vision2000_FLRGR_EF01(config)#nameif inside-01
Vision2000_FLRGR_EF01(config)#nameif DMZ
Object-Group Configuration
By grouping like objects together, you can use the object group in an ACE instead of having to enter
an ACE for each object separately. You can create the following types of object groups:
 Protocol
 Network
 Service
 ICMP type
In the perimeter area we also have the network based and service based object groups that will be
configured in the external firewall as follows
Network Object Group
A network object group supports IPv4 and IPv6 addresses, depending upon the type of access list. To
add or change a network object group, perform the steps in this section. After you add the group, you
can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already
set remain in place unless you remove them with the no form of the command.
Network based Object- Network based Object- IP Address

Group Name Group Description
DMZ-network DMZ Network 192.168.150.0/24
inside-network All networks without DMZ 192.168.0.0/16
Table 10: Network object group
To create a network group that includes the IP addresses of three administrators, enter the following
commands:
Vision2000_FLRGR_EF01(config)#object network inside-network

Vision2000_FLRGR_EF01(config)#subnet 192.168.0.0 255.255.255.0
Vision2000_FLRGR_EF01(config)#object network DMZ-network
Vision2000_FLRGR_EF01(config)#subnet 192.168.130.0255.255.255.0
Service Object Group
To add or change a service object group, perform the steps in this section. After you add the group,
you can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already
set remain in place unless you remove them with the no form of the command.
Service based Object-Group Name Port Number Key word Protocol

Mail_ servises 25 smtp TCP
80 www TCP
443 smtp TCP
Web Servise
Internal_Services 80 www TCP
443 https TCP
443 https TCP
53 DNS TCP-UDP
Table 11: Service-Based Object Group Configuration

Mail Services
Vision2000_FLRGR_EF01 (config)#object-group service Mail_Services

Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq www
Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq https
Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq smtp
Internal network Services
Vision2000_FLRGR_EF01 (config)#object-group service Internal_Services

Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq www
Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq https
Vision2000_FLRGR_EF01 (config-service-object-group)#service-object tcp eq DNS
ACL Configuration
We will apply ACL on Vision 2000 perimeter Firewalls with extended access list by considering
traffic flow from the inside, internal Network to the external, Internet Network and from the Internet
to the Internal Network. Vision 2000 will have the DMZ Servers.
The table below shows Access from Internet to internal Networks and default privileges with
protocols, when internet users try to access the Vision 2000’s internal resources
Access….From To Default access Port number Protocol
External Users Internal Networks Blocked/Denied 23 TCP

External Users Internal Networks Blocked/Denied 53 UDP
External Users Internal Networks Blocked/Denied 69 UDP
Table 12: ACL Description from Internet to Internal Network
The table below illustrates Access from DMZ to internal Networks and default privileges with
protocols, when from DMZ to try to access the ECDSWCO’s internal resources.

DMZ Internal Networks Blocked/Denied 23 TCP
DMZ Internal Networks Blocked/Denied 53 UDP
DMZ Internal Networks Blocked/Denied 69 UDP
Table 13: ACL Description from DMZ to Internal Networks
The table below illustrates Access from Internal Users to DMZ Servers and default privileges with
protocols, when Internal Users try to access theECDSWCO’s DMZ resources
Internal Users DMZ Servers Permitted 23 TCP
Internal Users DMZ Servers Permitted 53 UDP
Internal Users DMZ Servers Permitted 69 UDP
Table 14: ACL Description from Internal Users to DMZ Servers
The table below displays Access from Internal Users to Internet and default privileges with protocols,
when internal users try to access the Internet.
Internal Users Internet Permitted 23 TCP
Internal Users Internet Permitted 53 UDP
Internal Users Internet Permitted 69 UDP
Table 15: ACL Description from Internal Users to Internet

The table below displays Access from DMZ to Internet and default privileges with protocols, when
from DMZ to try to access the Internet
DMZ Internet Permitted 23 TCP
DMZ Internet Permitted 53 UDP
DMZ Internet Permitted 69 UDP
Table 16: ACL Description from DMZ to Internet
The table below shows Access from Internet to DMZ and default privileges with protocols, when
from interne tries to access the DMZ.
Internet DMZ Blocked 23 TCP
Internet DMZ Blocked 53 UDP
Internet DMZ Blocked 69 UDP
Table 17: ACL Description from Internet to DMZ
ACL Name Description

Outside_DMZ ACL to allow the Internet Users to access all servers that placed in the
DMZ. The ACL is applied on the outside interface in the inbound
direction.
DMZ_Inside ACL to allow the DMZ servers to access internal network. The ACL
is applied on the DMZ interface in the inbound direction.
ACL to allow outside to DMZ
Vision2000_FLRGR_EF01(config)#access-list Outside_DMZ extended permit ip any object-group DMZ-network

object-group Mail_ servises
Vision2000_FLRGR_EF01 (config)#access-list DMZ_Inside extended permit ip DMZ_Network object-group
inside-network object-group Internal_Services
Vision2000_FLRGR_EF01 (config)#access-group DMZ_Inside interface DMZ in
Vision2000_FLRGR_EF01 (config)#access-group Outside_DMZ interface Outside in
NAT configuration
Vision2000_FLRGR_EF01(config)#object network inside-network

Vision2000_FLRGR_EF01(config)#nat(inside,outside)dynamic interface outside
Vision2000_FLRGR_EF01(config)#nat(inside01,outside)dynamic interface outside
Vision2000_FLRGR_EF01(config)#object network DMZ-network
Vision2000_FLRGR_EF01(config)#nat(DMZ,outside)static interface outside service tcp www
www
Stateful Inspection Configuration
We uses the default Configuration, class map named inspection_default and a policy map named
global_policy as the starting point and we will optimize the configuration by checking the
performance of the traffic.
How Inspection Engines Work:
The adaptive security appliance uses the following three databases for its basic operations:
 Access lists: Used for authentication and authorization of connections based on specific
networks, hosts, and services (TCP/UDP port numbers).
 Inspections: Contains a static, predefined set of application-level inspection functions.
 Connections (XLATE and CONN tables): Maintains state and other information about each
established connection. This information is used by the Adaptive Security Algorithm and cut-
through proxy to efficiently forward traffic within established sessions.
Detail procedures that the appliance follows to inspect a packet are described as follows in order
ACL
client 1 2
6 Server
7 5
3 4
XLATE
CONN INSPECTION
1. A TCP SYN packet arrives at the ASA to establish a new connection.

2. The ASA checks the access list database to determine if the connection is permitted.
3. The ASA creates a new entry in the connection database (XLATE and CONN tables).
4. The ASA checks the Inspections database to determine if the connection requires application-level
inspection.
5. After the application inspection engine completes any required operations for the packet, the ASA
forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The ASA receives the reply packet, looks up the connection in the connection database, and
forwards the packet because it belongs to an established session.
//Class map
……………………………………………………………………………………………………………
………
class-map inspection_default
match default-inspection-traffic
!
……………………………………………………………………………………………………………
………
//Policy map
policy-map global_policy
class inspection_default
inspect dns maximum length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect sunrpc
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect xdmcp
!
……………………………………………………………………………………………………………
………
//Service policy
service-policy global_policy global
Configuring the Botnet Traffic Filter

Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic
database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any
suspicious activity.
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update
server. This database lists thousands of known bad domain names and IP addresses.
How the ASA Uses the Dynamic Database

The ASA uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic
Filter adds the name and IP address to the DNS reverse lookup cache.
2. When the infected host starts a connection to the IP address of the malware site, then the ASA
sends a syslog message informing you of the suspicious activity and optionally drops the traffic if you
configured the ASA to do so
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic
Filter logs or drops any traffic to that IP address without having to inspect DNS requests.
The database files are downloaded from the Cisco update server, and then stored in running memory;
they are not stored in flash memory. Be sure to identify a DNS server for the ASA so that it can
access the Cisco update server URL
Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database
by the ASA
Enable ASA use of a DNS server in the Device Management > DNS > DNS Client > DNS Lookup
area. In multiple context mode, the system downloads the database for all contexts using the admin
context interface; be sure to identify a DNS server in the admin context.
Configuration for internal firewall interface

Vision2000_FLRGR_EF01(config)#nameif inside
Vision2000_FLRGR_EF01(config)#ip address 192.168.60.21 255.255.255.252
Vision2000_FLRGR_EF01(config)#nameif outside-01
Vision2000_FLRGR_EF01(config)#nameif outside
Hardening the Device

Device hardening is one of the fundamental security modules that should be put into practice to
protect the device from unauthorized users and activity. An intruder gaining unauthorized access to a
device relinquishes complete access to the networks, and all other security measures taken become
redundant.
Physical Security
Physical security describes measures that are designed to deny access to unauthorized personnel
(including attackers or even accidental intruders) from physically accessing a building, facility,
resource, or stored information and guidance on how to design structures to resist potentially hostile
acts. Physical security can be as simple as a locked door or as elaborate as multiple layers of barriers,
armed security guards and guardhouse placement. Good physical security uses the concept of layered
defense, in appropriate combinations to deter and delay intrusions (passive defense), and detect and
respond to intrusions (active defense). Ultimately it should be too difficult, risky or costly to an
attacker to even attempt an intrusion.
However, strong security measures also come at a cost, and there can be no perfect security. It is up to
a security designer to balance security features and a tolerable amount of personnel access against
available resources, risks to assets to be protected and even aesthetics.
Physical security is not a modern phenomenon. Physical security exists in order to deter or prevent
persons from entering a physical facility. Historical examples of physical security include city walls
etc.
The technology used for physical security has changed over time. While in past eras, there was no
passive infrared (PIR) based technology, electronic access control systems, or video surveillance
system (VSS) cameras, the essential methodology of physical security has not altered over time.
Fundamentally, it is recommended to have a combination of security layers that could provide enough
protection from internal or external attack.
It is recommended to have a surveillance system, alarm system and an access control system in our
network system. And also every rack should be locked.
INSA recommends the following security measures to be used:
All of the access switch racks should be locked
The server room should have a well secured door with lock.
Password configuration
The appliances support two levels of passwords: one for access to User EXEC mode via telnet and
SSH, and one for access to Privilege EXEC. These passwords are automatically encrypted when
stored in RAM or flash to protect them from eavesdropping attacks.
A password is a protected string of characters that is used to authenticate a user. There are three types
of password protection schemes in Cisco IOS.
Clear-text passwords: These are the most insecure because they have no encryption. Passwords are
viewable in the device configuration in clear text.
Type 7 passwords: These use the Cisco proprietary encryption algorithm and are known to be weak.
Several password utilities are available to decipher Type 7 encrypted passwords. Type 7 encryption is
used by the enable password, username, and line password commands.
Type 5 passwords: These use MD5 hashing algorithm (one-way hash) and are therefore much
stronger because they are considered irreversible. The only way to crack the Type 5 password is by
using brute force or dictionary attacks. It is highly recommended that you use Type 5 encryption
instead of Type 7 where possible. Type 5 encryption is used by the enable secret command to specify
an additional layer of security over the enable password command. The enable secret command takes
preference over the enable password command. The username secret command also uses Type 5
encryption.
Privilege Password configuration
Steps to configure enable password on all network devices

Collapsed core switch 01
Vision2000_FLRGR_CC01(config)#enable secret Vision2000!t20o2
Vision2000_FLRGR_CC2 (config)#enable secret Vision2000!t20o2
7TH Floor Access switch 01

Vision2000_FLR07_AS01(config) # enable secret Vision2000!t20o2
External firewall
Vision2000_FLRGR_EF01(config)# enable secret Vision2000!t20o2
Internal firewall
Vision2000_FLRGR_IF01(config) # enable secret Vision2000!t20o2
Server farm switch

Vision2000_FLRGR_SF01(config) # enable secret Vision2000!t20o2
DMZ switch
CHSA_FLRGR_DMZ01(config) # enable secret Vision2000!t20o2
Line Password configuration

Vision2000_FLRGR_CC01(config) # line console 0
Vision2000_FLRGR_CC01(config-line) #password Vision2000!t20o2
Vision2000_FLRGR_CC01(config-line) # login
Vision2000_FLRGR_CC01(config-line) #exit
Vision2000_FLRGR_CC01(config)# ip domain-name
Vision2000_FLRGR_CC01(config)#crypto key generate rsa
Vision2000_FLRGR_CC01(config) # access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_CC01(config) # line vty 0 4
Vision2000_FLRGR_CC01(config-line) # access-class 10 in
Vision2000_FLRGR_CC01(config) # transport input ssh

Vision2000_FLRGR_CC02(config) # line console 0
Vision2000_FLRGR_CC02(config-line) #password Vision2000!t20o2
Vision2000_FLRGR_CC02(config-line) # login
Vision2000_FLRGR_CC02(config-line) #exit
Vision2000_FLRGR_CC02(config)# ip domain-name
Vision2000_FLRGR_CC02(config)#crypto key generate rsa
Vision2000_FLRGR_CC02(config) # access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_CC02(config) # line vty 0 4
Vision2000_FLRGR_CC02(config-line) # access-class 10 in
Vision2000_FLRGR_CC02(config) # transport input ssh
Access switch 01
Vision2000_FLR07_AS01(config) # line console 0
Vision2000_FLR07_AS01(config-line)#password Vision2000!t20o2
Vision2000_FLR07_AS01(config-line) # login
Vision2000_FLR07_AS01(config-line) #exit
Vision2000_FLRGR_AS01 (config)# ip domain-name
Vision2000_FLRGR_AS01 (config)#crypto key generate rsa
Vision2000_FLRGR_AS01 (config) # access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_AS01 (config) # line vty 0 4
Vision2000_FLRGR_AS01 (config-line) # access-class 10 in
Vision2000_FLRGR_AS01 (config)# transport input ssh
External firewall
Vision2000_FLRGR_EF01 (config) # line console 0
Vision2000_FLRGR_EF01 (config-line)# password Vision2000!t20o2
Vision2000_FLRGR_EF01 (config-line) # login
Vision2000_FLRGR_EF01 (config-line) #exit
Vision2000_FLRGR_EF01 (config)# ip domain-name
Vision2000_FLRGR_EF01 (config)#crypto key generate rsa
Vision2000_FLRGR_IF01 (config)# access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_EF01 (config)# line vty 0 4
Vision2000_FLRGR_EF01 (config-line) # access-class 10 in
Vision2000_FLRGR_EF01 (config)# transport input ssh
Internal firwall
Vision2000_FLRGR_IF01 (config)# line console 0
Vision2000_FLRGR_IF01 (config-line)#password Vision2000!t20o2
Vision2000_FLRGR_IF01 (config-line) # login
Vision2000_FLRGR_IF01 (config-line) #exit

Vision2000_FLRGR_IF01 (config)# ip domain-name
Vision2000_FLRGR_IF01 (config)#crypto key generate rsa
Vision2000_FLRGR_IF01 (config) # access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_IF01 (config) # line vty 0 4
Vision2000_FLRGR_IF01 (config-line)# access-class 10 in
Vision2000_FLRGR_IF01 (config)# transport input ssh
Server farm switch
Vision2000_FLRGR_SF01(config) # line console 0
Vision2000_FLRGR_ SF01(config-line)#password Vision2000!t20o2
Vision2000_FLRGR_ SF01(config-line)# login
Vision2000_FLRGR_ SF01(config-line)#exit
Vision2000_FLRGR_ SF01(config)# ip domain-name
Vision2000_FLRGR_ SF01(config)#crypto key generate rsa
Vision2000_FLRGR_ SF01(config)# access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_ SF01(config)# line vty 0 4
Vision2000_FLRGR_ SF01(config-line) # access-class 10 in
Vision2000_FLRGR_ SF01(config)# transport input ssh
Vision2000_FLRGR_DMZ01(config) # line console 0

Vision2000_FLRGR_DMZ01(config-line)#password Vision2000!t20o2
Vision2000_FLRGR_DMZ01(config-line)# login
Vision2000_FLRGR_DMZ01(config-line)#exit
Vision2000_FLRGR_DMZ01(config)# ip domain-name
Vision2000_FLRGR_DMZ01(config)#crypto key generate rsa
Vision2000_FLRGR_DMZ01(config) # access-list 10 permit 192.168.100.0 0.0.0.255
Vision2000_FLRGR_DMZ01(config)# line vty 0 4
Vision2000_FLRGR_DMZ01(config-line)# access-class 10 in
Vision2000_FLRGR_DMZ01(config)# transport input ssh
AAA configuration
Collapsed Core Switch 01
Vision2000_FLRGR_CC01(config) # username admin@ Vision2000password Vision2000!t20o2
Vision2000_FLRGR_CC01(config) # AAA new-model
Vision2000_FLRGR_CC01(config-AAA) # aaa authentication login default local
Vision2000_FLRGR_CC01(config-AAA) #aaa authorization exec local
Vision2000_FLRGR_CC02(config) # username admin@c Vision2000password Vision2000!t20o2
Vision2000_FLRGR_CC02(config) # AAA new-model
Vision2000_FLRGR_CC02(config-AAA) # aaa authentication login default local
Vision2000_FLRGR_CC02(config-AAA) #aaa authorization exec local
Server farm switch

Vision2000_FLR07_SF01(config) # username admin@ Vision2000 password Vision2000!t20o2
Vision2000_FLR07_SF01(config) # AAA new-model
Vision2000_FLR07_SF01(config-AAA) # aaa authentication login default local
Vision2000_FLR07_SF01(config-AAA) #aaa authorization exec local
DMZ switch
Vision2000_FLR07_DMZ01(config) # username admin@ Vision2000 password Vision2000!t20o2
Vision2000_FLR07_DMZ01(config) # AAA new-model
Vision2000_FLR07_DMZ01(config-AAA) # aaa authentication login default local
Vision2000_FLR07_DMZ01(config-AAA) #aaa authorization exec local

Seven floor Access switch 01
Vision2000_FLR07_AS01(config) # username admin@ Vision2000 password Vision2000!t20o2
Vision2000_FLR07_AS01(config) # AAA new-model
Vision2000_FLR07_AS01(config-AAA) # aaa authentication login default local
Vision2000_FLR07_AS01(config-AAA) #aaa authorization exec local
Dynamic host configuration protocol (DHCP) snooping

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that
determines which switch ports can respond to DHCP requests. Ports are identified as trusted and
untrusted.
Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of
DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a
DHCP response is seen on an untrusted port, the port is shut down.
In our projct, we will configure the number of DHCP packets per second that an interface can receive.
Vision2000_FLRGR_CC01(config) # interface rang gig1/0-6

Vision2000_FLRGR_CC01(config) # ip dhcp-snooping trust
Vision2000_FLRGR_CC01(config) # ip dhcp-snooping limit rate 100
Vision2000_FLRGR_CC02(config) # interface rang gig1/0-6

Vision2000_FLRGR_CC02(config) # ip dhcp-snooping trust
Vision2000_FLRGR_CC01(config) # ip dhcp-snooping limit rate 100
BPDU and loop guard Configuration

Vision2000_FLRGR_CC01(config)# spanning-tree portfast bpduguard
Vision2000_FLRGR_CC01(config)# errdisable recovery cause bpduguard
Vision2000_FLRGR_CC01(config)# errdisable recovery interval 400
Vision2000_FLRGR_CC01(config)# spanning-tree loopguard default
Vision2000_FLRGR_CC02(config)# spanning-tree portfast bpduguard

Vision2000_FLRGR_CC02(config)# errdisable recovery cause bpduguard
Vision2000_FLRGR_CC02(config)# errdisable recovery interval 400
Vision2000_FLRGR_CC02(config)# spanning-tree loopguard default
Vision2000_FLRGR_AS01(config)# spanning-tree portfast bpduguard

Vision2000_FLRGR_AS01(config)# errdisable recovery cause bpduguard
Vision2000_FLRGR_AS01(config)# errdisable recovery interval 400
Vision2000_FLRGR_AS01(config)# spanning-tree loopguard default
Service and protocol security configuration

Vision2000_FLRGR_EF01(config) # no cdp run
Vision2000_FLRGR_EF01(config) # no cdp enable
Vision2000_FLRGR_EF01(config-line) # no ip http server
Vision2000_FLRGR_EF01(config)# no ip domain-lookup
Vision2000_FLRGR_IF01(config)# no cdp run

Vision2000_FLRGR_IF01(config)# no cdp enable
Vision2000_FLRGR_IF01(config-line)# no ip http server
Vision2000_FLRGR_IF01(config)# no ip domain-lookup
Vision2000_FLRGR_CC01(config)# no cdp run

Vision2000_FLRGR_CC01(config)# no cdp enable
Vision2000_FLRGR_CC01(config-line)# no ip http server
Vision2000_FLRGR_CC01(config)# no ip domain-lookup
Vision2000_FLRGR_CC02(config)# no cdp run

Vision2000_FLRGR_CC02(config)# no cdp enable
Vision2000_FLRGR_CC02(config-line)# no ip http server
Vision2000_FLRGR_CC02(config)# no ip domain-lookup
Vision2000_FLRGR_DMZ01(config)# no cdp run

Vision2000_FLRGR_ DMZ01(config)# no cdp enable
Vision2000_FLRGR_ DMZ01(config-line)# no ip http server
Vision2000_FLRGR_ DMZ01(config)# no ip domain-lookup
Vision2000_FLRGR_SF01(config)# no cdp run

Vision2000_FLRGR_SF01(config)# no cdp enable
Vision2000_FLRGR_SF01(config-line) # no ip http server
Vision2000_FLRGR_SF01(config)# no ip domain-lookup
Vision2000_FLR07_AS01(config)# no cdp run

Vision2000_FLR07_AS01(config)# no cdp enable
Vision2000_FLR07_AS01(config-line)# no ip http server
Vision2000_FLR07_AS01(config)# no ip domain-lookup
Vision2000_FLR07_AS01(config)#interface range fa0/1-24

Vision2000_FLR07_AS01(config)#switchport port0-security
10. Running configuration
Core switch_01 Running configuration
Vision2000_FLR00_CC01#show running-config
Building configuration...
Current configuration : 11062 bytes

!
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Vision2000_FLR07_CC01
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-vrf

!
address-family ipv4
exit-address-family
!
--More--
*Feb 02 04:24:50.865: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to
up
*Feb 02 04:24:51.868: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet1/0/1, changed state to up
address-family ipv6
exit-address-family
!
enable secret 5 $1$MGhO$FNTsZafywLO3uon81fFNP/
enable password 7 1511032C166B3F76783C67
!
username charityadmin password 7 094F46290B4403405B0356
no aaa new-model
switch 1 provision ws-c3850-24t
!
ip routing
!
ip domain-name Vision2000
ip dhcp excluded-address 192.168.5.1 192.168.5.15

!
ip dhcp pool vlan05
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.65.5 213.55.96.148 4.2.2.2
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
dns-server 192.168.65.5 213.55.96.148 4.2.2.2
!
ip dhcp pool vlan15
network 192.168.15.0 255.255.255.0
dns-server 192.168.65.5 213.55.96.148 4.2.2.2
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
dns-server 192.168.65.5 213.55.96.148 4.2.2.2
!
ip dhcp pool vlan100
network 192.168.100.0 255.255.255.0
dns-server 192.168.65.5 213.55.96.148 4.2.2.2
!
qos queue-softmax-multiplier 100
!
crypto pki trustpoint TP-self-signed-3470558
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3470558
revocation-check none
rsakeypair TP-self-signed-3470558
!
crypto pki certificate chain TP-self-signed-3470558
certificate self-signed 01
30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2E312C30 2A060355 04031323 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343730 35353830 1E170D31 36303830 39303134 3931345A
170D3230 30313031 30303030 30305A30 2E312C30 2A060355 04031323 494F532D
53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33343730 35353830
819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 A675ABC4
145C76E6 BBF926D1 FF4C7671 75B4C021 BEF77F88 91ADA6A5 D87129EE 1829B6ED
BBBF6092 C3FF48AA 0F511F92 BE61476C F458FFD8 1A16F27B E23EF823 5B346F4F
1A765418 8E3D0421 4A1390C3 223F0D84 35AFFDA4 94B72BCE 1D127AE0 858D59F3

ABA02D75 425ABBC2 41239873 BFD2B15E 958D8062 9BAC9778 A0300AFB 02030100
01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 23041830
168014C9 B2DAB219 67987A43 A3E10B7C AFBBC942 D7744C30 1D060355 1D0E0416
0414C9B2 DAB21967 987A43A3 E10B7CAF BBC942D7 744C300D 06092A86 4886F70D
01010505 00038181 003CA94B 4DBD8786 CD17CEFB 91A65CBD 357F5E39 F966E1FE
11398CD3 28FBD9DF 172CB3E4 FF0441B0 C5F5BCA7 3AC0BB83 5BA224A1 62475475
91D33358 0052722A F8B10B15 2829E4B0 43348509 FEC457D3 B5DEF942 AED05F89
89C828DA C32199E5 9046BCCB C4FEC9D9 DC0EE4AA F4FA1B8F BC72E888 146C80CC
470A8DFF EA8B4995 32
quit
diagnostic bootup level minimal
port-channel load-balance src-dst-mac
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 5,10,15 priority 4096
spanning-tree vlan 20,65,100 priority 8192
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
interface Port-channel1
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
storm-control broadcast level 70.00
storm-control multicast level 70.00
storm-control action shutdown
ip dhcp snooping limit rate 100
ip dhcp snooping trust
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
description link_CC01_TO_IF01
no switchport
ip address 192.168.60.9 255.255.255.252
!
description link_CC01_TO_EF01
no switchport
ip address 192.168.60.1 255.255.255.252
!
description link_CC01_TO_CC02
channel-protocol pagp
channel-group 1 mode desirable
!
description link_CC01_TO_CC02
channel-protocol pagp
channel-group 1 mode desirable
!
!
!
!
!
interface TenGigabitEthernet1/1/1
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 192.168.5.2 255.255.255.0
standby 1 priority 200
standby 1 preempt delay minimum 30
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
standby 1 ip 192.168.10.1
!
interface Vlan15
ip address 192.168.15.2 255.255.255.0
standby 1 ip 192.168.15.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
standby 1 ip 192.168.20.1
!
interface Vlan65
no ip address
!
interface Vlan99
ip address 192.168.99.2 255.255.255.0
!
interface Vlan100
ip address 192.168.100.2 255.255.255.0
standby 1 ip 192.168.100.1
!
interface Vlan130
no ip address
!
router ospf 100
router-id 10.0.0.1
passive-interface default
no passive-interface GigabitEthernet1/0/21
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.3 area 0
network 192.168.60.8 0.0.0.3 area 0
network 192.168.100.0 0.0.0.255 area 0
default-information originate always
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.131.235.44
!
!
access-list 10 permit 192.168.100.0 0.0.0.255
!
!
banner login ^C
Welcome to Vision2000_FLR00_CC01
##########################################
# This is a Login banner used to show #
# legal and privacy information. #
# #
# Unauthorized users prohibited #
##########################################
^C
!
line con 0
password 7 00071B26161A1F545F2E1E
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
password 7 0307532B144E351E1E064B
logging synchronous
login local
transport input all
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end
Running configuration for Externalfirewall
Vision2000_FF00-EF01# show running-config

: Saved
:
: Serial Number: FCH2020JE1A
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4
!
hostname Vision2000-FF00-EF01
domain-name Vision2000
enable password Kr2uDB1Ky2XBaepb encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain

names
!
nameif outside
security-level 0
ip address 10.131.235.44 255.255.255.248
!
description LINK_EF01_TO_CC01
nameif inside
security-level 100
ip address 192.168.60.2 255.255.255.252
!
description LINK_EF01_TO_CC02
nameif inside01
security-level 100
ip address 192.168.60.6 255.255.255.252
!
description LINK_EF01_TO_DM01
nameif DMZ
security-level 50
ip address 192.168.60.17 255.255.255.252
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name chsa.gov.et
same-security-traffic permit inter-interface
object network inside01-nat
subnet 192.168.0.0 255.255.0.0
object network net-inside
object network inside_net
object network iside_net
object network inside-nat
subnet 192.168.0.0 255.255.0.0
object network PUBLIC-IP-PAT
host 197.156.101.137
description inside to outside nat(pat)
object network PORTAL-NAT
host 192.168.130.5
description nat for web server
object network PUBLIC-WEB-IP
host 197.156.101.138
description nat for portal server
access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq www
access-list outside-to-webserver extended permit tcp any host 192.168.130.5 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside01 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.65.25 inside
icmp permit host 192.168.65.25 inside01
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside01-nat
nat (inside01,outside) dynamic PUBLIC-IP-PAT
object network inside-nat
nat (inside,outside) dynamic PUBLIC-IP-PAT
object network PORTAL-NAT
nat (DMZ,outside) static PUBLIC-WEB-IP service tcp www www
access-group outside-to-webserver in interface outside
router ospf 100
router-id 10.0.0.3
network 10.131.235.40 255.255.255.248 area 0
network 192.168.60.0 255.255.255.252 area 0
network 192.168.60.4 255.255.255.252 area 0
network 192.168.60.16 255.255.255.252 area 0
log-adj-changes
redistribute static subnets
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 10.131.235.42 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside01
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username charityadmin password vgeKLDSERqj5iBL2 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 19
subscribe-to-alert-group configuration periodic monthly 19
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:605926f12a0f585a114296d438bb795f
: end
Running configuration for DMZ switch
Vision2000_FLR00_DMZ01#show running-config

!
!
version 15.0
no service pad
service password-encryption
service compress-config
!
hostname Vision2000_FLR07_DMZ01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$fZ1p$3joqHosU84g8KR1FZemj30
enable password 7 1511032C166B3F76783C67
!
username Vision2000admin password 7 070C296C5C480D57471D59
no aaa new-model
switch 1 provision ws-c3650-24ts
ip routing
!
ip device tracking
!
!
vtp domain Vision2000
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3944390644
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3944390644
revocation-check none
rsakeypair TP-self-signed-3944390644
!
!
crypto pki certificate chain TP-self-signed-3944390644
certificate self-signed 01
30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393434 33393036 3434301E 170D3136 30383131 30393038
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343433
39303634 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D790 5E6E1C12 11E4C5DC B1DBA5E7 45257310 571EB8D4 9A580A0B 5AC2BCF0
110BC5C5 723B4BEB F45F12B0 56588895 7EE1C9B4 CC162D9A 3497D36B 840246A5
D713C781 2CF6429E 3236C083 42D6594E FD1D1576 C4C2FCE3 31CAE69B
DD68F020AE5097D1 A2DE4717 22A31E5B 7AF675BD 1744993E 456D5C77 43C5C3AC
E2BAB2EDA9790203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF
30270603551D1104 20301E82 1C434853 415F464C 5230375F 444D5A30 312E6368
73612E676F762E65 74301F06 03551D23 04183016 80146567 B123C24D 008B8216 0954AAF6

2EFD948F 4B6C301D 0603551D 0E041604 146567B1 23C24D00 8B821609 54AAF62EFD948F4B
6C300D06 092A8648 86F70D01 01040500 03818100 1541F1F1 2ED535C4D461BA89 030D2FCB
8E7C5399 58683D5E 75A44955 D585D709 AF998072 2BAFB8FE3D1B7B33 A2FB1CB7
E2EBB87C B12DDD6D 9FC6EAEE 0EC22A0C 5950068C 921ABD69EB9D9EE7 C2ADFBFD
919C12C7 0E22FBD4 B65FEE4F E6F45BD8 1F9084E2 A0E6BB387A1A5DDD 14C6FBD1
543350C4 1FDF320C 1A3FF6D1 FDD43FA0
quit
!
diagnostic bootup level minimal
spanning-tree mode pvst
!
redundancy
mode sso
!
!
vlan 130
name DMZ
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
switchport access vlan 130
switchport mode access
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
description LINK_DMZ_TO_EF01
no switchport
ip address 192.168.60.18 255.255.255.252
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan130
ip address 192.168.130.1 255.255.255.0
!
router ospf 100
router-id 10.0.0.5
network 192.168.60.16 0.0.0.3 area 0
network 192.168.130.0 0.0.0.255 area 0
!
ip default-gateway 192.168.130.1
ip http server
ip http authentication local
ip http secure-server
!
!
banner login ^C
Welcome to Vision2000_FLR00_DMZ01
##########################################
# #
##########################################
^C
!
line con 0
password 7 121A0D37004A18567A2476
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
password 7 070C296C5C480D57471D59
logging synchronous
login local
transport input all
line vty 5 15
login
!
wsma agent exec
wsma agent config
wsma agent filesys
wsma agent notify
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener

transport https
ap group default-group
end
Running configuration for server farm switch
Vision2000_FLRGR_SF01#show Running-config

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Vision2000_FLRGR_SF01
!
enable secret 5 $1$Q6Mx$TQLJZXZcjNZwtZ9wnie5C/
!
username Vision2000admin password 0 Vision2000!t20o2
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
!
vlan internal allocation policy ascending
!
!
!

!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 65,100
!
description LINK-SF01-TO-IF01
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan65
ip address 192.168.65.254 255.255.255.0
!
ip default-gateway 192.168.65.1
ip classless
ip http server
!
!
control-plane
!
banner login ^CC
Welcome to Vision2000_FL07_SF01


# #
##########################################
^C
!
line con 0
password Vision2000!t20o2
login
line vty 0 4
access-class 10 in
login local
transport input telnet
line vty 5 15
login
!
End
Running configuration for Access switch_01
Vision2000_FL07_AS01#show running-config

!
version 12.2
no service pad
no service password-encryption
!
hostname Vision2000_FL07_AS01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Txe4$/rr1AbERFSyMHWJrO9Dl20
!
username Vision2000admin password 0 Vision2000!t20o2
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
errdisable recovery cause bpduguard
errdisable recovery interval 200
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport port-security
spanning-tree portfast
!
!
!
!
!

!
!
!
!
!
!
!

!
!
!
!
!
!
!

!
!
!
!
!
!
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan100
ip address 192.168.100.5 255.255.255.0
no ip route-cache
!
no ip http server
no cdp run
!
control-plane
!
banner login ^CC
Welcome to Vision2000_FL07_AS01
^C
!
line con 0
password Vision2000!t20o2
login local
line vty 0 4
access-class 10 in
login local
transport input telnet
line vty 5 15
login
!
end

Vision 2000 Network Design Proposal

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Vision 2000 Network Design Proposal

Diunggah oleh

Hak Cipta:

Format Tersedia

VISION 2000 NETWORK INFRASTRUCTURE AND

NETWORK SYSTEMS DOCUMENT

Under the Supervision of

Objective of the project.................................................................................................................................................10

2. Scope of the project .............................................................................................................................................11

Out scope ......................................................................................................................................................................... 11

4. Traffic Flow Analysis .............................................................................................................................................12

Identify Company (the customer) requirements .............................................................................................................. 13

Network Infrastructure Design ........................................................................................................................................ 14

Design Philosophy ............................................................................................................................................................ 14

6. Devices, VLAN, IP addressing and Connectivity ....................................................................................................19

Device Naming ................................................................................................................................................................. 21

VLAN Benefits .................................................................................................................................................................. 22

Types of VLAN .................................................................................................................................................................. 23

VLAN Membership ........................................................................................................................................................... 24

VLAN Design .................................................................................................................................................................... 25

VLAN IP Addressing .......................................................................................................................................................... 27

Management VLAN ......................................................................................................................................................... 27

Point to point connection IP addressing .......................................................................................................................... 27

Hardware Overview ......................................................................................................................................................... 28

Rack Layout Design ......................................................................................................................................................... 32

Hardware Physical Connectivity ...................................................................................................................................... 32

Device Connectivity Labeling ........................................................................................................................................... 34

Physical LAN Design ......................................................................................................................................................... 35

Switch VLAN Interface (SVI) configuration....................................................................................................................... 38

Switch Port Configuration ................................................................................................................................................ 40

Switch Link Aggregation .................................................................................................................................................. 47

Spanning Tree Protocol (STP) ........................................................................................................................................... 50

High Availability and Load Balancing .............................................................................................................................. 54

VLAN to Node analysis ..................................................................................................................................................... 55

Dynamic Host Configuration Protocol ............................................................................................................................. 57

7. Switches DHCP Configuration ...............................................................................................................................59

Static routing ................................................................................................................................................................... 60

Dynamic routing .............................................................................................................................................................. 61

Configuring Default Route ............................................................................................................................................... 63

Perimeter Security Configuration .................................................................................................................................... 66

Configure login banner ............................................................................................................................................... 69

Internal network Services ................................................................................................................................................ 74

10. Running configuration ..........................................................................................................................................87

Core switch_01 Running configuration ............................................................................................................................ 87

Running configuration for Externalfirewall ..................................................................................................................... 95

Running configuration for DMZ switch ............................................................................................................................ 99

Running configuration for server farm switch ............................................................................................................... 105

Running configuration for Access switch_01 ................................................................................................................. 109

Table 2: IP addressing design ……………...………………….….……………........ 27

Table 3: Management IP addressing design for Vision 2 …..……..…….…………..…… 27

Table 4 MT site Point to Point IP addressing design ………...……….…….…………… 28

Table 5: Etherchannel mode and protocols …...………………………………………. 49

Table 6: Rapid_pvst configuration ………………………………………...................... 52

Table 9: Basic Configuration components of Firewall …………..……………………… 69

Table 10: Network object group …………………..…………………………..…..…….. 73

Table 11: Service-Based Object Group Configuration ………………………...……….. 73

Table 12: ACL Description from Internet to Internal Network............................................. 75

Table 14: ACL Description from Internal Users to DMZ Server…………..…………...… 75

Table 15: ACL Description from Internal Users to Internet ………………..…..………….. 75

Table 16: ACL Description from DMZ to Internet ………………………...……………. 76

Table 17: ACL Description from Internet to DMZ ……………………................................. 76

Figure 1 Traffic Flow Analysis …………………………..…....………... 13

Figure 2 SONA framework ……………………………..…...……........... 16

Figure 3 Hierarchical LAN design Methodology …………………..……... 19

Figure 4 Logical Design ………………………………………..…..…….. 20

Figure 5 Rack Layout Design …………………………………..…..…….. 32

Figure 6 Zone Based Interface ………………………..………………..…. 67