Assessment Title: Networking Project
Programme Title: BACHELOR OF ICT
Course No.: ITB6003
Course Title:
Student Name:
Student ID:
Title:
This report was requested by Dr. Dimitrios Liarokapis, Networking and Data
Communications tutor within the ICT department at Bahrain Polytechnic. The
due date of the report and the implemented network for Global Insurance
Services Company is the 22nd of December 2013. This report was done by Reem
Ali, Taiba Husain and Fatima Muhasien.
Abstract
This report will provide a description of the network topology of Global
Insurance Services (GIS) Company and its requirements. Firstly, it will
discuss the advantages of creating VLANs for the departments in each branch.
Secondly, it will present a private IPv4 addressing scheme for the network.
Thirdly, it will design security and redundancy measures to protect the
network from failures. Then it will give details on adding wireless access to
each site of the network, on using Permanent Virtual Circuits (PVCs) to
connect the branches, and on adding Network Address Translation (NAT) and
Port Address Translation (PAT) at the Geneva site to translate private IP
addresses to public IP addresses. After that, it will explain the design of
access lists that restrict specific users from accessing the network.
Furthermore, it will give recommendations on how the company can implement
IPv6 in the future.
Acknowledgements
Thanks to Mr. Dimitrios Liarokapis for his help and support in the project.
He helped in correcting the mistakes that had been made in the VLSM process
and he provided a better understanding of the project requirements. Moreover,
he allocated project classes that allowed us to work on the project and ask
questions.
Page 2 of 46
Table of Contents
Title .... 2
Abstract .... 2
Acknowledgements .... 2
Introduction .... 5
1. Step 1: VLANs .... 6
1.2 VLANs for each branch .... 6
1.2.1 Switzerland - Geneva Branch .... 6
1.2.2 France Paris Branch .... 7
1.2.3 China Beijing .... 7
1.2.4 South Africa Cape Town .... 8
1.2.5 Bahrain Manama .... 8
1.2.6 Canada Montreal .... 9
1.2.7 UAE Dubai .... 9
2.
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6 Canada Montreal .... 20
2.1.7
2.2
2.3 Banners configuration .... 25
4.
5.
6.
7.
8.
9. Step 9: IPv6 .... 34
Conclusion .... 35
Reference List .... 36
Introduction
This report aims to implement a network infrastructure for Global Insurance
Services (GIS) Company. It will present the requirements of all branches of
the company. It will also include detailed steps describing the technologies
used to enhance the GIS network, such as VLANs to separate users of different
types. In addition, it will configure a data link encapsulation method to
connect GIS with the Internet provider. Moreover, WAN technology will be used
to allow the branches to communicate with each other. To control network
access, Access Control Lists (ACLs) will be designed to restrict access
rights. Last but not least, it will provide recommendations on how IPv6 will
be implemented in the future.
1. Step 1: VLANs
A Virtual Local Area Network (VLAN) is a group of devices with the same
requirements. It segments the Local Area Network (LAN) logically into multiple
broadcast domains. The purpose of creating VLANs is to separate users that
belong to different groups: users of the same type are grouped into the same
VLAN.
There are several reasons that encouraged the Global Insurance Services (GIS)
Company to create VLANs. Firstly, VLANs improve the performance of the
network because they prevent broadcast traffic from being sent to unnecessary
destinations; broadcasts are sent only within the VLAN. In addition, VLANs
divide large broadcast domains into smaller ones, which also gives better
performance. With VLANs, the network administrator can assign users to a
specific VLAN by controlling the ports. This improves security and efficiency
because only users within the same VLAN are permitted to access its sensitive
data, while users of other VLANs are denied. Better yet, creating VLANs will
reduce the number of routers and switches needed, and therefore reduce costs
and save money for the company ("Benefits of VLANs").
1.2 VLANs for each branch
1.2.1 Switzerland - Geneva Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 80 | WVLAN | This VLAN is created for the wireless devices.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table1: Switzerland VLANs
1.2.2 France Paris Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table2: France VLANs
1.2.3 China Beijing Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table3: China VLANs
1.2.4 South Africa Cape Town Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table4: South Africa VLANs
1.2.5 Bahrain Manama Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table5: Bahrain VLANs
1.2.6 Canada Montreal Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table6: Canada VLANs
1.2.7 UAE Dubai Branch
VLAN ID | VLAN name | Description
VLAN 1 | Default VLAN | VLAN 1 is created by default and it cannot be deleted or altered.
VLAN 10 | Management | This VLAN is created for management staff because they have the same requirements.
VLAN 20 | Marketing | This VLAN is created for marketing staff because they have the same requirements.
VLAN 30 | Accounting | This VLAN is created for accounting staff because they have the same requirements.
VLAN 40 | IT | This VLAN is created for IT staff because they have the same requirements.
VLAN 50 | Administration | This VLAN is created for administration staff because they have the same requirements.
VLAN 60 | Training | This VLAN is created for training staff because they have the same requirements.
VLAN 70 | Other | This VLAN is created for other staff because they have the same requirements.
VLAN 99 | Native VLANs | This VLAN allows the switches to communicate with each other or with the router on a trunk link.
Table7: UAE VLANs
2.1.1 Switzerland Geneva
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask | VLAN number
Management | 10 | 172.16.1.144 | 172.16.1.145 - 172.16.1.158 | 172.16.1.159 | /28 | 255.255.255.240 | 10
Marketing | 20 | 172.16.0.160 | 172.16.0.161 - 172.16.0.190 | 172.16.0.191 | /27 | 255.255.255.224 | 20
Accounting | 10 | 172.16.1.128 | 172.16.1.129 - 172.16.1.142 | 172.16.1.143 | /28 | 255.255.255.240 | 30
IT | 15 | 172.16.1.32 | 172.16.1.33 - 172.16.1.62 | 172.16.1.63 | /27 | 255.255.255.224 | 40
Administration | 30 | 172.16.0.0 | 172.16.0.1 - 172.16.0.62 | 172.16.0.63 | /26 | 255.255.255.192 | 50
Training | 20 | 172.16.0.192 | 172.16.0.193 - 172.16.0.222 | 172.16.0.223 | /27 | 255.255.255.224 | 60
Other | 25 | 172.16.0.128 | 172.16.0.129 - 172.16.0.158 | 172.16.0.159 | /27 | 255.255.255.224 | 70
Native VLANs | 12 | 172.16.1.160 | 172.16.1.161 - 172.16.1.174 | 172.16.1.175 | /28 | 255.255.255.240 | 99
WVLAN | - | 172.16.3.124 | 172.16.3.125 - 172.16.3.126 | 172.16.3.127 | /30 | 255.255.255.252 | 80
WLAN | 30 | 172.16.0.64 | 172.16.0.65 - 172.16.0.126 | 172.16.0.127 | /26 | 255.255.255.192 | -
Table8: Switzerland IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
Geneva R1 | Fa0/0.10 | 172.16.1.145 | 255.255.255.240 | -
Geneva R1 | Fa0/0.20 | 172.16.0.161 | 255.255.255.224 | -
Geneva R1 | Fa0/0.30 | 172.16.1.129 | 255.255.255.240 | -
Geneva R1 | Fa0/0.40 | 172.16.1.33 | 255.255.255.224 | -
Geneva R1 | Fa0/0.50 | 172.16.0.1 | 255.255.255.192 | -
Geneva R1 | Fa0/0.60 | 172.16.0.193 | 255.255.255.224 | -
Geneva R1 | Fa0/0.70 | 172.16.0.129 | 255.255.255.224 | -
Geneva R1 | Fa0/0.80 | 172.16.3.121 | 255.255.255.252 | -
Geneva R1 | Fa0/0.99 | 172.16.1.161 | 255.255.255.240 | -
Geneva R1 | Fa0/1 | 150.3.1.3 | 255.255.255.240 | -
Geneva R1 | S0/1/0.102 | 172.16.3.125 | 255.255.255.252 | -
Geneva R1 | S0/1/0.103 | 172.16.3.133 | 255.255.255.252 | -
Geneva R1 | S0/1/0.104 | 172.16.3.137 | 255.255.255.252 | -
Geneva R1 | S0/1/0.105 | 172.16.3.145 | 255.255.255.252 | -
Geneva R1 | S0/1/0.106 | 172.16.3.129 | 255.255.255.252 | -
Geneva R1 | S0/1/0.107 | 172.16.3.141 | 255.255.255.252 | -
GenevaS0 Core | Vlan 99 | 172.16.1.162 | 255.255.255.240 | 172.16.1.161
GenevaS1 Distribution 1 | Vlan 99 | 172.16.1.163 | 255.255.255.240 | 172.16.1.161
GenevaS2 Distribution 2 | Vlan 99 | 172.16.1.164 | 255.255.255.240 | 172.16.1.161
GenevaS3 Access 1 | Vlan 99 | 172.16.1.165 | 255.255.255.240 | 172.16.1.161
GenevaS4 Access 2 | Vlan 99 | 172.16.1.166 | 255.255.255.240 | 172.16.1.161
GenevaS5 Access 3 | Vlan 99 | 172.16.1.167 | 255.255.255.240 | 172.16.1.161
GenevaS6 Access 4 | Vlan 99 | 172.16.1.168 | 255.255.255.240 | 172.16.1.161
GenevaS7 Access 5 | Vlan 99 | 172.16.1.169 | 255.255.255.240 | 172.16.1.161
GenevaS8 Access 6 | Vlan 99 | 172.16.1.170 | 255.255.255.240 | 172.16.1.161
GenevaS9 Access 7 | Vlan 99 | 172.16.1.171 | 255.255.255.240 | 172.16.1.161
PC1 (Administration) | NIC | 172.16.0.62, 172.16.0.61 | 255.255.255.192 | 172.16.0.1
PC2 (Accounting) | NIC | 172.16.1.142 | 255.255.255.240 | 172.16.1.129
PC3 (Training) | NIC | 172.16.0.222 | 255.255.255.224 | 172.16.0.193
PC4 (IT) | NIC | 172.16.1.62 | 255.255.255.224 | 172.16.1.33
PC5 (Management) | NIC | 172.16.1.158 | 255.255.255.240 | 172.16.1.145
PC6 (others) | NIC | 172.16.0.158, 172.16.0.157 | 255.255.255.224 | 172.16.0.129
PC7 (Marketing) | NIC | 172.16.0.190 | 255.255.255.224 | 172.16.0.161
Web server | NIC | 150.3.1.2 | 255.255.255.240 | 150.3.1.3
Email server | NIC | 150.3.1.1 | 255.255.255.240 | 150.3.1.3
Geneva WR | WAN | 172.16.3.122 | 255.255.255.252 | 172.16.3.121
Geneva WR | LAN/Wireless | 172.16.0.65 | 255.255.255.192 | 172.16.3.121
Table9: Switzerland devices IP addresses
Device Name | Mode | Domain Name | Password
GenevaS0 Core | Server | project | cisco
GenevaS1 Distribution 1 | Client | project | cisco
GenevaS2 Distribution 2 | Client | project | cisco
GenevaS3 Access 1 | Client | project | cisco
GenevaS4 Access 2 | Client | project | cisco
GenevaS5 Access 3 | Client | project | cisco
GenevaS6 Access 4 | Client | project | cisco
GenevaS7 Access 5 | Client | project | cisco
GenevaS8 Access 6 | Client | project | cisco
GenevaS9 Access 7 | Client | project | cisco
Table10: Switzerland VTP table
2.1.2 France Paris
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask | VLAN number
Management | 5 | 172.16.2.64 | 172.16.2.65 - 172.16.2.78 | 172.16.2.79 | /28 | 255.255.255.240 | 10
Marketing | 10 | 172.16.1.208 | 172.16.1.209 - 172.16.1.222 | 172.16.1.223 | /28 | 255.255.255.240 | 20
Accounting | - | 172.16.2.48 | 172.16.2.49 - 172.16.2.62 | 172.16.2.63 | /28 | 255.255.255.240 | 30
IT | 10 | 172.16.1.192 | 172.16.1.193 - 172.16.1.206 | 172.16.1.207 | /28 | 255.255.255.240 | 40
Administration | 10 | 172.16.1.176 | 172.16.1.177 - 172.16.1.190 | 172.16.1.191 | /28 | 255.255.255.240 | 50
Other | 15 | 172.16.1.64 | 172.16.1.65 - 172.16.1.94 | 172.16.1.95 | /27 | 255.255.255.224 | 70
Native VLANs | - | 172.16.2.80 | 172.16.2.81 - 172.16.2.94 | 172.16.2.95 | /28 | 255.255.255.240 | 99
Table11: France IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
ParisR1 | Fa0/0.10 | 172.16.2.65 | 255.255.255.240 | -
ParisR1 | Fa0/0.20 | 172.16.1.209 | 255.255.255.240 | -
ParisR1 | Fa0/0.30 | 172.16.2.49 | 255.255.255.240 | -
ParisR1 | Fa0/0.40 | 172.16.1.193 | 255.255.255.240 | -
ParisR1 | Fa0/0.50 | 172.16.1.177 | 255.255.255.240 | -
ParisR1 | Fa0/0.70 | 172.16.1.65 | 255.255.255.224 | -
ParisR1 | Fa0/0.99 | 172.16.2.81 | 255.255.255.240 | -
ParisR1 | Serial0/0/0.201 | 172.16.3.126 | 255.255.255.252 | -
ParisR1 | Serial0/0/0.23 | 172.16.3.149 | 255.255.255.252 | -
ParisR1 | Serial0/0/0.204 | 172.16.3.153 | 255.255.255.252 | -
ParisR1 | Serial0/0/0.205 | 172.16.3.157 | 255.255.255.252 | -
ParisR1 | Serial0/0/0.206 | 172.16.3.161 | 255.255.255.252 | -
ParisR1 | Serial0/0/0.207 | 172.16.3.165 | 255.255.255.252 | -
ParisS1 Core | Vlan 99 | 172.16.2.82 | 255.255.255.240 | 172.16.2.81
ParisS2 Distribution 1 | Vlan 99 | 172.16.2.83 | 255.255.255.240 | 172.16.2.81
ParisS3 Distribution 2 | Vlan 99 | 172.16.2.84 | 255.255.255.240 | 172.16.2.81
ParisS4 Access 1 | Vlan 99 | 172.16.2.85 | 255.255.255.240 | 172.16.2.81
ParisS5 Access 2 | Vlan 99 | 172.16.2.86 | 255.255.255.240 | 172.16.2.81
ParisS6 Access 3 | Vlan 99 | 172.16.2.87 | 255.255.255.240 | 172.16.2.81
PC (Marketing) | NIC | 172.16.1.222 | 255.255.255.240 | 172.16.1.209
PC (Administration) | NIC | 172.16.1.190 | 255.255.255.240 | 172.16.1.177
PC (Management) | NIC | 172.16.2.78 | 255.255.255.240 | 172.16.2.65
PC (IT) | NIC | 172.16.1.206 | 255.255.255.240 | 172.16.1.193
PC (Accounting) | NIC | 172.16.2.62 | 255.255.255.240 | 172.16.2.49
PC (others) | NIC | 172.16.1.94 | 255.255.255.224 | 172.16.1.65
Table12: France devices IP addresses
Device Name | Mode | Domain Name | Password
ParisS1 Core | Server | project | cisco
ParisS2 Distribution 1 | Client | project | cisco
ParisS3 Distribution 2 | Client | project | cisco
ParisS4 Access 1 | Client | project | cisco
ParisS5 Access 2 | Client | project | cisco
ParisS6 Access 3 | Client | project | cisco
Table13: France VTP table
2.1.3 China Beijing
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask | VLAN number
Management | 5 | 172.16.2.96 | 172.16.2.97 - 172.16.2.110 | 172.16.2.111 | /28 | 255.255.255.240 | 10
Marketing | 20 | 172.16.1.0 | 172.16.1.1 - 172.16.1.30 | 172.16.1.31 | /27 | 255.255.255.224 | 20
Accounting | 10 | 172.16.1.224 | 172.16.1.225 - 172.16.1.238 | 172.16.1.239 | /28 | 255.255.255.240 | 30
IT | 10 | 172.16.1.240 | 172.16.1.241 - 172.16.1.254 | 172.16.1.255 | /28 | 255.255.255.240 | 40
Administration | 20 | 172.16.0.224 | 172.16.0.225 - 172.16.0.254 | 172.16.0.255 | /27 | 255.255.255.224 | 50
Other | 15 | 172.16.1.96 | 172.16.1.97 - 172.16.1.126 | 172.16.1.127 | /27 | 255.255.255.224 | 70
Native VLANs | - | 172.16.2.32 | 172.16.2.33 - 172.16.2.46 | 172.16.2.47 | /28 | 255.255.255.240 | 99
Table14: China IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
BeijingR1 | Fa0/0.10 | 172.16.2.97 | 255.255.255.240 | -
BeijingR1 | Fa0/0.20 | 172.16.1.1 | 255.255.255.224 | -
BeijingR1 | Fa0/0.30 | 172.16.1.255 | 255.255.255.240 | -
BeijingR1 | Fa0/0.40 | 172.16.1.241 | 255.255.255.240 | -
BeijingR1 | Fa0/0.50 | 172.16.0.255 | 255.255.255.224 | -
BeijingR1 | Fa0/0.70 | 172.16.1.97 | 255.255.255.224 | -
BeijingR1 | Fa0/0.99 | 172.16.2.40 | 255.255.255.240 | -
BeijingR1 | S0/1/0.601 | 172.16.3.130 | 255.255.255.252 | -
BeijingR1 | S0/1/0.602 | 172.16.3.162 | 255.255.255.252 | -
BeijingR1 | S0/1/0.603 | 172.16.3.169 | 255.255.255.252 | -
BeijingR1 | S0/1/0.604 | 172.16.3.173 | 255.255.255.252 | -
BeijingR1 | S0/1/0.605 | 172.16.3.177 | 255.255.255.252 | -
BeijingR1 | S0/1/0.607 | 172.16.3.181 | 255.255.255.252 | -
Beijing S1 Core | Vlan 99 | 172.16.2.33 | 255.255.255.240 | 172.16.2.40
Beijing S2 Distribution 1 | Vlan 99 | 172.16.2.34 | 255.255.255.240 | 172.16.2.40
Beijing S3 Distribution 2 | Vlan 99 | 172.16.2.35 | 255.255.255.240 | 172.16.2.40
Beijing S4 Access 1 | Vlan 99 | 172.16.2.36 | 255.255.255.240 | 172.16.2.40
Beijing S5 Access 2 | Vlan 99 | 172.16.2.37 | 255.255.255.240 | 172.16.2.40
Beijing S6 Access 3 | Vlan 99 | 172.16.2.38 | 255.255.255.240 | 172.16.2.40
Beijing S7 Access 4 | Vlan 99 | 172.16.2.39 | 255.255.255.240 | 172.16.2.40
PC1 (Marketing) | NIC | 172.16.1.30 | 255.255.255.224 | 172.16.1.1
PC2 (Administration) | NIC | 172.16.0.254 | 255.255.255.224 | 172.16.0.255
PC3 (Management) | NIC | 172.16.2.86 | 255.255.255.240 | 172.16.2.97
PC4 (IT) | NIC | 172.16.1.254 | 255.255.255.240 | 172.16.1.241
PC5 (Accounting) | NIC | 172.16.1.238 | 255.255.255.240 | 172.16.1.255
PC6 (others) | NIC | 172.16.1.126 | 255.255.255.224 | 172.16.1.97
Table15: China devices IP addresses
Device Name | Mode | Domain Name | Password
Beijing S1 Core | Server | project | cisco
Beijing S2 Distribution 1 | Client | project | cisco
Beijing S3 Distribution 2 | Client | project | cisco
Beijing S4 Access 1 | Client | project | cisco
Beijing S5 Access 2 | Client | project | cisco
Beijing S6 Access 3 | Client | project | cisco
Beijing S7 Access 4 | Client | project | cisco
Table16: China VTP table
2.1.4 South Africa Cape Town
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask
Management | 3 | 172.16.2.240 | 172.16.2.241 - 172.16.2.246 | 172.16.2.247 | /29 | 255.255.255.248
Marketing | - | 172.16.2.16 | 172.16.2.17 - 172.16.2.30 | 172.16.2.31 | /28 | 255.255.255.240
Accounting | - | 172.16.2.112 | 172.16.2.113 - 172.16.2.126 | 172.16.2.127 | /28 | 255.255.255.240
IT | - | 172.16.2.128 | 172.16.2.129 - 172.16.2.142 | 172.16.2.143 | /28 | 255.255.255.248
Administration | - | 172.16.2.0 | 172.16.2.1 - 172.16.2.14 | 172.16.2.15 | /28 | 255.255.255.240
Other | - | 172.16.2.248 | 172.16.2.249 - 172.16.2.254 | 172.16.2.255 | /29 | 255.255.255.248
Native VLANs | 6 | 172.16.2.224 | 172.16.2.225 - 172.16.2.230 | 172.16.2.231 | /29 | 255.255.255.248
Table17: South Africa IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
CapTownR1 | Fa0/0.10 | 172.16.2.241 | 255.255.255.248 | -
CapTownR1 | Fa0/0.20 | 172.16.2.17 | 255.255.255.240 | -
CapTownR1 | Fa0/0.30 | 172.16.2.113 | 255.255.255.240 | -
CapTownR1 | Fa0/0.40 | 172.16.2.129 | 255.255.255.240 | -
CapTownR1 | Fa0/0.50 | 172.16.2.1 | 255.255.255.240 | -
CapTownR1 | Fa0/0.70 | 172.16.2.249 | 255.255.255.248 | -
CapTownR1 | Fa0/0.99 | 172.16.2.225 | 255.255.255.248 | -
CapTownR1 | S0/1/0.301 | 172.16.3.134 | 255.255.255.252 | -
CapTownR1 | S0/1/0.302 | 172.16.3.150 | 255.255.255.252 | -
CapTownR1 | S0/1/0.304 | 172.16.3.185 | 255.255.255.252 | -
CapTownR1 | S0/1/0.305 | 172.16.3.189 | 255.255.255.252 | -
CapTownR1 | S0/1/0.306 | 172.16.3.170 | 255.255.255.252 | -
CapTownR1 | S0/1/0.307 | 172.16.3.193 | 255.255.255.252 | -
CapTownS1 Core | Vlan 99 | 172.16.2.226 | 255.255.255.248 | 172.16.2.225
CapTownS2 Distribution 1 | Vlan 99 | 172.16.2.227 | 255.255.255.248 | 172.16.2.225
CapTownS3 Distribution 2 | Vlan 99 | 172.16.2.228 | 255.255.255.248 | 172.16.2.225
CapTownS4 Access 1 | Vlan 99 | 172.16.2.229 | 255.255.255.248 | 172.16.2.225
CapTownS5 Access 2 | Vlan 99 | 172.16.2.230 | 255.255.255.248 | 172.16.2.225
PC (Marketing) | NIC | 172.16.2.30 | 255.255.255.240 | 172.16.2.17
PC (Administration) | NIC | 172.16.2.14 | 255.255.255.240 | 172.16.2.1
PC (Management) | NIC | 172.16.2.246 | 255.255.255.248 | 172.16.2.241
PC (IT) | NIC | 172.16.2.142 | 255.255.255.240 | 172.16.2.129
PC (Accounting) | NIC | 172.16.2.126 | 255.255.255.240 | 172.16.2.113
PC (others) | NIC | 172.16.2.254 | 255.255.255.248 | 172.16.2.249
Table18: South Africa devices IP addresses
Device Name | Mode | Domain Name | Password
CapTownS1 Core | Server | project | cisco
CapTownS2 Distribution 1 | Client | project | cisco
CapTownS3 Distribution 2 | Client | project | cisco
CapTownS4 Access 1 | Client | project | cisco
CapTownS5 Access 2 | Client | project | cisco
Table19: South Africa VTP table
2.1.5 Bahrain Manama
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask
Management | 2 | 172.16.3.40 | 172.16.3.41 - 172.16.3.46 | 172.16.3.47 | /29 | 255.255.255.248
Marketing | - | 172.16.3.48 | 172.16.3.49 - 172.16.3.54 | 172.16.3.55 | /29 | 255.255.255.248
Accounting | - | 172.16.3.24 | 172.16.3.25 - 172.16.3.30 | 172.16.3.31 | /29 | 255.255.255.248
IT | - | 172.16.3.32 | 172.16.3.33 - 172.16.3.38 | 172.16.3.39 | /29 | 255.255.255.248
Administration | - | 172.16.2.144 | 172.16.2.145 - 172.16.2.158 | 172.16.2.159 | /28 | 255.255.255.240
Other | - | 172.16.3.56 | 172.16.3.57 - 172.16.3.62 | 172.16.3.63 | /29 | 255.255.255.248
Native VLANs | 5 | 172.16.3.0 | 172.16.3.1 - 172.16.3.6 | 172.16.3.7 | /29 | 255.255.255.248
Table20: Bahrain IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
ManamaR1 | Fa0/0.10 | 172.16.3.41 | 255.255.255.248 | -
ManamaR1 | Fa0/0.20 | 172.16.3.49 | 255.255.255.248 | -
ManamaR1 | Fa0/0.30 | 172.16.3.25 | 255.255.255.248 | -
ManamaR1 | Fa0/0.40 | 172.16.3.33 | 255.255.255.248 | -
ManamaR1 | Fa0/0.50 | 172.16.2.145 | 255.255.255.240 | -
ManamaR1 | Fa0/0.70 | 172.16.3.57 | 255.255.255.248 | -
ManamaR1 | Fa0/0.99 | 172.16.3.1 | 255.255.255.248 | -
ManamaR1 | Serial0/1/0.401 | 172.16.3.138 | 255.255.255.252 | -
ManamaR1 | Serial0/1/0.402 | 172.16.3.154 | 255.255.255.252 | -
ManamaR1 | Serial0/1/0.403 | 172.16.3.186 | 255.255.255.252 | -
ManamaR1 | Serial0/1/0.405 | 172.16.3.197 | 255.255.255.252 | -
ManamaR1 | Serial0/1/0.406 | 172.16.3.174 | 255.255.255.252 | -
ManamaR1 | Serial0/1/0.407 | 172.16.3.201 | 255.255.255.252 | -
ManamaS1 Core | Vlan 99 | 172.16.3.2 | 255.255.255.248 | 172.16.3.1
ManamaS2 Distribution 1 | Vlan 99 | 172.16.3.3 | 255.255.255.248 | 172.16.3.1
ManamaS3 Distribution 2 | Vlan 99 | 172.16.3.4 | 255.255.255.248 | 172.16.3.1
ManamaS4 Access 1 | Vlan 99 | 172.16.3.5 | 255.255.255.248 | 172.16.3.1
PC1 (Marketing) | NIC | 172.16.3.54 | 255.255.255.248 | 172.16.3.49
PC2 (Administration) | NIC | 172.16.2.158 | 255.255.255.240 | 172.16.2.145
PC3 (Management) | NIC | 172.16.3.46 | 255.255.255.248 | 172.16.3.41
PC4 (IT) | NIC | 172.16.3.38 | 255.255.255.248 | 172.16.3.33
PC5 (Accounting) | NIC | 172.16.3.30 | 255.255.255.248 | 172.16.3.25
PC6 (others) | NIC | 172.16.3.62 | 255.255.255.248 | 172.16.3.57
Table21: Bahrain devices IP addresses
Device Name | Mode | Domain Name | Password
ManamaS1 Core | Server | project | cisco
ManamaS2 Distribution 1 | Client | project | cisco
ManamaS3 Distribution 2 | Client | project | cisco
ManamaS4 Access 1 | Client | project | cisco
Table22: Bahrain VTP table
2.1.6 Canada Montreal
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask | VLAN number
Management | 2 | 172.16.3.64 | 172.16.3.65 - 172.16.3.70 | 172.16.3.71 | /29 | 255.255.255.248 | 10
Marketing | - | 172.16.2.192 | 172.16.2.193 - 172.16.2.206 | 172.16.2.207 | /28 | 255.255.255.240 | 20
Accounting | - | 172.16.2.160 | 172.16.2.161 - 172.16.2.174 | 172.16.2.175 | /28 | 255.255.255.240 | 30
IT | - | 172.16.3.8 | 172.16.3.9 - 172.16.3.14 | 172.16.3.15 | /29 | 255.255.255.248 | 40
Administration | - | 172.16.2.176 | 172.16.2.177 - 172.16.2.190 | 172.16.2.191 | /28 | 255.255.255.240 | 50
Other | - | 172.16.2.208 | 172.16.2.225 - 172.16.2.238 | 172.16.2.239 | /28 | 255.255.255.240 | 70
Native VLANs | - | 172.16.2.232 | 172.16.2.233 - 172.16.2.238 | 172.16.2.239 | /29 | 255.255.255.248 | 99
Table23: Canada IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
MontrealR1 | Fa0/0.10 | 172.16.3.65 | 255.255.255.248 | -
MontrealR1 | Fa0/0.20 | 172.16.2.193 | 255.255.255.240 | -
MontrealR1 | Fa0/0.30 | 172.16.2.161 | 255.255.255.240 | -
MontrealR1 | Fa0/0.40 | 172.16.3.9 | 255.255.255.248 | -
MontrealR1 | Fa0/0.50 | 172.16.2.177 | 255.255.255.240 | -
MontrealR1 | Fa0/0.70 | 172.16.2.209 | 255.255.255.240 | -
MontrealR1 | Fa0/0.99 | 172.16.2.233 | 255.255.255.248 | -
MontrealR1 | S0/1/0.701 | 172.16.3.142 | 255.255.255.252 | -
MontrealR1 | S0/1/0.702 | 172.16.3.166 | 255.255.255.252 | -
MontrealR1 | S0/1/0.703 | 172.16.3.194 | 255.255.255.252 | -
MontrealR1 | S0/1/0.704 | 172.16.3.202 | 255.255.255.252 | -
MontrealR1 | S0/1/0.705 | 172.16.3.205 | 255.255.255.252 | -
MontrealR1 | S0/1/0.706 | 172.16.3.182 | 255.255.255.252 | -
MontrealS1 Core | Vlan 99 | 172.16.2.234 | 255.255.255.248 | 172.16.2.233
MontrealS2 Distribution 1 | Vlan 99 | 172.16.2.235 | 255.255.255.248 | 172.16.2.233
MontrealS3 Distribution 2 | Vlan 99 | 172.16.2.236 | 255.255.255.248 | 172.16.2.233
MontrealS4 Access 1 | Vlan 99 | 172.16.2.237 | 255.255.255.248 | 172.16.2.233
MontrealS5 Access 2 | Vlan 99 | 172.16.2.238 | 255.255.255.248 | 172.16.2.233
PC (Marketing) | NIC | 172.16.2.206 | 255.255.255.240 | 172.16.2.193
PC (Administration) | NIC | 172.16.2.190 | 255.255.255.240 | 172.16.2.177
PC (Management) | NIC | 172.16.3.70 | 255.255.255.248 | 172.16.3.65
PC (IT) | NIC | 172.16.3.14 | 255.255.255.248 | 172.16.3.9
PC (Accounting) | NIC | 172.16.2.174 | 255.255.255.240 | 172.16.2.161
PC (others) | NIC | 172.16.2.222 | 255.255.255.240 | 172.16.2.209
Table24: Canada devices IP addresses
Device Name | Mode | Domain Name | Password
MontrealS1 Core | Server | project | cisco
MontrealS2 Distribution 1 | Client | project | cisco
MontrealS3 Distribution 2 | Client | project | cisco
MontrealS4 Access 1 | Client | project | cisco
MontrealS5 Access 2 | Client | project | cisco
Table25: Canada VTP table
2.1.7 UAE Dubai
Department name | Needed size | Network address | Assignable range | Broadcast address | CIDR | Subnet mask
Management | 1 | 172.16.3.104 | 172.16.3.105 - 172.16.3.110 | 172.16.3.111 | /29 | 255.255.255.248
Marketing | - | 172.16.3.96 | 172.16.3.97 - 172.16.3.102 | 172.16.3.103 | /29 | 255.255.255.248
Accounting | - | 172.16.3.72 | 172.16.3.73 - 172.16.3.78 | 172.16.3.79 | /29 | 255.255.255.248
IT | - | 172.16.3.88 | 172.16.3.89 - 172.16.3.94 | 172.16.3.95 | /29 | 255.255.255.248
Administration | - | 172.16.3.80 | 172.16.3.81 - 172.16.3.86 | 172.16.3.87 | /29 | 255.255.255.248
Other | - | 172.16.3.112 | 172.16.3.113 - 172.16.3.118 | 172.16.3.119 | /30 | 255.255.255.248
Native VLANs | 5 | 172.16.3.16 | 172.16.3.17 - 172.16.3.22 | 172.16.3.23 | /29 | 255.255.255.248
Table26: UAE IP addresses
Device | Interface or sub-interface | IP address | Subnet mask | Default gateway
DubaiR1 | Fa0/0.10 | 172.16.3.105 | 255.255.255.248 | -
DubaiR1 | Fa0/0.20 | 172.16.3.97 | 255.255.255.248 | -
DubaiR1 | Fa0/0.30 | 172.16.3.73 | 255.255.255.248 | -
DubaiR1 | Fa0/0.40 | 172.16.3.89 | 255.255.255.248 | -
DubaiR1 | Fa0/0.50 | 172.16.3.81 | 255.255.255.248 | -
DubaiR1 | Fa0/0.70 | 172.16.3.113 | 255.255.255.248 | -
DubaiR1 | Fa0/0.99 | 172.16.3.17 | 255.255.255.248 | -
DubaiR1 | S0/1/0.501 | 172.16.3.146 | 255.255.255.252 | -
DubaiR1 | S0/1/0.502 | 172.16.3.158 | 255.255.255.252 | -
DubaiR1 | S0/1/0.503 | 172.16.3.190 | 255.255.255.252 | -
DubaiR1 | S0/1/0.504 | 172.16.3.198 | 255.255.255.252 | -
DubaiR1 | S0/1/0.506 | 172.16.3.178 | 255.255.255.252 | -
DubaiR1 | S0/1/0.507 | 172.16.3.206 | 255.255.255.252 | -
DubaiS1 Core | Vlan 99 | 172.16.3.18 | 255.255.255.248 | 172.16.3.17
DubaiS2 Distribution 1 | Vlan 99 | 172.16.3.19 | 255.255.255.248 | 172.16.3.17
DubaiS3 Distribution 2 | Vlan 99 | 172.16.3.20 | 255.255.255.248 | 172.16.3.17
DubaiS4 Access 1 | Vlan 99 | 172.16.3.21 | 255.255.255.248 | 172.16.3.17
PC (Marketing) | NIC | 172.16.3.102 | 255.255.255.248 | 172.16.3.97
PC (Administration) | NIC | 172.16.3.86 | 255.255.255.248 | 172.16.3.81
PC (Management) | NIC | 172.16.3.110 | 255.255.255.248 | 172.16.3.105
PC (IT) | NIC | 172.16.3.94 | 255.255.255.248 | 172.16.3.89
PC (Accounting) | NIC | 172.16.3.78 | 255.255.255.248 | 172.16.3.73
PC (others) | NIC | 172.16.3.118 | 255.255.255.248 | 172.16.3.113
Table27: UAE devices IP addresses
Device Name | Mode | Domain Name | Password
DubaiS1 Core | Server | project | cisco
DubaiS2 Distribution 1 | Client | project | cisco
DubaiS3 Distribution 2 | Client | project | cisco
DubaiS4 Access 1 | Client | project | cisco
Table28: UAE VTP table
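The VLSM procedure behind the IP address tables above, as an added worked example in Python (this is not code from the report). It sorts the departments by needed size, picks the smallest prefix with enough usable addresses (one extra is reserved for the router sub-interface that acts as default gateway, which is why a department of 30 hosts gets a /26 in Table 8), and carves each subnet out of the lowest free block so that no space is wasted between subnets. The department sizes are the Geneva figures from Table 8; the summary block 172.16.0.0/23 is an assumption, since the report does not state one. Run this way, the Administration, WLAN, Other, Marketing and Training rows come out exactly as Table 8 lists them, while the remaining departments land in different places because the report placed them elsewhere in 172.16.1.0/24. The `row_is_consistent` check is the test a reviewer would run over each hand-made row of these tables.

```python
import ipaddress

# Needed sizes per department for the Geneva branch, copied from Table 8 of the
# report. The point-to-point WVLAN row is left out because a link has no gateway.
GENEVA_SIZES = {
    "Management": 10, "Marketing": 20, "Accounting": 10, "IT": 15,
    "Administration": 30, "Training": 20, "Other": 25, "Native VLANs": 12,
    "WLAN": 30,
}


def prefix_for(addresses):
    """Shortest prefix whose usable address count (2^(32-p) - 2) covers `addresses`."""
    for p in range(30, 0, -1):            # /30 is the smallest subnet with 2 usable addresses
        if 2 ** (32 - p) - 2 >= addresses:
            return p
    raise ValueError("too many addresses for one IPv4 subnet")


def allocate_vlsm(base, sizes):
    """Largest-first VLSM: carve `base` into one subnet per department.

    Free blocks live in a pool; the lowest-addressed block that is big enough
    is halved until it has the required prefix, and the halves left over go
    back into the pool for the smaller departments that follow.
    """
    pool = [ipaddress.ip_network(base)]
    rows = []
    for name, hosts in sorted(sizes.items(), key=lambda kv: -kv[1]):
        p = prefix_for(hosts + 1)         # +1: the router sub-interface (default gateway)
        pool.sort(key=lambda n: int(n.network_address))
        for i, blk in enumerate(pool):
            if blk.prefixlen > p:         # block too small for this department
                continue
            pool.pop(i)
            while blk.prefixlen < p:      # split until the block is exactly a /p
                blk, spare = blk.subnets(prefixlen_diff=1)
                pool.append(spare)
            rows.append({
                "name": name, "hosts": hosts,
                "network": str(blk.network_address),
                "first": str(blk[1]), "last": str(blk[-2]),
                "broadcast": str(blk.broadcast_address),
                "cidr": f"/{p}", "mask": str(blk.netmask),
            })
            break
        else:
            raise ValueError(f"no free block left for {name}")
    return rows


def subnets_disjoint(rows):
    """True when no two allocated subnets overlap, which every VLSM table must satisfy."""
    nets = [ipaddress.ip_network(r["network"] + r["cidr"]) for r in rows]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def row_is_consistent(network, prefixlen, first, last, broadcast):
    """Check one hand-made table row against what its network and prefix imply."""
    net = ipaddress.ip_network(f"{network}/{prefixlen}")
    return (str(net[1]), str(net[-2]), str(net.broadcast_address)) == (first, last, broadcast)


if __name__ == "__main__":
    for r in allocate_vlsm("172.16.0.0/23", GENEVA_SIZES):
        print(f"{r['name']:<14}{r['hosts']:>4}  {r['network']:<14}"
              f"{r['first']} - {r['last']:<16}{r['broadcast']:<16}{r['cidr']:<5}{r['mask']}")
```

Feeding the allocator a base that is too small raises instead of silently overlapping, and `row_is_consistent` returns False for any row whose range or broadcast does not follow from its network and prefix, which is how typing errors in tables like these are caught before they reach a router.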
3.1 Security
To avoid security issues, several mechanisms have been used to protect the
devices and users.
3.1.1 Port Security
Port security enables the company to define a list of MAC addresses that are
permitted to use a switch port. This limits access to the port and keeps
unauthorized devices off it. The advantage of port security is that when a
device tries to use the port and its MAC address does not exist in the list
of secure MAC addresses, a security violation action is taken, such as
shutting down the port. There are three types of secure MAC address: static,
dynamic and sticky (Polytechnic IT Team, PowerPoint slides).
To enhance the security of Global Insurance Services (GIS) Company and prevent
unauthorized access, the switches have been configured with sticky secure MAC
addresses. The reason behind choosing this type is that the addresses can be
learned dynamically and added to the MAC address table, and they can also be
added manually. Better yet, the learned addresses are stored in the running
configuration and saved to NVRAM, which means they will not be lost after a
reload (Polytechnic IT Team, PowerPoint slides). GIS Company has configured
port security on the switch interfaces with a maximum of two MAC addresses
only, to prevent access by unknown devices.
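The behaviour described in this section, as an added example in Python (a constructed model, not the report's switch configuration): one access port with sticky port security, a maximum of two MAC addresses as the report configures, and the three IOS violation modes. The MAC addresses fed through it are constructed sample values. The model shows the edge case the text hints at: the third address on a `shutdown` port puts it in err-disabled state, after which even the two legitimate devices are cut off until an administrator re-enables the port, while `restrict` only counts and drops the offending frames.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one switch access port running sticky port security."""
    name: str
    maximum: int = 2                   # the report allows at most two MAC addresses per port
    violation: str = "shutdown"        # IOS violation modes: shutdown | restrict | protect
    secure_macs: list = field(default_factory=list)   # sticky addresses, in the order learned
    err_disabled: bool = False
    violations: int = 0

    def frame_in(self, src_mac):
        """Decide 'forward' or 'drop' for one ingress frame and update the port state."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"              # a shut-down port stays down until an administrator re-enables it
        if src_mac in self.secure_macs:
            return "forward"           # already a secure address on this port
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky learning: the address becomes part of the config
            return "forward"
        # An unknown address beyond the maximum is a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True   # err-disabled: every further frame is dropped
        elif self.violation == "restrict":
            self.violations += 1       # counted (and logged on a real switch); the port stays up
        # "protect" drops the frame silently without counting it
        return "drop"

    def running_config(self):
        """Interface lines that sticky learning would leave in the running configuration."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}",
                 " switchport port-security mac-address sticky"]
        lines += [f" switchport port-security mac-address sticky {mac}" for mac in self.secure_macs]
        return lines


def replay(port, frames):
    """Feed a sequence of source MAC addresses through the port and collect the decisions."""
    return [port.frame_in(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample: two legitimate PCs, then an unknown device, then PC1 again.
    port = SecurePort("FastEthernet0/1")
    print(replay(port, ["0011.2233.4401", "0011.2233.4401", "0011.2233.4402",
                        "dead.beef.0001", "0011.2233.4401"]))
    print("\n".join(port.running_config()))
```

The `running_config()` lines are what `show running-config` would display once the two addresses are learned; they only survive a reload after the running configuration has been copied to the startup configuration in NVRAM, which is the step the text above relies on.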
3.1.2 Passwords
To impose a high level of security on the company devices, passwords have been
configured on the routers and switches. For privileged EXEC mode, an encrypted
password has been configured; its purpose is to prevent access to privileged
EXEC mode without typing the configured password. In addition, line console
and line vty passwords have been configured for all switches and routers. This
measure also denies access from the console or a vty line without entering
the configured password. The capture below shows the configured passwords for
privileged EXEC mode, line console and line vty on the Geneva router.
2. Redundancy
To ensure the availability of the network and protect it from single points of
failure, the company will provide multiple paths for the data. In other words,
the company will add more crossover cables between the switches, and more
switches, to provide alternative paths. Moreover, the company has designed the
topology as a hierarchical network consisting of three layers (core,
distribution and access) to increase redundancy and performance. The capture
below shows the redundancy at the Switzerland branch.
There are several reasons that led the company to use this method. Firstly,
PPP operates on multi-vendor devices, so it is suitable for any type of
device. Moreover, it supports an authentication option that allows the two
routers to exchange authentication messages; it provides two authentication
protocols, Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP). In addition, PPP supports a data compression
option that decreases the data size and decompresses the data again at the
destination, which increases network performance. Besides, one of the PPP
components is the Network Control Protocols (NCPs), which are used to
establish and configure various network layer protocols. These protocols sit
between the data link layer and the network layer to permit the network layer
protocols to work on the same communications link ("Point-to-point protocol,"
2013).
For authentication, the company decided to use Challenge Handshake
Authentication Protocol (CHAP) because it is more secure. CHAP uses a
three-way handshake that involves sending challenge/response messages. These
messages are sent again at random intervals during the connection to verify
that the peer is still there.
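The CHAP three-way handshake described above, as an added example in Python (not code from the report), with both sides of the exchange: the authenticator issues a Challenge, the peer answers with a Response computed as in RFC 1994 (MD5 over the one-byte identifier, the shared secret and the challenge value), and the authenticator replies Success or Failure. The router names GenevaR1 and ParisR1 are taken from the report's tables; the shared secret and challenge values are constructed. The model also shows why the text calls CHAP "more secure": the secret never crosses the link, each challenge can be answered only once, and a later re-challenge with a new identifier re-verifies that the peer is still there.

```python
import hashlib
import hmac
import os

# Constructed example secret for the Geneva-Paris link; on the real routers it
# comes from the "username <peer> password <secret>" line of each device.
SHARED_SECRET = b"gis-link-secret"


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the 1-byte identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router that issues the challenges (here playing GenevaR1) and checks the replies."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret
        self.ident = 0               # CHAP identifier: one byte, incremented per challenge
        self.outstanding = {}        # identifier -> challenge value still awaiting a reply

    def challenge(self, value=None):
        """Step 1: send a fresh random challenge (a fixed value may be passed for tests)."""
        self.ident = (self.ident + 1) & 0xFF
        value = value if value is not None else os.urandom(16)
        self.outstanding[self.ident] = value
        return {"code": "Challenge", "id": self.ident, "value": value, "name": self.name}

    def verify(self, response):
        """Step 3: recompute the hash with the locally stored secret and compare."""
        value = self.outstanding.pop(response["id"], None)   # each challenge is answered once
        if value is None:
            return {"code": "Failure", "id": response["id"], "reason": "unknown or reused identifier"}
        expected = chap_response(response["id"], self.secret, value)
        if hmac.compare_digest(expected, response["value"]):
            return {"code": "Success", "id": response["id"]}
        return {"code": "Failure", "id": response["id"], "reason": "response does not match"}


class Peer:
    """Router being authenticated (here playing ParisR1)."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, challenge):
        """Step 2: hash identifier + secret + challenge; the secret itself never leaves the router."""
        value = chap_response(challenge["id"], self.secret, challenge["value"])
        return {"code": "Response", "id": challenge["id"], "value": value, "name": self.name}


def three_way_handshake(authenticator, peer, challenge_value=None):
    """Run Challenge -> Response -> Success/Failure and return the final message."""
    chal = authenticator.challenge(challenge_value)
    resp = peer.respond(chal)
    return authenticator.verify(resp)


if __name__ == "__main__":
    geneva = Authenticator("GenevaR1", SHARED_SECRET)
    paris = Peer("ParisR1", SHARED_SECRET)
    print(three_way_handshake(geneva, paris))        # initial authentication at link-up
    print(three_way_handshake(geneva, paris))        # periodic re-challenge during the session
    print(three_way_handshake(geneva, Peer("ParisR1", b"wrong-secret")))
```

On a real PPP link both routers normally authenticate each other, so each side runs an Authenticator and a Peer; the model keeps one direction to show the message flow.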
connecting all the routers with each other. This type of topology will
increase redundancy and fault tolerance because, if one of the links
fails, there are other paths for the packet to reach its destination. The
captures below show the Frame Relay configurations (Horton).
Figure 14: NAT configuration on
8. Step 8: Access Control Lists (ACLs)
8.1
The first access list has been designed as a standard access list for NAT, which
permits the whole network 172.16.0.0/16.
The second access list was designed as an extended access list and is placed
closest to the source of the traffic being denied. This access list allows the
Internet to reach the servers of the Geneva branch for email and Internet traffic
only, and denies access to all other parts of the network.
The third access list is extended. It permits only the IT staff to access the
devices through SSH and then denies all other branches SSH access to the devices.
After that, it permits the other users to access the servers but denies them
access to everything else on the network 172.16.0.0/16, and permits them to
access the Internet. It permits the administration staff to access the network
172.16.0.0/16 and the servers. Then it denies administration users from
accessing anything else, which prevents them from reaching the Internet.
5.1
The access lists for the other branches are the same except that the IP
addresses differ. The access list is extended. It permits only the IT staff to
access the devices through SSH and then denies all other branches SSH access to
the devices. After that, it permits the other users to access the servers but
denies them access to everything else on the network 172.16.0.0/16, and permits
them to access the Internet. It permits the administration staff to access the
network 172.16.0.0/16 and the servers. Then it denies administration users from
accessing anything else, which prevents them from reaching the Internet.
ip access-list extended FRANCE
remark IT staff (172.16.1.192/28) may open SSH to any device
permit tcp 172.16.1.192 0.0.0.15 any eq 22
remark everyone else is blocked from SSH
deny tcp any any eq 22
remark other users (172.16.1.64/27): servers and Internet only, not 172.16.0.0/16
permit ip 172.16.1.64 0.0.0.31 150.3.1.0 0.0.0.15
deny ip 172.16.1.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 172.16.1.64 0.0.0.31 any
remark administration (172.16.1.176/28): internal network and servers only, no Internet
permit ip 172.16.1.176 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.16.1.176 0.0.0.15 150.3.1.0 0.0.0.15
deny ip 172.16.1.176 0.0.0.15 any
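The FRANCE access list above is evaluated top-down, and the order of its entries is what produces the behaviour described in the text. The following Python script is an added example, not part of the report: it parses the ACL's entries as written (the permit/deny, protocol, address and wildcard, and optional "eq" port syntax used on this page), then evaluates constructed sample flows with first-match semantics and the implicit "deny ip any any" at the end. The sample source addresses are assumptions chosen inside the ranges the ACL names, and 203.0.113.10 stands in for an Internet host.

```python
"""First-match evaluation of the FRANCE extended ACL.

Added example, not part of the report: a small parser for the
'permit|deny <proto> <src> <wildcard> <dst> <wildcard> [eq <port>]'
entries shown above and an evaluator that applies them top-down,
stopping at the first match, with the implicit 'deny ip any any'
at the end. The sample flows are constructed; their addresses fall
inside the ranges the ACL names.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The ACL entries exactly as configured for the France branch.
FRANCE_ACL = """\
permit tcp 172.16.1.192 0.0.0.15 any eq 22
deny tcp any any eq 22
permit ip 172.16.1.64 0.0.0.31 150.3.1.0 0.0.0.15
deny ip 172.16.1.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 172.16.1.64 0.0.0.31 any
permit ip 172.16.1.176 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.16.1.176 0.0.0.15 150.3.1.0 0.0.0.15
deny ip 172.16.1.176 0.0.0.15 any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: tuple[int, int]   # (address, wildcard) as integers
    dst: tuple[int, int]
    dport: int | None      # destination port from "eq <port>", if any


def _parse_address(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_address(tokens, 2)
        dst, i = _parse_address(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _matches(address: str, spec: tuple[int, int]) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(entries: list[Entry], src: str, dst: str, proto: str,
             dport: int | None = None) -> tuple[str, int | None]:
    """Return (action, index of the matching entry); None means the implicit deny."""
    for idx, entry in enumerate(entries):
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if not _matches(src, entry.src) or not _matches(dst, entry.dst):
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(FRANCE_ACL)
    flows = [  # constructed: (description, src, dst, proto, dport)
        ("IT staff SSH to a router", "172.16.1.200", "172.16.2.1", "tcp", 22),
        ("other user SSH to a router", "172.16.1.70", "172.16.2.1", "tcp", 22),
        ("other user to web server", "172.16.1.70", "150.3.1.5", "tcp", 80),
        ("other user to another branch", "172.16.1.70", "172.16.5.9", "tcp", 80),
        ("other user to the Internet", "172.16.1.70", "203.0.113.10", "udp", 53),
        ("admin to another branch", "172.16.1.180", "172.16.5.9", "icmp", None),
        ("admin to the Internet", "172.16.1.180", "203.0.113.10", "tcp", 443),
        ("host in no listed group", "172.16.1.5", "203.0.113.10", "tcp", 80),
    ]
    for desc, s, d, p, port in flows:
        action, idx = evaluate(acl, s, d, p, port)
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{desc:32} -> {action:6} ({where})")
```

Two things the walk-through makes visible that the prose does not: the "deny tcp any any eq 22" line must sit above the "permit ip ... any" line for the other users, or their SSH traffic would be permitted by the broader entry first; and a host whose address falls in none of the three ranges matches nothing and is dropped by the implicit deny, so any new subnet at the branch needs its own entries. The evaluator handles only the syntax on this page (no source ports, no "established", no ICMP types).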
6. Step 9: IPv6
For the future, the company will need to update its network to be compatible
with IPv6, the latest revision of the Internet Protocol (IP). As the company
may expand in the future, it will need to switch to IPv6, which provides a much
larger address space than IPv4. Within this section, recommendations are given on
how IPv6 will be implemented on the LAN and the WAN connections. In addition,
it presents the differences between implementing a routing protocol for IPv4
and for IPv6.
IPv4 and IPv6 are not compatible; therefore the company will not be able to
switch over to IPv6 straightforwardly. Because the company is already using
IPv4, it will need to use a transition mechanism. The best option for the company
is Dual Stack, a method that involves running both IPv4 and IPv6 at the same
time (Polytechnic IT Team - PowerPoint slides, 2013). GIS Company will use
tunneling to allow IPv4 to communicate with IPv6, encapsulating IPv6 packets
within IPv4 packets ("Ipv6 tunnel through," 2006). Each device in each branch
LAN will have both protocol stacks configured on its interface.
Like IPv4, IPv6 has similar routing protocols to allow routers to communicate
with each other. Despite the similarities, the routing protocols for IPv6 are more
sophisticated, and the implementation process is quite different. When
configuring a routing protocol for IPv6, the routing process must be created first.
Then the routing process must be enabled on the interfaces ("Implementing ospf
for," 2011). For the future, the company will use the routing protocol OSPFv3 to
support IPv6. Although OSPF version 2 and version 3 are similar, there are
important differences. In OSPFv3 the interface must be enabled directly by
typing the commands in interface configuration mode, whereas in OSPFv2 the
interface is enabled indirectly because the commands are typed in router
configuration mode. Another difference is that OSPFv3 supports multiple
instances of OSPF per link ("Ospfv2 versus ospfv3," 2010).
Conclusion
To conclude, Global Insurance Services Company (GIS) implemented a network
topology that is effective across the entire seven-site network: the computers,
switches and routers at the different sites can ping each other. The ping between
the computer and the wireless router in Geneva that connects to the Internet is
successful because GIS implemented NAT between the EIX and GIS (Geneva) routers
to allow the connection provided by the Internet service between the internal and
external network. Secondly, GIS configured Frame Relay (FR) to connect both the
inside and outside network, together with OSPF and CHAP. Thirdly, GIS configured
access lists to restrict certain network access. Fourthly, for security reasons,
all GIS routers have encrypted passwords and the network is divided into
different VLANs. In addition, email and web servers are implemented at the Geneva
site. Finally, GIS will in future need to update the network so it is compatible
with IPv6; the company recommended Dual Stack to be implemented on the WAN and
LAN.
Reference List
Benefits of VLANs. (n.d.). Retrieved from
http://my.safaribooksonline.com/book/certification/ccna/9780470489628/virtuallocal-area-networks-vlans/benefits_of_vlans
Bryant, C. (2008, July 14). Free Cisco CCNA training: Advantages of OSPF. Retrieved
from http://blog.pluralsight.com/videos/free-cisco-ccna-trainingadvantages-of-ospf
Frame relay. (n.d.). Retrieved from http://www.protocols.com/pbook/frame.htm
Horton, D. (n.d.). WAN design with Frame Relay. Retrieved from http://www.happymonkey.net/papers/frame-relay-paper.pdf
Implementing OSPF for IPv6. (2011, July 25). Retrieved from
http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6ospf_xe.html
Tetz, E. (n.d.). Router banner configuration. Retrieved from
http://www.dummies.com/how-to/content/router-banner-configuration.html
IT Team. (n.d.). Chapter_2_switches_part_ii.pptx (Master's thesis, Bahrain
Polytechnic).