
ACME NETWORK DESIGN 1

Running head: ACME NETWORK DESIGN

Acme Network Design

Bryan Callahan, David "Toby" Meyers & Ellis Thomas

NTC/242 - Intro to WAN Technologies

Amr Elchouemi

University of Phoenix

February 26, 2011


Acme Network Design

Acme Manufacturing requested a comprehensive plan for implementing VLAN technology and wireless connectivity at its multiple company locations in an effort to improve network performance for its executive office suite and the various company departments. The proposal covers recommendations for the overall network design to address their expanding operations with the acquisition of a plant in China as well as several other offices throughout the United States. The report also covers the network topology and the hardware and software needed to complete the project, while segmenting the network for efficiency and enacting security policies and procedures to ensure data integrity.

The Virtual Local Area Network (VLAN) will connect six offices across five geographical locations (New York, Chicago, Atlanta, Phoenix and China) for four different purposes: Management, Sales, Creation and Manufacturing, with weekly telecommutes with representatives from each office. The report also provides lifecycle recommendations for the management of the WAN.

Scope

The following network design for Acme Manufacturing includes the recommended technologies to provide data, voice and video connectivity between remote offices. The scope of the design includes recommended WAN technologies, network services, network components, logical topology, security and finally lifecycle recommendations.

Requirements

The Acme Manufacturing WAN requires connectivity to six different offices located in five different cities around the world. The WAN must support basic data traffic between locations including database queries, e-mail and file sharing. Telecommunication services recommendations such as voice and video must be included within the network design.

The network design must support an estimated 1000 network users between all offices and be flexible for future growth in network users and locations. As of today, the approximate number of users by location is as follows: Atlanta, Georgia Headquarters: 300 network users; Atlanta, Georgia Engineering: 300 network users; Distribution Facilities: 300 network users combined; China: 100 network users combined.

Network Overview

The logical arrangement is to create a VLAN segmented according to the different departments. Each segment can have its own group permissions and privileges. Multilayer switches, client devices, servers and wireless routers will drive the recommended network design. Routers are placed on the backbones, between floors, and between the LAN and the frame relay network provider. Also recommended are application and storage servers for each department, and one e-mail and one VOIP server for each location.

The physical media that connects the locations to the public switched network is a leased fiber optic line for domestic operations and a satellite connection for China. Components for the network system include switches, servers, client systems and wireless routers. Components required for video conferencing are a videoconferencing codec unit, camera, microphones, video displays, and conference room lighting consisting of diffused directional lighting integrated into the construction of the building.

A VPN connects wireless users to their departments' network privileges and resources. Firewalls sit between the servers and the rest of the network, firewalls and antivirus run on each computer, and a firewall of course sits between the VLAN segments and the public switched network. Devices accessing the WLAN will be connected and granted access to their respective department's VLAN.

The recommended IP address scheme eases network management and increases network security, since the IP addresses on the network are grouped by device type, department and building. In addition, firewall configurations and global access rules are predicated upon department. For example, firewall IP filtering rules can use wildcard masks to allow or restrict entire buildings.

WAN Technology

The recommended Wide Area Network (WAN) design will primarily rely on a public switched network to provide connectivity between all remote branch offices. The benefit of using a service provider for WAN connectivity is that it allows scalability to add locations and adjust bandwidth, and eliminates the high cost of purchasing and maintaining private lines (AT&T, 2011). Refer to figure one for a visual overview of the WAN topology.

Fiber optic T3 leased circuits provided by local exchange carriers will provide last mile connectivity from all domestic locations to the public switched network provider's (PSN) point of presence (POP). T3 leased circuits are scalable from 12 to 45 Mbps, allowing plenty of room for future technology demands on the WAN.

The public switched network provider will provide office connectivity using multiprotocol label switching (MPLS). MPLS provides network subscribers advanced value-added services including Layer 2 and Layer 3 VPNs and QoS over existing infrastructures such as IP, Frame Relay and Ethernet (Cisco, 2011).

We will use satellite technology to link China to the United States public switched network and our domestic VLAN.


The Atlanta, Georgia offices will have an additional connection between each other using two Cisco Aironet 1550 outdoor wireless access points in bridge mode to make a 54 Mbps wireless point-to-point connection. The Cisco Aironet uses the latest 802.11n standards with additional quality of service and VLAN features. The wireless building-to-building connection will establish a single virtual LAN between the Atlanta-based headquarters and engineering offices. The benefits of this additional link include eliminating the cost of one leased line to the PSN's POP. In addition, the two offices will be able to share resources such as email and storage servers.

Figure one, Acme WAN Topology

Network Services

Videoconferencing systems shall provide for conferencing and joint meetings among geographically dispersed offices.

Acme requests wireless connectivity for an indeterminate number of clients, providing connectivity to onsite LANs and to the corporate VLAN. Once connectivity is established between a test device, the routers and the internal wired network, the routers are programmed with MAC filtering using the MAC addresses disclosed by each department. WEP is programmed with randomly generated keys of maximum length and shared with the managed devices. As devices are approved, their MAC addresses are added and the randomly generated WEP keys are issued when they connect to the network for the first time.

I.P. Address Scheme

Our IP address scheme calls for a Class A private network where each department in each building has its own subnet: the second octet is predicated on physical location, and the third octet identifies the department.

Location                Loc ID  Department            VLAN ID  Network Address  DHCP Host Range          Broadcast Address
Atlanta, Georgia (HQ)   10      Corporate Operations  1        10.10.1.0/24     10.10.1.40-10.10.1.239   10.10.1.255
Atlanta, Georgia (HQ)   10      Marketing             2        10.10.2.0/24     10.10.2.40-10.10.2.239   10.10.2.255
Atlanta, Georgia (HQ)   10      Administration        3        10.10.3.0/24     10.10.3.40-10.10.3.239   10.10.3.255
Atlanta, Georgia (HQ)   10      Accounting            4        10.10.4.0/24     10.10.4.40-10.10.4.239   10.10.4.255
Atlanta, Georgia (Eng)  20      Sales                 5        10.20.5.0/24     10.20.5.40-10.20.5.239   10.20.5.255
Atlanta, Georgia (Eng)  20      Engineering           6        10.20.6.0/24     10.20.6.40-10.20.6.239   10.20.6.255
Chicago                 30      Sales                 5        10.30.5.0/24     10.30.5.40-10.30.5.239   10.30.5.255
Chicago                 30      Administration        3        10.30.3.0/24     10.30.3.40-10.30.3.239   10.30.3.255
Phoenix                 40      Sales                 5        10.40.5.0/24     10.40.5.40-10.40.5.239   10.40.5.255
Phoenix                 40      Administration        3        10.40.3.0/24     10.40.3.40-10.40.3.239   10.40.3.255
New York                50      Sales                 5        10.50.5.0/24     10.50.5.40-10.50.5.239   10.50.5.255
New York                50      Administration        3        10.50.3.0/24     10.50.3.40-10.50.3.239   10.50.3.255
China                   60      Production            7        10.60.7.0/24     10.60.7.40-10.60.7.239   10.60.7.255
China                   60      Administration        3        10.60.3.0/24     10.60.3.40-10.60.3.239   10.60.3.255

Table one, IP Address Scheme – Workstations

The following table lists the recommended address scheme for all network devices.

Host ID        Device
.1             Gateway Router
.5             Application Server
.6             Storage Server
.15            Subnet Switch
.20 to .30     Layer 3 Switches
.225           Network attached storage drives
.240 to .249   Network attached printers
.40 to .239    DHCP pool for workstations

Table two, Address Scheme for network devices
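As an added example (not part of the original design document), the following Python encodes the octet meanings of Tables one and two and the department-based firewall rules the design describes: building-wide and department-wide wildcard masks, and the "only a department's own devices reach that department's server" rule from the Network Security section. The function names and the treatment of the overlapping .225 entry are this editor's assumptions.

```python
import ipaddress

# Second octet = location, third octet = department/VLAN (Table one); values from the page.
LOCATIONS = {10: "Atlanta, Georgia (HQ)", 20: "Atlanta, Georgia (Eng)", 30: "Chicago",
             40: "Phoenix", 50: "New York", 60: "China"}
DEPARTMENTS = {1: "Corporate Operations", 2: "Marketing", 3: "Administration",
               4: "Accounting", 5: "Sales", 6: "Engineering", 7: "Production"}
# Host-ID conventions from Table two as (low, high, role). The .225 NAS entry sits
# inside the .40-.239 DHCP pool, so single hosts are listed before the pool and the
# first match wins; a deployment would need to exclude .225 from the DHCP scope.
HOST_ROLES = [(1, 1, "Gateway Router"), (5, 5, "Application Server"),
              (6, 6, "Storage Server"), (15, 15, "Subnet Switch"),
              (20, 30, "Layer 3 Switch"), (225, 225, "Network attached storage"),
              (240, 249, "Network attached printer"), (40, 239, "DHCP workstation")]

def department_subnet(loc_id, vlan_id):
    """Network, gateway, DHCP range and broadcast for one department in one building."""
    net = ipaddress.ip_network(f"10.{loc_id}.{vlan_id}.0/24")
    base = net.network_address
    return {"network": str(net), "gateway": str(base + 1),
            "dhcp": (str(base + 40), str(base + 239)),
            "broadcast": str(net.broadcast_address)}

def classify(ip):
    """Decode an address into (location, department, device role) from its octets."""
    o = ipaddress.ip_address(ip).packed  # four raw octets as ints
    if o[0] != 10:
        raise ValueError(f"{ip} is outside the 10.0.0.0/8 private range")
    role = next((r for lo, hi, r in HOST_ROLES if lo <= o[3] <= hi), "unassigned")
    return LOCATIONS.get(o[1], "unknown"), DEPARTMENTS.get(o[2], "unknown"), role

def building_rule(loc_id):
    """Address/wildcard pair matching every subnet of one building (contiguous mask)."""
    return f"10.{loc_id}.0.0 0.0.255.255"

def department_rule(vlan_id):
    """Address/wildcard pair matching one department in every building; the
    non-contiguous mask is why wildcards, not prefix lengths, are used here."""
    return f"10.0.{vlan_id}.0 0.255.0.255"

def server_access_allowed(src_ip, dst_ip):
    """Department rule from the Network Security section: only a department's own
    devices may reach that department's application or storage server. Traffic to
    anything other than those servers is left to other rules (assumed: allowed)."""
    _, dst_dept, dst_role = classify(dst_ip)
    if dst_role not in ("Application Server", "Storage Server"):
        return True
    return classify(src_ip)[1] == dst_dept
```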

Virtual Local Area Network

The logical arrangement is to create a VLAN with seven segments grouped according to the four different purposes: Management, Sales, Creation and Manufacturing. Each segment can have its own group permissions and privileges. Wireless access points will belong to a separate VLAN behind a firewall with no access to network resources other than through a VPN client.

Figure two, Acme VLAN Topology

VLAN membership by MAC address shall be the protocol of the network. VLAN membership by MAC address allows workstations on the network to be moved easily to any network segment, since MAC addresses are hard-wired into the NICs of all components (Passmore & Freeman, 1996).

The VLAN Trunking Protocol (VTP) mode used to configure the switches is transparent. Once configured in transparent mode, switches will not attempt to reconfigure themselves and do not broadcast their configuration (Cisco, 2009). This means that a technician will reprogram every switch when the network expands. Simple identification by IP address and MAC address is not sufficient: when these are spoofed, the switches and routers will not be able to tell the difference. To improve security, an open source encryption system with a proprietary set of keys is recommended, with the encryption system configured to give only certain keys access to certain network segments' information.
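The limitation described above (a switch accepts whatever MAC and IP it is shown) is illustrated by this added example, which is not part of the original design: it assigns VLANs from the department-disclosed MAC list and reports the inconsistencies that are still detectable from switch and DHCP records. The registry, switch names and MAC addresses are constructed sample data.

```python
from collections import defaultdict

# Department-disclosed approved devices: MAC -> (department, VLAN id). Constructed.
MAC_REGISTRY = {
    "00:1b:44:11:3a:b7": ("Sales", 5),
    "00:1b:44:11:3a:b8": ("Engineering", 6),
    "00:1b:44:11:3a:b9": ("Administration", 3),
}

# Constructed MAC-table / DHCP-lease sightings: (switch, port, mac, ip).
SIGHTINGS = [
    ("sw-chi-1", "Gi0/3", "00:1b:44:11:3a:b7", "10.30.5.41"),   # sales laptop, normal
    ("sw-atl-2", "Gi0/7", "00:1b:44:11:3a:b8", "10.20.6.42"),   # engineering, normal
    ("sw-atl-2", "Gi0/9", "00:1b:44:11:3a:b8", "10.20.6.42"),   # same MAC on a 2nd port
    ("sw-phx-1", "Gi0/2", "00:1b:44:11:3a:b9", "10.40.5.50"),   # admin MAC on sales subnet
    ("sw-nyc-1", "Gi0/4", "00:1b:44:11:3a:ff", "10.50.5.60"),   # not in the registry
]

def assign_vlan(mac):
    """VLAN for a MAC per the department registry, or None when it is not approved."""
    entry = MAC_REGISTRY.get(mac.lower())
    return entry[1] if entry else None

def audit(sightings):
    """Findings a bare MAC/IP check would miss: unregistered MACs, an approved MAC
    whose IP is outside its VLAN's subnet, and one MAC active on several ports."""
    findings = []
    ports_by_mac = defaultdict(set)
    for switch, port, mac, ip in sightings:
        ports_by_mac[mac].add((switch, port))
        vlan = assign_vlan(mac)
        if vlan is None:
            findings.append((mac, "unregistered MAC, deny"))
            continue
        # In the Acme scheme the third octet is the department/VLAN id.
        if int(ip.split(".")[2]) != vlan:
            findings.append((mac, f"ip {ip} not in VLAN {vlan} subnet"))
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append((mac, f"seen on {len(ports)} ports, possible cloned MAC"))
    return sorted(set(findings))
```

A cloned MAC presented while the genuine device is offline raises none of these findings, which is exactly the gap the section describes and why it pairs MAC membership with per-segment encryption keys.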

Network Components

All new networking equipment, including multilayer switches, gateway routers, client devices, servers and wireless routers, will be strategically placed within the local area networks to handle wired and wireless data, voice and video services for 1000 network users.

In order to gain the most out of implementing a VLAN, a private port switching physical topology should be implemented. A private port switching topology not only increases the bandwidth per segment but also increases network security, since the only traffic found on a particular segment is for the one device connected to that segment (Passmore, 1996). Private port switching requires each device to own a port on the local workgroup switch. To save cost, simple Layer 2 twenty-port switches attach end user devices.

Layer 3 multilayer switches connect the workgroups to the backbone. Layer 3 switches will provide inter-VLAN routing without the need for routers, with one Layer 3 multilayer backbone switch per five workgroup switches or 100 devices. Refer to figure three for a simplified overview. Packets destined for another device on the same physical workgroup with the same VLAN assignment only need to traverse the L2 workgroup switch; packets destined for another physical workgroup or another VLAN are routed through the L3 switch.

Figure three, simplified private port physical topology

Routers are on the backbone to route packets between each floor of each building, and one additional router will be required at each location to serve as gateway to the WAN link. Each gateway will also be equipped with firewall hardware.

In order to support 1000 network users, it is recommended that one application and one storage server be placed at each location for each department, with the exception of Atlanta, Georgia, which will share server resources over a wireless WAN link. Additionally, one e-mail and one VOIP-based PBX server are required at each location.

A dedicated VOIP-based PBX server at each location running Cisco Unified Communications Manager software will fulfill Acme Manufacturing's voice and video requirements. Cisco Unified Communications Manager supports the latest VOIP technology including SSL VPN on IP phones, video conferencing, four-digit extension dialing even between locations, and call forwarding (Cisco, 2011).

Hardware needed for wireless connectivity at locations with wireless service will be 1000 ft of Enhanced Category 6 network cable for every 75,000 square feet, D-Link WNDR3800 N600 dual band wireless routers, and a D-Link DGS-1005G 5-port gigabit switch for every four routers. Mounting racks and wireless routers are placed every 75 ft, above reachable height, to serve locations with high concentrations of workers.

Network Security

A VPN connects wireless users to their departments' network privileges and resources, and a VPN policy conforms wireless use to the network security protocols. Firewalls sit between the servers and the rest of the network, firewalls and antivirus run on each computer, and a firewall of course sits between the VLAN segments and the public switched network. Users accessing the VLAN from a wireless device are authorized only within their own department. Network management and security group the IP addresses on the network by device type, department and building, and firewall configurations and global access rules are predicated upon department. For example, a rule allows one wildcard-masked group access to another, so that only devices in the Sales department can access the Sales department server.

The communication backbones provided by the incumbent local exchange carrier (ILEC) to connect the multiple company sites implement their own network security features in an attempt to secure network connections from the time the information is transmitted to the time it is received, as well as open system authentication with service set identifier (SSID) beaconing. Open System Authentication is a process by which a computer can gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol. Attackers determine the SSID through beaconing and passive scanning, since the service set identifier of the computer must match the SSID of the wireless access point. A well-secured network using WPA or, even better, WPA2, and a non-trivial password, will take care of those people, as well as more capable hackers.

Lifecycle Recommendations

We suggest scheduling a maintenance inspection every two years including updates, checks for attenuation of signaling equipment, broadcast media and all static equipment, and replacement of damaged or aged equipment. We suggest that encryption algorithms, user passwords and access expire and terminate upon employee departure, and that penetration tests be scheduled to check and improve the security of the network. Backing up the vlan.dat file of the switches saves the configuration of each network in case of switch failure, so that reconfiguration takes only as long as replacement or a reboot of the switch. Network administrators are required to update firmware on all devices monthly and virus definitions daily on all machines in the network.
References

AT&T (2011). Enterprise Business Frame Relay. Retrieved on August 14, 2011, from AT&T: http://www.business.att.com/enterprise/Family/network-services/frame-relay-atm.

Cisco (2009). Understanding VLAN Trunk Protocol (VTP). Retrieved on February 28, 2011, from Cisco: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml#vtp_modes.

Cisco (2011). Cisco Aironet 1550 Series. Retrieved on August 14, 2011, from Cisco: http://www.cisco.com/en/US/products/ps11451/index.html.

Cisco (2011). Cisco Unified Communications Manager Express. Retrieved on August 14, 2011, from Cisco: http://www.cisco.com/cisco/web/solutions/small_business/products/voice_conferencing/uc_manager_express/index.html.

Cisco (2011). Multiprotocol Label Switching (MPLS). Retrieved on August 14, 2011, from Cisco: http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html.

Passmore & Freeman (1996). The virtual LAN technology report. Retrieved on August 14, 2011, from 3COM: http://www.3com.com/other/pdfs/solutions/en_US/20037401.pdf.

Welcher (2004). Clever Addressing Schemes. Section Case Study #2: Controlling College Students. Retrieved on February 28, 2011, from netcraftsmen.net: http://www.netcraftsmen.net/resources/archived-articles/506.html.
