Acacia: Threaded Case Study. Aoife McIntyre, Cordelia Carty, Mary Kearns.

Acacia

Feb 01, 2016

Acacia. Threaded Case Study. Aoife McIntyre, Cordelia Carty, Mary Kearns. Overview: The school district is in the process of implementing Local Area Networks (LANs) and a Wide Area Network (WAN) to provide data connectivity between all school sites. (PowerPoint PPT presentation)
Transcript
Page 1: Acacia

Acacia

Threaded Case Study

Aoife McIntyre

Cordelia Carty

Mary Kearns

Page 2: Acacia

Overview

The school district is in the process of implementing Local Area Networks (LANs) and a Wide Area Network (WAN) to provide data connectivity between all school sites.

Access to the internet from any site in the school district.

Implement a series of servers to facilitate online automation of all the district's administrative and curricular functions.

Page 3: Acacia

Overview (cont)

Network must be functional for a minimum of 7-10 years.

Provide for 100% growth in LAN.

TCP/IP and Novell IPX are the only OSI layer 3 and 4 protocols allowed. In our case we will use TCP/IP.

Page 4: Acacia

User Requirements

Two Local Area Network (LAN) segments will be implemented. One VLAN will be designed for student curriculum usage and the other for administration.

The LAN infrastructure will be based on Ethernet LAN switching. The transport speeds will be Ethernet 10BASE-T, 100BASE-TX, and 100BASE-FX.

Page 5: Acacia

Cabling

Horizontal cabling will be Cat5 Unshielded Twisted Pair (CAT5 UTP). It will be able to accommodate speeds of 100 Mbps. This has a maximum distance of 90m.

The vertical backbone will be fiber optic 1000 Base-FX, which will run between the MDF and the IDF.

Page 6: Acacia

Wide Area Network (WAN)

The WAN will connect all of the schools to the three regional hubs and interconnect the regional hubs in an extended star topology. It will also connect the Data Center regional hub to the internet through a proxy server.

Page 7: Acacia

Logical Addressing Scheme

One class C address allocated to the school
Students – 192.168.1.1 to 192.168.1.254
Admin – 192.168.2.1 to 192.168.2.254
Servers – 192.168.3.1 to 192.168.3.254

The class C address has been sub-netted to allow for more hosts on the same network

Page 8: Acacia

Logical Design

Page 9: Acacia

Wiring Layout

Page 10: Acacia

Zone Layout

Page 11: Acacia

Classrooms

Each classroom must be able to support 24 workstations and be supplied with 4 data termination points. A single location in each room will be designated as the wiring point of presence (POP) for that room. It will consist of a lockable cabinet containing all cable terminations and electronic components (switches etc.).

The network in Acacia must be able to support 325 computers: 250 computers for students and 75 computers for administration usage.
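The three /24 ranges from the logical addressing scheme, checked against the host counts on this slide and the "100% growth" requirement from the overview. This is an added example, not part of the original slides: the server count of 5 is the number of servers named in the MDF equipment list later in the deck, and "100% growth" is read as doubling today's counts, which is an assumption. The wildcard-mask column is the inverted subnet mask that the ACL entries later in the deck use.

```python
import math
from ipaddress import IPv4Network

# Address plan from the case study's logical addressing scheme: one /24 per group.
PLAN = {
    "students": IPv4Network("192.168.1.0/24"),
    "admin": IPv4Network("192.168.2.0/24"),
    "servers": IPv4Network("192.168.3.0/24"),
}

# Host counts: 250 student and 75 administration computers from the classroom
# requirements; 5 servers is the count of servers named in the MDF equipment list
# (administrative, application, DNS/e-mail, library, workgroup).
HOSTS_TODAY = {"students": 250, "admin": 75, "servers": 5}

GROWTH_FACTOR = 2.0  # "provide for 100% growth in LAN", read literally (assumption)


def usable_hosts(net: IPv4Network) -> int:
    """Usable host addresses in a subnet: network and broadcast addresses excluded."""
    return net.num_addresses - 2


def wildcard_mask(net: IPv4Network) -> str:
    """Inverted subnet mask, the form Cisco access-list entries expect."""
    return str(net.hostmask)


def smallest_prefix_for(host_count: int) -> int:
    """Longest prefix (smallest block) whose usable-host count still covers host_count."""
    prefix = 30  # /30 is the smallest block with usable hosts (2)
    while prefix > 0 and usable_hosts(IPv4Network(f"0.0.0.0/{prefix}")) < host_count:
        prefix -= 1
    return prefix


def capacity_report(plan=PLAN, hosts=HOSTS_TODAY, growth=GROWTH_FACTOR) -> dict:
    """Per group: does the allocated block still fit once the growth requirement is applied?"""
    report = {}
    for name, net in plan.items():
        needed = math.ceil(hosts[name] * growth)
        report[name] = {
            "network": str(net),
            "wildcard": wildcard_mask(net),
            "usable": usable_hosts(net),
            "needed_after_growth": needed,
            "fits": needed <= usable_hosts(net),
            "prefix_needed": smallest_prefix_for(needed),
        }
    return report


if __name__ == "__main__":
    for name, row in capacity_report().items():
        verdict = "fits" if row["fits"] else f"does NOT fit, needs a /{row['prefix_needed']}"
        print(f"{name:9s} {row['network']:16s} wildcard {row['wildcard']:12s} "
              f"usable {row['usable']:4d} needed {row['needed_after_growth']:4d} -> {verdict}")
```

Run as a script it prints one line per group. The administration and server blocks fit comfortably, but 250 student computers doubled is 500 hosts, more than the 254 usable addresses in a /24, so the student range is the one to watch when the growth requirement is taken literally.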

Page 12: Acacia

Classroom Layout

Page 13: Acacia

Main Distribution Frame (MDF)

An MDF is a free-standing or wall-mounted rack for managing and interconnecting the telecommunications cable between the main distribution frame and the intermediate distribution frame (IDF). The MDF is also the connection point for your LAN to the district WAN.

Page 14: Acacia

MDF

Page 15: Acacia

MDF Equipment

Cisco 2611 Router with serial, Ethernet and dial-in facilities
2 - Catalyst 3542 XL Ethernet Switches
Catalyst 3548 XL Enterprise Edition
4 - 24-port patch panels
1 - 16-port patch panel
Fiber patch panel
Administrative server
Application server
DNS/E-mail server
Library server
Workgroup server
UPS
Monitor
Monitor shelf with keyboard tray
Ventilation Panel

Page 16: Acacia

Intermediate Distribution Frame (IDF)

An IDF is a free-standing or wall-mounted rack for managing and interconnecting the telecommunications cable between end user devices and an MDF. For example, there would be an IDF in each building or every 90 meters.

Page 17: Acacia

IDF

Page 18: Acacia

IDF Equipment

3 - Catalyst 3542 Ethernet Switches
4 - 24-port patch panels
Fibre patch panel
UPS
Ventilation Panel
Monitor
Monitor shelf with keyboard tray

Page 19: Acacia

Servers

DNS/E-MAIL SERVER: The school host will be the local post office box and will store all e-mail messages. The DNS update process will flow from the individual school server to the Hub server and to the district server. All regional servers will be able to communicate between themselves, building redundancy in the system.

ADMINISTRATIVE SERVER: This will contain the student tracking, attendance, grading and other administration functions. This server will only be available to teachers and staff.

Page 20: Acacia

Servers (cont)

LIBRARY SERVER: Acacia is implementing an automated library information and retrieval system, which will contain an online library for curricular research purposes. This server will be made available to anyone at the school site.

APPLICATION SERVER: All computer applications will be housed in a central server at each school location. As applications such as word processing, Excel, PowerPoint etc. are requested by users, these applications will be retrieved from the application server. This server will be made available to anyone at the school site.

Page 21: Acacia

Servers (cont)

OTHER SERVERS: Any other servers implemented at the school sites will be departmental servers and will be placed according to user group access needs.

Page 22: Acacia

VLANs

A VLAN is a logical grouping of devices or users that can be grouped by function, department, or application, regardless of their physical segment location. VLAN configuration is done at the switch via software.

Two VLANs will be used on the LAN:
VLAN 1 will be used for the administration segment.
VLAN 2 will be used for curriculum.
All changes and moves will be controlled and managed accordingly.

Page 23: Acacia

VLANs

VLANs are implemented for the following reasons:

Reduces administration costs related to moves, additions and changes
Provides better control of broadcasts
Tightens network security
Distributes traffic load
Relocates servers into secured locations
Saves money by using existing hubs

Page 24: Acacia

Access Control Lists (ACLs)

ACLs permit or deny certain users (or an entire network segment) access to network resources. They are set up by the network administrator and add security to the network, as well as limiting network traffic and increasing network performance. ACLs are either standard (numbers 1-99) or extended (numbers 100-199).

Page 25: Acacia

ACLs

Students have access to:
Application server
Internet
Library server

Students are denied access to:
Any activity on the DNS server
Administrative server

Teachers have access to:
Internet
DNS server for e-mail
Administrative server at Acacia
Application server at Acacia
Library server at Acacia

Page 26: Acacia

Example ACL

Enter global configuration mode
Acacia# config t

Permits all users access to email/DNS server
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.1 0.0.0.0

Permits all users access to the library server
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.2 0.0.0.0

Blocks all student/curriculum traffic from accessing the admin network
Acacia(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Permits all other traffic
Acacia(config)# access-list 101 permit ip any any

Note: every extended ACL entry carries a protocol keyword (ip, tcp, udp); the deny entry's destination wildcard 0.0.0.255 limits the match to 192.168.2.0/24 (a wildcard of 0.0.255.255 would match every 192.168.x.x address, the server range included). The list takes effect only once applied to an interface with ip access-group.
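A small evaluator for the ACL on this slide, added here as an example that is not part of the original slides. It implements the three things that decide what an IOS ACL does: wildcard-mask matching (a 1 bit means "don't care"), first-match ordering, and the implicit deny at the end of every list. The sample flows and the host addresses in them are constructed; where the list is applied (for instance inbound on the curriculum VLAN interface) is an assumption, since the slides do not show that step.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One access control entry of an extended (100-199) ACL."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def _take_address(tokens: list) -> tuple:
    """Consume one address spec from the front of tokens: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        del tokens[0]
        return ANY
    if tokens[0] == "host":
        addr = tokens[1]
        del tokens[:2]
        return addr, "0.0.0.0"
    addr, wc = tokens[0], tokens[1]
    del tokens[:2]
    return addr, wc


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <100-199> <permit|deny> <proto> <src> <dst>' (no port operators)."""
    tokens = line.split()
    if tokens[0] != "access-list" or not 100 <= int(tokens[1]) <= 199:
        raise ValueError(f"not an extended ACL entry: {line}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    rest = tokens[4:]
    src, src_wc = _take_address(rest)
    dst, dst_wc = _take_address(rest)
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def evaluate(acl: list, proto: str, src: str, dst: str) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit 'deny'."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


# ACL 101 from the slide, with the protocol keyword each extended entry requires
# and the admin destination wildcard 0.0.0.255 so it covers only 192.168.2.0/24.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.1 0.0.0.0",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.3.2 0.0.0.0",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]

# Constructed sample flows (protocol, source, destination): illustrative hosts
# inside the slides' three address ranges, not addresses from the case study.
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.10", "192.168.3.1"),   # student -> DNS/e-mail server
    ("udp", "192.168.1.10", "192.168.3.1"),   # student -> DNS query over UDP
    ("tcp", "192.168.1.10", "192.168.2.20"),  # student -> administrative host
    ("tcp", "192.168.1.10", "192.168.3.3"),   # student -> some other server
    ("tcp", "192.168.2.20", "192.168.1.10"),  # admin host -> student
]


def decisions(acl=ACL_101, flows=SAMPLE_FLOWS) -> list:
    """Verdict for each sample flow as (proto, src, dst, permit|deny)."""
    return [(proto, src, dst, evaluate(acl, proto, src, dst)) for proto, src, dst in flows]


if __name__ == "__main__":
    for proto, src, dst, verdict in decisions():
        print(f"{proto:4s} {src:14s} -> {dst:14s} {verdict}")
```

Two things the run makes visible. First, with the trailing permit ip any any the two server permit lines change nothing in effect: a student flow to any destination outside 192.168.2.0/24, including a UDP DNS query that the tcp-only line does not match, is permitted by the last entry anyway, so only the deny entry does work. Restricting students to exactly the servers listed on the previous slide would mean dropping that trailing permit and letting the implicit deny apply. Second, the wildcard check shows why the mask matters: 0.0.255.255 against 192.168.2.0 also matches 192.168.3.3, a server address, while 0.0.0.255 does not.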

Page 27: Acacia

IGRP

IGRP is a distance vector Interior Gateway Protocol. Distance vector routing protocols mathematically compare routes using some measurement of distance. This measurement is known as the distance vector.

Routers using a distance vector protocol must send all or a portion of their routing table in a routing-update message at regular intervals to each of their neighboring routers.

As routing information is propagated through the network, routers can identify new destinations as they are added to the network, learn of failures in the network, and, most importantly, calculate distances to all known destinations.

Page 28: Acacia

IGRP Implementation

Acacia# config t
Acacia(config)# router igrp 100
Acacia(config-router)# network 192.168.1.0
Acacia(config-router)# network 192.168.2.0
Acacia(config-router)# network 192.168.3.0
Acacia(config-router)# exit
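A simulation of the distance vector exchange described on the previous slide, added here as an example that is not part of the original slides. The three network statements above correspond to the "connected" entries of the Acacia router; each round every router sends its table to its neighbours and they apply the Bellman-Ford update. The regional hub and district routers, their LAN prefixes (10.0.0.0/24, 10.1.0.0/24) and the use of a plain hop count as the metric are all assumptions made for the example; real IGRP uses a composite metric built from bandwidth and delay.

```python
INF = float("inf")


class Router:
    """A router running a simplified distance-vector protocol (hop-count metric)."""

    def __init__(self, name: str, connected: list, links: dict):
        self.name = name
        self.links = dict(links)  # neighbour name -> metric of the link to it
        # routing table: destination network -> (metric, next hop)
        self.table = {net: (0, "connected") for net in connected}

    def advertisement(self, to_neighbour: str) -> dict:
        """Full table sent to one neighbour, with split horizon: routes learned
        from that neighbour are not advertised back to it."""
        return {dest: metric for dest, (metric, hop) in self.table.items()
                if hop != to_neighbour}

    def receive(self, neighbour: str, adv: dict) -> bool:
        """Bellman-Ford update. A route via the neighbour is taken if it is
        better, or if the neighbour is already the next hop (so a changed metric
        from it replaces the stale one). Returns True if the table changed."""
        changed = False
        link = self.links[neighbour]
        for dest, metric in adv.items():
            candidate = link + metric
            current, hop = self.table.get(dest, (INF, None))
            if candidate < current or (hop == neighbour and candidate != current):
                self.table[dest] = (candidate, neighbour)
                changed = True
        return changed


def converge(routers: dict, max_rounds: int = 20):
    """Run periodic update rounds until no table changes; returns the round in
    which the network was found stable, or None if it never settled."""
    for round_no in range(1, max_rounds + 1):
        # Snapshot every advertisement first: all routers send simultaneously.
        mail = [(rcv, snd, routers[snd].advertisement(rcv))
                for snd in routers for rcv in routers[snd].links]
        # Deliver all of them (a list, not any(), so no delivery is skipped).
        results = [routers[rcv].receive(snd, adv) for rcv, snd, adv in mail]
        if not any(results):
            return round_no
    return None


def build_district() -> dict:
    """Constructed topology: the Acacia router with its three connected LANs,
    a regional hub, and the district data centre. The hub and district LAN
    prefixes are invented for this example."""
    return {
        "Acacia": Router("Acacia",
                         ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
                         {"Hub": 1}),
        "Hub": Router("Hub", ["10.0.0.0/24"], {"Acacia": 1, "District": 1}),
        "District": Router("District", ["10.1.0.0/24"], {"Hub": 1}),
    }


def route(routers: dict, router: str, dest: str) -> tuple:
    """(metric, next hop) that a router currently holds for a destination."""
    return routers[router].table.get(dest, (INF, None))


if __name__ == "__main__":
    net = build_district()
    print(f"stable after {converge(net)} update rounds")
    for name, r in net.items():
        for dest, (metric, hop) in sorted(r.table.items()):
            print(f"{name:9s} {dest:16s} metric {metric} via {hop}")
```

After two rounds of updates the district router knows all three Acacia networks two hops away via the hub, and the third round carries no changes, which is how convergence is detected. Split horizon is what keeps the hub from advertising Acacia's own networks back to Acacia.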

Page 29: Acacia

Firewalls

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.

Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.

All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Page 30: Acacia

Security

Double firewall implementation
ACLs act as second layer of firewall
Network will be divided into 3 logical network classifications: staff/administrative, curriculum and servers
Two separate VLANs: Curriculum and Staff/Administration
Utilization of access control lists
User ID and Password Policy published and strictly enforced on all computers in the District
All traffic from Curriculum LAN prohibited on Administrative LAN.

Page 31: Acacia

Pros

The network speed can be upgraded without much change in the physical cabling
With 4 CAT5 cables in every data termination point in the rooms, extra computers or other devices can be used in the classrooms as needed
ACLs provide very strong security: students in the curriculum network cannot get into the administrator network
Use of VLANs provides internal security
Troubleshooting made simpler using switches

Page 32: Acacia

Cons

There is no redundancy of the router link at the POP. If the WAN link fails there will be no access to other resources in the district or access to the Internet
The use of switches increases the network latency as well as the initial cost of the network
Expensive to implement
Password security is based on user cooperation
Non-centralized: with IDFs in each building, it is difficult to locate problems