BAHIR DAR UNIVERSITY
INSTITUTE OF TECHNOLOGY
SCHOOL OF COMPUTING & ELECTRICAL ENGINEERING
ELECTRICAL & COMPUTER ENGINEERING DEPARTMENT
INTERNSHIP REPORT
On
Bahir Dar University ICT Development Office Main Campus Data Center
By
Haimanot Tizazu
ID No. 126/2000
Host Company: BDU
Duration: March-June 2012
Submission Date: July 05, 2012
Dedications
This internship report is dedicated to my parents and all my friends for being with me and
helping me in each and every difficulty I faced in completing this internship report, and to my
teachers and all those who taught me, trained me and polished my abilities at Bahir Dar
University, Institute of Technology.
Approval of the Internship Report
I hereby declare that this internship report is submitted in partial fulfillment of the
internship program undertaken during the last four months. No part of this report has been
reported or copied from any report of the university or others.
Approved by:
______________________ _________________________
Academic Mentor Company Supervisor
Internship Report on Bahir Dar University ICT Development Office Main Campus Data Center
School of Computing & Electrical Engineering IoT, BDU
i
Acknowledgment
Special thanks go to my helpful supervisor Mr. Ferede Wollie, Network Administrator of
Bahir Dar University. The supervision and support that he gave truly helped the progression and
smoothness of the internship program. The cooperation is very much appreciated. I express
my sincere thanks to my mentor Mr. Tinbit Admasu.
Haimanot T.
Table of Contents
Acknowledgment…………………………………………………………………………………..i
List of figures……………………………………………………………………………………..iv
List of Acronyms & Abbreviations………………………………………………………………..v
Executive Summary………………………………………………………………………………vi
1 Background Information of Bahir Dar University…………………………………………….1
1.1 Mission…………………………………………………………………………………2
1.2 Vision…………………………………………………………………………………..2
1.3 Core Values…………………………………………………………………………….2
1.4 Main Products and Services............................................................................................3
1.5 Main Customers of Bahir Dar University.......................................................................3
1.6 The overall organizational structure and work flow of Bahir Dar University................4
1.7 ICT Development Office.................................................................................................6
2 The Overall Internship Experience…………………………………………………………..8
2.1 How I get in to the company………………………………………………………………8
2.2 The section of the Company I have been working on…………………………………….8
Figure 2.7 A typical secured network……………………………………………………………19
Figure 2.8 The work flow of main campus data center………………………………………….20
List of Tables
Table 2.1 Cisco Aironet1252 Access Point rear view…………………………………………...12
Table 2.2 Description of VTP mode……………………………………………………………..23
List of Acronyms & Abbreviations
ARP Address Resolution Protocol
ASA Adaptive Security Appliance
BDU Bahir Dar University
CRAC Computer Room Air Conditioning
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
FTP File Transfer Protocol
GLBP Gateway Load Balancing Protocol
HA High Availability
HSRP Hot Standby Router Protocol
ICT Information Communication Technology
IGMP Internet Group Management Protocol
IIS Internet Information Services
INSA Information Network Security Agency
IP Internet Protocol
IPS Intrusion Prevention System
IT Information Technology
L2 Layer 2
L3 Layer 3
LAN Local Area Network
LWAPP Lightweight Access Point Protocol
NAT Network Address Translation
POE Power over Ethernet
QoS Quality of Service
RU Rack Unit
SSP Security Services Processor
UNDP United Nations Development Program
UNESCO United Nations Educational, Scientific and Cultural Organization
VLAN Virtual Local Area Network
VPN Virtual Private Network
VRRP Virtual Router Redundancy Protocol
VTP VLAN Trunking Protocol
WCS Wireless Control System
The Catalyst 6509-E switch is an enhanced version of the Catalyst 6509 switch. The 9-slot
horizontal chassis supports redundant power supplies, redundant supervisor engines, and slots for
up to eight modules.
Supports all Cisco Catalyst 6500 Series modules, including:
• Supervisor engines
• Fast Ethernet modules (with IEEE 802.3af Power over Ethernet [PoE])
• Gigabit Ethernet modules (with IEEE 802.3af PoE)
• 10 Gigabit Ethernet modules
• FlexWAN modules
• Shared Port Adapters/SPA Interface Processors
• Multi-Gigabit services modules (content services, firewall, intrusion detection, IP
Security [IPsec], VPN, network analysis, and Secure Sockets Layer [SSL] acceleration)
Cisco Catalyst 4507E switch
The Cisco Catalyst 4500 Series Switches enable borderless networks, providing high
performance, mobile, and secure user experience through Layer 2-4 switching investments. It
enables security, mobility, application performance, video, and energy savings over an
infrastructure that supports resiliency, virtualization, and automation. Cisco Catalyst 4500 Series
Switches provide borderless performance, scalability, and services with reduced total cost of
ownership and superior investment protection.
Cisco Catalyst 4500 has a centralized forwarding architecture that enables collaboration,
virtualization, and operational manageability through simplified operations. With forward and
backward compatibility spanning multiple generations, the new Cisco Catalyst 4500E Series
provides exceptional investment protection and deployment flexibility to meet the evolving
needs of organizations of all sizes. The Cisco Catalyst 4500E Series platform has 10 Gigabit
Ethernet (GE) uplinks and supports PoE+ (PoEP), enabling customers to future-proof their network.
Cisco Catalyst 3750 Series
The Cisco Catalyst3750 Series is an innovative line of multilayer Fast Ethernet and Gigabit
Ethernet switches featuring Cisco StackWise technology that allows customers to build a
unified, highly resilient switching system - one switch at a time. For midsized organizations and
enterprise branch offices, the Cisco Catalyst 3750 Series eases deployment of converged
applications and adapts to changing business needs by providing configuration flexibility,
support for converged network patterns, and automation of intelligent network services
configurations. In addition, the Cisco Catalyst 3750 Series is optimized for high-density Gigabit
Ethernet deployments and includes a diverse range of switches that meet access, aggregation, or
small-network backbone-connectivity requirements.
Cisco Catalyst 2960 Series
The Cisco Catalyst 2960-S and 2960 Series Switches are the leading Layer 2 edge, providing
improved ease of use, highly secure business operations, improved sustainability, and a
borderless network experience. The Cisco Catalyst 2960-S Series switches include the new Cisco
FlexStack switch stacking capability with 1 and 10 Gigabit connectivity and Power over
Ethernet Plus (PoE+), while the Cisco Catalyst 2960 Switches offer Fast Ethernet access
connectivity and PoE capabilities. The Cisco Catalyst 2960-S and 2960 Series are fixed-
configuration access switches designed for enterprise, midmarket, and branch office networks to
provide lower total cost of ownership.
TwinGig Converter Module
The Cisco TwinGig Converter Module converts a single 10 Gigabit Ethernet X2 interface into
two Gigabit Ethernet port slots, which can be populated with appropriate Small Form-Factor
Pluggable (SFP) optics, providing a total of 12 wire-speed Gigabit Ethernet ports if used in all 6
X2 interface slots. The flexibility provided by the TwinGig Converter Module enables customers
to aggregate Gigabit Ethernet and 10 Gigabit Ethernet LAN access switches on a single line card.
Figure 2.1 Cisco twingig converter module
Cisco ASA 5520 and 5540 Security Appliance
The Cisco ASA 5500 Series Adaptive Security Appliance integrates firewall, IPS, and VPN
capabilities, providing an all-in-one solution for the enterprise network.
Cisco ASA 5585-X Security Appliance
The ASA 5585-X adaptive security appliance is a 2 RU, two-slot chassis accommodating up to
two AC power supply modules, which also contain the necessary cooling components for
operation, although you can install a fan module in the second bay. The Security Services
Processor (SSP) resides in slot 0 (the bottom slot) and the optional Intrusion Prevention System
Security Services Processor (IPS SSP) resides in slot 1 (the top slot). All port numbers are
numbered from right to left beginning with 0.
Cisco 5508 Wireless Controller
The Cisco 5500 Series Wireless Controller is a highly scalable and flexible platform that enables
system wide services for mission-critical wireless in medium to large-sized enterprises and
campus environments. Designed for 802.11n performance and maximum scalability, the 5500
Series offers enhanced uptime with RF visibility and protection, the ability to simultaneously
manage up to 500 access points; superior performance for reliable streaming video and toll
quality voice; and improved fault recovery for a consistent mobility experience in the most
demanding environments.
The Cisco 5500 Series Wireless Controller, designed for 802.11n performance and maximum
scalability, supports up to 500 lightweight access points (the number actually licensed on a
given controller may be lower, for example 250) and 7000 clients, making it ideal for
large-sized enterprises and high-density applications. A core component of the Cisco unified
wireless solution, these controllers deliver wireless security, intrusion detection, radio
management, quality of service (QoS), and mobility across an entire enterprise. The controllers
work in conjunction with other controllers, Cisco Wireless Control System (WCS), and access
points to provide network managers with a robust wireless LAN solution.
The Cisco 5500 Series Wireless Controller supports the Office Extend access point, which
provides secure communications from a controller to an access point at a remote location,
seamlessly extending the corporate WLAN over the Internet to an employee's residence.
Cisco Aironet 1250 Lightweight Access point
The lightweight access point (model: AIR-LAP1252) is part of the Cisco Integrated Wireless
Network Solution and requires no manual configuration before being mounted. The lightweight
access point is automatically configured by a Cisco wireless LAN controller using the
Lightweight Access Point Protocol (LWAPP).
In the Cisco Centralized Wireless LAN architecture, access points operate in lightweight mode
(as opposed to autonomous mode). The lightweight access points associate to a controller. The
controller manages the configuration, firmware, and controls transactions such as 802.1x
authentication. In addition, all wireless traffic is tunneled through the controller.
Key hardware features of the access point include:
• Two radio module slots for single or dual-radio operation
• Ethernet port and console port
• LEDs
• Multiple power sources
• UL 2043 compliance
• Anti-theft features
Figure 2.2 Cisco Aironet1252 Access Point rear view
1 2.4-GHz radio antenna
2 Module slot 0 (2.4-GHz radio module shown)
3 LEDs
4 5-GHz radio antenna
5 Module slot 1 (5-GHz radio module shown)
6 PC cable security slot
Table 2.1 Cisco Aironet1252 Access Point rear view
2.2.2 Campus Hierarchical Network Design Overview
Cisco introduced the hierarchical design model, which uses a layered approach to network design,
in 1999 (Figure 2.3). The building block components are the access layer, the distribution layer,
and the core (backbone) layer. The principal advantages of this model are its hierarchical
structure and its modularity.
Figure 2.3 Hierarchical Campus Network Design
In a hierarchical design, the capacity, features, and functionality of a specific device are
optimized for its position in the network and the role that it plays. This promotes scalability and
stability. The number of flows and their associated bandwidth requirements increase as they
traverse points of aggregation and move up the hierarchy from access to distribution to core.
Functions are distributed at each layer. A hierarchical design avoids the need for a fully-meshed
network in which all network nodes are interconnected.
The building blocks of modular networks are easy to replicate, redesign, and expand. There
should be no need to redesign the whole network each time a module is added or removed.
Distinct building blocks can be put in-service and taken out-of-service without impacting the rest
of the network. This capability facilitates troubleshooting, problem isolation, and network
management.
Core Layer
In a typical hierarchical model, the individual building blocks are interconnected using a core
layer. The core serves as the backbone for the network, as shown in Figure 2.4. The core needs to
be fast and extremely resilient because every building block depends on it for connectivity.
Current hardware accelerated systems have the potential to deliver complex services at wire
speed. However, in the core of the network a “less is more” approach should be taken. A
minimal configuration in the core reduces configuration complexity limiting the possibility for
operational error.
Figure 2.4 Core Layer
Although it is possible to achieve redundancy with a fully-meshed or highly-meshed topology,
that type of design does not provide consistent convergence if a link or node fails. Also, peering
and adjacency issues exist with a fully-meshed design, making routing complex to configure and
difficult to scale. In addition, the high port count adds unnecessary cost and increases complexity
as the network grows or changes. The following are some of the other key design issues to keep
in mind:
• Design the core layer as a high-speed, Layer3 (L3) switching environment utilizing only
hardware-accelerated services. Layer3 core designs are superior to Layer2 and other alternatives
because they provide:
– Faster convergence around a link or node failure.
– Increased scalability because neighbor relationships and meshing are reduced.
– More efficient bandwidth utilization.
• Use redundant point-to-point L3 interconnections in the core (triangles, not squares) wherever
possible, because this design yields the fastest and most deterministic convergence results.
• Avoid L2 loops and the complexity of L2 redundancy, such as Spanning Tree Protocol (STP)
and indirect failure detection for L3 building block peers.
Distribution Layer
The distribution layer aggregates nodes from the access layer, protecting the core from high-
density peering (Figure 2.5). Additionally, the distribution layer creates a fault boundary
providing a logical isolation point in the event of a failure originating in the access layer.
Typically deployed as a pair of L3 switches, the distribution layer uses L3 switching for its
connectivity to the core of the network and L2 services for its connectivity to the access layer.
Load balancing, Quality of Service (QoS), and ease of provisioning are key considerations for
the distribution layer.
Figure 2.5 Distribution Layer
High availability in the distribution layer is provided through dual equal-cost paths from the
distribution layer to the core and from the access layer to the distribution layer. This results in
fast, deterministic convergence in the event of a link or node failure. When redundant paths are
present, failover depends primarily on hardware link failure detection instead of timer-based
software failure detection. Convergence based on these functions, which are implemented in
hardware, is the most deterministic.
Access Layer
The access layer is the first point of entry into the network for edge devices, end stations, and IP
phones (Figure 2.6). The switches in the access layer are connected to two separate distribution
layer switches for redundancy. If the connection between the distribution layer switches is an L3
connection, then there are no loops and all uplinks actively forward traffic.
Figure 2.6 Access Layer
A robust access layer provides the following key features:
• High availability (HA) supported by many hardware and software attributes.
• Inline power (PoE) for IP telephony and wireless access points, allowing customers to
converge voice onto their data network and providing roaming WLAN access for users.
• Foundation services.
The hardware and software attributes of the access layer that support high availability include the
following:
• System-level redundancy using redundant supervisor engines and redundant power
supplies. This provides high-availability for critical user groups.
• Default gateway redundancy using dual connections to redundant systems (distribution
layer switches) that use GLBP, HSRP, or VRRP. This provides fast failover from one
switch to the backup switch at the distribution layer.
• Operating system high-availability features, such as Link Aggregation (EtherChannel or
802.3ad), which provide higher effective bandwidth while reducing complexity.
• Prioritization of mission-critical network traffic using QoS. This provides traffic
classification and queuing as close to the ingress of the network as possible.
• Security services for additional security against unauthorized access to the network
through the use of tools such as 802.1x, port security, DHCP snooping, Dynamic ARP
Inspection, and IP Source Guard.
• Efficient network and bandwidth management using software features such as Internet
Group Management Protocol (IGMP) snooping. IGMP snooping helps control multicast
packet flooding for multicast applications.
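The configuration below is an added example, not configuration taken from the report or from the BDU network, showing how the access-layer protections listed above (802.1X, port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard) are enabled together on a Catalyst 2960-class access switch running Cisco IOS. The user VLAN (10), the port numbering (FastEthernet0/1-24 for users, GigabitEthernet0/1 as the uplink), the RADIUS server address 192.0.2.10 and its shared secret are all assumed for illustration.

```cisco
! Added example (not the report's configuration): access-layer hardening on a
! Cisco IOS access switch. VLAN 10, the port numbers, the RADIUS server
! 192.0.2.10 and its shared secret are assumed for illustration.
!
! 802.1X: a port does not forward user traffic until the host authenticates
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key Assumed-Shared-Secret
dot1x system-auth-control
!
! DHCP snooping builds the IP-to-MAC binding table that DAI and IP Source
! Guard rely on. Every port is untrusted until the uplink is marked trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: ARP packets on VLAN 10 are checked against the
! binding table, so a host cannot poison the ARP cache of the gateway
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description uplink to distribution switch (DHCP server is reached this way)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 description user ports
 switchport mode access
 switchport access vlan 10
! port security: at most two MAC addresses (phone + PC), learned and kept
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
! IP Source Guard: drop packets whose source IP/MAC is not in the binding table
 ip verify source port-security
! rate-limit ARP so one host cannot exhaust the DAI inspection path
 ip arp inspection limit rate 15
! 802.1X authenticator role on the port
 dot1x pae authenticator
 authentication port-control auto
! edge port: no STP participation; a BPDU from a rogue switch shuts the port
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two operational caveats: DAI and IP Source Guard only know about hosts that obtained their address through DHCP while snooping was active, so statically addressed printers or servers on VLAN 10 must be entered with `ip source binding` (or permitted through an ARP ACL) or they will be cut off; and the uplink must be marked trusted before snooping is enabled on the VLAN, otherwise DHCP offers from the server are dropped and every host loses its lease.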
2.2.3 Security
The world is becoming more interconnected with the advent of the Internet and new networking
technology. There is a large amount of personal, commercial, military, and government
information on networking infrastructures worldwide. Network security is becoming of great
importance because of intellectual property that can be easily acquired through the internet.
Perimeter Security
A network or internetwork perimeter is the secured boundary of a network and may include some or
all of the following: firewalls, routers, IDS, VPN mechanisms, DMZs and screened subnets. A DMZ
sits outside the firewall, whereas a screened subnet is an isolated subnetwork connected to a
dedicated firewall interface.
Cisco ASA Firewall
A firewall is a network system or group of systems that manages access between two or more
networks. Firewall operations are based on one of three technologies:
• Packet filtering - limits the traffic allowed into a network based on the source and
destination addresses (and usually ports), judging each packet on its own
• Proxy server (application layer) - requests connections on behalf of a client, so inside and
outside hosts never talk to each other directly
• Stateful packet filtering - limits the traffic allowed into a network based not only on the
source and destination addresses but also on the contents of a state table, so that only
replies to connections the firewall has already seen are admitted
Figure 2.7 A typical secured network
The higher the security level of an interface, the more trusted the network connected to that
interface, and vice versa. Accordingly, the figure above assigns a security level of 100 to the
inside interface facing the LAN and a security level of 0 to the outside interface, which is
connected to the Internet or to the service provider. By default the ASA permits connections
initiated from a higher security level toward a lower one and denies connections initiated from a
lower level toward a higher one unless an access list explicitly permits them; return traffic for a
permitted connection is admitted through the state table without a rule of its own.
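The following ASA configuration is an added example, not the report's or BDU's configuration, showing the three-interface case that the stateful-filtering and security-level discussion above describes: inside at level 100, a DMZ at level 50 and outside at level 0, with exactly one DMZ service published to the Internet. It assumes ASA software 8.3 or later (object NAT syntax), and the interface names, the RFC 5737/1918 addresses and the DMZ web server 192.168.10.20 are invented for illustration.

```cisco
! Added example (not the report's or BDU's configuration): ASA interface
! security levels and the policy they imply. Assumes ASA software 8.3 or later;
! all addresses and the DMZ web server are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! With no access list applied, the levels alone decide who may open a connection:
!   inside (100) -> dmz (50) or outside (0): permitted
!   dmz (50)     -> outside (0):             permitted
!   outside -> dmz, outside -> inside, dmz -> inside: denied
! Replies to a permitted connection are matched in the connection (state)
! table and pass back regardless of level, so no reverse rule is written.
!
! Expose exactly one DMZ service to the Internet: HTTPS on the web server.
object network web-server
 host 192.168.10.20
 nat (dmz,outside) static 203.0.113.3
!
! On 8.3+ access lists reference the real (untranslated) address.
access-list OUTSIDE-IN extended permit tcp any object web-server eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Applying an access list to an interface replaces the level-based default
! for traffic entering it, so the intent is restated: the DMZ may reach the
! Internet but must never initiate connections into the inside network, even
! if the web server is compromised.
access-list DMZ-IN extended deny ip any 10.10.0.0 255.255.255.0 log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
```

The DMZ-IN list is the part most often forgotten: without it a level-50 DMZ is already blocked from the level-100 inside, but the moment someone adds an access list to the dmz interface for another reason, that implicit protection disappears and only the explicit deny keeps a compromised DMZ host away from the server farm.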
Server Farm Security
Deploying multilayer defense mechanisms is the first action that should be considered to secure
server farms. To add additional protection for the BDU server farms against internal and
external attacks, Cisco ASA 5500 firewalls and IPS modules will be deployed. The Cisco ASA
5500 firewalls and IPS modules will be configured to filter and inspect the traffic that flows to and
from the critical application servers according to the access policies set by BDU.
ASA Firewall Placement
The ASA firewall will be placed between the core/distribution switches and the redundant server
farm switches to secure any traffic flow between the server farms and the LAN users.
Network Device Security (Device Hardening)
Physical security/controls help protect the data’s environment and prevent potential attackers
from readily having physical access to the data. Examples of physical controls are
– Security systems to monitor for intruders
– Physical security barriers (for example, locked doors) while entering to data centers and
accessing network devices.
– Climate protection systems, to maintain proper temperature and humidity, in addition to
alerting personnel in the event of fire
– Security personnel to guard the data center
2.3 The Work Flow of Main Campus Data Center
As shown in Figure 2.8, the main campus data center is under the System & Network Administrator. The reporting line of the main campus data center runs hierarchically from the President down to the Network Administrator:
President → Executive Director → System & Network Administrator → Case Team → Network Administrator
Figure 2.8 The work flow of main campus data center
2.4 Work piece and work tasks I have been executing
The work tasks which I executed during my internship period were basic switch
configuration, VLAN, VTP and trunking configuration, and Microsoft Windows Server 2008 DNS,
DHCP, IIS, FTP and Active Directory.
VLAN configuration
The hierarchical topology segments the network into physical building blocks, simplifying
operation and increasing availability. Each layer within the hierarchical infrastructure has a
specific role. By default, switches break up collision domains and routers break up broadcast
domains. The supervisor said that by creating virtual local area networks (VLANs) in the
distribution layer, switches break up broadcast domains in a pure switched internetwork. A
VLAN is a logical grouping of network users and resources connected to administratively
defined ports on a switch. He said that when you create VLANs, you are given the ability to
create smaller broadcast domains within a Layer 2 switched internetwork by assigning different
ports on the switch to serve different subnetworks. A VLAN is treated like its own subnet or
broadcast domain, meaning that frames broadcast onto the network are only switched between
the ports logically grouped within the same VLAN.
Configuring a VLAN involves two basic steps:
1. creating the VLAN, and
2. assigning the proper ports to that VLAN.
In practice, I was very much concerned with the work during the configuring of VLANs. VLANs can
be created on a VTP server switch or on each individual switch, but in the BDU campus area
network all VLANs were created on VTP server switches, which makes them more manageable and
scalable. I chose the distribution layer switches to operate in VTP server mode and made all the
access switches operate as VTP clients; hence all the VLANs configured on a distribution switch
are propagated to all the respective access switches.
Note: By default, all VLANs are allowed on all trunks. You can explicitly control which VLANs
are allowed on a trunk by using the switchport trunk allowed vlan vlan-id command on the
interface at each end of the trunk. In addition, you can specify a native VLAN other than the
default VLAN 1 using the switchport trunk native vlan vlan-id command. These two
measures help reduce the possibility of VLAN hopping attacks: a double-tagged frame sent from an
access port can only cross into another VLAN if the attacker's access VLAN is the same as the
trunk's native VLAN, so the native VLAN should be one that no access port uses.
The Fast Ethernet ports connected to the hosts on the network can be set up as static access
ports because they are not to be used as trunk ports. Use the switchport mode access command to
set the access mode.
VTP
VTP stands for VLAN Trunking Protocol. VTP is a Cisco-proprietary Layer 2 messaging protocol
that manages the addition, deletion, and renaming of Virtual Local Area Networks (VLANs) on a
network-wide basis, which reduces the administration load in a switched network. When a new
VLAN is created on one VTP server, the VLAN is distributed to all switches in the domain, so the
same VLAN does not have to be configured everywhere. VTP provides the following benefits:
• VLAN configuration consistency across the network
• Mapping scheme that allows a VLAN to be trunked over mixed media
• Accurate tracking and monitoring of VLANs
• Dynamic reporting of added VLANs across the network
• Plug-and-play configuration when adding new VLANs
A VTP domain, also called a VLAN management domain, consists of trunked switches that are
under the administrative responsibility of a switch or switches in VTP server mode. A switch can
belong to only one VTP domain, identified by its VTP domain name. The default VTP mode for the
2960 and 3560 switches is server mode. VLAN information is not propagated until a domain
name is specified and trunks are set up between the devices.
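The configuration below is an added example, not the report's or BDU's configuration, that ties together the VLAN configuration section (creating VLANs, restricting the allowed and native VLANs on the trunk, static access ports) and this VTP section (distribution switch as VTP server, access switch as VTP client). The domain name BDU-MAIN, the VTP password, the VLAN IDs 10/20/99/999 and the interface numbers are assumed; the distribution switch is taken to be a Catalyst 3750 and the access switch a Catalyst 2960.

```cisco
! Added example (not the report's configuration): one distribution switch as
! VTP server and one access switch as VTP client, joined by a restricted trunk.
! Domain name, password, VLAN IDs and interfaces are assumed; the distribution
! switch is a Catalyst 3750, the access switch a Catalyst 2960.
!
! ---- Distribution switch (VTP server): VLANs are defined only here ----
vtp domain BDU-MAIN
vtp mode server
vtp password Assumed-VTP-Secret
vtp version 2
!
vlan 10
 name STAFF
vlan 20
 name STUDENTS
vlan 99
 name TRUNK-NATIVE
vlan 999
 name UNUSED-PORTS
!
interface GigabitEthernet1/0/1
 description trunk to access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
! ---- Access switch (VTP client): learns VLANs 10/20/99/999 from the server ----
vtp domain BDU-MAIN
vtp mode client
vtp password Assumed-VTP-Secret
vtp version 2
!
interface GigabitEthernet0/1
 description uplink to distribution switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
! Host ports: static access, no DTP, never placed in the trunk's native VLAN
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: parked in a dead VLAN and shut down
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two checks belong with this design. VTP synchronizes on the highest configuration revision number, so a switch (client or server) that once belonged to a domain with the same name and password and carries a higher revision will overwrite the VLAN database of every switch in the domain the moment its trunk comes up; run `show vtp status` on any switch before connecting it, and reset its revision to 0 (by moving it to transparent mode and back, or by changing its domain name) if it is not zero. Second, the native VLAN must match at both ends of the trunk and must not be assigned to any access port; VLAN 1 is left unused for hosts here and 99 exists only for the trunk, so a host in VLAN 10 gains nothing from double-tagging its frames. VTP and CDP still exchange control frames on VLAN 1 even though it is not in the allowed list, so the client continues to receive advertisements.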