Page 1: LAN Document

Local Area Network Technology Coursework Document

Task-1 Understand the impact of LAN Technologies

Answer-1: There are several types of LAN technology, distinguished by how devices access the medium and how they are logically connected. Below is a short summary of them.

Star topology – A system where a single central device (the HUB) is connected to all of the accessing devices (the SPOKEs). The HUB accepts data from a sender and delivers it to the appropriate receiver (SPOKE).

Ring topology – A system where all the computers are connected to each other in a chain: the first computer is connected to the second, and so on, until the last computer connects back to the first one.

Bus topology – Computers are connected to a single long cable to communicate with each other. Only one of the computers connected to the cable can transmit at a time.

Ethernet – This technology is an enhancement of the bus topology. IEEE currently controls the Ethernet standards. It opened at a speed of 10Mbps, later came 100Mbps, and now Gigabit Ethernet operates at 1000Mbps. As in a bus topology, multiple computers in Ethernet share a single link to communicate with each other. They use the CSMA/CD mechanism to avoid collisions during transmission.

Token Ring – It uses the ring topology for communication. When a computer wants to communicate it uses the token to send data. It must wait until the token arrives at its end; it then strips the token out of the ring and sends the data, and after transmission it inserts the token back on the ring so that other stations that are going to communicate can use the token too.

Fiber Distributed Data Interconnect (FDDI) – It also uses a ring topology, but with two rings instead of one for communication. It operates at 100Mbps, so it is faster than Ethernet. The two counter-rotating rings prevent data loss on a link failure and even on a node failure. This technology is generally implemented in the backbone.

Wireless LAN – It uses radio frequency instead of cable to pass signals between devices. It is a hybrid of Ethernet LAN. All computers use the wireless medium to communicate. There are types of connectivity in wireless called BSS, IBSS etc., where point-to-point or point-to-multipoint communication occurs between computers.

Decision – After studying the four LAN technologies I have decided to implement Ethernet technology on this network, in its enhanced 100 Mbps version. The head office network consists of almost 600 users, and they use local services from several servers, so the data load inside the network will be very high; 100Mbps Ethernet technology helps to facilitate this faster communication. I cannot choose wireless Ethernet, because it requires a special communication medium, so I would have to purchase wireless NIC cards, which would raise my budget. Nor have I chosen Token Ring, because in this technology if a node (computer) fails then all communication is lost, so there is no reliability in this technology; I think it is vulnerable for use in a high-speed LAN. FDDI has the capability for faster propagation with reliability too, but it also needs separate hardware to implement, because each station is attached to two separate lines simultaneously, and this technology is widely used on backbones.

Answer-2: Quality of Service (QoS) is an industry standard for ensuring high performance for critical applications. With this mechanism a network administrator can use the existing equipment to give more throughput on service delivery without changing the network architecture or hardware. Some traffic is given preference over other traffic because of its use, and this requires reliable and guaranteed delivery; QoS helps to achieve this goal. The network characteristics managed by QoS are listed below.

Bandwidth – The rate at which traffic is carried by the network.
Latency – The delay in data transmission from source to destination.
Jitter – The variation in latency.
Reliability – The percentage of packets discarded by a router.

IETF defines two major models for QoS on IP networks: Integrated Services (Intserv) and Differentiated Services (Diffserv). The Intserv model integrates resource reservation and traffic control mechanisms. The Diffserv model uses traffic control to support special handling of aggregated traffic flows. There are two categories of QoS mechanism:

Admission control – These processes specify how, when and by whom resources will be used.
Traffic control – Segregates traffic into service classes and controls delivery to the network.

QoS benefits for the network:
o Gives administrators control over network resources and allows them to manage the network from a business, rather than a technical, perspective.
o Ensures that time-sensitive and mission-critical applications have the resources they require, while allowing other applications access to the network.
o Improves user experience.
o Reduces costs by using existing resources efficiently, thereby delaying or reducing the need for expansion or upgrades.

Decision – In this network we have different service classes of data, for example File services, Web services, Mail services, DHCP services etc. The Database service has the highest priority, because this network is distributed over 5 locations that access the Database service. I would like to prioritize Database traffic first for smooth delivery. Next I want to give precedence to File service traffic, because high latency on file service traffic may prevent the files from reaching the requested destination, or even corrupt them through loss of bits while travelling. Web service and Mail services come after, and so on.


For bandwidth management, it is simply applied to WAN and Internet traffic, because once QoS is implemented on the network the local head office users will not face any bandwidth constraint, as they are connected with a 100Mbps link. But when users at the other 4 locations try to communicate they can face a bandwidth constraint, because the WAN link does not come with 100Mbps; it will have only a few Mbps of bandwidth to connect with HQ. So proper bandwidth management is needed to ensure quality and reliable delivery. Internet bandwidth will be managed too. If there is no management of bandwidth, the entire link bandwidth will be shared among all of the users, so users who come later will get slow service because of the existing usage. That is why it should be managed properly, subnet-wise or department-wise.
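The four QoS characteristics listed above can be measured from a packet trace before and after a policy is applied. The following is an added example, not part of the coursework document; SAMPLE_FLOW is a constructed trace and the priority table follows the decision above (Database, then File, then Web and Mail).

```python
"""QoS characteristics of a flow: bandwidth, latency, jitter and reliability.

Added example, not part of the coursework document. SAMPLE_FLOW is a
constructed trace of one service's packets (sequence number, send and
receive timestamps in ms, size in bytes); recv_ms None means the packet was
discarded on the way, which is what the document's reliability figure counts.
"""
from statistics import mean

# Priority order from the QoS decision above: Database, then File, then Web
# and Mail, everything else best effort. Lower number = served first.
SERVICE_PRIORITY = {"database": 0, "file": 1, "web": 2, "mail": 2}
BEST_EFFORT = 3

SAMPLE_FLOW = [  # constructed sample, not captured data
    {"seq": 1, "send_ms": 0, "recv_ms": 12, "size": 1500},
    {"seq": 2, "send_ms": 10, "recv_ms": 24, "size": 1500},
    {"seq": 3, "send_ms": 20, "recv_ms": None, "size": 1500},  # discarded
    {"seq": 4, "send_ms": 30, "recv_ms": 40, "size": 1500},
    {"seq": 5, "send_ms": 40, "recv_ms": 54, "size": 1500},
]


def service_priority(service):
    """Map a service name to its queue priority according to the plan above."""
    return SERVICE_PRIORITY.get(service.lower(), BEST_EFFORT)


def flow_metrics(packets):
    """Compute the four characteristics the document lists for QoS."""
    delivered = [p for p in packets if p["recv_ms"] is not None]
    if not delivered:
        raise ValueError("no packets delivered, metrics undefined")
    latencies = [p["recv_ms"] - p["send_ms"] for p in delivered]
    # Jitter as the document defines it: variation in latency, measured here
    # as the mean absolute change between consecutive delivered packets.
    steps = [abs(b - a) for a, b in zip(latencies, latencies[1:])]
    jitter = mean(steps) if steps else 0.0
    # Bandwidth: delivered bits over the interval from first send to last receive.
    span_ms = max(p["recv_ms"] for p in delivered) - min(p["send_ms"] for p in delivered)
    bits = 8 * sum(p["size"] for p in delivered)
    bandwidth_kbps = bits / span_ms if span_ms > 0 else 0.0  # bits/ms == kbit/s
    # Reliability: percentage of packets discarded.
    loss_pct = 100.0 * (len(packets) - len(delivered)) / len(packets)
    return {
        "bandwidth_kbps": round(bandwidth_kbps, 1),
        "latency_ms": round(mean(latencies), 2),
        "jitter_ms": round(jitter, 2),
        "loss_pct": round(loss_pct, 1),
    }


def sla_violations(metrics, max_latency_ms, max_jitter_ms, max_loss_pct):
    """Return the names of the characteristics that exceed the given limits."""
    limits = {"latency_ms": max_latency_ms, "jitter_ms": max_jitter_ms, "loss_pct": max_loss_pct}
    return [name for name, limit in limits.items() if metrics[name] > limit]


if __name__ == "__main__":
    m = flow_metrics(SAMPLE_FLOW)
    print("database queue priority:", service_priority("Database"))
    print(m, "violations:", sla_violations(m, 15, 5, 1))
```

The limits passed to sla_violations are the per-class targets an administrator would set (tightest for Database traffic); a class that keeps reporting violations after QoS is enabled points at the WAN link capacity rather than the policy.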

Answer-3: LAN security is the mechanism that protects network resources from any vulnerability. It consists of provisions and policies developed by the network administrator to prevent unauthorized traffic from entering restricted resources. There are a lot of security exploits that can happen on an IP network. Below is a list of common security risks for a network:

o Denial of service attack
o ARP spoofing
o Buffer overflow
o Man in the middle attack
o SQL injection
o SYN attack
o Port scanning

Most of these attacks affect network traffic and target the LAN user machines and servers, reducing throughput and effective service delivery. There are some recommended measures we can take to avoid these types of vulnerability:

o A firewall and proxy to keep unwanted people from accessing the network from inside or outside.
o User end points will be equipped with strong antivirus programs, with an up-to-date virus definition database and a scheduled scan on a daily/weekly basis.
o The more vulnerable servers (like Web/FTP/Mail), which can be accessed from outside, need to be kept in an isolated zone to protect them from being compromised.
o Strong encrypted passwords used for device access, which need to be changed periodically.
o Host traffic should be monitored to check whether any security policy violation occurs or not.

There are certain layers of security which can be applied to ensure maximum network performance and availability.

1. Perimeter Security – This is the first layer of security that outsiders have to face to enter the corporate network. This layer consists of the internet and WAN network. It includes the DMZ zone resources like the Mail/FTP/Web servers. So a firewall with intrusion detection technology will be needed to sense an attack on the perimeter and take the necessary action as quickly as possible.

2. Core Security zone – This layer consists of the internal LAN devices together with the servers. This is the zone which needs to be protected not only from outsiders but also from inside users. Here we can separate the server zone network from the user network and use a separate firewall to protect each of them. There will be policies on the server firewall to authorize which user/user segment can access which services from where. Here we can use an intrusion prevention system to categorize signature-based attacks and block the malicious traffic.

3. Host level security – This is the end-station security, which includes the user PCs and individual servers. These end stations can be protected by their own security mechanism, using antivirus programs.

Answer-4: Identity-based networking can be used to block unwanted users from getting access to the network. It consists of the Extensible Authentication Protocol with an AAA service enabled in the network. Every authorized user will use his own identity credentials to access the network; these could be a simple username and password, a machine-generated certificate, or both. Even the very simple mechanism of port security can be applied to achieve this, where each port is bound to a single MAC address. So if the port does not see the correct MAC it will not become active, but this mechanism will not work if there is no dedicated port provided per user.


Task-2 Be able to design LAN Infrastructure

Answer-1: Here are the topologies we could deploy in this network.

Topology – 1

Topology – 2


The first topology consists of three zones: internet, core infrastructure and WAN. The internet zone connects the router with the internet service provider network to reach the outside world. NAT and PAT will be used in the router so that users and internet-enabled servers can reach the internet. Below this is the core network zone, which is protected by a firewall, so user traffic from inside to outside and inbound traffic must meet the policy. Behind the firewall the core zone consists of the networking equipment that gives servers and hosts access to internal resources. The third zone is the WAN connections, where outside users from the 4 locations come to get the corporate resources. This zone is handled by the internet router too, which forwards the traffic to the firewall for the policies to be applied. Once the policy check passes, WAN traffic gets access to the core network. This topology has some performance and security flaws. First, user data and server data reside on the same core network, which is vulnerable, because host station broadcast messages can degrade the performance of service delivery. Again, the core zone has both DMZ and local servers, so if any outsider breaks into a server the entire network is open to them. There is no separate zone for intranet and internet traffic. Also, a single firewall is used to filter the whole internet and WAN traffic, which could be a performance issue for dedicated traffic delivery.

I propose the 2nd topology for implementation in the network. This design has a separate functional zone called the DMZ zone for internet servers like Web/Mail/FTP etc., and a core zone with layer 3 separation between user traffic and local server traffic. There is a separate ServerFarm zone for local servers like Database, Domain controller, DNS and so on, and I give a separate firewall to secure the ServerFarm zone. In the DMZ, security will be given by a separate perimeter firewall; if any vulnerability occurs, the firewall can easily separate the DMZ server traffic and keep the core network zone safe. Here the WAN connections are terminated on a separate WAN router. So layer-based security is achieved with dedicated traffic delivery for local and outside users. Above all, in this topology we use an intrusion detection system to track unusual behaviour of user traffic and generate an alarm to the network administrator to take the necessary actions.

Answer-6: In my proposed design I am going to use certain devices to connect the user stations and servers. Below is the list of the devices we are going to use:

o Routers (both for Internet & WAN)
o Firewall (both for Internet & ServerFarm)
o Intrusion Detection System (IDS appliance)
o Layer 3 Switch (used for the Core Network)
o Layer 2 Switch (used both for Host Access and for Servers to connect in both the DMZ and ServerFarm zones)

Here we use Layer 3 switches, which will be connected with all the access switches over redundant paths. Depending on the distance of the host location, the access switch uplinks will use either Gigabit copper-based Ethernet cable or Gigabit fiber-based cable. The access switches will be manageable, so we can segregate users department-wise on different VLANs. Through these VLANs we can reduce the broadcast domains, and subnet-wise user management is also easier. Inter-VLAN sub-networks will communicate through the Core switch. The IDS is used to raise an alarm about unusual activity when devices are affected. The ServerFarm zone is separated into a different sub-network, where a single server VLAN or multiple VLANs can be used. Servers are directly connected to this switch, and this switch will have uplinks to the ServerFarm firewall. We use a Syslog server in the local ServerFarm zone to collect all the network equipment logs centrally. We are deploying NMS servers to collect SNMP traps from the devices, which will give us insight into the various events occurring on each device and flexibility of management. On the upper side of the Core switch we connect the Internet firewall, where all of the users' internet requests are monitored. A separate zone on this firewall connects with a switch; this zone is for the servers which receive not only local traffic but also traffic from outsiders. Here the Mail, Web and FTP servers will connect directly to switch ports, and I am going to assign public IPs directly on these servers' NICs. On the other hand, a WAN router is connected directly with this firewall to handle remote branch office traffic, so the WAN router will segregate all branch office networks and facilitate communication between them. Above the internet firewall an internet router will be used to terminate the internet service provider connections and perform NAT for users to provide internet access. This router can also handle multiple service provider links for load balancing and/or failure protection.

Answer-7: In this network many types of traffic will be generated, because the ServerFarm zone has different servers with services, for example Database service, Domain service, File service, local web service, DHCP service, SNMP management services etc. The DMZ zone has separate services like Mail, Web, FTP etc. According to the QoS plan, Database traffic will be prioritized first, both from the ServerFarm and from the access area. Then we prioritize File service traffic, as it also needs to be delivered efficiently. DHCP and the other local services will be served normally. To achieve this we have to use QoS on every network device that carries this service data.


Task-3 Be able to implement LAN infrastructure

Answer-8:

Network topology for LAN, WAN, Internet infrastructure


Answer-9: Below is the subnet list of the user networks.

User Department    Range of IP addresses            Subnet Mask        Gateway IP       Broadcast IP
Customer Service   192.168.1.1 <-> 192.168.1.13     255.255.255.240    192.168.1.14     192.168.1.15
Accounts           192.168.1.65 <-> 192.168.1.125   255.255.255.192    192.168.1.126    192.168.1.127
Finance            192.168.1.129 <-> 192.168.1.190  255.255.255.192    192.168.1.191    192.168.1.192
Library Room-1     192.168.2.1 <-> 192.168.2.125    255.255.255.128    192.168.2.126    192.168.2.127
Library Room-2     192.168.2.129 <-> 192.168.2.253  255.255.255.128    192.168.2.254    192.168.2.255
Library Room-3     192.168.3.1 <-> 192.168.3.125    255.255.255.128    192.168.3.126    192.168.3.127
Library Room-4     192.168.3.129 <-> 192.168.3.253  255.255.255.128    192.168.3.254    192.168.3.255
Library Room-5     192.168.4.1 <-> 192.168.4.125    255.255.255.128    192.168.4.126    192.168.4.127

Here I have used Class C private IP addresses for connecting the host stations, and VLSM is applied. Variable Length Subnet Mask (VLSM) is a technique by which you can save IP addresses from being wasted through over-allocation. In this example we are using the numbers 1, 2 and 3 in the 3rd octet to fulfil all user IP requirements. It is scalable enough to satisfy future growth, because if tomorrow some new users come and the LAN is expanded then we can use the remaining 3rd octet values to accommodate more than 250 x 253 users without wasting many of our IPs. This type of VLSM is also helpful when summarization is used on classless routing protocols to route between multiple routers.
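A VLSM plan is easy to get off by one in, so each row of the table above should be recomputed from its mask before the VLANs and DHCP scopes are configured. The check below is an added example, not part of the coursework; it copies the table as constructed input, derives every subnet with Python's ipaddress module, and assumes the table's convention that the gateway is the highest usable address and the user range ends just below it.

```python
"""Recompute each department subnet from its mask with Python's ipaddress module.

Added example, not part of the coursework document. PLAN copies the address
table above as constructed input; verify_plan reports any entry whose user
range, gateway or broadcast does not match what the mask actually yields,
and any two subnets that overlap. Assumed convention (taken from the table):
gateway = last usable address, user range ends just before it.
"""
import ipaddress

# (department, first user host, last user host, mask, gateway, broadcast)
PLAN = [
    ("Customer Service", "192.168.1.1", "192.168.1.13", "255.255.255.240", "192.168.1.14", "192.168.1.15"),
    ("Accounts", "192.168.1.65", "192.168.1.125", "255.255.255.192", "192.168.1.126", "192.168.1.127"),
    ("Finance", "192.168.1.129", "192.168.1.190", "255.255.255.192", "192.168.1.191", "192.168.1.192"),
    ("Library Room-1", "192.168.2.1", "192.168.2.125", "255.255.255.128", "192.168.2.126", "192.168.2.127"),
    ("Library Room-2", "192.168.2.129", "192.168.2.253", "255.255.255.128", "192.168.2.254", "192.168.2.255"),
    ("Library Room-3", "192.168.3.1", "192.168.3.125", "255.255.255.128", "192.168.3.126", "192.168.3.127"),
    ("Library Room-4", "192.168.3.129", "192.168.3.253", "255.255.255.128", "192.168.3.254", "192.168.3.255"),
    ("Library Room-5", "192.168.4.1", "192.168.4.125", "255.255.255.128", "192.168.4.126", "192.168.4.127"),
]


def derive_subnet(first_host, mask):
    """Return the network containing first_host under mask and the addresses the table should list."""
    net = ipaddress.IPv4Network(f"{first_host}/{mask}", strict=False)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{net} has no room for users plus a gateway")
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-2]),   # last address left for users, gateway excluded
        "gateway": str(hosts[-1]),     # table convention: highest usable address
        "broadcast": str(net.broadcast_address),
        "user_capacity": len(hosts) - 1,
    }


def verify_plan(plan):
    """Return (department, field, listed value, expected value) for every mismatch or overlap."""
    problems = []
    networks = []
    for dept, first, last, mask, gateway, broadcast in plan:
        actual = derive_subnet(first, mask)
        listed = {"first_host": first, "last_host": last, "gateway": gateway, "broadcast": broadcast}
        for field, value in listed.items():
            if actual[field] != value:
                problems.append((dept, field, value, actual[field]))
        networks.append((dept, ipaddress.IPv4Network(actual["network"])))
    for i, (d1, n1) in enumerate(networks):
        for d2, n2 in networks[i + 1:]:
            if n1.overlaps(n2):
                problems.append((d1, "overlaps", str(n1), f"{d2} {n2}"))
    return problems


if __name__ == "__main__":
    for row in PLAN:
        print(row[0], derive_subnet(row[1], row[3]))
    for problem in verify_plan(PLAN):
        print("MISMATCH", problem)
```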

Answer-10: There are a lot of security policies we can apply to secure the network. We have focused only on the techniques useful for this infrastructure.

Access list – To prevent unauthorized traffic travelling to a secure network area like the ServerFarm or DMZ zone, use an ACL to block the traffic. An ACL can also be used to permit access to specific services by specific users, based on IP/identity.

MAC based authentication – To prevent an unauthorized PC/handheld/laptop from getting access, we can use MAC-based authentication, where all the authorized stations' MACs are registered on an AAA server, and when a device wants to connect its MAC is checked before access is granted.

Port security – There are a few port security mechanisms we can use on a port to secure the network. We can limit the MAC entries learned on a port, to prevent a port being used as a hub source for another user's network.

BPDU guard – This technology is used to prevent STP root bridge manipulation. That is why this feature needs to be enabled on every access port, to prevent any device from becoming the Root Bridge.

A secure protocol like HTTPS is used for accessing the network devices' web GUI. This will help to encrypt the user's transactions with the device, preventing man-in-the-middle attacks.
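The port security and MAC-based authentication described here and in Answer-4 are easiest to reason about as a small state machine per access port. The model below is an added example, not part of the coursework: REGISTERED_MACS is a constructed stand-in for the AAA server's registry, the port keeps a sticky list of learned MACs up to a limit and goes err-disabled on a violation, and the event list is what would be forwarded to the Syslog server from Answer-6.

```python
"""Access-port admission control: registered-MAC check plus a port-security limit.

Added example, not part of the coursework document. It models the two
mechanisms from Answer-4 and Answer-10: a registry of authorised station
MACs (standing in for the AAA server) and a per-port limit on learned MACs
with sticky learning, where a violation err-disables the port. The event
list mirrors what would be sent to the Syslog server for alerting.
"""

REGISTERED_MACS = {  # constructed AAA registry, not real hardware addresses
    "00:11:22:33:44:55": "customer-service-pc-01",
    "00:11:22:33:44:66": "accounts-pc-07",
}


class AccessPort:
    def __init__(self, name, max_macs=1, registry=None):
        self.name = name
        self.max_macs = max_macs      # maximum MACs the port may learn
        self.registry = registry      # None = MAC authentication not enforced
        self.learned = []             # sticky MACs, in the order learned
        self.err_disabled = False
        self.events = []

    def receive(self, mac):
        """Return True if a frame from mac is forwarded, False if dropped."""
        mac = mac.lower()
        if self.err_disabled:
            return False
        if self.registry is not None and mac not in self.registry:
            self.events.append(f"{self.name}: {mac} not registered, frame dropped")
            return False
        if mac in self.learned:
            return True
        if len(self.learned) >= self.max_macs:
            # A further station appeared behind the port (a hub or a second PC).
            self.err_disabled = True
            self.events.append(f"{self.name}: security violation by {mac}, port err-disabled")
            return False
        self.learned.append(mac)
        self.events.append(f"{self.name}: learned {mac} ({len(self.learned)}/{self.max_macs})")
        return True

    def recover(self):
        """Administrator action once the cause of the violation has been removed."""
        self.err_disabled = False


def shutdown_report(ports):
    """Names of ports an operator needs to look at, as the syslog feed would show them."""
    return [p.name for p in ports if p.err_disabled]


def demo():
    # Dedicated user port: exactly one station allowed (Answer-4).
    fa1 = AccessPort("Fa0/1", max_macs=1, registry=REGISTERED_MACS)
    results = [fa1.receive("00:11:22:33:44:55"),   # learned
               fa1.receive("00:11:22:33:44:55"),   # same station, forwarded
               fa1.receive("00:11:22:33:44:66"),   # second station -> violation
               fa1.receive("00:11:22:33:44:55")]   # port is now err-disabled
    # Shared port, the case Answer-4 warns about: the limit must fit every station.
    fa2 = AccessPort("Fa0/2", max_macs=3)
    shared = [fa2.receive(m) for m in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03")]
    return results, shared, shutdown_report([fa1, fa2])


if __name__ == "__main__":
    print(demo())
```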


Answer-11: There are some ways to test network performance, reliability and security.
o From host stations, ping www.google.com and watch the reply times; if it shows a steady time then network utilization and bandwidth are in good shape.
o While the network is carrying traffic, disconnect one uplink cable from an access switch to check the reliability of the network.
o Check the access list hit counts to see that it is filtering traffic according to the rules.
o If subnet-wise policy is applied, then move a user PC from one subnet to another and check whether the access policy shifted or not.
o From a host PC send an extended ping to the servers and check the alarms from the firewall.
o Use traffic generator software from a host PC to check whether the IDS is working or not.
o Plug an authorized device into a switch port and check whether it gets a connection or not.

Task-4 Be able to manage LAN infrastructure

Answer-12: The list below shows some performance baselines for the above network infrastructure.
o Check the CPU on switches / routers / firewalls
o Perform trace routes to / from different VLANs to determine the average latency
o Check uplinks for dropped / discarded packets, CRC and alignment errors (duplex mismatch)
o Whether any host is sending any kind of bulk traffic or not
o Whether all the servers with the specified services are up and running or not
o How many connections there are on the DMZ servers
o How much bandwidth is used by the internet and WAN routers

Answer-13: Here are some screen shots showing performance monitoring from different tools.


Information about network performance obtained from the Cisco Network Analysis System


The last two screenshots have been taken from the Solarwinds Network Performance Monitor tool and the Cacti tool.

The above reports show the network performance at any given time. The first screenshot is taken from the Cisco Network Analysis tool, where it shows a traffic summary using NetFlow technology. Here you can find which host is creating the highest traffic in the network, which protocol has the highest usage in the network, and the VLAN-wise traffic distribution. In the next screenshot you find the latest network device CPU usage, which can confirm your quality of performance, using Solarwinds NPM. If any CPU usage goes beyond the normal value it generates an alarm and sends notifications to the administrator. The third screenshot is generated from a Linux-based monitoring service called CACTI. It records the link utilization, so you can see and report how much bandwidth is being used and also get the usage history on a per day/month/year basis.

Answer-14: For easy troubleshooting in the network some steps should be followed. Common problems:
o Some users complain about not getting IPs from the DHCP server.
o Name resolution not working.
o A user not getting internet.
o Branch users not getting services.
o One department's user cannot access another department's PC.

Troubleshooting the above problems:
o First check whether the PC NIC is connected to the switch or not.
o Check the switch port, to see whether this port is a member of the VLAN or not.
o Check the DHCP server and its service.
o For the name resolution problem, check the DNS server and its service. If the service is running then restart the specific service.
o For internet problems, try to ping www.google.com from the Windows command prompt. If it resolves an IP but gets no reply, check the NAT configuration in the internet router. Also issue the tracert command with www.google.com and check from which hop it stops getting an answer.
o If remote branch users face a problem with connectivity, check the routing on both the WAN router and the Core switch. Also check both firewalls to see that there are policies for the WAN users who want access.
o If a sub-network user cannot access another sub-network user's PC, then check the inter-VLAN routing.