Network Analysis
20 May

University of XXXXXXXXXXX
An analysis of the key requirements of the University's new network, providing physical and logical solutions to these requirements

Contents

Introduction
Key Requirements
Administration Assistants
Curriculum Staff
Students
Wireless Network
Analysis of Requirements
Location of IDF
Router
Network Addressing
Server Security
Server Location
Administrative Assistants Requirements Analysis
Curriculum Staff Requirements Analysis
Students
VOIP
Wireless Network
Network Management & Security
Physical Network Topology
Ground Floor
First Floor
Logical Network Topology
IPV4 Addressing Scheme
IPV6 Addressing Scheme
Router Connectivity
Router Protocol
Access Control Lists
DHCP
Switch Connectivity
Distribution Layer
Access Layer
IP Addressing Table
Wireless LAN
Conclusion
Appendix
Physical Network Diagram
Rack Assignments
Equipment List
Logical Network Diagram
Router Port Count Table & Colour Code
Router IPV6 Address Table
Router Interface Connectivity Table
Switch 5 Connectivity Table (Distribution Layer Switch)
Switch Port Access Layer Interface Allocations
Switch Port VLAN Summary
IP Addressing Table
Protocols Comparison Table
References


Introduction

This report analyses the key requirements of the University's new network and provides physical and logical solutions to these requirements.

The report first sets out the key requirements and then analyses each of them in detail. It then looks at the physical equipment that will be necessary, explains the recommended logical network setup and makes recommendations regarding security.

Finally it discusses router and switch connectivity and provides a solution for a wireless network.

 

Key Requirements

The key requirements are listed below:

  1. Three main fiber backbones coming in to the Ground Floor Intermediate Distribution Frame (IDF) will need to be connected to the router.
  2. The address range provided is 192.168.0.0/16. Addresses 192.168.1.0/28 (summarised) are used for the fiber backbones and cannot be used.
  3. Servers are only to be accessed by the relevant staff.
  4. Servers are to be located to give the best performance.
  5. A secure management network is required to administer all of the devices.

 

Administration Assistants

  1. Student Services and Student Records access the same server.
  2. 7 Student records assistants and 6 Student Services assistants to be able to access one Student Info server, 2 printers and their 13 VOIP phones.
  3. 6 Finance staff to access one finance server 1 printer and their 6 VOIP phones.

 

Curriculum Staff

  1. Network Manager and Technician to be able to access all servers, 2 printers and their 2 VOIP phones.
  2. 6 Staff and the curriculum Manager have access to 5 servers, 7 printers and their 7 VOIP phones
  3. There must be enough ports spare to support a 100% server expansion over the next 5 years. This means we need to ensure there are at least 5 extra ports.

Students

 

  1. Students are taught in 3 large classrooms on the ground floor.
  2. PhD research students use hosts, printers and VOIP phones in private study rooms on the ground floor.
  3. All students, including PhD students, are able to use the meeting room hosts, IP phone and printers on the first floor.

 

Wireless Network

  1. Provide a solution for a wireless network of at least 50 hosts, considering:
    • Signal penetration
    • Security
    • IEEE standard
    • Bandwidth allocation


Analysis of Requirements

 

Location of IDF

The three WAN fibers enter the building on the ground floor, so a rack to house the terminating equipment should be positioned on the ground floor.

The most suitable place for the Intermediate Distribution Frame (IDF) is the storage room on the ground floor. This is directly below the Main Distribution Frame (MDF), which will be located in the technician's office on the first floor. The three WAN fibers can then be connected to the equipment in the IDF.

Router

The bandwidth requirement is 3 x 10 Gbit/s interfaces, a total of 30 Gbit/s that the router must be able to switch. Cisco (2013) recommends the 7600 Series routers as being capable of switching data rates of this order.

Network Addressing

Cisco (2014) recommends dividing large networks into smaller subnets to limit broadcast traffic, using Variable Length Subnet Masks (VLSM) where subnets need to be sized differently. Global Knowledge Training (2013, p.3) recommends no more than 254 hosts per VLAN. The largest network here is the Student network, which is fewer than 100 devices.

The address range provided is much larger than our needs and the number of hosts per VLAN is relatively small, so there is no need for VLSM. It is proposed to use /24 subnets in which the third octet identifies the network. The same number is used as the VLAN ID, giving a clear link between the network ID and the VLAN ID.

Server Security

Placing the servers on the relevant VLANs and applying Access Control Lists on the router where necessary will ensure that only authorised users are able to reach the servers.

Server Location

All of the servers are to be used by the staff on the first floor, so it is advisable that the servers also be located on the first floor. This will reduce traffic between the MDF and IDF. It is recommended that the servers be located in the technician's room within the MDF cabinet. This location provides physical security for the servers, as only authorised staff may enter this room. It should be noted that the servers can be consolidated onto one Hyper-V or VMware host depending upon client preference; if this is done, each virtual machine's network adapter must be placed on the VLAN that the corresponding physical server would have used, otherwise the VLAN separation described in this report is lost.

 

Administrative Assistants Requirements Analysis

Student Services hosts and Student Records hosts will be placed on the same VLAN along with the requisite server and printers, so that the relevant users are able to reach their authorised server and printers. ACLs will also be used to prevent access from unauthorised networks.

Finance hosts, the finance printer and the requisite server will be on their own VLAN to provide security. ACLs will also be used to prevent access from unauthorised networks.

Curriculum Staff Requirements Analysis

The curriculum manager's host, the staff hosts, the 5 servers and the 7 printers will be placed on the curriculum VLAN to provide security.

The network technician's host and the network manager's host, along with their printers, will be placed on the management VLAN. The ACLs for all networks will be written to allow access from the management network. This ensures that the IT staff are able to reach all of the servers and the equipment infrastructure.

A minimum of five spare ports will be left for future curriculum server expansion.

Students

The 72 student hosts on the ground floor and their 3 printers will be assigned to the Students VLAN.

The PhD research students' hosts will be assigned their own VLAN. An ACL will block traffic from the Students VLAN.

The 4 hosts and 4 printers in the meeting rooms on the first floor will have their own VLAN; this simplifies the security design and the Access Control Lists.

VOIP

All VOIP phones will be placed on their own VLAN. An ACL will block traffic from every VLAN except the management VLAN.

Wireless Network

The range offered by various manufacturers' equipment, the available security options and the VLAN requirement are considered in the Wireless LAN section below.

 

Network Management & Security

Management VLAN

A secure management VLAN (VLAN 99) will be configured so that all network devices can be managed. Unless a user is on the management VLAN they will not be able to configure switches and routers: the vty lines of every switch and of the router will be restricted with an access list so that only sources in the management subnet can open a session, and the router ACLs will deny traffic from the other VLANs to the management subnet.

Additionally all switches and routers will be configured to accept only encrypted Secure Shell (SSH version 2) sessions; Telnet will be disabled.

Port Security

According to Wilkins & Smith (2011) one of the most overlooked security areas is the configuration of individual switch ports. Wilkins argues that the switch port security feature offers the ability to limit each port to a specific device / MAC address.

All access ports will be configured with MAC address port security using the sticky secure MAC address option. This allows each switch to learn dynamically the MAC address of the first device plugged into a port and to record it in the running configuration. Because sticky addresses exist only in the running configuration, the configuration must be saved to startup after the hosts have been connected, or the learned addresses are lost at the next reload.

Several violation actions exist for when an unauthorised device is plugged into a port. The SHUTDOWN action is recommended: it places the port into the err-disabled state should anyone attempt to plug another device into it, directly or via a wall port in the building. An err-disabled port stays down until it is re-enabled by hand (shutdown followed by no shutdown) or until errdisable recovery is configured for port-security violations, so each shutdown event should also be logged and investigated.

The default maximum of one secure MAC address per port will be used, ensuring that only the initial host or device can use that port. If a PC is later daisy-chained through an IP phone (see Voice VLAN below), that port's maximum must be raised to two.

DHCP Snooping Security

Cisco (2013) explains that DHCP snooping ensures that unauthorised DHCP servers cannot be connected to the network: DHCP server messages (offers and acknowledgements) are accepted only on ports marked as trusted and are dropped on every other port. The DHCP relay agents and the authorised DHCP server must be running before DHCP snooping is enabled on each switch. The port to which the DHCP server is connected, and the trunk uplinks through which relayed DHCP replies arrive from the router, must be set as trusted (Cisco, 2013). Note that Cisco switches insert DHCP option 82 by default once snooping is enabled, and the router relay will drop such requests unless option 82 insertion is disabled on the switches or the router is configured to trust it. DHCP snooping will be enabled throughout the network.

VLAN Security

Cisco (2014) states that good security practice is to separate management and user data traffic and that the default of VLAN 1 should be changed. The management VLAN has therefore been changed to VLAN 99.

Cisco further recommends that the native VLAN should also be distinct from all other VLANs; it has therefore been changed to VLAN 88. No access port will be assigned to VLAN 88, so it carries only untagged control traffic on the trunks and never user data.

Blackhole VLAN

Cisco (2014) continues to explain that all unused ports should be shut down and assigned to an unused VLAN. This is usually done by assigning all unused ports to a black hole VLAN that is not used for anything else on the network. Here the black hole VLAN is VLAN 66. All unused ports will be assigned to it and then shut down.

Dynamic Trunking Protocol (DTP) Negotiate

According to the Cisco Academy (2014) DTP is used to negotiate the formation of a trunk between two interfaces. The Cisco Academy recommends that Cisco best practice be followed: all ports are set to nonegotiate, interfaces that need to be trunks are set to permanent trunking mode, and ports where trunking is not required (all access ports) have DTP turned off.
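The following configuration is an added example, not taken from the report, showing how the measures in this section combine on one of the ground-floor 48-port 2960-X switches (Switch 2): the management SVI with SSH-only access restricted to the management subnet, DHCP snooping with the uplink trusted, the uplink trunk with DTP off and native VLAN 88, sticky port security on the access ports, and the black hole VLAN for spare ports. The Gi1/0/x interface numbering, the 192.168.99.4 management address (one of the report's .3 to .7 range), the domain name and the username are assumptions for illustration.

```cisco
! Added example (not from the report): access-layer hardening for Switch 2.
! Interface numbering (Gi1/0/x), the management address 192.168.99.4, the
! domain name and the username are assumptions for illustration.
hostname SW2
!
vlan 10
 name STUDENTS
vlan 15
 name PHD-STUDENTS
vlan 40
 name VOICE
vlan 66
 name BLACKHOLE
vlan 88
 name NATIVE-UNUSED
vlan 99
 name MANAGEMENT
!
! Management plane: SVI on VLAN 99 only, SSH version 2, Telnet disabled,
! vty lines accept connections from the management subnet alone.
interface Vlan99
 ip address 192.168.99.4 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.254
ip domain-name campus.example
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
ip access-list standard MGMT-ONLY
 permit 192.168.99.0 0.0.0.255
 deny   any log
line vty 0 15
 transport input ssh
 access-class MGMT-ONLY in
 login local
!
! DHCP snooping for the VLANs this switch serves. Every port is untrusted
! by default; only the uplink (the path to the router relay and so to the
! DHCP server) is trusted. Option 82 insertion is disabled because the
! router relay would otherwise drop requests that carry it.
ip dhcp snooping
ip dhcp snooping vlan 10,15,40
no ip dhcp snooping information option
!
! Uplink trunk: permanent trunk, DTP off, native VLAN 88, and only the
! ground-floor VLANs plus management allowed across it.
interface GigabitEthernet1/0/49
 description Fiber uplink towards distribution switch 5
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,15,40,99
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
! Student hosts: access port, DTP off, one sticky MAC, port shut on violation.
interface range GigabitEthernet1/0/1 - 24
 description Student host
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! PhD hosts and printers (VLAN 15) and VoIP phones (VLAN 40): same template.
interface range GigabitEthernet1/0/33 - 44
 switchport mode access
 switchport access vlan 15
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
interface range GigabitEthernet1/0/45 - 48
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Spare ports: black hole VLAN and administratively down.
interface range GigabitEthernet1/0/28 - 32
 description Spare - blackhole
 switchport mode access
 switchport access vlan 66
 shutdown
!
! A violation leaves the port err-disabled until someone issues
! shutdown / no shutdown; this lets it recover on its own after 10 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Sticky addresses are held in the running configuration only;
! save them or they are lost on reload.
end
write memory
```

After the hosts have been connected, `show port-security interface GigabitEthernet1/0/1` confirms the learned sticky address and the violation mode, `show ip dhcp snooping` confirms which ports are trusted, and `show interfaces trunk` confirms that only the intended VLANs are allowed on the uplink.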

 

Physical Network Topology

 

Ground Floor

An Intermediate Distribution frame (IDF) has been situated on the ground floor in the storage room. This is in an ideal place as it is directly below the Technicians room on the first floor.  (See Physical Network Diagram)

Router 1 will be placed within this IDF (see Rack Assignments). The router is a Cisco 7603 (7600 Series) with an additional 4-port fiber interface module, which brings the total number of network interfaces to six. The three incoming fiber backbones will be connected directly to it. A fourth fiber interface will form the backbone to the main distribution switch located in this IDF.

A 24-port 2960-X switch (switch 5) will be sited within this IDF to provide the distribution layer of the network. All other switches and the router will be connected to this switch via fiber cables and interfaces. A fiber patch panel has been added to provide access to the 10 Gbit/s fiber backbone.

Two 48-port 2960-X switches will also be sited within the IDF to serve the classrooms and study rooms on the ground floor. The switches can be connected together by a stack connection or trunked via an uplink interface. Switch 1 will then be connected to the distribution switch (switch 5) via an additional 10 Gbit/s fiber trunk.

A benefit of siting the router on the ground floor is that all ground floor data can be routed directly to the router external fiber interfaces from these two switches. There should be no need for Student and PHD Student data traffic to the first floor as there are no required student services or servers on that floor.

First Floor

A Main Distribution Frame (MDF) has been sited on the first floor within the IT Technicians office. (See Physical Network Diagram)

Two 48-port 2960-X switches will be sited within the MDF (see Rack Assignments) to serve the staff rooms and meeting rooms on the first floor. The switches can be connected together by a stack connection or trunked via an uplink interface. Switch 3 will then be connected to the distribution switch on the ground floor via an additional fiber trunk. A fiber patch panel has been added to provide access to the 10 Gbit/s fiber backbone.

All 7 servers (2 for Administration and 5 for Curriculum) will also be sited within the MDF. Siting the servers in this room offers good physical security, as only authorised staff are allowed to enter.

 

 

Logical Network Topology

IPV4 Addressing Scheme

The logical network topology is shown in the Appendix (see Logical Network Diagram). Because of the large IPv4 address range provided there is no requirement for VLSM. Each subnet has been given a /24 Classless Inter-Domain Routing (CIDR) prefix. This gives 254 usable addresses per subnet, 253 once the default gateway has been assigned, which is more than sufficient for each network.

Ten subnets from the 192.168.0.0/16 address range have been used (see Router Port Count Table & Colour Code).

IPV6 Addressing scheme

The RIPE Network Coordination Centre (2011) explains that the global routing prefix is the prefix, or network, portion of the address that is assigned by a provider, such as an ISP, to a customer or site. Currently a /48 global routing prefix is assigned to customers.

A Global Unicast Address block has not been provided in the brief, so the example prefix 2001:ACAD:DB8::/48 has been chosen; it must be replaced with the prefix actually allocated to the University before deployment. Each VLAN has been assigned a /64 whose subnet ID corresponds to the VLAN ID (see Router IPV6 Address Table).

Students VLAN

The Students VLAN is VLAN 10 and has been assigned the 192.168.10.0/24 subnet. The student classrooms all reside on the ground floor and there is no requirement for access to any first floor services.

PhD Students VLAN

The PhD Students VLAN is VLAN 15 and has been assigned the 192.168.15.0/24 subnet. The PhD private study rooms all reside on the ground floor and there is no requirement for access to any first floor services.

Meeting Rooms VLAN

These rooms are bookable by students and have been assigned VLAN 12 with the address range 192.168.12.0/24. They have purposely been separated from the student networks to simplify first floor security. By doing this we ensure that no traffic from VLAN 10 (Students) or VLAN 15 (PhD Students) needs to traverse the backbone to the first floor. Because the meeting rooms are a separate network they can be managed completely separately.

Student Services & Records VLAN

As Student Services and Records access the same file server it simplifies the network security to combine both of these departments into one VLAN. VLAN 20 has been used for this with the IP address range of 192.168.20.0/24.

Finance VLAN

The finance users are also part of the Administration department. However, because of the security requirement that only Finance has access to its server, the finance department has been given its own VLAN. This is VLAN 25 with the IP subnet 192.168.25.0/24.

Curriculum VLAN

The Curriculum network Vlan is VLAN 30 with an IP address range of 192.168.30.0/24 .

IT Staff VLAN

Although the IT department is part of the Curriculum department, its staff need management access to all devices and all servers. Cisco (2014) advises that it is good practice to separate user and management traffic. Their VLAN is therefore the management VLAN, VLAN 99, with the IP address range 192.168.99.0/24.

Voice VLAN

As all phones need to communicate with each other they have been placed on their own VLAN, VLAN 40, with the address range 192.168.40.0/24. Many IP phones now have a built-in two-port switch that allows the computer to be plugged into the phone, offering another alternative that would reduce cabling and infrastructure costs. If this option is taken, the switch port must carry both the data VLAN (access) and VLAN 40 (voice), and its port security maximum must be raised from one MAC address to two so that both the phone and the PC are permitted.

Blackhole VLAN

According to Cisco (2014) it is security best practice to assign all unused ports to a VLAN other than VLAN 1 and then shut them down. If an unauthorised user were able to gain access and patch a host to the network, the port would firstly be administratively shut down and secondly be on a VLAN with no routes or default gateway. The black hole VLAN is therefore VLAN 66; all unused ports should be placed into it and administratively shut down.

NativeVLAN

The native VLAN carries all frames on a trunk that have not been tagged with a VLAN ID, and Cisco recommends that the native VLAN be kept separate from all other traffic. The native VLAN has therefore been set to VLAN 88 with the IP address range 192.168.88.0/24. No host or access port is assigned to it, so no user traffic should ever appear untagged on a trunk.

 

Router Connectivity

 

The router's management IP address will be the second address of the management VLAN (VLAN 99), 192.168.99.2/24.

The router interface configuration is shown in the Appendix (see Router Interface Connectivity Table). This ensures that the IT department on the management network can reach all areas of the network. It also provides a path for untagged native traffic.

Interface Gi0/0 is part of the backbone fiber and connects the router to the ground floor distribution switch (switch 5). It will be configured as an 802.1Q trunk with one sub-interface per VLAN, allowing all VLANs to traverse it as shown in the Appendix (see Router Interface Connectivity Table).

 

Router Protocol

The routing protocol choice will depend primarily upon the protocol being used by the routers on the 3 incoming fibers.

If all Cisco equipment is being used and the Enhanced Interior Gateway Routing Protocol (EIGRP) is used by the rest of the University, then EIGRP is the preferred choice and will be configured on the router. According to Cisco (2005) it provides fast convergence, per-interface network summarisation, multipath and unequal-cost multipath load balancing.

Alternative protocols are compared in the Appendix (see Protocols Comparison Table). As can be seen, the Routing Information Protocol (RIP) does not support Variable Length Subnet Masks (VLSM), and for future expansion it is advisable to use a protocol that does. Open Shortest Path First (OSPF) and RIP version 2 (RIPv2) support VLSM; however RIPv2 is generally intended for small networks, and as we do not know the size of the network beyond the 3 incoming fibers it is advisable to install a protocol designed for larger networks. EIGRP transmits updates only when routes change, whereas RIPv2 sends its full table at intervals and so consumes bandwidth. In this situation, with one area and one Cisco router, EIGRP is the easiest to configure; if third-party routers are added to the network OSPF should be considered the better option. Whichever protocol is chosen, routing adjacencies should be formed only on the WAN fiber interfaces and the user VLAN sub-interfaces made passive, so that routing updates are never exposed to hosts.

Access Control Lists

Access Control Lists will be configured inbound on each router sub-interface according to the following rule:

  • Deny IP from all VLANs except the management VLAN to all other VLANs (there is no requirement for any communication between VLANs).

Two caveats apply when writing the lists. IOS ACLs are stateless, so a session opened from the management VLAN to a server produces replies from the server's VLAN that would be caught by the deny rule; each list must therefore permit return traffic to the management subnet (for TCP using the established keyword). Secondly, DHCP clients on every VLAN must still be able to reach the router's DHCP relay, so the client broadcasts (UDP port 68 to port 67) must be permitted ahead of the deny (see DHCP below). IPv4 ACLs do not filter IPv6; if IPv6 is deployed on the sub-interfaces an equivalent IPv6 traffic filter is required.

 

 

DHCP

 

The options for DHCP are either to run it from the Cisco router or to run it from a server. According to Microsoft (2015) the benefits of running DHCP on a server lie mainly in manageability. If DHCP runs in an Active Directory domain it can be integrated with the domain and take advantage of its security policies. It will also benefit from automatic replication to backup servers and automatic DNS updates of hostnames.

It is therefore recommended that DHCP be run from a Windows server, which can either be one of the curriculum servers or, for additional separation, a dedicated DHCP server on its own VLAN. Relaying from every VLAN is handled by the router in either case.

The router will need the ip helper-address command on each sub-interface. This relays the Dynamic Host Configuration Protocol (DHCP) broadcast requests as unicast to the DHCP server.

If the DHCP server is on the curriculum network, the ACL on the curriculum sub-interface must permit the server's replies (UDP port 67, bootps) back to the router's relay addresses, and the ACL on every other sub-interface must permit the clients' initial broadcasts (UDP source port 68, bootpc, to destination port 67, bootps) so that they reach the relay.

On the switches, the port to which the DHCP server is connected and the trunk uplinks that carry relayed replies from the router will be configured as DHCP snooping trusted ports, so that offers are accepted from them. All other ports remain untrusted, which is the DHCP snooping default.
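The following configuration is an added example, not taken from the report, that pulls together the Router Connectivity, Access Control Lists and DHCP sections above: the 802.1Q sub-interfaces on the backbone interface, the inbound ACL for a user VLAN with the management return-traffic and DHCP relay exceptions, and the curriculum VLAN's ACL that lets the DHCP server answer the relay. The interface name Gi0/0, the VLAN numbers and the addressing plan follow the report; the DHCP server address 192.168.30.200 (the first curriculum server), the EIGRP autonomous system number 100 and the WAN interface names are assumptions for illustration. Only VLANs 10, 30, 88 and 99 are shown; the remaining VLANs follow the VLAN 10 pattern. The gateway address .254 is placed on each sub-interface because the switches' default gateway setting requires it.

```cisco
! Added example (not from the report): router-on-a-stick, inter-VLAN ACLs
! and DHCP relay on the 7603. The DHCP server address 192.168.30.200,
! EIGRP AS 100 and the WAN interface names are assumptions.
hostname R1
ipv6 unicast-routing
!
! Router management: SSH only, reachable from the management subnet alone.
ip ssh version 2
ip access-list standard MGMT-ONLY
 permit 192.168.99.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
 login local
!
interface GigabitEthernet0/0
 description 10G fiber backbone to distribution switch 5
 no ip address
 no shutdown
!
! One 802.1Q sub-interface per VLAN. The .254 address is the default gateway
! of each subnet; ip helper-address relays DHCP broadcasts to the server.
interface GigabitEthernet0/0.10
 description Students VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ipv6 address 2001:ACAD:DB8:10::254/64
 ip helper-address 192.168.30.200
 ip access-group VLAN10-IN in
!
interface GigabitEthernet0/0.30
 description Curriculum VLAN 30 (DHCP server lives here, no relay needed)
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ipv6 address 2001:ACAD:DB8:30::254/64
 ip access-group VLAN30-IN in
!
interface GigabitEthernet0/0.88
 description Native VLAN 88 - untagged frames only, no hosts, no IP address
 encapsulation dot1Q 88 native
!
interface GigabitEthernet0/0.99
 description Management VLAN 99 - permitted to reach every VLAN, no ACL
 encapsulation dot1Q 99
 ip address 192.168.99.254 255.255.255.0
 ipv6 address 2001:ACAD:DB8:99::254/64
!
! Inbound ACL for a user VLAN. ACLs are stateless, so replies to sessions
! opened from the management subnet are permitted explicitly; DHCP from
! unconfigured clients (0.0.0.0 -> 255.255.255.255, UDP 68 -> 67) must reach
! the relay; all other traffic into 192.168.0.0/16 is denied and logged.
! The final permit lets traffic leave towards the three WAN fibers.
ip access-list extended VLAN10-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255 established
 permit icmp 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255 echo-reply
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip 192.168.10.0 0.0.0.255 any
!
! The curriculum VLAN additionally has to let the DHCP server answer the
! relay: the server replies to the router's sub-interface address on UDP 67.
ip access-list extended VLAN30-IN
 permit udp any eq bootpc any eq bootps
 permit udp host 192.168.30.200 eq bootps 192.168.0.0 0.0.255.255 eq bootps
 permit tcp 192.168.30.0 0.0.0.255 192.168.99.0 0.0.0.255 established
 permit icmp 192.168.30.0 0.0.0.255 192.168.99.0 0.0.0.255 echo-reply
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip 192.168.30.0 0.0.0.255 any
!
! EIGRP towards the rest of the University: adjacencies only on the WAN
! fiber interfaces; every VLAN sub-interface stays passive so that no
! routing hellos or updates are exposed to hosts.
router eigrp 100
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 no passive-interface TenGigabitEthernet1/2
 no passive-interface TenGigabitEthernet1/3
```

The established keyword only covers TCP; if UDP-based management tools are used from VLAN 99, their replies need their own permit entries in each list. The `log` keyword on the deny makes blocked inter-VLAN attempts visible with `show logging`, and `show ip access-lists` shows hit counts per entry, which is the quickest way to confirm that the DHCP and management exceptions are actually being matched. These IPv4 lists do not filter the IPv6 addresses on the same sub-interfaces; an `ipv6 access-list` applied with `ipv6 traffic-filter` is needed for equivalent IPv6 control.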

 

 

 

Switch Connectivity

 

Each switch's management IP address will be taken from the management VLAN (VLAN 99), in the range 192.168.99.3 to 192.168.99.7 with a /24 mask. The default gateway on each switch will be set to 192.168.99.254.

Distribution Layer

A 24-port 2960-X switch (switch 5) will be configured with 3 SFP fiber ports. These three interfaces make up the backbone of the network. All three will be configured as trunks, and only the VLANs shown in the Switch 5 Connectivity Table will be allowed on each trunk. It should be noted that, as there are no services or servers for use by the students and PhD students on the first floor, their VLANs are not allowed across the trunk to the first floor switches. This pruning provides another layer of security, since frames from those VLANs cannot reach the first floor at all, regardless of the router ACLs.

Access Layer

The switch port Interface allocations are shown in the Appendix (see Switch Port Interface Allocations). A summary of the Switch VLAN allocations is also shown in the Appendix (See  Switch Port VLAN Summary). As specified five ports have been reserved for future Server expansion on switch 3 for the curriculum department.

IP Addressing Table

The IP addressing table can be seen in the Appendix (see IP Addressing Table). The black hole VLAN has no default gateway assigned and therefore cannot route to other networks. Default gateways are address .254 in their respective subnets. Servers start at address .200. Printers are numbered downwards from .253. Client hosts occupy the remaining lower addresses (below .200) of their respective subnets.

An exclusion range should be set up on the DHCP server to exclude addresses .200 to .254 in every subnet, so that the static server, printer and gateway addresses are never leased. This still leaves more than enough host IP addresses.

 

Wireless LAN

 

A wireless LAN could easily be introduced into this network topology by replacing the 2960-X distribution switch 5 with a Cisco 3850 switch. Cisco (2014) describes the 3850 as combining wired and wireless networks into one physical infrastructure. It has a built-in wireless controller, supports up to 40 wireless access points (WAPs) and 2000 wireless clients, and supports the latest wireless standard, 802.11ac. According to Rohde & Schwarz (2014) 802.11ac can provide between 6.5 Mbit/s and 866 Mbit/s.

It is recommended that Cisco Aironet 3600 802.11ac wireless access points be installed on the ground and first floors to provide adequate wireless coverage. Cisco (2014) confirms that these WAPs are particularly suited to crowded areas and can provide a bandwidth of 1 Gbit/s.

Taking security into account, the wireless LAN will be placed on its own VLAN and ACLs written to deny access to the other VLANs, so that a wireless client is treated no differently from an untrusted wired student port.

The latest wireless encryption, WPA2, will be used throughout the wireless network. For a university population WPA2-Enterprise (802.1X with per-user credentials against a RADIUS server) is preferable to a shared passphrase, which cannot be revoked for one user without changing it for everyone.

 

 

Conclusion

 

A workable solution has been described in the preceding sections which caters for all of the key requirements. Security has been given the highest priority and the security features of the Cisco equipment discussed above (port security, DHCP snooping, VLAN separation with a management and black hole VLAN, DTP disabled, SSH-only management and router ACLs) have all been utilised. An optional wireless controller and access points can easily be added to this solution.

The equipment necessary for the installation is listed in the Appendix (see Equipment List).

The 2960-X and 3850 switches have been fitted with 10 Gbit/s small form-factor pluggable (SFP+) interfaces. On the 7603 router these provide the interfaces to the 3 WAN fibers coming into the building; the fourth forms part of the 10 Gbit/s backbone to the distribution switch. The 10 Gbit/s SFP+ interfaces on the 2960-X switches complete the 10 Gbit/s fiber backbone between the ground floor and the first floor.

All of the Cisco switches and the router are IPv6 capable.


Appendix

Physical Network Diagram

Ground Floor

network diagram 1

 

First Floor

network diagram 2

 

Rack Assignments

 

rack

 

 

Equipment List

 

Number  Description             Model          Additional Modules
1       Cisco Router            7603           4 x SFP interfaces
5       Cisco Switch            2960-X         2 x SFP interfaces
1       Cisco Switch            3850           2 x SFP interfaces
2       Wireless Access Points  Aironet 3600
7       Hewlett Packard Servers
2       Fiber Patch Panel
4       48 Port Patch Panel

 

 

Logical Network Diagram

logical network diagram

Router Port Count Table & Colour Code

 

All sub-interfaces use IEEE 802.1Q encapsulation.

Network           Sub-Interface  VLAN ID  IP Address    Subnet Mask    Ground Floor  First Floor  Future Use  Total Ports
Students          .10            VLAN 10  192.168.10.0  255.255.255.0  75            -            -           75
Meeting Room      .12            VLAN 12  192.168.12.0  255.255.255.0  -             8            -           8
PHD Students      .15            VLAN 15  192.168.15.0  255.255.255.0  12            -            -           12
Services/Records  .20            VLAN 20  192.168.20.0  255.255.255.0  -             16           -           16
Finance           .25            VLAN 25  192.168.25.0  255.255.255.0  -             8            -           8
Curriculum        .30            VLAN 30  192.168.30.0  255.255.255.0  -             19           5           24
IP Phones         .40            VLAN 40  192.168.40.0  255.255.255.0  4             29           -           33
Blackhole         .66            VLAN 66  192.168.66.0  255.255.255.0  5             12           -           17
Native            .88            VLAN 88  192.168.88.0  255.255.255.0  -             -            -           -
Management        .99            VLAN 99  192.168.99.0  255.255.255.0  -             4            -           4
Totals per Floor                                                       96            96

 

 

 

Router IPV6 Address table

 

Network Prefix 2001:ACAD:DB8::/48

 

Network Sub-Interface Encapsulation VLAN ID IPV6 Address SubNet Mask
Students .10 IEEE 802.1q VLAN 10 2001:ACAD:DB8:10:: /64
Meeting Room .12 VLAN 12 2001:ACAD:DB8:12:: /64
PHD Students .15 VLAN 15 2001:ACAD:DB8:15:: /64
Services/Records .20 VLAN 20 2001:ACAD:DB8:20:: /64
Finance .25 VLAN 25 2001:ACAD:DB8:25:: /64
Curriculum .30 VLAN 30 2001:ACAD:DB8:30:: /64
IP Phones .40 VLAN 40 2001:ACAD:DB8:40:: /64
Blackhole .66 VLAN 66 2001:ACAD:DB8:66:: /64
Native .88 VLAN 88 2001:ACAD:DB8:88:: /64
Management .99 VLAN 99 2001:ACAD:DB8:99:: /64

 

 

Router Interface Connectivity Table

 

All sub-interfaces are on router interface Gi0/0 (802.1Q trunk to switch 5) and use IEEE 802.1Q encapsulation.

Sub-Interface  Network           VLAN ID  IP Address    Subnet Mask
Gi0/0.10       Students          VLAN 10  192.168.10.0  255.255.255.0
Gi0/0.12       Meeting Rooms     VLAN 12  192.168.12.0  255.255.255.0
Gi0/0.15       PHD Students      VLAN 15  192.168.15.0  255.255.255.0
Gi0/0.20       Services/Records  VLAN 20  192.168.20.0  255.255.255.0
Gi0/0.25       Finance           VLAN 25  192.168.25.0  255.255.255.0
Gi0/0.30       Curriculum        VLAN 30  192.168.30.0  255.255.255.0
Gi0/0.40       IP Phones         VLAN 40  192.168.40.0  255.255.255.0
Gi0/0.88       Native            VLAN 88  192.168.88.0  255.255.255.0
Gi0/0.99       Management        VLAN 99  192.168.99.0  255.255.255.0

 

 

Switch 5 Connectivity Table (Distribution Layer Switch)

 

All three interfaces are IEEE 802.1Q trunks; only the VLANs listed are allowed on each trunk.

Gi0/0 (trunk; allowed VLANs 10, 15, 40, 88, 99)

Network           Sub-Interface  VLAN ID  IP Address    Subnet Mask
Students          .10            VLAN 10  192.168.10.0  255.255.255.0
PHD Students      .15            VLAN 15  192.168.15.0  255.255.255.0
IP Phones         .40            VLAN 40  192.168.40.0  255.255.255.0
Native            .88            VLAN 88  192.168.88.0  255.255.255.0
Management        .99            VLAN 99  192.168.99.0  255.255.255.0

Gi0/1 (trunk; allowed VLANs 12, 20, 25, 30, 40, 88, 99)

Network           Sub-Interface  VLAN ID  IP Address    Subnet Mask
Meeting Room      .12            VLAN 12  192.168.12.0  255.255.255.0
Services/Records  .20            VLAN 20  192.168.20.0  255.255.255.0
Finance           .25            VLAN 25  192.168.25.0  255.255.255.0
Curriculum        .30            VLAN 30  192.168.30.0  255.255.255.0
IP Phones         .40            VLAN 40  192.168.40.0  255.255.255.0
Native            .88            VLAN 88  192.168.88.0  255.255.255.0
Management        .99            VLAN 99  192.168.99.0  255.255.255.0

Gi0/2 (trunk; all VLANs allowed)

Network           Sub-Interface  VLAN ID  IP Address    Subnet Mask
Students          .10            VLAN 10  192.168.10.0  255.255.255.0
Meeting Rooms     .12            VLAN 12  192.168.12.0  255.255.255.0
PHD Students      .15            VLAN 15  192.168.15.0  255.255.255.0
Services/Records  .20            VLAN 20  192.168.20.0  255.255.255.0
Finance           .25            VLAN 25  192.168.25.0  255.255.255.0
Curriculum        .30            VLAN 30  192.168.30.0  255.255.255.0
IP Phones         .40            VLAN 40  192.168.40.0  255.255.255.0
Native            .88            VLAN 88  192.168.88.0  255.255.255.0
Management        .99            VLAN 99  192.168.99.0  255.255.255.0

 

Switch Port Access Layer Interface Allocations

Ground Floor

Switch 1

Port security on all access ports: MAC address sticky, violation shutdown, DHCP snooping (untrusted).

Interface  Switchport Mode  VLAN ID  Connected Device             Interface  Switchport Mode  VLAN ID  Connected Device
Gi0/0      Trunk            N/A      3850 switch (switch 5) in IDF
Gi0/1      Trunk            N/A      Switch 2 in IDF
G0/1 Access VLAN 10 Host G0/25 Access VLAN 10 Host
G0/2 Access VLAN 10 Host G0/26 Access VLAN 10 Host
G0/3 Access VLAN 10 Host G0/27 Access VLAN 10 Host
G0/4 Access VLAN 10 Host G0/28 Access VLAN 10 Host
G0/5 Access VLAN 10 Host G0/29 Access VLAN 10 Host
G0/6 Access VLAN 10 Host G0/30 Access VLAN 10 Host
G0/7 Access VLAN 10 Host G0/31 Access VLAN 10 Host
G0/8 Access VLAN 10 Host G0/32 Access VLAN 10 Host
G0/9 Access VLAN 10 Host G0/33 Access VLAN 10 Host
G0/10 Access VLAN 10 Host G0/34 Access VLAN 10 Host
G0/11 Access VLAN 10 Host G0/35 Access VLAN 10 Host
G0/12 Access VLAN 10 Host G0/36 Access VLAN 10 Host
G0/13 Access VLAN 10 Host G0/37 Access VLAN 10 Host
G0/14 Access VLAN 10 Host G0/38 Access VLAN 10 Host
G0/15 Access VLAN 10 Host G0/39 Access VLAN 10 Host
G0/16 Access VLAN 10 Host G0/40 Access VLAN 10 Host
G0/17 Access VLAN 10 Host G0/41 Access VLAN 10 Host
G0/18 Access VLAN 10 Host G0/42 Access VLAN 10 Host
G0/19 Access VLAN 10 Host G0/43 Access VLAN 10 Host
G0/20 Access VLAN 10 Host G0/44 Access VLAN 10 Host
G0/21 Access VLAN 10 Host G0/45 Access VLAN 10 Host
G0/22 Access VLAN 10 Host G0/46 Access VLAN 10 Host
G0/23 Access VLAN 10 Host G0/47 Access VLAN 10 Host
G0/24 Access VLAN 10 Host G0/48 Access VLAN 10 Host

 

 

Ground Floor

Switch 2

Port security on all access ports: MAC address sticky, violation shutdown, DHCP snooping (untrusted).

Interface  Switchport Mode  VLAN ID  Connected Device   Interface  Switchport Mode  VLAN ID  Connected Device
Gi0/0      Trunk            N/A      Switch 1 in IDF
Gi0/1      Access           VLAN 66  Spare
G0/1 Access VLAN 10 Host G0/25 Access VLAN 10 Student Printer
G0/2 Access VLAN 10 Host G0/26 Access VLAN 10 Student Printer
G0/3 Access VLAN 10 Host G0/27 Access VLAN 10 Student Printer
G0/4 Access VLAN 10 Host G0/28 Access VLAN 66 Blackhole Spare
G0/5 Access VLAN 10 Host G0/29 Access VLAN 66 Spare
G0/6 Access VLAN 10 Host G0/30 Access VLAN 66 Spare
G0/7 Access VLAN 10 Host G0/31 Access VLAN 66 Spare
G0/8 Access VLAN 10 Host G0/32 Access VLAN 66 Spare
G0/9 Access VLAN 10 Host G0/33 Access VLAN 15 Host
G0/10 Access VLAN 10 Host G0/34 Access VLAN 15 Host
G0/11 Access VLAN 10 Host G0/35 Access VLAN 15 Host
G0/12 Access VLAN 10 Host G0/36 Access VLAN 15 Host
G0/13 Access VLAN 10 Host G0/37 Access VLAN 15 Host
G0/14 Access VLAN 10 Host G0/38 Access VLAN 15 Host
G0/15 Access VLAN 10 Host G0/39 Access VLAN 15 Host
G0/16 Access VLAN 10 Host G0/40 Access VLAN 15 Host
G0/17 Access VLAN 10 Host G0/41 Access VLAN 15 Host
G0/18 Access VLAN 10 Host G0/42 Access VLAN 15 PHD Printer
G0/19 Access VLAN 10 Host G0/43 Access VLAN 15 PHD Printer
G0/20 Access VLAN 10 Host G0/44 Access VLAN 15 PHD Printer
G0/21 Access VLAN 10 Host G0/45 Access VLAN 40 VOIP
G0/22 Access VLAN 10 Host G0/46 Access VLAN 40 VOIP
G0/23 Access VLAN 10 Host G0/47 Access VLAN 40 VOIP
G0/24 Access VLAN 10 Host G0/48 Access VLAN 40 VOIP

 

 

 

First Floor

Switch 3

Port security on all access ports: MAC address sticky, violation shutdown, DHCP snooping (untrusted).

Interface  Switchport Mode  VLAN ID  Connected Device             Interface  Switchport Mode  VLAN ID  Connected Device
Gi0/0      Trunk            N/A      3850 switch (switch 5) in IDF
Gi0/1      Trunk            N/A      Switch 4 in MDF
G0/1 Access VLAN 20 Host G0/25 Access VLAN 30 Host
G0/2 Access VLAN 20 Host G0/26 Access VLAN 30 Host
G0/3 Access VLAN 20 Host G0/27 Access VLAN 30 Host
G0/4 Access VLAN 20 Host G0/28 Access VLAN 30 Host
G0/5 Access VLAN 20 Host G0/29 Access VLAN 30 Host
G0/6 Access VLAN 20 Host G0/30 Access VLAN 30 Host
G0/7 Access VLAN 20 Host G0/31 Access VLAN 30 Host
G0/8 Access VLAN 20 Host G0/32 Access VLAN 30 Curriculum Printer
G0/9 Access VLAN 20 Host G0/33 Access VLAN 30 Curriculum Printer
G0/10 Access VLAN 20 Host G0/34 Access VLAN 30 Curriculum Printer
G0/11 Access VLAN 20 Host G0/35 Access VLAN 30 Curriculum Printer
G0/12 Access VLAN 20 Host G0/36 Access VLAN 30 Curriculum Printer
G0/13 Access VLAN 20 Host G0/37 Access VLAN 30 Curriculum Printer
G0/14 Access VLAN 20 S/Services Printer G0/38 Access VLAN 30 Curriculum Printer
G0/15 Access VLAN 20 S/Services Printer G0/39 Access VLAN 30 Curriculum Server
G0/16 Access VLAN 20 S/Services Server G0/40 Access VLAN 30 Curriculum Server
G0/17 Access VLAN 12 Host G0/41 Access VLAN 30 Curriculum Server
G0/18 Access VLAN 12 Host G0/42 Access VLAN 30 Curriculum Server
G0/19 Access VLAN 12 Host G0/43 Access VLAN 30 Curriculum Server
G0/20 Access VLAN 12 Host G0/44 Access VLAN 66 Reserved
Interface Switchport Mode VLAN ID Connected Device Interface Switchport Mode VLAN ID Connected Device
G0/21 Access VLAN 12 Meeting  Rm Printer G0/45 Access VLAN 66 Reserved
G0/22 Access VLAN 12 Meeting  Rm Printer G0/46 Access VLAN 66 Reserved
G0/23 Access VLAN 12 Meeting  Rm Printer G0/47 Access VLAN 66 Reserved
G0/24 Access VLAN 12 Meeting  Rm Printer G0/48 Access VLAN 66 Reserved

 

 

Switch 4 (First Floor)

Port Security (all ports): MAC Address Sticky; Port Violation Shutdown; DHCP Snooping

Interface  Switchport Mode  VLAN ID  Connected Device    | Interface  Switchport Mode  VLAN ID  Connected Device
Gi0/0      Trunk            N/A      Switch 3 in MDF     |
Gi0/1      Access           VLAN 66  Spare               |
G0/1       Access           VLAN 40  VOIP                | G0/25      Access           VLAN 40  VOIP
G0/2       Access           VLAN 40  VOIP                | G0/26      Access           VLAN 40  VOIP
G0/3       Access           VLAN 40  VOIP                | G0/27      Access           VLAN 40  VOIP
G0/4       Access           VLAN 40  VOIP                | G0/28      Access           VLAN 40  VOIP
G0/5       Access           VLAN 40  VOIP                | G0/29      Access           VLAN 40  VOIP
G0/6       Access           VLAN 40  VOIP                | G0/30      Access           VLAN 99  Host
G0/7       Access           VLAN 40  VOIP                | G0/31      Access           VLAN 99  Host
G0/8       Access           VLAN 40  VOIP                | G0/32      Access           VLAN 99  IT Printer
G0/9       Access           VLAN 40  VOIP                | G0/33      Access           VLAN 99  IT Printer
G0/10      Access           VLAN 40  VOIP                | G0/34      Access           VLAN 25  Host
G0/11      Access           VLAN 40  VOIP                | G0/35      Access           VLAN 25  Host
G0/12      Access           VLAN 40  VOIP                | G0/36      Access           VLAN 25  Host
G0/13      Access           VLAN 40  VOIP                | G0/37      Access           VLAN 25  Host
G0/14      Access           VLAN 40  VOIP                | G0/38      Access           VLAN 25  Host
G0/15      Access           VLAN 40  VOIP                | G0/39      Access           VLAN 25  Host
G0/16      Access           VLAN 40  VOIP                | G0/40      Access           VLAN 25  Finance Printer
G0/17      Access           VLAN 40  VOIP                | G0/41      Access           VLAN 25  Finance Server
G0/18      Access           VLAN 40  VOIP                | G0/42      Access           VLAN 66  Blackhole N/A
G0/19      Access           VLAN 40  VOIP                | G0/43      Access           VLAN 66  N/A
G0/20      Access           VLAN 40  VOIP                | G0/44      Access           VLAN 66  N/A
G0/21      Access           VLAN 40  VOIP                | G0/45      Access           VLAN 66  N/A
G0/22      Access           VLAN 40  VOIP                | G0/46      Access           VLAN 66  N/A
G0/23      Access           VLAN 40  VOIP                | G0/47      Access           VLAN 66  N/A
G0/24      Access           VLAN 40  VOIP                | G0/48      Access           VLAN 66  N/A

Switch Port VLAN Summary

GROUND FLOOR

Switch 1, 48 port 2960-X
  Ports 1–24:  VLAN 10 – 24 ports
  Ports 25–48: VLAN 10 – 24 ports
  NOTE: Switch 1 Gi0/0 to Router 1 interface Gi0/0 – Fiber

Switch 2, 48 port 2960-X
  Ports 1–24:  VLAN 10 – 24 ports
  Ports 25–48: VLAN 10 – 3 ports; 5 spare ports; VLAN 15 – 12 ports; VLAN 40 – 4 ports

FIRST FLOOR

Switch 3, 48 port 2960-X
  Ports 1–24:  VLAN 20 – 16 ports; VLAN 12 – 8 ports
  Ports 25–48: VLAN 30 – 19 ports; VLAN 30 – 5 ports future expansion
  Note: Switch 3 Gi0/0 to Router 1 interface Gi0/1 – Fiber

Switch 4, 48 port 2960-X
  Ports 1–24:  VLAN 40 – 24 ports
  Ports 25–48: VLAN 40 – 5 ports; VLAN 99 – 4 ports; VLAN 25 – 8 ports; 7 spare ports

IP Addressing Table

Network                  VLAN ID  IP Address      Subnet Mask    Description
Students                 VLAN 10  192.168.10.0    255.255.255.0  Network
Students                 VLAN 10  192.168.10.1    255.255.255.0  First host address
Students                 VLAN 10  192.168.10.254  255.255.255.0  Router
Students                 VLAN 10  192.168.10.255  255.255.255.0  Broadcast
Meeting Room             VLAN 12  192.168.12.0    255.255.255.0  Network
Meeting Room             VLAN 12  192.168.12.0    255.255.255.0  First Host Address
Meeting Room 1           VLAN 12  192.168.12.250  255.255.255.0  Printer
Meeting Room 2           VLAN 12  192.168.12.251  255.255.255.0  Printer
Meeting Room 3           VLAN 12  192.168.12.252  255.255.255.0  Printer
Meeting Room 4           VLAN 12  192.168.12.253  255.255.255.0  Printer
Meeting Room             VLAN 12  192.168.12.254  255.255.255.0  Router
Meeting Room             VLAN 12  192.168.12.255  255.255.255.0  Broadcast
PHD Students             VLAN 15  192.168.15.0    255.255.255.0  Network
PHD Students             VLAN 15  192.168.15.1    255.255.255.0  First host address
PHD Students 1           VLAN 15  192.168.15.251  255.255.255.0  Printer
PHD Students 2           VLAN 15  192.168.15.252  255.255.255.0  Printer
PHD Students 3           VLAN 15  192.168.15.253  255.255.255.0  Printer
PHD Students             VLAN 15  192.168.15.254  255.255.255.0  Router
PHD Students             VLAN 15  192.168.15.255  255.255.255.0  Broadcast
Services/Records         VLAN 20  192.168.20.0    255.255.255.0  Network
Services/Records         VLAN 20  192.168.20.1    255.255.255.0  First host address
Services/Records         VLAN 20  192.168.20.200  255.255.255.0  Server
Records                  VLAN 20  192.168.20.253  255.255.255.0  Printer
Services                 VLAN 20  192.168.20.254  255.255.255.0  Printer
Services/Records         VLAN 20  192.168.20.254  255.255.255.0  Router
Services/Records         VLAN 20  192.168.20.255  255.255.255.0  Broadcast
Finance                  VLAN 25  192.168.25.0    255.255.255.0  Network
Finance                  VLAN 25  192.168.25.1    255.255.255.0  First host address
Finance                  VLAN 25  192.168.25.200  255.255.255.0  Server
Finance                  VLAN 25  192.168.25.253  255.255.255.0  Printer
Finance                  VLAN 25  192.168.25.254  255.255.255.0  Router
Finance                  VLAN 25  192.168.25.255  255.255.255.0  Broadcast
Curriculum               VLAN 30  192.168.30.0    255.255.255.0  Network
Curriculum               VLAN 30  192.168.30.1    255.255.255.0  First host address
Curriculum               VLAN 30  192.168.30.200  255.255.255.0  Server
Curriculum               VLAN 30  192.168.30.201  255.255.255.0  Server
Curriculum               VLAN 30  192.168.30.202  255.255.255.0  Server
Curriculum               VLAN 30  192.168.30.203  255.255.255.0  Server
Curriculum               VLAN 30  192.168.30.204  255.255.255.0  Server
Curriculum               VLAN 30  192.168.30.247  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.248  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.249  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.250  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.251  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.252  255.255.255.0  Printer
Curriculum Manager       VLAN 30  192.168.30.253  255.255.255.0  Printer
Curriculum               VLAN 30  192.168.30.254  255.255.255.0  Router
Curriculum               VLAN 30  192.168.30.255  255.255.255.0  Broadcast
IP Phones                VLAN 40  192.168.40.0    255.255.255.0  Network
IP Phones                VLAN 40  192.168.40.1    255.255.255.0  First host address
IP Phones                VLAN 40  192.168.40.254  255.255.255.0  Router
IP Phones                VLAN 40  192.168.40.255  255.255.255.0  Broadcast
Blackhole                VLAN 66  192.168.66.0    255.255.255.0  Network
Blackhole                VLAN 66  192.168.66.1    255.255.255.0  First host address
Blackhole                VLAN 66  None Assigned   255.255.255.0  Router
Blackhole                VLAN 66  192.168.66.255  255.255.255.0  Broadcast
Native                   VLAN 88  192.168.88.0    255.255.255.0  Network
Native                   VLAN 88  192.168.88.1    255.255.255.0  First host address
Native                   VLAN 88  192.168.88.249  255.255.255.0  Switch 1
Native                   VLAN 88  192.168.88.250  255.255.255.0  Switch 2
Native                   VLAN 88  192.168.88.251  255.255.255.0  Switch 3
Native                   VLAN 88  192.168.88.252  255.255.255.0  Switch 4
Native                   VLAN 88  192.168.88.253  255.255.255.0  Switch 5
Native                   VLAN 88  192.168.88.254  255.255.255.0  Router
Native                   VLAN 88  192.168.88.255  255.255.255.0  Broadcast
IT Services              VLAN 99  192.168.99.0    255.255.255.0  Network
IT Services              VLAN 99  192.168.99.1    255.255.255.0  First host address
IT Services Technician   VLAN 99  192.168.99.252  255.255.255.0  Printer
IT Services Manager      VLAN 99  192.168.99.253  255.255.255.0  Printer
IT Services              VLAN 99  192.168.99.254  255.255.255.0  Router
IT Services              VLAN 99  192.168.99.255  255.255.255.0  Broadcast
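As an added check that is not part of the report, the Python below validates an addressing table of the shape used above. It reads rows copied from the IP Addressing Table (a subset covering VLANs 10, 12 and 20) and reports an address claimed by two rows in the same VLAN, a host row that uses the network or broadcast address, a row whose address or mask does not fit the VLAN's Network row, and a non-address entry such as the Blackhole VLAN's "None Assigned" router.

```python
"""Consistency checks for a per-VLAN IPv4 addressing plan (added example)."""
import ipaddress
from collections import defaultdict

# Rows copied from the IP Addressing Table (a subset): (network, VLAN, address, mask, description).
ROWS = [
    ("Students", 10, "192.168.10.0", "255.255.255.0", "Network"),
    ("Students", 10, "192.168.10.1", "255.255.255.0", "First host address"),
    ("Students", 10, "192.168.10.254", "255.255.255.0", "Router"),
    ("Meeting Room", 12, "192.168.12.0", "255.255.255.0", "Network"),
    ("Meeting Room", 12, "192.168.12.0", "255.255.255.0", "First Host Address"),
    ("Meeting Room", 12, "192.168.12.254", "255.255.255.0", "Router"),
    ("Services/Records", 20, "192.168.20.0", "255.255.255.0", "Network"),
    ("Services", 20, "192.168.20.254", "255.255.255.0", "Printer"),
    ("Services/Records", 20, "192.168.20.254", "255.255.255.0", "Router"),
]

def check_plan(rows):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    by_vlan = defaultdict(list)
    for row in rows:
        by_vlan[row[1]].append(row)
    for vlan, entries in sorted(by_vlan.items()):
        # The Network row defines the subnet that every other row in the VLAN must fit.
        nets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
                for _, _, a, m, d in entries if d == "Network"]
        if len(nets) != 1:
            problems.append(f"VLAN {vlan}: expected one Network row, found {len(nets)}")
            continue
        net = nets[0]
        owner = {}  # address -> description of the row that first claimed it
        for _, _, addr, mask, desc in entries:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"VLAN {vlan}: '{addr}' ({desc}) is not an IPv4 address")
                continue
            if ipaddress.ip_network(f"{ip}/{mask}", strict=False) != net:
                problems.append(f"VLAN {vlan}: {addr}/{mask} ({desc}) does not fit {net}")
            if desc in ("Network", "Broadcast"):
                continue  # structural rows are allowed to use .0 and .255
            if ip in (net.network_address, net.broadcast_address):
                problems.append(f"VLAN {vlan}: {addr} ({desc}) is not a usable host address")
            if ip in owner:
                problems.append(f"VLAN {vlan}: {addr} assigned to both {owner[ip]} and {desc}")
            owner.setdefault(ip, desc)
    return problems

if __name__ == "__main__":
    print("\n".join(check_plan(ROWS)) or "addressing plan is consistent")
```

Feeding it the full table instead of the embedded subset checks the whole plan in one pass.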

Protocols Comparison Table

                               RIP                  RIPv2                EIGRP                                OSPF
Cisco Proprietary              no                   no                   yes                                  no
Classful or Classless protocol classful             classless            classless                            classless
VLSM Support                   no                   yes                  yes                                  yes
Discontiguous network          no                   yes                  yes                                  yes
Auto Summarisation             yes                  yes                  yes                                  no
Protocol Type                  Distance Vector      Distance Vector      Hybrid                               Link State
Administrative Distance        120                  120                  90 (170 External)                    110
Path Metric                    Hop count            Hop count            Bandwidth, delay, reliability, load  Bandwidth
Hierarchical Network           no (flat only)       no (flat only)       yes (using areas)                    yes (using areas)
Maintained Tables              routing table        routing table        routing, neighbour, topology         routing, neighbour, topology
Hop Count Limit                15                   15                   255                                  no limit
Best-path selection algorithm  Bellman-Ford         Bellman-Ford         Diffusing Update Algorithm (DUAL)    Dijkstra's
Peer Authentication            no                   yes                  yes                                  yes
Sending Updates                broadcast            multicast 224.0.0.9  multicast 224.0.0.10                 multicast 224.0.0.5 and 224.0.0.6
Sends Periodic Updates         yes (every 30 secs)  yes (every 30 secs)  no                                   no
Full or partial updates        full                 full                 partial                              partial

Configuration example
  RIP:
    router rip
    network 10.0.0.0
    passive-interface serial 0/1
  RIPv2:
    router rip
    version 2
    network 10.1.1.0
    network 10.1.1.2.0
    passive-interface serial 0/1
  EIGRP:
    router eigrp 10
    network 10.0.0.0
    network 192.168.0.0
    passive-interface serial 0/1
    no auto-summary
  OSPF:
    router ospf 15
    network 10.0.0.0 0.0.0.255 area 0

Troubleshooting
  RIP and RIPv2:
    show ip route
    show ip protocols
    debug ip rip
  EIGRP:
    show ip route
    show ip eigrp neighbors
    show ip eigrp topology
  OSPF:
    show ip route
    show ip protocols
    show ip ospf database
    show ip ospf neighbor
    show ip ospf interface

References

Cisco Networking Academy (2014) Routing and Switching Essentials Companion Guide. 1st edn. Indianapolis: Cisco Press.

Cisco (2014) Cisco Catalyst 3850 Series Switches. Available at: http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/index.html (Accessed: 11th April 2015).

Cisco (2005) Introduction to EIGRP. Available at: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13669-1.html (Accessed: 7th April 2015).

Cisco (2013) Cisco 7603 Chassis. Available at: http://www.cisco.com/c/en/us/products/collateral/routers/7603-router/product_data_sheet09186a0080088771.html (Accessed: 17th April 2015).

Cisco (2013) Configuring DHCP Snooping. Available at: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html#wp1299767 (Accessed: 3rd April 2015).

Cisco (2014) Benefits of Migrating to Cisco Catalyst 2960-X. Available at: http://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-2960-x-series-switches/feature-comparison-c83-731053.pdf (Accessed: 7th November 2014).

Cisco (2014) Cisco Aironet 3600 Series Access Point Data Sheet. Available at: http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/data_sheet_c78-686782.html (Accessed: 10th April 2015).

Cisco (2014) Cisco Catalyst 2960 Series Switches. Available at: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/prod_qas0900aecd80322c37.html (Accessed: 28th November 2014).

Cisco (2014) Design Best Practices for VLANs (3.3.2). Available at: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=11 (Accessed: 6th April 2015).

Cisco (2014) Subnetting an IPv4 Network. Available at: http://static-course-assets.s3.amazonaws.com/IntroNet50ENU/module9/index.html#9.0.1.1 (Accessed: 31st March 2015).

Cisco (2014) VLAN Security and Design. Available at: http://static-course-assets.s3.amazonaws.com/RSE50ENU/module3/index.html#3.3.2.1 (Accessed: 3rd April 2015).

Global Knowledge Training (2013) Designing IP Addresses. Available at: http://www.globalknowledge.co.uk/content/files/documents/640774/640799/designing-ip-addresses-for-large-networks (Accessed: 31st March 2015).

Microsoft (2015) What Is DHCP? Available at: https://technet.microsoft.com/en-us/library/dd145320%28v=ws.10%29.aspx (Accessed: 12th April 2015).

Murphy, D. (2009) Upgrade to Gigabit Networking for Better Performance. Available at: http://www.pcworld.com/article/173129/upgrade_to_gigabit_networking.html (Accessed: 5th October 2014).

RIPE Coordination Centre (2011) Understanding IP Addressing and CIDR Charts. Available at: https://www.ripe.net/about-us/press-centre/understanding-ip-addressing (Accessed: 13th April 2015).

Rohde & Schwarz (2014) 802.11ac Technology (1MA192). Available at: http://www.rohde-schwarz-usa.com/rs/rohdeschwarz/images/1MA192_7e_80211ac_technology.pdf (Accessed: 10th April 2015).

Wilkins, S. and Smith, F.H. (2011) CCNP Security Secure 642-637 Official Cert Guide. 1st edn. Indianapolis: Cisco Press. Available at: http://www.ciscopress.com/articles/article.asp?p=1722561 (Accessed: 8th April 2015).
