ACME Network Design

ACME NETWORK DESIGN 1 Running head: ACME NETWORK DESIGN

Acme Network Design Bryan Callahan, David "Toby" Meyers & Ellis Thomas  NTC/242 - Intro to WAN Technologies Amr Elchouemi University of Phoenix February 26, 2011

Acme Network Design

Acme Manufacturing requested a comprehensive plan for implementing VLAN technology and wireless connectivity to there multiple company locations in an effort to improve network performance for its executive office suite and the various company departments. The  proposal will cover recommendations for the overall network design to address their expanding operations with the acquisition of a plant in China as well as several other offices throughout the United States. The report will also cover network topology, the hardware and software needed to complete the project while segmenting the network for network efficiency and enacting security  policies and procedures to ensure data integrity The Virtual Local Area Network (VLAN) will connect six different geographical locations: New York, Chicago, Atlanta, Phoenix and China. For four different purposes: Management, Sales, Creation and Manufacturing. With weekly telecommutes with representatives from each office. Provide lifecycle recommendations for the management of the WAN. Scope The following network design for Acme Manufacturing includes the recommended technologies to provide data, voice and video connectivity between remote offices. The scope of  the design includes recommended WAN technologies, network services, network components, logical topology, security and finally lifecycle recommendations. Requirements The Acme Manufacturing WAN requires connectivity to six different offices located in five different cities around the world. The WAN must support basic data traffic between

locations including database queries, e-mail and file sharing. Telecommunication services recommendations such as voice and video must be included within the network design. The network design must support an estimated 1000 network users between all offices and be flexible for future growth in network n etwork users and locations. As of today, the approximate number of users by location is as follows: Atlanta, Georgia Headq uarters: 300 network users, Atlanta, Georgia Engineering: 300 network users, Distribution Distribution Facilities: Facilities: 300 network users combined, China: 100 network users combined.  Network Overview The logical arrangement is to create a VLAN segmented according to the different departments. Each segment can have its own group permissions and privileges. Multilayer  switches, client devices, servers and wireless routers will drive the recommended network  design. Routers placed on the backbones, between floors and between LAN and frame relay network provider. Recommended also is application and storage servers for each department, one e-mail and one VIP server for each location. The physical media that connects the locations to the public switched network for  domestic operations is a leased fiber optic line and for China a satellite connection. Components for the network system require switches, servers, client systems and wireless routers. Components required for video conferencing: Videoconferencing Codec Unit, Camera, Microphones, Video Displays and Conference Room Lighting of diffused directional lighting and integrated into the construction of the building. VPN connects wireless users to their departments’ network privileges and resources. Firewalls between servers and the rest of network, firewalls and antivirus on each computer,

firewall of course between VLAN segments and the public switched network. Devices accessing the WLAN will be connected and an d granted access to their respective department’s dep artment’s VLAN. The recommended IP address scheme eases network management and increases network  security since the IP addresses on the network are g rouped by device type, department, and  building. In addition, configurations for firewalls, global rules for access predicate u pon department. For example, firewall IP filtering rules using wildcards to allow or restrict entire  buildings. WAN Technology The recommended Wide Area Network (WAN) design will primarily rely on a public switched network to provide connectivity between all remote branch offices. The benefit to using u sing a service provider for WAN connectivity is that it allows scalability to add locations, adjust  bandwidth, and eliminates the high cost co st of purchasing and maintaining private lines, (AT&T, 2011). Refer to figure one for a visual overview of the WAN topology. Fiber Optic T3 leased circuits provided by local ex change carriers will provide last mile connectivity from all domestic locations to the public switched network provider’s (PSN) point of presence (POP). T3 leased circuits are scalable from 12 to 45 Mbps allowing plenty of room for future technology demands on the WAN. The public switched network provider will provide office connectivity using multiprotocol label switching (MPLS). MPLS provides network subscribers advanced value added services including Layer 2 and 3 VPNs, QoS over existing infrastructures such as IP, Frame Relay, and Ethernet, (Cisco, 2011) We will use a Satellite technology to link China to the United States public switched network and our domestic VLAN.

The Atlanta, Georgia offices will have an additional connection between each other  using two Cisco Aironet 1550 outdoor wireless access p oints used in bridge mode to make a 54Mbps wireless point-to-point connection. The Cisco Aironet uses the latest 802.11n standards with additional quality of service and VLAN features. The wireless building-to-building connection will establish a single virtual LAN between the Atlanta based headquarters and engineering offices. The benefits to this additional link include eliminating the cost of one leased line to the PSNs POP. In addition, the two offices will be ab le to share resources such as email

and storage servers.

Figure one Acme WAN Topology  Network Services Videoconferencing systems shall provide for conferencing and joint meetings of  geographically diverse issues. Acme requests wireless connectivity for an indeterminate amount of clients for  connectivity to onsite LANs and connection to corporate VLAN. Once connectivity established  between test device, routers and internal wired network, routers programmed with MAC filtering with MAC addresses disclosed by the department. WEP programmed with randomly generated keys of maximum length and shared with the managed devices. When they connect for the first

time to the network and as devices approved and MAC addresses are given and randomly generated keys for WEP protocol. I.P. Address Scheme Our IP Address Scheme Calls for a Class A Private network where each department in each building will have their own subnet based on the following: the second octet predicated on  physical location, and the third octet identifies the department.

Location

Lo c ID

Department

Atlanta, Georgia (HQ)

10

Corporate Operations Marketing

Atlanta, Georgia (Eng)

Chicago

Phoenix

New York

China

20

30

40

50

60

VLA  Network   N Address ID 1 10.10.1.0/24 2

10.10.2.0/24

Administration

3

10.10.3.0/24

Accounting

4

10.10.4.0/24

Sales

5

10.20.5.0/24

Engineering

6

10.20.6.0/24

Sales

5

10.30.5.0/24

Administration

3

10.30.3.0/24

Sales

5

10.40.5.0/24

Administration

3

10.40.3.0/24

Sales

5

10.50.5.0/24

Administration

3

10.50.3.0/24

Production

7

10.60.7.0/24

Administration

3

10.60.3.0/24

DHCP Host Range

Broadcast Address

10.10.1.4010.10.1.239 10.10.2.4010.10.2.239 10.10.3.4010.10.3.239 10.10.4.4010.10.4.239 10.20.5.4010.20.5.239 10.20.6.4010.20.6.239 10.30.5.4010.30.5.239 10.30.3.4010.30.3.239 10.40.5.4010.40.5.239 10.40.3.4010.40.3.239 10.50.5.4010.50.5.239 10.50.3.4010.50.3.239 10.60.7.4010.60.7.239 10.60.3.40-

10.10.1.255 10.10.2.255 10.10.3.255 10.10.4.255 10.20.5.255 10.20.6.255 10.30.5.255 10.30.3.255 10.40.5.255 10.40.3.255 10.50.5.255 10.50.3.255 10.60.7.255 10.60.3.255

10.60.3.239

Table one, IP Address Scheme – Workstations The following table lists the recommended address scheme for all network devices. Host ID

Device

.1

Gateway Router  

.5

Application Server  

.6

Storage Server  

.1 5

Subnet Switch

.20 to.30 to.30 Layer Layer 3 Swit Switche chess .225

 Network attached storage drivers.

.240 - .  Network attached printers. 249 .40 - . DHCP pool for workstations 239

Table two, Address Scheme for network devices Virtual Local Area Network  The logical arrangement is to create a VLAN with seven segments according to the four  different purposes: one segment for Management, Sales, Creation and Manufacturing. Each segment can have its own group permissions and privileges. Wireless access points will belong to a separate VLAN behind a firewall with no access to network resources other than through a VPN client.

Figure two, Acme VLAN Topology VLAN membership by MAC address shall be the protocol of the Network. VLAN membership by MAC address allows workstations on the network easily moved aroun d to any network segment since MAC addresses are hard-wired into the NICs of all components (Passmore & Freeman, 1996). The virtual trunking protocol (VTP) mode used to configure the switches is transparent. Once Transparent schemes are configured, they will not attempt to reconfigure and do not n ot  broadcast their configuration (Cisco, 2009). This means that a tech will reprogram every switch when it expands. Simple identification by IP address and MAC address is not sufficient. When

spoofed, the switches and routers will not be able to tell the difference. To improve security an open source encryption system with a proprietary set of keys. Encryption systems configured to give only certain keys to certain network segments information.  Network Components All new networking equipment including multilayer switches, gateway routers, client devices, servers and wireless routers strategically placed within the local area networks to handle wired and wireless data, voice and video services for 1000 network users. In order to gain the most out ou t of implementing a VLAN, a private port switching physical topology be implemented. A private port switching topology not only increases the bandwidth  per segment but also increases network security since the only traffic found on a particular  segment is for the one device connected to that segment (Passmore, 1996). Private port switching requires each device to own a port on the local workgroup switch. To save cost, a simple layer  two twenty-port switches to attach end user devices. Layer 3 multilayer switches to connect the workgroups to the backbone. Layer 3 switches will provide inter-VLAN routing without the need for routers. One Layer 3 multilayer backbone switches per 5 workgroup switches or 100 devices. Refer to figure three for a simplified overview. Packets destined for another device on the same physical workgroup of the same VLAN assignment would only need to traverse the L2 workgroup switch; a packet destined for  another physical workgroup or another VLAN, the packets routed through the L3 switch.

Figure three, simplified private port physical topology. Routers are on the backbone to route packets between each floor of each building and one additional router will be required at each location to serve as gateway to the WAN link. Each gateway will also be equipped with firewall hardware. In order to support 1000 network users, it is recommended that one application and one storage server be placed at each location for each department with the exception of Atlanta, Georgia who will share server resources over a wireless WAN link. Additionally, one e-mail and one VOIP based PBX server is required at each location. A dedicated VOIP based PBX server at each ea ch location running Cisco Unified Communications Manager software will fulfill Acme Manufacturing voice and video requirements. Cisco Unified Communications Manager supports the latest VOIP technology

including SSL VPN on IP phones, video conferencing, four-digit extension dialing even between locations, and call forwarding (Cisco, 2011). Hardware needed for Wireless connectivity at locations with wireless connectivity will be 1000ft Enhanced Category 6 Network Cable for every 75000 square feet, D-LINK WNDR3800  N600 Wireless Dual Band Wireless routers and a D-Link DGS-1005G 5-Port Gigabit Switch for  every 4 routers. Mounting racks and wireless routers placed e very 75 ft and above reachable height to serve in locations with high concentrations of workers.  Network Security VPN connects wireless users to their departments’ network privileges and resources. A VPN policy conforms wireless use to network security protocols. Firewalls between servers and the rest of network, firewalls and antivirus on each computer, firewall of course between VLAN segments and the public switched network. User access from wireless device to VLAN authorized in their department. Network management and security group the IP addresses on the network by device type, department and building. Configurations for firewalls, global rules for  access predicate upon department. In example, it only allows the wildcard access to wildcard and only department devices can access the sales department server. The communication backbones provided by the incumbent local exchange carrier (ILEC) to connect the multiple company sites implements there own network security features in an attempt to secure network connections from the time the information transmitted, to the time, it is received, as well as open system authentication with a service set identifier (SSID) beaconing. Open System Authentication is a process by which a computer can gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol. Attackers determine SSID, Beaconing, passive scanning, the service set identifier of the computer should match the SSID of 

the wireless access point. A well-secured network using WPA or, ev en better, WPA2, and a nontrivial password, will take care of those people, as well as more capable hackers Lifecycle Recommendations We suggest scheduling a maintenance inspection every two years including: Updates, attenuation of signaling equipment, broadcast media and all static equipment replace damaged or  aged equipment. We suggest that encryption algorithms, user passwords and access expire and terminate upon employee departure. That penetration tests scheduled to check and improve the security of the network. Backing up the vlan.dat file of the switches to save the configuration of  each network in case of switch failure reconfiguration only takes as long as replacement or it takes to reboot the switch or the rest of the network. Network administrators are required to update firmware on all devices monthly and virus definitions daily on all machines in the network.

References AT&T (2011). Enterprise Business Frame Relay. Retrieved on August 14, 2011, from: AT&T, http://www.business.att.com/enterprise/Family/network-services/frame-relay-atm. Cisco (2009). Understanding VLAN Trunk Protocol (VTP). Retrieved on February 28, 2011, from: Cisco, http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c5 2.shtml#vtp_modes. Cisco (2011). Cisco Aironet 1550 Series. Retrieved on August 14, 2011 from: Cisco, http://www.cisco.com/en/US/products/ps11451/index.html. Cisco (2011). Cisco Unified Communications Manager Express. Retrieved on August 14, 2011 from: Cisco, http://www.cisco.com/cisco/web/solutions/small_business/products/voice_conferencing/u c_manager_express/index.html. Cisco (2011). Multiprotocol Label Switching (MPLS). Retrieved on August 14, 2011 from: Cisco, http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html. Passmore & Freeman (1996). The virtual LAN technology report. Retrieved on August 14, 2011 from: 3COM, http://www.3com.com/other/pdfs/solutions/en_US/20037401.pdf. Welcher (2004). Clever Addressing Schemes. Section Case Study #2: Controlling College Students

Retrieved on February 28, 2011, from: netcraftsmen.net, http://www.netcraftsmen.net/resources/archived-articles/506.html.