IP Network Specification, v1.1

Transcription

1 IP Network Specification, v1.1 (Class C Network)

2 Table of Contents IP Network Specifications, v (Class C Network)... 1 IP Network Requirements - General... 3 Documentation - General... 3 Configuration Guide - General Instructions... 4 Network optimization strategy:... 4 Network Diagram... 5 Table 1: Network/Host Information (Basic information)... 6 IP Address Worksheet... 7 Subnetting Worksheet: CIDR /27 ( )... 7 VLSM Worksheet... 8 Configuration Worksheet (detail) Initial (Baseline) Configuration Verification - Checklist # ACL Lists and Statements Configuration notes: ACL s 100 (inbound) Benefits: ACL 100: e0 inbound (Boaz and Eva) Configuration Test Plan (basic connectivity/security using ACL s) Monitoring the Network Validate the ACL Configuration - Checklist# CM Documentation (command outputs from validated configuration) Security Management Documentation (command outputs from validated configuration)... 15

3 IP Network Requirements - General In addition to existing specifications, the following requirements are to be followed: o Class C IP Network o RIP v1 o Configure IP addressing scheme (and network diagrams) o Sample network configuration and validity/connectivity test data (command outputs) o Site-Validation & Equipment list: serial numbers, diagrams, etc. (Recorded for documentation; see example network worksheets, test scripts, and data samples) All other customer requirements are referenced in sections, below. Documentation - General Included in this description is an outline of all tasks required to build, test, and manage the proposed configuration. To fulfill these requirements, we provide network diagrams, change management and configuration data needed to correctly connect each network component and perform software configuration. To accomplish these stated goals, the following steps shall be taken: Set up all physical systems, as per the network diagrams/layout provided and the instructions provided herein. Correctly install and configure each system/component, including each router and their basic router configuration. Set up a TFTP server on one of the workstations (eg: on the Admin. WS). Create and apply access Control Lists (ACL s) on the appropriate router(s) and interface(s), as per the instructions provided herein. Test and verify connectivity between each network device (router, workstation, and server) as described, including the Configuration Notes, and Configuration Test Plan which have been provided. It is assumed that the reader is familiar with basic MS Windows, and Cisco networking software, and has basic knowledge of TCP/IP, Cisco IOS 12.x, and networking/hardware technology used to configure each component specified in the network diagram (see below). Based upon the instructions provided, it is possible to correctly build, test, and verify a fully functioning inter-network, as described herein. Troubleshooting configuration and/or hardware failures and errors is beyond the scope of this document.

4 Configuration Guide - General Instructions This network requires a single, class C network, and is configured with a maximum of 6 subnets (note: only 5 required), and each subnet has no more than 30 network devices (i.e., no more than 30 interfaces) per subnet. The following access restrictions are required, as indicated: WorkStation 2 (WS2) and File Server 1 are on the Management Network, and are able to access all other network devices (routers, workstations, server). Unless noted otherwise, all WorkStations (WS) on the Boaz LAN shall be permitted to access to File Server 1 only, and they are NOT permitted access outside their own LAN. For example, the WS s on the Boaz LAN can access fileserver 1 and the WS s connected to their own Boaz LAN, but they are not allowed to access any WS s connected to other (external) networks or LAN s outside the Boaz LAN. Unless noted otherwise, all WorkStations (WS) on the Eva LAN shall be permitted to access to File Server 1 only, and they are NOT permitted access outside their own LAN. For example, the WS s on the Eva LAN can access fileserver 1 and the WS s connected to their own Eva LAN, but they are not allowed to access any WS s connected to other (external) networks or LAN s outside the Eva LAN. The Center, Eva, and Boaz routers are permitted to access to any device on the network, including all routers, workstations, and servers. WS s on the Boaz LAN may access each other. WS s on the Eva LAN may access each other. Refer to the Network Diagram and Configuration Worksheets for all additional information and instructions for configuring, testing, and maintaining this inter-network. Network optimization strategy: For new designs, a trade-off always occurs regarding cost, performance and expansion capabilities. Based on a key customer requirement to provide 6 sub-nets (1 unassigned ) with up to 20 additional workstations per remote office, the following solutions are to be implemented. Network Diagram and Configuration Worksheets for all additional information and instructions for configuring, testing, and maintaining this inter-network. This configuration is considered to be optimized for lowest-cost solution adding more nodes over time (up to 30 per subnet, maximum) at each location.

5 Network Diagram

6 Table 1: Network/Host Information (Basic information) Router Designation Router Name Enable Secret VTY/Console Password Routing Protocol Routing Statements Router 1 Center class cisco RIP v Router 2 Boaz class cisco RIP v Router 3 Eva class cisco RIP v Router Ethrnt 0 IP Ethrnt 1 IP Serial 0 IP Serial 1 IP Subnet Mask Designation Address Addr. Address Address Router xxx.xxx.xxx.xxx Router xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx Router xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx Host S/N IP Address Subnet Mask Gateway Fileserver WS2(admin) WS WS WS WS Device Router1 Router2 Router3 Fileserver1 WS2(admin) WS3 WS4 WS5 OS (Vers.) MAC Address XP XP XP XP XP WS6 XP

7 IP Address Worksheet Net Zero: /27 Net-Zero b-cast: NetMask/CIDR: Subnet # First host Last host Broadcast Subnetting Worksheet: CIDR /27 ( ) Requirements: Network must provide for 5 subnets. No more than 30 hosts per subnet. Use a Class C network address, RIP v1 (classful routing). Results: CIDR = /27 (subnet mask ); Blocksize = 32; Provides up to 6 valid subnets, (only the first 5 subnets are assigned/utilized). 30 nodes (interfaces) per subnet (maximum).

8 VLSM Worksheet 0 Network 0: Sub-Network 1: Sub-Network 2: Sub-Network 3: Sub-Network 4: Sub-Network 5:

9 Sub-Network 6: (un-used) Sub-Network 7: (invalid)

10 Configuration Worksheet (detail) Hostname Boaz Center Eva Router Type (Model #) Router S/N Console / Aux Password cisco / cisco cisco / cisco cisco / cisco Secret Password class class class VTY 0 4 Password Cisco cisco cisco Net Mask Serial 0 IP Address Serial 1 IP Address n/a n/a Serial 0 Clock Rate DTE DCE/64000 DTE Serial 1 Clock Rate N/A DCE/64000 N/A e0 IP Address e1 IP Address n/a n/a n/a Enable interfaces no shut no shut no shut Add Routing Protocol RIP (v1) RIP (v1) RIP (v1) Add Network Statements Host Table: Routers/Hosts Message of the day Center, WS3, WS4, Eva, WS5, WS6, WS2 Warning: You have entered a Restricted access area. **** Please log off!! Boaz, WS3, WS4, Eva, WS5, WS6, WS2 Warning: You have entered a Restricted access area. **** Please log off!! Center, Boaz, WS3, WS4, WS5, WS6, WS2 Warning: You have entered a Restricted access area. **** Please log off!! Ser 0 Description WAN link-center (CKT#123) WAN link - Boaz (CKT#123) Ser 1 Description N/A WAN link-eva (CKT#456) Fa 0 Description Boaz-LAN Center-LAN Eva-LAN Fa 1 Description N/A N/A N/A WAN link-center (CKT#456) N/A

11 Initial (Baseline) Configuration Verification - Checklist #1 Prior to adding ACL s to the initial configuration, it is important to verify the baseline configuration has been successfully achieved. The checklist, below, includes a list of key tests (and the expected results) to be conducted. A similar checklist of tests will be conducted, later, and after the ACL s have been applied to the network. At this time, verify the baseline configuration has been achieved, according to the following checklist. Record the results of each test, in the space provided. Successful? Test/Condition telnet Boaz to Eva telnet WS4 to Eva telnet WS5 to Boaz telnet WS2 to Boaz telnet WS2 to Eva ping WS5 to Fileserver 1 ping WS3 to Fileserver 1 ping WS3 to WS4 ping WS5 to WS6 ping WS3 to WS5 ping WS2 to WS5 ping WS2 to WS3 ping Eva to WS3 ping Boaz to WS5 Expected Result ACL Lists and Statements Configuration notes: Prior to applying any ACL statements, perform the following steps: First, verify all network devices can successfully ping each of the other devices, for the entire network. This includes all routers, workstations, and servers (each device successfully pings the other device, ensuring fully functioning (i.e., full connectivity) between all networks, interfaces, and devices). Verify the baseline configuration has been achieved (see previous checklist). Next, copy this initial configuration to NVRAM (copy run start). Next, make a backup of each configuration of each router (without ACL s applied). This is the Fall-Back configuration, for later (i.e. if this process fails or an incorrect configuration is applied, re-use this FB configuration). For example, create a sample backup, with the filename: Router-Center-FB-cfg- 1.0.txt. Then, save this backup to fileserver, CDROM and/or diskette.

12 Admin. WS Tests: Perform tests from the Admin Workstation to each node, especially nodes that exist on ACL-protected networks. o For example, verify Admin station (WS2) can successfully ping (and/or telnet, if enabled) to WS3, WS4, WS5, and WS6. o Verify all customer and admin. applications successfully function, such as those that send/receive data and files between the fileserver (and/or the Admin Workstation) and all other hosts (from WS2 to/from all subnetworks), as required. After identifying the ACL statements required for each router and interface (including direction each ACL is to be applied), follow these instructions as you begin to apply them to each router. Remote administration is important, since it is not possible to physically maintain equipment in remote offices (Boaz and Eva). Prior to applying a new (i.e., untested) ACL to an interface, it is advisable to, first, execute a reload in 50 command at the router (PRIV mode) prompt. This will reload the NVRAM configuration, in case the ACL results in total, remote lock-out. After 50 seconds, or so, you will be able to re-connect, since the router will have returned to its Fall-Back configuration. o NOTE: If the ACL works, then you ll need to disable the reload before the 50 second reload-timer has expired. Using a text editor to store each statement, create ACL s for each router (i.e., Router- Center-ACL-cfg-1.0.txt). Enter each ACL statement into these files, and save to disk. To configure each router, copy/paste the ACL statements from the file into the HyperTerminal session of each router, as appropriate. In this manner, configure each router to use the ACL that has been created specifically for it (i.e., unless otherwise noted, do not use the Center router s ACL on the Eva, or Boaz router s, since each ACL is unique to each sub-network). Finally, after all customer tests (including the Configuration Test Plan, below) have been successfully completed, save the configuration to NVRAM (i.e., copy run start), and make copies of all disk files (that is, making copies of all the running-configuration on each router using HyperTerminal to capture/record, and cut/paste into a text file named Router-Center-cfg-1.0.txt), plus all ACL s.(i.e., text files), plus the configuration worksheets, Configuration Management information, and Network Diagram: Save all configuration information and files to a secure system, or PC, such as the Administrative WorkStation, and/or the Fileserver (using a password protected directory, with restricted read, write, or execute access permissions). Also, create an additional backup of these materials using a CD-R, and 3.5 floppy diskette (write-protected, afterwards!), and store them in a secure, cool, dry place. It is advisable to create a 3 rd set of backup media, stored in a similar manner, but in an off-site location, for use during Disaster/Recovery operations (in the event of flooding, fire, earthquake, etc.).

13 ACL s 100 (inbound) The following Extended ACL statements restrict access between nodes, as per the requirements of this case study. For this study, ACL s are to be applied to the e0 interface (inbound) on both the Boaz and Eva routers. Since Boaz and Eva are configured as per the Network Diagram, the same ACL is to be applied to each router, (i.e., ACL 100, applied to their inbound, e0 interfaces), as described in the table below. Please note: The ACL number is local-only, and is not a global value. If additional traffic/applications shall be permitted between these WS s, then additional ACL s (and/or statements) must be created/applied. If additional security is required, ACL s can be applied to Center, thereby limiting traffic destined for the Center LAN ( network). At this time, additional restrictions are unnecessary, since the Administrator is the primary user on the Center-LAN and is, also, responsible for maintaining the entire network. Benefits: This is an Extended ACL created as a security standard throughout the network (in this case, standard implies it is an identical ACL used on all remote routers, Boaz and Eva), which minimizes complexity, and simplifies CM, test, and management procedures. Furthermore, only the remote routers are affected by these ACL s, thereby minimizing overall performance impact on the network by a) limiting the number of ACL s (and statements) to be applied to each packet, and b) limiting the amount of unwanted traffic from traversing the WAN (serial links). ACL 100: e0 inbound (Boaz and Eva) Statements access-list 100 permit / ip any host / access-list 100 permit / icmp any any echo-reply ip access-group 100 in Descriptions Permit any host on LAN access to fileserver 1 Allow successful ping originating from any host on external network to return to source Apply ACL to LAN interface (e0, incoming) Configuration Test Plan (basic connectivity/security using ACL s) The access control (security) goals for this network include the following conditions: WorkStation 2 (WS2) and File Server 1 are on the Management Network, and are able to access all other network devices (routers, workstations, server). Unless noted otherwise, all WorkStations (WS) on the Boaz LAN shall be permitted to access to File Server 1 only, and they are NOT permitted access

14 outside their own LAN. For example, the WS s on the Boaz LAN can access fileserver 1 and the WS s connected to their own Boaz LAN, but they are not allowed to access any WS s connected to other (external) networks or LAN s outside the Boaz LAN. Unless noted otherwise, all WorkStations (WS) on the Eva LAN shall be permitted to access to File Server 1 only, and they are NOT permitted access outside their own LAN. For example, the WS s on the Eva LAN can access fileserver 1 and the WS s connected to their own Eva LAN, but they are not allowed to access any WS s connected to other (external) networks or LAN s outside the Eva LAN. The Center, Eva, and Boaz routers are permitted to access to any device on the network, including all routers, workstations, and servers. WS s on the Boaz LAN may access each other. WS s on the Eva LAN may access each other. Monitoring the Network After each component has been configured and the procedures (and configurations) documented, as outlined above (and according to the Network Diagram), the following tests should be conducted to verify the correct configuration has been achieved (and is maintained) for each node on the network. Place a checkmark next to each line item, to indicate the test was successful, according to the instructions provided on each line. The following tests and commands should be conducted as part of routine and/or preventative maintenance procedures. Verify each test achieves the expected result. Periodically, verify the Configuration Management information has not changed, and the CM data is still valid, and is running on each router and system in the network. The CM Worksheets, below, document the validated configuration. In the future, testing should be conducted to ensure the configuration has not been modified, and the configuration adheres to the validated CM information contained in this document. Any changes/modifications made to any network component must be re-tested (i.e. re-validated according to the testing guidelines listed herein), and all changes documented using the CM worksheets, Network Diagram, and Checklists. Because the network is vital to the company (i.e., business-critical) it is recommended that Change Management policies and procedures be defined and implemented, and strictly adhered to even for relatively minor changes to any network component, or device.

15 Validate the ACL Configuration - Checklist#2 Successful? Test/Condition telnet Boaz to Eva telnet WS4 to Eva telnet WS5 to Boaz telnet WS2 to Boaz telnet WS2 to Eva ping WS5 to Fileserver 1 ping WS3 to Fileserver 1 ping WS3 to WS4 ping WS5 to WS6 ping WS3 to WS5 ping WS2 to WS5 ping WS2 to WS3 ping Eva to WS3 ping Boaz to WS5 Expected Result unreachable unreachable unreachable CM Documentation (command outputs from validated configuration) Commands (outputs) Boaz Center Eva show cdp neighbors show ip route show ip protocol show ip interface brief show version show hosts show startup-config show running-config Note: For specific configuration data, refer to previous worksheets, tables and descriptions (i.e., interfaces, directions, protocols, etc.) Security Management Documentation (command outputs from validated configuration) Commands (outputs) Boaz Center Eva show ip interface show ip access lists Show access-lists Note: For specific configuration data, refer to previous worksheets, tables and descriptions (i.e., interfaces, directions, protocols, etc.)