Secure Network Design with High-Availability & VoIP


Networking, the communication between two or more networks, encompasses every aspect of connecting computers together. With the evolution of networking and the Internet, the threats to
information and networks have risen dramatically and performance has suffered enormously.
As a company grows its business, its existing network design needs to be updated and expanded to accommodate additional users or workloads. But the difficulty arises as networks
are being pressured to cost less, yet support the emerging applications and a higher number of users
with increased performance. As personal, government and business-critical applications become
more prevalent on the Internet, it is imperative that all networks be protected from threats and
vulnerabilities in order for a business to achieve its fullest potential. Hence a secure design for a
network is critical in today's expanding corporate world.

Published in: Technology, Business
Transcript of "Secure Network Design with High-Availability & VoIP"

  1. SECURE NETWORK DESIGN WITH HIGH-AVAILABILITY & VOIP
     PRESENTED BY: 09BCE035 ARPAN PATEL
  2. BRIEFLY, THIS PROJECT AIMS TO SET UP AN END-TO-END SECURE DATA & VOIP NETWORK FOR A SMALL ENTERPRISE, WITH FEATURES LIKE HIGH AVAILABILITY, ENHANCED PERFORMANCE, RESILIENCY, SECURITY FOR WIRED & WIRELESS COMMUNICATION AND INCREASED PRODUCTIVITY.
  3. THE MAJOR OBJECTIVE OF THIS PROJECT WAS A SMALL ENTERPRISE NETWORK UPGRADE IN ORDER TO:
     • IMPROVE AND CONSOLIDATE NETWORK PERFORMANCE ON SITE.
     • PROVIDE INCREASED NETWORK CAPACITY.
     • IMPROVE THE NETWORK'S FAULT TOLERANCE CAPABILITY.
     • PROVIDE FUTURE EXPANSION CAPABILITY.
     • IMPROVE THE NETWORK SECURITY TO PREVENT UNAUTHORIZED ACCESS.
     • IDENTIFY THE CRITICAL POINTS OF FAILURE IN THE EXISTING NETWORK AND PROPOSE HOW TO ELIMINATE THEM.
  4. SECURITY POLICY & REQUIREMENTS:
     • WIRELESS USERS ARE DENIED ACCESS TO THE PRIVATE NETWORK; THEY ONLY HAVE ACCESS TO THE INTERNET.
     • NETWORK DEVICES MUST ONLY BE ACCESSED BY A LOCAL-SITE OR REMOTE-SITE ADMIN WITH AUTHORIZATION. ONLY PERMITTED DEPARTMENTS ARE ALLOWED TO COMMUNICATE WITH OTHER DEPARTMENTS.
     • NO HOST OTHER THAN THE COMPANY'S END DEVICES CAN BE ATTACHED TO THE NETWORK. IF ONE IS ATTACHED, ACCESS MUST BE DENIED IMMEDIATELY AND THE ADMIN SHOULD BE NOTIFIED.
     • TWO GUEST COMPUTERS SHOULD BE ACCOMMODATED IN ANY DEPARTMENT; THEY ARE ONLY PERMITTED TO COMMUNICATE WITH THE MARKETING DEPARTMENT AND HAVE LIMITED INTERNET ACCESS.
     • EMPLOYEES CAN ONLY ACCESS THE ALLOWED SITES.
     • HUMAN RESOURCES IS DENIED ACCESS TO ANY OTHER DEPARTMENT AND IS ONLY ALLOWED INTERNET ACCESS.
  5. FUTURE EXPANSION CAPABILITY:
     • SERVERS CAN BE ADDED TO THE NETWORK AT ANY TIME.
     • CLUSTERING OF THE SERVERS IS ALSO POSSIBLE IF NECESSARY IN THE FUTURE, AS THE EXISTING SERVER HARDWARE IS IDENTICAL AND SUPPORTS SCSI.
     • SYSTEM COMPONENTS ARE IDENTICAL AT ALL NODES FOR EASE OF MANAGEMENT, AND CONFIGURATIONS ARE SIMILAR BETWEEN ALL UNITS AND CAN BE USED AS TEMPLATES FOR ADDING NODES.
     • THE DISTRIBUTION SWITCH IS A 24-PORT GIGABIT SWITCH WITH 4 SFP FIBER MODULES.
     • HENCE EXPANDING THE NUMBER OF DEPARTMENTS OR EVEN THE NUMBER OF BRANCHES WILL ALWAYS BE POSSIBLE, AS ALL THE NECESSARY CONFIGURATIONS HAVE BEEN DONE.
  6. ACCESS LAYER SWITCHES ALSO HAVE THE CAPACITY TO SERVE MORE USERS AND ARE ALSO CONFIGURED FOR SUCH EXPANSION.
  7. FUTURE TRANSITION TO IPV6
     • WITH CERTAIN CONFIGURATIONS, THE FULL ENTERPRISE NETWORK CAN IN FUTURE BE IMPLEMENTED WITH AN IPV6 SETUP.
     • DOCUMENTATION IS ALSO PROVIDED FOR A FULL IPV6 DEPLOYMENT.
  8. NETWORK FEATURES
     • WEB SERVER
     • FTP SERVER
     • DHCP SERVER
     • DNS SERVER
     • SYSLOG SERVER
     • VOIP
  9. VOIP
     Steps:
     1. Configure Call Manager Express™ on a 2811 router.
     2. Use the various telephony devices.
     3. Set up dial peers.
     4. Connect Cisco™ IP phones to the network.
     • ADDITIONALLY, IN THE CURRENT NETWORK INFRASTRUCTURE IP PHONES HAVE ALSO BEEN CONFIGURED IN EACH DEPARTMENT USING THE SAME ETHERNET NETWORK.
     • BY RECONFIGURING THE NETWORK AND THE MANAGEABLE SWITCHES, VOICE IS NOW CARRIED OVER THE NETWORK.
  10. VOIP CONFIGURATION:
      • TASK 1: CONFIGURE INTERFACE FASTETHERNET 0/0 AND THE DHCP SERVER ON ROUTERA (2811 ROUTER)
      • TASK 2: CONFIGURE THE CALL MANAGER EXPRESS TELEPHONY SERVICE ON ROUTERA
      • TASK 3: CONFIGURE A VOICE VLAN ON SWITCHA
      • TASK 4: CONFIGURE THE PHONE DIRECTORY FOR IP PHONE 1
      • TASK 5: VERIFY THE CONFIGURATION
  11. CISCO IP PHONE CONFIGURATION COMMANDS:
      #Configure the FA 0/0 interface#
      RouterA>enable
      RouterA#configure terminal
      RouterA(config)#interface FastEthernet0/0
      RouterA(config-if)#ip address 192.168.10.1 255.255.255.0
      RouterA(config-if)#no shutdown
      #The DHCP server is needed to provide an IP address and the TFTP server location for each IP phone connected to the network#
      RouterA(config)#ip dhcp pool VOICE   #Create a DHCP pool named VOICE#
      RouterA(dhcp-config)#network 192.168.10.0 255.255.255.0   #DHCP network 192.168.10.0 with /24 mask#
      RouterA(dhcp-config)#default-router 192.168.10.1   #The default router IP address#
      RouterA(dhcp-config)#option 150 ip 192.168.10.1   #TFTP server address handed to the phones; mandatory for the VoIP configuration#
      After the configuration, wait a moment and check that 'IP Phone 1' has received an IP address by watching the phone screen until a configuration summary appears.
      Apply the following configuration on the SwitchA interfaces. This configuration separates voice and data traffic into different VLANs on SwitchA; data packets are carried on the access VLAN.
      SwitchA(config)#interface range fa0/1 - 5   #Configure an interface range#
      SwitchA(config-if-range)#switchport mode access
      SwitchA(config-if-range)#switchport voice vlan 1   #Define the VLAN on which voice packets will be handled#
  12. CISCO IP PHONE CONFIGURATION COMMANDS (CONTINUED):
      Configure the Call Manager Express telephony service on RouterA to enable VoIP on the network.
      RouterA(config)#telephony-service   #Configure the router for telephony services#
      RouterA(config-telephony)#max-dn 5   #Define the maximum number of directory numbers#
      RouterA(config-telephony)#max-ephones 5   #Define the maximum number of phones#
      RouterA(config-telephony)#ip source-address 192.168.10.1 port 2000   #Source IP address and port the phones register to#
      RouterA(config-telephony)#auto assign 1 to 6   #Automatically assign extension numbers to buttons#
      Although 'IP Phone 1' is already connected to SwitchA, it needs additional configuration before it can communicate. To configure RouterA CME to assign a phone number to this IP phone:
      RouterA(config)#ephone-dn 1   #Define the first directory entry#
      RouterA(config-ephone-dn)#number 999   #Assign the phone number to this entry#
      Ensure that the IP phone receives an IP address and the phone number 999 from RouterA. This can take a short while.
  13. REMOTE SITE VOIP CONFIGURATION USING DIAL PEERS:
      SITE1 ROUTER:
      dial-peer voice 47 voip
       destination-pattern 1..
       session target ipv4:18.18.18.2
      SITE2 ROUTER:
      dial-peer voice 47 voip
       destination-pattern ...
       session target ipv4:78.78.78.2
  14. ADDITIONAL FEATURES WHICH INCREASE NETWORK PERFORMANCE & CAPACITY:
      • VTP PRUNING: WHEN VTP PRUNING IS ENABLED ON VTP SERVERS, ALL THE CLIENTS IN THE VTP DOMAIN WILL AUTOMATICALLY ENABLE VTP PRUNING. BY DEFAULT, VLANS 2–1001 ARE PRUNING ELIGIBLE, BUT VLAN 1 CAN'T BE PRUNED BECAUSE IT'S AN ADMINISTRATIVE VLAN.
      • SPANNING-TREE PORTFAST: ENABLED VERY CAREFULLY ON ACCESS PORTS CONNECTED TO HOSTS ONLY, ESPECIALLY THE SERVERS, SO UPTIME IS HIGH AND THERE IS NO UNNECESSARY DELAY CAUSED BY STP.
      SW1#config t
      SW1(config)#interface Fa0/1
      SW1(config-if)#switchport trunk pruning vlan 3-4
  15. NETWORK CONNECTIVITY TESTING PLAN:
      Layer 1 Error Checklist
      • Broken cables
      • Disconnected cables
      • Cables connected to the wrong ports
      • Intermittent cable connections
      • Cables incorrectly terminated
      • Wrong cables used (cross-connects, rollovers, straight-through cables)
      • Transceiver problems
      • DCE cable problems
      • DTE cable problems
      • Devices powered off
      Layer 2 Error Checklist
      • Improperly configured serial interfaces
      • Improperly configured Ethernet interfaces
      • Wrong clock rate settings on serial interfaces
      • Wrong encapsulation set on serial interfaces
      • Faulty NIC
      Layer 3 Error Checklist
      • Wrong routing protocol enabled
      • Incorrect network/IP addresses
      • Incorrect subnet masks
      • Incorrect interface addresses
      • Incorrect DNS-to-IP bindings
      • Wrong autonomous system number for EIGRP
  16. STANDARD COMMAND LINE TOOLS USED TO TROUBLESHOOT
      • STANDARD COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT HOST LEVEL PROBLEMS ARE:
        • ping – CHECK CONNECTIVITY BETWEEN THE HOST AND OTHER NETWORK DEVICES
        • tracert – CHECK THE PATH TO OTHER NETWORK DEVICES
        • ipconfig – SEE IF THE HOST PROPERLY DETECTS THE CONFIGURATION ASSIGNED TO IT
        • arp -a – DISPLAY THE IP-TO-PHYSICAL ADDRESS TRANSLATION TABLES
      • STANDARD CISCO IOS COMMAND LINE TOOLS THAT WILL BE USED TO TROUBLESHOOT ROUTER LEVEL PROBLEMS ARE:
        • ping – CHECK CONNECTIVITY BETWEEN THE ROUTER AND OTHER NETWORK DEVICES
        • traceroute – CHECK THE PATH TO OTHER NETWORK DEVICES
        • show arp – SHOW THE IP/MAC ADDRESSES IN USE
        • show ip route – SHOW THE ROUTER'S ROUTING TABLE
        • show interface / show ip interface brief – SHOW EXISTING INTERFACE CONFIGURATIONS AND WHETHER THEY ARE ADMINISTRATIVELY UP OR DOWN
        • show run – SHOW THE EXISTING OVERALL CONFIGURATION
  17. SECURE NETWORK DESIGN WITH HIGH-AVAILABILITY & VOIP
      PRESENTED BY: 09BCE035 ARPAN PATEL
  18. SITE-1: IP ADDRESSING SCHEME
  19. SITE-2: IP ADDRESSING SCHEME
  20. ETHERCHANNEL: CISCO'S IMPLEMENTATION OF PORT AGGREGATION
      • PORT AGGREGATION ALLOWS US TO TIE MULTIPLE PORTS TOGETHER INTO A SINGLE LOGICAL INTERFACE.
      • NOT ONLY DOES PORT AGGREGATION INCREASE THE BANDWIDTH OF A LINK, BUT IT ALSO PROVIDES REDUNDANCY.
      Benefits:
      1. Enhanced performance.
      2. Redundancy.
      3. Resiliency and faster convergence.
      So, once again, how did we implement EtherChannel?
      Switch(config)#interface range gigabitEthernet 0/1-2
      Switch(config-if-range)#switchport mode trunk
      Switch(config-if-range)#switchport nonegotiate
      Switch(config-if-range)#channel-group 1 mode desirable
  21. FIBER UPLINK
      • HAVING A FIBER BACKBONE IS THE WISEST DECISION IN ANY ENTERPRISE NETWORK DESIGN.
      • WE HAVE IT IN THE CORE BACKBONE, WHICH CONNECTS THE CORE ROUTER TO THE DISTRIBUTION SWITCH.
      • THE SERVERS OF ALL 3 SITES ARE NOW ALSO CONNECTED TO THE NETWORK WITH GIGABIT FIBER.
      Benefits:
      1. High availability.
      2. Faster response time.
      3. Increased reliability.
  22. REDUNDANT BACK-UP LINKS
  23. BACKUP SERVERS INSTALLATION & CONFIGURATION:
  24. INSTALLATION OF WINDOWS SERVER 2008
  25. Backup Server Configuration…
  26. Backup Server Configuration…
  27. ACCESS-CONTROL LIST
      ACCESS CONTROL LISTS (ACLS) CAN BE USED FOR TWO PURPOSES ON NETWORKING DEVICES:
      • TO FILTER TRAFFIC.
      • TO LOCALIZE SPECIFIC TRAFFIC IN SPECIFIC SUBNETS.
      TYPES OF ACCESS LISTS:
      • NUMBERED
      • NAMED
      • EXTENDED
      • STANDARD
      • ACCESS CONTROL LISTS WORK IN A TOP-DOWN APPROACH:
        - A PERMIT STATEMENT IS USED TO ALLOW TRAFFIC.
        - A DENY STATEMENT IS USED TO BLOCK TRAFFIC.
      • COMMANDS:
        - Router(config)#ip access-list extended <NAME>
        - Router(config-ext-nacl)#permit ip host <SOURCE IP> host <DESTINATION IP>
  28. SWITCH PORT SECURITY
      • NO OTHER WORKSTATION CAN BE PLUGGED INTO THE FASTETHERNET PORT.
      • IF AN UNREGISTERED MAC IS PLUGGED IN, THE PORT WILL BE SHUT DOWN OR RESTRICTED.
      Switch(config)#interface fa 0/1
      Switch(config-if)#switchport mode access   #port-security only applies to a static access (or trunk) port#
      Switch(config-if)#switchport port-security
      Switch(config-if)#switchport port-security mac-address sticky
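As an added illustration (not part of the slides), the following model shows what "shut down or restricted" means on a port configured as above: sticky learning registers the first MAC seen, and the violation mode decides whether an unregistered MAC takes the whole port down or is dropped on its own. The port name and MAC addresses are constructed.

```python
# Added example, not from the slides: a model of IOS switchport port-security
# with sticky MAC learning, contrasting the 'shutdown', 'restrict' and
# 'protect' violation modes. MAC addresses and port name are constructed.
from typing import List


class SecurePort:
    """One access port with 'switchport port-security' and sticky learning."""

    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown"):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation mode must be shutdown, restrict or protect")
        self.name = name
        self.maximum = maximum            # switchport port-security maximum N (default 1)
        self.violation = violation        # switchport port-security violation MODE
        self.secure_macs: List[str] = []  # sticky-learned (registered) addresses
        self.err_disabled = False         # True once a shutdown-mode violation fires
        self.violation_count = 0
        self.syslog: List[str] = []       # what the admin is notified with

    def frame(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forwarded' or 'dropped'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped"              # an err-disabled port passes nothing at all
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # sticky: learned and kept in the config
            return "forwarded"
        # Unregistered MAC on a full port: a security violation.
        if self.violation == "protect":
            return "dropped"              # silently dropped: no log, no counter
        self.violation_count += 1
        # Modelled on the IOS %PORT_SECURITY-2-PSECURE_VIOLATION syslog message.
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True      # whole port goes err-disabled until an admin recovers it
        return "dropped"


def simulate(mode: str, frames: List[str]) -> List[str]:
    """Run a sequence of source MACs through a fresh port in the given mode."""
    port = SecurePort("FastEthernet0/1", violation=mode)
    return [port.frame(mac) for mac in frames]


# Constructed traffic: the registered workstation, then a rogue device, then the workstation again.
FRAMES = ["00aa.bb01.0001", "00aa.bb01.0001", "00de.ad00.beef", "00aa.bb01.0001"]
```

In shutdown mode the legitimate workstation loses connectivity too once the rogue device appears, which is why the slide's "admin should be notified" requirement matters for that mode.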
  29. REMOTE ACCESS & REMOTE ACCESS SECURITY:
      • REMOTE ACCESS: TELNET (PORT 23)
      • SECURE REMOTE ACCESS: SSH VERSION 2 (PORT 22)
      • CONFIGURATION AS FOLLOWS:
        Host identification (using RSA keys)
        Encryption (IDEA)
        Authentication (RSA challenge)
      Router(config)#ip domain-name cisco.com
      Router(config)#crypto key generate rsa
      How many bits in the modulus [512]: 1024
      % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
      *Mar 1 0:4:8.988: %SSH-5-ENABLED: SSH 1.99 has been enabled
      Router(config)#ip ssh version 2
      Router(config)#username cisco password cisco
      Router(config)#line vty 0 4
      Router(config-line)#login local
      Router(config-line)#transport input ssh
      Router(config-line)#exit
      Router(config)#ip ssh time-out 90
      Router(config)#ip ssh authentication-retries 2
  30. ACCESS LISTS (ACL)
      ACCESS CONTROL LISTS (ACLS) CAN BE USED FOR TWO PURPOSES ON NETWORKING DEVICES:
      • TO FILTER TRAFFIC.
      • TO LOCALIZE SPECIFIC TRAFFIC IN SPECIFIC SUBNETS.
      TYPES OF ACCESS LISTS:
      • NUMBERED
      • NAMED
      • EXTENDED
      • STANDARD
  31. MAC FILTERING
      • ONLY REGISTERED USERS CAN ACCESS THE WIRELESS NETWORK.
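As an added illustration for the two ACL slides (not part of the slides), the following evaluator reproduces the top-down, first-match behaviour with the implicit deny, and uses it to check the wireless "Internet only" policy from the security requirements against constructed packets. It also flags entries that an earlier, broader entry shadows, which is the usual way a later deny stops working. The VLAN ranges are constructed and are not the project's addressing scheme.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One entry; proto "ip" matches all protocols, CIDR 0.0.0.0/0 is IOS 'any'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # tcp/udp destination port; None = any

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: top-down, first match decides; no match hits the implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of entries an earlier entry fully covers, so they can never fire."""
    def covers(a: Ace, b: Ace) -> bool:
        return ((a.proto == "ip" or a.proto == b.proto)
                and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
                and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
                and (a.dport is None or a.dport == b.dport))
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]

# Constructed VLANs: the slide's wireless (and HR) users may reach only the Internet.
PRIVATE = ["192.168.0.0/16", "10.0.0.0/8"]
WIRELESS = "192.168.50.0/24"

def internet_only(src: str) -> List[Ace]:
    """Deny the private ranges first, then permit everything else."""
    return [Ace("deny", "ip", src, p) for p in PRIVATE] + [Ace("permit", "ip", src, "0.0.0.0/0")]

# Same entries with the permit on top: both denies are shadowed and never fire.
WRONG_ORDER = list(reversed(internet_only(WIRELESS)))
```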
  32. RADIUS (REMOTE AUTHENTICATION DIAL IN USER SERVICE)
      • RADIUS IS AN AAA PROTOCOL: A SECURITY SYSTEM BASED ON AUTHENTICATION, AUTHORIZATION AND ACCOUNTING.
      • CLIENT-SERVER MODEL.
      • A SHARED SECRET MUST BE SHARED BETWEEN THE CLIENT (ACCESS POINT) AND THE SERVER, AND THE CLIENT MUST BE CONFIGURED TO USE THE RADIUS SERVER TO GET SERVICE.
      • RADIUS USES A CENTRALIZED SERVER THAT ALLOWS YOU TO DEFINE THE USERNAMES AND PASSWORDS WITH WHICH USERS LOG IN TO THEIR ACCOUNTS BEFORE ACCESSING THE NETWORK.
      • THE RADIUS SERVER IS RESPONSIBLE FOR RECEIVING USER CONNECTION REQUESTS, AUTHENTICATING THE USER AND THEN RETURNING ALL THE CONFIGURATION INFORMATION NECESSARY FOR THE CLIENT TO DELIVER SERVICE TO THE USER.
      • TRANSACTIONS BETWEEN CLIENT AND SERVER ARE AUTHENTICATED THROUGH THE USE OF A SHARED KEY, AND THIS KEY IS NEVER SENT OVER THE NETWORK.
      • THE PASSWORD IS ENCRYPTED BEFORE BEING SENT OVER THE NETWORK USING WPA2.
      • HERE SECURITY IS FULLY DEPENDENT ON THE SERVER, NOT THE ACCESS POINT, HENCE SECURITY IS INCREASED.
  33. THANK YOU…
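As an added illustration for the RADIUS slide (not part of the slides), the following shows how the shared secret between access point and server is used without ever crossing the wire, as specified in RFC 2865: the User-Password attribute is hidden with an MD5 keystream derived from the secret and the Request Authenticator, and the server's reply carries a Response Authenticator that only a holder of the secret can compute. The secret, Request Authenticator and passwords are constructed values.

```python
import hashlib
import hmac
import struct


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad to a multiple of 16
    bytes, then XOR each block with MD5(secret + previous ciphertext block);
    the first block is keyed with the 16-byte Request Authenticator."""
    pad = -len(password) % 16 if password else 16
    padded = password + b"\x00" * pad
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side: regenerate the same keystream from the shared secret."""
    padded, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")  # assumes the password has no trailing NULs


def response_authenticator(secret: bytes, code: int, ident: int,
                           req_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    where Length is the 20-byte header plus the attribute bytes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def reply_is_genuine(secret: bytes, code: int, ident: int, req_auth: bytes,
                     attrs: bytes, resp_auth: bytes) -> bool:
    """Client check on an Access-Accept/Reject: only a server holding the secret
    (and the Request Authenticator it was sent) can produce resp_auth."""
    expected = response_authenticator(secret, code, ident, req_auth, attrs)
    return hmac.compare_digest(expected, resp_auth)


# Constructed values for a demonstration run (a real client draws 16 random bytes).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
```

Note that this hides the password from a passive observer and authenticates the reply, but an access point with the wrong secret simply recovers garbage, so the secret must be configured identically on both sides, as the slide says.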
