Source: wiki.cs.vsb.cz/pos/images/3/31/Projekt_PS_1314Z-EN.pdf


Computer Networks – Winter Term 2013/2014
Network Design & Configuration Project

Pavel Moravec, Dept. of Computer Science, FEECS, VŠB-TU Ostrava

Assignment

Design and configure a corporate network connected to the Internet. Verify and test your solution and submit it in parts, either via the Distributed Virtual Networking Laboratory (Virtlab) or electronically to the e-mail address given to you by your lab assistant, documenting the working functionality with the requested information.

Network Description

The corporate network is connected to the ISP router through the customer router R1. The link between routers ISP and R1 uses a private address range that is not propagated into the Internet. A static route to the public address range of the corporate network is configured on the ISP router and is propagated into the Internet.

The corporate network boundary router (R1) filters traffic between the corporate network and the Internet using access control lists (ACLs). Hosts residing on the Internet are represented by servers with the addresses 30.0.0.10, 40.0.0.11 and 50.0.0.12.

Various Cisco routers, Cisco Catalyst 2900-series switches and hubs are used in the corporate network infrastructure. The structure of the corporate network corresponds to one of the Topologies depicted in the Appendix (it will be assigned by a teacher to every single group of students, together with the other design parameters). The ISP router and servers in the Internet are pre-configured and inaccessible to the students.

Design Requirements

Design the configuration of all networking devices (routers and switches), stations and network services running on Linux so that they comply with the requirements given below.


1. IP Addressing and L3 equivalent topology

Design and submit a sketch of the equivalent topology as seen by OSI RM Layer 3 protocols, which are not aware of VLANs. For the addressing plan, every student group will be given a public network prefix and the required number of stations on the individual segments of the corporate network. One of the corporate network segments may host a large number of external users; it uses a private address range that is hidden behind a limited number of public addresses by NAT on the corporate border router (R1).

The privately-addressed segment, its private address range and the number of public addresses in the NAT pool will be given to each student group by the teacher. The link between router R1 and the ISP uses the network address shown in the topology picture.

Divide the public address range of the corporate network into subnets using variable-length subnet masks (VLSM). Assign only the necessary number of addresses to each network segment and leave the remaining part of the public address range for potential growth of the corporate network. Remember that one subnet has to be reserved for the NAT pool when designing the addressing scheme.

Assign the lowest applicable address(es) on each subnet to the router interface(s) and the highest applicable address to the PC's interface. Write the addressing scheme into the original topology diagram of the corporate network and into your equivalent-topology diagram and submit both as PDF files. Summarize the addressing in a table in a separate PDF document. Every row of the table describes the addressing of one subnet: the network address, subnet mask, default gateway address(es), range of IP addresses available for stations and the broadcast address of the subnet.

Create the addressing scheme for IPv6 networks as well, using fixed /64 network mask based on the assigned IPv6 prefix.
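The VLSM procedure above (size each subnet to its demand, reserve one subnet for the NAT pool, give routers the lowest and the PC the highest usable address, keep the tail of the prefix free) carried out in code. This is an added example, not part of the assignment: the public prefix 58.196.1.0/24, the IPv6 prefix 2001:db8:1::/48, the segment demands and the pool size of 14 are constructed values standing in for the parameters the teacher hands out.

```python
"""VLSM addressing planner: an added example, not part of the assignment text.
The prefix, segment demands and pool size below are assumed values; the real ones
are handed out by the teacher."""
from ipaddress import ip_network
from math import ceil, log2

# Constructed demand table: segment -> (stations, router interfaces on that segment).
SEGMENTS = {
    "Sales LAN": (50, 2),
    "Dev LAN": (25, 1),
    "Server LAN": (10, 1),
    "R1-R2 link": (0, 2),
}
NAT_POOL_SIZE = 14      # public addresses reserved for the NAT pool (assumed)


def subnet_len(addresses):
    """Smallest IPv4 prefix length whose block holds `addresses` hosts plus network and broadcast."""
    return 32 - ceil(log2(addresses + 2))


def plan_vlsm(public_prefix, segments, nat_pool_size):
    """Carve `public_prefix` into subnets, largest demand first, so every subnet
    starts on its natural boundary and the unused tail stays contiguous for growth.
    The NAT pool is planned as one more subnet that has addresses but no gateway.
    Returns (rows, free_addresses)."""
    block = ip_network(public_prefix)
    demands = dict(segments)
    demands["NAT pool"] = (nat_pool_size, 0)
    order = sorted(demands, key=lambda n: (sum(demands[n]), n), reverse=True)
    cursor = int(block.network_address)
    rows = []
    for name in order:
        stations, routers = demands[name]
        net = ip_network((cursor, subnet_len(stations + routers)))
        if not net.subnet_of(block):
            raise ValueError(f"{public_prefix} exhausted while placing {name}")
        hosts = list(net.hosts())
        rows.append({
            "segment": name,
            "network": str(net.network_address),
            "mask": str(net.netmask),
            # lowest usable addresses go to the router interfaces ...
            "gateways": [str(h) for h in hosts[:routers]],
            # ... and the stations take the rest, the PC under test getting the highest one
            "stations": (str(hosts[routers]), str(hosts[-1])) if stations else None,
            "broadcast": str(net.broadcast_address),
        })
        cursor += net.num_addresses
    free = block.num_addresses - (cursor - int(block.network_address))
    return rows, free


def plan_ipv6(prefix6, rows):
    """Fixed /64 per segment, taken in the same order as the IPv4 rows."""
    subnets = ip_network(prefix6).subnets(new_prefix=64)
    return {row["segment"]: str(next(subnets)) for row in rows}


if __name__ == "__main__":
    rows, free = plan_vlsm("58.196.1.0/24", SEGMENTS, NAT_POOL_SIZE)
    v6 = plan_ipv6("2001:db8:1::/48", rows)
    for r in rows:
        print(f'{r["segment"]:<11} {r["network"]:<13} {r["mask"]:<16} gw={r["gateways"]} '
              f'hosts={r["stations"]} bcast={r["broadcast"]} v6={v6[r["segment"]]}')
    print(f"{free} addresses left for growth")
```

Allocating in decreasing size order is what keeps every block aligned without an explicit alignment step: once the largest block is placed at the start of the prefix, each smaller block size divides the running offset. The rows are exactly the columns the assignment asks for in the addressing table.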

RT1.1. VLANs

Configure host names on all routers and switches (using the hostname command). On all switches, configure trunk links and assign access ports to their VLANs. The VLAN numbers used in your corporate network will be given to you by the teacher. On all router and switch interfaces, configure IP addresses and a description stating where the interface is connected.

Configure IP addresses on all router's and PC's interfaces and activate them so that you may ping between all L3 interfaces on each segment.

RT1.2. Routing and NAT

The type of interior gateway protocol (IGP) used in the corporate network will be given as an assignment parameter to every group of students. It is either RIP version 2 or OSPF (in the latter case all routers belong to area 0).


All routers advertise all connected network segments into IGP. The boundary router R1 reaches the networks on the Internet using a static default route. Propagate the default route from R1 router to other routers of the corporate network via IGP.

Configure a dynamic NAT on R1 interface connected to the ISP router. The addresses of the private range will be translated to a range of public addresses reserved for the NAT pool. The size of the NAT pool will be given by a teacher.
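A dynamic NAT pool without overload hands each inside host a whole public address, so a segment with "a large number of external users" behind a small pool runs dry. The model below is an added example, not the assignment's configuration: the private segment 10.0.0.0/24 and the 14-address pool 58.196.1.97 to 58.196.1.110 are assumed, and the `overload=True` path stands in for the `overload` keyword of the IOS `ip nat inside source` command.

```python
"""Dynamic NAT pool model: an added example, not part of the assignment.
Pool, inside range and overload behaviour are assumptions chosen to show what
happens when the pool is smaller than the number of active inside hosts."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")                              # assumed private segment
POOL = [str(ip_address("58.196.1.97") + i) for i in range(14)]  # assumed pool .97-.110


class DynamicNat:
    """Mirrors 'ip nat inside source list <acl> pool <pool>': one inside host holds
    one pool address for as long as its translation lives. With overload=True the
    model behaves like the '... pool <pool> overload' form (PAT): every flow shares
    the first pool address and is told apart by a rewritten source port."""

    def __init__(self, pool, inside, overload=False):
        self.free = list(pool)
        self.inside = inside
        self.overload = overload
        self.table = {}          # inside local -> inside global (address, or (address, port))
        self.next_port = 1024

    def translate(self, src, sport):
        """Return (inside global address, source port), or None if the packet is dropped."""
        if ip_address(src) not in self.inside:
            return (src, sport)                      # not an inside local address: untouched
        if self.overload:
            key = (src, sport)
            if key not in self.table:
                self.table[key] = (self.free[0], self.next_port)
                self.next_port += 1
            return self.table[key]
        if src not in self.table:
            if not self.free:
                return None                          # pool exhausted: IOS drops the packet
            self.table[src] = self.free.pop(0)
        return (self.table[src], sport)

    def release(self, key):
        """Translation timed out (or 'clear ip nat translation'): free its pool address."""
        entry = self.table.pop(key)
        if not self.overload:
            self.free.append(entry)


def exhaust(nat, hosts):
    """Push one flow per inside host through `nat`; return (translated, dropped) counts."""
    results = [nat.translate(f"10.0.0.{h}", 40000 + h) for h in hosts]
    return sum(r is not None for r in results), sum(r is None for r in results)


if __name__ == "__main__":
    print(exhaust(DynamicNat(POOL, INSIDE), range(1, 21)))
    print(exhaust(DynamicNat(POOL, INSIDE, overload=True), range(1, 21)))
```

With twenty hosts and a pool of fourteen, the plain dynamic pool translates fourteen and drops six until a translation times out; the overloaded pool translates all twenty on one address. The assignment asks for the plain dynamic form, so size the pool (and the translation timeout) against the expected number of simultaneously active users.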

Configure remote access via Telnet on router R1 (use "cisco" as both the console password and the enable password). Note that Telnet carries this password in cleartext over the network.

Set default gateway correctly on all PCs.

RT2.1. DHCP server

Configure a DHCP server on the router specified by the teacher to lease addresses and provide network connection parameters (including the DNS server address) to stations on the given segment. Exclude addresses that are already in use on the segment from the lease range. If your assignment places the DNS server on the segment served by DHCP, configure the IP address of the DNS server manually.

RT2.2. DNS server

Configure a DNS server on the Linux PC specified by the teacher. The DNS server will map domain names for a subdomain of the isp.cz. domain whose name corresponds to the name of your company (given by the teacher). The domain name of the DNS server itself will be ns.<COMPANY_NAME>.isp.cz. The database of your DNS server will contain resource records translating the names of all corporate network router interfaces (excluding the interface facing the privately-addressed segment). The router interface names have the following structure:

I-<DASH-SEPARATED-INTERFACE-IP-ADDRESS>.<COMPANY_NAME>.isp.cz. (e.g. I58-196-1-10.mycompany.isp.cz)

Connect your DNS server into a DNS tree under .isp.cz. domain. The DNS server dns.isp.cz authoritative for .isp.cz. domain running on address 50.0.0.12 is preconfigured.

In addition to translating domain names to IP addresses, your DNS server also has to translate IP addresses from the public address range of your company to domain names. Configure PTR records for the reverse translation of all names for which you configured a name-to-address mapping. Attaching your DNS server to the correct subtree under the in-addr.arpa domain will be done by the administrator of your ISP.

The DNS server will be implemented on Linux using the BIND daemon and configured as recursive. As your testing topology is not connected to the Internet, set 50.0.0.12 as the address of the root name server.
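The forward and reverse data described in RT2.2 generated from an interface table, as an added example that is not part of the assignment. The company name mycompany, the server address 58.196.1.14, the interface table and the assumption that the public range is a /24 (so the reverse zone is 1.196.58.in-addr.arpa) are all constructed; the owner names follow the page's template with the dash after the leading I, which its own example omits.

```python
"""Forward and reverse zone generator for the corporate DNS: an added example,
not part of the assignment. Company name, addresses and interface table are
constructed; the page's router-name template 'I-<dash-separated IP>' is followed."""
from ipaddress import ip_address

COMPANY = "mycompany"                 # assumed
ZONE = f"{COMPANY}.isp.cz."           # our subdomain under isp.cz.
NS_ADDR = "58.196.1.14"               # assumed address of ns.<COMPANY>.isp.cz

# Constructed interface table: (router, interface, address, faces the private NAT'd segment?)
INTERFACES = [
    ("R1", "Fa0/0", "58.196.1.1", False),
    ("R1", "Fa0/1", "10.0.0.1", True),      # private side: gets no public DNS record
    ("R2", "Fa0/0", "58.196.1.65", False),
    ("R2", "Fa0/1", "58.196.1.129", False),
]


def interface_name(addr):
    """I-58-196-1-1.mycompany.isp.cz. for 58.196.1.1 (the page's naming rule)."""
    return "I-" + addr.replace(".", "-") + "." + ZONE


def forward_records(interfaces):
    """(owner, type, rdata) triples for the forward zone, apex SOA/NS excluded."""
    recs = [("ns." + ZONE, "A", NS_ADDR)]
    recs += [(interface_name(a), "A", a) for _, _, a, private in interfaces if not private]
    return recs


def reverse_records(records):
    """One PTR per A record; ipaddress builds the in-addr.arpa owner name."""
    return [(ip_address(a).reverse_pointer + ".", "PTR", owner)
            for owner, rtype, a in records if rtype == "A"]


def zone_text(origin, records, ttl=3600):
    """Render records as a BIND master file; SOA and NS at the apex make it loadable."""
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}",
             f"@ IN SOA ns.{ZONE} hostmaster.{ZONE} 2013111001 3600 900 1209600 {ttl}",
             f"@ IN NS ns.{ZONE}"]
    lines += [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fwd = forward_records(INTERFACES)
    print(zone_text(ZONE, fwd))
    print(zone_text("1.196.58.in-addr.arpa.", reverse_records(fwd)))
```

Deriving the PTR set from the A set is what keeps the two views consistent, which is exactly what the real-time test checks. The assignment makes this server both authoritative and recursive and the firewall policy exposes its port 53 to the Internet; in BIND, restricting `allow-recursion` to the corporate prefixes keeps it from acting as an open resolver for the outside while still answering authoritatively.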


RT2.3. Firewall Configuration - ACLs

Configure stateless packet filtering on the interface of router R1 connected to the ISP router using access control lists (ACLs). The security policy is specified below. The teacher will state which segments of your corporate network map to the segments formally denoted T and N in the policy specification.

1. Stations on segment T cannot access the Telnet server 40.0.0.11.

2. Stations on segment N are not allowed to use the WWW server 30.0.0.10; the rest of the network may access WWW servers on the Internet without restriction.

3. DNS requests to DNS servers on the Internet and their replies are passed through. DNS requests from the Internet to the corporate DNS and the corresponding replies are allowed only to the address of the corporate DNS server.

4. The stations and routers of the corporate network may ping (ICMP echo request) hosts on the Internet, but you do not want to endanger your corporate network by potential ping floods from the Internet (with the exception of the corporate DNS server, which has to respond to pings from the Internet). Hosts on the Internet may also ping the external interface of router R1.

5. Implement an anti-spoofing filter that drops all spoofed packets coming from the Internet whose source address falls into the (public or private) address range of your corporate network. Do not allow packets with a private source address to leak out of your corporate network (the reply would not be routable in the Internet anyway).

All traffic not listed above is denied. Do not forget to permit both directions of every specified traffic type.
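The policy above as two first-match rule lists with the semantics of IOS extended ACLs (an inbound list and an outbound list on the ISP-facing interface, implicit deny at the end, `established` meaning only "ACK or RST bit set"), evaluated against constructed packets. This is an added example, not the assignment's ACL: the corporate prefix 58.196.1.0/24, private segment 10.0.0.0/24, segments T and N, the DNS server 58.196.1.14 and R1's outside address 192.168.100.2 are assumptions; the three Internet servers are the ones the assignment names. Two IOS details shape the lists: inside-to-outside NAT runs before the outbound ACL, so private-segment stations already carry pool addresses when rule 5's leak check sees them, and packets R1 originates itself are not checked by an outbound ACL, so R1's own echo replies need no outbound entry.

```python
"""Stateless packet-filter model of the R1 policy: an added example, not part of
the assignment. Prefixes, segment T/N placement, the DNS server and R1's outside
address are assumed; the three Internet servers come from the assignment."""
from ipaddress import ip_address, ip_network

CORP_PUBLIC = ip_network("58.196.1.0/24")     # assumed public range (NAT pool included)
CORP_PRIVATE = ip_network("10.0.0.0/24")      # assumed private segment behind NAT
SEG_T = ip_network("58.196.1.64/26")          # assumed segment T
SEG_N = ip_network("58.196.1.128/26")         # assumed segment N
DNS_SRV = ip_network("58.196.1.14/32")        # assumed corporate DNS server
R1_EXT = ip_network("192.168.100.2/32")       # assumed R1 address on the private ISP link
TELNET_SRV = ip_network("40.0.0.11/32")
WWW_SRV = ip_network("30.0.0.10/32")
ANY = ip_network("0.0.0.0/0")
EPHEMERAL = (1024, 65535)
TELNET, WWW, DNS, ECHO_REPLY, ECHO = 23, 80, 53, 0, 8


def rule(action, proto, src, dst, sport=None, dport=None, established=False, icmp_type=None):
    """One extended-ACL entry; a port is an int (eq) or a (low, high) tuple (range)."""
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                established=established, icmp_type=icmp_type)


# 'ip access-group OUT out' on the ISP-facing interface (NAT has already run, R1's own
# packets bypass it).
OUTBOUND = [
    rule("deny", "ip", CORP_PRIVATE, ANY),                               # 5: private sources must not leak
    rule("deny", "tcp", SEG_T, TELNET_SRV, dport=TELNET),                # 1
    rule("permit", "tcp", CORP_PUBLIC, TELNET_SRV, dport=TELNET),        # 1: everyone else may (assumed reading)
    rule("deny", "tcp", SEG_N, WWW_SRV, dport=WWW),                      # 2
    rule("permit", "tcp", CORP_PUBLIC, ANY, dport=WWW),                  # 2: rest of the network, any WWW server
    rule("permit", "udp", CORP_PUBLIC, ANY, sport=EPHEMERAL, dport=DNS), # 3: queries to Internet DNS
    rule("permit", "udp", DNS_SRV, ANY, sport=DNS),                      # 3: our DNS answering the Internet
    rule("permit", "icmp", CORP_PUBLIC, ANY, icmp_type=ECHO),            # 4: we may ping out
    rule("permit", "icmp", DNS_SRV, ANY, icmp_type=ECHO_REPLY),          # 4: DNS server answers pings
]

# 'ip access-group IN in' on the same interface.
INBOUND = [
    rule("deny", "ip", CORP_PUBLIC, ANY),                                # 5: anti-spoofing
    rule("deny", "ip", CORP_PRIVATE, ANY),                               # 5: anti-spoofing
    rule("permit", "tcp", ANY, CORP_PUBLIC, established=True),           # replies to sessions we opened
    rule("permit", "udp", ANY, CORP_PUBLIC, sport=DNS, dport=EPHEMERAL), # 3: replies to our queries
    rule("permit", "udp", ANY, DNS_SRV, dport=DNS),                      # 3: queries only to our DNS server
    rule("permit", "icmp", ANY, CORP_PUBLIC, icmp_type=ECHO_REPLY),      # 4: replies to our pings
    rule("permit", "icmp", ANY, R1_EXT, icmp_type=ECHO_REPLY),           # 4: replies to R1's own pings
    rule("permit", "icmp", ANY, DNS_SRV, icmp_type=ECHO),                # 4: only the DNS server ...
    rule("permit", "icmp", ANY, R1_EXT, icmp_type=ECHO),                 # 4: ... and R1's outside interface
]


def _port_ok(spec, value):
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= value <= spec[1]
    return value == spec


def matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in r["src"] or ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if pkt["proto"] in ("tcp", "udp") and not (
            _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"])):
        return False
    # 'established' is not connection tracking: it only tests the ACK or RST bit.
    if r["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
        return False
    return True


def decide(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return "deny"


# Constructed packets: only the header fields the filter looks at.
def tcp(src, dst, dport, sport=40000, ack=False):
    return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport, ack=ack)


def udp(src, dst, dport, sport=40000):
    return dict(proto="udp", src=src, dst=dst, sport=sport, dport=dport)


def icmp(src, dst, icmp_type):
    return dict(proto="icmp", src=src, dst=dst, icmp_type=icmp_type)
```

Running the "example situations" of the real-time test through `decide` shows both what the policy achieves and where a stateless filter stops: an inbound SYN to port 23 is dropped, but the same segment with the ACK bit set matches `established` and is let through, which is why an ACK scan from the Internet still maps live hosts behind R1, and why unsolicited echo replies reach every corporate station. The assignment asks for ACLs, so this is the expected limit; `ip inspect` or a stateful firewall would be the next step outside the lab.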

The Work Organization, Submitting and Evaluation of the Project

Students will be divided into groups of 2 students. Every group will be given a single parametrized network design and configuration assignment to solve and test.

The same grade will be given to all members of the group who hand in the first part of the assignment or participate in the real-time test (members of the group not participating in the real-time test will not be assigned any points). The solution has to be provided in three parts: the first submitted by the deadline, the second and third practically tested in the labs specified in the schedule. The number of points that can be earned by fulfilling the individual assignment requirements is listed in the same documents.

If the deadline is missed or the group fails to demonstrate a part of the solution in a real-time test, no points can be given to the group for that part. See the web pages of the Computer Networks course for the minimal number of points that has to be reached to obtain credits.

The first part of the solution may be submitted by any member of the student group.

The real-time tests will take place during the labs. Each group will be given two separately graded subtasks from the tested part of the project with slightly modified parameters. Where possible for the given subtask, it may be solved in a virtualised environment. The tasks belonging to the real-time tests are labeled with the RT1 or RT2 prefix. You must not use any external materials during the real-time test.

The correctness of the solution will be checked on the following items:

• Configuration listings of all active networking devices, DNS and DHCP server.
• Configuration tables of individual VLANs on switches.
• OSI-RM layer 2 (e.g. CDP neighbours) and layer 3 neighbours.
• Result of a successful NAT translation (on both inside and outside interface).
• Routing protocol information on one of the Rx interfaces, the number of dynamic routes on all routers.
• Result of ping and traceroute commands directed to the ISP's server.
• Listing of (static) routes for IPv6 on Ry router interfaces.
• Result of address assignment from the DHCP server (including DHCP options).
• Test of normal and reverse DNS translation.
• Test of firewall rules for all example situations.


Appendix – Topologies of the Corporate Network


Topology A

Topology B


Topology C

Topology D


Topology E

Topology F


Topology G

Topology H
