Hello guys! One of my students sent this networking design task, and I would like you to learn from it, especially if you are planning to take the CCNA networking exam.
Case Study Scenario: RRB
You have been hired as a network engineer to design a new network for RRB, which is a thriving fashion company in New York City, United States of America, that has been using a third-party network for over a decade.
RRB has the following four departments within its main headquarters: Production (PD), Information Technology (IT), Customer Service (CS), and Marketing (MK). The senior management has decided to own its network infrastructure, including Local Area Network (LAN), Wide Area Network (WAN), and an external Server-Side location connected via appropriate WAN technology, prioritizing secure communication between the PD department and the external site. The server-side site will host DNS, WEB, and EMAIL servers.
You are required to achieve the following:
- Hierarchical Network Design Model (LAN)
- Subnetting (Design IP Addressing and Allocation)
- VLAN Configuration, VLAN Trunking 802.1Q, Inter-VLAN Routing
- DHCP Server, DNS Server, Web Server, Email Server
- Dynamic Routing Protocol Configuration using RIPv2 and OSPF
- User Privileges (Encrypted Passwords Configuration for Console, User, Privilege Exec Mode)
- Two Variations of Extended Access Control List (ACL)
- IPSec VPN Configuration
Note: This project was designed with a packet Tracer software however I have removed all videos and images relating to this piece of project design because a lot of you found it hard to understand
If you are planning to take the CCNA certification and want to know more about this project, kindly email me at email@example.com let’s fix a zoom tutorial session for you.
Proposed Network Design and Implementation.
A study by Hamid (2015) states that the possibility that every network is rated to be perfect and error-free is very minimal supposing it is subjected to proper expert analysis and evaluation of the attacker’s penetration capabilities. For a sample case study, RRB has the following four departments within its main headquarters:s Production (PD), Information Technology (IT), Customer Service (CS), and Marketing (MK). The senior management has decided to own its network infrastructure, including Local Area Network (LAN), Wide Area Network (WAN), and an external Server-Side location connected via appropriate WAN technology, prioritizing secure communication between the PD department and the external site. The server-side site will host DNS, WEB, and EMAIL servers.
The Layered Hierarchical Network Design.
Danilo (2018) states that the layered network design gives three conceptual layers of the network design and implementation to improve performance, security, and ease network maintenance (Danilo, 2018). These three layers include the core, distribution, and access layers that provide various and different functions in the layered architecture to achieve a specific network objective. These three layers provide a good understanding of building a high-performance, scalable, secure, and easy-to-manage network (Sinket, 2019). The figure below is the hierarchical network design for RRB.
Subnetting (Design IP Addressing and Allocation)
During IP address allocation, we allocated an IP address between the routers and multilayer switches, and in the respective departments after subnetting. The following is the addressing table we used.
Table 1: Between the Routers, Multilayer switches
|No.||Devices||Network Address & Subnet Mask||Usable Addresses||Broadcast Address|
|1||RRB-HQ-Router to RRB-MAIN-ISP-Router||220.127.116.11/30||190.200. 99.1 and 190.200. 99.2||190.200. 99.3|
|2||RRB-HQ-Router to RRB-BACKUP-ISP-Router||18.104.22.168/30||190.200. 99.5 and 190.200. 99.6||190.200. 99.7|
|3||RRB-SERVER-SIDE-Router to RRB-MAIN-ISP-Router||190.200. 99.8/30||190.200. 99.9 and 190.200. 99.10||190.200. 99.11|
|5||RRB- SERVER-SIDE-Router to RRB-BACKUP-ISP-Router||190.200. 99.12/30||190.200. 99.13 and 190.200. 99.14||190.200. 99.15|
|6||RRB-HQ-Router to RRB-MLSW1||192.168.5.224/30||192.168.5.225 and 192.168.1.226||192.168.5.227|
|7||RRB-HQ-Router to RRB-MLSW2||192.168.5.228/30||192.168.5.229 and 192.168.5.230||192.168.5.231|
Table 2: HQ Departments
|No.||Department||Network & Subnet Mask||Valid Host Addresses||Default Gateway||Broadcast Address|
|1||PD||192.168.5.0/26||192.168.5.1 to 192.168.5.62||192.168.5.1||192.168.5.63|
|2||CS||192.168.5.64/26||192.168.5.65 to 192.168.5.126||192.168.5.65||192.168.5.127|
|3||MK||192.168.5.128/26||192.168.5.129 to 192.168.5.190||192.168.5.129||192.168.5.191|
|4||IT||192.168.5.192/27||192.168.5.193 to 192.168.5.222||192.168.5.193||192.168.5.223|
Table 3: Server-Side Site
|No.||Branch||Network & IP Address||Valid Host Addresses||Default Gateway||Broadcast Address|
|1||Server-Side LAN||192.168.5.240/28||192.168.5.241 to 192.168.5.254||192.168.5.241||192.168.5.255|
For improved security and easy maintenance, each department within the RRB HQ network is in a different VLAN and assigned to a different subnet. By default, the devices in different VLANs will not communicate unless inter-VLAN communication is implemented. The following is a sample of the VLAN configuration and VLAN database in the switches.
VLAN Trunking (802.1Q)
To have VLAN traffic between the switches in the network, trunk links were used to facilitate this. The following are samples of VLAN Trunking configuration in the switches.
By default, the devices in different VLANs will not communicate unless inter-VLAN is implemented. During the configuration, the switch virtual interface (SVI) was used as the protocol for inter-VLAN routing. This creates VLAN interfaces and gives them IP addresses. The following are samples of inter-VLAN routing configuration in layer three devices.
All the host devices in the HQ network are allocated IPv4 addresses dynamically. The dedicated DHCP server at the server-side site was used as the DHCP server. The diagrams below show DHCP server configurations and evidence of automatic IPv4 assignment.
For domain name resolution, the DNS server was used in the network with the below configuration and evidence of resolution.
The web server in the network was configured with other HTML files as per our needs, and all the hosts can access the web pages. The following are samples of the results on the host’s devices.
To enable sending and receiving of mail in the network using SMTP and POP3 protocols, the email server was configured to facilitate this process. The following are samples of the configuration and results in the host’s devices.
Dynamic Routing Protocol Configuration- RIPv2 + OSPF
As routing protocols, OSPF and RIPv2 are used to advertise network routes and make it possible for networks to talk to each other. The following shows OSPF and RIPv2 configuration commands and output in the router.
Security is a very important milestone in network design and implementation. Therefore, user privileges were implemented in line with console user and privileged exec modes. Both line console and privileged exec mode are protected using passwords, and all these passwords are encrypted. The console port is mainly used for local system access using a console terminal. By default, the console port does not require a password for console administrative access. However, you should always configure a console port line-level password. The enable password is used to secure privilege mode. The command “show running-configuration” will show this password in clear text unless the service password-encryption password is used. The diagrams show sample configuration results in the devices in the network.
Access Control Lists
Pluralsight (2019) says that ACLs are network filters that routers and some switches use to let data into and out of network interfaces or stop it. When an ACL is configured on an interface, the network device analyzes the data passing through the interface, compares it to the criteria described in the ACL, and either permits the data to flow or prohibits it. To enhance security, ACLs were used to filter traffic based on a set of rules set.
(a). Extended ACL: To implement secure communication between the RRB HQ network and the server-side network, the first access control list was implemented together with site-to-site VPN in HQ and Server-side routers.
(b). Standard ACL: The second ACL was implemented in the line VTY interfaces of the HQ-router to allow only the IT department to SSH to the router.
According to GeeksforGeeks (2020), Virtual Private Networks or VPNs allow network users to access a private network over the Internet securely and privately. The VPN technology will tend to create an encrypted connection called a VPN tunnel, and all Internet traffic and communication is passed through this secure tunnel. Therefore, the IPsec VPN will provide secure internet communication over the IP network. IPsec will protect the IP communication by verifying the session and encrypting all data packets during the communication.
For security on our network, a site-to-site VPN was set up between the HQ and server-side routers to make sure that the HQ network and the servers could talk to each other safely. This implementation will ensure that all traffic between the headquarters and the server-side networks is encrypted and unreadable by sniffers. The implemented ACL species has a rule allowing only the HQ subnets to have secure communication with the servers.
The diagrams below show a sample IPsec VPN configuration plus an indication of unencrypted and encrypted traffic.
The proposed RRB network will ensure better performance, redundancy, scalability, and security implementation principles to the overall company network and security systems when all the required expectations are implemented as explained in the above discussion. The proposed network will ensure that the company achieves a greater milestone in the better market leads in terms of connecting the company to a more robust, reliable, high-performing, and secured network.