
ET1505 PROJECT PRESENTATION

Diploma (Conversion) in Computer Networking


Singapore Polytechnic
17 April 2017 to 17 August 2017
Presentation slides created by Turritopsis Dohrnii Teo En Ming (Version 5).
DOCUMENT VERSION CONTROL

Version  Author                           Date                     Time                 Duration  Pages
1        Turritopsis Dohrnii Teo En Ming  21 July 2017 (Friday)    12.30 PM to 4.30 PM  4 hours   44
2        Turritopsis Dohrnii Teo En Ming  22 July 2017 (Saturday)  12.16 PM to 1.05 PM  1 hour    49
3        Turritopsis Dohrnii Teo En Ming  23 July 2017 (Sunday)    7:06 PM to 7:41 PM   35 mins   56
4        Dennis Chua Lee Boo              24 July 2017 (Monday)    1:24 PM to 1:37 PM   13 mins   63
5        Turritopsis Dohrnii Teo En Ming  31 July 2017 (Monday)    9:30 PM to 9:40 PM   10 mins   64
PASSWORDS

Mode        Password
Console     teoenming
Privileged  teoenming
PPP CHAP    teo-en-ming


NETWORK CONSULTANTS
Mr. Er Peh Nak
Mr. Dennis Chua Lee Boo
Mr. Turritopsis Dohrnii Teo En Ming (Zhang Enming) @ Time Traveller

GREEN MOUNTAIN TORTOISE LLP

ER PEH NAK, Network Consultant
DENNIS CHUA, Network Consultant
TURRITOPSIS DOHRNII TEO EN MING, Network Consultant
NETWORK TOPOLOGY DIAGRAM
VARIABLE LENGTH SUBNET MASK (VLSM) DESIGN

Host Addresses Required  Network Address  Subnet Mask      Max Hosts Possible  In Use (Yes/No)  Network Name
36+1                     223.0.0.0        255.255.255.192  62                  Yes              Research
18+1                     223.0.0.64       255.255.255.224  30                  Yes              Sales
14+1                     223.0.0.96       255.255.255.224  30                  Yes              Admin
10+1                     223.0.0.128      255.255.255.240  14                  Yes              Branch
5+1                      223.0.0.144      255.255.255.248  6                   Yes              Server
3+1                      223.0.0.152      255.255.255.248  6                   Yes              Management
2                        223.0.0.160      255.255.255.252  2                   Yes              Branch - Main
2                        223.0.0.164      255.255.255.252  2                   Yes              Border - Main
2                        223.0.0.168      255.255.255.252  2                   Yes              Admin - Border
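As an added worked example (not part of the original slides), the following Python carves the 223.0.0.0/24 block with the same largest-first VLSM rule and reproduces every row of the table above. The requirement list is copied from the table; the function names and the overlap check are this example's own.

```python
import ipaddress

# Host requirements copied from the VLSM table; "+1" is the router interface on
# each LAN, and the three point-to-point links need exactly two addresses.
REQUIREMENTS = [
    ("Research", 36 + 1), ("Sales", 18 + 1), ("Admin", 14 + 1),
    ("Branch", 10 + 1), ("Server", 5 + 1), ("Management", 3 + 1),
    ("Branch - Main", 2), ("Border - Main", 2), ("Admin - Border", 2),
]

def prefix_for(hosts):
    """Smallest prefix length whose usable addresses (2**n - 2) cover `hosts`."""
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def allocate(block, requirements):
    """Carve subnets out of `block` in the order given (largest first).

    Largest-first keeps every subnet on its own boundary; if the order is
    wrong, IPv4Network(strict=True) raises ValueError on the misaligned start.
    """
    cursor, plan = int(block.network_address), []
    for name, hosts in requirements:
        net = ipaddress.IPv4Network((cursor, prefix_for(hosts)))
        if not net.subnet_of(block):
            raise ValueError(f"{name} does not fit inside {block}")
        plan.append((name, str(net.network_address), str(net.netmask),
                     net.num_addresses - 2))
        cursor += net.num_addresses
    return plan

def plan_for(cidr, requirements=REQUIREMENTS):
    """Convenience wrapper: allocate `requirements` inside the block `cidr`."""
    return allocate(ipaddress.IPv4Network(cidr), requirements)

def overlaps(plan):
    """True if any two allocated subnets share an address (a VLSM design error)."""
    nets = [ipaddress.IPv4Network(f"{addr}/{mask}") for _, addr, mask, _ in plan]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    for row in plan_for("223.0.0.0/24"):
        print("{:<15} {:<12} {:<16} {}".format(*row))
```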


VLANs REQUIRED
1. VLAN 10: RESEARCH
2. VLAN 20: SALES
3. VLAN 30: SERVER FARM
4. VLAN 99: MANAGEMENT
CREATION OF VLANS

The same four VLANs are created on FLOOR3SW, FLOOR2SW and FLOOR1SW:

vlan 10
name Research
vlan 20
name Sales
vlan 30
name Server
vlan 99
name Management
VLAN TRUNKS

FLOOR3SW

int range f0/1-3


switchport mode trunk
switchport trunk allowed vlan 10,20,30,99

FLOOR2SW

int range f0/1-2


switchport mode trunk
switchport trunk allowed vlan 10,20,30,99

FLOOR1SW

int range f0/1-2


switchport mode trunk
switchport trunk allowed vlan 10,20,30,99
SWITCH PORT ASSIGNMENT
FLOOR3SW
Assignment of Ports to VLAN 10

int range f0/4-19


switchport mode access
switchport access vlan 10

Assignment of Ports to VLAN 20

int range f0/20-23


switchport mode access
switchport access vlan 20

Assignment of Ports to VLAN 99

int f0/24
switchport mode access
switchport access vlan 99
FLOOR2SW
Assignment of Ports to VLAN 10

int range f0/3-14


switchport mode access
switchport access vlan 10

Assignment of Ports to VLAN 20

int range f0/15-22


switchport mode access
switchport access vlan 20

Assignment of Ports to VLAN 99

int range f0/23-24


switchport mode access
switchport access vlan 99
FLOOR1SW
Assignment of Ports to VLAN 10

int range f0/3-10


switchport mode access
switchport access vlan 10

Assignment of Ports to VLAN 20

int range f0/11-16


switchport mode access
switchport access vlan 20

Assignment of Ports to VLAN 30

int range f0/17-21


switchport mode access
switchport access vlan 30

Assignment of Ports to VLAN 99

int range f0/22-24


switchport mode access
switchport access vlan 99
INTER-VLAN ROUTING
MAIN-BLDG-ROUTER

int g0/0
no ip add
no shut

int g0/0.10
encapsulation dot1Q 10
ip address 223.0.0.1 255.255.255.192

int g0/0.20
encapsulation dot1Q 20
ip address 223.0.0.65 255.255.255.224

int g0/0.30
encapsulation dot1Q 30
ip address 223.0.0.145 255.255.255.248

int g0/0.99
encapsulation dot1Q 99
ip address 223.0.0.153 255.255.255.248
OSPF
DYNAMIC ROUTING PROTOCOL
BRANCH-ROUTER
int lo 0
ip address 1.1.1.1 255.255.255.255

router ospf 50
network 223.0.0.129 0.0.0.0 area 0
network 223.0.0.161 0.0.0.0 area 0
MAIN-BLDG-ROUTER
int lo 0
ip address 2.2.2.2 255.255.255.255

router ospf 50
network 223.0.0.1 0.0.0.0 area 0
network 223.0.0.65 0.0.0.0 area 0
network 223.0.0.145 0.0.0.0 area 0
network 223.0.0.153 0.0.0.0 area 0
network 223.0.0.162 0.0.0.0 area 0
network 223.0.0.165 0.0.0.0 area 0
BORDER-ROUTER
int lo 0
ip address 3.3.3.3 255.255.255.255

router ospf 50
network 223.0.0.166 0.0.0.0 area 0
network 223.0.0.169 0.0.0.0 area 0
default-information originate
ADMIN-BLDG-ROUTER
int lo 0
ip address 4.4.4.4 255.255.255.255

router ospf 50
network 223.0.0.97 0.0.0.0 area 0
network 223.0.0.170 0.0.0.0 area 0
CONNECTION BETWEEN BORDER-ROUTER AND ISP ROUTER
DEFAULT STATIC ROUTE ON BORDER-ROUTER

ip route 0.0.0.0 0.0.0.0 200.200.100.1


STATIC ROUTE ON ISP ROUTER

ip route 223.0.0.0 255.255.255.0 200.200.100.2


INTERFACE CONFIGURATION ON ISP ROUTER

int s0/0/0
ip address 200.200.100.1 255.255.255.252

int g0/0
ip address 150.13.2.2 255.255.255.252
ACCESS CONTROL LISTS
ACL REQUIREMENT 1
1. Interpretation of requirements:
a. Everyone can access the internet
b. Upper half of the subnet address space cannot access FTP
2. Using named, extended ACL, place it as close to the source as
possible.
3. Lower half of the subnet address space:
223.0.0.97 to 223.0.0.111
4. Upper half of the subnet address space:
223.0.0.112 to 223.0.0.126
5. Binary representation of lower half address space (last octet):
0110 0001 (97)
0110 1111 (111)
6. Binary representation of upper half address space (last octet):
0111 0000 (112)
0111 1110 (126)
7. Hence the wildcard that will allow us to distinguish between the lower half and the upper half of the address space is:

0000 0000 . 0000 0000 . 0000 0000 . 0000 1111

or

0.0.0.15

ip access-list extended INTERNET_ACCESS

deny tcp 223.0.0.112 0.0.0.15 any eq ftp-data

deny tcp 223.0.0.112 0.0.0.15 any eq ftp

permit ip any any

deny ip any any


int g0/1
ip access-group INTERNET_ACCESS in
ACL REQUIREMENT 2: TIME-BASED ACL
time-range research-access-int-web
periodic weekdays 7:00 to 19:00

ip access-list extended TIME-BASED-ACL
permit tcp 223.0.0.0 0.0.0.63 host 223.0.0.146 eq 443 time-range research-access-int-web
permit tcp 223.0.0.0 0.0.0.63 host 223.0.0.146 eq www time-range research-access-int-web
deny tcp 223.0.0.0 0.0.0.63 host 223.0.0.146 eq 443
deny tcp 223.0.0.0 0.0.0.63 host 223.0.0.146 eq www
permit ip any any

int g0/0.10
ip access-group TIME-BASED-ACL in

To change the time manually on the MAIN-BLDG-ROUTER in order to test the time-based ACL, use the following Cisco IOS command:
clock set 12:00:00 Jul 12 2017
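Added example (not from the slides): a small Python model of IOS wildcard matching and top-down ACL evaluation, applied to both INTERNET_ACCESS (requirement 1) and TIME-BASED-ACL (requirement 2) exactly as written above. The tuple layout, the end-exclusive reading of "7:00 to 19:00", and the helper research_web_decision are this example's own assumptions, not IOS behaviour the slides state.

```python
import ipaddress
from datetime import datetime

ANY = ("0.0.0.0", "255.255.255.255")     # IOS "any": every bit ignored
WEEKDAYS_7_TO_19 = (7 * 60, 19 * 60)      # periodic weekdays 7:00 to 19:00, in minutes

# Entry layout (this example's own): (action, protocol, src_net, src_wildcard,
# dst_host or None, dst_port or None, time_range or None). Same order as the slides.
INTERNET_ACCESS = [
    ("deny", "tcp", "223.0.0.112", "0.0.0.15", None, 20, None),    # eq ftp-data
    ("deny", "tcp", "223.0.0.112", "0.0.0.15", None, 21, None),    # eq ftp
    ("permit", "ip", *ANY, None, None, None),
]
TIME_BASED_ACL = [
    ("permit", "tcp", "223.0.0.0", "0.0.0.63", "223.0.0.146", 443, WEEKDAYS_7_TO_19),
    ("permit", "tcp", "223.0.0.0", "0.0.0.63", "223.0.0.146", 80, WEEKDAYS_7_TO_19),
    ("deny", "tcp", "223.0.0.0", "0.0.0.63", "223.0.0.146", 443, None),
    ("deny", "tcp", "223.0.0.0", "0.0.0.63", "223.0.0.146", 80, None),
    ("permit", "ip", *ANY, None, None, None),
]

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return a & ~w == n & ~w

def in_time_range(when, time_range):
    """Mon-Fri between start and end minutes (end exclusive); None means always."""
    if time_range is None:
        return True
    start, end = time_range
    return when.weekday() < 5 and start <= when.hour * 60 + when.minute < end

def evaluate(acl, src, dst, proto, dport, when=None):
    """Walk the ACL top-down; the first matching entry wins and the implicit
    deny applies if nothing matches, which is why `permit ip any any` matters."""
    for action, e_proto, s_net, s_wc, d_host, d_port, trange in acl:
        proto_ok = e_proto in ("ip", proto)
        dst_ok = (d_host is None or dst == d_host) and (d_port is None or dport == d_port)
        if (proto_ok and dst_ok and wildcard_match(src, s_net, s_wc)
                and in_time_range(when, trange)):
            return action
    return "deny"

def research_web_decision(src, when_str):
    # Helper for this example: HTTP from `src` to the internal web server at
    # `when_str` ("YYYY-MM-DD HH:MM"), as TIME-BASED-ACL inbound on g0/0.10 sees it.
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M")
    return evaluate(TIME_BASED_ACL, src, "223.0.0.146", "tcp", 80, when)
```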
PROPAGATING DEFAULT ROUTE USING OSPF
The previous implementation used default static routes on the branch-router, main-bldg-router, border-router, and admin-bldg-router.

This is very time consuming to implement if there are many routers in the network.

Hence the solution is to use default-information originate on the BORDER-ROUTER and have it propagate the default route to the other routers using OSPF.
BORDER-ROUTER

router ospf 50
default-information originate

MAIN-BLDG-ROUTER

no ip route 0.0.0.0 0.0.0.0 223.0.0.166

ADMIN-BLDG-ROUTER

no ip route 0.0.0.0 0.0.0.0 223.0.0.169

BRANCH-ROUTER

no ip route 0.0.0.0 0.0.0.0 223.0.0.162


USING PPP AUTHENTICATION
There are only 2 serial connections: between branch-router and main-bldg-router, and between main-bldg-router and border-router.

We will use PPP CHAP authentication because the password is not sent in clear text: CHAP exchanges a hash of a challenge and the shared secret instead of the password itself.
BETWEEN BRANCH-ROUTER AND MAIN-BLDG-ROUTER
BRANCH-ROUTER

username MAIN-BLDG-ROUTER password teo-en-ming


int s0/0/0
encapsulation ppp
ppp authentication chap

MAIN-BLDG-ROUTER

username BRANCH-ROUTER password teo-en-ming


int s0/0/1
encapsulation ppp
ppp authentication chap
BETWEEN MAIN-BLDG-ROUTER AND BORDER-ROUTER
MAIN-BLDG-ROUTER

username BORDER-ROUTER password teo-en-ming


int s0/0/0
encapsulation ppp
ppp authentication chap

BORDER-ROUTER

username MAIN-BLDG-ROUTER password teo-en-ming


int s0/0/1
encapsulation ppp
ppp authentication chap
NETWORK TESTING
NETWORK DEVICE ASSIGNMENT

FIRST ROW FROM THE WHITEBOARD

S2: FLOOR1SW
S3: FLOOR2SW
S4: FLOOR3SW

R1: BRANCH-ROUTER
R2: MAIN-BLDG-ROUTER
R3: ADMIN-BLDG-ROUTER
R4: BORDER-ROUTER
R5: ISP ROUTER
PHYSICAL ASSIGNMENT

RESEARCH PC: FLOOR1SW, PORT 3

SALES PC: FLOOR2SW, PORT 15

INTERNAL WEB SERVER: FLOOR1SW, PORT 17

MANAGEMENT PC: FLOOR3SW, PORT 24

ADMIN PC: INTERFACE G0/1 OF ADMIN-BLDG-ROUTER

BRANCH PC: INTERFACE G0/0 OF BRANCH-ROUTER

INTERNET SERVER: INTERFACE G0/0 OF ISP ROUTER


TRUNK ASSIGNMENT

TRUNK 1: BETWEEN FLOOR1SW AND FLOOR2SW

TRUNK 2: BETWEEN FLOOR2SW AND FLOOR3SW

TRUNK 3: BETWEEN FLOOR1SW AND FLOOR3SW

TRUNK 4: BETWEEN FLOOR3SW AND MAIN-BLDG-ROUTER


1. INTERNET SERVER
IP Address: 150.13.2.1
Subnet Mask: 255.255.255.252
Gateway: 150.13.2.2
Installed with XAMPP, Apache or Microsoft IIS web server software.
2. INTERNAL WEB SERVER
IP Address: 223.0.0.146
Subnet Mask: 255.255.255.248
Gateway: 223.0.0.145
Installed with XAMPP, Apache or Microsoft IIS web server software.
3. ADMIN PC
IP Address: 223.0.0.98
Subnet Mask: 255.255.255.224
Gateway: 223.0.0.97
4. RESEARCH PC
IP Address: 223.0.0.2
Subnet Mask: 255.255.255.192
Gateway: 223.0.0.1
5. BRANCH PC
IP Address: 223.0.0.130
Subnet Mask: 255.255.255.240
Gateway: 223.0.0.129
6. SALES PC
IP Address: 223.0.0.66
Subnet Mask: 255.255.255.224
Gateway: 223.0.0.65
7. MANAGEMENT PC
IP Address: 223.0.0.157
Subnet Mask: 255.255.255.248
Gateway: 223.0.0.153
8. TESTING THE DHCP SERVER
ADMIN-BLDG-ROUTER# configure terminal
ADMIN-BLDG-ROUTER(config)# service dhcp
ADMIN-BLDG-ROUTER(config)# ip dhcp pool ADMIN-POOL
ADMIN-BLDG-ROUTER(dhcp-config)# network 223.0.0.96 255.255.255.224
ADMIN-BLDG-ROUTER(dhcp-config)# default-router 223.0.0.97
ADMIN-BLDG-ROUTER(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
ADMIN-BLDG-ROUTER(dhcp-config)# domain-name teo-en-ming.com
ADMIN-BLDG-ROUTER(dhcp-config)# lease 1 (1 day)
ADMIN-BLDG-ROUTER(config)# ip dhcp excluded-address 223.0.0.97
ADMIN-BLDG-ROUTER# show ip dhcp binding
REFERENCE: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/812-cisco-router-dhcp-config.html
9. TRANSITION FROM BLOCKING TO FORWARDING IN ZERO SECONDS
In each of the 3 switches, issue the following command:
spanning-tree portfast default
This works for access/edge ports only.
10. BPDUGUARD
When a rogue switch is connected to any of the 3 switches, the port in question will be shut down (placed in the err-disabled state) as soon as a BPDU is received on it.
Issue the following command in each of the 3 switches:
spanning-tree portfast bpduguard default
This applies BPDU guard to the PortFast-enabled (access/edge) ports.
TABLE 1 DEMO: ROUTING BETWEEN MAIN BUILDING VLANS

From VLAN/SW  To VLAN/SW  Protocol  Hosts              Pass/Fail
VLAN10/SW1    VLAN20/SW2  ICMP      Research - Sales   Pass
VLAN10/SW1    VLAN30/SW1  ICMP      Research - Server  Pass
VLAN10/SW1    VLAN99/SW3  ICMP      Research - Mgmt    Pass
VLAN20/SW2    VLAN10/SW1  ICMP      Sales - Research   Pass
VLAN20/SW2    VLAN30/SW1  ICMP      Sales - Server     Pass
VLAN20/SW2    VLAN99/SW3  ICMP      Sales - Mgmt       Pass
VLAN30/SW1    VLAN10/SW1  ICMP      Server - Research  Pass
VLAN30/SW1    VLAN20/SW2  ICMP      Server - Sales     Pass
VLAN30/SW1    VLAN99/SW3  ICMP      Server - Mgmt      Pass
VLAN30/SW1    VLAN10/SW1  ICMP      Mgmt - Research    Pass
VLAN30/SW1    VLAN20/SW2  ICMP      Mgmt - Sales       Pass
VLAN30/SW1    VLAN30/SW1  ICMP      Mgmt - Server      Pass
TABLE 2 DEMO: ACCESS OF ALL HOSTS TO EACH OTHER AND INTERNAL SERVER

From Host    To Host      Pass/Fail
Research PC  Sales PC     Pass
Research PC  Server       Pass
Research PC  Mgmt PC      Pass
Research PC  Admin PC     Pass
Research PC  Branch PC    Pass
Sales PC     Research PC  Pass
Sales PC     Server       Pass
Sales PC     Mgmt PC      Pass
Sales PC     Admin PC     Pass
Sales PC     Branch PC    Pass
Mgmt PC      Research PC  Pass
Mgmt PC      Sales PC     Pass
Mgmt PC      Server       Pass
Mgmt PC      Admin PC     Pass
Mgmt PC      Branch PC    Pass
Admin PC     Research PC  Pass
Admin PC     Sales PC     Pass
Admin PC     Server       Pass
Admin PC     Mgmt PC      Pass
Admin PC     Branch PC    Pass
Branch PC    Research PC  Pass
Branch PC    Sales PC     Pass
Branch PC    Server       Pass
Branch PC    Mgmt PC      Pass
Branch PC    Admin PC     Pass
TABLE 3 DEMO: BEHAVIOR OF INTER-NETWORK WHEN A SINGLE TRUNK FAILS

TRUNK 1: BETWEEN SW1 & SW2 LINK FAILED

From Host  To Host   Trunk Up/Down  Route              Pass/Fail
Research   Sales     down           trunk (SW1 - SW3)  Pass
Research   Server    down           trunk (SW1 - SW3)  Pass
Research   Mgmt      down           trunk (SW1 - SW3)  Pass
Sales      Research  down           trunk (SW1 - SW3)  Pass
Sales      Server    down           trunk (SW1 - SW3)  Pass
Sales      Mgmt      down           trunk (SW1 - SW3)  Pass
Server     Research  down           trunk (SW1 - SW3)  Pass
Server     Sales     down           trunk (SW1 - SW3)  Pass
Server     Mgmt      down           trunk (SW1 - SW3)  Pass
Mgmt       Research  down           trunk (SW1 - SW3)  Pass
Mgmt       Sales     down           trunk (SW1 - SW3)  Pass
Mgmt       Server    down           trunk (SW1 - SW3)  Pass

TRUNK 2: BETWEEN SW2 & SW3 LINK FAILED

From Host  To Host   Trunk Up/Down  Route              Pass/Fail
Research   Sales     down           trunk (SW1 - SW3)  Pass
Research   Server    down           trunk (SW1 - SW3)  Pass
Research   Mgmt      down           trunk (SW1 - SW3)  Pass
Sales      Research  down           trunk (SW1 - SW3)  Pass
Sales      Server    down           trunk (SW1 - SW3)  Pass
Sales      Mgmt      down           trunk (SW1 - SW3)  Pass
Server     Research  down           trunk (SW1 - SW3)  Pass
Server     Sales     down           trunk (SW1 - SW3)  Pass
Server     Mgmt      down           trunk (SW1 - SW3)  Pass
Mgmt       Research  down           trunk (SW1 - SW3)  Pass
Mgmt       Sales     down           trunk (SW1 - SW3)  Pass
Mgmt       Server    down           trunk (SW1 - SW3)  Pass

TRUNK 3: BETWEEN SW1 & SW3 LINK FAILED

From Host  To Host   Trunk Up/Down  Route                    Pass/Fail
Research   Sales     down           trunk (SW1 - SW2 - SW3)  Pass
Research   Server    down           trunk (SW1 - SW2 - SW3)  Pass
Research   Mgmt      down           trunk (SW1 - SW2 - SW3)  Pass
Sales      Research  down           trunk (SW1 - SW2 - SW3)  Pass
Sales      Server    down           trunk (SW1 - SW2 - SW3)  Pass
Sales      Mgmt      down           trunk (SW1 - SW2 - SW3)  Pass
Server     Research  down           trunk (SW1 - SW2 - SW3)  Pass
Server     Sales     down           trunk (SW1 - SW2 - SW3)  Pass
Server     Mgmt      down           trunk (SW1 - SW2 - SW3)  Pass
Mgmt       Research  down           trunk (SW1 - SW2 - SW3)  Pass
Mgmt       Sales     down           trunk (SW1 - SW2 - SW3)  Pass
Mgmt       Server    down           trunk (SW1 - SW2 - SW3)  Pass

TRUNK 4: BETWEEN SW3 AND MAIN-BLDG-ROUTER LINK FAILED

From Host  To Host   Trunk Up/Down  Route                    Pass/Fail
Research   Sales     down           trunk (SW1 - SW2 - SW3)  Fail
Research   Server    down           trunk (SW1 - SW2 - SW3)  Fail
Research   Mgmt      down           trunk (SW1 - SW2 - SW3)  Fail
Sales      Research  down           trunk (SW1 - SW2 - SW3)  Fail
Sales      Server    down           trunk (SW1 - SW2 - SW3)  Fail
Sales      Mgmt      down           trunk (SW1 - SW2 - SW3)  Fail
Server     Research  down           trunk (SW1 - SW2 - SW3)  Fail
Server     Sales     down           trunk (SW1 - SW2 - SW3)  Fail
Server     Mgmt      down           trunk (SW1 - SW2 - SW3)  Fail
Mgmt       Research  down           trunk (SW1 - SW2 - SW3)  Fail
Mgmt       Sales     down           trunk (SW1 - SW2 - SW3)  Fail
Mgmt       Server    down           trunk (SW1 - SW2 - SW3)  Fail
RECOMMENDATIONS FOR FUTURE NETWORK IMPROVEMENTS
RECOMMENDATION 1
Buying a block of static public IPv4 addresses for enterprise use can be very expensive. We recommend using private IP addresses for the internal network implementation in the future. XYZ Research company can then use a single public IP address. For all the workstations in the internal network to access the internet, we can implement Port Address Translation (PAT), also known as NAT Overload. To allow outside hosts to access internal servers, we can configure static NAT or port forwarding.
RECOMMENDATION 2
First Hop Redundancy Protocol (FHRP): Hot Standby Router Protocol (HSRP)
We recommend implementing HSRP so that there is router redundancy at the border. The first router will be the active forwarding router and the second router will be the standby router. When the active router fails, the standby router takes over. This type of redundancy ensures that there is an always-on connection to the internet.
RECOMMENDATION 3
We recommend using Cat 7 LAN cables.
CHALLENGES ENCOUNTERED
We realized that vlan 30 was not created on FLOOR2SW and FLOOR3SW. This is because we did not back up and restore vlan.dat on every switch. A VLAN is created on a switch when ports on that switch are assigned to it; when no port is assigned to a VLAN, that VLAN is not created on the switch. Either we manually create vlan 30 on FLOOR2SW and FLOOR3SW using the vlan 30 global configuration command, or we back up and restore vlan.dat in the flash storage area of every switch.
END OF PRESENTATION
Presentation slides created by Turritopsis Dohrnii Teo En Ming
from 12:30 PM to 4:30 PM for 4 hours on 21 JULY 2017 FRIDAY.
