Design enterprise network.
design of your enterprise environment.
This package should include the following (at a minimum):
1. Word document/s describing each element of your design. Provide detailed information, the justification for your design decisions, and areas of consideration.
2. Spreadsheet/s detailing your servers, network devices, etc with all critical information for maintaining and accessing the devices.
3. Visio or equivalent diagrams showing your various site design data and layouts.
4. Document and/or spreadsheet detailing Active Directory Group Policy.
5. An implementation schedule to complete your enterprise design.
6. A PowerPoint or equivalent presentation that you will make to your instructor, prior to beginning your work.
Designing and building a two-tier campus network architecture is much like a three-tier hierarchical design, and it maximises performance, network availability and the ability to scale the network design. It is common in campus networks for the aggregation (distribution) layer to be merged with the core layer to create a fully functional network for a modest-sized campus.
However, many small enterprise networks do not grow significantly larger over time. Consequently, a two-tier hierarchical design, where the core and distribution layers are collapsed into one layer, is often more practical. A "collapsed core" is when the distribution-layer and core-layer functions are implemented by a single device. The primary motivation for the collapsed-core design is reducing network cost while retaining most of the advantages of the three-tier hierarchical model.
To design and build a two-tier campus network architecture, various considerations must be taken into account. A key head start is to identify the driver for choosing to build a two-tier campus network architecture.
Could it be a preferred design, or one which you know works well and is easily maintained? Perhaps you ended up working in an environment whose design was tightly tailored to the two-tier collapsed-core hierarchy.
Before we get into designing and building our two-tier campus network architecture, note that this article could end up being a series, as the content is extensive. If you are already familiar with the background to hierarchical design, scroll down to the configuration for the individual layers.
Configuration – Design and Build a two-tier campus network architecture – WAN Layer
I like to work from the outside in, for many reasons, one of which is the ability to test connectivity to the Internet as I gradually work inward through the WAN and LAN networks.
In this article I shall begin by breaking the network topology down into three important parts.
Step 1: Test Connectivity to the Internet through the ISP Router
It makes sense to ensure that the ISP router is working as required and delivering Internet access at the expected speeds before you begin any work.
Step 2: Identify Interfaces on the Firewall
Identify the interface dedicated to your LAN network.
Identify the interface dedicated to your DMZ network – I will not be doing a lot of work on this zone, but once you have understood the concept it translates easily into working on a zone like the DMZ.
Identify the interface dedicated to your WAN network.
What is the purpose of interfaces on a firewall?
Traffic must pass through the firewall in order for the firewall to manage and control where it is allowed to go. The destination could be another zone or network segment, or the traffic may be dropped because it is rogue. Technically, traffic enters and leaves the firewall through interfaces. The firewall decides how to act on a packet based on whether the packet matches a security policy rule; on the ASA that means the security levels of the ingress and egress interfaces plus any access-list bound to them. At the most basic level, every security policy rule must identify where the traffic came from and where it is going.
Configure Interfaces on the Firewall
In figure 1.2 above there are three zones clearly indicated on the firewall. The WAN zone has an interface to the ISP router, the DMZ zone an interface to the DMZ server, and the LAN zone an interface to the core switch that fronts the access layer.
Let’s Configure the WAN Layer Device – ASA 5506-X Firewall Configuration
Configure Inside Interface on Cisco ASA Firewall
!
interface GigabitEthernet1/1
description "Downlink to CoreSwitch"
nameif inside
security-level 100
ip address 10.100.100.1 255.255.255.0
!
Configure Outside Interface on Cisco ASA Firewall
!
interface GigabitEthernet1/8
description "Outside Interface to BT ISP"
nameif outside
security-level 0
ip address 192.168.1.100 255.255.255.0
!
DMZ Interface on Cisco ASA Firewall (left shut down in this build: no nameif, security level or address is assigned, so the DMZ zone exists only in the diagram until this interface is configured)
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
Configure DNS
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.1
name-server 8.8.8.8
name-server 8.8.4.4
!
Configure Same-Security Traffic – permit inter-interface allows traffic between two interfaces that share the same security level, and permit intra-interface allows traffic to enter and leave the same interface (hairpinning). With only one interface at each security level in this build neither is strictly required; enable them only if a second inside-level interface or a hairpinned VPN is planned.
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
Configure Access Lists to Permit Pings and Echo Replies. As shown, neither list is bound to an interface with access-group, so they have no effect yet. Because inspect icmp is enabled in the global policy below, replies to pings initiated from inside are already permitted statefully, so a blanket permit icmp any any applied inbound on the outside interface would be broader than the design needs.
!
access-list 100 extended permit icmp any any
access-list from_outside extended permit icmp any any echo
!
Configure Network Address Translation – dynamic PAT of all inside sources to the outside interface address. Note that the outside interface (192.168.1.100) is itself a private address on the ISP router's LAN, so the ISP router performs a second translation to the public IP; the ASA is not translating directly to a routable public address.
!
nat (inside,outside) after-auto source dynamic any interface
!
Configure Routing for the Outside and Inside Networks – See a simplified rule in figure 1.2. The default route points at the ISP router and the three static routes send the building subnets to the core switch at 10.100.100.2. The server VLAN the core terminates (10.10.10.0/24, where the DHCP server 10.10.10.40 lives) has no route here, so the ASA could only reach it via the default route to the ISP; it needs its own route inside 10.10.10.0 255.255.255.0 10.100.100.2.
!
route outside 0.0.0.0 0.0.0.0 192.168.1.254
route inside 172.16.70.0 255.255.255.0 10.100.100.2
route inside 172.16.71.0 255.255.255.0 10.100.100.2
route inside 172.16.80.0 255.255.255.0 10.100.100.2
!
Configure Web Access (ASDM) to the ASA. http 0.0.0.0 0.0.0.0 inside allows every inside host to reach the management service; restrict it to a management subnet, and never open it on the outside interface.
!
http server enable
http 0.0.0.0 0.0.0.0 inside
!
Configure the following parameters. The dhcprelay lines as shown have no dhcprelay server statement and therefore relay nothing; in this design DHCP relay is done by the core switch's ip helper-address 10.10.10.40 on each SVI. The remaining lines are the ASA's default inspection policy, which includes inspect icmp (stateful handling of ping replies) and inspect dns.
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
: end
ciscoasa#
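The following Python script is an added example, not part of the original article, that applies three checks a reviewer would run against the ASA configuration above: every subnet the core switch terminates should have a static route on the ASA (otherwise the ASA can only reach it via the default route to the ISP), every access-list should be bound to an interface with access-group (an unbound ACL filters nothing), and management services should not be open from 0.0.0.0/0. ASA_CONFIG is a constructed excerpt of the page's config, and CORE_SVI_SUBNETS is taken from the SVIs of the core switch configuration later on the page.

```python
"""Static review of the Cisco ASA running-config shown on this page.

Added example, not part of the original article.  ASA_CONFIG is a
constructed excerpt of the page's firewall configuration; CORE_SVI_SUBNETS
is taken from the SVIs of the core switch configuration later on the page.
The three checks encode assumptions about what this design intends:
  * every subnet the core terminates needs a static route on the ASA,
  * an access-list only filters traffic once bound with access-group,
  * management services should not be reachable from 0.0.0.0/0.
"""
import ipaddress
import re

ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
interface GigabitEthernet1/8
 nameif outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0
access-list 100 extended permit icmp any any
access-list from_outside extended permit icmp any any echo
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.1.254
route inside 172.16.70.0 255.255.255.0 10.100.100.2
route inside 172.16.71.0 255.255.255.0 10.100.100.2
route inside 172.16.80.0 255.255.255.0 10.100.100.2
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

# Subnets terminated as SVIs on the core switch (from its "vlan ... ip address" lines).
CORE_SVI_SUBNETS = [
    "10.100.100.0/24",  # vlan 333, transit link to the ASA (connected, not routed)
    "10.10.10.0/24",    # vlan 400, server network with the DHCP server
    "172.16.70.0/24",   # vlan 700, Building 700 data
    "172.16.71.0/24",   # vlan 701, Building 700 voice
    "172.16.80.0/24",   # vlan 800, Building 800
]


def interface_networks(config):
    """Map nameif -> directly connected network, read from interface stanzas."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            nets[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def static_routes(config, nameif):
    """Networks reached through `nameif` via 'route <nameif> net mask gw' lines."""
    pattern = rf"^route {nameif} (\S+) (\S+) \S+$"
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in re.findall(pattern, config, re.M)]


def missing_inside_routes(config, inside_subnets, nameif="inside"):
    """Inside subnets the ASA can reach neither as a connected network nor via a
    static route; traffic to them would follow the default route to the ISP."""
    known = static_routes(config, nameif) + list(interface_networks(config).values())
    return [s for s in inside_subnets if ipaddress.ip_network(s) not in known]


def unbound_access_lists(config):
    """ACL names defined by access-list lines but never applied with access-group."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    bound = set(re.findall(r"^access-group (\S+) ", config, re.M))
    return sorted(defined - bound)


def open_management(config):
    """(service, interface) pairs where http/ssh/telnet is allowed from 0.0.0.0/0."""
    return re.findall(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)


if __name__ == "__main__":
    print("inside subnets with no route:", missing_inside_routes(ASA_CONFIG, CORE_SVI_SUBNETS))
    print("ACLs never applied:", unbound_access_lists(ASA_CONFIG))
    print("management open from any address:", open_management(ASA_CONFIG))
```

Run against the excerpt, the script reports the server VLAN 10.10.10.0/24 as unrouted, both ACLs (100 and from_outside) as never applied, and ASDM access open to every inside host. Feed it the output of show running-config from the real device to repeat the review after each change.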
Access Switch #1 (Building 700). Note that ip routing together with a default route lets this access switch route between its own VLAN 700 and 701 SVIs for any host that points its gateway at 172.16.70.4, bypassing the core; in a collapsed-core design the access switch only needs an SVI address and a default route for management, and inter-VLAN routing belongs on the core.
Access-Switch# show run
Running configuration:
hostname "Access-Switch"
ip route 0.0.0.0 0.0.0.0 172.16.70.254
ip routing
interface 47
name "Uplink to Core Switch 172.16.71.2"
exit
vlan 700
name "Building 700 Data Network"
untagged 1-40
tagged 47
ip address 172.16.70.4 255.255.255.0
exit
vlan 701
name "Building 700 Voice Network"
untagged 47
tagged 1-40
ip address 172.16.71.4 255.255.255.0
qos dscp 101110
voice
exit
Configuring the Access Switch in Building 800
Configure IP Routing and a Static Route to the Core Switch's VLAN 800 SVI
hostname "Building-800-Switch"
ip route 0.0.0.0 0.0.0.0 172.16.80.254
ip routing
Configuring VLAN 800 (port 47 is the uplink trunk connecting to the core switch)
vlan 800
name "Building-800-Network"
untagged 1-46
tagged 47
ip address 172.16.80.2 255.255.255.0
exit
Note that this switch tags VLAN 800 on its uplink, whereas the core switch configuration below carries VLAN 800 untagged on port 45 and tagged only on port 47 (the port that also carries the untagged VLAN 333 link to the ASA). Both ends of the Building 800 uplink must agree on whether VLAN 800 is tagged or untagged, otherwise the building's frames are dropped or land in a different VLAN.
Core Switch
ArubaCoreSwitch# show run
Running configuration:
hostname "ArubaCoreSwitch"
ip route 0.0.0.0 0.0.0.0 10.100.100.1
ip route 172.16.71.0 255.255.255.0 172.16.71.4
ip routing
Create VLANs and SVIs for the respective broadcast domains in the access layer. (The static route above for 172.16.71.0/24 via 172.16.71.4 is redundant: the core terminates that subnet itself on the VLAN 701 SVI at 172.16.71.2, so the connected route already covers it.)
vlan 333
name "Uplink Layer 3 Terminate"
untagged 47
ip address 10.100.100.2 255.255.255.0
exit
vlan 400
name "Server Network"
untagged 36
ip address 10.10.10.1 255.255.255.0
exit
vlan 700
name " Building 700 Data"
tagged 47-48
ip address 172.16.70.254 255.255.255.0
ip helper-address 10.10.10.40
exit
vlan 701
name "Building 700 Voice"
untagged 48
tagged 47
ip address 172.16.71.2 255.255.255.0
ip helper-address 10.10.10.40
qos dscp 101110
voice
exit
vlan 800
name "Building 800 Network"
untagged 45
tagged 47
ip address 172.16.80.254 255.255.255.0
ip helper-address 10.10.10.40
exit
2-Tier Network Architecture
How the Network Design Finally Evolves
Access Switch with 2 VLANs
Data VLAN Configuration
vlan 700
name "Building 700 Data Network"
tagged 47
untagged 1-40
ip address 172.16.70.4 255.255.255.0
exit
Voice VLAN Configuration
Access-Switch(config)# show run vlan 700,701
Running configuration:
vlan 701
name "Building 700 Voice Network"
tagged 1-40
untagged 47
ip address 172.16.71.4 255.255.255.0
qos dscp 101110
voice
exit
On Core Switch
ArubaCoreSwitch# show run vlan 701
Running configuration:
vlan 701
name "Building 700 Voice"
tagged 47
untagged 48
ip helper-address 10.10.10.40
ip address 172.16.71.2 255.255.255.0
qos dscp 101110
voice
exit
ArubaCoreSwitch#
On Access Switch
Uplink to Core
Access-Switch(config)# show run int 47
Running configuration:
interface 47
name "Uplink to Core Switch 172.16.71.2"
tagged vlan 700
untagged vlan 701
exit
Typical Switchport Interface Configuration
Access-Switch(config)# show run int 12
Running configuration:
interface 12
tagged vlan 701
untagged vlan 700
exit
Access-Switch(config)#
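The script below is an added example, not from the original article, that parses the ProCurve-style vlan / tagged / untagged stanzas shown above into a per-port membership table and compares both ends of an uplink, which is the check behind the uplink and switchport configurations just shown. The page does not state which core port each access-switch uplink is cabled to, so the two links in LINKS are assumptions: Building 700 port 47 to core port 48 (consistent, since both carry VLAN 701 untagged and VLAN 700 tagged) and Building 800 port 47 to core port 45 (inconsistent, since the access switch tags VLAN 800 but the core expects it untagged). The configs embedded in the script are constructed excerpts of the ones on this page.

```python
"""Trunk tagging consistency check for the ProCurve/Aruba configs on this page.

Added example, not part of the original article.  ACCESS_700, ACCESS_800 and
CORE are constructed excerpts of the page's configs.  The page does not say
which core port each uplink is cabled to, so the pairs in LINKS are
ASSUMPTIONS chosen to show one consistent and one inconsistent uplink.
"""
import re
from collections import defaultdict

ACCESS_700 = """\
hostname "Access-Switch"
vlan 700
   untagged 1-40
   tagged 47
   exit
vlan 701
   untagged 47
   tagged 1-40
   exit
"""

ACCESS_800 = """\
hostname "Building-800-Switch"
vlan 800
   untagged 1-46
   tagged 47
   exit
"""

CORE = """\
hostname "ArubaCoreSwitch"
vlan 333
   untagged 47
   exit
vlan 400
   untagged 36
   exit
vlan 700
   tagged 47-48
   exit
vlan 701
   untagged 48
   tagged 47
   exit
vlan 800
   untagged 45
   tagged 47
   exit
"""

# (label, config A, port on A, config B, port on B): ASSUMED cabling.
LINKS = [
    ("Building 700 uplink", ACCESS_700, 47, CORE, 48),
    ("Building 800 uplink", ACCESS_800, 47, CORE, 45),
]


def expand_ports(spec):
    """ProCurve port-list syntax: '1-40,47' -> {1, 2, ..., 40, 47}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def port_vlans(config):
    """Invert 'vlan N / tagged|untagged <ports>' stanzas (membership is declared
    per VLAN) into port -> {'untagged': vlan or None, 'tagged': set of vlans}."""
    table = defaultdict(lambda: {"untagged": None, "tagged": set()})
    vlan = None
    for line in config.splitlines():
        line = line.strip()
        head = re.match(r"^vlan (\d+)$", line)
        member = re.match(r"^(untagged|tagged) (\S+)$", line)
        if head:
            vlan = int(head.group(1))
        elif vlan is not None and member:
            for port in expand_ports(member.group(2)):
                if member.group(1) == "tagged":
                    table[port]["tagged"].add(vlan)
                else:
                    table[port]["untagged"] = vlan
        elif line == "exit":
            vlan = None
    return table


def port_modes(config, port):
    """vlan -> 'tagged' | 'untagged' for a single port."""
    entry = port_vlans(config)[port]
    modes = {v: "tagged" for v in entry["tagged"]}
    if entry["untagged"] is not None:
        modes[entry["untagged"]] = "untagged"
    return modes


def link_mismatches(cfg_a, port_a, cfg_b, port_b):
    """VLANs whose tagging differs across the two ends of one link.  A VLAN tagged
    on one end and untagged on the other is the classic cause of dropped frames
    or traffic landing in the wrong broadcast domain."""
    modes_a, modes_b = port_modes(cfg_a, port_a), port_modes(cfg_b, port_b)
    problems = []
    for vlan in sorted(modes_a.keys() | modes_b.keys()):
        a, b = modes_a.get(vlan, "absent"), modes_b.get(vlan, "absent")
        if a != b:
            problems.append(f"VLAN {vlan}: {a} on port {port_a} vs {b} on port {port_b}")
    return problems


if __name__ == "__main__":
    for label, cfg_a, pa, cfg_b, pb in LINKS:
        print(label, "->", link_mismatches(cfg_a, pa, cfg_b, pb) or "consistent")
```

Once the real cabling is known, replace the assumed pairs in LINKS with the actual port numbers and run the check after every VLAN change on either switch; the same port_vlans table also shows at a glance which ports carry the untagged VLAN 333 transit link to the ASA alongside tagged user VLANs.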