DESIGN AND IMPLEMENTATION OF TACACS+ ON A SCALABLE ENTERPRISE BASED IP NETWORK




DESIGN AND IMPLEMENTATION OF TACACS+
ON A SCALABLE ENTERPRISE BASED IP NETWORK

A Project

Presented to the faculty of the Department of Computer Science
California State University, Sacramento

Submitted in partial satisfaction of the requirements for the degree of

MASTER OF SCIENCE

in

Computer Science

by

Aejazuddin Farooqui

FALL 2012




DESIGN AND IMPLEMENTATION OF TACACS+
ON A SCALABLE ENTERPRISE BASED IP NETWORK

A Project

by

Aejazuddin Farooqui

Approved by:

__________________________________, Committee Chair
Dr. Jinsong Ouyang

__________________________________, Second Reader
Dr. Chung-E Wang

____________________________
Date






Student: Aejazuddin Farooqui

I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the project.

__________________________, Graduate Coordinator        ___________________
Dr. Nichrouz Faroughi                                   Date

Department of Computer Science




Abstract

of

DESIGN AND IMPLEMENTATION OF TACACS+
ON A SCALABLE ENTERPRISE BASED IP NETWORK

by

Aejazuddin Farooqui



As corporate offices become geographically distributed, securing and managing networks has become increasingly challenging. These offices forward highly confidential, mission- and business-critical data between different sites and require a high degree of network security from all possible aspects. As more sites converge, careful design and planning must occur to assure that the quality, reliability and security of the network are not affected.

This project proposes a scalable TACACS+ architecture that can be implemented by universities, enterprises and Internet Service Providers. The proposed architecture facilitates easy integration of network domains and centralized manageability to provide Authentication, Authorization and Accounting (AAA) services for establishing network connectivity to multivendor network elements. It also resolves two identified major issues: first, long end-to-end round-trip delay for network user authentication, and second, lack of centralized manageability, leading to unauthorized user access regardless of job function.

These two issues are addressed in two project phases. The first phase involves creating a prototype of an enterprise based end-to-end IP network. This prototype is designed and deployed with two sites represented as regional sites in different Autonomous Systems (AS). The second phase involves deployment of a centralized TACACS+ environment.

The proposed project is implemented using Cisco networking appliances. With the successful implementation of these phases, a secure and centralized TACACS+ model was deployed with one single point providing global administration. To compare network performance during different time periods, a pre-production ACS server is deployed in a regional GAR site in Penang to provide AAA services. The average performance during peak time is improved by 87.1% and the average performance during off-peak time is improved by 89.2%. Secondly, the average hop count for devices in Penang, where the AAA server is actually integrated, is improved by 75%, and the average hop count for devices in other sub-regions is improved by ~50%. Finally, with a hierarchical IP network design the end-to-end authentication request and response messages are confined to dedicated slaves in dedicated regional domains, hence greatly reducing noise on the network core layer.

_______________________, Committee Chair
Dr. Jinsong Ouyang

_______________________
Date




ACKNOWLEDGEMENTS

I would like to thank my supervisors Prof. Dr. Jinsong Ouyang and Prof. Dr. Martin Nicholes for allowing me to work on this project in the office laboratory. I would like to thank my second reader Prof. Dr. Chung-E Wang for being willing to review my project. I would like to thank my colleagues Jeff Lee and Brent Anderson for providing the resources I needed in the lab to accomplish this project. More importantly, I am indebted for the encouragement and inspiration that Prof. Ouyang and Prof. Nicholes have provided to me. I learnt a lot of theoretical and practical concepts during this project. It not only enhanced my knowledge in network security, but also in terms of project scoping, project execution, demonstration of results, documentation, and successful project fulfillment. Once again, I would like to thank Prof. Ouyang and Prof. Nicholes for all the help and motivation and would like to share with them the credit for the fulfillment of this project.

I would also like to thank Prof. Dr. Cui Zhang for providing valuable information through Research Methodology on preparing for the Master Project and Thesis, especially how to recognize plagiarism.

Last, but not the least, I would like to thank my wife Uzma for providing me all support since the beginning of my master's course.

My best regards to all the people mentioned above. Further information on topics covered in this project can be obtained from the Cisco Systems documentation website http://www.cisco.com/univercd.




TABLE OF CONTENTS

                                                                        Page
Acknowledgements .......................................................... vi
List of Tables ............................................................. x
List of Figures .......................................................... xii

Chapter
1. INTRODUCTION ............................................................ 1
   1.1 Access Control System .............................................. 2
   1.2 What Is TACACS+? ................................................... 3
       1.2.1 Authentication ............................................... 3
       1.2.2 Authorization ................................................ 4
       1.2.3 Accounting ................................................... 4
   1.3 Scope Of The Project ............................................... 5
2. PROTOTYPE OF AN ENTERPRISE BASED IP NETWORK ............................. 6
   2.1 Hierarchical Network Design ........................................ 6
   2.2 IP Addressing ...................................................... 7
   2.3 Hardware & IOS .................................................... 10
   2.4 Implementation Of Distribution Layer At Site1 ..................... 10
   2.5 Implementation Of Access Layer At Site1 ........................... 16
   2.6 Implementation Of Core Layer At Site1 ............................. 23
   2.7 Configuring EIGRP ................................................. 31
   2.8 Implementation Of Core Layer at Site2 ............................. 42
   2.9 Integration Of Site1 and Site2 Using WAN Links .................... 43
3. DEPLOYMENT OF CENTRALIZED TACACS+ ENVIRONMENT .......................... 55
   3.1 Installing Master And Slave TACACS+ Servers ....................... 58
   3.2 Building Master Server And Replicating To Slave Server ............ 59
       3.2.1 Creating Network Device Groups .............................. 60
       3.2.2 Creating User Groups ........................................ 62
       3.2.3 Creating Users .............................................. 62
       3.2.4 Replicating Database ........................................ 63
       3.2.5 Master Setup ................................................ 63
       3.2.6 Slave Setup ................................................. 64
       3.2.7 Configuring Site1 and Site2 Network Devices With TACACS+ .... 66
       3.2.8 Testing For PASSED Authorization To Network Devices ......... 69
       3.2.9 Testing For FAILED Authorization To Network Devices ......... 73
       3.2.10 Round Trip Delay For Site1 Primary TACACS+ Server .......... 75
       3.2.11 Round Trip Delay For Site1 Secondary TACACS+ Server ........ 76
4. PRE-PRODUCTION DEPLOYMENT AND NETWORK PERFORMANCE ANALYSIS ............. 77
   4.1 Analysis Of Round-Trip-Delay At Different Time Periods For A AAA
       Server Outside Region ............................................. 78
       4.1.1 Analysis Of RTD During Morning Hours ........................ 79
       4.1.2 Analysis Of RTD During Peak Hours ........................... 80
       4.1.3 Analysis Of RTD During Afternoon Hours ...................... 82
       4.1.4 Analysis Of RTD During Off Hours ............................ 83
       4.1.5 Analysis Of Average RTD During Different Time Periods ....... 84
   4.2 Analysis Of Hop Count At Different Time Periods For A AAA Server
       Outside Region .................................................... 85
   4.3 Deploying Regional Pre-Production AAA Servers ..................... 86
   4.4 Analysis Of Round-Trip-Delay At Different Time Periods For A AAA
       Server Within A Region ............................................ 87
       4.4.1 Analysis Of RTD During Morning Hours ........................ 87
       4.4.2 Analysis Of RTD During Peak Hours ........................... 88
       4.4.3 Analysis Of RTD During Afternoon Hours ...................... 90
       4.4.4 Analysis Of RTD During Off-Peak Hours ....................... 91
       4.4.5 Analysis Of Average RTD During Different Time Periods ....... 92
   4.5 Analysis Of Hop Count At Different Time Periods For A AAA Server
       In The Same Region ................................................ 94
   4.6 Improvement In Network Performance ................................ 95
5. CONCLUSION ............................................................. 99
Acronyms ................................................................. 100
References ............................................................... 101




LIST OF TABLES

Tables                                                                  Page
2-1  Subnetted Block Of 172.16.0.0/12 ...................................... 8
2-2  Subnetted Block Of 192.168.0.0/16 ..................................... 9
2-3  Hardware And IOS/Software Version .................................... 10
2-4  Management Connectivity At Distribution Layer ........................ 11
2-5  Configuring Management VLAN On NMS ................................... 12
2-6  Configuring Access Layer Network Element ............................. 18
4-1  Average Morning Hour Stats For A AAA Server Outside A Region ......... 79
4-2  Average Peak Hour Stats For A AAA Server Outside A Region ............ 81
4-3  Average Afternoon Hour Stats For A AAA Server Outside A Region ....... 82
4-4  Average Off Peak Stats For A AAA Server Outside A Region ............. 83
4-5  Average Stats For A AAA Server Outside A Region ...................... 84
4-6  Average Hop Count For A AAA Server Outside A Region .................. 85
4-7  Average Morning Hour Stats For A AAA Server Within A Region .......... 87
4-8  Average Peak Hour Stats For A AAA Server Within A Region ............. 89
4-9  Average Afternoon Hour Stats For A AAA Server Within A Region ........ 90
4-10 Average Off Peak Stats For A AAA Server Within A Region .............. 91
4-11 Average Stats For A AAA Server Within A Region ....................... 92
4-12 Average Hop Count For A AAA Server Within A Region ................... 94
4-13 Average Performance Improvement in RTD ............................... 95
4-14 Average Hop Count Improvement ........................................ 97







LIST OF FIGURES

Figures                                                                 Page
1-1  A Simple AAA Scenario ................................................. 2
2-1  Hierarchical Network Design ........................................... 6
2-2  LAB Prototype integrated with WAN Connectivity between Two Sites ..... 7
2-3  Management VLAN Connectivity ......................................... 11
2-4  Layer1 Connectivity .................................................. 17
2-5  Segregation of Management and Client VLANs ........................... 18
2-6  Integration of Distribution and Core Layer ........................... 24
2-7  Core VLANs ........................................................... 25
2-8  Discovering Routes ................................................... 33
2-9  Site2 Core VLAN ...................................................... 42
2-10 WAN Connectivity between Site1 and Site2 ............................. 44
2-11 Redistribution of EIGRP into BGP and BGP into EIGRP at Site1 ......... 51
3-1  Server VLAN 30 at Site1 .............................................. 56
3-2  ACS Web Interface .................................................... 59
3-3  Centralized Administration and One Way Replication ................... 60
3-4  NDG of AAA Servers ................................................... 61
3-5  Lab NDGs with LAN & WAN Subnets ...................................... 61
3-6  Site1 IP Range ....................................................... 61
3-7  User Groups .......................................................... 62
3-8  NAS Restrictions ..................................................... 62
3-9  Group Level Settings ................................................. 63
3-10 Replicating Components from Master Server ............................ 63
3-11 Replication Servers from Master ...................................... 64
3-12 Replicating Components Receiving from Master Server .................. 64
3-13 Inbound Replication Master Server .................................... 64
3-14 Outbound Database Replication from Master Server ..................... 65
3-15 Inbound Database Replication on Slave Server ......................... 66
3-16 Communication between Client and TACACS+ Server ...................... 68
3-17 Authentication Logs of User AJ ....................................... 73
3-18 Failed Authentication Logs of User AJ ................................ 75
4-1  Average RTD During Morning Hours ..................................... 80
4-2  Average RTD During Peak Hours ........................................ 81
4-3  Average RTD During Afternoon Hours ................................... 82
4-4  Average RTD During Off Hours ......................................... 83
4-5  Average RTD At Different Time Periods ................................ 84
4-6  Periodic Representation Of Hop Count From Different Regions .......... 85
4-7  Average RTD During Morning Hours ..................................... 88
4-8  Average RTD During Peak Hours ........................................ 89
4-9  Average RTD During Afternoon Hours ................................... 91
4-10 Average RTD During Off-Peak Hours .................................... 92
4-11 Average RTD At Different Time Periods ................................ 93
4-12 Periodic Hop Count To A TACACS+ Server In the Same Region ............ 94
4-13 Average Performance Improvement in RTD ............................... 96
4-14 Average Hop Count Improvement ........................................ 97








CHAPTER 1. INTRODUCTION

Securing and managing networks has always been increasingly challenging in corporate offices. As a network grows, through mergers and acquisitions or new site deployments, it becomes more challenging to converge and secure these decentralized networks. These offices forward highly confidential, mission- and business-critical data between different sites and require a high degree of network security from all possible aspects.

One of the ways to secure a network is to limit network access services to authorized users based on their business need. Equally challenging is closely monitoring which services are being used and how often. Network elements such as routers and switches usually use Access Control Lists (ACLs) to filter the source and destination IP addresses coming in and out of the configured device interfaces. These restrictions are applied to, and limited to, a device and not an individual. For example, if a device is configured to allow traffic from host 10.1.1.1 to access a web server, say WS1, then anyone who is sitting on host 10.1.1.1 will automatically have access to WS1.

To prevent this, a more secure and flexible filtering method is to grant access to specific authorized users. That means only users with a dedicated username and password are authorized to access the service or log in to a network device. One solution would be to create a user database on every network element to restrict access. However, this creates administrative overhead for updating user profiles and becomes very hard and laborious to manage in corporate offices where there are thousands of network elements.

What is ideally required is a centralized Access Control System to administer and manage the user database.

1.1 Access Control System

Access Control System (ACS) is a scalable, high-performance Remote Access Dial in User Services (RADIUS) and Terminal Access Controller Access Control System (TACACS+) security server. As ACS acts as a centralized control point for managing enterprise network users, administrators and network infrastructure resources, it provides an identity-based network-access control solution for intelligent information networks [1]. It supports a broad variety of multivendor network access devices, also known as AAA clients, including wired and wireless LAN switches and access points, edge and core routers, Voice over IP (VoIP) devices, firewalls, etc.

Figure 1-1 [1] shows a simple AAA scenario where an ACS is functioning as an AAA server for network access devices.

Figure 1-1 A Simple AAA Scenario

The Network Access Device (NAD) functions as an AAA client from the ACS perspective, directing all end-user host access requests to ACS via the TACACS+ or RADIUS protocols.

The NAD serves as the network gatekeeper and sends an access request to ACS on behalf of the user. ACS verifies the username, password and possibly other data by using its internal database or one of the configured external identity directories. ACS ultimately responds to the NAD with an access-denied or an access-accept message together with a set of authorization attributes.

1.2 What Is TACACS+?

Terminal Access Controller Access Control System (TACACS) is a connection-oriented Access Control Protocol (ACP) that provides authorization for network administrative operations on the network infrastructure itself. It provides separate control of each service: Authentication, Authorization and Accounting [1]. It is a client/server method that stores specific rights for users by associating attribute-value pairs with each user. The AAA authorization daemon on a network device such as a router or a switch communicates with the TACACS+ server to determine the correct authorization for different options, such as EXEC and network access.

1.2.1 Authentication

Authentication provides a method for handling user identification, login and password dialog, challenge and response, messaging and encryption. Authentication identifies users prior to access to a network and network services [2]. The authentication facility provides the ability to conduct an arbitrary dialog with the user: for example, after a login and password are provided, to challenge the user with a number of questions, like mother's maiden name or service type, etc. In addition, the TACACS+ authentication service supports sending messages to user screens. For example, a message could notify a user that their password must be changed because of the corporate password aging policy of 90 days.

1.2.2 Authorization

Authorization determines what a user is allowed to do. ACS can send user profile policies to AAA clients to determine which network services the user can access. Different users and groups can be authorized to receive different levels of service. For example, a level one user might not have the same access privileges as a level two user. You can also differentiate by levels of security, access times, and services. The ACS access restrictions feature can be set to permit or deny logins based on time-of-day and day-of-week. For example, a group of users can be created for temporary accounts that are disabled on specified dates.

Users can also be restricted to a service or combination of services such as PPP, ARAP or EXEC. After a user selects a service, Layer 2 and Layer 3 protocols can be restricted, such as IP and IPX, and individual access lists can be applied. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services, such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

1.2.3 Accounting

AAA clients use the accounting functions that the RADIUS and TACACS+ protocols provide to communicate relevant data for each user session to the AAA server for recording. ACS writes accounting records to a comma-separated value (CSV) log file or an ODBC database. These logs can be imported into popular database and spreadsheet applications for billing, security audits, and report generation.

Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
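As an added illustration (not from the project), the following Python script pairs accounting start and stop records carrying the fields listed above and derives what an auditor would want from them: session duration, volume, the recorded command, sessions that never closed, and who entered configuration mode. The CSV column layout and the sample rows are constructed for this example and are not the Cisco Secure ACS log format.

```python
"""Pairing TACACS+ accounting start/stop records (constructed example).

Column layout below is an assumption modelled on the fields the text lists
(user, NAS IP, session id, start/stop flag, timestamp, command, packets,
bytes); it is not the real ACS CSV export format.
"""
import csv
import io
from datetime import datetime

# Constructed sample accounting log; not taken from the project's servers.
SAMPLE_CSV = """\
user,nas_ip,session_id,flag,timestamp,command,packets,bytes
aj,192.168.1.3,1001,start,2012-10-01 09:00:00,,0,0
aj,192.168.1.3,1001,stop,2012-10-01 09:12:30,show running-config,240,61440
bob,192.168.1.2,1002,start,2012-10-01 09:05:00,,0,0
bob,192.168.1.2,1002,stop,2012-10-01 09:05:45,configure terminal,30,4096
eve,192.168.1.5,1003,start,2012-10-01 23:10:00,,0,0
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_records(text):
    """Return the accounting rows as dicts with typed timestamp and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], TS_FMT)
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def pair_sessions(rows):
    """Match start and stop records on (user, nas_ip, session_id).

    Returns (closed, open_): closed maps each key to a summary of the
    finished session; open_ lists keys that have a start but no stop yet,
    which is what an auditor looks at first after an outage or a late shift.
    """
    starts, closed = {}, {}
    for r in rows:
        key = (r["user"], r["nas_ip"], r["session_id"])
        if r["flag"] == "start":
            starts[key] = r["timestamp"]
        elif r["flag"] == "stop" and key in starts:
            started = starts.pop(key)
            closed[key] = {
                "duration_s": int((r["timestamp"] - started).total_seconds()),
                "command": r["command"],
                "packets": r["packets"],
                "bytes": r["bytes"],
            }
    return closed, sorted(starts)


def flag_config_changes(closed):
    """Users whose closed session recorded a command entering config mode."""
    return sorted(key[0] for key, summary in closed.items()
                  if summary["command"].startswith("configure"))


if __name__ == "__main__":
    closed, open_ = pair_sessions(parse_records(SAMPLE_CSV))
    for key, summary in closed.items():
        print(key, summary)
    print("sessions still open:", open_)
    print("config changes made by:", flag_config_changes(closed))
```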

1.3 Scope Of The Project

The project is divided into two phases. The first phase involves creating a prototype of an enterprise based end-to-end IP network. This prototype is designed and deployed with two sites represented as regional sites in different Autonomous Systems (AS) and interconnected via WAN links.

The second phase involves deployment of a centralized TACACS+ environment using the Cisco Secure ACS application. In this phase the TACACS+ design consists of a centralized 'Master' server and dedicated regional Primary and Secondary 'Slave' servers for providing AAA services.

Chapters two and three describe in detail the implementation of the above two phases with working configuration and test cases. Finally, chapter four describes the pre-production deployment and the network performance analysis of deploying regional ACS servers.




CHAPTER 2. PROTOTYPE OF AN ENTERPRISE BASED IP NETWORK

In order to deploy and test the TACACS+ architecture, a prototype of an enterprise based IP network is deployed as phase 1. In this phase, two site networks are built and configured with different autonomous systems to represent them as different sites.

2.1 Hierarchical Network Design

Each site is designed in a hierarchical model, which structures the network design in layers. Each layer can be focused on specific functions, thereby enabling the design engineer to choose the right systems and features for the layer. There are many other advantages of implementing a hierarchical design, such as ease of scaling the network, ease of understanding and troubleshooting the network, and maintaining a consistent design at different sites.


Figure 2-1 Hierarchical Network Design

Figure 2-1 shows an example of a hierarchical network design that was implemented as one of the project sites. The design consists of a backbone (core) layer, which provides optimal transport between sites; the distribution layer, which provides policy-based connectivity and route summarization or aggregation; and the access layer, which provides workgroup or user access to the network [3].

To maintain consistency, Site2 was designed similar to Site1 in hierarchical layers. To simplify the end-to-end architecture and connectivity, the two sites were connected via point-to-point WAN links. Figure 2-2 shows the point-to-point connectivity between the core routers of Site1 and Site2.



Figure 2-2 LAB Prototype integrated with WAN Connectivity between Two Sites

2.2 IP Addressing

Effective IP address management plays a very important role in designing large scale networks, especially when networks are geographically distributed. Effective IP addressing helps to perform route summarization at the distribution layer, thereby reducing traffic on the core; secondly, it eases management by allocating dedicated address space to each site and subnetting within each site.

Two private address spaces, 172.16.0.0/12 and 192.168.0.0/16, as specified in RFC 1918, were used to implement a hierarchical design and keep the internal and external routes distinct. The address block 172.16.0.0/12 is used to implement the WAN and the address block 192.168.0.0/16 is used to implement the LAN design. Tables 2-1 and 2-2 show the two major blocks represented in bit format.

Table 2-1 Subnetted Block Of 172.16.0.0/12

Major Block       Binary Representation of 2nd, 3rd and 4th Octet   Subnet Mask
172.16.0.0/12

172.16.0.0        172.0001 0000.0000 0000.0000 0000
172.16.0.1        172.0001 0000.0000 0000.0000 0001
172.16.0.255      172.0001 0000.0000 0000.1111 1111
172.16.1.0        172.0001 0000.0000 0001.0000 0000                 255.255.255.0
172.16.1.0        172.0001 0000.0000 0001.0000 0000                 255.255.255.252
172.16.1.4        172.0001 0000.0000 0001.0000 0100                 255.255.255.252
172.16.1.8        172.0001 0000.0000 0001.0000 1000                 255.255.255.252
172.16.1.12       172.0001 0000.0000 0001.0000 1100                 255.255.255.252
172.16.1.16       172.0001 0000.0000 0001.0001 0000                 255.255.255.252
172.16.1.255      172.0001 0000.0000 0001.1111 1111
172.16.255.255    172.0001 0000.1111 1111.1111 1111
172.17.0.0        172.0001 0001.0000 0000.0000 0000
172.31.255.255    172.0001 1111.1111 1111.1111 1111





Table 2-2 Subnetted Block Of 192.168.0.0/16

Major Block         Binary Representation of 2nd, 3rd and 4th Octet   Subnet Mask
192.168.0.0/16

192.168.0.0         192.1010 1000.0000 0000.0000 0000
192.168.1.0/24      192.1010 1000.0000 0001.0000 0000                 255.255.255.0
192.168.1.1         192.1010 1000.0000 0001.0000 0001
192.168.1.2         192.1010 1000.0000 0001.0000 0010
192.168.1.255       192.1010 1000.0000 0001.1111 1111
192.168.2.0/24      192.1010 1000.0000 0010.0000 0000                 255.255.255.0
192.168.3.0/24      192.1010 1000.0000 0011.0000 0000                 255.255.255.0
192.168.4.0/24      192.1010 1000.0000 0100.0000 0000                 255.255.255.0
192.168.5.0/24      192.1010 1000.0000 0101.0000 0000                 255.255.255.0
192.168.250.0/24    192.1010 1000.1111 1010.0000 0000                 255.255.255.0
192.168.250.0/27    192.1010 1000.1111 1010.0000 0000                 255.255.255.224
192.168.250.32/27   192.1010 1000.1111 1010.0010 0000                 255.255.255.224
192.168.250.64/27   192.1010 1000.1111 1010.0100 0000                 255.255.255.224
192.168.250.96/27   192.1010 1000.1111 1010.0110 0000                 255.255.255.224
192.168.250.128/27  192.1010 1000.1111 1010.1000 0000                 255.255.255.224
192.168.250.224/27  192.1010 1000.1111 1010.1110 0000                 255.255.255.224
192.168.251.0/24    192.1010 1000.1111 1011.0000 0000                 255.255.255.0
192.168.255.0/24    192.1010 1000.1111 1111.0000 0000                 255.255.255.0
192.168.255.?       192.1010 1000.1111 1111.0000 000?   (last digit of this row is illegible in the source)
192.168.255.255     192.1010 1000.1111 1111.1111 1111






Table 2-2 shows the subnetted block of 192.168.0.0/16, which was reserved for LAN development. Several /24 subnets were reserved for Client and Management VLANs. A dedicated 192.168.250.0/24 subnet was further subnetted into /27 subnets to establish EIGRP connectivity between the distribution layer and the core layer among different sites. As a /27 subnet can host up to 30 IPs, it can scale the site distribution layer to connect 30 distribution layer 3 switches or routers.
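Added example, not part of the original report: a short Python script, standard library only, that regenerates the bit-format rows of Tables 2-1 and 2-2 and the /27 and /30 carve-ups the section describes, so the host-capacity claim for a /27 can be checked rather than taken on trust.

```python
"""Reproduce the subnet tables of section 2.2 (added example).

Blocks and prefixes are the ones the section uses: 172.16.0.0/12 for the
WAN (/30 point-to-point links in Table 2-1) and 192.168.250.0/24 carved
into /27 distribution-to-core links (Table 2-2).
"""
import ipaddress


def table_binary(addr):
    """Render an address the way the tables do: first octet in decimal, the
    2nd to 4th octets as nibble-spaced binary, e.g.
    172.16.1.12 -> '172.0001 0000.0000 0001.0000 1100'."""
    octets = ipaddress.IPv4Address(addr).packed      # four ints, 0..255
    rendered = [str(octets[0])]
    for octet in octets[1:]:
        bits = format(octet, "08b")
        rendered.append(f"{bits[:4]} {bits[4:]}")
    return ".".join(rendered)


def usable_hosts(block):
    """Usable host addresses in a block (network and broadcast excluded;
    /31 and /32 have no such reservation)."""
    net = ipaddress.ip_network(block)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def carve(block, new_prefix):
    """Split `block` into equal subnets of length `new_prefix` and return
    (network, dotted mask, usable hosts) for each, in address order."""
    parent = ipaddress.ip_network(block)
    return [(str(net), str(net.netmask), usable_hosts(str(net)))
            for net in parent.subnets(new_prefix=new_prefix)]


def render_rows(block, new_prefix):
    """Table-style lines: network, binary form of the network address, mask."""
    lines = []
    for net, mask, hosts in carve(block, new_prefix):
        address = net.split("/")[0]
        lines.append(f"{net:<20} {table_binary(address):<35} {mask:<16} {hosts} hosts")
    return lines


if __name__ == "__main__":
    print("Table 2-2 style: 192.168.250.0/24 split into /27 links")
    print("\n".join(render_rows("192.168.250.0/24", 27)))
    print("\nTable 2-1 style: /30 WAN links inside 172.16.1.0/28")
    print("\n".join(render_rows("172.16.1.0/28", 30)))
```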

2.3 Hardware & IOS

Several devices and IOS versions were used at different layers of the hierarchical design, and the Cisco 3640 routers were upgraded from IOS version 11.2 to IOS version 12.2 to allow advanced CLI features. Table 2-3 shows the hardware and IOS versions used to implement the prototype.

Table 2-3 Hardware And IOS/Software Version

Hardware                IOS Version
Catalyst 6500 Sup 720   12.2(33)SXH5
Cisco 3640              12.2(27)
Cisco 2950              12.1(22)
HP G3 Server            Win 2003 Server, Cisco Secure ACS 4.2

2.4 Implementation Of Distribution Layer At Site1

The distribution layer is the demarcation point between the access and core layers and helps to define and differentiate the core. In a site or campus design, the distribution layer can include several functions such as address or area aggregation, workgroup access, broadcast/multicast domain definitions, VLAN routing, and security [3].




11



A pair of redundant Catalyst 6509 Layer 3 switches is integrated as the distribution layer switches. As shown in Figure 2-3, these switches are configured with an IP address from a dedicated management VLAN 50 to provide management connectivity.

Figure 2-3 Management VLAN Connectivity

A dedicated Network Management Switch (NMS) is configured to provide separate management connectivity for all devices in the campus LAN. The links are configured as access links, and no VLAN other than the management VLAN 50 is allowed on them.

Tables 2-4 and 2-5 show the configuration of the distribution and NMS switches. The subnet 192.168.1.0/24 is reserved to provide management connectivity.

Table 2-4 Management Connectivity At Distribution Layer

Distribution Switch 1

!
vlan 50
 name AJ_Lab_Mgmt_Vlan
!
interface Vlan50
 description AJ_Lab_Mgmt_Vlan
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 standby 50 ip 192.168.1.1
 standby 50 timers 1 3
 standby 50 priority 10
 standby 50 preempt
!
interface GigabitEthernet2/2
 description NMS_Port0/1
 no ip address
 switchport
 switchport access vlan 50
 switchport mode access
end

Distribution Switch 2

!
vlan 50
 name AJ_Lab_Mgmt_Vlan
!
interface Vlan50
 description AJ_Lab_Mgmt_Vlan
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 standby 50 ip 192.168.1.1
 standby 50 timers 1 3
 standby 50 priority 15
 standby 50 preempt
!
interface GigabitEthernet7/2
 description NMS_Port0/2
 no ip address
 switchport
 switchport access vlan 50
 switchport mode access
end

Table 2-5 Configuring Management VLAN On NMS

Network Management Switch

!
vlan 50
 name AJ_Lab_Mgmt_Vlan
!
interface Vlan50
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet0/1
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 50
 switchport mode access
end

Test: Connectivity test from NMS to DS1 and DS2

Result: 100% ping success rate to the interfaces on DS1 and DS2.

NMS#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1012 ms
NMS#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms
NMS#


To provide 100% network uptime for any given VLAN, HSRP is implemented and a virtual IP 192.168.1.1 is configured as an IP address shared between the two distribution switches. For each VLAN, a distribution switch is either Active or Standby depending on its priority. A priority value of 25 is configured for the Active switch and a priority value of 10 for the Standby switch. Group ID 50 is assigned to VLAN 50, and the members of this virtual group continuously exchange status messages. This way one device assumes the routing responsibility of the other should it stop communicating.
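The following Python model is an added example, not code from the project, of the election rule described above: the highest configured priority becomes Active for the group, the next becomes Standby, and with `preempt` configured a higher-priority member takes the Active role back when it returns. The priorities 25 and 10, group 50 and the virtual IP 192.168.1.1 are the values from the text; the class and function names, and the tie-break on the higher interface address, are this example's own assumptions about the behaviour.

```python
"""HSRP active/standby election and failover, modelled on the VLAN 50 setup
in this chapter. Added example, not the project's own code.

Rule implemented: among group members that are up, the highest priority is
Active (tie broken by the higher interface IP); the next is Standby. With
preempt set, a member whose priority beats the current Active takes over when
it comes back; without preempt the current Active keeps the role.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int
    preempt: bool = True
    up: bool = True          # interface VLAN up / down
    state: str = "Init"      # Init, Standby or Active, as 'show standby brief' reports


class HsrpGroup:
    def __init__(self, group: int, virtual_ip: str, routers):
        self.group = group
        self.virtual_ip = virtual_ip
        self.routers = list(routers)
        self.active = None
        self.elect()

    @staticmethod
    def _rank(router):
        # Higher priority wins; equal priorities fall back to the higher address.
        return (router.priority, int(ip_address(router.ip)))

    def elect(self):
        """(Re)run the election. Returns (active_name, standby_name)."""
        candidates = sorted((r for r in self.routers if r.up),
                            key=self._rank, reverse=True)
        for r in self.routers:
            r.state = "Init"
        if not candidates:
            self.active = None
            return (None, None)
        best = candidates[0]
        # Keep the current Active unless it is down, or a higher-ranked
        # member with preempt configured is available.
        if (self.active is not None and self.active.up
                and not (best.preempt and self._rank(best) > self._rank(self.active))):
            best = self.active
        best.state = "Active"
        self.active = best
        standby = next((r for r in candidates if r is not best), None)
        if standby is not None:
            standby.state = "Standby"
        return (best.name, standby.name if standby else None)

    def forwarder(self):
        """Name of the router currently answering for the virtual IP."""
        return self.active.name if self.active else None

    def set_up(self, name: str, up: bool):
        """Bring a member's VLAN interface up or down and re-elect."""
        for r in self.routers:
            if r.name == name:
                r.up = up
        return self.elect()


if __name__ == "__main__":
    ds1 = HsrpRouter("DS1", "192.168.1.3", priority=10)
    ds2 = HsrpRouter("DS2", "192.168.1.2", priority=25)
    group = HsrpGroup(50, "192.168.1.1", [ds1, ds2])
    print("initial:", group.elect())            # DS2 Active, DS1 Standby
    print("DS2 vlan down:", group.set_up("DS2", False))   # DS1 takes over
    print("DS2 back, preempt:", group.set_up("DS2", True))  # DS2 preempts
```

The `set_up("DS2", False)` call reproduces the failover test later in this section: DS2 drops to Init, DS1 becomes Active with no Standby, and the virtual IP stays reachable through DS1.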

An EtherChannel, Po1, as shown in Figure 2-3, is configured between the two distribution switches to serve either as a trunk to exchange VTP information or as a high-availability link. The following configuration is applied to configure the EtherChannel and HSRP on the distribution layer switches:

Distribution Switch 1

!
interface Vlan50
 standby 50 ip 192.168.1.1
 standby 50 timers 1 3
 standby 50 priority 10
 standby 50 preempt
!
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-9,11-49,51-99,101-199,201-998,1000-4094
 switchport mode trunk
 storm-control broadcast level 0.50
end
!
interface GigabitEthernet2/3
 description Back-To-Back Link DS2_6/3
 channel-group 1 mode desirable
!

Distribution Switch 2

!
interface Vlan50
 standby 50 ip 192.168.1.1
 standby 50 timers 1 3
 standby 50 priority 25
 standby 50 preempt
!
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-9,11-49,51-99,101-199,201-998,1000-4094
 switchport mode trunk
 storm-control broadcast level 0.50
end
!
interface GigabitEthernet6/3
 description Back-To-Back Link DS1_2/3
 channel-group 1 mode desirable
!


Test: EtherChannel check on DS1 and DS2

Result: The output shows that an EtherChannel (also called a Port-Channel), Po1, is created with Group ID 1, and that port 2/3 on DS1 and port 6/3 on DS2 are in port-channel 1.

DS1#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Gi2/3(P)

DS1#
DS2#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Gi6/3(P)


Test: Active & Standby test for HSRP at DS1 and DS2

Result: 100% ping result from the NMS to the virtual IP 192.168.1.1 configured on DS1 and DS2. Secondly, DS1 should be Standby and DS2 Active for VLAN 50.

Test: HSRP failover - shut down interface Vlan50 on DS2

Result: DS1 should become Active and the virtual IP should remain reachable.

NMS#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms

DS1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        50  10   P Standby  192.168.1.2     local           192.168.1.1
DS1#
DS2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl50        50   25   P Active  local           192.168.1.3     192.168.1.1
DS2#




Distribution Switch 2

DS2(config)#int vlan 50
DS2(config-if)#shut
DS2(config-if)#
10w2d: %HSRP-5-STATECHANGE: Vlan50 Grp 50 state Active -> Init

Distribution Switch 1

10w2d: %STANDBY-6-STATECHANGE: Vlan50 Group 50 state Standby -> Active

As interface VLAN 50 is shut on DS2, a message is generated on both DS2 and DS1 about the change of state. Observe the state change from Standby to Active on DS1.

DS1#sh stan br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl50        50  10   P Active   local           unknown         192.168.1.1
DS1#
DS2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl50        50   25   P Init    unknown         unknown         192.168.1.1
DS2#

Ping the virtual IP, which is now active on DS1, from the NMS.

Result: 100% ping success rate.


NMS#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
NMS#

2.5 Implementation Of Access Layer At Site1

The access layer is the layer where clients are connected, or where local users are allowed into the network. A Cisco 2950 switch is installed and commissioned as the access layer switch. As shown in Figure 2-4, two fibre Gigabit Ethernet links, one to each distribution layer switch, are connected and configured as trunks, and a Fast Ethernet connection to the NMS provides network management access to the switch.


Figure 2-4 Layer1 Connectivity

An unused IP from the management subnet 192.168.1.0/24 is used to configure the access switch for management connectivity. A client VLAN 10 is created and the subnet 192.168.3.0/24 is allocated to this VLAN. Layer 3 interfaces for VLAN 10 are created on DS1 and DS2, with the first IP address, 192.168.3.1, configured as the virtual IP. This virtual IP acts as the default gateway for the clients. As shown in Figure 2-5, to segregate the management and client traffic, VLAN 10 is allowed through the uplink trunks to the distribution layer switches, and the management VLAN 50 is allowed through the FE link to the NMS.

Figure 2-5 Segregation of Management and Client VLANs

Table 2-6 shows the configuration and the connectivity of the access layer switch.

Table 2-6 Configuring Access Layer Network Element

!
vlan 10
 name AJ_Lab_Client_Vlan10
!
vlan 50
 name AJ_Lab_Mgmt_Vlan
!
vlan 999
 name AJ_Lab_Native_Vlan
!
interface Vlan50
 description Management Connectivity
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
interface FastEthernet0/5
 description NMS_Fa0/5
 switchport access vlan 50
 switchport mode access
 no ip address
!
interface GigabitEthernet0/1
 description DS1_G2/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/2
 description DS2_G7/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
 no ip address
!
!
interface FastEthernet0/10
 description Client A
 switchport access vlan 10
 switchport mode access
 no ip address
!
ip default-gateway 192.168.1.1
!

Configuring the interface Fa0/5 on the NMS connected to AS1:

!
interface FastEthernet0/5
 switchport access vlan 50
 switchport mode access
!



Configuring the VLANs and the Layer 3 interfaces on DS1 and DS2 and allowing VLAN 10 through the trunk facing AS1.

Distribution Switch 1

!
vlan 10
 name AJ_Lab_Client_Vlan10
!
!
interface Vlan10
 description Client VLAN
 ip address 192.168.3.3 255.255.255.0
 no ip redirects
 standby 10 ip 192.168.3.1
 standby 10 timers 1 3
 standby 10 priority 25
 standby 10 preempt
!
!
interface GigabitEthernet2/1
 description connected to AS1_G0/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
end

Distribution Switch 2

!
vlan 10
 name AJ_Lab_Client_Vlan10
!
!
interface Vlan10
 description Client VLAN
 ip address 192.168.3.2 255.255.255.0
 no ip redirects
 standby 10 ip 192.168.3.1
 standby 10 timers 1 3
 standby 10 priority 15
 standby 10 preempt
!
!
interface GigabitEthernet7/1
 description connected to AS1_G0/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
end


By the end of the above configuration, the access switch should be able to ping the NMS gateway 192.168.1.1, which is the virtual IP on VLAN 50, and it should also be able to ping the client gateway 192.168.3.1, which is the virtual IP on VLAN 10.

Test: Ensure that the physical interfaces G0/1, G0/2 and Fa0/5 on AS1, connected to the distribution switches and the management switch, are UP.

Result: All interfaces should be UP.

SW2#sh ip int br | i up
Vlan50                 192.168.1.4     YES NVRAM  up                    up
FastEthernet0/5        unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
SW2#

Test: Ensure that the Layer 3 interface for the management VLAN is reachable

Result: The success rate should be 100%

SW2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
SW2#

Test: Ensure that the Layer 3 interface for the client VLAN is reachable

Result: The success rate should be 100%

SW2#ping 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
SW2#

Test: Ensure that DS1 is in Active state and DS2 in Standby state for VLAN 10

Result: VLAN 10 should be Active on DS1 and Standby on DS2

DS1#sh stan br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vl10        10  25   P Active   local           192.168.3.2     192.168.3.1
Vl50        50  10   P Standby  192.168.1.2     local           192.168.1.1
DS1#

DS2#sh stan br
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl10        10   15   P Standby 192.168.3.3     local           192.168.3.1
Vl50        50   25   P Active  local           192.168.1.3     192.168.1.1
DS2#

Test: Shut down the interface VLAN 10 on DS1 and ensure that HSRP failover works for client VLAN 10.

Result: The ping success rate to the virtual IP should be 100% and DS2 should be the Active HSRP gateway.

DS1(config)#int vlan 10
DS1(config-if)#shut

10w2d: %STANDBY-6-STATECHANGE: Vlan10 Group 10 state Active -> Init

DS2#
10w2d: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
DS2#sh stan br
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl10        10   15   P Active  local           unknown         192.168.3.1
Vl50        50   25   P Active  local           192.168.1.3     192.168.1.1
DS2#

Ping result from AS1 to the virtual IP 192.168.3.1:

SW2#ping 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW2#


Connect a client to one of the ports on AS1. Ensure that the default gateway is reachable from the client.

C:\Users\aj>ipconfig

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.3.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1

C:\Users\aj>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time<1ms TTL=255
Reply from 192.168.3.1: bytes=32 time<1ms TTL=255
Reply from 192.168.3.1: bytes=32 time<1ms TTL=255
Reply from 192.168.3.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\aj>

With the successful integration of the access switch and the connectivity of clients to the Layer 3 interface or gateway, the access layer can be extended from the distribution layer by any number of access layer switches.

2.6 Implementation Of Core Layer At Site1

The core layer is a high-speed switching backbone and should be designed to switch packets as fast as possible [3]. Figure 2-6 shows the Layer 1 lab core design connectivity, which comprises two Cisco 3640 routers integrated at each site. It also includes two Layer 3 switches as core switches to integrate the distribution layer with the core layer. Two VLANs, VLAN 100 and VLAN 200, with /27 subnets are used to provide redundant connections between the distribution and core layers. Figure 2-7 shows the Layer 2 connectivity of VLAN 100 and VLAN 200. The dynamic routing protocol EIGRP is used as the routing protocol, as it provides fast convergence with minimum network traffic and scales effectively in a well-designed network.

Figure 2-6 Integration of Distribution and Core Layer

Redundant fibre uplinks from the distribution layer switches are connected to the core switches. The core switch Core-SW1 allows traffic for VLAN 100 with the subnet 192.168.250.0/27, and the core switch Core-SW2 allows traffic for VLAN 200 with the subnet 192.168.250.32/27. Layer 3 interfaces for these VLANs are created on the core routers A and B. The subnet 192.168.5.0/24 is reserved for loopback interfaces to allow devices to participate in the EIGRP process.





Figure 2-7 Core VLANs

The implementation of the core layer is initiated with the integration of the core switches. The Gigabit Ethernet links facing the distribution layer switches are configured as access links so that VLANs are not exchanged over the link and forwarded to the core. The core switches are configured as below:

Core-SW1

!
vlan 100
 name AJ_Lab_Core_Vlan_A
!
interface GigabitEthernet0/1
 description Distribution-SW1_G1/1
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/2
 description Distribution-SW2_G6/2
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/3
 description Core-A_Fa1/0.1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30,100
 switchport mode trunk
!
interface GigabitEthernet0/4
 description Core-B_Fa1/0.1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30,100
 switchport mode trunk
!

Core-SW2

!
vlan 200
 name AJ_Lab_Core_Vlan_B
!
interface GigabitEthernet0/1
 description Distribution-SW1_G1/2
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet0/2
 description Distribution-SW2_G6/1
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/3
 description Core-A_Fa2/0
 switchport access vlan 200
 switchport mode access
 no ip address
!
interface FastEthernet0/4
 description Core-B_Fa2/0
 switchport access vlan 200
 switchport mode access
 no ip address
!

Now that the core switches and their interfaces are configured, the next step is to configure the core routers and the Layer 3 interfaces on them. The core routers are configured as:

Core Router A

!
interface Loopback0
 ip address 192.168.5.1 255.255.255.255
!
!
interface FastEthernet1/0.1
 encapsulation dot1Q 100
 ip address 192.168.250.2 255.255.255.224
!
interface FastEthernet1/0.2
 encapsulation dot1Q 30
 ip address 192.168.250.68 255.255.255.224
!
interface FastEthernet2/0
 ip address 192.168.250.34 255.255.255.224
 duplex auto
 speed auto
!

Core Router B

!
interface Loopback0
 ip address 192.168.5.2 255.255.255.255
!
!
interface FastEthernet1/0.1
 encapsulation dot1Q 100
 ip address 192.168.250.3 255.255.255.224
!
interface FastEthernet1/0.2
 encapsulation dot1Q 30
 ip address 192.168.250.69 255.255.255.224
!
interface FastEthernet2/0
 ip address 192.168.250.35 255.255.255.224
 duplex auto
 speed auto
!

Perform a check to ensure that the links between the core switches and the core routers are established.

Core-SW1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  administratively down down
Vlan100                192.168.250.1   YES manual up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/4     unassigned      YES unset  up                    up
Core-SW2#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan200                192.168.250.33  YES manual up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
FastEthernet0/4        unassigned      YES unset  up                    up

Core-R1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet1/0        unassigned      YES NVRAM  up                    up
FastEthernet1/0.1      192.168.250.2   YES NVRAM  up                    up
FastEthernet1/0.2      192.168.250.68  YES NVRAM  up                    up
FastEthernet2/0        192.168.250.34  YES NVRAM  up                    up
FastEthernet3/0        172.16.1.1      YES NVRAM  administratively down down
Loopback0              192.168.5.1     YES NVRAM  up                    up
Core-R1#
Core-R2#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet1/0        unassigned      YES NVRAM  up                    up
FastEthernet1/0.1      192.168.250.3   YES NVRAM  up                    up
FastEthernet1/0.2      192.168.250.69  YES NVRAM  up                    up
FastEthernet2/0        192.168.250.35  YES NVRAM  up                    up
Loopback0              192.168.5.2     YES NVRAM  up                    up
Core-R2#

Ensure that the default gateway is reachable from the core switches.

Core-SW1#ping 192.168.250.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Core-SW1#ping 192.168.250.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms
Core-SW1#
Core-SW2#ping 192.168.250.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Core-SW2#ping 192.168.250.35

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms
Core-SW2#


Ensure that the neighbor relationship is established between the core switches and the core routers.

Core-SW1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Core-R1          Gig 0/3            145         R          3640      Fas 1/0
Core-R2          Gig 0/4            121         R          3640      Fas 1/0
Core-SW1#
Core-SW2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Core-R1          Fas 0/3            161         R          3640      Fas 2/0
Core-R2          Fas 0/4            137         R          3640      Fas 2/0
Core-SW2#




Configure the distribution Layer 3 switches to integrate with the core. The redundant uplinks from each distribution pair are configured one in each of the core VLANs 100 and 200.

Distribution Switch 1

!
vlan 100
 name AJ_Lab_Core_Vlan_A
!
vlan 200
 name AJ_Lab_Core_Vlan_B
!
interface Vlan100
 ip address 192.168.250.4 255.255.255.224
!
interface Vlan200
 ip address 192.168.250.36 255.255.255.224
!
interface Loopback0
 ip address 192.168.5.3 255.255.255.255
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport access vlan 200
 switchport mode access
!

Distribution Switch 2

!
vlan 100
 name AJ_Lab_Core_Vlan_A
!
vlan 200
 name AJ_Lab_Core_Vlan_B
!
interface Vlan100
 ip address 192.168.250.5 255.255.255.224
!
interface Vlan200
 ip address 192.168.250.37 255.255.255.224
!
interface Loopback0
 ip address 192.168.5.4 255.255.255.255
!
interface GigabitEthernet6/1
 switchport
 switchport access vlan 200
 switchport mode access
 storm-control broadcast level 0.50
!
interface GigabitEthernet6/2
 switchport
 switchport access vlan 100
 switchport mode access
 storm-control broadcast level 0.50
!

Once the distribution layer switches are present in the core VLANs, the core and distribution layers should establish reachability. A ping check is performed between the distribution pair and the core to ensure reachability.

Ping checks for the core interfaces in VLAN 100 from DS1 and DS2:




DS1#ping 192.168.250.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS1#
DS1#ping 192.168.250.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS1#
DS2#ping 192.168.250.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS2#ping 192.168.250.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS2#

Ping checks for the core interfaces in VLAN 200 from DS1 and DS2:

DS1#ping 192.168.250.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS1#
DS1#ping 192.168.250.35

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS1#
DS2#ping 192.168.250.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
DS2#ping 192.168.250.35

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DS2#


The above tests ensure that connectivity is established between the core and the distribution layer, and that the distribution layer has redundant connections to the core. However, end-to-end reachability from the access layer to the core is not yet established.

To establish end-to-end connectivity, the next step is to advertise the access VLAN into the core. This can be done via static or dynamic routing.

In an enterprise LAN environment with hundreds of access VLANs, static routes are not a scalable solution to implement: it would be laborious and hard to manage hundreds of static routes. The feasible solution is to configure a dynamic routing protocol.

2.7 Configuring EIGRP

Enhanced Interior Gateway Routing Protocol (EIGRP) is a dynamic routing protocol developed by Cisco. EIGRP scales effectively in a well-designed network and provides extremely quick convergence times with minimal network traffic [4].

An EIGRP process is identified by an autonomous system (AS) number, so that routers with the same AS number exchange routing information with each other, resulting in a routing domain. As the network prototype is implemented with two sites, A and B, these sites are assigned the unique AS numbers 10 and 20. Within the EIGRP process, only the dedicated networks are advertised. Like any other routing protocol, EIGRP uses route metrics (bandwidth, delay, reliability, load and MTU) to select the best route from a group of possible routes. The route metrics configured are bandwidth = 100000, delay = 100, reliability = 255, load = 1 and MTU = 1500.

The core and the distribution routers of Site1 are configured as follows:

Core-R1#sh run | b eigrp
router eigrp 10
 network 192.168.5.1 0.0.0.0
 network 192.168.250.0 0.0.0.31
 network 192.168.250.32 0.0.0.31
 network 192.168.250.64 0.0.0.31
 default-metric 100000 100 255 1 1500
 no auto-summary
Core-R2#sh run | b eigrp
router eigrp 10
 network 192.168.5.2 0.0.0.0
 network 192.168.250.0 0.0.0.31
 network 192.168.250.32 0.0.0.31
 network 192.168.250.64 0.0.0.31
 default-metric 100000 100 255 1 1500
 no auto-summary
!
DS1#sh run | b eigrp
router eigrp 10
 passive-interface default
 no passive-interface Vlan100
 no passive-interface Vlan200
 network 192.168.1.0
 network 192.168.3.0
 network 192.168.5.3 0.0.0.0
 network 192.168.250.0 0.0.0.31
 network 192.168.250.32 0.0.0.31
 network 192.168.250.64 0.0.0.31
 no auto-summary
 eigrp log-neighbor-changes
!
DS2#sh run | b eigrp
router eigrp 10
 passive-interface default
 no passive-interface Vlan100
 no passive-interface Vlan200
 network 192.168.1.0
 network 192.168.3.0
 network 192.168.5.4 0.0.0.0
 network 192.168.250.0 0.0.0.31
 network 192.168.250.32 0.0.0.31
 network 192.168.250.64 0.0.0.31
 no auto-summary
 eigrp log-neighbor-changes
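The following Python script is an added worked example, not part of the project, covering two things the DS1 configuration above leaves implicit. First, which interfaces the `network` statements enable for EIGRP, using the wildcard-mask rule (bits set to 1 in the wildcard are ignored; a statement with no wildcard is treated classfully, and the wildcard 0.0.0.0 matches exactly one address), and which of those stay passive under `passive-interface default` with the two `no passive-interface` exceptions, so that the client and management VLANs are advertised but hellos are only sent towards the core. Second, the composite metric that the `default-metric 100000 100 255 1 1500` values produce with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0), where the metric is 256 * (10^7 / bandwidth in kbps + delay in tens of microseconds). The interface addresses are DS1's as configured earlier in this chapter; the function names are this example's own.

```python
"""Added example (not the project's code): evaluate DS1's EIGRP `network`
statements and compute the EIGRP composite metric for the configured
default-metric values.
"""
from ipaddress import ip_address, ip_network

# Constructed from the DS1 interface configuration shown in this chapter.
DS1_INTERFACES = {
    "Vlan50": "192.168.1.3",      # management VLAN
    "Vlan10": "192.168.3.3",      # client VLAN
    "Loopback0": "192.168.5.3",
    "Vlan100": "192.168.250.4",   # core VLAN A
    "Vlan200": "192.168.250.36",  # core VLAN B
}
# (network, wildcard) pairs from `DS1#sh run | b eigrp`; None = no wildcard given.
DS1_NETWORK_STATEMENTS = [
    ("192.168.1.0", None),
    ("192.168.3.0", None),
    ("192.168.5.3", "0.0.0.0"),
    ("192.168.250.0", "0.0.0.31"),
    ("192.168.250.32", "0.0.0.31"),
    ("192.168.250.64", "0.0.0.31"),
]
DS1_NON_PASSIVE = {"Vlan100", "Vlan200"}   # from `no passive-interface`


def classful_network(addr: str):
    """Classful (A/B/C) network containing addr, as a wildcard-less statement is read."""
    first_octet = int(ip_address(addr)) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ip_network(f"{addr}/{prefix}", strict=False)


def statement_matches(addr: str, network: str, wildcard) -> bool:
    """True if `network <network> <wildcard>` covers interface address addr."""
    if wildcard is None:
        return ip_address(addr) in classful_network(network)
    a, n, w = (int(ip_address(x)) for x in (addr, network, wildcard))
    care = (~w) & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (a & care) == (n & care)


def eigrp_interfaces(interfaces, statements, non_passive):
    """Map interface name -> 'active' (sends hellos) or 'passive' (advertised only)."""
    result = {}
    for name, addr in interfaces.items():
        if any(statement_matches(addr, n, w) for n, w in statements):
            result[name] = "active" if name in non_passive else "passive"
    return result


def eigrp_metric(bandwidth_kbps: int, delay_tens_us: int,
                 reliability: int = 255, load: int = 1,
                 k=(1, 0, 1, 0, 0)) -> int:
    """Classic EIGRP composite metric (integer arithmetic, as IOS computes it)."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // bandwidth_kbps
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:                                  # reliability term only when K5 != 0
        base = base * k5 // (reliability + k4)
    return 256 * base


if __name__ == "__main__":
    for name, mode in eigrp_interfaces(DS1_INTERFACES, DS1_NETWORK_STATEMENTS,
                                       DS1_NON_PASSIVE).items():
        print(f"{name:<10} {DS1_INTERFACES[name]:<16} {mode}")
    # default-metric 100000 100 255 1 1500 -> 256 * (100 + 100)
    print("default-metric value:", eigrp_metric(100000, 100))
```

Running it reports all five DS1 interfaces as enabled for EIGRP, with only Vlan100 and Vlan200 active, and a metric of 51200 for the configured default-metric values.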

When the devices are configured and the networks are advertised in the EIGRP process, as part of the neighbor discovery process the EIGRP routers send hello packets to their connected networks using the multicast address 224.0.0.10. Figure 2-8 shows the convergence process between two EIGRP routers [5].

Figure 2-8 Discovering Routes

The following messages were captured on DS1 during the neighbor discovery process. DS1 becomes adjacent with Core1, Core2 and DS2 via VLAN 100 through the subnet 192.168.250.0/27, and also via VLAN 200 through the subnet 192.168.250.32/27.

10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.2 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.35 (Vlan200) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.3 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.5 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.37 (Vlan200) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.34 (Vlan200) is up: new adjacency
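The following Python script is an added example, not part of the project, of turning the `%DUAL-5-NBRCHANGE` messages above into an adjacency table and checking each neighbor against the subnet planned for the interface it was learned on. The log sample is constructed from the six DS1 messages shown, plus two constructed lines (a neighbor going down, and a neighbor on an address outside the VLAN 100 subnet) so that the state tracking and the subnet check have something to report; a peer turning up on a core VLAN from an address outside that VLAN's /27 is the kind of inconsistency an operator would want flagged from the logs. The interface-to-subnet table is this example's assumption, taken from the /27 plan in Table 2-2, and the function names are its own.

```python
"""Added example (not the project's code): parse EIGRP neighbor-change syslog
messages into an adjacency table and flag neighbors outside the planned subnet.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the six DS1 messages from this section plus two
# constructed lines (one neighbor going down, one on an unexpected address).
SAMPLE_LOG = """\
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.2 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.35 (Vlan200) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.3 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.5 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.37 (Vlan200) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.34 (Vlan200) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.70 (Vlan100) is up: new adjacency
10w4d: %DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.250.34 (Vlan200) is down: holding time expired
"""

NBR_RE = re.compile(
    r"%DUAL-5-NBRCHANGE: IP-EIGRP (?P<asn>\d+): Neighbor (?P<ip>\S+) "
    r"\((?P<intf>\S+)\) is (?P<state>up|down): (?P<reason>.*)$"
)

# Assumed subnet plan for DS1's core-facing interfaces (Table 2-2 /27 scheme).
INTERFACE_SUBNETS = {
    "Vlan100": ip_network("192.168.250.0/27"),
    "Vlan200": ip_network("192.168.250.32/27"),
}


def parse_nbr_changes(log: str):
    """One dict (asn, ip, intf, state, reason) per NBRCHANGE line, in log order."""
    events = []
    for line in log.splitlines():
        m = NBR_RE.search(line)
        if m:
            event = m.groupdict()
            event["asn"] = int(event["asn"])
            events.append(event)
    return events


def adjacency_table(events):
    """Latest known state per (interface, neighbor address)."""
    table = {}
    for e in events:           # later lines override earlier ones
        table[(e["intf"], e["ip"])] = e["state"]
    return table


def off_subnet_neighbors(events, subnets=INTERFACE_SUBNETS):
    """(interface, address) pairs whose address is outside the planned subnet."""
    bad = set()
    for e in events:
        net = subnets.get(e["intf"])
        if net is None or ip_address(e["ip"]) not in net:
            bad.add((e["intf"], e["ip"]))
    return sorted(bad)


if __name__ == "__main__":
    events = parse_nbr_changes(SAMPLE_LOG)
    for (intf, ip), state in sorted(adjacency_table(events).items()):
        print(f"{intf:<8} {ip:<16} {state}")
    print("outside planned subnet:", off_subnet_neighbors(events))
```

With the sample above the table ends with six neighbors up and 192.168.250.34 down, and the constructed 192.168.250.70 on Vlan100 is reported because it lies in 192.168.250.64/27 rather than the VLAN 100 subnet.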


Once a neighbor is discovered via the hello packet, a neighbor table is created, which keeps the state information of the adjacent neighbors. When newly discovered neighbors are learned, the address and the interface of the neighbors are recorded. The following tables give the neighbor tables of Core1, Core2, DS1 and DS2.

Core-R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
6   192.168.250.35          Fa2/0         14 17:23:52    4   200  0  80
4   192.168.250.37          Fa2/0         13 17:23:52    3   200  0  28
1   192.168.250.36          Fa2/0         10 17:23:54    1   200  0  24
2   192.168.250.5           Fa1/0.1       11 17:59:56    1   200  0  29
0   192.168.250.4           Fa1/0.1       12 18:00:50    1   200  0  23
5   192.168.250.3           Fa1/0.1       11 3d00h       1   200  0  79
Core-R1#
Core-R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
2   192.168.250.34          Fa2/0         13 17:24:22 1568  5000  0  695
6   192.168.250.37          Fa2/0         10 18:00:26    4   200  0  28
4   192.168.250.5           Fa1/0.1       14 18:00:26    2   200  0  29
1   192.168.250.36          Fa2/0         13 18:01:20    4   200  0  24
0   192.168.250.4           Fa1/0.1       10 18:01:20    1   200  0  23
5   192.168.250.2           Fa1/0.1       12 3d00h      37   222  0  696
Core-R2#
DS1#sh ip eigrp nei
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   192.168.250.34          Vl200         10 17:14:21   57   342  0  695
5   192.168.250.37          Vl200         13 17:50:25    3   200  0  28
4   192.168.250.5           Vl100         14 17:50:25    2   200  0  29
3   192.168.250.3           Vl100         12 17:51:19  490  2940  0  79
2   192.168.250.35          Vl200         14 17:51:20  868  5000  0  80
1   192.168.250.2           Vl100         12 17:51:20  316  1896  0  696
DS1#
DS2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq