ICT259: As a network Engineer you Have been Engaged to Configure an Enterprise Network for a company ACME.COM: Computer Networking Assignment, SUSS, Singapore

Assignment  Brief:

as a network engineer, you have been engaged to configure an enterprise network for a company, ACME.COM. There are multiple site offices and users with the need to be fully connected via IPv4 and IPv6. The company ACME.COM owns a datacentre in Jurong, and offices in Woodlands and Changi.

The company ACME.COM has subscribed to a new Internet plan from ISP.COM. The ISP.COM static IP plan provides a 1000Mbps connection with 8 public IPv4 addresses, along with an IPv6 address block. Objectives Configure and ensure all devices meet the requirements listed in the task list below.

Your resultant network should be fully IPv4 and IPv6 reachable. IP Addresses You are required to configure the interfaces needed in the routers and use the below allocation to properly configure the routers to meet the requirements. Assigned IP addresses for ACME.COM Device IPv4 Address/Range IPv6 Address/Range ISP.COM router 211.211.100.1/30 2001:DB9:0:1::1/64 Customer router WAN 211.211.100.2/30 2001:DB9:0:1::2/64x interface Routed IPs from ISP 211.211.211.240 /29 2001:db8:112:0/48

Private internal IPv4 range 10.112.0.0/16 – (this range has to be subnetted for departments – see PKT file for subnet sizes) (Address ranges must be contiguously assigned & no wastage of address space in the subnet) General configuration All ACME internal PCs/servers should have the appropriate private IPv4 address from the above range assigned to them statically. All ACME internal PCs/servers should have the appropriate global unicast IPv6 address above range assigned to them statically.

Plan your IP addressing well – Routes should be summarized (super netted) if across routers if possible (both IPv4 / IPv6) PCs must able to resolve fully qualified domain names for the internal servers, e.g. http://FinanceBatch.acme.com The servers should have both A and AAAA records. You need to update records in the Internal DNS server Existing DNS records are NOT to be modified for the public DNS server. You are permitted to add on any record for *.acme.com (Similar to the Internet where you are only allowed to modify your own company’s records).

Routing configuration IPv4 dynamic routing should be used within ACME.COM’s network and the dynamic routing protocol should use process ID 1 Static IPv6 routing should be implemented on all global unicast addresses within ACME.COM’s network.

The static default route should be implemented to the Internet for the appropriate connecting router. In order for fair dynamic routing calculation, the reference bandwidth should be based on the highest speed link in the network. Loopback IPs have to be configured for each router and advertised to the network for remote management.

Routing updates have to be suppressed on networks wherever appropriate. For the broadcast network, the Jurong router should always be the designated router and Woodland’s router as the backup. Changi router should never be able to take over any of these roles.

All routers connecting via the WAN links are to detect link failures fast, the appropriate interfaces/routes on the links must be declared down by 20 seconds. The default values need to be set based on this timing. All end users must be able to reach the Internet (eg. must be able to browse the isp.com webpage) – (*Refer to point 5 in Security Access Rules) All the users must be seen to access the Internet using the first THREE (3) host IP address from the public IPv4 pool assigned by the ISP.

Servers WWW, TFTP has to be accessible from the Internet. For security purposes, only the relevant service should be accessible and NOT other services that the server may be running. Users from the Internet must be able to only access the service and no other services on the relevant server. The TWO (2) URLs resolvable from the Internet are www.acme.com and tftp.acme.com.

Security Access Rules All routers are only to be managed by the ONLY SSH remotely. username of administrator and the encrypted secret to being used with privilege level 15 and using password123 All console and incoming virtual terminal lines need to be secured with the above. Named Access List “REMOTE-ACCESS” is to be created to allow only any of the SIX (6) PCs from the management network to remotely manage the devices via their loopback IP address.

The router connecting to the Internet To use named access-list INTERNET IN for inbound access list to permit traffic from the Internet to access authorized internal published web services and for relevant traffic only. To use named access-list INTERNET OUT Outbound access list to allow for common protocols: DNS query, web browsing only.

To apply the access lists to the correct interface Use a numbered access-list 101 to allow only finance PCs to access HRADMIN and HRJobs server’s web/secure web services, and also allow for ping and its replies only to all All other traffic should be blocked.

Use a numbered access-list 21 to disallow PCs from the engineering network to access any part of the finance network. Use a named standard access list ALLOWEDNAT to allow only authorized PC ranges to reach the Internet. Your ACL should only contain 1 ACE and it should be the smallest mask possible (eg. /30 is preferred over a /24).