Hi everyone, newbie here. Advice needed

wilcochris

Hey everyone, I posted a thread in the general forum but it was suggested it should be in here.

Here is the link to it: http://www.techexams.net/forums/off-topic/87774-advice.html

I was wondering if I could get advice on it. Everything is said in that thread.

Thanks in advance

oli356

Can't actually read the assignment, can you just copy the text in here. Even upload the packet tracer file to somewhere like Upload - Speedy Share - upload your files here - easier than looking at the images.

wilcochris

Hi Oli356, thanks for the reply. This forum is by far the most helpful I have looked at.

Here is the link to the packet tracer file: cisco.pkt - Speedy Share - upload your files here

Firstly I want to know if this is doable. Also, is this a standard assignment based on what one would learn in LAN switching and WAN modules with Cisco.

What I am mostly struggling with is VLANs. I have read the manual and done the labs and I don't get it.

I will post the assignment below:

The Directorate of Diplomatic Officers has recently agreed a new network infrastructure to connect its 3 international offices in Rome, Cambridge and Chicago. Your task is to complete the design and produce a working prototype configuration to prove the implementation will work. .

The offices in Cambridge, Chicago and Rome will be interconnected via resilient T1 mesh network. The clock rates are provided by Cambridge and Rome.

It is anticipated there are requirements for around 2300 hosts at the Chicago office and a potential 1093 hosts at both the Rome and Cambridge offices. There will be 12 further offices within Europe in the next 2 years each with a minimum of 550 hosts each.

The Cambridge office is used to host a connection to the Internet via a Managed Ethernet Connection (Fast Ethernet) with an allocated address of 209.123.234.5/30.

As the organisation has not previously been connected to the Internet, they have not been allocated a block of addresses to use other than the dedicated Internet link. The new network design must use a configuration to reflect this lack of addresses and utilise appropriate addressing through use of RFC1918 addresses

The organisation needs to implement a security policy on a suitable router to

• Ensure that only users from its main 3 offices can attach to the corporate data centre at 199.199.199.199.
• Only Chicago users on the Administration VLAN are able to access the Finance Server hosted at an ASP at address 200.200.200.200, utilising an application on Port 1234 using TCP.
• Only Rome and Cambridge users are able to access an EU Research database using http, https and ftp (remember ftp uses two ports) on address 194.123.88.99
• All users need to access an off-site email server running both IMAP/POP3/SMTP in the appropriate directions on address 180.145.22.33.
• Block access to a range of file-sharing networks using IRC where demotivated employees are downloading copyrighted material using networks 206.206.83.0, 206.207.82.0, 206.207.83.0, 206.207.84.0 & 206.207.85.0.
• only internal initiated connections are permitted to access the Internet.

All security violations must be logged in an appropriate syslog server.

Additional considerations which will need to be addressed include:

1. Design, justify and implement a classless based addressing scheme which will implement a VLSM to save spare addresses to encompass both the WAN and local office based LAN’s
2. Setup appropriate links to the Internet and ensure anywhere on the network can access the organisations data centre at 199.199.199.199.
3. Ensure appropriate secure routing and data-link connectivity between sites is used at all times
4. Implement appropriate scaling techniques to allow the organisation to connect to the Internet whilst maintaining their internal addressing strategy.
5. Implement the appropriate ACLs or firewall functionality in line with the organisations security policy at the most appropriate place
6. Basic Router & Switch Security should be applied to all console and virtual connections. Consider the use of appropriate technologies to help prevent unauthorised eavesdropping
7. Configure all network equipment to be queried via SNMP for basic location, contact details and utilisation for serial links. Use only RO communities and test utilising a SNMP tool of choice. - TO DO AFTER EASTER BREAK

Set up a syslog server and configure the equipment chosen to host the security policy to log all security violations

oli356

Ok that website is rubbish, have to sign up. Can you try 2shared - file upload and sharing instead please!

oli356

What's the password for the switches/routers? why isn't it cisco ?

What exactly is the problem you are having then with VLANs? Unfortunately I don't have much time to properly understand the assignment as this weekend I am preparing for a presentation I am doing next week to T-Mobile so rather busy!

wilcochris

LOL. Passwords are cisco and class. Wonderful Cisco

They VLANs don't seem to implement properly. When I try and put it on the router fa0/0.1 with an ip address it won't ping. I just don't understand how VLANs work. Like I say I have followed the cisco book and done the labs but i just don't get it.

Maybe I should have opted for something else instead of Cisco

Thanks for looking, T-Mobile must be keeping you busy. Presentations suck. lol

Thanks again

wilcochris

A quick question re what I have posted. Can I have a server address of 200.200.200.200 with a gateway of 10.0.0.1? I had it like that and it wouldn't ping. Would it work if I set the vlan ip address in the 10.0.0.0 network?

oli356

No because the whole point of the gateway is your point of contact to get you off the network onto remote networks. 200.200.200.200 and 10.0.0.1 are totally different networks... so the server wouldn't have a clue how to get there in the first place.

I had a quick look. I'm still unsure of what exactly you are struggling with, you need to give details - device names, ports, IP addresses etc. What I noticed though is that the port the finance server is plugged in to on the switch, the interface needs assigning to the VLAN you set.

You have created a SVI on the Chicago Switch, 200.200.200.202 so if fa 0/2 is on VLAN 20 you will be able to ping that address from the finance server.

I also removed the native VLAN of 20 from int fa 0/1. Now if you had another host connected to Chicago switch, the host would be on VL1 and therefore unable to ping the Finance server. Therefore achieving "Only Chicago users on the Administration VLAN are able to access the Finance Server hosted at an ASP at address 200.200.200.200"

wilcochris

Hi Oli. Thanks for the advice re the networks. That was a rookie question on my part. I apologise for my dumbness.

I had VLAN 20 set up as the administration VLAN. I was copying what was set up in the VLAN labs. This is where I am getting confused. I just don't know how to implement it. I get the whole reason for the VLAN. I thought by setting up the way I did with VLAN 20 and port fa0/1 set to use VLAN 20 that I was doing it right. Was I right in doing this and having port fa0/1 as switchport mode trunk using native VLAN 20?

I will implement ACLs to only allow Chicago access to the finance server. As it stands, I am advertising it through OSPF.

Sorry if I am not wording all this right. So confusing. As it says, I am trying to use the VLAN to allow access to the finance server to only Chicago.

I find VLANs so confusing. This is primarily what I am struggling with. I think if I can get my head round that I will be fine.

Again, thanks for looking and the advice. This is more valuable than what the lecturer does. He says get on with it and sits back

oli356

I've never really seen the native VLAN changed. So I would just leave it alone, fa 0/2 where the server is connected to would need to be VLAN 20.

Different VLANs use different subnets so you could apply a ACL on the outbound of fa 0/2 which blocks all access if the source host isn't on VLANs 20 subnet. There are probably different ways to do this.

Research more on VLANs, watch some youtube videos and play with them for a bit. Very simple topic to understand and why you would use them.

wilcochris

I think YT might be my friend on this. Lol. Thanks for your help.

Would I need to implement the vlan on the router too?

Just one more question. Am I in the right direction by putting the other servers on loopbacks as it doesn't specifically state to use vlans.

oli356

I would just use servers and assign them IP addresses, keep them on VLAN1 as default.

Once you learn about VLANs you will learn where they need to be implemented have a look at the 2 different ways of inter-vlan routing as well.

wilcochris

Hi Oli, thank you so much for your help. It cleared things up. I YT'd VLANs and that was helpful too.

I can't seem to find an answer to a question I have. If I use inter-vlan routing using dot1qt can I use VLANs on different networks? As you can see from the assignment, the servers are on different networks. Would the dot1qt allow Internet access? I know that regularly they have to be on the same network that the gateway is on.

i hope I make sense.

Chris

oli356

Inter-vlan routing just means routing across VLANs. Every VLAN uses a different subnet/network. For example
Vlan1: 192.168.1.0 /24
Vlan2: 192.168.2.0 /24
These are therefore on different networks.

dotlq - 802.1Q is just the standard for VLANs, there is also ISL which is Cisco's own (no one uses it) - you decide which one you want to use, even though everyone goes for dotlq. They do the same thing, they just work differently.

I hope that fills any gaps of confusion.

wilcochris

Hi Oli, again thanks for all the help.

in theory, the 3 servers could be on separate VLANs and still communicate using the dot1q? Or am I way off the mark?

Gonna read more on inter-vlan routing and try the labs again.

Youve been more helpful than the lecturer. Cheers

oli356

I'm confused what you mean about "communicate using dotlq".

Check this file for example https://dl.dropbox.com/u/67409120/Demo.pkt
I just made. VLAN 1 and VLAN 2.
There are 2 methods for inter-vlan routing:
1) Router on a stick - an old method where you need to use a router connected to a switch
2) Layer 3 routing - the new method using layer 3 switches. You configure Switch Virtual Interfaces (SVIs) int vlan 1 .. ip address ..... and then turn on ip routing

Method 2 is the one done in this lab. So there are 2 VLANs, 2 different networks. If you go onto the switch and do a "show vlan brief" you can see that FA 0/1 - 2 are on VL 1 and Fa 0/3 - 4 are on VLAN 2. You can ping between all of the computers as well as inter-vlan routing is turned on.

Now, if you turned off inter-vlan routing (configure mode - no ip routing) then there would be no connectivity across the VLANs. VLANs are cool, currently working on a $13m test lab and just to make life simple there are dozens of VLANs for different purposes.. The top of rack switches are on 1 VL, the terminal servers on another, the IP PDUs on another, OOB management, etc etc etc.

wilcochris

Hi Oli,

I have fa0/0 on Cambridge with an ip of 10.16.0.254 under the 10.0.16.0 network (as the crazy assignment suggests)

Now, with the address of each of the servers they wouldn't be able to access the Internet as the gateway is on a different network. I was basically wondering how this would work using VLANs and routing.

Would it be possible at all?

I used the loopbacks as I couldn't understand VLANs for one and how connectivity would work with a gateway on a different network for two

oli356

i will look in a second but you CAN NOT have a gateway on a different network, the point of the gateway is to get to different networks.

wilcochris

Thank you so much Oli. I am understanding it now. It helps so much to have a working example. So I could use a multi layer switch with vlans for each of the servers and then trunk to the router without having to do inter-valn routing on the router?

Another quick question, ACL's will still be implemented right

oli356

uhhh yeah.. trying to get my head around it without reading the assignment again. Just try it and see what happens Nothing ever works first time in networking!

Yeah, nothing changes on that side.

wilcochris

It's an awful assignment. I think I am going to have to have stern words with the lecturer. I can't see how this can be done without having 3 separate routers for the 3 server networks. If I have cambridge fa0/1 with 10.0.0.254/8 there is no way out from the servers that are on different networks.

Or am I being dumb in thinking that?

I am using the file you posted and I have added a router to the switch but I cannot get any devices to ping it if the router is not on that network - which is what is supposed to happen. Is it going to be a case of 3 routers to achieve this?

oli356

If you add a router to the switch (Sw fa 0/5 >> Router fa 0/0) the router needs something to talk to on his subnet (192.168.3.0 / 24 ) if you go onto the switchport the router is connected to and do a "no switchport" and then assign an IP address as you would normally, then there should be connectivity.

The no switchport command makes the port L3, hence being able to give it an IP.

wilcochris

Hi Oli, just gave that a try and the PC's still can't get out of the network. They can ping each other, but they get no further than that switch and can't even get onto the router. I am assuming it's because the fa0/5 and router fa0/0 are different networks to the pc's.

Just not sure how the different networks would get out of the network onto the internet

I really do apologise for sounding so dumb

chmod

You don't understand the fundamentals of networking.

You need step back a little and understand the most basic things. Do you know why you configure an ip, subnet mask and default gateway in your computer network card? do you know where the DG ip comes from, how a switch knows how to reach another PC, where is the traffic tagged, why is it tagged, what is a tag, how is tagging handled by a switch?.

I'm not sure if we can have a chat in TE, if there is a way i'll be more than glad to help you out with this.

wilcochris

I do understand network fundamentals. I am, however, struggling to understand VLANs. What I'm struggling with is trying to get 3 separate networks to go through the default gateway. I've read and read the Cisco chapters on VLANs and tried the vlan and inter vlan routing labs. I have a feeling that this assignment is not doable. The only way I can figure out to allow the servers (minus finance) access to the Internet and rest of the network is to use loop back addresses.

My lecturer alluded to the fact that separate networks can access the network through a gateway on another network by using inter vlan routing

chmod

Based on your questions seems that you are either confused or not understand the concept at all not just vlan.
Maybe there is something about a very basic topic that you did not get quite well and that is why you are having such a hard time to undertand more advanced topics.

If you want i can give you an explanation over skype or chat.

If you don't understand ip addressing, how a PC and a switch reach another PC/device you won't understand other topics(like is happening now). You don't know why a l3 port or l2 and how they interact together.
You are asking if i use this IP and this other IP would this work? clearly shows you don't why you input certain ip in your pc which is basic to understand.

If i give you an straightforward answer of how to do it you won't understand what you are doing, the question about the ip addresses of the DG means you don't the get concept yet, but is OK.

I'll try to make an explanation with an example and post it later in a few hours, hope that helps you understand the concept adn solves your issue.

wilcochris

Hey chmod, I appreciate the comments.

I do understand the basics. It's VLANs that seem to be confusing me. I understand why they are used and why they are a good thing.

I know that a PC sends say a ping packet to another PC and that the router then checks the routing table and forwards out the correct port (after it has learnt the addresses of the network) and that the device that receives the ping then sends a response.

I know L3 deals with the IP addressing and that L2 is MAC and data link.

L2 uses the MAC in the address table and corresponds that with the IP address to send it to the right device.

I guess what confuses me is the professor alluding to 10.0.0.1/8 being able to communicate through a gateway of 192.168.0.1/24 using VLAN.

It makes no sense to me at all that it would do it like that.

It's logical that 10.0.0.1 and 192.168.0.1 are different and that they can't use a gateway that is on a different network. I guess getting mixed knowledge from the professor is confusing me.

What I am trying to do is get the 199.199.199.0, 180.145.22.0 and 194.123.88 networks to get off the switch and onto the router out into the network and internet. This is one of the reasons I though VLAN's and inter-VLAN routing would do what I want.

Looking at the Cisco inter-vlan routing lab, it states that sub interfaces can be used and I was kinda under the impression that these sub interfaces could be used as the DG to get out onto the network.

I guess I am in the wrong direction. I'll PM you my email so we can chat if you want to.

chmod

What you mentioned above is wrong. I'll try to help you later on today.

wilcochris

What parts are wrong?

L2 is MAC and L3 is IP right. Isn't that what the OSI model says.

The stuff I had written is what we are being taught by the professor.

Is it really wrong?

This is what I gleaned from Cisco too

My bad. It missed out that switches are L2, and the MAC address table is stored on the switches

chmod

Half right half wrong is just the concept more than a paragraph per se.

I'll add you to google talk.

wilcochris

Big thanks to Oli356 and chmod for helping me understand VLAN's