THREADED CASE STUDY
ACACIA SCHOOL PROJECT
Cabling plan
The figure below shows the main cable routes. At each point marked on the figure with a circle, three cables from the student subnet (Curriculum) and one cable from the instructor subnet (Administration) will be brought in. In the rooms that contain PCs from the Curriculum network, three 12-port hubs will be placed (to provide the minimum of 24 hosts per room). The rest of the equipment is placed in the MDF. The MDF will be the room that also houses the POP, because that room meets the space and security requirements needed to justify this choice. Because some of the rooms that must be cabled fall outside the MDF's catchment area (90 m), an IDF is required. The link between the MDF and the IDF will be made with four UTP CAT 5e cables. Cables will be labelled according to the scheme: MDF(IDF) - room number.
I have also provided a subnet in which the servers (DNS, e-mail, Application, Administration, Library, File Server) that must be present in every school are placed.
I suggest Fast-Ethernet (100 Mbps) network cards for every PC on the network, although 10 Mbps cards can also be used for the computers on the Curriculum network.
Logical network diagram
The figure below shows the logical diagram of the network.
Required equipment:
1 CISCO 3600 router (3 Fast-Ethernet interfaces and 1 Serial interface)
6 24-port switches (MDF + IDF, Curriculum subnet)
2 24-port switches (MDF + IDF, Administration subnet)
3 8-port switches (Servers, Curriculum, Administration)
30 12-port hubs (in the rooms that contain computers from the Curriculum subnet)
Addressing scheme
The 6 servers required in each school will receive public addresses. A single class C network is enough for all the servers and all the router interfaces. In Acacia, the servers have addresses between 212.54.96.2/29 and 212.54.96.6/29. The 29-bit mask yields 30 subnets with 6 hosts each.
Computers on the Administration network will receive private addresses (also class C) from the range 192.168.2.2/24 - 192.168.2.254/24. Addresses for these computers will be assigned statically.
Computers on the Curriculum network will receive private addresses (class C) from the range 192.168.1.2/24 - 192.168.1.254/24. Addresses for the hosts on this network are assigned dynamically and are obtained from a DHCP server configured on the Acacia router.
Configuring the Acacia router
Below is the list of commands needed to configure the Acacia router. This router interconnects the three subnets in the school and provides the link to Greenway C.O. (WAN uplink).
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Acacia
!
enable password cisco
!
no ip name-server
ip subnet-zero
no ip domain-lookup
ip routing
!
! Servers subnet 212.54.96.0/29; the router takes .1, the servers .2 - .6
interface FastEthernet 0/0
 no shutdown
 description connected to Servers
 ip address 212.54.96.1 255.255.255.248
 keepalive 10
!
! Curriculum subnet; hosts obtain their addresses from the DHCP pool below
interface FastEthernet 1/0
 no shutdown
 description connected to Curriculum
 ip address 192.168.1.1 255.255.255.0
 keepalive 10
!
! Administration subnet; hosts are addressed statically
interface FastEthernet 2/0
 no shutdown
 description connected to Administration
 ip address 192.168.2.1 255.255.255.0
 keepalive 10
!
interface Ethernet 3/0
 no description
 no ip address
 shutdown
!
interface Serial 3/0
 no description
 no ip address
 shutdown
!
! DHCP Server: the router's own address is excluded from the pool
service dhcp
ip dhcp excluded-address 192.168.1.1 192.168.1.1
ip dhcp pool 1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
! RIPv2 for the three internal networks
router rip
 version 2
 network 212.54.96.0
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
!
ip classless
no ip http server
!
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 password cisco
 login
!
end
The routing protocol chosen for the internal networks is RIPv2. A static route provides the link to the WAN.
Access Control Lists
To protect the network against attacks from both inside and outside (the Internet), ACLs are required. The three lists below are entered from the router's configuration mode; every IOS access list ends with an implicit deny any, so any traffic not explicitly permitted is dropped.
Acacia# conf t
Acacia(config)# access-list 100 deny ip any 192.168.2.0 0.0.0.255
Acacia(config)# access-list 100 permit tcp any host 212.54.96.2 eq 53
Acacia(config)# access-list 100 permit tcp any host 212.54.96.3 eq 25
Acacia(config)# access-list 100 permit tcp any host 212.54.96.3 eq 110
Acacia(config)# access-list 100 permit tcp any host 212.54.96.4
Acacia(config)# access-list 100 permit tcp any host 212.54.96.6 eq 21
Acacia(config)# access-list 100 permit tcp any host 212.54.96.6 eq 20
Acacia(config)# access-list 100 permit tcp any any eq 80
(implicit deny any)
Acacia(config)# interface e1
Acacia(config-if)# ip access-group 100 out

Acacia# conf t
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 212.54.96.2 eq 53
Acacia(config)# access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 212.54.96.2 eq 53
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 212.54.96.3 eq 25
Acacia(config)# access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 212.54.96.3 eq 25
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 212.54.96.3 eq 110
Acacia(config)# access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 212.54.96.3 eq 110
Acacia(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 host 212.54.96.4
Acacia(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 host 212.54.96.4
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 212.54.96.6 eq 21
Acacia(config)# access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 212.54.96.6 eq 21
Acacia(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 212.54.96.6 eq 20
Acacia(config)# access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 212.54.96.6 eq 20
Acacia(config)# access-list 101 permit ip 212.54.96.0 0.0.0.7 any
(implicit deny any)
Acacia(config)# interface e1
Acacia(config-if)# ip access-group 101 in

Acacia# conf t
Acacia(config)# access-list 102 permit ip 212.54.96.0 0.0.0.7 any
Acacia(config)# access-list 102 permit tcp any any eq 25
Acacia(config)# access-list 102 permit tcp any any eq 53
Acacia(config)# access-list 102 permit tcp any any eq 110
Acacia(config)# access-list 102 permit tcp any any eq 80
(implicit deny any)
Acacia(config)# interface s0
Acacia(config-if)# ip access-group 102 in
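To check what these lists actually pass before applying them, here is a small evaluator, added for this edit and not part of the case study, that parses access-list lines in the IOS form used above and applies first-match-wins with the implicit deny; the sample packets and the outside source 203.0.113.9 are constructed.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, wildcard="0.0.0.0"):
    # IOS wildcard = inverted netmask: 0.0.0.0 selects one host, 0.0.0.7 a /29
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _addr(tok):
    # consume one address spec from the token list: any | host A | A WILDCARD
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return net(tok.pop(0))
    return net(t, tok.pop(0))

def parse(text):
    """Group 'access-list N {permit|deny} {ip|tcp} SRC DST [eq PORT]' lines by
    number; prompts, blank lines and notes such as '(implicit deny any)' are skipped."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        _, number, action, proto, *rest = tok
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(number, []).append((action, proto, src, dst, port))
    return acls

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; a 'permit ip' entry matches every protocol; anything
    left over falls through to the implicit 'deny any' at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto) or s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"

# Constructed excerpt of the syntax-corrected Acacia lists 100 and 102.
ACLS = parse("""
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 permit tcp any host 212.54.96.2 eq 53
access-list 100 permit tcp any any eq 80
access-list 102 permit ip 212.54.96.0 0.0.0.7 any
access-list 102 permit tcp any any eq 25
""")
```

Running it shows two things the lists alone do not make obvious: list 100 only permits DNS over TCP, so ordinary UDP port 53 queries are dropped, and list 102 passes any packet arriving from the WAN whose source claims to be in 212.54.96.0/29, which is worth tightening with an anti-spoofing deny ahead of that entry.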