Designing an Enterprise Network


shonen

Hey Guys.

I have an assignment that I have been working on that involves designing an enterprise network for an organization that utilizes the Cisco hierarchical architecture design. To be honest I feel like a bit of a fish out of water seeing as the class I attend were not properly prepared for designing such complex networks let alone have we even seen how such networks are designed and laid out on paper. It would be like giving a preschooler a hammer and nails and asking them to build a house.

In any case I was hoping that some of you people who have more experience in doing this in a real life situation could point me in the right direction, give me pointers and clarify any questions that may arise while I am researching and writing it up.

The topology consists of 6 buildings on the one site much like a school campus network (I will include my Diagrams thus far).

Sites

sites.jpg

Cisco hierarchical architecture design

ADC2-Layers.jpg

Topology

cc-topology-1.jpg

NOTE: Due to the number of client workstations, VoIP telephony and WAP devices the above graphical representation is not accurate. The main points of interest for this assignment are the core, access and distribution layers.

DMZ

VM-DMZ.jpg

Server Farm Block

SERVER-FARM.jpg

Below is a list of server roles I have come up with to meet the client's needs as stated in the assignment brief. Applications were predefined in the assignment.

Server Service Implementation Overview:

• Domain controller for centralized administration of the network's users, allocating file shares and backing up procedures.

• Web & File Transfer Protocol (FTP) server for hosting website related content.

• SMTP mail server for email data delivery.

• Proxy server for caching web-based content and monitoring visited sites to help enforce the organization's terms of use agreement policy.

• Domain Name Server for storing DNS records.

• Trivial File Transfer Protocol (TFTP) server for backing up network device configuration.

Application Implementation Overview:

• Systems, Applications and Products (SAP) used throughout the company to manage manufacturing, inventory, distribution and ordering processing.

• PeopleSoft used for financial management and reporting throughout the company.

• Custom Oracle database used throughout the company, primarily for reporting and decision support.

Questions I have so far

1: Suggested models for layer 2 (access), Layer 3 (distribution) and core layer switches?

2: Suggested Media, connectors and appropriate modules/expansion slots for interconnecting the fiber back bone (core, distribution and access layers).

I hate to ask but I have had very little exposure to high end Cisco Equipment and the documentation and wide variety of models/modules on their site is rather confusing.

3: Suggested iSCSI Switch and media for linking the SAN to the server?

iSCSI has not been covered in class and after doing some online research I found that there were a couple of varieties and was confused as to which one would work better for this assignment.

4: I am having a bit of a mental blank but I believe there is a protocol that can be used to set up a virtual port for the gateway on a router. It's generally used when two routers are connected to a network to have fail over in the event a router dies.

5: From my limited understanding RADIUS only authenticates users but does not encrypt traffic, is this correct?

6: If you are to use AAA authentication on a router, which is more secure: TACACS+, RADIUS or other?

That pretty much covers my questions for now but I am sure I will have a few more as I slowly write this thing up and do the diagrams for it. This assignment also has a security component which I will more than likely be picking your heads for too.

To be honest I really hate asking such things online but this was sprung on me at the last minute and I am in a bit of a pinch and yeah you guys have been more than helpful in the past, plus I may just learn something. XD Thanks in advance to all who give advice seeing as this stressed out TAFE student is very much appreciative. Also I will be using this thread as a reference source in my assignment, those of you who have been helpful will be getting a special mention.

Link to comment

1: Catalyst 6513s at the core, Catalyst 4500 Series at the edge.

2: Suggested Media - 12 or 24 Strand Single Mode Fiber

connectors and appropriate modules - Cisco 10GBASE X2 Modules

3: Cisco Catalyst 3750 and Cat6 cables.

4: Load Balancing. I think this is what you are looking for.

5: RADIUS authenticates users, you would need something like IPsec to encrypt traffic.

6: TACACS+ (see: TACACS+ and RADIUS Comparison)

Hopefully someone will double check me. This should get you in the ballpark. Hope it's not too late.

Link to comment

  • 2 weeks later...

Hi shonen,

Hopefully this finds you before your deadline. Brings back memories of when I was in the networking academy... Anyway, I will give you my thoughts on the matter and hopefully this will help.

1: Suggested models for layer 2 (access), Layer 3 (distribution) and core layer switches?

Core of the network would be a 6500E chassis with the series 720 supervisor. The exact chassis is going to depend on the type of switches that you deploy on your network. If you are looking at 10/100 then you would need to find a chassis that will support enough gig backbone links for your distribution layer. If you are going with gig to the desktop then you can go with gig backbones, but the industry is moving to 10 gig. Table 2 on the below page will help you make the determination.

Cisco 6500 Datasheet

For the distribution layer I would go with 4500E chassis and the Supervisor 6E for the enhanced backplane speeds (24 Gbps per slot as opposed to 6 Gbps on the standard chassis). This will allow you to get a higher port density, up to a 24 port gigabit SFP line card to run to the access layer switches.

For the access layer I would go with stackable switches for redundancy. The 3750-E series would be an ideal access layer switch. The stackable nature of the switch allows the backbone or uplink connections to the distribution layer to be shared between all of the switches in the stack, increasing the maximum bandwidth to the device. Each switch comes with the twin gig converter that allows for 4 SFP gig ethernet ports or two 10 gig ethernet ports.

2: Suggested Media, connectors and appropriate modules/expansion slots for interconnecting the fiber back bone (core, distribution and access layers).

This as I said depends on your connection methods to the desktop. I personally run gig to the desktop, usually 2 gig to each 48 port switch depending on usage, and redundant 10 gig links from the distribution to the core. If you know what you want to run I can give you an idea of what to use for the modules.

3: Suggested iSCSI Switch and media for linking the SAN to the server?

I personally do not use iSCSI so I will have to defer to someone else on this.

4: I am having a bit of a mental blank but I believe there is a protocol that can be used to set up a virtual port for the gateway on a router. It's generally used when two routers are connected to a network to have fail over in the event a router dies.

HSRP - Hot Standby Router Protocol.

HSRP Information

5: From my limited understanding RADIUS only authenticates users but does not encrypt traffic, is this correct?

You are correct on RADIUS. RADIUS is only for AAA and does not encrypt traffic. The only item in RADIUS that is encrypted is the password, with an MD5 hash. An IPsec tunnel would be the best bet in addition to RADIUS for the encryption of the traffic.

6: If you are to use AAA authentication on a router, which is more secure: TACACS+, RADIUS or other?

I would suggest TACACS+ only for the fact that the entire packet is encrypted as opposed to just the password in RADIUS.

Link to comment

Hey Guys,

I didn't think I was getting a response to this seeing as it is for a school assignment (which is fair enough). Anyways I ended up finding some information on RADIUS vs TACACS and a few other bits and pieces but the links and advice help fill in a few blanks I have.

Thanks a bunch for the information, links as references and suggested hardware models. My assignment partner was supposed to do the hardware sourcing while I work on everything else (he is still yet to deliver and I have one week until hand in) so it was a big help and saved me a great deal of time.

Thank you very VERY much for taking the time out of your day to help a fledgling student, it was perfectly timed.
