Read Microsoft Word - CASE Study for CCNA3.docx text version

CASE Study for CCNA3/4

The following shows a long conversation between Zoida, the owner of the DaWine accounting company, and Brad, the network consultant and also a good friend of Zoida. Please read their long conversation carefully to complete CASE study for CCNA 3/4.

Zoida : Hey Brad, how are ya? Brad : Not too bad, mate. How are things going with you, mate? Zoida : It flows, mate. It flows..., Brad : I heard you dumped your girl friend. Are you crazy or something? Look at yourself, mate. How on earth could you get a wonderful lady like Marry again??? Zoida : No, mate. It's not like that. There was something about Marry, mate... It's not me, mate. It is her who dumped. I've been dumped, mate... There was something about Marry... Brad : Oh, no wonder. That sounds alright! And that's understandable. :D Zoida : What the ... Brad : Hey, Zo, I heard you are going to setup a network for your company. Do you need any help from me? Zoida : Yes, I need a lot of help, mate. My network consultant and engineer do not make me happy. They seem to be alright but they do not have enough knowledge on computer networking. They don't even have CCNA, mate ... Please Ma Ma Ma make me happy, mate. Brad : You've gotta find someone with at least CCNA certificate, mate. By the way, what is the problem? Zoida : Well have a look at this paper.

Brad : What on earth is this? Zoida : That's the "Considerations on setting up the network" written by my network consultant. Brad : Well, it doesn't say anything at all. "Network security must be provided"? This doesn't explain how much we have to work on to setup a security on your network, and the server list doesn't say where those servers must be placed. Jesus. This document is useless. Zoida : I Know. That's why I want to sack my network consultant and give you a contract work for the designing the network. Brad : Now you are talking. :D :D :D

Brad : Zoida, the very basic network design for any type of small business is like this.

It requires two routers and two firewalls and one switch. These are least requirements. The external router establishes a connection with external network such as internet, and the internal router interconnects the internal networks (office network). The external firewall does filtering on network traffic from external network and internal firewall does filtering on traffic from internal network. And the DMZ exists between the external firewall and internal firewall. The external and internal routers are also configured with basic ACLs to filter the traffic, but most of work is left to firewalls. The reason is firewall features of router are the software solution, and the HW firewall works much faster and much more efficiently.

Zoida : Wait a minute. What is DMZ? And why do we need that? When I served the national service (military service) in Korea, I worked around DMZ. The place was like the picture on the right.

Two military forces were placed with the DMZ in the middle but within the DMZ there wasn't any military force. It was like no force, and no protection to buffer two different military forces. So does the DMZ in your network diagram do the similar thing?

Brad : Well, Zoida, I am sorry that your country is still divided into two... Should be reunified one day... You North and South Koreas are like brothers and sisters ... Hmm Hmm Hmm, back to the point, you are right. The DMZ in my network diagram does the similar thing. So if you have a look at this picture;

See? The DMZ is placed between "Unknown and insecure network" and "Trusted Network". It provides some sort of protection to Trusted network from possible attacks from the external and insecure network.

Zoida : I would be able to understand if your story was about the military DMZ thingy, but we are talking about the computer network. How does DMZ can protect the trusted network???

Brad : That's a bloody good question which I never expected to hear from you.

Zoida : What the ...

Brad : see this picture. This picture shows the network diagram which doesn't have DMZ.

Zoida : It looks alright. What could be the problem with that?

Brad : Well, let's assume that you need to setup a public web server which has your company's homepage. In this case, you need to make the IP Address of your web server visible to external users, don't you? Otherwise no one from outside can connect to your public web server (website). And you have to place the web server within the internal network. Like the next picture.

Now, let's say your internet address space is and the web server's address is And you have to let the public know the IP Address of public WEB server. This means that if there's any attackers or hackers out there, they would know very easily what they have to attack and what the address of the target to attack is. In this picture, The target address will be, and if any of them succeeds attacking web server, they will have at least the access to at least your internal network. Then your internal network will be in danger. The two factors which cause problem here is: First, you allow the external user to access your internal network directly, and Second, the IP address of a node in your internal network will be visible to outside. If a target is visible, it will be more likely picked up to be attacked. Zoida : Ok okay okay. But how does DMZ can protect the internal network?

Brad : I am explaining it now, mate. Just be patient. If you have a look at the next picture... The next picture shows the network with DMZ. And these are rules which are very often applied to the DMZ.

Rules on External firewall: External firewall allows the traffic from DMZ network to external network. External firewall allows the traffic from external network to the DMZ network (including Web server from the picture) External firewall drops all other traffic.

Rules on internal firewall: Internal firewall allows traffic from internal network to the DMZ network. Internal firewall allows traffic from DMZ network to internal network. Internal firewall drops all other traffic.

So it will be like:

As you can see, none of the traffic from external, insecure network is allowed to access internal network directly by EXTERNAL firewall and none of traffic from internal network is allowed to access external network directly by INTERNAL firewall. So as a result, the direct communication between internal network (secured, and trusted) and external network (insecure, and untrusted) are NOT allowed, and all traffic must go through DMZ network. This can eliminate one of the problems of the network without DMZ, which is "direct access from the external network to internal network is possible". And there's a lot more benefit to have DMZ. I will leave it to you to find out those benefits. (Benefits of having DMZ must be researched and included in your CASE STUDY report).

Zoida : Well, it sounds good, but we don't have enough budge to purchase two routers, and two firewalls. Is there any way to cut down the cost? Brad : Yes, there is. The previous pictures showed the physically located DMZ, but we can create logically created DMZ. If you have a look at the picture below,

Cisco router has ACL feature which provides the filtering technology. So we can replace Router + Firewall with a Router configured with ACL.

So by replacing (a router + a firewall) with just one router configured with ACL can cut down the cost. Well we can not expect the same level of functionality as a separate hardware firewall though.

Zoida : hmm, any way to cut more cost?

Brad : Jesus! You're so stingy!!! But as a matter of fact, there is a way to do further cost cut off. If you see the next picture,

If you see this part logically, this part consists of three different networks, one for external network, another for DMZ, and the other for internal network. If that's all we need (three networks) we can change with something like the next picture.

So we can replace two routers with just one router which has three interfaces, one for external, another for DMZ, and the other for internal network. Some people call this "logical DMZ".

Zoida : Oh, sounds excellent!!! How much do you want to do this?

Brad : Yea, right...

CASE Study requirements.

This case study is for postgrads students only. This case study is a group work. A group of three to four students can work together. No example network topology is given for this CASE STUDY. You are setting up a network for your friend Zoida. Your network configuration must implement the DMZ network. Some considerations are: Use packet tracer 5.0 for this assignment. You are allowed to use networking devices which are: One router. Many 24 port 2960 CISCO switches for internal network. One switch for DMZ network.

Internet connection and external router configuration. DaWine company has an Internet connection, and the static internet IP Address is Configure a loopback interface on a router to simulate internet connection. Configure PAT. Configure static port forwarding so that external users can access DMZ web server. Use TCP port 80 when you decide which traffic should be sent to DMZ web server. You must do a bit of research on static port forwarding and the result of research must be included in your CASE STUDY. Choose a routing protocol on your own for internal routing. You should explain why you chose such routing protocol in your CASE Study report. Configure a static route as a gateway for external connection. The router configuration must include basic router configurations (please refer to CCNA1/2 case study to find what basic router configuration). Internal network configuration. Use only one FastEthernet interface on a router for internal networks. There are three office networks in DaWine company. They are: Management subnet with 130 desktops. Accounting subnet with 160 desktops. Marketing subnet with 100 desktops. Human Resource subnet with 70 desktops. You are required to subnet network to accommodate these subnets. You should use VLANs for office networks, and inter-vlan routing for internal network routing process. Switches must be configured with VTP. Switches must have one or two trunk connection(s). Do not configure redundant links, nor STP. DMZ network configuration A subnet from network will be used for DMZ network. DMZ network should be able to accommodate up to 30 public servers. Place two servers in DMZ network. A web server. A web proxy. Place a server as a web proxy and give an IP address. All you need to check is connectivity between external network and a web proxy and internal network and a web proxy. You should do research on web proxy and the result of the research must be included in your case study. ACLs Based on what's been explained from the conversation between Brad and Zoida, you

should build ACLs on your own. Use extended named ACL or extended ACL only.

What is required for CCNA3/4 CASE STUDY

You have to assume that you are building a report which has to be shown to your client. The report must explain your configuration decisions on key areas such as subnetting, IP Addressing, routing protocol configuration, VLAN configuration, VTP configuration, Inter-VLAN routing, ACL configuration and whatever you think is important area. Any report format would be alright as long as it has a consistency in logical order. I warn you not to use fancy font, clipart, funky icons, too many different colors, and anything unnecessary. Once again, you are building a report which should be shown to your client. It has to be convincing, and should look professional. If you are not sure about "professional look report" I would suggest to reference sample reports from the internet. The report doesn't have to be lengthy at all. "Precise, concise, convincing in logical and consistent manner" is the key for the successful network consulting document. There is no limit on the number of words in the report. If you can make your report clean, easy to understand, and explain all key configuration parts with only 500 words, please do so. Or if you need 5,000+ words to achieve those, you can also use 5000+ words. To make your life easier, the followings are "MUST BE INCLUDED" items. Cover page, abstract, index page, appendix, and references. Subnet table + IP Addressing scheme (Logical diagram). Explanations on key areas of network configuration such as subnetting, IP Addressing, routing protocol configuration, VLAN configuration, VTP configuration, Inter-VLAN routing, whatever you think is important, and any result of research required in this CASE STUDY. In the report, you may have to use some part of configuration files to explain your configuration decisions and what effect the particular configuration lines make to the operation of the network. Append configuration files of a router and VTP server switch as appendix. Marking Scheme Presentation of report (10%) Do not use fancy font, clipart, funny pictures, unnecessary lines, boxes, and so on... Pay enough attention to "REFERENCE". Do not "copy and paste" at all. Network functionality (20%) Network must work. If your network doesn't work 100%, there will be 15% deduction straight away. Router configuration PAT (5%) Static port forwarding (10%) Basic configuration (5%) Inter-Vlan routing (5%) ACL configuration (15%) Routing protocol + default gateway configuration (5%) Switch configuration VTP server switch configuration (10%) VLAN configuration (10%) Subnetting and IP Address allocation (5%) You need to put a table of subnets and reasons why you subnetted in such a way. Send an email with your report (in word format or openoffice format) and the packet tracer (5.0) configuration file. Plagiarism A group which copies others will receive 0 mark, and a group which is copied from will receive 50% of the original case study mark. I hope this is enough warning.


Microsoft Word - CASE Study for CCNA3.docx

8 pages

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate


You might also be interested in

Microsoft Word - CASE Study for CCNA3.docx