1. Project 2 Gavin Tinnelly 24/04/2016
BSc In Computing Networking And Support Page 1
Project 2 Written Document
Networking and Support
Gavin Tinnelly
D00105336
Table of Contents
Introduction ... 5
User Requirements ... 6
Packet Tracer ... 7
Introduction to Packet Tracer ... 7
Packet Tracer Devices ... 7
Connectors ... 7
End Devices ... 7
Switches ... 8
Routers ... 8
Wireless Devices ... 8
Network Design ... 9
Layer 1 – The Physical Layer ... 10
Topology ... 10
Port Assignment ... 12
Dundalk Port Assignment ... 12
Dublin Port Assignment ... 13
Connectivity ... 14
Troubleshooting ... 15
Overview of Network Topology ... 16
Layer 2 – The Data Link Layer ... 17
Trunking ... 17
Trunking Configuration in the PayPal and eBay Network ... 18
Configuring VTP ... 18
Configuring Trunk ports ... 19
Link Aggregate Switching (LAGs) ... 20
Configuring LAGs ... 20
VLANs ... 21
VLAN Design ... 22
VLANs in PayPal and eBay ... 22
VLAN Configuration ... 23
VLAN Port Assignment ... 25
Test Connectivity ... 25
VLAN configuration on a Layer 3 switch ... 25
Test Connectivity ... 26
Troubleshooting ... 26
Point to Point Protocol (PPP) ... 27
Challenge-Handshake Authentication Protocol (CHAP) ... 27
Configuring PPP with CHAP ... 27
Wireless Network ... 28
Wireless Configuration ... 28
Connecting devices to the Wireless Network ... 29
Layer 3 – The Network Layer ... 30
Routing ... 30
Routing Configuration ... 30
Test Connectivity ... 32
Dynamic Host Configuration Protocol (DHCP) ... 33
DHCP in the PayPal & eBay network ... 33
DHCP Server Packet Tracer configuration ... 34
Dundalk DHCP Scope Table ... 36
Dublin DHCP Scope Table ... 36
Test Connectivity ... 36
Troubleshooting ... 37
IP-Helper ... 37
Access Control Lists (ACLs) ... 38
ACLs for PayPal and eBay ... 38
Configuring ACLs ... 39
Testing ACLs ... 41
Troubleshooting ... 42
Wide Area Network (WAN) Connectivity ... 43
NAT/PAT ... 43
NAT in the PayPal & eBay Network Build ... 44
NAT/PAT Configuration ... 45
Test Connectivity ... 46
Frame Relay ... 47
Frame Relay in the PayPal & eBay Network Build ... 47
Configuring Frame Relay ... 47
Test Connectivity ... 49
Virtual Private Network (VPN) ... 50
Virtualisation ... 52
The PayPal and eBay Virtual Network ... 53
Windows Server 2012 Active Directory Server ... 53
Active Directory ... 53
Active Directory Terminology ... 53
Active Directory in the PayPal and eBay Network ... 55
Active Directory Structure for the PayPal and eBay Network ... 56
Active Directory Script ... 57
Folder and Group Structure for PayPal ... 62
Folder configuration ... 63
Domain Name System (DNS) ... 65
Mail Service ... 65
Troubleshooting Mail Service ... 67
Internet Information Services 8.0 Website ... 69
IIS Configuration ... 69
Troubleshooting IIS ... 70
Dynamic Host Configuration Protocol (DHCP) ... 71
Testing DHCP ... 72
Windows Server Update Services (WSUS) ... 73
WSUS Configuration ... 73
Troubleshooting WSUS ... 74
Logon Script ... 75
Testing the logon script ... 76
Ubuntu Server 15.10 ... 77
Configuration of the Ubuntu Server ... 77
Apache Webserver ... 78
Testing the webserver ... 79
Samba File Share ... 79
Configuring Samba File Share ... 79
Testing the Samba File Share ... 80
Troubleshooting Ubuntu problems ... 81
Layer 3 Hybrid Switching ... 83
Configuring Hybrid Mesh Network ... 83
Bibliography ... 85
Conclusion ... 86
Appendices ... 88
Appendix A ... 88
Appendix B ... 90
Appendix C ... 92
Appendix D ... 95
Appendix E ... 97
Appendix F ... 99
Appendix G ... 100
Appendix H ... 101
Appendix I ... 106
Appendix J ... 108
Introduction
This project is a follow-up to the network plan for PayPal, which was completed in Semester 1. This
section of the project documents the implementation of the physical network build mentioned
previously. Some extra layers of complexity have been added to the original network design, such as
Layer 3 hybrid switching and a comprehensive ACL structure.
PayPal, a multinational online payment solution, and eBay, a global online sales website, have decided
to expand their existing call centre site in Dundalk, Ireland. This is a greenfield project, as both
buildings will undergo a complete upgrade/revamp. A small head office building will be located
in Dublin, 80 km from the Dundalk campus, and a high-end link will connect the two sites.
PayPal is the core building and eBay is the secondary distribution building; the two buildings on the
Dundalk campus will be connected via another high-end means of connection.
User Requirements
User requirements for this network build depend on which department the user belongs to, although
some requirements apply universally to all users on the network. The user requirements are as follows:
- All users require wired internet access and access to a printer.
- Staff members can avail of WIFI on their breaks in designated areas.
- The public can avail of free WIFI in designated areas.
- Each device on the network will be allocated a DHCP IP address.
- Each user on the network will have access to a shared departmental folder along with a personal folder.
- Users will have network access via VLANs based on the department they are in.
- Some users will be restricted in what they can do via Access Control Lists.
- Users will require access to the company's web server.
- IT staff require full access to the internal network and access to the Dublin site.
Packet Tracer
Introduction to Packet Tracer
Packet Tracer is a visual simulation program designed by Cisco that allows users to create network
topologies and imitate modern networks. It is a free application available on Mac OS, Linux and
Microsoft Windows, and it is most notably used for network implementation training.
The PayPal and eBay network topology will be created in the virtual environment of Packet Tracer to
implement the design discussed in Semester 1. The most up-to-date stable version of Packet Tracer is
6.3.0.
Packet Tracer Devices
Connectors
The connectors seen below in Figure 1 represent the cables used to provide a connection between
networking devices. End devices will be connected to the edge switches via a copper straight-through
cable. The edge, core and distribution switches will be connected to each other via copper cross-over
cables. The routers that provide the WAN connection will use a serial DCE cable. The
servers and the core router for each site will be connected to the Layer 3 core switches via copper
straight-through cables. The ISP routers will be connected to the webservers via copper cross-over
cables. Each Layer 3 switch in the mesh cluster will be connected to the others via copper cross-over
cables.
Figure 1
End Devices
The end devices seen below in Figure 2 represent the devices provided in Packet Tracer that are used to
access the PayPal network. The PCs will be used to represent the different VLANs on the network.
The laptops will be used to show connectivity to the wireless network. The servers will be
used to provide services on the network (DNS, DHCP, Web and TFTP). The printer will be
used to show that each member of staff has access to it for printing purposes.
Figure 2
Switches
The switches shown in Figure 3 represent real-world Cisco switches. A switch is a Layer 2 device, but
Layer 3 switches are also available that add routing capabilities. The mesh network will
consist of five Layer 3 switches. The normal PayPal network will use Layer 3 switches at the
core level and Layer 2 switches at the distribution and edge levels.
Figure 3
Routers
The routers shown in Figure 4 represent real-world Cisco routers. The routers in the PayPal
network provide users with internet access and a connection between
the Dundalk and Dublin sites via a VPN/Frame Relay link. The 1841 router was used at the edge
of the Dundalk and Dublin networks and also to represent an ISP in Dundalk and Dublin.
Figure 4
Wireless Devices
The wireless devices shown in Figure 5 represent the wireless devices available in Packet Tracer. The
AccessPoint-PT-N was used in this network build to provide wireless access to both staff and
guests. The access points were configured with a WEP password to prevent unintended access to the
service.
Figure 5
Network Design
[Figure 6: diagram of the Dundalk LAN and the Dublin LAN. Each site has end devices on Layer 2 edge switches, Layer 2 distribution switches, a Layer 3 core switch, WIFI connectivity and a router; the two routers are joined by a WAN link. Dundalk services: DHCP, DNS, TFTP, Web, Printer. Dublin services: DHCP, DNS, TFTP, Printer.]
Figure 6
The basic network topology design for the PayPal and eBay network can be seen in Figure 6. The end
devices represent the many devices that will be attached to the edge switches, and the servers
connected to the core switches represent a variety of servers, some of which are named in the
diagram. The routers at the edge of the LANs establish the connection between the two sites, and the
WAN link represents how this connection will be established.
Layer 1 – The Physical Layer
The physical layer is the first layer in the OSI model; the network topology and connection methods
are decided upon here. The connecting of devices and ports and the establishing of connectivity happen at
this stage of the project. Once the network topology has been designed, we may move on to the data
link layer.
Topology
The network devices required to build the topology can be seen in Figure 7.
Figure 7
These devices are a mixture of Layer 1, 2 and 3 devices. Once all the devices have been placed in
the Packet Tracer topology, a clear picture of what the network looks like can be established. The
method by which these devices were configured is documented later in this report.
The end devices (desktop PCs) have been connected to the Layer 2 edge switches via copper
straight-through cables as seen in Figure 8.
Figure 8
The edge switches will be connected to the distribution switch via copper cross-over cables. An
additional link will be created between each core and edge switch to set up Link Aggregation Groups
(LAGs) for redundancy.
Figure 9
The distribution switches will be connected to the core switch via copper cross-over cables as seen in
Figure 10. The two distribution switches will also connect to each other via another copper cross-over
cable; Spanning Tree Protocol (STP) prevents loops from occurring on the redundant paths this
creates.
Figure 10
The Layer 3 core switch will be connected to the router via a copper straight-through cable as seen in
Figure 11.
Figure 11
The routers at the edge of the Dundalk and Dublin networks will be connected using a Serial DCE
cable, via a cloud; this will be discussed in more detail in the WAN connectivity section of Layer 3.
Figure 12
Port Assignment
The port assignment for each device on the Dundalk and Dublin sites can be seen in Table 1 and
Table 2. These tables will also specify what device is connected to each port.
Dundalk Port Assignment
Device | Port | Connecting Device
--- | --- | ---
Dundalk Core Switch | Fa0/1 | Dundalk Router
Dundalk Core Switch | Fa0/2 | DHCP Server
Dundalk Core Switch | Fa0/3 | DNS
Dundalk Core Switch | Fa0/4 | TFTP Server
Dundalk Core Switch | Fa0/5 | Webserver
Dundalk Core Switch | Fa0/6 | Printer
Dundalk Core Switch | Gi0/1 | Dundalk Distribution Switch1
Dundalk Core Switch | Gi0/2 | Dundalk Distribution Switch2
Dundalk Distribution Switch1 | Fa0/1 | Dundalk Edge Switch1
Dundalk Distribution Switch1 | Fa0/2 | Dundalk Edge Switch1
Dundalk Distribution Switch1 | Fa0/3 | Dundalk Edge Switch2
Dundalk Distribution Switch1 | Fa0/4 | Dundalk Edge Switch2
Dundalk Distribution Switch1 | Fa0/5 | Dundalk Edge Switch3
Dundalk Distribution Switch1 | Fa0/6 | Dundalk Edge Switch3
Dundalk Distribution Switch1 | Fa0/7 | Dundalk Edge Switch4
Dundalk Distribution Switch1 | Fa0/8 | Dundalk Edge Switch4
Dundalk Distribution Switch1 | Fa0/24 | Public-WIFI Access Point
Dundalk Distribution Switch1 | Gi0/1 | Dundalk Core Switch
Dundalk Distribution Switch1 | Gi0/2 | Dundalk Distribution Switch2
Dundalk Distribution Switch2 | Fa0/1 | Dundalk Edge Switch5
Dundalk Distribution Switch2 | Fa0/2 | Dundalk Edge Switch5
Dundalk Distribution Switch2 | Fa0/3 | Dundalk Edge Switch6
Dundalk Distribution Switch2 | Fa0/4 | Dundalk Edge Switch6
Dundalk Distribution Switch2 | Fa0/5 | Dundalk Edge Switch7
Dundalk Distribution Switch2 | Fa0/6 | Dundalk Edge Switch7
Dundalk Distribution Switch2 | Fa0/7 | Dundalk Edge Switch8
Dundalk Distribution Switch2 | Fa0/8 | Dundalk Edge Switch8
Dundalk Distribution Switch2 | Fa0/24 | Staff-WIFI Access Point
Dundalk Distribution Switch2 | Gi0/1 | Dundalk Distribution Switch1
Dundalk Distribution Switch2 | Gi0/2 | Dundalk Core Switch
Dundalk Edge Switch1 | Fa0/1 | Dundalk Distribution Switch1
Dundalk Edge Switch1 | Fa0/2 | Dundalk Distribution Switch1
Dundalk Edge Switch1 | Fa0/3 | Call Centre Staff PC
Dundalk Edge Switch1 | Fa0/24 | Team-Leaders PC
Dundalk Edge Switch2 | Fa0/1 | Dundalk Distribution Switch1
Dundalk Edge Switch2 | Fa0/2 | Dundalk Distribution Switch1
Dundalk Edge Switch2 | Fa0/3 | HR + Operations PC
Dundalk Edge Switch2 | Fa0/24 | Accounts + Payroll PC
Dundalk Edge Switch3 | Fa0/1 | Dundalk Distribution Switch1
Dundalk Edge Switch3 | Fa0/2 | Dundalk Distribution Switch1
Dundalk Edge Switch3 | Fa0/3 | Call Centre Staff PC
Dundalk Edge Switch3 | Fa0/24 | Team-Leaders PC
Dundalk Edge Switch4 | Fa0/1 | Dundalk Distribution Switch1
Dundalk Edge Switch4 | Fa0/2 | Dundalk Distribution Switch1
Dundalk Edge Switch4 | Fa0/3 | IT Staff PC
Dundalk Edge Switch4 | Fa0/24 | HR + Operations PC
Dundalk Edge Switch5 | Fa0/1 | Dundalk Distribution Switch2
Dundalk Edge Switch5 | Fa0/2 | Dundalk Distribution Switch2
Dundalk Edge Switch5 | Fa0/3 | Call Centre Staff PC
Dundalk Edge Switch5 | Fa0/24 | Team-Leaders PC
Dundalk Edge Switch6 | Fa0/1 | Dundalk Distribution Switch2
Dundalk Edge Switch6 | Fa0/2 | Dundalk Distribution Switch2
Dundalk Edge Switch6 | Fa0/3 | HR + Operations PC
Dundalk Edge Switch6 | Fa0/24 | Accounts + Payroll PC
Dundalk Edge Switch7 | Fa0/1 | Dundalk Distribution Switch2
Dundalk Edge Switch7 | Fa0/2 | Dundalk Distribution Switch2
Dundalk Edge Switch7 | Fa0/3 | Training Room PC
Dundalk Edge Switch7 | Fa0/24 | IT Staff PC
Dundalk Edge Switch8 | Fa0/1 | Dundalk Distribution Switch2
Dundalk Edge Switch8 | Fa0/2 | Dundalk Distribution Switch2
Dundalk Edge Switch8 | Fa0/3 | Call Centre Staff PC
Dundalk Edge Switch8 | Fa0/24 | Team-Leaders PC
Dundalk Router | Fa0/0 | Dundalk Core Switch
Dundalk Router | S0/0/0 | Frame Relay
Dundalk Router | S0/0/1 | ISP Router
Dundalk Router | S0/1/0 | Mesh Cluster
Table 1
Dublin Port Assignment
Device | Port | Connecting Device
--- | --- | ---
Dublin Core Switch | Fa0/1 | DHCP Server
Dublin Core Switch | Fa0/2 | DNS Server
Dublin Core Switch | Fa0/3 | Dundalk Router
Dublin Core Switch | Fa0/4 | Printer
Dublin Core Switch | Fa0/5 | TFTP Server
Dublin Core Switch | Gi0/1 | Dublin Edge Switch1
Dublin Core Switch | Gi0/2 | Dublin Edge Switch2
Dublin Edge Switch1 | Fa0/3 | Call Centre Staff PC
Dublin Edge Switch1 | Fa0/10 | HR + Operations PC
Dublin Edge Switch1 | Fa0/24 | Accounts + Payroll PC
Dublin Edge Switch1 | Gi0/1 | Dublin Core Switch
Dublin Edge Switch1 | Gi0/2 | Dublin Edge Switch2
Dublin Edge Switch2 | Fa0/3 | Call Centre Staff PC
Dublin Edge Switch2 | Fa0/10 | IT Staff PC
Dublin Edge Switch2 | Fa0/24 | Training Room PC
Dublin Edge Switch2 | Gi0/1 | Dublin Edge Switch2
Dublin Edge Switch2 | Gi0/2 | Dublin Core Switch
Dublin Router | Fa0/0 | Dublin Core Switch
Dublin Router | S0/0/0 | Frame Relay
Dublin Router | S0/0/1 | ISP Router
Table 2
It is important to note that in Table 1 port Fa0/24 on the Dundalk Distribution Switch 1 and
Fa0/24 on the Dundalk Distribution Switch 2 are connected to both the Staff WIFI and the Public
WIFI access points. In a real world network implementation, only one access point would need to be
configured, but one of the limitations of Packet Tracer is that it only allows the user to configure one
SSID per access point, thus requiring one for each SSID.
Connectivity
Static IP addresses need to be assigned to devices on the network in order to establish connectivity
and to ensure ping messages succeed. All devices on the network should be able to
communicate with each other at this stage of the design because no Access Control Lists (ACLs) or
VLANs have been configured yet. Configuring an end device with a static IP address takes the
following steps:
Step 1
Double click on a PC. When the PC configuration GUI pops up, select the Desktop tab and then IP
Configuration.
Step 2
In the IP Configuration tab, select the Static option and then enter a valid static IP address.
Step 3
Enter the IP address, e.g. 192.168.10.2, and then enter a valid subnet mask, e.g. 255.255.255.0.
Step 4
Enter the default gateway address; this address may be the IP address of the router. To configure the
Fast Ethernet port on a router, the port must be brought up and a static IP address must be assigned. This
is covered in the Layer 3 section of the report.
The completed IP configuration can be seen in Figure 13.
Figure 13
To test that there is connectivity between two devices, a ping message can be sent. To send
a ping message, double click on one of the other configured computers and select the Command
Prompt under the Desktop tab as seen in Figure 14.
Figure 14
Enter 'ping 192.168.10.2' into the command prompt. If the ping message is successful, connectivity
has been achieved. A successful ping message can be seen in Figure 15.
Figure 15
All network devices should now be able to communicate with each other.
Troubleshooting
If ping messages fail between two devices, a few troubleshooting steps can be taken to rectify the
problem. Make sure a valid static IP address and subnet mask have been assigned to the device. Make
sure the correct default gateway has been entered and that the correct cables were used to connect the
devices. After correcting any of the above, send another ping message; it will succeed once the
devices are configured correctly.
Overview of Network Topology
Layer 2 – The Data Link Layer
The second layer of the OSI 7 layer model is the data link layer. This layer is responsible for
transferring data between networking devices in a Wide Area Network (WAN) environment or
between devices in the same Local Area Network (LAN) environment. In the PayPal network, the
trunking, the WIFI configuration and the VLANs will all be established at this layer.
Trunking
VTP is a Cisco proprietary protocol, meaning it can only be used on Cisco devices. VTP allows an IT
administrator to configure a switch (the VTP server) so that it propagates VLAN configurations to
other switches on the network. The VTP clients synchronise with the server so that they all
have the same VLAN configuration; this minimises the chance of configuration errors and is
less time consuming than configuring each switch by hand over 802.1Q trunks. One disadvantage of VTP is that if the server fails, all the
switches connected to it via trunking will get an error, and this may bring the entire network down. If a
second management switch were configured to act as a backup to the main server, this
would add a layer of redundancy should this failure happen.
[Diagram: one VTP server at the top with three VTP clients below it]
Trunking Configuration in the PayPal and eBay Network
VTP will be used in the network build for PayPal and eBay to carry the traffic from multiple VLANs
simultaneously over the cables from one switch to another. Once the VTP domain is created, all
switches within the same VTP domain share VLAN information with each other. In this build, on
the Dundalk network for example, the Dundalk core switch is the VTP server and the distribution and
edge switches are clients. All the VLAN configuration carried out on the core switch is pushed out to the edge
switches. A trunk link was established between each of the core and distribution switches; the
commands for doing this are shown later. The VTP server/client assignment for the Dundalk
network is as follows:
Device | Role | Domain
--- | --- | ---
Dundalk Core Switch | VTP Server | Dundalk
Dundalk Distribution Switch1 | VTP Client | Dundalk
Dundalk Distribution Switch2 | VTP Client | Dundalk
Dundalk Edge Switch1 | VTP Client | Dundalk
Dundalk Edge Switch2 | VTP Client | Dundalk
Dundalk Edge Switch3 | VTP Client | Dundalk
Dundalk Edge Switch4 | VTP Client | Dundalk
Dundalk Edge Switch5 | VTP Client | Dundalk
Dundalk Edge Switch6 | VTP Client | Dundalk
Dundalk Edge Switch7 | VTP Client | Dundalk
Dundalk Edge Switch8 | VTP Client | Dundalk
Configuring VTP
The commands necessary to configure a switch as a VTP server and set the VTP domain are shown in
Figure 16.
Figure 16
The commands necessary to configure a switch as a VTP client and set the VTP domain are shown in
Figure 17.
Figure 17
Switch(config)#vtp mode server - Sets the switch as the VTP server. This switch can create, modify and delete VLANs, and every change is advertised to the other switches (clients) in the same VTP domain so that they synchronise their VLAN databases with the server's.
Switch(config)#vtp mode client - Sets the switch as a VTP client. A client forwards VTP advertisements and applies the VLAN database it receives, but it cannot create, modify or delete VLANs locally.
Switch(config)#vtp domain Dundalk - A VTP domain consists of one or more interconnected switches under the same administrative responsibility sharing the same domain name. The name is case-sensitive and a switch can belong to only one domain at a time. A change made to the VLAN configuration on a VTP server is propagated to every switch in the domain. Where a switch should not take part in VTP at all, vtp mode transparent keeps its own VLANs and simply forwards advertisements, and vtp password <secret> on every member stops a switch without the password from updating the domain.
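To make the VTP decision rules concrete, the following Python model (an added example written for this page, not configuration from the Packet Tracer build) shows the checks a switch applies before it accepts an advertisement: the domain name must match, the password-derived digest must match, and the advertised configuration revision must be higher than its own. The switch names, password and the misspelt domain on Edge5 are constructed, and the digest is a simplified stand-in for the real VTP MD5 calculation.

```python
"""Model of how a switch decides whether to accept a VTP advertisement.
Example code added to this page, not part of the build.  Assumption: the
digest is a simplified stand-in (real VTP computes MD5 over a defined
summary-advert layout); the decision rules modelled are the real ones:
same domain, same password/digest, and a higher configuration revision."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                    # "server" or "client"
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # VLAN id -> name

    def _digest(self, revision, vlans):
        material = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(material.encode()).hexdigest()

    def add_vlan(self, vid, name):
        """Only a server can change the database; each change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP client")
        self.vlans[vid] = name
        self.revision += 1

    def advertise(self):
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self._digest(self.revision, self.vlans)}

    def receive(self, adv):
        """Apply the advertisement if it passes every check; return the outcome."""
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != self._digest(adv["revision"], adv["vlans"]):
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "accepted"


def demo():
    """Constructed scenario: a server, a correct client, a client with a domain typo."""
    core = VtpSwitch("DundalkCore", "Dundalk", "server", password="vtp-secret")
    edge1 = VtpSwitch("Edge1", "Dundalk", "client", password="vtp-secret")
    edge5 = VtpSwitch("Edge5", "Dundlak", "client", password="vtp-secret")  # domain typo
    for vid, name in [(2, "CallCentreStaff"), (3, "HR+OperationsManagement"), (5, "IT-Staff")]:
        core.add_vlan(vid, name)
    adv = core.advertise()
    outcome = {"edge1": edge1.receive(adv), "edge5": edge5.receive(adv)}
    # A switch with the right domain and password but a higher revision number
    # overwrites the server too: standard VTP behaviour, and the reason a
    # reused switch must be reset (or set transparent) before it is cabled in.
    stale = VtpSwitch("ReusedSwitch", "Dundalk", "server", password="vtp-secret",
                      revision=50, vlans={99: "old-lab"})
    outcome["core_after_stale"] = core.receive(stale.advertise())
    return outcome, dict(core.vlans), dict(edge1.vlans)


if __name__ == "__main__":
    print(demo())
```

Edge1 accepts the server's database, Edge5 ignores it because its domain name does not match, and the reused switch with revision 50 replaces the core's database even though the core is the server. Edge1 keeps the three VLANs only until it hears the next advertisement.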
Configuring Trunk ports
The commands necessary to configure a trunk port on a layer 3 switch are shown in Figure 18. These
commands must be entered on the interface for any port that is intended to be a trunk port.
Figure 18
Switch(config)#int range gi 0/1-2 - Selects the interfaces that are to become trunk ports.
Switch(config-if-range)#switchport trunk encapsulation dot1q - Sets the trunk encapsulation on the selected ports to 802.1Q, which tags each frame with its VLAN ID as it crosses the link.
Switch(config-if-range)#switchport mode trunk - Sets the selected ports to trunk unconditionally, so the link stays a trunk even if the far end has not yet been configured as one. Adding switchport nonegotiate stops the port sending DTP negotiation frames, which are unnecessary once both ends are hard-coded.
When configuring a trunk port on the distribution and edge switches (Layer 2), the commands are the same as on the Layer 3 switch except that switchport trunk encapsulation dot1q is not required, because those switches support only 802.1Q.
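The following Python model (an added example for this page, not code from the build) shows what the dot1q trunk does to a frame on the wire: on egress it inserts a 4-byte tag after the source MAC address, on ingress it reads the VLAN ID back out, and frames in the native VLAN cross the trunk untagged. The MAC addresses and payload are constructed.

```python
"""802.1Q tagging on a trunk: egress inserts a 4-byte tag after the source
MAC, ingress reads the VLAN ID back out, and native-VLAN frames travel
untagged.  Example code added to this page; the MAC addresses and payload
are constructed, not captured from the build."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tag(vlan_id, pcp=0, dei=0):
    """Return the 4-byte tag: TPID followed by the TCI (3-bit PCP, DEI, 12-bit VID)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def trunk_egress(dst, src, ethertype, payload, vlan_id, native_vlan=1):
    """Frame as it leaves a dot1q trunk: tagged unless it is in the native VLAN."""
    tag = b"" if vlan_id == native_vlan else build_tag(vlan_id)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def trunk_ingress(frame, native_vlan=1):
    """Parse a frame received on a trunk; an untagged frame is placed in the native VLAN."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    else:
        vlan_id, pcp, payload = native_vlan, 0, frame[14:]
    return {"dst": dst, "src": src, "vlan": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": payload}


# Constructed sample values (not from the build)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("000c29aabbcc")
PAYLOAD = b"constructed-payload"


def demo():
    """Send one VLAN 2 frame and one native-VLAN frame across a trunk and parse both."""
    tagged = trunk_egress(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=2)
    native = trunk_egress(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=1)
    return trunk_ingress(tagged), trunk_ingress(native)


if __name__ == "__main__":
    for parsed in demo():
        print(f"VLAN {parsed['vlan']} ethertype 0x{parsed['ethertype']:04x} {parsed['payload']!r}")
```

Because an untagged frame is assigned to whatever native VLAN the receiving port is configured with, both ends of a trunk must agree on it (switchport trunk native vlan); a mismatch silently moves frames between VLANs.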
Link Aggregation Groups (LAGs)
A LAG bundles several physical links between two switches into one logical link. This raises the bandwidth of the backbone and gives the link redundancy, since traffic continues over the remaining members if one cable fails, without replacing any hardware, which in turn keeps costs down.
Configuring LAGs
LAGs were configured between all the edge and distribution switches on both the Dundalk and Dublin networks. The configuration involved is:
interface FastEthernet 0/1 – selects a physical interface that will be a member of the LAG (repeated, or entered with interface range, for each member).
channel-group 1 mode active – places the interface in port-channel 1 and runs LACP in active mode, so it initiates negotiation with the neighbour.
switchport mode trunk – trunks the resulting port-channel, so all VLANs can cross the bundle.
All links between the same pair of switches go into the same channel group, and a switch must use a different channel-group number for each neighbour it bundles to: on Distribution Switch 1, for example, the two links down to Edge Switch 1 are in channel group 1 and the links to Edge Switch 2 in channel group 2, and so on. The edge switches can all use channel group 1 because each has only one bundle, up to its distribution switch. Member ports of a bundle must have identical settings (speed, duplex, trunk mode, allowed VLANs) or the port-channel will not form.
The successful setup of the LAGs can be seen below.
VLAN’s
Virtual Local Area Networks (VLANs) are used in a switched network to divide it into segments; each segment can hold a workgroup or department. Hosts in the same VLAN communicate as if they were attached to the same broadcast domain regardless of their physical location. In a traditional LAN, users who need the same resources and must share a broadcast domain have to be connected to the same equipment. With VLANs, users can be spread across different locations and still remain in the same IP subnet (broadcast domain). Each VLAN is its own broadcast domain, so only hosts in the same VLAN receive its broadcasts. Looking at Figure 19, if a host in VLAN 10 sends a broadcast, only the other computers in VLAN 10 receive it.
VLANs are identified by a number; valid numbers range from 1 to 4094. Ports on the switch are assigned a VLAN number, and the switch then forwards frames only between ports in the same VLAN (or over trunks, which carry tagged frames for several VLANs). It is good practice to keep switch management traffic in its own VLAN, separate from the user VLANs, so that a fault or broadcast storm in a user VLAN does not cut off management access to the switches. VLANs can only be configured on a managed switch, and an access port belongs to exactly one VLAN.
Figure 19: four VLANs on one switched network (VLAN 10 Call Centre Staff, VLAN 20 HR, VLAN 30 Payroll, VLAN 40 IT) with Device A in VLAN 10.
VLAN Design
Dundalk Site
VLAN Number Department IP Address
VLAN 2 CallCentreStaff 192.168.2.0
VLAN 3 HR+OperationsManagement 192.168.3.0
VLAN 4 Accounts+Payroll 192.168.4.0
VLAN 5 IT-Staff 192.168.5.0
VLAN 6 Training-Room 192.168.6.0
VLAN 7 Staff-WIFI 192.168.7.0
VLAN 8 Public-WIFI 10.10.0.0
VLAN 9 Team-Leaders 192.168.9.0
VLAN 50 ManagementVLAN 192.168.50.0
VLAN 100 Services 192.168.100.0
VLAN 150 Uplink 192.168.150.0
Dublin Site
VLAN Number Department IP Address
VLAN 2 CallCentreStaff 172.16.2.0
VLAN 3 HR+OperationsManagement 172.16.3.0
VLAN 4 Accounts+Payroll 172.16.4.0
VLAN 5 IT-Staff 172.16.5.0
VLAN 6 Training-Room 172.16.6.0
VLAN 50 ManagementVLAN 172.16.50.0
VLAN 100 Services 172.16.100.0
VLAN 150 Uplink 172.16.150.0
VLAN’s in PayPal and eBay
VLANs will be used in this network build to split the network by department. This segmentation reduces the traffic load, because dividing the network with VLANs also divides the broadcast domain: each VLAN has its own, so broadcast traffic on a VLAN is only delivered to hosts in that VLAN.
VLANs in the Dundalk and Dublin sites are assigned statically, by putting each port into access mode (switchport mode access) and binding it to a VLAN (switchport access vlan <id>). When a VLAN is statically assigned to a port, any device plugged into that port lands in that VLAN. Static assignment suits PayPal and eBay because they operate on a fixed floor plan and staff do not move around, and it confines a VLAN's broadcast traffic to the designated ports. Two points are worth noting. A device plugged into a port that has not been assigned is placed in the default VLAN (VLAN 1), so unused ports should be shut down or moved into an unused parking VLAN rather than left on the default. And a static VLAN identifies the port, not the device, so the VLAN alone does not stop someone who plugs into an HR port from reaching HR resources. The VLANs for the Dundalk and Dublin sites are configured on the core Layer 3 switches as mentioned above.
VLAN Configuration
VLANs need only be created on the VTP server switch, which in PayPal and eBay's case is the core Layer 3 switch. The VTP server propagates the VLAN database and any subsequent updates to all the clients in the same domain. The VLANs were created using the following commands:
Figure 20
Switch(config)#vlan 2 - Creates VLAN 2 (or enters its configuration if it already exists) and moves into VLAN configuration mode.
Switch(config-vlan)#name CallCentreStaff - Sets the name of VLAN 2 to CallCentreStaff.
Switch(config-vlan)#exit - Leaves VLAN configuration mode; the VLAN is written to the database at this point.
To list all the VLANs on a switch, enter show vlan brief in privileged mode. The result of running this command on the Dundalk core switch can be seen in Figure 21.
Figure 21
This command shows the VLAN number, the VLAN name, whether the VLAN is active, and which ports have been assigned to each VLAN. Port assignment is done with switchport mode access followed by switchport access vlan <id>. The port assignment for one of the edge switches can be seen in Figure 22.
Figure 22
Switch(config)#int range fa 0/3-12 - Selects ports 3 to 12.
Switch(config-if-range)#switchport mode access - Sets the ports to always behave as access ports; they will never negotiate a trunk.
Switch(config-if-range)#switchport access vlan 2 - Places the access ports in VLAN 2.
Now that the VLAN’s have been assigned to specific ports, by running show vlan brief on the
configured switch the ports assigned will appear beside the VLAN number as seen in Figure 23.
Figure 23
VLAN Port Assignment
Dundalk VLAN port Assignment
Device Port VLAN
Dundalk Core Switch Fa0/1 Uplink
Fa0/2 - 6 Services
Dundalk Distribution Switch1 Fa0/24 Public-WIFI
Dundalk Distribution Switch1 Fa0/24 Staff-WIFI
Dundalk Edge Switch1 Fa0/3-12 CallCentreStaff
Fa0/13-24 Team-Leaders
Dundalk Edge Switch2 Fa0/3-12 HR+OperationsManagement
Fa0/13-24 Accounts+Payroll
Dundalk Edge Switch3 Fa0/3-12 CallCentreStaff
Fa0/13-24 Team-Leaders
Dundalk Edge Switch4 Fa0/3-12 IT-Staff
Fa0/13-24 HR+OperationsManagement
Dundalk Edge Switch5 Fa0/3-12 CallCentreStaff
Fa0/13-24 Team-Leaders
Dundalk Edge Switch6 Fa0/3-12 HR+OperationsManagement
Fa0/13-24 Accounts+Payroll
Dundalk Edge Switch7 Fa0/3-12 Training-Room
Fa0/13-24 IT-Staff
Dundalk Edge Switch8 Fa0/3-12 CallCentreStaff
Fa0/13-24 Team-Leaders
Dublin VLAN port Assignment
Device Port VLAN
Dublin Core Switch Fa0/3 Uplink
Fa0/1-2 Services
Fa0/4-5 Services
Dublin Edge Switch1 Fa0/3-9 CallCentreStaff
Fa0/10-18 HR+OperationsManagement
Fa0/19-24 Accounts+Payroll
Dublin Edge Switch2 Fa0/3-9 CallCentreStaff
Fa0/10-18 IT-Staff
Fa0/19-24 Training-Room
Test Connectivity
To test connectivity some ping messages would be sent, at this stage only devices on the same VLAN
will be able to communicate with each other. Layer 2 switches have no routing capabilities and
intervlan routing has not yet been configured. Intervlan routing will be configured on the core Layer 3
switch. For the full configuration of the distribution and edge switches, please see Appendix A.
VLAN configuration on a Layer 3 switch
Since Layer 2 switches don’t have routing capabilities an interface has to be configured on the core
Layer 3 switch for every VLAN on the network. To do this an IP address and subnet mask is assigned
to each VLAN interface or Switched Virtual Interface (SVI) as they’re also called. The IP address for
each interface will serve as the default gateway for that particular VLAN. To enable intervlan routing
the following commands must be entered into the core switch:
Switch(config)#ip routing - This command will enable routing on the Layer 3 core switch. The
VLAN interfaces can now be set up and intervlan routing will be enabled.
The commands to configure the VLAN 2 interface on the core switch are as follows:
Switch(config)#interface vlan 2 - This command creates an SVI for VLAN 2.
Switch(config-if)#ip address 192.168.2.1 255.255.255.0 - This command will assign the IP
192.168.2.1 and the subnet mask 255.255.255.0 to the VLAN interface.
These commands should be repeated to create a SVI for all the VLAN’s on the network with
appropriate IP addresses and subnet masks.
Test Connectivity
Ping messages can now be sent between different VLANs and should succeed, as intervlan routing is enabled. No Access Control Lists (ACLs) have been configured at this stage, so nothing stops the VLANs talking to each other; ACLs are discussed in depth in the Layer 3 section of this report. Intervlan routing was possible here because the core switch in both Dundalk and Dublin is a Layer 3 switch. Usually intervlan routing is configured on a router, but since a Layer 3 switch can route, it was deemed appropriate for this build: it keeps the majority of the inter-VLAN traffic off the backbone router and reduces the number of hops for VLAN traffic.
Troubleshooting
When the original configuration for the VLAN’s was completed, hosts on the same VLAN were
unable to communicate with each other. It was later discovered that a configuration error had occurred
while setting up the VTP clients, the Dundalk Edge Switches 5-8 were not set to be on the Dundalk
domain so they couldn’t see the traffic. Once this error was rectified the VLAN’s were able to
communicate with each other freely. The next error came when a ping test was sent between hosts on
different VLAN’s. This problem was rectified after the lecturer explained intervlan routing and that
the IP routing command must be entered on the Layer 3 core switch. For the Layer 3 core switch
configuration, please see Appendix B.
Point to Point Protocol (PPP)
PPP is a Layer 2 protocol used for communication between two devices over a serial (point-to-point) link. It is a full-duplex protocol that uses a variation of High-Level Data Link Control (HDLC) framing to encapsulate packets. It carries a device's IP datagrams across the link to the peer, for example a router that puts them onto the Internet. It is responsible for link establishment and control (LCP), negotiating each network-layer protocol carried over the link (NCPs such as IPCP), and optional authentication of the peer.
Challenge-Handshake Authentication Protocol (CHAP)
CHAP is used with PPP as an authentication scheme to verify the identity of the remote peer. It uses a three-way handshake (challenge, response, then success or failure), performed when the link is established and optionally repeated at intervals afterwards. The verification is based on a shared secret configured on both ends; only a hash of the secret combined with a random challenge crosses the link, never the secret itself.
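The three messages of the handshake, with both routers' sides shown, as an added Python example written for this page (not code from the build). The hostnames and shared secret are constructed; on Cisco IOS the secret comes from the username <peer-hostname> password <secret> line on each router.

```python
"""PPP CHAP three-way handshake (RFC 1994) with both sides' messages.
Example code added to this page, not part of the build.  Hostnames and the
shared secret are constructed; on Cisco IOS the secret comes from the
`username <peer-hostname> password <secret>` line on each router."""
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP code field values


def chap_hash(identifier, secret, challenge):
    """MD5(Identifier || secret || Challenge value): this hash is all that crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that issued `ppp authentication chap` (Dundalk side here)."""

    def __init__(self, hostname, peer_secrets):
        self.hostname = hostname
        self.peer_secrets = peer_secrets   # peer hostname -> shared secret
        self.outstanding = {}              # identifier -> challenge value

    def challenge(self):
        """Step 1: send a fresh random challenge together with our own hostname."""
        identifier = os.urandom(1)[0]
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return {"code": CHALLENGE, "id": identifier, "value": value, "name": self.hostname}

    def verify(self, resp):
        """Step 3: recompute the hash with the locally stored secret and compare."""
        value = self.outstanding.pop(resp["id"], None)   # one use only: a replayed response fails
        secret = self.peer_secrets.get(resp["name"])
        if value is None or secret is None:
            return {"code": FAILURE, "id": resp["id"]}
        expected = chap_hash(resp["id"], secret, value)
        ok = hmac.compare_digest(expected, resp["value"])
        return {"code": SUCCESS if ok else FAILURE, "id": resp["id"]}


class Peer:
    """The router being authenticated (Dublin side here)."""

    def __init__(self, hostname, secret):
        self.hostname = hostname
        self.secret = secret

    def respond(self, chal):
        """Step 2: hash the challenge with the shared secret; the secret itself never leaves."""
        return {"code": RESPONSE, "id": chal["id"],
                "value": chap_hash(chal["id"], self.secret, chal["value"]),
                "name": self.hostname}


def run_exchange(secret_on_dundalk, secret_on_dublin):
    """Return (result code of the exchange, code returned for a replay of the same response)."""
    dundalk = Authenticator("Dundalk", {"Dublin": secret_on_dundalk})
    dublin = Peer("Dublin", secret_on_dublin)
    chal = dundalk.challenge()
    resp = dublin.respond(chal)
    first = dundalk.verify(resp)["code"]
    replay = dundalk.verify(resp)["code"]
    return first, replay


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"link-secret", b"link-secret"))
    print("mismatched secrets:", run_exchange(b"link-secret", b"typo"))
```

With matching secrets the exchange ends in Success (code 3); a secret mistyped on one router ends in Failure (code 4), and a captured response replayed later fails because the challenge value it was computed over has already been consumed.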
Configuring PPP with CHAP
Select the serial interface to configure – interface serial0/0/1
encapsulation ppp - Enables PPP encapsulation on the serial port (the default on a Cisco serial interface is HDLC, so this must be set on both ends of the link).
ppp authentication chap - Makes this router demand CHAP from the peer before the link comes up. With no further option the router authenticates the peer on every link establishment; adding callin restricts it to incoming calls. The shared secret is taken from a username <peer-hostname> password <secret> entry, which must be configured on both routers with the other router's hostname and the same secret.
A serial port with PPP and CHAP configured on it can be seen below.
Wireless Network
The PayPal and eBay wireless network will allow staff members to access the company network from phones, laptops and tablets. Coverage will be restricted to certain parts of the building and is intended only for recreational use on breaks. Wireless connectivity will also be offered to guests, with precautions in place to keep the company LAN private. There are two access points in this network build, one for the Staff wireless and one for the Guest wireless. The Staff WIFI is located on VLAN 7 and the Public WIFI on VLAN 8. The wireless network will use the 5 GHz frequency band to accommodate 802.11ac.
Wireless Configuration
Configuring a wireless network in Packet Tracer comes with a limitation: Packet Tracer does not allow multiple SSIDs on a single access point. To work around this, each SSID is represented by its own access point in the build. In a real deployment this would not be necessary, because one access point can broadcast both the Staff and the Guest SSID and map each to its own VLAN. The access point used in this build is the AccessPoint-PT-N. The GUI displayed when configuring the access point can be seen in Figure 24.
Figure 24
The SSID has been set to Public-WIFI and the channel to 6. The Security option has been set to Wired Equivalent Privacy (WEP). WEP uses the RC4 stream cipher and was the IEEE's first attempt to secure wireless networks. Its integrity check is a CRC-32 value appended to each frame, which lets the receiver detect accidental corruption but not deliberate tampering. WEP is not a secure option: its weaknesses are well documented and a key can be recovered from captured traffic, so in a production build WPA2, which Packet Tracer also offers, should be used instead. It was chosen here purely because it is easy to demonstrate. The key chosen for the Public-WIFI SSID is 123456789a, which any guest can use to connect their device to the Internet. The configuration and key used for the Staff-WIFI can be seen in Figure 25. The Staff-WIFI was set to broadcast on channel 2. Note that channels 2 and 6 are 2.4 GHz channel numbers and their frequencies overlap; the non-overlapping choices in the 2.4 GHz band are 1, 6 and 11, and if the 5 GHz band is used as stated above, the two access points would be given separate 5 GHz channels instead.
Figure 25
Connecting devices to the Wireless Network
To connect a device to an access point, the device must have a wireless card installed. On Packet
Tracer this is done by selecting the Laptop and dragging the wireless module onto the side of the
machine. A laptop with the correct wireless card installed can be seen in Figure 26. When the correct
wireless card has been installed, the Laptop should be placed close to the access point so the
connection process can take place.
Figure 26
A successful connection for both a staff and a public device can be seen in Figure 27.
Figure 27
Layer 3 – The Network Layer
The third layer of the OSI 7 layer model is the network layer. This layer is where the routing
restrictions and the routing principles will be configured. Access Control Lists (ACL’s) will be
configured to restrict access to different VLAN’s and so that the Public-WIFI has no access to the
internal network but has internet access.
Routing
Routing will be used in the PayPal and eBay network to establish the paths over which devices on different networks communicate. A router is a Layer 3 device that forwards packets between networks, including the Internet, based on their destination IP addresses; the known destination networks and the next hop for each are held in the routing table. A router supports routing protocols such as Open Shortest Path First (OSPF), RIPv1 and RIPv2, and network protocols and services such as IPv4, IPv6 and Network Address Translation (NAT). Routers learn routes in two ways, statically and dynamically. Static routes are configured manually and are commonly used on point-to-point links; dynamic routes are learned from neighbouring routers through a routing protocol such as RIP.
Routing Configuration
Router configuration requires a valid IP address and subnet mask to be assigned to an interface, this
interface must then be brought up in order for connectivity to be successful. The commands below
show how to configure an interface on a router:
Router(config)#interface fastethernet 0/0 - This command selects the fastethernet port 0/0 to be
configured.
Router(config-if)#ip address 192.168.10.1 255.255.255.0 – This sets the IP address 192.168.10.1
and the subnet mask 255.255.255.0 to the interface fastethernet 0/0.
Router(config-if)#no shut – This command is necessary to bring up the interface.
Router(config-if)#exit - This command exits the fastethernet 0/0 interface.
The configuration of a serial port is quite similar to that of a fastethernet interface, but there are some
differences. A serial port will be used to establish a WAN connection between Dundalk and Dublin.
The following commands show how to configure a serial interface:
Router(config)#interface serial0/0/0 - This command selects the serial0/0/0 interface to be
configured.
Router(config-if)#ip address 200.20.0.1 255.255.255.0 - This sets the IP address 200.20.0.1 and the
subnet mask 255.255.255.0 to the interface serial0/0/0.
Router(config-if)#clock rate 64000 – This command will set the clock rate on the link to 64000. This
is only done on the DCE side, the DCE side can be found on Packet Tracer by hovering over the
connecting ports on a router and seeing what side the small clock symbol is displayed on.
Router(config-if)#no shut - This command is necessary to bring up the interface.
Router(config-if)#exit - This command exits the serial0/0/0 interface.
Configuring RIP
RIP is a distance-vector routing protocol by which a router learns routes from the other routers on the network. Each router advertises its routing table to its neighbours every 30 seconds, and the received routes, with hop count as the metric, are used to build the routing table that decides the best path for traffic. The Dundalk router's routing table can be seen in Figure 28.
Figure 28
The letter R shows that a route was learned via RIP. RIP version 2 was used in this build because it is classless: it carries the subnet mask with each route, which is required when a classful network such as 192.168.0.0 or 10.10.0.0 is divided into subnets (RIPv1 would summarise them at the classful boundary and lose the individual subnets). RIPv2 also supports authentication of routing updates, which RIPv1 does not.
To configure RIP the following commands must be entered:
Router(config)#router rip - Enters RIP router configuration mode.
Router(config-router)#version 2 – Tells the router to send and accept only RIPv2 updates, so subnet masks are carried with each route.
Router(config-router)#network 192.168.2.0 – Enables RIP on every interface whose address falls within 192.168.2.0 and advertises that network to the router's RIP neighbours. Routes the neighbours hold are in turn learned by this router and added to its routing table.
All the networks ripped on the Dundalk router can be seen in Figure 29.
Figure 29
Configuring a Static Route
The letter S in Figure 28 refers to a static route, which was configured manually. Static routes are not exchanged with other routers, so they cannot be altered by a false or mistaken routing update from a neighbour, which is why they are considered more secure. The command to configure a static route is shown below:
Router(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0/1 – Creates a default static route. The 0.0.0.0 0.0.0.0 destination and mask match any address, so any packet whose destination is not matched by a more specific route in the table is sent out Serial0/0/1 towards the external router (for example the ISP). Traffic arriving from outside is forwarded according to the specific routes the router holds for the internal networks.
For the full Dundalk and Dublin Site Router configurations, please see Appendix C and D.
Test Connectivity
Connectivity between the two sites can now be tested via ping messaging. The ping messages will be
successful at this stage, because intervlan routing is enabled on both core switches in Dundalk and
Dublin and no Access Control Lists or other restrictions are in place to block communications.
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides a host with an IP address, subnet mask and default gateway (and usually DNS server addresses). A pool of addresses is allocated from when a host joins the network: the server leases an available address to the connecting host, and every address in the scope is available for lease unless restrictions are set. Some of the terms used in DHCP configuration are explained below.
Scope
A DHCP scope is a range of valid IP addresses that can be allocated for assignment or lease to client
computers on a particular subnet. A scope is configured to determine the address pool of IP’s that the
server can provide to DHCP clients. If the scope sets a starting address of 192.168.10.1 and an ending
address of 192.168.10.50, DHCP can lease or assign any address in that range to a client once it’s not
already leased out.
Exclusion Range
An exclusion range is a configuration on the DHCP server to exclude a range of IP addresses or a
single IP from being assigned automatically to the DHCP client machines. The exclusion range is
specified when configuring the DHCP server, an example of when an IP address may need to be
excluded is for servers and other mission critical equipment. If the IP address 192.168.10.1 was
assigned to the DNS Server, you don’t want client machines getting leased this address, that’s why
it’s included in the exclusion range.
Reservations
A DHCP reservation lets an administrator reserve an IP address for a specific host, typically a server, printer or other important device. To configure a reservation the administrator must know the MAC address of the target host, since the reservation maps that MAC address to the IP address. Every time the host joins the network it receives the same address; while the host is offline the address is held back rather than leased to anyone else, and it is only ever handed out to the device with the matching MAC address.
DHCP in the PayPal & eBay network
DHCP will be used in the PayPal and eBay network to allocate an IP address to all devices logged
onto the company network. Multiple scopes will be set, these scopes will be based upon the VLAN
design for the departments in the company. Users working in the same department will be assigned an
IP address from the same network since they’re part of the same departmental VLAN.
The IP addresses leased on the wireless network will be private IP addresses, these IP
addresses will not be used to access the internet because Network Address Translation (NAT)
will be used to swap the private addresses to public addresses. This process will be
documented in more detail in the NAT section of the report. The DHCP service will be
configured on the DHCP server in the Dundalk and Dublin sites.
DHCP Server Packet Tracer configuration
The TCP/IP settings for the Dundalk DHCP server can be seen in Figure 30.
Figure 30
DHCP Scope Configuration
In this network build the addresses .1 to .19 of each network are not leased to hosts. For example, VLAN 2 uses 192.168.2.0/24: .1 is the VLAN interface on the core switch (the default gateway) and the first address available for lease is 192.168.2.20, the addresses below it being held back for administrative use such as adding further interfaces in the future. The scopes set for each VLAN interface can be seen in Figure 31.
Figure 31
The steps taken to set up a scope on the server GUI are outlined below:
Step 1
Navigate to the DHCP tab on the left and make sure the DHCP service is turned on.
Step 2
Enter a scope name, in this configuration the VLAN number was entered here.
Step 3
Enter a default gateway and DNS server address. For example VLAN 2’s default gateway address
would be 192.168.2.1 as this was the IP address assigned to the VLAN 2 interface on the Dundalk
core Layer 3 switch. The DNS server address is the IP address that was statically assigned to the DNS
server.
Step 4
Select a starting IP address and subnet mask, the starting IP address is the first address available for
lease in the scope. VLAN 2’s starting IP address will be 192.168.2.20
Step 5
The maximum number of users will dictate the amount of hosts that can receive DHCP IP addresses
from a scope at any one time.
Step 6
The TFTP server’s IP address was added at the end, the configuration of the TFTP server will be
talked about in more detail later.
Step 7
Save the scope so that the changes made take place.
A sample DHCP scope for VLAN 150 is shown in Figure 32.
Figure 32
Dundalk DHCP Scope Table
Scope Name Default Gateway Starting Range Subnet Mask DNS
VLAN 2 192.168.2.1 192.168.2.20 255.255.255.0 192.168.100.11
VLAN 3 192.168.3.1 192.168.3.20 255.255.255.0 192.168.100.11
VLAN 4 192.168.4.1 192.168.4.20 255.255.255.0 192.168.100.11
VLAN 5 192.168.5.1 192.168.5.20 255.255.255.0 192.168.100.11
VLAN 6 192.168.6.1 192.168.6.20 255.255.255.0 192.168.100.11
VLAN 7 192.168.7.1 192.168.7.20 255.255.255.0 192.168.100.11
VLAN 8 10.10.0.1 10.10.0.20 255.255.0.0 192.168.100.11
VLAN 9 192.168.9.1 192.168.9.20 255.255.255.0 192.168.100.11
VLAN 50 192.168.50.1 192.168.50.20 255.255.255.0 192.168.100.11
VLAN 100 192.168.100.1 192.168.100.20 255.255.255.0 192.168.100.11
VLAN 150 192.168.150.1 192.168.150.20 255.255.255.0 192.168.100.11
Dublin DHCP Scope Table
Scope Name Default Gateway Starting Range Subnet Mask DNS
VLAN 2 172.16.2.1 172.16.2.20 255.255.255.0 172.16.100.11
VLAN 3 172.16.3.1 172.16.3.20 255.255.255.0 172.16.100.11
VLAN 4 172.16.4.1 172.16.4.20 255.255.255.0 172.16.100.11
VLAN 5 172.16.5.1 172.16.5.20 255.255.255.0 172.16.100.11
VLAN 6 172.16.6.1 172.16.6.20 255.255.255.0 172.16.100.11
Test Connectivity
To check that a client has been given an address from the correct scope for its VLAN, select the DHCP option on the PC's desktop. In Figure 33 it can be seen that the PC, which is in VLAN 2, has been given an address from the 192.168.2.0 scope.
Figure 33
Troubleshooting
Before a successful DHCP request was achieved, many problems were encountered. Most notably the
APIPA error as seen in Figure 34.
Figure 34
All the code and configurations entered previous to this were checked repeatedly to see if an error had
been made. After many hours of searching, a solution was found. A command called ‘IP-Helper’ was
missing from the configuration. Many sources said this would fix the APIPA error.
IP-Helper
The ip helper-address command forwards DHCP broadcasts to the DHCP server. A client that has no address yet sends its DHCP Discover and Request as broadcasts, and by default a router or Layer 3 switch does not forward broadcasts between subnets, so a client on one VLAN cannot reach a DHCP server that sits on another. Configuring a helper address on the interface that receives the broadcasts (here the VLAN interface on the core Layer 3 switch) makes the switch turn each broadcast into a unicast to the DHCP server, inserting the address of the receiving interface as the relay address (giaddr) so the server knows which scope to allocate from. Once the helper address was entered, the DHCP requests were successful. Note that a helper address forwards several other UDP broadcasts as well by default (TFTP, DNS, time and NetBIOS among them); ip forward-protocol can be used to restrict this to the services actually needed. The commands for entering the helper address are shown below.
Switch(config)#interface vlan 2 – Enters the VLAN 2 interface, which receives the broadcasts from hosts in VLAN 2.
Switch(config-if)#ip helper-address 192.168.100.10 – The address entered is the static IP address of the DHCP server; the command must be repeated on every VLAN interface that serves DHCP clients.
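The following Python model (an added example for this page, not configuration from the build) runs the whole path end to end: the client broadcasts a Discover, the VLAN interface on the Layer 3 switch relays it to the helper address with its own address in giaddr, and the server uses giaddr to pick the scope, skips the held-back addresses below .20, honours a MAC reservation, and returns the gateway and DNS for that VLAN. It also shows what happens when the helper address is missing. Addresses follow the Dundalk plan in the report; the MAC addresses are constructed.

```python
"""DHCP relay (ip helper-address) and scope selection, modelled end to end.
Example code added to this page, not part of the build.  Addresses follow the
Dundalk plan in the report (VLAN 2 = 192.168.2.0/24, gateway .1, leases start
at .20, DNS 192.168.100.11, DHCP server 192.168.100.10); MAC addresses are
constructed."""
import ipaddress

DHCP_SERVER = "192.168.100.10"
DNS_SERVER = "192.168.100.11"


def scope(vlan, first_host=20):
    """One scope per departmental VLAN: .1 is the SVI, .1-.19 are held back."""
    net = ipaddress.ip_network(f"192.168.{vlan}.0/24")
    return {"name": f"VLAN {vlan}", "network": net, "router": str(net[1]),
            "start": net[first_host], "dns": DNS_SERVER}


class DhcpServer:
    def __init__(self, scopes, reservations=None):
        self.scopes = scopes
        self.reservations = reservations or {}   # MAC -> fixed address
        self.leases = {}                         # address -> MAC

    def _scope_for(self, giaddr):
        for sc in self.scopes:
            if ipaddress.ip_address(giaddr) in sc["network"]:
                return sc
        return None

    def handle(self, discover):
        """Pick the scope from giaddr (the relaying SVI's address) and offer a lease."""
        if discover["giaddr"] == "0.0.0.0":      # not relayed: the server never sees it
            return None
        sc = self._scope_for(discover["giaddr"])
        if sc is None:
            return None                          # no scope for that subnet
        mac = discover["chaddr"]
        addr = self.reservations.get(mac)
        if addr is None:
            taken = set(self.leases) | set(self.reservations.values())
            for cand in sc["network"].hosts():
                if cand >= sc["start"] and str(cand) not in taken:
                    addr = str(cand)
                    break
        if addr is None:
            return None                          # scope exhausted
        self.leases[addr] = mac
        return {"op": "OFFER", "yiaddr": addr, "router": sc["router"],
                "dns": sc["dns"], "giaddr": discover["giaddr"]}


class Svi:
    """VLAN interface on the Layer 3 switch.  helper=None models the missing command."""

    def __init__(self, ip, helper=None):
        self.ip, self.helper = ip, helper

    def forward(self, broadcast, server):
        if self.helper is None:
            return None                          # broadcast stops at the Layer 3 boundary
        relayed = dict(broadcast, giaddr=self.ip)  # giaddr tells the server which subnet asked
        return server.handle(relayed)


def discover(mac):
    """What a client sends: a broadcast with no address yet and giaddr zero."""
    return {"op": "DISCOVER", "chaddr": mac, "ciaddr": "0.0.0.0", "giaddr": "0.0.0.0"}


def client_address(offer):
    """Offer -> leased address; no offer -> the APIPA fallback seen in Figure 34."""
    return offer["yiaddr"] if offer else "169.254.x.x (APIPA)"


def demo():
    server = DhcpServer([scope(2), scope(3)],
                        reservations={"00:0c:29:00:00:99": "192.168.3.30"})   # constructed MAC
    vlan2 = Svi("192.168.2.1", helper=DHCP_SERVER)
    vlan3 = Svi("192.168.3.1", helper=DHCP_SERVER)
    vlan2_no_helper = Svi("192.168.2.1")
    return {
        "first_vlan2": client_address(vlan2.forward(discover("00:0c:29:00:00:01"), server)),
        "second_vlan2": client_address(vlan2.forward(discover("00:0c:29:00:00:02"), server)),
        "reserved_vlan3": client_address(vlan3.forward(discover("00:0c:29:00:00:99"), server)),
        "no_helper": client_address(vlan2_no_helper.forward(discover("00:0c:29:00:00:03"), server)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The giaddr field is the whole reason a single server on VLAN 100 can serve every departmental VLAN: the server never sees which switch port the client is on, only which VLAN interface relayed the request.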
Access Control Lists (ACL’s)
An Access Control List (ACL) is a network filter used by routers and some switches on a network
interface, to permit and deny data flows in and out of the interface they’re placed on. If an ACL is
being used to permit traffic, it will specify what traffic is allowed on the interface or out of the
interface. If an ACL is used to deny traffic it will specify what traffic is not allowed on the interface
or what traffic is denied from leaving that interface. When an ACL is configured on an interface the
network device it’s configured on will analyse the data passing through the interface, it will compare
it to the criteria stated in the ACL and from this will either permit or deny the data flow. An ACL’s
primary function is to provide a basic level of security in the network, even though they do not
provide as good protection as something like a stateful firewall, they do provide protection on high
speed interfaces where the line rate speed is important and firewalls may be restrictive. It is important
to note that at the bottom of each ACL there is an implicit deny, this means that if an ACL was
permitted to accept traffic from 192.168.2.0 (VLAN 2), it would allow traffic from this network but it
would deny all other traffic that’s not on the 192.168.2.0 network.
On Cisco routers there are two main types of ACL, standard and extended. A standard ACL filters only on the source IP address; an extended ACL filters on source and destination address and can also match the protocol and port numbers. Standard ACLs should be placed as close to the destination as possible, because they only know the source address and would otherwise block that source from reaching everything beyond the interface. Extended ACLs should be placed as close to the source as possible, so that unwanted traffic is dropped before it crosses the network. Standard ACLs are numbered 1 to 99 (and 1300 to 1999) and extended ACLs 100 to 199 (and 2000 to 2699); both can also be given a name with the ip access-list command.
ACLs are read sequentially, so the order of the statements matters: statements are processed top-down until the first match, and that statement decides what happens to the packet. The most specific statements should therefore be at the top of the list and the most general at the bottom. If no statement matches, the packet is dropped by the implicit deny. Each ACL needs a unique name or number. Applying an empty ACL to an interface permits all traffic; the implicit deny only takes effect once the ACL contains at least one permit or deny statement.
ACLs for PayPal and eBay
The ACLs in this network build apply restrictions between the departmental VLANs. One example: IT staff need access to every other VLAN for troubleshooting, but no other departmental VLAN should be able to reach the IT staff VLAN. This is done with an ACL that permits the IT staff VLAN to reach any network and relies on the implicit deny to block every other VLAN from reaching the IT staff.
Another ACL blocks users of the Public-WIFI VLAN from the internal company network: guest users should only have access to the Internet. This is done by denying the Public-WIFI VLAN access to every other VLAN while still allowing it out to the Internet. The IT staff keep access to the Public-WIFI VLAN for troubleshooting; it is not good practice to allow guests into the internal company network.
Configuring ACLs
Some of the ACLs configured in this network build will now be explained.
ACL for IT Staff on Dundalk site
As mentioned above, this ACL allows the IT staff access to every other VLAN on the network but blocks users on other VLANs from initiating communication with the IT staff. This is an extended ACL and the configuration can be seen in Figure 35.
Figure 35
access-list 103 permit udp any eq bootpc any eq bootps – This statement permits UDP traffic from any source with source port 68 (bootpc, the DHCP client port) to any destination with destination port 67 (bootps, the DHCP server port), i.e. DHCP client-to-server messages. It comes first so that none of the restrictions that follow interfere with DHCP address assignment.
access-list 103 permit ip 192.168.5.0 0.0.0.255 any – This permits the IT staff VLAN (192.168.5.0) to reach any other network. 0.0.0.255 is a wildcard mask: a 0 bit in the wildcard means that bit of the address must match exactly, and a 1 bit (255 for a whole octet) means any value is accepted, so 192.168.5.0 0.0.0.255 matches every address in 192.168.5.0/24. The any keyword is what gives the 192.168.5.0 network access to all other networks.
access-list 103 permit ip 172.16.5.0 0.0.0.255 any – This works the same way but allows the IT staff VLAN on the Dublin site to reach any network on the Dundalk site, so troubleshooting can be done by IT staff from either site.
At the end of access-list 103 there is the implicit deny; it does not need to be typed and sits after the last statement. In other words, if you are not on the IT staff VLAN in Dundalk or Dublin, you do not have the rights granted by this ACL. Because ACLs are stateless, a session opened by IT staff still needs its return traffic permitted by whatever ACL is applied on the other VLAN (see the echo-reply statement in ACL 101 below).
ACL for Public-WIFI on Dundalk site
The ACL for Public-WIFI blocks the Public-WIFI VLAN from communicating with every other VLAN on both the Dundalk and Dublin networks while allowing it out to the Internet. The configuration for this ACL can be seen in Figure 36.
Figure 36
access-list 110 permit tcp 10.0.0.0 0.0.255.255 200.100.0.0 0.0.0.255 – This permits TCP traffic from the 10.0.0.0 (Public-WIFI) network to the 200.100.0.0 (ISP) network.
ip access-list extended PublicWIFI – This creates a named extended access list called PublicWIFI; the following statements are entered in its configuration mode.
deny ip any 192.168.0.0 0.0.255.255 – This denies traffic from any source to any address in 192.168.0.0/16, i.e. it stops the 10.0.0.0 network from reaching the Dundalk network.
deny ip any 172.16.0.0 0.0.255.255 – This denies traffic from any source to any address in 172.16.0.0/16, i.e. it stops the 10.0.0.0 network from reaching the Dublin network.
permit ip any any – This permits all remaining traffic, which for the guest VLAN means only traffic bound for the Internet. The two deny statements must come before this permit; in the other order the permit would match first and the denies would never be reached.
ACL for HR+OperationsManagement on Dublin site
This VLAN requires access to VLANs 2, 4, 100 and 150 and must be denied access everywhere else. The configuration for this ACL can be seen in Figure 37.
Figure 37
access-list 101 permit udp any eq bootpc any eq bootps – As in ACL 103, this permits DHCP client-to-server messages (UDP source port 68 to destination port 67) ahead of the restrictions below, so DHCP address assignment is unaffected.
access-list 101 permit icmp 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255 echo-reply – Although the HR+OperationsManagement VLAN cannot initiate traffic to the IT staff VLAN, the IT staff must still be able to ping HR hosts. This statement permits only ICMP echo replies from the HR VLAN to the IT VLAN, i.e. the answers to pings sent by IT staff; an echo request from HR to IT does not match it and is caught by the next statement.
access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255 – This denies the HR+OperationsManagement VLAN access to the IT staff VLAN.
access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.6.0 0.0.0.255 – This denies the HR+OperationsManagement VLAN access to the Training-Room VLAN.
access-list 101 permit ip any any – This permits all other traffic that has not already been denied.
Because the ACL is stateless, the echo-reply exception covers ping only: a TCP or UDP session opened by IT staff to an HR host would have its replies dropped by the deny statement. Cisco IOS allows return TCP traffic with a statement such as permit tcp 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255 established placed above the deny (it matches segments with the ACK or RST bit set), or with a reflexive ACL.
ACL for Telnet Access
Telnet access was granted to the IT staff VLANs on both the Dundalk and Dublin sites. A standard access list called Allowed-Telnet-Hosts was created permitting 192.168.5.0 and 172.16.5.0 (the IT VLANs) and applied to the virtual terminal lines (line vty 0 4) with the access-class command, so only hosts in those VLANs can open a Telnet session to the devices. The password class must then be entered when telnetting into any device. Telnet carries this password and the whole session in cleartext, so restricting the source hosts is a minimum precaution and SSH should replace Telnet wherever the device supports it.
Testing ACLs
The ACLs created for the network are now ready for testing. The VLANs and the ACLs created for the Dundalk network can be seen in Figure 38.
Figure 38
A list of the VLANs and their corresponding ACLs configured for the Dublin network can be seen in Figure 39.
Figure 39
All these ACLs were tested using Packet Tracer and the tests were successful.
Troubleshooting
When first configuring the ACLs it took some time to work out how to let a ping succeed when the pinged VLAN is denied access to the VLAN sending the ping. For example, all other staff on the network were denied access to the IT staff VLAN, but the IT staff needed to receive ping replies from those staff members' machines. After reading through some documents online, the statement access-list 101 permit icmp <source network/wildcard> <destination network/wildcard> echo-reply was found, and placing it above the deny statement fixed the problem immediately.
The PCs on the internal LANs were not picking up DHCP addresses as expected once some of the ACLs were configured, because the DHCP exchange was being caught by the deny statements. To solve this the statement access-list 101 permit udp any eq bootpc any eq bootps was added at the top of the list. This allows both PCs and servers to obtain a DHCP address without the ACL interfering with the assignment process.
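To make the ordering, wildcard-mask and implicit-deny behaviour concrete, the following Python script (an added example, not part of the original project) evaluates the page's ACL 101 and ACL 103 the way a router does: each statement is parsed, packets are checked top-down, and the first match decides. The packets, the helper names parse_acl and evaluate, and the assumption that ACL 101 is applied inbound on the HR VLAN interface (so every packet it sees is sourced from 172.16.3.0/24) are constructions of this example. It also shows why the echo-reply statement is needed and what happens to the reply half of a TCP session that IT staff open to an HR host, with the established statement a router would need for that case.

```python
# Cisco-style extended ACL evaluation: wildcard masks, top-down first match,
# implicit deny. Added example, not the project's code; packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "telnet": 23}
ANY = ("0.0.0.0", "255.255.255.255")      # 'any' == 0.0.0.0 with an all-ones wildcard

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""         # "echo" or "echo-reply"
    ack: bool = False           # TCP ACK bit set (reply / established traffic)

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]        # (network, wildcard)
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    established: bool = False   # IOS 'established': ACK or RST bit set
    text: str = ""

def wildcard_match(addr: str, net_wild: Tuple[str, str]) -> bool:
    """Wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    net, wild = net_wild
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)

def _addr(t, i):
    """Parse 'any' or 'A.B.C.D W.X.Y.Z' at token i; return (net, wild), next index."""
    if t[i] == "any":
        return ANY, i + 1
    return (t[i], t[i + 1]), i + 2

def _port(t, i):
    """Parse an optional 'eq <port|name>' operator at token i."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text: str):
    """access-list N permit|deny proto src [eq p] dst [eq p] [icmp-type|established]"""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rest = t[i:]
        aces.append(Ace(action, proto, src, dst, sport, dport,
                        icmp_type=rest[0] if proto == "icmp" and rest else None,
                        established="established" in rest, text=line.strip()))
    return aces

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def evaluate(aces, pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

ACL_101 = """
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit icmp 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255 echo-reply
access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip any any
"""
ACL_103 = """
access-list 103 permit udp any eq bootpc any eq bootps
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 172.16.5.0 0.0.0.255 any
"""
# Hypothetical fix: permit the reply half of TCP sessions that IT staff open to HR
# hosts, placed above the deny (stateless ACLs need this; the page's list lacks it).
ACL_101_ESTABLISHED = ACL_101.replace(
    "access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255\n",
    "access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255 established\n"
    "access-list 101 deny ip 172.16.3.0 0.0.0.255 172.16.5.0 0.0.0.255\n")

# Constructed packets as seen inbound on the HR VLAN (ACL 101) or on the IT/other VLANs (ACL 103)
SAMPLES = {
    "hr_dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "hr_to_it_smb": Packet("172.16.3.10", "172.16.5.5", "tcp", 50000, 445),
    "hr_ping_it": Packet("172.16.3.10", "172.16.5.5", "icmp", icmp_type="echo"),
    "hr_echo_reply_to_it": Packet("172.16.3.10", "172.16.5.5", "icmp", icmp_type="echo-reply"),
    "hr_synack_to_it": Packet("172.16.3.10", "172.16.5.5", "tcp", 80, 51000, ack=True),
    "hr_to_accounts": Packet("172.16.3.10", "172.16.2.7", "tcp", 50001, 445),
    "it_to_hr": Packet("192.168.5.21", "172.16.3.10", "tcp", 52000, 80),
    "sales_to_it": Packet("192.168.2.5", "192.168.5.1", "tcp", 52001, 22),
}
```

Running evaluate(parse_acl(ACL_101), pkt) over SAMPLES shows the DHCP discover and the echo reply permitted, the HR-initiated SMB connection and the HR echo request denied, and the SYN-ACK reply to an IT-initiated connection denied by the third statement; the same reply is permitted under ACL_101_ESTABLISHED while the fresh SMB connection stays denied. Under ACL 103 the sales-to-IT packet hits the implicit deny with no statement text at all, which is exactly what a router's counters would show.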
Wide Area Network (WAN) Connectivity
In this network build the two sites in Dundalk and Dublin need to be connected via a WAN so that hosts at either site can reach the whole company network. For PayPal and eBay, Frame Relay and a VPN will be used to connect the two sites. NAT will be used to translate the private addresses of both companies into a single public address for Internet activity.
NAT/PAT
Network Address Translation (NAT) is a function of the edge router (not a routing protocol) that rewrites the private IP addresses in packets to public IP addresses so that users can reach the Internet. Port Address Translation (PAT), also called NAT overload, extends this by translating many internal private addresses to one public address, keeping the sessions apart by the source port each private host is using.
Private Addresses
Private addresses are IP addresses reserved (by RFC 1918) for use on LANs. Private networks can use addresses anywhere in the following ranges:
192.168.0.0 – 192.168.255.255
172.16.0.0 – 172.31.255.255
10.0.0.0 – 10.255.255.255
A private address range allows an organisation to build its own private network. The three blocks above are carved out of the old class A, class B and class C address space respectively. Computers, phones and network printers sitting on the LAN are usually assigned a private IP address. Address duplication between different organisations is not a problem, because private addresses are never routed on the public Internet, so the LANs never come into contact with each other. Devices outside the LAN cannot communicate directly with a private IP address; if such access is needed, NAT is used to provide it.
Public Addresses
Public IP addresses are addresses assigned to a device to allow it to be reached directly over the Internet. NAT together with PAT lets a whole network share a single public address; this is a widely used solution because it relieves the shortage of public addresses. A web server, email server or any other server that must be reachable from the Internet is a candidate for a public IP address. Public addresses are globally unique and can only be assigned to one device. A company may have hundreds of internal private addresses mapped to one single public address for Internet activity; the NAT translation table on the router lists which private addresses are currently mapped to which public address and port. NAT also has the side effect of stopping users on the Internet from reaching hosts on the private LAN: inbound traffic that does not match an entry in the translation table has no private address to go to and is dropped. This is not a substitute for a firewall, since any traffic that does match a translation, including a static mapping, is forwarded.
NAT in the PayPal & eBay Network Build
NAT will be configured on the edge router at each of the Dundalk and Dublin sites to give the internal private addresses a public address for Internet access; PAT will be used to share that address. An inbound static NAT will also be configured on each side from the ISP to the web server: the public address (and port) will be mapped to the web server's private address so that requests arriving from the Internet are forwarded to the web server. This means that users on the Internet can reach the PayPal and eBay websites without the external hosts having any direct access to the internal LAN. Dynamic NAT/PAT translations are created when an inside host starts a session and time out afterwards, whereas a static NAT entry is a fixed mapping between one private address and one public address. The translation of a private to a public address using NAT can be seen in Figure 40.
Figure 40
In Figure 40, the In Layers section on the left shows in Layer 3 that the 192.168.5.21 address has sent a ping towards the ISP router. In the Out Layers section on the right, Layer 3 shows that the source address has been translated to the public IP address 200.100.0.1. Figure 41 shows the output of the show ip nat translations command after the ping was successful.
Figure 41
NAT/PAT Configuration
NAT/PAT is configured on the router because the router is where traffic leaves the LAN for the WAN and where it enters the LAN from the WAN. The direction in which an address is translated is determined by how the router's interfaces are marked: an inside interface translates private source addresses to the public address on the way out, and an outside interface translates the public destination address back to the private address on the way in. The commands necessary to configure NAT with PAT can be seen in Figure 42.
Figure 42
The command in Figure 42 is applied to the Fa 0/0 port on the Dundalk router.
ip nat inside – This marks the Fa 0/0 interface as an inside interface; packets entering the router on this interface carry private source addresses that need to be translated to the public address.
ip nat outside – This marks the selected interface as an outside interface; packets entering the router on this interface carry the public address and are translated back to the private address. This command is usually entered on the serial interface of the router, since that is the entry point from the Internet.
Figure 43
access-list 5 permit 192.168.0.0 0.0.255.255 – This is a standard ACL that selects which source addresses are eligible for translation: all devices on the 192.168.0.0 (internal LAN) networks and on the 10.10.0.0 (Public-WIFI) network. The line quoted here only matches 192.168.0.0/16, so a second permit statement covering the Public-WIFI range is required for guest traffic to be translated as well. This ACL was placed on the Dundalk router. The commands for this can be seen in Figure 43.
Figure 44
ip nat inside source list 5 interface Serial0/0/1 overload – This command enables PAT on the router; without the overload keyword only one-to-one dynamic NAT would be enabled. It states that the source address of any packet matched by access-list 5 is translated to the address of the s0/0/1 interface when leaving that interface. All private addresses are given the same public address and are told apart by port number. This command can be seen in Figure 44.
ip nat inside source static tcp 192.168.100.13 80 200.100.0.1 80 – This is the static NAT (port forwarding) command. It maps TCP port 80 on the public address 200.100.0.1 to TCP port 80 on the web server at 192.168.100.13, so HTTP requests arriving from the Internet for 200.100.0.1 are forwarded to the web server; traffic to any other port is not covered by this mapping.
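To show what the translation table in Figure 41 and the static mapping actually do, here is a small Python model of the Dundalk router's PAT (an added example, not part of the project): an inside ACL decides which sources are translated, outbound packets get the outside address and a unique port, and inbound packets are only forwarded when they match a dynamic entry or the static port-80 mapping. The addresses follow the page (outside 200.100.0.1, web server 192.168.100.13); the packets, the class name PatRouter and the inclusion of 10.0.0.0/16 in the inside list are assumptions of this example.

```python
# PAT (NAT overload) plus a static TCP port forward, modelled as the router's
# translation table. Added example, not the project's code; packets are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "200.100.0.1"                        # Serial0/0/1 on the Dundalk router
INSIDE_NETS = ["192.168.0.0/16", "10.0.0.0/16"]   # what access-list 5 should permit (10/16 assumed)
STATIC_TCP = {80: ("192.168.100.13", 80)}         # ip nat inside source static tcp ... 80 ... 80


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp" (for ICMP, treat the echo identifier as the port)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, outside_ip: str, inside_nets: List[str],
                 static_tcp: Dict[int, Tuple[str, int]]):
        self.outside_ip = outside_ip
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        self.static_tcp = dict(static_tcp)
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, global port) -> (inside ip, port)
        self.by_inside: Dict[Tuple[str, str, int], int] = {}       # (proto, inside ip, port) -> global port

    def _is_inside(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in self.inside_nets)

    def _alloc_port(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when free (as IOS does), else take the next one."""
        port = wanted
        while (proto, port) in self.dynamic or (proto == "tcp" and port in self.static_tcp):
            port = port + 1 if port < 65535 else 1024
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Inside -> outside: sources matched by the NAT ACL get the outside IP and a unique port."""
        if not self._is_inside(pkt.src_ip):
            return pkt                          # not in access-list 5: forwarded untranslated
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:           # first packet of a session creates the entry
            gport = self._alloc_port(pkt.proto, pkt.src_port)
            self.dynamic[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
            self.by_inside[key] = gport
        return replace(pkt, src_ip=self.outside_ip, src_port=self.by_inside[key])

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the translated packet, or None when the router drops it."""
        if pkt.dst_ip != self.outside_ip:
            return None
        if pkt.proto == "tcp" and pkt.dst_port in self.static_tcp:   # static port forward
            ip, port = self.static_tcp[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        entry = self.dynamic.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                         # unsolicited: no translation entry, dropped
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

    def translations(self) -> List[Tuple[str, str, str]]:
        """Rows in the style of 'show ip nat translations': (proto, inside local, inside global)."""
        rows = [("tcp", f"{ip}:{p}", f"{self.outside_ip}:{gp}")
                for gp, (ip, p) in self.static_tcp.items()]
        rows += [(proto, f"{ip}:{p}", f"{self.outside_ip}:{gp}")
                 for (proto, gp), (ip, p) in self.dynamic.items()]
        return rows


def demo() -> PatRouter:
    """Two inside hosts use the same source port; PAT keeps them apart by global port."""
    r = PatRouter(OUTSIDE_IP, INSIDE_NETS, STATIC_TCP)
    r.inside_to_outside(Packet("tcp", "192.168.5.21", 50000, "200.100.0.2", 80))
    r.inside_to_outside(Packet("tcp", "192.168.2.10", 50000, "200.100.0.2", 80))
    return r


if __name__ == "__main__":
    for row in demo().translations():
        print(*row)
```

The model makes three points from the text visible: a packet from Dublin's 172.16.5.0/24 arriving over the Frame Relay link is not in access-list 5 and leaves untranslated; an inbound packet to port 22 on 200.100.0.1 has no table entry and is dropped; and an inbound packet to port 80 is forwarded to the web server by the static mapping regardless of who sent it, which is why the static entry, not NAT in general, is the part that needs a firewall or ACL in front of it.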
Test Connectivity
Connectivity can now be tested by sending a ping from an internal PC on the network out to the Internet server. These tests were successful. Pings were then sent from the Internet back in to machines on the internal LAN; these pings failed, as they should, since there is no translation for them. Another test is to send a ping from the Internet server to the internal web server; this ping was successful, as expected, since an inbound static NAT statement was written for the web server.
Figure 45
Another test is to connect a PC off the Internet server and try to access the internal PayPal web server. This is done by opening the web browser and entering the address of the outgoing serial interface on the Dundalk router facing the Internet server. The result of this test is shown in Figure 46.
Figure 46
The public PC does not reach the web server itself because of the NAT constraints, but hosts on the LAN can: entering the address 192.168.100.13 (the web server) in the browser of any PC on the internal LAN brings up the PayPal web page.
Frame Relay
Frame Relay is a packet-switched WAN service designed for cost-efficient data transmission between LANs and between endpoints in a WAN. Frame Relay uses virtual circuits, so multiple connections may share the same physical link to the provider. Because of these virtual circuits multiple sites can be connected over one access line, which is why Frame Relay is often used as the backbone between sites. Frame Relay places the data into a variable-sized unit called a frame and leaves error recovery to the endpoints, which speeds up overall data transmission.
Frame Relay does not reserve a dedicated path or guarantee a fixed delay during transmission, so it is not ideal for voice and video, which need a steady flow of frames. Frame Relay operates at the data link layer (Layer 2) of the OSI model. As mentioned above, Frame Relay can connect multiple sites over a WAN; each virtual circuit is labelled on a given link by a Data Link Connection Identifier (DLCI). A DLCI is only locally significant: it identifies the circuit on that router's link to the provider, and the provider's switches map it to the DLCI used at the far end. When Frame Relay connects two sites as in this project (Dundalk and Dublin), several DLCIs are used.
Frame Relay in the PayPal & eBay Network Build
Frame Relay will be used in this network build to provide a WAN connection between the sites in Dundalk and Dublin. The connection gives hosts at the Dublin site access to the Dundalk site and vice versa. This connection is very important because the HQ in Dublin requires a secure connection back to Dundalk to transfer confidential data over the WAN. The link will serve as a backbone between the two sites, forming one single network.
Configuring Frame Relay
Frame Relay configuration in Packet Tracer is done via the cloud: the commands must be entered on each serial interface on the cloud and on each router at either end of the Frame Relay connection. Serial 0/0/0 will be used on each of the routers; the commands to configure Frame Relay on those interfaces are:
encapsulation frame-relay ietf – This sets the encapsulation on the selected interface to Frame Relay using the IETF frame format. The encapsulation must be the same on both sides of the WAN connection; in this case ietf is used on both sides.
frame-relay lmi-type ansi – This sets the LMI (Local Management Interface) type to ANSI; it must match what the provider (here the cloud) uses. The default LMI type on Cisco routers is cisco. The LMI is the signalling between the router and the Frame Relay switch that reports the status of the virtual circuits.
Once the above commands have been entered on the serial ports, the cloud is ready to be configured. The cloud configuration can be seen in Figure 47.
Figure 47
To configure the Frame Relay cloud, click on it and select the Config tab at the top, then select the interface to be configured. In this network build Serial 0 is on the Dundalk side and Serial 1 on the Dublin side. Tick the box so that the port status is on and change the LMI type to ANSI. Enter a DLCI number and a name; in this case the Dundalk-Dublin link was given DLCI 200 and the Dublin-Dundalk link DLCI 300. The cloud configuration for the Dublin side (Serial 1) can be seen in Figure 48.
Figure 48
This configuration is mostly the same as for Serial 0, but different DLCI values have been added: on this side the Dundalk-Dublin link has DLCI 100 and the Dublin-Dundalk link DLCI 400.
Figure 49
The next part of the configuration is to map the DLCIs together to form a full-duplex link between the sites; this can be seen in Figure 49. While still in the Config tab click on Frame Relay under the Connections heading, which is where the mapping is done. A port and a DLCI must be selected on each side to map them together: Serial 0 is mapped onto Serial 1 and Serial 1 onto Serial 0.
Test Connectivity
To test that Frame Relay was configured correctly, a ping was sent from the Dundalk site to the Dublin site and vice versa. These pings were successful, so Frame Relay has been configured successfully.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) allows data to be sent from one site to another through an encrypted tunnel over a shared network such as the Internet. With an IPsec tunnel each original packet is encrypted and wrapped in a new packet addressed between the two tunnel endpoints, so an outsider on the path sees only the routers' addresses and ciphertext, not the internal source and destination addresses or the data. A VPN will be configured on the serial interfaces of the Dundalk and Dublin routers; the configuration necessary to set it up can be seen below.
VPN Configuration
In this network build the VPN will be configured on the same link as the Frame Relay WAN link (the serial 0/0/0 interface). An ACL selects the traffic that goes into the tunnel: traffic between the IT VLAN in the Dundalk site and the IT VLAN in the Dublin site. A VPN could be used to connect the whole of each LAN together, but this build already has that connection over Frame Relay, so the VPN is used to give the two sites a protected path, so that the confidential data crosses the WAN link only in encrypted form. The commands necessary to set up the VPN connection can be seen in Figure 50.
Figure 50
crypto isakmp policy 10 – This creates an Internet Security Association and Key Management Protocol (ISAKMP, i.e. IKE phase 1) policy with priority number 10. The policy defines how the two routers authenticate each other and agree the keys that protect the tunnel; the data itself is encrypted with keys derived from this exchange.
encr aes – This sets the encryption algorithm for the ISAKMP negotiation to the Advanced Encryption Standard (AES).
authentication pre-share – This tells the router to authenticate the peer using a pre-shared key, which must be configured identically on both ends of the VPN (see the crypto isakmp key command below).
group 2 – This selects Diffie-Hellman group 2 (1024-bit MODP) for the key exchange. Group 2 is considered too weak for new deployments; on real equipment a stronger group such as 14 or higher should be used.
crypto isakmp key Password address 200.20.0.2 – This sets the pre-shared key to the string Password for the peer at 200.20.0.2. The key is never sent across the link; both routers must have the same key configured. A short dictionary word like Password is suitable only for a lab; in production the key should be long and random.
crypto ipsec transform-set MySet esp-3des esp-sha-hmac – This defines a transform set named MySet, the settings used for the IPsec (phase 2) security association: ESP with 3DES for encryption and SHA-1 HMAC for integrity. Note that this means the tunnel data is protected with 3DES even though AES was chosen for the ISAKMP policy; on real equipment esp-aes would be the better choice.
crypto map MyMap 10 ipsec-isakmp – This creates entry 10 of the crypto map MyMap and states that the IPsec security associations for it are to be negotiated by ISAKMP/IKE.
set peer 200.20.0.2 – This sets the IP address of the interface on the other side of the VPN tunnel.
set transform-set MySet – This specifies that the crypto map entry uses the transform set MySet.
match address 100 – This specifies that ACL 100 selects the traffic to be encrypted by this entry.
access-list 100 permit ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255 – This is the ACL referenced by the match address command. Traffic from the IT staff VLAN in Dundalk to the IT staff VLAN in Dublin matches it and is sent through the encrypted tunnel; the Dublin router needs the mirror-image ACL (172.16.5.0 to 192.168.5.0). Finally the crypto map is applied to the serial interface with the interface command crypto map MyMap, which is what activates it.
Virtualisation
Virtualisation is the process of creating and managing logical computing resources from the available physical resources. Virtualisation software creates a layer between workloads and the underlying physical hardware. Once installed, virtualised resources such as CPUs, memory and disk storage can be pooled and provisioned to workloads without regard for their physical location in a company. When creating a virtual machine, the RAM and the hard drive need to be decided upon; the hard drive can be fixed size or dynamically allocated. With a fixed-size disk the space allocated can only be used by the virtual machine: the host cannot use it once it has been assigned. With a dynamically allocated disk the virtual machine is not given a specific part of the host's disk up front; the disk image grows as the virtual machine writes data, up to the maximum size chosen. The virtual machine's hard drive is saved as a VDI file, which can be backed up to keep a copy of the machine's current state. When allocating RAM to a virtual machine it is important to remember that the RAM allocated cannot be used by the host while the virtual machine is running. Virtualisation is mainly used in business today to centralise system administration and management tasks, to optimise the use of computing resources and to support workload scalability.
In this network build all the virtual machines will be created using Oracle VirtualBox. To form a virtual network, the machines must all use the same network adapter setting. Keeping the adapter in internal-network mode prevents accidents such as the DHCP server handing out addresses to users of the college WiFi and taking the whole WiFi network down. The network settings used can be seen in Figure 51.
Figure 51
The PayPal and eBay Virtual Network
Figure 52 (reconstructed from the diagram): the virtual network runs in Oracle VirtualBox on a GIGABYTE laptop (Windows 10 64-bit, i7 processor, 16 GB RAM) and consists of five virtual machines:
- Windows Active Directory Server: Active Directory standalone server.
- Windows Services Server: DNS, DHCP, File Service, SMTP email service, WSUS and IIS web server; linked to the AD domain.
- Windows 7 Client: Windows 7 64-bit; linked to the AD domain; shared folders; web service.
- Ubuntu Server: Apache web service; Samba file share; linked to the AD domain.
- Ubuntu Client: Ubuntu 14.04; shared folders; Apache web service.
Windows Server 2012 Active Directory Server
Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. AD provides a common interface for maintaining and organising information about the resources connected to the network. AD has a hierarchical framework: each node in the tree-like structure is referred to as an object and represents a network resource such as a user or a service. AD is an LDAP (Lightweight Directory Access Protocol) compliant database of objects; the most commonly used objects are users, groups and computers. These objects can be organised into organisational units (OUs), and Group Policy Objects (GPOs) can be linked to the OUs to centralise the settings for different users or computers in a company.
Active Directory Terminology
Domain – The AD domain is the core structural unit of Active Directory. It contains the OUs and represents an administrative, security and policy boundary. Small to medium companies usually have one domain, whereas larger companies can have many domains spanning different geographical locations.
Organisational Unit – An OU is an Active Directory container used to organise a network's users and resources into logical administrative units. An OU can contain AD objects such as users, groups, computers, printers, shared folders and domain controllers.
Forest – A forest is a collection of one or more AD trees that share a common AD environment (schema and configuration). All domains in all trees can communicate and share information. A forest can consist of a single tree with a single domain, or of several trees, each with a hierarchy of parent and child domains.
Tree – A tree is a grouping of domains that share a common naming structure. A tree can consist of a parent domain and one or more child domains.
User – A user is a user account in AD. A user account object contains information such as group memberships, account restrictions and the profile path.
LDAP Attributes – Attributes hold the data of an object. Every attribute is defined in the schema, and its syntax is specified using ASN.1 notation. Some common LDAP attributes can be seen in Figure 53.
Figure 53
Groups – A group object represents a collection of users who share common rights or permissions. Groups are used to assign permissions to their members, which is more efficient than assigning permissions to each user individually. The two group scopes used here are global and domain local (universal groups also exist).
Global Group – A global group is used to organise users, computers and groups from the same domain that have similar access rights or permissions. It is considered global because it can be made a member of a domain local group in any domain of the forest. A global group is usually created for each domain, location or department.
Domain Local Group – A domain local group is the group scope recommended for assigning rights and permissions to domain resources. A domain local group can contain groups from other domains, and it can be assigned rights and permissions only to resources within its own domain.
Group Policy – Group Policy is used to configure and manage computers and users in a domain. Configurations are defined, enforced and updated using Group Policy, which gives a system administrator the ability to set rules that control the working environment of end users and their computers. It centralises the administration, management and configuration of operating systems, applications and users in AD and is also used to enforce security settings.
Active Directory in the PayPal and eBay Network
The PayPal and eBay network build requires an AD design implemented on the company system to apply resource privileges to the employees' user accounts. The companies consist of many departments, and each user will be placed in an OU based on their department. This makes applying Group Policy and resource permissions easier, since restrictions can be placed on each department rather than on each individual user. User accounts will be made members of global groups based on their department, and these global groups will be made members of domain local groups. The domain local groups are what are granted permissions on resources, so they dictate the privileges the members of the global groups have (the AGDLP pattern: accounts into global groups, global groups into domain local groups, permissions on the domain local groups). Two scripts will be used in this network build: one for the design and implementation of AD, and a logon script that maps the required shares to network drives when a user logs on to a client machine.
Active Directory Structure for the PayPal and eBay Network
(Reconstructed from the diagram.)
GTDOMAIN.COM – Domain
  PayPal – Parent OU
    Accounting – Child OU
    Call Centre Staff – Child OU
    IT – Child OU
    Users – Container (example users: Gavin Tinnelly, John Burke, Declan Lambe)
    Groups – Container
      Domain local groups: dl_accounting, dl_CallCentreStaff, dl_IT
      Global groups: gl_accounting, gl_IT, gl_CallCentreStaff
    Computers – Container: PayPal-PC1, PayPal-PC2, PayPal-PC3, PayPal-PC4, PayPal-PC5, PayPal-PC6
Active Directory Script
The PayPal and eBay AD structure will be implemented via one script. Scripting is used to implement
actions that would usually be done using the GUI. Scripting ensures consistency in a company as it
reduces the time spent on repetitive tasks, allows the management of user and computer accounts
from the IT administrators desktop, allows the starting and stopping of processes and it automates the
setup, and deployment and management of servers and desktops. Scripting for this assignment was
done on PowerShell, it is an object-based management engine based on the .NET framework. Some
important sections of code from the AD script can be seen below. The full PowerShell AD script can
be seen in Appendix H.
Creating the Parent OU
This was done by first binding to the domain object through ADSI. A prompt asks the user what the
parent OU should be called, and the new OU is then saved to the domain.
# Bind to the domain naming context through ADSI
$objDomain = [ADSI] "LDAP://dc=GTDOMAIN,dc=com"
$newOrganizationalUnit = read-host "what is the parent ou called?"
# Create the OU object under the domain; nothing is written to AD until SetInfo() is called
$objOU = $objDomain.create("organizationalUnit","ou=$newOrganizationalUnit")
$objOU.SetInfo()
Creating the Child OUs
This was done by creating each child OU inside the parent OU on the domain.
ou=$newOrganizationalUnit is the OU the user entered at the prompt above. This step was repeated
until the six child OUs were created.
# Bind to the parent OU created in the previous step
$objDomain = [ADSI] "LDAP://ou=$newOrganizationalUnit,dc=GTDOMAIN,dc=com"
$newOrganizationalUnitAcc = read-host "what is the first child ou called?"
# Create the child OU under the parent and commit it
$objOU = $objDomain.create("organizationalUnit","ou=$newOrganizationalUnitAcc")
$objOU.SetInfo()
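The parent and child OU steps above, as one added example that is not the project's own script: it uses the ActiveDirectory module's New-ADOrganizationalUnit instead of ADSI, takes the OU names and the GTDOMAIN.com domain from the structure diagram, and checks for an existing OU before creating one so the script can be re-run safely. The function name New-OUIfMissing is an assumption of this example.

```powershell
# Added example (not from the original script): build the PayPal OU tree from the diagram.
# Requires the ActiveDirectory module (RSAT) and an account allowed to create OUs.
Import-Module ActiveDirectory

$domainDN = 'DC=GTDOMAIN,DC=com'      # domain from the page
$parentOU = 'PayPal'                  # parent OU from the diagram
# The six child OUs from the diagram
$childOUs = 'Accounting', 'Call Centre Staff', 'IT', 'Users', 'Groups', 'Computers'

function New-OUIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDN
    )
    # Re-running the script must not fail or create duplicates, so look before creating.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $ParentDN -SearchScope OneLevel
    if ($existing) {
        Write-Verbose "OU already exists: $($existing.DistinguishedName)"
        return $existing
    }
    # ProtectedFromAccidentalDeletion stops a mis-click or a bad script from
    # removing a whole branch of the directory (and everything linked to it).
    return New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
        -ProtectedFromAccidentalDeletion $true -PassThru
}

$parent = New-OUIfMissing -Name $parentOU -ParentDN $domainDN
foreach ($child in $childOUs) {
    New-OUIfMissing -Name $child -ParentDN $parent.DistinguishedName | Out-Null
}

# List the resulting tree so it can be checked against the diagram.
Get-ADOrganizationalUnit -Filter * -SearchBase $parent.DistinguishedName |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

Run this from an elevated PowerShell session on a domain-joined machine with RSAT installed; the final listing should show PayPal and its six child OUs, and running it a second time reports the OUs as already existing instead of erroring.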
Creating Global Groups
This was done via a while loop. The loop asks the user how many global groups they want to
create and what each group should be called. The global group is then placed inside the
Groups OU inside the parent OU: ou=$newOrganizationalUnitGroup is the child OU for groups and
ou=$newOrganizationalUnit is the parent OU. The cmdlet New-ADGroup is used to set the name of the
group, set the path and make the group a global group.
$globalGroups = read-host "How many global groups do you want?"
# Loop once per group; the counter is decremented at the end of each pass
while($globalGroups -gt 0)
{
$objDomain = [ADSI] "LDAP://dc=gtdomain,dc=com"
# Groups are created in the Groups child OU under the parent OU
$path ="ou=$newOrganizationalUnitGroup,ou=$newOrganizationalUnit,dc=gtdomain,dc=com"
$globalGroupName = read-host "what is the global group called?"
New-ADGroup -Name $globalGroupName -Path $path -GroupScope Global
$globalGroups = $globalGroups - 1
}
Creating Domain Local Groups
This was also done via a while loop. The loop asks the user how many domain local groups they want
and what each domain local group should be called. The domain local groups are then placed inside
the Groups OU inside the parent OU. The code is almost the same as for the global group, but when
assigning the GroupScope, DomainLocal must be entered instead of Global.
$domainLocalGroups = read-host "How many domain local groups do you want?"
while($domainLocalGroups -gt 0)
{
$objDomain = [ADSI] "LDAP://dc=gtdomain,dc=com"
# Same Groups child OU as the global groups
$path ="ou=$newOrganizationalUnitGroup,ou=$newOrganizationalUnit,dc=gtdomain,dc=com"
$domainLocalGroupName = read-host "what is the domain local group called?"
# GroupScope DomainLocal is the only difference from the global group loop
New-ADGroup -Name $domainLocalGroupName -Path $path -GroupScope DomainLocal
$domainLocalGroups = $domainLocalGroups - 1
}
Making Global Groups Members of Domain Local Groups
This was done using the dsmod command. The user is prompted for the global group they want to
make a member of a domain local group. The distinguished name of the domain local group is then
passed to dsmod group, followed by the -addmbr switch and the distinguished name of the global group.
$GlobalGroupNamee = Read-Host "global group for merge"
$domainlocalnamee = Read-Host "domain local for merge"
# dsmod group <target group DN> -addmbr <member DN>: adds the global group to the domain local group
dsmod group "cn=$domainlocalnamee,ou=$newOrganizationalUnitGroup,ou=$newOrganizationalUnit,dc=GTDOMAIN,dc=com" `
    -addmbr "cn=$GlobalGroupNamee,ou=$newOrganizationalUnitGroup,ou=$newOrganizationalUnit,dc=GTDOMAIN,dc=com"
Adding Folders to the C Drive and Sharing These Folders
This was done by creating a variable called $path that holds the path to a folder for each user. The
folders were created with md, and the PayPal folder was then shared using the New-SmbShare cmdlet,
specifying the folder path followed by the access rights.
# One folder per user under C:\PayPal
$path = "c:\PayPal\Gavin_Tinnelly","c:\PayPal\Declan_Lambe","c:\PayPal\John_Burke","c:\PayPal\James_Carey","c:\PayPal\Anthony_Gonnelly","c:\PayPal\Ellen_Keenan"
# -Force creates missing parent folders and does not error if a folder already exists
md $path -Force
# Share the parent folder: Administrator gets full access, Users get read access
New-SmbShare -name PayPal -Path "c:\PayPal" -FullAccess Administrator -ReadAccess Users
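The folder and share step above, as an added example that is not the project's own script. The page's share gives every member of Users read access to the whole PayPal folder, so each person's folder is readable by everyone; this version keeps the same C:\PayPal layout and user folder names but sets an NTFS ACL on each user folder that admits only that user, Administrators and SYSTEM, then shares the root to the dl_* groups from the diagram. The GTDOMAIN\<folder name> account mapping, the Set-PrivateFolderAcl function and the choice of ChangeAccess for the groups are assumptions of this example.

```powershell
# Added example (not from the original script): per-user folders with least-privilege NTFS ACLs,
# then one SMB share over the root. Run elevated on the file server.
$root   = 'C:\PayPal'                                            # share root from the page
$domain = 'GTDOMAIN'
# Folder names from the page; assumed to match each user's sAMAccountName
$users  = 'Gavin_Tinnelly', 'Declan_Lambe', 'John_Burke', 'James_Carey', 'Anthony_Gonnelly', 'Ellen_Keenan'

New-Item -ItemType Directory -Path $root -Force | Out-Null

function Set-PrivateFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $Account   # DOMAIN\user
    )
    $acl = Get-Acl -Path $Folder
    # Stop inheriting from C:\PayPal so a read ACE on the root cannot leak into this folder,
    # and discard (rather than copy) the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $propagate, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $propagate, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule($Account,                 'Modify',      $inherit, $propagate, $allow))
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Folder -AclObject $acl
}

foreach ($u in $users) {
    $folder = Join-Path $root $u
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Set-PrivateFolderAcl -Folder $folder -Account "$domain\$u"
}

# Share permissions and NTFS permissions combine and the more restrictive wins, so granting
# Change on the share is safe: NTFS still confines each user to their own folder.
if (-not (Get-SmbShare -Name 'PayPal' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'PayPal' -Path $root -FullAccess 'BUILTIN\Administrators' `
        -ChangeAccess "$domain\dl_accounting", "$domain\dl_CallCentreStaff", "$domain\dl_IT" | Out-Null
}

# Verify: each user folder should list only Administrators, SYSTEM and that one user.
foreach ($u in $users) {
    (Get-Acl -Path (Join-Path $root $u)).Access |
        Select-Object @{ n = 'Folder'; e = { $u } }, IdentityReference, FileSystemRights |
        Format-Table -AutoSize
}
```

The check at the end is the useful part: if any folder's ACL lists Users or Everyone, inheritance was not broken and the folder is still readable by the whole domain, so the listing is worth keeping as a post-deployment test.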