Title: ACACIA ELEMENTARY SCHOOL Washington School District
1 ACACIA ELEMENTARY SCHOOL Washington School District
- Dave Soltesz, Chris Chapman
- Tracy Chenoweth, Mike Weglein
2 User Requirements Document
- WAN
- Implement WAN to provide connection between all schools in district
- Provide Internet access to all users.
- 7-10 year life
- Tech. Specifications
- WAN core is a 3-router model
- Routers at each school filter traffic to core
- Enterprise servers at District MDF for DNS/email services provided in hierarchical manner, located on master server at district office and on hubs
- 1 Mbps access (min) to all users
- Ethernet Technology
- Extended star topology
- Network Administrator to have remote access via ISDN
- LAN
- 3 Enterprise servers at MDF
- 24 Curriculum LAN access points and 1 Admin LAN point in each room
- Secured wiring closets in each room
- Separate broadcast domains for administration, teachers, students
3 WAN to LAN Two Layer Design
- WAN TOPOLOGY
- 2-Layer WAN Topology for District
- Three regional hubs should be established (one each at the District Office/Data Center, the Service Center, and Shaw Butte Elementary School) in order to form a fast WAN core network.
- District Needs
- 4 T-1 lines interconnect core WAN
- 1 T-1 line from core WAN to each school
- District uses Frame Relay to Internet ISP
- ISDN for one remote site
- LAN TOPOLOGY
- Acacia Elementary will use an Extended Star
- One MDF and two IDFs will be used
- Switching technology will be used throughout.
- 1000 Base FX connects the MDF to the IDFs
- 100 Base TX connects the MDF and IDFs to the classroom
- 1000 Base FX connects the school trailers to IDF-2
4 WAN Overview
5 WAN Summary
Routers at the district level have 3 8-port PRI cards to handle T1 connections. 19 are being used (5 for expansion). Routers at the school level have a 4-port PRI card for the T1 connection. One is being used (3 for expansion). Since we're running frame relay to the cloud, we have a serial connection to the Internet. The Cisco 3662 router is the DTE that connects our WAN. We have a frame relay connection to the Internet at 1.544 Mbps. Frame relay can handle higher speeds in the future if we need to upgrade our speed. WAN traffic will travel around the three district hubs and back and forth from individual school to district hub. Around the three district hubs, we have four T1 lines connecting them. From district hub to each school, we have one T1 line. Our WAN POP is at the District Center. We have no redundancy for connecting to the Internet.
6 Washington School District
District Office, Service Center, Shaw Butte, Acacia
The detailed IP scheme of the Washington School District is as follows:
Class B IP number assigned by ICANN: 150.5.0.0
AS number of 109
Subnet Mask: 255.255.255.0
District Office / Data Center (Regional Hub)
4 subnets: 150.5.1.0 through 150.5.4.0
The first subnet is used for administrative users. Currently 75 users, so the host numbers will be taken from the higher half of the subnet, 150.5.1.128 through 150.5.1.254. Three full subnets are reserved for local expansion.
7 Router Name: DODCRegHub; Router: 3662 with 3 8-port T1 cards
E0 150.5.1.1 Used for administration
E1 150.5.2.1 Used for DNS/email/web server
S0 150.5.0.0 Used for frame relay out to the cloud
PRI0 150.5.141.1 T1 connection to Service Center
PRI1 150.5.142.1 T1 connection to Service Center
PRI2 150.5.143.1 T1 connection to Service Center
PRI3 150.5.144.1 T1 connection to Service Center
PRI4 150.5.145.1 T1 connection to Shaw Butte
PRI5 150.5.146.1 T1 connection to Shaw Butte
PRI6 150.5.147.1 T1 connection to Shaw Butte
PRI7 150.5.148.1 T1 connection to Shaw Butte
PRI8 150.5.149.1 T1 connection to local school
PRI9 150.5.150.1 T1 connection to local school
PRI10 150.5.151.1 T1 connection to local school
PRI11 150.5.152.1 T1 connection to local school
PRI12 150.5.153.1 T1 connection to local school
PRI13 150.5.154.1 T1 connection to local school
PRI14 150.5.155.1 T1 connection to local school
PRI15 150.5.156.1 T1 connection to local school
PRI16 150.5.157.1 T1 connection to local school
PRI17 150.5.158.1 T1 connection to local school
PRI18 150.5.159.1 T1 connection to local school
PRI19-23 Reserved for future expansion
| Server | IP address | Type | Access |
| --- | --- | --- | --- |
| DNS/Email | 150.5.2.2 | Enterprise | Entire system |
| Admin | 150.5.1.3 | Enterprise | All Admin/Faculty system wide |
| Library | 150.5.2.4 | Workgroup | Building only |
| Application | 150.5.2.5 | Workgroup | Building only |
8 Service Center (Regional Hub)
4 subnets: 150.5.45.0 through 150.5.48.0
The first subnet is used for administrative users. Currently 75 users, so the host numbers will be taken from the higher half of the subnet, 150.5.45.128 through 150.5.45.254. Three full subnets are reserved for local expansion.
Router Name: SCRegHub; Router: 3662 with 3 8-port T1 cards
E0 150.5.45.1 Used for administration
E1 150.5.46.1 Used for DNS/email/local post office
PRI0 150.5.141.2 T1 connection to District Office
PRI1 150.5.142.2 T1 connection to District Office
PRI2 150.5.143.2 T1 connection to District Office
PRI3 150.5.144.2 T1 connection to District Office
PRI4 150.5.160.1 T1 connection to Shaw Butte
PRI5 150.5.161.1 T1 connection to Shaw Butte
PRI6 150.5.162.1 T1 connection to Shaw Butte
PRI7 150.5.163.1 T1 connection to Shaw Butte
PRI8 150.5.164.1 T1 connection to Acacia
PRI9 150.5.165.1 T1 connection to local school
PRI10 150.5.166.1 T1 connection to local school
PRI11 150.5.167.1 T1 connection to local school
PRI12 150.5.168.1 T1 connection to local school
PRI13 150.5.169.1 T1 connection to local school
PRI14 150.5.170.1 T1 connection to local school
PRI15 150.5.171.1 T1 connection to local school
PRI16 150.5.172.1 T1 connection to local school
PRI17 150.5.173.1 T1 connection to local school
PRI18 150.5.174.1 T1 connection to local school
PRI19-23 Reserved for future expansion
9
| Server | IP address | Type | Access |
| --- | --- | --- | --- |
| DNS/Email | 150.5.45.2 | Workgroup | Building only |
| Admin | 150.5.45.3 | Workgroup | All Admin in building |
| Library | 150.5.46.2 | Workgroup | Building only |
| Application | 150.5.46.3 | Workgroup | Building only |

Acacia School (Connected to Service Center Hub)
4 subnets: 150.5.53.0 through 150.5.56.0
The first subnet is used for administrative/faculty users. Currently 75 users, so the host numbers will be taken from the higher half of the subnet, 150.5.53.128 through 150.5.53.254. The next two subnets are used for 250 student IP numbers assigned through DHCP. The ranges are from 150.5.54.32 through 150.5.54.254 and 150.5.55.32 through 150.5.55.254 (this allows a bank of 446 IP numbers). 4th subnet is reserved for local expansion.
Router Name: Acacia School; Router: 2621 with 1 4-port T1 card
E0 150.5.53.1 Used for administration
E1 150.5.54.1 Used for DNS/email/local post office
PRI0 150.5.164.2 T1 connection to Service Center
PRI1-3 Reserved for future expansion
| Server | IP address | Type | Access |
| --- | --- | --- | --- |
| DNS/Email | 150.5.53.2 | Workgroup | Building only |
| Admin | 150.5.53.3 | Workgroup | All Admin/Faculty in building |
| Library | 150.5.53.4 | Workgroup | Building only |
| Application | 150.5.53.5 | Workgroup | Building only |
| Curriculum | 150.5.54.2 | Workgroup | Building only |
10 Frame Relay Considerations
As previously stated, Frame Relay is used at the Washington School District Data Center / District Office. The Committed Information Rate is 1544 Kbps. Our router acts as the DTE. Instead of sending status inquiries to the frame relay switch to receive a DLCI, we will obtain that number from the service provider. This way, we can input a static frame relay table for the only frame relay connection we need. This will reduce the overhead of our WAN because inverse ARP messages won't have to be exchanged every 60 seconds. At the demarc at the POP of the District Office / Data Center, we would configure frame relay with the following commands:

    DODCRegHub(config)# interface s0
    DODCRegHub(config-if)# encapsulation frame-relay
    DODCRegHub(config-if)# bandwidth 1544
    ! turn off inverse ARP for the DLCI obtained from the service provider
    DODCRegHub(config-if)# no frame-relay inverse-arp ip <dlci>
    ! static mapping in place of the inverse ARP exchange
    DODCRegHub(config-if)# frame-relay map ip <ip addy of service provider> <dlci of same>
11 Equipment
- Routers (3) Cisco 3632 for WAN core upgraded with three eight port fiber blades, two ethernet, two serial. The District Router will also have an ISDN BRI Port.
- Routers (33) Model 2621 for schools upgraded with one four port fiber card
- Routers (1) Model 804 ISDN for alternative school
- Switches (36) Model 3548 Catalyst for WAN core and school MDFs
- Switches (108) Model 2950C-48 (based on 3 IDFs per school)
- Switches (1000) Model 2950-48 (based on 33 schools with 33 classrooms per school)
- Racks (145) 19" Steel Distribution Racks for MDFs and 3 IDFs per building
- APC 1250 UPSs (145)
- Power Distribution Panel (145)
- HCC Patch Panel (2 per closet, 1 per room)
- VCC Patch Panel
- Fiber Dist Enclosure, Rack mount
- Patch Cables, Cables to computers, and miscellaneous cables
12 Equipment Continued
- Two HP 4050 Workgroup printers per building
- Optical fiber: Multi-mode fiber connects MDFs to IDFs and IDFs to trailers
- Cat 7 1000 Mbps from MDF/IDF to desktop
- Servers: Administration, Application, Curriculum
- Dell Power Edge 1300 running Windows 2000 server
- Workstations and Laptops
- 10/100BaseT NICs (workstations). Student NICs turned down to 10 megabytes.
- Windows 2000 Professional
- Novell Client for Admin running Novell Netware 3.12 (802.3) or Novell Netware 4.x (802.2)
13 Estimated District Costs
14 Acacia Elem. Wiring Schematic
15 Acacia Cut Sheet
- Cut sheets were created for the MDF and two IDFs used for Acacia Elementary. The file is in MS Excel.
- Acacia cut.xls
16 PPP Overview
Washington School District uses Point-to-Point Protocol as a WAN protocol. We use PPP as it is a standards-based protocol that is stable and widely in use. PPP has an optional authentication phase that we are choosing to use at this time. We have enabled Challenge Handshake Authentication Protocol (CHAP). At the Acacia router, we will configure PPP like this:

    ! account for the remote router; the password is the shared CHAP secret
    AcaciaSchool(config)# username SCRegHub password class
    AcaciaSchool(config)# interface pri 0
    AcaciaSchool(config-if)# encapsulation ppp
    AcaciaSchool(config-if)# ppp authentication chap

At the district level hubs, the configuration would be similar, but with many more interfaces.
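The CHAP exchange that `ppp authentication chap` enables, as an added example that is not part of the original slides: a Python model of the RFC 1994 challenge/response between AcaciaSchool and SCRegHub. The hub-side entry (`AcaciaSchool` with password `class`) is an assumption, since the slides show only the Acacia side, and the `Peer` class and its method names are illustrative.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Peer:
    """One end of the PPP link (illustrative model, not router code)."""

    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = secrets   # remote hostname -> secret, as in "username X password Y"
        self._pending = {}       # identifier -> challenge sent and not yet answered

    def challenge(self, identifier):
        value = os.urandom(16)   # fresh random challenge for every attempt
        self._pending[identifier] = value
        return {"code": 1, "id": identifier, "value": value, "name": self.hostname}

    def respond(self, chal):
        secret = self.secrets[chal["name"]]   # looked up by the challenger's hostname
        digest = chap_response(chal["id"], secret, chal["value"])
        return {"code": 2, "id": chal["id"], "value": digest, "name": self.hostname}

    def verify(self, resp):
        challenge = self._pending.pop(resp["id"], None)   # each challenge is single-use
        secret = self.secrets.get(resp["name"])
        if challenge is None or secret is None:
            return False
        expected = chap_response(resp["id"], secret, challenge)
        return hmac.compare_digest(expected, resp["value"])

def handshake(authenticator, peer, identifier=1):
    """Challenge -> Response -> verdict; the secret itself never crosses the link."""
    return authenticator.verify(peer.respond(authenticator.challenge(identifier)))

# Constructed peers: the Acacia entry is from the slide, the hub entry is assumed.
acacia = Peer("AcaciaSchool", {"SCRegHub": b"class"})
hub = Peer("SCRegHub", {"AcaciaSchool": b"class"})

if __name__ == "__main__":
    print("hub authenticates Acacia:", handshake(hub, acacia))
    print("Acacia authenticates hub:", handshake(acacia, hub))
```

Authentication succeeds only when both routers hold the same secret under each other's hostname, and a response that has already been verified is rejected because its challenge is consumed.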
17 Protocol implementation
- Routed protocol
- IP
- IPX
- Routing protocol
- IGRP with autonomous system 109
18 Routing Protocol - IGRP
We will use IGRP as the routing protocol on all routers and use static routes where applicable to save WAN bandwidth from sending unnecessary IGRP updates. Our autonomous system number is 109. Each router located in the MDF of each building will have IGRP configured similar to the following (the example is for the Acacia School). Because no traffic will ever have to travel through more than 5 routers before reaching the cloud, we will reduce the maximum hop count from the default of 100 to 10. This will enable the routers to quickly drop packets that can't find their destination on the system network. We will not change the default hold-down timers or update timers.

    AcaciaSchool(config)# router igrp 109
    ! locally connected administration and curriculum networks
    AcaciaSchool(config-router)# network 150.5.53.0
    AcaciaSchool(config-router)# network 150.5.54.0
    ! T1 link to the Service Center hub
    AcaciaSchool(config-router)# network 150.5.164.0
    AcaciaSchool(config-router)# ip default-network 150.5.0.0
    ! lower the hop limit from the default of 100
    AcaciaSchool(config-router)# metric maximum-hops 10
19 IGRP Continued
We could have chosen not to advertise local curriculum networks to reduce IGRP update traffic, but by advertising the networks, we have redundancy for local servers. For example, if the curriculum server of Sunset school is unavailable, we could have the students temporarily access the curriculum server at Acacia school. This would be a temporary solution as it would increase the traffic travelling through the router at the Service Center. For each router located at a regional hub, additional lines would be placed in the configuration advertising the T1 lines (PRI interfaces) directly connected to the router.

    ! T1 links to the District Office
    SCRegHub(config-router)# network 150.5.141.0
    SCRegHub(config-router)# network 150.5.142.0
    SCRegHub(config-router)# network 150.5.143.0
    SCRegHub(config-router)# network 150.5.144.0
    ! T1 links to Shaw Butte
    SCRegHub(config-router)# network 150.5.160.0
    SCRegHub(config-router)# network 150.5.161.0
    SCRegHub(config-router)# network 150.5.162.0
    SCRegHub(config-router)# network 150.5.163.0
20 IPX Routed Protocol
IPX will only be used on the administration computers. It is used to access a server at the District level and administrative server at the school level. The following is the IPX naming convention for the networks (the IP dotted-decimal number was converted to hexadecimal for ease of use).
21 IPX Routing
To configure a router to use IPX, we have to do the following from global config level. This example is for the Regional hub at the Service Center. It has IPX configured for the directly connected administrative network and has to have IPX enabled over the PRI interfaces.

    SCRegHub(config)# ipx routing
    SCRegHub(config)# interface e0
    SCRegHub(config-if)# ipx network 92052D01
    SCRegHub(config-if)# int pri 0
    SCRegHub(config-if)# ipx network 92058300
    SCRegHub(config-if)# int pri 1
    SCRegHub(config-if)# ipx network 92058400
    SCRegHub(config-if)# int pri 2
    SCRegHub(config-if)# ipx network 92058500
    SCRegHub(config-if)# int pri 3
    SCRegHub(config-if)# ipx network 92058600
    SCRegHub(config-if)# int pri 4
    SCRegHub(config-if)# ipx network 9205A000
    SCRegHub(config-if)# int pri 5
    SCRegHub(config-if)# ipx network 9205A100
    SCRegHub(config-if)# int pri 6
    SCRegHub(config-if)# ipx network 9205A200
    SCRegHub(config-if)# int pri 7
    SCRegHub(config-if)# ipx network 9205A300

And so on for the 11 schools connected to this regional hub. Each of their administrative networks would be configured similarly. When finished with interfaces, continue with:

    SCRegHub(config-if)# ipx maximum-paths 2
22 IP ADDRESSING / SUBNETTING
23 Security
- Layer 3 Access Control Lists
- Layer 2 VLANs (2): Administration and Students
- Teachers will use port 1 on each classroom switch for the admin VLAN.
- Administration will use ports 1-24 on the switches at the IDF and MDF for the admin VLAN
- All users will require both usernames and passwords. Must be changed periodically
- Access to enterprise servers controlled by access lists on the router
24 Access Lists
We will use ACLs to control the access of information among the nodes in the network. At the school level, we need to do the following:
- Allow administration/faculty all access
- Allow student access to the DNS/local post office server
- Deny student access to the administration network
- Allow everyone Internet access
This access list will only differ at each individual school by substituting the appropriate student subnet addresses and DNS/email server. This could be accomplished easily by storing the ACLs on an Administration server and having the network administrator telnet in to the routers to change them or email the new lists to the local administrators. For Acacia, the ACL will go on E0 out of 150.5.53.1 (the port connected to the Administration network):

    ! administration/faculty: all access
    access-list 100 permit ip 150.5.53.0 0.0.0.255 any
    ! students: mail (25) and DNS (53) on the DNS/local post office server only
    access-list 100 permit tcp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 25
    access-list 100 permit tcp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53
    access-list 100 permit udp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53
    access-list 100 permit tcp 150.5.55.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 25
    access-list 100 permit tcp 150.5.55.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53
    access-list 100 permit udp 150.5.55.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53
    ! students: no other access to the administration network
    access-list 100 deny ip 150.5.54.0 0.0.0.255 150.5.53.0 0.0.0.255
    access-list 100 deny ip 150.5.55.0 0.0.0.255 150.5.53.0 0.0.0.255
    access-list 100 permit ip 150.5.54.0 0.0.0.255 any
    access-list 100 permit ip any any

This list then needs to be activated on the interface.

    ! E0 is the port connected to the Administration network
    interface e0
    ip access-group 100 out
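First-match evaluation of the Acacia list, as an added example that is not part of the original slides: a small Python evaluator for extended ACL lines of this shape, run over two constructed variants of the student rules, one permitting DNS on TCP port 53 only and one that also permits UDP port 53. The function names and sample host addresses are illustrative, and only one student subnet is included.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)   # contiguous wildcards only
    return ipaddress.ip_network(f"{first}/{netmask}")

def parse(line):
    t = line.split()[2:]                     # drop "access-list 100"
    action, proto = t.pop(0), t.pop(0)
    src, dst = _addr(t), _addr(t)
    port = int(t[1]) if t[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based rule number) of the first matching rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet, port) in enumerate(map(parse, acl), 1):
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action, n
    return "deny", 0                         # implicit deny that ends every ACL

# Constructed from the Acacia rules: one student subnet, DNS permitted on TCP only.
TCP_ONLY = [
    "access-list 100 permit ip 150.5.53.0 0.0.0.255 any",
    "access-list 100 permit tcp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 25",
    "access-list 100 permit tcp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53",
    "access-list 100 deny ip 150.5.54.0 0.0.0.255 150.5.53.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
# Same list with a UDP DNS permit placed ahead of the student deny.
WITH_UDP = TCP_ONLY[:3] + [
    "access-list 100 permit udp 150.5.54.0 0.0.0.255 150.5.53.2 0.0.0.0 eq 53",
] + TCP_ONLY[3:]

if __name__ == "__main__":
    for name, acl in (("tcp only", TCP_ONLY), ("with udp", WITH_UDP)):
        print(name, evaluate(acl, "udp", "150.5.54.40", "150.5.53.2", 53))
```

With the TCP-only variant, a student's UDP DNS query to 150.5.53.2 matches the student-to-admin deny first; a UDP permit only takes effect when it sits ahead of that deny.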
25 Cons
- Expensive solution as multiple switches are used.
- Bottleneck at the connection to the Internet.
- No redundancy from the individual school(s) to the district hubs.
- Extended star topology allows single point of failure (district routers)
26 Pros
- Using high-end routers, switching technology at all schools.
- Operating in a pure switched environment.
- Built in redundancy at the core.
- Media can handle future enhancements without being replaced.
- Network is Functional, Scalable, Adaptable, and Manageable.