Cmit350

Submitted By dmann1211
CMIT 350 WAN and SOHO
Skills Implementation

Prepared for:
University of Maryland University College
CMIT 250

Prepared by:
Devin Manning

I. Site “Los Angeles” Challenge and Implementation
The site administrator has requested that the site establish remote IOS storage, remote management of switches, ACL list implementation, and a network time protocol for devices, as described in the site-specific portion of the scenario.
II. Site Solutions and Technologies

* For the remote IOS storage request, the recommended course of action is to establish a remote access server using HTTP/HTTPS rather than the SSH option, mainly because of the security and control it offers over things such as the internet connection to the routers, with respect to both the user database and the source addresses. This protocol also requires timing information to be set up and in place, which complements the network time protocol solution the site has requested. For this request, I would use the SonicWall software to set up this capability, along with the SonicWall UTM appliance provided by the company.
* To address the request for remote management of the switches, the site would need a console cable and a server with an available console port, such as the Cisco Nexus 2228TP GE Fabric Extender expansion module, which is one of the easier servers to use and also provides redundancy. At that point (via hypertext), the commands for the remote settings would be entered using the site's IP address and VLAN information.
* For the ACL implementation, the best method for the site would be extended IP ACLs on the site router, which filters packet addresses solely based on the source, giving the ability to either permit or deny source traffic to the devices, and also adds layer 3 and layer 4 protocol support for UDP, ICMP, and TCP compared to standard ACLs. I suggested this option because extended ACLs provide more tools to secure the network and have the added capability to filter on the destination IP address if necessary. It is also important to note that the optimal placement for extended ACLs is as close to the source router device as possible, in order to stop packets from proliferating throughout the network.
* To solve the network time protocol request for the devices, the best solution would be to establish a dedicated network time server inside the site's firewall, as opposed to a network time protocol setup that operates outside the site's firewall and syncs time from an internet time server. A dedicated network time server is the better option mainly because it offers the best security, since it is behind the site's firewall, and it always makes configuration easier, since the site would not have to constantly reconfigure the firewall settings to allow the devices connected to that network to access the public time server. This option also keeps the servers, network devices, and site workstations in sync to within about 2 milliseconds of each other, due to the minimal latency it provides. For the site, I selected the Fedora software based on its user-friendly setup and use.

III. Sample Configuration
Configuration of the SonicWall software is done mostly by the software wizard, which handles automatic installation and configuration; once it is installed, the settings can be configured by the site administrator. For the hardware configuration, the site server needs to be connected to the SonicWall appliance via a LAN switch, which would then act as a gateway to the internet. The site's server should have a server IP of 10.40.6.10 and a netmask of 255.255.254.0, and the gateway would be determined by the UTM appliance.

For remote management, there are 5 steps to follow in order to set up the server, in this case the Cisco Nexus 2228TP GE Fabric Extender expansion module, to manage the switches remotely. After connecting the console cable to the server and workstation, you would first open the hypertext command and type the enable command followed by the configure terminal command. Next, you would input the command for remote management on the particular system being used, followed by the IP address for the network along with the username and password. You would then repeat the last step for the secondary IP address for the network. Finally, you would use the command show running-config to verify the remote management configuration and, if it is correct, save those changes by using the copy running-config startup-config command.

For ACL list implementation at this site, you would first have to determine which type of list you want to build, such as an IPX access-list, IP access-list, etc. Once a list has been made, you would then permit or deny IP addresses for standard ACLs, but extended ACLs have the extended capability to block source ports, destination IP addresses, destination ports, etc.

To establish the Network Time Protocol for the site using Fedora, first verify that the NTP server is able to be used by inputting the command ntpdate. Next, when a preferred server is found, the next command to be entered would be ntpdate server_address… which should set the system time unless a message showing that there was an error is displayed.

IV. Supporting Tables/Diagrams

Remote Management Command Table:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | config t | Enters into CLI global configuration mode. |
| Step 2 | nexus2228tp-system remote-mgmt primary ip ipaddr username username password password | Sets up the remote management in the running configuration of the primary Cisco Nexus 2228TP. ipaddress: the IP address of the CIMC management port. username: the admin username for the CIMC management software. password: the admin password for the CIMC management software. |
| Step 3 | nexus2228tp-system remote-mgmt secondary ip ipaddr username username password password | Sets up the remote management in the running configuration of the secondary Cisco Nexus 2228TP. ipaddress: the IP address of the CIMC management port. username: the admin username for the CIMC management software. password: the admin password for the CIMC management software. |
| Step 4 | show running-config | Displays the running configuration also including the remote management configuration for verification. |
| Step 5 | copy running-config startup-config | Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. |

Example (Step 1):

    switch# config t
    switch(config)#

Example (Step 2):

    switch(config)# nexus2228tp-system remote-mgmt primary ip 10.40.0.1 username admin password *************
    switch(config)#

Example (Step 3):

    switch(config)# nexus2228tp-system remote-mgmt secondary ip 10.40.0.1 username admin password **************
    switch(config)#

Example (Step 4):

    switch(config)# show running-config
    !Command: show running-config
    !Time: Sat Jun 25 03:01:55 2011
    version 4.2(1)SP1(2)
    no feature telnet
    username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator
    network-uplink type 1
    nexus2228tp-system remote-mgmt primary ip 10.40.0.1 username admin password ***************
    nexus2228tp-system remote-mgmt secondary ip 10.40.0.1 username admin password ***************
    interface mgmt0
    ...
    switch(config)#

Example (Step 5):

    switch(config)# copy running-config startup-config

ACL List Implementation

Standard ACL (Example):

    access-list 5 deny 172.16.2.2 0.0.0.0
    access-list 5 permit 172.16.3.0 0.0.0.0
    access-list 5 deny any

Extended ACL (Example):

    access-list 125 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
    access-list 125 deny ip 172.16.3.0 0.0.0.255 host 172.16.5.1 log
    access-list 125 permit tcp 172.17.3.0 0.0.0.255 eq 70 any log
    access-list 125 deny udp 172.16.7.0 0.0.0.127 172.16.8.0 0.0.0.31 eq 55 log
    access-list 125 deny icmp any any host-unreachable
    access-list 125 permit ip any any
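To check what the extended ACL 125 example actually permits and denies, the following added example (not part of the original essay and not Cisco code) models first-match evaluation with wildcard masks in Python. The function names and the test packets used with it are assumptions made for illustration, and only the keywords that appear in ACL 125 are handled.

```python
import ipaddress

# Extended ACL 125, copied from the essay's example above.
ACL_125 = """\
access-list 125 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 125 deny ip 172.16.3.0 0.0.0.255 host 172.16.5.1 log
access-list 125 permit tcp 172.17.3.0 0.0.0.255 eq 70 any log
access-list 125 deny udp 172.16.7.0 0.0.0.127 172.16.8.0 0.0.0.31 eq 55 log
access-list 125 deny icmp any any host-unreachable
access-list 125 permit ip any any
"""

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def _port(tok):
    """Consume an optional 'eq N' qualifier; return (port or None, rest)."""
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse(text):
    """Turn 'access-list N ...' lines into match tuples, in order."""
    rules = []
    for line in text.splitlines():
        action, proto, *tok = line.split()[2:]   # drop 'access-list 125'
        src, tok = _addr(tok)
        sport, tok = _port(tok)
        dst, tok = _addr(tok)
        dport, tok = _port(tok)
        icmp = tok[0] if proto == "icmp" and tok and tok[0] != "log" else None
        rules.append((action, proto, src, sport, dst, dport, icmp))
    return rules

def _match(spec, ip):
    base, wild = spec                     # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp=None):
    """Return (action, 1-based entry number) of the first matching entry."""
    for n, (action, p, s, sp, d, dp, ic) in enumerate(rules, 1):
        if (p in ("ip", proto) and _match(s, src) and _match(d, dst)
                and sp in (None, sport) and dp in (None, dport)
                and ic in (None, icmp)):
            return action, n
    return "deny", 0                      # implicit deny ends every ACL
```

Running sample packets through it shows two things worth reviewing in the list: the wildcard 0.0.0.127 in the UDP entry covers only hosts .0 to .127, and the final `permit ip any any` means the implicit deny is never reached.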

Network Time Protocol

ntpdate -q server_address

Example

    ~]$ ntpdate -q 0.fedora.pool.ntp.org
    server 10.255.255.25, stratum 2, offset -39.275438, delay 0.16083
    server 165.128.63.2, stratum 2, offset -39.269122, delay 0.17191
    07 Oct 17:41:09 ntpdate[10619]: step time server 10.255.255.25 offset -39.275438 sec

ntpdate server_address…

Example

    ~]# ntpdate 0.fedora.pool.ntp.org 1.fedora.pool.ntp.org
    17 Oct 17:42:13 ntpdate[10669]: step time server 204.15.208.61 offset -39.275436 sec
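The verification step described above can be automated. This added example (not part of the original essay) parses `ntpdate -q` output in Python and reports unusable servers, disagreement between servers, and offsets large enough that ntpdate would step the clock instead of slewing it. The function names and the `max_spread` tolerance are assumptions chosen for illustration.

```python
import re

# Output copied from the essay's `ntpdate -q` example above.
SAMPLE = """\
server 10.255.255.25, stratum 2, offset -39.275438, delay 0.16083
server 165.128.63.2, stratum 2, offset -39.269122, delay 0.17191
07 Oct 17:41:09 ntpdate[10619]: step time server 10.255.255.25 offset -39.275438 sec
"""

LINE = re.compile(r"server (\S+), stratum (\d+), offset (-?[\d.]+), delay ([\d.]+)")
STEP_THRESHOLD = 0.5   # seconds; ntpdate steps the clock above this error, slews below it

def parse_query(text):
    """Return one dict per 'server ...' line of ntpdate -q output."""
    return [{"server": m[1], "stratum": int(m[2]),
             "offset": float(m[3]), "delay": float(m[4])}
            for m in LINE.finditer(text)]

def assess(text, max_spread=0.128):
    """Summarise a query; max_spread (seconds) is an assumed tolerance."""
    servers = parse_query(text)
    # Stratum 0 (no reply) and 16 (unsynchronised) are not usable time sources.
    usable = [s for s in servers if 0 < s["stratum"] < 16]
    findings = []
    if len(usable) < len(servers):
        findings.append("unsynchronised or unreachable server in list")
    if not usable:
        return {"usable": 0, "worst_offset": None,
                "findings": findings + ["no usable server"]}
    offsets = [s["offset"] for s in usable]
    worst = max(offsets, key=abs)
    if abs(worst) > STEP_THRESHOLD:
        findings.append("clock would be stepped, not slewed")
    if max(offsets) - min(offsets) > max_spread:
        findings.append("servers disagree with each other")
    return {"usable": len(usable), "worst_offset": worst, "findings": findings}
```

On the essay's sample output, both servers are usable and agree with each other, and the roughly 39-second offset is flagged as a step, which is worth noting because a stepped clock shifts timestamps in device logs.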

