EXECUTIVE SUMMARY
Computer networking is an important concern for any organization. The design must leave room for future expansion and make problem diagnosis easy to undertake. Networking is a process that should be undertaken only after careful analysis of organizational needs; this step comes before delving into the technical details of the network. Computer networks allow organizations to communicate effectively and share resources. This paper focuses on the connectivity of the XYZ organization and the provisions for the various subnets that will be created. XYZ's locations are linked by a wide area network (WAN). A WAN is a network that is not restricted to a single geographical location but is confined to the boundaries of a country or state. A WAN connects several LANs and may be limited to one organization or company. WANs have high speeds, and a perfect example is the Internet.
The four main departments in XYZ, namely sales, human resources, finance, and research and development, need to be seamlessly integrated to deliver the best results. The WAN is unreliable and, combined with poor IP configuration, the routing tables and summarization points at the San Francisco campuses are very large. This makes the IP scheme hard to use and, because the scheme is static, expensive to administer.
This paper explores the concerns above and seeks solutions for the benefit of XYZ. It discusses recommendations suitable for accommodating the new locations. Using a VPN-based network, the paper resolves the issue of IP address configuration and accommodates increased network traffic.
INTRODUCTION
For XYZ Corporation to succeed in its business environment, it must operate efficient networks and secure its resources, networks and employees. IP subnet design is a broad area that requires sufficient knowledge to achieve the best working environment. As consultants with a consulting company, we are going to provide the best subnet design for XYZ Corporation so that its resources can be used optimally to achieve the intended purpose.
TECHNICAL ASPECTS
An IP address uniquely identifies a device on an IP network. The address is made up of 32 binary bits, which can be divided into a network portion and a host portion using a subnet mask. The 32 bits are broken down into four octets of 8 bits each. Each octet is written in decimal and separated from the next by a period.
For a TCP/IP wide area network to work efficiently as a collection of networks, the routers that pass packets of data between networks do not know the exact location of the host for which a packet is destined. Routers only identify which network the host is a member of and use the information stored in the routing table to work out how to reach the packet's destination network. Once the packet is delivered to the destination network, it is delivered to the appropriate host.
VPN-BASED SOLUTION
A VPN provides many benefits to an organization. Its implementation at XYZ will guarantee both security and performance. The VPN connects to the outside world via the Internet while securing the Internet traffic and the corporate assets of the organization. Most VPNs are encrypted, so computers and other devices communicate with them over encrypted channels. Employees in all branches will be able to access network resources such as files, applications, and printers through their local area networks without compromising security and privacy. The LANs will be connected to the WAN, and the VPN will concentrate all the servers and other networked resources among them.
Another advantage the VPN offers over a public network is that, through data and user authentication, users can tell whether a communication has been modified in transit. The identity of a remote user operating from a branch must be authenticated before the user is allowed into the network. Unauthorized individuals are locked out, meaning that only authenticated branches of the business gain access to a given project.
ROUTING
Each VPN has a VPN-specific routing table made up of information for that VPN only. A separate routing table per VPN, the VRF, must be created to distinguish Internet routes from VPN routes. A PE router establishes a VRF table for each VPN connecting to a given branch or edge router. A branch can only access the routes in the VRF table that belong to its own VPN. A VRF table is identified by a set of community attributes that mark its routes as belonging to a certain collection of routers. For instance, in the current XYZ business scenario, the route target attribute identifying a route to the San Francisco branch identifies the collection of San Francisco VRF tables to which a PE router distributes routes. The PE router uses the route target to restrict the import of remote routes into its VRF table. Two outcomes are possible when an ingress router receives route advertisements from a directly connected CE router such as the headquarters. If the received route matches the VRF export policy for that VPN, the route is converted into VPN-IPv4 format and assigned a route distinguisher. The route, now carrying the route distinguisher, is announced to the other branch offices in VPN-IPv4 format with a route target attached; the route target, chosen according to the export target policy of the VRF table, is distributed over IBGP sessions configured in the provider's core network. Otherwise, if the route does not match, it is not exported to the other PE routers.
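As an added example (not from the paper or any vendor's code), here is a small Python model of that export/import filtering: a headquarters VRF exports a route with a route target, a San Francisco VRF that imports that target installs it, and a VRF with a different import target never sees it. The RD and RT values (such as 65000:100) and the next-hop addresses are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the VRF export/import step described above. All route
# distinguisher (RD) and route target (RT) values, such as 65000:100, and the
# next-hop addresses are made up for the example.


@dataclass
class Vrf:
    name: str
    rd: str                                       # route distinguisher for this VRF
    export_rt: set = field(default_factory=set)   # RTs attached on export
    import_rt: set = field(default_factory=set)   # RTs accepted on import
    table: dict = field(default_factory=dict)     # prefix -> next hop


@dataclass(frozen=True)
class VpnRoute:
    rd: str                     # RD prepended to form the VPN-IPv4 route
    prefix: str
    next_hop: str
    route_targets: frozenset    # community attributes carried over IBGP


def export_routes(vrf):
    """Ingress PE: a route learned from a CE leaves the VRF as a VPN-IPv4
    route only if the VRF has an export policy; otherwise nothing is sent."""
    if not vrf.export_rt:
        return []
    return [VpnRoute(vrf.rd, prefix, nh, frozenset(vrf.export_rt))
            for prefix, nh in vrf.table.items()]


def import_routes(vrf, advertised):
    """Egress PE: install a VPN-IPv4 route into this VRF only when at least one
    of its route targets is in the VRF's import list. Returns what was added."""
    accepted = {r.prefix: r.next_hop
                for r in advertised if r.route_targets & vrf.import_rt}
    vrf.table.update(accepted)
    return accepted


if __name__ == "__main__":
    hq = Vrf("xyz-hq", "65000:1", export_rt={"65000:100"},
             table={"172.16.0.0/21": "192.0.2.1"})
    advertised = export_routes(hq)
    sf = Vrf("xyz-sf", "65000:2", import_rt={"65000:100"})
    other = Vrf("other-customer", "65000:9", import_rt={"65000:200"})
    print("San Francisco VRF learns:", import_routes(sf, advertised))
    print("unrelated VRF learns:   ", import_routes(other, advertised))  # {}
```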
ROUTING ON VPN CLIENT SIDE
The client machine has a VPN interface and an Internet interface through which the tunnel is established. For every TCP/IP packet, the routing table is searched for the best matching route to the destination. In most practical cases, however, the destination does not match a specific route but the default route. For IPv4, routing table entries are of the form x.x.x.x.
The default route on the client machine over the VPN interface can be configured in one of two ways. The first choice, making the VPN interface the default route, means that all traffic from the client to the server is routed through the VPN interface, with the exception of local subnet traffic. Intranet as well as Internet traffic can be enabled in this scenario through the default gateway setting in the IPv4 or IPv6 properties of the VPN configuration. For example, consider a client machine in the Denver branch with a LAN interface that has Internet connectivity through the IP address 192.168.3.5 and a default IPv4 route to a broadband router with IP address 192.168.3.6. On the same LAN there is a printer with IP address 192.168.3.7. Once the VPN connection is established, the client machine obtains the VPN address 10.1.0.112, and the VPN server's tunnelled address is 10.1.0.0. A single default route is added on the client machine with the highest preference (lowest metric) and 10.1.0.0 as its gateway. Whenever the client machine accesses machines on the LAN side (in the range 192.168.3.0/24), the packets go directly to the LAN without passing through the VPN tunnel. When the client machine needs to access resources beyond the local subnet, whether on the intranet or on the Internet, the packets traverse the VPN tunnel and reach the VPN server. The VPN server routes the packets to the Internet or the intranet according to its destination routes. If an IPv4 address is given to the VPN client, then Network Address Translation should be running on the RRAS server to translate the private IP to a public IP.
This configuration requires the DNS servers to be located on the intranet side so that they can resolve both intranet and Internet queries. The other possible routing configuration is a default route over the Internet interface. This means that intranet traffic traverses the VPN tunnel while everything else goes over the underlying Internet interface. It is attained by disabling the default gateway in the IPv4 or IPv6 properties of the VPN client configuration. This option is not chosen for XYZ for security reasons: implementing it would require Internet connection sharing to be disabled on the VPN client machine to prevent unauthorized users from reaching the corpnet through the VPN client machine's tunnel to the VPN server. As it turns out, Internet sharing is needed on the XYZ machines to improve connectivity and production.
DNS CONFIGURATION
VPN clients access intranet resources using names of the form http://branchname/XYZ.net. Name resolution is achieved through DNS-based resolution over IPv4. DNS-based resolution, as well as Windows-based resolution, requires the server address to be provisioned on the VPN client. DNS server resolution supports both IPv4 and IPv6 networks. The DNS server's IP address reaches the VPN client either through static configuration on the client or through dynamic configuration from the VPN server. Dynamic configuration allows the handshake to be initiated through IKEv2-based VPN Reconnect and is therefore recommended in this case. For an IKEv2-based tunnel, the DNS servers' IPv4 and IPv6 addresses are picked from the VPN server's private interface and passed to the client during the IKEv2 tunnel establishment phase.
For a PPP-based tunnel, the Windows and DNS server IPv4 addresses are picked up from the VPN server's private interface and passed to the VPN client via the PPP IPv4 configuration. The DNS servers' IPv6 addresses are passed via a DHCPv6 Inform transaction after an IPv6 prefix has been assigned to the VPN client through router advertisements. This last step requires a DHCPv6 relay agent and a DHCP stateless server to be running on the network behind the VPN server (Hooper, 2012).
SUBNETTING
A class A, B, or C IP network can be further divided, or subnetted, by the administrator to suit the structure of the company. This is important because it ties the logical addressing scheme to the physical networks in use in the real world. In the current case, the wide area network requires 2144 IP addresses across three separate locations: San Francisco, Denver and Houston. San Francisco requires 1290 addresses, Denver requires 504 and Houston requires 350, spread over the human resources, finance, research and development and customer service departments.
The organization is assigned a class B address block, which uses the default subnet mask 255.255.0.0 and has a first octet in the range 128-191. It follows that the organization can use the addresses 172.16.0.0-172.16.7.255 (172.16.0.0/21). The organization has the option of subnetting its address space into 4094 subnets with 14 hosts per subnet. Two addresses that cannot be used in this case are 172.16.0.0 and 172.16.63.254.
In this scenario, the network should be divided into four subnets by using masks that make the network portion of the address larger and the range of host addresses smaller: some of the bits used for the host address are borrowed for the network portion. The subnet mask 255.255.255.192 gives eight networks of 64 hosts each. Thus, if the 255.255.224.0 subnet mask is used, the 172.16.0.0 network becomes 172.16.0.1, 172.16.32.1, 172.16.64.1, 172.16.96.1, 172.16.128.1, 172.16.160.1, 172.16.192.1 and finally 172.16.224.1. This gives eight networks, each comprising 8192 IP addresses in total, of which 8190 are usable.
This solves the problem of hosts situated in different locations. The eight networks are sufficient to accommodate more traffic and more branches for the organization. Instead of requesting more addresses for each network, dividing the network into subnets enables the organization to use one block of addresses on multiple physical networks.
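As an added example (not part of the original paper), the following Python script uses the standard ipaddress module to check how many subnets and usable hosts a given mask yields, and to carve variable-length blocks for the three sites from the host counts stated above (1290, 504 and 350). The 172.16.0.0/16 pool is an assumed class B assignment, and the largest-first allocation order is ours.

```python
import ipaddress
import math

# Constructed inputs: per-site host counts are those stated in the paper; the
# class B pool 172.16.0.0/16 is an assumption about XYZ's assignment.
POOL = ipaddress.ip_network("172.16.0.0/16")
REQUIREMENTS = {"San Francisco": 1290, "Denver": 504, "Houston": 350}


def subnets_for_mask(pool, prefixlen):
    """How many subnets of the given prefix length fit in `pool`, and how
    many usable hosts each has (network and broadcast addresses excluded)."""
    count = 2 ** (prefixlen - pool.prefixlen)
    usable = 2 ** (32 - prefixlen) - 2
    return count, usable


def prefix_for_hosts(hosts):
    """Longest prefix length whose usable host count still covers `hosts`."""
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits


def allocate(pool, requirements):
    """Variable-length subnetting: serve the largest request first and give
    each site the smallest block that fits, taken from the lowest free block.
    Returns {site: "network/prefix"}; raises if the pool is exhausted."""
    plan = {}
    free = [pool]
    for site, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        need = prefix_for_hosts(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= need:           # block is big enough
                chosen = next(block.subnets(new_prefix=need))
                # keep the unused remainder of the block for later requests
                free[i:i + 1] = list(block.address_exclude(chosen))
                free.sort()
                plan[site] = str(chosen)
                break
        else:
            raise ValueError(f"no free block for {site} ({hosts} hosts)")
    return plan


if __name__ == "__main__":
    print("/19 mask:", subnets_for_mask(POOL, 19))   # (8, 8190)
    for site, net in allocate(POOL, REQUIREMENTS).items():
        n = ipaddress.ip_network(net)
        print(f"{site:14} {net:18} usable hosts: {n.num_addresses - 2}")
```

Running it shows that a /19 mask does give eight networks of 8190 usable hosts, and that the three sites fit in a /21 and two /23 blocks, leaving the rest of the class B space free for growth.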
DEFAULT GATEWAYS
Communication between hosts on different networks is done through a device called a router. A router specified to a host, linking the host's subnet to other networks, is referred to as its default gateway. When a host attempts to communicate with another device using TCP/IP, it compares the destination IP address, under the configured subnet mask, with its own IP address under the same mask. The result of the comparison tells the computer whether it is dealing with a local host or a remote host. If the destination is determined to be local, the computer forwards the packet on the local subnet. If the destination is determined to be remote, the computer forwards the packet to the default gateway defined in its TCP/IP properties. Routers are then responsible for forwarding the packets to the correct subnet.
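As an added example (not code from the paper), this Python script models the two default-route choices from the client-side routing section together with the local-versus-remote decision described above: a longest-prefix lookup with a metric tie-break over the Denver client's routing table (192.168.3.5/24, router 192.168.3.6, tunnel endpoint 10.1.0.0). The metric values, the 172.16.0.0/16 intranet prefix and the test destination 203.0.113.10 are constructed.

```python
import ipaddress

# Constructed routing tables for the Denver client described in the paper:
# LAN address 192.168.3.5/24, broadband router 192.168.3.6, VPN address
# 10.1.0.112 with the server's tunnelled address 10.1.0.0. The metric values
# and the 172.16.0.0/16 intranet prefix are assumptions, not from the paper.
def build_table(default_over_vpn):
    """Entries are (prefix, next hop, interface, metric)."""
    table = [
        ("192.168.3.0/24", "on-link", "LAN", 25),   # local subnet (printer 192.168.3.7)
        ("0.0.0.0/0", "192.168.3.6", "LAN", 35),    # default via the broadband router
    ]
    if default_over_vpn:
        # first choice: a lower-metric default route sends everything except
        # the local subnet through the tunnel
        table.append(("0.0.0.0/0", "10.1.0.0", "VPN", 10))
    else:
        # second choice: only intranet prefixes use the tunnel; the Internet
        # default stays on the underlying interface
        table.append(("172.16.0.0/16", "10.1.0.0", "VPN", 10))
    return table


def lookup(table, destination):
    """Best-matching route: longest prefix wins, ties go to the lowest metric.
    Returns (next hop, interface)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


def is_local(own_ip, mask, destination):
    """The host-side test from the Default Gateways section: AND both
    addresses with the subnet mask and compare the network portions."""
    m = int(ipaddress.ip_address(mask))
    own = int(ipaddress.ip_address(own_ip))
    dst = int(ipaddress.ip_address(destination))
    return (own & m) == (dst & m)


if __name__ == "__main__":
    for dst in ("192.168.3.7", "172.16.0.10", "203.0.113.10"):
        where = "local" if is_local("192.168.3.5", "255.255.255.0", dst) else "remote"
        print(dst, where, "full tunnel:", lookup(build_table(True), dst),
              "split:", lookup(build_table(False), dst))
```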
Updated Network diagram
CONFIGURATIONS
Config files are created under the file name "vpn_xyzserver.config", located in the same directory as the VPN server process's executable files. The config settings are saved whenever the VPN server settings are changed or its internal structure is modified. When booted, the VPN server reads the contents of vpn_server.config and restores the values that were in effect before the previous termination. Thus, the config settings allow the structural settings of the VPN to be restored to their state before shutdown, regardless of when the server was shut down. If the configuration settings are not available on disk when the VPN server is launched, default settings are used (Alex Shneyderman, 2003).
Configuration settings have the advantage of storing all the structural data used by the VPN server and the Virtual Hub. Since these settings are critical to securing the network, they must not be viewable by anyone except the VPN server system administrator located at XYZ headquarters. The encrypted passwords and the certificate private key for the connection settings are kept at headquarters, where they cannot be accessed or edited by other users. On the Windows version, the VPN Server configuration settings are set up automatically upon installation, and read/write access is restricted to system administrators.
File replication with DFS also addresses the lag and bandwidth issues caused by slow VPN and WAN links. Since servers may be kept at strategic locations near the branches, clients at those locations can access files on their local servers at high speed instead of over slow WAN links. Through Remote Differential Compression, more bandwidth is conserved by replicating only data that has been modified since the last replication.
The technique will also keep files consistent across all branches of the organization, since changes made at headquarters are replicated and synchronized to all branches.
CONCLUSION
This paper has presented recommendations that will allow XYZ seamless connectivity across all its branches. Various subnets have been analyzed and their optimality assessed. This makes the connectivity possible and leaves room for future connections. The paper has recommended a VPN connection over the WAN for improved connectivity. Remote access solutions such as VPN provide the convenient connectivity that workers in a corporate network require. The connectivity requirement is for pervasive connections, where the user expects an assured and available connection to corporate resources from anywhere in the globe. The VPN caters for the numerous XYZ offices situated across the globe as well as for telecommuting users who work on different projects and want to report to the company in real time.
Routing is achieved via a default route over the VPN interface, while DFS is implemented on Windows Server 2008 to improve system performance and the backup of critical files. XYZ will set up a backup service designed to provide employees with secure data backup from remote locations. The VPN allows users to log in remotely and continue to serve customers as if they were working at their branch office. The ability to integrate IPSec-capable devices with the existing Internet connection to form extranet connections means that telecommuting users are supported, which makes the VPN a viable solution for XYZ.