Assignment 3

Prof. Reinford
Assignment3DetailTaskCMIT350.docx

Packet Tracer Assignment #3

Devon Smith

CMIT 350 7982 Interconnecting Cisco Devices (2202)

Joseph Vogtembing

May 10, 2020

Simulation Report

After designing a network infrastructure for the sites that meets the requirements, we built a Cisco Packet Tracer simulation of the design.

The Cisco Packet Tracer simulation is based on the following:

The sites are connected to each other over an L2 MPLS VPN from the ISP; each site has a leased-line link to the ISP that carries its traffic to the other sites.

At each of the three sites the point-to-point link to the ISP terminates on a firewall. The firewall secures the internal network: outside-initiated traffic is permitted only where its rules allow it and only into the DMZ zone, which contains the web servers (database and application), while any inside-to-outside connection is allowed. The security configuration that protects the sites from intrusion is shown in the configuration section below.

Each site network is built hierarchically: every floor has an access switch with 50 ports, and the access switches connect to a core switch that aggregates them and connects to the gateway router.

Each building has a data center room containing all servers and the core network devices (the firewall, the gateway router, the core switch and the web server).

The WAN connection and the LAN links between firewall and gateway router and between gateway router and core switch use GigabitEthernet ports at 1 Gbps to avoid congestion in the site core; the links between the access switches and the core switch use FastEthernet at 100 Mbps.

We followed the Cisco campus design standard and layered each site's internal network into:
1- access layer (the access switches)
2- distribution layer (the core switch)
3- core layer (the gateway router)

To avoid congestion and loops, each department has its own IP address range and VLAN ID, so that each department is a separate broadcast domain.

The core switch, as noted, aggregates all access switches and connects to the gateway router, which is the DHCP server for the site. The router's LAN interface is configured as router-on-a-stick (ROAS) with one subinterface per VLAN, so inter-VLAN routing between the departments goes through the router.

The primary web server (database and application) is located at Orlando, while the redundant database is at Toronto.

The primary data center is located at Orlando and the failover data center is at Phoenix; we ensured a stable connection to each of them and to all three sites.

At Phoenix we added a redundant path for failover by installing two gateway routers and configuring HSRP between them, so that one acts as the active router and the other as standby: if the active router fails, service is not interrupted and traffic shifts to the standby router.

We configured EIGRP between the firewalls and the gateway routers so that each gateway router advertises its LAN routes to the firewall.

We also configured EIGRP between the site firewalls so that they share their LAN routes with each other over the ISP's L2 MPLS VPN.

Packet Tracer simulation of the designed network:

We simulated the designed network in the Cisco Packet Tracer tool using the design and configuration below.

Configuration:

Phoenix:

FireWall:

interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.22.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 10.1.1.3 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif inside-2
 security-level 100
 ip address 192.168.34.1 255.255.255.0
 no shutdown
!
! ASA EIGRP takes a subnet mask here, not an IOS wildcard mask
router eigrp 50
 redistribute static
 network 10.1.1.0 255.255.255.0
 network 192.168.22.0 255.255.255.0
 network 192.168.34.0 255.255.255.0
!
! one network object per subnet: an object holds a single subnet/host entry,
! so a second subnet line would only replace the first
object network inside-net
 subnet 192.168.22.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network inside-net-2
 subnet 192.168.34.0 255.255.255.0
 nat (inside-2,outside) dynamic interface
!
! this site has no DMZ and defines no OUTSIDE-DMZ access-list, so no access-group
! is applied on outside; the default security-level policy (100 -> 0 allowed,
! 0 -> 100 denied) is the policy in force

===========================================================================

Primary Router:

interface GigabitEthernet0/0
 ip address 192.168.22.2 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.23.1 255.255.255.0
 standby 1 ip 192.168.23.3
 standby 1 priority 110
 standby 1 preempt
 no shutdown
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 standby 2 ip 192.168.2.3
 standby 2 priority 110
 standby 2 preempt
 no shutdown
!
ip dhcp excluded-address 192.168.23.1 192.168.23.3
ip dhcp excluded-address 192.168.2.1 192.168.2.3
!
! clients must receive the HSRP virtual IP as default gateway; handing out the
! primary router's physical address would leave them without a gateway on failover
ip dhcp pool Production
 network 192.168.23.0 255.255.255.0
 default-router 192.168.23.3
ip dhcp pool Management
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.3
!
router eigrp 50
 network 192.168.22.0
 network 192.168.23.0
 network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.22.1

--------------------------------------------------

Backup Router:

interface GigabitEthernet0/0
 ip address 192.168.34.2 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
! default HSRP priority (100) is lower than the primary's 110, so this router is standby
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.23.2 255.255.255.0
 standby 1 ip 192.168.23.3
 no shutdown
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.2 255.255.255.0
 standby 2 ip 192.168.2.3
 no shutdown
!
ip dhcp excluded-address 192.168.23.1 192.168.23.3
ip dhcp excluded-address 192.168.2.1 192.168.2.3
!
! same pools as the primary; the default gateway is the HSRP virtual IP
ip dhcp pool Production
 network 192.168.23.0 255.255.255.0
 default-router 192.168.23.3
ip dhcp pool Management
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.3
!
router eigrp 50
 network 192.168.34.0
 network 192.168.23.0
 network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.34.1
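A check for the HSRP design above, added here and not part of the report: DHCP clients must be handed the HSRP virtual IP as default gateway, not a router's physical address, or the standby router cannot help them when the active one fails. The script parses a constructed IOS snippet modeled on the Phoenix routers and reports every pool whose default-router differs from the VIP of its subnet.

```python
import ipaddress

# Constructed sample modeled on the Phoenix primary router (not a live device):
# HSRP VIP .3 on each VLAN, but one pool hands out the physical .1 as gateway.
SAMPLE_IOS = """
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.23.1 255.255.255.0
 standby 1 ip 192.168.23.3
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 standby 2 ip 192.168.2.3
ip dhcp pool Production
 network 192.168.23.0 255.255.255.0
 default-router 192.168.23.1
ip dhcp pool Management
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.3
"""

def net(addr, mask):
    # normalise address/mask to its subnet so interface and pool subnets compare equal
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def gateway_mismatches(text):
    """Return (pool, default-router, hsrp_vip) for every DHCP pool whose
    gateway is not the HSRP virtual IP of the matching subnet."""
    vips, pools = {}, {}          # subnet -> VIP ; pool name -> [subnet, gw]
    ctx = cur_net = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            ctx, cur_net = ("if", w[1]), None
        elif w[:3] == ["ip", "dhcp", "pool"]:
            ctx, pools[w[3]] = ("pool", w[3]), [None, None]
        elif ctx and ctx[0] == "if":
            if w[:2] == ["ip", "address"]:
                cur_net = net(w[2], w[3])
            elif w[0] == "standby" and w[2] == "ip" and cur_net:
                vips[cur_net] = w[3]
        elif ctx and ctx[0] == "pool":
            if w[0] == "network":
                pools[ctx[1]][0] = net(w[1], w[2])
            elif w[0] == "default-router":
                pools[ctx[1]][1] = w[1]
    return [(name, gw, vips[sub]) for name, (sub, gw) in pools.items()
            if sub in vips and gw != vips[sub]]
```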

===========================================================================

core switch:

vlan 2
!
! IOS range syntax names the first port and the last port number only
interface range FastEthernet0/1 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

===========================================================================

Data Center Switches:

vlan 2
!
interface FastEthernet0/2
 switchport mode trunk
 no shutdown
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 no shutdown

===========================================================================

Floor Switches:

interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 no shutdown
!
! Fa0/2 is the uplink to the core switch and is re-configured as a trunk after the range
interface FastEthernet0/2
 switchport mode trunk
 no shutdown

_________________________________________________________________________

Orlando Site:

FireWall:

interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
 no shutdown
!
! the DMZ interfaces get a lower security level than inside: inside can reach the
! servers, while the DMZ cannot initiate traffic into the internal network (two
! interfaces at the same level would not even pass traffic to each other by default)
interface GigabitEthernet1/2
 nameif DMZ
 security-level 50
 ip address 192.168.14.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif DMZ-2
 security-level 50
 ip address 192.168.15.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/4
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! ASA EIGRP takes a subnet mask here, not an IOS wildcard mask
router eigrp 50
 redistribute static
 network 10.1.1.0 255.255.255.0
 network 192.168.14.0 255.255.255.0
 network 192.168.15.0 255.255.255.0
 network 192.168.13.0 255.255.255.0
!
object network inside-net
 subnet 192.168.13.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! one object per server: a network object holds a single host entry
object network dmz-server
 host 192.168.14.2
 nat (DMZ,outside) dynamic interface
!
object network dmz-server-2
 host 192.168.15.2
 nat (DMZ-2,outside) dynamic interface
!
access-list OUTSIDE-DMZ extended permit ip any host 192.168.14.2
access-list OUTSIDE-DMZ extended permit ip any host 192.168.15.2
!
access-group OUTSIDE-DMZ in interface outside
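An added audit script, not part of this report, that reads an ASA configuration snippet and flags three patterns worth checking in the firewall configurations of this design: an access-group that names an access-list never defined on that device, a network object given more than one host/subnet line (only the last line is kept), and a DMZ interface at security-level 100, which trusts it as much as inside. The sample it runs on is a constructed composite modeled on the firewall configs above, not a live device.

```python
# Constructed composite sample modeled on this report's firewall configs (not a live device).
SAMPLE_ASA = """
interface GigabitEthernet1/1
 nameif inside
 security-level 100
interface GigabitEthernet1/2
 nameif DMZ
 security-level 100
interface GigabitEthernet1/3
 nameif outside
 security-level 0
object network dmz-server
 host 192.168.14.2
 host 192.168.15.2
access-group OUTSIDE-DMZ in interface outside
"""

def audit_asa(text):
    """Return a list of human-readable findings for an ASA config snippet."""
    findings, acls, groups, objects, names, levels = [], set(), [], {}, {}, {}
    cur_if = cur_obj = None           # interface or object block we are inside
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            cur_if, cur_obj = w[1], None
        elif w[:2] == ["object", "network"]:
            cur_obj, cur_if = w[2], None
            objects.setdefault(cur_obj, [])
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "access-group":
            groups.append(w[1])
        elif cur_if and w[0] == "nameif":
            names[cur_if] = w[1]
        elif cur_if and w[0] == "security-level":
            levels[cur_if] = int(w[1])
        elif cur_obj and w[0] in ("host", "subnet", "range"):
            objects[cur_obj].append(" ".join(w))
    findings += [f"access-group references undefined ACL {g}" for g in groups if g not in acls]
    for obj, members in objects.items():
        if len(members) > 1:
            findings.append(f"object {obj}: {len(members)} address lines, only the last one is kept")
    for ifc, nm in names.items():
        if "dmz" in nm.lower() and levels.get(ifc) == 100:
            findings.append(f"{nm}: security-level 100 trusts the DMZ as much as inside")
    return findings
```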

===========================================================================

Router:

interface GigabitEthernet0/0
 ip address 192.168.13.2 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.11.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
ip dhcp excluded-address 192.168.11.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Production
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
ip dhcp pool Management
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
router eigrp 50
 network 192.168.13.0
 network 192.168.11.0
 network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 192.168.13.1

===========================================================================

core switch:

vlan 2
!
! IOS range syntax names the first port and the last port number only
interface range FastEthernet0/1 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

===========================================================================

Data Center Switches:

vlan 2
!
interface FastEthernet0/2
 switchport mode trunk
 no shutdown
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 no shutdown

===========================================================================

Floor Switches:

interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 no shutdown
!
! Fa0/2 is the uplink to the core switch and is re-configured as a trunk after the range
interface FastEthernet0/2
 switchport mode trunk
 no shutdown

___________________________________________________________________________

Toronto:

FireWall:

interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.45.1 255.255.255.0
 no shutdown
!
! the DMZ interfaces get a lower security level than inside: inside can reach the
! servers, while the DMZ cannot initiate traffic into the internal network
interface GigabitEthernet1/2
 nameif DMZ
 security-level 50
 ip address 192.168.114.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif DMZ-2
 security-level 50
 ip address 192.168.115.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/4
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
!
! ASA EIGRP takes a subnet mask here, not an IOS wildcard mask
router eigrp 50
 redistribute static
 network 10.1.1.0 255.255.255.0
 network 192.168.114.0 255.255.255.0
 network 192.168.115.0 255.255.255.0
 network 192.168.45.0 255.255.255.0
!
object network inside-net
 subnet 192.168.45.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! one object per server: a network object holds a single host entry
object network dmz-server
 host 192.168.114.2
 nat (DMZ,outside) dynamic interface
!
object network dmz-server-2
 host 192.168.115.2
 nat (DMZ-2,outside) dynamic interface
!
access-list OUTSIDE-DMZ extended permit ip any host 192.168.114.2
access-list OUTSIDE-DMZ extended permit ip any host 192.168.115.2
!
access-group OUTSIDE-DMZ in interface outside

===========================================================================

Router:

interface GigabitEthernet0/0
 ip address 192.168.45.2 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.44.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.4.1 255.255.255.0
 no shutdown
!
ip dhcp excluded-address 192.168.44.1
ip dhcp excluded-address 192.168.4.1
!
ip dhcp pool Production
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1
ip dhcp pool Management
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
!
router eigrp 50
 network 192.168.45.0
 network 192.168.44.0
 network 192.168.4.0
!
ip route 0.0.0.0 0.0.0.0 192.168.45.1

===========================================================================

core switch:

vlan 2
!
! IOS range syntax names the first port and the last port number only
interface range FastEthernet0/1 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

===========================================================================

Data Center Switches:

vlan 2
!
interface FastEthernet0/2
 switchport mode trunk
 no shutdown
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 no shutdown

==========================================================================

Floor Switches:

interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 no shutdown
!
! Fa0/2 is the uplink to the core switch and is re-configured as a trunk after the range
interface FastEthernet0/2
 switchport mode trunk
 no shutdown