
MoE Network Documentation
Version 5, 13 February 2012
Hans Hesseling, MoE - VSO
[Figure: "Overall MoE Network Configuration V12, 23 Jan 2012, HH". The drawing itself is not recoverable from this extraction; the labels and notes that survived are collected below.]

Figure labels: 4 Mbps Internet line via the Cisco Soho router (213.55.93.144/28, .145); Eudemon firewall (172.20.0.1) with DMZ on VLAN 80; HuaWei AR29 router towards Woredanet (172.20.0.8/30); ETC 2 Mbps VPN, EPON fiber and a wireless link marked "?" / "Not operational yet"; Cisco core switch (VLAN 500) and HuaWei core switch (VLAN 30); DMZ hosts: Ubuntu web server (Info), external DNS server NS1, Stateduc (STAT), Schoolnet (SCHN), Zimbra mail server; internal DNS1 / AD1 / DHCP1 / WDS, Squid/Guard proxy, development database, i-site and HuaWei server farm; PM Office data centre with portal servers.

Figure note: Policy Based Routing on the Eudemon firewall takes care that, towards 0.0.0.0, 172.20.16.0/20 addresses are routed via the Cisco Soho router and 172.20.0.0/20 addresses via Woredanet. Consult the Daily Routine Checks to see how to change routing at line failure.

Access switches, New Building (floor, room, user subnet, VLAN, switch management address, as drawn; a HuaWei distribution switch with management address 192.168.0.31 is drawn between the two groups):

Floor    Room   Subnet             VLAN      Mgmt address
Ground   NB013  172.20.18.128/25   VLAN 300  172.20.11.5
Ground   NB019  172.20.18.128/25   VLAN 300  172.20.11.6
Ground   NB019  172.20.18.128/25   VLAN 300  172.20.11.7
1st      NB112  172.20.19.0/25     VLAN 310  172.20.11.115
2nd      NB212  172.20.19.128/25   VLAN 320  172.20.11.125
4th      NB417  172.20.20.0/25     VLAN 340  172.20.11.135
Ground   NB019  172.20.2.0/25      VLAN 100  192.168.0.1
1st      NB112  172.20.3.0/25      VLAN 110  192.168.0.11
2nd      NB212  172.20.3.128/25    VLAN 120  192.168.0.21
2nd      NB212  172.20.3.128/25    VLAN 120  192.168.0.22
3rd      NB417  172.20.4.0/25      VLAN 130  (not shown)

Access switches, Old Building:

Floor     Room    Subnet             VLAN      Mgmt address
3rd       OB227   172.20.26.0/25     VLAN 430  192.168.0.135
3rd       OB227   172.20.26.0/25     VLAN 430  192.168.0.136
3rd       OB227   172.20.26.0/25     VLAN 430  192.168.0.137
2nd       OB131   172.20.25.128/25   VLAN 420  192.168.0.126
2nd       OB131   172.20.25.0/25     VLAN 420  192.168.0.125
Ground    OB014   172.20.24.0/25     VLAN 400  192.168.0.105
Basement  OB015   172.20.8.0/25      VLAN 200  172.20.11.100
Ground    OB015   172.20.8.128/25    VLAN 200  172.20.11.101
1st       OB1.31  172.20.9.0/25      VLAN 210  172.20.11.111
1st       OB1.31  172.20.9.0/25      VLAN 210  172.20.11.112
2nd       OB2.27  172.20.9.128/25    VLAN 220  172.20.11.121
3rd       OB3.29  172.20.10.0/25     VLAN 230  172.20.11.131
3rd       OB3.29  172.20.10.0/25     VLAN 230  172.20.11.132
Routine early morning checks to be performed from a PC on the Cisco side of the network
Hans, V4, 23 Jan 2011

Please perform the following steps EVERY DAY upon arrival at the Office.

1. Check availability of i-site and the i-site FTP service. If not available, remedy the problems.
2. Check availability of the external DNS and the Info site. If not OK, remedy the problems.
3. Check reachability of the Soho Internet router (ping 213.55.93.145). Remedy if not OK.
4. Check Internet status:
   a. Your PC: do you have good Internet access?
   b. Your PC: does ping of 4.2.2.2 consistently give 100% response? (ping 4.2.2.2 is routed via the 213.55.93.145 gateway at all times.) If OK, go to step 5.
   c. If ping of 4.2.2.2 is consistently 0%, the MoE Internet line is out of service. First check whether the alternative line, the Woredanet line to the Internet, is active: log on to the server at 172.20.1.132 and check whether ping 8.8.8.8 works. If not, Woredanet is likely to be down. With both lines down, call ETC at 0911504004 to have this remedied.
   d. If the Woredanet line is OK, reroute all Internet traffic to it. Log in to the Eudemon:
      i.   telnet 172.20.0.1
      ii.  username *****, password *****
      iii. give the commands
           1. system-view
           2. firewall zone internal
           3. undo qos apply policy outbound
           4. undo ip route 0.0.0.0 0.0.0.0 213.55.93.145
   e. Verify that Internet access is now OK.
   f. In case of a power cut, recheck the Internet situation from step 4a onward when the power comes back.
   g. Remember to revert the situation to normal as soon as the MoE Internet line is back!
      i.   telnet 172.20.0.1
      ii.  username *****, password *****
      iii. give the commands
           1. system-view
           2. firewall zone internal
           3. qos apply policy mypolicy outbound
           4. ip route 0.0.0.0 0.0.0.0 213.55.93.145
5. Now check the external availability of ns1.moe.gov.et and info.moe.gov.et via Centralops.net. If either of them is not available, it is another sign of the main MoE Internet line not working. Call EthioTelecom at 0911504004 and report a line problem.

6. Check the status of the Data Centre door. If it does not open on code or access card, a power cut has affected it (Huawei should still repair that!). Steps to take then:
   a. Start up the Access Control PC in room 16. Ensure that it connects to the correct network patch cable, marked "Access Control".
   b. Log in to it with the password provided.
   c. Open the Netking folder.
   d. Click the Netking icon. A window pops up that asks for an Operator ID. Type "system" and click OK (no password).
   e. The CSS application server comes up. Do not close that window; minimize it.
   f. In the window now visible, click Wizard > Controller.
   g. Click "Verify all controllers".
   h. When ready, click "Verify current controller". A window pops up with "Verify succeed!".
   i. The door is now controllable by code and access cards again.
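The decision tree in step 4 (main line probe, Woredanet probe, failover, revert) is easy to get wrong under pressure, so here it is encoded as a small script. This is an added example and not part of the original runbook: the addresses, the ETC number and the two Eudemon command sequences are the ones the runbook lists; the function names, the Plan structure and the ping wrapper are this example's own. The wrapper only tells you whether any reply came back; the runbook's "100% vs 0%" judgement still needs the operator's eye.

```python
"""Decision helper for the MoE daily Internet checks (added example, not part
of the original runbook). Steps 4a-4d and 4g are encoded as a pure function
so the logic can be tested without touching the network; a thin ping wrapper
is provided for real use."""
import platform
import subprocess
from dataclasses import dataclass, field
from typing import List

MAIN_LINE_GATEWAY = "213.55.93.145"   # Cisco Soho router, main MoE Internet line
MAIN_LINE_PROBE = "4.2.2.2"           # always routed via the main line per the runbook
WOREDANET_PROBE = "8.8.8.8"           # to be checked from the server at 172.20.1.132
EUDEMON = "172.20.0.1"
ETC_FAULT_LINE = "0911504004"

# Command sequences from the runbook, entered after logging in to the Eudemon.
FAILOVER_TO_WOREDANET = [
    "system-view",
    "firewall zone internal",
    "undo qos apply policy outbound",
    f"undo ip route 0.0.0.0 0.0.0.0 {MAIN_LINE_GATEWAY}",
]
REVERT_TO_MAIN_LINE = [
    "system-view",
    "firewall zone internal",
    "qos apply policy mypolicy outbound",
    f"ip route 0.0.0.0 0.0.0.0 {MAIN_LINE_GATEWAY}",
]


@dataclass
class Plan:
    state: str                       # "ok", "main_down" or "both_down"
    action: str                      # next step in the operator's words
    commands: List[str] = field(default_factory=list)   # Eudemon commands, if any


def plan_internet_action(main_line_ok: bool, woredanet_ok: bool,
                         rerouted: bool = False) -> Plan:
    """Map the two probe results, plus whether traffic is currently rerouted
    via Woredanet, to the runbook's next step."""
    if main_line_ok:
        if rerouted:   # step 4g: the main line is back, revert without delay
            return Plan("ok", "Main line is back: revert routing to normal",
                        REVERT_TO_MAIN_LINE)
        return Plan("ok", "Internet OK, continue with step 5")
    if not woredanet_ok:   # step 4c: both lines down
        return Plan("both_down", f"Both lines down: call ETC at {ETC_FAULT_LINE}")
    if rerouted:
        return Plan("main_down", "Already rerouted via Woredanet; keep checking the main line")
    return Plan("main_down",   # step 4d
                f"Main line down, Woredanet OK: log in to the Eudemon at {EUDEMON} and reroute",
                FAILOVER_TO_WOREDANET)


def ping(host: str, count: int = 4, timeout_s: int = 15) -> bool:
    """True if the system ping reports at least one reply. The runbook asks
    for 100% vs 0%; a partial result means 'look closer', not 'line is down'."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        res = subprocess.run(["ping", flag, str(count), host],
                             capture_output=True, timeout=timeout_s)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return res.returncode == 0


if __name__ == "__main__":
    main_ok = ping(MAIN_LINE_PROBE)
    # The Woredanet probe is only meaningful from 172.20.1.132; running it
    # elsewhere is assumed here for illustration only.
    wore_ok = ping(WOREDANET_PROBE)
    plan = plan_internet_action(main_ok, wore_ok)
    print(plan.state, "-", plan.action)
    for cmd in plan.commands:
        print("    ", cmd)
```

Run it from a PC on the Cisco side of the network; the printed commands are the ones to type on the Eudemon, and the `rerouted=True` path reminds the operator to revert once 4.2.2.2 answers again.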
MoE Public addresses - Version 13 February 2012

213.55.93.144/28

IP     Name   Function                                         Particulars                    Corresponding internal address
.145   -      SOHO router inside address                       -                              N/A
.146   NS1    Primary external DNS server                      -                              172.20.0.66
.147   NS2    Reserved: secondary external DNS server NS2      -                              -
.148   INFO   Web server http://info.moe.gov.et                HP server in DMZ / IIS         172.20.0.68
.149   -      Outside interface of ASA firewall                -                              N/A
.150   MAIL1  Mail 1, mail.moe.gov.et                          Zimbra on MoE-Dell-1           172.20.0.71
.151   MAIL2  Mail 2                                           -                              -
.152   SCHN   Schoolnet http://schoolnet.moe.gov.et            Old Dell server / IIS          172.20.0.70
.153   -      -                                                -                              -
.154   -      Hiding address for all PCs, entire MoE HQ office Dynamic PAT                    172.20.0.0/19
.155   -      -                                                -                              -
.156   -      -                                                -                              -
.157   EMIS1  New EMIS pilot server emis1.moe.gov.et           emis@asmelash on MoE-Dell-1    172.20.0.77
.158   STAT   Stateduc pilot server stateduc.moe.gov.et        HP server in DMZ / Apache      172.20.0.69
Documentation: MoE Wiring Cabinets
V1 30 March, V2 6 July 2011, V3 11 July, V4 12 July, Hans

Columns: # | Room | Flr | Number of access switches (HuaWei / Cisco) | Area served | Nr of unconnected nodes | Nr of positions on access switches (HuaWei / Cisco) | Free connections | Lacking HuaWei 24-port switches still required. The numeric cells after "Area served" are reproduced in the order they appear; where a row has fewer values than columns, the original column boundaries are not recoverable.

Old Building

#  Room  Flr  HuaWei  Cisco  Area served          Values after "Area served"
1  15    B    1       1      Basement             72  0  6  66  1
2  -     0    1       0      Ground / corridor    -
3  1.31  1    2       2      First floor          24  0  7  17
4  2.27  2    1       3      Second floor         36  0  14  22
5  3.29  3    2       0      Third floor          11  0  11

New Building

#  Room      Flr  HuaWei  Cisco  Area served               Values after "Area served"
1  13        0    1       0      Data Centre vicinity      0  0
1  12        0    0       1      Network room vicinity     0  0
2  Training  0    0       1      Ground floor / basement   0  0
3  1.12      1    1       1      First floor               28  0  28
4  2.12      2    2       1      Second floor              22  11  6  5
5  3.29      3    1       ?      Third floor               0  5
6  4.17      4    0       1      Fourth floor              0  0
Documentation for
MOE Network Configuration and Web Site
Maintenance

Commissioned by

USAID-AED/ EQUIP II

Submitted To
Ministry of Education

Prepared By
StarCom Network Solutions plc
Debre Zeit Road
Baleker Tower, 7th Floor
P.O. Box 55751
Addis Ababa, Ethiopia

Tel: +251-11-466 9642


Fax: +251-11-4669643
starcomsolutions@ethionet.et

January 20, 2009


Table of Contents

Executive Summary .......... 4
1 MOE Network Infrastructure Overview .......... 5
1.1 Domain name .......... 5
1.2 Network Cabling .......... 6
1.3 Internet access provider .......... 6
1.4 Web hosting .......... 6
1.5 Internet mail hosting .......... 6
2 Brief Description of the MOE Network .......... 7
2.1 IP addressing and subnets .......... 7
2.2 Key Network Devices .......... 9
2.3 Servers .......... 9
2.4 Perimeter Security .......... 10
2.5 Enterprise Security .......... 10
2.6 The Network Backbone .......... 11
2.7 Client Workstations .......... 11
3 MOE Network Configuration .......... 12
3.1 Core Network Infrastructure Services .......... 12
3.1.1 Considerations .......... 13
3.1.2 Recommendations .......... 13
3.2 Active Directory and DNS .......... 13
3.3 Configuration of Switches .......... 14
3.3.1 Interconnection of Switches .......... 15
3.3.2 VLAN Segmentation .......... 16
3.3.3 MOE VLANs .......... 17
3.3.4 VLAN Membership Assignment .......... 18
3.3.5 Catalyst 3560G Switch Configuration .......... 19
3.4 PIX 515E Configuration .......... 20
3.4.1 Interfaces on the PIX 525 Firewall .......... 20
Interface Assignments .......... 20
4 Detailed Network Cabling Information .......... 21

2
MOE Network Documentation
By StarCom Network Solutions plc
4.1 Old Building Documentation .......... 21
4.1.1 Rack Diagrams .......... 21
4.1.2 Switches and Patch Panels location (Old Building) .......... 23
4.1.3 Interconnections .......... 23
4.1.4 Network Nodes Old Building Basement Floor .......... 24
4.1.5 Network Nodes Old Building First Floor .......... 25
4.1.6 Network Nodes Old Building Second Floor .......... 27
4.2 New Building Documentation .......... 30
4.2.1 Rack Diagrams .......... 30
4.2.2 Switches and Patch Panels location (New Building) .......... 35
4.2.3 Interconnections .......... 35
4.2.4 Network Nodes New Building Ground Floor .......... 36
4.2.5 Network Nodes New Building Ground Floor Training Room .......... 38
4.2.6 Network Nodes New Building First Floor .......... 41
4.2.7 Network Nodes New Building Second Floor .......... 42
4.2.8 Network Nodes New Building Fourth Floor .......... 43
4.3 Switch Port Usage .......... 44
4.3.1 Old Building Port Usage .......... 44
4.3.2 New Building Port Usage .......... 44

Executive Summary

1 MOE Network Infrastructure Overview

MOE has a fully switched network infrastructure that spans the new and old buildings of the ministry.

The network provides the following major services:

- Internet access for all workstations
- Messaging system that can relay and accept email messages from the Internet using the moe.gov.et domain
- Web hosting for the MOE web site http://www.moe.gov.et
- A unified directory service that supports centralized management, single sign-on and information auditing capabilities
- File and print sharing services
- Secure information processing using managed antivirus, intrusion detection, etc.
- Web-based email access for MOE staff
- Messaging and collaboration tools
- Network management system
- Implementation of proper VLAN segmentation
- Clustered switches

1.1 Domain name

The Ministry of Education (MOE) is using the registered public domain name moe.gov.et, obtained from the local Internet service provider, Ethiopian Telecommunication Corporation (ETC).

MOE is using the DNS namespace moe.gov.et for its public DNS and moe.gov.local for its internal namespace.

The public DNS namespace, moe.gov.et, is registered with the ISP and is used to publish resources, such as the ministry's public web site and mail exchange records, on the Internet. The external namespace is hosted on the external DNS servers ns1.moe.gov.et and ns2.moe.gov.et.

The domain name moe.gov.et, registered with ETC, needs to point to the authoritative DNS server of the domain. The authoritative DNS server maintains all the DNS records, such as www.moe.gov.et and mail.moe.gov.et, for the DNS namespace. The DNS records on the authoritative DNS server are currently maintained by the external DNS servers of the Ministry, ns1.moe.gov.et and ns2.moe.gov.et.

The internal namespace moe.gov.local has dedicated internal infrastructure servers that provide DNS service to MOE internal network users. The internal DNS servers are Active Directory integrated and run on the servers MOEADDNS1.moe.gov.local and MOEDC2.moe.gov.local.

1.2 Network Cabling

The network cabling is based on a Cat5e structured cabling system. Cat5e provides up to 1 Gbps network connectivity over a distance of 100 m. All workstations are connected to their respective wiring closets with Cat5e UTP cables.

The Old Building and the New Building are interconnected with Cat5e UTP cables at 1 Gbps.

1.3 Internet access provider

MOE is using 256 kbps ADSL broadband Internet access subscribed from the Ethiopian Telecommunication Corporation.

1.4 Web hosting

MOE has assigned a dedicated web server for hosting the Ministry web site http://www.moe.gov.et. The web server is placed in the network perimeter behind the PIX 525 firewall so that it can be accessed by Internet users without compromising the internal security of the MOE network.

1.5 Internet mail hosting

MOE has Microsoft Exchange 2003 based mail servers for internal as well as Internet mail communication. The mail server enables all MOE staff to have an email address of the form username@moe.gov.et for internal as well as Internet email communication.

2 Brief Description of the MOE Network

2.1 IP addressing and subnets

The private IP address range 172.20.0.0 is used for the overall MOE network.

Public IP addresses are configured for the external interface of the PIX 525 firewall and the Ethernet interface of the ADSL router:

- 213.55.93.144/28: public IP subnet for MOE
- 213.55.93.145: Ethernet interface of the ADSL router for Internet access
- 213.55.93.149: outside (external) interface of the Cisco PIX firewall
- 213.55.93.148: public IP address for the web server (www.moe.gov.et)
- 213.55.93.151: public IP address for the mail server (mail.moe.gov.et)
- 213.55.93.146: public IP address of the MOE primary DNS server ns1.moe.gov.et
- 213.55.93.147: public IP address of the MOE secondary DNS server ns2.moe.gov.et
- 213.55.92.152 to 213.55.93.157: NAT addresses for Internet access

The IP addressing scheme for the MOE network is listed as follows:

No.  Address range      Location               Subnet
1    172.20.0.0/21      MOE                    Network Management VLAN
2    172.20.8.0/21      Old Building           Minister's Office VLAN
3    172.20.16.0/21     Old Building           VLAN for Departments under the Minister's Office
4    172.20.24.0/21     Old Building           Finance VLAN
5    172.20.32.0/21     Old Building           General Education VLAN
6    172.20.40.0/21     Old Building           Higher Education VLAN
7    172.20.48.0/21     Old and New Buildings  TVET VLAN
8    172.20.56.0/21     New Building           Planning Dept VLAN
9    172.20.64.0/21     New Building           MOE Servers VLAN
10   172.20.72.0/21     New Building           Internet Gateway VLAN
11   172.20.80.0/21     New Building           DMZ VLAN
12   192.168.208.0/24   New Building           AED/EQUIP II VLAN
13   213.55.93.144/28   New Building           MOE Registered Public IP Subnet

2.2 Key Network Devices

Backbone switch: a Cisco 3560G Layer 3 Gigabit switch is used as a collapsed backbone. This switch has 24 10/100/1000 ports and 4 SFP-based Gigabit ports that support fiber as well as twisted pair transceivers. In addition, the switch has the following features:

- Basic Layer 3 routing protocols (RIP)
- Configurable up to 11,000 unicast routes
- Configurable up to 1000 IGMP groups and multicast routes
- Advanced QoS
- Port security secures access to an access or trunk port based on MAC address
- Port-based ACLs (PACLs) for Layer 2 interfaces allow application of security policies on individual switch ports
- Cisco security VLAN ACLs (VACLs) on all VLANs prevent unauthorized data flows from being bridged within VLANs

Access switches: MOE is using Cisco Catalyst 2960 access switches that are clustered together under the command of the Cisco 3560G core switch. The Cisco 2960 switches support VLAN configuration and are configured to provide VLAN segmentation based on the departments of the Ministry of Education. Inter-VLAN routing functionality is provided by the Layer 3 Catalyst 3560G switch.

2.3 Servers

MOE's servers are based on Windows 2003 and provide the following primary services:

- Active Directory service, for centralized administration of network users and resources
- File and print sharing
- Email server
- Web server
- Backup server
- Antivirus server
- Internet Security and Acceleration

Server name  Location          Major functions
MOEADDNS1    VLAN 64           Domain controller, internal DNS server
MOEDC2       VLAN 64           Domain controller, internal DNS server
MOEMS1       VLAN 64           MOE mail server
MOEISA       VLAN 64, VLAN 80  Microsoft ISA Server 2004
MOEAV1       VLAN 64           Centralized antivirus and threat protection management server
MOEWS1       VLAN 80           MOE web server
MOENS1       VLAN 80           MOE public DNS server 1
MOENS2       VLAN 80           MOE public DNS server 2
MOENM1       VLAN 1            MOE network management server


2.4 Perimeter Security

Internet security and firewall protection is provided using Microsoft ISA Server 2004 running on MOEISA and a PIX 525 hardware firewall.

The Microsoft ISA Server 2004 is located on the PIX DMZ and protects the internal network from unauthorized access from the Internet. The Microsoft ISA Server provides Internet access to MOE staff based on configurable control parameters such as username, IP address and schedule hours.

The ISA Server 2004 is configured to publish the internal mail server so that MOE users can have Internet mail communication using the domain moe.gov.et.

The PIX firewall is configured to block access to the internal network from the Internet and to publish only the web, DNS and mail services in the DMZ zone. The following key configurations have been made on the PIX firewall:

- The outside interface of the PIX firewall is directly connected to the broadband ADSL router for Internet access.
- The inside interface of the PIX is connected to the DMZ.
- The PIX is configured to allow traffic from the DMZ zone to the Internet.
- All traffic from the Internet to the DMZ is blocked except the following:
  o Web requests to the MOE web server
  o SMTP communication to the external interface of the ISA Server 2004
  o DNS requests from the Internet to the public DNS servers
- NAT is configured to map the private IP address of the web server (172.20.80.148) in the DMZ to the public IP address 213.55.93.148 of the web server.
- NAT is configured to map the private IP addresses of the public name servers (172.20.80.146 and 172.20.80.147) in the DMZ to the public IP addresses 213.55.93.146 and 213.55.93.147 respectively.
- NAT is configured to map the private IP address of the external interface of the ISA computer (172.20.80.149) in the DMZ to the public IP address of the mail exchanger, 213.55.93.151.
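The inbound policy described above is a default-deny rule set layered on static NAT: a packet arriving at a public address is first mapped to its DMZ host and is then passed only if that host publishes the requested service. The model below is an added example, not the PIX configuration itself; the public/private pairs and the three published services are taken from the text, while the packet structure, the function names, the log-line format and the sample traffic are constructed here. It is the kind of table an analyst keeps next to the firewall to sanity-check which inbound connection attempts should ever appear as permitted.

```python
"""Model of the PIX perimeter policy from section 2.4 (added example; not
the firewall's own configuration). Untranslate the destination through the
static NAT table, then apply the published-service allow list; anything else
is denied."""
from dataclasses import dataclass
from typing import Optional

# Static NAT: public address -> private DMZ address (section 2.4).
STATIC_NAT = {
    "213.55.93.148": "172.20.80.148",  # www.moe.gov.et
    "213.55.93.146": "172.20.80.146",  # ns1.moe.gov.et
    "213.55.93.147": "172.20.80.147",  # ns2.moe.gov.et
    "213.55.93.151": "172.20.80.149",  # mail exchanger -> ISA external interface
}

# Services the text publishes from the Internet into the DMZ, as
# (private destination, protocol, port). Everything else is blocked.
ALLOWED_INBOUND = {
    ("172.20.80.148", "tcp", 80),   # web requests to the MOE web server
    ("172.20.80.149", "tcp", 25),   # SMTP to the ISA external interface
    ("172.20.80.146", "udp", 53),   # DNS to the public name servers
    ("172.20.80.146", "tcp", 53),
    ("172.20.80.147", "udp", 53),
    ("172.20.80.147", "tcp", 53),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str        # public address as seen on the PIX outside interface
    proto: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    translated_dst: Optional[str]   # DMZ address after static NAT, if any
    reason: str


def inbound_verdict(pkt: Packet) -> Verdict:
    """Untranslate, then filter. A destination with no static mapping never
    reaches the DMZ; a mapped host only accepts its published services."""
    private = STATIC_NAT.get(pkt.dst)
    if private is None:
        return Verdict(False, None, "no static NAT for destination")
    if (private, pkt.proto.lower(), pkt.dport) in ALLOWED_INBOUND:
        return Verdict(True, private, "published service")
    return Verdict(False, private, "service not published on this host")


def log_line(pkt: Packet, v: Verdict) -> str:
    """One-line record in a grep-friendly format (constructed, not PIX syslog)."""
    action = "PERMIT" if v.allowed else "DENY"
    inside = v.translated_dst or "-"
    return f"{action} {pkt.proto.lower()}/{pkt.dport} {pkt.src} -> {pkt.dst} ({inside}) {v.reason}"


if __name__ == "__main__":
    samples = [   # constructed traffic from a documentation-range source
        Packet("198.51.100.7", "213.55.93.148", "tcp", 80),
        Packet("198.51.100.7", "213.55.93.148", "tcp", 3389),
        Packet("198.51.100.8", "213.55.93.146", "udp", 53),
        Packet("198.51.100.9", "213.55.93.151", "tcp", 25),
        Packet("198.51.100.9", "213.55.93.149", "tcp", 443),
    ]
    for p in samples:
        print(log_line(p, inbound_verdict(p)))
```

The second and last samples are the interesting ones: a remote-desktop attempt at the web server's public address is untranslated to the DMZ host but denied because port 3389 is not published, and anything aimed at the PIX outside interface itself (213.55.93.149) has no static mapping at all. If a real firewall log shows permits outside this table, the running configuration has drifted from this document.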

2.5 Enterprise Security

MOE has implemented centralized virus and threat protection for its internal network resources using Symantec Endpoint Protection. Symantec Endpoint Protection has the following key features:

Antivirus and Antispyware: Antivirus and Antispyware scan for viruses and for other security risks, including spyware, adware and other files that can put a computer or a network at risk.

Personal Firewall: The Symantec Endpoint Protection firewall provides a barrier between the computer and the Internet, preventing unauthorized users from accessing the computers and networks. It detects possible hacker attacks, protects personal information, and eliminates unwanted sources of network traffic.

Intrusion Prevention: The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The intrusion prevention system is a network-based system. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.

Proactive Threat Scanning: Proactive threat scanning uses heuristics to detect unknown threats. Heuristic process scanning analyzes the behavior of an application or process to determine if it exhibits characteristics of threats, such as Trojan horses, worms or keyloggers.

Device and Application Control: Device-level control is implemented using rule sets that block or allow access from devices such as USB, infrared, FireWire, SCSI, serial ports and parallel ports. Application-level control is implemented using rule sets that block or allow applications that try to access system resources.

2.6 The Network Backbone

The network backbone is a twisted pair copper backbone. The Cisco 2960 switches in the wiring closets are connected to the Layer 3 Catalyst 3560G Gigabit switch with Cat5e UTP cable running at gigabit speed.

The links between the Cisco switches are configured as trunks so that they can carry traffic for multiple VLANs.

2.7 Client Workstations

The client workstations are Windows XP based and are connected to the network with 100 Mbps connections. All workstations receive automatic settings from the DHCP servers. The Catalyst 3560G switch is configured as DHCP server to provide automatic IP address settings based on the VLAN membership of the switch port to which the client is connected.





3 MOE Network Configuration

3.1 Core Network Infrastructure Services

The core network services running on the MOE network include:

Domain Name System (DNS): resolves DNS names to IP addresses.

Dynamic Host Configuration Protocol (DHCP): automatically configures network settings on clients and facilitates management of IP addresses and network configuration of clients.

Windows Internet Name Service (WINS): resolves NetBIOS names to IP addresses.

Directory services: authenticate users and computers that try to access resources. The Active Directory service can also be used to centralize and simplify the management of network resources.

The DNS, WINS and directory services are configured on Windows Server 2003 servers, while the DHCP server is configured on the Catalyst 3560G switch.

Benefits of the Recommended Services

StarCom designed and implemented network and directory services on the MOE network so that the following benefits can be obtained:

Reliable infrastructure: The network and directory services are implemented on redundant servers for better reliability.

Centralized resource management: Active Directory is used to provide a centralized database of all users, computers and other objects on the network. It helps organize the resources in an IT environment based on the structure of the organization.

Security: Active Directory is used to provide the security and authentication mechanism, which offers protected and controlled access to resources.

Single Sign-on: Active Directory is used to enable single sign-on, which essentially means that users need to provide their credentials only once. They need not provide credentials each time they try to access a resource on the network, and the same set of credentials is used for accessing all resources.

Well-defined and enforced security policies: Group Policy is used to define and enforce domain-wide security policies in the MOE network. GPOs are used to ensure that security policies that are set in the MOE LAN are enforced on every object in the environment and cannot be overridden by any client or other device.


3.1.1 Considerations

The network and directory services are critical for the proper functioning of the MOE network. Using only a single infrastructure server minimizes costs, but it does not provide failover capabilities. Failure of the infrastructure server can cripple the entire network operation. In addition, if the failure is caused by the server hardware, additional delays are often introduced while waiting for spare parts or replacement hardware.

Deploying a cluster of servers offers redundancy and automatic failover capabilities. However, clustering requires Windows Server 2003, Enterprise Edition on both infrastructure servers, which is more expensive than Windows Server 2003, Standard Edition. In addition, configuring, operating and troubleshooting server clusters is complicated, and is not recommended at this stage. However, this option can be considered in the near future as the MOE network utilization grows.

Deploying two redundant infrastructure servers in a non-clustered configuration is easy to configure. The Windows server-based network services and Active Directory services are designed to run across multiple servers, thus eliminating a single point of failure.

3.1.2 Recommendations

StarCom Network Solutions recommends deploying two redundant servers called the primary infrastructure server (MOEADDNS1) and the secondary infrastructure server (MOEDC2). Under normal conditions, the primary infrastructure server provides most of the network services because the majority of client requests are first directed to this server. In cases where this server fails to give a timely response, most requests are then directed to the secondary infrastructure server. The majority of client requests are directed to the secondary server only when the primary server does not respond in a timely manner. The following table presents the services hosted on the primary and secondary infrastructure servers.

3.2 Active Directory and DNS

Active Directory is the directory service for Windows Server 2003. It stores information about objects on the network and makes it easy for administrators and users to find and use this information. The Active Directory service uses a structured data store as the basis for a logical and hierarchical organization of directory information.

In the MOE network, DNS is installed on both infrastructure servers. All clients are then configured to send all queries to the primary infrastructure server. DNS requests go to the secondary infrastructure server only if the primary server is unavailable or does not respond.

DNS is automatically installed on the primary infrastructure server. The installation of DNS is integrated with the installation of Active Directory on that server. After completing the Active Directory installation wizard on the primary server, both DNS and Active Directory are installed and configured.

The installation of DNS on the second server is done manually after Active Directory is installed. Both DNS servers are set up as Active Directory Integrated DNS servers so that the DNS information is stored in Active Directory.

3.3 Configuration of Switches

This section focuses on the detailed configuration of the following backbone and access switches installed at MOE.

No.  Switch name  Switch type                                                             Location
1    MOECORESW    Catalyst 3560G, 24 10/100/1000BaseTx and 4 SFP slots, Standard Image    Server Room
2    MOESWNBF0    Catalyst 3560, 24 10/100BaseTx ports and 2 SFP slots, Standard Image    Server Room
3    MOESWNBGT    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          MOE Training Room
4    MOESWNBGT1   Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          MOE Training Room
5    MOESWNBF1    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          New Building, First Floor, Room No. 112
6    MOESWNBF2    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          New Building, Second Floor, Room No. 212
7    MOESWNBF4    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          New Building, Fourth Floor, Room No. 417
8    MOESWOBFB    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          Old Building, Basement Floor, Room No. 014
9    MOESWOBF1    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          Old Building, First Floor, Room No. 131
10   MOESWOBF2    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          Old Building, Second Floor, Room No. 227
11   MOESWOBF3    Catalyst 2960, 24 10/100 ports and 2 10/100/1000BaseTx uplinks          Old Building, Second Floor, Room No. 227

3.3.1 Interconnection of Switches

The MOE network is configured with a Catalyst 3560G collapsed backbone, serving as both core and distribution, and Catalyst 2960 access switches. The Catalyst 2960 switches have a gigabit connection to the Catalyst 3560G core switch over UTP Cat5e backbone cables.

The MOE network topology allows for implementation of redundancy in the future, in which a second core switch will be added and connected to the second Gigabit Ethernet ports of the Catalyst 2960 access switches.

3.3.2 VLAN Segmentation

The MOE network has been segmented into different VLANs to restrict network broadcast traffic and enhance the performance and security of the network. The VLAN segmentation has been implemented based on the organizational structure of the ministry. Communication between the different VLANs is accomplished through the Catalyst 3560G switch, which provides Layer 3 routing functionality.

Accordingly, the following organizational structure of the Ministry of Education has been duly considered while segmenting the MOE network into different VLANs.

Minister
- Foreign & Public Relation
- Gender & Equity
- Audit
- Legal
- Procurement & General Service
- UNESCO & UNESCO Library
- Human Resource, Archive

Finance

General Education State Minister
- Teacher Development Program
- English Language
- Civic Education

Higher Education State Minister
- Higher Education Expansion
- Higher Education System

TVET State Minister
- TVET Department 1
- TVET Department 2

Planning
- Training room, Education Information Mgt System (EIM)
- Libraries (New Building First Floor)

3.3.3 MOE VLANs

Item  VLAN      Name                              Description                                                                                                      IP subnet
1     VLAN 1    Network Management                VLAN for managing network devices                                                                                172.20.0.0/21
2     VLAN 8    Minister Office                   Minister, Minister's secretaries and advisers                                                                    172.20.8.0/21
3     VLAN 16   Minister Departments              Foreign & Public Rel., Gender & Equity, Audit, Legal, Procurement & General Service, UNESCO and Human Resource & Archive   172.20.16.0/21
4     VLAN 24   Finance                           Finance                                                                                                          172.20.24.0/21
5     VLAN 32   General Education State Minister  Teacher Development Program, English Language and Civic Education                                                172.20.32.0/21
6     VLAN 40   Higher Education State Minister   Higher Education Expansion, Higher Education System and Higher Education Projects Coordination                   172.20.40.0/21
7     VLAN 48   TVET State Minister               Two TVET departments                                                                                             -
8     VLAN 56   Planning                          Education Information Mgt System (EIM), Libraries, Training Room (NB)                                            172.20.56.0/21
9     VLAN 64   Server Room                       Server Farm VLAN                                                                                                 172.20.64.0/21
10    VLAN 72   Internet Gateway                  VLAN for ISA Server 2004                                                                                         172.20.72.0/21
11    VLAN 80   DMZ                               Demilitarized zone for placing the web server and public DNS servers                                             172.20.80.0/28
12    VLAN 208  USAID AED/EQUIP II Network        USAID AED/EQUIP II Network                                                                                       192.168.208.0/24

3.3.4 VLAN Membership Assignment

The switch ports on the MOE switches are assigned to VLANs based on the network topology and the
clients that connect directly to the switch port, as follows:

No. | VLAN Number | MOESWOBFB (port numbers) | MOESWOBF1 (port numbers) | MOESWOBF2 (port numbers) | MOESWOBF3 (port numbers)
1 | VLAN 8 | | | 13,15,17 | 4,5,6
2 | VLAN 16 | 18,19 | 4,5,7,9,12,13 | 5,7,12 | 17,18,19,20,23
3 | VLAN 24 | 8,21,23,24 | 1,2 | |
4 | VLAN 32 | | | | 2,3,7,8,9,10,11,13,14,15
5 | VLAN 40 | 1,11,12,13,15 | 3,6,8,10,14,15,16,17,18,19,20,23,24 | 23 |
6 | VLAN 48 | | | 19 |
7 | VLAN 56 | | | |

No. | VLAN Number | Core Switch | MOESWNBF0 | MOESWNBFGT | MOESWNBFGT1 | MOESWNBF1 | MOESWNBF2 | MOESWNBF3 | MOESWNBF4
1 | VLAN 8 | | | | | | | |
2 | VLAN 16 | | | | | | | |
3 | VLAN 24 | | | | | | | |
4 | VLAN 32 | | | | | | | |
5 | VLAN 40 | | | | | | | |
6 | VLAN 48 | | | | | 8,11,12,13,15,16,17,23 | 3,5,6,7,8,12,14,15,16,20,23 | |
7 | VLAN 56 | | 11,13 | 1,2,3,4,5,6,7,8,9,10,11,12,13,14,17,19,21,23 | 2,3,4,6,8,17 | 3,4,9,24 | | | 1-10, 12-24
8 | VLAN 64 | 15,16,20,21 | 7,9 | | | | | |

3.3.5 Catalyst 3560G Switch Configuration

The Catalyst 3560G backbone switch serves the following key roles in the MOE network:

- Segmentation of the MOE network into different VLANs
- Inter-VLAN routing for communication among the different VLANs in the MOE network
- Providing gigabit backbone connectivity to the switches that are directly connected to it
- Controlling the level of broadcast on the MOE network
- Serving as DHCP server by assigning automatic IP address settings based on the VLAN membership of the client computers
- Command switch for the MOE cluster


3.4 PIX 515E Configuration

The PIX 525 firewall is configured to provide internet security for the MOE network with the
following features:

- Network Address Translation (NAT) or Port Address Translation (PAT)
- Segment the perimeter network into Inside (private), Outside (public), DMZ, and Management
- Allow outgoing internet access only from the ISA Server computer
- Block inbound traffic from the internet to the internal network
- Allow only web requests from the internet to the MOE web server
- Allow incoming and outgoing SMTP traffic to and from the Exchange server
- Perform stateful inspection and application layer filtering on the internet traffic
- Content filtering (Java/ActiveX)
- URL filtering

3.4.1 Interfaces on the PIX 525 Firewall

Interface Assignments

Interface | Interface Name | IP Address | Connected To | Security Level
Ethernet0 | outside | 213.55.93.149 | ADSL Router (Internet) | 0
Ethernet1 | inside | 172.20.80.100 | VLAN 80 | 100
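The feature list above describes a policy rather than showing the PIX rules themselves. The following is an added example (not part of the StarCom documentation and not the PIX configuration) that models how a PIX applies that policy: an access list bound to the ingress interface is evaluated first-match with an implicit deny at the end, the interface security levels from the table (outside 0, inside 100) decide the default when no access list is bound, and a connection table lets replies to permitted sessions back in (the stateful inspection the list mentions). NAT/PAT, URL and content filtering are not modelled. The host addresses of the ISA Server, the web server and the Exchange server are not given in this section; the values used are placeholders, as are the sample flows.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Interfaces and security levels from table 3.4.1.
SECURITY_LEVEL = {"outside": 0, "inside": 100}
INSIDE_NETS = [ip_network("172.20.0.0/16")]   # MOE private range (section 3.3.3)

# Host addresses are not given in section 3.4; these are placeholders (assumptions).
ISA_SERVER = ip_network("172.20.72.10/32")    # VLAN 72 "Internet Gateway"
WEB_SERVER = ip_network("172.20.80.2/32")     # VLAN 80 DMZ
EXCHANGE = ip_network("172.20.80.3/32")       # location assumed
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    action: str            # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and self.proto in (None, f.proto) and self.dport in (None, f.dport))


# Access lists derived from the feature list in 3.4; each ends in an implicit deny.
ACLS = {
    "inside": [   # outbound: only the ISA Server, plus SMTP from the Exchange server
        Rule(ISA_SERVER, ANY, None, None, "permit"),
        Rule(EXCHANGE, ANY, "tcp", 25, "permit"),
    ],
    "outside": [  # inbound: only HTTP to the web server and SMTP to the Exchange server
        Rule(ANY, WEB_SERVER, "tcp", 80, "permit"),
        Rule(ANY, EXCHANGE, "tcp", 25, "permit"),
    ],
}


def interface_for(addr: str) -> str:
    return "inside" if any(ip_address(addr) in n for n in INSIDE_NETS) else "outside"


class Pix:
    """First-match ACL on the ingress interface, security-level default when no
    ACL is bound, and a connection table for stateful return traffic."""

    def __init__(self):
        self.conns = set()

    def decide(self, f: Flow) -> str:
        if f.reverse() in self.conns:
            return "permit (established)"
        in_if, out_if = interface_for(f.src), interface_for(f.dst)
        if in_if == out_if:
            return "deny (same interface)"
        acl = ACLS.get(in_if)
        if acl is None:
            # No ACL bound: a higher security level may reach a lower one, not the reverse.
            verdict = "permit" if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if] else "deny"
        else:
            verdict = next((r.action for r in acl if r.matches(f)), "deny")
        if verdict == "permit":
            self.conns.add(f)
        return verdict


# Constructed sample flows (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    ("isa_http_out", Flow("172.20.72.10", "198.51.100.7", "tcp", 40000, 80)),
    ("isa_http_reply", Flow("198.51.100.7", "172.20.72.10", "tcp", 80, 40000)),
    ("workstation_http_out", Flow("172.20.16.25", "198.51.100.7", "tcp", 40001, 80)),
    ("exchange_smtp_out", Flow("172.20.80.3", "198.51.100.25", "tcp", 40002, 25)),
    ("internet_to_web_http", Flow("203.0.113.9", "172.20.80.2", "tcp", 51000, 80)),
    ("internet_to_web_ssh", Flow("203.0.113.9", "172.20.80.2", "tcp", 51001, 22)),
    ("internet_to_exchange_smtp", Flow("203.0.113.9", "172.20.80.3", "tcp", 51002, 25)),
    ("internet_to_inside_smb", Flow("203.0.113.9", "172.20.16.25", "tcp", 51003, 445)),
]


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    pix = Pix()
    return {name: pix.decide(f) for name, f in flows}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:28s} {verdict}")
```

The order of the sample flows matters: the reply from the internet host is only permitted because the ISA Server's outbound request was seen first and recorded in the connection table; the same reply offered to a cold firewall falls through to the outside access list and is denied.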

4 Detailed Network Cabling Information

4.1 Old Building Documentation

4.1.1 Rack Diagrams

4.1.2 Switches and Patch Panels Location (Old Building)

Room # | No. of Switches | No. of Patch Panels | No. of Nodes (Connected)
OB014 | 1 | 1 (24 ports each) | 23
OB131 | 1 | 2 (24 ports each) | 39
OB227 | 1 | 3 (24 ports each) | 66
Total Nodes Connected: 128

4.1.3 Interconnections

Initial Point | | | Destination | |
Room # | Patch Panel No. | Port Number | Room # | Patch Panel No. | Port Number
OB014 | 1 | 1,2,3 | NB013 | 1,2,3 | 5,29,53
OB131 | 1 | 1,2,3 | NB013 | 1,2,3 | 6,30,54
OB227 | 1 | 1,2,3 | NB013 | 1,2,3 | 7,31,55



4.1.4 Network Nodes - Old Building Basement Floor

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB013 | NBF0I5 | 1 | 1 | Server Room (NB013) | Room number 13 (NB13) | Interconnection to new building
NB013 | NBF0I29 | 2 | 2 | Server Room (NB013) | |
NB013 | NBF0I53 | 3 | 3 | Server Room (NB013) | |
Not assigned | | 4 | | | | free
OB012 | OBFBN5 | 5 | 1 | Archive | | Normal
OB012 | OBFBN6 | 6 | 1 | Archive | | Normal
OB014 | OBFBN7 | 7 | 1 | Archive | | Normal
OB014 | OBFBN8 | 8 | 1 | Archive | | Normal
OB014 | OBFBN9 | 9 | 1 | Archive | | Normal
OB014 | OBFBN10 | 10 | 1 | Archive | | Normal
OB014 | OBFBN11 | 11 | 1 | Archive | | Normal
OB014 | OBFBN12 | 12 | 1 | Archive | | Normal
OB025 | OBFBN13 | 13 | 1 | Archive | Switch port 19 | Normal
OB025 | OBFBN14 | 14 | 1 | Archive | | Normal
OB016 | OBFBN15 | 15 | 1 | Finance | | Normal
OB016 | OBFBN16 | 16 | 1 | Finance | Switch port 8 | Normal
OB026 | OBFBN17 | 17 | 1 | Human Resource Dev. | | Normal
OB026 | OBFBN18 | 18 | 1 | Human Resource Dev. | Switch port 18 | Normal
OB09A | OBFBN19 | 19 | 1 | Finance | | Normal
OB227 | OBF2I51 | 20 | 1 | | Switch, to port 20 | Normal (interconnected to 227)
OB09A | OBFBN21 | 21 | 1 | Finance | Switch port 21 | Normal
OB227 | OBF2I52 | 22 | 1 | | Switch port 16 | Normal (interconnected to 227)
OB09A | OBFBN23 | 23 | 1 | Finance | Switch port 23 | Normal
OB09B | OBFBN24 | 24 | 1 | Finance | Switch port 24 | Normal

Switch ports 1 (RN124), 11 (RN122), 12 (RN119), 13 (RN125) and 15 (RN123) are directly connected to
the second floor.

4.1.5 Network Nodes - Old Building First Floor

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB013 | NBF0I6 | 1 | 1 | Server Room (NB013) | Gigabit port | Interconnection
NB013 | NBF0I30 | 2 | 2 | Server Room (NB013) | | Interconnection
NB013 | NBF0I54 | 3 | 3 | Server Room (NB013) | | Interconnection
Not assigned | | 4 | | | | Free
OB102 | OBF1N5 | 5 | 1 | Procu. & General Servi. | Switch port 5 | Normal
OB102 | OBF1N6 | 6 | 1 | Procu. & General Servi. | | Normal
OB105 | OBF1N7 | 7 | 1 | UNESCO | Switch port 7 | Normal
OB105 | OBF1N8 | 8 | 1 | UNESCO | | Normal
OB109 | OBF1N9 | 9 | 1 | UNESCO | Switch port 9 | Normal
OB109 | OBF1N10 | 10 | 1 | UNESCO | | Normal
OB115 | OBF1N11 | 11 | 1 | Procu. & General Servi. | | Normal
OB115 | OBF1N12 | 12 | 1 | Procu. & General Servi. | Switch port 12 | Normal
OB118 | OBF1N13 | 13 | 1 | Procu. & General Servi. | | Normal
OB118 | OBF1N14 | 14 | 1 | Procu. & General Servi. | | Normal
OB121 | OBF1N15 | 15 | 1 | Higher Edu. State Minis. | | Normal
OB121 | OBF1N16 | 16 | 1 | Higher Edu. State Minis. | Switch port 16 | Normal
OB128 | OBF1N17 | 17 | 1 | Higher Edu. State Minis. | Switch port 17 | Normal
OB128 | OBF1N18 | 18 | 1 | Higher Edu. State Minis. | Switch port 18 | Normal
OB130 | OBF1N19 | 19 | 1 | Higher Edu. State Minis. | Switch port 19 | Normal
OB130 | OBF1N20 | 20 | 1 | Higher Edu. State Minis. | Switch port 20 | Normal
Not assigned | | 21 | 1 | | | Not found
Not assigned | | 22 | 1 | | | Not found
OB144 | OBF1N23 | 23 | 1 | Higher Edu. Exp. | Switch port 23 | Normal
OB144 | OBF1N24 | 24 | 1 | Higher Edu. Exp. | Switch port 24 | Normal
OB131 | OBF1N25 | 25 | 2 | Finance | Switch port 1 | Normal
OB131 | OBF1N26 | 26 | 2 | Finance | Switch port 2 | Normal
OB148 | OBF1N27 | 27 | 2 | Higher Edu. Sys. | | Normal
OB148 | OBF1N28 | 28 | 2 | Higher Edu. Sys. | | Normal
OB149 | OBF1N149 | 29 | 2 | Higher Edu. Sys. | Switch port 3 | Normal
OB151 | OBF1N151 | 30 | 2 | Higher Edu. Sys. | Switch port 6 | Normal
OB108 | OBF1N32 | 31 | 2 | Procu. & General Servi. | | Normal
Not assigned | | 32 | 2 | | Switch port 12 | Not found
OB111 | OBF1N33 | 33 | 2 | UNESCO | Switch port 4 | Normal
OB143 | OBF1N34 | 34 | 2 | Higher Edu. Expan. | | Fault (1 & 2)

Documentation on UTP outlets (faceplates) connected to the patch panel in Old Building Room
131 (continued).

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
OB143 | OBF1N35 | 35 | 2 | Higher Edu. Expan. | Switch port 8 | Normal
OB143 | OBF1N36 | 36 | 2 | Higher Edu. Expan. | Switch port 19 | Normal
OB143 | OBF1N37 | 37 | 2 | Higher Edu. Expan. | Switch port 14 | Normal
OB143 | OBF1N38 | 38 | 2 | Higher Edu. Expan. | | Normal
OB143 | OBF1N39 | 39 | 2 | Higher Edu. Expan. | Switch port 15 | Normal
OB143 | OBF1N40 | 40 | 2 | Higher Edu. Expan. | Switch port 23 | Normal
Not assigned | | 41 | 2 | | | Free
Not assigned | | 42 | 2 | | | Free
Not assigned | | 43 | 2 | | | Free
Not assigned | | 44 | 2 | | | Free
Not assigned | | 45 | 2 | | | Free
Not assigned | | 46 | 2 | | | Free
Not assigned | | 47 | 2 | | | Free
Not assigned | | 48 | 2 | | | Free

4.1.6 Network Nodes - Old Building Second Floor

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB013 | NBF0I7 | 1 | 1 | Server Room (NB013) | Gigabit, 1st switch | Connected to new building room number 13
NB013 | NBF0I31 | 2 | 2 | Server Room (NB013) | Gigabit, 2nd switch | Connected to new building room number 13
NB013 | NBF0I55 | 3 | 3 | Server Room (NB013) | |
Not assigned | | 4 | | | | Free
OB207 | OBF2N5 | 5 | 1 | Gender & Edu. Equity | 1st switch port 5 | Normal
OB207 | OBF2N6 | 6 | 1 | Gender & Edu. Equity | | Normal
OB208 | OBF2N7 | 7 | 1 | Foreign & Public Relat. | 1st switch port 7 | Normal
OB208 | OBF2N8 | 8 | 1 | Foreign & Public Relat. | | Normal
OB211 | OBF2N9 | 9 | 1 | Gender & Edu. Equity | | Normal
OB211 | OBF2N10 | 10 | 1 | Gender & Edu. Equity | | Normal
OB212 | OBF2N11 | 11 | 1 | Gender & Edu. Equity | | Normal
OB212 | OBF2N12 | 12 | 1 | Gender & Edu. Equity | 1st switch port 12 | Normal
OB217 | OBF2N13 | 13 | 1 | Minister | 1st switch port 13 | Normal
OB217 | OBF2N14 | 14 | 1 | Minister | | Normal
OB222 | OBF2N15 | 15 | 1 | Minister | 1st switch port 15 | Normal
OB222 | OBF2N16 | 16 | 1 | Minister | | Normal
OB224 | OBF2N17 | 17 | 1 | Minister | 1st switch port 17 | Normal
OB224 | OBF2N18 | 18 | 1 | Minister | | Normal
OB226A | OBF2N19 | 19 | 1 | TVET State Minister | 1st switch port 19 | Normal
OB226A | OBF2N20 | 20 | 1 | TVET State Minister | | Normal
OB226B | OBF2N21 | 21 | 1 | TVET State Minister | | Normal
OB226B | OBF2N22 | 22 | 1 | TVET State Minister | | Normal
OB228 | OBF2N23 | 23 | 1 | TVET State Minister | | Normal
OB228 | OBF2N24 | 24 | 1 | TVET State Minister | | Normal
OB232 | OBF2N25 | 25 | 2 | Teacher Devel. Program | | Normal
OB232 | OBF2N26 | 26 | 2 | Teacher Devel. Program | 2nd switch port 2 | Normal
OB235 | OBF2N27 | 27 | 2 | Teacher Devel. Program | 2nd switch port 3 | Normal
OB235 | OBF2N28 | 28 | 2 | Teacher Devel. Program | | Normal
OB242 | OBF2N29 | 29 | 2 | Teacher Devel. Program | | Normal
OB242 | OBF2N30 | 30 | 2 | Teacher Devel. Program | | Normal
OB245 | OBF2N31 | 31 | 2 | General Edu. State Min. | | Normal
OB245 | OBF2N32 | 32 | 2 | General Edu. State Min. | | Normal
OB247 | OBF2N33 | 33 | 2 | Teacher Devel. Program | 2nd switch port 9 | Normal
OB247 | OBF2N34 | 34 | 2 | Teacher Devel. Program | | Normal
OB343 | OBF3N35 | 35 | 2 | Teacher Devel. Program | 2nd switch port 7 | Normal

Documentation on UTP outlets (faceplates) connected to the patch panel in Old Building Room
227 (continued).

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
OB343 | OBF3N36 | 36 | 2 | Teacher Devel. Program | | Normal (3rd floor)
OB345 | OBF3N37 | 37 | 2 | Teacher Devel. Program | 2nd switch port 13 | Normal
OB345 | OBF3N38 | 38 | 2 | Teacher Devel. Program | | Normal (3rd floor)
OB352 | OBF3N39 | 39 | 2 | Teacher Devel. Program | 2nd switch port 15 | Normal
OB352 | OBF3N40 | 40 | 2 | Teacher Devel. Program | | Normal (3rd floor)
OB234 | OBF3N41 | 41 | 2 | Gender & Edu. Equity | 2nd switch port 17 | Normal
OB314 | OBF3N42 | 42 | 2 | Gender & Edu. Equity | 2nd switch port 18 | Normal
OB316 | OBF3N43 | 43 | 2 | Gender & Edu. Equity | 2nd switch port 19 | Normal
OB318 | OBF3N44 | 44 | 2 | Gender & Edu. Equity | 2nd switch port 20 | Normal
Not assigned | | 45 | 2 | | | Free
Not assigned | | 46 | 2 | | | Free

Not assigned | | 47 | 2 | | | Free
Not assigned | | 48 | 2 | | | Free
Not assigned | | 49 | 3 | | | Free
OB213 | OBF2N50 | 50 | 3 | Minister | 2nd switch port 4 | Normal
OB014 | OBFBI3 | 51 | 3 | Patch Panel | | Normal
OB014 | OBFBI4 | 52 | 3 | Patch Panel | | Normal
OB202 | OBF2N53 | 53 | 3 | Gender & Edu. Equity | | Normal
Not assigned | | 54 | 3 | | | Normal
OB220 | OBF2N55 | 55 | 3 | | | Normal
OB221 | OBF2N56 | 56 | 3 | Minister | 2nd switch port 6 | Normal
OB238 | OBF2N57 | 57 | 3 | Teacher Devel. Program | | Normal
OB238 | OBF2N58 | 58 | 3 | Teacher Devel. Program | 2nd switch port 8 | Normal
OB245 | OBF2N59 | 59 | 3 | General Edu. State Min. | | Normal
OB245 | OBF2N60 | 60 | 3 | General Edu. State Min. | 2nd switch port 10 | Normal
OB245 | OBF2N61 | 61 | 3 | General Edu. State Min. | 2nd switch port 14 | Normal
OB245 | OBF2N62 | 62 | 3 | General Edu. State Min. | | Normal
OB302A | OBF2N63 | 63 | 3 | Audit Service | 2nd switch port 11 | Normal
OB302B | OBF3N64 | 64 | 3 | Audit Service | | Normal
OB303 | OBF3N65 | 65 | 3 | Audit Service | | Normal
OB306 | OBF3N66 | 66 | 3 | Legal Service | | Normal
OB307 | OBF3N67 | 67 | 3 | Legal Service | | Normal
OB301 | OBF3N68 | 68 | 3 | Legal Service | | Normal
Not assigned | | 69 | 3 | Not assigned | | Not found
OB329 | OBF3N70 | 70 | 3 | Minister | 2nd switch port 5 | Normal
OB332 | OBF3N71 | 71 | 3 | Minister (HIV) | 2nd switch port 23 | Normal
Not assigned | | 72 | 3 | | | Free

NB: 7 wires go down to the basement (port # 1, 2, 3, 41, 42, 43, 44, 51, and 52).

4.2 New Building Documentation

4.2.1 Rack Diagrams

4.2.2 Switches and Patch Panels Location (New Building)

Room # | No. of Switches | No. of Patch Panels | No. of Nodes (Connected)
NB013 | 2 | 3 (24 ports each) | 52
NB019 | 2 | 4 (24 ports each) | 96
NB112 | 1 | 1 (24 ports each) | 24
NB212 | 1 | 1 (24 ports each) | 24
NB417 | 1 | 1 (24 ports each) | 23

Total Nodes Connected: 219

4.2.3 Interconnections

Initial Point | | | Destination | |
Room # | Patch Panel No. | Port Number | Room # | Patch Panel No. | Port Number
NB019 | 1 | 1,2,3 | NB013 | 1,2,3 | 1,25,49
NB112 | 1 | 1,2,3 | NB013 | 1,2,3 | 2,26,50
NB212 | 1 | 1,2,3 | NB013 | 1,2,3 | 3,27,51
NB317 | 1 | 1,2,3 | NB013 | 1,2,3 | 4,28,52
NB417 | 1 | 1,2,3 | NB013 | 1,2,3 | 5,29,53

4.2.4 Network Nodes - New Building Ground Floor

Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 013.

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB19 | INTNBF019 | 1 | 1 | Training Room | NB019, 6 core swi. | Interconnection
NB112 | INTNBF1 | 2 | 1 | First Floor (NB112) | NB112, 7 core | Interconnection
NB212 | INT.CoNBF2 | 3 | 1 | Second Floor | NB212, 8 core | Interconnection
NB331 | INTERNBF3N1 | 4 | 1 | 3rd Floor | NB312, 9 core | Interconnection
OB014 | INTEROBF0N1 | 5 | 1 | Archive (OB014) | | Interconnection
OB131 | INTEROBF1N1 | 6 | 1 | Finance (OB131) | | Interconnection
OB227 | INTEROBF3N1 | 7 | 1 | OB227 | | Interconnection
NB013 | NBF0N8 | 8 | 1 | Server Room/New | 20 core switch | Normal
NB013 | NBF0N9 | 9 | 1 | Server Room/New | | Normal
NB013 | NBF0N10 | 10 | 1 | Server Room/New | 16 core switch | Normal
NB013 | NBF0N11 | 11 | 1 | Server Room/New | | Normal
NB013 | NBF0N12 | 12 | 1 | Server Room/New | 21 core switch | Normal
NB013 | NBF0N13 | 13 | 1 | Server Room/New | | Normal
NB013B | NBF0N14 | 14 | 1 | Server Room/New | | Normal
NB013B | NBF0N15 | 15 | 1 | Server Room/New | | Normal
NB015 | NBF0N16 | 16 | 1 | MOE ICT Dep. | 11 switch 2960 | Normal
NB015 | NBF0N17 | 17 | 1 | MOE ICT Dep. | 13 switch 2960 | Normal
NB015 | NBF0N18 | 18 | 1 | MOE ICT Dep. | | Normal
NB015 | NBF0N19 | 19 | 1 | MOE ICT Dep. | | Normal
NB015B | NBF0N20 | 20 | 1 | MOE ICT Dep. | | Normal
NB015B | NBF0N21 | 21 | 1 | MOE ICT Dep. | | Normal
NB417 | NBF0N22 | 22 | 1 | Not known | NB417, 10 core switch | Interconnection
NB417 | NBF0N21 | 23 | 1 | Not known | NB417, 21 core switch | Interconnection
Not assigned | | 24 | | | free | Interconnection
NB19 / NB01 | INTNBF019 | 25 | | Training Room | NB019, 5 core switch | Interconnection
NB112 | INTNBF1 | 26 | | NB112 | | Interconnection
NB212 | INT.CoNBF2 | 27 | | NB212 | | Interconnection
NB331 | INTERNBF3N1 | 28 | | Besso Network | NB312, 9 core switch | Interconnection
OB014 | INTEROBF0N1 | 29 | 2 | Patch panel 1 | OB014, 2 core switch | Interconnection
OB131 | INTEROBF1N1 | 30 | 2 | Patch panel 1 | OB131, 3 core switch | Interconnection
OB227 | INTEROBF3N1 |31 | 2 | Patch panel 1 | OB227, 4 core switch | Interconnection
NB13 | INTNBF019 | 32 | 2 | 1 | 5 core switch | Normal
NB13 | INTNBF1 | 33 | 2 | 1 | 15 core switch | Normal
NB13 | INT.CoNBF2 | 34 | 2 | 2 | 9 switch 2960 | Normal


Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 013 (continued).

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB13 | NBF0N35 | 35 | 2 | Server Room | | Normal
NB13 | NBF0N36 | 36 | 2 | Server Room | | Normal
NB13 | NBF0N37 | 37 | 2 | Server Room | | Normal
Not found | NBF0N38 | 38 | 2 | | | Not found
NB13B | NBF0N39 | 39 | 2 | Server Room | | Normal
NB15 | NBF0N40 | 40 | 2 | MOE ICT Dep. | | Normal
NB15 | NBF0N41 | 41 | 2 | MOE ICT Dep. | 7 2960 | Normal
NB15 | NBF0N42 | 42 | 2 | MOE ICT Dep. | | Normal
NB15 | NBF0N43 | 43 | 2 | MOE ICT Dep. | | Normal
NB15 | NBF0N44 | 44 | 2 | MOE ICT Dep. | | Normal
NB15 | NBF0N45 | 45 | 2 | MOE ICT Dep. | | Normal
Not assigned | | 46 | 2 | | | Free
Not assigned | | 47 | 2 | | | Free
Not assigned | | 48 | 2 | | | Free
NB19 | INT | 49 | 3 | Training | NB019 | Interconnection
NB112 | INTNBF1 | 50 | 3 | 1st Floor (NB112) | NB112 | Interconnection
NB212 | INT.Co | 51 | 3 | 2nd Floor (NB212) | NB212 | Interconnection
NB331 | INTER | 52 | 3 | 3rd Floor (NB331) | NB312 | Interconnection
OB014 | INTER | 53 | 3 | Old Building (OB014) | OB014 | Interconnection
OB131 | INTER | 54 | 3 | Old Building (OB131) | OB131 | Interconnection
OB227 | INTER OBF3N1 | 55 | 3 | Old Building (OB227) | OB227 | Interconnection
Not assigned | | 56 | 3 | | | Free
Not assigned | | 57 | 3 | | | Free
Not assigned | | 58 | 3 | | | Free
Not assigned | | 59 | 3 | | | Free
Not assigned | | 60 | 3 | | | Free
Not assigned | | 61 | 3 | | | Free
Not assigned | | 62 | 3 | | | Free
Not assigned | | 63 | 3 | | | Free
Not assigned | | 64 | 3 | | | Free
Not assigned | | 65 | 3 | | | Free
Not assigned | | 66 | 3 | | | Free
Not assigned | | 67 | 3 | | | Free
Not assigned | | 68 | 3 | | | Free
Not assigned | | 69 | 3 | | | Free
Not assigned | | 70 | 3 | | | Free
Not assigned | | 71 | 3 | | | Free
Not assigned | | 72 | 3 | | | Free


4.2.5 Network Nodes - New Building Ground Floor Training Room

Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 19.

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB013 | | 1 | 1 | Server Room | | Interconnection
NB013 | | 2 | 1 | Server Room | Gigabit, 2nd | Interconnection
NB013 | | 3 | 1 | Server Room | Gigabit, 1st | Interconnection
Not assigned | | 4 | 1 | | | Not found
NB7 Hall | NBFGTN5 | 5 | 1 | Conference | | Normal
NB7 Hall | NBFGTN6 | 6 | 1 | Conference | | Normal
NB010 | NBFGTN7 | 7 | 1 | Planning | 1st switch port | Normal
NB010 | NBFGTN8 | 8 | 1 | Planning | | Faulty
Not assigned | | 9 | 1 | Room No. 9 | | Not found
Not assigned | | 10 | 1 | Room No. 9 | | Not found
NB | NBFGTN11 | 11 | 1 | UNESCO | | Normal
NB | NBFGTN12 | 12 | 1 | UNESCO | | Normal
NB011 | NBFGTN13 | 13 | 1 | Planning/ESDP | | Normal
NB011 | NBFGTN14 | 14 | 1 | Planning/ESDP | 2nd switch port | Normal
NB011 | NBFGTN15 | 15 | 1 | Planning/ESDP | | Normal
NB011 | NBFGTN16 | 16 | 1 | Planning/ESDP | | Normal
NB011 | NBFGTN17 | 17 | 1 | Planning/ESDP | | Normal
NB011 | NBFGTN18 | 18 | 1 | Planning/ESDP | 2nd switch port | Normal
NB011 | NBFGTN19 | 19 | 1 | Planning/ESDP | | Normal
NB011 | NBFGTN20 | 20 | 1 | Planning/ESDP | | Normal
NB012 | NBFGTN21 | 21 | 1 | Planning/ESDP | 2nd switch port | Normal
NB012 | NBFGTN22 | 22 | 1 | Planning/ESDP | 2nd switch port | Normal
NB014 | NBFGTN23 | 23 | 1 | Planning/ESDP | 2nd switch port | Normal
NB014 | NBFGTN24 | 24 | 1 | Planning/ESDP | 1st switch port | Normal
NB014 | NBFGTN25 | 25 | 2 | Planning/ESDP | 1st switch port | Normal
NB014 | NBFGTN26 | 26 | 2 | Planning/ESDP | 1st switch port 2 | Normal
NB016 | NBFGTN27 | 27 | 2 | Ground/AED | 2nd switch port | Normal
NB016 | NBFGTN28 | 28 | 2 | Ground/AED | | Normal
NB017 | NBFGTN29 | 29 | 2 | Ground/AED | 2nd switch port | Normal
NB017 | NBFGTN30 | 30 | 2 | Ground/AED | 2nd switch port | Normal
NB017 | NBF4N31 | 31 | 2 | Ground/AED | | Normal
NB017 | NBF4N32 | 32 | 2 | Ground/AED | | Normal
NB017 | NBF4N33 | 33 | 2 | Ground/AED | 2nd switch port | Normal
NBF4N32 | NBF4N34 | 34 | 2 | Ground/AED | | Normal

Room # | Label | Port # | Patch Panel | Department | Remarks
NB18 | NBFGTN35 | 35 | 2 | Ground/AED | telephone
NB18 | NBFGTN36 | 36 | 2 | Ground/AED | Normal, 2nd switch port 16
NB18 | NBFGTN37 | 37 | 2 | Ground/AED | Normal
NB18 | NBFGTN38 | 38 | 2 | Ground/AED | Normal, 2nd switch port 14
NB18 | NBFGTN39 | 39 | 2 | Ground/AED | Normal, 2nd switch port 18
NB18 | NBFGTN40 | 40 | 2 | Ground/AED | Normal, 2nd switch port 20
NB18 | NBFGTN41 | 41 | 2 | Ground/AED | Normal, 2nd switch port 22
NB18 | NBFGTN42 | 42 | 2 | Ground/AED | telephone
NB19 | NBFGTN43 | 43 | 2 | Training Room Ground | Normal, 2nd switch port 17
NB19 | NBFGTN44 | 44 | 2 | Training Room Ground | Normal
NB19 | NBFGTN45 | 45 | 2 | Training Room Ground | Normal
NB19 | NBFGTN46 | 46 | 2 | Training Room Ground | Normal
NB19 | NBFGTN47 | 47 | 2 | Training Room Ground | Normal, 1st switch port 5
NB19 | NBFGTN48 | 48 | 2 | Training Room Ground | Normal, 1st switch port 1
NB19 | NBFGTN49 | 49 | 3 | Training Room Ground | Normal, 1st switch port 7
NB19 | NBFGTN50 | 50 | 3 | Training Room Ground | Normal, 1st switch port 3
NB19 | NBFGTN51 | 51 | 3 | Training Room Ground | Normal, 1st switch port 4
NB19 | NBFGTN52 | 52 | 3 | Training Room Ground | Normal, 1st switch port 6
NB19 | NBFGTN53 | 53 | 3 | Training Room Ground | Normal, 1st switch port 9
NB19 | NBFGTN54 | 54 | 3 | Training Room Ground | Normal, 1st switch port 8
NB19 | NBFGTN55 | 55 | 3 | Training Room Ground | Normal, 1st switch port 11
NB19 | NBFGTN56 | 56 | 3 | Training Room Ground | Normal, 1st switch port 12
NB19 | NBFGTN57 | 57 | 3 | Training Room Ground | Normal, 1st switch port 10
NB19 | NBFGTN58 | 58 | 3 | Training Room Ground | Normal
NB19 | NBFGTN59 | 59 | 3 | Training Room Ground | Normal, 1st switch port 13
NB19 | NBFGTN60 | 60 | 3 | Training Room Ground | Normal, 1st switch port 14
NB19 | NBFGTN61 | 61 | 3 | Training Room Ground | Normal
NB19 | NBFGTN62 | 62 | 3 | Training Room Ground | Normal
NB20 | NBFGTN63 | 63 | 3 | Not known | Normal, 1st switch port 19
NB20 | NBFGTN64 | 64 | 3 | Not known | Normal
NB21 | NBFGTN65 | 65 | 3 | Hardware & Maintenance | Normal
NB21 | NBFGTN63 | 66 | 3 | Hardware & Maintenance | Normal
Not assigned | | 67 | 3 | | Not found / helpdesk
Not assigned | | 68 | 3 | | Not found / helpdesk
NBFB | NBFGT69 | 69 | 3 | Documentation Room |
NBFB | NBFGT70 | 70 | 3 | Documentation Room |
NBFB | NBFGT71 | 71 | 3 | Documentation Room |
NBFB | NBFGT72 | 72 | 3 | Documentation Room |
Telephone lines come from third floor BESO AED department | | 73, 74, 75, 76, 77 | 4 | | Telephone lines come from the third floor AED department.



Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 019 (continued).

Room # | Label | Port # | Patch Panel | Department | Remarks
Telephone lines come from third floor BESO AED department | | 78, 79, 80, 81, 82, 83, 84 | 4 | | Telephone lines come from the third floor BESO AED department. Some of these lines are connected to the BESO AED department in room numbers 16, 17 & 18.
Not assigned | | 85 | 4 | | Not found
Not assigned | | 86 | 4 | | Not found
Not assigned | | 87 | 4 | | Not found
Not assigned | | 88 | 4 | | Not found
NB18 | NBFGTN89 | 89 | 4 | Ground/BESO | telephone
NB18 | NBFGTN90 | 90 | 4 | Ground/BESO | telephone
Not assigned | | 91 | 4 | | Not found
Not assigned | | 92 | 4 | | Not found
NB18 | NBFGTN93 | 93 | 4 | Ground/BESO | Normal
NB18 | NBFGTN94 | 94 | 4 | Ground/BESO | Normal
NB18 | NBFGTN95 | 95 | 4 | Ground/BESO | Normal
NB18 | NBFGTN96 | 96 | 4 | Ground/BESO | Normal, 2nd switch port 24

4.2.6 Network Nodes - New Building First Floor

Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 112.

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
NB112 | NBF1I5 | 1 | 1 | | NB013, Gigabit | Interconnection
NB112 | NBF1I | 2 | 1 | | NB013 | Interconnection
NB116 | NBF1N3 | 3 | 1 | Library 1st | Switch port 3 | Normal
NB116 | NBF1N4 | 4 | 1 | Library 1st | Switch port 4 | Normal
NB114 | NBF1N5 | 5 | 1 | TVET | | Normal
NB114 | NBF1N6 | 6 | 1 | TVET | | Normal
NB114 | NBF1N7 | 7 | 1 | TVET | | Normal
NB114 | NBF1N8 | 8 | 1 | TVET | Switch port 8 | Normal
NB115 | NBF1N9 | 9 | 1 | Library 1st | Switch port 9 | Normal
NB115 | | 10 | 1 | Library 1st | | Normal
NB121 | | 11 | 1 | TVET | Switch port 11 | Normal
NB121 | NBF1N12 | 12 | 1 | TVET | | Normal
NB122 | NBF1N13 | 13 | 1 | TVET | Switch port 13 | Normal
NB122 | NBF1N14 | 14 | 1 | TVET | | Normal
NB126 | NBF1N15 | 15 | 1 | TVET | Switch port 15 | Normal
NB126 | NBF1N16 | 16 | 1 | TVET | Switch port 16 | Normal
NB130 | NBF1N17 | 17 | 1 | TVET | Switch port 17 | Normal
NB130 | NBF1N18 | 18 | 1 | TVET | | Normal
Not assigned | | 19 | 1 | TVET | | Not found/128
Not assigned | | 20 | 1 | TVET | | Not found/128
NB125 | NBF1N21 | 21 | 1 | TVET | Switch port 12 | Normal
NB125 | NBF1N22 | 22 | 1 | TVET | | Normal
Not assigned | | 19 | 1 | TVET | Switch port 23 | Not found/128
NB116 | NBF1N24 | 24 | 1 | Library 1st | Switch port 24 | Normal
NB116 | NBF1N25 | | | Library 1st floor | | Direct connection to switch port

4.2.7 Network Nodes - New Building Second Floor

Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 212.

Room # | Label | Port # | Patch Panel | Department | Remarks
NB13 | NBF2I | 1 | 1 | TVET | Interconnected to NB013, connected to switch port 1
| | 2 | 1 | TVET | Interconnected to NB013, connected to switch port 1
NB213 | NBF2N3 | 3 | 1 | TVET | Normal, connected to switch port 3
NB213 | NBF2N4 | 4 | 1 | TVET | Normal
NB211B | NBF2N5 | 5 | 1 | TVET | Normal, connected to switch port 5
NB211B | NBF2N6 | 6 | 1 | TVET | Normal, connected to switch port 6
NB214 | NBF2N7 | 7 | 1 | TVET | Normal, connected to switch port 7
NB214 | NBF2N8 | 8 | 1 | TVET | Normal, connected to switch port 8
Disconnected | | 9 | 1 | | Disconnected; the nodes in room numbers 215 & 216 are connected to the GTZ network.
Disconnected | | 10 | 1 | | Disconnected; the nodes in room numbers 215 & 216 are connected to the GTZ network.
NB224 | | 11 | 1 | TVET |
NB217 | NBF2N12 | 12 | 1 | TVET | Normal, connected to switch port 12
NB224 | NBF2N13 | 13 | 1 | TVET | Normal
NB217 | NBF2N14 | 14 | 1 | TVET | Normal, connected to switch port 14
NB223 | NBF2N15 | 15 | 1 | TVET | Normal
NB223 | NBF2N16 | 16 | 1 | TVET | Normal, connected to switch port 16
Disconnected | | 17 | 1 | | Disconnected; the nodes in room numbers 215 & 216 are connected to the GTZ network.
Disconnected | | 18 | 1 | | Disconnected; the nodes in room numbers 215 & 216 are connected to the GTZ network.
NB227 | NBF2N19 | 19 | 1 | TVET | Normal
NB227 | NBF2N20 | 20 | 1 | TVET | Normal, connected to switch port 20
NB228 | NBF2N21 | 21 | 1 | TVET | Normal
NB228 | NBF2N22 | 22 | 1 | TVET | Normal
NB211A | NBF2N23 | 23 | 1 | TVET | Normal, connected to switch port 23
NB211A | NBF2N24 | 24 | 1 | TVET | Normal
NB253 | NBF2N25 | 25 | | TVET | Direct connection to switch port 15


4.2.8 Network Nodes - New Building Fourth Floor

Documentation on UTP outlets (faceplates) connected to the patch panel in New Building Room
Number 417.

Room # | Label | Port # | Patch Panel | Department | Connected to | Remarks
415 | NBF4N1 | 1 | 1 | Planning | Switch port 1 | Normal
415 | NBF4N1 | 2 | 1 | Planning | Switch port 2 | Normal
415 | NBF4N1 | 3 | 1 | Planning | Switch port 3 | Normal
| | 4 | 1 | | Switch port 4 | Not found
416 | NBF4N1 | 5 | 1 | Planning | Switch port 5 | Normal
416 | NBF4N1 | 6 | 1 | Planning | Switch port 6 | Normal
416 | NBF4N1 | 7 | 1 | Planning | Switch port 7 | Normal
416 | NBF4N1 | 8 | 1 | Planning | Switch port 8 | Normal
| | 9 | 1 | | Switch port 9 | Not found
| | 10 | 1 | | Switch port 10 | Not found
| | 11 | 1 | | free | free
| | 12 | 1 | | Switch port 12 | Not found
418 | NBF4N13 | 13 | 1 | Planning | Switch port 13 | Normal
418 | NBF4N14 | 14 | 1 | Planning | Switch port 14 | Normal
412 | NBF4N15 | 15 | 1 | Planning | Switch port 15 | Normal
412 | NBF4N16 | 16 | 1 | Planning | Switch port 16 | Normal
412 | NBF4N17 | 17 | 1 | Planning | Switch port 17 | Normal
413 | NBF4N18 | 18 | 1 | Planning | Switch port 18 | Normal
413 | NBF4N19 | 19 | 1 | Planning | Switch port 19 | Normal
413 | NBF4N20 | 20 | 1 | Planning | Switch port 20 | Normal
| | 21 | 1 | | Switch port 21 | Not found
414 | NBF4N22 | 22 | 1 | Planning | Switch port 22 | Normal
| | 23 | 1 | | Switch port 23 | Not found
414 | NBF4N24 | 24 | 1 | Planning | Switch port 24 | Normal

4.3 Switch Port Usage

The following two tables give information about the current usage of access switch ports and
the ports available for future expansion.

4.3.1 Old Building Port Usage

Type | Label | Location | Available Free Ports | No. of Available Ports
Cisco 2960 | MOESWOBFB | OB014 | 2,3,4,5,6,7,9,10,14,16,17,20,22 | 13
Cisco 2960 | MOESWOBF1 | OB131 | 11,21,22 | 21
Cisco 2960 | MOESWOBF2 | OB227 | 1,2,3,4,6,8,9,10,11,14,16,18,20,21,22,24 | 16
Cisco 2960 | MOESWOBF3 | OB227 | 1,12,16,21,22,24 | 6
Total Available Free Ports: 56
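The free-port list above can be derived from the VLAN membership table in 3.3.4, so the two tables can be checked against each other. The following is an added example (not part of the StarCom documentation) that does this for the old-building switches: it transcribes the port-to-VLAN assignments of 3.3.4, rejects a port that appears under two VLANs (an access port carries one VLAN), computes the free ports of each switch, and compares them with the set and count printed in 4.3.1. It assumes 24-port switches, which is what every port list in both tables implies. Run as written, the free-port sets agree for all four switches, but the count column does not: the MOESWOBF1 row lists three free ports (11, 21, 22) yet prints 21, so the derived total (38) differs from the 56 printed in the table.

```python
# Cross-check of table 3.3.4 (VLAN membership) against table 4.3.1 (free ports).
# Added example; the port-to-VLAN data below is transcribed from the two tables.

PORTS_PER_SWITCH = 24  # assumed: every port list in 3.3.4 and 4.3.1 stops at 24

# VLAN membership per old-building access switch, from table 3.3.4.
MEMBERSHIP = {
    "MOESWOBFB": {"VLAN16": {18, 19}, "VLAN24": {8, 21, 23, 24},
                  "VLAN40": {1, 11, 12, 13, 15}},
    "MOESWOBF1": {"VLAN16": {4, 5, 7, 9, 12, 13}, "VLAN24": {1, 2},
                  "VLAN40": {3, 6, 8, 10, 14, 15, 16, 17, 18, 19, 20, 23, 24}},
    "MOESWOBF2": {"VLAN8": {13, 15, 17}, "VLAN16": {5, 7, 12},
                  "VLAN40": {23}, "VLAN48": {19}},
    "MOESWOBF3": {"VLAN8": {4, 5, 6}, "VLAN16": {17, 18, 19, 20, 23},
                  "VLAN32": {2, 3, 7, 8, 9, 10, 11, 13, 14, 15}},
}

# Free-port list and "No. of Available Ports" as printed in table 4.3.1.
DOCUMENTED_FREE = {
    "MOESWOBFB": ({2, 3, 4, 5, 6, 7, 9, 10, 14, 16, 17, 20, 22}, 13),
    "MOESWOBF1": ({11, 21, 22}, 21),
    "MOESWOBF2": ({1, 2, 3, 4, 6, 8, 9, 10, 11, 14, 16, 18, 20, 21, 22, 24}, 16),
    "MOESWOBF3": ({1, 12, 16, 21, 22, 24}, 6),
}


def assigned_ports(vlans):
    """All ports the switch assigns to some VLAN. An access port belongs to exactly
    one VLAN, so the same port under two VLANs is an error in the table."""
    owner = {}
    for vlan, ports in vlans.items():
        for p in ports:
            if p in owner:
                raise ValueError(f"port {p} listed under {owner[p]} and {vlan}")
            owner[p] = vlan
    return set(owner)


def free_ports(vlans, total=PORTS_PER_SWITCH):
    return set(range(1, total + 1)) - assigned_ports(vlans)


def audit(membership=MEMBERSHIP, documented=DOCUMENTED_FREE):
    """Per switch: the free ports derived from 3.3.4, whether they equal the set
    printed in 4.3.1, and whether that printed set agrees with its own count."""
    report = {}
    for sw, vlans in membership.items():
        derived = free_ports(vlans)
        listed, count = documented[sw]
        report[sw] = {
            "derived_free": sorted(derived),
            "set_matches": derived == listed,
            "count_matches": len(listed) == count,
        }
    return report


def total_free(report):
    return sum(len(r["derived_free"]) for r in report.values())


if __name__ == "__main__":
    rep = audit()
    for sw, r in rep.items():
        print(sw, r)
    print("derived total free ports:", total_free(rep))
```

The same transcription works for the new-building table in 3.3.4 and the free-port lists of 4.3.2, with the "Except ..." rows inverted first.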

4.3.2 New Building Port Usage

Type | Label | Location | Available Free Ports | No. of Available Ports
Cisco 3560 | Core Switch | NB013 | Core Switch |
Cisco 2960 | MOESWNBF0 | NB013 | Except 11,13,7,9 | 20
Cisco 2960 | MOESWNBFGT | NB019 | 15,18,20,22,24 | 5
Cisco 2960 | MOESWNBFGT1 | NB019 | Except 2,3,4,6,8,17 | 18
Cisco 2960 | MOESWNBF1 | NB112 | 1,2,5,6,7,14,18,19,20,21,22 | 11
Cisco 2960 | MOESWNBF2 | NB212 | 1,2,4,9,10,11,13,17,18,19,21,22,24 | 13
Cisco 2960 | MOESWNBF3 | USAID | USAID/EQUIP II network |
Cisco 2960 | MOESWNBF4 | NB417 | 11 | 1
Total Available Free Ports: 68

Network Design (MOE)

March 2010

I
DESIGN

TABLE OF CONTENTS
1 DETAIL DESIGN IN MOE ........ 3
1.1 NETWORK STRUCTURE DESIGN ........ 3
1.2 CABLING DESIGN ........ 3
1.3 NETWORK ELEMENT (NE) QUANTITY ........ 3
1.4 TRAFFIC FLOW ........ 4
1.5 NAMING CONVENTION ........ 4
1.6 VLAN PLANNING ........ 5
1.7 IP PLANNING ........ 5
1.8 SECURITY ........ 7
1.9 DHCP DESIGN ........ 8
1.10 QOS DESIGN ........ 8
2 ATTACHMENTS


1 Detail Design in MOE

1.1 Network Structure Design

MOE Head Office

1.2 Cabling Design


The cabling design includes:

- The ichnography (floor plan) of the building
- The positions of access switches
- The positions of nodes
- The cable trunking

For the details, please refer to the attached document Cabling Design Drawing.

1.3 Network element (NE) quantity

NE Type | Quantity
AR29 | 1
EUDEMON 1000E | 1
S5300 | 2
S3300 | 12
Wireless Network Bridge | 1

MOE Head Office NE Quantity

1.4 Traffic Flow

Network Structure Drawing (MOE HQ)

[Diagram; only the labels survive extraction.] Elements: ETC MPLS Cloud; EPON uplink (1*L3 link, fiber); wireless bridge uplink (1*L3 link, wireless); AR29 Router; Eudemon 1000 Firewall; WB servers (1*L3 link, 100Base-T); SoftCo 5816 IPPBX (1*L2 link, 100Base-T); S5300 Core Switch (5*L2 links, 1000Base-T; 7*L3 links, 1000Base-T); S5300 Distribution Switch (trunk link to the core: 2*L2 links, 1000Base-T; 7*L2 links, 1000Base-T to access switches); ViewPoint VC Room (1*L2 link, 100Base-T); twelve S3300 access switches: New Building ground floor, 1st floor, 2nd floor, 2nd floor, 3rd floor; Old Building basement, ground floor, 1st floor, 1st floor, 2nd floor, 3rd floor, 3rd floor.
Traffic Flow
According to the above diagram, all traffic going out to the MPLS network goes through the
EPON uplink as the primary link (blue path). All traffic switches automatically to the
wireless bridge in the case of an EPON link failure (red path).

Traffic switch-over is done dynamically by the routing protocol. Once the routing
protocol detects an EPON link failure, it routes the traffic to the wireless bridge, and it
re-routes back to the EPON link once that link is back to normal.

1.5 Naming Convention


Naming rule: AAA-BBCCC-DDDDD-FFGG

A = Site Name
B = Building
C = Floor
D = Model Number
F = Equipment Type
G = Equipment Count

1.5.1 MOE Head Office

Location | Device Name
MOE Head Office | MOE-NBFGD-AR29-AR01
MOE Head Office | MOE-NBFGD-E1000-FW01
MOE Head Office | MOE-NBFGD-S5300-CS01
MOE Head Office | MOE-OBFB-S5300-DS02
MOE Head Office | MOE-NBFGD-S3300-SW01
MOE Head Office | MOE-NBF01-S3300-SW02
MOE Head Office | MOE-NBF02-S3300-SW01
MOE Head Office | MOE-NBF02-S3300-SW02
MOE Head Office | MOE-NBF03-S3300-SW01
MOE Head Office | MOE-OBFB-S3300-SW01
MOE Head Office | MOE-OBFGD-S3300-SW01
MOE Head Office | MOE-OBF01-S3300-SW01
MOE Head Office | MOE-OBF01-S3300-SW02
MOE Head Office | MOE-OBF02-S3300-SW01
MOE Head Office | MOE-OBF03-S3300-SW01
MOE Head Office | MOE-OBF03-S3300-SW02

MOE Head Office
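A naming rule is only useful if it is enforced; the following is an added example (not part of the design document) that parses names against the AAA-BBCCC-DDDDD-FFGG rule of 1.5 and runs three checks over the table above: every name parses, no name repeats, and the device counters (GG) within each building/floor/type group run from 01 without holes. The field widths are inferred from the names in the table (site 3 letters, building 2 letters, floor 2 or 3 characters, model 2 to 5 characters, type 2 letters, counter 2 digits) and the expansions of the type codes are assumptions. The counter check reports two holes in the table as printed (no SW01 for NBF01 and no DS01 for OBFB); whether those are omissions or a numbering convention the document does not state is not something the page settles.

```python
# Parser and checks for the device naming rule AAA-BBCCC-DDDDD-FFGG (section 1.5).
# Added example; field widths are inferred from table 1.5.1 and are an assumption.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

NAME_RE = re.compile(
    r"^(?P<site>[A-Z]{3})-(?P<building>[A-Z]{2})(?P<floor>[A-Z0-9]{2,3})-"
    r"(?P<model>[A-Z0-9]{2,5})-(?P<etype>[A-Z]{2})(?P<count>\d{2})$")

# Equipment type codes that occur in table 1.5.1; the expansions are assumptions.
EQUIPMENT_TYPES = {"AR": "router", "FW": "firewall", "CS": "core switch",
                   "DS": "distribution switch", "SW": "access switch"}


@dataclass(frozen=True)
class DeviceName:
    site: str
    building: str
    floor: str
    model: str
    etype: str
    count: int


def parse_device_name(name):
    """Split a name into its fields; anything outside the rule is rejected."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"{name!r} does not follow AAA-BBCCC-DDDDD-FFGG")
    if m["etype"] not in EQUIPMENT_TYPES:
        raise ValueError(f"{name!r}: unknown equipment type {m['etype']}")
    return DeviceName(m["site"], m["building"], m["floor"], m["model"],
                      m["etype"], int(m["count"]))


# Device names transcribed from table 1.5.1.
DEVICE_NAMES = [
    "MOE-NBFGD-AR29-AR01", "MOE-NBFGD-E1000-FW01", "MOE-NBFGD-S5300-CS01",
    "MOE-OBFB-S5300-DS02", "MOE-NBFGD-S3300-SW01", "MOE-NBF01-S3300-SW02",
    "MOE-NBF02-S3300-SW01", "MOE-NBF02-S3300-SW02", "MOE-NBF03-S3300-SW01",
    "MOE-OBFB-S3300-SW01", "MOE-OBFGD-S3300-SW01", "MOE-OBF01-S3300-SW01",
    "MOE-OBF01-S3300-SW02", "MOE-OBF02-S3300-SW01", "MOE-OBF03-S3300-SW01",
    "MOE-OBF03-S3300-SW02",
]


def model_counts(names=DEVICE_NAMES):
    """Devices per model, comparable with the NE quantity table in 1.3."""
    return dict(Counter(parse_device_name(n).model for n in names))


def duplicates(names=DEVICE_NAMES):
    """Names that occur more than once (a management system keys on the name)."""
    return sorted(n for n, c in Counter(names).items() if c > 1)


def sequence_gaps(names=DEVICE_NAMES):
    """Within each (building, floor, type) group the GG counters should run
    01..n without holes; returns (building, floor, type, missing counters)."""
    groups = defaultdict(set)
    for d in map(parse_device_name, names):
        groups[(d.building, d.floor, d.etype)].add(d.count)
    gaps = []
    for key, counts in sorted(groups.items()):
        missing = sorted(set(range(1, max(counts) + 1)) - counts)
        if missing:
            gaps.append((*key, missing))
    return gaps


if __name__ == "__main__":
    print(model_counts())
    print("duplicates:", duplicates())
    print("counter gaps:", sequence_gaps())
```

The model counts the parser returns (one AR29, one E1000, two S5300, twelve S3300) agree with the NE quantity table in 1.3, which is the kind of cross-check the parser is for.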

1.6 VLAN Planning

Network Element | VLAN Range
Voice | 10
Video Conference | 20
Servers | 30
Internet | 100 110 120 130 200 210 220 230

For the detailed VLAN planning, please see the IP planning.

1.7 IP Planning

IP Summary (HQ)

Item | IP | Mask | VLAN
MOE Major IP | 172.20.0.0/16 | 255.255.0.0 |
MOE HQ | 172.20.0.0/19 | 255.255.224.0 |
New Building (172.20.0.0/21) | | |
Interface IP | 172.20.0.0/25 | 255.255.255.128 |
VOIP IP | 172.20.0.128/25 | 255.255.255.128 | 10
VC IP | 172.20.1.0/25 | 255.255.255.128 | 20
Server IP | 172.20.1.128/25 | 255.255.255.128 | 30
Basement & Ground | 172.20.2.0/25 | 255.255.255.128 | 100
1st Floor | 172.20.3.0/25 | 255.255.255.128 | 110
2nd Floor | 172.20.3.128/25 | 255.255.255.128 | 120
3rd Floor | 172.20.4.0/25 | 255.255.255.128 | 130
Spare | 172.20.4.128/25 | 255.255.255.128 |
Spare | 172.20.5.0/25 | 255.255.255.128 |
Spare | 172.20.5.128/25 | 255.255.255.128 |
Spare | 172.20.6.0/25 | 255.255.255.128 |
Spare | 172.20.6.128/25 | 255.255.255.128 |
Spare | 172.20.7.0/25 | 255.255.255.128 |
Spare | 172.20.7.128/25 | 255.255.255.128 |
Old Building (172.20.8.0/22) | | |
Basement & Ground | 172.20.8.0/25 | 255.255.255.128 | 200
1st Floor | 172.20.9.0/25 | 255.255.255.128 | 210
2nd Floor | 172.20.9.128/25 | 255.255.255.128 | 220
3rd Floor | 172.20.10.0/25 | 255.255.255.128 | 230
Spare | 172.20.10.128/25 | 255.255.255.128 |
Spare | 172.20.11.0/25 | 255.255.255.128 |
Spare | 172.20.11.128/25 | 255.255.255.128 |

Management IP

Location | IP
New bld Ground Floor | 192.168.0.1
New bld 1st Floor | 192.168.0.11
New bld 2nd Floor | 192.168.0.21
New bld 2nd Floor - Sw2 | 192.168.0.22
New bld 3rd Floor | 192.168.0.31
Old Bld Basement | 192.168.0.100
Old Bld Ground Floor | 192.168.0.101
Old Bld 1st Floor | 192.168.0.111
Old Bld 1st Floor - Sw2 | 192.168.0.112
Old Bld 2nd Floor | 192.168.0.121
Old Bld 3rd Floor | 192.168.0.131
Old Bld 3rd Floor - S2 | 192.168.0.132
Core Switch | 192.168.0.10
Distribution Switch | 192.168.0.20

1.8 Security

In the Ethiopia network, we design several different zones in the firewalls. They are
TRUST and UNTRUST. The firewall's inside is in the TRUST zone; the IP/MPLS backbone
and other outside domains are in the UNTRUST zone. As the network changes, additional
zones can be defined in the future.

Firewall Zone Design

Zone | TRUST | UNTRUST
Preference | 85 | 5

Besides that, the Eudemon 1000E can always be configured to provide defense against
DDoS (Distributed Denial of Service), LAND attacks and so on. As a result, the
Eudemon 1000E can assure the normal operation of the intranets and internal
systems.

Firewall operation mode

The firewall is proposed to be in transparent mode (or bridge mode). In this mode,
interfaces on the Eudemon cannot be configured with IP addresses and they reside in a
layer 2 security zone.

Packet filtering policy

Packet filtering is a network security protection mechanism. It is used to control
the inbound and outbound data between networks of different security levels. A series
of filter rules is needed to filter data packets, which is carried out by applying
filter rules defined by ACLs between the different zones in the firewall. The proposed
packet filtering policy is presented below.

- Allow HTTP traffic: inbound and outbound
- Allow FTP traffic: inbound and outbound
- Allow SMTP/POP/IMAP4 traffic
- Allow SNMP
- Allow other traffic dictated by the M/A/A requirements
- Deny the rest

Attack defense

Normally, network attacks intrude or destroy network servers (hosts) to steal the
sensitive data on servers or interrupt server services. There are also the network
attacks that directly destroy network devices, which can make networks service
abnormal or even out of service. The attack defense of the firewall can detect various
types of network attacks and take the measures to protect internal networks from
malicious attacks. As a result, the firewall can assure the normal operations of the
internal networks and systems. The proposed attack defense is presented below:

- Denial of service attack
- Scanning and snooping attack
- Defective packet attack defense
- DDoS attack defense
- DNS-flood attack defense
- HTTP flood defense
- Connection flood defense
- UDP flood defense
- ICMP flood defense

For a detailed explanation, please refer to the Security Design document.

1.9 DHCP Design


A DHCP server is configured in the S5300 core switch, with a separate DHCP server
instance for each VLAN interface.

1.10 QoS Design


QoS is configured in the AR29 router (PQ) and in the switches (802.1p). Inside the enterprise
network the following QoS activities will be performed:

- Traffic classification will be performed by: S5300
- Traffic marking will be performed by: S5300
- Traffic policing will be performed by: S5300
- Traffic queuing will be performed by: AR29

Firewall Design (MoE)
V3, 30 November 2011


TABLE OF CONTENTS

1 FIREWALL .................................................... 1
1.1 FIREWALL DESIGN ........................................... 1
1.2 FIREWALL ZONES ............................................ 3
1.3 FIREWALL OPERATION MODES .................................. 4
1.4 PACKET FILTERING POLICY ................................... 6
1.5 ATTACK DEFENSE ............................................ 7
1.6 IPS & AV .................................................. 9
2 SWITCH & ROUTER ............................................ 15


1. Firewall Design MoE

2. Firewall Zones
The firewall will be configured with four zones: INTERNAL, DMZ, WOREDANET and UNTRUST. The
firewall inside is INTERNAL, the VPN connection to the NDC is in the WOREDANET zone, the Internet
connection is in the UNTRUST zone, and the servers that must be accessible from WOREDANET, UNTRUST
and INTERNAL alike are located in the DMZ zone.

Firewall Zone Design

ZONE        INTERNAL   WOREDANET   DMZ   UNTRUST
Preference  95         80          50    5


3. Firewall operation Mode

The operation mode of the firewall will be route mode. In this mode, interfaces on the Eudemon will be
configured with IP addresses.

4. Packet Filtering Policy

Packet filter is a network security protection mechanism. It is used to control the inbound and outbound
data between networks in different security levels. A series of filter rules are needed to filter data packets,
which can be carried out by applying filter rules defined by ACL between different zones in the firewall.

The initial operational packet filtering policy is presented below. As much as possible, symbolic names
are used for the Service Sets (i.e., groups of TCP and UDP ports that have to be opened) and for the
Address Sets (the address groups to which the Service Sets must be applied).


Eudemon Zone, Port and IP characteristics

Security Zones and Eudemon Port Assignments:
  INTERNAL:  GigabitEthernet0/0/0
  WOREDANET: GigabitEthernet0/0/1
  UNTRUST:   GigabitEthernet0/0/2
  DMZ:       GigabitEthernet0/0/3

Eudemon Interface IP addresses:
  GE0/0/0: 172.20.0.3    GE0/0/1: ?
  GE0/0/2: ?             GE0/0/3: ?

Service Categories and Service Sets

MoE Users Service Sets (to be applied from INTERNAL to EXTERNAL, DMZ and WOREDANET):
  1. Service Set Browsing: tcp: icmp, http, https, domain; udp: domain
  2. Service Set File: tcp: ftp, ftp-data; udp: tftp
  3. Service Set Mail-Client: tcp: imap4, pop3, 465, 587, 995

MoE DMZ Service Set (from DMZ to EXTERNAL and WOREDANET):
  1. Service Set DMZ-roles: tcp: icmp, http, https, ssh, telnet, domain, smtp; udp: domain

e-Gov Service Sets (to be applied from INTERNAL to WOREDANET, and from WOREDANET to INTERNAL):
  1. Service Set Microsoft:
     tcp: 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 464, 636, 993, 995, 3269, 5722, 49152 to 65535
     udp: 53, 67, 88, 123, 137, 138, 389, 445, 464, 2535, 5722, 49152 to 65535
  2. Service Set Videoconference:
     tcp: 23, 80, 700, 1320 to 1416, 1720, 5000
     udp: 80, 161, 1719, 1729, 4101, 3333 to 3336, 5060, 7684, 7685, 10000 to 11600
  3. Service Set VOIP: tcp 0-65535, udp 0-65535
  4. Service Set NMS: tcp 21 22 23 69 8080 10443 12212 31030 31037 31039 31080; udp 514 162 161

Service Sets for access from less trusted zones:
  1. Service Set Incoming-Web: tcp: icmp, http, https, domain; udp: domain
  2. Service Set Incoming-Mail: tcp: icmp, smtp, domain; udp: domain

Service Set for Administrators:
  1. Service Set Admin: tcp 0-65535, udp 0-65535


ADDRESS SETS

1. Address Set Internal
IP: 172.20.0.0 /19
2. Address Set Woredanet
IP: 172.16.0.0 0.15.255.255
10.0.0.0 0.255.255.255
3. Address Set DMZ
172.20.0.64 255.255.255.192
4. Address Set DMZ-Webservers
INFO: 172.20.0.68 STAT: 170.20.0.69
SCHN: 170.20.0.70 SPARE: 172.20.0.71
(individual Webserver addresses defined as Objects)
5. Address Set DMZ-Mailservers
MAIL1: 172.20.0.71 MAIL2: 172.20.0.72
(Individual Mailserver addresses defined as Objects)
6. Address Set DMZ-Nameservers
NS1: 172.20.0.66 NS2: 172.20.0.67
(Individual Name Server addresses defined as Objects)
7. Address Set MoE-Servers
172.20.1.128 255.255.255.128
8. Address Set Intranet
172.20.1.132
9. Address Set MoE-VOIP
172.20.0.128 255.255.255.128
10. Address Set MoE-VC
172.20.1.0 255.255.255.128
11. Address Set MoE-Administrators
172.20.18.132 172.20.18.170
12. Address Set eGov-admin
-- initially empty
13. Address Set OtherMoE
Mexico: 172.20.32.0/22
Curriculum: 172.20.64.0/22
NAE: 172.20.96.0/22
14. Address Set Other-eGov-servers
the address-pool of all other eGovernment servers
15. Address Set MoE-ADServer
172.20.1.130
16. Address Set EMIS1
172.20.0.77


Firewall Policy: Access Rules

Interzone from INTERNAL to UNTRUST
From Address Set      To Address Set       For Service Set   Action
Internal              Untrust              Browsing          Allow
Internal              Untrust              FTP               Allow
Internal              Untrust              Mail-client       Allow
MoE-Administrators    Untrust              Admin             Allow
Internal              Untrust              Any other         Deny

Interzone from UNTRUST to INTERNAL
From Address Set      To Address Set       For Service Set   Action
Untrust               Internal             Any               Deny

Interzone from INTERNAL to WOREDANET
From Address Set      To Address Set       For Service Set   Action
Internal              Woredanet            Browsing          Allow
Internal              Woredanet            FTP               Allow
Internal              Woredanet            Mail-client       Allow
MoE-Administrators    Woredanet            Admin             Allow
MoE-servers           Other-eGov-servers   Microsoft         Allow
MoE-VOIP              Woredanet            VOIP              Allow
MoE-Vcseg             Woredanet            Videoconference   Allow
Internal              Woredanet            Any other         Deny

Interzone from WOREDANET to INTERNAL
From Address Set      To Address Set       For Service Set   Action
OtherMoE              Intranet             Browsing          Allow
OtherMoE              Intranet             FTP               Allow
Other-eGov-servers    MoE-ADServer         Microsoft         Allow
eGov-administrators   MoE-servers          Admin             Allow
Woredanet             MoE-VOIP             VOIP              Allow
Woredanet             MoE-Vcseg            Videoconference   Allow
Woredanet             Internal             Any other         Deny

Interzone from INTERNAL to DMZ
From Address Set      To Address Set       For Service Set   Action
Internal              DMZ-Webservers       Browsing          Allow
Internal              DMZ-Webservers       FTP               Allow
Internal              DMZ-Mailservers      Mail-client       Allow
MoE-Administrators    DMZ                  Admin             Allow
MoE-servers           DMZ                  Microsoft         Allow
Internal              DMZ                  Any other         Deny

Interzone from DMZ to INTERNAL
From Address Set      To Address Set       For Service Set   Action
DMZ                   Internal             Any other         Deny

Interzone from WOREDANET to DMZ
From Address Set      To Address Set       For Service Set   Action
Woredanet             DMZ-Webservers       Browsing          Allow
Woredanet             DMZ-Webservers       FTP               Allow
OtherMoE              DMZ-Mailservers      Mail-client       Allow
Woredanet             DMZ                  Any other         Deny

Interzone from DMZ to WOREDANET
From Address Set      To Address Set       For Service Set   Action
DMZ                   Woredanet            Any other         Deny

Interzone from UNTRUST to DMZ
From Address Set      To Address Set       For Service Set   Action
UNTRUST               DMZ-Webservers       Incoming-Web      Allow
UNTRUST               DMZ-Mailservers      Incoming-Mail     Allow
UNTRUST               DMZ-Nameservers      DNS               Allow
UNTRUST               DMZ                  Any other         Deny

Interzone from DMZ to UNTRUST
From Address Set      To Address Set       For Service Set   Action
DMZ                   UNTRUST              DMZ-roles         Allow
DMZ                   UNTRUST              Any other         Deny
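The rule tables above are read top-down with a closing "Any other / Deny" row. The following added example (illustration code written for this document, not the Eudemon's own configuration or command syntax) encodes a subset of the address sets, service sets and interzone tables and evaluates sample flows with exactly that first-match, default-deny semantics. The "Untrust" address set is taken to mean any address reached through the UNTRUST zone, and the tables' "FTP" service set is mapped onto the ports of the "File" service set; both are assumptions, and the sample flows use a documentation address.

```python
"""Evaluate flows against the interzone access rules (added example)."""
import ipaddress

# Address sets (subset of the page's list). 'Untrust' is an assumption: the
# tables use it to mean any address reached through the UNTRUST zone.
ADDRESS_SETS = {
    "Internal": ["172.20.0.0/19"],
    "MoE-Administrators": ["172.20.18.132/32", "172.20.18.170/32"],
    "DMZ": ["172.20.0.64/26"],
    "DMZ-Webservers": ["172.20.0.68/32", "172.20.0.69/32", "172.20.0.70/32"],
    "Untrust": ["0.0.0.0/0"],
}

# Service sets as (protocol, inclusive port range). The rule tables say "FTP"
# where the service-set list says "File"; both names mean the same ports here.
SERVICE_SETS = {
    "Browsing": {("tcp", (80, 80)), ("tcp", (443, 443)), ("tcp", (53, 53)), ("udp", (53, 53))},
    "FTP": {("tcp", (21, 21)), ("tcp", (20, 20)), ("udp", (69, 69))},
    "Mail-client": {("tcp", (143, 143)), ("tcp", (110, 110)), ("tcp", (465, 465)),
                    ("tcp", (587, 587)), ("tcp", (995, 995))},
    "Admin": {("tcp", (0, 65535)), ("udp", (0, 65535))},
}

# Interzone rule lists in table order: (from set, to set, service set, action).
# The tables' final "Any other / Deny" row is the fall-through in evaluate().
POLICY = {
    ("INTERNAL", "UNTRUST"): [
        ("Internal", "Untrust", "Browsing", "Allow"),
        ("Internal", "Untrust", "FTP", "Allow"),
        ("Internal", "Untrust", "Mail-client", "Allow"),
        ("MoE-Administrators", "Untrust", "Admin", "Allow"),
    ],
    ("UNTRUST", "INTERNAL"): [],   # only the "Any / Deny" row
    ("INTERNAL", "DMZ"): [
        ("Internal", "DMZ-Webservers", "Browsing", "Allow"),
        ("Internal", "DMZ-Webservers", "FTP", "Allow"),
        ("MoE-Administrators", "DMZ", "Admin", "Allow"),
    ],
    ("DMZ", "INTERNAL"): [],
}


def in_address_set(ip, set_name):
    """True when ip falls inside one of the networks of the named address set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_SETS[set_name])


def in_service_set(proto, port, set_name):
    """True when (proto, port) is covered by one entry of the named service set."""
    return any(p == proto and lo <= port <= hi for p, (lo, hi) in SERVICE_SETS[set_name])


def evaluate(src_zone, dst_zone, src_ip, dst_ip, proto, dst_port):
    """Return "Allow" or "Deny" for one flow; the first matching rule wins."""
    for from_set, to_set, service, action in POLICY.get((src_zone, dst_zone), []):
        if (in_address_set(src_ip, from_set) and in_address_set(dst_ip, to_set)
                and in_service_set(proto, dst_port, service)):
            return action
    return "Deny"   # the "Any other / Deny" row that closes every table


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.10 is a documentation address)
    for flow in [("INTERNAL", "UNTRUST", "172.20.18.5", "203.0.113.10", "tcp", 443),
                 ("INTERNAL", "UNTRUST", "172.20.18.5", "203.0.113.10", "tcp", 22),
                 ("INTERNAL", "UNTRUST", "172.20.18.132", "203.0.113.10", "tcp", 22),
                 ("UNTRUST", "INTERNAL", "203.0.113.10", "172.20.1.130", "tcp", 80),
                 ("INTERNAL", "DMZ", "172.20.18.5", "172.20.0.66", "tcp", 80)]:
        print(flow, "->", evaluate(*flow))
```

Running the sample shows the intended effect of the tables: an ordinary internal host may browse out but not open SSH, an address in MoE-Administrators may open anything, nothing initiated from UNTRUST reaches INTERNAL, and internal hosts reach only the DMZ web servers (not NS1 at 172.20.0.66) with the Browsing set.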


Firewall Policy: NAT

NAT from UNTRUST to DMZ
System Addressed        Public Address           Private Address at DMZ    Type of NAT
MoE Name Server 1       NS1 (213.55.93.146)      NS1-int (172.20.0.66)     Static
MoE Name Server 2       NS2 (213.55.93.147)      NS2-int (172.20.0.67)     Static
info.moe.gov.et         INFO (213.55.93.148)     INFO-int (172.20.0.68)    Static
stateduc.moe.gov.et     STAT (213.55.93.158)     STAT-int (172.20.0.69)    Static
schoolnet.moe.gov.et    SCHN (213.55.93.152)     SCHN-int (172.20.0.70)    Static
                        SPARE (213.55.93.152)    SPARE-int (172.20.0.71)   Static
mail.moe.gov.et         MAIL1 (213.55.93.150)    MAIL1-int (172.20.0.72)   Static
                        MAIL2 (213.55.93.151)    MAIL2-int (172.20.0.73)   Static

NAT from INTERNAL to DMZ
System Addressed        Public Address           Private Address at DMZ    Type of NAT
info.moe.gov.et         INFO (213.55.93.148)     INFO-int (172.20.0.68)    Static
stateduc.moe.gov.et     STAT (213.55.93.158)     STAT-int (172.20.0.69)    Static
schoolnet.moe.gov.et    SCHN (213.55.93.152)     SCHN-int (172.20.0.70)    Static
                        SPARE (213.55.93.152)    SPARE-int (172.20.0.71)   Static
mail.moe.gov.et         MAIL1 (213.55.93.150)    MAIL1-int (172.20.0.72)   Static
                        MAIL2 (213.55.93.151)    MAIL2-int (172.20.0.73)   Static

NAT from WOREDANET to INTERNAL
System Addressed        Address in WOREDANET     Private Address in INTERNAL   Type of NAT

NAT from INTERNAL to UNTRUST
System Addressed        Public Address           Private Address in INTERNAL   Type of NAT
Hiding Address          213.55.93.154            172.20.0.0/19                 Dynamic PAT


Firewall Policy: Routing

As there are two routes to the Internet, routing is defined as follows:

Default Routing
By default, source-address-based policy routing is applied:
From 172.20.0.0/20 to 0.0.0.0: use the default route via the eGovernment network (WOREDANET).
From 172.20.16.0/20 to 0.0.0.0: use the default route via the MoE leased line (UNTRUST); all internal
source addresses are PATed behind the Hiding Address.

Calamity Routing
If the circuit to UNTRUST goes down, all routing is via WOREDANET.
If the circuit to WOREDANET goes down, all routing is via UNTRUST (all internal source addresses are
PATed behind the Hiding Address).
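To make the default and calamity rules above concrete, here is an added example (illustration code for this document, not the Eudemon's routing configuration) that picks the exit zone for a packet from its source prefix and the state of the two circuits, and reports the source address the next hop will see once the PAT behind the Hiding Address is applied. The prefixes and the hiding address come from the routing and NAT sections; the link-state inputs and sample sources are constructed, and sources outside both /20 ranges are assumed not to be routed at all.

```python
"""Source-address policy routing with calamity fallback (added example)."""
import ipaddress

HIDING_ADDRESS = "213.55.93.154"   # Dynamic PAT address from the NAT table

# (source prefix, preferred exit zone) as given in the Default Routing rules
DEFAULT_ROUTES = [
    (ipaddress.ip_network("172.20.0.0/20"), "WOREDANET"),
    (ipaddress.ip_network("172.20.16.0/20"), "UNTRUST"),
]

OTHER_ZONE = {"WOREDANET": "UNTRUST", "UNTRUST": "WOREDANET"}


def select_exit(src_ip, link_up):
    """Return (exit zone, source address seen by the next hop).

    link_up maps each zone name to True (circuit up) or False (circuit down).
    Traffic leaving via UNTRUST is PATed behind the Hiding Address; traffic
    leaving via WOREDANET keeps its private source address. (None, None) means
    the packet cannot be forwarded: both circuits are down, or the source is
    outside the two internal /20 ranges (assumption: such sources are not routed).
    """
    addr = ipaddress.ip_address(src_ip)
    preferred = next((zone for net, zone in DEFAULT_ROUTES if addr in net), None)
    if preferred is None:
        return (None, None)
    if link_up.get(preferred, False):
        exit_zone = preferred
    else:
        # Calamity routing: the other circuit carries everything
        fallback = OTHER_ZONE[preferred]
        if not link_up.get(fallback, False):
            return (None, None)
        exit_zone = fallback
    visible_src = HIDING_ADDRESS if exit_zone == "UNTRUST" else src_ip
    return (exit_zone, visible_src)


if __name__ == "__main__":
    # Constructed link states and sample sources
    for state in ({"WOREDANET": True, "UNTRUST": True},
                  {"WOREDANET": False, "UNTRUST": True},
                  {"WOREDANET": True, "UNTRUST": False}):
        for src in ("172.20.3.10", "172.20.18.10"):
            print(state, src, "->", select_exit(src, state))
```

The check a practitioner wants from this is the calamity case: when the WOREDANET circuit fails, hosts in 172.20.0.0/20 suddenly appear on the Internet from 213.55.93.154 instead of from the eGovernment network, which matters for any address-based allow list maintained on the far side.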


5. Attack defense

Normally, network attacks intrude or destroy network servers (hosts) to steal the
sensitive data on servers or interrupt server services. There are also the network
attacks that directly destroy network devices, which can make networks service
abnormal or even out of service. The attack defense of the firewall can detect various
types of network attacks and take the measures to protect internal networks from
malicious attacks. As a result, the firewall can assure the normal operations of the
internal networks and systems. The proposed attack defense is presented below:

- Denial of service attack
- Port scanning and snooping attack
- Defective packet attack defense
- DDoS attack defense
- SYN flood attack defense
- DNS-flood attack defense
- HTTP flood defense
- Connection flood defense
- UDP flood defense
- ICMP flood defense
- Malformed packet attack

In addition, to assure the normal operation of the intranets and internal systems, the
Eudemon 1000E will be configured to provide Special Packet Control for large-icmp,
icmp-redirect, icmp-unreachable, route-record and tracert packets.


6. IPS & AV(Intrusion Prevention & AntiVirus)


IPS

IPS signatures describe the characteristics of the attack behaviours seen on
networks. The Eudemon 1000E compares the contents of packets with the IPS signatures to
detect and defend against attacks. Once an attack is identified, the response modes
alert and block are available.

Unless there are special requirements, the IPS policy will use the default template.

Anti Virus

The Eudemon 1000E provides an extensive virus database. By comparing scanned files
with the features in the virus database, the Eudemon 1000E identifies whether the files
contain viruses. The Eudemon 1000E then processes the infected files
according to the processing modes configured in the AV policies.

AV processing can be applied to files transmitted through protocols such as
SMTP, HTTP and POP3. Applying it to the SMTP and POP3 protocols takes too much
resource and affects system performance, so it is applied to the HTTP protocol only.

The IPS and Anti Virus databases are scheduled to be updated online daily at midnight.

2. SWITCH & ROUTER


2.1 DHCP Snooping (to be configured on the switches)

- Prevent the bogus DHCP server attack by configuring each interface as trusted or untrusted.
- Prevent the DHCP exhaustion attack by configuring a MAC address limit on the interface.
- Prevent the attack of sending bogus messages to extend IP address leases by checking whether
  DHCP request messages have matching entries in the DHCP snooping binding table.
- Prevent users from using a static IP address unless it is included in the static binding table.
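The four DHCP snooping controls listed in 2.1 interact through one binding table, which is easiest to see in a small simulation. The following is an added example written for this document, not the switch's implementation or configuration: it models trusted and untrusted ports, a per-port MAC limit, the binding-table check on lease-affecting messages, a static binding table for hosts that are allowed a fixed address, and the IP source guard check that the last bullet implies. The port names, the MAC limit, the addresses and the messages are all constructed.

```python
"""DHCP snooping checks from section 2.1, as an added simulation."""

TRUSTED_PORTS = {"GE0/0/24"}   # assumption: the uplink towards the S5300 DHCP server
MAC_LIMIT_PER_PORT = 2         # per-interface MAC address limit (constructed value)


class DhcpSnooping:
    def __init__(self):
        self.bindings = {}   # dynamic binding table: client MAC -> (ip, access port)
        self.static = {}     # static binding table: MAC -> (ip, access port)
        self.learned = {}    # access port -> set of client MACs seen on it

    def add_static(self, mac, ip, port):
        """Register a host that is allowed to use a fixed address on a port."""
        self.static[mac] = (ip, port)

    def check(self, msg):
        """Return (verdict, reason) for one DHCP message.

        msg keys: kind (DISCOVER/OFFER/REQUEST/ACK/RELEASE/DECLINE), port (ingress
        port), mac (client MAC), ip (the client's current address, if the message
        carries one) and, for ACK, client_port (the access port the lease belongs to).
        """
        kind, port, mac, ip = msg["kind"], msg["port"], msg["mac"], msg.get("ip")
        # 1. Server messages are accepted from trusted interfaces only
        if kind in ("OFFER", "ACK") and port not in TRUSTED_PORTS:
            return ("drop", "DHCP server message on untrusted port")
        # 2. Exhaustion defence: cap the distinct client MACs per untrusted port
        if port not in TRUSTED_PORTS:
            seen = self.learned.setdefault(port, set())
            if mac not in seen and len(seen) >= MAC_LIMIT_PER_PORT:
                return ("drop", "MAC address limit reached on port")
        # 3. Lease-affecting messages must match a binding for this MAC and port
        if kind in ("REQUEST", "RELEASE", "DECLINE") and ip is not None:
            bound = self.bindings.get(mac) or self.static.get(mac)
            if bound != (ip, port):
                return ("drop", "no matching DHCP snooping binding entry")
        # 4. Forward: remember the client MAC, and record bindings from ACKs
        if port not in TRUSTED_PORTS:
            self.learned[port].add(mac)
        if kind == "ACK":
            self.bindings[mac] = (ip, msg["client_port"])
        return ("forward", "ok")

    def ip_source_guard(self, mac, ip, port):
        """Plain IP traffic is valid only when it matches a dynamic or static binding."""
        bound = self.bindings.get(mac) or self.static.get(mac)
        return bound == (ip, port)


if __name__ == "__main__":
    s = DhcpSnooping()
    # Constructed exchange: a client leases 172.20.3.10 on GE0/0/1, then a host
    # on another port tries to release that lease.
    print(s.check({"kind": "DISCOVER", "port": "GE0/0/1", "mac": "00:11:22:33:44:aa"}))
    print(s.check({"kind": "OFFER", "port": "GE0/0/2", "mac": "00:11:22:33:44:bb"}))
    print(s.check({"kind": "ACK", "port": "GE0/0/24", "mac": "00:11:22:33:44:aa",
                   "ip": "172.20.3.10", "client_port": "GE0/0/1"}))
    print(s.check({"kind": "RELEASE", "port": "GE0/0/5", "mac": "00:11:22:33:44:aa",
                   "ip": "172.20.3.10"}))
    print(s.ip_source_guard("00:11:22:33:44:cc", "172.20.3.99", "GE0/0/1"))
```

Note the order of the checks: a message is only recorded in the learned-MAC set after it has passed the binding check, so a forged RELEASE from the wrong port is dropped without consuming one of the port's MAC slots.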

2.2 ACL (to be configured on switches and routers)

Filter the users allowed to access the switch through telnet.

2.3 AAA / Local Authentication (to be configured on switches and routers)

Create a local user name and password to authenticate users who try to access the devices through
telnet, web and terminal.

2.4 SECURITY PROTECTION ON INTERFACE (to be configured on the switches)

ICMP rate limit and MAC table limit. A packet is invalid unless its source is a static MAC address that
was manually configured, or a secure-dynamic address learnt before the number of addresses reached
the upper limit.

Content Management of i-site, info.moe.gov.et and textbook.moe.gov.et
Hans, 21 July; adapted, 6 December 2011; re-adapted 13 February 2012.

Contents
1 Introduction ........................................................... 1
2 Prerequisites .......................................................... 2
3 Structure of the sites: common features and differences ................ 3
4 Content Management - General ........................................... 4
5 Content Management - adapt a page ...................................... 4
6 Content Management - create a new page ................................. 4

1 Introduction

i-site is the MoE Intranet service. It can be accessed from within the MoE premises only. It resides on
MoE-HP-4 with address 172.20.1.132, in the Huawei-connected Server Farm at MoE.
To access it, typing i-site in the URL is sufficient.
i-site is reachable from all other MoE establishments: NAE, HERQA, CEICT/Mexico, via the
eGovernment Network. It can be considered to make i-site accessible also from other Ministries and
Organisations within the eGovernment network. To do that, i-site.local.moe.gov would have to be
defined in the eGovernment DNS (or Ministry DNSes), and the Eudemon Firewalls at the various
Ministries would have to be configured to let traffic to the i-site server pass.
On i-site, a webmaster email account is displayed: isite.MoE@gmail.com . Users sometimes send
mail to this account, which therefore must be checked periodically.

info.moe.gov.et is the MoE Supplementary Website. It can be accessed from within the MoE
premises and via the Internet. Until February 2012 it resides on MoE-HP3 in the DMZ of MoE
Headquarters, accessible at address 213.55.93.148. After February 2012 Info is one of the Virtual
Servers on one physical HP DL380 server in the National Data Centre. The server is assigned to MoE;
details in section 11 of this document. Info's external address there is 213.55.98.13.
The reason to maintain info.moe.gov.et next to the Portal, www.moe.gov.et is that it has facilities
that are not easily reproduced on the Portal, eg the Syllabus pages. Furthermore, there is often
volatile information that is not needed to be on the Portal. Also, it is often faster to first make an
appealing page on info and then if necessary port it to the Portal, than to make it directly on the
Portal. In all cases, the Portal is the first customer entry point, and for some pages the customer is
taken from there to info by means of links.

textbooks.moe.gov.et is the MoE Textbook Distribution site. It resides on the MoE-assigned physical
server in the National Data Centre too, as a virtual server. Its public address is 213.55.98.14. As of
writing, the server is not yet in production as the textbook unit is still formulating the Terms of Use
and any legal issues to be published as Conditions on the site. Also, no textbooks or chapters have
been provided to us yet. From day 1 of the server's public availability, Google Analytics should be
applied to be able to run overviews of numbers of downloads.

www.moe.gov.et is the MoE Portal, a part of the eGovernment Portal that is shared by 4 Ministries
(MoE, MoFED, MoLSA, MoH). More are supposed to follow in 2012. The Portal is a very ambitious
project that for each Ministry actually consists of multiple interlinked websites. In the case of MoE,
there are 5 target user groups, each with their own information (at least that is the design), and each
of these 5 groups must have all information in 4 languages (English, Amhara, Tigrinha, Oromifa). All
in all actually 20 websites for MoE alone. This ambition may be too high for some time to come.

On the Portal, www.moe.gov.et, a webmaster email account is displayed:
webmaster.moe.ethiopia@gmail.com. Users sometimes send mail to this account, which therefore
must be checked periodically.

The content of i-site, info and textbooks is maintained with the program GoLive. The content
management can be run from any PC, but it is best to appoint one PC as the Content Management PC,
and always prepare all content there. Advantages: no confusion about the latest version of files, and
the PC always has a complete copy of the entire sites, for calamities and backup. Hans' PC will be left
accessible for this purpose. Logon on Hans-PC with password ArbaMinch12. The PC also checks the
email accounts described above with Outlook. To check the email, start Outlook; under Inbox you
should see "Arranged by: email account, Z on top" (else click on the texts "Arranged by" and "xx on
top").

i-site, info and textbooks contain shtml pages only. As some pages use common sections (menus
etc), the use of Server Side Includes is used; all pages are therefore .shtml pages. Content
management is done by editing the html of a page, or by using one page as a template for another
and just changing html contents. Html content management allows much more flexibility than eg the
Portal, but therefore is also slightly more complex. Portal maintenance is complex too; its complexity
is caused by having to classify all metadata for pages and documents, to be consistent across sites.

2 Prerequisites

The servers must run IIS7, be configured for Server Side Includes, and must allow anybody to access
the root directory of the site (usually /inetpub/wwwroot). The servers must be defined to allow use
of FTP Publishing Services, and the PCs that can maintain contents must be declared in IIS.

The Content Management PC must run GoLive. Go Live has a Site File definition for each of the sites
to be maintained. In that Site File there are a number of settings, identifying the webmaster as
authorized maintainer, identifying the webserver by address, and having ftp preconfigured.

To maintain contents on a site, take the following steps:

1 Start GoLive

2 Click File > Open Recent > (name of site file)
  The Site File is either MoE Intranet (for i-site), MoE Extranet (for info.moe.gov.et), or
  MoE Textbooks (for textbooks.moe.gov.et).
  GoLive opens the Site Copy that is available on the Content Management PC, and
  displays
  a. The list of pages on that site (the home page is index.shtml)
b. The list of folders of that site. Important folders:
i. CSS: this contains the look-and-feel definitions. Do not change
ii. Images: this contains images used on a site (banners, logos, pictures)
iii. pdf: this contains PDF-documents that can be requested via this site
iv. other names: you can define any folder with any contents, the sites usually
have these other folders for further document downloads, eg for CPD
(cpdocs), EMIS (emdocs) etc.

3 Create a new page, or edit an existing page, or add a document to one of the folders

4 Publish the new page or the document by highlighting the page or document, and then
clicking Site>Publish Server>Upload. Instantly, an underlying ftp command will transfer
the document to the actual website and it can be referenced from Internet.

5 Note that any new page or new document must be referenced by an existing page by
means of a link otherwise the users of a website will not find the page or document.
See next chapters how to do that.

3 Structure of the sites common features and differences

1 Both sites have the index.shtml as home page. That page refers to a number of pages
and documents, and those pages again refer to other pages and documents, etc.

2 Both sites make use of Include statements. If a page contains an Include statement,
it means that it refers to a separate page (in html this time) which is the same for a
number of pages. For example: ALL pages on i-site have an Include statement for the
horizontal menu. In that way, maintenance of the horizontal menu can be done in one
file (MoEhm), and all pages will automatically include that menu. Also, a group of pages,
eg all pages that are under Institutions on info.moe.gov.et have the same vertical
menu in the left hand side. That vertical menu is also maintained separately and
included in each of those pages with an Include statement

3 The i-site makes use of a horizontal drop-down menu. If you move the cursor over one
element of it, a drop-down list appears with another (vertical) menu. The
info.moe.gov.et does NOT have a horizontal drop-down menu. The reason is, that there
are many different browsers in use in the world, and the older browsers do not properly
handle drop-down (eg Internet Explorer 6). Inside the MoE we can control the browser
version by installing it, but in the Internet we cannot.
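Two of the rules above are easy to break silently: step 5 in section 2 (a new page or document is invisible unless an existing page links to it) and the Include mechanism in section 3 (a page whose included menu file is missing or not yet published renders with a hole). The following added example, written for this document and not part of GoLive or the MoE sites, audits a site copy for both: it expands Server Side Include directives, then reports .shtml pages that no other page links to and links or includes whose target does not exist. The mini-site is constructed inline with site-root-relative names, and the .html extension on the menu file is an assumption (the text names it only as MoEhm).

```python
"""Orphan-page and broken-link audit for an .shtml site copy (added example)."""
import re
from html.parser import HTMLParser

# Server Side Include directive, e.g. <!--#include virtual="MoEhm.html" -->
INCLUDE_RE = re.compile(r'<!--#include\s+(?:virtual|file)="([^"]+)"\s*-->')

# Constructed mini-site: file name -> content (names are site-root relative)
SITE = {
    "index.shtml": '<!--#include virtual="MoEhm.html" --><a href="cpd.shtml">CPD</a>'
                   '<a href="pdf/plan.pdf">Plan</a>',
    "cpd.shtml": '<!--#include virtual="MoEhm.html" --><a href="index.shtml">Home</a>'
                 '<a href="cpdocs/missing.pdf">Guide</a>',
    "MoEhm.html": '<a href="index.shtml">Home</a><a href="cpd.shtml">CPD</a>',
    "orphan.shtml": '<!--#include virtual="MoEhm.html" -->New page nobody links to',
    "pdf/plan.pdf": "%PDF-1.4 (constructed placeholder)",
}


class LinkCollector(HTMLParser):
    """Collect local href targets from <a> tags (external links are ignored)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and not value.startswith(("http:", "https:", "mailto:")):
                    self.links.append(value)


def expand_includes(name, site, depth=0):
    """Replace SSI include directives with the included file's content, recursively."""
    def repl(match):
        target = match.group(1).lstrip("/")
        if target in site and depth < 5:   # depth cap guards against include loops
            return expand_includes(target, site, depth + 1)
        return ""                          # missing include renders as nothing
    return INCLUDE_RE.sub(repl, site[name])


def audit(site):
    """Return (orphans, broken).

    orphans: .shtml pages other than index.shtml that no page links to after
    include expansion; broken: (page, target) pairs whose link or include
    target is not in the site.
    """
    referenced, broken = set(), set()
    for name, content in site.items():
        if not name.endswith(".shtml"):
            continue
        for inc in INCLUDE_RE.findall(content):
            if inc.lstrip("/") not in site:
                broken.add((name, inc))
        collector = LinkCollector()
        collector.feed(expand_includes(name, site))
        for href in collector.links:
            target = href.lstrip("/")
            referenced.add(target)
            if target not in site:
                broken.add((name, href))
    orphans = sorted(p for p in site
                     if p.endswith(".shtml") and p != "index.shtml" and p not in referenced)
    return orphans, sorted(broken)


if __name__ == "__main__":
    orphans, broken = audit(SITE)
    print("orphan pages:", orphans)
    print("broken targets:", broken)
```

Run against a real site copy by building the dictionary from the files under the site root; the same two lists are what a content manager should check before publishing, since a page in the orphan list is exactly the case step 5 warns about.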

4 Content Management - General

You open a page in Go-Live by clicking on its name in the left hand side of the GoLive window. A new
window opens with the page content. In the menu bar above the page contents there are 4 options:
layout, source, preview and pdf preview. If you click on source, you see the html code and you can
edit it, If you click on Preview, you see what the page will actually look like. So if you change an
existing page or create a new page, then always check with Preview if the page looks OK before you
publish.

In Preview, the Include statements will not show any data. So the horizontal menu and any other
elements that are Included will not be there. Don't worry, on the real website they will be (as long as
those menu files are actually also published).

5 Content Management adapt a page

Steps to follow:

1 Identify the name of the page you need to adapt. When accessing i-site, info.moe.gov.et
or textbooks.moe.gov.et , the name of the page you are looking at is in the top of the
browser window.

2 In GoLive, click on the name of that page on the left hand side, and the page will open.
Click the Source button on top of the window, and start editing the page. Normally, you
will need to understand only a bit of html. Mostly, you just copy a relevant other part of
the page, and adapt the text in it. By comparing the html of the page with what you see
on the real website, you will automatically see how eg buttons are made, and how you
can add buttons by just copying sections of the existing page and altering the text in
them. If in doubt, consult a html manual from the Internet, eg
http://www.w3schools.com/html/ or http://htmlhelp.com/reference/html40/

6 Content Management create a new page

Steps to follow:

1 When accessing the i-site or info.moe.gov.et , select a page that has the most similar
structure to the page you want to make.
2 In GoLive, click on that page to open it.
3 Choose a name for the page you need to make.
4 Save the page you opened under that new name and close it.
5 Open and edit the new page to your liking and save it again
6 Publish it.

MoE Server Configurations
Hans, 7 Feb 2012

The following types of servers exist:

A Operational Servers in the MoE Data Centre

o 4 * HP DL380 servers as supplied in the 13 Ministries network
o 2 * Dell R910 servers as purchased by EMIS team

B Non-operational, old servers in the EMIS / ICT Team area:

o 4 * Old Dell servers as present already before 1 Feb 2011; decommissioned, but still usable
for several purposes. They will need rack and power space in the data centre, which depends
on Procurement Department. Therefore they are left out of this present overview.

C Operational MoE servers in the National Data Centre (NDC)

o 1 * Server in the National Data Centre. See document: Access from MoE to MoE Webservers
in the NDC DMZ.

The below chart provides the technical and functional data for the first 2 types of servers.
The order they are listed in is the order from top to bottom in the server rack in the Data Centre.

Item  Physical Server / Server Name   Virtual Server on this Physical Server   Function                                         IP address
#1    Dell R910 MoE-Dell-1                                                     VSphere / VMWare                                 172.20.1.143
#1-1                                  EMIS Test                                MoE in-house training server                     172.20.1.136
#1-2                                  EMIS@asmelash                            Public field-test EMIS server                    172.20.0.77
#1-3                                  Squid 2nd                                Squid server, 2nd proxy                          172.20.17.141
#1-4                                  Zimbra                                   MoE email server                                 172.20.0.71
#1-5                                  ns1                                      External DNS for moe.gov.et                      172.20.0.66
#2    Dell R910 MoE-Dell-2                                                     Windows 2008 Server with VMWare client
      --- this system is inappropriately installed and should be reinstalled with VSphere / VMWare ---
#2-1                                  EMIS server                              Not in use, remove
#2-2                                  CyberDB                                  HR service. Not used by HR                       172.20.1.142
#3    HP DL380 MoE-HP-1                                                        Active Directory. To be used for all AD at MoE   172.20.1.130
                                                                               as soon as new staff is present
#4    HP DL380 MoE-HP-2                                                        VSphere / VMWare                                 172.20.1.134
#4-1                                  Apt-Cacher                               MoE central Ubuntu cache                         172.20.1.135
#4-2                                  Squid 1st                                Squid server, 1st proxy                          172.20.1.141
#4-3                                  Nagios                                   Monitoring and management                        172.20.1.145
#5    HP DL380 MoE-HP-3                                                        INFO server. Free when NDC server is up;         172.20.0.68
                                                                               to be then virtualized & reused
#6    HP DL380 MoE-HP-4                                                        i-site, including other functions: AD,           172.20.1.132
                                                                               Internal DNS, WDS, FTP server

Legend (colour coding of the rows in the original chart): Virtualized Physical Server; Single-OS Server;
Windows 2008 Server; Ubuntu; Operational; Not operational; Inside; DMZ.
MoEs servers info.moe.gov.et and textbooks.moe.gov.et in the NDC
Hans, 8 February 2011

Contents
1 Introduction ........................................................... 1
2 Network Access Diagram ................................................. 1
3 Configuration & Management of the physical and virtual servers ......... 3
4 Security Policy ........................................................ 3

1 Introduction

The National Data Centre is the best place to host services of MoE that have to be available for the
public. The advantages of the NDC are significant:

- A team of staff with broad ICT experience to manage and operate the ICT environment
- A well-organized Data Centre with adequate power backup and air conditioning
- Physical access security
- Data security and backup
- A strong Internet connection (now 100 Mbps but practically unlimited)
- A good Woredanet connection

Hence MoE has decided to place two services at the NDC:

1 info.moe.gov.et, the Supplementary Website of MoE, supplementing the MoE Portal at
  www.moe.gov.et. The reason to maintain info.moe.gov.et next to the Portal is that it
  has facilities that are not easily reproduced on the Portal, eg the Syllabus pages.
  Furthermore, there is often volatile information that is not needed to be on the Portal.
  Also, it is often faster to first make an appealing page on info, and then port it to the
  Portal, than to make it directly on the Portal; because the Portal only has a cumbersome
  small-window html-editor. In all cases, the Portal is the first customer entry point, and
  for some pages the customer is taken from there to info by means of links.
2 textbooks.moe.gov.et, the server via which MoE plans to distribute (chapters of)
  General Education textbooks to the Ethiopian Public to help alleviate the printed
  textbook shortage in the country.

2 Network Access Diagram

The Network diagram depicting the access from MoE to the servers is on the next page.

[Figure: "Access from MoE to MoE Webservers in NDC DMZ", V1, 26 Jan 2012, HH. The diagram
shows the MoE network (Eudemon 1000 firewall; DMZ 172.20.0.64/27 with NS1 .66, STAT .69, SCHN .70
and the Zimbra mail server; public range 213.55.93.144/28; AR29 router with the 2 Mbps WoredaNet VPN
and the 4 Mbps ETC Internet link; Huawei and Cisco core switches with the 172.20.0.0/20 and
172.20.16.0/20 floor VLANs) and, in the NDC DMZ, one physical server running VSphere/VMWare with
two virtual web servers at private addresses 172.31.102.194 and 172.31.102.195, reachable at the public
addresses 213.55.98.13 (info.moe.gov.et) and 213.55.98.14 (textbooks.moe.gov.et). The NDC admin and
web content management stations at MoE are 172.20.18.132 and 172.20.18.170. The Rack, Server label
and VSphere/VMWare licence fields are left blank in the diagram.]
3 Configuration & Management of the physical and virtual servers

1 The base operating system of the physical server is VSphere, under which VMWare runs as the core
system hosting the guest operating systems. The licence for VSphere / VMWare
is free. MoE has registered for the licence and obtained licence nr
2 The VSphere Client is the controlling console of the physical server and its VSphere/
VMWare installation. The VSphere Client is run from one of the two Administrator PCs at
MoE, and requires access via ports 901 905 from MoE.
3 The Info server is implemented on a Windows 2008 Server system under VSphere/
VMWare. It uses IIS Version 7 as the Webserver.
Management and configuration of the Windows 2008 Server environment is done from
one of the two Administrator PCs at MoE, using Remote Console Access from MoE.
The Content Management of the Webserver is done with Adobe GoLive from one of the
two Administrator PCs at MoE, and requires FTP access from MoE.
Access to this server is allowed from anywhere on the Internet.
4 The Textbooks server is implemented on a separate Windows 2008 Server system under
VSphere/VMWare.
It uses IIS Version 7 as the Webserver.
Management and configuration of the Windows 2008 Server environment is done from
one of the two Administrator PCs at MoE, using Remote Console Access from MoE.
The Content Management of the Webserver is done with Adobe GoLive from one of the
two Administrator PCs at MoE, and requires FTP access from MoE.
Access to this server from the Internet must be restricted to IP addresses belonging to the
Ethiopian IP address space.

4 Security Policy

From                             To                           Ports                       Allow
Internet                         Info, 213.55.98.13           http                        V
Ethiopian Internet addresses     Textbooks, 213.55.98.14      http                        V
Woredanet                        Info, 213.55.98.13           http                        V
Woredanet                        Textbooks, 213.55.98.14      http                        V
MoE, 172.20.18.132 and .170      Info, 172.31.102.194         http, ftp, Remote Console   V
MoE, 172.20.18.132 and .170      Textbooks, 172.31.102.195    http, ftp, Remote Console   V
MoE, 172.20.18.132 and .170      172.31.102.197               VSphere Client              V
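The access requirements of section 3 and the Security Policy table above can be checked mechanically before and after a firewall change. The following Python script is an added example, not part of the MoE documentation or of any NDC firewall configuration: it encodes the seven table rows as an allow-list (treating any flow without a matching row as denied, which is an assumption about the policy's intent), and runs a few constructed connection records through it. The Woredanet source range (172.20.0.0/20) is an assumption to be checked against the address plan, and the "Ethiopian IP address space" is represented by a TEST-NET placeholder prefix because the document does not list the real ranges; the service names (http, ftp, remote_console, vsphere_client) are labels for the table's "Ports" column, not port numbers.

```python
"""Checker for the Security Policy allow-list (constructed example)."""
import ipaddress
from typing import Callable, List, NamedTuple, Optional, Tuple

IPAddr = ipaddress.IPv4Address


def _ip(text: str) -> IPAddr:
    return ipaddress.IPv4Address(text)


# Servers named in the Security Policy table.
INFO_PUBLIC = _ip("213.55.98.13")
TEXTBOOKS_PUBLIC = _ip("213.55.98.14")
INFO_INTERNAL = _ip("172.31.102.194")
TEXTBOOKS_INTERNAL = _ip("172.31.102.195")
VSPHERE_HOST = _ip("172.31.102.197")

# The two MoE administrator PCs from the table.
MOE_ADMIN_PCS = frozenset({_ip("172.20.18.132"), _ip("172.20.18.170")})

# ASSUMPTION: Woredanet sources are taken to be 172.20.0.0/20; verify against the address plan.
WOREDANET = ipaddress.IPv4Network("172.20.0.0/20")

# PLACEHOLDER: the document does not list the Ethiopian IP address space. The TEST-NET
# prefix below is a constructed stand-in and must be replaced by the real prefix list.
ETHIOPIAN_SPACE = [ipaddress.IPv4Network("198.51.100.0/24")]


class Rule(NamedTuple):
    name: str
    src_ok: Callable[[IPAddr], bool]
    dst: IPAddr
    services: frozenset


def any_source(ip: IPAddr) -> bool:
    return True


def ethiopian_source(ip: IPAddr) -> bool:
    return any(ip in net for net in ETHIOPIAN_SPACE)


def woredanet_source(ip: IPAddr) -> bool:
    return ip in WOREDANET


def moe_admin_source(ip: IPAddr) -> bool:
    return ip in MOE_ADMIN_PCS


ADMIN_SERVICES = frozenset({"http", "ftp", "remote_console"})

# One Rule per row of the Security Policy table, in table order.
RULES: List[Rule] = [
    Rule("internet->info", any_source, INFO_PUBLIC, frozenset({"http"})),
    Rule("ethiopia->textbooks", ethiopian_source, TEXTBOOKS_PUBLIC, frozenset({"http"})),
    Rule("woredanet->info", woredanet_source, INFO_PUBLIC, frozenset({"http"})),
    Rule("woredanet->textbooks", woredanet_source, TEXTBOOKS_PUBLIC, frozenset({"http"})),
    Rule("moe-admin->info", moe_admin_source, INFO_INTERNAL, ADMIN_SERVICES),
    Rule("moe-admin->textbooks", moe_admin_source, TEXTBOOKS_INTERNAL, ADMIN_SERVICES),
    Rule("moe-admin->vsphere", moe_admin_source, VSPHERE_HOST, frozenset({"vsphere_client"})),
]


def matching_rule(src: str, dst: str, service: str) -> Optional[str]:
    """Return the name of the first table row that allows src->dst:service, else None.

    A flow with no matching row is outside the policy and is treated as denied.
    """
    s, d = _ip(src), _ip(dst)
    for rule in RULES:
        if rule.dst == d and service in rule.services and rule.src_ok(s):
            return rule.name
    return None


def audit(records: List[str]) -> List[Tuple[str, str]]:
    """Map 'src dst service' records to the row that permits them, or 'DENY'."""
    return [(rec, matching_rule(*rec.split()) or "DENY") for rec in records]


def denied(records: List[str]) -> List[str]:
    """The records that no row of the table permits."""
    return [rec for rec, verdict in audit(records) if verdict == "DENY"]


# Constructed connection records, not real firewall logs.
SAMPLE_RECORDS = [
    "203.0.113.7 213.55.98.13 http",                # Internet to Info: allowed
    "203.0.113.7 213.55.98.14 http",                # Internet to Textbooks: outside Ethiopian space
    "198.51.100.9 213.55.98.14 http",               # placeholder Ethiopian address to Textbooks: allowed
    "203.0.113.7 172.31.102.194 ftp",               # FTP from the Internet: only the admin PCs may
    "172.20.18.132 172.31.102.194 remote_console",  # admin PC to Info console: allowed
    "172.20.18.5 172.31.102.197 vsphere_client",    # other MoE host to VSphere: not an admin PC
]

if __name__ == "__main__":
    for rec, verdict in audit(SAMPLE_RECORDS):
        print(f"{verdict:<22} {rec}")
```

Running the script prints one verdict per record; three of the six constructed records fall outside the table (Internet to Textbooks, FTP from the Internet, and VSphere Client from a non-administrator MoE host). Feeding it real flow records exported from the Eudemon or the NDC firewall gives a quick regression check that the implemented rules still match the documented policy.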

5 Content Management

The Content Management of both servers is described in section 9 of this document.
