Documentation
Version 5
13 February 2012
Hans Hesseling
MoE - VSO
[Figure: Overall MoE Network Configuration V12, 23 Jan 2012, HH. Network diagram. Labels recoverable from the figure: 4 Mbps Internet; MoE Network 10.40.20.234, 10.40.20.233; 172.20.104.0/21; Cisco Core Switch; HuaWei Core Switch; 172.20.5.128/21; 172.20.1.128/25; VLAN 500; VLAN 30; HuaWei Distribution Switch; host octets .2, .1, .129, .130, .141, .129, .132, .134; two links marked "?".]
Entries in the figure for rooms NB... (listed before the HuaWei Distribution Switch label):
Floor  Room  Subnet  VLAN  Address
Ground  NB013  172.20.18.128/25  VLAN 300  172.20.11.5
Ground  NB019  172.20.18.128/25  VLAN 300  172.20.11.6
Ground  NB019  172.20.18.128/25  VLAN 300  172.20.11.7
1st Floor  NB112  172.20.19.0/25  VLAN 310  172.20.11.115
2nd Floor  NB212  172.20.19.128/25  VLAN 320  172.20.11.125
4th Floor  NB417  172.20.20.0/25  VLAN 340  172.20.11.135
Entries in the figure for rooms NB... (listed after the HuaWei Distribution Switch label):
Floor  Room  Subnet  VLAN  Address
Ground  NB019  172.20.2.0/25  VLAN 100  192.168.0.1
1st Floor  NB112  172.20.3.0/25  VLAN 110  192.168.0.11
2nd Floor  NB212  172.20.3.128/25  VLAN 120  192.168.0.21
2nd Floor  NB212  172.20.3.128/25  VLAN 120  192.168.0.22
3rd Floor  NB417  172.20.4.0/25  VLAN 130  192.168.0.31
Entries in the figure for rooms OB...:
Floor  Room  Subnet  VLAN  Address
3rd floor  OB227  172.20.26.0/25  VLAN 430  192.168.0.135
3rd floor  OB227  172.20.26.0/25  VLAN 430  192.168.0.136
3rd floor  OB227  172.20.26.0/25  VLAN 430  192.168.0.137
2nd floor  OB131  172.20.25.128/25  VLAN 420  192.168.0.126
2nd floor  OB131  172.20.25.0/25  VLAN 420  192.168.0.125
Ground  OB014  172.20.24.0/25  VLAN 400  192.168.0.105
Basement  OB015  172.20.8.0/25  VLAN 200  172.20.11.100
Ground  OB015  172.20.8.128/25  VLAN 200  172.20.11.101
1st Floor  OB1.31  172.20.9.0/25  VLAN 210  172.20.11.111
1st Floor  OB1.31  172.20.9.0/25  VLAN 210  172.20.11.112
2nd Floor  OB2.27  172.20.9.128/25  VLAN 220  172.20.11.121
3rd Floor  OB3.29  172.20.10.0/25  VLAN 230  172.20.11.131
3rd Floor  OB3.29  172.20.10.0/25  VLAN 230  172.20.11.132
Routine early morning checks to be performed from a PC on Cisco side of network
Hans, V4, 23 Jan 2011
Please perform the following steps EVERY DAY upon arrival at the Office.
1 Check availability of i-site and the i-site ftp service. If not available, remedy the problems
2 Check availability of the external DNS and the Info site. If not OK, remedy the problems
3 Check reachability of Soho Internet router (ping 213.55.93.145). Remedy if not OK
4 Check Internet status:
a. Your PC: Do you have good Internet access?
b. Your PC: Does ping of 4.2.2.2 consistently give 100% response? (ping 4.2.2.2 is routed via the
213.55.93.145 gateway at all times.) If OK, go to step 5.
c. If ping of 4.2.2.2 is consistently 0%, the MoE Internet line is out of service.
First check whether the alternative line, the Woredanet line to the Internet, is active:
log on to the server at 172.20.1.132 and check whether ping 8.8.8.8 works. If not, Woredanet is likely
to be down. With both these lines down, call ETC at 0911504004 to have this remedied.
d. If the Woredanet line is OK, then reroute all Internet traffic to it.
Login to the Eudemon:
i. telnet 172.20.0.1
ii. username *****, password *****
iii. give the commands
1. system-view
2. firewall zone internal
3. undo qos apply policy outbound
4. undo ip route 0.0.0.0 0.0.0.0 213.55.93.145
e. Verify that Internet access is now OK
f. In case of a power cut, recheck the Internet situation from 4.a onward when the power comes back
g. Remember to revert the situation to normal as soon as the MoE Internet line is back!
i. telnet 172.20.0.1
ii. username *****, password *****
iii. give the commands
1. system-view
2. firewall zone internal
3. qos apply policy mypolicy outbound
4. ip route 0.0.0.0 0.0.0.0 213.55.93.145
5 Now check external availability of ns1.moe.gov.et and info.moe.gov.et via Centralops.net.
If either of them is not available, it is another sign of the main MoE Internet line not working. Call
EthioTelecom 0911504004 and report a line problem.
6 Check the status of the Data Centre door. If it does not open on code or access card, a power cut has
affected it (Huawei should still repair that!). Steps to take then:
a. Start up the Access Control PC in room 16. Ensure that it connects to the correct network patch
cable marked Access Control.
b. Login to it with the password provided
c. Open Netking folder
d. Click Netking icon. A window pops up that asks for Operator ID. Type
system
and click OK (no password)
e. The CSS application server comes up. Do not close that window, minimize it.
f. In the window now visible, click Wizard > Controller
g. Click Verify all controllers
h. When ready, click Verify current controller. A window pops up with Verify succeed!
i. The door is now controllable by code and access cards again
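Steps 3 to 5 of the checklist above, written as a small triage helper that also tracks whether traffic is still rerouted, so the revert in step 4.g is not forgotten. This is an added example, not part of the original checklist; the function and class names, the three-round sampling and the "RETEST" outcome for partial loss are assumptions, while the addresses come from the checklist.

```python
import platform
import subprocess

SOHO_ROUTER = "213.55.93.145"   # step 3 of the checklist
MAIN_LINE_PROBE = "4.2.2.2"     # step 4.b: always routed via 213.55.93.145


def ping_once(host, timeout_s=2):
    """Send one ICMP echo with the system ping; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def sample(host, rounds=3, per_round=5, probe=ping_once):
    """Response rate in percent for each round, e.g. [100, 100, 80]."""
    return [100 * sum(bool(probe(host)) for _ in range(per_round)) // per_round
            for _ in range(rounds)]


def classify(rates):
    """'up' only if every round is 100%, 'down' only if every round is 0%."""
    if all(r == 100 for r in rates):
        return "up"
    if all(r == 0 for r in rates):
        return "down"
    return "unstable"   # assumption: the checklist does not cover partial loss


class InternetLineCheck:
    """Remembers whether traffic was rerouted to Woredanet (step 4.d)."""

    def __init__(self, on_backup=False):
        self.on_backup = on_backup

    def mark_rerouted(self):
        self.on_backup = True    # operator ran the 'undo' commands on the Eudemon

    def mark_reverted(self):
        self.on_backup = False   # operator restored the policy and default route

    def decide(self, main_rates, woredanet_ok=None):
        """Map probe results to the next checklist action.

        woredanet_ok is the result of 'ping 8.8.8.8' run on 172.20.1.132
        (None = not checked yet).
        """
        main = classify(main_rates)
        if main == "up":
            return "REVERT_TO_MAIN" if self.on_backup else "CONTINUE_STEP_5"
        if main == "unstable":
            return "RETEST"
        if self.on_backup:
            return "STAY_ON_BACKUP"
        if woredanet_ok is None:
            return "CHECK_WOREDANET"
        return "REROUTE_TO_WOREDANET" if woredanet_ok else "CALL_ETC"


if __name__ == "__main__":
    print("router reachable:", classify(sample(SOHO_ROUTER)) == "up")
    print("next action:", InternetLineCheck().decide(sample(MAIN_LINE_PROBE)))
```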
MoE Public addresses - Version 13 February 2012
213.55.93.144/28
Old Building
New Building
Commissioned by
USAID-AED/ EQUIP II
Submitted To
Ministry of Education
Prepared By
StarCom Network Solutions plc
Debre Zeit Road
Baleker Tower, 7th Floor
P.O. Box 55751
Addis Ababa, Ethiopia
MOE Network Documentation
By StarCom Network Solutions plc
Table of Contents
Executive Summary
1 MOE Network Infrastructure Overview
1.1 Domain name
1.2 Network Cabling
1.3 Internet access provider
1.4 Web hosting
1.5 Internet mail hosting
2 Brief Description of the MOE Network
2.1 IP addressing and subnets
2.2 Key Network Devices
2.3 Servers
2.4 Perimeter Security
2.5 Enterprise Security
2.6 The Network Backbone
2.7 Client Workstations
3 MOE Network Configuration
3.1 Core Network Infrastructure Services
3.1.1 Considerations
3.1.2 Recommendations
3.2 Active Directory and DNS
3.3 Configuration of Switches
3.3.1 Interconnection of Switches
3.3.2 VLAN Segmentation
3.3.3 MOE VLANs
3.3.4 VLAN Membership Assignment
3.3.5 Catalyst 3560G Switch Configuration
3.4 PIX 515E Configuration
3.4.1 Interfaces on the PIX 525 Firewall
Interface Assignments
4 Detailed Network Cabling Information
4.1 Old Building Documentation
4.1.1 Rack Diagrams
4.1.2 Switches and Patch Panels location (Old Building)
4.1.3 Interconnections
4.1.4 Network Nodes - Old Building Basement Floor
4.1.5 Network Nodes - Old Building First Floor
4.1.6 Network Nodes - Old Building Second Floor
4.2 New Building Documentation
4.2.1 Rack Diagrams
4.2.2 Switches and Patch Panels location (New Building)
4.2.3 Interconnections
4.2.4 Network Nodes - New Building Ground Floor
4.2.5 Network Nodes - New Building Ground Floor Training Room
4.2.6 Network Nodes - New Building First Floor
4.2.7 Network Nodes - New Building Second Floor
4.2.8 Network Nodes - New Building Fourth Floor
4.3 Switch Port Usage
4.3.1 Old Building Port Usage
4.3.2 New Building Port Usage
Executive Summary
1 MOE Network Infrastructure Overview
MOE has a fully switched network infrastructure that spans the new and old buildings of the
ministry.
The Network provides the following major services:
Internet Access for all workstations
Messaging System that can relay and accept email messages from the Internet using the moe.gov.et domain
Web hosting for the MOE Web Site http://www.moe.gov.et
A unified directory service that supports centralized management, single sign-on and information auditing capabilities
File and Print Sharing Services
Secure Information processing using managed antivirus, intrusion detection, etc.
Web-based email access for MOE staff
Messaging and Collaboration tools
Network Management System
Implementation of proper VLAN segmentation
Clustered Switches
1.1 Domain name
The Ministry of Education (MOE) is using a registered public domain name, moe.gov.et, from the local
internet service provider, Ethiopian Telecommunication Corporation (ETC).
MOE is using the DNS namespace moe.gov.et for its public DNS and moe.gov.local for its
internal namespace.
The public DNS namespace, moe.gov.et, is registered with the ISP and is used to publish
resources, such as the ministry's public Web site, and mail exchange records on the Internet.
The external name space is hosted on the external DNS Servers ns1.moe.gov.et and
ns2.moe.gov.et.
The domain name, moe.gov.et, registered with ETC needs to point to the authoritative DNS
server of the domain. The authoritative DNS server maintains all the DNS records, such as
www.moe.gov.et and mail.moe.gov.et, for the DNS namespace. The DNS records on the
authoritative DNS server are currently maintained by the external DNS Servers of the Ministry,
ns1.moe.gov.et and ns2.moe.gov.et.
The internal namespace moe.gov.local has dedicated internal infrastructure servers that
provide DNS services to MOE internal network users. The internal DNS servers are Active
Directory integrated and run on the servers MOEADDNS1.moe.gov.local and
MOEDC2.moe.gov.local.
1.2 Network Cabling
The Network Cabling is based on a Cat 5e Structured Cabling System. Cat 5e provides up to 1 Gbps
network connectivity over a distance of 100 m. All workstations are connected to their
respective wiring closets with Cat 5e UTP cables.
The Old Building and the New Building are interconnected with Cat 5e UTP cables with 1 Gbps
speed.
1.3 Internet access provider
MOE is using 256 kbps ADSL broadband internet access subscribed from the Ethiopian
Telecommunication Corporation.
1.4 Web hosting
MOE has assigned a dedicated web server for hosting the Ministry Web Site
http://www.moe.gov.et. The Web Server is appropriately placed in the network perimeter
behind the PIX 525 Firewall so that it can be accessed by internet users without compromising the
internal security of the MOE Network.
1.5 Internet mail hosting
MOE has Microsoft Exchange 2003 based Mail Servers for internal as well as internet mail
communication. The mail server enables all MOE staff to have an email address of the form
username@moe.gov.et for internal as well as internet email communication.
2 Brief Description of the MOE Network
2.1 IP addressing and subnets
Private IP address range 172.20.0.0 is used for the overall MOE Network.
Public IP Addresses are configured for the external interface of the PIX 525 Firewall, and
Ethernet interface of the ADSL Router.
213.55.93.144/28  Public IP Subnet for MOE
213.55.93.145  Ethernet Interface of ADSL Router for Internet Access
213.55.93.149  Outside (External) Interface of Cisco PIX Firewall
213.55.93.148  Public IP Address for Web Server (www.moe.gov.et)
213.55.93.151  Public IP Address for Mail Server (mail.moe.gov.et)
213.55.93.146  Public IP Address of MOE Primary DNS Server ns1.moe.gov.et
213.55.93.147  Public IP Address of MOE Secondary DNS Server ns2.moe.gov.et
213.55.92.152 to 213.55.93.157  NAT Addresses for Internet Access
The IP Addressing Scheme for the MOE Network is listed as follows:
No.  Address Range  Location  Subnet
2.2 Key Network Devices
Backbone Switch: Cisco 3560G Layer Gigabit Switch is used as a collapsed backbone.
This switch has 24 10/100/1000 ports and 4 SFP-based Gigabit Ports that support
Fiber as well as Twisted Pair transceivers. In addition, the switch has the
following features:
Basic Layer 3 Routing Protocols (RIP)
Configurable up to 11,000 unicast routes
Configurable up to 1000 IGMP groups and multicast routes
Advanced QoS
Port security secures the access to an access or trunk port based on MAC address
Port-based ACLs (PACLs) for Layer 2 interfaces allow application of security policies on individual switch ports.
Cisco security VLAN ACLs (VACLs) on all VLANs prevent unauthorized data flows from being bridged within VLANs.
Access Switches: MOE is using Cisco Catalyst 2960 Access Switches that are clustered together
under the command of the Cisco 3560G core switch. The Cisco 2960 Switches support VLAN
configuration and are configured to provide VLAN segmentation based on the departments of
the Ministry of Education. Inter-VLAN routing functionality is provided by the Layer 3 Catalyst
3560G switch.
2.3 Servers
MOE's servers are based on Windows 2003 and provide the following primary services:
Active Directory Service, for centralized administration of network users and resources
File and Print Sharing
Email Server
Web Server
Backup Server
Anti-Virus Server
Internet Security and Acceleration
Server Name  Location  Major Functions
MOEADDNS1  VLAN 64  Domain Controller, Internal DNS Server
MOEDC2  VLAN 64  Domain Controller, Internal DNS Server
MOEMS1  VLAN 64  MOE Mail Server
MOEISA  VLAN 64, VLAN 80  Microsoft ISA Server 2004
MOEAV1  VLAN 64  Centralized Anti-Virus and Threat Protection Management Server
MOEWS1  VLAN 80  MOE Web Server
MOENS1  VLAN 80  MOE Public DNS Server 1
MOENS2  VLAN 80  MOE Public DNS Server 2
MOENM1  VLAN 1  MOE Network Management Server
2.4 Perimeter Security
Internet Security and Firewall Protection is provided using Microsoft ISA Server 2004 running on
MOEISA and the PIX 525 Hardware Firewall.
The Microsoft ISA Server 2004 is located on the PIX DMZ, and protects the internal network
from unauthorized access from the internet. The Microsoft ISA Server is to provide Internet
Access to MOE staff based on configurable control parameters like username, IP address, and
schedule hours.
The ISA Server 2004 is configured to publish the Internal Mail Server so that MOE users can have
internet mail communication using the domain moe.gov.et.
The PIX Firewall is configured to block access to the internal network from the internet, and to
only publish Web, DNS and Mail Services in the DMZ Zone. The following key configurations
have been made on the PIX Firewall.
The outside interface of the PIX Firewall is directly connected to the broadband ADSL router for internet access.
The inside interface of the PIX is connected to the DMZ.
The PIX is configured to allow traffic from the DMZ zone to the Internet.
All traffic from the internet to the DMZ is blocked except the following:
o Web requests to the MOE Web Server
o SMTP Communication to the External Interface of the ISA Server 2004.
o DNS requests from the internet to the public DNS Servers.
NAT is configured for mapping between the Private IP Address of the Web Server (172.20.80.148) in the DMZ to the public IP Address 213.55.93.148 of the web server.
NAT is configured for mapping between the Private IP Address of the Public Name Servers (172.20.80.146 and 172.20.80.147) in the DMZ to the public IP Address 213.55.93.146, and 213.55.93.147 respectively.
NAT is configured for mapping between the Private IP Address of the External Interface of ISA Computer (172.20.80.149) in the DMZ to the public IP Address of the mail exchanger, 213.55.93.151.
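The inbound policy and static NAT described above, modelled so that the documented addressing can be checked for consistency and sample flows can be evaluated against it. This is an added example, not StarCom's configuration or PIX syntax; the function names and the port numbers (TCP 80 for web, TCP 25 for SMTP, UDP/TCP 53 for DNS) are assumptions, since the page names the services but not the ports. All addresses are the ones printed in sections 2.1 and 2.4.

```python
import ipaddress

PUBLIC_NET = ipaddress.ip_network("213.55.93.144/28")    # section 2.1

# Addresses already used by devices on the public subnet (section 2.1).
INTERFACE_ADDRS = {
    "213.55.93.145": "ADSL router Ethernet interface",
    "213.55.93.149": "PIX outside interface",
}

# Static NAT from section 2.4: public address -> DMZ address.
STATIC_NAT = {
    "213.55.93.148": "172.20.80.148",   # web server
    "213.55.93.146": "172.20.80.146",   # public name server 1
    "213.55.93.147": "172.20.80.147",   # public name server 2
    "213.55.93.151": "172.20.80.149",   # ISA external interface (mail exchanger)
}

# NAT addresses for Internet access, both ends as printed in section 2.1.
NAT_POOL = ("213.55.92.152", "213.55.93.157")

# The three inbound exceptions; port numbers are assumptions (see lead-in).
ALLOW_INBOUND = {
    ("172.20.80.148", "tcp", 80),
    ("172.20.80.149", "tcp", 25),
    ("172.20.80.146", "udp", 53), ("172.20.80.146", "tcp", 53),
    ("172.20.80.147", "udp", 53), ("172.20.80.147", "tcp", 53),
}


def evaluate_inbound(dst_public, proto, dport):
    """Return (verdict, dmz_address) for a packet arriving from the internet."""
    dmz = STATIC_NAT.get(dst_public)
    if dmz is None:
        return ("deny", None)            # no translation, nothing to reach
    if (dmz, proto, dport) in ALLOW_INBOUND:
        return ("permit", dmz)
    return ("deny", dmz)                 # translated host, unpublished service


def audit():
    """Cross-check the documented NAT and rule set; return a list of findings."""
    findings = []

    def in_public(addr):
        return ipaddress.ip_address(addr) in PUBLIC_NET

    for pub, dmz in STATIC_NAT.items():
        if not in_public(pub):
            findings.append(f"static NAT {pub} is outside {PUBLIC_NET}")
        if pub in INTERFACE_ADDRS:
            findings.append(f"static NAT {pub} collides with {INTERFACE_ADDRS[pub]}")
        if not any(rule[0] == dmz for rule in ALLOW_INBOUND):
            findings.append(f"{pub} -> {dmz} is translated but publishes no service")
    for dmz, proto, port in sorted(ALLOW_INBOUND):
        if dmz not in STATIC_NAT.values():
            findings.append(f"rule {proto}/{port} -> {dmz} has no static NAT")
    for end in NAT_POOL:
        if not in_public(end):
            findings.append(f"NAT pool address {end} is outside {PUBLIC_NET}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: (destination, protocol, destination port).
    for flow in [("213.55.93.148", "tcp", 80), ("213.55.93.148", "tcp", 3389),
                 ("213.55.93.151", "tcp", 25), ("213.55.93.149", "tcp", 80)]:
        print(flow, "->", evaluate_inbound(*flow))
    for finding in audit():
        print("finding:", finding)
```

Run against the values printed on this page, the audit reports one finding: the start of the NAT range, 213.55.92.152, lies outside 213.55.93.144/28.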
2.5 Enterprise Security
MOE has implemented centralized virus and threat protection for its internal network resources
using Symantec Endpoint Protection. Symantec Endpoint Protection has the following key
features:
Antivirus and Antispyware: Antivirus and Antispyware scan for viruses and for other
security risks, including spyware, adware, and other files that can put a computer or a
network at risk.
Personal Firewall: The Symantec Endpoint Protection firewall provides a barrier
between the computer and the Internet, preventing unauthorized users from accessing
the computers and networks. It detects possible hacker attacks, protects personal
information, and eliminates unwanted sources of network traffic.
Intrusion Prevention: The intrusion prevention system (IPS) is the Symantec Endpoint
Protection client's second layer of defense after the firewall. The intrusion prevention
system is a network-based system. If a known attack is detected, one or more intrusion
prevention technologies can automatically block it.
Proactive Threat Scanning: Proactive threat scanning uses heuristics to detect unknown
threats. Heuristic process scanning analyzes the behavior of an application or process to
determine if it exhibits characteristics of threats, such as Trojan horses, worms, or
keyloggers.
Device and Application Control: Device-level control is implemented using rule sets that
block or allow access from devices, such as USB, infrared, FireWire, SCSI, serial ports,
and parallel ports. Application-level control is implemented using rule sets that block or
allow applications that try to access system resources.
2.6 The Network Backbone
The Network Backbone is based on a Twisted Pair Copper Backbone. The Cisco 2960 Switches in
the wiring closets are connected to the Layer 3 Catalyst 3560G Gigabit Switch with Cat 5e UTP
cable running at gigabit speed.
The links between the Cisco switches are configured as trunks so that they can support multiple
VLAN traffic.
2.7 Client Workstations
The client workstations are Windows XP based and are connected to the network with
100 Mbps connections. All workstations receive automatic settings from the DHCP Servers. The
Catalyst 3560G Switch is configured as DHCP Server to provide automatic IP Address settings
based on the VLAN membership of the switch port to which the client is connected.
3 MOE Network Configuration
3.1 Core Network Infrastructure Services
The core network services that are running on the MOE Network include:
Domain Name System (DNS): Resolves DNS names to IP addresses
Dynamic Host Configuration Protocol (DHCP): Automatically configures network
settings on clients and facilitates management of IP addresses and network
configuration of clients.
Windows Internet Name Service (WINS): Resolves NetBIOS names to IP addresses.
Directory services: Authenticate users and computers that try to access resources. The
Active Directory service can also be used to centralize and simplify the management of
network resources.
The DNS, WINS and Directory Services are configured on Windows Server 2003 Servers while the
DHCP Server is configured on the Catalyst 3560G Switch.
Benefits of the Recommended Services
StarCom designed and implemented Network and Directory Services on the MOE Network so
that the following benefits can be obtained:
Reliable infrastructure: The network and directory services are implemented on
redundant servers for better reliability.
Centralized resource management: Active Directory is used to provide a centralized
database of all users, computers, and other objects on the network. It helps organize
the resources in an IT environment based on the structure of the organization.
Security: Active Directory is used to provide the security and authentication mechanism,
which offers protected and controlled access to resources.
Single Sign-on: Active Directory is used to enable single sign-on, which essentially means
that users need to provide their credentials only once. They need not provide
credentials each time they try to access a resource on the network and the same set of
credentials is used for accessing all resources.
Well-defined and enforced security policies: Group Policy is used to define and enforce
domain-wide security policies in the MOE Network. GPOs are used to ensure that
security policies that are set in the MOE LAN are enforced on every object in the
environment, and cannot be overridden by any client or other device.
3.1.1 Considerations
The network and directory services are critical for the proper functioning of the MOE Network.
Using only a single infrastructure server minimizes costs, but it does not provide failover
capabilities. Failure of the infrastructure server can cripple the entire network operation. In
addition, if the failure is caused by the server hardware, additional delays are often introduced
while waiting for spare parts or replacement hardware.
Deploying a cluster of servers offers redundancy and automatic failover capabilities. However,
clustering requires Windows Server 2003, Enterprise Edition on both infrastructure servers,
which is more expensive than Windows Server 2003, Standard Edition. In addition, configuring,
operating and troubleshooting server clusters is complicated, and is not recommended at this
stage. However, this option can be considered in the near future as the MOE network utilization
grows.
Deploying two redundant infrastructure servers in a non-clustered configuration is easy to
configure. The Windows server-based network services and Active Directory services are
designed to run across multiple servers, thus eliminating a single point of failure.
3.1.2 Recommendations
StarCom Network Solutions recommends deploying two redundant servers called the primary
infrastructure server (MOEADDNS1) and the secondary infrastructure server (MOEDC2).
Under normal conditions, the primary infrastructure server provides most of the network
services because the majority of client requests are first directed to this server. In cases where
this server fails to give a timely response, most requests are then directed to the secondary
infrastructure server. The majority of client requests are directed to the secondary server only
when the primary server does not respond in a timely manner. The following table presents the
services hosted on the primary and secondary infrastructure servers.
3.2 Active Directory and DNS
Active Directory is the directory service for Windows Server 2003. It stores information about
objects on the network and makes it easy for administrators and users to find and use this
information. Active Directory service uses a structured data store as the basis for a logical and
hierarchical organization of directory information.
In the MOE Network, DNS is installed on both the infrastructure servers. All clients are then
configured to send all queries to the primary infrastructure server. DNS requests go to the
secondary infrastructure server only if the primary server is unavailable or does not respond.
DNS is automatically installed on the primary infrastructure server. The installation of DNS is
integrated with the installation of Active Directory on that server. After completing the Active
Directory installation wizard on the primary server, both DNS and Active Directory are installed
and configured.
The installation of DNS on the second server is done manually after Active Directory is installed.
Both DNS servers are set up as Active Directory Integrated DNS servers so that the DNS
information is stored in Active Directory.
3.3 Configuration of Switches
This section focuses on the detailed configuration of the following backbone and access switches installed
at MOE.
3.3.1 Interconnection of Switches
The MOE network is configured with Catalyst 3560G collapsed backbones serving as both core
and distribution and Catalyst 2960 Access Switches. The Catalyst 2960 switches have gigabit
connection to the Catalyst 3560G core switch with UTP Cat 5e backbone cables.
The MOE Network Topology allows for implementation of redundancy in the future in which a
second core switch will be added and connected to the second Gigabit Ethernet ports of the
Catalyst 2960 access switches.
3.3.2 VLAN Segmentation
The MOE Network has been segmented into different VLANs to restrict network broadcast traffic and
enhance the performance and security of the network. The VLAN segmentation has been implemented
based on the organizational structure of the ministry. Communication between the different VLANs is
accomplished through the Catalyst 3560G switch that provides layer 3 routing functionality.
Accordingly, the following organizational structure of the Ministry of Education has been duly considered
while segmenting the MOE network into different VLANs.
Minister
o Foreign & Public relation
o Gender & Equity
o Audit
o Legal
o Procurement & General service
o UNESCO & UNESCO Library
o Human Resource, Archive
Finance
General Education State Minister
o Teacher Development Program
o English Language
o Civic Education
Higher Education State Minister
o Higher Education Expansion
o Higher Education System
TVET State Minister
o TVET Department 1
o TVET Department 2
Planning
o Training room, Education Information Mgt System (EIM)
o Libraries (New Building First Floor)
3.3.3 MOE VLANs
3.3.4 VLAN Membership Assignment
The switch ports on the MOE Switches are assigned to VLANs based on the network topology and the
clients that connect directly to the switch port as follows:
No.  VLAN Number  Core Switch  MOE SW NBF0  MOESW NBFGT  MOE SW NBFGT1  MOESW NBF1  MOESW NBF2  MOE SW NBF3  MOE SW NBF4
1 VLAN8
2 VLAN16
3 VLAN24
4 VLAN32
5 VLAN40
6 VLAN48 8,11,12,13, 3,5,6,7,8
15,16,17,23, 12,14,15
16,20,23
7 VLAN56 11,13 1,2,3,4,5,6,7 2,3,4,6, 3,4,9,24 110,
8,9,10,11,12 8,17 1224
13,14,17,19
21,23
8 VLAN64 15,162 7,9
0,21
3.3.5 Catalyst 3560G Switch Configuration
The Catalyst 3560G backbone switch serves the following key roles in the MOE Network.
Segmentation of the MOE Network into different VLANs
Inter-VLAN routing for communication among the different VLANs in the MOE Network
Providing gigabit backbone connectivity to the switches that are directly connected to it
Controlling the level of broadcast on the MOE network
Serving as DHCP Server by assigning automatic IP Address settings based on the VLAN membership of the client computers
Command Switch for MOE cluster
3.4 PIX 515E Configuration
The PIX 525 Firewall is configured to provide internet security for the MOE Network with the
following features:
Network Address Translation (NAT) or Port Address Translation (PAT)
Segment the Perimeter Network into Inside (Private), outside (public), DMZ, and Management
Allow outgoing internet access only from the ISA Server computer
Block inbound traffic from the internet to the internal network
Allow only web requests from the internet to the MOE Web Server
Allow incoming and outgoing SMTP traffic to and from the Exchange Server
Perform stateful inspection and application layer filtering on the internet traffic
content filtering (Java/ActiveX)
URL filtering
3.4.1 Interfaces on the PIX 525 Firewall
Interface Assignments
4 Detailed Network Cabling Information
4.1 Old Building Documentation
4.1.1 Rack Diagrams
4.1.2 Switches and Patch Panels location (Old Building)
Room#  No. of Switches  No. of Patch Panels  No. of Nodes (Connected)
OB014  1  1 (24 ports each)  23
OB131  1  2 (24 ports each)  39
OB227  1  3 (24 ports each)  66
Total Nodes Connected  128
4.1.3 Interconnections
Initial Points  Destination
4.1.4 Network Nodes - Old Building Basement Floor
Room#  Label  Port#  Patch Panel  Department  Connected to  Remarks
NB013  NBF0I5  1  1  Server Room (NB013)  Room number 13 (NB13).  Interconnection to new building.
NB013  NBF0I29  2  2  Server Room (NB013)
NB013  NBF0I53  3  3  Server Room (NB013)
Not assigned  4  free
OB012  OBFBN5  5  1  Archive  Normal
OB012  OBFBN6  6  1  Archive  Normal
OB014  OBFBN7  7  1  Archive  Normal
OB014  OBFBN8  8  1  Archive  Normal
OB014  OBFBN9  9  1  Archive  Normal
OB014  OBFBN10  10  1  Archive  Normal
OB014  OBFBN11  11  1  Archive  Normal
OB014  OBFBN12  12  1  Archive  Normal
OB025  OBFBN13  13  1  Archive  Switch port 19  Normal
OB025  OBFBN14  14  1  Archive  Normal
OB016  OBFBN15  15  1  Finance  Normal
OB016  OBFBN16  16  1  Finance  Switch port 8  Normal
OB026  OBFBN17  17  1  Human Resource Dev.  Normal
OB026  OBFBN18  18  1  Human Resource Dev.  Switch port 18  Normal
OB09A  OBFBN19  19  1  Finance  Normal
OB227  OBF2I51  20  1  Switch to port 20  Normal (interconnected to 227)
OB09A  OBFBN21  21  1  Finance  switch port 21  Normal
OB227  OBF2I52  22  1  Switch port 16  Normal (interconnected to 227)
OB09A  OBFBN23  23  1  Finance  Switch port 23  Normal
OB09B  OBFBN24  24  1  Finance  Switch port 24  Normal
Switch Ports: 1RN124, 11RN122, 12RN119, 13RN125, 15RN123 are directly connected to
second floor.
4.1.5 Network Nodes - Old Building First Floor
Room#  Label  Port#  Patch Panel  Department  Connected to  Remarks
NB013  NBF0I6  1  1  Server Room (NB013)  Gigabit Port  Interconnection
NB013  NBF0I30  2  2  Server Room (NB013)  Interconnection
NB013  NBF0I54  3  3  Server Room (NB013)  Interconnection
Not assigned  4  Free
OB102  OBF1N5  5  1  Procu. & General Servi.  Switch port 5  Normal
OB102  OBF1N6  6  1  Procu. & General Servi.  Normal
OB105  OBF1N7  7  1  UNESCO  Switch port 7  Normal
OB105  OBF1N8  8  1  UNESCO  Normal
OB109  OBF1N9  9  1  UNESCO  Switch port 9  Normal
OB109  OBF1N10  10  1  UNESCO  Normal
OB115  OBF1N11  11  1  Procu. & General Servi.  Normal
OB115  OBF1N12  12  1  Procu. & General Servi.  Switch port 12  Normal
OB118  OBF1N13  13  1  Procu. & General Servi.  Normal
OB118  OBF1N14  14  1  Procu. & General Servi.  Normal
OB121  OBF1N15  15  1  Higher Edu. State Minis.  Normal
OB121  OBF1N16  16  1  Higher Edu. State Minis.  Switch port 16  Normal
OB128  OBF1N17  17  1  Higher Edu. State Minis.  Switch port 17  Normal
OB128  OBF1N18  18  1  Higher Edu. State Minis.  Switch port 18  Normal
OB130  OBF1N19  19  1  Higher Edu. State Minis.  Switch port 19  Normal
OB130  OBF1N20  20  1  Higher Edu. State Minis.  Switch port 20  Normal
Not assigned  21  1  Not Found
Not assigned  22  1  Not Found
OB144  OBF1N23  23  1  Higher Edu. Exp.  Switch port 23  Normal
OB144  OBF1N24  24  1  Higher Edu. Exp.  Switch port 24  Normal
OB131  OBF1N25  25  2  Finance  Switch port 1  Normal
OB131  OBF1N26  26  2  Finance  Switch port 2  Normal
OB148  OBF1N27  27  2  Higher Edu. Sys.  Normal
OB148  OBF1N28  28  2  Higher Edu. Sys.  Normal
OB149  OBF1N149  29  2  Higher Edu. Sys.  Switch port 3  Normal
OB151  OBF1N151  30  2  Higher Edu. Sys.  Switch port 6  Normal
OB108  OBF1N32  31  2  Procu. & General Servi.  Normal
Not assigned  32  2  Switch port 12  Not found
OB111  OBF1N33  33  2  UNESCO  Switch port 4  Normal
OB143  OBF1N34  34  2  Higher Edu. Expan.  Fault (1&2)
Documentation on UTP outlets (Faceplates) connected to Patch Panel in Old Building Room 131 (continued).
4.1.6 Network Nodes Old Building Second Floor
Documentation on UTP outlets (Faceplates) connected to Patch Panel in Old Building Room 227 (continued).
Not assigned 47 2 Free
Not assigned 48 2 Free
Not assigned 49 3 Free
OB213 OBF2N50 50 3 Minister 2nd switchport 4 Normal
OB014 OBFBI3 51 3 PatchPanel Normal
OB014 OBFBI4 52 3 PatchPanel Normal
OB202 OBF2N53 53 3 Gender&Edu. Equity Normal
Not assigned 54 3 Normal
OB220 OBF2N55 55 3 Normal
OB221 OBF2N56 56 3 minister 2nd switchport 6 Normal
OB238 OBF2N57 57 3 TeacherDevel. Program Normal
OB238 OBF2N58 58 3 TeacherDevel. Program 2nd switchport 8 Normal
OB245 OBF2N59 59 3 GeneralEdu.State Min. Normal
OB245 OBF2N60 60 3 GeneralEdu.State Min. 2nd switchport 10 Normal
OB245 OBF2N61 61 3 GeneralEdu.State Min. 2nd switchport 14 Normal
OB245 OBF2N62 62 3 GeneralEdu.State Min. Normal
OB302A OBF2N63 63 3 AuditService 2nd switchport 11 Normal
OB302B OBF3N64 64 3 AuditService Normal
OB303 OBF3N65 65 3 AuditService Normal
OB306 OBF3N66 66 3 LegalService Normal
OB307 OBF3N67 67 3 LegalService Normal
OB301 OBF3N68 68 3 LegalService Normal
Not assigned 69 3 Notassigned Notfound
OB329 OBF3N70 70 3 Minister 2nd switchport 5 Normal
OB332 OBF3N71 71 3 Minister(HIV) 2nd switchport 23 Normal
Not assigned 72 3 Free
NB: 7 wires go down to basement (Port# 1, 2, 3, 41, 42, 43, 44, 51, and 52)
4.2 New Building Documentation
4.2.1 Rack Diagrams
4.2.2 Switches and Patch Panels location (New Building)
Room# No.ofSwitches No.ofPatchPanels No.ofNodes(Connected)
NB013 2 3(24portseach) 52
NB019 2 4(24portseach) 96
NB112 1 1(24portseach) 24
NB212 1 1(24portseach) 24
NB417 1 1(24portseach) 23
Total Nodes Connected 219
4.2.3 Interconnections
Initial Points Destination
4.2.4 Network Nodes New Building Ground Floor
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 013.
Room# Label Port# Patch Department Connectedto Remarks
NB19 INTNBF019 1 1 TrainingRoom NB0196corswi. Interconnection
NB112 INTNBF1 2 1 FirstFloor(NB112) NB1127core Interconnection
NB212 INT.CoNBF2 3 1 SecondFloor NB2128core Interconnection
NB331 INTERNBF3N1 4 1 3rd Floor NB3129core Interconnection
OB014 INTEROBF0N1 5 1 Archive(OB014) . Interconnection
OB131 INTEROBF1N1 6 1 Finance(OB131) . Interconnection
OB227 INTEROBF3N1 7 1 OB227 Interconnection
NB013 NBF0N8 8 1 ServerRoom/New 20Coreswitch Normal
NB013 NBF0N9 9 1 ServerRoom/New Normal
NB013 NBF0N10 10 1 ServerRoom/New 16CoreSwitch Normal
NB013 NBF0N11 11 1 ServerRoom/New Normal
NB013 NBF0N12 12 1 ServerRoom/New 21CoreSwitch Normal
NB013 NBF0N13 13 1 ServerRoom/New Normal
NB013B NBFON14 14 1 ServerRoom/New Normal
NB013B NBF0N15 15 1 ServerRoom/New Normal
NB015 NBF0N16 16 1 MOEICTDep. 11Switch2960 Normal
NB015 NBF0N17 17 1 MOEICTDep. 13Switch2960 Normal
NB015 NBF0N18 18 1 MOEICTDep. Normal
NB015 NBF0N19 19 1 MOEICTDep. Normal
NB015B NBF0N20 20 1 MOEICTDep. Normal
NB015B NBF0N21 21 1 MOEICTDep. Normal
NB417 NBF0N22 22 1 NotKnown NB41710core switch Interconnection
NB417 NBF0N21 23 1 NotKnown NB41721core switch Interconnection
Not 24 free Interconnection
NB19 INTNBF019 25 TrainingRoom NB01 NB0195core switch Interconnection
NB112 INTNBF1 26 NB112 Interconnection
NB212 INT.CoNBF2 27 NB212 Interconnection
NB331 INTERNBF3N1 28 BessoNetwork NB3129core switch Interconnection
OB014 INTEROBF0N1 29 2 Patchpanel1 OB0142core switch Interconnection
OB131 INTEROBF1N1 30 2 Patchpanel1 OB1313core switch Interconnection
OB227 INTEROBF3N1 31 2 Patchpanel1 OB2274core switch Interconnection
NB13 INTNBF019 32 2 1 5coreswitch Normal
NB13 INTNBF1 33 2 1 15coreswitch Normal
NB13 INT.CoNBF2 34 2 2 9switch2960 Normal
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 013 (continued).
Room# Label Port# Patch Department Connectedto Remarks
NB13 NBF0N35 35 2 ServerRoom Normal
NB13 NBF0N36 36 2 ServerRoom Normal
NB13 NBF0N37 37 2 ServerRoom Normal
NotFound NBF0N38 38 2 Notfound
NB13B NBF0N39 39 2 ServerRoom Normal
NB15 NBF0N40 40 2 MOEICTDep. Normal
NB15 NBF0N41 41 2 MOEICTDep. 72960 Normal
NB15 NBF0N42 42 2 MOEICTDep. Normal
NB15 NBF0N43 43 2 MOEICTDep. Normal
NB15 NBF0N44 44 2 MOEICTDep. Normal
NB15 NBF0N45 45 2 MOEICTDep. Normal
NotAssig 46 2 Free
NotAssig 47 2 Free
NotAssig 48 2 Free
NB19 INT 49 3 Training NB019 Interconnection
NB112 INTNBF1 50 3 1stFloor(NB112) NB112 Interconnection
NB212 INT.Co 51 3 2ndFloor(NB212) NB212 Interconnection
NB331 INTER 52 3 3rdFloor(NB331) NB312 Interconnection
OB014 INTER 53 3 OldBuilding(OB014) OB014 Interconnection
OB131 INTER 54 3 OldBuilding(OB131) OB131 Interconnection
OB227 INTEROBF3N1 55 3 OldBuilding(OB227) OB227 Interconnection
Notassig 56 3 Free
Notassig 57 3 Free
Notassig 58 3 Free
Notassig 59 3 Free
Notassig 60 3 Free
Notassig 61 3 Free
Notassig 62 3 Free
Notassig 63 3 Free
Notassig 64 3 Free
Notassig 65 3 Free
Notassig 66 3 Free
Notassig 67 3 Free
Notassig 68 3 Free
Notassig 69 3 Free
Notassig 70 3 Free
Notassig 71 3 Free
Notassig 72 3 Free
4.2.5 Network Nodes New Building Ground Floor Training Room
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 19.
Room# Label Port Patch Department Connectedto Remarks
NB013 1 1 ServerRoom Interconnection
NB013 2 1 ServerRoom Gigabit2nd Interconnection
NB013 3 1 ServerRoom Gigabit1st Interconnection
Not 4 1 Notfound
NB7Hall NBFGTN5 5 1 Conference Normal
NB7Hall NBFGTN6 6 1 Conference Normal
NB010 NBFGTN7 7 1 Planning 1stSwitchPort Normal
NB010 NBFGTN8 8 1 Planning Faulty
Not 9 1 ROOMNO.9 Notfound
Not 10 1 ROOMNO.9 Notfound
NB NBFGTN11 11 1 UNESCO Normal
NB NBFGTN12 12 1 UNESCO Normal
NB011 NBFGTN13 13 1 Planning/ESDP Normal
NB011 NBFGTN14 14 1 Planning/ESDP 2ndSwitchPort Normal
NB011 NBFGTN15 15 1 Planning/ESDP Normal
NB011 NBFGTN16 16 1 Planning/ESDP Normal
NB011 NBFGTN17 17 1 Planning/ESDP Normal
NB011 NBFGTN18 18 1 Planning/ESDP 2ndSwitchPort Normal
NB011 NBFGTN19 19 1 Planning/ESDP Normal
NB011 NBFGTN20 20 1 Planning/ESDP Normal
NB012 NBFGTN21 21 1 Planning/ESDP 2ndSwitchPort Normal
NB012 NBFGTN22 22 1 Planning/ESDP 2ndSwitchPort Normal
NB014 NBFGTN23 23 1 Planning/ESDP 2ndSwitchPort Normal
NB014 NBFGTN24 24 1 Planning/ESDP 1stSwitchPort Normal
NB014 NBFGTN25 25 2 Planning/ESDP 1stSwitchPort Normal
NB014 NBFGTN26 26 2 Planning/ESDP 1stSwitchPort2 Normal
NB016 NBFGTN27 27 2 Ground/AED 2ndSwitchPort Normal
NB016 NBFGTN28 28 2 Ground/AED Normal
NB017 NBFGTN29 29 2 Ground/AED 2ndSwitchPort Normal
NB017 NBFGTN30 30 2 Ground/AED 2ndSwitchPort Normal
NB017 NBF4N31 31 2 Ground/AED Normal
NB017 NBF4N32 32 2 Ground/AED Normal
NB017 NBF4N33 33 2 Ground/AED 2ndSwitchPort Normal
NBF4N32 NBF4N34 34 2 Ground/AED Normal
Room# Label Port# PatchPanel Department Remarks
NB18 NBFGTN35 35 2 Ground/AED telephone
NB18 NBFGTN36 36 2 Ground/AED Normal2ndSwitchPort16
NB18 NBFGTN37 37 2 Ground/AED Normal
NB18 NBFGTN38 38 2 Ground/AED Normal2ndSwitchPort14
NB18 NBFGTN39 39 2 Ground/AED Normal2ndSwitchPort18
NB18 NBFGTN40 40 2 Ground/AED Normal2ndSwitchPort20
NB18 NBFGTN41 41 2 Ground/AED Normal2ndSwitchPort22
NB18 NBFGTN42 42 2 Ground/AED telephone
NB19 NBFGTN43 43 2 TrainingroomGround Normal2ndSwitchPort17
NB19 NBFGTN44 44 2 TrainingroomGround Normal
NB19 NBFGTN45 45 2 TrainingroomGround Normal
NB19 NBFGTN46 46 2 TrainingroomGround Normal
NB19 NBFGTN47 47 2 TrainingroomGround Normal1stSwitchPort5
NB19 NBFGTN48 48 2 TrainingroomGround Normal1stSwitchPort1
NB19 NBFGTN49 49 3 TrainingroomGround Normal1stSwitchPort7
NB19 NBFGTN50 50 3 TrainingroomGround Normal1stSwitchPort3
NB19 NBFGTN51 51 3 TrainingroomGround Normal1stSwitchPort4
NB19 NBFGTN52 52 3 TrainingroomGround Normal1stSwitchPort6
NB19 NBFGTN53 53 3 TrainingroomGround Normal1stSwitchPort9
NB19 NBFGTN54 54 3 TrainingroomGround Normal1stSwitchPort8
NB19 NBFGTN55 55 3 TrainingroomGround Normal1stSwitchPort11
NB19 NBFGTN56 56 3 TrainingroomGround Normal1stSwitchPort12
NB19 NBFGTN57 57 3 TrainingroomGround Normal1stSwitchPort10
NB19 NBFGTN58 58 3 TrainingroomGround Normal
NB19 NBFGTN59 59 3 TrainingroomGround Normal1stSwitchPort13
NB19 NBFGTN60 60 3 TrainingroomGround Normal1stSwitchPort14
NB19 NBFGTN61 61 3 TrainingroomGround Normal
NB19 NBFGTN62 62 3 TrainingroomGround Normal
NB20 NBFGTN63 63 3 NotKnown Normal 1stSwitchPort19
NB20 NBFGTN64 64 3 NotKnown Normal
NB21 NBFGTN65 65 3 Hardware&Maintenance Normal
NB21 NBFGTN63 66 3 Hardware&Maintenance Normal
Notassign 67 3 Notfound/helpdesk
Notassign 68 3 Notfound/helpdesk
NBFB NBFGT69 69 3 DocumentationRoom
NBFB NBFGT70 70 3 DocumentationRoom
NBFB NBFGT71 71 3 DocumentationRoom
NBFB NBFGT72 72 3 DocumentationRoom
73 4 Telephone lines come from third floor AED department.
74 4 Telephone lines come from third floor AED
75 4
76 4
77 4
Ports 73-77, Room#/Label: Telephone lines come from third floor BESO AED department.
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 019 (continued).
Room# Label Port# PatchPanel Department Remarks
78 4
79 4
80 4
81 4
82 4
83 4
84 4
Ports 78-84, Room#/Label: Telephone lines come from third floor BESO AED department.
Ports 78-84, Remarks: Telephone lines come from third floor BESO AED department. Some of these lines are connected to BESO AED department in room numbers 16, 17 & 18.
Notassigned 85 4 NotFound
Notassigned 86 4 NotFound
Notassigned 87 4 NotFound
Notassigned 88 4 NotFound
NB18 NBFGTN89 89 4 Ground/BESO telephone
NB18 NBFGTN90 90 4 Ground/BESO telephone
Notassigned 91 4 NotFound
Notassigned 92 4 NotFound
NB18 NBFGTN93 93 4 Ground/BESO Normal
NB18 NBFGTN94 94 4 Ground/BESO Normal
NB18 NBFGTN95 95 4 Ground/BESO Normal
NB18 NBFGTN96 96 4 Ground/BESO Normal2ndSwitchPort24
4.2.6 Network Nodes New Building First Floor
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 112.
Room# Label Port Patch Department Connectedto Remarks
NB112 NBF1I5 1 1 NB013Gigabit Interconnection
NB112 NBF1I 2 1 NB013 Interconnection
NB116 NBF1N3 3 1 Library1st SwitchPort3 Normal
NB116 NBF1N4 4 1 Library1st SwitchPort4 Normal
NB114 NBF1N5 5 1 TVET Normal
NB114 NBF1N6 6 1 TVET Normal
NB114 NBF1N7 7 1 TVET Normal
NB114 NBF1N8 8 1 TVET SwitchPort8 Normal
NB115 NBF1N9 9 1 Library1st SwitchPort9 Normal
NB115 10 1 Library1st Normal
NB121 11 1 TVET SwitchPort11 Normal
NB121 NBF1N12 12 1 TVET Normal
NB122 NBF1N13 13 1 TVET SwitchPort13 Normal
NB122 NBF1N14 14 1 TVET Normal
NB126 NBF1N15 15 1 TVET SwitchPort15 Normal
NB126 NBF1N16 16 1 TVET SwitchPort16 Normal
NB130 NBF1N17 17 1 TVET SwitchPort17 Normal
NB130 NBF1N18 18 1 TVET Normal
NotAssigned 19 1 TVET NotFound/128
NotAssigned 20 1 TVET NotFound/128
NB125 NBF1N21 21 1 TVET SwitchPort12 Normal
NB125 NBF1N22 22 1 TVET Normal
NotAssigned 19 1 TVET SwitchPort23 NotFound/128
NB116 NBF1N24 24 1 Library1st SwitchPort24 Normal
NB116 NBF1N25 Library 1st floor Direct connection to switch port,
4.2.7 Network Nodes New Building Second Floor
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 212.
Room# Label Port# PatchPanel Department Remarks
NB13 NBF2I 1 1 TVET Interconnected to NB013, Connected to switch Port 1
2 1 TVET Interconnected to NB013, Connected to switch Port 1
NB213 NBF2N3 3 1 TVET Normal, Connected to switch Port 3
NB213 NBF2N4 4 1 TVET Normal
NB211B NBF2N5 5 1 TVET Normal, Connected to switch Port 5
NB211B NBF2N6 6 1 TVET Normal, Connected to switch Port 6
NB214 NBF2N7 7 1 TVET Normal, Connected to switch Port 7
NB214 NBF2N8 8 1 TVET Normal, Connected to switch Port 8
Disconnected. 9 1 Disconnected and nodes in room numbers 215 & 216 are connected to GTZ network.
Disconnected. 10 1 Disconnected and nodes in room numbers 215 & 216 are connected to GTZ network.
NB224 11 1 TVET
NB217 NBF2N12 12 1 TVET Normal, Connected to switch Port 12
NB224 NBF2N13 13 1 TVET Normal
NB217 NBF2N14 14 1 TVET Normal, Connected to switch Port 14
NB223 NBF2N15 15 1 TVET Normal
NB223 NBF2N16 16 1 TVET Normal, Connected to switch Port 16
Disconnected. 17 1 Disconnected and nodes in room numbers 215 & 216 are connected to GTZ network.
Disconnected. 18 1 Disconnected and nodes in room numbers 215 & 216 are connected to GTZ network.
NB227 NBF2N19 19 1 TVET Normal
NB227 NBF2N20 20 1 TVET Normal, Connected to switch Port 20
NB228 NBF2N21 21 1 TVET Normal
NB228 NBF2N22 22 1 TVET Normal
NB211A NBF2N23 23 1 TVET Normal, Connected to switch Port 23
NB211A NBF2N24 24 1 TVET Normal
NB253 NBF2N25 25 TVET Direct connection to switch port 15
4.2.8 Network Nodes New Building Fourth Floor
Documentation on UTP outlets (Faceplates) connected to Patch Panel in New Building Room Number 417.
Room# Label Port# PatchPanel Department Connectedto Remarks
415 NBF4N1 1 1 Planning Switchport1 Normal
415 NBF4N1 2 1 Planning Switchport2 Normal
415 NBF4N1 3 1 Planning Switchport3 Normal
4 1 Switchport4 Notfound
416 NBF4N1 5 1 Planning Switchport5 Normal
416 NBF4N1 6 1 Planning Switchport6 Normal
416 NBF4N1 7 1 Planning Switchport7 Normal
416 NBF4N1 8 1 Planning Switchport8 Normal
9 1 Switchport9 Notfound
10 1 Switchport10 Notfound
11 1 free free
12 1 Switchport12 Notfound
418 NBF4N13 13 1 Planning Switchport13 Normal
418 NBF4N14 14 1 Planning Switchport14 Normal
412 NBF4N15 15 1 Planning Switchport15 Normal
412 NBF4N16 16 1 Planning Switchport16 Normal
412 NBF4N17 17 1 Planning Switchport17 Normal
413 NBF4N18 18 1 Planning Switchport18 Normal
413 NBF4N19 19 1 Planning Switchport19 Normal
413 NBF4N20 20 1 Planning Switchport20 Normal
21 1 Switchport21 Notfound
414 NBF4N22 22 1 Planning Switchport22 Normal
23 1 Switchport23 Notfound
414 NBF4N24 24 1 Planning Switchport24 Normal
4.3 Switch Port Usage
The following two tables give information about the current usage of access switch ports and
available ports for future expansion.
4.3.1 Old Building Port Usage
Type Label Location AvailableFreePorts No.ofAvailablePorts
Cisco2960 MOESWOBFB OB014 2,3,4,5,6,7,9,10,14,16,17,20,22 13
Total Available Free Ports 56
4.3.2 New Building Port Usage
Type Label Location AvailableFreePorts No.ofAvailablePorts
Cisco3560 CoreSwitch NB013 Core Switch
NBFGT1
Total Available Free Ports 68
Network Design (MOE)
March 2010
DESIGN
TABLE OF CONTENTS
1 DETAIL DESIGN IN MOE
1.1 NETWORK STRUCTURE DESIGN
1.2 CABLING DESIGN
1.3 NETWORK ELEMENT (NE) QUANTITY
1.4 TRAFFIC FLOW
1.5 NAMING CONVENTION
1.6 VLAN PLANNING
1.7 IP PLANNING
1.8 SECURITY
1.9 DHCP DESIGN
1.10 QOS DESIGN
2 ATTACHMENTS
For the detail, please refer to the attachment document Cabling Design Drawing.
NE-TYPE QUANTITY
AR29 1
EUDEMON 1000E 1
S5300 2
S3300 12
Wireless Network Bridge 1
[Figure: network diagram. Labels: EPON; AR29 Router; Eudemon 1000 Firewall; SoftCo 5816 IPPBX; ViewPoint, VC Room; 1*L2 Link, 100Base-T (twice); twelve S3300 Access Switches (New Building: Ground, 1st, 2nd, 2nd, 3rd Floor; Old Building: Basement, Ground, 1st, 1st, 2nd, 3rd, 3rd Floor).]
Traffic Flow
According to the above diagram, all the traffic going out to the MPLS network will go through the
EPON uplink as the primary link (blue path). All the traffic will automatically switch to the
wireless bridge in the case of EPON link failure (red path).
Traffic switchover will be done dynamically by the routing protocol. Once the routing
protocol detects an EPON link failure, it will route the traffic to the wireless bridge, and it will
re-route back to the EPON link once the link is back to normal.
A = Site Name
B = Building
C = Floor
D = Model Number
F = Equipment Type
G = Equipment Count
1.7 IP Planning
IP Summary(HQ)
IP Mask Vlan
MOE Major IP 172.20.0.0/16 255.255.0.0
MOE HQ 172.20.0.0/19 255.255.224.0
New Building ( 172.20.0.0/21)
Interface IP 172.20.0.0/25 255.255.255.128
VOIP IP 172.20.0.128/25 255.255.255.128 10
VC IP 172.20.1.0/25 255.255.255.128 20
Server IP 172.20.1.128/25 255.255.255.128 30
Basement & Ground 172.20.2.0/25 255.255.255.128 100
1st Floor 172.20.3.0/25 255.255.255.128 110
2nd Floor 172.20.3.128/25 255.255.255.128 120
3rd Floor 172.20.4.0/25 255.255.255.128 130
Spare 172.20.4.128/25 255.255.255.128
Spare 172.20.5.0/25 255.255.255.128
Spare 172.20.5.128/25 255.255.255.128
Spare 172.20.6.0/25 255.255.255.128
Spare 172.20.6.128/25 255.255.255.128
Spare 172.20.7.0/25 255.255.255.128
Spare 172.20.7.128/25 255.255.255.128
Old Building(172.20.8.0/22)
Basement & Ground 172.20.8.0/25 255.255.255.128 200
1st Floor 172.20.9.0/25 255.255.255.128 210
2nd Floor 172.20.9.128/25 255.255.255.128 220
3rd Floor 172.20.10.0/25 255.255.255.128 230
Spare 172.20.10.128/25 255.255.255.128
Spare 172.20.11.0/25 255.255.255.128
Spare 172.20.11.128/25 255.255.255.128
Management IP
New bld Ground Floor 192.168.0.1
New bld 1st Floor 192.168.0.11
New bld 2nd Floor 192.168.0.21
New bld 2nd Floor -Sw2 192.168.0.22
New bld 3rd Floor 192.168.0.31
Old Bld Basement 192.168.0.100
Old Bld Ground Floor 192.168.0.101
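As an added check (not part of the original design document), the Python sketch below audits the IP Summary (HQ) table above: it confirms that every subnet sits inside its building block, that no subnets overlap, and it lists the /25s in each block that the table does not mention. The rows are transcribed from the table; the function and field names are this example's own.

```python
import ipaddress
from collections import Counter
from itertools import combinations

MAJOR, HQ = "172.20.0.0/16", "172.20.0.0/19"
BLOCKS = {"New Building": "172.20.0.0/21", "Old Building": "172.20.8.0/22"}

# (block, purpose, subnet, VLAN or None), transcribed from the IP Summary (HQ) table.
PLAN = [
    ("New Building", "Interface IP", "172.20.0.0/25", None),
    ("New Building", "VOIP IP", "172.20.0.128/25", 10),
    ("New Building", "VC IP", "172.20.1.0/25", 20),
    ("New Building", "Server IP", "172.20.1.128/25", 30),
    ("New Building", "Basement & Ground", "172.20.2.0/25", 100),
    ("New Building", "1st Floor", "172.20.3.0/25", 110),
    ("New Building", "2nd Floor", "172.20.3.128/25", 120),
    ("New Building", "3rd Floor", "172.20.4.0/25", 130),
    ("Old Building", "Basement & Ground", "172.20.8.0/25", 200),
    ("Old Building", "1st Floor", "172.20.9.0/25", 210),
    ("Old Building", "2nd Floor", "172.20.9.128/25", 220),
    ("Old Building", "3rd Floor", "172.20.10.0/25", 230),
]
PLAN += [("New Building", "Spare", s, None) for s in (
    "172.20.4.128/25", "172.20.5.0/25", "172.20.5.128/25", "172.20.6.0/25",
    "172.20.6.128/25", "172.20.7.0/25", "172.20.7.128/25")]
PLAN += [("Old Building", "Spare", s, None) for s in (
    "172.20.10.128/25", "172.20.11.0/25", "172.20.11.128/25")]


def audit(plan, blocks=BLOCKS, hq=HQ, major=MAJOR):
    """Return the findings for an address plan as a dict of lists."""
    net = ipaddress.ip_network
    block_nets = {name: net(cidr) for name, cidr in blocks.items()}
    rows = [(blk, name, net(cidr), vlan) for blk, name, cidr, vlan in plan]

    # Major net must contain HQ, and HQ must contain every building block.
    hierarchy_ok = net(hq).subnet_of(net(major)) and all(
        b.subnet_of(net(hq)) for b in block_nets.values())
    # Every subnet must fall inside the block it is listed under.
    outside = [f"{name} {n}" for blk, name, n, _ in rows
               if not n.subnet_of(block_nets[blk])]
    # No two rows may share address space.
    overlaps = [(str(a[2]), str(b[2])) for a, b in combinations(rows, 2)
                if a[2].overlaps(b[2])]
    # /25s of each block that no row covers: unaccounted address space.
    unlisted = {blk: [str(s) for s in b.subnets(new_prefix=25)
                      if not any(s.overlaps(r[2]) for r in rows)]
                for blk, b in block_nets.items()}
    # A VLAN ID used by more than one row.
    counts = Counter(r[3] for r in rows if r[3] is not None)
    duplicate_vlans = sorted(v for v, c in counts.items() if c > 1)
    return {"hierarchy_ok": hierarchy_ok, "outside_block": outside,
            "overlaps": overlaps, "unlisted": unlisted,
            "duplicate_vlans": duplicate_vlans}


if __name__ == "__main__":
    for key, value in audit(PLAN).items():
        print(f"{key}: {value}")
```

Run against the table as printed, the only findings are two /25s that the plan does not list: 172.20.2.128/25 in the New Building block and 172.20.8.128/25 in the Old Building block.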
1.8 Security
In the Ethiopia network, we design several different zones in the firewalls. They are
TRUST and UNTRUST. The inside of the firewall is in the TRUST zone; the IP/MPLS backbone
and other outside domains are in the UNTRUST zone. As the network changes,
we can define other personal zones in the future.
Allow SNMP
Attack defense
Normally, network attacks intrude on or destroy network servers (hosts) to steal the
sensitive data on servers or interrupt server services. There are also network
attacks that directly destroy network devices, which can make network services
abnormal or even put them out of service. The attack defense of the firewall can detect various
types of network attacks and take measures to protect internal networks from
malicious attacks. As a result, the firewall can assure the normal operation of the
internal networks and systems. The proposed attack defense is presented below:
Firewall Design (MoE)
V3, 30 November 2011
TABLE OF CONTENTS
1. FIREWALL
1.1 FIREWALL DESIGN
1.2 FIREWALL ZONES
1.3 FIREWALL OPERATION MODES
1.4 PACKET FILTERING POLICY
1.5 ATTACK DEFENSE
1.6 IPS & AV
2. SWITCH & ROUTER
2. Firewall Zones
The firewall will be configured with four zones: INTERNAL, DMZ, WOREDANET, and UNTRUST.
The inside of the firewall is INTERNAL, the VPN connection to NDC is in the
WOREDANET zone, the Internet connection is in the UNTRUST zone, and servers which are accessible
from WOREDANET, UNTRUST and INTERNAL are located in the DMZ zone.
The operation mode of the firewall will be route mode. In this mode, interfaces on the Eudemon will be
configured with IP addresses.
Packet filtering is a network security protection mechanism. It is used to control the inbound and outbound
data between networks at different security levels. A series of filter rules is needed to filter data packets;
these are applied as ACL-defined filter rules between different zones in the firewall.
The initial operational packet filtering policy is presented below. As far as possible, symbolic names
are used for the Service Sets (i.e., groups of TCP and UDP ports that have to be opened) and for the
Address Sets (the address groups to which the Service Sets must be applied).
ADDRESS SETS
Default Routing
By default, Source Address Based Policy Routing is applied:
From 172.20.0.0/20 to 0.0.0.0 use default route via eGovernment network (WOREDANET)
From 172.20.16.0/20 to 0.0.0.0 use default route via MoE leased line (UNTRUST) (all internal Source Addresses are
PATed behind the Hiding Address)
Calamity Routing
If the circuit to UNTRUST goes down, all routing is via WOREDANET;
If the circuit to WOREDANET goes down, all routing is via UNTRUST (all internal Source Addresses are
PATed behind the Hiding Address)
5. Attack defense
Normally, network attacks intrude on or destroy network servers (hosts) to steal the
sensitive data on servers or interrupt server services. There are also network
attacks that directly destroy network devices, which can make network services
abnormal or even put them out of service. The attack defense of the firewall can detect various
types of network attacks and take measures to protect internal networks from
malicious attacks. As a result, the firewall can assure the normal operation of the
internal networks and systems. The proposed attack defense is presented below:
In addition, to assure the normal operation of the intranets and internal
systems, the Eudemon 1000E will be configured to provide Special Packet Control such
as large-icmp, icmp-redirect, icmp-unreachable, route-record and tracert.
IPS signatures describe the characteristics of the attack behaviors existing on
networks. The Eudemon 1000E compares the contents of packets with IPS signatures to
detect and defend against attacks. Once attacks are identified, the response modes of
alert and block are available.
Unless there are special requirements, the IPS policy will refer to the default template.
Anti Virus
The Eudemon 1000E provides an abundant virus database. By comparing scanned files
with the features in the virus database, the Eudemon 1000E identifies whether the files
contain viruses. The Eudemon 1000E then processes the files infected with viruses
according to the processing modes configured in the AV policies.
IPS and Anti Virus databases are scheduled to be updated online daily at midnight.
Preventing the bogus DHCP server attack: by configuring an interface as trust or untrust
Preventing the DHCP exhaustion attack: by configuring a MAC address limit on the interface
Preventing the attack of sending bogus messages to extend IP address leases: by checking whether the
DHCP request messages have matching entries in the DHCP snooping binding table
Preventing users from using a static IP address unless it is included in the Static Binding Table
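The four DHCP protections listed above, modelled as an added example (not taken from the original document or from the switch vendor's implementation). The `DhcpSnooper` class, the message fields, the port names, the MAC addresses and the limit of 2 are constructed for illustration; only the 172.20.2.0/25 addresses come from the IP plan on this page.

```python
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    """Simplified model of one access switch applying the four checks."""

    def __init__(self, trusted_ports, mac_limit, static_bindings=()):
        self.trusted = set(trusted_ports)    # ports facing the real DHCP server
        self.mac_limit = mac_limit           # max client MACs learned per untrust port
        self.static = set(static_bindings)   # admin-entered (mac, ip, port) tuples
        self.macs = defaultdict(set)         # port -> MACs learned on it
        self.pending = {}                    # mac -> port with a request in flight
        self.bindings = {}                   # mac -> (ip, port), learned from ACKs

    def handle(self, port, kind, mac, ip=None):
        """mac is the client MAC; ip is yiaddr (ACK), ciaddr (renewal) or source IP (DATA)."""
        if port in self.trusted:
            # Only an ACK seen on a trust port creates a snooping binding.
            if kind == "ACK" and mac in self.pending:
                self.bindings[mac] = (ip, self.pending.pop(mac))
            return "forward"
        # 1. Bogus DHCP server: server messages never enter on an untrust port.
        if kind in SERVER_MESSAGES:
            return "drop: server message on untrust port"
        # 2. DHCP exhaustion: cap the number of client MACs per interface.
        if mac not in self.macs[port] and len(self.macs[port]) >= self.mac_limit:
            return "drop: MAC limit reached"
        self.macs[port].add(mac)
        if kind == "DISCOVER" or (kind == "REQUEST" and ip is None):
            self.pending[mac] = port
            return "forward"
        # 3. Lease extension: a renewal must match the binding table exactly.
        if kind == "REQUEST":
            if self.bindings.get(mac) != (ip, port):
                return "drop: no matching binding"
            self.pending[mac] = port
            return "forward"
        # 4. Static addresses: data is accepted only from a learned or static binding.
        if kind == "DATA":
            if self.bindings.get(mac) == (ip, port) or (mac, ip, port) in self.static:
                return "forward"
            return "drop: source not in binding tables"
        return "drop: unsupported message"


C1, M1, M2, M3 = (f"00:00:5e:00:53:{n:02x}" for n in (1, 2, 3, 4))
ROGUE, FIXED = "00:00:5e:00:53:0c", "00:00:5e:00:53:0d"
STATIC = [(FIXED, "172.20.2.50", "port6")]

# Constructed event sequence: (port, message kind, client MAC, IP).
EVENTS = [
    ("port1", "DISCOVER", C1, None),
    ("uplink", "OFFER", C1, "172.20.2.10"),
    ("port1", "REQUEST", C1, None),
    ("uplink", "ACK", C1, "172.20.2.10"),
    ("port2", "OFFER", C1, "192.0.2.1"),       # bogus server on a user port
    ("port1", "REQUEST", C1, "172.20.2.10"),   # genuine renewal
    ("port3", "REQUEST", C1, "172.20.2.10"),   # forged renewal from another port
    ("port4", "DISCOVER", M1, None),
    ("port4", "DISCOVER", M2, None),
    ("port4", "DISCOVER", M3, None),           # third MAC on a port limited to 2
    ("port1", "DATA", C1, "172.20.2.10"),
    ("port5", "DATA", ROGUE, "172.20.2.99"),   # self-assigned static address
    ("port6", "DATA", FIXED, "172.20.2.50"),   # address in the static binding table
]


def run(events, trusted=("uplink",), mac_limit=2, static=STATIC):
    switch = DhcpSnooper(trusted, mac_limit, static)
    return [switch.handle(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(event[0], event[1], "->", verdict)
```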
Content Management of i-site, info.moe.gov.et and textbook.moe.gov.et
Hans, 21 July; adapted, 6 December 2011; re-adapted 13 February 2012.
Contents
1 Introduction
2 Prerequisites
3 Structure of the sites - common features and differences
4 Content Management - General
5 Content Management - adapt a page
6 Content Management - create a new page
1 Introduction
i-site is the MoE Intranet service. It can be accessed from within the MoE premises only. It resides on
MoE-HP-4 with address 172.20.1.132, in the Huawei-connected Server Farm at MoE.
To access it, typing i-site in the URL is sufficient.
i-site is reachable from all other MoE establishments: NAE, HERQA, CEICT/Mexico, via the
eGovernment Network. It can be considered to make i-site accessible also from other Ministries and
Organisations within the eGovernment network. To do that, i-site.local.moe.gov would have to be
defined in the eGovernment DNS (or Ministry DNSes), and the Eudemon Firewalls at the various
Ministries would have to be configured to let traffic to the i-site server pass.
On i-site, a webmaster email account is displayed: isite.MoE@gmail.com . Users sometimes send
mail to this account, which therefore must be checked periodically.
info.moe.gov.et is the MoE Supplementary Website. It can be accessed from within the MoE
premises and via the Internet. Until February 2012 it resides on MoE-HP3 in the DMZ of MoE
Headquarters, accessible at address 213.55.93.148. After February 2012 Info is one of the Virtual
Servers on one physical HP DL380 server in the National Data Centre. The server is assigned to MoE;
details in section 11 of this document. Info's external address there is 213.55.98.13.
The reason to maintain info.moe.gov.et next to the Portal, www.moe.gov.et is that it has facilities
that are not easily reproduced on the Portal, eg the Syllabus pages. Furthermore, there is often
volatile information that is not needed to be on the Portal. Also, it is often faster to first make an
appealing page on info and then if necessary port it to the Portal, than to make it directly on the
Portal. In all cases, the Portal is the first customer entry point, and for some pages the customer is
taken from there to info by means of links.
textbooks.moe.gov.et is the MoE Textbook Distribution site. It resides on the MoE-assigned physical
server in the National Data Centre too, as a virtual server. Its public address is 213.55.98.14. As of
writing, the server is not yet in production as the textbook unit is still formulating the Terms of Use
and any legal issues to be published as Conditions on the site. Also, no textbooks or chapters have
been provided to us. From day 1 of the server's public availability, Google Analytics should be
applied to be able to run overviews of numbers of downloads.
www.moe.gov.et is the MoE Portal, a part of the eGovernment Portal that is shared by 4 Ministries
(MoE, MoFED, MoLSA, MoH). More are supposed to follow in 2012. The Portal is a very ambitious
project that for each Ministry actually consists of multiple interlinked websites. In the case of MoE,
there are 5 target user groups, each with their own information (at least that is the design), and each
of these 5 groups must have all information in 4 languages (English, Amhara, Tigrinha, Oromifa). All
in all actually 20 websites for MoE alone. This ambition may be too high for some time to come.
The content of i-site, info and textbooks is maintained with the program GoLive. The content
management can be run from any PC, but it is best to appoint 1 PC as the Content Management PC,
and always prepare all content there. Advantages: no confusion about the latest version of files, and
the PC always has a complete copy of the entire sites, for calamities and backup. Hans PC will be left
accessible for this purpose. Logon on Hans-PC with password ArbaMinch12. The PC also checks the
email accounts as described above with Outlook. To check the email, start Outlook; Under Inbox you
should see arrange by email account, Z on top (else click on the texts Arranged by and xx on
top).
i-site, info and textbooks contain shtml pages only. As some pages use common sections (menus
etc), Server Side Includes are used; all pages are therefore .shtml pages. Content
management is done by editing the html of a page, or by using one page as a template for another
and just changing html contents. Html content management allows much more flexibility than eg the
Portal, but therefore is also slightly more complex. Portal maintenance is complex too; its complexity
is caused by having to classify all metadata for pages and documents, to be consistent across sites.
2 Prerequisites
The servers must run IIS7, be configured for Server Side Includes, and must allow anybody to access
the root directory of the site (usually /inetpub/wwwroot). The servers must be defined to allow use
of FTP Publishing Services, and the PCs that can maintain contents must be declared in IIS.
The Content Management PC must run GoLive. GoLive has a Site File definition for each of the sites
to be maintained. In that Site File there are a number of settings, identifying the webmaster as
authorized maintainer, identifying the webserver by address, and having ftp preconfigured.
1 Start GoLive
2
MoE Textbooks (for textbooks.moe.gov.et).
GoLive opens the Site Copy that is available on the Content Management PC, and
displays
a. The list of pages on that site (the home page is index.shtml)
b. The list of folders of that site. Important folders:
i. CSS: this contains the look-and-feel definitions. Do not change
ii. Images: this contains images used on a site (banners, logos, pictures)
iii. pdf: this contains PDF-documents that can be requested via this site
iv. other names: you can define any folder with any contents, the sites usually
have these other folders for further document downloads, eg for CPD
(cpdocs), EMIS (emdocs) etc.
3 Create a new page, or edit an existing page, or add a document to one of the folders
4 Publish the new page or the document by highlighting the page or document, and then
clicking Site>Publish Server>Upload. Instantly, an underlying ftp command will transfer
the document to the actual website and it can be referenced from Internet.
5 Note that any new page or new document must be referenced by an existing page by
means of a link; otherwise the users of a website will not find the page or document.
See the next chapters for how to do that.
1 Both sites have the index.shtml as home page. That page refers to a number of pages
and documents, and those pages again refer to other pages and documents, etc.
2 Both sites make use of Include statements. If a page contains an Include statement,
it means that it refers to a separate page (in html this time) which is the same for a
number of pages. For example: ALL pages on i-site have an Include statement for the
horizontal menu. In that way, maintenance of the horizontal menu can be done in one
file (MoEhm), and all pages will automatically include that menu. Also, a group of pages,
eg all pages that are under Institutions on info.moe.gov.et have the same vertical
menu in the left hand side. That vertical menu is also maintained separately and
included in each of those pages with an Include statement
3 The i-site makes use of a horizontal drop-down menu. If you move the cursor over one
element of it, a drop-down list appears with another (vertical) menu. The
info.moe.gov.et does NOT have a horizontal drop-down menu. The reason is, that there
are many different browsers in use in the world, and the older browsers do not properly
handle drop-down (eg Internet Explorer 6). Inside the MoE we can control the browser
version by installing it, but in the Internet we cannot.
4 Content Management - General
You open a page in GoLive by clicking on its name in the left hand side of the GoLive window. A new
window opens with the page content. In the menu bar above the page contents there are 4 options:
layout, source, preview and pdf preview. If you click on source, you see the html code and you can
edit it. If you click on Preview, you see what the page will actually look like. So if you change an
existing page or create a new page, then always check with Preview if the page looks OK before you
publish.
In Preview, the Include statements will not show any data. So the horizontal menu and any other
elements that are Included will not be there. Don't worry, on the real website they will (as long as
those menu files are actually also published).
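A pre-publish check for the two rules above (every Include target must itself be published, and every page or document must be linked from an existing page), written as an added example that is not part of the original documentation. It assumes the Include statements use the standard SSI form `<!--#include virtual="..." -->`; the sample site is constructed, and the `.html` extension on MoEhm and every file name other than index.shtml are assumptions.

```python
import posixpath
import re
import tempfile
from pathlib import Path

# Matches SSI directives (<!--#include virtual="MoEhm.html" -->) and href/src links.
REF_RE = re.compile(r'(#include\s+(?:virtual|file)|href|src)\s*=\s*"([^"#?]+)', re.I)

def resolve(page, target):
    """Site-relative path of `target` as referenced from `page` ("/x" means site root)."""
    base = "" if target.startswith("/") else posixpath.dirname(page)
    return posixpath.normpath(posixpath.join(base, target.lstrip("/")))

def check_site(root, home="index.shtml"):
    """Return (missing include targets, files not reachable from the home page)."""
    files = {p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()}
    missing, reachable, queue = [], set(), [home]
    while queue:
        name = queue.pop()
        if name in reachable or name not in files:
            continue  # already visited, external link, or not in the site copy
        reachable.add(name)
        if not name.lower().endswith((".shtml", ".html", ".htm")):
            continue  # documents, images and CSS are leaves
        text = (Path(root) / name).read_text(encoding="utf-8", errors="replace")
        # Simplification: links inside an included file resolve from that file's folder.
        for kind, target in REF_RE.findall(text):
            path = resolve(name, target)
            if kind.lower().startswith("#include") and path not in files:
                missing.append((name, target))
            queue.append(path)
    return sorted(missing), sorted(files - reachable)

def build_sample_site(root):
    """Constructed sample site copy; only index.shtml and MoEhm are names from the text."""
    pages = {
        "index.shtml": '<!--#include virtual="MoEhm.html" --><a href="cpd.shtml">CPD</a>',
        "MoEhm.html": '<a href="index.shtml">Home</a>',
        "cpd.shtml": '<!--#include virtual="MoEvm.html" --><a href="cpdocs/guide.pdf">Guide</a>',
        "cpdocs/guide.pdf": "%PDF-",
        "cpdocs/new-report.pdf": "%PDF-",  # uploaded but never linked from any page
    }
    for name, body in pages.items():
        (Path(root) / name).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / name).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(check_site(tmp))
```

Run against the Site Copy folder before uploading: the first list names pages whose menu file is absent from the copy, the second names files that no page links to.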
Steps to follow:
1 Identify the name of the page you need to adapt. When accessing i-site, info.moe.gov.et
or textbooks.moe.gov.et , the name of the page you are looking at is in the top of the
browser window.
2 In GoLive, click on the name of that page on the left hand side, and the page will open.
Click the Source button on top of the window, and start editing the page. Normally, you
will need to understand only a bit of html. Mostly, you just copy a relevant other part of
the page, and adapt the text in it. By comparing the html of the page with what you see
on the real website, you will automatically see how eg buttons are made, and how you
can add buttons by just copying sections of the existing page and altering the text in
them. If in doubt, consult a html manual from the Internet, eg
http://www.w3schools.com/html/ or http://htmlhelp.com/reference/html40/
Steps to follow:
1 When accessing the i-site or info.moe.gov.et , select a page that has the most similar
structure to the page you want to make.
2 In GoLive, click on that page to open it.
3 Choose a name for the page you need to make.
4 Save the page you opened under that new name and close it.
5 Open and edit the new page to your liking and save it again
6 Publish it.
MoE Server Configurations
Hans, 7 Feb 2012
o 4 * Old Dell servers as present already before 1 Feb 2011; decommissioned, but still usable
for several purposes. They will need rack and power space in the data centre, which depends
on Procurement Department. Therefore they are left out of this present overview.
o 1 * Server in the National Data Centre. See document: Access from MoE to MoE Webservers
in the NDC DMZ.
The below chart provides the technical and functional data for the first 2 types of servers.
The order they are listed in is the order from top to bottom in the server rack in the Data Centre.
Legend:
Contents
1 Introduction
2 Network Access Diagram
3 Configuration & Management of the physical and virtual servers
4 Security Policy
1 Introduction
The National Data Centre is the best place to host services of MoE that have to be available for the
public. The advantages of the NDC are significant:
- A team of staff with broad ICT experience to manage and operate the ICT environment
- A well-organized Data Centre with adequate power backup and air conditioning
- Physical access security
- Data security and backup
- A strong Internet connection (now 100 Mbps but practically unlimited)
- A good Woredanet connection
The Network diagram depicting the access from MoE to the servers is on the next page.
[Network diagram: Access from MoE to MoE Webservers in NDC DMZ, V1, 26 Jan 2012, HH. Labelled elements: MoE 4 Mbps Internet, Cisco Soho, HuaWei router, 2 Mbps VPN over EPON fiber, AR29 router, Eudemon 1000 firewall, VLAN 80, DMZ, Woredanet, a wireless link marked "Not operational yet", and the PM Office Data Centre with Portal servers and further services.]
3 Configuration & Management of the physical and virtual servers
1 The base operating system of the server is VSphere, allowing VMWare to run as the core
system under which operating systems are installed. The licence for VSphere / VMWare
is free. MoE has registered for the licence and obtained licence nr
2 The VSphere Client is the controlling console of the physical server and its VSphere/
VMWare installation. VSphere Client is run from one of the two Administrator PCs at
MoE, and requires access via ports 901 905 from MoE.
3 The Info server is implemented on a Windows 2008 Server system under VSphere/
VMWare. It uses IIS Version 7 for the Webserver.
Management and configuration of the Windows 2008 Server environment is done from
one of the two Administrator PCs at MoE, using Remote Console Access from MoE.
The Content Management of the Webserver is done with Adobe GoLive from one of the
two Administrator PCs at MoE, and requires FTP access from MoE.
Access to this server is allowed from anywhere on the Internet.
4 The Textbooks server is implemented on a different Windows 2008 Server system under
VSphere/VMWare.
It uses IIS Version 7 for the Webserver.
Management and configuration of the Windows 2008 Server environment is done from
one of the two Administrator PCs at MoE, using Remote Console Access from MoE.
The Content Management of the Webserver is done with Adobe GoLive from one of the
two Administrator PCs at MoE, and requires FTP access from MoE.
The access to this server via Internet must be restricted to IP addresses belonging to the
Ethiopian IP address space.
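One way to express the Textbooks restriction, assuming it is enforced in IIS 7 itself (the IP and Domain Restrictions feature) rather than on the firewall; this is an added example, not the MoE configuration. IIS 7 takes an address plus subnet mask instead of CIDR notation, so the script converts a prefix list into an `<ipSecurity>` section and shows the resulting decision for sample clients; the prefixes are constructed placeholders, not real Ethiopian allocations.

```python
import ipaddress

# Constructed placeholder prefixes (documentation ranges), NOT real Ethiopian allocations.
SAMPLE_ALLOWED = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]

def normalise(cidrs):
    """Validate prefixes (host bits set raise ValueError) and merge adjacent ones."""
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def iis_ip_security(cidrs):
    """Render an IIS 7 <ipSecurity> section that denies every unlisted address.

    The section belongs under system.webServer/security of the site.
    """
    lines = ['<ipSecurity allowUnlisted="false">']
    for net in normalise(cidrs):
        lines.append(f'  <add ipAddress="{net.network_address}" '
                     f'subnetMask="{net.netmask}" allowed="true" />')
    lines.append("</ipSecurity>")
    return "\n".join(lines)

def is_allowed(client, cidrs):
    """Decision the allow-list produces for one client address."""
    addr = ipaddress.IPv4Address(client)
    return any(addr in net for net in normalise(cidrs))

if __name__ == "__main__":
    print(iis_ip_security(SAMPLE_ALLOWED))
    for client in ("198.51.100.200", "192.0.2.7"):
        print(client, "allowed" if is_allowed(client, SAMPLE_ALLOWED) else "denied")
```

Strict parsing rejects a mistyped prefix such as `198.51.100.1/24` instead of silently widening or narrowing the allowed range.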
4 Security Policy
5 Content Management
The Content Management of both servers is described in section 9 of this document.