
IMPLEMENTATION OF FIREWALL IN CORPORATE ENVIRONMENT
Submitted as partial fulfillment of the requirements for the Project work for
the degree of Bachelor of Technology in Computer Science and
Engineering

Submitted By

AISWARYA PRADEEP
(2113M1621103)

Under the Guidance of

Mrs. D.Vinotha B.E., M.S.,


Head of the Department,
Department of Computer Science and Engineering

SCHOOL OF ENGINEERING AND TECHNOLOGY


DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
PRIST UNIVERSITY
THANJAVUR - 613 403.

OCT/NOV - 2018
SCHOOL OF ENGINEERING AND TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
PRIST UNIVERSITY
THANJAVUR - 613 403.

BONAFIDE CERTIFICATE

This is to certify that the project titled “ADBLOCK USAGE IN WEB ADVERTISEMENT” is a bonafide record of work done by Aiswarya Pradeep (2113M1621103) in partial fulfillment of the requirements for the Project work for the degree of Bachelor of Technology in Computer Science and Engineering of PRIST University, Thanjavur.

Internal Guide Head of the Department

Submitted for the University Viva-Voce examination held on --------------

Internal Examiner External Examiner

ACKNOWLEDGEMENT

I am pleased to record my deep sense of gratitude to Prof. P.Murugesan, Chancellor, PRIST University, Thanjavur, for the affection that he has shown to us during the entire course of our study.

I extend my heartfelt thanks to Dr. N. Ethirajalu, Vice Chancellor, PRIST University, Thanjavur, for his encouragement towards the successful completion of my project.

I deem it a pleasure and privilege to feel indebted to Prof. Dr. S. Nithyanandam, Registrar In-charge, PRIST University, Thanjavur, for his valuable hints in the successful completion of my project.

I am also indebted to extend my sincere thanks to Prof. Dr. S. Devi, Dean, School of Engineering and Technology, PRIST University, Thanjavur, for her help in providing the necessary impetus, facilities and suggestions for the completion of my project in all aspects.

I extend my sincere thanks to Prof. D. Vinotha, Head of the Department of Computer Science and Engineering, PRIST University, Thanjavur, for her enthusiastic support and the necessary laboratory arrangements for the completion of my project.

My thanks to Mrs. R. Shanthi, Assistant Professor and B.Tech Project Coordinator, Department of Computer Science and Engineering, PRIST University, Thanjavur, for her support.

I deem it a pleasure and privilege to feel indebted to my guide Mrs. D. Vinotha, Assistant Professor, Department of Computer Science and Engineering, PRIST University, Thanjavur, for her innovative suggestions and valuable hints in the successful completion of my project.

Finally, I would like to convey my sincere thanks to all the teaching and non-teaching faculty of the Department of Computer Science & Engineering, PRIST University, Thanjavur. Without their cooperation, this venture would not have been a success.

ABSTRACT
With the increased demand for network security there is a need for devices and software which can provide reliable security in the network. This paper gives a detailed explanation of implementing a firewall in various environments and of its role in network security. A firewall is a network security system that grants or rejects network access to traffic flowing between an untrusted zone and a trusted zone. The main idea of this paper is to define the role of the firewall in network security and the implementation of a firewall in hardware, in software, or in a combination of both.

ABBREVIATIONS

AS Autonomous Systems

IGRP Interior Gateway Routing Protocols

EGP Exterior Gateway Routing Protocol

HSRP Hot Standby Routing Protocol

BGP Border gateway protocol

GLBP Gateway Load Balancing Protocol

LIST OF FIGURES

S.NO LIST OF FIGURES PAGE NO

5.1 System Architecture

5.2 Dataflow Diagram

TABLE OF CONTENTS
CHAPTER TITLE PAGE NO.
NO.
ACKNOWLEDGEMENT ii
SYNOPSIS iii
LIST OF ABBREVIATIONS iv
LIST OF FIGURES v
CHAPTER 1 INTRODUCTION 1
1.1.Advantages 2
CHAPTER 2 EXISTING SYSTEM 3
2.1 Introduction 3
2.2 Literature Survey 3
2.2.1 Implementation of firewall in DMZ Environment 3
2.2.2 Implementation of firewall in VPN 3
2.2.3 Implementation of firewall in Intranet 3
2.2.4 Implementation of Firewall in Extranet 4
2.2.5 The firewall represents an indispensable technical component for network security concepts. 4
2.3 Technique And Disadvantages 6
2.4 Summary 7
CHAPTER 3 PROPOSED SYSTEM 8
3.1. Introduction 8
3.2. Advantages 9
3.3. Summary 10
CHAPTER 4 SYSTEM REQUIREMENTS 11
4.1 Introduction 11
4.2. Hardware Requirements 11
4.3. Software Requirements 11
4.4. Software Description 12
4.5 Summary 15
CHAPTER 5 SYSTEM DESIGN 16
5.1 Architecture 16
5.2 Data Flow Diagram 17
CHAPTER 6 MODULES DESCRIPTION 22
6.1. Algorithm 22
6.2. Modules 23
6.2.1 Packet Filtering 23
6.2.2 Client/Server Access Lists 24
6.2.3 User Authentication 25
6.2.4 Address Obfuscation 27
6.3 Summary 30
CHAPTER 7 IMPLEMENTATION AND RESULTS 31
CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENT 32
8.1 Conclusion 32
8.2 Future Enhancements 32
REFERENCES 34
APPENDICES
Appendix A
Sample Screen Shots 36
Appendix B
Sample Source Code 42
Appendix C
Base Paper 48
CHAPTER-1
INTRODUCTION
A firewall is a networking system that helps in preventing unauthorized access to one’s computer over the Internet (i.e. it acts as a protection barrier between the system and the network). A firewall can be implemented as software, as a hardware appliance, or as a combination of both. Its function is to control the flow of traffic between the internal network (LAN) and the Internet, so that the LAN is secured and no attacker can access or harm it. For this purpose we place software, hardware or a combination of both between the LAN and the Internet. Based on a pre-defined set of rules, the firewall checks the data packets coming from the Internet or any external network and forwards them to the LAN only if no threat is found.
1.1 ADVANTAGES
There are different types of environments in which a firewall can be implemented, ranging from a simple packet filter to a combination of several firewalls. The choice of firewalls [3] is wide: they come in every size, shape and capacity, designed to suit the customer’s needs. The type of firewall to install depends upon the size, protection needs and management of the network. We discuss the implementation of firewalls in the DMZ, VPN, intranet and extranet environments.
CHAPTER 2
EXISTING SYSTEM
2.1 INTRODUCTION
Firewalls are systems which protect networks or network devices, such as industrial PCs,
control systems, cameras, etc., from unauthorized access by preventing network traffic to
or from these systems. The first broad distinction here is the difference between host
firewalls and network firewalls. The first is installed on a computer (host) or already
provided by the operating system, as a software feature. Examples of these firewalls are
the Microsoft Windows system firewall or the iptables firewall provided with most Linux
systems. Network firewalls are devices which have been developed especially for use as a
firewall and are placed in the network, rather than on a PC. These network, or hardware,
firewalls are important elements in industrial facilities, especially when they are
connected to additional networks or when wired transmissions are combined with less
secure network technologies (e.g. wireless networks). In these situations, a network
firewall serves to set up the network boundary as the first line of defense against attacks
and only allows desired traffic into and out of the network.
2.2 LITERATURE SURVEY
2.2.1 Implementation of firewall in DMZ Environment
In computer networks, a DMZ (demilitarized zone) is a neutral zone between a company’s private network and the outside public network. In the figure below, the main firewall provides access control and protects the server from being attacked from the public network. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.
2.2.2 Implementation of firewall in VPN
A Virtual Private Network (VPN) is a private network that uses a public network to connect remote sites or users together. The VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. The VPN firewall ensures that traffic is encrypted, that only authorized users can use the network, and that data cannot be intercepted.
2.2.3 Implementation of firewall in Intranet
An Intranet is a network that employs the same types of applications, services, and
protocols that are present in an internet, without external connectivity. The Firewall
protects the intranet by checking the traffic flow from the interconnected intranets.
2.2.4 Implementation of Firewall in Extranet.
An extranet is usually a business-to-business intranet. Access control is provided to the remote user based on authentication and authorization, as provided by a VPN.
2.2.5 The firewall represents an indispensable technical component for network
security concepts today.
The various types of firewalls range from simple packet filters all the way up to powerful
solutions with the direct support of specialized industrial protocols. Firewall designs,
which range from software packages for PCs to industrially hardened products in metal
housings for use at the field level, are every bit as diverse. The current threat of attacks
plays a large role in this because it is significant in determining the correct technology
and deployment location.
2.3 TECHNIQUE AND DISADVANTAGES
The fundamental technical function of any firewall is to filter packets. Here, the firewall
inspects packets, which it is supposed to forward, to determine whether they correspond
to a desired template for traffic patterns. These templates are modeled in the form of
rules. A firewall at the boundary of a network can thus, for example, include rules in the
form of "A communication link within the network can only take place with a specified
server" or "Only the PCs for remote maintenance can be reached outside the network, not
any other devices." Creating special rules, such as for industrial protocols, is also possible.
2.4 SUMMARY
Firewalls are important basic components in today’s security concepts. They are used in
various locations within the network. On the one hand, they can secure a company
network against the outside. On the other, they can separate various devices within a
network from each other or permit only specified communications between devices.
This concept of precise limitations on communication between network participants in
internal networks, as well as partitioning of various network areas from each other,
known as defense in depth, is usually combined with zones and conduits: layered
defenses with multiple security levels, one behind the other.
CHAPTER 3
PROPOSED SYSTEM
3.1 INTRODUCTION
Communication from wireless to wired networks should also be controlled by firewalls.
For example, the communication of a tablet, which is connected to a device via a WLAN,
can be limited so that it can only access data through the user interface, but not additional
subsystems or other devices connected to it. If a client is integrated into a WLAN, it is
possible, in principle, to communicate directly with all other devices in the same
(sub)network. Thus, an attacker can extend a successful attack on a client that is
connected to the WLAN to any other device on the Ethernet network. This problem can
be solved by restricting the forwarding of messages between WLAN clients with a
firewall at the WLAN access point. Here, too, there is a need for a transparent layer 2
firewall which can filter communication within a network (directly between the WLAN
devices in a network). In order to do this, the firewall must be implemented directly at the
access point. Industrially hardened devices are important here as well.
In addition, it can also be practical to restrict communication to the desired patterns and
communication relationships at all other points in the network. But, because firewalls can
also have negative effects on transmission latency (delay in transmission) and network
throughput, the use of a dedicated firewall is not always possible. In such cases, high-
quality network switches can also use less powerful stateless filtering rules. These rules
are usually not referred to as firewall rules, rather as access control lists (ACL). ACLs are
suited for any situation where rapid filtering must take place within a network.
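The rule-template idea of section 2.3 and the stateless ACL versus stateful firewall distinction above, as an added Python example that is not part of the report or of Packet Tracer; the LAN addressing, ports and rule set are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects (constructed sample values)."""
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # destination port (0 for icmp)
    sport: int = 0      # source port


@dataclass(frozen=True)
class Rule:
    """One filtering rule: the 'template' a packet is compared against."""
    action: str                   # "permit" or "deny"
    src: str                      # source network, CIDR ("0.0.0.0/0" = any)
    dst: str                      # destination network, CIDR
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt):
    """Stateless filtering, as a switch ACL does: the first matching rule
    decides, and an implicit deny rejects anything no rule permits."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Assumed addressing for the report's two example rules: the internal LAN is
# 10.0.0.0/24, the "specified server" is 10.0.0.5 (SMB, port 445) and the
# remote-maintenance PC is 10.0.0.10 (SSH, port 22).
RULES = [
    Rule("permit", "10.0.0.0/24", "10.0.0.5/32", "tcp", 445),   # LAN -> server only
    Rule("deny", "10.0.0.0/24", "10.0.0.0/24"),                 # no other LAN-to-LAN links
    Rule("permit", "0.0.0.0/0", "10.0.0.10/32", "tcp", 22),     # outside -> maintenance PC only
    Rule("deny", "0.0.0.0/0", "10.0.0.0/24"),                   # nothing else reachable
]


class StatefulFirewall:
    """Firewall behaviour: a permitted packet is recorded as a connection and
    packets flowing back along that connection are accepted without needing
    a rule of their own, which a stateless ACL cannot do."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport, proto)

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "permit"        # reply to an established, permitted flow
        action = filter_packet(self.rules, pkt)
        if action == "permit":
            self.connections.add(forward)
        return action


def compare_reply_handling():
    """Run a request and its reply through both filters; returns the four
    decisions so the difference is visible."""
    request = Packet("10.0.0.7", "10.0.0.5", "tcp", 445, sport=51000)
    reply = Packet("10.0.0.5", "10.0.0.7", "tcp", 51000, sport=445)
    fw = StatefulFirewall(RULES)
    return {
        "acl_request": filter_packet(RULES, request),
        "acl_reply": filter_packet(RULES, reply),       # deny: no rule for the reply
        "fw_request": fw.filter(request),
        "fw_reply": fw.filter(reply),                   # permit: known connection
    }


if __name__ == "__main__":
    for name, decision in compare_reply_handling().items():
        print(f"{name}: {decision}")
```

The stateless filter would need an explicit reverse rule for every permitted flow, which is why the report treats ACLs as a lighter-weight filter than a firewall.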
3.2 ADVANTAGES
Firewalls play various roles in the partitioning of network portions. For one, a firewall
can protect a company against threats from the outside. In many cases, this overall
protection is the domain of IT firewall solutions, which are placed in a company’s data
center. On the other hand, they can also be implemented, for instance, in production in
order to effectively separate the production network from the rest of the company
network.
3.3 SUMMARY
Industrial firewalls with router functions are perfect for smaller external branches or sites.
This allows, for example, distribution stations to be connected with the rest of the
company infrastructure via a WWAN network. The firewall controls the network traffic
coming out of and going into the external site’s local network. Since such a firewall for
connection of an external site represents the border between the company’s own network
(the external site) and an external network (a provider network or the Internet), the
firewall must possess full capabilities for packet filtering and filtering traffic between
various networks. Such a firewall is called an IP firewall since it processes Internet
Protocol (IP) traffic. Because these firewalls are often installed very near the actual
facility, industrial hardening must also be taken into consideration. Extended temperature
ranges and/or approval for use in special areas (e.g. energy supply and transportation) are
crucial.
CHAPTER 4
SYSTEM SPECIFICATION
4.1 INTRODUCTION
The purpose of this document is to collect and analyze all the assorted ideas that have come up to define the system and its requirements with respect to consumers. We also predict and sort out how we expect this product to be used, in order to gain a better understanding of the project, outline concepts that may be developed later, and document ideas that are being considered but may be discarded as the product develops. In short, the purpose of this SRS document is to provide a detailed overview of our software product, its parameters and goals. It describes the project's target audience and its user interface, hardware and software requirements. It defines how our client, team and audience see the product and its functionality. It also helps any designer and developer in the software delivery lifecycle (SDLC) processes.
4.2 HARDWARE REQUIREMENTS

System : Dual Core Processor
Hard Disk : 160 GB
Monitor : 15" Colour Monitor
RAM : 2 GB

4.3 SOFTWARE REQUIREMENTS

Operating system : Windows 7 Ultimate
Coding Language : HTML (Front End)
Toolkit : Cisco Packet Tracer

4.4 SOFTWARE DESCRIPTION
Cisco Packet Tracer
As networking systems continue to evolve in complexity, new curricula and educational tools are emerging to facilitate teaching and learning about networking technology. The Cisco Networking Academy® program is designed to keep pace with the evolution of networking systems by providing innovative curricula and educational tools that help students understand the complexities of information and communication technologies (ICTs). Within this framework, the Cisco® Packet Tracer e-learning software was developed to help Networking Academy students gain practical networking technology skills in a rapidly changing environment. Students seeking ICT skills can now benefit from the accessibility of online curricula and new opportunities for social learning, collaboration, and competition.
Solution
Cisco® Packet Tracer is a powerful network simulation program that allows students to experiment with network behavior and ask “what if” questions. As an integral part of the Networking Academy comprehensive learning experience, Packet Tracer provides simulation, visualization, authoring, assessment, and collaboration capabilities to facilitate the teaching and learning of complex technology concepts. Packet Tracer supplements physical equipment in the classroom by allowing students to create a network with an almost unlimited number of devices, encouraging practice, discovery, and troubleshooting. The simulation-based learning environment helps students develop 21st century skills such as decision making, creative and critical thinking, and problem solving. Packet Tracer complements the Networking Academy curricula, allowing instructors to easily teach and demonstrate complex technical concepts and networking systems design. Instructors can customize individual or multiuser activities, providing hands-on lessons for students that offer value and relevance in their classrooms. Students can build, configure, and troubleshoot networks using virtual equipment and simulated connections, alone or in collaboration with other students. Packet Tracer offers an effective, interactive environment for learning networking concepts and protocols. Most importantly, Packet Tracer helps students and instructors create their own virtual “network worlds” for exploration, experimentation, and explanation of networking concepts and technologies.
The Teaching Experience
Cisco Packet Tracer provides multiple opportunities for instructors to demonstrate networking concepts. Although Packet Tracer is not a substitute for real equipment, it allows students to practice using a command-line interface. This “e-doing” capability is a fundamental component of learning how to configure routers and switches. Packet Tracer’s simulation mode enables instructors to demonstrate processes that were formerly hidden to students. These simulation capabilities can help simplify the learning process by providing tables, diagrams, and other visual representations of internal functions such as dynamic data transfers and packet content expansion. The simulation mode also decreases instructor presentation time by replacing whiteboards and static slides with real-time visuals. Packet Tracer helps instructors teach complex networking concepts in the following ways:
• Provides a visual demonstration of complex technologies and configurations
• Allows instructors to author customized, guided activities that provide immediate feedback using the Activity Wizard
• Facilitates numerous learning activities such as lectures, individual and group lab activities, homework, assessments, games, network design, troubleshooting, modeling tasks, case studies, and competitions
• Enables visualization, animation, and detailed modeling for exploration, experimentation, and explanation
• Supports self-paced learning outside the classroom
• Supports social learning processes by enabling collaboration and competition
• Supports the majority of protocols and technologies taught in the following Networking Academy curricula: Cisco CCNA® Discovery, CCNA Exploration, and CCNA Security, and can be used to teach concepts from IT Essentials and Cisco CCNP® courses
Figure 2. Multiuser games provide fun learning opportunities for collaboration and competition
The Student Experience
Students who spend more time in a hands-on mode of learning, with simulation and interactive capabilities, will be better equipped to apply concepts and configuration fundamentals when exposed to real equipment. As students gain practical experience with tasks such as configuration and troubleshooting, they become more confident in their abilities. Cisco Packet Tracer’s multiuser functionality also provides an opportunity for social learning, allowing students to collaborate and compete with each other and play games that enhance the learning experience.
Key Features
Packet Tracer Workspaces: Cisco Packet Tracer has two workspaces, logical and physical. The logical workspace allows users to build logical network topologies by placing, connecting, and clustering virtual network devices. The physical workspace provides a graphical physical dimension of the logical network, giving a sense of scale and placement in how network devices such as routers, switches, and hosts would look in a real environment. The physical view also provides geographic representations of networks, including multiple cities, buildings, and wiring closets.
Figure 3. The physical workspace provides a graphical view of the logical network
Packet Tracer Modes: Cisco Packet Tracer provides two operating modes to visualize the behavior of a network: real-time mode and simulation mode. In real-time mode the network behaves as real devices do, with immediate real-time response for all network activities. The real-time mode gives students a viable alternative to real equipment and allows them to gain configuration practice before working with real equipment. In simulation mode the user can see and control time intervals, the inner workings of data transfer, and the propagation of data across a network. This helps students understand the fundamental concepts behind network operations. A solid understanding of network fundamentals can help accelerate learning about related concepts.
HTML (Hypertext Markup Language)
HTML (Hypertext Markup Language) is a text-based approach to describing how content
contained within an HTML file is structured. This markup tells a web browser how to
display the text, images and other forms of multimedia on a webpage.
Commonly used HTML tags
The role of HTML is to inform a web browser about how the content contained within an
HTML file is structured. Commonly used HTML tags include <H1>, which describes a
top-level heading; <H2>, which describes a second-level heading; <p> to describe a
paragraph; <table>, which describes tabular data; and <ol>, which describes an ordered
list of information.
As you can see from this very short list, HTML tags primarily dictate the structural
elements of a page.
Variations of HTML
In the early days of the world wide web, marking up text-based documents using HTML
syntax was more than sufficient to facilitate the sharing of academic documents and
technical memos. However, as the internet expanded beyond the walls of academia and
into the homes of the general population, greater demand was placed on webpages in
terms of formatting and interactivity.
HTML 4.01 was released in 1999, at a time when the internet was not yet a household
name, and HTML5 was not standardized until 2014. During this time, HTML markup
drifted from the job of simply describing the structure of the content on a webpage into
the role of also describing how content should look when a webpage displays it.
As a result, HTML4-based webpages often included information within a tag about what
font to use when displaying text, what color should be used for the background and how
content should be aligned.
Describing within an HTML tag how an HTML element should be formatted when
rendered on a webpage is considered an HTML antipattern. HTML should describe how
content is structured, not how it will be styled and rendered within a browser.
For rendering, the proper practice is to use cascading style sheets (CSS). An HTML file
can link to a cascading style sheet, which will contain information about which colors to
use, which fonts to use and other HTML element rendering information. Separating
information about how a page is structured, which is the role of HTML, from the
information about how a webpage looks when it is rendered in a browser, which is the
role of a CSS file, is a software development pattern and best practice known as
separation of concerns.
HTML4 vs. HTML5
The separation of concerns pattern is more rigorously enforced in HTML5 than it was in
HTML4. With HTML5, the bold <b> and italicize <i> tags have been deprecated. For the
paragraph tag, the align attribute has been completely removed from the HTML
specification.
For the purpose of backward-compatibility, web browsers will continue to support these
deprecated HTML tags, but the changes to the HTML specification do demonstrate the
desire of the community for HTML to return to its original purpose of describing the
structure of content, while encouraging developers to use cascading style sheets for
formatting purposes.
HTML tag vs. element vs. attribute
The idea of using text to describe how text should be displayed might sound somewhat
paradoxical, but it is not. This is the whole reason why HTML is known as a markup
language.
Using HTML, a document containing text is further marked up with additional text
describing how the document should be displayed. To keep the markup part separate from
the actual content of the HTML file, there is a special, distinguishing HTML syntax that
is used. These special components are known as HTML tags. The tags can contain name-
value pairs known as attributes, and a piece of content that is enclosed within a tag is
referred to as an HTML element.
Editing HTML example
In the following HTML example, there are two HTML elements. Both elements use the same paragraph tag, designated with the letter p, and both use the directional attribute dir, although a different value is assigned to the HTML attribute's name-value pairing, namely rtl and ltr.
Figure 1. An example of an HTML element using the paragraph tag and the direction attribute dir (raw HTML displayed in a basic text editor)
Notice that when this HTML snippet is rendered in a browser, the HTML tags impact how each HTML element is displayed on the page, but none of the HTML tags or attributes are displayed. HTML simply describes how to render the content. The HTML itself is never displayed to the end user.
Figure: rendering of the HTML in a web browser
What is well-formed HTML?
In order for a web browser to display an HTML page without error, it must be provided with well-formed HTML. To be well-formed, each HTML element must be contained within an open tag -- <p> -- and a close tag -- </p>. Furthermore, any new tag opened within another tag must be closed before the containing tag is closed. So <h1><p>well-formed HTML</p></h1> is well-formed HTML, while <h1><p>well-formed HTML</h1></p> is not well-formed HTML.
HTML syntax standards
Another syntax rule is that HTML attributes should be enclosed within single or double
quotes. There is often debate about which format is technically correct, but the World
Wide Web Consortium asserts that both approaches are acceptable.
"By default, SGML requires that all attribute values be delimited using either double
quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39)."
The best advice for choosing between single and double quotes is to keep the usage
consistent across all the documents. HTML style-checkers can be used to enforce
consistent use across pages. It should be noted that sometimes using a single quote is
required, such as in an instance where an attribute's value actually contains a double quote
character. The reverse is true as well.
"Single quote marks can be included within the attribute value when the value is
delimited by double quote marks, and vice versa."
How to use and implement HTML
Because HTML is completely text-based, an HTML file can be edited simply by opening
it up in a program such as Notepad++, Vi or Emacs. Any text editor can be used to create
or edit an HTML file and, so long as the file is created with a .html extension, any web
browser, such as Chrome or Firefox, will be capable of displaying the file as a webpage.
For professional software developers, there are a variety of WYSIWYG editors to
develop webpages. NetBeans, IntelliJ, Eclipse and Microsoft's Visual Studio provide
WYSIWYG editors as either plug-ins or as standard components, making it incredibly
easy to use and implement HTML.

These WYSIWYG editors also provide HTML troubleshooting facilities, although modern web browsers often contain web developer plug-ins that will highlight problems with HTML pages, such as a missing end tag or syntax that does not create well-formed HTML.
Chrome and Firefox both include HTML developer tools that allow for the immediate
viewing of a webpage's complete HTML file, along with the ability to edit HTML on the
fly and immediately incorporate changes within the browser.
The HTML standard
HTML is a formal recommendation by the World Wide Web Consortium (W3C) and is
generally adhered to by all major web browsers, including both desktop and mobile web
browsers. HTML5 is the latest version of the specification.
4.5 SUMMARY
The software requirements specification document lists the sufficient and necessary requirements for the project development. To derive the requirements, the developer needs to have a clear and thorough understanding of the product under development. This is achieved through detailed and continuous communication with the project team and the customer throughout the software development process.
CHAPTER - 5
SYSTEM DESIGN
5.1 ARCHITECTURE
5.2 DATA FLOW DIAGRAM
INPUT DESIGN AND OUTPUT DESIGN
INPUT DESIGN
The input design is the link between the information system and the user. It comprises the specifications and procedures for data preparation, and the steps necessary to put transaction data into a usable form for processing. This can be achieved by having the computer read data from a written or printed document, or by having people key the data directly into the system. The design of input focuses on controlling the amount of input required, controlling errors, avoiding delay, avoiding extra steps and keeping the process simple. The input is designed in such a way that it provides security and ease of use while retaining privacy. Input design considers the following:
• What data should be given as input?
• How should the data be arranged or coded?
• The dialog to guide the operating personnel in providing input.
• Methods for preparing input validations and steps to follow when errors occur.
OBJECTIVES
1. Input design is the process of converting a user-oriented description of the input into a computer-based system. This design is important to avoid errors in the data input process and to show management the correct direction for getting correct information from the computerized system.
2. It is achieved by creating user-friendly screens for data entry to handle large volumes of data. The goal of designing input is to make data entry easier and free from errors. The data entry screen is designed in such a way that all data manipulations can be performed. It also provides record viewing facilities.
3. When data is entered, it is checked for validity. Data can be entered with the help of screens. Appropriate messages are provided when needed so that the user is not left confused. Thus the objective of input design is to create an input layout that is easy to follow.
OUTPUT DESIGN
A quality output is one which meets the requirements of the end user and presents the
information clearly. In any system, the results of processing are communicated to the users
and to other systems through outputs. In output design it is determined how the
information is to be displayed for immediate need, and also the hard copy output. It is the
most important and direct source of information to the user. Efficient and intelligent output
design improves the system's relationship with the user and supports user decision-making.
1. Designing computer output should proceed in an organized, well thought out manner;
the right output must be developed while ensuring that each output element is designed so
that people will find the system easy and effective to use. When analysts design
computer output, they should identify the specific output that is needed to meet the
requirements.
2. Select methods for presenting information.
3. Create documents, reports, or other formats that contain information produced by the
system.
The output form of an information system should accomplish one or more of the
following objectives.
• Convey information about past activities, current status or projections of the future.
• Signal important events, opportunities, problems, or warnings.
• Trigger an action.
• Confirm an action.
SYSTEM STUDY
FEASIBILITY STUDY:
The feasibility of the project is analyzed in this phase and a business proposal is put
forth with a very general plan for the project and some cost estimates. During system
analysis the feasibility study of the proposed system is to be carried out. This is to ensure
that the proposed system is not a burden to the company. For feasibility analysis, some
understanding of the major requirements for the system is essential.
Three key considerations involved in the feasibility analysis are
• Economical feasibility
• Technical feasibility
• Social feasibility
ECONOMICAL FEASIBILITY:
This study is carried out to check the economic impact that the system will have
on the organization. The amount of funds that the company can pour into the research and
development of the system is limited. The expenditures must be justified. Thus the
developed system was well within the budget, and this was achieved because most of the
technologies used are freely available. Only the customized products had to be purchased.
TECHNICAL FEASIBILITY:
This study is carried out to check the technical feasibility, that is, the technical
requirements of the system. Any system developed must not place a high demand on the
available technical resources, as this would in turn place high demands on the client. The
developed system must have modest requirements, as only minimal or no changes are
required for implementing this system.
SOCIAL FEASIBILITY:
This aspect of the study is to check the level of acceptance of the system by the user.
This includes the process of training the user to use the system efficiently. The user must
not feel threatened by the system, but must instead accept it as a necessity. The level of
acceptance by the users solely depends on the methods that are employed to educate the
user about the system and to make him familiar with it. His level of confidence must be
raised so that he is also able to make some constructive criticism, which is welcomed, as
he is the final user of the system.
SYSTEM TESTING
The purpose of testing is to discover errors. Testing is the process of trying to
discover every conceivable fault or weakness in a work product. It provides a way to
check the functionality of components, sub-assemblies, assemblies and/or a finished
product. It is the process of exercising software with the intent of ensuring that the
software system meets its requirements and user expectations and does not fail in an
unacceptable manner. There are various types of test. Each test type addresses a specific
testing requirement.
TYPES OF TESTS:
Testing is the process of trying to discover every conceivable fault or weakness in
a work product. The different types of testing are given below:
UNIT TESTING:
Unit testing involves the design of test cases that validate that the internal program
logic is functioning properly, and that program inputs produce valid outputs. All decision
branches and internal code flow should be validated. It is the testing of individual
software units of the application. It is done after the completion of an individual unit
before integration.
This is structural testing, which relies on knowledge of the unit's construction and is
invasive. Unit tests perform basic tests at component level and test a specific business
process, application, and/or system configuration. Unit tests ensure that each unique path
of a business process performs accurately to the documented specifications and contains
clearly defined inputs and expected results.
INTEGRATION TESTING:
Integration tests are designed to test integrated software components to determine
if they actually run as one program. Testing is event driven and is more concerned with
the basic outcome of screens or fields. Integration tests demonstrate that although the
components were individually satisfactory, as shown by successful unit testing, the
combination of components is correct and consistent. Integration testing is specifically
aimed at exposing the problems that arise from the combination of components.
FUNCTIONAL TEST:
Functional tests provide systematic demonstrations that the functions tested are available
as specified by the business and technical requirements, system documentation, and user
manuals.
Functional testing is centered on the following items:
Valid Input: identified classes of valid input must be accepted.
Invalid Input: identified classes of invalid input must be rejected.
Functions: identified functions must be exercised.
Output: identified classes of application outputs must be exercised.
Systems/Procedures: interfacing systems or procedures must be invoked.
Organization and preparation of functional tests is focused on requirements, key
functions, or special test cases. In addition, systematic coverage of the identified
business process flows, data fields, predefined processes, and successive processes must
be considered for testing. Before functional testing is complete, additional tests are
identified and the effective value of current tests is determined.
SYSTEM TEST:
System testing ensures that the entire integrated software system meets requirements.
It tests a configuration to ensure known and predictable results. An example of system
testing is the configuration oriented system integration test. System testing is based on
process descriptions and flows, emphasizing pre-driven process links and integration
points.
WHITE BOX TESTING:
White Box Testing is a testing in which the software tester has knowledge of the inner
workings, structure and language of the software, or at least its purpose. It is used to
test areas that cannot be reached from a black box level.
BLACK BOX TESTING:
Black Box Testing is testing the software without any knowledge of the inner workings,
structure or language of the module being tested. Black box tests, as most other kinds of
tests, must be written from a definitive source document, such as a specification or
requirements document. It is a testing in which the software under test is treated as a
black box: you cannot “see” into it. The test provides inputs and responds to outputs
without considering how the software works.
UNIT TESTING:
Unit testing is usually conducted as part of a combined code and unit test phase of
the software lifecycle, although it is not uncommon for coding and unit testing to be
conducted as two distinct phases.
Test strategy and approach
Field testing will be performed manually and functional tests will be written in
detail.
Test objectives
• All field entries must work properly.
• Pages must be activated from the identified link.
• The entry screen, messages and responses must not be delayed.
Features to be tested
• Verify that the entries are of the correct format.
• No duplicate entries should be allowed.
• All links should take the user to the correct page.
INTEGRATION TESTING:
Software integration testing is the incremental integration testing of two or more
integrated software components on a single platform to produce failures caused by
interface defects.
The task of the integration test is to check that components or software
applications (e.g. components in a software system or, one step up, software
applications at the company level) interact without error.
Test Results: All the test cases mentioned above passed successfully. No defects were
encountered.
ACCEPTANCE TESTING:
User Acceptance Testing is a critical phase of any project and requires significant
participation by the end user. It also ensures that the system meets the functional
requirements.
Test Results: All the test cases mentioned above passed successfully. No defects were
encountered.
CHAPTER - 6
MODULES DESCRIPTION
6.1 ANOMALY DETECTION ALGORITHM
Anomaly detection (also outlier detection) is the identification of rare items, events or
observations which raise suspicions by differing significantly from the majority of the
data. Typically the anomalous items will translate to some kind of problem such as bank
fraud, a structural defect, medical problems or errors in a text. Anomalies are also
referred to as outliers, novelties, noise, deviations and exceptions.
In particular, in the context of abuse and network intrusion detection, the interesting
objects are often not rare objects, but unexpected bursts in activity. This pattern does not
adhere to the common statistical definition of an outlier as a rare object, and many outlier
detection methods (in particular unsupervised methods) will fail on such data, unless it
has been aggregated appropriately. Instead, a cluster analysis algorithm may be able to
detect the micro clusters formed by these patterns.
Three broad categories of anomaly detection techniques exist. Unsupervised anomaly
detection techniques detect anomalies in an unlabeled test data set under the assumption
that the majority of the instances in the data set are normal by looking for instances that
seem to fit least to the remainder of the data set. Supervised anomaly detection techniques
require a data set that has been labeled as "normal" and "abnormal" and involves training
a classifier (the key difference to many other statistical classification problems is the
inherent unbalanced nature of outlier detection). Semi-supervised anomaly
detection techniques construct a model representing normal behavior from a
given normal training data set, and then test the likelihood of a test instance to be
generated by the learnt model.
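The contrast drawn above, as an added example that is not part of the report: a per-event rarity check over constructed firewall log lines misses a connection burst, while aggregating events per source and time window first (the unsupervised case) finds it. The log lines, hosts and thresholds are all constructed here.

```python
"""Burst detection over aggregated firewall log windows.

Added example, not part of the original report. An "unexpected burst in
activity" is not a rare event, so a per-event rarity check misses it;
aggregating events per (source, window) and scoring each window against
the others finds it. All log lines below are constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed log: "<timestamp> <source ip> -> <destination port>".
# 192.168.1.13 opens 12 connections within one minute at 09:05; the
# other hosts open about one connection per minute.
SAMPLE_LOG = """\
2018-10-01T09:00:10 192.168.1.10 -> 80
2018-10-01T09:00:40 192.168.1.11 -> 443
2018-10-01T09:01:10 192.168.1.10 -> 80
2018-10-01T09:01:30 192.168.1.12 -> 3389
2018-10-01T09:02:10 192.168.1.10 -> 80
2018-10-01T09:02:20 192.168.1.13 -> 80
2018-10-01T09:02:40 192.168.1.11 -> 443
2018-10-01T09:03:10 192.168.1.10 -> 80
2018-10-01T09:03:30 192.168.1.12 -> 443
2018-10-01T09:04:10 192.168.1.10 -> 80
2018-10-01T09:04:40 192.168.1.11 -> 443
2018-10-01T09:05:10 192.168.1.10 -> 80
""" + "".join(f"2018-10-01T09:05:{s:02d} 192.168.1.13 -> 80\n" for s in range(0, 60, 5))

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d+)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Return a list of (timestamp, source, port) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def per_event_outliers(events, rare_fraction=0.05):
    """Classic outlier view: flag events whose destination port is rare overall."""
    port_counts = Counter(port for _, _, port in events)
    total = len(events)
    return [e for e in events if port_counts[e[2]] / total < rare_fraction]


def burst_windows(events, window_s=60, z_threshold=3.0, min_spread=1.0):
    """Aggregate to (source, window) counts, then flag windows whose count is far
    above the other windows. The baseline leaves the candidate window out, so one
    huge window cannot inflate the spread and hide itself (the masking effect)."""
    counts = Counter()
    for ts, src, _ in events:
        secs = int((ts - EPOCH).total_seconds())
        counts[(src, secs - secs % window_s)] += 1
    values = list(counts.values())
    flagged = []
    for (src, start), n in sorted(counts.items()):
        others = list(values)
        others.remove(n)                       # leave this window out of the baseline
        z = (n - mean(others)) / max(pstdev(others), min_spread)
        if z >= z_threshold:
            when = (EPOCH + timedelta(seconds=start)).isoformat()
            flagged.append((src, when, n, round(z, 1)))
    return flagged


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("rare events  :", per_event_outliers(EVENTS))   # only the single RDP connection
    print("burst windows:", burst_windows(EVENTS))        # the 12-connection minute
```

The burst host's connections are individually the most common kind of event in the log, which is why only the aggregated view catches them.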
6.2. MODULES
Packet Filtering
Packet filtering is easily implemented and provides excellent security, but decreases
network functionality and versatility. In essence the firewall scans each packet.
Depending on the configuration of the firewall, it may allow HTTP, DNS, POP3, and
SMTP packets to pass through, but not FTP or Telnet packets. You can see how this now
limits your LAN.
Client/Server Access Lists
Client Access Lists work well in conjunction with Packet Filtering. The firewall grants
different rights to users based on IP address. This can be used to block E-mail from
certain annoying spammers. It can also be used to allow FTP communication between
your LAN and another LAN that is known to be secure. Remember, although another
company may be "trusted," you must consider the overall security implementation on
their system as well. By granting access to your network, you are potentially allowing
everyone they allow on their network to use your network.
Server Access Lists work in a similar manner as Client Access Lists except they prevent
users on your LAN from accessing insecure servers. This may also be used to prevent
employees from visiting "inappropriate" web sites during work hours. Clearly, an
electrical engineer designing nuclear submarine controls has no need to visit the URL
"www.freelotto.com".
The problem with Client/Server Access Lists is that it is quite easy to "spoof" an IP
address. In other words, a crafty outside user can make it appear as though his IP address
is actually originating from that secure LAN mentioned before, possibly giving him FTP
access to your LAN. Fortunately, most firewall software/hardware is capable of detecting
IP spoofing, especially if the IP address being spoofed is inside your LAN. In this case, it
can tell by detecting what port is accessed (internal or external).
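The three behaviours described above (service-based packet filtering, client/server access lists, and spoof detection by arrival interface) as an added example in Python; this is not the report's code, and every address, prefix and packet in it is constructed from documentation ranges.

```python
"""Stateless packet filter with client/server access lists and an
anti-spoofing check.

Added example, not the report's own code. HTTP, DNS, POP3 and SMTP pass
for everyone; FTP and Telnet do not, unless a client access list grants
them with a trusted LAN. A packet that arrives on the outside interface
but claims a LAN source address is treated as spoofed. All addresses and
packets are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"HTTP": 80, "DNS": 53, "POP3": 110, "SMTP": 25, "FTP": 21, "TELNET": 23}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    dport: int      # destination TCP/UDP port


@dataclass
class Policy:
    lan: object                                          # our own LAN prefix
    allowed_ports: set                                   # services everyone may use
    trusted_lans: dict = field(default_factory=dict)     # prefix -> extra ports allowed with it
    blocked_clients: list = field(default_factory=list)  # client access list: sources denied
    blocked_servers: list = field(default_factory=list)  # server access list: destinations denied to LAN users


def filter_packet(pkt, pol):
    """Return (verdict, reason); verdict is "PASS" or "DROP"."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # 1. Anti-spoofing: the arrival interface must agree with the claimed source.
    if pkt.iface == "outside" and src in pol.lan:
        return "DROP", "spoofed: LAN source address arrived on the outside interface"
    if pkt.iface == "inside" and src not in pol.lan:
        return "DROP", "spoofed: non-LAN source address arrived on the inside interface"
    # 2. Client access list: rights granted or denied by source address.
    if any(src in net for net in pol.blocked_clients):
        return "DROP", "client access list: source address is blocked"
    # 3. Server access list: LAN users may not reach listed servers.
    if pkt.iface == "inside" and any(dst in net for net in pol.blocked_servers):
        return "DROP", "server access list: destination server is blocked"
    # 4. Packet filtering by service.
    if pkt.dport in pol.allowed_ports:
        return "PASS", f"port {pkt.dport} is allowed for everyone"
    for net, ports in pol.trusted_lans.items():
        if pkt.dport in ports and (src in net or dst in net):
            return "PASS", f"port {pkt.dport} is allowed with trusted LAN {net}"
    return "DROP", f"port {pkt.dport} is not an allowed service"


CORPORATE_POLICY = Policy(
    lan=ip_network("192.168.1.0/24"),
    allowed_ports={SERVICE_PORTS[s] for s in ("HTTP", "DNS", "POP3", "SMTP")},
    trusted_lans={ip_network("198.51.100.0/24"): {SERVICE_PORTS["FTP"]}},  # partner LAN known to be secure
    blocked_clients=[ip_network("203.0.113.66/32")],                       # a known spam source
    blocked_servers=[ip_network("203.0.113.200/32")],                      # a site LAN users may not visit
)

# Constructed traffic sample with the verdict each packet should receive.
SAMPLE_TRAFFIC = [
    (Packet("outside", "203.0.113.7", "192.168.1.10", 80), "PASS"),   # web request from the Internet
    (Packet("outside", "192.168.1.5", "192.168.1.10", 21), "DROP"),   # LAN address spoofed from outside
    (Packet("inside", "192.168.1.5", "198.51.100.20", 21), "PASS"),   # FTP to the trusted partner LAN
    (Packet("inside", "192.168.1.5", "203.0.113.7", 23), "DROP"),     # Telnet to an untrusted host
    (Packet("outside", "203.0.113.66", "192.168.1.10", 25), "DROP"),  # mail from the blocked spammer
    (Packet("inside", "192.168.1.5", "203.0.113.200", 80), "DROP"),   # LAN user to a blocked server
]


def run_sample():
    """Filter every sample packet; returns [(verdict, reason), ...]."""
    return [filter_packet(pkt, CORPORATE_POLICY) for pkt, _ in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (pkt, expected), (verdict, reason) in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{verdict:4} (expected {expected}) {pkt.src} -> {pkt.dst}:{pkt.dport}: {reason}")
```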
User Authentication
Sometimes legitimate users need to log in from home and use FTP facilities. This can be
accomplished using User Authentication. When implemented properly, an outside user
can dial into the LAN (passing through the firewall), and submit both a user name and a
password. This can be easily defeated if a listener simply records the raw packets the
legitimate user sends for authentication. Even if the user name and password are sent with
weak encryption, a simple playback of this recording at the appropriate time will breach
these security measures. Strong encryption algorithms such as public key encryption
should be used so the data is not encrypted the same way every time. Once the connection
is established, the degree of encryption can be lowered or eliminated. It is important to
regulate this practice very closely. If users are allowed to create their own passwords and
do not have to change them frequently, illegitimate users may be able to find these
passwords quite easily (for instance, trying the names of the user's children).
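The playback problem described above, as an added example that is not the report's code. The report recommends public key encryption so that the authentication data is never the same twice; this example reaches the same goal with a simpler swapped-in mechanism, an HMAC challenge-response over a one-time server nonce, and contrasts it with a static-token login that a recorded copy can replay. User names, passwords and the password-to-key derivation are constructed for the example.

```python
"""Replay of a recorded login versus a nonce challenge-response.

Added example, not the report's own code. The challenge-response scheme
stands in for the "different every time" property the report asks for;
credentials and the key derivation below are constructed.
"""
import hashlib
import hmac
import secrets


def derive_key(password):
    # Placeholder derivation for the example; a real system uses a password
    # KDF such as hashlib.pbkdf2_hmac with a per-user salt.
    return hashlib.sha256(password.encode()).digest()


class StaticTokenServer:
    """Weak scheme from the text: the client sends the same token every time,
    so whatever a listener records is as good as the password."""

    def __init__(self, users):
        self.tokens = {u: derive_key(p).hex() for u, p in users.items()}

    def login(self, user, token):
        return hmac.compare_digest(self.tokens.get(user, ""), token)


class ChallengeResponseServer:
    """The server issues a fresh random nonce per attempt; the client answers
    with HMAC(key, nonce). The answer differs every time and a nonce is
    accepted only once, so a recorded exchange cannot be played back."""

    def __init__(self, users):
        self.keys = {u: derive_key(p) for u, p in users.items()}
        self.pending = {}   # user -> nonce issued and not yet answered
        self.used = set()   # nonces already consumed (bound and expire these in real use)

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, nonce, response):
        issued = self.pending.pop(user, None)
        if issued is None or nonce != issued or nonce in self.used:
            return False    # stale, unknown or already-used nonce
        self.used.add(nonce)
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_answer(password, nonce):
    """What the legitimate client computes for a challenge."""
    return hmac.new(derive_key(password), nonce.encode(), hashlib.sha256).hexdigest()


def replay_outcomes():
    """One legitimate login and one playback of the recorded messages against
    each server; returns whether each attempt was accepted."""
    users = {"alice": "correct horse battery staple"}      # constructed credentials
    out = {}

    static = StaticTokenServer(users)
    recorded_token = derive_key(users["alice"]).hex()       # what a listener saw on the wire
    out["static_first_login"] = static.login("alice", recorded_token)
    out["static_replay"] = static.login("alice", recorded_token)

    cr = ChallengeResponseServer(users)
    nonce = cr.challenge("alice")
    recorded_answer = client_answer(users["alice"], nonce)  # listener records nonce and answer
    out["challenge_first_login"] = cr.login("alice", nonce, recorded_answer)
    cr.challenge("alice")                                   # a new nonce is issued next time
    out["challenge_replay"] = cr.login("alice", nonce, recorded_answer)
    return out


if __name__ == "__main__":
    for attempt, accepted in replay_outcomes().items():
        print(f"{attempt:22} accepted={accepted}")
```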
Address Obfuscation
Address Obfuscation is another feature provided by firewalls. When implemented
properly in conjunction with other firewall features, it can greatly increase LAN security.
When inside the LAN, users see each other's actual IP addresses. However, the outside world
sees different IP addresses, sometimes dynamic in nature. This prevents illegitimate users
from identifying resources behind the firewall.
6.3 Summary
We can conclude that HSRP does not offer a load balancing service, because even with
increasing and decreasing levels of complexity of the links, the generated traffic remained
the same. By observing the result, we can conclude that after configuring the GLBP the
specific link was able to handle the generated traffic. In a complex AS, more traffic will
be generated to accommodate its complexity. Unlike HSRP, GLBP is seen to redirect
traffic accordingly to cater to the dynamic complexity of the link to the AS.
CHAPTER- 7
IMPLEMENTATION RESULTS
Part 1: Verify Connectivity and Explore the ASA
Note: This Packet Tracer activity starts with 20% of the assessment items marked as complete.
This is to ensure that you do not inadvertently change some ASA default values. For example,
the default name of the inside interface is “inside” and should not be changed. Click Check
Results to see which assessment items are already scored as correct.
Step 1: Verify connectivity. The ASA is not currently configured. However, all routers,
PCs, and the DMZ server are configured. Verify that PC-C can ping any router interface.
PC-C is unable to ping the ASA, PC-B, or the DMZ server.
Step 2: Determine the ASA version, interfaces, and license. Use the show version
command to determine various aspects of this ASA device.
Step 3: Determine the file system and contents of flash memory.
a. Enter privileged EXEC mode. A password has not been set. Press Enter when
prompted for a password.
b. Use the show file system command to display the ASA file system and determine
which prefixes are supported.
c. Use the show flash: or show disk0: command to display the contents of flash memory.
Part 2: Configure ASA Settings and Interface Security Using the CLI
Tip: Many ASA CLI commands are similar to, if not the same as, those used with the Cisco IOS
CLI. In addition, the process of moving between configuration modes and sub-modes is
essentially the same.
Step 1: Configure the hostname and domain name.
a. Configure the ASA hostname as CCNAS-ASA.
b. Configure the domain name as ccnasecurity.com.
Step 2: Configure the enable mode password. Use the enable password command to
change the privileged EXEC mode password to ciscoenpa55.
Step 3: Set the date and time. Use the clock set command to manually set the date and
time (this step is not scored).
Step 4: Configure the inside and outside interfaces. You will only configure the VLAN 1
(inside) and VLAN 2 (outside) interfaces at this time. The VLAN 3 (dmz) interface will
be configured in Part 5 of the activity.
a. Configure a logical VLAN 1 interface for the inside network (192.168.1.0/24) and set
the security level to the highest setting of 100.
CCNAS-ASA(config)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# security-level 100
b. Create a logical VLAN 2 interface for the outside network (209.165.200.224/29), set
the security level to the lowest setting of 0, and enable the VLAN 2 interface.
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# security-level 0
c. Use the following verification commands to check your configurations:
1) Use the show interface ip brief command to display the status for all ASA interfaces.
Note: This command is different from the IOS command show ip interface brief. If any of the
physical or logical interfaces previously configured are not up/up, troubleshoot as necessary
before continuing.
Tip: Most ASA show commands, including ping, copy, and others, can be issued from within any
configuration mode prompt without the do command.
2) Use the show ip address command to display the information for the Layer 3 VLAN
interfaces.
3) Use the show switch vlan command to display the inside and outside VLANs configured on
the ASA and to display the assigned ports.
Step 5: Test connectivity to the ASA.
a. You should be able to ping from PC-B to the ASA inside interface address (192.168.1.1).
If the pings fail, troubleshoot the configuration as necessary.
b. From PC-B, ping the VLAN 2 (outside) interface at IP address 209.165.200.226. You
should not be able to ping this address.
Part 3: Configure Routing, Address Translation, and Inspection Policy Using the CLI
Step 1: Configure a static default route for the ASA.
Configure a default static route on the ASA outside interface to enable the ASA to reach
external networks.
a. Create a “quad zero” default route using the route command, associate it with the ASA
outside interface, and point to the R1 G0/0 IP address (209.165.200.225) as the gateway of
last resort.
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225
b. Issue the show route command to verify the static default route is in the ASA routing
table.
c. Verify that the ASA can ping the R1 S0/0/0 IP address 10.1.1.1. If the ping is
unsuccessful, troubleshoot as necessary.
Step 2: Configure address translation using PAT and network objects.
a. Create network object inside-net and assign attributes to it using the subnet and nat
commands.
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# end
b. The ASA splits the configuration into the object portion that defines the network to be
translated and the actual nat command parameters. These appear in two different places in
the running configuration. Display the NAT object configuration using the show run command.
c. From PC-B attempt to ping the R1 G0/0 interface at IP address 209.165.200.225. The
pings should fail.
d. Issue the show nat command on the ASA to see the translated and untranslated hits.
Notice that, of the pings from PC-B, four were translated and four were not. The outgoing
pings (echos) were translated and sent to the destination. The returning echo replies were
blocked by the firewall policy. You will configure the default inspection policy to allow
ICMP in Step 3 of this part of the activity.
Step 3: Modify the default MPF application inspection global service policy.
For application layer inspection and other advanced options, the Cisco MPF is available
on ASAs. The Packet Tracer ASA device does not have an MPF policy map in place by default.
As a modification, we can create the default policy map that will perform the inspection on
inside-to-outside traffic. When configured correctly, only traffic initiated from the inside
is allowed back in to the outside interface. You will need to add ICMP to the inspection
list.
a. Create the class-map, policy-map, and service-policy. Add the inspection of ICMP
traffic to the policy map list using the following commands:
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# exit
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config)# service-policy global_policy global
b. From PC-B, attempt to ping the R1 G0/0 interface at IP address 209.165.200.225. The
pings should be successful this time because ICMP traffic is now being inspected and
legitimate return traffic is being allowed. If the pings fail, troubleshoot your
configurations.
Part 4: Configure DHCP, AAA, and SSH
Step 1: Configure the ASA as a DHCP server.
a. Configure a DHCP address pool and enable it on the ASA inside interface.
CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 inside
b. (Optional) Specify the IP address of the DNS server to be given to clients.
CCNAS-ASA(config)# dhcpd dns 209.165.201.2 interface inside
c. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the
enabled interface (inside).
CCNAS-ASA(config)# dhcpd enable inside
d. Change PC-B from a static IP address to a DHCP client, and verify that it receives IP
addressing information. Troubleshoot as necessary to resolve any problems.
Step 2: Configure AAA to use the local database for authentication.
a. Define a local user named admin by entering the username command. Specify a
password of adminpa55.
CCNAS-ASA(config)# username admin password adminpa55
b. Configure AAA to use the local ASA database for SSH user authentication.
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
Step 3: Configure remote access to the ASA.
The ASA can be configured to accept connections from a single host or a range of hosts
on the inside or outside network. In this step, hosts from the outside network can only use
SSH to communicate with the ASA. SSH sessions can be used to access the ASA from the inside
network.
a. Generate an RSA key pair, which is required to support SSH connections. Because the
ASA device has RSA keys already in place, enter no when prompted to replace them.
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: no
ERROR: Failed to create new RSA keys named <Default-RSA-Key>
b. Configure the ASA to allow SSH connections from any host on the inside network
(192.168.1.0/24) and from the remote management host at the branch office (172.16.3.3) on
the outside network. Set the SSH timeout to 10 minutes (the default is 5 minutes).
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside
CCNAS-ASA(config)# ssh timeout 10
c. Establish an SSH session from PC-C to the ASA (209.165.200.226). Troubleshoot if it
is not successful.
PC> ssh -l admin 209.165.200.226
d. Establish an SSH session from PC-B to the ASA (192.168.1.1). Troubleshoot if it is not
successful.
PC> ssh -l admin 192.168.1.1
Part 5: Configure a DMZ, Static NAT, and ACLs
R1 G0/0 and the ASA outside interface already use 209.165.200.225 and .226, respectively.
You will use public address 209.165.200.227 and static NAT to provide address translation
access to the server.
Step 1: Configure the DMZ interface VLAN 3 on the ASA.
a. Configure DMZ VLAN 3, which is where the public access web server will reside. Assign it
IP address 192.168.2.1/24, name it dmz, and assign it a security level of 70. Because the
server does not need to initiate communication with the inside users, disable forwarding to
interface VLAN 1.
CCNAS-ASA(config)# interface vlan 3
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
b. Assign ASA physical interface E0/2 to DMZ VLAN 3 and enable the interface.
CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
c. Use the following verification commands to check your configurations:
1) Use the show interface ip brief command to display the status for all ASA interfaces.
2) Use the show ip address command to display the information for the Layer 3 VLAN
interfaces.
3) Use the show switch vlan command to display the inside and outside VLANs configured on
the ASA and to display the assigned ports.
Step 2: Configure static NAT to the DMZ server using a network object.
Configure a network object named dmz-server and assign it the static IP address of the
DMZ server (192.168.2.3). While in object definition mode, use the nat command to specify
that this object is used to translate a DMZ address to an outside address using static NAT,
and specify a public translated address of 209.165.200.227.
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
Configure a named access list OUTSIDE-DMZ that permits the TCP protocol on port 80 from
any external host to the internal IP address of the DMZ server. Apply the access list to
the ASA outside interface in the “IN” direction.
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit icmp any host 192.168.2.3
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit tcp any host 192.168.2.3 eq 80
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal
private DMZ address. External hosts access the server using its public static NAT address,
the ASA translates it to the internal host IP address, and then applies the ACL.
Step 4: Test access to the DMZ server.
At the time this Packet Tracer activity was created, the ability to successfully test outside
access to the DMZ web server was not in place; therefore, successful testing is not required.
Step 5: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and
verification of which required components have been completed.
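A small model of the packet path configured in Parts 3 and 5, as an added example that is neither Cisco's code nor the lab's own: it reproduces the echo replies being dropped until ICMP is inspected (Part 3, Steps 2 and 3), the PAT of inside sources to the outside interface address (which is also what hides internal addresses, the address obfuscation of Chapter 6), and static NAT un-translating an inbound packet before the OUTSIDE-DMZ ACL is evaluated (the Note in Part 5, Step 3). The class names, the single connection table, the unchanged-port PAT and PC-B's address 192.168.1.3 are assumptions made here; the other addresses are the lab's.

```python
"""Model of the ASA packet path from Parts 3 and 5 of the activity.

Added example, not Cisco's code or the lab's own. The connection table,
PAT without port rewriting and PC-B's address (192.168.1.3) are
simplifications and assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "inside" or "outside"
    proto: str      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # TCP source port, or the ICMP echo identifier
    dport: int = 0  # TCP destination port, or the ICMP echo identifier


class Asa:
    OUTSIDE_IP = "209.165.200.226"                        # interface vlan 2, nameif outside
    STATIC_NAT = {"192.168.2.3": "209.165.200.227"}       # object network dmz-server
    # access-list OUTSIDE-DMZ as (protocol, real destination, port or None)
    OUTSIDE_DMZ = [("icmp", "192.168.2.3", None), ("tcp", "192.168.2.3", 80)]

    def __init__(self, inspect_icmp=False, acl=None):
        self.inspect_icmp = inspect_icmp   # True once "inspect icmp" is in global_policy
        self.acl = self.OUTSIDE_DMZ if acl is None else acl
        self.conns = set()                 # tracked connections created by outbound flows
        self.xlate = {}                    # PAT table: (proto, mapped ip, port) -> real source
        self.translated = 0                # "show nat" translated hits

    @staticmethod
    def _key(proto, a, b, a_port, b_port):
        # an ICMP flow is identified by its echo identifier only
        return (proto, a, b, a_port) if proto == "icmp" else (proto, a, b, a_port, b_port)

    def process(self, pkt):
        """Return (verdict, reason) for one packet; verdict is "PASS" or "DROP"."""
        return self._outbound(pkt) if pkt.iface == "inside" else self._inbound(pkt)

    def _outbound(self, pkt):
        # inside (100) -> outside (0) is allowed by security level and PAT-ed to the
        # interface address. Without "inspect icmp" an echo request creates no connection.
        if pkt.proto != "icmp" or self.inspect_icmp:
            self.conns.add(self._key(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        self.xlate[(pkt.proto, self.OUTSIDE_IP, pkt.sport)] = pkt.src
        self.translated += 1
        return "PASS", f"src {pkt.src} translated to {self.OUTSIDE_IP}"

    def _inbound(self, pkt):
        # 1. Un-translate the destination first: static NAT, then the PAT table.
        real_dst = next((r for r, m in self.STATIC_NAT.items() if m == pkt.dst), None)
        if real_dst is None and pkt.dst == self.OUTSIDE_IP:
            real_dst = self.xlate.get((pkt.proto, pkt.dst, pkt.dport))
        if real_dst is None:
            real_dst = pkt.dst
        # 2. Return traffic of a tracked connection needs no ACL.
        if self._key(pkt.proto, real_dst, pkt.src, pkt.dport, pkt.sport) in self.conns:
            return "PASS", f"return traffic of a tracked connection to {real_dst}"
        # 3. Otherwise the ACL is evaluated against the real, un-translated address.
        for proto, ip, port in self.acl:
            if proto == pkt.proto and ip == real_dst and port in (None, pkt.dport):
                return "PASS", f"ACL permit {proto} to real address {real_dst}"
        return "DROP", f"outside (0) to higher level: no connection and no ACL match for {real_dst}"


def lab_results():
    """Replay the lab's checks; returns the verdict for each one."""
    echo = Packet("inside", "icmp", "192.168.1.3", "209.165.200.225", 7, 7)
    reply = Packet("outside", "icmp", "209.165.200.225", "209.165.200.226", 7, 7)
    web = Packet("outside", "tcp", "203.0.113.9", "209.165.200.227", 51000, 80)   # constructed client
    telnet = Packet("outside", "tcp", "203.0.113.9", "209.165.200.227", 51001, 23)
    out = {}
    asa = Asa(inspect_icmp=False)
    asa.process(echo)
    out["echo_reply_without_inspection"] = asa.process(reply)[0]   # Part 3, Step 2: pings fail
    asa = Asa(inspect_icmp=True)
    asa.process(echo)
    out["echo_reply_with_inspection"] = asa.process(reply)[0]      # Part 3, Step 3: pings succeed
    out["dmz_http_from_internet"] = Asa().process(web)[0]          # un-translated, then ACL permits
    out["dmz_telnet_from_internet"] = Asa().process(telnet)[0]     # no ACL entry for port 23
    ios_style = Asa(acl=[("tcp", "209.165.200.227", 80)])          # ACL written on the public address
    out["acl_on_public_address"] = ios_style.process(web)[0]       # never matches on the ASA
    return out


if __name__ == "__main__":
    for check, verdict in lab_results().items():
        print(f"{check:32} {verdict}")
```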
CHAPTER-8
CONCLUSION AND FUTURE ENHANCEMENT
8.1 CONCLUSION:
It is clear that some form of security for private networks connected to the internet is
essential. A firewall is an important and necessary part of that security, but cannot be
expected to perform all the required security functions.
8.2 FUTURE ENHANCEMENT
Firewalls will continue to advance as the attacks on IT industry and infrastructure become
more and more sophisticated. Firewalls that scan for viruses as they enter the network are
one such advance; several firms are currently exploring this idea, but it is not yet in wide
use.
APPENDICES
APPENDIX A
Sample Screen Shots
APPENDIX B
Sample Source Code
Router1>
Preliminary Configuration at Router1
Router1>enable
Router1# configure terminal
Router1(config)# interface loopback 0
Router1(config-if)# ip address 10.10.10.101 255.255.255.255
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# interface serial 0/1
Router1(config-if)# ip address 172.16.1.1 255.255.255.252
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# interface serial 0/0
Router1(config-if)# ip address 10.10.10.1 255.255.255.252
Router1(config-if)# no shutdown
Router1(config-if)# end
Router1# wr
Configure Routing Protocol OSPF on Router 1
Router1# configure terminal
Router1(config)# ip routing
Router1(config)# router ospf 10
Router1(config-router)# router-id 10.10.10.101
Router1(config-router)# network 10.10.10.0 0.0.0.3 area 0
Router1(config-router)# network 10.10.10.101 0.0.0.0 area 0
Router1(config-router)# end
Router1# wr
MPLS configuration on Router 1
Router1# config t
Router1(config)# ip cef
Router1(config)# mpls ip
Router1(config)# mpls label protocol ldp
Router1(config)# mpls label range 100 199
Router1(config)# mpls ldp router-id loopback 0
Router1(config)# interface serial 0/0
Router1(config-if)# mpls ip
Router1(config-if)# mpls label protocol ldp
Router1(config-if)# end
Router1# wr
Router 2
Router2>
Preliminary Configuration at Router2
Router2>enable
Router2# configure terminal
Router2(config)# interface loopback 0
Router2(config-if)# ip address 10.10.10.100 255.255.255.255
Router2(config-if)# no shutdown
Router2(config-if)# exit
Router2(config)# interface serial 0/0
Router2(config-if)# ip address 10.10.10.2 255.255.255.252
Router2(config-if)# no shutdown
Router2(config-if)# exit
Router2(config)# interface serial 0/1
Router2(config-if)# ip address 10.10.10.6 255.255.255.252
Router2(config-if)# no shutdown
Router2(config-if)# exit
Configure Routing Protocol OSPF on Router 2
Router2(config)# ip routing
Router2(config)# router ospf 10
Router2(config-router)# router-id 10.10.10.100
Router2(config-router)# network 10.10.10.100 0.0.0.0 area 0
Router2(config-router)# network 10.10.10.4 0.0.0.3 area 0
Router2(config-router)# network 10.10.10.0 0.0.0.3 area 0
Router2(config-router)# end
Router2# wr
MPLS configuration on Router 2
Router2# config t
Router2(config)# ip cef
Router2(config)# mpls ip
Router2(config)# mpls label protocol ldp
Router2(config)# mpls label range 200 299
Router2(config)# mpls ldp router-id loopback 0
Router2(config)# interface serial 0/0
Router2(config-if)# mpls ip
Router2(config-if)# mpls label protocol ldp
Router2(config-if)# exit
Router2(config)# interface serial 0/1
Router2(config-if)# mpls ip
Router2(config-if)# mpls label protocol ldp
Router2(config-if)# end
Router2# wr
Router 3

Router3>

Preliminary Configuration at Router3

Router3>enable

Router3# configure terminal


Router3(config)# interface loopback 0
Router3(config-if)# ip address 10.10.10.102 255.255.255.255
Router3(config-if)# no shutdown
Router3(config-if)# exit

Router3(config)# interface serial 1/0


Router3(config-if)# ip address 172.16.2.1 255.255.255.252
Router3(config-if)# no shutdown
Router3(config-if)# exit

Router3(config)# interface serial 1/1


Router3(config-if)# ip address 10.10.10.5 255.255.255.252
Router3(config-if)# no shutdown
Router3(config-if)# exit
Router3(config)#interface serial 1/2
Router3(config-if)# ip address 192.168.2.1 255.255.255.252
Router3(config-if)# no shutdown
Router3(config-if)# end
Router3# wr

Configure Routing Protocol OSPF on Router 3

Router3(config)# ip routing
Router3(config)# router ospf 10
Router3(config-router)# router-id 10.10.10.103
Router3(config-router)# network 10.10.10.4 0.0.0.3 area 0
Router3(config-router)# network 10.10.10.102 0.0.0.0 area 0
Router3(config-router)# end
Router3# wr

MPLS configuration on Router 3

Router3# config t
Router3(config)# ip cef
Router3(config)# mpls ip
Router3(config)# mpls label protocol ldp
Router3(config)# mpls label range 300 399
Router3(config)# mpls ldp router-id loopback 0

Router3(config)# interface serial 1/1
Router3(config-if)# mpls ip
Router3(config-if)# mpls label protocol ldp
Router3(config-if)# exit

Checking LDP
Run these show commands in privileged mode on every ISP router to verify LDP and
observe the outputs:

Router# sh ip route
Router# sh mpls interfaces
Router# sh mpls ldp neighbor
Router# sh mpls ldp bindings
Router# sh mpls forwarding-table
Router# sh mpls ip binding

-------------------------------------------------------------------------------------
Customer Configuration

Router 4

Router4>

Preliminary Configuration at Router4

Router4>enable
Router4# configure terminal

Router4(config)# interface serial 0/0
Router4(config-if)# ip address 172.16.1.2 255.255.255.252
Router4(config-if)# no shutdown
Router4(config-if)# exit

Router4(config)# interface fa 0/0
Router4(config-if)# ip address 172.16.10.1 255.255.255.0
Router4(config-if)# no shutdown
Router4(config-if)# exit

Configure Routing Protocol BGP on Router 4


Router4(config)# router bgp 65001
Router4(config-router)# no synchronization
Router4(config-router)# no auto-summary
Router4(config-router)# network 172.16.10.0 mask 255.255.255.0
Router4(config-router)# neighbor 172.16.1.1 remote-as 1
Router4(config-router)# end
Router4# wr

Router 5

Router5>

Preliminary Configuration at Router5

Router5>enable
Router5# configure terminal

Router5(config)# interface fastethernet 0/0
Router5(config-if)# ip address 192.168.10.1 255.255.255.0
Router5(config-if)# no shutdown
Router5(config-if)# exit

Router5(config)# interface serial 0/0
Router5(config-if)# ip address 192.168.1.2 255.255.255.252
Router5(config-if)# no shutdown
Router5(config-if)# end
Router5# wr

Configure Routing Protocol BGP on Router 5

Router5(config)# router bgp 65001
Router5(config-router)# no synchronization
Router5(config-router)# no auto-summary
Router5(config-router)# network 192.168.10.0 mask 255.255.255.0
Router5(config-router)# neighbor 192.168.1.1 remote-as 1
Router5(config-router)# end
Router5# wr

Router 6

Router6>

Preliminary Configuration at Router6

Router6>enable

Router6# configure terminal

Router6(config)# interface fastethernet 0/0
Router6(config-if)# ip address 172.16.20.1 255.255.255.0
Router6(config-if)# no shutdown
Router6(config-if)# exit

Router6(config)# interface serial 0/1
Router6(config-if)# ip address 172.16.2.2 255.255.255.252
Router6(config-if)# no shutdown
Router6(config-if)# end
Router6# wr

Configure Routing Protocol BGP on Router 6

Router6(config)# router bgp 65002
Router6(config-router)# no synchronization
Router6(config-router)# no auto-summary
Router6(config-router)# network 172.16.20.0 mask 255.255.255.0
Router6(config-router)# neighbor 172.16.2.1 remote-as 1
Router6(config-router)# end
Router6# wr

Router 7

Router7>

Preliminary Configuration at Router7

Router7>enable
Router7# configure terminal

Router7(config)# interface fastethernet 0/0
Router7(config-if)# ip address 192.168.20.1 255.255.255.0
Router7(config-if)# no shutdown
Router7(config-if)# exit

Router7(config)# interface serial 0/0
Router7(config-if)# ip address 192.168.2.2 255.255.255.252
Router7(config-if)# no shutdown
Router7(config-if)# end
Router7# wr

Configure Routing Protocol BGP on Router 7

Router7(config)# router bgp 65001
Router7(config-router)# no synchronization
Router7(config-router)# no auto-summary
Router7(config-router)# network 192.168.20.0 mask 255.255.255.0
Router7(config-router)# neighbor 192.168.2.1 remote-as 1
Router7(config-router)# end
Router7# wr

MPLS VPN CONFIGURATION

Provider Edge ROUTER1

Creation of VPN (VRF table) and assigning route-distinguisher/route-target:-

ROUTER1# config t
ROUTER1(config)# ip vrf CUST_A
ROUTER1(config-vrf)# rd 1:100
ROUTER1(config-vrf)# route-target both 1:100
ROUTER1(config-vrf)# exit

ROUTER1(config)# ip vrf CUST_B
ROUTER1(config-vrf)# rd 1:200
ROUTER1(config-vrf)# route-target both 1:200
ROUTER1(config-vrf)# exit

(Note: 1 is the AS number of the ISP.)

Assigning an interface to the VRF table:-

ROUTER1(config)# interface s 0/1
ROUTER1(config-if)# ip vrf forwarding CUST_A

(Applying ip vrf forwarding removes the IP address 172.16.1.1 already configured on
the interface, so the address has to be configured again.)

ROUTER1(config-if)# ip address 172.16.1.1 255.255.255.252
ROUTER1(config-if)# no shut
ROUTER1(config-if)# end
ROUTER1# wr

Assigning an interface to the VRF table:-

ROUTER1# config t
ROUTER1(config)# interface s 0/2
ROUTER1(config-if)# ip vrf forwarding CUST_B

(Applying ip vrf forwarding removes the IP address 192.168.1.1 already configured on
the interface, so the address has to be configured again.)

ROUTER1(config-if)# ip address 192.168.1.1 255.255.255.252
ROUTER1(config-if)# no shut
ROUTER1(config-if)# end
ROUTER1# wr
Configuring MP-iBGP with the other PE router (ROUTER3) and eBGP with the customer
routers

ROUTER1# config t
ROUTER1(config)# router bgp 1
ROUTER1(config-router)# neighbor 10.10.10.102 remote-as 1
ROUTER1(config-router)# neighbor 10.10.10.102 update-source loopback0

ROUTER1(config-router)# address-family ipv4 vrf CUST_A
ROUTER1(config-router-af)# no auto-summary
ROUTER1(config-router-af)# no synchronization
ROUTER1(config-router-af)# neighbor 172.16.1.2 remote-as 65001
ROUTER1(config-router-af)# neighbor 172.16.1.2 activate
ROUTER1(config-router-af)# exit

ROUTER1(config-router)# address-family ipv4 vrf CUST_B
ROUTER1(config-router-af)# no auto-summary
ROUTER1(config-router-af)# no synchronization
ROUTER1(config-router-af)# neighbor 192.168.1.2 remote-as 65001
ROUTER1(config-router-af)# neighbor 192.168.1.2 activate
ROUTER1(config-router-af)# neighbor 192.168.1.2 as-override
ROUTER1(config-router-af)# exit

ROUTER1(config-router)# address-family vpnv4
ROUTER1(config-router-af)# neighbor 10.10.10.102 activate
ROUTER1(config-router-af)# neighbor 10.10.10.102 send-community extended
ROUTER1(config-router-af)# exit-address-family
ROUTER1(config-router)# end
ROUTER1# wr

Provider Edge ROUTER3

Creation of VPN (VRF table) and assigning route-distinguisher/route-target:-

ROUTER3# config t
ROUTER3(config)# ip vrf CUST_A
ROUTER3(config-vrf)# rd 1:100
ROUTER3(config-vrf)# route-target both 1:100
ROUTER3(config-vrf)# exit

ROUTER3(config)# ip vrf CUST_B
ROUTER3(config-vrf)# rd 1:200
ROUTER3(config-vrf)# route-target both 1:200
ROUTER3(config-vrf)# exit

(Note: 1 is the AS number of the ISP.)

Assigning an interface to the VRF table:-

ROUTER3(config)# interface s 1/0
ROUTER3(config-if)# ip vrf forwarding CUST_A

(Applying ip vrf forwarding removes the IP address 172.16.2.1 already configured on
the interface, so the address has to be configured again.)

ROUTER3(config-if)# ip address 172.16.2.1 255.255.255.252
ROUTER3(config-if)# no shut
ROUTER3(config-if)# end
ROUTER3# wr

Assigning an interface to the VRF table:-

ROUTER3# config t
ROUTER3(config)# interface s 1/2
ROUTER3(config-if)# ip vrf forwarding CUST_B

(Applying ip vrf forwarding removes the IP address 192.168.2.1 already configured on
the interface, so the address has to be configured again.)

ROUTER3(config-if)# ip address 192.168.2.1 255.255.255.252
ROUTER3(config-if)# no shut
ROUTER3(config-if)# end
ROUTER3# wr

Configuring MP-iBGP with the other PE router (ROUTER1) and eBGP with the customer
routers

ROUTER3# config t
ROUTER3(config)# router bgp 1
ROUTER3(config-router)# neighbor 10.10.10.101 remote-as 1
ROUTER3(config-router)# neighbor 10.10.10.101 update-source loopback0

ROUTER3(config-router)# address-family ipv4 vrf CUST_A
ROUTER3(config-router-af)# no auto-summary
ROUTER3(config-router-af)# no synchronization
ROUTER3(config-router-af)# neighbor 172.16.2.2 remote-as 65002
ROUTER3(config-router-af)# neighbor 172.16.2.2 activate
ROUTER3(config-router-af)# exit

ROUTER3(config-router)# address-family ipv4 vrf CUST_B
ROUTER3(config-router-af)# no auto-summary
ROUTER3(config-router-af)# no synchronization
ROUTER3(config-router-af)# neighbor 192.168.2.2 remote-as 65001
ROUTER3(config-router-af)# neighbor 192.168.2.2 activate
ROUTER3(config-router-af)# neighbor 192.168.2.2 as-override
ROUTER3(config-router-af)# exit

ROUTER3(config-router)# address-family vpnv4
ROUTER3(config-router-af)# neighbor 10.10.10.101 activate
ROUTER3(config-router-af)# neighbor 10.10.10.101 send-community extended
ROUTER3(config-router-af)# exit-address-family
ROUTER3(config-router)# end
ROUTER3# wr

To check the result

ROUTER1# sh ip route vrf CUST_A
ROUTER1# sh ip route vrf CUST_B
ROUTER1# ping vrf CUST_A 172.16.10.1
ROUTER1# ping vrf CUST_B 192.168.10.1

ROUTER3# sh ip route vrf CUST_A
ROUTER3# sh ip route vrf CUST_B
ROUTER3# ping vrf CUST_A 172.16.20.1
ROUTER3# ping vrf CUST_B 192.168.20.1

Check end-to-end connectivity between the customer's branch sites by connecting PCs to
the customer routers and pinging the PC IP addresses from one site to the other.
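The show and ping commands above are run by hand on each router. The script below is an added example, not part of this project's configuration: it reads IOS lines pasted in the form used in this appendix and flags three mistakes a reviewer would look for, namely an empty mpls label range, a loopback used as LDP/iBGP router-id that no OSPF network statement covers, and two VRFs whose route-targets overlap, which would merge the two customers' routing tables on the PE. Its sample inputs are constructed from the appendix's own values plus a hypothetical CUST_B block that wrongly imports CUST_A's route-target.

```python
import re
from collections import defaultdict

def parse_ios(text):
    """Pull the few facts the checks need out of a pasted IOS session."""
    cfg = {"rt": defaultdict(lambda: {"import": set(), "export": set()}),
           "label_range": None, "loopbacks": [], "ospf_nets": set()}
    vrf = iface = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()       # drop the "Router(config)#" prompt
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf = m.group(1)
        elif m := re.match(r"route-target (both|import|export) (\S+)$", line):
            for k in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                cfg["rt"][vrf][k].add(m.group(2))
        elif m := re.match(r"mpls label range (\d+) (\d+)$", line):
            cfg["label_range"] = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1).lower()
        elif m := re.match(r"ip address (\S+) 255\.255\.255\.255$", line):
            if iface and iface.startswith("loopback"):
                cfg["loopbacks"].append(m.group(1))
        elif m := re.match(r"network (\S+) (\S+) area", line):
            cfg["ospf_nets"].add((m.group(1), m.group(2)))
    return cfg

def check(cfg):
    """Return human-readable problems; an empty list means the config passed."""
    problems = []
    if cfg["label_range"] and cfg["label_range"][0] > cfg["label_range"][1]:
        problems.append("mpls label range %d %d is empty (min above max)" % cfg["label_range"])
    for lb in cfg["loopbacks"]:         # LDP router-id and iBGP update-source live here
        if (lb, "0.0.0.0") not in cfg["ospf_nets"]:
            problems.append(f"loopback {lb} has no OSPF network statement; LDP/iBGP to it will fail")
    rt = cfg["rt"]
    for a in rt:
        for b in rt:                    # any shared RT joins two customers' tables
            if a < b and (rt[a]["import"] & rt[b]["export"] or rt[b]["import"] & rt[a]["export"]):
                problems.append(f"VRFs {a} and {b} exchange route-targets: customer routes leak")
    return problems

# Constructed samples: Router3's lines as printed in the appendix, and a hypothetical PE where CUST_B imports CUST_A's RT.
ROUTER3_AS_PRINTED = """Router3(config)# interface loopback 0
Router3(config-if)# ip address 10.10.10.102 255.255.255.255
Router3(Config-router)#network 10.10.10.103 0.0.0.0 area 0"""
LEAKY_PE = """ROUTER1 (config)#ip vrf CUST_A
ROUTER1 (config-vrf)#route-target both 1:100
ROUTER1 (config)#ip vrf CUST_B
ROUTER1 (config-vrf)#route-target both 1:200
ROUTER1 (config-vrf)#route-target import 1:100"""
```

Running check(parse_ios(...)) over each router's pasted session before the lab is brought up catches the label-range and loopback mismatches that otherwise only show as a missing LDP neighbor or an idle vpnv4 session.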

APPENDIX C
Base Paper