Design and Implementation Plan for Network Based on the ALOHA Point of Sale System. Proposed by Jedadiah Casey. Introduction

Size: px

Start display at page:

Download "Design and Implementation Plan for Network Based on the ALOHA Point of Sale System. Proposed by Jedadiah Casey. Introduction"

Brice Dalton
6 years ago
Views:

1 Design and Implementation Plan for Network Based on the ALOHA Point of Sale System Proposed by Jedadiah Casey Introduction The goal of this design document is to provide a framework of suggested implementation for a computer network based on the Aloha Point of Sale software. Aloha uses a central server for all processing and management tasks, which all terminals connect to over the Local Area Network (LAN). By implementing a solid network infrastructure, operational downtime is reduced which increases the return on investment and lowers overall cost. This document explains the current network environment, and the recommended best practices moving forward with the installation of new locations. Many of the topics can be retroactively applied to the current restaurant installations, though certain aspects (such as the physical cabling layout) may not be cost feasible. Design Requirements The requirements of the network design are to provide Layer 2 switched connectivity between the Aloha terminals and the Aloha Back of House (BOH) server. The BOH server must also have access to the Internet for credit card processing. Reliable wireless Internet access must also be provided for the customers on a network that is logically separated from the internal LAN. Aloha terminals must also be able to communicate with serial-based printers over Ethernet cabling. This requires a minimum of two RJ-45 Ethernet ports available per terminal station. Existing Network Infrastructure The physical cabling of the LAN uses Cat5e/6-based Ethernet technology. Communication between the terminals and server occur over Ethernet through a traditional network switch. Communication between the terminals and the printers also travels over the installed Ethernet cable runs; however the communication is electrically an OSI Layer 1 serial connection and does not use OSI Layer 2 frames and does not pass through any switches. All of the terminals are connected to a switch via an Ethernet patch panel in the manager s office. In three of the four COMPANY locations (Location 004 being the exception), all of the serial printer connections that travel over the installed Ethernet cable runs are direct from the terminals to the printers and do not pass through the patch panel. For example, the current Terminal 6 of the 003 location connects to a kitchen printer in the center aisle via an Ethernet cable that runs into the ceiling and passes over the walkway, then terminates on the other side. By having the infrastructure cabled in this manner instead of all cable runs terminating at the manager s office patch panel, only Terminal neckercube.com Page 1 of 15

2 can control that particular printer (in this example). If all of the Ethernet cable runs terminated at a patch panel, as they do in the 004 location, printers can quickly and easily be assigned to different terminals by adjusting the patch cable on the patch panel. However, it might not be cost-feasible to upgrade the pre-existing cabling in these locations. Currently, three of the four COMPANY locations (Location 001 being the exception) are configured to rely on the installed router for all communications, even those between the terminals and the server (which do not require Internet access through the router). This configuration has the side effect of temporarily disconnecting the terminals from the server if the router needs to be reset. The recommended practice has been implemented at Location 001 where the Aloha server is dual homed (it has two Ethernet cards installed). This creates two separate networks. The server communicates with the other terminals via Ethernet switch in one network. The server uses the other Ethernet card to connect to the router for Internet access for credit card processing. With this logical separation, resetting the router does not affect the terminals. Currently, the LAN is logically arranged in the following manner: Internet Manager s PC Aloha BOH Server Wireless Router Brighthouse Patch Panel Switch Terminal Kitchen Printer The current infrastructure uses Cisco WRVS4400n Small Business wireless routers at all four locations. While these routers do currently provide adequate functionality, they occasionally require a power cycle to reset them. All installed switches are ordinary non-managed Layer 2 switches. The hardware of all BOH servers has been either been upgraded from the original Radiant hardware, or has been assembled as part of a new server. At least one COMPANY location is currently using an SSD drive for primary storage. We have found this greatly increases network performance and stability due to the fact that rebooting the server can typically be done rapidly enough to prevent the terminals from rebooting. Currently, the routers, servers and terminals all use slightly different IP addressing schemes between each location. For example, the server IP at Location 004 is , while the server at Location 002 is This inconsistency does not affect daily operations, however by having addressing inconsistency between locations it can increase the troubleshooting time when problems arise neckercube.com Page 2 of 15

3 Each location, with the exception of 001, are using static IP addresses provided by Brighthouse. These are assigned by Brighthouse in blocks of six addresses. This is an unnecessary expense, as a single dynamic IP address (as configured at Location 001) is all that is required. Design To eliminate or otherwise reduce the problems mentioned previously, the LAN should be designed with physical redundancy and logical separation. To accomplish this, each terminal should have four Ethernet cable runs: two for operation (terminal and printer), and two for redundancy in case the ports go bad (which we have seen happen over time at each of the locations). All physical cable runs should be labeled and terminate to a patch panel in the manager s office. Currently, the 004 location is cabled in this manner, though without the redundancy of four ports at each terminal. By including two extra cable runs per terminal, the initial build cost is higher, but it increases the longevity of the network and reduces the time and cost of repairs in the future, since cables connected to non-working ports can be moved to working ports. This type of connectivity is most likely not cost-feasible to retrofit the existing locations, however it is very strongly recommended for all newly-built locations. The new infrastructure logical plan looks like the following: Manager s PC Aloha BOH Server Patch Panel Cisco Catalyst 2950 Layer 2 Managed Switch Cisco 3725 Router Brighthouse Internet Terminal Kitchen Printer Cisco WRVS4400n Wireless In the above logical diagram, any terminal that connects to a kitchen printer has two connections to the central patch panel. The terminal is then physically routed to the kitchen printer with a short patch cable at the patch panel. If the terminal needs to be replaced, the kitchen printer can be physically rewired to a different terminal temporarily and quickly by adjusting the short patch cable. Currently, this type of adjustment can only be done at the 004 location. The heart of the network resides in a Cisco 3725 model access router, and a Cisco Catalyst 2950 Layer 2 managed switch. The 3725 router connects directly to the Brighthouse cable modem and to the 2950 switch. All other network devices connect to the 2950 through the patch panel. The existing WRVS4400n routers will be repurposed as wireless access points to provide guest wireless access services only neckercube.com Page 3 of 15

4 Each 2950 switch port is configurable, and groups of ports can be configured for separate, isolated subnetworks. For example, though all network devices connect to the same switch, the terminals and server will be separated into their own logical private sub-network (VLAN). The repurposed wireless routers connect to another separate private VLAN and cannot reach the terminals or the rest of the network; only the Internet. This dramatically increases security over the current implementation and helps with regards to PCI DSS compliance. Additionally, the Catalyst 2950 is a managed switch, which means it can be logged into (both in-band and out-of-band) for both configuration and monitoring/troubleshooting. For example, if one of the ports is having an issue, the switch is configurable to send an alert. This increases the overall dependability and reliability of the network because one malfunctioning port does not take down the entire system, as it does now. The 3725 router offers similar functionality. If the cable modem or wireless router needs to be reset, it does not affect the rest of the network, as it does now. The Cisco 3725 and 2950 are designed to never need to be reset unless a manual software upgrade occurs, with potential uptime measured in months and even years. The Brighthouse cable modem connects directly the Cisco 3725 router. The 3725 provides Network Address Translation (NAT) and stealth firewall services so the other network segments have configurable protected Internet access via Access Control Lists (ACLs). For example, even though all devices are connected to the same 2950 switch, the VLAN containing the terminals can be prevented from reaching the Internet or the wireless users to maintain data security. The terminals and one of the Ethernet interfaces on the BOH server reside in VLAN 100 on the switch. The BOH servers will be configured with the IP address /24, with each terminal being statically configured as /24 for T1,.102 for T2, and so on. No gateway or DNS configuration is required for this network, as it will not participate on the Internet or any other part of the LAN. The BOH server s Ethernet interface must be assigned to LAN CARD #0 with LANACFG. Please view the Appendix for more information on configuration. The terminals connect to corresponding port numbers on the 2950 switch. For example, port 1 for T1, port 2 for T2, etc. This aids in troubleshooting. The server connects to the last port in the series. For example, if there are nine terminals, the BOH server connects to port 10. The other Ethernet interface on the BOH server, the manager PC, the office printer, and any other network devices besides the Cisco WRVS4400n wireless router connect to VLAN 20 and use the IP address scheme /24. The 3725 router is configured with the in-band management IP address /24. The printer is configured as /24. The Cisco WRVS4400n is reconfigured to act as a guest wireless access point. The LAN port 1 of the WRVS4400n is connected to the 2950 port 23. The 2950 switch port 23 resides in VLAN 30 and uses the /24 network. As a required part of the overall design, extra 3725 routers and 2950 switches must be acquired to use as immediate replacement in case of failure. The ideal replacement plan would be to keep one extra 3725 and 2950 per location, however a more cost-reasonable plan would be to keep 1-2 extras of each 2012 neckercube.com Page 4 of 15

5 to use across all locations for immediate replacement until new replacements can be ordered. As the number of locations increases, the number of extras should also increase. Proof of Concept Two of the major components of this design have already been proven in the existing operations. With the 004 location, most kitchen printers are not directly connected to the terminals. They pass through the patch panel in the manager s office. This allows a kitchen printer to be connected to different terminals, should the need arise. This is the only location, currently, that has this capability. With the 001 location, the server is multi-homed with the terminals and the server residing on their own private network. This has the two-fold effect of the terminals being unaffected by external network events, such as the Internet going down or the router being reset, as well as isolating the terminals from the rest of the network which helps to prevent malicious damage to the terminals from issues such as viruses. Additionally, we have seen that a BOH server equipped with an SSD instead of a traditional hard drive is able to reboot quickly enough to return to full operation before the terminals are able to time out and reboot themselves. This in itself saves an enormous amount of time when issues arise with the BOH server. To further prove the effectiveness of the new logical network layout, a pilot test using a single location is necessary. Since the 001 location is currently logically arranged closest to this proposed network design, we should install a 3725 router and 2950 switch at this location for a pilot test of perhaps a few weeks. If the test is successful and network reliability is increased, we should implement the changes to the other locations. Physical Cabling For New Restaurant Locations: Implementation Plan Run four Cat5e/6 Ethernet cables to a 4-port wall box at each terminal location (two ports will be unused initially and serve for redundancy purposes). Each port should be punched down to a patch panel containing 48 or more ports in the manager s office. Both ends of the cable must be labeled with the same number. For example, if one of the cables punches down at port 23 on the patch panel, the port at the other end at the wall box must be labeled 23. This aids in troubleshooting issues and eases physical cabling in the manager s office. For each kitchen printer, run two cables: one for active use, and one for redundancy. Use a patch cable to connect the Ethernet port of the terminal to a port in the wall jack. If the patch cable connects to port 23 in the wall jack, locate port 23 at the patch panel in the manager s office neckercube.com Page 5 of 15

6 Connect a patch cable from port 23 on the patch panel to the appropriate port on the 2950 switch. For example, if it is Terminal 3 you just connected, the patch cable connects from port 23 on the patch panel to port 3 on the Catalyst 2950 switch. Use a patch cable with a serial adapter to connect from one of the terminal s COM ports to an RJ-45 port in the wall jack. Use an Ethernet patch cable at the patch panel to connect to the printer. For example, if the patch cable from the terminal s COM3 port connects to the wall jack labeled port 24, and the kitchen printer connects to the wall jack labeled port 37, use a short Ethernet patch cable to connect port 24 to port 37 on the patch panel. This creates a Layer 1 physical serial connection between the terminal and the kitchen printer. Cisco WVRS4400n Configuration: Backup router configuration for rollback purposes Set username and password to XXXXXX / XXXXXX Change device IP to /24 Connect LAN Port 1 to Port 23 on the Catalyst 2950 switch. Verify Internet connectivity with a wireless device. Verify the internal VLANs cannot be accessed by pinging , (it should fail) Cisco Catalyst 2950 Configuration: Port 1 10: VLAN 100 (Aloha VLAN) Port 11 22: VLAN 20 (Management VLAN) Port 23: VLAN 30 (Wireless VLAN) Port 24: 802.1q Trunk port which connects to 3725 router s F0/1 interface Switch SSHv2 Management IP in VLAN20: Login: XXXXXX / XXXXXX For configuration script, see Appendix. Cisco 3725 Router Configuration: Interface FastEthernet 0/0 either DHCP or Static (depending on location) Interface FastEthernet 0/1.100: /24 VLAN 100 Interface FastEthernet 0/1.20: /24 VLAN 20 Interface FastEthernet 0/1.30: /24 VLAN 30 VLAN 30 Wireless users have 15-minute renewable DHCP lease SSHv2 Management from VLAN20 only: Login: XXXXXX / XXXXXX Stateful firewall configured via Cisco IOS Firewall and Access Control Lists (ACLs) For configuration script, see Appendix neckercube.com Page 6 of 15

7 Server Configuration: Install 2 nd Ethernet card, if necessary Connect ALOHA LAN link to Port 10 on the Catalyst 2950 switch Connect ALOHA Internet link to port 11 on the Catalyst 2950 switch Use LANACFG to set the ALOHA LAN Ethernet card to #0 (if necessary, see Appendix) Set the IP of Card #0 to with no gateway or DNS server. Open a command prompt and verify connectivity with one of the terminals: ping Set the IP of the Internet-facing interface to DHCP. Verify Internet connectivity. Terminal Configuration: Set the IP address to xx, where xx represents the terminal number (ie 04 for Terminal 4) Open a command prompt and verify connectivity with the server: ping Miscellaneous Configuration: Reset PRINTER IP address to Connect PRINTER and XXXXXX Server to available ports in the MGMT VLAN (ports 11-22) ==================== Aloha BOH Server LANACFG Instructions: Appendix The Aloha BOH server must use LAN CARD #0 to connect to the terminals. This can be reset with the LANACFG utility (which can be downloaded at as of this writing). To reset the configuration, open a command prompt (in Administrator mode, if the BOH server is running Windows 7), and type: lanacfg showlanapaths If you see a different interface than intended using #0, you must reassign it to an unused number: lanacfg setlananumber 0 9 Verify the change: lanacfg showlanpaths Using the previous command, note the intended network interface that should be set to 0. Using interface 5 as an example, reset it to 0 by typing: lanacfg setlananumber 5 0 Verify the change: lanacfg showlanpaths 2012 neckercube.com Page 7 of 15

8 Type: exit Reboot the server. ==================== Cisco Catalyst 2950 Switch Configuration: version 12.1 no service pad service timestamps debug uptime service timestamps log uptime service password-encryption hostname Cat2950 aaa new-model aaa authentication login default local aaa authorization exec default local enable secret <OMITTED> username <OMITTED> privilege 15 secret <OMITTED> ip subnet-zero ip domain-name domain.local ip ssh time-out 120 ip ssh authentication-retries 3 ip ssh version 2 spanning-tree mode rapid-pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id interface FastEthernet0/1 interface FastEthernet0/ neckercube.com Page 8 of 15

9 interface FastEthernet0/3 interface FastEthernet0/4 interface FastEthernet0/5 interface FastEthernet0/6 interface FastEthernet0/7 interface FastEthernet0/8 interface FastEthernet0/9 interface FastEthernet0/10 interface FastEthernet0/11 interface FastEthernet0/ neckercube.com Page 9 of 15

10 interface FastEthernet0/13 interface FastEthernet0/14 interface FastEthernet0/15 interface FastEthernet0/16 interface FastEthernet0/17 interface FastEthernet0/18 interface FastEthernet0/19 interface FastEthernet0/20 interface FastEthernet0/21 interface FastEthernet0/ neckercube.com Page 10 of 15

11 interface FastEthernet0/23 switchport access vlan 30 interface FastEthernet0/24 switchport mode trunk switchport nonegotiate interface FastEthernet0/25 shutdown interface FastEthernet0/26 shutdown interface Vlan1 no ip address no ip route-cache shutdown interface Vlan20 ip address no ip route-cache ip default-gateway no ip http server access-list 1 remark BLOCK_NON_MGMT access-list 1 permit line con 0 password <OMITTED> logging synchronous line vty 0 4 access-class 1 in password <OMITTED> transport input ssh line vty 5 15 access-class 1 in password <OMITTED> transport input ssh ntp clock-period ntp peer neckercube.com Page 11 of 15

12 end ==================== Cisco 3725 Router Configuration: version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption hostname Cisco3725 boot-start-marker boot system flash: <OMITTED> boot-end-marker enable secret <OMITTED> aaa new-model aaa authentication login default local aaa authorization exec default local aaa session-id common memory-size iomem 50 ip cef ip inspect name FIREWALL tcp ip inspect name FIREWALL udp no ip dhcp use vrf connected ip dhcp excluded-address ip dhcp excluded-address ip dhcp pool WIRELESS dns-server network default-router lease ip dhcp pool MGMT 2012 neckercube.com Page 12 of 15

13 dns-server network default-router ip domain name domain.local ip name-server ip name-server multilink bundle-name authenticated username <OMITTED> privilege 15 secret <OMITTED> archive log config hidekeys ip ssh version 2 interface FastEthernet0/0 description BRIGHTHOUSE ip address dhcp ip access-group FIREWALL in ip inspect FIREWALL out ip nat outside ip virtual-reassembly duplex auto speed auto interface FastEthernet0/1 no ip address duplex auto speed auto interface FastEthernet0/1.20 description MGMT encapsulation dot1q 20 ip address ip nat inside ip virtual-reassembly 2012 neckercube.com Page 13 of 15

14 interface FastEthernet0/1.30 description WIRELESS encapsulation dot1q 30 ip address ip access-group BLK_WLAN in ip nat inside ip virtual-reassembly interface FastEthernet0/1.100 description ALOHA encapsulation dot1q 100 ip address no ip forward-protocol nd no ip http server no ip http secure-server ip nat inside source list 1 interface FastEthernet0/0 overload ip access-list standard MGMT_SSH permit ip access-list extended BLK_WLAN remark Deny Wireless From Other VLANs deny ip any deny ip any permit ip any any ip access-list extended FIREWALL permit udp any eq bootps any eq bootpc permit gre any any permit icmp any any echo-reply permit icmp any any traceroute access-list 1 permit access-list 1 permit access-list 101 deny ip any any control-plane line con 0 password <OMITTED> logging synchronous 2012 neckercube.com Page 14 of 15

15 line aux 0 line vty 0 4 access-class MGMT_SSH in password <OMITTED> transport input ssh line vty 5 15 access-class MGMT_SSH in password <OMITTED> transport input ssh ntp peer end 2012 neckercube.com Page 15 of 15

CONFIGURATION DU SWITCH

CONFIGURATION DU SWITCH Current configuration : 2037 bytes version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption hostname Switch no aaa new-model ip subnet-zero