Ie Epss Network LLD v1.0


Ethiopian Pharmaceutical Supply Service – EPSS


Supply, Installation and Commissioning of
Networking Infrastructure and Modular Data
Center

Network Low Level Design Document


Type of Document: Network Low Level Design Document
Client Name: EPSS
Prepared by: IE NETWORK SOLUTIONS PLC
Version: 1.0
Date: August, 2023

GET THE JOB DONE


SI- IE-EPSS Network LLD

Table of Contents

1 Introduction
1.1 Document Purpose
1.2 Intended Audience
1.3 Scope
1.4 Related Documents
1.5 Proposed Design
1.6 Requirements
2 Physical Design
2.1 HQ Network Design
2.2 DR Network Design
2.3 Branch Network Design
2.4 Design overview
2.4.1 Collapsed Core Layer
2.4.2 Access Layer
3 Configurations on the Network Devices
3.1 EPSS Proposed Naming Convention
3.2 User Information
3.3 IP Address and VLAN Design
4 EPSS HQ Network Implementation
4.1.1 Core Switch Basic Configuration
4.1.2 Core VSS Configuration
4.1.3 Core VTP Configuration
4.1.4 Core VLAN Configuration
4.1.5 Core DHCP Configuration
4.1.6 Core SSH Configuration
4.1.7 Core SNMP Configuration
4.1.8 Core – Access Interface Configuration
4.2 Access layer Configuration
4.2.1 Overview

Confidential© 2023 Pa ge |i

4.2.2 Hostname Configurations for access switches
4.2.3 Spanning tree protocol
4.2.4 VTP Configuration
4.2.5 Storm control
4.2.6 SSH and User account
4.2.7 NTP Server Configuration
4.2.8 Port Security
5 Zabbix IT monitoring
5.1 Overview
5.2 Install Zabbix
5.2.1 Choose the platform
5.2.2 Installing CentOS
5.2.3 Boot the CentOS ISO File
5.2.4 Install CentOS
5.2.5 Security Policy
5.2.6 Start the Installation Process
5.2.7 Install and configure Zabbix for your platform
5.3 Start using Zabbix
6 EPSS DR Network Implementation
6.1 Core Layer Configuration
6.1.1 Core Switch Basic Configuration
6.1.2 Core VTP Configuration
6.1.3 Core VLAN Configuration
6.1.4 Core DHCP Configuration
6.1.5 Core SSH Configuration
6.1.6 Core SNMP Configuration
6.1.7 Core – Access Interface Configuration


6.1.8 Core to Firewall Static Route
6.1.9 OSPF Routing
6.2 Access layer Configuration
6.2.1 Overview
6.2.2 Hostname Configurations for access switches
6.2.3 Spanning tree protocol
6.2.4 VTP Configuration
6.2.5 Storm control
6.2.6 SSH and User account
6.2.7 NTP Server Configuration
6.2.8 Port Security
7 EPSS Branch Network Implementation
7.1 Core Layer Configuration
7.1.1 Core Switch Basic Configuration
7.1.2 Core VTP Configuration
7.1.3 Core VLAN Configuration
7.1.4 Core DHCP Configuration
7.1.5 Core SSH Configuration
7.1.6 Core SNMP Configuration
7.1.7 Core – Access Interface Configuration
7.2 Access layer Configuration
7.2.1 Overview
7.2.2 Hostname Configurations for access switches
7.2.3 Spanning tree protocol
7.2.4 VTP Configuration
7.2.5 Storm control
7.2.6 SSH and User account


7.2.7 NTP Server Configuration
7.2.8 Port Security
8 Document Acceptance Certificate


List of Figures

FIGURE 1 EPSS HQ NETWORK DESIGN
FIGURE 2 EPSS DR NETWORK DESIGN
FIGURE 3 EPSS BRANCH DESIGN
FIGURE 4 CORE VSS
FIGURE 5 MONITORING SAMPLE 1
FIGURE 6 MONITORING SAMPLE 2
FIGURE 7 ZABBIX SUPPORTED PLATFORM
FIGURE 8 DOWNLOAD CENTOS
FIGURE 9 INSTALLATION
FIGURE 10 LANGUAGE CHOICE
FIGURE 11 DATE AND TIME
FIGURE 12 INSTALLATION SUMMARY
FIGURE 13 SOFTWARE SELECTION
FIGURE 14 NETWORK AND HOSTNAME
FIGURE 15 EDITING INTERFACE
FIGURE 16 USER SETTING
FIGURE 17 SET ROOT PASSWORD
FIGURE 18 CREATE USER
FIGURE 19 REBOOT
FIGURE 20 ZABBIX SERVER, WEB, AGENT AND MYSQL INSTALLATION
FIGURE 21 IMPORT SQL DUMP
FIGURE 22 WELCOME PAGE
FIGURE 23 CHECK OF PRE-REQUISITES
FIGURE 24 CONFIGURE DB CONNECTION
FIGURE 25 ZABBIX SERVER DETAILS
FIGURE 26 PRE-INSTALLATION SUMMARY
FIGURE 27 COMPILATION OF INSTALLATION
FIGURE 28 LOGIN PAGE
FIGURE 29 USER INFORMATION
FIGURE 30 NEW USE FORM
FIGURE 31 NOTIFICATION DELIVERY METHODS
FIGURE 32 USER PERMISSION
FIGURE 33 SAVE THE USER
FIGURE 34 HOST PERMISSION
FIGURE 35 HOST GROUPS


1 Introduction

1.1 Document Purpose


The main purpose of this document is to provide the low-level design for the EPSS-HQ,
branch and EPSS-DR network design and implementation. This new infrastructure will
be deployed in EPSS-HQ. This document outlines the Cisco products and technologies
that will be deployed in the datacenter infrastructure networks. The information contained
in this document provides, among other things, detailed configuration templates for the new
network devices that will be deployed. As such, this document will be used as the
foundation for the Network Implementation Plan (NIP), the Security Implementation Plan (SIP)
and the Network Ready for Use (NRFU) test plan that will be crafted in the next phases of
the project.

1.2 Intended Audience


For security and intellectual reasons, this document is prepared to be reviewed only by
members of the technical and management teams of EPSS-HQ and IE Network Solutions
plc. Any other party should get formal permission from both EPSS-HQ and IE before
viewing the contents of this document.

1.3 Scope
The scope of this document is limited to providing low-level design information related to
the following products, as listed in the Bill of Materials (BOM) for the new infrastructure:

• Deployment of Collapsed Core Switch C9500-40X-A
• Deployment of Access Switch C9300L-24P-4X-E
• Deployment of Access Switch C9300L-24T-4X-E
• Deployment of Access Switch C9300L-48P-4X-E
• Deployment of Zabbix Monitoring

1.4 Related Documents


Table 1: Related Documents

Reference | Description | Site
1 | Cisco systems, Inc | https://cisco.com
2 | Cisco support case | https://support.cisco.com
3 | Cisco help desk | https://www.cisco.com/c/en/us/about/help.html
4 | Zabbix | https://www.zabbix.com/

1.5 Proposed Design


The HQ design has two core switches, two DMZ switches, two SAN switches,
two server farm switches, two management switches, six 48-port access switches and
twenty-one 24-port access switches. The two core switches sit at the center of the data
center network, and each will have redundant 10G connectivity to the access
switches, SAN switches, server farm switches, management switches and firewalls.
The access switches will be connected to the APs with 1G copper links.

The database servers will be connected to the SAN and server farm switches with a
10G/25G redundant link. The application servers will be connected to the DMZ switch
with a 10G redundant link and to the server farm switch with a 10G/25G redundant link.
Storage will be connected to the SAN switch with a 10G/25G redundant link. The backup
server will be connected to the server farm switch with a 10G/25G redundant link. With a
double link to the server farm switches and to the SAN switches, the servers will have an
extra path to the network if one of the links fails. This allows the system to run at its
maximum level for the maximum time.

Likewise, the DR site is a replica of the HQ site. The DR site design has
one core switch, one DMZ switch, one SAN switch, one server
farm switch, one management switch and one firewall. The connections are the same
as in the HQ design, except that the DR site has no redundant links.

The proposed network topology is described in the following section. Before
beginning the detailed description, it is useful to define the main characteristics of
the proposed design:

➢ Connectivity between the perimeter Fortinet firewall (FG-601E-BDL-950-36)
and the collapsed core switches (C9500) will be 10G fiber uplinks.
➢ Connectivity between the collapsed core switches (C9500) and the access
switches (C9300L-24P-4X-E) will be 10G fiber uplinks.
➢ Connectivity between the collapsed core switch and the server farm switch
(C9300X-24Y-E) will be a 10G fiber link.
➢ Connectivity between the collapsed core switch and the management switch
(C9300L-24T-4X-E) will be a 10G fiber link.
➢ Connectivity between each access switch and FortiAP (FAP-431F-E) will be a
1G UTP link.

The architecture of the new infrastructure deployed for the EPSS project is a
two-tier switching design.

1.6 Requirements
Based on our site survey, we prepared and submitted a Site Preparation Guide (SPG). In
the SPG we listed some requirements that need to be fulfilled by EPSS in order to
implement the project. We would like to remind you that those requirements should be
fulfilled before we start the implementation.


2 Physical Design

2.1 HQ Network Design

Figure 1 EPSS HQ Network Design


2.2 DR Network Design

Figure 2 EPSS DR Network Design

2.3 Branch Network Design

Figure 3 EPSS Branch Design


2.4 Design overview


The above Enterprise Architecture is the highlight of Campus infrastructure which adds
the following layers to EPSS Core network infrastructure.

2.4.1 Collapsed Core Layer


The function of the collapsed core layer is to provide fast and efficient data transport. This
layer will work as both the core and the distribution layer, using two devices that are
merged into one using VSS technology. Characteristics of the core layer include the
following:
• The collapsed core layer is a high-speed backbone that should be designed to switch
packets as quickly as possible to optimize communication transport within the network.
• The collapsed core comprises two C9500 core switches working as one using the
VSS technology.
• Because the collapsed core is critical for EPSS connectivity, the two core switches working
as one are expected to provide a high level of availability and reliability. A fault-tolerant
network design ensures that failures do not have a major impact on network
connectivity. The core must be able to accommodate failures by rerouting traffic and
responding quickly to changes in network topology. The core must provide a high level of
redundancy. A full mesh is strongly suggested, and at least a well-connected partial mesh
with multiple paths from each device is required.
• Routing and other Layer 3 functions are performed at this layer.

2.4.2 Access Layer


This layer is the edge of the network, where a wide variety of devices such as PCs, printers
and access points connect to the network. Common resources needed by users are
available at this layer, while access requests to remote resources are sent to the
distribution layer. This layer is also known as the desktop layer. The following are
generally done at this layer:
• Access control and policies in addition to what exists in the distribution layer
• Dynamic configuration mechanisms
• Breaking collision domains
• Ethernet switching and static routing


3 Configurations on the Network Devices

3.1 EPSS Proposed Naming Convention


EPSS device naming will be based on the naming convention below.

1. IT device naming convention attributes: For a comprehensive naming convention,
we recommend that the following attributes be included in the device names:
A. Organizational name acronym;
B. Location;
C. Device Function; and
D. Indexing.

A. Organizational name acronym: We recommend that the first 3 characters of all IT
device names should be the organizational name acronym, i.e., EPSS, to aid
unique identification of items tagged to EPSS and for easy IT inventory
management.
B. Location: Including this attribute in the device names helps the system
administrators to easily identify the physical location of each particular device.
We recommend the location attribute to be composed of 3 components:
• Floor
• Location
I. Floor: Since the buildings have multiple floors, this component should be included
to identify the floor on which the specific IT device is stationed. Below is a proposed
sample representation of the specific floor in the IT device naming convention:

Table 2: device naming convention with floor
Building Floors for HO site | Abbreviation | Result
Ground Floor | GF | EPSS_GF
1st Floor | 1F | EPSS_1F
Datacenter | DC | EPSS_DC

II. Location: EPSS operates one head office, and the IT devices are located on two
sides of the building. Below is a proposed sample representation of the specific
site in the IT device naming convention:

Table 3: device naming convention-Location
Site name | Abbreviation | Result
Right side | RS | EPSS_GF_RS
Left side | LS | EPSS_GF_LS


C. Device Function/Role: The functionality/role of each specific IT device should be
reflected in the IT device naming convention. Below is a sample SQA proposed
representation of the device functionality in the IT device naming convention.

Table 4: Device Function/Role
Device function | Abbreviation | Result
Access Switch | AS | EPSS_GF_RS_AS_
Access points | AP | EPSS_GF_RS_AP_
Wireless LAN controller | WLC | EPSS_GF_RS_WLC_
Server farm switch | SS | EPSS_GF_RS_SS_
Core switch | CS | EPSS_GF_RS_CS_
Perimeter firewall | PF | EPSS_GF_RS_PF_
Rack Cabinet | RC | EPSS_GF_RS_RC_
Edge Router | ER | EPSS_GF_RS_ER_

D. Indexing: For devices with the same functionality and residing in the same location,
we recommend the addition of an index to uniquely identify each device. For access
points and switches, it is recommended to use even and odd indexing to represent the
side of the building, i.e., odd number indexing for the left side of the building, and even
number indexing for the right side of the building.

Table 5: Full device naming
Device function | Abbreviation | Index | Result
Access Switch | AS | 01 | EPSS_GF_AS_01
Access Switch | AS | 01 | EPSS_F1_AS_01
Access Point | AP | 01 | EPSS_GF_AP_01
Management Switch | MS | 01 | EPSS_DC_MS_01
Server farm switch | SS | 01 | EPSS-DC-CS-O1
Server farm switch | SS | 02 | EPSS_DC_SS_02
Core switch | CS | 01 | EPSS-DC-CS-O1
Core switch | CS | 02 | EPSS-DC-CS-O2
Perimeter firewall | PF | 01 | EPSS_DC_PF_01
Perimeter firewall | PF | 02 | EPSS_DC_PF_02
Rack Cabinet | RC | 01 | EPSS_GF_LS_RC_01
Rack Cabinet | RC | 02 | EPSS_GF_RS_RC_02
Rack Cabinet | RC | 03 | EPSS_DC_RC_03

3.2 User Information


The following user credentials are used temporarily for this project. We highly recommend
that the administrator change them after the project has been fully handed over to EPSS.

User name: Admin

Password: ******** (intentionally left)


3.3 IP Address and VLAN Design


Good IP address planning is part of good network design. The following IP address
plan provides:

➢ Non-overlapping, non-duplicate subnets

➢ Easily summarized networks

➢ Unique IP address assignments

➢ No wasted IP address space

The VLAN design follows the IP address plan closely, in a one-to-one manner: for
each subnet in the IP address plan there is a unique corresponding VLAN.
This greatly reduces the size of each broadcast domain and makes the network easier
to troubleshoot.
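
One way to check a plan like this against the properties listed above before it is pushed to devices. This is an added example, not part of the original LLD: the HQ and DR rows are copied from the plan tables in this section exactly as printed, the `LAB` row is hypothetical, and `lint_plan` and the finding names are illustrative.

```python
import ipaddress
from itertools import combinations

# Rows copied from the HQ and DR plan tables in this section, values exactly as
# printed there; the LAB row is hypothetical and only demonstrates an overlap.
# (site, vlan, main_block, mask, first_usable, last_usable, broadcast)
SAMPLE_PLAN = [
    ("HQ", 2, "10.1.2.0/23", "255.255.254.0", "10.1.2.1", "10.1.3.254", "10.1.3.255"),
    ("HQ", 16, "10.1.16.0", "255.255.254.0", "10.1.16.1", "10.1.17.254", "10.1.17.255"),
    ("DR", 4, "10.2.4.0/24", "255.255.255.0", "10.2.4.1", "10.2.5.254", "10.2.4.255"),
    ("DR", 5, "10.2.5.0/24", "255.255.255.0", "10.2.5.1", "10.2.5.254", "10.2.5.255"),
    ("LAB", 99, "10.1.3.0/24", "255.255.255.0", "10.1.3.1", "10.1.3.254", "10.1.3.255"),
]


def lint_plan(rows):
    """Return (row_tag, finding_kind, detail) tuples for every problem found."""
    findings = []
    nets = []          # (tag, network) pairs for the cross-row overlap check
    vlan_seen = set()  # (site, vlan): a VLAN ID must map to one subnet per site

    for site, vlan, block, mask, first, last, bcast in rows:
        tag = f"{site} VLAN {vlan}"
        addr, _, prefix = block.partition("/")
        try:
            # Build the network from address + mask. Strict parsing rejects a
            # block address that has host bits set for that mask.
            net = ipaddress.ip_network(f"{addr}/{mask}")
        except ValueError as exc:
            findings.append((tag, "bad-block", str(exc)))
            continue

        # The written prefix length must be present and agree with the mask.
        if not prefix:
            findings.append((tag, "missing-prefix",
                             f"{block} has no prefix length; mask implies /{net.prefixlen}"))
        elif not prefix.isdigit() or int(prefix) != net.prefixlen:
            findings.append((tag, "mask-mismatch",
                             f"/{prefix} written, mask {mask} implies /{net.prefixlen}"))

        # Recompute the derived columns and compare them with the stated ones.
        expected = {
            "first": net.network_address + 1,
            "last": net.broadcast_address - 1,
            "broadcast": net.broadcast_address,
        }
        stated = {"first": first, "last": last, "broadcast": bcast}
        for field, want in expected.items():
            got = ipaddress.ip_address(stated[field])
            if got not in net:
                findings.append((tag, f"{field}-outside-block",
                                 f"stated {got} is not inside {net}"))
            elif got != want:
                findings.append((tag, f"{field}-mismatch",
                                 f"stated {got}, computed {want}"))

        # One-to-one VLAN/subnet mapping within a site.
        if (site, vlan) in vlan_seen:
            findings.append((tag, "duplicate-vlan",
                             f"VLAN {vlan} already assigned at site {site}"))
        vlan_seen.add((site, vlan))
        nets.append((tag, net))

    # Overlap is checked across all sites, since the blocks share 10.0.0.0/8.
    for (tag_a, a), (tag_b, b) in combinations(nets, 2):
        if a.overlaps(b):
            findings.append((tag_a, "overlap", f"{a} overlaps {b} ({tag_b})"))
    return findings


if __name__ == "__main__":
    for tag, kind, detail in lint_plan(SAMPLE_PLAN):
        print(f"{tag:12} {kind:20} {detail}")
```

Findings are differences between the stated columns and values recomputed from the block and mask; a first usable address that is deliberately offset to reserve a gateway will show up as a mismatch and can be accepted on review.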


VLAN Name | Main Block HQ | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP
Director General | 10.1.2.0/23 | 255.255.254.0 | 10.1.2.1 | 10.1.3.254 | 10.1.3.255 | 2 | -
Deputy Director General for Finance Administration and System Strength | 10.1.4.0/23 | 255.255.254.0 | 10.1.4.1 | 10.1.5.254 | 10.1.5.255 | 4 | -
Deputy Director General - Inbound Logistics | 10.1.6.0/23 | 255.255.254.0 | 10.1.6.1 | 10.1.7.254 | 10.1.7.255 | 6 | -
Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.1.8.0/23 | 255.255.254.0 | 10.1.8.1 | 10.1.9.254 | 10.1.9.255 | 8 | -
General Service and Property Administration Director | 10.1.10.0/23 | 255.255.254.0 | 10.1.10.1 | 10.1.11.254 | 10.1.11.255 | 10 | -
Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.1.12.0/23 | 255.255.254.0 | 10.1.12.1 | 10.1.13.254 | 10.1.13.255 | 12 | -
Legal Services Director | 10.1.14.0/24 | 255.255.255.0 | 10.1.14.1 | 10.1.14.254 | 10.1.14.255 | 14 | -
Warehouse and Inventory Management Director | 10.1.16.0 | 255.255.254.0 | 10.1.16.1 | 10.1.17.254 | 10.1.17.255 | 16 | -
Quantification and Market Shaping Director | 10.1.18.0/23 | 255.255.254.0 | 10.1.18.1 | 10.1.19.254 | 10.1.19.255 | 18 | 10.1.2.20
Information & Communication Technology Director | 10.1.20.0/23 | 255.255.254.0 | 10.1.20.1 | 10.1.21.254 | 10.1.21.255 | 20 |
Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.1.22.0/23 | 255.255.254.0 | 10.1.22.1 | 10.1.23.254 | 10.1.23.255 | 22 |
Ethics Liaison Director | 10.1.24.0/24 | 255.255.255.0 | 10.1.24.1 | 10.1.24.254 | 10.1.24.255 | 24 |
RDF Finance Director | 10.1.26.0/23 | 255.255.254.0 | 10.1.26.1 | 10.1.27.254 | 10.1.27.255 | 26 |
Quality Control and Assurance Director | 10.1.28.0/23 | 255.255.254.0 | 10.1.28.1 | 10.1.29.254 | 10.1.29.255 | 28 |
Internal audit service directorate | 10.1.30.0/24 | 255.255.255.0 | 10.1.30.1 | 10.1.30.254 | 10.1.30.255 | 30 |
Tender Management Director | 10.1.32.0/23 | 255.255.254.0 | 10.1.32.1 | 10.1.33.254 | 10.1.33.255 | 32 |
Human Resource Administration and Development Directorate Director | 10.1.34.0/23 | 255.255.254.0 | 10.1.34.1 | 10.1.35.254 | 10.1.35.255 | 34 |
Women and Youth Affairs Director | 10.1.36.0/24 | 255.255.255.0 | 10.1.36.1 | 10.1.36.254 | 10.1.36.255 | 36 |
Good Governance and Reform Director | 10.1.37.0/24 | 255.255.255.0 | 10.1.37.1 | 10.1.37.254 | 10.1.37.255 | 37 |
Communication Affairs Directorate Director | 10.1.38.0/24 | 255.255.255.0 | 10.1.38.1 | 10.1.38.254 | 10.1.38.255 | 38 |

Table 6 EPSS-HQ IP Plan


VLAN Name | Main Block DR | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP
Director General | 10.2.2.0/24 | 255.255.255.0 | 10.2.2.1 | 10.2.2.254 | 10.2.2.255 | 2 | -
Deputy Director General for Finance Administration and System Strength | 10.2.3.0/24 | 255.255.255.0 | 10.2.3.1 | 10.2.3.254 | 10.2.3.255 | 3 | -
Deputy Director General - Inbound Logistics | 10.2.4.0/24 | 255.255.255.0 | 10.2.4.1 | 10.2.5.254 | 10.2.4.255 | 4 | -
Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.2.5.0/24 | 255.255.255.0 | 10.2.5.1 | 10.2.5.254 | 10.2.5.255 | 5 | -
General Service and Property Administration Director | 10.2.6.0/24 | 255.255.255.0 | 10.2.6.1 | 10.2.6.254 | 10.2.6.255 | 6 | -
Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.2.7.0/24 | 255.255.255.0 | 10.2.7.1 | 10.2.7.254 | 10.2.7.255 | 7 | -
Legal Services Director | 10.2.8.0/24 | 255.255.255.0 | 10.2.8.1 | 10.2.8.254 | 10.2.8.255 | 8 | -
Warehouse and Inventory Management Director | 10.2.9.0 | 255.255.255.0 | 10.2.9.2 | 10.2.9.254 | 10.2.9.255 | 9 | -
Quantification and Market Shaping Director | 10.2.10.0/24 | 255.255.255.0 | 10.2.10.1 | 10.2.10.254 | 10.2.10.255 | 10 | 10.2.2.20
Information & Communication Technology Director | 10.2.11.0/24 | 255.255.255.0 | 10.2.11.1 | 10.2.11.254 | 10.2.11.255 | 11 |
Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.2.12.0/24 | 255.255.255.0 | 10.2.12.1 | 10.2.12.254 | 10.2.12.255 | 12 |
Ethics Liaison Director | 10.2.13.0/24 | 255.255.255.0 | 10.2.13.1 | 10.2.13.254 | 10.2.13.255 | 13 |
RDF Finance Director | 10.2.14.0/24 | 255.255.255.0 | 10.2.14.1 | 10.2.14.254 | 10.2.14.255 | 14 |
Quality Control and Assurance Director | 10.2.15.0/24 | 255.255.255.0 | 10.2.15.1 | 10.2.15.254 | 10.2.15.255 | 15 |
Internal audit service directorate | 10.2.16.0/24 | 255.255.255.0 | 10.2.16.1 | 10.2.16.254 | 10.2.16.255 | 16 |
Tender Management Director | 10.2.17.0/24 | 255.255.255.0 | 10.2.17.1 | 10.2.17.254 | 10.2.17.255 | 17 |
Human Resource Administration and Development Directorate Director | 10.2.18.0/24 | 255.255.255.0 | 10.2.18.1 | 10.2.18.254 | 10.2.18.255 | 18 |
Women and Youth Affairs Director | 10.2.19.0/24 | 255.255.255.0 | 10.2.19.1 | 10.2.19.254 | 10.2.19.255 | 19 |
Good Governance and Reform Director | 10.2.20.0/24 | 255.255.255.0 | 10.2.20.1 | 10.2.20.254 | 10.2.20.255 | 20 |
Communication Affairs Directorate Director | 10.2.21.0/24 | 255.255.255.0 | 10.2.21.1 | 10.2.21.254 | 10.2.21.255 | 21 |

Table 7 EPSS-DR IP Plan


| VLAN Name | Main Block Dessie Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.3.2.0/24 | 255.255.255.0 | 10.3.2.1 | 10.3.2.254 | 10.3.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.3.3.0/24 | 255.255.255.0 | 10.3.3.1 | 10.3.3.254 | 10.3.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.3.4.0/24 | 255.255.255.0 | 10.3.4.1 | 10.3.4.254 | 10.3.4.255 | 4 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.3.5.0/24 | 255.255.255.0 | 10.3.5.1 | 10.3.5.254 | 10.3.5.255 | 5 | - |
| General Service and Property Administration Director | 10.3.6.0/24 | 255.255.255.0 | 10.3.6.1 | 10.3.6.254 | 10.3.6.255 | 6 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.3.7.0/24 | 255.255.255.0 | 10.3.7.1 | 10.3.7.254 | 10.3.7.255 | 7 | - |
| Legal Services Director | 10.3.8.0/24 | 255.255.255.0 | 10.3.8.1 | 10.3.8.254 | 10.3.8.255 | 8 | - |
| Warehouse and Inventory Management Director | 10.3.9.0 | 255.255.255.0 | 10.3.9.3 | 10.3.9.254 | 10.3.9.255 | 9 | - |
| Quantification and Market Shaping Director | 10.3.10.0/24 | 255.255.255.0 | 10.3.10.1 | 10.3.10.254 | 10.3.10.255 | 10 | 10.3.2.20 |
| Information & Communication Technology Director | 10.3.11.0/24 | 255.255.255.0 | 10.3.11.1 | 10.3.11.254 | 10.3.11.255 | 11 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.3.12.0/24 | 255.255.255.0 | 10.3.12.1 | 10.3.12.254 | 10.3.12.255 | 12 |  |
| Ethics Liaison Director | 10.3.13.0/24 | 255.255.255.0 | 10.3.13.1 | 10.3.13.254 | 10.3.13.255 | 13 |  |
| RDF Finance Director | 10.3.14.0/24 | 255.255.255.0 | 10.3.14.1 | 10.3.14.254 | 10.3.14.255 | 14 |  |
| Quality Control and Assurance Director | 10.3.15.0/24 | 255.255.255.0 | 10.3.15.1 | 10.3.15.254 | 10.3.15.255 | 15 |  |
| Internal audit service directorate | 10.3.16.0/24 | 255.255.255.0 | 10.3.16.1 | 10.3.16.254 | 10.3.16.255 | 16 |  |
| Tender Management Director | 10.3.17.0/24 | 255.255.255.0 | 10.3.17.1 | 10.3.17.254 | 10.3.17.255 | 17 |  |
| Human Resource Administration and Development Directorate Director | 10.3.18.0/24 | 255.255.255.0 | 10.3.18.1 | 10.3.18.254 | 10.3.18.255 | 18 |  |
| Women and Youth Affairs Director | 10.3.19.0/24 | 255.255.255.0 | 10.3.19.1 | 10.3.19.254 | 10.3.19.255 | 19 |  |
| Good Governance and Reform Director | 10.3.20.0/24 | 255.255.255.0 | 10.3.20.1 | 10.3.20.254 | 10.3.20.255 | 20 |  |
| Communication Affairs Directorate Director | 10.3.21.0/24 | 255.255.255.0 | 10.3.21.1 | 10.3.21.254 | 10.3.21.255 | 21 |  |

Table 8 EPSS-Dessie IP Plan


| VLAN Name | Main Block Jigjiga Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.4.2.0/24 | 255.255.255.0 | 10.4.2.1 | 10.4.2.254 | 10.4.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.4.3.0/24 | 255.255.255.0 | 10.4.3.1 | 10.4.3.254 | 10.4.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.4.4.0/24 | 255.255.255.0 | 10.4.4.1 | 10.4.4.254 | 10.4.4.255 | 4 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.4.5.0/24 | 255.255.255.0 | 10.4.5.1 | 10.4.5.254 | 10.4.5.255 | 5 | - |
| General Service and Property Administration Director | 10.4.6.0/24 | 255.255.255.0 | 10.4.6.1 | 10.4.6.254 | 10.4.6.255 | 6 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.4.7.0/24 | 255.255.255.0 | 10.4.7.1 | 10.4.7.254 | 10.4.7.255 | 7 | - |
| Legal Services Director | 10.4.8.0/24 | 255.255.255.0 | 10.4.8.1 | 10.4.8.254 | 10.4.8.255 | 8 | - |
| Warehouse and Inventory Management Director | 10.4.9.0/24 | 255.255.255.0 | 10.4.9.4 | 10.4.9.254 | 10.4.9.255 | 9 | - |
| Quantification and Market Shaping Director | 10.4.10.0/24 | 255.255.255.0 | 10.4.10.1 | 10.4.10.254 | 10.4.10.255 | 10 | 10.4.2.20 |
| Information & Communication Technology Director | 10.4.11.0/24 | 255.255.255.0 | 10.4.11.1 | 10.4.11.254 | 10.4.11.255 | 11 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.4.12.0/24 | 255.255.255.0 | 10.4.12.1 | 10.4.12.254 | 10.4.12.255 | 12 |  |
| Ethics Liaison Director | 10.4.13.0/24 | 255.255.255.0 | 10.4.13.1 | 10.4.13.254 | 10.4.13.255 | 13 |  |
| RDF Finance Director | 10.4.14.0/24 | 255.255.255.0 | 10.4.14.1 | 10.4.14.254 | 10.4.14.255 | 14 |  |
| Quality Control and Assurance Director | 10.4.15.0/24 | 255.255.255.0 | 10.4.15.1 | 10.4.15.254 | 10.4.15.255 | 15 |  |
| Internal audit service directorate | 10.4.16.0/24 | 255.255.255.0 | 10.4.16.1 | 10.4.16.254 | 10.4.16.255 | 16 |  |
| Tender Management Director | 10.4.17.0/24 | 255.255.255.0 | 10.4.17.1 | 10.4.17.254 | 10.4.17.255 | 17 |  |
| Human Resource Administration and Development Directorate Director | 10.4.18.0/24 | 255.255.255.0 | 10.4.18.1 | 10.4.18.254 | 10.4.18.255 | 18 |  |
| Women and Youth Affairs Director | 10.4.19.0/24 | 255.255.255.0 | 10.4.19.1 | 10.4.19.254 | 10.4.19.255 | 19 |  |
| Good Governance and Reform Director | 10.4.20.0/24 | 255.255.255.0 | 10.4.20.1 | 10.4.20.254 | 10.4.20.255 | 20 |  |
| Communication Affairs Directorate Director | 10.4.21.0/24 | 255.255.255.0 | 10.4.21.1 | 10.4.21.254 | 10.4.21.255 | 21 |  |

Table 9 EPSS-Jijiga IP Plan
Table 1. 1 EPSS-Branch-2 IP Plan


| VLAN Name | Main Block Dire Dawa Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.5.2.0/24 | 255.255.255.0 | 10.5.2.1 | 10.5.2.254 | 10.5.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.5.3.0/24 | 255.255.255.0 | 10.5.3.1 | 10.5.3.254 | 10.5.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.5.4.0/24 | 255.255.255.0 | 10.5.4.1 | 10.5.4.254 | 10.5.4.255 | 4 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.5.6.0/24 | 255.255.255.0 | 10.5.6.1 | 10.5.6.254 | 10.5.6.255 | 6 | - |
| General Service and Property Administration Director | 10.5.7.7/24 | 255.255.255.0 | 10.5.7.1 | 10.5.7.254 | 10.5.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.5.8.0/24 | 255.255.255.0 | 10.5.8.1 | 10.5.8.254 | 10.5.8.255 | 8 | - |
| Legal Services Director | 10.5.9.0/24 | 255.255.255.0 | 10.5.9.1 | 10.5.9.254 | 10.5.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.5.10.0/24 | 255.255.255.0 | 10.5.10.5 | 10.5.10.254 | 10.5.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.5.11.0/24 | 255.255.255.0 | 10.5.11.1 | 10.5.11.254 | 10.5.11.255 | 11 | 10.5.2.20 |
| Information & Communication Technology Director | 10.5.12.0/24 | 255.255.255.0 | 10.5.12.1 | 10.5.12.254 | 10.5.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.5.13.0/24 | 255.255.255.0 | 10.5.13.1 | 10.5.13.254 | 10.5.13.255 | 13 |  |
| Ethics Liaison Director | 10.5.14.0/24 | 255.255.255.0 | 10.5.14.1 | 10.5.14.254 | 10.5.14.255 | 14 |  |
| RDF Finance Director | 10.5.15.0/24 | 255.255.255.0 | 10.5.15.1 | 10.5.15.254 | 10.5.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.5.16.0/24 | 255.255.255.0 | 10.5.16.1 | 10.5.16.254 | 10.5.16.255 | 16 |  |
| Internal audit service directorate | 10.5.17.0/24 | 255.255.255.0 | 10.5.17.1 | 10.5.17.254 | 10.5.17.255 | 17 |  |
| Tender Management Director | 10.5.18.0/24 | 255.255.255.0 | 10.5.18.1 | 10.5.18.254 | 10.5.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.5.19.0/24 | 255.255.255.0 | 10.5.19.1 | 10.5.19.254 | 10.5.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.5.20.0/24 | 255.255.255.0 | 10.5.20.1 | 10.5.20.254 | 10.5.20.255 | 20 |  |
| Good Governance and Reform Director | 10.5.21.0/24 | 255.255.255.0 | 10.5.21.1 | 10.5.21.254 | 10.5.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.5.22.0/24 | 255.255.255.0 | 10.5.22.1 | 10.5.22.254 | 10.5.22.255 | 22 |  |

Table 10 EPSS-Dire Dawa IP Plan


| VLAN Name | Main Block Assosa Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.6.2.0/24 | 255.255.255.0 | 10.6.2.1 | 10.6.2.254 | 10.6.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.6.3.0/24 | 255.255.255.0 | 10.6.3.1 | 10.6.3.254 | 10.6.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.6.4.0/24 | 255.255.255.0 | 10.6.4.1 | 10.6.4.254 | 10.6.4.255 | 4 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.6.5.0/24 | 255.255.255.0 | 10.6.5.1 | 10.6.5.254 | 10.6.5.255 | 5 | - |
| General Service and Property Administration Director | 10.6.6.0/24 | 255.255.255.0 | 10.6.6.1 | 10.6.6.254 | 10.6.6.255 | 6 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.6.8.0/24 | 255.255.255.0 | 10.6.8.1 | 10.6.8.254 | 10.6.8.255 | 8 | - |
| Legal Services Director | 10.6.9.0/24 | 255.255.255.0 | 10.6.9.1 | 10.6.9.254 | 10.6.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.6.10.0/24 | 255.255.255.0 | 10.6.10.6 | 10.6.10.254 | 10.6.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.6.11.0/24 | 255.255.255.0 | 10.6.11.1 | 10.6.11.254 | 10.6.11.255 | 11 | 10.6.2.20 |
| Information & Communication Technology Director | 10.6.12.0/24 | 255.255.255.0 | 10.6.12.1 | 10.6.12.254 | 10.6.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.6.13.0/24 | 255.255.255.0 | 10.6.13.1 | 10.6.13.254 | 10.6.13.255 | 13 |  |
| Ethics Liaison Director | 10.6.14.0/24 | 255.255.255.0 | 10.6.14.1 | 10.6.14.254 | 10.6.14.255 | 14 |  |
| RDF Finance Director | 10.6.15.0/24 | 255.255.255.0 | 10.6.15.1 | 10.6.15.254 | 10.6.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.6.16.0/24 | 255.255.255.0 | 10.6.16.1 | 10.6.16.254 | 10.6.16.255 | 16 |  |
| Internal audit service directorate | 10.6.17.0/24 | 255.255.255.0 | 10.6.17.1 | 10.6.17.254 | 10.6.17.255 | 17 |  |
| Tender Management Director | 10.6.18.0/24 | 255.255.255.0 | 10.6.18.1 | 10.6.18.254 | 10.6.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.6.19.0/24 | 255.255.255.0 | 10.6.19.1 | 10.6.19.254 | 10.6.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.6.20.0/24 | 255.255.255.0 | 10.6.20.1 | 10.6.20.254 | 10.6.20.255 | 20 |  |
| Good Governance and Reform Director | 10.6.21.0/24 | 255.255.255.0 | 10.6.21.1 | 10.6.21.254 | 10.6.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.6.22.0/24 | 255.255.255.0 | 10.6.22.1 | 10.6.22.254 | 10.6.22.255 | 22 |  |

Table 11 EPSS-Assosa IP Plan


| VLAN Name | Main Block Kebri Dehar Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.7.2.0/24 | 255.255.255.0 | 10.7.2.1 | 10.7.2.254 | 10.7.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.7.3.0/24 | 255.255.255.0 | 10.7.3.1 | 10.7.3.254 | 10.7.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.7.5.0/24 | 255.255.255.0 | 10.7.5.1 | 10.7.5.254 | 10.7.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.7.6.0/24 | 255.255.255.0 | 10.7.6.1 | 10.7.6.254 | 10.7.6.255 | 6 | - |
| General Service and Property Administration Director | 10.7.7.7/24 | 255.255.255.0 | 10.7.7.1 | 10.7.7.254 | 10.7.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.7.8.0/24 | 255.255.255.0 | 10.7.8.1 | 10.7.8.254 | 10.7.8.255 | 8 | - |
| Legal Services Director | 10.7.9.0/24 | 255.255.255.0 | 10.7.9.1 | 10.7.9.254 | 10.7.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.7.10.0/24 | 255.255.255.0 | 10.7.10.7 | 10.7.10.254 | 10.7.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.7.11.0/24 | 255.255.255.0 | 10.7.11.1 | 10.7.11.254 | 10.7.11.255 | 11 | 10.7.2.20 |
| Information & Communication Technology Director | 10.7.12.0/24 | 255.255.255.0 | 10.7.12.1 | 10.7.12.254 | 10.7.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.7.13.0/24 | 255.255.255.0 | 10.7.13.1 | 10.7.13.254 | 10.7.13.255 | 13 |  |
| Ethics Liaison Director | 10.7.14.0/24 | 255.255.255.0 | 10.7.14.1 | 10.7.14.254 | 10.7.14.255 | 14 |  |
| RDF Finance Director | 10.7.15.0/24 | 255.255.255.0 | 10.7.15.1 | 10.7.15.254 | 10.7.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.7.16.0/24 | 255.255.255.0 | 10.7.16.1 | 10.7.16.254 | 10.7.16.255 | 16 |  |
| Internal audit service directorate | 10.7.17.0/24 | 255.255.255.0 | 10.7.17.1 | 10.7.17.254 | 10.7.17.255 | 17 |  |
| Tender Management Director | 10.7.18.0/24 | 255.255.255.0 | 10.7.18.1 | 10.7.18.254 | 10.7.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.7.19.0/24 | 255.255.255.0 | 10.7.19.1 | 10.7.19.254 | 10.7.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.7.20.0/24 | 255.255.255.0 | 10.7.20.1 | 10.7.20.254 | 10.7.20.255 | 20 |  |
| Good Governance and Reform Director | 10.7.21.0/24 | 255.255.255.0 | 10.7.21.1 | 10.7.21.254 | 10.7.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.7.22.0/24 | 255.255.255.0 | 10.7.22.1 | 10.7.22.254 | 10.7.22.255 | 22 |  |

Table 12 EPSS-Kebri Dehar IP Plan


| VLAN Name | Main Block Semera Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.8.2.0/24 | 255.255.255.0 | 10.8.2.1 | 10.8.2.254 | 10.8.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.8.3.0/24 | 255.255.255.0 | 10.8.3.1 | 10.8.3.254 | 10.8.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.8.5.0/24 | 255.255.255.0 | 10.8.5.1 | 10.8.5.254 | 10.8.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.8.6.0/24 | 255.255.255.0 | 10.8.6.1 | 10.8.6.254 | 10.8.6.255 | 6 | - |
| General Service and Property Administration Director | 10.8.7.0/24 | 255.255.255.0 | 10.8.7.1 | 10.8.7.254 | 10.8.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.8.8.0/24 | 255.255.255.0 | 10.8.8.1 | 10.8.8.254 | 10.8.8.255 | 8 | - |
| Legal Services Director | 10.8.9.0/24 | 255.255.255.0 | 10.8.9.1 | 10.8.9.254 | 10.8.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.8.10.0/24 | 255.255.255.0 | 10.8.10.8 | 10.8.10.254 | 10.8.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.8.11.0/24 | 255.255.255.0 | 10.8.11.1 | 10.8.11.254 | 10.8.11.255 | 11 | 10.8.2.20 |
| Information & Communication Technology Director | 10.8.12.0/24 | 255.255.255.0 | 10.8.12.1 | 10.8.12.254 | 10.8.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.8.13.0/24 | 255.255.255.0 | 10.8.13.1 | 10.8.13.254 | 10.8.13.255 | 13 |  |
| Ethics Liaison Director | 10.8.14.0/24 | 255.255.255.0 | 10.8.14.1 | 10.8.14.254 | 10.8.14.255 | 14 |  |
| RDF Finance Director | 10.8.15.0/24 | 255.255.255.0 | 10.8.15.1 | 10.8.15.254 | 10.8.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.8.16.0/24 | 255.255.255.0 | 10.8.16.1 | 10.8.16.254 | 10.8.16.255 | 16 |  |
| Internal audit service directorate | 10.8.17.0/24 | 255.255.255.0 | 10.8.17.1 | 10.8.17.254 | 10.8.17.255 | 17 |  |
| Tender Management Director | 10.8.18.0/24 | 255.255.255.0 | 10.8.18.1 | 10.8.18.254 | 10.8.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.8.19.0/24 | 255.255.255.0 | 10.8.19.1 | 10.8.19.254 | 10.8.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.8.20.0/24 | 255.255.255.0 | 10.8.20.1 | 10.8.20.254 | 10.8.20.255 | 20 |  |
| Good Governance and Reform Director | 10.8.21.0/24 | 255.255.255.0 | 10.8.21.1 | 10.8.21.254 | 10.8.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.8.22.0/24 | 255.255.255.0 | 10.8.22.1 | 10.8.22.254 | 10.8.22.255 | 22 |  |

Table 13 EPSS-Semera IP Plan


| VLAN Name | Main Block Nekemte Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.9.2.0/24 | 255.255.255.0 | 10.9.2.1 | 10.9.2.254 | 10.9.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.9.3.0/24 | 255.255.255.0 | 10.9.3.1 | 10.9.3.254 | 10.9.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.9.5.0/24 | 255.255.255.0 | 10.9.5.1 | 10.9.5.254 | 10.9.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.9.6.0/24 | 255.255.255.0 | 10.9.6.1 | 10.9.6.254 | 10.9.6.255 | 6 | - |
| General Service and Property Administration Director | 10.9.7.1/24 | 255.255.255.0 | 10.9.7.1 | 10.9.7.254 | 10.9.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.9.8.0/24 | 255.255.255.0 | 10.9.8.1 | 10.9.8.254 | 10.9.8.255 | 8 | - |
| Legal Services Director | 10.9.9.0/24 | 255.255.255.0 | 10.9.9.1 | 10.9.9.254 | 10.9.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.9.10.0 | 255.255.255.0 | 10.9.10.9 | 10.9.10.254 | 10.9.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.9.11.0/24 | 255.255.255.0 | 10.9.11.1 | 10.9.11.254 | 10.9.11.255 | 11 | 10.9.2.20 |
| Information & Communication Technology Director | 10.9.12.0/24 | 255.255.255.0 | 10.9.12.1 | 10.9.12.254 | 10.9.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.9.13.0/24 | 255.255.255.0 | 10.9.13.1 | 10.9.13.254 | 10.9.13.255 | 3 |  |
| Ethics Liaison Director | 10.9.14.0/24 | 255.255.255.0 | 10.9.14.1 | 10.9.14.254 | 10.9.14.255 | 14 |  |
| RDF Finance Director | 10.9.15.0/24 | 255.255.255.0 | 10.9.15.1 | 10.9.15.254 | 10.9.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.9.16.0/24 | 255.255.255.0 | 10.9.16.1 | 10.9.16.254 | 10.9.16.255 | 16 |  |
| Internal audit service directorate | 10.9.17.0/24 | 255.255.255.0 | 10.9.17.1 | 10.9.17.254 | 10.9.17.255 | 17 |  |
| Tender Management Director | 10.9.18.0/24 | 255.255.255.0 | 10.9.18.1 | 10.9.18.254 | 10.9.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.9.19.0/24 | 255.255.255.0 | 10.9.19.1 | 10.9.19.254 | 10.9.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.9.20.0/24 | 255.255.255.0 | 10.9.20.1 | 10.9.20.254 | 10.9.20.255 | 20 |  |
| Good Governance and Reform Director | 10.9.21.0/24 | 255.255.255.0 | 10.9.21.1 | 10.9.21.254 | 10.9.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.9.22.0/24 | 255.255.255.0 | 10.9.22.1 | 10.9.22.254 | 10.9.22.255 | 22 |  |

Table 14 EPSS-Nekemete IP Plan


| VLAN Name | Main Block Hawassa Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.10.2.0/24 | 255.255.255.0 | 10.10.2.1 | 10.10.2.254 | 10.10.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.10.3.0/24 | 255.255.255.0 | 10.10.3.1 | 10.10.3.254 | 10.10.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.10.5.0/24 | 255.255.255.0 | 10.10.5.1 | 10.10.5.254 | 10.10.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.10.6.0/24 | 255.255.255.0 | 10.10.6.1 | 10.10.6.254 | 10.10.6.255 | 6 | - |
| General Service and Property Administration Director | 10.10.7.0/24 | 255.255.255.0 | 10.10.7.1 | 10.10.7.254 | 10.10.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.10.8.0/24 | 255.255.255.0 | 10.10.8.1 | 10.10.8.254 | 10.10.8.255 | 8 | - |
| Legal Services Director | 10.10.9.0/24 | 255.255.255.0 | 10.10.9.1 | 10.10.9.254 | 10.10.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.10.10.0 | 255.255.255.0 | 10.10.10.10 | 10.10.10.254 | 10.10.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.10.11.0/24 | 255.255.255.0 | 10.10.11.1 | 10.10.11.254 | 10.10.11.255 | 11 | 10.10.2.20 |
| Information & Communication Technology Director | 10.10.12.0/24 | 255.255.255.0 | 10.10.12.1 | 10.10.12.254 | 10.10.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.10.13.0/24 | 255.255.255.0 | 10.10.13.1 | 10.10.13.254 | 10.10.13.255 | 13 |  |
| Ethics Liaison Director | 10.10.14.0/24 | 255.255.255.0 | 10.10.14.1 | 10.10.14.254 | 10.10.14.255 | 14 |  |
| RDF Finance Director | 10.10.15.0/24 | 255.255.255.0 | 10.10.15.1 | 10.10.15.254 | 10.10.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.10.16.0/24 | 255.255.255.0 | 10.10.16.1 | 10.10.16.254 | 10.10.16.255 | 16 |  |
| Internal audit service directorate | 10.10.17.0/24 | 255.255.255.0 | 10.10.17.1 | 10.10.17.254 | 10.10.17.255 | 17 |  |
| Tender Management Director | 10.10.18.0/24 | 255.255.255.0 | 10.10.18.1 | 10.10.18.254 | 10.10.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.10.19.0/24 | 255.255.255.0 | 10.10.19.1 | 10.10.19.254 | 10.10.27.255 | 19 |  |
| Women and Youth Affairs Director | 10.10.20.0/24 | 255.255.255.0 | 10.10.20.1 | 10.10.20.254 | 10.10.20.255 | 20 |  |
| Good Governance and Reform Director | 10.10.21.0/24 | 255.255.255.0 | 10.10.21.1 | 10.10.21.254 | 10.10.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.10.22.0/24 | 255.255.255.0 | 10.10.22.1 | 10.10.22.254 | 10.10.22.255 | 22 |  |

Table 15 EPSS-Hawassa IP Plan


| VLAN Name | Main Block Gambella Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.11.2.0/24 | 255.255.255.0 | 10.11.2.1 | 10.11.2.254 | 10.11.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.11.3.0/24 | 255.255.255.0 | 10.11.3.1 | 10.11.3.254 | 10.11.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.11.5.0/24 | 255.255.255.0 | 10.11.5.1 | 10.11.5.254 | 10.11.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.11.6.0/24 | 255.255.255.0 | 10.11.6.1 | 10.11.6.254 | 10.11.6.255 | 6 | - |
| General Service and Property Administration Director | 10.11.7.1/24 | 255.255.255.0 | 10.11.7.1 | 10.11.7.254 | 10.11.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.11.8.0/24 | 255.255.255.0 | 10.11.8.1 | 10.11.8.254 | 10.11.8.255 | 8 | - |
| Legal Services Director | 10.11.9.0/24 | 255.255.255.0 | 10.11.9.1 | 10.11.9.254 | 10.11.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.11.10.0 | 255.255.255.0 | 10.11.10.11 | 10.11.10.254 | 10.11.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.11.11.0/24 | 255.255.255.0 | 10.11.11.1 | 10.11.11.254 | 10.11.11.255 | 11 | 10.11.2.20 |
| Information & Communication Technology Director | 10.11.12.0/24 | 255.255.255.0 | 10.11.12.1 | 10.11.12.254 | 10.11.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.11.13.0/24 | 255.255.255.0 | 10.11.13.1 | 10.11.13.254 | 10.11.13.255 | 13 |  |
| Ethics Liaison Director | 10.11.14.0/24 | 255.255.255.0 | 10.11.14.1 | 10.11.14.254 | 10.11.14.255 | 14 |  |
| RDF Finance Director | 10.11.15.0/24 | 255.255.255.0 | 10.11.15.1 | 10.11.15.254 | 10.11.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.11.16.0/24 | 255.255.255.0 | 10.11.16.1 | 10.11.16.254 | 10.11.16.255 | 16 |  |
| Internal audit service directorate | 10.11.17.0/24 | 255.255.255.0 | 10.11.17.1 | 10.11.17.254 | 10.11.17.255 | 17 |  |
| Tender Management Director | 10.11.18.0/24 | 255.255.255.0 | 10.11.18.1 | 10.11.18.254 | 10.11.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.11.19.0/24 | 255.255.255.0 | 10.11.19.1 | 10.11.19.254 | 10.11.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.11.20.0/24 | 255.255.255.0 | 10.11.20.1 | 10.11.20.254 | 10.11.20.255 | 20 |  |
| Good Governance and Reform Director | 10.11.21.0/24 | 255.255.255.0 | 10.11.21.1 | 10.11.21.254 | 10.11.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.11.22.0/24 | 255.255.255.0 | 10.11.22.1 | 10.11.22.254 | 10.11.22.255 | 22 |  |

Table 16 EPSS-Gambella IP Plan


| VLAN Name | Main Block Negele Borena Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.12.2.0/24 | 255.255.255.0 | 10.12.2.1 | 10.12.2.254 | 10.12.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.12.3.0/24 | 255.255.255.0 | 10.12.3.1 | 10.12.3.254 | 10.12.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.12.5.0/24 | 255.255.255.0 | 10.12.5.1 | 10.12.5.254 | 10.12.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.12.6.0/24 | 255.255.255.0 | 10.12.6.1 | 10.12.6.254 | 10.12.6.255 | 6 | - |
| General Service and Property Administration Director | 10.12.7.0/24 | 255.255.255.0 | 10.12.7.1 | 10.12.7.254 | 10.12.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.12.8.0/24 | 255.255.255.0 | 10.12.8.1 | 10.12.8.254 | 10.12.8.255 | 8 | - |
| Legal Services Director | 10.12.9.0/24 | 255.255.255.0 | 10.12.9.1 | 10.12.9.254 | 10.12.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.12.10.0 | 255.255.255.0 | 10.12.10.12 | 10.12.10.254 | 10.12.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.12.11.0/24 | 255.255.255.0 | 10.12.11.1 | 10.12.11.254 | 10.12.11.255 | 11 | 10.12.2.20 |
| Information & Communication Technology Director | 10.12.12.0/24 | 255.255.255.0 | 10.12.2.1 | 10.12.12.254 | 10.12.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.12.13.0/24 | 255.255.255.0 | 10.12.13.1 | 10.12.13.254 | 10.12.13.255 | 13 |  |
| Ethics Liaison Director | 10.12.14.0/24 | 255.255.255.0 | 10.12.14.1 | 10.12.14.254 | 10.12.14.255 | 14 |  |
| RDF Finance Director | 10.12.15.0/24 | 255.255.255.0 | 10.12.15.1 | 10.12.15.254 | 10.12.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.12.16.0/24 | 255.255.255.0 | 10.12.16.1 | 10.12.16.254 | 10.12.16.255 | 16 |  |
| Internal audit service directorate | 10.12.17.0/24 | 255.255.255.0 | 10.12.17.1 | 10.12.17.254 | 10.12.17.255 | 17 |  |
| Tender Management Director | 10.12.18.0/24 | 255.255.255.0 | 10.12.18.1 | 10.12.18.254 | 10.12.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.12.19.0/24 | 255.255.255.0 | 10.12.19.1 | 10.12.19.254 | 10.12.10.255 | 19 |  |
| Women and Youth Affairs Director | 10.12.20.0/24 | 255.255.255.0 | 10.12.20.1 | 10.12.20.254 | 10.12.20.255 | 20 |  |
| Good Governance and Reform Director | 10.12.21.0/24 | 255.255.255.0 | 10.12.21.1 | 10.12.21.254 | 10.12.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.12.22.0/24 | 255.255.255.0 | 10.12.22.1 | 10.12.22.254 | 10.12.22.255 | 22 |  |

Table 17 EPSS-Negele IP Plan


| VLAN Name | Main Block Jimma Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.13.2.0/24 | 255.255.255.0 | 10.13.2.1 | 10.13.2.254 | 10.13.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.13.3.0/24 | 255.255.255.0 | 10.13.3.1 | 10.13.3.254 | 10.13.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.13.5.0/24 | 255.255.255.0 | 10.13.5.1 | 10.13.5.254 | 10.13.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.13.6.0/24 | 255.255.255.0 | 10.13.6.1 | 10.13.6.254 | 10.13.6.255 | 6 | - |
| General Service and Property Administration Director | 10.13.7.1/24 | 255.255.255.0 | 10.13.7.1 | 10.13.7.254 | 10.13.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.13.8.0/24 | 255.255.255.0 | 10.13.8.1 | 10.13.8.254 | 10.13.8.255 | 8 | - |
| Legal Services Director | 10.13.9.0/24 | 255.255.255.0 | 10.13.9.1 | 10.13.9.254 | 10.13.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.13.10.0 | 255.255.255.0 | 10.13.10.13 | 10.13.10.254 | 10.13.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.13.11.0/24 | 255.255.255.0 | 10.13.11.1 | 10.13.11.254 | 10.13.11.255 | 11 | 10.13.2.20 |
| Information & Communication Technology Director | 10.13.12.0/24 | 255.255.255.0 | 10.13.12.1 | 10.13.12.254 | 10.13.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.13.13.0/24 | 255.255.255.0 | 10.13.13.1 | 10.13.13.254 | 10.13.13.255 | 13 |  |
| Ethics Liaison Director | 10.13.14.0/24 | 255.255.255.0 | 10.13.14.1 | 10.13.14.254 | 10.13.14.255 | 14 |  |
| RDF Finance Director | 10.13.15.0/24 | 255.255.255.0 | 10.13.15.1 | 10.13.15.254 | 10.13.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.13.16.0/24 | 255.255.255.0 | 10.13.16.1 | 10.13.16.254 | 10.13.16.255 | 16 |  |
| Internal audit service directorate | 10.13.17.0/24 | 255.255.255.0 | 10.13.17.1 | 10.13.17.254 | 10.13.17.255 | 17 |  |
| Tender Management Director | 10.13.18.0/24 | 255.255.255.0 | 10.13.18.1 | 10.13.18.254 | 10.13.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.13.19.0/24 | 255.255.255.0 | 10.13.19.1 | 10.13.19.254 | 10.13.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.13.20.0/24 | 255.255.255.0 | 10.13.20.1 | 10.13.20.254 | 10.13.20.255 | 20 |  |
| Good Governance and Reform Director | 10.13.21.0/24 | 255.255.255.0 | 10.13.21.1 | 10.13.21.254 | 10.13.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.13.22.0/24 | 255.255.255.0 | 10.13.22.1 | 10.13.22.254 | 10.13.22.255 | 22 |  |

Table 18 EPSS-Jimma IP Plan


| VLAN Name | Main Block Adama Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.14.2.0/24 | 255.255.255.0 | 10.14.2.1 | 10.14.2.254 | 10.14.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.14.3.0/24 | 255.255.255.0 | 10.14.3.1 | 10.14.3.254 | 10.14.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.14.5.0/24 | 255.255.255.0 | 10.14.5.1 | 10.14.5.254 | 10.14.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.14.6.0/24 | 255.255.255.0 | 10.14.6.1 | 10.14.6.254 | 10.14.6.255 | 6 | - |
| General Service and Property Administration Director | 10.14.7.0/24 | 255.255.255.0 | 10.14.7.1 | 10.14.7.254 | 10.14.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.14.8.0/24 | 255.255.255.0 | 10.14.8.1 | 10.14.8.254 | 10.14.8.255 | 8 | - |
| Legal Services Director | 10.14.9.0/24 | 255.255.255.0 | 10.14.9.1 | 10.14.9.254 | 10.14.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.14.10.0 | 255.255.255.0 | 10.14.10.14 | 10.14.10.254 | 10.14.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.14.11.0/24 | 255.255.255.0 | 10.14.11.1 | 10.14.11.254 | 10.14.11.255 | 11 | 10.14.2.20 |
| Information & Communication Technology Director | 10.14.12.0/24 | 255.255.255.0 | 10.14.12.1 | 10.14.12.254 | 10.14.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.14.13.0/24 | 255.255.255.0 | 10.14.13.1 | 10.14.13.254 | 10.14.13.255 | 13 |  |
| Ethics Liaison Director | 10.14.14.0/24 | 255.255.255.0 | 10.14.14.1 | 10.14.14.254 | 10.14.14.255 | 14 |  |
| RDF Finance Director | 10.14.15.0/24 | 255.255.255.0 | 10.14.15.1 | 10.14.15.254 | 10.14.15.255 | 15 |  |
| Quality Control and Assurance Director | 10.14.16.0/24 | 255.255.255.0 | 10.14.16.1 | 10.14.16.254 | 10.14.16.255 | 16 |  |
| Internal audit service directorate | 10.14.17.0/24 | 255.255.255.0 | 10.14.17.1 | 10.14.17.254 | 10.14.7.255 | 17 |  |
| Tender Management Director | 10.14.18.0/24 | 255.255.255.0 | 10.14.18.1 | 10.14.18.254 | 10.14.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.14.19.0/24 | 255.255.255.0 | 10.14.19.1 | 10.14.19.254 | 10.14.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.14.20.0/24 | 255.255.255.0 | 10.14.20.1 | 10.14.20.254 | 10.14.20.255 | 20 |  |
| Good Governance and Reform Director | 10.14.21.0/24 | 255.255.255.0 | 10.14.21.1 | 10.14.21.254 | 10.14.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.14.22.0/24 | 255.255.255.0 | 10.14.22.1 | 10.14.22.254 | 10.14.22.255 | 22 |  |

Table 19 EPSS-Adama IP Plan


| VLAN Name | Main Block Arbaminch Branch | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.15.2.0/24 | 255.255.255.0 | 10.15.2.1 | 10.15.2.254 | 10.15.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.15.3.0/24 | 255.255.255.0 | 10.15.3.1 | 10.15.3.254 | 10.15.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.15.5.0/24 | 255.255.255.0 | 10.15.5.1 | 10.15.5.254 | 10.15.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.15.6.0/24 | 255.255.255.0 | 10.15.6.1 | 10.15.6.254 | 10.15.6.255 | 6 | - |
| General Service and Property Administration Director | 10.15.7.0/24 | 255.255.255.0 | 10.15.7.1 | 10.15.7.254 | 10.15.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.15.8.0/24 | 255.255.255.0 | 10.15.8.1 | 10.15.8.254 | 10.15.8.255 | 8 | - |
| Legal Services Director | 10.15.9.0/24 | 255.255.255.0 | 10.15.9.1 | 10.15.9.254 | 10.15.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.15.10.0/24 | 255.255.255.0 | 10.15.10.15 | 10.15.10.254 | 10.15.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.15.11.0/24 | 255.255.255.0 | 10.15.11.1 | 10.15.11.254 | 10.15.11.255 | 11 | 10.15.2.20 |
| Information & Communication Technology Director | 10.15.12.0/24 | 255.255.255.0 | 10.15.12.1 | 10.15.12.254 | 10.15.12.255 | 12 |  |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.15.13.0/24 | 255.255.255.0 | 10.15.13.1 | 10.15.13.254 | 10.15.13.255 | 13 |  |
| Ethics Liaison Director | 10.15.14.0/24 | 255.255.255.0 | 10.15.14.1 | 10.15.14.254 | 10.15.14.255 | 14 |  |
| RDF Finance Director | 10.15.15.0/24 | 255.255.255.0 | 10.15.15.1 | 10.15.15.254 | 10.15.5.255 | 15 |  |
| Quality Control and Assurance Director | 10.15.16.0/24 | 255.255.255.0 | 10.15.16.1 | 10.15.16.254 | 10.15.16.255 | 16 |  |
| Internal audit service directorate | 10.15.17.0/24 | 255.255.255.0 | 10.15.17.1 | 10.15.17.254 | 10.15.17.255 | 17 |  |
| Tender Management Director | 10.15.18.0/24 | 255.255.255.0 | 10.15.18.1 | 10.15.18.254 | 10.15.18.255 | 18 |  |
| Human Resource Administration and Development Directorate Director | 10.15.19.0/24 | 255.255.255.0 | 10.15.19.1 | 10.15.19.254 | 10.15.19.255 | 19 |  |
| Women and Youth Affairs Director | 10.15.20.0/24 | 255.255.255.0 | 10.15.20.1 | 10.15.20.254 | 10.15.20.255 | 20 |  |
| Good Governance and Reform Director | 10.15.21.0/24 | 255.255.255.0 | 10.15.21.1 | 10.15.21.254 | 10.15.21.255 | 21 |  |
| Communication Affairs Directorate Director | 10.15.22.0/24 | 255.255.255.0 | 10.15.22.1 | 10.15.22.254 | 10.15.22.255 | 22 |  |

Table 20 EPSS-Arba Minch IP Plan


| VLAN Name | Main Block (Gondar Branch) | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.16.2.0/24 | 255.255.255.0 | 10.16.2.1 | 10.16.2.254 | 10.16.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.16.3.0/24 | 255.255.255.0 | 10.16.3.1 | 10.16.3.254 | 10.16.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.16.5.0/24 | 255.255.255.0 | 10.16.5.1 | 10.16.5.254 | 10.16.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.16.6.0/24 | 255.255.255.0 | 10.16.6.1 | 10.16.6.254 | 10.16.6.255 | 6 | - |
| General Service and Property Administration Director | 10.16.7.0/24 | 255.255.255.0 | 10.16.7.1 | 10.16.7.254 | 10.16.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.16.8.0/24 | 255.255.255.0 | 10.16.8.1 | 10.16.8.254 | 10.16.8.255 | 8 | - |
| Legal Services Director | 10.16.9.0/24 | 255.255.255.0 | 10.16.9.1 | 10.16.9.254 | 10.16.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.16.10.0/24 | 255.255.255.0 | 10.16.10.16 | 10.16.10.254 | 10.16.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.16.11.0/24 | 255.255.255.0 | 10.16.11.1 | 10.16.11.254 | 10.16.11.255 | 11 | 10.16.2.20 |
| Information & Communication Technology Director | 10.16.12.0/24 | 255.255.255.0 | 10.16.12.1 | 10.16.12.254 | 10.16.12.255 | 12 | |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.16.13.0/24 | 255.255.255.0 | 10.16.13.1 | 10.16.13.254 | 10.16.13.255 | 13 | |
| Ethics Liaison Director | 10.16.14.0/24 | 255.255.255.0 | 10.16.14.1 | 10.16.14.254 | 10.16.24.255 | 14 | |
| RDF Finance Director | 10.16.15.0/24 | 255.255.255.0 | 10.16.15.1 | 10.16.15.254 | 10.16.15.255 | 15 | |
| Quality Control and Assurance Director | 10.16.16.0/24 | 255.255.255.0 | 10.16.16.1 | 10.16.16.254 | 10.16.16.255 | 16 | |
| Internal audit service directorate | 10.16.17.0/24 | 255.255.255.0 | 10.16.17.1 | 10.16.17.254 | 10.16.17.255 | 17 | |
| Tender Management Director | 10.16.18.0/24 | 255.255.255.0 | 10.16.18.1 | 10.16.18.254 | 10.16.18.255 | 18 | |
| Human Resource Administration and Development Directorate Director | 10.16.19.0/24 | 255.255.255.0 | 10.16.19.1 | 10.16.19.254 | 10.16.19.255 | 19 | |
| Women and Youth Affairs Director | 10.16.20.0/24 | 255.255.255.0 | 10.16.20.1 | 10.16.20.254 | 10.16.20.255 | 20 | |
| Good Governance and Reform Director | 10.16.21.0/24 | 255.255.255.0 | 10.16.21.1 | 10.16.21.254 | 10.16.21.255 | 21 | |
| Communication Affairs Directorate Director | 10.16.22.0/24 | 255.255.255.0 | 10.16.22.1 | 10.16.22.254 | 10.16.22.255 | 22 | |

Table 21 EPSS-Gondar IP Plan


| VLAN Name | Main Block (Mekelle Branch) | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.17.2.0/24 | 255.255.255.0 | 10.17.2.1 | 10.17.2.254 | 10.17.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.17.3.0/24 | 255.255.255.0 | 10.17.3.1 | 10.17.3.254 | 10.17.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.17.5.0/24 | 255.255.255.0 | 10.17.5.1 | 10.17.5.254 | 10.17.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.17.6.0/24 | 255.255.255.0 | 10.17.6.1 | 10.17.6.254 | 10.17.6.255 | 6 | - |
| General Service and Property Administration Director | 10.17.7.0/24 | 255.255.255.0 | 10.17.7.1 | 10.17.7.254 | 10.17.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.17.8.0/24 | 255.255.255.0 | 10.17.8.1 | 10.17.8.254 | 10.17.8.255 | 8 | - |
| Legal Services Director | 10.17.9.0/24 | 255.255.255.0 | 10.17.9.1 | 10.17.9.254 | 10.17.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.17.10.0/24 | 255.255.255.0 | 10.17.10.17 | 10.17.10.254 | 10.17.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.17.11.0/24 | 255.255.255.0 | 10.17.11.1 | 10.17.11.254 | 10.17.11.255 | 11 | 10.17.2.20 |
| Information & Communication Technology Director | 10.17.12.0/24 | 255.255.255.0 | 10.17.12.1 | 10.17.12.254 | 10.17.12.255 | 12 | |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.17.13.0/24 | 255.255.255.0 | 10.17.13.1 | 10.17.13.254 | 10.17.13.255 | 13 | |
| Ethics Liaison Director | 10.17.14.0/24 | 255.255.255.0 | 10.17.4.1 | 10.17.14.254 | 10.17.14.255 | 14 | |
| RDF Finance Director | 10.17.15.0/24 | 255.255.255.0 | 10.17.15.1 | 10.17.15.254 | 10.17.15.255 | 15 | |
| Quality Control and Assurance Director | 10.17.16.0/24 | 255.255.255.0 | 10.17.16.1 | 10.17.16.254 | 10.17.16.255 | 16 | |
| Internal audit service directorate | 10.17.17.0/24 | 255.255.255.0 | 10.17.17.1 | 10.17.17.254 | 10.17.17.255 | 17 | |
| Tender Management Director | 10.17.18.0/24 | 255.255.255.0 | 10.17.18.1 | 10.17.18.254 | 10.17.18.255 | 18 | |
| Human Resource Administration and Development Directorate Director | 10.17.19.0/24 | 255.255.255.0 | 10.17.19.1 | 10.17.19.254 | 10.17.19.255 | 19 | |
| Women and Youth Affairs Director | 10.17.20.0/24 | 255.255.255.0 | 10.17.20.1 | 10.17.20.254 | 10.17.20.255 | 20 | |
| Good Governance and Reform Director | 10.17.21.0/24 | 255.255.255.0 | 10.17.21.1 | 10.17.21.254 | 10.17.21.255 | 21 | |
| Communication Affairs Directorate Director | 10.17.22.0/24 | 255.255.255.0 | 10.17.22.1 | 10.17.22.254 | 10.17.22.255 | 22 | |

Table 22 EPSS-Mekelle IP Plan


| VLAN Name | Main Block (Shire Branch) | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.18.2.0/24 | 255.255.255.0 | 10.18.2.1 | 10.18.2.254 | 10.18.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.18.3.0/24 | 255.255.255.0 | 10.18.3.1 | 10.18.3.254 | 10.18.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.18.5.0/24 | 255.255.255.0 | 10.18.5.1 | 10.18.5.254 | 10.18.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.18.6.0/24 | 255.255.255.0 | 10.18.6.1 | 10.18.6.254 | 10.18.6.255 | 6 | - |
| General Service and Property Administration Director | 10.18.7.0/24 | 255.255.255.0 | 10.18.7.1 | 10.18.7.254 | 10.18.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.18.8.0/24 | 255.255.255.0 | 10.18.8.1 | 10.18.8.254 | 10.18.8.255 | 8 | - |
| Legal Services Director | 10.18.9.0/24 | 255.255.255.0 | 10.18.9.1 | 10.18.9.254 | 10.18.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.18.10.0/24 | 255.255.255.0 | 10.18.10.18 | 10.18.10.254 | 10.18.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.18.11.0/24 | 255.255.255.0 | 10.18.11.1 | 10.18.11.254 | 10.18.11.255 | 11 | 10.18.2.20 |
| Information & Communication Technology Director | 10.18.12.0/24 | 255.255.255.0 | 10.18.12.1 | 10.18.12.254 | 10.18.12.255 | 12 | |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.18.13.0/24 | 255.255.255.0 | 10.18.13.1 | 10.18.13.254 | 10.18.13.255 | 13 | |
| Ethics Liaison Director | 10.18.14.0/24 | 255.255.255.0 | 10.18.14.1 | 10.18.14.254 | 10.18.14.255 | 14 | |
| RDF Finance Director | 10.18.15.0/24 | 255.255.255.0 | 10.18.15.1 | 10.18.15.254 | 10.18.15.255 | 15 | |
| Quality Control and Assurance Director | 10.18.16.0/24 | 255.255.255.0 | 10.18.16.1 | 10.18.16.254 | 10.18.16.255 | 16 | |
| Internal audit service directorate | 10.18.17.0/24 | 255.255.255.0 | 10.18.27.1 | 10.18.27.254 | 10.18.27.255 | 17 | |
| Tender Management Director | 10.18.18.0/24 | 255.255.255.0 | 10.18.18.1 | 10.18.18.254 | 10.18.18.255 | 18 | |
| Human Resource Administration and Development Directorate Director | 10.18.19.0/24 | 255.255.255.0 | 10.18.19.1 | 10.18.19.254 | 10.18.19.255 | 19 | |
| Women and Youth Affairs Director | 10.18.20.0/24 | 255.255.255.0 | 10.18.20.1 | 10.18.20.254 | 10.18.20.255 | 20 | |
| Good Governance and Reform Director | 10.18.21.0/24 | 255.255.255.0 | 10.18.21.1 | 10.18.21.254 | 10.18.21.255 | 21 | |
| Communication Affairs Directorate Director | 10.18.22.0/24 | 255.255.255.0 | 10.18.22.1 | 10.18.22.254 | 10.18.22.255 | 22 | |

Table 23 EPSS-Shire IP Plan


| VLAN Name | Main Block (Addis Ababa Site 2) | Subnet mask | Usable IP Address Beginning | Usable IP Address Ending | Broadcast Address | VLANs | Mngt IP |
|---|---|---|---|---|---|---|---|
| Director General | 10.19.2.0/24 | 255.255.255.0 | 10.19.2.1 | 10.19.2.254 | 10.19.2.255 | 2 | - |
| Deputy Director General for Finance Administration and System Strength | 10.19.3.0/24 | 255.255.255.0 | 10.19.3.1 | 10.19.3.254 | 10.19.3.255 | 3 | - |
| Deputy Director General - Inbound Logistics | 10.19.5.0/24 | 255.255.255.0 | 10.19.5.1 | 10.19.5.254 | 10.19.5.255 | 5 | - |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 10.19.6.0/24 | 255.255.255.0 | 10.19.6.1 | 10.19.6.254 | 10.19.6.255 | 6 | - |
| General Service and Property Administration Director | 10.19.7.0/24 | 255.255.255.0 | 10.19.7.1 | 10.19.7.254 | 10.19.7.255 | 7 | - |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 10.19.8.0/24 | 255.255.255.0 | 10.19.8.1 | 10.19.8.254 | 10.19.8.255 | 8 | - |
| Legal Services Director | 10.19.9.0/24 | 255.255.255.0 | 10.19.9.1 | 10.19.9.254 | 10.19.9.255 | 9 | - |
| Warehouse and Inventory Management Director | 10.19.10.0/24 | 255.255.255.0 | 10.19.10.19 | 10.19.10.254 | 10.19.10.255 | 10 | - |
| Quantification and Market Shaping Director | 10.19.11.0/24 | 255.255.255.0 | 10.19.11.1 | 10.19.11.254 | 10.19.11.255 | 11 | 10.19.2.20 |
| Information & Communication Technology Director | 10.19.12.0/24 | 255.255.255.0 | 10.19.12.1 | 10.19.12.254 | 10.19.12.255 | 12 | |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 10.19.13.0/24 | 255.255.255.0 | 10.19.13.1 | 10.19.13.254 | 10.19.13.255 | 13 | |
| Ethics Liaison Director | 10.19.14.0/24 | 255.255.255.0 | 10.19.14.1 | 10.19.14.254 | 10.19.14.255 | 14 | |
| RDF Finance Director | 10.19.15.0/24 | 255.255.255.0 | 10.19.15.1 | 10.19.15.254 | 10.19.15.255 | 15 | |
| Quality Control and Assurance Director | 10.19.16.0/24 | 255.255.255.0 | 10.19.16.1 | 10.19.16.254 | 10.19.16.255 | 16 | |
| Internal audit service directorate | 10.19.17.0/24 | 255.255.255.0 | 10.19.17.1 | 10.19.17.254 | 10.19.17.255 | 17 | |
| Tender Management Director | 10.19.18.0/24 | 255.255.255.0 | 10.19.18.1 | 10.19.18.254 | 10.19.18.255 | 18 | |
| Human Resource Administration and Development Directorate Director | 10.19.19.0/24 | 255.255.255.0 | 10.19.19.1 | 10.19.19.254 | 10.19.19.255 | 19 | |
| Women and Youth Affairs Director | 10.19.20.0/24 | 255.255.255.0 | 10.19.20.1 | 10.19.20.254 | 10.19.20.255 | 20 | |
| Good Governance and Reform Director | 10.19.21.0/24 | 255.255.255.0 | 10.19.21.1 | 10.19.21.254 | 10.19.21.255 | 21 | |
| Communication Affairs Directorate Director | 10.19.22.0/24 | 255.255.255.0 | 10.19.22.1 | 10.19.22.254 | 10.19.22.255 | 22 | |

Table 24 EPSS-Addis Ababa Site 2
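A check that can be run over an IP plan like the ones in Tables 19 to 24 before it is pushed to devices, as an added example that is not part of the original design document. It cross-checks each row's mask, usable range and broadcast address against the stated block; the sample rows are copied from the tables on this page and include rows whose stated values do not agree with their block. The function names and the "third octet equals VLAN ID" rule for branch sites are assumptions drawn from the pattern in the tables.

```python
import ipaddress

# Rows copied from the IP plan tables on this page:
# (site, VLAN name, main block, subnet mask, usable begin, usable end, broadcast, VLAN ID)
PLAN_ROWS = [
    ("Adama", "Internal audit service directorate", "10.14.17.0/24", "255.255.255.0",
     "10.14.17.1", "10.14.17.254", "10.14.7.255", 17),
    ("Arba Minch", "Director General", "10.15.2.0/24", "255.255.255.0",
     "10.15.2.1", "10.15.2.254", "10.15.2.255", 2),
    ("Arba Minch", "Warehouse and Inventory Management Director", "10.15.10.0/24",
     "255.255.255.0", "10.15.10.15", "10.15.10.254", "10.15.10.255", 10),
    ("Gondar", "Ethics Liaison Director", "10.16.14.0/24", "255.255.255.0",
     "10.16.14.1", "10.16.14.254", "10.16.24.255", 14),
    ("Mekelle", "Ethics Liaison Director", "10.17.14.0/24", "255.255.255.0",
     "10.17.4.1", "10.17.14.254", "10.17.14.255", 14),
    ("Shire", "Internal audit service directorate", "10.18.17.0/24", "255.255.255.0",
     "10.18.27.1", "10.18.27.254", "10.18.27.255", 17),
]


def check_row(row):
    """Return the list of problems found in one IP plan row (empty list = consistent)."""
    site, name, block, mask, first, last, bcast, vlan = row
    net = ipaddress.ip_network(block)  # raises ValueError if host bits are set
    problems = []
    if str(net.netmask) != mask:
        problems.append(f"mask {mask} does not match {block}")
    lowest, highest = net.network_address + 1, net.broadcast_address - 1
    for label, value in (("usable begin", first), ("usable end", last)):
        if not lowest <= ipaddress.ip_address(value) <= highest:
            problems.append(f"{label} {value} is outside the host range of {block}")
    if ipaddress.ip_address(first) > ipaddress.ip_address(last):
        problems.append(f"usable begin {first} is after usable end {last}")
    if ipaddress.ip_address(bcast) != net.broadcast_address:
        problems.append(f"broadcast {bcast} should be {net.broadcast_address}")
    # Assumed branch-site convention: 10.<site>.<VLAN ID>.0/24
    if net.network_address.packed[2] != vlan:
        problems.append(f"third octet of {block} does not match VLAN {vlan}")
    return problems


def find_overlaps(rows):
    """Return pairs of (site, VLAN name, block) whose blocks overlap each other."""
    nets = [(r[0], r[1], ipaddress.ip_network(r[2])) for r in rows]
    overlaps = []
    for i, (site_a, name_a, net_a) in enumerate(nets):
        for site_b, name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append(((site_a, name_a, str(net_a)), (site_b, name_b, str(net_b))))
    return overlaps


def audit_plan(rows):
    """Map (site, VLAN name) to its problems, keeping only rows that have any."""
    report = {}
    for row in rows:
        problems = check_row(row)
        if problems:
            report[(row[0], row[1])] = problems
    return report


if __name__ == "__main__":
    for key, problems in audit_plan(PLAN_ROWS).items():
        for problem in problems:
            print(f"{key[0]} / {key[1]}: {problem}")
    for a, b in find_overlaps(PLAN_ROWS):
        print(f"overlap: {a} and {b}")
```

A usable range that starts above the first host address, as in the Warehouse and Inventory Management rows, passes the check because it still lies inside the block.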


4 EPSS HQ Network Implementation

4.1.1 Core Switch Basic Configuration


➢ Hostname Configurations for core switches.

For Core switch 1

Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS-HQ-CS-01
EPSS-HQ-CS-01(config)# line console 0
EPSS-HQ-CS-01(config-line)# password %TGBnhy6
EPSS-HQ-CS-01(config-line)# login
EPSS-HQ-CS-01(config-line)# line vty 0 4
EPSS-HQ-CS-01(config-line)# password %TGBnhy6
EPSS-HQ-CS-01(config-line)# login
EPSS-HQ-CS-01(config-line)# exit
EPSS-HQ-CS-01(config)# banner login ^
Ethiopian Pharmaceutical Supply Service (EPSS)
Authorized Access only
------------------------------------------------
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device
are logged and violations of this policy will result in legal and/or disciplinary action.
------------------------------------------------
^
EPSS-HQ-CS-01(config)# end


For Core switch 2

Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS-HQ-CS-02
EPSS-HQ-CS-02(config)# end

4.1.2 Core VSS Configuration


3.1.2.1 Overview
We plan to configure VSS on the core switches. Network operators increase network
reliability by configuring redundant pairs of network devices and links. Redundant
network elements and redundant links can add complexity to network design and
operation. Virtual switching simplifies the network by reducing the number of network
elements and hiding the complexity of managing redundant switches and links.

A VSS combines a pair of Cisco C9500-40X-A series switches into a single network
element. The VSS manages the redundant links, which externally act as a single port
channel.

The VSS simplifies network configuration and operation by reducing the number of Layer
3 routing neighbors and by providing a loop-free Layer 2 topology.


Figure 4 Core VSS

VSS Configuration

Right now, the two Cisco C9500-40X-A core switches are running in “standalone” mode. To
bond them using VSS, we will have to do the following:

➢ Configure a virtual switch domain on both switches and configure one switch as
“switch 1” and the other one as “switch 2”.
➢ Configure the virtual switch links.
➢ Execute the conversion command which will reboot the switches.
N.B. Before configuring anything, check that both switches are running the same IOS
version.

Let’s configure the virtual switch domain ID and switch numbers:

## EPSS-HQ-CS-01

! Virtual switch domain
stackwise-virtual
 domain 1
 exit
! Virtual switch links between the two core switches
interface range ten0/0/47 - 48
 stackwise-virtual link 1
 exit
! Dual-active detection link
interface ten0/0/46
 stackwise-virtual dual-active-detection
 exit
reload

All the commands should be executed on each switch; then save the configuration and reload
the switches.

N.B. Do the same on the second switch.

3.1.2.3 Interface Connectivity


| From Device | Interface | To device | Interface |
|---|---|---|---|
| FG 601F-Primary | HA | FG 601F-Secondary | HA2 |
| FG 601F-Primary | g0/0/1 | FG 601F-Secondary | g0/0/1 |
| ISP | --- | FG 601F-Primary | ge0/0/1 or 17 |
| ISP | --- | FG 601F-Secondary | ge0/0/1 or 17 |
| FG 601F-Primary | ten0/0/1 or x1 | Cisco 9500-1 | ten0/0/1 or 1 |
| FG 601F-Secondary | ten1/0/1 or x1 | Cisco 9500-2 | ten2/0/1 or 1 |
| FG 601F-Primary | ten0/0/2 or x2 | Cisco 9500-1 | ten0/0/2 or 2 |
| FG 601F-Secondary | ten1/0/2 or x2 | Cisco 9500-2 | ten2/0/2 or 2 |
| FG 601F-Primary | g0/0/2 or 18 | Cisco 9300-DMZ-1 | ge0/0/1 or 1 |
| FG 601F-Primary | g0/0/2 or 19 | Cisco 9300-DMZ-2 | ge0/0/1 or 2 |
| FG 601F-Secondary | g0/0/2 or 18 | Cisco 9300-DMZ-1 | ge0/0/1 or 1 |
| FG 601F-Secondary | g0/0/2 or 19 | Cisco 9300-DMZ-2 | ge0/0/1 or 2 |
| Cisco 9500-1 | ten0/0/3 or 3 | Cisco 9300-MNGMT-1 | ten0/0/1 or 1 |
| Cisco 9500-1 | ten0/0/4 or 4 | Cisco 9300-MNGMT-2 | ten0/0/1 or 1 |
| Cisco 9500-2 | ten0/0/3 or 3 | Cisco 9300-MNGMT-1 | ten0/0/2 or 2 |
| Cisco 9500-2 | ten0/0/4 or 4 | Cisco 9300-MNGMT-2 | ten0/0/2 or 2 |
| Cisco 9500-1 | ten0/0/5 or 5 | Cisco 9300-DC-1 | ten0/0/1 or 1 |
| Cisco 9500-1 | ten0/0/6 or 6 | Cisco 9300-DC-2 | ten0/0/1 or 1 |
| Cisco 9500-2 | ten0/0/5 or 5 | Cisco 9300-DC-1 | ten0/0/2 or 2 |
| Cisco 9500-2 | ten0/0/6 or 6 | Cisco 9300-DC-2 | ten0/0/2 or 2 |
| Cisco 9500-1 | ten0/0/48 or 48 | Cisco 9500-2 | ten0/0/48 or 48 |
| Cisco 9500-1 | ten0/0/47 or 47 | Cisco 9500-2 | ten0/0/47 or 47 |

3.1.2.4 Physical L3 Interface Configuration with Perimeter Firewall


➢ Interface description configuration between the Core VSS and Perimeter Firewall 1

interface range ten0/0/1 , ten2/0/1
 channel-group 3 mode active
 exit
interface port-channel3
 switchport mode trunk
 exit
interface Port-channel3
 description EPSS-HQ-CS-01--> EPSS-HQ-FW
 no switchport
 ip address X.X.X.X
interface Ten0/0/1
 description EPSS-HQ-CS-01--> EPSS-HQ-FW-01
 no switchport
 no ip address
 channel-group 3 mode active
interface Ten2/0/1
 description EPSS-HQ-CS-01--> EPSS-HQ-FW-01
 no switchport
 no ip address
 spanning-tree portfast edge
 channel-group 3 mode active


➢ Interface description configuration between the Core VSS and Perimeter Firewall 2

interface range ten0/0/2 , ten2/0/2
 channel-group 3 mode active
 exit
interface port-channel3
 switchport mode trunk
 exit
interface ten0/0/1
 description EPSS-HQ-CS-02--> EPSS-HQ-FW-02
 no switchport
 no ip address
 channel-group 3 mode active
interface ten2/0/2
 description EPSS-HQ-CS-02--> EPSS-HQ-FW-02
 no switchport
 no ip address
 spanning-tree portfast edge
 channel-group 3 mode active

4.1.3 Core VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LAN trunks.

#VTP Configuration EPSS Core Switch Side#

EPSS-HQ-CS(config)# vtp domain EPSS-HQ-VTP
EPSS-HQ-CS(config)# vtp password %TGBnhy6
EPSS-HQ-CS(config)# vtp mode server

4.1.4 Core VLAN Configuration


This configuration creates a new VLAN and assigns an IP address to its interface, effectively
making the switch act as a layer 3 device for that VLAN. The devices within that VLAN use
the switch’s IP address as their default gateway for proper routing.

EPSS-HQ-CS-01> enable
EPSS-HQ-CS-01# configure terminal
EPSS-HQ-CS-01(config)# vlan 2
EPSS-HQ-CS-01(config-vlan)# name Director-General
EPSS-HQ-CS-01(config-vlan)# exit
EPSS-HQ-CS-01(config)# interface vlan 2
EPSS-HQ-CS-01(config-if)# ip address 10.1.2.1 255.255.254.0
EPSS-HQ-CS-01(config-if)# no shutdown

The table below lists the allocated VLANs for this deployment.


| VLAN Name | VLANs |
|---|---|
| Director General | 2 |
| Deputy Director General for Finance Administration and System Strength | 4 |
| Deputy Director General - Inbound Logistics | 6 |
| Deputy Director General for Pharmaceuticals and Medical Supplies Storage and Distribution | 8 |
| General Service and Property Administration Director | 10 |
| Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 12 |
| Legal Services Director | 14 |
| Warehouse and Inventory Management Director | 16 |
| Quantification and Market Shaping Director | 18 |
| Information & Communication Technology Director | 20 |
| Pharmaceutical & Medical Supplies procurement Contract Management Directorate Director | 22 |
| Ethics Liaison Director | 24 |
| RDF Finance Director | 26 |
| Quality Control and Assurance Director | 28 |
| Internal audit service directorate | 30 |
| Tender Management Director | 32 |
| Human Resource Administration and Development Directorate Director | 34 |
| Women and Youth Affairs Director | 36 |
| Good Governance and Reform Director | 37 |
| Communication Affairs Directorate Director | 38 |

4.1.5 Core DHCP Configuration


We will use different DHCP pools to assign IP addresses to client machines and other
applications. DHCP is a protocol that provides a mechanism for allocating IP addresses
dynamically so that addresses can be reused when hosts no longer need them. DHCP
adds the capability to automatically allocate reusable network addresses and configuration
options to Internet hosts. DHCP consists of two components: a protocol for delivering
host-specific configuration parameters from a DHCP server to a host and a mechanism for
allocating network addresses to hosts. DHCP is built on a client/server model, where
designated DHCP server hosts allocate network addresses and deliver configuration
parameters to dynamically configured hosts. DHCP implementation offers the following
benefits:

1. Reduced client configuration tasks and costs: because DHCP is easy to configure,
it minimizes operational overhead and costs associated with device configuration
tasks and eases deployment by nontechnical users.
2. Centralized management: because the DHCP server maintains configurations for
several subnets, the administrator only needs to update a single, central server when
configuration parameters change.

The following configuration is to be done on the collapsed core switch, named EPSS-HQ-CS:

ip dhcp excluded-address 10.1.2.1 10.1.2.30
ip dhcp pool Director-General
 network 10.1.2.0 255.255.254.0
 default-router 10.1.2.1

4.1.6 Core SSH Configuration


SSH provides a secure way to access and manage devices remotely over an
unsecured network.

The RSA key pair consists of a public key and a private key. The public key is used for
encryption, and the private key is used for decryption. Generating an RSA key pair is the
first step in setting up SSH. The key pair is used to secure the SSH communication
between the client and the switch. Enabling SSH version 2 ensures that the switch uses
the more secure protocol for remote access.

The "line vty 0 15" command configures the virtual terminal lines (used for remote access).
The "transport input ssh" command specifies that SSH should be used as the transport
protocol for these virtual terminal lines. The "login local" command indicates that local
authentication (username and password) should be used for SSH access.

Local user credentials are needed to authenticate users when they connect to the switch
via SSH. The "username" command creates a local user account with a specified
username. The "privilege 15" setting assigns the highest privilege level (full access) to this
user. The "secret" command sets the password for this user.

! RSA host key pair and SSH version 2 (domain name as used in section 4.2.6)
ip domain-name epss.gov.et
crypto key generate rsa
ip ssh version 2
! Local account used for SSH logins
username EPSS privilege 15 secret %TGBnhy6
! Remote access lines: SSH only, authenticated against the local user database
line vty 0 15
 transport input ssh
 login local

This step further restricts SSH access to the Information & Communication Technology
Director VLAN only. The optional "access-class" command limits SSH access to specific IP
addresses or subnets, which adds an extra layer of security by allowing SSH connections
only from trusted sources.

access-list 23 permit 10.1.20.0 0.0.0.255
! Applies to vty 5-15 only; vty 0-4 are not covered by this access-class
line vty 5 15
 transport input ssh
 access-class 23 in
 exit

4.1.7 Core SNMP Configuration


SNMP (Simple Network Management Protocol) is used for monitoring and managing
network devices. Here’s a basic guide to SNMP configuration on EPSS-HQ-CS:

snmp-server enable traps
snmp-server community EPSS
snmp-server host X.X.X.X community

4.1.8 Core – Access Interface Configuration
The network setup involves linking core switches with access switches using 10 Gigabit
Ethernet SFP+ uplinks, enabling fast data exchange between end-user devices and the
network's core infrastructure. Core switches handle significant traffic flows across the
network, while access switches connect individual user devices, collectively forming an
efficient hierarchical network architecture.


EPSS-HQ-CS# configure terminal
EPSS-HQ-CS(config)# interface range ge0/0/8 - 40
EPSS-HQ-CS(config-if-range)# switchport mode trunk
EPSS-HQ-CS(config-if-range)# switchport trunk allowed vlan 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,37,38
EPSS-HQ-CS(config-if-range)# end

4.2 Access layer Configuration


4.2.1 Overview
The access layer is the point at which user-controlled devices, user-accessible devices, and
other end-point devices are connected to the network, and it is the one architecture
component that is found in every LAN. The access layer provides both wired and wireless
connectivity and contains features and services that ensure security and resiliency for the
entire network.

Network resiliency and security in the access layer is achieved using Cisco Catalyst
Infrastructure Security Features (CISF) including Dynamic Host Configuration Protocol
(DHCP) snooping, IP Source Guard, port security, and Dynamic Address Resolution
Protocol (ARP) Inspection.

The LAN access layer provides high-bandwidth connections to devices via 10/100/1000
Ethernet with both Gigabit and 10-Gigabit uplink connectivity options. The 10 Gigabit
uplinks also support Gigabit connectivity to provide flexibility and help business continuity
during a transition to 10 Gigabit Ethernet. The LAN access layer is configured as a Layer
2 switch directly connected to the core switch.

4.2.2 Hostname Configurations for access switches.

!
! For Access switch 1
!
Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS_AS_01
EPSS_AS_01(config)# end
!

All access switches will follow the same naming format.

4.2.3 Spanning tree protocol


We will implement spanning tree on EPSS switches to prevent loops. Spanning Tree
Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The main purpose
of STP is to ensure that we do not create loops when we have redundant paths in our
network.

Spanning tree protocol Configuration

# Spanning Tree rapid-pvst Configuration On EPSS Access Switch#


!
spanning-tree mode rapid-pvst
!
interface range GigabitEthernet0/0/1 - 48
 switchport mode access
 switchport access vlan X
 spanning-tree portfast
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!

4.2.4 VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LAN trunks. VTP is available on most of the Cisco
Catalyst Family products.


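# VTP Configuration On EPSS Access Switch

# EPSS Switch Configuration

! The VTP domain and password must match those configured on the core (VTP server) switch
EPSS_AS_01(config)# vtp domain EPSS
EPSS_AS_01(config)# vtp version 2
EPSS_AS_01(config)# vtp password %TGBnhy6
EPSS_AS_01(config)# vtp mode client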

4.2.5 Storm control


We will use different types of storm control to prevent unwanted traffic to the EPSS access
switches. Storm control prevents LAN interfaces from being disrupted by a broadcast storm.
A broadcast storm occurs when broadcast packets flood the subnet, creating excessive
traffic and degrading network performance. Errors in the protocol-stack implementation or
in the network configuration can cause a broadcast storm. When storm control is enabled
on an interface, the switch monitors packets received on the interface and determines
whether the packets are broadcast. The switch monitors the number of broadcast packets
received within a one-second time interval. When the interface threshold is met, all
incoming data traffic on the interface is dropped. This threshold is specified as a
percentage of total available bandwidth that can be used by broadcast traffic. If the lower
threshold is specified, all data traffic is forwarded as soon as the incoming traffic falls below
that threshold.

Multicast Storm Control: multicast and broadcast suppression share a common threshold
per interface. Multicast suppression takes effect only if broadcast suppression is enabled.
Disabling broadcast suppression on an interface also disables multicast suppression.

Storm Control Configuration on Each EPSS Access Switch


!
(config)# interface range gig1/0/1 - 46
(config-if-range)# storm-control broadcast level 75
(config-if-range)# storm-control multicast level 75
(config-if-range)# storm-control action shutdown


4.2.6 SSH and User account

!
ip domain-name epss.gov.et
crypto key generate rsa
How many bits in the modulus [512]: 1024
ip ssh version 2

➢ Prepare the devices to be manageable

line con 0
line vty 0 4
 access-class 55 in
 transport input ssh

The above configuration will be done on all access switches.
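One way to audit the management-plane settings that this section and sections 4.1.1, 4.1.6 and 4.1.7 configure, as an added example that is not part of the original design document. It parses IOS-style configuration text and reports reversible passwords, vty lines without an access-class or without SSH-only transport, and SNMP communities without an ACL. The rule names, both sample configurations, ACL 24 and the 192.0.2.10 NMS address are constructed for illustration.

```python
import re

# Constructed sample in the style of this design's management-plane settings.
# EXAMPLE-ONLY is a placeholder, not a credential from the design.
AS_WRITTEN = """\
username EPSS password EXAMPLE-ONLY
ip ssh version 2
snmp-server community EPSS
access-list 23 permit 10.1.20.0 0.0.0.255
line con 0
 password EXAMPLE-ONLY
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 access-class 23 in
 transport input ssh
 login local
"""

# Constructed hardened counterpart; ACL 24 and 192.0.2.10 (NMS) are assumptions.
HARDENED = """\
username EPSS privilege 15 secret EXAMPLE-ONLY
ip ssh version 2
access-list 23 permit 10.1.20.0 0.0.0.255
access-list 24 permit 192.0.2.10
snmp-server community EPSS RO 24
line con 0
 login local
line vty 0 15
 access-class 23 in
 transport input ssh
 login local
"""


def parse_sections(text):
    """Split config text into (header, [child lines]); unindented lines start a section."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return sorted (rule, detail) findings for the management-plane checks."""
    sections = parse_sections(text)
    findings = []
    for header, children in sections:
        # "password" is stored reversibly; "secret" is stored as a hash.
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", header)
        if m:
            findings.append(("USER-PASSWORD", m.group(1)))
        m = re.match(r"snmp-server community (\S+)(.*)", header)
        if m:
            args = m.group(2).split()
            if "view" in args:  # drop the optional "view <name>" pair
                i = args.index("view")
                del args[i:i + 2]
            if any(a.lower() == "rw" for a in args):
                findings.append(("SNMP-RW", m.group(1)))
            # The ACL, when present, is the last argument after RO/RW.
            if not args or args[-1].lower() in ("ro", "rw"):
                findings.append(("SNMP-NO-ACL", m.group(1)))
        if header.startswith("line "):
            if any(c.startswith("password ") for c in children):
                findings.append(("LINE-PASSWORD", header))
            if header.startswith("line vty"):
                if not any(re.match(r"access-class \S+ in", c) for c in children):
                    findings.append(("VTY-NO-ACL", header))
                if "transport input ssh" not in children:
                    findings.append(("VTY-NOT-SSH-ONLY", header))
    if "ip ssh version 2" not in [h for h, _ in sections]:
        findings.append(("SSH-V2-MISSING", "global"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(AS_WRITTEN):
        print(f"{rule}: {detail}")
```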

4.2.7 NTP Server Configuration


➢ Configuration on NTP server for a synchronized clock

ntp server x.x.x.x
ntp update-calendar
clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

The above configuration will be done on all access switches.

4.2.8 Port Security


By default, the switchport security feature is disabled on all switchports and must be
enabled. Table 1 shows the steps required to enable the switchport security feature on an
interface. (This can cause some confusion, but when using Cisco IOS, switchport
configuration is performed while in interface configuration mode. The
terms interface and switchport are interchangeable.)

(config)# interface range gig0/0/1 - 46
(config-if-range)# switchport port-security maximum 5
(config-if-range)# switchport port-security


5 Zabbix IT monitoring

5.1 Overview
Zabbix is an open-source monitoring software tool for diverse IT components, including
networks, servers, virtual machines (VMs) and cloud services. Zabbix provides monitoring
metrics, such as network utilization, CPU load and disk space consumption. The software
monitors operations on Linux, Hewlett Packard Unix (HP-UX), Mac OS X, Solaris and other
operating systems (OSes); however, Windows monitoring is only possible through agents.

Zabbix can be deployed for agent-based and agentless monitoring. Agents are installed
on IT components to check performance and collect data. The agent then reports back to
a centralized Zabbix management server. That information is included in reports or
presented visually in the Zabbix graphical user interface (GUI). If there are any issues
regarding what is being monitored, Zabbix will send a notification or alert to the user.
Agentless monitoring accomplishes the same type of monitoring by using existing
resources in a system or device to emulate an agent.

The Zabbix web-based GUI enables users to view their IT environment via customizable
dashboards based on widgets, graphs, network maps, slideshows and reports. For
example, a user can customize a report to show metrics associated with both service-level
agreements (SLAs) and key performance indicators (KPIs) on CPU loads.


Figure 5 Monitoring Sample 1


Zabbix works via three discovery mode options:

▪ Network discovery periodically scans an IT environment and records a
device's type, IP address, status, uptimes and downtimes.
▪ Low-level discovery automatically creates items, triggers and graphs based
on the discovered device. Low-level discovery can create metrics from Simple
Network Management Protocol (SNMP) object identifiers, Windows services,
Open Database Connectivity (ODBC) Structured Query Language (SQL)
queries, network interfaces and more.
▪ Auto-discovery automatically starts monitoring any discovered device using a
Zabbix agent.

With Zabbix distributed monitoring, remotely run scripts collect data from
multiple devices in distributed locations and combine that data in one
dashboard or report, such as server availability across the country.

Figure 6 Monitoring Sample 2


Zabbix can send email notifications based on predefined events in a user's IT
environment. Another way for Zabbix users to stay up to date with their IT
environment is through mobile applications from suppliers such as M7 Monitoring
or of their own creation.

5.2 Install Zabbix

Prerequisites

• Apache web server
• PHP with required extensions
• MySQL

5.2.1 Choose the platform

Figure 7 Zabbix Supported Platform

5.2.2 Installing CentOS

System Requirements

• 4 Core Processor (2 GHz)
• 4 GB Physical RAM
• 100 GB or more Disk Space
• Internet Connectivity

Follow the Steps to Install CentOS 7

If you are only looking to update or upgrade CentOS

Download CentOS 7

To download the official and up-to-date CentOS 7 ISO file, navigate
to https://www.centos.org/download/.

Figure 8 Download CentOS

5.2.3 Boot the CentOS ISO File

Upon booting the CentOS 7 ISO file, you can begin the installation process. To do so,
select Install CentOS 7. That will start the installer’s graphical interface.

If you are booting from a USB, click the Install to Hard Drive icon on the desktop. That will
open the installation wizard.

Figure 9 Installation

5.2.4 Install CentOS

Before starting the installation process itself, select which language you would like to use
during installation. The default option is English.

Figure 10 language Choice

Click Continue to confirm your selection.

There are a couple of settings you would want to configure. All items marked with a warning
icon must be configured before you begin the installation. System configurations outlined
below may differ based on use case.

Set Date and Time

Figure 11 Date and Time

To set a date and time for the system, click the Date & Time icon under
the Localization heading. Select a region/time zone on the map of the world as seen
below. Once you have selected your time zone, hit Done to save your changes.

Keyboard Layout

Select the Keyboard option under the Localization heading to set the keyboard layout.

The system default is English (US) and the language you selected in the initial window.
Click the plus icon to add more layouts. Move a layout to the top of the list to make it the
default option.

Click the Options button to define a key combination for switching between keyboard
layouts. When you are satisfied with the settings defined, select the Done button to confirm
the changes.

System Language

Next, select the Language Support option under the Localization heading. The language
selected in the Welcome to CentOS 7 window will be the default system language. If
necessary, select additional languages and hit the Done button once you are finished.

Figure 12 installation summary

Software Selection

Select the Software Selection option under the Software heading. You will see a list of
predefined Base Environment options and optional add-ons. This part entirely depends
on your needs.

• Minimal Install. This is the most flexible and least resource-demanding option.
Excellent for production environment servers. Be prepared to customize the
environment.
• Predefined Server Options. If you are 100% certain about the role of your server
and don’t want to customize it for its role, select one of the predefined server
environments.
• GNOME Desktop and KDE Plasma Workspaces. These environments include a
full graphical user interface.

Figure 13 Software Selection

When you have selected the base environment and optional add-ons, click
the Done button. Wait for the system to check for software dependencies before you move
on to the next option.

Select Installation Destination

Click the Installation Destination option under the System heading. Check your
machine’s storage under the Local Standard Disks heading. CentOS 7 will be installed on
the selected disk.

Partitioning

Option 1: Automatic Partitioning

Under the Other Storage Options heading, select the Automatically configure
partitioning checkbox. This ensures the selected destination storage disk will
automatically partition with the /(root), /home and swap partitions. It will automatically
create an LVM logical volume in the XFS file system.

If you do not have enough free space, you can reclaim disk space and instruct the system
to delete files.

When finished, click the Done button.

Option 2: Manual Partitioning

Use this option if you want to use other file systems (such as ext4 and vfat) and a
non-LVM partitioning scheme, such as btrfs.

Select the I will configure partitioning checkbox and choose Done. This will initiate a
configuration pop-up where you can set up your partitioning manually.

This is an advanced option that depends on your requirements.

Configuring KDUMP

KDUMP is enabled by default.

To disable the KDUMP kernel crash dumping mechanism, select the KDUMP option under
the System heading and uncheck the Enable kdump checkbox. Click the Done button to
confirm your changes.

Note: KDUMP captures system information at the time of a crash. It helps you diagnose
the cause of the crash. When enabled, kdump reserves a portion of system memory.

Network and Hostname

Click the Network & Host Name option under the System heading.

For the hostname, type in the fully qualified domain name of your system. In our example,
we will set the Hostname as my_server.phoenixnap.com, where my_server is the
hostname while phoenixnap.com is the domain.

Figure 14 Network and Hostname

Select Configure… and select to add IPv4 settings or IPv6 settings depending on what
you have. Add static IP addresses to help identify your computer on the network. Bear in
mind that your network environment’s settings define these values.

Figure 15 Editing Interface

To add a static IP address:

1. Select Manual from the Method drop-down.
2. Click the Add button to add a static IP address.
3. Enter the information for your network domain.
• IP Address
• Netmask Address
• Gateway Address
• DNS Servers Address
4. Click Save to confirm your changes.

By default, all detected ethernet connections are disabled. Click the ON/OFF toggle to
enable the connection. After the installation of CentOS, follow our guide to learn more
details about configuring your network settings.

Note: Is CentOS the best option for your server? Refer to the Ubuntu VS CentOS article
to see a comparison between the two and decide which one is best for you.

5.2.5 Security Policy

Select the Security Policy option under the System heading. Choose a profile from the
list and hit Select profile. Hit the Done button to confirm your selection.

5.2.6 Start the Installation Process

Once everything is set up according to your liking, hit Begin Installation to start the install.
This will start the initial installation process.

Figure 16 User Setting

Define Root Password

To define the root user, select the Root Password icon.

Select a Root Password and re-enter it in Confirm field.

The root password should consist of at least 12 characters, including uppercase and
lowercase letters, numbers, and special characters. We cannot stress enough the
importance of a well-defined root password.

Click the Done button to proceed.

Figure 17 Set Root password

Create User

To begin, select the User Creation option.

Add a new system account user by defining the full name, user name, and password.
We recommend you check the Make this user administrator and Require a password
to use this account checkboxes. This will grant the user root privileges.

Figure 18 Create User

After you fill in all of the fields and define a secure password, select Done in the upper-
left corner of the screen.

Wait for the installation process to complete.

Figure 19 Reboot

Before you start using your new CentOS installation, reboot the system. Click
the Reboot button.

Log into the system by using the credentials you defined previously.

5.2.7 Install and configure Zabbix for your platform

Step 1 – Disable SELinux

Open SELinux configuration and edit the file:

# Become root user

sudo su

# Enter password

vim /etc/sysconfig/selinux

Change “SELINUX=enforcing” to “SELINUX=disabled”

Save and exit the file. Then reboot the system.

reboot

Step 2 – Install and Configure Apache

Use the following commands:

yum -y install httpd

Check the service status.

systemctl status httpd.service

If Apache service is not running, start it manually.

systemctl start httpd.service

Enable httpd service on system boot.

A. Install Zabbix server, frontend, agent

B. Create initial database

Make sure you have a database server up and running.

Run the following on your databases host.

On Zabbix server host import initial schema and data. You will be prompted to enter your
newly created password.

Disable log_bin_trust_function_creators option after importing database schema.

C. Configure the database for Zabbix server

Edit file /etc/zabbix/zabbix_server.conf

D. Start Zabbix server and agent process

Start Zabbix server and agent processes and make it start at system boot.

E. Open Zabbix UI web page

The default URL for Zabbix UI when using Apache web server is http://host/zabbix

Step 3 – Configure Needed Repositories

Install epel and remi repos.

yum -y install epel-release

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Disable PHP 5 repositories and enable PHP 7.2 repo.

yum-config-manager --disable remi-php54

yum-config-manager --enable remi-php72

Step 4 – Install PHP

yum install php php-pear php-cgi php-common php-mbstring php-snmp php-gd php-pecl-mysql php-xml php-mysql php-gettext php-bcmath

Modify the PHP time zone by editing the php.ini file.


vim /etc/php.ini

Uncomment the following line and add your time zone.


date.timezone = Australia/Sydney

Step 6 – Create a Database for Zabbix

You can choose any name for the database in place of fosslinuxzabbix in the below
command:

Create database fosslinuxzabbix;

Create a DB user and grant privileges.

create user 'zabbixuser'@'localhost' identified BY '@dfEr234KliT90';

grant all privileges on fosslinuxzabbix.* to zabbixuser@localhost ;

Flush privileges.

flush privileges;

Step 7 – Install Zabbix and needed dependencies

Add the Zabbix repository. Copy the latest download URL from the official website and
paste it into the command below.

rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm

Install Zabbix.

yum install zabbix-server-mysql zabbix-web-mysql zabbix-agent zabbix-get

Figure 20 Zabbix server, web, agent and MySQL installation


Step 8 – Configure Zabbix

Change Time Zone by editing the Zabbix Apache configuration file.

vim /etc/httpd/conf.d/zabbix.conf

Uncomment the following line and add your Time Zone.

php_value date.timezone Australia/Sydney

The PHP parameters should look as follows:

php_value max_execution_time 300

php_value memory_limit 128M

php_value post_max_size 16M

php_value upload_max_filesize 2M

php_value max_input_time 300

php_value max_input_vars 10000

php_value always_populate_raw_post_data -1

php_value date.timezone Australia/Sydney

Restart HTTPD service.

systemctl restart httpd.service

Generally, the Zabbix installation package provides an SQL file that includes an initial
schema and data for the Zabbix server with MySQL.

Change to the Zabbix documentation directory.

cd /usr/share/doc/zabbix-server-mysql-4.0.4/

Import the MySQL dump file.

zcat create.sql.gz | mysql -u zabbixuser -p fosslinuxzabbix

Figure 21 Import SQL Dump


Now modify the Zabbix configuration file with Database details.

vim /etc/zabbix/zabbix_server.conf

Modify the following parameters

DBHost=localhost

DBName=fosslinuxzabbix

DBUser=zabbixuser

DBPassword=@dfEr234KliT90

Then save and exit the file. Restart Zabbix service.

systemctl restart zabbix-server.service

Enable Zabbix on system boot.

systemctl enable zabbix-server.service

Modify firewall rules.

firewall-cmd --add-service={http,https} --permanent

firewall-cmd --add-port={10051/tcp,10050/tcp} --permanent

firewall-cmd --reload

Now restart httpd service.

systemctl restart httpd

Step 9 – Setup Zabbix

You can access Zabbix using the following URL:

http://Server-Host-Name Or IP/zabbix/

You should see the welcome page.

Figure 22 Welcome Page

Click Next.

Figure 23 Check of Pre-requisites

Here Zabbix will check the installed PHP and MySQL versions, parameters, etc.

If you see any parameter failing, you have to modify it and refresh the page.

E.g., for a PHP parameter you have to modify the /etc/php.ini file. Click Next.

Configure DB Connection

Figure 24 configure DB connection

Add database details and click Next. Then you will see server details, and you can add any
name for “Name”.

Figure 25 Zabbix Server Details

Click Next. You should see the Database details and server details.

Figure 26 Pre-installation Summary

Click Next to complete the installation.

Figure 27 Compilation of installation

5.3 Start using Zabbix

Login and configuring user

We will log in and set up a system user in Zabbix.

Login

Figure 28 login page

This is the Zabbix welcome screen. Enter the user name Admin with password zabbix to
log in as a Zabbix superuser. Access to all menu sections will be granted.

Protection against brute force attacks


In case of five consecutive failed login attempts, Zabbix interface will pause for 30 seconds
in order to prevent brute force and dictionary attacks.

The IP address of a failed login attempt will be displayed after a successful login.

Adding user

To view information about users, go to Users → Users.

Figure 29 User Information


To add a new user, click on Create user.

In the new user form, make sure to add your user to one of the existing user groups, for
example 'Zabbix administrators'.

Figure 30 New User form

All mandatory input fields are marked with a red asterisk.

By default, new users have no media (notification delivery methods) defined for them. To
create one, go to the 'Media' tab and click on Add.

Figure 31 Notification delivery methods


In this pop-up, enter an email address for the user.

You can specify a time period when the medium will be active (see Time period
specification page for a description of the format); by default, a medium is always active.
You can also customize trigger severity levels for which the medium will be active, but
leave all of them enabled for now.

Click on Add to save the medium, then go to the Permissions tab.

Permissions tab has a mandatory field Role. The role determines which frontend elements
the user can view and which actions he is allowed to perform. Press Select and select one
of the roles from the list. For example, select Admin role to allow access to all Zabbix
frontend sections, except Administration. Later on, you can modify permissions or create
more user roles. Upon selecting a role, permissions will appear in the same tab:

Figure 32 User Permission

Click Add in the user properties form to save the user. The new user appears in the user
list.

Figure 33 Save the user

Adding permissions

By default, a new user has no permissions to access hosts and templates. To grant the
user rights, click on the group of the user in the Groups column (in this case - 'Zabbix
administrators'). In the group properties form, go to the Host permissions tab to assign
permissions to host groups.

Figure 34 Host Permission


This user is to have read-only access to Linux servers group, so click on Select next to
the host group selection field.

Figure 35 Host Groups


In this pop-up, mark the checkbox next to 'Linux servers', then click Select. Linux
servers should be displayed in the selection field. Click the 'Read' button to set the
permission level and then Add to add the group to the list of permissions. In the user group
properties form, click Update.

To grant permissions to templates, you will need to switch to the Template permissions tab
and specify template groups.

6 EPSS DR Network Implementation

6.1 Core Layer Configuration


6.1.1 Core Switch Basic Configuration
➢ Hostname Configurations for core switches.

For Core switches

Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS-DR-CS
EPSS-DR-CS(config)# line console 0
EPSS-DR-CS(config-line)# password %TGBnhy6
EPSS-DR-CS(config-line)# login
EPSS-DR-CS(config-line)# line vty 0 4
EPSS-DR-CS(config-line)# password %TGBnhy6
EPSS-DR-CS(config-line)# login
EPSS-DR-CS(config-line)# exit
EPSS-DR-CS(config)# banner login ^
Ethiopian Pharmaceutical Supply Service (EPSS)
Authorized Access only
------------------------------------------------
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device
are logged and violations of this policy will result in legal and/or disciplinary action.
------------------------------------------------
^
EPSS-DR-CS(config)# end

6.1.2 Core VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LAN trunks.

#VTP Configuration EPSS Core Switch Side#

EPSS-DR-CS(config)# vtp domain EPSS-DR-VTP
EPSS-DR-CS(config)# vtp password %TGBnhy6
EPSS-DR-CS(config)# vtp mode server

6.1.3 Core VLAN Configuration


This configuration will create a new VLAN and assign IP address to its interface, effectively
making the switch act as layer 3 device for that VLAN. The devices within that VLAN use
Switch’s IP address as their default gateway for proper routing.

EPSS-DR-CS> enable
EPSS-DR-CS# configure terminal
EPSS-DR-CS(config)# vlan 20
EPSS-DR-CS(config-vlan)# name IT
EPSS-DR-CS(config-vlan)# exit
EPSS-DR-CS(config)# interface vlan 20
EPSS-DR-CS(config-if)# ip address 10.1.20.1 255.255.254.0
EPSS-DR-CS(config-if)# no shutdown

The below table lists the allocated VLANs for this deployment.

VLAN Name | VLAN ID
--- | ---
Pharmaceutical and Medical Supply Distribution and Fleet Management directorate director | 12
Legal Services Director | 14
Warehouse and Inventory Management Director | 16
Information & Communication Technology Director | 20
Human Resource Administration and Development Directorate Director | 34
Communication Affairs Directorate Director | 38

6.1.4 Core DHCP Configuration


We will use different DHCP pools to assign IP address for client machine and other
applications. DHCP is a protocol that provides a mechanism for allocating IP addresses
dynamically so that addresses can be reused when hosts no longer need them. DHCP
adds the capability to automatically allocate reusable network addresses and configuration
options to Internet hosts. DHCP consists of two components: a protocol for delivering host-
specific configuration parameters from a DHCP server to a host and a mechanism for
allocating network addresses to hosts. DHCP is built on a client/server model, where
designated DHCP server hosts allocate network addresses and deliver configuration
parameters to dynamically configured hosts. DHCP implementation offers the following
benefits:

1. Reduced client configuration tasks and costs: because DHCP is easy to configure,
it minimizes operational overhead and costs associated with device configuration
tasks and eases deployment by nontechnical users.
2. Centralized management: because the DHCP server maintains configurations for
several subnets, an administrator only needs to update a single, central server when
configuration parameters change.

The following configuration is to be done on the collapsed core switch, named EPSS-DR-CS.

ip dhcp excluded-address 10.1.20.1 10.1.20.30
ip dhcp pool IT
network 10.1.20.0 255.255.254.0
default-router 10.1.20.1
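A consistency check for the DHCP pool above, as an added example that is not part of the original design document: it parses the DHCP statements, rejects a malformed subnet mask, counts the addresses left to lease after exclusions, and flags a default-router address that is not covered by an excluded range. The function names and the sample text are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample: the DHCP statements from this section, as plain text.
SAMPLE_DHCP = """\
ip dhcp excluded-address 10.1.20.1 10.1.20.30
ip dhcp pool IT
 network 10.1.20.0 255.255.254.0
 default-router 10.1.20.1
"""


def parse_dhcp(config):
    """Return (excluded_ranges, pools) parsed from IOS-style DHCP statements."""
    excluded, pools, current = [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        key = [w.lower() for w in words[:3]]
        if key == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((int(low), int(high)))
        elif key == ["ip", "dhcp", "pool"]:
            current = pools.setdefault(words[3], {})
        elif current is not None and key[0] == "network":
            # Accept "network A.B.C.D MASK", "network A.B.C.D /LEN" or "A.B.C.D/LEN".
            # ip_network raises ValueError for a malformed mask or stray host bits.
            if len(words) == 2:
                spec = words[1]
            else:
                spec = f"{words[1]}/{words[2].lstrip('/')}"
            current["network"] = ipaddress.ip_network(spec)
        elif current is not None and key[0] == "default-router":
            current["router"] = ipaddress.ip_address(words[1])
    return excluded, pools


def audit_dhcp(config):
    """Return {pool: {"network", "leasable", "issues"}} for every pool found."""
    excluded, pools = parse_dhcp(config)
    report = {}
    for name, pool in pools.items():
        net, router, issues = pool.get("network"), pool.get("router"), []
        if net is None:
            report[name] = {"network": None, "leasable": 0,
                            "issues": ["no network statement"]}
            continue
        # Usable host range, without the network and broadcast addresses.
        first = int(net.network_address) + 1
        last = int(net.broadcast_address) - 1
        reserved = set()
        for low, high in excluded:
            reserved.update(range(max(low, first), min(high, last) + 1))
        if router is None:
            issues.append("no default-router")
        elif router not in net:
            issues.append("default-router is outside the pool network")
        elif int(router) not in reserved:
            issues.append("default-router is not excluded and can be leased to a client")
        for other, other_pool in pools.items():
            other_net = other_pool.get("network")
            if other != name and other_net is not None and net.overlaps(other_net):
                issues.append(f"network overlaps pool {other}")
        report[name] = {"network": str(net),
                        "leasable": last - first + 1 - len(reserved),
                        "issues": issues}
    return report


if __name__ == "__main__":
    for pool_name, result in audit_dhcp(SAMPLE_DHCP).items():
        print(pool_name, result)
```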

6.1.5 Core SSH Configuration


SSH provides a secure way to access and manage devices remotely over an unsecured
network. The RSA key pair consists of a public key and a private key. The public key is
used for encryption, and the private key is used for decryption. Generating an RSA key
pair is the first step in setting up SSH. The key pair is used to secure the SSH
communication between the client and the switch. Enabling SSH version 2 ensures that
the switch uses the more secure protocol for remote access.

The "line vty 0 15" command configures the virtual terminal lines (used for remote access).
The "transport input ssh" command specifies that SSH should be used as the transport
protocol for these virtual terminal lines. The "login local" command indicates that local
authentication (username and password) should be used for SSH access.

Local user credentials are needed to authenticate users when they connect to the switch
via SSH. The "username" command creates a local user account with a specified
username. The "privilege 15" setting assigns the highest privilege level (full access) to this
user. The "secret" command sets the password for this user.

aaa new-model
username EPSS privilege 15 secret %TGBnhy6
crypto key generate rsa
ip ssh version 2
line vty 0 15
transport input ssh
login local

This step further specifies that SSH should be allowed only for the Information &
Communication Technology Director VLAN. The "access-class" command is optional and can
be used to restrict SSH access to specific IP addresses or subnets. This adds an extra
layer of security by allowing SSH connections only from trusted sources.

access-list 23 permit 10.1.20.0 0.0.0.255
line vty 5 15
transport input ssh
access-class 23 in
exit
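An audit of the remote-access settings described in this section, as an added example that is not part of the original document or any vendor tooling: it parses an IOS-style configuration and reports vty lines that accept transports other than SSH, lack an inbound access-class or reference an undefined ACL, and local users stored with "password" instead of "secret". The sample configuration is constructed with a placeholder credential, and the function names are assumptions.

```python
import re

# Constructed sample modelled on this section's snippets (not a device capture).
# The credential is a placeholder.
SAMPLE_CONFIG = """\
hostname EPSS-DR-CS
username EPSS privilege 15 secret EXAMPLE-ONLY
ip ssh version 2
access-list 23 permit 10.1.20.0 0.0.0.255
line con 0
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 access-class 23 in
 transport input ssh
 login local
"""

ACL_DEF = re.compile(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)")
WEAK_USER = re.compile(r"username (\S+)(?: privilege \d+)? password ")
ACCESS_CLASS = re.compile(r"access-class (\S+) in$")


def parse_blocks(config):
    """Return (global_lines, {line-header: [sub-commands]}) for an IOS-style config."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith("line "):
            current = text
            blocks[current] = []
        elif raw[0] in " \t" and current is not None:
            blocks[current].append(text)
        else:
            current = None
            global_lines.append(text)
    return global_lines, blocks


def audit_remote_access(config):
    """Return a list of findings about SSH and vty hardening."""
    global_lines, blocks = parse_blocks(config)
    findings = []
    defined_acls = set()
    for line in global_lines:
        match = ACL_DEF.match(line)
        if match:
            defined_acls.add(match.group(1))
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' is not set")
    for line in global_lines:
        match = WEAK_USER.match(line)
        if match:
            findings.append(
                f"user {match.group(1)}: stored with 'password' instead of 'secret'")
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        transports = [cmd for cmd in body if cmd.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: transport is not restricted to SSH")
        acl = None
        for cmd in body:
            match = ACCESS_CLASS.match(cmd)
            if match:
                acl = match.group(1)
        if acl is None:
            findings.append(f"{header}: no inbound access-class")
        elif acl not in defined_acls:
            findings.append(f"{header}: access-class {acl} references an undefined ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the access-class applied under line vty 5 15 does not cover line vty 0 4, so the audit reports those lines as unrestricted.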

6.1.6 Core SNMP Configuration


SNMP (Simple Network Management Protocol) is used for monitoring and managing
network devices. Here is a basic guide to SNMP configuration on EPSS-DR-CS:

snmp-server enable traps
snmp-server community EPSS
snmp-server host X.X.X.X community

6.1.7 Core – Access Interface Configuration


The network setup involves linking core switches with access switches using 10 Gigabit
Ethernet SFP+ uplinks, enabling fast data exchange between end-user devices and the
network's core infrastructure. Core switches handle significant traffic flows across the
network, while access switches connect individual user devices, collectively forming an
efficient hierarchical network architecture.

EPSS-DR-CS# configure terminal
EPSS-DR-CS(config)# interface range GigabitEthernet0/0/8 - 40
EPSS-DR-CS(config-if-range)# switchport mode trunk
EPSS-DR-CS(config-if-range)# switchport trunk allowed vlan 12,14,16,20,34,38
EPSS-DR-CS(config-if-range)# end

6.1.8 Core to Firewall Static Route


Static routes specify the IP address of a next-hop router that is reachable from that network
interface. Routers are aware of which IP addresses are reachable through various network
pathways and can forward those packets along pathways capable of reaching the packets’
ultimate destinations. The perimeter firewall will have a point-to-point connection with the
internet link and the core switch.

6.1.9 OSPF Routing


Open Shortest Path First (OSPF) is a link-state interior routing protocol that is widely used
in large enterprise organizations. It only routes packets within a single autonomous system
(AS).

The main benefit of OSPF is that it detects link failures in the network quickly and,
within seconds, reconverges network traffic without any networking loops. Also,
OSPF has many features to control which routes are propagated and which are not,
maintaining smaller routing tables.

6.2 Access layer Configuration


6.2.1 Overview
The access layer is the point at which user-controlled, user-accessible devices are
connected to the network, and it is the one architecture component that is found in every
LAN. It is where user-controlled devices, user-accessible devices, and other end-point
devices are connected to the network. The access layer provides both wired and wireless
connectivity and contains features and services that ensure security and resiliency for the
entire network.

Network resiliency and security in the access layer is achieved using Cisco Catalyst
Infrastructure Security Features (CISF) including Dynamic Host Configuration Protocol
(DHCP) snooping, IP Source Guard, port security, and Dynamic Address Resolution
Protocol (ARP) Inspection.

The LAN access layer provides high-bandwidth connections to devices via 10/100/1000
Ethernet with both Gigabit and 10-Gigabit uplink connectivity options. The 10 Gigabit
uplinks also support Gigabit connectivity to provide flexibility and help business continuity
during a transition to 10 Gigabit Ethernet. The LAN access layer is configured as a Layer
2 switch directly connected to the core switch.

6.2.2 Hostname Configurations for access switches.

!
For Access switches 1
!
Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS_DR_AS_01
EPSS_DR_AS_01(config)# end
!

6.2.3 Spanning tree protocol


We will implement spanning tree on EPSS switches to prevent loops. Spanning Tree
Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The main purpose
of STP is to ensure that we do not create loops when we have redundant paths in our
network.

Spanning tree protocol Configuration

# Spanning Tree rapid-pvst Configuration On EPSS Access Switch#

!
spanning-tree mode rapid-pvst
!
interface range GigabitEthernet0/0/1 - 48
switchport mode access
switchport access vlan X
spanning-tree portfast
spanning-tree portfast edge
spanning-tree bpduguard enable
end
!

6.2.4 VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LAN trunks. VTP is available on most of the Cisco
Catalyst Family products.

# VTP Configuration On EPSS Access Switch

EPSS_DR_AS_01(config)# vtp domain EPSS-DR-VTP
EPSS_DR_AS_01(config)# vtp version 2
EPSS_DR_AS_01(config)# vtp password %TGBnhy6
EPSS_DR_AS_01(config)# vtp mode client

6.2.5 Storm control


We will use different types of storm control to prevent unwanted traffic from reaching the
EPSS access switches. Storm control prevents LAN interfaces from being disrupted by a broadcast storm.
A broadcast storm occurs when broadcast packets flood the subnet, creating excessive
traffic and degrading network performance. Errors in the protocol-stack implementation or
in the network configuration can cause a broadcast storm. When storm control is enabled
on an interface, the switch monitors packets received on the interface and determines
whether the packets are broadcast. The switch monitors the number of broadcast packets
received within a one-second time interval. When the interface threshold is met, all
incoming data traffic on the interface is dropped. This threshold is specified as a
percentage of total available bandwidth that can be used by broadcast traffic. If the lower
threshold is specified, all data traffic is forwarded as soon as the incoming traffic falls below
that threshold.

Multicast Storm Control: multicast and broadcast suppression share a common threshold
per interface. Multicast suppression takes effect only if broadcast suppression is enabled.
Disabling broadcast suppression on an interface also disables multicast suppression.

Storm Control Configuration on Each EPSS Access Switch

(config)# interface range gig1/0/1 - 46
(config-if-range)# storm-control broadcast level 75
(config-if-range)# storm-control multicast level 75
(config-if-range)# storm-control action shutdown
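A small model of the threshold behaviour described in this section, as an added example that is not part of the original document: it converts the percentage level into bits per second and walks a series of one-second broadcast-rate samples through the rising and lower thresholds, including the "shutdown" action, which leaves the port err-disabled until it is recovered. The function names, the sample rates and the simplification that the decision is taken once per interval are assumptions.

```python
# Constructed sample: broadcast rate in bit/s measured in five consecutive
# one-second intervals on a 1 Gbit/s access port.
LINK_BPS = 1_000_000_000
SAMPLE_RATES = [100_000_000, 800_000_000, 700_000_000, 400_000_000, 100_000_000]


def threshold_bps(link_bps, level_pct):
    """Convert a storm-control level (percent of link bandwidth) to bit/s."""
    if not 0 <= level_pct <= 100:
        raise ValueError("level must be between 0 and 100 percent")
    return link_bps * level_pct / 100


def storm_control(samples_bps, link_bps, rising_pct, falling_pct=None, action="filter"):
    """Return the port state for each one-second interval.

    rising_pct  - level at which suppression starts
    falling_pct - lower threshold at which forwarding resumes (defaults to rising_pct)
    action      - "filter" blocks traffic while the storm lasts,
                  "shutdown" err-disables the port until it is recovered
    """
    if action not in ("filter", "shutdown"):
        raise ValueError("action must be 'filter' or 'shutdown'")
    if falling_pct is None:
        falling_pct = rising_pct
    if falling_pct > rising_pct:
        raise ValueError("the lower threshold cannot exceed the rising threshold")
    rising = threshold_bps(link_bps, rising_pct)
    falling = threshold_bps(link_bps, falling_pct)

    state, timeline = "forwarding", []
    for rate in samples_bps:
        if state == "err-disabled":
            pass  # stays down regardless of the measured rate
        elif rate >= rising:
            state = "err-disabled" if action == "shutdown" else "blocking"
        elif state == "blocking" and rate < falling:
            state = "forwarding"
        timeline.append(state)
    return timeline


if __name__ == "__main__":
    print("75% of 1 Gbit/s =", threshold_bps(LINK_BPS, 75), "bit/s")
    print("filter:          ", storm_control(SAMPLE_RATES, LINK_BPS, 75))
    print("filter, lower 50:", storm_control(SAMPLE_RATES, LINK_BPS, 75, falling_pct=50))
    print("shutdown:        ", storm_control(SAMPLE_RATES, LINK_BPS, 75, action="shutdown"))
```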

6.2.6 SSH and User account

!
ip domain-name epss.gov.et
crypto key generate rsa
How many bits in the modulus [512]: 1024
ip ssh version 2

➢ Prepare the Devices to Be Manageable

line con 0
line vty 0 4
access-class 55 in
transport input ssh

The above configuration will be done on all access switches.

6.2.7 NTP Server Configuration


➢ Configuration on NTP server for a synchronized clock

ntp server x.x.x.x
ntp update-calendar
clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

The above configuration will be done on all access switches.

6.2.8 Port Security


By default, the switchport security feature is disabled on all switchports and must be
enabled. Table 1 shows the steps required to enable the switchport security feature on an
interface. (This can cause some confusion, but when using Cisco IOS, switchport
configuration is performed while in interface configuration mode. The
terms interface and switchport are interchangeable.)

(config)# interface range gig0/0/1 - 46
(config-if-range)# switchport port-security maximum 5
(config-if-range)# switchport port-security

7 EPSS Branch Network Implementation

7.1 Core Layer Configuration


7.1.1 Core Switch Basic Configuration
➢ Hostname Configurations for core switches.

For Core switches

Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS-BR-CS
EPSS-BR-CS(config)# line console 0
EPSS-BR-CS(config-line)# password %TGBnhy6
EPSS-BR-CS(config-line)# login
EPSS-BR-CS(config-line)# line vty 0 4
EPSS-BR-CS(config-line)# password %TGBnhy6
EPSS-BR-CS(config-line)# login
EPSS-BR-CS(config-line)# exit
EPSS-BR-CS(config)# banner login ^
Ethiopian Pharmaceutical Supply Service (EPSS)
Authorized Access only
------------------------------------------------
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device
are logged and violations of this policy will result in legal and/or disciplinary action.
------------------------------------------------
^
EPSS-BR-CS(config)# end

7.1.2 Core VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLANs) across the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LANE trunks.

#VTP Configuration EPSS Core Switch Side#

EPSS-BR-CS(config)# vtp domain EPSS-BR-VTP
EPSS-BR-CS(config)# vtp password %TGBnhy6
EPSS-BR-CS(config)# vtp mode server

7.1.3 Core VLAN Configuration


This configuration creates a new VLAN and assigns an IP address to its interface, effectively
making the switch act as a layer 3 device for that VLAN. The devices within that VLAN use
the switch's IP address as their default gateway for proper routing.

EPSS-BR-CS> enable
EPSS-BR-CS# configure terminal
EPSS-BR-CS(config)# vlan 20
EPSS-BR-CS(config-vlan)# name IT
EPSS-BR-CS(config-vlan)# exit
EPSS-BR-CS(config)# interface vlan 20
EPSS-BR-CS(config-if)# ip address 10.1.20.1 255.255.254.0
EPSS-BR-CS(config-if)# no shutdown

The table below lists the VLANs allocated for this deployment.


VLAN Name | VLAN ID
Pharmaceutical and Medical Supply Distribution and Fleet Management Directorate Director | 12
Warehouse and Inventory Management Director | 16
Information & Communication Technology Director | 20
Human Resource Administration and Development Directorate Director | 34

7.1.4 Core DHCP Configuration


We will use different DHCP pools to assign IP addresses to client machines and other
applications. DHCP is a protocol that provides a mechanism for allocating IP addresses
dynamically so that addresses can be reused when hosts no longer need them. DHCP
adds the capability to automatically allocate reusable network addresses and configuration
options to Internet hosts. DHCP consists of two components: a protocol for delivering host-
specific configuration parameters from a DHCP server to a host and a mechanism for
allocating network addresses to hosts. DHCP is built on a client/server model, where
designated DHCP server hosts allocate network addresses and deliver configuration
parameters to dynamically configured hosts. DHCP implementation offers the following
benefits:

1. Reduced client configuration tasks and costs: because DHCP is easy to configure,
it minimizes operational overhead and costs associated with device configuration
tasks and eases deployment by nontechnical users.
2. Centralized management: because the DHCP server maintains configurations for
several subnets, an administrator only needs to update a single, central server when
configuration parameters change.

The following configuration is to be done on the collapsed core switch, named EPSS-BR-CS.

ip dhcp excluded-address 10.1.20.1 10.1.20.30
ip dhcp pool IT
network 10.1.20.0 255.255.254.0
default-router 10.1.20.1

7.1.5 Core SSH Configuration


SSH provides a secure way to access and manage devices remotely over an unsecured
network. The RSA key pair consists of a public key and a private key. The public key is
used for encryption, and the private key is used for decryption. Generating an RSA key
pair is the first step in setting up SSH. The key pair is used to secure the SSH
communication between the client and the switch. Enabling SSH version 2 ensures that
the switch uses the more secure protocol for remote access.

The "line vty 0 15" command configures the virtual terminal lines (used for remote access).
The "transport input ssh" command specifies that SSH should be used as the transport
protocol for these virtual terminal lines. The "login local" command indicates that local
authentication (username and password) should be used for SSH access.

Local user credentials are needed to authenticate users when they connect to the switch
via SSH. The "username" command creates a local user account with a specified
username. The "privilege 15" setting assigns the highest privilege level (full access) to this
user. The "secret" command sets the password for this user.

aaa new-model
username EPSS privilege 15 secret %TGBnhy6
ip domain-name epss.gov.et
crypto key generate rsa
ip ssh version 2
line vty 0 15
transport input ssh
login local

This step further specifies that SSH should be allowed only for the Information &
Communication Technology Director VLAN. The "access-class" command is optional and can
be used to restrict SSH access to specific IP addresses or subnets. This adds an extra
layer of security by allowing SSH connections only from trusted sources.

access-list 23 permit 10.1.20.0 0.0.0.255
line vty 5 15
transport input ssh
access-class 23 in
exit
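A consistency check between the DHCP pool in 7.1.4 and the vty ACL in 7.1.5, added here as an example that is not part of the original design document: it computes how many leasable addresses of the IT pool the ACL wildcard actually permits. The function names are hypothetical; the addresses, masks and wildcard are the ones on this page.

```python
import ipaddress

def acl_network(base, wildcard):
    """Network matched by an IOS 'address wildcard' pair (contiguous wildcards only)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{base}/{netmask}")  # ValueError if the pair is malformed

def leasable_hosts(pool, excluded_first, excluded_last):
    """Addresses the DHCP pool can hand out after 'ip dhcp excluded-address'."""
    lo, hi = ipaddress.IPv4Address(excluded_first), ipaddress.IPv4Address(excluded_last)
    return [h for h in pool.hosts() if not lo <= h <= hi]

def ssh_acl_coverage(pool, excluded, acl):
    """Compare the DHCP pool's leasable addresses with what the vty ACL permits."""
    pool_net = ipaddress.IPv4Network("/".join(pool))
    acl_net = acl_network(*acl)
    hosts = leasable_hosts(pool_net, *excluded)
    denied = [h for h in hosts if h not in acl_net]
    return {
        "pool": str(pool_net),
        "acl": str(acl_net),
        "leasable": len(hosts),
        "permitted": len(hosts) - len(denied),
        "denied": len(denied),
        "first_denied": str(denied[0]) if denied else None,
        "wildcard_for_pool": str(pool_net.hostmask),
    }

# Values as they appear in sections 7.1.4 and 7.1.5 of this document.
REPORT = ssh_acl_coverage(
    pool=("10.1.20.0", "255.255.254.0"),
    excluded=("10.1.20.1", "10.1.20.30"),
    acl=("10.1.20.0", "0.0.0.255"),
)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key:18} {value}")
```

With the page's values, the 0.0.0.255 wildcard matches only the lower half of the 255.255.254.0 pool, so management hosts leased from 10.1.21.x are refused on vty 5 15.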

7.1.6 Core SNMP Configuration


SNMP (Simple Network Management Protocol) is used for monitoring and managing
network devices. Here is a basic guide to SNMP configuration on EPSS-BR-CS.

snmp-server enable traps
snmp-server community EPSS
snmp-server host X.X.X.X community

7.1.7 Core – Access Interface Configuration
The network setup involves linking core switches with access switches using 10 Gigabit
Ethernet SFP+ uplinks, enabling fast data exchange between end-user devices and the
network's core infrastructure. Core switches handle significant traffic flows across the
network, while access switches connect individual user devices, collectively forming an
efficient hierarchical network architecture.

EPSS-BR-CS# configure terminal
EPSS-BR-CS(config)# interface range gig0/0/8 - 40
EPSS-BR-CS(config-if-range)# switchport mode trunk
EPSS-BR-CS(config-if-range)# switchport trunk allowed vlan 12,16,20,34
EPSS-BR-CS(config-if-range)# end

7.2 Access layer Configuration


7.2.1 Overview
The access layer is the point at which user-controlled devices, user-accessible devices,
and other end-point devices are connected to the network, and it is the one architecture
component that is found in every LAN. The access layer provides both wired and wireless
connectivity and contains features and services that ensure security and resiliency for the
entire network.

Network resiliency and security in the access layer is achieved using Cisco Catalyst
Infrastructure Security Features (CISF) including Dynamic Host Configuration Protocol
(DHCP) snooping, IP Source Guard, port security, and Dynamic Address Resolution
Protocol (ARP) Inspection.


The LAN access layer provides high-bandwidth connections to devices via 10/100/1000
Ethernet with both Gigabit and 10-Gigabit uplink connectivity options. The 10 Gigabit
uplinks also support Gigabit connectivity to provide flexibility and help business continuity
during a transition to 10 Gigabit Ethernet. The LAN access layer is configured as a Layer
2 switch directly connected to the core switch.

7.2.2 Hostname Configurations for access switches.

!
For Access switch 1
!
Switch> enable
Switch# configure terminal
Switch(config)# hostname EPSS_BR_AS_01
EPSS_BR_AS_01(config)# end
!

7.2.3 Spanning tree protocol


We will implement spanning tree on EPSS switches to prevent loops. Spanning Tree
Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The main purpose
of STP is to ensure that we do not create loops when we have redundant paths in our
network.

Spanning tree protocol Configuration

# Spanning Tree rapid-pvst Configuration On EPSS Access Switch#


!
spanning-tree mode rapid-pvst
!
interface range GigabitEthernet0/0/1 - 48
switchport mode access
switchport access vlan X
spanning-tree portfast
spanning-tree portfast edge
spanning-tree bpduguard enable
end
!


7.2.4 VTP Configuration


VTP is a Cisco proprietary layer 2 messaging protocol that propagates the definition of
Virtual Local Area Networks (VLANs) across the whole local area network. To do this, VTP
carries VLAN information to all the switches in a VTP domain. VTP advertisements can be
sent over ISL, 802.1Q, IEEE 802.10 and LANE trunks. VTP is available on most of the Cisco
Catalyst Family products.

# VTP Configuration on EPSS Access Switch #

# EPSS Switch Configuration

EPSS_BR_AS_01(config)# vtp domain EPSS-BR-VTP
EPSS_BR_AS_01(config)# vtp version 2
EPSS_BR_AS_01(config)# vtp password %TGBnhy6
EPSS_BR_AS_01(config)# vtp mode client

7.2.5 Storm control


We will use different types of storm control to prevent unwanted traffic to the EPSS access
switches. Storm control prevents LAN interfaces from being disrupted by a broadcast storm.
A broadcast storm occurs when broadcast packets flood the subnet, creating excessive
traffic and degrading network performance. Errors in the protocol-stack implementation or
in the network configuration can cause a broadcast storm. When storm control is enabled
on an interface, the switch monitors packets received on the interface and determines
whether the packets are broadcast. The switch monitors the number of broadcast packets
received within a one-second time interval. When the interface threshold is met, all
incoming data traffic on the interface is dropped. This threshold is specified as a
percentage of total available bandwidth that can be used by broadcast traffic. If the lower
threshold is specified, all data traffic is forwarded as soon as the incoming traffic falls below
that threshold.

Multicast Storm Control: multicast and broadcast suppression share a common threshold
per interface. Multicast suppression takes effect only if broadcast suppression is enabled.
Disabling broadcast suppression on an interface also disables multicast suppression.

Storm Control Configuration on Each EPSS Access Switch


!
(config)# interface range gig1/0/1 - 46
(config-if-range)# storm-control broadcast level 75
(config-if-range)# storm-control multicast level 75
(config-if-range)# storm-control action shutdown
!

7.2.6 SSH and User account

!
ip domain-name epss.gov.et
crypto key generate rsa
How many bits in the modulus [512]: 1024
ip ssh version 2

➢ Prepare the devices to be manageable

line con 0
line vty 0 4
access-class 55 in
transport input ssh
The above configuration will be applied on all access switches.
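A per-line audit of the vty settings in 7.1.5 and 7.2.6, added here as an example that is not part of the original design document: it reports which vty lines lack an inbound access-class, reference an ACL that the snippet does not define, or are not restricted to SSH. The function name, the two sample snippets (constructed from the commands on this page) and the figure of 16 vty lines are assumptions.

```python
import re

# Constructed sample: vty-related lines of the core-switch section (7.1.5).
CORE = """\
access-list 23 permit 10.1.20.0 0.0.0.255
line vty 0 15
 transport input ssh
 login local
line vty 5 15
 access-class 23 in
"""
# Constructed sample: the access-switch section (7.2.6) taken on its own.
ACCESS = """\
line con 0
line vty 0 4
 access-class 55 in
 transport input ssh
"""

def audit_vty(config, vty_count=16):
    """Map each vty number to its findings; vty_count=16 (lines 0-15) is an assumption."""
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    state = {n: {} for n in range(vty_count)}
    current = []                      # vty lines the indented sub-commands apply to
    for raw in config.splitlines():
        cmd = raw.strip().lower()
        block = re.fullmatch(r"line vty (\d+)(?: (\d+))?", cmd)
        if block:
            first, last = int(block[1]), int(block[2] or block[1])
            current = [n for n in range(first, last + 1) if n in state]
        elif not raw.startswith(" "):
            current = []              # any other top-level command closes the block
        elif cmd.startswith("transport input "):
            for n in current:
                state[n]["transport"] = cmd.split()[2:]
        elif cmd.startswith("access-class ") and cmd.endswith(" in"):
            for n in current:
                state[n]["acl"] = cmd.split()[1]
    report = {}
    for n, seen in state.items():
        findings = []
        if seen.get("transport") != ["ssh"]:
            findings.append("transport input not restricted to ssh")
        if "acl" not in seen:
            findings.append("no inbound access-class")
        elif seen["acl"] not in acls:
            findings.append(f"access-class {seen['acl']} not defined in this config")
        report[n] = findings
    return report
```

On the core sample, vty 0 to 4 carry no source restriction because the access-class is applied only to vty 5 15. On the access sample, ACL 55 has to be defined elsewhere in the switch configuration, and lines 5 to 15 are left without any of these settings.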

7.2.7 NTP Server Configuration


➢ Configuration of the NTP server for a synchronized clock

ntp server x.x.x.x
ntp update-calendar
clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

The above configuration will be applied on all access switches.

7.2.8 Port Security


By default, the switchport security feature is disabled on all switchports and must be
enabled. Table 1 shows the steps required to enable the switchport security feature on an
interface. (This can cause some confusion, but when using Cisco IOS, switchport
configuration is performed while in interface configuration mode; the
terms interface and switchport are interchangeable.)

(config)# interface range gig0/0/1 - 46
(config-if-range)# switchport port-security maximum 5
(config-if-range)# switchport port-security


8 Document Acceptance Certificate

Name Name

Title Title

Company Company

Signature Signature

Date Date

Name Name

Title Title

Company Company

Signature Signature

Date Date

Name Name

Title Title

Company Company

Signature Signature

Date Date
