This lab involves using software network analyzers to ...blough.ece.gatech.edu/4110/lab6.doc  ·...




ECE 4110 Internetwork Programming
Lab 6: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists

Group Number: ________

Member Names: _________________________ _________________________

Date Issued: October 13, 2008
Date Due: October 22, 2008

NOTICE: Because there are only three setups, each group will need to sign up for timeslots on the sheets attached to the lab door. You can only sign up for a total of 2 hours (4 slots) at a time, AND YOU MUST USE THE SAME SETUP FOR THE ENTIRE LAB. These can either be in a row or spread out, but no group can have more than 4 slots reserved at any one time. Once one of your slots has expired, you can sign up for another one. See Appendix C for instructions on how to save and reload your work if you need to leave and continue later.

PLAYSTATION #: ________________

Lab Goals

Set up a network using multiple routers and switches
Learn about trunk ports and trunking
Learn about access control lists and use them to control information flow

PART I

You have recently graduated from Georgia Tech and you are now working for a company called Burdell Inc as a network engineer. You are presented with the following scenario:

Burdell Inc occupies a two floor office building and is made up of three departments, Administration, Accounting, and Information Technology (IT). The Administrative department is currently in need of 100 workstations and is forecasted to grow by an additional 100 machines in the foreseeable future. The Accounting department needs 1000 workstations and is not expected to grow beyond its present size. The IT department is constantly growing. IT presently needs 900 workstations and is expected to grow to twice that size.

In an effort to promote company unity and spirit, the management at Burdell Inc has decided to have members of all three departments work on both floors, i.e. no one department is physically isolated. Both floors accommodate workers from Accounting, Administration, and IT. Each department has its own VLAN, and all workers on each floor and between floors should be able to communicate with each other. Figure 1, below, shows the network topology.



This lab requires two switches, one router, and six end station PCs. However we will not use six end station PCs, we will instead emulate the six PCs using the ping capability of Cisco 1760 interfaces and use two more Cisco 1760s to emulate the PCs. This saves us from having to dedicate six PCs for this lab assignment. We will need one PC which we will use to test our setup. Thus the equipment required will be two switches, three routers, and one end station PC. We will use this equipment to emulate the network in Figure 1.

Section I: Logging into the Routers/Switches

All of the routers and switches are accessible from the console manager ports. See Table 1.

Table 1. Console manager port assignments

Playstation   Part                 Name               Console Manager Port
1             Cisco 3550 Switch    floor1_switch      5
1             Cisco 3550 Switch    floor2_switch      6
1             Cisco 1760 Router    floor1_router      7
1             Cisco 1760 Router    floor1_computers   8
1             Cisco 1760 Router    floor2_computers   9
2             Cisco 3550 Switch    floor1_switch      14
2             Cisco 3550 Switch    floor2_switch      15
2             Cisco 1760 Router    floor1_router      16
2             Cisco 1760 Router    floor1_computers   17

Figure 1. Burdell Inc's network topology diagram (image not reproduced). The diagram shows Floor 1 and Floor 2, each with its own switch. Its VLAN labels read VLAN 1 Administration, VLAN 2 Accounting and VLAN 3 Information Technology (these numbers are superseded by Table 2), and the switch port labels visible on the diagram are 0/1, 0/2, 0/3 and 0/4 on each floor's switch, plus 0/5.


Table 1 (continued). Console manager port assignments

Playstation   Part                 Name               Console Manager Port
2             Cisco 1760 Router    floor2_computers   18
3             Cisco 3550 Switch    floor1_switch      23
3             Cisco 3500 Switch    floor2_switch      24
3             Cisco 1760 Router    floor1_router      25
3             Cisco 1760 Router    floor1_computers   26
3             Cisco 1760 Router    floor2_computers   27

The enable password for all of these machines is owen.

In order to connect to the console manager you need to set up your network card to access its network:

# ifconfig eth0:0 192.168.254.<100+group #>

So group 1 is 192.168.254.101, and so forth. You will need to do this every time you power off your machine. What this does is set up a virtual interface, so you have two IP addresses on one network card. This allows you access to two networks with only one interface card.

To connect to the CM32:

# ssh [email protected]

When it comes up, type yes to the RSA question.
password: playstationX

You will be using a series of scripts to help you set up the routers and save your work. These scripts are described in detail in Appendix C. These should still be installed from Lab 6. If not, go to Appendix C and install the scripts according to the directions. Once this is done, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION YOU WANT TO USE. This is very important, as you are about to reset the configuration and all of their work will be lost.

Now that you are sure no one else is using the playstation, reset your chosen playstation by running the reset_pX script in the mnet_tools_v1.5 directory. Several windows should pop up. DO NOT CLOSE THEM UNTIL IT IS SAFE TO DO SO. If you are on playstation 1 or 2, you will get an error in one of the windows about VPN or Firewall processing not being enabled; ignore this for now. Once all of the other windows say it is safe to close them, do so. Now run the download_pX script to save the current configuration. From now on, you’ll run the download_pX script to save your work, and the upload_pX to restore the configuration of the playstation to the last saved state. Before running the upload script, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION.

Log into each of the machines and change its name to match Table 1. From global configuration mode:

Machine(config)# hostname <name>

To go back to the console manager screen, hit <CTRL+z> and then hit x.

Section II: Switch Configuration

Refer to Appendix A for a list of switch configuration commands and their descriptions.

While in Privileged EXEC-Mode, you can view the running configuration by typing show running-config. This contains information about all the interfaces and vlans you’ve set up.

Table 2 lists the different VLANs assigned to each department in our company.

Table 2. Department VLANs

VLAN   Department
2      Administration
3      Accounting
4      Information Technology

Note: In Figure 1, the Administration VLAN is labeled as VLAN 1, Accounting as VLAN 2, etc. THIS IS INCORRECT. Use the VLAN numbers in Table 2 for the entirety of this lab.

One switch is placed on each office floor. Three switch ports (on each switch) are configured, one for each VLAN as illustrated by Table 2. Use the switch interface numbers shown in Figure 1 and the vlan names and numbers from Table 2 (note that in Figure 1 the VLANs are listed 1-3, and in Table 2 2-4).

To create VLANs inside the switch, follow these simple steps:

SwitchA# vlan database <ENTER>
SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
SwitchA(vlan)# exit

Do this for each of the vlans in Table 2. Now configure the interfaces to access those vlans:

SwitchA# configure terminal <ENTER>
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport mode access <ENTER>
SwitchA(config-if)# switchport access vlan <enter a number here> <ENTER>

In the next command, <SPEED> depends on the router interface connected to it. Because IT is setting up this entire network, they decide to give themselves the higher speed connections. Therefore, the FastEthernet ports on floor1_computers and floor2_computers will be assigned VLAN 4. Now, assign the correct operation speed to the interface: <SPEED> = 10 for Ethernet interfaces and 100 for FastEthernet.

SwitchA(config-if)# speed <SPEED> <ENTER>
SwitchA(config-if)# duplex full <ENTER>
SwitchA(config-if)# no shutdown
SwitchA(config-if)# end

Use the above configuration procedure to configure each of the used switch interfaces for each switch. (Do this on the switch, not on the routers). Once you are done, it is a good idea to download your configuration so you do not lose it.

Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

Section III: Trunking Switch Ports

For VLAN information to be passed between the two switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner that frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations: 1) Inter-Switch Link Protocol (ISL) Cisco proprietary trunking protocol; 2) IEEE 802.1Q (dot1q) Industry standard trunking protocol; 3) LAN Emulation (LANE) Used for trunking VLANs over ATM links; and 4) IEEE 802.10 (dot10q) Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# no switchport mode dynamic desirable <ENTER>
SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
SwitchA(config-if)# switchport mode trunk <ENTER>
SwitchA(config-if)# end



Then, go to the other switch, and repeat these commands on the respective interface. This is important, otherwise the switches will not be able to communicate to each other.

To limit which VLANs will be allowed to pass information on the port you can use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan remove 1-4094 <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan add 1-4 <ENTER>

Then, you will have to repeat these commands on the other switch. The previous commands remove the default of all VLANs, and adds back support for VLANs 1-4.

Note: On one of the switches one additional port has to be trunked. This additional trunk port is used to connect a router to the switch. The use of the router will be explained in the following section. Set-up the trunking in the switch on floor one for the router on floor one now (see Figure 1 for the port number). The switch port will be connected to the router’s FastEthernet port (SPEED = 100).
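The following Python script is added here as a check on the switch configuration built in Sections II and III; it is not part of the original handout and not a Cisco tool. It parses a constructed show running-config fragment in the form the commands above produce and flags the mistakes that matter on a trunked switched network: a port meant to be a trunk that was never pinned to trunk mode, never given an explicit encapsulation, or never pruned to the VLANs it should carry (by default a trunk carries every VLAN), and a port meant for a workstation that was left in the 3550's default negotiating mode (such a port will form a trunk with any device that negotiates one) or left in VLAN 1, the management VLAN. The interface names in the sample and the set of ports expected to be trunks are assumptions for the example.

```python
import re

# Constructed sample, not a capture from the lab switches. Fa0/1 is an access
# port done as Section II describes; Fa0/4 is the inter-switch trunk done as
# Section III describes; Fa0/5 is a trunk whose allowed-VLAN list was never
# pruned; Fa0/6 was left at its defaults (negotiating mode, VLAN 1).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 speed 10
 duplex full
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4
 switchport mode trunk
 speed 100
 duplex full
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/6
 speed 100
!
"""


def parse_interfaces(config):
    """Map each 'interface ...' stanza to the list of its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return interfaces


def _last_word(lines, prefix):
    """Value of the first config line starting with `prefix`, or None if absent."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)


def audit_switchports(config, expected_trunks):
    """Return {interface: [findings]}.

    expected_trunks is the set of ports that should be trunks (the inter-switch
    link and the router-facing port). Every other port is expected to be an
    access port pinned to a VLAN other than 1.
    """
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = _last_word(lines, "switchport mode ")
        access_vlan = _last_word(lines, "switchport access vlan ")
        allowed = _last_word(lines, "switchport trunk allowed vlan ")
        encap = _last_word(lines, "switchport trunk encapsulation ")
        issues = []
        if name in expected_trunks:
            if mode != "trunk":
                issues.append("trunk port not set to 'switchport mode trunk'; still negotiating")
            if encap is None:
                issues.append("no explicit trunk encapsulation; both ends must agree")
            if allowed is None:
                issues.append("allowed-VLAN list not pruned; trunk carries every VLAN by default")
        else:
            if mode != "access":
                issues.append("not pinned to 'switchport mode access'; a negotiating port will trunk if its peer asks")
            if access_vlan in (None, "1"):
                issues.append("access port sits in VLAN 1, the management VLAN")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_switchports(SAMPLE_CONFIG, {"FastEthernet0/4", "FastEthernet0/5"}).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run it against the output of show running-config on each switch, with the trunk set adjusted to the ports you actually trunked; a clean run means every port is either a deliberate, pruned trunk or an access port in a department VLAN.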

Section IV: Router Configuration

Refer to Appendix B for a list of router configuration commands and their descriptions.

Hosts on one VLAN cannot communicate with hosts on another VLAN since VLANs form separate broadcast domains. As a result, a router needs to be used to route packets from one VLAN to another VLAN. The router will be connected to the additional trunk port created on the switch above. The router port also needs to be trunked since the router port will be passing packets from multiple VLANs.

Before configuring the router, the subnets, the assignable machine address ranges, and the required network prefixes for each department have to be determined. Let's use the following assignments in Table 3. Notice the subnets are not all the same length.

Table 3. Department subnets and subnet workstation capacity

Department               Current Size     Future Size      Subnet              Subnet Capacity (Workstations)
                         (Workstations)   (Workstations)
Administration           100              200              10.1.10.0/24        2^(32-24) - 2 = 2^8 - 2 = 254
Accounting               1000             1000             192.168.148.0/22    2^(32-22) - 2 = 2^10 - 2 = 1022
Information Technology   900              1800             172.16.152.0/21     2^(32-21) - 2 = 2^11 - 2 = 2046
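The arithmetic in Table 3 generalizes to any department size. The Python below is added as a worked illustration and is not part of the original handout: for each department it finds the longest prefix whose usable host range still holds the future workstation count, then derives the netmask, the wildcard mask used later by the access lists, the capacity and the usable host range. It applies the same rule to the Marketing requirement stated in Part III (2500 machines on 48.15.224.0). The base addresses and sizes are the ones the handout assigns; nothing else is assumed.

```python
import ipaddress


def capacity(prefix):
    """Usable hosts in a /prefix block: 2^(32-prefix) minus the network and broadcast addresses."""
    return (1 << (32 - prefix)) - 2


def prefix_for_hosts(hosts):
    """Longest prefix (smallest block) whose usable range still holds `hosts` machines."""
    for prefix in range(30, -1, -1):  # /30 is the smallest block with two usable hosts
        if capacity(prefix) >= hosts:
            return prefix
    raise ValueError(f"no IPv4 block holds {hosts} hosts")


def plan_subnet(base, hosts):
    """Size a block at `base` for `hosts` machines.

    strict=True makes ipaddress reject a base that is not aligned to the chosen
    prefix (e.g. 10.1.10.128/24), which is the usual subnetting mistake.
    """
    prefix = prefix_for_hosts(hosts)
    net = ipaddress.IPv4Network(f"{base}/{prefix}", strict=True)
    return {
        "subnet": str(net),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),  # bitwise inverse of the netmask, as ACLs want it
        "capacity": capacity(prefix),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


# (base address, future size): Administration, Accounting and IT from Table 3,
# Marketing from Part III of this lab.
DEPARTMENTS = {
    "Administration": ("10.1.10.0", 200),
    "Accounting": ("192.168.148.0", 1000),
    "Information Technology": ("172.16.152.0", 1800),
    "Marketing": ("48.15.224.0", 2500),
}


def burdell_plan():
    """Subnet plan for every department in DEPARTMENTS."""
    return {name: plan_subnet(base, hosts) for name, (base, hosts) in DEPARTMENTS.items()}


if __name__ == "__main__":
    for name, p in burdell_plan().items():
        print(f"{name:23} {p['subnet']:19} mask {p['netmask']:16} wildcard {p['wildcard']:12} "
              f"hosts {p['first_host']} - {p['last_host']} ({p['capacity']})")
```

The three rows for Administration, Accounting and IT reproduce Table 3 exactly; the Marketing row is the sizing Part III asks you to work out on the calculation sheet.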

Log into the router and use the following commands to configure the Fastethernet0/0 port as the trunk port that will be connected to the additional trunk port on the switch.

Router(config)# interface FastEthernet 0/0 <ENTER>
Router(config-if)# no ip address <ENTER>
Router(config-if)# no ip mroute-cache <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet 0/0.1 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
Router(config-subif)# ip address 10.1.10.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet 0/0.2 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>



Router(config-subif)# ip address 192.168.148.1 255.255.252.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet 0/0.3 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
Router(config-subif)# ip address 172.16.152.1 255.255.248.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# end <ENTER>

You will have to replace <vlan_numberX> with the corresponding vlan as shown in the network diagram.

Section V: Testing Network Connectivity

Table 4. Workstation configurations

Workstation   Example IP on floor1   Example IP on floor2   Subnet Mask       Default Gateway
A (VLAN 2)    10.1.10.2              10.1.10.3              255.255.255.0     10.1.10.1
B (VLAN 3)    192.168.148.2          192.168.148.3          255.255.252.0     192.168.148.1
C (VLAN 4)    172.16.152.2           172.16.152.3           255.255.248.0     172.16.152.1

If we were to use six PCs as workstations in this lab we would configure the six workstations using the above example IP addresses. We would have used the following commands on each of the six PCs to set their individual IP addresses (example for one machine):

Prompt> ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
Prompt> route add default gw 10.1.10.1

However, we are not going to do it this way. Instead we are going to use another router with three interfaces to act as three machines (three different IP addresses) for the machines on floor two and again another router for three machines on floor1.

For the computers on floor1 use:

Router(config)# interface Ethernet 0/0 <ENTER>
Router(config-if)# ip address 10.1.10.2 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface Ethernet 1/0 <ENTER>
Router(config-if)# ip address 192.168.148.2 255.255.252.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet 0/0 <ENTER>
Router(config-if)# ip address 172.16.152.2 255.255.248.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# end <ENTER>

You will need to use the same approach for the computers on floor2.

Connect the wiring and fill in the diagram at the end of the lab to show your connections. Note that to connect a switch to a switch you need to use a crossover cable! You will need to get one from a TA and turn it in after completion of Part II of the lab. After completing the wiring you should be able to ping from any interface on one network to any interface on any other network.

Part 1 Check-off point: show the lab TA your working network.



See turn in sheet at the back of this handout.

PART II

You have recently graduated from Ga. Tech and you are now working for a company called Burdell Inc. as a network engineer. You have successfully setup the network described in Part I, but you have been given some additional network requirements that need to be implemented and they are as follows:

1. Administration: The IT subnet should have unlimited access to the Administration subnet. The Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration subnet.

2. Accounting: IT should not have any access to the Accounting sub-network. Only the print server (10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.

3. Information Technology: Users on the Administration should have unlimited access to the IT subnet. Users on the Accounting sub-network should have no access to the IT subnet.

4. Users on each of the three subnets should have unlimited access to their own subnet.

5. Users from any of the three subnets should be able to send icmp echo (ping) messages to and receive icmp echo-reply messages from subnets that they have access to.

Figure 1 (repeated). Burdell Inc's network topology diagram, annotated with an ACL label at the router (image not reproduced).


Section I: Access Control Lists

In order to meet the requirements stated above, Access Control Lists (ACLs) will be used to permit and deny access to sub-networks where necessary. This process is called IP filtering. The packet filtering capabilities of the Cisco IOS software perform packet filtering based on the following criteria:

Source IP address
Source and destination IP address
IP protocol types, including TCP, UDP, and ICMP
Source and destination TCP protocol services, such as sendmail and Telnet
Source and destination UDP protocol services, such as bootp and NetBIOS datagram
ICMP protocol services, such as ICMP echo and ICMP port unreachable

The network administrator has a lot of flexibility when creating IP access lists and determining what is filtered and how the filters are applied. Access list criteria is defined through the use of the access-list and ip access-list commands. Next, the filtering criteria is applied to the desired interface using the ip access-group command.

The access list’s filtering criteria are defined in a list of permit and deny statements. The list is evaluated in sequence, one line at a time, from top to bottom. The list is compared against the IP addresses and other information in the data packet until a match occurs. When a match occurs the list is exited. This process makes access lists extremely order-dependent.

By using the access-list command numbered access lists can be created. In this lab we will create named access lists using the ip access-list command. Named and numbered access lists fall into one of two categories, standard or extended. A standard ip access list evaluates only the source IP address of a packet, while the extended access list can evaluate the source and destination IP address, the IP protocol type, and the source and destination transport layer ports.

Note: Access lists employ a concept known as the wildcard or don't care mask. This wildcard mask is just the inverse of a network mask. A netmask of 255.255.252.0 generates a wildcard mask of 0.0.3.255, which means that the last 2 bits of octet 3 and all of octet 4 are don't care bits (can be either 1 or 0).

Section II: Defining ADMIN ACL

Administration: The IT subnet should have unlimited access to the Administration subnet. The Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration subnet.

First, the access list that is going to be assigned to the router interface used to access the Administration subnet will be called ADMIN. The access lists applied to the other router interfaces will be called ACCT and IT respectively.

Type the following commands while in the Global Configuration mode on the floor1_router. The following access list is an extended access list in which we will evaluate first the source IP address as well as (second on the same line) the destination IP address.

Router(config)# ip access-list extended ADMIN <ENTER>
Router(config-ext-nacl)# permit ip 172.16.152.0 0.0.7.255 10.1.10.0 0.0.0.255 <ENTER>
Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 host 10.1.10.3 <ENTER>
Router(config-ext-nacl)# permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 <ENTER>
Router(config-ext-nacl)# deny ip any any log <ENTER>
Router(config-ext-nacl)# exit



When this list is applied to the outgoing packets on the floor1_router sub-interface going to the Administration subnet, the above list permits access (to the Administration subnet) from all users on the 172.16.152.0/21 (IT) subnet. It also permits users on the Accounting subnet access to 10.1.10.3. The third rule gives users on the Administration subnet access to their own subnet. Think about why the wildcard masks (the second and fourth sets of numbers on the 2nd, 3rd, and 4th lines) are what they are; you'll need to compute your own for Part III. The last line of the list has an explicit deny. This means that any packet failing to match the filtering criteria of one of the lines of the access list is denied. All access lists end with an implicit deny, so the last line does not have to be included, but it is recommended that you include it. The keyword log causes every packet that reaches that line to have the violation logged to the console.

Section III: Defining ACCT ACL

Accounting: IT should not have any access to the Accounting sub-network. Only the print server (10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.

The following access list is an extended list in which we will evaluate first the source IP address as well as (second on the same line) the destination IP address. Type the following commands to create a list named ACCT:

Router(config)# ip access-list extended ACCT
Router(config-ext-nacl)# deny ip 172.16.152.0 0.0.7.255 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# permit ip host 10.1.10.3 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

When this list is applied to the outgoing packets on the floor1_router sub-interface going to the Accounting subnet, the above list denies access from the IT subnetwork to the Accounting subnetwork. It also allows access from the print-server (10.1.10.3) and from the Accounting subnet itself to the Accounting subnet.

Section IV: Defining IT ACL

Information Technology: Users on the Administration should have unlimited access to the IT subnet. Users on the Accounting sub-network should have no access to the IT subnet.

The following list is a standard access list. Type the following commands to create the standard access list called IT:

Router(config)# ip access-list standard IT
Router(config-std-nacl)# permit 10.1.10.0 0.0.0.255
Router(config-std-nacl)# deny 192.168.148.0 0.0.3.255
Router(config-std-nacl)# permit 172.16.152.0 0.0.7.255
Router(config-std-nacl)# deny any log
Router(config-std-nacl)# exit

The above list, when applied to the outgoing packets on the router sub-interface connected to the IT subnetwork, allows access from Administration to the subnet and denies all access from the Accounting subnet. It also allows any IT hosts access to the IT subnet. Because of the nature of the permissions, it is enough to filter on the source address of the packets; therefore, we use a standard access control list.

Section V: Applying the ACLs

Now that the ACLs have been defined, they must be applied to one or more interfaces so that packets can be filtered. An access list is applied in either an inbound or an outbound direction on the interface.



Packets traveling in the inbound direction come into the router from the interface. When they travel in the outbound direction, the packets leave the router through the interface. The command ip access-group is used to apply the access list to the interface. The command takes the keyword in or out as a parameter. If no parameter is provided, the out keyword is presumed. The following commands are used to apply the access lists to the router sub-interfaces used to reach each respective subnet.

Router(config)# interface fastethernet0/0.1
Router(config-subif)# ip access-group ADMIN out
Router(config-subif)# interface fastethernet0/0.2
Router(config-subif)# ip access-group ACCT out
Router(config-subif)# interface fastethernet0/0.3
Router(config-subif)# ip access-group IT out
Router(config-subif)# end

Use the show running-config command to view the router configuration that contains the ACL definitions and the ip access-group lines that apply them.
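The three lists can be checked on paper, but ordering mistakes are easy to make, and the lists are stateless: a ping only works if the echo passes the list on the destination's sub-interface and the echo-reply passes the list on the source's sub-interface. The Python model below is added for that check; it is not part of the original handout and is not IOS code. It reproduces the ADMIN, ACCT and IT entries exactly as typed above, the wildcard-mask match rule from the note in Section I (a netmask is inverted to get the wildcard; only the bits where the wildcard is 0 are compared), first-match evaluation with the implicit deny, and outbound application per subnet. It then reports, for constructed hosts (one per subnet plus the print server 10.1.10.3, using the example addresses from Part I), which pings succeed in both directions.

```python
import ipaddress


def wildcard_from_netmask(netmask):
    """The wildcard mask is the bitwise inverse of the netmask: 255.255.252.0 -> 0.0.3.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def matches(addr, base, wildcard):
    """IOS match rule: compare only the bits where the wildcard is 0; a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every bit is don't-care


def host(ip):
    """'host x.x.x.x': every bit must match."""
    return (ip, "0.0.0.0")


# The three lists from this lab, entry for entry. An extended entry carries
# (action, source, destination); a standard entry has no destination.
ADMIN = [
    ("permit", ("172.16.152.0", "0.0.7.255"), ("10.1.10.0", "0.0.0.255")),
    ("permit", ("192.168.148.0", "0.0.3.255"), host("10.1.10.3")),
    ("permit", ("10.1.10.0", "0.0.0.255"), ("10.1.10.0", "0.0.0.255")),
    ("deny", ANY, ANY),
]
ACCT = [
    ("deny", ("172.16.152.0", "0.0.7.255"), ("192.168.148.0", "0.0.3.255")),
    ("permit", host("10.1.10.3"), ("192.168.148.0", "0.0.3.255")),
    ("permit", ("192.168.148.0", "0.0.3.255"), ("192.168.148.0", "0.0.3.255")),
    ("deny", ANY, ANY),
]
IT = [
    ("permit", ("10.1.10.0", "0.0.0.255"), None),
    ("deny", ("192.168.148.0", "0.0.3.255"), None),
    ("permit", ("172.16.152.0", "0.0.7.255"), None),
    ("deny", ANY, None),
]


def evaluate(acl, src, dst):
    """First match wins, top to bottom; falling off the end is the implicit deny."""
    for action, s, d in acl:
        if matches(src, *s) and (d is None or matches(dst, *d)):
            return action == "permit"
    return False


# Each list is applied outbound on one subnet's sub-interface, so a packet is
# checked against the list of the subnet it is going *to*.
OUTBOUND = [("10.1.10.0/24", ADMIN), ("192.168.148.0/22", ACCT), ("172.16.152.0/21", IT)]


def outbound_acl(dst):
    for cidr, acl in OUTBOUND:
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(cidr):
            return acl
    raise ValueError(f"{dst} is not in a Burdell subnet")


def ping_allowed(src, dst):
    """ACLs are stateless: the echo must pass the list toward dst AND the echo-reply
    must pass the list toward src, otherwise the ping fails even though one
    direction was permitted."""
    return evaluate(outbound_acl(dst), src, dst) and evaluate(outbound_acl(src), dst, src)


# Constructed hosts for the check: one per subnet plus the print server.
HOSTS = {"admin": "10.1.10.2", "print": "10.1.10.3", "acct": "192.168.148.2", "it": "172.16.152.2"}


def access_matrix():
    """{(src_name, dst_name): ping works?} for every ordered pair of HOSTS."""
    return {(s, d): ping_allowed(HOSTS[s], HOSTS[d]) for s in HOSTS for d in HOSTS if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(access_matrix().items()):
        print(f"{s:>6} -> {d:<6} {'permit' if ok else 'deny'}")
```

Running it prints a permit/deny line for every ordered pair of the four hosts; compare that output with the Access Control List Summary Table you fill in below. Note in particular that Accounting reaches the print server only because the ACCT list separately permits the print server's replies back in.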

Before attempting to ping, go to the back of this lab and fill in the Access Control List Summary Table using what you know about the rules implemented in the summary lists.

Now ping each workstation from another and ensure that inter-switch and intra-switch communication are permitted or denied according to the specifications outlined and implemented using the access lists. Confirm that your table is correct. Do this by unplugging one interface of floor1_computers from the floor1_switch and plugging in one PC.

Before you go unplugging cables, however, there’s one more detail to take care of. Assume that you unplug interface Ethernet 0/0 (10.1.10.2) from floor1_computers and set R3 to be 10.1.10.2. Now imagine a ping packet traveling from R3 to FastEthernet 0/0 on floor1_computers (172.16.152.2). The packet leaves R3, goes to the default gateway (10.1.10.1) enters floor1_router, gets sent out the proper subinterface (172.16.152.1) and arrives at 172.16.152.2. Now, for the return trip, floor1_computers consults its routing table, sees that it is directly connected to 10.1.10.0/24 through 10.1.10.2, and sends the packet out that interface. But we just unplugged that cable, so the packet vanishes into the ether and never gets back to R3. To avoid this, we need to define a default gateway for floor1_computers:

floor1_computers(config)# ip route 0.0.0.0 0.0.0.0 172.16.152.1 <ENTER>

The PC you will be using is R3, located on the left-most rack by the door. To the right of it you will see a monitor with a pull-out keyboard. This is the terminal you will use to access R3. Above the monitor is a KVM, which is used to share one monitor, keyboard, and mouse among many PCs. Push the button labeled R3 to access the PC.

If there is no console window, click on the K on the start bar, then KNOPPIX > Root Shell. This opens up a shell with root as the user, which is the permission level we need to change the network configuration. Type ifconfig at the prompt; if eth0 does not show up in the listing, type ifconfig eth0 up to activate it.

The network cable from R3 has been run to port 32 of the patch panel at the top of the right-most rack. Coming out of the port labeled 32 should be a long Ethernet cable; this cable is connected to R3’s network card, and is what you will plug into the switch in place of the Ethernet 0/0 interface of floor1_computers.

[Prompt]# ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
[Prompt]# route add default gw 10.1.10.1

[Prompt]# route -nv

This shows your PC's routing table.



With a dashed line, draw the PC connected into the network on the wiring diagram when it is assuming the identity of 10.1.10.2. Show this connection in the wiring diagram.

Save your configuration and demonstrate to the TA your PC acting as 10.1.10.2 with working ACLs.

Part 2 Check-off point: show the lab TA a PC acting as 10.1.10.2 with working ACLs. See turn in sheet at the back of this handout.

PART III

Assume that you are now to add a fourth subnetwork to the company network: the Marketing subnetwork. Details are as follows:

1. The marketing department will be assigned addresses on the 48.15.224.0 network.

2. There need to be enough addresses on the subnetwork to account for 2500 machines.

3. Accounting should have full access to all machines on the network.

4. IT and Administration should not be able to access any machines on this network.

5. Marketing should be able to access its own subnet.

Using this information and the preceding lab, fill out the calculation sheet at the back of the turn-in packet and turn it in with your lab. You don’t have to actually implement this addition.



Appendix A: Basic Cisco Switch Commands

About this document

The purpose of this document is to give you a quick overview of how the switch user interface works, so you can have a quick start for lab setups and troubleshooting. Also, a VLAN tutorial is included in this document.

Similarities between routers and switches

Switches share many commands with routers; in other words, you can use many of the router commands to interact with switches and the results will be the same. For example, Switch# show running-config <ENTER> will have the same effect on both devices. Therefore, make sure that you read 'Basic Cisco Router Commands.doc' before you continue reading this document.

VLANs in the MiniNet Network
VLAN configuration is typically easy; however, there are a few things that you need to know to be successful. Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.

To create VLANs, follow these simple steps:

SwitchA# vlan database <ENTER>
SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
SwitchA(vlan)# exit <ENTER>
SwitchA# configure terminal <ENTER>
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport mode access <ENTER>
SwitchA(config-if)# switchport access vlan 2 <ENTER>
SwitchA(config-if)# end <ENTER>

Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

For VLAN information to be passed between switches, trunking must be configured between switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner in which frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:
1) Inter-Switch Link Protocol (ISL): Cisco proprietary trunking protocol;
2) IEEE 802.1Q (dot1q): industry standard trunking protocol;
3) LAN Emulation (LANE): used for trunking VLANs over ATM links; and
4) IEEE 802.10 (dot10q): Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport mode trunk <ENTER>
SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
SwitchA(config-if)# end <ENTER>

Then, go to the other switch and repeat these commands on the respective interface. This is important; otherwise the two switches will not be able to communicate with each other.

To limit which VLANs will be allowed to pass information on the port, you can use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005 <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan add 1-3 <ENTER>

Then, you will have to repeat these commands on the other switch.

The previous commands remove the default (all VLANs allowed) and add back support for VLANs 1-3 only.
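What the tag on a trunk frame looks like, and what the allowed-VLAN list above does with it, as an added example in Python (this is not from the lab handout or from Cisco's software): parse_frame() pulls the 802.1Q tag out of an Ethernet frame, and trunk_accepts() applies the VLAN 1-3 filter that the remove/add commands configure. The frame bytes are constructed for the example, and the native VLAN is assumed to be VLAN 1, the Cisco default.

```python
"""Added example (not part of the lab handout): parse the 802.1Q tag a trunk
port puts on frames and apply the allowed-VLAN filter the appendix sets up
(VLANs 1-3 allowed, everything else removed).  Frames are constructed here;
the native VLAN is assumed to be VLAN 1."""
import struct

TPID_8021Q = 0x8100                  # EtherType value that announces an 802.1Q tag
ALLOWED_VLANS = set(range(1, 4))     # mirrors "switchport trunk allowed vlan add 1-3"


def parse_frame(frame):
    """Split an Ethernet frame into header fields.

    Returns a dict with dst, src (colon-separated hex), vlan (None when the
    frame carries no tag), priority (the 3-bit PCP, None when untagged), the
    ethertype of the encapsulated payload, and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13          # PCP: top 3 bits of the TCI
        vlan = tci & 0x0FFF           # VID: low 12 bits of the TCI
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan,
        "priority": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def trunk_accepts(frame, allowed_vlans=ALLOWED_VLANS, native_vlan=1):
    """Model the allowed-VLAN filter on a dot1q trunk port.

    Untagged frames are treated as belonging to the native VLAN (assumed 1).
    Returns (accepted, vlan_id) so a caller can record what was dropped.
    """
    info = parse_frame(frame)
    vid = native_vlan if info["vlan"] is None else info["vlan"]
    return vid in allowed_vlans, vid


def build_frame(dst, src, ethertype, payload, vlan=None, priority=0):
    """Construct a sample frame; an 802.1Q tag is inserted when vlan is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (priority << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames: an ARP request on VLAN 2, an IP packet on
    # VLAN 10 (not allowed on this trunk), and an untagged frame (native VLAN).
    bcast, host = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    samples = [
        ("arp on vlan 2", build_frame(bcast, host, 0x0806, b"\x00" * 28, vlan=2)),
        ("ip on vlan 10", build_frame(bcast, host, 0x0800, b"\x00" * 20, vlan=10)),
        ("untagged", build_frame(bcast, host, 0x0800, b"\x00" * 20)),
    ]
    for label, frame in samples:
        accepted, vid = trunk_accepts(frame)
        print(f"{label:14s} vlan {vid:<4d} {'forwarded' if accepted else 'dropped'}")
```

The point to take from running it is that an untagged frame is not "no VLAN": on a dot1q trunk it lands in the native VLAN, so VLAN 1 being in the allowed list matters for more than management traffic.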

Finally, to avoid having to reconfigure your VLANs in case the switches are rebooted, type the following:

SwitchA# copy running-config startup-config <ENTER>


Appendix B: Basic Cisco Router Commands

References on the www and hardcopy
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/rbkixol.htm
Cisco Router Configuration, 2nd Edition: A Practical Introduction to Cisco IOS Software Configuration.

About this document
The purpose of this document is to give you a quick overview of how the router interface works, so you can have a quick start for lab setups and troubleshooting.

Configuring a Router from Scratch

If the router is turned on for the first time or if the router has a missing startup-config file, then you will see a message that says:

Would you like to enter the initial configuration dialog? [yes/no]:

At this message just type no and press the <ENTER> key. You will see the router prompt as 'Router>'. This means that the default running configuration was loaded; in other words, the router is not configured. To configure it, you will have to type 'enable' followed by pressing the <ENTER> key. It will not ask you for a password, since no password has been set up when starting from scratch. Now you will see the router prompt as 'Router#'.

Editing Commands
The following commands or key-strokes are used to move around the command line inside the router.

Command                          Description
<CTRL>+A                         Moves to the beginning of the command line
<ESC>+B                          Moves back one word
<CTRL>+B or Left Arrow key       Moves back one character
<CTRL>+E                         Moves to the end of the command line
<CTRL>+F or Right Arrow key      Moves forward one character
<ESC>+F                          Moves forward one word
<CTRL>+K                         Deletes all characters from the cursor until the end of the line
<CTRL>+P or Up Arrow key         Recalls last (previous) command
<CTRL>+N or Down Arrow key       Recalls most recent command
>show history or #show history   Shows command buffer
<TAB>                            Command completion; completes a partial command name
?                                Displays all available commands or command parameters

Three command modes used in routers are EXEC-Mode, Privileged EXEC-Mode, and Global Configuration Mode. There are other command modes, but these are the main ones.

EXEC-Mode Commands
Provides a limited subset of commands. The first time you connect to a router, this is the mode that you will be in. The command prompt has the form 'Router>'. To get a list of commands type '?'. If you see --More--, the screen can be advanced by pressing either the <ENTER> key, which scrolls one line, or <SPACE>, which scrolls one page.


Privileged EXEC-Mode Commands
Provides access to all commands in the router. To enter Privileged EXEC-Mode from EXEC-Mode, type enable <ENTER>. If a password has been set up for Privileged EXEC-Mode, you will be asked for it. It is assumed that the router has been reset to its default settings, and that it does not have any passwords set up. Some of the commands that you will need to use are shown in the following table.

Command                              Description
configure terminal                   Enters Global Configuration Mode.
copy                                 Copies configuration or image data
copy running-config startup-config   Stores the current configuration in RAM into NVRAM
copy running-config <file_name>      Copies the current configuration in RAM into <file_name> located in the flash: device
dir [device]                         Lists the files on a given device; use dir ? for a list of possible parameters for device
disable                              Turns off privileged commands
enable password                      Sets a local password to control access to various privileged levels
enable secret                        Specifies an additional layer of security over the enable password command
erase startup-config                 Erases the content of NVRAM
erase                                Erases Flash or configuration memory
exit                                 Exits any configuration mode, or closes an active terminal session and terminates the EXEC
reload                               Halts and performs a cold restart; reloads the operating system. It will also reload the startup-config file if available.
ping                                 Sends an echo request; diagnoses basic network connectivity
show [options]                       This is a very important command since you can display a great variety of router information. Type 'show ?' to display all your possible options.
show running-config                  Displays the current configuration in RAM
show interfaces                      Displays statistics for all interfaces configured on the router
show ip interface                    Displays the status and global parameters associated with an interface
show ip protocols                    Displays the parameters and current state of the active routing protocol process
show startup-config                  Displays the saved configuration, which is the contents of NVRAM
more                                 Displays the contents of a file
setup                                Enters the setup command facility
?                                    Displays all available commands or command parameters

Global Configuration Mode
This mode allows you to make changes to the running configuration. You will need to know more about this mode than anything else. From here you can configure routing protocols, interfaces, sub-interfaces, and more. To enter Global Configuration Mode, you will need to be in Privileged EXEC-Mode. Then, type 'configure terminal <ENTER>'.

From this mode, you have access to two sub-modes: the Interface Configuration mode and the Sub-interface Configuration mode. To enter either of these modes, you will need to type the interface command followed by an interface or a subinterface name.

Notice that some routers have three physical interfaces, but other routers have only one physical interface. In the case of routers with only one interface, subinterfaces are created on top of the physical interface (more details on this are given later on). In addition, interfaces are named as either EthernetX/Y or FastEthernetX/Y where X will normally take numbers between 0-1, and Y will normally take values like 0, 1, 2, 3, 0.1, 0.2, or 0.3 (the values for X and Y given here apply to our lab setup only; they could be different in other network setups). Also, routers have a mixture of Ethernet and FastEthernet interfaces whereas switches (in our lab network) have FastEthernet interfaces. Take a look at the 'ece4110-2004-02-Fall-labs-7-and-8-LabSetup.xls' file to get familiar with the router interface names.

The following table shows some commands and subcommands that you can use in Global Configuration mode.

Command              Description
interface            Configures an interface type and enters interface configuration mode.
ip address           Assigns an address and a subnet mask and starts IP processing on an interface
ip default-network   Establishes a default route
ip host              Makes a static name-to-address entry in the router's configuration file
ip route             Establishes static routes
line                 Identifies a specific line for configuration and starts the line configuration command collection mode.
login                Logs in as a particular user. Enables password checking at login
network              Assigns a Network Information Center-based address to which the router is directly connected.
no shutdown          Restarts a disabled interface
router               Starts a routing process by first defining an IP routing protocol. For example, router rip selects RIP as the routing protocol
encapsulation        Sets the encapsulation type for an interface. This is used to attach a sub-interface to a specific VLAN.
full-duplex          Configures full-duplex operational mode
half-duplex          Configures half-duplex and related commands
?                    Displays all available commands or command parameters

Configuration Examples
To configure a router with interfaces Ethernet0, Ethernet1, and FastEthernet0 to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to use the following command sequence from Global Configuration mode.

Router(config)# interface Ethernet0 <ENTER>
Router(config-if)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
# It is optional to type exit after you have configured one interface and before
# configuring the next one
Router(config-if)# interface Ethernet1 <ENTER>
Router(config-if)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0 <ENTER>
Router(config-if)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# end <ENTER>

To configure a router with interfaces Ethernet0/0, Ethernet1/0, and FastEthernet0/0 to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to replace the respective interface names on the command lines shown above.

To configure a router with only one physical interface, FastEthernet0/0, to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to use the following command sequence from Global Configuration mode.


Router(config)# interface FastEthernet0/0 <ENTER>
Router(config-if)# no ip address <ENTER>
Router(config-if)# no ip mroute-cache <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0/0.1 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
Router(config-subif)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.2 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>
Router(config-subif)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.3 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
Router(config-subif)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# end <ENTER>

# you will have to replace <vlan_numberX> with the corresponding VLAN


Appendix C: Saving and restoring your configurations

The scripts for uploading and downloading configurations are located on the NAS in the Lab6 directory. They are in a tarball named mnet_tools_v1.5.tar. Copy this file to your /root directory, and unpack it using:

# tar -xf mnet_tools_v1.5.tar
# cd mnet_tools_v1.5

Before these scripts will work, the following two perl modules must be installed:

IO-Tty-1.02.tar.gz Expect-1.15.tar.gz

Here's how to install the modules:

First install IO-Tty-1.02.tar.gz:

# tar -zxvf IO-Tty-1.02.tar.gz
# cd IO-Tty-1.02
# perl Makefile.PL
# make
# make install

Then install Expect-1.15.tar.gz:

# tar -zxvf Expect-1.15.tar.gz
# cd Expect-1.15
# perl Makefile.PL
# make
# make install

Now you can run minictrl.pl to make sure it is working correctly. The program should output its usage and exit.

# ./minictrl.pl

Now, some notes on the actual scripts:
The extensions "p1", "p2", and "p3" on the scripts below refer to playstation #1, playstation #2, and playstation #3 respectively. Each group of files is described below.

Download and upload of configurations is based on a perl Expect module. The nature of this module is complex and finicky. Therefore, sometimes it is necessary to run an upload or download script multiple times in order to successfully upload or download. Currently, three tries are given for each upload and download. Therefore, you may see errors in the download or upload process. However, at the end of the script, you should see a successful message printed indicating that one of the three tries was successful.

download_reset_p1, download_reset_p2, download_reset_p3
These scripts are used to download reset configurations. The network devices should be configured to their reset configuration before running these scripts. Then, these scripts can be executed to store a "reset" configuration. YOU NEVER NEED TO RUN THIS SCRIPT. The reset configurations are included in the tarball: reset1, reset2, and reset3.

reset_p1, reset_p2, reset_p3
These scripts return the playstations to a "reset" configuration, which must first have been downloaded using the download_reset scripts above.


download_p1, download_p2, download_p3
These scripts are used to download all network device configurations for the devices in the given playstation. The configurations are stored in files in a subfolder called playstation1, playstation2, and playstation3 respectively. Download time can vary from 30-60 seconds.

upload_p1, upload_p2, upload_p3
These scripts are used to restore device configurations. They can only be executed after successfully downloading configurations using the download scripts. Upload time can vary from 3-5 minutes because the network devices must be reloaded, which takes several minutes.

CM_Library.pm
Library used by minictrl to download, upload, and connect to the digi.

minictrl.pl
Tool that does the downloading and uploading of configurations.

single_cmd
Internal wrapper tool.


ECE 4110 Internetwork Programming
Turn in sheet

Lab 7: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists

Group Number: ________

Member Names: _________________________ _________________________

Date: _____________________

Part 1 Check-off point: show the lab TA your working network.

TA Signature _______________________ DATE ______________________

Part 2 Check-off point: show the lab TA a PC acting as 192.168.148.2 with working ACLs.

TA Signature _______________________ DATE ______________________

Turn-in List

1. The turn in sheet from the back of the lab
2. Physical Cabling Diagram
3. Access Control List Summary Table
4. Marketing Network Setup Sheet


Group Number____________________ Names:______________________________Date:_________________________

Playstation #:____________________

Physical Cabling Diagram (wiring diagram to be completed by the group)

Devices on the diagram: Floor1_switch (Digi #___), Floor2_switch (Digi #___), Floor1_router (Digi #___), Floor1_computers (Digi #___), Floor2_computers (Digi #___), PC (for Part II of Lab)

Interface labels on the diagram: Ethernet 0/0, Ethernet 0/1, Ethernet 1/0, Fast Ethernet 0/0

Group Number____________________ Names:______________________________Date:_________________________

Access Control List Summary Table:

From:            To:              Allowed (YES or NO)?
10.1.10.2        10.1.10.3        ________
10.1.10.2        192.168.148.3    ________
10.1.10.2        172.16.152.3     ________
192.168.148.2    10.1.10.3        ________
192.168.148.2    10.1.10.2        ________
192.168.148.2    192.168.148.3    ________
192.168.148.2    172.16.152.3     ________
172.16.152.2     10.1.10.3        ________
172.16.152.2     192.168.148.3    ________
172.16.152.2     172.16.152.3     ________


Group Number____________________ Names:______________________________Date:_________________________

Part III: Marketing Network Setup

Need: 2500 machines

Network address: 48.15.224.0 / ____

Netmask: ____.____.____.____

Wildcard Mask: ____.____.____.____

Calculations:

ACL Setup:
Fill in the commands you would use to set up the MKTING access control list.

Router(config)#ip access-list standard MKTING <ENTER>

Router(config-std-nacl)#

Router(config-std-nacl)#

Router(config-std-nacl)#

Router(config-std-nacl)#

Router(config-std-nacl)# deny any log <ENTER>
