ECE 4110 Internetwork Programming
Lab 7: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists

Group Number: ________
Member Names: _________________________
              _________________________
Date Issued: 3/29/2006
Date Due:    4/6/2006
Last Edited: 3/29/2006

NOTICE: Because there are only three setups, each group will need to sign up for timeslots on the sheets attached to the lab door. You can only sign up for a total of 2 hours (4 slots) at a time, AND YOU MUST USE THE SAME SETUP FOR THE ENTIRE LAB. These can either be in a row or spread out, but no group can have more than 4 slots reserved at any one time. Once one of your slots has expired, you can sign up for another one. See Appendix C for instructions on how to save and reload your work if you need to leave and continue later.

PLAYSTATION #: ________________

Lab Goals
- Set up a network using multiple routers and switches
- Learn about trunk ports and trunking
- Learn about access control lists and use them to control information flow

PART I

You have recently graduated from Georgia Tech and you are now working for a company called Burdell Inc as a network engineer. You are presented with the following scenario: Burdell Inc occupies a two-floor office building and is made up of three departments, Administration, Accounting, and Information Technology (IT). The Administrative department is currently in need of 100 workstations and is forecast to grow by an additional 100 machines in the foreseeable future. The Accounting department needs 1000 workstations and is not expected to grow beyond its present size. The IT department is constantly growing. IT presently needs 900 workstations and is expected to grow to twice that size. In an effort to promote company unity and spirit, the management at Burdell Inc has decided to have members of all three departments work on both floors, i.e. no one department is physically isolated. Both floors accommodate workers from Accounting, Administration, and IT.
Each department has its own VLAN, and all workers on each floor and between floors should be able to communicate with each other. Figure 1, below, shows the network topology.

[Figure 1. Burdell Inc's network topology diagram. Figure not reproduced; it shows two switches, FLOOR 2 with ports 0/1, 0/2, 0/3, 0/4 and FLOOR 1 with ports 0/1, 0/2, 0/3, 0/4, 0/5, and the three department VLANs labeled in the figure as VLAN 1 ADMINISTRATION, VLAN 2 ACCOUNTING and VLAN 3 INFORMATION TECHNOLOGY.]

This lab requires two switches, one router, and six end-station PCs. However, we will not use six end-station PCs; instead we will emulate the six PCs using the ping capability of Cisco 1760 interfaces, using two more Cisco 1760s to emulate the PCs. This saves us from having to dedicate six PCs to this lab assignment. We will need one PC, which we will use to test our setup. Thus the equipment required will be two switches, three routers, and one end-station PC. We will use this equipment to emulate the network in Figure 1.

Section I: Logging into the Routers/Switches

All of the routers and switches are accessible from the console manager ports. See Table 1.

Table 1. Console manager port assignments

Playstation    Part                 Name               Console Manager Port
Playstation1   Cisco 3550 Switch    floor1_switch      5
               Cisco 3550 Switch    floor2_switch      6
               Cisco 1760 Router    floor1_router      7
               Cisco 1760 Router    floor1_computers   8
               Cisco 1760 Router    floor2_computers   9
Playstation2   Cisco 3550 Switch    floor1_switch      14
               Cisco 3550 Switch    floor2_switch      15
               Cisco 1760 Router    floor1_router      16
               Cisco 1760 Router    floor1_computers   17
               Cisco 1760 Router    floor2_computers   18
Playstation3   Cisco 3550 Switch    floor1_switch      23
               Cisco 3500 Switch    floor2_switch      24
               Cisco 1760 Router    floor1_router      25
               Cisco 1760 Router    floor1_computers   26
               Cisco 1760 Router    floor2_computers   27

The enable password for all of these machines is owen. In order to connect to the console manager you need to set up your network card to access its network:

    # ifconfig eth0:0 192.168.254.<100+group #>

So group 1 is 192.168.254.101, and so forth. You will need to do this every time you power off your machine.
What this does is set up a virtual interface, so you have two IP addresses on one network card. This gives you access to two networks with only one interface card. To connect to the CM32:

    # ssh [email protected]

If it comes up, type yes to the RSA question.

    password: playstationX

You will be using a series of scripts to help you set up the routers and save your work. These scripts are described in detail in Appendix C. They should still be installed from Lab 6; if not, go to Appendix C and install the scripts according to the directions.

Once this is done, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION YOU WANT TO USE. This is very important, as you are about to reset the configuration and all of their work will be lost. Now that you are sure no one else is using the playstation, reset your chosen playstation by running the reset_pX script in the mnet_tools_v1.5 directory. Several windows should pop up. DO NOT CLOSE THEM UNTIL IT IS SAFE TO DO SO. If you are on playstation 1 or 2, you will get an error in one of the windows about VPN or Firewall processing not being enabled; ignore this for now. Once all of the other windows say it is safe to close them, do so.

Now run the download_pX script to save the current configuration. From now on, you'll run the download_pX script to save your work, and the upload_pX script to restore the configuration of the playstation to the last saved state. Before running the upload script, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION.

Log into each of the machines and change its name to match Table 1. From global configuration mode:

    Machine(config)# hostname <name>

To go back to the console manager screen, hit <CTRL+z> and then hit x.

Section II: Switch Configuration

Refer to Appendix A for a list of switch configuration commands and their descriptions. While in Privileged EXEC-Mode, you can view the running configuration by typing show running-config. This contains information about all the interfaces and VLANs you've set up.
Table 2 lists the different VLANs assigned to each department in our company.

Table 2. Department VLANs

VLAN   DEPARTMENT
2      Administration
3      Accounting
4      Information Technology

Note: In Figure 1, the Administration VLAN is labeled as VLAN 1, Accounting as VLAN 2, etc. THIS IS INCORRECT. Use the VLAN numbers in Table 2 for the entirety of this lab.

One switch is placed on each office floor. Three switch ports (on each switch) are configured, one for each VLAN as illustrated by Table 2. Use the switch interface numbers shown in Figure 1 and the VLAN names and numbers from Table 2 (note that in Figure 1 the VLANs are listed 1-3, and in Table 2 2-4). To create VLANs inside the switch, follow these simple steps:

    SwitchA# vlan database <ENTER>
    SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
    SwitchA(vlan)# exit

Do this for each of the VLANs in Table 2. Now configure the interfaces to access those VLANs:

    SwitchA# configure terminal <ENTER>
    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# switchport mode access <ENTER>
    SwitchA(config-if)# switchport access vlan <enter a number here> <ENTER>

In the next command, <SPEED> depends on the router interface connected to the port: <SPEED> = 10 for Ethernet interfaces and 100 for FastEthernet. Because IT is setting up this entire network, they decide to give themselves the higher speed connections; therefore, the FastEthernet ports on floor1_computers and floor2_computers will be assigned VLAN 4. Now assign the correct operating speed to the interface:

    SwitchA(config-if)# speed <SPEED> <ENTER>
    SwitchA(config-if)# duplex full <ENTER>
    SwitchA(config-if)# no shutdown
    SwitchA(config-if)# end

Use the above configuration procedure to configure each of the used switch interfaces on each switch. (Do this on the switch, not on the routers.) Once you are done, it is a good idea to download your configuration so you do not lose it.
Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

Section III: Trunking Switch Ports

For VLAN information to be passed between the two switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner in which frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:

1) Inter-Switch Link Protocol (ISL): Cisco proprietary trunking protocol;
2) IEEE 802.1Q (dot1q): industry standard trunking protocol;
3) LAN Emulation (LANE): used for trunking VLANs over ATM links; and
4) IEEE 802.10 (dot10q): Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands:

    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# no switchport mode dynamic desirable <ENTER>
    SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
    SwitchA(config-if)# switchport mode trunk <ENTER>
    SwitchA(config-if)# end

Then go to the other switch and repeat these commands on the respective interface. This is important; otherwise the switches will not be able to communicate with each other.

To limit which VLANs will be allowed to pass information on the port, you can use the following commands:

    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# switchport trunk allowed vlan remove 1-4094 <ENTER>
    SwitchA(config-if)# switchport trunk allowed vlan add 1-4 <ENTER>

Then you will have to repeat these commands on the other switch.
The previous commands remove the default of all VLANs and add back support for VLANs 1-4.

Note: On one of the switches one additional port has to be trunked. This additional trunk port is used to connect a router to the switch. The use of the router will be explained in the following section. Set up the trunking in the switch on floor one for the router on floor one now (see Figure 1 for the port number). The switch port will be connected to the router's FastEthernet port (SPEED = 100).

Section IV: Router Configuration

Refer to Appendix B for a list of router configuration commands and their descriptions. Hosts on one VLAN cannot communicate with hosts on another VLAN, since VLANs form separate broadcast domains. As a result, a router needs to be used to route packets from one VLAN to another VLAN. The router will be connected to the additional trunk port created on the switch above. The router port also needs to be trunked, since the router port will be passing packets from multiple VLANs.

Before configuring the router, the subnets, the assignable machine address ranges, and the required network prefixes for each department have to be determined. Let's use the assignments in Table 3. Notice the subnets are not all the same length.

Table 3. Department subnets and subnet workstation capacity

Department               Current Size    Future Size     Subnet              Subnet Capacity (Workstations)
                         (Workstations)  (Workstations)
Administration           100             200             10.1.10.0/24        2^(32-24) - 2 = 2^8 - 2 = 254
Accounting               1000            1000            192.168.148.0/22    2^(32-22) - 2 = 2^10 - 2 = 1022
Information Technology   900             1800            172.16.152.0/21     2^(32-21) - 2 = 2^11 - 2 = 2046

Log into the router and use the following commands to configure the FastEthernet0/0 port as the trunk port that will be connected to the additional trunk port on the switch.
    Router(config)# interface FastEthernet 0/0 <ENTER>
    Router(config-if)# no ip address <ENTER>
    Router(config-if)# no ip mroute-cache <ENTER>
    Router(config-if)# speed auto <ENTER>
    Router(config-if)# full-duplex <ENTER>
    Router(config-if)# no shutdown <ENTER>
    Router(config-if)# interface FastEthernet 0/0.1 <ENTER>
    Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
    Router(config-subif)# ip address 10.1.10.1 255.255.255.0 <ENTER>
    Router(config-subif)# no shutdown <ENTER>
    Router(config-subif)# interface FastEthernet 0/0.2 <ENTER>
    Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>
    Router(config-subif)# ip address 192.168.148.1 255.255.252.0 <ENTER>
    Router(config-subif)# no shutdown <ENTER>
    Router(config-subif)# interface FastEthernet 0/0.3 <ENTER>
    Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
    Router(config-subif)# ip address 172.16.152.1 255.255.248.0 <ENTER>
    Router(config-subif)# no shutdown <ENTER>
    Router(config-subif)# end <ENTER>

You will have to replace <vlan_numberX> with the corresponding VLAN as shown in the network diagram (remember to use the VLAN numbers from Table 2, not the ones printed in Figure 1).

Section V: Testing Network Connectivity

Table 3. Workstation configurations

Workstation   Example IP on floor1   Example IP on floor2   Subnet Mask       Default Gateway
A (VLAN 2)    10.1.10.2              10.1.10.3              255.255.255.0     10.1.10.1
B (VLAN 3)    192.168.148.2          192.168.148.3          255.255.252.0     192.168.148.1
C (VLAN 4)    172.16.152.2           172.16.152.3           255.255.248.0     172.16.152.1

If we were to use six PCs as workstations in this lab, we would configure the six workstations using the above example IP addresses. We would have used the following commands on each of the six PCs to set their individual IP addresses (example for one machine):

    Prompt> ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
    Prompt> route add default gw 10.1.10.1

However, we are not going to do it this way.
Instead, we are going to use another router with three interfaces to act as three machines (three different IP addresses) for the machines on floor two, and again another router for the three machines on floor one. For the computers on floor1 use:

    Router(config)# interface Ethernet 0/0 <ENTER>
    Router(config-if)# ip address 10.1.10.2 255.255.255.0 <ENTER>
    Router(config-if)# full-duplex <ENTER>
    Router(config-if)# no shutdown <ENTER>
    Router(config-if)# interface Ethernet 1/0 <ENTER>
    Router(config-if)# ip address 192.168.148.2 255.255.252.0 <ENTER>
    Router(config-if)# full-duplex <ENTER>
    Router(config-if)# no shutdown <ENTER>
    Router(config-if)# interface FastEthernet 0/0 <ENTER>
    Router(config-if)# ip address 172.16.152.2 255.255.248.0 <ENTER>
    Router(config-if)# full-duplex <ENTER>
    Router(config-if)# speed auto <ENTER>
    Router(config-if)# no shutdown <ENTER>
    Router(config-if)# end <ENTER>

You will need to use the same approach for the computers on floor2.

Connect the wiring and fill in the diagram at the end of the lab to show your connections. Note that to connect a switch to a switch you need to use a crossover cable!!! You will need to get one from a TA and turn it in after completion of Part II of the lab. After completing the wiring you should be able to ping from any interface on one network to any interface on any other network.

Part 1 Check-off point: show the lab TA your working network. See turn-in sheet at the back of this handout.

PART II

You have recently graduated from Ga. Tech and you are now working for a company called Burdell Inc. as a network engineer. You have successfully set up the network described in Part I, but you have been given some additional network requirements that need to be implemented. They are as follows:

1. Administration: The IT subnet should have unlimited access to the Administration subnet. The Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration subnet.
2. Accounting: IT should not have any access to the Accounting sub-network. Only the print server (10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.
3. Information Technology: Users on the Administration subnet should have unlimited access to the IT subnet. Users on the Accounting sub-network should have no access to the IT subnet.
4. Users on each of the three subnets should have unlimited access to their own subnet.
5. Users from any of the three subnets should be able to send ICMP echo (ping) messages to, and receive ICMP echo-reply messages from, subnets that they have access to.

[Figure 1. Burdell Inc's network topology diagram (Part II). Figure not reproduced; it shows FLOOR 1 and FLOOR 2, the three department VLANs labeled in the figure as VLAN 1 ADMINISTRATION, VLAN 2 ACCOUNTING and VLAN 3 INFORMATION TECHNOLOGY, and an ACL label.]

Section I: Access Control Lists

In order to meet the requirements stated above, Access Control Lists (ACLs) will be used to permit and deny access to sub-networks where necessary. This process is called IP filtering. The packet filtering capability of the Cisco IOS software filters packets based on the following criteria:

- Source IP address
- Source and destination IP address
- IP protocol types, including TCP, UDP, and ICMP
- Source and destination TCP protocol services, such as send mail and Telnet
- Source and destination UDP protocol services, such as bootp and NetBIOS datagram
- ICMP protocol services, such as ICMP echo and ICMP port unreachable

The network administrator has a lot of flexibility when creating IP access lists and determining what is filtered and how the filters are applied. Access list criteria are defined through the use of the access-list and ip access-list commands. Next, the filtering criteria are applied to the desired interface using the ip access-group command. The access list's filtering criteria are defined in a list of permit and deny statements. The list is evaluated in sequence, one line at a time, from top to bottom.
The list is compared against the IP addresses and other information in the data packet until a match occurs. When a match occurs, the list is exited. This process makes access lists extremely order-dependent.

By using the access-list command, numbered access lists can be created. In this lab we will create named access lists using the ip access-list command. Named and numbered access lists fall into one of two categories, standard or extended. A standard IP access list evaluates only the source IP address of a packet, while an extended access list can evaluate the source and destination IP address, the IP protocol type, and the source and destination transport-layer ports.

Note: Access lists employ a concept known as the wildcard or don't-care mask. This wildcard mask is just the inverse of a network mask. A netmask of 255.255.252.0 generates a wildcard mask of 0.0.3.255, which means that the last 2 bits of octet 3 and all of octet 4 are don't-care bits (can be either 1 or 0).

Section II: Defining ADMIN ACL

Administration: The IT subnet should have unlimited access to the Administration subnet. The Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration subnet.

First, the access list that is going to be assigned to the router interface used to access the Administration subnet will be called ADMIN. The access lists applied to the other router interfaces will be called ACCT and IT respectively. Type the following commands while in Global Configuration mode on the floor1_router. The following access list is an extended access list in which we evaluate first the source IP address and then (second on the same line) the destination IP address.
    Router(config)# ip access-list extended ADMIN <ENTER>
    Router(config-ext-nacl)# permit ip 172.16.152.0 0.0.7.255 10.1.10.0 0.0.0.255 <ENTER>
    Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 host 10.1.10.3 <ENTER>
    Router(config-ext-nacl)# permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 <ENTER>
    Router(config-ext-nacl)# deny ip any any log <ENTER>
    Router(config-ext-nacl)# exit

When this list is applied to the outgoing packets on the floor1_router interface going to the Administration subnet, the above list permits access (to the Administration subnet) from all users on the 172.16.152.0/21 (IT) subnet. It also permits users on the Accounting subnet access to 10.1.10.3. The third rule gives users on the Administration subnet access to their own subnet. Think about why the wildcard masks (the second and fourth sets of numbers on the 2nd, 3rd, and 4th lines) are what they are; you'll need to compute your own for Part III.

The last line of the list has an explicit deny. This means that any packet failing to match the filtering criteria of one of the earlier lines of the access list is denied. All access lists have an implicit deny, so the last line does not have to be included, but it is recommended that you include it. The keyword log causes every packet that reaches this line (that is, every packet that failed to match the lines above it) to have the violation logged to the screen.

Section III: Defining ACCT ACL

Accounting: IT should not have any access to the Accounting sub-network. Only the print server (10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.

The following access list is an extended list in which we evaluate first the source IP address and then (second on the same line) the destination IP address.
Type the following commands to create a list named ACCT:

    Router(config)# ip access-list extended ACCT
    Router(config-ext-nacl)# deny ip 172.16.152.0 0.0.7.255 192.168.148.0 0.0.3.255
    Router(config-ext-nacl)# permit ip host 10.1.10.3 192.168.148.0 0.0.3.255
    Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 192.168.148.0 0.0.3.255
    Router(config-ext-nacl)# deny ip any any log
    Router(config-ext-nacl)# exit

When this list is applied to the outgoing packets on the floor1_router interface going to the Accounting subnet, the above list denies access from the IT sub-network to the Accounting sub-network. It also allows access from the print-server (10.1.10.3) and from the Accounting subnet itself to the Accounting subnet.

Section IV: Defining IT ACL

Information Technology: Users on the Administration subnet should have unlimited access to the IT subnet. Users on the Accounting sub-network should have no access to the IT subnet.

The following list is a standard access list. Type the following commands to create the standard access list called IT:

    Router(config)# ip access-list standard IT
    Router(config-std-nacl)# permit 10.1.10.0 0.0.0.255
    Router(config-std-nacl)# deny 192.168.148.0 0.0.3.255
    Router(config-std-nacl)# permit 172.16.152.0 0.0.7.255
    Router(config-std-nacl)# deny any log
    Router(config-std-nacl)# exit

The above list, when applied to the outgoing packets on the router interface connected to the IT sub-network, will allow access from Administration to the subnet and deny all access from the Accounting subnet. It also allows any IT hosts access to the IT subnet. Because of the nature of the permissions, it is enough to filter on the source address of the packets; therefore, we use a standard access control list.

Section IV: Applying the ACLs

Now that the ACLs have been defined, they must be applied to one or more interfaces so that packets can be filtered. The access list is applied in either an inbound or an outbound direction on the interface.
Packets traveling in the inbound direction come into the router from the interface. When they travel in the outbound direction, the packets leave the router and then go onto the interface. The command ip access-group is used to apply the access list to the interface. The command takes the keyword in or out as a parameter. If no parameter is provided, the out keyword is presumed. The following commands are used to apply the access lists to the router interfaces used to access each respective subnet.

    Router(config)# interface fastethernet0/0.1
    Router(config-if)# ip access-group ADMIN out
    Router(config-if)# interface fastethernet0/0.2
    Router(config-if)# ip access-group ACCT out
    Router(config-if)# interface fastethernet0/0.3
    Router(config-if)# ip access-group IT out
    Router(config-if)# end

Use the show running-config command to view the router configuration that contains the ACL definitions.

Before attempting to ping, go to the back of this lab and fill in the Access Control List Summary Table using what you know about the rules implemented in the access lists. Now ping each workstation from another and ensure that inter-switch and intra-switch communication are permitted or denied according to the specifications outlined and implemented using the access lists. Confirm that your table is correct. Do this by unplugging one interface of floor1_computers from the floor1_switch and plugging in one PC.

Before you go unplugging cables, however, there's one more detail to take care of. Assume that you unplug interface Ethernet 0/0 (10.1.10.2) from floor1_computers and set R3 to be 10.1.10.2. Now imagine a ping packet traveling from R3 to FastEthernet 0/0 on floor1_computers (172.16.152.2). The packet leaves R3, goes to the default gateway (10.1.10.1), enters floor1_router, gets sent out the proper subinterface (172.16.152.1), and arrives at 172.16.152.2.
Now, for the return trip, floor1_computers consults its routing table, sees that it is directly connected to 10.1.10.0/24 through 10.1.10.2, and sends the packet out that interface. But we just unplugged that cable, so the packet vanishes into the ether and never gets back to R3. To avoid this, we need to define a default gateway for floor1_computers:

    floor1_computers(config)# ip route 0.0.0.0 0.0.0.0 172.16.152.1 <ENTER>

The PC you will be using is R3, located on the left-most rack by the door. To the right of it you will see a monitor with a pull-out keyboard. This is the terminal you will use to access R3. Above the monitor is a KVM, which is used to share one monitor, keyboard, and mouse among many PCs. Push the button labeled R3 to access the PC. If there is no console window, click on the K on the start bar, then KNOPPIX > Root Shell. This opens up a shell with root as the user, which is the permission level we need to change the network configuration. Type ifconfig at the prompt; if eth0 does not show up in the listing, type ifconfig eth0 up to activate it.

The network cable from R3 has been run to port 32 of the patch panel at the top of the right-most rack. Coming out of the port labeled 32 should be a long Ethernet cable; this cable is connected to R3's network card, and is what you will plug into the switch in place of the Ethernet 0/0 interface of floor1_computers.

    [Prompt]# ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
    [Prompt]# route add default gw 10.1.10.1
    [Prompt]# route -nv

The last command will show your PC's routing table.

With a dashed line, draw the PC connected into the network on the wiring diagram when it is assuming the identity of 10.1.10.2. Show this connection in the wiring diagram. Save your configuration and demonstrate to the TA your PC acting as 10.1.10.2 with working ACLs.

Part 2 Check-off point: show the lab TA a PC acting as 10.1.10.2 with working ACLs. See turn-in sheet at the back of this handout.
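The three access lists of Sections II-IV, applied outbound as in "Applying the ACLs", modelled in Python as an added example that is not part of the lab handout. The block also carries the Table 3 capacity formula and the wildcard-mask rule from Section I as functions (host_capacity, prefix_for_hosts, wildcard_mask and the other names are mine), evaluates list entries top-down with first match and the implicit deny, and checks a ping in both directions, which is what the Access Control List Summary Table asks you to confirm. The subnets, the print-server address and the list contents are the lab's; the sample hosts follow the workstation table and are constructed.

```python
import ipaddress

# Department subnets from Table 3 and the print server from Part II
ADMIN_NET = "10.1.10.0/24"
ACCT_NET = "192.168.148.0/22"
IT_NET = "172.16.152.0/21"
PRINT_SERVER = "10.1.10.3"

def host_capacity(prefix_len):
    """Usable addresses: 2^(32-prefix) minus the network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2

def prefix_for_hosts(n):
    """Smallest subnet (longest prefix) that still holds n hosts."""
    for p in range(30, 0, -1):
        if host_capacity(p) >= n:
            return p
    raise ValueError("no IPv4 subnet holds %d hosts" % n)

def wildcard_mask(prefix_len):
    """IOS wildcard mask = bitwise inverse of the netmask (1 bits are don't-care)."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def matches(addr, network, wildcard):
    """True when addr agrees with network on every bit the wildcard does NOT mark don't-care."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

# Operand helpers mirroring the IOS syntax "any", "host X" and "<network> <wildcard>"
ANY = ("0.0.0.0", "255.255.255.255")
def host(ip):
    return (ip, "0.0.0.0")
def net(cidr):
    n = ipaddress.ip_network(cidr)
    return (str(n.network_address), wildcard_mask(n.prefixlen))

# Transcriptions of the lab's ADMIN, ACCT (extended) and IT (standard, source-only) lists.
# The final entry is the explicit "deny ... any log"; the log keyword itself is not modelled.
ADMIN = [("permit", net(IT_NET), net(ADMIN_NET)),
         ("permit", net(ACCT_NET), host(PRINT_SERVER)),
         ("permit", net(ADMIN_NET), net(ADMIN_NET)),
         ("deny", ANY, ANY)]
ACCT = [("deny", net(IT_NET), net(ACCT_NET)),
        ("permit", host(PRINT_SERVER), net(ACCT_NET)),
        ("permit", net(ACCT_NET), net(ACCT_NET)),
        ("deny", ANY, ANY)]
IT = [("permit", net(ADMIN_NET), ANY),
      ("deny", net(ACCT_NET), ANY),
      ("permit", net(IT_NET), ANY),
      ("deny", ANY, ANY)]

def evaluate(acl, src, dst):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if matches(src, snet, swc) and matches(dst, dnet, dwc):
            return action
    return "deny"

# "ip access-group <list> out" on the subinterface that leads to each subnet
OUTBOUND = [(ADMIN_NET, ADMIN), (ACCT_NET, ACCT), (IT_NET, IT)]

def outbound_acl_for(dst):
    """The list a packet meets when the router sends it out toward dst."""
    for cidr, acl in OUTBOUND:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(cidr):
            return acl
    raise ValueError("%s is not in a department subnet" % dst)

def ping_allowed(src, dst):
    """A ping between subnets succeeds only if the echo request passes the list on the
    way out to dst AND the echo-reply passes the list on the way back to src.
    (Traffic within one VLAN is switched, not routed, so it never meets these lists.)"""
    request = evaluate(outbound_acl_for(dst), src, dst)
    reply = evaluate(outbound_acl_for(src), dst, src)
    return request == "permit" and reply == "permit"

def summary_table():
    """Constructed sample hosts (one per subnet plus the print server) -> who can ping whom."""
    hosts = {"admin": "10.1.10.2", "print-server": PRINT_SERVER,
             "acct": "192.168.148.2", "it": "172.16.152.2"}
    return {(s, d): ping_allowed(hosts[s], hosts[d]) for s in hosts for d in hosts
            if outbound_acl_for(hosts[s]) is not outbound_acl_for(hosts[d])}

if __name__ == "__main__":
    for (s, d), ok in sorted(summary_table().items()):
        print("%-13s -> %-13s %s" % (s, d, "ping OK" if ok else "blocked"))
```

Running the block prints the same table you fill in at the back of the handout. Two things it makes visible: the reply direction is filtered by a different list than the request (an Accounting host reaches the print server only because the ACCT list also lets the print server answer), and every decision rests on source addresses alone, which is exactly what the lab's lists inspect; a host that claims 10.1.10.3 is treated as the print server, so the physical port assignments and VLAN membership from Part I are what make that address trustworthy.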
PART III

Assume that you are now to add a fourth sub-network to the company network: the Marketing sub-network. Details are as follows:

1. The Marketing department will be assigned addresses on the 48.15.224.0 network.
2. There need to be enough addresses on the sub-network to account for 2500 machines.
3. Accounting should have full access to all machines on the network.
4. IT and Administration should not be able to access any machines on this network.
5. Marketing should be able to access its own subnet.

Using this information and the preceding lab, fill out the calculation sheet at the back of the turn-in packet and turn it in with your lab. You don't have to actually implement this addition.

Appendix A: Basic Cisco Switch Commands

About this document

The purpose of this document is to give you a quick overview of how the switch user interface works, so you can have a quick start for lab setups and troubleshooting. A VLAN tutorial is also included in this document.

Similarities between routers and switches

Switches share many commands with routers; in other words, you can use many of the router commands to interact with switches and the results will be the same. For example,

    Switch# show running-config <ENTER>

will have the same effect on both devices. Therefore, make sure that you read 'Basic Cisco Router Commands.doc' before you continue reading this document.

VLANs in the MiniNet Network

VLAN configuration is typically easy; however, there are a few things that you need to know to be successful. Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.
To create VLANs, follow these simple steps:

    SwitchA# vlan database <ENTER>
    SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
    SwitchA(vlan)# exit
    SwitchA# configure terminal <ENTER>
    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# switchport mode access <ENTER>
    SwitchA(config-if)# switchport access vlan 2 <ENTER>
    SwitchA(config-if)# end

Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

For VLAN information to be passed between switches, trunking must be configured between switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner in which frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:

1) Inter-Switch Link Protocol (ISL): Cisco proprietary trunking protocol;
2) IEEE 802.1Q (dot1q): industry standard trunking protocol;
3) LAN Emulation (LANE): used for trunking VLANs over ATM links; and
4) IEEE 802.10 (dot10q): Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands (the encapsulation is set before the port is put into trunk mode, as in Section III of the lab):

    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
    SwitchA(config-if)# switchport mode trunk <ENTER>
    SwitchA(config-if)# end

Then go to the other switch and repeat these commands on the respective interface. This is important; otherwise the two switches will not be able to communicate with each other.
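The frame tagging that Section III and this appendix describe, as an added example that is not part of the lab handout: a small Python builder and parser for 802.1Q-tagged Ethernet frames, plus a model of the allowed-VLAN filter that the switchport trunk allowed vlan commands configure. The MAC addresses and payload are constructed; the allowed set {1, 2, 3, 4} is the one Section III adds back with "add 1-4"; treating an untagged frame on a trunk as VLAN 1 is an assumption about Cisco's default native VLAN, and the function names are mine.

```python
import struct

TPID_8021Q = 0x8100       # Ethertype value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1           # assumed default native VLAN: untagged frames on a trunk belong to it

# Constructed sample MAC addresses and the lab's allowed set ("switchport trunk allowed vlan add 1-4")
DST_MAC = bytes.fromhex("0000000a0b0c")
SRC_MAC = bytes.fromhex("0000000d0e0f")
LAB_ALLOWED = {1, 2, 3, 4}

def build_frame(dst_mac, src_mac, vlan_id, payload, pcp=0):
    """Tagged frame: dst(6) src(6) TPID(2) TCI(2) ethertype(2) payload.
    TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def build_untagged_frame(dst_mac, src_mac, payload):
    """Plain frame as it leaves an access port: no tag, the ethertype follows the MACs."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]

def trunk_forwards(frame, allowed_vlans):
    """Model of the allowed-VLAN filter on a trunk port: the frame crosses the trunk
    only if its VLAN is in the allowed set. An untagged frame counts as the native VLAN."""
    vid, _, _ = parse_frame(frame)
    vid = NATIVE_VLAN if vid is None else vid
    return vid in allowed_vlans

if __name__ == "__main__":
    for vid in (2, 3, 4, 10):
        f = build_frame(DST_MAC, SRC_MAC, vid, b"\x45\x00")
        print(vid, parse_frame(f)[0], "forwarded" if trunk_forwards(f, LAB_ALLOWED) else "dropped")
```

Running the block shows VLANs 2, 3 and 4 crossing the trunk and a frame tagged for VLAN 10 being dropped, which is the effect of the "remove 1-4094" / "add 1-4" pair: pruning the allowed list to the VLANs actually in use means a frame tagged for a VLAN that was never meant to cross the link is discarded at the trunk rather than delivered to the far switch. The length checks in the parser matter because a truncated tag would otherwise be read as payload.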
To limit which VLANs will be allowed to pass information on the port, you can use the following commands:

    SwitchA(config)# interface fastethernet <interface_number> <ENTER>
    SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005 <ENTER>
    SwitchA(config-if)# switchport trunk allowed vlan add 1-3 <ENTER>

Then you will have to repeat these commands on the other switch. The previous commands remove the default of all VLANs and add back support for VLANs 1-3.

Finally, to avoid having to reconfigure your VLANs in case the switches are rebooted, type the following:

    SwitchA# copy running-config startup-config <ENTER>

Appendix B: Basic Cisco Router Commands

References on the www and hardcopy

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/rbkixol.htm
Cisco Router Configuration, 2nd Edition: A Practical Introduction to Cisco IOS Software Configuration.

About this document

The purpose of this document is to give you a quick overview of how the router interface works, so you can have a quick start for lab setups and troubleshooting.

Configuring a Router from Scratch

If the router is turned on for the first time, or if the router has a missing startup-config file, then you will see a message that says:

    Would you like to enter the initial configuration dialog? [yes/no]:

At this message just type no and press the <ENTER> key. You will see the router prompt as 'Router>'. This means that the default running configuration was loaded; in other words, the router is not configured. To configure it, you will have to type 'enable' followed by pressing the <ENTER> key. It will not ask you for a password, since none has been set up when starting from scratch. Now you will see the router prompt as 'Router#'.

Editing Commands

The following commands or key-strokes are used to move around the command line inside the router.
Command                          Description
<CTRL>+A                         Moves to the beginning of the command line
<ESC>+B                          Moves back one word
<CTRL>+B or Left Arrow key       Moves back one character
<CTRL>+E                         Moves to the end of the command line
<CTRL>+F or Right Arrow key      Moves forward one character
<ESC>+F                          Moves forward one word
<CTRL>+K                         Deletes all characters from the cursor until the end of the line
<CTRL>+P or Up Arrow key         Recalls last (previous) command
<CTRL>+N or Down Arrow key       Recalls most recent command
>show history or #show history   Shows command buffer
<TAB>                            Command completion: completes a partial command name
?                                Displays all available commands or command parameters

Three command modes used in routers are EXEC-Mode, Privileged EXEC-Mode, and Global Configuration Mode. There are other command modes, but these are the main ones.

EXEC-Mode Commands
Provides a limited subset of commands. The first time you connect to a router, this is the mode that you will be in. The command prompt has the form ‘Router>’. To get a list of commands type ‘?’. If you see --More--, the screen can be advanced by pressing either the <ENTER> key, which scrolls one line, or <SPACE>, which scrolls one page.

Privileged EXEC-Mode Commands
Provides access to all commands in the router. To enter Privileged EXEC-Mode from EXEC-Mode, type enable <ENTER>. If a password has been set up for Privileged EXEC-Mode, you will be asked for it. It is assumed that the router has been reset to its default settings and that it does not have any passwords set up. Some of the commands that you will need to use are shown in the following table.

Command                               Description
configure terminal                    Enters Global Configuration Mode.
copy                                  Copies configuration or image data.
copy running-config startup-config    Stores the current configuration in RAM into NVRAM.
copy running-config <file_name>       Copies the current configuration in RAM into <file_name> located on the flash: device.
dir [device]                          Lists the files on a given device; use dir ? for a list of possible parameters for device.
disable                               Turns off privileged commands.
enable password                       Sets a local password to control access to various privileged levels.
enable secret                         Specifies an additional layer of security over the enable password command.
erase startup-config                  Erases the content of NVRAM.
erase                                 Erases Flash or configuration memory.
exit                                  Exits any configuration mode, or closes an active terminal session and terminates the EXEC.
reload                                Halts and performs a cold restart; reloads the operating system. It will also reload the startup-config file if available.
ping                                  Sends an echo request; diagnoses basic network connectivity.
show [options]                        This is a very important command, since you can display a great variety of router information. Type ‘show ?’ to display all your possible options.
show running-config                   Displays the current configuration in RAM.
show interfaces                       Displays statistics for all interfaces configured on the router.
show ip interface                     Displays the status and global parameters associated with an interface.
show ip protocols                     Displays the parameters and current state of the active routing protocol process.
show startup-config                   Displays the saved configuration, which is the contents of NVRAM.
more                                  Displays the contents of a file.
setup                                 Enters the setup command facility.
?                                     Displays all available commands or command parameters.

Global Configuration Mode
This mode allows you to make changes to the running configuration. You will need to know more about this mode than any other. From here you can configure routing protocols, interfaces, subinterfaces, and more. To enter Global Configuration Mode, you will need to be in Privileged EXEC-Mode. Then type ‘configure terminal <ENTER>’. From this mode you have access to two sub-modes: the Interface Configuration mode and the Sub-interface Configuration mode. To enter either of these modes, you will need to type the interface command followed by an interface or a subinterface.
Notice that some routers have three physical interfaces, but other routers have only one physical interface. In the case of routers with only one interface, subinterfaces are created on top of the physical interface (more details on this are given later on). In addition, interfaces are named as either EthernetX/Y or FastEthernetX/Y, where X will normally take numbers between 0-1, and Y will normally take values like 0, 1, 2, 3, 0.1, 0.2, or 0.3 (the values for X and Y given here apply to our lab setup only; they could be different in other network setups). Also, routers have a mixture of Ethernet and FastEthernet interfaces, whereas switches (in our lab network) have FastEthernet interfaces. Take a look at the ‘ece4110-2004-02Fall-labs-7-and-8-LabSetup.xls’ file to get familiar with the router interface names.

The following table shows some commands and subcommands that you can use in Global Configuration mode.

Command               Description
interface             Configures an interface type and enters interface configuration mode.
ip address            Assigns an address and a subnet mask and starts IP processing on an interface.
ip default-network    Establishes a default route.
ip host               Makes a static name-to-address entry in the router’s configuration file.
ip route              Establishes static routes.
line                  Identifies a specific line for configuration and starts the line configuration command collection mode.
login                 Logs in as a particular user. Enables password checking at login.
network               Assigns a Network Information Center-based address to which the router is directly connected.
no shutdown           Restarts a disabled interface.
router                Starts a routing process by first defining an IP routing protocol. For example, router rip selects RIP as the routing protocol.
encapsulation         Sets the encapsulation type for an interface. This is used to attach a sub-interface to a specific VLAN.
full-duplex           Configures full-duplex operational mode.
half-duplex           Configures half-duplex and related commands.
?                     Displays all available commands or command parameters.

Configuration Examples
To configure a router with interfaces Ethernet0, Ethernet1, and FastEthernet0 to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to use the following command sequence from Global Configuration mode.

Router(config)# interface Ethernet0 <ENTER>
Router(config-if)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
# It is optional to type exit after you have configured one interface and before
# configuring the next one
Router(config-if)# interface Ethernet1 <ENTER>
Router(config-if)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0 <ENTER>
Router(config-if)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# end <ENTER>

To configure a router with interfaces Ethernet0/0, Ethernet1/0, and FastEthernet0/0 to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to replace the respective interface names on the command lines shown above.

To configure a router with only one physical interface, FastEthernet0/0, to route packets between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, you will have to use the following command sequence from Global Configuration mode.
Router(config)# interface FastEthernet0/0 <ENTER>
Router(config-if)# no ip address <ENTER>
Router(config-if)# no ip mroute-cache <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0/0.1 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
Router(config-subif)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.2 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>
Router(config-subif)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.3 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
Router(config-subif)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# end <ENTER>
# you will have to replace <vlan_numberX> with the corresponding VLAN number

Appendix C: Saving and restoring your configurations

The scripts for uploading and downloading configurations are located on the NAS in the Lab6 directory. They are in a tarball named mnet_tools_v1.5.tar. Copy this file to your /root directory and unpack it using:

# tar -xf mnet_tools_v1.5.tar
# cd mnet_tools_v1.5

Before these scripts will work, the following two Perl modules must be installed:

IO-Tty-1.02.tar.gz
Expect-1.15.tar.gz

Here's how to install the modules. First install IO-Tty-1.02.tar.gz:

# tar -zxvf IO-Tty-1.02.tar.gz
# cd IO-Tty-1.02
# perl Makefile.PL
# make
# make install

Then install Expect-1.15.tar.gz:

# tar -zxvf Expect-1.15.tar.gz
# cd Expect-1.15
# perl Makefile.PL
# make
# make install

Now you can run minictrl.pl to make sure it is working correctly. The program should output its usage and exit.

# ./minictrl.pl

Now, some notes on the actual scripts: the extensions "p1", "p2", and "p3" on the scripts below refer to playstation #1, playstation #2, and playstation #3 respectively.
Each group of files is described below.

Download and upload of configurations is based on the Perl Expect module. The nature of this module is complex and finicky, so sometimes it is necessary to run an upload or download script multiple times in order to successfully upload or download. Currently, three tries are given for each upload and download, so you may see errors during the download or upload process. However, at the end of the script you should see a success message printed, indicating that one of the three tries was successful.

download_reset_p1, download_reset_p2, download_reset_p3
These scripts are used to download reset configurations. The network devices should be configured to their reset configuration before running these scripts. Then these scripts can be executed to store a "reset" configuration. YOU NEVER NEED TO RUN THIS SCRIPT. The reset configurations are included in the tarball: reset1, reset2, and reset3.

reset_p1, reset_p2, reset_p3
These scripts return the playstations to a "reset" configuration, which must first be downloaded using the download_reset scripts above.

download_p1, download_p2, download_p3
These scripts are used to download all network device configurations for the devices in the given playstation. The configurations are stored in files in a subfolder called playstation1, playstation2, and playstation3 respectively. Download time can vary from 30-60 seconds.

upload_p1, upload_p2, upload_p3
These scripts are used to restore device configurations. They can only be executed after successfully downloading configurations using the download scripts. Upload time can vary from 3-5 minutes because the network devices must be reloaded, which takes several minutes.

CM_Library.pm
Library used by minictrl to download, upload, and connect to the Digi.

minictrl.pl
Tool that does the downloading and uploading of configurations.

single_cmd
Internal wrapper tool.

ECE 4110 Internetwork Programming
Turn-in sheet
Lab 7: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists
Group Number: ________
Member Names: _________________________ _________________________
Date: _____________________

Part 1 Check-off point: show the lab TA your working network.
TA Signature _______________________ DATE ______________________

Part 2 Check-off point: show the lab TA a PC acting as 192.168.148.2 with working ACLs.
TA Signature _______________________ DATE ______________________

Turn-in List
1. The turn-in sheet from the back of the lab
2. Physical Cabling Diagram
3. Access Control List Summary Table
4. Marketing Network Setup Sheet

Group Number____________________ Names:______________________________ Date:_________________________ Playstation #:____________________

Physical Cabling Diagram (figure; only its labels survived extraction): Floor1_switch (Digi #___), Floor2_switch (Digi #___), Floor1_router (Digi #___), Floor1_computers (Digi #___), Floor2_computers (Digi #___), and a PC (for Part II of the lab), with port labels Ethernet 0/0, Ethernet 0/1, Ethernet 1/0, and Fast Ethernet 0/0.

Group Number____________________ Names:______________________________ Date:_________________________

Access Control List Summary Table:

From:            To:              Allowed (YES or NO)?
10.1.10.2        10.1.10.3        ________
10.1.10.2        192.168.148.3    ________
10.1.10.2        172.16.152.3     ________
192.168.148.2    10.1.10.3        ________
192.168.148.2    10.1.10.2        ________
192.168.148.2    192.168.148.3    ________
192.168.148.2    172.16.152.3     ________
172.16.152.2     10.1.10.3        ________
172.16.152.2     192.168.148.3    ________
172.16.152.2     172.16.152.3     ________
Group Number____________________ Names:______________________________ Date:_________________________

Part III: Marketing Network Setup

Need: 2500 machines
Network address: 48.15.224.0 / ____
Netmask: ____.____.____.____
Wildcard Mask: ____.____.____.____

Calculations:

ACL Setup: Fill in the commands you would use to set up the MKTING access control list.

Router(config)# ip access-list standard MKTING <ENTER>
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)# deny any log <ENTER>
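The worksheet above hinges on two mechanics that are easy to get backwards: the wildcard mask is the bitwise inverse of the netmask (0 bits must match, 1 bits are ignored), and a standard ACL is evaluated top-down with the first match deciding and an implicit deny at the end. This added example (not part of the lab handout) derives netmask and wildcard from a prefix length, sizes a prefix for a host count, and evaluates a standard ACL against source addresses. The example ACL is constructed from the lab's three host subnets assumed to be /24s; it is not the MKTING answer.

```python
import ipaddress


def netmask_from_prefix(prefix_len: int) -> str:
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is 'don't care'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def prefix_for_hosts(host_count: int) -> int:
    """Longest prefix whose block still leaves host_count usable addresses
    (block size minus the network and broadcast addresses)."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= host_count:
            return prefix
    raise ValueError("too many hosts for IPv4")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL test: compare only the bits the wildcard marks as 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate_standard_acl(entries, src: str) -> str:
    """First matching entry wins; a source matching nothing hits the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def render_named_acl(name: str, entries) -> str:
    """Render entries as the named standard ACL commands used in the lab
    (the worksheet's final line adds 'log' to record denied packets)."""
    lines = [f"ip access-list standard {name}"]
    for action, base, wildcard in entries:
        target = "any" if wildcard == "255.255.255.255" else f"{base} {wildcard}"
        lines.append(f" {action} {target}")
    return "\n".join(lines)


# Constructed example: permit two of the lab subnets (assumed /24), deny everything else.
EXAMPLE_ACL = [
    ("permit", "10.1.10.0", "0.0.0.255"),
    ("permit", "172.16.152.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # explicit 'deny any'
]
```

Swapping the order of a permit and a broader deny in `EXAMPLE_ACL` changes the verdict for every address in the overlap, which is why ACL entries are tested in the order they are typed.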