ECE 4110 Internetwork Programming
Lab 7: Setting up Burdell Inc. Network Using Multiple Switches and Access Control
Lists
Group Number: ________
Member Names: _________________________
              _________________________
Date Issued: 3/29/2006
Date Due: 4/6/2006
Last Edited: 3/29/2006
NOTICE: Because there are only three setups, each group will need to sign up for timeslots on the
sheets attached to the lab door. You can only sign up for a total of 2 hours (4 slots) at a time, AND
YOU MUST USE THE SAME SETUP FOR THE ENTIRE LAB. These can either be in a row or
spread out, but no group can have more than 4 slots reserved at any one time. Once one of your slots
has expired, you can sign up for another one. See Appendix C for instructions on how to save and
reload your work if you need to leave and continue later.
PLAYSTATION #: ________________
Lab Goals
- Set up a network using multiple routers and switches
- Learn about trunk ports and trunking
- Learn about access control lists and use them to control information flow
PART I
You have recently graduated from Georgia Tech and you are now working for a company called Burdell
Inc as a network engineer. You are presented with the following scenario:
Burdell Inc occupies a two floor office building and is made up of three departments, Administration,
Accounting, and Information Technology (IT). The Administrative department is currently in need of 100
workstations and is forecasted to grow by an additional 100 machines in the foreseeable future. The
Accounting department needs 1000 workstations and is not expected to grow beyond its present size. The
IT department is constantly growing. IT presently needs 900 workstations and is expected to grow to twice
that size.
In an effort to promote company unity and spirit, the management at Burdell Inc has decided to have
members of all three departments work on both floors, i.e. no one department is physically isolated. Both
floors accommodate workers from Accounting, Administration, and IT. Each department has its own
VLAN, and all workers on each floor and between floors should be able to communicate with each other.
Figure 1, below, shows the network topology.
[Figure 1 not reproduced. It shows the floor 1 switch (ports 0/1, 0/2, 0/3, 0/4, 0/5) and the floor 2 switch (ports 0/1, 0/2, 0/3, 0/4), with the departments labeled VLAN 1 Administration, VLAN 2 Accounting, and VLAN 3 Information Technology.]
Figure 1. Burdell Inc’s network topology diagram
This lab requires two switches, one router, and six end station PCs. However, we will not use six end station
PCs; instead we will emulate the six PCs using the ping capability of Cisco 1760 interfaces, with two
more Cisco 1760s standing in for the PCs. This saves us from having to dedicate six PCs to this lab
assignment. We will need one PC, which we will use to test our setup. Thus the equipment required will be
two switches, three routers, and one end station PC. We will use this equipment to emulate the network in
Figure 1.
Section I: Logging into the Routers/Switches
All of the routers and switches are accessible from the console manager ports. See Table 1.
Table 1. Console manager port assignments
Playstation    Part                 Name                Console Manager Port Assignment
Playstation1   Cisco 3550 Switch    floor1_switch       5
               Cisco 3550 Switch    floor2_switch       6
               Cisco 1760 Router    floor1_router       7
               Cisco 1760 Router    floor1_computers    8
               Cisco 1760 Router    floor2_computers    9
Playstation2   Cisco 3550 Switch    floor1_switch       14
               Cisco 3550 Switch    floor2_switch       15
               Cisco 1760 Router    floor1_router       16
               Cisco 1760 Router    floor1_computers    17
               Cisco 1760 Router    floor2_computers    18
Playstation3   Cisco 3550 Switch    floor1_switch       23
               Cisco 3500 Switch    floor2_switch       24
               Cisco 1760 Router    floor1_router       25
               Cisco 1760 Router    floor1_computers    26
               Cisco 1760 Router    floor2_computers    27
The enable password for all of these machines is owen.
In order to connect to the console manager you need to set up your network card to access its network:
# ifconfig eth0:0 192.168.254.<100+group #>
So group 1 is 192.168.254.101, and so forth. You will need to do this every time you power off your
machine. What this does is set up a virtual interface, so you have two IP addresses on one network card.
This allows you access to two networks with only one interface card.
To connect to the CM32:
#ssh [email protected]
If it comes up, Type yes to the RSA question.
password: playstationX
You will be using a series of scripts to help you set up the routers and save your work. These scripts
are described in detail in Appendix C. These should still be installed from Lab 6. If not, go to
Appendix C and install the scripts according to the directions. Once this is done, MAKE SURE NO
ONE ELSE IS USING THE PLAYSTATION YOU WANT TO USE. This is very important, as you
are about to reset the configuration and all of their work will be lost.
Now that you are sure no one else is using the playstation, reset your chosen playstation by running the
reset_pX script in the mnet_tools_v1.5 directory. Several windows should pop up. DO NOT CLOSE
THEM UNTIL IT IS SAFE TO DO SO. If you are on playstation 1 or 2, you will get an error in one of
the windows about VPN or Firewall processing not being enabled; ignore this for now. Once all of the
other windows say it is safe to close them, do so. Now run the download_pX script to save the current
configuration. From now on, you’ll run the download_pX script to save your work, and the upload_pX to
restore the configuration of the playstation to the last saved state. Before running the upload script, MAKE
SURE NO ONE ELSE IS USING THE PLAYSTATION.
Log into each of the machines and change its name to match Table 1. From global configuration mode:
Machine(config)#hostname <name>
To go back to the console manager screen, hit <CTRL+z> and then hit x.
Section II: Switch Configuration
Refer to Appendix A for a list of switch configuration commands and their descriptions.
While in Privileged EXEC-Mode, you can view the running configuration by typing show running-config.
This contains information about all the interfaces and vlans you’ve set up.
Table 2 lists the different VLANs assigned to each department in our company.
Table 2. Department VLANs
VLAN   DEPARTMENT
2      Administration
3      Accounting
4      Information Technology
Note: In Figure 1, the Administration VLAN is labeled as VLAN 1, Account as VLAN 2, etc. THIS
IS INCORRECT. Use the VLAN numbers in Table 2 for the entirety of this lab.
One switch is placed on each office floor. Three switch ports (on each switch) are configured, one for each
VLAN as illustrated by Table 2. Use the switch interface numbers shown in Figure 1 and the vlan names
and numbers from Table 2 (note that in Figure 1 the VLANs are listed 1-3, and in Table 2 2-4).
To create VLANs inside the switch, follow these simple steps:
SwitchA# vlan database <ENTER>
SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
SwitchA(vlan)# exit
Do this for each of the vlans in Table 2. Now configure the interfaces to access those vlans:
SwitchA# configure terminal <ENTER>
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport mode access <ENTER>
SwitchA(config-if)# switchport access vlan <enter a number here> <ENTER>
In the next command, <SPEED> depends on the router interface connected to it. Because IT is setting up
this entire network, they decide to give themselves the higher speed connections. Therefore, the
FastEthernet ports on floor1_computers and floor2_computers will be assigned VLAN 4. Now, assign the
correct operation speed to the interface: <SPEED> = 10 for Ethernet interfaces and 100 for FastEthernet.
SwitchA(config-if)# speed <SPEED> <ENTER>
SwitchA(config-if)# duplex full <ENTER>
SwitchA(config-if)# no shutdown
SwitchA(config-if)# end
Use the above configuration procedure to configure each of the used switch interfaces for each switch. (Do
this on the switch, not on the routers). Once you are done, it is a good idea to download your
configuration so you do not lose it.
Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to
1000.
Section III: Trunking Switch Ports
For VLAN information to be passed between the two switches, trunking must be configured between the
switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches.
Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When
implementing trunking between switches, the ports at either end of the connection must be set up for trunk
mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner that frames
are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking
encapsulations: 1) Inter-Switch Link Protocol (ISL) Cisco proprietary trunking protocol; 2) IEEE 802.1Q
(dot1q) Industry standard trunking protocol; 3) LAN Emulation (LANE) Used for trunking VLANs over
ATM links; and 4) IEEE 802.10 (dot10q) Cisco proprietary method for transporting VLAN information
inside standard FDDI frames.
To setup trunking between two switches, use the following commands:
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# no switchport mode dynamic desirable <ENTER>
SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
SwitchA(config-if)# switchport mode trunk <ENTER>
SwitchA(config-if)# end
Then, go to the other switch, and repeat these commands on the respective interface. This is important,
otherwise the switches will not be able to communicate to each other.
To limit which VLANs will be allowed to pass information on the port you can use the following
commands:
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan remove 1-4094 <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan add 1-4 <ENTER>
Then, you will have to repeat these commands on the other switch. The previous commands remove the
default of all VLANs and add back support for VLANs 1-4.
Note: On one of the switches one additional port has to be trunked. This additional trunk port is used to
connect a router to the switch. The use of the router will be explained in the following section. Set up the
trunking on the floor one switch for the floor one router now (see Figure 1 for the port number). The
switch port will be connected to the router’s FastEthernet port (SPEED = 100).
Section IV: Router Configuration
Refer to Appendix B for a list of router configuration commands and their descriptions.
Hosts on one VLAN cannot communicate with hosts on another VLAN since VLANs form separate
broadcast domains. As a result, a router needs to be used to route packets from one VLAN to another
VLAN. The router will be connected to the additional trunk port created on the switch above. The router
port also needs to be trunked since the router port will be passing packets from multiple VLANs.
Before configuring the router, the subnets, the assignable machine address ranges, and the required network
prefixes for each department have to be determined. Let's use the assignments in Table 3. Notice that
the subnets are not all the same length.
Table 3. Department subnets and subnet workstation capacity
Department               Current Size     Future Size      Subnet              Subnet Capacity
                         (Workstations)   (Workstations)                       (Workstations)
Administration           100              200              10.1.10.0/24        2^(32-24) - 2 = 2^8 - 2 = 254
Accounting               1000             1000             192.168.148.0/22    2^(32-22) - 2 = 2^10 - 2 = 1022
Information Technology   900              1800             172.16.152.0/21     2^(32-21) - 2 = 2^11 - 2 = 2046
Log into the router and use the following commands to configure the Fastethernet0/0 port as the trunk port
that will be connected to the additional trunk port on the switch.
Router(config)# interface FastEthernet 0/0 <ENTER>
Router(config-if)# no ip address <ENTER>
Router(config-if)# no ip mroute-cache <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet 0/0.1 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
Router(config-subif)# ip address 10.1.10.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet 0/0.2 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>
Router(config-subif)# ip address 192.168.148.1 255.255.252.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet 0/0.3 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
Router(config-subif)# ip address 172.16.152.1 255.255.248.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# end <ENTER>
You will have to replace <vlan_numberX> with the corresponding vlan as shown in the network diagram.
Section V: Testing Network Connectivity
Table 3. Workstation configurations
Workstation   One example IP address on floor1   One example IP address on floor2   Subnet Mask      Default Gateway
A (VLAN 2)    10.1.10.2                          10.1.10.3                          255.255.255.0    10.1.10.1
B (VLAN 3)    192.168.148.2                      192.168.148.3                      255.255.252.0    192.168.148.1
C (VLAN 4)    172.16.152.2                       172.16.152.3                       255.255.248.0    172.16.152.1
If we were to use six PCs as workstations in this lab, we would configure the six workstations using the
above example IP addresses. We would use the following commands on each of the six PCs to set
their individual IP addresses (example for one machine):
Prompt> ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
Prompt> route add default gw 10.1.10.1
However, we are not going to do it this way. Instead we are going to use another router with three
interfaces to act as three machines (three different IP addresses) for the machines on floor two and again
another router for three machines on floor1.
For the computers on floor1 use:
Router(config)# interface Ethernet 0/0 <ENTER>
Router(config-if)# ip address 10.1.10.2 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface ethernet 1/0 <ENTER>
Router(config-if)# ip address 192.168.148.2 255.255.252.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface Fastethernet 0/0 <ENTER>
Router(config-if)# ip address 172.16.152.2 255.255.248.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# end <ENTER>
You will need to use the same approach for the computers on floor2.
Connect the wiring and fill in the diagram at the end of the lab to show your connections. Note that to
connect a switch to a switch you need to use a crossover cable!!! You will need to get one from a TA
and turn it in after completion of Part II of the lab. After completing the wiring you should be able to ping
from any interface on one network to any interface on any other network.
Part 1 Check-off point: show the lab TA your working network.
See turn in sheet at the back of this handout.
PART II
You have recently graduated from Ga. Tech and you are now working for a company called Burdell Inc. as
a network engineer. You have successfully setup the network described in Part I, but you have been given
some additional network requirements that need to be implemented and they are as follows:
1. Administration: The IT subnet should have unlimited access to the Administration subnet. The
   Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration
   subnet.
2. Accounting: IT should not have any access to the Accounting sub-network. Only the print server
   (10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.
3. Information Technology: Users on the Administration subnet should have unlimited access to the IT
   subnet. Users on the Accounting sub-network should have no access to the IT subnet.
4. Users on each of the three subnets should have unlimited access to their own subnet.
5. Users from any of the three subnets should be able to send icmp echo (ping) messages to and
   receive icmp echo-reply messages from subnets that they have access to.
[Figure not reproduced. It repeats the Part I topology (floor 1 and floor 2, VLAN 1 Administration, VLAN 2 Accounting, VLAN 3 Information Technology) with the ACL marked on the router.]
Figure 1. Burdell Inc’s network topology diagram
Section I: Access Control Lists
In order to meet the requirements stated above, Access Control Lists (ACLs) will be used to permit and deny
access to sub-networks where necessary. This process is called IP filtering. The packet filtering capabilities
of the Cisco IOS software filter packets based on the following criteria:
- Source IP address
- Source and destination IP address
- IP protocol types, including TCP, UDP, and ICMP
- Source and destination TCP protocol services, such as sendmail and Telnet
- Source and destination UDP protocol services, such as bootp and NetBIOS datagram
- ICMP protocol services, such as ICMP echo and ICMP port unreachable
The network administrator has a lot of flexibility when creating IP access lists and determining what is
filtered and how the filters are applied. Access list criteria are defined through the use of the access-list and
ip access-list commands. Next, the filtering criteria are applied to the desired interface using the ip access-group command.
The access list’s filtering criteria are defined in a list of permit and deny statements. The list is evaluated in
sequence, one line at a time, from top to bottom. The list is compared against the IP addresses and other
information in the data packet until a match occurs. When a match occurs the list is exited. This process
makes access lists extremely order-dependent.
By using the access-list command numbered access lists can be created. In this lab we will create named
access lists using the ip access-list command. Named and numbered access lists fall into one of two
categories, standard or extended. A standard ip access list evaluates only the source IP address of a
packet, while the extended access list can evaluate the source and destination IP address, the IP
protocol type, and the source and destination transport layer ports.
Note:
Access lists employ a concept known as the wildcard or don’t care mask. This wildcard mask is just the
inverse of a network mask. A netmask of 255.255.252.0 generates a wildcard mask of 0.0.3.255, which
means that the last 2 bits of octet 3 and all of octet 4 are don’t care bits (can be either 1 or 0).
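The subnet sizing in Table 3 and the wildcard-mask rule in the note above, worked through in code. This is an added example, not part of the lab handout; the department base addresses and head counts are the ones from Table 3.

```python
"""Subnet sizing and wildcard masks for the Burdell Inc. addressing plan.

Added example, not part of the lab handout. For each department it derives
the shortest prefix that holds the forecast head count, the netmask, the
ACL wildcard mask (the netmask's bitwise inverse, as the note above says),
and the usable capacity 2^(32 - prefix) - 2 from Table 3.
"""
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose block leaves `hosts` assignable addresses.
    The network and broadcast addresses of every block are not assignable,
    so the block must hold at least hosts + 2 addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    return 32 - math.ceil(math.log2(hosts + 2))


def capacity(prefix: int) -> int:
    """Usable workstation addresses in a /prefix block."""
    return 2 ** (32 - prefix) - 2


def netmask(prefix: int) -> str:
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def wildcard(prefix: int) -> str:
    """Wildcard ('don't care') mask: a 1 bit means the ACL ignores that bit."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix))


def plan(base: str, future_hosts: int) -> dict:
    """Size the block for `future_hosts` starting at `base` and report the
    values the lab asks for. 'aligned' is False when `base` is not a valid
    network address for that prefix (the block would really start earlier)."""
    p = prefix_for_hosts(future_hosts)
    net = ipaddress.IPv4Network(f"{base}/{p}", strict=False)
    assert str(net.hostmask) == wildcard(p)      # cross-check against the stdlib
    return {
        "prefix": p,
        "subnet": str(net),
        "netmask": netmask(p),
        "wildcard": wildcard(p),
        "capacity": capacity(p),
        "aligned": str(net.network_address) == base,
    }


# Base address and forecast head count of each department, from Table 3.
DEPARTMENTS = {
    "Administration": ("10.1.10.0", 200),
    "Accounting": ("192.168.148.0", 1000),
    "Information Technology": ("172.16.152.0", 1800),
}

if __name__ == "__main__":
    for name, (base, future) in DEPARTMENTS.items():
        r = plan(base, future)
        print(f"{name:<23} {r['subnet']:<19} mask {r['netmask']:<16} "
              f"wildcard {r['wildcard']:<12} capacity {r['capacity']}")
```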
Section II: Defining ADMIN ACL
Administration: The IT subnet should have unlimited access to the Administration subnet. The
Accounting subnet should only be able to access the print-server (10.1.10.3) on the Administration subnet.
First, the access list that is going to be assigned to the router interface used to access the Administration
subnet will be called ADMIN. The access lists applied to the other router interfaces will be called ACCT
and IT respectively.
Type the following commands while in the Global Configuration mode on the floor1_router.
The following access list is an extended access list in which we will evaluate first the source IP address as
well as (second on the same line) the destination IP address.
Router(config)# ip access-list extended ADMIN <ENTER>
Router(config-ext-nacl)# permit ip 172.16.152.0 0.0.7.255 10.1.10.0 0.0.0.255 <ENTER>
Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 host 10.1.10.3 <ENTER>
Router(config-ext-nacl)# permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 <ENTER>
Router(config-ext-nacl)# deny ip any any log <ENTER>
Router(config-ext-nacl)# exit
When this list is applied to the outgoing packets on the floor1_router interface going to the Administration
subnet, the above list permits access (to the Administration subnet) from all users on the 172.16.152.0/21
(IT) subnet. It also permits users on the Accounting subnet access to 10.1.10.3. The third rule gives users
on the Administration subnet access to their own subnet. Think about why the wildcard masks (the
second and fourth sets of numbers on the 2nd, 3rd, and 4th lines) are what they are; you’ll need to
compute your own for Part III. The last line of the list has an explicit deny. This means that any packet
failing to match the filtering criteria of one of the lines of the access list is denied. All access lists have an
implicit deny, so the last line does not have to be included, but it is recommended that you include it.
The keyword log causes all packets that fail to match the list to have the violation logged to the screen.
Section III: Defining ACCT ACL
Accounting: IT should not have any access to the Accounting sub-network. Only the print server
(10.1.10.3) should be able to access the Accounting sub-network from the Administration sub-network.
The following access list is an extended list in which we will evaluate first the source IP address as well as
(second on the same line) the destination IP address. Type the following commands to create a list named
ACCT:
Router(config)# ip access-list extended ACCT
Router(config-ext-nacl)# deny ip 172.16.152.0 0.0.7.255 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# permit ip host 10.1.10.3 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# permit ip 192.168.148.0 0.0.3.255 192.168.148.0 0.0.3.255
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
When this list is applied to the outgoing packets on the floor1_router interface going to the Accounting
subnet, the above list denies access from the IT sub-network to the Accounting sub-network. It also allows
access from the print-server (10.1.10.3) and from the Accounting subnet itself to the Accounting subnet.
Section IV: Defining IT ACL
Information Technology: Users on the Administration should have unlimited access to the IT subnet.
Users on the Accounting sub-network should have no access to the IT subnet.
The following list is a standard access list. Type the following commands to create the standard access list
called IT:
Router(config)# ip access-list standard IT
Router(config-std-nacl)# permit 10.1.10.0 0.0.0.255
Router(config-std-nacl)# deny 192.168.148.0 0.0.3.255
Router(config-std-nacl)# permit 172.16.152.0 0.0.7.255
Router(config-std-nacl)# deny any log
Router(config-std-nacl)# exit
The above list, when applied to the outgoing packets on the router interface connected to the IT sub-network,
will allow access from Administration to the subnet and deny all access from the Accounting subnet. It also
allows any IT hosts access to the IT subnet. Because of the nature of the permissions, it is enough to filter
on the source address of the packets; therefore, we use a standard access control list.
Section V: Applying the ACLs
Now that the ACLs have been defined, they must be applied to one or more interfaces so that packets can
be filtered. The access list is applied in either an inbound or an outbound direction on the interface.
Packets traveling in the inbound direction come into the router from the interface. When they travel in the
outbound direction, the packets leave the router and then go out onto the interface. The command ip access-group is used to apply the access list to the interface. The command takes the keyword in or out as a
parameter. If no parameter is provided, the out keyword is presumed. The following commands are used to
apply the access list to the router interfaces used to access each respective subnet.
Router(config)#interface fastethernet0/0.1
Router(config-if)#ip access-group ADMIN out
Router(config-if)#interface fastethernet0/0.2
Router(config-if)#ip access-group ACCT out
Router(config-if)#interface fastethernet0/0.3
Router(config-if)#ip access-group IT out
Router(config-if)#end
Use the show running-config command to view the router configuration that contains the ACL
definitions.
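A model of the three lists above and of the outbound direction they are applied in, useful for predicting the ping results before unplugging cables. This is an added example, not part of the lab handout; it assumes that same-VLAN traffic never reaches floor1_router and that every packet exits through the subinterface facing its destination subnet.

```python
"""Model of the three outbound ACLs (ADMIN, ACCT, IT) on floor1_router.

Added example, not part of the lab handout. It reproduces Cisco's top-to-bottom,
first-match evaluation with wildcard masks and the implicit deny, then checks an
ICMP echo round trip: the request is filtered by the ACL on the subinterface
facing the destination, the reply by the ACL facing the source (Part II, req. 5).
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is don't-care

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr_spec(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(kind: str, lines: list) -> list:
    """Parse entries as typed in the handout into (action, src, dst) tuples.
    A trailing 'log' keyword only affects logging, not the match, so it is ignored."""
    entries = []
    for line in lines:
        t = line.split()
        action, i = t[0], 1
        if kind == "extended":
            i += 1                       # skip the protocol keyword ("ip")
            src, i = _addr_spec(t, i)
            dst, i = _addr_spec(t, i)
        else:                            # a standard list tests the source only
            src, i = _addr_spec(t, i)
            dst = ANY
        entries.append((action, src, dst))
    return entries

def evaluate(acl: list, src: str, dst: str) -> str:
    """Top to bottom, first match decides; falling off the end is the implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"

# The three lists exactly as Sections II-IV of Part II define them.
ACLS = {
    "ADMIN": parse_acl("extended", [
        "permit ip 172.16.152.0 0.0.7.255 10.1.10.0 0.0.0.255",
        "permit ip 192.168.148.0 0.0.3.255 host 10.1.10.3",
        "permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255",
        "deny ip any any log"]),
    "ACCT": parse_acl("extended", [
        "deny ip 172.16.152.0 0.0.7.255 192.168.148.0 0.0.3.255",
        "permit ip host 10.1.10.3 192.168.148.0 0.0.3.255",
        "permit ip 192.168.148.0 0.0.3.255 192.168.148.0 0.0.3.255",
        "deny ip any any log"]),
    "IT": parse_acl("standard", [
        "permit 10.1.10.0 0.0.0.255",
        "deny 192.168.148.0 0.0.3.255",
        "permit 172.16.152.0 0.0.7.255",
        "deny any log"]),
}

# Department subnet -> ACL applied "out" on the floor1_router subinterface facing it.
EGRESS = {
    ipaddress.IPv4Network("10.1.10.0/24"): "ADMIN",
    ipaddress.IPv4Network("192.168.148.0/22"): "ACCT",
    ipaddress.IPv4Network("172.16.152.0/21"): "IT",
}

def subnet_of(addr: str) -> ipaddress.IPv4Network:
    for net in EGRESS:
        if ipaddress.IPv4Address(addr) in net:
            return net
    raise ValueError(f"{addr} is not on any Burdell subnet")

def one_way(src: str, dst: str) -> str:
    """Decision for one packet src -> dst as it leaves floor1_router toward dst.
    Hosts on the same VLAN are switched directly and never reach the router."""
    if subnet_of(src) == subnet_of(dst):
        return "permit"
    return evaluate(ACLS[EGRESS[subnet_of(dst)]], src, dst)

def ping_works(src: str, dst: str) -> bool:
    """A ping needs the echo request out toward dst AND the echo reply out toward src."""
    return one_way(src, dst) == "permit" and one_way(dst, src) == "permit"

if __name__ == "__main__":
    hosts = {"admin": "10.1.10.2", "print-server": "10.1.10.3",
             "acct": "192.168.148.2", "it": "172.16.152.2"}
    for a, s in hosts.items():
        for b, d in hosts.items():
            if a != b:
                print(f"ping {a:>12} -> {b:<12} {'ok' if ping_works(s, d) else 'blocked'}")
```

Running the block prints the same permit/deny grid the Access Control List Summary Table asks for, derived only from the rules as written.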
Before attempting to ping, go to the back of this lab and fill in the Access Control List Summary Table
using what you know about the rules implemented in the summary lists.
Now ping each workstation from another and ensure that inter-switch and intra-switch communication are
permitted or denied according to the specifications outlined and implemented using the access lists.
Confirm that your table is correct. Do this by unplugging one interface of floor1_computers from the
floor1_switch and plugging in one PC.
Before you go unplugging cables, however, there’s one more detail to take care of. Assume that you
unplug interface Ethernet 0/0 (10.1.10.2) from floor1_computers and set R3 to be 10.1.10.2. Now imagine
a ping packet traveling from R3 to FastEthernet 0/0 on floor1_computers (172.16.152.2). The packet
leaves R3, goes to the default gateway (10.1.10.1) enters floor1_router, gets sent out the proper
subinterface (172.16.152.1) and arrives at 172.16.152.2. Now, for the return trip, floor1_computers
consults its routing table, sees that it is directly connected to 10.1.10.0/24 through 10.1.10.2, and sends the
packet out that interface. But we just unplugged that cable, so the packet vanishes into the ether and never
gets back to R3. To avoid this, we need to define a default gateway for floor1_computers:
floor1_computers(config)# ip route 0.0.0.0 0.0.0.0 172.16.152.1 <ENTER>
The PC you will be using is R3, located on the left-most rack by the door. To the right of it you will see a
monitor with a pull-out keyboard. This is the terminal you will use to access R3. Above the monitor is a
KVM, which is used to share one monitor, keyboard, and mouse among many PCs. Push the button
labeled R3 to access the PC.
If there is no console window, click on the K on the start bar, then KNOPPIX > Root Shell. This opens up
a shell with root as the user, which is the permission level we need to change the network configuration.
Type ifconfig at the prompt; if eth0 does not show up in the listing, type ifconfig eth0 up to activate it.
The network cable from R3 has been run to port 32 of the patch panel at the top of the right-most rack.
Coming out of the port labeled 32 should be a long Ethernet cable; this cable is connected to R3’s network
card, and is what you will plug into the switch in place of the Ethernet 0/0 interface of floor1_computers.
[Prompt]# ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>
[Prompt]# route add default gw 10.1.10.1
[Prompt]# route -nv
The last command will show your PC’s routing table.
With a dashed line, draw the PC connected into the network on the wiring diagram when it is assuming the
identity of 10.1.10.2. Show this connection in the wiring diagram.
Save your configuration and demonstrate to the TA your PC acting as 10.1.10.2 with working ACLs.
Part 2 Check-off point: show the lab TA a PC acting as 10.1.10.2 with working
ACLs.
See turn in sheet at the back of this handout.
PART III
Assume that you are now to add a fourth subnetwork to the company network: the Marketing subnetwork.
Details are as follows:
1. The marketing department will be assigned addresses on the 48.15.224.0 network.
2. There need to be enough addresses on the subnetwork to account for 2500 machines.
3. Accounting should have full access to all machines on the network.
4. IT and Administration should not be able to access any machines on this network.
5. Marketing should be able to access its own subnet.
Using this information and the preceding lab, fill out the calculation sheet at the back of the turn-in packet
and turn it in with your lab. You don’t have to actually implement this addition.
Appendix A: Basic Cisco Switch Commands
About this document
The purpose of this document is to give you a quick overview of how the switch user interface
works, so you can have a quick start for lab setups and troubleshooting. Also, a VLAN tutorial is included
in this document.
Similarities between routers and switches
Switches share many commands with routers; in other words, you can use many of the router
commands to interact with switches and the results will be the same. For example, Switch# show running-config <ENTER> will have the same effect on both devices. Therefore, make sure that you read ‘Basic
Cisco Router Commands.doc’ before you continue reading this document.
VLANS in the MiniNet Network
VLAN configuration is typically easy; however, there are a few things that you need to know to be
successful. Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to
segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your
end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For
devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.
To create VLANs, follow these simple steps:
SwitchA# vlan database <ENTER>
SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>
SwitchA(vlan)# exit
SwitchA# configure terminal <ENTER>
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport mode access <ENTER>
SwitchA(config-if)# switchport access vlan 2 <ENTER>
SwitchA(config-if)# end
Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to
1000.
For VLAN information to be passed between switches, trunking must be configured between
switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches.
Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When
implementing trunking between switches, the ports at either end of the connection must be set up for trunk
mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner that frames
are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking
encapsulations: 1) Inter-Switch Link Protocol (ISL) Cisco proprietary trunking protocol; 2) IEEE 802.1Q
(dot1q) Industry standard trunking protocol; 3) LAN Emulation (LANE) Used for trunking VLANs over
ATM links; and 4) IEEE 802.10 (dot10q) Cisco proprietary method for transporting VLAN information
inside standard FDDI frames.
To set up trunking between two switches, use the following commands (the encapsulation must be set
before the port can be placed in trunk mode):
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>
SwitchA(config-if)# switchport mode trunk <ENTER>
SwitchA(config-if)# end
Then, go to the other switch, and repeat these commands on the respective interface. This is
important; otherwise, the two switches will not be able to communicate with each other.
To limit which VLANs will be allowed to pass information on the port you can use the following
commands:
SwitchA(config)# interface fastethernet <interface_number> <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005 <ENTER>
SwitchA(config-if)# switchport trunk allowed vlan add 1-3 <ENTER>
Then, you will have to repeat these commands on the other switch.
The previous commands remove the default of all VLANs and add back support for VLANs 1-3.
Finally, to avoid having to reconfigure your VLANs in case the switches are rebooted, type the
following:
RouterA# copy running-config startup-config <ENTER>
Appendix B: Basic Cisco Router Commands
References on the www and hardcopy
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/rbkixol.htm
Cisco Router Configuration, 2nd Edition, A practical Introduction to Cisco IOS Software configuration.
About this document
The purpose of this document is to give you a quick overview of how the router interface works,
so you can have a quick start for lab setups and troubleshooting.
Configuring a Router from Scratch
If the router is turned on for the first time, or if its startup-config file is missing, you will see a
message that says:
Would you like to enter the initial configuration dialog? [yes/no]:
At this message just type no and press the <ENTER> key.
You will see the router prompt as ‘Router>’. This means that the default running configuration was loaded;
in other words, the router is not configured. To configure it, type ‘enable’ and press the ‘<ENTER>’
key. It will not ask you for a password, since no password has been set on a router starting from
scratch. The router prompt will now read ‘Router#’.
Editing Commands
The following commands and keystrokes are used to move around the command line inside the
router.
Command                          Description
<CTRL>+A                         Moves to the beginning of the command line
<ESC>+B                          Moves back one word
<CTRL>+B or Left Arrow key       Moves back one character
<CTRL>+E                         Moves to the end of the command line
<CTRL>+F or Right Arrow key      Moves forward one character
<ESC>+F                          Moves forward one word
<CTRL>+K                         Deletes all characters from the cursor to the end of the line
<CTRL>+P or Up Arrow key         Recalls the last (previous) command
<CTRL>+N or Down Arrow key       Recalls the next (more recent) command in the buffer
>show history or #show history   Shows the command history buffer
<TAB>                            Command completion: completes a partial command name
?                                Displays all available commands or command parameters
The three command modes used in routers are EXEC-Mode, Privileged EXEC-Mode, and Global
Configuration Mode. There are other command modes, but these are the main ones.
EXEC-Mode Commands
Provides a limited subset of commands. The first time you connect to a router, this is the mode
that you will be in. The command prompt has the form ‘Router>’.
To get a list of commands type ‘?’. If you see --More--, the output can be advanced by pressing
either the <ENTER> key, which scrolls one line, or <SPACE>, which scrolls one page.
Privileged EXEC-Mode Commands
Provides access to all commands in the router. To enter Privileged EXEC-Mode from EXEC-Mode, type
enable <ENTER>. If a password has been set up for Privileged EXEC-Mode, you will be asked for it. It is
assumed that the router has been reset to its default settings and that it does not have any passwords
set up.
Some of the commands that you will need to use are shown in the following table.
Command                              Description
configure terminal                   Enters Global Configuration Mode.
copy                                 Copies configuration or image data.
copy running-config startup-config   Stores the current configuration in RAM into NVRAM.
copy running-config <file_name>      Copies the current configuration in RAM into <file_name>
                                     located on the flash: device.
dir [device]                         Lists the files on a given device; use dir ? for a list of
                                     possible values for device.
disable                              Turns off privileged commands.
enable password                      Sets a local password to control access to various privilege
                                     levels.
enable secret                        Specifies an additional layer of security over the enable
                                     password command.
erase startup-config                 Erases the contents of NVRAM.
erase                                Erases Flash or configuration memory.
exit                                 Exits any configuration mode, or closes an active terminal
                                     session and terminates the EXEC.
reload                               Halts and performs a cold restart; reloads the operating
                                     system and the startup-config file if available.
ping                                 Sends an echo request; diagnoses basic network connectivity.
show [options]                       A very important command: displays a great variety of router
                                     information. Type ‘show ?’ to display all possible options.
show running-config                  Displays the current configuration in RAM.
show interfaces                      Displays statistics for all interfaces configured on the router.
show ip interface                    Displays the status and global parameters associated with an
                                     interface.
show ip protocols                    Displays the parameters and current state of the active
                                     routing protocol process.
show startup-config                  Displays the saved configuration, which is the contents of
                                     NVRAM.
more                                 Displays the contents of a file.
setup                                Enters the setup command facility.
?                                    Displays all available commands or command parameters.
Global Configuration Mode
This mode allows you to make changes to the running configuration. You will need to know more
about this mode than any other. From here you can configure routing protocols, interfaces, subinterfaces,
and more. To enter Global Configuration Mode, you will need to be in Privileged EXEC-Mode.
Then type ‘configure terminal <ENTER>’.
From this mode you have access to two sub-modes: the Interface Configuration mode and the
Sub-interface Configuration mode. To enter either of these modes, type the interface command
followed by an interface or a subinterface name.
Notice that some routers have three physical interfaces, while others have only one. On routers with
a single physical interface, subinterfaces are created on top of it (more details are given later on). In
addition, interfaces are named either EthernetX/Y or FastEthernetX/Y, where X normally takes values
between 0 and 1, and Y normally takes values like 0, 1, 2, 3, 0.1, 0.2, or 0.3 (the values for X and Y
given here apply to our lab setup only; they could be different in other network setups). Also, routers
have a mixture of Ethernet and FastEthernet interfaces, whereas the switches in our lab network have
FastEthernet interfaces. Take a look at the ‘ece4110-2004-02Fall-labs-7-and-8-LabSetup.xls’ file to
get familiar with the router interface names.
The following table shows some commands and subcommands that you can use in Global
Configuration mode.
Command              Description
interface            Configures an interface type and enters interface configuration mode.
ip address           Assigns an address and a subnet mask and starts IP processing on an interface.
ip default-network   Establishes a default route.
ip host              Makes a static name-to-address entry in the router’s configuration file.
ip route             Establishes static routes.
line                 Identifies a specific line for configuration and starts the line configuration
                     command collection mode.
login                Logs in as a particular user. Enables password checking at login.
network              Assigns a Network Information Center-based address to which the router is
                     directly connected.
no shutdown          Restarts a disabled interface.
router               Starts a routing process by first defining an IP routing protocol. For example,
                     router rip selects RIP as the routing protocol.
encapsulation        Sets the encapsulation type for an interface; used to attach a subinterface to a
                     specific VLAN.
full-duplex          Configures full-duplex operational mode.
half-duplex          Configures half-duplex operational mode and related commands.
?                    Displays all available commands or command parameters.
Configuration Examples
To configure a router with interfaces Ethernet0, Ethernet1, and FastEthernet0 to route packets
between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, use the following command sequence from
Global Configuration mode.
Router(config)# interface Ethernet0 <ENTER>
Router(config-if)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
# It is optional to type exit after you have configured one interface and before
# configuring the next one; the interface command is accepted from interface mode as well.
Router(config-if)# interface Ethernet1 <ENTER>
Router(config-if)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0 <ENTER>
Router(config-if)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# end <ENTER>
To configure a router with interfaces Ethernet0/0, Ethernet1/0, and FastEthernet0/0 to route packets
between subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, replace the respective interface names on the
command lines shown above.
To configure a router with only one physical interface, FastEthernet0/0, to route packets between
subnetworks 10.1.1.0, 10.1.2.0, and 10.1.3.0, use the following command sequence from Global
Configuration mode. The physical interface carries no IP address of its own; each subnetwork is
placed on a dot1Q subinterface tagged with its VLAN.
Router(config)# interface FastEthernet0/0 <ENTER>
Router(config-if)# no ip address <ENTER>
Router(config-if)# no ip mroute-cache <ENTER>
Router(config-if)# speed auto <ENTER>
Router(config-if)# full-duplex <ENTER>
Router(config-if)# no shutdown <ENTER>
Router(config-if)# interface FastEthernet0/0.1 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>
Router(config-subif)# ip address 10.1.1.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.2 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>
Router(config-subif)# ip address 10.1.2.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# interface FastEthernet0/0.3 <ENTER>
Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>
Router(config-subif)# ip address 10.1.3.1 255.255.255.0 <ENTER>
Router(config-subif)# no shutdown <ENTER>
Router(config-subif)# end <ENTER>
# Replace <vlan_numberX> with the corresponding VLAN number; each subinterface carries
# exactly one tagged VLAN, so these numbers must match the VLANs defined on the switch.
Appendix C: Saving and restoring your configurations
The scripts for uploading and downloading configurations are located on the NAS in the Lab6 directory.
They are in a tarball named mnet_tools_v1.5.tar. Copy this file to your /root directory, and unpack it using:
# tar -xf mnet_tools_v1.5.tar
# cd mnet_tools_v1.5
Before these scripts will work, the following two perl modules must be installed:
IO-Tty-1.02.tar.gz
Expect-1.15.tar.gz
Here's how to install the modules:
First install IO-Tty-1.02.tar.gz
# tar -zxvf IO-Tty-1.02.tar.gz
# cd IO-Tty-1.02
# perl Makefile.PL
# make
# make install
Then install Expect-1.15.tar.gz
# tar -zxvf Expect-1.15.tar.gz
# cd Expect-1.15
# perl Makefile.PL
# make
# make install
Now you can run minictrl.pl to make sure it is working correctly. The program should print its usage and
exit.
# ./minictrl.pl
Now, some notes on the actual scripts:
The extensions "p1", "p2", and "p3" on the scripts below refer to playstation #1, playstation #2, and
playstation #3 respectively. Each group of files is described below.
Download and upload of configurations is based on a perl Expect module. The nature of this module is
complex and finicky. Therefore, sometimes it is necessary to run an upload or download script multiple
times in order to successfully upload or download. Currently, three tries are given for each upload and
download. Therefore, you may see errors in the download or upload process. However, at the end of the
script, you should see a successful message printed indicating that one of the three tries was successful.
download_reset_p1
download_reset_p2
download_reset_p3
These scripts are used to download reset configurations. The network devices should be configured to their
reset configuration before running these scripts. Then these scripts can be executed to store a "reset"
configuration. YOU NEVER NEED TO RUN THIS SCRIPT. The reset configurations are included
in the tarball: reset1, reset2, and reset3.
reset_p1
reset_p2
reset_p3
These scripts return the playstations to a "reset" configuration, which must be downloaded using the
download_reset scripts above first.
download_p1
download_p2
download_p3
These scripts are used to download all network device configurations for the devices in the given playstation.
The configurations are stored in files in a subfolder called playstation1, playstation2, and playstation3
respectively. Download time can vary from 30-60 seconds.
upload_p1
upload_p2
upload_p3
These scripts are used to restore device configurations. They can only be executed after successfully
downloading configurations using the download scripts. Upload time can vary from 3-5 minutes because
the network devices must be reloaded, which takes several minutes.
CM_Library.pm
Library used by minictrl to download, upload, and connect to digi.
minictrl.pl
Tool that does the downloading and uploading of configurations.
single_cmd
Internal wrapper tool.
ECE 4110 Internetwork Programming
Turn in sheet
Lab 7: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists
Group Number: ________
Member Names: _________________________
_________________________
Date: _____________________
Part 1 Check-off point: show the lab TA your working network.
TA Signature _______________________ DATE ______________________
Part 2 Check-off point: show the lab TA a PC acting as 192.168.148.2 with working
ACLs.
TA Signature _______________________ DATE ______________________
Turn-in List
1. The turn in sheet from the back of the lab
2. Physical Cabling Diagram
3. Access Control List Summary Table
4. Marketing Network Setup Sheet
Group Number____________________ Names:______________________________
Date:_________________________
Playstation #:____________________
Physical Cabling Diagram (worksheet): record the Digi # of Floor1_switch, Floor2_switch, Floor1_router,
Floor1_computers and Floor2_computers, and label each cable with the interfaces it connects (Ethernet 0/0,
Ethernet 0/1, Ethernet 1/0, Fast Ethernet 0/0), including the PC used for Part II of the lab.
Group Number____________________ Names:______________________________
Date:_________________________
Access Control List Summary Table:
From:              To:                Allowed (YES or NO)?
10.1.10.2          10.1.10.3          __________
10.1.10.2          192.168.148.3      __________
10.1.10.2          172.16.152.3       __________
192.168.148.2      10.1.10.3          __________
192.168.148.2      10.1.10.2          __________
192.168.148.2      192.168.148.3      __________
192.168.148.2      172.16.152.3       __________
172.16.152.2       10.1.10.3          __________
172.16.152.2       192.168.148.3      __________
172.16.152.2       172.16.152.3       __________
Group Number____________________ Names:______________________________
Date:_________________________
Part III: Marketing Network Setup
Need:
2500 machines
Network address:
48.15.224.0 / ____
Netmask:
____.____.____.____
Wildcard Mask:
____.____.____.____
Calculations:
ACL Setup:
Fill in the commands you would use to set up the MKTING access control list
Router(config)#ip access-list standard MKTING <ENTER>
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)#
Router(config-std-nacl)# deny any log <ENTER>
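Both the Access Control List Summary Table and the Part III worksheet come down to how a Cisco standard ACL treats a source address: entries are tried top to bottom, the first one whose wildcard-masked network covers the address decides, and anything left over hits the implicit deny. The following Python is an added example, not part of the lab handout, that models that evaluation together with the prefix-length and wildcard-mask arithmetic; all addresses and ACL entries in it are constructed.

```python
# Added example (not part of the lab handout): how a Cisco IOS standard ACL is
# evaluated, plus the prefix/wildcard arithmetic the worksheets ask for. Constructed data.
import ipaddress
from dataclasses import dataclass

def prefix_for_hosts(hosts: int) -> int:
    # Smallest prefix whose block holds `hosts` usable addresses (network/broadcast excluded).
    size = 4   # a /30 is the smallest block with usable host addresses
    while size - 2 < hosts:
        size *= 2
    return 32 - (size.bit_length() - 1)

def wildcard(prefix: int) -> str:
    # Cisco wildcard mask = bitwise inverse of the subnet mask (IPv4 "hostmask").
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").hostmask)

@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    network: str            # "any" or a dotted-quad address
    wild: str = "0.0.0.0"   # wildcard bits; 0.0.0.0 means exactly one host
    log: bool = False

    def matches(self, src: str) -> bool:
        if self.network == "any":
            return True
        s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, self.network, self.wild))
        return (s ^ n) & ~w == 0    # bits set in the wildcard are "don't care"

    def render(self) -> str:
        if self.network == "any":
            target = "any"
        elif self.wild == "0.0.0.0":
            target = f"host {self.network}"
        else:
            target = f"{self.network} {self.wild}"
        return f" {self.action} {target}" + (" log" if self.log else "")

def evaluate(acl: list, src: str) -> str:
    # First matching entry wins; every IOS ACL ends with an implicit "deny any".
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"

def render_acl(name: str, acl: list) -> str:
    return "\n".join([f"ip access-list standard {name}"] + [e.render() for e in acl])

# Constructed ACL: one /24 subnet and one host permitted, everything else denied and logged.
SAMPLE_ACL = [Entry("permit", "10.1.10.0", wildcard(24)), Entry("permit", "172.16.152.2"),
              Entry("deny", "any", log=True)]
```

Because a standard ACL sees only the source address, the same entry list answers every row of the summary table that shares a "From" address, whatever the "To" column says.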