Fall2002-v4

Page 1: Fall2002-v4

Introduction to LINUX OS
NETWORKING & IP LABORATORY

OBJECTIVES

To familiarize students with the powerful, robust and open operating system called LINUX.

BACKGROUND

Networking applications have traditionally been hosted on Unix servers because of the robustness of the operating system. Sun Microsystems was one of the first widely accepted Unix platforms adopted for networking applications. The Sun platforms use proprietary architectures and subsystem interconnections and are therefore much more expensive than a PC. Linux is a freely available Unix-like operating system for the PC; it was begun by Linus Torvalds in 1991 and is developed by a worldwide community (it is Unix-like rather than a BSD derivative, although it runs most of the same software).

INTRODUCTION

Linux is a multitasking, multi-user operating system: many people can run many different applications on one computer simultaneously. For most of your explorations in the world of Linux you will talk to the system through a shell, a program that takes the commands you type and translates them into instructions for the operating system. It can be compared to the COMMAND.COM program under MS-DOS, which does essentially the same thing. A shell is just one interface to Linux; there are others, such as the X Window System, which lets you run commands using the mouse and keyboard.

Most Linux systems use a standard layout for files so that system resources and programs can be easily located. This layout forms a directory tree which starts at the "/" directory, also known as the root directory. Directly underneath / are important subdirectories: /bin, /etc, /dev and /usr, among others. These in turn contain other directories holding system configuration files, programs, and so on. In particular, each user has a home directory set aside for that user's files. User home directories are usually contained under /home and are named for the owning user, e.g. Larry's home directory will be /home/larry.

Experiment 3, ENTC 425


Basic Unix Commands

cd ..              go up one directory
cd /games          go to the games directory
ls                 list the contents of the current directory
pwd                print the working (current) directory
cat A              display the file A
pico               a simple text editor
vi                 an advanced text editor
mv A Z             move (rename) file A to file Z
cp one two         copy file "one" to file "two"
rm abc             delete file "abc"
mkdir games        make a directory called games
rmdir games        remove the (empty) directory called games
echo               print its arguments on the screen
finger             show information about the current users
uptime             show how long it has been since the system was last booted
date               show the date and time according to the computer (time, by contrast, measures how long a command takes to run)
who                show who is logged in on the system
grep               search files for a pattern and print the matching lines
chmod              change file/directory permissions
compress           compress a file; uncompress reverses it
logout             log you out
ping               send ICMP Echo Requests to a host and report the round-trip time
man                show the manual page (instructions) for a command

Unix / Linux Networking commands

(On the Linux workstations these programs live in /sbin, which is not on an ordinary user's PATH, so type the full path, e.g. /sbin/ifconfig.)

• arp

• ifconfig

• netstat

• ping

• traceroute

• ftp


EXAMPLE NETWORKING COMMANDS

Checking the ARP Cache

• arp -a

Output:

eth0 10.10.1.2 at 00:c0:4f:a0:87:03

This command prints the contents of the ARP cache: the IP-to-MAC mappings the host has learned for its directly connected neighbours. Entries expire after a timeout (about 20 minutes on the Solaris hosts whose output appears elsewhere in this exercise; Linux marks an unused entry stale after tens of seconds and re-verifies it before using it again). Note that the command is followed by -a; this is called a flag and is used to specify options for a command. Nothing in ARP authenticates a reply, so an entry shows only what the last host to answer claimed; when debugging, compare the MAC shown against the one you expect for that address. Each command is documented in a manual page accessed through the man command.
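A worked comparison of two ARP cache snapshots, added here as an example; it is not part of the lab manual. It reads the /proc/net/arp table (the same data arp -a prints on Linux), reports the entries that appear after a ping, and flags the two things a defender watches for: an address whose MAC changed between snapshots, and one MAC answering for several addresses. The three snapshots, the addresses and the MACs in it are constructed.

```python
"""Compare two snapshots of the kernel ARP cache and flag suspicious changes.

Added example, not from the lab manual. It parses the /proc/net/arp table
(the same data `arp -a` prints on Linux) and reports what step 11 of the
procedure asks you to notice: entries added after a ping. It also flags an
address whose MAC changed between snapshots and one MAC answering for
several addresses. All three snapshots below are constructed sample data.
"""
from collections import defaultdict

BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.254      0x1         0x2         00:c0:4f:a0:87:03     *        eth0
"""

# After pinging a host on the LAN: a second completed entry, plus one that
# never got a reply (flags 0x0, all-zero MAC).
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.254      0x1         0x2         00:c0:4f:a0:87:03     *        eth0
10.10.1.2        0x1         0x2         00:c0:4f:d3:c4:62     *        eth0
10.10.1.77       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# The gateway's IP now resolves to the same MAC as 10.10.1.2: what a poisoned
# cache looks like when a neighbour claims to be the router.
POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.254      0x1         0x2         00:c0:4f:d3:c4:62     *        eth0
10.10.1.2        0x1         0x2         00:c0:4f:d3:c4:62     *        eth0
"""

ATF_COM = 0x2      # flags bit: entry is complete (a reply was received)

def parse_arp_table(text):
    """Return {ip: (mac, device)} for complete entries; incomplete ones are skipped."""
    table = {}
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if int(flags, 16) & ATF_COM:
            table[ip] = (mac.lower(), dev)
    return table

def diff_arp(before, after):
    """Entries added, removed, and whose MAC changed between two snapshots."""
    a, b = parse_arp_table(before), parse_arp_table(after)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(ip for ip in set(a) & set(b) if a[ip][0] != b[ip][0]),
    }

def duplicate_macs(text):
    """{mac: [ips]} for every MAC that the cache maps to more than one IP."""
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in parse_arp_table(text).items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    # On a real host: diff_arp(saved_copy, open("/proc/net/arp").read())
    print(diff_arp(BEFORE, AFTER))
    print(diff_arp(AFTER, POISONED))
    print(duplicate_macs(POISONED))
```

Only complete entries are compared, because an incomplete one (a query that got no reply) carries no MAC worth trusting or alarming on. A gateway entry whose MAC changes, or a MAC that suddenly owns the gateway's address as well as its own, is the signature of ARP spoofing on the segment.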

Interface Details

• ifconfig -a

Output:
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 128.194.130.200 netmask ffffff00 broadcast 128.194.130.255

The details of each interface are shown by the ifconfig command. With -a it displays one entry for every interface attached to the system, including the loopback interface (loopback address 127.0.0.1). The output above is from a Solaris host (interface le0, netmask printed in hex); on the Linux workstations the Ethernet interface is eth0 and the netmask is printed in dotted decimal, as in the ifconfig output shown in the DHCP exercise later in this manual.

You can also get your interface details using the command

• netstat -in

Routing Table

• netstat -nr

Routing Table:
Destination          Gateway              Flags  Ref    Use  Interface
-------------------- -------------------- ----- ----- ------ ---------
128.194.130.0        128.194.130.18       U        3   3138  le0
128.194.131.0        128.194.131.18       U        2   4171  le1
128.194.136.0        128.194.136.18       U        2    239  le2
224.0.0.0            128.194.130.18       U        3      0  le0
default              128.194.130.254      UG       0 340560
127.0.0.1            127.0.0.1            UH       0 252087  lo0

The flags column tells you how each route is used: U means the route is up, G that the destination is reached through the listed gateway (a router), and H that the entry is for a single host rather than a network. An outgoing packet is matched against the most specific destination first; anything that matches no other row goes to the default route, here the router 128.194.130.254. You can see the routing table on your machine using the above command.
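A worked route lookup over the table above, added here as an example (it is not part of the lab manual). It reproduces the decision the kernel makes for every outgoing packet: the most specific matching route wins, otherwise the default route, otherwise the packet is unroutable. Solaris netstat -nr prints no mask column, so the prefix lengths are our assumption (classful /24 for the 128.194.x.0 rows, /4 for the multicast row); ISOLATED is a constructed table standing for a station after step 7 of the procedure below, when it sits alone on the station switch with no default route.

```python
"""Longest-prefix route lookup over a netstat -nr style table.

Added example, not part of the lab manual. ROUTES is the manual's Solaris
netstat -nr output; the prefix lengths are assumed because that format
prints no mask column. ISOLATED is a constructed table for a station that
has only its own LAN and no default route.
"""
import ipaddress

# (destination network, gateway, flags, interface); 0.0.0.0/0 is "default".
ROUTES = [
    ("128.194.130.0/24", "128.194.130.18",  "U",  "le0"),
    ("128.194.131.0/24", "128.194.131.18",  "U",  "le1"),
    ("128.194.136.0/24", "128.194.136.18",  "U",  "le2"),
    ("224.0.0.0/4",      "128.194.130.18",  "U",  "le0"),
    ("0.0.0.0/0",        "128.194.130.254", "UG", "le0"),
    ("127.0.0.1/32",     "127.0.0.1",       "UH", "lo0"),
]

ISOLATED = [("172.16.10.0/24", "172.16.10.3", "U", "eth0")]

def lookup(dest, routes=ROUTES):
    """Return (next_hop, interface, direct) for dest, or None if unroutable.

    direct is True when the packet is delivered on the link itself (the
    kernel ARPs for dest), False when it is handed to a router (G flag).
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gw, flags, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, ifname)
    if best is None:
        return None                      # kernel reports "Network is unreachable"
    _net, gw, flags, ifname = best
    via_router = "G" in flags
    return (gw if via_router else dest, ifname, not via_router)

def same_subnet(ip_a, ip_b, netmask):
    """True when both hosts are on one IP network, i.e. they can talk without a router."""
    net_a = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a

if __name__ == "__main__":
    print(lookup("128.194.103.177"))            # www.tamu.edu: off-link, via the default router
    print(lookup("128.194.130.77"))             # same LAN as le0: delivered directly
    print(lookup("128.194.103.177", ISOLATED))  # nothing matches: ping fails
    print(same_subnet("172.16.10.3", "172.16.10.200", "255.255.255.0"))
```

Note that the first traceroute hop in the example below (128.194.130.254) is exactly what lookup() returns for www.tamu.edu: the default router. With the ISOLATED table the same lookup returns None, which is why step 8 of the procedure cannot reach the campus network.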


Ping Messages

• ping <destination>

ping sends ICMP Echo Request messages to the named host; a reachable host answers each one with an ICMP Echo Reply, and ping reports the round-trip time. ping is therefore an ordinary program built on ICMP, not a protocol of its own.

Ping reply format: <no of bytes> <ip address> <ICMP seq. no> <time to live> <round-trip time>

Usage: ping www.tamu.edu

Output (this one is from a Windows host, which sends 32 data bytes and stops after a fixed count; Linux ping reports 64-byte replies and keeps going until you press Ctrl-C):

Pinging mimir.tamu.edu [128.194.103.177] with 32 bytes of data:
Reply from 128.194.103.177: bytes=32 time<10ms TTL=253
Reply from 128.194.103.177: bytes=32 time<10ms TTL=253
Reply from 128.194.103.177: bytes=32 time<10ms TTL=253

Ping statistics for 128.194.103.177:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Traceroute

• traceroute <destination>

Usage: traceroute www.tamu.edu

Output:
 1  exit-130c (128.194.130.254)  2.211 ms  1.667 ms  1.312 ms
 2  pluto (128.194.129.10)  1.249 ms  1.230 ms  1.066 ms
 3  hrbb-1-hrbb-nb-e-8.net.tamu.edu (165.91.133.25)  2.250 ms  2.245 ms  1.950 ms
 4  csce-osr-1--bb-PE-g-1.net.tamu.edu (128.194.1.32)  2.884 ms  2.705 ms  2.351 ms
 5  mimir.tamu.edu (128.194.103.177)  2.244 ms  *  4.022 ms

The traceroute command builds a list of the routers between the source and the destination, with the round-trip delay from the source to each one (three probes per hop; a * means a probe got no reply before the timeout). It works by exploiting the time-to-live field of the IP header: probes are sent with TTL 1, then 2, then 3, and so on. The router at which the TTL runs out discards the probe and returns an ICMP Time Exceeded message, which reveals that router's address. Unix traceroute sends UDP datagrams to high-numbered ports by default (ICMP Echo Requests with the -I flag); Windows tracert uses ICMP Echo Requests, so it is closer to "ping with an increasing TTL". Note that the first hop, 128.194.130.254, is the default gateway in the routing table above.


File Transfer Protocol

FTP is used to transfer files between a remote station and the local station, in either direction. An FTP session uses two TCP connections, as shown in the diagram below: a control connection to the server's well-known port 21, over which commands and replies travel, and a separate data connection for each transfer (in active mode the server opens it from its port 20 back to the client). Commonly used modes of operation are ASCII and BINARY. Everything on both connections, including the username and password, travels in clear text. Commands associated with ftp are:

• get

• mget

• put

• mput

Configuring Network Interfaces

The following commands are used to configure interfaces in the Unix environment. Depending on the PATH of the system, the command may have to be invoked as /sbin/ifconfig or /sbin/route.

Taking the interface from active ("up") status to "down":
    ifconfig eth0 down
Taking the interface from "down" to "up":
    ifconfig eth0 up
Once down, you can alter the IP address of the network interface:
    ifconfig eth0 <ip address> netmask <subnet mask>
Routes are added to the station by giving the destination network, its netmask and the gateway for each route using the route command:
    route add -net <network address> netmask <subnet mask> gw <gateway address>
The default gateway is set with:
    route add default gw <gateway address>
These commands change the running configuration only; the settings are lost at reboot unless they are also placed in the configuration files described below.


Network Configuration Files

Go to the /etc/sysconfig directory and open the file named network (use any editor, e.g. NEdit). The hostname, domain and default gateway are set here. The default gateway is the address to which your host forwards every packet that is not destined for a directly connected network.

Each interface also needs an ifcfg-<interface> file in /etc/sysconfig/network-scripts. Ethernet cards are usually called eth0, eth1 and so on (one name per card if the workstation has more than one); the loopback interface is lo. On your workstation the file is ifcfg-eth0, and it contains the IP address, netmask, network address and broadcast address. Check that these files hold the correct, current information.

PROCEDURE: Basic Unix Commands

1. Using a text editor, create four files called name1, name2 ... name4, containing the first, middle and last names of all your group members (one member per file).

2. Use the man pages to look up the operation of the tar command; make sure to read the DESCRIPTION section.

3. tar all four name files into a single archive and save it as group_name.tar, replacing group_name with the actual name of your group. Make sure you can extract the individual name files before you check off.

4. Create a directory called /home/group_name and move your archive into that directory. Verify that it arrived using the ls command. Extract the archive and type the following commands: ls -l, ls -al, ls n*.

5. When the -l flag is given to ls, the output includes a permission string indicating the ability of three different entities to read, write and execute a file or directory. The three entities, from left to right, are the owner, the group and others.

EXAMPLE: rwxrw-r-- allows the owner to read, write and execute, the group only to read and write, and everyone else only to read.

6. Use the chmod command to change the permissions on your archive so that all users (owner, group and others) can read and write the file. A quick example of the chmod command:

EXAMPLE: chmod o=rw group_name.tar sets the "others" permissions of the named file to read/write (the same form with u= or g= changes the owner or group permissions). Bear in mind that a world-writable file can be altered by every account on the machine; that is fine for this exercise but not for anything you care about. For more information use the man pages.

7. Disconnect the LINUX computer from the laboratory network and connect it to the Catalyst 2912 switch located at the station. Bring the Ethernet interface down and alter the IP address to 172.16.10.x, where x is between 1 and 254 and does not conflict with the addresses chosen by your other lab group members, so that each LINUX computer has a unique IP address. The netmask should be 255.255.255.0, which indicates that the host ID is the last 8 bits of the address.

8. Attempt to ping www.tamu.edu. Note what happens, and why.

9. Bring the eth0 interface down and change the IP address back to the original address. Set the default gateway to 10.a.b.254, where a and b are unique to each LAN station; look at the network diagram to find the appropriate numbers for a and b.

10. Ping www.yahoo.com and note the IP address of this site. If you have trouble, attempt to ping a known IP address by number: ping 128.194.178.1 (dns.tamu.edu). If you can ping a known IP address but not a name, you are probably failing to resolve the hostname to an address and need to set the DNS server of the terminal. You can set the DNS server address in the /etc/resolv.conf file by adding the line nameserver <ip address> on the second line.

11. Display the address resolution protocol (ARP) table of your terminal. Ping www.cisco.com and then display the ARP table again. Do you notice a difference? Now discover the route (all hops between you and the destination) to www.sbc.com.

12. Call the TA over to your station and check off your ability to extract and display the contents of name1, name2 ... name4. Then show the altered permissions on your archive. Finally, explain the operation of the ARP table and how it changed after pinging www.cisco.com.
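The permission string explained in step 5, read back programmatically and audited for the settings step 6 asks you to create; this is an added example, not part of the lab manual. parse_mode() turns the nine rwx characters into the numeric mode chmod accepts, including the setuid, setgid and sticky markers (s, S, t, T) that share the execute columns, and audit() runs an auditor's checks over a constructed ls -l listing; the file names, owners and sizes in LISTING are made up.

```python
"""Read an ls -l permission string and flag the settings an auditor looks for.

Added example, not from the lab manual. parse_mode() turns the nine
rwx characters (owner, group, others) into the numeric mode chmod accepts,
including the setuid/setgid/sticky markers (s, S, t, T) that share the
execute columns. audit() runs the checks over a constructed ls -l listing.
"""
import stat

# Column index -> special bit that may appear in that execute column.
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(perm):
    """'rwxrw-r--' -> 0o764, 'rwsr-xr-x' -> 0o4755. A leading type char (-, d, l) is allowed."""
    if len(perm) == 10:
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError(f"bad permission string: {perm!r}")
    mode = 0
    for i, ch in enumerate(perm):
        bit = 1 << (8 - i)                      # r w x r w x r w x -> bits 8 .. 0
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":
            # s/S belong in the owner/group execute columns, t/T only in others'
            if i not in _SPECIAL or (ch in "sS") != (i in (2, 5)):
                raise ValueError(f"{ch!r} is not valid in column {i} of {perm!r}")
            mode |= _SPECIAL[i]
            if ch.islower():                    # lowercase also means execute is set
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm!r}")
    return mode

def findings(perm):
    """Audit findings for one ls -l entry (empty list means nothing to report)."""
    mode = parse_mode(perm)
    out = []
    if mode & stat.S_IWOTH:
        out.append("world-writable")
    if mode & stat.S_ISUID:
        out.append("setuid")
    if mode & stat.S_ISGID:
        out.append("setgid")
    is_dir = len(perm) == 10 and perm[0] == "d"
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        out.append("world-writable directory without sticky bit")
    return out

# Constructed ls -l output for /home/group_name (not real lab data).
LISTING = """\
-rw-rw-rw- 1 larry netlab 10240 Sep 10 14:02 group_name.tar
-rw-r--r-- 1 larry netlab    24 Sep 10 13:55 name1
drwxrwxrwx 2 larry netlab  4096 Sep 10 13:50 scratch
-rwsr-xr-x 1 root  root   35000 Sep  1 09:00 helper
"""

def audit(listing):
    """Map file name -> findings for every entry in an ls -l listing that has any."""
    report = {}
    for line in listing.splitlines():
        fields = line.split(None, 8)            # perm links owner group size mon day time name
        if len(fields) < 9:
            continue
        f = findings(fields[0])
        if f:
            report[fields[8]] = f
    return report

if __name__ == "__main__":
    print(oct(parse_mode("rwxrw-r--")))         # the manual's example, 0o764
    print(audit(LISTING))
```

The archive from step 6 shows up in the report as world-writable, which is exactly what the exercise asked for; on a real system that finding, and any setuid file outside the vendor's set, is what you would follow up on.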

Prelab Questions:

1. What are the features of UNIX?
2. What is a shell? What is a shell script?
3. What does FTP stand for and what is its purpose?
4. What is the purpose of NIS, NFS, DNS, DHCP, BOOTP?
5. What are the different classes of IP addresses available?
6. What are "loopback" addresses and "broadcast" addresses?

Lab Questions:

NONE – Make sure to check-off your exercise before leaving


Module 2

IP Configuration ENTC 425


Setting Up LAN in Unix/Linux & Windows Environments

NETWORKING & IP LABORATORY

OBJECTIVE: To set up a Local Area Network using Unix/Linux boxes and Windows stations. This lab will also reinforce the Unix/Linux operating system through the use of some basic commands as well as networking-related commands.

INTRODUCTION: Linux follows the POSIX operating system standard, which was derived from Unix. Unix and Linux are compatible at the system call level, meaning most programs written for one can be recompiled to run on the other with little or no modification. There are many different Linux distributions, such as Red Hat, Caldera, SuSE, Mandrake, Slackware and Debian; Red Hat is by far the most popular in industry. Strictly, "Linux" is the kernel, the core of the operating system: it starts and stops programs, handles memory requests, handles network connections, and so on. All distributions ship the same kernel (although the version and patches vary); what differs is the tools each provides for configuration, for example Red Hat's installer, which makes installation very easy for first-time users.

Some major differences between Windows NT and Linux

• Microsoft has integrated the GUI (Graphical User Interface) into the core operating system but Linux has kept it separately. The X-Window System interface employed by Linux is run as a user-level application, which makes it more stable. If the GUI fails, the OS is still up and running.

• Windows uses the Registry as its configuration database, whereas Linux uses text files for configuration.

This list is far from exhaustive. For interested readers, more differences can be found at http://www.pcquest.com/content/linux.

Experiment 4, ENTC 425


Networking Interfaces

Linux defines an abstract interface through which the hardware is accessed. This interface offers a set of operations that is the same for all types of hardware and basically deals with sending and receiving packets.

For each peripheral networking device, a corresponding interface has to be present in the kernel. For example, Ethernet interfaces in Linux have names such as eth0 and eth1; PPP (Point-to-Point Protocol) interfaces are named ppp0 and ppp1. These interface names are used for configuration purposes when you want to specify a particular physical device in a configuration command, and they have no meaning beyond this use.

Before being used by TCP/IP networking, an interface must be assigned an IP address that serves as its identification when communicating with the rest of the world. This address is different from the interface name mentioned previously; if you compare an interface to a door, the address is like the nameplate pinned on it.

ADDRESS RESOLUTION: A mechanism is needed to map IP addresses onto the addresses of the underlying network. The mechanism used is the Address Resolution Protocol (ARP).

When ARP wants to find the Ethernet address corresponding to a given IP address, it uses an Ethernet feature called broadcasting, in which a frame is addressed to all stations on the network simultaneously. The broadcast sent by ARP contains a query for the IP address. Each receiving host compares this query with its own IP address and, if it matches, returns an ARP reply to the inquiring host. The inquiring host can now extract the sender's Ethernet address from the reply and caches it in its ARP table. Note that nothing in this exchange is authenticated: any host on the segment can answer a query, or send an unsolicited reply, and the requester will cache whatever it hears. This is why the ARP table you inspect in the procedure should be read with the expected MAC addresses in hand.

Domain Name System

The Domain Name System (DNS) is a set of protocols and services on a TCP/IP network that lets users refer to hosts (that is, computers) by hierarchical, user-friendly names instead of having to remember and use their IP addresses. This system is used extensively on the Internet and in many private enterprises today. If you have used a Web browser, Telnet application, FTP utility or similar TCP/IP utility on the Internet, then you have probably used a DNS server. The DNS protocol's best-known function is mapping user-friendly names to IP addresses. For example, suppose the FTP site at CU Boulder had the IP address 128.138.100.1. Most people would reach this computer by specifying FTP.colorado.com and not the less friendly IP address. Besides being easier to remember, the name is more stable: the numeric address could change for any number of reasons, but the name can always be used.


Before the implementation of DNS, user-friendly computer names were implemented through HOSTS files containing a list of names and their associated IP addresses. On the Internet this file was centrally administered and each site periodically downloaded a new copy. As the number of machines on the Internet grew, this became unmanageable. The scalable solution was DNS. DNS sits at layer 7 (the application layer) of the OSI model and runs over either UDP or TCP, both on port 53. Resolvers send UDP queries first for performance and fall back to TCP only when the reply comes back truncated (the TC bit is set). The most popular implementation of the DNS protocol, BIND, was originally developed at Berkeley for the 4.3 BSD UNIX operating system; the name stands for Berkeley Internet Name Domain. The primary specifications for DNS are Requests for Comments (RFCs) 974, 1034 and 1035.

How DNS works:

DNS uses a client/server model in which each DNS server holds a database of domain names mapped to IP addresses for the zones it is responsible for. The DNS client, known as the resolver, performs queries against DNS servers. The bottom line: DNS maps domain names to IP addresses using these steps:

Step 1. A client (or resolver) passes its request to its local name server. For example, the name www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2. If, as often happens, the local name server cannot answer from its own data or its cache, it queries other name servers on the resolver's behalf.

Step 3. If all else fails, the query works its way through the DNS tree from the top: the root name servers refer the local name server to the servers for the far-right label (for instance, com), those refer it to the servers for the next label, and so on until the server authoritative for the name answers.

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) allows the dynamic leasing of IP addresses to those computers configured as DHCP clients. By using DHCP you are freed from the burden of manually assigning IP addresses to most of your workstations. DHCP involves two types of systems:

§ DHCP servers. To use DHCP on your Windows NT Server-based network, you must have at least one Windows NT server running the Microsoft DHCP service (in this lab the LINUX server runs the DHCP server instead). The server needs a DHCP scope defined that specifies the TCP/IP configuration and a pool of IP addresses that may be assigned to DHCP-compliant clients.

§ This is accomplished by the DHCP server responding to a request from the DHCP client for an IP address lease. The DHCP server selects from its address pool an unused address that it may lease to the client. Typically, the DHCP server also provides additional TCP/IP configuration information for the client.

§ DHCP clients. When installing TCP/IP on a DHCP client (such as Windows 95/98), you can have IP addresses assigned automatically by configuring the client accordingly.

As long as a DHCP server is on the same network as the client (DHCP requests are broadcasts and do not cross routers unless a relay agent forwards them), the server can respond to the client with an IP address to lease. After leasing the IP address, the client applies the TCP/IP configuration supplied by the server and can then communicate using TCP/IP. In addition to IP addresses, the DHCP server can also supply DNS server information to the client.

Apache HTTP Server

HTTP (Hypertext Transfer Protocol) is the protocol used for the World Wide Web, and Apache is the HTTP server implementation used in the UNIX/LINUX environment.
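The four-message DHCP exchange described in the DHCP section above, as an added example that is not part of the lab manual and not ISC dhcpd's code. It serialises and parses DHCP messages in the real wire format (BOOTP fixed header, magic cookie, type-length-value options) and drives DISCOVER, OFFER, REQUEST and ACK between a constructed client and a small server whose pool and lease times follow the sample dhcpd.conf in the DHCP exercise later in this manual, assuming X=1 (addresses 10.10.1.20 to 10.10.1.30, server and router at 10.10.1.254); the MACs, transaction ID and option contents are made up. No sockets are opened, so it runs offline without root.

```python
"""DHCP DISCOVER/OFFER/REQUEST/ACK on the wire, with a toy lease pool.

Added example, not part of the lab manual and not ISC dhcpd code. Message
layout follows RFC 2131/2132: 236-byte BOOTP header, magic cookie, TLV
options. The pool mirrors the manual's sample dhcpd.conf with X=1.
"""
import socket
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"
# Option codes (RFC 2132) and DHCP message types.
SUBNET, ROUTER, DNS, REQ_IP, LEASE, MSG_TYPE, SERVER_ID = 1, 3, 6, 50, 51, 53, 54
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6

def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """Serialize one message; op=1 from the client, op=2 from the server."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0,
                      0x8000,            # BROADCAST flag: the client has no address yet
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr, b"", b"")  # struct zero-pads the 16s/64s/128s fields
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"

def parse(pkt):
    """Return (op, xid, mac, yiaddr, {option_code: raw_value})."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = socket.inet_ntoa(pkt[16:20])
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:        # 0xFF = end option
        if pkt[i] == 0:                            # 0 = pad, carries no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, xid, mac, yiaddr, opts

class Server:
    """Lease allocator with the semantics of the dhcpd.conf keywords."""
    def __init__(self, server_ip="10.10.1.254", first="10.10.1.20",
                 last="10.10.1.30", default_lease=600, max_lease=7200):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.ip = server_ip
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.leases = {}                           # client MAC -> leased IP
        self.default_lease, self.max_lease = default_lease, max_lease

    def _options(self, msg_type, lease):
        ip = socket.inet_aton
        return [(MSG_TYPE, bytes([msg_type])), (SERVER_ID, ip(self.ip)),
                (SUBNET, ip("255.255.255.0")), (ROUTER, ip(self.ip)),
                (DNS, ip("10.10.10.100") + ip("128.194.178.1")),
                (LEASE, struct.pack("!I", lease))]

    def handle(self, pkt):
        """Reply bytes for one client message, or None (dhcpd stays silent)."""
        _op, xid, mac, _yiaddr, opts = parse(pkt)
        kind = opts.get(MSG_TYPE, b"\0")[0]
        if kind == DISCOVER:
            ip = self.leases.get(mac)
            if ip is None:
                if not self.free:
                    return None                    # pool exhausted
                ip = self.free.pop(0)
                self.leases[mac] = ip
            return build(2, xid, mac, ip, self._options(OFFER, self.default_lease))
        if kind == REQUEST and REQ_IP in opts:
            if SERVER_ID in opts and socket.inet_ntoa(opts[SERVER_ID]) != self.ip:
                return None                        # client accepted another server's offer
            wanted = socket.inet_ntoa(opts[REQ_IP])
            if self.leases.get(mac) != wanted:
                return build(2, xid, mac, options=[(MSG_TYPE, bytes([NAK])),
                                                   (SERVER_ID, socket.inet_aton(self.ip))])
            asked = struct.unpack("!I", opts[LEASE])[0] if LEASE in opts else self.default_lease
            return build(2, xid, mac, wanted, self._options(ACK, min(asked, self.max_lease)))
        return None

def exchange(server, mac, xid=0x3903F326, ask_lease=None):
    """Client side of DISCOVER->OFFER->REQUEST->ACK; returns (ip, lease_seconds) or None."""
    offer = server.handle(build(1, xid, mac, options=[(MSG_TYPE, bytes([DISCOVER]))]))
    if offer is None:
        return None
    _, _, _, offered, o = parse(offer)
    if o[MSG_TYPE][0] != OFFER:
        return None
    req = [(MSG_TYPE, bytes([REQUEST])), (REQ_IP, socket.inet_aton(offered)),
           (SERVER_ID, o[SERVER_ID])]
    if ask_lease is not None:
        req.append((LEASE, struct.pack("!I", ask_lease)))
    _, _, _, leased, a = parse(server.handle(build(1, xid, mac, options=req)))
    if a[MSG_TYPE][0] != ACK:
        return None
    return leased, struct.unpack("!I", a[LEASE])[0]
```

Two things the exchange makes visible. A client that asks for a longer lease than max-lease-time is clamped to 7200 seconds, and a second client on an exhausted pool simply gets no answer, which is how dhcpd behaves. More importantly, nothing in the messages identifies the server: the client takes the first OFFER it hears, so any machine on the segment running a DHCP server can hand out its own router and DNS addresses (lab question 9b below). That is the reason switches offer DHCP snooping, which drops server messages arriving on untrusted ports.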


WINDOWS NETWORK CONFIGURATION:

Configuring the IP attributes on a Windows workstation is certainly simpler than on a Unix box, but an incorrect configuration can really mess up your system, so exercise caution before you change any addresses, routing table entries or other attributes.

a. Go to Start -> Settings -> Control Panel -> Network. Double-click the TCP/IP entry; this opens a window with the current IP settings. Modify the IP address, netmask, domain name, DNS server and default gateway entries.

b. You can specify an IP address and subnet mask for a network interface yourself, or let Windows acquire all the necessary information automatically through DHCP (Dynamic Host Configuration Protocol).

Note: We don't have DHCP running in the lab.

c. Specify the gateway for the subnet on which the network interface is currently located. All IP packets sent outside the subnet are forwarded via the gateway. In our case the gateway address is the router port to which your LAN is connected. If you configure the IP address by DHCP, the DHCP server, if properly configured, may assign a gateway as well.


d. Specify the proper host and domain name (Host: Pent X; Domain: tamu.edu). Also specify the proper DNS (Domain Name System) servers so that names can be translated to IP addresses. DNS not only spares you from remembering IP numbers; names are also used to identify hosts, for example in log files via reverse lookup. Since DNS answers are not authenticated, a name learned this way identifies a host but does not by itself prove who it is, which is why it matters in security.

TAMU DNS servers are: 128.194.178.1, 128.194.198.5

e. To display the routing table go to Start -> Run -> type command. You will reach the DOS shell.
    C:\>route print
Try the following commands and observe the results (route run with no arguments prints the full syntax, including the MASK keyword for a netmask):
    C:\>route delete <ip address> <gateway>
    C:\>route add <ip address> <gateway>
    C:\>route print

Some useful tools for debugging a Windows network configuration are as follows:

1. The status of the network configuration can be checked with netstat: netstat -nr prints the routing table, and netstat -n lists the active TCP/UDP connections between your workstation and remote hosts.

2. winipcfg (Windows 95/98; on Windows 2000 use ipconfig /all) shows the current configuration of a specific network interface and lets you release and renew a DHCP lease.

3. ping. Use this command to check connectivity to other workstations in your subnet, as well as workstations on other subnets.

4. tracert (the Windows name for traceroute). Use this command to identify all network elements between your network and the destination network.


PROCEDURE I: Setting up a LAN using Unix/Linux Disconnect all network station computers from the Laboratory network and connect them to the station Catalyst 2912 switch. Alter the IP addresses of each computer to match the following configuration.

Once you have finished the IP configurations, make sure you have connectivity between all stations by pinging between them. Have the TA check-off your stations before continuing to the next procedure. If you are having trouble with this procedure, refer to exercise 3 for some LINUX networking commands.

PROCEDURE II: Building a LINUX Server Perform a network installation of Redhat LINUX 7.3 from the lanwan.tamu.edu server. When setting up your server, make sure to install the following components:

• Apache Web Server • FTP Server • Samba File Server

For assistance on the network installation of Redhat 7.3 LINUX OS, see the LINUX tutorial below:

To perform a network installation of Redhat Linux 7.3, you must first create two floppy disks: one disk to boot into the initial linux environment, and another disk containing drivers for your network adapter. FTP to lanwan.tamu.edu with

Username netlab Password letmein

Change to the /rh73net/dosutils folder and get rawrite.exe. Next, go to the /rh73net/images folder and get bootnet.img and drvnet.img. Have two formatted floppy disks on hand.

[Figure: station layout for Procedure I. Four computers (LINUX, MS 98, MS 2K, LINUX) are connected to the station's Catalyst 2912 switch; their addresses are 172.16.10.3, 172.16.10.4, 172.16.10.6 and 172.16.10.5, each with netmask 255.255.255.0. The diagram shows which address goes to which machine.]


Execute the commands
    rawrite.exe -f bootnet.img -d a:
    rawrite.exe -f drvnet.img -d a:
using a fresh disk for each. Now we can install Red Hat Linux 7.3. Boot the system that will have RH 7.3 installed with the first disk created with rawrite. At the boot prompt, type linux dd. Answer yes to having a driver disk and insert the second disk when prompted. Proceed through the prompts until asked for the installation method. Choose FTP. Next, set a static IP address, noting which LAN you are connected to. The nameserver is 128.194.178.1. Now enter the information for the FTP server. The FTP site name is lanwan.tamu.edu. The Red Hat directory is /export/home/netlab/rh73net. Check "use non-anonymous ftp". The account information is the same as above. If successful, the Red Hat images should begin to transfer. The type of system to install is a server. Select Autopartition for the partitioning scheme. Proceed with the install until asked which package groups you want. Be sure to select Classic X Windows, X Window System, Gnome, Windows File Server, Anonymous FTP Server, Web Server and DNS Nameserver.

Create a small webpage for the Apache server using any HTML editor you choose. Group members are to make a homepage for themselves with a link to each from the main page. You will need to have a hostname for your server and an IP address.


PROCEDURE III: Configure MS Networking Setup both the Windows 98 and Windows 2000 machines to interface with the file-sharing LINUX software called Samba. Create four users and an administrator on Samba. Each user should have a personal directory and access to a shared temporary directory. The administrator should have access to all directories. Both Windows machines should be configured for DHCP with the LINUX server acting as the DHCP server. For hints on DHCP installation – see the information following the lab questions for lab 4. When you complete this exercise, have the TA check you off.


Prelab Questions:

1. Explain the operation of the DHCP protocol.
   a. Show a sample configuration of a DHCP server being used to support 12 machines; make sure to include the list of IP addresses on the server and the lease time.
   b. Defend your choices of both.

2. Explain how DNS operates.
   a. Make sure to include an example lookup for a URL. In your example, what would happen if the campus DNS server could not resolve the address?
   b. Where is the DNS server of "last resort"?

Lab Questions:

1. What is the difference between redirection and piping?

2. What are relative and absolute paths in the Unix/Linux file system?

3. List the important system directories of Unix/Linux and state their significance.

4. Discuss each of the protocols covered during your lab.

5. Given the following host IP addresses and netmasks, identify the six numbered devices as switches (S) or routers (R). Letters are hosts, numbers are devices and lines represent Ethernet segments.

   A: 128.194.15.100  netmask 255.255.255.0
   B: 128.194.15.1    netmask 255.255.255.0
   C: 129.195.15.230  netmask 255.255.240.0
   D: 128.194.42.2    netmask 255.255.240.0
   E: 129.194.16.2    netmask 255.255.240.0
   F: 128.194.34.2    netmask 255.255.240.0

   (Reminder: switches and hubs are used within a single subnet, whereas routers and gateways route between different subnets.)

   [Figure: network diagram with hosts A, B, C, D, E, F and devices 1 through 6 (1 and 2 in the top row, 3, 4 and 5 in the middle row, 6 at the bottom); the segment lines are not reproduced here.]

   (Show detailed working for problem #2)


6. What do you think would happen if the netmask were specified incorrectly for a subnet? Please explain with an example.

7. Consider the following scenario: my default router can ping the outside world. I can ping my default router. I can also ping the outside world, but no one from outside can ping me. What do you think is probably happening here?

8. If you have a network with 5 different LANs, each supporting 10 terminals, how would you configure all the terminals to operate with DHCP? Make sure to include a network diagram showing the different LANs and each DHCP server. Take into consideration that inter-LAN traffic must be routed between networks.

9. Can all of a company's machines use DHCP?
   a. If not, explain which servers a company would not want on DHCP.
   b. Is DHCP a security risk? Explain.
   c. What are some other disadvantages of DHCP?


DHCP - EXAMPLE PROGRAM
NETWORKING & IP LABORATORY

OBJECTIVE

Implement a DHCP server and DHCP clients and learn the functional operation of the DHCP protocol.

INTRODUCTION

PROCEDURE: DHCP Server Setup

DHCP server for UNIX

We use the ISC DHCP software, downloaded from ftp://ftp.isc.org/isc/dhcp/

1. After downloading, unpack it, cd into the distribution directory and type: ./configure

2. It will take some time to configure the settings. When it is done, type: make and then make install.

DHCP server configuration

3. When the installation is done, type ifconfig -a. You should see something like this:

eth0      Link encap:10Mbps Ethernet  HWaddr 00:C0:4F:D3:C4:62
          inet addr:183.217.19.43  Bcast:183.217.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2875542 errors:0 dropped:0 overruns:0
          TX packets:218647 errors:0 dropped:0 overruns:0
          Interrupt:11 Base address:0x210

Note: If it doesn't say MULTICAST you should reconfigure your kernel and add multicast support. On most systems you will not need to do this. Next step is to add route for 255.255.255.255.

"In order for dhcpd to work correctly with picky DHCP clients (e.g., Windows 95), it must be able to send packets with an IP destination address of 255.255.255.255. Unfortunately, Linux insists on changing 255.255.255.255 into the local subnet broadcast address (here, that's 192.5.5.223). This results in a DHCP protocol violation, and while many DHCP clients don't notice the problem, some (e.g., all Microsoft DHCP clients) do. Clients that have this problem will appear not to see DHCPOFFER messages from the server."

Type: route add -host 255.255.255.255 dev eth0

4. Create a configuration file and enter the setup information. Type:

vi /etc/dhcpd.conf


A sample configuration file that assigns IP addresses randomly from a pool. This can be done with the settings below (this text must be located in dhcpd.conf):

# Sample /etc/dhcpd.conf
# (add your comments here)
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.X.255;
option routers 10.10.X.254;
# 10.10.10.100 is the DNS server for LANs 2-4
option domain-name-servers 10.10.10.100, 128.194.178.1, 128.194.198.5;
option domain-name "tamu.edu";
# Replace X with your LAN number. dhcpd refuses to start if the range
# handed out does not lie inside the declared subnet.
subnet 10.10.X.0 netmask 255.255.255.0 {
  range 10.10.X.20 10.10.X.30;
}

This will result in the DHCP server giving a client an IP address from the range 10.10.X.20-10.10.X.30. It will lease an IP address for 600 seconds if the client doesn't ask for a specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 10.10.X.254 as the router/gateway and 10.10.10.100 and 128.194.178.1 as its DNS servers. Your task is to write the script to set up the DHCP server for your LAN.

Starting the server

There is only one thing to do before starting the server. In most cases the DHCP installation doesn't create a dhcpd.leases file. This file is used by dhcpd to store information about current leases. It is in plain text form, so you can view it during the operation of dhcpd. To create dhcpd.leases type:

6. touch /var/state/dhcp/dhcpd.leases

This will create an empty file (file size = 0). Some older versions of dhcpd 2.0 placed the file in /etc/dhcpd.leases. You do not need to make any changes to the leases file; it will be managed by dhcpd. If you get a message saying that the file exists, simply ignore it and go to the next step. You can now invoke the DHCP server. Simply type (or include in the bootup scripts):

/usr/sbin/dhcpd

This will invoke dhcpd on the eth0 device. If you want to invoke it on another device, simply supply it on the command line, e.g.

/usr/sbin/dhcpd eth1


To stop the server type the following

ps -A | grep dhcp
kill <pid>

Now we will start the server in debugging mode and keep it in the foreground. You can do this by typing:

7. /usr/sbin/dhcpd -d -f

Then boot up one of your clients and check the console of your server. You will see a number of debugging messages come up. If everything works out fine you are done :-). Quit dhcpd and start it without the -d and -f arguments. If you want dhcpd to start at boot-up, include dhcpd in e.g.

/etc/rc.d/rc.local

Client Setup

Save it and reboot your computer. Type winipcfg and check the IP address allotted, the lease time and the protocol functioning. Observe the message exchanges and how the DHCP protocol works.
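As an added illustration of the server configuration above (example code, not part of the lab manual or of ISC dhcpd), the following Python checks a minimal dhcpd.conf for the mistakes dhcpd rejects at start-up, such as a range that lies outside its subnet declaration or a router address off the served subnet, and computes the lease it would grant from default-lease-time and max-lease-time. The sample configuration is constructed from the lab template with X filled in as LAN 3.

```python
"""Sanity-check a minimal dhcpd.conf and compute the lease policy it implies.
Added example: not part of the lab manual or ISC dhcpd. It understands only the
statements used in the lab template (lease times, option lines, subnet/range)."""
import ipaddress
import re

# Constructed sample: the lab template with X filled in as LAN 3. The subnet
# declaration deliberately does not contain the range, the mistake to be caught.
SAMPLE_CONF = """\
# Sample /etc/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.3.255;
option routers 10.10.3.254;
option domain-name-servers 10.10.10.100, 128.194.178.1, 128.194.198.5;
option domain-name "tamu.edu";
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 10.10.3.20 10.10.3.30;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")


def parse_conf(text):
    """Return {'options': {name: [values]}, 'subnets': [...], '<global>': value}."""
    conf = {"options": {}, "subnets": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = SUBNET_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            current = {"network": net, "ranges": []}
            conf["subnets"].append(current)
            continue
        if line == "}":
            current = None
            continue
        stmt = line.rstrip(";")
        if stmt.startswith("range ") and current is not None:
            lo, hi = stmt.split()[1:3]
            current["ranges"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif stmt.startswith("option "):
            name, value = stmt[len("option "):].split(None, 1)
            conf["options"][name] = [v.strip().strip('"') for v in value.split(",")]
        else:
            key, value = stmt.split(None, 1)    # e.g. default-lease-time 600
            conf[key] = value
    return conf


def check_conf(conf):
    """List the problems dhcpd would reject or that would hand clients bad settings."""
    problems = []
    for sub in conf["subnets"]:
        net = sub["network"]
        for lo, hi in sub["ranges"]:
            if lo not in net or hi not in net:
                problems.append(f"range {lo}-{hi} is not inside subnet {net}")
            elif lo > hi:
                problems.append(f"range {lo}-{hi} has its bounds reversed")
        # the advertised router and broadcast address must be on the subnet served
        for opt in ("routers", "broadcast-address"):
            for addr in conf["options"].get(opt, []):
                if ipaddress.ip_address(addr) not in net:
                    problems.append(f"option {opt} {addr} is not inside subnet {net}")
    if int(conf.get("default-lease-time", 0)) > int(conf.get("max-lease-time", 0)):
        problems.append("default-lease-time exceeds max-lease-time")
    return problems


def granted_lease(conf, requested=None):
    """Lease in seconds: the default when the client asks for none, otherwise the
    requested time capped at max-lease-time (the behaviour described in the text)."""
    if requested is None:
        return int(conf["default-lease-time"])
    return min(requested, int(conf["max-lease-time"]))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for p in check_conf(conf):
        print("dhcpd.conf problem:", p)
    fixed = parse_conf(SAMPLE_CONF.replace("subnet 192.168.1.0", "subnet 10.10.3.0"))
    print("after fixing the subnet declaration:", check_conf(fixed) or "no problems")
    print("lease with no request:", granted_lease(fixed), "s; with 10000 s requested:",
          granted_lease(fixed, 10000), "s")
```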


Module 3

Basic Switching & Routing ENTC 425


Internetworking with Static Routes and VLANs

OBJECTIVE
Learn to internetwork sets of virtual local area networks (VLANs) using the Cisco Catalyst 2912 switch and the Cisco 2522 routers.

BACKGROUND

SWITCHING

The Cisco Catalyst 29xx switch is a managed switch with ‘xx’ ports.

Catalyst 29xx Switches

Protocols Supported:

• Ethernet: IEEE 802.3, 10BaseT

• Fast Ethernet: IEEE 802.3u, 100BaseTX

• VLAN trunking/tagging: IEEE 802.1Q

• Spanning-Tree Protocol: IEEE 802.1D

We will be learning to configure VLANs along with trunking and encapsulation of VLANs.

Cisco Discovery Protocol

CDP is a device-discovery protocol that is both media and protocol independent. CDP is available on all Cisco products, including routers, switches, bridges, and access servers. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN. CDP enables Cisco products to exchange information with each other regarding their MAC addresses, IP addresses, and outgoing interfaces. CDP runs over the data link layer only, which allows two systems that support different network-layer protocols to learn about each other. Each device configured for CDP sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive Simple Network Management Protocol (SNMP) messages.

Spanning Tree Protocol

STP is a bridge protocol that enables a learning bridge to dynamically work around loops in a network topology by creating a spanning tree. Bridges exchange BPDU messages with other bridges to detect loops and then remove the loops by shutting down selected bridge interfaces. STP maintains a network of multiple bridges or switches. When the topology changes, STP transparently reconfigures bridges and switches to avoid the creation of loops by placing ports in the forwarding or blocking state. Each bridge group has a separate instance of STP. STP parameters are set for each bridge group. For each spanning tree instance, you configure a set of global options with a set of port parameters. The port parameter list contains only ports that are members of a given bridge group. The Layer 3 switch routers support a maximum of 16 bridge groups, each running its own instance of spanning tree.

Virtual LANs

A VLAN configures switches and routers according to logical rather than physical topologies. Using VLANs, a network administrator can combine any collection of LAN segments within an internetwork into an autonomous user group, which appears as a single LAN. VLANs logically segment the network into different broadcast domains so that packets are switched only between ports within the VLAN. Typically, a VLAN corresponds to a particular subnet, although not necessarily.

Basics of Switching

Here’s how a switch works: as data passes through the switch, it examines the addressing information attached to each data packet. From this information, the switch determines the packet’s destination on the network. It then creates a virtual link to the destination and sends the packet there. The efficiency and speed of a switch depend on its algorithms, its switching fabric, and its processor. Its complexity is determined by the layer at which the switch operates in the OSI (Open Systems Interconnection) Reference Model (see above). Traditionally switches operate at layer 2 (MAC + PHY) with no knowledge of IP addresses. As computing power has advanced, some new switches provide a built-in router, thus adding layer 3 features.

Layer 2 Switches (The Data-Link Layer)

Layer 2 switches operate using physical network addresses. Physical addresses, also known as link-layer, hardware, or MAC-layer addresses, identify individual devices. Most hardware devices are permanently assigned this number during the manufacturing process. Switches operating at Layer 2 are very fast because they’re just sorting physical addresses, but they usually aren’t very smart; that is, they don’t look at the data packet very closely to learn anything more about where it’s headed.

Layer 3 Switches (The Network Layer)

Layer 3 switches use network or IP addresses that identify locations on the network. They read network addresses more closely than Layer 2 switches; they identify network locations as well as the physical device. A location can be a LAN workstation, a location in a computer’s memory, or even a different packet of data traveling through a network. Switches operating at Layer 3 are smarter than Layer 2 devices and incorporate routing functions to actively calculate the best way to send a packet to its destination. But although they’re smarter, they may not be as fast if their algorithms, fabric, and processor don’t support high speeds.

ROUTING

A router is a special-purpose computer, with lots of memory but no disk storage. Routers work at Layer 3 of the OSI model and route packets based on the destination address in the network layer. Bridges work at Layer 2 of the OSI model and forward packets based on the MAC address. A bridge does no routing; rather, it decides whether or not a packet received on one interface should be forwarded out the other based on the MAC address. Routers are capable of routing between different media, from Ethernet to Token Ring, for example. Most of today’s high-end routers are modular. They can be fitted with interfaces for multiple Ethernet segments, Token Ring segments, FDDI, HSSI (high speed serial interface), ATM, BRI, and standard serial interfaces. Modern routers are also multi-protocol; that is, they can route many different protocols between interfaces. Each router also has a console and auxiliary port used for maintenance, dial backup, and configuration. Routers route traffic based on the destination network or destination address. When configuring a router, each interface (except for the console/aux interface) needs to be told which network protocols will be routed (e.g. IP) and which routing protocol (e.g. RIP) should be used. In addition to IP, other common routed network protocols include Novell (IPX/SPX), AppleTalk, DECnet, Banyan VINES, OSI, and others. Other common routing protocols include RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), EIGRP (Enhanced IGRP), OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol). The routing protocols allow routers to exchange routing information.

The Cisco Router Console Interface

All Cisco routers have at least a console port, a 25-pin female serial port or an 8-pin RJ45 female port. To access the router, you need to connect a serial cable between the console port of a router and a PC’s serial port. Then you can access the router through a Telnet program. Attach one end of the console cable to the serial port on the PC and the other end to the console port on the selected router. To talk to the router, use Start>Run>Telnet <router ip address>.

INTERNETWORK OPERATING SYSTEM (IOS)

Basics of Cisco IOS: all Cisco networking devices have an operating system called the Internetwork Operating System. There are 4 different modes of operation of the IOS: the ROM Monitor mode, which is the mode when the IOS is not loaded; the EXEC command mode, when the user logs in to the networking device; the Enable prompt, which is a privileged mode; and the Configuration mode. Only user level commands can be executed at the > prompt. User level commands are mainly the show commands. As you will see later, these are very useful in troubleshooting a routing problem. Configuration changes must be made at enable level; they will not work at user level. Enable level allows you to actually change the configuration settings on the router, including set-up of interfaces and configuring IP addresses. To enter enable level, you must type enable at the user level prompt >.

User EXEC Mode

The default command mode for the CLI is user EXEC mode. The EXEC commands available at the user EXEC level are a subset of those available at the privileged EXEC level. In general, the user EXEC commands allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information. The prompt for user EXEC mode is the name of the device followed by an angle bracket: Router>.

Privileged EXEC Mode

Privileged EXEC mode is password protected, and allows the use of all EXEC mode commands available on the system. To enter privileged EXEC mode from user EXEC mode, use the enable command. Privileged EXEC mode allows access to global configuration mode through the use of the enable command. The privileged EXEC mode prompt consists of the device’s host name followed by the pound sign: Router#.


Global Configuration Mode

Global configuration commands generally apply to features that affect the system as a whole, rather than just one protocol or interface. You can also enter any of the specific configuration modes listed in the following section from global configuration mode. To enter global configuration mode, use the configure terminal privileged EXEC command. The router prompt for global configuration mode is indicated by the term config in parentheses: Router(config)#.

ROM Monitor Mode

If your router or access server does not find a valid system image to load, the system will enter read-only memory (ROM) monitor mode. ROM monitor (ROMMON) mode can also be accessed by interrupting the boot sequence during startup. From ROM monitor mode, you can boot the device or perform diagnostic tests. To enter ROM monitor mode, use the Break key (Cntl-C) during the first 60 seconds of start-up. The router prompt is indicated by an angle bracket by itself or the term rommon followed by a number and an angle bracket: > or rommon 1 >.


VLAN Tutorial:

[Figure: two workstations, IP 172.16.1.1/24 and IP 172.16.1.2/24, connected to a Cisco 29XX switch]

1. Log onto the 29XX switch.

2. Switch to enable mode.

3. Do a ‘show vlan’ and ‘show vtp status’ to see if there are any VLANs configured and the VTP domain name and operating mode.

4. Set your domain name using these commands:

Switch#vlan database
Switch(vlan)#vtp domain telecom

5. Set up 2 workstations, one with IP address 172.16.1.1 and the other 172.16.1.2; the netmask for both is 255.255.255.0.

6. Connect workstation 1 to port 1 of the switch, and workstation 2 to port 9 of the switch.

7. By default, every port of the switch is a member of VLAN 1 (the native VLAN). Check this by doing a ‘show vlan’.

8. Test and make sure the 2 workstations can ping each other.

9. Add a VLAN to the switch. Go back to ‘vlan database’ mode and enter:

Switch(vlan)#vlan 2 name telecom1

10. Do a ‘show vlan’ to see that it has been entered.

11. Associate ports 9 and 10 with VLAN 2:

Switch#config t
Switch(config)#int fast 0/9
Switch(config-if)#switchport access vlan 2
Switch(config-if)#int fast 0/10
Switch(config-if)#switchport access vlan 2


12. Try pinging one workstation from the other (you should not be able to). Even though both workstations are configured on the same subnet, and are also physically connected to the same switch, they cannot see each other because they are now in 2 different broadcast domains.

13. Move the RJ45 jack from port 1 (VLAN 1) to port 10 (VLAN 2). The stations should now be able to ping each other once again since they are now both members of VLAN 2 (remember to wait for the LED to turn from amber to green).

14. Now let’s remove VLAN 2 from the switch’s configuration:

Switch#vlan database
Switch(vlan)#no vlan 2

15. Verify that VLAN 2 is now deleted with ‘show vlan’. Notice that entries for ports Fa0/9 and Fa0/10 are missing!

16. Check the running-config with ‘sh run’. Notice that they are still configured for VLAN 2. The ports must now be reverted back to the native VLAN 1:

Switch#config t
Switch(config)#int fast 0/9
Switch(config-if)#no switchport access vlan 2
Switch(config-if)#int fast 0/10
Switch(config-if)#no switchport access vlan 2

17. The switch is now configured with every port back as a member of VLAN 1.
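The behaviour observed in steps 8, 12 and 13 can be reproduced with a small model of a VLAN-aware learning switch. This is an added example (not the lab’s or Cisco’s code) with constructed MAC addresses; it generalizes the tutorial to any number of ports and access VLANs.

```python
"""A VLAN-aware learning switch in miniature: frames are learned, forwarded and
flooded per VLAN, so ports in different access VLANs never exchange frames.
Added example, not Cisco code; the MAC addresses are constructed."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_count=12):
        # every port starts as an access port in the native VLAN 1 (step 7)
        self.access_vlan = {p: 1 for p in range(1, port_count + 1)}
        self.mac_table = {}      # (vlan, mac) -> port, learned from source addresses
        self.attached = {}       # port -> MAC of the station cabled to it

    def connect(self, port, mac):
        """Plug a station into a port (moving a cable unplugs it elsewhere)."""
        self.attached = {p: m for p, m in self.attached.items() if m != mac}
        self.attached[port] = mac
        # forget stale entries so the station is re-learned on its new port
        self.mac_table = {k: v for k, v in self.mac_table.items() if k[1] != mac}

    def switchport_access_vlan(self, port, vlan):
        """Switch(config-if)#switchport access vlan <vlan>; the 'no' form is vlan=1."""
        self.access_vlan[port] = vlan
        self.mac_table = {k: v for k, v in self.mac_table.items() if v != port}

    def forward(self, ingress, src, dst):
        """Return the egress ports for a frame arriving on `ingress`."""
        vlan = self.access_vlan[ingress]
        self.mac_table[(vlan, src)] = ingress          # learn the sender
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            return [] if out == ingress else [out]
        # broadcast or unknown unicast: flood, but only within this VLAN
        return [p for p, v in self.access_vlan.items() if v == vlan and p != ingress]


def can_reach(sw, mac_a, mac_b):
    """ARP-style exchange: A broadcasts a request, B answers unicast.
    True only if both frames are delivered, i.e. A and B share a broadcast domain."""
    port_a = next(p for p, m in sw.attached.items() if m == mac_a)
    port_b = next(p for p, m in sw.attached.items() if m == mac_b)
    if port_b not in sw.forward(port_a, mac_a, BROADCAST):
        return False
    return port_a in sw.forward(port_b, mac_b, mac_a)


def tutorial_walkthrough():
    """Replay steps 6-13; returns the three ping results [True, False, True]."""
    sw = Switch()
    ws1, ws2 = "00:00:0c:00:00:01", "00:00:0c:00:00:02"   # constructed MACs
    sw.connect(1, ws1)
    sw.connect(9, ws2)
    results = [can_reach(sw, ws1, ws2)]          # step 8: both in VLAN 1
    sw.switchport_access_vlan(9, 2)              # step 11
    sw.switchport_access_vlan(10, 2)
    results.append(can_reach(sw, ws1, ws2))      # step 12: two broadcast domains
    sw.connect(10, ws1)                          # step 13: move the cable to port 10
    results.append(can_reach(sw, ws1, ws2))
    return results


if __name__ == "__main__":
    print("ping results for steps 8, 12, 13:", tutorial_walkthrough())
```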


Static Route Configuration Tutorial:

This tutorial should be performed on the Cisco 2514 routers at the lab stations. The idea is to familiarize you with the commands so you can perform the procedures.

1. Establish a HyperTerminal connection from a laboratory station to the router (note: three routers are provided, so three people should be performing this simultaneously!!!!)

2. Password: Netlab

3. Enable Password: letmein

When you first connect to the router and provide the password, you enter EXEC mode, the first mode in which you can issue commands from the command line. From here you can use such unprivileged commands as ping, telnet, and rlogin. You can also use some of the show commands to obtain information about the system. In unprivileged mode you use commands like show version to display the version of the IOS the router is running. Typing show ? will display all the show commands available in the mode you are presently in.

4. Router>show ?

The prompt for EXEC mode is Router>. The command for help is ‘show ?’. Once you hit enter after typing ‘show ?’, the various commands will be displayed.

5. Go through each option and get an idea of what each command does. To do this you type ‘show command-name’. Also familiarize yourselves with what options each command supports. Then type the command at the command line and see the output.

You must enter privileged mode to configure the router. You do this by using the command enable. Privileged mode will usually be password protected unless the router is unconfigured. When you issue the command enable and provide the password, you will enter privileged mode.

6. Router>enable

To help the user keep track of what mode they are in, the command-line prompt changes each time you enter a different mode. When you switch from unprivileged mode to privileged mode, the prompt changes from Router> to Router#.

The router functions in many modes. The normal or EXEC mode has the router name at the prompt. The enable mode allows you to make changes to the router setup. This is characterized by the Router# prompt. The config mode allows you to make changes to the NVRAM (Non-Volatile RAM) of the router directly. This has the Router(config)# prompt. You can reach enable mode by typing enable. Similarly you can reach the configuration mode by typing config. You will quit the mode by typing ‘end’ or ‘exit’.

Configuring

If you have just turned on the router, it will be completely unconfigured. If it is already configured, you may want to view its current configuration. Even if it has not been previously configured, you should familiarize yourself with the show commands before beginning to configure the router. Enter privileged mode by issuing the command enable, then issue several show commands to see what they display. Remember, the command show ? will display all the show commands available in the current mode. Definitely try out the following commands:

7. Router#show interfaces
Router#show ip protocols
Router#show ip route
Router#show ip arp

When you enter privileged mode by using the command enable, you are in the top-level mode of privileged mode, also known in this document as "parent mode." It is in this top-level or parent mode that you can display most of the information about the router. As you now know, you do this with the show commands. Here you can learn the configuration of interfaces and whether they are up or down. You can display what IP protocols are in use, such as dynamic routing protocols. You can view the route and ARP tables, and these are just a few of the more important options. As you configure the router, you will enter various sub-modes to set options, then return to the parent mode to display the results of your commands. You also return to the parent mode to enter other sub-modes. To return to the parent mode, you hit ctrl-z. This puts any commands you have just issued into effect, and returns you to parent mode.

Global configuration (config)

To configure any feature of the router, you must enter configuration mode. This is the first sub-mode of the parent mode. In the parent mode, you issue the command config.

8. Router#config

Router(config)#

As demonstrated above, the prompt changes to indicate the mode that you are now in. In configuration mode you can set options that apply system-wide, also referred to as "global configurations." For instance, it is a good idea to name your router so that you can easily identify it. You do this in configuration mode with the hostname command.


9. Router(config)#hostname Cisco2500
Cisco2500(config)#

As demonstrated above, when you set the name of the host with the hostname command, the prompt immediately changes by replacing Router with Cisco2500. (Note: It is a good idea to name your routers with an organized naming scheme.)

Setting up DNS

Another useful command issued from config mode is the command to designate the DNS server to be used by the router:

10. Router(config)#ip name-server aa.bb.cc.dd
Router(config)#ctrl-Z
Router#

Configuring interfaces

The Cisco 2500 has 2 Ethernet ports, Ethernet 0 and Ethernet 1. Therefore, to display the configuration of an interface you use the command:

11. Router#show interface ethernet 1
Router#show interface ethernet 0

Here is an example of configuring an Ethernet port with an IP address:

12. Router#config t
Router(config)#interface Ethernet 0
Router(config-if)#ip address 192.168.155.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#<ctrl-Z>
Router#

Then to verify configuration:

13. Router#show interface ethernet 0

Note the no shutdown command. An interface may be correctly configured and physically connected, yet be "administratively down." In this state it will not function. The command for causing an interface to be administratively down is shutdown. In the Cisco IOS, the way to reverse or delete the results of any command is to simply put no in front of it. For instance, if we wanted to unassign the IP address we had assigned to interface Ethernet 0:

14. Router#config t
Router(config)#interface Ethernet 0
Router(config-if)#no ip address 192.168.155.2 255.255.255.0
Router(config-if)#ctrl-Z
Router#

Configuring most interfaces for LAN connections might consist only of assigning a network layer address and making sure the interface is not administratively shut down.

Static Routing

IP routing is automatically enabled on Cisco routers. If it has been previously disabled on your router, you turn it back on in config mode with the command ip routing.

15. Router(config)#ip routing
Router(config)#ctrl-Z

There are two main ways a router knows where to send packets. The administrator can assign static routes, or the router can learn routes by employing a dynamic routing protocol. These days static routes are generally used in very simple networks or in particular cases that necessitate their use. To create a static route, the administrator tells the router operating system that any network traffic destined for a specified network layer address should be forwarded to a similarly specified network layer address. In the Cisco IOS this is done with the ip route command.

16. Router#config
Router(config)#ip route 10.10.0.0 255.255.255.0 10.10.150.1
Router(config)#ctrl-Z
Router#show ip route

Two things should be said about this example. First, the packet destination address must include the subnet mask for that destination network. Second, the address it is to be forwarded to is the specified address of the next router along the path to the destination. This is the most common way of setting up a static route, and the only one this document covers. Be aware, however, that there are other methods.

Setting up Gateway of Last Resort

It is necessary to set the default gateway. This identifies the default router that takes care of a packet to be routed when there is no match for the packet’s IP address in the routing table.

17. Router#config
Router(config)#ip route 0.0.0.0 0.0.0.0 10.10.150.1
Router(config)#ctrl-Z
Router#show ip route
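An added example (not IOS code) of how the router resolves the entries from steps 12, 16 and 17: a routing table that applies longest-prefix matching, falls back to the 0.0.0.0/0 gateway of last resort only when nothing more specific matches, and shows why a mask of 255.255.255.0 on 0.0.0.0 would cover only the 0.0.0.0/24 block rather than act as a default. The next-hop values are the addresses used in the tutorial above.

```python
"""Longest-prefix-match routing table modelling the ip route statements above.
Added example, not Cisco IOS code; next hops are the tutorial's example addresses."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = {}   # ip_network -> next hop (gateway address or interface)

    def ip_route(self, network, mask, next_hop):
        """Router(config)#ip route <network> <mask> <next-hop>"""
        self.routes[ipaddress.ip_network(f"{network}/{mask}")] = next_hop

    def no_ip_route(self, network, mask):
        """Router(config)#no ip route <network> <mask> ..."""
        self.routes.pop(ipaddress.ip_network(f"{network}/{mask}"), None)

    def lookup(self, destination):
        """Return the next hop for destination, or None when no entry matches
        (the router then has nowhere to send the packet and drops it)."""
        dst = ipaddress.ip_address(destination)
        matches = [net for net in self.routes if dst in net]
        if not matches:
            return None
        # the most specific (longest) prefix wins; 0.0.0.0/0 matches every
        # address but has length 0, so it is used only as a last resort
        best = max(matches, key=lambda net: net.prefixlen)
        return self.routes[best]

    def show_ip_route(self):
        """The entries in the order 'show ip route' is read: most specific first."""
        ordered = sorted(self.routes.items(), key=lambda r: -r[0].prefixlen)
        return [(str(net), hop) for net, hop in ordered]


def tutorial_table():
    """The entries built up in steps 12, 16 and 17 of the tutorial."""
    rt = RoutingTable()
    rt.ip_route("192.168.155.0", "255.255.255.0", "Ethernet0")   # connected (step 12)
    rt.ip_route("10.10.0.0", "255.255.255.0", "10.10.150.1")     # static route (step 16)
    rt.ip_route("0.0.0.0", "0.0.0.0", "10.10.150.1")             # last resort (step 17)
    return rt


def wrong_default_table():
    """Same table, but the default entered with a /24 mask: it is not a default."""
    rt = tutorial_table()
    rt.no_ip_route("0.0.0.0", "0.0.0.0")
    rt.ip_route("0.0.0.0", "255.255.255.0", "10.10.150.1")
    return rt


if __name__ == "__main__":
    rt = tutorial_table()
    for net, hop in rt.show_ip_route():
        print(f"{net:20} via {hop}")
    print("128.194.178.1 ->", rt.lookup("128.194.178.1"))
    print("with a /24 'default':", wrong_default_table().lookup("128.194.178.1"))
```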


Dynamic routing protocols, running on connected routers, enable those routers to share routing information. This enables routers to learn the routes available to them. The advantage of this method is that routers are able to adjust to changes in network topologies. If a route is physically removed, or a neighbor router goes down, the routing protocol searches for a new route. Routing protocols can even dynamically choose between possible routes based on variables such as network congestion or network reliability. We will do them in our next lab.

Saving your configuration

Once you have configured routing on the router, and you have configured individual interfaces, your router should be capable of routing traffic. Give it a few moments to talk to its neighbors, then issue the commands show ip route and show ip arp. There should now be entries in these tables learned from the routing protocol. If you turned the router off right now, and turned it on again, you would have to start configuration over again. Your running configuration is not saved to any permanent storage media. You can see this configuration with the command show running-config.

18. Router#show running-config

You do want to save your successful running configuration. Issue the command copy running-config startup-config.

19. Router#copy running-config startup-config

Your configuration is now saved to non-volatile RAM (NVRAM). Issue the command

20. Router#show startup-config

Now any time you need to return your router to that configuration, issue the command copy startup-config running-config.

Router#copy startup-config running-config

Troubleshooting

Inevitably, there will be problems. Usually, it will come in the form of a user notifying you that they cannot reach a certain destination, or any destination at all. You will need to be able to check how the router is attempting to route traffic, and you must be able to track down the point of failure. You are already familiar with the show commands, both specific commands and how to learn what other show commands are available. Some of the most basic, most useful commands you will use for troubleshooting are:


21. Router#show interfaces
Router#show ip protocols
Router#show ip route
Router#show ip arp

Testing connectivity

It is very possible that the point of failure is not in your router configuration, or at your router at all. If you examine your router's configuration and operation and everything looks good, the problem might be farther up the line. In fact, it may be the line itself, or it could be another router, which may or may not be under your administration. One extremely useful and simple diagnostic tool is the ping command. Ping is an implementation of the Internet Control Message Protocol (ICMP). Ping sends an ICMP echo request to a destination IP address. If the destination machine receives the request, it responds with an ICMP echo response. This is a very simple exchange that consists of:

22. Router#ping xx.xx.xx.xx

If the ping test is successful, you know that the destination you are having difficulty reaching is alive and physically reachable. If there are routers between your router and the destination you are having difficulty reaching, the problem might be at one of the other routers. Even if you ping a router and it responds, it might have other interfaces that are down, its routing table may be corrupted, or any number of other problems may exist. To see where packets that leave your router for a particular destination go, and how far, use the trace command.

23. Router#trace xx.xx.xx.xx

It may take a few minutes for this utility to finish, so give it some time. It will display a list of all the hops it makes on the way to the destination.

debug commands

The debug command is one of the key diagnostic tools for troubleshooting difficult problems on a router. debug enables monitoring points in the IOS and generates messages that describe what the IOS is doing and seeing. Beware – some debug options create so many messages that the IOS cannot process them all, possibly crashing the IOS. Some helpful debug commands:

no debug all: disables all debugs
debug ip packet: issues log messages for each IP packet sent and received
debug ip icmp: issues log messages for ICMP echo replies (ping responses)
debug ip rip: issues log messages for each RIP update


Router Examination Commands

Router examination commands are Cisco IOS commands that are used to examine the status of a router. Each command permits examination of a different configurable component of the router. Some of them are show version, show processes, show buffers, show protocols, show ip protocol, show memory, show ip route, show flash, show interfaces. Try the commands and observe the output. The most important command, which you will use pretty often, will be the ‘ip’ command.

At this point you should be familiar with the different commands available from the command line.

Setting up the LAN

24. Now take a look at the link states for each link connected to the router.

Router(enable)# show ip interfaces

This will show which links are active, which are down, which are configured but not in use yet and which are not configured at all.

25. View the routing table

Router(enable)# show ip route

Adding Static Routes

The commands to add and delete an entry in the routing table are:

ip route <network address> <mask> <router/gateway>
no ip route <network address> <mask> <router/gateway>

26. First add the Domain Name Server

Router(config)# ip name-server <ip address>

27. Add the default route

Router(config)# ip route 0.0.0.0 0.0.0.0 <proxy’s address>

28. Ping within the subnet and also try reaching a remote site. Troubleshoot your configuration until you can achieve this.


REFERENCE

Tanenbaum provides an excellent introduction to routers and routing protocols in the “Network Layer” chapter of his book. It is a good idea to review routing tables and routing protocols. You can also go to the websites listed below to review a very nicely presented introduction to routing schemes and protocols.

http://www.nv.cc.va.us/home/kmorneau/tcp-ip/routing/
http://www.nv.cc.va.us/home/kmorneau/tcp-ip/IPRoute.htm
http://www.nv.cc.va.us/home/kmorneau/tcp-ip/ospf/
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/index.htm
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rip.htm
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm


PROCEDURE I: Simple Inter-Network

Set up the following simple network using one router and the 2912 switch. Configure two VLANs on the switch and use the IP addresses shown in the figure. Check your configuration by using the ping and traceroute commands. You will be required to perform an FTP transfer between the MS 2K machine and your LINUX server. You should also be able to access the Apache webserver from any machine. Have the TA check off your completed network. HINT: Don’t forget to set default routes in the terminals!

[Figure: router R 2522 with eth0 IP 192.168.1.254 255.255.255.0 and eth1 IP 192.168.5.254 255.255.255.0, connected to switch S 2912 (VLAN A, VLAN B) and to hosts MS 98, MS 2K, LINUX and LINUX with addresses 192.168.5.15, 192.168.5.10, 192.168.1.5 and 192.168.1.10, all with mask 255.255.255.0]


PROCEDURE II: Advanced Inter-Network

Set up the following network using all three routers and the 2912 switch. Configure three VLANs on the switch and use the IP addresses shown in the figure. You should begin by configuring the VLANs and making sure you cannot ping between the networks. Then configure/connect ‘router 3’ and make sure you can ping from the LINUX box to the MS 2K machine. Now proceed with the other devices. The ONLY way to successfully implement a network is through piece-wise implementation and verification of success. Check your configuration by using the ping and traceroute commands. You will be required to perform an FTP transfer between the MS 2K machine and your LINUX server. You should also be able to access the Apache webserver from any machine. You have just configured:

1. A campus network with ‘router 3’ and an edge router (router 2)
2. A wide-area connection to a webserver connected through router 1

Have the TA check off your completed network.

[Figure: Router 1, Router 2 and Router 3 connected to switch S 2912 (VLAN A, VLAN B, VLAN C) and to hosts MS 98, MS 2K, LINUX and LINUX. Router interfaces: eth0 IP 172.16.20.254, eth0 IP 172.16.10.4, eth1 IP 172.16.10.254, eth0 IP 192.168.1.4, eth0 IP 172.16.1.254, eth1 IP 192.168.1.5, all with mask 255.255.255.0. Host addresses: 172.16.20.4, 172.16.10.6, 172.16.10.5, 172.16.1.4, all with mask 255.255.255.0]


Prelab Questions:

1. What is packet switching? Specifically, explain how a device can ensure that two packets arriving simultaneously can both exit the same port without collisions. What is the major advantage of switching over hubs? Given the answers to the above questions, draw a conclusion about the limiting factors of a switch (be specific and explain your answer; there is a lot of literature available discussing the design limitations of a switch).
2. What are VLANs and how do they differ from ordinary LANs?
3. Explain ISL trunking in no less than 2 pages (include diagrams).
4. What are the benefits of hierarchical routing and of flat routing?
5. What is a static route and what is a dynamic route?

Lab Questions:

1. Describe the pros and cons of packet switching vs. circuit switching.
2. What are the advantages of using VLANs?
3. Give a practical scenario where VLANs can be used.
4. Design question

Questions

1. Which PCs can reach (or view) each other at Layer 2 (show all combinations)?
2. Can PC 3 reach PC 1? What addresses must PC 3 know (be careful) to be able to send packets to PC 1?
3. If PC 1 only has the IP address of PC 5, how would it communicate with PC 5? Show all the steps.
4. If PC 2 only knows the MAC address of PC 5, how would it communicate with PC 5?
5. If there were no VLANs, would this change your answer to the previous question? Go back over each of the first four questions and state your new answer (if it changed) assuming all three VLANs were removed and all the PCs were on the same LAN.

Figure for the design question (reconstructed from the diagram labels): six PCs, PC 1 through PC 6, attached to a switch configured with VLAN A, VLAN B and VLAN C. The PC-to-VLAN assignment is not recoverable from the extracted text; use the diagram in the original handout.


Module 4

Advanced Switching & Routing ENTC 425


Advanced Networking – Dynamic Routing Protocols

OBJECTIVE
Learn to implement 802.1q trunking between LANs. Learn to implement and analyze the dynamic routing protocols RIP and OSPF.

INTRODUCTION (VLAN)
Virtual LANs enable network managers to group users logically rather than by physical location. A virtual LAN (VLAN) is an emulation of a standard LAN that allows data transfer and communication to occur without the traditional restraints placed on the network. It can also be considered a broadcast domain set up within a switch. With VLANs a switch can carry more than one subnet (one per VLAN), and routers and switches can support multiple subnets on a single physical link. A group of devices that belong to the same VLAN but are attached to different LAN segments are configured to communicate as if they were on the same segment. The Catalyst 4000 Layer 3 Services module discussed later in this introduction supports up to 244 VLAN subinterfaces per system. VLANs separate traffic efficiently and make good use of bandwidth. They also ease scaling by logically segmenting the physical LAN into subnetworks, so that frames are switched only between ports in the same VLAN; this is useful for security, broadcast containment and accounting. Keep in mind that a VLAN is a Layer 2 boundary only: hosts in different VLANs still reach each other through whatever router connects the VLANs, so any security gained from the separation depends on what that router (and its access lists) permits.

Trunking
A trunk is a physical point-to-point Ethernet link that carries multiple "virtual" links, relieving the physical port constraint. Trunks carry the traffic of multiple VLANs over a single link and allow VLANs to be extended across an entire network. The purpose of a trunk is to save ports when creating a link between two devices implementing VLANs, typically two switches. In the following diagram we have two VLANs that we want available on two switches, Sa and Sb. The first, easy method is to create two physical links between the devices, each one carrying the traffic for one VLAN:

Experiment 6 (ENTC 425)


Of course, this solution does not scale. If we wanted to add a third VLAN, we would need to sacrifice two additional ports. The design is also inefficient in terms of load sharing; the traffic on some VLANs may not justify a dedicated link. A trunk bundles the virtual links over one physical link, as shown in the next diagram:

Here the single physical link between the two switches carries traffic for any VLAN. To achieve this, each frame sent on the link is tagged by Sa so that Sb knows which VLAN it belongs to. Different tagging schemes exist. The most common for Ethernet segments are:

• ISL (the original Cisco-proprietary Inter-Switch Link protocol)
• 802.1q (the IEEE standard we will focus on in this document)

Basic Characteristics of 802.1q Trunking

Tagging Mechanism
802.1q uses an internal tagging mechanism. Internal means that a tag is inserted within the frame (with ISL, the whole frame is encapsulated in a new header and trailer instead):

Note that on an 802.1q trunk one VLAN is NOT tagged. This VLAN, named the native VLAN, must be configured the same on each side of the trunk; that is how a receiver deduces which VLAN an untagged frame belongs to. A native-VLAN mismatch silently merges two VLANs, and untagged frames are also what the double-tagging trick relies on to let a host in the native VLAN inject frames into another VLAN, so keep the native VLAN consistent on both ends and do not put user ports in it. The tagging mechanism modifies the frame: the trunking device inserts a 4-byte tag and recomputes the frame check sequence (FCS):


The EtherType field identifying an 802.1q frame is 0x8100 (the Tag Protocol Identifier). The two bytes that follow form the Tag Control Information: a 12-bit VLAN ID, 3 bits of 802.1p priority and a 1-bit flag (the CFI, later renamed Drop Eligible Indicator). Also note that inserting a tag into a frame that already has the maximum Ethernet size creates a 1522-byte frame that older equipment may treat as a "baby giant"; the IEEE 802.3ac amendment raised the maximum standard frame size to 1522 bytes to address this.

Encapsulation
Routing between VLANs is achieved by carrying the frames of each VLAN across the router link in a trunking encapsulation. Two methods are used:

a. Inter-Switch Link (ISL): ISL is a Cisco-proprietary trunking encapsulation.
b. IEEE 802.1Q: 802.1Q is an industry-standard trunking encapsulation.
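The tag layout described above, as an added example in Python (not code from the lab manual or from any Cisco product): it inserts a 4-byte 802.1q tag into a constructed untagged frame, parses the tag back out, strips it again the way an access port does, shows the 1522-byte "baby giant" arithmetic and recomputes the FCS as a CRC-32. The MAC addresses and payload are made up for the example; the field layout (TPID 0x8100, then 3-bit priority, 1-bit CFI/DEI, 12-bit VLAN ID) follows the standard.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1q tag
TAG_LEN = 4
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
FCS_LEN = 4


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, pcp=0):
    """Insert a tag after the source MAC of an untagged frame (frame given without FCS)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame is already tagged")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame):
    """Decode the VLAN fields; an untagged frame belongs to the native VLAN (vid None)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def untag_frame(frame):
    """What an access port does on egress: strip the tag before handing the frame to the host."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def wire_length(payload_len, tagged):
    """On-wire size including FCS: a 1500-byte payload is 1518 untagged and 1522 tagged."""
    return ETH_HDR_LEN + (TAG_LEN if tagged else 0) + payload_len + FCS_LEN


def append_fcs(frame):
    """Ethernet FCS is CRC-32 (same polynomial as zlib), transmitted least-significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def demo():
    """Constructed sample: tag a frame for VLAN 3 with priority 5 and read it back."""
    dst = bytes.fromhex("001122334455")           # made-up MAC addresses
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45\x00" + b"\x00" * 58          # 60 bytes standing in for an IPv4 packet
    untagged = dst + src + struct.pack("!H", 0x0800) + payload
    tagged = tag_frame(untagged, vid=3, pcp=5)
    assert untag_frame(tagged) == untagged         # the access port restores the original frame
    return parse_frame(tagged)


if __name__ == "__main__":
    print(demo())
    print("tagged maximum frame on the wire:", wire_length(1500, tagged=True), "bytes")
```

Run it and compare the printed dictionary with an Ethereal capture taken on the trunk: the two bytes after the source MAC are 81 00, the next two carry the priority in their top three bits and the VLAN ID in the low twelve, and the original EtherType (08 00 for IP) follows the tag.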

IEEE 802.1Q VLAN Encapsulation
802.1Q VLAN encapsulation uses a one-level packet tagging scheme to multiplex VLANs across a single physical link while maintaining strict separation between the individual VLAN domains. 802.1Q can have access ports (untagged ports) where frames are assigned to a VLAN based on the port VLAN identifier (PVID), the native VLAN for the port. It can also have trunk ports where some frames are tagged and others are untagged (those belong to the native VLAN). The standard itself defines a single spanning tree across the trunk; Cisco's implementation runs Per VLAN Spanning Tree Plus (PVST+), which maps its per-VLAN spanning trees onto the single spanning tree of pure 802.1Q switches. IEEE 802.1Q VLAN encapsulation is supported over the internal and external gigabit router ports.

Inter-Switch Link VLAN Encapsulation
The Layer 3 switching software also supports Inter-Switch Link (ISL) encapsulation over the external Gigabit Ethernet ports, including when they are configured as a Gigabit EtherChannel (GEC). The Catalyst 4003 and 4006 Layer 3 Services module can be deployed in environments using the ISL trunking protocol and can route between external gigabit ports running ISL and internal gigabit ports running 802.1Q. External ports support ISL, which uses one PVST+ instance per VLAN over ISL trunks.


INTRODUCTION (Dynamic Routing Protocols)

Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is a distance-vector protocol that uses hop count as its metric. RIP is an interior gateway protocol (IGP), which means that it performs routing within a single autonomous system; it is widely deployed in small and medium-sized networks, while exterior gateway protocols such as the Border Gateway Protocol (BGP) perform routing between autonomous systems. The latest enhancement to RIP is the RIP 2 specification, which allows more information (notably subnet masks) to be included in RIP packets and adds an authentication mechanism. The basic RIP 2 authentication is a password carried in clear text in every update, so anyone who can capture the updates can forge them; prefer the keyed MD5 variant where the equipment supports it, and never treat RIP updates as trustworthy on a segment that untrusted hosts can reach.

Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by one, and the sender is recorded as the next hop. RIP routers keep only the best "next hop" (the route with the lowest metric value) to a destination. After updating its routing table, the router immediately begins transmitting routing updates (triggered updates) to inform other routers of the change. These updates are sent independently of the regularly scheduled updates.

RIP Routing Metric
RIP uses a single routing metric (hop count) to measure the distance between the source and a destination network. Each hop in a path from source to destination is assigned a hop-count value, which is typically 1. When a router receives a routing update that contains a new or changed destination-network entry, the router adds one to the metric value indicated in the update and enters the network in the routing table. The IP address of the sender is used as the next hop. RIP prevents routing loops from continuing indefinitely by limiting the number of hops allowed in a path from source to destination. The maximum number of hops in a path is 15. If a router receives a routing update that contains a new or changed entry, and increasing the metric by one makes it infinity (that is, 16), the destination is considered unreachable.

RIP Stability Features
To adjust for rapid network-topology changes, RIP specifies a number of stability features that are common to many routing protocols. RIP implements the split-horizon and hold-down mechanisms to prevent incorrect routing information from being propagated: split horizon suppresses, on a given interface, the routes that were learned through that interface (or, with poison reverse, re-advertises them with metric 16), and hold-down ignores new information about a route that has just been marked unreachable for a fixed period, so that a stale update from a neighbour cannot reinstate it. In addition, the RIP hop-count limit prevents routing loops from continuing indefinitely.
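The update rule, the hop limit and split horizon described above, as an added example in Python (not code from the lab manual or from Cisco IOS). It models one RIP router's table and lets a constructed four-router chain converge; a directly connected network carries hop count 0 here (the count Cisco displays for a neighbour's network is then 1) and 16 is infinity. The router and network names are made up.

```python
INFINITY = 16  # RIP metric meaning "unreachable"


class RipRouter:
    """One router's distance-vector table: dest -> (hop count, next hop)."""

    def __init__(self, name, connected):
        self.name = name
        # directly connected networks: 0 hops, no next hop (modelling choice, see lead-in)
        self.table = {net: (0, None) for net in connected}

    def receive_update(self, neighbour, entries):
        """Apply an update {dest: metric} heard from `neighbour`; return the dests that changed."""
        changed = []
        for dest, advertised in entries.items():
            metric = min(advertised + 1, INFINITY)   # one more hop to get there via neighbour
            current = self.table.get(dest)
            if current is None:
                if metric < INFINITY:               # never install an unreachable route
                    self.table[dest] = (metric, neighbour)
                    changed.append(dest)
            elif current[1] == neighbour:
                # news from the current next hop is always believed, even when worse:
                # that is how a withdrawn route (metric 16) propagates
                if metric != current[0]:
                    self.table[dest] = (metric, neighbour)
                    changed.append(dest)
            elif metric < current[0]:               # a strictly better path wins
                self.table[dest] = (metric, neighbour)
                changed.append(dest)
        return changed

    def advertisement_for(self, neighbour, poison_reverse=False):
        """Build the update sent towards `neighbour` under split horizon: routes learned
        from that neighbour are left out (or sent back as 16 with poison reverse)."""
        update = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == neighbour:
                if poison_reverse:
                    update[dest] = INFINITY
                continue
            update[dest] = metric
        return update

    def reachable(self, dest):
        entry = self.table.get(dest)
        return entry is not None and entry[0] < INFINITY


def converge(routers, links, max_rounds=20):
    """Exchange updates over every link until a full round changes nothing.
    Returns the number of rounds taken, or None if the tables did not settle."""
    for rnd in range(1, max_rounds + 1):
        any_change = False
        for a, b in links:
            for sender, receiver in ((a, b), (b, a)):
                update = routers[sender].advertisement_for(receiver)
                if routers[receiver].receive_update(sender, update):
                    any_change = True
        if not any_change:
            return rnd
    return None


def build_chain():
    """Constructed topology A - B - C - D, each router owning one stub network."""
    routers = {n: RipRouter(n, ["net" + n]) for n in "ABCD"}
    links = [("A", "B"), ("B", "C"), ("C", "D")]
    return routers, links


if __name__ == "__main__":
    routers, links = build_chain()
    print("settled after", converge(routers, links), "rounds")
    for r in routers.values():
        print(r.name, r.table)
```

Each round of converge stands for one 30-second update interval, which is why a network several routers wide needs several intervals to settle; feeding a router a metric-16 entry for a route from its current next hop, as the test below does, is the withdrawal you will watch propagate in Procedure II.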


RIP Timers
RIP uses several timers to regulate its behaviour: a routing-update timer, a route timeout, and a route-flush timer. The routing-update timer clocks the interval between periodic routing updates. Generally it is set to 30 seconds, with a small random number of seconds added each time the timer is reset, so that the routers on a segment do not synchronize their updates. Each routing-table entry has a route-timeout timer associated with it; when it expires (180 seconds without hearing about the route, both in the RFC and in Cisco IOS), the route is marked invalid but is retained in the table, and advertised with metric 16, until the route-flush timer expires (Cisco IOS defaults: invalid 180 s, hold-down 180 s, flush 240 s). Keep these timers in mind during the Analysis sections below: they are why a withdrawn route lingers for minutes after a cable is pulled.

OSPF: Open Shortest Path First
OS PF is based on Dijkstra's shortest-path algorithm. Routers accumulate link-state information dynamically using Link State Advertisements (LSAs) and build a topological map of the area that changes as the network changes. Every router in an area holds the same link-state database and computes the shortest-path tree to every network with itself as root, then routes packets along that tree. "Shortest" refers to the sum of the link costs along the path, not to geographic distance. The cost of a link is an administratively configured metric; Cisco IOS derives it from the interface bandwidth by default (reference bandwidth divided by interface bandwidth), so a faster link is cheaper. OSPF does not measure live traffic, but when several paths have equal cost the router can load-balance across them. Dividing a large network into areas limits how much of the map each router must hold: a router needs the full link-state database only for its own area. OSPF also supports authentication between routers for the packets that carry LSA updates; as with RIP, the simple-password form travels in clear text, and the MD5 form should be used on any segment that untrusted hosts can reach. Since each router computes its routes independently from the same database, an OSPF problem is easier to localise than a RIP problem. Once set up, an OSPF router exchanges five types of control packets (on broadcast networks they are multicast to 224.0.0.5, AllSPFRouters, and 224.0.0.6, AllDRouters):

a. Hello packet: an "I am alive" signal. It discovers neighbours, keeps adjacencies alive and elects the designated router on multi-access networks.
b. Database Description packet: exchanged when two routers form an adjacency; it summarises each router's link-state database (the LSA headers) so that each side can see which entries it is missing or has out of date.
c. Link State Request packet: asks the neighbour for the LSAs found to be missing or outdated.
d. Link State Update packet: carries the requested LSAs, and also floods new LSAs when a link changes.
e. Link State Acknowledgment packet: acknowledges each received update so that flooding is reliable.
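The link-state computation described above, as an added example in Python (not code from the lab manual or from Cisco IOS): each constructed router-LSA lists a router's neighbours and link bandwidths, the LSAs are merged into a link-state database (keeping only links that both ends report, as OSPF does), and Dijkstra is run from a chosen root. Link cost follows Cisco's default of reference bandwidth (100 Mbit/s) divided by interface bandwidth, and equal-cost next hops are kept together, which is what allows load balancing. The router names and bandwidths are made up.

```python
import heapq

REFERENCE_BW = 100_000_000   # Cisco default reference bandwidth, 100 Mbit/s


def ospf_cost(bandwidth_bps):
    """Default Cisco cost: reference bandwidth / interface bandwidth, never below 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


def build_lsdb(router_lsas):
    """router_lsas: list of (router_id, [(neighbour_id, link_bandwidth_bps), ...]).
    Returns {router: {neighbour: cost}}, dropping links that only one end reports."""
    claimed = {rid: {nbr: ospf_cost(bw) for nbr, bw in links} for rid, links in router_lsas}
    lsdb = {}
    for rid, nbrs in claimed.items():
        lsdb[rid] = {nbr: cost for nbr, cost in nbrs.items() if rid in claimed.get(nbr, {})}
    return lsdb


def spf(lsdb, root):
    """Dijkstra from root. Returns (distance, predecessors); predecessors keeps
    every parent on an equal-cost shortest path, not just the first one found."""
    dist = {root: 0}
    preds = {root: []}
    heap = [(0, root)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, cost in lsdb.get(node, {}).items():
            candidate = d + cost
            if nbr not in dist or candidate < dist[nbr]:
                dist[nbr] = candidate
                preds[nbr] = [node]
                heapq.heappush(heap, (candidate, nbr))
            elif candidate == dist[nbr] and node not in preds[nbr]:
                preds[nbr].append(node)     # equal-cost alternative
    return dist, preds


def next_hops(preds, root, dest):
    """Walk predecessors back towards root; the nodes adjacent to root are the next hops."""
    hops = set()
    stack, seen = [dest], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for parent in preds.get(node, []):
            if parent == root:
                hops.add(node)
            else:
                stack.append(parent)
    return hops


def routing_table(router_lsas, root):
    """{destination: (cost, sorted next hops)} as the root router would install it."""
    lsdb = build_lsdb(router_lsas)
    dist, preds = spf(lsdb, root)
    return {dest: (cost, sorted(next_hops(preds, root, dest)))
            for dest, cost in dist.items() if dest != root}


# Constructed sample area: R1-R2, R1-R3, R2-R4, R3-R4 are Fast Ethernet (cost 1),
# R1-R4 is 10 Mbit Ethernet (cost 10); R4 claims a link to R5 that R5 does not confirm.
SAMPLE_LSAS = [
    ("R1", [("R2", 100_000_000), ("R3", 100_000_000), ("R4", 10_000_000)]),
    ("R2", [("R1", 100_000_000), ("R4", 100_000_000)]),
    ("R3", [("R1", 100_000_000), ("R4", 100_000_000)]),
    ("R4", [("R1", 10_000_000), ("R2", 100_000_000), ("R3", 100_000_000), ("R5", 100_000_000)]),
    ("R5", []),
]

if __name__ == "__main__":
    for dest, (cost, hops) in sorted(routing_table(SAMPLE_LSAS, "R1").items()):
        print(f"{dest}: cost {cost} via {hops}")
```

Note what the sample shows: R1 reaches R4 at cost 2 over two equal paths and ignores its direct but slow link, and R5 never appears because a link reported by only one end is not part of the topology. Removing an entry from SAMPLE_LSAS and recomputing is the software equivalent of the cable pull in the procedure below.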


VLAN Trunking Tutorial: VLAN Trunking Tutorial for the 29XX Switch and 2600 Router

Figure (reconstructed from the diagram labels): Cisco 2600 Router, int fa0/0, connected to int fa0/20 on the Cisco 29XX Switch by a trunk carrying VLAN 2 and VLAN 3. Switch int fa0/1 is in VLAN 2 and int fa0/9 is in VLAN 3; the two workstations are 172.16.5.1/24 and 172.16.9.1/24.

Set up the 29XX Switch

1. Set up VLAN 2 and VLAN 3 on the 29XX Switch (do not use the native VLAN 1 for this exercise). For help on setting up VLANs, refer to the previous 'VLAN Tutorial'. Use Port 1 for VLAN 2 and Port 9 for VLAN 3.

2. We will now set up a VLAN trunk between the 29XX Switch and the 2600 Router. The 2500 routers cannot take part: their IOS does not support ISL or 802.1q subinterfaces on the 10 Mbit AUI Ethernet ports (ISL in particular is specified only for 100 Mbit links).

3. Set up two workstations. Workstation 1 will have IP address 172.16.5.1 (gw 172.16.5.254) and Workstation 2 will have 172.16.9.1 (gw 172.16.9.254), netmask 255.255.255.0. (VLAN 2 is 172.16.5.0/24 and VLAN 3 is 172.16.9.0/24, matching the router subinterfaces configured in steps 8 and 9 below.)

4. Connect Workstation 1 to Port 1 and Workstation 2 to Port 9.

5. Set up Port 20 on the 29XX Switch to do VLAN trunking, using 802.1q encapsulation and forwarding all VLAN traffic. Connect this port to Fastethernet 0/0 on the 2600 Router.

Switch(config)#int fa 0/20
Switch(config-if)#switchport trunk encap dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan all

Confirm with 'show vlan' that ports 1 and 9 appear under VLANs 2 and 3 before moving on to the router.


Set up the 2600 Router

6. Log into the 2600 Router and go to enable mode.

7. Enable Fastethernet 0/0.

Router#config t
Router(config)#int fast 0/0
Router(config-if)#no shut
Router(config-if)#exit

8. Configure the subinterfaces. Fastethernet 0/0.1 will have dot1q encapsulation with an associated VLAN number of 2. Its IP address will be 172.16.5.254.

Router(config)#int fast 0/0.1
Router(config-subif)#encap dot1q 2
Router(config-subif)#ip address 172.16.5.254 255.255.255.0

9. Fastethernet 0/0.2 will also have dot1q encapsulation, with an associated VLAN number of 3. Its IP address will be 172.16.9.254.

Router(config-subif)#int fast 0/0.2
Router(config-subif)#encap dot1q 3
Router(config-subif)#ip address 172.16.9.254 255.255.255.0

Check with 'show ip interface brief' that fa0/0, fa0/0.1 and fa0/0.2 are all up/up.

10. The workstations should now be able to ping and traceroute each other successfully; a traceroute from one workstation to the other should show the router subinterface address as the single intermediate hop.

11. Attempt to ping both the physical and the subinterface addresses on the router. Can you ping all the interfaces from both machines?



Router Configuration Tutorial: Use HyperTerminal to access the routers through the Console Port.

Network Layout

1. Set up the IP address on each of the interfaces given by your TA.

2. Start the sniffer on your desktop (the software is called 'Distinct Network Monitor'). You can do so by clicking on Start -> Programs -> Distinct -> Network Monitor.

3. Set the sniffer to capture UDP packets on screen (the TA will show you how to do so).

RIP

4. In the router, turn on RIP debugging from privileged EXEC mode by typing 'debug ip rip' (turn it off again later with 'no debug ip rip' or 'undebug all').

5. Enable RIP routing by typing:

Router(config)#router rip
Router(config-router)#network 10.0.0.0

This should be done on all the routers. The 'network' statement names a classful network; every interface whose address falls in 10.0.0.0/8 then both sends and listens for RIP updates.

6. The routers can now exchange routes through RIP. The group working on the '7000new' router should be able to see the RIP update packets on their console terminal. The group on the 4000 router can see the updates by typing 'show logging'. The 7000 router doesn't show any log, as it has the old IOS version installed; the group working on the 7000 router can see the update messages on the other routers. On any router, 'show ip route' lists the learned routes marked R, and 'show ip protocols' shows the timers and the neighbours updates were received from.

7. Also look at the packets captured by the sniffer and answer the questions.

8. Try removing one of the links and see how the routing tables are updated.

9. Now disable RIP routing using

Router(config)#no router rip

Figure (reconstructed from the diagram labels): three routers, each with interfaces E0 and E1, joined through two hubs; the exact cabling is not recoverable from the extracted text.


OSPF

10. Now enable the OSPF protocol

Router(config)#router ospf 1
Router(config-router)#network 10.0.0.0 0.255.255.255 area 10

The second argument is a wildcard mask, not a subnet mask: every interface whose address matches 10.0.0.0 in the bit positions where the wildcard is 0 is placed in area 10. The process ID (1) is local to the router and need not match on the neighbours, but the area number must.

11. Put the router in debug mode ('debug ip ospf events' from privileged EXEC) and watch the packets exchanged; 'show ip ospf neighbor' shows the adjacencies reaching the FULL state.

12. Remove one of the links and see how the routes are being updated.

13. You must get yourself checked off by your TA.



Procedure I : Implement 802.1q Trunking
This procedure requires either a Cisco 2600 router or a Cisco 3640 router. The AUI ports on the 2500 series routers do not support trunk encapsulation and therefore cannot be used for 802.1q trunking. Implement an 802.1q trunk from the 2600 (3640) to the Catalyst 2912 switch through Ethernet port E0. Verify the operation of the trunk by placing lab computers on each network and running ping and traceroute. Make sure you can ping the logical IP addresses (the subinterfaces) on the trunk. Enable RIP on the router. You will have to assign VLANs in the switch and configure it for trunking. When the configuration is complete, have your TA check off the trunk and begin the analysis.

Analysis:

1. Connect a lab computer to VLAN0 and begin an Ethereal capture. Perform a ping from the LINUX box to the MS 98 computer and monitor the frames sent through VLAN0.
2. Perform the procedure described above with Ethereal operating on VLAN A.
3. Perform the same procedure with Ethereal operating on VLAN B.
4. Draw a conclusion about how the frames traverse the switch and be ready to describe it in detail in the lab questions. Note that a capture on an access port never shows the 802.1q tag: the switch strips it before forwarding to the host, so the tag is only visible on the trunk itself.

Figure (reconstructed from the diagram labels): R 2600 (3640) with E0 192.168.10.254 255.255.255.0 on VLAN0, subinterface E0.1 192.168.1.254 255.255.255.0 (VLAN A) and subinterface E0.2 192.168.5.254 255.255.255.0 (VLAN B), trunked to the S 2912 switch, whose VLAN0 management address is 192.168.10.1 255.255.255.0. Hosts MS 98 and LINUX carry 192.168.1.5 and 192.168.5.15 (both 255.255.255.0), one in each of VLAN A and VLAN B; which host is in which VLAN is not recoverable from the extracted labels.


Procedure II : Implement a RIP Network
Design and implement a small network employing the dynamic routing protocol RIP. This lab calls for all three 2500 routers, one 2600 (3640) router and the 2912 switch. Set up the network as shown below with all routers running RIP on every interface (even logical interfaces!).

LOGICAL SETUP (reconstructed from the diagram labels): Router A, Router B, Router C and Router D connected in a ring, with Ethernet LAN 1, Ethernet LAN 2 and Ethernet LAN 3 hanging off the routers; the MS 2K and LINUX hosts sit on the LANs.

DETAILED SETUP (reconstructed from the diagram labels): the S 2912 switch carries VLAN 0, VLAN 1, VLAN 2, VLAN 3 and VLAN 4. Router A (the 2600/3640) connects through E0 as a trunk with subinterfaces E0.1 and E0.2 on VLAN 0 and VLAN 2. Routers B, C and D (the 2500s) each use E0 and E1 to reach their VLANs and each other. The LINUX and MS 2K hosts are attached to the switch. The interface and address plan follows the design guidelines below; whatever the labels do not settle is your design decision, to be drawn out and checked by the TA before you configure anything.


Design guidelines and suggestions:

1. VLAN Assignments (suggested)

• VLAN 0: 1 port, 172.16.10.0/24
• VLAN 1: 2 ports, 172.16.11.0/24
• VLAN 2: 3 ports, 172.16.12.0/24
• VLAN 3: 3 ports, 172.16.20.0/24
• VLAN 4: 3 ports, 172.16.30.0/24

2. Router-to-Router LANs

• Router A – B: 172.16.200.0/24
• Router B – C: VLAN 3 (172.16.20.0/24)
• Router C – D: VLAN 4 (172.16.30.0/24)
• Router D – A: VLAN 1 (…)

3. Assign gateways the address x.x.x.254. There should be only ONE gateway for each LAN (VLAN).

HINTS:

• Draw a detailed diagram with all interfaces labeled and all IP addresses shown (even for the logical links). Have the TA check this before you begin configuring the network.
• Set up Router A first and implement the trunk and all VLANs in the switch. Verify that you have set up the switch correctly before you continue.
• Check your configuration after each change; proceed in an organized fashion so that problems can be found and fixed before you connect all the equipment.
• Some problems with dynamic routing can remain even after you have fixed their cause (a stale route keeps being advertised until its timers expire), so make sure the configuration is correct BEFORE you enable RIP.

Analysis:

1. Complete the setup and enable RIP on every router (all interfaces).
2. Capture (and save) the routing table on router C.
3. Configure the MS 2K station to perform frame captures using Ethereal and begin capturing.
4. Disconnect the cable between router D and VLAN 2.
5. Wait ~10 minutes and then end the Ethereal session. Capture (and save) the routing table on router C.
6. Be prepared to show the router updates that traversed VLAN 3 after the cable was disconnected.


Prelab Questions:

1. Explain the operations upon a single packet passing through an 802.1q TRUNK between two different VLANs. Be specific and include diagrams of the header structure and all frame fields.
2. How is encapsulation different from trunking (be specific)?
   a. Define each and highlight the differences.
   b. How should each be used in a corporate network?
3. What is an administrative distance?
4. Why do routing protocols use metrics?
5. What is convergence time?
6. What is the difference between a routed and a routing protocol? Give 2 examples.
7. Compare static with dynamic routes and give scenarios in which a static route is preferable to a dynamic route, and vice versa.
8. Explain the split horizon and hold down mechanisms.
9. Read the RFC covering OSPF and provide the byte-level layout of each packet type.

Lab Questions:

1. Create a short (5 page) tutorial on configuring 802.1q trunks between two VLANs on a Cisco 2912 switch and a Cisco 2600 (3640) router. Include in your tutorial all necessary commands for each device to configure the VLANs, and the frame captures from procedure 1. Make sure to describe in detail how frames move through the switch and router, both logically and physically.
2. In report form, explain the events which occurred after disconnecting the cable in procedure 2. Use the Ethereal session data to show all the update packets that traversed VLAN 3. In your report, highlight the routing table being passed in each frame and indicate which router was sending the update.
3. How much time was required for the network to settle, that is, how long until the routing updates were the same? Is this longer or shorter than you expected, given your understanding of the RIP protocol?
4. What transport protocol does RIP use? Which port number does it use?
5. What are the RFCs that specify RIP, RIPv2 and BGP?
6. Provide a diagram of your network in procedure 2 including IP addresses and NIC interface names (E0 etc.). Attach the configuration of each 2500 router to your report.


Module 5

Basic Network Security ENTC 425


Advanced Routing – Network Address Translation & Access List Set up

OBJECTIVE

In this lab we will learn about Network Address Translation and about setting up access lists on Cisco routers.

INTRODUCTION
The Internet is expanding at an exponential rate. As the amount of information and resources increases, it is becoming a requirement for even the smallest businesses and homes to connect to the Internet. Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address, or a small pool of addresses. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently. The impetus towards increasing use of NAT comes from a number of factors:

• A world shortage of IP addresses
• Security needs
• Ease and flexibility of network administration

Dynamic NAT provides a degree of firewall-style protection as a side effect, without any special set-up, because it only creates translation entries for connections originated on the inside network. This means, for example, that an internal client can connect to an outside FTP server, but an outside client cannot connect to an internal FTP server: it would have to originate the connection, and the gateway has no table entry to map it to. It is still possible to make some internal servers available to the outside world via inbound mapping, which maps well-known TCP ports (e.g. 21 for FTP) on the public address to specific internal addresses, making services such as FTP or Web available in a controlled way. Be clear about what this protection is: it comes from the translation table, not from any policy. It inspects no payloads, it does nothing about traffic riding on a connection an inside host has opened, and every inbound mapping is a hole through it. NAT therefore complements, rather than replaces, the access lists covered below and a real firewall. To summarise, a NAT gateway can provide the following benefits:

• Firewall protection for the internal network; only servers specifically designated with "inbound mapping" will be accessible from the Internet
• Protocol-level protection
• Automatic client computer configuration control
• Packet level filtering and routing

The basic purpose of NAT is to multiplex traffic from the internal network and present it to the Internet as if it was coming from a single computer having only one IP address.

Experiment 7 (ENTC 425)


The TCP/IP protocols include a multiplexing facility so that any computer can maintain multiple simultaneous connections with a remote computer. It is this multiplexing facility that is the key to single-address NAT. To multiplex several connections to a single destination, client computers label all packets with unique "port numbers". Each TCP or UDP packet starts with headers containing the source and destination addresses and port numbers:

Source address, Source port, Destination address, Destination port

Together with the transport protocol, this combination of numbers completely defines a single TCP/IP connection. The addresses specify the two machines at each end, and the two port numbers ensure that each connection between this pair of machines can be uniquely identified. Each separate connection is originated from a unique source port number in the client, and all reply packets from the remote server for this connection carry the same number as their destination port, so that the client can relate them back to the correct connection. In this way, for example, a web browser can ask a web server for several images at once and still know how to put all the parts of all the responses back together. When any remote server responds to a NAT client, incoming packets arriving at the NAT gateway all have the same destination address, but the destination port number is the unique source port that was assigned by the NAT. The NAT gateway looks in its port mapping table to determine which "real" client address and port number the packet is destined for, and replaces these numbers before passing the packet on to the local client. This process is completely dynamic. When a packet is received from an internal client, NAT looks for the matching source address and port in the port mapping table. If the entry is not found, a new one is created and a new mapping port is allocated to the client:

• Incoming packet received on the non-NAT (inside) port
• Look up the source address and port in the mapping table
• If found, replace the source port with the previously allocated mapping port
• If not found, allocate a new mapping port
• Replace the source address with the NAT address and the source port with the mapping port

Packets received on the NAT (outside) port undergo the reverse translation:

• Incoming packet received on the NAT port
• Look up the destination port number in the port mapping table
• If found, replace the destination address and port with the entries from the mapping table
• If not found, the packet is not for us and should be rejected

Each client has an idle time-out associated with it. Whenever new traffic is received for a client, its time-out is reset. When the time-out expires, the client is removed from the table. This keeps the table to a reasonable size. The length of the time-out varies, but taking into account traffic variations on the Internet it should not go below 2-3 minutes. Most NAT implementations can also track TCP clients on a per-connection basis and remove them from the table as soon as the connection is closed. This is not possible for UDP traffic since it is not connection based. Because the port mapping table relates complete connection information (source and destination address and port numbers), it is possible to validate any or all of this information before passing incoming packets back to the client. This checking helps to provide effective firewall protection against Internet-launched attacks on the private LAN: a gateway that matches inbound packets only on the destination port accepts a "reply" from any outside host, while one that also checks the outside source address and port accepts replies only from the peer the inside host actually contacted. Each IP packet also contains checksums that are calculated by the originator. They are recalculated and compared by the recipient to see if the packet has been corrupted in transit. The checksums depend on the contents of the packet: the IP header checksum covers the addresses, and the TCP and UDP checksums cover a pseudo-header that includes the IP addresses as well as the port numbers. Since the NAT must modify the packet addresses and port numbers, it must also recalculate and replace these checksums. Careful design of the NAT software can ensure that this extra processing has a minimal effect on the gateway's throughput. Before doing so it must check for, and discard, any corrupt packets, to avoid converting a bad packet into a good one.

Access-List
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The Cisco IOS software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address (the implicit "deny any" at the end of every list). Standard access lists (numbers 1-99) test only the source address; extended lists (100-199) also test the destination address, the protocol and the port numbers. Conditions are written with a wildcard mask, in which a 1 bit means "do not care", so 10.0.0.0 0.255.255.255 matches every address whose first octet is 10. The two steps involved in using access lists are as follows:

1. Create an access list by specifying an access list number or name and the access conditions.

2. Apply the access list to interfaces or terminal lines, or reference it from another feature (as the NAT configuration below does, to choose which inside addresses are translated).

PROCEDURE:

Setting up Network Address Translation

1. Define a NAT pool from which IP addresses can be used.

Router(config)# ip nat pool nat1 128.194.119.231 128.194.119.235 prefix-length 24

2. Define the inside interface on the Fast Ethernet 0/0 interface

Router(config)# interface fastethernet 0/0
Router(config-if)# ip nat inside

Figure (reconstructed from the diagram labels): the router's Fast Ethernet 0/0 faces the Private Network and Fast Ethernet 0/1 faces the Public Network.


3. Define the outside interface on the Fast Ethernet 0/1 interface

Router(config)# interface fastethernet 0/1
Router(config-if)# ip nat outside

4. Link the NAT pool with the access list you will be creating (access list number e.g. 7)

Router(config)# ip nat inside source list 7 pool nat1

Without the 'overload' keyword each inside host that matches the list gets its own address from the pool, so at most five hosts (128.194.119.231 to .235) can be translated at once; a sixth host's packets are dropped until an entry times out. Adding 'overload' at the end of the command uses a single pool address for all outgoing traffic; the NAT is then called PAT (Port Address Translation), as all outbound connections are distinguished by port number.

Configure Access-List

5. Set up an access list that matches every internal address in 10.x.x.x

Router(config)# access-list 7 permit 10.0.0.0 0.255.255.255

(A standard access list has no destination field; '10.0.0.0 0.255.255.255' is the network and its wildcard mask. Anything not matched is implicitly denied, which here means not translated.)

6. Ping internal and external networks to check whether your configuration is correct.

7. Check the NAT using the following commands (from privileged EXEC mode)

Router# show ip nat statistics
Router# show ip nat translations

A translation entry appears only after an inside host has sent traffic, so ping an outside address from an inside host first and then look at the table. 'clear ip nat translation *' removes the dynamic entries if you need to start over.

Once you complete the Lab get checked off by TA.
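The procedure above, modelled in Python as an added example (not code from the lab manual or from Cisco IOS): access list 7 selects inside sources with a wildcard mask and first-match semantics, pool nat1 (128.194.119.231 to .235) hands one address to each translated inside host when 'overload' is absent or shares a single address with port translation when it is present, inbound packets are reverse-mapped through the table or dropped when no entry exists, and idle entries expire. The packets, the outside addresses and the inside host addresses are constructed for the example; the pool and access list addresses are the lab's own.

```python
import ipaddress


def acl_permits(acl, address):
    """Cisco standard access list: entries are (action, network, wildcard); first match decides,
    a wildcard bit of 1 means 'do not care', and a list with no match denies (implicit deny any)."""
    addr = int(ipaddress.IPv4Address(address))
    for action, network, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(network)) & care:
            return action == "permit"
    return False


class NatGateway:
    """Dynamic NAT (one pool address per inside host) or PAT (one address, many ports)."""

    def __init__(self, acl, pool, overload=False, idle_timeout=180):
        self.acl = acl
        self.pool = list(pool)
        self.overload = overload
        self.idle_timeout = idle_timeout
        self.next_port = 1024
        # (inside ip, inside port) -> (global ip, global port, last seen)
        self.table = {}

    def _allocate(self, inside_ip, inside_port):
        if self.overload:
            port, self.next_port = self.next_port, self.next_port + 1
            return self.pool[0], port                      # PAT: one address, fresh port
        for (iip, _), (gip, _, _) in self.table.items():
            if iip == inside_ip:
                return gip, inside_port                    # host already owns a pool address
        used = {gip for gip, _, _ in self.table.values()}
        free = [g for g in self.pool if g not in used]
        return (free[0], inside_port) if free else None    # None: pool exhausted

    def outbound(self, pkt, now):
        """Packet arriving on the inside interface. Returns the packet to forward, or None."""
        self.expire(now)
        if not acl_permits(self.acl, pkt["src"]):
            return dict(pkt)                               # not selected for NAT: routed untranslated
        key = (pkt["src"], pkt["sport"])
        if key in self.table:
            gip, gport, _ = self.table[key]
        else:
            allocated = self._allocate(*key)
            if allocated is None:
                return None
            gip, gport = allocated
        self.table[key] = (gip, gport, now)
        return {**pkt, "src": gip, "sport": gport}

    def inbound(self, pkt, now):
        """Packet arriving on the outside interface: reverse-map it, or drop it as unsolicited."""
        self.expire(now)
        for (iip, iport), (gip, gport, _) in list(self.table.items()):
            if pkt["dst"] == gip and pkt["dport"] == gport:
                self.table[(iip, iport)] = (gip, gport, now)
                return {**pkt, "dst": iip, "dport": iport}
        return None

    def expire(self, now):
        stale = [k for k, (_, _, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]


# The lab's configuration: 'access-list 7 permit 10.0.0.0 0.255.255.255' and pool nat1.
ACL_7 = [("permit", "10.0.0.0", "0.255.255.255")]
POOL_NAT1 = ["128.194.119.%d" % last for last in range(231, 236)]


def demo():
    """Constructed traffic: two inside hosts reach an outside FTP server, then a stranger knocks."""
    gw = NatGateway(ACL_7, POOL_NAT1)
    a = gw.outbound({"src": "10.1.1.5", "sport": 40000, "dst": "192.0.2.10", "dport": 21}, now=0)
    b = gw.outbound({"src": "10.1.1.6", "sport": 40000, "dst": "192.0.2.10", "dport": 21}, now=1)
    reply = gw.inbound({"src": "192.0.2.10", "sport": 21, "dst": a["src"], "dport": a["sport"]}, now=2)
    stranger = gw.inbound({"src": "198.51.100.7", "sport": 5555, "dst": "128.194.119.233", "dport": 21}, now=2)
    return a, b, reply, stranger
```

The table that demo() builds is what 'show ip nat translations' prints on the router: one line per (inside local, inside global, outside) combination. Note that inbound() matches on the destination only, which is the weak form discussed above; extending the match to the outside source address and port is a two-line change and is what a stateful implementation does.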


Prelab Questions:

1. Explain the operation of Network Address Translation.
2. What is Port Address Translation (PAT)? How is it different from NAT?
3. What are the security benefits of NAT and access lists?
4. How would one operate a Web server behind a router employing NAT?

Lab Questions:

1. Show the statistics and translations of your NAT configuration.
2. Create a brief tutorial for configuring NAT on the Cisco 2600 router. Include all the commands necessary to configure NAT and assign three IP addresses to the 'pool'. Also make sure to include the commands necessary to alter the translation timeout ('lease time') and other 'variables'.
3. Using a single router, design a small corporate network with NAT and ACLs to allow the following functionality.
   a. Three LANs and one DMZ (you might need trunking)
   b. The network must host a Web server
   c. The network should use private IP addresses
   d. The network should also employ DHCP
   e. Assume 5 hosts for each LAN
   f. Make sure nobody from LAN 3 can communicate with LAN 1.
   g. LIST ALL THE COMMANDS for the Cisco 2600 router to implement the NAT and ACLs for your design. Assume you have 5 public addresses available.

NOTE: Question 3 should take no less than 5 pages if you do it correctly.


Firewall Set up & Configuration N E T W O R K I N G & I P L A B O R A T O R Y

Objective: This lab aims at familiarizing the student with basic concepts of firewall on the Linux Shareware. INTRODUCTION Firewall is used to prevent unauthorized packets and unauthorized users from gaining access to our network. Network security can be achieved using effective firewalling. Each packet requesting access into the network or leaving the network is examined and treated accordingly. This puts the host in which firewalling is done in a Promiscuous mode. For example packets from within the network may not be routed through the gateway to the outside world for reasons of security and no packets from outside may be routed into the network to prevent unauthorized access to the data / information available from our database. Firewall setup along with suitable encryption techniques can provide good security to the network. A firewall is a security system, designed to prevent unauthorized access to a private or local network. The system can either be a hardware firewall or a software firewall, or a combination of both. There are two types of firewalls.

1. Filtering firewalls, which block selected network packets.
2. Proxy servers (sometimes called firewalls), which make network connections for you.

A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet. Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router. Because of this you need a deep understanding of IP packet structure to work with one.

Lab firewall architecture:

      _/\__/\_        ____________                        _______________
     /        \      |   Proxy /  |                      |               |
    / Internet \-----|  Firewall  |--(HUB)--(LAN)--------| Workstation/s |
    \_ _ _ _ _ /     |   System   |                      |_______________|
      \/ \/ \/       |____________|

Experiment 8 (ENTC 425)


Packet Filtering for Security in Linux using ipchains

The start of each packet says where it's going, where it came from, the type of the packet, and other administrative details. This start of the packet is called the header. The rest of the packet, containing the actual data being transmitted, is usually called the body. Some protocols, such as TCP, which is used for web traffic, mail, and remote logins, use the concept of a 'connection': before any packets with actual data are sent, various setup packets (with special headers) are exchanged saying 'I want to connect', 'OK' and 'Thanks'. Then normal packets are exchanged.

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to deny the packet (i.e. discard the packet as if it had never been received), accept the packet (i.e. let the packet go through), or reject the packet (like deny, but tell the source of the packet that it has done so). Under Linux, packet filtering is built into the kernel. The ipchains utility is used to administer the IP packet filters of the Linux 2.2 kernel. Its manual page, ipchains(8), describes it as follows.

SYNOPSIS

ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]

DESCRIPTION

Ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel. These rules can be divided into 4 different categories: the IP input chain, the IP output chain, the IP forwarding chain, and user-defined chains. For each of these categories, a separate table of rules is maintained, any of which might refer to one of the user-defined chains. See ipfw(4) for more details.

TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, or one of the special values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.

ACCEPT means to let the packet through. DENY means to drop the packet on the floor. REJECT means the same as DENY, but is more polite and easier to debug, since an ICMP message is sent back to the sender indicating that the packet was dropped. (Note that DENY and REJECT are the same for ICMP packets.)

MASQ is only legal for the forward and user-defined chains, and can only be used when the kernel is compiled with CONFIG_IP_MASQUERADE defined. With this, packets will be masqueraded as if they originated from the local host. Furthermore, reverse packets will be recognized as such and they will be demasqueraded automatically, bypassing the forwarding chain.

REDIRECT is only legal for the input and user-defined chains and can only be used when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With this, packets will be redirected to a local socket, even if they were sent to a remote host. If the specified redirection port is 0, which is the default value, the destination port of a packet will be used as the redirection port. When this target is used, an optional extra argument (the port number) can be supplied.

If the end of a user-defined chain is reached, or a rule with target RETURN is matched, then the next rule in the previous (calling) chain is examined. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

OPTIONS

The options that are recognized by ipchains can be divided into several different groups.

COMMANDS

These options specify the specific action to perform; only one of them can be specified on the command line, unless otherwise specified below. For all the long versions of the command and option names, you only need to use enough letters to ensure that ipchains can differentiate it from all other options.

-A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-D, --delete

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

-R, --replace

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

-I, --insert

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain.

-L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case no chain may be specified. The exact output is affected by the other arguments given.

-F, --flush

Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero

Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared; if this is done, then no specific chain can be specified (they will all be displayed and cleared).

-N, --new-chain

Create a new user-defined chain of the given name. There must be no target of that name already.

-X, --delete-chain

Delete the specified user-defined chain. There must be no references to the chain (if there are, you must delete or replace the referring rules before the chain can be deleted). If no argument is given, it will attempt to delete every non-builtin chain.

-P, --policy

Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-userdefined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-M, --masquerading

This option allows viewing of the currently masqueraded connections (in conjunction with the -L option) or setting the kernel masquerading parameters (with the -S option).

-S, --set tcp tcpfin udp

Change the timeout values used for masquerading. This command always takes 3 parameters, representing the timeout values (in seconds) for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. A timeout value of 0 means that the current timeout value of the corresponding entry is preserved. This option is only allowed in combination with the -M flag.

-C, --check

Check the given packet against the selected chain. This is extremely useful for testing, as the same kernel routines used to check "real" network packets are used to check this packet. It can be used to check user-defined chains as well as the builtin ones. The same arguments used to specify firewall rules are used to construct the packet to be tested. In particular, the -s (source), -d (destination), -p (protocol), and -i (interface) flags are compulsory.

-h

Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, replace, append and check commands).

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. Also a protocol name from /etc/protocols is allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. All may not be used in combination with the check command.

-s, --source [!] address[/mask] [!] [port[:port]]

Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The source may include a port specification or ICMP type. This can either be a service name, a port number, a numeric ICMP type, or one of the ICMP type names shown by the command

    ipchains -h icmp

Note that many of these ICMP names refer to both a type and code, meaning that an ICMP code after the -d flag is illegal. In the rest of this paragraph, a port means either a port specification or an ICMP type. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. Ports may only be specified in combination with the tcp, udp, or icmp protocols. A "!" before the port specification inverts the sense. When the check command is specified, exactly one port is required, and if the -f (fragment) flag is specified, no ports are allowed. The flag --src is a convenience alias for this option.

--source-port [!] [port[:port]]

This allows separate specification of the source port or port range. See the description of the -s flag above for details. The flag --sport is an alias for this option.

-d, --destination [!] address[/mask] [!] [port[:port]]

Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. For ICMP, which does not have ports, a "destination port" refers to the numeric ICMP code. The flag --dst is a convenience alias for this option.

--destination-port [!] [port[:port]]

This allows separate specification of the ports. See the description of the -s flag for details. The flag --dport is an alias for this option.

--icmp-type [!] typename

This allows specification of the ICMP type (use the -h icmp option to see valid ICMP type names). This is often more convenient than appending it to the destination specification.

-j, --jump target

This specifies the target of the rule; ie. what to do if the packet matches it. The target can be a user-defined chain (not the one this rule is in) or one of the special targets which decide the fate of the packet immediately. If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

-i, --interface [!] name

Optional name of an interface via which a packet is received, or via which a packet is going to be sent. When this option is omitted, the empty string is assumed, which has a special meaning and will match with any interface name. When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match.

[!] -f, --fragment

This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the sense is inverted.

PROCEDURE

The firewall script is usually placed in the /etc/rc.d/ directory. There are by default 3 built-in chains, namely the input chain, the output chain and the forward chain. Note that in ipchains a packet forwarded by the gateway passes through all three: the input chain when it arrives, the forward chain when it is routed, and the output chain when it leaves. The ipchains commands below must be run as root.

1. First see the ipchains rules that are already configured on the proxy server.

   ipchains -L

2. Flush out all the ipchains rules.

   ipchains -F

   Each chain has a policy associated with it, which decides the fate of a packet that reaches the end of the chain without matching any rule. The policy may be ACCEPT, DENY or REJECT. Flushing removes the rules of a chain but leaves its policy unchanged.

3. Set the policy of the input chain to drop all incoming packets.

   ipchains -P input DENY     or     ipchains -P input REJECT

4. Set the policy of the output chain to drop all outgoing packets.

   ipchains -P output DENY     or     ipchains -P output REJECT

   Check the network by trying to open a browser and connecting to some web site. The connection must fail: with DENY the browser hangs until it times out, with REJECT it reports an error immediately because an ICMP message is sent back.

5. Prevent forwarding of packets by setting the policy of the forward chain.

   ipchains -P forward DENY     or     ipchains -P forward REJECT

6. Flush the chains again. Since -F only removes rules, the policies set in steps 3 to 5 stay in force until you change them in the next step.

   ipchains -F

7. Set the policies to accept all packets on the input and output chains. The forward chain keeps the policy from step 5, so nothing is forwarded unless a rule accepts it.

   ipchains -P input ACCEPT
   ipchains -P output ACCEPT

8. Write a rule to masquerade the packets coming from the private network so that it can see the public network. The MASQ target accepts the matching packets as well as rewriting their source address, but only if IP forwarding is enabled in the kernel (echo 1 > /proc/sys/net/ipv4/ip_forward).

   ipchains -A forward -s 10.10.9.0/24 -j MASQ

9. Write a rule to accept the ICMP messages from the 10.10.9.x network. The target must be ACCEPT; a DENY target here would do the opposite of what the step asks.

   ipchains -A input -p icmp -s 10.10.9.0/24 -j ACCEPT

10. Write an ipchains rule to accept TCP packets.

   ipchains -A input -p tcp -j ACCEPT

11. Write an ipchains rule to accept UDP packets.

   ipchains -A input -p udp -j ACCEPT

Since the input policy was set back to ACCEPT in step 7, the rules of steps 9 to 11 currently only count matching packets (ipchains -L -v shows the counters); they change nothing until the policy is DENY or REJECT again. A real firewall is built the other way round: set the policy to DENY and then add ACCEPT rules for exactly the traffic that is wanted.

Now write your own rules to accept DNS connections, HTTP connections and ICMP messages.
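The following script is an added example for the gateway in the lab architecture above; it is not part of the lab manual or of the ipchains documentation. It builds the deny-by-default ruleset the last paragraph describes and then accepts DNS, HTTP and ICMP for the LAN. It assumes a Linux 2.2 kernel with ipchains, the LAN 10.10.9.0/24 from step 8 behind eth1 and the Internet on eth0 (the interface names, the port range 1024:65535 for client source ports, the web server 198.51.100.7 and the gateway address 203.0.113.1 used in the checks are assumptions made for the example). It also uses two ipchains options that the excerpt above does not list: -y, which matches TCP packets with only the SYN flag set (so ! -y means "not a connection request"), and -l, which logs matching packets to the kernel log.

```shell
#!/bin/sh
# Added example, not from the lab manual: a deny-by-default ipchains ruleset
# for the lab gateway (Linux 2.2). Assumptions, change them to suit your lab:
#   LAN_NET  private network behind the gateway (10.10.9.0/24 as in step 8)
#   LAN_IF   interface facing the hub and workstations
#   WAN_IF   interface facing the Internet
# DRY_RUN=1 prints each command instead of running it; this is also what
# happens on a host that has no ipchains at all (e.g. a modern kernel).
LAN_NET="${LAN_NET:-10.10.9.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
HIGH_PORTS="1024:65535"   # unprivileged client source ports; replies land here
command -v ipchains >/dev/null 2>&1 || DRY_RUN=1

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

firewall_rules() {
    # Known state first: empty chains, then DENY policies. ipchains is
    # stateless, so every reply that should get back in is accepted explicitly.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output DENY
    run ipchains -P forward DENY

    # Loopback is always local; denying it breaks the gateway's own resolver.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT

    # Anti-spoofing: a packet with a LAN source arriving from the Internet is
    # forged. DENY it and log it (-l) so the attempt shows up in the kernel log.
    run ipchains -A input -i "$WAN_IF" -s "$LAN_NET" -j DENY -l

    # Masquerading needs IP forwarding switched on; it is off by default.
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # MASQ both accepts a LAN packet leaving on the WAN side and rewrites its
    # source to the gateway's address; replies are demasqueraded automatically
    # and skip the forward chain, so only input and output must allow them.
    run ipchains -A forward -i "$WAN_IF" -s "$LAN_NET" -j MASQ

    # Services the LAN may use: DNS (udp and tcp 53) and HTTP (tcp 80).
    # A forwarded packet passes input -> forward -> output, so each service
    # needs the request accepted on the way out and the reply on the way back.
    for svc in udp:53 tcp:53 tcp:80; do
        proto=${svc%%:*}
        port=${svc##*:}
        # "! -y" matches TCP packets that are not a bare SYN, so a reply from
        # port 80 gets in but nobody can open a new connection from port 80.
        if [ "$proto" = tcp ]; then notsyn="! -y"; else notsyn=""; fi
        run ipchains -A input -i "$LAN_IF" -p "$proto" -s "$LAN_NET" --dport "$port" -j ACCEPT
        run ipchains -A output -i "$WAN_IF" -p "$proto" --dport "$port" -j ACCEPT
        run ipchains -A input -i "$WAN_IF" -p "$proto" $notsyn --sport "$port" --dport "$HIGH_PORTS" -j ACCEPT
        run ipchains -A output -i "$LAN_IF" -p "$proto" $notsyn --sport "$port" -d "$LAN_NET" --dport "$HIGH_PORTS" -j ACCEPT
    done

    # ICMP: the LAN may ping out; only replies and error reports come back in.
    run ipchains -A input -i "$LAN_IF" -p icmp -s "$LAN_NET" -j ACCEPT
    run ipchains -A output -i "$WAN_IF" -p icmp -j ACCEPT
    for t in echo-reply destination-unreachable time-exceeded; do
        run ipchains -A input -i "$WAN_IF" -p icmp --icmp-type "$t" -j ACCEPT
        run ipchains -A output -i "$LAN_IF" -p icmp --icmp-type "$t" -d "$LAN_NET" -j ACCEPT
    done
}

# "ipchains -C" pushes a synthetic packet through the same kernel code path as
# real traffic and reports whether it is accepted or denied, so the rules can
# be tested without generating traffic. The addresses 198.51.100.7 (a web
# server) and 203.0.113.1 (the gateway's public side) are made up here.
check_rules() {
    # A LAN browser opening a web page: should be accepted.
    run ipchains -C input -p tcp -s 10.10.9.5 1025 -d 198.51.100.7 80 -i "$LAN_IF"
    # The same LAN source address arriving from the Internet: the spoofing rule.
    run ipchains -C input -p tcp -s 10.10.9.5 1025 -d 198.51.100.7 80 -i "$WAN_IF"
    # A telnet attempt from the Internet to the gateway: no rule, policy DENY.
    run ipchains -C input -p tcp -s 198.51.100.7 40000 -d 203.0.113.1 23 -i "$WAN_IF"
}

firewall_rules
check_rules
```

Run it as root on the gateway; with DRY_RUN=1 it only prints the commands, which is a convenient way to review a ruleset before it is applied. After applying it, ipchains -L -v shows the rules with their interface and counters, and the three -C checks should report the first packet accepted and the other two denied. The ruleset deliberately leaves the gateway itself unreachable from both sides except through the listed services; add rules for administrative access only from the LAN side.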

REFERENCE

Go to the Linux web site (www.linux.org) and read the pages on firewall and IP forwarding techniques. Our Linux kernel is 2.2 (you have to read the material for that specific kernel). You can also go to Dr. Pooch's website, http://cs.tamu.edu/faculty/pooch, to get more information on firewalls and attack and defense techniques. A few other websites are:

Info on the ipfwadm utility: http://www.dreamwvr.com/ipfwadm/ipfwadm-faq.html
Info on the ipchains utility: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html
The differences between ipchains and ipfwadm: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-8.html
General info on firewall setup and architecture: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html