T-110.5102 Laboratory Works in Networking and Security (5-10 cr)

Lab B6 (extra): Router


Before you start this assignment, please send an email to the course mailing list (t-110.5102 (at) list.aalto.fi) and let us know that you're going to do this one. The assignment might require information that we'll distribute to you via email. (added 11/30/2012)

Material

These can be found at the bottom of this page:

  • Assignment Documentation (pdf)
  • Initial configuration files for the simulator (.zip)
  • Preliminary exercise (Excel-sheet)

Additional Literature

Online resources:

The following book can be found as an e-book from Aalto library:

Preliminary task 

A preliminary task is attached to this page as an Excel spreadsheet. Fill it in and return it together with your final configuration files.

General instructions for RouterSim

You need to do these labs on specific machines in Paniikki class (you receive information for logging in via email if you have enrolled for the exercise). Do not save anything on the Windows machines. Store your files for example on Dropbox or Google Drive, or send an email to yourself.

The simulator software (CCNA Network Visualizer 6.0) can be accessed from the shortcut on the desktop of the Windows machines. All tasks are done in the "Net Visualizer Screen". The configuration files are opened and saved by File->Open/Save (or Ctrl+O, Ctrl+S). It is advised to save your own solution with a different name before you begin doing the task.

Command line interfaces of all simulated devices (routers, switches, hosts) can be accessed by double-clicking the device. Right-clicking will open "physical" connections panel.

Configuring happens in different modes (see the documentation powerpoint for "Cisco IOS modes" for more info). Mostly you will need to get to "privileged exec mode" via typing command enable or en. After that you can get to config mode via configure terminal or conf t. You can return from any mode via exit or logout. Also pressing ctrl+z will return to privileged exec mode. Typing a question mark (?) will list all available commands and options. Typical terminal inputs like up arrow for previously used commands and TAB for autocomplete might also be useful. 

Task 1:  Basic Configurations, DHCP and port security

The first task presents the basic command set that is invoked with all the Cisco switches and routers plus setting up DHCP, a management VLAN and port security commands.

The starting point is a switch and a router with almost blank configurations and two PCs connected to the switch. Host B has blank IP settings (DHCP will give them) and host A's settings can be viewed by right-clicking its icon and choosing "Configs".

The image of the starting network is below:
Task 1 network (simulator)

  1. Open the file "#DIRECTORY#\#GROUP#\BasicConf-start"
  2. Save the file right away with the name "BasicConf-end"
  3. Get into the global configuration mode of switch A  
  4. Change the switch name into "MY_SWITCH"
  5. Set an encrypted secret password for the privileged exec mode. Choose the password "cisco"
  6. Set the login banner. Choose the text:
         "Authorized personnel only!"
  7. Set password and login for all Telnet lines (0 to 15). Choose the password "cisco-telnet".
  8. Set the IP default gateway to "10.0.0.1" and set switchport mode of the interface that has the router connected to "trunk".
  9. Set up management VLAN (number 1). Set the IP address to "10.0.0.2" and subnet mask to "255.255.255.0". Remember to open it.
  10. Configure the interface f0/2 (connected to Host A) as follows: 
    • description to "Link to Moscow"
    • set the port into the access mode and access VLAN number 20
    • enable port security and set the maximum number of hosts connected to this interface to 1
    • Set that the switch learns the first encountered MAC address of a host that connects into the port
  11. Return to the privileged exec mode, view your running configuration, check that everything is in place and copy the running configuration into the startup configuration.
  12. Select Router A and get into the global configuration mode. 
  13. Set up DHCP with the following settings:
    • pool name “cisco”
    • network 10.0.0.0 255.255.255.0
    • DNS server 60.60.60.1
    • default router 10.0.0.1
    • lease time 1 day
    • domain name mydomain.com
    • excluded IP addresses are 10.0.0.1 - 10.0.0.5
  14. Open the interface f0/0. Host B should now get an ip address. Check with ipconfig on terminal of Host B.
  15. Try to telnet from Host B to VLAN 1. You'll be asked the telnet password. After that you should be able to access configuration of the switch.
  16. Store the complete lab "BasicConf-end.rsm" on your USB stick and then delete it from the PC.
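Step 10 enables port security on f0/2 with a maximum of one host and has the switch bind the first MAC address it sees to the port. The following model is an added example, not part of the lab material or the simulator: it shows what such a port does when a second device appears (a security violation), and the operator action needed to bring it back. The class and method names are my own; the violation action modelled is the Cisco IOS default, "shutdown", in which the port goes err-disabled.

```python
# Added example (not from the lab material): behavioural model of a switch port
# with port security, maximum 1 address, first address learned from traffic.

class SecuredPort:
    def __init__(self, name, max_macs=1, sticky=True):
        self.name = name
        self.max_macs = max_macs        # how many MAC addresses may use the port
        self.sticky = sticky            # learn addresses from the first frames seen
        self.allowed = []               # MAC addresses bound to this port
        self.err_disabled = False
        self.violations = 0

    def ingress(self, mac):
        """Return what the switch does with a frame arriving from `mac`."""
        mac = mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.max_macs:
            if self.sticky:
                self.allowed.append(mac)   # the first host seen is bound to the port
            return "forwarded (address learned)"
        # A further, unknown MAC beyond the limit is a security violation.
        # With the default violation mode the port is shut down (err-disabled).
        self.violations += 1
        self.err_disabled = True
        return "violation: port shut down"

    def recover(self):
        """Operator action: the equivalent of 'shutdown' then 'no shutdown' on the port.
        The learned address stays bound, so the original host keeps working."""
        self.err_disabled = False


def demo():
    """Constructed sample: Host A sends two frames, then a second device is plugged in."""
    port = SecuredPort("f0/2")
    frames = ("00:11:22:33:44:55", "00:11:22:33:44:55", "66:77:88:99:aa:bb")
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the grading line for f0/2 checks is exactly this: with the limit set to 1 and the first address learned, a second MAC on the port is refused rather than silently accepted, and someone has to notice and re-enable the port.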

Grading:

  • Host B obtains an IP address with DNS suffix mydomain.com: 1p
  • Telnet from Host B succeeds and login banner shows: 1p
  • Password for privileged exec mode works and shows up encrypted in running config of the switch: 1p
  • "MY_SWITCH#sh run" shows the correct config for the interface f0/2: 1p
  • "MY_SWITCH#sh run" shows the default gateway and port mode for f0/1 correctly: 1p
  • "Router#sh run" shows the DHCP settings correctly: 1p

Questions:

  • What is VLAN and what are they used for? 
  • How does a host with blank IP settings know where to send a DHCP request and from what address?


Task 2: Routing

You are given a network with three routers and one switch. The task is to configure dynamic and static routes, as well as routing between two VLANs (so called Router-on-a-Stick).

Image of the network:

Task 2 network (simulator)

Note:

  • Interfaces are shutdown by default, remember to open them
  • Save running configuration every time before closing a config window
  • In almost every case the subnet mask is 255.255.255.0


A more detailed image with all necessary addresses and interfaces shown: 

 Task 2 network

Part A: Dynamic, static and default routes 

  1. Open the file "#DIRECTORY#\#GROUP#\Routing-start"
  2. Save the file right away with the name "Routing-end"
  3. Start by configuring the interfaces of Routers A and C. Host PCs are connected to f0/0; set their IP addresses as well as the serial interfaces' addresses according to the image above.
  4. Router B has a switch in its f0/0. Set no ip address there at this time, but remember to set Router B's serial interface.
  5. After this, configure static routes to Router C (three networks).
  6. Then move to Router A. Configure dynamic routing using RIPv2 and disable auto-summary. Also, configure last-resort (default) gateway in case the dynamic doesn't work.
  7. Create default gateway for Router B.
  8. Check the configuration with “show ip route” command in each of the routers. When you are done, ping from Host A to Host C. Hosts B and D should only be able to ping each other.
Part B: Multiple VLANs and Router-on-a-Stick 
  1. Log in configuration mode of Switch B.
  2. Create and open interface VLAN 1 and assign IP address 10.0.5.2 to it.
  3. Create VLAN 16 and name it "Bravo", then VLAN 17 named "Delta".
  4. Configure interface f0/1 to mode "trunk". After that, configure f0/2 to access VLAN 16 and f0/3 to access VLAN 17. Exit the config of the switch.
  5. Then log in configuration mode of Router B.
  6. Create a subinterface f0/0.1 and give it the description "Management" and IP address 10.0.5.1. Set the encapsulation to "dot1q". Use the same encapsulation also on the following subinterfaces.
  7. Create subinterface f0/0.16 with description "Bravo" and IP 10.0.6.1
  8. Create subinterface f0/0.17 with description "Delta" and IP 10.0.7.1
  9. Check and save the running configuration and close the config window.
  10. You are now able to ping from any host to any. Try "tracert" from Host A to D. The route should show up nicely.
  11. When everything works, save the final result with the name "Routing-end.rsm".

Grading

  • A successful ping from Host A to C: 1p
  • A successful ping from Host B to D: 1p
  • A correct tracert from Host A to D: 1p
  • "Router#sh ip route" shows correct static routes in Router C: 1p
  • "Router#sh ip route" shows correct RIP settings in Router A: 1p
  • "Switch#sh run" shows correct VLANs in correct interfaces: 1p
  • "Router#sh run" in Router B shows correct subinterface IPs: 1p
  • "Router#sh run" in Router B shows correct subinterface descriptions and encapsulation: 1p

Questions:

  • Why didn't RIP in Router A work in this setup?
  • Consider the following changes in the network:

    Network 2 changed

    - What is the subnet, broadcast address, host address range and the number of valid hosts for the subnet between Router A and Router C?
    - What is this type of network called / how does it work?
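The subnet question above is pure address arithmetic, and it is worth being able to check the answer mechanically. The function below is an added example, not part of the lab material: given an address in host/prefix form it returns the network, broadcast, usable host range and host count, plus the netmask and its wildcard (inverse) form. The input addresses in the test are constructed; the lab's own link addresses are in the image, which is not reproduced here.

```python
# Added example (not from the lab material): subnet facts for an address/prefix,
# including the /31 and /32 edge cases where the usual "minus two" rule does not apply.
import ipaddress


def subnet_info(cidr):
    """Return network, broadcast, host range and host count for e.g. '10.0.1.57/24'."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen == 32:
        # Single host route: the one address is the host.
        first = last = net.network_address
        hosts = 1
    elif net.prefixlen == 31:
        # Point-to-point link (RFC 3021): both addresses are usable, no broadcast.
        first, last = net.network_address, net.broadcast_address
        hosts = 2
    else:
        # Network address and broadcast address are not assignable to hosts.
        first = net.network_address + 1
        last = net.broadcast_address - 1
        hosts = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),   # bitwise inverse of the netmask, as used in ACLs
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "valid_hosts": hosts,
    }


if __name__ == "__main__":
    # Constructed sample addresses, not the lab's own.
    for cidr in ("10.0.1.57/24", "192.168.5.6/30", "10.1.1.0/31"):
        print(cidr, subnet_info(cidr))
```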



Task 3: NAT and ACL

You are given a corporate network consisting of a gateway router B with corporate Web Server (Host B) connected to it, an ISP router A (off your premises) with Host A representing the public internet and a Department gateway router C with two workstations (Hosts G and H) connected via a switch. All static routing configurations have been already made and the interfaces are up. Your task is to implement NAT in the department router and two ACLs.

Image of the network:

Task 3 network

In the simulator:

Task 3 network (simulator)  


Part A: NAT

In this task you must configure the Department router so that workstations H and G are behind NAT.

  1. Open the file "#DIRECTORY#\#GROUP#\NAT_ACL-start"
  2. Save the file right away with the name "NAT_ACL-end"
  3. Configure dynamic NAT for subnet 10.0.0.0/24 with public address 200.200.2.2. Use pool name "mynat".


Part B: ACL

You must now create two extended ACLs to limit traffic to the Web Server (Host B). Remember that extended ACLs should be placed as close to the source as possible. Also note that Router A is off your premises so you cannot configure it.

  1. First, create an ACL that allows all ip traffic from host G to the Web Server and only HTTP-TCP traffic from host H. All other traffic from 10.0.0.0/24 to the Web Server should be denied but all other traffic to the internet allowed.
  2. Activate the ACL for the correct interface.
  3. Create another ACL that allows only HTTP and HTTPS traffic from the internet (any source IP address) to the Web Server. For testing purposes, also allow ICMP traffic from the ISP subnet 9.9.9.0/24 to the Web Server so pinging is possible.
  4. Activate the ACL for the correct interface.
  5. When everything works, save the final result with the name "NAT_ACL-end.rsm".

Now you should be able to ping from Host G to the Web Server (10.0.1.2). You should not be able to ping from Host H to the Web Server. You should be able to ping from Host H to the internet and from the internet you should be able to ping the Web Server but nothing else.
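The expected ping results follow from two properties of extended ACLs: entries are evaluated in order and the first match decides, and a packet that matches no entry is dropped by the implicit deny at the end of the list (which is also why a list with no permit statement blocks everything). The evaluator below is an added example, not the lab's own configuration or the simulator's code: it encodes the two access lists described in Part B as ordered rules with Cisco-style wildcard masks and runs the test packets from the paragraph above through them. Host G as 10.0.0.3 and Host H as 10.0.0.4 are taken from the grading line below; the internet host 9.9.9.9 (inside the ISP subnet 9.9.9.0/24) and the outside host 5.5.5.5 are constructed. The NAT-related failures (ping from the Web Server to G or H) are not ACL decisions and are not modelled.

```python
# Added example (not from the lab material): first-match ACL evaluation with
# wildcard masks and implicit deny, applied to the Part B traffic rules.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr, base, wildcard):
    """Cisco-style match: a 0 bit in the wildcard must match, a 1 bit is ignored.
    A wildcard is the bitwise inverse of a netmask (0.0.0.255 <-> 255.255.255.0)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry; proto "ip" matches every protocol."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wild)
                and wildcard_match(p.dst, self.dst, self.dst_wild)
                and (self.dport is None or self.dport == p.dport))


ANY = ("0.0.0.0", "255.255.255.255")   # wildcard of all ones: every address matches


def host(ip):
    return (ip, "0.0.0.0")              # wildcard of all zeros: exactly this address


def evaluate(acl, packet):
    """Walk the list top to bottom; the first matching entry wins."""
    for i, ace in enumerate(acl, start=1):
        if ace.matches(packet):
            return f"{ace.action} (entry {i})"
    return "deny (implicit deny at end of list)"


WEB = "10.0.1.2"
HOST_G, HOST_H = "10.0.0.3", "10.0.0.4"   # assumed from the grading line

# ACL 1: applied to traffic leaving the department LAN (10.0.0.0/24).
DEPARTMENT_ACL = [
    Ace("permit", "ip",  *host(HOST_G), *host(WEB)),            # G: everything to the server
    Ace("permit", "tcp", *host(HOST_H), *host(WEB), dport=80),  # H: HTTP only
    Ace("deny",   "ip",  "10.0.0.0", "0.0.0.255", *host(WEB)),  # rest of LAN: nothing to the server
    Ace("permit", "ip",  "10.0.0.0", "0.0.0.255", *ANY),        # but anything else may go out
]

# ACL 2: applied to traffic arriving from the internet.
INTERNET_ACL = [
    Ace("permit", "tcp",  *ANY, *host(WEB), dport=80),
    Ace("permit", "tcp",  *ANY, *host(WEB), dport=443),
    Ace("permit", "icmp", "9.9.9.0", "0.0.0.255", *host(WEB)),  # ping from the ISP subnet only
    # no further entries: everything else hits the implicit deny
]


if __name__ == "__main__":
    cases = [
        ("G pings Web Server",          DEPARTMENT_ACL, Packet(HOST_G, WEB, "icmp")),
        ("H pings Web Server",          DEPARTMENT_ACL, Packet(HOST_H, WEB, "icmp")),
        ("H browses Web Server",        DEPARTMENT_ACL, Packet(HOST_H, WEB, "tcp", 80)),
        ("H pings the internet",        DEPARTMENT_ACL, Packet(HOST_H, "9.9.9.9", "icmp")),
        ("internet pings Web Server",   INTERNET_ACL,   Packet("9.9.9.9", WEB, "icmp")),
        ("internet pings Router C",     INTERNET_ACL,   Packet("9.9.9.9", "200.200.2.2", "icmp")),
    ]
    for label, acl, pkt in cases:
        print(f"{label:28s} -> {evaluate(acl, pkt)}")
```

Ordering matters: if the deny entry for 10.0.0.0/24 were placed first, it would also swallow G's and H's permitted traffic, and the evaluator makes that mistake visible immediately.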

Grading: 

  • "Router#sh run" on Router C shows correct NAT and ACL configurations: 2p
  • A successful ping from the Web Server to Router C (200.200.2.2) but failed to G or H (10.0.0.3 or .4): 2p
  • A successful ping from Host G to the Web Server (10.0.1.2): 1p
  • A failed ping from Host H to the Web Server: 1p
  • A successful ping from the Internet to the Web Server but failed ping to Router C: 2p

Questions:

  • What is the difference between netmask and wildcard mask?
  • Why does ACL need at least one permit statement?

Material:

  • Preliminary Task: Preliminary exercise. Fill in this file and submit together with your configuration files.
  • Documentation: A presentation containing the necessary documentation for the assignment.
  • Configuration files: Initial configuration files for the exercises.