Data Communications and Computer Networks Lab 2G1316/2E1616
Data Links and Local Area Networks Lab 2E1623
Ignacio Más Ivars, Evgueni Ossipov, Héctor Velayos, Mikael Rudholm. Version 4.0
Laboratory for Communication Networks, Department of Signals, Sensors and Systems, KTH, Royal Institute of Technology
Laboratory Manual
Chapter 1
Introduction
1.1 Purpose of the laboratory
The main goal of this laboratory is to give you an overview of the different processes involved in building a network, such as a corporate network. You will have to plan the IP address scheme, configure and test the equipment, as well as configure several applications and servers typical of any corporate network (DNS servers, for example). After you have completed the laboratory exercises, you should be familiar with the practical issues of the different concepts explained in the course, as well as with the real equipment used nowadays in computer networks.
1.2.1 Homeworks
The lab sessions will be performed in groups of two persons. Each of these groups has to hand in one solved copy of the homeworks that are included at the end of this manual. The graded homeworks will be handed back during the first laboratory session. The maximum number of failed questions allowed to pass is stated in the homework header. Those students who do not pass the homeworks will have to correct the failed questions during the first lab session and submit the corrected version by the end of the session. The homeworks check that you have enough theoretical knowledge of the tasks that you will perform in the lab. Since these tasks are not part of the course book, you will have to read this manual and its references carefully to complete the homeworks.
4. Students must have their own copies of the laboratory manual.
5. Food and drinks are not allowed inside the laboratory.
1.4 How to use/read this manual
Parameters that you have to substitute with their proper values are written in italic. Parameters inside square brackets are optional and, if used, should be written without the square brackets.
1.6 Credits
Parts of this lab manual have been transcribed literally or with small modifications from the white paper "Understanding IP addresses: everything you ever wanted to know" by Chuck Semeria (© 3Com Corporation), used with kind permission of 3Com, and from different Linux HOWTOs and manuals.
Chapter 2
diagram. Thus, it can represent an unspecified network medium or whole networks, which is its normal usage. Additional information can be included in the diagram using alphanumeric strings, like IP addresses, host names or device ports. The next section contains some network diagrams that will be used during the lab. At the same time, these diagrams are good examples of the notation just introduced.
For data communication we will use different cables depending on the link layer technology, though the medium will always be copper. For the Ethernet connections, we will use four-pair category 5 Unshielded Twisted-Pair (UTP) cabling with RJ45 plugs on both ends. Figure 2.5 shows the RJ45 plug at the end of the UTP cable. This type of cable contains eight individually insulated wires twisted in pairs. Each pair is colored with one wire having a solid color (blue, orange, green, or brown) and the other wire having a stripe of the same color over a white background. Each wire is named by its color when it is solid (e.g. green) or by the pair white and color of the stripe otherwise (e.g. white-green). The pairs are identified by the solid colors (e.g. green pair). The RJ45 plug has eight pins, numbered from 1 to 8, so that each one of the wires of the four-pair UTP cable is connected to one pin. The assignment of wires to pins is called the color code and it differs depending on the standard. We will use both the EIA/TIA 568A and 568B standards. Their color assignment can be seen in Figure 2.6.
Figure 2.6: Standards for color codes.
We will need two different types of cables for Ethernet connections: crossover cables and straight-through cables. A crossover cable must be used to connect the Ethernet ports of two PCs directly, or two routers, or two switches (when the uplink port of the switches is not used). It has one RJ45 plug wired following the 568A standard and the other following the 568B standard. A straight-through cable must be used to connect the Ethernet ports of a switch to PCs or routers. It has both RJ45 plugs wired following the 568B standard. The only way to identify whether an Ethernet cable is a crossover or a straight-through cable is to check the color code at both ends. More information about Ethernet cables and how to make them can be found at http://www.duxcw.com/digest/Howto/network/cable/cable5.htm. General information about connectors, pin-outs, cables and adapters can be consulted at http://www.hardwarebook.net/
A different cable must be used to connect a PC to the console port of a Cisco device. The console port is a serial port, thus it must be connected to the PC serial port. The console port is an RJ45 jack while the PC serial port is a DB9 connector. To connect both ports properly, we will use the DB9 to RJ45 adapter (see Figure 2.7) and a new type of cable known as a roll-over cable. A roll-over cable also uses 8 wires with RJ45 plugs on both ends, but it is different from the straight-through or crossover cables. In a roll-over cable, the pins on one end are reversed on the other end. Thus pin 1 on one end connects to pin 8 on the other end, pin 2 connects to pin 7, pin 3 connects to pin 6 and so on. Figure 2.8 shows a roll-over cable. Keep in mind that whoever can plug a roll-over cable into the console port reaches the device's command line interface without passing through the network at all, so physical access to the routers and switches is part of their security. Finally, yet another arrangement must be used to connect two PCs through their serial ports. In this case, we link two DB9 to RJ45 adapters using a roll-over cable, and then each DB9 plug is connected to the serial port of each PC.
In addition to these cables, there is permanent cabling in the lab room that you will need to use to connect the router's outer interface to the departmental backbones. The permanent cables run in the ceiling and link each lab position with the lab's cabling rack. The cabling rack is right by the entrance. It contains the departmental switches and two patch panels above them. Figure 2.9 shows the interior of the cabling rack.
Figure 2.9: Cabling rack in the lab.
Each switch has a label indicating to which departmental backbone it belongs. Each patch panel socket is marked with a label (e.g. 11A-21) and connects to a similar socket with the same label by the tables. The sockets by the tables are labeled Laboratory LAN. Figure 2.10 shows the sockets by the tables. The connection between the sockets in the patch panel and by the tables is equivalent to a straight-through cable. The connection of the router's outer interface to the departmental backbone requires two straight-through cables. Use one to connect the router's outer Ethernet interface to one socket by the table labeled Laboratory LAN. Use the other to connect the socket in the patch panel with the same label to any port of the appropriate departmental switch.
2.2.2 Switches
The switch you will use in the lab is a Cisco Catalyst 3512 XL. In the front it has twelve 10/100 Ethernet switched RJ45 ports plus two additional Gigabit Ethernet slots. The Ethernet ports will be used to connect the equipment of the area network. The Gigabit slots will not be used in this lab. In the back it has the RJ45 console port for its configuration and the three-pin power supply socket. It does not have a power switch; the equipment is turned on when connected to the power supply. Each port is labeled on the box with a name, which is also used to identify the port in the configuration menus. Figure 2.12 shows the front and Figure 2.13 shows a closer view of the Ethernet ports in the front. Note that each port is given a number, with number one in the top left corner. The number allows identification of the ports in the configuration file, but there is no difference in the behavior of the ports. Any of them can be used to connect equipment to the switch. More information about this model can be found at http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/index.htm
There are additional switches inside the cabling rack. You will use them to connect your router to the departmental backbone, but you do not have to change their configuration.
2.2.3 Routers
The router you will use in the lab is a Cisco 2621. All its ports are situated in the back. It has two 10/100 Ethernet RJ45 ports, an RJ45 console port for its configuration, a three-pin power socket and a power switch. Each port is labeled on the box with a name, which is also used to identify the port in the configuration file. Since the router forwards packets between its ports, it is very important to connect each network to the proper port. Figure 2.14 shows the front and Figure 2.15 shows the ports in the back. More information about this equipment can be found at http://www.cisco.com/en/US/products/hw/routers/ps259/index.html
Figure 2.11: Back of the Dell PC.
2.2.4 Terminals
Personal Computers (PCs) running Linux will be used as terminals in the lab. Each area network has a laptop PC, which will be used as the network server for the area network. All the ports of this PC are in the back. Its most important ports for this lab are the 10/100 Ethernet RJ45 port and the DB9 serial port. Figure 2.11 shows the back of the laptop PC at the lab. Additional PCs, laptops or desktops, can be connected to the area network. These PCs must have a RJ45 Ethernet port. This port will be connected to any free port in the switch to join the area network.
Figure 2.13: Ethernet ports in the front-left of the Cisco Catalyst 3512 XL.
Figure 2.15: Ports in the back of the Cisco 2621.
read them carefully. After reading it, read section 2.3.3 of this manual about the same topic. It contains the answers to the setup questions that you should use during the lab. After reading the first chapter, move on to the second, "Cisco IOS software basics". It describes general aspects of the Cisco IOS software, which you need to know before working with the router. Read it completely, with special attention to the different configuration modes, how to get help on the commands from the command line interface and how to undo a command or feature. To complete the review of the router documentation, read chapter 3 titled "Configuring with the Command Line Interface". It describes the commands to actually configure particular functions of the router. Read sections "Configuring Fast Ethernet Interfaces", "Checking the Interface Configuration" and "Saving Configuration Changes". By reading these sections of the documentation thoroughly, you will obtain a good knowledge of the router, its software and of how to configure it. However you might still need more information on particular commands. To obtain it, use the master index of the Cisco IOS Configuration Guide, Release 12.0, available at http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/cbkixol.htm. Use this reference to read about the "ip route" command. It will be used during the lab to create the routing table of the router. Read also about the commands "ping" and "trace" in their privileged and user versions, since you will use them to troubleshoot the network. All this information only applies to the router configuration. There is an equivalent document for configuring the switch called "Cisco IOS Desktop Switching Software Configuration Guide". If you read this document, you will discover that the way the switch is configured is similar to that of the router, but some commands are different.
You can find these commands in a document called "Cisco IOS Desktop Switching Command Reference", available at http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/cmdref/index.htm. If you need information on a particular command, go directly to the section "Cisco IOS commands". Before the lab, it is enough that you read the section "Using the command-line interface" of the switch manual. Note that it is similar to the same section in the router configuration guide. Since we will not configure complex functions in the switch during this lab, you do not have to study any of the switch commands deeply. After reading this information about the switch, read section 2.3.2 below, which describes how to start up the switch. You will start up and initially configure the switch during the lab.
Using the Setup command of the Command Line Interface
The command setup, from the set of privileged commands, is used to assign IP information and to create a default configuration for continued operation. When you boot the switch (or the router) for the first time, there is no configuration, so you will be asked whether you want to enter the "initial setup dialog". Answer yes and you will be configuring everything from scratch. If this question does not appear, it means that some configuration was found. In this case, you will have to start the setup procedure from the privileged mode using these commands:
Switch> enable
Password: passwd
Switch# setup
Continue with configuration dialog? [yes/no]: y
The password should be "qwerty". The setup procedure consists of a sequence of questions that you should answer. This information is used to create the initial configuration. After the last question, this initial configuration is shown, so it is possible to review it before saving. Here are the questions and the suggested answers:
Question 1: Enter your switch's IP address and press Return:
Enter IP address: ip_address
Question 4: Enter the IP address of your switch's default gateway and press Return:
IP address of the default gateway: ip_address
Question 5: Enter a host name for the switch and press Return:
Enter host name: Switch
Question 6: Enter a secret password (which ensures switch security) and press Return:
Enter enable secret: qwerty
Question 9: You would enter Y to configure this switch as the cluster command switch. Enter N to configure it as a member switch or as a stand-alone switch.
Would you like to enable as a cluster command switch? n
Question 10: Verify that the addresses are correct in the initial configuration displayed:
The following configuration command script was created:

ip subnet-zero
interface VLAN1
ip address ip_address ip_netmask
ip default-gateway ip_address
hostname Switch
enable secret 5 $1$jJql$VA6U.6uTjsa56Xx2yy/t30
line vty 0 15
password telnet_password
snmp community private rw
snmp community public ro
cluster disable
!
end
!
Use this configuration? [yes/no]:
Question 11: If the information is correct, enter y at the prompt and press Return to use it. When you see the message "Press RETURN to get started", the setup program is complete. If the information is not correct, enter n at the prompt, press Return, and begin again at Question 1. Before accepting the script, look at what it enables besides the addresses: telnet access on all sixteen vty lines protected only by a cleartext password, and SNMP with the well-known community strings public (read-only) and private (read-write). The private rw community lets anyone who can reach the switch's IP address change its configuration over SNMP, so change or remove these communities before the switch is attached to anything other than the isolated lab network. The enable secret, by contrast, is stored as a salted MD5 hash (that is what the 5 in "enable secret 5" means), not in cleartext. These switches are far more powerful than what is shown here. If you would like to know more about them, you can check their manual at the Cisco web site.
The password should be "qwerty".
Initial configuration dialog
The setup procedure consists of a sequence of questions that you should answer. This information is used to create the initial configuration. After the last question, this initial configuration is shown, so it is possible to review it before saving. Here are the questions and the suggested answers:
Question 1: Answer "no" to enter the extended setup:
Would you like to enter basic management setup? [yes/no]: no
After these two questions, the conguration of the global parameters begins: Question 3: Type a name for the router:
Enter host name [Router]: Router
Question 9: Answer "no" since we will use static routing:
Now the configuration of the interface parameters begins. The FastEthernet 0/0 port is first:
Question 13: Answer "yes" to configure the FastEthernet 0/0 interface
Do you want to configure FastEthernet0/0 interface? [yes]: yes
Question 14: Answer "yes" to use the RJ45 connector in the back part of the router
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Question 17: Type the proper IP address for this interface in dotted-decimal format. The network diagram should help in finding out what this address should be. We have included an IP address as an example of the expected answer.
IP address for this interface: 192.168.0.129
Question 18: Type the proper mask in dotted-decimal format corresponding to the previous IP address. We have included a mask as an example of the expected answer.
Subnet mask for this interface: 255.255.255.0
After this question, similar questions will appear to configure the second FastEthernet interface of the router. Answer them in the same way you did with the questions for the other FastEthernet interface. Mind that the IP address, and possibly the mask, must be different for this second interface, so that the two interfaces lie in different subnets. After this set of questions on the second FastEthernet interface, the initial configuration is generated and displayed for you to verify it. The screen should look similar to this:
The following configuration command script was created:

hostname Router
enable secret 5 $1$EDYp$8IwOwl7TATzo8lYdAeuIV1
enable password lab
line vty 0 4
password qwerty
no snmp-server
!
ip routing
no bridge 1
!
interface FastEthernet0/0
media-type 100BaseX
full-duplex
ip address 192.168.0.129 255.255.255.0
!
interface FastEthernet0/1
media-type 100BaseX
full-duplex
ip address 192.168.0.26 255.255.255.0
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
end

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]:
Figure 2.16: The five classes of IP addresses, where the prefix identifies the network and the suffix the particular host inside that network.
Check the configuration, especially the IP addresses and masks, and if everything is correct, answer "2" to save the configuration and exit from the setup mode. If there is some incorrect information, you can answer "1" to repeat the setup. Two things are worth checking beyond the addresses. First, the two FastEthernet interfaces must belong to different subnets: in the sample script above both addresses fall inside 192.168.0.0/24, and IOS rejects an interface address whose subnet overlaps that of another interface, so use the addresses and masks from your network diagram. Second, the script stores the enable secret as a salted MD5 hash ("enable secret 5 ...") but also contains "enable password lab" and the vty password "qwerty" in cleartext; when both an enable secret and an enable password are configured, IOS uses the secret, so the cleartext enable password adds nothing except a password readable by anyone who can view the configuration. After you save it, the router is working with your initial configuration. Note that you have not introduced the static routing table yet, thus the router can only reach directly connected networks. If any static route is needed, use the router's command ip route to add static entries to the routing table.
Table 2.1: Examples of 32-bit addresses and their equivalent in dotted-decimal notation.

32-bit binary number                    Equivalent dotted decimal
10000001.00110100.00000110.00000000     129.52.6.0
11000000.00000101.00110000.00000011     192.5.48.3
00001010.00000010.00000000.00100101     10.2.0.37
10000000.00001010.00000010.00000011     128.10.2.3
10000000.10000000.11111111.00000000     128.128.255.0

Table 2.2: The range of decimal values in the first octet of each class.

Address class        Range of values
A (/8 prefixes)      0 through 127
B (/16 prefixes)     128 through 191
C (/24 prefixes)     192 through 223
D (multicast)        224 through 239
E (reserved)         240 through 255

Class B Networks
Class B network addresses have a 16-bit network number, with the two highest order bits set to 10, followed by a 16-bit host number. They are usually referred to as /16s. There are 16,384 (2^14) /16 networks, with 65,534 (2^16 - 2) hosts per network. The entire class B address space contains 2^30 (1,073,741,824) addresses.
Class C Networks
Class C network addresses have the three highest order bits set to 110 and a 24-bit network number, followed by an 8-bit host number. They are referred to as /24s. There are 254 (2^8 - 2) hosts per network, with 2,097,152 (2^21) possible /24 networks, giving a maximum of 2^29 (536,870,912) addresses.
Other Classes
In addition to the three classes used to identify individual network interfaces, there are two additional classes: Class D addresses have their four highest order bits set to 1110 and are used to support IP multicasting, while Class E addresses have their leading four bits set to 1111 and are reserved for future use.
The division of IP addresses based on octet boundaries was easy to implement and deploy, but it created a lack of proper support for medium-size organizations. A /16, supporting 65,534 hosts, can be too large for this type of organization, while a /24, with only 254 possible hosts, can be far too small. In the past, sites with several hundred hosts were assigned a single /16 address instead of two or three /24 addresses, thus quickly finishing off the /16 address space. Also, the need to give several /24 addresses to the same organization has increased the size of the routing tables.
2.4.5 IP subnetting
In 1985, IETF RFC 950 defined a way to divide single class addresses into smaller pieces. Subnetting was introduced to overcome the problems the Internet was suffering with the two-level addressing hierarchy: first, local administrators had to apply for a new network address before installing a new network at their site; and, second, the Internet routing tables were beginning to grow to an unmanageable size. The way to attack these problems was to add a new level to the addressing hierarchy. With subnetting the host number was divided into two parts, the subnet number and the host number on that subnet, thus creating a three-level hierarchy. Table 2.3 shows this division for the address 130.5.5.25 with the subnet mask 255.255.255.0.

Table 2.3: Subnet mask.

                   network-number       subnet-number   host-number
130.5.5.25         10000010.00000101    00000101        00011001
255.255.255.0      11111111.11111111    11111111        00000000
                   |----- extended-network-number -----|

With the new subnetting scheme, the subnet structure of a network is not visible outside the organization's domain. This helps reduce the routing tables of the outside routers, as the route to any subnet is the same because all subnets share the same network number. It is only inside the organization's private network where routers need to differentiate between the different subnets to route packets, confining the complexity of the routing tables to the domain of the local administrator. With the new scheme, a site with several logical networks uses subnet addressing to cover them with a single /16 (Class B) network address. (Do not confuse this with supernetting, which is the reverse operation: aggregating several smaller networks, such as a group of /24s, under one shorter prefix.) In the example of Table 2.3, the router accepts all traffic from the Internet to network 130.5.0.0 and forwards traffic to the interior subnetworks based on the third octet of the address.
How many subnets will we need in the future?
How many hosts are in the largest subnet?
How many hosts can the largest subnet contain in the future?
The first step to perform is to take the maximum number of subnets required and round that value up to the closest power of two. This computation should take into account the possible growth of the network. For example, if we need 11 subnets, then 2^3 will not provide enough subnets, so we will have to round up to 2^4. This will give us five extra subnets for our organization to grow. The second step is checking the number of hosts that we will need in the largest subnet. Imagine that we will need 26 hosts. If this is the case, then we will need at least 2^5 (or 32) addresses, since the all-zeros and all-ones host numbers are reserved for the subnet and broadcast addresses and only 30 of the 32 remain usable. Finally, we have to check the address space of our organization to see if we have enough bits to deploy the required subnetting plan. For example, with a single /16 address we have 16 bits available, so four bits for the subnet number still leave twelve bits for the host number, far more than the five required. If we instead have several /24s and we want to have 11 subnets, then four plus five bits do not fit in the eight host bits of a /24, so we will have to subnet each /24 into four subnets (with two bits of subnet number) and then combine three of them to get the required topology.
Subnetting 193.1.1.0/24 with three subnet bits gives eight /27 subnets:

Base Net:   11000001.00000001.00000001.00000000   193.1.1.0/24
Subnet 0:   11000001.00000001.00000001.00000000   193.1.1.0/27
Subnet 1:   11000001.00000001.00000001.00100000   193.1.1.32/27
Subnet 2:   11000001.00000001.00000001.01000000   193.1.1.64/27
Subnet 3:   11000001.00000001.00000001.01100000   193.1.1.96/27
Subnet 4:   11000001.00000001.00000001.10000000   193.1.1.128/27
Subnet 5:   11000001.00000001.00000001.10100000   193.1.1.160/27
Subnet 6:   11000001.00000001.00000001.11000000   193.1.1.192/27
Subnet 7:   11000001.00000001.00000001.11100000   193.1.1.224/27
The valid host addresses for Subnet 2 and Subnet 6 in our example are given in Table 2.5. In each address the first 27 bits (up to and including the three subnet bits) are the extended-network-prefix and the last five bits are the host-number field; a space separates the two.

Table 2.5: Valid host addresses for Subnet 2 and Subnet 6.

Subnet 2:   11000001.00000001.00000001.010 00000   193.1.1.64/27
Host 1:     11000001.00000001.00000001.010 00001   193.1.1.65/27
Host 2:     11000001.00000001.00000001.010 00010   193.1.1.66/27
Host 3:     11000001.00000001.00000001.010 00011   193.1.1.67/27
...
Host 30:    11000001.00000001.00000001.010 11110   193.1.1.94/27

Subnet 6:   11000001.00000001.00000001.110 00000   193.1.1.192/27
Host 1:     11000001.00000001.00000001.110 00001   193.1.1.193/27
Host 2:     11000001.00000001.00000001.110 00010   193.1.1.194/27
Host 3:     11000001.00000001.00000001.110 00011   193.1.1.195/27
...
Host 30:    11000001.00000001.00000001.110 11110   193.1.1.222/27
Defining the Broadcast Address for Each Subnet
The broadcast address for Subnet 2 is the all-1s host address, or: 11000001.00000001.00000001.01011111 = 193.1.1.95. Note that the broadcast address for Subnet 2 is exactly one less than the base address for Subnet 3 (193.1.1.96). This is always the case: the broadcast address for Subnet n is one less than the base address for Subnet (n+1). The broadcast address for Subnet 6 is simply the all-1s host address, or: 11000001.00000001.00000001.11011111 = 193.1.1.223. Again, the broadcast address for Subnet 6 is exactly one less than the base address for Subnet 7 (193.1.1.224).
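The subnet planning steps above (round the number of subnets and the number of hosts up to powers of two, then check that the bits fit in the assigned block) and the enumeration of subnets, host ranges and broadcast addresses in the tables can be carried out mechanically with Python's standard ipaddress module. The following is an added example written for this section, not code from the lab or from any vendor; the blocks 193.1.1.0/24 and 130.5.0.0/16 and the planning figures (11 subnets, 26 hosts in the largest one) are the ones used in the text. It goes slightly beyond the text by also classifying an address into its class from the first octet and by checking the "broadcast of n is one less than base of n+1" rule over a whole plan.

```python
"""Subnet planning and enumeration with the standard ipaddress module.

Added example for the lab manual; not part of the original text.
"""
import ipaddress
import math


def address_class(addr):
    """Classful class (A..E) decided by the value of the first octet (Table 2.2)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def plan_subnet_bits(subnets_needed, hosts_in_largest):
    """Bits required for the subnet field and for the host field.

    Each requirement is rounded up to the next power of two. The host field
    must also hold the all-zeros (subnet) and all-ones (broadcast) addresses,
    so 2 is added before rounding: 26 hosts -> 28 addresses -> 5 bits.
    """
    subnet_bits = math.ceil(math.log2(subnets_needed)) if subnets_needed > 1 else 0
    host_bits = math.ceil(math.log2(hosts_in_largest + 2))
    return subnet_bits, host_bits


def fits_in(block, subnet_bits, host_bits):
    """True if the assigned block leaves enough bits for the plan."""
    available = 32 - ipaddress.IPv4Network(block).prefixlen
    return subnet_bits + host_bits <= available


def enumerate_subnets(block, subnet_bits):
    """Split a block into 2**subnet_bits equal subnets.

    Each entry carries the subnet, its first and last usable host and its
    broadcast address, the same information as Table 2.5.
    """
    net = ipaddress.IPv4Network(block)
    plan = []
    for i, sub in enumerate(net.subnets(prefixlen_diff=subnet_bits)):
        hosts = list(sub.hosts())          # excludes network and broadcast
        plan.append({
            "index": i,
            "subnet": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        })
    return plan


def broadcast_precedes_next(plan):
    """Check the rule from the text: broadcast(n) + 1 == base(n+1)."""
    for a, b in zip(plan, plan[1:]):
        nxt = ipaddress.IPv4Network(b["subnet"]).network_address
        if int(ipaddress.IPv4Address(a["broadcast"])) + 1 != int(nxt):
            return False
    return True


if __name__ == "__main__":
    bits = plan_subnet_bits(11, 26)       # (4, 5): 11 -> 16 subnets, 26 -> 32 addresses
    print("subnet bits, host bits:", bits)
    print("fits in 193.1.1.0/24:", fits_in("193.1.1.0/24", *bits))   # 9 bits needed, 8 available
    print("fits in 130.5.0.0/16:", fits_in("130.5.0.0/16", *bits))
    for entry in enumerate_subnets("193.1.1.0/24", 3):
        print(entry)
```

Running the block prints the eight /27 subnets of 193.1.1.0/24 with their host ranges; note that the 11-subnet, 26-host plan does not fit in a single /24, exactly as the text concludes.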
[Figure: two routing examples. First example: hosts A, B and C, with addresses 192.168.0.A, 192.168.0.B and 192.168.0.C, all on the single network 192.168.0.X. Second example: router R joins network 192.168.0.X, where host A sits, through its interface 192.168.0.R, and network 192.168.1.X through its interface 192.168.1.R; hosts C (192.168.1.C) and D (192.168.1.D) are on network 192.168.1.X.]
2.4.10 IP routing
Direct or indirect routing
When two machines are on the same network, there is no need to forward a packet between them at the IP layer. In this case direct routing is used. In the first example, A and C are in the same network, so they know that they can reach each other just by using the proper Ethernet address. On the other hand, if the network addresses of source and destination are not the same, then the packet must be forwarded by a router that knows how to reach the destination. In the second example, if A wants to reach D, it needs to have some routing information to know where to send the packet to reach D. The way to add routes to the routing table in a Unix machine is to use the route command. R needs to have two IP addresses, one for each network interface. A can then know that R is on its network just by looking at the IP address of the interface of R connected to the first Ethernet segment. In the same way, D sees the second network interface of R and is able to obtain the Ethernet address of this interface. Most of the time it is not necessary to manually add the routing entry for the other Ethernet segment. It is sufficient to have R as the default gateway, which is the machine to which packets addressed to machines outside my network segment are sent. Of course, the default gateway needs to have a routing table properly configured to forward the packets to the correct destinations.
Static or dynamic routing
There are two different methods to get the information that the routing table needs: static or dynamic routing. With static routing, the routing table is manually written by the system administrator, and it usually requires all the machines to have statically configured addresses. In case there is a change in the network topology, it is up to the system administrator to manually update the routing tables in all the machines affected.
Usually, most computers and routing devices add by default a static entry in the routing table when the network interface is configured. Dynamic routing is a more complex process. It uses special routing protocols to update the information in the routing table. The routers in the different networks exchange routing information about the networks they know about and the metrics or costs needed to reach those networks (number of hops, load, bandwidth and so on). The routing protocols can be classified into Interior Gateway Protocols (IGP), which are used to distribute routing information inside Autonomous Systems (AS), and Exterior Gateway Protocols (EGP), which transmit this information between ASs. An autonomous system is a set of machines inside one particular domain administered by one authority, group or organization. Examples of IGPs are OSPF and RIP, while BGP is an example of an EGP.
Understanding a routing table
The process of choosing a particular route from the routing table is a mathematical operation. It requires a little bit of binary arithmetic and logic: an IP address matches a particular route if the network address in the routing table is exactly the same as the destination IP address logically ANDed with the network mask. In simple words, a route in the routing table is chosen if the number of bits specified by the network mask from the destination IP address are equal to the same number of bits in the network address in the routing table entry. There can be more than one entry that matches the target address in the routing table, so how does IP find the proper route? There is one difference between the different routes, the network mask. We have previously said that the network mask is used to split our address space into smaller networks, so, of course, the longer the netmask, the more precisely a target address is matched. We should always use the route that has the longest network mask (the longest prefix match). A default route (network 0.0.0.0, mask 0.0.0.0) matches every destination and has the shortest possible mask, so it is only used when nothing more specific matches; when debugging, check the mask of each entry, because a route with the wrong mask can quietly capture traffic meant for a more specific network.
There are different ways to build a routing table. For a small LAN, like ours, the most efficient way is to build it by hand with the route command, but for larger networks they are built and modified by routing daemons, which usually run in each router on the network. These daemons are the ones that use dynamic routing protocols to exchange routing information to compute the best routes for the different networks.
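As an added example (not part of the original manual), here is the selection rule above implemented literally in Python: each route is stored as a network and a mask, a destination matches an entry when destination AND mask equals the entry's network, and among all matching entries the one with the longest mask wins. The two routing tables are constructed for the second diagram above (host A behind router R); the concrete addresses 192.168.0.10 for A and 192.168.0.1 for R, and the extra, more specific route via 192.168.1.2 that shows the longest match taking precedence, are assumptions made for the example.

```python
"""Longest-prefix-match lookup over a static routing table.

Added example for the lab manual; the tables below are constructed, not
copied from any real device.
"""
import ipaddress


def dotted_to_int(dotted):
    """'192.168.0.1' -> 3232235521 (so that AND can be applied directly)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_dotted(value):
    return str(ipaddress.IPv4Address(value))


class RoutingTable:
    """A static routing table using the matching rule described in the text."""

    def __init__(self):
        # each entry: (network_int, mask_int, gateway or None, interface)
        self.routes = []

    def add(self, network, mask, gateway, interface):
        """Add an entry; gateway=None marks a directly connected network.

        Corresponds to 'route add -net NETWORK netmask MASK gw GATEWAY' on
        the Linux PCs and to 'ip route NETWORK MASK GATEWAY' on the router.
        """
        net, msk = dotted_to_int(network), dotted_to_int(mask)
        inv = ~msk & 0xFFFFFFFF
        if inv & (inv + 1):
            raise ValueError(f"{mask} is not a contiguous netmask")
        if net & msk != net:
            raise ValueError(f"{network} has host bits set under mask {mask}")
        self.routes.append((net, msk, gateway, interface))

    def lookup(self, destination):
        """Best matching entry as (network, mask, gateway, interface), or None."""
        dst = dotted_to_int(destination)
        best = None
        for net, msk, gw, iface in self.routes:
            # the test from the text: (destination AND mask) == network
            if dst & msk != net:
                continue
            # a contiguous mask with more 1-bits is numerically larger, so
            # comparing the integers selects the longest prefix
            if best is None or msk > best[1]:
                best = (net, msk, gw, iface)
        if best is None:
            return None
        return int_to_dotted(best[0]), int_to_dotted(best[1]), best[2], best[3]

    def next_hop(self, destination):
        """'direct' for a connected network, otherwise the gateway address."""
        route = self.lookup(destination)
        if route is None:
            return None
        return "direct" if route[2] is None else route[2]


def host_a_table():
    """Table of host A (assumed 192.168.0.10/24) with R (assumed 192.168.0.1) as default gateway."""
    rt = RoutingTable()
    rt.add("192.168.0.0", "255.255.255.0", None, "eth0")    # added when eth0 is configured
    rt.add("0.0.0.0", "0.0.0.0", "192.168.0.1", "eth0")      # route add default gw 192.168.0.1
    return rt


def router_r_table():
    """Table of R, plus one more specific route (assumed) to show the longest match winning."""
    rt = RoutingTable()
    rt.add("192.168.0.0", "255.255.255.0", None, "FastEthernet0/0")
    rt.add("192.168.1.0", "255.255.255.0", None, "FastEthernet0/1")
    rt.add("192.168.0.128", "255.255.255.128", "192.168.1.2", "FastEthernet0/1")
    return rt


if __name__ == "__main__":
    a, r = host_a_table(), router_r_table()
    for dst in ("192.168.0.20", "192.168.1.5", "10.1.2.3"):
        print("A ->", dst, "via", a.next_hop(dst))
    for dst in ("192.168.0.20", "192.168.0.200", "10.1.2.3"):
        print("R ->", dst, "via", r.lookup(dst))
```

On A every destination outside 192.168.0.0/24 falls through to the default route, which is why a single "default gw" entry is enough. On R, 192.168.0.200 matches both 192.168.0.0/24 and 192.168.0.128/25, and the /25 entry is chosen; 10.1.2.3 matches nothing, which on a real router produces an ICMP "destination unreachable" rather than a forwarded packet.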
2.5 Debugging
2.5.1 General model: top down or bottom up approaches
The main tasks of a network administrator are to keep a network running and to fix it in case of failure. Basically these tasks can be decomposed into the following set of subtasks. Locate the point of failure.
In general one can discover that a failure occurs by simple facts like: you cannot open a web page, you cannot print on the network printer, you cannot make a remote connection to a distant computer... In this case you, as the network administrator, should perform certain steps to discover why these strange things are happening. You can use two general approaches to find out the reason for the failure and to locate the place of the problem in the network. These two approaches are called Top-Down and Bottom-Up. From the names you can understand that you should check the operation of the network on the different levels starting from the application layer down to the physical layer in the top-down approach, or from the physical layer up to the application layer in the bottom-up approach. Recall the main layers in the TCP/IP stack.
Physical layer - On this layer you can check whether the cabling is made correctly. Check that all cables are properly connected to the network cards. And at the far end check that the network device (your PC, router, etc.) is powered ON!
Link layer - On this layer you can check the link layer configuration, status, and statistical information of the network interfaces. In the PCs you can use the command ifconfig for this purpose. This command will provide you with the necessary statistics of the interface usage and its current status. You will find in the next subsection a description of how to use this command. One of the possible problems at the link layer can be an automatic disabling of the network interface due to incorrect cabling. In this case, when executing ifconfig in the PC you either will not see the record about the problematic interface at all (use ifconfig -a to list interfaces that are down as well), or the status field (see the output of ifconfig in the next subsection) will show DOWN or will simply lack the UP flag. In the switches and routers the command to see the status of the interfaces is show interfaces, but the meaning of these commands is exactly the same as that of ifconfig. To fix the problem on this level first check that the cabling is correct. Then, bring the interface up manually with the proper commands.
Network layer (IP) - The typical problem on this layer is an incorrect IP configuration of the network interface. The sequence of your actions to fix the problem should be:
1. Check if the network interface is configured with the proper IP address and network mask.
2. Test the configuration by checking if you can communicate with other network devices.
3. If the problem remains, repeat from the configuration.
There are different commands to check the IP configuration of the interfaces in PCs, switches, and routers. For example, in the PCs use ifconfig for this purpose. Another item which is included in the term IP configuration is the proper configuration of the routing table. In the PCs, for example, you can use the command route for this purpose. Check the next subsection for details of the usage of these commands. In order to test the correctness of step one, the easiest way is to use the ping command, which exists in all network devices (so in the simplest case the syntax of the command is common for PCs and Cisco devices). Check if you can ping a machine (a PC or a router) which you know for sure is up and running. If you cannot ping this machine, repeat the configuration step. If you checked the configuration and you are 100% sure that it is correct but ping still does not work, maybe the problem is not in your PC but in an intermediate device (e.g. a router). The way to locate the erroneous device is to use the traceroute command (which again exists both in the PCs and the Cisco devices, where it is called trace). If you find out that one of the routers which you have access to configure is not responding, apply the same approach to locate and fix the failure in this router. Keep in mind that ping and traceroute depend on ICMP replies: a device configured not to answer them looks dead even though it forwards traffic normally, so a missing reply is evidence, not proof, of a failure.
Transport layer - On this level you can try to establish a TCP connection to a particular port and check whether it works or not. For this purpose you can use the telnet program on your PC in the form: telnet destination_IP port_number (the host and the port are given as two separate arguments; telnet does not accept a host:port form).
The possible reason of the failure on this level could be a special set of rules in your Laboratory Manual 22
PC which forbids an access to certain IP addresses and/or TCP/UDP ports. This kind of ltering has the name "IP rewalling". Check the rewalling rules for correctness. Application layer - On this layer you can discover that something is going wrong by observing whether your applications work as they should. Most probably, applications will generate meaningful errors when they cannot work. The error message is the best hint to nd the problem. Read it carefully and make sure you understand it. Read the application manual if needed.
The syntax of the command when you would like to assign IP parameters is
ifconfig Interface_name IP_Address netmask Network_mask broadcast Broadcast_address
If you run ifconfig without arguments, you get a summary of the configuration of the interfaces which are up, like the one below:

[lab@localhost lab]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:DA:E9:12:9C
          inet addr:193.150.254.81  Bcast:193.150.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x200

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

As you can notice from the output, the first line of each interface gives information about the link layer (encapsulation and hardware address); the second line shows the IP configuration; the third line gives the status of the interface (the flags UP, RUNNING etc. and the MTU); the next three lines show the interface usage statistics; and the last line of eth0 shows the hardware resources used by the card. In the lab you will use this command with or without arguments. You can find information about other arguments and options of this command by typing in the terminal window:
man ifconfig
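As an added example (not part of the manual), the following Python script parses the summary output of ifconfig shown above and applies the link- and network-layer checks of the troubleshooting list: is the interface UP, is it RUNNING (carrier present), does it have an IP address, and are the error counters zero. The sample output is constructed for the example: eth0 is copied from the listing above, eth1 is an invented interface that is up but has no carrier and shows transmit errors.

```python
# Added example: parse classic Linux ifconfig (net-tools) output and map each
# interface to the layer of the troubleshooting ladder where its problem lies.
import re

# Constructed sample: eth0 as in the manual's listing, eth1 invented (no carrier,
# TX errors, no IP address), lo as in the listing.
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:50:DA:E9:12:9C
          inet addr:193.150.254.81  Bcast:193.150.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x200

eth1      Link encap:Ethernet  HWaddr 00:50:DA:E9:12:9D
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:12 dropped:0 overruns:0 carrier:12
          collisions:0 txqueuelen:100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
"""

FLAG_WORDS = {"UP", "BROADCAST", "RUNNING", "MULTICAST", "LOOPBACK",
              "NOARP", "PROMISC", "POINTOPOINT"}
COUNTERS = re.compile(r"(errors|dropped|overruns|frame|carrier):(\d+)")


def parse_ifconfig(text):
    """Return {ifname: {hwaddr, inet, mask, flags, mtu, errors}}; a new
    interface block starts at every line that begins in column 0."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, rest = line.split(None, 1)
            cur = ifaces[name] = {"flags": set(), "inet": None, "mask": None,
                                  "hwaddr": None, "mtu": None, "errors": {}}
            m = re.search(r"HWaddr\s+(\S+)", rest)
            if m:
                cur["hwaddr"] = m.group(1)
            continue
        s = line.strip()
        m = re.search(r"inet addr:(\S+)", s)
        if m:                                   # IP configuration line
            cur["inet"] = m.group(1)
            mm = re.search(r"Mask:(\S+)", s)
            cur["mask"] = mm.group(1) if mm else None
        elif re.match(r"(RX|TX) packets:", s):  # statistics lines
            cur["errors"][s[:2]] = {k: int(v) for k, v in COUNTERS.findall(s)}
        elif re.search(r"MTU:\d+", s):          # status (flags) line
            cur["flags"] = {w for w in s.split() if w in FLAG_WORDS}
            cur["mtu"] = int(re.search(r"MTU:(\d+)", s).group(1))
    return ifaces


def diagnose(iface):
    """Problems found on one parsed interface, each tagged with the layer
    where the troubleshooting text places it; [] means nothing obvious."""
    problems = []
    if "UP" not in iface["flags"]:
        problems.append("link: interface is DOWN (bring it up with ifconfig ... up)")
    elif "RUNNING" not in iface["flags"]:
        problems.append("physical: no carrier (check cable and far-end device)")
    if iface["inet"] is None:
        problems.append("network: no IP address configured")
    for direction, counters in iface["errors"].items():
        bad = {k: v for k, v in counters.items() if v}
        if bad:
            problems.append("link: %s %s" % (direction, bad))
    return problems


if __name__ == "__main__":
    for name, iface in parse_ifconfig(SAMPLE).items():
        print(name, diagnose(iface) or "ok")
```

Run it as a script to see one line per interface; on a real machine you would feed it the output of ifconfig instead of SAMPLE. The order of the checks mirrors the bottom-up approach: a missing RUNNING flag points at cabling before any IP setting is worth examining.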
Ping

Sometimes the connection to a remote machine cannot be established. This could be due to several reasons; one of them could be a network failure in some part of the network. If you cannot connect to a specific computer, how do you know whether it is due to a network failure, the computer being down, or perhaps an error in a program running on the computer? As a first step you could try to figure out whether the computer is reachable through the network. For this purpose you could use the ping program, available on most networked systems. Ping simply sends a number of special packets, called ECHO REQUEST packets, to the destination computer. When the destination computer receives these packets it is supposed to send back ECHO REPLY packets. Your ping program will display the received ECHO REPLY packets. These packets are part of the ICMP protocol, which ping uses. The syntax of this command is
ping Name_of_the_machine
One option that might be useful with this command is -n. With this option ping produces only numeric output, without trying to resolve symbolic names for host addresses. This option is useful when DNS is not working: if it is not specified, ping trying to resolve a name will block the terminal window for some tens of seconds. The syntax of ping in this case is:
ping -n Name_of_the_machine
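As an added example (not code from the manual), the following Python builds the ICMP ECHO REQUEST that ping sends and the ECHO REPLY the destination returns, including the one's-complement Internet checksum (RFC 1071) that the receiver recomputes. It uses no raw sockets, so it runs without root and without a network; the identifier and payload values are chosen for the example. It also shows where the sizes in ping's output come from: an 8-byte ICMP header plus 56 data bytes is 64 bytes, and with the 20-byte IPv4 header that is the "56(84) bytes of data" the Linux ping prints.

```python
# Added example: ICMP echo request/reply with the RFC 1071 checksum.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_HDR_LEN = 8          # type(1) code(1) checksum(2) identifier(2) sequence(2)
IPV4_HDR_LEN = 20


def inet_checksum(data):
    """One's-complement sum of 16-bit words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type, ident, seq, payload):
    """Serialize an ICMP echo message; the checksum covers the whole message
    and is computed with the checksum field itself set to zero."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, ident, seq, payload); raise ValueError if the checksum
    does not verify. A correct message sums to all ones before the complement,
    so inet_checksum() over the received bytes must be 0."""
    if len(packet) < ICMP_HDR_LEN:
        raise ValueError("short ICMP message")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HDR_LEN])
    return msg_type, ident, seq, packet[ICMP_HDR_LEN:]


def reply_for(request):
    """What the destination host does: send identifier, sequence number and
    payload back unchanged, with the type changed to ECHO REPLY."""
    msg_type, ident, seq, payload = parse_echo(request)
    if msg_type != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, ident, seq, payload)


def ping_round_trip(ident=0x1234, seq=1, payload=bytes(range(56))):
    """One simulated probe: build the request, let the 'host' answer, and
    check that the reply belongs to our request (ping matches on identifier
    and sequence number, which is how it pairs replies with requests)."""
    req = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
    rep = reply_for(req)
    r_type, r_ident, r_seq, r_payload = parse_echo(rep)
    matched = (r_type == ICMP_ECHO_REPLY and r_ident == ident
               and r_seq == seq and r_payload == payload)
    return {"icmp_bytes": len(req), "ip_bytes": len(req) + IPV4_HDR_LEN,
            "matched": matched}


if __name__ == "__main__":
    print(ping_round_trip())
```

The checksum check in parse_echo is the same one a kernel performs before it answers; a message whose bytes were corrupted in transit is silently dropped rather than replied to, which is one reason a ping can go unanswered even though the host is up.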
Traceroute

The Internet is a large and complex aggregation of network hardware, connected together by gateways/routers. Tracking the route your packets follow to their destination (or finding the misconfigured router that throws away your packets) can be difficult. The command traceroute utilizes the TTL (time to live) field of the IP header, which is decremented by every router a packet passes through. When this counter reaches zero the packet is thrown away and an ICMP TIME_EXCEEDED packet is sent back to the sender. This ICMP TIME_EXCEEDED packet contains, among other things, the identity of the router that dropped the packet. Traceroute attempts to force such a response from each gateway/router along the path to the destination by first sending a packet with the TTL set to one, then a packet with the TTL set to two, and so on until it reaches the destination. The syntax of this command is:
traceroute Name_of_the_machine
As with ping you can use the option -n, which disables name resolution. The syntax of traceroute in this case is:
traceroute -n Name_of_the_machine
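The following Python simulation, added here and not taken from the manual, plays out the probing described above so that the messages can be inspected without a network: the classic UDP traceroute sends three probes per TTL value to destination ports starting at 33434 and increasing by one per probe; the router that decrements the TTL to zero discards the datagram and returns ICMP Time Exceeded (type 11, code 0) from its own address; the destination has no listener on those high ports and returns ICMP Destination Unreachable, Port Unreachable (type 3, code 3), which ends the trace. A router that is configured not to send ICMP back shows up as "*". The path is constructed: its first hop is the router of the route listing in the next subsection, the other addresses are documentation addresses.

```python
# Added example: simulate the TTL-based probing of the classic UDP traceroute.
from collections import namedtuple

Probe = namedtuple("Probe", "src dst ttl dport")   # one UDP probe datagram
Icmp = namedtuple("Icmp", "src type code")         # the ICMP answer to it

ICMP_TIME_EXCEEDED = (11, 0)     # sent by the router that drops the probe
ICMP_PORT_UNREACHABLE = (3, 3)   # sent by the destination host: nobody listens
BASE_PORT = 33434                # first destination port of the classic traceroute
PROBES_PER_HOP = 3
MAX_HOPS = 30

# Constructed path (routers, then target): 10.0.213.1 is the router of the
# manual's route listing, the rest are RFC 5737 documentation addresses.
PATH = ["10.0.213.1", "192.0.2.1", "198.51.100.9", "203.0.113.40"]


def forward(probe, path, silent=()):
    """Carry one probe along the path. Returns the ICMP message that comes
    back, or None if the hop that drops it is in 'silent' (configured not
    to send ICMP, like the corporate routers mentioned in the tasks)."""
    ttl = probe.ttl
    for hop in path:
        if hop == probe.dst:                 # delivered: host answers port unreachable
            return Icmp(hop, *ICMP_PORT_UNREACHABLE)
        ttl -= 1                             # every router decrements the TTL
        if ttl == 0:                         # ... and drops at zero
            return None if hop in silent else Icmp(hop, *ICMP_TIME_EXCEEDED)
    return None


def traceroute(src, dst, path, silent=()):
    """Return ([(hop number, [answering address or '*' per probe]), ...],
    [probes sent]) in the order a traceroute prints its lines."""
    hops, sent, port = [], [], BASE_PORT
    for ttl in range(1, MAX_HOPS + 1):
        replies = []
        for _ in range(PROBES_PER_HOP):
            probe = Probe(src, dst, ttl, port)
            port += 1                        # a new destination port per probe
            sent.append(probe)
            replies.append(forward(probe, path, silent))
        hops.append((ttl, [r.src if r else "*" for r in replies]))
        if any(r and (r.type, r.code) == ICMP_PORT_UNREACHABLE for r in replies):
            break                            # destination reached
    return hops, sent


def first_silent_hop(hops):
    """Hop number of the first line that is all '*', or None."""
    for number, answers in hops:
        if all(a == "*" for a in answers):
            return number
    return None


if __name__ == "__main__":
    hops, sent = traceroute("10.0.213.5", "203.0.113.40", PATH, silent={"198.51.100.9"})
    for number, answers in hops:
        print("%2d  %s" % (number, "  ".join(answers)))
    print("probes sent:", len(sent), "ports", sent[0].dport, "to", sent[-1].dport)
```

Real traceroutes can also use ICMP echo or TCP SYN probes instead of UDP; the UDP behaviour modelled here is the classic one, and it is what the display filter used later in the tasks (UDP out, ICMP in) is written for.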
Route

After you have checked that your interface is configured properly, but you still do not get any response from ping or traceroute, it is a good time to check that the routing information in your PC is correct. You can check the content of the routing table by typing
route
in the terminal window. You will see the output of this command like the one below.
[lab@localhost lab]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
10.0.213.0      *               255.255.255.0   U     0      0        0
127.0.0.0       *               255.0.0.0       U     0      0        0
default         itguest-gw.gues 0.0.0.0         UG    0      0        0

[lab@localhost lab]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
10.0.213.0      *               255.255.255.0   U     0      0        0
127.0.0.0       *               255.0.0.0       U     0      0        0
0.0.0.0         10.0.213.1      0.0.0.0         UG    0      0        0
If your PC has one network card the routing table will consist of three records: the route to your own network, the route to the 127.0.0.0 network (the loopback), and the default route. When sending packets to an IP address inside your own network, your PC uses the first record; for packets whose destination is outside your network the PC uses the third record and sends them to the default gateway (flag G). Check the entry corresponding to the default route (the network address of the default route is 0.0.0.0, shown as default when route is run without -n): it should point to the first router in your network. If you do not have this record, or it does not point to the first router, configure the routing table as described in the During the Laboratory Session section.

ARP

In our lab you will use this command to check the content of the ARP table in your PC, which maps the IP addresses of the hosts on your network to their Ethernet addresses. The syntax of arp is:
arp -a
In this form the command outputs the content of the ARP table. You can find more information about the usage of this command in its manual page.
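Returning to the route output above, the following Python is an added example (not from the manual) of what the PC does with that table: a longest-prefix lookup picks the most specific route containing the destination, and the result decides which address ARP must resolve to an Ethernet address, the destination itself for an on-link route or the gateway for a route with the G flag. It also performs the check the text asks for, that a default route exists and where it points. The input is the route -n listing above; the Iface column, which the listing in this excerpt does not show, is an assumption, and the destination hosts are constructed for the example.

```python
# Added example: longest-prefix match over 'route -n' output and the ARP target.
import ipaddress

# The manual's 'route -n' listing; the Iface column is assumed (not in the excerpt).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.213.0      *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.213.1      0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Parse the listing into (network, gateway or None, flags, iface).
    The gateway is only meaningful when the G flag is set."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and column header
        dst, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network("%s/%s" % (dst, mask), strict=False)
        gateway = gw if "G" in flags else None
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins.
    The default route 0.0.0.0/0 contains every address with prefix length 0,
    so it is chosen only when nothing more specific matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best


def next_hop(routes, dst):
    """(network used, address to resolve with ARP, interface). ARP asks for
    the destination itself on a directly connected network and for the
    gateway when the packet must go through a router."""
    net, gateway, _flags, iface = lookup(routes, dst)
    return str(net), gateway or dst, iface


def default_gateway(routes):
    """The check from the text: is there a default route and where does it
    point? Returns the gateway address, or None if there is no default route."""
    for net, gateway, _flags, _iface in routes:
        if net.prefixlen == 0:
            return gateway
    return None


if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    print("default gateway:", default_gateway(table))
    for host in ("10.0.213.7", "130.237.215.84", "127.0.0.1"):   # constructed targets
        print(host, "->", next_hop(table, host))
```

With the default route removed, lookup() raises for any address outside 10.0.213.0/24, which is the "network unreachable" situation the text tells you to fix with the route command; the ARP target is also why a wrong gateway address shows up as an unanswered ARP request in a sniffer rather than as an ICMP error.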
Telnet

Telnet is a program which allows you to log in to a distant device (e.g. a computer or a router). Use the following syntax:

telnet Destination_IP [Port_number]

If Port_number is omitted, telnet connects you to the default telnet port (TCP port 23); with a port number it opens a plain TCP connection to that port, which is how it is used for transport-layer troubleshooting above. Note that telnet carries everything, including the login password, in cleartext, so a sniffer on the same link (see below) shows it verbatim.

Network sniffers

A network sniffer is a tool that picks up a copy of each and every packet that traverses the communication link to which your network interface is attached. We will use a sniffer so that you can see for yourself exactly what is going on when two computers start talking to each other. This will give you a chance to see how all the protocols and mechanisms you have read about so far interact and work together. There exist many network sniffers; in our lab we will use a program called Ethereal since it has some features that make it attractive for us. In the next subsection you will find the description of Ethereal.

To summarize: in a PC the troubleshooting sequence is as follows:
1. Check the configuration of the interfaces (ifconfig)
2. Test the network connection (ping and traceroute)
3. Check the routing table (route)
4. Fix the problem and repeat from 1 until it works fine.
Figure 2.19: Ethereal - main window.

Table 2.6: Basic operations.
  eq   ==   Equal
  ne   !=   Not equal
  gt   >    Greater than
  lt   <    Less than
  ge   >=   Greater than or equal to
  le   <=   Less than or equal to

Display filters syntax and how to make the traces more attractive

Display filters help you to remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your display filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols. The simplest display filter checks for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be ipx (without quotation marks!). To see all packets that contain a Token-Ring RIF field, use tr.rif. Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols or through English-like abbreviations, as in Table 2.6.

To create a filter click on the Filter button in the lower left corner of the main window. In the window that appears, type the name of your filter (for example TCP traffic) in the Filter name field. Then, in the Filter string field, type the string of your filter, like ip.addr eq 130.237.215.84. Click on New; your filter will be added to the window of available filters; then click on Save to save your filter. To apply your new filter click on the Apply button. After you have applied your filter you can start capturing. Choose Start from the Capture menu and the Capture window will appear, as shown in Figure 2.20. In this window you will have to configure your session: activate the live update of packets in real time and the automatic scrolling, so that you are able to see the packets passing by. In addition, you have to select the monitored interface in the uppermost part of the window. Select the interface called "eth0". Do NOT put anything in the Filter string! In this field you are supposed to set tcpdump-like capture filters, which use a different syntax (see the tcpdump manual page for more information). In fact, you can use either display or tcpdump filters, or even both of them, but it is enough to use only display filters. Moreover, the syntax of display filters is richer and allows you to do much more than tcpdump filters. Note the difference between the two: a capture filter discards non-matching packets before they are saved, while a display filter only hides them, so anything filtered out at capture time cannot be recovered later by changing the display filter. After you have configured the Capture options click OK to start capturing.

Figure 2.20: Ethereal - capture window.

After some time, you can stop capturing and analyze the trace. You can make the trace easier to understand by coloring certain packets. This is useful if you want to see, for example, the packets from a particular host and port number among all captured packets. For this you need to choose Colorize Display from the Display menu (note that this item is inactive before you start capturing). Click on New and set the Display filter in the window that appears, with the syntax described above. Choose the foreground and background by clicking on the appropriate button. Then click on Apply to apply your settings. Table 2.7 lists some important protocol fields, Table 2.8 gives some useful port numbers and Table 2.9 contains some examples.
2.7.1 Logging in
Unix is a multiuser operating system. This basically means that many people may work on the same computer at the same time; therefore to work with Linux you have to identify yourself through a process called logging in. When you switch on your PC, Linux will prompt for your user name and password. Depending on the configuration this prompt can appear either in a textual console or in the graphical user interface (XWindows). After entering both the correct name and password you are authorized to use the system.

localhost login: lab
password:
If you work in graphical mode you will see an environment like the one in Figure 2.21 which looks similar to Microsoft Windows. If you are working in textual mode you will see something like this:
[lab@localhost lab]$
This is a command prompt and you are supposed to write Unix commands after the symbol $.
Table 2.7: Important protocol fields.
Protocol name   Field name                     Filter name      Filter description
Ethernet (eth)  Source or Destination Address  eth.addr         6-byte Hardware Address
Ethernet (eth)  Destination                    eth.dst          6-byte Hardware Address
Ethernet (eth)  Length                         eth.len          Unsigned 16-bit integer
Ethernet (eth)  Source                         eth.src          6-byte Hardware Address
Ethernet (eth)  Trailer                        eth.trailer      Byte array
Ethernet (eth)  Type                           eth.type         Unsigned 16-bit integer
IP              Source or Destination Address  ip.addr          IPv4 address
IP              Header checksum                ip.checksum      Unsigned 16-bit integer
IP              Differentiated Services field  ip.dsfield       Unsigned 8-bit integer
IP              Destination                    ip.dst           IPv4 address
IP              Flags                          ip.flags         Unsigned 8-bit integer
IP              Header Length                  ip.hdr_len       Unsigned 8-bit integer
IP              Identification                 ip.id            Unsigned 16-bit integer
IP              Total Length                   ip.len           Unsigned 16-bit integer
IP              Protocol                       ip.proto         Unsigned 8-bit integer
IP              Source                         ip.src           IPv4 address
IP              Time to live                   ip.ttl           Unsigned 8-bit integer
IP              Version                        ip.version       Unsigned 8-bit integer
TCP             Acknowledgement number         tcp.ack          Unsigned 32-bit integer
TCP             Checksum                       tcp.checksum     Unsigned 16-bit integer
TCP             Destination Port               tcp.dstport      Unsigned 16-bit integer
TCP             Flags                          tcp.flags        Unsigned 8-bit integer
TCP             Header Length                  tcp.hdr_len      Unsigned 8-bit integer
TCP             Next sequence number           tcp.nxtseq       Unsigned 32-bit integer
TCP             Source or Destination Port     tcp.port         Unsigned 16-bit integer
TCP             Sequence number                tcp.seq          Unsigned 32-bit integer
TCP             Source Port                    tcp.srcport      Unsigned 16-bit integer
TCP             Window size                    tcp.window_size  Unsigned 16-bit integer
UDP             Checksum                       udp.checksum     Unsigned 16-bit integer
UDP             Destination Port               udp.dstport      Unsigned 16-bit integer
UDP             Length                         udp.length       Unsigned 16-bit integer
UDP             Source or Destination Port     udp.port         Unsigned 16-bit integer
UDP             Source Port                    udp.srcport      Unsigned 16-bit integer
SMTP            Request                        smtp.req         Boolean
SMTP            Response                       smtp.rsp         Boolean

Table 2.8: Useful port numbers.
Service   Number
Telnet    23
SMTP      25
DNS       53
HTTP      80

Table 2.9: Display filter examples.
Filter string                                   Description
ip                                              display only IP packets
tcp.dstport eq 25                               display SMTP requests
ip.src eq 192.x.x.x and udp.dstport eq 53       display DNS requests
ip.addr eq 192.x.x.x and tcp.port eq 80         display HTTP communication
arp                                             display ARP traffic
Figure 2.21: Graphical User Interface.

REMEMBER IN THE LAB THE USER AND PASSWORD ARE:
User: lab
Password: labo
Table 2.10: Linux commands used in the lab.
Command                   Meaning
ls                        List the content of your working directory
cd [name of a directory]  Change the directory
less [name of a file]     Display the content of a file (you can use both)
more [name of a file]
cp [file1] [file2]        Copy files
mv [file1] [file2]        Move files
rm [file1]                Remove file (i.e. delete)
You can open as many terminal windows as you want - they will work in parallel. There is however another way to execute commands. Linux allows switching between graphical mode (XWindows) and textual mode by means of virtual consoles. Linux by default offers 6 consoles to the user and you can switch between them by pressing the following sequence of keys: CTRL-ALT-F1 ... CTRL-ALT-F6. When you switch to a console you will see the login prompt:
localhost login:
After you log in, you will see the command prompt. You can always return to the graphical mode by pressing CTRL-ALT-F7.
man

The man command shows the manual page of another command (for example man ifconfig, as above). Note that this may be the most useful command in Unix. Use it always when you are unsure about the syntax of a command. The commands which you will use in the lab are listed in Table 2.10. You can edit text files using many available text editors like vi, pico, emacs, or any graphical editor you can find in XWindows, such as gedit.
Tasks
Broadcast address:
The range of addresses available for the devices in your network:
Network mask:

6. Figure 2.22 represents the equipment in your area network and part of the departmental backbone. Using figure 2.2 and figure 2.3 as a guide, fill in the IP addresses, names and interface names corresponding to your position. Assign the IP addresses following the rules given in section 2.1.1.

2. Start working with the router. Find all its Ethernet ports, its console port, its power switch and its power supply socket.
3. In the switch, find its Ethernet ports and its power supply socket.
4. In the PC, find its serial and Ethernet ports.
5. Classify the cables in your lab position into crossover, straight-through and roll-over cables. Find also the DB9 to RJ45 adapter.
During the laboratory session

The different types of cables in the lab can also be identified by the color of their external covers. Please write here the color corresponding to each type of cable:
Crossover cable:
Straight-through cable:
Roll-over cable:
Note: The color of the external cover is not standardized at all. Different brands can use different colors for the same type of cables. Check the color code in the RJ45 plugs to properly identify the type of cable.
Check the values of your interface by typing ifconfig without options. You should see the configuration information in the form shown below. Fill in the missing fields of the ifconfig output:

eth0      Link encap:Ethernet  HWaddr ________
          inet addr:________  Bcast:________  Mask:________
          UP BROADCAST RUNNING MULTICAST  MTU:____  Metric:1
          RX packets:1217 errors:0 dropped:0 overruns:1 frame:0
          TX packets:303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x200

lo        Link encap:Local Loopback
          inet addr:________  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
6. Add a route to the default gateway with the route command. The default gateway should be the inner interface of your LAN router.
route add default gw Address_of_your_router
Looking at the routing table above, answer the following question (you should not run any command to answer this question, just look at the table which you have filled in above). Suppose you ping a computer inside your network and a computer outside your network. Look at the routing table of your computer and mark which routing entry is used to send these ping packets, both to the switch and to a computer outside your network.

Switch IP address:
Switch net mask address:
Switch default gateway address:
Switch secret password:
Switch Telnet password:

If the switch is a link-layer device and thus independent of the IP layer, why does it require an IP address?

2. Connect a management console to the switch following the instructions in 2.2.1.
3. Start the management console following the instructions in 2.3.1.
4. Power on the switch. Some messages should be displayed in the console while the switch boots. If there are no messages displayed, check the connection and configuration of the emulated console.
5. Perform the initial configuration of the switch as described in 2.3.2.
6. Once you have finished and saved the initial configuration, reboot the switch using the switch's command reload.
7. After the switch completes the reboot process, connect the PC Ethernet port to any port of the switch. In the PC open a terminal window. Execute telnet IP_of_the_Switch to log in from the PC to the switch. Display the configuration of the switch using the proper CLI command. With the information shown, fill in the gaps below.

interface VLAN1
 ip address ________ ________
ip default-gateway ________
FastEthernet 0/0 IP address:
FastEthernet 0/0 subnetwork mask address:
FastEthernet 0/1 IP address:
FastEthernet 0/1 subnetwork mask address:
Router default gateway address:
Router secret password:
Router Telnet password:

Looking at the network diagram, you can discover that the router needs four static routes to reach all the networks. Fill in the routing information in the table below. Remember that the router needs a static route to the network behind each of the other area routers in the same departmental backbone. Since there are three additional routers per departmental backbone, three static routes are needed. In addition, the router needs a static route indicating that any other network can be reached through the PC-router interface in the backbone. Use the network number 0.0.0.0 and network mask 0.0.0.0 to identify any other network. Note that the router can reach any host in a directly connected network without a static route to that network.

No   Destination network   Subnet mask   Next hop address
1
2
3
4

2. Connect a management console to the router following the instructions in 2.2.1.
3. Start the management console following the instructions in 2.3.1.
4. Connect the router Fast Ethernet ports to the corresponding switch ports. Remember to use the proper type of Ethernet cable. Refer to Figure 2.3 to find out which ports of the router should be connected to each network.
5. Power the router on. Some messages should be displayed in the console while the router boots. If there are no messages displayed, check the connection and the configuration of the emulated console.
6. Perform the initial configuration of the router as described in 2.3.3.
7. Once you have finished and saved the initial configuration, add the static routes of the table above using the "ip route" command. The parameters of this command can be discovered using the question mark character in the CLI while in configuration mode.
8. Once you have added the routing table, save the configuration with the copy command. Use the proper parameters for this command.
9. Once you have completed and saved the configuration, reboot the router using the command reload.
10. After the router completes the reboot process, open a terminal window in the PC. Execute telnet IP_of_the_Router to log in from the PC to the router. Display the configuration of the router using the proper CLI command. With the information shown, fill in the gaps below.

interface FastEthernet0/0
 ip address ________ ________
 no ip directed-broadcast
 speed ____
 full-duplex
!
interface FastEthernet0/1
 ip address ________ ________
 no ip directed-broadcast
 speed ____
 full-duplex
!
11. Ping from the router to its default gateway (the interface of the PC-router in your departmental backbone). Which is the symbol used to display a successfully received ping reply?
Ping the machine www.it.kth.se and stop it after a few replies by typing Ctrl+C; fill in the missing parts of the ping output given below and answer the following questions.

PING www.it.kth.se (________): ___(84) bytes of data.
___ bytes from ________ (________): icmp_seq=1 ttl=___ time=___
___ bytes from ________ (________): icmp_seq=2 ttl=___ time=___
___ bytes from ________ (________): icmp_seq=3 ttl=___ time=___

How many IP hops away is the machine www.it.kth.se from your current position? (Remember that this exercise assumes the ping requests/replies are sent with the maximum TTL value, 255; a host whose initial TTL is a different value, for example 64 or 128, would give a different hop count from the same arithmetic.)

If traceroute does not work, do the troubleshooting.
2. Most large corporations try to hide the internal structure of their network, so their routers are configured not to send ICMP messages back. Make a traceroute to the following machine and answer the following questions: www.microsoft.com. Which is the sequence number of the first router which does not respond?
What is the Ethernet address of your PC (you can also find this information using the ifconfig command)?
The following lter will display only IP trafc (we will refer to this lter later as IP_FILTER).
ip
The following lter will display traceroute trafc from and to your PC (we will refer to this lter later as TRACEROUTE_FILTER).
(ip.src==IP_of_Your_PC and ip.proto==0x11) or (ip.dst==IP_of_Your_PC and ip.proto==0x01)
If you see an error message after executing this command, this means that your ARP table does not have an entry for this IP address. This is fine; just proceed with the task. Now go back to your Ethereal window. While capturing, make a ping to the switch in your network. Type the ARP_FILTER in the Filter field of the main window of Ethereal and answer the following questions: On which layer of the TCP/IP stack does ARP work?
What is the meaning of the rst message of ARP (look at info column)?
What is the meaning of the second message of ARP (look at info column)?
3. While capturing, make a ping to the ROUTER in your network. Type the IP_FILTER in the Filter field of the main window of Ethereal and answer the following questions: In the main window of Ethereal choose one of the ICMP request packets. Look at Figure 2.23, find the appropriate information in Ethereal and fill in the gaps (Hint: you need to calculate how many bytes long the ICMP header of the PING packet is).

Figure 2.23: Format of the Ping message

4. While capturing the traffic in Ethereal, make a traceroute to 194.71.11.40 without the -n option. Type the TRACEROUTE_FILTER in the Filter field of the main window of Ethereal and answer the following questions: How many times does the PC send traceroute probes to each hop? Hint: choose consecutively at least 7 UDP packets starting from the first one and look at the Time To Live value of the IP header in each packet.
Choose one of the last three ICMP messages of the traceroute (these message came from the destination machine). What is the code (number and meaning) of this ICMP message?
Choose any other ICMP message of the traceroute (this message came from one of the routers on the path to the destination). What is the code (number and meaning) of this ICMP message?
What is the UDP port number(s) to which the traceroute sends its probes?
List the names of all protocols which are involved in the traceroute communications (look at the Protocol column in Ethereal's main window).
5. Repeat the task in item 4 with -n option in the traceroute. Which protocols are missing now?
Chapter 3
These lines should be included in the configuration file of the router like the rest of the configuration. The first line declares that the definition of an ACL is starting. The keywords ip access-list are mandatory, while extended specifies the type of ACL. There are several types of ACL, but we will always use extended ACLs because they provide the richest syntax. The first line ends with the name we gave to this ACL, noHTTPtraffic, which can be used to refer to this ACL later. The second and third lines are the statements, which establish our policy. The first keyword, deny or permit, indicates whether the statement will deny or accept respectively the traffic if the condition is satisfied. The rest of the line contains the condition against which each packet will be tested. The condition starts with a keyword, then has two mandatory addresses, the source address and the destination address, and optionally a port. The first keyword in the condition indicates the type of traffic to match; possible values for this field are tcp, udp, ip or icmp. After the traffic type, each address is specified with two words: the first is the expected IP address and the second is called a wildcard mask. The wildcard mask indicates which bits of the packet's IP address must match the expected address for the statement to be applied. The wildcard mask looks like a network mask, but it operates in a completely different way: each 0 bit in the wildcard means check the corresponding bit of the packet's address, while a 1 bit means ignore it. So the destination address 192.168.10.0 0.0.0.255 of the first statement means that the first 3 octets of the packet's destination address must match the first 3 octets of the given address for this rule to be applied. The last octet of the packet's address is not checked since the wildcard mask contains ones there. As a special case, the address 0.0.0.0 with the wildcard mask 255.255.255.255 means any IP address, since that mask says not to check any bit of the packet's address. In our example, the pair 0.0.0.0 255.255.255.255 in the source address of the first statement means accept any address as the source address of the tested packet. The router will display the word any instead of this pair. The condition finishes with the port to be matched, this information being optional. In our example, the first statement contains a port limitation in the condition but the second does not. In the first condition, eq 80 means that the packet must carry port 80 (the HTTP port) to match the condition.

To summarize, our ACL has two statements. The first one denies TCP traffic from any source to any host in our network (192.168.10.0/24) if the packet contains HTTP traffic (port 80). The second one permits any other packet. It is important to highlight that packets are tested against the statements in the order in which the statements were created, and that when a packet matches a statement the permit or deny decision is made and the rest of the statements are not checked. For example, if the second statement were in the first position, all packets would be accepted, since all would match the permit condition and the deny condition would never be tested. To finish with the syntax of ACLs, mind that by default they contain a final statement deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255, which denies all packets not matching any of the previous statements. It is always there, even though it is never displayed. This means that the second statement of our example is important; otherwise the default statement would have dropped all the packets not containing port 80. Remember that you always need to permit the allowed traffic explicitly.

Once the desired ACLs are included in the configuration of the router, they must be linked to a particular interface. This linking mechanism provides great flexibility because different interfaces in the router can apply different policies (ACLs). The syntax to link our ACL to the incoming traffic of the FastEthernet0/1 port of the router would be:
interface FastEthernet0/1
 ...
 ip access-group noHTTPtraffic in
 ...
It is a straightforward command in the interface configuration, where the name of the ACL identifies it. The final keyword in means that the ACL is checked against incoming traffic, so outgoing traffic will not be filtered; the other value of this final keyword is out, to filter outgoing traffic. Remember that there is an additional restriction: at most two ACLs can be linked to one interface (one per direction). To close this section, here are some useful hints for working with ACLs. The ACLs must be created in global configuration mode, but they are linked to interfaces from the particular interface's configuration mode. The statements are tested in the order in which they were created, so if you need to change the order of the statements you have to delete them first, using the no form, and retype them in the desired order. The command show ip interface, executed in privileged mode, lists the ACLs which are set for each interface, and the command show access-list [name] displays the contents of the ACL given by name; when the optional name is omitted all ACLs are displayed.
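The matching rules above (wildcard masks, first match wins, the invisible final deny) are easy to get wrong, so here is an added Python example, not the manual's or Cisco's code, that evaluates packets against a named extended ACL exactly as the text describes. The ACL text is reconstructed from the description of noHTTPtraffic, since the listing itself is not in this excerpt, with the second statement written in the any form the router displays; the test packets are constructed for the example.

```python
# Added example: Cisco-style extended ACL evaluation with wildcard masks.
import ipaddress

# Reconstructed from the text's description (the original listing is not in the excerpt).
ACL_TEXT = """\
ip access-list extended noHTTPtraffic
 deny tcp 0.0.0.0 255.255.255.255 192.168.10.0 0.0.0.255 eq 80
 permit ip any any
"""


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr, expected, wildcard):
    """A 1 bit in the wildcard means 'ignore', a 0 bit means 'must match'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(expected) & care)


def parse_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text):
    """Return (name, [statements]) from the configuration lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = lines[0].split()
    if head[:3] != ["ip", "access-list", "extended"]:
        raise ValueError("not an extended named ACL")
    statements = []
    for line in lines[1:]:
        toks = line.split()
        action, proto, rest = toks[0], toks[1], toks[2:]
        src = parse_address(rest)
        dst = parse_address(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None   # optional destination port
        statements.append({"action": action, "proto": proto, "src": src,
                           "dst": dst, "dport": dport, "text": line})
    return head[3], statements


def matches(stmt, pkt):
    """Does the statement's condition hold for this packet?"""
    if stmt["proto"] != "ip" and stmt["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *stmt["src"]):
        return False
    if not wildcard_match(pkt["dst"], *stmt["dst"]):
        return False
    return stmt["dport"] is None or pkt.get("dport") == stmt["dport"]


def evaluate(statements, pkt):
    """First matching statement decides; otherwise the implicit final deny.
    Returns (decision, text of the statement that decided)."""
    for stmt in statements:
        if matches(stmt, pkt):
            return stmt["action"], stmt["text"]
    return "deny", "implicit deny ip any any (never displayed)"


TEST_PACKETS = [   # constructed for the example
    {"proto": "tcp", "src": "130.237.215.84", "dst": "192.168.10.7", "dport": 80},
    {"proto": "tcp", "src": "130.237.215.84", "dst": "192.168.10.7", "dport": 22},
    {"proto": "tcp", "src": "130.237.215.84", "dst": "192.168.11.7", "dport": 80},
    {"proto": "icmp", "src": "10.0.213.1", "dst": "192.168.10.1"},
]

if __name__ == "__main__":
    name, stmts = parse_acl(ACL_TEXT)
    for pkt in TEST_PACKETS:
        print(name, evaluate(stmts, pkt))
    # the ordering pitfall from the text: permit first, the deny is never reached
    print("reversed:", evaluate(stmts[::-1], TEST_PACKETS[0]))
    # without the explicit permit, the invisible final deny drops everything else
    print("deny only:", evaluate(stmts[:1], TEST_PACKETS[1]))
```

The two prints at the end reproduce the two mistakes the text warns about; run against the real router, the equivalent checks are show access-list to read the statement order and the per-statement match counters it displays.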
Tasks
4. Once the cable is connected, log in to your PC as user lab using password labo. Open a terminal window in the PC and start the program minicom there.
5. Connect the power cable to the router and switch it on. Check that some messages appear in the management console as the router boots.
6. Wait until the router boots. Then, if the router asks you whether you would like to enter the initial configuration dialog, answer no. When the router's prompt appears, enter privileged mode using the enable command.
7. This time we will not configure the router by typing all commands in the command line interface; we will download the configuration from a TFTP server in the network. So the first step is to configure the router to reach the TFTP server. In our network, the TFTP server is running in the PC-router, which is also the default gateway to the Internet. This PC can be reached through the router's port named FastEthernet0/1. Using the information in figure 3.1, configure the router's interface FastEthernet0/1 with the proper IP address and network mask. Remember to use the proper commands to enter interface configuration mode (i.e. configure terminal and interface FastEthernet0/1).
8. Once you have configured the interface, check that it is not shut down. To check this, display the running configuration of the router (show running-config). Find the description of the interfaces. If the word shutdown is part of the configuration of any of the two interfaces (i.e. FastEthernet0/0 or FastEthernet0/1), that interface does not work. If this is the case you have to switch it on manually by performing the following steps; otherwise omit them.
(a) Enter interface configuration mode (i.e. configure terminal and interface FastEthernet0/x, where x is the number of the shutdown interface).
(b) Type no shutdown.
(c) Exit from interface configuration mode.
9. At this point you must be able to reach the TFTP server.
Check it using ping from the router to the PC-router's closest interface. If you cannot reach the IP address of the TFTP server, review all previous steps until you find the problem. Do not proceed to the next step before you can reach the TFTP server.
10. The TFTP server stores a different configuration file for every router, so you have to download the file corresponding to your router using the right filename. The filename of your router's configuration is composed of your network name and the suffix -r-config. For example, if your position is area 2 of the production department, the filename is pro2-r-config. If your position is area 4 of the research and development department, the filename is rad4-r-config, and so on. Download that file to your router's running configuration using the following Cisco command in privileged mode: copy tftp running-config. First, you will be asked for the IP address of the remote host. This should be the IP address of the interface of the PC-router closest to your router. After this you need to indicate the filename and the destination filename (use the default value running-config). After you answer the third and last question, the configuration file will be downloaded to your router. The configuration becomes the running configuration of the router immediately after the download completes.
11. The router is now configured as figure 3.1 indicates, including passwords and routing table. Looking at the running configuration, check that none of the FastEthernet interfaces is shut down, as explained in Step 8 above.
12. Check that the received configuration is correct. To do this:
(a) Check that the IP addresses assigned to the interfaces correspond to those in figure 3.1.
(b) Check the routing table. You should be able to ping and traceroute any hostname in the Internet from the router. For instance, try to traceroute www.imit.kth.se.
13. Save the configuration of the router using copy running-config startup-config.
14. Now that the router is ready, configure the switch. Connect the management console to the switch and power it on. Some messages should appear in the console while the switch boots.
15. Wait until the switch boots. Then, if the switch asks you whether you would like to enter the initial configuration dialog, answer no. When the switch prompt appears, enter privileged mode using the enable command. Note that the switch can ask you to log in.
16. Using the information in Figure 3.1, configure the switch's interface VLAN1 with the proper IP address and network mask. Remember to use the proper commands to enter interface configuration mode (i.e. configure terminal and interface vlan1).
17. Set the default gateway for the switch with the command ip default-gateway IP_of_Gateway in global configuration mode.
18. Once you have configured the interface and the default gateway, you must be able to reach the TFTP server. It is the same server for both the switch and the router. Check it using ping from the switch. If you cannot reach the IP address of the TFTP server, review all the previous steps until you find the problem. Do not proceed to the next step before you can reach the TFTP server.
19. The TFTP server stores a different configuration file for every switch, so you have to download the file corresponding to your switch using the right filename. The filename of your switch's configuration is composed of your network name and the suffix -sw-config. For example, if your position is area 2 of the production department, the filename is pro2-sw-config. If your position is area 4 of the research and development department, the filename is rad4-sw-config, and so on. Download that file to your switch's running configuration using the following Cisco command in privileged mode: copy tftp running-config. First, you will be asked for the IP address of the remote host. This should be the IP address of the interface of the PC-router closest to your router. After this you need to indicate the filename and the destination filename (use the default value running-config). After you answer the third and last question, the configuration file will be downloaded to your switch. The configuration becomes the running configuration of the switch immediately after the download completes. The switch is now configured as figure 3.1 indicates, including passwords and the IP address.
20. Check that the received configuration is correct. Check that the IP address assigned to the vlan interface is right and check the default gateway. You should be able to ping and traceroute any host in the Internet from the switch. For instance, try to traceroute www.imit.kth.se.
21. Now, save the configuration of the switch using copy running-config startup-config.
22. Finally, configure the PC Ethernet interface using the commands described in section 2.6. You will need to configure the network interface with the proper IP address and network mask, and then the PC routing table. Open a terminal window in your PC. You will type all commands there.
23. Configure your Ethernet interface (remember that in your PC the ID of the Ethernet interface is eth0) with the command ifconfig. Recall the IP information of your network and configure your interface using the following command:
ifconfig Interface_ID IP_of_your_PC netmask Your_Netmask broadcast Broadcast_address
24. Add a route to the default gateway with the route command. The default gateway should be the inner interface of your LAN router.
route add default gw Address_of_your_router
25. Now the conguration of the PC is nished. You should be able to ping and traceroute any hostname in the Internet from the PC. For instance, traceroute to www.imit.kth.se.
Tasks
1. From the PC, telnet to the PC-router in the lab, the one that offers Internet access to all the routers. It can be reached at any IP address shown in Figure 2.3. Use the same user and password that you are using in the PC at your position. The Linux command should look like this:
telnet IP_of_PC-Router -l lab
2. From the PC-router, telnet to your own router and enter privileged mode (command enable) so you can change the configuration of the router. Note that this is exactly the type of connection that policy 1 tries to forbid.
3. Write below the ACL corresponding to policy 1 using the proper Cisco syntax. Remember that telnet uses TCP port 23.
4. Add the ACL above to the router configuration using the telnet connection established through the PC-router. Do not link the ACL to the interface yet. Close the telnet connection from the PC-router to your router with the command exit after adding the ACL.
5. Connect the management console to the router, enter configuration mode and link the previous ACL to the proper interface. Note that the proper interface depends on how you wrote the ACL. Mind that the telnet connection from your PC to the PC-router should keep working after the ACL is set.
6. Now that the ACL is set, check that you cannot establish a telnet connection from the PC-router to your router any longer. What is the error message displayed when the telnet connection fails?
7. Before starting with the second policy, check that you can open both ftp://ftp.sunet.se and http://ftp.sunet.se with a web browser in the PC. Both URLs reach the FTP archive of the Swedish University Network, but the former uses the FTP protocol while the latter uses the HTTP protocol. The second policy will only permit the HTTP connection to this site.
8. Close the web browser.
9. Write below the ACL corresponding to policy 2 using the proper Cisco syntax. Note that this ACL should permit some additional traffic not mentioned in the text of the policy before blocking the rest of the traffic: web browsing (TCP port 80) only works if Domain Name Resolution (DNS) is working, thus DNS (UDP port 53) should be permitted as well. In addition, you should allow the traffic useful for network maintenance, so permit ICMP traffic too.
10. Add this second ACL to the router configuration using a telnet connection from your PC to the router.
11. Link this new ACL to the proper interface. Note that the proper interface depends on how you wrote the ACL. Mind also that the outgoing telnet connection from your PC to the router, allowed by policy 1, should keep working after this ACL is set.
12. Now that the ACL is set, check that you can still open the URL http://ftp.sunet.se with a web browser in the PC.
13. Now check that you cannot open the URL ftp://ftp.sunet.se with a web browser in the PC. What is the error message displayed when the connection fails?
14. Now check that ftp.sunet.se is still alive using ping from the PC. Why does ping work when the site cannot be browsed?
15. Now trace the route from the PC to ftp.sunet.se using the Linux command traceroute. Why can traceroute not reach the destination even though ICMP traffic is allowed? (Hint: read the traceroute manual page with man traceroute if you are not sure how it works.)
Chapter 4
A query type, specifying a simple resource record or a more complex query
A class for the DNS domain name
DNS queries are resolved in different ways. Sometimes your machine contains a local cache with information previously looked up, or the DNS server can use its own cache to answer a query. However, most of the time the DNS server needs to contact other DNS servers to resolve the name and then send the answer back to the client. This is called a recursive query. The client machine can also contact additional DNS servers using separate queries. This process is called iteration.
The local name resolver
The first step when resolving a name is to contact the local resolver, which tries to answer using locally cached information. The local resolver operates with information obtained from two possible sources:
A hosts file configured locally, which contains host name to address mappings. These manually inserted mappings are stored in the local cache when the DNS client is started.
Some Resource Records (RR) that came in previous responses from DNS servers, and that are kept in the local cache for some time.
If the local resolver is not able to answer a query, the process continues with the client querying a DNS server.
The DNS server
When a client wants to query a DNS server, it needs to know the IP address of the server. This IP address can be stored locally in a configuration file, or it can be received from the network when the network configuration takes place. Sometimes the list of DNS servers contains more than one entry, in which case the client usually tries the DNS servers one by one. In the Linux operating system, the file which contains the IP addresses of the DNS servers is /etc/resolv.conf. Each DNS server contains information about one or more domains. In DNS terminology a domain is also referred to as a zone. When a DNS server receives a query, it first checks whether the information is stored in one of its locally configured zone files. If it is, the server answers the query authoritatively based on the resource information in that file. If no information exists in the local zone files, the server checks whether it can answer the query with a cached response from a previous query. If this is not the case, the query continues recursively. The process of recursion to resolve a query involves more DNS servers. By default, the DNS client asks the server to use recursion if needed before returning an answer. In most cases the server is configured to support recursion. The first thing a DNS server needs in order to perform the recursion properly is some root hints, in other words a list of IP addresses of DNS servers which are authoritative for the root of the DNS tree. These root servers know which servers are authoritative for the top level domains, like .com or .net. Using these root hints, a DNS server can recursively complete any query and locate the servers which are authoritative for any other DNS domain at any branch of the DNS tree. Let us follow the example in Figure 4.1 to clarify this.
Imagine that you have a laptop connected to your LAN in area1.rad.acme and you want to connect to another laptop in area3.mar.acme. Imagine the name of this second laptop is laptop1.area3.mar.acme. The first thing that your laptop does is contact the DNS server of your area, in this case ns.area1.rad.acme, to obtain the IP address of laptop1.area3.mar.acme. The DNS server of your area has no information at all about anything outside its own area (we assume that the local cache is empty). Your DNS server decides that it needs to contact one of the root servers to obtain the authoritative server for the acme domain. In the environment of our laboratory there is only one root server, and its IP address is 192.168.0.1. The root server sends a referral to the authoritative server of the acme domain (ns.acme). In our case the DNS server ns.acme runs on the same machine; its IP address is 192.168.0.1. After receiving the referral, your DNS server proceeds with the recursion, asking ns.acme for the IP address of the DNS server responsible for the mar.acme domain. We configured the DNS server ns.acme so that it is authoritative for all its subdomains (adm.acme, pro.acme, rad.acme and mar.acme). When the answer saying that ns.acme is also the authoritative DNS server for the mar.acme domain is received from ns.acme, your DNS server proceeds with the recursion and asks ns.acme for a referral to the DNS server of area3.mar.acme. It is important to understand that these two servers (i.e. root and ns.acme) could be located in different machines, and most of the time they will be! Since ns.acme is authoritative for the mar.acme domain, it has a description of this zone, which includes the records about the authoritative DNS servers for all its subdomains (area1.mar.acme, area2.mar.acme, area3.mar.acme and area4.mar.acme). In our example the DNS server ns.acme will pick the IP address of ns.area3.mar.acme and send it back to your DNS server.
At the final step of the recursion, your DNS server sends the full query for laptop1.area3.mar.acme to ns.area3.mar.acme. This last DNS server gives an authoritative answer with the IP address we are requesting to the DNS server of your area, finishing the recursion process. Finally, your DNS server (ns.area1.rad.acme) forwards the answer to the DNS client in your PC and the query is finished. This recursion process can be time consuming and resource intensive, but it has some advantages for the DNS server, as it obtains information about the DNS name space and caches it locally to speed up subsequent queries. The local DNS cache is cleared when the DNS server is restarted.
When a server answers a query for a client, there are different types of responses that it can give. For example:
An authoritative answer. It has the authoritative bit set and means that the answer was obtained from a server with direct authority over the queried name.
A positive answer, which contains the demanded resource records (RR) or a set of RRs that comply with the queried DNS name and record type.
A referral answer, which contains additional resource records not included in the query. This answer is given back to the client when recursion is not supported by the server, so that the client can continue the query using iteration. If the client is able to use iteration, it makes further queries using the referral information.
A negative answer, which can indicate either that an authoritative server answered that the queried name does not exist, or that it exists but there are no records of the specified type for that name.
How iteration and caching work
When the use of recursion is disabled in the DNS server, or the client does not request it, the client uses iteration to resolve a name. An iterative query from a client demands the best possible answer from the server, but without contacting other DNS servers. In this case, the DNS server answers with the knowledge it has in its own cache or zone files. If the server does not have the right answer, it provides a list of name servers and resource records for other DNS servers that are closer in the DNS tree to the name queried. When the answer from the DNS server is a referral, it is up to the client to continue the iterative query with the other DNS servers until it gets the definitive authoritative answer. The use of the cache by the server is fundamental in the whole DNS scheme. Caching speeds up DNS resolution and also reduces the amount of DNS related traffic in the network. When DNS servers make recursive queries, they temporarily cache resource records with information obtained from other authoritative servers. This cached information coming from authoritative servers can be used to answer later queries about the same RRs. The information cached on the servers has a maximum Time To Live (TTL). As long as the TTL has not expired, the server can use the cached RR to answer queries. By default the cached RRs are assigned the minimum TTL, which is set in the zone's start of authority (SOA) resource record. This default value is usually 3600 seconds, but it can be adjusted, or individual TTLs can be given to each RR.
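The referral walk of Figure 4.1 and the caching behaviour just described can be run through offline with the following Python model. It is an added example, not code from the manual or from BIND: three authoritative servers answer non-recursively (data, referral or NXDOMAIN), and a resolver standing in for ns.area1.rad.acme follows the referrals from the root hints and caches the answer for its TTL. The root and ns.acme share 192.168.0.1 as the text states; the area3 addresses (192.168.3.1 and 192.168.3.10), the TTLs and the use of server names instead of IP addresses as the directory key are assumptions made for the demonstration.

```python
"""Added example (not part of the KTH manual): an in-memory model of the
recursion, referral and caching behaviour described above, using the names
of Figure 4.1. The area3 addresses and all TTLs are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RR = Tuple[str, str, str, int]      # (owner, type, rdata, ttl)


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


@dataclass
class Server:
    """An authoritative (non-recursive) server holding one or more zones."""
    name: str
    ip: str
    zones: Dict[str, List[RR]]      # zone apex -> records

    def query(self, qname: str, qtype: str) -> dict:
        """Authoritative data, a referral to the closest delegation, or NXDOMAIN."""
        candidates = [z for z in self.zones if in_zone(qname, z)]
        if not candidates:
            return {"kind": "refused"}
        zone = max(candidates, key=len)           # most specific zone we hold
        rrs = self.zones[zone]
        delegations = [r for r in rrs
                       if r[1] == "NS" and r[0] != zone and in_zone(qname, r[0])]
        if delegations:
            ns_names = {d[2] for d in delegations}
            glue = [r for r in rrs if r[1] == "A" and r[0] in ns_names]
            return {"kind": "referral", "ns": delegations, "glue": glue}
        answer = [r for r in rrs if r[0] == qname and r[1] == qtype]
        if answer:
            return {"kind": "answer", "rrs": answer}
        return {"kind": "nxdomain"}


@dataclass
class RecursiveResolver:
    """Plays ns.area1.rad.acme: walks referrals from the root hints and caches
    positive answers for their TTL against a simulated clock."""
    root_hints: List[str]               # server names (a real resolver holds IPs)
    servers: Dict[str, Server]          # directory standing in for the network
    cache: Dict[Tuple[str, str], Tuple[List[RR], int]] = field(default_factory=dict)

    def resolve(self, qname: str, qtype: str, now: int) -> Tuple[List[RR], List[str]]:
        """Return (records, servers contacted); an empty list of servers means
        the answer came from the cache, which is what dig's query time reveals."""
        key = (qname, qtype)
        if key in self.cache and self.cache[key][1] > now:
            return self.cache[key][0], []
        contacted: List[str] = []
        targets = list(self.root_hints)
        for _ in range(16):                           # guard against referral loops
            srv = self.servers[targets[0]]
            contacted.append(srv.name)
            resp = srv.query(qname, qtype)
            if resp["kind"] == "answer":
                ttl = min(r[3] for r in resp["rrs"])
                self.cache[key] = (resp["rrs"], now + ttl)
                return resp["rrs"], contacted
            if resp["kind"] == "referral":
                if not resp["glue"]:                  # no address: cannot follow
                    raise RuntimeError(f"referral from {srv.name} has no glue")
                targets = [d[2] for d in resp["ns"]]
                continue
            raise LookupError(f"{qname}: {resp['kind']} from {srv.name}")
        raise RuntimeError("too many referrals")


ROOT = Server("root", "192.168.0.1", {
    ".": [("acme", "NS", "ns.acme", 3600), ("ns.acme", "A", "192.168.0.1", 3600)],
})
NS_ACME = Server("ns.acme", "192.168.0.1", {        # same machine as the root
    "acme": [("mar.acme", "NS", "ns.acme", 3600), ("ns.acme", "A", "192.168.0.1", 3600)],
    "mar.acme": [("area3.mar.acme", "NS", "ns.area3.mar.acme", 3600),
                 ("ns.area3.mar.acme", "A", "192.168.3.1", 3600)],   # assumed
})
NS_AREA3 = Server("ns.area3.mar.acme", "192.168.3.1", {
    "area3.mar.acme": [("laptop1.area3.mar.acme", "A", "192.168.3.10", 60)],  # assumed
})


def demo() -> dict:
    r = RecursiveResolver(["root"], {s.name: s for s in (ROOT, NS_ACME, NS_AREA3)})
    name = "laptop1.area3.mar.acme"
    first, walk = r.resolve(name, "A", now=0)
    _, cached_walk = r.resolve(name, "A", now=30)     # within the 60 s TTL
    _, expired_walk = r.resolve(name, "A", now=61)    # TTL expired: full walk again
    return {"ip": first[0][2], "walk": walk,
            "cached_walk": cached_walk, "expired_walk": expired_walk}


if __name__ == "__main__":
    print(demo())
```

The first call contacts root, ns.acme and ns.area3.mar.acme in turn; the second is answered from the cache without contacting anyone, which is the drop in query time you will measure with dig in the next section; the third, after the TTL has run out, repeats the whole walk.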
During the laboratory session

Table 4.1: web server to resolve, by position

Your position   Name of the web server
adm1            www.webcrawler.com
adm2            www.adobe.com
adm3            www.digits.com
adm4            www.alltheweb.com
rad1            www.dit.upm.es
rad2            www.csu.edu.au
rad3            www.abc.es
rad4            www.ucc.ie
mar1            www.semanticweb.org
mar2            www.cbi-web.org
mar3            www.healthweb.org
mar4            www.un.org
pro1            www.auckland.ac.nz
pro2            www.rmit.edu.vn
pro3            www.mult.ru
pro4            www.anekdot.ru
2. First, perform a recursive query to get the IP address corresponding to a hostname. In this step use dig without options to resolve hostnames. This is an example of the syntax:
dig Name_of_a_machine
Answer these two questions:
Look in Table 4.1 and pick the name of the web server which corresponds to your position. Resolve its IP address using dig. Look at the statistics part (the last part of dig's output). What is the query time?
Repeat the previous exercise with the same name. What is the query time now? Why do you observe this phenomenon?
3. Second, perform a non-recursive query. In the last step, the DNS server contacted several servers on behalf of your DNS client to complete the recursive query. Now you will use dig to contact the different servers one by one until you get the IP address corresponding to the given hostname. The goal of this step is to discover how the DNS client in your PC resolves IP addresses given symbolic names. Execute these commands and answer the questions:
Execute the following command to obtain the list of available root servers.
dig +nostats +nocmd
Choose a ROOT server from the list and write its name here:
Now perform non-recursive queries to resolve the IP address of the machine www.fokus.gmd.de. Write below the list of DNS servers (name and IP address) contacted. Start querying from the root server that you chose above and use the following syntax of dig to do non-recursive queries:
Note: read the description of DNS in Section 4.1 if you do not remember how the recursion works.
Each time you edit this file, increment this field by 1. This tells your DNS server (and any secondary servers) that the zone has changed and the edited zone information must be loaded. Also notice that in all the templates we provide you need to change certain values. The values that you should change are written in italics in the manual. In general you should change the places where it says IP_of_Your_Router or your_area.your_department. One last comment: whenever you start named, you should always check the output messages of the initialization. All the output is forwarded to the ninth virtual terminal, so just press Ctrl+Alt+F9 to see the named startup messages. To go back to the graphical environment (X Window), press Alt+F7. First, get the parameters for the configuration of your DNS server:
1. Considering the diagram in Figure 4.1 as an example, identify the following information for your network.
What is the IP address of the machine which is able to resolve all domains of ACME's network?
What is the IP address of the machine which runs the DNS server for YOUR network?
Using Figure 4.1 as an example, assign names to the devices in your network and fill them into the diagram in Figure 4.2:
However, C-style /* */, C++-style // and Unix-style # comments are used in the file /etc/named.conf. Don't use a semicolon to mark a comment in this file. Finally, after each step that you perform, you should always save your configuration file before continuing. Look at the file /etc/named.conf. It should look like this:
options {
    directory "/var/named";
};

zone "." {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
The directory line indicates the directory where the zone files are located. The name server changes its directory to this location before reading the files, allowing the filenames to be relative to this directory. On a primary master server, the named.conf file contains one record for each file to be read. The record starts with the keyword zone followed by the domain name and the class (in stands for the Internet). The word master indicates that this server is a primary master server for the zone, and the last line shows the file to be read. The special zone "." is used when your server cannot resolve the names on its own. Basically, you should read this zone description as: for every name which is not under my responsibility, forward the query to 192.168.0.1, the IP address of the PC-router; it will handle it. Open the file /var/named/pz/127.0.0. This file contains the database for your localhost (your own PC). You can check that it corresponds to the second zone in your named.conf file. It should contain the following:
$TTL 3D
@   IN  SOA ns.your_area.your_department.acme. hostmaster.your_area.your_department.acme. (
            200203191   ; Year+Month+Date+Serial
            8H          ; Refresh
            2H          ; Retry
            4W          ; Expire
            1D )        ; Minimum TTL
        NS  ns.your_area.your_department.acme.
1       PTR localhost.
Change all occurrences of your_area and your_department to the names corresponding to your area and department (refer to Figure 4.2 for information). Save the file and proceed further. In this file you can see the structure of the database files (db). Remember that everything after a semicolon on a line is a comment. This file maps addresses to host names. Each file is named after the network number it represents, so 127.0.0 means that this particular file contains the mappings from IP addresses to names for any address of the form 127.0.0.x. As you can see, only the last part (the x) of the IP address needs to be written in the file, as all the other parts are already matched when this file is used. This is the reason why the localhost entry is only a 1: the localhost address is 127.0.0.1. Notice also the "." at the end of localhost. If a name does not end in a period in a zone file, the origin is appended to it, so the entry would become localhost.0.0.127.in-addr.arpa, which of course is wrong! Most entries in the db files are called DNS resource records, and they must start in column one. The ordering of resource records in the db files is as follows (not all of them need to be present):
SOA record: indicates authority for this zone file
NS record: lists a name server for this zone
A record: name to address mapping
PTR record: address to name mapping
CNAME record: canonical name (for aliases)
Edit /etc/resolv.conf. Comment out the line that you already have and put the IP address of your PC as the IP of the nameserver. Your file should look like this:
nameserver IP_address_of_your_PC #nameserver 192.168.0.1
Save the file and proceed further. Start named by running /etc/init.d/named start. Check that named loads correctly by looking at virtual terminal 9 (remember: Ctrl+Alt+F9). Run dig -x 127.0.0.1 and fill in the missing parts of its output below. Of course, some of the values will not be the same for you, as your localhost zone file could differ from this example; however, the ANSWER SECTION should be there!
[lab@localhost lab]# dig -x 127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.0.127.____________.          IN    PTR

;; ANSWER SECTION:
____________.in-addr.arpa.   ____   IN    PTR   ____________

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.        ____   IN    NS    ____________

;; Query time: ____ msec
;; SERVER: ____________#53(____________)
;; WHEN: ____________
;; MSG SIZE rcvd: ____
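The origin rule the text warns about (a name without a trailing dot silently becomes name.origin) and the serial bump the manual asks for before every reload are both mechanical enough to check in code. The parser below is an added example, not part of the manual or of BIND: it reads the 127.0.0 zone file shown above, folds the multi-line SOA, expands relative names against the zone origin, and increments the serial. The zone text embedded in it is the manual's template with area1/rad filled in and one deliberately wrong record (2 PTR gateway, no trailing dot) added as a constructed illustration of the pitfall.

```python
"""Added example (not part of the KTH manual): a small parser for the zone-file
syntax used above. It applies the origin rule (a name without a trailing dot
gets the zone origin appended) and bumps the SOA serial as the manual asks.
ZONE_127 is the manual's 127.0.0 template with assumed names and one
deliberately dotless record to show the pitfall."""
import re
from typing import List, Tuple

ZONE_127 = """\
$TTL 3D
@ IN SOA ns.area1.rad.acme. hostmaster.area1.rad.acme. (
        200203191 ; Year+Month+Date+Serial
        8H        ; Refresh
        2H        ; Retry
        4W        ; Expire
        1D )      ; Minimum TTL
  NS ns.area1.rad.acme.
1 PTR localhost.
2 PTR gateway     ; constructed: missing trailing dot, origin gets appended
"""

_UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
_TTL_RE = re.compile(r"(\d+)([SMHDWsmhdw]?)")
NAME_TYPES = {"NS", "PTR", "CNAME"}        # rdata is a domain name


def parse_ttl(tok: str) -> int:
    """'3D' -> 259200; a bare number is seconds."""
    m = _TTL_RE.fullmatch(tok)
    if not m:
        raise ValueError(f"bad TTL {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def qualify(name: str, origin: str) -> str:
    """Origin rule: '@' is the origin, 'x.' is absolute, 'x' becomes 'x.<origin>'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text: str) -> List[Tuple[bool, List[str]]]:
    """Drop ';' comments and fold '( ... )' across lines. The flag records
    whether the line began with whitespace, i.e. inherits the previous owner."""
    out: List[Tuple[bool, List[str]]] = []
    depth = 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        toks = code.replace("(", " ( ").replace(")", " ) ").split()
        if not toks:
            continue
        if depth == 0:
            out.append((raw[0].isspace(), []))
        for t in toks:
            if t == "(":
                depth += 1
            elif t == ")":
                depth -= 1
            else:
                out[-1][1].append(t)
    return out


def parse_zone(text: str, origin: str) -> List[Tuple[str, int, str, str]]:
    """Return (owner, ttl, type, rdata) tuples with every name made absolute."""
    default_ttl = 0
    owner = origin
    records: List[Tuple[str, int, str, str]] = []
    for inherits, toks in logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if not inherits:
            owner = qualify(toks.pop(0), origin)
        ttl = default_ttl
        if _TTL_RE.fullmatch(toks[0]):          # optional per-record TTL
            ttl = parse_ttl(toks.pop(0))
        if toks[0].upper() == "IN":             # optional class
            toks.pop(0)
        rtype = toks.pop(0).upper()
        if rtype == "SOA":
            mname, rname = qualify(toks[0], origin), qualify(toks[1], origin)
            timers = [parse_ttl(t) for t in toks[3:7]]
            rdata = f"{mname} {rname} {int(toks[2])} " + " ".join(map(str, timers))
        elif rtype in NAME_TYPES:
            rdata = qualify(toks[0], origin)
        else:
            rdata = " ".join(toks)
        records.append((owner, ttl, rtype, rdata))
    return records


def bump_serial(text: str) -> str:
    """Increment the SOA serial (first number after 'SOA <mname> <rname>') by 1."""
    m = re.search(r"SOA\s+\S+\s+\S+\s*\(?\s*(\d+)", text)
    if not m:
        raise ValueError("no SOA serial found")
    return text[:m.start(1)] + str(int(m.group(1)) + 1) + text[m.end(1):]


def demo() -> List[Tuple[str, int, str, str]]:
    return parse_zone(ZONE_127, "0.0.127.in-addr.arpa.")


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Running it shows the two PTR records side by side: 1 PTR localhost. stays localhost., while the dotless gateway record turns into gateway.0.0.127.in-addr.arpa., which is exactly the mistake named will load without complaint.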
This entry tells named where to find the database for your own area. You should already know what each field means. The notify no means that we do not want to notify the rest of the DNS servers about the content of our file... after all, we are only testing! Save the file and proceed further. Execute the following command with the appropriate names for your_area and your_department (check Figure 4.2 for the needed information).
mv /var/named/pz/Your_Zone /var/named/pz/your_area.your_department.acme
In this zone le you should be able to recognize most of the Resource Records (RR). Most of them are A resource records, that map names to IP addresses. There is also a CNAME record, which is an alias for the web server, which in your case would run on the same PC. That is why it points to the A record of your name server (your PC). Save the le and proceed further. Restart named running /etc/init.d/named restart and check log messages at CTRL+ALT+F9. In the case of error messages you need to search for an error in your conguration les. Otherwise, run
dig www.your_area.your_department.acme
and fill in the missing parts of its output below:
[lab@localhost lab]# dig www.your_area.your_department.acme
; <<>> DiG 9.1.0 <<>> www.your_area.your_department.acme
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.________.________.acme.         IN    A

;; ANSWER SECTION:
www.________.________.acme.   ____   IN    CNAME   ns.________.________.acme.
ns.________.________.acme.    ____   IN    A       ____________

;; AUTHORITY SECTION:
________.________.acme.       ____   IN    NS      ____________

;; Query time: ____ msec
;; SERVER: ____________#53(____________)
;; WHEN: ____________
;; MSG SIZE rcvd: ____
You can easily understand the content of this file. All resource records are of type PTR, so they translate IP addresses to names. Edit the file and substitute the given strings with the names and IP numbers of your network. Remember! You only have to write the host part of your IP addresses. For example, if the IP address of the inner interface of your router is 192.168.0.129, then instead of the entry First_valid_host_address you should write only "129". Notice also the dots at the end of the names. If you do not add those dots, the name of the zone is appended to them. Save the file and proceed further.
Restart named running /etc/init.d/named restart and check if any errors appear in the virtual console. If all is correct, run
dig -x IP_Address_of_Your_Router
;; QUESTION SECTION:
;____________.in-addr.arpa.          IN    PTR

;; ANSWER SECTION:
____________.in-addr.arpa.   ____   IN    PTR   ____________

;; AUTHORITY SECTION:
____________.in-addr.arpa.   ____   IN    NS    ____________

;; ADDITIONAL SECTION:
____________.                ____   IN    A     ____________
Lab homework

Names:                                   E-Mail:
                                         E-Mail:
Course: 2G1316/2E1616 / 2E1623
Wrong answers:        Max. no. errors: 1/2/2/2        Pass: Yes / No
A straight-through cable:
A crossover cable:
A rollover cable:
2. Which is the Cisco IOS command to enter the configuration mode from a terminal in Cisco IOS?
   configure terminal
   Commands are always entered from terminals without any special command
   Commands are entered from terminals when in privileged mode without any additional command
   terminal configure
3. Which is the correct mode and Cisco IOS command to enter the interface configuration mode of a Fast Ethernet interface in the router?
   router(config)> interface fastethernet 0/0
4. Which is the Cisco IOS command to exit from any configuration mode?
   exit
   log out
   finish
   write
5. Which is the correct mode and Cisco IOS command to set the address of an Ethernet interface?
   router(config)# ip address 192.168.10.4
6. Which is the Cisco IOS command to list the current configuration of the router?
   show running-config
   write running-config
   display running-config
   show startup-config
7. Which is the Cisco IOS command to save the current configuration of the router so that it will be used the next time the router boots?
   save running-config startup-config
8. Which is the Cisco IOS command to get help on command syntax?
   router> ?
   router> help on
   router> man
9. Which is the Cisco IOS command to delete a line from the current configuration?
   erase
   delete
   del
   no
10. Which is the Cisco IOS command to add a static route?
   router(config)# ip route 192.168.0.0 255.255.0.0 193.168.13.1
IP subnetting exercises
1. Complete the following table, which provides practice in converting a number from binary to decimal format.

Bit position   7     6     5     4     3     2     1     0
Weight         128   64    32    16    8     4     2     1
Bit value      1     1     0     0     1     1     0     0
Decimal: ____

2. Complete the following table, which provides practice in converting a number from decimal to binary format.

Weight         128   64    32    16    8     4     2     1
Bit value      0     0     1     1     0     0     0     0
Decimal 48 = 32 + 16 = 00110000 (binary)
3. Calculate the network address to which the IP addresses below belong. Calculate also the broadcast addresses of the networks. As a guideline, look at the example of such calculations.

EXAMPLE: calculate the network address given the IP address 192.168.0.17 with network mask 255.255.255.248

   192.168.  0. 17      last octet  17 = 00010001
   255.255.255.248      last octet 248 = 11111000
   -------------------  bit-wise AND
   192.168.  0. 16      last octet  16 = 00010000   <--- network address

EXAMPLE: calculate the broadcast address for the network address 192.168.0.16 with network mask 255.255.255.248

   192.168.  0. 16      last octet  16 = 00010 000
In the broadcast address all bits in the host part (the last three bits, where the mask has 000) are set to one, thus:
   192.168.  0. 23      last octet  23 = 00010 111   <--- broadcast address

Broadcast address:
Broadcast address:
Broadcast address:
4. Given a network mask in slash notation, write below its binary and dotted decimal formats.

EXAMPLE on conversion from the slash notation of the network mask to its binary and decimal formats

  /29  --->  11111111 . 11111111 . 11111111 . 11111 000  (29 network bits, the last 3 bits are the host part)  --->  255 . 255 . 255 . 248

  /24  --->
  /22  --->
  /27  --->
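The bit arithmetic behind questions 1 to 4 above (octet conversion, bitwise AND for the network address, host bits set to one for the broadcast address, slash notation to dotted decimal), as an added example that is not part of the lab manual. The function names are mine; only the Python standard library is used.

```python
# Added example, not part of the lab manual: the subnet arithmetic behind
# questions 1-4 (binary/decimal octets, bitwise AND, slash notation).
import ipaddress

ALL_ONES = 0xFFFFFFFF          # a 32-bit IPv4 word with every bit set

def binary_to_octet(bits):
    """8-character bit string -> decimal octet (question 1)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly eight 0/1 characters")
    # bit 7 is worth 128, bit 6 is worth 64, ..., bit 0 is worth 1
    return sum(128 >> i for i, bit in enumerate(bits) if bit == "1")

def octet_to_binary(value):
    """Decimal octet -> 8-character bit string (question 2)."""
    if not 0 <= value <= 255:
        raise ValueError("an octet must be in the range 0..255")
    return format(value, "08b")

def prefix_to_mask(prefix_len):
    """/n slash notation -> (binary, dotted decimal) mask (question 4)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be in the range 0..32")
    mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES   # n ones, then zeros
    octets = [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return (".".join(octet_to_binary(o) for o in octets),
            ".".join(str(o) for o in octets))

def network_and_broadcast(ip, mask):
    """Network address by bitwise AND, broadcast by setting every host bit
    to one (question 3). Rejects a non-contiguous mask such as 255.255.0.255."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    if (mask_int | (mask_int - 1)) & ALL_ONES != ALL_ONES:
        raise ValueError("network mask must be a run of ones followed by zeros")
    network = ip_int & mask_int                   # clear the host bits
    broadcast = network | (~mask_int & ALL_ONES)  # set the host bits
    return (str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(broadcast)))

if __name__ == "__main__":
    print(binary_to_octet("11001100"))      # the bit pattern of question 1
    print(octet_to_binary(48))              # 00110000, the example of question 2
    print(network_and_broadcast("192.168.0.17", "255.255.255.248"))
    for prefix in (29, 24, 22, 27):
        print(f"/{prefix}", *prefix_to_mask(prefix))
```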
  Traceroute receives three consecutive ICMP Time Exceeded messages, then stops.
  Traceroute receives an ICMP Port Unreachable message or hits the maximum hop count (30 by default).
  Traceroute receives PING requests from the destination.
(b) Why do you see three time values in each line that traceroute outputs? What do these numbers mean?
  These numbers are values of the TTL field converted to seconds; traceroute sends three probes for each TTL value.
  These numbers are three timestamps which are used for control purposes.
  These numbers are round trip times (RTT); traceroute sends three probes for each TTL value.
  These numbers are RTTs; traceroute sends one probe to each router and gets three replies.
(c) Why can you see the symbol * instead of names or IP numbers?
  No response within 5 seconds, or a router sends an ICMP message with too small a TTL.
  No response within 30 seconds, or a router sends an ICMP message with too small a TTL.
2. Read the manual of ping in Linux and answer why the round trip time of the first packet is larger than the rest.
  The first packet is normally discarded by the first router.
  The destination machine resolves the name of your machine for security reasons.
  The source machine determines the MAC address of the first router using ARP.
  Ping takes it easier with the first packet, maybe you will cancel the operation.
3. In Linux read the manual of the ifconfig command and answer the following questions:
(a) What information can you get by executing ifconfig without arguments?
  Displays help on how to use ifconfig.
  Displays the configuration of the currently active interfaces (link layer, IP layer) and statistics on transmitted and received packets.
  Gives you a list of applications which send data on a loopback interface (lo0).
(b) If your computer is connected to an Ethernet network, why is it not possible to execute the following command:
  ifconfig eth0 130.237.215.80 netmask 255.255.255.0 mtu 3000
(Hint: Just remember the meaning and values of the MTU)
  It will work! I tried!
  Instead of mtu it should be -ipmtu; MTU is an abbreviation for speed of the links and it is 3000 mtu by default.
  MTU stands for maximum transfer unit. For Ethernet it is 1500 bytes while in the example it is 3000 bytes.
  MTU stands for maximum transfer unit. For Ethernet it is 3500 bytes while in the example it is 3000 bytes.
4. Use the description of Ethereal that we provided in Section 2.6.1 to answer the following question: Your IP address is 130.237.215.80, and you are using traceroute to find the path to a distant computer. Construct the display filter so that you will see only the exchange of messages between your PC and the first router. (Hints: Traceroute uses UDP as transport layer protocol, with code 0x11 in the IP header; the code of ICMP is 0x01. Every router sets the TTL in the ICMP Time Exceeded message to the maximum value, 255.)
  (ip.src==130.237.215.80 and ip.proto==0x11 and ip.ttl==1) || (ip.dst==130.237.215.80 and ip.proto==0x01 and ip.ttl==255)
  (ip.src==130.237.215.80 and ip.proto==0x11) || (ip.dst==130.237.215.80 and ip.proto==0x01)
  (ip.src==130.237.215.80 and udp.proto==0x11) || (ip.dst==130.237.215.80 and icmp.proto==0x01)