ECE 4110 Internetwork Programming

Lab 6: Setting up Burdell Inc. Network Using Multiple Switches and Access Control Lists

Group Number: ______

Member Names: ______

Date Issued: October 13, 2008

Date Due: October 22, 2008

NOTICE: Because there are only three setups, each group will need to sign up for timeslots on the sheets attached to the lab door. You can only sign up for a total of 2 hours (4 slots) at a time, AND YOU MUST USE THE SAME SETUP FOR THE ENTIRE LAB. These can either be in a row or spread out, but no group can have more than 4 slots reserved at any one time. Once one of your slots has expired, you can sign up for another one. See Appendix C for instructions on how to save and reload your work if you need to leave and continue later.

PLAYSTATION #: ______

Lab Goals

- Set up a network using multiple routers and switches

- Learn about trunk ports and trunking

- Learn about access control lists and use them to control information flow

PART I

You have recently graduated from Georgia Tech and you are now working for a company called Burdell Inc as a network engineer. You are presented with the following scenario:

Burdell Inc occupies a two floor office building and is made up of three departments, Administration, Accounting, and Information Technology (IT). The Administrative department is currently in need of 100 workstations and is forecasted to grow by an additional 100 machines in the foreseeable future. The Accounting department needs 1000 workstations and is not expected to grow beyond its present size. The IT department is constantly growing. IT presently needs 900 workstations and is expected to grow to twice that size.

In an effort to promote company unity and spirit, the management at Burdell Inc has decided to have members of all three departments work on both floors, i.e. no one department is physically isolated. Both floors accommodate workers from Accounting, Administration, and IT. Each department has its own VLAN, and all workers on each floor and between floors should be able to communicate with each other. Figure 1, below, shows the network topology.


This lab requires two switches, one router, and six end station PCs. However we will not use six end station PCs, we will instead emulate the six PCs using the ping capability of Cisco 1760 interfaces and use two more Cisco 1760s to emulate the PCs. This saves us from having to dedicate six PCs for this lab assignment. We will need one PC which we will use to test our setup. Thus the equipment required will be two switches, three routers, and one end station PC. We will use this equipment to emulate the network in Figure 1.

Section I: Logging into the Routers/Switches

All of the routers and switches are accessible from the console manager ports. See Table 1.

Table 1. Console manager port assignments

Part / Name / Console Manager Port Assignment
Playstation1
Cisco 3550 Switch / floor1_switch / 5
Cisco 3550 Switch / floor2_switch / 6
Cisco 1760 Router / floor1_router / 7
Cisco 1760 Router / floor1_computers / 8
Cisco 1760 Router / floor2_computers / 9
Playstation2
Cisco 3550 Switch / floor1_switch / 14
Cisco 3550 Switch / floor2_switch / 15
Cisco 1760 Router / floor1_router / 16
Cisco 1760 Router / floor1_computers / 17
Cisco 1760 Router / floor2_computers / 18
Playstation3
Cisco 3550 Switch / floor1_switch / 23
Cisco 3500 Switch / floor2_switch / 24
Cisco 1760 Router / floor1_router / 25
Cisco 1760 Router / floor1_computers / 26
Cisco 1760 Router / floor2_computers / 27

The enable password for all of these machines is owen.

In order to connect to the console manager you need to set up your network card to access its network:

# ifconfig eth0:0 192.168.254.<100+group #>

So group 1 is 192.168.254.101, and so forth. You will need to do this every time you power off your machine. What this does is set up a virtual interface, so you have two IP addresses on one network card. This allows you access to two networks with only one interface card.

To connect to the CM32:

#ssh

If it comes up, Type yes to the RSA question.

password: playstationX

You will be using a series of scripts to help you set up the routers and save your work. These scripts are described in detail in Appendix C. These should still be installed from Lab 6. If not, go to Appendix C and install the scripts according to the directions. Once this is done, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION YOU WANT TO USE. This is very important, as you are about to reset the configuration and all of their work will be lost.

Now that you are sure no one else is using the playstation, reset your chosen playstation by running the reset_pX script in the mnet_tools_v1.5 directory. Several windows should pop up. DO NOT CLOSE THEM UNTIL IT IS SAFE TO DO SO. If you are on playstation 1 or 2, you will get an error in one of the windows about VPN or Firewall processing not being enabled; ignore this for now. Once all of the other windows say it is safe to close them, do so. Now run the download_pX script to save the current configuration. From now on, you’ll run the download_pX script to save your work, and the upload_pX to restore the configuration of the playstation to the last saved state. Before running the upload script, MAKE SURE NO ONE ELSE IS USING THE PLAYSTATION.

Log into each of the machines and change its name to match Table 1. From global configuration mode:

Machine(config)#hostname <name>

To go back to the console manager screen, hit <CTRL+z> and then hit x.

Section II: Switch Configuration

Refer to Appendix A for a list of switch configuration commands and their descriptions.

While in Privileged EXEC-Mode, you can view the running configuration by typing show running-config. This contains information about all the interfaces and vlans you’ve set up.

Table 2 lists the different VLANs assigned to each department in our company.

Table 2. Department VLANs

VLAN / DEPARTMENT
2 / Administration
3 / Accounting
4 / InformationTechnology

Note: In Figure 1, the Administration VLAN is labeled as VLAN 1, Accounting as VLAN 2, etc. THIS IS INCORRECT. Use the VLAN numbers in Table 2 for the entirety of this lab.

One switch is placed on each office floor. Three switch ports (on each switch) are configured, one for each VLAN as listed in Table 2. Use the switch interface numbers shown in Figure 1 and the VLAN names and numbers from Table 2 (note that Figure 1 numbers the VLANs 1-3, while Table 2 numbers them 2-4; Table 2 is correct).

To create VLANs inside the switch, follow these simple steps:

SwitchA# vlan database <ENTER>

SwitchA(vlan)# vlan <vlan_number> name <vlan_name> <ENTER>

SwitchA(vlan)# exit

Do this for each of the vlans in Table 2. Now configure the interfaces to access those vlans:

SwitchA# configure terminal <ENTER>

SwitchA(config)# interface fastethernet <interface_number> <ENTER>

SwitchA(config-if)# switchport mode access <ENTER>

SwitchA(config-if)# switchport access vlan <enter a number here> <ENTER>

Now assign the correct operating speed to the interface. <SPEED> depends on the router interface connected to the switch port: <SPEED> = 10 for Ethernet interfaces and 100 for FastEthernet. Because IT is setting up this entire network, they decide to give themselves the higher speed connections. Therefore, the FastEthernet ports on floor1_computers and floor2_computers will be assigned VLAN 4.

SwitchA(config-if)# speed <SPEED> <ENTER>

SwitchA(config-if)# duplex full <ENTER>

SwitchA(config-if)# no shutdown

SwitchA(config-if)# end

Use the above configuration procedure to configure each of the used switch interfaces for each switch. (Do this on the switch, not on the routers). Once you are done, it is a good idea to download your configuration so you do not lose it.

Note: VLAN 1 (one) is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

Section III: Trunking Switch Ports

For VLAN information to be passed between the two switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames traveling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner in which frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulation: 1) Inter-Switch Link Protocol (ISL), a Cisco proprietary trunking protocol; 2) IEEE 802.1Q (dot1q), the industry standard trunking protocol; 3) LAN Emulation (LANE), used for trunking VLANs over ATM links; and 4) IEEE 802.10 (dot10q), a Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To setup trunking between two switches, use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>

SwitchA(config-if)# no switchport mode dynamic desirable <ENTER>

SwitchA(config-if)# switchport trunk encapsulation dot1q <ENTER>

SwitchA(config-if)# switchport mode trunk <ENTER>

SwitchA(config-if)# end

Then, go to the other switch, and repeat these commands on the respective interface. This is important, otherwise the switches will not be able to communicate to each other.

To limit which VLANs will be allowed to pass information on the port you can use the following commands:

SwitchA(config)# interface fastethernet <interface_number> <ENTER>

SwitchA(config-if)# switchport trunk allowed vlan remove 1-4094 <ENTER>

SwitchA(config-if)# switchport trunk allowed vlan add 1-4 <ENTER>

Then, you will have to repeat these commands on the other switch. The previous commands remove the default (all VLANs allowed) and add back support for VLANs 1-4 only.

Note: On one of the switches, one additional port has to be trunked. This additional trunk port is used to connect a router to the switch. The use of the router will be explained in the following section. Set up the trunking in the switch on floor one for the router on floor one now (see Figure 1 for the port number). The switch port will be connected to the router's FastEthernet port (SPEED = 100).

Section IV: Router Configuration

Refer to Appendix B for a list of router configuration commands and their descriptions.

Hosts on one VLAN cannot communicate with hosts on another VLAN since VLANs form separate broadcast domains. As a result, a router needs to be used to route packets from one VLAN to another VLAN. The router will be connected to the additional trunk port created on the switch above. The router port also needs to be trunked since the router port will be passing packets from multiple VLANs.

Before configuring the router, the subnets, the assignable machine address ranges, and the required network prefixes for each department have to be determined. Let's use the assignments in Table 3. Notice that the subnets are not all the same length.

Table 3. Department subnets and subnet workstation capacity

Department / Current Size (Workstations) / Future Size (Workstations) / Subnet / Subnet Capacity (Workstations)
Administration / 100 / 200 / 10.1.10.0/24 / 2^(32-24) - 2 = 2^8 - 2 = 254
Accounting / 1000 / 1000 / 192.168.148.0/22 / 2^(32-22) - 2 = 2^10 - 2 = 1022
Information Technology / 900 / 1800 / 172.16.152.0/21 / 2^(32-21) - 2 = 2^11 - 2 = 2046

Log into the router and use the following commands to configure the FastEthernet0/0 port as the trunk port that will be connected to the additional trunk port on the switch.

Router(config)# interface FastEthernet 0/0 <ENTER>

Router(config-if)# no ip address <ENTER>

Router(config-if)# no ip mroute-cache <ENTER>

Router(config-if)# speed auto <ENTER>

Router(config-if)# full-duplex <ENTER>

Router(config-if)# no shutdown <ENTER>

Router(config-if)# interface FastEthernet 0/0.1<ENTER>

Router(config-subif)# encapsulation dot1Q <vlan_number1> <ENTER>

Router(config-subif)# ip address 10.1.10.1 255.255.255.0 <ENTER>

Router(config-subif)# no shutdown <ENTER>

Router(config-subif)# interface FastEthernet 0/0.2 <ENTER>

Router(config-subif)# encapsulation dot1Q <vlan_number2> <ENTER>

Router(config-subif)# ip address 192.168.148.1 255.255.252.0 <ENTER>

Router(config-subif)# no shutdown <ENTER>

Router(config-subif)# interface FastEthernet 0/0.3 <ENTER>

Router(config-subif)# encapsulation dot1Q <vlan_number3> <ENTER>

Router(config-subif)# ip address 172.16.152.1 255.255.248.0 <ENTER>

Router(config-subif)# no shutdown <ENTER>

Router(config-subif)# end <ENTER>

You will have to replace <vlan_numberX> with the corresponding vlan as shown in the network diagram.

Section V: Testing Network Connectivity

Table 3. Workstation configurations

Workstation / One example IP address on floor1 / One example IP address on floor2 / Subnet Mask / Default Gateway
A (VLAN 2) / 10.1.10.2 / 10.1.10.3 / 255.255.255.0 / 10.1.10.1
B (VLAN 3) / 192.168.148.2 / 192.168.148.3 / 255.255.252.0 / 192.168.148.1
C (VLAN 4) / 172.16.152.2 / 172.16.152.3 / 255.255.248.0 / 172.16.152.1
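As an added check (not part of the handout), the following Python script verifies the addressing plan before any host is configured: it recomputes the Table 3 capacities with the 2^(32-n) - 2 formula, confirms each department subnet holds its forecast size and that no two subnets overlap, and validates each example workstation address above against its VLAN's subnet, mask and gateway. The table data is copied from the handout; the function names are my own, and a mis-addressed host or an overlapping subnet is exactly what would later let traffic bypass the VLAN separation the ACLs rely on.

```python
import ipaddress

# Subnet plan from Table 3 and the example workstation addresses from the
# workstation table above (copied from the handout, not constructed).
DEPARTMENTS = {
    "Administration":         {"vlan": 2, "subnet": "10.1.10.0/24",     "future": 200},
    "Accounting":             {"vlan": 3, "subnet": "192.168.148.0/22", "future": 1000},
    "Information Technology": {"vlan": 4, "subnet": "172.16.152.0/21",  "future": 1800},
}

WORKSTATIONS = [  # (vlan, address, netmask, default gateway)
    (2, "10.1.10.2",     "255.255.255.0", "10.1.10.1"),
    (2, "10.1.10.3",     "255.255.255.0", "10.1.10.1"),
    (3, "192.168.148.2", "255.255.252.0", "192.168.148.1"),
    (3, "192.168.148.3", "255.255.252.0", "192.168.148.1"),
    (4, "172.16.152.2",  "255.255.248.0", "172.16.152.1"),
    (4, "172.16.152.3",  "255.255.248.0", "172.16.152.1"),
]

def capacity(prefix):
    """Usable hosts in a subnet: 2^(32 - prefix length) minus network and broadcast."""
    return 2 ** (32 - ipaddress.ip_network(prefix).prefixlen) - 2

def check_plan(departments):
    """Return (departments whose subnet is too small for the forecast, overlap flag)."""
    too_small = [name for name, d in departments.items()
                 if capacity(d["subnet"]) < d["future"]]
    nets = [ipaddress.ip_network(d["subnet"]) for d in departments.values()]
    overlap = any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return too_small, overlap

def workstation_problems(vlan, addr, mask, gateway, departments):
    """List what is wrong with one host configuration (empty list means it is consistent).
    The mask must put the host in its VLAN's subnet, the address must not be the
    network or broadcast address, and the gateway must be the router sub-interface
    (first usable address of the subnet, as configured in Section IV)."""
    dept = next(d for d in departments.values() if d["vlan"] == vlan)
    net = ipaddress.ip_network(dept["subnet"])
    host = ipaddress.ip_interface(f"{addr}/{mask}")
    problems = []
    if host.network != net:
        problems.append("address/mask does not fall in the VLAN's subnet")
    if not (net.network_address < host.ip < net.broadcast_address):
        problems.append("address is the network or broadcast address")
    if ipaddress.ip_address(gateway) != net.network_address + 1:
        problems.append("gateway is not the router sub-interface address")
    return problems

if __name__ == "__main__":
    print("plan:", check_plan(DEPARTMENTS))
    for w in WORKSTATIONS:
        print(w[1], workstation_problems(*w, DEPARTMENTS) or "ok")
```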

If we were to use six PCs as workstations in this lab, we would configure the six workstations using the above example IP addresses. We would have used the following commands on each of the six PCs to set their individual IP addresses (example for one machine):

Prompt> ifconfig eth0 10.1.10.2 netmask 255.255.255.0 <ENTER>

Prompt> route add default gw 10.1.10.1

However, we are not going to do it this way. Instead we are going to use another router with three interfaces to act as three machines (three different IP addresses) for the machines on floor two and again another router for three machines on floor1.

For the computers on floor1 use:

Router(config)# interface Ethernet 0/0 <ENTER>