Building a network

Data Communications and Computer Networks Lab EP1100

Ezzeldin Shereen Ming Zeng Peiyue Zhao

Version 7.0 (2018)

Department of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology

Laboratory Manual

Chapter 1

Introduction

1.1 Purpose of the laboratory

The main goal of this laboratory is to give you an overview of the different processes involved in building a network, such as a corporate network. You will have to plan the IP address scheme, configure and test the equipment, as well as configure several applications and servers typical of any corporate network (DNS servers for example). After you have completed the laboratory exercises, you should be familiar with the practical issues of the different concepts explained in the course, as well as with the real equipment used nowadays in computer networks.

1.2 Duties before the lab starts

Students are required to submit the homework before the lab starts. Students who miss the homework submission will not be admitted to the lab.

1.2.1 Preparatory quizzes

Each student has to complete two online lab entry quizzes, which can be found on the course web page. The quizzes are due at the first lab session and at the third. Their purpose is to check that you have enough theoretical knowledge of the tasks that you will perform in the lab. Since these tasks are not part of the course book, you will have to read this manual and its references carefully to pass the quizzes.

1.3 Rules of behavior in the laboratory

1. Every laboratory session begins SHARP at the time specified in the schedule. Be on time! Students who arrive more than 15 minutes after the laboratory session has begun will not be admitted to that session.

2. Each lab session is four hours long. Students are welcome to take a 10-minute break during the session whenever they consider it convenient.

3. Please bring your identity cards with you.

4. Students must have their own copies of the laboratory manual.

5. Food and drinks are not allowed inside the laboratory.

6. Please keep your lab position organized and clean, and ensure that the equipment is in the same state (or better) as when you started.

1.4 How to use/read this manual

This manual is divided into different chapters and sections. Each chapter corresponds to a logical unit in the lab, like this introduction, and the different lab sessions. The lab sessions have two parts: ’before the lab’ and ’during the lab’. Each of the sessions is self-contained and includes the theory that you will need, either written in this lab manual or as pointers to the proper places to find it. You are required to read both sections carefully and to have a clear idea of the different concepts that you will have to manage while executing the lab tasks.


Before the laboratory session: The first thing that you should do is to read the manual completely and start studying the concepts explained in the ‘Before the session’ sections. Your understanding of these concepts will be tested in the homeworks.

During the laboratory session: While you are in the lab you must have a copy of the lab manual and your solved homeworks, and perform the different tasks specified. Each of the tasks contains questions that you have to answer. To pass the lab, students must successfully complete all tasks. You must also read this part of the manual before you attend the lab, so that you are familiar with the tasks and their questions. You will not have time to read the manual during the lab!

1.5 Notation used in the manual

Whenever an example of syntax is given in the manual, the following conventions apply:

• The commands meant to be typed in the different terminals, whether it is a router or a PC, are written in bold letters.

• Parameters that you have to substitute with their proper values are written in italics.

• Parameters inside square brackets are optional and, if used, must be written without the square brackets.

Example of syntax in this manual:

ping [-LRUbdfnqrvVaA] destination

Example of an issued command:

ping -b 255.13.1.0

1.6 Credits

Parts of this lab manual have been transcribed literally or with small modifications from the white paper 'Understanding IP addresses: everything you ever wanted to know' by Chuck Semeria (© 3Com Corporation), used with kind permission of 3Com, and from different Linux HOWTOs and manuals. Previous versions of this manual were written/edited by Ignacio Más Ivars, Evgueni Ossipov, Héctor Velayos, Mikael Rudholm, Ognjen Vuković and Ljubica Pajević.

Chapter 2

Lab Session 1: Building a network

Before the session

2.1 Representation of networks in diagrams

Network diagrams show the relationship between the elements of communication networks such as computers, peripheral devices and network equipment. A diagram is the main documentation of a network and its importance cannot be overemphasized. Often, it is the key resource when troubleshooting the network. The network diagram shows how the network operates, so the main task of the network administrator is to keep the network functioning as its diagram specifies. As a general rule, any modification to the network must first be made to the network diagram and its side effects analyzed; then, if everything works properly, the network equipment is reconfigured following the new diagram.

Despite the fact that there are standards for most of the network parts, network diagrams are not standardized at all. Developing appropriate network diagrams requires a mixture of experience, knowledge and likely some art. It is a skill that will only be developed through practice, although the study of existing diagrams helps a lot. In these brief notes you will receive some guidelines to interpret network diagrams and then you will practice with the diagram for the lab session.

When reading a network diagram, the first thing to discover is the represented layer. As the network diagram shows the relationships between networked elements, and these happen at different layers, it is natural that diagrams are classified according to the network layers. The most frequent diagram is the network layer diagram, which shows IP networks and the routers between the networks. Usually they are fairly complex, so they do not show any information about other network layers. It is important not to overload the diagrams with information, therefore the details of the individual networks are included in link layer network diagrams. This type of diagram has a narrower scope (typically a single sub-network) and contains a lot of details about the link and possibly physical layers. Higher level diagrams are also frequent, showing the arrangement of network services like DNS or DHCP, or the relationship between application servers and clients.

Figure 2.1: Network symbols often used in network diagrams.

Common to all these types of diagrams is the use of symbols to represent the different entities. These symbols are not standardized. The diagram author can use any symbols he likes. However, these symbols must be used in a consistent way. This means that both a square and a circle can represent a router, but all routers in the diagram must be represented using the same symbol. In this lab, we will use the symbols in Figure 2.1. Files with these symbols in different formats can be downloaded freely from the Cisco web site (http://www.cisco.com/web/about/ac50/ac47/2.html). The symbols are classified into three categories: network devices, user devices and media. Among the network devices you can find the representation for hubs, switches and routers. The user devices group contains icons for PCs, servers and PCs that act as routers. Finally, the media category contains the symbols for Ethernet connections, serial lines and the cloud. The cloud is a special symbol used to represent parts of the network not shown in a particular diagram. Thus, it can represent an unspecified network medium or whole networks, which is its normal usage. Additional information can be included in the diagram using alphanumeric strings, like IP addresses, host names or device ports. The next section contains some network diagrams that will be used during the lab. At the same time, these diagrams are good examples for the brief notes just introduced.

2.1.1 The network diagram for this session

During this lab session you will work with what could be the corporate network of a company with several hundred users. The name of the fictitious company is Acme. It has four departments: administration, production, marketing, and research and development. Each department is divided into four areas, with a Fast Ethernet serving each area. There is a router per area, which connects the Fast Ethernet to the department's backbone network. The company has four backbones, one per department. All the backbones are connected to the main router of the company, which provides access to the Internet among other services. This network is depicted in Figure 2.2. It is a network level diagram of Acme's network, which also contains the IP addresses used. It is natural that this diagram of a relatively complex network looks confusing at the beginning. Take your time to review it and understand all its data. It will be your guide for troubleshooting the network. As you can see in the figure, the network is quite symmetric.

The whole network is called "ACME network", its domain name is "acme" and it will use the block of IP addresses from 192.168.0.0 to 192.168.0.255 (i.e. 192.168.0.0/24). These addresses are defined as "private" by IANA (see http://www.iana.org and RFC 1918), thus they can only be used internally. The main router of the company, the PC-router depicted in the center of the figure, will implement NAT (Network Address Translation) to provide access for the hosts to the Internet, using public IP addresses.

Each department has a backbone implemented with a Fast Ethernet. Each backbone has a block of eight IP addresses assigned. The first address of the block identifies the network, the second is assigned to the gateway connecting it to other networks, while the rest of the addresses are assigned to the interfaces of the routers that connect the backbone with the departmental area networks. Note that the last address of the block is reserved for the network broadcast. The domain name for the four backbones is acme. An example of an interface name in the backbone is pro.acme (interface to the production network backbone in the main router). Another example is mar1-in.acme (access interface to the area 1 network of the marketing department from the marketing backbone). The names are meant to help you find the corresponding interface in the network diagram.

Each departmental network is composed of the backbone and four area networks. The user hosts are connected to the area network, never to the backbone. Each area network is a Fast Ethernet network with a router to the departmental backbone. A block of eight IP addresses is assigned to each area network. The first one identifies the network, the second is given to the internal router interface, the third to the switch (needed for its remote configuration features), the fourth to the area server, the last is the network broadcast and the rest can be assigned to user terminals. Each department has its own domain name. Administration has adm.acme, marketing has mar.acme, production has pro.acme and research & development has rad.acme. In addition, there are special domain names per area network. Examples of names in the area networks are ns.area1.adm.acme (DNS server of the area 1 network of administration) or sw.area2.pro.acme (switch of the area 2 network of production). Again the names are meant to help you find the position of the interface in the network diagram.

Figure 2.3 contains more details of the area network. It depicts the network and link layers, including some physical details such as the router ports. This figure corresponds to area 1 of the R&D department and also includes the departmental backbone. The rest of the areas and backbones are connected in the same way.
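The addressing rules above, worked through as an added Python example that is not part of the lab manual: it carves 192.168.0.0/24 into /29 blocks and applies the per-block roles and the naming scheme (pro.acme, mar1-in.acme, sw.area2.pro.acme, ns.area1.adm.acme). The order in which blocks are handed out and the "gw" label for the inner router interface are this example's assumptions; the real assignment is the one in Figure 2.2.

```python
import ipaddress
from itertools import combinations

# Department labels as the manual gives them (adm.acme, pro.acme, mar.acme, rad.acme).
DEPARTMENTS = ["adm", "pro", "mar", "rad"]
AREAS_PER_DEPARTMENT = 4
BLOCK_PREFIX = 29  # a /29 is the eight-address block the manual assigns per network


def build_address_plan(site="192.168.0.0/24"):
    """Carve the site block into /29s and apply the manual's per-block rules.

    Returns (subnets, names): subnets maps a network label to its /29 and
    names maps each assigned DNS name to its IPv4 address.
    ASSUMPTION: Figure 2.2 is not reproduced here, so the order in which the
    blocks are handed out (backbones first, then areas department by
    department) is this example's own, not Acme's real assignment.
    """
    site_net = ipaddress.ip_network(site)
    blocks = iter(site_net.subnets(new_prefix=BLOCK_PREFIX))
    subnets, names = {}, {}

    for dept in DEPARTMENTS:
        # Backbone block: network, main-router gateway, four area-router
        # interfaces, one spare, broadcast.
        bb = next(blocks)
        hosts = list(bb.hosts())                 # the six usable addresses
        subnets[f"{dept}-backbone"] = bb
        names[f"{dept}.acme"] = hosts[0]         # e.g. pro.acme on the main router
        for n in range(1, AREAS_PER_DEPARTMENT + 1):
            names[f"{dept}{n}-in.acme"] = hosts[n]   # e.g. mar1-in.acme

    for dept in DEPARTMENTS:
        for n in range(1, AREAS_PER_DEPARTMENT + 1):
            # Area block: network, inner router interface, switch, area
            # server, three user terminals, broadcast.
            area = next(blocks)
            hosts = list(area.hosts())
            subnets[f"{dept}-area{n}"] = area
            # ASSUMPTION: the manual names no inner router interface; "gw" is
            # a placeholder label chosen for this example.
            names[f"gw.area{n}.{dept}.acme"] = hosts[0]
            names[f"sw.area{n}.{dept}.acme"] = hosts[1]
            names[f"ns.area{n}.{dept}.acme"] = hosts[2]
    return subnets, names


def user_addresses(subnets, dept, n):
    """The addresses left for user terminals in one area: the three after the server."""
    return list(subnets[f"{dept}-area{n}"].hosts())[3:]


def check_plan(site, subnets, names):
    """Checks to run before typing anything into the routers: every block lies
    inside the site, no two blocks overlap, and every name has a distinct
    address that falls inside one of the blocks."""
    site_net = ipaddress.ip_network(site)
    if not all(s.subnet_of(site_net) for s in subnets.values()):
        return False
    if any(a.overlaps(b) for a, b in combinations(subnets.values(), 2)):
        return False
    if len(set(names.values())) != len(names):
        return False
    return all(any(ip in s for s in subnets.values()) for ip in names.values())


if __name__ == "__main__":
    subnets, names = build_address_plan()
    print("plan valid:", check_plan("192.168.0.0/24", subnets, names))
    for label, net in subnets.items():
        print(f"{label:14} {net}  broadcast {net.broadcast_address}")
    for name in ("pro.acme", "mar1-in.acme", "ns.area1.adm.acme", "sw.area2.pro.acme"):
        print(f"{name:20} {names[name]}")
```

Twenty of the 32 available /29 blocks are used, so the check also tells you how much of the /24 is left for growth.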

2.2 Equipment description

You will work with different pieces of network equipment such as cables, switches and routers during this lab. You should know what their functions and capabilities are in general terms. This section shows the actual models that you will find in the lab. It also contains some guidelines to identify the equipment and its interfaces. All the equipment is classified into four groups: cables, switches, routers and terminals. Below there is one subsection dedicated to each group.

2.2.1 Cables and connectors

All the cables used in the lab are terminated with adequate connectors on both ends. Two major types of cables will be used in the lab: power supply and data cables. The power supply cable is necessary for the equipment to be powered, but it does not participate in the transmission of data signals. Figure 2.4 shows the power supply cable for PCs, routers and switches.


Figure 2.2: Acme’s network diagram.


Figure 2.3: Detailed network and link layer diagram.

Figure 2.4: Power supply cable.

Figure 2.5: RJ45 plug.

For data communication we will use different cables depending on the link layer technology, though the medium will always be copper. For the Ethernet connections, we will use four-pair category 5 Unshielded Twisted-Pair (UTP) cabling with RJ45 plugs on both ends. Figure 2.5 shows the RJ45 plug at the end of the UTP cable. This type of cable contains eight individually insulated wires twisted in pairs. Each pair is colored with one wire having a solid color (blue, orange, green, or brown) and the other wire having a stripe of the same color over a white background. Each wire is named by its color when it is solid (e.g. green) or by "white" plus the color of the stripe otherwise (e.g. white-green). The pairs are identified by the solid colors (e.g. green pair). The RJ45 plug has eight pins, numbered from 1 to 8; each one of the wires of the four-pair UTP cable connects to one pin. The assignment of wires to pins is called the color code and it differs depending on the standard. We will use both the EIA/TIA 568A and 568B standards. Their color assignment can be seen in Figure 2.6.

Figure 2.6: Standards for color codes.

We will need two different types of cables for Ethernet connections: crossover cables and straight-through cables. A crossover cable must be used to connect the Ethernet ports of two PCs directly, or two routers or two switches (when the uplink port of the switches is not used). It has one RJ45 plug wired following the 568A standard and the other following the 568B standard. A straight-through cable must be used to connect the Ethernet ports of a switch to PCs or routers. It has both RJ45 plugs wired following the 568B standard. The only way to identify whether an Ethernet cable is a crossover or a straight-through cable is to check the color code at both ends. More information about Ethernet cables and how to make them can be found at http://www.duxcw.com/digest/Howto/network/cable/cable5.htm. General information about connectors, pin-outs, cables and adapters can be consulted at http://www.hardwarebook.net/.

Figure 2.7: DB9 to RJ45 adapter.

Figure 2.8: Rollover cable.

A different cable must be used to connect a PC to the console port of a Cisco device. The console port is a serial port, and it must be connected to the PC's USB port. The console port is an RJ45 jack while the PC has a USB port. To connect both ports properly, we will use the USB to DB9 adapter, the DB9 to RJ45 adapter (see Figures 2.9 and 2.7) and a new type of cable known as a roll-over cable. A roll-over cable also uses 8 wires with RJ45 plugs on both ends, but it is different from the straight-through or crossover cables. In a roll-over cable, the pins on one end are reversed on the other end. Thus pin 1 on one end connects to pin 8 on the other end. Pin 2 connects to pin 7, pin 3 connects to pin 6 and so on. Figure 2.8 shows a roll-over cable.

Figure 2.9: USB to DB9 adapter.
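The cable identification rule above (check the color code at both plugs) as an added Python example, not part of the manual: the 568A/568B wire orders are the standard ones, and the function tells the three cable types of this section apart and reports which pin each wire reaches at the far end.

```python
# Wire order, pin 1 to pin 8, for the two color-code standards of Figure 2.6.
T568A = ("white-green", "green", "white-orange", "blue",
         "white-blue", "orange", "white-brown", "brown")
T568B = ("white-orange", "orange", "white-green", "blue",
         "white-blue", "green", "white-brown", "brown")


def classify_cable(end1, end2):
    """Name the cable type from the wire order seen at the two RJ45 plugs.

    Straight-through: both plugs follow the same standard (568B in this lab).
    Crossover: one plug 568A, the other 568B.
    Roll-over: the order at one plug is the reverse of the other.
    Anything else (a missing or swapped wire) is reported as unknown.
    """
    end1, end2 = tuple(end1), tuple(end2)
    valid = set(T568A)
    if set(end1) != valid or set(end2) != valid or len(end1) != 8 or len(end2) != 8:
        return "unknown"
    if end1 == end2 and end1 in (T568A, T568B):
        return "straight-through"
    if {end1, end2} == {T568A, T568B}:
        return "crossover"
    if end2 == end1[::-1]:
        return "rollover"
    return "unknown"


def pin_map(end1, end2):
    """For each pin on the first plug, the pin its wire reaches on the second.

    Assumes both plugs carry all eight wires (check with classify_cable first).
    """
    return {i + 1: end2.index(wire) + 1 for i, wire in enumerate(end1)}


# Constructed sample: the far plug of a console cable read in reverse order,
# which is exactly the roll-over wiring described above.
ROLLOVER_FAR_END = T568A[::-1]
```

Running pin_map on a crossover (568A against 568B) shows the swap the text implies: pins 1 and 3 and pins 2 and 6 change places while 4, 5, 7 and 8 stay put.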

In addition to these cables, there is permanent cabling in the lab room that you will need to use to connect the router's outer interface to the departmental backbones. The permanent cables run in the tables and floor, and link each lab position with the lab's cabling rack. The cabling rack is at the front of the lab room (to your left). It contains the departmental switches and a patch panel below them. Figure 2.10 shows the interior of the cabling rack. Each switch has a label indicating to which departmental backbone it belongs. The patch panel has two rows of sockets: the top and the bottom row. Each socket on the panel connects to a similar socket by the tables, which is marked with a blue label and the text LABBNÄT (Figure 2.11). The label indicates to which of the panel sockets a particular socket is connected. For example, 17B corresponds to socket 17 on the bottom row (T stands for top, B for bottom). The connection between the sockets in the patch panel and those by the tables is equivalent to a straight-through cable. The connection of the router's outer interface to the departmental backbone requires two straight-through cables. Use one to connect the router's outer Ethernet interface to one of the blue-label sockets by the table. Use the other to connect the socket in the patch panel with the same label to any port of the appropriate departmental switch.

2.2.2 Switches

The switch you will use in the lab is a Cisco Catalyst 3512 XL. In the front it has twelve 10/100 Ethernet switched RJ45 ports plus two additional Gigabit Ethernet slots. The Ethernet ports will be used to connect the equipment of the area network. The Gigabit slots will not be used in this lab. In the back it has the RJ45 console port for its configuration and the three-pin power supply socket. It does not have a power switch; the equipment is turned on when connected to the power supply. Each port is labeled on the box with a name, which is also used to identify the port in the configuration menus. Figure 2.13 shows the front and Figure 2.14 shows a closer view of the Ethernet ports in the front. Note that each port is given a number, with number one in the top left corner. The number allows identification of the ports in the configuration file, but there is no difference in the behavior of the ports. Any of them can be used to connect equipment to the switch.


Figure 2.10: Switches and patch panel in the lab cabling rack.

Figure 2.11: Cabling sockets by the tables in the lab


There are additional switches inside the cabling rack. You will use them to connect your router to the departmental backbone, but you do not have to change their configuration.

2.2.3 Routers

The router you will use in the lab is a Cisco 2621. All its ports are situated in the back. It has two 10/100 Ethernet RJ45 ports, an RJ45 console port for its configuration, a three-pin power socket and a power switch. Each port is labeled on the box with a name, which is also used to identify the port in the configuration file. Since the router forwards packets between its ports, it is very important to connect each network to the proper port. Figure 2.15 shows the front and Figure 2.16 shows the ports in the back.

Figure 2.12: A Raspberry Pi.

2.2.4 Terminals

A Raspberry Pi running Linux will be used as the terminal in the lab. The Raspberry Pi has the functionality of a regular personal computer, therefore we refer to the Raspberry Pi as the PC in this lab manual. The Raspberry Pi has various ports; the most important ones for this lab are the 10/100 Ethernet RJ45 port and the USB ports. Figure 2.12 shows the ports of the Raspberry Pi in the lab. To use the Raspberry Pi, each group needs to prepare a laptop to be remotely connected to the Raspberry Pi. For more information, please refer to Section 2.8. The Raspberry Pi will fully work as a PC in the lab. Each area network has a PC, which will be used as the network server for the area network. Additional laptops can be connected to the area network. These laptops must have an RJ45 Ethernet port. This port will be connected to any free port in the switch to join the area network.

2.3 Cisco software

In this section we will review the configuration process of the Cisco equipment in the lab. The best way to prepare yourself for this task is to read the manufacturer's documentation, some of which is provided as supplementary course material and the rest of which is available online. Here we will give you some references: please read them in advance, as you will not have time during the lab. Since there is a huge amount of published documentation, the next paragraphs contain some guidance on which parts you must study for this lab.

Start by reading the "Cisco Software Configuration Guide" on Canvas. From the section "About this guide", learn about the objectives, organization and conventions of the document. Then go to chapter 1, "First-time configuration", which explains how to configure the router initially. This chapter describes both the 3600 and 2600 model series; read only the part related to the Cisco 2600 series. It is important to review the "Cisco 2600 Series Interface Numbering". While reading this part, recall that the routers in the lab have two Fast Ethernet ports in slot 0. Then read the following sections to get an overview of the initial configuration process of the router: "Using the Setup Command Facility", "Configuring Global Parameters" and "Configuring Interface Parameters". This last section describes several interface types; read only the "Fast Ethernet Interface Configuration" section. Finally read the "Completing the configuration" section. During the lab you will configure the router as these sections describe, so read them carefully. After reading it, read Section 2.3.3 of this manual about the same topic. It contains the answers to the setup questions that you should use during the lab.

After reading the first chapter, move on to the second, "Cisco IOS software basics". It describes general aspects of the Cisco IOS software, which you need to know before working with the router. Read it completely, with special attention to the different configuration modes, how to get help on the commands from the command line interface and how to undo a command or feature.

To complete the review of the router documentation, read chapter 3, titled "Configuring with the Command Line Interface". It describes the commands to actually configure particular functions of the router. Read the sections "Configuring Fast Ethernet Interfaces", "Checking the Interface Configuration" and "Saving Configuration Changes". By reading these sections of the documentation thoroughly, you will obtain a good knowledge of the router, its software and how to configure it. However, you might still need more information on particular commands. To obtain it, use the master index of the Cisco IOS Configuration Guide, Release 12.0S, available at http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/c12k_fm/config.pdf. Use this reference to read about the "ip route" commands. They will be used during the lab to create the routing table of the router. Read also about the commands "ping" and "trace" in their privileged and user versions, since you will use them to troubleshoot the network.

All this information only applies to the router configuration. There is an equivalent document for configuring the switch called "Cisco IOS Desktop Switching Software Configuration Guide". If you read this document, you will discover that the way the switch is configured is similar to that of the router, but some commands are different. You can find these commands in a document called "Cisco IOS Desktop Switching Command Reference", available on Canvas. If you need information on a particular command, you can look it up at http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book.html. Before the lab, it is enough that you read the section "Using the command-line interface" of the switch manual. Note that it is similar to that section in the router configuration guide. Since we will not configure complex functions in the switch during this lab, you do not have to study any of the switch commands deeply. After reading this information about the switch, read Section 2.3.2 below, which describes how to start up the switch. You will start up and initially configure the switch during the lab.

Figure 2.13: Front of the Cisco Catalyst 3512 XL.

Figure 2.14: Ethernet ports in the front-left of the Cisco Catalyst 3512 XL.

Figure 2.15: Front of the Cisco 2621.

Figure 2.16: Ports in the back of the Cisco 2621.

2.3.1 Management console

We will configure both the router and the switch by typing commands in the command-line interface (CLI). To access the CLI, we will connect a management console to the router or switch. There is specific hardware that can be connected to the console port of the router or switch and behaves like a management console. However, in our lab we will instead use a PC (the Raspberry Pi) running Linux and a serial communication program called minicom, which together offer the same functionality. First you have to connect the PC to the console port of the network equipment (i.e. the router or the switch). Use the supplied roll-over cable, USB to DB-9 adapter, and DB-9 to RJ45 adapter to connect a PC USB port to the switch console port. Once the USB port and console port are connected, open a new terminal on the PC. Then type sudo minicom to start the minicom program. If everything is working fine, minicom will display the messages from the network equipment as character strings and it will display the prompt for you to type commands. At any moment, you have all the minicom configuration commands available by pressing 'Ctrl+a z'. Before the lab, read the section "use" of minicom's manual page, available online at http://linux.die.net/man/1/minicom, to learn how to use this software.

2.3.2 Starting up the switch

This subsection describes how to start up your Catalyst 3500 XL switch, how to interpret the power-on self-test (POST) and how to configure the switch.

Starting Up

The switch will start booting as soon as the power supply is connected, since there is no power switch. It is important to connect the management console before the switch is powered on, so that it will display the messages generated during the start-up process. For the initial configuration, there is no need to connect any cable to the Ethernet ports.

When the switch starts up, it begins POST, a series of eight tests that run automatically to ensure that the switch works properly. When the switch begins POST, the port LEDs turn amber for 2 seconds, and then they turn green. The System LED flashes green, and the RPS LED turns off. As each test runs, the port LEDs, starting with number 1, turn off. The port LEDs for ports 2 to 8 each turn off in turn as the system completes a test. When POST completes successfully, the port LEDs return to the status mode display, indicating that the switch is operational. If a test fails, the port LED associated with the test turns amber, and the System LED turns amber as well.

To initiate the start-up configuration of the switch, send a break command from your terminal program. Then you should see the initial configuration screen of the switch.

Using the Setup command of the Command Line Interface

The command setup from the set of privileged commands is used to assign IP information and to create a default configuration for continued operation. When you boot the switch (or the router) for the first time, there is no configuration, so you will be asked whether you want to enter the "initial setup dialog". Answer yes and you will be configuring everything from scratch. If this question does not appear, it means that some configuration was found. In this case, you will have to start the setup procedure from privileged mode using these commands:

Switch> enable
Password: passwd
Switch# setup
Continue with configuration dialog? [yes/no]: y

The password should be "qwerty". The setup procedure consists of a sequence of questions that you should answer. This information is used to create the initial configuration. After the last question, this initial configuration is shown, so it is possible to review it before saving. Here are the questions and the suggested answers:

Question 1: Enter your switch’s IP address and press Return:


Enter IP address: ip_address

Question 2: Enter your switch’s subnet mask and press Return:

Enter IP net mask: ip_netmask

Question 3: Enter "Y" to specify a default gateway (router):

Would you like to enter a default gateway address? [yes]: y

Question 4: Enter the IP address of your switch’s default gateway and press Return:

IP address of the default gateway: ip_address

Question 5: Enter a host name for the switch and press Return:

Enter host name: Switch

Question 6: Enter a secret password (which ensures switch security) and press Return:

Enter enable secret: qwerty

Question 7: Enter "Y" to enter a Telnet password:

Would you like to configure a Telnet password? [yes]: y

Question 8: Enter the Telnet password and press Return:

Enter Telnet password: qwerty

Question 9: You would enter Y to configure this switch as the cluster command switch. Enter N to configure it as a member switch or as a stand-alone switch.

Would you like to enable as a cluster command switch? n

Question 10: Verify that the addresses are correct in the initial configuration displayed:

The following configuration command script was created:

ip subnet-zero
interface VLAN1 ip_address ip_netmask
ip default-gateway ip_address
hostname Switch
enable secret 5 $1$jJql$VA6U.6uTjsa56Xx2yy/t30
line vty 0 15
password telnet_password
snmp community private rw
snmp community public ro
cluster disable
!
end
!

Use this configuration? [yes/no]:

Question 11: If the information is correct, enter y at the prompt and press return to use it. When you see the message "Press RETURN to get started", the setup program is complete. If the information is not correct, enter n at the prompt, press Return, and begin again at Question 1.
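As an added example that is not part of the manual: a small Python audit that reads the two setup scripts the manual shows (the switch script in Question 10 above and the router script in Section 2.3.3) and flags the settings a network administrator would revisit once the lab network is up, such as the cleartext enable password, the read-write SNMP community and telnet passwords stored in the clear. The check names are this example's own.

```python
import re

# Setup scripts reproduced from the manual (Section 2.3.2 Question 10 and
# Section 2.3.3), with the manual's placeholders kept as they appear there.
SWITCH_SCRIPT = """\
ip subnet-zero
interface VLAN1 ip_address ip_netmask
ip default-gateway ip_address
hostname Switch
enable secret 5 $1$jJql$VA6U.6uTjsa56Xx2yy/t30
line vty 0 15
 password telnet_password
snmp community private rw
snmp community public ro
cluster disable
!
end
"""

ROUTER_SCRIPT = """\
hostname Router
enable secret 5 $1$EDYp$8IwOwl7TATzo8lYdAeuIV1
enable password lab
line vty 0 4
 password qwerty
no snmp-server
!
ip routing
no bridge 1
!
"""


def audit_ios_config(text):
    """Return a list of (check, detail) findings for the weak settings below.

    Checks: 'enable password' kept next to 'enable secret', read-write SNMP
    communities, the well-known 'public'/'private' community names, and
    vty 'password' lines when 'service password-encryption' is absent.
    """
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    encrypted = any(ln == "service password-encryption" for ln in lines)
    in_vty = False
    for ln in lines:
        if re.match(r"enable password\s+\S", ln):
            findings.append(("enable-password",
                             "cleartext 'enable password' present; 'enable secret' alone is enough"))
        m = re.match(r"snmp(?:-server)? community\s+(\S+)\s+(rw|ro)\b", ln)
        if m:
            community, mode = m.groups()
            if mode == "rw":
                findings.append(("snmp-rw", f"community '{community}' grants write access"))
            if community in ("public", "private"):
                findings.append(("snmp-default-community",
                                 f"well-known community name '{community}'"))
        if ln.startswith("line vty"):
            in_vty = True
        elif ln.startswith("line ") or ln in ("!", "end"):
            in_vty = False
        elif in_vty and ln.startswith("password ") and not encrypted:
            findings.append(("vty-cleartext-password", "vty password stored in cleartext"))
    return findings


def finding_kinds(text):
    """The distinct check names raised for a script, sorted for easy comparison."""
    return sorted({kind for kind, _ in audit_ios_config(text)})


if __name__ == "__main__":
    for label, script in (("switch", SWITCH_SCRIPT), ("router", ROUTER_SCRIPT)):
        print(label)
        for kind, detail in audit_ios_config(script):
            print(f"  {kind}: {detail}")
```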

2.3.3 Starting up the router

This subsection describes how to start up your Cisco 2621 router, to interpret the power-on self-test (POST) and to initially configure the router.


Starting Up

In contrast to the switch, the router will not boot when the power supply is connected. It boots when the power switch in the back is set to on. It is important to connect the management console before the router is powered on, so that the console will display the messages generated during the start-up process. For the initial configuration, there is no need to connect any cable to the Ethernet ports.

When the router starts up, it performs the POST without producing external signals. When POST completes successfully, the bootstrap program is loaded from ROM into RAM. This process produces the first messages in the console. After the bootstrap is loaded, it searches for and loads the Cisco IOS. In our case, this software is retrieved from the internal flash memory, decompressed and loaded into RAM. More messages appear in the console reporting the progress of these steps. When it is successfully loaded, the router's configuration file is searched for and loaded.

When you boot the router for the first time, there is no configuration file, so you will be asked whether you want to enter the "initial configuration dialog". Answer "yes" and you will be configuring everything from scratch in setup mode. If this question does not appear, it means that the router found some configuration. In this case, you will have to start the initial configuration procedure from privileged mode using the setup command as described below:

Router> enable
Password: passwd
Router# setup
Continue with configuration dialog? [yes/no]: y

The password should be "qwerty".

Initial configuration dialog: The setup procedure consists of a sequence of questions that you should answer. This information is used to create the initial configuration. After the last question, this initial configuration is shown, so you can review it before saving. Here are the questions and the suggested answers:

Question 1: Answer "no" to enter the extended setup:

Would you like to enter basic management setup? [yes/no]: no

Question 2: Answer "no" to skip the interface summary:

First, would you like to see the current interface summary? [yes]: no

After these two questions, the configuration of the global parameters begins:

Question 3: Type a name for the router:

Enter host name [Router]: Router

Question 4: Enter “qwerty” as the enable secret password:

Enter enable secret: qwerty

Question 5: Enter "lab" as the enable password:

Enter enable password: lab

Question 6: Enter "qwerty" as the virtual terminal password:

Enter virtual terminal password: qwerty

Question 7: Answer "no" to skip SNMP configuration:

Configure SNMP Network Management? [yes]: no

Question 8: Answer "yes" to enter the IP configuration:

Configure IP? [yes]: yes

Question 9: Answer "no" since we will use static routing:

Configure IGRP routing? [yes]: no

Question 10: Answer "no" again to this dynamic routing protocol:

Configure RIP routing? [no]: no


Question 11: Answer "no" since bridging will not be used:

Configure bridging? [no]: no

Question 12: No user will dial in via modems, so answer "no" here:

Configure Async lines? [yes]: no

Now the configuration of the interface parameters begins. The FastEthernet 0/0 port is first:

Question 13: Answer "yes" to configure the FastEthernet 0/0 interface:

Do you want to configure FastEthernet0/0 interface? [yes]: yes

Question 14: Answer "yes" to use the RJ-45 connector on the back of the router:

Use the 100 Base-TX (RJ-45) connector? [yes]: yes

Question 15: Answer "yes" to activate Ethernet full-duplex mode:

Operate in full-duplex mode? [no]: yes

Question 16: Answer "yes" to start the IP configuration of the interface:

Configure IP on this interface? [yes]: yes

Question 17: Type the proper IP address for this interface in dotted-decimal format. The network diagram should help you find out what this address should be. We have included an IP address as an example of the expected answer:

IP address for this interface: 192.168.0.129

Question 18: Type the proper mask in dotted-decimal format corresponding to the previous IP address. We have included a mask as an example of the expected answer:

Subnet mask for this interface: 255.255.255.0

After this question, similar questions will appear to configure the second FastEthernet interface of the router. Answer them in the same way as for the first FastEthernet interface. Mind that the IP address, and possibly the mask, must be different for this second interface: the two interfaces must belong to different IP networks, since IOS rejects an interface address whose network overlaps with that of another interface. The example script below shows two addresses from the same /24 only as placeholders; take the real values from your network diagram.

After this set of questions on the second FastEthernet interface, the initial configuration is generated and displayed for you to verify. The screen should look similar to this:

The following configuration command script was created:

hostname Router
enable secret 5 $1$EDYp$8IwOwl7TATzo8lYdAeuIV1
enable password lab
line vty 0 4
password qwerty
no snmp-server
!
ip routing
no bridge 1
!
interface FastEthernet0/0
media-type 100BaseX
full-duplex
ip address 192.168.0.129 255.255.255.0
!
interface FastEthernet0/1
media-type 100BaseX
full-duplex
ip address 192.168.0.26 255.255.255.0
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
end

0 Go to the IOS command prompt without saving this config.
1 Return back to the setup without saving this config.
2 Save this configuration to nvram and exit.

Enter your selection [2]:

Check the configuration, especially the IP addresses and masks, and if everything is correct answer "2" to save the configuration and exit from setup mode. If there is some incorrect information, answer "1" to repeat the setup. Note that the enable secret is stored as a type 5 (MD5) hash, whereas the enable password ("lab") and the vty password ("qwerty") are stored in cleartext in the configuration; when both an enable secret and an enable password are set, IOS uses the secret. After you save it, the router is working with your initial configuration. Note that you have not introduced the static routing table yet, so the router can only reach directly connected networks. If any static route is needed, use the router's ip route command to add static entries to the routing table.


Figure 2.17: The five classes of IP addresses, where the prefix identifies the network and the suffix the particular host inside that network.

2.4 IP: General concepts

2.4.1 IP addressing: When the Internet Protocol (IP) was designed and standardized, the specification required that each system interface had a unique 32-bit Internet address. Some systems, like routers, have more than one network interface and thus need a unique IP address for each interface. An IP address is divided into two parts: the first part identifies the network and the second part identifies the particular host in that network. In the early years of IP addressing, the first part was called the network number, because the leading portion of each address identifies the network, while the last part was called the host number. Within one network, all hosts share the same network number but must have different host numbers. Conversely, two hosts in different networks must have different network numbers but may have the same host number. There is one exception to the required uniqueness of IP addresses: the groups of addresses reserved for private use (RFC 1918). These private IP addresses can be reused in different organizations, but they must never be routed on the public Internet.

2.4.2 Primary Address Classes: One of the main goals when designing IP was to support networks of different sizes. For that purpose the IP address space was divided into five address classes: A, B, C, D and E. This partitioning is called classful addressing because the address space is split into predefined classes, groupings or categories. The classes fix the boundary between the network number and the host number at different points within the first three bytes of the address; the formats are illustrated in Figure 2.17. Classful addressing is convenient from the routing point of view, since each address contains a self-encoding key that identifies the dividing point between the network number and the host number. This way, early Internet routers could know the length of the network number without a network mask. For example, when the first two bits of an IP address are 1-0, the dividing point is between the 16th and 17th bits.

Class A Networks: Class A network addresses have an 8-bit network number, which starts with a 0, followed by a 24-bit host number. Nowadays, class A addresses are referred to as '/8', because of their 8-bit network number. There are 126 (2^7 - 2) class A networks. We have to subtract 2 because the 0.0.0.0 network is reserved for the default route and 127.0.0.0 is used for the loopback interface. Each /8 network contains 2^24 - 2 (16,777,214) hosts. Again, we subtract two addresses because the all-0s ("this network") and all-1s ("broadcast") host numbers cannot be assigned to individual hosts. There are in total 2^31 (2,147,483,648) individual addresses available in class A, which is 50% of the total IPv4 address space.

Class B Networks: Class B network addresses have a 16-bit network number, with the two highest-order bits set to 1-0, followed by a 16-bit host number. They are usually referred to as '/16s'. There are 16,384 (2^14) /16 networks, with 65,534 (2^16 - 2) hosts per network. The entire class B address space contains 2^30 (1,073,741,824) addresses.

Class C Networks: Class C network addresses have the three highest-order bits set to 1-1-0 and a 24-bit network number, followed by an 8-bit host number. They are referred to as '/24s'. There are 254 (2^8 - 2) hosts per network, with 2,097,152 (2^21) possible /24 networks, giving a maximum of 2^29 (536,870,912) addresses.


32-bit binary number                   Equivalent dotted decimal
10000001 00110100 00000110 00000000    129.52.6.0
11000000 00000101 00110000 00000011    192.5.48.3
00001010 00000010 00000000 00100101    10.2.0.37
10000000 00001010 00000010 00000011    128.10.2.3
10000000 10000000 11111111 00000000    128.128.255.0

Table 2.1: Examples of 32–bit addresses and their equivalent in dotted-decimal notation.

Address class      Range of values in the first octet
A (/8 prefixes)    0 through 127
B (/16 prefixes)   128 through 191
C (/24 prefixes)   192 through 223
D (multicast)      224 through 239
E (reserved)       240 through 255

Table 2.2: The range of decimal values in the first octet of each class.

Other Classes In addition to the three classes used to identify individual network interfaces, there are two additional classes: Class D addresses have their four highest order bits set to 1–1–1–0 and are used to support IP Multicasting, while Class E addresses have their leading four–bits set to 1–1–1–1 and are reserved for future use.

2.4.3 Dotted-Decimal Notation: To make IP addresses easier to use, they are usually written as four decimal numbers separated by dots. This format is called dotted-decimal notation. Each 32-bit Internet address is divided into four 8-bit (byte) fields, and the value of each field is written independently as a decimal number, with the fields separated by dots. Table 2.1 shows typical Internet addresses expressed this way. Table 2.2 shows the range of decimal values that the first byte of each address class can take.

2.4.4 Problems with Classful Addressing The Internet nowadays has surpassed in size all the original expectations of its creators. The design decisions made in the early years of the Internet have created complex problems with difficult solutions:

• When the Internet started, IP addresses were allocated to organizations on simple request rather than according to their actual needs. The decision to use 32-bit addresses gives only 2^32 (4,294,967,296) IPv4 addresses, which has led to an actual shortage of addresses.

• Dividing IP addresses on octet boundaries was easy to implement and deploy, but it left medium-sized organizations without a suitable network size. A /16, supporting 65,534 hosts, is too large for such organizations, while a /24, with only 254 possible hosts, can be far too small. In the past, sites with several hundred hosts were assigned a single /16 instead of two or three /24s, quickly exhausting the /16 address space. Conversely, giving several /24s to the same organization has increased the size of the routing tables.

2.4.5 IP sub-netting: In 1985, IETF RFC 950 defined a way to divide a single classful network address into smaller pieces. Sub-netting was introduced to overcome the problems the Internet was suffering with the two-level addressing hierarchy: first, local administrators had to apply for a new network address before installing a new network at their site; and second, the Internet routing tables were beginning to grow to an unmanageable size. The solution was to add a new level to the addressing hierarchy. With sub-netting, the host number is divided into two parts, the subnet number and the host number on that subnet, creating a three-level hierarchy. With this scheme the subnet structure of a network is not visible outside the organization's domain. This keeps the routing tables of outside routers small, since the route to any subnet is the same: all subnets share the same network number. Only inside the organization do routers need to differentiate between the subnets to route packets, which confines the complexity of the routing tables to the domain of the local administrator. A site with several logical networks thus uses subnet addressing to cover all of them with a single /16 (class B) network address. (The opposite operation, aggregating several classful networks into one shorter prefix, is what is called super-netting.) The router accepts all traffic from the Internet to network 130.5.0.0 and forwards it inside based on the third octet of the address.

                              network-number      subnet-number   host-number
IP address:   130.5.5.25      10000010.00000101   00000101        00011001
Subnet mask:  255.255.255.0   11111111.11111111   11111111        00000000
                              |----- extended-network-number -----|

Table 2.3: Subnet mask.

2.4.6 Extended Network Number

When a router in the Internet routes a packet, it uses the network number of the destination address. In a sub-netted environment, once a packet arrives in the sub-netted domain the routers use the extended network number to distinguish among the different subnets. The extended network number is the classful network number plus the subnet number. To identify the extended network number, routers use the subnet mask. For example, with the /16 address 130.5.0.0, if you use the entire third byte for the subnet number you need a subnet mask of 255.255.255.0. The bits of the subnet mask are 1 for the bits of the IP address that belong to the extended network number and 0 for the bits that belong to the host number. This is illustrated in Table 2.3. Nowadays the extended network number is usually expressed as a prefix length rather than as a mask: the length is the number of 1 bits in the mask, so instead of saying that the mask is 255.255.255.0 we write the address as 130.5.0.0/24. The prefix length is only a notation; routing protocols still carry the mask (or, equivalently, the length) with every route, since a route without it is ambiguous.

2.4.7 Design Considerations

The design of an address plan for an organization requires the network administrator to carefully consider different aspects that will influence the final design:

• How many subnets do we need today?

• How many subnets will we need in the future?

• How many hosts are in the largest subnet?

• How many hosts can the largest subnet contain in the future?

The first step is to take the maximum number of subnets required and round that value up to the closest power of two, taking the possible growth of the network into account. For example, if we need 11 subnets, 2^3 = 8 will not provide enough subnets, so we round up to 2^4 = 16, which leaves five spare subnets for the organization to grow into. The second step is to check the number of hosts needed in the largest subnet. Imagine that we need 26 hosts: since the all-0s and all-1s host numbers cannot be used, we need at least 28 addresses, which rounds up to 2^5 = 32, i.e. five host bits. Finally, we check whether our organization's address space has enough bits for the required sub-netting plan. With a single /16 address we have 16 bits to split, more than enough for four subnet bits and five host bits. If instead we have several /24s and want 11 subnets, we have to subnet each /24 into four subnets (two bits of subnet number, leaving six host bits) and use three of the /24s to obtain the required 12 subnets.

2.4.8 Subnet Example

Problem: Let’s assume that we have the network number 193.1.1.0/24 and we want to define six subnets, with a maximum of 25 hosts per subnet.

Laboratory Manual 19 2.4. IP: General concepts Before the session

Base Net:  11000001.00000001.00000001.00000000   193.1.1.0/24
Subnet 0:  11000001.00000001.00000001.00000000   193.1.1.0/27
Subnet 1:  11000001.00000001.00000001.00100000   193.1.1.32/27
Subnet 2:  11000001.00000001.00000001.01000000   193.1.1.64/27
Subnet 3:  11000001.00000001.00000001.01100000   193.1.1.96/27
Subnet 4:  11000001.00000001.00000001.10000000   193.1.1.128/27
Subnet 5:  11000001.00000001.00000001.10100000   193.1.1.160/27
Subnet 6:  11000001.00000001.00000001.11000000   193.1.1.192/27
Subnet 7:  11000001.00000001.00000001.11100000   193.1.1.224/27

Table 2.4: Subnet numbers for the sub-netting example.

Obtaining the Subnet Mask: To obtain the number of bits required for our six subnets, we have to create them in blocks of powers of two. To define six subnets we therefore need 8 (2^3) subnets, leaving two free subnets for future use. To enumerate eight subnets we need three bits. In our example we have a /24 address, so the extended network number length becomes /27, which corresponds to a network mask of 255.255.255.224. With /27 subnets, five bits remain for the host number, so each subnet has 2^5 = 32 individual IP addresses. However, only 30 (2^5 - 2) of them can be assigned to hosts, as the all-0s and all-1s host addresses cannot be used.

Obtaining the Subnet Numbers: We number the eight subnets from 0 to 7, which in binary are 000 to 111. To define subnet n, we place the binary representation of n into the bits of the subnet-number field. The eight subnet numbers for this example are given in Table 2.4: in each address, the first 24 bits are the network number and the following 3 bits are the subnet-number field.

The Reserved Subnets: The initial definition of sub-netting prohibited the use of the all-0s and the all-1s subnets, to avoid confusing the original classful routers. Nowadays routers can be running classful and classless protocols at the same time. The all-0s subnet originally denoted the entire network, so a router needs every routing table update to include the route together with its prefix length in order to tell a route to the all-0s subnet from a route to the entire network. With a classful routing protocol, the routing advertisements for subnet 193.1.1.0/27 and for network 193.1.1.0/24 are identical (193.1.1.0), so without the prefix length or the netmask a router cannot distinguish them. The problem with the all-1s subnet is exactly the same: routers need the prefix length to decide whether a broadcast (directed or all-subnets) should be sent only to the all-1s subnet or to the entire network. When the routing table does not contain a mask or prefix length for each route, confusion arises because the same broadcast address (193.1.1.255) is used both for the entire network 193.1.1.0/24 and for the all-1s subnet 193.1.1.224/27. The newer classless routing protocols carry the mask or length with each route, so the all-0s and all-1s subnets can be used again. Of course, the other routers in the organization's network must also be able to correctly interpret, learn and forward traffic to subnets whose subnet-number field is all 0s or all 1s.

Defining Host Addresses for Each Subnet: The host-number field of an IP address cannot contain all 0 bits or all 1 bits. The all-0s host number identifies the base network (or subnetwork) number, while the all-1s host number is the broadcast address for the network (or subnetwork). In our example there are 5 bits in the host-number field of each subnet address, so each subnet is a block of 30 host addresses (2^5 - 2 = 30; the 2 is subtracted because the all-0s and all-1s host addresses cannot be used). The hosts on each subnet are numbered 1 through 30. In general, to define the address assigned to Host n of a particular subnet, the network administrator places the binary representation of n into the subnet's host-number field. For example, the address of Host 15 on Subnet 2 is obtained by placing the binary representation of 15 (01111) into the 5 bits of Subnet 2's host-number field. The valid host addresses for Subnets 2 and 6 in our example are given in Table 2.5: in each address, the first 27 bits are the extended network prefix and the last 5 bits are the host-number field.

Subnet 2:  11000001.00000001.00000001.01000000   193.1.1.64/27
  Host 1:  11000001.00000001.00000001.01000001   193.1.1.65/27
  Host 2:  11000001.00000001.00000001.01000010   193.1.1.66/27
  Host 3:  11000001.00000001.00000001.01000011   193.1.1.67/27
  ...
  Host 30: 11000001.00000001.00000001.01011110   193.1.1.94/27

Subnet 6:  11000001.00000001.00000001.11000000   193.1.1.192/27
  Host 1:  11000001.00000001.00000001.11000001   193.1.1.193/27
  Host 2:  11000001.00000001.00000001.11000010   193.1.1.194/27
  Host 3:  11000001.00000001.00000001.11000011   193.1.1.195/27
  ...
  Host 30: 11000001.00000001.00000001.11011110   193.1.1.222/27

Table 2.5: Host addresses for the sub-netting example.

Defining the Broadcast Address for Each Subnet: The broadcast address for Subnet 2 is the all-1s host address:

11000001.00000001.00000001.01011111 = 193.1.1.95

Note that the broadcast address for Subnet 2 is exactly one less than the base address for Subnet 3 (193.1.1.96). This is always the case: the broadcast address for Subnet n is one less than the base address for Subnet n+1. The broadcast address for Subnet 6 is likewise the all-1s host address:

11000001.00000001.00000001.11011111 = 193.1.1.223

Again, the broadcast address for Subnet 6 is exactly one less than the base address for Subnet 7 (193.1.1.224).

Figure 2.18: An IP network on one Ethernet segment (network 192.168.0.X with hosts A, B and C at 192.168.0.A, 192.168.0.B and 192.168.0.C).

Figure 2.19: Two IP networks on two different Ethernet segments (network 192.168.0.X with hosts A and B and the router interface 192.168.0.R; network 192.168.1.X with hosts C and D and the router interface 192.168.1.R).
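The steps of 2.4.7 and 2.4.8 (rounding subnet and host counts up to powers of two, deriving the extended network number length and mask, enumerating subnet numbers, host ranges and broadcast addresses) can be carried out by a short script. The following is an added example, not code from the lab manual; it uses the manual's own problem (193.1.1.0/24, six subnets, at most 25 hosts) as input and assumes that all bits left over after the subnet field go to the host number.

```python
# Added example (not from the lab manual): a subnet planner that carries the
# reasoning of sections 2.4.6 to 2.4.8 through in code. Sample input is the
# manual's own problem: 193.1.1.0/24, six subnets, at most 25 hosts each.
import ipaddress


def bits_needed(n):
    """Smallest k such that 2**k >= n, i.e. round n up to a power of two."""
    if n < 1:
        raise ValueError("n must be at least 1")
    return (n - 1).bit_length()


def prefix_to_mask(prefix_len):
    """Extended-network-number length -> dotted-decimal mask, e.g. 27 -> 255.255.255.224."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_prefix(mask):
    """Dotted-decimal mask -> prefix length; rejects masks whose 1 bits are not contiguous."""
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    if mask_int != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError("non-contiguous subnet mask: " + mask)
    return ones


def plan_subnets(base, subnets_needed, hosts_needed):
    """Apply the design steps of 2.4.7: round the subnet count and the host count
    up to powers of two, check that the address space suffices, then enumerate
    every subnet with its usable host range and broadcast address (2.4.8)."""
    net = ipaddress.IPv4Network(base)
    subnet_bits = bits_needed(subnets_needed)
    # +2: the all-0s (subnet) and all-1s (broadcast) host numbers are not assignable.
    host_bits = bits_needed(hosts_needed + 2)
    new_prefix = net.prefixlen + subnet_bits
    if 32 - new_prefix < host_bits:
        raise ValueError("%s cannot hold %d subnets of %d hosts"
                         % (base, subnets_needed, hosts_needed))
    rows = []
    for n, sub in enumerate(net.subnets(new_prefix=new_prefix)):
        rows.append({
            "subnet": n,                                  # binary n sits in the subnet-number field
            "network": str(sub.network_address),          # all-0s host number
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),      # all-1s host number
        })
    return {
        "prefix": new_prefix,
        "mask": prefix_to_mask(new_prefix),
        "hosts_per_subnet": 2 ** (32 - new_prefix) - 2,
        "subnets": rows,
    }


def host_address(subnet, n):
    """Address of Host n in a subnet: place the binary value of n in the host-number field."""
    sub = ipaddress.IPv4Network(subnet)
    if not 0 < n < sub.num_addresses - 1:
        raise ValueError("host number %d is reserved or out of range for %s" % (n, subnet))
    return str(sub.network_address + n)


if __name__ == "__main__":
    plan = plan_subnets("193.1.1.0/24", 6, 25)
    print("/%d  mask %s  %d usable hosts per subnet"
          % (plan["prefix"], plan["mask"], plan["hosts_per_subnet"]))
    for row in plan["subnets"]:
        print("Subnet %(subnet)d: %(network)s  hosts %(first_host)s-%(last_host)s"
              "  broadcast %(broadcast)s" % row)
    print("Host 15 on Subnet 2:", host_address("193.1.1.64/27", 15))
```

Running it reproduces Tables 2.4 and 2.5 and the two broadcast addresses above; feeding it the /16 case of 2.4.7 (11 subnets, 26 hosts) gives /20 subnets, and asking for a plan that does not fit the address space raises an error instead of silently producing overlapping subnets.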

2.4.9 The use of ARP: When computers communicate over a particular link-layer technology (for instance, Ethernet), they need more information than the IP address of the host they want to communicate with. Imagine a small TCP/IP network built over one Ethernet segment with a class C network address (192.168.0.X), which allows up to 254 nodes. In our example network (see Fig. 2.18) there are three nodes, with host numbers A, B and C respectively. Each of these nodes has an Ethernet address, like 05-ED-34-4F-37-BC (written in hexadecimal). When A wants to send a packet to C for the first time, it needs C's Ethernet address, but the only thing A knows about C is its IP address, so A uses the Address Resolution Protocol (ARP) to discover C's Ethernet address. Each host keeps an ARP table of IP addresses and the corresponding Ethernet addresses. If the address A is looking for is not in the table, ARP broadcasts a special Ethernet frame asking for the Ethernet address corresponding to C's IP address. The host on the Ethernet segment that has that IP address answers A; A then updates its table and uses the learned Ethernet address to send the packet to C. Entries in the ARP table are flushed after a certain period of time. Note that ARP has no authentication: a host accepts whichever reply claims the IP address it asked for, so any machine on the same segment can answer on behalf of another (ARP spoofing).

Imagine now that instead of one Ethernet segment we have two, as in Figure 2.19. Here R is an IP router, which could be a PC or a dedicated piece of hardware. R needs two Ethernet interfaces, one on each segment it is connected to, with two different IP addresses. Since each segment is a different network, we have two different class C addresses. Now consider that A wants to send a packet to D. The only way to do this is to send the packet first to R, which forwards it to D. A therefore puts R's Ethernet address but D's IP address in the packet it sends. R receives a packet addressed to D and writes the proper Ethernet address (D's) in the frame it forwards. All these machines obtain the Ethernet addresses they need using ARP. The difference from the single-segment case is that A cannot obtain D's Ethernet address with an ARP request, because D would never see A's request: they are on different physical wires. A knows that D is in a different IP network, so it knows it must send the packet to R to have it forwarded to the proper destination.
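The exchange described above, carried out on the actual ARP wire format, as an added example that is not part of the lab manual. The hosts, MAC addresses and IP addresses are constructed to match Figures 2.18 and 2.19 (letters as in the figures, concrete numbers chosen here); nothing is taken from the lab network.

```python
# Added example (not from the lab manual): the ARP exchange of 2.4.9 on the
# real wire format, with a minimal per-host ARP table. Two scenarios: A
# resolves C on the same segment (Figure 2.18); A cannot resolve D on the other
# segment and must resolve the router R instead (Figure 2.19).
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
UNKNOWN_MAC = "00-00-00-00-00-00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(raw):
    return "-".join("%02X" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP packet. Requests go to the broadcast MAC
    (the target MAC is what we are asking for); replies go unicast to the asker."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Validate the frame and return the ARP fields; raises ValueError otherwise."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for ARP")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (EtherType 0x%04x)" % ethertype)
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class Host:
    """One interface on an Ethernet segment, with its own ARP table."""

    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.cache = {}  # IP address -> Ethernet address

    def request(self, target_ip):
        return build_arp(ARP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, target_ip)

    def receive(self, frame):
        """Process one ARP frame; return the reply frame to send, or None."""
        pkt = parse_arp(frame)
        if pkt["target_ip"] != self.ip:
            return None  # asked about some other address: stay quiet
        if pkt["op"] == ARP_REQUEST:
            # Nothing in ARP authenticates this answer: any host on the segment
            # could claim the address (ARP spoofing) and the asker would believe it.
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY:
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None


def arp_exchange(asker, target_ip, segment):
    """Broadcast the asker's request to every other host on its segment, hand any
    reply back to the asker, and return the MAC it learned (None if nobody
    answered, which is what happens when the target sits on another segment)."""
    if target_ip in asker.cache:
        return asker.cache[target_ip]
    request = asker.request(target_ip)
    for host in segment:
        if host is not asker:
            reply = host.receive(request)
            if reply is not None:
                asker.receive(reply)
    return asker.cache.get(target_ip)


# Constructed topology (letters as in the figures, numbers chosen for this example).
A = Host("A", "02-00-00-00-00-0A", "192.168.0.10")
B = Host("B", "02-00-00-00-00-0B", "192.168.0.11")
C = Host("C", "02-00-00-00-00-0C", "192.168.0.12")   # Figure 2.18: C on A's segment
R0 = Host("R", "02-00-00-00-00-01", "192.168.0.1")   # Figure 2.19: R's interface on A's segment
SEGMENT_0 = [A, B, C]
SEGMENT_0_WITH_ROUTER = [A, B, R0]
D_IP = "192.168.1.13"                                 # D lives on the other segment

if __name__ == "__main__":
    print("A -> C:", arp_exchange(A, C.ip, SEGMENT_0))
    print("A -> D:", arp_exchange(A, D_IP, SEGMENT_0_WITH_ROUTER))   # None: D never hears it
    print("A -> R:", arp_exchange(A, R0.ip, SEGMENT_0_WITH_ROUTER))  # what A actually needs
```

The request is a 42-byte frame (14 bytes of Ethernet header plus the 28-byte ARP packet) sent to FF-FF-FF-FF-FF-FF; only the host owning the asked-for IP address answers, and it answers unicast. In the second scenario no host on A's segment owns D's address, so the request goes unanswered and A has to resolve R's address instead, exactly as the text describes.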

2.4.10 IP routing

Direct or indirect routing: When two machines are on the same network, there is no need to forward a packet between them at the IP layer; direct routing is used. In the first example, A and C are in the same network, so they know they can reach each other just by using the proper Ethernet address. On the other hand, if the network numbers of source and destination differ, the packet must be forwarded by a router that knows how to reach the destination. In the second example, if A wants to reach D it needs some routing information telling it where to send the packet. On a Unix machine, routes are added to the routing table with the route command. R needs two IP addresses, one for each network interface. A knows that R is on its network just by looking at the IP address of R's interface on the first Ethernet segment; in the same way, D sees R's second interface and can obtain the Ethernet address of that interface. Most of the time it is not necessary to add a routing entry for the other Ethernet segment by hand: it is enough to have R as the default gateway, the machine to which packets addressed to hosts outside the local segment are sent. Of course, the default gateway itself needs a properly configured routing table to forward the packets to the correct destinations.

Static or dynamic routing: There are two ways to obtain the information the routing table needs: static or dynamic routing. With static routing, the routing table is written by hand by the system administrator, and it usually requires the machines to have statically configured addresses. If the network topology changes, it is up to the administrator to update the routing tables of all the machines concerned. Most computers and routing devices add a static entry for the directly connected network automatically when a network interface is configured. Dynamic routing is a more complex process. It uses special routing protocols to update the routing table: the routers in the different networks exchange information about the networks they know and the metrics or 'costs' needed to reach them (number of hops, load, bandwidth and so on). Routing protocols are classified as Interior Gateway Protocols (IGP), which distribute routing information inside an Autonomous System (AS), or Exterior Gateway Protocols (EGP), which exchange it between ASs. An autonomous system is a set of machines in one particular domain administered by a single authority, group or organization. OSPF and RIP are examples of IGPs, while BGP is an example of an EGP.

Understanding a routing table: Choosing a route from the routing table is a mathematical operation that needs a little binary arithmetic and logic. A destination IP address matches a routing table entry if the destination address ANDed with the entry's network mask equals the entry's network address; in other words, the entry is a candidate if the leading bits selected by its mask are identical in the destination address and in the entry's network address. More than one entry can match a destination, so how does IP find the proper route? The entries differ in their network masks. We said earlier that the mask splits the address space into smaller networks, so the longer the mask (the more 1 bits it has), the more precisely it pins down the destination. The rule is to always use the matching route with the longest mask (longest-prefix match); the default route, with mask 0.0.0.0, matches every destination and is therefore used only when nothing more specific matches. There are different ways to build a routing table. For a small LAN like ours the most efficient way is to build it by hand with the route command, but in larger networks tables are built and modified by routing daemons, which usually run on each router and use dynamic routing protocols to exchange routing information and compute the best routes to the different networks.
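The route selection rule just described, implemented as an added example (not code from the lab manual). Entries are written the way route -n prints them on Linux, where a gateway of 0.0.0.0 marks a directly connected network; the table itself is constructed for a router like R in Figure 2.19 and is not taken from the lab.

```python
# Added example (not from the lab manual): the route-selection rule of 2.4.10 in
# code. lookup() ANDs the destination with each entry's mask, keeps the entries
# that match and picks the one with the longest mask; next_hop() turns that into
# the direct/indirect decision, i.e. which address to ARP for.
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network mask gateway iface")

DIRECT = "0.0.0.0"   # gateway value used by `route -n` for directly connected networks


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def prefix_len(mask):
    return bin(ip_int(mask)).count("1")


def matches(route, destination):
    """The rule from the text: destination AND mask must equal the entry's network."""
    return (ip_int(destination) & ip_int(route.mask)) == ip_int(route.network)


def invalid_entries(table):
    """Entries whose network has host bits set can never match anything; flag them."""
    return [r for r in table if ip_int(r.network) & ip_int(r.mask) != ip_int(r.network)]


def lookup(table, destination):
    """Longest-prefix match: among all matching entries keep the one with the most
    1 bits in its mask. Returns None when nothing (not even a default route) matches."""
    best = None
    for route in table:
        if matches(route, destination) and (best is None or
                                            prefix_len(route.mask) > prefix_len(best.mask)):
            best = route
    return best


def next_hop(table, destination):
    """Where the packet goes on the wire: (IP address to ARP for, interface, kind).
    Direct routing hands the packet to the destination itself; indirect routing
    hands it to the gateway while the IP header still names the destination."""
    route = lookup(table, destination)
    if route is None:
        return None
    if route.gateway == DIRECT:
        return (destination, route.iface, "direct")
    return (route.gateway, route.iface, "indirect")


# Constructed table for router R: two directly connected segments, a /16 behind
# another router, an even more specific /24 inside it, and a default route.
TABLE = [
    Route("192.168.0.0", "255.255.255.0", DIRECT,          "eth0"),
    Route("192.168.1.0", "255.255.255.0", DIRECT,          "eth1"),
    Route("10.1.0.0",    "255.255.0.0",   "192.168.1.2",   "eth1"),
    Route("10.1.5.0",    "255.255.255.0", "192.168.1.3",   "eth1"),
    Route("0.0.0.0",     "0.0.0.0",       "192.168.0.254", "eth0"),
]

if __name__ == "__main__":
    for dst in ("192.168.0.10", "192.168.1.13", "10.1.2.3", "10.1.5.7", "172.16.0.1"):
        print("%-14s -> %s" % (dst, next_hop(TABLE, dst)))
```

For 10.1.5.7 three entries match (the /24, the /16 and the default route) and the /24 wins; for 172.16.0.1 only the default route matches. invalid_entries() catches a common mistake when typing routes by hand, a network address with host bits set, which can never match any destination.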

2.5 Debugging

2.5.1 General model: top down or bottom up approaches The main tasks of a network administrator are to keep a network running and to fix it in case of failure. Basically these tasks can be decomposed in the following set of subtasks.


• Locate the point of failure.

• Fix the problem.

In general you discover that a failure has occurred through simple facts like: you cannot open a web page, you cannot print on the network printer, you cannot make a remote connection to a distant computer, and so on. In this case you, as the network administrator, should perform certain steps to discover why these things are happening. There are two general approaches to finding the reason for the failure and locating the problem in the network, called Top-Down and Bottom-Up. As the names suggest, you check the operation of the network layer by layer, starting from the application layer and going down to the physical layer in the top-down approach, or from the physical layer up to the application layer in the bottom-up approach. Recall the main layers in the TCP/IP stack.

Physical layer: At this layer you check that the cabling is correct. Check that all cables are properly connected to the network cards, and at the far end check that the network device (your PC, router, etc.) is powered ON!

Link layer: At this layer you check the link-layer configuration, status and statistics of the network interfaces. On the PCs the command for this purpose is ifconfig; it shows the usage statistics of each interface and its current status, and the next subsection describes how to use it. One possible problem at the link layer is an interface being disabled automatically because of incorrect cabling. In that case, when you run ifconfig on the PC, either the problematic interface does not appear at all or the UP flag is missing from its status line (see the output of ifconfig in the next subsection). On the switches and routers the command to see the status of the interfaces is show interfaces; its meaning is exactly the same as that of ifconfig. To fix a problem at this level, first check that the cabling is correct, then bring the interface up manually with the proper commands.

Network layer (IP) - The typical problem on this layer is an incorrect IP configuration of the network interface. The sequence of your actions to fix the problem should be:

1. Check that the network interface is configured with the proper IP address and network mask.
2. Test the configuration by checking whether you can communicate with other network devices.
3. If the problem remains, repeat from the configuration step.

There are different commands to check the IP configuration of the interfaces on PCs, switches and routers; on the PCs, for example, use ifconfig. Another item included in the term "IP configuration" is the proper configuration of the routing table; on the PCs you can use the route command for this purpose. See the next subsection for details on the usage of these commands. The easiest way to test step one is the ping command, which exists on all network devices (so in the simplest case its syntax is the same on PCs and Cisco devices). Check whether you can ping a machine (a PC or a router) that you know for sure is up and running. If you cannot ping it, repeat the configuration step. If you have checked the configuration and are 100% sure it is correct but ping still does not work, the problem may not be in your PC but in an intermediate device (e.g. a router). The way to locate the faulty device is the traceroute command (which again exists on both the PCs and the Cisco devices). If you find that one of the routers you have access to configure is not responding, apply the same approach to locate and fix the failure in that router.

Transport layer - On this level you can try to establish a TCP connection to a particular port and check whether it works or not. For this purpose you can use the telnet program on your PC in the form: telnet destination_IP port_number. A possible reason for a failure on this level is a special set of rules in your PC which forbids access to certain IP addresses and/or TCP/UDP ports. This kind of filtering is called "IP firewalling". Check the firewalling rules for correctness.

Application layer - On this layer you can discover that something is going wrong by observing whether your applications work as they should. Most probably, applications will generate meaningful errors when they cannot work. The error message is the best hint to find the problem. Read it carefully and make sure you understand it. Read the application manual if needed.

Laboratory Manual 23 2.6. Tools and commands in the PC Before the session

2.6 Tools and commands in the PC

Here is a description of the most useful commands for debugging a network from your PC.

ifconfig

The first action you should perform when you are trying to connect your computer to the Internet is to configure your network interface (network card). Basically you should be able to:

1. Bring the interface up
2. Configure the IP parameters of the interface (assign an IP address, and specify the network mask)
3. Display the configuration information of the interface

In Unix-like operating systems there is a command which performs exactly this. The command is ifconfig. To bring the network interface up manually, the syntax of this command is:

ifconfig Interface_name up

The syntax of the command when you would like to assign IP parameters is

ifconfig Interface_name IP_Address netmask Network_mask broadcast Broadcast_address

In the case you run ifconfig without arguments, you will get a summary of the configuration of the interfaces which are up, like the one you can see below:

[lab@localhost lab]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:DA:E9:12:9C
          inet addr:193.150.254.81  Bcast:193.150.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x200

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

As you can notice from the output, the first line gives you information about the link layer; the second and the third show the IP configuration; the fourth line gives the status of the interface; and finally, the next three lines show the interface usage statistics. In the lab you will use this command with or without arguments. You can find information about other arguments and options of this command by typing in the terminal window:

man ifconfig

Ping

Sometimes the connection to a remote machine cannot be established. This could be due to several reasons. One of these reasons could be a network failure at any part of the network. If you cannot connect to a specific computer, how do you know whether it is due to a network failure, the computer being down, or perhaps some error in a program running on the computer? As a first step you could try to figure out if the computer is reachable through the network. For this purpose you could use the ping program available on most networked systems. Ping simply sends a number of special packets, called ECHO REQUEST packets, to the destination computer. When the destination computer receives these packets it is supposed to send back ECHO REPLY packets. Your ping program will display the received ECHO REPLY packets. These types of packets are part of the ICMP protocol which ping uses. The syntax of this command is

ping Name_of_the_machine

One option that might be useful with this command is “-n”. With this option ping produces only numeric output, without trying to resolve symbolic names for host addresses. This option is useful when DNS is not working: if it is not specified, ping will block the terminal window for some tens of seconds while trying to resolve a name. The syntax of ping in this case is:

ping -n Name_of_the_machine


Traceroute

The Internet is a large and complex aggregation of network hardware, connected together by gateways/routers. Tracking the route your packets follow to their destination (or finding the misconfigured router that throws away your packets) can be difficult. The command traceroute utilizes the IP protocol TTL (time to live) field, which is decremented by every router a packet passes through. When this counter reaches zero the packet is thrown away and an ICMP TIME_EXCEEDED packet is sent back to the sender. This ICMP TIME_EXCEEDED packet contains, among other things, the identity of the router that dropped the packet. traceroute attempts to force such a response from each gateway/router along the path to the destination by first sending a packet with the TTL set to one, then a packet with the TTL set to two, and so on until it reaches the destination. The syntax of this command is:

traceroute Name_of_the_machine

As with ping you can use the option “-n”, which disables name resolution. The syntax of traceroute in this case is:

traceroute -n Name_of_the_machine
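To see the TTL mechanism described above in code, the following added example (not part of this manual, and not a real traceroute implementation) simulates the probes and the ICMP replies for a constructed path of routers. It also models the case mentioned above of a misconfigured router that silently throws packets away, so you can see how the trace tells you where the failing device is:

```python
"""Simulation of the TTL mechanism that traceroute relies on.

Added example, not part of the lab manual and not how a real traceroute is
implemented; it only models the exchange.  All addresses are constructed.
"""
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = "TIME_EXCEEDED"
ICMP_ECHO_REPLY = "ECHO_REPLY"

# Constructed paths: routers on the way and, last, the destination itself.
# None stands for a misconfigured router that silently throws packets away.
GOOD_PATH = ["10.0.213.1", "10.0.1.1", "10.0.2.1", "10.0.2.20"]
BROKEN_PATH = ["10.0.213.1", "10.0.1.1", None, "10.0.2.20"]


@dataclass
class Probe:
    ttl: int            # IP time-to-live chosen by the sender


@dataclass
class Reply:
    kind: str           # ICMP message type name
    sender: str         # address of the device that answered


def forward(probe, path):
    """Carry one probe along the path; return the ICMP reply, or None if dropped silently.

    Every router decrements the TTL.  The router that brings it to zero discards
    the probe and answers with TIME_EXCEEDED carrying its own address.  A probe
    that survives all routers reaches the destination, which answers itself
    (modelled here as an ECHO_REPLY).
    """
    routers, destination = path[:-1], path[-1]
    for router in routers:
        if router is None:                  # black hole: no reply at all
            return None
        probe.ttl -= 1
        if probe.ttl == 0:
            return Reply(ICMP_TIME_EXCEEDED, router)
    return Reply(ICMP_ECHO_REPLY, destination)


def traceroute(path, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one.

    Returns (ttl, address) pairs in the order traceroute prints them;
    "*" marks a TTL for which no reply came back.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(Probe(ttl), path)
        if reply is None:
            hops.append((ttl, "*"))
            continue
        hops.append((ttl, reply.sender))
        if reply.kind == ICMP_ECHO_REPLY:   # the destination answered: done
            break
    return hops


def last_responding_hop(hops):
    """The last device that answered: the failure is at or right after it."""
    answered = [addr for _, addr in hops if addr != "*"]
    return answered[-1] if answered else None


if __name__ == "__main__":
    for ttl, addr in traceroute(BROKEN_PATH, max_hops=5):
        print(f"{ttl:2d}  {addr}")
```

Running it on the broken path prints the two answering routers followed by lines of "*", exactly the pattern you look for when a router on the way discards your packets: the last address that appears is the device right before the faulty one.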

Route

After you have checked that your interface is configured properly, but you still do not have any response from ping or traceroute, it is a good time to check that the routing information in your PC is correct. You can check the content of the routing table by typing

route

in the terminal window. You will see the output of this command like the one below.

[lab@localhost lab]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.213.0      *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         itguest-gw.gues 0.0.0.0         UG    0      0        0 eth0

Or, if you execute this command with the option “-n”:

[lab@localhost lab]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.213.0      *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.213.1      0.0.0.0         UG    0      0        0 eth0

If your PC has one network card, the routing table will consist of three records: the route to your network, the route to the 127.0.0.0 network, and the default route. When sending packets to an IP address inside your own network, your PC will use the first record; for packets whose destination is outside your network the PC will use the third record and send them to the default gateway. Check the entry corresponding to the default route (the network address for the default route is 0.0.0.0); it should point to the first router in your network. If you do not have this record or it does not point to the first router, configure the routing table as described in the “During the Laboratory Session” section.

ARP

In our lab you will use this command to check the content of the ARP table in your PC. The syntax of arp is:

arp -a

In this form the command will output the content of the ARP table. You can find more information about the usage of this command by executing:

man arp

Telnet

Telnet is a program which allows you to log in to a distant device (e.g. computer, router). Use the following syntax of telnet:

telnet Destination_IP Port_number

If you do not want to connect to a specific port, use


telnet Destination_IP

With this syntax telnet will connect you to the default telnet port (TCP port 23).

Network sniffers

A network sniffer is a tool that picks up a copy of each and every packet that traverses the communication link to which your network interface is attached. We will use a sniffer so that you can see for yourself exactly what is going on when two computers start talking to each other. This will give you a chance to see how all the protocols and mechanisms you have read about so far interact and work together. There exist many network sniffers; in our lab we will use a program called “Wireshark”, which is probably one of the most popular sniffers used for academic purposes. In the next subsection you will find the description of Wireshark.
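The transport-layer check described above (telnet to a particular port) can also be done from a small program, which is handy when you want to test many ports or repeat the test after each configuration change. The following is an added example, not part of this manual, that opens a TCP connection with a timeout and classifies the outcome the way you would interpret telnet's behaviour; the loopback listener inside it is constructed only so the check can be tried without a second machine:

```python
"""Transport-layer check: can a TCP connection be opened to host:port?

Added example, not part of the lab manual; it does in code what
``telnet Destination_IP Port_number`` does by hand.  The loopback listener
is constructed so the check can be demonstrated on one machine.
"""
import socket
import threading


def tcp_port_state(host, port, timeout=2.0):
    """Attempt a TCP handshake and classify the outcome.

    "open"        handshake completed: something is listening on that port
    "refused"     the host answered with RST: reachable, but nothing listens
                  there (or a firewall rule rejects the connection)
    "filtered"    no answer before the timeout: packets dropped by a firewall,
                  or a link/IP problem further along the path
    "unreachable" the local host could not even send (no route, interface down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def start_loopback_listener():
    """Constructed helper: a server on 127.0.0.1 with an OS-assigned port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:            # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, server.getsockname()[1]


def unused_loopback_port():
    """Constructed helper: a port number nobody is currently listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def demo():
    """Check one listening and one closed loopback port; return both states."""
    server, open_port = start_loopback_listener()
    try:
        return {
            "listening": tcp_port_state("127.0.0.1", open_port),
            "closed": tcp_port_state("127.0.0.1", unused_loopback_port()),
        }
    finally:
        server.close()


if __name__ == "__main__":
    print(demo())
```

The distinction between "refused" and "filtered" is the useful one when you debug: a refusal proves that the IP layer works end to end and that only the service (or a rejecting firewall rule) is the problem, whereas a timeout leaves the link, IP and firewall layers all open as suspects and sends you back to ping and traceroute.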

To summarize: in a PC the troubleshooting sequence is as follows:

1. Check the configuration of the interfaces (ifconfig)
2. Test the network connection (ping and traceroute)
3. Check the routing table (route)
4. Fix the problem and repeat from 1 until it works fine.
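As an added example (not part of this manual), the following Python script performs steps 1 and 3 of this sequence on saved output of ifconfig and route -n: it parses both listings, checks that the interface is UP with an address inside the expected network, checks that the default route points to the expected gateway, and performs the longest-prefix lookup the kernel does so you can see which routing entry is used for a destination inside and outside your network. The two listings are constructed samples in the layout of the outputs shown above, using the 10.0.213.0/24 network of the route example:

```python
"""Check a PC's ifconfig and route -n output the way the sequence above does.

Added example, not part of the lab manual.  Both listings below are
constructed samples in the layout of the manual's own output, using the
10.0.213.0/24 network of the route example.
"""
import re
from ipaddress import ip_address, ip_network

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:DA:E9:12:9C
          inet addr:10.0.213.5  Bcast:10.0.213.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

SAMPLE_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.213.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.213.1      0.0.0.0         UG    0      0        0 eth0
"""


def parse_ifconfig(text):
    """Return {name: {"up": bool, "addr": str|None, "mask": str|None}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # a new interface block starts in column 0
            current = line.split()[0]
            interfaces[current] = {"up": False, "addr": None, "mask": None}
            continue
        if current is None:
            continue
        addr = re.search(r"inet addr:(\S+)", line)
        mask = re.search(r"Mask:(\S+)", line)
        if addr:
            interfaces[current]["addr"] = addr.group(1)
        if mask:
            interfaces[current]["mask"] = mask.group(1)
        if "MTU:" in line:                   # flags line; "UP" is absent when it is down
            interfaces[current]["up"] = "UP" in line.split()
    return interfaces


def parse_route(text):
    """Return one dict per routing entry of route -n output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        routes.append({
            "network": ip_network(f"{dest}/{genmask}"),
            # "*" (0.0.0.0 with -n) means directly connected: no gateway
            "gateway": None if gateway in ("*", "0.0.0.0") else gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the entry the kernel uses to send to destination."""
    dst = ip_address(destination)
    matching = [r for r in routes if dst in r["network"]]
    return max(matching, key=lambda r: r["network"].prefixlen) if matching else None


def check_pc(interfaces, routes, iface_name, expected_network, expected_gateway):
    """Steps 1 and 3 of the sequence; returns a list of problems (empty = OK)."""
    problems = []
    net = ip_network(expected_network)
    iface = interfaces.get(iface_name)
    if iface is None or not iface["up"]:
        problems.append(f"{iface_name} is missing or DOWN: check the cabling, then bring it up")
    elif iface["addr"] is None or ip_address(iface["addr"]) not in net:
        problems.append(f"{iface_name} address {iface['addr']} is not inside {net}")
    elif iface["mask"] != str(net.netmask):
        problems.append(f"{iface_name} netmask {iface['mask']} differs from {net.netmask}")
    default = [r for r in routes if r["network"].prefixlen == 0]
    if not default:
        problems.append("no default route: add it with route add default gw ...")
    elif default[0]["gateway"] != expected_gateway:
        problems.append(f"default route points to {default[0]['gateway']}, expected {expected_gateway}")
    elif ip_address(expected_gateway) not in net:
        problems.append(f"default gateway {expected_gateway} is not on {net}, so it cannot be reached")
    return problems


if __name__ == "__main__":
    ifs, rts = parse_ifconfig(SAMPLE_IFCONFIG), parse_route(SAMPLE_ROUTE)
    print("problems:", check_pc(ifs, rts, "eth0", "10.0.213.0/24", "10.0.213.1"))
    for dst in ("10.0.213.7", "193.150.254.81"):
        entry = lookup(rts, dst)
        print(dst, "->", entry["network"], "via", entry["gateway"], "on", entry["iface"])
```

The lookup shows the point made in the route paragraph: a destination inside 10.0.213.0/24 matches the first entry and is sent directly on eth0 (no gateway), while any other destination only matches the 0.0.0.0/0 entry and is handed to 10.0.213.1. The last check in check_pc is a common mistake: a default gateway that is not on the directly connected network can never be reached, so the default route is useless even though it is present.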

2.6.1 Short introduction to Wireshark

Sniffer programs have their main application in two basic areas. First, network administrators can use sniffers for a variety of purposes such as security monitoring. Second, they are very useful tools for researchers in the networking area. For example, one can build a statistical model of traffic by observing traces of particular applications. This data can be used for engineering the network topology, or for the creation of high-performance network devices with certain quality parameters. Using Wireshark you can dissect almost all kinds of network protocols and select packets with rules of a special format, called display filters. Display filters in Wireshark are very powerful; you have more fields in Wireshark than in other protocol analyzers, and the syntax you can use to create your filters is richer. Another attractive feature of Wireshark is its ability to assemble all the packets in a TCP conversation and show you the ASCII (or EBCDIC or hex) data in that conversation. The following description provides a brief overview of the key features of Wireshark.

GUI description

You can start Wireshark from a window manager or from the command line; in the second case, you can specify optional settings, such as the interface to capture from, or more advanced settings. This is not necessary to begin with, so you can just launch the application, select the interfaces and you will see the main window of the graphical interface (see Figure 2.20), which consists of three panes that you can re-size. Below the panes there is a strip that shows the current filter and some informational text.

The top pane contains the list of network packets that you can scroll through and select. By default, the packet number, packet time stamp, source and destination addresses, protocol, and description are displayed for each packet. The ’Columns’ page in the dialog box popped up by ’Edit:Preferences’ lets you change this (although, unfortunately, you currently have to save the preferences, and exit and restart Wireshark for those changes to take effect). If you click on the heading of a column, the display will be sorted by that column; clicking on the heading again will reverse the sort order for that column. An effort is made to display information as high up in the protocol stack as possible, e.g. IP addresses are displayed for IP packets, but the MAC layer address is displayed for unknown packet types. The right mouse button can be used to pop up a menu of operations. The left mouse button can be used to mark a packet.

The middle pane contains a protocol tree for the currently selected packet. The tree displays each field and its value in each protocol header in the stack. You can expand each item and see the content of the different protocols by clicking the ’+’ sign to the left of the name of the protocol.

The lowest pane contains a dump of the actual packet data. Selecting a field in the protocol tree highlights the corresponding bytes in this section.

Display filter syntax and how to make the traces more ’attractive’

Display filters help you to remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your display filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols. The simplest display filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the TCP protocol, the filter would be ’tcp’ (without the quotation marks!). Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations as in Table 2.6.


Figure 2.20: Wireshark - main window.

Abbreviation   Symbol   Meaning
eq             ==       Equal
ne             !=       Not equal
gt             >        Greater than
lt             <        Less than
ge             >=       Greater than or equal to
le             <=       Less than or equal to

Table 2.6: Basic operations.

To create a filter, click on the ’Filter’ button in the lower left corner of the main window. In the window that appears, type the name of your filter (for example ’TCP traffic’) in the ’Filter name’ field. Then, in the ’Filter string’ field, type the string of your filter, like ’ip.addr eq 130.237.50.78’. Click on ’New’; your filter will be added to the window of available filters. Then click on ’Save’ to save your filter. To apply your new filter click on the ’Apply’ button.

After you have applied your filter you can start capturing. Choose ’Start’ from the ’Capture’ menu and the Capture window will appear, as shown in Figure 2.21. In this window you will have to configure your session, and for that you have to activate the live update of packets in real time and the automatic scrolling, so that you are able to see the packets passing by. In addition, you have to select the monitored interface in the uppermost part of the window. Select the interface called "eth0". Do NOT put anything in the ’Filter’ string! In this string you are supposed to set ’tcpdump-like’ (capture) filters. This type of filter uses a different syntax (see the ’tcpdump’ manual page for more information). In fact, you can use either ’display’ or ’tcpdump’ filters, or even both of them, but it is enough to use only display filters. Moreover, the syntax of ’display’ filters is richer and allows you to do much more than ’tcpdump’ filters. After you have configured the capture options click ’OK’ to start capturing. After some time, you can stop capturing and analyze the trace.

You can make the trace easier to understand by coloring certain packets. This is useful if you want to see, for example, packets from a particular host and port number among all captured packets. For this you need to choose Colorize Display from the Display menu (note that this item is inactive before you start capturing). Click on New and set the display filter in the window that appears, with the syntax described above. Choose the foreground and background by clicking on the appropriate button. Then click on ’Apply’ to apply your settings. Table 2.7 lists some important protocol fields, Table 2.8 gives some useful port numbers and Table 2.9 contains some examples.


Protocol name   Field name                     Filter name       Filter description
Ethernet (eth)  Source or Destination Address  eth.addr          6-byte Hardware Address
Ethernet (eth)  Destination                    eth.dst           6-byte Hardware Address
Ethernet (eth)  Length                         eth.len           Unsigned 16-bit integer
Ethernet (eth)  Source                         eth.src           6-byte Hardware Address
Ethernet (eth)  Trailer                        eth.trailer       Byte array
Ethernet (eth)  Type                           eth.type          Unsigned 16-bit integer
IP              Source or Destination Address  ip.addr           IPv4 address
IP              Header checksum                ip.checksum       Unsigned 16-bit integer
IP              Differentiated Services field  ip.dsfield        Unsigned 8-bit integer
IP              Destination                    ip.dst            IPv4 address
IP              Flags                          ip.flags          Unsigned 8-bit integer
IP              Header Length                  ip.hdr_len        Unsigned 8-bit integer
IP              Identification                 ip.id             Unsigned 16-bit integer
IP              Total Length                   ip.len            Unsigned 16-bit integer
IP              Protocol                       ip.proto          Unsigned 8-bit integer
IP              Source                         ip.src            IPv4 address
IP              Time to live                   ip.ttl            Unsigned 8-bit integer
IP              Version                        ip.version        Unsigned 8-bit integer
TCP             Acknowledgement number         tcp.ack           Unsigned 32-bit integer
TCP             Checksum                       tcp.checksum      Unsigned 16-bit integer
TCP             Destination Port               tcp.dstport       Unsigned 16-bit integer
TCP             Flags                          tcp.flags         Unsigned 8-bit integer
TCP             Header Length                  tcp.hdr_len       Unsigned 8-bit integer
TCP             Next sequence number           tcp.nxtseq        Unsigned 32-bit integer
TCP             Source or Destination Port     tcp.port          Unsigned 16-bit integer
TCP             Sequence number                tcp.seq           Unsigned 32-bit integer
TCP             Source Port                    tcp.srcport       Unsigned 16-bit integer
TCP             Window size                    tcp.window_size   Unsigned 16-bit integer
UDP             Checksum                       udp.checksum      Unsigned 16-bit integer
UDP             Destination Port               udp.dstport       Unsigned 16-bit integer
UDP             Length                         udp.length        Unsigned 16-bit integer
UDP             Source or Destination Port     udp.port          Unsigned 16-bit integer
UDP             Source Port                    udp.srcport       Unsigned 16-bit integer
SMTP            Request                        smtp.req          Boolean
SMTP            Response                       smtp.rsp          Boolean

Table 2.7: Important protocol fields in Wireshark

Application   Protocol   Number
Telnet        TCP        23
WWW           TCP        80
SMTP          TCP        25
DNS           UDP        53

Table 2.8: Some useful port numbers

Filter string                                  Description
ip                                             display only IP packets
tcp.dstport eq 25                              display SMTP requests
ip.src eq 192.x.x.x and udp.dstport eq 53      display DNS requests
ip.addr eq 192.x.x.x and tcp.port eq 80        display HTTP communication
arp                                            display ARP traffic

Table 2.9: Some useful display filters
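To see how the comparisons of Table 2.6 and the combined filters of Table 2.9 are evaluated, here is an added example (not part of this manual, and not Wireshark's own filter engine) that applies such filters to a small constructed trace. It goes slightly beyond the tables by supporting 'and'/'or' combinations and the either-direction fields ip.addr, eth.addr, tcp.port and udp.port; the packet records are constructed and keyed by the Wireshark field names of Table 2.7:

```python
"""Minimal evaluator for Wireshark-style display filters.

Added example, not part of the lab manual and not Wireshark's own engine.
The packets below are constructed records keyed by Wireshark field names.
"""
import operator

OPERATORS = {
    "eq": operator.eq, "==": operator.eq,
    "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt,
    "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge,
    "le": operator.le, "<=": operator.le,
}

# "either direction" fields and the concrete fields they stand for
COMBINED_FIELDS = {
    "eth.addr": ("eth.src", "eth.dst"),
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

# Constructed trace: an ARP request, a DNS query, an HTTP request, an SMTP
# connection and the HTTP reply, seen from the (constructed) host 192.168.1.10.
PACKETS = [
    {"eth.src": "00:50:da:e9:12:9c", "eth.dst": "ff:ff:ff:ff:ff:ff", "eth.type": 0x0806, "arp.opcode": 1},
    {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "ip.proto": 17, "udp.srcport": 40000, "udp.dstport": 53},
    {"ip.src": "192.168.1.10", "ip.dst": "130.237.50.78", "ip.proto": 6, "tcp.srcport": 51000, "tcp.dstport": 80},
    {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.25", "ip.proto": 6, "tcp.srcport": 51001, "tcp.dstport": 25},
    {"ip.src": "130.237.50.78", "ip.dst": "192.168.1.10", "ip.proto": 6, "tcp.srcport": 80, "tcp.dstport": 51000},
]


def field_values(packet, name):
    """All values the field has in this packet (two for ip.addr, tcp.port, ...)."""
    return [packet[n] for n in COMBINED_FIELDS.get(name, (name,)) if n in packet]


def has_protocol(packet, proto):
    """A bare protocol name matches if the packet carries any field of that protocol."""
    return any(key.split(".")[0] == proto for key in packet)


def eval_term(packet, tokens):
    """Evaluate one term: either 'proto' or 'field op value'."""
    if len(tokens) == 1:
        return has_protocol(packet, tokens[0])
    if len(tokens) == 3 and tokens[1] in OPERATORS:
        name, op, literal = tokens
        values = field_values(packet, name)
        if not values:                        # comparing an absent field is false
            return False
        # As in the Wireshark releases this manual was written for, a comparison
        # holds if ANY occurrence of the field satisfies it.  That is why
        # "ip.addr ne X" still matches packets sent to or from X: the other
        # address is not X.  (Later Wireshark releases changed the meaning of !=.)
        return any(OPERATORS[op](v, int(literal, 0) if isinstance(v, int) else literal)
                   for v in values)
    raise ValueError("cannot parse filter term: " + " ".join(tokens))


def split_on(tokens, keyword):
    """Split a token list on a keyword ('and' / 'or') into groups of tokens."""
    groups, current = [], []
    for tok in tokens:
        if tok == keyword:
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return groups


def matches(packet, filter_string):
    """'and' binds tighter than 'or'; parentheses are not supported here."""
    return any(all(eval_term(packet, term) for term in split_on(group, "and"))
               for group in split_on(filter_string.split(), "or"))


def apply_filter(packets, filter_string):
    """Return the 1-based packet numbers the packet list would show."""
    return [no for no, pkt in enumerate(packets, 1) if matches(pkt, filter_string)]


if __name__ == "__main__":
    for flt in ("ip", "tcp.dstport eq 25", "ip.addr eq 130.237.50.78 and tcp.port eq 80"):
        print(f"{flt:50s} -> packets {apply_filter(PACKETS, flt)}")
```

Try the filter ip.addr ne 192.168.1.10 on this trace: every IP packet matches, because each of them has one address that is not 192.168.1.10. When you want "neither source nor destination is X", write the filter as a negated equality instead (the not operator, which this small evaluator does not implement).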


Figure 2.21: Wireshark - capture window.

2.7 Linux hints

In this lab we do not assume that you have experience working with Unix-like operating systems such as Linux. Therefore, we briefly describe in this section some basic operations that will help you to complete the lab work. If you are experienced with Unix-like operating systems, skimming through this section would still be helpful.

2.7.1 Logging in

Unix is a multi-user operating system. This basically means that many people may work on the same computer at the same time; therefore, to work with Linux you have to identify yourself by a process called logging in. When you switch on your PC, Linux will prompt for your user name and password. Depending on the configuration this prompt can appear either in a textual console or in the graphical user interface (XWindows). After entering both the correct name and password you are authorized to use the system. If you work in graphical mode you will see an environment like the one in Figure 2.22, which looks similar to Microsoft Windows. If you are working in textual mode you will see something like this:

user@live: $

This is a command prompt, and you are supposed to write Unix commands after the symbol “$”. In graphical user interface mode, go to “Accessories/Terminal” to start a terminal window.

2.7.2 The Linux file system

It is very important to know at least a minimum of information about the Linux file system to perform successfully in our lab. The file system in Linux is organized as a tree where all directories branch out from the root. The root of the Linux file system is denoted as “/”. Under the root there are a number of subdirectories (execute ls / to see the content of the root directory). Among them the most interesting for us are: /bin, /usr/sbin, /sbin, /etc, and /home. The first three directories contain the programs (binary files) which are capable of changing the key parameters of the system. The directory /etc contains the system configuration files. Configuration files are text files which can be modified by the administrator of the system. The directory /home contains the directories of the users. So, for example, if a user with the user name “lab” exists in the system then all his files will be placed in the directory /home/lab. Obviously, in Linux the rights to access different directories are restricted for different users. By default, for a normal user, write access is forbidden for the whole /etc directory, and the execution of all programs that can modify system parameters is limited (e.g. ifconfig, route etc.). Therefore you have to know that in order to modify any system parameter you must be a superuser (root) or have special privileges. You get these privileges if you start a command with “sudo” in front.


Figure 2.22: Graphical User Interface.

Another important thing for you to know is the concept of paths. In Linux there is a special system file for each user which contains the paths to the most used directories. Since access to some parts of the file system is restricted for the normal user, there is no path to the programs which are in /bin and /usr/sbin. If, for example, you have logged in as a normal user you will not be able to execute the traceroute command. In this case you have to specify the full path to this command (e.g. /usr/sbin/traceroute) to execute it. To summarize the discussion:

• All directories branch out from the root (“/”).
• The record “/usr/sbin/traceroute” means: the program “traceroute” is in the “sbin” directory, which is in the “usr” directory. The “usr” directory branches directly from the root (“/”).
• The most used programs in our lab have the following paths (try to specify the whole path when you see an error like bash: name_of_command: command not found):

1. /sbin/ifconfig
2. /bin/ping
3. /usr/sbin/traceroute
4. /sbin/route

2.7.3 XWindows and virtual consoles

The graphical user interface in Linux has the name “XWindows”. We will not describe all the functionality of XWindows; you will find it easy to use. Remember, even if you work in graphical mode it is still a Unix system, and whenever you would like to execute something you may need to type a command somewhere. For this purpose XWindows offers the so-called “terminal windows”, depicted in Figure 2.22. To launch a new terminal go to Applications > Accessories. In this window you will see a command prompt such as:

[lab@localhost lab]$

You can open as many terminal windows as you want; they will work in parallel. There is, however, another way to execute commands. Linux allows switching between graphical mode (XWindows) and textual mode by means of virtual consoles. By default Linux offers 6 consoles to the user, and you can switch between them by pressing the following sequences of keys: CTRL-ALT-F1 ... CTRL-ALT-F6. When you switch to a console you will see the login prompt:

localhost login:

After you log in, you will see the command prompt. You can always return to the graphical mode by pressing CTRL-ALT-F7.


Command                    Meaning
ls                         List the content of your working directory
cd [name of a directory]   Change the directory
less [name of a file]      Display the content of a file (you can use both)
more [name of a file]
cp [file1] [file2]         Copy files
mv [file1] [file2]         Move files
rm [file1]                 Remove file (i.e., delete)

Table 2.10: Unix commands

2.7.4 Unix commands

Let us remind you again that all commands have to be written in the terminal window. Here we give you a list of the most useful commands. You can always get online help about the syntax of a particular command by typing

man Name_of_a_command

Note, that this may be the most useful command in Unix. Use it always when you are unsure about the syntax of a command. The commands which you will use in the lab are listed in Table 2.10. You can edit text files using many available text editors like: vi, pico, emacs, or any graphical editor you can find in XWindows such as gedit.

2.7.5 Getting help

Remember, if you are working with Linux you can always get online help about a particular command by typing: man [name of a command]. A summary of the usage of a particular command can be obtained using the option “--help”. For example: ifconfig --help. However, if you want to access help via the Internet there are sites that contain all Linux documentation. The documents about all Linux concepts have the name “HOWTO”. You can find them at http://en.tldp.org/. You can also access online manuals for Linux commands at http://man.he.net.

2.8 Connecting to Raspberry Pi

1. Download the VNC Viewer from https://www.realvnc.com/download/viewer/.
2. Power up the Raspberry Pi.
3. Wait for about 1 minute for the Raspberry Pi to boot up.
4. Connect your computer to the wireless network "PiNetX", where "X" stands for the ID of the Raspberry Pi and can be found on the case of the Raspberry Pi. The password is also available on the case of the Raspberry Pi.
5. Run the VNC Viewer and connect to host 192.168.50.1. The user name and password for login are "pi" and "raspberry".


2.9 Task 1: Review your network diagram

The first thing you should do when creating a network is to carefully review your network diagram and identify the different elements in it. Figures 2.2 and 2.3 show the network diagram for this session. Look at them and answer the following questions:

1. How many departmental backbones are there in the whole network?

2. How many LANs are there per backbone?

3. How many link-layer hops do the packets perform from the PC in your LAN to the gateway to the Internet? (Hint: How many ’cables’ are your packets crossing in Figure 2.3?)

4. How many hops do the packets perform considering ONLY the network layer in the same path? (Hint: How many IP-level devices are your packets crossing?)

5. Each position in the lab corresponds to an area network of a particular department. Write below the name of the network you are in and the range of the assigned IP addresses.

• Network address:
• Broadcast address:
• The range of addresses available for the devices in your network:
• Network mask:

6. Figure 2.23 represents the equipment in your area network and part of the departmental backbone. Using figure 2.2 and figure 2.3 as a guide, fill in the IP addresses, names and interface names corresponding to your position. Assign the IP addresses following the rules given in section 2.1.1.

2.10 Task 2: Identify your equipment

This task focuses on the identification of the equipment in your lab position. You will work with the router, the switch and the PC to find their external ports. The guidelines given in section 2.2 will be a great help here. This task is both simple and important. You need to be familiar with the appearance and location of the different ports before you can perform more complex configuration tasks. In addition to the network devices, here you will also work with the cables that interconnect them. Knowing how to identify the different cables is also very important for the rest of the tasks in the lab.

1. Following the indications of section 2.2, find the router, the switch and the PC server (the Raspberry Pi). Note that the model name of the Cisco equipment appears in the front top-right corner of the box.

• Search in the Cisco boxes and write down the model series:

Cisco router: ________ series
Cisco switch: Catalyst ________

2. Start working with the router. Find all its Ethernet ports, its console port, its power switch and its power supply socket.

3. In the switch, find its Ethernet ports and its power supply socket.

4. In the PC, find its serial and Ethernet ports.

5. Classify the cables in your lab position into crossover, straight-through and roll-over cables. Find also the DB9 to RJ45 adapter and USB to DB9 adapter.


Figure 2.23: Area diagram


• The different types of cables in the lab can also be identified by the color of their external covers. Please write here the color corresponding to each type of cable:

Crossover cable: ________
Straight-through cable: ________
Roll-over cable: ________

Note: The color of the external cover is not standardized at all. Different brands can use different colors for the same type of cables. Check the color code in the RJ45 plugs to properly identify the type of cable.

2.11 Task 3: Configure the PC server (the Raspberry Pi)

In this task you will configure the PC using the commands described in subsection 2.6. In order to do this you will need to perform three actions. First, you have to connect your laptop to the PC (Raspberry Pi). Second, you have to configure the network interface of your computer (assign the proper IP address and the proper netmask). Third, you have to write the proper information into the routing table of the PC.

1. Connect to the PC (Raspberry Pi) with your laptop.
2. Open a terminal window on the PC server. You will type all commands in there.
3. Bring up your Ethernet interface (in your PC the interface name is eth1) with the command ifconfig. Recall the IP information of your network and configure your interface using the following command:

ifconfig Interface_ID IP_of_your_PC netmask Your_Netmask broadcast Broadcast_address

• Check the values of your interface by typing ifconfig without options. You should see the configuration information in the form shown below. Fill in below the missing fields of the ifconfig output:

eth1      Link encap:Ethernet  HWaddr ________
          inet addr:________  Bcast:________  Mask:________
          UP BROADCAST RUNNING MULTICAST  MTU:____  Metric:1
          RX packets:1217 errors:0 dropped:0 overruns:1 frame:0
          TX packets:303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x200

lo        Link encap:Local Loopback
          inet addr:________  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

4. Add a route to the default gateway with the route command. The default gateway should be the inner interface of your LAN router.

route add default gw Address_of_your_router

• Check the content of the routing table by executing route -n. Fill in the missing fields of the routing table of your PC:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
________        0.0.0.0         ________        U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 ____
0.0.0.0         ________        0.0.0.0         UG    0      0        0 eth0

• Looking at the routing table above, answer the following question (you should not run any command to answer this question, just look at the table, which you have filled in above). Suppose you ping a computer inside your network and a computer which is outside of your network. Look at the routing table of your computer and mark which routing entry is the one that is used to send these ping packets, both to the switch and a computer outside your network.


2.12 Task 4: Configure the switch

This task deals with the configuration of the switch in our network. You will create the configuration file of the switch following the steps described in 2.3.2. You will use the PC (the Raspberry Pi) running Linux as the management console.

1. Before starting the initial configuration of the switch, you need to find out the answers to the question that will appear during the setup process. Most of these answers already appeared in 2.3.2. The IP configuration data must be obtained from the network diagram for your session (See Figure 2.2 considering the position of the switch in the network and your IP addressing scheme)

• Fill in the gaps below with the information to be used for the configuration of the switch:
  – Switch IP address:
  – Switch net mask address:
  – Switch default gateway address:
  – Switch secret password:
  – Switch Telnet password:
• If the switch is a link-layer device and thus independent of the IP layer, why does it require an IP address?

2. Connect a management console to the switch following the instructions in 2.2.1.

3. Start the management console following the instructions in 2.3.1.

4. Power on the switch. Some messages should be displayed in the console while the switch boots. If there are no messages displayed, check the connection and configuration of the emulated console.

5. Perform the initial configuration of the switch as described in 2.3.2

6. Once you have finished and saved the initial configuration, reboot the switch using the switch’s command reload.

7. After the switch completes the reboot process, connect the PC Ethernet port to any port of the switch. In the PC open a terminal window. Execute telnet IP_of_the_Switch to login from the PC to the switch. Display the configuration of the switch using the proper CLI command. With the information shown, fill in the gaps below.

interface VLAN1
 ip address ______________ ______________
ip default-gateway ______________

2.13 Task 5: Configure the router

This task deals with the configuration of the router in our network. You will create the configuration file of the router following the steps described in 2.3.3. You will use the PC running Linux as the management console.

1. Before starting the initial configuration of the router, you need to find out the answers to the question that will appear during the setup process. Most of these answers already appeared in 2.3.3, but the IP configuration data must be obtained from the network diagram for your session (See Figure 2.2 considering the position of the router in the network and your IP addressing scheme).

• Fill in the gaps below with the information to be used for the configuration of the router:
– FastEthernet 0/0 IP address:
– FastEthernet 0/0 subnetwork mask address:
– FastEthernet 0/1 IP address:
– FastEthernet 0/1 subnetwork mask address:
– Router default gateway address:
– Router secret password:
– Router Telnet password:

• Looking at the network diagram, you can discover that the router needs four static routes to reach all the networks. Fill in the routing information in the table below. Remember that the router needs a static route to the network behind each of the other area routers in the same departmental backbone. Since there are three additional routers per departmental backbone, three static routes are needed. In addition, the router needs a static route indicating that any other network can be reached through the PC-router interface in the backbone. Use the network number 0.0.0.0 and network mask 0.0.0.0 to identify any other network. Note that the router can reach any host in a directly connected network without a static route to that network.

No  Destination network   Subnet mask       Next hop address
1   ___________________   _______________   ________________
2   ___________________   _______________   ________________
3   ___________________   _______________   ________________
4   ___________________   _______________   ________________

2. Connect a management console to the router following the instructions in 2.2.1.

3. Start the management console following the instructions in 2.3.1

4. Connect the router Fast Ethernet ports to the corresponding switch ports. Remember to use the proper type of Ethernet cable. Refer to Figure 2.3 to find out which ports of the router should be connected to each network.

5. Power the router on. Some messages should be displayed in the console while the router boots. If there are no messages displayed, check the connection and the configuration of the emulated console.

6. Perform the initial configuration of the router as described in 2.3.3.

7. Once you have finished and saved the initial configuration, add the static routes of the table above using the "ip route" command. The parameters to this command can be discovered using the question mark character in the CLI while in configuration mode.

8. Once you have added the routing table, save the configuration with the copy command. Use the proper parameters to this command.

9. Once you have completed and saved the configuration, reboot the router using the command reload.

10. After the router completes the reboot process, open a terminal window in the PC. Execute telnet IP_of_the_Router to login from the PC to the router. Display the configuration of the router using the proper CLI command. With the information shown, fill in the gaps below.

interface FastEthernet0/0
 ip address ______________ ______________
 no ip directed-broadcast
 speed full-duplex
!
interface FastEthernet0/1
 ip address ______________ ______________
 no ip directed-broadcast
 speed full-duplex
!

11. Ping from the router to its default gateway (the interface of the PC-router in your departmental backbone). Which is the symbol used to display a successfully received ping reply?


2.14 Task 6: Using ping and understanding its output

1. Now after you have configured your computer and the network equipment, you can test the connection. If something does not work, do the troubleshooting described in Section 2.5.1.

• In a terminal window of the PC try the ping command to check that the following hosts are alive (reachable from your machine). When pinging the PC-router, use the IP address of the interface that belongs to your department (check Figure 2.2 for the proper address).

ping -n router_IP
ping -n IP_of_PC-router
ping -n www.imit.kth.se

• Ping the machine www.kth.se and stop it after a few replies by typing Ctrl+C; fill in the missing parts of the ping output given below and answer the following questions.

PING www.kth.se (________) ____(84) bytes of data.
____ bytes from ________ (________): icmp_seq=1 ttl=____ time=____
____ bytes from ________ (________): icmp_seq=2 ttl=____ time=____
____ bytes from ________ (________): icmp_seq=3 ttl=____ time=____

• How many IP hops away is the machine www.kth.se from your current position? (Remember that ping requests/replies are sent with a maximum value of TTL = 255.)
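As an added example (not part of the manual), here is a small Python parser for the reply lines ping prints, together with the hop arithmetic the last question asks for: every router on the return path decrements the TTL by one, so with the manual's assumption that the reply left the remote host with TTL 255, the number of hops is 255 minus the TTL you see. The sample output, the hostname www.example.net and the address 203.0.113.10 are constructed; the helper guess_initial_ttl is my addition, covering the other initial TTL values (64 and 128) that common operating systems use when the remote host is not known to start at 255.

```python
import re

# Constructed ping output in the format the manual asks you to fill in above.
# Address, TTL and timings are made up for the example.
SAMPLE_PING = """\
PING www.example.net (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=1 ttl=243 time=11.2 ms
64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=2 ttl=243 time=10.8 ms
64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=3 ttl=243 time=12.0 ms
"""

# One echo-reply line: "<n> bytes from <host> (<ip>): icmp_seq=<k> ttl=<t> time=<ms> ms"
REPLY_RE = re.compile(
    r"(?P<bytes>\d+) bytes from (?P<host>\S+)(?: \((?P<ip>[\d.]+)\))?: "
    r"icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<time>[\d.]+) ms"
)

# Initial TTL values commonly used by operating systems (assumption for the
# guess below); the manual's question assumes 255.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_ping(output):
    """Return one dict per echo reply line: seq, ttl, rtt in ms and payload bytes."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append({"seq": int(m["seq"]), "ttl": int(m["ttl"]),
                            "time": float(m["time"]), "bytes": int(m["bytes"])})
    return replies


def hops_away(ttl, initial_ttl=255):
    """Routers between the remote host and us: each one decremented the TTL by one."""
    if not 0 < ttl <= initial_ttl:
        raise ValueError("TTL is outside the valid range for this initial value")
    return initial_ttl - ttl


def guess_initial_ttl(ttl):
    """When the remote OS is unknown, assume the smallest common initial TTL that
    is at least the observed value (a reply cannot gain TTL in transit)."""
    for candidate in COMMON_INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError("a TTL larger than 255 is not valid")


def summarize(output):
    """Reply count, round-trip statistics and the hop estimate for a ping run."""
    replies = parse_ping(output)
    if not replies:
        return None
    rtts = [r["time"] for r in replies]
    ttl = replies[-1]["ttl"]
    return {
        "received": len(replies),
        "rtt_min": min(rtts),
        "rtt_avg": round(sum(rtts) / len(rtts), 3),
        "rtt_max": max(rtts),
        "hops_assuming_255": hops_away(ttl),
        "hops_assuming_guess": hops_away(ttl, guess_initial_ttl(ttl)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```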

2.15 Task 7: Using traceroute and understanding its output

1. Run traceroute to the following destinations (do not forget the option “-n”, which switches off DNS lookup):

traceroute -n IP_of_the_gateway_to_the_Internet
traceroute -n www.kth.se
traceroute -n www.berkeley.edu

If traceroute does not work, do the troubleshooting.

2. Most large corporations try to hide the internal structure of their network. Because of this, their routers are configured not to send ICMP messages back. Make a traceroute to www.microsoft.com and answer the following question:

• Which is the sequence number of the first router which does not respond?

2.16 Task 8: Checking ARP

1. Discover how exactly your PC does the mapping between MAC and IP addresses and how that affects the protocols and their performance.

• Execute arp -a. How many entries does the ARP table of your PC have?

• What is the Ethernet address of your PC (you can also find this information using the ifconfig command)?

2.17 Task 9: Using Wireshark

1. In this task you should discover some details of how the protocols work by observing the traffic using Wireshark. To start Wireshark, open a terminal window and type:

sudo wireshark

Remember the facts about construction of the filters and do the following:

• The following filter will display all Ethernet frames from and to your machine which contain the ARP protocol (we will refer to this filter later as ARP_FILTER). Execute ifconfig to discover Your_MAC_Address.

eth.addr==Your_MAC_Address and arp

• The following filter will display only IP traffic (we will refer to this filter later as IP_FILTER).

ip

• The following filter will display traceroute traffic from and to your PC (we will refer to this filter later as TRACEROUTE_FILTER).

(ip.src==IP_of_Your_PC and ip.proto==0x11) or (ip.dst==IP_of_Your_PC and ip.proto==0x01)

2. Before proceeding further run the following command in a terminal window:

arp -d switch_IP

If you see an error message after executing this command this means that your ARP table does not have an entry for this IP address. This is fine, just proceed with the task. Now go back to your Wireshark window. While capturing, make a ping to the switch in your network. Type the ARP_FILTER in the Filter field of the main window of Wireshark and answer the following questions:

• On which layer of the TCP/IP stack does ARP work?

• What is the meaning of the first message of ARP (look at “info” column)?

• What is the meaning of the second message of ARP (look at “info” column)?

• What is the destination address of an ARP request?

• What is the destination address of an ARP reply?

3. While capturing, make a ping to the ROUTER in your network. Type the IP_FILTER in the Filter field of the main window of Wireshark and answer the following questions:

• In the main window of Wireshark choose one of the ICMP request packets. Look at Figure 2.24, find appropriate information in Wireshark and fill in the gaps (Hint: you need to calculate how many bytes the ICMP header of the PING packet is).

4. While capturing the traffic in Wireshark, make a traceroute to 194.71.11.40 without the “-n” option. Type the TRACEROUTE_FILTER in the Filter field of the main window of Wireshark and answer the following questions:

• How many times does the PC send traceroute probes to each hop? Hint: choose consecutively at least 7 UDP packets starting from the first one. Look at the Time To Live value of the IP header in each packet.

• Choose one of the last three ICMP messages of the traceroute (these messages came from the destination machine). What is the code (number and meaning) of this ICMP message?

• Choose any other ICMP message of the traceroute (this message came from one of the routers on the path to the destination). What is the code (number and meaning) of this ICMP message?


Figure 2.24: Format of the Ping message

• What is the UDP port number(s) to which the traceroute sends its probes?

• List the names of all protocols which are involved in the traceroute communications (look at the ’Protocols’ column in Wireshark’s main window).

5. Repeat the task in item 4 with ’-n’ option in the traceroute.

• Which protocols are missing now?
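As an added example (not code from the manual), the following Python model ties together the traceroute questions of Task 7 and of item 4 above: it builds the packet sequence you would capture with TRACEROUTE_FILTER (UDP probes going out, ICMP replies coming back), expresses that filter in Python, counts probes per TTL, matches each reply to its probe the way traceroute does (through the UDP destination port quoted inside the ICMP error), and finds the first hop that answers nothing, which traceroute prints as "* * *". The path, the PC address 192.168.10.2 and the destination 203.0.113.1 are constructed; the constants (three probes per hop, ports starting at 33434, ICMP type 11 code 0 from routers and type 3 code 3 from the destination) are the standard UDP traceroute behaviour.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_ICMP, PROTO_UDP = 0x01, 0x11   # ip.proto values used in TRACEROUTE_FILTER
ICMP_TIME_EXCEEDED = (11, 0)         # type 11 code 0: a router dropped the probe when its TTL reached 0
ICMP_PORT_UNREACHABLE = (3, 3)       # type 3 code 3: the destination had no listener on the probe's port
BASE_PORT = 33434                    # first UDP destination port traceroute uses; it increments per probe
PROBES_PER_HOP = 3                   # probes sent for every TTL value


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    udp_dport: Optional[int] = None            # set on the UDP probes
    icmp: Optional[Tuple[int, int]] = None     # (type, code) on the ICMP replies
    quoted_dport: Optional[int] = None         # the probe's port quoted inside the ICMP error


MY_PC = "192.168.10.2"                         # constructed address of the PC
# Constructed path: the LAN router, then a router that silently drops probes
# (None, like the ones in item 2 of Task 7), then the destination host.
PATH = ["192.168.10.1", None, "203.0.113.1"]


def traceroute_exchange(my_ip, path):
    """Packets seen on the PC's interface: for every TTL, PROBES_PER_HOP UDP probes
    and, when that hop answers, one ICMP reply per probe."""
    packets, dport, dest = [], BASE_PORT, path[-1]
    for ttl, hop in enumerate(path, start=1):
        for _ in range(PROBES_PER_HOP):
            packets.append(Packet(my_ip, dest, PROTO_UDP, ttl, udp_dport=dport))
            if hop is not None:
                kind = ICMP_PORT_UNREACHABLE if hop == dest else ICMP_TIME_EXCEEDED
                packets.append(Packet(hop, my_ip, PROTO_ICMP, 64, icmp=kind, quoted_dport=dport))
            dport += 1
        if hop == dest:
            break
    return packets


def traceroute_filter(pkt, my_ip):
    """TRACEROUTE_FILTER in Python:
    (ip.src==me and ip.proto==0x11) or (ip.dst==me and ip.proto==0x01)."""
    return (pkt.src == my_ip and pkt.proto == PROTO_UDP) or \
           (pkt.dst == my_ip and pkt.proto == PROTO_ICMP)


def probes_per_ttl(packets, my_ip):
    """Number of UDP probes sent with each Time To Live value."""
    counts = {}
    for p in packets:
        if p.src == my_ip and p.proto == PROTO_UDP:
            counts[p.ttl] = counts.get(p.ttl, 0) + 1
    return counts


def hop_report(packets, my_ip):
    """Per TTL, the (sender, (icmp type, code)) of every reply received. A reply is
    matched to its probe through the UDP port quoted in the ICMP error."""
    probe_ttl = {p.udp_dport: p.ttl for p in packets if p.src == my_ip and p.proto == PROTO_UDP}
    report = {ttl: [] for ttl in probe_ttl.values()}
    for p in packets:
        if p.dst == my_ip and p.proto == PROTO_ICMP:
            report[probe_ttl[p.quoted_dport]].append((p.src, p.icmp))
    return report


def first_silent_hop(report):
    """Sequence number of the first hop that sent nothing back ('* * *'), or None."""
    for ttl in sorted(report):
        if not report[ttl]:
            return ttl
    return None


if __name__ == "__main__":
    capture = traceroute_exchange(MY_PC, PATH)
    print(probes_per_ttl(capture, MY_PC))
    print(hop_report(capture, MY_PC), "first silent hop:", first_silent_hop(hop_report(capture, MY_PC)))
```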


Chapter 3

Lab Session 2: Digging in the protocols

Before the session

3.1 Traffic filtering

The purpose of routing is to provide enough information to the routers so they are able to forward traffic to any destination in the network. However, sometimes it is required that some part of the traffic does not reach certain destinations. For instance, we would like to prevent users from outside our network from accessing the router in our network for remote configuration using telnet. In addition to security, there are more reasons to place restrictions on the network traffic. Load balancing is another typical example, where the traffic is classified and routed depending on its nature and not only on its destination.

The set of restrictions on certain types of traffic is usually referred to as traffic policies. The mechanism that enforces these policies in the network is called traffic filtering, and a router applying it is commonly known as a firewall. The syntax for policies varies between vendors and platforms, but all implementations allow us to express rules that decide whether the traffic should be forwarded or dropped. It is important to note that traffic filtering is applied in addition to routing.

Since we are using Cisco equipment in the lab, we will use their syntax. In Cisco IOS, filtering is called access control and it is expressed through Access Control Lists (ACLs). An ACL is a sequential collection of statements that establish what kind of packets to permit or deny based on their source address, destination address and/or port. It is possible to store several ACLs in the configuration of the router, but only two ACLs can be applied per interface, one for the outgoing traffic and another one for the incoming traffic. Each packet arriving at or leaving the interface is tested against the statements to determine whether it should be forwarded or dropped.

These concepts are better illustrated with an example. Imagine that we want to create a policy that forbids HTTP traffic (web browsing) from getting into our network 192.168.10.0/24. Using Cisco ACLs, this is written as follows:

ip access-list extended noHTTPtraffic
 deny TCP 0.0.0.0 255.255.255.255 192.168.10.0 0.0.0.255 eq 80
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

These lines are included in the configuration file of the router like the rest of the configuration. The first line declares that the definition of an ACL is starting. The keywords ip access-list are mandatory, while extended specifies the type of ACL. There are several types of ACL, but we will always use extended ACLs because they provide the richest syntax. The first line ends with the name we gave to this ACL, noHTTPtraffic, which can be used to refer to this ACL later.

The second and third lines are the statements that establish our policy. The first keyword, deny or permit, indicates whether the statement will deny or accept the traffic when the condition is satisfied. The rest of the line contains the condition against which each packet will be tested. The condition starts with a keyword, then has two mandatory addresses (source address and destination address) and optionally a port. The first keyword in the condition indicates the type of traffic to match; possible values for this field are tcp, udp, ip or icmp. After the traffic type, each address is specified with two words: the first is the expected IP address and the second is called a wildcard mask.

The wildcard mask indicates which bits of the packet’s IP address must match the expected address for the statement to be applied. The wildcard mask looks like a network mask, but it operates in a completely different way: each 0 bit in the wildcard means check the corresponding bit of the packet’s address, while a 1 bit means ignore it. So the destination address 192.168.10.0 0.0.0.255 of the first statement means that the first 3 octets of the packet’s destination address must match the first 3 octets of the given address for this rule to be applied. The last octet of the packet’s address is not checked, since the wildcard mask contains ones there. As a special case, the address 0.0.0.0 means any IP address and the wildcard mask 255.255.255.255 means do not check any bit of the packet’s address. In our example, the pair 0.0.0.0 255.255.255.255 in the source address of the first statement means accept any address as the source address of the tested packet. The router will display the word any instead of this pair.

The condition finishes with the port to be matched; this part is optional. In our example, the first statement contains a port limitation in its condition but the second does not. In the first condition, eq 80 means that the packet must contain port 80 (the HTTP port) to match the condition.

To summarize, our ACL has two statements. The first one denies TCP traffic from any source to any host in our network (192.168.10.0/24) if the packet contains HTTP traffic (port 80). The second one permits any other packet. It is important to highlight that packets are tested against the statements in the order in which the statements were created, and that when a packet matches a statement the permit or deny decision is made and the rest of the statements are not checked. For example, if the second statement were in the first position, all packets would be accepted, since all would match the permit condition and the deny condition would never be tested.

To finish with the syntax of ACLs, mind that by default they contain a final statement deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255, which denies all packets not matching any of the previous statements. It is always there, even though it is never displayed. This means that the second statement of our example is important; otherwise the default statement would have dropped all the packets not containing port 80. Remember that you always need to permit the allowed traffic explicitly.

Once the desired ACLs are included in the configuration of the router, they must be linked to a particular interface. This linking mechanism provides great flexibility, because different interfaces in the router can apply different policies (ACLs). The syntax to link our ACL to the incoming traffic on the FastEthernet0/1 port of the router would be:

interface FastEthernet0/1
 ...
 ip access-group noHTTPtraffic in
 ...

It is a straightforward command in the interface’s configuration, where the name of the ACL identifies it. The final keyword in means that the ACL is checked against incoming traffic, so outgoing traffic will not be filtered. The other value of this final keyword is out, to filter outgoing traffic. Remember that there is an additional restriction: at most two ACLs can be linked to one interface (one per direction).

To close this section, here are some useful hints for working with ACLs. ACLs must be created in global configuration mode, but they are linked to interfaces from the particular interface’s configuration mode. The statements are tested in the order in which they were created, so if you need to change the order of the statements you have to delete them first using the “no” form and retype them in the desired order. The command show ip interface, executed in privileged mode, lists the ACLs set for each interface. The command show access-list [name] displays the contents of the ACL given by name; when the optional name is omitted, all ACLs are displayed.
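As an added example (this is not the manual's code, nor Cisco's implementation), here is a small Python model of the evaluation described in this section: wildcard-mask matching, first-match ordering and the implicit final deny. It parses the noHTTPtraffic ACL exactly as written above and two constructed variants, one with the statements in the wrong order and one without the explicit permit, and runs constructed packets through them. Only the syntax used in the text is modelled (permit/deny, protocol tcp/udp/ip/icmp, two address/wildcard pairs or any, and an optional eq port on the destination); the addresses 198.51.100.7 and 192.168.10.20 are placeholders.

```python
import ipaddress

# Wildcard masks: a 0 bit means "this bit must match", a 1 bit means "ignore it".
# The pair 0.0.0.0 255.255.255.255 therefore matches any address ('any').
def wildcard_match(packet_addr, rule_addr, wildcard):
    p = int(ipaddress.IPv4Address(packet_addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF              # bits the statement actually checks
    return (p & care) == (r & care)


def parse_ace(line):
    """One statement: '<permit|deny> <proto> <src> <wc> <dst> <wc> [eq <port>]'.
    'any' is accepted as the short form the router displays for 0.0.0.0 255.255.255.255."""
    tok = line.split()
    action, proto = tok[0].lower(), tok[1].lower()
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported statement: {line}")

    def addr(i):
        if tok[i].lower() == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        return (tok[i], tok[i + 1]), i + 2

    src, i = addr(2)
    dst, i = addr(i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_acl(text):
    """Text as shown above: the 'ip access-list extended NAME' header, then one
    statement per line. Returns (name, statements in the order they were written)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    if header[:3] != ["ip", "access-list", "extended"]:
        raise ValueError("only extended named ACLs are modelled")
    return header[3], [parse_ace(ln) for ln in lines[1:]]


def evaluate(statements, pkt):
    """Test the packet against the statements in order; the first match decides.
    If nothing matches, the implicit final deny (never displayed) applies."""
    for ace in statements:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        return ace["action"]
    return "deny"


def decide(acl_text, pkt):
    _name, statements = parse_acl(acl_text)
    return evaluate(statements, pkt)


# The ACL from the text, verbatim.
NO_HTTP = """
ip access-list extended noHTTPtraffic
 deny TCP 0.0.0.0 255.255.255.255 192.168.10.0 0.0.0.255 eq 80
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# Constructed variant: same statements, wrong order, so the permit matches first.
WRONG_ORDER = """
ip access-list extended wrongOrder
 permit ip any any
 deny tcp any 192.168.10.0 0.0.0.255 eq 80
"""
# Constructed variant: no explicit permit, so everything falls to the implicit deny.
DENY_ONLY = """
ip access-list extended denyOnly
 deny tcp any 192.168.10.0 0.0.0.255 eq 80
"""

# Constructed packets as seen entering the interface
HTTP_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.10.20", "dport": 80}
SSH_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.10.20", "dport": 22}
HTTP_OUT = {"proto": "tcp", "src": "192.168.10.20", "dst": "198.51.100.7", "dport": 80}
PING_IN = {"proto": "icmp", "src": "198.51.100.7", "dst": "192.168.10.20"}

if __name__ == "__main__":
    for name, acl in (("noHTTPtraffic", NO_HTTP), ("wrongOrder", WRONG_ORDER), ("denyOnly", DENY_ONLY)):
        print(name, [decide(acl, p) for p in (HTTP_IN, SSH_IN, HTTP_OUT, PING_IN)])
```

The three result rows make the two pitfalls of the text visible: with the permit first, the HTTP packet that should be denied is accepted, and with no permit at all, the SSH and ICMP packets are dropped by the statement you never see.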


Figure 3.1: Area diagram

During the laboratory session

3.2 Task 1: Initial configuration of the equipment

This task will guide you through the initial configuration of the equipment for this lab session. We will use the network diagrams depicted in Figures 2.2 and 2.3.

1. Figure 3.1 represents the equipment in your area network and part of the departmental backbone. Using figure 2.2 and figure 2.3 as a guide, fill in the IP addresses, names and interface names corresponding to your position. Assign the IP addresses following the rules given in section 2.1.1.

2. Following this diagram, connect the interfaces of the router, the switch and the PC.

3. First you need to configure the router in your network. Connect the management console to the router. Use the PC running Linux as management console. Remember to link the console port of the router to the USB of the PC using the rollover cable, the RJ-45 to DB9 converter, and the USB to DB9 converter.


4. Open a terminal window in the PC and start the program minicom with the superuser privileges (sudo).

5. Connect the power cable to the router and switch it on. Check that some messages appear in the management console as the router boots.

6. Wait until the router boots. Then if the router asks you whether you would like to enter the initial configuration dialog, answer no. When the router’s prompt appears, enter in global configuration mode using the enable command.

7. This time we will not configure the router typing all commands in the command line interface, but we will download the configuration from a TFTP server in the network. So the first step is to configure the router to reach the TFTP server. In our network, the TFTP server is running in the PC-router, which is also the default gateway to the Internet. This PC can be reached through the router’s port named FastEthernet0/1. Using the information in figure 3.1, configure the router’s interface FastEthernet0/1 with the proper IP address and network mask. Remember to use the proper commands to enter in interface configuration mode (i.e. configure terminal and interface FastEthernet0/1).

8. Once you have configured the interface, check that it is not shut down. To check this, display the running configuration of the router (show running-config) and find the description of the interfaces. If the word “shutdown” is part of the configuration of either of the two interfaces (i.e. FastEthernet0/0 or FastEthernet0/1), that interface does not work. If this is the case you have to switch it on manually by performing the following steps; otherwise omit them.

(a) Enter the interface configuration mode (i.e. configure terminal and interface FastEthernet0/x, where ’x’ is the number of the shutdown interface).
(b) Type no shutdown.
(c) Exit from the interface configuration mode.

9. At this point you must be able to reach the TFTP server. Check it using ping from the router to the PC-router’s closest interface. If you cannot reach the IP address of the TFTP server, review all previous steps until you find the problem. Do not proceed to the next step, before you can reach the TFTP server.

10. The TFTP server stores a different configuration file for every router. So you have to download the file corresponding to your router using the right filename. The filename of your router’s configuration is composed of your network name and the suffix ’-r-config’. For example, if your position is area 2 of the production department, the filename is ’pro2-r-config’. If your position is area 4 of the research and development department, the filename is ’rad4-r-config’ and so on. Download that file to your router’s running configuration, using the following Cisco command in global configuration mode:

copy tftp running-config

Firstly, you will be asked for the IP address of the remote host. This should be the IP address of the closest interface of the PC-router to your router. After this you need to indicate the filename and the destination filename (use the default value running-config). After you answer the third and last question, the configuration file will be downloaded to your router. The configuration will become the running configuration in the router immediately after the download process is completed.

11. The router is now configured as figure 3.1 indicates, including passwords and routing table. Looking at the running-configuration, check that none of the FastEthernet interfaces is shutdown as explained in Step 8 above.

12. Check that the received configuration is correct. To do this:

(a) Check that the IP addresses assigned to the interfaces correspond to those in figure 3.1.
(b) Check the routing table. You should be able to ping and traceroute any hostname in the Internet from the router. For instance, try to traceroute www.imit.kth.se.

13. Save the configuration of the router using copy running-config startup-config.

14. Now that the router is ready, configure the switch. Connect the management console to the switch and power it on. Some messages should appear in the console while the switch boots.


15. Wait until the switch boots. Then if the switch asks you whether you would like to enter the initial configuration dialog, answer no. When the switch prompt appears, enter in global configuration mode using the enable command. Note that the switch can ask you to log in.

16. Using the information in Figure 3.1, configure the switch’s interface VLAN1 with the proper IP address and network mask. Remember to use the proper commands to enter in interface configuration mode (i.e. configure terminal and interface vlan1).

17. Set the default gateway for the switch with the command ip default-gateway IP_of_Gateway in privileged mode.

18. Once you have configured the interface and the default gateway, you must be able to reach the TFTP server. It is the same server for both the switch and the router. Check it using ping from the switch. If you cannot reach the IP address of the TFTP server, review all the previous steps until you find the problem. Do not proceed to the next step before you can reach the TFTP server.

19. The TFTP server stores a different configuration file for every switch. So you have to download the file corresponding to your switch using the right filename. The filename of your switch’s configuration is composed of your network name and the suffix ’-sw-config’. For example, if your position is area 2 of the production department, the filename is ’pro2-sw-config’. If your position is area 4 of the research and development department, the filename is ’rad4-sw-config’ and so on. Download that file to your switch’s running configuration, using the following Cisco command in global configuration mode:

copy tftp running-config

Firstly, you will be asked for the IP address of the remote host. This should be the IP address of the closest interface of the PC-router to your router. After this you need to indicate the filename and the destination filename (use the default value running-config). After you answer the third and last question, the configuration file will be downloaded to your switch. The configuration will become the running configuration in the switch immediately after the download process is complete. The switch is now configured as figure 3.1 indicates, including passwords and the IP address.

20. Check that the received configuration is correct. Check that the IP address assigned to the vlan interface is right and check the default gateway. You should be able to ping and traceroute any host in the Internet from the switch. For instance, try to traceroute www.imit.kth.se.

21. Now, save the configuration of the switch using copy running-config startup-config.

22. Finally, configure the PC Ethernet interface using the commands described in section 2.6. You will need to configure the network interface with the proper IP address and network mask, and then the PC routing table. Open a terminal window in your PC. You will type all commands there.

23. Configure your Ethernet interface (remember that in your PC the ID of the Ethernet interface is eth1) with the command ifconfig. Recall the IP information of your network and configure your interface using the following command:

ifconfig Interface_ID IP_of_your_PC netmask Your_Netmask broadcast Broadcast_address

24. Add a route to the default gateway with the ’route’ command. The default gateway should be the inner interface of your LAN router.

route add default gw Address_of_your_router

25. Now the configuration of the PC is finished. You should be able to ping and traceroute any hostname in the Internet from the PC. For instance, traceroute to www.imit.kth.se.

3.3 Task 2: Traffic filtering

In this task you will have to use Cisco ACLs to enforce a couple of policies in your area network. The policies are:

Policy 1: All incoming telnet connections must be blocked, while outgoing telnet connections must be allowed.

Policy 2: Users within the area network should only be permitted to browse the Internet with a web browser or telnet to remote locations. Any other application must be blocked.

The first policy would be part of the network security, because it prevents remote configuration of our network equipment from outside the area network. The second policy would enforce the ’correct’ use of the network resources, restricting the user traffic to the allowed applications.


1. From the PC telnet to the PC-router in the lab, the one that offers Internet access to all the routers. It can be reached at any IP address shown in Figure 2.3. As the user name use lab and as the password labo. The Linux command should look like this:

telnet IP_of_PC-Router -l lab

2. From the PC-router telnet to your own router and enter privileged mode (command enable) so you can change the configuration of the router. Note that this is exactly the type of connection that policy 1 tries to forbid.

3. Write below the ACL corresponding to policy 1 above using the proper Cisco syntax. Remember that telnet uses tcp port 23.

4. Add the ACL above to the router configuration using the telnet connection established through the PC-router. Do not link the ACL to the interface yet. Close the telnet connection from the PC-router to your router with the command exit after adding the ACL.

5. Connect the management console to the router, enter configuration mode and link the previous ACL to the proper interface. Note that the proper interface depends on how you wrote the ACL. Mind that the telnet connection to the PC-router from your PC should keep working after the ACL is set.

6. Now that the ACL is set, check that you can no longer establish a telnet connection from the PC-router to your router. What is the error message displayed when the telnet connection fails?

7. Before starting with the second policy, check that you can open with a web browser in the PC both ’ftp://ftp.sunet.se’ and ’http://ftp.sunet.se’. Both URLs will reach the FTP archive of the Swedish University Network, but the former will use the FTP protocol while the latter will use the HTTP protocol. The second policy will only permit the HTTP connection to this site.

8. Close the web browser.

9. Write below the ACL corresponding to policy 2 using the proper Cisco syntax. Note that this ACL should permit some additional traffic not mentioned in the text of the policy before blocking the rest of the traffic: web browsing (tcp port 80) will only work if Domain Name Resolution (DNS) is working, thus DNS (udp port 53) should be permitted as well. In addition, you should allow the traffic useful for network maintenance, so permit ICMP traffic too.


10. Add this second ACL to the router configuration using a telnet connection from your PC to the router.

11. Link this new ACL to the proper interface. Note that the proper interface depends on how you wrote the ACL. Mind also that the outgoing telnet connection to the router from your PC allowed by policy 1 should keep working after this ACL is set.

12. Now that the ACL is set, check that you can still open the URL ’http://ftp.sunet.se’ with a web browser in the PC.

13. Now check that you cannot open the URL ’ftp://ftp.sunet.se’ with a web browser in the PC. What is the error message displayed when the connection fails?

14. Now check that ’ftp.sunet.se’ is still alive using ping from the PC. Why does ping work when the site cannot be browsed?

15. Now trace the route from the PC to ’ftp.sunet.se’ using the Linux command traceroute. Why can traceroute not reach the destination even when ICMP traffic is allowed? (Hint: read the traceroute manual page with man traceroute if you are not sure how it works.)


Chapter 4

Lab Session 3: Offering network services

Before the session

4.1 Domain Name System

The Domain Name System converts hostnames to IP addresses and vice-versa. DNS is one of the most obscure areas of network administration, but we will try to give you a good introduction to it, so that you are able to configure a DNS server and understand what you are doing. Some simple words of caution, though: DNS is a net-wide database, so take care about what you put into it. Keep your DNS tidy and consistent and you will get good service from it. Learn to use it, administer it, debug it and you will be another good administrator keeping the net from failing due to mismanagement.

4.1.1 What is DNS?

The Domain Name System is a distributed database that operates on a client–server scheme. It supports replication and caching to provide robustness and adequate performance. The name servers are the programs that contain information about different parts of the database and provide that information to the clients, which are called resolvers. Most of the time, the resolvers are just libraries that send queries across the network to the name servers.

The structure of DNS is seen as an inverted tree with the root node at the top, very similar to the UNIX file system. Each node in the tree has a label that identifies it to its parent. The root node has the reserved label ‘.’. Each subtree of the whole tree represents a part of the DNS database, or in other words a domain in the Domain Name System. Each domain can also be divided into subdomains, which are drawn as children of their parent domain. Every domain has a unique name, which identifies its position in the database. In DNS, the domain name is the sequence of labels from the node at the root of that particular domain up to the root of the whole tree, with ‘.’ separating the labels. Domain names are the indexes to the DNS database. Each domain may contain final hosts and subdomains.

Each host on the network has a domain name, which points to the information about that host in the DNS database. This information can include IP address, e-mail information, etc. A host in the Internet may have several different names. However, one of them must be declared as the official canonical name. The other names are just domain name aliases, which are equivalent to the canonical name.

In DNS, each domain can be managed by a different organization or company, and they can break their domain into as many subdomains as they want. Moreover, the organizations can give responsibility for those subdomains to different organizations.

4.1.2 How DNS works

When a DNS client wants to look up a name, it queries DNS servers to resolve the name. The query that the client sends contains three pieces of information:

• A Fully Qualified Domain Name (FQDN), which is the specific domain you are looking for

• A query type, specifying a simple resource record or a more complex query

• A class for the DNS domain name


DNS queries are resolved in different ways. Sometimes your machine contains a local cache that holds information previously looked up, or the DNS server can use its own cache to answer a query. However, most of the time the DNS server needs to contact other DNS servers to resolve the name and then send the answer back to the client. This is called a recursive query. The client machine can also contact additional DNS servers itself using separate queries. This process is called iteration.

The local name resolver

The first step when resolving a name is to contact the local resolver, which tries to answer using locally cached information. The local resolver operates with information obtained from two possible sources:

• A hosts file configured locally, which contains hostname to address mappings. These manually inserted mappings are stored in the local cache when the DNS client is started.

• Some Resource Records (RR) that came in previous responses from DNS servers, and that are kept in the local cache for some time.

If the local resolver is not able to solve a query, then the process continues with the client querying a DNS server.

The DNS server

When a client wants to query a DNS server, it needs to know the IP address of the server. This IP address can be stored locally in a configuration file or it can be received from the network when the network configuration takes place. Sometimes the list of DNS servers contains more than one entry, in which case the client usually tries the DNS servers one by one. In the Linux operating system, the file which contains the IP addresses of the DNS servers is /etc/resolv.conf.

Each DNS server contains information about one or more domains. In DNS terminology a domain is also referred to as a zone. When a DNS server receives a query, it first checks whether the information is stored in one of its locally configured zone files. If it is, then the server answers the query authoritatively, based on the resource information in that file. If no information exists in the local zone files, then the server checks whether it can answer the query with a cached response from a previous query. If this is not the case, then the query continues recursively.

The process of recursion to resolve a query involves more DNS servers. By default, the DNS client asks the server to use recursion if needed before returning an answer. In most cases, the server is configured to support recursion. The first thing a DNS server needs in order to perform the recursion properly is some root hints, in other words a list of IP addresses of the DNS servers which are authoritative for the root of the DNS tree. These root servers are authoritative for all the top level domains, like ‘.com’ or ‘.net’. Using these root hints, a DNS server can recursively complete any query and locate the servers which are authoritative for any other DNS domain at any branch of the DNS tree.

Let’s follow the example in Figure 4.1 to clarify this. Imagine that you have a laptop connected to your LAN in area1.rad.acme and you want to connect to another laptop in area3.mar.acme. Imagine the name of this second laptop is laptop1.area3.mar.acme. The first thing that your laptop does is contact the DNS server of your area, in this case ns.area1.rad.acme, to obtain the IP address of laptop1.area3.mar.acme. The DNS server of your area has no information at all about anything outside its own area (we assume that the local cache is empty). Your DNS server decides that it needs to contact one of the root servers to obtain the authoritative server for the acme domain. In the environment of our laboratory, there is only one root server and its IP address is 192.168.0.1. The root server sends a referral to the authoritative server of the acme domain (ns.acme). In our case the DNS server ns.acme runs on the same machine; its IP address is 192.168.0.1. After receiving the referral, your DNS server proceeds with the recursion, asking ns.acme for the IP address of the DNS server responsible for the mar.acme domain. We configured the DNS server ns.acme so that it is authoritative for all its subdomains (adm.acme, pro.acme, rad.acme, and mar.acme). When the answer saying that ns.acme is also the authoritative DNS server for the mar.acme domain is received from ns.acme, your DNS server proceeds with the recursion and asks ns.acme for a referral to the DNS server of area3.mar.acme. It is important to understand that these two servers (i.e. root and ns.acme) could be located on different machines, and most of the time they will be! Since ns.acme is authoritative for the mar.acme domain, it has a description of this zone, which includes the records about the authoritative DNS servers for all its subdomains (area1.mar.acme, area2.mar.acme, area3.mar.acme, and area4.mar.acme). In our example the DNS server ns.acme will pick the IP address of ns.area3.mar.acme and send it back to your DNS server. In the final step of the recursion, your DNS server sends the full query for laptop1.area3.mar.acme to ns.area3.mar.acme. This last DNS server gives an authoritative answer with the IP address we are requesting to the DNS server of your area, finishing the recursion process. Finally, your DNS server (ns.area1.rad.acme) forwards the answer to the DNS client in your PC and the query is finished.


Figure 4.1: DNS configuration for an example domain.


This recursion process can be time consuming and resource intensive, but it has some advantages for the DNS server, as it obtains information about the DNS name space and caches it in its local cache to speed up subsequent queries. The local DNS cache is cleared when the DNS server is restarted.

Alternative query responses

When a server answers a query for a client, there are different types of responses that it can give. For example:

• An authoritative answer. It has the authoritative bit set and means that the answer was obtained from a server with direct authority over the queried name.

• A positive answer, which contains the requested resource records (RR) or a set of RRs that match the queried DNS name and record type.

• A referral answer, which contains additional resource records not included in the query. This answer is given back to the client when recursion is not supported by the server, so that the client can continue the query using iteration. If the client is unable to use iteration, it can make further queries using the referral information.

• A negative answer, which indicates either that an authoritative server answered that the queried name does not exist, or that it exists but there are no records of the specified type for that name.

How iteration and caching work

When the use of recursion is disabled in the DNS server, or the client does not request it, then the client uses iteration to resolve a name. An iterative query from a client demands the best possible answer from the server, but without the server contacting other DNS servers. In this case, the DNS server answers with the knowledge it has in its own cache or zone files. If the server does not have the right answer, it provides a list of name servers and resource records for other DNS servers that are closer in the DNS tree to the name queried. When the answer from the DNS server is a referral, it is up to the client to continue the iterative query at the other DNS servers, until it gets the definitive authoritative answer.

The use of the cache by the server is fundamental in the whole DNS scheme. Caching provides the means to speed up DNS resolution and it also reduces the amount of DNS related traffic in the network. When DNS servers make recursive queries, they temporarily cache resource records with information obtained from other authoritative servers. This cached information coming from authoritative servers can be used to answer later queries about the same RRs. The information cached on the servers has a maximum Time To Live (TTL). As long as the TTL has not expired, the server can use the cached RR to answer queries. By default the cached RRs are assigned the minimum TTL, which is set in the zone’s start of authority (SOA) resource record. This default value is usually 3600 seconds, but it can be adjusted, or individual TTLs can be given to each RR.
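The following Python model ties together the recursion walked through in Section 4.1.2 and the caching just described. It is an added example written for this manual, not code from the lab or from BIND: the logical servers follow Figure 4.1 (root and ns.acme share 192.168.0.1 as in the text), while the address of ns.area3.mar.acme and the laptop addresses are constructed placeholders. Because ns.acme is authoritative for both acme and mar.acme, the model collapses the text’s separate mar.acme step into the single referral that ns.acme gives for area3.mar.acme. The resolver plays the role of ns.area1.rad.acme: it sends only non-recursive queries (what dig +norec does), follows referrals from the root, and caches answers and delegations until their TTL expires.

```python
"""Toy model of recursive resolution by referral-walking plus TTL caching.

Added example: not code from the lab manual or from BIND. Servers, names and
addresses are constructed after Figure 4.1; 192.168.0.130 and the laptop
addresses are placeholders.
"""
import time

DEFAULT_TTL = 3600  # seconds; the usual SOA minimum TTL mentioned in the text

# Authoritative data per logical server: its address, the A records it owns and
# the child zones it delegates (zone -> name of the responsible server).
SERVERS = {
    "root": {"addr": "192.168.0.1", "A": {},
             "delegations": {"acme": "ns.acme"}},
    "ns.acme": {"addr": "192.168.0.1",
                "A": {"ns.acme": "192.168.0.1"},
                "delegations": {"area3.mar.acme": "ns.area3.mar.acme"}},
    "ns.area3.mar.acme": {"addr": "192.168.0.130",   # constructed placeholder
                          "A": {"ns.area3.mar.acme": "192.168.0.130",
                                "laptop1.area3.mar.acme": "192.168.0.135",
                                "laptop2.area3.mar.acme": "192.168.0.136"},
                          "delegations": {}},
}


def query_server(server, qname, ttl=DEFAULT_TTL):
    """One non-recursive query: the server answers only from its own data with
    an authoritative answer, a referral to the closest enclosing delegation it
    knows, or a negative reply."""
    srv = SERVERS[server]
    if qname in srv["A"]:
        return "answer", (srv["A"][qname], ttl)
    best = None
    for zone, ns_name in srv["delegations"].items():
        if (qname == zone or qname.endswith("." + zone)) and \
                (best is None or len(zone) > len(best[0])):
            best = (zone, ns_name, ttl)
    return ("referral", best) if best else ("negative", None)


class CachingResolver:
    """Models the DNS server of your area (ns.area1.rad.acme): it performs the
    recursion on behalf of the client by walking referrals from the root, and
    caches both final answers and delegations until their TTL expires."""

    def __init__(self, root_hints, clock=time.time):
        self.root_hints = root_hints    # names of the root servers we know
        self.clock = clock              # injectable so TTL expiry can be tested
        self.answers = {}               # qname -> (ip, expiry time)
        self.delegations = {}           # zone  -> (server name, expiry time)

    def _fresh(self, table, key):
        entry = table.get(key)
        if entry and entry[1] > self.clock():
            return entry[0]
        table.pop(key, None)            # expired or absent: forget it
        return None

    def _closest_cached_server(self, qname):
        """Start from the most specific delegation still in the cache, so a
        later query under the same zone skips the root entirely."""
        labels = qname.split(".")
        for i in range(1, len(labels)):
            server = self._fresh(self.delegations, ".".join(labels[i:]))
            if server:
                return server
        return None

    def resolve(self, qname, max_hops=10):
        """Return (ip, servers_contacted); an empty list means a cache hit and
        ip is None when no server could answer (negative answer)."""
        cached = self._fresh(self.answers, qname)
        if cached:
            return cached, []
        contacted = []
        server = self._closest_cached_server(qname) or self.root_hints[0]
        for _ in range(max_hops):       # guard against referral loops
            contacted.append(server)
            kind, payload = query_server(server, qname)
            now = self.clock()
            if kind == "answer":
                ip, ttl = payload
                self.answers[qname] = (ip, now + ttl)
                return ip, contacted
            if kind != "referral" or payload[1] not in SERVERS:
                break
            zone, server, ttl = payload
            self.delegations[zone] = (server, now + ttl)
        return None, contacted


if __name__ == "__main__":
    resolver = CachingResolver(["root"])
    print(resolver.resolve("laptop1.area3.mar.acme"))  # root -> ns.acme -> area3
    print(resolver.resolve("laptop1.area3.mar.acme"))  # served from the cache
    print(resolver.resolve("laptop2.area3.mar.acme"))  # cached delegation, one hop
```

Running the script shows the three behaviours of the text: the first lookup contacts root, ns.acme and ns.area3.mar.acme in that order; the repeated lookup contacts nobody; and a lookup for another host in area3.mar.acme goes straight to ns.area3.mar.acme because the delegation was cached. Once the TTL has elapsed, the full walk from the root happens again.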


Your Position   Name of the web server
adm1            www.webcrawler.com
adm2            www.adobe.com
adm3            www.digits.com
adm4            www.alltheweb.com
rad1            www.dit.upm.es
rad2            www.csu.edu.au
rad3            www.abc.es
rad4            www.ucc.ie
mar1            www.semanticweb.org
mar2            www.cbi-web.org
mar3            www.healthweb.org
mar4            www.un.org
pro1            www.auckland.ac.nz
pro2            www.rmit.edu.vn
pro3            www.mult.ru
pro4            www.anekdot.ru

Table 4.1: The hostnames to use in Task 2.2

During the laboratory session

4.2 Task 1: Initial configuration of the equipment

The first task in this lab is to configure the router, the switch and the PC. For this, you will repeat the tasks in section 3.2. Follow all the steps you performed in lab 2 and configure properly these devices.

4.3 Task 2: Checking DNS operation

In this exercise we want you to understand the way DNS works. You will use BIND DNS server version 9. BIND is the most commonly used DNS server on the Internet, especially on Unix-like operating systems. You will have to edit the configuration files in your PC that control the operation of DNS. In order to edit a configuration file you can use any text editor such as gedit, emacs, or vi. If you are not familiar with any of them, we suggest using gedit. In order to be able to save the edited files successfully you have to run the editor with the privileges of the root user. You can start gedit by typing sudo gedit in a terminal window. The sudo password is ‘1234’.

1. Edit the file /etc/resolv.conf. If it does not exist, create it. It contains the IP address of the DNS server to contact when resolving names. Change the nameserver’s IP address to the IP of the PC-router in the network: 192.168.0.1. After editing, the first line of the file should contain the following:

nameserver 192.168.0.1

2. First, perform a recursive query to get the IP address corresponding to a hostname. In this step use dig without options to resolve hostnames. This is an example of the syntax:

dig Name_of_a_machine

Answer these two questions:

• Look in Table 4.1 and pick the name of the web server which corresponds to your position. Resolve its IP address using dig. Look at the statistics part (the last part of dig’s output). What is the query time?

• Repeat the previous exercise with the same name. What is the query time now? Why do you observe this phenomenon?


3. Second, perform a non-recursive query. In the last step, your DNS client contacted several servers to complete the recursive query. Now you will use dig to contact the different servers one by one until you get the IP address corresponding to the given hostname. The goal of this step is to discover how the DNS client in your PC resolves IP addresses given symbolic names. Execute these commands and answer the questions:

• Execute the following command to obtain the list of available root servers:

dig +nostats +nocmd

How many ‘ROOT’ servers does your machine recognize?

• Choose a ‘ROOT’ server from the list and write its name here:

• Now perform non-recursive queries to resolve the IP address of the machine www.ee.kth.se. Write below the list of DNS servers (name and IP address) contacted. Start querying from the root server that you chose above and use the following syntax of dig to do non-recursive queries:

dig +norec +nostats +nocmd www.ee.kth.se @IP_of_the_DNS_server

Note: read the description of DNS in Section 4.1 if you do not remember how the recursion works.

• How many DNS servers contain records about domain ee.kth.se?

• Does the machine www.ee.kth.se have another name?
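When you walk the tree with dig +norec in step 3, each reply has to be read the same way: an empty ANSWER section with NS records in AUTHORITY (and their addresses in ADDITIONAL) is a referral telling you whom to ask next, while a reply with the aa flag and A records is the authoritative answer; a CNAME record in the ANSWER section is the "other name" the last question asks about. The reader below is an added example, not part of the lab manual or of dig: the two replies it parses are constructed to look like dig output, and the server names (kth-example.test, ee-example.test) and the 192.0.2.x and 198.51.100.x addresses are placeholders, not the real servers of www.ee.kth.se.

```python
"""Reader for the replies obtained while walking the DNS tree with dig +norec.

Added example: not code from the lab manual or from dig. Both replies are
constructed; the names and addresses in them are placeholders.
"""
import re

# A referral: no ANSWER, but AUTHORITY names the servers closer to the name
# and ADDITIONAL carries their addresses ("glue").  Constructed sample.
REFERRAL_REPLY = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ee.kth.se.            IN  A

;; AUTHORITY SECTION:
kth.se.                 3600    IN  NS  ns1.kth-example.test.
kth.se.                 3600    IN  NS  ns2.kth-example.test.

;; ADDITIONAL SECTION:
ns1.kth-example.test.   3600    IN  A   192.0.2.53
ns2.kth-example.test.   3600    IN  A   192.0.2.54
"""

# The final, authoritative reply (flag "aa"): the queried name is an alias
# (CNAME) and the canonical name carries the address.  Constructed sample.
ANSWER_REPLY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ee.kth.se.            IN  A

;; ANSWER SECTION:
www.ee.kth.se.          300     IN  CNAME  web.ee-example.test.
web.ee-example.test.    300     IN  A      198.51.100.80

;; AUTHORITY SECTION:
ee.kth.se.              3600    IN  NS     ns1.ee-example.test.
"""

SECTION_RE = re.compile(r";; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_dig(output):
    """Split dig output into the header flags and the records of each section:
    returns (flags, {section: [(name, ttl, type, rdata), ...]})."""
    flags, current = set(), None
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif m := FLAGS_RE.match(line):
            flags = set(m.group(1).split())
        elif line.startswith(";") or current not in sections:
            continue                     # other ";;" lines and the QUESTION line
        else:
            name, ttl, _cls, rtype, *rdata = line.split()
            sections[current].append((name, int(ttl), rtype, " ".join(rdata)))
    return flags, sections


def classify(output):
    """Decide what to do with one reply: use the answer, or query next the
    servers listed in the referral.  A glue address may be absent, in which
    case the NS name itself has to be resolved before it can be queried."""
    flags, secs = parse_dig(output)
    result = {"authoritative": "aa" in flags, "addresses": [],
              "aliases": [], "next": []}
    if secs["ANSWER"]:
        result["kind"] = "answer"
        result["addresses"] = [d for _, _, t, d in secs["ANSWER"] if t == "A"]
        result["aliases"] = [d for _, _, t, d in secs["ANSWER"] if t == "CNAME"]
        return result
    glue = {n: d for n, _, t, d in secs["ADDITIONAL"] if t == "A"}
    result["next"] = [(d, glue.get(d)) for _, _, t, d in secs["AUTHORITY"]
                      if t == "NS"]
    result["kind"] = "referral" if result["next"] else "negative"
    return result


if __name__ == "__main__":
    print(classify(REFERRAL_REPLY))   # kind "referral", two servers to ask next
    print(classify(ANSWER_REPLY))     # kind "answer", authoritative, one alias
```

For the referral the result lists the next servers with their glue addresses, which is exactly the (name, IP address) pair the worksheet asks you to record at each hop; for the answer it reports the alias and the final address. Note that the referral reply has no aa flag: only the last server in the walk answers authoritatively.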

4.4 Task 3: Configure your own DNS

In this task you will configure a DNS server for your area network in the department. In the process of configuring your DNS server you will edit the configuration files of BIND. The configuration files are structured as an inverted tree with the root file ‘/etc/bind/named.conf’ at the top. In this file you can see that three other files are included. File ‘/etc/bind/named.conf.options’ contains an options statement; its directory option defines the directory for the zone and cache files. File ‘/etc/bind/named.conf.default-zones’ holds the information about where the localhost, broadcast, and root level zone files are stored. File ‘/etc/bind/named.conf.local’ is used for adding new zones. In this file, you define where the different files that contain the databases of your DNS zones are located. After this, you will have to edit these zone files appropriately, including the different mappings from IP addresses to names and vice-versa. All these zone files are located in ‘/etc/bind’.

Remember the following! All zone files in the directory contain a serial number inside. A typical example is:


;
; Zone file for your_area.your_department.acme
;
; The full zone file
;
$TTL 3D
@   IN  SOA  ns.your_area.your_department.acme. hostmaster.your_area.your_department.acme. (
             201502271300 ; serial, todays date + todays serial #

Each time you edit this file, increment this field by 1. This will tell your DNS server to flush the cache and load the edited zone information. Also, notice that in all templates that we provide to you, you need to change certain values. The values that you should change are written in italics in the manual. In general you should change the places where it says IP_of_Your_Router or your_area.your_department.

One last comment: whenever you start BIND, you can always check the output messages of the initialization. All the output is saved in file ‘/var/log/daemon.log’, so just open the file for reading using ‘sudo less /var/log/daemon.log’ to see BIND startup messages.

First, get the parameters for the configuration of your DNS server:

1. Considering the diagram in Figure 4.1 as an example identify the following information for your network.

• What is the domain name of your department?

• What is the domain name of your area?

• What is the IP address of the machine which is able to resolve all domains of ACME’s network?

• What is the IP address of the machine which run the DNS server for YOUR network?

• Use Figure 4.1 as an example and assign the names to the devices in your network and fill them into the diagram in Figure 4.2 :


Figure 4.2: DNS information for your domain.

4.4.1 Configuring your domain

In this section you will set up your own domain. You will modify the files ‘/etc/bind/named.conf.options’, ‘/etc/bind/named.conf.default-zones’, and ‘/etc/bind/named.conf.local’. Before you start editing files, a few words about the syntax for comments in DNS related files. Comments in zone files start with a semicolon. Since all lines must finish with a semicolon, a line with a comment looks like this:

;This is a comment;

However, C-style /* */, C++-style // and Unix-style # comments are used in files ‘/etc/bind/named.conf.options’, ‘/etc/bind/named.conf.default-zones’, and ‘/etc/bind/named.conf.local’. Don’t use a semicolon to mark a comment in these files. Finally, after each step that you perform, you should always save your configuration file before continuing.

• Look at the file ‘/etc/bind/named.conf.default-zones’. It should look like this:

zone "." {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

Each record starts with the keyword zone followed by the domain name and the class (in stands for the Internet). The word master indicates that this server is a primary master server for the zone, and the last line shows the file to be read. On a primary master server, the files ‘named.conf.default-zones’ and ‘named.conf.local’ contain one record for each file to be read. The special zone ‘.’ is used when your server cannot resolve a name on its own. Basically, you should read this zone description as ‘For every name which is not under my responsibility, forward the query to 192.168.0.1, which is the IP address of the PC-router; it will handle it’. These zones are the default zones; their zone files come predefined, so you do not have to worry about them. However, for your better understanding you will have to edit the file for your localhost (your own PC).

• Open the file ‘/etc/bind/db.127’. This file contains the database for your localhost (your own PC). You can check that it corresponds to the third zone in your ‘named.conf.default-zones’ file. It should contain the following:

$TTL 3D
@   IN  SOA  ns.your_area.your_department.acme. hostmaster.your_area.your_department.acme. (
             201502271300 ; Year+Month+Date+Serial
             8H           ; Refresh
             2H           ; Retry
             4W           ; Expire
             1D )         ; Minimum TTL
             NS   ns.your_area.your_department.acme.
1.0.0        PTR  localhost.

Change all appearances of your_area and your_department to the names corresponding to your area and department (refer to Figure 4.2 for information). Save the file and proceed further.

In this file you can see the structure of the database files (db). Remember that every line that starts with a semicolon is a comment. This file maps addresses to host names. Each file is named after the network number it represents, so 127 means that this particular file contains the mappings from IP addresses to names for any address of the form 127.x.x.x. As you can see, only the remaining parts (the ‘x.x.x’) of the IP address need to be written in the file, as all the other parts are already matched when this file is used. This is the reason why the localhost entry is 1.0.0: the localhost address is ‘127.0.0.1’. Note that the entry address is written in the opposite order. Notice also the ‘.’ at the end of localhost. If a machine name in a zone file does not end in a period, the origin is added to its end, so the entry would be ‘localhost.127.0.0’ which, of course, is wrong! Most entries in the db files are called DNS resource records, and they must start in column one. The ordering of resource records in the db files is as follows (not all of them need to be present):

SOA record: Indicates authority for this zone file
NS record: Lists a name server for this zone
A record: Name to address mapping
PTR record: Address to name mapping
CNAME record: Canonical name (for aliases)

• Edit ‘/etc/resolv.conf’. Comment out the line that you already have and put the IP address of your PC as the IP of the nameserver. Your file should look like this:

nameserver IP_address_of_your_PC
#nameserver 192.168.0.1

Save the file and proceed further.

• Start BIND by running ‘/etc/init.d/bind9 start’. Check that BIND loads correctly by looking at the file ‘/var/log/daemon.log’. Run dig -x 127.0.0.1 and fill in the missing parts of its output below. Of course, some of the values will not be the same for you, as your localhost zone file could differ from this example; however, the ANSWER SECTION should be there!


[lab@localhost lab]# dig -x 127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION: ;1.0.0.127. . . IN PTR

;; ANSWER SECTION: .in-addr.arpa. IN .

;; AUTHORITY SECTION: 0.0.127.in-addr.arpa. IN NS .

;; Query time:          msec
;; SERVER:          #53(          )
;; WHEN:
;; MSG SIZE rcvd:

4.4.2 Your own area

Now you should create the database for your own area, which will translate names to IP addresses. Construct the zone of your area, restart the DNS server, and verify that the server is working properly by performing the following tasks:

• Edit ‘/etc/bind/named.conf.local’ file. Append the following text to the end of this file:

zone "your_area.your_department.acme" {
    type master;
    notify no;
    file "/etc/bind/db.your_area.your_department.acme";
};

This entry tells BIND where to find the database for your own area. You should already know what each field means. The ‘notify no’ means that we do not want to notify the rest of the DNS servers about the content of our file... after all, we are only testing! Save the file and proceed further.

• Open the file ‘/etc/bind/db.your_area.your_department.acme’. It should contain the following:

;
; Zone file for your_area.your_department.acme
;
; The full zone file
;
$TTL 3D
@   IN  SOA  ns.your_area.your_department.acme. hostmaster.your_area.your_department.acme. (
             201502271300 ; serial, todays date + todays serial #
             8H           ; refresh, seconds
             2H           ; retry, seconds
             4W           ; expire, seconds
             1D )         ; minimum, seconds
;
;-----DESCRIPTION of THIS DNS server------;
;------LABEL--VALUE------COMMENT------;
             TXT   "Area.Dept.acme DNS server"
             NS    ns           ; Inet Address of name server
;
;----ASSIGNMENT of IP ADDRESSES TO THE NETWORK DEVICES-;
;NAME------LABEL--IP ADDRESS------;
;
localhost    A      127.0.0.1
ns           A      IP_of_your_DNS_Server
www          CNAME  ns
Name_of_the_inner_interface_of_your_router   A   IP_of_your_router
sw           A      IP_of_your_switch
other        A      IP_of_other_device

In this zone file you should be able to recognize most of the Resource Records (RR). Most of them are ‘A’ resource records, that map names to IP addresses. There is also a CNAME record, which is an alias for the web server, which in your case would run on the same PC. That is why it points to the ‘A’ record of your name server (your PC). Save the file and proceed further.


• Restart BIND running ‘/etc/init.d/bind9 restart’ and check log messages in ‘/var/log/daemon.log’. In the case of error messages you need to search for an error in your configuration files. Otherwise, run

dig www.your_area.your_department.acme

and fill in the missing parts of its output below:

[lab@localhost lab]# dig www.your_area.your_department.acme
; <<>> DiG 9.1.0 <<>> www.your_area.your_department.acme
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION: ;www. . .acme. IN A

;; ANSWER SECTION: . . .acme. IN . ns. . .acme. IN A

;; AUTHORITY SECTION: . .acme. IN NS .

;; Query time:          msec
;; SERVER:          #53(          )
;; WHEN:
;; MSG SIZE rcvd:

4.4.3 The reverse zone area

The last thing that we need to do is to construct the reverse zone of the area (the file that will translate IP addresses to names).

• Edit ‘/etc/bind/named.conf.local’ file and append the following text to the end of this file:

zone "0.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.192.168.0";
};

Save the file and proceed further.

• Open the file /etc/bind/db.192.168.0, it should contain the following:

;
; Zone file for 0.168.192.in-addr.arpa
;
; The reverse zone file
;
$TTL 3D
@   IN  SOA  ns.your_area.your_department.acme. hostmaster.your_area.your_department.acme. (
             201502271300 ; serial, todays date + todays serial #
             8H           ; refresh, seconds
             2H           ; retry, seconds
             4W           ; expire, seconds
             1D )         ; minimum, seconds
;
             NS   ns.your_area.your_department.acme.
;
;-REVERSE ASSIGNMENT of IP ADDRESSES TO THE NETWORK DEVICES------;
;Host Part of IP ADD------LABEL------NAME------;

First_valid_host_address    PTR  Name_of_the_inner_interface_of_your_Router.your_area.your_department.acme.
Second_valid_host_address   PTR  sw.your_area.your_department.acme.
Third_valid_host_address    PTR  ns.your_area.your_department.acme.
Fourth_valid_host_address   PTR  other.your_area.your_department.acme.


You can easily understand the content of this file. All resource records are of type PTR, so they translate IP addresses to names. Edit the file and substitute the given strings with the names and IP numbers of your network. Remember! You only have to write the host part of your IP addresses. For example, if the IP address of the inner interface of your router is 192.168.0.129, then instead of the entry First_valid_host_address you should write only "129". Notice also the dots at the end of the names. If you do not add those dots, then the name of the zone is appended at the end. Save the file and proceed further.
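The two rules that cause most broken zone files in Sections 4.4.2 and 4.4.3 are the ones just stated: a reverse entry carries only the host part of the address, and a name without a trailing dot gets the zone origin appended. The script below is an added example, not code from the lab manual or from BIND: it parses a constructed forward zone for area1.rad.acme (following the lab template, with the router at 192.168.0.129 as in the text and the other addresses invented), generates the matching reverse zone for 192.168.0.0/24 with host parts and trailing dots done correctly, and, because the parser applies the origin rule exactly as a name server would, makes a forgotten dot visible as the wrong name it produces.

```python
"""Zone-file reader and reverse-zone generator for the lab's BIND templates.

Added example: not code from the lab manual or from BIND.  FORWARD_ZONE is a
constructed sample; only the router address 192.168.0.129 comes from the text.
"""
import ipaddress

RR_TYPES = {"SOA", "NS", "A", "PTR", "CNAME", "TXT", "MX", "AAAA"}

FORWARD_ZONE = """\
; constructed sample zone for area1.rad.acme
$TTL 3D
@   IN  SOA ns.area1.rad.acme. hostmaster.area1.rad.acme. (
            201502271300 ; serial, todays date + todays serial #
            8H           ; refresh
            2H           ; retry
            4W           ; expire
            1D )         ; minimum
            TXT "Area.Dept.acme DNS server"
            NS  ns
localhost   A     127.0.0.1
ns          A     192.168.0.131
www         CNAME ns
router      A     192.168.0.129
sw          A     192.168.0.130
other       A     192.168.0.132
"""


def absolute(name, origin):
    """The rule the manual warns about: a name without a trailing dot gets the
    zone origin appended, and '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a zone file into (default_ttl, [(owner, type, rdata), ...]) with
    owners and NS/CNAME/PTR targets made absolute.  Assumes ';' never occurs
    inside a quoted string, which holds for the lab templates."""
    origin = origin.rstrip(".") + "."
    default_ttl, records, owner, buf, depth = None, [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip the comment
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")     # SOA spans lines
        buf.append(line)
        if depth > 0:
            continue
        has_owner = not buf[0][0].isspace()            # owner only in column one
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0] == "$TTL":
            default_ttl = tokens[1]
            continue
        if has_owner:
            owner = absolute(tokens.pop(0), origin)
        while tokens[0] not in RR_TYPES:               # skip optional TTL/class
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return default_ttl, records


def reverse_origin(network):
    """0.168.192.in-addr.arpa. for 192.168.0.0/24 (octet-aligned prefixes)."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_ptrs(records, network):
    """(host part, name) for every A record inside `network`, in address
    order: only the host part is written and the name keeps its dot."""
    net = ipaddress.ip_network(network)
    keep = net.prefixlen // 8                          # octets the origin covers
    found = []
    for owner, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata) in net:
            host = ".".join(reversed(rdata.split(".")[keep:]))
            found.append((int(ipaddress.ip_address(rdata)), host, owner))
    return [(host, owner) for _, host, owner in sorted(found)]


def render_reverse_zone(forward_text, forward_origin, network):
    """Write the reverse zone file, carrying over the forward zone's SOA and NS."""
    origin = forward_origin.rstrip(".") + "."
    ttl, records = parse_zone(forward_text, origin)
    lines = [f"; reverse zone {reverse_origin(network)} generated from {origin}",
             f"$TTL {ttl}"]
    for owner, rtype, rdata in records:
        if owner == origin and rtype in ("SOA", "NS"):  # zone apex records
            lines.append(f"{'@' if rtype == 'SOA' else ''}\tIN\t{rtype}\t{rdata}")
    lines += [f"{host:<8}PTR\t{name}" for host, name in reverse_ptrs(records, network)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_reverse_zone(FORWARD_ZONE, "area1.rad.acme", "192.168.0.0/24"))
```

The generated file starts with the same SOA and NS as the forward zone and then lists 129, 130, 131 and 132 as PTR owners, each pointing at a fully qualified name ending in a dot; localhost is left out because 127.0.0.1 is not in 192.168.0.0/24. Parsing a reverse entry such as "5 PTR laptop.area1.rad.acme" (dot forgotten) with the origin 0.168.192.in-addr.arpa yields the target laptop.area1.rad.acme.0.168.192.in-addr.arpa., which is exactly the mistake the text warns about.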

• Restart BIND running ‘/etc/init.d/bind9 restart’ and check if any errors appear. If all is correct, run

dig -x IP_Address_of_Your_Router

and fill in the missing parts of its output below:

[lab@localhost lab]# dig -x IP_Address_of_Your_Router
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23263
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION: ; ...... IN PTR

;; ANSWER SECTION: .in-addr.arpa. IN .

;; AUTHORITY SECTION: .in-addr.arpa. IN NS .

;; ADDITIONAL SECTION: ns. . .acme. IN A

;; Query time:          msec
;; SERVER:          #53(          )
;; WHEN:
;; MSG SIZE rcvd:
