Computer Network Labs - CS331, January 9, 2006.


Introduction to Switches

  1. Basic switch configuration.  Review the following commands and try them on a switch:  en, conf t, hostname, line con 0 (login, pass, logging sync), line vty 0 15 (login, pass), no ip domain-lookup, ip host, banner motd, en secret, copy run start, erase start, exit, sh (run, start, ip int brief, ver, int, flash, cdp nei det, users), reload, en cdp, ip http server.  To completely “erase” a switch we must erase the startup config as on a router, but the vlan information is also kept in a separate file in flash called vlan.dat.  Erase that file, clear the config and reboot.
  2. Switch ports.  Configure a switch port.  It does not have an ip address like a router.  Why not?  Set speed, duplex, access mode and description on the port.  What would you put in a typical description?  Why?  Shut the port down and view its status.  Bring it back up.
    1. Sw mode acc
  3. Management address and intro to vlans.  Switches can participate in an ip network (only 1, not 1 per port, why?).  This is done with a virtual interface called a management vlan (more on vlans later).  By default vlan 1 is the management vlan so by adding an ip address to that vlan, we can make the switch an ip host for ping, telnet, tftp and other traffic.  With a router and/or pc plugged into the switch and addressed on the same network, assign an ip address and default gateway to the switch. Do a sh ip int brief.  Ping the switch.  Telnet to it (you must have a telnet password). Web browse to it.  Turn off the web server in it and web browse to it again.  The switch needs a layer 2 (mac) address to communicate.  What address is it using?
    1. Int vlan 1 (ip address, desc)
    2. Ip default-gateway
    3. Sh mac-address-table
  4. Reload a switch IOS and bypass the password.  To “break” the password on a switch, power off and on while holding the mode button to enter rom monitor mode.  Rename the config.text file in flash and boot the IOS.  You should be able to enter enable mode, rename the config.text file back to its correct name, load the configuration, change the password and resave the config.  Look at a list of the files in flash on the switch.  Notice the directories; change to the html directory and look at the files in it.  Delete everything in the html directory (this will wipe out the web server pages).  Download a new IOS tar file (get this from me) from a tftp server.  This should recreate the html pages.  Look at it and test it.  Save your config to the tftp server.
    1. Delete flash:html/*
    2. Tar /x tftp://ip/file
    3. rommon: flash_init, load_helper, dir flash:, rename flash:config.text flash:config.old, boot
    4. Rename, cd, dir flash:

Switching (Ethernet, vtp, vlans, spanning tree, trunking, dhcp)

  1. Mac Tables and port security.  Set up an Ethernet with 2-3 pc’s on it.  Ping from each to the switch.  Look at the arp tables on the pc’s and the switch.  Look at the Mac table on the switch.  Check the mac table every 15 seconds until it clears.  How long did it take?  Check a pc’s arp table every 15 seconds until it clears.  How long did it take?  Ping again.  Clear the switch mac table and verify it.  Set a static mac address for a pc on one switch port. Turn on port security. Test that pc.  Test another.  What happens?  Set the port security to “sticky”.  Retest that pc and another.  What changed?  Set the max count to 1 and action violation to shutdown.  Test both pc’s again.  Now what happens?
    1. Clear mac-address-table dynamic
    2. mac-address-table static hhhh.hhhh.hhhh int fa0/x vlan y
    3. Sh port-sec
    4. Sw port-sec mac-addr sticky
    5. sw port-sec max 1 (older 2900XL syntax: port security max-mac-count 1)
    6. sw port-sec violation shut (older 2900XL syntax: port security action shutdown)
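A worked configuration for the port security part of this lab, added here as an example (it is not from the handout): a static secure address, then the sticky variant, the shutdown violation action, and the show commands that reveal what happened. The interface, vlan and MAC address are assumed values.

```cisco
! Added example, not from the handout. Assumed: Catalyst 2950-style IOS,
! one host on FastEthernet0/1 with MAC 0000.1111.2222 (constructed), vlan 1.
!
! Static secure address: only this MAC may send on fa0/1. Port security
! needs an access port, so set the mode first.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
!
! Sticky variant: instead of typing the address, let the switch learn the
! first MAC it sees and write it into the running config as a secure
! address. It survives a reload only after copy run start.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# no switchport port-security mac-address 0000.1111.2222
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
!
! Checks. With maximum 1 and violation shutdown, a second host on fa0/1
! raises a PSECURE_VIOLATION log message, the violation counter increments,
! and the port goes err-disabled (show interfaces status shows it).
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
Switch# show mac-address-table interface FastEthernet0/1
Switch# show interfaces FastEthernet0/1 status
!
! Recovery once the extra host is gone: bounce the port by hand ...
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! ... or let the switch re-enable it automatically after 5 minutes.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
```

With violation restrict instead of shutdown the port stays up and only drops the offending frames, which is quieter but easier to miss; the counter in show port-security interface is then the only sign.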
  2. Spanning Tree.  Connect 3 switches in a loop.  Determine the root bridge.  Force the root bridge to a different switch. Verify.  Determine forwarding and blocking ports on each switch.  Remove and replace cables on new ports.  How long did it take to “stabilize” the network?
    1. Sh span brief
    2. span pri 1 (older syntax) or span vlan 1 pri 4096 (or 8192)
  3. Vlans.  Create and name 2 vlans on a switch.  Assign 2 ports to each vlan and connect a pc to each.  Address them on different networks and ping.  (It should fail.  Why?)  Address them on the same network and ping.  (It should still fail.  Why?)  Connect them to the same vlan and ping.  Why did it work?
    1. vlan dat (vlan 2 name x, no vlan x)
    2. sw acc vlan 2

  4. Trunking and vtp.  Connect 2 switches.  Create vlan 10 and vlan 99 on both.  Put a pc on a port on vlan 99 on each switch and address them on the same network.  They shouldn’t ping.  Why not?  Configure the ports on the switch to switch connection as dot1q trunks (you could do this exercise a second time and try isl instead of dot1q).  Now test connectivity between pc’s.  Erase the vlan configurations on both switches and disconnect the cable between them.  On one switch, configure it as a vtp server in the “carroll” domain.  Configure vlans 10 and 99 again.  On the second switch, configure it as a vtp client in the “carroll” domain (no vlans).  Connect the trunk.  What happens to vlans on the second switch?  View the vtp statistics.  Pay particular attention to the vtp db revision number.  Why is that important?  Assign the pcs to ports and test if needed.
    1. sw mode trunk
    2. sw trunk encap dot1q
    3. sh int fa0/x sw
    4. vlan dat (vtp server/client, vtp dom x)
    5. sh vtp stat, sh vtp sum
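The revision number question above is worth a worked example, added here (not from the handout): how to check and reset the vtp configuration revision before a switch joins the “carroll” domain, and why a vtp password belongs on both switches. The switch names, vlan names and password are assumed.

```cisco
! Added example, not from the handout. Assumed: Switch1 (server) and
! Switch2 (client), domain "carroll" from the lab, password LabPass
! (constructed), vlan names sales and mgmt (constructed).
!
! Before connecting the trunk, compare revision numbers on both switches.
Switch2# show vtp status
! Look at "Configuration Revision". The switch with the HIGHER revision
! wins when the trunk comes up, even if it is a client, and its vlan list
! replaces the other's: a reused lab switch at revision 40 with no vlans
! would delete vlans 10 and 99 on the server.
!
! Reset Switch2's revision to 0 by passing through transparent mode, then
! make it the client. (vlan database mode, as in the lab; newer IOS also
! accepts vtp mode client / vtp domain carroll in global config.)
Switch2# vlan database
Switch2(vlan)# vtp transparent
Switch2(vlan)# exit
Switch2# vlan database
Switch2(vlan)# vtp client
Switch2(vlan)# vtp domain carroll
Switch2(vlan)# vtp password LabPass
Switch2(vlan)# exit
!
! Same domain name and password on the server. Advertisements whose MD5
! digest does not match the password are ignored, so a switch that does
! not know the password cannot push its vlan database into the domain.
Switch1# vlan database
Switch1(vlan)# vtp server
Switch1(vlan)# vtp domain carroll
Switch1(vlan)# vtp password LabPass
Switch1(vlan)# vlan 10 name sales
Switch1(vlan)# vlan 99 name mgmt
Switch1(vlan)# exit
!
! After the trunk is up: Switch2 should start at revision 0, take Switch1's
! revision after the first advertisement, and list vlans 10 and 99.
Switch2# show vtp status
Switch2# show vtp counters
Switch2# show vlan brief
```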
  5. Intervlan routing.  To direct traffic between vlans we need routing.  Configure a sw with vlans 10 and 20 and a pc on each, addressed correctly.  They should not ping.  Add a router on a trunk port.  Configure the router port as a trunk.  Ping between the pc’s.  Why does this work?  Why is it required?
    1. Int fa0/x.2 (Ip address, encap dot1q 2)
  6. DHCP (CCNP1 lab 2.10.3).  Configure a router as a dhcp server.  Configure a pc on the same network to query for dhcp services.  On the pc, release and renew the ip address.  Verify it gets an address, mask, dns server and gateway (ipconfig /release, ipconfig /renew).  Exclude the address on the router.  Release and renew the pc again.  What address did it get?  Show the dhcp address leases that the router has (bindings).  This configuration only works on local networks.  What command would you use if the router with the pool was remote to this lan?  Why?
    1. ip dhcp pool xyz (network x.x.x.x y.y.y.y, default-router x.x.x.x, dns-server x.x.x.x, domain-name abc, netbios-name-server x.x.x.x)
    2. ip dhcp excluded-address x.x.x.x
    3. Ip helper-address
    4. Sh ip dhcp bindings

Routing - Eigrp

  1. EIGRP loops, default routes and route summaries.  Config the 3 router eigrp loop network in the exercise above with unequal bandwidths and costs.  Turn on fsm debugging.  Pull one of the cables and observe the feasible successor update (without routing updates) (CCNP1 5.7.2).  Put a 1.1.1.1 loopback on one “end” router.  Put 6 loopback networks on the other “end” router (leave the cable pulled): 3 loopbacks on 8.1.x.x and 3 on 8.8.x.x.  Advertise them to the other routers and verify that they can see them and ping them.  Summarize these into 2 routes for the middle router.  Verify by checking the routing table.  Is everything still reachable?  Summarize them into one 8.x.x.x route for the far router and verify.  Remove eigrp from the “far” router (without the loopbacks).  Use a static default gateway to reach it from the middle router.  Verify the middle router can reach 1.1.1.1 through the static route, not eigrp.  The other eigrp router should fail.  You could enter a static route on it also, but if we had many internal routers this would be burdensome.  Redistribute the static route and verify reachability of 1.1.1.1 from everywhere.  Look at the routing tables.  What do you see?  Remove route redistribution.  Add default info-originate and verify reachability of 1.1.1.1 from everywhere again.  Look at the routing tables again.  What do you see this time?  Why are either of these techniques preferable to static routes on all internal routers?
    1. No auto-summary
    2. Redistribute static
    3. default-information originate
    4. Debug ip eigrp fsm
    5. Ip summary-address eigrp 1 5.0.0.0 255.0.0.0

Routing - OSPF

  1. Single area OSPF.  Create a 2 router (Ethernet or token ring) ospf area 0.  Log ospf adjacency changes and use stable router IDs (loopbacks).  Set an appropriate bandwidth for the ospf cost calculation.  View ospf neighbors and interfaces.  View ip protocols.  Determine the DR and BDR.  Change them.  Change the hello interval to 5 on one router.  What happens?  Change it on the other.  Change the dead interval to 20 and compare it.  Set up authentication on the link.  Add a third router and set up a default route (static) to it on one router.  Test from both.  Now use default info originate to distribute it.  Test connectivity from both.  Use sh ip ospf int to view the ospf network type (broadcast, point to point, NBMA, etc.).
    1. Log-adjacency-changes
    2. Int lo0 (ip address)
    3. Sh ip ospf (nei, nei det, int)
    4. Debug ip ospf (events, etc…)
    5. Band x
    6. Ip ospf (hello-interval x, dead-interval x)
    7. Default-information originate
    8. Ip ospf pri 50
    9. ip ospf message-digest-key 1 md5 pass (shown as md5 7 <encrypted> in the config once service password-encryption is on)
    10. area 0 authentication message-digest (the message-digest keyword is needed with an MD5 key; plain area 0 authentication selects clear-text keys)
    11. Ip ospf network (? – look at the options here)
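The authentication step of this lab worked through on both routers, added here as an example (not from the handout), with the checks that show the adjacency surviving and the symptom when only one side is keyed. Router names, addresses and the key string are assumed.

```cisco
! Added example, not from the handout. Assumed: R1 and R2 on Ethernet
! 192.168.1.0/24, loopbacks 10.0.0.1 and 10.0.0.2 as stable router ids,
! key id 1 with key string LabKey123 (constructed). Both ends need the same
! key id AND key string, plus the area-level command on both routers.
!
! R1
R1(config)# interface Loopback0
R1(config-if)# ip address 10.0.0.1 255.255.255.255
R1(config-if)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# bandwidth 100000
R1(config-if)# ip ospf message-digest-key 1 md5 LabKey123
R1(config-if)# exit
R1(config)# router ospf 1
R1(config-router)# log-adjacency-changes
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.0.0.1 0.0.0.0 area 0
R1(config-router)# area 0 authentication message-digest
!
! R2: the same, with its own addresses
R2(config)# interface Loopback0
R2(config-if)# ip address 10.0.0.2 255.255.255.255
R2(config-if)# interface FastEthernet0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# bandwidth 100000
R2(config-if)# ip ospf message-digest-key 1 md5 LabKey123
R2(config-if)# exit
R2(config)# router ospf 1
R2(config-router)# log-adjacency-changes
R2(config-router)# network 192.168.1.0 0.0.0.255 area 0
R2(config-router)# network 10.0.0.2 0.0.0.0 area 0
R2(config-router)# area 0 authentication message-digest
!
! Checks. While only one side is configured, log-adjacency-changes shows
! the neighbor dropping from FULL to DOWN after the dead interval (40 s on
! Ethernet) and debug ip ospf adj reports the authentication mismatch.
! Once both sides match, the neighbor returns to FULL.
R1# show ip ospf neighbor
R1# show ip ospf interface FastEthernet0/0
!   (ends with "Message digest authentication enabled" / "Youngest key id is 1")
R1# debug ip ospf adj
!
! Per-interface alternative on newer IOS, instead of the area command:
!   R1(config-if)# ip ospf authentication message-digest
! To rotate keys, add key id 2 on both routers first, then remove key id 1
! on both; the adjacency stays up while both keys exist.
```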


13. Multiarea OSPF.  Set up 2 routers in area 0 and attach a third router in area 1.  The ABR should see all networks.  Use sh ip ospf database and sh ip route to confirm.  What do the other 2 routers see?  Why (what lsa’s are being used in each area)?  Put a number of loopbacks on the area 1 router (perhaps 172.30.0.0/24 through 172.30.7.0/24).  Do those 8 routes propagate everywhere?  Fix it so they do.  Now we will summarize them so the area 0 only router sees only 1 network.  Use the area 1 range command on the ABR to summarize the 8 routes into 1.  What do you see on each router now in the routing table?  Why?  (Hint: the area 0 only router should only have 1 172.30.x.x route.)  Use the sh ip route supernet command.  What does it show you?  (This is CIDR.)


Set up 4 loopback networks on the area 0 only router (172.31.0.0/24 through 172.31.3.0/24).  Inject them into OSPF with a redistribute connected statement rather than by including them in the OSPF network statements.  They should appear in the routing table as E1 routes.  Create 4 more loopbacks as 172.31.8.0/24 through 172.31.11.0/24.  Advertise them in the ospf process (the network statement).  They should appear as inter-area (IA) routes.  All the loopbacks should be reachable from the area 1 router.  Since area 1 now has a way out (and only 1 way out), we don’t need outside routes in its routing table, so we can make it a stub area.  Use the area 1 stub command on both area 1 routers.  Look at the routing table on the area 1 router.  What disappeared?  What appeared?  Is everything still reachable?  Stub areas filter outside (non-ospf) routes and replace them with a default route (the lsa type 5 advertisements disappear).  We can simplify the area even more by making it a totally stubby area (area 1 stub no-sum command) on both routers.  Now what disappeared?  Is everything still reachable?  What type of lsa’s did we lose now?  We can also use the default-info orig command in ospf to advertise a default gateway.  Adding the always keyword means it will advertise itself as the gateway even if it doesn’t have a default route itself.


(Instead of using loopbacks and redistributing connected to import external routes, we could have created static routes – ip route 172.31.0.0 255.255.255.0 null0 – and routed to the bit bucket (the null interface).  Then we would have redistributed static and could have changed the metric with redist static metric x.  This also is a way of routing to supernets with BGP and maintaining route stability without having individual subnets actually up and running.  This also allows the use of the redist static metric type e2 command which fixes the costs throughout the ospf network. E1 routes have costs added as they are distributed throughout the ospf network. )

a. area 1 range x.x.x.x y.y.y.y
b. area 1 stub (no-sum)
c. redist connected subnets
d. redist static metric x
e. redist static metric-type 2 (E2; the keyword is metric-type, not “metric type e2”)
f. default-info orig (always).  The always parameter is called a persistent default route.


14. OSPF point to multipoint over FR (lab 6.9.2b): not at this time, as we don’t have FR equipment.

15. OSPF nssa areas and virtual links.  Configure 3 ospf routers with 1 link in area 0 and 1 in area 99.  On the area 99 only router, configure 4 loopbacks (172.10.0.0/24 through 172.10.3.0/24) and run eigrp on them.  Redistribute eigrp into ospf.  Configure the area 0 only router with a loopback 172.11.0.0/24 and put it in area 1.  What happens to the routes?  Are they reachable from area 0?  With an NSSA (not so stubby area) we want the type 5 lsa’s in areas 0 and 1, but we don’t want to burden area 99 with them.  Add the area 99 nssa no-sum command to both area 99 routers.  What happened?  (Hint: it should have lost the area 1 route, but continue to propagate the eigrp routes to all other areas.  Everything should be reachable from everywhere.)


Use the same 3 router network and addresses, but put the eigrp routes in area 0.  Put the area 0 routes in area 50 and the area 1 routes in area 51.  This is not functional because area 51 is not directly connected to area 0.  Connect it with a virtual link.  Is everything reachable?

a. area x virtual-link y.y.y.y (x is the transit area the link crosses, area 50 in this lab; y is the ospf router id of the ABR at the other end, not its interface address)
b. sh ip ospf virtual-links

Routing IS-IS

16. IS-IS: no labs at this time; our equipment is not capable.

Routing BGP

17. BGP (with NAT).  Configure a router to represent the isp.  It should have a loopback of 1.1.1.1 to simulate an internet destination and use 200.0.0.0/24 to connect to the customer.  Pick your own AS numbers.  Share 1.1.1.0 with the customer.  It will run bgp to learn customer routes.  Configure the customer router to connect to the isp and put a 195.168.0.x loopback network on it.  Share it using bgp.  Make sure it appears in the isp routing table and use extended ping to verify it reaches 1.1.1.1 (no default gateways should be used).  Add a 196.168.1.0 loopback network.  Does it ping 1.1.1.1 (it shouldn’t)?  Why not?  Fix it.


Now we will convert to Nat.  Change the 2 loopbacks to 192.168 networks and allow them to use the nat pool.  Create a nat pool for all of the 222.0.0.0/24 network and advertise it using bgp – note that this is tricky.  Use a default route to reach the ISP rather than advertising the 1.1.1.1 route.  The ISP should only use connected and bgp routes to reach the customer.  Is everything reachable?  What are the advantages of this configuration?

a. router bgp 1
b. network x.x.x.x mask y.y.y.y
c. no sync
d. no auto-summary
e. neighbor x.x.x.x remote-as y
f. sh ip bgp (nei) - also look at the * and . symbols and their meaning
g. clear ip bgp *

18. Dual BGP.  Use the configuration above and add an isp2 router with a 2.2.2.2 loopback for the internet.  Bring up bgp.  Share the 1.1.1.1 and 2.2.2.2 networks with the customer.  The customer should be able to reach both ISPs, but they should not be able to reach each other.  Verify that.  Use the ip default-network command to set a bgp default route (admin distance 20) to isp1.  Use the ip route 0.0.0.0 command with an admin distance of 30 for the backup route.  Both ISPs should be reachable.  Put a 9.9.9.9 loopback on both isps and do not advertise it.  Turn on debug ip packet on both isps and ping 9.9.9.9 from the customer.  Which isp does it go to?  Why?  Shut down the interface to isp1.  Ping again.  Does it go to isp2?  Why?


(Note that this configuration has the potential to make you a transit network, meaning isp1 can send traffic to isp2 through you.  That is bad.  In the security class we will look at distribute lists and access lists and how to prevent that.)

a. ip default-network
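One way to close the transit hole the note above describes, added here as an example (not from the handout) using the outbound distribute list it mentions plus an AS-path filter. AS numbers, the isp2 link address and the customer prefix are assumed; the ISP loopbacks 1.1.1.1 and 2.2.2.2 come from the lab.

```cisco
! Added example, not from the handout. Assumed values: customer AS 65001
! owning 222.0.0.0/24 (the NAT pool network from the lab); isp1 = 200.0.0.1
! in AS 65100; isp2 = 201.0.0.1 in AS 65200 (201.0.0.0/24 is constructed).
!
! Without filters, whatever the customer learns from isp1 (1.1.1.0/24) is
! re-advertised to isp2 with AS path "65001 65100", and vice versa, so the
! customer becomes a transit AS between the two ISPs.
!
! Null0 route so the network statement has a matching route to announce.
Customer(config)# ip route 222.0.0.0 255.255.255.0 Null0
! Standard ACL used as an outbound distribute list: only our own prefix.
Customer(config)# access-list 10 permit 222.0.0.0 0.0.0.255
! AS-path ACL: ^$ matches an empty path, i.e. routes originated in this AS.
Customer(config)# ip as-path access-list 1 permit ^$
Customer(config)# router bgp 65001
Customer(config-router)# no synchronization
Customer(config-router)# no auto-summary
Customer(config-router)# network 222.0.0.0 mask 255.255.255.0
Customer(config-router)# neighbor 200.0.0.1 remote-as 65100
Customer(config-router)# neighbor 200.0.0.1 distribute-list 10 out
Customer(config-router)# neighbor 200.0.0.1 filter-list 1 out
Customer(config-router)# neighbor 201.0.0.1 remote-as 65200
Customer(config-router)# neighbor 201.0.0.1 distribute-list 10 out
Customer(config-router)# neighbor 201.0.0.1 filter-list 1 out
Customer(config-router)# end
! Re-send updates with the new policy without tearing down the sessions.
Customer# clear ip bgp * soft out
!
! Checks: only 222.0.0.0/24 should be advertised to either ISP, and isp2's
! table must not contain 1.1.1.0/24 (nor isp1's 2.2.2.0/24) via 65001.
Customer# show ip bgp neighbors 200.0.0.1 advertised-routes
Customer# show ip bgp neighbors 201.0.0.1 advertised-routes
Isp2# show ip bgp
```

Either filter alone closes the hole; using both means a typo in one list does not quietly reopen it.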

19. BGP with attributes.  Connect 3 routers in 3 different ASs using bgp.  Put a loopback on each end and advertise it throughout.  Look at the path in the bgp routing table.  What ASs does each loopback go through to get to the other end?  Use the nei x.x.x.x remove-private-as command to remove the AS number from each end.  What does the path look like now?  Why might you want to do this?  (In the security class we will use the path attribute to put security on different routes to different ASs (isps).)


Leave one router configured as the isp and configure the other 2 with eigrp, but both having a bgp route to the isp (in a loop).  The ISP will connect using s0 to one router and s1 to the other.  We would like all traffic to use the s0 port into the isp unless it is down.  We now have a problem.  Which way will traffic go from the customer network to the isp?  First, configure bgp between the 2 customer routers.  This is called IBGP (internal BGP).  Make sure no sync is applied.  (You may need the nei x.x.x.x next-hop-self command on this – I’m not sure.)  See page 7-12, lab 9.11.4a, to put on local preference and the MED metric.


ISDN (done remotely or at UM/Helena; Adtran Atlas 550 configuration).

16. BRI using legacy configuration.  Connect the BRI (U) ports from 2 routers to the adtran BRI dialup ports.  (The adtran represents the telephone company and any 2 wire (pin 4 and 5) straight through cable will work.)  The UM/H access router is at 150.131.200.8 and the BRI routers are on ports 2034, 2035, 2040 and 2041.  Configure the ISDN switch type (the adtran is a basic-ni).  Configure the spids with LDNs.  Bring the port up and verify layer 1 and 2 connectivity with the adtran.  Add usernames and secret passwords for each router (like PPP).  Add ip addresses on the same subnet to each bri interface.  Use the dialer-list command to specify interesting traffic (what is that?) and the dialer-group command to apply it to the interface.  Use PPP authentication with chap.  Set the dialer idle timeout.  Configure each bri with a map specifying the other router’s phone number, name and ip address.  Ping between the routers’ bri interfaces.  Note that routing updates will typically keep the link up, so static routes are often used instead.  Can you think of other reasons to allow (or not allow) broadcast traffic?

a. sh isdn status
b. sh isdn active
c. sh isdn history
d. clear interface bri 0 (drops the current calls)
e. (int and global conf) isdn switch-type x
f. int: isdn spid1 xxxxxxxxxxxxxxxxx xxxxxxx
g. dialer idle-timeout 100
h. int: dialer map ip x.x.x.x name x [broadcast] xxxxxxx (phone); the optional broadcast keyword goes before the phone number and allows broadcast traffic (routing updates) on the link.
i. conf: dialer-list 1 protocol ip permit
j. int: dialer-group 1

17.    BRI using Dialers.  Clear the configuration from the previous exercise.  Configure the bri interface with switch type, spids and a dialer pool.  Configure a dialer interface with an ip address, dialer groups, pool members, remote names and phone numbers. Add a timeout of 30 seconds.  Test to make sure it pings.  Add a loopback network on each router and use rip to share the loopbacks.  Look at the routing tables.  Do the loopbacks appear?  Why not?  Fix it.  Do an extended ping from loopback to loopback.  What are the 2 big problems with running rip over isdn (or dialup)?  Optional – try calling 2 different routers.  Try calling 2 routers at the same time.

a. dialer string xxxxxxx (broadcast)
b. dialer remote-name xxx
c. dialer load-threshold 2 either
d. hold-queue 75 in
e. dialer pool-member 1 (on the bri interface)
f. dialer pool 1 (on the dialer interface)


Frame Relay


18. When using a router as a frame switch you must use ietf encap to bring up the lmi or, if using cisco, use a dce clockrate.

19.    a


Queueing?


WAN

  • ccna4, ccnp6 (dialup, isdn, fr), floating static
  • Priority queuing with web services (ccnp1 mod 1, ccnp2)

Set up 2 routers with a serial link and verify ping between them.  What queueing method are they using by default?  What does this mean?  Change it from WFQ to FIFO (or vice versa).  What does that mean?  Change it to priority queueing.  Add a loopback and set priority queueing from that network to high.  Add another loopback and set traffic from it to low priority.  Verify queueing with the appropriate show commands.

a) access-list 1 permit x.x.x.x z.z.z.z (wildcard, i.e. reverse, mask)
b) priority-list 10 protocol ip (high/medium/normal/low) list 1
c) priority-group 10
d) sh int
e) sh queueing int s0
f) sh queueing priority

  • Compression (ccnp2)
  • Broadband (ccnp2)

Advanced Switching/Routing technologies

  • QOS (CCNP 1.4.4, ccnp3)
  • Hsrp (ccnp3)
  • multilayer (ccnp3)
  • Multicasting (ccnp3)


Move this into the network security class –

  • Security and AAA (ccnp2 and 3)
  • Switching acls, layer 2 security/VMPS
  • Routing Acl’s, from ccna2/3 and ccnp1 lab 1.4.3, also reflexive access lists and distribute lists to hide networks.
  • Route maps – ccnp1, ch 8
  • Also consider doing tcp and applications in this class
  • Vpns