In this lab you are going to create a simple flat network. This is not a good design for a campus network, but rather is a starting point for improvement!
Here is a diagram of what you are going to build:
Flat campus network
Each group has a physical switch, an uplink into a virtualized Cisco 7200 border router, and a VM host which is your DHCP server.
Each participant's laptop will take the place of one of the campus buildings: NOC, Admin etc. If there are more than six people in a group, choose your own names for the additional buildings.
All buildings are on the same subnet 192.168.0.0/24, and there is NAT at the border so all outbound traffic is NAT'd to the external address of the border router.
Your group's VM host is hostX.ws.nsrc.org (change X to your group number). The username and password are given out in class.
Connect the uplink cable into the switch. Also connect an ethernet cable from each participant's laptop into the switch.
If labels are available, label each ethernet cable with the building name.
However at this point nothing will work, as you have not configured your border router or DHCP server.
Only one person can be making changes on the border router, so nominate someone in your group to work at the console, but work together as a group.
Connect to the virtual console port as described under "Kit access instructions". Hit Enter, and answer "no" if you see this prompt:
Would you like to enter the initial configuration dialog? [yes/no]:
More log messages may appear. Hit Enter to get a Router> prompt.
Go into enable mode and configuration mode:
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Now apply the following configuration, remembering to change "X" to your group number. Copy-paste is fine. Lines beginning with "!" are just comments.
! Set the hostname you see in the command line prompt
hostname groupX-border << change X
! Set up authentication
aaa new-model
username cisco password 0 cisco
enable secret cisco
! Enable ssh and disable telnet
no ip domain lookup
ip domain-name ws.nsrc.org
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
transport input ssh
! Configure the external interface
interface FastEthernet0/0
no shutdown
description Uplink to REN
ip address 10.10.0.22X 255.255.255.0 << change X
no ip redirects
no ip proxy-arp
ip nat outside
! Configure the internal interface
interface FastEthernet0/1
no shutdown
description Campus network
ip address 192.168.0.1 255.255.255.0
ip helper-address 10.10.0.X << change X
no ip redirects
no ip proxy-arp
ip nat inside
! Configure NAT and default gateway
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.0.254
Once you have done this, exit configuration mode and save your configuration to NVRAM. Two things in this configuration are acceptable for the lab but not for production: access-list 101 only selects which source addresses are translated, it filters nothing, so the uplink interface has no inbound access control at all; and "username cisco password 0 cisco" stores the password in clear text in the configuration (username cisco secret cisco would store a hash instead, as enable secret already does).
groupX-border(config)#end
groupX-border#
*Mar 1 18:49:17.675: %SYS-5-CONFIG_I: Configured from console by console
groupX-border#write
Building configuration...
[OK]
Now test what you have done: from the router, check that both interfaces are up (show ip interface brief) and that you can ping the default gateway 10.10.0.254.
A real campus network will use a DHCP server to allocate addresses. For this network we will build one using Linux.
Although a simple DHCP server normally sits on the same subnet as the clients, in our case the DHCP server is on a different subnet. This is the purpose of the "ip helper-address" statement you configured on the router: the router picks up each DHCP broadcast from the campus subnet, sets the relay-agent (giaddr) field to its own address 192.168.0.1, and forwards the request as a unicast to the helper address. The server uses giaddr to decide which subnet to allocate from, and sends its reply back to that address.
Again, since your group only has a single DHCP server, you will need to nominate someone to type the commands.
Login to the DHCP server using the username/password you were given, and become root:
$ sudo -s
[sudo] password for sysadm:
#
Then install the ISC DHCP server package (ISC DHCP reached end of life at the end of 2022 and Kea is its successor, but this lab uses the classic server):
# apt-get update
# apt-get install isc-dhcp-server
Edit the file /etc/default/isc-dhcp-server and amend the INTERFACES line so it looks like this:
INTERFACES="eth0"
Edit the file /etc/dhcp/dhcpd.conf, remove any existing contents and replace with the following:
ddns-update-style none;
option domain-name "ws.nsrc.org";
option domain-name-servers 10.10.0.241;
default-lease-time 3600;
max-lease-time 7200;
log-facility local7;
# This declaration is to enable listening on eth0
# without actually giving out any addresses
subnet 10.10.0.0 netmask 255.255.255.0 {
}
# Now list the remote subnet(s) you wish to serve
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.246;
option routers 192.168.0.1;
}
Then restart the server (dhcpd -t checks the file for syntax errors first; on systemd-based distributions systemctl restart isc-dhcp-server is equivalent):
# service isc-dhcp-server restart
There is one special thing you have to do in this lab setup which you wouldn't normally have to do. The DHCP packets from the border router are sent with a source address of the subnet gateway (192.168.0.1), and the replies go back to this address. Because your DHCP VM can't reach this address via its default gateway, you need to add a static route so that it can.
# route add -net 192.168.0.0/24 gw 10.10.0.22X
(Remember to change "X" to your group number, so it points to your Cisco as the next hop. The iproute2 equivalent is ip route add 192.168.0.0/24 via 10.10.0.22X.)
To make this route persistent, so that it comes up even if your VM reboots, edit /etc/network/interfaces as follows:
... (keep the loopback interface) ...
auto eth0
iface eth0 inet dhcp
# Disable UDP checksum offloading on virtio; it breaks when
# packets traverse Dynamips
post-up ethtool --offload eth0 tx off
# Static routes to internal networks
post-up route add -net 192.168.0.0/24 gw 10.10.0.22X
pre-down route del -net 192.168.0.0/24 gw 10.10.0.22X
This will automatically add the route when the eth0 interface is brought up. On newer releases the route command (part of net-tools) may not be installed by default; post-up ip route add 192.168.0.0/24 via 10.10.0.22X does the same job.
Now test what you have done.
The following two commands will monitor the dhcp server operation and any inbound/outbound DHCP packets. Run them in two separate windows.
tail -f /var/log/syslog
tcpdump -i eth0 -nnv -s0 udp port 67
Now plug a laptop into the switch. If necessary, unplug the laptop for 5 seconds and reconnect it. Check whether it receives an IP address and DNS server address from the DHCP server.
Each laptop should get a different 192.168.0.N IP address, and they should all get 10.10.0.241 as their DNS server. They should have full Internet connectivity.
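The following script is an added example for this lab, not part of the original page: it checks, on the DHCP server VM, that the static route to the campus subnet is really present, and summarises the same dhcpd syslog lines that tail -f shows, listing which leases were acknowledged and via which relay agent, and counting requests that arrived via a relay other than your border router (a stray relay pointing at your server is worth investigating). The routing table and log lines in it are constructed sample input; they assume group 1, so the router's uplink address is 10.10.0.221 and the server is 10.10.0.1, and the rogue relay 10.10.0.99 is invented for the example.

```shell
#!/bin/sh
# Added example for this lab (not part of the original page): two checks you
# can run on the DHCP server VM once the relay is in place.
#   1. route_ok: is the static route to the campus subnet really present?
#   2. acks / unexpected_relays: summarise what dhcpd logged to syslog and
#      flag requests that arrived via a relay agent other than your router.
# The sample routing table and log lines below are constructed for the
# example and assume group 1 (X=1), so the router uplink is 10.10.0.221.

# route_ok SUBNET NEXTHOP ROUTES
# ROUTES is the text of "ip route"; succeeds only if SUBNET is reached via
# exactly NEXTHOP (field comparison, so no regex wildcard surprises).
route_ok() {
    printf '%s\n' "$3" | awk -v net="$1" -v gw="$2" \
        '$1 == net && $2 == "via" && $3 == gw { found = 1 }
         END { exit !found }'
}

# acks: read dhcpd syslog lines on stdin, print "ip mac relay" for each lease
# that was actually acknowledged (DHCPACK). dhcpd logs "via" followed by the
# relay agent address (giaddr) for relayed requests, or the interface name
# for requests that arrived directly.
acks() {
    awk '/dhcpd.*DHCPACK on/ {
            ip = mac = relay = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on")  ip    = $(i + 1)
                if ($i == "to")  mac   = $(i + 1)
                if ($i == "via") relay = $(i + 1)
            }
            print ip, mac, relay
        }'
}

# unexpected_relays OKRELAY: count DISCOVER/REQUEST messages whose relay
# agent is neither OKRELAY (your border router) nor the local interface eth0.
unexpected_relays() {
    awk -v ok="$1" '/dhcpd.*(DHCPDISCOVER|DHCPREQUEST)/ {
            relay = ""
            for (i = 1; i <= NF; i++) if ($i == "via") relay = $(i + 1)
            sub(/:$/, "", relay)          # "via 10.10.0.99:" in error messages
            if (relay != ok && relay != "eth0") n++
        }
        END { print n + 0 }'
}

# Constructed sample input: what "ip route" and "tail -f /var/log/syslog"
# might show on the group 1 server. 10.10.0.99 is an invented rogue relay.
SAMPLE_ROUTES='default via 10.10.0.254 dev eth0
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.1
192.168.0.0/24 via 10.10.0.221 dev eth0'

SAMPLE_LOG='Mar  1 18:50:01 host1 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via 192.168.0.1
Mar  1 18:50:01 host1 dhcpd[1234]: DHCPOFFER on 192.168.0.10 to 00:11:22:33:44:55 via 192.168.0.1
Mar  1 18:50:02 host1 dhcpd[1234]: DHCPREQUEST for 192.168.0.10 (10.10.0.1) from 00:11:22:33:44:55 via 192.168.0.1
Mar  1 18:50:02 host1 dhcpd[1234]: DHCPACK on 192.168.0.10 to 00:11:22:33:44:55 via 192.168.0.1
Mar  1 18:51:10 host1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:cc:dd:ee via 10.10.0.99
Mar  1 18:51:10 host1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:cc:dd:ee via 10.10.0.99: network 10.10.0.0/24: no free leases'

# Run against the sample. On the live server use instead:
#   route_ok 192.168.0.0/24 10.10.0.22X "$(ip route)"
#   acks < /var/log/syslog
#   unexpected_relays 192.168.0.1 < /var/log/syslog
if route_ok 192.168.0.0/24 10.10.0.221 "$SAMPLE_ROUTES"; then
    echo "static route to 192.168.0.0/24 via 10.10.0.221: present"
else
    echo "static route to 192.168.0.0/24 via 10.10.0.221: MISSING"
fi
echo "leases acknowledged (ip mac relay):"
printf '%s\n' "$SAMPLE_LOG" | acks
echo "requests via an unexpected relay: $(printf '%s\n' "$SAMPLE_LOG" | unexpected_relays 192.168.0.1)"
```

The last two sample lines show what a request arriving via an unknown relay looks like: dhcpd picks the subnet containing the giaddr, which here is the empty 10.10.0.0/24 declaration, so it answers "no free leases" rather than handing out a campus address.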
Notice that you have not yet done any configuration on the switch! It's just being completely dumb.
If you have spare time, you can give it a management IP address so you can manage it over the network.
Connect to it using a serial console, and configure a management IP address on the "Vlan1" interface:
interface Vlan1
ip address 192.168.0.2 255.255.255.0
ip default-gateway 192.168.0.1
You should also be able to configure a hostname, authentication and ssh in the same way as you did for the router. Note that this puts the switch's management interface on the same subnet as every laptop, so any user can reach its ssh port; keep that in mind for the question below.
Congratulations, you have built a flat network! It works with the small number of devices you have connected. However, can you describe why this is not a good design for a larger campus network?