The purpose of this exercise is to build Layer 2 (switched) networks utilizing the concepts explained in today’s design presentation. Students will see how star topology, aggregation, Spanning Tree Protocol and VLANs are put to work.
The classroom is divided into 6 groups, with 7 switches per group. We will start off by building a flat campus network to demonstrate some of the key design concepts mentioned in the presentation. The flat network will be numbered out of a single IPv4 /16 address block and a single IPv6 /64 address block.
The IP addresses for the building (Layer 2) devices will be as follows:
Device | IPv4 | IPv6 |
---|---|---|
core1.campusX | 172.2X.0.2/16 | 2001:DB8:X:1::2/64 |
dist1-b1.campusX | 172.2X.0.3/16 | 2001:DB8:X:1::3/64 |
edge1-b1.campusX | 172.2X.0.4/16 | 2001:DB8:X:1::4/64 |
edge2-b1.campusX | 172.2X.0.5/16 | 2001:DB8:X:1::5/64 |
dist1-b2.campusX | 172.2X.0.6/16 | 2001:DB8:X:1::6/64 |
edge1-b2.campusX | 172.2X.0.7/16 | 2001:DB8:X:1::7/64 |
edge2-b2.campusX | 172.2X.0.8/16 | 2001:DB8:X:1::8/64 |
You will need to replace X with the number of your campus group!
Note: The overall architecture can be found in the IP Address Plan.
The following diagram shows the layout of the devices and all the links for each campus:
The following table shows the connections between each device in the campus:
Device | Interface | Remote Device | Remote Interface |
---|---|---|---|
dist1-bY.campusX | GigabitEthernet1/0 | edge1-bY.campusX | GigabitEthernet0/0 |
dist1-bY.campusX | GigabitEthernet1/1 | edge1-bY.campusX | GigabitEthernet0/1 |
dist1-bY.campusX | GigabitEthernet2/0 | edge2-bY.campusX | GigabitEthernet0/0 |
core1.campusX | GigabitEthernet0/0 | bdr1.campusX | GigabitEthernet0/1 |
core1.campusX | GigabitEthernet0/1 | dist1-b1.campusX | GigabitEthernet0/0 |
core1.campusX | GigabitEthernet0/2 | dist1-b2.campusX | GigabitEthernet0/0 |
core1.campusX | GigabitEthernet0/3 | srv1.campusX | ens3 |
bdr1.campusX | GigabitEthernet0/0 | transit1-nren | GigabitEthernet0/X |
bdr1.campusX | GigabitEthernet0/2 | transit2-nren | GigabitEthernet0/X |
Replace Y with your building number and X with your campus number.
The Workshop Instructors will let you know what the lab environment is. It will either be run on a Virtual Platform, or on real physical switches provided in the Training Room.
Refer to the correct document below for information about logging into the devices that have been assigned to you:
VIRTUAL ENVIRONMENT: Virtual Environment Lab Access Instructions
PHYSICAL HARDWARE: Physical Hardware Lab Access Instructions
Our building network consists of a distribution (aggregation) switch and two edge switches. Each building distribution switch connects to the core switch of our campus network and serves as the aggregation point for all the edge switches in that building. Edge switches serve the end users.
Each switch will be named according to the table above: core1.campus1, dist1-b1.campus1, edge2-b1.campus5, etc.
Your group should share out the seven switches amongst the team members and configure each one using the example shown below.
Your switches should be given a basic configuration as follows:
Switch> enable
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# hostname dist1-b1.campusX
dist1-b1.campusX(config)#
Notice how the default Switch(config)# prompt changes to include the hostname of the device.
The rest of the configuration examples throughout these workshop lab notes assume you are in configuration mode (unless otherwise stated).
Cisco devices will by default try a DNS lookup for any name or address typed at the command line. You can see this when doing a trace on a router with no DNS server, or with a DNS server that has no in-addr.arpa entries for the IP addresses. We will turn this lookup off for the labs for the time being to speed up traceroutes.
no ip domain lookup
We will now set the domain name of our campus devices, for future use in this workshop.
ip domain name ws.nsrc.org
More modern Cisco devices have a built-in web server which tends to be turned on by default. Given this is a potential security risk, we will turn it off (both HTTP listening on port 80 and HTTPS on port 443):
no ip http server
no ip http secure-server
By default, Cisco devices will try all available transports if they don’t recognise what is typed at the command line. This behaviour is annoying, especially after a typo during configuration work, so we will disable it completely. We will also set the idle timeout on the console and other lines to 30 minutes: after 30 minutes of no activity on the line, the device will disconnect the session.
line con 0
transport preferred none
exec-timeout 30 0
!
line aux 0
transport preferred none
exec-timeout 30 0
!
line vty 0 4
transport preferred none
exec-timeout 30 0
Note the ! in the configuration snippet above - Cisco IOS uses this as a “comment” line or a separator to space the configuration out and make each section more readable. You will see the ! used in the examples throughout the lab notes. There is no need to type it in when you see it in these examples, as it does nothing.
We will need to change the escape sequence for the console and vtys from the default value of CTRL ^, because that sequence isn’t transmitted by the web interface we use to access the router consoles. Instead we will use CTRL C, which is ASCII 3.
line con 0
escape-character 3
line aux 0
escape-character 3
line vty 0 4
escape-character 3
!
All router usernames should be cndlab with the password being lab-PW. The enable password (which takes the operator into privileged mode, from where configuration is done) needs to be lab-EN[^1].
Please do not change the username or password to anything else, or leave the password unconfigured (access to vty ports is not possible if no password is set). It is essential for a smooth operating lab that all participants have access to all routers.
Recent Cisco IOS (and IOS-XE) software is starting to deprecate the type 5 encryption which has been Cisco’s standard since the mid 1990s. Cisco has introduced a new type 9 encryption (using the scrypt hashing algorithm[^2]), and we will use that on our switches as they support this. Newer software platforms use type 9 by default.
username cndlab algorithm-type scrypt secret lab-PW
!
enable algorithm-type scrypt secret lab-EN
!
service password-encryption
The service password-encryption directive tells the router to encrypt all passwords stored in the router’s configuration (apart from the enable secret[^3], which is already stored in encrypted form).
In order to let you remotely log in to your device in future modules of this workshop, you need to configure a password for all virtual terminal lines.
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
This series of commands tells the router to use the local database for the standard user login (the username/password pair set earlier), and the locally configured enable secret for the enable login. By default, login will be enabled on all vtys so that other teams can gain access.
A vital part of any Internet operational system is to record logs. By default the router will display system logs on the router console. However, this is undesirable for Internet operational routers, as the console is a 9600 baud connection and can place a high processor interrupt load on the router at times of busy traffic on the network. Instead, the router logs can be recorded into a buffer on the router – this takes no interrupt load and it also enables the operator to check the history of what events happened on the router.
no logging console
logging buffer 8192 debug
which disables console logs and instead records all logs in an 8192-byte buffer set aside on the router. To see the contents of this internal logging buffer at any time, use the command show log at the command prompt. Note that the 8192-byte buffer size is the default on many IOS versions, so it is quite likely you will not see the above buffer setting appearing in the running configuration. You could try another size if you wish, for example 4096; a smaller buffer is quicker to scroll through, but obviously a shorter log history is kept.
And we also want to set up improved time-stamping for the log messages as well:
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
which will give resolution down to milliseconds, and include the year as well.
Depending on which environment is used, you will find that your switch might have a default login banner already set. We will modify this so that it is a bit more informative:
banner login ^
Campus Network Design and Operations Workshop Lab
Network Startup Resource Center
^
Note the ^ symbol - this is used as the marker for the start and end of the banner text.
This banner will notify administrators every time they connect to the device. In real life, we’d also include wording about authorised access, authorised use, and that the device is being monitored.
Cisco IOS also supports other banner types, but we will not use any of those in this lab. They are shown for information below:
Switch(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
config-save Set message for saving configuration
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
The use of telnet is considered obsolete, given that everything is sent in the clear when communicating with other devices. This includes passwords and other confidential information.
Cisco devices have telnet enabled by default. We are going to disable telnet and configure the campus devices to use ssh instead. We already created the domain name earlier, so we can now generate the SSH key pair for the device:
crypto key generate rsa modulus 2048
We will use a modulus of 2048 - key sizes supported are 360 to 4096, and a modulus of at least 768 is the minimum for SSH version 2. In real life, we’d probably make the modulus 4096.
Next we set the SSH version to be version 2:
ip ssh version 2
Finally we enable SSH access to our device (disabling telnet at the same time) by:
line vty 0 4
transport input ssh
!
Note that Cisco devices by default have all incoming transports activated; if you try:
Switch(config)#line vty 0 4
Switch(config-line)#transport input ?
all All protocols
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
the device will display the options available. By specifying only ssh, we disable all other incoming transports.
SSHv2 is now configured on the device, and ready to use in future labs.
Network monitoring tools will be demonstrated by the instructors towards the end of the workshop. To allow those tools to access your campus devices, we need to enable SNMP as per the following configuration example which uses SNMPv3 configuration syntax.
SNMP has 3 security levels to choose from as shown in the table below:
SNMP Security Level | Cisco’s name | Authentication | Encryption |
---|---|---|---|
noAuthNoPriv | noauth | no | no |
authNoPriv | auth | yes | no |
authPriv | priv | yes | yes |
Note that Cisco has given them non-standard names. For our lab we’ve chosen the “authNoPriv” (which is secure against active attacks, but allows us to see the SNMP data in tcpdump).
First we create the SNMP group:
snmp-server group ReadGroup v3 auth
Then we define the user “admin” which is a member of this group (the user is what the monitoring system will log in as) including the password “NetManage”:
snmp-server user admin ReadGroup v3 auth sha NetManage
(Note that the definition of the user admin will not appear in the displayed configuration.)
And finally we set the location and make the internal interface index number persist through reboots and the addition or removal of interfaces:
snmp-server location Campus Network Design Workshop
snmp ifmib ifindex persist
If your switch or router doesn’t take the snmp ifmib ifindex command, try this SNMP command instead:
snmp-server ifindex persist
Even though Cisco IOS is one operating system, the implementation details on different platforms can differ. The latter format is the syntax used on routers and older Ethernet switches. Newer Ethernet switches will automatically convert the older format of the command to the newer version.
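Before saving, it is worth checking that the running configuration actually contains everything set above. The following Python script is an added example for these notes, not part of the NSRC lab material or of IOS: it takes the text of show running-config and reports which of the hardening settings from this section are missing or unsafe (HTTP server still on, console logging, missing service password-encryption, type 7 or type 5 credentials, vty lines still accepting telnet, SNMPv1/v2c communities). The two sample configurations and their hash values are constructed placeholders, not output from a real device.

```python
"""Audit a Cisco IOS running-config against the hardening done in this lab.

Added example for these notes, not part of the NSRC lab material: feed it the
text of 'show running-config' and it lists settings that are missing or unsafe
compared with the basic configuration section above.
"""
import re

# Commands that must appear verbatim at the top level, with a check id each.
REQUIRED = {
    "no ip http server": "http-server",
    "no ip http secure-server": "https-server",
    "no logging console": "console-logging",
    "service password-encryption": "password-encryption",
    "ip ssh version 2": "ssh-version",
}

def parse_line_blocks(config):
    """Map each 'line con/aux/vty' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def credential_verdict(cmd):
    """Classify a 'username'/'enable' line by how IOS stored the credential.

    IOS writes the type after the keyword: 'secret 9' is scrypt, 'secret 8'
    PBKDF2-SHA256, 'secret 5' MD5, 'password 7' the reversible type-7 encoding.
    Returns None when the line is acceptable.
    """
    m = re.search(r"\b(secret|password)\s+(?:(\d)\s+)?\S+", cmd)
    if not m:
        return None  # e.g. 'username x privilege 15' carries no credential
    keyword, hash_type = m.groups()
    if keyword == "password":
        kind = "type 7 (reversible)" if hash_type == "7" else "plaintext"
        return f"{kind} password; use 'secret' instead"
    if hash_type in ("8", "9"):
        return None
    if hash_type == "5":
        return "type 5 (MD5) secret; re-enter it with 'algorithm-type scrypt'"
    return "unrecognised secret format"

def audit(config):
    """Return a list of (check id, detail) findings; an empty list means clean."""
    top = [l.rstrip() for l in config.splitlines() if l and not l.startswith(" ")]
    found = [(check, f"missing '{cmd}'") for cmd, check in REQUIRED.items() if cmd not in top]
    for cmd in top:
        verdict = credential_verdict(cmd) if cmd.startswith(("username ", "enable ")) else None
        if verdict:
            found.append(("credential", f"{' '.join(cmd.split()[:2])}: {verdict}"))
        if cmd.startswith("snmp-server community"):
            found.append(("snmp-community", f"SNMPv1/v2c community present: '{cmd}'"))
        if re.match(r"snmp-server group \S+ v3 noauth", cmd):
            found.append(("snmp-noauth", f"v3 group without authentication: '{cmd}'"))
    for name, sub in parse_line_blocks(config).items():
        timeouts = [s for s in sub if s.startswith("exec-timeout")]
        if not timeouts:
            found.append(("exec-timeout", f"line {name}: no idle timeout"))
        elif timeouts[0] == "exec-timeout 0 0":
            found.append(("exec-timeout-disabled", f"line {name}: idle timeout disabled"))
        transport = [s for s in sub if s.startswith("transport input")]
        if name.startswith("vty") and transport != ["transport input ssh"]:
            found.append(("vty-transport", f"line {name}: {transport or 'default (all)'}"))
    return found

# Constructed sample configs, not from a real device; the hashes are placeholders.
WEAK_CONFIG = """\
ip http server
no ip http secure-server
username cndlab secret 9 $9$PLACEHOLDER
username backup password 7 0000PLACEHOLDER
enable secret 5 $1$abcd$PLACEHOLDER
snmp-server community public RO
snmp-server group ReadGroup v3 auth
ip ssh version 2
line con 0
 exec-timeout 30 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip http server
no ip http secure-server
service password-encryption
username cndlab secret 9 $9$PLACEHOLDER
enable secret 9 $9$PLACEHOLDER
no logging console
logging buffered 8192 debugging
ip ssh version 2
snmp-server group ReadGroup v3 auth
line con 0
 exec-timeout 30 0
line vty 0 4
 exec-timeout 30 0
 transport preferred none
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for check, detail in audit(cfg):
            print(f"  [{check}] {detail}")
```

Run against the hardened sample it reports nothing; against the weak sample it reports eight findings, which is the quickest way to confirm that a saved configuration on a lab switch matches what this section asked for. The check only looks at the settings covered in these notes, so an empty result means "consistent with the lab", not "fully audited".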
With the basic configuration in place, save the configuration. To do this, exit from configuration mode by typing end or <ctrl>Z, and at the command prompt enter write memory. If you are prompted [confirm], hit enter again. Note we are including the full prompt, as you’d see if you were configuring the Distribution Switch in Building 1.
dist1-b1.campusX(config)# end
dist1-b1.campusX# write memory
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
Building configuration...
Compressed configuration from 3788 bytes to 1832 bytes[OK]
[OK]
dist1-b1.campusX#
It is highly recommended that the configuration is saved quite frequently to NVRAM. If the configuration is not saved to NVRAM, any changes made to the running configuration will be lost after a power cycle or virtual machine failure.
Log off the switch:
dist1-b1.campusX# exit
and then log back in again. Notice how the login sequence has changed, prompting the user for a username and password, like this:
dist1-b1.campusX con0 is now available
Press RETURN to get started.
User Access Verification
Username:
Note that at each checkpoint in the workshop, you should save the configuration to memory – remember that powering the device off will result in it reverting to the last saved configuration in NVRAM.
Now that we have done the initial configuration of all the switches in our campus, we can configure the Management IP addresses (in IPv4 and IPv6). The following diagram shows the flat network we have just built.
Assign each switch a different IPv4 address and IPv6 address as follows:
interface vlan 1
ip address 172.2X.0.N 255.255.0.0
ipv6 address 2001:DB8:X:1::N/64
no ip redirects
no ip proxy-arp
load-interval 30
no shutdown
end
Replace the X with your group number, and N with the address according to the address plan earlier in the notes. Note the load-interval command, which will calculate the average traffic load on the interface over a 30 second period (rather than over the default 5 minutes).
Verify connectivity by pinging each switch within the building. Do not continue until you can ping each switch from every other switch in the campus.
HINT: If ping fails, but the configuration seems OK, try doing the following:
interface vlan 1
shutdown
no shutdown
end
(this is not normal, but most likely a bug in the IOS code somewhere)
If this still doesn’t work, check your switch configuration to see if you have anything looking like this:
mac-address-table static c40d.5eca.0000 interface GigabitEthernet0/0 vlan 1
For some unknown reason, the switch will on rare occasions add static MAC entries. These often point to the wrong interface. If you have entries like these in your configuration, try shutting down the VLAN 1 interface mentioned, deleting the line by putting a no in front of the offending configuration, and then bringing the VLAN 1 interface back up again. If that doesn’t work (the mac-address-table line is still there), ask your lab instructor.
(this is also not normal, and most likely a bug in the IOS code somewhere)
Question: Are you able to ping all the switches in the network?
If not, check the configuration of your switch and of the other switches as well. All seven switches in the campus should be able to ping each other now.
[^1]: There is the temptation to simply have a username of cisco and password of cisco as a lazy solution to the username/password problem. Under no circumstances must any service provider operator ever use easily guessable passwords such as these on their live operational network. This sentence cannot be emphasized enough. It is quite common for attackers to gain access to networks simply because operators have used familiar or easily guessed passwords.
[^2]: IOS also supports the PBKDF2 hashing algorithm, better known as SHA256. This would appear in the saved configuration as “type 8” encryption.
[^3]: For IOS releases prior to 12.3, the username/secret pair was not available, and operators would have had to configure username/password instead. Do NOT use the username/password combination, nor the enable password directive - these use type-7 encryption, which is not secure at all, whereas the secret uses more secure encryption algorithms.