1 Initial setup

Each group is provided with a layer 3-capable switch, but in its out-of-the-box default flat switch configuration. There is an uplink to a Linux virtual machine which is acting as border router and DHCP server.

1.1 Layer 1/2 diagram

           |eth0
      +----+---+
      | Border |
      | Router/|
      |  DHCP  |
      +----+---+
           |eth1
           |
           |vlan1
    +------+------+
    |    Core     |
    |   Switch    |
    +--+---+---+--+
       |   |   |vlan1
       |   |   |
      [=] [=] [=]

        LAPTOPS

1.2 Layer 3 diagram

In this diagram, replace X with your group number.

        ^
        |10.10.0.X
     +--+---+
     | RTR/ |
     | DHCP |
     +--+---+
        |.254
        |                 Subnet 192.168.X.0/24
  ------+----+---+---+--------------------------- 
             |   |   |  DHCP .10-.246
             |   |   |  pool
            [=] [=] [=]

             LAPTOPS

2 Initial setup

Everyone in the group should connect their laptop to their group's switch with a CAT5 cable, and turn off their wireless interface.

Check that:

• Everyone picks up an IP address 192.168.X.0/24
• Everyone is able to route to the Internet

Each laptop represents a "building" in the campus network. Give each laptop a designation like "Library", "Computer Lab", "President's Office" etc.

Copy out the layer 1 diagram and annotate it showing which switch port corresponds to which building.

If sticky labels are available, also label each CAT5 cable with the building name.

3 Design

You are now going to design, on paper, a new routed campus network.

• Draw a new layer 3 diagram for the desired final campus network. This will have a router in the middle, which is your layer 3 switch. (This device doesn't appear in the original layer 3 diagram because it wasn't acting as a router).
• You should have one routed network per building, and a server network. You may also need a link network between your core router and the border router.
• Draw up an addressing plan, showing which subnets you have allocated for which purpose. The range 10.1X.0.0/16 is available to you, where X is your group number; you may allocate as many subnets as you need from this range. It's up to you whether you retain your existing 192.168.X.0/24 range somewhere in your network, or renumber out of it.
• Allocate IP addresses to anything which has a fixed IP (e.g. router interfaces) and include these on your layer 3 diagram.
• Think about the forwarding tables on each device. Where will default route point? Does any device need static routes in addition to default route?
• Since your core router is a layer 3 switch, also allocate a VLAN ID for each subnet. Avoid using VLAN ID 0 or 1 as these typically have special purposes in switches.

When you have finished it, show your design to the instructors. Some of you may be asked to explain it in front of the class.

4 Planning

You are now going to make a plan for converting your original network into the final network, step by step.

It may be helpful to start by brainstorming all the changes which will be required, and then assemble them into a usable sequence of steps.

Points to remember:

• Make small incremental changes, not a big-bang rebuild
• Plan to migrate one building at a time. For example, one building can move to a new subnet while the other buildings still remain on the 192.168.X.0/24 subnet and are unaffected.
• At key points make a new layer 1/2 or layer 3 diagram as appropriate, showing what has changed
• Include test steps, and explain how you would perform the tests
• Make sure you're clear how each step would be rolled back
• Identify steps which will cause an outage to the network and who will be affected

Again, when you have finished, show your plan to the instructors. You may also be asked to explain it in front of the class.

5 Rollout

Go ahead and implement your plan to reconfigure your campus!

Try to minimise outages to the laptops (buildings).

You do not need to complete the entire set of changes, but aim to get at least one "building" on a new IP range and routed through the core router. Check that it is still able to ping people who are on the old network.

5.1 Lab access instructions

• Windows users may want to download putty.exe for use as an ssh, telnet and serial console client.
• Your group's layer 3 switch is completely unconfigured. You will need to access it initially using a serial console cable. You are free to make whatever configuration changes you like, including enabling telnet/ssh.
• The router/DHCP server can be accessed by ssh to 192.168.X.1. You are free to reconfigure this however you like. You should also be able to get to it as 10.10.0.X on the wireless network. If you completely lock yourself out, ask the instructor who can get a serial console onto it in the VM environment.
• Usernames and passwords for the router/DHCP server will be given out in the class.
• It is very helpful to install wireshark (Windows) or be able to use tcpdump (Linux/OSX) for examining packets going to and from your laptop.

6 Useful notes

6.1 Cisco configuration

# Basic setup
hostname <NAME>
!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nsrc secret nsrc
enable secret nsrc
service password-encryption
line vty 0 4
 transport preferred none
line console 0
 transport preferred none
!
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing

# Enable ssh
ip domain-name ws.nsrc.org
crypto key generate rsa 2048
ip ssh version 2
line vty 0 4
 transport input ssh

# Disable VTP and PVST (Cisco proprietary protocols), use MST/RSTP instead
vtp mode transparent
spanning-tree mode mst

# Set root bridge priority to 4096
spanning-tree mst 0 4096

# List VLANs/create a VLAN
show vlan
vlan database
 vlan 10
 exit

# Configure a switch port as access port to a VLAN
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access

# Configure a switch port as a tagged trunk
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk

# Enable layer 3 functionality
ip routing

# Create an router IP interface on a VLAN
interface Vlan10
 ip address 192.0.2.254 255.255.255.0

# Enable DHCP relay
interface Vlan10
 ip helper-address 6.7.8.9

# Show forwarding table
show ip route

# Add default route
ip route 0.0.0.0 0.0.0.0 1.2.3.4

# Shutdown a port (to force client to re-DHCP)
interface FastEthernet0/1
 shutdown
 ! wait about 5 seconds
 no shutdown

# ARP cache manipulation
show ip arp
clear ip arp

6.2 Linux configuration

6.2.1 Routing

• To add a static route:

  route add -net x.x.x.x/x gw y.y.y.y

• To make this change persist across reboots, edit /etc/network/interfaces and add lines like this:

  auto eth1
  iface eth1 inet static
  address 192.168.X.254
  netmask 255.255.255.0
  post-up route add -net x.x.x.x/x gw y.y.y.y
  pre-down route del -net x.x.x.x/x gw y.y.y.y

6.2.2 DHCP server

• The configuration file is /etc/dhcp/dhcpd.conf
• After config changes, restart using service isc-dhcp-server restart
• Logs can be viewed using grep dhcpd /var/log/syslog

• For each subnet you want to serve, add a subnet declaration like this.

  subnet 10.1.1.0 netmask 255.255.255.0 {
    option routers 10.1.1.254;
    option subnet-mask 255.255.255.0;
    option domain-name "ws.nsrc.org";
    option domain-name-servers 10.10.0.241;   # this is the class DNS server
    range 10.1.1.10 10.1.1.246;
    default-lease-time 300;
    max-lease-time 300;
  }

• You can monitor DHCP traffic using tcpdump -i eth1 -nnev -s0 udp port 67

• The server should only be listening on the eth1 interface. This is defined in /etc/default/isc-dhcp-server