1 Overview

1.1 Objectives

In this lab you are going to create a simple flat network. This is not a good design for a campus network, but rather is a starting point for improvement!

Here is a diagram of what you are going to build:

(Diagram: Flat campus network)

Each group has a physical switch, an uplink into a virtualized Cisco 7200 border router, and a VM host which is your DHCP server.

Each participant's laptop will take the place of one of the campus buildings (NOC, Admin, etc.). If there are more than six people in a group, choose your own names for the additional buildings.

All buildings are on the same subnet 192.168.0.0/24, and there is NAT at the border so all outbound traffic is NAT'd to the external address of the border router.

1.2 Kit access instructions

2 Make physical connections

Connect the uplink cable into the switch. Also connect an ethernet cable from each participant's laptop into the switch.

If labels are available, label each ethernet cable with the building name.

However, at this point nothing will work, as you have not yet configured your border router or DHCP server.

3 Configure border router

Only one person at a time can make changes on the border router, so nominate someone in your group to work at the console, but work through the configuration together as a group.

Connect to the virtual console port as described under "Kit access instructions". Hit Enter, and answer "no" if you see this prompt:

Would you like to enter the initial configuration dialog? [yes/no]:

More log messages may appear. Hit Enter to get a Router> prompt.

Go into enable mode and configuration mode:

Router>enable
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Now apply the following configuration, remembering to change "X" to your group number. Copy-paste is fine. Lines beginning with "!" are just comments.

! Set the hostname you see in the command line prompt
hostname groupX-border                   << change X

! Set up authentication. These are lab credentials only: "password 0"
! stores the user password in cleartext in the configuration, whereas
! "enable secret" stores a hash. With aaa new-model, logins on the vty
! lines are checked against this local username by default.
aaa new-model
username cisco password 0 cisco
enable secret cisco

! Enable ssh and disable telnet
no ip domain lookup
ip domain-name ws.nsrc.org
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
  transport input ssh

! Configure the external interface
interface FastEthernet0/0
  no shutdown
  description Uplink to REN
  ip address 10.10.0.22X 255.255.255.0   << change X
  no ip redirects
  no ip proxy-arp
  ip nat outside

! Configure the internal interface
interface FastEthernet0/1
  no shutdown
  description Campus network
  ip address 192.168.0.1 255.255.255.0
  ip helper-address 10.10.0.X            << change X
  no ip redirects
  no ip proxy-arp
  ip nat inside

! Configure NAT and default gateway
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.0.254

Once you have done this, exit configuration mode and save your configuration to NVRAM.

groupX-border(config)#end
groupX-border#
*Mar  1 18:49:17.675: %SYS-5-CONFIG_I: Configured from console by console
groupX-border#write
Building configuration...
[OK]

3.1 Testing

Now test what you have done:

4 DHCP server

A real campus network will use a DHCP server to allocate addresses. For this network we will build one using Linux.

A simple DHCP server normally sits on the same subnet as its clients, because clients find it by broadcasting. In our case the DHCP server is on a different subnet (10.10.0.0/24), which is the purpose of the "ip helper-address" statement you configured on the router: the router picks up DHCP broadcasts on FastEthernet0/1, fills in its own interface address (192.168.0.1) as the relay agent address (giaddr), and forwards them as unicast to the DHCP server. The server uses that relay address to decide which subnet to serve the client from, and sends its replies back to it.

Again, since your group only has a single DHCP server, you will need to nominate someone to type the commands.

Login to the DHCP server using the username/password you were given, and become root:

$ sudo -s
[sudo] password for sysadm:
#

4.1 Install dhcp server package

# apt-get update
# apt-get install isc-dhcp-server

Edit the file /etc/default/isc-dhcp-server and amend the INTERFACES line so it looks like this:

INTERFACES="eth0"

Edit the file /etc/dhcp/dhcpd.conf, remove any existing contents and replace with the following:

ddns-update-style none;
option domain-name "ws.nsrc.org";
option domain-name-servers 10.10.0.241;

default-lease-time 3600;
max-lease-time 7200;

log-facility local7;

# This declaration is to enable listening on eth0
# without actually giving out any addresses
subnet 10.10.0.0 netmask 255.255.255.0 {
}

# Now list the remote subnet(s) you wish to serve
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.246;
  option routers 192.168.0.1;
}

Then restart the server:

# service isc-dhcp-server restart

4.2 Static route

There is one special thing you have to do in this lab setup which you wouldn't normally have to do. The DHCP requests relayed by the border router carry the address of the subnet gateway (192.168.0.1), and the DHCP server unicasts its replies back to that address. Your DHCP VM's default gateway (10.10.0.254) knows nothing about the 192.168.0.0/24 network hidden behind your NAT router, so you need to add a static route that points at your group's border router instead.

# route add -net 192.168.0.0/24 gw 10.10.0.22X

(Remember to change "X" to your group number, so it points to your Cisco as the next hop)
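To make the relay behaviour concrete, here is an added example (not part of the original lab, and not code from the Cisco or ISC DHCP software): it constructs a DHCPDISCOVER the way the border router's ip helper-address forwards it, parses the RFC 2131 fixed header, mirrors dhcpd's choice of serving subnet from the lab's dhcpd.conf, and reports where the OFFER will be sent. The client MAC address and transaction id are constructed values; the subnets, pool and gateway are the lab's. Nothing is sent on the wire.

```python
"""Relayed DHCP request: what the server sees and where it replies.

Added example for the lab. Addresses follow the lab; the MAC address
and transaction id are made up for illustration.
"""
import ipaddress
import struct

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
DHCP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"

# Mirror of the lab's dhcpd.conf: the 10.10.0.0/24 declaration has no
# range and only makes dhcpd listen on eth0; 192.168.0.0/24 is served.
SUBNETS = {
    ipaddress.ip_network("10.10.0.0/24"): None,
    ipaddress.ip_network("192.168.0.0/24"): ("192.168.0.10", "192.168.0.246"),
}


def build_discover(client_mac: bytes, giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER as it arrives at the server.

    A relay agent leaves the client's fields alone but fills in giaddr
    with the address of the interface it received the broadcast on
    (192.168.0.1 in the lab) and increments hops.
    """
    relayed = giaddr != "0.0.0.0"
    hdr = struct.pack(
        DHCP_HDR,
        1, 1, 6, 1 if relayed else 0,   # BOOTREQUEST, Ethernet, 6-byte MAC, hops
        xid, 0, 0x0000,                 # secs, flags (broadcast bit clear)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr unset
        ipaddress.ip_address(giaddr).packed,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = MAGIC + bytes([53, 1, 1]) + bytes([255])  # option 53 = DISCOVER, end
    return hdr + options


def parse_header(pkt: bytes) -> dict:
    """Decode the fields the server needs from the fixed header."""
    (op, _htype, hlen, hops, xid, _secs, flags,
     ciaddr, _yiaddr, _siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(DHCP_HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "ciaddr": str(ipaddress.ip_address(ciaddr)),
        "giaddr": str(ipaddress.ip_address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def select_subnet(giaddr: str):
    """dhcpd serves a relayed request from the subnet containing giaddr,
    not from the subnet its own interface sits on."""
    addr = ipaddress.ip_address(giaddr)
    for net, pool in SUBNETS.items():
        if addr in net:
            return net, pool
    return None, None


def reply_destination(hdr: dict) -> tuple:
    """Where the server unicasts OFFER/ACK (RFC 2131 section 4.1).

    With giaddr set the reply goes to the relay on port 67, so the DHCP
    VM must have a route to 192.168.0.0/24; that is the static route
    added in this lab.
    """
    if hdr["giaddr"] != "0.0.0.0":
        return hdr["giaddr"], 67
    if hdr["ciaddr"] != "0.0.0.0":
        return hdr["ciaddr"], 68
    return "255.255.255.255", 68


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("0242ac110002"), "192.168.0.1")  # constructed MAC
    hdr = parse_header(pkt)
    net, pool = select_subnet(hdr["giaddr"])
    print(f"DISCOVER from {hdr['chaddr']} via {hdr['giaddr']}: serve from {net}, pool {pool}")
    print("reply unicast to %s:%d" % reply_destination(hdr))
```

Run it and compare with the "via 192.168.0.1" you will see in the dhcpd log: the server never sees the laptop's broadcast, only the relay's unicast, and its answer is addressed to 192.168.0.1, which is exactly the address the static route makes reachable.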

To make this route persistent, so that it comes up even if your VM reboots, edit /etc/network/interfaces as follows:

... (keep the loopback interface) ...

auto eth0
iface eth0 inet dhcp
       # Disable UDP checksum offloading on virtio; it breaks when
       # packets traverse Dynamips
       post-up ethtool --offload eth0 tx off

       # Static routes to internal networks
       post-up route add -net 192.168.0.0/24 gw 10.10.0.22X
       pre-down route del -net 192.168.0.0/24 gw 10.10.0.22X

This will automatically add the route when the eth0 interface is brought up.

4.3 Testing

Now test what you have done.

The following two commands will monitor the dhcp server operation and any inbound/outbound DHCP packets. Run them in two separate windows.

Now plug in a laptop to the switch. If necessary, unplug the laptop for 5 seconds and reconnect it. Check if it receives an IP address and DNS server address from the DHCP server.

Each laptop should get a different 192.168.0.N IP address, and they should all get 10.10.0.241 as their DNS server. They should have full Internet connectivity.
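As an added check (not part of the original lab, and not a tool shipped with ISC dhcpd), the script below reads dhcpd's syslog lines and verifies the three things this test is about: every DHCPACK arrived via the border router's relay address, every address handed out is inside the configured pool, and no two laptops ended up with the same address. The log lines embedded in it are constructed to look like real dhcpd output, with the last two lines deliberately showing a duplicate and a lease from the wrong subnet; the MAC addresses and hostname are made up. The DNS server option is not logged by dhcpd, so that part of the test still has to be checked on the laptop.

```python
"""Sanity-check dhcpd log lines from the lab's DHCP server.

Added example for the lab. The sample log is constructed; run against
real output with: grep dhcpd /var/log/syslog | python3 thisfile.py
"""
import ipaddress
import re
import sys

# dhcpd log formats, e.g.
#   DHCPACK on 192.168.0.10 to 02:42:ac:11:00:02 (hostname) via 192.168.0.1
#   DHCPDISCOVER from 02:42:ac:11:00:09 via 192.168.0.1: network 192.168.0.0/24: no free leases
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<via>\S+)"
)
NOFREE_RE = re.compile(r"DHCPDISCOVER from (?P<mac>\S+) via (?P<via>\S+): network \S+: no free leases")

# Values from the lab's dhcpd.conf and router configuration
POOL = (ipaddress.ip_address("192.168.0.10"), ipaddress.ip_address("192.168.0.246"))
RELAY = "192.168.0.1"

# Constructed sample: three good laptops, then a duplicate address and a
# lease that was not relayed at all (served directly on eth0).
SAMPLE_LOG = [
    "Mar  1 19:02:11 dhcp dhcpd: DHCPDISCOVER from 02:42:ac:11:00:02 via 192.168.0.1",
    "Mar  1 19:02:12 dhcp dhcpd: DHCPOFFER on 192.168.0.10 to 02:42:ac:11:00:02 via 192.168.0.1",
    "Mar  1 19:02:12 dhcp dhcpd: DHCPREQUEST for 192.168.0.10 (192.168.0.1) from 02:42:ac:11:00:02 via 192.168.0.1",
    "Mar  1 19:02:12 dhcp dhcpd: DHCPACK on 192.168.0.10 to 02:42:ac:11:00:02 via 192.168.0.1",
    "Mar  1 19:03:40 dhcp dhcpd: DHCPACK on 192.168.0.11 to 02:42:ac:11:00:03 (noc-laptop) via 192.168.0.1",
    "Mar  1 19:05:07 dhcp dhcpd: DHCPACK on 192.168.0.11 to 02:42:ac:11:00:04 via 192.168.0.1",
    "Mar  1 19:06:30 dhcp dhcpd: DHCPACK on 10.10.0.77 to 02:42:ac:11:00:05 via eth0",
]


def check_dhcp_log(lines, pool=POOL, relay=RELAY):
    """Return (leases, problems): the latest DHCPACK per MAC, and a list
    of human-readable findings. An empty problem list means the lab's
    expectations hold for the lines given."""
    leases = {}
    problems = []
    for line in lines:
        m = NOFREE_RE.search(line)
        if m:
            problems.append(f"pool exhausted for {m['mac']} via {m['via']}")
            continue
        m = ACK_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if m["via"] != relay:
            problems.append(f"{m['mac']} acked via unexpected relay {m['via']}")
        if not (pool[0] <= ip <= pool[1]):
            problems.append(f"{m['mac']} got {ip}, outside pool")
        leases[m["mac"]] = str(ip)
    # Each laptop should hold its own address. (On a long-running server a
    # reused address after lease expiry is normal; in this lab it is not.)
    owner = {}
    for mac, ip in leases.items():
        if ip in owner:
            problems.append(f"{ip} handed to both {owner[ip]} and {mac}")
        owner.setdefault(ip, mac)
    return leases, problems


if __name__ == "__main__":
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    leases, problems = check_dhcp_log(lines)
    for mac, ip in sorted(leases.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        print(f"{ip:<16} {mac}")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```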

5 Switch

Notice that you have not yet done any configuration on the switch! It is just behaving like an unmanaged switch, forwarding frames between its ports.

If you have spare time, you can give it a management IP address so you can manage it over the network.

Connect to it using a serial console, and configure a management IP address on the "Vlan1" interface:

interface Vlan1
  ip address 192.168.0.2 255.255.255.0
ip default-gateway 192.168.0.1

You should also be able to configure a hostname, authentication and ssh in the same way as you did for the router. Note that on this flat network the switch's management address, like the router's 192.168.0.1, sits on the same subnet as every laptop, so the ssh login is the only thing between a user and the switch configuration.

6 Conclusion

Congratulations, you have built a flat network! It works with the small number of devices you have connected. However, can you describe why this is not a good design for a larger campus network?