In this lab, you are going to convert a flat network into a full routed network, by using the layer 3 features of the switch you have.
Rather than building a new network from scratch, we will convert the existing network step-by-step, so that each step can be rolled back individually if it doesn't work, aiming to keep any disruption as localised as possible.
Work together closely in your group, to make sure you all know what's happening at each step. Since you all have your laptops on the wired network, you will be able to tell if you have broken your campus!
The network we are aiming to build looks like this:
Routed campus network
Notice how the core switch has turned into a core router. We will do this by using its layer 3 features.
hostX.ws.nsrc.org
. The username and password are given out in classEach group has a block of "public" IP addresses 100.64.X.0/24 (where X is your group number), and will be using private addresses from the 10.0.0.0/8 range.
We have designed the following VLAN and addressing plan for you to use:
Building | Network | VLAN | IPv4 | NAT to | IPv6 |
---|---|---|---|---|---|
- | Fallback NAT | - | - | 100.64.X.140 | - |
NOC | Servers | 2 | 100.64.X.0/25 | - | fd12:3456:X:2::/64 |
NOC | P2P border-core | 3 | 100.64.X.128/30 | - | fd12:3456:X:3::/64 |
Admin (1) | Wired | 10 | 10.1.0.0/24 | 100.64.X.141 | fd12:3456:X:a::/64 |
Library (2) | Wired | 20 | 10.2.0.0/24 | 100.64.X.142 | fd12:3456:X:14::/64 |
Science (3) | Wired | 30 | 10.3.0.0/24 | 100.64.X.143 | fd12:3456:X:1e::/64 |
Business (4) | Wired | 40 | 10.4.0.0/24 | 100.64.X.144 | fd12:3456:X:28::/64 |
Arts (5) | Wired | 50 | 10.5.0.0/24 | 100.64.X.145 | fd12:3456:X:32::/64 |
Extend this plan in the obvious way if you have additional "buildings".
Rationale:
10.<bldg>.0.0/16
for each building; this makes it easy to tell which building an addres belong to, just by looking at the second number.This plan allows for 255 buildings before you have to subdivide IP blocks, and 409 buildings before you have to subdivide the VLAN ranges; it should suit a moderately large campus.
Before we start renumbering buildings, it is worth getting the NAT rules ready. Our plan has a separate public IP address for each building subnet. This has two big advantages:
We are also going to be using public addresses in parts of our network, and it's important that NAT is not used for those.
Apply the following configuration on the border router:
ip nat pool NAT140 100.64.X.140 100.64.X.140 prefix-length 25
ip nat pool NAT141 100.64.X.141 100.64.X.141 prefix-length 25
ip nat pool NAT142 100.64.X.142 100.64.X.142 prefix-length 25
ip nat pool NAT143 100.64.X.143 100.64.X.143 prefix-length 25
ip nat pool NAT144 100.64.X.144 100.64.X.144 prefix-length 25
ip nat pool NAT145 100.64.X.145 100.64.X.145 prefix-length 25
ip nat pool NAT146 100.64.X.146 100.64.X.146 prefix-length 25
ip nat inside source list 141 pool NAT141 overload
ip nat inside source list 142 pool NAT142 overload
ip nat inside source list 143 pool NAT143 overload
ip nat inside source list 144 pool NAT144 overload
ip nat inside source list 145 pool NAT145 overload
ip nat inside source list 146 pool NAT146 overload
ip nat inside source list 199 pool NAT140 overload
access-list 141 permit ip 10.1.0.0 0.0.0.255 any
access-list 142 permit ip 10.2.0.0 0.0.0.255 any
access-list 143 permit ip 10.3.0.0 0.0.0.255 any
access-list 144 permit ip 10.4.0.0 0.0.0.255 any
access-list 145 permit ip 10.5.0.0 0.0.0.255 any
access-list 146 permit ip 10.6.0.0 0.0.0.255 any
! Lab workaround: do not NAT anything coming from 10.10.0.X address
access-list 199 deny ip 10.10.0.0 0.0.0.255 any
! NAT anything else with a private source IP
access-list 199 permit ip 10.0.0.0 0.255.255.255 any
access-list 199 permit ip 172.16.0.0 0.15.255.255 any
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
Do a "show run". The configuration probably still includes your existing NAT config:
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
(Optionally you could remove this; if so, these users would start using the new "fallback address" .140 for their NAT public address)
CHECKPOINT: Ensure that your clients on 192.168.0 are still able to access the Internet. To check what IP address they are being NAT'd to, make an ssh connection from a client to your DHCP VM. Then inside the VM, use the commands "w" and "netstat -nt" to see the source IP address of the connection.
In a real network, you could just point a browser to a site such as "whatsmyip.org". In the lab this doesn't work because we have a second layer of NAT.
Save your changes on the border router (write
); do this after every successful change.
Note that all of our NAT rules explicitly match some private IP address. This means that public IP addresses should not be NAT'd. Note also that the NAT rule for NAT140 covers a wider range than the other rules, so it should only be used for addresses which don't have their own specific rules.
Changing NAT can be tricky to perform on a running router. You may not be able to remove a NAT rule while it is being used. You can clear the NAT state table, but it will be immediately re-populated if there are users on the network. You may need to temporarily disconnect the border while you make the change
Considering layer 3 (routing) only, our starting point looks like this:
+--------+
| Border |
+--------+
|192.168.0.1
|
| 192.168.0.0/24
--+---+-+-+---+---------------
| | | |
.. buildings ..
Note that the core switch doesn't appear in this diagram, because it is not doing any routing.
So the first step we can make is to introduce one new routed subnet. Let's add the new NOC Server network (vlan 2), routed via the core switch, which is about to become the core router.
+--------+
| Border |
+--------+
|192.168.0.1
|
+--- ..
+--- buildings
+--- ..
|
|192.168.0.2 (vlan 1)
+------+
| Core |
+------+
|100.64.X.1 (vlan 2)
|
| 100.64.X.0/25
------+-+---------------------
|
NEW SERVER
So what do we have to do? On the core switch, firstly you need to create vlan 2. "show vlan" will show what VLANs you already have.
! On NEW cisco switches this is done in configuration mode:
conf t
vlan 2
! On OLD Cisco switches there is a separate vlan config mode:
vlan database
vlan 2
exit
Now in configuration mode (conf t
), turn on IP routing globally, and assign routing addresses on Vlan1 and Vlan2 (you may already have done this for Vlan1 as a management address)
ip routing
interface Vlan1
description Legacy network
ip address 192.168.0.2 255.255.255.0
no ip redirects
no ip proxy-arp
interface Vlan2
description NOC Server network
ip address 100.64.X.1 255.255.255.128
no ip redirects
no ip proxy-arp
Now select a port on the switch which you're not currently using (say port 30), and bring out this new vlan on that port.
interface Fa0/30
switchport access vlan 2
Plug a laptop into this port, and give it a static IP address 100.64.X.2
with netmask 255.255.255.128
and gateway 100.64.X.1
From this laptop:
Why not? Think about it, and look at the output of show ip route
on both the core router and the border router. What's missing?
Answer: the core router knows how to reach the 192.168.0.0/24 network (because it's connected to it), but the border router doesn't know how to reach the 100.64.X.0/25 network. So let's fix that:
! On the BORDER router
ip route 100.64.X.0 255.255.255.128 192.168.0.2
While we're at it, the core router also needs to know how to reach other networks, and the old "ip default-gateway" doesn't work for this when routing is enabled.
! On the CORE router
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip default-gateway
CHECKPOINT: check that your test laptop on the new NOC Server network is able to ping 10.10.0.241 (which is on the upstream network). If not, debug.
Aside: we haven't set up DHCP on this network, but a server network wouldn't normally have DHCP anyway
Meanwhile, confirm that all the other clients are still working on the old 192.168.0 network and blissfully unaware of the changes which are taking place.
IMPORTANT: this new network is on public IP addresses and we need to make sure that its outgoing connections are not being subject to NAT!
This should be the case, because our NAT rules explicitly match only private addresses.
To test this, SSH from your test laptop on the new server network to the DHCP server, then type "w" and "netstat -nt" to see the IP address that you are logging in from. This should be the 100.64.X.2 address, not the outside address of the router.
In a real network, you would now renumber your servers one by one, moving them from the 192.168.0.0/24 network onto the new 100.64.X.0/25 network. We will not concern ourself with server renumbering here.
Look at your network now, and check you understand how it is working. Realise that the core switch is now performing two different functions:
A layer 3 switch can be configured to do both roles simultaneously, which is useful while we migrate the network, but in the end we want to end up with a simpler configuration where it is only routing.
Let's now do our first real building. (Maybe in reality you would do the building with the president's office last, not first :-)
+--------+
| Border |
+--------+
|192.168.0.1
|
+--- ..
+--- other buildings
+--- ..
|
|192.168.0.2 (vlan1)
(vlan10)+------+
10.1.0.1| |100.64.X.1 (vlan2)
-----+-----| Core |-----+------
| | | |
NEW ADMIN +------+ NEW SERVER
We can prepare for this change without affecting the users, by creating the new VLAN and assigning it to a spare port, and testing until we're happy.
! On the CORE router
vlan 10
interface Vlan10
description Admin building staff wired network
ip address 10.1.0.1 255.255.255.0
ip helper-address 10.10.0.X
no ip redirects
no ip proxy-arp
You need to tell your DHCP server about the new subnet so it will allocate addresses for it. This needs to be done for every building you migrate.
Edit /etc/dhcp/dhcpd.conf
and add:
subnet 10.1.0.0 netmask 255.255.255.0 {
option routers 10.1.0.1;
range 10.1.0.10 10.1.0.246;
}
Do service isc-dhcp-server restart
, and tail /var/log/syslog
to check there are no errors reported.
In our lab you also need to add a static route on the DHCP server. It should be sufficient to add a single static route covering all your private address space in one go:
# route add -net 10.0.0.0/8 gw 10.10.0.22X
You can make this persistent in /etc/network/interfaces
if you wish.
The border will need a static route to reach the new network.
! On the BORDER router
ip route 10.1.0.0 255.255.255.0 192.168.0.2
Pick a spare port, let's say port 31.
interface FastEthernet0/31
switchport access Vlan10
This allows you to connect a test laptop without affecting the live building.
CHECKPOINT: Give it a complete test. Does the laptop pick up an IP address from the new range? Is it being routed correctly, including to the outside world? Does it NAT to 100.64.X.141 (the NAT address for this new subnet?) If not, debug the problem. Remember that the live admin building has still not been affected at this point.
Finally, locate the port where the Admin building is connected, and make the change.
interface FastEthernet0/NNN
switchport access Vlan10
Note that all the clients in this building will now be on the wrong subnet (they will have 192.168.0 IP addresses until their DHCP lease expires). So you may need to restart them, or temporarily shut down the network ports they are connected to, to force them to pick up a new IP address.
If you are being smart, you would have first reduced the lease time on the DHCP server to (say) 5 minutes, and waited for the old lease time to pass, before making the change. This would guarantee that all devices would pick up a new IP address within 5 minutes.
Note also that you may have some devices on static IP addresses which need manually locating and changing. The best way to locate them is to plug a laptop into another port on Vlan10 (i.e. your test port), configure it statically with an IP address from the old range (192.168.0.N), and then do an IP scan using a tool like "AngryIP" for Windows, or "nmap" for Linux (nmap -sP -n 192.168.0.0/24
)
This will show you any devices on that subnet which have addresses from the old range; your ARP table will then show you the MAC addresses and you can trace them using the mac-address-table in your switches.
This is now starting to look very much like a real routed campus network.
Notice that the link between the core and border routers is still the old, unreliable 192.168.0.0/24 network with most of the campus buildings on it, and therefore a network problem will still affect even the new subnets.
We could leave it there until all the other buildings have been renumbered, but that could take a long time. So instead, we're going to move the old 192.168.0.0/24 network behind the core router now, so it looks like this:
+--------+
| Border |
+--------+
|100.64.X.129
|
|100.64.X.130 (vlan3)
(vlan10)+------+
10.1.0.1| |100.64.X.1 (vlan2)
-----+-----| Core |-----+------
NEW ADMIN | | NEW SERVER
+------+
|192.168.0.1 (vlan1)
|
--+---+-+-+---+--
| | | |
.. other buildings ..
Notice how the 192.168.0.1 address is moving onto the Core router. The core router will become the default gateway for the 192.168.0.0/24 network, instead of the border router.
Furthermore, the Core router is going to be responsible for relaying the DHCP broadcasts from the 192.168.0.0/24 users.
This change does require a network-wide outage, although it's still a relatively small number of steps which can be easily reversed.
Firstly, on the core router, create vlan 3 with the correct IP address and netmask.
! On the CORE router
vlan 3
interface Vlan3
description point-to-point to border
ip address 100.64.X.130 255.255.255.252
no ip redirects
no ip proxy-arp
At this point, we are going to have to break the network. Make sure you have CONSOLE connections to both the core router and the border router (get somebody to put their laptop on wireless to access the border router's console port)
Renumber the inside interface of the border router:
! On the BORDER router
interface Fa0/1
description point-to-point to core
ip address 100.64.X.129 255.255.255.252
Find which port the border router connects to on the core router, and change it to be in vlan 3.
! On the CORE router
interface FastEthernet0/NNN << uplink to border
switchport access vlan 3
At this point, the border and core should be able to ping each other on their new IP addresses - test this. (e.g. on core, ping 100.64.X.129)
However the connectivity to the rest of the campus is still broken. You need to move the 192.168.0.1 IP address onto the core router, and enable DHCP relay:
! On the CORE router
interface vlan1
ip address 192.168.0.1 255.255.255.0
ip helper-address 10.10.0.X
And you need to set up static routes in both directions. The border router needs routes to all networks which are behind the core router:
! On the BORDER router
ip route 192.168.0.0 255.255.255.0 100.64.X.130
no ip route 100.64.X.0 255.255.255.128 192.168.0.2
ip route 100.64.X.0 255.255.255.128 100.64.X.130
no ip route 10.1.0.0 255.255.255.0 192.168.0.2
ip route 10.1.0.0 255.255.255.0 100.64.X.130
And the core router needs a new default route to the outside world:
! On the CORE router
no ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 0.0.0.0 0.0.0.0 100.64.X.129
After this, check from the core router you can ping upstream address 10.10.0.241.
In principle all the campus should be working again. However, the default gateway 192.168.0.1 is on a different device with a different MAC address. Client devices may have the wrong MAC address in their ARP tables. You can manually clear the ARP table on those devices (arp -d
).
You might also shutdown and unshut the port they are connected to:
interface FastEthernet0/NNN << port where laptop is connected
shutdown
! wait 5 seconds
no shutdown
This will force them to re-DHCP, and therefore checks that DHCP is working. If not, debug (see previous exercise for how to check DHCP logs)
CHECKPOINT: Ensure that everyone is working again, i.e. everyone on the 192.168.0 network and the new NOC network has full connectivity.
We know that all the buildings will have either 100.64.X.0/24 public addresses or 10.0.0.0/8 private addresses. The border will need to have routes to reach them.
Rather than adding a separate static route for each subnet, we can add big routes which cover the entire address space we have available:
! On the BORDER
ip route 10.0.0.0 255.0.0.0 100.64.X.130
ip route 100.64.X.0 255.255.255.0 100.64.X.130
! now you can remove the more specific routes you have
no ip route 10.1.0.0 255.255.255.0 100.64.X.130
no ip route 100.64.X.0 255.255.255.128 100.64.X.130
However there is a downside: if someone pings an unused address, the packet may bounce back and forth between the border router and the core (which has a default route pointing back at the border).
We can solve this problem by adding a Null0 route on the core:
! On the CORE
ip route 10.0.0.0 255.0.0.0 Null0
ip route 100.64.X.0 255.255.255.0 Null0
Now packets for unused addresses will arrive at the core and be discarded.
CHECKPOINT: After this change, make sure everything is still working.
Now you've successfully moved one building onto its new routed subnet, repeat for all the other buildings, one at a time.
Eventually there will be no users left on the 192.168.0.0 network, and no access ports in Vlan1. You can then remove the IP address and helper from Vlan1. Since Vlan1 is the default VLAN, you may or may not be able to remove it entirely from the switch. You can also remove the NAT for 192.168.0.0/24 on the border router, if you have not done so already.
# Basic setup
hostname <NAME>
!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nsrc secret nsrc
enable secret nsrc
service password-encryption
line vty 0 15
transport preferred none
line console 0
transport preferred none
!
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing
# Enable ssh
ip domain-name ws.nsrc.org
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
transport input ssh
# Disable VTP and PVST (Cisco proprietary protocols), use MST/RSTP instead
vtp mode transparent
spanning-tree mode mst
# Set root bridge priority to 4096
spanning-tree mst 0 4096
# List VLANs/create a VLAN
show vlan
# Create a VLAN (new software)
vlan 10
# Create a VLAN (old software - not in configuration mode)
vlan database
vlan 10
exit
# Configure a switch port as access port to a VLAN
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
# Configure a switch port as a tagged trunk
interface FastEthernet0/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30
# Enable layer 3 functionality
ip routing
# Create an router IP interface on a VLAN
interface Vlan10
ip address 192.0.2.1 255.255.255.0
# Enable DHCP relay
interface Vlan10
ip helper-address 6.7.8.9
# Show forwarding table
show ip route
# Add static route
ip route 10.10.1.0 255.255.255.0 1.2.3.4
# Add default route
ip route 0.0.0.0 0.0.0.0 1.2.3.4
# Shutdown a port (to force client to re-DHCP)
interface FastEthernet0/1
shutdown
! wait about 5 seconds
no shutdown
# ARP cache manipulation
show ip arp
clear ip arp
/etc/dhcp/dhcpd.conf
service isc-dhcp-server restart
grep dhcpd /var/log/syslog
For each subnet you want to serve, add a subnet declaration like this.
subnet 10.1.1.0 netmask 255.255.255.0 {
option routers 10.1.1.1;
option subnet-mask 255.255.255.0;
option domain-name "ws.nsrc.org";
option domain-name-servers 10.10.0.241; # this is the class DNS server
range 10.1.1.10 10.1.1.246;
default-lease-time 300;
max-lease-time 300;
}
tcpdump -i eth0 -nnev -s0 udp port 67
The server should only be listening on the eth0
interface. This is defined in /etc/default/isc-dhcp-server
To add a static route:
route add -net x.x.x.x/x gw y.y.y.y
To make this change persist across reboots, edit /etc/network/interfaces
and add lines like this:
auto eth0
iface eth0 inet dhcp
post-up route add -net x.x.x.x/x gw y.y.y.y
pre-down route del -net x.x.x.x/x gw y.y.y.y