
JAN 2013

CONFIDENTIAL

UNIVERSITI KUALA LUMPUR KAMPUS KOTA MALAYSIAN INSTITUTE OF INFORMATION TECHNOLOGY


Name of Course: LAN Switching
Course Code: INB23704
Lecturer: SHAHIDATUL ARFAH BT BAHARUDIN
Semester / Year: JAN 2013 (1/2013)
Date: 5th March 2013
Date Submitted: 12th March 2013
Assessment: ASSIGNMENT 1
Weightage: Report - 10%, Presentation - 5%

Course Outcome to achieve:
1. Explain the switching concepts of Cisco switches.
2. Perform basic switch configurations, Virtual LANs (VLANs), Virtual Trunking Protocol (VTP) and Spanning Tree Protocol (STP) and Inter-VLAN.

Assessment Components:
1. Report - minimum of 10 pages (excluding cover page & appendix)
2. Teamwork Skills (Group of 2) - lecturer's observation
3. Presentation


Task 1 : Chapter 1 Case Study

Objectives:
Describe hierarchical network design
Consolidate the function of the three levels

Instruction:
1. Print output from router and switch:
   i. show running-config and show startup-config (2 marks)
   ii. show ip route (2 marks)
2. Define the solution for the following problem based on the Hierarchy Model. (6 marks)

Intro: Green Inc. is expanding and just got another floor in the building where they have their main office. The new floor will also need to be connected to Green's network and, because no hierarchy layers were used in the first network design, they called you for help.

Topology (original):


The Scenario: As shown in the topology above, no hierarchical design was used. Foreseeing Green's growth, you decided to design an entirely new network based on the hierarchical model in order to deliver performance, scalability and redundancy.

Problem 1 Performance. Within Green Inc.'s network, network 1 users need to frequently access a database stored on Server 1. Network 2 users also frequently access a database stored on Server 2. You take a look at the topology handed to you (shown above) and notice a few performance problems that could easily be solved by a better design. In the topology above, link A is saturated because of traffic from network 1 to server 1 and to the Internet. Link B is also saturated because of traffic from network 2 to server 2 and to the Internet. Link C is heavily used because of traffic from networks 1 and 2 to the servers, and Link D is shared by all users and devices for traffic sent to the Internet.

Problem 2 Scalability. Green's network doesn't scale easily at the moment. The R1 router has no interfaces left and the S1 and S2 switches have all their ports taken. If a new network or department becomes necessary, the current topology won't accept it easily.

Problem 3 Redundancy. Green has no backup links or equipment right now. If any of their links or devices fail, traffic forwarding will be disrupted. Some failures will cause bigger disruptions (an R1 router failure would stop the entire network), others will cause smaller disruptions (a Link A failure would stop network 1 operations), but traffic disruption would happen regardless.

After analyzing Green's network problems, you present a new design created to address Green's main network problems. Your new design is based on the Hierarchical Model.


Task 2: Chapter 2 Case Study

Objectives:
Configure port-security
Enforce the monitor-session concept and configuration

Instruction: Study the following case study and answer Question 1. (4 marks)

Introduction: Green Inc. is experiencing network problems. Helpdesk reports state that all switches frequently stop forwarding frames.

Topology:

The Scenario: As shown in the topology above, Green's network (designed by you) is based on the hierarchical model. Because of that, many redundant links were created. You get to Green's main office and decide to take a look in the wiring closet. The switches are in the problematic non-forwarding state described over the phone. The fact that the switches are presenting the problem right now is good news: troubleshooting intermittent problems can be frustrating.


Step 1 Identifying the problem

All LEDs of the switches are flashing slowly and at the same frequency. Flashing LEDs are never a good sign: they could mean hardware failure, software failure or even an in-progress attack on the switch. Looking at the switches, you have the feeling (yet to be confirmed) that Green's network is under attack. The suspicion of an attack is not completely subjective, though. Based on the pattern of the flashing LEDs and on the behaviour of the switches (not forwarding frames), you suspect that some sort of attack is being performed.

You suspect a PC is running malicious software (like some kind of virus) which is attacking the switch. It is very common for malicious software running on user PCs to generate a very high number of network frames with different source MAC addresses. Such frames, once forwarded to the switch, could overload its MAC forwarding table and keep it from operating correctly.

To test your hypothesis, you connect your laptop to Green's Access Switch 1 and, via the console port, you configure port-security on all switch ports. You adjust the parameters in a way that only allows 1 MAC address per port. With this feature enabled, the switch keeps track of the source MAC address of every single frame which arrives on that port. If the source MAC address on a specific port changes more times than specified in the command, the switch shuts down that port.

The commands to configure port-security are listed below. Note: make sure no trunk ports are included in the range of interfaces (Catalyst access ports are numbered from 0/1, so the range starts at fastethernet 0/1).

    S1# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    S1(config)# interface range fastethernet 0/1 - 24
    S1(config-if)# switchport mode access
    S1(config-if)# switchport port-security
    S1(config-if)# switchport port-security maximum 1
    S1(config-if)# switchport port-security mac-address sticky
    S1(config-if)# switchport port-security violation shutdown
    S1(config-if)# end

This will cause the switch to dynamically learn the source MAC address of the first frame which enters the interface and store it in memory. If a different source MAC address enters that interface (when the application changes the source MAC address to confuse the switch), the switch treats it as a violation and shuts down the interface. A number of source MAC addresses bigger than the number specified in the command is called a violation. A violation leads to port shutdown by default, and the shutdown/no shutdown commands must be used to bring the interface up again. For more information about port-security refer to:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html

Right after you issue the port-security commands, the switch logs on your console window that port fa0/11 went down because of a port-security violation. It looks like you were lucky and got the bad PC on the first access switch you checked. To make sure it was real, you decide to run a protocol analyzer program. You remove all the port-security configuration you just did and bring fa0/11 back up, because you don't want the switch to shut it down while the protocol analyzer is running.
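The following Python model is added here as an illustration and is not part of the assignment or of any Cisco software: it replays a constructed sequence of frames through a simplified MAC table, once without and once with a per-port address limit, so the flooding state described above and the port-security shutdown can be compared side by side. The table capacity, port names and MAC addresses are constructed sample values.

```python
"""Simplified model of a switch MAC table, with and without port-security.
Added example (not part of the assignment); all frames below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessSwitch:
    table_capacity: int                       # constructed: real CAM tables hold thousands
    port_security_max: Optional[int] = None   # None = port-security not configured
    mac_table: Dict[str, str] = field(default_factory=dict)   # src MAC -> port
    err_disabled: Set[str] = field(default_factory=set)
    violations: List[Tuple[str, str]] = field(default_factory=list)

    def receive(self, port: str, src_mac: str) -> str:
        """Process one ingress frame and return what the switch did with it."""
        if port in self.err_disabled:
            return "dropped"                  # port was shut down by a violation
        if self.port_security_max is not None:
            on_port = [m for m, p in self.mac_table.items() if p == port]
            if src_mac not in on_port and len(on_port) >= self.port_security_max:
                # 'switchport port-security violation shutdown': err-disable the port
                self.err_disabled.add(port)
                self.violations.append((port, src_mac))
                return "violation"
        if src_mac not in self.mac_table and len(self.mac_table) >= self.table_capacity:
            # Table full: new stations cannot be learned, so frames to them are flooded
            return "flooded"
        self.mac_table[src_mac] = port
        return "learned"


def constructed_frames(count: int) -> List[Tuple[str, str]]:
    """One legitimate host on fa0/5, then `count` frames from fa0/11 with changing MACs."""
    frames = [("fa0/5", "00:11:22:33:44:55")]
    frames += [("fa0/11", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(count)]
    return frames


def run(port_security_max: Optional[int] = None, capacity: int = 8):
    """Replay the constructed frames and return the switch plus the per-frame actions."""
    sw = AccessSwitch(table_capacity=capacity, port_security_max=port_security_max)
    actions = [sw.receive(port, mac) for port, mac in constructed_frames(20)]
    return sw, actions


if __name__ == "__main__":
    for limit in (None, 1):
        sw, actions = run(port_security_max=limit)
        print(f"port-security maximum={limit}: table size {len(sw.mac_table)}, "
              f"err-disabled {sorted(sw.err_disabled)}, "
              f"{actions.count('flooded')} flooded, {actions.count('dropped')} dropped")
```

Without the limit the table fills and every later frame is flooded; with maximum 1 the second MAC seen on fa0/11 err-disables that port and the other ports keep working.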


Once the port is up and running again, you connect your laptop to a free port on S1 (port fa0/24, in this case) and start a protocol analyzer program called Wireshark. Wireshark will allow you to see all packets flowing through network 1. If a computer is generating malicious traffic, you will be able to see it.

Question 1: You connected your laptop to a switch. A switch has the characteristic of splitting the network into collision domains, and it is correct to assume a different collision domain per switch port. What must be done on the switch to make it possible for a laptop to capture network packets through the switch, since the switch splits the network into many different collision domains?

Step 2 Cleaning up and testing

You got it! Wireshark's output shows many frames with different MAC addresses being injected into port fa0/11. You check the port and learn that only one PC is connected to it. A quick look at the PC reveals that it has a program running in the background which is generating the fake MAC addresses. Such fake addresses are confusing the switch and keeping it from correctly forwarding frames. You shut down the port once more and ask Green's helpdesk staff to clean up the computer.

Because the PC was compromised, the best option when cleaning it up is to unplug it from the network, format the hard disk, reinstall the operating system and software, and install and update an anti-virus program.

Note: If necessary, a data backup must be done before formatting the PC.

Note: Sometimes it is important to know how the attacker gained control of the PC. In those cases the PC must be unplugged from the network and analyzed before the clean-up.

While Green's helpdesk is working on cleaning up the user PC, you decide to enable port-security on all ports once more to keep a major network operation interruption from happening again.


Task 3 : Chapter 3 Case Study

Objectives:
Consolidate the VLAN concept and configuration
Introduce the router-on-a-stick concept and configuration

Instruction: Study the following case and answer Question 1. (1 mark)

Intro: Ajax Enterprise wants to optimize their network and asked you to lead the project.

The Scenario: Ajax increased the number of computers on their network and, because of that, they decided to ensure their network will support it with no impact on performance. Ajax also has no plans to buy new devices now; they want to use the gear they already have. After a study of Ajax's network devices, you decide to implement the topology shown below. The topology uses 3 different VLANs to separate traffic: VLAN10, VLAN20 and VLAN30. The router R1 will route between them.

Topology:

Step 1 Creating a solution

The switch Ajax already has is a layer 2 switch. Since each VLAN will have a different IP subnet, this switch will not be able to route layer 3 packets between the VLANs created on it. In order to route layer 3 packets, a layer 3 network device must be used.


Ajax also has a Cisco 1841 router loaded with an IOS version which supports the 802.1Q trunk protocol, and you decide to use it to route layer 3 packets between VLANs. The idea is to configure R1's fastethernet0/0 to speak the 802.1Q trunk protocol. This will create an 802.1Q trunk link between SW1 and R1 through which traffic from all VLANs will flow. In order to separate VLAN traffic inside R1, sub-interfaces must be created on R1. Once each VLAN has its own sub-interface, R1 will see each VLAN as a regular interface, place its network into its routing table as a directly connected route, and will be able to route between them as usual.

When a user device needs to communicate with another user device within the same VLAN, the switch will forward the frames without R1's help. When devices in different VLANs must communicate (VLAN 10 sending packets to VLAN 30, for example), the switch will use the trunk link to send the frame to R1. R1 will receive the packets via its sub-interface fastEthernet0/0.10 (the sub-interface which represents VLAN 10) and, after checking its routing table, will realize that to reach the destination address it must forward the packet via sub-interface fastEthernet0/0.30. Even though fastEthernet0/0.10 and fastEthernet0/0.30 are part of the same physical interface (fastEthernet0/0), from R1's routing standpoint fa0/0.10 and fa0/0.30 are regular interfaces. This solution is called Router-on-a-stick.

Note: Router-on-a-stick is only possible if the router supports the 802.1Q trunk protocol.

Step 2 Configuring SW1

You decide to begin the configuration with SW1. You connect the console cable to SW1's console port and create all 3 VLANs: VLAN10, VLAN20 and VLAN30. Once the VLANs are created, you assign the switch ports to the correct VLAN. Since port 24 will be the port connected to R1, it must be configured as an 802.1Q link. The VLAN mapping to be used in SW1 is shown below:

    VLAN ID      Ports
    10           1, 2, 3, 4, 5
    20           6, 7, 8, 9, 10
    30           11, 12, 13, 14, 15
    Trunk link   24

The commands are listed below for future reference:

    SW1# vlan database
    SW1(vlan)# vlan 10 name VLAN10 state active
    SW1(vlan)# vlan 20 name VLAN20 state active
    SW1(vlan)# vlan 30 name VLAN30 state active
    SW1(vlan)# exit
    APPLY completed.
    Exiting....
    SW1#
    SW1# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    SW1(config)# interface range fastethernet 0/1 - 5
    SW1(config-if)# switchport mode access
    SW1(config-if)# switchport access vlan 10
    SW1(config-if)# no shut


    SW1(config)# interface range fastethernet 0/6 - 10
    SW1(config-if)# switchport mode access
    SW1(config-if)# switchport access vlan 20
    SW1(config-if)# no shut
    SW1(config)# interface range fastethernet 0/11 - 15
    SW1(config-if)# switchport mode access
    SW1(config-if)# switchport access vlan 30
    SW1(config)# interface fastethernet 0/24
    SW1(config-if)# switchport trunk encapsulation dot1q
    SW1(config-if)# switchport mode trunk
    SW1(config-if)# no shut
    SW1(config-if)# end

Note: on switches that support more than one trunk encapsulation, the encapsulation must be set to dot1q before the port can be placed in trunk mode, which is why the two commands are in that order.

Question 1: What kind of cable must be used to connect SW1 to R1?

Once SW1 is configured, it is time to move on to R1.

Step 2 Configuring R1

You connect your laptop to R1 to configure it. As stated before, interface fastEthernet0/0 must be configured as a trunk link and the cable connected to SW1's fa0/24 port. Also, 3 sub-interfaces must be created on R1 to separate VLAN traffic. You also define the sub-interfaces' encapsulation as 802.1Q. The commands are listed below:

    R1(config)# int fa0/0
    R1(config-if)# no ip address
    R1(config-if)# no shut
    R1(config-if)# int fa0/0.10
    R1(config-subif)# encapsulation dot1q 10
    R1(config-subif)# ip address 192.168.10.1 255.255.255.0
    !
    R1(config-subif)# int fa0/0.20
    R1(config-subif)# encapsulation dot1q 20
    R1(config-subif)# ip address 192.168.20.1 255.255.255.0
    !
    R1(config-subif)# int fa0/0.30
    R1(config-subif)# encapsulation dot1q 30
    R1(config-subif)# ip address 192.168.30.1 255.255.255.0

Note: the number at the end of the encapsulation command represents the VLAN ID and must match the VLAN ID configured on the switch.
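The Python model below is an added illustration, not the assignment's or Cisco's code, of the forwarding decision described in Step 1 and configured above: the 802.1Q tag on the trunk selects the ingress sub-interface, each sub-interface address becomes a connected route, and the destination address selects the egress sub-interface and therefore the tag R1 puts on the frame it sends back to SW1. The sub-interface addresses are the ones configured on R1; the host addresses used in the example are constructed.

```python
"""Model of R1's router-on-a-stick forwarding decision. Added example, not
part of the assignment; sub-interface addresses follow the R1 configuration."""
import ipaddress
from typing import Dict, Optional, Tuple

# sub-interface -> (802.1Q VLAN ID from 'encapsulation dot1q N', interface address)
SUBINTERFACES: Dict[str, Tuple[int, str]] = {
    "fa0/0.10": (10, "192.168.10.1/24"),
    "fa0/0.20": (20, "192.168.20.1/24"),
    "fa0/0.30": (30, "192.168.30.1/24"),
}


def connected_routes(subifs=SUBINTERFACES) -> Dict[str, str]:
    """Each sub-interface's subnet enters the routing table as a connected route."""
    return {str(ipaddress.ip_interface(addr).network): name
            for name, (_, addr) in subifs.items()}


def ingress_subinterface(vlan_tag: Optional[int], subifs=SUBINTERFACES) -> Optional[str]:
    """The tag on the trunk selects the sub-interface; untagged/unknown tags match none."""
    for name, (vid, _) in subifs.items():
        if vid == vlan_tag:
            return name
    return None


def route(vlan_tag: Optional[int], dst_ip: str, subifs=SUBINTERFACES) -> Tuple[str, object]:
    """Return (egress sub-interface, egress VLAN tag), or ('drop', reason)."""
    in_if = ingress_subinterface(vlan_tag, subifs)
    if in_if is None:
        return ("drop", f"no sub-interface for VLAN {vlan_tag}")
    dst = ipaddress.ip_address(dst_ip)
    # longest-prefix match over the connected routes (all /24 here, but kept general)
    matches = [(ipaddress.ip_network(net), name)
               for net, name in connected_routes(subifs).items()
               if dst in ipaddress.ip_network(net)]
    if not matches:
        return ("drop", f"no route to {dst_ip}")
    _, out_if = max(matches, key=lambda m: m[0].prefixlen)
    # Same-VLAN traffic normally never reaches R1 (the switch forwards it), so
    # out_if == in_if only happens for misconfigured hosts; R1 still forwards it.
    return (out_if, subifs[out_if][0])


if __name__ == "__main__":
    # constructed hosts: 192.168.10.7 in VLAN 10 pinging 192.168.30.7 in VLAN 30
    print(route(10, "192.168.30.7"))   # ('fa0/0.30', 30)
    print(route(40, "192.168.10.7"))   # ('drop', 'no sub-interface for VLAN 40')
```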


Step 3 Wrapping up

Once SW1 and R1 are configured to perform router-on-a-stick, you check the user PCs and devices to ensure they all have the proper IP configuration (IP address, default gateway, subnet mask, etc.) for the VLAN they belong to. All user devices must use the R1 sub-interface representing their VLAN as the default gateway. After everything is set, you issue a few pings within the same VLAN and between different VLANs and watch all of them flow successfully.
