
CASE STUDY 1: ANALYZING THE PERFORMANCE OF VARIOUS CONFIGURATIONS AND PROTOCOLS IN LAN.

1.1. Establishing a Local Area Network (LAN)


The main objective is to set up a Local Area Network. The concepts involved are IP addressing and the Address Resolution Protocol (ARP). The required equipment is three PCs equipped with at least one NIC each, one HUB or Switch, and the necessary cables, addressed as follows:

Host A  192.168.1.1
Host B  192.168.1.2
Host C  192.168.1.3
(all three connected to the Switch/HUB)

Once the physical LAN is set up, the hosts are configured using the ifconfig command, and the ping command is used to verify communication among the machines. Next, the routing tables at the hosts are manipulated to understand how machines know where to send packets. Since the ifconfig command places a default route into the routing table, this route is deleted to "blindfold" the machine; the ping command is used again to show that communication is no longer available. To re-establish communication, the routes are put back into the routing table one host at a time, and communication is once again verified using the ping command.

REQUIREMENTS:
1. 3 Windows PCs or 3 Linux PCs; each PC must have one NIC card.
2. 1 Switch (8 port) or 1 Hub.
3. 3 straight LAN (cat-5) cables with RJ-45 connectors.
4. Power supply.
5. Class C IP addresses, using static IP configuration.
6. Basic network configuration commands for the Switch and PCs.
7. Cisco Packet Tracer 6.0.1.

PROCEDURES:
1. Open the CISCO PACKET TRACER software.
2. Draw the three PCs using the End Device icons.
3. Draw the CISCO 24-port Switch using the Switch icon list.
4. Make the connections using Straight-Through Ethernet cables.
5. Enter the IP address on each machine.
6. Check the IP address of every PC using the ipconfig or ifconfig command.
7. Check the connections using the ping command.
8. View the MAC address table.

PHYSICAL CONNECTIONS :

PC-1 IP ADDRESS :

PC-2 IP ADDRESS :

PC-3 IP ADDRESS :

VIEW THE SWITCH MAC ADDRESS TABLE :

Command Line View: Switch#show mac-address-table

Graphical View :

ARP Table For Switch : ARP is the mapping between Layer 3 (IP) addresses and Layer 2 (MAC) addresses. Since our switches are Layer 2 devices and the pings stay on the same network, there is no ARP cache on the switches; a switch only learns which MAC address sits behind which port.

PING PC 1 - PC 2 : ping is a network utility command. The ping tool uses the Internet Control Message Protocol (ICMP); ping is used to verify the connection between the source PC and the destination PC.

C:\>ping 192.168.1.3

PING PC 1 - PC 3 : C:\>ping 192.168.1.3
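Added example (written for this edit, not part of the lab manual or of Packet Tracer): a small Python model of what the switch and the hosts do during the pings above. The switch learns source MACs per port and floods frames whose destination is broadcast or not yet learned; the hosts resolve IP to MAC with ARP before sending the ICMP echo. The MAC addresses and port numbers are constructed sample values; the IP addresses are the three from section 1.1.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac, what `arp -a` shows


@dataclass
class Switch:
    ports: dict                                      # port number -> Host
    mac_table: dict = field(default_factory=dict)    # mac -> port, `show mac-address-table`

    def forward(self, in_port, frame):
        """Learn the source MAC on the ingress port, then return the egress ports."""
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            # broadcast or unknown unicast: flood out every port except the ingress one
            return sorted(p for p in self.ports if p != in_port)
        return [self.mac_table[frame.dst_mac]]


def ping(switch, src, dst_ip):
    """One ICMP echo from host `src` to `dst_ip`, preceded by ARP when the cache is cold.
    Returns [(description, egress ports)] for every frame the switch handled."""
    log = []
    port_of = {h.name: p for p, h in switch.ports.items()}
    if dst_ip not in src.arp_cache:
        req = Frame(src.mac, BROADCAST, f"ARP who-has {dst_ip}")
        out = switch.forward(port_of[src.name], req)
        log.append((req.payload, out))
        for p in out:
            target = switch.ports[p]
            if target.ip == dst_ip:
                target.arp_cache[src.ip] = src.mac      # the target learns the asker too
                rep = Frame(target.mac, src.mac, f"ARP {dst_ip} is-at {target.mac}")
                log.append((rep.payload, switch.forward(p, rep)))
                src.arp_cache[dst_ip] = target.mac
    if dst_ip not in src.arp_cache:
        # nobody answered the ARP request: the ping fails before any ICMP is sent
        log.append((f"ARP for {dst_ip} unanswered: destination unreachable", []))
        return log
    echo = Frame(src.mac, src.arp_cache[dst_ip], f"ICMP echo to {dst_ip}")
    log.append((echo.payload, switch.forward(port_of[src.name], echo)))
    return log


def build_lan():
    """Constructed sample LAN in the shape of section 1.1: three PCs on one switch."""
    pc1 = Host("PC-1", "192.168.1.1", "00:11:11:11:11:11")
    pc2 = Host("PC-2", "192.168.1.2", "00:22:22:22:22:22")
    pc3 = Host("PC-3", "192.168.1.3", "00:33:33:33:33:33")
    return Switch(ports={1: pc1, 2: pc2, 3: pc3}), (pc1, pc2, pc3)


if __name__ == "__main__":
    sw, (pc1, pc2, pc3) = build_lan()
    for what, ports in ping(sw, pc1, pc3.ip):
        print(f"{what:40} -> ports {ports}")
    print("mac-address-table:", sw.mac_table)
    print("PC-1 arp cache:", pc1.arp_cache)
```

Running it shows three things the screenshots above only hint at: the MAC address table contains only hosts that have transmitted (PC-2 never does, so it stays absent until it sends a frame), the ARP caches live on the PCs while the switch keeps none, and a ping to an address nobody owns fails at the ARP step before any ICMP leaves the host.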

OSI LAYER ARCHITECTURE :

INPUT PROTOCOL DATA UNIT (PDU):

OUTPUT PROTOCOL DATA UNIT (PDU):

RESULT: Thus the experiment was configured successfully.

1.2. Connecting two LANs using multi-router topology with static routes :
The main objective is to extend the routing connection by using multiple routers. The concepts include IP addressing and basic network routing principles. Two LANs are connected in the topology. During router configuration, attention is paid to the types of interfaces, as additional issues are involved with set-up; for example, the serial interfaces require clocking mechanisms to be set correctly. Once the interfaces are working, the ping command is used to check for communication between the LANs. The failure of communication illustrates the need for routes to be established inside the routing infrastructure. Static routes are used to show how packets can be transported through any reasonable route. Traceroute is run on two different configurations to demonstrate the implementation of different routes.

REQUIREMENTS:
1. 4 Windows PCs or 4 Linux PCs; each PC must have one NIC card.
2. 2 Switches (8 port) or 2 Hubs.
3. 6 straight LAN (cat-5) cables with RJ-45 connectors.
4. Power supply.
5. Class C IP addresses, using static IP configuration.
6. Basic network configuration commands for the Router, Switch and PCs.
7. Cisco Packet Tracer 6.0.1.
8. 2 Cisco Routers (Model 1841).
9. 1 serial cable for the router-to-router connection.

PROCEDURES:
1. Open the CISCO PACKET TRACER software.
2. Draw the 4 PCs using the End Device icons.
3. Draw the 2 CISCO 24-port Switches using the Switch icon list.
4. Draw the 2 Cisco 1841 Routers using the Router icon list.
5. Make the connections using Straight-Through Ethernet cables.
6. Configure Routers R1 and R2.
7. Enter the IP address on each machine.
8. Configure static routing on each router.
9. Configure RIP routing on each router.
10. Check the IP address of every PC using the ipconfig or ifconfig command.
11. Check the connections using the ping command.
12. View the MAC address table.
13. View the ARP table.
14. View the routing table.

PHYSICAL CONNECTIONS :

Physical Connection

ROUTER R1 CONFIGURATION
Router#
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#exit
Router(config)#interface Serial0/0/0
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#

SET THE CLOCK RATE
Router(config)#interface serial0/0/0
Router(config-if)#clock rate ?
  Speed (bits per second):  1200  2400  4800  9600  19200  38400  56000  64000  72000  125000  128000  148000  250000  500000  800000  1000000  1300000  2000000  4000000
  <300-4000000>  Choose clockrate from list above
Router(config-if)#clock rate 72000

ADDING STATIC ROUTING:
Router(config)#ip route <Destination Network> <Destination Network Subnet Mask> <Next Hop Address>
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2

ADDING RIP ROUTING:
Router#config terminal
Router(config)#router rip
Router(config-router)#network 192.168.1.0
Router(config-router)#network 20.0.0.0

(Note: the clock rate takes effect only on the DCE end of the serial cable; the DTE side ignores it. Also, no interface on R1 or R2 belongs to 20.0.0.0, so the "network 20.0.0.0" statement enables RIP on nothing; to carry RIP updates across the serial link the serial network 192.168.3.0 would have to be listed instead. The static routes configured below are what actually connects the two LANs in this exercise.)

ROUTER R2 CONFIGURATION
Router#
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#exit
Router(config)#interface Serial0/0/0
Router(config-if)#ip address 192.168.3.2 255.255.255.0
Router(config-if)#

SET THE CLOCK RATE
Router(config)#interface serial0/0/0
Router(config-if)#clock rate ?
  Speed (bits per second):  1200  2400  4800  9600  19200  38400  56000  64000  72000  125000  128000  148000  250000  500000  800000  1000000  1300000  2000000  4000000
  <300-4000000>  Choose clockrate from list above
Router(config-if)#clock rate 72000

ADDING STATIC ROUTING:
Router(config)#ip route <Destination Network> <Destination Network Subnet Mask> <Next Hop Address>
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1

ADDING RIP ROUTING:
Router#config terminal
Router(config)#router rip
Router(config-router)#network 192.168.2.0
Router(config-router)#network 20.0.0.0

PC CONFIGURATION:
PC-1>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::2E0:8FFF:FEBC:1B4C
  IP Address......................: 192.168.1.2
  Subnet Mask.....................: 255.255.255.0
  Default Gateway.................: 192.168.1.1

PC-2>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::260:2FFF:FE61:B37C
  IP Address......................: 192.168.1.3
  Subnet Mask.....................: 255.255.255.0
  Default Gateway.................: 192.168.1.1

PC-3>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::250:FFF:FE6D:ED85
  IP Address......................: 192.168.2.2
  Subnet Mask.....................: 255.255.255.0
  Default Gateway.................: 192.168.2.1

PC-4>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::201:64FF:FE76:7A08
  IP Address......................: 192.168.2.3
  Subnet Mask.....................: 255.255.255.0
  Default Gateway.................: 192.168.2.1

ROUTER R1 RUNNING CONFIGURATION:
Router>enable
Router#show running-config
Building configuration...

Current configuration : 703 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0/0/1
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 20.0.0.0
 network 192.168.1.0
!
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#

ROUTER R2 RUNNING CONFIGURATION:
Router>enable
Router#show running-config
Building configuration...

Current configuration : 703 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.3.2 255.255.255.0
!
interface Serial0/0/1
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 20.0.0.0
 network 192.168.2.0
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.3.1
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#

ROUTER R1 ROUTE TABLE:

Router#sh ip route

ROUTER R2 ROUTE TABLE:

Router#sh ip route

SHOW R1 ROUTER ARP TABLE:

SHOW R2 ROUTER ARP TABLE:

SHOW PC ARP TABLE:

OSI LAYER ARCHITECTURE: R1 ROUTER

R2 ROUTER

INPUT PROTOCOL DATA UNIT (PDU):

OUTPUT PROTOCOL DATA UNIT (PDU):

OUTPUT: c:\>ping 192.168.2.2

c:\>ping 192.168.1.3

RESULT: Thus the experiment was configured successfully.

1.3 Analyzing the performance of various configurations and protocols

Original TCP versus the modified one: the aim is to compare the performance of TCP with congestion control against TCP as implemented. The main objective is for students to examine how TCP responds to a congested network. The concepts involved in the lab include network congestion and the host responsibilities for communicating over a network. This lab requires three PCs connected to a switch. One PC is designated as the target host and the other two PCs transfer a file from the target host using FTP. A load is placed on the network to simulate congestion and the file is transferred, first by the host using the normal TCP and then by the host using the modified version. This procedure is performed multiple times to determine average statistics. The students are then asked to summarize the results and draw conclusions about the performance differences and the underlying implications for hosts operating in a network environment.

REQUIREMENTS:
1. One Linux (Fedora) virtual PC.
2. Two Windows (XP) virtual PCs.
3. One Windows 7 PC with VMware Workstation.
4. FTP application layer protocol.
5. TCP transport layer protocol.
6. Internet connection.
7. VMware Workstation 9.0.2.
8. Wireshark-win32-1.10.0rc1.
9. Class C IP addresses.

FILE TRANSFER PROTOCOL: File Transfer Protocol (FTP) is the standard mechanism provided by TCP/IP for copying a file from one host to another.

PROCEDURE: Start the 3 virtual machines one by one.

WINDOWS XP VIRTUAL PC-1

WINDOWS XP VIRTUAL PC-2

LINUX VIRTUAL PC

Make the Internet connectivity available to your system. Log in to the Linux virtual machine. Log in to the Windows XP virtual machine. Open the terminal window on your Linux machine.

Login to the root user account

Assign the IP address 192.168.1.5
# ifconfig

Install the VSFTPD ftp server package
# yum install vsftpd

TEXT MODE INSTALLATION

GRAPHICAL MODE INSTALLATION

Enable the vsftpd Server at boot
# chkconfig vsftpd on

Start the vsftpd Service.
# service vsftpd start

Check the vsftpd Service status
# service vsftpd status

Add tcp protocol entries (FTP data port 20 and control port 21) to our iptables.
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
View the iptables rules
# iptables -L

Enable the Linux Machine Firewall
# setup
Enable the FTP protocol in your firewall configuration window.

Windows XP PC-1 IP Address: Assign the IP address 192.168.1.2 to your first Windows XP PC
c:\>ipconfig

Assign the IP address 192.168.1.3 to your second Windows XP PC

FTP SERVER CONFIGURATION: Edit the ftp server configuration file.
# vi /etc/vsftpd/vsftpd.conf

Make some changes and add some lines to your vsftpd.conf configuration file
local_root=public_html
use_localtime=YES

Add the usernames to the chroot_list file
# vi /etc/vsftpd/chroot_list

Add your username: fedora

Restart the vsftpd Service

Check the vsftpd service status

Set the SELinux Boolean values
# setsebool -P ftp_home_dir=1

Turn on the SELinux boolean for anonymous FTP write
# setsebool -P allow_ftpd_anon_write on

Check the Boolean status
# getsebool allow_ftpd_anon_write

Restart the FTP Server
# service vsftpd restart

TEXT MODE : Go to XP PC-1. Open your command prompt window and type the following command:
C:\>ftp 192.168.1.5
Enter your Linux user name and password to log in to the Linux machine.

At the ftp> prompt, the ls command lists the Linux files. Copy a particular file using the recv command:

ftp> recv sample
The file has been copied successfully.

Paste the files

VIEW THE FILE CONTENT:

GUI MODE : Open Internet Explorer and type the following text in the address bar:
ftp://192.168.1.5

Enter the Linux machine user name and password at the login prompt.

Your Linux machine has been opened in your web browser; from here you can take any file from your Linux machine.

COPY THE FILE: Select the file. Copy the selected file. Paste it on your Windows XP desktop.

PASTE THE FILE

VIEW THE FILE CONTENT

TCP PROTOCOL ANALYZING: Open the Wireshark application, select the interface and press the Start capture button.

All the incoming and outgoing traffic is captured. Save your Wireshark capture file.

View the Wireshark capture file and analyze your TCP protocol information and the congestion behaviour.

This application is very useful for protocol analysis.

WIRESHARK DISPLAYS MY FTP LOGIN USER NAME AND PASSWORD
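Why Wireshark can show the login: the FTP control channel (TCP port 21) carries USER and PASS in clear text, so anything capturing on the path between the XP client and the Fedora server sees them. The following Python detector is an added example, not part of the lab manual; it scans a constructed text rendering of an FTP control session (the kind of output a packet analyser's "follow TCP stream" view produces) and raises one alert per login attempt, taking the outcome from the server reply codes (230 logged in, 530 not logged in, per RFC 959) and never storing or printing the password itself. The session text, the user name fedora and the password in it are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of a decoded FTP control session; not a real capture.
SAMPLE_STREAM = """\
220 (vsFTPd 2.2.2)
USER fedora
331 Please specify the password.
PASS s3cret-lab
230 Login successful.
SYST
215 UNIX Type: L8
QUIT
221 Goodbye.
"""


@dataclass
class LoginAlert:
    user: str
    password_length: int
    outcome: str          # "success", "failure" or "unknown"


CLIENT_CMD = re.compile(r"^(?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
SERVER_REPLY = re.compile(r"^(?P<code>\d{3})[ -]")


def scan_ftp_control(stream):
    """Return one LoginAlert per USER/PASS pair found in a cleartext control stream."""
    alerts, user, pending = [], None, None
    for line in stream.splitlines():
        reply = SERVER_REPLY.match(line)
        if reply and pending is not None:
            code = int(reply.group("code"))
            # RFC 959: 230 = user logged in, 530 = not logged in; other codes leave it open
            if code == 230:
                pending.outcome, pending = "success", None
            elif code == 530:
                pending.outcome, pending = "failure", None
            continue
        cmd = CLIENT_CMD.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group("cmd"), cmd.group("arg") or ""
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            # only the fact that a password crossed the wire, and its length, is kept
            pending = LoginAlert(user or "<unknown>", len(arg), "unknown")
            alerts.append(pending)
    return alerts


def format_alert(alert):
    return (f"cleartext FTP login: user={alert.user!r} "
            f"password=<redacted, {alert.password_length} chars> outcome={alert.outcome}")


if __name__ == "__main__":
    for a in scan_ftp_control(SAMPLE_STREAM):
        print(format_alert(a))
```

The same scan applied to the lab's own capture would flag the login the screenshot shows; the practical lesson is that FTP credentials must be treated as already disclosed to anyone on the path, which is why a protocol that encrypts the control channel (SFTP or FTPS) is used outside a closed lab.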

CLOSE THE FTP CONNECTION: Use the quit command to close the FTP connection, then shut down your virtual PCs.

RESULT: Thus the experiment was executed successfully.

CASE STUDY B: CONFIGURING A FIREWALL

Consider a firewall communication server with a single inbound modem. Configure the modem to ensure security for the LAN.

What is a Firewall? A firewall is a layer of security between your home network and the Internet. Since a router or modem is the main connection from a home network to the Internet, a firewall is often packaged with those devices. Every home network should have a firewall to protect its privacy. Firewalls are a combination of hardware and software: the hardware part gives firewalls excellent performance, while the software part allows firewalls to be tailored to your specific needs.

Firewall Rules : Firewall rules block or allow specific traffic passing through from one side of the router to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the modem router are:
1. Inbound
2. Outbound
INBOUND RULES : Block all access from outside except responses to requests from the LAN side.
OUTBOUND RULES : Allow all access from the LAN side to the outside.

NOTE : You can define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.

HOW A FIREWALL WORKS :

HOW TO PROTECT OUR NETWORK FROM HACKER ATTACKS :

FIREWALL CARTOON LOGO :

REQUIREMENTS :
1. Cisco Packet Tracer 6.0.1
2. 3 PCs (Windows or Linux)
3. One Switch or Hub
4. One DSL Modem
5. One Application Server
6. Communication Channels
7. Class B IP Address
8. Basic firewall knowledge
9. Basic Network Configuration Commands

PROCEDURE :
o Open the CISCO PACKET TRACER software.
o Draw the three PCs using the End Device icons.
o Draw the CISCO 24-port Switch using the Switch icon list.
o Draw the DSL modem using the WAN Emulation icon.
o Draw the Cloud icon using the WAN Emulation icon.
o Draw the Server using the End Device icons.
o Make the cable connectivity.
o Enter the IP address on each machine (Server and PCs).
o Check the IP address of every PC using the ipconfig or ifconfig command.
o Check the connections using the ping command.

PHYSICAL CONNECTIONS :

SERVER IP ADDRESS :
SERVER>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::201:63FF:FEB1:4829
  IP Address......................: 172.16.0.1
  Subnet Mask.....................: 255.255.0.0
  Default Gateway.................: 0.0.0.0

PC-1 IP ADDRESS :
PC>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::201:C9FF:FE64:518E
  IP Address......................: 172.16.0.2
  Subnet Mask.....................: 255.255.0.0
  Default Gateway.................: 0.0.0.0

PC-2 IP ADDRESS :
PC>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::201:C9FF:FE64:518E
  IP Address......................: 172.16.0.2
  Subnet Mask.....................: 255.255.0.0
  Default Gateway.................: 0.0.0.0

PC-3 IP ADDRESS :
PC>ipconfig
FastEthernet0 Connection:(default port)
  Link-local IPv6 Address.........: FE80::290:21FF:FEBC:CDA5
  IP Address......................: 172.16.0.4
  Subnet Mask.....................: 255.255.0.0
  Default Gateway.................: 0.0.0.0

GRAPHICAL VIEW : SERVER IP ADDRESS :

PC-1 IP ADDRESS :

PC-2 IP ADDRESS :

PC-3 IP ADDRESS :

BEFORE THE FIREWALL CONFIGURATION :

ICMP : ping is a network utility command. The ping tool uses the Internet Control Message Protocol (ICMP); ping is used to verify the connection between the source PC and the destination PC.
PING BETWEEN WAN PC TO SERVER USING ICMP PROTOCOL : the ping was successful between the Server and the Remote PC.

HTTP : Open any PC's web browser and type the server IP address in the address bar (http://172.16.0.1). We can access the web page from the server.
WEB PAGE ACCESS BETWEEN SERVER TO WAN PC USING TCP PROTOCOL : the web page is accessed successfully on the Remote PC from the Server.

AFTER THE FIREWALL CONFIGURATION : We use firewall inbound rules. Block all access from outside except responses to requests from the LAN side.
Note :
I deny ICMP protocol services from the outside network.
I allow TCP protocol services from the outside network.

ICMP : PING BETWEEN WAN PC TO SERVER USING ICMP PROTOCOL : the ping was not successful between the Server and the Remote PC, because I block ICMP services from the outside network.

Ping was not successful

HTTP : Open any PC's web browser and type the server IP address in the address bar (http://172.16.0.1). We can access the web page from the server.
WEB PAGE ACCESS BETWEEN SERVER TO WAN PC USING TCP PROTOCOL : the web page is accessed successfully on the Remote PC from the Server, because I allow TCP protocol services from the outside network.

Web page access successful
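Added example (not part of the case study): a Python model of the modem router's two default rules and of the inbound exceptions configured above (deny ICMP from the outside, allow TCP from the outside). Outbound packets are always allowed and remembered in a state table; an inbound packet is allowed only when it is the reply to a recorded LAN request or when a custom inbound rule permits it, otherwise the default inbound rule denies it. The LAN prefix 172.16.0.0/16 and the server address come from the case study; the WAN address 203.0.113.5 is a constructed sample.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.0.0/16")       # the Class B LAN of the case study


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # 0 for icmp
    dport: int = 0


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # protocol name or "any"
    dport: int = 0        # 0 matches any destination port

    def matches(self, pkt):
        return self.proto in ("any", pkt.proto) and self.dport in (0, pkt.dport)


class Firewall:
    def __init__(self, inbound_rules=()):
        self.inbound_rules = list(inbound_rules)   # custom exceptions, top to bottom
        self.state = set()                         # replies the LAN is waiting for

    @staticmethod
    def _reply_key(pkt):
        # the 5-tuple the reply to an outbound packet will carry when it comes back
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

    def filter(self, pkt):
        """Return ('allow'|'deny', reason) for one packet crossing the router."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in LAN and dst not in LAN:
            # default outbound rule: allow everything and remember the flow
            self.state.add(self._reply_key(pkt))
            return "allow", "default outbound"
        if src not in LAN and dst in LAN:
            if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.state:
                return "allow", "response to LAN request"
            for rule in self.inbound_rules:
                if rule.matches(pkt):
                    return rule.action, f"custom inbound {rule.action} {rule.proto}"
            return "deny", "default inbound"
        return "allow", "not crossing the firewall"


def case_study_firewall():
    """The inbound exceptions described above: deny ICMP, allow TCP from the outside."""
    return Firewall([Rule("deny", "icmp"), Rule("allow", "tcp")])


if __name__ == "__main__":
    fw = case_study_firewall()
    for p in (Packet("203.0.113.5", "172.16.0.1", "icmp"),
              Packet("203.0.113.5", "172.16.0.1", "tcp", 40000, 80)):
        print(p.proto, "from WAN to server ->", fw.filter(p))
```

The `allow tcp` rule reproduces the case study as written; a practitioner would normally narrow it to the port the server actually offers (80 for the web page), which is the one-line change `Rule("allow", "tcp", 80)`. Note also that a ping from the LAN to the outside still gets its echo reply back with the ICMP deny in place, because the state check runs before the custom rules: that is exactly the "except responses to requests from the LAN side" clause of the default inbound rule.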

RESULT : Thus the firewall experiment was configured successfully.

CASE STUDY 2: RIP AND OSPF Redistribution

This case study addresses the issue of integrating Routing Information Protocol (RIP) networks with Open Shortest Path First (OSPF) networks. Most OSPF networks also use RIP to communicate with hosts or to communicate with portions of the internetwork that do not use OSPF. This case study provides examples of how to complete the following phases in redistributing information between RIP and OSPF networks:

1. Configuring a RIP Network
2. Adding OSPF to the Center of a RIP Network
3. Adding OSPF Areas
4. Setting Up Mutual Redistribution

PHYSICAL CONNECTIONS :

RIP AND OSPF Redistribution

Most OSPF networks also use RIP to communicate with hosts or with portions of the internetwork that do not use OSPF. Cisco supports both the RIP and OSPF protocols and provides a way to exchange routing information between RIP and OSPF networks.

REQUIREMENTS:
1. 4 CISCO 1841 model routers.
2. Two 8-port switches.
3. Two end-device PCs.
4. Communication media (serial cable and copper straight-through cable).
5. Class C IP addresses.
6. Routing protocols (RIP and OSPF).
7. Router IOS configuration commands.
8. Cisco Packet Tracer 6.0.1.exe.
9. Power supply.

PROCEDURES :

Configuring a RIP Network : The figure illustrates a RIP network. Four sites are connected with serial lines. The RIP network uses a Class C address. Each site has a contiguous set of network numbers.

ROUTER R4 NETWORK CONFIGURATION:
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.2.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.4.2 255.255.255.0
!
router rip
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0

ROUTER R3 NETWORK CONFIGURATION:
interface Serial0/0/0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.2.1 255.255.255.0
!

ROUTER R1 NETWORK CONFIGURATION:
!
interface Serial0/0/0
 ip address 192.168.5.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.4.1 255.255.255.0
!

ROUTER R2 NETWORK CONFIGURATION:
!
interface FastEthernet0/0
 ip address 192.168.6.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.5.1 255.255.255.0
!

Adding OSPF to the Center of a RIP Network : A common first step in converting a RIP network to OSPF is to add backbone routers that run both RIP and OSPF, while the remaining network devices run RIP. These backbone routers are OSPF autonomous system boundary routers (ASBRs). Each ASBR controls the flow of routing information between OSPF and RIP.

ROUTER R3 OSPF CONFIGURATION:
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
!

ROUTER R1 OSPF CONFIGURATION:
!
router ospf 1
 network 192.168.5.0 0.0.0.255 area 0
!

Adding OSPF Areas :

ROUTER R2 OSPF CONFIGURATION:
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.6.0 0.0.0.255 area 1
!

(Note: R2 has no network statement for 192.168.5.0, the link to R1, so with this configuration no OSPF adjacency forms on the R1-R2 serial link; R1 reaches area 0 only through the routes it learns from RIP.)

Setting Up Mutual Redistribution :

MUTUAL REDISTRIBUTION

Mutual redistribution between the RIP and OSPF networks is configured on the routers that run both OSPF and RIP.

R1 ROUTER MUTUAL REDISTRIBUTION :
router ospf 1
 log-adjacency-changes
 redistribute rip subnets
 network 192.168.5.0 0.0.0.255 area 0
!
router rip
 redistribute ospf 1 metric 10
 network 192.168.4.0

R3 ROUTER MUTUAL REDISTRIBUTION :
router ospf 1
 log-adjacency-changes
 redistribute rip subnets
 network 192.168.1.0 0.0.0.255 area 0
!
router rip
 redistribute ospf 1 metric 10
 network 192.168.2.0

NOTE: I explain the basic concept of RIP and OSPF redistribution. If you want a more advanced RIP and OSPF redistribution concept.

ROUTER R1 RUNNING CONFIGURATION FILE :
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption

!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.5.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute rip subnets
 network 192.168.5.0 0.0.0.255 area 0
!
router rip
 redistribute ospf 1 metric 10
 network 192.168.4.0
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

ROUTER R2 RUNNING CONFIGURATION FILE :
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.6.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.6.0 0.0.0.255 area 1
!
router rip
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

ROUTER R3 RUNNING CONFIGURATION FILE :
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute rip subnets
 network 192.168.1.0 0.0.0.255 area 0
!
router rip
 redistribute ospf 1 metric 10
 network 192.168.2.0
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

ROUTER R4 RUNNING CONFIGURATION FILE :
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.2.2 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.4.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

PING BETWEEN 192.168.6.2 TO 192.168.3.2 :

PING BETWEEN 192.168.3.2 TO 192.168.6.2 :

ROUTING TABLE : For a Cisco router, the IOS command show ip route displays the routes in the routing table. There are several types of routes that can appear in the routing table:

Directly-Connected Routes: When the router powers up, the configured interfaces are enabled. As they become operational, the router stores the directly attached local network addresses as connected routes in the routing table. On Cisco routers these routes are identified in the routing table with the prefix C. These routes are automatically updated whenever the interface is reconfigured or shut down.

Static Routes: A network administrator can manually configure a static route to a specific network. A static route does not change until the administrator manually reconfigures it. These routes are identified in the routing table with the prefix S.

Dynamically-Updated Routes (Dynamic Routes): Dynamic routes are automatically created and maintained by routing protocols. Routing protocols are implemented in programs that run on routers and exchange routing information with other routers in the network. Dynamically-updated routes are identified in the routing table with the prefix that corresponds to the routing protocol that created the route; for example, R is used for the Routing Information Protocol (RIP).

Default Route: The default route is a type of static route which specifies a gateway to use when the routing table does not contain a path to the destination network. It is common for default routes to point to the next router in the path to the Internet Service Provider. If a subnet has only one router, then that router is automatically the default gateway, because all network traffic to and from that local network has no option but to travel through that router.

RIP:
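Added example (not part of the lab manual): a longest-prefix-match lookup over a routing table that uses the route codes just described (C, S, R, O, and S* for the candidate default) and resolves a static route's next hop to an exit interface the way a router does. The table is router R1 of section 1.2, built from the addresses given there; the default route via 192.168.3.2 is an assumption added so that the "blindfold" experiment of section 1.1 (delete the default route, communication is lost, put it back) can be reproduced in code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    code: str              # "C", "S", "R", "O" or "S*" (candidate default)
    prefix: str            # e.g. "192.168.2.0/24"
    next_hop: str = ""     # empty for connected routes
    interface: str = ""    # set for connected routes


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        self.routes.append(route)

    def delete(self, prefix):
        self.routes = [r for r in self.routes if r.prefix != prefix]

    def lookup(self, dst):
        """Longest prefix match: the most specific matching route wins; None if nothing matches."""
        addr = ip_address(dst)
        best, best_len = None, -1
        for r in self.routes:
            net = ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def resolve(self, dst):
        """Return (route code, exit interface, next hop). A static or default route's
        next hop is itself looked up to find the connected interface it lies on."""
        r = self.lookup(dst)
        if r is None:
            return None                         # no route: the "blindfolded" host
        if r.interface:
            return (r.code, r.interface, "directly connected")
        via = self.lookup(r.next_hop)
        if via is None or not via.interface:
            return (r.code, "unresolved", r.next_hop)
        return (r.code, via.interface, r.next_hop)


def r1_table(with_default=True):
    """Router R1 of section 1.2 (addresses from the manual); the S* entry is an assumption."""
    t = RoutingTable()
    t.add(Route("C", "192.168.1.0/24", interface="FastEthernet0/0"))
    t.add(Route("C", "192.168.3.0/24", interface="Serial0/0/0"))
    t.add(Route("S", "192.168.2.0/24", next_hop="192.168.3.2"))
    if with_default:
        t.add(Route("S*", "0.0.0.0/0", next_hop="192.168.3.2"))
    return t


if __name__ == "__main__":
    table = r1_table()
    for dst in ("192.168.1.3", "192.168.2.2", "8.8.8.8"):
        print(dst, "->", table.resolve(dst))
    table.delete("0.0.0.0/0")                   # blindfold: remove the default route
    print("8.8.8.8 without default ->", table.resolve("8.8.8.8"))
```

Deleting 192.168.2.0/24 from the table without a default route present makes 192.168.2.2 unreachable, which is the failure the section 1.2 ping shows before the static routes are added; with the default route present the same packet would instead be handed to 192.168.3.2, so a missing specific route is masked rather than reported.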

o It is a distance vector routing protocol.

o Sends the complete routing table out of every interface every 30 seconds.
o RIP uses only hop count to determine the best way to a remote network.
o The maximum allowable hop count is 15.

OSPF:
o Open Shortest Path First (OSPF) is a non-proprietary link-state routing protocol described in RFC 2328.
o Identified in the routing table with the prefix O.
o Uses the SPF algorithm to calculate the lowest cost to a destination.
o Sends routing updates only when the topology changes; does not send periodic updates of the entire routing table.
o Provides fast convergence.
o Supports VLSM and discontiguous subnets.
o Provides route authentication.
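Added example (not part of the case study): both route-computation models the text contrasts, run on a constructed copy of the case-study ring R1-R2-R3-R4-R1. `ospf_spf` is Dijkstra's shortest-path-first over link costs, as OSPF runs it on its link-state database; `rip_converge` is the distance-vector exchange RIP performs, with hop count as its only metric and 16 meaning unreachable. `rip_converge` also accepts routes injected on a router by `redistribute ospf 1 metric 10`, which shows the consequence of that seed metric: the route enters RIP at 10 hops and can cross at most five more routers before it reaches 16 and is discarded. The interface cost of 64 per link is constructed; the network prefixes are the ones used in the case study.

```python
import heapq

INFINITY = 16                      # RIP: 16 hops means unreachable

# Constructed ring topology of the case study with OSPF interface costs.
# router -> {neighbour: cost}
LINKS = {
    "R1": {"R2": 64, "R4": 64},
    "R2": {"R1": 64, "R3": 64},
    "R3": {"R2": 64, "R4": 64},
    "R4": {"R3": 64, "R1": 64},
}
# Stub LANs attached to each router (from the case-study configurations).
LANS = {"R2": ["192.168.6.0/24"], "R4": ["192.168.3.0/24"]}


def ospf_spf(source, links=LINKS):
    """Dijkstra over the whole link-state database: lowest cost to every router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in links[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def rip_converge(rip_routers, links=LINKS, lans=LANS, seeded=None, max_rounds=32):
    """Distance-vector exchange among `rip_routers` only; returns {router: {prefix: hops}}.
    `seeded` = {router: {prefix: metric}} models "redistribute ospf 1 metric N" on that
    router. Updates are applied sequentially per round; timers and split horizon are
    omitted because they do not change the converged hop counts shown here."""
    tables = {r: {} for r in rip_routers}
    for r in rip_routers:
        for net in lans.get(r, []):
            tables[r][net] = 0                     # directly connected
        for net, metric in (seeded or {}).get(r, {}).items():
            tables[r][net] = metric                # redistributed with the seed metric
    for _ in range(max_rounds):
        changed = False
        for r in rip_routers:
            for nbr in links[r]:
                if nbr not in tables:
                    continue                       # neighbour does not speak RIP
                for net, hops in tables[nbr].items():
                    cand = min(hops + 1, INFINITY)
                    if cand < INFINITY and cand < tables[r].get(net, INFINITY):
                        tables[r][net] = cand
                        changed = True
        if not changed:
            break
    return tables


def chain(n):
    """Constructed straight-line topology R1 - R2 - ... - Rn, one link per hop."""
    links = {f"R{i}": {} for i in range(1, n + 1)}
    for i in range(1, n):
        links[f"R{i}"][f"R{i + 1}"] = 64
        links[f"R{i + 1}"][f"R{i}"] = 64
    return links


if __name__ == "__main__":
    print("OSPF cost from R1:", ospf_spf("R1"))
    # RIP on R1, R3, R4 only (R2 is the pure OSPF router); R1 and R3 are the ASBRs
    # that inject R2's LAN into RIP with "redistribute ospf 1 metric 10".
    seed = {"R1": {"192.168.6.0/24": 10}, "R3": {"192.168.6.0/24": 10}}
    print("RIP tables:", rip_converge(["R1", "R3", "R4"], seeded=seed))
    far = rip_converge([f"R{i}" for i in range(1, 8)], links=chain(7), lans={},
                       seeded={"R1": {"10.0.0.0/8": 10}})
    print("seeded route on a 7-router chain:", {r: t.get("10.0.0.0/8") for r, t in far.items()})
```

On the ring, R4 learns R2's LAN at 11 hops even though it is physically one hop from R2, because the route arrives through RIP with the seed metric rather than through OSPF; on the chain, R6 holds the seeded route at 15 and R7 never installs it. Picking the seed metric is therefore a design decision about how far a redistributed route may propagate, not just a cosmetic value.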

RESULT : Thus the experiment was configured successfully.

CASE STUDY 6 : DEFINING ACCESS LISTS

Access lists define the actual traffic that will be permitted or denied, whereas an access group applies an access list definition to an interface. Access lists can be used to deny connections that are known to be a security risk and then permit all other connections, or to permit those connections that are considered acceptable and deny all the rest. For firewall implementation, the latter is the more secure method. In this case study, incoming email and news are permitted for a few hosts, but FTP, Telnet, and rlogin services are permitted only to hosts on the firewall subnet. IP extended access lists (range 100 to 199) and transmission control protocol (TCP) or user datagram protocol (UDP) port numbers are used to filter traffic. When a connection is to be established for email, Telnet, FTP, and so forth, the connection will attempt to open a service on a specified port number. You can, therefore, filter out selected types of connections by denying packets that are attempting to use that service. An outbound access list is invoked after a routing decision has been made but before the packet is sent out on an interface (an inbound access list is checked before the routing decision). The best place to define an access list is on a preferred host using your favorite text editor. You can create a file that contains the access-list commands, place the file (marked readable) in the default TFTP directory, and then network-load the file onto the router.

WHAT IS AN ACCESS CONTROL LIST ? One of the most common methods of traffic filtering is the use of access control lists (ACLs). ACLs can be used to manage and filter traffic that enters a network, as well as traffic that exits a network. An ACL ranges in size from one statement that allows or denies traffic from one source, to hundreds of statements that allow or deny packets from multiple sources. The primary use of ACLs is to identify the types of packets to accept or deny.

ACLs identify traffic for multiple uses such as:
o Specifying internal hosts for NAT
o Identifying or classifying traffic for advanced features such as ToS and queuing
o Restricting the contents of routing updates
o Limiting debug output
o Controlling virtual terminal access to routers

The following potential problems can result from using ACLs:
o The additional load on the router to check all packets means less time to actually forward packets.
o Poorly designed ACLs place an even greater load on the router and might disrupt network usage.
o Improperly placed ACLs block traffic that should be allowed and permit traffic that should be blocked.

TYPES OF ACCESS CONTROL LIST :

1. Standard ACLs: The standard ACL is the simplest of the three types. When creating a standard IP ACL, the ACL filters based on the source IP address of a packet. Standard ACLs permit or deny based on the entire protocol, such as IP. So, if a host device is denied by a standard ACL, all services from that host are denied. This type of ACL is useful for allowing all services from a specific user, or LAN, access through a router while denying other IP addresses access. Standard ACLs are identified by the number assigned to them. For access lists permitting or denying IP traffic, the identification number can range from 1 to 99 and from 1300 to 1999.

2. Extended ACLs: Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. Extended ACLs are used more than standard ACLs because they are more specific and provide greater control. The range of numbers for extended ACLs is from 100 to 199 and from 2000 to 2699.

3. Named ACLs: Named ACLs (NACLs) are either standard or extended format ACLs that are referenced by a descriptive name rather than a number. When configuring named ACLs, the router IOS uses a NACL subcommand mode.

1. STANDARD ACL CONFIGURATION : This is the basic level of access control list configuration; it permits and denies remote hosts on your network.

REQUIREMENTS:
1. Cisco 1841 model router
2. One switch
3. One dedicated server
4. Five Windows or Linux PCs
5. Copper straight-through cable
6. Copper cross-over cable
7. Class C IP addresses and Class A IP addresses
8. Basic router interface configuration commands
9. Basic standard ACL configuration commands
10. Ping command
11. Cisco Packet Tracer 6.0.0.exe

PROCEDURE :
1. Open the CISCO PACKET TRACER software.
2. Draw the FIVE PCs using the End Device icons.
3. Draw the CISCO 24-port Switch using the Switch icon list.
4. Draw the CISCO ROUTER using the router icon list.
5. Make the connections using Straight-Through Ethernet cables and Cross-Over cables.
6. Enter the IP address on each machine (PC, Router and Server).
7. Check the IP address of every PC using the ipconfig or ifconfig command.
8. Check the connections using the ping command.
9. Create the standard access list for the local network.
10. I create the access deny permissions for PC4, PC5, PC6.
11. I create the access permit permission for the remaining PCs (PC1, PC2, PC3).
12. Verify your access control list using the ping command.

PHYSICAL CONNECTION:

STANDARD ACCESS LIST

IP ADDRESS FOR EACH MACHINE:
PC-1 IP ADDRESS:

PC-2 IP ADDRESS:

PC-3 IP ADDRESS:

PC-4 IP ADDRESS:

PC-5 IP ADDRESS:

ROUTER R1 FAST ETHERNET INTERFACE 0/0 AND INTERFACE 0/1 IP ADDRESS:

OUTSIDE NETWORK SERVER IP ADDRESS:

CHECK THE NETWORK CONNECTIVITY USING PING BEFORE THE STANDARD ACCESS LIST CONFIGURATION:
PING PC-1 TO SERVER:

PING PC-2 TO SERVER:

CONFIGURE THE STANDARD ACCESS CONTROL LIST:

Now I deny three remote PCs access in my router R1. After that I check the ping connectivity from PC3, PC4 and PC5 to the server: the pings are not successful because I blocked the requests of PC3, PC4 and PC5.

PING PC-3 TO SERVER:

PING PC-4 TO SERVER:

PING PC-5 TO SERVER:

R1 ROUTER RUNNING CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 11 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.10 255.0.0.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
access-list 11 deny host 192.168.1.6
access-list 11 deny host 192.168.1.5
access-list 11 deny host 192.168.1.4
access-list 11 permit any
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
end

The list is applied inbound on Fa0/0, the interface the PCs are attached to, so the denied hosts are dropped before any routing decision and also cannot reach the router itself. The three deny entries match 192.168.1.4, .5 and .6; a PC is blocked only if its address is one of these. The final "permit any" is what lets the other PCs through; without it the implicit deny at the end of the list would block every host on the LAN.

R1 ROUTER ROUTING TABLE:

2. EXTENDED ACL:

Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol and port numbers. Extended ACLs are used more than standard ACLs because they are more specific and provide greater control. The range of numbers for extended ACLs is from 100 to 199 and from 2000 to 2699.

REQUIREMENTS:
1. One Cisco 2960 switch or other comparable switch
2. Two Cisco 1841 or equivalent routers, each with a serial and an Ethernet interface
3. Three Windows-based PCs, at least one with a terminal emulation program, and all set up as hosts
4. At least one RJ-45-to-DB-9 console cable to configure the routers and switch
5. Three straight-through Ethernet cables
6. One crossover Ethernet cable
7. One 2-part DTE/DCE serial crossover cable

PROCEDURE:
1. Connect the Serial 0/0/0 interface of Router 1 to the Serial 0/0/0 interface of Router 2 using a serial cable.
2. Connect the Fa0/0 interface of Router 1 to the Fa0/1 port of Switch 1 using a straight-through cable.
3. Connect a console cable to each PC to perform configurations on the routers and switch.
4. Connect Host 1 to the Fa0/3 port of Switch 1 using a straight-through cable.
5. Connect Host 2 to the Fa0/2 port of Switch 1 using a straight-through cable.
6. Connect a crossover cable between Host 3 and the Fa0/0 interface of Router 2.

PHYSICAL CONNECTIONS:

Perform basic configuration on Router 1:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.15.1 255.255.255.0
 ip access-group 101 in
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 192.168.1.0
 network 192.168.15.0
!
ip classless
!
access-list 101 permit ip host 192.168.5.10 host 192.168.15.1
access-list 101 permit ip host 192.168.5.10 host 192.168.1.1
access-list 101 deny ip any host 192.168.15.1
access-list 101 deny ip any host 192.168.1.1
access-list 101 permit ip any any
access-list 101 deny ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Perform basic configuration on Router 2:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.15.2 255.255.255.0
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 192.168.5.0
 network 192.168.15.0
!
ip classless
!
access-list 101 permit ip host 192.168.1.10 host 192.168.5.10
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.10
access-list 101 permit ip any any
access-list 101 deny ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

The router evaluates the entries top to bottom and stops at the first match, so the trailing "deny ip any any" after "permit ip any any" in both lists can never be reached; it is harmless but misleading. On R1 the same list is applied inbound on both Fa0/0 and Serial0/0/0: only 192.168.5.10 may send packets to the router's own addresses (so only that host can Telnet to R1), while transit traffic between the LANs passes because of the "permit ip any any". On R2 the list is applied outbound on Fa0/0, so it filters only traffic leaving towards 192.168.5.10 and does not affect what R2 itself receives.

PERMIT HTTP AND DENY ICMP:

PERMIT HTTP & DENY ICMP R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.13.1 255.255.0.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
access-list 100 permit tcp any host 172.16.13.2 eq www
access-list 100 deny icmp any host 172.16.13.2 unreachable
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

PERMIT HTTP: EXTENDED ACCESS LIST 100

access-list 100 permit tcp any host 172.16.13.2 eq www

DENY ICMP:

access-list 100 deny icmp any host 172.16.13.2 unreachable

The "unreachable" keyword matches only ICMP type 3 (destination unreachable) messages sent towards the server; it does not match ping. Ping to 172.16.13.2 still fails after this configuration, but only because of the implicit deny at the end of list 100, which also drops every other protocol and every other host behind Fa0/1. To deny ping explicitly, and to have the matches counted in "show access-lists", use the "echo" keyword in place of "unreachable".

DENY AND PERMIT TELNET:

PERMIT AND DENY TELNET CONNECTION R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
enable secret 5 <hash>
!
aaa new-model
!
aaa authentication login TT local
!
username telnet password 0 telnet
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 10.10.10.1 255.0.0.0
 ip access-group 101 in
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
ip classless
!
access-list 101 deny tcp host 172.16.13.1 host 192.168.1.1 eq telnet
access-list 101 permit tcp host 10.10.10.2 host 192.168.1.1 eq telnet
!
line con 0
!
line aux 0
!
line vty 0 4
 login authentication TT
!
end

R2 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.13.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 10.10.10.2 255.0.0.0
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 10.0.0.0
 network 172.16.0.0
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

DENY TELNET CONNECTION FROM 172.16.13.1: Extended IP access list 101

access-list 101 deny tcp host 172.16.13.1 host 192.168.1.1 eq telnet

PERMIT TELNET CONNECTION FROM 10.10.10.2:

access-list 101 permit tcp host 10.10.10.2 host 192.168.1.1 eq telnet

TELNET USERNAME: telnet
TELNET PASSWORD: telnet
R1 ROUTER PRIVILEGE PASSWORD: telnet

Two things to check on this configuration. First, list 101 is applied inbound on Serial0/0/0 and contains only the two Telnet entries, so the implicit deny drops everything else arriving from R2, including R2's RIP updates (UDP port 520) and all reply traffic from the 172.16.0.0 network; R1 will lose its route to 172.16.0.0 once the RIP invalid timer expires. Add permit entries for the traffic that must still pass, or control management access with an access-class on the vty lines instead of an interface ACL. Second, "username telnet password 0 telnet" stores the password in clear text and uses the same string for user name, password and enable secret; use the secret form of the username command and separate values, and prefer SSH to Telnet, which sends the credentials in clear text across the serial link.

PERMIT FTP: Extended IP access list

access-list 100 permit tcp any host 172.16.13.2 eq ftp

FTP LOGIN FROM PC 192.168.1.2

access-list 100 permit tcp any host 172.16.13.2 gt 1023

R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.13.1 255.255.0.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 100 permit tcp any host 172.16.13.2 eq www
access-list 100 deny icmp any host 172.16.13.2 unreachable
access-list 100 permit tcp any host 172.16.13.2 eq ftp
access-list 100 permit tcp any host 172.16.13.2 range 20 ftp
access-list 100 permit tcp any host 172.16.13.2 eq 20
access-list 100 permit tcp any host 172.16.13.2 gt 1023
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

The "range 20 ftp" entry already covers both "eq ftp" (port 21) and "eq 20", so those two lines never match. The "gt 1023" entry is what makes passive-mode FTP work, because the server chooses a high port for each data connection, but it also opens every other service above 1023 on the server to any client. On a production router, restrict the data ports to the range the FTP server is configured to use, or use stateful inspection (CBAC or the zone-based firewall), which opens the data connection only after seeing it negotiated on the control channel.

PERMIT DNS AND NTP ROUTER R1 CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.13.1 255.255.0.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 100 permit tcp any host 172.16.13.2 eq www
access-list 100 deny icmp any host 172.16.13.2 unreachable
access-list 100 permit tcp any host 172.16.13.2 eq ftp
access-list 100 permit tcp any host 172.16.13.2 range 20 ftp
access-list 100 permit tcp any host 172.16.13.2 eq 20
access-list 100 permit tcp any host 172.16.13.2 gt 1023
access-list 100 permit udp any host 172.16.13.2 eq domain
access-list 100 permit udp any host 172.16.13.2 eq 123
access-list 100 permit udp any host 172.16.13.3 eq domain
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
ntp server 172.16.13.3 key 0
!
end

PERMIT NTP FROM ANY HOST:

access-list 100 permit udp any host 172.16.13.2 eq 123

PERMIT DNS FROM ANY HOST:

access-list 100 permit udp any host 172.16.13.2 eq domain
access-list 100 permit udp any host 172.16.13.3 eq domain

UDP port 123 is NTP (newer IOS releases also accept the keyword "ntp"). DNS normally runs over UDP 53 ("domain"), but responses too large for a UDP datagram and zone transfers use TCP 53, so add a matching tcp entry if the server behind Fa0/1 must answer those. Note that the NTP server 172.16.13.3 is reachable by the router itself regardless of list 100, because an outbound ACL does not filter packets that the router originates.

PERMIT AND DENY EMAIL:

BEFORE THE EMAIL ACL CONFIGURATION:

BEFORE THE EMAIL ACL CONFIGURATION, SEND AN EMAIL FROM user1@sample.com TO user2@sample.com:

SEND AN EMAIL FROM user2@sample.com TO user1@sample.com:

AFTER THE EMAIL ACL CONFIGURATION:

R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.13.1 255.255.0.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 network 192.168.1.0
 network 192.168.2.0
!
ip classless
!
!
access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.16.13.4 eq smtp
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

SEND AN EMAIL FROM user1@sample.com TO user2@sample.com:

SEND AN EMAIL FROM user2@sample.com TO user1@sample.com:

DENY EMAIL SERVICE FROM THE 192.168.1.0 NETWORK:

access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.16.13.4 eq smtp

As written, list 101 contains only this deny entry, so the implicit deny at its end blocks all traffic from the 192.168.1.0/24 LAN inbound on Fa0/0, not just mail submission; the mail test above would also fail for DNS, HTTP and ping. To deny only SMTP, finish the list with "permit ip any any". Two further details of this configuration: "router rip" advertises 192.168.2.0, which is not configured on any interface, and does not advertise the 172.16.0.0 network on Fa0/1; and the entry only stops clients on the LAN from submitting mail to 172.16.13.4, it does not stop them from fetching mail (POP3 or IMAP) from it.
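The behaviour described for the standard list (11), the HTTP/ICMP list (100) and the email list (101) above all comes from one rule: the router walks the entries top to bottom, stops at the first match, and denies anything that reaches the end. The following Python program is an added example, not part of the lab, that implements that first-match evaluation for numbered IOS-style ACLs (standard and extended, "host", wildcard masks, "eq/gt/lt/range" ports and ICMP type names) and runs the lab's own entries against constructed packets. It shows why the "unreachable" entry does not stop ping, and why the email list blocks everything until "permit ip any any" is appended.

```python
"""First-match evaluator for IOS-style numbered ACLs (added example, not the lab's own code).

Walk the entries top to bottom, stop at the first match, and fall through to the
implicit 'deny' when nothing matched. The packets below are constructed for the demo;
the ACL entries are the ones from the lab configurations above.
"""
import ipaddress

NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25,
               "domain": 53, "ntp": 123, "rip": 520}
ALL = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> ((address, wildcard), next index)."""
    if tok[i] == "any":
        return (0, ALL), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Optional 'eq N' | 'gt N' | 'lt N' | 'range A B' -> (spec or None, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], _port(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", (_port(tok[i + 1]), _port(tok[i + 2]))), i + 3
    return None, i

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line (standard or extended) into match fields."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if number <= 99 or 1300 <= number <= 1999:            # standard list: source address only
        src, _ = _parse_addr(tok, 3)
        return {"action": action, "proto": "ip", "src": src, "sport": None,
                "dst": (0, ALL), "dport": None, "icmp": None}
    proto = tok[3]
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    icmp = tok[i] if proto == "icmp" and i < len(tok) else None   # e.g. 'echo', 'unreachable'
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp": icmp}

def _addr_ok(spec, addr):
    base, wild = spec                                      # wildcard bit set = "don't care"
    return (_ip(addr) & ~wild & ALL) == (base & ~wild & ALL)

def _port_ok(spec, port):
    if spec is None:
        return True
    op, v = spec
    if op == "range":
        return v[0] <= port <= v[1]
    return {"eq": port == v, "gt": port > v, "lt": port < v}[op]

def packet(proto, src, dst, sport=None, dport=None, icmp=None):
    """A constructed packet; proto is 'ip', 'tcp', 'udp' or 'icmp'."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "icmp": icmp}

def evaluate(acl_lines, pkt):
    """Return (action, matching line). (deny, None) means the implicit deny at the end fired."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_ok(ace["src"], pkt["src"]) and _addr_ok(ace["dst"], pkt["dst"])):
            continue
        if not (_port_ok(ace["sport"], pkt["sport"]) and _port_ok(ace["dport"], pkt["dport"])):
            continue
        if ace["icmp"] is not None and ace["icmp"] != pkt["icmp"]:
            continue
        return ace["action"], line
    return "deny", None

# ACL entries copied from the lab configurations above.
STANDARD_ACL = ["access-list 11 deny host 192.168.1.6", "access-list 11 deny host 192.168.1.5",
                "access-list 11 deny host 192.168.1.4", "access-list 11 permit any"]
HTTP_ICMP_ACL = ["access-list 100 permit tcp any host 172.16.13.2 eq www",
                 "access-list 100 deny icmp any host 172.16.13.2 unreachable"]
EMAIL_ACL = ["access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.16.13.4 eq smtp"]

def demo():
    smtp = packet("tcp", "192.168.1.2", "172.16.13.4", sport=40000, dport=25)
    http = packet("tcp", "192.168.1.2", "172.16.13.2", sport=40001, dport=80)
    ping = packet("icmp", "192.168.1.2", "172.16.13.2", icmp="echo")
    return {
        "std_pc5": evaluate(STANDARD_ACL, packet("ip", "192.168.1.5", "10.10.10.2"))[0],
        "std_pc2": evaluate(STANDARD_ACL, packet("ip", "192.168.1.2", "10.10.10.2"))[0],
        "http": evaluate(HTTP_ICMP_ACL, http)[0],
        "http_acl_ping": evaluate(HTTP_ICMP_ACL, ping),       # 'unreachable' != echo: implicit deny
        "email_smtp": evaluate(EMAIL_ACL, smtp)[0],
        "email_acl_ping": evaluate(EMAIL_ACL, ping),          # everything else is denied too
        "email_fixed_ping": evaluate(EMAIL_ACL + ["access-list 101 permit ip any any"], ping)[0],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

Run it and compare with the ping results recorded in the lab: a result of ("deny", None) means no entry matched and the packet was dropped by the implicit deny, which is exactly the case "show access-lists" will not count.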

RESULT: Thus the experiment was configured successfully.

CASE STUDY 4: NETWORK SECURITY

This case study should provide the specific actions you can take to improve the security of your network. Before going into specifics, however, you should understand the following basic concepts that are essential to any security system:

Know your enemy:
This case study refers to attackers or intruders. Consider who might want to circumvent your security measures and identify their motivations. Determine what they might want to do and the damage that they could cause to your network. Security measures can never make it impossible for a user to perform unauthorized tasks with a computer system; they can only make it harder. The goal is to make sure the network security controls are beyond the attacker's ability or motivation.

Count the cost:
Security measures almost always reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead. It can use significant computing resources and require dedicated hardware. When you design your security measures, understand their costs and weigh those costs against the potential benefits. To do that, you must understand the costs of the measures themselves and the costs and likelihoods of security breaches. If you incur security costs out of proportion to the actual dangers, you have done yourself a disservice.

Identify your assumptions:
Every security system has underlying assumptions. For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole.

Control your secrets:
Most security is based on secrets. Passwords and encryption keys, for example, are secrets. Too often, though, the secrets are not really all that secret. The most important part of keeping secrets is knowing the areas you need to protect. What knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that everything else is known to your adversaries. The more secrets you have, the harder it will be to keep all of them. Security systems should be designed so that only a limited number of secrets need to be kept.

Know your weaknesses:
Every security system has vulnerabilities. You should understand your system's weak points and know how they could be exploited. You should also know the areas that present the largest danger and prevent access to them immediately. Understanding the weak points is the first step toward turning them into secure areas.

Limit the scope of access:
You should create appropriate barriers inside your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system. The security of a system is only as good as the weakest security level of any single host in the system.

Remember physical security:
Physical access to a computer (or a router) usually gives a sufficiently sophisticated user total control over that computer. Physical access to a network link usually allows a person to tap that link, jam it, or inject traffic into it. It makes no sense to install complicated software security measures when access to the hardware is not controlled.

REQUIREMENTS:
1. One Cisco 1841 model router
2. One 8-port switch
3. One laptop for local console administration
4. One PC for remote Telnet login
5. Class C and Class B IP addresses
6. Basic Telnet and routing configuration commands
7. One console rollover cable
8. Two copper straight-through cables
9. Cisco Packet Tracer 6.0.1.exe
10. Power supply

PROCEDURE:
1. Create console connectivity for local administrative purposes.
2. Secure the router console interface.
3. Create remote Telnet access to the router with basic-level security.
4. Enable the router privileged-mode password for remote Telnet access.
5. Crack the basic-level type 7 console and Telnet router passwords.
6. Create high-level security:
   - MD5-hashed enable secret
   - AAA authentication
   - Blocking dictionary attacks
   - Named access control list
   - Logging of failed and successful login attempts

CREATE CONSOLE CONNECTIVITY FOR LOCAL ADMINISTRATIVE PURPOSES:

Console connectivity, R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
enable password 7 0822455D0A16
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
line con 0
 exec-timeout 30 0
 password 7 0822455D0A16
 login
!
line aux 0
!
line vty 0 4
 password 7 0822455D0A16
 login
!
end

PC-1 IP ADDRESS:

CREATE CONSOLE LOGIN (SECURING THE ROUTER CONSOLE INTERFACE):

line con 0
 exec-timeout 30 0
 password 7 0822455D0A16
 login

"exec-timeout 30 0" closes an idle console session after 30 minutes, which limits what an unattended terminal in the rack exposes. "service password-encryption" is what turned the passwords into the "7" form shown; it is an obfuscation applied to line and enable passwords, not a hash.

TRY TO LOG IN ON THE CONSOLE PORT:

Console login.

CREATING REMOTE TELNET ACCESS ON YOUR ROUTER WITH BASIC-LEVEL SECURITY:

ENABLE TELNET ACCESS (BASIC TYPE 7 ENCRYPTION):
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login

R1 ROUTER TELNET CONFIGURATION:

The running configuration is the same as the console configuration shown above: the vty lines 0 to 4 now carry "password 7 0822455D0A16" and "login", so remote Telnet sessions are asked for the line password.

ENABLE THE ROUTER PRIVILEGED-MODE PASSWORD FOR REMOTE TELNET ACCESS:
R1(config)#enable password cisco

This is basic-level type 7 encryption. It is a reversible encoding with a fixed, publicly known key, so anyone who can read the configuration can recover the password in seconds.

CRACK THE BASIC-LEVEL TYPE 7 CONSOLE AND TELNET ROUTER PASSWORD:
1. Go to your router and enter privileged EXEC mode.
2. Type R1#show running-config
3. View your router's running configuration.
4. Copy the encrypted password:
5. enable password 7 0822455D0A16
6. Go to this website link:
7. http://www.ifm.net.nz/cookbooks/passwordcracker.html
8. Paste your password into the Type 7 password text box.
9. Click the crack password button.
10. Your password has been successfully decrypted.
11. Original password: cisco
12. Encrypted password: 0822455D0A16

So don't use the old type 7 passwords any more: anything that must stay secret (the enable secret, user passwords) should be stored as a salted hash, and a real password should never be pasted into a third-party web cracker, since that discloses it to whoever runs the site.
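The web cracker used above is doing nothing more than the following. This Python program is an added example (not from the lab or from Cisco): it implements the type 7 encoding, which XORs each password byte with a fixed 40-byte key starting at an offset given by the two leading digits, decodes the lab's own value 0822455D0A16 back to "cisco", and scans a constructed running-configuration fragment for every "7" password it contains. The configuration text and the seed value are constructed for the demo.

```python
"""Cisco IOS 'password 7' (type 7) encoder/decoder, added as an example (not the lab's code).

Type 7 is a Vigenere-style XOR against a fixed key that is public knowledge, so
'service password-encryption' only protects against shoulder-surfing. The value
0822455D0A16 is the one shown in the lab configuration above.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the fixed key IOS uses

def decode_type7(enc):
    """Cleartext for a type 7 string: two decimal digits of seed, then hex byte pairs."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode("ascii")

def encode_type7(plain, seed=8):
    """Inverse of decode_type7. IOS picks a seed of 0..15; 8 reproduces the lab value."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}" + body.hex().upper()

# Constructed running-config fragment, shaped like the one captured from R1 above.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 login
"""

def recover_from_config(text):
    """Find every '<command> 7 <hex>' line in a running config and return (command, cleartext)."""
    pattern = r"^\s*(.*?)\s+7\s+([0-9A-Fa-f]{4,})\s*$"
    return [(m.group(1), decode_type7(m.group(2))) for m in re.finditer(pattern, text, re.M)]

if __name__ == "__main__":
    print(decode_type7("0822455D0A16"))      # cisco
    print(encode_type7("cisco"))             # 0822455D0A16
    print(recover_from_config(SAMPLE_CONFIG))
```

Because the seed is only two digits and the key is fixed, there is no secret in the scheme at all; the "enable secret" form in the next section stores a salted hash instead, which cannot be reversed this way.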

CREATING HIGH-LEVEL SECURITY:

Creating MD5:
The password is now hashed using the stronger MD5 algorithm (enable secret).

Privileged-mode MD5 password:
R1(config)#enable secret cisco1234
Original password: cisco1234
Hashed password: $1$mERr$WKkcGROjDgUmPKrVvqyr10

The "5" form is salted MD5-crypt. Unlike type 7 it cannot be reversed, but it is cheap to brute-force offline from a leaked configuration, so use a long passphrase, and on IOS releases that support it prefer the type 8 (PBKDF2-SHA-256) or type 9 (scrypt) forms of enable secret. When both an enable password and an enable secret are configured the secret takes precedence, so remove the type 7 enable password once the secret is set.

Creating AAA authentication:

Authentication: identifies users by login and password using a challenge-and-response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.

Authorization: after initial authentication, authorization looks at what the authenticated user is allowed to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs specific to the individual user's rights. In Cisco IOS you can define AAA authorization with a named list or authorization method.

Accounting: the last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting you could get a log of when users logged in and when they logged out.

Enabling AAA:
Router(config)#aaa new-model
R1(config)#username cisco secret cisco1234

"aaa new-model" immediately switches every line, including the console, to the default login method list. Configure the method list with a local fallback and keep the existing console session open until a fresh login has been verified, or you can lock yourself out of the router.

Configuring the TACACS+ servers:
Next we need to configure the addresses of the AAA servers we want to use. This example shows the configuration of TACACS+ servers, but the concept applies to RADIUS servers as well. There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the tacacs-server command to specify an IP address and shared secret key for each server:
Router(config)#tacacs-server host 192.168.1.3 key MySecretKey1
Router(config)#tacacs-server host 192.168.2.3 key MySecretKey2

The shared key is all that protects the TACACS+ exchange between the router and the server, so it should be long and unique per device. Newer IOS releases replace "tacacs-server host" with a named "tacacs server" block.

Blocking dictionary attacks:
The primary intention of a dictionary attack, unlike a typical DoS attack, is to actually gain administrative access to the device. A dictionary attack is an automated process that attempts to log in by trying thousands, or even millions, of username/password combinations. (This type of attack is called a "dictionary attack" because it typically uses, as a start, every word found in a typical dictionary as a possible password.) As scripts or programs are used to attempt this access, the profile for such attempts is typically the same as for DoS attempts: multiple login attempts in a short period of time.

Block dictionary attack:
R1(config)#login block-for 120 attempts 3 within 60

Explanation: this command slows dictionary attacks against the router's login.
- block-for 120: the quiet period in seconds (120 s) during which the router refuses all login attempts.
- attempts 3: the maximum number of failed attempts (3 here; the command configures 3, not 5).
- within 60: the watch period in seconds over which the failed attempts are counted.

While in quiet mode the router refuses every Telnet, SSH and HTTP login, the administrator's included (the console is not affected), so exempt trusted management hosts with a quiet-mode access-class; otherwise an attacker can keep the router locked simply by failing three logins per minute.

Creating named access list control:
Cisco IOS versions 11.2 and higher can create named ACLs (NACLs). In a NACL, a descriptive name replaces the numerical ranges required for standard and extended ACLs. Named ACLs offer all the functionality and advantages of standard and extended ACLs; only the syntax for creating them is different. The name given to an ACL is unique. Using capital letters in the name makes it easier to recognize in router command output and in troubleshooting. A named ACL is created with the command:
ip access-list {standard | extended} name
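To see what "login block-for 120 attempts 3 within 60" does over time, including the side effect of locking out the legitimate administrator, the following Python program is an added example (not from the lab): it replays a constructed list of timestamped login results through a sliding window, enters quiet mode when three failures fall within 60 seconds, and reports which later attempts would be refused. The event list and timestamps are constructed for the demo.

```python
"""Model of IOS 'login block-for <block> attempts <n> within <w>' (added example, not lab code).

n failed logins inside a sliding w-second window put the router into quiet mode for
<block> seconds; during quiet mode every login attempt is refused, including good ones,
and refused attempts are not counted. Event times are constructed for the demo.
"""

def quiet_periods(events, block_for=120, attempts=3, within=60):
    """events: iterable of (t_seconds, 'fail' | 'ok'). Returns [(start, end), ...] quiet windows."""
    fails, periods, quiet_until = [], [], None
    for t, result in sorted(events):
        if quiet_until is not None and t < quiet_until:
            continue                          # refused at once, does not extend the window
        if result != "fail":
            continue                          # successful logins do not reset the counter
        fails = [f for f in fails if t - f <= within] + [t]
        if len(fails) >= attempts:
            periods.append((t, t + block_for))
            quiet_until, fails = t + block_for, []
    return periods

def decision(events, t, **kw):
    """'refused' if an attempt at time t falls inside a quiet window, else 'accepted'."""
    return "refused" if any(s <= t < e for s, e in quiet_periods(events, **kw)) else "accepted"

# Constructed login timeline: a burst of guesses, then the administrator, then a slower attack.
SAMPLE_EVENTS = [
    (0, "fail"), (10, "fail"), (20, "fail"),     # three failures in 20 s: quiet mode 20..140
    (50, "ok"),                                  # administrator's correct login is refused too
    (200, "fail"), (300, "fail"), (330, "fail"), # spaced out: never three inside 60 s
    (340, "fail"),                               # 300, 330, 340 trip it again: quiet 340..460
]

if __name__ == "__main__":
    print(quiet_periods(SAMPLE_EVENTS))          # [(20, 140), (340, 460)]
    for when in (50, 150, 345):
        print(when, decision(SAMPLE_EVENTS, when))
```

The administrator's attempt at t=50 is refused even though the credentials are correct, which is why the quiet-mode access-class exemption matters in practice; an attacker who knows the thresholds can keep the window tripped indefinitely with three bad logins per minute.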

STANDARD NAMED ACL DENY 192.168.1.2:

R1 ROUTER CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group Block-192.168.1.2 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.13.1 255.255.0.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip access-list standard Block-192.168.1.2
 deny host 192.168.1.2
 permit any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

PING BETWEEN 192.168.1.2 AND 172.16.13.2:
R1(config)#ip access-list standard Block-192.168.1.2
R1(config-std-nacl)#deny host 192.168.1.2

PING BETWEEN 192.168.1.3 AND 172.16.13.2:
R1(config)#ip access-list standard Block-192.168.1.2
R1(config-std-nacl)#deny host 192.168.1.2
R1(config-std-nacl)#permit any

The second ping succeeds only because "permit any" was added; with the single deny entry the implicit deny would have blocked 192.168.1.3 as well.

ENABLING THE LOG FILE DATABASE FOR FAILED AND SUCCESSFUL ATTEMPTS:

It stores the successful and failed login attempts in a database. In IOS these records are produced by the "login on-failure log" and "login on-success log" commands and appear in the logging buffer, which is read with "show logging".

VIEW THE LOG FILES ON YOUR ROUTER:

BEFORE THE LOG FILE CREATION:

AFTER THE LOG FILE CREATION:

RESULT: Thus the experiment was configured successfully.

CASE STUDY 5: CONTROLLING TRAFFIC FLOW

In this case study, the firewall router allows incoming new connections to one or more communication servers or hosts. Having a designated router act as a firewall is desirable because it clearly identifies the router's purpose as the external gateway and avoids encumbering other routers with this task. In the event that the internal network needs to isolate itself, the firewall router provides the point of isolation so that the rest of the internal network structure is not affected. Connections to the hosts are restricted to incoming file transfer protocol (FTP) requests and email services. The incoming Telnet or modem connections to the communication server are screened by the communication server running TACACS username authentication.

REQUIREMENTS:
1. One Cisco 1841 model router
2. One 8-port switch
3. One PC for remote Telnet login
4. One server (TACACS+) for Telnet login authentication
5. Class C and Class B IP addresses
6. Basic Telnet and routing configuration commands
7. Two copper straight-through cables
8. Cisco Packet Tracer 6.0.1.exe
9. Power supply

PROCEDURE:

Lab objective: anyone who tries to Telnet to the router must be authenticated through the AAA server first; if the AAA server is down, the router falls back to its local user account database.

Configuration at the router:

-------- setting Telnet --------
Router(config)#enable secret 1234
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#exit
Router(config)#username telnet password 1234

AAA commands
-------- enable AAA on the router --------
Router(config)#aaa new-model

Set authentication for login using two methods:
-------- Method 1 -------- the AAA server, through the TACACS+ protocol
-------- Method 2 -------- the local router user accounts
(The running configuration below does this with "aaa authentication login default group tacacs+ local"; the methods are tried in the order listed. This command is missing from the command-by-command steps but is what makes the lab work.)

Tell the router the IP address of the TACACS+ server and the key (password) used to connect to it:
Router(config)#tacacs-server host 192.168.1.3 key 1234

Configuration at the AAA server:
-------- ACS SERVER --------
---- user account ----
username: tacacs
password: tacacs
TACACS+ client IP: 192.168.1.1
key: 1234

Now here are a few show commands we can use, plus one command to unlock any user account that has reached the maximum number of failed logon attempts:
Router#show aaa user all
Router#show aaa sessions
Router#show aaa local user lockout
Router#clear aaa local user lockout username all

To verify: try to Telnet to the router with the local username telnet and password 1234 and it will not work, because the TACACS+ server answers and does not know that account. Then use the TACACS+ user name we created above, tacacs with password tacacs, and it works. Now disconnect the TACACS+ server, or just remove its cable, and Telnet to the router with the local telnet account, and it works. Remember: if method 1 fails (the server is reachable and rejects the login) you do not move on to method 2; only if method 1 is not available (no server answers) does the router fall back to method 2.

Two cautions on this setup. The shared key 1234 and the clear-text "username telnet password 0 1234" are lab values; the TACACS+ key is the only thing protecting the exchange with the server, and the local fallback account should have a strong, hashed secret, because it is exactly what an attacker who can cut the server link will be offered. The Telnet password itself crosses the LAN in clear text; SSH should replace Telnet outside the lab.

PHYSICAL CONNECTIONS:

TELNET WITHOUT TACACS SERVER:

TELNET WITH TACACS SERVER:

TELNET CLIENT IP ADDRESS:

TACACS SERVER IP:

TACACS+ SERVER CONFIGURATION:

ROUTER RUNNING CONFIGURATION:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
enable secret 5 <hash>
!
aaa new-model
!
aaa authentication login default group tacacs+ local
!
username telnet password 0 1234
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
tacacs-server host 192.168.1.3 key 1234
!
line con 0
!
line aux 0
!
line vty 0 4
 password telnet
 login authentication default
!
end

Once "aaa new-model" is active the "password telnet" on the vty lines is not consulted for login; it would only be used if the "line" method appeared in the method list. Note also that the default list applies to the console as well, so a console login is subject to the same server-first order.

TELNET LOGIN WITHOUT TACACS SERVER AUTHENTICATION:

TELNET LOGIN WITH TACACS SERVER AUTHENTICATION:

Router#show aaa sessions:

RESULT: Thus the experiment was configured successfully.

CASE STUDY 8: INTEGRATING EIGRP (ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL) INTO EXISTING NETWORKS

The case study should provide the benefits and considerations involved in integrating Enhanced IGRP into the following types of internetworks:
- IP: the existing IP network is running IGRP
- Novell IPX: the existing IPX network is running RIP and SAP
- AppleTalk: the existing AppleTalk network is running the Routing Table Maintenance Protocol (RTMP)

When integrating Enhanced IGRP into existing networks, plan a phased implementation. Add Enhanced IGRP at the periphery of the network by configuring Enhanced IGRP on a boundary router on the backbone off the core network. Then integrate Enhanced IGRP into the core network.

REQUIREMENTS:
1. Three Cisco 2811 routers
2. Three 24-port Cisco switches
3. Copper straight-through cables
4. Three serial line cables
5. Nine Windows PCs
6. Class A and Class C IP addresses
7. EIGRP router configuration commands
8. Basic network configuration commands
9. Cisco Packet Tracer 6.0.1.exe

PROCEDURES:

CREATE THE EIGRP NETWORK TOPOLOGY:

NETWORK TOPOLOGY:

EIGRP

What is EIGRP:
- Enhanced Interior Gateway Routing Protocol
- Advanced distance vector
- Rapid convergence
- 100% loop-free classless routing
- Easy configuration
- Incremental updates
- Load balancing across equal- and unequal-cost paths
- Flexible network design
- Multicast and unicast instead of broadcast addresses
- Support for VLSM and discontiguous subnets
- Manual summarization at any point in the internetwork
- Support for multiple network layer protocols

Features of EIGRP:
- Cisco proprietary protocol (the base protocol was later published as RFC 7868)
- Classless routing protocol
- Includes all features of IGRP
- Metric (32 bit): composite metric from bandwidth, delay, load and reliability; MTU is carried in updates but does not enter the metric calculation
- Administrative distance is 90
- Updates are sent by multicast (224.0.0.10)
- Maximum hop count is 255 (100 by default)
- Supports IP, IPX and AppleTalk
- Hello packets are sent every 5 seconds (60 seconds on low-speed NBMA links)
- Convergence rate is fast
- Overcomes the RIP limitations

EIGRP tables:
EIGRP maintains three tables for best path selection to a destination network:
1. Neighbor table
2. Topology table
3. Routing table

Disadvantages of EIGRP:
- Works only on Cisco routers (and on third-party implementations that follow RFC 7868)
- As configured in this lab, with no neighbour authentication, any device on a shared segment can form an adjacency with "router eigrp 10" and inject routes; production deployments should enable MD5 (or, in named mode, HMAC-SHA-256) authentication on every EIGRP interface.
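The "composite metric" item above is easiest to understand by computing it. The following Python function is an added example (not from the lab): it implements the EIGRP metric formula with the default K values (K1=K3=1, K2=K4=K5=0), using IOS's integer truncation at each step, and applies it to the lab topology under the assumption that the interfaces keep their IOS defaults (FastEthernet 100000 kbps / 100 us, serial 1544 kbps / 20000 us; the "clock rate" commands in the configurations below do not change the bandwidth value used by the metric). The interface defaults and the path names are the only assumptions.

```python
"""EIGRP composite metric with default K values (added example, not the lab's code).

metric = 256 * (10_000_000 // min_bandwidth_kbps + sum_of_delays_us // 10)
IOS truncates at each division, which is why a single serial hop gives 2169856.
Interface defaults below are assumed to be the IOS defaults for the media named.
"""

DEFAULTS = {                         # (bandwidth kbps, delay microseconds)
    "FastEthernet": (100_000, 100),
    "Serial": (1544, 20_000),        # default for a serial interface regardless of clock rate
}

def eigrp_metric(links, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """links: [(bandwidth_kbps, delay_us), ...] for each outgoing interface along the path."""
    bw = 10_000_000 // min(b for b, _ in links)        # scaled inverse of the slowest link
    delay = sum(d for _, d in links) // 10             # cumulative delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                                             # reliability term only applies when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return 256 * metric                                # MTU is never part of the calculation

def path_metric(*media):
    """Metric of a path described by interface media names, e.g. 'Serial', 'FastEthernet'."""
    return eigrp_metric([DEFAULTS[m] for m in media])

def hyd_to_bangalore_lan():
    """HYD -> CHE (serial) -> BANG (serial) -> 192.168.3.0/24 (FastEthernet) from the lab topology."""
    return path_metric("Serial", "Serial", "FastEthernet")

if __name__ == "__main__":
    print("FastEthernet only   ", path_metric("FastEthernet"))             # 28160
    print("one serial hop      ", path_metric("Serial"))                   # 2169856
    print("serial + LAN        ", path_metric("Serial", "FastEthernet"))   # 2172416
    print("HYD to Bangalore LAN", hyd_to_bangalore_lan())                  # 2684416
```

Compare the last value with the metric shown for 192.168.3.0 in the Hyderabad routing table captured below; the slowest link on the path fixes the bandwidth term, so adding the second serial hop only increases the delay term.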

Directly connected networks on the HYDERABAD router: 192.168.1.0, 10.0.0.0

Configuring EIGRP:
Router(config)# router eigrp <as number>
Router(config-router)# network <network ID>

Directly connected networks on the CHENNAI router: 192.168.2.0, 10.0.0.0, 11.0.0.0

Configuring EIGRP:
Router(config)# router eigrp <as number>
Router(config-router)# network <network ID>

Directly connected networks on the BANGALORE router: 192.168.3.0, 11.0.0.0

Configuring EIGRP:
Router(config)# router eigrp <as number>
Router(config-router)# network <network ID>

HYDERA1AD R"8t%$ R8

i ! C" ,i!8$ati" :

K version $&!: no service timestamps log datetime msec no service timestamps debug datetime msec no service password5encr1ption K hostname *S? K spanning5tree mode pvst K inter3ace ;ast7thernet=.= ip address $%&!$'(!$!$8= &88!&88!&88!= duple4 auto speed auto K inter3ace ;ast7thernet=.$ no ip address duple4 auto speed auto shutdown K inter3ace -erial=.).= ip address $=!=!=!$ &88!=!=!= clock rate $:(=== K inter3ace -erial=.).$ no ip address shutdown K inter3ace Alan$ no ip address shutdown K router eigrp $= network $%&!$'(!$!= network $=!=!=!= no auto5summar1 K ip classless K line con = K line au4 = K line vt1 = : login K end

CHENNAI R"8t%$ R8

i ! C" ,i!8$ati" :

K version $&!: no service timestamps log datetime msec no service timestamps debug datetime msec no service password5encr1ption K

hostname ,*7 K spanning5tree mode pvst K inter3ace ;ast7thernet=.= ip address $%&!$'(!&!$8= &88!&88!&88!= duple4 auto speed auto K inter3ace ;ast7thernet=.$ no ip address duple4 auto speed auto shutdown K inter3ace -erial=.&.= ip address $=!=!=!& &88!=!=!= K inter3ace -erial=.&.$ ip address $$!=!=!$ &88!=!=!= K inter3ace Alan$ no ip address shutdown K router eigrp $= network $=!=!=!= network $%&!$'(!&!= network $$!=!=!= no auto5summar1 K ip classless K line con = K line au4 = K line vt1 = : login K end

1a !al"$% R"8t%$ R8

i ! C" ,i!8$ati" :

K version $&!: no service timestamps log datetime msec no service timestamps debug datetime msec no service password5encr1ption K hostname +ANJ K spanning5tree mode pvst K inter3ace ;ast7thernet=.= ip address $%&!$'(!)!$8= &88!&88!&88!= duple4 auto speed auto K

inter3ace ;ast7thernet=.$ no ip address duple4 auto speed auto shutdown K inter3ace -erial=.&.= ip address $$!=!=!& &88!=!=!= K inter3ace -erial=.&.$ no ip address clock rate $====== shutdown K inter3ace Alan$ no ip address shutdown K router eigrp $= network $%&!$'(!)!= network $$!=!=!= no auto5summar1 K ip classless K line con = K line au4 = K line vt1 = : login K end

VERIFY THE NETWORK CONFIGURATION :

PING 192.168.1.3

PING 192.168.3.2

PING 192.168.2.3

NEIGHBORS ROUTING TABLES : HYDERABAD ROUTER NEIGHBOR TABLE :

CHENNAI ROUTER NEIGHBOR TABLE :

BANGALORE ROUTER NEIGHBOR TABLE :

ROUTER TOPOLOGY TABLES : BANGALORE ROUTER TOPOLOGY TABLE

CHENNAI ROUTER TOPOLOGY TABLE :

HYDERABAD ROUTER TOPOLOGY TABLE

ROUTERS ROUTING TABLES : BANGALORE ROUTER ROUTING TABLE :

CHENNAI ROUTER ROUTING TABLE

HYDERABAD ROUTER ROUTING TABLE

RESULT : Thus the experiment was configured successfully.

CASE STUDY 3:

DIAL-ON-DEMAND ROUTING

This case study should describe the use of DDR to connect a worldwide network that consists of a central site located in Mumbai and remote sites located in Chennai, Bangalore, and Hyderabad. The following scenarios should be considered:

• Having the Central Site Dial Out: Describe the central and remote site configurations for three setups: a central site with one interface per remote site, a single interface for multiple remote sites, and multiple interfaces for multiple remote sites. Include examples of the usage of rotary groups and access lists.

• Having the Central and Remote Sites Dial In and Dial Out: Describe the central and remote site configurations for three setups: a central site with one interface per remote site, a single interface for multiple remote sites, and multiple interfaces for multiple remote sites. Also describe the usage of Point-to-Point Protocol (PPP) encapsulation and the Challenge Handshake Authentication Protocol (CHAP).

• Having Remote Sites Dial Out: A common configuration is one in which the remote sites place calls to the central site but the central site does not dial out. In a "star" topology, it is possible for all of the remote routers to have their serial interfaces on the same subnet as the central site serial interface.

• Using DDR as a Backup to Leased Lines: Describes the use of DDR as a backup method to leased lines and provides examples of how to use floating static routes on single and shared interfaces.

• Using Leased Lines and Dial Backup: Describes the use of Data Terminal Ready (DTR) dialing and V.25bis dialing with leased lines.

BASIC CONCEPT OF ISDN DDR: Now I explain the basic concept of Dial on Demand Routing. I am now developing the full concept of DDR; I will update soon!

REQUIREMENTS:
1. One Cisco router 2501
2. One Cisco router 800
3. Two ISDN BRI interfaces.
4. Basic DDR configuration commands.
5. Basic network configuration commands (ping).
6. ISDN Serial DCE cables.
7. Boson NetSim for CCNP v6.0 Beta3b

NETWORK TOPOLOGY:

ROUTERS ISDN PARAMETERS:

CHENNAI ROUTER RUNNING CONFIGURATION:

CHENNAI#sh running-config
Building configuration...

!
Version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CHENNAI
!
ip subnet-zero
!
interface Serial0
 no ip address
 no ip directed-broadcast
 bandwidth 1544
 shutdown
!
interface Serial1
 no ip address
 no ip directed-broadcast
 bandwidth 1544
 shutdown
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 bandwidth 10000
 shutdown
!
interface Bri0
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 32177820010100
 dialer map ip 192.168.0.2 name MUMBAI broadcast 7782001
 encapsulation ppp
 ppp authentication chap
!
ip classless
no ip http server
!
!
dialer-list 1 protocol ip permit
!
isdn switch-type basic-ni
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

MUMBAI ROUTER RUNNING CONFIGURATION:

MUMBAI#sh running-config
Building configuration...

!
Version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MUMBAI
!
ip subnet-zero
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 bandwidth 10000
 shutdown
!
interface Bri0
 ip address 192.168.0.2 255.255.255.0
 no ip directed-broadcast
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 32177820020100
 dialer map ip 192.168.0.1 name CHENNAI broadcast 7782002
 encapsulation ppp
 ppp authentication chap
!
ip classless
no ip http server
!
dialer-list 1 protocol ip permit
!
isdn switch-type basic-ni
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

VERIFY ISDN DDR NETWORK CONNECTIVITY:

CHECK ISDN STATUS: CHENNAI ROUTER ISDN STATUS:

MUMBAI ROUTER ISDN STATUS:

PING BETWEEN TWO ROUTERS:

RESULT: Thus the experiment was configured successfully.
