
Part 2 - LAN & VLAN Configuration (15.05. - 24.05.2024)

By now, you have learned the basics of IP in the lecture, and you are a pro when it comes to Layer 2 technologies. So, let’s implement a local area network with switches and some basic IP addressing!

We suggest you first read the task as a whole to get an idea of where we are going. Then, try to make a plan for what needs to be done. This is a comparatively small task, but in our experience, students often struggle with problem statements exceeding the two or three sentences they are used to encountering in exams. In the real world, you will encounter way more complex problems, and the details of the requirements may span a hundred pages. Think like a computer scientist - abstract the problem and break it down into manageable chunks, which you can then distribute among your team members. Also, think about the best order to solve the tasks, as there might be dependencies.

Topology Reminder

Mini-Internet L2 Topology

The Task (Question 1.1)


Your goal for this question is to enable L2 connectivity in the university networks among the admin hosts (A) and among the student hosts (S), but not between admin and student hosts. Admin hosts and student hosts should still be able to communicate, but only via an L3 router. Putting the two groups into separate VLANs puts them into separate broadcast domains: a frame sent by a student host is never delivered to an admin host's switch port, so L2 attacks such as MAC spoofing, where an attacker impersonates a different device to receive the traffic (and sensitive data) meant for it, cannot be mounted from one group against the other.

In L2S, you will have to configure the hosts, the switches, and the gateway router CAPE.

Configure the IP addresses and default gateway

Configure an IPv4 address on each host in L2S and for the interfaces of the router CAPE (read “Configure the VLANs” below to find out which interfaces to configure on the router). For this task, you must use the IPv4 subnet X.200.0.0/23, where X is your group number (you do not have to configure IPv6 addresses for this task). You are free to use any IP address as long as it is in this subnet.

In addition, every host needs an IPv4 default gateway to be able to reach external destinations. Configure it so that all hosts in the university network use CAPE as their default gateway. You will find an explanation of how to configure the hosts below. After last week’s task, you should already be familiar with the basics of FRRouting; further details are also explained below.

To test connectivity, you can use ping. If your solution is correct, hosts within each cluster can reach hosts in the same cluster as well as the default gateway.

Hint

Hosts will not yet be able to reach anything beyond the default gateway, as your L3 topology is not yet configured.
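As an added example (not part of the original assignment page), the following Python script builds one possible addressing plan for this task: it splits X.200.0.0/23 into one /24 per VLAN, gives the gateway the first usable address of each subnet, checks that the two subnets are disjoint and inside the assigned block, and prints the ip and FRR commands that the tutorial sections below describe. The group number 84, the host names and the order of assignment are assumptions; any plan inside X.200.0.0/23 is acceptable.

```python
"""Addressing plan for the L2S task: one /24 per VLAN out of X.200.0.0/23.

Added example, not part of the original assignment page. Group number 84,
the host names and "gateway = first usable address, hosts follow in order"
are assumptions; any plan inside X.200.0.0/23 is acceptable.
"""
import ipaddress

GROUP = 84  # assumed group number X
SUPERNET = ipaddress.ip_network(f"{GROUP}.200.0.0/23")

# VLAN -> hosts attached to it (constructed host names)
VLAN_HOSTS = {
    10: ["A_AU", "A_BR"],
    20: ["S_AU", "S_BR"],
}


def build_plan(supernet=SUPERNET, vlan_hosts=VLAN_HOSTS):
    """Return {vlan: {"subnet": net, "gateway": ip, "hosts": {name: ip}}}.

    Each VLAN gets its own /24, so CAPE's two subinterfaces (CAPE-L2.10 and
    CAPE-L2.20) sit in disjoint subnets; that is what lets the router on a
    stick decide which subinterface a destination belongs to.
    """
    subnets = list(supernet.subnets(new_prefix=24))
    if len(subnets) < len(vlan_hosts):
        raise ValueError("not enough /24 subnets in the supernet")
    plan = {}
    for (vlan, hosts), net in zip(sorted(vlan_hosts.items()), subnets):
        usable = net.hosts()              # .1, .2, ... (network/broadcast excluded)
        gateway = next(usable)
        plan[vlan] = {
            "subnet": net,
            "gateway": gateway,
            "hosts": {name: next(usable) for name in hosts},
        }
    return plan


def check_plan(plan, supernet=SUPERNET):
    """Checks a TA would apply: subnets pairwise disjoint and inside the
    assigned block, gateway and hosts inside their own subnet."""
    nets = [v["subnet"] for v in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    for v in plan.values():
        if not v["subnet"].subnet_of(supernet):
            return False
        if v["gateway"] not in v["subnet"]:
            return False
        if any(ip not in v["subnet"] for ip in v["hosts"].values()):
            return False
    return True


def host_commands(plan, vlan, name, switch_iface):
    """The two ip commands to type on one host; switch_iface follows the
    host naming convention below, e.g. 84-S1."""
    entry = plan[vlan]
    ip = entry["hosts"][name]
    return [
        f"ip address add {ip}/{entry['subnet'].prefixlen} dev {switch_iface}",
        f"ip route add default via {entry['gateway']}",
    ]


def router_commands(plan, base_iface="CAPE-L2"):
    """FRR commands for the VLAN subinterfaces (CAPE-L2.10, CAPE-L2.20)."""
    lines = ["conf t"]
    for vlan, entry in sorted(plan.items()):
        lines += [
            f"interface {base_iface}.{vlan}",
            f" ip address {entry['gateway']}/{entry['subnet'].prefixlen}",
            " exit",
        ]
    return lines


if __name__ == "__main__":
    plan = build_plan()
    assert check_plan(plan)
    for vlan, entry in plan.items():
        print(f"VLAN {vlan}: {entry['subnet']} gateway {entry['gateway']}")
    print("\n".join(host_commands(plan, 10, "A_AU", f"{GROUP}-S1")))
    print("\n".join(router_commands(plan)))
```

Keeping the two VLANs in disjoint subnets is not optional: CAPE-L2.10 and CAPE-L2.20 are two separate router interfaces, and the router section below explains why each interface must own a different subnet.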

Configure the VLANs

You also have to configure VLANs: use VLAN 10 for admin and VLAN 20 for students. To do so, you must configure access ports (tagged with a single VLAN) and trunk ports on the switches. We explain how to do that below.

👉 The interface of CAPE connected to L2S in VLAN 10 is named CAPE-L2.10, and the one in VLAN 20 is named CAPE-L2.20 (you can see them with a show interface brief in the FRRouting CLI).

Warning

Do not configure the interface CAPE-L2 (without suffix) in the router CAPE. You cannot reset this address from FRR and restoring your config will not help either. If you accidentally configured an address for this interface, you can only contact the TAs to reset it for you.

Checking your solution

Use traceroute -n to test your solution. The -n flag is needed to prevent traceroute from trying to translate the IP addresses to the respective domain names. This does not work at this point because the DNS server is not yet reachable. If your solution is correct, you should see in the traceroute output that hosts in the same VLAN can reach each other directly, while hosts in different VLANs have to go through the router.

In this task, only configure IPv4 addresses, and only the southern L2S datacenter.
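An added example (not from the original page) that turns this manual check into a script: it parses traceroute -n output and compares the observed hops with the path expected from the source host's own address and prefix length, so a destination in the host's own subnet must be reached in one hop and anything else via the default gateway. The addresses (group 84, VLAN 10 = 84.200.0.0/24, VLAN 20 = 84.200.1.0/24) and the three traceroute transcripts are constructed.

```python
"""Check `traceroute -n` output against the path expected for this task.

Added example, not part of the original assignment page. Group number 84,
the addresses (VLAN 10 = 84.200.0.0/24, VLAN 20 = 84.200.1.0/24) and the
traceroute transcripts below are constructed.
"""
import ipaddress
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

# Constructed transcripts in the format traceroute -n prints.
SAME_VLAN = """\
traceroute to 84.200.0.3 (84.200.0.3), 30 hops max, 60 byte packets
 1  84.200.0.3  0.421 ms  0.377 ms  0.360 ms
"""
CROSS_VLAN = """\
traceroute to 84.200.1.2 (84.200.1.2), 30 hops max, 60 byte packets
 1  84.200.0.1  0.512 ms  0.401 ms  0.389 ms
 2  84.200.1.2  0.973 ms  0.901 ms  0.884 ms
"""
TIMEOUT = """\
traceroute to 84.200.1.2 (84.200.1.2), 30 hops max, 60 byte packets
 1  84.200.0.1  0.512 ms  0.401 ms  0.389 ms
 2  * * *
"""


def parse_hops(output):
    """Return the address reported for each hop ('*' when it timed out)."""
    hops = []
    for line in output.splitlines():
        if line.startswith("traceroute to"):
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return hops


def expected_path(src_iface, gateway, dst):
    """Path a correctly configured host should take.

    src_iface is the host's own address with prefix length, e.g.
    '84.200.0.2/24'. A destination inside that prefix is on-link and must
    be reached in one hop; anything else goes via the default gateway.
    """
    src = ipaddress.ip_interface(src_iface)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in src.network:
        return [str(dst_ip)]
    return [str(ipaddress.ip_address(gateway)), str(dst_ip)]


def verdict(src_iface, gateway, dst, output):
    """'ok' when the observed hops match, otherwise a hint what to check."""
    hops = parse_hops(output)
    exp = expected_path(src_iface, gateway, dst)
    if hops == exp:
        return "ok"
    if not hops or "*" in hops:
        return "unreachable: a hop timed out (missing VLAN tag, address or default gateway?)"
    if len(exp) == 1 and len(hops) > 1:
        return "on-link destination was forwarded by a router: check VLAN tag and prefix length"
    if len(exp) == 2 and len(hops) == 1:
        return "other subnet reached without the gateway: check the host's routes and prefix length"
    return f"unexpected path {hops}, expected {exp}"


if __name__ == "__main__":
    for name, dst, out in [("same VLAN", "84.200.0.3", SAME_VLAN),
                           ("cross VLAN", "84.200.1.2", CROSS_VLAN),
                           ("timeout", "84.200.1.2", TIMEOUT)]:
        print(f"{name}: {verdict('84.200.0.2/24', '84.200.0.1', dst, out)}")
```

A common mistake the script catches is configuring the whole X.200.0.0/23 on a host instead of its VLAN's /24: the host then believes every address in the other VLAN is on-link, expects a one-hop path, and the observed path via CAPE no longer matches.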

Note

Use a search engine of your preference to learn more about the term “router on a stick” and how this idea applies to the task above.


Tutorials

See the instructions below to solve this week's tasks.

Configuring Open vSwitch


Open vSwitch is one of the most popular software switches. For instance, it is often used in virtual environments to connect two virtual machines. The following sections explain how you can use and configure the switches in your Mini-Internet.

Naming conventions for the Mini-Internet Switches

On each switch, one port has the name br0 and the corresponding interface has the type internal. This is a local port used by the host to communicate with the switch; you do not need to use it. The ports to hosts follow the pattern X-host, where X is the AS number and host is the hostname (e.g. 84-A_AU for A_AU in AS 84). The ports to other switches are named X-SWITCHNAME (e.g. 84-S3 for the port on S2 to S3 in AS 84). If there is a port to a router, it is called ROUTERNAMErouter (e.g. ACCRrouter on S1).

Reading the current switch state and configuration

Brief switch overview

To print a brief overview of the switch state and its parameters, you can use the following command:

ovs-vsctl show

This command also tells you the VLANs to which each port belongs.

Port status

To get more precise information about the status of the ports, you can use the following command:

ovs-ofctl show br0

Please note that the bandwidths in the output of this command do not correspond to the actual bandwidths used in the assignment.

Current configuration and statistics

To get the current configuration and all the statistics of the switch, you can get a dump of the switch database with the following command:

ovsdb-client dump

For example, one entry in the database could look like this:

> 645981b6c 0 false [] 0 {} false [119f5-2be8bf5] [] [] 84-S3 {stp-path-cost="100"}
 [] {stp_error_count=0, stp_rx_count=312, stp_tx_count=3} {stp_port_id="8004",
  stp_role=alternate, stp_sec_in_state="223", stp_state=blocking} [] [10, 20] []

For instance, this entry is for the port named 84-S3 and this port is a trunk port in VLANs 10 and 20. You can use the grep command to filter the output further.

Changing the VLAN configuration

Below are some commands to adapt the VLAN configuration of a switch. To add a port to a VLAN, you can use the following command:

ovs-vsctl set port PORT_NAME tag=10

This will add the port PORT_NAME to the VLAN 10. Since PORT_NAME is in one VLAN only, the port is an access port. Should you add a port to several VLANs, you can use the following command:

ovs-vsctl set port PORT_NAME trunks=10,20

The port PORT_NAME will be in trunk mode for VLANs 10 and 20. To clear the VLAN configuration on a port (here for a trunk link), you can use the following command:

ovs-vsctl clear port PORT_NAME trunks

Be aware of the Open vSwitch default: a port with neither a tag nor a trunks list is a trunk port that carries all VLANs. A host port you forgot to tag therefore sees both the admin and the student VLAN, which is exactly the isolation this task is meant to enforce, so check every host port with ovs-vsctl show before you start testing.
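As an added check (not part of the original page), the following Python script audits a switch's VLAN configuration from the output of ovs-vsctl show against the policy of this task: every port to an A_* host must be an access port in VLAN 10, every port to an S_* host an access port in VLAN 20, and every port to another switch or to a router a trunk for exactly VLANs 10 and 20. The sample output is constructed (switch S1 of AS 84, with the port to S_AU deliberately left unconfigured), and the port-role rules are derived from the naming conventions above.

```python
"""Audit a Mini-Internet switch's VLAN configuration from `ovs-vsctl show`.

Added example, not part of the original page. SAMPLE is constructed output
for switch S1 of AS 84 (hosts A_AU and S_AU, uplink to S3, port to ACCR);
the port to S_AU has been left without tag or trunks on purpose.
"""
import re

ALLOWED = {10, 20}   # the only VLANs that may exist on the trunks

SAMPLE = """\
3a1e6f0c-0f3b-4e2a-9f0a-9c1d2e3f4a5b
    Bridge br0
        Port br0
            Interface br0
                type: internal
        Port "84-A_AU"
            tag: 10
            Interface "84-A_AU"
        Port "84-S_AU"
            Interface "84-S_AU"
        Port "84-S3"
            trunks: [10, 20]
            Interface "84-S3"
        Port ACCRrouter
            trunks: [10, 20]
            Interface ACCRrouter
    ovs_version: "2.17.0"
"""


def parse_show(text):
    """Return {port: {"tag": int|None, "trunks": set|None, "internal": bool}}."""
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Port "):
            current = line[5:].strip().strip('"')
            ports[current] = {"tag": None, "trunks": None, "internal": False}
        elif current and line.startswith("tag:"):
            ports[current]["tag"] = int(line.split(":", 1)[1])
        elif current and line.startswith("trunks:"):
            ports[current]["trunks"] = {int(v) for v in re.findall(r"\d+", line)}
        elif current and line.startswith("type: internal"):
            ports[current]["internal"] = True
    return ports


def classify(port_name, as_number=84):
    """Expected role of a port, derived from the switch naming convention."""
    prefix = f"{as_number}-"
    if port_name.startswith(prefix):
        rest = port_name[len(prefix):]
        if rest.startswith("A_"):
            return ("access", 10)
        if rest.startswith("S_"):
            return ("access", 20)
        return ("trunk", None)          # port to another switch
    if port_name.endswith("router"):
        return ("trunk", None)          # port to the gateway router
    return ("ignore", None)


def audit(ports, as_number=84):
    """Return a list of (port, problem); an empty list means compliant."""
    findings = []
    for name, cfg in ports.items():
        if cfg["internal"]:
            continue
        role, vlan = classify(name, as_number)
        if role == "ignore":
            findings.append((name, "unknown port name, review manually"))
        elif cfg["tag"] is None and cfg["trunks"] is None:
            # OVS default: no tag and no trunks means a trunk carrying every VLAN
            findings.append((name, "unconfigured: trunks all VLANs, leaks admin and student traffic"))
        elif role == "access":
            if cfg["tag"] != vlan or cfg["trunks"]:
                findings.append((name, f"expected access port in VLAN {vlan}, "
                                       f"got tag={cfg['tag']} trunks={cfg['trunks']}"))
        elif role == "trunk":
            if cfg["tag"] is not None or cfg["trunks"] != ALLOWED:
                findings.append((name, f"expected trunk for VLANs {sorted(ALLOWED)}, "
                                       f"got tag={cfg['tag']} trunks={cfg['trunks']}"))
    return findings


if __name__ == "__main__":
    import sys
    # pipe `ovs-vsctl show` into the script on a switch; falls back to SAMPLE
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for port, problem in audit(parse_show(text)) or [("-", "all ports compliant")]:
        print(f"{port}: {problem}")
```

The finding on 84-S_AU is the one that matters for security: Open vSwitch treats a port with neither tag nor trunks as a trunk for every VLAN, so a single forgotten host port undoes the admin/student separation even though every other port is configured correctly.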

Configuring Hosts


This section explains how to configure the various hosts (connected to switches and routers) in your Mini-Internet.

Naming conventions

The interface to a router is called <router-name>router, e.g. CAIRrouter for CAIR. The loopback interface has the name lo. The interface to a switch is called X-s where X is the AS number and s the switch name, e.g. 84-S3 for an interface to switch S3 in AS 84.

Reading the configuration

Below, we explain how you can see (i) the available interfaces and their current IP addresses, and (ii) the current default gateway.

Seeing interfaces and their IP addresses

You can see the interfaces with ip address show.

This is the example output on A_AU in AS 128:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
26451: ssh@if26452: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:9e:80:c8:03 brd ff:ff:ff:ff:ff:ff
    inet 158.128.200.3/16 brd 158.128.255.255 scope global ssh
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9eff:fe80:c803/64 scope link
       valid_lft forever preferred_lft forever
29550: 128-S1@if29549: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc netem state UP qlen 1000
    link/ether ae:5e:e3:30:22:b8 brd ff:ff:ff:ff:ff:ff
    inet 128.201.10.2/24 scope global 128-S1
       valid_lft forever preferred_lft forever
    inet6 128:201:10::2/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ac5e:e3ff:fe30:22b8/64 scope link
       valid_lft forever preferred_lft forever
As you see in the block for 128-S1, there is an interface named 128-S1, the interface towards switch S1 in this AS, AS 128. Every such interface already has an IPv6 address with link-local scope (the one starting with fe80). When you add an IP address with the commands in the next section, it appears on its own line in this block and is scoped globally (as desired); the example output above is from a host that has already been configured, which is why it also shows the global addresses 128.201.10.2/24 and 128:201:10::2/48.

Seeing the default gateway

To see the current default gateway, use ip route; for IPv6, you can use ip -6 route. Look for the entry starting with default.

Changing the configuration

The host configuration is relatively simple. First, you have to assign an IP address and subnet to one of the interfaces available on the host. For that, you can use the following command:

ip address add IP/SUBNET_SIZE dev INTERFACENAME

For example, consider the host connected to KINS in AS 111. You can assign the required IP address using:

ip address add 111.107.0.1/24 dev KINSrouter

With this command, you assign the IP address 111.107.0.1 inside the corresponding /24 subnet (111.107.0.0/24) to the interface called KINSrouter. Note that we configure the IP address and the corresponding subnet all at once. To remove an IP address, you can use the following command:

ip address del 111.107.0.1/24 dev KINSrouter

💡 Note that you do not need to remove the existing link-local addresses (cf. example output in “Reading the configuration” above).

At this point, the host knows how to reach all IP addresses inside the subnet 111.107.0.0/24 (they are on-link, so it resolves them directly), but it cannot reach any other IP address. The prefix length tells the host which subnet it is in; the IP address is the address by which other devices can reach this host. Hence, you normally add a route towards a default gateway that the host uses for all destinations for which it has no more specific route. To do that, use the command:

ip route add default via IP_ADDRESS

The commands are identical for IPv6; use ip -6 route if you want to address the IPv6 routing table explicitly.

Coming back to our previous example, to add a route towards the router KINS (which connects the host to the rest of the Internet), we could use the following command:

ip route add default via 111.107.0.2

To delete past entries, use

ip route del default via IP_ADDRESS

For IPv6, do not delete or change the link-local address (the one starting with fe80).

Configure the Router Interface


In order to explain in more detail how to configure interfaces, we will first describe their purpose and then tell you about the naming conventions for this project. Next, we will show you how to read and change the interface configuration.

The purpose of an interface

A router interconnects IP networks through several IP interfaces. When it receives a packet on one interface, it forwards it out of another based on pre-computed forwarding decisions. Each IP interface must have an IP address configured, and each interface must be in a different subnet.

Try to think what would happen if that wasn’t the case.

An interface can have both an IPv4 and IPv6 address.

Interface naming conventions

Each router has interfaces to its neighboring routers whose names follow the pattern port_<neighbor>. For instance, the interface on ACCR connected to LUAN is named port_LUAN. Moreover, each router has an interface connected to the host named host and a loopback interface called lo. An interface connected to another AS is called ext_<AS-number>_<router-name>. For example, the interface on CAPE in AS 84 connected to ADDI in AS 86 has the name ext_86_ADDI.

Reading interface configurations

To get an overview of the interfaces, use the command

router# show interface

or for a briefer overview

router# show interface brief

You can get information for one specific interface with

router# show interface INTERFACENAME

Please ignore the interface sit0; it is created by default when IPv6 is enabled on Linux, but we do not need it.

Changing interface configurations

You must first enter the configuration mode, and then specify the name of the interface you want to configure:

router# conf t
router(config)# interface INTERFACENAME
router(config-if)# ip address 1.0.0.1/24

You can verify that the running configuration has been updated correctly with the command show run.

Warning

Do not configure two different IP addresses on one interface at the same time. If you have configured a wrong IP address, first remove the address with the no command and then configure a new IP address:

router# conf t
router(config)# interface INTERFACENAME
router(config-if)# no ip address 1.0.0.1/24
router(config-if)# ip address 2.0.0.1/24

Once you have configured an IP address and a subnet on an interface, the router knows that packets with a destination IP in this subnet must be forwarded to this interface. To show the subnets that are directly connected to your router, you can use the following command.

router# show ip route connected
C>* 2.0.0.0/24 is directly connected, INTERFACENAME

We see that 2.0.0.0/24 is directly connected and reachable with the interface INTERFACENAME. At this stage, a packet with a destination IP that is not in a directly connected subnet will be dropped. If you want your router to know where to forward packets with an IP destination in a remote subnet, you must use routing protocols, such as OSPF or BGP (explained in the following tutorial sections).

Additional Resources


Subnetting

This week, you got a first glimpse of the challenges of subnetting. You should be able to do subnet calculations in your head quickly for the exam. More practice problems can be found on this website.

O’REILLY E-Book Library

Through the SLUB you have free student access to a plethora of excellent learning materials for computer science. One of them is the O’REILLY E-Book Library, which would normally cost you about $50/month for a regular subscription. Take a look at the resources for computer science provided via SLUB DBIS and select OReilly. After logging in, you can access about 57,000 e-books and 30,000 hours of video material. Yuhu! Happy learning! Why don’t you check it out by reading a little more about a commercial vendor’s network device operating system, the Cisco IOS CLI? No vendor-specific knowledge is required for this course, but the above-referenced book chapter (starting with the section “Accessing the CLI with Telnet and SSH”) should give you a deeper understanding of the concept behind the configuration of many network devices today, despite their many differences in detail. We use the open-source FRRouting protocol suite on top of a Linux OS. Its CLI behaves very similarly to the one offered by Cisco IOS, and transferring knowledge from online tutorials on IOS might be helpful for upcoming tasks.


page version 1.0.1 - last edited May 23rd, 2024