Computer Networks Practicum Module

COMPUTER NETWORKS PRACTICUM MODULE
COMPUTER NETWORKS LABORATORY, FACULTY OF ELECTRICAL ENGINEERING - UNISMA

By: GROUP SB1
NAME
NRP
DEPARTMENT
PRACTICUM ASSISTANT

Approved: ...... / ....... / ................, Malang

COMPUTER NETWORKS LABORATORY, DEPARTMENT OF ELECTRICAL ENGINEERING - INFORMATICS, FACULTY OF ENGINEERING, UNIVERSITAS ISLAM MALANG 2009

COMPUTER NETWORKS LABORATORY, DEPARTMENT OF ELECTRICAL ENGINEERING - INFORMATICS, FACULTY OF ENGINEERING, UNIVERSITAS ISLAM MALANG 2009–2010

ACTIVITY REPORT

Practicum Title: .......................................................................
Group Name: .......................................................................
Practicum Description: ......................................................................

1. Tools and Materials

2. Procedure

3. Analysis

4. Conclusion

5. Suggestions

Acknowledged by the practicum assistant          Malang, ..........................................

(                              )

MODULE I ESTABLISHING A LOCAL AREA NETWORK

I. DESCRIPTION

1. Objectives
To establish a Local Area Network consisting of three personal computers running the Linux operating system, and a hub.
- Physically connect computers (cabling)
- Configure IP addresses using ifconfig
- Manipulate the routing table using route

2. Background Reading
Knowledge of network addressing standards and of Linux system administration relating to Local Area Networks is necessary for this lab. Online Linux documentation can be found at www.tldp.org; other useful web sites include ilmukomuter.com, tebarilmu.org and linux.or.id. Specifically, read the man pages on ifconfig, route, traceroute and chkconfig. For information about network cabling and addressing, Implementasi Jaringan Komputer dengan Linux Red Hat by Husni, Andi Publisher, is recommended. If you have enough time, reading a CCNA (Cisco Certified Network Associate) exam guide is even better.

II. BEGINNING ASSIGNMENT
1. What do you know about LANs?
2. Name and describe the components of a LAN.

III. PRACTICUM

A. Required Equipment
1. Four PCs (with Linux OS), including the gateway PC. At LabSI there are 12 PCs, so you can divide your class into 3 groups.
2. PCs should be equipped with Network Interface Cards (three PCs with one card each, but the gateway PC must have 2 Ethernet cards)
3. One switch
4. One router with an Ethernet interface
5. Cables (UTP Cat 5e or 6)

B. PROCEDURE
1. Set up a physical LAN
a) First, determine which cables are necessary for the available hardware.
b) Insert one end of the cable into the switch and the other end of the cable into the host computer.
c) Connect all host computers to the switch as in the figure below.

Sample Lab A

2. Host set-up (e.g. IP address and netmask) using ifconfig
a) In this part of the lab, the ifconfig command is used to configure network interface devices. This includes adding the IP address and the netmask for the host.
b) Boot each host machine and log on with your user name.
c) Open a new terminal on each host and log on as root.
    $ su
    Password:
d) Check the network interface settings using ifconfig
    # ifconfig -a
e) Verify that eth0 exists on each host by checking the output from above.
f) Set the Ethernet interface at each host using ifconfig. This will assign an IP address and network mask to the host. The following is a sample. For host 1:
    # ifconfig eth0 192.168.1.1 netmask 255.255.255.0
g) Verify communication among the machines by using the ping command. On host 1, ping the other two hosts.
    # ping 192.168.1.2
    ------- output -------
    # ping 192.168.1.3
    ------- output -------
On host A run traceroute to the other hosts
    # traceroute 192.168.1.2
    ------- output -------
    # traceroute 192.168.1.3
    ------- output -------
h) Changes made using ifconfig at this point are not permanent and will be lost on reboot. To make the configuration effective on reboot you need to edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 to have the following settings.
    # contents of ifcfg-eth0
    DEVICE=eth0
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.1
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    BOOTPROTO=none
i) Check that the network script has been added to the default init levels.
    # chkconfig --list
j) If the network script is not on, add it using chkconfig. This command adds the network script to the current run level.
    # chkconfig --add network

3. Manipulate routing tables using route
a) The route command is used to look at the host's routing table and can be used to add or delete routes from the table. It has the following syntax:
    route add|del -net|-host target [gateway] [metric] [device]
route manipulates the kernel's IP routing table. Its primary use is to set up static routes to specific hosts or networks via an interface after it has been configured with the ifconfig command. The command route with no arguments displays the routing table.
b) After the steps from part 2, the route to the network 192.168.1.0 will be in the routing table. Verify the network is in the routing table using the route command.
    # route
c) To illustrate the use and functionality of the route command, we will delete an entry and add an entry to the table. Delete the network 192.168.1.0 using the route command.
    # route del -net 192.168.1.0 netmask 255.255.255.0
d) Check the routing table and verify that the network has been removed from the routing table.
    # route
e) Verify the deleted network is no longer reachable.
    # ping 192.168.1.3
f) Add individual hosts to the routing table to allow communication.
    # route add -host 192.168.1.2 dev eth0
    # route add -host 192.168.1.3 dev eth0
g) Verify these hosts are in the routing table.
    # route
h) Use the ping command to verify that communication among the machines has been restored.
    # ping 192.168.1.2
    # ping 192.168.1.3
i) Notice that the machines were reachable when either the network or the individual host was in the routing table. Note also that the exercise manipulating the routing table was unnecessary, since the ifconfig command places the network in the routing table for us.
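The lookups behind steps b) to i) can be replayed offline. The following is an added example, not part of the original module: a small Python model of the routing table on host 1 that selects the most specific matching route, the way the kernel does. The host 192.168.1.4 and the final step that re-adds the network route are constructed for illustration.

```python
import ipaddress


class RoutingTable:
    """Toy model of the kernel IPv4 table that `route add|del` edits."""

    def __init__(self):
        self.routes = []  # (network, device) pairs

    def add(self, target, netmask="255.255.255.255", dev="eth0"):
        # `-host` routes use an all-ones mask; `-net` routes pass their netmask
        self.routes.append((ipaddress.ip_network(f"{target}/{netmask}"), dev))

    def delete(self, target, netmask="255.255.255.255"):
        net = ipaddress.ip_network(f"{target}/{netmask}")
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, destination):
        """Return (prefix, device) of the most specific match, or None."""
        addr = ipaddress.ip_address(destination)
        hits = [r for r in self.routes if addr in r[0]]
        if not hits:
            return None  # no route: ping fails with "Network is unreachable"
        net, dev = max(hits, key=lambda r: r[0].prefixlen)
        return str(net), dev


def run_lab():
    """Replay the procedure on host 1 (192.168.1.1) and record each lookup."""
    table, seen = RoutingTable(), {}

    # Step b: ifconfig has already installed the connected network route
    table.add("192.168.1.0", "255.255.255.0")
    seen["b"] = table.lookup("192.168.1.3")

    # Steps c to e: delete the network route, then try to reach host 3
    table.delete("192.168.1.0", "255.255.255.0")
    seen["e"] = table.lookup("192.168.1.3")

    # Steps f to h: add the two host routes and try again
    table.add("192.168.1.2")
    table.add("192.168.1.3")
    seen["h"] = [table.lookup(h) for h in ("192.168.1.2", "192.168.1.3")]

    # Constructed case: a neighbour without a host route stays unreachable
    seen["other"] = table.lookup("192.168.1.4")

    # Constructed case: with both kinds of route present, the /32 wins for
    # host 3 and the /24 covers every other address on the LAN
    table.add("192.168.1.0", "255.255.255.0")
    seen["both"] = [table.lookup("192.168.1.3"), table.lookup("192.168.1.4")]
    return seen


if __name__ == "__main__":
    for step, result in run_lab().items():
        print(step, result)
```
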

C. QUESTIONS
1. Make a UTP cable to connect PC1 directly to PC2. Remember the formula 1-3 2-6 for making a crossover cable.
2. Read your references, mainly the CCNA Study Guide or related books, and configure your Cisco router, at least the address of Ethernet 0.
3. Log in to your Linux gateway. Use the ip route command to configure the gateway so that your three clients can connect to the router (Cisco) via the gateway. Note that the Cisco router and the three clients are in different networks (/30 and /24).
4. At home, use Boson Network Designer to design a network diagram of the Engineering Faculty, University of Trunojoyo.
Note: You can use Boson Network Designer and Simulator to simulate the problem above, but Boson does not provide a Linux shell. Ask your instructor or network engineer for network devices such as switches, routers, and PCs. These devices are available at LabSI, at least for the first meeting of this lab.

MODULE II CONNECTING TWO LANS USING ROUTER(S)

IV. DESCRIPTION

1. Objectives
- Connect two LANs using a router.
- Set up LAN connections
- Configure Minicom (under Linux) or Hyperterminal (under Windows)
- Assign IP addresses to the router interfaces for network configuration.

2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about user mode, user exec mode, configure terminal, and configure interface. Also, look at how to reset a password.
- What register is used for the default configuration of the router?
- What register is used to bypass this default register?

V. BEGINNING ASSIGNMENT
1. Describe the function of route add and give an example.
2. What is the function of no shutdown in router configuration?
3. Describe the function of ip route and give an example.

VI. PRACTICUM

A. Required Equipment
1. Two established LANs
2. One router, or four routers
3. Cables
All of these are simulated versions, in your Boson software.

B. Procedure (as in Lab 1)
1. Set up LAN connections
a) Set up the physical (number 1) connections for the LANs.
b) Connect the two LANs to the router using the appropriate cable (see Lab 1 for LAN setup).
c) Using the above diagram, configure the routing tables of each host.
For hosts on network 192.168.1.0
    # route add -net 192.168.2.0 netmask 255.255.255.0 \
        gw 192.168.1.254 dev eth0
For hosts on network 192.168.2.0
    # route add -net 192.168.1.0 netmask 255.255.255.0 \
        gw 192.168.2.254 dev eth0
d) On network 192.168.1.0, ping the broadcast address 192.168.1.255 to make sure the hub/switch is working. Repeat the procedure for network 192.168.2.0.
    # ping -c 2 -b 192.168.1.255

Sample Lab B

2. Configure Minicom in Linux; try Hyperterminal on your own. Minicom is used to interface with the router.
a) Verify that minicom has the correct parameters
    # minicom -s
b) Set the default parameters to:
- 9600 baud rate
- no parity
- 8 data bits
- one stop bit
- no flow control
c) Type minicom to establish a connection to the router.
    # minicom
Note that you have to make a rollover cable to connect the serial port of the PC to the console port of the Cisco router.
3. Configure your Cisco router using the simulator. Cisco router references give you the best way to connect to the console, log in and configure your router. If you don't have a book, please read your Boson Network Simulator Help now.
4. Physical setup #2: use your Network Designer first, before the Network Simulator, and set up the physical connections as in the following diagram.

Sample Lab C

5. Configure interfaces on routers.
a) Read about router serial connections to understand the additional configuration parameters.
b) Identify the interfaces as FastEthernet or Serial. If it is a serial interface, identify the DCE end. The show controllers serial command should be helpful. Look this command up.
- What do DCE and DTE stand for? (Data Communication/Terminal Equipment)
- Which end provides the clocking mechanism for the cable? (DCE)
c) To configure the router for the network, you need to add an IP address to each interface of the router.
    Router>en
    Router#config t
    Router(config)#interface fa0/0
    Router(config-if)#ip address xxx.xxx.xxx.xxx <subnet mask here>
    Router(config-if)#no shut

d) What does the no shut command do? (keeps the line logically up even when physically down)
    router1#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    router1(config)#int fa0/0
    router1(config-if)#ip address 192.168.3.254 255.255.255.0
    router1(config-if)#no shut
    router1(config-if)#int fa0/1
    router1(config-if)#ip address 192.168.5.254 255.255.255.0
    router1(config-if)#no shut
    router1(config-if)#int s0/0
    router1(config-if)#ip address 192.168.6.253 255.255.255.0
    router1(config-if)#no shut
    router1(config-if)#keepalive 0
e) Repeat this procedure for every interface on every router. Set the interfaces according to the diagram above.

6. Set up static routes
a) Try to ping network B from network A
b) Why can't the network be reached? (no route through the network)
c) Set up a route through the network following the bi-directional path R4 R5 R9. Note: router 5 needs paths to both networks.
    Router4#sh ip route
    ...
    Gateway of last resort is not set
    C 192.168.4.0/24 is directly connected, Serial0/0
    C 198.162.6.0/24 is directly connected, Serial0/1
    C 192.168.1.0/24 is directly connected, FastEthernet0/0

    Router4#config t
    Router4(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.253
    Router4(config)#^Z
    router2#config t
    router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.9.253
    router2(config)#^Z
    router2#sh ip route
    router2#exit
d) Use traceroute (known as tracert in Windows) to verify the path taken. Redirect the output to a file to turn in.
    tracert 192.168.2.1
e) Set up a more interesting path through the network and use traceroute to turn in a copy of your path.

C. QUESTIONS
1. Returning to the FT Unijoyo network design, configure all routers and PCs, including IP addresses, static routing, the telnet server and the passwords those routers need. Make sure that all routers are online and connected to each other. Use ping and tracert to verify your configuration.
2. The instructor will give some additional assignments and homework.

MODULE III DYNAMIC ROUTING USING RIP, IGRP AND EIGRP

VII. DESCRIPTION

1. Objectives
Objective: Configure RIP, IGRP, and EIGRP on the network
- Delete static routes from the routing table
- Configure dynamic routing protocols, including RIP, IGRP and EIGRP
- Change metrics on routers

2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about static routes, RIP, IGRP, and EIGRP routing and changing router metrics. Also, read the man pages on traceroute.

VIII. BEGINNING ASSESSMENT
1. Describe dynamic routing.
2. Describe RIP and give an example.
3. Describe IGRP and give an example.
4. Describe EIGRP and give an example.

IX. PRACTICUM

A. REQUIRED EQUIPMENT
1. Two established LANs
2. Multiple routers, depending on router specification; check your router list in Boson Network Designer
3. Cables (not used in virtual lab)

B. PROCEDURE (AS IN LAB 2)
Use the diagram of Sample Lab C in Lab 2 to do the exercises in this lab session.
1. Delete Static Routes
a) Check the routing table to determine which routes are static.
b) Before activating a dynamic routing protocol, remove static routes from the routing table. Explain why this is or isn't necessary.
c) Using the ip route command, individually remove all static routes at each router. This procedure must be done in configuration mode.
    router> enable
    router# config t
    router(config)# no ip route [destination] [netmask] [next hop router]
d) Verify that static routes have been removed from the routing table and repeat the procedure for each router.
    Router4#sh ip route
    C 192.168.4.0/24 is directly connected, Serial0/0
    C 198.162.6.0/24 is directly connected, Serial0/1
    C 192.168.1.0/24 is directly connected, FastEthernet0/0
    S 192.168.2.0/24 [1/0] via 192.168.4.253

    Router4#config t
    Router4(config)#no ip route 192.168.2.0 255.255.255.0
    Router4(config)#^Z
    Router4#sh ip route
    ...
    Router5#config t
    Router5(config)#no ip route 192.168.2.0 255.255.255.0
    Router5(config)#no ip route 192.168.1.0 255.255.255.0
    Router5(config)#^Z
    router2#config t
    router2(config)#no ip route 192.168.1.0 255.255.255.0
    router2(config)#^Z
    router2#sh ip route

e) Have LAN 1 ping LAN 2. Explain the results.

2. Configure dynamic routing protocol (RIP)
a) What type of protocol is RIP? Why is it considered a "chatty" protocol?
b) What routing problems occur using RIP? How can the problems be solved?
c) Enter the routing protocol configuration mode
    router> enable
    router# config t
    router(config)# router rip
    router(config-router)#
d) Enter the networks that the router should advertise
    router(config-router)#network xxx.xxx.xxx.0
e) Verify which networks are being advertised by looking at the router configuration file.
    router# show running-config
    ...
    !
    router rip
     network 192.168.1.0
     network 192.168.4.0
     network 192.168.6.0
    ...
    Router4#config t
    Router4(config)#router rip
    Router4(config-router)#redistribute connected
    Router4(config-router)#network 192.168.4.0
    Router4(config-router)#network 192.168.6.0
    Router4(config-router)#network 192.168.1.0
    Router4(config-router)#^Z
    Router4#show run
f) View the routing table for each router and verify RIP is working.
    Router4#sh ip route
g) Explain what is meant by advertising a network, and why it is important.
h) The two LANs should be able to communicate. From LAN A use traceroute to see which routers are forwarding the messages.
    lanA# tracert 192.168.2.1
i) Why do the messages follow the route shown in the previous step?

3. Change metrics on routers
a) Review the offset-list command and identify each parameter.
b) How does changing the metric at a router change the route through the network? (routers have different distances in which case there might be a shorter path)
c) Add offset metrics to the router closest to each LAN to force the protocol to find a different route from the one determined in part 2-h.
    router1(config-router)# offset-list 0 out 16 s0/0
d)
    Router4#config t
    Router4(config)#router rip
    Router4(config-router)#offset-list 0 out 5 s0/0
    Router4(config-router)#^Z
e) What exactly do the previous commands do? (updates to the interface are offset by the given value so the corresponding interface thinks the distance is further than it really is)
f) Verify the offsets by looking at the configuration file.
    router# show running-config
    ...
    !
    router rip
     offset-list 0 out 16 Serial0/0
     offset-list 0 out 5 FastEthernet0/1
     network 192.168.1.0
     network 192.168.4.0
    ...
g) Run traceroute on network A and network B to view the route A takes to B and B takes to A. Are the routes different? Why/Why not? (The routes should be different since router 5 thinks it takes router 4 5 hops to get to LAN A but router 1 can get there in 1 hop. The messages going out of router 4 are only affected in that the responses will take the different route.)

C. QUESTIONS
5. With the FT Unijoyo network design, delete all static routing and apply the RIP routing protocol on your routers so that all devices can reach the other devices. Use ping, tracert, sh ip route and related commands to check your network configuration. Don't forget to disconnect a channel or line and see which new routes the data takes when one host sends packets to another.
6. Try to implement the IGRP and EIGRP routing protocols for the network designs of Sample Lab B, Sample Lab C and the FT Unijoyo network. Note: You have to understand the RIP, IGRP and EIGRP routing protocols and their configuration before doing this lab; make sure you have read the references before coming to LabSI.
7. Instructor's assignments (please!)

MODULE IV DYNAMIC ROUTING USING OSPF

X. DESCRIPTION

1. Objective
Objective: Configure OSPF on the network
- Understand the concepts of the OSPF routing protocol
- Configure a dynamic routing protocol using OSPF
- Finally, you will see that networking is not easy: it is not just cabling and IP addresses, after which all devices work the way you imagine. Networking needs skill and more skill, and hard study.

2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about dynamic routing with OSPF. You can read the following tutorial to understand OSPF; we downloaded it from the Cisco website.

OSPF configuration includes only a few required steps, but it has many optional steps. After an OSPF design has been chosen (a task that may be complex in larger IP internetworks), the configuration may be as simple as enabling OSPF on each router interface and placing that interface in the correct OSPF area. This section shows a simple configuration example of a single-area OSPF internetwork. For reference, the following list outlines the configuration steps as well as a brief reference to the required commands:

Step 1: Enter OSPF configuration mode for a particular OSPF process using the router ospf process-id global command.
Step 2 (Optional): Configure the OSPF router ID by:
  a. Configuring the router-id id-value router subcommand.
  b. Configuring an IP address on a loopback interface.
Step 3: Configure one or more network ip-address wildcard-mask area area-id router subcommands, with any matched interfaces being added to the listed area.
Step 4 (Optional): Change the interface Hello and Dead intervals using the ip ospf hello-interval time and ip ospf dead-interval time interface subcommands.
Step 5 (Optional): Impact routing choices by tuning interface costs as follows:
  c. Configure costs directly using the ip ospf cost value interface subcommand.
  d. Change interface bandwidths using the bandwidth value interface subcommand.
  e. Change the numerator in the formula to calculate the cost based on the interface bandwidth, using the auto-cost reference-bandwidth value router subcommand.
Step 6 (Optional): Configure OSPF authentication:
  f. On a per-interface basis using the ip ospf authentication interface subcommand.
  g. For all interfaces in an area using the area authentication router subcommand.
Step 7 (Optional): Configure support for multiple equal-cost routes using the maximum-paths number router subcommand.

OSPF Single-Area Configuration
OSPF configuration differs only slightly from RIP configuration when a single OSPF area is used. The best way to describe the configuration, and the differences from the configuration of the other routing protocols, is to use an example. The following figure shows a sample network, and the code shows the configuration on Albuquerque.

    interface ethernet 0/0
     ip address 10.1.1.1 255.255.255.0
    interface serial 0/0
     ip address 10.1.4.1 255.255.255.0
    interface serial 0/1
     ip address 10.1.6.1 255.255.255.0
    !
    router ospf 1
     network 10.0.0.0 0.255.255.255 area 0

The configuration correctly enables OSPF on all three interfaces on Albuquerque. First, the router ospf 1 global command puts the user in OSPF configuration mode. The router ospf command has a parameter called the OSPF process-id. In some instances, you might want to run multiple OSPF processes in a single router, so the router command uses the process-id to distinguish between the processes. The process-id does not have to match on each router, and it can be any integer between 1 and 65,535.

The network command tells a router to enable OSPF on each matched interface, discover neighbors on that interface, assign the interface to that area, and advertise the subnet connected to each interface. In this case, the network 10.0.0.0 0.255.255.255 area 0 command matches all three of Albuquerque's interfaces because the OSPF network command matches interfaces using an address and a wildcard-style mask like those used with IP ACLs. The wildcard mask shown in the example above is 0.255.255.255, with address 10.0.0.0. This combination matches all addresses that begin with 10 in the first octet. So, this one network command matches all three of Albuquerque's interfaces, puts them in Area 0, and causes Albuquerque to try to discover neighbors on those interfaces. It also causes Albuquerque to advertise the three connected subnets.

The next example shows an alternative configuration for Albuquerque that also enables OSPF on every interface. In this case, the IP address for each interface is matched with a different network command. The wildcard mask of 0.0.0.0 means that all 32 bits must be compared, and they must match, so the network commands include the specific IP address of each interface, respectively. Many people prefer this style of configuration in production networks, because it removes any ambiguity about the interfaces on which OSPF is running.

    interface ethernet 0/0
     ip address 10.1.1.1 255.255.255.0
    interface serial 0/0
     ip address 10.1.4.1 255.255.255.0
    interface serial 0/1
     ip address 10.1.6.1 255.255.255.0
    !
    router ospf 1
     network 10.1.1.1 0.0.0.0 area 0
     network 10.1.4.1 0.0.0.0 area 0
     network 10.1.6.1 0.0.0.0 area 0
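The interface matching described above can be checked mechanically. The following is an added example, not part of the original module or of the Cisco tutorial: it parses the two Albuquerque configurations and lists the interfaces that each set of network statements enables. The extra interface ethernet 0/1 with address 10.1.9.1 is a constructed assumption, used to show the ambiguity that the exact-match style removes.

```python
import ipaddress

# The two Albuquerque configurations from the text above.
INTERFACES = """\
interface ethernet 0/0
 ip address 10.1.1.1 255.255.255.0
interface serial 0/0
 ip address 10.1.4.1 255.255.255.0
interface serial 0/1
 ip address 10.1.6.1 255.255.255.0
!
"""
BROAD = INTERFACES + """\
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""
EXACT = INTERFACES + """\
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.1.4.1 0.0.0.0 area 0
 network 10.1.6.1 0.0.0.0 area 0
"""
# Constructed: an interface added later, for example a user-facing LAN.
NEW_IF = "interface ethernet 0/1\n ip address 10.1.9.1 255.255.255.0\n"


def wild_match(addr, base, wildcard):
    """Compare only the bits where the wildcard mask is 0."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse(config):
    """Return ({interface: address}, [(base, wildcard, area), ...])."""
    interfaces, networks, current = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            current = " ".join(tok[1:])
        elif tok[:1] == ["router"]:
            current = None
        elif tok[:2] == ["ip", "address"] and current:
            interfaces[current] = tok[2]
        elif tok[:1] == ["network"] and "area" in tok:
            networks.append((tok[1], tok[2], tok[tok.index("area") + 1]))
    return interfaces, networks


def ospf_interfaces(config):
    """Map each interface that a network statement matches to its area.

    The statements on this page do not overlap, so the first listed match
    is used; overlapping statements are outside this example.
    """
    interfaces, networks = parse(config)
    enabled = {}
    for name, addr in interfaces.items():
        for base, wildcard, area in networks:
            if wild_match(addr, base, wildcard):
                enabled[name] = area
                break
    return enabled


if __name__ == "__main__":
    print("broad:", ospf_interfaces(NEW_IF + BROAD))
    print("exact:", ospf_interfaces(NEW_IF + EXACT))
```

With the broad statement, the new interface starts running OSPF without any change to the router ospf section; with the exact statements it stays out until a network command is added for it.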

XI. BEGINNING ASSESSMENT
1. Describe dynamic routing using OSPF.
2. Give an example of a command used in dynamic routing with OSPF and explain it.

XII. PRACTICUM

A. REQUIRED EQUIPMENT
3. Two established LANs
4. Multiple routers, depending on router specification; check your router list in Boson Network Designer
5. Cables (not used in virtual lab)

B. PROCEDURE (AS IN LAB 3)

C. QUESTIONS
6. Delete the previous routing protocol configuration; use sh ip ro to see the active routes installed in the router.
7. Use the design of Sample Lab C and try to configure all routers using the OSPF routing protocol.
8. With the FT Unijoyo network design, add the OSPF routing protocol on all Lab routers to connect them to each other. Don't give OSPF to the FT router. Use ping and tracert to check your configuration.
9. Instructor's assignments.

MODULE V AND VI NAT and ACLs

XIII. DESCRIPTION

1. Objectives
Objective: Configure OSPF on the network
- Understand the concepts of Network Address Translation (NAT) and access lists (ACLs)
- Configure ACLs and NAT at the gateway or router so that a client's IP address is translated to a particular IP address, or so that clients with private IP addresses can connect to the Internet using the public IP address on the gateway.

2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about ACLs and NAT. Alternatively, you can read the following tutorials, which we downloaded from the Cisco website.

Standard IP Access List
ACL configuration tends to be simpler than the task of interpreting the meaning and actions taken by an ACL. To that end, this section presents a plan of attack for configuring ACLs. Then it shows a couple of examples that review both the configuration and the concepts implemented by those ACLs. The generic syntax of the standard ACL configuration command is

    access-list access-list-number {deny | permit} source [source-wildcard]

A standard access list uses a series of access-list commands that have the same number. The access-list commands with the same number are considered to be in the same list, with the commands being listed in the same order in which they were added to the configuration. Each access-list command can match a range of source IP addresses. If a match occurs, the ACL either allows the packet to keep going (permit action) or discards the packet (deny action). Each standard ACL can match all, or only part, of the packet's source IP address. Note that for standard IP ACLs, the number range for ACLs is 1 to 99 and 1300 to 1999.

Step 1: Plan the location (router and interface) and direction (in or out) on that interface:
  a. Standard ACLs should be placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded.
  b. Because standard ACLs can only match a packet's source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
Step 2: Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
  a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
  b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
Step 3: Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.

The example below attempts to stop Bob's traffic to Server 1. As shown in the figure, Bob is not allowed to access Server 1. The configuration enables an ACL for all packets going out R1's Ethernet0 interface. The ACL matches the source address in the packet, which is Bob's IP address. Note that the access-list commands are at the bottom of the example because the show running-config command also lists them near the bottom, after the interface configuration commands.

    interface Ethernet0
     ip address 172.16.1.1 255.255.255.0
     ip access-group 1 out
    !
    access-list 1 remark stop all traffic whose source IP is Bob
    access-list 1 deny 172.16.3.10 0.0.0.0
    access-list 1 permit 0.0.0.0 255.255.255.255

First, focus on the basic syntax of the commands. Standard IP access lists use a number in the range of 1 to 99 or 1300 to 1999. This example uses ACL number 1 versus the other available numbers for no particular reason. The access-list commands, under which the matching and action logic are defined, are global configuration commands. To enable the ACL on an interface and define the direction of packets to which the ACL is applied, the ip access-group command is used. In this case, it enables the logic for ACL 1 on Ethernet0 for packets going out the interface.

ACL 1 keeps packets sent by Bob from exiting R1's Ethernet interface, based on the matching logic of the access-list 1 deny 172.16.3.10 0.0.0.0 command. The wildcard mask of 0.0.0.0 means "match all 32 bits," so only packets whose IP address exactly matches 172.16.3.10 match this statement and are discarded. The access-list 1 permit 0.0.0.0 255.255.255.255 command, the last statement in the list, matches all packets, because the wildcard mask of 255.255.255.255 means "don't care" about all 32 bits. In other words, the statement matches all IP source addresses. These packets are permitted.

The command access-list 1 remark allows the addition of a text comment, or remark, so that you can track the purpose of the ACL. The remark only shows up in the configuration; it is not listed in show command output.

LABORATORIUM JARINGAN KOMPUTER JURUSAN TEKNIK ELEKTRO - INFORMATIKA FAKULTAS TEKNIK UNIVERSITAS ISLAM MALANG 2009–2010 Extended IP Access Lists This example focuses on understanding the basic syntax. In this case, Bob is denied access to all FTP servers on R1 ’s Ethernet, and Larry is denied access to Server1 ’s web server. interface Serial0 ip address 172.16.12.1 255.255.255.0 ip access-group 101 in ! interface Serial1 ip address 172.16.13.1 255.255.255.0 ip access-group 101 in ! access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www access-list 101 permit ip any any

The first ACL statement prevents Bob’s access to FTP servers in subnet 172.16.1.0. The second statement prevents Larry’s access to web services on Server1. The final statement permits all other traffic. Following the permit or deny action, the protocol parameter defines whether you want to check for all IP packets or just those with TCP or UDP headers. When you check for TCP or UDP port numbers, you must specify the TCP or UDP protocol. This example uses the eq parameter, meaning “equals,” to check the destination port numbers for FTP control (keyword ftp) and HTTP traffic (keyword www). You can use the numeric values or, for the more popular options, the more obvious text version. (If you were to enter eq 80, the config would show eq www.)

In this first extended ACL example, the access lists could have been placed on R2 and R3 instead of on R1. As you will read near the end of this chapter, Cisco makes some specific recommendations about where to locate IP ACLs. With extended IP ACLs, Cisco suggests that you locate them as close as possible to the source of the packet.

interface Ethernet0
 ip address 172.16.3.1 255.255.255.0
 ip access-group 101 in
access-list 101 remark deny Bob to FTP servers in subnet 172.16.1.0/24
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 permit ip any any

ACL 101 looks a lot like ACL 101 from the previous example, but this time, the ACL does not bother to check for the criteria to match Larry’s traffic, because Larry’s traffic will never enter R3’s Ethernet 0 interface. Because the ACL has been placed on R3, near Bob, it watches for packets Bob sends that enter its Ethernet0 interface. Because of the ACL, Bob’s FTP traffic to 172.16.1.0/24 is denied, with all other traffic entering R3’s E0 interface making it into the network. This example does not show any logic for stopping Larry’s traffic.
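The first-match logic of the three ACL 101 statements configured on R1, including the wildcard-mask comparison and the implicit deny that ends every IOS ACL, can be checked with a small evaluator. This is an added Python example, not part of the original module or of IOS; the function names parse and evaluate are assumptions, and the parser handles only the statement forms used on this page.

```python
import ipaddress

PORTS = {"ftp": 21, "www": 80}      # port keywords used by the ACL on this page

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))

def parse(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]'."""
    tok = line.split()[2:]          # drop 'access-list' and the ACL number
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    port = None
    if tok and tok[0] == "eq":
        port = PORTS.get(tok[1]) or int(tok[1])
    return action, proto, src, dst, port

def _match(addr, spec):
    base, wild = spec
    # A wildcard bit of 1 means "don't care"; only the 0 bits are compared.
    return (_ip(addr) & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if not (_match(src, a_src) and _match(dst, a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"

# ACL 101 as configured on R1 in the example above (remark line left out).
ACL_101 = [parse(l) for l in (
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 101 permit ip any any",
)]
```

Calling evaluate(ACL_101, "tcp", "172.16.3.10", "172.16.1.100", 21) returns "deny" for Bob's FTP control connection, while the same packet to port 20 returns "permit", because eq ftp matches only port 21. Dropping the final permit statement makes every unmatched packet fall to the implicit deny.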

Static NAT Configuration

Static NAT configuration, as compared to the other variations of NAT, requires the fewest configuration steps. Each static mapping between a local (private) address and a global (public) address must be configured. Additionally, the router must be told on which interfaces it should use NAT, because NAT does not have to be enabled on every interface.

Step 1

Configure interfaces to be in the inside part of the NAT design using the ip nat inside interface subcommand.

Step 2

Configure interfaces to be in the outside part of the NAT design using the ip nat outside interface subcommand.

Step 3

Configure the static mappings with the ip nat inside source static inside-local inside-global global configuration command.

In the figure, you can see that FredsCo has obtained Class C network 200.1.1.0 as a registered network number. That entire network, with mask 255.255.255.0, is configured on the serial link between FredsCo and the Internet. With a point-to-point serial link, only two of the 254 valid IP addresses in that network are consumed, leaving 252 addresses.

When planning a NAT configuration, you must find some IP addresses to use as inside global IP addresses. Because these addresses must be part of some registered IP address range, it is common to use the extra addresses in the subnet connecting the enterprise to the Internet—for example, the extra 252 IP addresses in network 200.1.1.0 in this case. The router can also be configured with a loopback interface and assigned an IP address that is part of a globally unique range of registered IP addresses. The following example lists the NAT configuration, using 200.1.1.1 and 200.1.1.2 for the two static NAT mappings.

NAT# show running-config
!
! Lines omitted for brevity
!
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1
NAT# show ip nat translations
NAT# show ip nat statistics

The static mappings are created using the ip nat inside source static command. The inside keyword means that NAT translates addresses for hosts on the inside part of the network. The source keyword means that NAT translates the source IP address of packets coming into its inside interfaces. The static keyword means that the parameters define a static entry, which should never be removed from the NAT table because of timeout. Because the design calls for two hosts, 10.1.1.1 and 10.1.1.2, to have Internet access, two ip nat inside commands are needed. After creating the static NAT entries, the router needs to know which interfaces are “inside” and which are “outside.” The ip nat inside and ip nat outside interface subcommands identify each interface appropriately.

Dynamic NAT Configuration

As you might imagine, dynamic NAT configuration differs in some ways from static NAT, but it has some similarities as well. Dynamic NAT still requires that each interface be identified as either an inside or outside interface, and of course static mapping is no longer required. Dynamic NAT uses an access control list (ACL) to identify which inside local (private) IP addresses need to have their addresses translated, and it defines a pool of registered public IP addresses to allocate.

Step 1

As with static NAT, configure interfaces to be in the inside part of the NAT design using the ip nat inside interface subcommand.

Step 2

As with static NAT, configure interfaces to be in the outside part of the NAT design using the ip nat outside interface subcommand.

Step 3

Configure an ACL that matches the packets coming in inside interfaces for which NAT should be performed.

Step 4

Configure the pool of public registered IP addresses using the ip nat pool name first-address last-address netmask subnet-mask global configuration command.

Step 5

Enable dynamic NAT by referencing the ACL (Step 3) and pool (Step 4) with the ip nat inside source list acl-number pool pool-name global configuration command.

The next example uses the same network topology as the previous example. In this case, the same two inside local addresses, 10.1.1.1 and 10.1.1.2, need translation. The same inside global addresses used in the static mappings in the previous example, 200.1.1.1 and 200.1.1.2, are instead placed in a pool of dynamically assignable inside global addresses.

NAT# show running-config
!
! Lines omitted for brevity
!
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
ip nat pool fred 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool fred
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1

The configuration for dynamic NAT includes a pool of inside global addresses as well as an IP access list to define the inside local addresses for which NAT is performed. The ip nat pool command lists the first and last numbers in a range of inside global addresses. For example, if the pool needed ten addresses, the command might have listed 200.1.1.1 and 200.1.1.10. The required netmask parameter performs a kind of verification check on the range of addresses. If the address range would not be in the same subnet assuming the configured netmask was used, then IOS will reject the ip nat pool command. In this case, subnet 200.1.1.0, mask 255.255.255.252 (the configured netmask) would include 200.1.1.1 and 200.1.1.2 in the range of valid addresses, so IOS accepts this command. Like static NAT, dynamic NAT uses the ip nat inside source command. Unlike static NAT, the dynamic NAT version of this command refers to the name of the NAT pool it wants to use for inside global addresses—in this case, fred. It also refers to an IP ACL, which defines the matching logic for inside local IP addresses. The ip nat inside source list 1 pool fred command maps between hosts matched by ACL 1 and the pool called fred, which was created by the ip nat pool fred command.

NAT Overload (PAT) Configuration

NAT overload, as mentioned earlier, allows NAT to support many inside local IP addresses with only one or a few inside global IP addresses. By essentially translating the private IP address and port number to a single inside global address, but with a unique port number, NAT can support many (over 65,000) private hosts with only a single public, global address.

Two variations of PAT configuration exist in IOS. If PAT uses a pool of inside global addresses, the configuration looks exactly like dynamic NAT, except the ip nat inside source list global command has an overload keyword added to the end. If PAT just needs to use one inside global IP address, PAT can use one of its interface IP addresses. Because NAT can support over 65,000 concurrent flows with a single inside global address, a single public IP address can support an entire organization’s NAT needs.

Use the same steps for configuring dynamic NAT, as outlined in the previous section, but include the overload keyword at the end of the ip nat inside source list global command. The following checklist details the configuration when using an interface IP address as the sole inside global IP address:

Step 1

As with dynamic and static NAT, configure inside interfaces with the ip nat inside interface subcommand.

Step 2

As with dynamic and static NAT, configure outside interfaces with the ip nat outside interface subcommand.

Step 3

As with dynamic NAT, configure an ACL that matches the packets coming in inside interfaces.

Step 4

Configure the ip nat inside source list acl-number interface interface-name/number overload global configuration command, referring to the ACL created in Step 3 and to the interface whose IP address will be used for translations.

The previous example shows a dynamic NAT configuration. To convert it to a PAT configuration, the ip nat inside source list 1 pool fred overload command would be used instead, simply adding the overload keyword. The next example shows PAT configuration using a single interface IP address.

The figure above shows the same familiar network, with a few changes. In this case, the ISP has given FredsCo a subset of network 200.1.1.0: CIDR subnet 200.1.1.248/30. In other words, this subnet has two usable addresses: 200.1.1.249 and 200.1.1.250. These addresses are used on either end of the serial link between FredsCo and its ISP. The NAT feature on FredsCo’s router translates all NAT addresses to its serial IP address, 200.1.1.249.

In the example, which shows the NAT overload configuration, NAT translates using inside global address 200.1.1.249 only, so the NAT pool is not required. In the example, as implied in Figure 16-10, host 10.1.1.1 creates two Telnet connections, and host 10.1.1.2 creates one Telnet connection, causing three dynamic NAT entries, each using inside global address 200.1.1.249, but each with a unique port number.

NAT# show running-config
!
! Lines Omitted for Brevity
!
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 200.1.1.249 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface Serial0/0 overload
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1
!
NAT# show ip nat translations
NAT# show ip nat statistics

The ip nat inside source list 1 interface serial 0/0 overload command has several parameters, but if you understand the dynamic NAT configuration, the new parameters shouldn’t be too hard to grasp. The list 1 parameter means the same thing as it does for dynamic NAT: Inside local IP addresses matching ACL 1 have their addresses translated. The interface serial 0/0 parameter means that the only inside global IP address available is the IP address of the NAT router’s interface serial 0/0. Finally, the overload parameter means that overload is enabled. Without this parameter, the router does not perform overload, just dynamic NAT.
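The address handling described in the dynamic NAT and PAT sections above (the ip nat pool netmask check, one-to-one allocation from pool fred, and port-based sharing of 200.1.1.249 with overload) can be modelled in a few lines. This is an added Python example, not IOS code or part of the original module; the names pool_addresses and Nat, the sequential port numbering starting at 1024, and keying entries only on inside address and port are simplifying assumptions.

```python
import ipaddress

def pool_addresses(first, last, netmask):
    """The 'ip nat pool' check described on the page: both ends of the
    range must sit in one subnet under the configured netmask."""
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo or hi not in net:
        raise ValueError(f"{first}-{last} is not one subnet under {netmask}")
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]

class Nat:
    """Simplified model of 'ip nat inside source list N ... [overload]'."""

    def __init__(self, acl_hosts, inside_global, overload=False):
        self.acl = set(acl_hosts)           # hosts permitted by the NAT ACL
        self.globals = list(inside_global)  # pool, or the one interface address
        self.overload = overload
        self.table = {}                     # inside key -> (global addr, port)
        self.next_port = 1024               # assumption: sequential allocation

    def outbound(self, src, sport):
        """Translate a packet entering an inside interface; None = no entry."""
        if src not in self.acl:
            return None                     # not matched by the ACL
        key = (src, sport) if self.overload else src
        if key not in self.table:
            if self.overload:               # PAT: shared address, unique port
                self.table[key] = (self.globals[0], self.next_port)
                self.next_port += 1
            else:                           # dynamic NAT: one address per host
                used = {addr for addr, _ in self.table.values()}
                free = [a for a in self.globals if a not in used]
                if not free:
                    return None             # pool exhausted
                self.table[key] = (free[0], None)
        addr, port = self.table[key]
        return addr, (port if self.overload else sport)

    def inbound(self, addr, port):
        """Reverse lookup for a packet entering the outside interface."""
        for key, (g_addr, g_port) in self.table.items():
            if g_addr == addr and (not self.overload or g_port == port):
                return key if self.overload else (key, port)
        return None                         # no matching translation entry
```

With Nat(["10.1.1.1", "10.1.1.2"], ["200.1.1.249"], overload=True), outbound("10.1.1.1", 3212) returns ("200.1.1.249", 1024), and a second inside host using the same source port 3212 is given a different outside port. An inbound packet to a port with no table entry returns None, since no inside host corresponds to it.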

XIV. BEGINNING ASSESSMENT
1. Describe NAT.
2. Describe ACL.
3. Give examples of NAT and ACL commands and explain them.

XV. PRACTICUM
A. REQUIRED EQUIPMENT
4. Two established LANs
5. Multiple routers, depending on router specification; check your router list in Boson Network Designer
6. Cables (not used in virtual lab)

B. PROCEDURE LIKE IN LAB 3
i. QUESTION

10. Using the sample design of sample lab A, try to connect some clients to the Cisco router using NAT. Make sure you have terminated routing protocols first.
11. Using sample lab B, configure your router so network A can connect to network B via NAT. Then add some lines so that only the PCs with IP addresses 192.168.1.2 and 192.168.1.3 can access network B; the PC with IP address 192.168.1.1 is blocked.
12. Using the FT Unijoyo network design, write some lines so that all computers connect to the Internet via the FT router using public IP address 200.20.20.20/28.
13. Configure the FT router so that only computers in LabSI and LabJarkom can connect to the Internet. Block LabD3 and LabProg, for this example case only.
14. Instructor’s assignments ☺
