MODULE
COMPUTER NETWORKS PRACTICUM, COMPUTER NETWORKS LABORATORY
FACULTY OF ELECTRICAL ENGINEERING - UNISMA
By:
Approved: ...... / ....... / ................ , Malang
COMPUTER NETWORKS LABORATORY, DEPARTMENT OF
ELECTRICAL ENGINEERING - INFORMATICS, FACULTY OF ENGINEERING, UNIVERSITAS ISLAM MALANG
2009
NAME
STUDENT ID (NRP)
LAB ASSISTANT
DEPARTMENT
GROUP SB1
COMPUTER NETWORKS LABORATORY, DEPARTMENT OF ELECTRICAL ENGINEERING - INFORMATICS
FACULTY OF ENGINEERING, UNIVERSITAS ISLAM MALANG 2009–2010
ACTIVITY REPORT
Practicum title: ......................................................................
Group name: ......................................................................
Practicum description:
......................................................................
1. Tools and Materials
2. Work Steps
3. Analysis
4. Conclusion
5. Suggestions
Acknowledged by the practicum assistant
Malang, ..........................................
( )
MODUL I
ESTABLISHING A LOCAL AREA NETWORK
I. DESCRIPTION (MATERI)
1. Objectives
To establish a Local Area Network consisting of three personal computers running the
Linux operating system, and a hub.
- Physically connect computers (cabling)
- Configure IP addresses using ifconfig
- Manipulate routing table using route
2. Background Reading
Knowledge of network addressing standards and Linux system administration relating
to Local Area Networks is necessary for this lab. Online Linux documentation can be
found at www.tldp.org; there are also other web sites such as ilmukomuter.com,
tebarilmu.org and linux.or.id. Specifically, read the man pages on ifconfig, route,
traceroute and chkconfig. For information about network cabling and addressing,
Implementasi Jaringan Komputer dengan Linux Red Hat by Husni, Andi Publisher, is
recommended. If you have enough time, reading a CCNA (Cisco Certified
Network Associate) Exam Guide is even better.
II. BEGINNING ASSIGNMENT (TUGAS PENDAHULUAN)
1. What do you know about LANs?
2. List and describe the components of a LAN.
III. PRACTICUM (PRAKTIKUM)
A. Required Equipment (Alat dan Bahan)
1. Four PCs (with Linux OS), including the gateway PC. At LabSI, there are 12 PCs, so you can
divide your class into 3 groups.
2. PCs should be equipped with Network Interface Cards (three PCs with one card each, but the gateway
PC must have 2 Ethernet cards)
3. One switch
4. One Router with Ethernet interface
5. Cables (UTP Cat 5e or 6)
B. PROCEDURE (Langkah-langkah praktikum)
1. Setup a physical LAN
a) First, determine which cables are necessary for the available hardware
b) Insert one end of the cable into the Switch and the other end of the cable into the host
computer.
c) Connect all host computers to the Switch as in the figure below
Sample Lab A
2. Host set-up (e.g. IP address and netmask) using ifconfig
a) In this part of the lab, ifconfig is used to configure network interface devices. This includes adding the IP address and the netmask for the host.
b) Boot each host machine and log on with your user-name.
c) Open a new terminal on each host and log on as root.
$ su -
# password
d) Check network interface settings using ifconfig
# ifconfig -a
e) Verify that eth0 exists on each host by checking the output from above
f) Set the ethernet interface at each host using ifconfig
This will assign an IP address and network mask to the host. The following is a sample.
For host 1:
# ifconfig eth0 192.168.1.1 netmask 255.255.255.0
g) Verify communication among the machines by using the ping command.
On host 1 ping the other two hosts.
# ping 192.168.1.2
------- output ----
# ping 192.168.1.3
------- output ----
On host A run traceroute to the other hosts
# traceroute 192.168.1.2
------- output ----
# traceroute 192.168.1.3
------- output ----
h) Changes using ifconfig at this point are not permanent and will be lost on reboot. To make
the configuration effective on reboot you need to edit the file
/etc/sysconfig/network-scripts/ifcfg-eth0 to have the following settings.
# contents of ifcfg-eth0
DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
BOOTPROTO=none
i) Check that the network script has been added to the default init levels.
# chkconfig --list
j) If the network script is not on, add it using chkconfig. This command adds the network
script to the current run level.
# chkconfig --add network
3. Manipulate routing tables using route
a) The route command is used to look at the host's routing table and can be used to add or
delete routes from the table. It has the following syntax:
route add|del -net|-host target [gateway] [metric] [device]
route manipulates the kernel's IP routing table. Its primary use is to set up static routes to
specific hosts or networks via an interface after it has been configured with the ifconfig
command. The command route with no arguments displays the routing table.
b) After the steps from part 2 the route to the network 192.168.1.0 will be in the routing
table. Verify the network is in the routing table using the route command.
# route
c) To illustrate the use and functionality of the command route, we will delete an entry and
add an entry to the table. Delete the network 192.168.1.0 using the route command.
# route del -net 192.168.1.0 netmask 255.255.255.0
d) Check the routing table and verify that the network has been removed from the routing
table.
# route
e) Verify the deleted network is no longer reachable.
# ping 192.168.1.3
f) Add individual hosts to the routing table to allow communication.
# route add -host 192.168.1.2 dev eth0
# route add -host 192.168.1.3 dev eth0
g) Verify these hosts are in the routing table.
# route
h) Use the ping command to verify communication among the machines has been restored.
# ping 192.168.1.2
# ping 192.168.1.3
i) Notice the machines were reachable when either the network or the individual host was in
the routing table. Note also that the exercise manipulating the routing table was
unnecessary since the ifconfig command places the network in the routing table for us.
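The lookup behind steps b) to i), as an added example that is not part of the original module: a Python model of the host routing table that replays the route commands on host 1 and selects the most specific matching route. The class, function and key names are hypothetical, and 192.168.1.4 is a constructed address used to show what a host-route-only table cannot reach.

```python
import ipaddress


class RoutingTable:
    """Toy model of a host routing table (destination prefix -> interface).

    Added illustration; the class and method names are not from the lab sheet.
    """

    def __init__(self):
        self.routes = []  # list of (IPv4Network, device)

    def add(self, target, netmask, dev):
        # Mirrors: route add -net|-host <target> netmask <netmask> dev <dev>
        net = ipaddress.ip_network(f"{target}/{netmask}")
        self.routes.append((net, dev))

    def delete(self, target, netmask):
        # Mirrors: route del -net <target> netmask <netmask>
        net = ipaddress.ip_network(f"{target}/{netmask}")
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dest):
        """Return 'prefix dev X' for the most specific matching route, else None."""
        addr = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None  # the kernel would answer "Network is unreachable"
        net, dev = max(matches, key=lambda r: r[0].prefixlen)
        return f"{net} dev {dev}"


HOST = "255.255.255.255"  # netmask of a host route (-host)
LAN = "255.255.255.0"     # netmask used throughout the lab


def run_lab():
    """Replay steps b) to h) on host 1 and record each lookup result."""
    table, seen = RoutingTable(), {}
    table.add("192.168.1.0", LAN, "eth0")        # installed by ifconfig in part 2
    seen["b"] = table.lookup("192.168.1.3")      # step b: network route present
    table.delete("192.168.1.0", LAN)             # step c
    seen["e"] = table.lookup("192.168.1.3")      # step e: no route, ping fails
    table.add("192.168.1.2", HOST, "eth0")       # step f
    table.add("192.168.1.3", HOST, "eth0")
    seen["h"] = table.lookup("192.168.1.3")      # step h: ping works again
    seen["other"] = table.lookup("192.168.1.4")  # constructed: no host route for .4
    table.add("192.168.1.0", LAN, "eth0")        # network route put back
    seen["both"] = table.lookup("192.168.1.3")   # host route wins (longest prefix)
    seen["other_after"] = table.lookup("192.168.1.4")
    return seen


if __name__ == "__main__":
    for step, result in run_lab().items():
        print(step, "->", result or "unreachable")
```

With only the two host routes installed, any other address on the LAN stays unreachable, which is the practical difference between step f) and the network route that ifconfig adds.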
C. QUESTION (PERTANYAAN)
1. Make a UTP cable to connect PC1 directly to PC2. You have to remember the formula 1-3
2-6 to make a crossover cable.
2. Read your references, mainly CCNA Study Guide or related books, and configure your
Cisco Router, at least the address of Ethernet 0.
3. Please log in to your Linux gateway. Use the command ip route to configure the gateway,
so your three clients can connect to the Router (Cisco) via the Gateway. Note that the Cisco Router
and the three clients are in different networks (/30 and /24).
4. At home, use your Boson Network Designer to design a network diagram of the Engineering
Faculty, University of Trunojoyo.
Note: You can use your Boson Network Designer and Simulator to simulate the above problem, but
Boson does not provide a Linux shell. Ask your Instructor or Network Engineer to get
network devices like switch, router, and PCs. These devices are available at LabSI, at least for the
first meeting of this lab.
MODUL II
CONNECTING TWO LANS USING ROUTER(S)
IV. DESCRIPTION (MATERI)
1. Objectives
Connect two LANs using a router.
- Setup LAN connections
- Configure Minicom (under Linux) or Hyperterminal (under Windows)
- Assign IP addresses to the router interfaces for network configuration.
2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about user mode, user
exec mode, configure terminal, and configure interface. Also, look at how to reset a password.
What register is used for the default configuration of the router?
What register is used to bypass this default register?
V. BEGINNING ASSIGNMENT (TUGAS PENDAHULUAN)
1. Describe the function of route add and give an example.
2. What is the function of no shutdown in router configuration?
3. Describe the function of ip route and give an example.
VI. PRACTICUM ( PRAKTIKUM )
A. Required Equipment (Alat dan Bahan)
1. Two established LANs
2. One Router, or four Routers
3. Cables
All of these are in simulated form, in your Boson software.
B. Procedure Like in Lab 1 (Langkah-langkah)
1. Setup LAN connections
a) Set up the physical connections (number 1) for the LANs.
b) Connect the two LANs to the router using the appropriate cable (see Lab 1 for
LAN setup).
c) Using the above diagram configure the routing tables of each host.
For hosts on network 192.168.1.0
# route add -net 192.168.2.0 netmask 255.255.255.0 \
gw 192.168.1.254 dev eth0
For hosts on network 192.168.2.0
# route add -net 192.168.1.0 netmask 255.255.255.0 \
gw 192.168.2.254 dev eth0
d) On network 192.168.1.0 ping broadcast address 192.168.1.255 to make sure the
HUB/Switch is working. Repeat the procedure for network 192.168.2.0
# ping -c 2 -b 192.168.1.255
Sample Lab B
2. Configure Minicom in Linux; try using Hyperterminal on your own.
Minicom is used to interface with the router.
a) Verify that minicom has the correct parameters
# minicom -s
b) Set the default parameters to:
9600 baud rate
no parity
8 data bits
one stop bit
no flow control
c) Type minicom to establish a connection to the router.
# minicom
Note that you have to make a rollover cable to connect the serial port of the PC to the Console port of
the Cisco router.
3. Configure your Cisco router using the Simulator. Cisco router references give you the best
way to connect to the Console, log in and configure your router. If you don’t have a
book, please read your Boson Network Simulator Help, now!
4. Physical setup #2: use your Network Designer first, before the Network Simulator, and set
up the physical connections as in the following diagram
5. Configure interfaces on routers.
a) Read about router serial connections to understand the additional configuration
parameters.
b) Identify the interfaces as FastEthernet or Serial. If a serial interface, identify the
DCE end. The show controllers serial command should be helpful. Look this
command up.
What do DCE and DTE stand for? (Data Communication/Terminal
Equipment)
Which end provides the clocking mechanism for the cable? (DCE)
c) To configure the router for the network, you need to add an IP address to each
interface of the router.
Router>en
Router#config t
Router(config)#interface fa0/0
Router(config-if)#ip address xxx.xxx.xxx.xxx subnet mask here
Router(config-if)#no shut
Sample Lab C
d) What does the no shut command do? (keeps the line logically up even when
physically down)
router1#config t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int fa0/0
router1(config-if)#ip address 192.168.3.254 255.255.255.0
router1(config-if)#no shut
router1(config-if)#int fa0/1
router1(config-if)#ip address 192.168.5.254 255.255.255.0
router1(config-if)#no shut
router1(config-if)#int s0/0
router1(config-if)#ip address 192.168.6.253 255.255.255.0
router1(config-if)#no shut
router1(config-if)#keepalive 0
e) Repeat this procedure for every interface on every router. Set the interfaces according
to the diagram above.
6. Setup static routes
a) Try to ping network B from network A
b) Why can’t the network be reached? (no route through the network)
c) Set up a route through the network following the bi-directional path R4 R5 R9.
Note: router 5 needs paths to both networks.
Router4#sh ip route
...
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, Serial0/0
C 198.162.6.0/24 is directly connected, Serial0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
Router4#config t
Router4(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.253
Router4(config)#^Z
router2#config t
router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.9.253
router2(config)#^Z
router2#sh ip route
router2#exit
d) Use traceroute (known as tracert in Windows) to verify the path taken. Redirect
the output to a file to turn in.
tracert 192.168.2.1
e) Set up a more interesting path through the network and use traceroute to turn in a
copy of your path.
C. QUESTION (PERTANYAAN)
1. Back to the FT Unijoyo Network Design: please configure all routers and PCs,
including IP addresses, static routing, telnet server and some passwords needed
by those routers. Make sure that all routers are online and connected to each
other. Use ping and tracert to verify your configuration.
2. The instructor will give some additional assignments and homework.
MODUL III
DYNAMIC ROUTING USING RIP, IGRP AND EIGRP
VII. DESCRIPTION (MATERI)
1. Objectives
Objective: Configure RIP, IGRP, and EIGRP on the network
- Delete static routes from routing table
- Configure dynamic routing protocols, including RIP, IGRP and EIGRP
- Change metrics on routers
2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about static routes, RIP,
IGRP, and EIGRP routing and changing router metrics. Also, read the man pages on traceroute.
VIII. BEGINNING ASSESSMENT (TUGAS PENDAHULUAN)
1. Describe dynamic routing.
2. Describe RIP and give an example.
3. Describe IGRP and give an example.
4. Describe EIGRP and give an example.
IX. PRACTICUM (PRAKTIKUM)
A. REQUIRED EQUIPMENT (ALAT & BAHAN)
1. Two established LANs
2. Multiple routers, depending on router specification; check your router list in Boson Network
Designer
3. Cables (not used in virtual lab)
B. PROCEDURE LIKE IN LAB 2 (LANGKAH-LANGKAH)
Use the diagram of sample lab C in Lab 2 to do the exercises in this lab session.
1. Delete Static Routes
a) Check the routing table to determine which routes are static.
b) Before activating a dynamic routing protocol remove static routes from the routing table.
Explain why this is or isn’t necessary.
c) Using the no form of the ip route command, individually remove all static routes at each router.
This procedure must be done in configuration mode.
router> enable
router# config t
router(config)# no ip route [destination] [netmask] [next hop router]
d) Verify that static routes have been removed from the routing table and repeat procedures
for each router.
Router4#sh ip route
C 192.168.4.0/24 is directly connected, Serial0/0
C 198.162.6.0/24 is directly connected, Serial0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.2.0/24 [1/0] via 192.168.4.253
router2#sh ip route
e) Have LAN 1 ping LAN 2. Explain the results.
2. Configure dynamic routing protocol (RIP)
a) What type of protocol is RIP? Why is it considered a “chatty” protocol?
b) What routing problems occur using RIP? How can the problems be solved?
c) Enter the routing protocol configuration mode
router> enable
router# config t
router(config)# router rip
router(config-router)#
d) Enter networks that router should advertise
router(config-router)# network xxx.xxx.xxx.0
e) Verify which networks are being advertised by looking at the router configuration file.
router# show running-config
...
!
router rip
network 192.168.1.0
network 192.168.4.0
network 192.168.6.0
...
Router4#config t
Router4(config)#router rip
Router4(config-router)#redistribute connected
Router4#config t
Router4(config)#no ip route 192.168.2.0 255.255.255.0
Router4(config)#^Z
Router5#config t
Router5(config)#no ip route 192.168.2.0 255.255.255.0
Router5(config)#no ip route 192.168.1.0 255.255.255.0
Router5(config)#^Z
router2#config t
router2(config)#no ip route 192.168.1.0 255.255.255.0
router2(config)#^Z
Router4#sh ip route
...
Router4(config-router)#network 192.168.4.0
Router4(config-router)#network 192.168.6.0
Router4(config-router)#network 192.168.1.0
Router4(config-router)#^Z
Router4#show run
f) View the routing table for each router and verify RIP is working.
Router4#sh ip route
g) Explain what is meant by advertising a network and why is it important?
h) The two LANs should be able to communicate. From LAN A use traceroute to see which
routers are forwarding the messages.
lanA# tracert 192.168.2.1
i) Why do the messages follow the route shown from the previous step?
3. Change metrics on routers
a) Review the offset-list command and identify each parameter.
b) How does changing the metric at a router change the route through the network?
c) (routers have different distances in which case there might be a shorter path)
d) Add offset metrics to the router closest to each LAN to force the protocol to find a
different route from the one determined in part 2-h.
router1(config-router)# offset-list 0 out 16 s0/0
Router4#config t
Router4(config)#router rip
Router4(config-router)#offset-list 0 out 5 s0/0
Router4(config-router)#^Z
e) What exactly do the previous commands do?
(updates to the interface are offset by the given value so the corresponding
interface thinks the distance is further than it really is)
f) Verify the offsets by looking at the configuration file.
router# show running-config
...
!
router rip
offset-list 0 out 16 Serial0/0
offset-list 0 out 5 FastEthernet0/1
network 192.168.1.0
network 192.168.4.0
...
g) Run traceroute on network A and network B to view the route A takes to B and B takes to
A. Are the routes different? Why/Why not?
(The routes should be different since router 5 thinks it takes router 4 five hops to get to LAN
A but router 1 can get there in 1 hop. The messages going out of router 4 are only
affected in that the responses will take the different route.)
C. QUESTION (PERTANYAAN)
5. With the FT Unijoyo Network Design, delete all static routing policy and apply the RIP routing
protocol on your routers so that all devices can access the other devices. Use ping,
tracert, sh ip route and related commands to check your network configuration. Don’t forget
to disconnect a channel or line and see which new routes are taken by data when one host sends
packets to another one.
6. Try to implement the IGRP and EIGRP routing protocols for the network design of sample Lab B,
sample Lab C and the FT Unijoyo network!
Note: You have to understand the RIP, IGRP and EIGRP routing protocols and their configuration
before doing this lab; make sure you have read the references before coming to the LabSI.
7. Instructor’s assignments (please!)
MODUL IV
DYNAMIC ROUTING USING OSPF
X. DESCRIPTION (MATERI)
1. Objective
Objective: Configure OSPF on the network
- Understand the concepts of OSPF routing protocol
- Configure dynamic routing protocol using OSPF
By now you know that networking is not easy: it is not just cabling and IP addresses, with all devices
then operating as you have in mind. Networking needs skill and more skills, and hard study.
2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about dynamic routing with
OSPF. You can read the following tutorial to understand OSPF; we have downloaded it from the Cisco
website.
OSPF configuration includes only a few required steps, but it has many optional steps. After an
OSPF design has been chosen—a task that may be complex in larger IP internetworks—the
configuration may be as simple as enabling OSPF on each router interface and placing that
interface in the correct OSPF area.
This section shows a simple configuration example of a single-area OSPF internetwork. For
reference, the following list outlines the configuration steps as well as a brief reference to the
required commands:
Step 1 Enter OSPF configuration mode for a particular OSPF process
using the router ospf process-id global command.
Step 2 (Optional) Configure the OSPF router ID by:
a. Configuring the router-id id-value router subcommand.
b. Configuring an IP address on a loopback interface.
Step 3 Configure one or more network ip-address wildcard-mask area
area-id router subcommands, with any matched interfaces being
added to the listed area.
Step 4 (Optional) Change the interface Hello and Dead intervals using the
ip ospf hello-interval time and ip ospf dead-interval time interface subcommands.
Step 5 (Optional) Impact routing choices by tuning interface costs as follows:
c. Configure costs directly using the ip ospf cost value interface subcommand.
d. Change interface bandwidths using the bandwidth value interface subcommand.
e. Change the numerator in the formula to calculate the cost based on the interface
bandwidth, using the auto-cost reference-bandwidth value router subcommand.
Step 6 (Optional) Configure OSPF authentication:
f. On a per-interface basis using the ip ospf authentication interface subcommand.
g. For all interfaces in an area using the area authentication
router subcommand.
Step 7 (Optional) Configure support for multiple equal-cost routes using the
maximum-paths number router subcommand.
OSPF Single-Area Configuration
OSPF configuration differs only slightly from RIP configuration when a single OSPF area is
used. The best way to describe the configuration, and the differences with the configuration
of the other routing protocols, is to use an example. The following figure shows a sample
network, and the code below shows the configuration on Albuquerque.
interface ethernet 0/0
ip address 10.1.1.1 255.255.255.0
interface serial 0/0
ip address 10.1.4.1 255.255.255.0
interface serial 0/1
ip address 10.1.6.1 255.255.255.0
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
The configuration correctly enables OSPF on all three interfaces on Albuquerque. First, the
router ospf 1 global command puts the user in OSPF configuration mode. The router ospf
command has a parameter called the OSPF process-id. In some instances, you might want to
run multiple OSPF processes in a single router, so the router command uses the process-id to
distinguish between the processes. The process-id does not have to match on each router, and
it can be any integer between 1 and 65,535.
The network command tells a router to enable OSPF on each matched interface, discover
neighbors on that interface, assign the interface to that area, and advertise the subnet
connected to each interface. In this case, the network 10.0.0.0 0.255.255.255 area 0
command matches all three of Albuquerque's interfaces because the OSPF network
command matches interfaces using an address and a wildcard-style mask like those used with
IP ACLs. The wildcard mask shown in the above example is 0.255.255.255, with address
10.0.0.0. This combination matches all addresses that begin with 10 in the first octet. So, this
one network command matches all three of Albuquerque's interfaces, puts them in Area 0,
and causes Albuquerque to try to discover neighbors on those interfaces. It also causes
Albuquerque to advertise the three connected subnets.
The next example shows an alternative configuration for Albuquerque that also enables
OSPF on every interface. In this case, the IP address for each interface is matched with a
different network command. The wildcard mask of 0.0.0.0 means that all 32 bits must be
compared, and they must match—so the network commands include the specific IP address
of each interface, respectively. Many people prefer this style of configuration in production
networks, because it removes any ambiguity about the interfaces on which OSPF is running.
interface ethernet 0/0
ip address 10.1.1.1 255.255.255.0
interface serial 0/0
ip address 10.1.4.1 255.255.255.0
interface serial 0/1
ip address 10.1.6.1 255.255.255.0
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
network 10.1.4.1 0.0.0.0 area 0
network 10.1.6.1 0.0.0.0 area 0
XI. BEGINNING ASSESSMENT (TUGAS PENDAHULUAN)
1. Describe dynamic routing using OSPF.
2. Give an example of a command used in dynamic routing with OSPF and explain it.
XII. PRACTICUM (PRAKTIKUM)
A. REQUIRED EQUIPMENT (ALAT & BAHAN)
3. Two established LANs
4. Multiple routers, depending on router specification; check your router list in Boson Network
Designer
5. Cables (not used in virtual lab)
B. PROCEDURE LIKE IN LAB 3 (LANGKAH-LANGKAH)
C. QUESTION (PERTANYAAN)
6. Delete previous routing protocol configuration, use sh ip ro to see your active routes
installed in router.
7. Use design of sample lab C and try to configure all router using OSPF routing protocol
8. With design of FT Unijoyo Network, add OSPF routing protocol at all Lab router to
connect one to each other. Don’t give OSPF to FT router. Use ping, and tracert to check
your configuration.
9. Instructor’s assignments.
MODUL V AND VI
NAT and ACLs
XIII. DESCRIPTION (MATERI)
1. Objectives
Objective: Configure OSPF on the network
- Understand the concepts of Network Address Translation (NAT) and Access-list (ACL)
- Configure ACL and NAT at the gateway or router so that a client’s IP address is translated to a
particular IP address, or clients with private IP addresses can connect to the Internet using the public IP
address on the gateway.
2. Background Reading
Go to the Cisco website, or use the Cisco Sybex publication, and read about ACL and NAT. Alternatively, you
can read the following tutorials, which we have downloaded from the Cisco website.
Standard IP Access List
ACL configuration tends to be simpler than the task of interpreting the meaning and actions
taken by an ACL. To that end, this section presents a plan of attack for configuring ACLs.
Then it shows a couple of examples that review both the configuration and the concepts
implemented by those ACLs.
The generic syntax of the standard ACL configuration command is
access-list access-list-number {deny | permit} source [source-wildcard]
A standard access list uses a series of access-list commands that have the same number. The
access-list commands with the same number are considered to be in the same list, with the
commands being listed in the same order in which they were added to the configuration.
Each access-list command can match a range of source IP addresses. If a match occurs, the ACL
either allows the packet to keep going (permit action) or discards the packet (deny action). Each
standard ACL can match all, or only part, of the packet’s source IP address.
Note that for standard IP ACLs, the number range for ACLs is 1 to 99 and 1300 to 1999.
Step 1 Plan the location (router and interface) and direction (in or out) on
that interface:
a. Standard ACLs should be placed near to the destination of the
packets so that they do not unintentionally discard packets that
should not be discarded.
b. Because standard ACLs can only match a packet’s source IP
address, identify the source IP addresses of packets as they go in
the direction that the ACL is examining.
Step 2 Configure one or more access-list global configuration commands
to create the ACL, keeping the following in mind:
a. The list is searched sequentially, using first-match logic. In other
words, when a packet matches one of the access-list statements, the
search is over, even if the packet would match subsequent
statements.
b. The default action, if a packet does not match any of the access-list
commands, is to deny (discard) the packet.
Step 3 Enable the ACL on the chosen router interface, in the correct
direction, using the ip access-group number {in | out} interface
subcommand.
The example below attempts to stop Bob’s traffic to Server 1. As shown in the figure, Bob is not
allowed to access Server 1. The configuration enables an ACL for all packets going out R1’s
Ethernet0 interface. The ACL matches the source address in the packet—Bob’s IP address. Note
that the access-list commands are at the bottom of the example because the show running-
config command also lists them near the bottom, after the interface configuration commands.
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is Bob
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
First, focus on the basic syntax of the commands. Standard IP access lists use a number in the
range of 1 to 99 or 1300 to 1999. This example uses ACL number 1 versus the other available
numbers for no particular reason. The access-list commands, under which the matching and
action logic are defined, are global configuration commands. To enable the ACL on an interface
and define the direction of packets to which the ACL is applied, the ip access-group command is
used. In this case, it enables the logic for ACL 1 on Ethernet0 for packets going out the interface.
ACL 1 keeps packets sent by Bob from exiting R1’s Ethernet interface, based on the matching
logic of the access-list 1 deny 172.16.3.10 0.0.0.0 command. The wildcard mask of 0.0.0.0
means “match all 32 bits,” so only packets whose IP address exactly matches 172.16.3.10 match
this statement and are discarded. The access-list 1 permit 0.0.0.0 255.255.255.255 command,
the last statement in the list, matches all packets, because the wildcard mask of 255.255.255.255
means “don’t care” about all 32 bits. In other words, the statement matches all IP source
addresses. These packets are permitted.
The command access-list 1 remark allows the addition of a text comment, or remark, so that
you can track the purpose of the ACL. The remark only shows up in the configuration; it is not
listed in show command output.
Extended IP Access Lists
This example focuses on understanding the basic syntax. In this case, Bob is denied access to all
FTP servers on R1’s Ethernet, and Larry is denied access to Server1’s web server.
interface Serial0
ip address 172.16.12.1 255.255.255.0
ip access-group 101 in
!
interface Serial1
ip address 172.16.13.1 255.255.255.0
ip access-group 101 in
!
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any
The first ACL statement prevents Bob’s access to FTP servers in subnet 172.16.1.0. The second
statement prevents Larry’s access to web services on Server1. The final statement permits all
other traffic.
Following the permit or deny action, the protocol parameter defines whether you want to check
for all IP packets or just those with TCP or UDP headers. When you check for TCP or UDP port
numbers, you must specify the TCP or UDP protocol.
This example uses the eq parameter, meaning “equals,” to check the destination port numbers for
FTP control (keyword ftp) and HTTP traffic (keyword www). You can use the numeric values—
or, for the more popular options, a more obvious text version is valid. (If you were to enter eq 80,
the config would show eq www.)
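The matching logic described above (wildcard masks, the protocol field, eq, and first match wins) can be checked offline with a small evaluator. This is an added example, not part of the original module; it parses only the entry forms used in ACL 101, and the function names are hypothetical.

```python
import ipaddress

PORTS = {"ftp": 21, "www": 80}   # the two port keywords used on this page

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    action, proto, *tok = line.split()[2:]
    src, tok = take_addr(tok)
    dst, tok = take_addr(tok)
    port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def wild_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF     # wildcard 0-bits must match exactly
    return (ip_int(addr) & care) == (base & care)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return the action of the first matching entry (first match wins)."""
    for line in acl_lines:
        if line.split()[2] == "remark":
            continue
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if not (wild_match(src, a_src) and wild_match(dst, a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"   # IOS ends every ACL with an implicit deny

ACL_101 = [  # copied from the page's R1 configuration
    "access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web",
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 101 permit ip any any",
]
```

Calling evaluate(ACL_101, "tcp", "172.16.3.10", "172.16.1.100", 21) returns "deny", while the same packet to port 20 or over UDP reaches the final permit, because the first entry covers only TCP port 21 (FTP control).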
In this first extended ACL example, the access lists could have been placed on R2 and R3 instead
of on R1. As you will read near the end of this chapter, Cisco makes some specific
recommendations about where to locate IP ACLs. With extended IP ACLs, Cisco suggests that
you locate them as close as possible to the source of the packet.
interface Ethernet0
ip address 172.16.3.1 255.255.255.0
ip access-group 101 in
access-list 101 remark deny Bob to FTP servers in subnet 172.16.1.0/24
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 permit ip any any
ACL 101 looks a lot like ACL 101 from the previous example, but this time, the ACL does not
bother to check for the criteria to match Larry’s traffic, because Larry’s traffic will never enter
R3’s Ethernet 0 interface. Because the ACL has been placed on R3, near Bob, it watches for
packets Bob sends that enter its Ethernet0 interface. Because of the ACL, Bob’s FTP traffic to
172.16.1.0/24 is denied, with all other traffic entering R3’s E0 interface making it into the
network. This example does not show any logic for stopping Larry’s traffic.
Static NAT Configuration
Static NAT configuration, as compared to the other variations of NAT, requires the fewest
configuration steps. Each static mapping between a local (private) address and a global (public)
address must be configured. Additionally, the router must be told on which interfaces it should
use NAT, because NAT does not have to be enabled on every interface.
Step 1 Configure interfaces to be in the inside part of the NAT design using
the ip nat inside interface subcommand.
Step 2 Configure interfaces to be in the outside part of the NAT design using
the ip nat outside interface subcommand.
Step 3 Configure the static mappings with the ip nat inside source static
inside-local inside-global global configuration command.
In the figure, you can see that FredsCo has obtained Class C network 200.1.1.0 as a registered
network number. That entire network, with mask 255.255.255.0, is configured on the serial link
between FredsCo and the Internet. With a point-to-point serial link, only two of the 254 valid IP
addresses in that network are consumed, leaving 252 addresses.
When planning a NAT configuration, you must find some IP addresses to use as inside global IP
addresses. Because these addresses must be part of some registered IP address range, it is
common to use the extra addresses in the subnet connecting the enterprise to the Internet—for
example, the extra 252 IP addresses in network 200.1.1.0 in this case. The router can also be
configured with a loopback interface and assigned an IP address that is part of a globally unique
range of registered IP addresses.
The following example lists the NAT configuration, using 200.1.1.1 and 200.1.1.2 for the two static
NAT mappings.
NAT# show running-config
!
! Lines omitted for brevity
!
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 200.1.1.251 255.255.255.0
ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1
NAT# show ip nat translations
NAT# show ip nat statistics
The static mappings are created using the ip nat inside source static command. The inside
keyword means that NAT translates addresses for hosts on the inside part of the network.
The source keyword means that NAT translates the source IP address of packets coming into its
inside interfaces. The static keyword means that the parameters define a static entry, which
should never be removed from the NAT table because of timeout. Because the design calls for
two hosts, 10.1.1.1 and 10.1.1.2, to have Internet access, two ip nat inside commands are
needed.
After creating the static NAT entries, the router needs to know which interfaces are “inside” and
which are “outside.” The ip nat inside and ip nat outside interface subcommands identify each
interface appropriately.
Dynamic NAT Configuration
As you might imagine, dynamic NAT configuration differs in some ways from static NAT, but it
has some similarities as well. Dynamic NAT still requires that each interface be identified as
either an inside or outside interface, and of course static mapping is no longer required. Dynamic
NAT uses an access control list (ACL) to identify which inside local (private) IP addresses need
to have their addresses translated, and it defines a pool of registered public IP addresses to
allocate.
Step 1 As with static NAT, configure interfaces to be in the inside part of the NAT design
using the ip nat inside interface subcommand.
Step 2 As with static NAT, configure interfaces to be in the outside part of the NAT
design using the ip nat outside interface subcommand.
Step 3 Configure an ACL that matches the packets coming in inside interfaces for which
NAT should be performed.
Step 4 Configure the pool of public registered IP addresses using the ip nat pool name
first-address last-address netmask subnet-mask global configuration command.
Step 5 Enable dynamic NAT by referencing the ACL (Step 3) and pool (Step 4) with the
ip nat inside source list acl-number pool pool-name global configuration command.
The next example uses the same network topology as the previous example. In this case, the
same two inside local addresses, 10.1.1.1 and 10.1.1.2, need translation. The same inside global
addresses used in the static mappings in the previous example, 200.1.1.1 and 200.1.1.2, are
instead placed in a pool of dynamically assignable inside global addresses.
NAT# show running-config
!
! Lines omitted for brevity
!
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 200.1.1.251 255.255.255.0
ip nat outside
!
ip nat pool fred 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool fred
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1
The configuration for dynamic NAT includes a pool of inside global addresses as well as an IP
access list to define the inside local addresses for which NAT is performed. The ip nat pool
command lists the first and last numbers in a range of inside global addresses. For example, if the
pool needed ten addresses, the command might have listed 200.1.1.1 and 200.1.1.10. The
required netmask parameter performs a kind of verification check on the range of addresses. If
the address range would not be in the same subnet assuming the configured netmask was used,
then IOS will reject the ip nat pool command. In this case, subnet 200.1.1.0, mask
255.255.255.252 (the configured netmask) would include 200.1.1.1 and 200.1.1.2 in the range of
valid addresses, so IOS accepts this command.
Like static NAT, dynamic NAT uses the ip nat inside source command. Unlike static NAT, the
dynamic NAT version of this command refers to the name of the NAT pool it wants to use for
inside global addresses—in this case, fred. It also refers to an IP ACL, which defines the
matching logic for inside local IP addresses. The ip nat inside source list 1 pool fred command
maps between hosts matched by ACL 1 and the pool called fred, which was created by the ip nat
pool fred command.
NAT Overload (PAT) Configuration
NAT overload, as mentioned earlier, allows NAT to support many inside local IP addresses with
only one or a few inside global IP addresses. By essentially translating the private IP address and
port number to a single inside global address, but with a unique port number, NAT can support
many (over 65,000) private hosts with only a single public, global address.
Two variations of PAT configuration exist in IOS. If PAT uses a pool of inside global addresses,
the configuration looks exactly like dynamic NAT, except the ip nat inside source list global
command has an overload keyword added to the end. If PAT just needs to use one inside global
IP address, PAT can use one of its interface IP addresses. Because NAT can support over 65,000
concurrent flows with a single inside global address, a single public IP address can support an
entire organization’s NAT needs.
Use the same steps for configuring dynamic NAT, as outlined in the previous section, but include
the overload keyword at the end of the ip nat inside source list global command.
The following checklist details the configuration when using an interface IP address as the sole
inside global IP address:
Step 1 As with dynamic and static NAT, configure inside interfaces with the ip nat inside interface subcommand.
Step 2 As with dynamic and static NAT, configure outside interfaces with
the ip nat outside interface subcommand.
Step 3 As with dynamic NAT, configure an ACL that matches the packets coming in inside interfaces.
Step 4 Configure the ip nat inside source list acl-number interface interface
name/number overload global configuration command, referring to
the ACL created in Step 3 and to the interface whose IP address will
be used for translations.
The previous example shows a dynamic NAT configuration. To convert it to a PAT configuration,
the ip nat inside source list 1 pool fred overload command would be used instead, simply adding
the overload keyword.
The next example shows PAT configuration using a single interface IP address. The figure above
shows the same familiar network, with a few changes. In this case, the ISP has given FredsCo a
subset of network 200.1.1.0: CIDR subnet 200.1.1.248/30. In other words, this subnet has two
usable addresses: 200.1.1.249 and 200.1.1.250. These addresses are used on either end of the
serial link between FredsCo and its ISP. The NAT feature on FredsCo’s router translates all NAT
addresses to its serial IP address, 200.1.1.249.
In the example, which shows the NAT overload configuration, NAT translates using inside
global address 200.1.1.249 only, so the NAT pool is not required. In the example, as implied in
Figure 16-10, host 10.1.1.1 creates two Telnet connections, and host 10.1.1.2 creates one Telnet
connection, causing three dynamic NAT entries, each using inside global address 200.1.1.249,
but each with a unique port number.
NAT# show running-config
!
! Lines Omitted for Brevity
!
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 200.1.1.249 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface Serial0/0 overload
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1
!
NAT# show ip nat translations
NAT# show ip nat statistics
The ip nat inside source list 1 interface serial 0/0 overload command has several parameters,
but if you understand the dynamic NAT configuration, the new parameters shouldn’t be too hard
to grasp. The list 1 parameter means the same thing as it does for dynamic NAT: Inside local IP
addresses matching ACL 1 have their addresses translated. The interface serial 0/0 parameter
means that the only inside global IP address available is the IP address of the NAT router’s
interface serial 0/0. Finally, the overload parameter means that overload is enabled. Without this
parameter, the router does not perform overload, just dynamic NAT.
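The translation table that the overload keyword builds for the three Telnet connections can be modelled as follows. This is an added example, not part of the original module and not IOS code; the class and function names, the source port numbers, and the port-selection policy are assumptions made for illustration.

```python
from itertools import chain

INSIDE_GLOBAL = "200.1.1.249"        # Serial0/0 address in the page's config
ACL_1 = {"10.1.1.1", "10.1.1.2"}     # hosts permitted by access-list 1

class PatTable:
    """Toy model of: ip nat inside source list 1 interface Serial0/0 overload"""

    def __init__(self, global_ip, permitted):
        self.global_ip = global_ip
        self.permitted = permitted
        self.out = {}    # (proto, local_ip, local_port) -> global_port
        self.back = {}   # (proto, global_port) -> (local_ip, local_port)

    def outbound(self, proto, local_ip, local_port):
        """Translate the source of a packet arriving on an inside interface."""
        if local_ip not in self.permitted:
            return None                       # not matched by the ACL
        key = (proto, local_ip, local_port)
        if key not in self.out:
            # Assumed policy: keep the source port if free, else first free
            # port from 1024 upward. Real IOS allocation differs in detail.
            candidates = chain([local_port], range(1024, 65536))
            port = next((p for p in candidates
                         if (proto, p) not in self.back), None)
            if port is None:
                return None                   # the single address is exhausted
            self.out[key] = port
            self.back[(proto, port)] = (local_ip, local_port)
        return self.global_ip, self.out[key]

    def inbound(self, proto, global_port):
        """Map a reply arriving on the outside interface back to the host."""
        return self.back.get((proto, global_port))

def telnet_demo():
    """Three Telnet flows as on the page; source ports are constructed."""
    nat = PatTable(INSIDE_GLOBAL, ACL_1)
    flows = [("10.1.1.1", 3212), ("10.1.1.1", 3213), ("10.1.1.2", 3212)]
    return nat, [nat.outbound("tcp", ip, port) for ip, port in flows]
```

The third flow reuses source port 3212, so the model assigns it a different global port; an inbound packet to a port with no table entry has nothing to be translated to.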
XIV. BEGINNING ASSESSMENT (TUGAS PENDAHULUAN)
1. Describe NAT.
2. Describe ACL.
3. Give examples of NAT and ACL commands and explain them.
XV. PRACTICUM (PRAKTIKUM)
A. REQUIRED EQUIPMENT (ALAT & BAHAN)
4. Two established LANs
5. Multiple routers, depending on router specification; check your router list in Boson Network
Designer
6. Cables (not used in virtual lab)
B. PROCEDURE LIKE IN LAB 3 (LANGKAH-LANGKAH)
i. QUESTION (PERTANYAAN)
10. Using the sample design of sample lab A, try to connect some clients to a Cisco router using NAT.
Make sure you have terminated the routing protocols first.
11. Using sample lab B, configure your router so that network A can connect to network B via NAT.
Then add some lines so that only the PCs with IP addresses 192.168.1.2 and 192.168.1.3 can access
network B; the PC with IP address 192.168.1.1 is blocked.
12. Using the FT Unijoyo network design, write some lines so that all computers connect to the Internet via the FT
router using public IP address 200.20.20.20/28.
13. Configure the FT router so that only computers in LabSI and LabJarkom can connect to the Internet.
Block LabD3 and LabProg, for this example case only ☺.
14. Instructor’s assignments