
IERG4831 Lab01 P.

Lab01 Design and Implementation of SOHO Networks


Objectives:
- Build a simple switching network for a small company with the following requirements:
  o Hosts are connected to the broadband router via a network switch
  o A server is connected to the broadband router directly but in a separate network (DMZ)
- Configure the broadband router such that:
  o Hosts can access both the DMZ and the Internet
  o Hosts in the DMZ can access the Internet, but not the Intranet
  o The Internet can access a web server in the DMZ

Prerequisite:
- IERG4090:Lab00 Basics of GNS3 and Cisco IOS
- GNS3 Documentation: https://docs.gns3.com/
- Getting started with GNS3: https://streaming.ine.com/c/ine-getting-started-with-gns3
- Cisco IOS and CLI: http://www.danscourses.com/CCNA-1/cisco-ios-and-cli.html
- DD-WRT Wiki: http://www.dd-wrt.com/wiki/index.php/Main_Page

Network Topology:

Innovation Engineering Company Ltd. is a small startup company. The office has ten PCs and one web server. The ten
PCs can access the Internet via a broadband router. The web server (mrtg-1) can be accessed by the Intranet hosts
and the Internet, but it cannot access hosts in the Intranet. You are provided with ten PCs (labvpc-1 to 9, chrome-1), a
web server (mrtg-1) and a broadband router (BBR) for connecting to the Internet.

Procedures:

Task 0: Start the ISP devices. [0 mark]


Start ISP-GW, ISP and ISP-H1. Modifications on these devices are strictly prohibited.

Verify the Internet connections by the Auxiliary console of ISP-H1: ping intranet.ie.cuhk.edu.hk

If it fails, check the Internet connection of your host computer (it must be in the IE network or connected to the IE VPN).

Task 1: Link up the devices as shown in the network topology diagram. [5 marks]
Note: Save project once the devices are linked.

Task 2: Start the company network devices. [5 marks]


Start BBR and SW.

Configure SW via console. All ports should be configured as layer 2 static access ports. Save the configurations.

Task 3: Access the administration page of BBR. [5 marks]

Configure the network of chrome-1 by using GNS3's device configuration tool. The web browser in chrome-1 will be
used to access the administration page of BBR. Make your own decision on the network configuration of chrome-1
so that it can access the Internet in the future.

Configuration for GNS3 docker container chrome:


https://www.youtube.com/watch?v=ZWhesu5RJeE

Start chrome-1. Use GNS3's console tool to access its web browser. Go to the administration page of BBR via the
web browser. The default URL of DD-WRT's management web interface is:

http://192.168.1.1/

Configure the login name and password on BBR to be root and admin respectively.

Task 4: Configure WAN address in BBR. [10 marks]

Configure Static IP address and DNS address for BBR WAN interface (eth0) according to the information provided in
the topology diagram.

Configure BBR so that it can masquerade DNS request for hosts in Intranet and DMZ.

After configuration, chrome-1 should be able to access the Internet. Verify it by accessing http://www.google.com

Task 5: Configuration of DHCP services in BBR. [15 marks]

Configure the MAC address for labvpc1-labvpc9 via GNS3's Device Configure tool. Edit the network configuration and
insert a new line under the line iface eth0.:

hwaddress ether 02:34:56:78:90:01

where 34:56:78:90 is the last eight digits of your SID (e.g. 1234567890).
For the last octet, use 01 - 09 for labvpc01 - labvpc09 respectively.

Configure labvpc-1 to labvpc-9 to get their IP address via DHCP with the following restrictions:
- labvpc-1 to labvpc-5 should receive IP address .101 to .105 respectively.
- labvpc-6 to labvpc-9 should receive dynamic IP address in the range of .110 - .119 randomly.

All labvpc resolve DNS via BBR.

Verify your configuration by PING test to intranet.ie.cuhk.edu.hk


Task 6: Configure DMZ in BBR. [20 marks]

Create and configure br1 (DMZ) with IP address provided in the topology diagram. Setup DHCP service on br1. Join
eth2 to br1.
Setup > Networking: Bridging, Assign to Bridge, Port Setup [br1], DHCPD

Configure the network of mrtg-1 using DHCP. BBR should lease a fixed IP to mrtg-1 and be able to resolve DNS
request. Verify your configuration by PING test to intranet.ie.cuhk.edu.hk.

Configure BBR such that hosts in the DMZ (br1) cannot access hosts in the Intranet (br0). Use a PING test to check your result in
both directions. In other words, a rule has to be built to block packet forwarding of any new connections from
br1 to br0.
https://help.ubuntu.com/community/IptablesHowTo ( conntrack, ctstate )
Administration > Commands: add a firewall rule and Save Firewall

After configuration, hosts in br0 can PING to hosts in br1 (mrtg-1) but not in reverse direction.

Task 7: Configure port forwarding in BBR. [15 marks]


Start web service in mrtg-1 by console command: lighttpd -f /etc/lighttpd/lighttpd.conf -D &

Verify your configuration by chrome-1 to browse the URL: http://mrtg-1/test.html

Configure BBR such that Internet host (ISP-H1) can access the web service in mrtg-1. Rules involve:
- Allow tcp port 80 input from eth0
- Allow tcp port 80 to be forwarded from eth0 to br1
- Perform port forwarding such that mrtg-1's web service can be exposed

http://linuxforall.blogspot.hk/2008/01/setting-dmz-with-iptables.html
http://www.systutorials.com/816/port-forwarding-using-iptables/
Administration > Commands: add firewall rules and Save Firewall

Verify the configuration by ISP-H1 to browse the URL: http://10.16.1.101/test.html
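
The firewall rules that Tasks 6 and 7 describe, written out as an added example (not part of the lab handout): `bbr_rules` prints the commands for the Commands box, and `dmz_isolated`, which goes beyond the handout, checks rule order in `iptables -S FORWARD` output. The function names and the mrtg-1 address 192.168.2.10 are assumptions; take the real address from your topology diagram.

```shell
#!/bin/sh
# Added example, not from the handout. Interface names are the handout's.
WAN_IF=eth0 LAN_IF=br0 DMZ_IF=br1
WAN_IP=10.16.1.101     # address ISP-H1 browses in Task 7
WEB_IP=192.168.2.10    # ASSUMPTION: mrtg-1's fixed lease, see topology diagram

# Print the rules to paste into Administration > Commands > Save Firewall.
# -I inserts at the top of the chain; a rule appended with -A behind an
# earlier broad ACCEPT is never reached. If the build lacks the conntrack
# match, "-m state --state NEW" is the older equivalent.
bbr_rules() {
    cat <<EOF
iptables -I FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP
iptables -I INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $WEB_IP --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination ${WEB_IP}:80
EOF
}

# Read "iptables -S FORWARD" output on stdin. Succeed only if the first rule
# that can match a NEW packet from the DMZ to the Intranet is a DROP/REJECT.
# Heuristic: only -i, -o and the state match are interpreted; -p/-s/-d
# qualifiers are ignored.
dmz_isolated() {
    awk -v dmz="$DMZ_IF" -v lan="$LAN_IF" '
    /^-A FORWARD/ {
        in_if = ""; out_if = ""; target = ""; state = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
        }
        if (in_if != "" && in_if != dmz) next    # other ingress interface
        if (out_if != "" && out_if != lan) next  # other egress interface
        if (state != "" && state !~ /NEW/) next  # e.g. RELATED,ESTABLISHED
        if (target == "DROP" || target == "REJECT") { ok = 1; exit }
        if (target == "ACCEPT") exit
    }
    END { exit (ok ? 0 : 1) }'
}
```

Replies to connections opened from br0 are in state ESTABLISHED, so the NEW-only DROP leaves them alone, which is why br0 can still PING mrtg-1. If the router's iptables supports `-S`, `iptables -S FORWARD | dmz_isolated` checks the live chain (`iptables-save` lines have the same `-A FORWARD` form).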

Task 8: MRTG for BBR. [10 marks]

Configure SNMP in BBR with read-only community name to be CUHK


https://www.dd-wrt.com/wiki/index.php/Multi_Router_Traffic_Grapher

Configure mrtg-1 such that MRTG chart will be built for BBR. Study the script /root/mycfgmaker.sh in mrtg-1.
Use this script to build the MRTG config. Start the mrtg process by running the commands below:
cd /var/www/mrtg/cfg
mrtg /var/www/mrtg/cfg/XXX.cfg

where XXX is the name used in mycfgmaker.sh

Verify your result by browsing the URL: http://mrtg-1/XXX/ from chrome-1 and the corresponding URL from ISP-H1.

--- Total 80 marks ---


--- End of Lab ---
Note on lab submission:
- After finishing the lab, save the configurations in all devices. Then save the project in GNS3.
- Exit GNS3 and then restart the lab again. Make sure that your setup can be recovered. If not, you have to
do the lab again until you can save your setup properly. If the tutor cannot recover your lab, it will be scored
with ZERO marks even if you have submitted the lab report properly.
- In the terminal, change directory to /home/gns3/GNS3/projects/IERG4831. You should see the
project directory there. Archive your project directory by the command sudo tar cfz XXX.tar.gz
XXX where XXX is the folder name of your lab.
- Retrieve the archive file via SCP or Copy and Paste to your desktop computer.
- ZIP the lab report and the lab archive (XXX.tar.gz) into a single file with filename SID_LabXX.zip where SID
is your student ID.
- Submit it to the tutor via eLearning System.
