

Introduction to LINUX OS


ENTC 425

To familiarize students with the powerful, robust and open operating system called

Networking applications have traditionally been hosted upon Unix servers due to the
robust nature of the operating system. Sun Microsystems was one of the first widely
accepted Unix platforms adopted for networking applications. The Sun platforms utilize
proprietary architectures and subsystem interconnections and therefore are much more
expensive than the PC. Recently, a group of researchers developed a BSD-compatible
Unix operating system for the PC. This open, PC based, Unix operating system is called

Linux is a multitasking, multi-user operating system, which means that many people can
run many different applications on one computer simultaneously. For most of your
explorations in the world of Linux, you'll be talking to the system through a shell, a
program that takes the commands you type and translates them into instructions for the
operating system. This can be compared to the COMMAND.COM program under MS-DOS,
which does essentially the same thing. A shell is just one interface to Linux. There are
many possible interfaces--like the X Window System, which lets you run commands by
using the mouse and keyboard.
Most Linux systems use a standard layout for files so that system resources and programs
can be easily located. This layout forms a directory tree, which starts at the ``/'' directory,
also known as the ``root directory''. Directly underneath / are important subdirectories:
/bin, /etc, /dev, and /usr, among others. These directories in turn contain other
directories, which contain system configuration files, programs, and so on.
In particular, each user has a home directory, which is the directory set aside for that
user to store his or her files. Usually, user home directories are contained under /home
and are named for the user owning that directory. E.g. Larry's home directory will be

Basic Unix Commands

Command       Description
cd ..         go up a folder
cd /games     go to the games directory
              gives a list of contents
              tells what directory you are located in
cat A         displays the file A
              a text editor
              an advanced text editor
mv A Z        moves file A to file Z
cp one two    copies file "one" to file "two"
rm abc        deletes file "abc"
mkdir games   makes a directory called games
rmdir games   removes the directory called games
              prints something on the screen
              shows a list of the current users
              tells how long it has been since the server was last shut down
              shows the date and time according to the computer
              shows who is logged in to the system
              searches and returns info about the word you searched for
              changes file/directory permissions
              for compressing files
              for uncompressing them
              logs you out
              gives the round trip time to the web site pinged
              provides the manual, or instructions, for a command

Unix / Linux Networking commands

(If you are using Linux workstations, you may need to prefix the command name with /sbin/, e.g. /sbin/ifconfig.)








Checking the ARP Cache

arp -a

eth0 at 00:c0:4f:a0:87:03
This command prints the contents of the ARP cache. Entries in the ARP cache
last for about 20 minutes, after which they are purged. Note that the command
is followed by -a; this is called a flag and is used to specify options for a
command. Each command is documented in a manual page accessed through the man
command.
Interface Details

ifconfig -a

lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet netmask ff000000
inet netmask ffffff00 broadcast
The details regarding the interfaces can be seen using the ifconfig
command. This displays one entry for each interface connected to the system
and also the loopback interface details. (Loop Back Address is
You can also get your interface details using the command

netstat -in

Routing Table
netstat -nr



You can see the routing table on your machine using the above command


Ping Messages
ping <destination>
Ping messages are ICMP query messages. The station sending the ping initiates a
PING REQUEST message, to which the destination responds with a PING REPLY
message. Ping is actually a program that sends an ICMP echo request message and
waits for the matching echo reply.
Ping Reply Format: <no of bytes> <ip address> <ICMP Seq. No> <time to live> <Round Trip Time>
Usage : ping www.tamu.edu
Pinging mimir.tamu.edu [] with 32 bytes of data:
Reply from bytes=32 time<10ms TTL=253
Reply from bytes=32 time<10ms TTL=253
Reply from bytes=32 time<10ms TTL=253
Ping statistics for
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
traceroute <destination>
Usage : traceroute www.tamu.edu
1 exit-130c ( 2.211 ms 1.667 ms 1.312 ms
2 pluto ( 1.249 ms 1.230 ms 1.066 ms
3 hrbb-1-hrbb-nb-e-8.net.tamu.edu ( 2.250 ms 2.245 ms 1.950 ms
4 csce-osr-1--bb-PE-g-1.net.tamu.edu ( 2.884 ms 2.705 ms 2.351 ms
5 mimir.tamu.edu ( 2.244 ms * 4.022 ms
The traceroute command builds a table of all devices located between the source
and the destination, with the delay measured between the source and each device.
Traceroute is actually a cleverly written program that uses the ping (ICMP echo
request) program in conjunction with the time-to-live field of the IP header.

File Transfer Protocol

FTP is used to transfer files from remote stations to a local station. An FTP session
opens two TCP connections for transferring data, as shown in the diagram.

Commonly used modes of operation are ASCII and BINARY. FTP operates at the well
known ports 21 & 23.
Commands associated with ftp are:





Configuring Network Interfaces

The following commands are used to configure interfaces in the Unix environment.
Depending upon the PATH of the system, the command may need to be prefixed with
/sbin/ before typing it.
Taking the interface from active or up status to down:
ifconfig eth0 down
Taking the interface from down to up:
ifconfig eth0 up
Once down, you can alter the IP address of the network interface as shown below:
ifconfig eth0 <ip address> netmask <subnet mask>
Routes can be added to the station by indicating the network, subnet mask and gateway
for each route using the route command (note the leading dash on -net):
route add -net <network address> netmask <subnet mask> gw <gateway ip address>
The default gateway can be set using the following route command:
route add default gw <ip address>
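The route lookup that the ifconfig/route commands above build up, as an added example that is not part of the lab manual: a longest-prefix-match table with a connected subnet, one static route and a default gateway, plus the on-link test a host makes from its own netmask (all addresses are constructed).

```python
"""Route lookup and subnet-membership checks matching the ifconfig/route
commands above (added example, not part of the lab manual).  All addresses
are constructed for the example."""
import ipaddress
from typing import Optional, Tuple


class RoutingTable:
    """Minimal model of the kernel routing table that 'netstat -nr' prints."""

    def __init__(self) -> None:
        self.routes = []  # entries of (IPv4Network, gateway or None, interface)

    def add_net(self, network: str, netmask: str, gw: Optional[str], iface: str = "eth0") -> None:
        """route add -net <network> netmask <netmask> gw <gw>  (gw=None: directly connected)"""
        net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
        self.routes.append((net, ipaddress.IPv4Address(gw) if gw else None, iface))

    def add_default(self, gw: str, iface: str = "eth0") -> None:
        """route add default gw <gw>  (a 0.0.0.0/0 route that matches everything)"""
        self.add_net("0.0.0.0", "0.0.0.0", gw, iface)

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match: return (next hop, interface) or None if unroutable."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            return None
        _, gw, iface = best
        # No gateway means the destination is on the local segment and is reached
        # directly (its MAC is found with ARP), so the next hop is the destination itself.
        return (str(gw) if gw is not None else str(addr), iface)


def thinks_local(my_ip: str, my_mask: str, dst: str) -> bool:
    """Does a host with this address/mask treat dst as on-link?  A host applies
    only its OWN mask, so a wrong mask on one side can break traffic one way."""
    iface = ipaddress.IPv4Interface(f"{my_ip}/{my_mask}")
    return ipaddress.IPv4Address(dst) in iface.network


def lab_station_table() -> RoutingTable:
    """Table after a sequence like the lab's: ifconfig eth0 172.16.10.5 netmask
    255.255.255.0, one static route, and a default gateway (constructed values)."""
    rt = RoutingTable()
    rt.add_net("172.16.10.0", "255.255.255.0", None)            # connected subnet
    rt.add_net("192.168.50.0", "255.255.255.0", "172.16.10.1")  # static route via a router
    rt.add_default("172.16.10.254")                             # everything else
    return rt


if __name__ == "__main__":
    rt = lab_station_table()
    for dst in ("172.16.10.9", "192.168.50.3", "128.194.1.1"):
        print(dst, "->", rt.lookup(dst))
    print(thinks_local("172.16.10.5", "255.255.255.0", "172.16.11.7"))
```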

Network Configuration Files

Go to /etc/sysconfig directory and open the network file (use any editor like NEdit). The
defaultdomain, nodename, and default gateway information are mentioned here. The
default gateway is the address to which your host will first route all packets.
You need to have an ifcfg-interface file in your /etc/sysconfig/network-scripts directory.
Ethernet cards are usually called eth0 or eth1 depending on which interface you are using
(if your workstation has more than one Ethernet card). The loopback interface is lo. In
your workstation the filename will be ifcfg-eth0. This file will contain the following
information: IP address, netmask, network address, and broadcast address. Check that
these files contain correct, up-to-date information.

PROCEDURE: Basic Unix Commands





Using a text editor, create four files called name1, name2 name4,
containing the first middle and Last names of all your group members (one
member per file).
Use the man pages to look up the operation of the tar command, make sure to
look at the DESCRIPTION section.
tar all the name files into a single file and save it as group_name.tar;
replace group_name with the actual name of your group! Make sure you can
extract the individual name files before you check off.
Create a directory called /home/group_name and move your compressed file
into that directory. Verify it arrived by using the ls command. Uncompress
the file and type the following commands: ls -l, ls -al, ls n*.
When typing the -l flag after ls the output includes a list of permissions
which indicate the ability of three different entities to read, write, and
execute a file or directory. The three entities from left to right are the
owner, group and others.
EXAMPLE: rwxrw-r-- would allow the owner to read/write/execute while
the group would only be able to read/write and everyone else could only read.


Use the chmod command to change the permissions on your compressed file
so that all users can read and write to the file (owner, group, and others). A
quick example of the chmod command is shown below.
EXAMPLE: chmod o=rw group_name.tar, which alters the "others" permissions
to read/write for the file indicated. For more information, use the
man pages.
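The permission string that ls -l prints and the symbolic chmod form used in this step, modelled in code as an added example (not from the lab manual) so the effect of a clause like o=rw can be checked before it is applied to a real file.

```python
"""Model the permission string that 'ls -l' prints and the symbolic 'chmod'
syntax used in this step (added example; not from the lab manual)."""

WHO = {"u": 0, "g": 1, "o": 2}      # owner, group, others: left-to-right triples
BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(perm: str) -> int:
    """'rwxrw-r--' -> 0o764 (the nine characters after the type column of ls -l)."""
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxrw-r--")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "rwx"[i % 3]:
            mode |= BITS[ch] << (3 * (2 - i // 3))
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def format_mode(mode: int) -> str:
    """Inverse of parse_mode: 0o764 -> 'rwxrw-r--'."""
    out = ""
    for shift in (6, 3, 0):
        t = (mode >> shift) & 7
        out += ("r" if t & 4 else "-") + ("w" if t & 2 else "-") + ("x" if t & 1 else "-")
    return out


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply chmod's symbolic form, e.g. 'o=rw' (as in the lab) or 'ug+w,o-x'.
    A clause with no who-letters is treated as 'a' (all three entities)."""
    for clause in spec.split(","):
        idx = next(i for i, c in enumerate(clause) if c in "+-=")
        who, op, perms = clause[:idx] or "a", clause[idx], clause[idx + 1:]
        targets = range(3) if who == "a" else [WHO[c] for c in who]
        bits = sum(BITS[p] for p in perms)
        for t in targets:
            shift = 3 * (2 - t)
            cur = (mode >> shift) & 7
            if op == "=":
                cur = bits
            elif op == "+":
                cur |= bits
            else:
                cur &= ~bits & 7
            mode = (mode & ~(7 << shift)) | (cur << shift)
    return mode


def describe(perm: str) -> dict:
    """Spell out the three entities' rights, as the text does for rwxrw-r--."""
    mode = parse_mode(perm)
    result = {}
    for name, shift in (("owner", 6), ("group", 3), ("others", 0)):
        t = (mode >> shift) & 7
        result[name] = {"read": bool(t & 4), "write": bool(t & 2), "execute": bool(t & 1)}
    return result


def is_world_writable(mode: int) -> bool:
    """The state this lab step produces: anyone on the system may modify the file."""
    return bool(mode & 0o002)


if __name__ == "__main__":
    before = parse_mode("rw-r--r--")
    after = apply_symbolic(before, "o=rw")           # chmod o=rw group_name.tar
    print(format_mode(before), "->", format_mode(after), oct(after))
    print(describe("rwxrw-r--"))
```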


Disconnect the LINUX computer from the Laboratory network and connect it
to the Catalyst 2912 switch located at the station. Bring the Ethernet interface
down and alter the IP address to 172.16.10.x, where x is between 1-254 and
does not conflict with your other lab group members. Therefore each LINUX
computer should have a unique IP address. The net-mask should be
to indicate that the host ID is only 8-bits long and is located at
the end of the address.
Attempt to ping www.tamu.edu.
Bring the eth0 interface down and alter the IP address back to the original
address. Set the default gateway to 10.a.b.254, where a and b are unique to
each LAN station. Look at the network diagram to find the appropriate
numbers for a and b.
Ping www.yahoo.com and note the IP address of this site. If you have trouble,
attempt to ping a known IP address by number ping
(dns.tamu.edu). If you can ping a known IP address, then you are probably
having trouble resolving the text address to a number and need to reset the
DNS of the terminal. You can alter the DNS server address in the
/etc/resolv.conf file by adding the line nameserver <ip address> on the
second line.
Display the address resolution protocol (ARP) table of your terminal. Ping
www.cisco.com and then display the ARP table again. Do you notice a
difference? Now discover the route (all terminals between you and ) to
www.sbc.com .
Call the TA over to your station and check-off your ability to extract and
display the contents of name1, name2 name4. Then show the altered
permissions on your compressed file. Finally explain the operation of the
ARP table and how it was altered after pinging cisco.com.

Prelab Questions:

What are the features of UNIX?

What is a shell? What is a shell script?
What does FTP stand for and what is its purpose?
What is the purpose of NIS, NFS, DNS, DHCP, BOOTP?
What are the different classes of IP addresses available?
What are loop back addresses and broadcast addresses?

Lab Questions:
NONE. Make sure to check off your exercise before leaving.

Module 2

IP Configuration
ENTC 425


Setting Up LAN in Unix/Linux & Windows


ENTC 425


To set up a Local Area Network using Unix/Linux boxes and Windows stations. This Lab
will also reinforce the Unix/Linux operating system through the use of some basic
commands as well as networking related commands.

Linux is based on the POSIX operating system standard, which was derived from Unix.
Unix is compatible with Linux at the system call level, meaning most programs written
for either Unix or Linux can be recompiled to run on the other system with little or no
modification. There are many different Linux distributions, such as Red Hat,
Caldera, SuSe, Mandrake, Slackware and Debian. Red Hat is by far the most popular
in the industry.
Linux itself, the kernel, is the core of the operating system. The kernel is the master of all operations.
It is responsible for starting and stopping programs, handling memory requests,
handling network connections, and so on. All Linux distributions come with the same kernel;
however, each one offers different configuration tools. Red Hat, for example, has a very cool
installation interface which makes it very easy for first-time users.
Some major Differences between Windows NT and Linux

Microsoft has integrated the GUI (Graphical User Interface) into the core
operating system but Linux has kept it separately. The X-Window System
interface employed by Linux is run as a user-level application, which makes it
more stable. If the GUI fails, the OS is still up and running.
Windows uses the Registry as its configuration database, whereas Linux uses text
files for its configuration.

This list is very long and non-exhaustive. For interested readers, more differences can be
found at http://www.pcquest.com/content/linux.

Networking Interfaces
Linux defines an abstract interface through which the hardware is accessed. This
interface offers a set of operations that is the same for all types of hardware and
basically deals with sending and receiving packets.
For each peripheral networking device, a corresponding interface has to be
present in the kernel. For example, Ethernet interfaces in Linux are called by such
names as eth0 and eth1; PPP (the Point-to-Point Protocol) interfaces are named
ppp0 and ppp1. These interface names are used for configuration purposes when
you want to specify a particular physical device in a configuration command, and
they have no meaning beyond this use.
Before being used by TCP/IP networking, an interface must be assigned an IP
address that serves as its identification when communicating with the rest of the
world. This address is different from the interface name mentioned previously; if
you compare an interface to a door, the address is like the nameplate pinned on it.

A mechanism is needed to map IP addresses onto the addresses of the underlying
network. The mechanism used is the Address Resolution Protocol (ARP).
When ARP wants to find the Ethernet address corresponding to a given IP address, it uses
an Ethernet feature called broadcasting, in which a datagram is addressed to all stations
on the network simultaneously. The broadcast datagram sent by ARP contains a query for
the IP address. Each receiving host compares this query to its own IP address and if it
matches, returns an ARP reply to the inquiring host. The inquiring host can now extract
the sender's Ethernet address from the reply.
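The request/reply exchange just described, encoded as real Ethernet+ARP frames and run between simulated hosts entirely in memory, as an added example that is not part of the manual (the MAC and IP values are constructed; nothing is sent on a network).

```python
"""The ARP request/reply exchange described above, encoded as real Ethernet
frames and run between simulated hosts in memory (added example, not from the
manual; MAC and IP values are constructed).  Nothing touches the network."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body.  Requests are broadcast;
    replies go straight back to the requester's MAC."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode a frame; raises ValueError for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _, _, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError(f"ethertype {etype:#06x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class Host:
    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip
        self.arp_cache = {}   # ip -> mac, what 'arp -a' shows on this host

    def receive(self, frame: bytes):
        """A request for OUR address is answered; a reply addressed to us is
        cached.  Requests for other hosts' addresses are ignored."""
        p = parse_arp(frame)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]   # remember who asked
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]
        return None


def resolve(requester: Host, segment: list, target_ip: str):
    """Broadcast a request to every other host on the segment and return the
    MAC learned for target_ip (None if nobody owns that address)."""
    if target_ip in requester.arp_cache:
        return requester.arp_cache[target_ip]
    req = build_arp(ARP_REQUEST, requester.mac, requester.ip, "00:00:00:00:00:00", target_ip)
    for host in segment:
        if host is requester:
            continue
        reply = host.receive(req)
        if reply is not None:
            requester.receive(reply)
    return requester.arp_cache.get(target_ip)


if __name__ == "__main__":
    a = Host("00:c0:4f:a0:87:03", "10.1.1.1")
    b = Host("00:c0:4f:a0:87:04", "10.1.1.2")
    print(resolve(a, [a, b], "10.1.1.2"), a.arp_cache, b.arp_cache)
```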
Domain Name Service
The Domain Name System (DNS) is a set of protocols and services on a TCP/IP network
which allows users of the network to utilize hierarchical user-friendly names when
looking for other hosts (that is computers) instead of having to remember and use their IP
addresses. This system is used extensively on the Internet and in many private enterprises
today. If you've used a Web browser, Telnet application, FTP utility or other similar
TCP/IP utilities on the Internet, then you have probably used a DNS server.
The DNS protocol's best-known function is mapping user-friendly names to IP addresses.
For example, suppose the FTP site at CU Boulder had an IP address of
Most people would reach this computer by specifying FTP.colorado.com and not the
less friendly IP address. Besides being easier to remember, the name is more reliable. The
numeric address could change for any number of reasons, but the name can always be

Before the implementation of DNS, user-friendly computer names were implemented
through the use of HOSTS files containing a list of names and associated IP addresses.
On the Internet, this file was centrally administered and each location would periodically
download a new copy. As the number of machines on the Internet grew, this became an
unmanageable solution. The scalable solution was DNS.
DNS maps to level 7 in the OSI model and can use either UDP or TCP as the underlying
protocol. Resolvers send UDP queries to servers first for increased performance and only
resort to TCP if truncation of the returned data occurs.
The most popular implementation of the DNS protocol, BIND, was originally developed
at Berkeley for the 4.3 BSD UNIX operating system. The name BIND stands for
Berkeley Internet Name Domain. The primary specifications for DNS are defined in
Requests for Comments (RFCs) 974, 1034, and 1035.

How DNS works:

DNS uses a client/server model in which the DNS server maintains a static database of
domain names mapped to IP addresses. The DNS client, known as the resolver, performs
queries against the DNS servers. In short, DNS maps domain names to IP
addresses using these steps:
To resolve a domain name to an IP address with DNS
Step 1. A client (or resolver) passes its request to its local name server. For example,
the URL term www.idgbooks.com typed into Internet Explorer is passed to the
DNS server identified in the client's TCP/IP configuration. This DNS server is
known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other
name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to higher and higher-level name
servers until the query resolution process starts with the far-right term (for instance,
com) or at the top of the DNS tree with the root name servers.
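The three steps above, simulated over a constructed tree of name servers so the referral path and the not-found case can be seen, as an added example that is not from the manual (the zone data is made up and 192.0.2.x is documentation address space).

```python
"""Simulation of the three-step lookup above over a constructed tree of name
servers (added example, not from the manual; the zone data and addresses are
made up, and 192.0.2.x is documentation address space)."""

# Each server's records: owner name -> ("A", address) for an answer it is
# authoritative for, or ("NS", server key) for a delegation to a child zone.
SERVERS = {
    "root":            {"com": ("NS", "com-tld"), "edu": ("NS", "edu-tld")},
    "com-tld":         {"idgbooks.com": ("NS", "ns.idgbooks.com")},
    "ns.idgbooks.com": {"idgbooks.com": ("A", "192.0.2.1"),
                        "www.idgbooks.com": ("A", "192.0.2.10")},
    "edu-tld":         {"tamu.edu": ("NS", "ns.tamu.edu")},
    "ns.tamu.edu":     {"www.tamu.edu": ("A", "192.0.2.20")},
}


def best_match(records: dict, name: str):
    """Walk the name from its left-most label toward the far-right term and
    return the most specific record this server holds for it, or None."""
    labels = name.split(".")
    for i in range(len(labels)):           # "www.idgbooks.com", "idgbooks.com", "com"
        owner = ".".join(labels[i:])
        if owner in records:
            return owner, records[owner]
    return None


class LocalNameServer:
    """The 'local name server' of Step 1: answers from cache or walks the tree."""

    def __init__(self, servers=SERVERS) -> None:
        self.servers = servers
        self.cache = {}

    def resolve(self, name: str):
        """Return (address or None, list of servers queried in order)."""
        name = name.lower().rstrip(".")
        asked = []
        if name in self.cache:                      # Step 1 answered from the local cache
            return self.cache[name], asked
        current = "root"                            # Steps 2-3: walk down from the top of the tree
        for _ in range(len(self.servers) + 1):      # bounded: a circular delegation cannot loop forever
            asked.append(current)
            hit = best_match(self.servers[current], name)
            if hit is None:
                return None, asked                  # no server is authoritative: the name does not exist
            owner, (rtype, value) = hit
            if rtype == "NS":
                if value not in self.servers:
                    return None, asked              # delegation to a server we cannot reach
                current = value                     # follow the referral one level down
                continue
            if owner == name:
                self.cache[name] = value
                return value, asked
            return None, asked                      # the zone exists but has no such host
        return None, asked


if __name__ == "__main__":
    lns = LocalNameServer()
    print(lns.resolve("www.idgbooks.com"))   # walks root -> com-tld -> ns.idgbooks.com
    print(lns.resolve("www.idgbooks.com"))   # second time: served from cache, nobody asked
    print(lns.resolve("ftp.idgbooks.com"))   # zone found, host missing
```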

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) allows the dynamic leasing of IP
addresses to those computers configured as DHCP clients. By using DHCP, you are freed
from the burden of manually assigning IP addresses to most of your workstations.
DHCP is used by two types of systems:

DHCP servers. To use DHCP on your Windows NT Server-based network, you
must have at least one Windows NT server running the Microsoft DHCP service.
This server will need to have a DHCP scope defined that specifies TCP/IP
configurations and a pool of IP addresses that may be assigned to DHCP-compliant clients.

This is accomplished by the DHCP server responding to a request from the DHCP
client for an IP address lease. The DHCP server then selects from its address pool
an unused address that it may lease out to the client. Typically, the DHCP server
also provides additional TCP/IP configuration information for the client.

DHCP clients. When installing TCP/IP on a DHCP client (such as Windows
95/98), you can invoke the ability to have IP addresses assigned automatically by
properly configuring the client.

As long as a DHCP server is on the same network as the client, the server can respond to
the client with an IP address to lease. After leasing the IP address, the DHCP server
loads the TCP/IP configuration information on the client and uses TCP/IP to
communicate. In addition to IP addresses, the DHCP server can also supply DNS server
information to the client.

Apache HTTP Server

HTTP (Hyper Text Transfer Protocol) is the protocol used for the World Wide Web, and
Apache is the HTTP server implementation used on UNIX/LINUX.


Configuring the IP attributes on a windows workstation is certainly simpler than a unix
box. But an incorrect configuration can really mess around with your system, so exercise
caution before you change any addresses, routing table entries or other attributes.
a. Go to Start -> Settings -> Control Panel -> Network. Double click on the TCP/IP option
and this will open a window with the current IP settings. Modify the entries for IP
address, netmask, domain name, DNS server and default gateway.
b. You can specify an IP and its subnet mask to a network interface or let windows
acquire all necessary information for you automatically through DHCP (Dynamic
Host Configuration Protocol).
Note: We don't have DHCP running in the lab.

c. Specify the gateway for the subnet where the network interface is currently located.
All IP packets sending outside the subnet will be forwarded via the gateway. In our
case the gateway address is the router port to which your LAN is connected. If you
configure the IP address by DHCP, the DHCP server, if properly configured, may
assign a gateway as well.

d. Specify proper host and domain name (Host: Pent X; Domain: tamu.edu). Also
specify a proper DNS (Domain Name Server) to have an IP-domainname translation
service. DNS not only provides you the convenience of not having to remember those IP
numbers, but also plays a role in host identification, which is important in security.
TAMU DNS Servers are:,
e. To display the routing table go to Start -> Run -> type command.
You will reach the DOS shell.
C:\>route print
Try the following commands and observe the results.
C:\>route delete <ip address> <gateway>
C:\>route add <ip address> <gateway>
C:\>route print
Some useful tools for debugging a windows network configuration are as follows:
1. The status of the network configuration can be checked using the netstat -nr
command. This gives the routing table and the active TCP/UDP connections set up
between your workstation and a remote host.
2. You can also use winipcfg command to see current configuration for a specific
network interface, and to make some changes in the configuration.
3. Ping command. Use this command to check connectivity to other workstations in
your subnet, as well as the workstations on the other subnet.
4. traceroute command. Use this command to identify all network elements that fall
between your network and destination network.


Setting up a LAN using Unix/Linux

Disconnect all network station computers from the Laboratory network and connect them
to the station Catalyst 2912 switch. Alter the IP addresses of each computer to match the
following configuration.
(Network diagram not reproduced: station Catalyst 2912 switch, Windows 98 station and the IP assignments for each computer.)
Once you have finished the IP configurations, make sure you have connectivity between
all stations by pinging between them. Have the TA check-off your stations before
continuing to the next procedure. If you are having trouble with this procedure, refer to
exercise 3 for some LINUX networking commands.

PROCEDURE II: Building a LINUX Server

Perform a network installation of Redhat LINUX 7.3 from the lanwan.tamu.edu server.
When setting up your server, make sure to install the following components:

Apache Web Server

FTP Server
Samba File Server

For assistance on the network installation of Redhat 7.3 LINUX OS, see the LINUX
tutorial below:
To perform a network installation of Redhat Linux 7.3, you must first create
two floppy disks: one disk to boot into the initial linux environment, and
another disk containing drivers for your network adapter.
FTP to lanwan.tamu.edu with
Username netlab
Password letmein
Change to the /rh73net/dosutils folder and get rawrite.exe. Next, go to the
/rh73net/images folder and get bootnet.img and drvnet.img. Have two
formatted floppy disks on hand.

Execute the commands

rawrite.exe -f bootnet.img -d a:
rawrite.exe -f drvnet.img -d a:
for each disk.
Now we can install RedHat Linux 7.3. Boot the system that will have RH 7.3
installed with the first disk that was created with rawrite. At the boot prompt,
type linux dd. Answer yes to having a driver disk and insert the second disk
that was created when prompted.
Proceed through the prompts until questioned on the installation method.
Choose FTP. Next, set a static IP address, noting which lan you are connected
to. The nameserver is
Now enter the information for the FTP server. The FTP site name is
lanwan.tamu.edu. The Red Hat directory is /export/home/netlab/rh73net.
Check use non-anonymous ftp. The account information is the same as
above. If successful, Red Hat images should begin to transfer.
The type of system you want to install is a server type. Select Autopartition for
the partitioning scheme. Proceed with the install until asked what package
groups you want. Be sure to select Classic X Windows, X Window System,
Gnome, Window File Server, Anonymous FTP Server, Web Server and DNS

Create a small webpage for the Apache server using any HTML editor you choose.
Group members are to make a homepage for themselves with a link to each from the
main page.
You will need to have a hostname for your server and an IP address.

PROCEDURE III: Configure MS Networking

Set up both the Windows 98 and Windows 2000 machines to interface with the file-sharing
LINUX software called Samba. Create four users and an administrator on
Samba. Each user should have a personal directory and access to a shared temporary
directory. The administrator should have access to all directories.
Both Windows machines should be configured for DHCP with the LINUX server acting
as the DHCP server. For hints on DHCP installation see the information following the
lab questions for lab 4.
When you complete this exercise, have the TA check you off.

Prelab Questions:
1. Explain the operation of the DHCP protocol.
a. Show a sample configuration of a DHCP server being used to support 12
machines, make sure to include the list of IP addresses on the server and
the lease time.
b. Defend your choices of both.
2. Explain how DNS operates.
a. Make sure to include an example lookup for a URL. In your example,
what would happen if the campus DNS server could not resolve the
b. Where is the DNS server of last resort?

Lab Questions:

What is the difference between redirection and piping?

What is relative and absolute path in Unix/Linux file system?
List the important system directories of Unix/Linux and state their significance?
Discuss each of the protocols discussed during your lab.
Given the following host IP addresses and net-masks identify the six numbered
devices as switches (S) or routers (R). Letters are hosts, numbers are devices and
lines represent ethernet segments.
(Reminder: Switches and Hubs are used within the same subnet whereas routers
and gateways are used for routing between different subnets)



(Show detailed working for problem #2)

6. What do you think would happen if the net-mask were specified incorrectly for a
subnet? Please explain with an example.
7. Consider the following scenario: My default router can ping the outside world. I
can ping my default router. I can also ping the outside world but no one from
outside can ping me. What do you think is probably happening here?
8. If you have a network with 5 different LANs, each supporting 10 terminals, how
would you configure all the terminals to operate with DHCP. Make sure to
include a network diagram showing the different LANs and each DHCP server.
Take into consideration that inter-LAN traffic requires the use of a networking
9. Can all of a company's machines utilize DHCP?
a. If not explain what servers a company would not want to have DHCP?
b. Is DHCP a security risk? Explain
c. What are some other disadvantages of DHCP?




Implement a DHCP Server and DHCP Clients and learn the functional operation of
DHCP protocol.


DHCP Server Setup

DHCP server for UNIX

We are using the ISC DHCP software downloaded from ftp://ftp.isc.org/isc/dhcp/
1. After you download it, unpack it. Then cd into the distribution directory and
type: ./configure
2. It will take some time to configure the settings. After it is done, type: make and then
make install.
DHCP server configuration
3. When done with installation type ifconfig -a. You should see something like this:
eth0 Link encap:10Mbps Ethernet HWaddr 00:C0:4F:D3:C4:62
inet addr: Bcast: Mask:
RX packets:2875542 errors:0 dropped:0 overruns:0
TX packets:218647 errors:0 dropped:0 overruns:0
Interrupt:11 Base address:0x210
Note: If it doesn't say MULTICAST you should reconfigure your kernel and add
multicast support. On most systems you will not need to do this.
Next step is to add route for
"In order for dhcpd to work correctly with picky DHCP clients (e.g., Windows 95), it
must be able to send packets with an IP destination address of
Unfortunately, Linux insists on changing into the local subnet
broadcast address (here, that's This results in a DHCP protocol violation,
and while many DHCP clients don't notice the problem, some (e.g., all Microsoft DHCP
clients) do. Clients that have this problem will appear not to see DHCPOFFER messages
from the server."

Type: route add -host dev eth0

4. Create a configuration file and enter the setup information
Type: vi /etc/dhcpd.conf

A sample configuration that assigns IP addresses dynamically from a range is shown
below (this text must be located in dhcpd.conf; note the closing brace of the
subnet block and that ddns-update-style is a global setting):
# Sample /etc/dhcpd.conf
# (add your comments here)
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask;
option broadcast-address 10.10.X.255;
option routers 10.10.X.254;
option domain-name-servers (LANS 2-4),;
option domain-name "tamu.edu";
subnet netmask {
range 10.10.X.20 10.10.X.30;
}
This will result in the DHCP server giving a client an IP address from the range 10.10.X.20 to
10.10.X.30. It will lease an IP address for 600 seconds if the client doesn't ask for a
specific time frame; otherwise the maximum (allowed) lease will be 7200 seconds. The
server will also "advise" the client that it should use as its subnet mask, as its broadcast address, 10.10.X.254 as the router/gateway and and as its DNS servers.
Your task is to write the script to set up the DHCP server for your LAN.
Starting the server
There is only one thing to do before starting the server. In most cases the DHCP installation
doesn't create a dhcpd.leases file. This file is used by DHCPd to store information about
current leases. It is in plain text form, so you can view it during the operation of
DHCPd. To create dhcpd.leases type:
6. touch /var/state/dhcp/dhcpd.leases
This will create an empty file (file size = 0). Some older versions of dhcpd 2.0
placed the file in /etc/dhcpd.leases. You do not need to make any changes to the leases file;
it will be manipulated by dhcpd. If you get a message saying that the file exists, simply
ignore it and go to the next step.
You can now invoke the DHCP server. Simply type (or include in the bootup scripts)
This will invoke dhcpd on eth0 device. If you want to invoke it on another device simply
supply it on the command line e.g.
/usr/sbin/dhcpd eth1

To stop the server type the following

ps -A | grep dhcp
kill <pid>

Now, we will start the server on the debugging mode and put the server in foreground.
You can do this by typing

/usr/sbin/dhcpd -d -f

Then boot up one of your clients and check the console of your server. You will see a
number of debugging messages. If everything works out fine, you are done :-).
Quit dhcpd and start it without the -d and -f arguments. If you want dhcpd to start at
boot-up, include dhcpd in e.g.

Client Setup

Save it and reboot your computer. Type winipcfg and check the IP address
allotted and lease time and the protocol functioning. Observe the DHCP
exchanges and how the protocol works.

Module 3

Basic Switching & Routing

ENTC 425


Internetworking with Static Routes and VLANs



ENTC 425

Learn to internetwork sets of virtual local area networks (VLAN) using the Cisco
Catalyst 2912 switch and the Cisco 2522 Routers.

The Cisco Catalyst 29xx switch is a managed switch with xx ports.

Catalyst 29xx Switches

Protocols Supported:

Ethernet: IEEE 802.3, 10BaseT

Fast Ethernet: IEEE 802.3u, 100BaseTX

VLAN trunking/tagging: IEEE 802.1Q

Spanning-Tree Protocol: IEEE 802.1D

We will be learning to configure VLANs along with trunking and encapsulation of

Cisco Discovery Protocol
CDP is a device-discovery protocol that is both media and protocol independent. CDP is
available on all Cisco products, including routers, switches, bridges, and access servers.
Using CDP, a device can advertise its existence to other devices and receive information
about other devices on the same LAN. CDP enables Cisco products to exchange
information with each other regarding their MAC addresses, IP addresses, and outgoing
interfaces. CDP runs over the data link layer only, which allows two systems that support
different network-layer protocols to learn about each other. Each device configured for
CDP sends periodic messages to a multicast address. Each device advertises at least one
address at which it can receive Simple Network Management Protocol (SNMP)
Spanning Tree Protocol
STP is a bridge protocol that enables a learning bridge to dynamically work around loops
in a network topology by creating a spanning tree. Bridges exchange BPDU messages
with other bridges to detect loops and then remove the loops by shutting down selected
bridge interfaces.
STP maintains a network of multiple bridges or switches. When the topology changes,
the STP transparently reconfigures bridges and switches to avoid the creation of loops by
placing ports in forwarding or blocking state. Each bridge group has a separate instance
of the STP.
STP parameters are set for each bridge group. For each spanning tree instance, you
configure a set of global options with a set of port parameters. The port parameter list
contains only ports that are members of a given bridge group. The Layer 3 switch routers
support a maximum of 16 bridge groups, which run their own instance of spanning tree.
Virtual LANS
A VLAN configures switches and routers according to logical rather than physical
topologies. Using VLANs, a network administrator can combine any collection of LAN
segments within an internetwork into an autonomous user group, which appears as a
single LAN. VLANs logically segment the network into different broadcast domains so
that packets are switched only between ports within the VLAN. Typically, a VLAN
corresponds to a particular subnet, although not necessarily.
Basics of Switching
Here's how a switch works: as data passes through the switch, it examines the addressing
information attached to each data packet. From this information, the switch determines
the packet's destination on the network. It then creates a virtual link to the destination and
sends the packet there.
The efficiency and speed of a switch depend on its algorithms, its switching fabric, and
its processor. Its complexity is determined by the layer at which the switch operates in the
OSI (Open Systems Interconnection) Reference Model (see above). Traditionally,
switches operate at layer 2 (MAC + PHY) with no knowledge of IP addresses. As
computing power has advanced, some newer switches provide a built-in router, thus adding
layer 3 features.
Layer 2 Switches (The Data-Link Layer)
Layer 2 switches operate using physical network addresses. Physical addresses, also
known as link-layer, hardware, or MAC-layer addresses, identify individual devices.
Most hardware devices are permanently assigned this number during the manufacturing
process. Switches operating at Layer 2 are very fast because they're just sorting physical
addresses, but they usually aren't very smart; that is, they don't look at the data packet
very closely to learn anything more about where it's headed.
Layer 3 Switches (The Network Layer)
Layer 3 switches use network or IP addresses that identify locations on the network. They
read network addresses more closely than Layer 2 switches; they identify network
locations as well as the physical device. A location can be a LAN workstation, a location
in a computer's memory, or even a different packet of data traveling through a network.
Switches operating at Layer 3 are smarter than Layer 2 devices and incorporate routing
functions to actively calculate the best way to send a packet to its destination. But
although they're smarter, they may not be as fast if their algorithms, fabric, and processor
don't support high speeds.
A router is a special purpose computer, with lots of memory but no disk storage.
Routers work at Layer 3 of the OSI model and route packets based on the destination
address in the network layer. Bridges work at Layer 2 of the OSI model and forward
packets based on the MAC address. A bridge does no routing; rather, it decides whether
or not a packet received on one interface should be forwarded out the other based on the
MAC address.
Routers are capable of routing between different media, from Ethernet to Token Ring,
for example. Most of today's high-end routers are modular. They can be fitted with
interfaces for multiple Ethernet segments, Token Ring segments, FDDI, HSSI (high
speed serial interface), ATM, BRI, and standard serial interfaces. Modern routers are
also multi-protocol; that is, they can route many different protocols between interfaces.
Each router also has a console and auxiliary port used for maintenance, dial back-up, and
configuration. Routers route traffic based on the destination network or destination
When configuring a router, each interface (except for the console/aux interface) needs to
be told which networking protocols will be routed (ex. IP) and which routing protocol (
ex. RIP) should be used. In addition to IP, other common routed network protocols
include Novell (IPX/SPX), AppleTalk, DecNET, Banyan Vines, OSI, and others. Other
common routing protocols include RIP (Routing Information Protocol), IGRP, (Interior

Gateway Routing Protocol), EIGRP (Enhanced IGRP), OSPF (Open Shortest Path First)
and BGP (Border Gateway Protocol). The routing protocols allow routers to exchange
routing information
The Cisco Router Console Interface

All Cisco routers have at least a console port, a 25-pin female serial port or an 8-pin RJ45
female port. To access the router, you need to connect a serial cable between the console
port of the router and a PC's serial port; the console session is then run in a terminal
emulator such as HyperTerminal (as in the tutorial below). Attach one end of the console
cable to the serial port on the PC and the other end to the console port on the selected
router. Once the router has an interface with an IP address you can instead reach it over
the network with Start>Run>Telnet <router ip address>. Note that Telnet carries the login
and enable passwords in cleartext, so use it only on the isolated lab network.
Basics of CISCO IOS:
All Cisco networking devices run an operating system called the Internetwork
Operating System (IOS). There are four modes of operation of the IOS: ROM
Monitor mode, which is the mode when the IOS is not loaded; the EXEC command mode,
entered when the user logs in to the networking device; the enable prompt, which is a
privileged mode; and the configuration mode.
Only user level commands can be executed at the > prompt. User level commands are
mainly the show commands. As you will see later, these are very useful in
troubleshooting a routing problem. Configuration changes must be made at enable level;
they will not work at user level. Enable level allows you to actually change the
configuration settings on the router, including set-up of interfaces and configuring IP
addresses. To enter enable level, you must type enable at the user level prompt >.
User EXEC Mode
The default command mode for the CLI is user EXEC mode. The EXEC commands
available at the user EXEC level are a subset of those available at the privileged EXEC
level. In general, the user EXEC commands allow you to connect to remote devices,
change terminal settings on a temporary basis, perform basic tests, and list system
information. The prompt for user EXEC mode is the name of the device followed by an
angle bracket: Router>.
Privileged EXEC Mode
Privileged EXEC mode is password protected, and allows the use of all EXEC mode
commands available on the system. To enter privileged EXEC mode from user EXEC
mode, use the enable command. From privileged EXEC mode you reach global
configuration mode with the configure terminal command. The privileged EXEC mode
prompt consists of the device's host name followed by the pound sign: Router# .

Global Configuration Mode

Global configuration commands generally apply to features that affect the system as a
whole, rather than just one protocol or interface. You can also enter any of the specific
configuration modes listed in the following section from global configuration mode.
To enter global configuration mode, use the configure terminal privileged EXEC
command. The router prompt for global configuration mode is indicated by the term
config in parentheses: Router(config)# .
ROM Monitor Mode
If your router or access server does not find a valid system image to load, the system will
enter read-only memory (ROM) monitor mode. ROM monitor (ROMMON) mode can
also be accessed by interrupting the boot sequence during startup. From ROM monitor
mode, you can boot the device or perform diagnostic tests.
To enter ROM monitor mode, send a Break (Ctrl-Break in HyperTerminal) during the first 60
seconds of start-up. The router prompt is indicated by an angle bracket by itself or the term
rommon followed by a number and an angle bracket: > or rommon 1 > . Note that anyone with
console access during boot can reach ROM monitor mode and, from there, run the standard
password-recovery procedure that bypasses the enable password, so physical access to the
console port is equivalent to full administrative access to the router.

VLAN Tutorial:
Cisco 29XX



1. Log onto 29XX Switch.

2. Switch to enable mode.
3. Do a show vlan and show vtp status to see if there are any VLANs
configured and the VTP domain name and operating mode.
4. Set your domain name using these commands:
Switch#vlan database
Switch(vlan)#vtp domain telecom
5. Set up 2 workstations, one with IP address and the other,
netmask for both is
6. Connect workstation 1 to port 1 of the switch, and workstation 2 to port 9 of the switch.
7. By default, every port of the switch is a member of VLAN 1 (the native VLAN).
Check this by doing a show vlan.
8. Test and make sure the 2 workstations can ping each other.
9. Add a VLAN to the switch. Go back to vlan database mode and enter (the VLAN name
must be a single word):
Switch(vlan)#vlan 2 name telecom1
10. Do a show vlan to see that is has been entered.
11. Associate ports 9 and 10 with VLAN 2:
Switch#config t
Switch(config)#int fast 0/9
Switch(config-if)#switchport access vlan 2
Switch(config-if)#int fast 0/10
Switch(config-if)#switchport access vlan 2

12. Try pinging one workstation from the other (you should not be able to). Even
though both workstations are configured on the same subnet, and are also
physically connected to the same switch, they cannot see each other because they
are now in 2 different broadcast domains.
13. Move the RJ45 jack from port 1 (VLAN 1) to port 10 (VLAN 2). The stations
should now be able to ping each other once again since they are now both
members of VLAN 2(remember to wait for the led to turn from amber to green).
14. Now let's remove VLAN 2 from the switch's configuration:
Switch#vlan database
Switch(vlan)#no vlan 2
15. Verify that VLAN 2 is now deleted with show vlan. Notice that entries for
ports Fa0/9 and Fa0/10 are missing!
16. Check the running-config with sh run. Notice that they are still configured for
VLAN 2. The ports must now be reverted back to the native VLAN 1:
Switch#config t
Switch(config)#int fast 0/9
Switch(config-if)#no switchport access vlan 2
Switch(config-if)#int fast 0/10
Switch(config-if)#no switchport access vlan 2
17. The switch is now configured with every port back as a member VLAN 1.
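The failure mode of steps 15 and 16 (ports still configured for a VLAN that no longer exists) is easy to miss on a larger switch. The following script, an added example in Python and not part of the lab manual, parses a constructed running-config excerpt and a constructed show vlan excerpt, reports every access port whose VLAN is missing from the VLAN database, and prints the IOS lines that return those ports to VLAN 1. The interface names and VLAN table are made up for the example.

```python
"""Flag access ports assigned to a VLAN that no longer exists on the switch.

Added example (not from the lab manual). After "no vlan 2", ports Fa0/9 and
Fa0/10 keep "switchport access vlan 2" in the running-config but have no VLAN
to forward in. The config and VLAN table below are constructed samples.
"""
import re
from typing import Dict, List, Set

# Constructed running-config excerpt, as it might look after VLAN 2 was deleted.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
!
interface FastEthernet0/9
 switchport access vlan 2
!
interface FastEthernet0/10
 switchport access vlan 2
!
interface FastEthernet0/11
 switchport access vlan 3
!
interface FastEthernet0/12
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
"""

# Constructed "show vlan" excerpt from the same switch.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
3    lab                              active    Fa0/11
1002 fddi-default                     act/unsup
"""


def parse_access_ports(running_config: str) -> Dict[str, int]:
    """Map each access-mode interface to its access VLAN (VLAN 1 if none is set).

    Trunk ports are excluded: their VLAN membership comes from the trunk
    allowed list, not from 'switchport access vlan'.
    """
    vlans: Dict[str, int] = {}
    trunks: Set[str] = set()
    current = None
    for line in running_config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            vlans[current] = 1
            continue
        if current is None:
            continue
        m = re.match(r"\s+switchport access vlan (\d+)", line)
        if m:
            vlans[current] = int(m.group(1))
        elif re.match(r"\s+switchport mode trunk", line):
            trunks.add(current)
    return {intf: vid for intf, vid in vlans.items() if intf not in trunks}


def parse_vlan_ids(show_vlan: str) -> Set[int]:
    """Collect the VLAN IDs listed in 'show vlan' output (rows start with the ID)."""
    ids: Set[int] = set()
    for line in show_vlan.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+\S+", line)
        if m:
            ids.add(int(m.group(1)))
    return ids


def orphaned_access_ports(running_config: str, show_vlan: str) -> List[str]:
    """Interfaces whose configured access VLAN is absent from the VLAN database."""
    present = parse_vlan_ids(show_vlan)
    return sorted(intf for intf, vid in parse_access_ports(running_config).items()
                  if vid not in present)


def remediation(ports: List[str]) -> List[str]:
    """IOS lines that put the orphaned ports back in VLAN 1 (tutorial step 16)."""
    lines = ["configure terminal"]
    for port in ports:
        lines += [f"interface {port}", " no switchport access vlan"]
    return lines + ["end"]


if __name__ == "__main__":
    orphans = orphaned_access_ports(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_VLAN)
    print("orphaned access ports:", orphans)
    print("\n".join(remediation(orphans)))
```

The script compares VLAN IDs only, so it does not need to reconcile the short interface names (Fa0/9) of show vlan with the long names (FastEthernet0/9) of the running-config. A port left in a deleted VLAN passes no traffic at all, which is the symptom you would otherwise chase with ping.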

Static Route Configuration Tutorial:

This tutorial should be performed on the Cisco 2514 routers at the lab stations. The idea
is to familiarize you with the commands so you can perform the procedures.
1. Establish a hyper terminal connection from a laboratory station to the router
(note: three routers are provided so three people should be performing this
2. Password:
3. Enable Password:

When you first connect to the router and provide the password, you enter EXEC mode,
the first mode in which you can issue commands from the command line. From here you
can use such unprivileged commands as ping, telnet, and rlogin. You can also use some of
the show commands to obtain information about the system. In unprivileged mode you use
commands like show version to display the version of the IOS the router is running.
Typing show ? will display all the show commands available in the mode you are presently in.
4. Router>show ?
The prompt for EXEC mode is Router>. The command for help is show ?.Once you hit
enter after typing show ? the various commands will be displayed.
5. Go through each option and get an idea on what each command does. To do
this you type show command- name. Also familiarize yourselves with what
options each command supports. Then type the command at the command line
and see the output.
You must enter privileged mode to configure the router. You do this by using the
command enable. Privileged mode will usually be password protected unless the router is
unconfigured. When you issue the command enable and provide the password, you will
enter privileged mode.
6. Router > enable
To help the user keep track of what mode they are in, the command-line prompt changes
each time you enter a different mode. When you switch from unprivileged mode to
privileged mode, the prompt changes from:
Router> to Router#
The router functions in many modes. The normal or EXEC mode has the router name at
the prompt. The enable mode allows you to make changes to the router setup. This is
characterized by the Router# prompt. The config mode allows you to change the running
configuration, which lives in RAM; nothing is written to NVRAM (Non-Volatile RAM)
until you save it with copy running-config startup-config. This mode has the
Router(config)# prompt. You can reach enable mode by typing enable. Similarly you can
reach the configuration mode by typing configure terminal. You leave the mode by typing
end or pressing Ctrl-Z.
If you have just turned on the router, it will be completely unconfigured. If it is already
configured, you may want to view its current configuration. Even if it has not been
previously configured, you should familiarize yourself with the show commands before
beginning to configure the router. Enter privileged mode by issuing the command enable,
then issue several show commands to see what they display. Remember, the command
show ? will display all the show commands available in the current mode. Definitely try out
the following commands:
7. Router#show interfaces
Router#show ip protocols
Router#show ip route
Router#show ip arp
When you enter privileged mode by using the command enable, you are in the top-level
mode of privileged mode, also known in this document as "parent mode." It is in this top-level or parent mode that you can display most of the information about the router. As
you now know, you do this with the show commands. Here you can learn the
configuration of interfaces and whether they are up or down. You can display what IP
protocols are in use, such as dynamic routing protocols. You can view the route and ARP
tables, and these are just a few of the more important options.
As you configure the router, you will enter various sub-modes to set options, then return
to the parent mode to display the results of your commands. You also return to the parent
mode to enter other sub-modes. To return to the parent mode, you hit Ctrl-Z. This puts any
commands you have just issued into effect, and returns you to parent mode.
Global configuration (config)
To configure any feature of the router, you must enter configuration mode. This is the
first sub-mode of the parent mode. In the parent mode, you issue the command config.
8. Router#config
As demonstrated above, the prompt changes to indicate the mode that you are now in.
In configuration mode you can set options that apply system-wide, also referred to as
"global configurations." For instance, it is a good idea to name your router so that you
can easily identify it. You do this in configuration mode with the hostname command.

9. Router(config)#hostname Cisco2500
As demonstrated above, when you set the name of the host with the hostname command,
the prompt immediately changes by replacing Router with Cisco2500. (Note: It is a good
idea to name your routers with an organized naming scheme.)
Setting up DNS
Another useful command issued from config mode is the command to designate the DNS
server to be used by the router:
10. Router(config)#ip name-server aa.bb.cc.dd
Configuring interfaces
The Cisco 2500 used here has two Ethernet ports, Ethernet 0 and Ethernet 1. To display the
configuration of an interface you use the command:
11. Router#show interface ethernet 1
Router#show interface ethernet 0
Here is an example of configuring an Ethernet port with an IP address (the syntax is
ip address <address> <subnet mask>):
12. Router#config t
Router(config)#interface Ethernet 0
Router(config-if)#ip address
Router(config-if)#no shutdown
Then to verify configuration:
13. Router#show interface ethernet 0
Note the no shutdown command. An interface may be correctly configured and physically
connected, yet be "administratively down." In this state it will not function. The
command for causing an interface to be administratively down is shutdown .
In the Cisco IOS, the way to reverse or delete the results of any command is to simply put
no in front of it. For instance, if we wanted to unassign the IP address we had assigned to
interface Ethernet 0:
14. Router#config t

Router(config)#interface Ethernet 0
Router(config-if)#no ip address
Configuring most interfaces for LAN connections might consist only of assigning a
network layer address and making sure the interface is not administratively shutdown.
Static Routing
IP routing is automatically enabled on Cisco routers. If it has been previously disabled on
your router, you turn it back on in config mode with the command ip routing.
15. Router(config)#ip routing
There are two main ways a router knows where to send packets. The administrator can
assign static routes, or the router can learn routes by employing a dynamic routing protocol.
These days static routes are generally used in very simple networks or in particular cases
that necessitate their use. To create a static route, the administrator tells the router
operating system that any network traffic destined for a specified network layer address
should be forwarded to a similarly specified network layer address. In the Cisco IOS this
is done with the ip route command.
16. Router#config
Router#show ip route

Two things to be said about this example. First, the packet destination address must
include the subnet mask for that destination network. Second, the address it is to be
forwarded to is the specified address of the next router along the path to the destination.
This is the most common way of setting up a static route, and the only one this document
covers. Be aware, however, that there are other methods.
Setting up Gateway of Last Resort
It is necessary to set the default gateway. This identifies the default router that takes care
of a packet when there is no match for the packet's destination address in the routing table.
17. Router#config
Router#show ip route
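To make the lookup behaviour behind the static route and gateway of last resort concrete, the following Python model is added here as an example; it is not from the lab manual and not Cisco code. It takes the same arguments in the same order as the IOS ip route command (destination network, mask, next hop), picks the most specific matching prefix on lookup, and falls back to the 0.0.0.0 0.0.0.0 entry only when nothing else matches. The prefixes and next-hop addresses are constructed private-range samples.

```python
"""Longest-prefix lookup over static routes with a gateway of last resort.

Added example (not from the lab manual). Models the router's use of the
static routes entered with "ip route <network> <mask> <next-hop>"; all
addresses below are constructed samples.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class StaticRoutingTable:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def ip_route(self, network: str, mask: str, next_hop: str) -> None:
        """Same arguments, in the same order, as the IOS 'ip route' command."""
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
        ipaddress.IPv4Address(next_hop)  # reject a malformed next hop early
        if (net, next_hop) not in self._routes:
            self._routes.append((net, next_hop))
        # Most specific prefix first, so the first hit in lookup() is the longest match.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def no_ip_route(self, network: str, mask: str, next_hop: str) -> bool:
        """Remove one static route; returns False if it was not present."""
        entry = (ipaddress.IPv4Network(f"{network}/{mask}", strict=True), next_hop)
        if entry not in self._routes:
            return False
        self._routes.remove(entry)
        return True

    def gateway_of_last_resort(self) -> Optional[str]:
        """Next hop of the 0.0.0.0/0 route, if one is configured."""
        for net, hop in self._routes:
            if net.prefixlen == 0:
                return hop
        return None

    def lookup(self, destination: str) -> Optional[Tuple[str, str]]:
        """Return (matching prefix, next hop), or None when the packet would be dropped."""
        addr = ipaddress.IPv4Address(destination)
        for net, hop in self._routes:
            if addr in net:
                return str(net), hop
        return None

    def show_ip_route(self) -> List[str]:
        """Lines in the spirit of 'show ip route': S for static, S* for the default."""
        lines = []
        for net, hop in self._routes:
            code = "S*" if net.prefixlen == 0 else "S "
            lines.append(f"{code} {net} via {hop}")
        return lines


if __name__ == "__main__":
    rt = StaticRoutingTable()
    rt.ip_route("10.1.0.0", "255.255.0.0", "192.168.1.2")
    rt.ip_route("10.1.5.0", "255.255.255.0", "192.168.1.3")
    rt.ip_route("0.0.0.0", "0.0.0.0", "192.168.1.1")
    for dst in ("10.1.5.7", "10.1.9.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
    print("\n".join(rt.show_ip_route()))
```

Two things the model makes visible: a /24 route wins over the /16 that also covers the destination regardless of the order in which they were entered, and without the 0.0.0.0 0.0.0.0 entry a destination outside every configured prefix is simply dropped, which is exactly the "cannot reach a remote site" symptom in step 28 of the tutorial.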

Dynamic routing protocols, running on connected routers, enable those routers to share
routing information. This enables routers to learn the routes available to them. The
advantage of this method is that routers are able to adjust to changes in network
topologies. If a route is physically removed, or a neighbor router goes down, the routing
protocol searches for a new route. Routing protocols can even dynamically choose
between possible routes based on variables such as network congestion or network
reliability. We will do them in our next lab.
Saving your configuration
Once you have configured routing on the router, and you have configured individual
interfaces, your router should be capable of routing traffic. If a dynamic routing protocol
is running, give it a few moments to talk to its neighbors, then issue the commands
show ip route and show ip arp. There should now be entries in these tables learned from
the routing protocol.
If you turned the router off right now, and turned it on again, you would have to start
configuration over again. Your running configuration is not saved to any permanent
storage media. You can see this configuration with the command show running-config.
18. Router#show running-config
You do want to save your successful running configuration. Issue the command copy
running-config startup-config.
19. Router#copy running-config startup-config
Your configuration is now saved to non-volatile RAM (NVRAM). Issue the command
20. Router#show startup-config
Now any time you need to return your router to that configuration, issue the command
copy startup-config running-config.
Router#copy startup-config running-config
Inevitably, there will be problems. Usually, it will come in the form of a user notifying
you that they cannot reach a certain destination, or any destination at all. You will need
to be able to check how the router is attempting to route traffic, and you must be able to
track down the point of failure.
You are already familiar with the show commands, both specific commands and how to
learn what other show commands are available. Some of the most basic, most useful
commands you will use for troubleshooting are:

21. Router#show interfaces

Router#show ip protocols
Router#show ip route
Router#show ip arp
Testing connectivity
It is very possible that the point of failure is not in your router configuration, or at your
router at all. If you examine your router's configuration and operation and everything
looks good, the problem might be be farther up the line. In fact, it may be the line itself,
or it could be another router, which may or may not be under your administration.
One extremely useful and simple diagnostic tool is the ping command. Ping is an
application of the Internet Control Message Protocol (ICMP). Ping sends an ICMP echo
request to a destination IP address. If the destination machine receives the request, it
responds with an ICMP echo reply. This is a very simple exchange that consists of:
22. Router#ping xx.xx.xx.xx
If the ping test is successful, you know that the destination you are having difficulty
reaching is alive and physically reachable. If there are routers between your router and
the destination you are having difficulty reaching, the problem might be at one of the
other routers. Even if you ping a router and it responds, it might have other interfaces that
are down, its routing table may be corrupted, or any number of other problems may exist.
To see where packets that leave your router for a particular destination go, and how far,
use the trace command.
23. Router#trace xx.xx.xx.xx
It may take a few minutes for this utility to finish, so give it some time. It will display a
list of all the hops it makes on the way to the destination.

debug commands
The debug command is one of the key diagnostic tools for troubleshooting difficult
problems on a router. debug enables monitoring points in the IOS and generates
messages that describe what the IOS is doing and seeing. Beware: some debug options
create so many messages that the IOS cannot process them all, possibly crashing the IOS.
Some helpful debug commands:

no debug all       disables all debugs
debug ip packet    issues log messages for each IP packet sent and received
debug ip icmp      issues log messages for ICMP echo replies (ping responses)
debug ip rip       issues log messages for each RIP update

Router Examination Commands

Router Examination Commands are Cisco IOS commands that are used to examine the
status of a router. Each command permits examination of a different configurable
component of the router. Some of them are show version, show processes, show
buffers, show protocols, show ip protocol, show memory, show ip route, show flash,
show interfaces. Try the commands and observe the output.
The commands you will use most often are the ip family of configuration commands
(ip address, ip route, ip name-server).
At this point you should be familiar with the different commands available from the
command line.
Setting up the LAN
24. Now take a look at the link states for each link connected to the router.
Router#show ip interface brief
This will show which links are active, which are down, which are configured but
not in use yet and which are not configured at all.
25. View the Routing Table
Router#show ip route
Adding Static Routes
The commands to add and delete an entry in the routing table are (note the argument
order: the destination network, then its mask, then the next-hop router):
ip route <network address> <mask> <next hop router/gateway>
no ip route <network address> <mask> <next hop router/gateway>
26. First add the Domain Name Server
Router(config)# ip name-server <ip address>
27. Add the default route (the gateway of last resort), pointing at the lab's proxy/gateway
address:
Router(config)# ip route 0.0.0.0 0.0.0.0 <gateway address>
28. Ping within the subnet and also try reaching a remote site. Troubleshoot your
configuration until you can achieve this.

Tanenbaum provides an excellent introduction to routers and routing protocols in the
Network Layer chapter of his textbook. It is a good idea to review routing tables and
routing protocols. You can also go to the websites listed below to review a very nicely
presented introduction to routing schemes and protocols.

PROCEDURE I: Simple Inter-Network

Setup the following simple network using one router and the 2912 switch. Configure two
VLANs on the switch and use the IP addresses shown in the figure.

[Figure: Procedure I topology. Router R (Cisco 2522) connected to switch S (Catalyst 2912)
carrying two VLANs, with an MS 98 workstation; the IP addresses shown in the original
figure are not reproduced here.]






Check your configuration by using the ping and traceroute commands. You will be
required to perform an FTP transfer between the MS 2K machine and your LINUX
server. You should also be able to access the Apache webserver from any machine.
Have the TA check off your completed network.
HINT: Don't forget to set default routes in the terminals!

PROCEDURE II: Advanced Inter-Network

Setup the following network using all three routers and the 2912 switch. Configure three
VLANs on the switch and use the IP addresses shown in the figure.


[Figure: Procedure II topology. Router 1, Router 2 and Router 3, switch S (Catalyst 2912)
carrying three VLANs, and an MS 98 workstation; the IP addresses shown in the original
figure are not reproduced here.]






You should begin by configuring the VLANs and making sure you cannot ping between
the networks. Then configure/connect router 3 and make sure you can ping from the
LINUX box to the MS 2K machine. Now proceed with the other devices. The ONLY
way to successfully implement a network is through piece-wise implementation and
verification of success.
Check your configuration by using the ping and traceroute commands. You will be
required to perform an FTP transfer between the MS 2K machine and your LINUX
server. You should also be able to access the Apache webserver from any machine.
You have just configured:
1. A campus network with router 3 and an edge router (router 2)
2. A wide-area connection to a webserver connected through router 1
Have the TA check off your completed network.

Prelab Questions:
1. What is Packet Switching? Specifically, explain how a device can ensure two
packets arriving simultaneously can both exit the same port without collisions.
What is the major advantage of switching over hubs? Given the answers to the
above questions, draw a conclusion about the limiting factors of a switch (be
specific and explain your answer; there is a lot of literature available discussing
the design limitations of a switch).
2. What are VLANS and how do they differ from ordinary LANS?
3. Explain ISL trunking in no less than 2 pages (include diagrams).
4. What are the benefits of hierarchical routing and of flat routing?
5. What is a static route and what is a dynamic route?

Lab Questions:

Describe the Pros and Cons of Packet switching vs Circuit Switching?

What are the advantages of using VLANs?
Give a practical scenario where VLANs can be used?
Design question


[Figure: design-question topology with PC 1 to PC 6 attached to a switch carrying three
VLANs; the VLAN membership and addresses of the PCs are shown in the original figure
and are not reproduced here.]

1. Which PCs can reach (or view) each other at Layer 2 (Show combinations)?
2. Can PC 3 reach PC1? What addresses must PC3 know (be careful) to be able to send
packets to PC1?
3. If PC1 only has the IP address of the PC5, how would it communicate with PC5, Show
all the steps.
4. If PC2 only knows the MAC address of the PC5, how would it communicate with PC5?
5. If there were no VLANS would this change your answer to previous question? Go back
over each of the first four questions and state your new answer assuming (if it changed)
assuming all three VLANs were removed and all the PCs were on the same LAN.

Module 4

Advanced Switching & Routing

ENTC 425


Advanced Networking Dynamic Routing Protocols




Learn to implement 802.1q trunking between LANs. Learn to implement and analyze the
dynamic routing protocols RIP and OSPF.

Virtual LANs enable network managers to group users logically rather than by physical
location. A virtual LAN (VLAN) is an emulation of a standard LAN that allows data
transfer and communication to occur without the traditional restraints placed on the
network. It can also be considered a broadcast domain set up within a switch. With
VLANs, switches can support more than one subnet (or VLAN) on each switch, and give
routers and switches the opportunity to support multiple subnets on a single physical link.
A group of devices that belong to the same VLAN, but are part of different LAN
segments, are configured to communicate as if they were part of the same LAN segment.
Layer 3 switching supports up to 244 VLAN sub interfaces per system.
VLANs enable efficient traffic separation and provide excellent bandwidth utilization.
VLANs also alleviate scaling issues by logically segmenting the physical LAN structure
into different subnetworks so that packets are switched only between ports within the
same VLAN. This can be very useful for security, broadcast containment, and
A trunk is a physical point-to-point Ethernet link which carries multiple virtual links,
alleviating the physical port constraints. Trunks carry the traffic of multiple VLANs over
a single link and allow VLANs to be extended across an entire network.
A trunk is a point-to-point link carrying several VLANs. The purpose of a trunk is to save
ports when creating a link between two devices implementing VLANs, typically two
switches. In the following diagram, we can see two VLANs that we want available on
two switches, Sa and Sb. The first easy method to implement is to create two physical
links between the devices, each one carrying the traffic for a VLAN:

Of course, this solution does not scale. If we wanted to add a third VLAN, we would
need to sacrifice two additional ports. This design is also inefficient in terms of load
sharing; the traffic on some VLANs may not justify a dedicated link. A trunk will bundle
virtual links over one physical link, as shown in the next diagram:

Here, the single physical link between the two switches is able to carry traffic for any
VLAN. In order to achieve this, each frame sent on the link is tagged by Sa so that Sb
knows which VLAN it belongs to. Different tagging schemes exist. The most common for
Ethernet segments are:

ISL (this is the original Cisco proprietary InterSwitch Link protocol)

802.1q (the IEEE standard we will focus on in this document)

Basic Characteristics of 802.1q Trunking

Tagging Mechanism
802.1q uses an internal tagging mechanism. Internal means that a tag is inserted within
the frame (with ISL, the frame is encapsulated instead):

Note that on a 802.1q trunk, one VLAN is NOT tagged. This VLAN, named the native
VLAN, must be configured the same on each side of the trunk. This way, we can deduce
to which VLAN a frame belongs when we receive a frame with no tag.
The tagging mechanism implies a modification of the frame; the trunking device inserts a
4-byte tag and recomputes the frame check sequence (FCS):

The EtherType field identifying the 802.1q frame is 0x8100. In addition to the 12-bit
VLAN-ID, 3 bits are reserved for 802.1p priority tagging.
Also, note that inserting a tag into a frame that already has the maximum Ethernet size
creates a 1522-byte frame that can be considered a "baby giant" by the receiving
equipment. The 802.3 committee addressed this by extending the maximum standard
frame size to 1522 bytes for tagged frames (IEEE 802.3ac).
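The tag insertion described above, written out in Python as an added example (not from the lab manual and not Cisco code): on trunk egress the 4-byte tag (TPID 0x8100, 3-bit 802.1p priority, 1-bit CFI, 12-bit VLAN ID) goes in after the source MAC and the FCS is recomputed, frames of the native VLAN are sent untagged, a maximum-size 1518-byte frame becomes a 1522-byte baby giant, and on ingress an untagged frame is assigned to the native VLAN. The MAC addresses and payload are constructed; the FCS is the Ethernet CRC-32, computed with zlib.crc32 and transmitted least-significant byte first.

```python
"""Insert and strip an IEEE 802.1Q tag in an Ethernet frame.

Added example (not from the lab manual). The addresses and payload below are
constructed samples; the FCS is the Ethernet CRC-32 (zlib.crc32, little-endian).
"""
import struct
import zlib
from typing import Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518  # 6 + 6 + 2 + 1500 + 4


def _fcs(frame_body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes are the CRC-32 of the rest of the frame."""
    return _fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: DA, SA, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + _fcs(body)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0, native_vlan: int = 1) -> bytes:
    """Trunk egress: tag the frame unless it belongs to the native VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan_id == native_vlan:
        return frame  # native VLAN leaves the trunk untagged
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)   # CFI bit left at 0
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + _fcs(body)  # the tag changes the frame, so the FCS is recomputed


def classify_frame(frame: bytes, native_vlan: int = 1) -> Tuple[int, int, bytes]:
    """Trunk ingress: return (vlan_id, priority, untagged frame); rejects a bad FCS."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return native_vlan, 0, frame          # no tag: belongs to the native VLAN
    tci = struct.unpack("!H", frame[14:16])[0]
    body = frame[:12] + frame[16:-4]          # drop the 4-byte tag
    return tci & 0x0FFF, tci >> 13, body + _fcs(body)


def is_baby_giant(frame: bytes) -> bool:
    return len(frame) > MAX_UNTAGGED_FRAME


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = build_frame(dst, src, ETHERTYPE_IPV4, bytes(1500))  # maximum-size frame
    tagged = tag_frame(frame, vlan_id=2, priority=5)
    print(len(frame), len(tagged), is_baby_giant(tagged))
    print(classify_frame(tagged)[:2])
```

The native-VLAN rule in classify_frame is also the root of the classic double-tagging VLAN hop: a host on an access port that sits in the trunk's native VLAN can send a frame carrying its own 802.1Q tag; the first switch forwards it untagged onto the trunk (native VLAN), and the next switch reads the inner tag and delivers the frame into that VLAN. The usual mitigation is to set the trunk's native VLAN to an otherwise unused VLAN and to tag the native VLAN as well (vlan dot1q tag native on IOS). Note also that the FCS only detects corruption; it offers no protection against a deliberately altered tag.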
Routing between VLANs is achieved by encapsulating the packets from the VLANs.
There are 2 methods used:

Inter-Switch Link (ISL): ISL is a Cisco-proprietary trunking encapsulation.

IEEE 802.1Q: 802.1Q is an industry-standard trunking encapsulation.
IEEE 802.1Q VLAN Encapsulation
802.1Q VLAN encapsulation uses a one-level, packet tagging scheme to multiplex
VLANs across a single physical link, while maintaining strict adherence to the individual
VLAN domains. 802.1Q can have access ports or untagged ports where frames are
assigned to VLANs based on a port VLAN identifier (PVID), or native VLAN for the
port. It can also have trunked ports where some frames can be tagged and others
untagged. 802.1Q uses Per VLAN Spanning Tree Plus (PVST+), mapping multiple
spanning trees to the spanning tree of pure 802.1Q switches. IEEE 802.1Q VLAN
encapsulation is supported over the internal and external gigabit router ports.
Inter-Switch Link VLAN Encapsulation
Layer 3-switching software also supports Inter-Switch Link (ISL) encapsulation over the
external Gigabit Ethernet ports or if configured as a GEC. The Catalyst 4003 and 4006
Layer 3 Services module can be deployed in environments with the ISL trunking protocol
and can route between external gigabit ports running ISL and internal gigabit ports
running 802.1Q stations. External ports support ISL, which use one PVST+ over ISL

INTRODUCTION (Dynamic Routing Protocols)

Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is a distance-vector protocol that uses hop count
as its metric. RIP is widely used for routing traffic in the global Internet and is an interior
gateway protocol (IGP), which means that it performs routing within a single
autonomous system. Exterior gateway protocols, such as the Border Gateway Protocol
(BGP), perform routing between different autonomous systems. The latest enhancement
to RIP is the RIP 2 specification, which allows more information to be included in RIP
packets and provides a simple authentication mechanism.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology
changes. When a router receives a routing update that includes changes to an entry, it
updates its routing table to reflect the new route. The metric value for the path is
increased by one, and the sender is indicated as the next hop. RIP routers maintain only
the best next hop (the route with the lowest metric value) to a destination. After
updating its routing table, the router immediately begins transmitting routing updates to
inform other network routers of the change. These updates are sent independently of the
regularly scheduled updates that RIP routers send.
RIP Routing Metric
RIP uses a single routing metric (hop count) to measure the distance between the source
and a destination network. Each hop in a path from source to destination is assigned a
hop-count value, which is typically 1. When a router receives a routing update that
contains a new or changed destination-network entry, the router adds one to the metric
value indicated in the update and enters the network in the routing table. The IP address
of the sender is used as the next hop.
RIP prevents routing loops from continuing indefinitely by implementing a limit on the
number of hops allowed in a path from the source to a destination. The maximum number
of hops in a path is 15. If a router receives a routing update that contains a new or
changed entry, and if increasing the metric value by one causes the metric to be infinity
(that is, 16), the network destination is considered unreachable.
RIP Stability Features
To adjust for rapid network-topology changes, RIP specifies a number of stability
features that are common to many routing protocols. RIP, for example, implements the
split-horizon and hold-down mechanisms to prevent incorrect routing information from
being propagated. In addition, the RIP hop-count limit prevents routing loops from
continuing indefinitely.

RIP Timers
RIP uses numerous timers to regulate its performance. These include a routing-update
timer, a route timeout, and a route-flush timer. The routing-update timer clocks the
interval between periodic routing updates. Generally, it is set to 30 seconds, with a small
random number of seconds added each time the timer is reset to prevent collisions. Each
routing-table entry has a route-timeout timer associated with it. When the route-timeout
timer expires, the route is marked invalid but is retained in the table until the route-flush
timer expires.
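The update processing, hop-count limit, split horizon and route timers described above, as an added Python model that is not part of the lab handout. The route-timeout and flush values are the RFC 2453 defaults (180 s and 120 s); the network and neighbor addresses in the usage are constructed.

```python
INFINITY = 16          # a metric of 16 means "unreachable"; 15 hops is the longest legal path
ROUTE_TIMEOUT = 180    # seconds without a refresh before a route is marked invalid (RFC 2453 default)
ROUTE_FLUSH = 120      # seconds after that before the entry is removed (RFC 2453 garbage-collection timer)


class RipRouter:
    """Distance-vector routing table of one router: network -> route entry."""

    def __init__(self, name, connected):
        # connected: {network: interface}; directly attached networks cost one hop
        self.name = name
        self.table = {}
        for net, iface in connected.items():
            self.table[net] = {"metric": 1, "next_hop": None, "iface": iface,
                               "connected": True, "heard": None}

    def receive_update(self, sender_ip, in_iface, entries, now):
        """Process one update (list of (network, metric)) from the neighbor sender_ip.
        Returns the networks whose entry changed; a non-empty list is what triggers an
        immediate update instead of waiting for the 30 s periodic timer."""
        changed = []
        for net, advertised in entries:
            metric = min(advertised + 1, INFINITY)        # add our own hop
            cur = self.table.get(net)
            if cur is None:
                if metric < INFINITY:                     # ignore unreachable news about unknown nets
                    self.table[net] = self._learned(metric, sender_ip, in_iface, now)
                    changed.append(net)
            elif cur["connected"]:
                pass                                      # never override a connected network
            elif cur["next_hop"] == sender_ip:
                cur["heard"] = now                        # refresh the route-timeout timer
                if metric != cur["metric"]:               # follow the current next hop, better or worse
                    cur["metric"] = metric
                    changed.append(net)
            elif metric < cur["metric"]:                  # strictly better path via another neighbor
                self.table[net] = self._learned(metric, sender_ip, in_iface, now)
                changed.append(net)
        return changed

    @staticmethod
    def _learned(metric, next_hop, iface, now):
        return {"metric": metric, "next_hop": next_hop, "iface": iface,
                "connected": False, "heard": now}

    def build_update(self, out_iface):
        """Entries advertised on out_iface, with split horizon: a route reachable through
        an interface is never advertised back out that same interface."""
        return [(net, r["metric"]) for net, r in self.table.items()
                if r["iface"] != out_iface]

    def expire(self, now):
        """Route-timeout and route-flush timers for learned routes."""
        for net in list(self.table):
            r = self.table[net]
            if r["connected"]:
                continue
            age = now - r["heard"]
            if age >= ROUTE_TIMEOUT + ROUTE_FLUSH:
                del self.table[net]                       # route-flush timer expired
            elif age >= ROUTE_TIMEOUT:
                r["metric"] = INFINITY                    # invalid, but retained until flushed

    def reachable(self, net):
        r = self.table.get(net)
        return r is not None and r["metric"] < INFINITY
```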
OSPF: Open Shortest Path First
This is based on Dijkstra's Shortest Path algorithm. Routers accumulate link-state
information dynamically using Link State Advertisements (LSAs) and build a dynamically
changing topological map of the network with respect to themselves. Routers calculate the
shortest path to a network or node with themselves as root using the Shortest Path First
(SPF) algorithm and then route the packets through the best path. The shortest path here
means the path through which the packet will encounter the least delay, so it is not
necessarily the shortest geographical path. To compute a route metric this protocol takes
into account the traffic and bandwidth of each link in the path to the destination. This
allows load balancing. Another advantage of OSPF is that the router need not be aware of
the entire network map to route packets. Also this protocol uses an authentication scheme
between routers when the LSA updates are made. Since each router routes independently,
this protocol is easier to debug than RIP.
Once set up, an OSPF router broadcasts 5 types of control packets:
a. Hello Packet: This is an "I am alive" signal. It serves the purpose of identifying
neighbors and existing routers.
b. Database Description Packet: This facilitates exchange of information between
routers detailing their respective routing tables to check if any data is missing from
their respective topological database.
c. Link State Request Packet: This asks other routers for data that has been
determined to be missing or outdated from the topological database.
d. Link State Update Packet: This sends out the data requested by a router via the Link
State Request Packet.
e. Link State Acknowledge Packet: This is an acknowledgement sent out for the
update received.

VLAN Trunking Tutorial:

VLAN Trunking Tutorial for the 29XX Switch and 2600 Router

[Figure: Cisco 29XX switch, ports int fa0/1 and int fa0/9, trunking VLAN 2 and
VLAN 3 over int fa0/20 to int fa0/0 on the Cisco 2600 Router]

Set up the 29XX Switch

1. Set up VLAN 2 and VLAN 3 on the 29XX Switch (do not use the native VLAN 1
for this exercise). For help on setting up VLANs, please refer to the previous
VLAN Tutorial. Use Port 1 for VLAN2, and Port 9 for VLAN3.
2. We will now set up a VLAN trunk between the 29XX Switch and the 2600 Router. (The
2500 Routers do not support VLAN trunks because their ports are only 10 Mbit; VLAN
trunks require 100 Mbit links.)
3. Set up two workstations. Workstation 1 will have IP address (gw and Workstation 2 will have (gw,
4. Connect Workstation 1 to Port 1 and Workstation 2 to Port 9.
5. Set up Port 20 on the 29XX Switch to do VLAN trunking, using 802.1q
encapsulation, forwarding all VLAN traffic. Connect this port to Fastethernet 0/0
on the 2600 Router.
Switch(config)#int fa 0/20
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encap dot1q
Switch(config-if)#switchport trunk allowed vlan all

Set up the 2600 Router

6. Log into the 2600 Router and go to enable mode.
7. Enable Fastethernet 0/0.
Router#config t
Router(config)#int fast 0/0
Router(config-if)#no shut
8. Configure the subinterfaces. Fastethernet 0/0.1 will have encapsulation of dot1q,
with an associated VLAN number of 2. Its ip address will be
Router(config)#int fast 0/0.1
Router(config-if)#encap dot1q 2
Router(config-if)#ip address
9. Fastethernet 0/0.2 will also have encapsulation of dot1q, with an associated
VLAN number of 3. Its ip address will be
Router(config-if)#int fast 0/0.2
Router(config-if)#encap dot1q 3
Router(config-if)#ip address
10. The workstations should now be able to ping and traceroute each other.
11. Attempt to ping both the actual and virtual interfaces on the router. Can you ping
all the interfaces from both machines?

Router Configuration Tutorial:

Use HyperTerminal to access the routers through the Console Port.

[Figure: Network Layout]
1. Set up the IP Address on each of the interfaces given by your TA.
2. Start the sniffer on your desktop (the software is called Distinct Network
Monitor). You can do so by clicking on start ->Programs -> Distinct -> Network
3. Set the sniffer to capture UDP packets on screen (the TA will show you how to do
4. In the router set debug mode on by typing debug ip rip
5. Enable RIP routing by typing:
Router(config)# router rip
This should be done in all the routers.
6. The routers can now communicate with each other through the RIP protocol. The
group working on the 7000 (new) router should be able to see the RIP update packets on
their console terminal. The group on the 4000 router can see the updates by typing
show log. The 7000 router doesn't show any log as it has the old IOS version
installed. The group working on the 7000 router can see the update messages on the
other routers.
7. Also see the packets captured by the sniffer and answer the questions.
8. Try removing one of the links and see how the routing tables are updated.
9. Now disable the RIP routing using
Router(config)# no router rip

10. Now enable the OSPF protocol
Router(config)# router ospf 1
Router(config-router)# network area 10
11. Put the router in debug mode and see the packets exchanged.
12. Remove one of the links and see how the routes are being updated.
13. You must get yourself checked off by your TA.


Procedure I : Implement 802.1q Trunking

This procedure will require the use of either a Cisco 2600 router or a Cisco 3640 router.
The AUI ports provided on the 2500 series routers do not support encapsulation and
therefore cannot be used for 802.1q trunking. Implement an 802.1q trunk from the 2600
(3640) to the Catalyst 2912 switch through Ethernet port E0. Verify the operation of the
trunk by placing Lab computers on each network and performing ping and traceroute
commands. Make sure you can ping the logical IP addresses of the trunk. Enable RIP on
the router.
You will have to assign VLANs in the switch and configure it for trunking.

[Figure: R 2600 (3640), S 2912, MS 98, Switch VLAN0]

When the configuration is complete, have your TA check off the trunk and begin the
Connect a lab computer to VLAN0 and begin an Ethereal capture. Perform a
ping from the LINUX box to the MS 98 computer and monitor the frames sent
through VLAN0.
Perform the procedure described above with the Ethereal operating on
Perform the same procedure with the Ethereal operating on VLAN B.
Draw a conclusion about how the frames traverse through the switch and be
ready to describe in detail in the lab questions.

Procedure II : Implement a RIP Network

Design and implement a small network employing the dynamic routing protocol RIP.
This lab calls for all three 2500 routers, one 2600 (3640) router and the 2912 switch. Set
up the network as shown below with all routers running RIP on every interface (even
logical interfaces!).

[Figure: Router A, Router B, Router C, Router D; Ethernet LAN 1, Ethernet LAN 2,
Ethernet LAN 3; S 2912]

Design guidelines and suggestions:

1. VLAN Assignments (suggested)
VLAN 0: 1 port
VLAN 1: 2 ports
VLAN 2: 3 ports
VLAN 3: 3 ports
VLAN 4: 3 ports
2. Router to Router LAN
Router A - Router B:
Router B - Router C: VLAN 3 (
Router C - Router D: VLAN 4 (
Router D - Router A: VLAN 1 ()
3. Assign Gateways the address x.x.x.254. There should only be ONE gateway
for each LAN (VLAN).

Draw a detailed diagram with all interfaces labeled and all IP addresses shown
(even for the logical links). Have the TA check this before you begin
configuring the network.
Setup Router A first and implement the trunk and all VLANS in the switch.
Verify you have setup the switch correctly before you begin.
Check your configuration after each change; proceed in an organized fashion
so that problems can be found and fixed before you connect all the equipment.
Some problems with dynamic routing can remain even after you have fixed a
problem so make sure you have the configuration setup correctly BEFORE
you engage RIP.

1. Complete the setup and engage RIP on every router (all interfaces).
2. Capture (and save) the routing table on router C.
3. Configure MS 2K station to perform frame captures using Ethereal and begin
frame captures.
4. Disconnect the cable between router D and VLAN 2.
5. Wait ~10 minutes and then end the Ethereal session. Capture (and save) the
routing table on router C.
6. Be prepared to show the router updates that traversed VLAN 3 after the cable
was disconnected.

Prelab Questions:
1. Explain the operations upon a single packet passing through an 802.1q TRUNK
between two different VLANS. Be specific and include diagrams of the header
structure and all frame fields.
2. How is encapsulation different from trunking (be specific)?
a. Define each and highlight differences.
b. How should each be used in a corporate network?
3. What is an administrative distance?
4. Why do routing protocols use metrics?
5. What is convergence time?
6. What is the difference between a routed and routing protocol? Give 2 examples.
7. Compare Static with Dynamic Routes and give scenarios when static route is
preferable to dynamic route and vice versa?
8. Explain the split horizon and hold down mechanisms?
9. Read RFC covering OSPF and provide Byte-level layout of each broadcast packet
Lab Questions:
1. Create a short (5 page) tutorial on configuring 802.1q Trunks between two
VLANS on a Cisco 2912 switch and a Cisco 2600 (3640) router. Include in your
tutorial all necessary commands for each device to configure the VLANs and the
frame captures from procedure 1. Make sure to describe in detail how frames
move through the switch and router, both logically and physically.
2. In report form, explain the events which occurred after disconnecting the cable in
procedure 2. Make sure to use the Ethereal session data to show all the update
packets that traversed VLAN 3. In your report, highlight the routing table being
passed in each frame and make sure to indicate which router was sending the
3. How much time was required for the network to settle, that is, how long until
the routing updates were the same? Is this longer or shorter than you expected,
given your understanding of the RIP protocol?
4. What protocol does RIP use? Which port number does it use?
5. What are the RFCs which explain RIP, RIPv2 and BGP?
6. Provide a diagram of your network in procedure 2 including IP addresses and NIC
interface names (E0, etc.). Attach the configuration of each 2500 router to your

Module 5

Basic Network Security

ENTC 425

Advanced Routing: Network Address Translation & Access List Setup


In this lab we will be learning about Network Address Translation and Access List
setup in Cisco routers.
The Internet is expanding at an exponential rate. As the amount of information and
resources increases, it is becoming a requirement for even the smallest businesses and
homes to connect to the Internet. Network Address Translation (NAT) is a method of
connecting multiple computers to the Internet (or any other IP network) using one IP
address. This allows home users and small businesses to connect their network to the
Internet cheaply and efficiently.
The impetus towards increasing use of NAT comes from a number of factors:
A world shortage of IP addresses
Security needs
Ease and flexibility of network administration

NAT automatically provides firewall-style protection without any special set-up. That is
because it only allows connections that are originated on the inside network. This means,
for example, that an internal client can connect to an outside FTP server, but an outside
client will not be able to connect to an internal FTP server because it would have to
originate the connection, and NAT will not allow that. It is still possible to make some
internal servers available to the outside world via inbound mapping, which maps certain
well-known TCP ports (e.g. 21 for FTP) to specific internal addresses, thus making
services such as FTP or Web available in a controlled way.
To summarise, a NAT gateway can provide the following benefits:
Firewall protection for the internal network; only servers specifically designated
with "inbound mapping" will be accessible from the Internet
Protocol-level protection
Automatic client computer configuration control
Packet level filtering and routing
The basic purpose of NAT is to multiplex traffic from the internal network and present it
to the Internet as if it was coming from a single computer having only one IP address.

The TCP/IP protocols include a multiplexing facility so that any computer can maintain
multiple simultaneous connections with a remote computer. It is this multiplexing facility
that is the key to single address NAT.
To multiplex several connections to a single destination, client computers label all
packets with unique "port numbers". Each IP packet starts with a header containing the
source and destination addresses and port numbers:
Source address | Source port | Destination address | Destination port
This combination of numbers completely defines a single TCP/IP connection. The
addresses specify the two machines at each end, and the two port numbers ensure that
each connection between this pair of machines can be uniquely identified.
Each separate connection is originated from a unique source port number in the client,
and all reply packets from the remote server for this connection contain the same number
as their destination port, so that the client can relate them back to its correct connection.
In this way, for example, it is possible for a web browser to ask a web server for several
images at once and to know how to put all the parts of all the responses back together.
When any remote server responds to a NAT client, incoming packets arriving at the
NAT gateway will all have the same destination address, but the destination port number
will be the unique source port number that was assigned by the NAT. The NAT gateway
looks in its port mapping table to determine which "real" client address and port number
a packet is destined for, and replaces these numbers before passing the packet on to the
local client.
This process is completely dynamic. When a packet is received from an internal client,
NAT looks for the matching source address and port in the port mapping table. If the
entry is not found, a new one is created, and a new mapping port allocated to the client:
    Incoming packet received on non-NAT port
    Look for source address, port in the mapping table
    If found, replace source port with previously allocated mapping port
    If not found, allocate a new mapping port
    Replace source address with NAT address, source port with mapping port
Packets received on the NAT port undergo a reverse translation process:
    Incoming packet received on NAT port
    Look up destination port number in port mapping table
    If found, replace destination address and port with entries from the mapping table
    If not found, the packet is not for us and should be rejected
Each client has an idle time-out associated with it. Whenever new traffic is received for a
client, its time-out is reset. When the time-out expires, the client is removed from the
table. This ensures that the table is kept to a reasonable size. The length of the time-out
varies, but taking into account traffic variations on the Internet should not go below 2-3
minutes. Most NAT implementations can also track TCP clients on a per-connection
basis and remove them from the table as soon as the connection is closed. This is not
possible for UDP traffic since it is not connection based.
Because the port mapping table relates complete connection information - source and
destination address and port numbers - it is possible to validate any or all of this
information before passing incoming packets back to the client. This checking helps to
provide effective firewall protection against Internet-launched attacks on the private
Each IP packet also contains checksums that are calculated by the originator. They are
recalculated and compared by the recipient to see if the packet has been corrupted in
transit. The checksums depend on the contents of the packet. Since the NAT must modify
the packet addresses and port numbers, it must also recalculate and replace the
checksums. Careful design in the NAT software can ensure that this extra processing has
a minimal effect on the gateway's throughput. Before doing so it must check for, and
discard, any corrupt packets to avoid converting a bad packet into a good one.
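The port-mapping table, reverse translation, idle time-out and checksum handling described above, as an added Python model that is not from the lab handout. It keeps only the four header fields a NAT rewrites (a simplified header) and verifies them with the RFC 1071 one's-complement checksum; the 180 s idle time-out, the mapping port range and all addresses are constructed.

```python
import struct
from dataclasses import dataclass, replace

IDLE_TIMEOUT = 180                     # seconds; the text asks for at least 2-3 minutes (constructed value)
MAPPING_PORTS = range(40000, 65536)    # mapping ports the gateway hands out (constructed range)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, the same arithmetic as the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


@dataclass(frozen=True)
class Packet:
    """Simplified header: only the fields a NAT rewrites, plus a checksum over them."""
    src: str
    sport: int
    dst: str
    dport: int
    checksum: int = 0

    def header(self) -> bytes:
        return ip_bytes(self.src) + ip_bytes(self.dst) + struct.pack("!HH", self.sport, self.dport)

    def sealed(self) -> "Packet":
        """Recompute and replace the checksum after a field change (what the NAT must do)."""
        return replace(self, checksum=inet_checksum(self.header()))

    def intact(self) -> bool:
        return inet_checksum(self.header()) == self.checksum


class NatGateway:
    def __init__(self, nat_address: str):
        self.nat_address = nat_address
        self.by_client = {}   # (client address, client port) -> (mapping port, last seen)
        self.by_port = {}     # mapping port -> (client address, client port)
        self._free_ports = iter(MAPPING_PORTS)

    def _expire(self, now: float):
        """Drop clients whose idle time-out has run out, keeping the table small."""
        for key, (port, last_seen) in list(self.by_client.items()):
            if now - last_seen > IDLE_TIMEOUT:
                del self.by_client[key]
                del self.by_port[port]

    def outbound(self, pkt: Packet, now: float):
        """Packet arriving on the non-NAT (inside) port; returns the rewritten packet or None."""
        if not pkt.intact():
            return None               # discard corrupt packets rather than turn them into good ones
        self._expire(now)
        key = (pkt.src, pkt.sport)
        if key in self.by_client:
            port = self.by_client[key][0]          # found: reuse the allocated mapping port
        else:
            port = next(self._free_ports)          # not found: allocate a new mapping port
            self.by_port[port] = key
        self.by_client[key] = (port, now)          # new traffic resets the idle timer
        return replace(pkt, src=self.nat_address, sport=port).sealed()

    def inbound(self, pkt: Packet, now: float):
        """Packet arriving on the NAT (outside) port; reverse translation or rejection."""
        if not pkt.intact():
            return None
        self._expire(now)
        key = self.by_port.get(pkt.dport)
        if pkt.dst != self.nat_address or key is None:
            return None               # no mapping: not for us, so it is rejected (unsolicited inbound)
        self.by_client[key] = (pkt.dport, now)
        return replace(pkt, dst=key[0], dport=key[1]).sealed()
```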
An access list is a sequential collection of permit and deny conditions that apply to IP
addresses. The Cisco IOS software tests addresses against the conditions in an access list
one by one. The first match determines whether the software accepts or rejects the
address. Because the software stops testing conditions after the first match, the order of
the conditions is critical. If no conditions match, the software rejects the address.
The two steps involved in using access lists are as follows:
1. Create an access list by specifying an access list number or name and access
2. Apply the access list to interfaces or terminal lines.
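An added Python model of the first-match rule (not from the lab handout): it parses standard access-list lines in the form used later in this lab, applies the IOS wildcard mask, falls through to the implicit deny, and flags entries that an earlier entry shadows so that they can never match. The list numbers and addresses in the usage are constructed.

```python
import ipaddress


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


class Ace:
    """One entry of a standard (source-address-only) IP access list."""

    def __init__(self, action: str, source: int, wildcard: int):
        self.action = action        # "permit" or "deny"
        self.source = source
        self.wildcard = wildcard    # IOS wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (_ip(src) ^ self.source) & care == 0

    def covers(self, later: "Ace") -> bool:
        """True when every source the later entry matches is already matched by this one."""
        care = ~self.wildcard & 0xFFFFFFFF
        return later.wildcard & care == 0 and (later.source ^ self.source) & care == 0


def parse_standard(line: str):
    """Parse 'access-list <number> permit|deny any | host <ip> | <ip> [<wildcard>]'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError("not a standard access-list line: " + line)
    number, action = int(parts[1]), parts[2]
    if parts[3] == "any":
        source, wildcard = 0, 0xFFFFFFFF
    elif parts[3] == "host":
        source, wildcard = _ip(parts[4]), 0
    else:
        source = _ip(parts[3])
        wildcard = _ip(parts[4]) if len(parts) > 4 else 0   # no wildcard given means one host
    return number, Ace(action, source, wildcard)


class AccessList:
    def __init__(self, lines):
        self.number = None
        self.entries = []
        for line in lines:
            number, ace = parse_standard(line)
            if self.number not in (None, number):
                raise ValueError("lines belong to different access lists")
            self.number = number
            self.entries.append(ace)          # entries are tested in the order configured

    def evaluate(self, src: str):
        """First match decides: returns (action, index); no match is the implicit deny."""
        for index, ace in enumerate(self.entries):
            if ace.matches(src):
                return ace.action, index
        return "deny", None

    def shadowed(self):
        """Indexes of entries that can never match because an earlier entry covers them,
        the ordering mistake the text warns about."""
        return [j for j, later in enumerate(self.entries)
                if any(earlier.covers(later) for earlier in self.entries[:j])]
```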

Setting up Network Address Translation


1. Define a NAT Pool from which IP addresses can be used.

Router(config)# ip nat pool nat1 prefix-length 24
2. Define the inside interface in the Fast Ethernet 0/0 interface
Router(config-if)# ip nat inside

3. Define the outside interface in the Fast Ethernet 0/1 interface

Router(config-if)# ip nat outside
4. Link the NAT pool with the access-list you will be creating (access list number, e.g. 7)
Router(config)# ip nat inside source list 7 pool nat1
The overload keyword (ip nat inside source list 7 pool nat1 overload) is used when a
single IP address is used for all outgoing traffic. The NAT is then called PAT (Port
Address Translation) as all outbound connections are identified by port numbers.
Configure Access-List
5. Set up an access-list to permit all internal addresses 10.x.x.x to any network
Router(config)# access-list 7 permit 10.0.0.0 0.255.255.255
6. Ping internal and external networks to check whether your configurations are
7. Check the NAT using the following commands
Router# show ip nat statistics
Router# show ip nat translations

Once you complete the Lab get checked off by TA.

Prelab Questions:

1. Explain the operation of Network Address Translation.
2. What is Port Address Translation (PAT)? How is it different from NAT?
3. What are the security benefits of NAT and Access-Lists?
4. How would one operate a Web server behind a router employing NAT?

Lab Questions:
1. Show the statistics and translations of your NAT configurations.
2. Create a brief tutorial for configuring NAT on the Cisco 2600 router. Include all
the commands necessary to configure NAT and assign three IP addresses to the
pool. Also make sure to include commands necessary to alter the lease time and
other variables.
3. Using a single router, design a small corporate network with NAT and ACL to
allow the following functionality.
a. Three LANs and one DMZ (you might need trunking)
b. The network must host a Web server
c. The network should use Private IP addresses
d. The network should also employ DHCP
e. Assume 5 hosts for each LAN
f. Make sure none from LAN 3 can communicate with LAN 1.
g. LIST ALL THE COMMANDS for the Cisco 2600 router to implement the
NAT and ACL for your design. Assume you have 5 public addresses
NOTE: Question 3 should take no less than 5 pages if you do it correctly.


Firewall Set up & Configuration



ENTC 425

This lab aims at familiarizing the student with basic concepts of firewall on the Linux

A firewall is used to prevent unauthorized packets and unauthorized users from gaining
access to our network. Network security can be achieved using effective firewalling.
Each packet requesting access into the network or leaving the network is examined and
treated accordingly. This puts the host in which firewalling is done in a Promiscuous
mode. For example packets from within the network may not be routed through the
gateway to the outside world for reasons of security and no packets from outside may be
routed into the network to prevent unauthorized access to the data / information available
from our database.
Firewall setup along with suitable encryption techniques can provide good security to the
A firewall is a security system, designed to prevent unauthorized access to a private or
local network. The system can either be a hardware firewall or a software firewall, or a
combination of both.
There are two types of firewalls.
1. Filtering Firewalls - that block selected network packets.
2. Proxy Servers (sometimes called firewalls) - that make network connections for
A filtering firewall works at the network level. Data is only allowed to leave the system if
the firewall rules allow it. As packets arrive they are filtered by their type, source address,
destination address, and port information contained in each packet.
Many network routers have the ability to perform some firewall services. Filtering
firewalls can be thought of as a type of router. Because of this you need a deep
understanding of IP packet structure to work with one.

Lab Firewall architecture:

   _________         +------------+         +----------------+
  /         \        | Proxy /    |  (LAN)  |                |
 /  Internet \-------| Firewall   |--(HUB)--| Workstation/s  |
 \_ _ _ _ _ _/       | System     |         |                |
                     +------------+         +----------------+

Packet Filtering for Security in Linux using ipchains

The start of each packet says where it's going, where it came from, the type of the packet,
and other administrative details. This start of the packet is called the header. The rest of
the packet, containing the actual data being transmitted, is usually called the body.
Some protocols, such as TCP, which is used for web traffic, mail, and remote logins, use
the concept of a `connection' -- before any packets with actual data are sent, various setup
packets (with special headers) are exchanged saying `I want to connect', `OK' and
`Thanks'. Then normal packets are exchanged.
A packet filter is a piece of software which looks at the header of packets as they pass
through, and decides the fate of the entire packet. It might decide to deny the packet (ie.
discard the packet as if it had never received it), accept the packet (ie. let the packet go
through), or reject the packet (like deny, but tell the source of the packet that it has done
Under Linux, packet filtering is built into the kernel. Linux ipchains is required to
administer the IP packet filters in Linux.

ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]

ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel.
These rules can be divided into 4 different categories: the IP input chain, the IP output chain,
the IP forwarding chain, and user-defined chains.
For each of these categories, a separate table of rules is maintained, any of which might refer to
one of the user-defined chains. See ipfw(4) for more details.
A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the
next rule in the chain is examined; if it does match, then the next rule is specified by the
value of the target, which can be the name of a user-defined chain, or one of the special values:
ACCEPT means to let the packet through.
DENY means to drop the packet on the floor.
REJECT means the same as drop, but is more polite and easier to debug, since an
ICMP message is sent back to the sender indicating that the packet was dropped. (Note that
DENY and REJECT are the same for ICMP packets).
MASQ is only legal for the forward and user defined chains, and can only be used when the
kernel is compiled with CONFIG_IP_MASQUERADE defined. With this, packets will be
masqueraded as if they originated from the local host. Furthermore, reverse packets
will be recognized as such and they will be demasqueraded automatically, bypassing the
forwarding chain.
REDIRECT is only legal for the input and user-defined chains and can only be used when the
Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With
this, packets will be redirected to a local socket, even if they were sent to a remote host. If
the specified redirection port is 0, which is the default value, the destination port of a packet
will be used as the redirection port. When this target is used, an optional extra argument (the
port number) can be supplied. If the end of a user-defined chain is reached, or a rule with
target RETURN is matched, then the next rule in the previous (calling) chain is examined. If
the end of a built-in chain is reached, or a rule in a builtin chain with target RETURN is
matched, the target specified by the chain policy determines the fate of the packet.
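An added Python model of the chain traversal described above (not the kernel's code): built-in chains with policies, user-defined chains, the terminal targets, RETURN, the placement restrictions on MASQ and REDIRECT, and a -C style check of one packet. Interface names and addresses in the usage are constructed.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT"}   # targets that decide a packet's fate
BUILTIN = ("input", "output", "forward")


class Rule:
    """Match criteria plus a target, like one -A/-I rule specification."""

    def __init__(self, target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0",
                 dport=None, iface=None):
        self.target = target
        self.proto, self.dport, self.iface = proto, dport, iface
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)

    def matches(self, pkt):
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.iface is None or self.iface == pkt.get("iface")))


class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}   # default policy of each built-in chain

    def new_chain(self, name):                          # -N
        if name in self.chains or name in TERMINAL or name == "RETURN":
            raise ValueError("a target of that name already exists: " + name)
        self.chains[name] = []

    def set_policy(self, chain, target):                # -P
        if chain not in BUILTIN:
            raise ValueError("only built-in chains can have a policy")
        if target not in ("ACCEPT", "DENY", "REJECT"):
            raise ValueError("chains cannot be policy targets")
        self.policy[chain] = target

    def append(self, chain, rule):                      # -A
        if rule.target == "MASQ" and chain in ("input", "output"):
            raise ValueError("MASQ is only legal in the forward and user-defined chains")
        if rule.target == "REDIRECT" and chain in ("output", "forward"):
            raise ValueError("REDIRECT is only legal in the input and user-defined chains")
        if rule.target not in TERMINAL and rule.target != "RETURN" \
                and rule.target not in self.chains:
            raise ValueError("unknown target: " + rule.target)
        self.chains[chain].append(rule)

    def check(self, chain, pkt):                        # -C: run one packet through a chain
        verdict = self._walk(chain, pkt)
        # falling off a built-in chain (or hitting RETURN in it) applies its policy;
        # for a user-defined chain the result is None, meaning "would continue in the caller"
        return verdict if verdict is not None else self.policy.get(chain)

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue                                # no match: examine the next rule
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None                             # back to the calling chain
            verdict = self._walk(rule.target, pkt)      # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None                                     # end of chain reached
```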
The options that are recognized by ipchains can be divided into several different groups.
These options specify the specific action to perform; only one of them can be specified on the
command line, unless otherwise specified below. For all the long versions of the command
and option names, you only need to use enough letters to ensure that ipchains can
differentiate it from all other options.
-A, --append
Append one or more rules to the end of the selected chain. When the source and/or
destination names resolve to more than one address, a rule will be added for each
possible address combination.
-D, --delete
Delete one or more rules from the selected chain. There are two versions of this
command: the rule can be specified as a number in the chain (starting at 1 for the
first rule) or a rule to match.
-R, --replace
Replace a rule in the selected chain. If the source and/or destination names
resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-I, --insert
Insert one or more rules in the selected chain as the given rule number. So, if the
rule number is 1, the rule or rules are inserted at the head of the chain.
-L, --list
List all rules in the selected chain. If no chain is selected, all chains are listed. It is
legal to specify the -Z (zero) option as well, in which case no chain may be
specified. The exact output is affected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero

Zero the packet and byte counters in all chains. It is legal to specify the -L, --list
(list) option as well, to see the counters immediately before they are cleared; if this
is done, then no specific chain can be specified (they will all be displayed and cleared).
-N, --new-chain
Create a new user-defined chain of the given name. There must be no target of that
name already.
-X, --delete-chain
Delete the specified user-defined chain. There must be no references to the chain
(if there are you must delete or replace the referring rules before the chain can be
deleted). If no argument is given, it will attempt to delete every nonbuiltin chain.
-P, --policy
Set the policy for the chain to the given target. See the section TARGETS for the
legal targets. Only non-user-defined chains can have policies, and neither built-in nor
user-defined chains can be policy targets.
-M, --masquerading
This option allows viewing of the currently masqueraded connections (in
conjunction with the -L option) or to set the kernel masquerading parameters
(with the -S option).
-S, --set tcp tcpfin udp
Change the timeout values used for masquerading. This command always takes 3
parameters, representing the timeout values (in seconds) for TCP sessions, TCP
sessions after receiving a FIN packet, and UDP packets, respectively. A timeout
value 0 means that the current timeout value of the corresponding entry is
preserved. This option is only allowed in combination with the -M flag.
-C, --check
Check the given packet against the selected chain. This is extremely useful for
testing, as the same kernel routines used to check "real" network packets are used to
check this packet. It can be used to check user-defined chains as well as the builtin
ones. The same arguments used to specify firewall rules are used to construct the
packet to be tested. In particular, the -s (source), -d (destination), -p (protocol),
and -i (interface) flags are compulsory.

-h, --help
Give a (currently very brief) description of the command syntax.

The following parameters make up a rule specification (as
used in the add, delete, replace, append and check commands).
-p, --protocol[!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be
one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these
protocols or a different one. Also a protocol name from /etc/protocols is
allowed. A "!" argument before the protocol inverts the test. The number zero is
equivalent to all. Protocol all will match with all protocols and is taken as default
when this option is omitted. It may not be used in combination with the check command.

-s, --source [!] address[/mask] [!] [port[:port]]
Source specification. Address can be either a hostname, a network name, or a
plain IP address. The mask can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network mask. Thus, a mask of
24 is equivalent to 255.255.255.0. A "!" argument before the address specification
inverts the sense of the address. The source may include a port specification or ICMP
type. This can either be a service name, a port number, a numeric ICMP type, or
one of the ICMP type names shown by the command ipchains -h icmp. Note that many
of these ICMP names refer to both a type and code, meaning that an ICMP
code after the -d flag is illegal. In the rest of this paragraph, a port means either a
port specification or an ICMP type. An inclusive range can also be specified, using
the format port:port. If the first port is omitted, "0" is assumed; if the
last is omitted, "65535" is assumed. Ports may only be specified in combination with
the tcp, udp, or icmp protocols. A "!" before the port specification inverts the sense.
When the check command is specified, exactly one port is required, and if the -f
(fragment) flag is specified, no ports are allowed. The flag --src is a convenience
alias for this option.
--source-port [!] [port[:port]]
This allows separate specification of the source port or port range. See the
description of the -s flag above for details. The flag --sport is an alias
for this option.

-d, --destination [!] address[/mask] [!] [port[:port]]
Destination specification. See the description of the -s (source) flag for a detailed
description of the syntax. For ICMP, which does not have ports, a
"destination port" refers to the numeric ICMP code. The flag --dst is a convenience
alias for this option.
--destination-port [!] [port[:port]]
This allows separate specification of the ports. See the description of the -s flag
for details. The flag --dport is an alias for this option.
--icmp-type [!] typename
This allows specification of the ICMP type (use the -h icmp option to see valid ICMP
type names). This is often more convenient than appending it to the destination
port specification.
-j, --jump target
This specifies the target of the rule; ie. what to do if the packet matches it. The
target can be a user-defined chain (not the one this rule is in) or one of the special
targets which decide the fate of the packet immediately. If this option is omitted
in a rule, then matching the rule will have no effect on the packet's fate, but the
counters on the rule will be incremented.
-i, --interface [!] name
Optional name of an interface via which a packet is received, or via which a packet is
going to be sent. When this option is omitted, the empty string is assumed,
which has a special meaning and will match with any interface name. When the "!"
argument is used before the interface name, the sense is inverted. If the interface
name ends in a "+", then any interface which begins with this name will match.
[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented
packets. Since there is no way to tell the source or destination ports of such a
packet (or ICMP type), such a packet will not match any rules which specify them.
When the "!" argument precedes the "-f" flag, the sense is inverted.

The firewall script is usually placed in the /etc/rc.d/ directory. There are by default 3 built-in chains,
namely the input chain, the output chain and the forward chain.

1. First see the ipchains rules that are already configured on the proxy server.
ipchains -L
2. Flush out all the ipchains rules.
ipchains -F
Each chain has a policy associated with it. The policy may be to ACCEPT, DENY or
REJECT all packets.
3. Write a rule for the input chain to drop all the incoming packets.
ipchains -P input DENY
or ipchains -P input REJECT
4. Add an ipchains rule to drop all the packets in the output chain.
ipchains -P output DENY
or ipchains -P output REJECT
Check the network by trying to open a browser and connecting to some web site.
5. Prevent forwarding of the packets by adding a rule to the forward chain.
ipchains -P forward DENY
or ipchains -P forward REJECT
6. Remove the rules that you just added.
ipchains -F
7. Add rules to accept all packets.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
8. Write a rule to masquerade the packets coming from the private network so that it can
see the public network.
ipchains -A forward -s <private network>/<mask> -j MASQ
9. Write a rule to accept the ICMP messages from the 10.10.9.x network.
ipchains -A input -p icmp -s 10.10.9.0/24 -j DENY
10. Write an ipchains rule to accept tcp packets.
ipchains -A input -p tcp -j ACCEPT
11. Write an ipchains rule to accept udp packets.
ipchains -A input -p udp -j ACCEPT
Now write your own rules to accept DNS connections, HTTP connections and
ICMP messages.
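The rule-specification options described above (protocol, address/mask, port ranges with an omitted end, interface names ending in "+", "!" inversion, the -f fragment flag, and rules without -j that only count) and lab steps 8 to 11 can be tried without a 2.2 kernel by modelling them. The following Python program is an added example for this handout, not ipchains' own code: it parses ipchains-style rule specifications, checks constructed packets against a chain the way -C does, and falls back to the chain policy when no rule decides. It supports only the --sport/--dport form of port specifications, numeric addresses (no hostnames), and the -A, -j, -f, -p, -s, -d, -i options. The packet addresses, the 192.0.2.0/24 network standing in for step 8's private network, and the counter-only "-A input -f" rule are my own constructed additions.

```python
"""Added example: toy model of ipchains rule matching, not ipchains' own code."""
import shlex
from collections import namedtuple
from ipaddress import ip_address, ip_network

# sport/dport hold the ICMP type/code for icmp; fragment means "second or later fragment"
Packet = namedtuple("Packet", "proto src dst sport dport iface fragment", defaults=(0, 0, "", False))

def parse_net(text):
    """address[/mask]; the mask may be a prefix length (24) or dotted (255.255.255.0)."""
    return ip_network(text if "/" in text else text + "/32", strict=False)

def parse_ports(text):
    lo, sep, hi = text.partition(":")     # port[:port]; an omitted end means 0 or 65535
    return (int(lo or 0), int(hi or 65535)) if sep else (int(lo), int(lo))

OPTS = {"-p": ("proto", str.lower), "-s": ("src", parse_net), "-d": ("dst", parse_net),  # option -> (key, converter)
        "--sport": ("sport", parse_ports), "--dport": ("dport", parse_ports), "-i": ("iface", str)}

def parse_rule(spec):
    """Parse '-A chain [options] [-j target]'. Each option is stored as (value, inverted);
    "!" may precede the option (-p, -i, -f) or its argument (-s, -d, --sport, --dport)."""
    toks, inv, i = shlex.split(spec), False, 0
    rule = {"chain": None, "target": None, "frag": None, "packets": 0}
    while i < len(toks):
        t, i = toks[i], i + 1
        if t == "!":
            inv = True; continue
        if t in ("-A", "-j"):                     # -A chain / -j target
            rule["chain" if t == "-A" else "target"], i = toks[i], i + 1
        elif t == "-f":
            rule["frag"] = not inv                # -f: only later fragments; ! -f: everything else
        elif t in OPTS:
            key, conv = OPTS[t]
            if toks[i] == "!":
                inv, i = True, i + 1
            rule[key], i = (conv(toks[i]), inv), i + 1
        else:
            raise ValueError("unsupported token: " + t)
        inv = False
    return rule

def matches(rule, p):
    if p.fragment and ("sport" in rule or "dport" in rule):
        return False                              # later fragments carry no ports: port rules never match
    if rule["frag"] is not None and rule["frag"] != p.fragment:
        return False
    checks = (("proto", lambda v: v == "all" or v == p.proto),
              ("iface", lambda v: p.iface.startswith(v[:-1]) if v.endswith("+") else p.iface == v),
              ("src", lambda v: ip_address(p.src) in v),
              ("dst", lambda v: ip_address(p.dst) in v),
              ("sport", lambda v: v[0] <= p.sport <= v[1]),
              ("dport", lambda v: v[0] <= p.dport <= v[1]))
    for key, hit in checks:
        if key in rule and hit(rule[key][0]) == rule[key][1]:   # hit == inverted means "no match"
            return False
    rule["packets"] += 1
    return True

def check(fw, chain, p):
    """Like 'ipchains -C': first deciding rule wins; a -j-less rule only counts; an undecided
    user-defined chain returns None to its caller; built-in chains fall back to their -P policy."""
    for rule in fw["chains"][chain]:
        if not matches(rule, p) or rule["target"] is None:
            continue
        verdict = check(fw, rule["target"], p) if rule["target"] in fw["chains"] else rule["target"]
        if verdict is not None:
            return verdict
    return fw["policy"].get(chain)

def build(policy, specs):                         # policy: chain -> target as set with -P
    fw = {"policy": dict(policy), "chains": {c: [] for c in policy}}
    for rule in map(parse_rule, specs):           # a user-defined chain appears on its first -A
        fw["chains"].setdefault(rule["chain"], []).append(rule)
    return fw

def lab_firewall():
    """Lab steps 8-11 with the input policy kept at DENY (step 3) so the ACCEPT rules matter."""
    return build({"input": "DENY", "output": "ACCEPT", "forward": "DENY"}, [
        "-A input -f",                               # my addition: count fragments, decide nothing
        "-A forward -s 192.0.2.0/24 -j MASQ",        # step 8; 192.0.2.0/24 stands in for the private net
        "-A input -p icmp -s 10.10.9.0/24 -j DENY",  # step 9 as printed in the handout
        "-A input -p tcp -j ACCEPT"])                # step 10 (step 11 is the same with -p udp)

def demo():
    """Verdicts for constructed packets; returns (verdicts, fragments seen by the -j-less rule)."""
    fw, outside, inside = lab_firewall(), "203.0.113.5", "10.10.9.1"   # constructed addresses
    web = Packet("tcp", outside, inside, 40000, 80, "eth0")
    frag = Packet("tcp", outside, inside, 0, 0, "eth0", True)
    strict = build({"input": "DENY"}, ["-A input -p tcp --dport 80 ! -i ppp+ -j ACCEPT"])
    verdicts = {
        "lab tcp from outside": check(fw, "input", web),                                  # ACCEPT
        "lab icmp from 10.10.9.x": check(fw, "input", Packet("icmp", "10.10.9.7", inside, 8)),  # DENY
        "lab tcp fragment": check(fw, "input", frag),        # ACCEPT: the -p tcp rule names no port
        "lab masq private": check(fw, "forward", Packet("tcp", "192.0.2.10", outside)),   # MASQ
        "strict web on eth0": check(strict, "input", web),                                # ACCEPT
        "strict web on ppp0": check(strict, "input", web._replace(iface="ppp0")),         # DENY
        "strict fragment": check(strict, "input", frag)}     # DENY: port rules skip fragments
    return verdicts, fw["chains"]["input"][0]["packets"]

if __name__ == "__main__": print(*(f"{k:24} -> {v}" for k, v in demo()[0].items()), sep="\n")
```

Running demo() shows the three points the man page text makes that are easy to get wrong in a real script: a rule without -j changes only its counter, a later fragment never matches a rule that names a port (so a port-based ACCEPT silently leaves fragments to the policy), and "! -i ppp+" matches every interface whose name does not begin with "ppp".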

Go to the Linux web site (www.linux.org) and read the pages on Firewall and IP
Forwarding techniques. Our Linux kernel is 2.2 (you have to read the pages for the specific kernel).
You can also go to Dr. Pooch's website http://cs.tamu.edu/faculty/pooch to get more
information on firewalls and attack and defense techniques.
A few other websites are:
Info on ipfwadm utility:
Info on ipchains utility:
This site presents the differences between ipchains & ipfwadm:
General info on firewall setup and architecture: