Network Administration/System Administration (NTU CSIE, Spring 2017) Homework #3 Solution
Homework #3 Solution
Contact TAs: vegetable@csie.ntu.edu.tw
Network Administration 1
1. (10%)
Obtain the MAC address of 140.112.31.216 from the ARP table on the switch. Then look that MAC address up in the MAC address table, find the port it was learned on, and repeat the lookup on each downstream switch until the interface for that MAC address is an end-user port instead of a switch.
Command example:
core-switch# sh ip arp 140.112.31.216
Protocol Address Age (min) Hardware Addr Type Interface
Internet 140.112.31.216 4 10dd.b1a0.0016 ARPA Vlan1
core-switch# show mac address-table address 10dd.b1a0.0016
1 10dd.b1a0.0016 DYNAMIC Po1
core-switch# sh int status | inc Po1
Po1 To 1F-A connected trunk a-full a-1000
core-switch# sh clu mem
1 0000.0000.0000 2000Private Gi1/0/24 1 1 0 Gi4/0/5 7 Up
2 10dd.b1a0.0016 1F-A Gi1/0/49 1 1 0 Gi1/0/26 11 Up
3 1111.1111.1111 1F-B Gi1/0/49 1 1 0 Gi1/0/27 12 Up
core-switch# rc 2
1F-A# show mac address-table address 10dd.b1a0.0016
...
...repeat the above steps
2. (30%)
Open the switch0 CLI:
switch> en
switch# conf t
switch(config)# hostname CiscoLab
CiscoLab(config)# no ip domain-lookup
CiscoLab(config)# enable password CISCO
CiscoLab(config)# service password-encryption
CiscoLab(config)# vlan 10
CiscoLab(config-vlan)# exit
CiscoLab(config)# vlan 20
CiscoLab(config-vlan)# exit
CiscoLab(config)# vlan 99
CiscoLab(config-vlan)# exit
CiscoLab(config)# int range Fa0/1-2
CiscoLab(config-if-range)# switchport mode access
CiscoLab(config-if-range)# switchport access vlan 10
CiscoLab(config-if-range)# exit
CiscoLab(config)# int range Fa0/3-4
CiscoLab(config-if-range)# switchport mode access
CiscoLab(config-if-range)# switchport access vlan 20
CiscoLab(config-if-range)# exit
CiscoLab(config)# int range Fa0/5
CiscoLab(config-if)# switchport mode access
CiscoLab(config-if)# switchport access vlan 99
CiscoLab(config-if)# exit
CiscoLab(config)# int vlan99
CiscoLab(config-if)# ip address 192.168.99.1 255.255.255.0
CiscoLab(config-if)# exit
CiscoLab(config)# line vty 0 4
CiscoLab(config-line)# password cisco
CiscoLab(config-line)# login
CiscoLab(config-line)# exit
CiscoLab(config)# exit
CiscoLab# write mem
3. (10%)
(a) (2%) Yes, PC2 should be able to ping PC3. Check the configuration of the Cisco switch to make sure the settings took effect. If PC2 cannot ping PC3, use the command sh ru to check the VLAN configuration. If there is no record of the VLAN settings, you may have made a mistake during the configuration process.
(b) (4%) Inter-VLAN Routing
Assume there are two VLANs, VLAN 1 (Interface F0/2) and VLAN 2 (Interface F0/3), on the same switch. Place one machine under F0/2 and another under F0/3. Since VLAN 1 (192.168.0.0/24) and VLAN 2 (192.168.1.0/24) belong to different network segments, we need a router to handle Inter-VLAN routing. Use trunking (IEEE 802.1Q or Cisco ISL) to connect the router and the switch, and then create sub-interfaces on the router such that each sub-interface corresponds to a VLAN on the switch.
Connection:
Router F0/0 ——– <802.1q/ISL Trunk> ——– Switch F0/1
Switch F0/2 <- PC1
Switch F0/3 <- PC2
Create a sub-interface for each VLAN. The IP addresses of the two sub-interfaces serve as the gateways of VLAN 1 and VLAN 2, respectively.
Router:
interface F0/0
 ip address 192.168.0.254 255.255.255.0
interface F0/0.2
 encapsulation dot1q 2
 ip address 192.168.1.254 255.255.255.0
Switch:
interface F0/1
 switchport trunk encapsulation dot1q (No need for Cat.2950)
 switchport mode trunk
interface F0/2
 switchport mode access
 switchport access vlan 1
interface F0/3
 switchport mode access
 switchport access vlan 2
(c) (4%) Ans: “MayIeatEat?”
(Ref: https://www.m00nie.com/type-7-password-tool/ & choose the option “decrypt”)
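The type 7 strings written by "service password-encryption" (enabled in problem 2, decoded in 3(c)) are a reversible XOR against a fixed, publicly documented table, which is why a tool can recover the plaintext. The following is an added example, not part of the original solution: it decodes type 7 strings and flags every recoverable password line in a configuration. The sample configuration, its encoded strings and the function names are constructed for this example.

```python
import re

# Fixed translation table of IOS type 7 obfuscation (publicly documented).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7 = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")
# "enable password ..." or a line/user "password ..." with an optional type digit.
PW_LINE = re.compile(r"^\s*(?:enable |username \S+ )?password (?:(\d) )?(\S+)\s*$")

def type7_decode(blob):
    """Undo type 7: two decimal digits give the start offset, then hex bytes."""
    if not TYPE7.fullmatch(blob):
        raise ValueError("not a type 7 string: %r" % blob)
    offset, data = int(blob[:2]), bytes.fromhex(blob[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", "replace")

def type7_encode(plain, offset):
    """Inverse of type7_decode, used here only to build sample strings."""
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return "%02d%s" % (offset, body.hex().upper())

def audit(config):
    """Return (line_no, kind, recovered) for every recoverable password line."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = PW_LINE.match(line)
        if m and m.group(1) == "7":
            findings.append((no, "type7", type7_decode(m.group(2))))
        elif m and m.group(1) in (None, "0"):
            findings.append((no, "cleartext", m.group(2)))
    return findings

# Constructed "show running-config" excerpt for the problem 2 switch; the
# "enable secret" line is a placeholder hash, included only for contrast.
SAMPLE = """\
hostname CiscoLab
service password-encryption
enable secret 5 $1$PLACEHOLDER$notARealHash
enable password 7 02252D682829
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for no, kind, recovered in audit(SAMPLE):
        print("line %d: %s password recovered as %r" % (no, kind, recovered))
```

Both password lines in the sample are reported with their plaintext, while the "enable secret" line is not matched, since it stores a one-way hash rather than a type 7 string.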
Network Administration 2
1. Set up 3 VLAN interfaces on LAN. (VLAN5, VLAN8 and VLAN99)
• Remember to use static IPv4.
• Size of netmask should be less than 31.
• Remember to enable the interface.
2. Enable DHCP servers in 3 VLAN interfaces. (Services -> DHCP server)
3. Rules:
• VLAN5:
(a) BLOCK any to VLAN99 net
(b) BLOCK any to this firewall in 22 and 443 port
(c) PASS any to any
• VLAN8:
(a) BLOCK any to VLAN99 net
(b) BLOCK any to this firewall in 22 and 443 port
(c) PASS any to any
• VLAN99:
(a) PASS any to VLAN5 net
(b) PASS any to VLAN8 net
(c) PASS any to 140.112.30.32 in 22 (ssh) port
(d) PASS any to any in 53 (DNS) port
(e) PASS any to this firewall in 22 (ssh) port and 443 (https) port
To achieve subtask 6, do nothing in the NAT settings of pfSense.