Experiment 3: IP Sub-networks and Router Configuration

Objectives

  1. Set up a simple private sub-network. Determine network parameters for hosts in the sub-network.
  2. Configure a host and a router to reach hosts within the sub-network.
  3. Observe the traffic generated by the tracert program to determine the route to a host.
  4. Use a secure shell (ssh) client program.

Background

The following topics from class notes: Internet layers, IP addressing, IP routing, rudimentary Ethernet network concepts, ICMP protocols.

References

Network Setup

The network topology is shown below. The virtual LAN network ID and the host IP in the virtual LAN shown in the figure are illustrative values only; the actual values for the experiment will be assigned by the lab instructor. Note that the router has two IP addresses, one for each LAN.

Network topology diagram

Laboratory LAN network ID: 192.168.108.0/24

Procedure

  1. Ask the lab instructor to be assigned a group number (n), a virtual LAN network ID and the host IP in virtual LAN.

  2. Launch the PuTTY ssh client. Log in to the virtual network server (at5030-eng2453server.lakeheadu.ca). The account name is group<n>, where <n> is the number assigned by the lab instructor. Only one student in the group should log in.

  3. At the server prompt run startrouter to bring the router virtual machine up:

    group2@vnetserver:~$ startrouter
    mkdir: cannot create directory `workspace': File exists
    0+0 records in
    0+0 records out
    0 bytes (0 B) copied, 1.1313e-05 s, 0.0 kB/s
    Setting up swapspace version 1, size = 524284 KiB
    no label, UUID=9761b76d-aad6-4885-99f1-7918b29427c9
    Core dump limits :
     soft - 0
     hard - NONE
    Checking that ptrace can change system call numbers...OK
    Checking syscall emulation patch for ptrace...OK
    Checking advanced syscall emulation patch for ptrace...OK
    <more output suppressed>
    

    After the router is up, you should see the router login screen:

    Debian GNU/Linux 7 router tty0
    
    line_ioctl: tty0: unknown ioctl: 0x4b64
    router login:
    

    Log in as ‘root’; the password is ‘default’. You have full administrator privileges on the virtual router. The router has three network interfaces:

    • ‘lo’ is the loopback network interface, configured to 127.0.0.1/8. This is a special address that always points to the localhost (the router in this case).
    • ‘eth0’ connected to the laboratory LAN
    • ‘eth1’ connected to the private LAN.
  4. The ip command is used to configure the network interfaces. We’ll use the -f inet option to list addresses configured for the IPv4 protocol (can be abbreviated -4). Run ip -f inet addr show (or abbreviated ip -4 a show) to see configured interfaces:

    root@router:~# ip -f inet addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        inet 127.0.0.1/8 scope host lo
    

    Only the loopback interface is currently configured. There is no active connection to other computers in the network.

  5. Configure the interface connected to the lab LAN: the university administers the IP addresses in the lab LAN using the DHCP protocol. We’ll request an IP address, network mask and other network parameters from the DHCP server. The router is already configured for this:

    root@router:~# cat /etc/network/interfaces
    # interfaces(5) file used by ifup(8) and ifdown(8)
    auto lo
    iface lo inet loopback
    
    #auto eth0
    iface eth0 inet dhcp
    

    (The cat command is similar to type at the Windows prompt.) The ‘#’ character indicates that the line is a comment and is ignored by the system. This configuration is not applied automatically at system boot because the ‘auto’ keyword is commented out. To bring eth0 up run:

    root@router:~# ifup eth0
    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    
    Listening on LPF/eth0/4e:6f:e2:54:aa:5c
    Sending on   LPF/eth0/4e:6f:e2:54:aa:5c
    Sending on   Socket/fallback
    DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
    DHCPREQUEST on eth0 to 255.255.255.255 port 67
    DHCPOFFER from 192.168.108.3
    DHCPACK from 192.168.108.3
    bound to 192.168.108.153 -- renewal in 1641 seconds.
    

    Also run ip -4 a show to see all details of the interface configuration:

    root@router:~# ip -4 a show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        inet 127.0.0.1/8 scope host lo
    13: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        inet 192.168.108.153/24 brd 192.168.108.255 scope global eth0
    

    Now you have a connection to the outside world. Verify by pinging some address (‘-c 3’ sends 3 packets only):

    root@router:~# ping -c 3 www.cbc.ca
    PING e5220.g.akamaiedge.net (23.45.133.66) 56(84) bytes of data.
    64 bytes from a23-45-133-66.deploy.static.akamaitechnologies.com (23.45.133.66): icmp_req=2 ttl=54 time=30.6 ms
    64 bytes from a23-45-133-66.deploy.static.akamaitechnologies.com (23.45.133.66): icmp_req=3 ttl=54 time=30.3 ms
    
    --- e5220.g.akamaiedge.net ping statistics ---
    3 packets transmitted, 2 received, 33% packet loss, time 2009ms
    rtt min/avg/max/mdev = 30.388/30.516/30.645/0.216 ms
    
  6. Configure eth1: we will use a static configuration for eth1 since there is no DHCP server running on our private network. Normally the router for a network is assigned the first host address for the network. For example, if your group was assigned 10.10.200.0/24 for the network ID, you should configure your router at 10.10.200.1. We will assign the IP address and add the route to the table directly from the command line using the ip command. This is a good approach to change the network configuration on the fly, but keep in mind that the configuration is lost after a reboot. The first command configures the interface (eth1) using the default broadcast address but keeps it disabled; the second command enables the interface:

    ip addr add <address/bits> broadcast + dev <interface>
    ip link set <interface> up
    

    For a permanent configuration, an eth1 entry must be added in /etc/network/interfaces before eth0 is configured. We will not pursue this approach for this experiment.

    Check that the interfaces are configured by running ip -4 a show again (the following is a generic example only, include actual output in your report):

    root@router:~# ip -4 a show
     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
         inet 127.0.0.1/8 scope host lo
     13: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
         inet 192.168.108.153/24 brd 192.168.108.255 scope global eth0
     14: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
         inet 10.10.200.1/24 scope global eth1
    

    You should be able to ping the host in the private network (the host address was given by the lab instructor):

    root@router:~# ping -c 2 10.10.200.33
    PING 10.10.200.33 (10.10.200.33) 56(84) bytes of data.
    64 bytes from 10.10.200.33: icmp_req=1 ttl=64 time=0.736 ms
    64 bytes from 10.10.200.33: icmp_req=2 ttl=64 time=0.178 ms
    

    Run ip -4 route show to print the routing table (include in report):

    root@router:~# ip -4 route show
    default via 192.168.108.1 dev eth0
    10.10.200.0/24 dev eth1  proto kernel  scope link  src 10.10.200.1
    192.168.108.0/24 dev eth0  proto kernel  scope link  src 192.168.108.153
    

    It now appears that the router is ready.

  7. Configure your Windows workstation to route packets to your private network (open a cmd.exe window). Packets for 10.10.200.0/24 should be forwarded to your router (the host with IP address 192.168.108.153 in this example) for further routing. For this, add an entry in your routing table as follows (include in report):

    C:\>route add 10.10.200.0 mask 255.255.255.0 192.168.108.153
     OK!
    

    The first part specifies the network ID and the last address is the router address, referred to as the gateway address. Use route print to see the routing table:

    C:\>route print
    ===========================================================================
    Interface List
     11...00 1d 60 1c cc 7c ......NVIDIA nForce Networking Controller
      1...........................Software Loopback Interface 1
     13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.108.1  192.168.108.168     20
           10.10.200.0  255.255.255.0   192.168.108.153  192.168.108.168     21
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
    ...
    

    Try pinging the host in the private network. It will not work.

  8. The problem is that the router is refusing to forward packets across interfaces. That is the most common configuration for regular Linux workstations. IPv4 kernel settings can be found in the following directory:

    root@router:~# ls /proc/sys/net/ipv4/
    conf                                tcp_fin_timeout
    icmp_echo_ignore_all                tcp_frto
    icmp_echo_ignore_broadcasts         tcp_frto_response
    icmp_errors_use_inbound_ifaddr      tcp_keepalive_intvl
    icmp_ignore_bogus_error_responses  tcp_keepalive_probes
    icmp_ratelimit                      tcp_keepalive_time
    icmp_ratemask                       tcp_low_latency
    igmp_max_memberships                tcp_max_orphans
    igmp_max_msf                        tcp_max_ssthresh
    (more files suppressed)
    

    Each file contains a configuration parameter. Parameter values can be seen by printing the file contents:

    root@router:~# cat /proc/sys/net/ipv4/ip_forward
    0
    

    To enable IP packet forwarding set ip_forward to 1 as follows:

    root@router:~# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@router:~# cat /proc/sys/net/ipv4/ip_forward
    1
    

    NOTE: this routing configuration works but it is not secure because it forwards any packet. A more secure setup should use IP packet filter rules to forward only packets that may occur under normal use of the network (see man iptables for more information).

  9. Now try pinging the host in the private network from your Windows workstation again (it should work, include output in your report). Open Wireshark on Windows, start capturing the network traffic and run the traceroute command as follows (on Windows it is tracert):

    C:\>tracert 10.10.200.33
    
    Tracing route to 10.10.200.33 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  dhcp-192-168-108-81.lakeheadu.ca [192.168.108.153]
      2    <1 ms    <1 ms    <1 ms  10.10.200.33
    
    Trace complete.
    

    Stop capturing on the interface and locate the packets generated by this program. Include the Wireshark capture in your report.

  10. To verify that you are connecting to the right network, try logging into the host of your private network. Open another PuTTY window. The server name is the IP address of the host in your network (10.10.200.33 in this example), the account name is guest and the password is engi2453. After you log in you should see the following message:

    *********************************************************************
    *
    *                      Routing Successful !
    *
    *********************************************************************
    
    guest@host1:~$
    

    You may logout by typing exit.

  11. After the experiment is finished, stop the router:

    root@router:~# shutdown -h now
    

    When the router is down you will see the server prompt. Type exit to close the connection.
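
The NOTE in step 8 says forwarding should be limited by packet filter rules. As an added example (not part of the original lab handout), this shell function prints an iptables-restore ruleset whose FORWARD chain defaults to DROP and admits only the traffic this lab generates from the lab LAN to the private network. Assumptions: the handout's illustrative interfaces and networks, ping/tracert (ICMP echo) and ssh on TCP port 22 as the permitted services, and a router kernel that provides the conntrack match.

```shell
#!/bin/sh
# Added example: emit a filter-table ruleset in iptables-restore format.
# Arguments (defaults are the illustrative values used in this handout):
#   $1 lab-side interface   $2 private-side interface
#   $3 lab LAN network      $4 private network
forward_ruleset() {
    lab_if=${1:-eth0}
    priv_if=${2:-eth1}
    lab_net=${3:-192.168.108.0/24}
    priv_net=${4:-10.10.200.0/24}

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to flows that were already allowed, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Lab LAN -> private network: ping and tracert probes (ICMP echo request).
-A FORWARD -i $lab_if -o $priv_if -s $lab_net -d $priv_net -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Lab LAN -> private network: new ssh connections (assumed TCP port 22).
-A FORWARD -i $lab_if -o $priv_if -s $lab_net -d $priv_net -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
# Anything else hits the DROP policy; log a sample of it for review.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Running the script only prints the ruleset. On the router it would be
# loaded with:  forward_ruleset | iptables-restore
forward_ruleset
```

Loading the ruleset replaces the existing filter table; INPUT and OUTPUT stay at ACCEPT, so the router still answers tracert with its own ICMP time-exceeded message. Like the ip commands in step 6, the rules are lost after a reboot.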

Report preparation and questions

Prepare a formal report of this experiment in pdf format.

  • Include in your report a diagram of the network topology used in the experiment. Show the network ID for each segment, the IP address for each interface and the routing table in each host.
  • Summarize results from the experiment. Include outputs indicated in steps 6, 7 and 9.
  • Use the packets captured with Wireshark to explain how the tracert program determines the route to a host.
  • Write comments and conclusions about this experiment.