GT ECE 4110 - Setting up a Network Using VRFs, VLAN, NAT, OSPF

This preview shows page 1-2-3-4-5-6 out of 19 pages.


ECE 4110 Internetwork Programming
Lab 8: Setting up a Network Using VRFs, VLAN, NAT, OSPF

Group Number: _________________________
Member Names: _________________________ _________________________

Date Issued: November 22, 2010
Turn-in Due: December 3, 2010
Last Edited: November 20, 2010

This lab requires that you use one of three setups. If a signup sheet has been posted, you must sign up in advance on the lab door. You may reserve each setup for no more than 2 hours at a time. YOU MUST USE THE SAME SETUP EACH TIME YOU WORK ON THIS LAB. A TA must be present for two check-offs of this lab. Also, it would be useful to bring your ECE4110 Lab5 and Lab6 documentation to help you in configuring/troubleshooting the network. Please read the entire lab before you show up to start working on it.

Fill this blank in after you make your reservation:
We signed up for PLAYSTATION #: _______________

Lab Goals
• Configure switches and routers on a network
• Understand VLANs and inter-VLAN routing
• Understand VRFs (VPN Routing and Forwarding Instances)
• Understand NAT
• Understand OSPF processes on a router

Prelab Questions:
1. What is the purpose of creating VLANs on a switch?
2. How can the devices connected to switch ports associated with multiple VLANs communicate?
3. What is NAT and how is it used in a network?
4. What are some advantages of configuring routing protocols instead of static routes?

Check-off Point 0: TA has to make sure that routers are properly reloaded.

Lab Scenario
In this lab, we have an enterprise which has two branches. Each branch network is composed of three subnets: Sales Department, HR Department, and Guest Department. The Guest department is for guests visiting the company office and thus would only need access to the external network (Internet). As shown below, Figure 1 illustrates a layout of the network topology. For simplicity, the ISP network has been summarized to a single router connecting both sites.
Figure 1: Network Topology Diagram

Network Setup Requirements:
The company would like to enforce the following policies on their network:

Policy1: Devices on different VLANs are not allowed to communicate. For example, Sales end-hosts cannot communicate with HR end-hosts within a branch or across branches.
Policy2: Devices on Sales and HR network are not allowed to access external network (Internet).
Policy3: Guest network devices are only allowed to access external network (Internet).
Policy4: Both Sales and HR end-hosts need to be able to communicate with their peer end-hosts in the remote branch.

As shown in Figure 1, traffic from Sales network in Branch1 can only traverse within VLAN10 on Branch1 network or traverse to the remote Sales VLAN on Branch2 network (Red dashed-line between the two sites). This is similar for the HR network (Blue dashed-line between the two sites). Both Sales and HR traffic cannot reach the external world (Internet). On the contrary, the Guest network end-hosts can only access the external network (Green dashed-lines).

In order to fulfill those network design requirements, there will be a number of configuration tasks which you have to do as well as some progressive checkpoints to verify your configurations along the way. For the following tasks, please complete them using the information shown in Figure 2 (similar to Figure 1 with more details about interfaces and IP assignments).

Figure 2: Detailed Network Topology

Task 1: Configuration of Branch1 End-Hosts
Configure the end-hosts in Branch1 according to the information in Figure 2.
Hint: The default gateway for the end-hosts is B1-R (3 distinct gateway IPs).
For example, the Sales host in port Fa0/6 on the switch:
    IP address: 10.10.10.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 10.10.10.1

Task 2: Configuration of Branch1 Switch “B1-SW”
Configure Branch1 switch according to Figure 2:
- Create three VLANs: VLAN10, VLAN20, VLAN30
- Assign ports to VLAN10, VLAN20, VLAN30 according to Figure 2. Note that Fa0/6, Fa0/7, and Fa0/8 are access ports while Fa0/4 is a trunk port.
Hint: Refer to Lab5 for a reference on how to create VLANs and associate ports with them.

Task 3: Configuration of Branch1 Router “B1-R” (just connection to B1-SW)
Normally, sub-interfaces on B1-R would be configured to allow inter-VLAN communication. In other words, once E0/0.1, E0/0.2, and E0/0.3 are configured with dot1q encapsulation for VLAN10, VLAN20, and VLAN30, the end-hosts in the Sales department would be able to communicate with end-hosts in the HR department. This is done through B1-R, as B1-R's routing table would have routing entries to reach all of the 10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24 networks.

However, “Policy1” as mentioned earlier in the Network Setup Requirements section indicates that devices on different VLANs are not allowed to communicate. One way to accomplish this is to configure VRFs (VPN Routing and Forwarding instances) on a router. This means a router will have multiple routing tables. Therefore, when you configure the sub-interfaces and associate them with different VRFs, packets arriving at those sub-interfaces and destined for networks which are part of other VRFs will be dropped by the router, since it does not have a route to forward them on.

1. Create two VRFs on B1-R:
Note that Cisco Express Forwarding (CEF) needs to be enabled to do any Layer 3 IP switching/routing. Recent IOS versions enable CEF by default.
Therefore, in case you try to run some configuration on a Cisco router and get an error message stating that CEF needs to be enabled prior to continuing with your configuration, you need to run the following command:

    B1-R(config)# ip cef

By default, a router has only one routing table, referred to as the “Global” vrf. In this task, you will create two additional VRFs on B1-R named “RED” and “BLUE” as shown below.

    B1-R(config)# ip vrf RED
    B1-R(config-vrf)# description Sales-Traffic
    B1-R(config-vrf)# rd 1:1
    B1-R(config-vrf)# ip vrf BLUE
    B1-R(config-vrf)# description HR-Traffic
    B1-R(config-vrf)# rd 2:2

2. Create the sub-interfaces connecting B1-R to B1-SW:
You need to configure E0/0.1, E0/0.2, and E0/0.3 on B1-R as follows:
- E0/0.1 is associated with vrf RED
- E0/0.2 is associated with vrf BLUE
- E0/0.3 is associated with the Global vrf
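
The isolation that Task 3 relies on, as an added example that is not part of the original lab handout: a small Python model of B1-R's connected routes that compares a single routing table with the RED/BLUE/Global split. The function names and the destination host 10.10.20.10 are constructed for illustration, and only B1-R's directly connected subnets are modeled (no OSPF or remote-branch routes).

```python
import ipaddress

# Connected subnets named in the lab: Sales, HR, Guest (one per sub-interface).
CONNECTED = {
    "E0/0.1": "10.10.10.0/24",
    "E0/0.2": "10.10.20.0/24",
    "E0/0.3": "10.10.30.0/24",
}
# Interface-to-VRF bindings from step 2 of Task 3.
VRF_BINDING = {"E0/0.1": "RED", "E0/0.2": "BLUE", "E0/0.3": "global"}
# Baseline for comparison: no VRFs, every sub-interface in the one global table.
SINGLE_TABLE = {ifname: "global" for ifname in CONNECTED}


def build_tables(binding):
    """Return {vrf_name: [(network, egress_interface), ...]} from connected routes."""
    tables = {}
    for ifname, prefix in CONNECTED.items():
        tables.setdefault(binding[ifname], []).append(
            (ipaddress.ip_network(prefix), ifname))
    return tables


def forward(binding, ingress, dst):
    """Look up dst only in the table of the VRF bound to the ingress interface.

    Returns the egress interface, or None when that table has no route (drop).
    """
    table = build_tables(binding)[binding[ingress]]
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in table if addr in net]
    if not matches:
        return None
    # Longest-prefix match, as a router would choose.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def policy1_violations(binding):
    """List (ingress, other) pairs where one VLAN can reach another through B1-R."""
    bad = []
    for ingress in CONNECTED:
        for other, prefix in CONNECTED.items():
            if other == ingress:
                continue
            host = str(next(ipaddress.ip_network(prefix).hosts()))
            if forward(binding, ingress, host) is not None:
                bad.append((ingress, other))
    return bad


if __name__ == "__main__":
    print(forward(SINGLE_TABLE, "E0/0.1", "10.10.20.10"))  # Sales -> HR, no VRFs
    print(policy1_violations(VRF_BINDING))
```

Running `policy1_violations` against the intended bindings after any change to the interface-to-VRF mapping gives a quick check that no sub-interface has been left in a table that also holds another VLAN's subnet.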

