RL 2014-2015 Practic Sample2 Sol

Test Practic RL
Varianta sample2, ianuarie 2015
Rezolv
ari
1.
Subpunctul (a)
Cele trei ret, ele cont, in, respectiv, 2 stat, ii, 4 stat, ii s, i 5 stat, ii. Avem as, adar nevoie de o subret, ea cu
masca /30 (o astfel de ret, ea poate cont, ine 23230 2 = 2 stat, ii) s, i de doua subret, ele cu masca /29
(o astfel de subret, ea poate cont, ine 23229 2 = 6 stat, ii).
Pornim de la ret, eaua 1.1.1.01100000/27. Dorim sa obt, inem, pentru nceput doua subret, ele cu
masca /29. Adic
a 1.1.1.011XY000/29. Alocam spat, iul 1.1.1.01100000/29 pentru a doua ret, ea
din topologie s, i spat, iul 1.1.1.01101000/29 pentru a treia ret, ea din topologie.
Mai r
am
an spat, iile 1.1.1.01110000/29 s, i 1.1.1.01111000/29. Alegem primul spat, iu pentru a
obt, ine o subret, ea cu masca /30 rezult
and, astfel, 1.1.1.01110000/30.
Cele trei spat, ii pentru cele trei subret, ele, sunt as, adar:
1.1.1.01110000/30, adic
a 1.1.1.112/30 pentru prima ret, ea (cea cu 2 stat, ii)
1.1.1.01100000/29, adic
a 1.1.1.96/29 pentru a doua ret, ea (cea cu 4 stat, ii)
1.1.1.01101000/29, adic
a 1.1.1.104/29 pentru a treia ret, ea (cea cu 5 stat, ii)
Subpunctele (b), (c) s, i (d)

Vom configura pe stat, ii urm
atoarele adrese:
prima ret, ea: 1.1.1.113/30, 1.1.1.114/30; masca n format zecimal este 255.255.255.252
a doua ret, ea: 1.1.1.97/29, 1.1.1.98/29, 1.1.1.99/29, 1.1.1.100/29; masca n format
zecimal este 255.255.255.248
a treia ret, ea: 1.1.1.105/29, 1.1.1.106/29, 1.1.1.107/29, 1.1.1.108/29, 1.1.1.109/29;
masca n format zecimal este 255.255.255.248
In PacketTracer se acceseaz
a fiecare stat, ie (Desktop IP Configuration) s, i se completeaza adresa
IP s, i masca de ret, ea corespunz
atoare. Apoi se verifica folosind mesaje PacketTracer (n dreapta iconul Add Simple PDU sau tasta p) sau direct din consola unei stat, ii (Desktop Command Prompt,
urmat de o comand
a ping $adresaIP, unde $adresa IP este adresa unei alte stat, ii din ret, ea).
Solut, ia se g
ases, te n fis, ierul rl_practic_2014-2015_sample2_ex1_sol.pkt.
2.
Subpunctul (a)
Pentru dezactivarea rul
arii STP acces
am switch-ul Switch0 s, i intram n modul de configurare:
Switch0>en
Switch0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch0(config)#
Informat, ii despre dezactivarea STP se gasesc la adresa http://www.cisco.com/en/US/docs/switches/
lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swstp.html#wp1108279.
Dezactiv
am STP pe VLAN-ul implicit (1) cu posibilitatea de a salva configurat, ia s, i verificam configurat, ia:
Switch0(config)#no spanning-tree vlan 1
Switch0(config)#^Z
Switch0#
%SYS-5-CONFIG_I: Configured from console by console
Test Practic RL
Varianta sample2
ianuarie 2015
Switch0#copy running-config startup-config

Destination filename [startup-config]?
Building configuration...
[OK]
Switch0#show spanning-tree
No spanning tree instance exists.
Switch0#show spanning-tree vlan 1
No spanning tree instance exists.
Subpunctul (b)
Pentru configurarea de VLAN-uri nu este nevoie sa configuram switch-ul Switch1 ntrucat ambele
stat, ii conectate la acesta (PC3 s, i PC4) se gasesc n acelas, i VLAN (VLAN-ul 10).
In prim
a faz
a vom configura pe switch-ul Switch2 porturile Fa2/1 (portul dintre switch-ul Switch1)
s, i Fa0/1 (portul dintre stat, ia PC6) n modul access pe VLAN-ul 10.
Switch2>en
Switch2#conf t
Enter configuration commands,
Switch2(config)#vlan 10
Switch2(config-vlan)#name 10
Switch2(config-vlan)#exit
Switch2(config)#int fa2/1
Switch2(config-if)#switchport
Switch2(config-if)#exit
Switch2(config)#
one per line. End with CNTL/Z.
mode access
access vlan 10
mode access
access vlan 10
Dup
a aceat
a configurare, dup
a rularea STP, stat, iile PC3, PC4 s, i PC6 vor avea conectivitate, dar nu s, i
stat, ia PC7 care nu a fost nc
a ad
augat
a n VLAN-ul 10. Pentru verificarea conectivitat, ii folosim fie
mesaje PacketTracer (Add Simple PDU sau tasta p) sau comanda ping din consola stat, iilor (Desktop
Command Prompt).
Subpunctul (c)
Pentru a ad
auga stat, ia PC7 n VLAN-ul 10, vom configura:
pe switch-ul Switch3 portul Fa1/1 (portul dinspre stat, ia PC7) n modul acces pe VLAN-ul 10
pe switch-ul Switch3 portul Fa3/1 (portul dinspre switch-ul Switch2) n modul trunchi
pe switch-ul Switch2 portul Fa3/1 (portul dinspre switch-ul Switch3) n modul trunchi
Configurarea este cea de mai jos:
Switch3>en
Switch3#conf t
Switch3(config-vlan)#name zece
Test Practic RL
Varianta sample2
ianuarie 2015
Switch3(config)#
mode access
access vlan 10
mode trunk
trunk allowed vlan 10,20
Switch2#conf t
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#switchport trunk allowed vlan 10,20
Switch2(config)#
In acest moment avem conectivitate ntre toate stat, iile din VLAN-ul 10: PC3, PC4, PC6 s, i PC7.
Subpunctul (d)
Pentru a asigura conectivitatea celor dou
a stat, ii din VLAN-ul 20 (stat, iile PC5 s, i PC8) trebuie doar
s
a realiz
am configur
ari de tip acces pe porturi, ntrucat legatura de tip trunchi ntre switch-urile
Switch2 s, i Switch3 a fost deja realizat
a. Vom configura:
Switch2(config-vlan)#name douazeci
Switch2(config-if)#switchport mode access
Switch2(config-if)#switchport access vlan 20
Switch2(config-if)#^Z
Switch2#
[OK]
Switch2#
Switch3(config-vlan)#name 20
Switch3(config-if)#switchport mode access
Switch3(config-if)#switchport access vlan 20
Switch3(config)#^Z
Switch3#
Test Practic RL
Varianta sample2
ianuarie 2015
[OK]
Switch3#
Mai sus am s, i salvat configurat, ia pentru cele doua switch-uri configurate: Switch2 s, i Switch3.
In acest moment avem conectivitatea ntre cele doua stat, ii din VLAN-ul 20: PC5 s, i PC8.
Solut, ia se g
3.
Subpunctul (a)
Configur
am ret, elele dintre rutere n conformitate cu enunt, ul astfel:
Router0(Fa1/0):
100.100.100.1/30
Router1(Fa0/0):
100.100.100.2/30
Router1(Fa1/0):
200.200.200.1/30
Router2(Fa1/0):
200.200.200.2/30

Router0>en
Router0#conf t
Router0(config)#int fa1/0
Router0(config-if)#ip address 100.100.100.1 255.255.255.252
Router0(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
Router0(config-if)#
Router0(config-if)#exit
Router0(config)#
Router1>en
Router1#conf t
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router1(config-if)#
Router1(config-if)#
Router1(config)#
Router2>en
Router2#conf t
Test Practic RL
Varianta sample2
ianuarie 2015

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
Router2(config-if)#
Router2(config)#
Acum ruterele sunt conectate ntre ele. Putem verifica folosind comanda ping:
Router0#ping 100.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/6/15 ms
Router0#
Router1#ping 100.100.100.1
!!!!!
Router1#ping 200.200.200.2
.!!!!
Router1#
Router2#ping 200.200.200.1
!!!!!
Router2#
Subpunctul (b)
Pentru a avea conectivatea ntre toate ruterele trebuie sa realizam urmatoarele configurari:
pe ruterul Router0 s
a fie ad
augat
a o ruta catre ret, eaua dintre ruterul Router1 s, i Router2
(200.200.200.0/30) av
and ca next hop adresa IP a interfet, ei Fa0/0 de pe ruterul Router1
(100.100.100.2)
Test Practic RL
Varianta sample2
ianuarie 2015
pe ruterul Router2 s
a fie ad
augat
a o ruta catre ret, eaua dintre ruterul Router0 s, i Router1
(100.100.100.0/30) av
and ca next hop adresa IP a interfet, ei Fa1/0 de pe ruterul Router1
(200.200.200.1)
Router0#conf t
Router0(config)#ip route 200.200.200.0 255.255.255.252 100.100.100.2
Router2#conf t
Acum ruterele sunt conectate toate ntre ele. Putem verifica folosind comanda ping:
Router0#ping 200.200.200.2
!!!!!
Router2#ping 100.100.100.1
!!!!!
Subpunctul (c)
Pentru ca ruterul Router1 s
a aib
a acces la ret, ele switch-urilor Switch0 s, i Switch3 trebuie sa realizam
urm
atoarele configur
ari:
ad
aug
am o rut
a c
atre ret, eaua switch-ului Switch0 (1.1.1.0/24) avand ca next hop adresa
interfet, ei Fa1/0 de pe ruterul Router0 (100.100.100.1)
ad
aug
am o rut
a c
atre ret, eaua switch-ului Switch3 (4.4.4.0/24) avand ca next hop adresa
interfet, ei Fa1/0 de pe ruterul Router2 (200.200.200.2)
pe stat, iile PC0 s, i PC1 configur
am ca default gateway adresa IP a interfet, ei Fa0/0 a ruterului
Router0 (1.1.1.1
Router2 (4.4.4.1
Router1#conf t
Configurarea default gateway pe stat, ii se realizeaza prin intermediul interfet, ei grafice PacketTracer
(Desktop IP Configuration Default Gateway).
Verific
am configurarea folosind comanda ping:
Router1(config)#do ping 1.1.1.2
Test Practic RL
Varianta sample2
ianuarie 2015
!!!!!
.!!!!
.!!!!
.!!!!
Router1(config)#
Subpunctul (d)
Pentru ca ruterele Router0 s, i Router2 s
a aiba acces la ret, ele switch-urilor Switch1 s, i Switch2 trebuie
s
a realiz
am urm
atoarele configur
ari:
pe ruterul Router0 ad
aug
am o rut
a catre ret, eaua switch-ului Switch1 (2.2.2.0/24) s, i una
c
atre ret, eaua switch-ului Switch2 (3.3.3.0/24) avand ca next hop adresa interfet, ei Fa0/0 de
pe ruterul Router1 (100.100.100.2)
aug
am o rut
a catre ret, eaua switch-ului Switch1 (2.2.2.0/24) s, i una
c
atre ret, eaua switch-ului Switch2 (3.3.3.0/24) avand ca next hop adresa interfet, ei Fa1/0 de
pe ruterul Router1 (200.200.200.1)
Router1 (2.2.2.1
Router1 (3.3.3.1
Router0#conf t
Router2#conf t
Configurarea default gateway pe stat, ii se realizeaza prin intermediul interfet, ei grafice PacketTracer
(Desktop IP Configuration Default Gateway).
Verific
am configurarea folosind comanda ping:
Test Practic RL
Varianta sample2
ianuarie 2015
Router0(config)#do
[...]
Router0(config)#do
[...]
Router0(config)#do
[...]
Router0(config)#do
[...]
ping 2.2.2.2
Router2(config)#do
[...]
Router2(config)#do
[...]
Router2(config)#do
[...]
Router2(config)#do
[...]
ping 2.2.2.2
ping 2.2.2.3
ping 3.3.3.2
ping 3.3.3.3
ping 2.2.2.3
ping 3.3.3.2
ping 3.3.3.3
Subpunctul (e)
Pentru a definitiva configurat, ia mai trebuie ca ruterul Router0 sa ajunga la ret, eaua switch-ului
Switch3 iar ruterul Router2 s
a ajung
a la ret, eaua switch-ului Switch0. Trebuie sa realizam urmatoarele
configur
ari:
aug
am o rut
a catre ret, eaua switch-ului Switch3 (4.4.4.0/24) avand ca
next hop adresa interfet, ei Fa0/0 de pe ruterul Router1 (100.100.100.2)
aug
am o rut
a catre ret, eaua switch-ului Switch0 (1.1.1.0/24) avand ca
next hop adresa interfet, ei Fa1/0 de pe ruterul Router1 (200.200.200.1)
Router0(config)#do show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
S 2.2.2.0 [1/0] via 100.100.100.2
S 3.3.3.0 [1/0] via 100.100.100.2
S 4.4.4.0 [1/0] via 100.100.100.2
S 200.200.200.0 [1/0] via 100.100.100.2
Test Practic RL
Varianta sample2
ianuarie 2015

Router2(config)#do show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 1.1.1.0 [1/0] via 200.200.200.1
S 2.2.2.0 [1/0] via 200.200.200.1
S 3.3.3.0 [1/0] via 200.200.200.1
S 100.100.100.0 [1/0] via 200.200.200.1
Am folosit comanda do show ip route pentru a vizualiza tabela de comutare a ruterelor s, i pentru
validarea configurat, iei.
Verific
am configurarea dac
a avem conectivitate ntre toate stat, iile. Folosim fie mesaje PacketTracer
(Add Simple PDU sau tasta p) sau comanda ping din consola stat, iilor (Desktop Command Prompt).
Solut, ia se g
4. In prim
a faz
a rul
am scriptul de configurare a topologiei:
root@host:~# ./rl-practical-sample2-prepare 4
Subpunctul (a)
Vom configura adresa 192.168.10.1/24 pe host(veth-red) s, i adresa 192.168.10.2 pe red(eth0).
Avem n vedere s
a ridic
am interfet, ele s, i s
a validam configurat, ia:
root@host:~# ip a a 192.168.10.1/24 dev veth-red
root@host:~# ip l s dev veth-red up
root@host:~# ip a s veth-red
31: veth-red: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 0a:31:65:b4:86:d4 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 scope global veth-red
root@host:~# ip r s dev veth-red
192.168.10.0/24 proto kernel scope link src 192.168.10.1
root@red:~# ip a a 192.168.10.2/24 dev eth0
root@red:~# ip l s dev eth0 up
root@red:~# ip a s eth0
30: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:16:3e:8e:84:21 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.2/24 scope global eth0
inet6 fe80::216:3eff:fe8e:8421/64 scope link
valid_lft forever preferred_lft forever
root@red:~# ip r s
Test Practic RL
Varianta sample2
ianuarie 2015

Verific
am folosind comanda ping:
root@red:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_req=1 ttl=64 time=0.071 ms
^C
--- 192.168.10.1 ping statistics --1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.071/0.071/0.071/0.000 ms
Vom configura adresa 192.168.20.1/24 pe host(veth-green) s, i adresa 192.168.20.2 pe green(eth0).
Avem n vedere s
a ridic
root@host:~# ip a a 192.168.20.1/24 dev veth-green
root@host:~# ip l s dev veth-green up
root@host:~# ip a s veth-green
34: veth-green: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 1e:2f:76:82:85:de brd ff:ff:ff:ff:ff:ff
inet 192.168.20.1/24 scope global veth-green
root@host:~# ip r s dev veth-green
root@green:~# ip a a 192.168.20.2/24 dev eth0
root@green:~# ip l s dev eth0 up
root@green:~# ip a s eth0
link/ether 00:16:3e:d1:b2:95 brd ff:ff:ff:ff:ff:ff
inet6 fe80::216:3eff:fed1:b295/64 scope link
root@green:~# ip r s
Verific
root@green:~# ping 192.168.20.1
^C
Vom configura adresa 192.168.30.1/24 pe host(veth-blue) s, i adresa 192.168.30.2 pe blue(eth0).
Avem n vedere s
a ridic
root@host:~# ip a a 192.168.30.1/24 dev veth-blue
root@host:~# ip l s dev veth-blue up
root@host:~# ip a s veth-blue
37: veth-blue: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether ca:40:75:73:78:f3 brd ff:ff:ff:ff:ff:ff
inet 192.168.30.1/24 scope global veth-blue
root@host:~# ip r s dev veth-blue
root@blue:~# ip a a 192.168.30.2/24 dev eth0
root@blue:~# ip l s dev eth0 up
root@blue:~# ip a s eth0
Test Practic RL
Varianta sample2
ianuarie 2015
link/ether 00:16:3e:32:0f:ae brd ff:ff:ff:ff:ff:ff
inet6 fe80::216:3eff:fe32:fae/64 scope link
root@blue:~# ip r s
Verific
root@blue:~# ping 192.168.30.1
^C
Subpunctul (b)
Pentru conectivitate ntre stat, iile de tip containere trebuie sa realizam urmatorii pas, i:
ad
augarea default gateway pe fiecare container; adresa este adresa interfet, ei veth corespunzatoare
de pe stat, ia host
activarea rut
arii pe stat, ia host
root@red:~# ip r a default via 192.168.10.1
root@red:~# ip r s dev eth0
default via 192.168.10.1
root@green:~# ip r a default via 192.168.20.1
root@green:~# ip r s
default via 192.168.20.1 dev eth0
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.2
root@blue:~# ip r a default via 192.168.30.1
root@blue:~# ip r s
default via 192.168.30.1 dev eth0
192.168.30.0/24 dev eth0 proto kernel scope link src 192.168.30.2
root@host:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
Verific
am conectivitatea ntre containere:
root@red:~# ping 192.168.20.2 # OK de la red la green
root@red:~# ping 192.168.30.2 # OK de la red la blue
root@green:~# ping 192.168.10.2 # OK de la green la red
root@green:~# ping 192.168.30.2 # OK de la green la blue
root@blue:~# ping 192.168.10.2 # OK de la blue la red
root@blue:~# ping 192.168.20.2 # OK de la blue la green
Test Practic RL
Varianta sample2
ianuarie 2015
Subpunctul (c)
Pentru conectivitate la Internet a containerelor trebuie sa configuram o regula de NAT (MASQUERADE)
pe stat, ia host.
root@host:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@host:~# iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Verific
am conectivitatea de pe containere la google.com:
root@red:~# ping google.com
PING google.com (173.194.112.102) 56(84) bytes of data.
64 bytes from fra07s30-in-f6.1e100.net (173.194.112.102): icmp_req=1 ttl=48 time=38.1 ms
^C
--- google.com ping statistics --1 packets transmitted, 1 received, 0% packet loss, time 0ms
root@green:~# ping google.com
^C
root@blue:~# ping google.com
^C
5. In prim
a faz
a rul
Subpunctul (a)
Pentru a permite traficul FTP c
atre stat, ia green doar de la stat, ia red configuram iptables astfel:
permitem traficul FTP de la stat, ia red la green
respingem traficul FTP de la orice stat, ie catre green; ntrucat va trebui sa blocam s, i stat, ia host
vom folosi s, i lant, ul OUTPUT
root@host:~# iptables -t filter -A FORWARD -s 20.20.20.2 -d 30.30.30.2 -p tcp --dport 21 -j ACCEPT
root@host:~# iptables -t filter -A FORWARD -d 30.30.30.2 -p tcp --dport 21 -j REJECT
root@host:~# iptables -t filter -A OUTPUT -d 30.30.30.2 -p tcp --dport 21 -j REJECT
root@host:~# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 84 packets, 6160 bytes)
Test Practic RL
Varianta sample2
ianuarie 2015
Chain
pkts
0
0
FORWARD (policy ACCEPT 0 packets, 0 bytes)

bytes target prot opt in out source destination
0 ACCEPT tcp -- * * 20.20.20.2 30.30.30.2 tcp dpt:21
0 REJECT tcp -- * * 0.0.0.0/0 30.30.30.2 tcp dpt:21 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 41 packets, 4132 bytes)

0 0 REJECT tcp -- * * 0.0.0.0/0 30.30.30.2 tcp dpt:21 reject-with icmp-port-unreachable
Folosim clientul ftp pentru verificare:
root@host:~# ftp 30.30.30.2 # Conexiune refuzata de la host la green
ftp: connect: Connection refused
ftp>
root@host:~# ftp 20.20.20.2 # Conexiune OK de la host la red (nu am stricat altceva)
Connected to 20.20.20.2.
220 (vsFTPd 2.3.5)
Name (20.20.20.2:root): ^C
root@red:~# ftp 30.30.30.2 # Conexiune OK de la red la green
220 (vsFTPd 2.3.5)
Name (30.30.30.2:root): ^C
root@blue:~# ftp 30.30.30.2 # Conexiune refuzata de la blue la green
ftp: connect: Connection refused
ftp>
root@blue:~# ftp 20.20.20.2 # Conexiune OK de la blue la red (nu am stricat altceva)
220 (vsFTPd 2.3.5)
Name (20.20.20.2:root): ^C
Subpunctul (b)
Pentru a permite comunicarea ICMP a stat, iei red doar cu stat, ia host realizam o configurare simpla:
respingem traficul ICMP pe lant, ul iptables FORWARD pe stat, ia host
root@host:~# iptables -t filter -A FORWARD -p icmp -d 20.20.20.2 -j REJECT
Folosim comanda ping pentru verificare:
root@host:~# ping 20.20.20.2 # OK de la host la red
^C
root@green:~# ping 20.20.20.2 # Respins de la green la red
From 30.30.30.1 icmp_seq=1 Destination Port Unreachable
^C
--- 20.20.20.2 ping statistics --1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
Test Practic RL
Varianta sample2
ianuarie 2015
root@green:~# ping 40.40.40.2 # OK de la green la blue (nu am stricat altceva)

^C
root@blue:~# ping 20.20.20.2 # Respins de la blue la red
^C
root@blue:~# ping 30.30.30.2 # OK de la blue la geen (nu am stricat altceva)
^C
Subpunctul (c)
Pentru ca stat, ia red s
a poat
a comunica ICMP cu alte stat, ii trebuie ca stat, ia sa poata trimite pachete
IMCP de tip echo-request s, i s
a poat
a primi pachete ICMP de tip echo-reply. Pentru aceasta vom
face urm
atoarea configuare:
inser
am o regul
a n lant, ul FORWARD care accepta pachetele ICMP de tip echo-reply trimise
stat, iei red
restul regulilor r
am
ane ceea ce nseamna ca alte pachete ICMP (de tip echo-request) nu vor
ajunge la stat, ia red s, i, deci, stat, ia nu va putea fi contactata de alte stat, ii
Configurarea este cea de mai jos (exemple de configurare iptables se gasesc la adresa http://www.
thegeekstuff.com/scripts/iptables-rules):
root@host:~# iptables -t filter -L FORWARD -n -v --line-number
Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
num pkts bytes target prot opt in out source destination
1 5 256 ACCEPT tcp -- * * 20.20.20.2 30.30.30.2 tcp dpt:21
2 2 120 REJECT tcp -- * * 0.0.0.0/0 30.30.30.2 tcp dpt:21 reject-with icmp-port-unreachable
3 3 252 REJECT icmp -- * * 0.0.0.0/0 20.20.20.2 reject-with icmp-port-unreachable
root@host:~# iptables -t filter -I FORWARD 3 -d 20.20.20.2 -p icmp --icmp-type echo-reply -j ACCEPT
root@host:~# iptables -t filter -L FORWARD -n -v --line-number
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5 256 ACCEPT tcp -- * * 20.20.20.2 30.30.30.2 tcp dpt:21
2 2 120 REJECT tcp -- * * 0.0.0.0/0 30.30.30.2 tcp dpt:21 reject-with icmp-port-unreachable
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 20.20.20.2 icmptype 0
4 3 252 REJECT icmp -- * * 0.0.0.0/0 20.20.20.2 reject-with icmp-port-unreachable
root@red:~# ping 30.30.30.2 # OK de la red la green
^C
Test Practic RL
Varianta sample2
ianuarie 2015
root@red:~# ping 40.40.40.2 # OK de la red la blue
^C
root@green:~# ping 20.20.20.2 # Respins de la green la red
^C
root@blue:~# ping 20.20.20.2 # Respins de la blue la red
^C
6. In prim
a faz
a rul
Subpunctul (a)
Pentru a conecta stat, iile red s, i green vom realiza urmatorii pas, i:
vom crea bridge-ul br0
vom ad
auga interfat, a de tip veth specifica stat, iei red (adica veth-red) la bridge-ul br0
vom ad
auga interfat, a de tip veth specifica stat, iei green (adica veth-green) la bridge-ul br0
root@host:~# brctl addbr br0
root@host:~# brctl addif br0 veth-red
root@host:~# brctl addif br0 veth-green
root@host:~# ip l s dev br0 up
root@host:~# brctl show br0
bridge name bridge id STP enabled interfaces
br0 8000.7e86d6631dbc no veth-green
veth-red
root@red:~# ping 42.42.42.3
^C
Test Practic RL
Varianta sample2
ianuarie 2015
root@green:~# ping 42.42.42.2

^C
Subpunctul (b)
Pentru a crea o pereche de interfet, e veth folosim comanda ip link (detalii la adresa http://people.
debian.org/~ultrotter/talks/dc10/networking.html): Configurarea este cea de mai jos:
root@host:~# ip link add name veth-conn0 type veth peer name veth-conn1
root@host:~# ip link set dev veth-conn0 up
root@host:~# ip link set dev veth-conn1 up
root@host:~# ip a s
[...]
63: veth-conn1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 96:59:c1:93:7b:a2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::9459:c1ff:fe93:7ba2/64 scope link
64: veth-conn0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 12:eb:e2:15:d5:f2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::10eb:e2ff:fe15:d5f2/64 scope link
Subpunctul (c)
Pentru a conecta stat, ia blue la celelalte stat, ii vom realiza urmatorii pas, i:
vom
vom
vom
vom
vom
crea bridge-ul br1

ad
auga interfat, a de tip veth specifica stat, iei blue (adica veth-blue) la bridge-ul br1
ad
auga interfat, a de leg
ature de tip veth (veth-conn0) la bridge-ul br1
ridica interfat, a br1
ad
auga interfat, a pereche de tip veth (veth-conn1) la bridge-ul br0

root@host:~# brctl addbr br1
root@host:~# brctl addif br1 veth-blue
root@host:~# brctl addif br1 veth-conn0
root@host:~# ip l s dev br1 up
root@host:~# brctl addif br0 veth-conn1
br1 8000.12ebe215d5f2 no veth-blue
veth-conn0
br0 8000.7e86d6631dbc no veth-conn1
veth-green
veth-red
Test Practic RL
Varianta sample2
ianuarie 2015

root@blue:~# ping 42.42.42.2 # Conexiune OK de la blue la red
^C
root@blue:~# ping 42.42.42.3 # Conexiune OK de la blue la green
^C
Subpunctul (d)
Stat, iile de tip container au adrese IP din ret, eaua 42.42.42.0/24. Vom configura adresa 42.42.42.1/24
interfet, ei br1. In acest fel s, i stat, ia host va fi conectata la stat, iile de tip container.
root@host:~# ip a a 42.42.42.1/24 dev br1
root@host:~# ip a s dev br1
62: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 12:eb:e2:15:d5:f2 brd ff:ff:ff:ff:ff:ff
inet 42.42.42.1/24 scope global br1
inet6 fe80::10eb:e2ff:fe15:d5f2/64 scope link
root@host:~# ip r s dev br1
root@host:~# ping 42.42.42.2 # OK de la host la red
^C
root@host:~# ping 42.42.42.3 # OK de la host la green
^C
root@host:~# ping 42.42.42.4 # OK de la host la blue
^C
Test Practic RL
Varianta sample2
ianuarie 2015

RL 2014-2015 Practic Sample2 Sol

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

RL 2014-2015 Practic Sample2 Sol

Încărcat de

Drepturi de autor:

Formate disponibile

Test Practic RL

Varianta sample2, ianuarie 2015

Subpunctele (b), (c) s, i (d)

Switch0#copy running-config startup-config

one per line. End with CNTL/Z.

Configurarea este cea de mai jos:

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip route 1.1.1.0 255.255.255.0 200.200.200.1

192.168.10.0/24 proto kernel scope link src 192.168.10.2

FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 41 packets, 4132 bytes)

root@green:~# ping 40.40.40.2 # OK de la green la blue (nu am stricat altceva)

root@green:~# ping 42.42.42.2

crea bridge-ul br1

Configurarea este cea de mai jos:

Folosim comanda ping pentru verificare:

S-ar putea să vă placă și