Cisco Support Community
New Member

basic schema design and security mechanisms for slowing down bandwidth

Hi to all!

At first I am sorry for a lot of noob questions - I am just a beginner in networking.

I have a LAN with 1 SW (Cisco Catalyst 2950 series), 1 R (Cisco 2501), one Apache server on a Linux machine (Fedora) and 5 computers. My task is to test my application for preventing DoS attacks on the computer with Apache. My network design is on the image, but if it is necessary, I can change it (I can use more switches and routers like this). So my noob questions are:

1.) Will this design work? How can I connect these two LANs to the router? Do I need one more router? Can I connect a SW Ethernet port to the router's console port?

2.) I have erased the SW and R configuration. I have configured only the interfaces and the RIP protocol with networks 10.0.0.0/8 and 192.168.0.0/24. What else do I need to configure to make it possible to view the web page from the computer with Apache on another computer?

3.) what is "ip http server" setting?

4.) I need to send TCP, UDP, HTTP and ICMP packets from the computers to Apache (is it allowed by default?).

5.) I need to use all the bandwidth for the DoS attack, so I need to disable security mechanisms (the configurations are erased, so what else do I need to disable or set up?). I have heard only about storm-control, but it is disabled.

6.) Do I need to set up something like this for full speed on the devices?

interface range fa 0/1 - 3
 speed 100
 duplex full

7.) The last question is, I want to monitor the protocols and ports of packets sent from the computers to the Apache computer, or the bandwidth usage (bits/s). Do the SW/R have some mechanisms for statistics like this?

Thank you very much.

Matej

2 REPLIES
Silver

Matej Mihalech wrote: (quoted the original post in full)

The 2950 switch and 2501 router are pretty old, low specification devices, so you might run into performance problems. Be aware of this. The 2950 also is not, from memory, a layer 3 switch, so it does *no* routing.

To answer your questions (I'm assuming some basic knowledge of how to use IOS, so these commands are indicative only).

The 2501 has only one Ethernet port, so you can't connect the way you have in your diagram. You cannot connect an Ethernet port to the router console port - the console port is a serial connection, by default running at 9600/8N1, and is not convertible to Ethernet.

To make your required network work, you'd need to do the following.

1) Configure your 2501 Ethernet port for dot1q VLAN trunking by doing something like this

! The 2501's single Ethernet port is a 10 Mb/s AUI port named Ethernet0;
! it has no speed/duplex commands, so those are left out here.
interface ethernet0
 no shutdown
 no ip address
interface ethernet0.2
 encapsulation dot1q 2
 ip address 10.0.0.4 255.0.0.0
interface ethernet0.3
 encapsulation dot1q 3
 ip address 192.168.0.1 255.255.255.0

Setup in this manner you don't need routing protocols such as RIP because both routes will be directly connected, and the router will know how to get between them without anything fancy.

Then connect the ethernet interface of your 2501 to a port on your 2950 switch - I'll assume it's a 24 port switch, so I'll use interface f0/24

Create VLANs 2 & 3 for your devices by doing this (the 2950 is so old the IOS config-mode method of creating VLANs won't work, from memory)

vlan database
 vlan 2 name workstations
 vlan 3 name server
 exit
! "exit" applies the VLAN database changes.
! The 2950 trunks 802.1Q only, so there is no "switchport trunk encapsulation"
! command on it; the trunk keyword for the allowed list is "vlan", not "vlans".
interface f0/24
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 speed 100
 duplex full

You can create a VLAN interface for management of your switch at the same time if you like

interface vlan2
 ip address 10.0.0.7 255.0.0.0
 no shutdown

Then connect your devices. You will need to configure each switchport into an appropriate VLAN - for example, if you are connecting your server to port f0/23

interface f0/23
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast

Use "switchport access vlan 2" for your workstation ports.

The "ip http server" setting on switches/routers enables management via the web - on these old devices, turn it off, as it's next to useless. Type "no ip http server" in configuration mode.

There is no packet filtering or security enabled on these devices by default, so you can just sling whatever you like at the Apache server.

Unfortunately, owing to the fact you only have one Ethernet port to uplink to the router, you will never be able to saturate the server. The best you will manage is 50 megabits per second (half in, half out) because you have to trunk back to the switch to get to the server. If you really need to flood the server, you either need a better router (one with two Ethernet ports) or a layer-3 capable switch (so you can eliminate the trunk and just use the built-in routing capabilities between subnets).

And finally - you won't be able to monitor protocols/ports using this hardware. You *could* set up a MONITOR/MIRROR port and use a separate PC running Wireshark or something to monitor the trunk port, but that would need additional hardware (PCs) and a bit more configuration.

Phew. Hope that helps a bit. Basically, to do the loading you want, you need better/different hardware, but you can come close with what you've got.

Cheers.
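The reply above answers question 7 with "mirror the trunk port and put a PC on it". What the PC then does with the frames is the part neither post shows, so the following is an added example (not code from this thread or from Cisco): a small Python accounting script that takes raw Ethernet frames as a monitor PC would see them, parses the Ethernet, optional 802.1Q tag, IPv4 and TCP/UDP/ICMP headers, and reports packets and bytes per (protocol, destination port) toward the Apache host plus the average bits per second over the capture window. The frames, timestamps, MAC addresses and the server address 192.168.0.10 are constructed inline as sample data and are assumptions, not values from the thread; on a real mirror port you would feed parse_frame() frames read from a pcap file or a raw socket instead. The 802.1Q handling matters because a mirrored trunk port can deliver tagged frames, which a parser that assumes a 14-byte Ethernet header would silently misread.

```python
"""Per-protocol / per-port accounting of frames seen on a SPAN (mirror) port.

Added example, not code from the thread. MAC addresses, IPs, sizes and
timestamps below are constructed sample data.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed MAC addresses (assumptions, not from the thread).
SERVER_MAC = b"\x00\x11\x22\x33\x44\x55"
CLIENT_MAC = b"\x00\x66\x77\x88\x99\xaa"


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_frame(proto, src_ip, dst_ip, payload, sport=0, dport=0, vlan=None):
    """Construct a minimal Ethernet II + IPv4 + TCP/UDP/ICMP frame (sample data).

    Checksums are left as zero: these frames are parsed, never transmitted.
    vlan=N inserts an 802.1Q tag, as frames mirrored from a trunk port may carry.
    """
    if proto == 6:     # TCP: ports, seq, ack, data offset 5 words, SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:  # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    elif proto == 1:   # ICMP echo request: type, code, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    else:
        raise ValueError("unsupported protocol %d" % proto)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = SERVER_MAC + CLIENT_MAC             # destination MAC, then source MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Return (protocol name, destination IP, destination port or None, wire bytes),
    or None for anything that is not IPv4. Skips an optional 802.1Q tag."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:          # tagged frame: real ethertype sits 4 bytes later
        if len(frame) < 18:
            return None
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    vhl, _, _, _, _, _, proto, _, _, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, offset)
    ihl = (vhl & 0x0F) * 4                    # IPv4 header length, options included
    l4_offset = offset + ihl
    dport = None
    if proto in (6, 17) and len(frame) >= l4_offset + 4:
        dport = struct.unpack_from("!HH", frame, l4_offset)[1]
    dst_ip = ".".join(str(b) for b in dst)
    return PROTO_NAMES.get(proto, str(proto)), dst_ip, dport, len(frame)


def account(captured, server_ip):
    """Aggregate frames addressed to server_ip by (protocol, destination port).

    captured: iterable of (timestamp_seconds, frame_bytes).
    Returns (stats dict, average bits per second over the capture window).
    A capture of a single counted frame has no duration, so its rate is 0.0
    rather than a ZeroDivisionError.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    first = last = None
    total_bytes = 0
    for ts, frame in captured:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, dst_ip, dport, size = parsed
        if dst_ip != server_ip:
            continue                          # traffic to other hosts is not counted
        entry = stats[(proto, dport)]
        entry["packets"] += 1
        entry["bytes"] += size
        total_bytes += size
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    duration = (last - first) if first is not None else 0.0
    bps = total_bytes * 8 / duration if duration > 0 else 0.0
    return dict(stats), bps


def sample_capture():
    """Constructed capture: four clients hitting the Apache host plus one stray frame."""
    server = "192.168.0.10"
    return [
        (0.0, build_ipv4_frame(6, "10.0.0.11", server, b"G" * 1000, 40001, 80)),
        (0.5, build_ipv4_frame(6, "10.0.0.12", server, b"G" * 1000, 40002, 80, vlan=3)),
        (1.0, build_ipv4_frame(17, "10.0.0.13", server, b"Q" * 100, 40003, 53)),
        (1.0, build_ipv4_frame(1, "10.0.0.14", server, b"\x00" * 56)),
        (2.0, build_ipv4_frame(6, "10.0.0.11", "10.0.0.5", b"G" * 1000, 40004, 80)),
    ]


if __name__ == "__main__":
    stats, bps = account(sample_capture(), "192.168.0.10")
    for (proto, port), entry in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        print("%-5s port %-5s %4d packets %6d bytes" % (proto, port, entry["packets"], entry["bytes"]))
    print("average toward server: %.0f bit/s" % bps)
```

The rate is computed over the whole window between the first and last counted frame, which is what a quick "did my flood fill the link?" check needs; for a live view you would bucket by second instead. Note that the script counts bytes on the wire as the mirror port delivers them, so it will report at most the line rate of the SPAN destination port itself, which is another reason the trunk-limited figure in the reply is the ceiling for this topology.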

New Member


does 2501 support router on a stick?
