Ccna2 project
CCNA 2 - Routing and Switching
Hakim ADICHE
Computer Engineering Department - KFUPM
1/1/2014
West Office Switch Block

1. Configure each switch with the following:
   - Hostname
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   - On all trunks, configure the native VLAN to be the management VLAN.
   - Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the VTP mode as depicted in the diagram.
   - On the VTP server switch, configure VTP version 2.
   - On the VTP server switch, configure the VTP domain name “ccna2.org”.
4. Protect all switches with the VTP password “ccna2”.
5. Configure the three VLANs 63, 87 and 99 on the VTP server. Do not assign any port yet. Check whether the VLANs propagated to the VTP client switches. What about the VTP transparent switch?
   - You might need to manually configure the VLANs 63, 87 and 99 on the VTP transparent switch.
   - Configure the VTP transparent switch with VTP version 2.
   - Configure the VTP transparent switch with the VTP domain “ccna2.org”.
6. Populate the VLANs on each switch with ports as shown in the diagram.
   - Check VLANs and VLAN port membership on all switches.
7. Configure the SVI for VLAN 99 on all switches as follows:

   Switch   SVI   IP Address     Subnet Mask
   SW1      99    172.16.99.1    255.255.255.0
   SW2      99    172.16.99.2    255.255.255.0
   SW3      99    172.16.99.3    255.255.255.0
   SW4      99    172.16.99.4    255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links
East Office Switch Block

1. Configure each switch with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   - On all trunks, configure the native VLAN to be the management VLAN.
   - Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the VTP mode as depicted in the diagram.
   - On the VTP server switch, configure VTP version 2.
   - On the VTP server switch, configure the VTP domain name “ccna2.org”.
4. Protect all switches with the VTP password “ccna2”.
5. Configure the three VLANs 21, 34 and 88 on the VTP server. Do not assign any port yet. Check whether the VLANs propagated to the VTP client switches. What about the VTP transparent switch?
   - You might need to manually configure the VLANs 21, 34 and 88 on the VTP transparent switch.
   - Configure the VTP transparent switch with VTP version 2.
   - Configure the VTP transparent switch with the VTP domain “ccna2.org”.
6. Populate the VLANs on each switch with ports as shown in the diagram.
   - Check VLANs and VLAN port membership on all switches.
7. Configure the SVI for VLAN 88 on all switches as follows:

   Switch   SVI   IP Address     Subnet Mask
   SW5      88    172.16.88.5    255.255.255.0
   SW6      88    172.16.88.6    255.255.255.0
   SW7      88    172.16.88.7    255.255.255.0
   SW8      88    172.16.88.8    255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links
Data Center Switch Block

1. Configure each switch with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   - On all trunks, configure the native VLAN to be the management VLAN.
   - Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the VTP mode as depicted in the diagram.
   - On one VTP server switch only, configure VTP version 2.
   - On one VTP server switch only, configure the VTP domain name “ccna2.org”.
4. Protect all switches with the VTP password “ccna2”.
5. Configure the three VLANs 11, 55 and 77 on the VTP server (SW11). Do not assign any port yet. Check whether the VLANs propagated to the other VTP server and to the VTP client switches.
6. Populate the VLANs on the VTP client switches only with ports as shown in the diagram.
   - Check VLANs and VLAN port membership on the VTP client switches.
7. Configure the SVI for VLAN 77 on all switches as follows:

   Switch   SVI   IP Address      Subnet Mask
   SW9      77    172.16.77.9     255.255.255.0
   SW10     77    172.16.77.10    255.255.255.0
   SW11     77    172.16.77.11    255.255.255.0
   SW12     77    172.16.77.12    255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links
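The three switch blocks above ask for the same configuration with different VLAN numbers and addresses. The following is an added example written for SW1 of the West Office block; it is not part of the original assignment. It assumes SW1 is the VTP server of its block, that FastEthernet0/1 is the trunk uplink, that Fa0/5-10 and Fa0/11-16 are the access ports for VLANs 63 and 87, and the VLAN names are invented; the real roles and port assignments are the ones in the diagram. The East and Data Center blocks use the same commands with their own VLAN ids (21/34/88 and 11/55/77), SVI addresses and VTP roles; in the Data Center block the VLANs, VTP version and domain are set on SW11 only and ports are assigned on the VTP clients only.

```cisco
! Added example: SW1, West Office block. The VTP server role, the uplink and
! the access port ranges are assumptions; the diagram in the assignment decides.
enable
configure terminal
hostname SW1
! Step 1: passwords and banner. "enable secret" stores the password hashed,
! unlike "enable password".
enable secret ccna2
banner motd #Non-Authorized access to this switch is prohibited#
line console 0
 password ccna2
 login
line vty 0 4
 password ccna2
 login
 transport input telnet
! Steps 3 and 4: VTP role, version 2, domain name and password
vtp mode server
vtp version 2
vtp domain ccna2.org
vtp password ccna2
! Step 5: VLANs are created on the VTP server only. Clients receive them
! through VTP; a transparent switch ignores the updates and needs them locally.
vlan 63
 name WEST_63
vlan 87
 name WEST_87
vlan 99
 name MANAGEMENT
! Step 2: 802.1Q trunk toward the neighbouring switch, native VLAN = management
interface FastEthernet0/1
 switchport mode dynamic desirable
 switchport trunk native vlan 99
! Step 6: access ports
interface range FastEthernet0/5 - 10
 switchport mode access
 switchport access vlan 63
interface range FastEthernet0/11 - 16
 switchport mode access
 switchport access vlan 87
! Step 7: management SVI
interface Vlan99
 ip address 172.16.99.1 255.255.255.0
 no shutdown
end
! Step 8: verification, run inside a Telnet session opened from another switch
show interfaces trunk
show vtp status
show vlan brief
ping 172.16.99.2
```

On multilayer switches (3560 class) the trunk also needs "switchport trunk encapsulation dot1q" before the mode command. "show interfaces trunk" lists the native VLAN of every trunk; if the two ends disagree, CDP reports a native VLAN mismatch in the log, which is the quickest way to catch a misconfigured trunk.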
Configuring OSPF Domain

1. Configure the routers in the OSPF domain, R1, R2, R3, R4, R5 and R6, with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2
2. Configure the Fast Ethernet 0/21 ports of both switches SW7 and SW8 as trunk ports with no trunking negotiation.
3. Configure sub-interfaces on the Fast Ethernet 0/0 interface of routers R2 and R3, using the IP addresses depicted in the diagram and IEEE 802.1Q encapsulation, for routing between VLANs 21 and 34.
4. Configure the OSPF routing protocol following the table below:

   Device   Interfaces (Area 0 / Area 100)
   R1       Fa0/0, Fa0/1, S0/0/0, S0/0/1
   R2       Fa0/0.21, Fa0/0.34, Fa0/1, S0/0/1
   R3       Fa0/0.21, S0/0/1, Fa0/0.34, Fa0/1
   R4       Fa0/1, S0/0/0
   R5       Fa0/1, S0/0/0
   R6       Fa0/1
   R7       S0/0/0, S0/0/1

5. Configure R4 as DR and R5 as BDR on the LAN segment 192.168.0.0/24.
6. Configure R2 as DR and R3 as BDR on the LAN segments 192.168.21.0/24 and 192.168.34.0/24.
7. Configure the hello interval on Fa0/1 of R4 to be 5 seconds.
8. Disable all OSPF hello advertisements to LANs where no OSPF routers exist (West Office LANs).
9. On router R6, advertise a default route via OSPF to the OSPF domain. To achieve this, first assign IP addresses to the interfaces on the two serial links S0/0/0 and S0/0/1, then configure two static default routes on R6 pointing to the R8 serial interfaces. Only one static default route must be advertised through OSPF. If that route goes down, the other static route should be advertised to the OSPF domain.
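The following is an added example for the OSPF section; it is not part of the original assignment. R2 is shown in full (the step 1 baseline is the same one R1, R3, R4, R5, R6 and, later, R8 and ISP receive), followed by the fragments of R3, R4, R1 and R6 that implement steps 5 to 9. The OSPF process id 1, the router-id, every interface address and the choice of which R1 interfaces face the West Office LANs are assumptions; the subnets 192.168.21.0/24, 192.168.34.0/24, 192.168.0.0/24, 10.10.0.0/24 and 10.10.1.0/24 come from the text. Area numbers per interface follow the table and the diagram.

```cisco
! Added example, not part of the assignment. Addresses and process id assumed.
hostname R2
! Step 1: the RSA key needs the hostname and domain name set first
ip domain-name ccna2.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
! "secret" stores the password hashed; the assignment's "password ccna2" form
! is stored reversibly
username cisco secret ccna2
enable secret ccna2
banner motd #Non-Authorized access to this router is prohibited#
line console 0
 password ccna2
 login
! "login local" authenticates against the local account database; only SSH on vty 0-4
line vty 0 4
 login local
 transport input ssh
! Step 3: 802.1Q sub-interfaces for VLANs 21 and 34 behind the SW7/SW8 trunk.
! Step 6: priority 255 makes R2 the DR on both segments (default priority is 1).
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.2 255.255.255.0
 ip ospf priority 255
interface FastEthernet0/0.34
 encapsulation dot1Q 34
 ip address 192.168.34.2 255.255.255.0
 ip ospf priority 255
! Step 4: one network statement per interface keeps the area membership explicit.
! Fa0/1 and S0/0/1 are added the same way with their subnet and area from the table.
router ospf 1
 router-id 2.2.2.2
 network 192.168.21.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
! R3, step 6: priority 200 makes it the BDR behind R2. DR elections are not
! pre-emptive: set priorities before the adjacencies form, or run
! "clear ip ospf process" on the routers of the segment afterwards.
interface FastEthernet0/0.21
 ip ospf priority 200
interface FastEthernet0/0.34
 ip ospf priority 200
!
! R4, steps 5 and 7 (R5 gets priority 200). Changing the hello interval also
! resets the dead interval to 4 x hello (20 s); R5's Fa0/1 must carry the same
! timers or the adjacency on 192.168.0.0/24 drops.
interface FastEthernet0/1
 ip address 192.168.0.4 255.255.255.0
 ip ospf priority 255
 ip ospf hello-interval 5
!
! R1, step 8: the West Office LANs are still advertised, but no hellos are sent
! into them (Fa0/0 and Fa0/1 assumed to be those LANs).
router ospf 1
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
!
! R6, step 9. S0/0/0 is assumed to sit on the main link 10.10.0.0/24 and S0/0/1
! on the backup link 10.10.1.0/24 (the RIPv2 section names those two links).
interface Serial0/0/0
 ip address 10.10.0.1 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 10.10.1.1 255.255.255.0
 no shutdown
! Primary default (AD 1) and a floating static default (AD 10) that only
! enters the routing table once the primary disappears
ip route 0.0.0.0 0.0.0.0 10.10.0.2
ip route 0.0.0.0 0.0.0.0 10.10.1.2 10
! Without "always", the default is advertised only while one is in the table,
! so exactly one default route reaches the OSPF domain at any time.
router ospf 1
 default-information originate
end
! Verification
show ip ospf neighbor
show ip ospf interface FastEthernet0/1
show ip route ospf
```

The failover in step 9 comes from two mechanisms working together: the floating static route is installed only when the connected route of the primary serial link is withdrawn, and "default-information originate" (without "always") follows whatever default is currently in the routing table. Shutting the primary serial interface on R6 and watching "show ip route" on R4 shows the switch-over.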
Configuring RIPv2

1. Configure router R8 with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2
2. Configure the interfaces Fa0/0, Fa0/1, S0/0/0 and S0/0/1 with the IP addresses depicted in the diagram.
3. Configure two default static routes on R8 pointing to the serial interfaces on R6. The serial link 10.10.0.0/24 should be the main link and the other link, 10.10.1.0/24, should be the backup link.
4. Configure the Fast Ethernet 0/22 ports on both switches SW11 and SW12 as Layer-3 routed ports and assign them the IP addresses depicted in the diagram.
5. Make sure the Layer-3 switches are enabled for IP routing.
6. On both Layer-3 switches, configure SVIs for VLANs 11 and 55 with the IP addresses depicted in the diagram.
7. Configure RIPv2 and enable it on the following interfaces:

   Device   Interface
   R8       Fa0/0, Fa0/1
   SW11     Fa0/22, SVI 11
   SW12     Fa0/22, SVI 55

8. Advertise a default route via RIPv2 from router R8 to the RIPv2 domain.
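The following is an added example for the RIPv2 section; it is not part of the original assignment. R8 and SW11 are shown; SW12 is configured like SW11 with its own addresses and RIP enabled on SVI 55 instead of SVI 11. The step 1 baseline for R8 is the same as in the OSPF example and is not repeated. The LAN-side addresses (10.11.0.0/24 toward SW11, 10.12.0.0/24 toward SW12, 172.16.11.0/24 and 172.16.55.0/24 for the SVIs) are assumptions; the two serial subnets are the ones named in step 3, and 172.16.77.11 is SW11's management SVI from the Data Center block.

```cisco
! Added example, not part of the assignment. LAN addresses are assumptions.
hostname R8
! Step 2: Fa0/0 toward SW11 Fa0/22, Fa0/1 toward SW12 Fa0/22 (assumed)
interface Serial0/0/0
 ip address 10.10.0.2 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 10.10.1.2 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 10.11.0.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 10.12.0.1 255.255.255.0
 no shutdown
! Step 3: main default over 10.10.0.0/24, backup with administrative distance 10
ip route 0.0.0.0 0.0.0.0 10.10.0.1
ip route 0.0.0.0 0.0.0.0 10.10.1.1 10
! Steps 7 and 8. RIP network statements are classful, so "network 10.0.0.0"
! also matches the two serial links toward the OSPF domain. Making them
! passive keeps RIP updates off those links, as the table requires, while their
! subnets are still advertised to SW11 and SW12.
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 passive-interface Serial0/0/0
 passive-interface Serial0/0/1
 default-information originate
end
!
! SW11 (Layer-3 switch): steps 4 to 7
hostname SW11
! Step 5: enable routing between SVIs and routed ports
ip routing
! Step 4: routed port toward R8 Fa0/0
interface FastEthernet0/22
 no switchport
 ip address 10.11.0.2 255.255.255.0
 no shutdown
! Step 6: SVIs for VLANs 11 and 55 (addresses assumed)
interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 no shutdown
interface Vlan55
 ip address 172.16.55.1 255.255.255.0
 no shutdown
! Step 7: RIPv2 on Fa0/22 and SVI 11 only. "network 172.16.0.0" also matches
! SVI 55 and the management SVI 77 (172.16.77.11), which the table does not
! list, so both are made passive.
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 172.16.0.0
 passive-interface Vlan55
 passive-interface Vlan77
end
! Verification on R8 and SW11
show ip protocols
show ip route rip
```

"show ip protocols" lists the passive interfaces and the interfaces RIP is actually sending on, which is the quickest way to confirm that the table in step 7 was honoured and that no RIP updates leak toward the OSPF side or out of the management VLAN.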
Configuring NAT

1. Configure the router ISP with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2
2. Configure the serial interfaces S0/1/0 of routers R6 and R8 with the assigned IP addresses, as depicted in the diagram.
3. Configure the router ISP with the IP addresses assigned to its S0/0/0 and S0/0/1 interfaces, as shown in the diagram.
4. All packets leaving R6 and R8 and destined to the segment 196.15.60.0/24 should have their source IP addresses translated into the IP address of the serial interface S0/1/0 of the respective router. To achieve this, you also need to configure a specific static route on both routers R6 and R8 to the segment 196.15.60.0/24 on ISP.
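The following is an added example for the NAT section; it is not part of the original assignment. R6 is shown together with the matching ISP interface; R8 is configured the same way with its own S0/1/0 address and ISP's S0/0/1. The ISP-facing /30 (203.0.113.0/30) and the list of inside interfaces are assumptions; the segment 196.15.60.0/24 comes from step 4.

```cisco
! Added example, not part of the assignment. The /30 toward ISP is assumed.
hostname R6
! Step 2: link to ISP. Its address becomes the translated source address.
interface Serial0/1/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
! Inside interfaces: every interface whose traffic may head for 196.15.60.0/24
! (the OSPF LAN and the two serial links to R8, assumed)
interface FastEthernet0/1
 ip nat inside
interface Serial0/0/0
 ip nat inside
interface Serial0/0/1
 ip nat inside
! Step 4: translate only packets whose destination is 196.15.60.0/24.
! The match is on the destination, so other outbound traffic is left alone.
ip access-list extended NAT-TO-ISP
 permit ip any 196.15.60.0 0.0.0.255
ip nat inside source list NAT-TO-ISP interface Serial0/1/0 overload
! The specific static route wins over the default routes by longest match, so
! traffic for 196.15.60.0/24 leaves through S0/1/0, where the NAT rule applies.
ip route 196.15.60.0 255.255.255.0 203.0.113.1
end
!
! ISP, step 3: the far end of the R6 link (S0/0/1 toward R8 is done the same way)
hostname ISP
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 no shutdown
end
!
! Verification on R6: generate traffic toward a host in 196.15.60.0/24, then
show ip nat translations
show ip nat statistics
```

Because every packet toward 196.15.60.0/24 leaves with the S0/1/0 address as its source, ISP needs no route back to the internal 192.168.x.x and 10.x.x.x networks; the return traffic is addressed to the directly connected serial interface. "show ip nat statistics" shows the hit count of the NAT-TO-ISP list, and a zero count after a test ping usually means the static route or an "ip nat inside" statement is missing.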
Configuring DHCP and DHCP Spoofing

1. Configure DHCP servers on the three (3) routers R1, R2 and R3 to provide IP addresses, subnet masks, default gateways and DNS server addresses to the hosts in VLANs 21, 34, 63 and 87.
2. Configure DHCP snooping on all switches in both the East and West blocks to block rogue DHCP servers. This step needs to be configured on real switches, since DHCP snooping is not supported by the current version of Cisco Packet Tracer.
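The following is an added example for the DHCP section; it is not part of the original assignment. R2 serves VLANs 21 and 34 (R1 serves 63 and 87 the same way) and SW7 shows DHCP snooping; SW8 and the West Office switches are configured alike. The gateway address 192.168.21.2/192.168.34.2 (R2's sub-interfaces, as assumed in the OSPF example), the DNS server 172.16.11.10 in the Data Center, the access port range and the inter-switch trunk Fa0/1 are assumptions; Fa0/21 is the trunk toward the routers named in the OSPF section.

```cisco
! Added example, not part of the assignment. Gateway, DNS and ports assumed.
hostname R2
! Step 1: keep the gateway and a few static addresses out of the pools
ip dhcp excluded-address 192.168.21.1 192.168.21.10
ip dhcp excluded-address 192.168.34.1 192.168.34.10
ip dhcp pool VLAN21
 network 192.168.21.0 255.255.255.0
 default-router 192.168.21.2
 dns-server 172.16.11.10
ip dhcp pool VLAN34
 network 192.168.34.0 255.255.255.0
 default-router 192.168.34.2
 dns-server 172.16.11.10
end
!
! SW7, step 2: DHCP snooping. Only the trunk toward R2/R3 may source DHCP
! server messages (OFFER/ACK); every access port is untrusted, so a rogue
! server plugged into one is silently dropped.
hostname SW7
ip dhcp snooping
ip dhcp snooping vlan 21,34
! Catalyst switches insert option 82 with giaddr 0.0.0.0 by default, which a
! Cisco IOS DHCP server on the router discards; switching the option off avoids
! broken leases without changing the router.
no ip dhcp snooping information option
interface FastEthernet0/21
 ip dhcp snooping trust
! Trunks between switches carry legitimate offers too and must be trusted
interface FastEthernet0/1
 ip dhcp snooping trust
! Access ports stay untrusted; rate-limiting client DHCP traffic stops
! a host from exhausting the pool with forged DISCOVERs
interface range FastEthernet0/5 - 20
 ip dhcp snooping limit rate 10
end
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp binding
```

The binding table built by snooping ("show ip dhcp snooping binding") records port, VLAN, MAC and leased address for every client; it is the evidence to look at when a host claims it got an address from the wrong server, and it is the data source that Dynamic ARP Inspection and IP Source Guard use if those are enabled later.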
Configuring NTP

1. Configure a loopback interface lo0 with the address 172.31.0.1/24 on router R4 and advertise it through OSPF in area 0.
2. Set the clock on R4 to GMT time.
3. Configure the clock time zone on R4 and set it to +3.
4. Configure R4 as the NTP server for the whole system and set the stratum to 4. This step can be configured on real routers only and is not yet supported by Cisco Packet Tracer.
5. Configure all the other routers and switches with the clock time zone +3 and then as NTP clients, so that they synchronize their clocks with the R4 clock at 172.31.0.1.
Configuring CDP

1. For management purposes, you need to configure CDP on all routers only.
2. Disable CDP advertisements on all switches and toward those LANs with no routers.
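The following is an added example for the NTP and CDP sections; it is not part of the original assignment. R4 is the NTP server, and the "any other device" part stands for every other router and switch. The time-zone name AST is arbitrary (only the +3 offset matters), the OSPF process id 1 and the date in "clock set" are assumptions, and so is the choice of FastEthernet0/0 as a router interface facing a LAN without routers.

```cisco
! Added example, not part of the assignment.
! --- R4, steps 1 to 4 ---
hostname R4
configure terminal
interface Loopback0
 ip address 172.31.0.1 255.255.255.0
router ospf 1
 network 172.31.0.0 0.0.0.255 area 0
end
! Step 2: "clock set" runs in privileged EXEC. Set it BEFORE the time zone is
! configured: with no zone configured the value is taken as UTC (GMT).
clock set 12:00:00 1 Jan 2014
configure terminal
! Step 3: the zone only changes how the time is displayed; NTP exchanges UTC
clock timezone AST 3
! Step 4: R4 becomes an authoritative source at stratum 4
ntp master 4
end
!
! --- any other router or switch, step 5 ---
configure terminal
clock timezone AST 3
ntp server 172.31.0.1
end
! Synchronisation takes a few minutes; "show ntp status" reports
! "Clock is synchronized, stratum 5" once it completes
show ntp status
show ntp associations
show clock detail
!
! --- CDP ---
! Routers: CDP stays on globally for management (step 1) but is switched off on
! interfaces facing LANs without routers (step 2); Fa0/0 is assumed to be one
configure terminal
cdp run
interface FastEthernet0/0
 no cdp enable
end
! Switches: no CDP at all (step 2)
configure terminal
no cdp run
end
show cdp neighbors detail
```

A common time base is what makes the logs of all devices comparable, so the NTP step is worth verifying on every device and not only on a sample; "show clock detail" states whether the time source is NTP or was set by hand. "show cdp neighbors detail" on a router should list only the other routers once the switches have CDP off.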
Configuring Port Security

1. Configure port security on all Layer-2 switches that connect to end devices: SW1, SW2, SW3, SW4, SW5, SW6, SW7, SW8, SW9 and SW10.
2. All switch ports should be configured as sticky ports that allow only one device to connect.
3. In case of a violation, the switch port should automatically shut down.
4. You can also shut down all unconnected switch ports.
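The following is an added example for the port security section; it is not part of the original assignment. It is shown for SW1; SW2 to SW10 are configured the same way. Fa0/5-16 as the end-device ports and Fa0/17-24 as the unconnected ports are assumptions; the diagram decides.

```cisco
! Added example, not part of the assignment. Port ranges are assumptions.
hostname SW1
configure terminal
! Steps 1 to 3: port security is only accepted on a statically configured
! access (or trunk) port, never on a "dynamic" one
interface range FastEthernet0/5 - 16
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
! Step 4: nothing connected, so nothing may come up
interface range FastEthernet0/17 - 24
 shutdown
! Optional: let err-disabled ports recover by themselves after 5 minutes
! instead of waiting for an administrator
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! Sticky addresses are written into the running configuration as they are
! learned; save so they survive a reload
copy running-config startup-config
! Verification
show port-security
show port-security interface FastEthernet0/5
show port-security address
show interfaces status err-disabled
```

After a violation the port goes to err-disabled and "show port-security interface" shows the violation count and the last offending MAC address; without the recovery timer the port is brought back with "shutdown" followed by "no shutdown". Note that "maximum 1" with sticky learning locks the port to the first device seen on it, which is exactly what the lab asks for, so moving a PC to another port is itself a violation until the learned address is cleared.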
Configuring Access Lists

1. On R1, configure an access list such that all hosts in VLANs 63 and 21 are allowed to access all servers in the Data Center block except the FTP server. The access list should also prevent IP spoofing.
2. On R2 and R3, configure an access list such that all hosts in VLANs 87 and 34 are allowed to access all servers in the Data Center block except the Web server. The access list should also prevent IP spoofing.
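The following is an added example for the access list section; it is not part of the original assignment. The VLAN 63 filter on R1 is shown; the VLAN 21 list on R1 and the VLAN 87 and 34 lists on R2/R3 (which deny the Web server instead) follow the same pattern with their own subnet, server address and interface. The subnet 172.16.63.0/24 for VLAN 63, the FTP server address 172.16.11.21 and FastEthernet0/0 as the VLAN 63 interface are placeholders; the diagram holds the real values.

```cisco
! Added example, not part of the assignment. Subnet, server and interface are
! placeholders.
hostname R1
configure terminal
ip access-list extended VLAN63-IN
 remark VLAN 63 hosts may not reach the FTP server (placeholder address)
 deny   ip 172.16.63.0 0.0.0.255 host 172.16.11.21
 remark everything else from VLAN 63's own subnet is allowed
 permit ip 172.16.63.0 0.0.0.255 any
 remark anti-spoofing: a source outside 172.16.63.0/24 cannot legitimately
 remark arrive on this interface, so it is dropped and logged
 deny   ip any any log
! Applied inbound on the interface where VLAN 63 hosts enter the router; an
! ingress filter is the only place where the source address can be checked
! against the attached subnet
interface FastEthernet0/0
 ip access-group VLAN63-IN in
end
! Verification
show access-lists VLAN63-IN
show ip interface FastEthernet0/0
```

The anti-spoofing part is the "permit only my own subnet, then deny everything" structure: one list per VLAN interface, because the acceptable source range is a property of that interface. The explicit "deny ip any any log" does what the implicit deny would do but produces a syslog line per matched packet, so spoofed sources become visible in the log and in the hit counters of "show access-lists". If the intent is to allow the VLAN to reach the Data Center servers only and nothing else, replace the "any" in the permit line with the Data Center server subnets.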
Testing

Make sure you keep the default VLAN on switch SW13 and configure it with the protection passwords and the remaining configuration as done for the other Layer-2 switches.
It is left to you to build a testing strategy, with a set of testing steps, in order to check and verify the proper functioning of the whole system.
It is better to document your testing strategy and to learn how to use the debug and show commands on both Cisco routers and Cisco switches.