CCNA 2 - Routing and Switching: Project
Hakim ADICHE, Computer Engineering Department - KFUPM
1/1/2014


West Office Switch Block

1. Configure each switch with the following:
   - hostname
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”

2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   On all trunks, configure the native VLAN to be the management VLAN.
   Check trunking between all switches and make sure trunking is ON.

3. Configure each switch with the VTP mode as depicted in the diagram.
   On the VTP server switch, configure VTP version 2.
   On the VTP server switch, configure the VTP domain name “ccna2.org”.

4. Protect all switches with the VTP password “ccna2”.

5. Configure the three VLANs 63, 87 and 99 on the VTP server. Do not assign any port yet. Check whether the VLANs propagated to the VTP client switches. What about the VTP transparent switch?
   You might need to manually configure the VLANs 63, 87 and 99 on the VTP transparent switch.
   Configure the VTP transparent switch with VTP version 2.
   Configure the VTP transparent switch with the VTP domain “ccna2.org”.

6. Populate the VLANs on each switch with ports as shown in the diagram.
   Check the VLANs and VLAN port membership on all switches.

7. Configure the SVI for VLAN 99 on all switches as follows:

   Switch   SVI   IP Address    Subnet Mask
   SW1      99    172.16.99.1   255.255.255.0
   SW2      99    172.16.99.2   255.255.255.0
   SW3      99    172.16.99.3   255.255.255.0
   SW4      99    172.16.99.4   255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links


East Office Switch Block

1. Configure each switch with the following:
   - hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”

2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   On all trunks, configure the native VLAN to be the management VLAN.
   Check trunking between all switches and make sure trunking is ON.

3. Configure each switch with the VTP mode as depicted in the diagram.
   On the VTP server switch, configure VTP version 2.
   On the VTP server switch, configure the VTP domain name “ccna2.org”.

4. Protect all switches with the VTP password “ccna2”.

5. Configure the three VLANs 21, 34 and 88 on the VTP server. Do not assign any port yet. Check whether the VLANs propagated to the VTP client switches. What about the VTP transparent switch?
   You might need to manually configure the VLANs 21, 34 and 88 on the VTP transparent switch.
   Configure the VTP transparent switch with VTP version 2.
   Configure the VTP transparent switch with the VTP domain “ccna2.org”.

6. Populate the VLANs on each switch with ports as shown in the diagram.
   Check the VLANs and VLAN port membership on all switches.

7. Configure the SVI for VLAN 88 on all switches as follows:

   Switch   SVI   IP Address    Subnet Mask
   SW5      88    172.16.88.5   255.255.255.0
   SW6      88    172.16.88.6   255.255.255.0
   SW7      88    172.16.88.7   255.255.255.0
   SW8      88    172.16.88.8   255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links


Data Center Switch Block

1. Configure each switch with the following:
   - hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this switch is prohibited”

2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking should be in dynamic desirable mode.
   On all trunks, configure the native VLAN to be the management VLAN.
   Check trunking between all switches and make sure trunking is ON.

3. Configure each switch with the VTP mode as depicted in the diagram.
   On one VTP server switch only, configure VTP version 2.
   On one VTP server switch only, configure the VTP domain name “ccna2.org”.

4. Protect all switches with the VTP password “ccna2”.

5. Configure the three VLANs 11, 55 and 77 on the VTP server (SW11). Do not assign any port yet. Check whether the VLANs propagated to the other VTP server and to the VTP client switches.

6. Populate the VLANs on the VTP client switches only with ports as shown in the diagram.
   Check the VLANs and VLAN port membership on the VTP client switches.

7. Configure the SVI for VLAN 77 on all switches as follows:

   Switch   SVI   IP Address     Subnet Mask
   SW9      77    172.16.77.9    255.255.255.0
   SW10     77    172.16.77.10   255.255.255.0
   SW11     77    172.16.77.11   255.255.255.0
   SW12     77    172.16.77.12   255.255.255.0

8. From any switch, you should be able to telnet to and access any other switch in this block. Once you access a switch remotely, check the following:
   - Ping the other switches using the management SVI IP address
   - Display the configured VLANs
   - Display the VTP status
   - Check the established trunk links
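The three switch blocks (West Office, East Office and Data Center) follow the same eight steps with different VLAN numbers, SVI addresses and VTP roles. The configuration below is an added example for one switch, not taken from the project handout; it uses the West Office values and assumes SW1 is that block's VTP server, that Fa0/1 is the trunk to the next switch and that Fa0/5 is an access port in VLAN 63. The VLAN names are made up. Comments flag the two points a defender would check: the VTP password does not stop a higher-revision switch from overwriting the VLAN database, and Telnet carries the vty password in cleartext.

```cisco
! Added example, not part of the project handout. SW1 is assumed to be the
! West Office VTP server; Fa0/1 (trunk) and Fa0/5 (access) are assumptions.
enable
configure terminal
hostname SW1
!
! step 1: local access protection and banner.
! "enable secret" stores a hash; "enable password" would be reversible.
enable secret ccna2
service password-encryption
line console 0
 password ccna2
 login
line vty 0 4
 password ccna2
 login
 ! only Telnet, as the handout asks; Telnet sends the password in
 ! cleartext across the management VLAN, so keep that VLAN off user ports
 transport input telnet
banner motd #Non-Authorized access to this switch is prohibited#
!
! steps 3 and 4: VTP role, version, domain and password.
! The password only authenticates VTP summaries: a switch in the same domain
! with the same password and a higher configuration revision can still
! overwrite the VLAN database, so read "show vtp status" on any switch
! before trunking it into the block.
vtp mode server
vtp version 2
vtp domain ccna2.org
vtp password ccna2
!
! step 5: VLANs are created once on the server and propagated by VTP
vlan 63
 name WEST-63
vlan 87
 name WEST-87
vlan 99
 name MGMT
!
! step 2: 802.1Q trunk, dynamic desirable, native VLAN = management VLAN.
! The encapsulation line is only accepted on switches that also speak ISL.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 99
!
! step 6: one access port; "mode access" also stops DTP negotiation on it
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 63
!
! step 7: management SVI
interface Vlan99
 ip address 172.16.99.1 255.255.255.0
 no shutdown
end
!
! Client and transparent switches differ only in the VTP lines:
!   vtp mode client        (VLANs arrive from the server)
!   vtp mode transparent   (create VLANs 63, 87 and 99 locally; the switch
!                           forwards VTP advertisements but ignores them)
!
! step 8: checks to run from a Telnet session on another switch
!   ping 172.16.99.2
!   show vlan brief
!   show vtp status
!   show interfaces trunk
```

For the Data Center block the same lines apply, except that only SW11 carries the version and domain lines and the second VTP server simply receives them; "show vtp status" on each switch should then report the same domain, version and configuration revision.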


Configuring the OSPF Domain

1. Configure the routers in the OSPF domain (R1, R2, R3, R4, R5 and R6) with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2

2. Configure the Fast Ethernet 0/21 ports of both switches SW7 and SW8 as trunk ports with no trunking negotiation.

3. Configure sub-interfaces on the Fast Ethernet 0/0 interface of routers R2 and R3, using the IP addresses as depicted in the diagram and IEEE 802.1Q encapsulation, for routing between VLANs 21 and 34.

4. Configure the OSPF routing protocol following the table below (each interface belongs to Area 0 or Area 100 as shown in the diagram):

   Device   Area 0 / Area 100 interfaces
   R1       Fa0/0, Fa0/1, S0/0/0, S0/0/1
   R2       Fa0/0.21, Fa0/0.34, Fa0/1, S0/0/1
   R3       Fa0/0.21, S0/0/1, Fa0/0.34, Fa0/1
   R4       Fa0/1, S0/0/0
   R5       Fa0/1, S0/0/0
   R6       Fa0/1
   R7       S0/0/0, S0/0/1

5. Configure R4 as DR and R5 as BDR on the LAN segment 192.168.0.0/24.

6. Configure R2 as DR and R3 as BDR on the LAN segments 192.168.21.0/24 and 192.168.34.0/24.

7. Configure the hello interval on Fa0/1 of R4 to be 5 seconds.

8. Disable all OSPF hello advertisements to LANs where no OSPF routers exist (the West Office LANs).

9. On router R6, advertise a default route via OSPF to the OSPF domain. To achieve this, first assign IP addresses to the interfaces on the two serial links S0/0/0 and S0/0/1, then configure two static default routes on R6 pointing to the R8 serial interfaces. Only one static default route must be advertised through OSPF. If that route goes down, the other static route should be advertised to the OSPF domain.
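The following is an added example covering steps 1 and 3 to 9 of this section; it is not taken from the project handout. Everything the handout leaves to the diagram is an assumption here: R2 owns 192.168.21.1 and 192.168.34.1, R6's serial links to R8 are 10.10.0.1/24 (R8 side 10.10.0.2) and 10.10.1.1/24 (R8 side 10.10.1.2), R1's Fa0/0 faces a West Office LAN, and the area numbers in the network statements must be read off the table above. The router IDs are made up.

```cisco
! Added example, not part of the project handout. Addresses, interface roles
! and area numbers marked below are assumptions; take them from the diagram.
!
! ===== R2 (same baseline on R1, R3, R4, R5, R6): step 1, SSH only on the vty =====
hostname R2
ip domain-name ccna2.com
enable secret ccna2
! the handout says "username cisco password ccna2"; "secret" stores a hash instead
username cisco secret ccna2
! 1024 bits as the handout asks; 2048 or larger is the usual minimum today
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
line console 0
 password ccna2
 login
line vty 0 4
 login local
 transport input ssh
banner motd #Non-Authorized access to this router is prohibited#
!
! ===== R2: step 3 router-on-a-stick, step 6 DR on both VLAN segments =====
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ! higher priority than R3 (which would use a lower non-zero value, e.g. 100,
 ! to become BDR); priority is not preemptive, so set it before the
 ! adjacencies come up or clear the OSPF process afterwards
 ip ospf priority 200
interface FastEthernet0/0.34
 encapsulation dot1Q 34
 ip address 192.168.34.1 255.255.255.0
 ip ospf priority 200
!
! ===== R2: step 4 OSPF process; the area in each statement is an assumption =====
router ospf 1
 router-id 2.2.2.2
 network 192.168.21.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
 ! add Fa0/1 and S0/0/1 with the area the table assigns to them
!
! ===== R4: step 5 DR on 192.168.0.0/24, step 7 hello interval =====
interface FastEthernet0/1
 ip ospf priority 255
 ! 5 s hellos (the dead interval follows as 4x); R5, the BDR, must use the
 ! same timers on its Fa0/1 or the two routers never become neighbours
 ip ospf hello-interval 5
!
! ===== R1: step 8, no hellos into LANs that have no OSPF routers =====
router ospf 1
 passive-interface FastEthernet0/0
!
! ===== R6: step 9, default route with a floating static backup =====
interface Serial0/0/0
 ip address 10.10.0.1 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 10.10.1.1 255.255.255.0
 no shutdown
! primary default (administrative distance 1) via the 10.10.0.0/24 link;
! the backup carries AD 10, so it is installed only when the primary is lost
ip route 0.0.0.0 0.0.0.0 10.10.0.2
ip route 0.0.0.0 0.0.0.0 10.10.1.2 10
router ospf 1
 router-id 6.6.6.6
 ! without the "always" keyword OSPF advertises a default only while one of
 ! the two static routes is in the routing table; whichever is active is the
 ! only one advertised, which is exactly what step 9 asks for
 default-information originate
!
! checks: show ip ospf neighbor, show ip ospf interface FastEthernet0/1,
!         show ip route ospf (look for "O*E2 0.0.0.0/0" on the other routers)
```

To exercise step 9, shut down S0/0/0 on R6 and confirm with "show ip route" that the backup static appears locally and that the other routers still hold an OSPF default, now pointing through the 10.10.1.0/24 link.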


Configuring RIPv2

1. Configure router R8 with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2

2. Configure the interfaces Fa0/0, Fa0/1, S0/0/0 and S0/0/1 with IP addresses as depicted in the diagram.

3. Configure two default static routes on R8 pointing to the serial interfaces on R6. The serial link 10.10.0.0/24 should be the main link and the other link, 10.10.1.0/24, should be the backup link.

4. Configure the Fast Ethernet 0/22 ports on both switches SW11 and SW12 as Layer-3 routed ports and assign them IP addresses as depicted in the diagram.

5. Make sure the Layer-3 switches are enabled for IP routing.

6. On both Layer-3 switches, configure SVIs for VLANs 11 and 55 with IP addresses as depicted in the diagram.

7. Configure RIPv2 and enable it on the following interfaces:

   Device   Interface
   R8       Fa0/0
   R8       Fa0/1
   SW11     Fa0/22
   SW11     SVI 11
   SW12     Fa0/22
   SW12     SVI 55

8. Advertise a default route via RIPv2 from router R8 to the RIPv2 domain.
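Steps 2 to 8 for R8 and SW11, as an added example that is not part of the project handout. Assumed values, since the diagram is not on the page: R8's Fa0/0 is 172.16.10.1/24 towards SW11's Fa0/22 at 172.16.10.2, R8's Fa0/1 is 172.16.20.1/24 towards SW12, VLAN 11 on SW11 is 172.16.11.0/24, and R6's serial addresses are 10.10.0.1 and 10.10.1.1. R8's step 1 baseline (SSH, passwords, banner) is the same as for the OSPF routers and is not repeated. The comment on the classful network statement is the point worth taking away: RIP's "network 172.16.0.0" also catches the 172.16.77.x management SVI from the Data Center block.

```cisco
! Added example, not part of the project handout. All host addresses are
! assumptions; take them from the diagram.
!
! ===== R8 =====
hostname R8
interface Serial0/0/0
 ip address 10.10.0.2 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 10.10.1.2 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 172.16.20.1 255.255.255.0
 no shutdown
! step 3: main default via 10.10.0.0/24 (AD 1), floating backup (AD 10)
! via 10.10.1.0/24 that is installed only when the main link is down
ip route 0.0.0.0 0.0.0.0 10.10.0.1
ip route 0.0.0.0 0.0.0.0 10.10.1.1 10
! steps 7 and 8: RIPv2 on Fa0/0 and Fa0/1 only. "network" is classful, so
! 172.16.0.0 enables both LAN ports and nothing in 10.0.0.0/8: the serial
! links towards the OSPF domain never join RIP.
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 default-information originate
!
! ===== SW11 (Layer-3 switch; SW12 is the same with VLAN 55) =====
hostname SW11
! step 5: turn on routing; without this the SVIs do not forward between VLANs
ip routing
! step 4: Fa0/22 becomes a routed port instead of a VLAN member
interface FastEthernet0/22
 no switchport
 ip address 172.16.10.2 255.255.255.0
 no shutdown
! step 6: SVI for VLAN 11 (the VLAN itself was created in the Data Center block)
interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 no shutdown
! step 7: RIPv2 on Fa0/22 and SVI 11. The classful statement also matches
! the 172.16.77.11 management SVI, so RIP updates are kept off the
! management VLAN (an assumption about the intended policy, not a handout step)
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 passive-interface Vlan77
!
! checks: show ip protocols, show ip route rip, show ip rip database
```

On SW12 and SW11 "show ip route rip" should list an "R* 0.0.0.0/0" entry learned from R8 once step 8 is in place; if it is missing, check that R8's Fa0/0 and Fa0/1 appear under "Routing for Networks" in "show ip protocols".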


Configuring NAT

1. Configure the router ISP with the following:
   - Hostname as depicted in the diagram
   - Console password: “ccna2”
   - Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
   - Privileged password: “ccna2”
   - Message of the day banner: “Non-Authorized access to this router is prohibited”
   - IP domain name: “ccna2.com”
   - SSH server version 2 with a 1024-bit key length
   - Local account database with the following account: username cisco, password ccna2

2. Configure the serial interfaces S0/1/0 of routers R6 and R8 with their assigned IP addresses, as depicted in the diagram.

3. Configure the router ISP with the IP addresses assigned to its S0/0/0 and S0/0/1 interfaces, as shown in the diagram.

4. All packets leaving R6 and R8 destined to the segment 196.15.60.0/24 should have their source IP addresses translated into the IP address of the serial interface S0/1/0 of the respective router. To achieve this, you also need to configure a specific static route on both routers R6 and R8 to the segment 196.15.60.0/24 on ISP.
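Step 4 on R6, as an added example that is not part of the project handout (R8 is the mirror image). Assumptions: R6's S0/1/0 is 10.10.2.1/30 facing ISP's S0/0/0 at 10.10.2.2, and R6's inside-facing interfaces are Fa0/1, S0/0/0 and S0/0/1. The two things the handout's wording leaves implicit are spelled out in comments: the access list selects what is translated, not what is permitted, and the specific static route exists so that traffic for 196.15.60.0/24 leaves through S0/1/0 rather than through R6's default route towards R8.

```cisco
! Added example, not part of the project handout; addresses and the set of
! inside interfaces are assumptions.
hostname R6
! step 2: the link to ISP is the NAT outside interface
interface Serial0/1/0
 ip address 10.10.2.1 255.255.255.252
 ip nat outside
 no shutdown
! every interface on which untranslated traffic can arrive is marked inside;
! a packet that enters on an unmarked interface is routed but never translated
interface FastEthernet0/1
 ip nat inside
interface Serial0/0/0
 ip nat inside
interface Serial0/0/1
 ip nat inside
! step 4: the ACL chooses which packets are translated (only those towards
! 196.15.60.0/24); it is not a security filter and blocks nothing
ip access-list extended NAT-TO-ISP
 permit ip any 196.15.60.0 0.0.0.255
! PAT: all inside sources share the single S0/1/0 address
ip nat inside source list NAT-TO-ISP interface Serial0/1/0 overload
! step 4 (cont.): without this route the static default towards R8 would
! carry the traffic away from S0/1/0 and the NAT rule would never fire.
! ISP needs no return route for the inside networks: replies are addressed
! to 10.10.2.1 on the directly connected link.
ip route 196.15.60.0 255.255.255.0 10.10.2.2
!
! checks: show ip nat translations, show ip nat statistics
```

After a ping from an inside host to an address in 196.15.60.0/24, "show ip nat translations" should show an entry whose inside global address is 10.10.2.1 and whose inside local address is the host; "show ip nat statistics" counts hits and misses against NAT-TO-ISP.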

Configuring DHCP and DHCP Spoofing

1. Configure DHCP servers on the three (3) routers R1, R2 and R3 to provide IP addresses, subnet masks, default gateways and DNS IP addresses to the hosts in VLANs 21, 34, 63 and 87.

2. Configure DHCP snooping on all switches in both the East and West blocks to avoid rogue DHCP servers. This step needs to be configured on real switches, since DHCP snooping is not supported in the current version of Cisco Packet Tracer.

Configuring NTP

1. Configure a loopback interface lo0 with the address 172.31.0.1/24 on router R4 and advertise it through OSPF in area 0.

2. Set the clock on R4 to GMT time.

3. Configure the clock time zone on R4 and set it to +3.

4. Configure R4 as the NTP server for the whole system and set the stratum to 4. This step can be configured on real routers only and is not yet supported by Cisco Packet Tracer.

5. Configure all the other routers and switches with the clock time zone +3 and then as NTP clients, so that they synchronize their clocks with the R4 clock at 172.31.0.1.

Configuring CDP

1. For management purposes, configure CDP on the routers only.

2. Disable CDP advertisements on all switches and on those LANs with no routers.
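The DHCP, DHCP snooping, NTP and CDP steps above, as one added example that is not part of the project handout. Assumptions: VLAN 21's gateway is R2's Fa0/0.21 at 192.168.21.1, the DNS server is 172.16.11.10 in the Data Center, SW7's Fa0/21 is its uplink towards R2/R3 (as in the OSPF section) and Fa0/1 its trunk to the neighbouring switch, the time-zone name is free text, and the NTP authentication key is a placeholder. Two caveats the handout does not mention are in the comments: R2 and R3 both serve VLAN 21, so their pools must not overlap, and DHCP snooping inserts option 82 by default.

```cisco
! Added example, not part of the project handout; addresses, port roles and
! the NTP key are assumptions.
!
! ===== R2: DHCP server for VLAN 21 (repeat per VLAN and per router) =====
! R2 and R3 both answer on VLAN 21, so each leases from a disjoint range:
! R2 hands out .11-.127 here; R3 excludes that range and leases .128-.254.
ip dhcp excluded-address 192.168.21.1 192.168.21.10
ip dhcp excluded-address 192.168.21.128 192.168.21.254
ip dhcp pool VLAN21
 network 192.168.21.0 255.255.255.0
 default-router 192.168.21.1
 dns-server 172.16.11.10
!
! ===== SW7: DHCP snooping (real hardware only, per the handout) =====
ip dhcp snooping
ip dhcp snooping vlan 21,34
! the switch adds option 82 to relayed requests by default; a router that
! does not expect it drops them, so turn insertion off unless a relay needs it
no ip dhcp snooping information option
! only ports that lead towards R2/R3 may carry DHCP offers
interface FastEthernet0/21
 ip dhcp snooping trust
interface FastEthernet0/1
 ip dhcp snooping trust
! access ports stay untrusted: an offer from a rogue server on them is
! dropped, and the request rate is capped so one host cannot drain the pools
interface range FastEthernet0/2 - 20
 ip dhcp snooping limit rate 10
!
! ===== R4: NTP server (NTP steps 1-4) =====
interface Loopback0
 ip address 172.31.0.1 255.255.255.0
router ospf 1
 network 172.31.0.0 0.0.0.255 area 0
! step 3: UTC+3
clock timezone AST 3
! step 2 is an EXEC command, not a config line:  clock set hh:mm:ss d mon yyyy
! once "clock timezone" is set, the time you type is read as local time,
! which is why the handout sets GMT first and the zone second
ntp master 4
! beyond the handout: let clients verify that replies really come from R4
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
!
! ===== every other router and switch: NTP client (step 5) =====
clock timezone AST 3
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 172.31.0.1 key 1
!
! ===== CDP: routers keep it, switches and routerless LANs do not =====
! on each router, for each LAN interface with no other router on it:
interface FastEthernet0/0
 no cdp enable
! on each switch:
no cdp run
!
! checks: show ip dhcp binding, show ip dhcp snooping, show ip dhcp snooping binding,
!         show ntp status, show ntp associations, show cdp neighbors
```

"show ip dhcp snooping binding" on SW7 is also the table that later features such as Dynamic ARP Inspection and IP Source Guard build on; with the trusted ports limited to the two uplinks, an offer from any access port never reaches a client.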


Configuring Port Security

1. Configure port security on all Layer-2 switches that connect to end devices: SW1, SW2, SW3, SW4, SW5, SW6, SW7, SW8, SW9 and SW10.

2. All switched ports should be configured as sticky ports, allowing only one device to connect.

3. In case of a violation, the switched port must shut down automatically.

4. You can also shut down all non-connected switch ports.

Configuring Access Lists

1. On R1, configure an access list such that all hosts in VLANs 63 and 21 are allowed to access all servers in the Data Center block except the FTP server. The access list should also prevent IP spoofing.

2. On R2 and R3, configure an access list such that all hosts in VLANs 87 and 34 are allowed to access all servers in the Data Center block except the Web server. The access list should also prevent IP spoofing.
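Port security on one access switch and the R1 access list, as an added example that is not part of the project handout. Assumptions: on SW1 the end-device ports are Fa0/2 to Fa0/20 and Fa0/21 to Fa0/24 are unused; on R1, Fa0/0 carries VLAN 63 as 192.168.63.0/24, the Data Center servers sit in 172.16.11.0/24 and 172.16.55.0/24, and the FTP server is 172.16.11.21. The anti-spoofing requirement is met by permitting only sources that belong to the VLAN's own subnet on the inbound interface; the DHCP permit at the top is needed because R1 itself hands out addresses on that VLAN and a discover arrives with source 0.0.0.0.

```cisco
! Added example, not part of the project handout. Port ranges, subnets and
! server addresses are assumptions; take them from the diagram.
!
! ===== SW1 (same on SW2-SW10): port security steps 1-4 =====
interface range FastEthernet0/2 - 20
 ! static access mode: port security is refused on dynamic (DTP) ports,
 ! and it also stops a host from negotiating a trunk
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! the first MAC seen is learned and written into the running config
 switchport port-security mac-address sticky
 ! a second MAC err-disables the port; recover with shutdown / no shutdown
 switchport port-security violation shutdown
! step 4: unused ports down, so nothing can be plugged in unnoticed
interface range FastEthernet0/21 - 24
 shutdown
!
! ===== R1: access list for VLAN 63 hosts (step 1 of Access Lists) =====
ip access-list extended VLAN63-IN
 remark hosts get addresses from R1 by DHCP: a discover has source 0.0.0.0
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark the FTP server is the one Data Center host VLAN 63 may not reach
 deny   ip 192.168.63.0 0.0.0.255 host 172.16.11.21
 remark the rest of the Data Center, but only from genuine VLAN 63 sources
 permit ip 192.168.63.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.63.0 0.0.0.255 172.16.55.0 0.0.0.255
 remark add further permits here if VLAN 63 needs other destinations
 remark anti-spoofing: a packet entering here with a source outside
 remark 192.168.63.0/24 matches nothing above and is dropped and logged
 deny   ip any any log
interface FastEthernet0/0
 ip access-group VLAN63-IN in
!
! R2 and R3 use the same pattern for VLANs 87 and 34 with the Web server as
! the denied host. Checks: show port-security, show port-security address,
!   show access-lists (hit counters), show ip interface FastEthernet0/0
```

The order of the entries matters: the host-specific deny for the FTP server has to precede the subnet-wide permits, and the logging deny at the end is what turns spoofed sources into syslog evidence rather than a silent drop.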

Testing

Make sure you keep the default VLAN on switch SW13 and configure it with the protection passwords and the remaining configuration, as done for the other Layer-2 switches.

It is left to you to build a testing strategy with a set of testing steps in order to check and verify the proper functioning of the whole system.

It is best to document your testing strategy and to learn how to use the debug and show commands on both Cisco routers and Cisco switches.
