
Case Study 4: VLAN Redundancy & Security

Instructions

Implement the International Exports network shown in the topology diagram
using the information and instructions in the scenario. Implement the design
on the lab set of routers and switches. Verify that all configurations are
operational and functioning according to the guidelines.

Topology Diagram

Scenario

International Exports requires their network to be divided into VLANs for security
purposes. Staff and Staff workers need access to the Internet via the ISP,
whereas the NetAdmin VLAN 10 is solely used within the LAN for configuring
and monitoring network devices.
1. Connect all the devices and configure interface IP addresses as per the
topology diagram.
2. Configure all switches for VTPv3, and use it to configure VLANs on all
switches as per the topology diagram. Connect Host PCs to VLANs as per the
topology diagram.
3. Move all unused switch ports to a blackhole VLAN, and ensure that they are
disabled and secured on all switches.
4. Configure IEEE 802.1Q trunks on all interlinks between the Distribution and
Access layer switches, and aggregate into EtherChannels, as per the
topology diagram. Use VLAN 999 as the native VLAN.
5. Create a layer 3 EtherChannel between the Distribution layer switches.
6. Manually prune VLAN access to the trunks, so that only the user VLANs and
the native VLAN are allowed.
7. Configure management IP addresses for all network devices (except R1) in
VLAN 10, and configure them for SSH access from only PC1.
8. Configure DLS2 as a DHCP/DHCPv6 server for VLANs 20 and 30, and
statically assign a suitable IPv4/IPv6 address for PC1. Ensure that all
switches have a management IP address in the VLAN 10 network for remote
access from PC1 using IPv4 & IPv6.
9. Configure MST on all switches. Set DLS1 to be the root bridge for VLAN 10,
and DLS2 to be the root bridge for VLANs 20 and 30. Use VTPv3 to
propagate MST configuration.
10. Configure DLS1 & DLS2 to provide inter-VLAN routing for all IPv4/v6
networks. Configure EIGRP between DLS1 and DLS2, ensuring all VLAN
interfaces are passive.
11. Use static and default IPv4/v6 routes to provide access to/from R1.
12. Configure HSRPv2 on DLS1 and DLS2, selecting IP addresses appropriate
for the addressing scheme. Configure MD5 authentication using a key-chain
valid for the current month.
13. Ensure that Internet access for all user VLANs is via DLS1.
14. Use interface tracking on DLS1 & DLS2 to ensure that HSRP active devices
will fail over if their link to R1 fails.
15. Implement switchport security on ALS1, so that ports in VLANs 20 & 30 will
automatically allow only one PC to be attached to a port and saved to the
running-config, and will shut down in the event of illegal access. Use a static
mapping for the port connected to PC1.
16. Configure portfast and bpduguard on all ALS access ports. Use rootguard to
prevent ALS1 from assuming the root role.
17. Use authenticated NTP to synchronise calendar clocks within the network,
using R1 as the NTP server. Secure NTP client peerings on R1 using an
ACL.

ALS1
!
hostname ALS1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$MuM.$u5o30xV3yOlkdNBKc.0/D0
!
no aaa new-model
clock summer-time BST recurring
system mtu routing 1500
!
no ip domain-lookup
!
crypto pki trustpoint TP-self-signed-1476029952
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1476029952
revocation-check none
rsakeypair TP-self-signed-1476029952
!
!
crypto pki certificate chain TP-self-signed-1476029952
certificate self-signed 01
quit
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 10, 999
instance 2 vlan 20, 30
!
vlan internal allocation policy ascending
!
interface Port-channel1
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
!
interface Port-channel2
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/1
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface FastEthernet0/2
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface FastEthernet0/3
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
!
interface FastEthernet0/4
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
!
interface FastEthernet0/5
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 001c.c09c.dfa2 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/9
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/11
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c0c0.bfbe vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/13
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/15
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/17
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
switchport access vlan 30
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c09c.def3 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/21
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/23
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/24
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.10.3 255.255.255.0
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE::3/64
!
ip default-gateway 172.16.10.254
ip http server
ip http secure-server
access-list 99 permit 172.16.10.10
!
line con 0
logging synchronous
line vty 0 4
access-class 99 in
password cisco
logging synchronous
login
transport input ssh
line vty 5 15
login
!
ntp clock-period 36029187
ntp server 114.114.114.1
end
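
A way to check a switch configuration against steps 3, 4, 6, 7, 15 and 16 of the scenario, as an added Python example that is not part of the original lab solution. The sample input is constructed in the flattened style of the ALS1 listing, with Fa0/7 altered to omit `shutdown`; the function names and finding messages are this example's own.

```python
import re

# Constructed sample in the flattened style of the ALS1 listing. Fa0/7 is
# altered (no "shutdown") to trigger a finding; the rest follows the listing.
SAMPLE = """\
interface FastEthernet0/1
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/7
switchport access vlan 666
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
switchport access vlan 20
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
line vty 0 4
access-class 99 in
login
transport input ssh
line vty 5 15
login
"""

BLACKHOLE, NATIVE, USER_VLANS = "666", "999", {"20", "30"}
ALLOWED = {"10", "20", "30", "999"}

def stanzas(text):
    """Group sub-commands under each 'interface'/'line' header (indent-agnostic)."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"(interface|line) \S", line):
            cur = out.setdefault(line, [])
        elif line in ("!", "end", ""):
            cur = None          # "!" closes the current stanza
        elif cur is not None:
            cur.append(line)
    return out

# Returns a list of (stanza header, finding) tuples; empty means compliant.
def audit(text):
    findings = []
    for name, cmds in stanzas(text).items():
        flag = lambda msg: findings.append((name, msg))
        if name.startswith("line vty"):                      # step 7
            if not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
                flag("no inbound access-class")
            if "transport input ssh" not in cmds:
                flag("transport input not restricted to ssh")
        elif "switchport mode trunk" in cmds:                # steps 4 and 6
            if f"switchport trunk native vlan {NATIVE}" not in cmds:
                flag("native VLAN is not 999")
            allowed = [c.rsplit(" ", 1)[1] for c in cmds
                       if c.startswith("switchport trunk allowed vlan ")]
            if not allowed or set(allowed[-1].split(",")) != ALLOWED:
                flag("trunk not pruned to 10,20,30,999")
            if "switchport nonegotiate" not in cmds:
                flag("DTP negotiation not disabled")
        elif "switchport mode access" in cmds:               # steps 3, 15, 16
            vlan = next((c.split()[-1] for c in cmds
                         if c.startswith("switchport access vlan ")), "1")
            if vlan == BLACKHOLE and "shutdown" not in cmds:
                flag("blackhole port not shutdown")
            if vlan in USER_VLANS and "switchport port-security" not in cmds:
                flag("user port without port-security")
            if not {"spanning-tree portfast", "spanning-tree bpduguard enable"} <= set(cmds):
                flag("portfast/bpduguard missing")
    return findings
```

Fed the ALS1 listing above, these checks flag only `line vty 5 15`, which has `login` but no `access-class` or `transport input ssh`.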

DLS1
hostname DLS1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$T8RH$cnjz9X8wIZjiCBKaXqV8X/
!
no aaa new-model
clock summer-time BST recurring
system mtu routing 1500
!
track 1 interface FastEthernet0/6 line-protocol
ip routing
no ip domain-lookup
ip domain-name IE.com
!
!
ipv6 unicast-routing
!
key chain HSRP_KC
key 11
key-string ciscoNov
accept-lifetime local 00:00:00 Nov 1 2016 01:00:00 Dec 1 2016
send-lifetime local 00:00:00 Nov 1 2016 00:00:00 Dec 1 2016
!
crypto pki trustpoint TP-self-signed-3667319936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3667319936
revocation-check none
rsakeypair TP-self-signed-3667319936
!
!
crypto pki certificate chain TP-self-signed-3667319936
certificate self-signed 01
quit
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 10, 999
instance 2 vlan 20, 30
!
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1 priority 24576
!
vlan internal allocation policy ascending
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
!
interface Port-channel12
description L3 Channel-group to DLS2
no switchport
ip address 192.168.12.9 255.255.255.252
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED:2::1/64
ipv6 eigrp 1
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface FastEthernet0/3
no switchport
no ip address
channel-group 12 mode on
!
interface FastEthernet0/4
no switchport
no ip address
channel-group 12 mode on
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description Link to R1/ISP
no switchport
ip address 192.168.12.1 255.255.255.252
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED::1/64
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE::1/64
ipv6 nd prefix 2001:DB8:CAFE::/64 no-advertise
ipv6 eigrp 1
standby version 2
standby 10 ip 172.16.10.254
standby 10 preempt
standby 10 authentication md5 key-chain HSRP_KC
standby 10 name HSRP_NetAdmin
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:1::1/64
ipv6 nd prefix 2001:DB8:CAFE:1::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 eigrp 1
standby version 2
standby 20 ip 172.16.20.254
standby 20 priority 150
standby 20 preempt
standby 20 authentication md5 key-chain HSRP_KC
standby 20 name HSRP_Staff
standby 20 track 1 decrement 75
!
interface Vlan30
ip address 172.16.30.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:2::1/64
ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 eigrp 1
standby version 2
standby 30 ip 172.16.30.254
standby 30 priority 150
standby 30 preempt
standby 30 authentication md5 key-chain HSRP_KC
standby 30 name HSRP_Students
standby 30 track 1 decrement 75
!
!
router eigrp 1
network 172.16.0.0
network 192.168.12.8 0.0.0.3
passive-interface Vlan10
passive-interface Vlan20
passive-interface Vlan30
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip http server
ip http secure-server
!
!
access-list 99 permit 172.16.10.10
ipv6 route ::/0 2001:DB8:FEED::2
ipv6 router eigrp 1
passive-interface Vlan10
passive-interface Vlan20
passive-interface Vlan30
eigrp router-id 1.1.1.1
!
!
!
!
!
line con 0
logging synchronous
line vty 0 4
access-class 99 in
password cisco
logging synchronous
login
transport input ssh
line vty 5 15
login
!
ntp authentication-key 1 md5 08131D401D09351601181B0B382F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 36029054
ntp server 114.114.114.1 source Vlan10
end

DLS2
hostname DLS2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$4ydY$vFQPHEMBH7j7ROgdaqEX.0
!
no aaa new-model
clock summer-time BST recurring
system mtu routing 1500
!
track 1 interface FastEthernet0/6 line-protocol
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.16.20.1 172.16.20.9
ip dhcp excluded-address 172.16.20.254
ip dhcp excluded-address 172.16.30.1 172.16.30.9
ip dhcp excluded-address 172.16.30.254
!
ip dhcp pool DHCP_PoolV20
network 172.16.20.0 255.255.255.0
default-router 172.16.20.254
!
ip dhcp pool DHCP_PoolV30
network 172.16.30.0 255.255.255.0
default-router 172.16.30.254
!
ipv6 unicast-routing
ipv6 dhcp pool IPv6_V30
address prefix 2001:DB8:CAFE:2::/64 lifetime 86400 43200
dns-server 2001:DB8:FEED:5::1
domain-name IE.com
!
ipv6 dhcp pool IPv6_V20
address prefix 2001:DB8:CAFE:1::/64 lifetime 86400 43200
dns-server 2001:DB8:FEED:5::1
domain-name IE.com
!
key chain HSRP_KC
key 11
key-string ciscoNov
accept-lifetime local 00:00:00 Nov 1 2016 01:00:00 Dec 1 2016
send-lifetime local 00:00:00 Nov 1 2016 00:00:00 Dec 1 2016
!
crypto pki trustpoint TP-self-signed-1436713600
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1436713600
revocation-check none
rsakeypair TP-self-signed-1436713600
!
!
crypto pki certificate chain TP-self-signed-1436713600
certificate self-signed 01
quit
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 10, 999
instance 2 vlan 20, 30
!
spanning-tree mst 1 priority 28672
spanning-tree mst 2 priority 24576
!
vlan internal allocation policy ascending
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
!
interface Port-channel12
no switchport
ip address 192.168.12.10 255.255.255.252
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:FEED:2::2/64
ipv6 eigrp 1
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
!
interface FastEthernet0/3
no switchport
no ip address
channel-group 12 mode on
!
interface FastEthernet0/4
no switchport
no ip address
channel-group 12 mode on
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description Link to R1/ISP
no switchport
ip address 192.168.12.5 255.255.255.252
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED:1::1/64
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 172.16.10.2 255.255.255.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE::2/64
ipv6 nd prefix 2001:DB8:CAFE::/64 no-advertise
ipv6 eigrp 1
standby version 2
standby 10 ip 172.16.10.254
standby 10 priority 150
standby 10 preempt
standby 10 authentication md5 key-chain HSRP_KC
standby 10 name HSRP_NetAdmin
standby 10 track 1 decrement 75
!
interface Vlan20
ip address 172.16.20.2 255.255.255.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:1::2/64
ipv6 nd prefix 2001:DB8:CAFE:1::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp server IPv6_V20 rapid-commit
ipv6 eigrp 1
standby version 2
standby 20 ip 172.16.20.254
standby 20 preempt
standby 20 authentication md5 key-chain HSRP_KC
standby 20 name HSRP_Staff
!
interface Vlan30
ip address 172.16.30.2 255.255.255.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:2::2/64
ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp server IPv6_V30 rapid-commit
ipv6 eigrp 1
standby version 2
standby 30 ip 172.16.30.254
standby 30 preempt
standby 30 authentication md5 key-chain HSRP_KC
standby 30 name HSRP_Students
!
router eigrp 1
network 172.16.0.0
network 192.168.12.8 0.0.0.3
passive-interface Vlan10
passive-interface Vlan20
passive-interface Vlan30
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.6
ip http server
ip http secure-server
!
access-list 99 permit 172.16.10.10
ipv6 route ::/0 2001:DB8:FEED:1::2
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
line con 0
logging synchronous
line vty 0 4
access-class 99 in
password cisco
logging synchronous
login
transport input ssh
line vty 5 15
login
!
ntp authentication-key 1 md5 08131D401D09351601181B0B382F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 36028968
ntp server 114.114.114.1 source Vlan10
end

R1

hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Vzct$C8BcrgI5nigzWQrAIzDgr.
!
no aaa new-model
clock summer-time BST recurring
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FCZ193070AX
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
interface Loopback0
ip address 114.114.114.1 255.255.255.0
ipv6 address 2001:DB8:114:114::1/64
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Link to DLS1
ip address 192.168.12.2 255.255.255.252
duplex auto
speed auto
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:FEED::2/64
!
interface GigabitEthernet0/1
description Link to DLS2
ip address 192.168.12.6 255.255.255.252
shutdown
duplex auto
speed auto
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:FEED:1::2/64
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 172.16.10.0 255.255.255.0 192.168.12.5
ip route 172.16.10.0 255.255.255.0 192.168.12.1 10
ip route 172.16.20.0 255.255.255.0 192.168.12.1
ip route 172.16.20.0 255.255.255.0 192.168.12.5 10
ip route 172.16.30.0 255.255.255.0 192.168.12.1
ip route 172.16.30.0 255.255.255.0 192.168.12.5 10
!
ipv6 route 2001:DB8:CAFE::/48 2001:DB8:FEED::1
!
access-list 11 permit 127.127.1.1
access-list 12 permit 172.16.10.0 0.0.0.3
access-list 99 permit 172.16.10.10
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 99 in
password cisco
logging synchronous
login
transport input ssh
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 08131D401D09351601181B0B382F 7
ntp authenticate
ntp trusted-key 1
ntp access-group peer 11
ntp access-group serve-only 12
ntp master 3
!
end
