VLAN
</objective> <objective>VTP
</objective> <objective>Trunk
</objective> <objective>Port security
</objective> <objective>Default route
</objective> <objective>NAT
</objective> </feature><feature><title>Concepts and Techniques You’ll Need to Master:</title> <objective>VLAN creation and naming
</objective> <objective>Assigning switch ports to a VLAN
</objective> <objective>Setting VTP parameters
</objective> <objective>Building trunk links
</objective> <objective>Port Security
</objective> <objective>Subnetting
</objective> <objective>Assigning IP addresses to a switch and to router interfaces
</objective> <objective>Establishing PPP WAN connections
</objective> <objective>Creating and applying IP access control lists to manage Telnet, ICMP, and inbound Internet connections
</objective> <objective>Configuring and troubleshooting a static default route
</objective> <objective>Configuring and troubleshooting OSPF dynamic routing
</objective> <objective>Configuring static NAT and PAT using a pool of addresses
</objective> </feature>This chapter presents several configuration requirements for installing and connecting a new switch and router in a branch office. Your job is to assess the scenario and determine what configurations need to be applied to meet the given requirements. All the skills you practice here are testable; your goal is to finish all the labs in fewer than 30 minutes.
Some of the switch configuration concepts for this scenario are included in the list that follows. As you review them, you should start to visualize and plan what they are asking you to do. Imagine the commands to perform these actions, and especially the order in which you will execute them. Drawing a network diagram for yourself is never a bad idea. Ideally, you should be able to fully visualize your design and the configurations needed to implement it. With practice, you can “be the packet” in your mind.
Creating and naming a VLAN
Assigning switch ports to a VLAN
Setting port security
Setting VTP parameters
Building trunk links
Assigning IP address and default gateway
You have been given a new 2960 switch that your company recently purchased for the new Vancouver branch office. Two additional switches will be installed at a later date as well, and we will make preparations for that. Your tasks will be as follows:
On the switch, assign a host name of VAN-SW-A.
Create and name the following VLANs without entering the VLAN database:
VLAN 10, name resources.
VLAN 20, name staff.
VLAN 30, name Voice (this VLAN is for future use).
Assign the following port settings:
Port fa0/1 through 10 in VLAN 10.
Port fa0/11 through 22 in VLAN 20.
Port Gi0/1 is a trunk port to the router (remember that the 2960 does not support ISL trunks). You are instructed to configure the trunks as 100Mbps, Full Duplex.
Port fa0/23 is a trunk port to VAN-SW-B (to be added later).
Port fa0/24 is a trunk port to VAN-SW-C (to be added later).
Verify your VLAN and trunk settings.
Configure VTP: VAN-SW-A is the server for the VTP domain Exam Cram, with the password of
cisco.Verify your VTP settings.
Assign the switch the IP address of 172.16.0.2 /26.
Set the switch’s default gateway to 172.16.0.1.
Set port fa0/1 through fa0/10 to allow connection from only one MAC address, and make that port shut down if more than one MAC connects. These ports will connect to servers in the Resources VLAN.
Set the privileged EXEC password to
cisco. This password should be encrypted.Secure Telnet access to the switch by applying the password
cisco23to the first five VTY lines.Secure local console access with the password of
ciscocon.
The following configuration is a good solution to the scenario requirements. There are other switch configurations that would achieve the same goals; we have tried to include as many testable commands as possible. Remark lines (indicated by “!”) after the commands indicate which task the lines above it solve.
Switch> Switch#configure terminal Switch(config)#hostname VAN-SW-A ! Task 1: Assigns host name VAN-SW-A(config)#vlan 10 VAN-SW-A(config-vlan)#name Resources VAN-SW-A(config-vlan)#vlan 20 VAN-SW-A(config-vlan)#name Staff VAN-SW-A(config-vlan)#vlan 30 VAN-SW-A(config-vlan)#name Voice VAN-SW-A(config-vlan)#exit ! Task 2: Creates and names VLANs VAN-SW-A(config)#interface range fa0/1 - 10 VAN-SW-A(config-if-range)#switchport access vlan 10 ! Task 3: Assigns ports 1-10 to VLAN 10 VAN-SW-A(config-if-range)#interface range fa0/11 - 22 VAN-SW-A(config-if-range)#switchport access vlan 20 ! Task 3: Assigns ports 11-22 to VLAN 20 VAN-SW-A(config-if-range)#interface fa0/23 - 24 VAN-SW-A(config-if-range)#switchport mode trunk VAN-SW-A(config-if-range)#speed 100 VAN-SW-A(config-if-range)#duplex full ! Task 3: Sets fa0/23 and fa0/24 to ! permanent trunk mode, 100Mbps, Full Duplex VAN-SW-A(config-if-range)interface gi0/1 VAN-SW-A(config-if)#switchport mode trunk VAN-SW-A(config-if)#speed 100 VAN-SW-A(config-if)#duplex full ! Task 3:Sets gi0/1 to permanent trunk mode, 100Mbps, Full Duplex VAN-SW-A(config-if)#<ctrl-z> VAN-SW-A# VAN-SW-A#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1, Gi0/2 10 Resources active Fa0/1, Fa0/2, Fa0/3, Fa0/4, fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10 20 Staff active Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20Fa0/21 30 Voice active <output truncated> ! ! Task 4: Verifies VLANs and ports assignments VAN-SW-A#show interface fa0/23 trunk Port Mode Encapsulation Status Native vlan fa0/23 on 802.1q not-trunking 1 Port Vlans allowed on trunk fa0/23 1-4094 Port Vlans allowed and active in management domain Fa0/23 1-4094 Port Vlans in spanning tree forwarding state and not pruned Fa0/23 1-4094 ! VAN-SW-A#show interface fa0/24 trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q not-trunking 1 Port Vlans allowed on trunk Fa0/24 1-4094 Port Vlans allowed and active in management domain Fa0/24 1-4094 Port Vlans in spanning tree forwarding state and not pruned Fa0/24 1-4094 VAN-SW-A#show interface gi0/1 trunk Port Mode Encapsulation Status Native vlan Gi0/1 on 802.1q trunking 1 Port Vlans allowed on trunk Gi0/1 1-4094 Port Vlans allowed and active in management domain Gi0/1 1-4094 Port Vlans in spanning tree forwarding state and not pruned Gi0/1 1-4094 !Task 4: Verifies Trunking on Fa0/23-24, Gi0/1 VAN-SW-A#config t VAN-SW-A(config)#vtp domain ExamCram VAN-SW-A(config)#vtp password cisco VAN-SW-A(config)#vtp server VAN-SW-A(config)#exit ! Task 5: Assigns VTP parameters VAN-SW-A#sh vtp status VTP Version : 2 Configuration Revision : 0 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Server VTP Domain Name : ExamCram VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Enabled MD5 digest : 0x3A 0x29 0x86 0x39 0xB4 0x5D 0x58 0xD7 ! ! Task 6:Verifies VTP settings VAN-SW-A#config t VAN-SW-A(config-if)#interface vlan 1 VAN-SW-A(config-if)#ip address 172.16.0.2 255.255.255.192 ! Task 7: Assigns switch IP address VAN-SW-A(config-if)#exit VAN-SW-A(config)#ip default-gateway 172.16.0.1 ! Task 8: Sets switch default gateway VAN-SW-A(config)#int fa0/1 - 10 VAN-SW-A(config-if-range)#switchport port-security VAN-SW-A(config-if-range)#switchport port-security maximum 1 VAN-SW-A(config-if-range)#switchport port-security violation shutdown ! Task 9: Assigns port-security parameters VAN-SW-A(config-if-range)#exit VAN-SW-A(config)#enable secret cisco ! Task 10: Sets encrypted Privileged Exec password VAN-SW-A(config)#line vty 0 4 VAN-SW-A(config-line)#login VAN-SW-A(config-line)#password cisco23 ! Task 11: Sets VTY access password VAN-SW-A(config-line)#line con 0 VAN-SW-A(config-line)#login VAN-SW-A(config-line)#password ciscocon ! Task 12: Sets Console access password <ctrl+z> VAN-SW-A#copy run start VAN-SW-A#exit
The router configurations tasks will touch on the following areas. Remember to think about what these need for configuration and start to plan your approach.
IP addressing
Subnetting
Inter-VLAN routing
PPP WAN connection
NAT overload to a pool
IP ACLs
OSPF and default routing
The branch office uses a new 2821 series router, with two Gigabit Ethernet interfaces and a serial interface for the PPP WAN connection. The router will perform Inter-VLAN routing using Router-on-a-Stick on Gi0/0 and provide NAT services for connection to the Internet. The ISP will exchange dynamic routing information with this router using OSPF in Area 0. The Voice VLAN should not be included in the OSPF routing. Your tasks are as follows:
Assign the router a hostname of VAN-Gateway.
Configure Inter-VLAN routing by assigning IP addresses to the physical and virtual interfaces. The IP addressing for each interface is as follows:
Gi0/0: 172.16.0.1 /26
S0/0: 192.168.66.65 /28
VLAN 10: 172.16.0.65 /26
VLAN 20: 172.16.0.129 /26
VLAN 30: 172.16.0.193 /26
Set the Serial0/0 encapsulation to PPP.
Allow VLANs 1, 10, and 20 to be translated. Do not allow VLAN 30 to be translated.
The ISP has assigned the range of 192.168.66.66 through 192.168.66.77 as the pool of addresses to translate to. Name the pool
IntPool. Ensure all VLAN 1, 10, and 20 hosts can use addresses from this range.
Prevent all outside networks from pinging any inside network. Until the security team comes in to configure the advanced security settings, allow only IP traffic from established outbound connections inbound on s0/0.
Configure OSPF routing for VLANs 1, 10, and 20 to the ISP network, using Area 0 for all interfaces. Do not advertise the Voice VLAN network.
Configure a static default route to the ISP gateway IP of 192.168.66.78.
The following configuration is a good solution to the problems posed by the scenario. There may be other configs that also work, but again we are emphasizing those that we think you need to know for the test. The remark lines describing the solution to the task are included after the task configuration.
Router#configure terminal Router(config)#hostname VAN-Gateway ! Task 1: Assigns hostname VAN-Gateway(config)#interface gi0/0 VAN-Gateway(config-if)#ip address 172.16.0.1 255.255.255.192 VAN-Gateway(config-if)#no shut VAN-Gateway(config-if)#interface gi0/0.10 VAN-Gateway(config-if)#encapsulation dot1q 10 VAN-Gateway(config-if)#ip address 172.16.0.65 255.255.255.192 VAN-Gateway(config-if)#interface gi0/0.20 VAN-Gateway(config-if)#encapsulation dot1q 20 VAN-Gateway(config-if)#ip address 172.16.0.129 255.255.255.192 VAN-Gateway(config-if)#interface gi0/0.30 VAN-Gateway(config-if)#encapsulation dot1q 30 VAN-Gateway(config-if)#ip address 172.16.0.193 255.255.255.192 ! Configures inter-VLAN routing: Physical interface is native vlan (defaults to VLAN 1); ! Other sub-interfaces are virtual interfaces for their respective VLANs. VAN-Gateway(config-if)#interface s0/0 VAN-Gateway(config-if)#encapsulation ppp VAN-Gateway(config-if)#ip address 192.168.66.65 255.255.255.240 VAN-Gateway(config-if)#no shut VAN-Gateway(config-if)#exit ! Task 3: Configures S0/0 with PPP and correct IP address VAN-Gateway(config)#access-list 1 permit 172.16.0.0 0.0.0.63 VAN-Gateway(config)#access-list 1 permit 172.16.0.64 0.0.0.63 VAN-Gateway(config)#access-list 1 permit 172.16.0.128 0.0.0.63 VAN-Gateway(config)#ip nat pool IntPool 192.168.66.66 192.168.66.77 netmask 255.255.255.240 VAN-Gateway(config)#ip nat inside source list 1 pool IntPool overload VAN-Gateway(config)#interface gi0/0 VAN-Gateway(config-if)#ip nat inside VAN-Gateway(config-if)#interface gi0/0.10 VAN-Gateway(config-if)#ip nat inside VAN-Gateway(config-if)#interface gi0/0.20 VAN-Gateway(config-if)#ip nat inside VAN-Gateway(config-if)#interface s0/0 VAN-Gateway(config-if)#ip nat outside VAN-Gateway(config-if)#exit ! Task 4: Configures NAT with ACL permitting specified networks, ! a NAT pool with valid addresses and mask, ! a NAT statement identifying source and destination for translation, ! and "inside" and "outside" interfaces. VAN-Gateway(config)#access-list 101 deny icmp any any VAN-Gateway(config)#access-list 101 permit ip any any established VAN-Gateway(config)#interface s0/0 VAN-Gateway(config-if)#ip access-group 101 in VAN-Gateway(config-if)#exit ! Task 5: Applies specified security with ACL on the outside interface VAN-Gateway(config)#router ospf 99 VAN-Gateway(config-router)#network 172.16.0.0 0.0.0.63 area 0 VAN-Gateway(config-router)#network 172.16.0.64 0.0.0.63 area 0 VAN-Gateway(config-router)#network 172.16.0.128 0.0.0.63 area 0 VAN-Gateway(config-router)#network 192.168.66.64 0.0.0.15 area 0 VAN-Gateway(config-router)#exit ! Task 6 : Configures OSPF routing VAN-Gateway(config)#ip route 0.0.0.0 0.0.0.0 192.168.66.78 VAN-Gateway(config)#exit ! Task 7: Sets default route to ISP VAN-Gateway#copy run start
Answer D is correct. The 2960 does not support ISL, so the router must be configured for 802.1q. Answer A is incorrect; the switch supports only 802.1q. Answer B is wrong; trunk encapsulation cannot be negotiated between a router and a switch, only between two switches. Even then, best practices recommend hard-coding trunk encapsulation. Answer C is wrong because it is not relevant to this scenario, however true it may be. | |
Answer B is correct; the | |
Answer B is correct; the switch is configured for port security, so when the MAC addresses of the new NICs attempt to connect to the switch, the ports shut down. Answer A is wrong; it’s unlikely that all the new NICs are defective. Answer C is wrong; given what we know of the config, it is not the most likely problem. Answer D is wrong; hosts do not need a route to their own LAN; our problem here is at Layer 1 and 2, not Layer 3. | |
Answer A is correct. Answers B and D use invalid syntax; Answer C names the wrong ACL. | |
Answer A (true) is correct. Spanning Tree is running by default, and we see no evidence of it being disabled (which would be a bad idea anyway). | |
Answer D is correct. A /26 provides 62 valid hosts. All other answers are incorrect. | |
Answer C is correct. The remaining available addresses are .67 through .70, and the new mask ends with .248. Answer A is incorrect; the keyword is | |
Answer D is correct; if the router uses this config, the switch will not be able to trunk with it. Answer A is therefore incorrect. Answer B is wrong; there is no problem with the IPs and masks. Answer C is wrong; the router will support ISL trunking, but the switch will not. | |
Answer D is correct. This is a nasty trick question; the command prompt indicates that this config was written for the switch. Even though it would be impossible to get this configuration (the switch would return errors), you can expect some exam questions to be unrealistic in this way. Answer A is wrong; OSPF needs wildcards. Answer B is wrong; there are many valid address/mask formats in OSPF configuration. Answer C is wrong because the configuration was entered on a switch that does not support OSPF (or any routing for that matter). | |
Answer C is correct; the valid range for the Process ID is 1–65535. Answer B is therefore incorrect. Answer A is not correct; the area ID can be anything from 0 through 65535. Answer D is wrong; the wildcards masks are perfectly valid. |