Chapter 17. Blueprint for Connecting and Securing a Branch Office

<feature><title>Terms You’ll Need to Understand:</title> <objective>

VLAN

</objective>
<objective>

VTP

</objective>
<objective>

Trunk

</objective>
<objective>

Port security

</objective>
<objective>

Default route

</objective>
<objective>

NAT

</objective>
</feature>
<feature><title>Concepts and Techniques You’ll Need to Master:</title> <objective>

VLAN creation and naming

</objective>
<objective>

Assigning switch ports to a VLAN

</objective>
<objective>

Setting VTP parameters

</objective>
<objective>

Building trunk links

</objective>
<objective>

Port Security

</objective>
<objective>

Subnetting

</objective>
<objective>

Assigning IP addresses to a switch and to router interfaces

</objective>
<objective>

Establishing PPP WAN connections

</objective>
<objective>

Creating and applying IP access control lists to manage Telnet, ICMP, and inbound Internet connections

</objective>
<objective>

Configuring and troubleshooting a static default route

</objective>
<objective>

Configuring and troubleshooting OSPF dynamic routing

</objective>
<objective>

Configuring static NAT and PAT using a pool of addresses

</objective>
</feature>

Introduction

This chapter presents several configuration requirements for installing and connecting a new switch and router in a branch office. Your job is to assess the scenario and determine what configurations need to be applied to meet the given requirements. All the skills you practice here are testable; your goal is to finish all the labs in fewer than 30 minutes.

Caution

Do not perform any of these lab exercises on equipment that is connected to a live/production network. If in doubt, ask your network administrator if what you are about to do is approved.

Switch Configuration Requirements

Some of the switch configuration concepts for this scenario are included in the list that follows. As you review them, you should start to visualize and plan what they are asking you to do. Imagine the commands to perform these actions, and especially the order in which you will execute them. Drawing a network diagram for yourself is never a bad idea. Ideally, you should be able to fully visualize your design and the configurations needed to implement it. With practice, you can “be the packet” in your mind.

  • Creating and naming a VLAN

  • Assigning switch ports to a VLAN

  • Setting port security

  • Setting VTP parameters

  • Building trunk links

  • Assigning IP address and default gateway

You have been given a new 2960 switch that your company recently purchased for the new Vancouver branch office. Two additional switches will be installed at a later date as well, and we will make preparations for that. Your tasks will be as follows:

  1. On the switch, assign a host name of VAN-SW-A.

  2. Create and name the following VLANs without entering the VLAN database:

    • VLAN 10, name resources.

    • VLAN 20, name staff.

    • VLAN 30, name Voice (this VLAN is for future use).

  3. Assign the following port settings:

    • Port fa0/1 through 10 in VLAN 10.

    • Port fa0/11 through 22 in VLAN 20.

    • Port Gi0/1 is a trunk port to the router (remember that the 2960 does not support ISL trunks). You are instructed to configure the trunks as 100Mbps, Full Duplex.

    • Port fa0/23 is a trunk port to VAN-SW-B (to be added later).

    • Port fa0/24 is a trunk port to VAN-SW-C (to be added later).

  4. Verify your VLAN and trunk settings.

  5. Configure VTP: VAN-SW-A is the server for the VTP domain Exam Cram, with the password of cisco.

  6. Verify your VTP settings.

  7. Assign the switch the IP address of 172.16.0.2 /26.

  8. Set the switch’s default gateway to 172.16.0.1.

  9. Set port fa0/1 through fa0/10 to allow a connection from only one MAC address, and make the port shut down if more than one MAC address connects. These ports will connect to servers in the Resources VLAN.

  10. Set the privileged EXEC password to cisco. This password should be encrypted.

  11. Secure Telnet access to the switch by applying the password cisco23 to the first five VTY lines.

  12. Secure local console access with the password of ciscocon.

VAN-SW-A Solution

The following configuration is a good solution to the scenario requirements. There are other switch configurations that would achieve the same goals; we have tried to include as many testable commands as possible. Remark lines (indicated by “!”) after the commands indicate which task the lines above them solve.

Switch>
Switch#configure terminal
Switch(config)#hostname VAN-SW-A
! Task 1: Assigns host name
VAN-SW-A(config)#vlan 10
VAN-SW-A(config-vlan)#name Resources
VAN-SW-A(config-vlan)#vlan 20
VAN-SW-A(config-vlan)#name Staff
VAN-SW-A(config-vlan)#vlan 30
VAN-SW-A(config-vlan)#name Voice
VAN-SW-A(config-vlan)#exit
! Task 2: Creates and names VLANs
VAN-SW-A(config)#interface range fa0/1 - 10
VAN-SW-A(config-if-range)#switchport access vlan 10
! Task 3: Assigns ports 1-10 to VLAN 10
VAN-SW-A(config-if-range)#interface range fa0/11 - 22
VAN-SW-A(config-if-range)#switchport access vlan 20
! Task 3: Assigns ports 11-22 to VLAN 20
VAN-SW-A(config-if-range)#interface range fa0/23 - 24
VAN-SW-A(config-if-range)#switchport mode trunk
VAN-SW-A(config-if-range)#speed 100
VAN-SW-A(config-if-range)#duplex full
! Task 3: Sets fa0/23 and fa0/24 to
! permanent trunk mode, 100Mbps, Full Duplex
VAN-SW-A(config-if-range)#interface gi0/1
VAN-SW-A(config-if)#switchport mode trunk
VAN-SW-A(config-if)#speed 100
VAN-SW-A(config-if)#duplex full
! Task 3: Sets gi0/1 to permanent trunk mode, 100Mbps, Full Duplex
VAN-SW-A(config-if)#<ctrl-z>
VAN-SW-A#
VAN-SW-A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   Resources                        active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10
20   Staff                            active    Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
30   Voice                            active
<output truncated>
!
! Task 4: Verifies VLANs and ports assignments
VAN-SW-A#show interface fa0/23 trunk
Port         Mode         Encapsulation  Status        Native vlan
Fa0/23       on           802.1q         not-trunking  1

Port         Vlans allowed on trunk
fa0/23       1-4094

Port         Vlans allowed and active in management domain
Fa0/23       1-4094
Port         Vlans in spanning tree forwarding state and not pruned
Fa0/23       1-4094
!
VAN-SW-A#show interface fa0/24 trunk
Port         Mode         Encapsulation  Status        Native vlan
Fa0/24       on           802.1q         not-trunking  1

Port         Vlans allowed on trunk
Fa0/24       1-4094

Port         Vlans allowed and active in management domain
Fa0/24       1-4094
Port         Vlans in spanning tree forwarding state and not pruned
Fa0/24       1-4094

VAN-SW-A#show interface gi0/1 trunk
Port         Mode         Encapsulation  Status        Native vlan
Gi0/1        on           802.1q         trunking      1

Port         Vlans allowed on trunk
Gi0/1        1-4094

Port         Vlans allowed and active in management domain
Gi0/1        1-4094
Port         Vlans in spanning tree forwarding state and not pruned
Gi0/1        1-4094
! Task 4: Verifies trunking on Fa0/23-24, Gi0/1
VAN-SW-A#config t
VAN-SW-A(config)#vtp domain ExamCram
VAN-SW-A(config)#vtp password cisco
VAN-SW-A(config)#vtp server
VAN-SW-A(config)#exit
! Task 5: Assigns VTP parameters
VAN-SW-A#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : ExamCram
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Enabled
MD5 digest                      : 0x3A 0x29 0x86 0x39 0xB4 0x5D 0x58 0xD7
!
! Task 6: Verifies VTP settings
VAN-SW-A#config t
VAN-SW-A(config)#interface vlan 1
VAN-SW-A(config-if)#ip address 172.16.0.2 255.255.255.192
! Task 7: Assigns switch IP address
VAN-SW-A(config-if)#exit
VAN-SW-A(config)#ip default-gateway 172.16.0.1
! Task 8: Sets switch default gateway
VAN-SW-A(config)#int range fa0/1 - 10
VAN-SW-A(config-if-range)#switchport port-security
VAN-SW-A(config-if-range)#switchport port-security maximum 1
VAN-SW-A(config-if-range)#switchport port-security violation shutdown
! Task 9: Assigns port-security parameters
VAN-SW-A(config-if-range)#exit
VAN-SW-A(config)#enable secret cisco
! Task 10: Sets encrypted Privileged Exec password
VAN-SW-A(config)#line vty 0 4
VAN-SW-A(config-line)#login
VAN-SW-A(config-line)#password cisco23
! Task 11: Sets VTY access password
VAN-SW-A(config-line)#line con 0
VAN-SW-A(config-line)#login
VAN-SW-A(config-line)#password ciscocon
! Task 12: Sets Console access password
<ctrl+z>
VAN-SW-A#copy run start
VAN-SW-A#exit

Router Configuration Requirements

The router configuration tasks will touch on the following areas. Think about what each one requires in the configuration and start to plan your approach.

  • IP addressing

  • Subnetting

  • Inter-VLAN routing

  • PPP WAN connection

  • NAT overload to a pool

  • IP ACLs

  • OSPF and default routing

The branch office uses a new 2821 series router, with two Gigabit Ethernet interfaces and a serial interface for the PPP WAN connection. The router will perform Inter-VLAN routing using Router-on-a-Stick on Gi0/0 and provide NAT services for connection to the Internet. The ISP will exchange dynamic routing information with this router using OSPF in Area 0. The Voice VLAN should not be included in the OSPF routing. Your tasks are as follows:

  1. Assign the router a hostname of VAN-Gateway.

  2. Configure Inter-VLAN routing by assigning IP addresses to the physical and virtual interfaces. The IP addressing for each interface is as follows:

    • Gi0/0: 172.16.0.1 /26

    • S0/0: 192.168.66.65 /28

    • VLAN 10: 172.16.0.65 /26

    • VLAN 20: 172.16.0.129 /26

    • VLAN 30: 172.16.0.193 /26

  3. Set the Serial0/0 encapsulation to PPP.

  4. Configure NAT as follows:

    • Allow VLANs 1, 10, and 20 to be translated. Do not allow VLAN 30 to be translated.

    • The ISP has assigned the range of 192.168.66.66 through 192.168.66.77 as the pool of addresses to translate to. Name the pool IntPool. Ensure all VLAN 1, 10, and 20 hosts can use addresses from this range.

  5. Prevent all outside networks from pinging any inside network. Until the security team comes in to configure the advanced security settings, allow only IP traffic from established outbound connections inbound on s0/0.

  6. Configure OSPF routing for VLANs 1, 10, and 20 to the ISP network, using Area 0 for all interfaces. Do not advertise the Voice VLAN network.

  7. Configure a static default route to the ISP gateway IP of 192.168.66.78.
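As an added illustration (not part of the chapter), the following Python script derives the values the router tasks depend on from the addressing plan above: the OSPF wildcard masks for the `network` statements, the usable host count per /26, and the NAT pool range left on the WAN subnet once the two router addresses are excluded. It also handles the /29 variant posed in exam question 7, where the ISP address is taken as an assumption. The labels and function names are mine, not the chapter's.

```python
import ipaddress

# Addressing plan taken from the router tasks above (labels are constructed).
INSIDE_SUBNETS = {
    "VLAN 1 (Gi0/0)": "172.16.0.0/26",
    "VLAN 10": "172.16.0.64/26",
    "VLAN 20": "172.16.0.128/26",
    "VLAN 30 (Voice)": "172.16.0.192/26",
}
WAN_LINK = "192.168.66.64/28"
ROUTER_WAN_IP = "192.168.66.65"   # S0/0 address from Task 2
ISP_GATEWAY = "192.168.66.78"     # default-route next hop from Task 7


def wildcard(network: str) -> str:
    """OSPF/ACL wildcard mask: the bitwise inverse of the subnet mask."""
    return str(ipaddress.ip_network(network, strict=True).hostmask)


def ospf_network_statement(network: str, area: int = 0) -> str:
    """Render the IOS 'network' statement that matches exactly this subnet."""
    net = ipaddress.ip_network(network, strict=True)
    return f"network {net.network_address} {net.hostmask} area {area}"


def ospf_statements(subnets: dict, exclude: set, area: int = 0) -> list:
    """One statement per advertised subnet; labels in 'exclude' (the Voice VLAN) are left out."""
    return [ospf_network_statement(n, area) for label, n in subnets.items() if label not in exclude]


def usable_hosts(network: str) -> int:
    """Assignable host addresses: total minus the network and broadcast addresses."""
    return ipaddress.ip_network(network, strict=True).num_addresses - 2


def nat_pool(link: str, router_ip: str, isp_ip: str, name: str = "IntPool") -> str:
    """Build the 'ip nat pool' line from the WAN subnet, excluding both router addresses.
    IOS pools are a contiguous range, so refuse a layout where the reserved
    addresses would split the free space."""
    net = ipaddress.ip_network(link, strict=True)
    reserved = {ipaddress.ip_address(router_ip), ipaddress.ip_address(isp_ip)}
    free = [h for h in net.hosts() if h not in reserved]   # hosts() is ascending
    if not free or len(free) != int(free[-1]) - int(free[0]) + 1:
        raise ValueError("reserved addresses split the free range; pool must be contiguous")
    return f"ip nat pool {name} {free[0]} {free[-1]} netmask {net.netmask}"


if __name__ == "__main__":
    for label, subnet in INSIDE_SUBNETS.items():
        print(f"{label:16} {subnet:18} wildcard {wildcard(subnet):10} {usable_hosts(subnet)} hosts")
    print()
    for line in ospf_statements(INSIDE_SUBNETS, {"VLAN 30 (Voice)"}):
        print(line)
    print(ospf_network_statement(WAN_LINK))
    print(nat_pool(WAN_LINK, ROUTER_WAN_IP, ISP_GATEWAY))
```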

Router Solution

The following configuration is a good solution to the problems posed by the scenario. There may be other configs that also work, but again we are emphasizing those that we think you need to know for the test. The remark lines describing the solution to the task are included after the task configuration.

Router#configure terminal
Router(config)#hostname VAN-Gateway
! Task 1: Assigns hostname
VAN-Gateway(config)#interface gi0/0
VAN-Gateway(config-if)#ip address 172.16.0.1 255.255.255.192
VAN-Gateway(config-if)#no shut
VAN-Gateway(config-if)#interface gi0/0.10
VAN-Gateway(config-subif)#encapsulation dot1q 10
VAN-Gateway(config-subif)#ip address 172.16.0.65 255.255.255.192
VAN-Gateway(config-subif)#interface gi0/0.20
VAN-Gateway(config-subif)#encapsulation dot1q 20
VAN-Gateway(config-subif)#ip address 172.16.0.129 255.255.255.192
VAN-Gateway(config-subif)#interface gi0/0.30
VAN-Gateway(config-subif)#encapsulation dot1q 30
VAN-Gateway(config-subif)#ip address 172.16.0.193 255.255.255.192
! Task 2: Configures inter-VLAN routing. The physical interface carries the
! native VLAN (VLAN 1 by default); the subinterfaces are virtual interfaces
! for their respective VLANs.
VAN-Gateway(config-subif)#interface s0/0
VAN-Gateway(config-if)#encapsulation ppp
VAN-Gateway(config-if)#ip address 192.168.66.65 255.255.255.240
VAN-Gateway(config-if)#no shut
VAN-Gateway(config-if)#exit
! Task 3: Configures S0/0 with PPP and correct IP address
VAN-Gateway(config)#access-list 1 permit 172.16.0.0 0.0.0.63
VAN-Gateway(config)#access-list 1 permit 172.16.0.64 0.0.0.63
VAN-Gateway(config)#access-list 1 permit 172.16.0.128 0.0.0.63
VAN-Gateway(config)#ip nat pool IntPool 192.168.66.66 192.168.66.77 netmask 255.255.255.240
VAN-Gateway(config)#ip nat inside source list 1 pool IntPool overload
VAN-Gateway(config)#interface gi0/0
VAN-Gateway(config-if)#ip nat inside
VAN-Gateway(config-if)#interface gi0/0.10
VAN-Gateway(config-subif)#ip nat inside
VAN-Gateway(config-subif)#interface gi0/0.20
VAN-Gateway(config-subif)#ip nat inside
VAN-Gateway(config-subif)#interface s0/0
VAN-Gateway(config-if)#ip nat outside
VAN-Gateway(config-if)#exit
! Task 4: Configures NAT with ACL permitting specified networks,
! a NAT pool with valid addresses and mask,
! a NAT statement identifying source and destination for translation,
! and "inside" and "outside" interfaces.
VAN-Gateway(config)#access-list 101 deny icmp any any
VAN-Gateway(config)#access-list 101 permit tcp any any established
VAN-Gateway(config)#interface s0/0
VAN-Gateway(config-if)#ip access-group 101 in
VAN-Gateway(config-if)#exit
! Task 5: Applies specified security with ACL on the outside interface.
! The established keyword is valid only on a tcp entry (it matches segments
! with ACK or RST set). Note that the implicit deny at the end of this list
! also drops inbound OSPF (IP protocol 89) from the ISP; a "permit ospf any any"
! entry would be needed for the Task 6 adjacency to form.
VAN-Gateway(config)#router ospf 99
VAN-Gateway(config-router)#network 172.16.0.0  0.0.0.63 area 0
VAN-Gateway(config-router)#network 172.16.0.64  0.0.0.63 area 0
VAN-Gateway(config-router)#network 172.16.0.128 0.0.0.63 area 0
VAN-Gateway(config-router)#network 192.168.66.64  0.0.0.15 area 0
VAN-Gateway(config-router)#exit
! Task 6: Configures OSPF routing
VAN-Gateway(config)#ip route 0.0.0.0  0.0.0.0  192.168.66.78
VAN-Gateway(config)#exit
! Task 7: Sets default route to ISP
VAN-Gateway#copy run start
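As an added example (not the chapter's configuration), this Python model evaluates ACL 101 the way IOS does, first match with an implicit deny at the end, against constructed inbound packets on s0/0. It shows what established actually admits (TCP segments with ACK or RST set, not a fresh SYN) and that the list as written also drops the ISP's OSPF hellos that Task 6 relies on. Packet and Ace are my own simplified types and the sample addresses are made up.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound IP packet on s0/0 (constructed sample data)."""
    proto: str                          # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # e.g. {"ACK"}; only meaningful for tcp


@dataclass(frozen=True)
class Ace:
    """One 'any any' access-list entry; 'ip' matches every protocol."""
    action: str            # "permit" or "deny"
    proto: str
    established: bool = False


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """'established' exists only for TCP and matches segments with ACK or RST set,
    i.e. replies to connections opened from inside, never the initial SYN."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.established:
        return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 101 from Task 5 of the router solution.
ACL_101 = [Ace("deny", "icmp"), Ace("permit", "tcp", established=True)]

# Constructed samples of traffic arriving inbound on s0/0.
SAMPLES = {
    "return web traffic (ACK)": Packet("tcp", "203.0.113.10", "192.168.66.70", frozenset({"ACK"})),
    "unsolicited TCP SYN": Packet("tcp", "203.0.113.10", "192.168.66.70", frozenset({"SYN"})),
    "ping from outside": Packet("icmp", "203.0.113.10", "192.168.66.65"),
    "OSPF hello from ISP": Packet("ospf", "192.168.66.78", "224.0.0.5"),
    "DNS reply (UDP)": Packet("udp", "203.0.113.53", "192.168.66.70"),
}


def classify(acl: List[Ace]) -> dict:
    """Verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify(ACL_101).items():
        print(f"{verdict:6} {name}")
```

Adding `Ace("permit", "ospf")` ahead of the established entry is the one change that lets the ISP's hellos through while leaving the ping and SYN verdicts unchanged.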

Exam Prep Questions

1.

Why was no encapsulation specified for the trunk links on the switch in the preceding scenario?

  A. Because the Cisco switch supports only Cisco’s Inter-Switch Link trunk protocol.

  B. Because best practices recommend that trunk protocols be auto-negotiated.

  C. Because using a standards-based protocol such as 802.1q helps ensure intervendor operability.

  D. Because the 2960 supports only 802.1q, so the router must be configured to match.

2.

ACL 101 in the preceding router solution uses the keyword established. What is the effect of this configuration?

  A. Restricts inbound traffic only to established office applications; custom, gaming, or hacker traffic is implicitly denied.

  B. Allows traffic inbound only in response to outbound requests from an inside host.

  C. Requires that an established tunnel exist before traffic will be permitted.

  D. It has no effect without a “permit” statement.

3.

Andy, Stewart, and Gordon have replaced the NICs in some of the servers in the Resource VLAN. When they are restarted, none of them can establish a network connection. What is the most likely problem?

  A. Defective NICs.

  B. The switch is behaving as configured.

  C. Defective switch.

  D. No route to the network exists.

4.

Examine the following partial configuration from the router. What NAT configuration line is missing?

VAN-Gateway(config)#access-list 1 permit 172.16.0.0 0.0.0.63
VAN-Gateway(config)#access-list 1 permit 172.16.0.64 0.0.0.63
VAN-Gateway(config)#access-list 1 permit 172.16.0.128 0.0.0.63
VAN-Gateway(config)#ip nat pool IntPool 192.168.66.66 192.168.66.77 netmask 255.255.255.240
VAN-Gateway(config)#interface gi0/0
VAN-Gateway(config-if)#ip nat inside
VAN-Gateway(config-if)#interface gi0/0.10
VAN-Gateway(config-if)#ip nat inside
VAN-Gateway(config-if)#interface gi0/0.20
VAN-Gateway(config-if)#ip nat inside
VAN-Gateway(config-if)#interface s0/0
VAN-Gateway(config-if)#ip nat outside

5.

True or false: The Spanning Tree Protocol is running on VAN-SW-A?

  A. True

  B. False

6.

How many valid host IPs are available in the VLAN 30 subnet (including those already assigned)?

  A. 30

  B. 126

  C. 14

  D. 62

7.

The ISP has informed you that it is changing the subnet mask of the connection to its router to /29. Your router’s IP is not changing, but the ISP address is now 192.168.66. All remaining IPs in the subnet are available for the NAT pool. What will the new NAT pool statement look like?

  A. ip nat pool IntPool 192.168.66.67 192.168.66.70 mask 255.255.255.248

  B. ip nat pool IntPool 192.168.66.67 192.168.66.70 netmask 0.0.0.248

  C. ip nat pool IntPool 192.168.66.67 192.168.66.70 netmask 255.255.255.248

  D. ip nat pool IntPool 192.168.66.66 192.168.66.70 netmask 255.255.255.248

8.

Duncan suggests the following configuration for the VAN-Gateway router. What is the problem with this partial config?

!
VAN-Gateway(config)#interface gi0/0
VAN-Gateway(config-if)#no ip address
VAN-Gateway(config-if)#no shut
VAN-Gateway(config-if)#interface gi0/0.1
VAN-Gateway(config-if)#encapsulation isl 1
VAN-Gateway(config-if)#ip address 172.16.0.1 255.255.255.192
VAN-Gateway(config-if)#interface gi0/0.10
VAN-Gateway(config-if)#encapsulation isl 10
VAN-Gateway(config-if)#ip address 172.16.0.65 255.255.255.192
VAN-Gateway(config-if)#interface gi0/0.20
VAN-Gateway(config-if)#encapsulation isl 20
VAN-Gateway(config-if)#ip address 172.16.0.129 255.255.255.192
VAN-Gateway(config-if)#interface gi0/0.30
VAN-Gateway(config-if)#encapsulation isl 30
VAN-Gateway(config-if)#ip address 172.16.0.193 255.255.255.192
!

9.

Examine the partial configuration that follows. Why is this configuration invalid?

!
VAN-SW-A(config)#router ospf 99
VAN-SW-A(config-router)#network 172.16.0.0  0.0.0.63 area 0
VAN-SW-A(config-router)#network 172.16.0.64  0.0.0.63 area 0
VAN-SW-A(config-router)#network 172.16.0.128 0.0.0.63 area 0
VAN-SW-A(config-router)#network 192.168.66.64  0.0.0.15 area 0
VAN-SW-A(config-router)#exit
!

10.

Examine the partial configuration that follows. Why is this configuration invalid?

!
VAN-SW-A(config)#router ospf 0
VAN-SW-A(config-router)#network 172.16.0.0  0.0.0.63 area 0
VAN-SW-A(config-router)#network 172.16.0.64  0.0.0.63 area 0
VAN-SW-A(config-router)#network 172.16.0.128 0.0.0.63 area 0
VAN-SW-A(config-router)#network 192.168.66.64  0.0.0.15 area 0
VAN-SW-A(config-router)#exit
!

Answers to Exam Prep Questions

1.

Answer D is correct. The 2960 does not support ISL, so the router must be configured for 802.1q. Answer A is incorrect; the switch supports only 802.1q. Answer B is wrong; trunk encapsulation cannot be negotiated between a router and a switch, only between two switches. Even then, best practices recommend hard-coding trunk encapsulation. Answer C is wrong because it is not relevant to this scenario, however true it may be.

2.

Answer B is correct; the established keyword lets traffic back in in response to traffic that was sent out. Answer A is wrong; this sounds more like Network-Based Application Recognition (NBAR), but has nothing to do with the established keyword. Answer C is wrong; there is no requirement for tunnels. Answer D is wrong; it is already part of a permit statement.

3.

Answer B is correct; the switch is configured for port security, so when the MAC addresses of the new NICs attempt to connect to the switch, the ports shut down. Answer A is wrong; it’s unlikely that all the new NICs are defective. Answer C is wrong; given what we know of the config, it is not the most likely problem. Answer D is wrong; hosts do not need a route to their own LAN; our problem here is at Layer 1 and 2, not Layer 3.

4.

Answer A is correct. Answers B and D use invalid syntax; Answer C names the wrong ACL.

5.

Answer A (true) is correct. Spanning Tree is running by default, and we see no evidence of it being disabled (which would be a bad idea anyway).

6.

Answer D is correct. A /26 provides 62 valid hosts. All other answers are incorrect.

7.

Answer C is correct. The remaining available addresses are .67 through .70, and the new mask ends with .248. Answer A is incorrect; the keyword is netmask, not mask. Answer B is wrong; the mask is invalid. Answer D is wrong; the IP range includes the ISP router.

8.

Answer D is correct; if the router uses this config, the switch will not be able to trunk with it. Answer A is therefore incorrect. Answer B is wrong; there is no problem with the IPs and masks. Answer C is wrong; the router will support ISL trunking, but the switch will not.

9.

Answer D is correct. This is a nasty trick question; the command prompt indicates that this config was written for the switch. Even though it would be impossible to get this configuration (the switch would return errors), you can expect some exam questions to be unrealistic in this way. Answer A is wrong; OSPF needs wildcards. Answer B is wrong; there are many valid address/mask formats in OSPF configuration. Answer C is wrong because the configuration was entered on a switch that does not support OSPF (or any routing for that matter).

10.

Answer C is correct; the valid range for the Process ID is 1–65535. Answer B is therefore incorrect. Answer A is not correct; the area ID can be anything from 0 through 65535. Answer D is wrong; the wildcard masks are perfectly valid.
