CCNP3 Case Study

Topology

Scenario
Digital Technologies Inc (DTI) has a new city office. The design requires main trunks as EtherChannels, with backup links, trunk ports and access ports using Catalyst 2960 (or 2950) and 3560 (or 3550) switches, and 2811 series routers. Fault-tolerant links are required, so all links, even those to ISP, require backup.
Staff at the city office are in the following subnets:
1. Corporate (Manager, Accounts, Secretaries) VLAN 10
2. Sales (Marketing, Sales, Delivery) VLAN 20
3. Servers (attached to DLS2) VLAN 30
4. Telephony VLAN 150
5. Management (for all switches) VLAN 217

32011MSN

Case Study 3 Autumn 2011

Multiple Instance Spanning Tree (MST) will be used, in combination with PortFast and BPDU guard. For load balancing, DLS1 will be root for Corporate VLAN, Sales VLAN and Management VLAN, and DLS2 will be root for Telephony VLAN and Servers VLAN. Multiple HSRP groups will be implemented so that DLS1 is active for VLANs 10, 20 & 217, and DLS2 is active for VLANs 30 & 150. Backup Router will provide standby links for all VLANs.

General Tasks

• Connect all the network devices according to the network diagram. (Note: No IP Telephones will be connected at this stage, although all configurations will assume their presence.)
• On DL & AL Switches use ports 3 & 4 for the EtherChannels (DLS1 to ALS1 & DLS2 to ALS2).
• On DL & AL Switches use ports 5 & 6 as trunk ports between them (DLS1 to ALS2 & DLS2 to ALS1).
• Use ports 7 & 8 for the trunk ports between ALS1 & ALS2.
• Use port 7 for the trunk links to ISP (DLS1 to ISP & DLS2 to ISP).
• ALS1 has the only link to BACKUP Router on port 24.
• On all devices, configure the following:
   o vty support with username (first name of each group member) & password cisco, using ssh.
   o console password cisco
   o privileged EXEC mode secret cisco
   o All hostnames
   o Prevent bystanders from reading passwords by configuring all network devices to encrypt the clear text passwords.

VLANs and VTP
Digital Technologies Inc (DTI) requires VLANs and VTP to be configured within the switched network.
1. VTP
   Domain DTCORP
   Password cisco
   DLS1 Server
   All other switches CLIENT
2. Fast EtherChannel is between ALS1 & DLS1, and ALS2 & DLS2
3. Create all required VLANs in the VTP Domain
4. Configure Access Ports as follows:

            VLAN 10      VLAN 20      VLAN 30      VLAN 150
   DLS1     nil          nil          nil          n/a
   DLS2     nil          nil          fa0/22-24    n/a
   ALS1     fa0/10-13    fa0/14-20    nil          all access ports
   ALS2     fa0/10-13    fa0/14-22    nil          all access ports

5. All unused ports are to be shut down and placed into VLAN 539. This VLAN is then to be deleted.

Spanning Tree
• Configure instance 1 for VLANs 10, 20 & 217 with DLS1 as Root Bridge, with all other VLANs being in instance 2 with DLS2 as Root Bridge.
• Configure PortFast on all non-trunk ports.

Inter-VLAN Routing
• Enable Inter-VLAN routing. Configure Backup as a router-on-a-stick. Configure HSRP on DLS1, DLS2 and Backup Router.
• Configure HSRP on DLS1, DLS2 and Backup Router so that DLS1 is the active router for VLANs 10, 20 & 217 and DLS2 is the active router for VLANs 30 & 150, with standby for all VLANs being the other DL Switch, with secondary standby being Backup Router. Include the preempt option in all configuration.
• Configure HSRP interface tracking so that the next standby device becomes the active device if the FastEthernet link between DLS1 and ISP or DLS2 and ISP fails.
• Use the following Addresses:

   VLAN 10                                  10.1.10.0/24
   VLAN 20                                  10.1.20.0/24
   VLAN 30                                  10.1.30.0/24
   VLAN 150                                 10.1.150.0/24
   VLAN 217                                 10.1.217.0/24
   Routed link between DLS1 & DLS2          10.1.1.0/30
   Interface S0/0/0 (facing ISP) on Backup  192.168.1.0/30
   Interface fa0/7 on DLS1                  192.168.1.4/30
   Interface fa0/7 on DLS2                  192.168.1.8/30

• Configure valid addresses for the host on ALS1 (port 15) and the host on ALS2 (port 20), and server in VLAN 30.
• Configure tracking on all links to ISP.

Additional Requirements

• Configure a routed port on both DLS1 and DLS2 using interface fa0/24.
• For testing purposes, configure the loopback address 2.2.2.2/32 on ISP Router.
• Configure the static routes from ISP in such a way that the primary return path for VLANs 10, 20 & 217 is via DLS1, with primary backup to DLS2, and secondary backup to Backup Router; and the primary path for VLANs 30 & 150 is via DLS2, with primary backup DLS1 and secondary backup Backup Router.
• Configure Port sticky on all access ports, allowing only a single user, and shutdown if violated.
• Enable BPDU guard on all appropriate interfaces.
• Configure PortFast on all appropriate ports.

• Place any ports not attached to a VLAN into VLAN 539, place these interfaces in shutdown mode and then delete this VLAN.
• Configure IP routing on DLS1 and DLS2, and use EIGRP (AS 10), with automatic summarization disabled. Backup router should also use EIGRP Routing (AS 10).
• Enable QoS globally on all switches.
• On ALS1 and ALS2, configure access ports to trust Cisco IP phones for QoS. Use VLAN 150 as the voice VLAN.
• Enable DHCP Snooping to trust all ports on DLS1 and DLS2, but to only trust trunk ports on the AL Switches. Limit the rate of DHCP requests to 5 per second.
• Enable AAA. Authenticate your group members ONLY with username (each member's first name) password cisco (hashed). Apply AAA to the active host ports (ALS1 port 15 and ALS2 port 20) ONLY.
• Configure an ACL to restrict VTY traffic to the single host on VLAN 20 attached to ALS2.
• Configure a secure HTTP server on DLS2 switch. Permit ONLY the host on VLAN 20 attached to ALS2 Switch to access this server.
• Disable http on all other switches.
• Shutdown/disable all unused services on all switches. Make a list of the ones you disable.
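
One way to check a saved running-config against the access-port requirements above (sticky port security with a single address and shutdown on violation, PortFast, BPDU guard, DHCP request rate of 5 per second). This is an added example, not part of the case study. The function names and the sample configuration are constructed, and it assumes Catalyst 2960/3560 IOS syntax with every setting applied per interface rather than through a global default.

```python
import re

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return ports

def audit_port(cmds):
    """Return the access-port requirements that this port does not meet."""
    missing = [label for label, cmd in {
        "port security": "switchport port-security",
        "sticky MAC": "switchport port-security mac-address sticky",
        "PortFast": "spanning-tree portfast",
        "BPDU guard": "spanning-tree bpduguard enable",
        "DHCP rate limit 5": "ip dhcp snooping limit rate 5",
    }.items() if cmd not in cmds]
    # "maximum 1" and "violation shutdown" are IOS defaults and are omitted
    # from the running-config, so only an explicit other value is a finding.
    for c in cmds:
        m = re.fullmatch(r"switchport port-security (maximum|violation) (\S+)", c)
        if m and m.group(2) not in ("1", "shutdown"):
            missing.append(f"{m.group(1)} {m.group(2)}")
    return missing

def audit(config):
    """Audit every FastEthernet port that is not shut down, trunk or routed."""
    skip = {"shutdown", "switchport mode trunk", "no switchport"}
    return {n: audit_port(c) for n, c in parse_interfaces(config).items()
            if n.startswith("FastEthernet") and not skip & set(c)}

# Constructed running-config fragment for an access switch (not from the page)
SAMPLE = """\
interface FastEthernet0/15
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
!
interface FastEthernet0/23
 shutdown
"""
```

Calling `audit(SAMPLE)` reports the constructed port FastEthernet0/15 as missing sticky learning, BPDU guard and the DHCP rate limit, and flags its explicit `maximum 3` and `violation restrict` settings.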
