D3-10.0.1.2 Putting It All Together
Objectives
Part A
- Analyze the customer work order and proposed network design.
- Create a VLSM IP addressing scheme.

Part B
- Build a multilayer network and connect to a simulated ISP.
- Configure basic settings on switches with multiple VLANs and VTP.
- Configure the STP root bridge.
- Configure basic settings on routers and inter-VLAN routing.
- Verify basic connectivity, device configuration, and functionality.

Part C
- Configure multiple routers using OSPF, PAT and a default route.
- Configure WAN link using PPP and authentication.
- Configure multiple switches with port security.
- Configure ACLs to control network access and to secure routers.
- Verify connectivity, device configuration, and functionality.
Background / Preparation
AnyCompany is opening a new branch office (Remote Office 2) and has contracted you to extend the AnyCompany network into the new facilities. Corporate management has also decided that this would be a good time to restructure the existing network to provide increased levels of security and performance. The existing network consists of a head office, which houses 112 employees, and a business office (Remote Office 1), which houses 200 employees.

The new office space (Remote Office 2) will initially house four distinct groups of employees but will expand as the company grows. For this reason, implement VLANs to help manage the traffic. Also use VTP to simplify the task of managing the VLANs. One of the groups occupying the new office is the sales force. This group requires wireless access to the company network. Because security is of great concern, the wireless network must be on its own VLAN. Initially the network in Remote Office 2 will consist of five VLANs.

This lab focuses on the configuration of the Cisco 1800 router and 2960 switch, or comparable equipment, using Cisco IOS commands. The information in this lab applies to other routers and switches; however, the command syntax may vary. Depending on the router model, the interfaces may differ. For example, on some routers Serial 0 may be Serial 0/0 or Serial 0/0/0 and Ethernet 0 may be FastEthernet 0/0.

It is recommended to work in teams of three. Each person can be responsible for one of the three switches and its associated host PC. The team can work together to configure the two company routers.
The following resources are required:
- One ISP router with one serial and one FastEthernet interface (preconfigured by instructor)
- Three Ethernet 2960 switches (or comparable) for Remote Office 2 LAN
- Two 1841 routers (or other routers), one with a FastEthernet interface and one with two serial interfaces
- One Wireless Access Point (optional)
- One Ethernet 2960 switch to connect wired PCs
- Three Windows XP-based PCs to act as wired clients
- One Discovery CD Server, preconfigured by instructor (optional if a Loopback is on ISP router)
- Cat 5 cabling as necessary (straight-through and crossover)
- Two Serial DTE/DCE cables for WAN links
- ISP work order (included in this lab)
Part A Review the work order and develop the VLSM subnet scheme
Task 1: Review the customer work order and proposed network.
You have received the following work order from your manager at the ISP. Review the work order to get a general understanding of what is to be done for the customer.
ABC-XYZ-ISP Inc.
Official Work Order
Customer: AnyCompany1 or AnyCompany2 (Circle the customer name assigned by your instructor)
Address: 1234 Fifth Street, Anytown
Customer Contact: Fred Pennypincher, Chief Financial Officer
Phone number: 123-456-7890
Date: _____________
Step 1: Determine the size of the CIDR address block assigned
a. The customer has been assigned CIDR network address: ___172.20.0.0/21___
   If network customer is AnyCompany1, use 172.20.0.0/22. If network customer is AnyCompany2, use 172.20.4.0/22.
b. How many total host IP addresses does this CIDR address block represent? ___2046___

Using this address block, you will develop a VLSM subnet scheme that will allow AnyCompanyX to support existing HQ and RO1 networks as well as the new RO2 network.

Step 2: Determine the size of each VLSM block to accommodate users
a. Based on the CIDR address assigned by the ISP and the number of users in each area or VLAN, optimally subnet this block of addresses to provide sufficient addresses for all offices (HQ, RO1, and RO2) and VLAN requirements.
b. To start, determine the size of the subnet address block required for a network area or group of users. Fill in the table with this information. Look at the number of users for each area or subnet and determine the smallest power of 2 that will cover the requirement. As an example, if 93 addresses were required, a VLSM block of 128 (2^7) would be needed. The next smallest power of 2 is 64 (2^6), which does not cover the requirement. A block of 128 results in some unused addresses but also allows for growth.

Network Area | VLSM block size / No. of IPs (powers of 2)
HQ Network | 172.20.3.0/25 (128 host 126)
RO1 Network | 172.20.2.0/24 (256 host 254)
RO2 Network / VLANs | N/A
VLAN 1 (Server Farm) | 172.20.1.128/27 (32 host 30)
VLAN 2 (Native/mgmt IP) | 172.20.1.160/28 (16 host 14)
VLAN 11 (Dept 1) | 172.20.0.0/25 (128 host 126)
VLAN 12 (Dept 2) | 172.20.0.128/25 (128 host 126)
VLAN 13 (Dept 3) | 172.20.1.0/26 (64 host 62)
VLAN 101 (wireless) | 172.20.1.64/26 (64 host 62)
WAN link (RO2 to HQ) | 172.20.1.176/30 (4 host 2)
Total users and block sizes for RO2 | 172.20.0.0/24 172.20.1.0/25 172.20.1.128/26
618
c. To optimally allocate addresses from the /22 CIDR address, start by sorting the block sizes from largest to smallest. For this lab, add up the individual smaller blocks for each of the VLANs in the RO2 network and allocate a single larger block that will cover all the smaller block requirements. This keeps all of the subnets together for RO2 and aids in route summarization. Use the table below to order the network areas by the VLSM block size. List the large block for the entire RO2 network first, followed by the others. The larger RO2 block will be broken down into smaller subnets later.

Network Area / VLAN | VLSM block size starting with the largest first
RO2 total block size (will be subdivided into smaller blocks) | 172.20.0.0/24 172.20.1.0/25 172.20.1.128/26
RO1 Network | 172.20.2.0/24
HQ Network | 172.20.3.0/25
RO2 - VLAN 11 (Dept 1) | 172.20.0.0/25
RO2 - VLAN 12 (Dept 2) | 172.20.0.128/25
RO2 - VLAN 13 (Dept 3) | 172.20.1.0/26
RO2 - VLAN 101 (wireless) | 172.20.1.64/26
RO2 - VLAN 1 (Server Farm) | 172.20.1.128/27
RO2 - VLAN 2 (Native/mgmt IP) | 172.20.1.160/28
RO2 - HQ WAN link | 172.20.1.176/30
Step 3: Determine subnet addresses for the CIDR block
a. Determine which blocks of CIDR address to assign to each area of the network or VLAN. Use the VLSM subnet chart (Appendix A) to enter the subnet information for each of the CIDR blocks.
b. To determine the subnet addresses for the 172.20.0.0/22 or the 172.20.4.0/22 CIDR block, use the subnet calculator tool on the Cisco Network Academy website. With the subnet calculator tool, enter the Base Network Address (172.20.0.0 or 172.20.4.0) and the value of VLSM Mask 1 in dotted decimal, starting with 255.255.252.0 (/22). Click the Actions button Calculate Subnetting using VLSM. Use the same base address and increase the mask length by one each time to fill in the chart.

NOTE: Entries for the subnet numbers for the /29 and /30 mask are not included in the table. Subdivide one of the /28s to a /30 for the WAN link.

Step 4: Allocate blocks of addresses to each area of the network
a. Fill in the following table based on the subnet information in the CIDR/VLSM Subnet Chart and the sorted table of address requirements. Draw lines around each of the blocks in the address table above, or color them in, and label each one according to the network area or VLAN to which it is assigned.
Network Area / VLAN | Users | Subnet / prefix | Subnet Mask | Useable Address Range
RO2 total block size (will be subdivided into smaller blocks) | | | | 172.20.0.1 - 172.20.1.254
RO2 VLAN 11 (Dept 1) | | | | 172.20.0.1 - 172.20.0.126
RO2 VLAN 12 (Dept 2) | | | | 172.20.0.129 - 172.20.0.254
RO2 VLAN 13 (Dept 3) | 38 | 172.20.1.0/26 | 255.255.255.192 | 172.20.1.1 - 172.20.1.62
RO2 VLAN 101 (wireless) | 52 | 172.20.1.64/26 | 255.255.255.192 | 172.20.1.65 - 172.20.1.126
RO2 VLAN 1 (Server Farm) | 18 | 172.20.1.128/27 | 255.255.255.224 | 172.20.1.129 - 172.20.1.158
RO2 VLAN 2 (Native/mgmt IP) | | 172.20.1.160/28 | 255.255.255.240 | 172.20.1.161 - 172.20.1.174
RO2 - WAN link | | 172.20.1.176/30 | 255.255.255.252 | 172.20.1.177 - 172.20.1.178
RO1 Network | 200 | 172.20.2.0/24 | 255.255.255.0 | 172.20.2.1 - 172.20.2.254
HQ Network | 112 | 172.20.3.0/25 | 255.255.255.128 | 172.20.3.1 - 172.20.3.126
b. Have the instructor verify that your addressing scheme is accurate and assigns address space efficiently. You should not have any overlapping subnets and should have unused contiguous blocks of addresses that can be used for future subnets as the company grows.
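The overlap and free-space check described in Step 4b can be automated. The following is an added example, not part of the original lab: it audits the AnyCompany1 scheme filled in above against the 172.20.0.0/22 block and lists the contiguous blocks left for growth. The function names are hypothetical, and the user counts are only those that survive on the worksheet (38 and 52 are matched to VLAN 13 and VLAN 101 by their subnets).

```python
import ipaddress
from itertools import combinations

PARENT = "172.20.0.0/22"  # AnyCompany1 block from the work order

# (area, users, subnet) as filled in on the worksheet above. users is None where
# the page gives no count; 38 and 52 are matched to VLAN 13 / VLAN 101 by subnet.
PLAN = [
    ("RO2 VLAN 11", None, "172.20.0.0/25"),
    ("RO2 VLAN 12", None, "172.20.0.128/25"),
    ("RO2 VLAN 13", 38, "172.20.1.0/26"),
    ("RO2 VLAN 101", 52, "172.20.1.64/26"),
    ("RO2 VLAN 1", 18, "172.20.1.128/27"),
    ("RO2 VLAN 2", None, "172.20.1.160/28"),
    ("RO2-HQ WAN link", None, "172.20.1.176/30"),
    ("RO1 Network", 200, "172.20.2.0/24"),
    ("HQ Network", 112, "172.20.3.0/25"),
]

def audit(parent, plan):
    """Return a list of problems: out-of-block, undersized, or overlapping subnets."""
    block = ipaddress.ip_network(parent)
    nets = [(name, users, ipaddress.ip_network(cidr)) for name, users, cidr in plan]
    problems = []
    for name, users, net in nets:
        hosts = net.num_addresses - 2  # network and broadcast are not assignable
        if not net.subnet_of(block):
            problems.append(f"{name}: {net} is outside {block}")
        if users is not None and hosts < users:
            problems.append(f"{name}: {net} holds {hosts} hosts, needs {users}")
    for (n1, _, a), (n2, _, b) in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems

def free_blocks(parent, plan):
    """Return the unallocated CIDR blocks left in parent, in address order."""
    free = [ipaddress.ip_network(parent)]
    for _, _, cidr in plan:
        used = ipaddress.ip_network(cidr)
        remaining = []
        for blk in free:
            if used.subnet_of(blk):
                remaining.extend(blk.address_exclude(used))  # split around the allocation
            elif not blk.subnet_of(used):
                remaining.append(blk)                        # untouched by this allocation
        free = remaining
    return [str(n) for n in ipaddress.collapse_addresses(free)]

if __name__ == "__main__":
    print(audit(PARENT, PLAN) or "no problems")
    print("free:", free_blocks(PARENT, PLAN))
```

For AnyCompany2, shift every subnet by four in the third octet and set PARENT to 172.20.4.0/22.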
Subnet Mask 255.255.255.252 255.255.255.252 255.255.255.128 255.255.255.0 255.255.255.252 None 255.255.255.224 255.255.255.240 255.255.255.128 255.255.255.128 255.255.255.192 255.255.255.192 255.255.255.252
Gateway N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
None
First 172.20.1.129 First 172.20.1.161 First 172.20.0.1 First 172.20.0.129 First 172.20.1.1 First 172.20.1.65
Fa0/0 S1 (RO2) S2 (RO2) S3 (RO2) H1 H2 H3 ISPserver VLAN 2 VLAN 2 VLAN 2 NIC NIC NIC NIC
N/A
172.20.1.161 172.20.1.161 172.20.1.161 172.20.0.1 172.20.0.129 172.20.1.1
193.11.22.1
Step 2: Have the instructor check your work for this task before going on to Part B.
Part B Physically construct the network and perform basic device configuration
Task 1: Build the network and connect cables to the interfaces and ports indicated
Connect your AnyCompanyX network router HQ to the ISP router. The ISP router and the Discovery CD Server should be preconfigured by the instructor. If ISP router is configured with a Loopback address in lieu of the Discovery CD Server, the HTTP server in the router must be enabled. If you are unsure, check with your instructor.

NOTE: Make sure that the routers and the switches have been erased and have no startup configurations. Instructions for erasing both switch and router are provided in the Lab Manual, located on Academy Connection in the Tools section.

NOTE: SDM Enabled Routers - If the startup-config is erased in an SDM enabled router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. The steps provided in this lab use IOS commands and do not require the use of SDM. If you wish to use SDM, refer to the instructions in the Lab Manual, located on the Academy Connection in the Tools section or contact your instructor if necessary.

The IP addresses used to configure the devices in the following tasks should be based on your solution for the VLSM scheme.

NOTE: VLAN Mismatch Messages - You may want to wait until after the switches are configured to connect the trunk links. Otherwise, native VLAN mismatch messages come up until all switches are configured.
Step 3: Create CHAP user ID and password
Configure a username for the ISP router on the HQ router with a password of cisco for use with CHAP authentication.

Step 4: Save the router running-config configuration to startup-config

Step 5: Copy the router running-config to a text editor and save it for later use, if needed
a. Open a text editor such as Windows Notepad.
b. Issue the show running-config command.
c. Copy the output and paste it into the text editor.
d. Save the file on the Windows Desktop as HQ.txt.
Step 3: Save the router running-config configuration to startup-config

Step 4: Copy the router running-config to a text editor and save it for later use, if needed
a. Open a text editor such as Windows Notepad.
b. Issue the show running-config command.
c. Copy the output and paste it into the text editor.
d. Save the file on the Windows Desktop as R2.txt.

NOTE: If you need to use this file later, you will need to edit it to clean it up and make sure that the necessary interfaces have the no shutdown command applied to them.
Step 2: Configure the VLANs for Remote Office 2 on S1 using the VLAN numbers and names shown in the chart below
Assign ports to each VLAN as indicated. Use the same chart to configure switches S2 and S3:

RO2 VLAN Number | VLAN Name | Ports assigned
VLAN 1 (default VLAN) | default | Ports 4-5
VLAN 2 (Native/mgmt IP) | Mgmnt | Port 23
VLAN 11 (Dept 1 users) | Dept1 | Ports 6 to 11
VLAN 12 (Dept 2 users) | Dept2 | Ports 12 to 17
VLAN 13 (Dept 3 users) | Dept3 | Ports 18 to 22
Notes
Step 3: Assign an IP address to the Management VLAN 2 on S1
a. Assign the VLAN 2 address according to the Device Interface / IP Address Chart in Part A, Task 3, Step 1.
b. Configure the switch with a default gateway to router R2 for VLAN 2.

Step 4: Configure S1 switch ports Fa0/1, Fa0/2 and Fa0/3 as 802.1Q trunks
The trunks carry VLAN information. Set each trunk to use VLAN 2 as the native VLAN.

Step 5: Configure S1 as the root switch for STP
Change the priority of native VLAN 2 from the default of 32769 to 4096.

Step 6: Configure a VTP domain
a. Configure the AnyCompanyX domain name (where X is 1 or 2) on S1 and a password of cisco.
b. Configure S1 as the VTP server.

Step 7: Save the switch running-config configuration to startup-config

Step 8: Copy the switch running-config to a text editor and save it for later use, if needed
Step 4: Configure Switch ports Fa0/2 and Fa0/3 as 802.1Q trunks to carry VLAN information

Step 5: Save the switch running-config configuration to startup-config

Step 6: Copy the switch running-config to a text editor and save it for later use, if needed
For the ping (icmp) entry, what is the inside local address and port number? _______________
For the ping (icmp) entry, what is the inside global address and port number? _______________
For the browser connection (tcp) entry, what is the inside local address and port number? _______________
For the browser connection (tcp), what is the outside global address and port number? _______________

Step 5: Save the router running configuration to NVRAM.
Step 8: Save the switch running-config configuration to startup-config

Step 9: Repeat Steps 1 through 8 to set port security for the other two switches, S2 and S3, and save the running config to startup-config
d. Using a browser from H1, H2, and H3, enter the ISP router Loopback0 address or the IP address of the Discovery CD Server. Were you able to access the web interface of the router or the Web page from the server? __________
e. Telnet from Host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Were you able to telnet to it? __________
f. Telnet from Host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. Were you able to telnet to it? __________
g. Use the show access-lists command to verify that the ACL is working.

Step 3: Create and apply a standard ACL to control VTY access to the HQ router
a. The ACL should deny hosts from all VLANs on Remote Office 2 except for Host H2 on VLAN 12. This will still allow other hosts on VLAN 12 to access router R2 using telnet. Note: Use an ACL with number 2
b. Apply the ACL to VTY lines 0 through 4 on the R2 router.
c. Telnet from Host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. Were you able to telnet to it? ___
d. Change the IP address of H2 to another one that is on VLAN 12 and telnet again from Host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. Were you able to telnet to it? ___
e. Use the show access-lists command to verify that the ACLs are working.

Step 4: On R2 and HQ, save the router running configuration to NVRAM

Router Interface Summary

Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2
800 (806) | Ethernet 0 (E0) | Ethernet 1 (E1) | |
1600 | Ethernet 0 (E0) | Ethernet 1 (E1) | Serial 0 (S0) | Serial 1 (S1)
1700 | FastEthernet 0 (Fa0) | FastEthernet 1 (Fa1) | Serial 0 (S0) | Serial 1 (S1)
1800 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2500 | Ethernet 0 (E0) | Ethernet 1 (E1) | Serial 0 (S0) | Serial 1 (S1)
2600 | FastEthernet 0/0 (Fa0/0) | FastEthernet 0/1 (Fa0/1) | Serial 0/0 (S0/0) | Serial 0/1 (S0/1)
NOTE: To find out exactly how the router is configured, look at the interfaces. Doing this will identify the type of router as well as how many interfaces the router has. There is no way to effectively list all of the combinations of configurations for each router class. What is provided are the identifiers for the possible combinations of interfaces in the device. This interface chart does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in IOS commands to represent the interface.
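For the VTY access-control step (Step 3 of the ACL task above), the telnet results in sub-steps c and d depend on how the single permit entry is written. The following is an added example, not part of the original lab or its answer key: a small evaluator for standard numbered ACL lines (first match wins, implicit deny at the end) run against two candidate entries. All host addresses are constructed from the VLSM scheme on this page, and the function names are hypothetical.

```python
import ipaddress

def parse_entry(line):
    """Parse a standard numbered ACL line into (action, address, wildcard) as ints."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    src = tok[3:]
    if src[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":
        addr, wild = src[1], "0.0.0.0"
    else:  # "address wildcard"; a bare address means a single host
        addr, wild = src[0], src[1] if len(src) > 1 else "0.0.0.0"
    return tok[2], int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def evaluate(acl, source_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl:
        action, addr, wild = parse_entry(line)
        care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if (src & care) == (addr & care):
            return action
    return "deny"

# Constructed test hosts; the lab leaves the real addresses to your VLSM scheme.
HOSTS = {
    "H1 (VLAN 11)": "172.20.0.2",
    "H2 (VLAN 12)": "172.20.0.130",
    "H2 re-addressed (VLAN 12)": "172.20.0.131",
    "H3 (VLAN 13)": "172.20.1.2",
}

# Two ways to write ACL 2. On the router it is bound to the VTY lines with
# "access-class 2 in" under "line vty 0 4".
ACL_H2_ONLY = ["access-list 2 permit host 172.20.0.130"]
ACL_ALL_VLAN12 = ["access-list 2 permit 172.20.0.128 0.0.0.127"]

def telnet_results(acl):
    """Map each sample host to the permit/deny decision the ACL would make."""
    return {name: evaluate(acl, ip) for name, ip in HOSTS.items()}

if __name__ == "__main__":
    for label, acl in (("host entry", ACL_H2_ONLY), ("subnet entry", ACL_ALL_VLAN12)):
        print(label, telnet_results(acl))
```

With the host entry, the re-addressed H2 in sub-step d is denied; with the subnet entry, every VLAN 12 address is permitted.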
Subnet Mask: 255.255.252.0 3.192 3.192 3.224 3.176 3.192 3.208 3.224 3.240
Area/VLAN | Block size | Subnet / prefix
RO2 Total Block | 512 | 172.20.0.0 /23
RO2 VLAN 11 | ___ | ___.__._.___ /__
RO2 VLAN 12 | ___ | ___.__._.___ /__
RO2 VLAN 13 | ___ | ___.__._.___ /__
RO2 VLAN 101 | ___ | ___.__._.___ /__
RO2 VLAN 1 | ___ | ___.__._.___ /__
RO2 VLAN 2 | ___ | ___.__._.___ /__
RO2 WAN link | ___ | ___.__._.___ /__
___ ___