Answer Document

Task 1: Configure VLAN, Voice VLAN, VTP and Inter-VLAN Routing in HQ (15 minutes)
Step 1: Configure VTP Settings on F2SW1 and F1SW1. F2SW1 is server and F1SW1 is client The domain name is HQ The password is cisco Configure F2SW1 as server and set the domain name and password.
F2SW1(config)#vtp mode server F2SW1(config)#vtp domain HQ F2SW1(config)#vtp password cisco

Now configure F1SW1 as client and set the domain name and password.
F1SW1(config)#vtp mode server F1SW1(config)#vtp domain HQ F1SW1(config)#vtp password cisco

Step 2: Configure Trunking on F2SW1 and F1SW1 Trunking ports for F2SW1 and F1SW1 are all ports attached to another switch or router. Set all trunking ports to trunk mode, and assign VLAN 6 as the native VLAN. On F2SW1, configure port Fa0/1 and Fa0/24 as trunk port.
F2SW1(config)#int fa0/1 F2SW1(config-if)#switchport F2SW1(config-if)#switchport F2SW1(config-if)#exit F2SW1(config)#int fa0/24 F2SW1(config-if)#switchport F2SW1(config-if)#switchport F2SW1(config-if)#exit mode trunk trunk native vlan 6

mode trunk trunk native vlan 6

On F1SW1, configure port Fa0/24 as trunk port.

F1SW1(config)#int fa0/24 F1SW1(config-if)#switchport mode trunk F1SW1(config-if)#switchport trunk native vlan 6 F1SW1(config-if)#exit

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Step 3: Create and Name the VLANs

Create and name the following VLANs on F2SW1 only: VLAN 1, name = default VLAN 2, name = wireless VLAN 3, name = programmers VLAN 4, name = sales VLAN 5, name = server VLAN 6, name = mgmt&native F2SW1(config)#vlan 2 F2SW1(config-vlan)#name wireless F2SW1(config-vlan)#vlan 3 F2SW1(config-vlan)#name programmers F2SW1(config-vlan)#vlan 4 F2SW1(config-vlan)#name sales F2SW1(config-vlan)#vlan 5 F2SW1(config-vlan)#name server F2SW1(config-vlan)#vlan 6 F2SW1(config-vlan)#name mgmt&native

Step 4: Verify VLAN Configuration

After creating the VLANs, return to privileged EXEC and issue the show vlan brief command to verify the creation of the new VLANs. F2SW1#show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- -----------------1 default active Fa0/1, Fa0/2, Fa0/3
Fa0/4, Fa0/5, Fa0/6 Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18 Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24

2 wireless 3 programmers 4 sales 5 server 6 mgmt&native 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default F2SW1#

active active active active active active active active active

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Step 5: Verify VLANs were sent to F1SW1

The newly created VLANs in F2SW1 should now be propagated to F1SW1. Issue the show vlan brief command in privileged EXEC mode to verify the VLAN information in F1SW1. F1SW1#show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- -----------------1 default active Fa0/1, Fa0/2, Fa0/3
Fa0/4, Fa0/5, Fa0/6 Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18 Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24

2 wireless 3 programmers 4 sales 5 server 6 mgmt&native 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default F1SW1#

active active active active active active active active active

Step 6: Assign Ports to VLANs and verify port assignments

Assign ports of F2SW1 to VLANs. Assign Fa0/2 to mgmt&native VLAN, Fa0/3 to sales VLAN, Fa0/4 to voice VLAN, and Fa0/22 and Fa0/23 to server VLAN. The range command greatly reduces the amount of repetitive commands you must enter when configuring the same commands on multiple ports. F2SW1(config)#int fa0/2 F2SW1(config-if)#switchport mode access F2SW1(config-if)#switchport access vlan 6 F2SW1(config-if)#exit F2SW1(config)#int fa0/3 F2SW1(config-if)#switchport mode access F2SW1(config-if)#switchport access vlan 4 F2SW1(config-if)#exit F2SW1(config)#int fa0/4 F2SW1(config-if)#switchport mode access F2SW1(config-if)#switchport voice vlan 1 F2SW1(config-if)#exit F2SW1(config)#int range fa0/22-23 F2SW1(config-if-range)#switchport mode access

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

F2SW1(config-if-range)#switchport access vlan 5 F2SW1(config-if-range)#exit Assign ports of F1SW1 to VLANs. Assign Fa0/1 to sales VLAN, Fa0/2 and Fa0/3 to programmers VLAN, Fa0/4 to voice VLAN, and Fa0/23 to wireless VLAN. F1SW1(config)#int fa0/1 F1SW1(config-if)#switchport mode access F1SW1(config-if)#switchport access vlan 4 F1SW1(config-if)#exit F1SW1(config)#int range fa0/2-3 F1SW1(config-if-range)#switchport mode access F1SW1(config-if-range)#switchport access vlan 3 F1SW1(config-if-range)#exit F1SW1(config)#int fa0/4 F1SW1(config-if)#switchport mode access F1SW1(config-if)#switchport voice vlan 1 F1SW1(config-if)#exit F1SW1(config)#int range fa0/23 F1SW1(config-if-range)#switchport mode access F1SW1(config-if-range)#switchport access vlan 2 F1SW1(config-if-range)#exit After port assignments, return to privileged EXEC and issue the show vlan brief command to check the new port assignments.

Step 7: Assign IP address to Hosts and test Intra-VLAN communication

Assign IP address to TFTP Server, GameWheel Web Server, Mgmt 1, Sales PC1, Sales PC2, and Programmer PC1 and Programmer PC2. At this point you should be able to reach the hosts of the same VLAN. But you wont be able to reach hosts of other VLAN. In order for you to reach hosts of different VLANs, you now need to configure Inter-VLAN routing. Try to ping Sales PC1 (172.16.20.2) to Sales PC2 (172.16.20.3) and you should be successful. PC>ping 172.16.20.3 Pinging 172.16.20.3 with 32 bytes of data: Reply Reply Reply Reply from from from from 172.16.20.3: 172.16.20.3: 172.16.20.3: 172.16.20.3: bytes=32 bytes=32 bytes=32 bytes=32 time=109ms TTL=128 time=63ms TTL=128 time=78ms TTL=128 time=78ms TTL=128

Ping statistics for 172.16.20.3:

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 63ms, Maximum = 109ms, Average = 82ms Now try to ping Sales PC1 (172.16.20.2) to Programmer PC1 (172.16.19.2). It will not be successful.

Step 8: Configure Inter-VLAN Routing on router HQ

Using the addressing table, activate Fast Ethernet 0/1 on HQ and configure inter-VLAN routing. The subinterface number corresponds to the VLAN number. HQ(config)#int fa0/1 HQ(config-if)#no shutdown HQ(config-if)#exit HQ(config)#int fa0/1.1 HQ(config-subif)#encapsulation dot1q 1 HQ(config-subif)#ip address 172.16.17.1 HQ(config-subif)#exit HQ(config)#int fa0/1.2 HQ(config-subif)#encapsulation dot1q 2 HQ(config-subif)# ip address 172.16.18.1 HQ(config-subif)#exit HQ(config)#int fa0/1.3 HQ(config-subif)#encapsulation dot1q 3 HQ(config-subif)# ip address 172.16.19.1 HQ(config-subif)#exit HQ(config)#int fa0/1.4 HQ(config-subif)#encapsulation dot1q 4 HQ(config-subif)# ip address 172.16.20.1 HQ(config-subif)#exit HQ(config)#int fa0/1.6 HQ(config-subif)#encapsulation dot1q 5 HQ(config-subif)# ip address 172.16.21.1 HQ(config-subif)#exit HQ(config)#int fa0/1.6 HQ(config-subif)#encapsulation dot1q 6 HQ(config-subif)# ip address 172.16.22.1 HQ(config-subif)#exit

255.255.255.0

255.255.255.192

255.255.255.224

255.255.255.0

255.255.255.0

255.255.255.240

At this point you should be able to reach the hosts of different VLANs. Try to ping Sales PC1 (172.16.20.2) to Programmer PC1 (172.16.19.2). It will now be successful.

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Task 2: Configure DHCP on router HQ (3 minutes)

Configure DHCP for wireless and voice VLAN.
HQ(config)#ip dhcp pool wireless HQ(dhcp-config)# network 172.16.18.0 255.255.255.192 HQ(dhcp-config)# default-router 172.16.18.1 HQ(dhcp-config)#exit HQ(config)#ip dhcp pool voice HQ(dhcp-config)# network 172.16.17.0 255.255.255.0 HQ(dhcp-config)# default-router 172.16.17.1 HQ(dhcp-config)#exit

Wireless PCs and IP Phones should now get IP address from respective DHCP pool.

Task 3: Configure full mesh Frame Relay (8 minutes)

Step 1: Configure and activate the Serial 0/0/0 interface on HQ Configure the interface with the following information: IP Address Frame Relay encapsulation Mappings to BR1 and BR2
HQ(config)#int Se0/0/0 HQ(config-if)#encapsulation frame-relay HQ(config-if)#no shutdown HQ(config-if)#exit HQ(config)#int Se0/0/0.1 point-to-point HQ(config-subif)# description HQ -> BR1 HQ(config-subif)# ip address 10.0.1.1 255.255.255.252 HQ(config-subif)# frame-relay interface-dlci 102 HQ(config-subif)#exit HQ(config)#int Se0/0/0.2 point-to-point HQ(config-subif)# description HQ -> BR2 HQ(config-subif)# ip address 10.0.1.5 255.255.255.252 HQ(config-subif)# frame-relay interface-dlci 103 HQ(config-subif)#exit Return to privileged EXEC and issue the command show frame-relay map command to verify the mapping.

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Step 2: Configure and activate the Serial 0/0/0 interface on BR1 Configure the interface with the following information: IP Address Frame Relay encapsulation Mappings to HQ and BR2
BR1(config)#int Se0/0/0 BR1(config-if)#encapsulation frame-relay BR1(config-if)#no shutdown BR1(config-if)#exit BR1(config)#int Se0/0/0.1 point-to-point BR1(config-subif)# description BR1 -> HQ BR1(config-subif)# ip address 10.0.1.2 255.255.255.252 BR1(config-subif)# frame-relay interface-dlci 201 BR1(config-subif)#exit BR1(config)#int Se0/0/0.2 point-to-point BR1(config-subif)# description BR1 -> BR2 BR1(config-subif)# ip address 10.0.1.9 255.255.255.252 BR1(config-subif)# frame-relay interface-dlci 203 BR1(config-subif)#exit Return to privileged EXEC and issue the command show frame-relay map command to verify the mapping.

Step 3: Configure and activate the Serial 0/0/0 interface on BR2 Configure the interface with the following information: IP Address Frame Relay encapsulation Mappings to HQ and BR1
BR2(config)#int Se0/0/0 BR2(config-if)#encapsulation frame-relay BR2(config-if)#no shutdown BR2(config-if)#exit BR2(config)#int Se0/0/0.1 point-to-point BR2(config-subif)# description BR2 -> HQ BR2(config-subif)# ip address 10.0.1.6 255.255.255.252 BR2(config-subif)# frame-relay interface-dlci 301 BR2(config-subif)#exit BR2(config)#int Se0/0/0.2 point-to-point BR2(config-subif)# description BR2 -> BR1 BR2(config-subif)# ip address 10.0.1.10 255.255.255.252

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

BR2(config-subif)# frame-relay interface-dlci 302 BR2(config-subif)#exit Return to privileged EXEC and issue the command show frame-relay map command to verify the mapping.

Task 4: Configure OSPF (5 minutes)

Step 1: Configure OSPF on router HQ
HQ(config)#router ospf 1 HQ(config-router)# network 172.16.16.0 0.0.7.255 area 0 HQ(config-router)# network 10.0.1.0 0.0.0.3 area 0 HQ(config-router)# network 10.0.1.4 0.0.0.3 area 0 HQ(config-router)#exit

Step 2: Configure OSPF on router BR1

BR1(config)#router ospf 1 BR1(config-router)# network 172.16.32.0 0.0.7.255 area 0 BR1(config-router)# network 10.0.1.0 0.0.0.3 area 0 BR1(config-router)# network 10.0.1.8 0.0.0.3 area 0 BR1(config-router)#exit

Step 3: Configure OSPF on router BR2

BR2(config)#router ospf 1 BR2(config-router)# network 172.16.64.0 0.0.7.255 area 0 BR2(config-router)# network 10.0.1.4 0.0.0.3 area 0 BR2(config-router)# network 10.0.1.8 0.0.0.3 area 0 BR2(config-router)#exit

Step 4: Verify OSPF Configuration and examine routing table

Return to privileged EXEC and issue the following commands to verify OSPF configuration. show run show ip ospf neighbor show ip route

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Task 5: Configure EIGRP (5 minutes)

Step 1: Activate Serial Interface and Configure EIGRP on router BR2
BR2(config)#int Se0/0/1 BR2(config-if)#ip address 192.168.1.2 255.255.255.252 BR2(config-if)#clock rate 64000 BR2(config-if)#no shutdown BR2(config-if)#exit BR2(config)#router eigrp 100 BR2(config-router)# network 192.168.1.0 BR2(config-router)# no auto-summary BR2(config-router)#exit

Step 2: Activate Serial Interface and Configure EIGRP on router BR3

BR3(config)#int Se0/0/1 BR3(config-if)#ip address 192.168.1.1 255.255.255.252 BR3(config-if)#no shutdown BR3(config-if)#exit BR3(config)#router eigrp 100 BR3(config-router)# network 192.168.1.0 BR3(config-router)# network 192.168.2.0 BR3(config-router)# no auto-summary BR3(config-router)#exit

Step 4: Verify EIGRP Configuration on router BR2 and BR3 and examine routing table
Return to privileged EXEC and issue the following commands to verify EIGRP configuration. show show show show run ip eigrp neighbors ip eigrp topology ip route

At this point you should not be able to see OSPF routes in BR3. You need to do mutual redistribution in BR2.

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Task 6: Configure Mutual Redistribution (3 minutes)

Step 1: Configure mutual redistribution in router BR2
BR2(config)#router eigrp 100 BR2(config-router)# redistribute ospf 1 metric 64000 10 10 10 10 BR2(config-router)#exit BR2(config)#router ospf 1 BR2(config-router)# redistribute eigrp 100 subnets BR2(config-router)#exit

Step 2: Examine routing table changes.

Return to privileged EXEC and issue show ip route command and examine changes in the routing table. You should now be able to see all the OSPF routes in router BR3 and EIGRP routes in HQ and BR1 as well.

Task 7: Configure PPP (3 minutes)

Configure PPP (CHAP) in the Serial link between BR2 and BR3. Use cisco as the password.

Step 1: Configure router BR2

BR2(config)# username BR3 password 0 cisco BR2(config)# int s0/0/1 BR2(config-if)# encapsulation ppp BR2(config-if)# ppp authentication chap BR2(config-if)# ppp pap sent-username BR2 password 0 cisco

Step 2: Configure router BR3

BR3(config)# username BR2 password 0 cisco BR3(config)# int s0/0/1 BR3(config-if)# encapsulation ppp BR3(config-if)# ppp authentication chap BR3(config-if)# ppp pap sent-username BR3 password 0 cisco

Task 8: Configure Static and Default Route (5 minutes)

Step 1: Assign IP address to Fa0/0 and activate the interface on router HQ
HQ(config)#int fa0/0 HQ(config-if)#ip add 200.2.2.18 255.255.255.252 HQ(config-if)#no shutdown

10

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

Step 2: Configure Default Route to ISP on router HQ

HQ(config)# ip route 0.0.0.0 0.0.0.0 200.2.2.17

Step 3: Redistribute Default Route

HQ(config)# route ospf 1 HQ(config-router)# redistribute static subnets HQ(config-router)# default-information originate HQ(config-router)# exit

Step 4: Assign IP address to Fa0/0 and activate the interface on router ISP
ISP(config)#int fa0/0 ISP(config-if)#ip add 200.2.2.17 255.255.255.252 ISP(config-if)#no shutdown

Step 5: Configure Static Route to HQ on router ISP

ISP(config)# ip route 199.99.9.32 255.255.255.224 200.2.2.18

Task 9: Configure Static and Dynamic NAT on router HQ (7 minutes)

Step 1: Define the pool of usable public IP addresses
HQ(config)# ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224

Step 2: Define an access list named SRC that will match the inside private IP addresses
HQ(config)# ip access-list standard SRC HQ(config-std-nacl)# permit 172.16.16.0 HQ(config-std-nacl)# permit 172.16.32.0 HQ(config-std-nacl)# permit 172.16.64.0 HQ(config-std-nacl)# permit 192.168.2.0 0.0.7.255 0.0.7.255 0.0.7.255 0.0.0.255

Step 3: Define the NAT translation from inside list to outside pool
HQ(config)# ip nat inside source list SRC pool public_access

Step 4: Specify the interfaces

The active interfaces on the router need to be identified as either inside or outside interfaces with respect to NAT. To do this, use the ip nat inside or ip nat outside command. HQ(config)#int fa0/0 HQ(config-if)#ip nat outside HQ(config-if)#int fa0/1.1 HQ(config-subif)#ip nat inside HQ(config-subif)#int fa0/1.2 HQ(config-subif)#ip nat inside

11

Prepared by: Md. Manirul Islam (manirul@aiub.edu)

HQ(config-subif)#int fa0/1.3 HQ(config-subif)#ip nat inside HQ(config-subif)#int fa0/1.4 HQ(config-subif)#ip nat inside HQ(config-subif)#int fa0/1.5 HQ(config-subif)#ip nat inside HQ(config-subif)#int fa0/1.6 HQ(config-subif)#ip nat inside HQ(config-subif)#int S0/0/0.1 HQ(config-subif)#ip nat inside HQ(config-subif)#int S0/0/0.2 HQ(config-subif)#ip nat inside

Step 5: Configure Static Mapping on router HQ for GameWheel Web Server

HQ(config)# ip nat inside source static 172.16.21.3 199.99.9.33

Task 10: Configure ACL on router ISP to restrict private IP address block (3 minutes)
Step 1: Define an access list named RST that will match the private IP address block
ISP(config)# ip access-list standard RST HQ(config-std-nacl)# deny 10.0.0.0 0.255.255.255 HQ(config-std-nacl)# deny 172.16.0.0 0.15.255.255 HQ(config-std-nacl)# deny 192.168.0.0 0.0.255.255 HQ(config-std-nacl)# permit any

Step 2: Apply ACL

ISP(config)# int fa0/0 ISP(config-if)#ip access-group RST in

Task 11: Test and Verify (3 minutes)

Assign IP Address to Fa0/1 on router ISP and assign IP address to Public Web Server ISP(config)# int fa0/1 ISP(config-if)#ip address 100.1.1.1 255.255.255.224 ISP(config-if)#no shut Now do the following test: Ping/browse GameWheel Web Server (199.99.9.33) from Public Web Server (100.1.1.10). Ping/browse Public Web Server (100.1.1.10) from any host PC in HQ. Ping/browse Public Web Server (100.1.1.10) from host PC in BR3. Copy router HQ running-configuration into TFTP server. All the tests should now be successful.

12

Prepared by: Md. Manirul Islam (manirul@aiub.edu)