The following are the tasks you are required to complete in this part of the Self-Study Lab:
- Connecting the network
- Port, EtherChannel, and Trunking configuration
- Inter-VLAN routing configuration
- Management and security configuration
- Quality of Service configuration
A detailed solution to this part of the Self-Study Lab is in Appendix A.
Connecting the Network
Connect the network as shown in Figure 11-1. All Fast Ethernet connections between switches require crossover UTP cables. For the two gigabit Ethernet connections between Switch-A and Switch-B, multi-mode fiber is required with SC connectors.
Configure each switch with the appropriate host name and configure a Telnet/enable password of "cisco."
Port, EtherChannel, and Trunking Configuration
On all switches, configure all Fast Ethernet ports that connect to other switches for 100-Mbps full-duplex operation. On gigabit Ethernet ports, configure speed and duplex according to Cisco's recommendations.
Configure the two physical links that attach Switch-A and Switch-B so that they appear as a single Layer 2 connection. Ensure the configuration meets the following requirements:
- A single physical link failure must not affect the spanning-tree topology.
- Traffic should be distributed across the links based upon IP source and destination addressing.
- Configure the links so that they are optimized for frames exchanged between two network-attached storage (NAS) devices.
- If receive buffers on either switch become full, configure both switches to send 802.3Z pause frames to temporarily stop the sending of frames.
Configure the two physical links that attach Switch-C and Switch-D so that they appear as a single Layer 2 connection. Ensure the configuration meets the following requirement:
Configure trunks for all Inter-Switch Links (ISLs) in the network as follows:
Trunks between the core switches (Switch-A and Switch-B) must tag all frames with an appropriate VLAN ID. Configure Dynamic Trunking Protocol (DTP) so that the trunk always comes up.
All other trunks should be configured with a standards-based trunking protocol and should always try to actively negotiate trunking where possible.
Configure VLAN Trunking Protocol (VTP) parameters as follows:
- Switch-A, Switch-B, and Switch-F should belong to a VTP domain called "ciscolab."
- All other switches must be configured to belong to a VTP domain called "ccnp."
- Switch-D should ignore VTP messages, but must propagate them to other switches.
- All VTP communications must be secured.
- Broadcast and multicast traffic within each VLAN should be propagated only to switches that connect active hosts on the VLAN.
- Switch-A and Switch-C can write only to the VLAN database. All other switches must be able to read only the VLAN database.
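One way to meet the EtherChannel, trunking and VTP requirements above on the access and distribution side, as an added example rather than the lab's Appendix A solution: it assumes Switch-C, Switch-D and Switch-E run Cisco IOS, that the Switch-C to Switch-D links are Fa0/1 and Fa0/2, and that "ccnp-vtp" is the (assumed) VTP password.

```cisco
! Added example, not the lab's Appendix A solution. Assumes Switch-C, Switch-D and Switch-E
! run Cisco IOS; the Switch-C to Switch-D links are taken to be Fa0/1 and Fa0/2 (assumed),
! and "ccnp-vtp" is an assumed VTP password.
!
! --- Switch-C: VTP server for domain "ccnp" (the only writer in this domain) ---
hostname Switch-C
vtp domain ccnp
vtp mode server
vtp password ccnp-vtp
! Advertisements now carry an MD5 digest keyed with the password, so a switch that does
! not know it cannot inject a higher-revision VLAN database into the domain.
vtp pruning
! EtherChannel to Switch-D: one logical link for spanning tree, 802.1Q trunk with DTP
! actively negotiating, VLAN 10 untagged, flows spread by IP source/destination pair
interface range FastEthernet0/1 - 2
 speed 100
 duplex full
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode dynamic desirable
 channel-group 1 mode desirable
port-channel load-balance src-dst-ip
!
! --- Switch-D: transparent mode ignores VTP updates but relays them across its trunks ---
hostname Switch-D
vtp domain ccnp
vtp mode transparent
vtp password ccnp-vtp
! (same interface range and channel-group 1 configuration on the Switch-D side)
!
! --- Switch-E: client, holds a read-only copy of the VLAN database ---
hostname Switch-E
vtp domain ccnp
vtp mode client
vtp password ccnp-vtp
```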
Create the following VLANs, each with the name indicated in parentheses:
- VLAN 10 (management)
- VLAN 100 (servers100)
- VLAN 101 (servers101)
- VLAN 200 (users200)
- VLAN 201 (users201)
- VLAN 202 (phones)
On Switch-A and Switch-B, configure the following VLAN memberships for each interface:
- VLAN 100 Ports 2/3 to 2/24
- VLAN 101 Ports 2/25 to 2/47
On Switch-E, configure the following VLAN memberships for each interface:
- VLAN 200 Fa0/3 to Fa0/12
- VLAN 201 Fa0/13 to Fa0/24
On Switch-F, configure the following VLAN memberships for each interface:
On all switches, configure all 802.1Q trunks so that any traffic sent on VLAN 10 is not tagged.
Configure spanning tree so that Switch-A is the root bridge for all even VLANs and Switch-B is the root bridge for all odd VLANs. Switch-A should be configured as the secondary root bridge for all odd VLANs, and Switch-B should be configured as the secondary root bridge for all even VLANs. Configure spanning-tree timers so that the convergence time of the topology is optimal, without placing any additional CPU load on each switch.
Configure the network so that all traffic within even VLANs follows the most optimal path towards the root bridge for even VLANs (Switch-A). Ensure that all traffic within odd VLANs follows the most optimal path towards the root bridge for odd VLANs (Switch-B).
Ensure that all workstation ports attached to VLAN 201 on Switch-E and Switch-F provide network connectivity within a few seconds after being activated. Configure Switch-E and Switch-F so that BPDUs are not sent out these ports by default.
Configure the network so that Switch-E and Switch-F can recover from direct link failures to Switch-C or Switch-D within 3 seconds. Assume that the MAC address tables of Switch-E and Switch-F hold 600 local MAC addresses.
Devices in VLAN 100 and VLAN 101 are attached only to the core switches (Switch-A and Switch-B). Ensure that no spanning-tree instance runs for these VLANs on Switch-C, Switch-D, Switch-E, and Switch-F. You cannot explicitly disable spanning tree on any VLAN for this task.
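The three access-layer spanning-tree requirements above (fast workstation ports without BPDUs, 3-second uplink recovery for 600 MAC addresses, and no instances for VLANs 100 and 101) on Switch-E, as an added example that is not the Appendix A solution; it assumes Switch-E runs Cisco IOS on a Catalyst 3550 with uplinks Fa0/1 (to Switch-C) and Fa0/2 (to Switch-D).

```cisco
! Added example, not the Appendix A solution. Assumes Switch-E runs Cisco IOS (Catalyst 3550)
! with uplinks Fa0/1 to Switch-C and Fa0/2 to Switch-D (port numbers assumed).
hostname Switch-E
!
! VLAN 201 workstation ports skip listening/learning and, with the global bpdufilter
! default, send no BPDUs. A BPDU received on such a port removes its PortFast status
! and its filtering, so a switch plugged into a user port is still detected.
spanning-tree portfast bpdufilter default
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 201
 spanning-tree portfast
!
! UplinkFast: on a direct uplink failure the blocked uplink becomes root port at once,
! and the switch floods dummy multicast frames for each locally learned MAC so upstream
! tables relearn them. 600 addresses within 3 seconds needs 200 frames per second
! (the default rate is 150).
spanning-tree uplinkfast max-update-rate 200
!
! VLANs 100 and 101 exist in the VTP database, but the switch runs a spanning-tree
! instance only for VLANs with an active port; dropping them from both uplink trunks
! removes the instances without disabling spanning tree on those VLANs.
interface range FastEthernet0/1 - 2
 switchport trunk allowed vlan remove 100,101
```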
Inter-VLAN Routing Configuration
Configure the connection to Router-A as an 802.1Q trunk, ensuring that Switch-A is configured with the appropriate DTP mode of operation that is compatible with Router-A.
Configure Router-A for inter-VLAN routing. Router-A should use an IP address of 192.168.x.1 on each VLAN, where x represents the VLAN ID. For example, on VLAN 10, Router-A should be configured with an IP address of 192.168.10.1. Also, configure an interface that represents a restricted network attached to Router-A (see Figure 11-1).
Configure all switches in the network with the management IP addressing as indicated in Figure 11-1. Ensure that all switches can ping any device in the network.
Management and Security Configuration
Configure Simple Network Management Protocol (SNMP) on all switches. Configure a read-only string of "cisco" and enable traps for all events to be sent to an SNMP host at 192.168.100.50.
Restrict Telnet access on all switches to only hosts that reside in VLAN 100. Also, restrict SNMP access to the SNMP host at 192.168.100.50.
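The SNMP and Telnet restrictions above on one switch, as an added example that is not the Appendix A solution; it assumes Switch-E runs Cisco IOS and that VLAN 100 uses 192.168.100.0/24, following the 192.168.<VLAN ID>.1 scheme given for Router-A (the management addressing of Figure 11-1 is not reproduced here).

```cisco
! Added example, not the Appendix A solution. Shown for Switch-E, assumed to run Cisco IOS.
! The VLAN 100 subnet 192.168.100.0/24 is assumed from Router-A's 192.168.<vlan>.1 scheme
! (the management addressing in Figure 11-1 is not reproduced here).
hostname Switch-E
!
! SNMP: read-only community "cisco", answered only for the management host
access-list 20 remark SNMP manager
access-list 20 permit host 192.168.100.50
snmp-server community cisco RO 20
snmp-server host 192.168.100.50 cisco
snmp-server enable traps
!
! Telnet: the vty lines accept sessions from VLAN 100 addresses only
access-list 21 remark VLAN 100 management subnet
access-list 21 permit 192.168.100.0 0.0.0.255
line vty 0 15
 access-class 21 in
 password cisco
 login
```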
A Network Time Protocol (NTP) server is available on the network. Configure all switches so that each has similar clock settings as follows:
To ensure the security of the IP phones in VLAN 202, configure the network so that only the communications required to support the IP phones are permitted. All other traffic must be discarded and you must ensure that unauthorized traffic is discarded as soon as possible. The following lists the protocols that must be permitted from the perspective of communications originating from the IP phones:
- Skinny Call Control Protocol (SCCP): TCP traffic sent to a destination port of 2000 on Cisco CallManager
- Voice traffic: User Datagram Protocol (UDP) traffic with source and destination ports in the range of 16384 to 32767
- HTTP traffic: TCP traffic sent to a destination port of 80
- Trivial File Transfer Protocol (TFTP) traffic: UDP traffic sent to a destination port of 69
- Dynamic Host Configuration Protocol (DHCP) traffic: UDP traffic using a source port of 67 and a destination port of 68
- Internet Control Message Protocol (ICMP) traffic (for diagnostic purposes): ICMP echo and echo replies
Configure Switch-E to permit access only to a PC with a MAC address of 0010.0010.0010 on interface Fa0/24. No other devices should be permitted access to the interface. If another device attempts to use the interface, the interface should be shut down immediately.
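The IP phone filter and the Fa0/24 port-security task above on Switch-E, as an added example that is not the Appendix A solution. It assumes Switch-E runs Cisco IOS on a Catalyst 3550 and that VLAN 202 is 192.168.202.0/24 (from Router-A's 192.168.<VLAN ID>.1 scheme); because a VLAN map inspects both directions inside the VLAN, the reply-direction entries and the phones' own DHCP requests are added as an assumption beyond the listed phone-originated protocols.

```cisco
! Added example, not the Appendix A solution. Assumes Switch-E runs Cisco IOS (Catalyst 3550)
! and that VLAN 202 is 192.168.202.0/24, following Router-A's 192.168.<vlan>.1 scheme.
hostname Switch-E
!
ip access-list extended PHONE-TRAFFIC
 remark -- phone-originated traffic, as listed in the task --
 permit tcp 192.168.202.0 0.0.0.255 any eq 2000
 permit udp 192.168.202.0 0.0.0.255 range 16384 32767 any range 16384 32767
 permit tcp 192.168.202.0 0.0.0.255 any eq www
 permit udp 192.168.202.0 0.0.0.255 any eq tftp
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 remark -- a VLAN map inspects both directions, so replies (and the phones' own DHCP
 remark -- requests) must pass as well; these entries are an assumption --
 permit udp any eq bootpc any eq bootps
 permit tcp any eq 2000 192.168.202.0 0.0.0.255
 permit tcp any eq www 192.168.202.0 0.0.0.255
 remark -- TFTP data comes back from the server's ephemeral port --
 permit udp any gt 1023 192.168.202.0 0.0.0.255 gt 1023
!
! Filter at the ingress switch: IP packets matching no entry are dropped by the map's
! per-type default, while non-IP frames (ARP, CDP) have no MAC clause and still forward.
vlan access-map PHONE-VACL 10
 match ip address PHONE-TRAFFIC
 action forward
vlan filter PHONE-VACL vlan-list 202
!
! Fa0/24: exactly one permitted station; any other MAC err-disables the port at once
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 201
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0010.0010.0010
 switchport port-security violation shutdown
```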
Configure the core of the network (Switch-A and Switch-B) to permit communications only between VLANs within the local switching infrastructure, ensuring local devices cannot communicate with the protected network (10.0.0.0/8). Configure these requirements using the least amount of configuration possible.
Quality of Service Configuration
Ensure that all traffic generated by all end devices attached to Switch-E is classified as follows upon entry to the network:
- All voice traffic should be marked with a Differentiated Services Code Point (DSCP) of 46. Voice control traffic (SCCP) should be marked with a DSCP value of 26.
- All SQL server traffic (TCP traffic sent to a destination port of 1433) should be marked with a DSCP of 24.
- All other traffic is marked with a DSCP of 8.
Configure Switch-E so that IP phones connected to interfaces Fa0/3 to Fa0/12 transmit voice in VLAN 202 and data from any attached PCs in VLAN 200. Also ensure that any data received from PCs connected to an IP phone has a class of service (CoS) of 3.
Web servers are attached to Switch-A and Switch-B. On the client side of HTTP connections, limit HTTP traffic to 1 Mbps per device (devices connected to Switch-E are considered client side). On the server side, limit HTTP traffic to 1 Mbps per connection (devices connected to Switch-A and Switch-B are considered server side).
Configure the network so that the quality of service (QoS) policy configured at the edge is honored throughout the network. Ensure that all voice packets marked with a DSCP of 46 are placed into a priority queue for transmission where possible (assume that the Ethernet modules on Switch-A are WS-X6148-RJ45 with a transmit port type of 2q2t). Trust the IP precedence of traffic received from Router-A.
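The edge classification, the client-side HTTP limit and the phone-port VLAN assignment above on Switch-E, as an added example that is not the Appendix A solution; it assumes Switch-E runs Cisco IOS on a Catalyst 3550 and uses an assumed 8000-byte policer burst. The core-side per-connection limit and the 2q2t priority queue on Switch-A are outside this block.

```cisco
! Added example, not the Appendix A solution. Assumes Switch-E runs Cisco IOS (Catalyst 3550);
! the 8000-byte policer burst is an assumed value.
mls qos
! One ACL per class: the 3550 allows a single match statement per class map
ip access-list extended ACL-VOICE
 permit udp any range 16384 32767 any range 16384 32767
ip access-list extended ACL-SCCP
 permit tcp any any eq 2000
ip access-list extended ACL-SQL
 permit tcp any any eq 1433
ip access-list extended ACL-HTTP
 permit tcp any any eq www
ip access-list extended ACL-ANY
 permit ip any any
class-map match-all VOICE
 match access-group name ACL-VOICE
class-map match-all SCCP
 match access-group name ACL-SCCP
class-map match-all SQL
 match access-group name ACL-SQL
class-map match-all HTTP
 match access-group name ACL-HTTP
class-map match-all OTHER
 match access-group name ACL-ANY
! Classes are tried in order; the 3550 ignores actions under class-default, so an explicit
! catch-all class does the DSCP 8 marking. Policing the HTTP class on each access port
! gives the 1 Mbps per-device limit on the client side.
policy-map EDGE-IN
 class VOICE
  set ip dscp 46
 class SCCP
  set ip dscp 26
 class SQL
  set ip dscp 24
 class HTTP
  set ip dscp 8
  police 1000000 8000 exceed-action drop
 class OTHER
  set ip dscp 8
! Phone ports: voice in VLAN 202, PC data in VLAN 200, PC frames re-marked to CoS 3
interface range FastEthernet0/3 - 12
 switchport mode access
 switchport access vlan 200
 switchport voice vlan 202
 switchport priority extend cos 3
 service-policy input EDGE-IN
interface range FastEthernet0/13 - 24
 service-policy input EDGE-IN
```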