This document outlines the configuration steps for a network that includes multiple switches and routers divided into different blocks. The key steps are:
1. Configure switches and routers with hostnames, passwords, trunking, VTP, VLANs, SVIs, OSPF, RIP, NAT, DHCP, NTP, CDP, port security and access lists according to diagrams.
2. Set up VTP servers, clients and transparent switches to propagate VLANs. Configure OSPF and RIP routing.
3. Configure NAT on routers to translate source IPs, and DHCP for address assignment. Set up NTP to synchronize time.
4. Develop a testing plan to verify connectivity and functionality across
3. West Office Switch Block
1. Configure each switch with the following:
hostname
Console password: “ccna2”
Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking
should be in dynamic desirable mode.
On all trunks, configure the native vlan to be the management vlan.
Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the vtp mode as depicted in the diagram.
On the vtp server switch, configure vtp version 2.
On the vtp server switch, configure the vtp domain name “ccna2.org”.
4. Protect all switches with vtp password “ccna2”.
5. Configure the three vlans 63, 87 and 99 on the vtp server. Do not assign any port yet. Check whether
the vlans propagated to the vtp client switches. What about the vtp transparent switch?
You might need to manually configure the vlans 63, 87 and 99 on the vtp transparent switch.
Configure the vtp transparent switch with vtp version 2
Configure the vtp transparent switch with vtp domain “ccna2.org”
6. Populate vlans on each switch with ports as shown in the diagram.
Check vlans and vlan port membership on all switches.
7. Configure the SVI for vlan 99 on all switches as follows:
Switch   SVI   IP Address and Subnet Mask
SW1      99    172.16.99.1 255.255.255.0
SW2      99    172.16.99.2 255.255.255.0
SW3      99    172.16.99.3 255.255.255.0
SW4      99    172.16.99.4 255.255.255.0
8. From any switch, you should be able to telnet and access any other switch in this block. Once you
access a switch remotely, check the following:
Ping to the other switches using the management SVI IP address
Display configured Vlans
Display Vtp status
Check established Trunk links
4. East Office Switch Block
1. Configure each switch with the following:
hostname as depicted in the diagram
Console password: “ccna2”
Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking
should be in dynamic desirable mode.
On all trunks, configure the native vlan to be the management vlan.
Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the vtp mode as depicted in the diagram.
On the vtp server switch, configure vtp version 2.
On the vtp server switch, configure the vtp domain name “ccna2.org”.
4. Protect all switches with vtp password “ccna2”.
5. Configure the three vlans 21, 34 and 88 on the vtp server. Do not assign any port yet. Check whether
the vlans propagated to the vtp client switches. What about the vtp transparent switch?
You might need to manually configure the vlans 21, 34 and 88 on the vtp transparent switch.
Configure the vtp transparent switch with vtp version 2
Configure the vtp transparent switch with vtp domain “ccna2.org”
6. Populate vlans on each switch with ports as shown in the diagram.
Check vlans and vlan port membership on all switches.
7. Configure the SVI for vlan 88 on all switches as follows:
Switch   SVI   IP Address and Subnet Mask
SW5      88    172.16.88.5 255.255.255.0
SW6      88    172.16.88.6 255.255.255.0
SW7      88    172.16.88.7 255.255.255.0
SW8      88    172.16.88.8 255.255.255.0
8. From any switch, you should be able to telnet and access any other switch in this block. Once you
access a switch remotely, check the following:
Ping to the other switches using the management SVI IP address
Display configured Vlans
Display Vtp status
Check established Trunk links
5. Data Center Switch Block
1. Configure each switch with the following:
hostname as depicted in the diagram
Console password: “ccna2”
Vty password: “ccna2” (only Telnet should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this switch is prohibited”
2. Configure all trunk links between switches using the IEEE 802.1Q trunking protocol. The trunking
should be in dynamic desirable mode.
On all trunks, configure the native vlan to be the management vlan.
Check trunking between all switches and make sure trunking is ON.
3. Configure each switch with the vtp mode as depicted in the diagram.
On one vtp server switch only, configure vtp version 2.
On one vtp server switch only, configure the vtp domain name “ccna2.org”.
4. Protect all switches with vtp password “ccna2”.
5. Configure the three vlans 11, 55 and 77 on the vtp server (SW11). Do not assign any port yet. Check
whether the vlans propagated to the other vtp server and vtp client switches.
6. Populate vlans on the vtp client switches only with ports as shown in the diagram.
Check vlans and vlan port membership on the vtp client switches.
7. Configure the SVI for vlan 77 on all switches as follows:
Switch   SVI   IP Address and Subnet Mask
SW9      77    172.16.77.9 255.255.255.0
SW10     77    172.16.77.10 255.255.255.0
SW11     77    172.16.77.11 255.255.255.0
SW12     77    172.16.77.12 255.255.255.0
8. From any switch, you should be able to telnet and access any other switch in this block. Once you
access a switch remotely, check the following:
Ping to the other switches using the management SVI IP address
Display configured Vlans
Display Vtp status
Check established Trunk links
6. Configuring OSPF Domain
[Diagram labels: Area 0 and Area 100; interfaces Fa0/0, Fa0/1, S0/0/0, S0/0/1, Fa0/0.21, Fa0/0.34]
1. Configure routers in the OSPF domain R1, R2, R3, R4, R5 and R6 with the following:
Hostname as depicted in the diagram
Console password: “ccna2”
Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this router is prohibited”
IP domain name: “ccna2.com”
SSH Server version 2 with 1024 bits of key length
Local account database with the following account: username cisco password ccna2
2. Configure the Fast Ethernet 0/21 ports of both switches SW7 and SW8 as trunk ports with no
trunking negotiation.
3. Configure sub-interfaces for Fast Ethernet interface 0/0 of routers R2 and R3 using the IP addresses
as depicted in the diagram and with the IEEE 802.1Q encapsulation for routing between the vlans 21
and 34.
4. Configure the OSPF routing protocol following the table below:
[Table: OSPF settings per device (R1, R2, R3, R4, R5, R6, R7); surviving interface entries: S0/0/0, S0/0/1]
5. Configure R4 as DR and R5 as BDR on the LAN segment 192.168.0.0/24
6. Configure R2 as DR and R3 as BDR on the LAN Segments 192.168.21.0/24 and 192.168.34.0/24
7. Configure the hello interval on Fa0/1 of R4 to be 5 seconds.
8. Disable all OSPF hello advertisements to LANs where no OSPF routers exist (West Office LANs).
9. On router R6, advertise a default route via OSPF to the OSPF domain. To achieve this, you should
first assign IP addresses to the interfaces on the two serial links s0/0/0 and s0/0/1 and then
configure two static default routes on R6 pointing to R8 serial interfaces. Only one static default
route must be advertised through OSPF. If that route goes down, the other static route should be
advertised to the OSPF Domain.
7. Configuring RIPv2
1. Configure router R8 with the following:
Hostname as depicted in the diagram
Console password: “ccna2”
Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this router is prohibited”
IP domain name: “ccna2.com”
SSH Server version 2 with 1024 bits of key length
Local account database with the following account: username cisco password ccna2
2. Configure the interfaces Fa0/0, Fa0/1, S0/0/0 and S0/0/1 with IP addresses as depicted in the
diagram.
3. Configure two default static routes on R8 to point to the serial interfaces on R6. The serial link
10.10.0.0/24 should be the main link and the other link 10.10.1.0/24 should be the backup link.
4. Configure the fast Ethernet 0/22 ports on both switches SW11 and SW12 as Layer-3 routed ports
and assign them IP addresses as depicted in the diagram.
5. Make sure the layer-3 switches are enabled for IP routing.
6. In both layer-3 switches, configure SVI for vlans 11 and 55 with IP addresses as depicted in the
diagram.
7. Configure RIPv2 and enable it on the following interfaces:
Device   Interface
R8       Fa0/0, Fa0/1
SW11     Fa0/22, SVI 11
SW12     Fa0/22, SVI 55
8. Advertise a default route via RIPv2 from router R8 to the RIPv2 domain.
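The primary and backup default routes on R6 and R8, and their advertisement into OSPF and RIPv2, shown as an added example that is not part of the original lab. Only the two serial subnets come from the text; the host addresses (.1 on R6, .2 on R8), OSPF process ID 1, the backup distance of 10 and R6 preferring the 10.10.0.0/24 link are assumptions.

```cisco
! --- R6: OSPF edge, default routes toward R8 (addresses assumed) ---
! Primary default over the 10.10.0.0/24 link, default distance 1.
ip route 0.0.0.0 0.0.0.0 10.10.0.2
! Floating static: distance 10 keeps this route out of the routing
! table until the primary default is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.10.1.2 10
!
! Without the "always" keyword, OSPF advertises the default only
! while R6 itself has a default route installed.
router ospf 1
 default-information originate
!
! --- R8: RIPv2 edge, default routes toward R6 (addresses assumed) ---
ip route 0.0.0.0 0.0.0.0 10.10.0.1
ip route 0.0.0.0 0.0.0.0 10.10.1.1 10
!
router rip
 version 2
 no auto-summary
 default-information originate
!
! --- Checks to run on either router ---
! show ip route static          (which default is installed)
! show ip route 0.0.0.0         (active next hop and distance)
! show ip protocols             (routing process settings)
! Repeat after shutting the primary serial interface to confirm
! the distance-10 route replaces it.
```

A floating static only takes over when the primary route leaves the routing table, which on a serial link happens when the interface goes down.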
8. Configuring NAT
1. Configure router ISP with the following:
Hostname as depicted in the diagram
Console password: “ccna2”
Vty password: “ccna2” (only SSH should be allowed through the vty lines 0 4)
Privileged password: “ccna2”
Message of the day banner: “Non-Authorized access to this router is prohibited”
IP domain name: “ccna2.com”
SSH Server version 2 with 1024 bits of key length
Local account database with the following account: username cisco password ccna2
2. Configure the serial interfaces S0/1/0 of routers R6 and R8 with assigned IP addresses, as depicted in
the diagram.
3. Configure router ISP with IP addresses assigned to S0/0/0 and S0/0/1 interfaces as shown in the
diagram.
4. All packets leaving R6 and R8 and destined to segment 196.15.60.0/24 should have their source IP
addresses translated into the IP address of the serial interfaces S0/1/0 of both routers. To achieve
this, you need to configure a specific static route on both routers R6 and R8 to segment
196.15.60.0/24 on ISP.
Configuring DHCP and DHCP Spoofing
1. Configure DHCP servers on the three (3) routers R1, R2 and R3 to provide IP addresses, Subnet
Masks, default gateways, and DNS IP addresses to hosts in vlans 21, 34, 63 and 87.
2. Configure DHCP snooping on all switches in both East and West blocks to avoid rogue DHCP servers.
This step needs to be configured on real switches since DHCP snooping is not supported on the
current version of Cisco Packet Tracer.
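A DHCP snooping configuration for one East block switch, shown as an added example that is not part of the original lab. Fa0/21 as the router-facing trunk on SW7 comes from the OSPF section; the inter-switch trunk Fa0/23, the host port range and the rate limit are assumptions.

```cisco
! SW7 (East block). R2 and R3 serve DHCP for vlans 21 and 34.
ip dhcp snooping
ip dhcp snooping vlan 21,34
! The IOS DHCP server rejects requests that carry option 82 with
! a zero giaddr, so the switch must not insert it when the server
! is an IOS router on the same segment.
no ip dhcp snooping information option
!
! Trusted: trunk toward the router, where legitimate server
! replies enter the switch block.
interface FastEthernet0/21
 ip dhcp snooping trust
!
! Trusted: inter-switch trunk (assumed port), so server replies
! can reach switches with no direct router link.
interface FastEthernet0/23
 ip dhcp snooping trust
!
! Host ports stay untrusted (the default): DHCP server messages
! received on them are dropped. The rate limit caps requests per
! second from a single port.
interface range FastEthernet0/1 - 20
 ip dhcp snooping limit rate 10
!
! Checks:
! show ip dhcp snooping
! show ip dhcp snooping binding
```

West block switches use the same pattern with vlans 63 and 87.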
Configuring NTP
1. Configure a loopback interface lo0: 172.31.0.1/24 on the router R4 and advertise it through OSPF in
area 0.
2. Set the clock on R4 to GMT time.
3. Configure the clock time zone on R4 and set it to +3
4. Configure R4 as the NTP server for the whole system and set the stratum to 4. This step can be
configured on real routers only and is not yet supported by Cisco Packet Tracer.
5. Configure all the other routers and switches with the clock time zone +3 and then as NTP clients to
synchronize their clocks with the R4 clock at 172.31.0.1.
Configuring CDP
1. For management purposes, configure CDP on routers only.
2. Disable CDP advertisements on all switches and toward those LANs with no routers.
9. Configuring Port Security
1. Configure Port Security on all layer-2 switches to be connected to end devices; SW1, SW2, SW3,
SW4, SW5, SW6, SW7, SW8, SW9 and SW10.
2. All switched ports should be configured as sticky ports allowing only one device to connect.
3. If there is a violation, the switch port should shut down automatically.
4. You can also shut down all unconnected switch ports.
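The port security steps above applied to one access switch, shown as an added example that is not part of the original lab. The port ranges are assumptions; take the real host and unused ports from the diagram.

```cisco
! SW1 (layer-2 access switch). Port ranges are assumed.
! Port security is rejected on dynamic (DTP) ports, so each host
! port is first forced to static access mode.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Unconnected ports: administratively down.
interface range FastEthernet0/22 - 24
 shutdown
!
! Checks:
! show port-security
! show port-security interface FastEthernet0/1
! show port-security address
! show interfaces status err-disabled
!
! Recovery: a port err-disabled by a violation stays down until
! it is bounced with "shutdown" followed by "no shutdown".
!
! Persistence: sticky MAC addresses are written to the running
! configuration only; save it or they are relearned after reload.
! copy running-config startup-config
```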
Configuring Access Lists
1. On R1, configure an access list such that all hosts in Vlans 63 and 21 are allowed to access all
servers in the Data Center block except the FTP Server. The access list should also prevent IP spoofing.
2. On R2 and R3, configure an access list such that all hosts in Vlans 87 and 34 are allowed to
access all servers in the Data Center block except the Web Server. The access list should also prevent
IP spoofing.
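One way to write the R2/R3 access list for a single vlan, shown as an added example that is not part of the original lab. It assumes vlan 34 uses 192.168.34.0/24 on sub-interface Fa0/0.34 (the segment named in the OSPF section); 192.0.2.80 is a documentation address standing in for the Web Server, whose real address is only on the diagram, and the ACL name is arbitrary.

```cisco
! R2 / R3, vlan 34. 192.0.2.80 is a stand-in for the Web Server.
ip access-list extended VLAN34-IN
 remark Clients have no address yet when they send DHCP DISCOVER
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark Block the Data Center Web Server for this vlan
 deny   ip 192.168.34.0 0.0.0.255 host 192.0.2.80
 remark Anti-spoofing: only sources inside the vlan subnet pass
 permit ip 192.168.34.0 0.0.0.255 any
 remark Any other source address cannot belong to this vlan
 deny   ip any any log
!
! Inbound on the vlan's gateway sub-interface, so spoofed sources
! are dropped before they are routed anywhere.
interface FastEthernet0/0.34
 ip access-group VLAN34-IN in
!
! OSPF hellos between R2 and R3 on this segment are sourced from
! inside 192.168.34.0/24 and match the permit entry, so the
! DR/BDR adjacency is not affected.
!
! Checks:
! show access-lists VLAN34-IN
! show ip interface FastEthernet0/0.34
```

Without the first permit entry, the anti-spoofing rule would also drop DHCP requests from hosts that have not yet received a lease from the router.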
Testing
Make sure you keep the default VLAN on switch SW13 and configure it with protection passwords and
remaining configurations as done with the other layer-2 switches.
It is left to you to build a testing strategy with a set of testing steps in order to check and verify the
proper functioning of the whole system.
It is better to document your testing strategy and learn how to use debug and show commands on both
Cisco routers and Cisco switches.