Hi all, I am doing a network exercise here and I am unsure about some of the commands needed to do what is stated in the question. I would appreciate it if I was given some help.
1. Hostnames as per diagram
2. DLS1 is the VTP Server
DLS2 + ALS1 are VTP Clients
ALS2 is VTP transparent
VTP domain is practice.com
VTP password is practice
DLS1(config)#vtp mode server
DLS1(config)#vtp domain practice.com
DLS1(config)#vtp password practice
DLS2(config)#vtp domain practice.com
DLS2(config)#vtp password practice
DLS2(config)#vtp mode client
ALS1(config)#vtp domain practice.com
ALS1(config)#vtp password practice
ALS1(config)#vtp mode client
ALS2(config)#vtp domain practice.com
ALS2(config)#vtp mode transparent
3. VLANs
VLAN 2 10.2.0.0/24 STUDENT
VLAN 3 10.3.0.0/24 LECTURER
VLAN 4 10.4.0.0/24 MANAGEMENT
DLS1(config)#vlan 2
DLS1(config-vlan)#name STUDENT
DLS1(config-vlan)#exit
DLS1(config)#vlan 3
DLS1(config-vlan)#name LECTURER
DLS1(config-vlan)#exit
DLS1(config)#vlan 4
DLS1(config-vlan)#name MANAGEMENT
DLS1(config-vlan)#exit
4. Disable all ports. Enable on an as-needed basis
DLS1(config)#interface range fastEthernet 0/1 - 24
DLS1(config-if-range)#shutdown
DLS2(config)#interface range fastEthernet 0/1 - 24
DLS2(config-if-range)#shutdown
ALS1(config)#interface range fastEthernet 0/1 - 24
ALS1(config-if-range)#shutdown
ALS2(config)#interface range fastEthernet 0/1 - 24
ALS2(config-if-range)#shutdown
I know how to turn the ones I need on
5. Trunking between DLS1 and DLS2 is using ISL
All other trunk uses DOT1Q
Untagged traffic carried on VLAN 3
DLS1(config)# interface range fastEthernet 0/1 - 2
DLS1(config-if-range)# switchport trunk encapsulation isl
DLS1(config-if-range)# switchport mode trunk
DLS1(config)# interface range fastEthernet 0/7 - 8
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS2(config)# interface range fastEthernet 0/1 - 2
DLS2(config-if-range)# switchport trunk encapsulation isl
DLS2(config-if-range)# switchport mode trunk
DLS2(config)# interface range fastEthernet 0/3 - 4
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# switchport mode trunk
ALS1(config)# interface range fastEthernet 0/3 - 4
ALS1(config-if-range)# switchport trunk encapsulation dot1q
ALS1(config-if-range)# switchport mode trunk
ALS1(config)# interface range fastEthernet 0/5 - 6
ALS1(config-if-range)# switchport trunk encapsulation dot1q
ALS1(config-if-range)# switchport mode trunk
ALS2(config)# interface range fastEthernet 0/7 - 8
ALS2(config-if-range)# switchport trunk encapsulation dot1q
ALS2(config-if-range)# switchport mode trunk
ALS2(config)# interface range fastEthernet 0/5 - 6
ALS2(config-if-range)# switchport trunk encapsulation dot1q
ALS2(config-if-range)# switchport mode trunk
Don't know how to do untaggged.
6. Configure Ether channel between ALS1 and ALS2
ALS1(config)#interface range fastEthernet 0/5 - 6
ALS1(config-if-range)#switchport mode trunk
ALS1(config-if-range)#channel-group 1 mode desirable
ALS2(config)#interface range fastEthernet 0/5 - 6
ALS2(config-if-range)#switchport mode trunk
ALS2(config-if-range)#channel-group 1 mode desirable
6A Configure management interface on ALS1 and ALS2
7. Configure rapid per vlan spanning tree
DLS1 is root per VLAN 2
Back up root for VLAN 3 and 4
DLS1(config)# spanning-tree mode rapid-pvst
DLS1(config)#spanning-tree vlan 2 root primary
DLS1(config)#spanning-tree vlan 3 root secondary
DLS1(config)#spanning-tree vlan 4 root secondary
DLS2 is the root for VLAN 3 + 4
Backup root for VLAN 2
DLS2(config)#spanning-tree vlan 3 root primary
DLS2(config)#spanning-tree vlan 4 root primary
DLS2(config)#spanning-tree vlan 2 root secondary
8. Configure DLS1 and DLS2 for routing
DLS1 routes for VLAN 2
Back up routing for VLAN 3, 4
DLS1(config)# ip routing
DLS1(config)# int vlan 2
DLS1(config-if)# ip address 10.2.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.2.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 150
DLS1(config-if)# int vlan 3
DLS1(config-if)# ip address 10.3.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.3.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 100
DLS1(config-if)# int vlan 4
DLS1(config-if)# ip address 10.4.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.4.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 100
DLS2 routes for VLAN 3 + 4
Backup routing for VLAN 2
DLS2(config)# ip routing
DLS2(config)# ! 10.x.0.3 is already DLS1's address in each VLAN, so DLS2 uses 10.x.0.2
DLS2(config)# int vlan 3
DLS2(config-if)# ip address 10.3.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.3.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 150
DLS2(config-if)# int vlan 4
DLS2(config-if)# ip address 10.4.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.4.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 150
DLS2(config-if)# int vlan 2
DLS2(config-if)# ip address 10.2.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.2.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 100
9. Configure DHCP Server on DLS1
To allocate IP addresses to management, students + lecturers
10. Configure access ports on all switches
Ports fa0/9 for management
10 - 15 for students
16 - 20 for lecturers
Enable appropriate ports as per topology
DLS2(config)# interface fastEthernet 0/9
DLS2(config-if)# switchport mode access
DLS2(config-if)# switchport access vlan 4
DLS2(config-if)# spanning-tree portfast
ALS1(config)# interface range fastEthernet 0/10 - 15
ALS1(config-if-range)# switchport mode access
ALS1(config-if-range)# switchport access vlan 2
ALS1(config-if-range)# spanning-tree portfast
ALS2(config)# interface range fastEthernet 0/16 - 20
ALS2(config-if-range)# switchport mode access
ALS2(config-if-range)# switchport access vlan 3
ALS2(config-if-range)# spanning-tree portfast
11. Ensure ports that are access ports go directly from blocking to forwarding
12. Disable cdp and http traffic on DLS1
DLS1# configure terminal
DLS1(config)# no cdp run
DLS1(config)# no ip http server
DLS1(config)# end
13. Enable http on DLS1
DLS1# configure terminal
DLS1(config)# ip http server
DLS1(config)# end
14. Configure console security on ALS1
Password Fiona
If the port is inactive for 1 minute the connection should be terminated
ALS1# configure terminal
ALS1(config)# line console 0
ALS1(config-line)# password Fiona
ALS1(config-line)# login
ALS1(config-line)# exec-timeout 1 0
15. Configure VTY access on DLS2
Users should only be able to connect using SSH for domain Sligo.com, using the username Fiona and the secure password Mitchell. Data that passes across the connection should be encrypted using an RSA key size 5/2. The user has 5 authentication retries for SSH.
16. Ensure students cannot communicate with users on the management VLAN
17. Configure VTY connect on DLS1 to allow
Telnet only for users in the management VLAN using a password Mitchell
18. All passwords that are plaintext should be encrypted using MD7 encryption; do this on DLS1
19. On ALS1 only allow a mac address to be learned. The port should shut down if an illegal mac address is learned.
If the port goes into error disable state due to a security violation it should recover after 3 minutes.
20. On ALS1 ports 5,6,7,8 ensure broadcast traffic does not exceed 20%
21. On DLS2 make sure the minimum password length is 5 characters long
DLS2(config)#security passwords min-length 5
22. On DLS2 make sure that if a user tries to illegally enter the system 5 times in a 2 minute period they are locked out for 5 minutes
DLS2(config)#login block-for 300 attempts 5 within 120
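Items 15, 17 and 18 have no attempt above. The following is an added example, not part of the original post, of one way to do them: the domain, username and passwords are the ones the exercise names, while the 2048-bit RSA modulus is my assumption because the key size in the exercise text is garbled.

```cisco
! --- DLS2: SSH-only VTY access (item 15) ---
! The RSA key is tied to hostname + domain, so set both before generating it
hostname DLS2
ip domain-name Sligo.com
! "secret" stores a hash; "password" would store a reversible type 7 string
username Fiona secret Mitchell
! Assumed modulus: 2048 bits (the exercise's stated size is garbled, and
! SSH version 2 needs at least a 768-bit key anyway)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 5
line vty 0 4
 login local
 transport input ssh
!
! --- DLS1: Telnet only from the management VLAN 10.4.0.0/24 (item 17) ---
ip access-list standard MGMT-ONLY
 permit 10.4.0.0 0.0.0.255
 deny any
line vty 0 4
 password Mitchell
 login
 access-class MGMT-ONLY in
 transport input telnet
!
! --- DLS1: encode plaintext passwords in the config (item 18) ---
! This is type 7 encoding: it stops casual reading of "show run" but is
! reversible, so it only protects the line password above from shoulder-surfing
service password-encryption
```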
Where much is given, much can be received. :) Your text or an online search should be able to produce the command syntax needed to finish this exercise. This is a good exercise, by the way... a full summary of a number of concepts.
I don't see DHCP scopes defined or ip helper statements on the other switches pointing to DLS1.
Need to do the SSH stuff... and to keep communication from happening from student to management, you will need an ACL statement.
19 requires port-security statements. You're looking for "sticky" commands in this case.
20 calls for policing or shaping statements... if you don't want to drop outright, go with shaping. If the traffic is discardable, policing.
21 and 22 look good to me.
One more thing - what VLANs are being shared on the trunks? I don't see anything about that in your commands.
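The DHCP scopes, helper addresses and ACL this reply asks about, as an added example rather than code from the post or the reply. It assumes the HSRP addressing from the post (.1 is the virtual gateway, DLS1 holds .3) and that DLS2 relays to DLS1's management-VLAN address 10.4.0.3.

```cisco
! --- DLS1: DHCP scopes for the three VLANs (item 9) ---
! Keep the HSRP virtual address (.1) and the switch SVI addresses out of the pools
ip dhcp excluded-address 10.2.0.1 10.2.0.10
ip dhcp excluded-address 10.3.0.1 10.3.0.10
ip dhcp excluded-address 10.4.0.1 10.4.0.10
ip dhcp pool STUDENT
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
ip dhcp pool LECTURER
 network 10.3.0.0 255.255.255.0
 default-router 10.3.0.1
ip dhcp pool MANAGEMENT
 network 10.4.0.0 255.255.255.0
 default-router 10.4.0.1
!
! --- DLS2: relay client broadcasts to the server on DLS1 (assumed 10.4.0.3) ---
! The relay sets giaddr to DLS2's SVI address and DLS1 picks the pool from it,
! so student and lecturer clients still get the right scope even though the
! relayed request reaches DLS1 via the management VLAN
interface vlan 2
 ip helper-address 10.4.0.3
interface vlan 3
 ip helper-address 10.4.0.3
!
! --- DLS1 and DLS2: students cannot reach the management VLAN (item 16) ---
! Applied inbound on the student SVI of both switches, so the filter holds
! whichever one is the active HSRP gateway; management hosts cannot start a
! conversation either, because the student side's replies are dropped
ip access-list extended STUDENT-IN
 deny   ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
 permit ip any any
interface vlan 2
 ip access-group STUDENT-IN in
```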
Here's how people do VTP in the real world.
switch(config)# vtp mode transparent
*move to the next switch and do the same*
:problem?:
vtpv3 ain't so bad. You have to manually force a server into primary master in enable (not conf). In fact you can demote all servers to secondary and only promote on demand (i.e. to make changes), and any primary status is lost on reboot i.e. all servers come up as secondary as standard.
If vtpv2 had this kind of behaviour, the entire vtp protocol wouldn't have this stigma. Heck, on a conceptual level it's just an orchestrator, isn't it? :professorcat:
Quote from: TheBigDog on December 05, 2015, 07:03:51 PM
5. Trunking between DLS1 and DLS2 is using ISL
All other trunk uses DOT1Q
Untagged traffic carried on VLAN 3
Don't know how to do untaggged.
** set the native vlan on the trunk port configuration
Quote from: TheBigDog on December 05, 2015, 07:03:51 PM
9. Configure DHCP Server on DLS1
To allocate ip addresses to management, student + lectures
*** need to set DHCP server configuration on switch
Quote from: TheBigDog on December 05, 2015, 07:03:51 PM
11. Ensure ports that are access ports go directly from blocking to forwarding
*** spanning tree issue, look there, command is like #spanning-tree p<something>...
Quote from: TheBigDog on December 05, 2015, 07:03:51 PM
13. Enable http on DLS1
DLS1# configure terminal
DLS1(config)# cdp run
DLS1(config)# end
***This command sets CDP to run, has nothing to do with HTTP
starts with #no ip
Not even gonna comment on 15-20 until you at least give them a try.
Rest looks pretty good.
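The native VLAN, port-security and broadcast-limit commands the replies point to (items 5, 19, 20), as an added example and not code from the thread. Port numbers follow the post, one MAC address per port is assumed, and the broadcast limit uses storm-control (a per-port threshold) rather than a QoS policer.

```cisco
! --- ALS1: untagged frames on the dot1q trunks to DLS2 belong to VLAN 3 (item 5) ---
! A native VLAN only exists on dot1q; the ISL trunk between DLS1 and DLS2 tags everything
interface range FastEthernet0/3 - 4
 switchport trunk native vlan 3
 switchport trunk allowed vlan 2,3,4
!
! --- ALS1: student ports learn one sticky MAC and shut on violation (item 19) ---
! "sticky" copies the learned address into the running config, so it survives
! a link flap and can be saved; "maximum 1" is the assumed per-port limit
interface range FastEthernet0/10 - 15
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! --- ALS1: re-enable err-disabled ports after 3 minutes (item 19) ---
errdisable recovery cause psecure-violation
errdisable recovery interval 180
!
! --- ALS1: ports 5-8 drop broadcast above 20% of link bandwidth (item 20) ---
! Excess broadcast frames are discarded for the rest of that one-second
! interval; the port itself stays up unless "storm-control action shutdown" is added
interface range FastEthernet0/5 - 8
 storm-control broadcast level 20.00
```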
Quote from: wintermute000 on December 06, 2015, 07:16:05 PM
vtpv3 ain't so bad. You have to manually force a server into primary master in enable (not conf). In fact you can demote all servers to secondary and only promote on demand (i.e. to make changes), and any primary status is lost on reboot i.e. all servers come up as secondary as standard.
If vtpv2 had this kind of behaviour, the entire vtp protocol wouldn't have this stigma. Heck, on a conceptual level it's just an orchestrator, isn't it? :professorcat:
Yeah I'll agree with ya. Also if you're running non-default MST config it has added benefit. Otherwise, I really don't see the point. In the worst case, manual copy/paste is the suck but very manageable.. otherwise there's plenty of other automation platforms to push out VLAN config in addition to configuration outside of VLANs.
This is a really awesome exercise. Do you guys know where I can get exercises/labs like this (that won't cost me an arm and a leg)? Doesn't have to be on equipment. Just something like this on paper would be fine. I copied every line in this and had a lot of fun writing down the commands.
Quote from: flipmode on February 06, 2016, 08:22:05 AM
This is a really awesome exercise. Do you guys know where I can get exercises/labs like this (that won't cost me an arm and a leg)? Doesn't have to be on equipment. Just something like this on paper would be fine. I copied every line in this and had a lot of fun writing down the commands.
I'm putting together some lab exercises in the forum here. What would you like to see more of? I'll get to work on it, even if it means that I have to learn it, too!
I made a thread for requests: http://www.networking-forums.com/index.php?topic=744