SIMULATION
AAAdot1x Lab
Acme is a small shipping company that has an existing enterprise network comprised of 2
switches: DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a
new VLAN that will be used to provide the shipping personnel access to the server. For
security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
– Users connecting to ASW1’s ports must authenticate before they are given access to the network.
– Authentication is to be done via a RADIUS server:
– RADIUS server host: 172.120.39.46
– RADIUS key: rad123
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
– Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.
– Filtering should be implemented as close to the server farm as possible.
The RADIUS server and application servers will be installed at a future date. You have been
tasked with implementing the above access control as a pre-condition to installing the
servers. You must use the available IOS switch features.
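A configuration that meets the requirements above, written here as an added example and not as the lab's own answer key. The RADIUS address and key are the ones the task gives; the interface range on ASW1 (Fa0/1-24) and the placement of those ports in VLAN 20 are assumptions, because the topology diagram is not reproduced on this page. The 802.1X part goes on ASW1 (closest to the hosts) and the filter goes on DSW1 as a VLAN access map on VLAN 20 (closest to the server farm).

```cisco
! ---- ASW1: 802.1X on the access ports, i.e. as close to the hosts as possible ----
aaa new-model
! Assumed: the RADIUS server is reachable from ASW1; address and key are the ones the task gives.
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Assumed: Fa0/1-24 are the shipping users' ports and belong to VLAN 20 (topology not shown here).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
!
! ---- DSW1: VACL on VLAN 20, i.e. as close to the server farm as possible ----
! Sequence 10 forwards only sources in 172.120.40.0/24. A frame that matches no sequence of
! the access map is dropped, which is what gives the "drop everything else" requirement.
ip access-list standard VLAN20-SHIPPING
 permit 172.120.40.0 0.0.0.255
!
vlan access-map VLAN20-FILTER 10
 match ip address VLAN20-SHIPPING
 action forward
!
vlan filter VLAN20-FILTER vlan-list 20
!
! ---- checks ----
! ASW1: show dot1x all                      (SysAuthControl Enabled, PortControl Auto per port)
! ASW1: show dot1x interface FastEthernet0/1
! DSW1: show vlan access-map                (VLAN20-FILTER, sequence 10, action forward)
! DSW1: show vlan filter                    (VLAN20-FILTER applied to VLAN 20)
```

Three points a practitioner should keep in mind. On IOS trains that use the newer authentication framework the per-port line is `authentication port-control auto` together with `dot1x pae authenticator`; the older `dot1x port-control auto` form above is what 12.2-era Catalyst IOS takes. Because the RADIUS server is not installed yet, every user port stays Unauthorized until the server is reachable; that is fail-closed behaviour and is what the task asks for, so do not add an auth-fail or critical VLAN unless you deliberately want unauthenticated access during that window. Finally, the filter is a VACL rather than an IP ACL on the VLAN 20 SVI because a router ACL only sees traffic that is routed, whereas the requirement is to drop frames from out-of-range hosts inside VLAN 20 as well; a VACL is applied to all traffic bridged within the VLAN.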
SIMULATION
Acme is a small export company that has an existing enterprise network comprised of 5
switches: CORE, DSW1, DSW2, ASW1 and ASW2. The topology diagram indicates their desired
per-VLAN spanning tree mapping.
Previous configuration attempts have resulted in the following issues:
– CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge
for VLAN 20.
– Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and
DSW2. However, VLAN 30 is currently using gig 1/0/5.
– Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and
DSW2. However, VLAN 40 is currently using gig 1/0/6.
You have been tasked with isolating the cause of these issues and implementing the
appropriate solutions. Your task is complicated by the fact that you only have full access to
DSW1, with the enable secret password cisco. Only limited show command access is provided
on CORE and DSW2 using the enable level 2 with a password of acme. No configuration changes
will be possible on these switches. No access is provided to ASW1 or ASW2.
hostname DSW1
!
enable secret 5 $1$wN16$j5RnayatKfxaKxhX30TVo0
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 20 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
description trunk line to ASW1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/2
shutdown
!
interface GigabitEthernet1/0/3
shutdown
!
interface GigabitEthernet1/0/4
shutdown
!
interface GigabitEthernet1/0/5
description trunk line to DSW2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/6
description trunk line to DSW2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/7
shutdown
!
interface GigabitEthernet1/0/8
shutdown
!
interface GigabitEthernet1/0/9
description trunk line to CORE
switchport trunk encapsulation dot1q
switchport mode trunk
!
end
DSW1# show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0016.4658.f300
             Cost        19
             Port        9 (GigabitEthernet1/0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0016.46fa.9b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    28692
             Address     0016.46fa.9b00
             This bridge is the root

  Bridge ID  Priority    28692  (priority 28672 sys-id-ext 20)
             Address     0016.46fa.9b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    24606
             Address     0016.46fa.9b00
             This bridge is the root

  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     0016.46fa.9b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    24616
             Address     0016.46fa.6a00
             Cost        19
             Port        9 (GigabitEthernet1/0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     0016.46fa.9b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
DSW1#
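Reading the output above against the three complaints, and the DSW1 commands that follow from it, written here as an added example and not as the lab's answer key. DSW1 is the only device that can be configured, so every lever is local to DSW1. Where the right lever depends on the topology diagram, which this page does not reproduce, the assumption is stated in the comment next to it. The root-guard line at the end is hardening beyond what the task asks for.

```cisco
! ---- VLAN 20: CORE should be root, but DSW1 is ----
! "spanning-tree vlan 20 priority 28672" gives DSW1 a bridge ID of 28692, lower than CORE's,
! and the lowest bridge ID wins. CORE cannot be changed, so give DSW1 back the default 32768.
no spanning-tree vlan 20 priority
! If CORE itself runs a non-default value and DSW1 still wins at 32768, push DSW1 higher instead:
!   spanning-tree vlan 20 priority 61440
!
! ---- VLAN 30: DSW1 is root (24606), so DSW2 chooses its root port ----
! Both DSW1-DSW2 trunks run at 100 Mb/s (cost 19 each), so root path cost and sender bridge ID
! tie on DSW2 and it falls through to the port priority DSW1 advertises, then the port number.
! Lower wins; both ports default to 128, so make Gi1/0/6 preferable.
interface GigabitEthernet1/0/6
 spanning-tree vlan 30 port-priority 64
!
! ---- VLAN 40: DSW1 is not root (root 0016.46fa.6a00, reached via Gi1/0/9) ----
! Which switch decides between Gi1/0/5 and Gi1/0/6 depends on which side of the pair the root
! is on. As printed, DSW1's root port is Gi1/0/9, so (assuming DSW2 reaches the root through
! DSW1 rather than over a link of its own to CORE) DSW2 is downstream and again chooses on the
! port priority DSW1 advertises:
interface GigabitEthernet1/0/5
 spanning-tree vlan 40 port-priority 64
! If the diagram instead shows DSW1 reaching the VLAN 40 root through DSW2, DSW1 is the one
! choosing, and a lower local path cost on Gi1/0/5 is the lever:
!   interface GigabitEthernet1/0/5
!    spanning-tree vlan 40 cost 1
!
! ---- hardening beyond the task: the access layer must never be allowed to claim root ----
interface GigabitEthernet1/0/1
 spanning-tree guard root
!
! ---- checks (DSW1 fully; CORE and DSW2 with the level-2 show access) ----
! show spanning-tree vlan 20            (Root ID address must no longer be 0016.46fa.9b00)
! show spanning-tree vlan 30 detail     (Gi1/0/6 shows "Port priority 64")
! show spanning-tree vlan 40 detail     (Gi1/0/5 shows "Port priority 64")
! DSW2: show spanning-tree vlan 30      (root port should be the port facing DSW1 Gi1/0/6)
! DSW2: show spanning-tree vlan 40      (root port should be the port facing DSW1 Gi1/0/5)
```

The general rule behind the two VLAN 30/40 knobs: the switch on the downstream side of a pair of equal-cost links picks its root port, and it compares its own port cost first, then the neighbour's advertised port priority and port ID. Port cost is therefore the lever on the choosing switch, and port priority is the lever on the switch being chosen from; since only DSW1 can be changed, work out which of the two roles DSW1 plays on each VLAN before touching anything.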
Configure the Multilayer Switch so that PCs from VLAN 2 and VLAN 3 can communicate with the Server.
You are given the following:
Each of these VLANs has one host on its ports.
SVI on VLAN 1 – ip 192.168.1.11
Switch B ports 3 and 4 are connected to ports 3 and 4 on Switch A.
Port 15 is connected to a port on the router.
Tasks to do:
1. Use a non-proprietary mode of aggregation with Switch B being the initiator
— Use LACP with B in active mode
2. Use non-proprietary trunking and no negotiation
— Use switchport mode trunk and switchport trunk encapsulation dot1q
3. Restrict the trunk to only the VLANs needed
— Use either VTP pruning or an allowed VLAN list. The preferred method is an allowed
VLAN list
4. SVI on VLAN 1 with the given IP address and subnet mask
5. Configure switch A so that nodes on the other side of Router C are accessible
— On switch A the default gateway has to be configured.
6. Make switch B the root
SIMULATION
Scenario:
You work for SWITCH.com. They have just added a new switch (SwitchB) to the existing
network as shown in the topology diagram.
RouterA is currently configured correctly and is providing the routing function for devices on
SwitchA and SwitchB. SwitchA is currently configured correctly, but will need to be modified
to support the addition of SwitchB. SwitchB has a minimal configuration. You have been
tasked with completing the needed configuration of SwitchA and SwitchB. SwitchA and
SwitchB use Cisco as the enable password.
Configuration Requirements for SwitchA
The VTP and STP configuration modes on SwitchA should not be modified.
+ SwitchA needs to be the root switch for VLANs 11, 12, 13, 21, 22 and 23. All other VLANs
should be left at their default values.
Configuration Requirements for SwitchB
+ Vlan 21
++ Name: Marketing
++ will support two servers attached to fa0/9 and fa0/10
+ Vlan 22
++ Name: Sales
++ will support two servers attached to fa0/13 and fa0/14
+ Vlan 23
++ Name: Engineering
++ will support two servers attached to fa0/15 and fa0/16
+ Access ports that connect to servers should transition immediately to the forwarding state
upon detecting the connection of a device.
+ SwitchB VTP mode needs to be the same as SwitchA.
+ SwitchB must operate in the same spanning tree mode as SwitchA
+ No routing is to be configured on SwitchB
+ Only the SVI vlan 1 is to be configured and it is to use address 192.168.1.11/24
Inter-switch Connectivity Configuration Requirements
+ For operational and security reasons trunking should be unconditional and VLANs 1, 21,
22 and 23 should be tagged when traversing the trunk link.
+ The two trunks between SwitchA and SwitchB need to be configured in a mode that
allows for the maximum use of their bandwidth for all vlans. This mode should be done with
a non-proprietary protocol, with SwitchA controlling activation.
+ Propagation of unnecessary broadcasts should be limited using manual pruning on this
trunk link.
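A configuration that satisfies both the short outline (tasks 1 to 6 above) and the full SwitchA/SwitchB requirements, written here as an added example and not as the lab's answer key. It assumes Fa0/3-4 are the two inter-switch links (the port numbers the outline gives), that SwitchA reports VTP transparent and rapid-pvst (substitute whatever show vtp status and show spanning-tree summary on SwitchA actually report), and that SwitchB is a platform that accepts vlan dot1q tag native and no ip routing. The outline makes SwitchB the LACP initiator and the full scenario has SwitchA control activation; the comment at the channel-group line shows where that difference lands. The scenario's root placement (SwitchA) is the one followed. The bpduguard lines are hardening beyond the task.

```cisco
! ================= SwitchB =================
! Assumed: these two modes match what SwitchA reports; change them if it reports otherwise.
vtp mode transparent
spanning-tree mode rapid-pvst
!
vlan 21
 name Marketing
vlan 22
 name Sales
vlan 23
 name Engineering
!
! Server ports: portfast for immediate forwarding. bpduguard is hardening beyond the task:
! a server port must never receive a BPDU, and if it does the port is err-disabled.
interface range FastEthernet0/9 - 10
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range FastEthernet0/13 - 14
 switchport mode access
 switchport access vlan 22
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range FastEthernet0/15 - 16
 switchport mode access
 switchport access vlan 23
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks to SwitchA bundled with LACP (the non-proprietary protocol). The scenario has
! SwitchA controlling activation, so SwitchB is passive; the outline's variant with SwitchB
! as initiator would use "channel-group 1 mode active" here instead.
interface range FastEthernet0/3 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
 channel-group 1 mode passive
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
!
! VLAN 1 is the native VLAN and would cross the trunk untagged; this tags it as required.
vlan dot1q tag native
!
! No routing on SwitchB; only the VLAN 1 SVI is configured.
no ip routing
interface Vlan1
 ip address 192.168.1.11 255.255.255.0
 no shutdown
!
! ================= SwitchA (additions only; VTP and STP modes untouched) =================
spanning-tree vlan 11,12,13,21,22,23 root primary
!
interface range FastEthernet0/3 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,21,22,23
!
vlan dot1q tag native
! Outline task 5: SwitchA also needs "ip default-gateway" pointing at the router; that
! address is not given on this page.
!
! ---- checks ----
! show etherchannel summary      (Po1 flagged SU, both members P, protocol LACP)
! show interfaces trunk          (Po1 trunking, allowed VLANs 1,21,22,23, no DTP)
! show spanning-tree vlan 21     (on SwitchA: "This bridge is the root")
```

Two details matter for the trunk. The allowed-VLAN list must be identical at both ends, or the missing VLAN is silently pruned in one direction; and `vlan dot1q tag native` is a global command, so it tags the native VLAN on every trunk of that switch, which both ends must agree on. On a platform that lacks the command, the other way to get VLAN 1 tagged is to move the native VLAN to an unused VLAN on both ends of the trunk. `switchport trunk encapsulation dot1q` is only accepted on platforms that also support ISL; on a switch that only does 802.1Q, omit it.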