**********************************************
Lab 1 - Configuring Trunking – Dot1q
**********************************************

-------- Task 1 --------

----- SW1 -----

Interface range E 0/2-3
 switchport trunk encapsulation dot1q
 switchport mode Trunk

----- SW3 -----

Interface range E 0/0-1
 switchport trunk encapsulation dot1q
 switchport mode Trunk

**********************************************
Lab 2 – Configuring Port Channels – Manual
**********************************************

----- SW1 -----

Interface range E 0/0-1
 channel-group 12 mode on
 no shut
!
Interface port-channel 12
 switchport trunk encapsulation dot1q
 switchport mode trunk

----- SW2 -----

Interface range E 0/0-1
 channel-group 12 mode on
 no shut
!
Interface port-channel 12
 switchport trunk encapsulation dot1q
 switchport mode trunk

**********************************************
Lab 3 – Configuring Port Channels – LACP
**********************************************

----- SW2 -----

Interface range E 0/2-3
 channel-group 24 mode active
 no shut
!
Interface port-channel 24
 switchport trunk encapsulation dot1q
 switchport mode trunk

----- SW4 -----

Interface range E 0/0-1
 channel-group 24 mode active
 no shut
!
Interface port-channel 24
 switchport trunk encapsulation dot1q
 switchport mode trunk

***************************************************
Lab 4 – Configuring VLAN Trunking Protocol (VTP)
***************************************************

-------- Task 1 --------

----- SW1 -----

vtp mode server
vtp domain KBITS
vtp version 2
vtp password kbits@123

----- SW2 -----

vtp mode client
vtp domain KBITS
vtp version 2
vtp password kbits@123

----- SW3 -----

vtp mode client
vtp domain KBITS
vtp version 2
vtp password kbits@123

----- SW4 -----

vtp mode client
vtp domain KBITS
vtp version 2
vtp password kbits@123

***************************************************
Lab 5 – Configuring VLANs
***************************************************

-------- Task 1 --------

Configure VLANs 10,20,30,40,50,60,70,80 for the switching infrastructure. The VLANs should have names assigned to them based on VLAN-XX, where XX is the VLAN #.

vlan 10
 name VLAN-10
vlan 20
 name VLAN-20
vlan 30
 name VLAN-30
vlan 40
 name VLAN-40
vlan 50
 name VLAN-50
vlan 60
 name VLAN-60
vlan 70
 name VLAN-70
vlan 80
 name VLAN-80

***************************************************
Lab 6 - PVST+ - Root Bridge Selection/Election
***************************************************

-------- Task 1 --------

----- SW1 -----

spanning-tree vlan 1,10,20,30,40 priority 0

----- SW2 -----

spanning-tree vlan 1,10,20,30,40 priority 4096

-------- Task 2 --------

----- SW2 -----

spanning-tree vlan 50,60,70,80 root primary

----- SW1 -----

spanning-tree vlan 50,60,70,80 root secondary

***************************************************
Lab 7 – Configuring MST
***************************************************

-------- Task 1 --------

----- SW1 -----

spanning-tree mode mst
spanning-tree mst configuration
 name CCIE-EI
 revision 1
 instance 1 vlan 10,20,30,40
 instance 2 vlan 50,60,70,80

----- SW2 -----

spanning-tree mode mst
spanning-tree mst configuration
 name CCIE-EI
 revision 1
 instance 1 vlan 10,20,30,40
 instance 2 vlan 50,60,70,80

----- SW3 -----

spanning-tree mode mst
spanning-tree mst configuration
 name CCIE-EI
 revision 1
 instance 1 vlan 10,20,30,40
 instance 2 vlan 50,60,70,80

----- SW4 -----

spanning-tree mode mst
spanning-tree mst configuration
 name CCIE-EI
 revision 1
 instance 1 vlan 10,20,30,40
 instance 2 vlan 50,60,70,80

***************************************************
Lab 8 - MSTP - Root Bridge Selection/Election
***************************************************

-------- Task 1 --------

----- SW1 -----

spanning-tree mst 1 priority 0

----- SW2 -----

spanning-tree mst 1 priority 4096

-------- Task 2 --------

----- SW2 -----

spanning-tree mst 2 priority 0

----- SW1 -----

spanning-tree mst 2 priority 4096

***************************************************
Lab 9 – Configuring Physical-To-Logical Mapping
***************************************************

++++++++++++++++++++++++++++++++
Steps:
++++++++++++++++++++++++++++++++

1. Configure Trunking between the Switches
2. Create the VLANs that are required
3. Assign Ports to the appropriate VLANs [ONE VLAN AT A TIME]
   - Physical Port Mapping (Switchport - Access)
   - Sub-Interface Mapping (Switchport - Trunk)
   - SVI (Interface vlan XX)

-------- VLAN 10 --------

---- SW1 ----

Interface range E 1/0-1
 switchport mode access
 switchport access vlan 10

Note: As both the Router Ports are Physical Ports (No Sub-interfaces), the corresponding switchports will be Access Ports in the appropriate VLAN.

-------- VLAN 20 --------

---- SW2 ----

Interface range E 1/0
 switchport mode access
 switchport access vlan 20

---- SW3 ----

Interface range E 0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

---- R3 ----

Interface E 0/0
 no shut
 duplex full
Interface E 0/0.1
 encapsulation dot1q 20
 ip address 192.168.20.3 255.255.255.0
 no shut

Note: As R3 has a Sub-interface (E0/0.1), the corresponding switchport will be a Trunk port, as it needs to pass the VLAN ID in the packet.

-------- VLAN 30 --------

---- SW2 ----

Interface range E 1/1
 switchport mode access
 switchport access vlan 30

----- SW1 -----

Ip routing
!
Interface vlan 30
 ip address 192.168.30.21 255.255.255.0
 no shut

-------- VLAN 40 --------

---- SW3 ----

Interface range E 0/3
 switchport mode access
 switchport access vlan 40

----- SW1 -----

Ip routing
!
Interface vlan 40
 ip address 192.168.40.21 255.255.255.0
 no shut

-------- VLAN 50 --------

---- SW4 ----

Interface range E 0/3
 switchport mode access
 switchport access vlan 50

----- SW2 -----

Ip routing
!
Interface vlan 50
 ip address 192.168.50.22 255.255.255.0
 no shut

----- R3 -----

Interface E 0/0.2
 encapsulation dot1q 50
 ip address 192.168.50.3 255.255.255.0
 no shut

-------- VLAN 60 --------

---- SW2 ----

Interface vlan 60
 ip address 192.168.60.22 255.255.255.0
 no shut

---- SW3 ----

ip routing
!
Interface vlan 60
 ip address 192.168.60.23 255.255.255.0
 no shut

-------- VLAN 70 --------

---- SW2 ----

Interface E 1/2
 switchport mode access
 switchport access vlan 70

---- SW3 ----

Interface E 1/0
 switchport mode access
 switchport access vlan 70
!
Interface vlan 70
 ip address 192.168.70.23 255.255.255.0
 no shut

-------- VLAN 80 --------

---- SW1 ----

Interface E 1/2
 switchport mode access
 switchport access vlan 80

---- SW4 ----

Interface E 0/2
 switchport mode access
 switchport access vlan 80

***************************************************
Lab 10 – Configuring L3 Topology and Routing
***************************************************

----- R1 -----

Interface loopback0
 ip address 1.1.1.1 255.0.0.0
!
Interface E 0/0
 ip address 192.168.10.1 255.255.255.0
 no shut
 duplex full
!
Interface E 0/1
 ip address 192.168.20.1 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.10.0
 network 192.168.20.0
 network 1.0.0.0

----- R2 -----

Interface loopback0
 ip address 2.2.2.2 255.0.0.0
!
Interface E 0/0
 ip address 192.168.10.2 255.255.255.0
 no shut
 duplex full
!
Interface E 0/1
 ip address 192.168.30.2 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.10.0
 network 192.168.30.0
 network 2.0.0.0

----- R3 -----

Interface loopback0
 ip address 3.3.3.3 255.0.0.0
!
Interface E 0/1
 ip address 192.168.80.3 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.20.0
 network 192.168.50.0
 network 192.168.80.0
 network 3.0.0.0

----- R4 -----

Interface loopback0
 ip address 4.4.4.4 255.0.0.0
!
Interface E 0/0
 ip address 192.168.40.4 255.255.255.0
 no shut
 duplex full
!
Interface E 0/1
 ip address 192.168.50.4 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.40.0
 network 192.168.50.0
 network 4.0.0.0

----- R5 -----

Interface loopback0
 ip address 5.5.5.5 255.0.0.0
!
Interface E 0/0
 ip address 192.168.80.5 255.255.255.0
 no shut
 duplex full
!
Interface E 0/1
 ip address 192.168.70.5 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.70.0
 network 192.168.80.0
 network 5.0.0.0

----- R6 -----

Interface loopback0
 ip address 6.6.6.6 255.0.0.0
!
Interface E 0/0
 ip address 192.168.70.6 255.255.255.0
 no shut
 duplex full
!
router eigrp 100
 network 192.168.70.0
 network 6.0.0.0

----- SW1 -----

Interface loopback0
 ip address 21.21.21.21 255.0.0.0
!
router eigrp 100
 network 192.168.30.0
 network 192.168.40.0
 network 21.0.0.0

----- SW2 -----

Interface loopback0
 ip address 22.22.22.22 255.0.0.0
!
router eigrp 100
 network 192.168.50.0
 network 192.168.60.0
 network 22.0.0.0

----- SW3 -----

Interface loopback0
 ip address 23.23.23.23 255.0.0.0
!
router eigrp 100
 network 192.168.60.0
 network 192.168.70.0
 network 23.0.0.0

**********************************************
Lab 11 - Configuring PortFast
**********************************************

-------- Task 1 --------

----- SW1 -----

Interface range e 1/0-2
 spanning-tree portfast

----- SW2 -----

Interface range e 1/0-2
 spanning-tree portfast

----- SW3 -----

Interface range e 0/3 , E 1/0
 spanning-tree portfast

----- SW4 -----

Interface range e 0/2-3
 spanning-tree portfast

**********************************************
Lab 12 - Configuring the BPDU Guard Feature
**********************************************

-------- Task 1 --------

----- SW1 -----

Interface range e 1/0-2
 spanning-tree bpduguard enable

----- SW2 -----

Interface range e 1/0-2
 spanning-tree bpduguard enable

----- SW3 -----

Interface range e 0/3 , E 1/0
 spanning-tree bpduguard enable

----- SW4 -----

Interface range e 0/2-3
 spanning-tree bpduguard enable

-------- Task 2 --------

----- SW1 -----

errdisable recovery cause bpduguard
errdisable recovery interval 180

----- SW2 -----

errdisable recovery cause bpduguard
errdisable recovery interval 180

----- SW3 -----

errdisable recovery cause bpduguard
errdisable recovery interval 180

----- SW4 -----

errdisable recovery cause bpduguard
errdisable recovery interval 180

**********************************************
Lab 13 - Configuring a VACL
**********************************************

Requirements:

▪ Deny IGMP in VLAN 10
▪ Deny TFTP in VLAN 20
▪ Deny IGMP and TFTP in VLAN 30
▪ There is a MAC address 0001.0012.2222 trying to attack VLAN 40. Block this MAC address from accessing any device in VLAN 40.

----- SW1 -----

! 1. Classify the traffic using an IP ACL or a MAC ACL
! VLAN 10
access-list 110 permit igmp any any
! VLAN 20
access-list 120 permit udp any any eq tftp
! VLAN 30
access-list 130 permit igmp any any
access-list 130 permit udp any any eq tftp
! VLAN 40
mac access-list extended MAC-ACL
 permit host 0001.0012.2222 any

! 2. Create the VLAN ACLs and specify the action
! VLAN 10
vlan access-map VACL-10 5
 match ip address 110
 action drop
vlan access-map VACL-10 1000
 action forward
! VLAN 20
vlan access-map VACL-20 5
 match ip address 120
 action drop
vlan access-map VACL-20 1000
 action forward
! VLAN 30
vlan access-map VACL-30 5
 match ip address 130
 action drop
vlan access-map VACL-30 1000
 action forward
! VLAN 40
vlan access-map VACL-40 5
 match mac address MAC-ACL
 action drop
vlan access-map VACL-40 1000
 action forward

! 3. Apply the VACL to the VLAN
vlan filter VACL-10 vlan-list 10
!
vlan filter VACL-20 vlan-list 20
!
vlan filter VACL-30 vlan-list 30
!
vlan filter VACL-40 vlan-list 40

**********************************************
Lab 14 – Configuring Root Guard
**********************************************

----- SW1 -----

Interface range E 0/2-3
 spanning-tree guard root

----- SW2 -----

Interface port-channel 24
 spanning-tree guard root

**********************************************
Lab 15 – Configuring Port-Security
**********************************************

----- SW1 -----

interface Ethernet1/0
 switchport port-security mac-address aabb.cc00.0100
 switchport port-security
!
interface Ethernet1/1
 switchport port-security mac-address aabb.cc00.0200
 switchport port-security
!
interface Ethernet1/2
 switchport port-security mac-address aabb.cc00.0500
 switchport port-security

----- SW2 -----

interface range E 1/0-2
 switchport port-security mac-address sticky
 switchport port-security

----- SW3 -----

interface E 2/1
 Description Connected to an ESXi Server with 2 VMs
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security max 2
 switchport port-security mac-address sticky
 switchport port-security
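
A check that can be run over a saved running-config to confirm that the access-port protections from Labs 11, 12 and 15 (PortFast with BPDU Guard, and port-security) are all present. This is an added example, not part of the original lab answers: the sample config is constructed, the function names are hypothetical, and it assumes both features are set per interface as in these labs rather than through global defaults.

```python
import re
# Constructed sample in the style of the SW1 answers for Labs 11, 12 and 15.
# Ethernet1/2 deliberately lacks BPDU Guard and the enabling port-security line.
SAMPLE_CONFIG = """\
interface Ethernet0/2
 switchport mode trunk
!
interface Ethernet1/0
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security mac-address aabb.cc00.0100
 switchport port-security
!
interface Ethernet1/2
 switchport mode access
 spanning-tree portfast
 switchport port-security mac-address aabb.cc00.0500
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands (lower-cased)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip().lower())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for access ports missing a guard."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunk and routed ports are out of scope here
        if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "portfast without bpduguard"))
        # Only the bare "switchport port-security" line enables the feature.
        if "switchport port-security" not in cmds:
            findings.append((name, "port-security not enabled"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
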