Phase 1: Identifying Requirements, Putting the Network Together

Scenario

NuggetLabs Industries is growing significantly. Due to space limitations, five employees currently share single cubicles at the same time. While this is great for team building, these space limitations are now impacting business productivity. NuggetLabs has now leased an additional office building roughly 20 km from their headquarters location. While this office will eventually connect to the HQ office, it will initially be set up independently. NuggetLabs Industries has heard rumors of your ninja-like network consultation skills and has agreed to pay you an excessive amount of money to design and build their network infrastructure.

Gathering Information

To help guide this initial configuration, you've assembled a list of requirements based on various meetings with management.

- The new office will initially house 75 employees, each with their own Cisco IP Phone and PC. This office may eventually scale to 200 employees over 5 years.
- The Windows admins are planning to install a new pair of redundant servers at the new office. They plan to manage all the IP addresses for DHCP on these servers and are waiting for you to tell them what IP address range they should use.
  - Windows admins: Jeff Service - (602) 555-1293, Mike Pack - (480) 555-9382.
- The new office is a two story building with the Main Distribution Frame (MDF) in the northwest corner of the first floor. Because of a workman's strike, poor planning, and other human issues, the Intermediate Distribution Frame (IDF) on the second floor was installed in the southeast corner of the second floor, beyond the reach of typical Ethernet standards. The majority of the employees (roughly 50) will sit on the main floor while the remainder will sit on the second floor. The building contractor has already run the cabling - a single Cat6 Ethernet connection to each cubicle / office space which terminates to patch panels in the MDF/IDF area.
- NuggetLabs is planning to use a Voice over IP (VoIP) phone system for the new office. Each user will have an assigned IP Phone in their cubicle / office space. The installation / management of the phone system itself will be the responsibility of another company; however, the network should be prepared to support the additional devices.
- The new office will need WIFI, so to keep budgets in check the company would like to use off-the-shelf Cisco Small Business WAPs. These WAPs are to host two wireless networks: NL-CORP and NL-PUB. Those connecting to NL-CORP should have access to the corporate network and resources. Of course, high-end security is mandatory for this wireless network. Those connecting to NL-PUB should not be prompted for any security requirements but should be limited to Internet access only.
- NuggetLabs Industries would like you to assess the network and make recommendations on Internet connectivity options. They would also like to begin evaluating network connections between their offices.
- During the discussions, NuggetLabs Industries found that you work primarily from your home office. Because of the value NuggetLabs places on your technical prowess, they have offered to provide an office space located in the MDF for you to use as a lab environment; a "home-away-from-home" you can use. However, this lab environment must be completely isolated from the corporate network so as not to cause any interference to day-to-day operations.

Task List - Priority 1 (Client: NL)

- Initial Meeting with NL Corporate
  - Create initial questionnaire for on-site visit
  - Discuss upcoming branch office rollout (goals, staff involvement, key contacts)
- Create NL Proposal
  - Requirements Document
  - Equipment Order
  - VLAN / Subnet List
  - Switchport Connections
  - Physical Visio Diagram
  - Logical Visio Diagram

Objective

Based on this information, NuggetLabs Industries would like you to create a proposal and implementation plan for their new office by next Friday. The submission should include the following elements:

- Requirements Document
- Equipment Order
- VLAN(s) - Necessary
- IP Subnet(s) - Necessary
- Switch Port Connections
- Any Necessary Visio Diagrams

Requirements Document

Based on company meeting, November 2011.

Attendees

- Bob Phaman [CEO]
- Sarah Belittle [CTO]
- Jeff Service [Windows Admin Lead - JeffS@nuggetlabs.com]
- Mike Pack [Desktop Support - MikeP@nuggetlabs.com]
- Grapler Construction Company (various reps)

Requirements

- Network must initially handle 75 users between two floors
- Network must handle both VoIP and Data traffic
- Network should handle public (unsecure) and private (secure) WIFI
- Private office / lab area created in MDF, separate from the network
- Suggest options for Internet connectivity

Assumptions

- Each user will have one workstation
- Each user will have one IP phone
- Network should handle 1 Gbps Ethernet connections to the desktop
- Dual fiber optic cabling run completed from MDF to IDF
- Internet connectivity options will be suggested, agreed upon, and installed before the move-in date
- All cable runs terminate to the IDF or MDF
- Each cubicle / office will have at least one Cat6 Ethernet connection
- JeremyC Consulting Inc. will be ordering all necessary equipment and patch cables for the operation
- Windows servers will have redundant connections
- IDF will be initially set up with a 48 port switch (allowing approx. 48% growth)
- MDF will be initially set up with two 48 port switches (allowing approx. 44% growth)
- PCs and IP Phones will be located no more than 3 m from the wall connection, 1.5-2 m on average
- Single Internet router (no redundancy) is acceptable
- Single core L3 switch (no redundancy) is acceptable
- PSTN calling for the VoIP network will be handled via SIP Trunk over the Internet
- MDF and IDF have sufficient power and cooling for the equipment to be installed

Phase 1: Brainstorming Requirements

- Two stories
  - First Floor MDF - initially housing 50 users
  - Second Floor IDF - initially housing 25 users
- WIFI
  - Full coverage for first and second floor
  - Need to perform a wireless site survey (onsite)
  - Power over Ethernet switches or couplers
- VoIP
  - IP Phone per cubicle / office
  - Need additional 1.5-3 m Cat 5E / 6 Ethernet cabling as PC patch

Task List - Priority 2 (Client: NL)

- Onsite Visit
- WiFi Site Survey
- Get with Windows guys to determine cabinet

Items Needed

- MDF - two 48-port PoE switches, one of them should be Layer 3 capable
  - Cisco LAN Access Switches
  - Cisco 2960 Model Comparison
  - Cisco 3750-X Model Comparison
  - First Choice L2 Switch - WS-C2960S-48FPS-L: 48-port, L2 switching, 740W PoE (15W per port), (4) 1G SFP Uplinks
  - First Choice L3 Switch - WS-C3750X-48PF-S: 48-port, L3 switching, 740W PoE (15W per port), (4) 1G SFP Uplinks
- MDF - one Internet router
  - Cisco Routers
  - Cisco 2900 Series
  - First Choice Router - Cisco 2901: (2) 1 Gbps built-in interfaces, (4) card slots (expansion using serial, ethernet, etc.), Voice capabilities (on-board DSPs)
  - Mounting - wall mount? Server cabinet? (determine server needs)
  - Cabling - need plenty of spare 1.5m, 2m, and 3m cables for cubicles, servers, offices, etc.; server connections
  - Fiber optic connection: patch cables and two SFPs
- IDF - one 48-port PoE switch
  - First Choice L2 Switch - WS-C2960S-48FPS-L: 48-port, L2 switching, 740W PoE (15W per port), (4) 1G SFP Uplinks
- Building - wireless access points
  - Cisco Small Business WIFI options
  - First Choice - WAP4410N: 802.11n/g/b, 1 Gbps, PoE capable (802.3af), supports 4 VLANs, 4 SSIDs
Equipment List

Name        Device     Function            Qty  Location
NL-B1-SW1   3750X      Core L3 Switch      1    MDF
NL-B1-SW2   2960S      L2 Switch           1    MDF
NL-B1-SW3   2960S      L2 Switch           1    IDF
NL-B1-RT1   2901       Internet Router     1    MDF
NL-B1-WI1   WAP4410N   WiFi Access Point   1    Ceiling
NL-B1-WI2   WAP4410N   WiFi Access Point   1    Ceiling
NL-B1-WI3   WAP4410N   WiFi Access Point   1    Ceiling

NL-B1-SW1 (Core L3 Switch) - parts to order

Part number          Description
WS-C3750X-48PF-S     48-port core L3 switch
C3KX-NM-1G           4 Port Gigabit SFP network module
C3KX-PWR-715WAC      Redundant PSU
SMARTnet             Support contract
GLC-SX-MM            Fibre SFP (SX)
C3KX-RACK-KIT        Rack Mount Kit

IP Addressing Scheme

Branch 1 Summary: 10.1.64.0/21 (255.255.248.0)

VLAN   Description          Network          Mask
64     Client VoIP          10.1.64.0        255.255.254.0
66     Client Data          10.1.66.0        255.255.254.0
68     Server               10.1.68.0        255.255.255.0
69     Public WiFi          10.1.69.0        255.255.255.0
70     Lab                  10.1.70.0        255.255.255.0
71     Network Management   10.1.71.0        255.255.255.0
10     Internet DMZ         107.176.20.240   255.255.255.240

VLAN 64 - Client VoIP

IP Address                  Description
10.1.64.0                   Client VoIP Network
10.1.64.1                   NL-B1-SW1 VLAN 64 IP (Default Gateway)
10.1.64.2-10                Reserved
10.1.64.11 to 10.1.65.245   Client VoIP DHCP Scope
10.1.65.246-254             Reserved
10.1.65.255                 Client VoIP Broadcast

VLAN 66 - Client Data

IP Address                  Description
10.1.66.0                   Client Data Network
10.1.66.1                   NL-B1-SW1 VLAN 66 IP (Default Gateway)
10.1.66.2-10                Reserved
10.1.66.11 to 10.1.67.245   Client Data DHCP Scope
10.1.67.246-254             Reserved
10.1.67.255                 Client Data Broadcast

VLAN 68 - Server

IP Address        Description
10.1.68.0         Server Network
10.1.68.1         NL-B1-SW1 VLAN 68 IP (Default Gateway)
10.1.68.2-5       Reserved
10.1.68.6         NL-B1-DC01
10.1.68.7         NL-B1-DC02
10.1.68.8         NL-B1-CUCMBE
10.1.68.255       Server Broadcast

VLAN 71 - Network Management

IP Address        Description
10.1.71.0         Management Network
10.1.71.1         NL-B1-SW1
10.1.71.2         NL-B1-SW2
10.1.71.3         NL-B1-SW3
10.1.71.4         NL-B1-RT1
10.1.71.5         NL-B1-WI1
10.1.71.6         NL-B1-WI2
10.1.71.7         NL-B1-WI3
10.1.71.255       Management Broadcast

VLAN 10 - Internet DMZ

IP Address                 Description
107.176.20.240             DMZ Network
107.176.20.241             ISP Gateway
107.176.20.242             NL-B1-RT1 External IP (Fa0/0)
107.176.20.243 - .254      Unused
107.176.20.255             DMZ Broadcast

Port List - NL-B1-SW1

Port   VLAN / Trunk / IP   Remote Device   Remote Interface   Notes
G0/1   Trunk               NL-B1-SW2       G0/1               EtherChannel 1
G0/2   Trunk               NL-B1-SW2       G0/2               EtherChannel 1
G0/3   V10                 ISP             -                  CCT ID 392021
G0/4   V10                 NL-B1-RT1       G0/0               External Interface
G0/5   V10                 Reserved        -                  -
G0/6   V10                 Reserved        -                  -
G0/7   V68                 NL-B1-DC01      LAN1               Windows Server 2008 R2
G0/8   V68                 NL-B1-DC02      LAN1               Windows Server 2008 R2
G0/9   -                   -               -                  -

Port List - NL-B1-SW2

Port    VLAN / Trunk / IP          Remote Device   Remote Interface   Notes
G0/1    Trunk                      NL-B1-SW1       G0/1               EtherChannel 1
G0/2    Trunk                      NL-B1-SW1       G0/2               EtherChannel 1
G0/3    V68                        Reserved        -                  -
G0/4    V68                        Reserved        -                  -
G0/5    V68                        Reserved        -                  -
G0/6    V68                        Reserved        -                  -
G0/7    V68                        NL-B1-DC01      LAN2               Windows Server 2008 R2
G0/8    V68                        NL-B1-DC02      LAN2               Windows Server 2008 R2
G0/9    V64 (voice) / V66 (data)   Client NIC      -                  -
G0/10   V64 (voice) / V66 (data)   Client NIC      -                  -

[Figure: Physical Layout]

[Figure: Logical Layout]
Phase 2: Configuring the Switch Infrastructure

Scenario

All the equipment you suggested has been purchased, delivered, and installed at the NuggetLabs branch office facility. You must now begin with the configuration of the switch infrastructure based on the following requirements.

Requirements

To help guide this initial configuration, you've assembled a list of requirements.

- Each switch will need a base configuration, which includes:
  - Hostname
  - Passwords (CON, VTY, Enable) should be set to cisco
  - Logon banner
  - Three hour console port timeout
  - Synchronous logging on the console port
  - Telnet / SSH enabled (use nuggetlabs.com as your domain and admin / cisco for SSH credentials)
  - HTTP management disabled
  - DNS name resolution set to 4.2.2.2 and 4.2.2.3
  - Clock set, NTP configured (use 64.32.135 as the NTP server)
  - Management VLAN / IP address (use the following table)

    VLAN 71 - Network Management

    Device      VLAN   IP Address   Mask
    NL-B1-SW1   71     10.1.71.1    255.255.255.0
    NL-B1-SW2   71     10.1.71.2    255.255.255.0
    NL-B1-SW3   71     10.1.71.3    255.255.255.0

- Configure the necessary VLANs on SW1, SW2, and SW3. If a VLAN is not necessary on a switch, it should not be configured.
  - VLAN 64: Client Voice
  - VLAN 66: Client Data
  - VLAN 68: Server
  - VLAN 69: Public WIFI
  - VLAN 70: Private LAB
  - VLAN 71: Management
  - VLAN 10: Internet DMZ

    Switch      VLANs
    NL-B1-SW1   All VLANs
    NL-B1-SW2   VLAN 64, 66, 69, 71
    NL-B1-SW3   VLAN 64, 66, 69, 71

  Note: VLAN Database mode must be used to configure any VLANs on the switches. Hint: NL_B1_SW1#vlan database
- Configure EtherChannel connections between (SW1 and SW2) and (SW1 and SW3). Use GNS3 to determine appropriate physical connections. The EtherChannel should be hardcoded as ON (does not use any LACP or PAgP negotiation).
- Configure the links between the switches to forward traffic for all necessary VLANs. If a VLAN does not exist on a switch, the trunk should not forward traffic for it.
- Create a routed interface on NL-B1-SW1 for each of the VLANs. This interface should be assigned the first IP address from each of the VLAN subnets listed in the VLAN subnet table below. Ensure each interface is functional (not shut down).
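A worked base configuration for NL_B1_SW1 covering the requirements above. This is an added example, not the lab's answer key; it assumes the GNS3 NM-16ESW switch module implied by the `vlan database` hint and the Fa1/x port numbering, that the EtherChannel to SW3 uses Fa1/2-3, a Mountain Standard Time zone (the office phone numbers are Arizona area codes), and leaves the NTP server address as a placeholder.

```ios
! NL_B1_SW1 base configuration (added example, not from the lab)
hostname NL_B1_SW1
service password-encryption
! enable secret stores a hash; the lab's plain passwords are kept only because it requires them
enable secret cisco
ip domain-name nuggetlabs.com
ip name-server 4.2.2.2 4.2.2.3
! local account for SSH logins (admin / cisco per the requirements)
username admin secret cisco
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
banner motd ^
Authorized NuggetLabs personnel only. Activity is logged.
^
line console 0
 password cisco
 login
 exec-timeout 180 0
 logging synchronous
line vty 0 15
 password cisco
 login local
 transport input telnet ssh
! assumption: Arizona, no DST; replace the placeholder with the NTP server from the requirements
clock timezone MST -7
ntp server NTP-SERVER-PLACEHOLDER
! VLANs in VLAN Database mode, as the lab requires on this platform
vlan database
 vlan 10 name Internet_DMZ
 vlan 64 name Client_Voice
 vlan 66 name Client_Data
 vlan 68 name Server
 vlan 69 name Public_WiFi
 vlan 70 name Private_Lab
 vlan 71 name Management
 exit
! management SVI, first address of the VLAN 71 subnet
interface Vlan71
 ip address 10.1.71.1 255.255.255.0
 no shutdown
! EtherChannel to SW2 (Fa1/0-1) and SW3 (Fa1/2-3), mode ON, trunks pruned to the VLANs each switch carries
interface range FastEthernet1/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 64,66,69,71
 channel-group 1 mode on
 no shutdown
interface range FastEthernet1/2 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 64,66,69,71
 channel-group 2 mode on
 no shutdown
! server access port, PortFast on a non-uplink edge port
interface FastEthernet1/4
 switchport mode access
 switchport access vlan 68
 spanning-tree portfast
 no shutdown
! root bridge for every VLAN (low priority wins)
spanning-tree vlan 10,64,66,68-71 priority 4096
```

Check with `show etherchannel summary`, `show interfaces trunk` (allowed VLAN list should match the per-switch table) and `show spanning-tree root`.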
- Assign the necessary ports to VLANs based on the following table. Enable all interfaces not being used for a switch uplink for PortFast.

    Port     NL-B1-SW1          NL-B1-SW2                NL-B1-SW3
    Fa1/0    Trunk              Trunk                    Trunk
    Fa1/1    Trunk              Trunk                    Trunk
    Fa1/2    Trunk              VLANs 64, 66 (Client)    VLANs 64, 66 (Client)
    Fa1/3    Trunk              VLANs 64, 66 (Client)    VLANs 64, 66 (Client)
    Fa1/4    VLAN 68 (Server)   VLANs 64, 66 (Client)    VLANs 64, 66 (Client)
    Fa1/13   VLAN 70 (Lab)      VLANs 66, 69, 71 (WAP)   VLANs 66, 69, 71 (WAP)
    Fa1/14   -                  -                        -
    Fa1/15   Routed Port        -                        -

- VLAN subnets for the routed interfaces on NL-B1-SW1:

    VLAN   Description          Network     Mask
    64     Client VoIP          10.1.64.0   255.255.254.0
    66     Client Data          10.1.66.0   255.255.254.0
    68     Server               10.1.68.0   255.255.255.0
    69     Public WiFi          10.1.69.0   255.255.255.0
    70     Lab                  10.1.70.0   255.255.255.0
    71     Network Management   10.1.71.0   255.255.255.0
    n/a    Point-to-Point       10.1.73.0   255.255.255.252

  Note: The 10.1.73.0/30 subnet should be configured as a routed interface on F1/15.
- Configure NL_B1_SW1 as the root of the Spanning Tree network for all VLANs.
- Configure the Server and PCs with the following configuration:

    Interface    IP Address                      Gateway
    Server NIC   10.1.68.50 / 255.255.255.0      10.1.68.1
    PC1 NIC      host in 10.1.64.0 / 255.255.254.0   10.1.64.1
    PC2 NIC      host in 10.1.66.0 / 255.255.254.0   10.1.66.1

- Testing
  - PC1 should be able to ping PC2
  - PC1 and PC2 should both be able to perform a ping and traceroute to the Server
  - The show spanning-tree output should reveal that NL_B1_SW1 is the root bridge
  - You should be able to Telnet and SSH to each switch from a PC or the Server using the management interface IP

Phase 3: Configuring the Internet Connection and VPN Tunnel

Scenario

Following your advice, the NuggetLabs branch office has installed a 50 Mbps Digital Subscriber Line (DSL) connection. They will be using a VPN connection to connect back to the corporate office.
Requirements

To help guide this initial configuration, you've assembled the following list of objectives:

- The NuggetLabs branch office router (NL_B1_RT1) needs a base configuration which includes the following:
  - Hostname
  - Passwords (CON, VTY, AUX, Enable) should be set to cisco
  - Logon banner
  - Three hour console port timeout
  - Synchronous logging on the console port
  - Telnet / SSH enabled (use nuggetlabs.com as your domain and admin/cisco for SSH credentials)
  - HTTP management disabled
  - DNS name resolution set to 4.2.2.2 and 4.2.2.3
  - Clock set, NTP configured (use 64.32.135 as the NTP server)
- The IP addresses for NL_B1_RT1 should be configured as follows:
  - Fa 0/0: 10.1.73.2 /30
  - Fa 0/1: 172.30.100.230 /24
- Configure a static default route on NL_B1_RT1 using the IP address of the ISP router (172.30.100.1) to reach the Internet. Once this default route is in place, NL_B1_RT1 should be able to ping Internet addresses (i.e. 4.2.2.2 or 8.8.8.8).
- Configure a static default route on NL_B1_SW1 using the inside IP address of NL_B1_RT1 (10.1.73.2) to reach the Internet.
- Configure NAT in such a way that the following requirements are met:
  - Subnets provisioned for the branch office are able to reach the Internet using a pool of public IP addresses from 172.30.100.231 to 172.30.100.235 (simulated public for purposes of the lab).
  - NOTE: NAT should be configured so only the specific subnets at the Branch office are processed by NAT on NL_B1_RT1.
  - The email server (10.1.68.50) is reachable from the public IP address 172.30.100.236.
- Testing - at this point, you should be able to accomplish the following:
  - Ping the Internet address 4.2.2.2 or 8.8.8.8 from any device in the NL branch network (test using PC1)
  - Verify NAT entries appear for the connections on NL_B1_RT1
  - Telnet to the Server (10.1.68.50) from its public IP address (172.30.100.236) from the corporate office (NL_CORP_RT1). NOTE: Since the server does not have a VTY password configured, the message "Password required but none set" is expected and indicates a successful test.
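A worked NL_B1_RT1 configuration for the NAT requirements above and the site-to-site VPN that follows (AES-128 / SHA1 / DH group 2, the pre-shared key from the requirements, no PFS). This is an added example, not the lab's answer key. It assumes NL_CORP_RT1's public address is 203.0.113.1 (an RFC 5737 placeholder) and covers only the corporate subnets named on this page (10.1.2.0/24 and 10.1.3.0/24); any further corporate subnets need matching lines in both ACLs.

```ios
! NL_B1_RT1 - NAT and site-to-site VPN (added example, not from the lab)
hostname NL_B1_RT1
interface FastEthernet0/0
 description Inside - to NL_B1_SW1 F1/15
 ip address 10.1.73.2 255.255.255.252
 ip nat inside
 no shutdown
interface FastEthernet0/1
 description Outside - DSL (172.30.100.0/24 simulates the public side)
 ip address 172.30.100.230 255.255.255.0
 ip nat outside
 crypto map NL-VPN
 no shutdown
! default route to the ISP, and the branch summary back towards the L3 switch
ip route 0.0.0.0 0.0.0.0 172.30.100.1
ip route 10.1.64.0 255.255.248.0 10.1.73.1
!
! traffic that must be encrypted: branch block <-> corporate subnets
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.64.0 0.0.7.255 10.1.2.0 0.0.0.255
 permit ip 10.1.64.0 0.0.7.255 10.1.3.0 0.0.0.255
! NAT only the branch block, and never the VPN-bound flows (deny = no translation)
ip access-list extended NAT-INSIDE
 deny   ip 10.1.64.0 0.0.7.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.64.0 0.0.7.255 10.1.3.0 0.0.0.255
 permit ip 10.1.64.0 0.0.7.255 any
ip nat pool BRANCH-PUBLIC 172.30.100.231 172.30.100.235 netmask 255.255.255.0
ip nat inside source list NAT-INSIDE pool BRANCH-PUBLIC overload
! static mapping for the mail server; the route-map keeps its VPN traffic untranslated
route-map NO-NAT-TO-CORP permit 10
 match ip address NAT-INSIDE
ip nat inside source static 10.1.68.50 172.30.100.236 route-map NO-NAT-TO-CORP
!
! IKE phase 1: AES-128, SHA-1, pre-shared key, DH group 2
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
! 203.0.113.1 is a placeholder for NL_CORP_RT1's public address
crypto isakmp key CBTNuggets-Key!!! address 203.0.113.1
! IKE phase 2: AES-128 with SHA-1 HMAC; no 'set pfs' because the requirements say no PFS
crypto ipsec transform-set BRANCH-TS esp-aes 128 esp-sha-hmac
crypto map NL-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set BRANCH-TS
 match address VPN-TRAFFIC
! verify: show crypto isakmp sa / show crypto ipsec sa / show ip nat translations
```

NL_CORP_RT1 needs the mirror image: the same policy and transform set, the key bound to 172.30.100.230, and a crypto ACL with source and destination swapped.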
- Configure a VPN connection between the NuggetLabs branch office facility and the corporate site using the following information (NOTE: this is beyond the current CCNA exam requirements; you will need to configure both NL_B1_RT1 and NL_CORP_RT1 for this exercise):
  - Interesting traffic: all subnets at both offices should forward over the VPN connection
  - Pre-shared key between sites: CBTNuggets-Key!!!
  - Phase 1 (ISAKMP) Settings: Encryption: AES-128, Hashing: SHA1, Protection: DH2
  - Phase 2 (IPSEC) Settings: Encryption: AES-128, Hashing: SHA1, No PFS
  - NAT: Be sure to adjust NAT appropriately for the VPN connection
- Testing
  - NL_B1_SW1 should be able to ping any of the VLAN interfaces on NL_CORP_SW1 including: VLAN 2: CORP_VOICE (10.1.2.1), VLAN 3: CORP_DATA (10.1.3.1)
  - NL_CORP_SW1 should be able to ping any of the VLAN interfaces on NL_B1_SW1 including: VLAN 64: Client VOICE (10.1.64.1), VLAN 66: Client DATA (10.1.66.1)

Phase 4: Routing Using OSPF

Scenario

Now that the NuggetLabs branch facility Internet and VPN connection is functional, you would like to implement OSPF routing between both offices. NOTE: To stay (somewhat) within CCNA Exam requirements, assume the ISP has created a private MPLS connection on the 172.30.100.0/24 network between the NuggetLabs Branch Office and the NuggetLabs Corporate Office. Because NuggetLabs is a growing organization, you intend to design their OSPF network for scalability, implementing the corporate office as the backbone and their first branch office as a different area (which allows for summarization in the network).
Requirements

To help guide this configuration, you've assembled the following list of objectives:

- Configure the NuggetLabs corporate office to support OSPF
  - The NL_CORP_RT1 router (the OSPF ABR) should use the Router ID 1.1.1.1
  - OSPF should run on both NL_CORP_RT1 and NL_CORP_SW1 (Router ID 1.1.1.2)
  - All networks internal to the corporate office should be in Area 0. Networks connecting to the branch office should be in Area 1.
  - Use only one OSPF network statement with an exact wildcard mask to advertise the corporate network. Use one additional OSPF network statement with a wildcard mask of 0.0.0.0 to form neighbors in Area 1.
  - Devices should use secure (hashed) OSPF authentication to ensure rogue devices cannot join as an OSPF neighbor. Use the password "cisco" when forming all neighbor relationships. Only non-passive interfaces need be configured for OSPF authentication.
  - Use an OSPF hello timer of 1 second between all OSPF neighbors.
- On the OSPF ABR, configure two-way summarization
  - The corporate office should summarize all internal Area 0 networks into a single route when advertised to other OSPF areas (with the exception of the 10.1.x.0/30 link between NL_CORP_SW1 and NL_CORP_RT1).
  - Devices internal to the corporate office should receive a single, summarized branch office route representing all internal branch office networks.
- Optimize OSPF
  - Ensure NL_CORP_RT1 and NL_B1_RT1 become the designated OSPF router for their respective Ethernet segments. NL_CORP_SW1 and NL_B1_SW1 should be exempted from the DR election completely.
- Testing
  - Verify OSPF neighbors have formed between all relevant Cisco devices
  - Verify all OSPF routes appear on all relevant Cisco devices
- Advertise a default route from both routers
  - Remove the static default route from both NL_B1_SW1 and NL_CORP_SW1
  - Configure NL_B1_RT1 and NL_CORP_RT1 to advertise a default route unconditionally to NL_B1_SW1 and NL_CORP_SW1.
  - Verify an OSPF default route now exists on both L3 switches.
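A worked OSPF configuration for the branch side and the ABR's summarization, covering the authentication, hello timer, DR election and default-route requirements above. This is an added example, not the lab's answer key. The branch Router IDs (2.2.2.1 and 2.2.2.2) and the corporate address block used in the area 0 range (10.1.0.0/21) are assumptions; the branch summary 10.1.64.0/21 is the one from the Phase 1 addressing plan.

```ios
! ---- NL_B1_RT1 (added example, not from the lab) ----
router ospf 1
 router-id 2.2.2.1
 network 10.1.73.2 0.0.0.0 area 1
 network 172.30.100.230 0.0.0.0 area 1
 ! 'always' advertises the default even if the router loses its own default route
 default-information originate always
! MD5 neighbor authentication, 1 s hello (dead interval becomes 4 s; both ends must match)
interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf hello-interval 1
 ! highest priority wins the DR election on the LAN segment
 ip ospf priority 255
interface FastEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf hello-interval 1
!
! ---- NL_B1_SW1 ---- area membership set per interface, no 'network' statements
no ip route 0.0.0.0 0.0.0.0 10.1.73.2
router ospf 1
 router-id 2.2.2.2
 passive-interface default
 no passive-interface FastEthernet1/15
interface FastEthernet1/15
 ip ospf 1 area 1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf hello-interval 1
 ! priority 0 removes the switch from the DR/BDR election entirely
 ip ospf priority 0
interface Vlan64
 ip ospf 1 area 1
interface Vlan66
 ip ospf 1 area 1
interface Vlan68
 ip ospf 1 area 1
interface Vlan69
 ip ospf 1 area 1
interface Vlan70
 ip ospf 1 area 1
interface Vlan71
 ip ospf 1 area 1
!
! ---- NL_CORP_RT1 (ABR) ---- two-way summarization and unconditional default
router ospf 1
 router-id 1.1.1.1
 ! branch block from the addressing plan, advertised into area 0 as one route
 area 1 range 10.1.64.0 255.255.248.0
 ! assumed corporate block; choose a range that does not cover the CORP_SW1-CORP_RT1 /30
 area 0 range 10.1.0.0 255.255.248.0
 default-information originate always
! verify: show ip ospf neighbor (state FULL/DR on the routers, FULL/DROTHER is impossible for priority 0)
! verify: show ip ospf interface (Message digest authentication enabled, Hello 1 Dead 4)
```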
- Configure the NuggetLabs branch office to support OSPF
  - The NL_B1_RT1 router and NL_B1_SW1 should each use a unique Router ID.
  - OSPF should run on both NL_B1_RT1 and NL_B1_SW1.
  - All VLAN interfaces on NL_B1_SW1 should be configured as passive with the exception of F1/15.
  - On the corporate side, all VLAN interfaces on NL_CORP_SW1 should be configured as passive with the exception of VLAN 1.
  - All networks in use at the branch office should be in Area 1. You may not use network commands under the OSPF routing process to advertise these networks.
  - Devices should use secure (hashed) OSPF authentication to ensure rogue devices cannot join as an OSPF neighbor. Use the password "cisco" when forming all neighbor relationships. Only non-passive interfaces need be configured for OSPF authentication.

Phase 5: Routing Using EIGRP

Scenario

You have just completed your OSPF configuration. To your dismay, one of the other Microsoft Windows technicians at NuggetLabs has begun to learn Cisco technology by taking courses from CBTNuggets. Apparently, one of the CBTNuggets instructors mentioned that EIGRP is the "best routing protocol in the world". The NuggetLabs technician has taken this to heart and has convinced NuggetLabs management to use EIGRP rather than OSPF. They would now like you to convert your OSPF configuration to EIGRP using ideal parameters. NOTE: To stay (somewhat) within CCNA Exam requirements, assume the ISP has created a private MPLS connection on the 172.30.100.0/24 network between the NuggetLabs Branch Office and the NuggetLabs Corporate Office.

Requirements

To help guide this configuration, you've assembled the following list of objectives:

- Remove all OSPF configuration from NL_CORP_RT1, NL_CORP_SW1, NL_B1_RT1, and NL_B1_SW1.
- Devices should use secure EIGRP authentication to ensure rogue devices cannot join as an EIGRP neighbor. Use the password "cisco" when forming all neighbor relationships. It is not necessary to configure authentication on passive interfaces.
- All interfaces on NL_B1_SW1 should be set as passive with the exception of the interface used to communicate with NL_B1_RT1.
- Configure the NuggetLabs corporate office to support EIGRP
  - EIGRP should run in autonomous system 7 on both NL_CORP_RT1 and NL_CORP_SW1 advertising all corporate networks
  - EIGRP should not use automatic summarization
  - All interfaces on NL_CORP_RT1 and NL_CORP_SW1 should be set as passive with the exception of WAN interfaces and interfaces in VLAN 1.
  - Devices should use secure EIGRP authentication to ensure rogue devices cannot join as an EIGRP neighbor. Use the password "cisco" when forming all neighbor relationships. It is not necessary to configure authentication on passive interfaces.
- Configure the NuggetLabs branch office to support EIGRP
  - EIGRP should run in autonomous system 7 on both NL_B1_RT1 and NL_B1_SW1.
  - EIGRP should not use automatic summarization
  - All networks in use at the branch office should be added to the EIGRP routing process.
  - Devices should use secure EIGRP authentication to ensure rogue devices cannot join as an EIGRP neighbor. Use the password "cisco" when forming all neighbor relationships. It is not necessary to configure authentication on passive interfaces.
- Configure two-way summarization using NL_B1_RT1 and NL_CORP_RT1
  - The corporate office should summarize all internal networks as a single route when advertising to the branch office.
  - The branch office should summarize all internal networks as a single route when advertising to the corporate office.
- Testing
  - Verify EIGRP neighbors have formed between all relevant Cisco devices
  - Verify all EIGRP routes appear on all relevant Cisco devices
- Advertise a default route from both routers
  - Configure NL_B1_RT1 and NL_CORP_RT1 to advertise a default route using redistribution to NL_B1_SW1 and NL_CORP_SW1.
  - Verify an EIGRP default route now exists on both L3 switches.

Phase 6: Services and Security

Scenario

The NuggetLabs Branch rollout is successful! All devices are communicating the way they should across the network. As the final phase of the implementation, you need to engage DHCP services for the VLANs. In addition, you must now roll out security to protect the Voice VLAN and server VLANs.
Requirements

To help guide this configuration, you've assembled the following list of objectives:

- For testing purposes, assign PC1 to the voice VLAN (64) while keeping PC2 assigned to the data VLAN (66).
- Configure NL_B1_SW1 as a DHCP server for the branch office network using the following parameters:
  - VLANs 64, 66, 69, and 70 should support DHCP services
  - In the initial testing phase, each VLAN should initially support DHCP assigned addresses from the range 10.1.X.10 - 10.1.X.100 with the correct subnet mask and default gateway.
  - All devices should use 4.2.2.2 and 4.2.2.3 as their primary and secondary DNS server respectively.
  - The voice VLAN should also support DHCP Option 150 (TFTP) to the address 10.1.68.10.
  - Once you have configured DHCP, configure PC1 and PC2 as DHCP clients and verify they receive the expected IP address assignment.
- Configure the following security restrictions for the branch office:
  - The Voice VLAN (64) should only be able to access (all else is restricted):
    - The NuggetLabs Corporate voice subnet (10.1.2.0/24)
    - The Voice VLAN default gateway (10.1.64.1)
    - The Internet
  - The Data VLAN (66) should only be able to access (all else is restricted):
    - 10.1.68.6 (Full Access - NL-B1-DC01)
    - 10.1.68.7 (Full Access - NL-B1-DC02)
    - 10.1.68.8 (TCP 21, 80, 443 - NL-B1-WEB01)
    - The Data VLAN default gateway (10.1.66.1)
    - The Internet
  - The Public WIFI VLAN (69) and Private Lab VLAN (70) should only be able to access (all else is restricted):
    - Their default gateways
    - The Internet
- Testing
  - From PC1 (VLAN 64)
    - Ping 10.1.64.1 (Voice VLAN gateway - should succeed)
    - Ping 10.1.66.1 (Data VLAN gateway - should fail)
    - Ping 10.1.2.1 (Corporate Voice VLAN gateway - should succeed)
    - Ping 4.2.2.2 (Internet DNS server - should succeed)
  - From PC2 (VLAN 66)
    - Ping 10.1.66.1 (Data VLAN gateway - should succeed)
    - Ping 10.1.64.1 (Voice VLAN gateway - should fail)
    - Ping 10.1.2.1 (Corporate Voice VLAN gateway - should fail)
    - Access TCP port 80 for 10.1.68.8 (should succeed). The connection will time out (fail), but the access-list should register hits on the corresponding entries.
    - Ping 4.2.2.2 (Internet DNS server - should succeed)
  - Move PC1 to VLAN 69 and renew the DHCP-assigned address
  - From PC1 (VLAN 69)
    - Ping 10.1.69.1 (Public WIFI VLAN gateway - should succeed)
    - Ping 10.1.64.1 (Voice VLAN gateway - should fail)
    - Ping 10.1.66.1 (Data VLAN gateway - should fail)
    - Ping 10.1.2.1 (Corporate Voice VLAN gateway - should fail)
    - Ping 4.2.2.2 (Internet DNS server - should succeed)
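A worked NL_B1_SW1 configuration for the DHCP scopes and the per-VLAN restrictions above. This is an added example, not the lab's answer key; the ACL and pool names are my own, and the "deny 10.0.0.0/8" lines rely on this design keeping every internal network inside 10/8, so anything else is treated as Internet (the simulated public 172.30.100.0/24 included).

```ios
! NL_B1_SW1 - DHCP service and inter-VLAN restrictions (added example, not from the lab)
! keep gateways and the addresses above .100 out of the .10-.100 scopes
ip dhcp excluded-address 10.1.64.1 10.1.64.9
ip dhcp excluded-address 10.1.64.101 10.1.65.255
ip dhcp excluded-address 10.1.66.1 10.1.66.9
ip dhcp excluded-address 10.1.66.101 10.1.67.255
ip dhcp excluded-address 10.1.69.1 10.1.69.9
ip dhcp excluded-address 10.1.69.101 10.1.69.255
ip dhcp excluded-address 10.1.70.1 10.1.70.9
ip dhcp excluded-address 10.1.70.101 10.1.70.255
ip dhcp pool VLAN64-VOICE
 network 10.1.64.0 255.255.254.0
 default-router 10.1.64.1
 dns-server 4.2.2.2 4.2.2.3
 option 150 ip 10.1.68.10
ip dhcp pool VLAN66-DATA
 network 10.1.66.0 255.255.254.0
 default-router 10.1.66.1
 dns-server 4.2.2.2 4.2.2.3
ip dhcp pool VLAN69-PUBLIC
 network 10.1.69.0 255.255.255.0
 default-router 10.1.69.1
 dns-server 4.2.2.2 4.2.2.3
ip dhcp pool VLAN70-LAB
 network 10.1.70.0 255.255.255.0
 default-router 10.1.70.1
 dns-server 4.2.2.2 4.2.2.3
!
! inbound filters on each SVI: explicit allows, then block the rest of 10/8, then Internet
ip access-list extended VOICE-IN
 remark clients must still reach the DHCP server running on this switch
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.64.0 0.0.1.255 host 10.1.64.1
 permit ip 10.1.64.0 0.0.1.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.64.0 0.0.1.255 10.0.0.0 0.255.255.255
 permit ip 10.1.64.0 0.0.1.255 any
ip access-list extended DATA-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.66.0 0.0.1.255 host 10.1.66.1
 permit ip 10.1.66.0 0.0.1.255 host 10.1.68.6
 permit ip 10.1.66.0 0.0.1.255 host 10.1.68.7
 permit tcp 10.1.66.0 0.0.1.255 host 10.1.68.8 eq ftp
 permit tcp 10.1.66.0 0.0.1.255 host 10.1.68.8 eq www
 permit tcp 10.1.66.0 0.0.1.255 host 10.1.68.8 eq 443
 deny   ip 10.1.66.0 0.0.1.255 10.0.0.0 0.255.255.255
 permit ip 10.1.66.0 0.0.1.255 any
ip access-list extended PUBLIC-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.69.0 0.0.0.255 host 10.1.69.1
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended LAB-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.70.0 0.0.0.255 host 10.1.70.1
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
interface Vlan64
 ip access-group VOICE-IN in
interface Vlan66
 ip access-group DATA-IN in
interface Vlan69
 ip access-group PUBLIC-IN in
interface Vlan70
 ip access-group LAB-IN in
! verify: show ip dhcp binding / show ip access-lists (the TCP 80 test should raise the 'eq www' counter)
```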
Appendix A: Configuring IKE

Documentation:

1. Document your IKE Phase 1 negotiation criteria (example below)
   Encryption algorithm: AES-128
   Hashing: SHA-1
   Authentication: pre-shared
   Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
   Encryption algorithm: esp-aes 128
   Authentication: esp-sha-hmac

Configuring IKE Phase 1:

1. Enable ISAKMP
   crypto isakmp enable
2. Create ISAKMP Policy
   crypto isakmp policy 100
    encryption aes 128
    authentication pre-share
    group 2
    hash sha
3. Configure ISAKMP Identity
   crypto isakmp identity address | hostname
4. Configure pre-shared keys
   crypto isakmp key <key> address <remote ip address>

Configuring IKE Phase 2:

1. Create transform sets
   crypto ipsec transform-set <name> <methods>
   crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
2. Configure IPSec lifetime (optional)
   crypto ipsec security-association lifetime seconds <secs> | kilobytes <kbytes>
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be received encrypted
4. Configure IPSec crypto-map
   crypto map <name> <seq> ipsec-isakmp
   crypto map MAP 100 ipsec-isakmp
    match address <acl>
    set peer <remote ip addr>
    set pfs <group1|group2|group5>
    set transform-set <set>

Verify:
   show crypto isakmp policy