Case Study 3 Voice and Security in a Switched Network

Topology Diagram

Lo 0 200.200.10.5/32 EIGRP AS 100

GATEWAY

Fa0/0 Fa0/1 192.168.1.0/30

192.168.0.0/30

Fa0/24
Fa0/12 Fa0/24
Fa0/12
Fa0/6 Fa0/11 Fa0/11
DLS1
Fa0/10 Fa0/10 DLS2
Fa0/9 Fa0/9
DHCP Server
Fa0/7 Fa0/8 Fa0/7 Server Farm
Fa0/8
VLAN 150
172.16.150.0/24
Fa0/15-20

Fa0/10
Fa0/10
Fa0/8 Fa0/8 Fa0/7
Fa0/7
Fa0/9
Fa0/9

ALS1 ALS2

VLAN 10 VLAN 20
VLAN 10 VLAN 20 172.16.10.0/24 172.16.20.0/24
172.16.10.0/24 172.16.20.0/24 Fa0/1-6 Fa0/13-24
Fa0/1-6 Fa0/13-24

Instructions
Plan, design, and implement the International Travel Agency switched network as shown in the
diagram and described below. Implement the design on the lab set of switches. Verify that all
configurations are operational and functioning according to the guidelines.

1 

 
 Scenario

The International Travel Agency has two distribution switches, DLS1 and DLS2, and two access
layer switches, ALS1 and ALS2. Configure a group of switches as follows:
 

• Place all switches in VTP domain CISCO and set DLS1 and DLS2 as VTP server.
• Make sure that all inter-switch links are statically set as 802.1q trunks
• Create etherchannels for each set of trunk links between each of the switches.
• Create the following VLANs in the VTP domain:
o 10 Staff
o 20 Students
o 99 Parking
o 100 Management
o 110 Voice
• Configure the following interfaces as access ports
VLAN 10 VLAN 20 VLAN100
DLS1 Fa0/6
ALS1 Fa0/1-6 Fa0/13-24
ALS2 Fa0/1-6 Fa0/13-24
• Place all unused interfaces into the Parking VLAN, and make sure in access mode and
shut down
• Configure Spanning-tree as follows on each switch: MST instance 1 – VLAN 10, 20. Make
primary on DLS1 and Secondary on DLS2. MST instance 2 – VLAN 100, 110. Make
primary on DLS2 and Secondary on DLS1.
• For HSRP Gateway addresses use the following: VLAN 10: 172.16.10.1/24, VLAN 20:
172.16.20.1/24, VLAN100: 172.16.100.1, VLAN 110: 172.16.100.1/24
• For Management create SVI addresses on each switch. Make sure your can ping each
device.
• Create a layer 3 interface on DLS1 and DLS2. Give the following IP addresses: DLS1
192.168.0.2/30, DLS2 192.168.1.2/30.
• Create HSRP on the two DL Switches so that DLS1 is active for VLANs 10,20, and DLS2 is
active for VLANs 100, 110. Include the pre-empt option, and configure interface tracking on
the links to the GATEWAY router.
• Configure GATEWAY with relevant IP addresses,
• Configure EIGRP with an AS of 100 disable automatic summarization.
• Enable PortFast on all access ports
• Protect the primary and secondary root bridge with root guard
• Enable UDLD protection on all switchports interfaces on all switches, using the command
to place the port in the error-disable state if a violation occurs.
• Enable QoS globally on each switch.
• On the Staff VLAN manually configure these ports to trust Cisco phones for QoS, using
VLAN 110 as the voice VLAN, for both AL switches.
• Configure DHCP spoofing to trust all trunk ports as well as interface fa0/6 on DLS1. Limit
the rate of DHCP requests on all user access ports to 15 pps.
• Configure ALS1 Fa0/13-24 for port security. Allow only up to three MAC addresses to be
learned on each port and then drop any traffic from other MAC addresses.
• Configure ALS2 Fa0/18 to only allow the MAC address 1234.1234.1234 and to go to
protected mode if a violation occurs.
2 

 
 • You are going to add a server farm to DLS2, but each server in the farm is to be isolated
from each other.
• On DLS2 add VLAN 150 Server_Farm
• Add routing and HRSP information for VLAN150 making DLS2 the primary and DLS1 the
standby. Use the network 172.16.150.0/24
• Change DLS2 vtp mode to transparent. Create VLAN 151 as an isolated VLAN, and VLAN
152 as a community VLAN. Associate VLANs 151,152 with the Primary VLAN 150
• Configure DLS2 interface Fa0/15 for the isolated VLAN 151 and interfaces fa0/18-20 for the
community VLAN 152.
• Create an ACL to separate the student and staff VLANs
• A temporary staff member is going to be assigned to DSL1 Fa0/3 with an IP address of
172.16.10.150. Assign this interface to the Staff VLAN and create a VACL to block access
to the rest of the Staff VLAN, and still have access to the rest of the network.
• Configure SSH on GATEWAY to allow remote access. Use the ip domain name as
sshremote.lab. Add a user Admin password sshuser. Test ssh access with PuTTY.

3