Command Problems

Started by TheBigDog, December 05, 2015, 07:03:51 PM


TheBigDog

Hi all, I am doing out a network here and I am unsure about some of the commands needed to do what is stated in the question. It would be appreciated if I was given some help.

1.   Hostnames as per diagram
2.   DLS1 is the VTP Server
        DLS2 + ALS1 are VTP Clients
        ALS2 is VTP transparent
        VTP domain is practice.com
        VTP password is practice

DLS1(config)#vtp mode server
DLS1(config)#vtp domain practice.com
DLS1(config)#vtp password practice
DLS2(config)#vtp mode client
DLS2(config)#vtp domain practice.com
DLS2(config)#vtp password practice
ALS1(config)#vtp mode client
ALS1(config)#vtp domain practice.com
ALS1(config)#vtp password practice
ALS2(config)#vtp mode transparent
ALS2(config)#vtp domain practice.com
ALS2(config)#vtp password practice

3. VLANs
VLAN 2   10.2.0.0/24   STUDENT
VLAN 3   10.3.0.0/24   LECTURER
VLAN 4   10.4.0.0/24   MANAGEMENT

DLS1(config)#vlan 2
DLS1(config-vlan)#name STUDENT
DLS1(config-vlan)#exit
DLS1(config)#vlan 3
DLS1(config-vlan)#name LECTURER
DLS1(config-vlan)#exit
DLS1(config)#vlan 4
DLS1(config-vlan)#name MANAGEMENT
DLS1(config-vlan)#exit

4. Disable all ports. Enable on an as-needed basis
DLS1(config)#interface range fastEthernet 0/1 - 24
DLS1(config-if-range)#shutdown
DLS2(config)#interface range fastEthernet 0/1 - 24
DLS2(config-if-range)#shutdown
ALS1(config)#interface range fastEthernet 0/1-24
ALS1(config-if-range)#shutdown
ALS2(config)#interface range fastEthernet 0/1-24
ALS2(config-if-range)#shutdown

I know how to turn the ones I need on

5. Trunking between DLS1 and DLS2 is using ISL
All other trunks use DOT1Q
Untagged traffic carried on VLAN 3

DLS1(config)# interface range fastEthernet 0/1 - 2
DLS1(config-if-range)# switchport trunk encapsulation isl
DLS1(config-if-range)# switchport mode trunk

DLS1(config)# interface range fastEthernet 0/7 - 8
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk


DLS2(config)# interface range fastEthernet 0/1 - 2
DLS2(config-if-range)# switchport trunk encapsulation isl
DLS2(config-if-range)# switchport mode trunk

DLS2(config)# interface range fastEthernet 0/3 - 4
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# switchport mode trunk

ALS1(config)# interface range fastEthernet 0/3 - 4
ALS1(config-if-range)# switchport trunk encapsulation dot1q
ALS1(config-if-range)# switchport mode trunk

ALS1(config)# interface range fastEthernet 0/5 - 6
ALS1(config-if-range)# switchport trunk encapsulation dot1q
ALS1(config-if-range)# switchport mode trunk

ALS2(config)# interface range fastEthernet 0/7 - 8
ALS2(config-if-range)# switchport trunk encapsulation dot1q
ALS2(config-if-range)# switchport mode trunk

ALS2(config)# interface range fastEthernet 0/5 - 6
ALS2(config-if-range)# switchport trunk encapsulation dot1q
ALS2(config-if-range)# switchport mode trunk

Don't know how to do untagged.




6. Configure Ether channel between ALS1 and ALS2

ALS1(config)#interface range fastEthernet 0/5 - 6
ALS1(config-if-range)#switchport mode trunk
ALS1(config-if-range)#channel-group 1 mode desirable

ALS2(config)#interface range fastEthernet 0/5 - 6
ALS2(config-if-range)#switchport mode trunk
ALS2(config-if-range)#channel-group 1 mode desirable

6A Configure management interface on ALS1 and ALS2


7. Configure rapid per vlan spanning tree
DLS1 is root for VLAN 2
Back up root for VLAN 3 and 4

DLS1(config)# spanning-tree mode rapid-pvst
DLS1(config)#spanning-tree vlan 2 root primary
DLS1(config)#spanning-tree vlan 3 root secondary
DLS1(config)#spanning-tree vlan 4 root secondary

DLS2 is the root for VLAN 3 + 4
Backup root for VLAN 2

DLS2(config)#spanning-tree mode rapid-pvst
DLS2(config)#spanning-tree vlan 3 root primary
DLS2(config)#spanning-tree vlan 4 root primary
DLS2(config)#spanning-tree vlan 2 root secondary


8. Configure DLS1 and DLS2 for routing
DLS1 routes for VLAN 2
Back up routing for VLAN 3, 4

DLS1(config)# ip routing
DLS1(config)# interface vlan 2
DLS1(config-if)# ip address 10.2.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.2.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 150
DLS1(config-if)# interface vlan 3
DLS1(config-if)# ip address 10.3.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.3.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 100
DLS1(config-if)# interface vlan 4
DLS1(config-if)# ip address 10.4.0.3 255.255.255.0
DLS1(config-if)# standby 1 ip 10.4.0.1
DLS1(config-if)# standby 1 preempt
DLS1(config-if)# standby 1 priority 100


DLS2 routes for VLAN 3 + 4
Backup routing for VLAN 2
DLS2(config)# ip routing
DLS2(config)# interface vlan 3
DLS2(config-if)# ip address 10.3.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.3.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 150
DLS2(config-if)# interface vlan 4
DLS2(config-if)# ip address 10.4.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.4.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 150
DLS2(config-if)# interface vlan 2
DLS2(config-if)# ip address 10.2.0.2 255.255.255.0
DLS2(config-if)# standby 1 ip 10.2.0.1
DLS2(config-if)# standby 1 preempt
DLS2(config-if)# standby 1 priority 100



9. Configure DHCP Server on DLS1
To allocate IP addresses to management, student + lecturers

10. Configure access ports on all switches
Ports fa0/9 for management
10 - 15 for student
16 - 20 for lecturers
Enable appropriate ports as per topology

DLS2(config)# interface fastEthernet 0/9
DLS2(config-if)# switchport mode access
DLS2(config-if)# switchport access vlan 4
DLS2(config-if)# spanning-tree portfast

ALS1(config)# interface range fastEthernet 0/10 - 15
ALS1(config-if-range)# switchport mode access
ALS1(config-if-range)# switchport access vlan 2
ALS1(config-if-range)# spanning-tree portfast

ALS2(config)# interface range fastEthernet 0/16 - 20
ALS2(config-if-range)# switchport mode access
ALS2(config-if-range)# switchport access vlan 3
ALS2(config-if-range)# spanning-tree portfast


11. Ensure ports that are access ports go directly from blocking to forwarding

12. Disable cdp and http traffic on DLS1
DLS1# configure terminal
DLS1(config)# no cdp run
DLS1(config)# no ip http server
DLS1(config)# end


13. Enable http on DLS1
DLS1# configure terminal
DLS1(config)# cdp run
DLS1(config)# end

14. Configure console security on ALS1
Password Fiona
If the port is inactive for 1 minute the connection should be terminated
ALS1# configure terminal
ALS1(config)# line con 0
ALS1(config-line)# password Fiona
ALS1(config-line)# login
ALS1(config-line)# exec-timeout 1 0

15. Configure VTY access on DLS2
Users should only be able to connect using ssh for domain Sligo.com, using a username Fiona and secure password as Mitchell. Data that passes across the connection should be encrypted using a KSA key size 5/2. The user has 5 authentication retries for ssh

16. Ensure students cannot communicate with users on the management VLAN

17. Configure VTY connect on DLS1 to allow
Telnet only for users in the management VLAN using a password Mitchell

18. All passwords that are plaintext should be encrypted using MD7 encryption; do this on DLS1

19. On ALS1 only allow mac address to be learned. The port should shut down if an illegal mac address is learned.
If the port goes into error disable state due to a security violation it should recover after 3 minutes.

20. On ALS1 ports 5,6,7,8 ensure broadcast traffic does not exceed 20%

21. On DLS2 make sure the minimum password length is 5 characters long
DLS2(config)#security passwords min-length 5

22. On DLS2 make sure if a user tries to illegally enter into systems 5 times in a 2 minute period they are locked out for 5 minutes

DLS2(config)#login block-for 5 attempts 5 within 2


deanwebb

Where much is given, much can be received. :) Your text or an online search should be able to produce the command syntax needed to finish this exercise. This is a good exercise, by the way... a full summary of a number of concepts.

I don't see DHCP scopes defined or ip helper statements on the other switches pointing to DLS1.

Need to do the SSH stuff... and to keep communication from happening from student to management, you will need an ACL statement.

19 requires port-security statements. You're looking for "sticky" commands in this case.

20 calls for policing or shaping statements... if you don't want to drop outright, go with shaping. If the traffic is discardable, policing.

21 and 22 look good to me.

One more thing - what VLANs are being shared on the trunks? I don't see anything about that in your commands.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
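Editor's added example, not commands from any post in this thread: one way to supply the pieces deanwebb lists as missing (DHCP scopes and ip helper, the SSH-only VTY, the student-to-management ACL, sticky port-security) plus an explicit allowed-VLAN list on the trunks. Addresses, VLAN numbers, port numbers and credentials are the exercise's own; the helper-address target, the 2048-bit key size (the exercise's "5/2" is unreadable), the ACL name STUDENT-IN and the 180-second recovery interval are my assumptions. Written as running-config fragments rather than prompt transcripts, with the switch named in the comment before each fragment.

```cisco
! ===== DLS1: DHCP server (task 9) =====
! Keep the HSRP virtual gateway (.1) and both SVI addresses out of every pool.
ip dhcp excluded-address 10.2.0.1 10.2.0.3
ip dhcp excluded-address 10.3.0.1 10.3.0.3
ip dhcp excluded-address 10.4.0.1 10.4.0.3
ip dhcp pool STUDENT
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
ip dhcp pool LECTURER
 network 10.3.0.0 255.255.255.0
 default-router 10.3.0.1
ip dhcp pool MANAGEMENT
 network 10.4.0.0 255.255.255.0
 default-router 10.4.0.1
!
! ===== DLS2: DHCP relay (deanwebb's ip helper point) =====
! Only needed on a VLAN where the DHCP server has no SVI of its own; with
! DLS1's SVIs up it hears the broadcasts directly. Target (assumed) is
! DLS1's management SVI from the original post.
interface vlan 2
 ip helper-address 10.4.0.3
!
! ===== DLS1 and DLS2: students cannot reach the management VLAN (task 16) =====
! Applied inbound on the student SVI on both switches, so it is enforced
! whichever one is the active HSRP gateway. Logging the denies makes
! attempts visible in syslog.
ip access-list extended STUDENT-IN
 deny   ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255 log
 permit ip any any
interface vlan 2
 ip access-group STUDENT-IN in
!
! ===== DLS2: SSH-only VTY with a local user and 5 retries (task 15) =====
ip domain-name Sligo.com
username Fiona secret Mitchell
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 5
line vty 0 4
 login local
 transport input ssh
!
! ===== Trunks: carry only the VLANs that exist (deanwebb's last point) =====
! Shown for DLS1 fa0/7-8; repeat on every trunk.
interface range fastEthernet 0/7 - 8
 switchport trunk allowed vlan 2,3,4
!
! ===== ALS1: sticky port-security with timed recovery (task 19) =====
! One learned MAC per port, shut the port on a violation, and let the
! switch clear the err-disable state after 180 s (assumed interval).
errdisable recovery cause psecure-violation
errdisable recovery interval 180
interface range fastEthernet 0/10 - 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
```

The sticky MACs land in the running config, so a `write memory` after the hosts have been seen is what makes the port-security table survive a reload; without it the ports relearn whatever is plugged in after the next boot.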

NetworkGroover

Here's how people do VTP in the real world.


switch(config)# vtp mode transparent
*move to the next switch and do the same*

:problem?:
Engineer by day, DJ by night, family first always

wintermute000

vtpv3 ain't so bad. You have to manually force a server into primary master in enable (not conf). In fact you can demote all servers to secondary and only promote on demand (i.e. to make changes), and any primary status is lost on reboot i.e. all servers come up as secondary as standard.


If vtpv2 had this kind of behaviour, the entire vtp protocol wouldn't have this stigma. Heck on a conceptual level it's just an orchestrator isn't it?  :professorcat:
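An added configuration example (the editor's, not wintermute000's) showing the VTPv3 behaviour described above on Cisco IOS. The domain and password come from the exercise; the hidden-password and primary-server commands are standard VTPv3 syntax, and the hostnames follow the exercise's DLS1/DLS2 naming.

```cisco
! ===== DLS1: the one switch allowed to change the VLAN database =====
vtp version 3
vtp domain practice.com
vtp mode server
! "hidden" keeps only the password's hash in the running config, so
! "show running-config" does not reveal it.
vtp password practice hidden
!
! In privileged exec, NOT in config mode: promote this server to primary.
! The promotion is not saved, so after a reboot every server comes up as
! secondary and a stray high-revision switch cannot overwrite the VLANs
! the way a VTPv2 server could. The command asks for confirmation.
! DLS1# vtp primary vlan
!
! ===== DLS2 (and the other switches): stay secondary or client =====
! They only accept VLAN updates that carry the elected primary's identity.
vtp version 3
vtp domain practice.com
vtp mode client
vtp password practice hidden
```

`show vtp status` on any switch reports which device is the primary server; if that field is empty, nobody can push VLAN changes until `vtp primary vlan` is run again.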

icecream-guy

Quote from: TheBigDog on December 05, 2015, 07:03:51 PM

5. Trunking between DLS1 and DLS2 is using ISL
All other trunks use DOT1Q
Untagged traffic carried on VLAN 3


Don't know how to do untagged.


** set the native vlan on the trunk port configuration

Quote from: TheBigDog on December 05, 2015, 07:03:51 PM

9. Configure DHCP Server on DLS1
To allocate IP addresses to management, student + lecturers


*** need to set DHCP server configuration on switch

Quote from: TheBigDog on December 05, 2015, 07:03:51 PM

11. Ensure ports that are access ports go directly from blocking to forwarding


*** spanning tree issue, look there, command is like #spanning-tree p<something>...

Quote from: TheBigDog on December 05, 2015, 07:03:51 PM

13. Enable http on DLS1
DLS1# configure terminal
DLS1(config)# cdp run
DLS1(config)# end


***This command sets CDP to run, has nothing to do with HTTP

starts with #no ip

Not even gonna comment on 15-20 until you at least give them a try.

rest looks pretty good
:professorcat:

My Moral Fibers have been cut.
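Editor's added example, not icecream-guy's or the OP's commands, filling in the three things icecream-guy points at (native VLAN, portfast, HTTP vs CDP) plus a broadcast storm-control stanza for task 20 (storm-control is my choice; deanwebb suggests policing or shaping instead). Port numbers are the exercise's; the BPDU guard line is the usual companion to portfast and is my addition.

```cisco
! ===== Untagged traffic on the dot1q trunks (task 5) =====
! ISL tags every frame, so only the dot1q trunks need a native VLAN.
! Both ends of a trunk must agree, or CDP/STP log a native-VLAN mismatch
! and untagged frames end up in the wrong VLAN. Shown for DLS2 fa0/3-4
! (towards ALS1 in the original post); on a 2960-class ALS the
! "encapsulation" line does not exist because it only speaks dot1q.
interface range fastEthernet 0/3 - 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport mode trunk
!
! ===== Access ports straight to forwarding (task 11) =====
! portfast skips listening/learning; bpduguard err-disables the port if
! anything plugged into an access port starts sending BPDUs.
interface range fastEthernet 0/9 - 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
! Equivalent global defaults for every access port:
! spanning-tree portfast default
! spanning-tree portfast bpduguard default
!
! ===== DLS1: CDP and HTTP are separate services (tasks 12 and 13) =====
! task 12: both off
no cdp run
no ip http server
no ip http secure-server
! task 13: HTTP back on. The OP's "cdp run" re-enables CDP, not HTTP.
ip http server
!
! ===== ALS1 fa0/5-8: cap broadcasts at 20% of link bandwidth (task 20) =====
! Excess broadcasts are dropped for the rest of the interval; "action trap"
! additionally raises an SNMP trap instead of err-disabling the port.
interface range fastEthernet 0/5 - 8
 storm-control broadcast level 20.00
 storm-control action trap
```

`show interfaces trunk` confirms the native VLAN on each end after the change, and `show spanning-tree interface fa0/10 detail` shows whether portfast and BPDU guard actually took effect on a given port.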

NetworkGroover

Quote from: wintermute000 on December 06, 2015, 07:16:05 PM
vtpv3 ain't so bad. You have to manually force a server into primary master in enable (not conf). In fact you can demote all servers to secondary and only promote on demand (i.e. to make changes), and any primary status is lost on reboot i.e. all servers come up as secondary as standard.


If vtpv2 had this kind of behaviour, the entire vtp protocol wouldn't have this stigma. Heck on a conceptual level it's just an orchestrator isn't it?  :professorcat:

Yeah I'll agree with ya.  Also if you're running non-default MST config it has added benefit.  Otherwise, I really don't see the point.  In the worst case, manual copy/paste is the suck but very manageable.. otherwise there's plenty of other automation platforms to push out VLAN config in addition to configuration outside of VLANs.
Engineer by day, DJ by night, family first always

flipmode

This is a really awesome exercise. Do you guys know where I can get exercises/labs like this (that won't cost me an arm and a leg)? Doesn't have to be on equipment. Just something like this on paper would be fine. I copied every line in this and had a lot of fun writing down the commands.

deanwebb

Quote from: flipmode on February 06, 2016, 08:22:05 AM
This is a really awesome exercise. Do you guys know where I can get exercises/labs like this (that won't cost me an arm and a leg)? Doesn't have to be on equipment. Just something like this on paper would be fine. I copied every line in this and had a lot of fun writing down the commands.

I'm putting together some lab exercises in the forum here. What would you like to see more of? I'll get to work on it, even if it means that I have to learn it, too!

I made a thread for requests: http://www.networking-forums.com/index.php?topic=744
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.