CCNA Lab Packet Tracer Activity 8.6.1 [Resolved] part 2

Continuation from part 1

Task 8: Assign VLANs and Configure Port Security
Step 1. Assign VLANs to access ports.

Use the VLAN Configuration and Port Mappings table to complete the following requirements:
 - Configure access ports
 - Assign VLANs to the access ports

Branch B3 LAN Topology
Configure access ports (on all BX-S2 switches)
B3-S2(config)#interface fa0/6
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 10

B3-S2(config-if)#interface fa0/11
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 20

B3-S2(config-if)#interface fa0/16
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 30
Configure the wireless port (on BX-S3) as an access port
B3-S3(config)#interface fa0/7
B3-S3(config-if)#switchport mode access
B3-S3(config-if)#switchport access vlan 88
Step 2. Configure port security.
Use the following policy to establish port security on the BX-S2 access ports:
 - Allow only one MAC address
 - Configure the first learned MAC address to "stick" to the configuration
 - Set the port to shut down if there is a security violation
B3-S2(config)#interface range fastEthernet 0/6 - 24
B3-S2(config-if-range)#switchport port-security
! the default is already 1 MAC address, but we enter the command anyway
B3-S2(config-if-range)#switchport port-security maximum 1
B3-S2(config-if-range)#switchport port-security mac-address sticky
Step 3. Verify VLAN assignments and port security.
Use the appropriate commands to verify that access VLANs are correctly assigned and that the port security policy has been enabled.

B3-S2#show port-security interface f0/6
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
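The Step 3 check above is done by eye on one interface. The following script, an added example that is not part of the original lab write-up, parses the `show port-security interface` output format shown on this page and audits each port against the Task 8 policy (maximum of one MAC, violation mode shutdown) while flagging ports that port security has already err-disabled. The two sample blocks embedded in it are constructed to match the page's B3-S2 output (a healthy f0/6 and an f0/11 shut down after a violation); whether sticky learning is configured cannot be read from this output, so it is not checked.

```python
"""Audit 'show port-security interface' output against the Task 8 policy.

Added example, not part of the original lab. SAMPLE_OUTPUT is constructed in
the format of the B3-S2 output shown on the page.
"""
import re

# Constructed sample: one healthy port and one port shut down after a violation.
SAMPLE_OUTPUT = """\
B3-S2#show port-security interface f0/6
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
B3-S2#show port-security interface f0/11
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0CEA.CDE5:20
Security Violation Count   : 1
"""

# Prompt line that starts a new block, e.g. "B3-S2#show port-security interface f0/6"
# (abbreviated forms such as "sh port-sec int" are accepted too).
PROMPT_RE = re.compile(r"^\S+#\s*sh(?:ow)?\s+port-sec(?:urity)?\s+int(?:erface)?\s+(.+?)\s*$")
# "Field name   : value". The whitespace before the colon keeps the
# "Last Source Address:Vlan" field name intact.
FIELD_RE = re.compile(r"^(.+?)\s+:\s+(.*)$")


def parse_port_security(text):
    """Return {interface: {field: value}} for every show block in the text."""
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            ports[current][m.group(1).strip()] = m.group(2).strip()
    return ports


def audit_port(fields):
    """Return a list of findings for one interface; an empty list means it
    complies with the policy and has not been shut down."""
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled"]
    findings = []
    if fields.get("Violation Mode") != "Shutdown":
        findings.append(f"violation mode is {fields.get('Violation Mode')}, policy requires Shutdown")
    if fields.get("Maximum MAC Addresses") != "1":
        findings.append(f"maximum is {fields.get('Maximum MAC Addresses')}, policy requires 1")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append(f"err-disabled after a violation, last source {fields.get('Last Source Address:Vlan')}")
    elif int(fields.get("Security Violation Count", "0")) > 0:
        findings.append(f"{fields['Security Violation Count']} violation(s) recorded")
    return findings


def audit(text):
    """Map every interface in the output to its list of findings."""
    return {iface: audit_port(f) for iface, f in parse_port_security(text).items()}


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_OUTPUT).items():
        print(iface, "OK" if not findings else "; ".join(findings))
```

A port reported as `Secure-shutdown` is err-disabled: `clear port-security` removes the learned addresses but does not bring the port back, so the interface has to be reset with `shutdown` followed by `no shutdown` (or recovered automatically with `errdisable recovery cause psecure-violation`).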

Task 9: Configure STP
Step 1. Configure BX-S1 as the root bridge.

Set the priority level to 4096 on BX-S1 so that these switches are always the root bridge for all VLANs.

B3-S1(config)#spanning-tree vlan 1-1001 priority 4096
Step 2. Configure BX-S3 as the backup root bridge.
Set the priority level to 8192 on BX-S3 so that these switches are always the backup root bridge for all VLANs.

B2-S3(config)#spanning-tree vlan 1-1001 priority 8192
Step 3. Verify that BX-S1 is the root bridge.
Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     00D0.BA3D.2C94
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097  (priority 4096 sys-id-ext 1)
             Address     00D0.BA3D.2C94
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     00D0.BA3D.2C94
             This bridge is the root
             ...
             
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     00D0.BA3D.2C94
             This bridge is the root   
             ...

VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    4126
             Address     00D0.BA3D.2C94
             This bridge is the root   
             ...

VLAN0088
  Spanning tree enabled protocol ieee
  Root ID    Priority    4184
             Address     00D0.BA3D.2C94
             This bridge is the root       
             ...
             
VLAN0099
  Spanning tree enabled protocol ieee
  Root ID    Priority    4195
             Address     00D0.BA3D.2C94
             This bridge is the root   
             ...             
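The output above shows the root priority as 4097 for VLAN 1, 4106 for VLAN 10 and so on, because PVST+ appends the VLAN number to the configured priority as the 12-bit system ID extension. The script below, an added example that is not part of the original lab, computes that displayed value and runs the per-VLAN root election (lowest priority wins, lowest MAC breaks a tie) for the three priorities the lab configures. BX-S1's MAC is taken from the page's output; the other two MAC addresses are constructed.

```python
"""Per-VLAN root bridge election as configured in Task 9.

Added example, not part of the original lab. Priorities are the ones the lab
sets (4096 on BX-S1, 8192 on BX-S3, IOS default 32768 on BX-S2).
"""

# (name, configured priority, base MAC)
BRIDGES = [
    ("B3-S1", 4096, "00D0.BA3D.2C94"),   # MAC from the page's show spanning-tree output
    ("B3-S2", 32768, "0001.C9A1.5E00"),  # constructed
    ("B3-S3", 8192, "0002.4A7B.91C0"),   # constructed
]


def bridge_priority(configured, vlan):
    """Priority as displayed by 'show spanning-tree': the configured value
    (a multiple of 4096) plus the VLAN number as system ID extension."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return configured + vlan


def elect_root(bridges, vlan):
    """Return (name, displayed priority) of the root bridge for one VLAN.
    The lowest bridge ID wins: priority first, then the lowest MAC on a tie."""
    def bridge_id(b):
        _, configured, mac = b
        return (bridge_priority(configured, vlan), mac.replace(".", "").lower())
    name, configured, _ = min(bridges, key=bridge_id)
    return name, bridge_priority(configured, vlan)


def elect_all(bridges, vlans):
    """Root election for every VLAN in the list."""
    return {vlan: elect_root(bridges, vlan) for vlan in vlans}


if __name__ == "__main__":
    for vlan, (root, prio) in elect_all(BRIDGES, [1, 10, 20, 30, 88, 99]).items():
        print(f"VLAN{vlan:04d}: root {root} (priority {prio})")
```

Removing B3-S1 from the list makes B3-S3 the root at priority 8192 plus the VLAN number, which is what "backup root bridge" in Step 2 means in practice.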

Task 10: Configure DHCP
Step 1. Configure DHCP pools for each VLAN.

On the Branch routers, configure DHCP pools for each VLAN using the following requirements:
 - Exclude the first 10 IP addresses in each pool for the LANs.
 - Exclude the first 24 IP addresses in each pool for the wireless LANs.
 - The pool name is BX_VLAN## where X is the router number and ## is the VLAN number.
 - Include the DNS server attached to the HQ server farm as part of the DHCP configuration.

Configure on the Branch routers. First exclude the reserved addresses from each pool:

B3(config)#ip dhcp excluded-address 10.3.10.1 10.3.10.10
B3(config)#ip dhcp excluded-address 10.3.20.1 10.3.20.10
B3(config)#ip dhcp excluded-address 10.3.30.1 10.3.30.10
B3(config)#ip dhcp excluded-address 10.3.88.1 10.3.88.24
Configure VLAN pools
B3(config)#ip dhcp pool B3_VLAN10
B3(dhcp-config)#network 10.3.10.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.10.1

B3(config)#ip dhcp pool B3_VLAN20
B3(dhcp-config)#network 10.3.20.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.20.1

B3(config)#ip dhcp pool B3_VLAN30
B3(dhcp-config)#network 10.3.30.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.30.1

B3(config)#ip dhcp pool B3_VLAN88
B3(dhcp-config)#network 10.3.88.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.88.1
Step 2. Configure the PCs to use DHCP.
Currently, the PCs are configured to use static IP addresses. Change this configuration to DHCP.

B3-PC3>ipconfig /renew
IP Address......................: 10.3.30.11
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.3.30.1
DNS Server......................: 10.0.1.4
B3-PC3>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Request timed out.
Reply from 209.165.202.134: bytes=32 time=71ms TTL=125
Reply from 209.165.202.134: bytes=32 time=112ms TTL=125

Ping statistics for 209.165.202.134:
    Packets: Sent = 3, Received = 2, Lost = 1 (34% loss),
Approximate round trip times in milli-seconds:
    Minimum = 71ms, Maximum = 112ms, Average = 91ms
Control-C
B3-PC3>

Step 3. Verify that the PCs and wireless routers have an IP address.
Activate the wireless connection

PC-with-Wireless>ipconfig /renew
IP Address......................: 192.168.3.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.3.1
DNS Server......................: 10.0.1.4
PC-with-Wireless>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Reply from 209.165.202.134: bytes=32 time=130ms TTL=124
Reply from 209.165.202.134: bytes=32 time=131ms TTL=124
Step 4. Verify connectivity.
All PCs physically attached to the network should be able to ping the www.cisco.com web server.

First, port security was tested on int fa 0/11 (another switch with 2 PCs attached was added).
When the initial PC was reconnected, the port was shut down (port security).
B3-S2#sh port-sec int fa 0/11
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0CEA.CDE5:20
Security Violation Count   : 1
B3-S2#
! copy run start; actually reloaded the switch, because Packet Tracer was not clearing port-security properly
B3-S2#clear port-security all
PC>ipconfig /renew
IP Address......................: 10.3.10.11
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.3.10.1
DNS Server......................: 10.0.1.4
PC>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Reply from 209.165.202.134: bytes=32 time=125ms TTL=125
Reply from 209.165.202.134: bytes=32 time=86ms TTL=125
Reply from 209.165.202.134: bytes=32 time=120ms TTL=125
Reply from 209.165.202.134: bytes=32 time=120ms TTL=125

Task 11: Configure a Firewall ACL
Step 1. Verify connectivity from Outside Host.
The Outside Host PC should be able to ping the server at www.xyzcorp.com.

Outside-PC>ping  www.xyzcorp.com
Pinging 209.165.200.246 with 32 bytes of data:
Request timed out.
Reply from 209.165.200.246: bytes=32 time=80ms TTL=126
Reply from 209.165.200.246: bytes=32 time=80ms TTL=126
Reply from 209.165.200.246: bytes=32 time=60ms TTL=126

Ping statistics for 209.165.200.246:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 80ms, Average = 73ms
Outside-PC>

Step 2. Implement a basic firewall ACL.
Because ISP represents connectivity to the Internet, configure a named ACL called FIREWALL in the following order:
 - Allow inbound HTTP requests to the www.xyzcorp.com server.
 - Allow only established TCP sessions from ISP and any source beyond ISP.
 - Allow only inbound ping replies from ISP and any source beyond ISP.
 - Explicitly block all other inbound access from ISP and any source beyond ISP.

HQ(config)#ip access-list extended FIREWALL
HQ(config-ext-nacl)#permit tcp any host 209.165.200.246 eq www
HQ(config-ext-nacl)#permit tcp any any established
HQ(config-ext-nacl)#permit icmp any any echo-reply
HQ(config-ext-nacl)#deny ip any any

HQ(config)#int s0/1/0
HQ(config-if)#ip access-group FIREWALL in
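The order of the four entries matters because IOS evaluates an ACL top to bottom and the first match decides. The following script, an added example that is not part of the original lab, models the FIREWALL ACL exactly as entered on HQ and runs constructed inbound packets through it: a web request to www.xyzcorp.com, a connection to another port on that server, return traffic of a session an inside host opened, and the two ICMP cases from Step 3. The addresses 209.165.200.246 (www.xyzcorp.com), 209.165.202.130 (Outside-PC), 209.165.202.134 (www.cisco.com) and 10.3.30.11 (B3-PC3) are from the page; 10.0.1.20 for NetAdmin-PC and the ports are constructed.

```python
"""First-match evaluation of the named ACL FIREWALL from Task 11.

Added example, not part of the original lab. Models IOS behaviour: entries
are tested in order, the first match wins, and an implicit deny follows.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None           # destination port for tcp/udp
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[str] = None       # "echo" (request) or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-control entry; 'any' matches every address, 'ip' every protocol."""
    action: str
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False             # IOS 'established': ACK or RST bit set
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


# The lab's ACL in the order it was entered on HQ ('eq www' is port 80).
FIREWALL = [
    Ace("permit", "tcp", dst="209.165.200.246", dport=80),
    Ace("permit", "tcp", established=True),
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("deny", "ip"),
]


def evaluate(acl, packet):
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny when nothing matched."""
    for i, ace in enumerate(acl):
        if ace.matches(packet):
            return ace.action, i
    return "deny", None


SERVER, OUTSIDE = "209.165.200.246", "209.165.202.130"
INSIDE_PC, CISCO, NETADMIN = "10.3.30.11", "209.165.202.134", "10.0.1.20"  # NETADMIN constructed

CASES = {
    # Outside-PC opens a web session to www.xyzcorp.com: first entry
    "http to server": Packet("tcp", OUTSIDE, SERVER, 80, frozenset({"SYN"})),
    # a new connection to any other port on the server hits the explicit deny
    "ssh to server": Packet("tcp", OUTSIDE, SERVER, 22, frozenset({"SYN"})),
    # reply segments of a session B3-PC3 opened to www.cisco.com (ACK set)
    "return traffic": Packet("tcp", CISCO, INSIDE_PC, 49152, frozenset({"ACK"})),
    # Outside-PC pinging the server in Step 3: an echo request is not an echo-reply
    "ping to server": Packet("icmp", OUTSIDE, SERVER, icmp_type="echo"),
    # replies to NetAdmin-PC's ping of Outside-PC coming back in
    "ping reply inbound": Packet("icmp", OUTSIDE, NETADMIN, icmp_type="echo-reply"),
}


def run_cases(acl=FIREWALL, cases=CASES):
    """Evaluate every test packet; returns {name: (action, entry index)}."""
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_cases().items():
        print(f"{name:20s} -> {action} (entry {idx})")
```

Swapping the first two entries would not change these results, but moving `deny ip any any` above the permits would block everything, which is why the lab specifies the order.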

Step 3. Verify connectivity from Outside Host.
The Outside Host PC should not be able to ping the server at www.xyzcorp.com. However, the Outside Host PC should be able to request a web page.

Outside-PC>ping  www.xyzcorp.com
Pinging 209.165.200.246 with 32 bytes of data:
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Ping statistics for 209.165.200.246:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Outside-PC>ipconfig
IP Address......................: 209.165.202.130
The Outside Host PC is able to request a web page. From the inside, NetAdmin-PC can still ping the Outside Host, because the replies that come back are echo-replies permitted by the ACL:
NetAdmin-PC>ping 209.165.202.130
Pinging 209.165.202.130 with 32 bytes of data:
Reply from 209.165.202.130: bytes=32 time=120ms TTL=126
Reply from 209.165.202.130: bytes=32 time=50ms TTL=126
Reply from 209.165.202.130: bytes=32 time=50ms TTL=126
Reply from 209.165.202.130: bytes=32 time=20ms TTL=126

Ping statistics for 209.165.202.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 120ms, Average = 60ms
NetAdmin-PC>

Task 12: Configure Wireless Connectivity
Step 1. Verify the DHCP configuration.
Each BX-WRS router should already have IP addressing from the DHCP of the BX router for VLAN 88.

Step 2. Configure the Network Setup/LAN settings.
The "Router IP" on the Status page in the GUI tab should be the first IP of the 10.X.40.0 /24 subnet. Leave all other settings at the default.

Step 3. Configure the wireless network settings.
The SSIDs for the routers are BX-WRS_LAN where the X is the Branch router number.
The WEP key is 12345ABCDE

Set up the wireless router for Branch B3
Step 4. Configure the wireless routers for remote access.
Configure the administration password as cisco123 and enable remote management.

Activate remote administration for the web GUI and set the password to cisco123

Step 5. Configure the BX-PC4 PCs to access the wireless network using DHCP.

B3-PC4>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Request timed out.
Reply from 209.165.202.134: bytes=32 time=180ms TTL=124
Reply from 209.165.202.134: bytes=32 time=150ms TTL=124
Reply from 209.165.202.134: bytes=32 time=140ms TTL=124

Ping statistics for 209.165.202.134:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum = 180ms, Average = 156ms
B3-PC4>
Step 6. Verify connectivity and remote management capability.
Each wireless PC should be able to access the www.cisco.com web server.
Verify remote management capability by accessing the wireless router through the web browser.

From the NetAdmin browser, access http://10.3.88.2/ with user admin and password cisco123.

Task 13: Network Troubleshooting
Step 1. Break the network.
One student leaves the room, if necessary, while another student breaks the configuration.

Step 2. Troubleshoot the problem.
The student returns and uses troubleshooting techniques to isolate and solve the problem.

Step 3. Break the network again.
The students switch roles and repeat steps 1 and 2.

Links

http://www.invialgo.com/2012/packet-tracer-activity-8-6-1-answer-100/