
BCMSN

Building Cisco
Multilayer Switched
Networks
Version 3.0

Lab Guide

Text Part Number: 97-2371-01



2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of
Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access
Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare,
GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace,
MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare,
SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates
in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0601R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Overview
This guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
Quiz 1-1: Describing the Campus Infrastructure Module
Lab 1-2: Getting Started with Cisco Catalyst Equipment
Lab 2-1: Configuring VLANs and VTP
Lab 3-1: Configuring Primary and Backup Root Bridges
Lab 3-2: Implementing PVRST
Lab 3-3: Implementing MST
Lab 3-4: Configuring EtherChannel
Lab 3-5: Troubleshooting Spanning Tree
Quiz 4-1: Describing Routing Between VLANs
Lab 4-2: Routing Between VLANs
Lab 5-1: Enabling and Optimizing HSRP
Lab 6-1: Configuring Switches for WLANs
Lab 6-2: Setting Up the WLAN Controller
Lab 6-3: Configuring the Controller via the Web Browser
Lab 6-4: Configuring a Wireless Client (Optional)
Lab 7-1: Configuring IP Telephony Support
Case Study 8-1: Applying Security Practices to Secure Devices in the Campus
Case Study 8-2: Using Security Tools to Secure Devices in the Campus
Lab 8-3: Applying Security Tools
Answer Key
Quiz 1-1: Describing the Campus Infrastructure Module
This quiz tests the knowledge that you gained in this module.

Activity Objective
In this activity, you will answer questions about the Campus Infrastructure module of the
ECNM. After completing this activity, you will be able to meet this objective:
Identify the functions and relationships of the components of the ECNM

Visual Objective
There is no visual objective for this activity.

Activity Procedure
Answer these questions based on the figures. Write your answers in the appropriate spaces.

Q1) In the figure, label these elements:


A) Enterprise Campus
B) Enterprise Edge
C) Service Provider Edge

Enterprise Composite Model


Functional Areas

Q2) In the figure, label these elements:
A) Enterprise Campus
B) Enterprise Edge
C) Edge Distribution
D) Service Provider Edge

Modules in the Enterprise Campus



Q3) In the figure, label these elements:
A) core
B) distribution
C) access

Campus Infrastructure Module

Pull Out Network Diagram

Network Diagram



Lab 1-2: Getting Started with Cisco Catalyst Equipment
Complete this lab activity to practice what you learned in the related module.

Activity Objective
The Cisco switches and routers for your building and floor have all the cables preconnected and
ready for use. In this activity, you will observe and interpret the bootup processes and prepare
the switches for operation. After completing this activity, you will be able to meet these
objectives:
Run Telnet to connect to the remote lab
Access and use the class menu to verify connectivity to the remote lab terminal server
Establish a connection to the access and distribution switches and verify connectivity
Verify the initial switch configuration and connectivity between the switches

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective

Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to an onsite laboratory or a PC with an Internet connection to access the
remote laboratory equipment
A terminal server connected to the console port of each laboratory device, if using a remote
laboratory
The building and floor assignment provided by your instructor

Network Diagram
The figure shows the network layout for this activity.

Network Diagram



Command List
The table describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list
if you need assistance with the configuration commands during the activity.

Configuration Commands

Command                                 Description

configure terminal                      From privileged EXEC mode, enters global configuration mode
copy running-config startup-config      Adds the current configuration to the default configuration in memory
description description                 Assigns a description to an interface
duplex duplex                           Sets up the duplex configuration on a Fast Ethernet interface
enable password password                Enters the privileged EXEC mode command interpreter
exec-timeout 0 0                        Sets the timeout for an EXEC session to 0 minutes and 0 seconds (no timeout)
exit                                    Exits the current mode
hostname hostname                       Sets the hostname
interface fastethernet | gigabitethernet slot/port
                                        Enters interface configuration mode for a Cisco Catalyst switch with a Fast Ethernet or Gigabit Ethernet interface installed
interface range fastethernet | gigabitethernet slot/starting_port - ending_port
                                        Selects a range of interfaces to configure
interface vlan 1 ip address ip-address  Enters interface configuration mode, and enters the VLAN to which the IP information is assigned
line [aux | console | vty] beginning-line-number [ending-line-number]
                                        Specifies the line to be configured for synchronous logging of messages
logging console                         Enables logging messages to the console port
logging synchronous                     Enables synchronous logging of messages
login                                   Enables password checking
no ip domain-lookup                     Disables hostname translation for the IP Domain Name System
password password                       Configures user authentication
ping ip-address                         Sends an ICMP echo to the designated IP address, using the default settings of size and response window time
service timestamps log uptime
service timestamps log datetime [msec] [localtime] [show-timezone]
                                        Enables log and debugging time stamps
show cdp neighbor detail                Shows CDP neighbor detailed entries, including the name of the device, the number and type of the local interface, the number of seconds the CDP advertisement is valid, the device type, the device product number, and the port ID
show cdp neighbors                      Displays the CDP neighbor entries
show interfaces fastethernet mod/port switchport
                                        Displays interface switch port information about a Fast Ethernet interface
show interfaces status                  Displays the line status of all interfaces
show running-config                     Displays the contents of the running configuration file
shutdown                                Shuts down an interface
no shutdown                             Enables an interface
speed speed                             Sets the line speed
switchport mode access                  Sets trunking mode to access unconditionally
telnet ip-address                       Starts a terminal emulation program from a PC, router, or switch that permits you to access network devices remotely over the network

Job Aids
There are no job aids for this activity.



Activity Preparation
Your instructor will provide setup information that you need to complete this and subsequent
lab activities. Your instructor will also assign you to a building and floor. Fill out the following
information as provided by your instructor.

Note The term workstation refers to the device that you are using to access the course lab
equipment; the PC router is a device in the lab equipment group.

Basic Lab Activity Parameters

Value Information Provided by Your Instructor

Your workgroup
(for example Building 1, Floor 1)

IP address of your workstation

IP address of the default gateway

Subnet mask

IP address of the terminal server

Username to access the terminal server

Password to access the terminal server

PC router interface speed

PC router interface duplex

Refer to the tables titled Building and Floor Assignments and IP Address Assignments to
identify the switches that you are responsible for configuring, based on the assignment from
your instructor. In the table, X = your pod number, and Y = the VLAN number.

Building and Floor Assignments

PC Router  Port   IP Address  Access Switch  Port   IP Address  Distribution Switch  Port   IP Address  IP Mask

xPCy       VLAN1  10.x.1.5/6  xASWy          VLAN1  10.x.1.3/4  xDSWy                VLAN1  10.x.1.y    /16

1PC1       VLAN1  10.1.1.5    1ASW1          VLAN1  10.1.1.3    1DSW1                VLAN1  10.1.1.1    /16
1PC2       VLAN1  10.1.1.6    1ASW2          VLAN1  10.1.1.4    1DSW2                VLAN1  10.1.1.2    /16
2PC1       VLAN1  10.2.1.5    2ASW1          VLAN1  10.2.1.3    2DSW1                VLAN1  10.2.1.1    /16
2PC2       VLAN1  10.2.1.6    2ASW2          VLAN1  10.2.1.4    2DSW2                VLAN1  10.2.1.2    /16
3PC1       VLAN1  10.3.1.5    3ASW1          VLAN1  10.3.1.3    3DSW1                VLAN1  10.3.1.1    /16
3PC2       VLAN1  10.3.1.6    3ASW2          VLAN1  10.3.1.4    3DSW2                VLAN1  10.3.1.2    /16
4PC1       VLAN1  10.4.1.5    4ASW1          VLAN1  10.4.1.3    4DSW1                VLAN1  10.4.1.1    /16
4PC2       VLAN1  10.4.1.6    4ASW2          VLAN1  10.4.1.4    4DSW2                VLAN1  10.4.1.2    /16
5PC1       VLAN1  10.5.1.5    5ASW1          VLAN1  10.5.1.3    5DSW1                VLAN1  10.5.1.1    /16
5PC2       VLAN1  10.5.1.6    5ASW2          VLAN1  10.5.1.4    5DSW2                VLAN1  10.5.1.2    /16
6PC1       VLAN1  10.6.1.5    6ASW1          VLAN1  10.6.1.3    6DSW1                VLAN1  10.6.1.1    /16

Use the IP Address Assignments table as an aid in configuring the access layer and distribution
layer switches in this activity. Complete the information by looking at the Building and Floor
Assignments table and the topology that follows for this activity.



IP Address Assignments

Value Information from Instructor

Pod number

Floor number (Odd/Even)

Value Information from Topology Diagram

Your access switch name (such as 1ASW1)

Your access switch IP address (such as 10.1.1.3)

Your access switch subnet mask 255.255.0.0

Your distribution switch name (primary switch for which you are responsible, such as 1DSW1)

Your distribution switch IP address (primary switch for which you are responsible, such as 10.1.1.1)

Your distribution switch subnet mask 255.255.0.0

All enable passwords san-fran

All login passwords (line vty 0 4) cisco

Task 1: Configure the PC Router


To start, you will configure the Client PC device. The lab uses Cisco routers to simulate
client devices. You will access these routers using the same method in Tasks 1 and 2.

The purpose of this task is to set up your PC with the basic configuration to establish network
connectivity. You will configure the hostname and IP addressing. Please refer to your network
diagram for interface connections. Because the switches in the lab have no configuration, you
cannot perform inband management yet. You must access your client switch via the menu
system for your appropriate building and floor menu. You are connecting to the switch via its
console. You must then enter privileged EXEC mode before entering the global configuration
mode. Hostname, passwords, IP addressing, and port definitions are some of the items that you
will configure. Refer to the network diagram for interface information and connections. Your
instructor will inform you which building and floor you will configure.

Activity Procedure
Complete these steps:

Step 1 Establish a connection to your PC and enter privileged EXEC mode.

Step 2 Use the command show interface status to document the type of interfaces on your
PC router (for example, FastEthernet).

Step 3 Enter global configuration mode.

Step 4 Configure the hostname of the switch according to your worksheet.

Step 5 Configure the enable password to be san-fran.

Step 6 Configure the login passwords to be cisco. Configure logging synchronous on the
console. Disable console timeouts.

Step 7 Configure Ethernet interface 4 with the appropriate IP address. This interface is used
because on the 871 router this is the only true interface. The other interfaces are part
of the built-in hub and are slaved to interface VLAN1. Do not configure VLAN1 with
an IP address.

Step 8 Because the PC needs to simulate a client, disable routing.

Activity Verification
You have completed this task when you attain this result:
Your Ethernet interface is active, and the IP address is correctly configured. Use the show
ip interface brief command to verify.

Task 2: Establish a Connection to the Building Access Switch for Configuration

Multiple buildings in the enterprise campus connect to redundant backbone switches. Each
building has two Building Distribution switches. There are two floors in each building. Each
floor has a Building Access switch. The purpose of this task is to set up your Building Access
switch with the basic configuration to establish network connectivity.

Activity Procedure
Complete these steps:

Step 1 Establish a connection to your Building Access switch and enter privileged EXEC
mode.
Step 2 Use the command show interface status to document the type of interfaces on your
access switch (for example, FastEthernet).

Step 3 Enter global configuration mode.


Step 4 Configure the hostname of the switch according to your worksheet.

Step 5 Configure the switch to use date and time stamping on all logging and debugging
output.
Step 6 Configure the enable password to be san-fran.

Step 7 Configure the switch to disable the logging of messages to the switch console to
prevent distracting output while you perform the initial configuration. You will
enable console logging when configuration of the switch is completed.

Step 8 Configure the Telnet password to be cisco. Configure logging synchronous on the
console. Disable console timeouts.
Step 9 Disable IP Domain Name System hostname translation. This becomes very helpful
in the event of a typing error while in privileged EXEC mode.

Step 10 The inband management of the switches in your network will be via VLAN1.
Configure the VLAN1 IP address and subnet mask (255.255.0.0 or /16) of your
switch. (Refer to the IP Address Assignments table in the Activity Preparation
section of this activity to find the correct IP address.)



Step 11 Configure the Fast Ethernet 0/3 interface to the PC router with an appropriate
description (for example, PC router).
Step 12 Configure the interfaces 0/9, 0/10, 0/11 and 0/12 (which connect your Building
Access switch to each Building Distribution switch in your building) as 100 MB,
full-duplex, with an appropriate description (for example, 1ASW3 0/9 1DSW1
0/1).

Step 13 Configure all interfaces to be in static access administrative and operational mode.
This is a best practice, which you should complete.

Step 14 Ensure that you have exited from the configuration mode (Ctrl-Z or end) and are
now working in the privileged EXEC mode. Use the show interfaces status
command to verify your configuration.
Step 15 Use the show interfaces type 0/9 switchport command to verify your
configuration.

Step 16 Enable logging of system messages to your console by entering the global
configuration mode, entering logging console, and then exiting configuration mode.

Step 17 Save your configuration.

Step 18 Proceed to Task 3.

Activity Verification
You have completed this task when you attain these results:
Verify all interfaces used are up and active.
Attempt to ping the client router to verify connectivity.

Task 3: Configure the Building Distribution Switches


Now that you have configured your Building Access switches, you are ready to configure the
two Building Distribution switches in each building. Only one person needs to configure each
Building Distribution switch, and your instructor will designate this person. You will access the
Building Distribution switches in the same manner that you accessed the switches in Task 2. If
you have any questions, please ask your instructor.

The purpose of this task is to set up your Building Distribution switches with the basic
configuration to establish network connectivity. You will configure the hostname, passwords,
IP addressing, and port definitions. Again, please refer to your network diagram for interface
information.

Activity Procedure
Complete these steps:

Step 1 Establish a connection to your Building Distribution switch and enter privileged
EXEC mode.

Step 2 Use the command show interface status to document the type of interfaces on your
distribution switch (for example, Gigabit).

Step 3 Enter global configuration mode.

Step 4 Configure the hostname of the switch according to your worksheet.

Step 5 Configure the switch to use date and time stamping on all logging and debugging
output. (This will be used in the lab activities for this course.)

Step 6 Configure the enable password to be san-fran.

Step 7 Disable the logging of messages to the switch's console to prevent distracting output
while you perform this initial configuration. You will enable console logging when
configuration of the switch is completed.

Step 8 Configure the Telnet password to be cisco. Configure logging synchronous on the
console. Disable console timeouts.

Step 9 Disable IP Domain Name System hostname translation. This becomes very helpful
in the event of a typing error while in privileged EXEC mode.
Step 10 The inband management of the switches in your network will be via VLAN1.
Configure the VLAN1 IP address and subnet mask (255.255.0.0 or /16) of your
switch. (Refer to the IP Address Assignments table in the Activity Preparation
section of this lab activity.)

Step 11 Disable the interfaces 0/1-12 on all distribution switches, and configure them to be
in static access administrative and operational mode. This is a best practice.
Step 12 Configure the interfaces 0/1, 0/2, 0/3, and 0/4 (which connect the Building
Distribution switch to each Building Access switch in your building) as 100 MB,
full-duplex, with an appropriate description (for example, 1DSW1 0/1 1ASW3
0/9).

Step 13 Configure the interfaces 0/5 and 0/6 (which connect one Building Distribution
switch to the other Building Distribution switch in your building) as 1000 MB, full-
duplex, with an appropriate description (for example, 1DSW1 Gig 1/0/5-6
1DSW2 Gig 1/0/5-6). Use the interface range command for simplicity.

Step 14 Configure Gigabit Ethernet port 1/0/9 (which connects the Building Distribution
switch to the Campus Backbone switch 1) with an appropriate description (for
example, 1DSW1 Gig 1/0/9 BBSW1 Gig 2/1). Set the speed to 1000 MB, full-
duplex for the Gigabit Ethernet interface.

Step 15 Configure Gigabit Ethernet port 1/0/10 (which connects the Building Distribution
switch to Campus Backbone switch 2) with an appropriate description (for example,
1DSW1 Gig 1/0/10 BBSW2 Gig 2/25). Set the speed to 1000 MB, full-duplex for
the Gigabit Ethernet interface.

Step 16 Use the show interfaces status command to verify your configuration.

Step 17 Enable logging of system messages to your console by entering the global
configuration mode, entering logging console, and then exiting configuration mode.

Step 18 Save your configuration.

Activity Verification
You have completed this task when you attain these results:
All configured interfaces are up and active. Use the command show ip interface brief to
verify.
Proceed to Task 4 to complete verification of this lab.



Task 4: Verify the Initial Switch Configuration and Connectivity Between the Switches

After everyone in your group has completed tasks 1 through 3, you should have complete
network connectivity.

In this task, you will test and verify that all switches can communicate with each other. You
may use ping commands from your switches. You may also telnet from your Building Access
switch to any other switch within the enterprise campus and use the ping command.

Activity Procedure
Complete these steps:

Step 1 From your Building Access switch, ping a Building Distribution switch. Your
display should be similar to this example:

1ASW1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
1ASW1#

Step 2 Ping the other Building Distribution switch in your building. Your display should be
similar to this example:

1ASW1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms
1ASW1#

Step 3 From the Building Distribution switches, use the show cdp command to verify
connectivity to the backbone switches:

1DSW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

DeviceID    Local Intrfce    Holdtme    Capability    Platform    Port ID
BBSW1       Gig 1/0/9        123        R S I         WS-C4503    Gig 2/1
BBSW2       Gig 1/0/10       122        R S I         WS-C4503    Gig 2/25
1DSW2       Gig 1/0/5        176        R S I         WS-C3750G-Gig 1/0/5
1DSW2       Gig 1/0/6        137        R S I         WS-C3750G-Gig 1/0/6
1ASW1       Gig 1/0/1        124        S I           WS-C2950G-Fas 0/9
1ASW1       Gig 1/0/2        119        S I           WS-C2950G-Fas 0/10
1ASW2       Gig 1/0/3        143        S I           WS-C2950G-Fas 0/11
1ASW2       Gig 1/0/4        132        S I           WS-C2950G-Fas 0/12

1DSW1#

Step 4 Exit back to privileged EXEC mode and close the Telnet window.

Step 5 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this activity when you obtain these results:
You can successfully log in to the terminal server and navigate the menus to access your
workgroup switch and workgroup router.
You can clear the connections to your workgroup switch and workgroup router.
You configured the Building Access switches, Building Distribution layer switches, and the
PCs.
You tested basic connectivity within your network.
On some pings, there was one lost packet (.) and then four good packets. You should know
why that occurred.
CDP was necessary to confirm connectivity between the distribution switches and the
backbone switches. You should know why a ping test would not work.
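
The CDP check in Task 4, Step 3 can be scripted. The following is an added example, not part of the Cisco lab guide: it parses show cdp neighbors text, rejoins a Port ID that wrapped onto its own line, and compares every local interface against an expected cabling map, reporting missing, mismatched and unexpected neighbors. The sample text is constructed from the Step 3 display; the function names and the EXPECTED map are assumptions made for this example.

```python
import re
from collections import namedtuple

# Constructed sample: the Step 3 display, with each Port ID wrapped onto the
# next line the way it appears in the printed guide.
SAMPLE = """\
1DSW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

DeviceID     Local Intrfce   Holdtme   Capability   Platform   Port ID
BBSW1        Gig 1/0/9       123       R S I        WS-C4503   Gig
2/1
BBSW2        Gig 1/0/10      122       R S I        WS-C4503   Gig
2/25
1DSW2        Gig 1/0/5       176       R S I        WS-C3750G-Gig
1/0/5
1DSW2        Gig 1/0/6       137       R S I        WS-C3750G-Gig
1/0/6
1ASW1        Gig 1/0/1       124       S I          WS-C2950G-Fas
0/9
1ASW1        Gig 1/0/2       119       S I          WS-C2950G-Fas
0/10
1ASW2        Gig 1/0/3       143       S I          WS-C2950G-Fas
0/11
1ASW2        Gig 1/0/4       132       S I          WS-C2950G-Fas
0/12

1DSW1#
"""

# Assumed cabling map for 1DSW1, taken from the sample display above:
# local interface -> (neighbor device, neighbor port).
EXPECTED = {
    "Gig 1/0/1": ("1ASW1", "Fas 0/9"),
    "Gig 1/0/2": ("1ASW1", "Fas 0/10"),
    "Gig 1/0/3": ("1ASW2", "Fas 0/11"),
    "Gig 1/0/4": ("1ASW2", "Fas 0/12"),
    "Gig 1/0/5": ("1DSW2", "Gig 1/0/5"),
    "Gig 1/0/6": ("1DSW2", "Gig 1/0/6"),
    "Gig 1/0/9": ("BBSW1", "Gig 2/1"),
    "Gig 1/0/10": ("BBSW2", "Gig 2/25"),
}

Neighbor = namedtuple(
    "Neighbor", "device local_if holdtime capabilities platform remote_if")

PORT_ONLY = re.compile(r"^\s*\d+(?:/\d+)*\s*$")   # a wrapped Port ID number
ROW = re.compile(r"""
    ^(?P<device>\S+)\s+
    (?P<ltype>[A-Za-z]+)\s+(?P<lnum>\d+(?:/\d+)*)\s+
    (?P<hold>\d+)\s+
    (?P<caps>[RTBSHIr](?:\s[RTBSHIr])*)\s+
    (?P<platform>.*?)\s*                 # may be truncated and fused to the port
    (?P<rtype>Gig|Fas|Eth|Ten)\s+(?P<rnum>\d+(?:/\d+)*)\s*$
""", re.VERBOSE)


def parse_cdp_neighbors(text):
    """Return a list of Neighbor tuples; banner, header and prompt lines are skipped."""
    logical = []
    for line in text.splitlines():
        if PORT_ONLY.match(line) and logical:
            # Re-attach a port number that wrapped below its row.
            logical[-1] = logical[-1].rstrip() + " " + line.strip()
        else:
            logical.append(line)
    neighbors = []
    for line in logical:
        m = ROW.match(line)
        if m:
            neighbors.append(Neighbor(
                m["device"], f"{m['ltype']} {m['lnum']}", int(m["hold"]),
                m["caps"].split(), m["platform"],
                f"{m['rtype']} {m['rnum']}"))
    return neighbors


def check_neighbors(neighbors, expected):
    """Compare parsed neighbors with the cabling map; return (kind, local_if, device) findings."""
    seen = {n.local_if: n for n in neighbors}
    findings = []
    for local_if, (device, remote_if) in sorted(expected.items()):
        n = seen.get(local_if)
        if n is None:
            findings.append(("missing", local_if, device))
        elif (n.device, n.remote_if) != (device, remote_if):
            findings.append(("mismatch", local_if, n.device))
    for local_if in sorted(set(seen) - set(expected)):
        findings.append(("unexpected", local_if, seen[local_if].device))
    return findings


if __name__ == "__main__":
    for finding in check_neighbors(parse_cdp_neighbors(SAMPLE), EXPECTED):
        print(finding)
```

An empty result means every cabled link reported the neighbor the diagram calls for; any other device answering on one of those ports shows up as a mismatch or an unexpected entry.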



Lab 2-1: Configuring VLANs and VTP
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure VLANs and VTP. After completing this activity, you will
be able to meet these objectives:
Create a VTP management domain
Configure trunking
Configure VLANs
Verify the VTP and VLAN status
Associate VLANs with ports on your switch

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective


Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to an onsite laboratory or a PC with an Internet connection, required to
access the remote laboratory equipment
A terminal server connected to the console port of each laboratory device, if using a remote
laboratory
The building and floor assignment specified by your instructor

Network Diagram
The figure shows the network layout for this lab activity.

Network Diagram


Command List
The table describes the commands that are used in this activity.

Configuration Commands

Command                                 Description

configure terminal                      From privileged EXEC mode, enters global configuration mode
enable password password                Enters the privileged EXEC mode command interpreter
exit                                    Exits the current mode
interface fastethernet | gigabitethernet slot/port
                                        Enters interface configuration mode for a Cisco Catalyst switch with a Fast Ethernet or Gigabit Ethernet interface installed
interface range fastethernet | gigabitethernet slot/starting_port - ending_port
                                        Selects a range of interfaces to configure
name vlan-name                          Specifies a name for a VLAN for either VLAN database or VLAN configuration mode
no interface vlan vlan-id type          Disables a VLAN interface
ping ip-address                         Sends an ICMP echo to the designated IP address, using the default settings of size and response window time
show interface interface-id switchport  Displays the switch port configuration of the interface
show interface trunk                    Displays the trunk configuration of the interface
show vlan                               Displays VLAN information
show vtp status                         Verifies the VTP configuration
shutdown/no shutdown                    Shuts down or enables an interface
switchport access vlan vlan-id          Specifies the default VLAN, which is used if the interface stops trunking
switchport mode access                  Puts the interface into permanent nontrunking mode and negotiates to convert the link into a nontrunk link
switchport mode trunk                   Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link
switchport nonegotiate                  Turns off DTP negotiation
switchport trunk allowed vlan remove vlan-list
                                        Configures the list of VLANs allowed on the trunk
switchport trunk encapsulation dot1q    Specifies 802.1Q encapsulation on the trunk link
switchport trunk encapsulation isl      Specifies ISL encapsulation on the trunk link
telnet ip-address                       Starts a terminal emulation program from a PC, router, or switch that permits you to access network devices remotely over the network
vlan database                           Enters VLAN configuration mode
vlan vlan-id                            Creates a VLAN in either VLAN database or configuration mode
vtp domain domain-name                  Sets the VTP domain name in either the VLAN database or configuration mode
vtp mode [ client | server | transparent ]
                                        Sets the VTP mode

Job Aids
There are no job aids for this lab activity.

Activity Preparation
Use the visual objective to determine the VLAN to which each PC router belongs; it is the first
of the two VLANs on your Building Access switch.

Use the network diagram to determine which port connects to your primary Building
Distribution switch.

Building Access Switch VLANs

Access Switch  VLAN #    VLAN ID     Access Switch  VLAN #    VLAN ID

xASWy          11 or 12  BxFy-Pri    xASWy          11 or 12  BxFy-Pri
               13 or 14  BxFy-Alt                   13 or 14  BxFy-Alt

1ASW1          11        B1F1-Pri    4ASW1          41        B4F1-Pri
               13        B1F1-Alt                   43        B4F1-Alt
1ASW2          12        B1F2-Pri    4ASW2          42        B4F2-Pri
               14        B1F2-Alt                   44        B4F2-Alt
2ASW1          21        B2F1-Pri    5ASW1          51        B5F1-Pri
               23        B2F1-Alt                   53        B5F1-Alt
2ASW2          22        B2F2-Pri    5ASW2          52        B5F2-Pri
               24        B2F2-Alt                   54        B5F2-Alt
3ASW1          31        B3F1-Pri    6ASW1          61        B6F1-Pri
               33        B3F1-Alt                   63        B6F1-Alt
3ASW2          32        B3F2-Pri    6ASW2          62        B6F2-Pri

Building Distribution Switch VLANs

VLAN ID VLAN Name

251 Backbone-VLAN-251

252 Backbone-VLAN-252



Building VTP Domains

Building VTP Domain Name

Building X buildingX

Examples

Pod 1 Building1

Pod 2 Building2

Pod 3 Building3

Pod 4 Building4

Pod 5 Building5

Pod 6 Building6

Note The VTP domain name is case sensitive.

Building Access Switch VLAN Assignments

Access Switch  Trunk VLANs

xASWy          1,11,13,1002-1005

1ASW1          1,11,13,1002-1005
1ASW2          1,12,14,1002-1005
2ASW1          1,21,23,1002-1005
2ASW2          1,22,24,1002-1005
3ASW1          1,31,33,1002-1005
3ASW2          1,32,34,1002-1005
4ASW1          1,41,43,1002-1005
4ASW2          1,42,44,1002-1005
5ASW1          1,51,53,1002-1005
5ASW2          1,52,54,1002-1005

Building Distribution Switch VLAN Assignments

Building Distribution Switch  VLANs Allowed on the Distribution-Switch-to-Distribution Switch Trunks

XDSW1 - XDSW2                 1,X1-X4,1002-1005

Examples

1DSW1 - 1DSW2                 1,11-14,1002-1005
2DSW1 - 2DSW2                 1,21-24,1002-1005
3DSW1 - 3DSW2                 1,31-34,1002-1005
4DSW1 - 4DSW2                 1,41-44,1002-1005
5DSW1 - 5DSW2                 1,51-54,1002-1005
6DSW1 - 6DSW2                 1,61-64,1002-1005
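
The trunk VLAN lists in the two tables above follow one numbering rule, so a saved configuration can be checked against them mechanically. The following is an added example, not part of the Cisco lab guide: it derives the expected list for any pod and floor, applies the bare, add and remove forms of switchport trunk allowed vlan to each trunk interface in a configuration, and reports the VLANs a trunk carries beyond, or short of, its table entry. The rule 10 x pod + floor is inferred from the table rows; the function names and the sample configuration are constructed for this example.

```python
import re

ALL_VLANS = set(range(1, 4095))    # a trunk with no allowed list carries VLANs 1-4094
RESERVED = set(range(1002, 1006))  # 1002-1005 appear in every list in the tables


def parse_vlan_list(spec):
    """Expand a VLAN list such as '1,11-14,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs back into range notation ('2-10,12')."""
    ranges = []
    for vlan in sorted(vlans):
        if ranges and vlan == ranges[-1][1] + 1:
            ranges[-1][1] = vlan
        else:
            ranges.append([vlan, vlan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def access_trunk_vlans(pod, floor):
    """Trunk VLANs for xASWy: 1, primary, alternate, 1002-1005 (rule inferred from the table)."""
    if pod not in range(1, 7) or floor not in (1, 2):
        raise ValueError("the tables cover pods 1-6 and floors 1-2")
    primary = 10 * pod + floor
    return {1, primary, primary + 2} | RESERVED


def distribution_trunk_vlans(pod):
    """VLANs on the XDSW1 - XDSW2 trunk: 1, X1-X4, 1002-1005."""
    if pod not in range(1, 7):
        raise ValueError("the tables cover pods 1-6")
    return {1} | set(range(10 * pod + 1, 10 * pod + 5)) | RESERVED


IFACE = re.compile(r"^interface (\S+)$")
ALLOWED = re.compile(
    r"^switchport trunk allowed vlan (?:(add|remove) )?([\d,\- ]+)$")


def trunk_allowed_vlans(config_text):
    """Return {interface: allowed VLAN set} for interfaces set to 'switchport mode trunk'."""
    allowed, trunks, current = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            allowed[current] = set(ALL_VLANS)
            continue
        if current is None:
            continue
        if line == "switchport mode trunk":
            trunks.add(current)
        m = ALLOWED.match(line)
        if m:
            vlans = parse_vlan_list(m.group(2))
            if m.group(1) == "add":
                allowed[current] |= vlans
            elif m.group(1) == "remove":
                allowed[current] -= vlans
            else:
                allowed[current] = vlans
    return {name: vl for name, vl in allowed.items() if name in trunks}


def audit_trunks(config_text, expected):
    """Return {interface: (extra, missing)} in range notation for trunks that deviate."""
    findings = {}
    for name, allowed in trunk_allowed_vlans(config_text).items():
        extra, missing = allowed - expected, expected - allowed
        if extra or missing:
            findings[name] = (format_vlan_list(extra), format_vlan_list(missing))
    return findings


# Constructed sample: four uplinks on 1ASW1, two of them wider than the table allows.
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 switchport mode trunk
 switchport trunk allowed vlan 1,11,13,1002-1005
interface FastEthernet0/10
 switchport mode trunk
 switchport trunk allowed vlan remove 2-10,12,14-1001,1006-4094
interface FastEthernet0/11
 switchport mode trunk
interface FastEthernet0/12
 switchport mode trunk
 switchport trunk allowed vlan 1,11-14,1002-1005
"""

if __name__ == "__main__":
    print(audit_trunks(SAMPLE_CONFIG, access_trunk_vlans(1, 1)))
```

A trunk with no allowed list at all, such as FastEthernet0/11 in the sample, is reported with every VLAN outside the table entry as extra.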

Task 1: Create a VTP Management Domain


In this task, you will define a VTP management domain in your Building Access switch. To
determine the VTP domain name of your building, refer to the Building VTP Domains table in
the Activity Preparation section for this activity.

You configure VLAN information using the configure terminal command to enter global
configuration mode. In most network environments, it is good practice to use VTP passwords
and manually configure each switch with the proper VTP domain name and password.

Activity Procedure
Complete these steps:
Step 1 Establish a connection to your access switch and enter privileged EXEC mode.

Step 2 From global configuration mode, configure the VTP domain name.

Step 3 Establish a connection to your distribution switch and enter privileged EXEC mode.
Step 4 From global configuration mode, configure the VTP domain name.

Step 5 Proceed to Task 2.

Activity Verification
You have completed this task when you attain this result:
Execute a show running-config command to ensure that the domain name is
accurate.



Task 2: Configure Trunking
In this task, you will identify and set up the links used for trunking. You should always
configure trunking before configuring VLANs. The links between the Building Access
switches and the Building Distribution switches are 802.1Q trunks. The links between the two
Building Distribution switches in each building (for example, 1DSW1 to 1DSW2) are also
trunks. The links between the Building Distribution switches and the Campus Backbone
switches should remain access links.

You are responsible for configuring the uplinks on your Building Access switch. You must
configure the Building Access switch for each link. You must also configure each of the two
Building Distribution switches for each link to your Building Access switch. Make sure each
end of each link is properly configured to become a trunk.

Your instructor will designate someone in each building to convert the links between the two
Building Distribution switches to a trunk.

You may also want to prevent certain VLANs from being carried on certain trunks. It is good
practice to use the switchport trunk allowed vlan command to allow VLANs to be carried on
trunks or to remove them. In this lab activity, the trunk between the Building Access switch and
Building Distribution switch should carry only VLAN traffic destined for your Building Access
switch. To determine the VLANs for each specific access switch, refer to the Building Access
Switch VLANs table in the Activity Preparation section for this lab activity. As an example,
1ASW1 should carry VLANs 1, 11, and 13 only. You will not assign ports on 1ASW1 to any
other VLAN, so do not carry any other VLANs.

It is best practice to hard code the trunk and the encapsulation type and to disable Dynamic
Trunking Protocol (DTP) negotiation. Each end of the link is now configured as switchport
mode access. Do not forget to configure both ends of the link. It is best practice to disable
negotiation with the switchport nonegotiate command. The Trunk Settings table illustrates the
results when using DTP.

Trunk Settings

Setting      On                 Off                Auto      Desirable

On           Trunk              Not recommended    Trunk     Trunk
Off          Not recommended    Access             Access    Access
Desirable    Trunk              Access             Trunk     Trunk
Auto         Trunk              Access             Access    Trunk

Note: In the table, some configurations are not recommended because they may create a loop.

Use the Configuration Checklist to track the tasks you complete in this lab activity.

Configuration Checklist

Configuration Checklist Item Completed

Trunks configured on Building Access switch

Trunk configured on Building Distribution switch 1

Trunk configured on Building Distribution switch 2

Primary VLAN configured

Alternate VLAN configured

Refer to the network diagram to determine which interfaces you are responsible for
configuring. Remember that you must configure each end of the two links for which you are
responsible.

Activity Procedure
Complete these steps:

Step 1 Access your access switch and distribution switches.

Step 2 You will be configuring the links between your access switch and the distribution
switches. Identify the interfaces that you will be configuring here:

____________________________________________________

____________________________________________________

Step 3 Switches that support both ISL and dot-1Q encapsulation default to ISL
encapsulation. If you need to configure the encapsulation type to dot-1Q on a switch
that defaults to ISL, use the switchport trunk encapsulation dot1q command to
configure the port as an 802.1Q trunk. The Cisco Catalyst 2950 supports 802.1Q
encapsulation only, and the Cisco Catalyst 3750 supports both ISL and 802.1Q
encapsulation.

Step 4 Restrict the trunk link to carrying the traffic from only specified VLANs. Refer to
the Building Access Switch VLAN Assignments table in the Activity Preparation
section of this lab activity to determine which VLANs to allow on your switches.

Step 5 Configure the port as a trunk.

Step 6 Turn off DTP on your trunk.


Step 7 Make the Gigabit Ethernet interfaces 1/0/5-6 a trunk on your Building Distribution
switch. Carry all VLANs in your building.

Step 8 Verify the configuration with the show interfaces interface-id switchport
command.

Step 9 Verify the configuration of your Building Access switch with the show running-
config command.

Step 10 Verify the configuration of your Building Distribution switch with the show
running-config command.



Note: Wait until all members of your building complete the steps in Task 2 of this lab activity before
proceeding to Task 3. Notify your instructor when you finish.

Step 11 Proceed to Task 3.

Activity Verification
You have completed this task when you attain this result:
You have configured 802.1Q trunks on the Building Access and Building Distribution
switches.
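One way to check the outcome of Steps 3 through 6, added here as an example and not part of the lab guide: the script audits a running-config excerpt for the three settings this task asks for (hard-coded trunk mode, DTP turned off, allowed VLAN list limited to the access switch's own VLANs). The sample configuration and its uplink interface numbers are constructed; the expected VLAN sets follow the Building Access Switch VLAN Assignments table.

```python
import re

# Constructed running-config excerpt for access switch 1ASW1. The uplink
# interface numbers are assumptions; take the real ones from the network diagram.
SAMPLE_1ASW1 = """\
interface FastEthernet0/1
 description uplink to 1DSW1
 switchport trunk allowed vlan 1,11,13,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 description uplink to 1DSW2
 switchport trunk allowed vlan 1,11-14,1002-1005
 switchport mode trunk
!
interface FastEthernet0/3
 description PC router
 switchport access vlan 11
 switchport mode access
!
"""


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1,11,13,1002-1005' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def expected_access_vlans(building, switch):
    """VLANs the lab table allows on the uplinks of <building>ASW<switch>."""
    primary = building * 10 + switch          # 1ASW1 -> 11, 1ASW2 -> 12
    return {1, primary, primary + 2} | set(range(1002, 1006))


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None                    # "!" or any global command ends the block
    return interfaces


def audit_trunk(commands, expected):
    """Return a list of findings for one uplink; an empty list means it passes."""
    findings = []
    if "switchport mode trunk" not in commands:
        findings.append("trunk mode is not hard coded")
    if "switchport nonegotiate" not in commands:
        findings.append("DTP negotiation is not disabled")
    allowed = set()
    for cmd in commands:
        # Long lists are split by IOS into "allowed vlan add ..." continuation lines.
        match = re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)", cmd)
        if match:
            allowed |= parse_vlan_list(match.group(1))
    if not allowed:
        findings.append("no allowed VLAN list, trunk carries every VLAN")
    else:
        extra = sorted(allowed - expected)
        missing = sorted(expected - allowed)
        if extra:
            findings.append("carries unassigned VLANs: " + ", ".join(map(str, extra)))
        if missing:
            findings.append("missing assigned VLANs: " + ", ".join(map(str, missing)))
    return findings


def audit_switch(config, uplinks, expected):
    """Audit the named uplink interfaces of one switch configuration."""
    interfaces = parse_interfaces(config)
    report = {}
    for name in uplinks:
        if name not in interfaces:
            report[name] = ["interface not found in configuration"]
        else:
            report[name] = audit_trunk(interfaces[name], expected)
    return report


if __name__ == "__main__":
    uplinks = ["FastEthernet0/1", "FastEthernet0/2"]
    for name, findings in audit_switch(SAMPLE_1ASW1, uplinks, expected_access_vlans(1, 1)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```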

Task 3: Configure VLANs


You are now ready to configure VLANs. Recall that VTP is used to propagate VLAN
information to all switches participating in the same VTP domain. You will add VLANs 251
and 252 to the Building Distribution switches and place the distribution-switch-to-backbone
switch links into the appropriate VLAN.

Refer to the Building Access Switch VLANs table in the Activity Preparation section of this lab
activity to determine which VLANs you will configure on your switches.

In this task, you will configure the appropriate VLANs on your Building Access switch and on
the Building Distribution switches. You will create one VLAN using VTP transparent mode.
You will create another VLAN using VTP client-server mode.

Activity Procedure
Complete these steps:
Step 1 Connect to your Building Access switch.

Step 2 Set the VTP mode to client.

Step 3 Attempt to create your building and floor primary VLAN, using the vlan vlan-id
global configuration command.

Were you able to create the VLAN?

____________________________________________________________

Note: Recall that you should not be able to create, modify, or delete VLANs while in client mode.

Step 4 Open a Telnet session to connect to a Building Distribution switch from your
Building Access switch.

Step 5 Create your primary VLAN on a Building Distribution switch. Use the vlan vlan-id
global configuration command to create the VLAN and to enter VLAN
configuration mode. Name the VLAN just created with the name vlan-name
command.

Step 6 Return to your Building Access switch and verify that the VLAN was propagated to
it.

Step 7 Set the VTP mode on your Building Access switch to transparent mode.

Step 8 Create your alternate VLAN and enter the correct name.

Step 9 Exit from configuration mode.

Step 10 Use the show vlan command on the Building Access switch to verify that the
VLAN was added.

Was the VLAN added? Why or why not?

____________________________________________________________________

____________________________________________________________________

Note: In transparent mode, the config-revision number is set to zero. The switch does not apply
VTP information received. It only passes the information along to other switches; it does not
advertise its VLANs to other switches.

Step 11 Connect to a Building Distribution switch and enter the show vlan command.

Does the alternate VLAN that you just created (for example, VLAN13) appear?
Why or why not?

____________________________________________________________________

____________________________________________________________________

Note: Recall that in transparent mode the config-revision number is set to zero. The switch does
not apply VTP information received. It only passes the information along to other switches; it
does not advertise its VLANs to other switches.

Step 12 Set the VTP mode on your Building Access switch to client again.

Which VLANs are available on your Building Access switch? Are any VLANs
missing? Why?

____________________________________________________________________

____________________________________________________________________

Step 13 Ensure that you add your alternate VLAN on a VTP server so that the VLAN will be
propagated to all members of the VTP domain.

Step 14 Configure VLANs 251 and 252 on the Building Distribution switch. Place interface
GigabitEthernet1/0/9 in VLAN251 and GigabitEthernet1/0/10 in VLAN252.

Step 15 Verify the configuration of your Building Distribution switch with the show
running-config command.

Step 16 Proceed to Task 4.



Activity Verification
You have completed this task when you attain this result:
You have configured VTP, and all switches on your network contain collaborating and
correct information.
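The behavior this task walks through (client, server, and transparent modes, the revision number, and the case-sensitive domain name) can be traced with a small model. This is an added example, not code from the lab guide; it is a simplified model of VTP that leaves out passwords, pruning, and timers, and the switch names and VLAN names follow the lab's naming pattern.

```python
class Switch:
    """Simplified VTP participant: one VLAN database and one revision number."""

    def __init__(self, name, domain, mode):
        self.name, self.domain, self.mode = name, domain, mode
        self.revision = 0
        self.vlans = {1: "default"}
        self.neighbors = []

    def set_mode(self, mode):
        self.mode = mode
        if mode == "transparent":
            self.revision = 0                 # transparent mode resets the revision

    def create_vlan(self, vlan_id, name):
        """Return True if the VLAN was created in the local database."""
        if self.mode == "client":
            return False                      # clients cannot create, modify, or delete
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1                # every server change bumps the revision
            self.advertise()
        return True                           # transparent: local only, never advertised

    def advertise(self):
        advert = (self.domain, self.revision, dict(self.vlans))
        for neighbor in self.neighbors:
            neighbor.receive(advert, self)

    def receive(self, advert, sender):
        domain, revision, vlans = advert
        if self.mode == "transparent":
            self.relay(advert, sender)        # pass along, do not apply
            return
        if domain != self.domain:             # string comparison is case sensitive
            return
        if revision <= self.revision:
            return                            # nothing newer than what we hold
        self.vlans = dict(vlans)              # the whole database is replaced
        self.revision = revision
        self.relay(advert, sender)

    def relay(self, advert, sender):
        for neighbor in self.neighbors:
            if neighbor is not sender:
                neighbor.receive(advert, self)


def link(a, b):
    """Model a trunk between two switches."""
    a.neighbors.append(b)
    b.neighbors.append(a)


def run_task3():
    """Replay Steps 2 to 13 for 1ASW1 and 1DSW1 and record what each step shows."""
    dsw = Switch("1DSW1", "Building1", "server")
    asw = Switch("1ASW1", "Building1", "client")
    link(dsw, asw)
    seen = {}
    seen["client_can_create"] = asw.create_vlan(11, "B1F1-Pri")    # Step 3
    dsw.create_vlan(11, "B1F1-Pri")                                # Step 5
    seen["client_learned_11"] = 11 in asw.vlans                    # Step 6
    asw.set_mode("transparent")                                    # Step 7
    asw.create_vlan(13, "B1F1-Alt")                                # Step 8
    seen["transparent_has_13"] = 13 in asw.vlans                   # Step 10
    seen["server_has_13"] = 13 in dsw.vlans                        # Step 11
    asw.set_mode("client")                                         # Step 12
    dsw.advertise()                    # next advertisement from the server arrives
    seen["client_kept_13"] = 13 in asw.vlans
    dsw.create_vlan(13, "B1F1-Alt")                                # Step 13
    seen["client_has_13_from_server"] = 13 in asw.vlans
    return seen


if __name__ == "__main__":
    for step, result in run_task3().items():
        print(f"{step}: {result}")
```

The locally created VLAN 13 disappears in Step 12 because the access switch returns to client mode with revision 0 and accepts the server's higher-revision database, which does not contain it.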

Task 4: Verify the VTP and VLAN Status


After the entire class completes the previous tasks, you will verify that these VLANs exist:
Five default VLANs (1, 1002, 1003, 1004, and 1005)
Six configured VLANs in each building, as follows:
Building X: X1, X2, X3, X4, 251 and 252
Examples:
Building 1: 11, 12, 13, 14, 251, and 252
Building 2: 21, 22, 23, 24, 251, and 252

Recall that you did not allow certain VLANs to cross over certain trunk links. However, you
should still see the VLANs on the Building Access switch because VTP is operating.

In this task, you will observe whether or not the VLANs were propagated across the switches in
the VTP domain.

Activity Procedure
Complete these steps:

Step 1 On the first Building Distribution switch (for example, 1DSW1), enter the show
vlan command.

Did you see all the VLANs that you expected to see?

____________________________________________________________________

Why were the VLANs from the other buildings propagated or not propagated to the
building?

____________________________________________________________________

Step 2 On the first Building Distribution switch (for example, 1DSW1), enter the show vtp
status command and review the results.

Step 3 On the second Building Distribution switch (for example, 1DSW2), enter the show
vlan command and review the results.

Step 4 On the second Building Distribution switch (for example, 1DSW2), enter the show
vtp status command and review the results.

Step 5 Test connectivity to determine which devices can and cannot ping each other.

If there are connectivity problems, why did they occur?


____________________________________________________________________

____________________________________________________________________

Step 6 Proceed to Task 5.

Activity Verification
You have completed this task when you attain this result:
You have successfully propagated the correct VLANs within your VTP domain.

Task 5: Associate VLANs with Ports on Your Switch


Up until this point, your PC router was assigned, by default, to VLAN1. In this task, you will
assign the interface that your PC router uses to your building's primary VLAN.

On your Building Access switch, you will assign the port that your PC router connects into
(FastEthernet 0/3) to the corresponding VLAN number (for example, XPC1 uses VLANX1,
XPC2 uses VLANX2, and so on).

Activity Procedure
Complete these steps:

Step 1 Verify that your PC router has connectivity with devices in VLAN1 by using ping
commands. If your PC router cannot successfully ping other devices in VLAN1,
ensure that you have connectivity (ask your instructor for help) before proceeding to
step 2.

Step 2 Assign FastEthernet 0/3 into its primary VLAN. This is the port that connects to
your PC router.

Step 3 Can your PC router ping the other devices in your network? Why or why not?

____________________________________________________________________

____________________________________________________________________

Step 4 Verify the configuration of your Building Access switch with the show running-
config command.

Step 5 Exit back to privileged EXEC mode and close the Telnet window.

Step 6 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this activity when you obtain this result:
You have placed your PC router in a different VLAN (not VLAN1) as an access device and
you have verified the connection.



Lab 3-1: Configuring Primary and Backup Root Bridges
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure primary and backup root bridges. After completing this
activity, you will be able to meet these objectives:
- Configure a new primary root bridge and a backup root bridge on each VLAN so that the
  loop-free topology uses the root bridge as a reference point
- Use the show running-config, show spanning-tree detail, show spanning-tree root,
  show spanning-tree vlan vlan-id bridge, and show spanning-tree vlan vlan-id root
  commands to confirm that the primary root bridge for the specific VLAN has moved to the
  new primary root bridge
- Verify that a backup root bridge exists

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
Access and distribution switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]


Command List
The table describes the commands that are used in this activity.

Commands                                           Description

spanning-tree portfast default                     Enables PortFast on all access ports.

spanning-tree vlan vlanid root                     Forces this switch to be the root switch.
[primary / secondary]                              The primary root switch priority is 24576.
                                                   The secondary root switch priority is 28672.

interface interface-id                             Changes the spanning tree port priority of
spanning-tree vlan vlanid port-priority priority   an interface.

interface interface-id                             Changes the Per VLAN Spanning Tree path cost
spanning-tree vlan vlanid cost cost                of an interface.

show spanning-tree detail                          Displays a detailed summary of interface
                                                   information.

show spanning-tree root                            Displays status and configuration of the
                                                   root bridge.

show spanning-tree vlan vlan-id bridge             Displays status and configuration of this
                                                   switch.

show spanning-tree vlan vlan-id root               Displays status and configuration of the
                                                   root bridge for a particular VLAN.

Scenario
Each odd-floor team will configure XDSW1 as the primary root bridge for its primary VLAN
and XDSW2 as the secondary root bridge for its alternate VLAN. Each even-floor team will
configure XDSW2 as the primary bridge for its primary VLAN and XDSW1 as the secondary
root bridge for its alternate VLAN.

Activity Preparation
Use the tables to determine which network devices and VLANs you are responsible for in this
lab activity. Highlight your own devices in the tables.

VLAN Assignments

Access   VLAN #   Root Dis.   Secondary      Access   VLAN #   Root Dis.   Secondary
Switch            Switch      Dis. Switch    Switch            Switch      Dis. Switch

1ASW1    11       1DSW1       1DSW2          4ASW1    41       4DSW1       4DSW2
         13       1DSW2       1DSW1                   43       4DSW2       4DSW1
1ASW2    12       1DSW2       1DSW1          4ASW2    42       4DSW2       4DSW1
         14       1DSW1       1DSW2                   44       4DSW1       4DSW2
2ASW1    21       2DSW1       2DSW2          5ASW1    51       5DSW1       5DSW2
         23       2DSW2       2DSW1                   53       5DSW2       5DSW1
2ASW2    22       2DSW2       2DSW1          5ASW2    52       5DSW2       5DSW1
         24       2DSW1       2DSW2                   54       5DSW1       5DSW2
3ASW1    31       3DSW1       3DSW2          6ASW1    61       6DSW1       6DSW2
         33       3DSW2       3DSW1                   63       6DSW2       6DSW1
3ASW2    32       3DSW2       3DSW1          6ASW2    62       6DSW2       6DSW1
         34       3DSW1       3DSW2                   64       6DSW1       6DSW2

Root Bridge VLAN Assignments

Distribution Switch    Root VLANs    Secondary VLANs

1DSW1                  1, 11, 14     12, 13
1DSW2                  12, 13        1, 11, 14
2DSW1                  1, 21, 24     22, 23
2DSW2                  22, 23        1, 21, 24
3DSW1                  1, 31, 34     32, 33
3DSW2                  32, 33        1, 31, 34
4DSW1                  1, 41, 44     42, 43
4DSW2                  42, 43        1, 41, 44
5DSW1                  1, 51, 54     52, 53
5DSW2                  52, 53        1, 51, 54
6DSW1                  1, 61, 64     62, 63
6DSW2                  62, 63        1, 61, 64



Task 1: Configure Spanning Tree Primary Root Switch for VLANs on Distribution Switches
The show spanning-tree vlan command sample output provides details that can help you
better understand spanning tree root bridges. In this task, you will review the show spanning-
tree vlan sample command output that is provided and answer questions to help you better
understand spanning tree.

The default spanning tree behavior does not use the redundant links for any user traffic. In this
task, you will configure STP to perform best-effort load balancing, where the system
administrator decides how STP will be configured to perform static load balancing.

You will configure the appropriate Building Distribution switch to be the root bridge for your
building and floor primary and secondary VLANs. The design goal is to select the appropriate
Building Distribution switch as the primary root bridge for a specific VLAN. Typically, when
you implement a campus network, the resource that you are trying to reach is connected in the
same Building Distribution switch selected as the root. The resource is typically a Layer 3
device to help move traffic off the VLAN.

You may change the bridge ID (BID) priority by using the spanning-tree vlan vlan-id root
primary command.

Activity Procedure
Complete these steps:

Step 1 Using the tables in the Activity Preparation section of this lab activity, determine the
primary root Building Distribution switches for the VLANs for which you are
responsible in your building and floor.

Step 2 Enable PortFast on all access ports on your assigned access switch.

Step 3 Connect to each of the Building Distribution switches in your building. Configure
the Building Distribution switches as the primary root for the VLANs that you are
responsible for, using the spanning-tree vlan vlan-id root primary command.

Step 4 If you are assigned to floor 1, configure XDSW1 as the root switch for VLAN1.

Step 5 Verify the spanning tree configuration for each VLAN that you are responsible for
on the Building Distribution switches, using the show spanning-tree vlan vlan-id
command.
Step 6 Verify the spanning tree configuration for each VLAN that you are responsible for
on the Building Access switches, using the show spanning-tree vlan vlan-id
command.
Step 7 Verify the configuration on your Building Distribution switch with the show
running-config command.

Step 8 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this task when you attain this result:
You can demonstrate that you have discovered the root bridges for your VLANs.

Task 2: Configure Spanning Tree Backup Root Switch for VLANs on Distribution Switches
The show spanning-tree vlan command sample output provides details that can help you
better understand spanning tree root bridges. In this task, you will review the show spanning-
tree vlan sample command output that is provided and answer questions to help you better
understand spanning tree.

The default spanning tree behavior does not use the redundant links for any user traffic. In this
task, you will configure STP to perform best-effort load balancing, where the system
administrator decides how STP will be configured to perform static load balancing.

You will configure the appropriate Building Distribution switch to be secondary (backup) root
bridge for your building and floor primary and secondary VLANs. The term secondary root
bridge indicates which bridge or switch would become the root in the event that the configured
root fails. The design goal is to select the appropriate Building Distribution switch as the
secondary root bridge for a specific VLAN. Typically, when you implement a campus network,
the resource that you are trying to reach is connected in the same Building Distribution switch
selected as the root. The resource is typically a Layer 3 device to help move traffic off the
VLAN.

You may change the BID priority by using the spanning-tree vlan vlan-id root secondary
command.
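How the primary and secondary priorities decide the root for each VLAN, and what happens when the primary fails, shown as an added example that is not part of the lab guide. It uses the priorities from the Command List (24576 and 28672) and the Root Bridge VLAN Assignments table; the MAC addresses are constructed, and the model assumes the extended system ID, where the VLAN number is added to the priority field.

```python
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576       # priority the Command List gives for "root primary"
ROOT_SECONDARY = 28672     # priority the Command List gives for "root secondary"

# Constructed MAC addresses for building 1. The access switch 1ASW2 is given the
# lowest address on purpose, to show what an unconfigured election would pick.
MACS = {
    "1DSW1": "0017.5a00.1100",
    "1DSW2": "0017.5a00.2200",
    "1ASW1": "000d.2900.3300",
    "1ASW2": "000a.b800.4400",
}


def bridge_id(priority, vlan, mac):
    """Bridge ID as compared in the election: priority field first, then MAC.

    Assumes the extended system ID, so the VLAN number is part of the priority.
    """
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def lab_priorities(building, vlan):
    """Per-VLAN priorities that follow the Root Bridge VLAN Assignments table."""
    base = building * 10
    if vlan in (1, base + 1, base + 4):
        dsw1, dsw2 = ROOT_PRIMARY, ROOT_SECONDARY
    elif vlan in (base + 2, base + 3):
        dsw1, dsw2 = ROOT_SECONDARY, ROOT_PRIMARY
    else:
        raise ValueError(f"VLAN {vlan} is not assigned to building {building}")
    return {
        f"{building}DSW1": dsw1,
        f"{building}DSW2": dsw2,
        f"{building}ASW1": DEFAULT_PRIORITY,   # access switches keep the default
        f"{building}ASW2": DEFAULT_PRIORITY,
    }


def elect_root(vlan, priorities, macs, failed=()):
    """Return the switch with the lowest bridge ID among those still running."""
    alive = [name for name in priorities if name not in failed]
    return min(alive, key=lambda name: bridge_id(priorities[name], vlan, macs[name]))


def root_map(building, macs, failed=()):
    """Root bridge per VLAN for one building, optionally with failed switches."""
    base = building * 10
    vlans = (1, base + 1, base + 2, base + 3, base + 4)
    return {v: elect_root(v, lab_priorities(building, v), macs, failed) for v in vlans}


if __name__ == "__main__":
    defaults = dict.fromkeys(MACS, DEFAULT_PRIORITY)
    print("No priorities set, VLAN 11 root:", elect_root(11, defaults, MACS))
    print("Lab configuration:", root_map(1, MACS))
    print("After 1DSW1 fails:", root_map(1, MACS, failed=("1DSW1",)))
```

With every switch left at the default priority the lowest MAC address wins, which here is an access switch; setting the priorities makes root placement deterministic and gives each VLAN a known backup.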

Activity Procedure
Complete these steps:

Step 1 Using the tables in the Activity Preparation section of this lab activity, determine the
secondary root Building Distribution switches for the VLANs for which you are
responsible in your building and floor.

Step 2 Connect to each of the Building Distribution switches in your building. Configure
the Building Distribution switches as the secondary root for the VLANs that you are
responsible for.

Step 3 If you are assigned to floor 2, configure XDSW2 as the secondary root switch for
VLAN1.

Step 4 Verify your configuration. If the designated root cost is 28672, you will know that
the bridge is the secondary root.
Step 5 Verify the spanning tree configuration for each VLAN that you are responsible for
on the Building Distribution switches, using the show spanning-tree vlan vlan-id
command.
Step 6 Verify the spanning tree configuration for each VLAN that you are responsible for
on the Building Access switches, using the show spanning-tree vlan vlan-id
command.



Step 7 Verify the configuration on your Building Distribution switches with the show
running-config command.
Step 8 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this task when you attain this result:
You observed an instance of STP for every active VLAN in your building. If you and your
classmates in your building compare your diagrams, you should note that every instance of
STP acted the same way. That is, the same switch is root for every VLAN, the same ports
are forwarded, and the same ports are blocked.

Task 3: Verify Spanning Tree for VLANs on the Distribution Switches
You will verify the spanning tree topology for your building and floor primary and secondary
VLANs. The sample output of the show spanning-tree vlan command provides details that
can help you better understand spanning tree root bridges.

Activity Procedure
Complete these steps:
Step 1 Select your Building Access switch from the menu and enter privileged EXEC
mode, using the enable command.

Step 2 Assign your PC router back to VLAN1 on the Building Access switch. Recall that
you placed the PC router in a building and floor VLAN to demonstrate VLAN
connectivity.

Step 3 In privileged EXEC mode, enter the show spanning-tree vlan 1 and show
spanning-tree vlan 1 detail commands to show the spanning tree information for
VLAN1.

Step 4 Look for the root bridge MAC address. Write it down here:

____________________________________________________________________

Step 5 Look for the MAC address of your bridge. Write it down here:

____________________________________________________________________

Step 6 Compare the root bridge MAC address and your bridge MAC address. If they are the
same, you are the root. If they are different, you are not the root.

Step 7 Each nonroot bridge has a root port. What is the root port if you are not the root
bridge?

____________________________________________________________________

Step 8 Refer to the figure labeled VLAN1. Notice that each port has a spanning tree path
cost. What is the path cost at your root port?

____________________________________________________________________

Step 9 Open a connection to the switch connected to the port that is the root port.

Step 10 Refer to the figure again. Trace back to the root bridge. Which switch is the root
bridge?

____________________________________________________________________

Step 11 Refer to the figure again. Write an F for forwarding or a B for blocking on the
appropriate ports. Label the port type as root port (RP), designated port (DP), or
nondesignated port (NDP).
Step 12 Repeat steps 3 through 11 for the other two VLANs for which you are responsible in
your building, first using the figure labeled Primary VLAN and then using the
figure labeled Alternate VLAN.



[Figure: VLAN1]

Note: The X in the system names refers to your building number.

[Figure: Primary VLAN]

Note: The X in the system names refers to your building number.

[Figure: Alternate VLAN]

Note: The X in the system names refers to your building number.

Step 13 On your Building Distribution switch, review output from the show spanning-tree
vlan command for your primary VLAN:
1DSW1#show spanning-tree vlan vlan-id detail
Using the output from the show spanning-tree vlan command, answer these
questions:

Which spanning tree implementation is running?

What is the BID?

What is the root bridge ID?

What is the root port (if any)?

What is the cost of the root path (if any)?



What is the advertised cost of a designated root on port 1?

What is the advertised cost of a designated root on port 2?

What is the advertised cost of a designated root on port 3?

What is the advertised cost of a designated root on port 4?

What is the advertised cost of a designated root on port 9?

Step 14 On your Building Access switch, review this output from the show spanning-tree
vlan command for your primary VLAN:
1ASW1#show spanning-tree vlan vlan-id detail

Step 15 Using the output from the show spanning-tree vlan command, answer these
questions:

Which spanning tree implementation is running?

What is the BID?

What is the root bridge ID?

What is the root port (if any)?

Is this system the root bridge?

What is the cost of the path to the root bridge?

Why is Fast Ethernet 0/3 not shown?

Activity Verification
You have completed this activity when you obtain this result:
You configured the Building Distribution switches as the root and backup or secondary
root bridges for your VLANs.



Lab 3-2: Implementing PVRST
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will implement the Per VLAN Rapid Spanning Tree (PVRST) protocol.
After completing this activity, you will be able to meet these objectives:
Configure PVRST in access and distribution switches
Ensure that PVRST is working through link failure testing

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
Access switches
Distribution switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

Spanning Tree Commands

Command                                  Description

interface range port-range               Selects the range of interfaces to be configured

spanning-tree mode [rstp]                Enables RSTP

[no] shutdown                            Enables or disables an interface

clear spanning-tree detected-protocols   Restarts the STP protocol migration process

show vlan                                Shows all configured VLANs on the switch

show spanning-tree summary | detail      Shows summarized statistics for spanning tree including
                                         root bridge, current STP states, etc.

show spanning-tree interface Int-ID      Shows STP statistics for an individual interface

show interfaces status                   Shows a summary of all interfaces and their current status

Job Aids
There are no job aids for this lab activity.



Scenario
The network is operational; however, users complain about intermittent connectivity failure.
They say that sometimes the network just stops working for about 30 to 50 seconds. After the
period is over, the network connectivity is restored and everything is operational. Your team
believes the brief outages are caused by STP convergence and would like to implement RSTP
to overcome the problem.

Task 1: Investigate Access Switch Convergence After Link Failure with 802.1D STP
This task shows how long convergence takes when the topology changes. You will use the
result as a comparison after you have migrated to RSTP.

Activity Procedure
Complete these steps:

Step 1 Log in to your access layer switch.

Step 2 Determine if you have any blocked ports by entering the command show spanning-
tree blockedports. Which port(s) were blocked? _________________________
Step 3 Change the VLAN that is associated to the interface connected to your student PC
router to VLAN1.

Step 4 Connect to your student PC router and log in.


Step 5 From your PC router, start a ping session to another PC router. Use an extended ping
with a repeat of 1000. An extended ping is accomplished by executing ping at the
CLI and following the prompts.
Step 6 Leave the ping running and return to your access switch.

Step 7 From your switch, determine the root port by entering the command show
spanning-tree root. What is your root port? _____________________________
Step 8 Enter interface configuration mode for the root port that you determined in the last
step, and shut it down.

Step 9 As soon as you shut down the interface, exit configuration mode and return to your
PC router.

Step 10 On the PC router, is the ping still running? __________

How long did it take for the pings to resume? ________

Step 11 You should have noticed a 30-second outage for the ping traffic.

Step 12 Return to your access switch and enable the interface that you shut down in step 8.

Activity Verification
You have completed this task when you attain these results:
You verified the STP convergence time.
You have examined the resulting changes to an STP convergence.

Task 2: Configure PVRST on Access Switches
To begin RSTP implementation, you are going to start with the access layer switches. In this
task, you are going to configure RSTP on the access switches.

Activity Procedure
Complete these steps:

Step 1 Log in to your access switch. Enter the command show spanning-tree summary.
What mode is STP running in? _____________

Step 2 To change the STP mode to RSTP, enter the global command spanning-tree mode
rapid-pvst.
Step 3 Enter the command show spanning-tree.

Is the switch now running in PVRST mode? ___________


What is the status of peer switches under the type column?

___________________________________________________________

Note Check to make sure that all of the links connected to other switches are full-duplex. If any of
them are in half-duplex mode, change them to full-duplex by entering the command duplex
full in interface configuration mode. In a situation where you wish to enable rapid spanning
tree but you have only half-duplex-capable devices, you may enter the interface
configuration command spanning-tree link-type point-to-point.

Step 4 Enter the command show spanning-tree detail to examine each root interface.
Make sure they all show as point-to-point.

Step 5 The access switches are complete. Proceed to Task 3 to complete PVRST
configuration on the distribution switches.

Activity Verification
You have completed this task when you attain this result:
You noted the difference between STP and RSTP convergence.

Task 3: Configure PVRST on Distribution Switches
In this task, you will complete the PVRST implementation by configuring the distribution layer
switches.

Activity Procedure
Complete these steps:

Step 1 On your distribution switch, change the STP mode from PVST to PVRST. Use the
command spanning-tree mode rapid-pvst.

Step 2 Enter the command show spanning-tree.

Is the switch now running in PVRST mode? ___________


What is the status of peer switches under the type column?

___________________________________________________________

Note Check to make sure that all of the links connected to other switches are full-duplex. If any of
them are in half-duplex mode, change them to full-duplex by entering the command duplex
full in interface configuration mode. In a situation where you wish to enable rapid spanning
tree but you have only half-duplex-capable devices, you may enter the interface
configuration command spanning-tree link-type point-to-point.

Step 3 Enter the command show spanning-tree detail to examine each root interface.
Make sure they all show as point-to-point. Verify the point-to-point links by using
the command show spanning-tree detail and looking for the interfaces that you just
changed.

Activity Verification
You have completed this task when you attain this result:
You have verified your point-to-point links and interface changes.

Task 4: Investigate Access Switch Convergence After Link Failure with 802.1w RSTP
Now that PVRST is implemented, you are responsible for testing STP convergence.

Activity Procedure
Complete these steps:

Step 1 Log in to your access layer switch.

Step 2 Determine if you have any blocked ports by entering the command show spanning-
tree blockedports. Which port(s) were blocked? _________________________

Step 3 Connect to your student PC router and log in.

Step 4 From your PC router, start a ping session to another PC router. Use an extended ping
with a repeat of 10000. An extended ping is accomplished by executing ping at the
CLI and following the prompts.
Step 5 Leave the ping running and return to your access switch.

Step 6 From your switch, determine the root port by entering the command show
spanning-tree root. What is your root port? _____________________________
Step 7 Enter interface configuration mode for the root port that you determined in the last
step, and shut it down with the command shutdown.

Step 8 As soon as you shut down the interface, exit configuration mode and return to your
PC router.

Step 9 On the PC router, is the ping still running? ____ Are the pings successful? _____

Step 10 You should have noticed a brief outage for the ping traffic, but the ping should have
resumed again very quickly. If you want to see it in real time, have someone else
perform the shutdown command on your switch port while you are watching the
ping traffic.

Step 11 Return to your access switch and enable the interface that you shut down in step 7.

Activity Verification
You have completed this activity when you obtain these results:
Correct implementation of RSTP on access- and distribution-layer switches
Verified and tested RSTP configuration

Lab 3-3: Implementing MSTP
Complete this lab activity to practice what you learned in the related module.

Activity Objective
This activity helps familiarize you with MST implementation and tuning. After completing this
activity, you will be able to meet this objective:
Configure MST on the building access and Building Distribution switches and verify the
configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to an onsite laboratory or a PC with an Internet connection, required to
access the remote laboratory equipment
A terminal server connected to console port of each laboratory device, if using a remote
laboratory
The building and floor assignment provided by your instructor

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

| Command | Description |
| --- | --- |
| instance instance-# vlan vlan-list | Assigns VLANs in the vlan-list to the instance of MST. |
| name region-name | Specifies the configuration name in spanning tree MST configuration mode. The name has a maximum length of 32 characters and is case sensitive. |
| revision revision-# | Sets the MST configuration revision number. |
| show spanning-tree interface {{ethernet \| fastethernet \| gigabitethernet} slot/port} \| {port-channel port_channel_number} | Verifies the spanning tree configuration. |
| show spanning-tree mst configuration | Displays the MST configuration of the switch. |
| show spanning-tree summary | Displays the spanning tree summary. |
| show spanning-tree vlan vlan-id | Verifies that spanning tree is enabled. |
| show spanning-tree vlan vlan-id detail | Displays spanning tree details. |
| shutdown/no shutdown | Shuts down or enables an interface. |
| spanning-tree mode mst | Enables multiple-instance spanning tree mode. |
| spanning-tree mst configuration | Enters MST configuration mode. |
| spanning-tree mst instance-id {root {primary \| secondary} \| {priority prio}} [diameter dia [hello-time hello]] | Configures a switch as the root switch or backup root switch. For instance-id, the range is 0 to 15. (Optional) For diameter net-diameter, specify the maximum number of switches between any two end stations. The range is 2 to 7. This keyword is available for only MST instance 0. (Optional) For hello-time seconds, specify the interval in seconds between the generations of configuration messages by the root switch. The range is 1 to 10 seconds; the default is 2 seconds. |
| spanning-tree mst pre-standard | Specifies that the port can send only prestandard BPDUs. |
| spanning-tree vlan vlan-id priority priority | Sets the BID priority for a specific VLAN. This command does not have any effect if the switch is in MST mode. |

Job Aids
There are no job aids for this lab activity.

Task 1: Configure MST on the Access and Distribution Switches and Verify the Configuration
Because you configured each VLAN separately when running the default PVST, you may not
be using network resources efficiently. MST (IEEE 802.1s) combines the best features of
PVST+ and 802.1Q encapsulation. The goal is to map several VLANs to a reduced number of
spanning tree instances because most networks do not need more than a few logical topologies.
For example, there is no need to run 30 instances of spanning tree for 30 VLANs. If you map
15 VLANs to spanning tree instance 1 and the other 15 VLANs to spanning tree instance 2,
these statements are true:
You can still achieve the desired best-effort load-balancing scheme because half of the
VLANs follow one separate instance.
The CPU is spared by computing only two instances.

You will configure the Building Access switches first; then you will configure the Building
Distribution switches. Refer to the MST VLAN Assignments and Priority table to determine
which instances to configure on the switches.

MST VLAN Assignments and Priority

| Building (Pod #) | Region Name | MST Revision | Instance | Distribution Switch | Root Bridge (4096) | Secondary Root (8192) |
| --- | --- | --- | --- | --- | --- | --- |
| Pod 1 | building1 | 1 | 1 | 1DSW1 | 1, 11, 14 | 12, 13 |
| Pod 1 | building1 | 1 | 2 | 1DSW2 | 12, 13 | 1, 11, 14 |
| Pod 2 | building2 | 1 | 1 | 2DSW1 | 1, 21, 24 | 22, 23 |
| Pod 2 | building2 | 1 | 2 | 2DSW2 | 22, 23 | 1, 21, 24 |
| Pod 3 | building3 | 1 | 1 | 3DSW1 | 1, 31, 34 | 32, 33 |
| Pod 3 | building3 | 1 | 2 | 3DSW2 | 32, 33 | 1, 31, 34 |
| Pod 4 | building4 | 1 | 1 | 4DSW1 | 1, 41, 44 | 42, 43 |
| Pod 4 | building4 | 1 | 2 | 4DSW2 | 42, 43 | 1, 41, 44 |
| Pod 5 | building5 | 1 | 1 | 5DSW1 | 1, 51, 54 | 52, 53 |
| Pod 5 | building5 | 1 | 2 | 5DSW2 | 52, 53 | 1, 51, 54 |
| Pod 6 | building6 | 1 | 1 | 6DSW1 | 1, 61, 64 | 62, 63 |
| Pod 6 | building6 | 1 | 2 | 6DSW2 | 62, 63 | 1, 61, 64 |

Activity Procedure

Complete these steps:

Step 1 Connect to your Building Access switch.

Step 2 Enter the MST configuration mode, using the spanning-tree mst configuration
command.

Step 3 Map the VLANs to MST instances with the instance instance-# vlan
vlan-list command.

Step 4 Assign a region name to the MST configuration with the name region-name
command.
Step 5 Assign a revision to the MST configuration with the revision revision-# command.
Then exit from MST configuration mode.

Step 6 Configure your switch to use MST by entering the spanning-tree mode mst
command.

Step 7 Exit from configuration mode.

Step 8 Connect to your allocated distribution switch.

Step 9 Enter the MST configuration mode, using the spanning-tree mst configuration
command.

Step 10 Map the VLANs to MST instances with the instance instance-# vlan
vlan-list command.

Step 11 Assign a region name to the MST configuration with the name region-name
command.

Step 12 Assign a revision to the MST configuration with the revision revision-# command.

Step 13 Configure the primary and secondary root switches according to the table, using the
spanning-tree mst instance-# root primary and spanning-tree mst instance-# root
secondary commands.

Step 14 Enter the command show spanning-tree.

Is the switch now running in MST mode? ___________

Note The MST implementation on the Cisco Catalyst 2950 Access switches is a prestandard
implementation. It is based on the draft version of the IEEE standard, whereas the MST
implementation in Cisco IOS Release 12.2(25)SEC on the Cisco Catalyst 3750 is based on
the IEEE 802.1s standard.

Step 15 Configure your distribution switch to generate prestandard BPDUs by entering the
spanning-tree mst pre-standard command on the interfaces that connect to the
Building Access switches.

Step 16 Configure your distribution switch to use MST by entering the spanning-tree mode
mst command.

Step 17 Verify configuration with the show spanning-tree mst configuration command.

Step 18 Enter the command show spanning-tree.

Is the switch now running in MST mode? ___________

Note If the output generated by step 18 appears strange, enter the clear spanning-tree
detected-protocols command.

Step 19 Return to your access switch and verify the configuration with the show running-
config command. Verify your configuration with the following output, which shows
the required commands in bold. Your switch-specific information, such as IP
addresses and interface descriptions, will be different.
1ASW1#show running-config
Building configuration...
Current configuration : 2164 bytes
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name building1
 revision 1
 instance 1 vlan 11, 13, 16, 18
 instance 2 vlan 12, 14-15, 17

Step 20 On your access switch, explore the spanning-tree port topology for your primary and
alternate VLANs with the show spanning-tree mst instance and the show
spanning-tree vlan vlan-id commands.
1ASW1#show spanning-tree mst 1
###### MST01        vlans mapped:   11,13,16,18
Bridge      address 0016.47f6.cec0  priority  32769 (32768 sysid 1)
Root        address 0016.46fa.9b00  priority  4097  (4096 sysid 1)
            port    Fa0/1           cost      200000    rem hops 19
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------
Fa0/1            Root FWD 200000    128.1    P2p
Fa0/2            Altn BLK 200000    128.2    P2p
1ASW1#

1ASW1#show spanning-tree vlan 11

MST01
  Spanning tree enabled protocol mstp
  Root ID    Priority    4097
             Address     0016.46fa.9b00
             Cost        200000
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0016.47f6.cec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------
Fa0/1            Root FWD 200000    128.1    P2p
Fa0/2            Altn BLK 200000    128.2    P2p
1ASW1#

Step 21 Verify the configuration on your Building Distribution switches with the show
running-config command. Verify your configuration with the following output,
which shows the required commands in bold. Your switch-specific information, such
as IP addresses and interface descriptions, will be different.
1DSW1#show running-config
Building configuration...
Current configuration : 3939 bytes
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name building1
 revision 1
 instance 1 vlan 11, 13, 16, 18
 instance 2 vlan 12, 14-15, 17
!
spanning-tree mst 0-1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,16 priority 24576
spanning-tree vlan 12,15 priority 28672
!
vlan internal allocation policy ascending
!
!

Step 22 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this activity when you obtain this result:
You have successfully configured and verified MST.
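
Switches form one MST region only when the region name, the revision number, and the VLAN-to-instance mapping entered in the MST configuration steps above are identical on each of them. The Python check below is an added example, not part of the Cisco lab guide: the config excerpts are constructed from the 1ASW1 and 1DSW1 output above, and BAD_CONFIG and all function names are hypothetical.

```python
"""Check that two switches would join the same MST region."""
import re

# Constructed excerpt modelled on the 1ASW1 running-config output above.
ASW_CONFIG = """\
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name building1
 revision 1
 instance 1 vlan 11, 13, 16, 18
 instance 2 vlan 12, 14-15, 17
!
"""

# Constructed excerpt modelled on the 1DSW1 output: same region, plus root priorities.
DSW_CONFIG = ASW_CONFIG + (
    "spanning-tree mst 0-1 priority 24576\n"
    "spanning-tree mst 2 priority 28672\n"
)

# Hypothetical misconfiguration: wrong case in the name, VLAN 15 left unmapped.
BAD_CONFIG = """\
spanning-tree mode mst
!
spanning-tree mst configuration
 name Building1
 revision 1
 instance 1 vlan 11, 13, 16, 18
 instance 2 vlan 12, 14, 17
!
"""


def expand_vlans(vlan_list):
    """Expand a list such as '12, 14-15, 17' into {12, 14, 15, 17}."""
    vlans = set()
    for part in vlan_list.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_mst_region(config):
    """Extract STP mode, region name, revision and VLAN-to-instance map."""
    # Defaults: empty name, revision 0, every VLAN in instance 0 (the IST).
    region = {"mode": None, "name": "", "revision": 0, "vlan_to_instance": {}}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        mode = re.fullmatch(r"spanning-tree mode (\S+)", line)
        if mode:
            region["mode"] = mode.group(1)
            in_block = False
        elif line == "spanning-tree mst configuration":
            in_block = True
        elif in_block:
            name = re.fullmatch(r"name (\S+)", line)
            revision = re.fullmatch(r"revision (\d+)", line)
            instance = re.fullmatch(r"instance (\d+) vlan (.+)", line)
            if name:
                region["name"] = name.group(1)
            elif revision:
                region["revision"] = int(revision.group(1))
            elif instance:
                for vlan in expand_vlans(instance.group(2)):
                    region["vlan_to_instance"][vlan] = int(instance.group(1))
            else:
                in_block = False  # "!" or any other command ends the block
    return region


def region_mismatches(a, b):
    """List every reason the two switches would not share one MST region."""
    problems = []
    for key in ("mode", "name", "revision"):  # the name compare is case sensitive
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]!r} != {b[key]!r}")
    for vlan in sorted(set(a["vlan_to_instance"]) | set(b["vlan_to_instance"])):
        inst_a = a["vlan_to_instance"].get(vlan, 0)
        inst_b = b["vlan_to_instance"].get(vlan, 0)
        if inst_a != inst_b:
            problems.append(f"vlan {vlan}: instance {inst_a} != instance {inst_b}")
    return problems


if __name__ == "__main__":
    access = parse_mst_region(ASW_CONFIG)
    for label, text in (("1DSW1", DSW_CONFIG), ("misconfigured", BAD_CONFIG)):
        problems = region_mismatches(access, parse_mst_region(text))
        print(label, "-> " + ("same region" if not problems else "; ".join(problems)))
```

A switch that fails this comparison is treated by its neighbors as belonging to a different region.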

Lab 3-4: Configuring EtherChannel
Complete this lab activity to practice what you learned in the related module.

Activity Objective
After completing this activity, you will be able to meet this objective:
Configure EtherChannel on the distribution switches so that the time for spanning tree to
converge after a network event is shortened and available bandwidth is better utilized

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
Access and distribution switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

Configuration and Verification Commands

| Commands | Description |
| --- | --- |
| interface interface-id channel-group channel-group-number mode desirable | Unconditionally enable PAgP. Desirable mode places an interface into a negotiating state in which the interface initiates negotiations with other interfaces by sending PAgP packets. A channel is formed with another port group in either the desirable or auto mode. When desirable is enabled, silent operation is the default. |
| show running-config interface interface-id | Displays interface-specific configuration information. |
| show spanning-tree detail | Displays a detailed summary of interface information. |
| show spanning-tree interface interface-id | Displays spanning tree information for the specified interface. |
| show spanning-tree summary totals | Displays a summary of port states or the total lines of the spanning tree state section. |

Scenario
Teams will configure EtherChannel on the distribution and access switches.

Activity Preparation
Use the commands listed in the preceding table to configure the network devices and VLANs
that you are responsible for in this lab activity.

Task 1: Configure EtherChannel on the Distribution Switches
EtherChannel is the logical ordering of multiple links (two, four, or eight) to be treated as one
logical link. In this task, you will activate Fast EtherChannels (FECs) or Gigabit EtherChannels
between each of the Building Distribution switches and between the Building Distribution
switches and the Building Access switches backbone.

Some Cisco Catalyst switches run the Port Aggregation Protocol (PAgP) to automatically
negotiate an FEC bundle. Cisco recommends that you allow PAgP to negotiate the bundle,
using the desirable mode if available. Do not forget to configure both switches on the channel.

EtherChannel Mode Options


The table describes the EtherChannel modes and the results when the switches are paired
together.

| | On (PAgP Off) | Off (PAgP Off) | Auto (PAgP On) | Desirable (PAgP On) |
| --- | --- | --- | --- | --- |
| On | FEC bundle | Not recommended | Not recommended | Not recommended |
| Off | Not recommended | No bundle | No bundle | No bundle |
| Desirable | Not recommended | No bundle | FEC bundle | FEC bundle |
| Auto | Not recommended | No bundle | No bundle | FEC bundle |

Note As shown in the table, some configurations are not recommended because they may create
a loop.

Highlight the steps that you are instructed to complete, and then implement them. For
simplicity, you will be asked to use the same channel group on both switches of an
EtherChannel as shown in the table. In a working network environment, there is no requirement
to use the same channel group on both switches.

Access Switch EtherChannel Assignments

| Access Switch | Interface | Chan. Group | Access Switch | Interface | Chan. Group |
| --- | --- | --- | --- | --- | --- |
| 1ASW1 | Fa 0/9-10 | 1 | 4ASW1 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |
| 1ASW2 | Fa 0/9-10 | 1 | 4ASW2 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |
| 2ASW1 | Fa 0/9-10 | 1 | 5ASW1 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |
| 2ASW2 | Fa 0/9-10 | 1 | 5ASW2 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |
| 3ASW1 | Fa 0/9-10 | 1 | 6ASW1 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |
| 3ASW2 | Fa 0/9-10 | 1 | 6ASW2 | Fa 0/9-10 | 1 |
| | Fa 0/11-12 | 2 | | Fa 0/11-12 | 2 |

Distribution Switch EtherChannel Assignments

| Distribution Switch | Interface | Chan. Group | Distribution Switch | Interface | Chan. Group |
| --- | --- | --- | --- | --- | --- |
| 1DSW1 | Gig 1/0/1-2 | 1 | 4DSW1 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |
| 1DSW2 | Gig 1/0/1-2 | 1 | 4DSW2 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |
| 2DSW1 | Gig 1/0/1-2 | 1 | 5DSW1 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |
| 2DSW2 | Gig 1/0/1-2 | 1 | 5DSW2 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |
| 3DSW1 | Gig 1/0/1-2 | 1 | 6DSW1 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |
| 3DSW2 | Gig 1/0/1-2 | 1 | 6DSW2 | Gig 1/0/1-2 | 1 |
| | Gig 1/0/3-4 | 2 | | Gig 1/0/3-4 | 2 |
| | Gig 1/0/5-6 | 3 | | Gig 1/0/5-6 | 3 |

Activity Procedure
Complete these steps:

Step 1 Establish connectivity to your distribution switch.

Step 2 Configure the EtherChannel groups specified in the table.

1DSW1(config)#interface range gigabitEthernet 1/0/1 - 2
1DSW1(config-if-range)#channel-group 1 mode desirable

Step 3 Establish connectivity to your access switch.

Step 4 Configure the EtherChannels specified in the table.

Step 5 Verify that the ports have joined into a channel by entering the show interfaces
etherchannel, show etherchannel port-channel, and show etherchannel
summary commands. The bundle will be displayed as a port channel interface (for
example, Po1 for bundle 1).

Step 6 Use show spanning-tree commands to verify that the bundle is treated as a single
link. A two-port Fast EtherChannel has a link cost of 12, a four-port Fast
EtherChannel has a link cost of 8, and a two-port Gigabit EtherChannel has a link
cost of 3 when using PVST.

Step 7 Verify the configuration on your Building Distribution switches with the show
running-config command. Verify your configuration with the following output,
which shows the required commands in bold. Your switch-specific information,
such as IP addresses and interface descriptions, will be different.
1DSW1#show running-config
Building configuration...
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface Port-channel3
 switchport access vlan 51
 switchport mode access
 no ip address
!
interface Port-channel4
 switchport access vlan 52
 switchport mode access
 no ip address
!
interface GigabitEthernet1/0/5
 description 1DSW1 1/0/5-6 -- BBSW1 2/1-2
 switchport access vlan 51
 switchport mode access
 no ip address
 speed 1000
 channel-group 3 mode desirable
!
interface GigabitEthernet1/0/6
 description 1DSW1 1/0/5-6 -- BBSW1 2/1-2
 switchport access vlan 51
 switchport mode access
 no ip address
 speed 1000
 channel-group 3 mode desirable
!
interface GigabitEthernet1/0/7
 description 1DSW1 1/0/7-8 -- BBSW2 2/1-2
 switchport access vlan 52
 switchport mode access
 no ip address
 speed 1000
 channel-group 4 mode desirable
!
interface GigabitEthernet1/0/8
 description 1DSW1 1/0/7-8 -- BBSW2 2/1-2
 switchport access vlan 52
 switchport mode access
 no ip address
 speed 1000
 channel-group 4 mode desirable
!
interface GigabitEthernet1/0/9
 description 1DSW1 1/0/9-10 -- 1DSW2 1/0/9-10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,11-18,1002-1005
 switchport mode trunk
 switchport nonegotiate
 no ip address
 duplex full
 speed 100
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/10
 description 1DSW1 1/0/9-10 -- 1DSW2 1/0/9-10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,11-18,1002-1005
 switchport mode trunk
 switchport nonegotiate
 no ip address
 duplex full
 speed 100
 channel-group 1 mode desirable
!

Activity Verification
You have completed this activity when you obtain this result:
Interfaces Gig 1/0/1-6 are configured as three EtherChannels. You observed that spanning
tree treats the newly created port channels as one logical link.
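
The pairing rules from the EtherChannel Mode Options table, applied to the channel-group lines of two running configurations. This Python audit is an added example, not part of the Cisco lab guide: both config excerpts are constructed, the far-end switch and all function names are hypothetical, and groups are matched by number because this lab uses the same channel group on both switches. Modes that are not in the table are rejected.

```python
"""Audit PAgP channel-group modes on both ends of each EtherChannel."""
import re
from collections import defaultdict

# Constructed excerpt in the style of the 1DSW1 running-config output above.
LOCAL_CONFIG = """\
interface GigabitEthernet1/0/1
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/2
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/3
 channel-group 2 mode auto
!
interface GigabitEthernet1/0/5
 channel-group 3 mode on
!
"""

# Hypothetical far-end switch, constructed to hit each row of the table.
REMOTE_CONFIG = """\
interface GigabitEthernet1/0/1
 channel-group 1 mode auto
!
interface GigabitEthernet1/0/2
 channel-group 1 mode auto
!
interface GigabitEthernet1/0/3
 channel-group 2 mode auto
!
interface GigabitEthernet1/0/5
 channel-group 3 mode desirable
!
interface GigabitEthernet1/0/7
 channel-group 4 mode desirable
!
interface GigabitEthernet1/0/8
 channel-group 4 mode auto
!
"""

PAGP_MODES = {"on", "off", "auto", "desirable"}


def channel_groups(config):
    """Map channel-group number -> {interface: mode} from running-config text."""
    groups = defaultdict(dict)
    interface = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"interface (\S+)", line)
        member = re.fullmatch(r"channel-group (\d+) mode (\S+)(?: non-silent)?", line)
        if header:
            interface = header.group(1)
        elif member and interface:
            groups[int(member.group(1))][interface] = member.group(2)
    return dict(groups)


def pagp_outcome(local, remote):
    """Result of pairing two channel modes, following the table above."""
    pair = {local, remote}
    if not pair <= PAGP_MODES:
        raise ValueError(f"mode not in the table: {sorted(pair - PAGP_MODES)}")
    if pair == {"on"}:
        return "FEC bundle"        # both ends bundle without negotiating
    if "on" in pair:
        return "Not recommended"   # only one end bundles unconditionally
    if "off" in pair:
        return "No bundle"
    if "desirable" in pair:
        return "FEC bundle"        # at least one end initiates PAgP
    return "No bundle"             # auto/auto: neither end initiates


def audit(local_config, remote_config):
    """Return {channel group: verdict} for every group seen on either switch."""
    local, remote = channel_groups(local_config), channel_groups(remote_config)
    report = {}
    for group in sorted(set(local) | set(remote)):
        # A group with no member ports on one switch counts as "off" there.
        local_modes = set(local.get(group, {}).values()) or {"off"}
        remote_modes = set(remote.get(group, {}).values()) or {"off"}
        if len(local_modes) > 1 or len(remote_modes) > 1:
            report[group] = "Mixed modes in group"
        else:
            report[group] = pagp_outcome(local_modes.pop(), remote_modes.pop())
    return report


if __name__ == "__main__":
    for group, verdict in audit(LOCAL_CONFIG, REMOTE_CONFIG).items():
        print(f"channel-group {group}: {verdict}")
```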

Lab 3-5: Troubleshooting Spanning Tree
Complete this lab activity to practice what you learned in the related module.

Activity Objective
After completing this activity, you will be able to meet these objectives:
Troubleshoot trunks and VLANs in a multi-VLAN environment
Troubleshoot spanning tree domains
Troubleshoot STP forwarding

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
Access switches
Distribution switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

| Command | Description |
| --- | --- |
| interface range port-range | Selects the range of interfaces to be configured |
| [no] shutdown | Enables or disables an interface |
| clear spanning-tree detected-protocols | Restarts the STP protocol migration process |
| show vlan | Shows all configured VLANs on the switch |
| show spanning-tree summary | Shows summarized statistics for spanning tree, including root bridge, current STP states, and so on |
| show spanning-tree interface Int-ID | Shows STP statistics for an individual interface |
| show interfaces status | Shows a summary of all interfaces and their current status |
| vlan database | Enters VLAN database configuration mode |

Job Aids
There are no job aids for this lab activity.

Scenario
The switching network is no longer working in an optimized fashion. People are complaining
about connectivity failure, and even when the network does seem to work, it is very slow. The
lab switches have been configured to insert problems into the spanning tree domain. It is your
job to troubleshoot the symptoms, document the issues, and resolve any problems.

Task 1: Troubleshoot Spanning Tree on Access Switches


In this task, you will start your troubleshooting process. To begin, you will use your access
switches to find any problems. After you have resolved any issues at the access layer, you will
troubleshoot the distribution layer.

Activity Procedure
Complete these steps:

Step 1 Log in to your access switch.

Step 2 Enter the command show interfaces status to determine if the correct interfaces are
still operational. Do you see any interfaces that are down that were originally up?
______
Step 3 Fix any down interfaces by re-enabling them with the no shutdown command. Did
all the down interfaces come back up? ______ (If they did not all come back up, that
is okay.)
Step 4 Obviously, using the no shutdown command did not fix all your problems; at least
one of your interfaces is still not operational. What do you believe is causing the
interface to be nonfunctional? _____________________________________
Step 5 Enter the command show vlan to see which VLANs are configured on the switch.
Are there any VLANs that were previously configured that are now missing? _____

Step 6 Re-create the missing VLAN. Did your down interface come up? ______ If so, why
was the interface down?
____________________________________________________

Step 7 Now that your interfaces are operational, is network connectivity restored? _____

Step 8 Use a show spanning-tree summary command to see if STP is running. If the STP
configuration on the access switch looks correct, move on to the distribution
switches.

Activity Verification
You have completed this task when you attain these results:
You have identified the problems injected into the configurations on these switches.
You have corrected the problems that were detected.

Task 2: Troubleshoot Spanning Tree on Distribution Switches
Your access switch problems have been resolved; however, network connectivity is still not
restored. Troubleshoot the distribution layer switches to determine the problem.

Activity Procedure
Complete these steps:

Step 1 Telnet to your distribution switch and log in.

Step 2 Enter the command show spanning-tree summary. Has anything changed since
you last documented the switch? ______________________________________

Step 3 Enter the command show vlan to examine the VLAN table. Is there anything wrong
with the VLANs? __________________. If so, correct the problem.

Step 4 In the previous activity, one of the VLANs had been removed. To fix the disabled
interface, you re-created the VLAN on the local switch. Does that VLAN show up
on this distribution switch? ________ Should it be there? ________________

Step 5 What would cause the distribution switch and the access switch to lose VLAN
information from each other? _________________________________________
Step 6 Examine the VTP status by using the show vtp status command. Has anything
changed? ____

Step 7 According to the VTP status output, STP looks as if it is configured correctly, but it
is not working. What else could cause VTP to fail between switches?
_________________________________________________________________

Step 8 Enter the VLAN database by using the command vlan database from privileged
EXEC mode. Fix the VTP password by entering the command no vtp password.

Step 9 Ensure that this password is correct on both switches, and then enter the command
clear spanning-tree detected-protocols.
Step 10 VTP should become operational, and the switches should learn the appropriate
VLANs.

Step 11 Change your access switch port to the student PC back to the original VLAN.

Activity Verification
You have completed this activity when you obtain these results:
Spanning tree on the access switches is functioning properly.
Spanning tree on the distribution switches is functioning properly.
VTP is operational.

When you complete this activity, the above listed problems should have been resolved.
Spanning tree should be completely operational, and VTP exchanges should be working
correctly. To verify VTP, you could change the name of one of the VLANs and ensure that the
name change is reflected throughout the VTP domain.

Quiz 4-1: Describing Routing Between VLANs
This quiz allows you to test the knowledge that you gained in this module.

Activity Objective
In this activity, you will answer questions about routing in the LAN setup shown in the figure.
After completing this activity, you will be able to meet this objective:
Correctly describe routing and performance enhancements of multilayer switches between
VLANs

Activity Procedure
The figure shows multilayer switching between VLANs.

[Figure: Quiz: Describing Routing Between VLANs]

Answer these questions based on these assumptions about the VLANs shown in the figure:
CEF is enabled on all interfaces.
No traffic has passed through the device before now.

Q1) What would happen if PC A sent a flow of packets to PC B?
A) No packets would reach the Layer 3 engine.
B) Only the first packet in the flow would reach the Layer 3 engine.
C) Every packet in the flow would reach the Layer 3 engine.
Q2) What would happen if PC A sent a flow of packets to PC C?
A) No packets would reach the Layer 3 engine.
B) Only the first packet in the flow would reach the Layer 3 engine in order for
the routing table to be interrogated.
C) Only the first few packets in the flow would reach the Layer 3 engine in order
for the Layer 3 engine to use ARP to locate the host.
D) Every packet in the flow would reach the Layer 3 engine.
Q3) What would happen if PC A sent a flow of packets to PC D?
A) No packets would reach the Layer 3 engine.
B) Only the first packet in the flow would reach the Layer 3 engine in order for
the routing table to be interrogated.
C) Only the first few packets in the flow would reach the Layer 3 engine in order
for the Layer 3 engine to use ARP to locate the host.
D) Every packet in the flow would reach the Layer 3 engine.

Lab 4-2: Routing Between VLANs
Complete this lab activity to practice what you learned in the related module.

Caution It is absolutely necessary that all of the previous multilayer switch steps have been
successfully configured and verified by your instructor before proceeding with this activity.

Activity Objective
In the previous lab activities, you configured the Building Distribution switches to support
individual VLANs X1, X2, X3, and X4, creating a typical campus network.

In this activity, you will first remove the VLANs that connect the distribution switches to the
backbone. Then you will assign IP network addresses to the VLANs so that they act as
individual subnets and activate the EIGRP as a Layer 3 routing protocol between the VLANs,
allowing traffic to pass between them. You will then verify the path by pinging between host
PCs. Each PC is on a different VLAN, and the only way this traffic can connect is by
implementing inter-VLAN routing.

After completing this activity, you will be able to meet these objectives:
Configure a Building Distribution multilayer switch for routing
Configure VLAN interfaces for IP addresses with Layer 3 routing
Reconfigure the IP addresses in your network to enable inter-VLAN routing
Verify the Campus Backbone switch configuration for routing
Verify inter-VLAN Layer 3 routing
Disable routing and verify loss of Layer 3 connectivity



Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to an onsite laboratory or a PC with an Internet connection, required to
access the remote laboratory equipment
A terminal server connected to console port of each laboratory device, if using a remote
laboratory
The building and floor assignment provided by your instructor

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]


Command List
The tables describe the commands that are used in this activity.

Building Access Switch Commands

Command                                             Description
configure terminal                                  From privileged EXEC mode, enters global configuration mode
enable password                                     Enters the privileged EXEC mode command interpreter
exit                                                Exits the current mode
interface fastethernet | gigabitethernet slot/port  Enters interface configuration mode for a Cisco Catalyst switch
                                                    with a Fast Ethernet or Gigabit Ethernet interface installed
ip address ip-address subnet-mask                   Assigns an IP address and subnet mask to an interface or a switch
ip default-gateway ip-address                       Assigns a router IP address as the default gateway
ping ip-address                                     Sends an Internet Control Message Protocol (ICMP) echo to the
                                                    designated IP address, using the default settings of size and
                                                    response window time
show ip                                             Displays current IP settings
show running-config                                 Displays the running configuration in memory
shutdown/no shutdown                                Shuts down or enables an interface
telnet ip-address                                   Starts a terminal emulation program from a PC, router, or switch
                                                    that permits you to access network devices remotely over the
                                                    network

Building Distribution Switch Commands

Command                                 Description
configure terminal                      From privileged EXEC mode, enters global configuration mode
copy running-config startup-config      Adds the current configuration to the default configuration in NVRAM
enable password password                Enters the privileged EXEC mode command interpreter
exit                                    Exits the current mode
interface vlan 1 ip address ip-address  Enters interface configuration mode and enters the VLAN to
                                        which the IP information is assigned
ip address ip-address subnet-mask       Assigns an IP address and subnet mask to an interface
ip routing                              Enables IP routing
login                                   Allows you to log in to the system
mac-address mac-address                 Enables a static MAC address to be configured on an interface
network ip-address                      Enables a routing protocol to support a network
no interface vlan                       Deletes a switch virtual interface (SVI)
no ip classless                         Sets the routing protocol to classful operation mode
no shutdown                             Brings up an interface
no switchport                           Removes the interface from Layer 2 configuration mode (if it is
                                        a physical interface)
no vlan vlan-number                     Deletes a VLAN from a trunked Gigabit Ethernet interface
passive-interface                       Prevents a Layer 3 interface from forwarding routing protocol
                                        updates
ping ip-address                         Sends an ICMP echo to the designated IP address, using the
                                        default settings of size and response window time
router eigrp AS-number                  Sets the EIGRP routing protocol to be active in the switch
session module-number                   Connects the CLI to a session on a module
show ip interface                       Displays a summary of IP information and status on an interface
show ip protocols                       Displays the parameters and current state of the active routing
                                        protocol process
show ip route                           Shows the IP routing protocol information per known routes
show running-config                     Displays the running configuration in memory
shutdown/no shutdown                    Shuts down or enables an interface
telnet ip-address                       Starts a terminal emulation program from a PC, router, or switch
                                        that permits you to access network devices remotely over the
                                        network

Job Aids
There are no job aids for this lab activity.



Activity Preparation
Before beginning the lab activity, you will determine the names and IP addresses of the devices
for which you are responsible. You will also verify the IP address of the Building Distribution
switch by pinging it to verify your configuration. Locate your specific device names and IP
addresses in the tables PC Router Names and Configuration, Access Switch Names and
Configuration, Building Access Switch Names and Connected Building Distribution Switches,
and Building Access Switch and VLAN Assignments, and test connectivity to both the
Building Access switch and the Building Distribution switches by pinging them.

PC Router Names and Configuration

PC Router  IP Address  Default Gateway  IP Mask
1PC1       10.1.11.5   10.1.11.1        /24
1PC2       10.1.12.6   10.1.12.2        /24
2PC1       10.2.21.5   10.2.21.1        /24
2PC2       10.2.22.6   10.2.22.2        /24
3PC1       10.3.31.5   10.3.31.1        /24
3PC2       10.3.32.6   10.3.32.2        /24
4PC1       10.4.41.5   10.4.41.1        /24
4PC2       10.4.42.6   10.4.42.2        /24
5PC1       10.5.51.5   10.5.51.1        /24
5PC2       10.5.52.6   10.5.52.2        /24
6PC1       10.6.61.5   10.6.61.1        /24
6PC2       10.6.62.6   10.6.62.2        /24

Access Switch Names and Configuration

Access Switch  IP Address  Default Gateway  IP Mask
1ASW1          10.1.1.3    10.1.1.1         /24
1ASW2          10.1.1.4    10.1.1.1         /24
2ASW1          10.2.1.3    10.2.1.1         /24
2ASW2          10.2.1.4    10.2.1.1         /24
3ASW1          10.3.1.3    10.3.1.1         /24
3ASW2          10.3.1.4    10.3.1.1         /24
4ASW1          10.4.1.3    10.4.1.1         /24
4ASW2          10.4.1.4    10.4.1.1         /24
5ASW1          10.5.1.3    10.5.1.1         /24
5ASW2          10.5.1.4    10.5.1.1         /24
6ASW1          10.6.1.3    10.6.1.1         /24
6ASW2          10.6.1.4    10.6.1.1         /24

Building Access Switch Names and Connected Building Distribution Switches

Access  Primary Distribution  Primary Distribution  Secondary Distribution  Secondary Distribution  Access
Switch  Switch                IP Address            Switch                  IP Address              Switch
1ASW1   1DSW1                 10.1.11.1             1DSW2                   10.1.11.2               1ASW1
1ASW2   1DSW2                 10.1.12.2             1DSW1                   10.1.12.1               1ASW2
2ASW1   2DSW1                 10.2.21.1             2DSW2                   10.2.21.2               2ASW1
2ASW2   2DSW2                 10.2.22.2             2DSW1                   10.2.22.1               2ASW2
3ASW1   3DSW1                 10.3.31.1             3DSW2                   10.3.31.2               3ASW1
3ASW2   3DSW2                 10.3.32.2             3DSW1                   10.3.32.1               3ASW2
4ASW1   4DSW1                 10.4.41.1             4DSW2                   10.4.41.2               4ASW1
4ASW2   4DSW2                 10.4.42.2             4DSW1                   10.4.42.1               4ASW2
5ASW1   5DSW1                 10.5.51.1             5DSW2                   10.5.51.2               5ASW1
5ASW2   5DSW2                 10.5.52.2             5DSW1                   10.5.52.1               5ASW2
6ASW1   6DSW1                 10.6.61.1             6DSW2                   10.6.61.2               6ASW1
6ASW2   6DSW2                 10.6.62.2             6DSW1                   10.6.62.1               6ASW2

The previous lab activities determined which ports are used to interconnect your switches. Two
VLANs are defined per access switch, although only one of them is used in the lab equipment
at this time (VLANs X1 and X2).



Building Access Switch and VLAN Assignments

Access Switch  Port    VLAN  VLAN Name
1ASW1          FA 0/3  11    VLAN11
1ASW2          FA 0/3  12    VLAN12
2ASW1          FA 0/3  21    VLAN21
2ASW2          FA 0/3  22    VLAN22
3ASW1          FA 0/3  31    VLAN31
3ASW2          FA 0/3  32    VLAN32
4ASW1          FA 0/3  41    VLAN41
4ASW2          FA 0/3  42    VLAN42
5ASW1          FA 0/3  51    VLAN51
5ASW2          FA 0/3  52    VLAN52
6ASW1          FA 0/3  61    VLAN51
6ASW2          FA 0/3  62    VLAN52

In previous tasks, each student group configured its Building Access switch for identification
and port configuration. Confer with your group members to assign each task to a student pair.
When your group has verified the lab information, enter the correct information (port number,
system name, password, and so on) in the Port/Name/OK column following the task, or indicate
that the task has been done. Fill in or verify the following information.

Information Port/Name/OK

Access switch name

VLAN1 configured and in operation

Access VLANs correctly configured

Task 1: Configure Switches for Routing
In this task, each student group will configure its Building Distribution switch to support IP
routing. Complete the table as follows, conferring with your group members as necessary:
Place the name of the student pair in the column following the task. The VLANs noted are
for either building group 1 or 2. Check to see which group you are in for the correct
numbers.
Complete the tasks in the order listed. The VLANs that interface with the Building Access
switches are set for passive interface, so they will not forward EIGRP routing protocol
traffic.

Activity Procedure

Complete these steps:

Step 1 Follow the steps below to remove all multiple spanning tree configurations from the
access and distribution layer switches.

Step 2 Establish connectivity to your access switch and enter global configuration mode:
1ASW3# configure terminal
Step 3 Configure your access switch for PVRST.
1ASW3(config)#spanning-tree mode rapid-pvst
Step 4 Configure your distribution switch for PVRST.

Step 5 Change the address and subnet mask of your PC router from 255.255.0.0 (/16) to
255.255.255.0 (/24) on the network interface.

Step 6 Configure the default gateway on your PC router according to the PC Router Names
and Configuration table in the Activity Preparation section. Use the
ip default-gateway ip-address command.

Step 7 Change the subnet mask on your Building Access switch on the VLAN1 interface
from 255.255.0.0 (/16) to 255.255.255.0 (/24).

Step 8 Assign the default gateway for your Building Access switch, using the
ip default-gateway ip-address command.

Step 9 Configure the Fast Ethernet 0/3 interface to reside in your primary VLAN.



Step 10 Verify the configuration on your Building Access switch with the
show running-config command. Verify your configuration with the following output,
which shows the required commands in bold. Your switch-specific information, such as IP
addresses and interface descriptions, will be different.
1ASW1#show running-config
Building configuration...

Current configuration : 2193 bytes


!
interface Vlan1
ip address 10.1.1.3 255.255.255.0

Step 11 Verify the configuration on your PC router with the show running-config
command. Verify your configuration with the following output, which shows the
required commands in bold. Your PC router-specific information, such as IP
addresses and interface descriptions, will be different.
1PC1#show running-config
Building configuration...

Current configuration : 694 bytes

!
interface FastEthernet0
ip address 10.1.11.5 255.255.255.0

Step 12 Establish connectivity to your distribution switch and enter global configuration
mode.
Step 13 Remove VLANs 251 and 252 from the switch with the no vlan vlan-number
command. This removes any other connectivity between the switches.

Step 14 Shut down the link between the Building Distribution switches, using interfaces
Gigabit Ethernet 1/0/5 and 1/0/6.

Step 15 Enable IP routing in the switch with the ip routing command. Without this
command, the switch will not accept IP routing information.

Step 16 Enter the no ip classless command to enable classful IP routing operation.

Step 17 Enable EIGRP routing with the router eigrp 1 command.

Step 18 In the router configuration mode, enter network 10.0.0.0 as the routed network.
Step 19 Proceed to Task 2.

Activity Verification
You have completed this task when you attain this result:
All requested configuration tasks have been completed. True verification requires that the
remaining tasks be completed first.

Task 2: Configure VLAN Interfaces for IP Addresses with Layer 3 Routing
In this task, you will configure VLAN interfaces with an IP address and subnet mask so that
they will all be in different broadcast domains, with inter-VLAN routing active between them.
You will also disable the VLAN connections. Complete these steps on your Building
Distribution switch:

Step 1 Configure the IP address and mask on VLAN1. Note that VLAN1 is already in the
switch; you should not delete it. Use the Building Distribution Switch VLAN
Configuration table to determine the correct VLAN1 IP address for your switch. Use
the subnet mask of 255.255.255.0 (/24).

Building Distribution Switch VLAN Configuration

Distribution Switch  VLAN1  IP Address  VLANX1  IP Address
1DSW1                1      10.1.1.1    11      10.1.11.1
1DSW2                1      10.1.1.2    11      10.1.11.2
2DSW1                1      10.2.1.1    21      10.2.21.1
2DSW2                1      10.2.1.2    21      10.2.21.2
3DSW1                1      10.3.1.1    31      10.3.31.1
3DSW2                1      10.3.1.2    31      10.3.31.2
4DSW1                1      10.4.1.1    41      10.4.41.1
4DSW2                1      10.4.1.2    41      10.4.41.2
5DSW1                1      10.5.1.1    51      10.5.51.1
5DSW2                1      10.5.1.2    51      10.5.51.2
6DSW1                1      10.6.1.1    61      10.6.61.1
6DSW2                1      10.6.1.2    61      10.6.61.2

Distribution Switch  VLANX2  IP Address  VLANX3  IP Address  VLANX4  IP Address
1DSW1                12      10.1.12.1   13      10.1.13.1   14      10.1.14.1
1DSW2                12      10.1.12.2   13      10.1.13.2   14      10.1.14.2
2DSW1                22      10.2.22.1   23      10.2.23.1   24      10.2.24.1
2DSW2                22      10.2.22.2   23      10.2.23.2   24      10.2.24.2
3DSW1                32      10.3.32.1   33      10.3.33.1   34      10.3.34.1
3DSW2                32      10.3.32.2   33      10.3.33.2   34      10.3.34.2
4DSW1                42      10.4.42.1   43      10.4.43.1   44      10.4.44.1
4DSW2                42      10.4.42.2   43      10.4.43.2   44      10.4.44.2
5DSW1                52      10.5.52.1   53      10.5.53.1   54      10.5.54.1
5DSW2                52      10.5.52.2   53      10.5.53.2   54      10.5.54.2
6DSW1                62      10.6.62.1   63      10.6.63.1   64      10.6.64.1
6DSW2                62      10.6.62.2   63      10.6.63.2   64      10.6.64.2

Step 2 Configure the IP address and subnet mask VLANX1 from the Building Distribution
Switch VLAN Configuration table. The VLAN immediately comes up in the switch
when you enter the address information and assign ports to it. (Ports were assigned
to VLANs in a previous lab activity.)

Step 3 Repeat step 2 to configure and activate VLANs X2, X3, and X4.

Step 4 Enable EIGRP routing. Configure VLAN1 and VLANs X1 to X4 as passive interfaces
with the passive-interface command. This approach prevents these interfaces from
forwarding IP routing protocol information.

Note Do not use the passive-interface command on any IP interface other than the access
VLANs 1, 11, 12, 13, and 14.

Building Distribution Switch Layer 3 Switching Configuration

Subnet  Port                             XDSW1 IP Address  BBSW1 IP Address  BBSW2 IP Address
1X1     XDSW1 Gig1/0/9 (BBSW1 2/X)       10.X.1X1.1/24     10.X.1X1.101/24   ---
1X3     XDSW1 Gig1/0/10 (BBSW2 2/24+X)   10.X.1X3.1/24     ---               10.X.1X2.101/24

Subnet  Port                             XDSW1 IP Address  BBSW1 IP Address  BBSW2 IP Address
1X2     XDSW2 Gig1/0/9 (BBSW1 2/24+X)    10.X.1X2.2/24     10.X.1X2.202/24   ---
1X4     XDSW2 Gig1/0/10 (BBSW2 2/X)      10.X.1X4.2/24     ---               10.X.1X4.202/24

Examples

Distribution Switch  Port #      IP Address  Backbone Switch  BB Port #  BB IP Address
1DSW1                Gig 1/0/9   10.1.111.1  BBS - 1          Gig 2/1    10.1.111.101
1DSW1                Gig 1/0/10  10.1.113.1  BBS - 2          Gig 2/25   10.1.113.101
1DSW2                Gig 1/0/10  10.1.112.1  BBS - 1          Gig 2/25   10.1.112.101
1DSW2                Gig 1/0/9   10.1.114.1  BBS - 2          Gig 2/1    10.1.114.102
2DSW1                Gig 1/0/9   10.2.121.1  BBS - 1          Gig 2/2    10.2.121.101
2DSW1                Gig 1/0/10  10.2.123.1  BBS - 2          Gig 2/26   10.2.123.102
2DSW2                Gig 1/0/10  10.2.122.1  BBS - 1          Gig 2/26   10.2.122.101
2DSW2                Gig 1/0/9   10.2.124.1  BBS - 2          Gig 2/2    10.2.124.102
3DSW1                Gig 1/0/9   10.3.131.1  BBS - 1          Gig 2/3    10.3.131.101
3DSW1                Gig 1/0/10  10.3.133.1  BBS - 2          Gig 2/27   10.3.133.102
3DSW2                Gig 1/0/10  10.3.132.1  BBS - 1          Gig 2/27   10.3.132.101
3DSW2                Gig 1/0/9   10.3.134.1  BBS - 2          Gig 2/3    10.3.134.102
4DSW1                Gig 1/0/9   10.4.141.1  BBS - 1          Gig 2/4    10.4.141.101
4DSW1                Gig 1/0/10  10.4.143.1  BBS - 2          Gig 2/28   10.4.143.102
4DSW2                Gig 1/0/10  10.4.142.1  BBS - 1          Gig 2/28   10.4.142.101
4DSW2                Gig 1/0/9   10.4.144.1  BBS - 2          Gig 2/4    10.4.144.102
5DSW1                Gig 1/0/9   10.5.151.1  BBS - 1          Gig 2/5    10.5.151.101
5DSW1                Gig 1/0/10  10.5.153.1  BBS - 2          Gig 2/29   10.5.153.102
5DSW2                Gig 1/0/10  10.5.152.1  BBS - 1          Gig 2/29   10.5.152.101
5DSW2                Gig 1/0/9   10.5.154.1  BBS - 2          Gig 2/5    10.5.154.102
6DSW1                Gig 1/0/9   10.6.161.1  BBS - 1          Gig 2/6    10.6.161.101
6DSW1                Gig 1/0/10  10.6.163.1  BBS - 2          Gig 2/30   10.6.163.102
6DSW2                Gig 1/0/10  10.6.162.1  BBS - 1          Gig 2/6    10.6.162.101
6DSW2                Gig 1/0/9   10.6.164.1  BBS - 2          Gig 2/30   10.6.164.102

Step 5 Configure the Gigabit Ethernet interfaces 1/0/9 and 1/0/10 as routed ports, using the
IP addresses in the Building Distribution Switch Layer 3 Switching Configuration
table. Remember to use the mask of 255.255.255.0 when configuring the IP
addresses. (To convert the gigabitethernet1/2 interface from a Layer 2 switchport to
a Layer 3 routed physical interface, the no switchport command must be used
before assigning the IP.)
Step 6 Verify the configuration on your Building Distribution switch with the
show ip interface brief command. Confirm that all appropriate SVIs have the correct IP
address, all routed ports have the correct IP address, and all appropriate interfaces
are in the up/up state.

Step 7 Verify the configuration on your Building Distribution switches with the
show running-config command. Verify your configuration with the following output,
which shows the required commands in bold. Your switch-specific information,
such as IP addresses and interface descriptions, will be different.
1DSW1#show running-config
!
interface VLAN1
ip address 10.1.1.1 255.255.255.0
!
interface VLAN11
ip address 10.1.11.1 255.255.255.0
!
interface VLAN12
ip address 10.1.12.1 255.255.255.0
!
interface VLAN13
ip address 10.1.13.1 255.255.255.0
!
interface VLAN14
ip address 10.1.14.1 255.255.255.0
!
interface GigabitEthernet1/0/5
ip address 172.16.111.111 255.255.255.0
no switchport
!
interface GigabitEthernet1/0/9
ip address 10.1.111.1 255.255.255.0
no switchport
!
interface GigabitEthernet1/0/10
ip address 10.1.113.1 255.255.255.0
no switchport
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
network 10.0.0.0
auto-summary
no eigrp log-neighbor-changes

!

Step 8 Save your configuration.


Step 9 Proceed to Task 3.

Activity Verification
You have completed this task when you attain this result:
All requested configuration tasks are completed as described. Proceed to Task 3 to ensure all
aspects of the lab are complete and operational.
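
The Note after Step 4 and the running-config in Step 7 can be checked mechanically, which matters because a passive interface sends no EIGRP hellos and so forms no adjacencies on the access VLANs. The following Python script is an added example, not part of the Cisco lab guide: it parses a running-config excerpt, lists the interfaces on which EIGRP still speaks, and reports deviations from the passive-interface rule. The function names and SAMPLE_CONFIG (retyped from the Step 7 output for 1DSW1) are assumptions made for this example.

```python
import ipaddress
import re

# Constructed input: the 1DSW1 excerpt printed in Step 7, retyped as a string.
SAMPLE_CONFIG = """\
interface VLAN1
 ip address 10.1.1.1 255.255.255.0
!
interface VLAN11
 ip address 10.1.11.1 255.255.255.0
!
interface VLAN12
 ip address 10.1.12.1 255.255.255.0
!
interface VLAN13
 ip address 10.1.13.1 255.255.255.0
!
interface VLAN14
 ip address 10.1.14.1 255.255.255.0
!
interface GigabitEthernet1/0/5
 ip address 172.16.111.111 255.255.255.0
 no switchport
!
interface GigabitEthernet1/0/9
 ip address 10.1.111.1 255.255.255.0
 no switchport
!
interface GigabitEthernet1/0/10
 ip address 10.1.113.1 255.255.255.0
 no switchport
!
router eigrp 1
 passive-interface Vlan1
 passive-interface Vlan11
 passive-interface Vlan12
 passive-interface Vlan13
 passive-interface Vlan14
 network 10.0.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
"""


def classful_network(address):
    """Network covered by 'network A.B.C.D' when no wildcard mask is given."""
    first_octet = int(address.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def parse(config):
    """Return ({interface: IPv4Interface}, [EIGRP networks], {passive names})."""
    interfaces, networks, passive, section = {}, [], set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line, re.I):
            section = m.group(1).lower()      # IOS interface names ignore case
        elif re.match(r"router eigrp \d+$", line, re.I):
            section = "eigrp"
        elif line == "!":
            section = None
        elif section == "eigrp":
            if m := re.match(r"passive-interface (\S+)$", line, re.I):
                passive.add(m.group(1).lower())
            elif m := re.match(r"network (\d+\.\d+\.\d+\.\d+)$", line, re.I):
                networks.append(classful_network(m.group(1)))
        elif section and (m := re.match(r"ip address (\S+) (\S+)$", line, re.I)):
            interfaces[section] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces, networks, passive


def eigrp_speaking_interfaces(config):
    """Interfaces that send EIGRP hellos: addressed, inside a network
    statement, and not passive."""
    interfaces, networks, passive = parse(config)
    return sorted(name for name, ip in interfaces.items()
                  if name not in passive and any(ip.ip in net for net in networks))


def audit(config, access_vlans):
    """Apply the Note after Step 4: access SVIs passive, nothing else passive."""
    interfaces, _, passive = parse(config)
    access = {f"vlan{v}" for v in access_vlans}
    findings = [f"{n}: access SVI is not passive"
                for n in sorted((access & set(interfaces)) - passive)]
    findings += [f"{n}: passive on a non-access interface"
                 for n in sorted(passive - access)]
    return findings


if __name__ == "__main__":
    print("EIGRP speaks on:", eigrp_speaking_interfaces(SAMPLE_CONFIG))
    print("Findings:", audit(SAMPLE_CONFIG, [1, 11, 12, 13, 14]) or "none")
```

GigabitEthernet1/0/5 does not appear in the result because its 172.16.111.111 address falls outside the classful 10.0.0.0 network statement.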

Task 3: Verify Your VLAN Configuration


In this task, you will verify that your VLAN configuration is correct so that you can enable
inter-VLAN routing.

Activity Procedure
Complete these steps:

Step 1 On your distribution switch, enter the show ip interface brief command to display
your Layer 3 interfaces.
Switch#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 5 subnets
C 10.1.12.0 is directly connected, Vlan12
C 10.1.13.0 is directly connected, Vlan13
C 10.1.14.0 is directly connected, Vlan14
C 10.1.11.0 is directly connected, Vlan11
C 10.1.1.0 is directly connected, Vlan1
Step 2 In privileged EXEC mode, use the copy running-config startup-config command
to save your configuration.

Step 3 Consult with the other lab groups to verify that the same information was configured
in their primary switch because it is your secondary switch.



Step 4 Open a Telnet session to your secondary switch. Verify the IP addresses and EIGRP
routing and other routing table information.
Step 5 Proceed to Task 4.

Activity Verification
You have completed this task when you attain this result:
All requested commands are executed and the suggested results achieved.

Task 4: Verify Inter-VLAN Layer 3 Routing


In this task, you will verify inter-VLAN path connectivity between your PC, your Building
Distribution switches, and the other PC routers in the classroom. Everyone should have IP
access now to the Building Distribution switches via VLAN1 and their Building Access
switches.

Activity Procedure
Complete these steps:
Step 1 Enter the show ip route command. Verify that your routing table is complete.

Step 2 Answer the following questions pertaining to the routing table on your system.

What does the 90 in the [90/3072] indicate for the displayed routes?

____________________________________________________________________

What does the 3072 in the [90/3072] indicate in the same window?

____________________________________________________________________

Can you change either of these numbers (90 or 3072) using Cisco IOS commands?

___________________________________________________________________

Step 3 From your PC router, ping the addresses indicated in the Addresses to Ping table.
Determine which devices can or cannot ping each other.

Addresses to Ping

Your PC  PC IP      PC Gateway  Ping  Far PC Gateway  Ping  Far PC  Far PC IP  Ping
Name     Address    Address     OK?   Address         OK?   Name    Address    OK?
XPC5     10.X.X1.5  10.X.X1.1         10.X.X2.2             XPC6    10.X.X2.6

Examples

1PC1     10.1.11.5  10.1.11.1         10.1.12.2             1PC2    10.1.12.6
1PC2     10.1.12.6  10.1.12.2         10.1.11.1             1PC1    10.1.11.5
2PC1     10.2.21.5  10.2.21.1         10.2.22.2             2PC2    10.2.22.6
2PC2     10.2.22.6  10.2.22.2         10.2.21.1             2PC1    10.2.21.5
3PC1     10.3.31.5  10.3.31.1         10.3.32.2             3PC2    10.3.32.6
3PC2     10.3.32.6  10.3.32.2         10.3.31.1             3PC1    10.3.31.5
4PC1     10.4.41.5  10.4.41.1         10.4.42.2             4PC2    10.4.42.6
4PC2     10.4.42.6  10.4.42.2         10.4.41.1             4PC1    10.4.41.5
5PC1     10.5.51.5  10.5.51.1         10.5.52.2             5PC2    10.5.52.6
5PC2     10.5.52.6  10.5.52.2         10.5.51.1             5PC1    10.5.51.5
6PC1     10.6.61.5  10.6.61.1         10.6.62.2             6PC2    10.6.62.6

Step 4 Check with the other groups to see if they can successfully ping all their systems. If
there are connectivity problems, can you explain what caused them?

___________________________________________________________________

Step 5 Verify end-to-end connectivity, using ping commands. Refer to the Addresses to
Ping table to determine the correct targets. Get the information from all the other
groups to verify that they have correctly configured their switches.

Activity Verification
You have completed this activity when you obtain these results:
You configured a building distribution Layer 3 switch for routing with EIGRP.
You configured VLAN and switch interfaces with IP addresses and verified the
configuration.
You enabled Layer 3 routing between the individual VLANs and switches as identified by
their active subnets.
You verified the loss of Layer 3 connectivity when the routing protocol was disabled, then
re-enabled the protocol to restore the internetwork.



Lab 5-1: Enabling and Optimizing HSRP
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will enable and optimize HSRP. After completing this activity, you will be
able to meet these objectives:
Configure HSRP on the router
Test HSRP on routers by simulating a failure
Test HSRP tuning enhancements, using the preempt command
Troubleshoot HSRP on the routers

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to an onsite laboratory or a PC with an Internet connection, required to
access the remote laboratory equipment
A terminal server connected to the console port of each laboratory device, if using a remote
laboratory
The building and floor assignment provided by your instructor

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

Command                                               Description
configure terminal                                    From privileged EXEC mode, enters global configuration mode
copy running-config startup-config                    Adds the current configuration to the default configuration in
                                                      memory
debug standby                                         Displays all HSRP errors, events, and packets
enable password password                              Enters the privileged EXEC mode command interpreter
exit                                                  Exits the current mode
ip default-gateway ip-address                         Defines the gateway of last resort on the router when IP routing
                                                      is disabled
show standby [interface-id [group]] [brief] [detail]  Displays HSRP information for the whole switch, for a specific
                                                      interface, for an HSRP group, or for an HSRP group on an
                                                      interface
shutdown/no shutdown                                  Shuts down or enables an interface
standby group-number ip virtual-router-ip-address     Enables HSRP and establishes the IP address of the virtual
                                                      router
standby group-number preempt                          Enables the HSRP router with the highest priority to
                                                      immediately become the active router
standby group-number priority priority                Sets the router's HSRP priority
telnet ip-address                                     Starts a terminal emulation program from a PC, router, or switch
                                                      that permits you to access network devices remotely over the
                                                      network
undebug all                                           Disables debugging

Job Aids
There are no job aids for this lab activity.

Task 1: Configure HSRP on the Router


In this task, you will configure HSRP for redundancy on each of your Layer 3 devices for your
building and floor VLAN. You will configure basic HSRP functionality and then tune HSRP
for better efficiency.

Activity Procedure
Complete these steps:

Step 1 Use the table to identify the HSRP address for each VLAN.

VLAN HSRP Addresses

VLAN  Primary Layer 3 Device  Secondary Layer 3 Device  HSRP IP      HSRP Group
X1    XDSW1                   XDSW2                     10.X.X1.254  1
X2    XDSW2                   XDSW1                     10.X.X2.254  2

Examples

11    1DSW1                   1DSW2                     10.1.11.254  1
12    1DSW2                   1DSW1                     10.1.12.254  2
21    2DSW1                   2DSW2                     10.2.21.254  1
22    2DSW2                   2DSW1                     10.2.22.254  2
31    3DSW1                   3DSW2                     10.3.31.254  1
32    3DSW2                   3DSW1                     10.3.32.254  2
41    4DSW1                   4DSW2                     10.4.41.254  1
42    4DSW2                   4DSW1                     10.4.42.254  2
51    5DSW1                   5DSW2                     10.5.51.254  1
52    5DSW2                   5DSW1                     10.5.52.254  2
61    6DSW1                   6DSW2                     10.6.61.254  1
62    6DSW2                   6DSW1                     10.6.62.254  2


Step 2 Establish a connection to your assigned Building Distribution switch.

Step 3 Enter privileged EXEC mode.

Step 4 Select the appropriate VLAN interface.


Step 5 Use the standby group-number ip virtual-router-ip-address command to configure
HSRP on the primary and secondary Layer 3 device for the VLAN interface for
which you are responsible.
Step 6 Use the standby group-number priority priority command to lower the priority of
the secondary Layer 3 device, which will force the primary router to become the
active HSRP router. Use a priority of 50 to force the secondary Layer 3 device to
move into standby mode.

Step 7 Verify HSRP operation with the show standby brief command.



Step 8 Answer these questions:

Which router is the active router?

____________________________________________________________________

What is the priority of the active router?

____________________________________________________________________

Which router is the standby router?

____________________________________________________________________

What is the priority of the standby router?

____________________________________________________________________

Is the router with the highest priority active? Why or why not?

____________________________________________________________________

Step 9 Save your switch configuration.

Step 10 Proceed to Task 2.

Activity Verification
You have completed this task when you attain this result:
You configured HSRP and were able to verify that HSRP is running between the Layer 3
devices.

Task 2: Test HSRP on Routers by Simulating a Failure


In this task, you will generate network traffic by using a continuous ping. You will simulate a
router failure so that you can observe HSRP and verify that it works correctly.

Activity Procedure
Complete these steps:

Step 1 Change the default gateway on your PC router, using the
ip default-gateway <ip-address> command to use the virtual HSRP address.

Step 2 Start a continuous ping from your PC router device to a Campus Backbone switch.

Step 3 View the status of HSRP on your VLAN on each Layer 3 device.

Which router is the active HSRP router?

____________________________________________________________________

Step 4 Simulate a router failure by disabling your primary router interface. Enter the
shutdown command on the VLAN interface of the primary Layer 3 device.

Step 5 Observe what happens to your continuous ping.

How many packets were dropped, or for how long was your traffic disrupted?

____________________________________________________________________

Did you expect this result?

____________________________________________________________________

Remember that the default hello interval is 3 seconds, with a 10-second timeout. Can
you explain why you had the delay that you experienced?

____________________________________________________________________

Step 6 Observe the status of HSRP by entering the show standby vlan-id command.

Step 7 Enter the no shutdown command on the VLAN interface of the primary Layer 3
device to re-enable your primary router interface.

Step 8 Observe the status of HSRP by entering the show standby vlan-id command.

Which router is active?

____________________________________________________________________

Which router is the standby?

____________________________________________________________________

Step 9 Proceed to Task 3.

Activity Verification
You have completed this task when you attain this result:
You tested HSRP, and failover to the backup router was successful.

Task 3: Test HSRP Tuning Enhancements Using Preempt


Without preempt configured on HSRP, the first router to start HSRP becomes the active router,
regardless of the priority. The purpose of tuning HSRP is similar to tuning spanning tree. You
want the Layer 3 device in 1DSW1 to process IP packets for half of the traffic of specific
VLANs. The other distribution switch should process the other traffic. In the event of a Layer 3
device failure, the other Layer 3 device will process packets. You should ensure that the proper
Layer 3 device is always active if it is up, using the preempt command.
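
The effect of preempt described above, together with the resign behaviour and the 3-second hello and 10-second timeout from Task 2, can be modelled in Python. This is an added example, not part of the lab guide or of Cisco software; Router, HsrpGroup and lab_scenario are hypothetical names. The model tracks only which router holds the active role and assumes hellos are sent at exact multiples of the hello interval.

```python
from dataclasses import dataclass

HELLO, HOLD = 3, 10   # default hello interval and timeout quoted in Task 2, seconds


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100     # HSRP default priority
    preempt: bool = False
    up: bool = False

    def rank(self):
        # Election order: higher priority first, higher interface IP breaks a tie.
        return (self.priority, tuple(int(octet) for octet in self.ip.split(".")))


class HsrpGroup:
    """Tracks which router is active in one HSRP group after each event."""

    def __init__(self, *routers):
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.log = []           # (time of role change, event, active router)

    def _record(self, when, event):
        self.log.append((when, event, self.active))
        return self.active

    def no_shutdown(self, when, name):
        router = self.routers[name]
        router.up = True
        current = self.routers.get(self.active)
        if current is None:
            self.active = name          # nobody holds the role yet
        elif router.preempt and router.priority > current.priority:
            self.active = name          # preempt: take the role from a lower priority
        return self._record(when, f"{name} up")

    def fail(self, when, name, graceful=True):
        """graceful=True models 'shutdown' (the active router resigns at once);
        graceful=False models a silent failure seen only when the timeout expires."""
        was_active = self.active == name
        self.routers[name].up = False
        if was_active:
            survivors = [r for r in self.routers.values() if r.up]
            self.active = max(survivors, key=Router.rank).name if survivors else None
            if not graceful:
                # Assumption: the last hello left at the latest multiple of HELLO.
                when = (when // HELLO) * HELLO + HOLD
        return self._record(when, f"{name} down")


def lab_scenario(preempt_on_primary):
    """Tasks 2 and 3 for VLAN 11: shut the primary, then bring it back."""
    group = HsrpGroup(
        Router("1DSW1", "10.1.11.1", priority=100, preempt=preempt_on_primary),
        Router("1DSW2", "10.1.11.2", priority=50),
    )
    group.no_shutdown(0, "1DSW1")
    group.no_shutdown(0, "1DSW2")
    group.fail(30, "1DSW1")                   # shutdown on the primary
    return group.no_shutdown(60, "1DSW1")     # no shutdown on the primary


if __name__ == "__main__":
    print("without preempt:", lab_scenario(False))
    print("with preempt:   ", lab_scenario(True))
```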

Activity Procedure
Complete these steps:

Step 1 Configure your primary Layer 3 device with preempt, using the
standby group-number preempt command.

Step 2 Start a continuous ping on your PC router.



Step 3 View the status of HSRP on your VLAN on each Layer 3 device.

Which router is the active HSRP router?

____________________________________________________________________

Step 4 Simulate a router failure by disabling your primary router interface. Enter the
shutdown command on the VLAN interface of the primary Layer 3 device.

Step 5 Observe what happens to your continuous ping.

Step 6 Observe the status of HSRP by entering the show standby vlan-id command.

Step 7 Re-enable your primary router interface by entering the no shutdown command on
the VLAN interface of the primary Layer 3 device.
Step 8 Observe the status of HSRP by using the show standby vlan-id command.

Which router is active?

____________________________________________________________________

Which router is the standby?

____________________________________________________________________

Step 9 Proceed to Task 4.

Activity Verification
You have completed this task when you attain this result:
The router with the highest priority became the active router.

Task 4: Troubleshoot HSRP on the Routers


There are many potential issues with HSRP. Recall what happened when you used the
shutdown command to test HSRP. You should have noticed that you did not lose a significant
number of ping packets. When a shutdown is entered on the active router, HSRP cleans up; that
is, it resigns the role of the active router. When you added preempt to HSRP, how long did it
take for the router with the highest priority with preempt to become active? It should not have
taken very long.

Debugging HSRP is very useful in learning how HSRP works. You can watch HSRP transition
through the different states. As time permits, enable HSRP debugging and look at the HSRP
output. You can redo the steps in this lab activity with HSRP debugging enabled, and view
what really occurs with HSRP.

Note Check with your instructor before enabling HSRP debugging.

Activity Procedure
Complete these steps:

Step 1 Enable HSRP debugging.

Step 2 Repeat portions of the lab activity to observe HSRP as time permits.

Step 3 Review the sample debugging output taken from 1DSW1.


*Mar 1 20:26:25.314: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 20:26:26.170: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 20:26:26.314: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
*Mar 1 20:26:35.318: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:38.274: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:41.186: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:44.142: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:45.318: SB11: Vl11 Hello out 10.1.11.1 Standby pri 100 ip 10.1.11.254
*Mar 1 20:26:45.318: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Standby -> Active
*Mar 1 20:26:45.318: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:48.298: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:51.266: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:54.214: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:57.130: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:00.018: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:03.014: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:06.014: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:09.002: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:11.962: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:14.906: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:17.834: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:20.830: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:21.518: SB11: Vl11 Resign out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:21.518: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Active -> Init
*Mar 1 20:27:21.518: SB11: Vl11 Resign out 10.1.11.1 Init pri 100 ip 10.1.11.254
*Mar 1 20:27:23.518: %LINK-5-CHANGED: Interface Vlan11, changed state to administratively down
*Mar 1 20:27:24.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to down

1DSW1#undebug all
All possible debugging has been turned off
1DSW1#

Step 4 Note these items in the debug output:

Only VLAN11 is configured on 1DSW1 for HSRP. HSRP has not been configured on 1DSW2. The VLAN11 interface is initially in the shutdown state. VLAN11 is activated by entering the no shutdown command.
Notice that the interface transitions into speak state from init state when activated.
The speak state lasts for the timeout interval, which defaults to 10 seconds. The hello interval default is 3 seconds.
During the speak state, no active or standby packets were heard, so HSRP expired both the standby and active routers. Thus, this switch immediately transitioned into standby state from the speak state after the 10 seconds, then immediately into the active state.
At the end of the debug, interface VLAN11 was administratively shut down. Notice that HSRP resigns the role as the active router, and then the interface shuts down.
Finally, the interface is returned to the init state, which it was in when the debugging process was started.

Step 5 Exit back to privileged EXEC mode and close the Telnet window.

Step 6 Notify your instructor that you have completed the activity.

Activity Verification
You have completed this activity when you obtain this result:
You executed the show and debug commands, and you understand how HSRP works.
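
The observations in Step 4 can be checked mechanically against the Step 3 output. The following Python script is an added example, not part of the original lab guide: it parses the HSRP debug lines, rebuilds the state sequence, and measures the speak period and hello spacing. The function names are illustrative, and the parser assumes the line layout shown in the sample, a single HSRP group, and timestamps that do not cross midnight.

```python
import re

# HSRP and link lines from the Step 3 sample, wrapped lines rejoined
# (%SYS and %LINEPROTO lines omitted).
SAMPLE = """\
*Mar 1 20:26:25.314: %LINK-3-UPDOWN: Interface Vlan11, changed state to up
*Mar 1 20:26:35.318: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:38.274: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:41.186: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:44.142: SB11: Vl11 Hello out 10.1.11.1 Speak pri 100 ip 10.1.11.254
*Mar 1 20:26:45.318: SB11: Vl11 Hello out 10.1.11.1 Standby pri 100 ip 10.1.11.254
*Mar 1 20:26:45.318: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Standby -> Active
*Mar 1 20:26:45.318: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:48.298: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:51.266: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:54.214: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:26:57.130: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:00.018: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:03.014: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:06.014: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:09.002: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:11.962: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:14.906: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:17.834: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:20.830: SB11: Vl11 Hello out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:21.518: SB11: Vl11 Resign out 10.1.11.1 Active pri 100 ip 10.1.11.254
*Mar 1 20:27:21.518: %STANDBY-6-STATECHANGE: Vlan11 Group 11 state Active -> Init
*Mar 1 20:27:21.518: SB11: Vl11 Resign out 10.1.11.1 Init pri 100 ip 10.1.11.254
*Mar 1 20:27:23.518: %LINK-5-CHANGED: Interface Vlan11, changed state to administratively down
"""

# Timestamp prefix "*Mar 1 20:26:35.318: " -> hour, minute, second, millisecond.
TS = r"\*?\w{3}\s+\d+\s+(\d+):(\d+):(\d+)\.(\d{3}):\s+"
PACKET_RE = re.compile(
    TS + r"SB(\d+): (\S+) (Hello|Resign) (in|out) (\S+) (\w+) pri (\d+) ip (\S+)")
CHANGE_RE = re.compile(
    TS + r"%STANDBY-6-STATECHANGE: (\S+) Group (\d+) state (\w+) -> (\w+)")
ADMIN_DOWN_RE = re.compile(
    TS + r"%LINK-5-CHANGED: Interface (\S+), changed state to administratively down")


def _ms(h, m, s, frac):
    """Milliseconds since midnight (the capture must not cross midnight)."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(frac)


def parse(text):
    """Return (packets, state_changes, admin_down_times) found in the debug text."""
    packets, changes, admin_down = [], [], []
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            packets.append({
                "t": _ms(*m.groups()[:4]), "group": int(m[5]), "ifname": m[6],
                "type": m[7], "dir": m[8], "src": m[9], "state": m[10],
                "pri": int(m[11]), "vip": m[12]})
        elif m := CHANGE_RE.match(line):
            changes.append((_ms(*m.groups()[:4]), m[7], m[8]))
        elif m := ADMIN_DOWN_RE.match(line):
            admin_down.append(_ms(*m.groups()[:4]))
    return packets, changes, admin_down


def state_timeline(packets):
    """Collapse this device's outgoing packets into (state, first_seen_ms) entries."""
    timeline = []
    for p in packets:
        if p["dir"] == "out" and (not timeline or timeline[-1][0] != p["state"]):
            timeline.append((p["state"], p["t"]))
    return timeline


def speak_duration_ms(packets):
    """Time from the first Speak packet to the first packet sent in the next state."""
    tl = state_timeline(packets)
    for (state, start), (_, end) in zip(tl, tl[1:]):
        if state == "Speak":
            return end - start
    return None


def max_hello_gap_ms(packets):
    """Largest spacing between consecutive outgoing hellos (None if fewer than two)."""
    sent = [p["t"] for p in packets if p["type"] == "Hello" and p["dir"] == "out"]
    return max((b - a for a, b in zip(sent, sent[1:])), default=None)


def resigned_before_admin_down(packets, admin_down):
    """True when a Resign was sent no later than the interface went admin down."""
    resigns = [p["t"] for p in packets if p["type"] == "Resign" and p["dir"] == "out"]
    return bool(resigns and admin_down) and min(resigns) <= min(admin_down)


if __name__ == "__main__":
    pk, ch, down = parse(SAMPLE)
    print("states:", [s for s, _ in state_timeline(pk)])
    print("speak ms:", speak_duration_ms(pk), "max hello gap ms:", max_hello_gap_ms(pk))
    print("resign before shutdown:", resigned_before_admin_down(pk, down))
```

On the sample, the speak period measures exactly the 10-second default and no two hellos are more than 3 seconds apart, matching the timer values stated in Step 4.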

Lab 6-1: Configuring Switches for WLANs
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the switch for DHCP and configure VLANs on the switch.
After completing this activity, you will be able to meet these objectives:
Configure VLANs on the WLAN switch WSW1
Configure DHCP on the WLAN switch WSW1
Prepare the switch for a WLAN controller and a lightweight access point

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: WLAN Lab]

Required Resources
These are the resources and equipment that are required to complete this activity:
Computer with access to the switch CLI
Lab map diagram and table with IP addressing and other parameters for your group

Command List
The table describes the commands that are used in this activity.

Cisco IOS Switch CLI Commands

| Command | Description |
| --- | --- |
| enable | Enters privileged mode |
| configure terminal | Enables the configuration level of the Cisco IOS software |
| vlan <vlan-number> | Creates the VLAN |
| ip dhcp pool <name> | Enables the configuration level of the DHCP pool |
| network <net> <mask> | Configures the network for the DHCP pool |
| default-router <ip-addr> | Configures the default gateway for the DHCP pool |
| interface <name> | Enables the configuration of the interface |
| switchport mode access | Puts the interface into access mode |
| switchport access vlan <number> | Puts the interface into the VLAN |
| spanning-tree portfast | Configures PortFast on a switch access port |
| ip address <addr> <mask> | Configures the IP address |
| exit | Closes the current configuration level |
| end | Returns to the global configuration menu |
| copy run start | Saves the CLI changes |

Job Aids
These job aids are available to help you complete the lab activity.

Lab Map IP Addressing, Naming Conventions, and Information: Groups 1-4

| | Group 1-1 | Group 1-2 | Group 2-1 | Group 2-2 |
| --- | --- | --- | --- | --- |
| VLAN Number | 111 | 112 | 121 | 122 |
| Switchport Connected to Wireless LAN Controller | Fa 0/1 or Gi 0/1 | Fa 0/3 or Gi 0/3 | Fa 0/5 or Gi 0/5 | Fa 0/7 or Gi 0/7 |
| Switchport Connected to Access Point | Fa 0/2 or Gi 0/2 | Fa 0/4 or Gi 0/4 | Fa 0/6 or Gi 0/6 | Fa 0/8 or Gi 0/8 |
| DHCP Pool Name | group11 | group12 | group21 | group22 |
| DHCP Network | 192.168.111.0 /24 | 192.168.112.0 /24 | 192.168.121.0 /24 | 192.168.122.0 /24 |
| DHCP Default Router | 192.168.111.1 | 192.168.112.1 | 192.168.121.1 | 192.168.122.1 |
| VLAN Interface | Vlan111 | Vlan112 | Vlan121 | Vlan122 |
| IP Address of VLAN Interface | 192.168.111.1 /24 | 192.168.112.1 /24 | 192.168.121.1 /24 | 192.168.122.1 /24 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |

Lab Map IP Addressing, Naming Conventions, and Information: Groups 5-8

| | Group 3-1 | Group 3-2 | Group 4-1 | Group 4-2 |
| --- | --- | --- | --- | --- |
| VLAN Number | 131 | 132 | 141 | 142 |
| Switchport Connected to Wireless LAN Controller | Fa 0/9 or Gi 0/9 | Fa 0/11 or Gi 0/11 | Fa 0/13 or Gi 0/13 | Fa 0/15 or Gi 0/15 |
| Switchport Connected to Access Point | Fa 0/10 or Gi 0/10 | Fa 0/12 or Gi 0/12 | Fa 0/14 or Gi 0/14 | Fa 0/16 or Gi 0/16 |
| DHCP Pool Name | group31 | group32 | group41 | group42 |
| DHCP Network | 192.168.131.0 /24 | 192.168.132.0 /24 | 192.168.141.0 /24 | 192.168.142.0 /24 |
| DHCP Default Router | 192.168.131.1 | 192.168.132.1 | 192.168.141.1 | 192.168.142.1 |
| VLAN Interface | Vlan131 | Vlan132 | Vlan141 | Vlan142 |
| IP Address of VLAN Interface | 192.168.131.1 /24 | 192.168.132.1 /24 | 192.168.141.1 /24 | 192.168.142.1 /24 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |

Task 1: Connect to the Switch for the WLAN
In this task, you will connect to the switch for the wireless equipment of your group.

Activity Procedure
Complete these steps:

Step 1 Connect to the lab terminal server.

Step 2 Open a console connection to the access switch (#ASW#) of your group.

Step 3 Open a Telnet session from your access switch to the switch for the WLAN (WSW1
/ 192.168.100.3) in the core of the lab.

Note The lab requires that you have connectivity from your access switch to the core of the lab.

Activity Verification
You have completed this task when you attain this result:
You have access to the command line of the switch for the WLAN lab (WSW1).

Task 2: Configure the Switch


In this task, you will configure the switch for the wireless equipment of your group.

Activity Procedure
Complete these steps:

Step 1 Enter configuration mode of the switch:


WSW1# configure terminal

Step 2 Create the VLAN:


WSW1(config)# vlan <number>
WSW1(config-vlan)# exit

Step 3 Configure the VLAN interface:


WSW1(config)# interface vlan <number>
WSW1(config-if)# ip address <address> <mask>
WSW1(config-if)# no shutdown
WSW1(config-if)# exit

Step 4 Create the DHCP pool:


WSW1(config)# ip dhcp pool <name>
WSW1(config-dhcp)# network <network> <mask>
WSW1(config-dhcp)# default-router <address>
WSW1(config-dhcp)# exit

Step 5 Configure the interface connected to the WLAN controller of your group:

WSW1(config)# interface fastethernet #/#
WSW1(config-if)# description <WLC-name>
WSW1(config-if)# switchport access vlan <number>
WSW1(config-if)# switchport mode access
WSW1(config-if)# spanning-tree portfast
WSW1(config-if)# no shutdown
WSW1(config-if)# exit

Step 6 Configure the interface connected to the access point of your group:

WSW1(config)# interface fastethernet #/#
WSW1(config-if)# description <AP-name>
WSW1(config-if)# switchport access vlan <number>
WSW1(config-if)# switchport mode access
WSW1(config-if)# spanning-tree portfast
WSW1(config-if)# no shutdown
WSW1(config-if)# exit
WSW1(config)# end

Save your configuration:

WSW1# copy running-config startup-config

Step 7 Verify your configuration:


WSW1# show running-config

Note You will see configurations from other groups on the switch, which you can ignore.

Activity Verification
You have completed this task when you attain these results:
The VLAN is created.
The DHCP pool is configured.
Both interfaces of your group are in your VLAN.
Both interfaces and the VLAN interface are up.
Use these commands to verify the configuration of your WLAN controller. The output is
provided as a reference.

Step 1 Verify your configuration:


WSW1# show vlan

Step 2 Verify PoE on the switch:


WSW1# show power inline

Step 3 Verify the status of the interfaces:

WSW1# show ip interface brief

Step 4 Verify the MAC address table of the switch:


WSW1# show mac-address

Note Unused interfaces are not shown in this output. Only the configuration for group 1-1 and
group 1-2 is shown.

Lab 6-2: Setting Up the WLAN Controller
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will create a basic configuration for the WLAN controller. The purpose is
to establish console management connectivity to the controller, become familiar with the
startup wizard that runs on initial startup, and complete the necessary steps to establish an SSL
web connection to the controller. In this activity, you will create the initial configuration of the
WLAN controller, using the CLI. After completing this activity, you will be able to meet these
objectives:
View the boot options screen and select the correct option to continue the system boot
sequence
Answer questions presented by the startup wizard
Input basic configuration information when prompted by the startup wizard

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: WLAN Lab]

Required Resources
These are the resources and equipment that are required to complete this activity:
A WLAN controller and a lightweight access point
A computer with connectivity to the terminal server of the lab and a terminal program
Lab map diagram and table with IP addressing and other parameters for your group

Command List
The table describes the commands that are used in this activity.

WLAN Controller CLI Commands

| Command | Description |
| --- | --- |
| ? | Displays basic command set or all options for a basic command |
| help | Displays help |
| config | Configuration command |
| clear | Clears selected configuration elements |
| ping | Sends ICMP echo packets to a specified IP address |
| reset system | Restarts controller |
| config prompt | Configures the controller prompt |
| config network | Configures network parameters |
| save config | Saves controller configuration |
| debug | Displays action on the controller |
| show | Displays controller options and settings |
| exit | Returns to previous command level |
| logout | Exits this session; any unsaved changes are lost |

Job Aids
These job aids are available to help you complete the lab activity.

Lab Map IP Addressing, Naming Conventions, and Information: Groups 1-4

| | Group 1-1 | Group 1-2 | Group 2-1 | Group 2-2 |
| --- | --- | --- | --- | --- |
| WLAN Controller Name / Prompt | 1WLC1 | 1WLC2 | 2WLC1 | 2WLC2 |
| AP Name | 1AP1 | 1AP2 | 2AP1 | 2AP2 |
| Admin Username | cisco | cisco | cisco | cisco |
| Admin Password | cisco | cisco | cisco | cisco |
| Management Interface IP Address | 192.168.111.2 | 192.168.112.2 | 192.168.121.2 | 192.168.122.2 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Router IP Address | 192.168.111.1 | 192.168.112.1 | 192.168.121.1 | 192.168.122.1 |
| Management Interface VLAN | 0 | 0 | 0 | 0 |
| Management Port Number | 1 | 1 | 1 | 1 |
| DHCP Server | 192.168.111.1 | 192.168.112.1 | 192.168.121.1 | 192.168.122.1 |
| AP-Manager IP Address | 192.168.111.3 | 192.168.112.3 | 192.168.121.3 | 192.168.122.3 |
| AP Transport Mode | Layer 3 | Layer 3 | Layer 3 | Layer 3 |
| Virtual Gateway IP Address | 1.1.1.11 | 1.1.1.12 | 1.1.1.21 | 1.1.1.22 |
| Mobility Group Name | group11 | group12 | group21 | group22 |
| WLAN SSID | wlan11 | wlan12 | wlan21 | wlan22 |
| Static IP Address | No | No | No | No |
| Radius Server IP Address | None | None | None | None |
| Auto RF | Yes | Yes | Yes | Yes |
| Second SSID | open11 | open12 | open21 | open22 |
| 802.11a Channel | 36 | 40 | 44 | 48 |

Lab Map IP Addressing, Naming Conventions, and Information: Groups 5-8

| | Group 3-1 | Group 3-2 | Group 4-1 | Group 4-2 |
| --- | --- | --- | --- | --- |
| WLAN Controller Name / Prompt | 3WLC1 | 3WLC2 | 4WLC1 | 4WLC2 |
| AP Name | 3AP1 | 3AP2 | 4AP1 | 4AP2 |
| Admin Username | cisco | cisco | cisco | cisco |
| Admin Password | cisco | cisco | cisco | cisco |
| Management Interface IP Address | 192.168.131.2 | 192.168.132.2 | 192.168.141.2 | 192.168.142.2 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Router IP Address | 192.168.131.1 | 192.168.132.1 | 192.168.141.1 | 192.168.142.1 |
| Management Interface VLAN | 0 | 0 | 0 | 0 |
| Management Port Number | 1 | 1 | 1 | 1 |
| DHCP Server | 192.168.131.1 | 192.168.132.1 | 192.168.141.1 | 192.168.142.1 |
| AP-Manager IP Address | 192.168.131.3 | 192.168.132.3 | 192.168.141.3 | 192.168.142.3 |
| AP Transport Mode | Layer 3 | Layer 3 | Layer 3 | Layer 3 |
| Virtual Gateway IP Address | 1.1.1.31 | 1.1.1.32 | 1.1.1.41 | 1.1.1.42 |
| Mobility Group Name | group31 | group32 | group41 | group42 |
| WLAN SSID | wlan31 | wlan32 | wlan41 | wlan42 |
| Static IP Address | No | No | No | No |
| Radius Server IP Address | None | None | None | None |
| Auto RF | Yes | Yes | Yes | Yes |
| Second SSID | open31 | open32 | open41 | open42 |
| 802.11a Channel | 36 | 40 | 44 | 48 |

Task 1: Console Connection
In this task, you will create a basic configuration for the WLAN controller. The purpose is to
establish console management connectivity to the controller, become familiar with the startup
wizard that runs on initial startup, and complete the necessary steps to establish an SSL web
connection to the controller.

Activity Procedure
Complete these steps:

Step 1 Connect to the terminal server of the lab.

Step 2 Open a console connection to the WLAN controller (xWLC#) of your pod.

Step 3 Press Enter. You should see the login prompt from the WLAN controller.

Activity Verification
You have completed this task when you attain this result:
You have access to the console of the WLAN controller and received the command
prompt.

Task 2: Initial Configuration


In this task, you will configure the WLAN controller of your group.
Step 1 Log in with username cisco and password cisco.

Step 2 (Cisco Controller) > reset system

Step 3 Now the WLAN controller reboots.


Step 4 View the boot messages.

Step 5 Press Esc to see the additional boot options before the system autoboots.

Step 6 Which of the options that follow will allow you to set the system back to factory
defaults? _____

Cisco Bootloader (Version 3.2.78.0)

 .o88b. d888888b .d8888.  .o88b.  .d88b.
d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
8P         88    `8bo.   8P      88    88
8b         88      `Y8b. 8b      88    88
Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
 `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'

Model WLC2006
Booting Primary Image...
Press <ESC> now for additional boot options...

Boot Options

Please choose an option from below:

1. Run primary image (Version 3.2.78.0) (active)
2. Run backup image (Version 3.1.105.0)
3. Manually upgrade primary image
4. Change active boot image
5. Clear Configuration

Please enter your choice:_

Step 7 Reset the controller back to factory default settings now by selecting 5. What
happened? ____________________________

Step 8 Which option should you use to continue with the normal boot sequence?

__________________________________________________________

Step 9 Select the correct option and continue with the system boot sequence now.

Task 3: Initial Controller Configuration: The Startup Wizard


In this task, you will configure the basic connectivity parameters necessary for the system to
communicate over the network with other devices, including the management workstation.
Answer the questions that follow, referring to the appropriate lab map for your group. After you
have all the necessary information, answer the questions presented by the startup wizard.

Activity Procedure
Answer these questions.

Step 1 What group are you in? _______________________________________________

Step 2 What is the name of your WLAN controller? __________________________

Step 3 What name will you use for your administrative user? ___________________

Step 4 What will you use for the administrative password on your system? ____________

Step 5 What is the management interface IP address assigned to your system? __________

Step 6 What is the management interface IP netmask assigned to your system? _________

Step 7 What is the management interface default router IP address? __________________

Step 8 What is the management interface VLAN ID? ______________________________

Step 9 What is the port that you will assign the management interface to? ______________

Step 10 What is the management interface DHCP server IP address? ___________________

Step 11 What is the AP-manager IP address? ______________________________________

Step 12 What layer AP transport mode will you be using? ___________________________

Step 13 What address will you assign for your virtual gateway IP address? _____________

Step 14 What is your mobility/RF group name? __________________________________

Step 15 What is your network name (SSID)? ____________________________________

Step 16 Will you allow static IP addresses for your wireless users? ___________________

Step 17 What is the IP address of the RADIUS server? ______________________________

Step 18 Which 802.11 radios are you going to use? (For this setup, enable 802.11a, b, and g.)
____________________________________________________________________

Step 19 Are you going to enable auto RF? _______________________________________

You should now be able to run the startup wizard and configure the system, using the
information that you have collected.

Task 4: Run the CLI Startup Wizard


In this task, you will apply power to your system and run the CLI startup wizard. Follow the
configuration steps as they are presented to you by the startup wizard, making sure that you
provide the proper answers for your system. Each controller uses different values, so make sure
that you use the lab map for your specific group to answer the questions.

Activity Procedure
Complete these steps:

Step 1 After completing the previous steps, your controller should have completed the boot
sequence and should prompt for the first answer.

Step 2 The startup wizard will ask you to provide configuration information. What is the
first bit of information that you are asked to provide? ____________________
Please note that the [Return] will go back, erase the input from the previous
questions, and allow re-entry.

Step 3 Complete the startup wizard by supplying the proper values that you collected
earlier. Please note that the capitalized options are the default to any question.
Step 4 When asked Service Interface IP Address Configuration [none][DHCP], answer
none for static. This question does appear on a Cisco WLC2006 controller.

Step 5 When asked Configure a RADIUS Server now? [YES][no], you should answer
no. What happened when you entered your no response? ____________________

Step 6 What happened when the startup wizard finished asking for data? _______________

Step 7 Carefully watch the system reboot. What is the Cisco AireOS version that is running
on your system? _________________
Step 8 Log in to your controller, using the name and password that you have configured on
the controller.

Step 9 Change the prompt on your controller to the name of your group (group##)
(Cisco Controller) > config prompt group##

Step 10 Enable Telnet access to the WLAN controller:


(group##) > config network telnet enable

Step 11 Enable web access (http) to the WLAN controller:

(group##) > config network webmode enable

Step 12 Save your new configuration:


(group##) > save config

Your controller is now configured; your access point can now associate with your WLAN
controller. In the next lab, you will configure the WLAN controller and the wireless network.

Task 5: Verify Configurations


In this task, you will look at the current configuration parameters by using the show command.
If you type show and press the Return key, you will have a new prompt.

Activity Procedure
Complete these steps:

Step 1 Type show and press the Return key. What does the prompt look like now?
_______________
Step 2 Type ?. What happens? _______________________

Step 3 What command would you use to view the controller configuration parameters?
___________________________
Step 4 Given that you have set up an 802.11a radio network, what command would you use
to look at the current network parameters? _______________________

Step 5 What is the beacon interval set to? _______________

Step 6 Look at your interfaces that were set up when you ran the startup wizard. Which
command allows you to see the currently configured interfaces? ________________

Step 7 Which command allows you to see the management interface MAC address?
_____________________

Step 8 To remove the show prompt and return to the CLI root, which command will you
use? _______________________

Activity Verification
Use these commands to verify the configuration of your WLAN controller. The output is
provided as a reference.

Step 1 Verify the configured interfaces:
(group##) > show interface summary

Step 2 Verify the configured SSID:
(group##) > show wlan summary

Step 3 Verify that the access point has registered to the controller:
(group##) > show ap summary

Note It takes about 2 to 3 minutes until your access point associates with your controller. If you do
not see your access point on the controller after 5 minutes, use this procedure.

Step 4 Open a Telnet session from your access switch to the switch for the WLAN (WSW1
/ 192.168.100.3) in the core of the lab and temporarily shut down the interface
connected to the access point of your group.
Step 5 Disable the interface and turn off power for the access point:
WSW1# configure terminal
WSW1(config)# interface fastethernet #/#
WSW1(config-if)# shutdown

Step 6 Wait about 15 seconds.

Step 7 Enable the interface and turn on power for the access point:
WSW1(config-if)# no shutdown
WSW1(config-if)# exit

Step 8 Wait 2 to 3 minutes until your access point associates with your controller. You can
verify this with the show ap summary command.

Lab 6-3: Configuring the Controller via the Web Browser
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use the web browser to configure the controller. After completing this
activity, you will be able to meet these objectives:
Open the web browser and connect to the controller by entering the IP address of the
controller
Establish a controller web session to your WLAN controller
Use the controller web to monitor the WLAN controller, log in, and answer questions
Use the controller web to configure a WLAN
Use the controller web to configure connectivity to the WLAN controller
Use the controller web to save configuration changes
Use the capabilities of the controller web to modify the default auto RF values
Use the controller web to check network connectivity

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: WLAN Lab]


Required Resources
These are the resources and equipment that are required to complete this activity:
A WLAN controller and a lightweight access point
A computer with connectivity to the terminal server of the lab and a terminal program
Lab map diagram and table with IP addressing and other parameters for your group

Command List
There is no command list for this lab activity.

Job Aids
These job aids are available to help you complete the lab activity.

Lab Map IP Addressing, Naming Conventions, and Information: Groups 1-4

| | Group 1-1 | Group 1-2 | Group 2-1 | Group 2-2 |
| --- | --- | --- | --- | --- |
| WLAN Controller Name / Prompt | 1WLC1 | 1WLC2 | 2WLC1 | 2WLC2 |
| AP Name | 1AP1 | 1AP2 | 2AP1 | 2AP2 |
| Admin Username | cisco | cisco | cisco | cisco |
| Admin Password | cisco | cisco | cisco | cisco |
| Management Interface IP Address | 192.168.111.2 | 192.168.112.2 | 192.168.121.2 | 192.168.122.2 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Router IP Address | 192.168.111.1 | 192.168.112.1 | 192.168.121.1 | 192.168.122.1 |
| Management Interface VLAN | 0 | 0 | 0 | 0 |
| Management Port Number | 1 | 1 | 1 | 1 |
| DHCP Server | 192.168.111.1 | 192.168.112.1 | 192.168.121.1 | 192.168.122.1 |
| AP-Manager IP Address | 192.168.111.3 | 192.168.112.3 | 192.168.121.3 | 192.168.122.3 |
| AP Transport Mode | Layer 3 | Layer 3 | Layer 3 | Layer 3 |
| Virtual Gateway IP Address | 1.1.1.11 | 1.1.1.12 | 1.1.1.21 | 1.1.1.22 |
| Mobility Group Name | group11 | group12 | group21 | group22 |
| WLAN SSID | wlan11 | wlan12 | wlan21 | wlan22 |
| Static IP Address | No | No | No | No |
| Radius Server IP Address | None | None | None | None |
| Auto RF | Yes | Yes | Yes | Yes |
| Second SSID | open11 | open12 | open21 | open22 |
| 802.11a Channel | 36 | 40 | 44 | 48 |

Lab Map IP Addressing, Naming Conventions, and Information: Groups 5-8

| | Group 3-1 | Group 3-2 | Group 4-1 | Group 4-2 |
| --- | --- | --- | --- | --- |
| WLAN Controller Name / Prompt | 3WLC1 | 3WLC2 | 4WLC1 | 4WLC2 |
| AP Name | 3AP1 | 3AP2 | 4AP1 | 4AP2 |
| Admin Username | cisco | cisco | cisco | cisco |
| Admin Password | cisco | cisco | cisco | cisco |
| Management Interface IP Address | 192.168.131.2 | 192.168.132.2 | 192.168.141.2 | 192.168.142.2 |
| Subnet Mask for All Addressing | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Router IP Address | 192.168.131.1 | 192.168.132.1 | 192.168.141.1 | 192.168.142.1 |
| Management Interface VLAN | 0 | 0 | 0 | 0 |
| Management Port Number | 1 | 1 | 1 | 1 |
| DHCP Server | 192.168.131.1 | 192.168.132.1 | 192.168.141.1 | 192.168.142.1 |
| AP-Manager IP Address | 192.168.131.3 | 192.168.132.3 | 192.168.141.3 | 192.168.142.3 |
| AP Transport Mode | Layer 3 | Layer 3 | Layer 3 | Layer 3 |
| Virtual Gateway IP Address | 1.1.1.31 | 1.1.1.32 | 1.1.1.41 | 1.1.1.42 |
| Mobility Group Name | group31 | group32 | group41 | group42 |
| WLAN SSID | wlan31 | wlan32 | wlan41 | wlan42 |
| Static IP Address | No | No | No | No |
| Radius Server IP Address | None | None | None | None |
| Auto RF | Yes | Yes | Yes | Yes |
| Second SSID | open31 | open32 | open41 | open42 |
| 802.11a Channel | 36 | 40 | 44 | 48 |

Task 1: Setting Up a Controller Web Session
Another way to access the system is through controller web. With controller web, you can use
your browser to access the system, view configuration details, and modify your system
configurations. The first thing you must do is to establish a secure connection between your
browser and WLAN controller. The steps that follow will help you establish the controller web
session and start examining the WLAN controller via the browser.

Activity Procedure
Complete these steps:

Step 1 Connect with your PC to the lab.

Note This step depends on the connection to the lab. Your instructor will provide the
required information.

Step 2 Make sure that you have IP connectivity between your laptop PC and your WLAN
controller. Can you ping the controller? _______

Step 3 Start Internet Explorer on your computer.

Step 4 At the address line, initiate a secure HTTP session to your WLAN controller. Use
the IP address of the management port of your controller.
https://<ipaddr>

Step 5 You may see another screen appear indicating that you are going to view the
information over a secure connection. Click OK to continue.

[Figure: Security Alert Dialog Box]


Step 6 What are the issues that the window is pointing out? _________________________

Step 7 Is your connection secure? _________

Step 8 If you wish, you can select the View Certificate option to see details about this
certificate.

Step 9 When you are ready to open the web browser session, click the Yes button to
continue.

Task 2: Using the Controller Web Interface


In this task, the first thing you must do to open the controller web session on your WLAN
controller is to log in. You will use the login name and password that you set up when you ran
the setup wizard. To begin your session, click the Login button.

Activity Procedure
Complete these steps:

[Figure: Enter Network Password]

Step 1 Enter your user name and password. Click OK to log in. The next screen that
appears is your initial view.

[Figure: Monitor Summary]

Step 2 Which controller web window are you presented when you first log in?
___________________________

Step 3 Notice the controller web window that you are currently in. There are a number of
controller web windows available, each providing you information about the current
status of your WLAN controller. There are several subviews available in most
controller web windows.

Step 4 On the Monitor > Summary screen, you should see one access point under the
heading Access Point Summary. This is the GUI equivalent of the show ap
summary command on the command line.

Step 5 If the access point count is zero, the access point of your group has not associated to
your WLAN controller. In this case, reboot your access point by shutting down the
switch port to which the access point is connected. This procedure was outlined at
the end of the previous lab. Also verify the configuration of the switch ports on the
wireless lab switch (WSW1).

Step 6 You can use the Monitor > Statistics window to look at various statistics at the
controller and port level.



Step 7 Take a look at the Monitor > Statistics > Controller screen.

Step 8 Change to the Monitor > Ports view.


Step 9 View the status for port 1 by clicking View Stats.


Step 10 With the controller web utility, you can obtain detailed information about the
activity taking place on each port. What ports are enabled and indicate a link up on
your WLAN controller?



Step 11 If you want a detailed look at the activity on one of your ports that indicates a link is
up, how would you get to that information?

Task 3: Using the Controller Web Interface: WLANs


In this task, you will learn how to create a WLAN, using the controller web. Remember that
your first WLAN was created using the setup wizard in lab 6-2.

Activity Procedure
Complete these steps:

Step 1 Click the WLANs tab at the top of the page.


Step 2 From the menu bar, choose the WLAN option to view the wireless network that you
created earlier with the setup wizard.

Step 3 Do the SSID and the authentication information match what you originally
configured on your controller? ______________

Step 4 If you wanted to create a second WLAN to support guests without using 802.1x,
how would you use the controller web to start the process?

Step 5 Now take the first step in creating a new WLAN.

Step 6 Use open## (see lab map for second SSID name) for your SSID.


Step 7 Click Apply.


If you perform the last step correctly, you should see a screen similar to the one seen here.
After you have created the new WLAN, you can provide all the configuration details. In the
WLAN edit screen, you will provide the details for both the General Policies and the Security
Policies that will govern this WLAN instance. You will come back to this screen later to
configure the WLAN to support a wireless client.

Step 8 Set Layer 2 Security to None.


Step 9 Set Admin Status to Enabled.

Step 10 Save this WLAN, using the Apply and Save Configuration buttons.


Step 11 Does your newly created WLAN appear in the WLAN list? ____________

Step 12 What is the Admin Status of your WLAN? What does this mean? (You can use
Help to get information.) _______________________________________

Step 13 Click the blue Edit link. What does this allow you to do? __________________

Step 14 Close the editing window by using the Back button.

Step 15 Remove the WLAN that you have created during initial configuration (wlan##).

Step 16 Now save your configuration before you continue with the next task of this lab
activity.

Step 17 If a client in the lab is configured with your new SSID (open##) and no
security (Open Authentication), the client will now associate with your
access point. You can see on the Monitor > Summary screen whether a client is
associated to your access point.

Step 18 If a client is associated, click Detail under Client Summary to see the list of clients.
From this list you can click Detail to view detailed information about the client. The
client has an IP address, which it received via DHCP.

Note If the client does not have an IP address, you will not be able to test the link. The client
needs to associate to the access point. This may take a few minutes. Check with your
instructor on client status if necessary.

Step 19 Ping the IP address of your WLAN client from your PC or from the command line
of any switch in the lab. The ping traffic is sent via the WLAN connection to the
client. This verifies your WLAN configuration.



Task 4: Using the Controller Web Interface: Controller
In this task, the set of questions will require that you look through many of the other controller
web screens so that you can become familiar with the capabilities. You may need to use the
Edit and New buttons to find some of the answers.

Note If you create any items to find answers to the questions, do not apply the changes or save
the configuration.

Activity Procedure
Answer these questions about the controller:

Step 1 Click the Controller tab at the top of the page.


Step 2 List the interface names and types that are currently configured on your controller.

Step 3 Which configuration options exist for the physical mode assigned to a port?

Step 4 Is a DHCP server configured on the controller by default?

Task 5: Using the Controller Web Interface: Wireless
In this task, the set of questions looks at controller web capabilities to configure and monitor
the wireless aspects of your WLAN controller. To avoid radio interference with other areas in
the building, you will make some adjustments to the default settings.

Activity Procedure
Make the requested adjustments and answer all questions.

Step 1 Click the Wireless tab in the menu bar.


Step 2 What is the name of the access point connected to your controller?

Step 3 What is the MAC address of the access point connected to your controller?

Step 4 What should you do at this point to find more detailed information about your access
points?

Step 5 Which AP mode is assigned to your access point?

Step 6 Which other AP modes are available?



Step 7 What is the operational status of your 802.11a radio interface?

Step 8 What is the operational status of your 802.11b radio interface?

Step 9 What is the S/W version running on your access point?

Step 10 From the Access Points option in the upper left margin, choose 802.11a Radios.
What channel is your 802.11a radio transmitting on?

Step 11 What is the current TX power level?

Step 12 What should you do at this point to find more detailed information about your
802.11a radio?

Step 13 How many WLANs are present on this interface?

Step 14 What are the mandatory data rates for your 802.11a network?

Step 15 What is the 802.11a beacon period set to?

Step 16 Does your system detect any rogue access points?

Step 17 How many rogue access points have a status labeled Alert? Select the Edit option
for a detected rogue indicating an Alert.

Step 18 Do you see any security enabled on the rogue?

Step 19 What is the RSSI value for the detected rogue?

Step 20 Are there any clients associated with the rogue access point that you selected?

Step 21 What options are available in the Update Status drop-down window?

Step 22 From the Global RF option in the left margin, choose 802.11 b/g Network.


Step 23 Make sure that the 802.11 b/g network is not enabled.
Step 24 Click the Apply button to save the change to the running configuration on the
controller.

Step 25 From the Access Points option in the left margin, choose All APs.
Step 26 Look at the information displayed about your access point. Can you edit the access
point configuration? _______

Step 27 From the Access Points option in the left margin, choose 802.11a Radios.

Step 28 Look at the information displayed about the .11a radio status. Can you edit the .11a
radio configuration? _______

Step 29 Select the Configure option for your access point and find the section labeled RF
Channel Assignment.


Step 30 Look at your lab map to find the channel # that you will use in the lab activities.

Step 31 Which channel has been assigned to your group? ___________________________

Step 32 In the RF Channel Assignment area, select the Custom option.


Step 33 Set the RF channel assignment to the appropriate value for your group.

Step 34 Select the Configure option and find the section labeled Tx Power Level
Assignment.
Step 35 Set the power level assignment method as Custom.

Step 36 Set the power level assignment to 5.

Step 37 Click the Apply button.


Step 38 Select Save Configuration and confirm your save.

Step 39 Set the Tx power level of the 802.11b/g radio of your access point to the minimum
level in the same way.

Step 40 Select Save Configuration and confirm your save.

Task 6: Using the Controller Web Interface: Management
In this task, you will view management options that are available on the controller.

Activity Procedure
Complete these steps:

Step 1 Choose the Management option from the controller web menu bar.


Step 2 Notice the options available in the left margin.

Step 3 Are Telnet sessions allowed to the controller? ________


Step 4 Are there any current CLI sessions? ________

Step 5 List the two latest entries in the message log.

Step 6 Choose the System Resource Information option.

Step 7 What is the current CPU usage on your WLAN controller?



Step 8 How many system buffers are in use? _____________________________________

Step 9 Choose the AP Log option in the left margin. What do you see?

Step 10 Select the Get Log option for the listed access point. What information is available?

Task 7: Using the Controller Web Interface: Commands


In this task, you will view and answer questions about the Commands tab.

Activity Procedure
Answer these questions:
Step 1 Choose the Commands option from the controller web menu bar.


Step 2 Notice the options available in the left margin.

Step 3 What information must you have in order to download a software upgrade to your
controller?

Step 4 What types of files can be uploaded from your controller using the Commands
screen?

Step 5 What is the current date and time on your controller? _______________ Is it
correct? ________________
Step 6 Configure the correct date and time on your WLAN controller if it is not correct.

Step 7 Reboot your controller, using the feature provided. What choices are you given?
____________ You do not want to save any recent changes, so select the
appropriate option.

Step 8 Did the system reboot? ________ Use your console connection via the terminal
server to verify.

Activity Verification
You have completed this lab when you attain these results:
A controller web session is established.
You were able to use the controller web browser to monitor the controller.
You were able to configure a WLAN, using the web browser.
You were able to save changes, using the web browser.
You were able to use the controller web browser to modify the default auto RF values.
You were able to check connectivity with the controller web browser.
If a client was available in the lab, your client associates with your access point, the WLAN
client received an IP address via DHCP, and you could ping the IP address of the client.



Lab 6-4: Configuring a Wireless Client (Optional)
In this activity, you will gain familiarity with the process of installing and configuring a single
Cisco Aironet wireless client adapter. You will also gain understanding and proficiency in
creating a template for use in multiple card installations and configurations.

Activity Objective
In this activity, you will install the client card for a computer with a supported operating
system. After completing this activity, you will be able to meet these objectives:
Install the CB21AG client card
Configure the CB21AG client card

Required Resources
These are the resources and equipment that are required to complete this activity:
Laptop with Windows 2000 or Windows XP with administrative rights
CB21AG client card
Cisco Aironet WLAN
Cisco Aironet Desktop Utility (ADU)

Command List
There is no command list for this lab activity.

Job Aids
These job aids are available to help you complete the lab activity.

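Lab Map IP Addressing, Naming Conventions, and Information: Groups 1-4

|              | Group 1-1        | Group 1-2        | Group 2-1        | Group 2-2        |
|--------------|------------------|------------------|------------------|------------------|
| Profile Name | open11           | open12           | open21           | open22           |
| SSID         | open11           | open12           | open21           | open22           |
| Security     | None             | None             | None             | None             |
| IP Network   | 192.168.111.0/24 | 192.168.112.0/24 | 192.168.121.0/24 | 192.168.122.0/24 |

Lab Map IP Addressing, Naming Conventions, and Information: Groups 5-8

|              | Group 3-1        | Group 3-2        | Group 4-1        | Group 4-2        |
|--------------|------------------|------------------|------------------|------------------|
| Profile Name | open31           | open32           | open41           | open42           |
| SSID         | open31           | open32           | open41           | open42           |
| Security     | None             | None             | None             | None             |
| IP Network   | 192.168.131.0/24 | 192.168.132.0/24 | 192.168.141.0/24 | 192.168.142.0/24 |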

Task 1: Install the CB21AG Client Card


In this task, you will load setup files, insert a card, run the setup program to install drivers and
utilities, and reboot.

Activity Procedure
Complete these steps:

Step 1 Load the setup file onto a local laptop.

Step 2 Insert CB21AG into the CardBus slot of the laptop.

Step 3 If the Windows Found New Hardware wizard automatically opens, cancel or close
it.

Step 4 Run the setup program to install drivers and utilities.


The computer reboots.

Activity Verification
You have completed this task when you attain these results:
The laptop has a client monitor tool in the system tray and a new utility called ADU is
installed.
The ADU should show some system status for the card.



Task 2: Configure the CB21AG Client Card
In this task, you will configure the installed client card to operate with access points.

Activity Procedure
Complete these steps:

Step 1 Open the Cisco Aironet Desktop Utility.

Step 2 Click the Profiles Management tab and click New.

[Figure: Profile Management]

Step 3 Look at your lab map to find the profile name and SSID that you will use in this lab
activity.

Step 4 Enter the profile name in the field Profile Name.

Step 5 Enter the SSID in the SSID1 field.

Step 6 Click the Security tab.

[Figure: Profile Management: Security]

Step 7 Select the None option.

Step 8 Click the Advanced tab.

[Figure: Profile Management: Advanced]

Step 9 Uncheck the 802.11a radio (5 GHz 54 Mbps) and click OK.

[Figure: Profile Management Tab]

Step 10 From the Profile Management tab, select your new profile and click the Activate
button.

Step 11 Open the Cisco Aironet Desktop Utility.


Step 12 Click the Current Status tab and verify that you are connected.

[Figure: Current Status Tab]

Step 13 Verify that your WLAN client has associated with your access point.

Step 14 Verify that the PC has received an IP address via DHCP.

Step 15 Verify network connectivity; ping any device on the network from your PC.

Step 16 Click the Current Status tab and click the Advanced button to verify that the MAC
address of your access point is shown on the client utility.

[Figure: Advanced Status]


Step 17 Click the Diagnostics tab.

[Figure: Diagnostics Tab]

Step 18 View the Adapter Information and the Advanced Statistics by clicking the
appropriate buttons.
Step 19 Click the Troubleshooting button and start the test. View the Troubleshooting
Report.

[Figure: Troubleshooting Report]

Activity Verification
You have completed this task when you attain these results:
You configured the WLAN client with an SSID.
Your WLAN client associated to your access point, received an IP address via DHCP, and
you could ping the IP address of the other devices on the network.



Lab 7-1: Configuring IP Telephony Support
Complete this lab activity to practice what you learned in the related module.

Activity Objective
After completing this activity, you will be able to meet these objectives:
Configure access ports to carry voice traffic in 802.1Q frames
Configure CoS override for data frames on access switches
Configure voice traffic frames into the distribution layer
Configure CoS override for data frames on distribution switches

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
Access switches
Distribution switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

| Command                                  | Description                                                             |
|------------------------------------------|-------------------------------------------------------------------------|
| switchport voice vlan vlan-id            | Enables voice VLAN on a switch port and associates a VLAN ID            |
| mls qos trust cos                        | Trusts the CoS value of frames as they arrive at the switch port        |
| mls qos trust device cisco-phone         | Makes this trust conditional on a Cisco IP Phone being attached         |
| switchport priority extend cos cos_value | Sets the CoS value to frames coming from the PC attached to the IP phone |
| show interfaces interface-id switchport  | Displays voice parameters configured on the interface                   |
| show mls qos interface interface-id      | Displays QoS parameters configured on the interface                     |

Job Aids
These job aids are available to help you complete the lab activity. The table lists the voice
VLAN IDs that should be used by the associated access switches.



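Voice VLAN IDs

| Access Switch | Voice VLAN ID |
|---------------|---------------|
| XASW3         | 2X1           |
| XASW4         | 2X2           |

Examples

| Access Switch | Voice VLAN ID |
|---------------|---------------|
| 1ASW1         | 211           |
| 1ASW2         | 212           |
| 2ASW1         | 221           |
| 2ASW2         | 222           |
| 3ASW1         | 231           |
| 3ASW2         | 232           |
| 4ASW1         | 241           |
| 4ASW2         | 242           |
| 5ASW1         | 251           |
| 5ASW2         | 252           |
| 6ASW1         | 261           |
| 6ASW2         | 262           |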

Scenario
An IP phone has been installed on each user's desk. The phone is connected to an access switch
port, and the user's PC will be connected to the IP phone. The access and distribution switches
must be configured to use QoS to set priority values for the voice frames coming in the access
switch port and to mark the data traffic from the PC with a lower QoS value.

The access switch port to which the IP phone is connected will represent the QoS trust
boundary. The QoS configuration at the trust boundary will cause the IP phone to set the CoS
value to 0 for all frames arriving from the PC, whereas frames from the IP phone will have their
default CoS value of 5 remain unchanged; in other words, they will be trusted. The
distribution switch uplink ports from the access switches will trust the CoS values of frames
arriving from the access switches.

[Figure: Visual Objective]


Task 1: Configure Access Switches to Carry Voice Traffic
To begin the voice implementation, you will configure the access layer switches to support a
voice VLAN.

Activity Procedure
Complete these steps:

Step 1 Establish connectivity to your assigned access switch and enter global configuration
mode.

Step 2 Configure interface 0/4 with a voice VLAN. This enables 802.1Q trunking on the
port. The actual value of the voice VLAN ID can be found in the table at the
beginning of this lab.

Step 3 Configure the uplink ports to the distribution switches to carry the voice VLAN
traffic.

Step 4 Verify the configuration.

Activity Verification
You have completed this task when you attain these results:
All configuration commands are completed as stated.
Examine the running configuration to verify the commands entered have been added to the
running configuration.

Task 2: Configure User Access Ports for CoS Marking


In this task, you will configure the Fast Ethernet port 0/4 so that the IP phone will mark data
traffic from the PC with a CoS value of 0. The CoS value of the voice traffic frames will be
trusted. It will, therefore, carry the default CoS value of 5 because the frames are inbound
from the phone to the access switch port that is being configured.

Activity Procedure
Complete these steps:

Step 1 Set the access switch port with the IP phone attached to trust the CoS on the
incoming 802.1Q frame headers.

Step 2 Augment the previous command by instructing the port to trust only Cisco IP
Phones, which can be recognized by the CDP traffic they generate.

Step 3 Set the access port to instruct the IP phone to reset any CoS value of frames from the
PC to 0. This value can be set to anything between 0 and 7.

Step 4 Verify the configuration by using the show running-config command and
examining interface FastEthernet 0/4.

Activity Verification
You have completed this task when you attain this result:
All requested steps have been executed and verified.
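
The trust boundary built in Tasks 1 and 2 can be checked mechanically against a saved running configuration. The following is an added example, not part of the lab guide: it audits phone-facing ports using only the commands from the Command List, the two sample configurations are constructed, and the function names are hypothetical. The hostname-to-VLAN rule is taken from the Examples rows of the Voice VLAN IDs job aid.

```python
import re

# Constructed running-config excerpts (not captured from lab equipment).
GOOD_CONFIG = """\
hostname 1ASW1
!
interface FastEthernet0/4
 switchport voice vlan 211
 mls qos trust device cisco-phone
 mls qos trust cos
 switchport priority extend cos 0
!
"""

WEAK_CONFIG = """\
hostname 2ASW2
!
interface FastEthernet0/4
 switchport voice vlan 212
 mls qos trust cos
 switchport priority extend cos 5
!
interface FastEthernet0/5
 switchport mode access
!
"""


def expected_voice_vlan(hostname):
    """Voice VLAN per the job aid examples: <pod>ASW<n> -> 2<pod><n>."""
    m = re.fullmatch(r"(\d)ASW(\d)", hostname)
    return int("2" + m.group(1) + m.group(2)) if m else None


def parse_config(text):
    """Return (hostname, {interface name: [normalized sub-commands]})."""
    hostname, interfaces, current = None, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(" ".join(line.split()))
        else:
            current = None  # "!" or any global command closes the block
    return hostname, interfaces


def audit_trust_boundary(text):
    """Return (interface, finding) pairs for ports that carry a voice VLAN."""
    hostname, interfaces = parse_config(text)
    want_vlan = expected_voice_vlan(hostname or "")
    findings = []
    for name, cmds in interfaces.items():
        voice = [c for c in cmds if c.startswith("switchport voice vlan ")]
        if not voice:
            continue  # only phone-facing ports form the trust boundary
        vlan = voice[0].split()[-1]
        if want_vlan is not None and vlan != str(want_vlan):
            findings.append(
                (name, f"voice VLAN {vlan}, job aid expects {want_vlan}"))
        if "mls qos trust cos" not in cmds:
            findings.append((name, "CoS from the phone is not trusted"))
        elif "mls qos trust device cisco-phone" not in cmds:
            # Unconditional trust: a PC plugged straight into the port
            # could mark its own frames with CoS 5.
            findings.append((name, "CoS trusted from any attached device"))
        for c in cmds:
            m = re.fullmatch(r"switchport priority extend cos (\d)", c)
            if m and m.group(1) != "0":
                findings.append(
                    (name, f"PC frames re-marked to CoS {m.group(1)}, not 0"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_trust_boundary(cfg))
```

The audit only looks at ports with a voice VLAN, so uplink trunks that legitimately trust CoS are not reported.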

Task 3: Configure Distribution Ports to Carry Voice Traffic
You will now configure the distribution switch ports to carry voice VLANs.

Activity Procedure
Complete these steps:

Step 1 Establish a connection to your distribution switch and enter configuration mode.

Step 2 Configure the trunks to carry all voice VLAN traffic for your building.

Activity Verification
You have completed this task when you attain these results:
All requested steps have been executed.
Use the show running-config and show vlan commands to verify the trunk
interfaces are operational and trunking the voice VLAN.

Task 4: Configure Distribution Interfaces to Trust CoS Value from Access Switches
In this task, you will configure the distribution switches to trust the CoS markings carried in
frames coming in the uplink from your access switch.

Activity Procedure
Complete these steps:
Step 1 Verify that trunking is still enabled on the uplink port from your access layer switch.

1ASW1# show interface fa0/1 switchport

Step 2 Enable QoS on your primary distribution switch.

1DSW1(config)# mls qos

Step 3 Set the distribution trunk uplink ports to trust all CoS values coming from your
access switches.

1DSW1(config)# interface gig1/0/1
1DSW1(config-if)# mls qos trust cos
1DSW1(config-if)# end

Step 4 Verify the configuration.

1DSW1# show mls qos interface gig1/0/1

Activity Verification
You have completed this activity when you obtain this result:
You have verified the CoS and voice VLAN configuration, using the commands shown
throughout the lab.



Case Study 8-1: Applying Security Practices to Secure Devices in the Campus
Complete this case study to assess what you learned in the lesson.

Overview
Over the past four years, the network infrastructure at BigCo Manufacturing has grown
immensely. During these four years, the network administrator has hired numerous consultants
to add switches to the infrastructure, and now the administrator is concerned about network
security.

Relevance
Through the use of appropriate security practices, possible security threats can be minimized
and removed.

Activity Objective
In this activity, you will identify any possible security holes in the network infrastructure and
recommend the appropriate action or security solution. After completing this case study, you
will be able to meet these objectives:
Identify possible security threats on a typical network
Recommend the appropriate security solution

Learner Skills and Knowledge


To benefit fully from this activity, you must have the following prerequisite skills and
knowledge:
Basic knowledge of the components that make up the Campus Infrastructure module
Basic knowledge of security practices
Basic knowledge of possible security risks

Job Aids
Read through the following scenario and answer the questions that follow.

Scenario
The BigCo network is designed around the Enterprise Composite Network Model and has core,
distribution, and access layers. The core and distribution layers use redundant links and RSTP;
they do not support any user connections. All connections between the core and distribution
layers are 1 GB in speed and have no QoS configuration.

All user traffic originates in the access layer. At each access layer switch, up to 34 VLANs are
configured for proper traffic segmentation and security. All of these VLANs are carried by
trunk links into the core, where a pair of Layer 3 switches has been configured to route between
VLANs and provide HSRP functionality.

BigCo uses an AAA server for router and switch authentication, and all Cisco device
configuration is conducted over Telnet. When a new switch is placed in service, it is configured
with these parameters:
Default user and enable passwords changed
VTP mode, domain, and root parameters configured
Trunk and EtherChannel links configured
A description configured on all interfaces
vty lines for access and password configured
All other settings are left at their default values.

Lastly, the administrator uses 40 to 50 manufacturing consultants each month. Each of these
consultants brings a laptop and software, and is required to connect to the company network for
access. Currently, these consultants plug into one of five different VLANs, depending on where
they are working in the building or plant. In the past, the network administrator has had some
problems with disgruntled consultants and is worried about someone having too much access.
The network administrator would like you to review the standard configuration and suggest
better security practices where applicable.

Questions
Answer the following questions regarding the scenario above:

List the possible security threats that you have identified in the BigCo Manufacturing network.

Q1) Which of the security threats that you have listed would you consider the highest
priority, and why?

Q2) What suggestions do you have for securing the VLANs and trunk links?



Q3) What suggestions do you have for securing STP?

Q4) What are your suggestions for securing the way BigCo manages the Cisco devices and
servers?

Q5) Do you have any other security suggestions for the network administrator and BigCo
Manufacturing?

Case Study Verification


You have completed this activity when your case study solution includes this information:
Answers to the case study questions

Presentation of Case Study


You may be asked by your instructor to present this case study to the class.

Case Study 8-2: Using Security Tools to Secure Devices in the Campus
Complete this case study to assess what you learned in the lesson.

Overview
You are being asked to evaluate a network attack in progress and suggest the appropriate
security tactic to reduce or remove the security threat.

Relevance
Proper security tactics and tools should mitigate security attacks.

Activity Objective
In this activity, you will identify the type of attack in progress and suggest a possible solution
to mitigate the security threat. Upon completing this case study, you will be able to meet these
objectives:
Identify security attacks on a switched network
Recommend appropriate security actions to mitigate specific attacks

Learner Skills and Knowledge


To benefit fully from this activity, you must have these prerequisite skills and knowledge:
Basic knowledge of the components that make up the Campus Infrastructure module
Basic knowledge of security threats in the Campus Infrastructure module
Basic knowledge of possible security measures to be taken to mitigate specific threats



Job Aids
Please read through the following scenario and answer the questions that follow.

Scenario

[Figure: Nettown Library]

The Nettown Library network is a large network interconnecting the main library and all the
branch libraries of Nettown. Because of library policy, open access to the network is a must,
and for some time this was not a problem. Recently, however, certain branches have been
complaining of network outages and slow response times, even when the network seems to be
operational at other branches or in other areas of the same branch. The Nettown Library is
concerned that a security attack is being used to slow down and even sometimes prevent
network access at the branches. Because of the configuration consistency among libraries, this
could be a potential risk for all of them.

Each library consists of one to five access layer switches connected to a distribution layer
switch. The distribution layer switch has redundant connections to the core layer. At the access
layer, VLANs have been implemented as shown in the slide to segregate traffic and provide for
customer and employee security.
Public ports located throughout the libraries are in VLAN 300.
Employees are assigned to VLAN 400.
Library communication equipment, such as computerized checkout and check-in machines,
are assigned to VLAN 500.
VLAN 1 is used only for management traffic.

Trunking has been disabled at the access layer for any port that is not connected to a
distribution switch. There are no user connections to the distribution switch. Inter-VLAN
routing is provided by an external router that has ACLs configured to prevent unwanted VLAN
hopping. This external router is located in the core and also provides Internet connectivity for
all VLANs.

Because everything is switched from the access layer to the core, spanning tree is heavily relied
on for fault tolerance and network resiliency. In the core and distribution layers, STP security
tactics such as root guard have been enabled. Currently the access switches do not have any
STP security tactics in place, and all ports that are not connected to a distribution switch have
STP PortFast enabled.

At random times, the network oscillates between functional and very slow to nonfunctional.
Network traffic analysis indicates that during the times of slowness, the largest amount of
traffic was being generated by a protocol that is not in use by any library application. The
analysis also showed a suspiciously high physical layer device count. For these two reasons, a
network attack is suspected. When the slowness occurs, it appears to be isolated to users on a
particular switch and may go unnoticed by users connected to other switches. During periods of
slowness, the library staff has noticed high utilization on the affected switches.

Questions
Answer the following questions after reading the scenario above.

Q1) What is the most likely attack being launched against the Nettown Library?

Q2) On what information did you base your answer for question 1?

Q3) Based upon your answers, which show command would display proof of the attack?

Q4) Which security tool(s) can be used to mitigate the attack?

Q5) Other potential attacks could be launched against or through the access switches in the
library, given the lack of switch security. For the potential attacks listed below, fill in
the blank columns. Indicate how to verify whether the attack is occurring, and suggest
a measure that could be implemented to mitigate the attack.

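Attack Type                               Attack Verification Methods     Attack Mitigation Measure
MAC Address Spoofing                      ___________________________     _________________________
DHCP Spoofing                             ___________________________     _________________________
VLAN Hopping by Double Tagging            ___________________________     _________________________
VLAN Hopping by Negotiating a Trunk Link  ___________________________     _________________________
Rogue Root STP Device                     ___________________________     _________________________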

Case Study Verification


You have completed this activity when your case study solution includes this information:
Answers to the case study questions

Presentation of Case Study


You may be asked by your instructor to present this case study to the class.

Lab 8-3: Applying Security Tools
Complete this lab activity to practice what you learned in the related module.

Activity Objective
After completing this activity, you will be able to meet these objectives:
- Correctly identify security risks
- Select the correct tools to minimize the identified risks
- Configure devices to prevent attacks so that the potential risk for network service interruption or data loss is reduced

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective]

Required Resources
These are the resources and equipment that are required to complete this activity:
- Access layer switches
- Distribution layer switches

Network Diagram
The figure shows the network layout for this lab activity.

[Figure: Network Diagram]

Command List
The table describes the commands that are used in this activity.

Commands
    Description

ip access-list extended acl-name
{deny | permit} protocol source source-wildcard destination destination-wildcard [log]
    Creates an extended IP access control list (ACL) to be used for matching packets to an ACL whose name or number you specify, and to enter access-list configuration mode.

vlan access-map name [number]
action {drop | forward}
match {ip | mac} address {name | number} [name | number]
    Creates or modifies a VLAN map entry for VLAN packet filtering. This entry changes the mode to the VLAN access map configuration.

vlan filter map-name {vlan-list vlan-list | interface interfacenumber}
    Applies a VLAN map to one or more VLANs.

switchport port-security
    Enables port security on an interface.

switchport port-security mac-address mac-address
    Specifies a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

switchport port-security maximum value
    Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132. The default is 1.

switchport port-security violation {protect | restrict | shutdown}
    Sets the security violation mode or the action to be taken if port security is violated. The default is shutdown.

spanning-tree portfast bpduguard default
    Globally enables the BPDU guard feature on PortFast-enabled ports, and places the ports that receive BPDUs in an error-disabled state.

interface interface-id
spanning-tree guard root
    Enables root guard.

ip dhcp snooping
    Globally enables DHCP snooping.

ip dhcp snooping vlan vlan-range
    Enables DHCP snooping on a VLAN.

ip dhcp snooping trust
    Configures a port as trusted for DHCP snooping purposes.

ip dhcp snooping limit rate rate
    Configures the number of DHCP messages that an interface can receive per second.

Scenario
You are concerned about security on your network. Using the tools discussed in the module,
you are going to implement security in a few different areas. To begin, you will secure the
network from unwanted stations, using port security and VACLs. After the ports are secure,
you will secure STP, using appropriate filters, and prevent unwanted DHCP traffic.

Task 1: Manage Traffic with VACLs and Port Security


In this task, you will configure VACLs and port security to ensure that unwanted traffic does
not traverse the network.

Activity Procedure
Complete these steps:

Step 1 To begin, ensure that only the PC router can be connected to port FastEthernet 0/3
on the access switch. Before you configure port security, glean the MAC address of
the PC router ethernet0 interface.

Step 2 Enable port security for port 0/3. Ensure that only the PC router MAC address is
allowed.
Step 3 Set the port security violation to shutdown.

Step 4 From your switch, ping the PC router IP address to generate some traffic between
the two devices.
Step 5 Enter the command show port address to see if port security is working. You
should see your PC router MAC address appear.

Step 6 Now that your port connecting to the PC router is secure, you need to define a
VACL for which types of traffic can traverse the switch. Enter global configuration
mode for the access layer switch.

Step 7 To complete this activity, you will need to work with the other team assigned to
your building. Get the MAC address from the PC router ethernet4 interface of your
partner group. Keep in mind that the PC router uses Ethernet port 4 and not ports
0-3. Write the MAC address here: __________________

Step 8 To configure VACLs, you must use the distribution layer switches. Telnet to your
distribution layer switch.

Step 9 Enter global configuration mode and define a VLAN ACL.


Step 10 In config-access-map mode, enter the command match ? What are your matching
options? ____________________________________________________

Step 11 Build a MAC access list.


Step 12 Issue a permit for the MAC address of the PC router that you noted in step 7.

Step 13 Configure the VLAN ACL that you created in step 9 to match the MAC access list.

Step 14 You have built a VLAN ACL, using access-list mac-list. Now apply it to the
VLANs.
Step 15 Enter the command show vlan filter access-map NAME to see where it is applied.

Step 16 You can also examine the show access-list output for hits against the ACL.

Activity Verification
You have completed this task when you attain this result:
VACLs and port security have been implemented to restrict unwanted traffic.
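
One way the port-security and VACL steps of Task 1 can be entered, as an added example that is not part of the original lab guide. Both MAC addresses are placeholders, the map name PC-ROUTER-MAP is an assumption, the list name mac-list follows Step 14, and VLAN 11 is the pod 1 access VLAN used in this guide's example configurations.

```cisco
! Access switch, Steps 1-5
! Step 1: on the PC router, "show interfaces" lists the hardware address
! of the interface that faces the switch.
! Placeholder MAC below: substitute the address recorded in Step 1.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation shutdown
!
! Verify the secure address and the violation counter:
!   show port-security interface FastEthernet0/3
!   show port-security address
! With violation mode shutdown, a frame from any other source MAC
! err-disables the port; recover with shutdown / no shutdown.
!
! Distribution switch, Steps 8-16
! Placeholder MAC below: substitute the partner address from Step 7.
mac access-list extended mac-list
 permit host 0000.0000.0002 any
!
vlan access-map PC-ROUTER-MAP 10
 match mac address mac-list
 action forward
!
vlan filter PC-ROUTER-MAP vlan-list 11
!
! On Catalyst 3750-class switches a MAC ACL in a VLAN map is evaluated
! only for non-IP frames. Once the map contains a MAC match clause,
! non-IP frames that match no entry are dropped; IP packets are
! forwarded unless the map also contains an IP match clause.
!
! Verify where the map is applied and whether entries are being hit:
!   show vlan access-map PC-ROUTER-MAP
!   show vlan filter access-map PC-ROUTER-MAP
!   show access-lists
```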

Task 2: Secure the Network Against Spanning Tree Attacks


You are using STP to keep the network stable. You would like to ensure that STP is protected
as much as possible from disruptions and intrusions. Using the tools that you learned in the
module, implement STP security.

Activity Procedure
Complete these steps:
Step 1 In this task, you will ensure that BPDUs are accepted on only the correct interfaces.
You know that interface 0/3 connects to the PC router. You also know that it should
never generate a BPDU unless it is a faulty configuration. Log in to your access
layer switch and enter config mode.

Step 2 Enter interface config mode for interface 0/3.

Step 3 Enable BPDU guard.


Step 4 Now that BPDU guard is enabled, implement root guard to ensure that the access
layer switches do not try to become the root bridges for any VLAN. Log in to your
distribution layer switch.
Step 5 On the distribution switch, identify any port that is not connected to the core
switches (root).

Step 6 Go into each active port that is not considered a root port and enter the
spanning-tree guard root command. By enabling the root guard feature on those ports, you
have ensured that they will never become root ports.

Activity Verification
You have completed this task when you attain this result:
BPDU guard and root guard have been implemented to ensure STP stability.
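
The Task 2 steps as configuration, in an added example that is not part of the original lab guide. The distribution-side interface range is an assumption based on the pod 1 example configurations in this guide, where GigabitEthernet1/0/1 through 1/0/4 face the access switches; adjust it to your pod.

```cisco
! Access switch, Steps 1-3
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternative from the command list: protect every PortFast port at once.
! spanning-tree portfast bpduguard default
!
! A BPDU received on Fa0/3 now places the port in the error-disabled
! state. Check and recover:
!   show spanning-tree summary
!   show interfaces status err-disabled
!   errdisable recovery cause bpduguard    (optional automatic recovery)
!
! Distribution switch, Steps 4-6
interface range GigabitEthernet1/0/1 - 4
 spanning-tree guard root
!
! A superior BPDU on a guarded port moves it to the root-inconsistent
! (blocking) state until the superior BPDUs stop arriving:
!   show spanning-tree inconsistentports
!
! Do not enable root guard on a port that must be able to become a root
! port for some VLAN, such as the uplinks to the core or an interlink to
! another distribution switch that is root for part of the VLANs.
```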

Task 3: Secure the Network Against DHCP Attacks
You are concerned with rogue DHCP servers being added to your network. Implement DHCP
snooping to ensure that DHCP works as advertised.

Activity Procedure
Complete these steps:

Step 1 Log in to your access switch.

Step 2 Enable DHCP snooping globally by entering the command ip dhcp snooping.

Step 3 Enter the command ip dhcp snooping information option to enable the data
insertion option (option 82) for DHCP.
Step 4 Determine where a DHCP server (if any) resides. Record the egress port used to get
to it. Which port is it? _________________________

Step 5 Enter interface configuration mode for the port that you identified in step 4.
Step 6 To enable the DHCP snooping feature on the interface, enter the command ip dhcp
snooping trust. This allows the port to accept DHCP response messages.

Step 7 Go to any other active interface that does not connect to the DHCP server and enter
the command ip dhcp snoop limit rate 10. This command configures the interface
to limit all DHCP traffic to 10 pps and disallows the port from having a DHCP
server on it.

Step 8 Specify that the VLAN or VLANs will run DHCP snooping. In global config mode,
enter ip dhcp snooping vlan vlan-id. The vlan-id should match your access
VLANs.
Step 9 Return to exec mode and enter the command show ip dhcp snooping.
1ASW2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
11-13
Insertion of option 82 is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
FastEthernet0/2              yes         unlimited

Activity Verification
You have completed this activity when you obtain this result:
DHCP snooping has been implemented.
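
The Task 3 steps as configuration, in an added example that is not part of the original lab guide. It assumes the DHCP server is reached through uplink FastEthernet0/9 (the answer to Step 4 depends on your pod) and uses VLAN 11, the pod 1 access VLAN from this guide's example configurations.

```cisco
! Access switch, Steps 2-8
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 11
!
! Assumption: Fa0/9 is the egress port toward the DHCP server (Step 4).
! Only this port may deliver server messages such as OFFER and ACK.
interface FastEthernet0/9
 ip dhcp snooping trust
!
! User-facing port: it stays untrusted, which is the default, so DHCP
! server messages arriving on it are dropped. The rate limit caps client
! DHCP traffic at 10 packets per second; exceeding it err-disables
! the port.
interface FastEthernet0/3
 ip dhcp snooping limit rate 10
!
! Verify: with this configuration only Fa0/9 should show Trusted "yes",
! and Fa0/3 should show a rate limit of 10.
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```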

Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.

Quiz 1-1 Answer Key: Describing the Campus Infrastructure Module
When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup:

Q1)
[Figure: Enterprise Composite Model Functional Areas]

Q2)
[Figure: Modules in the Enterprise Campus]

Q3)
[Figure: Campus Infrastructure Module]

Lab 1-2 Answer Key: Getting Started with Cisco Catalyst Equipment
Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup:

Access Switch 1 for Pod 1


version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
enable secret san-fran
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
no vtp password
!
end

Distribution Switch 1 for Pod 1


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
enable secret san-fran
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport mode access
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport mode access
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
control-plane
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
no vtp password
!
end

Router PC for Pod 1


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1PC1
!
boot-start-marker
boot-end-marker
!
enable secret san-fran
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip routing
no ip cef
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.1.1.5 255.255.0.0
no ip route-cache
speed 100
full-duplex
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
station-role root
!
interface Vlan1
no ip address
no ip route-cache
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
no vtp password
scheduler max-task-time 5000
end

Lab 2-1 Answer Key: Configuring VLANs and VTP


When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 3: Configure VLANs


Step 1 Attempt to create your building and floor primary VLAN, using the vlan vlan-id
global configuration command.
Step 2 Were you able to create the VLAN?
No

Step 3 Use the show vlan command on the Building Access switch to verify that the VLAN
was added.
Was the VLAN added? Why or why not?
Yes, because in transparent mode the VLAN will be created on the local switch
only; other switches will not have the VLAN.

Step 4 Connect to a Building Distribution switch and enter the show vlan command.
Does the alternate VLAN that you just created (for example, VLAN13) appear?
Why or why not?
No; this was created in transparent mode, so it will not be reflected on this switch.

Step 5 Set the VTP mode on your Building Access switch to client again.
Which VLANs are available on your Building Access switch? Are any VLANs
missing? Why?
All VLANs are not visible because client mode allows you to synchronize to all
other server switches.

Task 4: Verify the VTP and VLAN Status


Step 1 On the first Building Distribution switch (for example, 1DSW1), enter the show vlan
command.
Did you see all the VLANs that you expected to see?
Why were the VLANs from the other buildings propagated or not propagated to the
building?
Yes, because all switches are in the same VTP domain, the VLANs are forwarded
everywhere.

Step 2 Test connectivity to determine which devices can and cannot ping each other.
If there are connectivity problems, why did they occur? ______________
No; all pings were good.

Task 5: Associate VLANs with Ports on Your Switch


Step 1 Can your PC router ping the other devices in your network? Why or why not?
No; because you need a router to accomplish inter-VLAN routing.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no vtp password
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
Line con 0
exec-timeout 0 0
enable secret san-fran
no vtp password
!
end

Distribution Switch 1 for Pod 1


!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
Line con 0
exec-timeout 0 0
enable secret san-fran
no vtp password

!
end

Lab 3-1 Answer Key: Configuring Primary and Backup Root Bridges
When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 3: Verify Spanning Tree for VLANs on the Distribution Switches


Your answers should be similar to these:

Step 1 Look for the root bridge MAC address. Write it down here:

The MAC address will vary per device. However, it will always be documented by
12 HEX characters (1234.abcd.1a2b). If your switch is the root, the switch will state
that.

Step 2 Look for the MAC address of your bridge. Write it down here:
The MAC address will vary per device. However, it will always be documented by
12 HEX characters (1234.abcd.1a2b). Regardless of which switch is the root, the
device MAC address will always be visible.

Step 3 Each nonroot bridge has a root port. What is the root port if you are not the root
bridge?
The root port will vary, depending upon the switch that you are examining. If the
switch is not the root switch (bridge), then there must be a root port. Examine the
ports, and you will see one that states root.

Step 4 Refer to the figure labeled VLAN1. Notice that each port has a spanning tree path
cost. What is the path cost at your root port?
This value will vary, based upon which switch you are examining and where the root
is located.

Step 5 Refer to the figure again. Trace back to the root bridge. Which switch is the root
bridge?
The root bridge will vary, depending on your configuration.
Step 6 Using the output from the show spanning-tree vlan command, answer these
questions:
Which spanning tree implementation is running?
Standard spanning tree.

What is the BID?


This will vary on each switch because the BID is a combination of the MAC address
and the priority number.

What is the root bridge ID?


The MAC address will vary per device. However, it will always be documented by
12 HEX characters (1234.abcd.1a2b).

What is the root port (if any)?


The root port will vary, depending upon the switch that you are examining. If the
switch is not the root switch (bridge), then there must be a root port. Examine the
ports, and one will state root.

What is the cost of the root path (if any)?
This value will vary, based upon which switch you are examining and where the root
is located.

What is the advertised cost of a designated root on port 1?


This value will vary, based upon what switch you are examining and where the root
is located.

What is the advertised cost of a designated root on port 2?


This value will vary, based upon which switch you are examining and where the root
is located.

What is the advertised cost of a designated root on port 3?


This value will vary, based upon which switch you are examining and where the root
is located.

What is the advertised cost of a designated root on port 4?


This value will vary, based upon which switch you are examining and where the root
is located.

What is the advertised cost of a designated root on port 9?


This value will vary, based upon which switch you are examining and where the root
is located.

Step 7 Using the output from the show spanning-tree vlan command, answer these
questions:

Which spanning tree implementation is running?


Standard spanning tree.

What is the BID?


This will vary on each switch because the BID is a combination of the MAC address
and the priority number.

What is the root bridge ID?


The MAC address will vary per device. However, it will always be documented by
12 HEX characters (1234.abcd.1a2b). If your switch is the root, the switch will state
that.

What is the root port (if any)?


The root port will vary, depending upon the switch you are examining. If the switch
is not the root switch (bridge), then there must be a root port. Examine the ports, and
one will state root.

Is this system the root bridge?


If your switch is the root, the switch will state that.

Step 8 What is the cost of the path to the root bridge?
This value will vary, based upon which switch you are examining and where the root
is located.

Why is Fast Ethernet 0/3 not shown?


It is not participating in the STP.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
Line con 0
exec-timeout 0 0
enable secret san-fran
no vtp password
!
end

1ASW1#

Distribution Switch 1 for Pod 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/3

description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8

switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20

!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran

!
end

Lab 3-2 Answer Key: Implementing PVRST
When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 1: Investigate Access Switch Convergence After Link Failure with 802.1D STP
Step 1 Determine if you have any blocked ports by entering the command
show spanning-tree blockedports. Which port(s) were blocked?
Varies based upon how STP negotiated the loop-free topology.

Step 2 From your switch, determine the root port by entering the command
show spanning-tree root. What is your root port?
Varies based upon how STP negotiated the loop-free topology.

Step 3 On the PC router, is the ping still running? __________


How long did it take for the pings to resume?
No, the pings stopped for about 30 seconds.

Task 2: Configure PVRST on Access Switches


Step 1 Log in to your access switch. Enter the command show spanning-tree summary.
What mode is STP running in?
Standard spanning tree is still running.

Step 2 Enter the command show spanning-tree.

Is the switch now running in PVRST mode?


Yes, Rapid Spanning Tree is running (RSTP).
What is the status of peer switches under the type column?
Point-to-Point (P2P)

Task 3: Configure PVRST on Distribution Switches


Step 1 Enter the command show spanning-tree.

Is the switch now running in PVRST mode?


Yes

What is the status of peer switches under the type column?


Point-to-Point (P2P)

Task 4: Investigate Access Switch Convergence After Link Failure with 802.1w RSTP
Step 1 Determine if you have any blocked ports by entering the command
show spanning-tree blockedports. Which port(s) were blocked?
This will vary, based upon how RSTP has negotiated the loop-free topology.
Step 2 From your switch, determine the root port by entering the command
show spanning-tree root. What is your root port?
This will vary, based upon how RSTP has negotiated the loop-free topology.

Step 9 On the PC router, is the ping still running?
Yes

Are the pings successful?


Yes

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport mode access
speed 100

duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk

switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Distribution Switch 1 for Pod 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!

no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access

shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!

interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Lab 3-3 Answer Key: Implementing MST
When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 1: Configure MST on the Access and Distribution Switches and Verify the
Configuration
Step 1 Enter the command show spanning-tree.
Is the switch now running in MST mode?
No

Step 2 Enter the command show spanning-tree.


Is the switch now running in MST mode?
Yes

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode mst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
instance 1 vlan 1, 11, 13
!

!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!

interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran

!
end

1ASW1#

Distribution Switch 1 for Pod 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
revision 1
instance 1 vlan 1, 11, 13
instance 2 vlan 12, 14
!
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!

vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet1/0/5

description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11

switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!

control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end
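
Switches belong to the same MST region only when the region name, the revision number, and the VLAN-to-instance mapping are all identical. The following check is an added example, not part of the lab guide: it parses the two spanning-tree mst configuration blocks printed above (embedded as constructed input) and lists every field in which they differ; the function names are hypothetical.

```python
import re

# Constructed input: the MST-related lines of the two Lab 3-3 listings above,
# copied as printed (the listing lost its indentation, so none is assumed).
ASW1_CFG = """\
spanning-tree mode mst
spanning-tree portfast default
!
spanning-tree mst configuration
name building1
instance 1 vlan 1, 11, 13
!
interface FastEthernet0/1
"""

DSW1_CFG = """\
spanning-tree mode mst
!
spanning-tree mst configuration
name building1
revision 1
instance 1 vlan 1, 11, 13
instance 2 vlan 12, 14
!
spanning-tree mst 1 priority 24576
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1, 11-13' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_mst_region(config):
    """Return (name, revision, {vlan: instance}) from one switch config.

    Defaults when a subcommand is absent: empty name, revision 0, and every
    unlisted VLAN in instance 0 (the IST).
    """
    name, revision, vlan_to_instance = "", 0, {}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "spanning-tree mst configuration":
            in_block = True
            continue
        if not in_block:
            continue
        if m := re.fullmatch(r"name (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"revision (\d+)", line):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (.+)", line):
            for vlan in expand_vlans(m.group(2)):
                vlan_to_instance[vlan] = int(m.group(1))
        else:
            break  # '!' or any other command ends the submode block
    return name, revision, vlan_to_instance


def region_differences(a, b):
    """List (field, value_a, value_b) for every region attribute that differs."""
    diffs = []
    if a[0] != b[0]:
        diffs.append(("name", a[0], b[0]))
    if a[1] != b[1]:
        diffs.append(("revision", a[1], b[1]))
    for vlan in sorted(set(a[2]) | set(b[2])):
        inst_a, inst_b = a[2].get(vlan, 0), b[2].get(vlan, 0)
        if inst_a != inst_b:
            diffs.append((f"vlan {vlan}", inst_a, inst_b))
    return diffs


if __name__ == "__main__":
    asw1 = parse_mst_region(ASW1_CFG)
    dsw1 = parse_mst_region(DSW1_CFG)
    for field, left, right in region_differences(asw1, dsw1):
        print(f"{field}: 1ASW1={left} 1DSW1={right}")
```

Run against the two listings as printed, the check reports a revision mismatch (default 0 on 1ASW1, 1 on 1DSW1) and VLANs 12 and 14 mapped to instance 0 on one side and instance 2 on the other. Until those fields match, the switches treat the links between them as a region boundary.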

Lab 3-4 Answer Key: Configuring EtherChannel


Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!

spanning-tree mode mst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
instance 1 vlan 1, 11, 13
!
!
!
!
!
interface Port-channel1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface Port-channel2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!

interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!

interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Distribution Switch 1 for Pod 1

Building configuration...

Current configuration : 4296 bytes


!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1

!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
revision 1
instance 1 vlan 1, 11, 13
instance 2 vlan 12, 14
!
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005

switchport mode trunk
switchport nonegotiate
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet1/0/4

description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
channel-group 3 mode desirable
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
channel-group 3 mode desirable
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251

switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23

!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Lab 3-5 Answer Key: Troubleshooting Spanning Tree


When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 1: Troubleshoot Spanning Tree on Access Switches


Step 1 Obviously, using the no shutdown command did not fix all your problems; at least
one of your interfaces is still not operational. What do you believe is causing the
interface to be nonfunctional?
No VLAN is associated to the interface.

Step 2 Re-create the missing VLAN. Did your down interface come up? Yes

Step 3 Now that your interfaces are operational, is network connectivity restored?
No

Problems Injected
These are the problems that you should have detected:
Ports 9 and 10 shut down on access switches
Lowest VLAN removed from access switches
VLAN names changed for VLAN11 and 14
VTP passwords set to Private on DSW1 and GONE on DSW2

Task 2: Troubleshoot Spanning Tree on Distribution Switches


Step 1 Enter the command show spanning-tree summary. Has anything changed since you
last documented the switch?
Yes, there are missing VLANs, and naming of VLANs is not accurate.
Step 2 Enter the command show vlan to examine the VLAN table. Is there anything wrong
with the VLANs? If so, correct the problem.
Yes, there are missing VLANs, and naming of VLANs is not accurate.
Step 3 In the previous activity, one of the VLANs had been removed. To fix the disabled
interface, you re-created the VLAN on the local switch. Does that VLAN show up
on this distribution switch?
No
Should it be there?
Yes
Step 4 What would cause the distribution switch and the access switch to lose VLAN
information from each other?
VTP domain or passwords are set.
Step 5 Examine the VTP status by using the show vtp status command. Has anything
changed?
No
Step 6 According to the VTP status output, STP looks as if it is configured correctly, but it
is not working. What else could cause VTP to fail between switches?
Passwords could be set and different.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1

!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode mst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
instance 1 vlan 1, 11, 13
!
!
!
!
!
interface Port-channel1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface Port-channel2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --

switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full

channel-group 2 mode desirable
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.0.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

1ASW1#

Distribution Switch 1 for Pod 1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name building1
revision 1
instance 1 vlan 1, 11, 13
instance 2 vlan 12, 14
!
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005

switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
channel-group 3 mode desirable
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 10
duplex full
channel-group 3 mode desirable
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!

interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
switchport access vlan 251
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
switchport access vlan 252
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.0.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end


Quiz 4-1 Answer Key: Describing Routing Between VLANs
The correct answers are listed here.

Q1) A

Q2) C

Q3) C

Lab 4-2 Answer Key: Routing Between VLANs


When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 4: Verify Inter-VLAN Layer 3 Routing


Step 1 Answer the following questions pertaining to the routing table on your system.

What does the 90 in the [90/3072] indicate for the displayed routes?
90 is the default administrative distance for EIGRP. The lower the value, the
more trusted the protocol.

What does the 3072 in the [90/3072] indicate in the same window?
The value 3072 is the composite metric that EIGRP uses to determine the best
path to the destination network. This is based upon BW and delay, but it can also
include reliability, load, and MTU. Lower is better.

Can you change either of these numbers (90 or 3072), using Cisco IOS commands?
You can change both the administrative distance and the composite metric value,
using Cisco IOS commands; however, that topic is not covered in this class.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport access vlan 11
switchport mode access
speed 100
duplex full
no shutdown
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Distribution Switch 1 for Pod 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
ip routing
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
no shutdown
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
no shutdown
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
no switchport
ip address 10.1.111.1 255.255.255.0
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
no switchport
ip address 10.1.113.1 255.255.255.0
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
no shutdown
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
no shutdown
!
interface Vlan12
ip address 10.1.12.1 255.255.255.0
no shutdown
!
interface Vlan13
ip address 10.1.13.1 255.255.255.0
no shutdown
!
interface Vlan14
ip address 10.1.14.1 255.255.255.0
no shutdown
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
network 10.0.0.0
auto-summary
!
no ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Router PC for Pod 1


service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1PC1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip routing
no ip cef
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.1.11.5 255.255.255.0
no ip route-cache
speed 100
full-duplex
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
no ip route-cache
!
ip default-gateway 10.1.11.1
ip classless
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
scheduler max-task-time 5000
end

Lab 5-1 Answer Key: Enabling and Optimizing HSRP


When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 1: Configure HSRP on the Router


Step 1 Answer the following questions:

Which router is the active router?
This will depend on the group that you are examining for HSRP.

What is the priority of the active router?
This value should be 100.

Which router is the standby router?
This will depend on the group that you are examining for HSRP.

What is the priority of the standby router?
This value should be 50.

Is the router with the highest priority active? Yes

Task 2: Test HSRP on Routers by Simulating a Failure


Step 1 View the status of HSRP on your VLAN on each Layer 3 device.
Which router is the active HSRP router?
The primary router is now the active HSRP router.
Step 2 Observe what happens to your continuous ping.
How many packets were dropped, or for how long was your traffic disrupted?
About 5 packets were dropped.

Did you expect this result?
Yes, based upon the dead timer interval of HSRP, this makes sense.
Remember that the default hello interval is 3 seconds, with a 10-second timeout. Can
you explain why you had the delay that you experienced?
Convergence of 10 seconds had to take place before the secondary router assumed
the active HSRP role.

Step 3 Observe the status of HSRP by entering the show standby vlan-id command.

Which router is active?
The original standby router is still the new active router.

Which router is the standby?
The original active router is the standby router.

Task 3: Test HSRP Tuning Enhancements Using Preempt


Step 1 View the status of HSRP on your VLAN on each Layer 3 device.

Which router is the active HSRP router?


The primary router is the active HSRP router.

Step 2 Observe the status of HSRP by using the show standby vlan-id command.
Which router is active?
Which router is the standby?
The primary router is back as the active HSRP router, and the backup is the standby
router.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Distribution Switch 1 for Pod 1

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
ip routing
no ip domain-lookup
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!

!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,14,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
no shutdown
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
no shutdown
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
no switchport
ip address 10.1.111.1 255.255.255.0
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
no switchport
ip address 10.1.113.1 255.255.255.0
speed 100
duplex full
no shutdown
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
no shutdown
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
standby 1 ip 10.1.11.254
standby 1 preempt
no shutdown
!
interface Vlan12
ip address 10.1.12.1 255.255.255.0
standby 2 ip 10.1.12.254
standby 2 priority 50
no shutdown
!
interface Vlan13
ip address 10.1.13.1 255.255.255.0
no shutdown
!
interface Vlan14
ip address 10.1.14.1 255.255.255.0
no shutdown
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
network 10.0.0.0
auto-summary
!
no ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Router PC for Pod 1 Example Configuration

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1PC1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip routing
no ip cef
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.1.11.5 255.255.255.0
no ip route-cache
speed 100
full-duplex
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
no ip route-cache
!
ip default-gateway 10.1.11.254
ip classless
!
!
no ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
scheduler max-task-time 5000
end

Lab 6-1 Answer Key: Configuring Switches for WLANs


When you complete this activity, your output will be similar to the results here, with
differences that are specific to your device or workgroup.
WSW1# show running-config
!
version 12.2
no service pad
!
hostname WSW1
!
no aaa new-model
vtp mode transparent
ip subnet-zero
ip routing
!
ip dhcp pool wlan111
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
!
ip dhcp pool wlan112
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,111-112
!
interface GigabitEthernet0/1
description 1WLC1
switchport access vlan 111
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2
description 1AP1
switchport access vlan 111
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
description 1WLC2
switchport access vlan 112
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description 1AP2
switchport access vlan 112
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/23
description BBS1 switch
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/24
description BBS2 switch
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.100.3 255.255.255.0
!
interface Vlan111
ip address 192.168.111.1 255.255.255.0
!
interface Vlan112
ip address 192.168.112.1 255.255.255.0
!
router eigrp 1
passive-interface default
no passive-interface vlan100
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip classless
ip http server
!
control-plane
!
line con 0
line vty 0 15
password cisco
login
!
ntp server 192.168.100.1
end

WSW1# show vlan


VLAN Name Status Ports
---- -------------------------- --------- ----------------------
1 default active Gi0/9, Gi0/10
100 VLAN0100 active Gi0/23, Gi0/24
111 VLAN0111 active Gi0/1, Gi0/2
112 VLAN0112 active Gi0/3, Gi0/4
121 VLAN0121 active Gi0/5, Gi0/6
122 VLAN0122 active Gi0/7, Gi0/8

WSW1# show power inline


Available:370.0(w) Used:61.6(w) Remaining:308.4(w)
Interface Admin  Oper       Power   Device            Class Max
                            (Watts)
--------- ------ ---------- ------- ----------------- ----- ----
Gi0/1     auto   off        0.0     n/a               n/a   15.4
Gi0/2     auto   on         15.4    Ieee PD           3     15.4
Gi0/3     auto   off        0.0     n/a               n/a   15.4
Gi0/4     auto   on         15.4    Ieee PD           3     15.4
Gi0/5     auto   off        0.0     n/a               n/a   15.4
Gi0/6     auto   on         15.4    Ieee PD           3     15.4
Gi0/7     auto   off        0.0     n/a               n/a   15.4
Gi0/8     auto   on         15.4    Ieee PD           3     15.4

The following MAC addresses are examples only.


WSW1# show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
111 000b.8533.ef80 DYNAMIC Gi0/1
111 000b.8566.3270 DYNAMIC Gi0/2
112 000b.8533.f000 DYNAMIC Gi0/3
112 000b.855e.3be0 DYNAMIC Gi0/4
121 000b.8533.efe0 DYNAMIC Gi0/5
121 000b.8562.23c0 DYNAMIC Gi0/6
122 000b.8533.efa0 DYNAMIC Gi0/7
122 000b.855e.38d0 DYNAMIC Gi0/8

WSW1# show ip interface brief


Interface IP-Address OK? Method Status Protocol
Vlan100 192.168.100.3 YES manual up up
Vlan111 192.168.111.1 YES manual up up
Vlan112 192.168.112.1 YES manual up up
Vlan121 192.168.121.1 YES manual up up
Vlan122 192.168.122.1 YES manual up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 unassigned YES unset up up
GigabitEthernet0/6 unassigned YES unset up up
GigabitEthernet0/7 unassigned YES unset up up
GigabitEthernet0/8 unassigned YES unset up up
GigabitEthernet0/23 unassigned YES unset up up
GigabitEthernet0/24 unassigned YES unset up up

Lab 6-2 Answer Key: Setting Up the WLAN Controller


When you complete this activity, your output will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 5: Verify Configurations


(group11) > show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr
------------------ ---- -------- --------------- ------- ----
ap-manager 1 untagged 192.168.111.3 Static Yes
management 1 untagged 192.168.111.2 Static No
virtual N/A N/A 1.1.1.1 Static No

(group11) > show wlan summary


Number of WLANs.................................. 1
WLAN ID WLAN Name Status Interface Name
------- ---------------------- --------- ----------------------
1 wlan11 Enabled management

(group11) > show ap summary


AP Name Slots AP Model Ethernet MAC Location Port
----------- ----- -------- ----------------- ------------- ----
ap:66:32:70 2 AP1020 00:0b:85:66:32:70 default_location 1

Lab 7-1 Answer Key: Configuring IP Telephony Support


Example Configurations
When you complete this activity, your pod configurations will be similar to the results here,
with differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface Port-channel1
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface Port-channel2
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
switchport voice vlan 211
mls qos trust device cisco-phone
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/10
description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 1 mode desirable
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
channel-group 2 mode desirable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Distribution Switch 1 for Pod 1

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
ip routing
no ip domain-lookup
!
!
mls qos
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 12,14,212
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 12,14,212
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
no switchport
ip address 10.1.111.1 255.255.255.0
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
no switchport
ip address 10.1.113.1 255.255.255.0
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
standby 1 ip 10.1.11.254
standby 1 preempt
!
interface Vlan12
ip address 10.1.12.1 255.255.255.0
standby 2 ip 10.1.12.254
standby 2 priority 50
!
interface Vlan13
ip address 10.1.13.1 255.255.255.0
!
interface Vlan14
ip address 10.1.14.1 255.255.255.0
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
network 10.0.0.0
auto-summary
!
no ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
end

1DSW1#

Case Study 8-1 Answer Key: Applying Security Practices to Secure Devices in the Campus
Your case study and discussion should include these solutions.

Q1) Which of the security threats that you have listed would you consider the highest
priority, and why?
The switching network is open to snooping, VLAN hopping, and VLAN-based attacks,
given the trunking configuration of the switches. AAA is being used for authentication,
but all the usernames and passwords are being typed over Telnet; therefore, usernames
and passwords are in cleartext. Also, there is no mention of inter-VLAN security in
place on the Layer 3 switches. Spanning tree is susceptible to attacks because of a lack
of STP configuration parameters. Lastly, the consultants should be restricted to a
specific VLAN that can be monitored and secured.

Inter-VLAN security must be established immediately. If there is no barrier between
the users and the mission-critical servers, BigCo is susceptible to a number of attacks.
After inter-VLAN security is complete, the consultants need to be restricted.

Q2) What suggestions do you have for securing the VLANs and trunk links?
Trunking should be disabled on all ports that are not used for trunking. The number of
VLANs should be reduced, and security (an access control list) needs to be established
between them.

Q3) What suggestions do you have for securing STP?


STP must be secured at each layer. At the access layer, port security can be used to
limit the number of MAC addresses that can enter the port. BPDU guard should be
configured on all host-facing access ports. Between the distribution and core layers,
STP security, such as root guard, needs to be implemented.

Q4) What are your suggestions for securing the way BigCo manages the Cisco devices and
servers?
Discontinue using Telnet to configure Cisco devices because all information is shown
in cleartext on the wire. Configure devices from the console, or use the latest version of
SSH. Also ensure that service password encryption is used in configurations, so that
any configuration file transfers will not be exposing passwords in clear text.

Q5) Do you have any other security suggestions for the network administrator and BigCo
Manufacturing?
These answers will vary. Comments about the consultants and a general lack of good
security practices are to be assumed.
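
The recommendations in Q2 through Q4 above can be checked mechanically against a saved running-config. The following Python script is an added example, not part of the lab guide; its sample configuration is constructed, modelled on the access-switch listings in this guide, and the function names and finding texts are this example's own. It assumes that a port with no switchport mode line is in its default dynamic mode, and it checks only the per-interface form of BPDU guard.

```python
import re

# Constructed sample, modelled on the access-switch configurations in this guide.
SAMPLE_CONFIG = """\
no service password-encryption
!
hostname 1ASW1
!
interface FastEthernet0/1
!
interface FastEthernet0/3
 description --- to 1PC1 --
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 11
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet0/9
 switchport trunk allowed vlan 1,11,13,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 ip address 10.1.1.3 255.255.255.0
!
line con 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 login
!
end
"""

HEADER = re.compile(r"^(interface|line)\s+(.+)$")


def parse_stanzas(text):
    """Split a running-config into global commands and interface/line stanzas.

    Lines are stripped, so the indented form printed by IOS and a flattened
    copy parse the same way. A stanza ends at '!' or at the next header.
    """
    global_cmds, stanzas, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        match = HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2), [])
            stanzas.append(current)
        elif current is not None:
            current[2].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, stanzas


def audit(text):
    """Return (scope, finding) pairs for the weaknesses the case study names."""
    global_cmds, stanzas = parse_stanzas(text)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append(("global", "service password-encryption is not enabled"))
    for kind, name, cmds in stanzas:
        scope = f"{kind} {name}"
        if kind == "line" and name.startswith("vty"):
            if "no login" in cmds:
                findings.append((scope, "no login: sessions are accepted without authentication"))
            if "transport input ssh" not in cmds:
                findings.append((scope, "Telnet is not excluded (no 'transport input ssh')"))
            continue
        if kind != "interface" or not re.match(r"(Fast|Gigabit)Ethernet", name):
            continue  # console lines, SVIs and port channels are out of scope here
        if "shutdown" in cmds or "no switchport" in cmds:
            continue  # disabled or routed port
        mode = next((c[len("switchport mode "):] for c in cmds
                     if c.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            # Assumption: without a static mode the port answers trunk negotiation.
            findings.append((scope, "port can negotiate a trunk (no static access/trunk mode)"))
        elif mode == "access":
            if "switchport port-security" not in cmds:
                findings.append((scope, "access port without port security"))
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append((scope, "access port without BPDU guard"))
        elif mode == "trunk":
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((scope, "trunk carries every VLAN (no allowed-VLAN list)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```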


Case Study 8-2 Answer Key: Using Security Tools to Secure Devices in the Campus
Your case study and discussion should include these solutions.
Q1) What is the most likely attack being launched against the Nettown Library?
MAC address flooding

Q2) On what information did you base your answer for question 1?
Only certain switches are being affected, and there is high utilization, a high device
count, an uncommon protocol in use, no security tactics in place on access switches,
and no mention of port security.

Q3) Based upon your answers, which show command would display proof of the attack?
The show cam dynamic command would indicate whether the CAM table was
overloaded.

Q4) Which security tool(s) can be used to mitigate the attack?
Port security

Q5) Other potential attacks could be launched against or through the access switches in the
library given the lack of switch security. For the potential attacks listed below, fill in
the blank columns. Indicate how to verify whether the attack is occurring, and suggest
a measure that could be implemented to mitigate the attack.
Attack Type: MAC Address Spoofing
Attack Verification Method: Record the MAC address of network devices connected to
the switch in question. Ensure that the device MAC address is associated with the
correct port when it appears in the CAM table.*
Attack Mitigation Measure: Configure port security to ensure that only one MAC
address is associated with a particular port. Configure 802.1x port authentication to
ensure that a user authenticates to the network before using a switch port.

Attack Type: DHCP Spoofing
Attack Verification Method: View the DHCP leases and see if more IP addresses have
been consumed than would be likely for legitimate network devices on each specific
subnet. View IP configuration information on the client device to ensure that the IP
address of the DHCP server is that of the true DHCP server for the network and not a
false or spoofed DHCP server.
Attack Mitigation Measure: Configure DHCP snooping

Attack Type: VLAN Hopping by Double Tagging
Attack Verification Method: It is difficult to verify the existence of this attack.
Attack Mitigation Measure: Limit the number of VLANs allowed on trunk links. Ensure
that the native VLAN of trunk ports is unique; that is, not a data VLAN.

Attack Type: VLAN Hopping by Negotiating a Trunk Link
Attack Verification Method: This type of attack is not likely, because trunking
protocols have been turned off for nontrunk ports on the access switches.

Attack Type: Rogue Root STP Device
Attack Verification Method: Use show spanning-tree commands to validate where the
root switch is located.
Attack Mitigation Measure: Configure BPDU guard on each access port.

*Although both of these methods would work, they would require an incredible amount of administrative
time.
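The CAM-table checks named in Q3 and in the MAC address spoofing row can be scripted, which removes most of the administrative time the footnote mentions. The Python below is an added example, not part of the Cisco lab guide; the listing format is a constructed, simplified stand-in for real show output, and the inventory, the port Fa0/7 and the threshold of three MAC addresses per port are assumptions.

```python
from collections import Counter

# Constructed, simplified CAM listing: VLAN, MAC address, type, port.
# Real show output differs by platform; adapt parse() to match it.
CAM = """\
11  0016.9d29.0fcd  dynamic  Fa0/3
11  0016.9d29.0f80  dynamic  Fa0/7
11  02aa.0000.0001  dynamic  Fa0/5
11  02aa.0000.0002  dynamic  Fa0/5
11  02aa.0000.0003  dynamic  Fa0/5
11  02aa.0000.0004  dynamic  Fa0/5
"""

# Recorded inventory (MAC -> expected port), constructed for this example.
INVENTORY = {"0016.9d29.0fcd": "Fa0/3", "0016.9d29.0f80": "Fa0/4"}

def parse(listing):
    """Return (mac, port) pairs for dynamically learned entries only."""
    entries = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "dynamic":
            entries.append((fields[1].lower(), fields[3]))
    return entries

def flooded_ports(entries, max_macs=3):
    """Ports that learned more MACs than a host-facing port plausibly would."""
    counts = Counter(port for _, port in entries)
    return sorted(port for port, n in counts.items() if n > max_macs)

def misplaced_macs(entries, inventory):
    """Known MACs seen on a port other than the recorded one (possible spoofing)."""
    return sorted((mac, port, inventory[mac]) for mac, port in entries
                  if mac in inventory and inventory[mac] != port)

if __name__ == "__main__":
    learned = parse(CAM)
    print("Ports over threshold:", flooded_ports(learned))
    for mac, seen, expected in misplaced_macs(learned, INVENTORY):
        print(f"{mac} seen on {seen}, expected on {expected}")
```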

Lab 8-3 Answer Key: Applying Security Tools
When you complete this activity, your answers will be similar to the results here, with
differences that are specific to your device or workgroup.

Task 1: Manage Traffic with VACLs and Port Security


Step 7 To complete this activity, you will need to work with the other team assigned to
your building. Get the MAC address from the PC router ethernet4 interface of your
partner group. Keep in mind that the PC router uses Ethernet port 4 and not ports
0-3. Write the MAC address here:
This MAC address will vary depending on the device. It should be 12 hexadecimal
characters in length (for example, 1234.5678.9ABC).

Step 10 In config-access-map mode, enter the command match ? What are your matching
options?
There are various options for this command.

Task 3: Secure the Network Against DHCP Attacks


Step 4 Determine where (if any) a DHCP server resides. Record the egress port used to get
to it. Which port is it?
This port will vary based upon the device that you are examining.

Example Configurations
When you complete this activity, your pod configuration will be similar to the results here, with
differences that are specific to your device or workgroup.

Access Switch 1 for Pod 1


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 1ASW1
!
!
ip subnet-zero
!
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id

!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description --- to 1PC1 --
switchport access vlan 11
switchport mode access
switchport port-security
switchport port-security mac-address 0016.9d29.0fcd
speed 100
duplex full
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport voice vlan 211
mls qos trust device cisco-phone
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
description -- 1ASW1 0/9 - 1DSW1 1/0/1
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/10

description -- 1ASW1 0/10 - 1DSW1 1/0/2
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/11
description -- 1ASW1 0/11 - 1DSW2 1/0/3
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/12
description -- 1ASW1 0/12 - 1DSW2 1/0/4
switchport trunk allowed vlan 1,11,13,1002-1005
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.1.1.3 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
ip http server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password cisco
login

line vty 5 15
login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Distribution Switch 1 for Pod 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1DSW1
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
ip routing
no ip domain-lookup
!
ip multicast-routing distributed
!
mls qos
!
!
!
no file verify auto
!
mac access-list extended MAC
permit host 0016.9d29.0f80 any
permit host 0016.9d29.0fcd any
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id

spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
spanning-tree vlan 1,11,13 priority 24576
spanning-tree vlan 12,14 priority 28672
!
!
vlan access-map 1 10
action forward
vlan access-map 1 20
action forward
vlan access-map 1 30
action forward
match mac address MAC
vlan filter 1 vlan-list 1-4094
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
description --- 1DSW1 G1/0/1 - 1ASW1 FE0/9 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/2
description --- 1DSW1 G1/0/2 - 1ASW1 FE0/10 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13,211
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/3
description --- 1DSW1 G1/0/3 - 1ASW2 FE0/11 --
switchport trunk encapsulation dot1q

switchport trunk allowed vlan 12,14,212
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/4
description --- 1DSW1 G1/0/4 - 1ASW2 FE0/12 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 12,14,212
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
mls qos trust cos
!
interface GigabitEthernet1/0/5
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
!
interface GigabitEthernet1/0/6
description -- 1DSW1 1/0/5-6 1DSW2 1/0/5-6 --
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-14,1002-1005
switchport mode trunk
switchport nonegotiate
shutdown
speed 10
duplex full
!
interface GigabitEthernet1/0/7
switchport mode access
shutdown

!
interface GigabitEthernet1/0/8
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description -- 1DSW1 1/0/9 - BBS1 -
no switchport
ip address 10.1.111.1 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface GigabitEthernet1/0/10
description -- 1DSW1 1/0/10 - BBS2 - 2/25
no switchport
ip address 10.1.113.1 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface GigabitEthernet1/0/11
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
switchport mode access
shutdown
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18

!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip pim sparse-mode
standby 1 ip 10.1.11.254
standby 1 preempt
!
interface Vlan12
ip address 10.1.12.1 255.255.255.0
ip pim sparse-mode
standby 2 ip 10.1.12.254
standby 2 priority 50
!
interface Vlan13
ip address 10.1.13.1 255.255.255.0
!
interface Vlan14
ip address 10.1.14.1 255.255.255.0
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14

network 10.0.0.0
auto-summary
!
no ip classless
ip http server
ip http secure-server
!
ip pim rp-address 10.1.11.1 1
!
access-list 1 permit 227.1.1.1
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
line con 0
exec-timeout 0 0
no vtp password
no ip domain-lookup
enable secret san-fran
!
end

Core Configuration for Backbone Switch Number 1


no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname BBS1-mod-MAB
!

boot-start-marker
boot system bootflash:cat4000-i9s-mz.122-25.EWA4.bin
boot-end-marker
!
enable password san-fran
!
no aaa new-model
vtp domain ''
vtp mode transparent
ip subnet-zero
!
ip multicast-routing
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
vlan 100
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface FastEthernet2/1
description ---- to 1DSW1-GIG 1/0/9 ---
no switchport
ip address 10.1.111.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/2
description ---- to 2DSW1-GIG 1/0/9 ---
no switchport
ip address 10.2.121.101 255.255.255.0

ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/3
description ---- to 3DSW1-GIG 1/0/9 ---
no switchport
ip address 10.3.131.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/4
description ---- to 4DSW1-GIG 1/0/9 ---
no switchport
ip address 10.4.141.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/5
description ---- to 5DSW1-GIG 1/0/9 ---
no switchport
ip address 10.5.151.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/6
description ---- to 6DSW1-GIG 1/0/9 ---
no switchport
ip address 10.6.161.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/7
no switchport
no ip address
speed 100

duplex full
!
interface FastEthernet2/8
no switchport
no ip address
speed 100
duplex full
!
interface FastEthernet2/9
!
interface FastEthernet2/10
!
interface FastEthernet2/11
!
interface FastEthernet2/12
!
interface FastEthernet2/13
!
interface FastEthernet2/14
!
interface FastEthernet2/15
!
interface FastEthernet2/16
!
interface FastEthernet2/17
!
interface FastEthernet2/18
!
interface FastEthernet2/19
!
interface FastEthernet2/20
!
interface FastEthernet2/21
!
interface FastEthernet2/22
!
interface FastEthernet2/23
description BBSW1 0/23-24 -- BBSW2 0/23-24
no switchport
ip address 172.16.201.201 255.255.255.0

!
interface FastEthernet2/24
switchport mode access
!
interface FastEthernet2/25
description ---- to 1DSW2-GIG 1/0/10 ---
no switchport
ip address 10.1.112.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/26
description ---- to 2DSW2-GIG 1/0/10 ---
no switchport
ip address 10.2.122.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/27
description ---- to 3DSW2-GIG 1/0/10 ---
no switchport
ip address 10.3.132.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/28
description ---- to 4DSW2-GIG 1/0/10 ---
no switchport
ip address 10.4.142.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/29
description ---- to 5DSW2-GIG 1/0/10 ---
no switchport
ip address 10.5.152.101 255.255.255.0

ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/30
description ---- to 6DSW2-GIG 1/0/10 ---
no switchport
ip address 10.6.162.101 255.255.255.0
ip pim sparse-mode
speed 100
duplex full
!
interface FastEthernet2/31
!
interface FastEthernet2/32
!
interface FastEthernet2/33
!
interface FastEthernet2/34
!
interface FastEthernet2/35
!
interface FastEthernet2/36
!
interface FastEthernet2/37
!
interface FastEthernet2/38
!
interface FastEthernet2/39
!
interface FastEthernet2/40
!
interface FastEthernet2/41
!
interface FastEthernet2/42
!
interface FastEthernet2/43
!
interface FastEthernet2/44
!

interface FastEthernet2/45
!
interface FastEthernet2/46
!
interface FastEthernet2/47
!
interface FastEthernet2/48
switchport access vlan 100
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.7.255.255
network 172.16.0.0
network 192.168.0.0 0.0.255.255
no auto-summary
!
router rip
network 172.16.0.0
!
no ip http server
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
stopbits 1
line vty 0 4
password cisco
login
!
no ip domain-lookup
enable secret san-fran
!
end
