
Switch(config)# hostname S1
S1(config)#

d. Configure password encryption.
S1(config)# service password-encryption
S1(config)#

e. Assign class as the secret password for privileged EXEC mode access.
S1(config)# enable secret class
S1(config)#

f. Prevent unwanted DNS lookups.
S1(config)# no ip domain-lookup
S1(config)#

g. Configure a MOTD banner.
S1(config)# banner motd #
Enter Text message. End with the character #.
Unauthorized access is strictly prohibited. #

S1# configure terminal
S1(config)# vlan 99
S1(config-vlan)# exit
S1(config)# interface vlan99
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)#

S1(config)# interface range f0/1 - 24,g0/1 - 2
S1(config-if-range)# switchport access vlan 99
S1(config-if-range)# exit
S1(config)# ip default-gateway 192.168.1.1
S1(config)# line con 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# logging synchronous
S1(config-line)# exit
S1(config)#

o. Configure the virtual terminal (vty) lines for the switch to allow Telnet access. If you do not configure a vty password, you are unable to telnet to the switch.
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# end

S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#

i. Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end

S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end

S1(config)# ip domain-name CCNA-Lab.com

b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin

c. Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
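
The lab configures the vty lines twice: first for Telnet with a shared line password, then for SSH only with the local user database. The following added example (not part of the original lab) checks a saved configuration for the second, hardened form; the function name audit_vty and both sample configurations are constructed for illustration and assume running-config style text with indented sub-commands.

```python
import re

# Constructed samples modelled on the lab's two vty setups (not device output).
TELNET_VTY = """\
enable secret class
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login
"""
SSH_VTY = """\
enable secret class
ip domain-name CCNA-Lab.com
username admin privilege 15 secret sshadmin
line vty 0 15
 transport input ssh
 login local
"""

# A 'line vty ...' header followed by its indented sub-commands.
VTY_BLOCK = re.compile(r"^(line vty[^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", re.M)

def audit_vty(config):
    """Return findings for vty lines that are not SSH-only with local users."""
    findings = []
    has_user = re.search(r"^username \S+ .*\bsecret\b", config, re.M) is not None
    for header, body in VTY_BLOCK.findall(config):
        cmds = [c.strip() for c in body.splitlines()]
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: no explicit 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"{header}: not using 'login local'")
        elif not has_user:
            findings.append(f"{header}: 'login local' but no username/secret entry")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{header}: shared line password present")
    return findings

if __name__ == "__main__":
    for name, cfg in (("telnet", TELNET_VTY), ("ssh", SSH_VTY)):
        print(name, audit_vty(cfg) or "ok")
```

The Telnet-style block produces three findings and the SSH-only block none; removing the username line from the second sample triggers the missing-user finding, which on a real switch would leave the vty lines with no valid login.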

From the S1 CLI, enter interface configuration mode for the port that connects to R1.
S1(config)# interface f0/5

2) Shut down the port.
S1(config-if)# shutdown

3) Enable port security on F0/5.
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.

4) Configure a static entry for the MAC address of R1 G0/1 interface recorded in Step 2a.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.

5) Enable the switch port.
S1(config-if)# no shutdown
S1(config-if)# end
S1# show port-security interface f0/5

interface f0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,2,30
interface range f0/2-24
 switchport mode access
 shutdown
interface range f0/13-18
 switchport access vlan 20
interface range f0/19-24
 switchport access vlan 30
 shutdown

Turn off negotiation on S1.
S1(config)# interface f0/1
S1(config-if)# switchport nonegotiate

Disable trunking on S1 access ports.
S1(config)# interface range f0/2 - 5
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999

In addition to the blocked port, the only other active port on this switch is the port designated as the root port. Lower the cost of this root port to 1 by issuing the spanning-tree cost 1 interface configuration mode command.
S1(config)# interface f0/2
S1(config-if)# spanning-tree cost 18

Issue the no spanning-tree cost 1 interface configuration mode command to remove the cost statement that you created earlier.
S1(config)# interface f0/2
S1(config-if)# no spanning-tree cost 18

Switch S1
S1(config)# vlan 10
S1(config-vlan)# name User
S1(config-vlan)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)# interface f0/6
S1(config-if)# no shutdown
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# interface f0/1
S1(config-if)# no shutdown
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# interface f0/3
S1(config-if)# no shutdown
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# interface vlan 99
S1(config-if)# ip address 192.168.1.11 255.255.255.0
S1(config-if)# exit
S1(config)# spanning-tree vlan 1,10,99 root secondary
S1(config)# spanning-tree mode rapid-pvst
S1(config)# interface f0/6
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable

S2(config)# spanning-tree vlan 1,10,99 root primary
S2(config)# spanning-tree mode rapid-pvst

S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk native vlan 99
S3(config-if)# interface f0/3
S3(config-if)# no shutdown
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk native vlan 99
S3(config-if)# interface vlan 99
S3(config-if)# ip address 192.168.1.13 255.255.255.0
S3(config-if)# exit
S3(config)# spanning-tree mode rapid-pvst

a. Configure HSRP on R1.
R1(config)# interface g0/1
R1(config-if)# standby 1 ip 192.168.1.254
R1(config-if)# standby 1 priority 150
R1(config-if)# standby 1 preempt

b. Configure HSRP on R3.
R3(config)# interface g0/1
R3(config-if)# standby 1 ip 192.168.1.254

c. Verify HSRP by issuing

Configure PAgP
PAgP is a Cisco proprietary protocol for link aggregation. In Part 2, a link between S1 and S3 will be configured using PAgP.

Step 1: Configure PAgP on S1 and S3.
For a link between S1 and S3, configure the ports on S1 with PAgP desirable mode and the ports on S3 with PAgP auto mode. Enable the ports after PAgP modes have been configured.
S1(config)# interface range f0/3-4
S1(config-if-range)# channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
S1(config-if-range)# no shutdown

S3(config)# interface range f0/3-4
S3(config-if-range)# channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
S3(config-if-range)# no shutdown

Verify that the ports have been aggregated.
S1# show etherchannel summary

Configure trunk ports.
After the ports have been aggregated, commands applied at the port channel interface affect all the links that were bundled together. Manually configure the Po1 ports on S1 and S3 as trunk ports and assign them to native VLAN 99.
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99

S3(config)# interface port-channel 1
S3(config-if)# switchport mode trunk
S3(config-if)# switchport trunk native vlan 99

Configure LACP
LACP is an open source protocol for link aggregation developed by the IEEE. In Part 3, the link between S1 and S2, and the link between S2 and S3 will be configured using LACP. Also, the individual links will be configured as trunks before they are bundled together as EtherChannels.

Step 1: Configure LACP between S1 and S2.
S1(config)# interface range f0/1-2
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport trunk native vlan 99
S1(config-if-range)# channel-group 2 mode active
Creating a port-channel interface Port-channel 2
S1(config-if-range)# no shutdown

S2(config)# interface range f0/1-2
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport trunk native vlan 99
S2(config-if-range)# channel-group 2 mode passive
Creating a port-channel interface Port-channel 2
S2(config-if-range)# no shutdown

Configure LACP between S2 and S3.
a. Configure the link between S2 and S3 as Po3 and use LACP as the link aggregation protocol.
S2(config)# interface range f0/3-4
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport trunk native vlan 99
S2(config-if-range)# channel-group 3 mode active
Creating a port-channel interface Port-channel 3
S2(config-if-range)# no shutdown

S3(config)# interface range f0/1-2
S3(config-if-range)# switchport mode trunk
S3(config-if-range)# switchport trunk native vlan 99
S3(config-if-range)# channel-group 3 mode passive
Creating a port-channel interface Port-channel 3

Lab - Troubleshooting EtherChannel

Load switch configurations.
Load the following configurations into the appropriate switch. All switches have the same passwords. The privileged EXEC password is class. The password for console and vty access is cisco. As all switches are Cisco devices, the network administrator decided to use Cisco's PAgP on all port channels configured with EtherChannel. Switch S2 is the root bridge for all VLANs in the topology.

Switch S1 Configuration:
hostname S1
interface range f0/1-24, g0/1-2
 shutdown
 exit
enable secret class
no ip domain lookup
line vty 0 15
 password cisco
 login
line con 0
 password cisco
 logging synchronous
 login
 exit
vlan 10
 name User
vlan 99
 Name Management
interface range f0/1-2
 switchport mode trunk
 channel-group 1 mode active
 switchport trunk native vlan 99
 no shutdown
interface range f0/3-4
 channel-group 2 mode desirable
 switchport trunk native vlan 99
 no shutdown
interface f0/6
 switchport mode access
 switchport access vlan 10
 no shutdown
interface vlan 99
 ip address 192.168.1.11 255.255.255.0
interface port-channel 1
 switchport trunk native vlan 99
 switchport mode trunk
interface port-channel 2
 switchport trunk native vlan 99
 switchport mode access

Switch S2 Configuration:
hostname S2
interface range f0/1-24, g0/1-2
 shutdown
 exit
enable secret class
no ip domain lookup
line vty 0 15
 password cisco
 login
line con 0
 password cisco
 logging synchronous
 login
 exit
vlan 10
 name User
vlan 99
 name Management
spanning-tree vlan 1,10,99 root primary
interface range f0/1-2
 switchport mode trunk
 channel-group 1 mode desirable
 switchport trunk native vlan 99
 no shutdown
interface range f0/3-4
 switchport mode trunk
 channel-group 3 mode desirable
 switchport trunk native vlan 99
interface vlan 99
 ip address 192.168.1.12 255.255.255.0
interface port-channel 1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,99
interface port-channel 3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,99
 switchport mode trunk

Switch S3 Configuration:
hostname S3
interface range f0/1-24, g0/1-2
 shutdown
 exit
enable secret class
no ip domain lookup
line vty 0 15
 password cisco
 login
line con 0
 password cisco
 logging synchronous
 login
 exit
vlan 10
 name User
vlan 99
 name Management
interface range f0/1-2
interface range f0/3-4
 switchport mode trunk
 channel-group 3 mode desirable
 switchport trunk native vlan 99
 no shutdown
interface f0/18
 switchport mode access
 switchport access vlan 10
 no shutdown
interface vlan 99
 ip address 192.168.1.13 255.255.255.0
interface port-channel 3
 switchport trunk native vlan 99
 switchport mode trunk
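
The PAgP and LACP parts pair desirable with auto and active with passive, and the troubleshooting listings have to be checked against the same rule at both ends of every bundle. The following added example (not part of the original lab) compares the channel-group modes on each link; the cabling in LINKS is an assumption taken from the interface ranges used in the PAgP and LACP parts, and the function names are illustrative.

```python
import re
# Interface and channel-group lines excerpted from the three listings above.
CONFIGS = {
    "S1": "interface range f0/1-2\n channel-group 1 mode active\n"
          "interface range f0/3-4\n channel-group 2 mode desirable\n",
    "S2": "interface range f0/1-2\n channel-group 1 mode desirable\n"
          "interface range f0/3-4\n channel-group 3 mode desirable\n",
    "S3": "interface range f0/1-2\n"
          "interface range f0/3-4\n channel-group 3 mode desirable\n",
}
# Assumed cabling, following the PAgP and LACP parts of the lab.
LINKS = [("S1", "range f0/1-2", "S2", "range f0/1-2"),
         ("S1", "range f0/3-4", "S3", "range f0/3-4"),
         ("S2", "range f0/3-4", "S3", "range f0/1-2")]
PROTOCOL = {"desirable": "PAgP", "auto": "PAgP",
            "active": "LACP", "passive": "LACP", "on": "static"}

def channel_modes(config):
    """Map each interface stanza to its channel-group mode (None if absent)."""
    modes, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            modes[current] = None
        m = re.match(r"channel-group \d+ mode (\w+)$", line)
        if m and current:
            modes[current] = m.group(1)
    return modes

def check_link(a, b):
    """Return why two ends cannot form a bundle, or None if they can."""
    if a is None or b is None:
        return "one end has no channel-group"
    if PROTOCOL[a] != PROTOCOL[b]:
        return f"{a} ({PROTOCOL[a]}) cannot negotiate with {b} ({PROTOCOL[b]})"
    if a == b and a in ("auto", "passive"):
        return f"both ends {a}: neither side initiates"
    return None

def audit(configs, links=LINKS):
    """Return {link: problem} for every link whose ends are incompatible."""
    findings = {}
    for sw_a, if_a, sw_b, if_b in links:
        a = channel_modes(configs[sw_a]).get(if_a)
        b = channel_modes(configs[sw_b]).get(if_b)
        problem = check_link(a, b)
        if problem:
            findings[f"{sw_a} {if_a} to {sw_b} {if_b}"] = problem
    return findings
```

Channel-group numbers are locally significant, so the check compares only the negotiation mode; trunk and native VLAN settings on the port-channel interfaces still need a separate comparison.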

Configure EIGRP for R1.
R1(config)# router eigrp 1
R1(config-router)# network 192.168.0.0 0.0.0.255
R1(config-router)# network 192.168.1.0 0.0.0.255
R1(config-router)# network 192.168.2.252 0.0.0.3
R1(config-router)# no auto-summary

i. Configure EIGRP and a default route to the ISP on R2.
R2(config)# router eigrp 1
R2(config-router)# network 192.168.2.252 0.0.0.3
R2(config-router)# redistribute static
R2(config-router)# exit
R2(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.225

j. Configure a summary static route on ISP to reach the networks on the R1 and R2 routers.
ISP(config)# ip route 192.168.0.0 255.255.252.0 209.165.200.226

Appendix A - DHCP Configuration Commands

Lab - Configuring Basic DHCPv4 on a Router

Router R1
R1(config)# interface g0/0
R1(config-if)# ip helper-address 192.168.2.254
R1(config-if)# exit
R1(config-if)# interface g0/1
R1(config-if)# ip helper-address 192.168.2.254

Router R2
R2(config)# ip dhcp excluded-address 192.168.0.1 192.168.0.9
R2(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.9
R2(config)# ip dhcp pool R1G1
R2(dhcp-config)# network 192.168.1.0 255.255.255.0
R2(dhcp-config)# default-router 192.168.1.1
R2(dhcp-config)# dns-server 209.165.200.225
R2(dhcp-config)# domain-name ccna-lab.com
R2(dhcp-config)# lease 2
R2(dhcp-config)# exit
R2(config)# ip dhcp pool R1G0
R2(dhcp-config)# network 192.168.0.0 255.255.255.0
R2(dhcp-config)# default-router 192.168.0.1
R2(dhcp-config)# dns-server 209.165.200.225
R2(dhcp-config)# domain-name

Appendix A: Configuration Commands

Configure DHCPv4
S1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
S1(config)# ip dhcp pool DHCP1
S1(dhcp-config)# network 192.168.1.0 255.255.255.0
S1(dhcp-config)# default-router 192.168.1.1
S1(dhcp-config)# dns-server 192.168.1.9
S1(dhcp-config)# lease 3

Configure DHCPv4 for Multiple VLANs
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 2
S1(config)# ip dhcp excluded-address 192.168.2.1 192.168.2.10
S1(config)# ip dhcp pool DHCP2
S1(dhcp-config)# network 192.168.2.0 255.255.255.0
S1(dhcp-config)# default-router 192.168.2.1
S1(dhcp-config)# dns-server 192.168.2.9
S1(dhcp-config)# lease 3

Enable IP Routing
S1(config)# ip routing
S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.10
R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1
