Custom Lab 1 - L2 Tasks

The tasks below are the first tasks that should be performed for the lab files I’ve included in my earlier post.

Custom Lab

Task 1.1:

  • Ensure all routers can reach their neighbors.
  • Prevent data from reaching unintended routers as much as possible
  • Shut down unused ports

Points: 2

The actual verification of this task is dependent on other tasks.

SW25:
interface g 1/2
 description R1 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 13,125
interface g 1/3
 description R2 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 12,225
interface g 2/0
 description R3 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 13,325,37
interface g 2/1
 description R4 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 24,421,425
interface g 2/2
 description R5 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 35
interface g 2/3
 description R6 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 56
interface g 3/0
 description R7 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 277
interface g 3/1
 description R8 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 89,278
interface g 3/2
 description R9 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 78,89
interface g 3/3
 description R10 and R21 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1012,421

SW26:
interface g 1/2
 description R1 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 12,19,119
interface g 1/3
 description R2 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 24,213
interface g 2/0
 description R3 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 34,35,320
interface g 2/1
 description R4 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 34,412
interface g 2/2
 description R11 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1112
interface g 2/3
 description R12 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1215,1112,1012
interface g 3/0
 description R13 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1213,1318
interface g 3/1
 description R14 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1214,1417
interface g 3/2
 description R15 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1516,1517
interface g 3/3
 description R16 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1516,1626

SW27:
interface g 1/2
 description R5 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 56
interface g 1/3
 description R6 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 276
interface g 2/0
 description R7 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 37,78
interface g 2/1
 description R8 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 819
interface g 2/2
 description R9 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 19,918
interface g 2/3
 description R10 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
 shutdown
interface g 3/0
 description R17 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1417,1726
interface g 3/1
 description R18 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1318
interface g 3/2
 description R19 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 819
interface g 3/3
 description R20 G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 320

SW28:
interface g 1/2
 description R11 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
 shutdown
interface g 1/3
 description R12 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1213,1214,412
interface g 2/0
 description R13 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 213
interface g 2/1
 description R14 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1416
interface g 2/2
 description R15 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1215
interface g 2/3
 description R16 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1416,1617
interface g 3/0
 description R17 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1517,1617
interface g 3/1
 description R18 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 918
interface g 3/2
 description R19 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 119
interface g 3/3
 description R20 and R21 G0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
 shutdown
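
A way to check a switch configuration against the Task 1.1 requirements before applying it, as an added example that is not part of the original lab files. The sample config is constructed, and `parse_interfaces` and `audit_trunks` are hypothetical helper names.

```python
# Constructed sample in the style of the SW27 block above; g 2/3 is
# deliberately missing its "shutdown" and g 3/0 its allowed-VLAN list.
SAMPLE = """\
interface g 1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 56
interface g 2/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
interface g 3/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def parse_interfaces(config):
    """Split an IOS config into {interface name: [sub-commands]}."""
    ports, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped[len("interface "):]
            ports[current] = []
        elif current and stripped:
            ports[current].append(stripped)
    return ports

def audit_trunks(config):
    """Return a sorted list of (interface, finding) for Task 1.1 violations."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue
        allowed = [c.split()[-1] for c in cmds
                   if c.startswith("switchport trunk allowed vlan ")]
        if not allowed:
            # No explicit list means the trunk carries every VLAN.
            findings.append((name, "no allowed-VLAN list"))
        elif allowed[-1] == "1" and "shutdown" not in cmds:
            # The page parks unused ports on VLAN 1 and shuts them down.
            findings.append((name, "unused port not shut down"))
    return sorted(findings)

if __name__ == "__main__":
    for port, issue in audit_trunks(SAMPLE):
        print(f"{port}: {issue}")
```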

Task 1.2

  • Ensure that all ports connected to routers will never cause MAC address flushes
  • Make sure routers will never receive BPDUs

Points: 2

SW25-28:
interface g 1/2
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 1/3
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 2/0
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 2/1
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 2/2
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 2/3
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 3/0
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 3/1
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 3/2
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
interface g 3/3
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable

Verification:

SW25#show spanning-tree interface g 1/3 portfast 
MST0                enabled
MST1                enabled
MST2                enabled

If you do this verification immediately after configuration, you might only get VLAN 1 here.

SW25#show spanning-tree interface g 1/3 det
 Port 8 (GigabitEthernet1/3) of MST0 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.8.
   Designated root has priority 32768, address 5000.0019.0000
   Designated bridge has priority 32768, address 5000.0019.0000
   Designated port id is 128.8, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by portfast trunk configuration
   Link type is shared by default, Internal
   Bpdu filter is enabled
   BPDU: sent 0, received 0

 Port 8 (GigabitEthernet1/3) of MST1 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.8.
   Designated root has priority 24577, address 5000.001a.0000
   Designated bridge has priority 32769, address 5000.0019.0000
   Designated port id is 128.8, designated path cost 10000
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by portfast trunk configuration
   Link type is shared by default, Internal
   Bpdu filter is enabled
   BPDU: sent 0, received 0

 Port 8 (GigabitEthernet1/3) of MST2 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.8.
   Designated root has priority 24578, address 5000.001b.0000
   Designated bridge has priority 32770, address 5000.0019.0000
   Designated port id is 128.8, designated path cost 10000
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by portfast trunk configuration
   Link type is shared by default, Internal
   Bpdu filter is enabled
   BPDU: sent 0, received 0

Pay particular attention to the last two lines of each block, which should read:

   Bpdu filter is enabled
   BPDU: sent 0, received 0

Task 1.3

  • VLANs can only be created on SW27
  • Network admins that don’t have the password should not be able to create any new VLANs
  • Use password Cisc0

Points: 1

SW25,SW26,SW28:
vtp version 3
vtp mode server
vtp domain CCIE
vtp password Cisc0 hidden

</details>

## Task 1.4

- Configure Spanning-Tree as follows:
  - All redundant links between switches need to appear as single links
    - Optimize convergence for these links
  - Use a standards-based protocol for all configurations in this task when possible
  - Ensure that all VLANs can traverse all links between the switches (unless blocked by STP)
  - Configuration of Spanning-Tree must be automatically distributed between switches. Only SW25 can be used to configure STP

Points: 3

<details>
	<summary><b>Task 1.4 solution</b></summary>

SW25:
interface range g0/0-1
 channel-group 1 mode active
interface range g0/2-3
 channel-group 2 mode active
interface range g1/0-1
 channel-group 3 mode active
interface range po1,po2,po3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree link-type point-to-point
!
vtp mode server mst
spanning-tree mst configuration
 name CCIE
 revision 10
 instance 1 vlan 1,13,19,35,37,89,119,125,213,225,277,325,421,425,819,1213,1215,1417,1517,1617
 instance 2 vlan 12,24,34,56,78,100,200,276,278,300,320,412,918,1012,1112,1214,1318,1416,1516,1626,1726
!
 exit
spanning-tree mode mst

SW26:
interface range g0/0-1
 channel-group 1 mode active
interface range g0/2-3
 channel-group 2 mode active
interface range g1/0-1
 channel-group 3 mode active
interface range po1,po2,po3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree link-type point-to-point
!
vtp mode client mst

SW27:
interface range g0/0-1
 channel-group 1 mode active
interface range g0/2-3
 channel-group 2 mode active
interface range g1/0-1
 channel-group 3 mode active
interface range po1,po2,po3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree link-type point-to-point
!
vtp mode client mst

SW28:
interface range g0/0-1
 channel-group 1 mode active
interface range g0/2-3
 channel-group 2 mode active
interface range g1/0-1
 channel-group 3 mode active
interface range po1,po2,po3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree link-type point-to-point
!
vtp mode client mst

</details>

## Task 1.5

- Traffic for all even VLANs from SW25 to SW28 must traverse SW27
- Traffic for all odd VLANs from SW25 to SW28 must traverse SW26
- Ensure that if either of these switches fails the traffic between SW25 and SW28 will still not use their direct links
- When the Spanning-Tree root bridge changes, ensure all switches report this in their logs

Points: 2

<details>
	<summary><b>Task 1.5 solution</b></summary>

SW26:
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
spanning-tree logging

SW27:
spanning-tree mst 2 root primary
spanning-tree mst 1 root secondary
spanning-tree logging

SW25,SW28:
spanning-tree logging

</details>

## Task 1.6

- Create PPPoE sessions between R12 and routers 10, 11, 14 and 15
- Authenticate the PPPoE session between R12 and R14 and R15 using a protocol that will never send a password over the line
- Authenticate the PPPoE session between R12 and R10 and R11 using a protocol that does send the password over the line
- Use Cisc0 as password for both authentications
- You must use only one 'username' command on R12

Points: 3

<details>
	<summary><b>Task 1.6 solution</b></summary>

R12:
username PPPoE password Cisc0
!
interface g0/0.1012
 no ip address
 pppoe enable group R10
interface g0/0.1112
 no ip address
 pppoe enable group R11
interface g0/0.1215
 no ip address
 pppoe enable group R15
interface g0/1.1214
 no ip address
 pppoe enable group R14
bba-group pppoe R10
 virtual-template 10
interface virtual-template 10
 ip address 192.10.12.12 255.255.255.0
 mtu 1492
 ppp authentication pap
bba-group pppoe R11
 virtual-template 11
interface virtual-template 11
 ip address 192.11.12.12 255.255.255.0
 mtu 1492
 ppp authentication pap
bba-group pppoe R14
 virtual-template 14
interface virtual-template 14
 ip address 192.12.14.12 255.255.255.0
 mtu 1492
 ppp authentication chap
bba-group pppoe R15
 virtual-template 15
interface virtual-template 15
 ip address 192.12.15.12 255.255.255.0
 mtu 1492
 ppp authentication chap

R10:
interface g0/1.1012
 pppoe-client dial-pool-number 1
 no ip address
interface Dialer 1
 encap ppp
 ip address 192.10.12.10 255.255.255.0
 dialer pool 1
 mtu 1492
 ppp pap sent-username PPPoE password Cisc0

R11:
interface g0/0.1112
 pppoe-client dial-pool-number 1
 no ip address
interface Dialer 1
 encap ppp
 ip address 192.11.12.11 255.255.255.0
 dialer pool 1
 mtu 1492
 ppp pap sent-username PPPoE password Cisc0

R14:
interface g0/0.1214
 pppoe-client dial-pool-number 1
 no ip address
interface Dialer 1
 encap ppp
 ip address 192.12.14.14 255.255.255.0
 dialer pool 1
 mtu 1492
 ppp chap hostname PPPoE
 ppp chap password Cisc0

R15:
interface g0/1.1215
 pppoe-client dial-pool-number 1
 no ip address
interface Dialer 1
 encap ppp
 ip address 192.12.15.15 255.255.255.0
 dialer pool 1
 mtu 1492
 ppp chap hostname PPPoE
 ppp chap password Cisc0

</details>
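
Why Task 1.6 pairs PAP with "does send the password" and CHAP with "never sends a password": the sketch below builds the PAP Authenticate-Request (RFC 1334) and a CHAP challenge/response (RFC 1994) for the task's credentials. It is an added example, not taken from the lab; the challenge name `R12` and the function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

USERNAME, PASSWORD = b"PPPoE", b"Cisc0"   # credentials from the task

def pap_request(ident, user, password):
    """PAP Authenticate-Request (RFC 1334): code 1, both fields in clear."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_packet(code, ident, value, name):
    """CHAP Challenge (code 1) or Response (code 2) per RFC 1994."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_digest(ident, secret, challenge):
    """Response value: MD5 over identifier, shared secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_exchange(secret_client, secret_server, challenge=None):
    """Run one challenge/response; return (wire bytes seen, accepted)."""
    ident = 1
    challenge = challenge or os.urandom(16)
    # Authenticator (R12) -> client (R14/R15); name "R12" is assumed.
    chal_pkt = chap_packet(1, ident, challenge, b"R12")
    # Client -> authenticator: only the digest and the hostname travel.
    resp_pkt = chap_packet(2, ident,
                           chap_digest(ident, secret_client, challenge),
                           USERNAME)
    # Authenticator recomputes the digest from its local 'username' entry.
    expected = chap_digest(ident, secret_server, challenge)
    received = resp_pkt[5:5 + resp_pkt[4]]
    return chal_pkt + resp_pkt, hmac.compare_digest(received, expected)

if __name__ == "__main__":
    print("PAP  wire:", pap_request(1, USERNAME, PASSWORD))
    wire, ok = chap_exchange(PASSWORD, PASSWORD)
    print("CHAP wire contains password:", PASSWORD in wire, "accepted:", ok)
```

With PAP the password is readable by anything that can see VLANs 1012 and 1112, so the trunk pruning from Task 1.1 is what bounds its exposure.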