
Scenario6_WirelessLAN_V1.2.pptx
Scenario 6 – Wireless LAN

[Network diagram. Devices: Malvern, Geelong and ISP routers; MalvernA and MalvernB switches; MWRS1 wireless router; PC1 (VLAN101), PC2 (VLAN201), PC3W (wireless LAN). Labels: OSPF 65 Area 0; internal serial link; Geelong Loopback 1 Server LAN (Database Server); Corporate Network Address 135.40.0.0/21; ISP Link Network Address 221.1.1.0/30; External Web Site 45.20.5.5 255.255.255.255; 'The Internet' 180.0.0.1/32; Fa 0/0 trunk for inter-VLAN routing; Fa 0/1 trunk between the switches; Fa 0/9 (VLAN1) to the wireless router's Internet port.]

Note: The Scenario should be started in the Lab using the Lab Kits.

1
Scenario 6 -Tasks
1. Bypass Startup Configuration
a) On each router ensure router config-register is set to 0x2142: router(config)# config-register 0x2142
b) To check the configuration register setting, use – show version
c) Why would you do this ? - refer page 16

2. Do not configure enable passwords OR line console passwords on routers and switches, unless specified by the task

3. VLSM Design
a) Design an internal IP VLSM addressing scheme with:
– VLAN 101 Plumbing: 600 hosts
– VLAN 201 Electrical: 240 hosts
– VLAN 1: 6 hosts
– Wireless LAN: 100 hosts
– Internal serial: 2 hosts
– Geelong Server LAN loopback 1: 20 hosts
– Geelong OSPF loopback0: 2 hosts
– Malvern OSPF loopback0: 2 hosts
b) Document assignment of ip addresses to router interfaces and PC Hosts
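
One possible allocation for the VLSM task above, as an added example that is not part of the original slides. It assumes the 135.40.0.0/21 Corporate Network Address on the diagram is the internal block; the requirement names are shortened and the largest-first ordering is a design choice, not a requirement of the scenario.

```python
import ipaddress

# Host requirements from task 3 (names shortened); list order breaks ties between equal sizes
REQUIREMENTS = [
    ("VLAN 101 Plumbing", 600), ("VLAN 201 Electrical", 240), ("VLAN 1", 6),
    ("Wireless LAN", 100), ("Internal serial", 2), ("Geelong Server LAN lo1", 20),
    ("Geelong OSPF lo0", 2), ("Malvern OSPF lo0", 2),
]

def vlsm(block, requirements):
    """Allocate subnets largest-first from block.

    Returns {name: (network, wildcard)}; the wildcard is what OSPF network
    statements and ACL entries take instead of the subnet mask.
    """
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        # Smallest power of two that holds the hosts plus network and broadcast
        host_bits = (hosts + 1).bit_length()
        size = 1 << host_bits
        cursor = (cursor + size - 1) // size * size   # align to the subnet size
        if cursor + size > end:
            raise ValueError(f"{block} is too small for {name}")
        net = ipaddress.ip_network((cursor, 32 - host_bits))
        plan[name] = (net, net.hostmask)
        cursor += size
    return plan

if __name__ == "__main__":
    for name, (net, wildcard) in vlsm("135.40.0.0/21", REQUIREMENTS).items():
        print(f"{name:24} {net!s:18} mask {net.netmask}  wildcard {wildcard}")
```
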

4. Cable Connection
a) Connect Malvern router Fa 0/0 to MalvernA switch port Fa 0/2
b) Check routers are connected via serial link
c) Connect a PC to MalvernA Switch Fa 0/3 and to MalvernB Switch Fa0/6 switch ports
d) Do Not connect switches at this stage

5. Line Console Configuration


Configure the line console on each router and switch, as shown below:
line console 0
logging synchronous
exec-timeout 0 0

6. Message of the Day (MOTD) Configuration


Configure a MOTD, recording your name and student id, only on the Malvern router, as shown below:
banner motd &
Welcome to Malvern
<Your Family Name>
<Your Student Id>
&
2
Scenario 6 -Tasks
7. VTP (VLAN Trunking Protocol) Switch Configuration
a) Refer LabC3 4-1_4.4.1 Basic VTP Configuration P161, LabC3 3-1_3.5.1 Basic VLAN Configuration P121
b) Delete the vlan.dat file to remove old VLANs from the switches, use - delete vlan.dat
c) Ensure the switches are NOT physically connected to each other
d) Configure switch MalvernA as VTP Server and switch MalvernB as VTP Client, with domain trade, password cisco
e) Configure only VLANs 101 Plumbing and 201 Electrical on switch MalvernA
f) Configure Fa 0/1 as trunk port on each switch, then connect the switches, the VLAN details should now be passed from MalvernA to MalvernB
g) Configure Fa0/2 on switch MalvernA as a trunk port to Malvern router

8. Trouble Shooting VTP


a) To check VTP status of switch, use - show vtp status
b) To check VLANs created or passed to switch MalvernB use – show vlan brief
c) Problems ? – check password, domain name, vtp mode on each switch

9. Switch Configuration
a) Refer LabC3 2-1_2.5.1 Basic Switch configuration P63
e) Assign ports: VLAN 101 3-5, VLAN 201 6-8, please ensure ports from 9 onwards are left in VLAN1 for use by CCNA1\2 students
f) Assign Interface VLAN1 an IP address for management purposes
g) Set Port Security mac address sticky on ports 3 to 5, max 1, with violation shutdown
h) Set a static mac address on Fa 0/6 to the MAC address of PC2

10. Trouble Shooting Port Security


To check port security is enabled, use - show port-security

11. Network IP Address Configuration


a) Configure the router interfaces and loopbacks with ip addresses
b) Malvern Router
i) Refer LabC3 6-1_6.4.1 Basic Inter-VLAN Routing P249
ii) Configure Inter-VLAN routing on Fa 0/0
– Create separate sub-interface for VLANs 1, 101 and 201
– Assign each sub-interface with an ip address
c) Configure PC1 and PC2 Hosts with specified VLAN
i) IP address and subnet mask.
ii) Default Gateway IP address.

3
Scenario 6 -Tasks

12. Trouble Shooting Point-to-Point Single Link Testing


a) This test is to check that each individual link in the network is working.
b) Ping (command) – ensure you can ping from one end of each link to the other:
– PC to Router in same subnet/VLAN/network.
– PC to PC in same subnet/VLAN/network.
– Router to each direct neighbour Router over a serial link.
c) Link NOT working ? - Common problems:
– Physical connection not made.
– The clock rate is not configured on DCE interface of a serial link.
– An incorrect IP address or subnet mask is configured on one interface of a link
– The interface is shutdown.

13. Trouble Shooting Inter-VLAN Routing Test


a) This test is to check Inter-VLAN routing is working
b) Ping PC1 – VLAN101 to PC2 – VLAN201

14. Routing Protocol Configuration


Configure the Routing Protocol on the Routers:
a) Malvern
– OSPF, advertise each subnet separately using wildcards
b) Geelong
– OSPF, do not advertise the external network address
– Configure default route to ISP Router
– Redistribute default route to Malvern Router
c) ISP Router
– Configure a static route (at default class level) to your internal network

4
Scenario 6 -Tasks

15. Trouble Shooting OSPF Neighbor Adjacency


a) Verify that the routers have formed an adjacency with each other, use - show ip ospf neighbor
b) Adjacency NOT Formed ? - If an adjacency has not formed it could be due to:
i) subnet masks on each end of link do not match
ii) the directly connected network is not included in the network statements
c) Other trouble shooting commands: show ip protocols, show ip ospf, show ip ospf interface

16. Trouble Shooting End-to-End Path Testing


a) This test is to check that the routing - static and dynamic, is working.
b) Ping from PC Hosts in VLAN101 and VLAN201 to External Web Server
c) Use traceroute to pin point problems.
d) Check if a subnet is missing from a routing table, use - show ip route
e) End-to-End Path Test Failed ? - Common problems:
– Default gateway IP address not configured on a PC.
– PC connected to incorrect interface.
– Incorrect static route on ISP
– Subnet missing from routing table

17. Wireless Router Configuration


a) Refer to page 9 and LabC3 7-1_7.5.1 Basic Wireless Configuration P291
b) On MWRS1 Wireless Router configure:
i) Internet Port with VLAN 1 IP address
ii) SSID as W<student id>
iii) DHCP to provide addresses for Wireless LAN PCs
iv) allow inbound ping requests
c) Connect a straight through UTP cable between MalvernB Switch Fa 0/9 (port in VLAN1) and Internet Port on Wireless Router

5
Scenario 6 -Tasks
18. Telnet Access to Routers
a) Configure line vty with password cisco and login, so you can connect to each router via Telnet
b) This allows you to test your ACLs. NO enable password is required as you are NOT configuring the router

19. Access List Requirements


a) Refer LabC4 5-1_5.5.1 Basic Access Control Lists
b) You must create NAMED Standard and Extended ACLs based on following requirements:
– PCs in VLAN 101 permitted HTTP access to External Web Server and denied ALL other access to External Web Server
– PCs in VLAN 201 permitted PING access to External Web Server and denied ALL other access to External Web Server
– PCs in VLAN 201 permitted HTTP access to Database Server and denied ALL other access to Database Server
– PCs in VLAN 101 permitted PING access to Database Server and denied ALL other access to Database Server
– PCs in VLAN 201 permitted PING access to PCs in VLAN 101
– PCs in VLAN 101 denied PING access to PCs in VLAN 201
– Only PCs in VLAN 201 permitted TELNET access to router Malvern
– Only PCs in VLAN 101 permitted TELNET access to router Geelong
– Access to the Internet:
• All PCs have ALL access to “The Internet” which represents the rest of world.
• Access to the “The Internet” should be permitted by using: permit ip any any
– Note: ALL means IP, PING means ICMP

6
Scenario 6 - Tasks
20. Creating and Configuring NAMED Access Lists
a) Refer LabC4 5-1_5.5.1 Basic Access Control Lists
b) Identify each requirement, then create an ACL rule for each requirement.
c) Create a NAMED access list, considering the ordering of the rules, using Notepad with the following structure:

! Deletes previous version of access list
no ip access-list extended ACLVLAN<Id>
! Insert latest version of access list
ip access-list extended ACLVLAN<Id>

ACL rules

! For most situations this should be the last rule, i.e. permit all other access to “The Internet”
permit ip any any

d) Combine ACL rules as required to form your access list, carefully consider the order in which the rules should be arranged.
e) Paste ACL from Notepad into router (router must be in global configuration mode)
f) Place ACL on correct interface

21. Trouble Shooting Access Lists


It is important to verify that the ACLs actually work as intended; follow the steps below:
1. show access-lists
   If all rules have been tested, go to 5
   Otherwise, identify which rule you want to test
2. clear access-list counters
   Clears any counts against the ACL rules
3. Go to a PC in VLAN<Id> and perform a test (e.g. ping, telnet, IE Browser) to trigger a match with the identified rule
4. show access-lists
   Was the identified rule matched?
   • Yes - repeat the process, go to 1
   • No – debug
     – Was another rule matched?
     – Were no rules matched?
     – Check syntax and order of rules – make changes – repeat the process, go to 1
5. Trouble Shooting completed

7
Scenario 6 - Submission and Completion

1. Scenarios can be completed individually or as a group

2. If a scenario is completed as a group, each member of the group must make a separate submission via Blackboard

3. Scenarios should be started in the lab using the lab kits. The Lab 477B-107 is a Packet Tracer free zone.

4. If you do not complete the scenario in the lab, you can take the configurations and complete the scenario using NetLab or Packet Tracer

5. Submission

Submit ONE file ONLY (each member of a group must make a separate submission) via Blackboard by Sunday 11.55pm 3/10/2010
(Please ensure you are using the Internet Explorer Browser when you are submitting !)
Two options:
a) Configuration details (as one text file: s<Student Id>.txt)
i) Routers - show run, show ip route, show ip interface brief, show access-lists
ii) Switches – show run, show vlan, show port-security, show vtp status
b) Packet Tracer V5.3 file as s<Student Id>.pkt
Note: No submissions will be accepted by email. You can only submit once.

8
How to Set up a Wireless Router

• First Configure your Wireless Router


– Refer LabC3 7-1_7.5.1 Basic Wireless Configuration .
– Use W< student id > as the SSID.

• How to Associate with the wireless network via REAL Host


– Association with the wireless network is made via real host
– Once the wireless is connected, you will see a gold star and Not Connected. This means Connected but no IP address has been configured.
– The host often enables 802.1x mode, which is not appropriate for WEP. If you get an error about not having a certificate, then turn 802.1x off.

* Look for the wireless tray icon – bottom right


* Right click
* Select View Available Wireless Networks
* Select Change Advanced Settings
* Select Wireless Networks
* Select your network from the list
* Click Properties
* Select Authentication
* Turn off 802.1x
* Select Association
* Turn off The key is provided for me automatically
* Enter the network key
* OK
* OK

• How to connect to wireless network via VIRTUAL Host

– The interface Network Adapter 2 / Virtual Area Network is used to connect to the wireless network.
– Set Network Adapter 2 to obtain an IP address via DHCP
– Disable the other Network Adapter

9
ACL Templates

ACL for VLAN <Id> on <Router>

The Access List – Extended Named

ip access-list extended ACLVLAN<Id>


! Only permit HTTP access to External Web Server
permit tcp <source subnet> <wildcard> host <ip address> eq www
! Deny ALL other access to the External Web Server
deny ip <source subnet> <wildcard> host <ip address>
! Only permit PING access to Database Server
permit icmp <source subnet> <wildcard> host <ip address>
! Deny ALL other access to the Database Server
deny ip <source subnet> <wildcard> host <ip address>
! Permit echo-reply to any ping
permit icmp any any echo-reply
! Deny ping access to VLAN <Id>
deny icmp <source subnet> <wildcard> <destination subnet> <wildcard>
! Permit access to The Internet
permit ip any any

Interface Placement, fa 0/0.<Vlan Id> on <Router>

interface fa 0/0.<Vlan Id>


ip access-group ACLVLAN<Id> in
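
Why the order of the template's rules matters, shown as an added example that is not part of the original slides: a small first-match evaluator with IOS-style wildcard matching, run over the template filled in for VLAN 101. The subnets, the Database Server address and the PC addresses are constructed assumptions; only 45.20.5.5 comes from the diagram.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr_match(addr, spec):
    # spec is "any" or (base, wildcard); wildcard 1-bits are ignored, as in IOS
    if spec == "any":
        return True
    base, wildcard = spec
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """Return (action, rule number) of the first match; ("deny", 0) is the implicit deny."""
    for n, (action, proto, src, dst, qual) in enumerate(acl, start=1):
        if proto not in ("ip", pkt["proto"]):
            continue                      # "ip" covers tcp, udp and icmp
        if not (addr_match(pkt["src"], src) and addr_match(pkt["dst"], dst)):
            continue
        if qual is not None and qual != pkt["qual"]:
            continue                      # tcp destination port or icmp type
        return action, n
    return "deny", 0

def pkt(proto, src, dst, qual):
    return {"proto": proto, "src": src, "dst": dst, "qual": qual}

# Constructed addressing (assumed); only the web server address is on the diagram
V101, V201 = ("135.40.0.0", "0.0.3.255"), ("135.40.4.0", "0.0.0.255")
WEB, DB = ("45.20.5.5", "0.0.0.0"), ("135.40.5.130", "0.0.0.0")
PC1, PC2 = "135.40.0.10", "135.40.4.10"

ACLVLAN101 = [                            # template order, inbound on fa 0/0.101
    ("permit", "tcp",  V101,  WEB,   "www"),
    ("deny",   "ip",   V101,  WEB,   None),
    ("permit", "icmp", V101,  DB,    None),
    ("deny",   "ip",   V101,  DB,    None),
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("deny",   "icmp", V101,  V201,  None),
    ("permit", "ip",   "any", "any", None),
]
# Same rules with the echo-reply permit moved below the VLAN 201 deny
SWAPPED = ACLVLAN101[:4] + [ACLVLAN101[5], ACLVLAN101[4], ACLVLAN101[6]]

if __name__ == "__main__":
    reply = pkt("icmp", PC1, PC2, "echo-reply")    # PC1 answering a ping from PC2
    print(evaluate(ACLVLAN101, reply), evaluate(SWAPPED, reply))
```

With the template order, PC1's echo-reply to PC2 matches rule 5 and VLAN 201 can ping VLAN 101; with the two ICMP rules swapped, the same reply hits the deny and the ping from VLAN 201 fails even though no rule mentions it.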

10
ACL Templates
ACL for Telnet Access on Routers

The Access List – Standard Named

ip access-list standard ACLTelnet


! Permit VLAN<Id> Telnet Access to Router
permit <source subnet> <wildcard>
deny any

Interface Placement, line vty 0 4, on Routers

line vty 0 4
password cisco
login
access-class ACLTelnet in

11
Inter-VLAN Routing Configuration

• Configure on the Router

interface fa 0/0
description The Physical Interface
no shutdown

interface fa 0/0.<vlan id>
! A logical sub-interface
description VLAN <vlan Id> <vlan name>
encapsulation dot1q <vlan id>
ip address <dotted decimal> <subnet mask>

12
Switch Configuration
• Configure VLANS
vlan 101
name Plumbing
vlan 201
name Electrical

• Configure VTP – VLAN Trunking Protocol:

vtp version 2
vtp mode client (or server)
vtp domain trade
vtp password cisco

13
Switch Configuration
• Configure a switch port (or range of switch ports):

interface fa 0/3 (or interface range fa 0/3 - 6)
switchport access vlan <number> (assigns port to a vlan)
switchport mode access (sets port to access, for PCs)
OR
switchport mode trunk (sets port to trunk, for connection to a router or switch)
switchport port-security (turns security on)
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation shutdown (default when security is turned on)
OR
switchport port-security violation protect

14
Switch Commands
Managing the MAC Address Table

• show mac address-table (displays entries in table)

• show mac address-table dynamic (displays only dynamic entries in table)

• clear mac address-table (deletes all entries from table)

• clear mac address-table dynamic (deletes only dynamic entries from table)

15
Bypassing the startup-configuration on boot up
I would ask all students to change the configuration register on each router via:

router(config)# config-register 0x2142


Example:

! Router configured with hostname Melb
! To change the router's register so that it bypasses the startup-config
Melb# config t
Melb(config)# config-register 0x2142
Melb(config)# end
! To check that the register will be changed
Melb# show version
! When you turn off the router, the next time it is turned on it will bypass the startup-config and will boot up un-configured, e.g.
router>
! To reload the startup-config from NVRAM, if you DO want to use it
router> enable
router# copy startup-config running-config
Melb#

! Changing the config register will ensure that from then on the router will bypass the startup-configuration on boot up.

! This means you will not have to first erase someone else's config or do a password recovery, saving time and hassle.

! However you can still get the startup configuration if you want to use it.

16
