Đây là bài tập lớn II của môn CCNP Switching. Thời gian làm bài: 3 giờ.
Bài tập Case study 2 cho môn học CCNP Switching
Bài tập Case study 2 cho môn học CCNP Switching
Case study 2 - Implementing QoS and Security in a Switched Network
DLSwitchA
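enable
configure terminal
! --- Identity and device access (lab values) ---
hostname DLSwitchA
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
 exit
! Enable QoS globally on the distribution-layer switch.
! Fix: the original typed "mls qos" from line mode and then "exit"; that exit
! left global configuration mode, so the commands after it were not accepted.
mls qos
! Management SVI.
! NOTE(review): management shares VLAN 1 with the trunk native VLAN; a dedicated
! management VLAN is the usual hardening step.
interface vlan 1
 ip address 172.16.26.33 255.255.255.240
 no shutdown
 ! ip default-gateway 172.16.26.17 is not needed since "redistribute static" is used on the core.
 exit
! --- VTP server and VLANs ---
! NOTE(review): no "vtp password" is set, so a switch joining the domain with a
! higher revision number could overwrite the VLAN database.
vtp mode server
vtp domain CCNP3CASESTUDY
! Fix: VLAN ID and name are given as separate commands, the form that global
! configuration mode accepts (the one-line form is VLAN database syntax).
vlan 5
 name IP_Phones
vlan 10
 name Students
vlan 20
 name Staffs
vlan 99
 name Unused
 exit
! Make this switch the spanning-tree root for the active VLANs
! (the original comment said "vtp root"; these commands set the STP root).
spanning-tree vlan 1 root primary
spanning-tree vlan 5 root primary
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
! --- 802.1Q trunks to the access layer ---
interface range fa 0/1 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
 exit
! Bundle the trunks into two Fast EtherChannels (PAgP desirable)
interface range fa 0/1 , fa 0/2
 channel-group 1 mode desirable
interface range fa 0/3 , fa 0/4
 channel-group 2 mode desirable
 exit
! Park unused ports in VLAN 99 and shut them down
interface range fa 0/5 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
interface gi 0/2
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Enable VTP pruning on the server
vtp pruning
! --- Default gateways (SVIs) for the user VLANs ---
interface vlan 5
 ip address 172.16.27.1 255.255.255.0
 no shutdown
interface vlan 10
 ip address 172.16.28.1 255.255.255.0
 no shutdown
interface vlan 20
 ip address 172.16.29.1 255.255.255.0
 no shutdown
 exit
! --- Layer 3 routing ---
ip routing
router eigrp 100
 network 172.16.0.0
 exit
! --- QoS: mark voice arriving from the access layer with DSCP 40 ---
! NOTE(review): the class is keyed on a single source MAC address, which any
! host can present; treat this marking as a lab shortcut, not an identity check.
mac access-list extended VOICE-DEVICE
 permit host 0000.74c7.9648 any
 ! Fix: leave ACL mode with "exit". The original "^Z" returns to privileged
 ! EXEC, so the class-map and policy-map below would not have been entered.
 exit
class-map match-all VOICE-TRAFFIC
 match access-group name VOICE-DEVICE
policy-map FROM-ACCESS-LAYER
 class VOICE-TRAFFIC
  set ip dscp 40
 class class-default
  trust cos
! Apply the QoS policy inbound on the trunk ports.
! Fix: the range separator is an ASCII hyphen; the original used an en dash,
! which the CLI does not parse.
interface range fa 0/1 - 4
 service-policy input FROM-ACCESS-LAYER
! Routed uplink to the core switch
interface gi 0/1
 no switchport
 ip address 172.16.26.18 255.255.255.248
 no shutdown
 end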
DLSwitchB
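enable
configure terminal
! --- Identity and device access (lab values) ---
hostname DLSwitchB
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
 exit
! Enable QoS globally on the distribution-layer switch.
! Fix: the original typed "mls qos" from line mode and then "exit"; that exit
! left global configuration mode, so the commands after it were not accepted.
mls qos
! Management SVI.
! NOTE(review): management shares VLAN 1 with the trunk native VLAN; a dedicated
! management VLAN is the usual hardening step.
interface vlan 1
 ip address 172.17.26.33 255.255.255.240
 no shutdown
 exit
! --- VTP server and VLANs ---
! NOTE(review): no "vtp password" is set, so a switch joining the domain with a
! higher revision number could overwrite the VLAN database.
vtp mode server
vtp domain CCNP3CASESTUDY
! Fix: VLAN ID and name are given as separate commands, the form that global
! configuration mode accepts (the one-line form is VLAN database syntax).
vlan 5
 name IP_Phones
vlan 15
 name Students
vlan 25
 name Staffs
vlan 99
 name Unused
 exit
! Make this switch the spanning-tree root for the active VLANs
! (the original comment said "vtp root"; these commands set the STP root).
spanning-tree vlan 1 root primary
spanning-tree vlan 5 root primary
spanning-tree vlan 15 root primary
spanning-tree vlan 25 root primary
! --- 802.1Q trunks to the access layer ---
interface range fa 0/1 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
 exit
! Bundle the trunks into two Fast EtherChannels (PAgP desirable)
interface range fa 0/1 , fa 0/2
 channel-group 1 mode desirable
interface range fa 0/3 , fa 0/4
 channel-group 2 mode desirable
 exit
! Park unused ports in VLAN 99 and shut them down
interface range fa 0/5 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
interface gi 0/2
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! --- Layer 3 routing ---
ip routing
router eigrp 100
 network 172.17.0.0
 exit
! Enable VTP pruning on the server
vtp pruning
! --- Default gateways (SVIs) for the user VLANs ---
interface vlan 5
 ip address 172.17.27.1 255.255.255.0
 no shutdown
interface vlan 15
 ip address 172.17.28.1 255.255.255.0
 no shutdown
interface vlan 25
 ip address 172.17.29.1 255.255.255.0
 no shutdown
 exit
! --- QoS: mark voice arriving from the access layer with DSCP 40 ---
! NOTE(review): the class is keyed on a single source MAC address, which any
! host can present; treat this marking as a lab shortcut, not an identity check.
mac access-list extended VOICE-DEVICE
 permit host 0000.74c7.9648 any
 ! Fix: leave ACL mode with "exit". The original "^Z" returns to privileged
 ! EXEC, so the class-map and policy-map below would not have been entered.
 exit
class-map match-all VOICE-TRAFFIC
 match access-group name VOICE-DEVICE
policy-map FROM-ACCESS-LAYER
 class VOICE-TRAFFIC
  set ip dscp 40
 class class-default
  trust cos
! Apply the QoS policy inbound on the trunk ports.
! Fix: the range separator is an ASCII hyphen; the original used an en dash,
! which the CLI does not parse.
interface range fa 0/1 - 4
 service-policy input FROM-ACCESS-LAYER
! Routed uplink to the core switch
interface gi 0/1
 no switchport
 ip address 172.17.26.18 255.255.255.248
 no shutdown
 end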
ALSwitchA1 (2950)
enable
configure terminal
! --- Identity and device access (lab values) ---
hostname ALSwitchA1
! NOTE(review): "cisco" is a lab default and the line passwords are stored in
! clear text; production devices need unique secrets and SSH-only vty access.
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
! Management SVI
interface Vlan1
 ip address 172.16.26.34 255.255.255.240
 no shutdown
 exit
! VLANs are learned from the VTP server
vtp mode client
! QoS is not enabled globally here: the access-layer switches are 2950s.
! Uplink: two trunk ports bundled into Fast EtherChannel 1 (PAgP desirable)
interface range FastEthernet 0/1 - 2
 switchport mode trunk
 no shutdown
 exit
interface range FastEthernet 0/1 - 2
 channel-group 1 mode desirable
 exit
! --- Access ports per VLAN; unused ports are parked and shut down ---
! NOTE(review): PortFast is enabled on the edge ports without BPDU guard
! (spanning-tree bpduguard enable); consider adding it on user-facing ports.
! IP phones (VLAN 5): incoming CoS is trusted
interface range FastEthernet 0/3 - 4
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 mls qos trust cos
 exit
! Students (VLAN 10): untrusted, every frame is rewritten to CoS 0
interface range FastEthernet 0/5 - 8
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 mls qos cos 0
 mls qos cos override
 exit
! Staff (VLAN 20): CoS trusted, port default CoS is 2
interface range FastEthernet 0/9 - 12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 mls qos cos 2
 mls qos trust cos
 exit
! Unused FastEthernet ports
interface range FastEthernet 0/13 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Unused GigabitEthernet ports
interface range GigabitEthernet 0/1 , GigabitEthernet 0/2
 switchport mode access
 switchport access vlan 99
 shutdown
 end
ALSwitchA2
enable
configure terminal
! --- Identity and device access (lab values) ---
hostname ALSwitchA2
! NOTE(review): "cisco" is a lab default and the line passwords are stored in
! clear text; production devices need unique secrets and SSH-only vty access.
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
! Management SVI
interface Vlan1
 ip address 172.16.26.35 255.255.255.240
 no shutdown
 exit
! VLANs are learned from the VTP server
vtp mode client
! Uplink: two trunk ports bundled into Fast EtherChannel 1 (PAgP desirable)
interface range FastEthernet 0/1 - 2
 switchport mode trunk
 no shutdown
 exit
interface range FastEthernet 0/1 - 2
 channel-group 1 mode desirable
 exit
! --- Access ports per VLAN; unused ports are parked and shut down ---
! NOTE(review): PortFast is enabled on the edge ports without BPDU guard
! (spanning-tree bpduguard enable); consider adding it on user-facing ports.
! IP phones (VLAN 5): incoming CoS is trusted
interface range FastEthernet 0/3 - 4
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 mls qos trust cos
 exit
! Students (VLAN 10): untrusted, every frame is rewritten to CoS 0
interface range FastEthernet 0/5 - 8
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 mls qos cos 0
 mls qos cos override
 exit
! Staff (VLAN 20): CoS trusted, port default CoS is 2
interface range FastEthernet 0/9 - 12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 mls qos cos 2
 mls qos trust cos
 exit
! Unused FastEthernet ports
interface range FastEthernet 0/13 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Unused GigabitEthernet ports
interface range GigabitEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 99
 shutdown
 end
ALSwitchB1
enable
configure terminal
! --- Identity and device access (lab values) ---
hostname ALSwitchB1
! NOTE(review): "cisco" is a lab default and the line passwords are stored in
! clear text; production devices need unique secrets and SSH-only vty access.
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
! Management SVI
interface Vlan1
 ip address 172.17.26.34 255.255.255.240
 no shutdown
 exit
! VLANs are learned from the VTP server
vtp mode client
! Uplink: fa0/3 and fa0/4 are trunks, bundled into Fast EtherChannel 1
interface range FastEthernet 0/3 - 4
 switchport mode trunk
 no shutdown
 exit
interface range FastEthernet 0/3 - 4
 channel-group 1 mode desirable
 exit
! --- Access ports per VLAN; unused ports are parked and shut down ---
! NOTE(review): PortFast is enabled on the edge ports without BPDU guard
! (spanning-tree bpduguard enable); consider adding it on user-facing ports.
! IP phones (VLAN 5): incoming CoS is trusted
interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 mls qos trust cos
 exit
! Students (VLAN 15): untrusted, every frame is rewritten to CoS 0
interface range FastEthernet 0/5 - 8
 switchport mode access
 switchport access vlan 15
 spanning-tree portfast
 mls qos cos 0
 mls qos cos override
 exit
! Staff (VLAN 25): CoS trusted, port default CoS is 2
interface range FastEthernet 0/9 - 12
 switchport mode access
 switchport access vlan 25
 spanning-tree portfast
 mls qos cos 2
 mls qos trust cos
 exit
! Unused FastEthernet ports
interface range FastEthernet 0/13 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Unused GigabitEthernet ports
interface range GigabitEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 99
 shutdown
 end
ALSwitchB2
enable
configure terminal
! --- Identity and device access (lab values) ---
hostname ALSwitchB2
! NOTE(review): "cisco" is a lab default and the line passwords are stored in
! clear text; production devices need unique secrets and SSH-only vty access.
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
! Management SVI
interface Vlan1
 ip address 172.17.26.35 255.255.255.240
 no shutdown
 exit
! VLANs are learned from the VTP server
vtp mode client
! Uplink: fa0/3 and fa0/4 are trunks, bundled into Fast EtherChannel 1
interface range FastEthernet 0/3 - 4
 switchport mode trunk
 no shutdown
 exit
interface range FastEthernet 0/3 - 4
 channel-group 1 mode desirable
 exit
! --- Access ports per VLAN; unused ports are parked and shut down ---
! NOTE(review): PortFast is enabled on the edge ports without BPDU guard
! (spanning-tree bpduguard enable); consider adding it on user-facing ports.
! IP phones (VLAN 5): incoming CoS is trusted
interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 mls qos trust cos
 exit
! Students (VLAN 15): untrusted, every frame is rewritten to CoS 0
interface range FastEthernet 0/5 - 8
 switchport mode access
 switchport access vlan 15
 spanning-tree portfast
 mls qos cos 0
 mls qos cos override
 exit
! Staff (VLAN 25): CoS trusted, port default CoS is 2
interface range FastEthernet 0/9 - 12
 switchport mode access
 switchport access vlan 25
 spanning-tree portfast
 mls qos cos 2
 mls qos trust cos
 exit
! Unused FastEthernet ports
interface range FastEthernet 0/13 - 24
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Unused GigabitEthernet ports
interface range GigabitEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 99
 shutdown
 end
Configure Core Layer Switch
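enable
configure terminal
! --- Identity and device access (lab values) ---
hostname Core
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 15
 password cisco
 login
 exit
! Default route toward the border router.
! Fix: the original used "ip default-gateway 172.16.1.1", which is ignored once
! "ip routing" is enabled below and gives "redistribute static" nothing to
! advertise. A static default route to the same next hop does both jobs.
ip route 0.0.0.0 0.0.0.0 172.16.1.1
! Routed link to DLSwitchA
interface gi 0/1
 no switchport
 ip address 172.16.26.17 255.255.255.248
 no shutdown
 exit
! Routed link to DLSwitchB
interface gi 0/2
 no switchport
 ip address 172.17.26.17 255.255.255.248
 no shutdown
 exit
! Routed link to the border router
interface fa 0/1
 no switchport
 ip address 172.16.1.2 255.255.255.248
 no shutdown
 exit
! Unused ports: routed mode and shut down
interface range fa 0/2 - 24
 no switchport
 shutdown
 exit
! Simulated server farm: one loopback per server, each on its own subnet
interface loopback 0
 ip address 172.17.1.1 255.255.255.0
 no shutdown
 exit
interface loopback 1
 ip address 172.17.2.1 255.255.255.0
 no shutdown
 exit
interface loopback 2
 ip address 172.17.3.1 255.255.255.0
 no shutdown
 exit
interface loopback 3
 ip address 172.17.4.1 255.255.255.0
 no shutdown
 exit
interface loopback 4
 ip address 172.17.5.1 255.255.255.0
 no shutdown
 exit
! --- Layer 3 routing ---
ip routing
router eigrp 100
 network 172.16.0.0
 network 172.17.0.0
 ! Distribute the static (default) route to the distribution switches
 redistribute static
 exit
end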
Configure Border Router
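enable
configure terminal
! --- Identity and device access (lab values) ---
hostname Border
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 exit
! Default route toward the far end of the multilink bundle.
! Fix: "ip default-gateway" only applies when IP routing is disabled; on a
! router the default path has to be a static route to the same next hop.
ip route 0.0.0.0 0.0.0.0 200.200.100.129
! --- Routing protocol ---
router eigrp 100
 network 172.16.0.0
 network 172.17.0.0
 network 192.168.0.0
 network 200.200.100.0
 exit
! LAN interface toward the core (the core's default next hop)
interface fa 0/0
 ip address 172.16.1.1 255.255.255.248
 no shutdown
 exit
! --- QoS for voice (8 kbps is available) via a policy map ---
! ACL 102: UDP 16384-32767 is assumed to carry voice.
! ACL 103: TCP with source port 1720.
access-list 102 permit udp any any range 16384 32767
! Fix: "access-lisy" in the original is not a command; corrected to access-list.
access-list 103 permit tcp any eq 1720 any
! Class maps
class-map match-all VOICE-TRAFFIC
 match access-group 102
class-map match-all VOICE-SIGNALING
 match access-group 103
! Policy map
policy-map VOICE-POLICY
 class VOICE-SIGNALING
  bandwidth 8
 ! Fix: the original referenced "VOICE-TRAFIC", a class map that is never
 ! defined; the name now matches the class map created above.
 class VOICE-TRAFFIC
  priority 48
 class class-default
  fair-queue
! --- Multilink PPP bundle with fragmentation and interleaving ---
interface multilink 1
 ip address 200.200.100.130 255.255.255.248
 ppp multilink fragment-delay 10
 bandwidth 128
 ppp multilink interleave
 service-policy output VOICE-POLICY
 exit
! Bind physical interface s0/0 to the bundle.
! Fix: PPP subcommands need PPP encapsulation on the member link, and the
! serial interface has to be brought up; the original had neither.
interface s0/0
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 no shutdown
 exit
! --- Frame Relay traffic shaping toward Remote1 ---
map-class frame-relay PHUC
 frame-relay cir 128000
 frame-relay bc 128000
 frame-relay be 0
 frame-relay fair-queue
 exit
! Fix: "frame-relay traffic-shaping" and "no shutdown" belong to the physical
! interface; the original entered both under the sub-interface.
interface s 0/1
 encapsulation frame-relay
 frame-relay traffic-shaping
 no shutdown
interface s0/1.103 point-to-point
 ip address 192.168.0.1 255.255.255.248
 frame-relay class PHUC
 frame-relay interface-dlci 103
 exit
! --- NAT ---
! Fix: the pool's last address was 200.200.200.254, which is outside the /25
! that holds the first address; presumably a typo for 200.200.100.254.
! Verify against the addressing plan.
ip nat pool PHUC 200.200.100.136 200.200.100.254 netmask 255.255.255.128
access-list 10 permit 172.16.27.0 0.0.0.255
access-list 10 permit 172.16.28.0 0.0.0.255
access-list 10 permit 172.16.29.0 0.0.0.255
access-list 10 permit 172.17.27.0 0.0.0.255
access-list 10 permit 172.17.28.0 0.0.0.255
access-list 10 permit 172.17.29.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 deny any
ip nat inside source list 10 pool PHUC overload
! Static translations for the five simulated servers.
! NOTE(review): these make the servers reachable from the outside network, and
! this configuration applies no inbound ACL on the outside interface.
ip nat inside source static 172.17.1.1 200.200.100.131
ip nat inside source static 172.17.2.1 200.200.100.132
ip nat inside source static 172.17.3.1 200.200.100.133
ip nat inside source static 172.17.4.1 200.200.100.134
ip nat inside source static 172.17.5.1 200.200.100.135
! Fix: the outside address lives on Multilink1, so that is the NAT outside
! interface; the original marked member link s0/0, which carries no IP address.
interface multilink 1
 ip nat outside
interface fa 0/0
 ip nat inside
 exit
! NOTE(review): ACL 10 also permits 192.168.0.0/16, but s0/1.103 is not marked
! "ip nat inside", so traffic from Remote1 would not be translated. Confirm intent.
! --- Static routes ---
ip route 172.16.0.0 255.255.0.0 172.16.1.2
ip route 172.17.0.0 255.255.0.0 172.16.1.2
! Fix: the next hop was 192.168.0.1, this router's own sub-interface address;
! the far end of the Frame Relay link (Remote1) is 192.168.0.2.
ip route 192.168.0.0 255.255.0.0 192.168.0.2
end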
Configure Remote1 Router
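enable
configure terminal
! --- Identity and device access (lab values) ---
hostname Remote1
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 exit
! --- Routing protocol ---
router eigrp 100
 network 172.16.0.0
 network 172.17.0.0
 network 192.168.0.0
 network 200.200.100.0
 exit
! Map class that defines the traffic shape on the Frame Relay PVC
map-class frame-relay PHUC
 frame-relay cir 128000
 frame-relay bc 128000
 frame-relay be 0
 frame-relay fair-queue
 exit
! --- Frame Relay traffic shaping on the link to the Border router ---
! Fix: "frame-relay traffic-shaping" and "no shutdown" belong to the physical
! interface; the original entered both under the sub-interface.
interface s 0/0
 encapsulation frame-relay
 frame-relay traffic-shaping
 no shutdown
interface s0/0.301 point-to-point
 ip address 192.168.0.2 255.255.255.248
 ! Attach the shaping parameters to this sub-interface
 frame-relay class PHUC
 frame-relay interface-dlci 301
 exit
end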
Configure CountyOffice Router
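enable
configure terminal
! --- Identity and device access (lab values) ---
hostname CountyOffice
no ip domain-lookup
! NOTE(review): "cisco" is a well-known lab default and the line passwords are
! kept in clear text in the configuration. Outside the lab use unique secrets,
! per-user accounts (login local) and SSH-only vty lines (transport input ssh).
enable secret cisco
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 exit
! --- Routing protocol ---
router eigrp 100
 network 172.16.0.0
 network 172.17.0.0
 network 192.168.0.0
 network 200.200.100.0
 exit
! --- QoS for voice (8 kbps is available) via a policy map ---
! ACL 102: UDP 16384-32767 is assumed to carry voice.
! ACL 103: TCP with source port 1720.
access-list 102 permit udp any any range 16384 32767
! Fix: "access-lisy" in the original is not a command; corrected to access-list.
access-list 103 permit tcp any eq 1720 any
! Class maps
class-map match-all VOICE-TRAFFIC
 match access-group 102
class-map match-all VOICE-SIGNALING
 match access-group 103
! Policy map
policy-map VOICE-POLICY
 class VOICE-SIGNALING
  bandwidth 8
 ! Fix: the original referenced "VOICE-TRAFIC", a class map that is never
 ! defined; the name now matches the class map created above.
 class VOICE-TRAFFIC
  priority 48
 class class-default
  fair-queue
! --- Multilink PPP bundle with fragmentation and interleaving ---
interface multilink 1
 ip address 200.200.100.129 255.255.255.248
 ppp multilink fragment-delay 10
 bandwidth 128
 ppp multilink interleave
 service-policy output VOICE-POLICY
 exit
! Bind physical interface s0/0 to the bundle.
! Fix: PPP subcommands need PPP encapsulation on the member link, and the
! serial interface has to be brought up; the original had neither.
interface s0/0
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 no shutdown
 exit
end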