Case Study 2
Implementing QoS and Security in a Switched Network
Cisco Networking Academy Program
CCNP 3: Multilayer Switching v3.0
Copyright 2003, Cisco Systems, Inc.
Introduction
The instructions for this case study are as follows:
1. Cable the network as shown in the diagram.
   Note: Fast Ethernet uplinks can be substituted for Gigabit Ethernet uplinks if necessary.
2. Allocate a Class B private address range for each switch block that will be configured. The address range is 172.16.0.0 /16 to 172.17.0.0 /16 with a minimum subnet allocation of 254 hosts, or a /24 bit mask. No device on the network should have a 16-bit mask, 255.255.0.0, configured. VLANs are local to each switch block.
Configuration
The following tasks must be achieved:
■ Configure VLAN databases in the switch configurations. Distribution layer switches will act as VTP servers. Configure access layer switches for client VTP transactions only. Name the VTP domain CCNP3CASESTUDY.
■ Configure spanning tree to designate the distribution layer switches as the primary root for all configured VLANs.
■ Use EIGRP as the routing protocol to allow advertisement of local VLANs to be sent from one switch block to another. EIGRP will also allow for the advertisement of a default route to the CountyOffice location.
■ Configure security on each network device. The best remote-management practices include the use of Telnet, Secure Shell (SSH), and secure password policies. Be selective when granting Telnet, SSH, and web administration privileges.
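One way to carry out the device-security task above on the Border router, as an added IOS configuration example that is not part of the Cisco case study. The management subnet 172.16.1.0/24, the domain name and all credentials are assumed placeholders, and the commands assume an IOS image with SSHv2 support.

```cisco
! Added example, not from the case study: remote-management hardening for the
! Border router. Assumes an IOS image with SSHv2 support. The management subnet
! 172.16.1.0/24, the domain name and all credentials are placeholders.
hostname Border
ip domain-name ccnp3casestudy.example
!
! Password policy: hashed enable secret, minimum length, type-7 obfuscation of
! any remaining line passwords, and throttling plus logging of failed logins.
service password-encryption
security passwords min-length 10
enable secret <STRONG-ENABLE-SECRET>
username netadmin privilege 15 secret <STRONG-USER-SECRET>
login block-for 120 attempts 3 within 60
login on-failure log
!
! SSH: 2048-bit host key (needs hostname and domain name set first), v2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open remote sessions; other attempts are logged.
access-list 10 remark MGMT-HOSTS
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny any log
!
line con 0
 login local
 exec-timeout 5 0
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
!
! Web administration: HTTPS only, same source restriction, local accounts.
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
```

Use `transport input telnet ssh` only on devices whose image lacks SSH; the access-class still limits where sessions may originate, and the failed-login logging shows who is probing the VTY lines.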
■ Configure NAT on the Border router. Configure static NAT translations for use with the simulated server farm appliances. The public IP address block is 200.200.100.128 to 200.200.100.255.
■ Allow Internet access to all nodes in the 172.16.X.X to 172.31.X.X and 192.168.X.X IP address ranges through NAT. IP translation should consist of NAT overload for clients and static NAT for critical devices such as servers.
■ Configure FEC uplinks between the access layer and distribution layer switches. Each of these channels should be 802.1q-compliant trunk links that are capable of transporting all VLAN traffic. Enable the pruning of unnecessary traffic from nonresident VLANs.
■ Configure VLAN 5 for IP phones, VLANs 10 and 15 for student nodes, and VLANs 20 and 25 for staff nodes, with the respective VLAN port assignments on each access layer switch as shown in the network diagram.
■ Use CoS to classify traffic at the access layer. IP phones are CoS-capable and should be trusted. Do not trust CoS values that may be configured on student nodes. Set the CoS value for all staff nodes to 2; this value should be trusted on any equipment that supports CoS.
■ Use modular QoS to mark packets with a quality of service identifier. Use a policy map and DSCP value of 40 to flag all voice traffic that enters either of the distribution-layer switches.
■ Configure link fragmentation and interleaving (LFI) between the Border router and CountyOffice router. This link will consist of a PPP leased line with an available bandwidth of 128 kbps. Configure a policy map that will ensure that 8 kbps is available for voice signaling. Configure priority queuing for voice traffic and allow all other traffic to default to fair queuing.
■ Configure Frame Relay traffic shaping between the Border and Remote1 routers manually. Traffic across this PVC should be tightly regulated at 128 kbps. Assume a CIR value of 128000 bps, a committed burst (Bc) of 128000 bits, and an excess burst (Be) of zero. Enforce this shaping policy on both ends of the Frame Relay link.