4. Configure load balancing for traffic. (Only IPv4)
(a) Configure traffic balancing between HQ site and internet so that the channel through HQ1 is preferred.
(b) Configure traffic balancing between HQ site and BR sites so that the channel through HQ2 is preferred. If HQ2 goes down, the channel through HQ1 is used.
https://www.cisco.com/c/zh_tw/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html
1. Configure NAT.
https://medium.com/璿的筆記本/ipv4救星-nat-9a487c53f970
2. Configure DHCP.
https://www.jannet.hk/dynamic-host-configuration-protocol-dhcp-zh-hant/
3. Configure FHRP on DSW1 and DSW2.
https://www.jannet.hk/first-hop-redundancy-protocol-fhrp-zh-hant/
4. Configure remote monitoring using SNMP on HQ1, HQ2 and FW1.
https://networklessons.com/cisco/ccie-routing-switching/how-to-configure-snmpv2-on-cisco-ios-router
5. Configure ISP as NTP server. All network devices should synchronize time from ISP.
https://www.jannet.hk/network-time-protocol-ntp-zh-hant/
1. Configure console authentication on all network devices.
(a) Use local account. Create user admin with password Skill39.
(b) After successful authentication, users should automatically land in privileged mode (except FW1).
```
username admin password Skill39
```
```
line console 0
login local
privilege level 15
```
2. Configure SSH version 2 for remote access on HQ1 and HQ2.
To configure SSH version 2 for remote access on HQ1 and HQ2 with RADIUS server authentication, backup authentication using a local account, and restrict SSH access only to HQ-CLI, you can follow these steps:
1. Configure SSH version 2 on HQ1 and HQ2:
```
configure terminal
! RSA key generation requires a hostname and an ip domain-name to be set first
crypto key generate rsa modulus 2048
ip ssh version 2
```
2. Configure RADIUS server authentication:
(a) Use HQ-SRV as the RADIUS server and Skill39 as the shared key:
```
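aaa new-model
! <HQ-SRV-IP> is a placeholder; 1812/1813 are the standard RADIUS ports
radius server HQ-SRV
 address ipv4 <HQ-SRV-IP> auth-port 1812 acct-port 1813
 key Skill39
aaa authentication login default group radius local
aaa authentication enable default group radius enable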
```
3. Test RADIUS authentication using the provided users and password:
(a) Configure user1 with maximum privilege level:
```
username user1 privilege 15 password Skill39
```
(b) Configure user2 with privilege level 5:
```
username user2 privilege 5 password Skill39
```
4. Configure user2 to be able to configure interface IP settings and administratively enable/disable interfaces:
```
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 ip
privilege interface level 5 shutdown
```
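5. Configure backup authentication using a local account if the RADIUS server goes down. The trailing `local` keyword in the login method list provides the fallback: the local user database is consulted only when the RADIUS server does not respond, not when it rejects a login: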
```
aaa authentication login default group radius local
aaa authentication enable default group radius enable
```
6. Restrict SSH access only to HQ-CLI:
(a) Specify the allowed source IP address (HQ-CLI) for SSH access:
```
ip access-list standard SSH-ACL
permit <HQ-CLI-IP>
```
(b) Apply the access list to the VTY lines and allow only SSH as the inbound transport:
```
line vty 0 15
transport input ssh
access-class SSH-ACL in
```
7. Save the configuration by typing "write" or "copy running-config startup-config" to ensure the changes are retained after a reboot.
Repeat these steps on both HQ1 and HQ2 to configure SSH version 2 with RADIUS server authentication, backup authentication, and restricted SSH access.
Configure port-security on the port which is connected to HQ-CLI using following parameters:
(a) Maximum MAC address – 2
(b) In case of policy violation, security message should be displayed on the console, port should be disabled.
(c) Recover disabled port after 3 minutes.
To configure port security on the port connected to HQ-CLI with the specified parameters, you can follow these steps:
1. Access the configuration interface or management console of the network device.
2. Enter privileged EXEC mode by typing "enable" and entering the privileged EXEC password if prompted.
3. Enter global configuration mode by typing "configure terminal".
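4. Locate the interface connected to HQ-CLI and enter interface configuration mode for that port. Port security can only be enabled on a static access or trunk port, so set the port mode explicitly. For example, if it is interface GigabitEthernet 0/1, use the following commands:
```
interface GigabitEthernet 0/1
switchport mode access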
```
5. Configure port security with the specified parameters:
(a) Enable port security and set the maximum number of MAC addresses to 2:
```
switchport port-security
switchport port-security maximum 2
```
(b) Configure the security violation action to display a security message on the console and disable the port. The `shutdown` mode logs the violation and puts the port into the err-disabled state:
```
switchport port-security violation shutdown
```
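(c) Configure automatic recovery of ports disabled by a port-security violation after 3 minutes (180 seconds). These are global configuration commands:
```
errdisable recovery cause psecure-violation
errdisable recovery interval 180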
```
6. Save the configuration by typing "write" or "copy running-config startup-config" to ensure the changes are retained after a reboot.
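
The following is an added example, not part of the original notes: a small Python audit that reads a running-config excerpt and reports where it deviates from the SSH and port-security requirements stated in the tasks above, including that the VTY lines accept SSH only. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device) with two deviations.
SAMPLE = """\
aaa authentication login default group radius local
ip ssh version 2
errdisable recovery cause psecure-violation
errdisable recovery interval 180
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
line vty 0 15
 access-class SSH-ACL in
 transport input telnet ssh
"""

def sections(config):
    """Map each top-level line to the indented sub-commands under it."""
    tree, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            tree[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            tree[current] = []
    return tree

def audit(config, port):
    """Return findings; an empty list means every check passed."""
    tree, out = sections(config), []
    required = ["ip ssh version 2", "aaa authentication login default group radius local",
                "errdisable recovery cause psecure-violation", "errdisable recovery interval 180"]
    out += [f"missing global command: {c}" for c in required if c not in tree]
    for head, body in tree.items():
        if head.startswith("line vty"):
            if not any(re.fullmatch(r"access-class \S+ in", l) for l in body):
                out.append(f"{head}: no inbound access-class")
            if "transport input ssh" not in body:
                out.append(f"{head}: transport input is not SSH-only")
    sub = tree.get(f"interface {port}", [])
    wanted = ("switchport port-security", "switchport port-security maximum 2")
    out += [f"{port}: missing {c}" for c in wanted if c not in sub]
    # With no violation line in the config, IOS uses its default mode, shutdown.
    mode = next((l.split()[-1] for l in sub if "port-security violation" in l), "shutdown")
    if mode != "shutdown":
        out.append(f"{port}: violation mode is {mode}, not shutdown")
    return out
```

Running `audit(SAMPLE, "GigabitEthernet0/1")` flags the telnet-enabled VTY lines and the `restrict` violation mode; a configuration that follows the tasks returns an empty list.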
Configure DHCP snooping for VLAN 20 on ASW2.
https://www.computernetworkingnotes.com/ccna-study-guide/configure-dhcp-snooping-on-cisco-switches.html
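Enable snooping globally and for VLAN 20, then mark as trusted only the port that faces the DHCP server (shown here as fa0/4); all other ports stay untrusted by default.
```
Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 20
Switch(config)#interface fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Switch(config)#exit
Switch#
```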