
All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 41

CCNA Discovery Introducing Routing and Switching in the Enterprise

Skills-Based Assessment

Academy Student Version – Answer Key

Grading

The exam is divided into two parts. If the exam is conducted in two separate sessions, hand out Part 1 on planning and let the students complete it. Then have them turn in Part 1 so that you can grade it before the second session. Return Part 1 to the students at the start of the second session, which is a hands-on session. If there are problems with the planning in Part 1, the student will know of them before starting on Part 2. If both parts of the exam are done in one session, you should still grade Part 1 before the students start on Part 2. Students must complete Part 1 before starting Part 2.

Suggested point totals are listed for the main fill-in-the-blank questions. They currently total 100 points, but can be adjusted or changed as desired. Divide the correct points by the possible points for an overall percentage grade.

Exam Time

• The time allowed to complete Part 1 is 50 minutes. Part 2 takes longer than 50 minutes.


• At the instructor’s discretion, the amount of time allowed may be adjusted.

• Part 2 of the exam can be split into two parts to accommodate class schedules. Part 3 begins with Task 8: Configure ACL Security on HQ and R2.

• To save time and avoid splitting Part 2, have the equipment set up and cabled for the students prior to starting device configuration.

Exam Overview

This skills-based assessment is the final practical exam for the course CCNA Discovery – Introducing Routing and Switching in the Enterprise. The exam is divided into two parts, and Part 1 must be completed before Part 2. In Part 1, you develop an IP subnet scheme and document the device interfaces. In Part 2, you cable the network and configure customer routers and switches using Cisco IOS CLI commands. The remote office router routes between the local network and the headquarters router. The headquarters router is configured to provide access to the ISP router. The OSPF routing protocol is used between the remote office and headquarters router. Static routing is used between the headquarters router and the ISP. The instructor will preconfigure the ISP router and erase the startup configuration in the headquarters router and the remote office router prior to starting the exam.

When you have completed Part 1, give it to the instructor to check before starting on Part 2. You have 50 minutes to complete Part 1. The instructor will inform you of how Part 2 will be conducted and the time allotted.

Instructor Note: For this exam, the ISP router is set up to connect to two sets of student equipment. By adding the second ISP router as shown in the diagram, two additional students can be tested simultaneously using a single Discovery Server. If needed, you can add more ISP routers. Two students can be tested for each ISP router added. See the instructor lab setup diagram and ISP router running-config at the end of this document.

Objectives

• Part 1 – Create an IP addressing plan and document the network device interfaces.

• Part 2 – Connect and configure the network equipment and verify network connectivity.

Required Equipment

The following equipment is required for each student:

• ISP router with two serial and two Fast Ethernet interfaces (preconfigured by the instructor)

• One computer to act as the Discovery Server (using the Discovery Server Live CD). Optionally, the ISP router can be configured with a loopback address. If the loopback address is used, it restricts the protocols that can be filtered using an ACL.

• One switch or crossover cable to connect the Discovery Server to the ISP router

• One 1841 HQ router (or other router with two serial interfaces)

• One 1841 R2 router (or other router with one serial interface and one Fast Ethernet interface)

• Two Ethernet 2960 switches

• Two Windows XP-based PCs

• Cat 5 and serial cabling, as necessary


Skills-Based Assessment – Part 1 [52 points]

Develop the IP Addressing Scheme and Assign Interface Addresses

Step 1: Gather required information. Use the topology diagram at the beginning of the exam and the following information provided by the instructor to document the network.

a. You will be working with customer AnyCompanyX, where X is the number assigned by the instructor.

Enter the number you are assigned here: AnyCompany___

b. If your local network is connected to the ISP as AnyCompany1, the IP address of the ISP serial 0/0/0 interface is 209.165.201.1/30. If your local network is connected to the ISP as AnyCompany2, the IP address of the ISP serial 0/0/1 interface is 209.165.201.5/30.

If more than one ISP router is being used, additional addresses from the 209.165.201.x/30 range are needed. Check with the instructor to verify the ISP serial interface IP address for you to use.

Enter the ISP serial interface IP address here: _______________________________

c. The base IP address CIDR block from which you will create the VLSM addressing scheme is based on the AnyCompanyX number that you are assigned. If the local network is AnyCompany1, use 192.168.1.0 /24. If the local network is AnyCompany2, use 192.168.2.0 /24.

If more than one ISP router is being used, additional addresses from the 192.168.X.0/24 range are needed. Check with the instructor to verify the correct IP address block for you to use.

Enter the base IP address and subnet mask here: ____________________________

Step 2: Determine the size of each VLSM block to accommodate users. Develop a VLSM subnet scheme that optimally subnets the base address and allows for three VLANs on the local R2 network, the hosts on the HQ local network, and the WAN link between HQ and R2. The HQ router uses NAT/PAT to translate internal client addresses to the external address.

a. Determine the size of the subnet address block required for a network area or group of users. Fill in the table with this information.

VLSM Subnet Requirements [7 points, one for each VLSM block size]

Network Area                         | Number of Users / IPs | VLSM Block Size / Number of IPs (Powers of 2)
AnyCompanyX block size to subdivide  | N/A                   | 256 (8 bits)
HQ local network                     | 23                    | 32
R2 local network / VLANs:            |                       |
  VLAN 1 (Default/Mgmt-IP)           | 5                     | 8
  VLAN 11 (Dept 1)                   | 45                    | 64
  VLAN 12 (Dept 2)                   | 97                    | 128
R2 to HQ WAN link                    | 2                     | 4
Total users and total block sizes    | 172                   | 236

b. To optimally allocate addresses from the /24 address assigned, sort the block sizes from largest to smallest. Use the table below to order the network areas by the VLSM block size. List the blocks starting with the largest to the smallest. [3 points for the correct order]


Network Area / VLAN             | VLSM Block Size
R2 – VLAN 12 (Dept 2)           | 128
R2 – VLAN 11 (Dept 1)           | 64
HQ – Local network              | 32
R2 – VLAN 1 (Default/Mgmt-IP)   | 8
R2 – HQ WAN link                | 4

Step 3: Allocate blocks of addresses to each area of the network. [15 points, one for each address/prefix, usable range, and subnet mask]

a. Determine which blocks of the CIDR address to assign to each area of the network or VLAN. You may use the CIDR / VLSM subnet chart (Appendix A) to enter the subnet information for each CIDR block.

b. Fill in the following table based on the subnet information in the VLSM Subnet Requirements tables above.

Instructor note: Answers may vary depending on the VLSM addressing used. The following sample answers in Steps 3, 4, and 5 are for AnyCompany1.

Network Area / VLAN                      | VLSM Block Size (Number of Addresses) | Subnet Address and Prefix | Usable Address Range           | Subnet Mask
R2 – VLAN 12 (Dept 2)                    | 128                                   | 192.168.1.0 /25           | 192.168.1.1 – 192.168.1.126    | 255.255.255.128
R2 – VLAN 11 (Dept 1)                    | 64                                    | 192.168.1.128 /26         | 192.168.1.129 – 192.168.1.190  | 255.255.255.192
HQ – Local network (simulated with Lo0)  | 32                                    | 192.168.1.192 /27         | 192.168.1.193 – 192.168.1.222  | 255.255.255.224
R2 – VLAN 1 (Default/Mgmt)               | 8                                     | 192.168.1.224 /29         | 192.168.1.225 – 192.168.1.230  | 255.255.255.248
R2 – HQ WAN link                         | 4                                     | 192.168.1.232 /30         | 192.168.1.233 – 192.168.1.234  | 255.255.255.252
Unused IP addresses                      | 20                                    |                           |                                |

c. Have the instructor verify that your addressing scheme is accurate and assigns address space efficiently. You should not have any overlapping subnets and should have unused contiguous blocks of addresses that can be used for future growth.
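Steps 2 and 3 carry out this allocation by hand for AnyCompany1. The Python script below is an added example, not part of the Cisco document, that implements the general largest-first VLSM procedure for any base block and any set of host counts; the REQUIREMENTS table simply reproduces the exam's numbers, and the area names are the only assumed inputs. Besides the subnet, usable range and mask that the table above asks for, each row also carries the wildcard mask needed for the OSPF network statements in Part 2, and check_no_overlap performs the Step 3c check.

```python
"""Added example (not part of the Cisco exam document): largest-first VLSM allocation,
the procedure Steps 2 and 3 perform by hand, for any base block and host counts.
REQUIREMENTS reproduces the exam's numbers for AnyCompany1; it is the only input data."""
import ipaddress

# Host counts per network area, from the VLSM Subnet Requirements table (assumed input).
REQUIREMENTS = {
    "R2 - VLAN 12 (Dept 2)": 97,
    "R2 - VLAN 11 (Dept 1)": 45,
    "HQ - Local network": 23,
    "R2 - VLAN 1 (Default/Mgmt)": 5,
    "R2 - HQ WAN link": 2,
}


def block_size(hosts):
    """Smallest power-of-two block whose usable addresses (size - 2) cover `hosts`.
    A /30 (4 addresses, 2 usable) is the smallest block considered."""
    size = 4
    while size - 2 < hosts:
        size *= 2
    return size


def allocate(base, requirements):
    """Carve `base` (e.g. '192.168.1.0/24') into one subnet per area, largest block first.

    Taking blocks in descending size means every subnet starts on a multiple of its own
    size, so nothing overlaps and the leftover space is one contiguous block at the end.
    Returns (rows, unused_address_count); each row also carries the OSPF wildcard mask
    used for the `network` statements in Part 2.
    """
    net = ipaddress.ip_network(base)
    ordered = sorted(requirements.items(), key=lambda kv: block_size(kv[1]), reverse=True)
    cursor = int(net.network_address)
    rows = []
    for area, hosts in ordered:
        size = block_size(hosts)
        prefix = 32 - (size.bit_length() - 1)
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(net):
            raise ValueError(f"{base} exhausted while allocating {area}")
        rows.append({
            "area": area, "hosts": hosts, "size": size, "subnet": str(subnet),
            "first_usable": str(subnet.network_address + 1),
            "last_usable": str(subnet.broadcast_address - 1),
            "mask": str(subnet.netmask), "wildcard": str(subnet.hostmask),
        })
        cursor += size
    return rows, int(net.broadcast_address) + 1 - cursor


def check_no_overlap(rows):
    """The Step 3c check: no two allocated subnets overlap."""
    nets = [ipaddress.ip_network(r["subnet"]) for r in rows]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan, unused = allocate("192.168.1.0/24", REQUIREMENTS)
    for r in plan:
        print(f'{r["area"]:<28} {r["size"]:>4} {r["subnet"]:<18} '
              f'{r["first_usable"]} - {r["last_usable"]}  {r["mask"]}  wc {r["wildcard"]}')
    print("unused addresses:", unused, "| no overlap:", check_no_overlap(plan))
```

Running it for 192.168.1.0/24 reproduces the table above (five subnets, 20 addresses left over); changing the base to 192.168.2.0/24 gives the AnyCompany2 plan, and changing a host count shows how one larger department pushes every smaller block further along.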

Step 4: Select IP addresses for use when configuring devices. [22 points, one for each IP address and subnet mask]

Select addresses from the block assigned to an area of the network, and fill in the VLSM block size, IP address and subnet mask for each device/interface in the topology. Include the /# bits mask with the IP address. These IP addresses are used in Part 2 when you configure the network equipment.

Note: When you are finished with this step, check with the instructor before proceeding.


Device Interface / IP Address Chart

Device                                                     | Interface                     | IP Address                                    | Subnet Mask
HQ-X                                                       | Serial 0/0/0                  | 192.168.1.234/30                              | 255.255.255.252
HQ-X                                                       | Serial 0/0/1                  | 209.165.201.2/30 (AnyCompany1)                | 255.255.255.252
                                                           |                               | 209.165.201.6/30 (AnyCompany2)                |
                                                           |                               | (Use the next address compatible with the ISP serial interface address of AnyCompanyX) |
HQ-X                                                       | Loopback0                     | 192.168.1.193/27                              | 255.255.255.224
R2                                                         | Serial 0/0/0                  | 192.168.1.233/30                              | 255.255.255.252
R2                                                         | Fast Ethernet 0/0             | None                                          | None
R2                                                         | Subint Fa0/0.1                | 192.168.1.225/29                              | 255.255.255.248
R2                                                         | Subint Fa0/0.11               | 192.168.1.129/26                              | 255.255.255.192
R2                                                         | Subint Fa0/0.12               | 192.168.1.1/25                                | 255.255.255.128
ISP                                                        | Serial 0/0/0 (pre-configured) | 209.165.201.1/30 (AnyCompany1)                | 255.255.255.252
ISP                                                        | Serial 0/0/1 (pre-configured) | 209.165.201.5/30 (AnyCompany2)                | 255.255.255.252
ISP                                                        | Fa0/0 (pre-configured default gateway for Discovery Server; optional if ISP loopback is used) | 172.17.0.1 | 255.255.0.0
S1                                                         | VLAN 1                        | 192.168.1.226/29                              | 255.255.255.248
S2                                                         | VLAN 1                        | 192.168.1.227/29                              | 255.255.255.248
H1                                                         | NIC                           | 192.168.1.130/26                              | 255.255.255.192
H2                                                         | NIC                           | 192.168.1.2/25                                | 255.255.255.128
Discovery Server (or ISP Loopback address, pre-configured) | NIC                           | 172.17.1.1/16                                 | 255.255.0.0


Step 5: Create a logical network diagram. [5 points] Draw a simple logical network diagram of your AnyCompanyX network. Include the ISP router, the two AnyCompanyX routers (HQ and R2), the switches, the two host computers, the three VLANs, and the Discovery Server. Write the IP address and /# bits subnet mask next to each interface, device, or VLAN using the addresses identified in Step 4. This information is used to configure the AnyCompanyX routers and switches in Part 2 of the exam. Be sure to include the subinterfaces on R2.

Logical Network Diagram for AnyCompany____ (enter number)

Step 6: Check your work with the instructor before going on to Part 2.


Note: This is a sample diagram for the instructor version only. IP addresses may vary based on the VLSM addressing scheme used. If the student desires, interfaces on switch ports may be shown, but are not part of the logical diagram because they do not have IP addresses assigned.


Skills-Based Assessment – Part 2 [48 points]

Instructor note: Part 2 of the exam may be split into two parts to accommodate class schedules. Part 3 would begin with Task 8: Configure ACL Security on HQ and R2. To save time and avoid splitting this part of the exam, have the equipment set up and cabled for the students prior to starting device configuration.

Before students start Part 2, configure the ISP router. (See running-config at end of lab.)

Task 1: Build the Network and Connect the Cables

Using the topology diagram provided at the beginning of Part 1 and the logical network diagram you created in Step 5, build the network. Connect the AnyCompanyX network HQ-X router to the appropriate ISP router interface: Serial 0/0/0 for AnyCompany1 or S0/0/1 for AnyCompany2 (unless instructed otherwise by the instructor). The ISP router and the Discovery Server should be preconfigured by the instructor.

Instructor note: If the ISP router is configured with a loopback address in lieu of the Discovery Server, the HTTP service in the router must be enabled.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.

The IP addresses used to configure the devices in the following tasks are based on your solution for the VLSM scheme in Part 1.

Task 2: Configure the HQ Router

Step 1: Configure the router. Assign the host name HQ-X (where X is the number of AnyCompanyX) and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Router(config)#hostname HQ-1
HQ-1(config)#line console 0
HQ-1(config-line)#password cisco
HQ-1(config-line)#login
HQ-1(config-line)#line vty 0 4
HQ-1(config-line)#password cisco
HQ-1(config-line)#login
HQ-1(config-line)#exit
HQ-1(config)#enable secret class
HQ-1(config)#no ip domain-lookup
HQ-1(config)#banner motd #Unauthorized use prohibited#

Step 2: Configure the HQ router serial and loopback interfaces. The WAN link from HQ to R2 uses default Cisco HDLC encapsulation. The WAN link from HQ to ISP uses PPP with CHAP authentication. The ISP provides the clocking for the HQ router. Refer to the topology diagram at the beginning of Part 1 for other DTE/DCE settings.

HQ-1(config)#interface s0/0/0
HQ-1(config-if)#ip address 192.168.1.234 255.255.255.252
HQ-1(config-if)#clock rate 64000
HQ-1(config-if)#no shutdown
HQ-1(config-if)#interface s0/0/1
HQ-1(config-if)#ip address 209.165.201.2 255.255.255.252
HQ-1(config-if)#encapsulation ppp
HQ-1(config-if)#ppp authentication chap
HQ-1(config-if)#no shutdown
HQ-1(config-if)#interface lo0
HQ-1(config-if)#ip address 192.168.1.193 255.255.255.224


Step 3: Create the CHAP user ID and password. For CHAP authentication, configure a username for the ISP router on the HQ router with a password of cisco.

HQ-1(config)#username ISP password cisco
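The username entry above is what HQ-1 consults when CHAP runs on the ISP link. The Python script below is an added example, not part of the Cisco document or of the ISP router configuration, that plays out the RFC 1994 Challenge/Response/Success exchange between the two routers in both directions. It assumes the ISP holds the matching entry `username HQ-1 password cisco` (the exam says the ISP is preconfigured but its configuration is not shown here); the hostnames, the secrets and the fixed challenge bytes are illustrative values.

```python
"""Added example (not from the Cisco exam document): the CHAP exchange (RFC 1994) on the
HQ-to-ISP PPP link after `ppp authentication chap`. Each side holds a
`username <peer-hostname> password <secret>` entry; the secret never crosses the link,
only MD5(identifier || secret || challenge). Hostnames, secrets and challenge bytes are
illustrative values constructed for this example."""
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP Code field values


def chap_hash(identifier, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """One PPP endpoint: a hostname plus its `username ... password ...` table."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = {name: pw.encode() for name, pw in usernames.items()}
        self.pending = {}   # identifier -> challenge value we sent (authenticator side)

    # --- authenticator side: the router that configured `ppp authentication chap` ---
    def challenge(self, identifier, value=None):
        """Send Challenge: (code, id, random value, our hostname in the Name field)."""
        value = value if value is not None else os.urandom(16)
        self.pending[identifier] = value
        return (CHALLENGE, identifier, value, self.hostname)

    def verify(self, packet):
        """Recompute the hash with the secret stored under the peer's Name and compare."""
        code, identifier, value, peer_name = packet
        secret = self.usernames.get(peer_name)
        sent = self.pending.pop(identifier, None)
        if code != RESPONSE or secret is None or sent is None:
            return (FAILURE, identifier)
        ok = hmac.compare_digest(value, chap_hash(identifier, secret, sent))
        return (SUCCESS if ok else FAILURE, identifier)

    # --- peer side: the router being challenged ---
    def respond(self, packet):
        """Look up the secret by the challenger's Name; reply with the hash and our hostname."""
        code, identifier, value, peer_name = packet
        secret = self.usernames.get(peer_name)
        if code != CHALLENGE or secret is None:
            raise LookupError(f"{self.hostname}: no username entry for {peer_name}")
        return (RESPONSE, identifier, chap_hash(identifier, secret, value), self.hostname)


def run_chap(authenticator, peer, identifier=1, challenge=None):
    """One Challenge/Response/Success-or-Failure round; True if the peer is accepted."""
    try:
        reply = peer.respond(authenticator.challenge(identifier, challenge))
    except LookupError:
        return False
    return authenticator.verify(reply)[0] == SUCCESS


def demo():
    """HQ-1 has `username ISP password cisco`; the ISP is assumed to hold the matching
    entry for HQ-1. A second HQ-1 with the wrong secret is refused."""
    isp = Router("ISP", {"HQ-1": "cisco"})
    hq = Router("HQ-1", {"ISP": "cisco"})
    wrong = Router("HQ-1", {"ISP": "class"})
    return {
        "hq_to_isp": run_chap(isp, hq, 1, b"\x11" * 16),     # ISP challenges HQ-1
        "isp_to_hq": run_chap(hq, isp, 2, b"\x22" * 16),     # HQ-1 challenges ISP (two-way CHAP)
        "wrong_secret": run_chap(isp, wrong, 3, b"\x33" * 16),
    }
```

Two things the exchange makes visible: the Name field in each packet drives the `username` lookup on the other side, which is why the entry on HQ must be spelled ISP exactly as the ISP's hostname; and a mismatched secret on either side simply produces a CHAP Failure, because only the MD5 digest ever appears on the link.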

Step 4: Configure OSPF routing for Area 0 on HQ.

HQ-1(config)#router ospf 1
HQ-1(config-router)#network 192.168.1.232 0.0.0.3 area 0
HQ-1(config-router)#network 209.165.201.0 0.0.0.3 area 0
HQ-1(config-router)#network 192.168.1.192 0.0.0.31 area 0

Step 5: Configure a default route to the ISP on HQ and propagate this route to R2 using OSPF.

HQ-1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/1
HQ-1(config)#router ospf 1
HQ-1(config-router)#default-information originate

Step 6: Configure overloaded NAT (PAT) on HQ. a. Use the IP address on the serial port that connects to the ISP as the overloaded address.

b. Specify the inside and outside NAT interfaces.

c. Permit the entire 192.168.X.0/24 address space to be translated (where X is the number assigned to AnyCompany).

HQ-1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
HQ-1(config)#ip nat inside source list 1 interface s0/0/1 overload
HQ-1(config)#interface s0/0/0
HQ-1(config-if)#ip nat inside
HQ-1(config-if)#interface lo0
HQ-1(config-if)#ip nat inside
HQ-1(config-if)#interface s0/0/1
HQ-1(config-if)#ip nat outside
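The NAT configuration above translates every inside address permitted by access-list 1 to the single address on S0/0/1, telling flows apart by source port. The Python model below is an added example, not Cisco code and not part of the exam, showing how such a PAT table is built on the way out and consulted on the way back in, and why unsolicited inbound traffic has nowhere to go. The addresses and flows are constructed for the example, and the port choice (keep the original source port when it is free, otherwise allocate another) is a simplification of what IOS does.

```python
"""Added example (not part of the Cisco exam document): a model of the overloaded NAT
(PAT) that HQ performs in Task 2, Step 6. Hosts matching access-list 1 are translated
to the single S0/0/1 address with a unique source port, and only replies to an
existing translation are forwarded back inside. Addresses and flows are constructed
for this example; the port-allocation policy is a simplification of IOS behaviour."""
import ipaddress


class PAT:
    def __init__(self, inside_list, outside_addr):
        # access-list 1 permit 192.168.1.0 0.0.0.255 -> inside_list; s0/0/1 -> outside_addr
        self.inside_list = [ipaddress.ip_network(n) for n in inside_list]
        self.outside_addr = outside_addr
        self.table = {}     # (proto, inside_local_ip, inside_local_port) -> inside_global_port
        self.reverse = {}   # (proto, inside_global_port) -> (inside_local_ip, inside_local_port)

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.inside_list)

    def _global_port(self, proto, wanted):
        # Keep the original source port when it is free; otherwise pick the next free one.
        if (proto, wanted) not in self.reverse:
            return wanted
        port = 1024
        while (proto, port) in self.reverse:
            port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside through s0/0/1. Returns the translated 5-tuple, or None when
        the source is not permitted by list 1 (no translation is created)."""
        if not self._permitted(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.table:
            gport = self._global_port(proto, src_port)
            self.table[key] = gport
            self.reverse[(proto, gport)] = (src_ip, src_port)
        return (proto, self.outside_addr, self.table[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside. Only traffic addressed to an existing translation is
        forwarded; anything else has no inside destination and is dropped."""
        if dst_ip != self.outside_addr:
            return None
        entry = self.reverse.get((proto, dst_port))
        if entry is None:
            return None
        return (proto, src_ip, src_port) + entry

    def translations(self):
        """Rows in the shape of `show ip nat translations`: Pro, Inside global, Inside local."""
        return sorted(f"{p} {self.outside_addr}:{g} {ip}:{lp}"
                      for (p, ip, lp), g in self.table.items())


def demo():
    """H1 (192.168.1.130) and H2 (192.168.1.2) both browse the Discovery Server from
    source port 1025; a host outside list 1 gets no translation; a stray inbound
    packet to an unused port is dropped."""
    hq = PAT(["192.168.1.0/24"], "209.165.201.2")
    h1 = hq.outbound("tcp", "192.168.1.130", 1025, "172.17.1.1", 80)
    h2 = hq.outbound("tcp", "192.168.1.2", 1025, "172.17.1.1", 80)
    reply_to_h2 = hq.inbound("tcp", "172.17.1.1", 80, "209.165.201.2", h2[2])
    stray = hq.inbound("tcp", "172.17.1.1", 80, "209.165.201.2", 40000)
    untranslated = hq.outbound("tcp", "10.0.0.5", 1025, "172.17.1.1", 80)
    return h1, h2, reply_to_h2, stray, untranslated, hq.translations()
```

In the demo the two hosts collide on source port 1025, so the second flow is given a different global port and the reply addressed to that port is delivered to H2 rather than H1; that per-port mapping is what the Task 7 check with show ip nat translations displays after a ping, telnet or web request from H1 or H2.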

Step 7: Save the router running-config configuration to startup-config.

Task 3: Configure the Remote Office Router

Step 1: Configure basic setting for the R2 router. Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the R2 Fast Ethernet subinterfaces and serial interfaces. Define the Fast Ethernet subinterfaces to match the numbers of the VLANs they represent. They should also use 802.1Q encapsulation. VLAN 1 is the native VLAN.

R2(config)#interface fa0/0
R2(config-if)#no shutdown
R2(config-if)#interface fa0/0.1
R2(config-subif)#encapsulation dot1Q 1
R2(config-subif)#ip address 192.168.1.225 255.255.255.248
R2(config-subif)#interface fa0/0.11
R2(config-subif)#encapsulation dot1Q 11
R2(config-subif)#ip address 192.168.1.129 255.255.255.192
R2(config-subif)#interface fa0/0.12
R2(config-subif)#encapsulation dot1Q 12
R2(config-subif)#ip address 192.168.1.1 255.255.255.128
R2(config-subif)#interface s0/0/0
R2(config-if)#ip address 192.168.1.233 255.255.255.252
R2(config-if)#no shutdown

Step 3: Configure OSPF routing for Area 0 on R2. Specify the subnet for each R2 interface using the appropriate wildcard mask.

R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 0.0.0.127 area 0
R2(config-router)#network 192.168.1.128 0.0.0.63 area 0
R2(config-router)#network 192.168.1.224 0.0.0.7 area 0
R2(config-router)#network 192.168.1.232 0.0.0.3 area 0

Step 4: Save the router running-config configuration to startup-config.

Task 4: Configure the Remote Office Switch S1 Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S1 switch. Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the VLANs for S1. Use the VLAN numbers and names in the following table, and assign the ports to each VLAN as indicated. Use this table to configure switch S2 in Task 5.

VLAN Number             | VLAN Name | Ports Assigned | Notes
VLAN 1 (default VLAN)   | default   | None           | VLAN 1 cannot be renamed
VLAN 11 (Dept 1 users)  | Dept1     | 3 to 11        |
VLAN 12 (Dept 2 users)  | Dept2     | 12 to 24       |

S1(config)#vlan 11
S1(config-vlan)#name Dept1
S1(config-vlan)#vlan 12
S1(config-vlan)#name Dept2
S1(config-vlan)#exit
S1(config)#interface range fa0/3-11
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 11
S1(config-if-range)#interface range fa0/12-24
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 12
S1(config-if-range)#exit


Step 3: Assign an IP address to the Management VLAN 1 on S1. Assign the VLAN 1 address according to the Device Interface / IP Address chart in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1.

S1(config)#interface vlan1
S1(config-if)#ip address 192.168.1.226 255.255.255.248
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#ip default-gateway 192.168.1.225

Step 4: Configure S1 switch ports. Configure switch ports Fa0/1 and Fa0/2 as 802.1Q trunks so that they can carry VLAN information.

S1(config)#interface fa0/1
S1(config-if)#switchport mode trunk
S1(config-if)#interface fa0/2
S1(config-if)#switchport mode trunk

Step 5: Configure S1 as the root switch for STP. Change the priority of native VLAN 1 so that it becomes the root switch.

S1(config)#spanning-tree vlan 1 priority 4096

Step 6: Configure a VTP domain. Configure the AnyCompanyX domain name on S1 and assign the password cisco.

S1(config)#vtp domain AnyCompany1
S1(config)#vtp mode server
S1(config)#vtp password cisco

Step 7: Configure switch port security. Configure port security for port Fa0/9 on switch S1. When port security is configured, connecting any other host disables the port.

S1(config)#interface fa0/9
S1(config-if)#shutdown
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#no shutdown
S1(config-if)#end

Note: Port security is accepted only on a port that is statically in access mode (the switch rejects it on a dynamic port), which is why Fa0/9 must already have been set to switchport mode access in Step 2. No maximum or violation command is needed here because the defaults are a maximum of one MAC address and the shutdown violation mode, so the first host that connects is learned as the sticky address and any other host puts the port into err-disabled.

Step 8: Save the S1 switch running-config configuration to startup-config.

Task 5: Configure the Remote Office Switch S2 Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S2 switch. Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure a VTP domain. Configure the AnyCompanyX domain name on S2 and assign the password cisco.


S2(config)#vtp domain AnyCompany1
S2(config)#vtp mode client
S2(config)#vtp password cisco

Step 3: Assign ports to the VLANs. Use the information in the table in Task 4, Step 2 to assign ports to the VLANs.

S2(config)#interface range fa0/3-11
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 11
S2(config-if-range)#interface range fa0/12-24
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 12
S2(config-if-range)#exit

Step 4: Assign an IP address to the Management VLAN 1 on S2. Assign the VLAN 1 address according to the Device Interface / IP Address table in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1.

S2(config)#interface vlan1
S2(config-if)#ip address 192.168.1.227 255.255.255.248
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#ip default-gateway 192.168.1.225

Step 5: Configure switch port Fa0/2 as an 802.1Q trunk to carry VLAN information.

S2(config)#interface fa0/1
S2(config-if)#switchport mode trunk
S2(config-if)#interface fa0/2
S2(config-if)#switchport mode trunk

Step 6: Configure switch port security. Configure port security for port Fa0/15 on switch S2. When port security is configured, connecting any other host disables the port.

S2(config)#interface fa0/15
S2(config-if)#shutdown
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#no shutdown
S2(config-if)#end

Step 7: Save the S2 switch running-config configuration to startup-config.

Task 6: Configure Host IP Addresses Configure each host IP address, subnet mask, and default gateway using the information in the Device Interface / IP Address chart in Part 1, Step 4.


Task 7: Verify Device Configurations and Basic Connectivity [33 points, one for each item verified with command output and checked by instructor]

Before configuring ACLs in the next task, verify the items listed in the table and indicate which command you used. Include the IP address to be pinged when verifying connectivity. Have the instructor check off each item when verified.

Instructor note: Other commands than the ones listed may be used if they verify the same information. See the end of the lab for the show-run output and sample output for other commands on HQ, R2, S1, and S2.

Configuration Items to Verify                                                 | Command Used                              | Check
HQ basic config (host, pass, IPs)                                             | show running-config                       | ____
HQ routing table (OSPF, static/default)                                       | show ip route                             | ____
HQ NAT config (ACL, interfaces, etc.)                                         | show running-config                       | ____
R2 basic config (host, pass, IPs)                                             | show running-config                       | ____
R2 routing table (OSPF, static/default)                                       | show ip route                             | ____
R2 subinterfaces on Fa0/0                                                     | show vlans                                | ____
R2 subinterfaces encapsulation                                                | show vlans                                | ____
S1 basic config (host, pass, IPs)                                             | show running-config                       | ____
S1 VLANs                                                                      | show vlan brief                           | ____
S1 ports in correct VLANs                                                     | show vlan brief                           | ____
S1 802.1Q trunk ports                                                         | show interfaces trunk                     | ____
S1 is root switch                                                             | show spanning-tree                        | ____
S1 is VTP server                                                              | show vtp status                           | ____
S1 port security                                                              | show running-config, show port-security   | ____
S2 basic config (host, pass, IPs)                                             | show running-config                       | ____
S2 VLANs                                                                      | show vlan brief                           | ____
S2 ports in correct VLANs                                                     | show vlan brief                           | ____
S2 802.1Q trunk ports                                                         | show interfaces trunk                     | ____
S2 is VTP client                                                              | show vtp status                           | ____
S2 port security                                                              | show running-config, show port-security   | ____

Connectivity Items to Verify                                                  | Command Used                              | Check
Ping S1 from H1 and H2                                                        | ping IP address                           | ____
Ping S2 from H1 and H2                                                        | ping IP address                           | ____
Ping R2 default gateway from H1 and H2                                        | ping IP address                           | ____
Ping R2 default gateway from S1 and S2                                        | ping IP address                           | ____
Ping from H1 to H2 (between VLANs)                                            | ping IP address                           | ____
Ping HQ from R2                                                               | ping IP address                           | ____
Ping from H1 and H2 to HQ S0/0/0                                              | ping IP address                           | ____
Ping from H1 and H2 to HQ Lo0 (HQ LAN)                                        | ping IP address                           | ____
Ping from H1 and H2 to ISP S0/0/0                                             | ping IP address                           | ____
Ping from H1 and H2 to ISP Discovery Server                                   | ping IP address                           | ____
Web browser from H1 and H2 to Discovery Server (or ISP router Loopback)       | Internet Explorer or other browser to IP address | ____
Telnet from H1 and H2 to HQ and R2                                            | telnet IP address                         | ____
Verify HQ NAT translations (display translations after ping, telnet and web browser from H1 or H2 to ISP loopback or Discovery Server) | show ip nat translations | ____

Task 8: Configure ACL Security on HQ and R2

Note: The following commands are based on IP address ranges for one possible solution to the VLSM scheme in Part 1 of the lab.

Step 1: Create and apply a numbered extended ACL on R2. [6 points, one for each instructor check]

The ACL must allow web requests and pings to leave the R2 network if they originated from any location within the R2 AnyCompanyX network. Telnet traffic is permitted if it originates in VLAN 11, and FTP traffic (FTP control and FTP data) is permitted if it originates in VLAN 12. All other traffic is denied.

a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to the appropriate R2 interface. Include remarks in your ACL to document what it is doing. Have the instructor verify the ACL statements and placement. __________ Instructor check.

Example ACL:

R2(config)#access-list 101 remark allow web access for R2 internal network
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
R2(config)#access-list 101 remark allow pings for R2 internal network
R2(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
R2(config)#access-list 101 remark allow telnet for VLAN 11
R2(config)#access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet
R2(config)#access-list 101 remark allow FTP for VLAN 12
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp
R2(config)#access-list 101 deny ip any any
R2(config)#interface Serial0/0/0
R2(config-if)#ip access-group 101 out

Note: The ACL is applied outbound on the WAN interface, so it filters only traffic leaving the R2 network; an outbound ACL does not affect packets the router generates itself, so the OSPF adjacency with HQ is unaffected. The two FTP entries match destination ports 20 and 21, which covers the control connection and active-mode data connections; a passive-mode data connection to an ephemeral port on the server matches neither entry and is dropped by the final deny.

b. Test the ACL by pinging from H1 and H2 to the ISP loopback address or the IP address of the Discovery Server. Have the instructor verify. _______ Instructor check. Pings should be successful.

c. Using a browser from H1 and H2, enter the ISP router Loopback0 address or the IP address of the Discovery Server. Have the instructor verify. _________ Instructor check. Should be able to get to the login screen of the router HTTP/SDM interface or the default web page on the Discovery Server.

d. Telnet from host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. You should not be able to telnet from a host in VLAN 12. Have the instructor verify. _______ Instructor check. The R2 ACL blocks telnet from VLAN 12 hosts.

Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. You should be able to telnet from any host in VLAN 11. Have the instructor verify. _______ Instructor check. The R2 ACL permits telnet from VLAN 11 hosts.

e. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check.


R2#show access-lists

Extended IP access list 101

10 permit tcp 192.168.1.0 0.0.0.255 any eq www (10 matches)

20 permit icmp 192.168.1.0 0.0.0.255 any (4 matches)

30 permit tcp 192.168.1.128 0.0.0.63 any eq telnet (6 matches)

40 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data

50 permit tcp 192.168.1.0 0.0.0.127 any eq ftp

60 deny ip any any (6 matches)

Step 2: Create and apply a standard ACL to control vty access to the HQ router. [4 points, one for each instructor check]

The ACL should deny vty access for all hosts from any network or interface to the HQ router, except for host H1 on VLAN 11.

a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to vty lines 0 through 4 on the HQ router. Have the instructor verify the ACL statements and placement. __________ Instructor check.

HQ-1(config)#access-list 2 permit host 192.168.1.130
HQ-1(config)#access-list 2 deny any
HQ-1(config)#line vty 0 4
HQ-1(config-line)#access-class 2 in

b. Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Have the instructor verify. _______ Instructor check. The HQ vty ACL permits telnet from host H1.

c. Change the IP address of H1 to another address that is on VLAN 11, and telnet again from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Have the instructor verify. _______ Instructor check. The HQ vty ACL denies telnet from any host IP address other than the original one for H1.

d. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check.

HQ-1#sh access-lists

Standard IP access list 1

10 permit 192.168.1.0, wildcard bits 0.0.0.255 (20 matches)

Standard IP access list 2

10 permit 192.168.1.130 (2 matches)

20 deny any (6 matches)
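
The counters above come out the way they do because IOS walks an access list top to bottom, stops at the first statement that matches, and silently drops whatever matches nothing (the implicit deny at the end of every list). The Python script below is an added example, not code from the Cisco SBA document: it parses the ACL 101 and ACL 2 statements exactly as they appear in the R2 and HQ-1 configs in Appendix B, applies that first-match rule using the wildcard-mask test, and keeps a per-entry hit counter like show access-lists. The packets it evaluates are constructed samples; 172.17.1.1 is the ISP web server address that appears in the HQ-1 NAT table later in this document, and 192.168.1.234 is the HQ-1 S0/0/0 address that H1 telnets to in Step 2.

```python
"""IOS access-list evaluation for the ACLs verified in Steps 1 and 2.
Added example, not Cisco's code: first-match, implicit deny, per-entry counters."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20}
ANY = ("0.0.0.0", "255.255.255.255")           # 'any' as network + wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard test: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _addr_spec(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (network, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int]
    matches: int = 0             # the '(N matches)' counter of show access-lists


def parse_acl(lines: List[str]) -> List[Entry]:
    """Turn 'access-list N ...' lines into numbered entries; remarks are skipped."""
    entries: List[Entry] = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):    # extended: proto src dst [eq port]
            proto = rest[0]
            src, i = _addr_spec(rest, 1)
            dst, i = _addr_spec(rest, i)
        else:                                          # standard: source only
            proto, dst = "ip", ANY
            src, i = _addr_spec(rest, 0)
        port = None
        if i + 1 < len(rest) and rest[i] == "eq":
            port = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
        entries.append(Entry(10 * (len(entries) + 1), action, proto, src, dst, port))
    return entries


def evaluate(entries, src, dst, proto, dst_port=None):
    """First matching entry decides and its counter increments; no match is a deny."""
    for e in entries:
        if e.proto in ("ip", proto) and e.dst_port in (None, dst_port) \
                and wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            e.matches += 1
            return e.action, e.seq
    return "deny", None                                # implicit 'deny ip any any'


# ACL statements copied from the R2 and HQ-1 configs in Appendix B
ACL_101 = """\
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data
access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp
access-list 101 deny ip any any""".splitlines()
ACL_2 = ["access-list 2 permit host 192.168.1.130", "access-list 2 deny any"]


def demo():
    """Constructed packets: 172.17.1.1 is the ISP web server, 192.168.1.234 is HQ S0/0/0."""
    acl101, acl2 = parse_acl(ACL_101), parse_acl(ACL_2)
    out = {
        "vlan11_telnet": evaluate(acl101, "192.168.1.130", "172.17.1.1", "tcp", 23),
        "vlan12_telnet": evaluate(acl101, "192.168.1.2", "172.17.1.1", "tcp", 23),
        "vlan12_ftp":    evaluate(acl101, "192.168.1.2", "172.17.1.1", "tcp", 21),
        "vlan11_ping":   evaluate(acl101, "192.168.1.130", "172.17.1.1", "icmp"),
        "vty_h1":        evaluate(acl2, "192.168.1.130", "192.168.1.234", "tcp", 23),
        "vty_other":     evaluate(acl2, "192.168.1.131", "192.168.1.234", "tcp", 23),
    }
    out["counters_101"] = {e.seq: e.matches for e in acl101}
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

Two things worth noticing when you run it: the VLAN 12 telnet attempt falls all the way through to the explicit deny (entry 60), which is exactly why the page tells you to add that final deny statement, so the drop shows up as a counter instead of disappearing into the implicit one; and changing H1's address by a single host, as in Step 2c, is enough to miss the host entry in ACL 2 and land on deny any.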

Step 3: On R2 and HQ, save the router running configuration to NVRAM.

Step 4: Save the running configurations for each networking device to a file. [5 points] Save the output from HQ-X, R2, S1, and S2 to a single text file on your desktop and name it XXX-D3-SBA-Configs.txt (where XXX are your initials). Show it to the instructor. _________ Instructor check.


Appendix A Instructor note: For student version of lab, remove the values and colors from the body of the chart. Leave the headings in bold for the first 3 rows and the words “Subnet # (octets 3&4)” in row 5, column 1. Remove the Possible Solution at the end of this spreadsheet.

CIDR / VLSM Subnet Chart AnyCompanyX ____

Base Address: ________________ (192.168.X.0) Subnet Mask: 255.255.255.0

CIDR mask                  /24     /25      /26      /27      /28      /29      /30

Dot mask (octets 3&4)      255.0   255.128  255.192  255.224  255.240  255.248  255.252

Number of hosts possible   256     128      64       32       16       8        4

Subnet # (octets 3 & 4), filled in for X = 1 and listed one CIDR-mask column at a time (a subnet number appears in every column whose block size it is a boundary of, so 1.0 is in all seven columns and 1.4 only in the /30 column):

/24: 1.0

/25: 1.0, 1.128

/26: 1.0, 1.64, 1.128, 1.192

/27: 1.0, 1.32, 1.64, 1.96, 1.128, 1.160, 1.192, 1.224

/28: 1.0, 1.16, 1.32, 1.48, 1.64, 1.80, 1.96, 1.112, 1.128, 1.144, 1.160, 1.176, 1.192, 1.208, 1.224, 1.240

/29: 1.0, 1.8, 1.16, 1.24, 1.32, 1.40, 1.48, 1.56, 1.64, 1.72, 1.80, 1.88, 1.96, 1.104, 1.112, 1.120, 1.128, 1.136, 1.144, 1.152, 1.160, 1.168, 1.176, 1.184, 1.192, 1.200, 1.208, 1.216, 1.224, 1.232, 1.240, 1.248

/30: 1.0, 1.4, 1.8, 1.12, 1.16, 1.20, 1.24, 1.28, 1.32, 1.36, 1.40, 1.44, 1.48, 1.52, 1.56, 1.60, 1.64, 1.68, 1.72, 1.76, 1.80, 1.84, 1.88, 1.92, 1.96, 1.100, 1.104, 1.108, 1.112, 1.116, 1.120, 1.124, 1.128, 1.132, 1.136, 1.140, 1.144, 1.148, 1.152, 1.156, 1.160, 1.164, 1.168, 1.172, 1.176, 1.180, 1.184, 1.188, 1.192, 1.196, 1.200, 1.204, 1.208, 1.212, 1.216, 1.220, 1.224, 1.228, 1.232, 1.236, 1.240, 1.244, 1.248, 1.252

Possible Solution

Color code   Area / VLAN        Block size   Subnet / Prefix
             R2 VLAN 12         128          192.168.1.0/25
             R2 VLAN 11         64           192.168.1.128/26
             HQ Network         32           192.168.1.192/27
             R2 VLAN 1          8            192.168.1.224/27
             R2/HQ WAN link     4            192.168.1.232/27
             Unused addresses   20
             Total              256
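
The chart columns and the Possible Solution both follow from one rule: carve the /24 largest block first, so that every subnet starts on a boundary that is a multiple of its own size. The script below is an added example, not part of the Cisco SBA document; it uses only the standard-library ipaddress module, takes the block sizes from the Possible Solution table as its requests (REQUESTS is this script's own name for them), and regenerates any column of the subnet chart from the prefix length. The prefixes it produces match the masks configured on the R2 and HQ-1 interfaces in Appendix B (255.255.255.248 for VLAN 1 and 255.255.255.252 for the WAN link), and the leftover count reproduces the 20 unused addresses in the table.

```python
"""VLSM allocation behind the CIDR/VLSM chart and the Possible Solution above.
Added example, not Cisco's code: standard-library ipaddress only."""
import ipaddress
from typing import List, Tuple

BASE = ipaddress.ip_network("192.168.1.0/24")          # AnyCompany1, X = 1

# Block sizes from the Possible Solution table (names are the table's own)
REQUESTS = [("R2 VLAN 12", 128), ("R2 VLAN 11", 64), ("HQ Network", 32),
            ("R2 VLAN 1", 8), ("R2/HQ WAN link", 4)]


def prefix_for_block(size: int) -> int:
    """Prefix length of a block of `size` addresses; size must be a power of two."""
    if size < 1 or size & (size - 1):
        raise ValueError("block size must be a power of two")
    return 33 - size.bit_length()          # 128 -> /25, 4 -> /30


def allocate(base, requests) -> Tuple[List[Tuple[str, ipaddress.IPv4Network]], int]:
    """Carve `base` largest-first so every block starts on its own boundary.
    Returns the plan and the number of addresses left unused."""
    cursor, end = int(base.network_address), int(base.broadcast_address) + 1
    plan = []
    for name, size in sorted(requests, key=lambda r: r[1], reverse=True):
        net = ipaddress.IPv4Network((cursor, prefix_for_block(size)))
        if int(net.broadcast_address) >= end:
            raise ValueError(f"{name}: no room for {size} addresses in {base}")
        plan.append((name, net))
        cursor = int(net.broadcast_address) + 1     # next block starts right after
    return plan, end - cursor


def chart_column(base, prefix: int) -> List[str]:
    """Subnet numbers (octets 3 and 4) of `base` at `prefix`: one chart column."""
    return [".".join(str(n.network_address).split(".")[2:])
            for n in base.subnets(new_prefix=prefix)]


if __name__ == "__main__":
    plan, unused = allocate(BASE, REQUESTS)
    for name, net in plan:
        print(f"{name:16} {net.num_addresses:4} {net}")
    print(f"{'Unused addresses':16} {unused:4}")
    for p in range(24, 31):
        print(f"/{p}: {', '.join(chart_column(BASE, p))}")
```

Because the allocator sorts the requests before carving, the order in which the areas are listed does not matter; listing the /30 WAN link first would otherwise push every later block off its natural boundary and break the chart.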

Page 18: D3 SBA Student Ans Key

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 18 of 41

Appendix B

HQ-1 Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs Instructor note: Config items to be tested are highlighted in green

HQ-1#show running-config

Building configuration...

Current configuration : 1650 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname HQ-1

!

enable secret 5 $1$k611$ET5OUWkjhCLvgkWJg36yQ0

enable password cisco

!

no ip domain lookup

!

username ISP-A password 0 cisco

!

interface Loopback0

ip address 192.168.1.193 255.255.255.224

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

Page 19: D3 SBA Student Ans Key

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 19 of 41

interface Serial0/0/0

ip address 192.168.1.234 255.255.255.252

ip nat inside

clock rate 64000

!

interface Serial0/0/1

ip address 209.165.201.2 255.255.255.252

ip nat outside

encapsulation ppp

ppp authentication chap

!

interface Vlan1

no ip address

!

router ospf 1

log-adjacency-changes

network 192.168.1.192 0.0.0.31 area 0

network 192.168.1.232 0.0.0.3 area 0

network 209.165.201.0 0.0.0.3 area 0

default-information originate

!

ip route 0.0.0.0 0.0.0.0 Serial0/0/1

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface Serial0/0/1 overload

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 2 permit 192.168.1.130

access-list 2 deny any

!

banner motd ^CUnauthorized use prohibited^C

!

line con 0

password cisco

login

line aux 0

Page 20: D3 SBA Student Ans Key

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 20 of 41

line vty 0 4

access-class 2 in

password cisco

login

!

end
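
The items the instructor note says are tested in this config (the vty access-class, login on the lines, the enable secret) are exactly the ones a configuration audit should check automatically. The script below is an added example, not part of the Cisco SBA document: parse_config() splits show running-config text into global commands and indented blocks, and audit() reports the graded management-plane items plus a few hardening defaults the sample configs leave off (clear-text line passwords, the redundant enable password, HTTP without HTTPS). HQ1_CONFIG is a trimmed copy of the HQ-1 config above with the IOS indentation restored; the findings, their wording and their severities are this script's own.

```python
"""Audit an IOS running-config for the management-plane items this SBA tests.
Added example, not Cisco's code; severities are the script's own choices."""
import re
from typing import Dict, List, Tuple

# Trimmed copy of the HQ-1 config above, indentation restored (IOS indents
# the commands that belong to an interface or line block by one space)
HQ1_CONFIG = """\
hostname HQ-1
!
enable secret 5 $1$k611$ET5OUWkjhCLvgkWJg36yQ0
enable password cisco
!
no service password-encryption
!
interface Serial0/0/0
 ip address 192.168.1.234 255.255.255.252
 ip nat inside
!
ip http server
no ip http secure-server
!
access-list 2 permit 192.168.1.130
access-list 2 deny any
!
banner motd ^CUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 access-class 2 in
 password cisco
 login
!
end
"""

# Same config without the vty access-class, as R2 is configured in Appendix B
R2_LIKE_CONFIG = HQ1_CONFIG.replace(" access-class 2 in\n", "")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {block header: indented child commands})."""
    cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("!", "end"):
            current = None                       # '!' closes the current block
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            cmds.append(current)
            blocks[current] = []
    return cmds, blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing flagged."""
    cmds, blocks = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret ") for c in cmds):
        findings.append(("high", "no 'enable secret'; privileged EXEC is not protected by a hashed password"))
    if any(c.startswith("enable password ") for c in cmds):
        findings.append(("medium", "'enable password' is set; remove it and rely on 'enable secret'"))
    if "no service password-encryption" in cmds:
        findings.append(("medium", "line passwords are stored in clear text"))
    if "ip http server" in cmds and "no ip http secure-server" in cmds:
        findings.append(("low", "HTTP management is enabled without HTTPS"))
    if not any(c.startswith("banner motd") for c in cmds):
        findings.append(("low", "no login banner"))
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if not any(re.match(r"access-class \S+ in$", b) for b in body):
            findings.append(("high", f"{header}: no inbound access-class, any reachable host may attempt to log in"))
        if "login" not in body and not any(b.startswith("login ") for b in body):
            findings.append(("high", f"{header}: 'login' missing, sessions are accepted without a password"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("HQ-1", HQ1_CONFIG), ("R2-like", R2_LIKE_CONFIG)):
        print(label)
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

Run against the HQ-1 copy, the audit raises only medium and low items; run against the R2-like copy, the missing access-class shows up as a high finding, which is the difference Step 2 of Part 2 is grading.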

HQ-1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks

C 209.165.201.1/32 is directly connected, Serial0/0/1

C 209.165.201.0/30 is directly connected, Serial0/0/1

192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks

O 192.168.1.0/25 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0

C 192.168.1.232/30 is directly connected, Serial0/0/0

O 192.168.1.224/29 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0

O 192.168.1.224/29 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0

O 192.168.1.128/26 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0

S* 0.0.0.0/0 is directly connected, Serial0/0/1

HQ-1#

HQ-1#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 209.165.201.2:512 192.168.1.2:512 172.17.1.1:512 172.17.1.1:512

tcp 209.165.201.2:1090 192.168.1.2:1090 172.17.1.1:80 172.17.1.1:80

tcp 209.165.201.2:1175 192.168.1.130:1175 172.17.1.1:23 172.17.1.1:23

HQ-1#


R2 Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs

R2#show running-config

Building configuration...

Current configuration : 2062 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

enable secret 5 $1$wQ9o$JKvDTtgVJY9qSV1KB6mZ7/

enable password cisco

!

no ip domain lookup

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 192.168.1.225 255.255.255.248

!

interface FastEthernet0/0.11

encapsulation dot1Q 11

ip address 192.168.1.129 255.255.255.192

!

interface FastEthernet0/0.12

encapsulation dot1Q 12

ip address 192.168.1.1 255.255.255.128

!

interface FastEthernet0/1

no ip address


shutdown

duplex auto

speed auto

!

interface Serial0/0/0

ip address 192.168.1.233 255.255.255.252

ip access-group 101 out

no fair-queue

!

interface Serial0/0/1

no ip address

shutdown

!

interface Vlan1

no ip address

!

router ospf 1

log-adjacency-changes

network 192.168.1.0 0.0.0.127 area 0

network 192.168.1.128 0.0.0.63 area 0

network 192.168.1.224 0.0.0.7 area 0

network 192.168.1.232 0.0.0.3 area 0

!

ip http server

no ip http secure-server

!

access-list 101 remark allow web access for R2 internal network

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www

access-list 101 remark allow pings for R2 internal network

access-list 101 permit icmp 192.168.1.0 0.0.0.255 any

access-list 101 remark allow telnet for VLAN 11

access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet

access-list 101 remark allow FTP for VLAN 12

access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data

access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp

access-list 101 deny ip any any

!

!


banner motd ^CUnauthorized use prohibited^C

!

line con 0

password cisco

login

line aux 0

line vty 0 4

password cisco

login

!

end

R2#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.234 to network 0.0.0.0

209.165.201.0/30 is subnetted, 1 subnets

O 209.165.201.0 [110/128] via 192.168.1.234, 03:01:40, Serial0/0/0

192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks

C 192.168.1.0/25 is directly connected, FastEthernet0/0.12

C 192.168.1.232/30 is directly connected, Serial0/0/0

C 192.168.1.224/29 is directly connected, FastEthernet0/0.1

O 192.168.1.193/32 [110/65] via 192.168.1.234, 03:01:40, Serial0/0/0

C 192.168.1.128/26 is directly connected, FastEthernet0/0.11

O*E2 0.0.0.0/0 [110/1] via 192.168.1.234, 03:01:40, Serial0/0/0

R2#sh vlans


Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/0.1

This is configured as native Vlan for the following interface(s) :

FastEthernet0/0

Protocols Configured: Address: Received: Transmitted:

IP 192.168.1.225 2211 2194

Other 0 384

3376 packets, 706302 bytes input

2578 packets, 327975 bytes output

Virtual LAN ID: 11 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/0.11

Protocols Configured: Address: Received: Transmitted:

IP 192.168.1.129 512 2338

Other 0 27

512 packets, 61184 bytes input

2365 packets, 217830 bytes output

Virtual LAN ID: 12 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/0.12

Protocols Configured: Address: Received: Transmitted:

IP 192.168.1.1 23016 1486

Other 0 21

23016 packets, 2216436 bytes input

1507 packets, 140912 bytes output

ISP-A Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs. Configured by instructor


ISP-A#sh running-config

Building configuration...

Current configuration : 1467 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ISP-A

!

enable secret 5 $1$9Vz7$DM5oMilgvcjBS5O/ojl2Z.

enable password cisco

!

no ip domain lookup

!

username HQ-1 password 0 cisco

username HQ-2 password 0 cisco

!

interface FastEthernet0/0

description Gateway for ISP Web Server

ip address 172.17.0.1 255.255.0.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0

description Connection to AnyCompany1 network

ip address 209.165.201.1 255.255.255.252

encapsulation ppp

no fair-queue

ppp authentication chap


!

interface Serial0/0/1

description Connection to AnyCompany2 network

ip address 209.165.201.5 255.255.255.252

encapsulation ppp

clock rate 64000

ppp authentication chap

!

interface Vlan1

no ip address

!

ip route 209.165.201.0 255.255.255.252 Serial0/0/0

ip route 209.165.201.4 255.255.255.252 Serial0/0/1

!

!

ip http server

no ip http secure-server

!

banner motd ^CUnauthorized use prohibited^C

!

line con 0

password cisco

login

line aux 0

line vty 0 4

password cisco

login

!

scheduler allocate 20000 1000

end

Note: AnyCompany2 is not connected, so the route to 209.165.201.4/30 is not present in the routing table.

ISP-A#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2


E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 172.17.0.0/16 is directly connected, Loopback0

209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks

C 209.165.201.0/30 is directly connected, Serial0/0/0

C 209.165.201.2/32 is directly connected, Serial0/0/0

S1 Switch Config (2960 – Cisco IOS 12.2) Plus sample command outputs

S1#show running-config

Building configuration...

Current configuration : 2780 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname S1

!

enable secret 5 $1$hhGK$.eOmFIEBgkDnl.Gm6MkyD1

enable password cisco

!

no aaa new-model

ip subnet-zero

!

no ip domain-lookup

!

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree vlan 1 priority 4096

!

vlan internal allocation policy ascending


!

interface FastEthernet0/1

switchport mode trunk

!

interface FastEthernet0/2

switchport mode trunk

!

interface FastEthernet0/3

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/4

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/5

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/6

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/7

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/8

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/9

switchport access vlan 11

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 000b.db04.a5cd

(Note: MAC address is learned dynamically and will vary)


!

interface FastEthernet0/10

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/11

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/12

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/13

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/14

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/15

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/16

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/17

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/18

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/19


switchport access vlan 12

switchport mode access

!

interface FastEthernet0/20

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/21

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/22

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/23

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/24

switchport access vlan 12

switchport mode access

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

ip address 192.168.1.226 255.255.255.248

no ip route-cache

!

ip default-gateway 192.168.1.225

ip http server

!

banner motd ^CCUnauthorized use prohibited^C

!

line con 0

password cisco


login

line vty 0 4

password cisco

login

line vty 5 15

password cisco

login

!

end

S1#

S1#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/1, Gi0/2

11 Dept1 active Fa0/3, Fa0/4, Fa0/5, Fa0/6

Fa0/7, Fa0/8, Fa0/9, Fa0/10

Fa0/11

12 Dept2 active Fa0/12, Fa0/13, Fa0/14, Fa0/15

Fa0/16, Fa0/17, Fa0/18, Fa0/19

Fa0/20, Fa0/21, Fa0/22, Fa0/23

Fa0/24

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

S1#

S1#

S1#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 1

Fa0/2 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/1 1-4094


Fa0/2 1-4094

Port Vlans allowed and active in management domain

Fa0/1 1,11-12

Fa0/2 1,11-12

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 1,11-12

Fa0/2 1,11-12

S1#

S1#

S1#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 4097

Address 001d.4635.0c80

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4097 (priority 4096 sys-id-ext 1)

Address 001d.4635.0c80

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Desg FWD 19 128.1 P2p

Fa0/2 Desg FWD 19 128.2 P2p

VLAN0011

Spanning tree enabled protocol ieee

Root ID Priority 32779

Address 001d.4635.0c80

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


Bridge ID Priority 32779 (priority 32768 sys-id-ext 11)

Address 001d.4635.0c80

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Desg FWD 19 128.1 P2p

Fa0/2 Desg FWD 19 128.2 P2p

Fa0/9 Desg FWD 19 128.9 P2p

VLAN0012

Spanning tree enabled protocol ieee

Root ID Priority 32780

Address 001d.4635.0c80

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)

Address 001d.4635.0c80

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Desg FWD 19 128.1 P2p

Fa0/2 Desg FWD 19 128.2 P2p

S1#

S1#

S1#show vtp status

VTP Version : 2

Configuration Revision : 2

Maximum VLANs supported locally : 255

Number of existing VLANs : 7

VTP Operating Mode : Server

VTP Domain Name : AnyCompany1


VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x86 0x1A 0x63 0x7B 0x6F 0xDC 0xD9 0x8C

Configuration last modified by 0.0.0.0 at 3-1-93 00:07:14

Local updater ID is 192.168.1.226 on interface Vl1 (lowest numbered VLAN interface found)

S1#

S1#

S1#

S1#show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)

---------------------------------------------------------------------------

Fa0/9 1 1 0 Shutdown

---------------------------------------------------------------------------

Total Addresses in System (excluding one mac per port) : 0

Max Addresses limit in System (excluding one mac per port) : 8320

S1#

S2 Switch Config (2960 – Cisco IOS 12.2) Plus sample command outputs

S2#show running-config

Building configuration...

Current configuration : 2743 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname S2

!

enable secret 5 $1$2NCL$Q/ICmXfABr8mOF70h7H2A0

enable password cisco

!

no aaa new-model


ip subnet-zero

!

no ip domain-lookup

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0/1

switchport mode trunk

!

interface FastEthernet0/2

switchport mode trunk

!

interface FastEthernet0/3

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/4

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/5

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/6

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/7

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/8

switchport access vlan 11


switchport mode access

!

interface FastEthernet0/9

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/10

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/11

switchport access vlan 11

switchport mode access

!

interface FastEthernet0/12

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/13

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/14

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/15

switchport access vlan 12

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0007.e963.ce53

(Note: MAC address is learned dynamically and will vary)

!

interface FastEthernet0/16

switchport access vlan 12

switchport mode access

!


interface FastEthernet0/17

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/18

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/19

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/20

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/21

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/22

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/23

switchport access vlan 12

switchport mode access

!

interface FastEthernet0/24

switchport access vlan 12

switchport mode access

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

ip address 192.168.1.227 255.255.255.248


no ip route-cache

!

ip default-gateway 192.168.1.225

ip http server

!

banner motd ^CCUnauthorized use prohibited^C

!

line con 0

password cisco

login

line vty 0 4

password cisco

login

line vty 5 15

password cisco

login

!

end

S2#

S2#

S2#

S2#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Gi0/1, Gi0/2

11 VLAN0011 active Fa0/3, Fa0/4, Fa0/5, Fa0/6

Fa0/7, Fa0/8, Fa0/9, Fa0/10

Fa0/11

12 VLAN0012 active Fa0/12, Fa0/13, Fa0/14, Fa0/15

Fa0/16, Fa0/17, Fa0/18, Fa0/19

Fa0/20, Fa0/21, Fa0/22, Fa0/23

Fa0/24

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup


S2#

S2#

S2#

S2#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/2 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/2 1-4094

Port Vlans allowed and active in management domain

Fa0/2 1,11-12

Port Vlans in spanning tree forwarding state and not pruned

Fa0/2 1,11-12

S2#

S2#

S2#

S2#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 4097

Address 001d.4635.0c80

Cost 19

Port 2 (FastEthernet0/2)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 001d.4662.7b00

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/2 Root FWD 19 128.2 P2p


VLAN0011

Spanning tree enabled protocol ieee

Root ID Priority 32779

Address 001d.4635.0c80

Cost 19

Port 2 (FastEthernet0/2)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32779 (priority 32768 sys-id-ext 11)

Address 001d.4662.7b00

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/2 Root FWD 19 128.2 P2p

VLAN0012

Spanning tree enabled protocol ieee

Root ID Priority 32780

Address 001d.4635.0c80

Cost 19

Port 2 (FastEthernet0/2)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)

Address 001d.4662.7b00

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/2 Root FWD 19 128.2 P2p

Fa0/15 Desg FWD 19 128.15 P2p

S2#


S2#

S2#

S2#show vtp status

VTP Version : 2

Configuration Revision : 2

Maximum VLANs supported locally : 255

Number of existing VLANs : 7

VTP Operating Mode : Client

VTP Domain Name : AnyCompany1

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xC3 0xA3 0x05 0x9F 0x27 0x3D 0xC0 0x03

Configuration last modified by 0.0.0.0 at 3-1-93 00:12:24

S2#

S2#

S2#

S2#show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)

---------------------------------------------------------------------------

Fa0/15 1 1 0 Shutdown

---------------------------------------------------------------------------

Total Addresses in System (excluding one mac per port) : 0

Max Addresses limit in System (excluding one mac per port) : 8320

S2#

S2#

S2#

S2#