D3 SBA Student Ans Key

CCNA Discovery Introducing Routing and Switching in the Enterprise
Skills-Based Assessment Academy Student Version Answer Key
Grading The exam is divided into two parts. If the exam is conducted in two separate sessions, hand out Part 1 on planning and let the students complete it. Then have them turn in Part 1 so that you can grade it before the second session. Return Part 1 to the students at the start of the second session, which is a hands-on session. If there are problems with the planning in Part 1, the student will know of them before starting on Part 2. If both parts of the exam are done in one session, you should still grade Part 1 before the students start on Part 2. Students must complete Part 1 before starting Part 2. Suggested point totals are listed for the main fill-in-the-blank questions. They currently total 100 points, but can be adjusted or changed as desired. Divide the correct points by the possible points for an overall percentage grade. Exam Time The time allowed to complete Part 1 is 50 minutes. Part 2 takes longer than 50 minutes.
All contents are Copyright 19922010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 41
At the instructors discretion, the amount of time allowed may be adjusted. Part 2 of the exam can be split into two parts to accommodate class schedules. Part 3 begins with Task 8: Configure ACL Security on HQ and R2. To save time and avoid splitting Part 2, have the equipment set up and cabled for the students prior to starting device configuration.
Exam Overview
This skills-based assessment is the final practical exam for the course CCNA Discovery Introducing Routing and Switching in the Enterprise. The exam is divided into two parts, and Part 1 must be completed before Part 2. In Part 1, you develop an IP subnet scheme and document the device interfaces. In Part 2, you cable the network and configure customer routers and switches using Cisco IOS CLI commands. The remote office router routes between the local network and the headquarters router. The headquarters router is configured to provide access to the ISP router. The OSPF routing protocol is used between the remote office and headquarters router. Static routing is used between the headquarters router and the ISP. The instructor will preconfigure the ISP router and erase the startup configuration in the headquarters router and the remote office router prior to starting the exam. When you have completed Part 1, give it to the instructor to check before starting on Part 2. You have 50 minutes to complete Part 1. The instructor will inform you of how Part 2 will be conducted and the time allotted, Instructor Note: For this exam, the ISP router is set up to connect to two sets of student equipment. By adding the second ISP router as shown in the diagram, two additional students can be tested simultaneously using a single Discovery Server. If needed, you can add more ISP routers. Two students can be tested for each ISP router added. See the instructor lab setup diagram and ISP router running-config at the end of this document.
Objectives
Part 1 Create an IP addressing plan and document the network device interfaces. Part 2 Connect and configure the network equipment and verify network connectivity.
Required Equipment
The following equipment is required for each student: ISP router with two serial and two Fast Ethernet interfaces (preconfigured by the instructor) One computer to act as the Discovery Server (using the Discovery Server Live CD). Optionally, the ISP router can be configured with a loopback address. If the loopback address is used, it restricts the protocols that can be filtered using an ACL. One switch or crossover cable to connect the Discovery Server to the ISP router One 1841 HQ router (or other router with two serial interfaces) One 1841 R2 router (or other router with one serial interface and one Fast Ethernet interface) Two Ethernet 2960 switches Two Windows XP-based PCs Cat 5 and serial cabling, as necessary
Page 2 of 41
Skills-Based Assessment Part 1 [52 points]

Develop the IP Addressing Scheme and Assign Interface Addresses
Step 1: Gather required information.
Use the topology diagram at the beginning of the exam and the following information provided by the instructor to document the network. a. You will be working with customer AnyCompanyX, where X is the number assigned by the instructor. Enter the number you are assigned here: AnyCompany___ b. If your local network is connected to the ISP as AnyCompany1, the IP address of the ISP serial 0/0/0 interface is 209.165.201.1/30. If your local network is connected to the ISP as AnyCompany2, the IP address of the ISP serial 0/0/1 interface is 209.165.201.5/30. If more than one ISP router is being used, additional addresses from the 209.165.201.x/30 range are needed. Check with the instructor to verify the ISP serial interface IP address for you to use. Enter the ISP serial interface IP address here: _______________________________ c. The base IP address CIDR block from which you will create the VLSM addressing scheme is based on the AnyCompanyX number that you are assigned. If the local network is AnyCompany1, use 192.168.1.0 /24. If the local network is AnyCompany2, use 192.168.2.0 /24. If more than one ISP router is being used, additional addresses from the 192.168.X.0/24 range are needed. Check with the instructor to verify the correct IP address block for you to use. Enter the base IP address and subnet mask here: ____________________________
Step 2: Determine the size of each VLSM block to accommodate users.

Develop a VLSM subnet scheme that optimally subnets the base address and allows for three VLANs on the local R2 network, the hosts on the HQ local network, and the WAN link between HQ and R2. The HQ router uses NAT/PAT to translate internal client addresses to the external address. a. Determine the size of the subnet address block required for a network area or group of users. Fill in the table with this information.
VLSM Subnet Requirements [7 points, one for each VLSM block size]
Network Area AnyCompanyX block size to subdivide HQ local network R2 local network / VLANs VLAN 1 (Default/Mgmt-IP) VLAN 11 (Dept 1) VLAN 12 (Dept 2) R2 to HQ WAN link Total users and total block sizes Number of Users / IPs N/A 23 5 45 97 2 172 VLSM Block Size / Number of IPs (Powers of 2) 256 (8 bits) 32 8 64 128 4 236
b. To optimally allocate addresses from the /24 address assigned, sort the block sizes from largest to smallest. Use the table below to order the network areas by the VLSM block size. List the blocks starting with the largest to the smallest. [3 points for the correct order]
All contents are Copyright 19922010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 41
Network Area / VLAN R2 VLAN 12 (Dept 2) R2 VLAN 11 (Dept 1) HQ Local network R2 VLAN 1 (Default/Mgmt-IP) R2 HQ Wan link
VLSM Block Size 128 64 32 8 4
Step 3: Allocate blocks of addresses to each area of the network. [15 points, one for each address/prefix, usable range, and subnet mask]
a. Determine which blocks of the CIDR address to assign to each area of the network or VLAN. You may use the CIDR / VLSM subnet chart (Appendix A) to enter the subnet information for each CIDR block. b. Fill in the following table based on the subnet information in the VLSM Subnet Requirements tables above. Instructor note: Answers may vary depending on the VLSM addressing used. The following sample answers in Steps 3, 4, and 5 are for AnyCompany1.
Network Area / VLAN R2 VLAN 12 (Dept 2) R2 VLAN 11 (Dept 1) HQ Local network (simulated with Lo0) R2 VLAN 1 (Default/Mgmt) R2 HQ Wan link Unused IP addresses c.
VLSM Block Size (Number of Addresses) 128 64 32 8 4 20
Subnet Address and Prefix 192.168.1.0 /25 192.168.1.128 /26 192.168.1.192 /27 192.168.1.224/29 192.168.1.232/30
Useable Address Range 192.168.1.1 192.168.1.126 192.168.1.129 192.168.1.190 192.168.1.193 192.168.1.222 192.168.1.225 192.168.1.230 192.168.1.233 192.168.1.234
Subnet Mask 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.248 255.255.255.252
Have the instructor verify that your addressing scheme is accurate and assigns address space efficiently. You should not have any overlapping subnets and should have unused contiguous blocks of addresses that can be used for future growth.
Step 4: Select IP addresses for use when configuring devices. [22 points, one for IP each address and subnet mask]
Select addresses from the block assigned to an area of the network, and fill in the VLSM block size, IP address and subnet mask for each device/interface in the topology. Include the /# bits mask with the IP address These IP addresses are used in Part 2 when you configure the network equipment. Note: When you are finished with this step, check with the instructor before proceeding.
Page 4 of 41
Device Interface / IP Address Chart
Device
HQ-X
Interface
Serial 0/0/0 Serial 0/0/1 (Use the next address compatible with the ISP serial interface address of AnyCompanyX) Loopback0
IP Address
192.168.1.234/30 209.165.201.2/30 (AnyCompany1) 209.165.201.6/30 (AnyCompany2) 192.168.1.193/27 192.168.1.233/30 None 192.168.1.225/29 192.168.1.129/26 192.168.1.1/25 209.165.201.1/30 (AnyCompany1) 209.165.201.5/30 (AnyCompany2) 172.17.0.1
Subnet Mask
255.255.255.252 255.255.255.252
255.255.255.224 255.255.255.252 None 255.255.255.248 255.255.255.192 255.255.255.128 255.255.255.252 255.255.255.252 255.255.0.0
R2
Serial 0/0/0 Fast Ethernet 0/0 Subint Fa0/0.1 Subint Fa0/0.11 Subint Fa0/0.12
ISP ISP
Serial 0/0/0 (pre-configured) Serial 0/0/1 (pre-configured) Fa0/0 (pre-configured default gateway for Discovery Server. Optional if ISP loopback is used.)
S1 S2 H1 H2 Discovery Server (or ISP Loopback address - pre-configured)
VLAN 1 VLAN 1 NIC NIC NIC
192.168.1.226/29 192.168.1.227/29 192.168.1.130/26 192.168.1.2/25 172.17.1.1/16
255.255.255.248 255.255.255.248 255.255.255.192 255.255.255.128 255.255.0.0
Page 5 of 41
Step 5: Create a logical network diagram. [5 points]

Draw a simple logical network diagram of your AnyCompanyX network. Include the ISP router, the two AnyCompanyX routers (HQ and R2), the switches, the two host computers, the three VLANs, and the Discovery Server. Write the IP address and /# bits subnet mask next to each interface, device, or VLAN using the addresses identified in Step 4. This information is used to configure the AnyCompanyX routers and switches in Part 2 of the exam. Be sure to include the subinterfaces on R2.
Logical Network Diagram for AnyCompany____ (enter number)
Step 6: Check your work with the instructor before going on to Part 2.
Page 6 of 41
Note: This is a sample diagram for the instructor version only. IP addresses may vary based on the VLSM addressing scheme used. If the student desires, interfaces on switch ports may be shown, but are not part of the logical diagram because they do not have IP addresses assigned.
Page 7 of 41
Skills-Based Assessment Part 2 [48 points]

Instructor note: Part 2 of the exam may be split into two parts to accommodate class schedules. Part 3 would begin with Task 8: Configure ACL Security on HQ and R2. To save time and avoid splitting this part of the exam, have the equipment set up and cabled for the students prior to starting device configuration. Before students start Part 2, configure the ISP router. (See running-config at end of lab.)
Task 1: Build the Network and Connect the Cables

Using the topology diagram provided at the beginning of Part 1 and the logical network diagram you created in Step 5, build the network. Connect the AnyCompanyX network HQ-X router to the appropriate ISP router interface: Serial 0/0/0 for AnyCompany1 or S0/0/1 for AnyCompany2 (unless instructed otherwise by the instructor). The ISP router and the Discovery Server should be preconfigured by the instructor. Instructor note: If the ISP router is configured with a loopback address in lieu of the Discovery Server, the HTTP service in the router must be enabled. Note: Make sure that the routers and the switches have been erased and have no startup configurations. The IP addresses used to configure the devices in the following tasks are based on your solution for the VLSM scheme in Part 1.
Task 2: Configure the HQ Router

Step 1: Configure the router.
Assign the host name HQ-X (where X is the number of AnyCompanyX) and the passwords. Configure no domain lookup, and specify the message-of-the-day as Unauthorized use prohibited. Router(config)#hostname HQ-1 HQ-1(config)#line console 0 HQ-1(config-line)#password cisco HQ-1(config-line)#login HQ-1(config-line)#line vty 0 4 HQ-1(config-line)#password cisco HQ-1(config-line)#login HQ-1(config-line)#exit HQ-1(config)#enable secret class HQ-1(config)#no ip domain-lookup HQ-1(config)#banner motd #Unauthorized use prohibited#
Step 2: Configure the HQ router serial and loopback interfaces.

The WAN link from HQ to R2 uses default Cisco HDLC encapsulation. The WAN link from HQ to ISP uses PPP with CHAP authentication. The ISP provides the clocking for the HQ router. Refer to the topology diagram at the beginning of Part 1 for other DTE/DCE settings. HQ-1(config)#interface s0/0/0 HQ-1(config-if)#ip address 192.168.1.234 255.255.255.252 HQ-1(config-if)#clock rate 64000 HQ-1(config-if)#no shutdown HQ-1(config-if)#interface s0/0/1 HQ-1(config-if)#ip address 209.165.201.2 255.255.255.252 HQ-1(config-if)#encapsulation ppp HQ-1(config-if)#ppp authentication chap HQ-1(config-if)#no shutdown HQ-1(config-if)#interface lo0 HQ-1(config-if)#ip address 192.168.1.193 255.255.255.224
Page 8 of 41
Step 3: Create the CHAP user ID and password.

For CHAP authentication, configure a username for the ISP router on the HQ router with a password of cisco. HQ-1(config)#username ISP password cisco
Step 4: Configure OSPF routing for Area 0 on HQ.

HQ-1(config)#router ospf 1 HQ-1(config-router)#network 192.168.1.232 0.0.0.3 area 0 HQ-1(config-router)#network 209.165.201.0 0.0.0.3 area 0 HQ-1(config-router)#network 192.168.1.192 0.0.0.31 area 0
Step 5: Configure a default route to the ISP on HQ and propagate this route to R2 using OSPF.
HQ-1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/1 HQ-1(config)#router ospf 1 HQ-1(config-router)#default-information originate
Step 6: Configure overloaded NAT (PAT) on HQ.

a. Use the IP address on the serial port that connects to the ISP as the overloaded address. b. Specify the inside and outside NAT interfaces. c. Permit the entire 192.168.X.0/24 address space to be translated (where X is the number assigned to AnyCompany). HQ-1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 HQ-1(config)#ip nat inside source list 1 interface s0/0/1 overload HQ-1(config)#interface s0/0/0 HQ-1(config-if)#ip nat inside HQ-1(config-if)#interface lo0 HQ-1(config-if)#ip nat inside HQ-1(config-if)#interface s0/0/1 HQ-1(config-if)#ip nat outside
Step 7: Save the router running-config configuration to startup-config.
Task 3: Configure the Remote Office Router

Step 1: Configure basic setting for the R2 router.
Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as Unauthorized use prohibited.
Step 2: Configure the R2 Fast Ethernet subinterfaces and serial interfaces.

Define the Fast Ethernet subinterfaces to match the numbers of the VLANs they represent. They should also use 802.1Q encapsulation. VLAN 1 is the native VLAN. R2(config)#interface fa0/0 R2(config-if)#no shutdown R2(config-if)#interface fa0/0.1 R2(config-subif)#encapsulation dot1Q 1 R2(config-subif)#ip address 192.168.1.225 255.255.255.248 R2(config-subif)#interface fa0/0.11 R2(config-subif)#encapsulation dot1Q 11 R2(config-subif)#ip address 192.168.1.129 255.255.255.192
R2(config-subif)#interface fa0/0.12 R2(config-subif)#encapsulation dot1Q 12 R2(config-subif)#ip address 192.168.1.1 255.255.255.128 R2(config-subif)#interface s0/0/0 R2(config-if)#ip address 192.168.1.233 255.255.255.252 R2(config-if)#no shutdown
Step 3: Configure OSPF routing for Area 0 on R2.

Specify the subnet for each R2 interface using the appropriate wildcard mask. R2(config)#router ospf 1 R2(config-router)#network R2(config-router)#network R2(config-router)#network R2(config-router)#network 192.168.1.0 0.0.0.127 area 0 192.168.1.128 0.0.0.63 area 0 192.168.1.224 0.0.0.7 area 0 192.168.1.232 0.0.0.3 area 0
Step 4: Save the router running-config configuration to startup-config.
Task 4: Configure the Remote Office Switch S1

Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.
Step 1: Configure the basic settings on the S1 switch.

Step 2: Configure the VLANs for S1.

Use the VLAN numbers and names in the following table, and assign the ports to each VLAN as indicated. Use this table to configure switch S2 in Task 5. VLAN Number VLAN 1 (default VLAN) VLAN 11 (Dept 1 users) VLAN 12 (Dept 2 users) VLAN Name default Dept1 Dept2 Ports Assigned None 3 to 11 12 to 24 Notes VLAN 1 cannot be renamed
S1(config)#vlan 11 S1(config-vlan)#name Dept1 S1(config-vlan)#vlan 12 S1(config-vlan)#name Dept2 S1(config-vlan)#exit S1(config-if-range)#interface range fa0/3-11 S1(config-if-range)#switchport mode access S1(config-if-range)#switchport access vlan 11 S1(config-if-range)#interface range fa0/12-24 S1(config-if-range)#switchport mode access S1(config-if-range)#switchport access vlan 12 S1(config-if-range)#exit
Page 10 of 41
Step 3: Assign an IP address to the Management VLAN 1 on S1.

Assign the VLAN 1 address according to the Device Interface / IP Address chart in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1. S1(config-if)#interface vlan1 S1(config-if)#ip address 192.168.1.226 255.255.255.248 S1(config-if)#no shutdown S1(config-if)#exit S1(config)#ip default-gateway 192.168.1.225
Step 4: Configure S1 switch ports.

Configure switch ports Fa0/1 and Fa0/2 as 802.1Q trunks so that they can carry VLAN information. S1(config)#interface fa0/1 S1(config-if)#switchport mode trunk S1(config-if)#interface fa0/2 S1(config-if)#switchport mode trunk
Step 5: Configure S1 as the root switch for STP.

Change the priority of native VLAN 1 so that it becomes the root switch.
S1(config)#spanning-tree vlan 1 priority 4096
Step 6: Configure a VTP domain.

Configure the AnyCompanyX domain name on S1 and assign the password cisco. S1(config)#vtp domain AnyCompany1 S1(config)#vtp mode server S1(config)#vtp password cisco
Step 7: Configure switch port security.

Configure port security for port Fa0/9 on switch S1. When port security is configured, connecting any other host disables the port. S1(config)#interface fa0/9 S1(config-if)#shutdown S1(config-if)#switchport port-security S1(config-if)#switchport port-security mac-address sticky S1(config-if)#no shutdown S1(config-if)#end
Step 8: Save the S1 switch running-config configuration to startup-config.
Task 5: Configure the Remote Office Switch S2

Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.
Step 1: Configure the basic settings on the S2 switch.

Step 2: Configure a VTP domain.

Configure the AnyCompanyX domain name on S2 and assign the password cisco.
S2(config)#vtp domain AnyCompany1 S2(config)#vtp mode client S2(config)#vtp password cisco
Step 3: Assign ports to the VLANs.

Use the information in the table in Task 4, Step 2 to assign ports to the VLANs. S2(config-if-range)#interface range fa0/3-11 S2(config-if-range)#switchport mode access S2(config-if-range)#switchport access vlan 11 S2(config-if-range)#interface range fa0/12-24 S2(config-if-range)#switchport mode access S2(config-if-range)#switchport access vlan 12 S2(config-if-range)#exit
Step 4: Assign an IP address to the Management VLAN 1 on S2.

Assign the VLAN 1 address according to the Device Interface / IP Address table in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1. S2(config-if)#interface vlan1 S2(config-if)#ip address 192.168.1.227 255.255.255.248 S2(config-if)#no shutdown S2(config-if)#exit S2(config)#ip default-gateway 192.168.1.225
Step 5: Configure switch port Fa0/2 as an 802.1Q trunk to carry VLAN information.
S2(config)#interface fa0/1 S2(config-if)#switchport mode trunk S2(config-if)#interface fa0/2 S2(config-if)#switchport mode trunk
Step 6: Configure switch port security.

Configure port security for port Fa0/15 on switch S2. When port security is configured, connecting any other host disables the port. S2(config)#interface fa0/15 S2(config-if)#shutdown S2(config-if)#switchport port-security S2(config-if)#switchport port-security mac-address sticky S2(config-if)#no shutdown S2(config-if)#end
Step 7: Save the S2 switch running-config configuration to startup-config.
Task 6: Configure Host IP Addresses

Configure each host IP address, subnet mask, and default gateway using the information in the Device Interface / IP Address chart in Part 1, Step 4.
Page 12 of 41
Task 7: Verify Device Configurations and Basic Connectivity [33 points, one for each item verified with command output and checked by instructor]
Before configuring ACLs in the next task, verify the items listed in the table and indicate which command you used. Include the IP address to be pinged when verifying connectivity. Have the instructor check off each item when verified. Instructor note: Other commands than the ones listed may be used if they verify the same information. See the end of the lab for the show-run output and sample output for other commands on HQ, R2, S1, and S2.
Configuration Items to Verify

HQ basic config (host, pass, IPs) HQ routing table (OSPF, static/default) HQ NAT config (ACL, interfaces, etc.) R2 basic config (host, pass, IPs) R2 routing table (OSPF, static/default) R2 subinterfaces on Fa0/0 R2 subinterfaces encapsulation S1 basic config (host, pass, IPs) S1 VLANs S1 ports in correct VLANs S1 802.1Q trunk ports S1 is root switch S1 is VTP server S1 port security
Command Used
show running-config show ip route show running-config show show show show running-config ip route vlans vlans
Check
show running-config show vlan brief show vlan brief show interfaces trunk show spanning-tree show vtp status show running-config, show port-security show running-config show vlan brief show vlan brief show interfaces trunk show vtp status show running-config, show port-security
S2 basic config (host, pass, IPs) S2 VLANs S2 ports in correct VLANs S2 802.1Q trunk ports S2 is VTP client S2 port security
Connectivity Items to Verify

Ping S1 from H1 and H2 Ping S2 from H1 and H2 Ping R2 default gateway from H1 and H2 Ping R2 default gateway from S1 and S2 Ping from H1 to H2 (between VLANs) Ping HQ from R2 Ping from H1 and H2 to HQ S0/0/0 Ping from H1 and H2 to HQ Lo0 (HQ LAN) Ping from H1 and H2 to ISP S0/0/0 Ping from H1 and H2 to ISP Discovery Server Web browser from H1 and H2 to Discovery Server (or ISP router Loopback) Ping ping ping ping ping ping ping ping ping ping IP IP IP IP IP IP IP IP IP IP address address address address address address address address address address
Internet Explorer or other browser to IP address

Page 13 of 41
Configuration Items to Verify

Telnet from H1 and H2 to HQ and R2 Verify HQ NAT translations (display translations after ping, telnet and web browser from H1 or H2 to ISP loopback or Discovery Server)
Command Used
telnet IP address show ip nat translations
Check
Task 8: Configure ACL Security on HQ and R2

Note: The following commands are based on IP address ranges for one possible solution to the VLSM scheme in Part 1 of the lab.
Step 1: Create and apply an numbered extended ACL on R2. [6 points, one for each instructor check]
The ACL must allow web requests and pings to leave the R2 network if they originated from any location within the R2 AnyCompanyX network. Telnet traffic is permitted if it originates in VLAN 11, and FTP traffic (FTP control and FTP data) is permitted if it originates in VLAN 12. All other traffic is denied. a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to the appropriate R2 interface. Include remarks in your ACL to document what it is doing. Have the instructor verify the ACL statements and placement. __________ Instructor check. Example ACL: R2(config)#access-list R2(config)#access-list R2(config)#access-list R2(config)#access-list R2(config)#access-list R2(config)#access-list R2(config)#access-list R2(config)#access-list data R2(config)#access-list R2(config)#access-list 101 101 101 101 101 101 101 101 remark permit remark permit remark permit remark permit allow web access for R2 internal network tcp 192.168.1.0 0.0.0.255 any eq www allow pings for R2 internal network icmp 192.168.1.0 0.0.0.255 any allow telnet for VLAN 11 tcp 192.168.1.128 0.0.0.63 any eq telnet allow FTP for VLAN 12 tcp 192.168.1.0 0.0.0.127 any eq ftp-
101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp 101 deny ip any any
R2(config)#interface Serial0/0/0 R2(config)#ip access-group 101 out b. Test the ACL by pinging from H1 and H2 to the ISP loopback address or the IP address of the Discovery Server. Have the instructor verify. _______ Instructor check. Pings should be successful. c. Using a browser from H1 and H2, enter the ISP router Loopback0 address or the IP address of the Discovery Server. Have the instructor verify. _________ Instructor check. Should be able to get to the login screen of the router HTTP/SDM interface or the default web page on the Discovery Server.
d. Telnet from host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. You should not be able to telnet from a host in VLAN 12. Have the instructor verify. _______ Instructor check. The R2 ACL blocks telnet from VLAN 12 hosts. Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. You should be able to telnet from any host in VLAN 11. Have the instructor verify. _______ Instructor check. The R2 ACL permits telnet from VLAN 11 hosts. e. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check.
Page 14 of 41
R2#show access-lists Extended IP access list 101 10 permit tcp 192.168.1.0 0.0.0.255 any eq www (10 matches) 20 permit icmp 192.168.1.0 0.0.0.255 any (4 matches) 30 permit tcp 192.168.1.128 0.0.0.63 any eq telnet (6 matches) 40 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data 50 permit tcp 192.168.1.0 0.0.0.127 any eq ftp 60 deny ip any any (6 matches)
Step 2: Create and apply a standard ACL to control vty access to the HQ router. [4 points, one for each instructor check]
The ACL should deny vty access for all hosts from any network or interface to the HQ router, except for host H1 on VLAN 11. a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to vty lines 0 through 4 on the HQ router. Have the instructor verify the ACL statements and placement. __________ Instructor check. HQ-1(config)#access-list 2 permit host 192.168.1.130 HQ-1(config)#access-list 2 deny any HQ-1(config)#line vty 0 4 HQ-1(config-line)#access-class 2 in b. Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Have the instructor verify. _______ Instructor check. The HQ vty ACL permits telnet from host H1. c. Change the IP address of H1 to another address that is on VLAN 11, and telnet again from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Have the instructor verify. _______ Instructor check. The HQ vty ACL denies telnet from any host IP address other than the original one for H1.
Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check. HQ-1#sh access-lists Standard IP access list 1 10 permit 192.168.1.0, wildcard bits 0.0.0.255 (20 matches) Standard IP access list 2 10 permit 192.168.1.130 (2 matches) 20 deny any (6 matches)
Step 3: On R2 and HQ, save the router running configuration to NVRAM. Step 4: Save the running configurations for each networking device to a file. [5 points]
Save the output from HQ-X, R2, S1, and S2 to a single text file on your desktop and name it XXX-D3-SBAConfigs.txt (where XXX are your initials). Show it to the instructor. _________ Instructor check.
Page 15 of 41
Appendix A
Instructor note: For student version of lab, remove the values and colors from the body of the chart. Leave the headings in bold for the first 3 rows and the words Subnet # (octets 3&4) in row 5, column 1. Remove the Possible Solution at the end of this spreadsheet.
CIDR / VLSM Subnet Chart

AnyCompanyX ____ Base Address: ________________ (192.168.X.0) CIDR mask Dot mask (octets 3&4) Number of hosts possible /24 255.0 256 /25 255.128 128 /26 255.192 64 /27 255.224 32 Subnet Mask: 255.255.255.0 /28 255.240 16 /29 255.248 8 /30 255.252 4
Subnet # (octets 3 & 4)
1.0
1.0
1.0
1.0
1.0
1.0
1.0 1.4
1.8
1.8 1.12
1.16
1.16
1.16 1.20
1.24
1.24 1.28
1.32
1.32
1.32
1.32 1.36
1.40
1.40 1.44
1.48
1.48
1.48 1.52
1.56
1.56 1.60
1.64
1.64
1.64
1.64
1.64 1.68
1.72
1.72 1.76
1.8
1.80
1.80 1.84
1.88
1.88 1.92
1.96
1.96
1.96 . 1.104
1.96 1.100 1.104 1.108
1.112
1.112
1.112 1.116
1.120
1.120 1.124
Page 16 of 41
1.128
1.128
1.128
1.128
1.128
1.128 1.132
1.136
1.136 1.140
1.144
1.144
1.144 1.148
1.152
1.152 1.156
1.160
1.160
1.160
1.160 1.164
1.168
1.168 1.172
1.176
1.176
1.176 1.180
1.184
1.184 1.188
1.192
1.192
1.192
1.192
1.192 1.196
1.200
1.200 1.204
1.208
1.208 1.212
1.216
1.216 1.220
1.224
1.224
1.224
1.224 1.228
1.232
1.232 1.236
1.240
1.240
1.240 1.244
1.248
1.248 1.252
Possible Solution Color code Area / VLAN R2 VLAN 12 R2 VLAN 11 HQ Network R2 VLAN 1 R2/HQ WAN link Unused addresses Total Block size 128 64 32 8 4 20 256 Subnet / Prefix 192.168.1.0/25 192.168.1.128/26 192.168.1.192/27 192.168.1.224/27 192.168.1.232/27
Page 17 of 41
Appendix B
HQ-1 Router Config (1841 Cisco IOS 12.4) Plus sample command outputs
Instructor note: Config items to be tested are highlighted in green HQ-1#show running-config Building configuration...
Current configuration : 1650 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname HQ-1 ! enable secret 5 $1$k611$ET5OUWkjhCLvgkWJg36yQ0 enable password cisco ! no ip domain lookup ! username ISP-A password 0 cisco ! interface Loopback0 ip address 192.168.1.193 255.255.255.224 ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto !
Page 18 of 41
interface Serial0/0/0 ip address 192.168.1.234 255.255.255.252 ip nat inside clock rate 64000 ! interface Serial0/0/1 ip address 209.165.201.2 255.255.255.252 ip nat outside encapsulation ppp ppp authentication chap ! interface Vlan1 no ip address ! router ospf 1 log-adjacency-changes network 192.168.1.192 0.0.0.31 area 0 network 192.168.1.232 0.0.0.3 area 0 network 209.165.201.0 0.0.0.3 area 0 default-information originate ! ip route 0.0.0.0 0.0.0.0 Serial0/0/1 ! ! ip http server no ip http secure-server ip nat inside source list 1 interface Serial0/0/1 overload ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 2 permit 192.168.1.130 access-list 2 deny ! banner motd ^CUnauthorized use prohibited^C ! line con 0 password cisco login line aux 0 any
Page 19 of 41
line vty 0 4 access-class 2 in password cisco login ! end
HQ-1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks C C 209.165.201.1/32 is directly connected, Serial0/0/1 209.165.201.0/30 is directly connected, Serial0/0/1 192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks O C O O O S* HQ-1# 192.168.1.0/25 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0 192.168.1.232/30 is directly connected, Serial0/0/0 192.168.1.224/29 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0 192.168.1.224/29 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0 192.168.1.128/26 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0 0.0.0.0/0 is directly connected, Serial0/0/1
HQ-1#show ip nat translations Pro Inside global Inside local Outside local 172.17.1.1:512 172.17.1.1:80 Outside global 172.17.1.1:512 172.17.1.1:80 172.17.1.1:23
icmp 209.165.201.2:512 192.168.1.2:512 tcp 209.165.201.2:1090 192.168.1.2:1090
tcp 209.165.201.2:1175 192.168.1.130:1175 172.17.1.1:23 HQ-1#
Page 20 of 41
R2 Router Config (1841 Cisco IOS 12.4) Plus sample command outputs
R2#show running-config Building configuration...
Current configuration : 2062 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R2 ! enable secret 5 $1$wQ9o$JKvDTtgVJY9qSV1KB6mZ7/ enable password cisco ! no ip domain lookup ! interface FastEthernet0/0 no ip address duplex auto speed auto ! interface FastEthernet0/0.1 encapsulation dot1Q 1 native ip address 192.168.1.225 255.255.255.248 ! interface FastEthernet0/0.11 encapsulation dot1Q 11 ip address 192.168.1.129 255.255.255.192 ! interface FastEthernet0/0.12 encapsulation dot1Q 12 ip address 192.168.1.1 255.255.255.128 ! interface FastEthernet0/1 no ip address
shutdown duplex auto speed auto ! interface Serial0/0/0 ip address 192.168.1.233 255.255.255.252 ip access-group 101 out no fair-queue ! interface Serial0/0/1 no ip address shutdown ! interface Vlan1 no ip address ! router ospf 1 log-adjacency-changes network 192.168.1.0 0.0.0.127 area 0 network 192.168.1.128 0.0.0.63 area 0 network 192.168.1.224 0.0.0.7 area 0 network 192.168.1.232 0.0.0.3 area 0 ! ip http server no ip http secure-server ! access-list 101 remark allow web access for R2 internal network access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www access-list 101 remark allow pings for R2 internal network access-list 101 permit icmp 192.168.1.0 0.0.0.255 any access-list 101 remark allow telnet for VLAN 11 access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet access-list 101 remark allow FTP for VLAN 12 access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp access-list 101 deny ! ! ip any any
Page 22 of 41
banner motd ^CUnauthorized use prohibited^C ! line con 0 password cisco login line aux 0 line vty 0 4 password cisco login ! end
R2#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.234 to network 0.0.0.0
209.165.201.0/30 is subnetted, 1 subnets O 209.165.201.0 [110/128] via 192.168.1.234, 03:01:40, Serial0/0/0 192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks C C C O C 192.168.1.0/25 is directly connected, FastEthernet0/0.12 192.168.1.232/30 is directly connected, Serial0/0/0 192.168.1.224/29 is directly connected, FastEthernet0/0.1 192.168.1.193/32 [110/65] via 192.168.1.234, 03:01:40, Serial0/0/0 192.168.1.128/26 is directly connected, FastEthernet0/0.11
O*E2 0.0.0.0/0 [110/1] via 192.168.1.234, 03:01:40, Serial0/0/0
R2#sh vlans
Page 23 of 41
Virtual LAN ID:
1 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface:
FastEthernet0/0.1
This is configured as native Vlan for the following interface(s) : FastEthernet0/0
Protocols Configured: IP Other
Address: 192.168.1.225
Received: 2211 0
Transmitted: 2194 384
3376 packets, 706302 bytes input 2578 packets, 327975 bytes output
Virtual LAN ID:
FastEthernet0/0.11
Address: 192.168.1.129
Received: 512 0
Virtual LAN ID:
FastEthernet0/0.12
Address: 192.168.1.1
Received: 23016 0
ISP-A Router Config (1841 Cisco IOS 12.4) Plus sample command outputs. Configured by instructor
Page 24 of 41
ISP-A#sh running-config Building configuration...
Current configuration : 1467 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname ISP-A ! enable secret 5 $1$9Vz7$DM5oMilgvcjBS5O/ojl2Z. enable password cisco ! no ip domain lookup ! username HQ-1 password 0 cisco username HQ-2 password 0 cisco ! interface FastEthernet0/0 description Gateway for ISP Web Server ip address 172.17.0.1 255.255.0.0 duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface Serial0/0/0 description Connection to AnyCompany1 network ip address 209.165.201.1 255.255.255.252 encapsulation ppp no fair-queue ppp authentication chap
Page 25 of 41
! interface Serial0/0/1 description Connection to AnyCompany2 network ip address 209.165.201.5 255.255.255.252 encapsulation ppp clock rate 64000 ppp authentication chap ! interface Vlan1 no ip address ! ip route 209.165.201.0 255.255.255.252 Serial0/0/0 ip route 209.165.201.4 255.255.255.252 Serial0/0/1 ! ! ip http server no ip http secure-server ! banner motd ^CUnauthorized use prohibited^C ! line con 0 password cisco login line aux 0 line vty 0 4 password cisco login ! scheduler allocate 20000 1000 end
Note: AnyCompany2 is not connected, so the route to 209.165.201.4/30 is not present in the routing table. ISP-A#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
Page 26 of 41
E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/16 is directly connected, Loopback0 209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C C
209.165.201.0/30 is directly connected, Serial0/0/0 209.165.201.2/32 is directly connected, Serial0/0/0
S1 Switch Config (2960 Cisco IOS 12.2) Plus sample command outputs
S1#show running-config Building configuration...
Current configuration : 2780 bytes ! version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname S1 ! enable secret 5 $1$hhGK$.eOmFIEBgkDnl.Gm6MkyD1 enable password cisco ! no aaa new-model ip subnet-zero ! no ip domain-lookup ! spanning-tree mode pvst spanning-tree extend system-id spanning-tree vlan 1 priority 4096 ! vlan internal allocation policy ascending
! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/2 switchport mode trunk ! interface FastEthernet0/3 switchport access vlan 11 switchport mode access ! interface FastEthernet0/4 switchport access vlan 11 switchport mode access ! interface FastEthernet0/5 switchport access vlan 11 switchport mode access ! interface FastEthernet0/6 switchport access vlan 11 switchport mode access ! interface FastEthernet0/7 switchport access vlan 11 switchport mode access ! interface FastEthernet0/8 switchport access vlan 11 switchport mode access ! interface FastEthernet0/9 switchport access vlan 11 switchport mode access switchport port-security switchport port-security mac-address sticky switchport port-security mac-address sticky 000b.db04.a5cd (Note: MAC address is learned dynamically and will vary)
! interface FastEthernet0/10 switchport access vlan 11 switchport mode access ! interface FastEthernet0/11 switchport access vlan 11 switchport mode access ! interface FastEthernet0/12 switchport access vlan 12 switchport mode access ! interface FastEthernet0/13 switchport access vlan 12 switchport mode access ! interface FastEthernet0/14 switchport access vlan 12 switchport mode access ! interface FastEthernet0/15 switchport access vlan 12 switchport mode access ! interface FastEthernet0/16 switchport access vlan 12 switchport mode access ! interface FastEthernet0/17 switchport access vlan 12 switchport mode access ! interface FastEthernet0/18 switchport access vlan 12 switchport mode access ! interface FastEthernet0/19
Page 29 of 41
switchport access vlan 12 switchport mode access ! interface FastEthernet0/20 switchport access vlan 12 switchport mode access ! interface FastEthernet0/21 switchport access vlan 12 switchport mode access ! interface FastEthernet0/22 switchport access vlan 12 switchport mode access ! interface FastEthernet0/23 switchport access vlan 12 switchport mode access ! interface FastEthernet0/24 switchport access vlan 12 switchport mode access ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 ip address 192.168.1.226 255.255.255.248 no ip route-cache ! ip default-gateway 192.168.1.225 ip http server ! banner motd ^CCUnauthorized use prohibited^C ! line con 0 password cisco
Page 30 of 41
login line vty 0 4 password cisco login line vty 5 15 password cisco login ! end
S1#
S1#show vlan brief
VLAN Name
Status
Ports
---- -------------------------------- --------- ------------------------------1 11 default Dept1 active active Gi0/1, Gi0/2 Fa0/3, Fa0/4, Fa0/5, Fa0/6 Fa0/7, Fa0/8, Fa0/9, Fa0/10 Fa0/11 12 Dept2 active Fa0/12, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Fa0/24 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default S1# S1# S1#show interfaces trunk act/unsup act/unsup act/unsup act/unsup
Port Fa0/1 Fa0/2
Mode on on
Encapsulation 802.1q 802.1q
Status trunking trunking
Native vlan 1 1
Port Fa0/1
Vlans allowed on trunk 1-4094
Page 31 of 41
Fa0/2
1-4094
Port Fa0/1 Fa0/2
Vlans allowed and active in management domain 1,11-12 1,11-12
Port Fa0/1 Fa0/2 S1# S1#
Vlans in spanning tree forwarding state and not pruned 1,11-12 1,11-12
S1#show spanning-tree
VLAN0001 Spanning tree enabled protocol ieee Root ID Priority Address 4097 001d.4635.0c80
This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
Priority Address Hello Time
4097
(priority 4096 sys-id-ext 1)
001d.4635.0c80 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/1 Fa0/2 Desg FWD 19 Desg FWD 19 128.1 128.2 P2p P2p
Page 32 of 41
Bridge ID
32779
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/1 Fa0/2 Fa0/9 Desg FWD 19 Desg FWD 19 Desg FWD 19 128.1 128.2 128.9 P2p P2p P2p
Bridge ID
32780
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/1 Fa0/2 Desg FWD 19 Desg FWD 19 128.1 128.2 P2p P2p
S1# S1# S1#show vtp status VTP Version Configuration Revision : 2 : 2
Maximum VLANs supported locally : 255 Number of existing VLANs VTP Operating Mode VTP Domain Name : 7 : Server : AnyCompany1
Page 33 of 41
VTP Pruning Mode VTP V2 Mode VTP Traps Generation MD5 digest
: Disabled : Disabled : Disabled : 0x86 0x1A 0x63 0x7B 0x6F 0xDC 0xD9 0x8C
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:14 Local updater ID is 192.168.1.226 on interface Vl1 (lowest numbered VLAN interfa ce found) S1# S1# S1# S1#show port-security Secure Port MaxSecureAddr (Count) CurrentAddr (Count) SecurityViolation (Count) Security Action
--------------------------------------------------------------------------Fa0/9 1 1 0 Shutdown
--------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8320 S1# 7677777767
S2 Switch Config (2960 Cisco IOS 12.2) Plus sample command outputs
S2#show running-config Building configuration...
Current configuration : 2743 bytes ! version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname S2 ! enable secret 5 $1$2NCL$Q/ICmXfABr8mOF70h7H2A0 enable password cisco ! no aaa new-model
ip subnet-zero ! no ip domain-lookup ! no file verify auto spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/2 switchport mode trunk ! interface FastEthernet0/3 switchport access vlan 11 switchport mode access ! interface FastEthernet0/4 switchport access vlan 11 switchport mode access ! interface FastEthernet0/5 switchport access vlan 11 switchport mode access ! interface FastEthernet0/6 switchport access vlan 11 switchport mode access ! interface FastEthernet0/7 switchport access vlan 11 switchport mode access ! interface FastEthernet0/8 switchport access vlan 11
Page 35 of 41
switchport mode access ! interface FastEthernet0/9 switchport access vlan 11 switchport mode access ! interface FastEthernet0/10 switchport access vlan 11 switchport mode access ! interface FastEthernet0/11 switchport access vlan 11 switchport mode access ! interface FastEthernet0/12 switchport access vlan 12 switchport mode access ! interface FastEthernet0/13 switchport access vlan 12 switchport mode access ! interface FastEthernet0/14 switchport access vlan 12 switchport mode access ! interface FastEthernet0/15 switchport access vlan 12 switchport mode access switchport port-security switchport port-security mac-address sticky switchport port-security mac-address sticky 0007.e963.ce53 (Note: MAC address is learned dynamically and will vary) ! interface FastEthernet0/16 switchport access vlan 12 switchport mode access !
Page 36 of 41
interface FastEthernet0/17 switchport access vlan 12 switchport mode access ! interface FastEthernet0/18 switchport access vlan 12 switchport mode access ! interface FastEthernet0/19 switchport access vlan 12 switchport mode access ! interface FastEthernet0/20 switchport access vlan 12 switchport mode access ! interface FastEthernet0/21 switchport access vlan 12 switchport mode access ! interface FastEthernet0/22 switchport access vlan 12 switchport mode access ! interface FastEthernet0/23 switchport access vlan 12 switchport mode access ! interface FastEthernet0/24 switchport access vlan 12 switchport mode access ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 ip address 192.168.1.227 255.255.255.248
Page 37 of 41
no ip route-cache ! ip default-gateway 192.168.1.225 ip http server ! banner motd ^CCUnauthorized use prohibited^C ! line con 0 password cisco login line vty 0 4 password cisco login line vty 5 15 password cisco login ! end
S2# S2# S2# S2#show vlan brief
VLAN Name
Status
Ports
---- -------------------------------- --------- ------------------------------1 11 default VLAN0011 active active Fa0/1, Gi0/1, Gi0/2 Fa0/3, Fa0/4, Fa0/5, Fa0/6 Fa0/7, Fa0/8, Fa0/9, Fa0/10 Fa0/11 12 VLAN0012 active Fa0/12, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Fa0/24 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default act/unsup act/unsup act/unsup act/unsup
Page 38 of 41
S2# S2# S2# S2#show interfaces trunk
Port Fa0/2
Mode on
Encapsulation 802.1q
Status trunking
Native vlan 1
Port Fa0/2
Vlans allowed on trunk 1-4094
Port Fa0/2
Vlans allowed and active in management domain 1,11-12
Port Fa0/2 S2# S2# S2#
Vlans in spanning tree forwarding state and not pruned 1,11-12
S2#show spanning-tree
VLAN0001 Spanning tree enabled protocol ieee Root ID Priority Address Cost Port Hello Time 4097 001d.4635.0c80 19 2 (FastEthernet0/2) 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
32769
001d.4662.7b00 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/2 Root FWD 19 128.2 P2p
Page 39 of 41
Bridge ID
32779
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/2 Root FWD 19 128.2 P2p
Bridge ID
32780
Aging Time 300
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Fa0/2 Fa0/15 Root FWD 19 Desg FWD 19 128.2 128.15 P2p P2p
S2#
Page 40 of 41
S2# S2# S2#show vtp status VTP Version Configuration Revision : 2 : 2
Maximum VLANs supported locally : 255 Number of existing VLANs VTP Operating Mode VTP Domain Name VTP Pruning Mode VTP V2 Mode VTP Traps Generation MD5 digest : 7 : Client : AnyCompany1 : Disabled : Disabled : Disabled : 0xC3 0xA3 0x05 0x9F 0x27 0x3D 0xC0 0x03
Configuration last modified by 0.0.0.0 at 3-1-93 00:12:24 S2# S2# S2# S2#show port-security Secure Port MaxSecureAddr (Count) CurrentAddr (Count) SecurityViolation (Count) Security Action
--------------------------------------------------------------------------Fa0/15 1 1 0 Shutdown
--------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8320 S2# S2# S2# S2#
Page 41 of 41

D3 SBA Student Ans Key

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

D3 SBA Student Ans Key

Hochgeladen von

Copyright:

Verfügbare Formate

CCNA Discovery Introducing Routing and Switching in the Enterprise

Skills-Based Assessment Academy Student Version Answer Key

Skills-Based Assessment Part 1 [52 points]

Step 2: Determine the size of each VLSM block to accommodate users.

VLSM Block Size 128 64 32 8 4

VLSM Block Size (Number of Addresses) 128 64 32 8 4 20

Subnet Mask 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.248 255.255.255.252

Device Interface / IP Address Chart

255.255.255.224 255.255.255.252 None 255.255.255.248 255.255.255.192 255.255.255.128 255.255.255.252 255.255.255.252 255.255.0.0

S1 S2 H1 H2 Discovery Server (or ISP Loopback address - pre-configured)

VLAN 1 VLAN 1 NIC NIC NIC

192.168.1.226/29 192.168.1.227/29 192.168.1.130/26 192.168.1.2/25 172.17.1.1/16

255.255.255.248 255.255.255.248 255.255.255.192 255.255.255.128 255.255.0.0

Step 5: Create a logical network diagram. [5 points]

Logical Network Diagram for AnyCompany____ (enter number)

Skills-Based Assessment Part 2 [48 points]

Task 1: Build the Network and Connect the Cables

Task 2: Configure the HQ Router

Step 2: Configure the HQ router serial and loopback interfaces.

Step 3: Create the CHAP user ID and password.

Step 4: Configure OSPF routing for Area 0 on HQ.

Step 6: Configure overloaded NAT (PAT) on HQ.

Step 7: Save the router running-config configuration to startup-config.

Task 3: Configure the Remote Office Router

Step 2: Configure the R2 Fast Ethernet subinterfaces and serial interfaces.

Step 3: Configure OSPF routing for Area 0 on R2.

Step 4: Save the router running-config configuration to startup-config.

Task 4: Configure the Remote Office Switch S1

Step 1: Configure the basic settings on the S1 switch.

Step 2: Configure the VLANs for S1.

Step 3: Assign an IP address to the Management VLAN 1 on S1.

Step 4: Configure S1 switch ports.

Step 5: Configure S1 as the root switch for STP.

Step 6: Configure a VTP domain.

Step 7: Configure switch port security.

Step 8: Save the S1 switch running-config configuration to startup-config.

Task 5: Configure the Remote Office Switch S2

Step 1: Configure the basic settings on the S2 switch.

Step 2: Configure a VTP domain.

S2(config)#vtp domain AnyCompany1 S2(config)#vtp mode client S2(config)#vtp password cisco

Step 3: Assign ports to the VLANs.

Step 4: Assign an IP address to the Management VLAN 1 on S2.

Step 6: Configure switch port security.

Step 7: Save the S2 switch running-config configuration to startup-config.

Task 6: Configure Host IP Addresses

Configuration Items to Verify

Connectivity Items to Verify

Internet Explorer or other browser to IP address

Configuration Items to Verify

Task 8: Configure ACL Security on HQ and R2

CIDR / VLSM Subnet Chart

Subnet # (octets 3 & 4)

1.96 1.100 1.104 1.108

line vty 0 4 access-class 2 in password cisco login ! end

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

icmp 209.165.201.2:512 192.168.1.2:512 tcp 209.165.201.2:1090 192.168.1.2:1090

tcp 209.165.201.2:1175 192.168.1.130:1175 172.17.1.1:23 HQ-1#

Gateway of last resort is 192.168.1.234 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 192.168.1.234, 03:01:40, Serial0/0/0

Virtual LAN ID:

1 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface:

This is configured as native Vlan for the following interface(s) : FastEthernet0/0