
CCNA Exploration v4.0
Final Lab.

Objectives
Demonstrate a comprehensive mastery of the skills covered in CCNA Discovery and Exploration courses 1
through 4:

Select internetworking devices and cable according to topology
Design an efficient addressing scheme using VLSM
Configure Frame Relay
Configure PPP with CHAP authentication
Configure VLANs and VTP
Implement Inter-VLAN routing
Configure EIGRP, static and default routing
Configure DHCP and request forwarding
Configure static and dynamic NAT
Implement basic security using access control lists (ACLs)
Configure switch port security
Overview
You are the Network Administrator for AnyCompany, a mid-size corporation. The headquarters office is
located in one city and a new branch office is opening soon in another city. Your job is to bring the branch
office online as soon as possible. You will design a new addressing scheme, configure a primary and
secondary WAN link, set up DHCP and NAT and implement some standard security measures.
Task 1: Setup the Lab Equipment.
Cable the equipment as shown in the graphic. Label the graphic with the appropriate interface names if
they are different than those shown. Note which interfaces are DCE.
Task 2: Develop the Addressing Scheme.
Design an appropriate VLSM addressing scheme using the following method to assign subnets and
interface addresses. Maximize the number of host addresses at each level of subnetting.
NOTE: When referring to subnets by number (1st, 2nd, 3rd, etc.), subnet zero is considered the 1st
subnet.
Step 1: Determine the 1st level of subnetting.
Subnet 10.1.1.0/24 to provide enough address space for the 100 hosts on VLAN 10. Assign the 2nd
subnet to VLAN 10. Save the 1st subnet range for the next step. Assign the 1st valid host address in the
2nd subnet to the VLAN 10 subinterface on the BR router.
Step 2: Determine the 2nd level of subnetting.
Subnet the 1st subnet range from Step 1 to provide enough address space for 50 hosts on VLAN 20. Save
the 1st subnet range for the next step. Assign the 2nd subnet to VLAN 20. Assign the 1st valid host
address in this subnet to the VLAN 20 subinterface on the BR router.
Step 3: Determine the 3rd level of subnetting.
Subnet the 1st subnet range from Step 2 to provide enough address space for 20 hosts on VLAN 30. Save
the 1st subnet range for the next step. Assign the 2nd subnet to VLAN 30. Assign the 1st valid host
address in this subnet to the VLAN 30 subinterface on the BR router.
Step 4: Determine the 4th level of subnetting.
Subnet the 1st subnet range from Step 3 to provide enough address space for the 10 servers attached to
the HQ LAN. Save the 1st subnet range for the next step. Assign the 2nd subnet to this Server Farm.
Assign the 1st valid host address in this subnet to the FastEthernet 0/1 interface on the HQ router. This
address should be 10.1.1.17. If it is not, then check your work in the previous subnetting levels.
Step 5: Determine the 5th level of subnetting.
Subnet 10.1.1.0/28 for WAN links. This should provide four subnets. Assign the 4th subnet to VLAN 1. BR
trunk subinterface Fa0/0.1 should get the 1st address and ALSw VLAN 1 should get the 2nd address.
Assign the 3rd subnet to the Frame Relay PVC. Assign the 2nd subnet to the PPP link. In both instances,
assign HQ the first address in the subnet.
You should have 10.1.1.0/30 as your only available address space that has not been assigned. All other
addresses in the 10.1.1.0/24 address space have been assigned.
Step 6: Fill in the topology address table.
Fill in the device topology address table on page 1 with your addressing design and label the topology with
the assigned subnets.
Also label the interfaces with the last octet of the IP address for that interface. For example, if the IP
address for an interface is 192.168.200.33, label the interface as .33.
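The Task 2 procedure carried through with Python's standard ipaddress module, as an added example that is not part of the original lab handout. The dictionary keys are descriptive labels chosen here, and giving BR the second address on each WAN /30 is an assumption consistent with the show frame-relay map output in Task 4.

```python
import ipaddress

# Host counts from Task 2, Steps 1-4, in the order the steps assign them.
REQUIREMENTS = [("VLAN 10", 100), ("VLAN 20", 50), ("VLAN 30", 20), ("Server Farm", 10)]

def vlsm_plan(block="10.1.1.0/24"):
    """At each level split the saved range in half, assign the 2nd subnet,
    and keep the 1st subnet (subnet zero) for the next level."""
    saved = ipaddress.ip_network(block)
    plan = {}
    for name, hosts in REQUIREMENTS:
        first, second = saved.subnets(prefixlen_diff=1)
        # Usable hosts exclude the network and broadcast addresses.
        if second.num_addresses - 2 < hosts:
            raise ValueError(f"{second} cannot hold {hosts} hosts for {name}")
        plan[name] = second
        saved = first
    # Step 5: the saved /28 is cut into four /30 subnets.
    unassigned, ppp, frame_relay, vlan1 = saved.subnets(new_prefix=30)
    plan.update({"Unassigned": unassigned, "PPP link": ppp,
                 "Frame Relay PVC": frame_relay, "VLAN 1": vlan1})
    return plan

def nth_host(net, n):
    """Return the n-th valid host address (1-based) of a subnet as a string."""
    return str(net.network_address + n)

def interface_addresses(plan):
    """Addresses the steps assign to interfaces (keys are descriptive labels)."""
    return {
        "BR VLAN 10 subinterface": nth_host(plan["VLAN 10"], 1),
        "BR VLAN 20 subinterface": nth_host(plan["VLAN 20"], 1),
        "BR VLAN 30 subinterface": nth_host(plan["VLAN 30"], 1),
        "HQ FastEthernet 0/1": nth_host(plan["Server Farm"], 1),
        "BR Fa0/0.1": nth_host(plan["VLAN 1"], 1),
        "ALSw VLAN 1": nth_host(plan["VLAN 1"], 2),
        "HQ Frame Relay": nth_host(plan["Frame Relay PVC"], 1),
        "BR Frame Relay": nth_host(plan["Frame Relay PVC"], 2),
        "HQ PPP": nth_host(plan["PPP link"], 1),
        "BR PPP": nth_host(plan["PPP link"], 2),
    }

if __name__ == "__main__":
    plan = vlsm_plan()
    for name, net in plan.items():
        print(f"{name:16} {net}")
    for label, addr in interface_addresses(plan).items():
        print(f"{label:26} {addr}")
```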
Task 3: Configure Basic Router and Switch Settings.
Step 1: Erase and reload the routers and switch.
Erase the configuration on all routers and switches and reload without saving changes. Make sure any
VLAN databases are deleted.
Step 2: Configure each device with basic parameters.
Name the device.
Create host table entries for all internetworking devices, except the ISP router.
Set the enable secret password to class.
Set the console and vty passwords to cisco.
Encrypt all passwords.
Disable DNS lookup.
Create a Message of the Day saying Unauthorized Use Prohibited.
Allow subnet zero.
Enable IOS HTTP server feature.
Prevent console messages from interrupting your commands.
Prevent the router from automatically logging out an idle console or Telnet session.
Address, enable and describe all cabled IP interfaces.
Set the clock rate to 64000 on any DCE interfaces
Step 3: On router BR, configure VLAN subinterfaces as shown in the topology.
Task 4: Configure Frame Relay.
Headquarters and the branch office share a PVC that has been set up by the service provider in the Frame
Relay switch (router FRSw or the ATLAS 550). Use the default encapsulation, LMI type of ANSI, and the
correct DLCI. After configuring both sides of the PVC, verify with show frame-relay map. You should have
output very similar to the following:
HQ# show frame-relay map
Serial0/0/0 (up): ip 10.1.1.10 dlci 102(0x15,0x450), dynamic,
broadcast,, status defined, active
BR# show frame-relay map
Serial0/0/0 (up): ip 10.1.1.9 dlci 201(0x14,0x440), dynamic,
broadcast,, status defined, active
NOTE: If using the ATLAS 550, you will see other inactive DLCIs.
If using a router as the Frame Relay switch you should see the following
output from FRSw.
FRSw# show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       102             Serial0/1       201             active
Serial0/1       201             Serial0/0       102             active
Task 5: Configure PPP with CHAP Authentication.

Headquarters and the branch office share a backup PPP link. This link should activate only if the Frame
Relay link fails. Configure this link to use PPP and CHAP with a password of Knockknock. After
configuring PPP and CHAP, verify that both interfaces are up/up.
NOTE: Backup routing is configured in Task 8.
Task 6: Configure VLANs and VTP on Switch ALSw.
Step 1: Create the VLAN names and numbers according to the topology.
Step 2: Configure this switch as the VTP server and set the VTP domain name to
AnyCompanyDomain.
This will prevent a new switch from accidentally coming online and potentially
changing the VLAN configuration.
Step 3: Specify the default gateway.
Step 4: Set the spanning tree priority to a number lower than the default.
This will prevent a new switch from accidentally becoming the root bridge.
Step 5: Configure an access port for each of the three VLANs and a trunk port to the BR router.
Refer to the topology diagram for the port to use in each case.
Step 6: Configure an IP address for interface VLAN 1.
Step 7: Test your configuration by pinging BR from ALSw.
If the pings are not successful, troubleshoot until they are.
Task 7: Configure EIGRP Routing.
Step 1: Set a default route on HQ.
Point the default route to the next-hop IP address of ISP at 209.165.200.225
Step 2: Configure EIGRP on HQ.
Make sure that no routing updates are forwarded out to the ISP, the server farm or out the
PPP link. Redistribute the default route to BR and disable automatic route summarization.
Step 3: Configure EIGRP on BR.
Make sure that no updates are forwarded out to the switch or out the PPP link. Disable automatic route
summarization.
Task 8: Configure Backup Routing.
If the Frame Relay link goes down, the PPP link must become the route of choice.
Step 1: Configure four floating static routes on HQ pointing to the four VLANs on BR.
Step 2: Configure a floating static default route on BR pointing to the PPP interface.
Step 3: Test the backup link
To test your static configurations, shut down both sides of the Frame Relay link to test the PPP backup
link. Display the routing table for the HQ and BR routers to verify that the floating static routes have been
installed. You will need to wait for the EIGRP routes to expire before the floating static routes become
active.
Task 9: Configure DHCP on HQ.
The HQ router is responsible for supplying IP addresses and other configuration information to devices
that attach to ALSw. Multiple DHCP pools must be set up on HQ to provide addresses for clients on each
of the ALSw VLANs. Do not configure DHCP on BR.
Step 1: Exclude the first three addresses from each pool on HQ.
Step 2: Configure a DHCP address pool for each VLAN on HQ
The DHCP pools are configured on HQ to centralize DHCP administration and to accommodate future
LAN host expansion.
Step 3: Configure 209.165.200.225 as the DNS server and anycompanydomain.com as the
domain name.
Task 10: Configure DHCP Request Forwarding.
Step 1: Configure DHCP forwarding on the BR router
Enter the commands necessary to forward DHCP requests to HQ. Make sure this will occur
with either the Frame Relay link or the PPP link.
Step 2: Verify the DHCP clients obtained a proper address.
Check the IP configuration on the three hosts attached to ALSw. Make sure that each received an IP
address appropriate for the VLAN to which it is attached. If not, troubleshoot as necessary. Verify the
DHCP server information on HQ. Output from DHCP show commands should look similar to the output
below.
NOTE: You may need to issue the ipconfig /release and ipconfig /renew commands on each host.
Step 3: Verify host connectivity using ping.
The hosts should be able to ping all interface addresses on HQ as well as each other. If not,
troubleshoot as necessary.
Task 11: Configure Static and Dynamic NAT.

Your ISP assigned you the address pool 64.104.0.8/29 (six useable addresses) that you can use to route
packets onto the Internet.
Step 1: Configure a host for the server farm. Statically configure a host representing the Server Farm
LAN on HQ with the IP address 10.1.1.20/28. This host will simulate the inside public web server.
Step 2: Verify that the server farm host can ping its default gateway.
Step 3: Configure static NAT.
DNS servers on the Internet have mapped the domain name anycompanydomain.com to 64.104.0.8/28,
so statically configure the server farm server host on HQ to always use the 64.104.0.9 address for Internet
traffic.
Step 4: Configure dynamic NAT with overload.
The rest of the NAT pool is to be used by all the other users on the inside network.
On HQ, set up the pool to dynamically translate internal addresses to the external public addresses
assigned. Make sure you use the Port Address Translation (PAT) feature so that more than seven users
can be on the Internet at one time. (Note: Do NOT use the interface address 209.165.200.226 as part of
your NAT pool). Specify the internal and external interfaces which will participate in NAT.
All hosts should now be able to ping the Internet web server. At this point, you should have FULL
connectivity throughout the entire network. Test connectivity with both the Frame Relay link active and
disabled.
Task 12: Implement and Verify Security Policy Using Access Control Lists (ACLs).
Step 1: Configure and apply an ACL on HQ.
Allow Internet users to only ping your inside public web server.
Allow Internet users to send ping replies and unreachable messages.
Allow Internet packets that are part of an already established TCP session.
Allow AnyCompanyDomain users to have web access and send ICMP messages to the Internet
Step 2: Configure and apply an ACL on BR.
Make sure users in the Sales and Purchasing VLANs cannot Telnet anywhere. However, all other access
is allowed. (Their Internet traffic will be filtered at HQ).
Step 3: Verify ACL functionality.
Verify that the answer to each of the following questions is yes before you ask your Instructor to check
your implementation. You may also want to capture output from your successful verification to use in
compiling your documentation.
Can ISP ping 64.104.0.9? _______
Does ISP's attempt to Telnet into HQ fail? ______
Can a host on one of the VLANs open a web page on the simulated ISP web server at
198.133.219.1? ______
Can a Finance host Telnet to BR or HQ? ______
Do Sales and Purchasing host Telnet attempts fail? _____
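A first-match model of the Internet-to-HQ half of the Step 1 policy, checked against the Step 3 questions; this is an added example, not part of the original lab handout, and it is not IOS syntax. The rule list and the sample packets are constructed for illustration, and 64.104.0.10 is assumed to be a translated pool address.

```python
import ipaddress

WEB_SERVER = "64.104.0.9"  # static NAT address from Task 11

# Constructed rule list for traffic arriving from the Internet.
# dst None means "any destination".
INBOUND_RULES = [
    {"action": "permit", "proto": "icmp", "dst": WEB_SERVER, "icmp_type": "echo"},
    {"action": "permit", "proto": "icmp", "dst": None, "icmp_type": "echo-reply"},
    {"action": "permit", "proto": "icmp", "dst": None, "icmp_type": "unreachable"},
    {"action": "permit", "proto": "tcp", "dst": None, "established": True},
]

def is_established(pkt):
    """The IOS 'established' keyword matches TCP segments with ACK or RST set."""
    return bool({"ACK", "RST"} & set(pkt.get("flags", ())))

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dst"] is not None and (
            ipaddress.ip_address(rule["dst"]) != ipaddress.ip_address(pkt["dst"])):
        return False
    if "icmp_type" in rule and rule["icmp_type"] != pkt.get("icmp_type"):
        return False
    if rule.get("established") and not is_established(pkt):
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed packets corresponding to the Step 3 questions.
ISP_PING_SERVER = {"proto": "icmp", "dst": WEB_SERVER, "icmp_type": "echo"}
ISP_PING_OTHER = {"proto": "icmp", "dst": "64.104.0.10", "icmp_type": "echo"}
ISP_TELNET_HQ = {"proto": "tcp", "dst": "209.165.200.226", "dport": 23,
                 "flags": ["SYN"]}
WEB_REPLY = {"proto": "tcp", "dst": "64.104.0.10", "sport": 80,
             "flags": ["SYN", "ACK"]}
ISP_HTTP_SERVER = {"proto": "tcp", "dst": WEB_SERVER, "dport": 80,
                   "flags": ["SYN"]}
```

The inbound ACL is evaluated before NAT translates the destination, which is why the rule for the web server matches the public address 64.104.0.9 rather than 10.1.1.20.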
Task 13: Configure Switch Port Security on ALSw.
Step 1: Display the MAC address table entry for H1 on Port Fa0/2 and then clear the dynamic entry.
Step 2: Shutdown Port Fa0/2, configure it as an access port and then configure sticky port security.
Step 3: Ping from the host H1 to the BR router default gateway.
Allow some time to pass and then display the running-config to see the MAC address the switch learned.
Step 4: Remove the host H1 cable from Port Fa0/2 and connect the cable from another host.
Ping from the other host to any IP address to cause a security violation on port Fa0/2. Verify that a security
violation occurred and that the port status is secure-shutdown.
Step 5: Reconnect the original host to its port and restore the port.
Clear the sticky address entry for port Fa0/2 using the clear port-security sticky interface fa0/2 access
command. Shutdown the port and enable it again to return the interface from error disable to
administratively up.
Task 14: Document Device Configurations and Output.
Step 1: Label the topology subnetwork and interface addresses.
Step 2: Complete the IP address table at the beginning of the assessment.
Step 3: Display device outputs for verification.
Display outputs for the HQ, BR and ALSw devices and paste them to a file on the desktop for review
by the exam administrator. Display the output on HQ and BR routers for the following commands:
show ip route
show ip interface brief

show ip protocols
Display the output on the ALSw switch for the following commands:
show vlan brief
show vtp status