
D3 SBA Student


CCNA Discovery Introducing Routing and Switching in the Enterprise

Skills-Based Assessment

Academy Student Version

Exam Overview

This skills-based assessment is the final practical exam for the course CCNA Discovery – Introducing Routing and Switching in the Enterprise. The exam is divided into two parts, and Part 1 must be completed before Part 2. In Part 1, you develop an IP subnet scheme and document the device interfaces. In Part 2, you cable the network and configure customer routers and switches using Cisco IOS CLI commands. The remote office router routes between the local network and the headquarters router. The headquarters router is configured to provide access to the ISP router. The OSPF routing protocol is used between the remote office and headquarters router. Static routing is used between the headquarters router and the ISP.

The instructor will preconfigure the ISP router and erase the startup configuration in the headquarters router and the remote office router prior to starting the exam.

When you have completed Part 1, give it to the instructor to check before starting on Part 2. You have 50 minutes to complete Part 1. The instructor will inform you of how Part 2 will be conducted and the time allotted.

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 14


Objectives

Part 1 – Create an IP addressing plan and document the network device interfaces.

Part 2 – Connect and configure the network equipment and verify network connectivity.


Skills-Based Assessment – Part 1

Develop the IP Addressing Scheme and Assign Interface Addresses

Step 1: Gather required information.

Use the topology diagram at the beginning of the exam and the following information provided by the instructor to document the network.

a. You will be working with customer AnyCompanyX, where X is the number assigned by the instructor.

Enter the number you are assigned here: AnyCompany___

b. If your local network is connected to the ISP as AnyCompany1, the IP address of the ISP serial 0/0/0 interface is 209.165.201.1/30. If your local network is connected to the ISP as AnyCompany2, the IP address of the ISP serial 0/0/1 interface is 209.165.201.5/30.

If more than one ISP router is being used, additional addresses from the 209.165.201.x/30 range are needed. Check with the instructor to verify the ISP serial interface IP address for you to use.

Enter the ISP serial interface IP address here: _______________________________

c. The base IP address CIDR block from which you will create the VLSM addressing scheme is based on the AnyCompanyX number that you are assigned. If the local network is AnyCompany1, use 192.168.1.0 /24. If the local network is AnyCompany2, use 192.168.2.0 /24.

If more than one ISP router is being used, additional addresses from the 192.168.X.0/24 range are needed. Check with the instructor to verify the correct IP address block for you to use.

Enter the base IP address and subnet mask here: ____________________________

Step 2: Determine the size of each VLSM block to accommodate users.

Develop a VLSM subnet scheme that optimally subnets the base address and allows for three VLANs on the local R2 network, the hosts on the HQ local network, and the WAN link between HQ and R2. The HQ router uses NAT/PAT to translate internal client addresses to the external address.

a. Determine the size of the subnet address block required for a network area or group of users. Fill in the table with this information.

VLSM Subnet Requirements

| Network Area | Number of Users / IPs | VLSM Block Size / Number of IPs (Powers of 2) |
|---|---|---|
| AnyCompanyX block size to subdivide | N/A | |
| HQ local network | 23 | |
| R2 local network / VLANs | | |
| VLAN 1 (Default/Mgmt-IP) | 5 | |
| VLAN 11 (Dept 1) | 45 | |
| VLAN 12 (Dept 2) | 97 | |
| R2 to HQ WAN link | 2 | |
| Total users and total block sizes | 172 | |

b. To optimally allocate addresses from the /24 address assigned, sort the block sizes from largest to smallest. Use the table below to order the network areas by the VLSM block size. List the blocks starting with the largest to the smallest.


| Network Area / VLAN | VLSM Block Size |
|---|---|

Step 3: Allocate blocks of addresses to each area of the network.

a. Determine which blocks of the CIDR address to assign to each area of the network or VLAN. You may use the CIDR / VLSM subnet chart (Appendix A) to enter the subnet information for each CIDR block.

b. Fill in the following table based on the subnet information in the VLSM Subnet Requirements tables above.

| Network Area / VLAN | VLSM Block Size (Number of Addresses) | Subnet Address and Prefix | Useable Address Range | Subnet Mask |
|---|---|---|---|---|
| R2 – VLAN 12 (Dept 2) | | | | |
| R2 – VLAN 11 (Dept 1) | | | | |
| HQ – Local network (simulated with Lo0) | | | | |
| R2 – VLAN 1 (Default/Mgmt) | | | | |
| R2 – HQ WAN link | | | | |
| Unused IP addresses | | | | |

c. Have the instructor verify that your addressing scheme is accurate and assigns address space efficiently. You should not have any overlapping subnets and should have unused contiguous blocks of addresses that can be used for future growth.
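The allocation procedure in Steps 2 and 3, as an added example that is not part of the original exam: it sizes each block from the user counts in the requirements table, assigns blocks largest first from the AnyCompany1 base block 192.168.1.0/24, and checks the result for overlaps. The function names are illustrative.

```python
import ipaddress

# User counts from the VLSM Subnet Requirements table above.
REQUIREMENTS = {
    "HQ local network": 23,
    "R2 VLAN 1 (Default/Mgmt)": 5,
    "R2 VLAN 11 (Dept 1)": 45,
    "R2 VLAN 12 (Dept 2)": 97,
    "R2 to HQ WAN link": 2,
}


def block_size(hosts):
    """Smallest power of two that fits the hosts plus the network and broadcast addresses."""
    size = 4  # a /30 is the smallest block with two usable addresses
    while size < hosts + 2:
        size *= 2
    return size


def allocate(base, requirements):
    """Assign blocks largest first. Returns (plan, unused): plan is a list of
    (area, block size, network); unused is the list of leftover networks."""
    base = ipaddress.ip_network(base)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = []
    # Largest first keeps every block aligned on a multiple of its own size.
    for area, hosts in sorted(requirements.items(),
                              key=lambda item: block_size(item[1]), reverse=True):
        size = block_size(hosts)
        if cursor + size > end:
            raise ValueError(f"{base} is too small for {area}")
        prefix = 32 - (size.bit_length() - 1)
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        plan.append((area, size, subnet))
        cursor += size
    unused = []
    if cursor < end:
        unused = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), base.broadcast_address))
    return plan, unused


def overlapping_pairs(networks):
    """Every pair of networks that shares at least one address."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    plan, unused = allocate("192.168.1.0/24", REQUIREMENTS)  # AnyCompany1 base block
    for area, size, subnet in plan:
        first, last = subnet.network_address + 1, subnet.broadcast_address - 1
        print(f"{area:26} {size:4} {str(subnet):18} {first} - {last}  {subnet.netmask}")
    print("unused:", ", ".join(str(n) for n in unused))
    print("overlaps:", overlapping_pairs(subnet for _, _, subnet in plan))
```

A block of 8 addresses is a /29 and a block of 4 is a /30, which is what the allocator returns for VLAN 1 and the WAN link. The leftover space comes back as 192.168.1.236/30 and 192.168.1.240/28, 20 addresses in total.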

Step 4: Select IP addresses for use when configuring devices.

Select addresses from the block assigned to an area of the network, and fill in the VLSM block size, IP address and subnet mask for each device/interface in the topology. Include the /# bits mask with the IP address. These IP addresses are used in Part 2 when you configure the network equipment.

Note: When you are finished with this step, check with the instructor before proceeding.


Device Interface / IP Address Chart

| Device | Interface | IP Address | Subnet Mask |
|---|---|---|---|
| HQ-X | Serial 0/0/0 | | |
| | Serial 0/0/1 (Use the next address compatible with the ISP serial interface address of AnyCompanyX) | | |
| | Loopback0 | | |
| R2 | Serial 0/0/0 | | |
| | Fast Ethernet 0/0 | | |
| | Subint Fa0/0.1 | | |
| | Subint Fa0/0.11 | | |
| | Subint Fa0/0.12 | | |
| ISP | Serial 0/0/0 (pre-configured) | 209.165.201.1/30 (AnyCompany1) | 255.255.255.252 |
| | Serial 0/0/1 (pre-configured) | 209.165.201.5/30 (AnyCompany2) | 255.255.255.252 |
| | Fa0/0 (pre-configured default gateway for Discovery Server. Optional if ISP loopback is used.) | 172.17.0.1 | 255.255.0.0 |
| S1 | VLAN 1 | | |
| S2 | VLAN 1 | | |
| H1 | NIC | | |
| H2 | NIC | | |
| Discovery Server (or ISP Loopback address - pre-configured) | NIC | 172.17.1.1/16 | 255.255.0.0 |


Step 5: Create a logical network diagram.

Draw a simple logical network diagram of your AnyCompanyX network. Include the ISP router, the two AnyCompanyX routers (HQ and R2), the switches, the two host computers, the three VLANs, and the Discovery Server. Write the IP address and /# bits subnet mask next to each interface, device, or VLAN using the addresses identified in Step 4. This information is used to configure the AnyCompanyX routers and switches in Part 2 of the exam. Be sure to include the subinterfaces on R2.

Logical Network Diagram for AnyCompany____ (enter number)

Step 6: Check your work with the instructor before going on to Part 2.


Skills-Based Assessment – Part 2

Task 1: Build the Network and Connect the Cables

Using the topology diagram provided at the beginning of Part 1 and the logical network diagram you created in Step 5, build the network. Connect the AnyCompanyX network HQ-X router to the appropriate ISP router interface: Serial 0/0/0 for AnyCompany1 or S0/0/1 for AnyCompany2 (unless instructed otherwise by the instructor). The ISP router and the Discovery Server should be preconfigured by the instructor.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.

The IP addresses used to configure the devices in the following tasks are based on your solution for the VLSM scheme in Part 1.

Task 2: Configure the HQ Router

Step 1: Configure the router.

Assign the host name HQ-X (where X is the number of AnyCompanyX) and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the HQ router serial and loopback interfaces.

The WAN link from HQ to R2 uses default Cisco HDLC encapsulation. The WAN link from HQ to ISP uses PPP with CHAP authentication. The ISP provides the clocking for the HQ router. Refer to the topology diagram at the beginning of Part 1 for other DTE/DCE settings.

Step 3: Create the CHAP user ID and password.

For CHAP authentication, configure a username for the ISP router on the HQ router with a password of cisco.

Step 4: Configure OSPF routing for Area 0 on HQ.

Step 5: Configure a default route to the ISP on HQ and propagate this route to R2 using OSPF.

Step 6: Configure overloaded NAT (PAT) on HQ.

a. Use the IP address on the serial port that connects to the ISP as the overloaded address.

b. Specify the inside and outside NAT interfaces.

c. Permit the entire 192.168.X.0/24 address space to be translated (where X is the number assigned to AnyCompany).

Step 7: Save the router running-config configuration to startup-config.

Task 3: Configure the Remote Office Router

Step 1: Configure basic settings for the R2 router.

Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.


Step 2: Configure the R2 Fast Ethernet subinterfaces and serial interfaces.

Define the Fast Ethernet subinterfaces to match the numbers of the VLANs they represent. They should also use 802.1Q encapsulation. VLAN 1 is the native VLAN.

Step 3: Configure OSPF routing for Area 0 on R2.

Specify the subnet for each R2 interface using the appropriate wildcard mask.

Step 4: Save the router running-config configuration to startup-config.

Task 4: Configure the Remote Office Switch S1

Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S1 switch.

Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the VLANs for S1.

Use the VLAN numbers and names in the following table, and assign the ports to each VLAN as indicated. Use this table to configure switch S2 in Task 5.

| VLAN Number | VLAN Name | Ports Assigned | Notes |
|---|---|---|---|
| VLAN 1 (default VLAN) | default | None | VLAN 1 cannot be renamed |
| VLAN 11 (Dept 1 users) | Dept1 | 3 to 11 | |
| VLAN 12 (Dept 2 users) | Dept2 | 12 to 24 | |

Step 3: Assign an IP address to the Management VLAN 1 on S1.

Assign the VLAN 1 address according to the Device Interface / IP Address chart in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1.

Step 4: Configure S1 switch ports.

Configure switch ports Fa0/1 and Fa0/2 as 802.1Q trunks so that they can carry VLAN information.

Step 5: Configure S1 as the root switch for STP.

Change the STP priority of native VLAN 1 on S1 so that S1 becomes the root switch.

Step 6: Configure a VTP domain.

Step 7: Configure switch port security.

Configure port security for port Fa0/9 on switch S1. When port security is configured, connecting any other host disables the port.

Step 8: Save the S1 switch running-config configuration to startup-config.


Task 5: Configure the Remote Office Switch S2

Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S2 switch.

Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure a VTP domain.

Configure the AnyCompanyX domain name on S2 and assign the password cisco.

Step 3: Assign ports to the VLANs.

Use the information in the table in Task 4, Step 2 to assign ports to the VLANs.

Step 4: Assign an IP address to the Management VLAN 1 on S2.

Assign the VLAN 1 address according to the Device Interface / IP Address table in Part 1, Step 4. Configure the switch with a default gateway to router R2 for VLAN 1.

Step 5: Configure switch port Fa0/2 as an 802.1Q trunk to carry VLAN information.

Step 6: Configure switch port security.

Configure port security for port Fa0/15 on switch S2. When port security is configured, connecting any other host disables the port.

Step 7: Save the S2 switch running-config configuration to startup-config.

Task 6: Configure Host IP Addresses

Configure each host IP address, subnet mask, and default gateway using the information in the Device Interface / IP Address chart in Part 1, Step 4.

Task 7: Verify Device Configurations and Basic Connectivity

Before configuring ACLs in the next task, verify the items listed in the table and indicate which command you used. Include the IP address to be pinged when verifying connectivity. Have the instructor check off each item when verified.

| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| HQ basic config (host, pass, IPs) | | |
| HQ routing table (OSPF, static/default) | | |
| HQ NAT config (ACL, interfaces, etc.) | | |
| R2 basic config (host, pass, IPs) | | |
| R2 routing table (OSPF, static/default) | | |
| R2 subinterfaces on Fa0/0 | | |
| R2 subinterfaces encapsulation | | |
| S1 basic config (host, pass, IPs) | | |
| S1 VLANs | | |
| S1 ports in correct VLANs | | |
| S1 802.1Q trunk ports | | |
| S1 is root switch | | |
| S1 is VTP server | | |
| S1 port security | | |
| S2 basic config (host, pass, IPs) | | |
| S2 VLANs | | |
| S2 ports in correct VLANs | | |
| S2 802.1Q trunk ports | | |
| S2 is VTP client | | |
| S2 port security | | |
| Connectivity Items to Verify | | |
| Ping S1 from H1 and H2 | | |
| Ping S2 from H1 and H2 | | |
| Ping R2 default gateway from H1 and H2 | | |
| Ping R2 default gateway from S1 and S2 | | |
| Ping from H1 to H2 (between VLANs) | | |
| Ping HQ from R2 | | |
| Ping from H1 and H2 to HQ S0/0/0 | | |
| Ping from H1 and H2 to HQ Lo0 (HQ LAN) | | |
| Ping from H1 and H2 to ISP S0/0/0 | | |
| Ping from H1 and H2 to ISP Discovery Server | | |
| Web browser from H1 and H2 to Discovery Server (or ISP router Loopback) | | |
| Telnet from H1 and H2 to HQ and R2 | | |
| Verify HQ NAT translations (display translations after ping, telnet and web browser from H1 or H2 to ISP loopback or Discovery Server) | | |

Task 8: Configure ACL Security on HQ and R2

Step 1: Create and apply a numbered extended ACL on R2.

The ACL must allow web requests and pings to leave the R2 network if they originated from any location within the R2 AnyCompanyX network. Telnet traffic is permitted if it originates in VLAN 11, and FTP traffic (FTP control and FTP data) is permitted if it originates in VLAN 12. All other traffic is denied.

a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to the appropriate R2 interface. Include remarks in your ACL to document what it is doing. Have the instructor verify the ACL statements and placement. __________

b. Test the ACL by pinging from H1 and H2 to the ISP loopback address or the IP address of the Discovery Server. Have the instructor verify. _______

c. Using a browser from H1 and H2, enter the ISP router Loopback0 address or the IP address of the Discovery Server. Have the instructor verify. _________


d. Telnet from host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. You should not be able to telnet from a host in VLAN 12. Have the instructor verify. _______

Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. You should be able to telnet from any host in VLAN 11. Have the instructor verify. _______

e. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______
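The policy in Step 1 modelled as first-match evaluation with per-entry counters, as an added example that is not part of the original exam and not IOS configuration. The subnets come from the AnyCompany1 base block and the Possible Solution table; the H1 and H2 addresses are constructed, and the model does not distinguish ICMP types.

```python
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dport remark")
net = ipaddress.ip_network


def build_acl():
    """Entries in the order they would appear in the ACL; evaluation stops at the first match."""
    r2 = net("192.168.1.0/24")        # AnyCompany1 base block
    vlan11 = net("192.168.1.128/26")  # Dept 1, from the Possible Solution table
    vlan12 = net("192.168.1.0/25")    # Dept 2, from the Possible Solution table
    return [
        Ace("permit", "tcp", r2, 80, "web from any R2 subnet"),
        Ace("permit", "icmp", r2, None, "ping from any R2 subnet"),
        Ace("permit", "tcp", vlan11, 23, "telnet from VLAN 11 only"),
        Ace("permit", "tcp", vlan12, 21, "FTP control from VLAN 12 only"),
        Ace("permit", "tcp", vlan12, 20, "FTP data from VLAN 12 only"),
        Ace("deny", "ip", net("0.0.0.0/0"), None, "explicit deny so drops are counted"),
    ]


def matches(ace, proto, src, dport):
    """True when the packet's protocol, source and destination port fit the entry."""
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    return ace.dport is None or ace.dport == dport


def run(acl, packets):
    """Return (verdicts, hits): one verdict per packet and one match counter per entry."""
    hits = [0] * len(acl)
    verdicts = []
    for proto, src, dport in packets:
        for i, ace in enumerate(acl):
            if matches(ace, proto, src, dport):
                hits[i] += 1
                verdicts.append(ace.action)
                break
        else:
            verdicts.append("deny")  # implicit deny: dropped, but no counter moves
    return verdicts, hits


# Constructed test traffic: H1 is a VLAN 11 host, H2 a VLAN 12 host (addresses assumed).
H1, H2 = "192.168.1.130", "192.168.1.10"
PACKETS = [
    ("icmp", H1, None), ("icmp", H2, None),  # step b: ping
    ("tcp", H1, 80), ("tcp", H2, 80),        # step c: browser
    ("tcp", H2, 23), ("tcp", H1, 23),        # step d: telnet
    ("tcp", H2, 21), ("tcp", H1, 21),        # FTP control
]

if __name__ == "__main__":
    acl = build_acl()
    verdicts, hits = run(acl, PACKETS)
    for packet, verdict in zip(PACKETS, verdicts):
        print(packet, "->", verdict)
    for ace, count in zip(acl, hits):  # comparable to the counts in show access-lists
        print(f"{count:2} matches  {ace.action:6} {ace.proto:4} {ace.src}  {ace.remark}")
```

Running the same traffic against the list without its last entry still drops the telnet from H2, but no counter records it, which is the reason the step asks for an explicit deny.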

Step 2: Create and apply a standard ACL to control vty access to the HQ router.

The ACL should deny vty access for all hosts from any network or interface to the HQ router, except for host H1 on VLAN 11.

a. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to vty lines 0 through 4 on the HQ router. Have the instructor verify the ACL statements and placement. __________

b. Telnet from host H1

c. Change the IP address of H1 to another address that is on VLAN 11, and telnet again from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. Have the instructor verify. _______

Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______

Step 3: On R2 and HQ, save the router running configuration to NVRAM.

Step 4: Save the running configurations for each networking device to a file.

Save the output from HQ-X, R2, S1, and S2 to a single text file on your desktop and name it XXX-D3-SBA-Configs.txt (where XXX are your initials). Show it to the instructor. _________


Appendix A

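CIDR / VLSM Subnet Chart

AnyCompanyX ____

Base Address: ________________ (192.168.X.0) Subnet Mask: 255.255.255.0

| CIDR mask | /24 | /25 | /26 | /27 | /28 | /29 | /30 |
|---|---|---|---|---|---|---|---|
| Dot mask (octets 3&4) | 255.0 | 255.128 | 255.192 | 255.224 | 255.240 | 255.248 | 255.252 |
| Number of hosts possible | 256 | 128 | 64 | 32 | 16 | 8 | 4 |
| Subnet # (octets 3 & 4) | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |
| | | | | | | | 1.4 |
| | | | | | | 1.8 | 1.8 |
| | | | | | | | 1.12 |
| | | | | | 1.16 | 1.16 | 1.16 |
| | | | | | | | 1.20 |
| | | | | | | 1.24 | 1.24 |
| | | | | | | | 1.28 |
| | | | | 1.32 | 1.32 | 1.32 | 1.32 |
| | | | | | | | 1.36 |
| | | | | | | 1.40 | 1.40 |
| | | | | | | | 1.44 |
| | | | | | 1.48 | 1.48 | 1.48 |
| | | | | | | | 1.52 |
| | | | | | | 1.56 | 1.56 |
| | | | | | | | 1.60 |
| | | | 1.64 | 1.64 | 1.64 | 1.64 | 1.64 |
| | | | | | | | 1.68 |
| | | | | | | 1.72 | 1.72 |
| | | | | | | | 1.76 |
| | | | | | 1.80 | 1.80 | 1.80 |
| | | | | | | | 1.84 |
| | | | | | | 1.88 | 1.88 |
| | | | | | | | 1.92 |
| | | | | 1.96 | 1.96 | 1.96 | 1.96 |
| | | | | | | | 1.100 |
| | | | | | | 1.104 | 1.104 |
| | | | | | | | 1.108 |
| | | | | | 1.112 | 1.112 | 1.112 |
| | | | | | | | 1.116 |
| | | | | | | 1.120 | 1.120 |
| | | | | | | | 1.124 |
| | | 1.128 | 1.128 | 1.128 | 1.128 | 1.128 | 1.128 |
| | | | | | | | 1.132 |
| | | | | | | 1.136 | 1.136 |
| | | | | | | | 1.140 |
| | | | | | 1.144 | 1.144 | 1.144 |
| | | | | | | | 1.148 |
| | | | | | | 1.152 | 1.152 |
| | | | | | | | 1.156 |
| | | | | 1.160 | 1.160 | 1.160 | 1.160 |
| | | | | | | | 1.164 |
| | | | | | | 1.168 | 1.168 |
| | | | | | | | 1.172 |
| | | | | | 1.176 | 1.176 | 1.176 |
| | | | | | | | 1.180 |
| | | | | | | 1.184 | 1.184 |
| | | | | | | | 1.188 |
| | | | 1.192 | 1.192 | 1.192 | 1.192 | 1.192 |
| | | | | | | | 1.196 |
| | | | | | | 1.200 | 1.200 |
| | | | | | | | 1.204 |
| | | | | | | 1.208 | 1.208 |
| | | | | | | | 1.212 |
| | | | | | | 1.216 | 1.216 |
| | | | | | | | 1.220 |
| | | | | 1.224 | 1.224 | 1.224 | 1.224 |
| | | | | | | | 1.228 |
| | | | | | | 1.232 | 1.232 |
| | | | | | | | 1.236 |
| | | | | | 1.240 | 1.240 | 1.240 |
| | | | | | | | 1.244 |
| | | | | | | 1.248 | 1.248 |
| | | | | | | | 1.252 |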

Possible Solution

| Color code | Area / VLAN | Block size | Subnet / Prefix |
|---|---|---|---|
| | R2 VLAN 12 | 128 | 192.168.1.0/25 |
| | R2 VLAN 11 | 64 | 192.168.1.128/26 |
| | HQ Network | 32 | 192.168.1.192/27 |
| | R2 VLAN 1 | 8 | 192.168.1.224/27 |
| | R2/HQ WAN link | 4 | 192.168.1.232/27 |
| | Unused addresses | 20 | |
| Total | | 256 | |
