CCNA 4 Connecting Networks V6.0 – CN Practice Skills Assessment – PT
CCNA Routing and Switching Connecting Networks
Skill-Based Assessment – Packet Tracer
FORM 0
A few things to keep in mind while completing this activity:
- Do not use the browser Back button or close or reload any Exam windows during the exam.
- Do not close Packet Tracer when you are done. It will close automatically.
- Click the Submit Assessment button to submit your work.
Objectives
In this Packet Tracer Skills Based Assessment, you will do as follows:
- Configure PPP encapsulation and CHAP authentication for serial links.
- Configure a GRE tunnel.
- Configure OSPF.
- Configure BGP.
- Configure standard and extended IPv4 ACLs.
- Configure IPv6 ACLs.
For the sake of time, many repetitive, but important, configuration tasks have been omitted from this assessment. Many of these tasks, especially those related to security, are essential elements of a network configuration. The intent of this activity is not to diminish the importance of full device configurations.
The IP addresses for all the devices have been configured and some of the routing configurations are already completed in this activity.
You are required to configure the devices as follows:
Branch:
- Configure PPP and CHAP authentication on the appropriate interface.
- Configure GRE tunnel.
- Configure OSPF.
- Configure standard IPv4 ACL.
Customer:
- Configure standard IPv4 ACLs.
HQ:
- Configure PPP and CHAP authentication on the appropriate interface.
- Configure GRE tunnel.
- Configure OSPF.
- Configure standard and extended IPv4 ACLs.
- Configure IPv6 ACLs.
Note: All the routers in AS 65001 are locked and no configurations are performed by the students. Furthermore, all the switches are pre-configured.
Addressing Table
Instructions
Step 1: Configure PPP encapsulation and authentication.
- Configure PPP encapsulation for the link between HQ and ISP1 and the link between Branch and ISP1.
- Configure CHAP authentication between the links.
- Configure the correct username and the password cisco123 for CHAP authentication on both HQ and Branch.
Step 2: Configure a GRE tunnel with routing.
- Configure a GRE tunnel between HQ and Branch.
- Configure OSPF 1 to route the traffic between the LANs of HQ and Branch through the GRE tunnel. Summarize the networks attached to Branch.
Step 3: Configure BGP.
Configure BGP between ISP1 in the Internet cluster and the 209.165.202.128/27 network on HQ.
- Use AS number 65020 for HQ.
- Configure ISP1 as the BGP neighbor.
- Only advertise the 209.165.202.128/27 network into BGP.
Step 4: Configure ACLs for NAT.
- Configure a standard access list numbered 1 on Branch to allow NAT for hosts in network 192.168.0.0 /23.
- Configure a standard access list numbered 1 on HQ to allow NAT for hosts in network 192.168.2.0 /24.
- Configure a standard access list numbered 1 on Customer to allow NAT for hosts in network 192.168.3.0 /24.
Step 5: Configure a standard ACL to restrict remote access to the Customer router.
A standard ACL named VTY_ADMIN is configured to limit access via VTY to the Customer router. This ACL will only allow hosts from the LAN attached to the G0/1 interface and the hosts from the LANs on Branch router to access the Customer router. All the other connections to VTY should fail.
- Configure one ACL named VTY_ADMIN with three ACEs in the following order:
  - Allow any hosts from the LAN attached to the G0/1 interface of the Customer router to access the router.
  - Allow the hosts from the LANs in the Branch network to access the Customer router remotely.
  - All other remote connections are denied.
- Apply the ACL to the appropriate interface.
Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.
Step 6: Configure an extended ACL to restrict access to the HQ LAN.
- Configure an extended ACL named HTTP_ACCESS that allows Branch LANs, Customer LANs and the LAN inside HQ to access HQ-Server via the web browser.
- Configure this ACL with the following 5 ACEs in the following order:
  - Allow the hosts from the Branch network to access the HQ-Server.
  - Allow the hosts from the Customer LANs to access the HQ-Server.
  - Allow the internal network 192.168.2.0 /24 to access the HQ-Server.
  - Allow ICMP replies to HQ-Server from any networks.
  - Explicitly deny all other traffic from accessing the HQ-Server.
- Apply the ACL to the HQ G0/1 interface.
Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.
Step 7: Configure an IPv6 access list to restrict access to the HQ LAN.
- Configure an IPv6 access list named HTTP6_ACCESS that allows Branch LANs, Customer LANs and the LAN inside HQ to access HQ-Server via the web browser.
- Configure this ACL with the following 6 ACEs in the following order:
  - Allow the hosts from the Branch (2001:DB8:ACAD::/64) to access the HQ-Server.
  - Allow the hosts from the Branch (2001:DB8:ACAD:1::/64) to access the HQ-Server.
  - Allow the hosts from the Customer LANs to access the HQ-Server.
  - Allow the internal network 2001:DB8:ACAD:2::/64 to access the HQ-Server.
  - Allow ICMP from HQ-Server to the other networks.
  - Explicitly deny all other traffic from accessing the HQ-Server.
- Apply the ACL to the HQ G0/1 interface.
Answers – Instructions
On Router: HQ – Main – Corp (Note: Username & Password for CHAP authentication)
en
conf ter
username ISP1 password cisco123
! (or Cisco or cisco321)
int s0/0/0
 encapsulation ppp
 ppp authentication chap
 exit
interface tunnel 0
 ip address 172.16.1.1 255.255.255.252
 tunnel source s0/0/0
 tunnel destination 209.165.200.225
 exit
router ospf 1
 network 192.168.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0
 exit
router bgp 65020
 network 209.165.202.128 mask 255.255.255.224
 neighbor 209.165.200.230 remote-as 65001
 exit
access-list 1 permit 192.168.2.0 0.0.0.255
ip access-list extended HTTP_ACCESS
 permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
 permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
 permit tcp 192.168.2.0 0.0.0.255 host 209.165.202.158 eq 80
 permit icmp any host 209.165.202.158 echo-reply
 deny ip any any
int g0/1
 ip access-group HTTP_ACCESS out
 exit
ipv6 access-list HTTP6_ACCESS
 permit tcp host 2001:DB8:ACAD:C::225 host 2001:DB8:ACAD:B::158 eq 80
 permit tcp host 2001:DB8:ACAD:E::238 host 2001:DB8:ACAD:B::158 eq 80
 permit tcp 2001:DB8:ACAD:2::/64 host 2001:DB8:ACAD:B::158 eq 80
 permit icmp any host 2001:DB8:ACAD:B::158 echo-reply
 deny ip any any
interface g0/1
 ipv6 traffic-filter HTTP6_ACCESS out
On Router: Branch – Remote – Branch1 (Note: Username & Password for CHAP authentication)
en
conf ter
username ISP1 password cisco123
! (or Cisco or cisco321)
int s0/0/0
 encapsulation ppp
 ppp authentication chap
 exit
interface tunnel 0
 ip address 172.16.1.2 255.255.255.252
 tunnel source s0/0/0
 tunnel destination 209.165.200.229
 exit
router ospf 1
 network 192.168.0.0 0.0.1.255 area 0
 network 172.16.1.0 0.0.0.3 area 0
 exit
access-list 1 permit 192.168.0.0 0.0.1.255
On Router: Customer – Other – Branch2
en
conf ter
access-list 1 permit 192.168.3.0 0.0.0.255
ip access-list standard VTY_ADMIN
 permit 192.168.3.0 0.0.0.255
 permit 209.165.200.225 0.0.0.3
 deny any
line vty 0 4
 access-class VTY_ADMIN in
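The VTY_ADMIN and HTTP_ACCESS entries above can be checked offline with a small first-match evaluator that applies IOS wildcard-mask matching and the implicit deny. This is an added example, not part of the original assessment or its answer key; the function names (`wc_match`, `parse_spec`, `parse_ace`, `evaluate`) are hypothetical, and it models only the IPv4 ACE forms used on this page.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_spec(tok):  # consume one address spec: 'any', 'host A' or 'A WILDCARD'
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse a standard ACE (source only) or an extended ACE."""
    action, *rest = line.split()
    ace = {"action": action, "proto": "ip", "dst": ANY, "port": None, "icmp": None}
    if rest[0] in ("ip", "tcp", "udp", "icmp"):
        ace["proto"], rest = rest[0], rest[1:]
    ace["src"], rest = parse_spec(rest)
    if rest:                               # extended ACEs also carry a destination
        ace["dst"], rest = parse_spec(rest)
    if rest[:1] == ["eq"]:
        ace["port"] = int(rest[1])
    elif rest:
        ace["icmp"] = rest[0]              # ICMP message name, e.g. echo-reply
    return ace

def evaluate(acl, src, dst="0.0.0.0", proto="ip", port=None, icmp=None):
    """Return (action, matching line); first match wins, else implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", proto)
                and wc_match(src, *ace["src"]) and wc_match(dst, *ace["dst"])
                and ace["port"] in (None, port) and ace["icmp"] in (None, icmp)):
            return ace["action"], line
    return "deny", "(implicit deny)"

# ACEs copied from the answer section above.
VTY_ADMIN = ["permit 192.168.3.0 0.0.0.255", "permit 209.165.200.225 0.0.0.3", "deny any"]
HTTP_ACCESS = """\
permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
permit tcp 192.168.2.0 0.0.0.255 host 209.165.202.158 eq 80
permit icmp any host 209.165.202.158 echo-reply
deny ip any any""".splitlines()
```

For instance, `evaluate(VTY_ADMIN, "209.165.200.229")` lands on `deny any`, because the wildcard 0.0.0.3 covers only 209.165.200.224 through 209.165.200.227, and a TCP probe to port 443 on HQ-Server falls through to `deny ip any any`.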