EWAN Student Lab Skills Based Assessment Answer Key

Procedural Lab Template, Student Version, Required Components

CCNA ExplorationAccessing the WAN: Skills Based Assessment

Student Skills Based Assessment Answer Key

CCNA Exploration: Accessing the WAN Student Skills Based Assessment Lab (Answer Key)Topology Diagram

Addressing Table

DeviceInterfaceIP AddressSubnet MaskDefault Gateway

R1Fa0/110.0.0.1255.255.255.128N/A

S0/0/0172.16.0.1255.255.255.252N/A

S0/0/1172.16.0.9255.255.255.252N/A

R2Lo0209.165.200.161255.255.255.224N/A

S0/0/0172.16.0.2255.255.255.252N/A

S0/0/1172.16.0.5255.255.255.252N/A

R3Fa0/110.0.0.129255.255.255.128N/A

S0/0/0172.16.0.10255.255.255.252N/A

S0/0/1172.16.0.6255.255.255.252N/A

PC1NIC10.0.0.10255.255.255.12810.0.0.1

PC3NIC10.0.0.139255.255.255.12810.0.0.129

Learning ObjectivesTo complete this lab: Cable a network according to the topology diagram

Erase the startup configuration and reload a router to the default state Perform basic configuration tasks on a router Configure and activate interfaces Configure and activate serial interfaces (PPP with CHAP, HDLC, and Frame Relay)

Configure RIP on all the routers

Configure basic router security

Configure ACLs

Configure basic NATScenarioThis lab tests you on the skills and knowledge that you learned in Exploration 4. Use cisco for all passwords in this lab, except for the enable secret password, which is class.

Task 1: Prepare the Network

Step 1: Cable a network that is similar to the one in the topology diagram.

Step 2: Clear any existing configurations on the routers.

Task 2: Perform Basic Device Configurations

Configure the R1, R2, and R3 routers according to the following guidelines:

Configure the router hostname.

Disable DNS lookup.

Configure an EXEC mode password.

Configure a message-of-the-day banner.

Configure a password for console connections. Configure synchronous logging. Configure a password for vty connections.enableconfigure terminalno ip domain-lookupenable secret classbanner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C!!line con 0 exec-timeout 0 0 logging synchronous password cisco login!line vty 0 4password ciscologinendcopy running-config starting-config

Task 3: Configure and Activate Serial and Ethernet Addresses

Step 1: Configure interfaces on R1, R2, and R3.R1:

interface FastEthernet0/1

ip address 10.0.0.1 255.255.255.128 no shutdown!

interface Serial0/0/0

ip address 172.16.0.1 255.255.255.252

clockrate 125000

no shutdown!


ip address 172.16.0.9 255.255.255.252

no shutdown

!

R2:

interface Loopback0

ip address 209.165.200.161 255.255.255.224

!


ip address 172.16.0.2 255.255.255.252

no shutdown!


ip address 172.16.0.5 255.255.255.252

clockrate 125000 no shutdown!R3:


ip address 10.0.0.129 255.255.255.128

no shutdown!


ip address 172.16.0.10 255.255.255.252

clockrate 125000

no shutdown

!


ip address 172.16.0.6 255.255.255.252

no shutdown!

Step 2: Verify IP addressing and interfaces.R1:

R1#show ip interface briefInterface IP-Address OK? Method Status Protocol

FastEthernet0/0 unassigned YES unset administratively down down

FastEthernet0/1 10.0.0.1 YES manual up up

Serial0/0/0 172.16.0.1 YES manual up up


Serial0/1/0 unassigned YES unset administratively down down


R2:

R2#show ip interface brief

Interface IP-Address OK? Method Status Protocol







Loopback0 209.165.200.161 YES manual up upR3:

R3#show ip interface briefInterface IP-Address OK? Method Status Protocol


FastEthernet0/1 10.0.0.129 YES manual up up



Step 3: Configure the PC1 and PC3 Ethernet interfaces.Step 4: Test connectivity between the PCs and routers.Task 4: Configure Serial Interfaces

Step 1: Configure and verify PPP encapsulation with CHAP authentication between R1 and R2. The password is cisco.R1:

username R2 password cisco!interface Serial0/0/0

encapsulation ppp

ppp authentication chap

!R2:

username R1 password 0 cisco


encapsulation ppp


!R1:

R1#show interfaces S0/0/0

Serial0/0/0 is up, line protocol is up

Hardware is GT96K Serial

Internet address is 172.16.0.1/30

MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Listen: CDPCP

Open: IPCP, loopback not set

Keepalive set (10 sec)

R2:







Encapsulation PPP, LCP Open

Open: IPCP, loopback not set


Step 2: Configure and verify HDLC encapsulation between R2 and R3.

!no extra configuration is needed, The default encapsulation is HDLC

R2:

R2#show interfaces S0/0/1Serial0/0/1 is up, line protocol is up





Encapsulation HDLC, loopback not set


R3:







Encapsulation HDLC, loopback not set


Step 3: Configure Frame Relay between R1 and R3.

R1:


encapsulation frame-relay

frame-relay map ip 172.16.0.9 103

frame-relay map ip 172.16.0.10 103 broadcast!

R3:

frame-relay switching



clockrate 125000

frame-relay map ip 172.16.0.9 103 broadcast


frame-relay intf-type dce

!

R1:

R1#show interfaces S0/0/1Serial0/0/1 is up, line protocol is up





Encapsulation FRAME-RELAY, loopback not set


!

R3:







Encapsulation FRAME-RELAY, loopback not set


!Task 5: Configure RIP

Step 1: Configure RIP on R1, R2, and R3.

RIP updates should only be sent on the serial links between the routers. Prevent all other RIP updates on all networks.R1:

router rip

version 2

passive-interface default

no passive-interface Serial0/0/0


network 10.0.0.0

network 172.16.0.0

no auto-summary!

R2:

router rip




network 172.16.0.0

network 209.165.200.0

no auto-summary!

R3:

router rip

version 2




network 10.0.0.0

network 172.16.0.0

no auto-summary!Step 2: Test connectivity with the ping command.

R1:

R1#ping 10.0.0.10Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms



!!!!!


R1#ping 10.0.0.139

Type escape sequence to abort.


!!!!!


R1#ping 172.16.0.2



!!!!!


R1#ping 172.16.0.5



!!!!!




!!!!!




!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 msR2:

R2#ping 10.0.0.1



!!!!!


R2#ping 10.0.0.10



!!!!!




!!!!!


R2#ping 10.0.0.139



!!!!!


R2#ping 172.16.0.1



!!!!!




!!!!!




!!!!!




!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 msR3:



!!!!!




!!!!!


R3#ping 10.0.0.139



!!!!!


R3#ping 172.16.0.1



!!!!!




!!!!!




!!!!!


R3#ping 172.16.0.9



!!!!!


Step 3: Verify the routing table with the appropriate command.

R1:

R1#show ip route Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

C 172.16.0.8/30 is directly connected, Serial0/0/1

R 172.16.0.4/30 [120/1] via 172.16.0.10, 00:00:08, Serial0/0/1



10.0.0.0/25 is subnetted, 2 subnets

C 10.0.0.0 is directly connected, FastEthernet0/1

R 10.0.0.128 [120/1] via 172.16.0.10, 00:00:08, Serial0/0/1R2:

R2#show ip route

Gateway of last resort is not set


R 172.16.0.8/30 [120/1] via 172.16.0.6, 00:00:27, Serial0/0/1

[120/1] via 172.16.0.1, 00:00:25, Serial0/0/0





C 209.165.200.160 is directly connected, Loopback0


R 10.0.0.0 [120/1] via 172.16.0.1, 00:00:25, Serial0/0/0

R 10.0.0.128 [120/1] via 172.16.0.6, 00:00:27, Serial0/0/1R3:

R3#show ip route

Gateway of last resort is not set




R 172.16.0.0/30 [120/1] via 172.16.0.9, 00:00:03, Serial0/0/0

R 172.16.0.2/32 [120/1] via 172.16.0.9, 00:00:03, Serial0/0/0


R 10.0.0.0 [120/1] via 172.16.0.9, 00:00:03, Serial0/0/0

C 10.0.0.128 is directly connected, FastEthernet0/1

Task 6: Configure Basic Router Security

Step 1: Enable a secure Telnet login using a local database on R2.

aaa new-model

!

aaa authentication login Auth_Local local

!

line con 0 login authentication Auth_Local

logging synchronous

line vty 0 4

login authentication Auth_Local

Step 2: Disable unused services and interfaces on R2.

no service padno service finger

no service tcp-small-server

no service udp-small-server

no ip http serverno ip bootp server

no ip finger

no ip source-route

no ip gratuitous-arpsinterface FastEthernet0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp no ip directed-broadcast shutdown

!


no ip address

no ip redirects

no ip unreachables

no ip proxy-arp no ip directed-broadcast shutdown

!


no ip redirects

no ip unreachables

no ip proxy-arp

no ip directed-broadcast!


no ip redirects

no ip unreachables

no ip proxy-arp

no ip directed-broadcast!Step 3: Confirm that R2 is secured.

R1#telnet 172.16.0.2

Trying 172.16.0.2 ... Open

User Access Verification

Username: R1

Password: cisco% Authentication failed

Username: R1

Password: cisco

R2#Task 7: Configure Access Control Lists

Step 1: Allow telnet to R1 and R3 from R2 only.R1:

ip access-list standard telnet

permit 172.16.0.5

permit 172.16.0.1

permit 172.16.0.2

! line vty 0 4

access-class telnet in

!

R3:


permit 172.16.0.5

permit 172.16.0.1

permit 172.16.0.2

! line vty 0 4


!Step 2: Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.

!Students should recognize that an extended access list is needed and that it should be placed on the Internet facing interface.

R2:

ip access-list extended PC1-in

deny tcp any host 10.0.0.10 eq ftp

deny tcp any host 10.0.0.10 eq ftp-data

deny tcp any host 10.0.0.10 eq telnet

deny tcp any host 10.0.0.10 eq www

permit ip any any

!interface Loopback0

ip access-group PC1-in in

!

Step 3: Do not allow PC1 to receive traffic from the 10.0.0.128 /25 network.R1:

ip access-list extended pc3-out

deny ip 10.0.0.128 0.0.0.127 any

permit ip any any

!interface FastEthernet0/1

ip access-group pc3-out out!

Step 4: Verify that PC3 cannot ping PC1, but can ping 10.0.0.1.

C:\ >ping 10.0.0.10

Pinging 10.10.10.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.10.10.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),C:\ >ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: bytes=32 time=1ms TTL=255





Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 2ms, Average = 1ms

Task 8: Configure NAT.

Step 1: Configure NAT to allow PC3 to ping PC1.

R3:

ip nat inside source list NAT interface Serial0/0/1 overload

!

ip access-list standard NAT

permit 10.0.0.128 0.0.0.127!


ip nat inside


ip nat outside

!


ip nat outside

!

Step 2: Verify that PC3 can reach PC1.

C:\ >ping 10.0.0.10Pinging 10.0.0.10 with 32 bytes of data:






Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 2ms, Average = 1ms

Task 9: Document the Router ConfigurationsR1:

!

hostname R1

!

boot-start-marker

boot-end-marker

!

enable secret class!

ip cef

!

no ip domain lookup

!


!


no ip address

shutdown

!


ip address 10.0.0.1 255.255.255.128

ip access-group PC3-out out

!


ip address 172.16.0.1 255.255.255.252

encapsulation ppp

clockrate 125000


!


ip address 172.16.0.9 255.255.255.252




!

router rip

version 2




network 10.0.0.0

network 172.16.0.0

no auto-summary

!


permit 172.16.0.5

permit 172.16.0.2

!

ip access-list extended pc3-out

deny ip 10.0.0.128 0.0.0.127 any

permit ip any any

!

line con 0

exec-timeout 5 0

password cisco logging synchronous

line aux 0

line vty 0 4


password cisco!

endR2:

no service pad

service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

enable secret class!

aaa new-model

!

!

aaa authentication login Auth_Local local

!

aaa session-id common

!

no ip source-route

no ip gratuitous-arps

ip cef

!

no ip bootp server

no ip domain lookup

!


username ccna password 0 cisco

!

interface Loopback0

ip address 209.165.200.161 255.255.255.224

ip access-group PC1-in in

!


no ip address

no ip redirects

no ip unreachables

no ip proxy-arp no ip directed-broadcast

shutdown!


no ip address

no ip redirects

no ip unreachables


shutdown

!


ip address 172.16.0.2 255.255.255.252

no ip redirects

no ip unreachables


encapsulation ppp


!


ip address 172.16.0.5 255.255.255.252

no ip redirects

no ip unreachables


clockrate 125000

!

router rip




network 172.16.0.0

network 209.165.200.0

no auto-summary

!

no ip http server

!

ip access-list extended PC1-in

deny tcp any host 10.0.0.10 eq ftp

deny tcp any host 10.0.0.10 eq ftp-data

deny tcp any host 10.0.0.10 eq telnet

deny tcp any host 10.0.0.10 eq www

permit ip any any

!

no cdp run

!

line con 0

exec-timeout 5 0

logging synchronous

line aux 0

line vty 0 4 exec-timeout 5 0

login authentication Auth_Local

!

endR3:

hostname R3

!

no ip domain lookup

frame-relay switching

!


no ip address

shutdown

!


ip address 10.0.0.129 255.255.255.128

ip nat inside

!


ip address 172.16.0.10 255.255.255.252

ip nat outside


clockrate 125000



no frame-relay inverse-arp

frame-relay intf-type dce

!


ip address 172.16.0.6 255.255.255.252

ip nat outside

!

router rip

version 2




network 10.0.0.0

network 172.16.0.0

no auto-summary

!

ip nat inside source list NAT interface Serial0/0/1 overload

!

ip access-list standard NAT

permit 10.0.0.128 0.0.0.127


permit 172.16.0.5

permit 172.16.0.2

!

line con 0

exec-timeout 5 0

password cisco logging synchronous

line aux 0

line vty 0 4


password cisco!

end

Task 10: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or to the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.Page 1 of 18All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.Page 2 of 18

Documents

EWAN Student Lab Skills Based Assessment Answer Key