CCNA-2 Skills Based Assessment

IOS Skills you must retain after CTS1651

Tasks:
1. Perform Standard Global and Line Configurations
2. Subnet a given Network to provide the required Networks
3. Configure IP Addresses on Interfaces and connect Cables
4. Configure Switch Security, VLANs and Inter-VLAN Routing
5. Configure OSPF Single Area Routing
6. Configure Network Address Translation: Static and Dynamic NAT with PAT
7. Configure DHCP
8. Configure Standard and Extended Access Control Lists (ACLs)

Device    Interface          Description                   IP Address       Mask
--------  -----------------  ----------------------------  ---------------  ----
ISP       Serial Link        Default Route to Internet     200.0.22.1       /28
DMZ-22    Loopback 1         Router-ID                     10.0.22.1        /32
DMZ-22    Serial 0/0/0       DTE – Bandwidth: 2000 kbps    200.0.22.2       /28
DMZ-22    FAST 0/0           DMZ to HQ (via CENTRAL)       192.168.22.1     /29
HQ-22     Loopback 2         Router-ID                     10.0.22.2        /32
HQ-22     GIG 0/0            HQ to DMZ (via CENTRAL)       192.168.22.2     /29
HQ-22     GIG 0/1            HQ to CAFE (Crossover)        192.168.22.129   /30
HQ-22     GIG 0/2            Trunk to SALES Switch         No IP Address
HQ-22     GIG 0/2.99         VLAN 99: Management (Native)  192.168.22.17    /28
HQ-22     GIG 0/2.22         VLAN 22: STAFF                192.168.22.33    /27
HQ-22     GIG 0/2.122        VLAN 122: SALES               192.168.22.65    /26
SALES-22  Interface VLAN 99  VLAN 99: Management (Native)  192.168.22.19    /28
STAFF-22  Interface VLAN 99  VLAN 99: Management (Native)  192.168.22.20    /28
CAFE-22   Loopback 3         Router-ID                     10.0.22.3        /32
CAFE-22   GIG 0/0            CAFE to HQ Link (Crossover)   192.168.22.130   /30
CAFE-22   GIG 0/1            CORE Network                  192.168.22.225   /27
Laptop    NIC                CORE Network                  DHCP
CORP      Corporate Access   CORE Network                  192.168.22.230   /27

NOTES:
1. Secret Password is: class
2. All other Passwords: cisco
3. VTY Username is: admin
4. DNS Server is at: 147.70.101.102
5. DNS named records: Google.com and Yahoo.com
6. Maximum Time Limit: 90 Minutes

ADVANCED CONFIGURATIONS:
A. OSPF ROUTING on ALL Routers
   a. Verify Loopback Interfaces and Router-ID; if changed, execute: clear ip ospf process
   b. In OSPF configuration, set the auto-cost reference-bandwidth to 1000
   c. On Interfaces, configure Bandwidth values to reflect actual Link speed
   d. On HQ Router: Configure OSPF Priority to 5 on the GIG 0/0 Interface to the CENTRAL Switch
   e. On CAFE: Configure a Static Route to 147.70.0.0 255.255.255.0 via CORP at: 192.168.22.230
   f. Propagate the Default Route on DMZ, and the Static Route on CAFE
   g. Set a passive-interface for HQ Interface GIG 0/2.99 (VLAN 99)
B. DHCP on CAFE Router on CORE Network, so Customers get an IP Address Automatically
   a. On CAFE Router, exclude the first ten (10) Host IP Addresses on CORE Network
   b. Create a DHCP Pool for CUSTOMERS, naming the Pool: CUSTOMER-POOL
      i. Default Router is the IP Address on CAFE Router
      ii. DNS Server is: 147.70.101.102
      iii. NetBIOS-name-server is: 147.70.10.35
      iv. Domain-Name is your: LASTNAME.NET
      v. Configure the DHCP Lease for 1 day, 2 hours and 3 minutes
C. NETWORK ADDRESS TRANSLATION on DMZ Router:
   a. STATIC NAT Translation for your STAFF Switch: 192.168.22.20
      i. STAFF Switch should translate to: 200.0.22.3
      ii. DYNAMIC NAT Translation on the INTERFACE connected to ISP:
         1. Configure a NAT Translation for the SERIAL Interface, with OVERLOAD
         2. Configure Access-List 1 to permit NAT for users on Network: 192.168.22.0 /24
   b. DYNAMIC NAT Translation using a NAT-POOL:
      i. Configure a NAT POOL named SALES-POOL, using the remaining IP Addresses: 200.0.22.4 - 200.0.22.14
      ii. Configure a NAT Translation for this NAT POOL with OVERLOAD
      iii. Configure Access-List 2 to permit NAT for SALESMEN on Network: 192.168.22.64 /26
D. On HQ Router: Configure ACL 122 to filter inbound traffic from CAFE Router, as follows:
   a. PERMIT TCP any any established
   b. ALLOW any inbound IP traffic from Network 192.168.22.224 255.255.255.224
   c. ALLOW any inbound IP traffic from 147.70.0.0 /16
   d. Block all inbound IP traffic from Network: 41.136.0.0 255.255.0.0
   e. Block all inbound Telnet traffic
   f. ALLOW any inbound ICMP traffic into your Network
   g. ALLOW any inbound TFTP traffic into your Network
   h. ALLOW any inbound SSH traffic
   i. Block all inbound IP traffic from Network 172.16.0.0 255.255.255.0
   j. Block any inbound TCP traffic from Ports greater than 1023
   k. Apply the ACL on the inbound Interface connecting your HQ Router to CAFE Router
E. LAPTOP:
   a. Obtains an IP Address from CAFE Router automatically, via DHCP
   b. Can ping GOOGLE.COM through NAT on your DMZ Router (verify with traceroute)
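
How the ACL 122 entries a through j behave when entered in the order listed, as an added example that is not part of the original handout: a small first-match evaluator in Python. The `established` flag, the reading of entry j as source ports, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Entries a-j of ACL 122 in the order listed; the first match wins.
# (label, action, protocol, source network, extra test or None)
ACL_122 = [
    ("a", "permit", "tcp",  ANY, lambda p: p.get("established", False)),
    ("b", "permit", "ip",   "192.168.22.224/27", None),
    ("c", "permit", "ip",   "147.70.0.0/16", None),
    ("d", "deny",   "ip",   "41.136.0.0/16", None),
    ("e", "deny",   "tcp",  ANY, lambda p: p.get("dport") == 23),   # Telnet
    ("f", "permit", "icmp", ANY, None),
    ("g", "permit", "udp",  ANY, lambda p: p.get("dport") == 69),   # TFTP
    ("h", "permit", "tcp",  ANY, lambda p: p.get("dport") == 22),   # SSH
    ("i", "deny",   "ip",   "172.16.0.0/24", None),
    ("j", "deny",   "tcp",  ANY, lambda p: p.get("sport", 0) > 1023),  # assumed: source port
]

def evaluate(packet, acl=ACL_122):
    """Return (action, label) of the first entry that matches the packet."""
    src = ipaddress.ip_address(packet["src"])
    for label, action, proto, net, extra in acl:
        if proto not in ("ip", packet["proto"]):
            continue                      # protocol keyword does not match
        if src not in ipaddress.ip_network(net):
            continue                      # source address outside the entry
        if extra is not None and not extra(packet):
            continue                      # port or "established" test failed
        return action, label
    return "deny", "implicit"             # implicit deny that ends every ACL

# Constructed sample packets (not from the handout).
SAMPLES = {
    "telnet from CORP": {"src": "192.168.22.230", "proto": "tcp", "sport": 40000, "dport": 23},
    "telnet from outside": {"src": "203.0.113.9", "proto": "tcp", "sport": 40000, "dport": 23},
    "ping from 41.136/16": {"src": "41.136.5.5", "proto": "icmp"},
    "ping from 172.16.0/24": {"src": "172.16.0.7", "proto": "icmp"},
    "tcp reply from 41.136/16": {"src": "41.136.1.1", "proto": "tcp", "sport": 443,
                                 "dport": 50000, "established": True},
    "dns reply over udp": {"src": "198.51.100.53", "proto": "udp", "sport": 53, "dport": 50000},
}

def verdicts():
    """Evaluate every sample packet and return {name: (action, label)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, label) in verdicts().items():
        print(f"{name:26} -> {action:6} (entry {label})")
```

With this ordering, entry b permits Telnet from the CORE Network before entry e is reached, and entry f permits ICMP from 172.16.0.0/24 before entry i. Traffic that matches none of the ten entries, such as the UDP sample, falls through to the implicit deny.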
On the Switches:
A. Security on all Access Ports
a. Enable Port-Security
b. Maximum MAC Addresses on each Switchport is 3, and make them Sticky
c. Violation Mode is SHUTDOWN
B. Trunks are Native VLAN 99
C. Port Assignments:

VLAN  VLAN Name            Access Ports     Trunk Ports
----  -------------------  ---------------  -----------
99    MANAGEMENT (Native)  FAST 0/24        GIG 0/1 – 2
22    STAFF                FAST 0/1 – 10    N/A
122   SALES                FAST 0/11 – 23   N/A