CCNA-2 Skills Based Assessment
IOS Skills you must retain after CTS1651

Tasks:
1. Perform Standard Global and Line Configurations
2. Subnet a given Network to provide the required Networks
3. Configure IP Addresses on Interfaces and connect Cables
4. Configure Switch Security, VLANs and Inter-VLAN Routing
5. Configure OSPF Single Area Routing
6. Configure Network Address Translation: Static and Dynamic NAT with PAT
7. Configure DHCP
8. Configure Standard and Extended Access Control Lists (ACLs)

Addressing Table (labels from the topology diagram):

Device     Interface           Description                        IP Address
ISP        Serial Link         Default Route to Internet          200.0.22.1 /28
DMZ-22     Loopback 1          Router-ID                          10.0.22.1 /32
           Serial 0/0/0        DTE - Bandwidth: 2000 kbps         200.0.22.2 /28
           FAST 0/0            DMZ to HQ (via CENTRAL)            192.168.22.1 /29
HQ-22      Loopback 2          Router-ID                          10.0.22.2 /32
           GIG 0/0             HQ to DMZ (via CENTRAL)            192.168.22.2 /29
           GIG 0/1             HQ to CAFE (Crossover)             192.168.22.129 /30
           GIG 0/2             Trunk to SALES Switch              No IP Address
           GIG 0/2.99          VLAN 99: Management (Native)       192.168.22.17 /28
           GIG 0/2.22          VLAN 22: STAFF                     192.168.22.33 /27
           GIG 0/2.122         VLAN 122: SALES                    192.168.22.65 /26
SALES-22   Interface VLAN 99   VLAN 99: Management (Native)       192.168.22.19 /28
STAFF-22   Interface VLAN 99   VLAN 99: Management (Native)       192.168.22.20 /28
CAFE-22    Loopback 3          Router-ID                          10.0.22.3 /32
           GIG 0/0             CAFE to HQ Link (Crossover)        192.168.22.130 /30
           GIG 0/1             CORE Network                       192.168.22.225 /27
Laptop     NIC                 CORE Network                       DHCP
CORP       Corporate Access    CORE Network                       192.168.22.230 /27

NOTES:
1. Secret Password is: class
2. All other Passwords: cisco
3. VTY Username is: admin
4. DNS Server is at: 147.70.101.102
5. DNS named records: Google.com and Yahoo.com
6. Maximum Time Limit: 90 Minutes

ADVANCED CONFIGURATIONS:

A. OSPF ROUTING on ALL Routers
   a. Verify Loopback Interfaces and Router-ID; if changed, execute: clear IP OSPF Process
   b. In OSPF configuration, set the auto-cost reference-bandwidth to 1000
   c. On Interfaces, configure Bandwidth values to reflect actual Link speed
   d. On HQ Router: Configure OSPF Priority to 5 on the GIG 0/0 Interface to CENTRAL Switch
   e. On CAFE: Configure a Static Route to 147.70.0.0 255.255.255.0 via CORP at: 192.168.22.230
   f. Propagate the Default Route on DMZ, and the Static Route on CAFE
   g. Set a passive-interface for HQ Interface GIG 0/2.99 (VLAN 99)

B. DHCP on CAFE Router on CORE Network, so Customers get an IP Address Automatically
   a. On CAFE Router, exclude the first ten (10) Host IP Addresses on CORE Network
   b. Create a DHCP Pool for CUSTOMERS, naming the Pool: CUSTOMER-POOL
      i.   Default Router is the IP Address on CAFE Router
      ii.  DNS Server is: 147.70.101.102
      iii. NetBIOS-name-server is: 147.70.10.35
      iv.  Domain-Name is your: LASTNAME.NET
      v.   Configure the DHCP Lease for 1 day, 2 hours and 3 minutes

C. NETWORK ADDRESS TRANSLATION on DMZ Router:
   a. STATIC NAT Translation for your STAFF Switch: 192.168.22.20
      i.  STAFF Switch should translate to: 200.0.22.3
      ii. DYNAMIC NAT Translation on the INTERFACE connected to ISP:
          1. Configure a NAT Translation for the SERIAL Interface, with OVERLOAD
          2. Configure Access-List 1 to permit NAT for users on Network: 192.168.22.0 /24
   b. DYNAMIC NAT Translation using a NAT-POOL:
      i.   Configure a NAT POOL named SALES-POOL, using the remaining IP Addresses: 200.0.22.4 - 200.0.22.14
      ii.  Configure a NAT Translation for this NAT POOL with OVERLOAD
      iii. Configure Access-List 2 to permit NAT for SALESMEN on Network: 192.168.22.64 /26

D. On HQ Router: Configure ACL 122 to filter inbound traffic from CAFE Router, as follows:
   a. PERMIT TCP any any established
   b. ALLOW any inbound IP traffic from Network 192.168.22.224 255.255.255.224
   c. ALLOW any inbound IP traffic from 147.70.0.0 /16
   d. Block all inbound IP traffic from Network: 41.136.0.0 255.255.0.0
   e. Block all inbound Telnet traffic
   f. ALLOW any inbound ICMP traffic into your Network
   g. ALLOW any inbound TFTP traffic into your Network
   h. ALLOW any inbound SSH traffic
   i. Block all inbound IP traffic from Network 172.16.0.0 255.255.255.0
   j. Block any inbound TCP traffic from Ports greater than 1023
   k. Apply the ACL on the inbound Interface connecting your HQ Router to CAFE Router

E. LAPTOP:
   a. Obtains an IP Address from CAFE Router automatically, via DHCP
   b. Can ping GOOGLE.COM through NAT on your DMZ Router (verify with traceroute)

On the Switches:

A. Security on all Access Ports
   a. Enable Port-Security
   b. Maximum MAC Addresses on each Switchport is 3, and make them Sticky
   c. Violation Mode is SHUTDOWN

B. Trunks are Native VLAN 99

C. Port Assignments:

   VLAN   VLAN Name              Access Ports     Trunk Ports
   99     MANAGEMENT (Native)    FAST 0/24        GIG 0/1 - 2
   22     STAFF                  FAST 0/1 - 10    N/A
   122    SALES                  FAST 0/11 - 23   N/A
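Added example, not part of the assessment: a small Python model of ACL 122 as the task lists it (items a-j), using the IOS rules that entries are checked top-down, the first match decides, and anything unmatched hits the implicit deny. It assumes "established" is a flag on the packet and that source addresses and ports in any test are constructed samples; it lets you see why entry order matters, e.g. Telnet from the CORP host is permitted by entry b before the Telnet deny in entry e is reached.

```python
import ipaddress
from typing import NamedTuple, Optional
N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

class Entry(NamedTuple):
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport_gt: Optional[int] = None     # source port must be greater than this
    dport: Optional[int] = None        # destination port must equal this
    established: bool = False          # TCP reply traffic (ACK or RST set)

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int = 0
    dport: int = 0
    established: bool = False

# ACL 122 in the order the task lists it (a-j); IOS appends an implicit deny.
ACL_122 = [
    Entry("permit", "tcp", ANY, established=True),   # a. established TCP
    Entry("permit", "ip", N("192.168.22.224/27")),    # b. CORE network
    Entry("permit", "ip", N("147.70.0.0/16")),        # c.
    Entry("deny", "ip", N("41.136.0.0/16")),          # d.
    Entry("deny", "tcp", ANY, dport=23),              # e. Telnet
    Entry("permit", "icmp", ANY),                     # f.
    Entry("permit", "udp", ANY, dport=69),            # g. TFTP
    Entry("permit", "tcp", ANY, dport=22),            # h. SSH
    Entry("deny", "ip", N("172.16.0.0/24")),          # i.
    Entry("deny", "tcp", ANY, sport_gt=1023),         # j. high source ports
]

def matches(e: Entry, p: Packet) -> bool:
    """True when every field the entry specifies agrees with the packet."""
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and (e.sport_gt is None or p.sport > e.sport_gt)
            and (e.dport is None or p.dport == e.dport)
            and (p.established or not e.established))

def evaluate(acl, p: Packet):
    """First matching entry wins; no match means the implicit deny (index -1)."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", -1
```

Run `evaluate(ACL_122, Packet("tcp", "10.9.9.9", 40000, 80))` to see a new connection from a high source port fall through to entry j, while the same packet with `established=True` is permitted by entry a.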