Grading

The exam is divided into two parts. If the exam is conducted in two separate sessions, hand out Part 1 on planning and let the students complete it. Then have them turn in Part 1 so that you can grade it before the second session. Return Part 1 to the students at the start of the second session, which is a hands-on session. If there are problems with the planning in Part 1, the student will know of them before starting on Part 2. If both parts of the exam are done in one session, you should still grade Part 1 before the students start on Part 2. Students must complete Part 1 before starting Part 2.

Suggested point totals are listed for the main fill-in-the-blank questions. They currently total 100 points, but can be adjusted or changed as desired. Divide the correct points by the possible points for an overall percentage grade.

Exam Time

The suggested time allowed to complete each part is 50 minutes. Part 2 takes longer than 50 minutes. At the instructor's discretion, the amount of time allowed may be adjusted. Part 2 of the exam can be split into two parts to accommodate class schedules. Part 3 starts at Task 5 Configuring ACLs. To save time and avoid splitting Part 2, have the equipment set up and cabled for the students prior to starting device configuration.

All contents are Copyright 1992-2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Exam Overview
This skills-based assessment is the final practical exam for the course CCNA Discovery Designing and Supporting Computer Networks. The exam is divided into two parts, and Part 1 must be completed before Part 2. When you have completed Part 1, give it to the instructor to check before starting Part 2.

In Part 1, you start with a test plan for connecting the Team-A remote office to the Stadium Network. Appendix A in this exam contains the test plan. In Part 1, you develop the IP subnet scheme, document the device interfaces, and create an installation checklist.

In Part 2, you build the network and configure the Team-A routers and switches using Cisco IOS CLI commands. The Team-A branch office router BR2 connects the local network to the Stadium Network router Edge3 through a simulated Frame Relay switch. The Stadium router provides access to the Team-A server. The EIGRP routing protocol is used between the Team-A remote office router and the Stadium Network router.
Scenario
The new equipment has arrived for the remote Team-A office, and it is ready to be installed and tested. Team-A ordered an 1841 router to connect to the main Stadium Headquarters Edge3 router through a Frame Relay service provider network. They also ordered a backup DSL link through the ISP. The ISP router and simulated Frame Relay router are preconfigured. The ISP link has assigned IP addresses. A test plan for testing the new equipment and configurations in the NetworkingCompany lab has already been created.
Objectives
Part 1: Using a network design and test plan, create an IP addressing plan and document the network device interfaces. Create an installation checklist based on the test plan.
Part 2: Connect and configure the network equipment and verify network connectivity.
Required Equipment
The following equipment is required for each student:
- ISP router with two Fast Ethernet interfaces (preconfigured by the instructor)
- Router to simulate a Frame Relay switch with two serial interfaces (preconfigured by the instructor)
- Two 1841 routers (or other router with one serial interface and two Fast Ethernet interfaces)
- One computer to act as the Discovery Server (using the Discovery Server Live CD). Optionally, the ISP router loopback address can be used. If the loopback address is used, it restricts the protocols that can be filtered using an ACL.
- One 2960 switch (or other switch) or crossover cable to connect the Discovery Server to the ISP router
- Ethernet 2960 switches for Team-A
- Two Windows XP-based PCs
- Cat 5 and serial cabling, as necessary
Step 3: Allocate blocks of addresses to each area of the network. [10 points, two for each block]

VLSM and VLAN Plan

| Network Area | VLSM block size (Number of IPs) | IP Address Range |
|---|---|---|
| Team-X block size to subdivide | 512 (9 bits) | 172.2X.0.0/23 |
| Edge3 Discovery Server local network | N/A | 172.17.0.0/16 |
| Edge3 user local network (Sim Lo0) | 256 | 172.21.0.0/24 |
| BR2 local network / VLANs | | |
| VLAN 1 (Default/mgmt IP) | 16 | 172.21.1.192/28 |
| VLAN 11 (Name: Dept-11, Ports 3-11 on switches S1, S2) | 64 | 172.21.1.128/26 |
| VLAN 12 (Name: Dept-12, Ports 12-24 on switches S1, S2) | 128 | 172.21.1.0/25 |
| BR2 to Edge3 Frame Relay WAN link | 4 | 172.21.1.208/30 |
| Total users and total block sizes | 468 | N/A |
Step 4: Select IP addresses for use when configuring devices. [14 points, one for each IP address/mask and one for each gateway]
Write the addresses and subnet masks (/##) from the IP Address Plan next to the appropriate devices and interfaces on the test plan network topology diagram.
IP Address Plan
| Device Name | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| Edge3 | Fa0/0 | 172.17.0.1/16 | 255.255.0.0 | N/A |
| Edge3 | Fa0/1 | 172.16.1.6/30 | 255.255.255.252 | N/A |
| Edge3 | S0/0/0.101 | 172.21.1.209/30 | 255.255.255.252 | N/A |
| Edge3 | Lo0 | 172.21.0.1/24 | 255.255.255.0 | N/A |
| BR2 | Fa0/1 | 172.16.1.2/30 | 255.255.255.252 | N/A |
| BR2 | Fa0/0 | | | N/A |
| BR2 | Fa0/1.1 | 172.21.1.193/28 | 255.255.255.240 | N/A |
| BR2 | Fa0/1.11 | 172.21.1.129/26 | 255.255.255.192 | N/A |
| BR2 | Fa0/1.12 | 172.21.1.1/25 | 255.255.255.128 | N/A |
| BR2 | S0/0/0.100 | 172.21.1.210/30 | 255.255.255.252 | N/A |
| | Fa0/0 | 172.16.1.1/30 | 255.255.255.252 | N/A |
| | Fa0/1 | 172.16.1.5/30 | 255.255.255.252 | N/A |
| | S0/0/0 | DLCI 100 | N/A | N/A |
| | S0/0/1 | DLCI 101 | N/A | N/A |
| | VLAN1 | 172.21.1.194/28 | 255.255.255.240 | 172.21.1.193/28 |
| | VLAN1 | 172.21.1.195/28 | 255.255.255.240 | 172.21.1.193/28 |
| | VLAN1 | 172.17.0.2/16 | 255.255.0.0 | 172.17.0.1/16 |
| | NIC | 172.21.1.130/26 | 255.255.255.192 | 172.21.1.129/26 |
| | NIC | 172.21.1.2/25 | 255.255.255.128 | 172.21.1.1/25 |
| | NIC | 172.17.1.1/16 | 255.255.0.0 | 172.17.0.1/16 |
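The address plan can be checked mechanically before any device is configured. The following is an added example, not part of the original exam: it assumes X = 1 for Team-A (so the block to subdivide is 172.21.0.0/23), and the function names are illustrative. It verifies that the planned subnets fit the block, match their listed sizes, and do not overlap, lists the space left unallocated, and reports which planned subnet, if any, contains a given address.

```python
import ipaddress

# Values copied from the VLSM and VLAN Plan, with X = 1 (Team-A) as an assumption.
PARENT = ipaddress.ip_network("172.21.0.0/23")
PLAN = {  # area -> (subnet, block size listed in the plan)
    "Edge3 user LAN (Lo0)": ("172.21.0.0/24", 256),
    "VLAN 1": ("172.21.1.192/28", 16),
    "VLAN 11": ("172.21.1.128/26", 64),
    "VLAN 12": ("172.21.1.0/25", 128),
    "Frame Relay WAN": ("172.21.1.208/30", 4),
}
SUBNETS = {area: ipaddress.ip_network(cidr) for area, (cidr, _) in PLAN.items()}


def plan_problems():
    """Return a list of problems: out-of-block, wrong size, or overlapping subnets."""
    problems = []
    for area, (_, size) in PLAN.items():
        net = SUBNETS[area]
        if not net.subnet_of(PARENT):
            problems.append(f"{area}: {net} is outside {PARENT}")
        if net.num_addresses != size:
            problems.append(f"{area}: {net} holds {net.num_addresses}, plan says {size}")
    areas = list(SUBNETS)
    for i, first in enumerate(areas):
        for second in areas[i + 1:]:
            if SUBNETS[first].overlaps(SUBNETS[second]):
                problems.append(f"{first} overlaps {second}")
    return problems


def total_block_size():
    """Sum of the block sizes, the 'Total' row of the plan."""
    return sum(size for _, size in PLAN.values())


def free_blocks():
    """Return the unallocated blocks left inside PARENT, lowest address first."""
    free = [PARENT]
    for net in SUBNETS.values():
        remaining = []
        for block in free:
            if net.subnet_of(block):
                # Split the free block around the allocated subnet.
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        free = remaining
    return sorted(free)


def owning_area(address):
    """Return the plan area whose subnet contains the address, or None."""
    ip = ipaddress.ip_address(address)
    for area, net in SUBNETS.items():
        if ip in net:
            return area
    return None


if __name__ == "__main__":
    print("problems:", plan_problems())
    print("total:", total_block_size())
    print("free:", [str(b) for b in free_blocks()])
    # 172.21.1.209 is Edge3 S0/0/0.101 in the IP Address Plan.
    print("172.21.1.209 ->", owning_area("172.21.1.209"))
    # 172.21.1.228 is in no planned subnet; a statement using it matches nothing.
    print("172.21.1.228 ->", owning_area("172.21.1.228"))
```

Running `owning_area` over every address that appears in a `network`, `access-list`, or `ip address` statement catches entries that fall outside the plan before they cause a missing EIGRP adjacency or an ACL that never matches.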
Team-A Prototype Network Installation Checklist [20 points total, 5 for each group of test items identified]
Installation Steps
Test 1: Basic Connectivity and VLAN Configuration

| Step No. | Devices | Configuration Requirements | Completed |
|---|---|---|---|
| 1 | All devices | Connect the cables between all devices as shown in the topology diagram. | |
| 2 | S1 and S2 | Perform basic switch configuration, including host name, passwords, and VLAN1 IP address. | |
| 3 | S1 | Configure VLANs on S1 and add ports according to the VLAN plan. | |
| 4 | S1 | Configure a VTP domain for Team-A with S1 as the VTP server and a password of cisco. | |
| 5 | S1 | Configure S1 as the STP root switch. | |
| 6 | S1 | Configure a trunk link to BR2 and S2. | |
| 7 | S2 | Configure S2 as the VTP client in the Team-A S1 domain. | |
| 8 | S2 | Add ports to VLANs according to the VLAN plan. | |
| 9 | S2 | Configure a trunk link to S1. | |
| 10 | BR2 | Perform basic router configuration on BR2, including host name, passwords, and interface IP addresses. | |
| 11 | BR2 | Configure Fa0/0 subinterfaces for inter-VLAN routing. | |
| 12 | | Perform Test 1 according to the test plan. | |
Test 2: Frame Relay and EIGRP Configuration

| Step No. | Devices | Configuration Requirements |
|---|---|---|
| 1 | BR2 | Configure the Serial 0/0/0 interface on BR2 with Frame Relay encapsulation. Configure a point-to-point subinterface for DLCI 100. |
| 2 | BR2 | On BR2, configure the EIGRP routing protocol to advertise the Team-A LANs and the Frame Relay WAN link network. Use EIGRP process ID 200. Disable auto-summary. |
| 3 | BR2 | Configure EIGRP MD5 authentication to accept updates from the Stadium network router Edge3 on the Frame Relay subinterface. |
| 4 | Edge3 | Perform basic router configuration on Edge3, including host name, passwords, and interface IP addresses. |
| 5 | Edge3 | Configure the Serial 0/0/0 interface on Edge3 with Frame Relay encapsulation. Configure a point-to-point subinterface for DLCI 101. |
| 6 | Edge3 | On Edge3, configure the EIGRP routing protocol to advertise the Discovery Server network, the simulated loopback network, and the Frame Relay WAN link network. Use EIGRP process ID 200. Disable auto-summary. |
| 7 | Edge3 | Configure EIGRP MD5 authentication to accept updates from the Team-A network router BR2 on the Frame Relay subinterface. |
| 8 | | Perform Test 2 according to the test plan. |
Test 3: Backup Link Configuration

| Step No. | Configuration Requirements |
|---|---|
| 1 | Configure a floating static route on BR2 to the Discovery Server network using the Ethernet connection to the ISP router. |
| 2 | Configure a floating static route on Edge3 to the Team-A remote LAN using the Ethernet connection to the ISP router. |
| 3 | Perform Test 3 according to the test plan. |
Test 4: ACL Filtering

| Step No. | Devices | Configuration Requirements |
|---|---|---|
| 1 | BR2 | Configure a VTY ACL to permit telnet only from the stadium Edge3 router (S0/0/0 IP address or Fa0/1 IP address). Apply the ACL to BR2 VTY 0-4 inbound. |
| 2 | Edge3 | Configure an extended numbered or named ACL to permit access to the Discovery Server only from the remote Team-A LAN. Apply the ACL to Edge3 Fa0/0 outbound. |
| 3 | | Perform Test 4 according to the test plan. |
Task 2: Configure and Perform Test 1 Basic Connectivity and VLAN Configuration
Step 1: Build and configure the portion of the network being tested.
Refer to the installation checklist for the steps required. Instructor note: See device configs at the end of the exam.
Test 1 Testing Procedures [17 points, one for each item verified]
| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| BR2 basic config (host, password, IPs) | show running-config | |
| BR2 interface status | show ip interface brief | |
| BR2 routing table (VLANs) | show ip route | |
| BR2 subinterfaces on Fa0/0 | show vlans | |
| BR2 subinterfaces 802.1Q encap | show vlans | |
| S1 VLANs and port assignments | show vlan brief | |
| S1 802.1Q trunk ports | show interfaces trunk | |
| S1 is root switch | show spanning-tree | |
| S1 is VTP server | show vtp status | |
| S2 basic config (host, password, IPs) | show running-config | |
| S2 VLANs and port assignments | show vlan brief | |
| S2 802.1Q trunk ports | show interfaces trunk | |
| S2 is VTP client | show vtp status | |
| Ping from S1 or S2 to BR2 | | |
| Telnet from S1 or S2 to router BR2 | | |
| Ping from the hosts to their default gateways | | |
| Verify inter-VLAN routing by pinging from H1 to H2 | | |
Step 4: Have the instructor verify all Test 1 test items before going on to Test 2.
Task 3: Configure and Perform Test 2 Frame Relay and EIGRP Configuration
Step 1: Build and configure the portion of the network being tested.
Refer to the installation checklist for the steps required. Instructor note: See device configs at the end of the exam.
Test 2 Testing Procedures [10 points, one for each item verified]
| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| BR2 configuration for Frame Relay, EIGRP, and MD5 authentication | show running-config | |
| BR2 Frame Relay status of point-to-point links | show frame-relay map | |
| BR2 Frame Relay permanent virtual circuit (PVC) status and statistics | show frame-relay pvc | |
| BR2 Frame Relay Local Management Interface (LMI) statistics | show frame-relay lmi | |
| BR2 EIGRP routing configuration | show running-config | |
| BR2 routing table (EIGRP routes) | show ip route | |
| Ping from hosts H1 and H2 to the Edge3 router | ping IP address | |
| Ping from hosts H1 and H2 to the Discovery Server | ping IP address | |
| Verify path that packets are taking from H1 to the Discovery Server | tracert or traceroute IP | |
| Verify EIGRP MD5 authentication as it occurs | debug eigrp packet | |
Step 4: Have the instructor verify all Test 2 test items before going on to Test 3.
Test 3 Testing Procedures [10 points, two for each item verified]
| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| BR2 and Edge3 floating static route configuration | show running-config | |
| BR2 routing table with primary Frame Relay link up and backup link down | show ip route | |
| BR2 routing table with primary Frame Relay link down and backup link up | show ip route | |
| Ping test output from H1 and H2 to Discovery Server | | |
| Tracert test output from H1 and H2 to Discovery Server showing use of backup route through the ISP | | |
Step 4: Have the instructor verify all Test 3 test items before going on to Test 4.
Test 4 Testing Procedures [12 points, two each for each item verified]
| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| ACL configuration on Team-A and Stadium routers | show running-config | |
| Access list output on both routers | show access-lists | |
| Telnet to BR2 from any host other than Edge3 | telnet IP address | |
| Telnet from Edge3 to BR2 | telnet IP address | |
| On H1, connect to the Discovery Server using URL http://server.discovery.ccna or IP address 172.17.1.1 | Open browser or ping IP address | |
| Attempt to access the Discovery Server from the Edge3 Lo0 simulated internal network using extended ping with the source address of the Edge3 interface Lo0 IP address. The ACL should block the attempt. | ping (pinging with no argument prompts for extended commands, including source IP address) | |

Instructor note: If necessary, show the student how to do the extended ping command to perform this test item.
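The expected outcome of each Test 4 check can be worked out offline with a small first-match evaluator for the two ACLs. This is an added example, not part of the original exam: the VTY ACL entries use Edge3's addresses from the IP Address Plan, the Server-Access entries are the ones in the Edge3 configuration, and the function names are illustrative.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

VTY_ACL = """
access-list 1 permit 172.21.1.209
access-list 1 permit 172.16.1.6
access-list 1 deny any
"""

SERVER_ACL = """
ip access-list extended Server-Access
 remark Allow only Team-A LAN access to server
 permit ip 172.21.1.0 0.0.0.255 host 172.17.1.1
 remark Deny and log all other traffic
 deny ip any any log
"""


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Consume one address spec: any | host A | A [wildcard]."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and _is_ip(tokens[0]):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")  # standard ACL entry without a wildcard is one host


def parse_acl(text):
    """Parse numbered standard or named extended 'ip' entries into rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop "access-list <number>"
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # ACL header or remark
        action = tokens.pop(0)
        if tokens[0] == "ip":  # extended entry: source then destination
            tokens.pop(0)
            src, dst = _take_addr(tokens), _take_addr(tokens)
        else:  # standard entry: source only
            src, dst = _take_addr(tokens), ANY
        rules.append((action, src, dst))
    return rules


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(rules, src, dst="0.0.0.0"):
    """Return the action of the first matching entry; implicit deny otherwise."""
    for action, s, d in rules:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


if __name__ == "__main__":
    vty, server = parse_acl(VTY_ACL), parse_acl(SERVER_ACL)
    print("Edge3 S0/0/0.101 -> BR2 vty:", evaluate(vty, "172.21.1.209"))
    print("H1 -> BR2 vty:", evaluate(vty, "172.21.1.130"))
    print("H1 -> server:", evaluate(server, "172.21.1.130", "172.17.1.1"))
    print("Edge3 Lo0 -> server:", evaluate(server, "172.21.0.1", "172.17.1.1"))
    # The 0.0.0.255 wildcard also covers VLAN 1 and the WAN link addresses.
    print("BR2 S0/0/0.100 -> server:", evaluate(server, "172.21.1.210", "172.17.1.1"))
```

The last case shows that the `172.21.1.0 0.0.0.255` entry matches every address in 172.21.1.0/24, including the management VLAN and the Frame Relay link, not only the Dept-11 and Dept-12 user subnets.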
Step 4: Have the instructor verify all Test 3 test items before going on to Test 4.
Step 5: Save the running configs for each networking device to a file. [7 points]
Save the output from BR2, Edge3, S1, and S2 to a single text file on your desktop and name it XXX-D4-SBAConfigs.txt, where XXX are your initials. Show it to the instructor. _________ Instructor check
Tests to run:

Test 1: Basic Connectivity and VLAN Configuration
- Verify physical and IP connectivity between devices on the prototype network
- Demonstrate the VLAN and VTP configuration
- Demonstrate routing of traffic between VLANs
- Document operation

Test 2: Frame Relay and EIGRP Configuration
- Demonstrate functionality of primary Frame Relay link
- Demonstrate MD5 authentication process
- Demonstrate routing to remote resources
- Document operation

Test 3: Backup Link Configuration
- Demonstrate that traffic takes the alternate route if the Frame Relay link goes down
- Document operation

Test 4: ACL Filtering
- Demonstrate filtering of traffic to devices and resources from various sources
- Document operation
Equipment
Quantity required 2 Additional options or software required none Cisco IOS software version 12.2 or later
3 1 2
Preconfigured router to simulate ISP; can be 1841 with two Fast Ethernet interfaces Preconfigured router to simulate Frame Relay switch 2960 Layer 2 switch Discovery Server Personal computer end devices V.35 DTE cables V.35 DCE cables Cat 5 or above straight-through patch cables Cat 5 or above crossover patch cables Console cable
none
Configured as a Frame Relay switch none HTTP and FTP server software Fast Ethernet NIC
Substitute Any router with two Ethernet or Fast Ethernet interfaces capable of running 802.1q protocol Any router or multilayer switch that can support two separate Ethernet networks Any Cisco router with two serial interfaces Any 2950 or 2960 model switch
any
12.2 or later
12.2 or later
none
2 2 5
none
none
n/a
none
none
none
Procedures
1. Build the topology according to the Design and Topology diagram. Assign IP addresses to all devices according to the IP Address Plan, and activate interfaces.
2. Create a basic configuration on all Team-A and Stadium Network devices.
3. Configure Team-A LAN devices S1, S2, and BR2 to support VLANs.
4. Console into one of the switches in the topology, and ping BR2. Record any anomalies.
5. Telnet from the switch to router BR2, and verify that you can start a session.
6. Verify that the BR2 routing table contains routes to each VLAN.
7. Ping from the hosts to their default gateways and between VLANs to each other.
8. Record the output of the show running-config and show interfaces commands for BR2, Edge3, and switches S1 and S2 in a text file, using a text editor such as Notepad. Record the output of the show vlans command for BR2 and switches S1 and S2. Save this file for later analysis.
Procedures
1. Configure Frame Relay on the Team-A and Stadium Network routers.
2. Configure EIGRP with MD5 on Team-A and Stadium Network routers.
3. Record the output of the debug eigrp packet command on the Team-A router to verify MD5 authentication.
4. Record the router output of the show running-config and show ip route commands.
5. Record the router output for the Frame Relay circuit using the show frame-relay map, show frame-relay pvc, and show frame-relay lmi commands.
6. Record ping results from the hosts H1 and H2 to the Edge3 router and the Discovery Server.
7. Use tracert or traceroute to verify that packets are taking the primary Frame Relay link.
Procedures
1. Configure floating static routes on the Team-A and Stadium Network routers to the Discovery Server through the ISP router.
2. Cause the Frame Relay link from BR2 to SP-FR to fail by shutting down the Serial 0/0/0 interface on BR2.
3. Display the routing table for BR2 and Edge3 using the show ip route command to verify that the floating static route through the ISP is installed in the routing table. Record the results.
4. Ping from the hosts H1 and H2 to the Discovery server at URL http://server.discovery.ccna or IP address 172.17.1.1. Record the results.
5. Verify that packets are taking the backup simulated DSL link using tracert from H1 or traceroute from BR2.
Procedures
1. Configure an ACL on the Team-A router BR2 and the Stadium Edge3 router to control traffic as described in the Test 4 goals.
2. Telnet to BR2 from any host other than Edge3, and then telnet from Edge3 to BR2. Record the results.
3. Open a browser on H1 and connect to the Discovery Server using URL http://server.discovery.ccna or IP address 172.17.1.1. Record the results.
4. Attempt to access the Discovery Server from the Edge3 Internet network using extended ping with a source address of interface Lo0 IP address. Record the results.
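! BR2 configuration fragment: EIGRP, floating static route, VTY ACL, and lines
! The last network statement is the Frame Relay WAN subnet from the IP Address Plan (172.21.1.208/30)
router eigrp 200
 network 172.21.1.192 0.0.0.15
 network 172.21.1.128 0.0.0.63
 network 172.21.1.0 0.0.0.127
 network 172.21.1.208 0.0.0.3
 no auto-summary
!
! Floating static route (administrative distance 130) to the Discovery Server network through the ISP
ip route 172.17.0.0 255.255.0.0 172.16.1.1 130
!
ip http server
no ip http secure-server
!
banner motd ^CUnauthorized use prohibited^C
!
! VTY ACL: permit telnet only from Edge3 (S0/0/0.101 and Fa0/1 addresses from the IP Address Plan)
access-list 1 permit 172.21.1.209
access-list 1 permit 172.16.1.6
access-list 1 deny any
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 access-class 1 in
 password cisco
 login
!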
! Edge3 configuration fragment (begins partway through the Serial0/0/0 interface section)
 no ip address
 encapsulation frame-relay
 no shutdown
!
interface Serial0/0/0.101 point-to-point
 ip address 172.21.1.209 255.255.255.252
 ip authentication mode eigrp 200 md5
 ip authentication key-chain eigrp 200 MYCHAIN
 frame-relay interface-dlci 101
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Lo0
 description Edge3 local LAN
 ip address 172.21.0.1 255.255.255.0
!
interface Vlan1
 no ip address
!
! The last network statement is the Frame Relay WAN subnet that contains 172.21.1.209 (172.21.1.208/30)
router eigrp 200
 network 172.17.0.0 0.0.255.255
 network 172.21.0.0 0.0.0.255
 network 172.21.1.208 0.0.0.3
 no auto-summary
!
! Floating static route (administrative distance 130) to the Team-A LAN through the ISP
ip route 172.21.1.0 255.255.255.0 172.16.1.5 130
!
ip http server
no ip http secure-server
!
ip access-list extended Server-Access
 remark Allow only Team-A LAN access to server
 permit ip 172.21.1.0 0.0.0.255 host 172.17.1.1
 remark Deny and log all other traffic
 deny ip any any log
!
banner motd #Unauthorized use prohibited#
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
! ISP router configuration fragment (begins partway through an interface section)
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 description backup link to Edge3
 ip address 172.16.1.5 255.255.255.252
 duplex auto
 speed auto
 no shutdown
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
ip route 172.21.1.0 255.255.255.0 172.16.1.2
ip route 172.17.0.0 255.255.0.0 172.16.1.6
!
banner motd #Unauthorized use prohibited#
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
! Frame Relay switch configuration fragment (begins partway through a serial interface section)
 frame-relay intf-type dce
 frame-relay route 101 interface serial0/0 100
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
! S1 configuration fragment: access ports Fa0/11 to Fa0/24, management VLAN, VLANs, VTP server
interface FastEthernet0/11
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 12
 switchport mode access
!
interface Vlan1
 ip address 172.21.1.194 255.255.255.240
 no ip route-cache
 no shutdown
!
ip default-gateway 172.21.1.193
ip http server
!
vlan 11
 name Dept11
vlan 12
 name Dept12
 exit
!
vtp domain Team-A
vtp mode server
vtp password cisco
!
banner motd ^Unauthorized use prohibited^
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end
! S2 configuration fragment: access ports Fa0/7 to Fa0/24, management VLAN, VTP client
interface FastEthernet0/7
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 12
 switchport mode access
!
interface Vlan1
 ip address 172.21.1.195 255.255.255.240
 no ip route-cache
 no shutdown
!
ip default-gateway 172.21.1.193
ip http server
!
vtp domain Team-A
vtp mode client
vtp password cisco
!
banner motd ^Unauthorized use prohibited^
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end