
Packet Tracer CCNA Skills Integration Challenge

Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device   Interface   IP Address       Subnet Mask       Default Gateway / DLCI Mapping
HQ       G0/0        10.0.1.1         255.255.255.0     N/A
HQ       S0/0/0.41   10.255.255.1     255.255.255.252   DLCI 41 to B1
HQ       S0/0/1      10.255.255.253   255.255.255.252   N/A
HQ       S0/1/0      209.165.201.1    255.255.255.252   N/A
B1       G0/0.10     10.1.10.1        255.255.255.0     N/A
B1       G0/0.20     10.1.20.1        255.255.255.0     N/A
B1       G0/0.30     10.1.30.1        255.255.255.0     N/A
B1       G0/0.99     10.1.99.1        255.255.255.0     N/A
B1       S0/0/0      10.255.255.2     255.255.255.252   N/A
B1-S2    VLAN 99     10.1.99.22       255.255.255.0     10.1.99.1

2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 7

VLAN Configurations and Port Mappings

VLAN Number   Network Address   VLAN Name     Port Mappings
10            10.1.10.0/24      Admin         Fa0/6
20            10.1.20.0/24      Sales         Fa0/11
30            10.1.30.0/24      Production    Fa0/16
99            10.1.99.0/24      Mgmt&Native   Fa0/1-4
999           N/A               BlackHole     Unused Ports

Scenario
In this comprehensive CCNA skills activity, the XYZ Corporation uses a combination of Frame Relay and PPP
for WAN connections. Other technologies include NAT, DHCP, static and default routing, EIGRP for IPv4,
inter-VLAN routing, and VLAN configurations. Security configurations include SSH, port security, switch
security, and ACLs.

Requirements
Note: The user EXEC password is cisco and the privileged EXEC password is class.
SSH
Configure HQ to use SSH for remote access.
- Set the modulus to 2048. The domain name is CCNASkills.com.
- The username is admin and the password is adminonly.
- Only SSH should be allowed on VTY lines.
- Modify the SSH defaults: version 2; 60-second timeout; two retries.
Frame Relay
Configure Frame Relay between HQ and B1.
- Refer to the Addressing Table for the IP address, subnet mask, and DLCI.
- HQ uses a point-to-point subinterface and DLCI 41 to connect to B1.
- The LMI type must be manually configured as q933a for HQ and B1.
PPP
Configure the WAN link from HQ to the Internet using PPP encapsulation and CHAP authentication.
- Create a user ISP with the password of cisco.
Configure the WAN link from HQ to NewB using PPP encapsulation and PAP authentication.
- HQ is the DCE side of the link. You choose the clock rate.
- Create a user NewB with the password of cisco.
NAT
Configure static and dynamic NAT on HQ.
- Allow all addresses for the 10.0.0.0/8 address space to be translated using a standard access list
named NAT.
- XYZ Corporation owns the 209.165.200.240/29 address space. The pool, HQ, uses addresses .241
to .245 with a /29 mask. Configure dynamic NAT with PAT for the pool HQ.
- The WWW.pka website at 10.0.1.2 is registered with the public DNS system at IP address
209.165.200.246 and should be accessible from the Outside Host.
DHCP
On B1, configure a DHCP pool for the Sales VLAN 20 using the following requirements:
- Exclude the first 10 IP addresses in the range.
- The case-sensitive pool name is VLAN20.
- Include the DNS server attached to the HQ LAN as part of the DHCP configuration.
Configure the Sales PC to use DHCP.
Static and Default Routing
Configure HQ with a default route to the Internet and a static route to the NewB LAN. Use the exit
interface as an argument.
EIGRP Routing
Configure and optimize HQ and B1 with EIGRP routing.
- Use autonomous system 100 and disable automatic summarization.
- HQ should advertise the static and default routes to B1.
- Disable EIGRP updates on appropriate interfaces.
- Manually summarize EIGRP routes so that the B1 router only advertises the 10.1.0.0/16 address
space to HQ.
Inter-VLAN Routing
Configure B1 for inter-VLAN routing.
- Using the addressing table for branch routers, configure and activate the LAN interface for inter-VLAN
routing. VLAN 99 is the native VLAN.
VLANs and Trunking Configurations
Configure trunking and VLANs on B1-S2.
- Create and name the VLANs listed in the VLAN Configuration and Port Mappings table on B1-S2
only.
- Configure the VLAN 99 interface and default gateway.
- Assign VLANs to the appropriate access ports.
- Set trunking mode to on for Fa0/1 - Fa0/4.
- Disable all unused ports and assign the BlackHole VLAN.
Port Security
Use the following policy to establish port security on the B1-S2 access ports:
- Allow one MAC address to be learned on the port.
- Configure the first learned MAC address to stick to the configuration.
- Set the port to shut down if there is a security violation.

Access List Policy
Because HQ is connected to the Internet, configure a named ACL called HQINBOUND in the following
order:
- Allow inbound HTTP requests to the WWW.pka server.
- Allow only established TCP sessions from the Internet.
- Allow only inbound ping replies from the Internet.
- Explicitly block all other inbound access from the Internet.
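
The HQINBOUND ordering above, modeled as an added Python example (not part of the original activity): a first-match evaluator run over constructed sample packets. The names `evaluate`, `SAMPLES` and the packet fields are hypothetical; the destination is the public address 209.165.200.246 because an inbound ACL on the outside interface is checked before NAT translates the destination.

```python
# Added example: first-match evaluation of the HQINBOUND policy.
# All packets below are constructed samples, not captured traffic.
from ipaddress import ip_address

WWW_PUBLIC = ip_address("209.165.200.246")  # static NAT address of WWW.pka
PAT_ADDR = ip_address("209.165.200.241")    # one address from the HQ pool

# Each ACE: (action, protocol, match function), in the order the policy lists.
HQINBOUND = [
    ("permit", "tcp", lambda p: p["dst"] == WWW_PUBLIC and p.get("dport") == 80),
    # "established" is stateless: it only checks for the ACK or RST bit,
    # it does not consult a session table.
    ("permit", "tcp", lambda p: bool({"ACK", "RST"} & set(p.get("flags", ())))),
    ("permit", "icmp", lambda p: p.get("icmp_type") == 0),  # echo-reply only
    ("deny", "ip", lambda p: True),  # explicit deny, so matches are counted
]

def evaluate(packet, acl=HQINBOUND):
    """Return (action, index) of the first ACE that matches the packet."""
    for index, (action, proto, match) in enumerate(acl):
        if proto in ("ip", packet["proto"]) and match(packet):
            return action, index
    return "deny", None  # implicit deny that ends every ACL

SAMPLES = {
    "http_to_www": {"proto": "tcp", "dst": WWW_PUBLIC, "dport": 80, "flags": ["SYN"]},
    "return_traffic": {"proto": "tcp", "dst": PAT_ADDR, "dport": 49152, "flags": ["ACK"]},
    "new_ssh_in": {"proto": "tcp", "dst": PAT_ADDR, "dport": 22, "flags": ["SYN"]},
    "ping_reply": {"proto": "icmp", "dst": PAT_ADDR, "icmp_type": 0},
    "ping_request": {"proto": "icmp", "dst": PAT_ADDR, "icmp_type": 8},
}

def run_samples():
    """Evaluate every constructed sample and return {name: (action, index)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, index) in run_samples().items():
        print(f"{name:15} {action:6} (ACE {index})")
```
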
Connectivity
Verify full connectivity from each PC to WWW.pka and www.cisco.pka.

Device Configs

Router HQ
enable
conf t
username ISP password cisco
username NewB password cisco
username admin password adminonly
ip domain-name CCNASkills.com
crypto key generate rsa
2048
line vty 0 16
transport input ssh
login local
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
interface Gig0/0
ip nat inside
interface Serial0/0/0
encapsulation frame-relay
frame-relay lmi-type q933a
no shut
interface Serial0/0/0.41 point-to-point
ip address 10.255.255.1 255.255.255.252
frame-relay interface-dlci 41
ip nat inside
interface Serial0/0/1
description Link to NewB
ip address 10.255.255.253 255.255.255.252
encapsulation ppp
ppp authentication pap
ppp pap sent-username HQ password cisco
ip nat inside
no shut
interface Serial0/1/0
description Link to ISP
encapsulation ppp
ppp authentication chap
ip access-group HQINBOUND in
ip nat outside
router eigrp 100
passive-interface Gig0/0
passive-interface Serial0/0/1
passive-interface Serial0/1/0
network 10.0.0.0
redistribute static
no auto-summary
ip nat pool HQ 209.165.200.241 209.165.200.245 netmask 255.255.255.248
ip nat inside source list NAT pool HQ overload
ip nat inside source static 10.0.1.2 209.165.200.246
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 10.4.5.0 255.255.255.0 Serial0/0/1
ip access-list standard NAT
permit 10.0.0.0 0.255.255.255
ip access-list extended HQINBOUND
permit tcp any host 209.165.200.246 eq www
permit tcp any any established
permit icmp any any echo-reply
deny ip any any
line vty 0 15
login local
transport input ssh
end

Router B1
enable
conf t
ip dhcp excluded-address 10.1.20.1 10.1.20.10
ip dhcp pool VLAN20
network 10.1.20.0 255.255.255.0
default-router 10.1.20.1
dns-server 10.0.1.4
interface Gig0/0
no shut
interface Gig0/0.10
description Admin VLAN 10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
interface Gig0/0.20
description Sales VLAN 20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.0
interface Gig0/0.30
description Production VLAN 30
encapsulation dot1Q 30
ip address 10.1.30.1 255.255.255.0
interface Gig0/0.99
description Mgmt&Native VLAN 99
encapsulation dot1Q 99 native
ip address 10.1.99.1 255.255.255.0
interface Serial0/0/0
ip address 10.255.255.2 255.255.255.252
encapsulation frame-relay
frame-relay lmi-type q933a
ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
no shut
router eigrp 100
passive-interface Gig0/0.10
passive-interface Gig0/0.20
passive-interface Gig0/0.30
passive-interface Gig0/0.88
passive-interface Gig0/0.99
network 10.0.0.0
no auto-summary
end

Switch B1-S2
enable
conf t
vlan 10
name Admin
vlan 20
name Sales
vlan 30
name Production
vlan 99
name Mgmt&Native
vlan 999
name BlackHole
interface range FastEthernet0/1-4
switchport trunk native vlan 99
switchport mode trunk
interface range fa0/5,fa0/7-10,fa0/12-15,fa0/17-24,g0/1-2
description Unused port
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/16
switchport access vlan 30
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface Vlan99
ip address 10.1.99.22 255.255.255.0
ip default-gateway 10.1.99.1
end
