Hands On Skills Exam – CCNAv7 ENSA Skills Assessment (Answers)

 

CCNAv7 ENSA Skills Assessment – ENSA Final Skills Exam (Equipment)

Your exam may be different

Topology

[Figure: network topology diagram]

Addressing Table

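| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/0/0 | 10.67.254.2 | 255.255.255.252 | N/A |
| R1 | G0/0/1 | 192.168.1.1 | 255.255.255.0 | N/A |
| R1 | Lo0 | 10.52.0.1 | 255.255.255.248 | N/A |
| R2 | G0/0/0 | 10.67.254.1 | 255.255.255.252 | N/A |
| R2 | Lo0 | 209.165.201.1 | 255.255.255.224 | N/A |
| R2 | G0/0/1 | 10.67.1.1 | 255.255.255.0 | N/A |
| S1 | VLAN 1 | 192.168.1.2 | 255.255.255.0 | 192.168.1.1 |
| S2 | VLAN 1 | 10.67.1.2 | 255.255.255.0 | 10.67.1.1 |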

Assessment Objectives

  • Part 1: Initialize, Reload and Configure Basic Device Settings (40 points, 40 minutes)
  • Part 2: Configure Single Area OSPFv2 (20 points, 10 minutes)
  • Part 3: Optimize Single Area OSPFv2 (25 points, 20 minutes)
  • Part 4: Configure Access Control, NAT, and perform configuration backup (15 points, 30 minutes)

Scenario

In this Skills Assessment (SA) you will configure the devices in a small network. You must configure a router, switch and PCs to support IPv4 connectivity for supported hosts. Your router and switch must also be managed securely. You will configure Single-Area OSPFv2, NAT, and access control lists. Further, you will back up your working configurations to a TFTP server.

Required Resources

  • 2 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
  • 2 Switches (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
  • 2 PCs (Windows with a terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet cables as shown in the topology

Instructions

Part 1: Initialize, Reload and Configure Basic Device Settings

Total points: 40
Time: 40 minutes

Step 1: Initialize and reload routers and switches.

Erase the startup configurations and VLANs from the router and switch and reload the devices.

Before proceeding, ask your instructor to verify device initializations.

On Router R1-R2

Router>enable
Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Router#reload

On Switch S1-S2

Switch>enable
Switch#erase startup-config
Switch#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

Switch#reload

Step 2: Configure the routers.

Configuration tasks for R1 and R2 include the following:

| Task | Specification | R1 | R2 |
|---|---|---|---|
| Disable DNS lookup | | 0.5 pt | 0.5 pt |
| Router name | R1 or R2, as appropriate | 0.5 pt | 0.5 pt |
| Domain name | ccna-lab.com | 0.5 pt | 0.5 pt |
| Encrypted privileged EXEC password | ciscoenpass | 0.5 pt | 0.5 pt |
| Console access password | ciscoconpass | 0.5 pt | 0.5 pt |
| Set the minimum length for passwords | 10 characters | 0.5 pt | 0.5 pt |
| Create an administrative user in the local database | Username: admin; Password: admin1pass | 0.5 pt | 0.5 pt |
| Set login on VTY lines to use local database | | 0.5 pt | 0.5 pt |
| Set VTY lines to accept SSH connections only | | 0.5 pt | 0.5 pt |
| Encrypt the clear text passwords | | 0.5 pt | 0.5 pt |
| Configure an MOTD Banner | | 0.5 pt | 0.5 pt |
| Configure interface G0/0/1 | Set the description; Set the Layer 3 IPv4 address; Activate Interface | 2 pts | 2 pts |
| Configure interface G0/0/0 | Set the description; Set the Layer 3 IPv4 address; Activate Interface | 2 pts | 2 pts |
| Configure interface Lo0 | Configure IPv4 address | 0.5 pt | 0.5 pts |
| Generate an RSA crypto key | 1024 bits modulus | 0.5 pt | 0.5 pt |

R1

Router>enable
Router#config terminal

Router(config)#no ip domain lookup 

Router(config)#hostname R1

R1(config)#ip domain-name ccna-lab.com

R1(config)#enable secret ciscoenpass

R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#login
R1(config-line)#exit 

R1(config)#security passwords min-length 10

R1(config)#username admin secret admin1pass

R1(config)#line vty 0 15
R1(config-line)#login local
R1(config-line)#transport input ssh 
R1(config-line)#exit

R1(config)#service password-encryption 

R1(config)#banner motd #Unauthorized Access is Prohibited#

R1(config)#interface g0/0/0
R1(config-if)#description Connect to R2
R1(config-if)#ip address 10.67.254.2 255.255.255.252
R1(config-if)#no shutdown 

R1(config-if)#interface g0/0/1
R1(config-if)#description Connect to LAN A
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown

R1(config-if)#interface loopback 0
R1(config-if)#ip address 10.52.0.1 255.255.255.248
R1(config-if)#exit

R1(config)#crypto key generate rsa 
How many bits in the modulus [512]: 1024
R1(config)#

Step 3: Configure S1 and S2.

Configuration tasks for the switches include the following:

| Task | Specification | S1 | S2 |
|---|---|---|---|
| Disable DNS lookup | | 0.5 pt | 0.5 pt |
| Switch name | S1 or S2, as appropriate | 0.5 pt | 0.5 pt |
| Domain name | ccna-lab.com | 0.5 pt | 0.5 pt |
| Encrypted privileged EXEC password | ciscoenpass | 0.5 pt | 0.5 pt |
| Console access password | ciscoconpass | 0.5 pt | 0.5 pt |
| Shutdown all unused interfaces | | 0.5 pt | 0.5 pt |
| Create an administrative user in the local database | Username: admin; Password: admin1pass | 0.5 pt | 0.5 pt |
| Set login on VTY lines to use local database | | 0.5 pt | 0.5 pt |
| Set VTY lines to accept SSH connections only | | 0.5 pt | 0.5 pt |
| Encrypt the clear text passwords | | 0.5 pt | 0.5 pt |
| Configure an MOTD Banner | | 0.5 pt | 0.5 pt |
| Generate an RSA crypto key | 1024 bits modulus | 0.5 pt | 0.5 pt |
| Configure Management Interface (SVI) for VLAN 1 (the Management VLAN) | Set the Layer 3 IPv4 address | 0.5 pt | 0.5 pt |
| Configure Default Gateway | | 0.5 pt | 0.5 pt |

S1

Switch>enable
Switch#configure terminal 

Switch(config)#no ip domain-lookup 

Switch(config)#hostname S1

S1(config)#ip domain-name ccna-lab.com

S1(config)#enable secret ciscoenpass

S1(config)#line console 0
S1(config-line)#password ciscoconpass
S1(config-line)#login
S1(config-line)#exit

S1(config)#interface range f0/1-4, f0/7-24, g0/1-2
S1(config-if-range)#shutdown 
S1(config-if-range)#exit

S1(config)#username admin secret admin1pass

S1(config)#line vty 0 15
S1(config-line)#login local 
S1(config-line)#transport input ssh 
S1(config-line)#exit

S1(config)#service password-encryption 

S1(config)#banner motd #Unauthorized access or use prohibited#

S1(config)#crypto key generate rsa 
How many bits in the modulus [512]: 1024

S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown 
S1(config-if)#exit

S1(config)#ip default-gateway 192.168.1.1
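
As an added example (not part of the original answer key), the Python check below audits a saved running configuration against the management-plane items in the Step 2 and Step 3 task tables. The sample configuration, the `audit` function and its finding texts are constructed for illustration; each `line vty` range is checked separately, because hardening only one range leaves the others with whatever settings they already had.

```python
import re

# Constructed running-config excerpt (not captured output) for a device
# hardened as in Steps 2 and 3; PLACEHOLDER stands in for hash fields.
HARDENED = """\
service password-encryption
security passwords min-length 10
enable secret 5 PLACEHOLDER
username admin secret 5 PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

GLOBAL_CHECKS = {  # finding -> pattern one global command must match
    "clear-text passwords not encrypted": r"service password-encryption$",
    "minimum password length below 10": r"security passwords min-length 1\d$",
    "no enable secret": r"enable secret ",
    "no local user with a secret": r"username \S+ secret ",
}

def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    globals_, vty, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):          # sub-command of the current section
            if current in vty:
                vty[current].append(raw.strip())
            continue
        current = raw.strip()
        if current.startswith("line vty"):
            vty[current] = []            # each vty range is checked separately
        else:
            globals_.append(current)
    findings = [msg for msg, pat in GLOBAL_CHECKS.items()
                if not any(re.match(pat, cmd) for cmd in globals_)]
    for header, sub in vty.items():
        if "login local" not in sub:
            findings.append(f"{header}: login does not use the local database")
        if "transport input ssh" not in sub:
            findings.append(f"{header}: accepts protocols other than SSH")
    return sorted(findings)
```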


Points for Step 1 (5 points):
Enter score here.
Points for Step 2 (21 points):
Enter score here.
Points for Step 3 (14 points):
Enter score here.
Instructor Sign-off Part 1:
Instructor Sign-off
Total points for Part 1 (40 points):
Enter score here.

Part 2: Configure Single Area OSPFv2

Total points: 10
Time: 10 minutes

Configuration tasks for R1 and R2 include the following:

| Task | Specification | R1 | R2 |
|---|---|---|---|
| Configure the OSPF routing process | Use process id 1 | 1 pt | 1 pt |
| Manually configure the router id | Use 0.0.0.1 for R1 and 0.0.0.2 for R2 | 1 pt | 1 pt |
| Configure network statements | Configure a network statement for each locally attached network using a wildcard mask that matches each network’s subnet mask. Note: R2 Lo0 network should not be included in the OSPF process. | 3 pts | 3 pts |

R1

User Access Verification

Password: ciscoconpass

R1>enable
Password: ciscoenpass
R1#configure terminal 

R1(config)#router ospf 1
R1(config-router)#router-id 0.0.0.1
R1(config-router)#network 10.67.254.0 0.0.0.3 area 0
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 10.52.0.0 0.0.0.7 area 0
R1(config-router)#
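
As an added example (not part of the original answer key), the Python below derives the `network` statements from the addressing table and then checks which interfaces a set of statements actually enables, which is how an over-broad wildcard would pull R2 Lo0 into OSPF. The function names and the `EXCLUDED` set are assumptions of this example.

```python
import ipaddress

# Addressing table from this page: (interface, IP address, subnet mask).
INTERFACES = {
    "R1": [("G0/0/0", "10.67.254.2", "255.255.255.252"),
           ("G0/0/1", "192.168.1.1", "255.255.255.0"),
           ("Lo0", "10.52.0.1", "255.255.255.248")],
    "R2": [("G0/0/0", "10.67.254.1", "255.255.255.252"),
           ("Lo0", "209.165.201.1", "255.255.255.224"),
           ("G0/0/1", "10.67.1.1", "255.255.255.0")],
}
EXCLUDED = {("R2", "Lo0")}   # Part 2 note: R2 Lo0 stays out of OSPF

def network_statements(router, area=0):
    """One 'network' statement per attached network; wildcard = inverted mask."""
    out = []
    for ifname, addr, mask in INTERFACES[router]:
        if (router, ifname) in EXCLUDED:
            continue
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        out.append(f"network {net.network_address} {net.hostmask} area {area}")
    return out

def enabled_interfaces(router, statements):
    """Interfaces whose address matches a statement on the bits the wildcard cares about."""
    matched = []
    for ifname, addr, _ in INTERFACES[router]:
        ip = int(ipaddress.ip_address(addr))
        for stmt in statements:
            _, base, wildcard, *_ = stmt.split()
            care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
            if ip & care == int(ipaddress.ip_address(base)) & care:
                matched.append(ifname)
                break
    return matched

if __name__ == "__main__":
    for router in INTERFACES:
        print(router, network_statements(router))
```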


Instructor Sign-off Part 2
Instructor Sign-off
Total Points (10 points):
Enter score here.

Part 3: Optimize Single-Area OSPFv2

Total points: 20
Time: 20 minutes

Step 1: Configure R1.

Configuration Tasks for R1 include the following:

| Task | Specification | Points |
|---|---|---|
| Configure passive interfaces | Configure all interfaces that are not directly connected to an OSPF neighbor to be passive | 3 points |
| Configure the reference bandwidth | Adjust the reference bandwidth to 1 Gigabit | 2 points |
| Configure Loopback 0 to report the mask it is configured with instead of a host mask | Configure Loopback0 as a point-to-point network for OSPF | 2 points |
| Tune the timers for your network | Configure the hello time for 30 seconds | 1 point |

Router 1

R1>enable
Password: ciscoenpass
R1#configure terminal 

R1(config)#router ospf 1

R1(config-router)#passive-interface g0/0/1
R1(config-router)#passive-interface loopback 0

R1(config-router)#auto-cost reference-bandwidth 1000
R1(config-router)#exit

R1(config)#interface loopback 0
R1(config-if)#ip ospf network point-to-point 
R1(config-if)#exit

R1(config)#interface g0/0/0
R1(config-if)#ip ospf hello-interval 30
R1(config-if)#

Step 2: Configure R2.

Configuration tasks for R2 include the following:

| Task | Specification | Points |
|---|---|---|
| Configure passive interfaces | Configure all interfaces that are not directly connected to an OSPF neighbor to be passive | 2 points |
| Configure the reference bandwidth | Adjust the reference bandwidth to 1 Gigabit | 2 points |
| Provide default routing for the OSPF domain | Configure a static default route with loopback 0 as the exit interface, then share the default information with other OSPF speakers | 5 points |
| Tune the timers for your network | Configure the hello time for 30 seconds | 1 point |
| Tune the DR/BDR election to favor R2 | Set the OSPF priority for R2 to a value of 50 | 2 points |

Router 2

R2>en
Password: ciscoenpass
R2#configure terminal 

R2(config)#router ospf 1

R2(config-router)#passive-interface g0/0/1
R2(config-router)#passive-interface loopback 0

R2(config-router)#auto-cost reference-bandwidth 1000
R2(config-router)#exit

R2(config)#ip route 0.0.0.0 0.0.0.0 loopback 0
R2(config)#router ospf 1
R2(config-router)#default-information originate 
R2(config-router)#exit 

R2(config)#interface g0/0/0
R2(config-if)#ip ospf hello-interval 30

R2(config-if)#ip ospf priority 50
R2(config-if)#exit
R2(config)#

Points for Step 1 (8 points)
Enter score here.
Points for Step 2 (12 points)
Enter score here.
Instructor Sign-off Part 3:
Instructor Sign-off
Total points (20 points):
Enter score here.

Part 4: Configure Access Control, NAT, and perform configuration backup

Total points: 30
Time: 30 minutes

Step 1: Configure host computers.

Configure the host computers PC-A and PC-B with IPv4 addresses. (4 points)

| Description | PC-A | PC-B |
|---|---|---|
| IP Address | 192.168.1.50 | 10.67.1.50 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Default Gateway | 192.168.1.1 | 10.67.1.1 |

After configuring each host computer, perform the following tests: (4 points)

| Source | Target | Protocol | Expected Result |
|---|---|---|---|
| PC-A | PC-B | Ping (C:\>ping 10.67.1.50) | Success |
| PC-A | https://209.165.201.1 | HTTPS (On browser, access: https://209.165.201.1) | Success |
| PC-A | 209.165.201.1 | SSH (C:\>ssh -l admin 209.165.201.1, Enter password: admin1pass) | Success |
| PC-B | 209.165.201.1 | SSH (C:\>ssh -l admin 209.165.201.1, Enter password: admin1pass) | Success |

If you get different results, troubleshoot your OSPF and host configurations.

Note: If you are unable to access 209.165.201.1 via https, enter ip http secure-server at R2 CLI.

R2(config)#ip http secure-server

Step 2: Configure Access Control on R2.

Create and apply an access control list on R2 named R2-SECURITY to do the following:

| Task | Specification | Points |
|---|---|---|
| Create an access control list | R2-SECURITY | 2 points |
| Control HTTP and HTTPS traffic | Only hosts from the 10.0.0.0/8 network are allowed to reach the web server at 209.165.201.1 | 2 points |
| Control SSH traffic | SSH is not allowed to the address 209.165.201.1 | 2 points |
| Permit traffic | All other traffic, regardless of protocol, is allowed | 2 points |
| Apply the ACL | Filter traffic originating from R1 | 2 points |

On Router R2

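R2(config)#ip access-list extended R2-SECURITY
R2(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 209.165.201.1 eq 80
R2(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 209.165.201.1 eq 443
R2(config-ext-nacl)#deny tcp any host 209.165.201.1 eq 80
R2(config-ext-nacl)#deny tcp any host 209.165.201.1 eq 443
R2(config-ext-nacl)#deny tcp any host 209.165.201.1 eq 22
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit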

R2(config)#interface g0/0/0
R2(config-if)#ip access-group R2-SECURITY in

After configuring and applying the ACL, perform the following tests: (2 points)

| Source | Target | Protocol | Expected Result |
|---|---|---|---|
| PC-A | PC-B | Ping | Success |
| PC-A | https://209.165.201.1 | HTTPS | Failure |
| PC-A | 209.165.201.1 | SSH | Failure |
| PC-B | 209.165.201.1 | SSH | Success |

If you get different results, double check your ACL configuration and application.
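
An added example, not part of the original answer key: a first-match evaluation in Python of an ACL written from the Step 2 specification table, run against the post-ACL tests above. It goes one step beyond those tests by also checking PC-A after the Step 3 PAT, when its source address becomes R1's G0/0/0 address. The tuple rule format and all function names are assumptions of this example.

```python
import ipaddress

WEB = "209.165.201.1"   # R2 Lo0, the simulated web server
# Entries written from the Step 2 specification table (an assumption of this
# example): (action, protocol, source network, destination host, dest port).
R2_SECURITY = [
    ("permit", "tcp", "10.0.0.0/8", WEB, 80),
    ("permit", "tcp", "10.0.0.0/8", WEB, 443),
    ("deny",   "tcp", "0.0.0.0/0",  WEB, 80),
    ("deny",   "tcp", "0.0.0.0/0",  WEB, 443),
    ("deny",   "tcp", "0.0.0.0/0",  WEB, 22),
    ("permit", "ip",  "0.0.0.0/0",  None, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(a_src):
            continue
        if a_dst not in (None, dst) or a_port not in (None, dport):
            continue
        return action
    return "deny"

def from_r1(proto, src, dst, dport=None):
    """Traffic entering R2 on G0/0/0, where the ACL is applied inbound."""
    return evaluate(R2_SECURITY, proto, src, dst, dport)

PC_A = "192.168.1.50"        # PC-A before NAT (Step 2 tests)
PC_A_NAT = "10.67.254.2"     # PC-A after PAT to R1 G0/0/0 (Step 3)
PC_B = "10.67.1.50"          # on R2's LAN: never crosses G0/0/0 inbound

def step2_results():
    """Verdicts for the flows that cross R2 G0/0/0, before and after NAT."""
    return {
        "PC-A ping PC-B": from_r1("icmp", PC_A, PC_B),
        "PC-A HTTPS": from_r1("tcp", PC_A, WEB, 443),
        "PC-A SSH": from_r1("tcp", PC_A, WEB, 22),
        "PC-A HTTPS after NAT": from_r1("tcp", PC_A_NAT, WEB, 443),
        "PC-A SSH after NAT": from_r1("tcp", PC_A_NAT, WEB, 22),
    }

if __name__ == "__main__":
    for test, verdict in step2_results().items():
        print(f"{test:22} {verdict}")
```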

Step 3: Configure NAT.

The decision has been made that the entire organization should be using addresses in the 10.0.0.0/8 network space. R1’s LAN is out of compliance. There are applications and services running in the R1 LAN that cannot have their IP address changed without the entire system being rebuilt, so NAT is in order. Here are the configuration tasks at R1:

| Task | Specification | Points |
|---|---|---|
| Remove 192.168.1.0/24 from OSPF | Remove the appropriate network statement at R1 | 2 points |
| Create an ACL to identify hosts allowed to be translated | Create an ACL that matches the 192.168.1.0 network | 2 points |
| Configure Port Address Translation on the outside interface of R1 | Configure the NAT association between the ACL and the interface g0/0/0 so that it uses port address translation | 2 points |
| Identify the interfaces involved in NAT | Specify inside or outside on the appropriate interfaces | 2 points |

On Router R1

R1(config)#router ospf 1
R1(config-router)#no network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#exit

R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

R1(config)#ip nat inside source list 1 interface g0/0/0 overload 

R1(config)#interface g0/0/0
R1(config-if)#ip nat outside
R1(config-if)#interface g0/0/1
R1(config-if)#ip nat inside 
R1(config-if)#

Step 4: Backup all device configurations.

| Task | Specification | Points |
|---|---|---|
| Using the TFTP server on PC-B, backup the running configuration of all of your devices to PC-B using the TFTP protocol | | 2 points |

On 4 devices: R1, R2, S1, S2:

User Access Verification

Password: ciscoconpass

R1/R2/S1/S2>en
Password: ciscoenpass
R1/R2/S1/S2#copy running-config tftp
Address or name of remote host []? 10.67.1.50

If you are testing on a real device, you can install and use SolarWinds TFTP Server on PC-B as the TFTP server.

Points for Step 1 (8 points):
Enter score here.
Points for Step 2 (12 points):
Enter score here.
Points for Step 3 (8 points):
Enter score here.
Points for Step 4 (2 points):
Enter score here.
Instructor Sign-off Part 4:
Instructor Sign-off
Total points (30 points):
Enter score here.

Part 5: Cleanup

NOTE: DO NOT PROCEED WITH CLEANUP UNTIL YOUR INSTRUCTOR HAS GRADED YOUR SKILLS EXAM AND HAS INFORMED YOU THAT YOU MAY BEGIN CLEANUP.

Unless directed otherwise by the instructor, restore host computer network connectivity, and then turn off power to the host computers.

Before turning off power to the router and switch, remove the NVRAM configuration files (if saved) from both devices.

Disconnect and neatly put away all LAN cables that were used in the Final.

Router Interface Summary Table

| Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
|---|---|---|---|---|
| 1800 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
| 1900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
| 2801 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
| 2811 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
| 2900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
| 4221 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
| 4300 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
