
CCNA 2 Version 3 Hands-on Final (Instructors Guide)

Student name _______________________________ Date __________________ Start time ____________


This is the basic setup. The hosts require an operating system with TCP/IP installed and a web browser.

The hands-on final is designed for students to wire and program one side of the internetwork. The
student will be assigned either Anniston or Boaz and its associated components. The GAD router is to be
programmed by the instructor with the provided configuration. This configuration is very lengthy and
should be pasted in sections to prevent overrun.

The student can be assigned one of 10 different versions from either Branch location. The version will
determine the WAN network assigned, as well as the IGRP Autonomous System number. This allows for
20 different combinations plus unlimited variations in the LAN assignments. These are further explained
in the appropriate sections.
Circle one:
Location: Anniston or Boaz
Circle one:
Version 1 2 3 4 5 6 7 8 9 10
Instructor provided information:
The WAN IP network address is _________________ with a subnet mask of _______________.
The local LAN has been assigned an IP network address of ______________________________.
Each subnet of the above network needs to accommodate ___________ host addresses.
Use the ______ useable subnet for the LAN. Do NOT use subnet zero as the first subnet.
The IGRP AS number is ________.

[Figure: internetwork topology. GAD S0/0 (S0), DCE, connects to S0/0 (S0) on Anniston; GAD S0/1 (S1), DCE, connects to S0/0 (S0) on Boaz. Each branch LAN has a Management host and a Production host (IBM Compatible).]

There are 4 elements of this exam that can be weighted or can be a pass or fail exam.
This exam will occur in stages. Each element is a set of instructions that needs to be accomplished. The
instructor will initial each task as they are completed. Proceed to the next task only after the instructor has
approved the current task.
The 5 elements of this exam are:
1. planning
2. security
3. cabling
4. basic configuration
5. troubleshooting

The basic theme here is that Gadsden (GAD) is the regional headquarters of the company. Anniston and Boaz
are branch offices. Each network associate (student) will be responsible for a single branch office. The
internetwork team leader (instructor) is responsible for the regional router (GAD).
A network address and specific number of hosts per subnet has been assigned for the local LAN. From the
instructor provided information, the subnet address, the subnet mask, the first and last useable addresses, and
the broadcast address for each site's LAN need to be determined.


This part of the exam is to test the student's ability to subnet. This hands-on final allows for many
combinations. The instructor needs to assign the student a network address to be applied to the LAN,
as well as how many hosts per network are needed. The instructor can assign the student virtually ANY
network (except as below) and any number of hosts per network of 3 or more.

Addresses NOT to assign to the student for the LAN:
192.168.1.0 - 192.168.10.0
192.168.101.0 - 192.168.110.0
172.16.0.0
209.0.0.0
62.0.0.0
198.0.0.0
the network assigned to the other branch (Anniston or Boaz)

The only issue to take care of is that there must be at least 10 subnets. That means that if assigning a
Class C address, no more than 14 hosts per network and when assigning a Class B address no more
than 4094 hosts per network should be assigned.

CCNA 2 Hands-on Final Version Assignment

Router      Final      WAN network          GAD Router           IGRP AS
segment     version    address              Interface address    number
Anniston    1          192.168.1.0 /24      192.168.1.1          1
Anniston    2          192.168.2.0 /24      192.168.2.1          2
Anniston    3          192.168.3.0 /24      192.168.3.1          3
Anniston    4          192.168.4.0 /24      192.168.4.1          4
Anniston    5          192.168.5.0 /24      192.168.5.1          5
Anniston    6          192.168.6.0 /24      192.168.6.1          6
Anniston    7          192.168.7.0 /24      192.168.7.1          7
Anniston    8          192.168.8.0 /24      192.168.8.1          8
Anniston    9          192.168.9.0 /24      192.168.9.1          9
Anniston    10         192.168.10.0 /24     192.168.10.1         10
Boaz        1          192.168.101.0 /24    192.168.101.1        101
Boaz        2          192.168.102.0 /24    192.168.102.1        102
Boaz        3          192.168.103.0 /24    192.168.103.1        103
Boaz        4          192.168.104.0 /24    192.168.104.1        104
Boaz        5          192.168.105.0 /24    192.168.105.1        105
Boaz        6          192.168.106.0 /24    192.168.106.1        106
Boaz        7          192.168.107.0 /24    192.168.107.1        107
Boaz        8          192.168.108.0 /24    192.168.108.1        108
Boaz        9          192.168.109.0 /24    192.168.109.1        109
Boaz        10         192.168.110.0 /24    192.168.110.1        110

Step 1 Planning

Points __________________

The student is asked to plan the network subnets for the first 10 useable networks. The instructor
should plan this ahead of time so they are known.

Using the chart below, plan the first 10 usable subnets of the LAN network address assigned to you.
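Subnet       Subnet            Subnet mask       First host        Last host         Broadcast
(useable)    Address           (/x)
1            _____________     _____________     _____________     _____________     _____________
2            _____________     _____________     _____________     _____________     _____________
3            _____________     _____________     _____________     _____________     _____________
4            _____________     _____________     _____________     _____________     _____________
5            _____________     _____________     _____________     _____________     _____________
6            _____________     _____________     _____________     _____________     _____________
7            _____________     _____________     _____________     _____________     _____________
8            _____________     _____________     _____________     _____________     _____________
9            _____________     _____________     _____________     _____________     _____________
10           _____________     _____________     _____________     _____________     _____________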

The configuration provided for the GAD router accommodates a variety of addresses for the WAN to the
branch. The WAN assignment will be based on the version number and the serial port on the GAD router.
The WAN connected to serial 0/0 (from GAD to Anniston) is assigned to use networks 192.168.1.0 -
192.168.10.0. If the student on the Anniston site is assigned version 1 of the final, the 192.168.1.0
network should be assigned and an IGRP AS of 1 will be used.
The WAN assignments for the serial 0/1 (from GAD to Boaz) offset the version number by 100. If the
student on the Boaz site is assigned version 1 of the final, the 192.168.101.0 network should be assigned
and an IGRP AS of 101 will be used.
The WAN interface of GAD is assigned the lowest useable address in the network.

Identify and use the second lowest useable WAN address for your S0 interface of the router assigned to you
_________________________.
The subnet number should be equal to the version number assigned to the student.
The student should properly select the address ranges for the Production and Management hosts. The
most significant bit of the host range should divide the address ranges. For example, if the subnet is
172.16.1.128 /26 the address range of the subnet would be 172.16.1.129 - 172.16.1.191. The lower
address range (production) is 172.16.1.129 - 172.16.1.159. The upper address range (management) is
172.16.1.160 - 172.16.1.190. The chart below shows the binary representation of the last octet of this
example.

               Number    Network Bits    Host Decision Bit    Remaining Host Bits
Lower Range    129       1 0             0                    0 0 0 0 1
               191       1 0             0                    0 1 1 1 0
Upper Range    160       1 0             1                    0 0 0 0 0
               190       1 0             1                    1 1 1 1 0

For "Security" purposes, all of the production floor workstations will be assigned the lower half of the IP address
numbers of the subnet assigned by the instructor. All of the network devices and management stations will be
assigned the upper half of the IP address numbers of the subnet assigned by the instructor. From this upper
half range of addresses, the Ethernet router interface is to be assigned the highest useable address.
Identify the required IP address of the Ethernet interface on your assigned router. ___________________
The host configurations must also be planned. Using the chart below, complete the host information.
Branch: Anniston or Boaz                IP address range
Production Host Range (Lower half)      ___________________________
Management Host Range (Upper half)      ___________________________


Production Host
IP address ___________________________
Subnet Mask __________________
Default Gateway ___________________________
Management Host
IP address ___________________________
Subnet Mask __________________
Default Gateway ___________________________
Before proceeding to the next step have instructor approve this step.
Instructor _______________________________
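
The planning rules above can be checked with a short script. This is an added example, not part of the original exam: the function names and the 192.168.50.0/24 sample assignment are constructed for illustration, and the network is passed in CIDR form. It builds the chart rows while skipping subnet zero, then splits a subnet at the most significant host bit into production and management ranges.

```python
import ipaddress
from itertools import islice

def plan_subnets(network, hosts_needed, count=10):
    """Rows for the planning chart: first `count` useable subnets, subnet zero skipped."""
    net = ipaddress.ip_network(network)
    host_bits = 2
    while 2 ** host_bits - 2 < hosts_needed:      # smallest subnet that fits the hosts
        host_bits += 1
    candidates = net.subnets(new_prefix=32 - host_bits)
    rows = []
    for number, s in enumerate(islice(candidates, 1, count + 1), start=1):
        rows.append({
            "subnet": number,
            "address": f"{s.network_address}/{s.prefixlen}",
            "mask": str(s.netmask),
            "first": str(s.network_address + 1),
            "last": str(s.broadcast_address - 1),
            "broadcast": str(s.broadcast_address),
        })
    if len(rows) < count:                          # too many hosts per subnet requested
        raise ValueError(f"only {len(rows)} useable subnets, {count} required")
    return rows

def split_hosts(subnet):
    """Divide a subnet at the most significant host bit (production low, management high)."""
    s = ipaddress.ip_network(subnet)
    decision_bit = s.num_addresses // 2            # value of the most significant host bit
    first_upper = s.network_address + decision_bit
    return {
        "production": (str(s.network_address + 1), str(first_upper - 1)),
        "management": (str(first_upper), str(s.broadcast_address - 1)),
        "router_ethernet": str(s.broadcast_address - 1),   # highest useable address
        "wildcard": str(s.hostmask),
        # wildcard with the most significant host bit cleared: matches the lower half only
        "low_wildcard": str(ipaddress.ip_address(int(s.hostmask) >> 1)),
    }

if __name__ == "__main__":
    for row in plan_subnets("192.168.50.0/24", hosts_needed=14):   # constructed assignment
        print(row)
    print(split_hosts("172.16.1.128/26"))                          # the example subnet above
```
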

Step 2 Security
Points __________________
There are several security concerns in the internetwork. Access Control List(s) should be developed to
address these issues. The following are the concerns:
1. The company has an intranet web server host that all systems can reach at IP address 172.16.0.1 with
only HTTP access. No other protocols will be permitted to this site.
2. The company also has a server pool in the 209.0.0.0 /24 network. The server pool addresses are
divided into halves. The servers in the upper half of the address range should only be reachable by
management hosts (all IP protocols). The servers in the lower half of the address range should be
reachable by all LAN hosts (all IP protocols). The servers should not be accessible to any other hosts.
3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses.
All hosts are to be banned from reaching this site.
Before proceeding to the next step have instructor approve this step.
Instructor ______________________________

Step 3 Cabling
Points __________________
Now that the planning process is complete, it is time to construct the Physical layer. Using the diagram,
connect all the associated hardware for the local branch.
This should be a straightforward process, as long as the student uses the proper cables and does not
omit any of the connections. A hub can be substituted for a switch. When using a switch, make sure
that all custom configurations are erased. In particular, make sure the switch is using a single VLAN. If
using a hub, make sure that the student does not use an uplink port.
Below is a checklist to assure the proper connection.
       Device        Connection to Switch/Hub    S0/0 or S0/1 connection
[ ]    Anniston      Cat 5 straight              Serial (DTE)
[ ]    Boaz          Cat 5 straight              Serial (DTE)
[ ]    GAD           n/a                         Serial (DCE)
[ ]    Production    Cat 5 straight              n/a
[ ]    Management    Cat 5 straight              n/a


Before proceeding to the next step have instructor approve this step.
Instructor _______________________________

Step 4 Basic Configuration

Points __________________

The student is tested on the same basic configuration elements as have been used in lab throughout
the course. A checklist is provided below for some of the critical configuration items.
Checked  Criteria

[ ]  passwords: Make sure that the student configures the console, secret, and VTY
     passwords. (The VTY password can

[ ]  Host Name: The student should configure the host name of Anniston or Boaz.

[ ]  IP Address: The FastEthernet should be configured with the highest address in the
     subnet. The Serial interface can be configured with any address in the
     appropriate Class C EXCEPT the lowest. (GAD's interface is .1)

[ ]  Host Table: Make sure the router has host table entries for GAD

[ ]  Message of the Day: Make sure there is a properly functioning MOTD and that it reflects a
     proper security message. (Do not attempt to )

[ ]  Serial 0/0 description: The serial interface should have a description identifying that it
     connects to GAD's appropriate interface.

[ ]  Fa 0/0 description: This description should identify that it connects to the LAN

[ ]  Routing Protocol: The routing protocol should be configured as IGRP with an Autonomous
     System Number equal to the version number. There should be 2 network
     statements. One for the WAN (192.168.y.0) and one for the network
     assigned to the LAN.

[ ]  Hosts: Make sure the hosts are configured with the appropriate IP address,
     subnet mask, and gateway. The router's address (highest address in
     subnet) should be the gateway on both hosts.

[ ]  Connectivity: From the host's command prompt, make sure that the host can ping
     GAD's Serial interface as well as the loopback interfaces:
     172.16.0.1, 209.0.0.1, 209.0.0.254, 62.0.0.1, and 198.0.0.1.

[ ]  Browsing: Also make sure that the web browser on the host can bring up the login
     popup for the loopback interfaces:
     172.16.0.1, 209.0.0.1, 209.0.0.254, 62.0.0.1, and 198.0.0.1.

Apply a basic configuration to the router. This configuration should contain all the normal
configuration items. These include (but are not limited to): router name, passwords, interface descriptions,
routing, host table, and a banner to be displayed before login.
The routing and connectivity should be verified before notifying the instructor.
Before proceeding to the next step have instructor approve this step.
Instructor _______________________________

Step 4 Security

Points __________________

This section tests the student's skills to design and apply IP ACLs for different purposes. The
following will require the student to develop ACL statements for:
- Network to host for a specific protocol
- A range of hosts to a range of hosts all protocols
- Network to specific host all protocols
These can be accomplished using one access list applied in on the FastEthernet interface or applied
out on the serial interface. The answers provided are ONLY examples. There are many ways to
accomplish the intended outcome. Functionality should be tested.

There are several security concerns in the internetwork. Access Control List(s) should be developed to
address these issues. The following are the concerns:
1. The company has an intranet web server host that all systems can reach at IP address 172.16.0.1 with
only HTTP access. No other protocols will be permitted to this site.

access-list 100 permit tcp lan_address wildcard host 172.16.0.1 eq 80
access-list 100 deny ip lan_address wildcard host 172.16.0.1

Where the lan_address is the subnet address of the LAN and the wildcard is the complement of the
subnet mask. Example: subnet 172.18.1.0 255.255.255.0 = address 172.18.1.0 wildcard 0.0.0.255
--- Make sure that the source is the whole subnet not just the specific hosts. ---

2. The company also has a server pool in the 209.0.0.0 /24 network. The server pool addresses are divided
into halves. The servers in the upper half of the address range should only be reachable by management hosts
(all IP protocols). The servers in the lower half of the address range should be reachable by all LAN hosts
(all IP protocols). The servers should not be accessible to any other hosts.

access-list 100 deny ip lan_address low_wildcard 209.0.0.128 0.0.0.127
access-list 100 permit ip lan_address wildcard 209.0.0.0 0.0.0.255
access-list 100 deny ip any 209.0.0.0 0.0.0.255

Where the lan_address is the subnet address of the LAN and the low_wildcard is the complement of
the subnet mask except the most significant host bit is 0. Example: subnet 172.18.1.0 255.255.255.0
= lan_address 172.18.1.0 low_wildcard 0.0.0.127
Where the lan_address is the subnet address of the LAN and the wildcard is the complement of the
subnet mask. Example: subnet 172.18.1.0 255.255.255.0 = address 172.18.1.0 wildcard 0.0.0.255
--- Make sure that the source is not just the specific hosts. ---

3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses. All
hosts are to be banned from reaching this site.

access-list 100 deny ip any host 198.0.0.1

Tests
1. The web browser on both hosts can bring up the login of IP address 172.16.0.1 but neither can ping
nor telnet.
2. Management host can browse, ping, telnet 209.0.0.1 and 209.0.0.254. Production host can browse,
ping, telnet 209.0.0.1 but NOT 209.0.0.254.
3. Neither host can browse, ping, telnet 198.0.0.1.
4. The web browser on both hosts can bring up the login of IP address 62.0.0.1 (can also ping, telnet..)

Before proceeding to the next step have instructor approve this step.
Instructor _______________________________
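
The example answers can be dry-run against the four tests before touching a router. The sketch below is an added example, not part of the original guide: it models first-match evaluation with Cisco wildcard semantics for the 172.18.1.0 255.255.255.0 example subnet. The two host addresses and the closing permit ip any any entry are assumptions; that entry does not appear in the answers above, and without it the implicit deny at the end of the list fails test 4.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def host(addr):
    return (addr, "0.0.0.0")

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.18.1.0", "0.0.0.255")         # lan_address wildcard (example subnet from the text)
LAN_LOW = ("172.18.1.0", "0.0.0.127")     # lan_address low_wildcard: production half only
PROD, MGMT = "172.18.1.10", "172.18.1.200"   # constructed hosts, one in each half

# (action, protocol, source, destination, destination port)
ACL_100 = [
    ("permit", "tcp", LAN, host("172.16.0.1"), 80),
    ("deny", "ip", LAN, host("172.16.0.1"), None),
    ("deny", "ip", LAN_LOW, ("209.0.0.128", "0.0.0.127"), None),
    ("permit", "ip", LAN, ("209.0.0.0", "0.0.0.255"), None),
    ("deny", "ip", ANY, ("209.0.0.0", "0.0.0.255"), None),
    ("deny", "ip", ANY, host("198.0.0.1"), None),
    ("permit", "ip", ANY, ANY, None),     # assumption: not in the answers, needed for test 4
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, rule_proto, (sb, sw), (db, dw), port in acl:
        if rule_proto not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"                                    # implicit deny any any

if __name__ == "__main__":
    checks = [("tcp", "172.16.0.1", 80), ("icmp", "172.16.0.1", None),
              ("icmp", "209.0.0.1", None), ("icmp", "209.0.0.254", None),
              ("tcp", "198.0.0.1", 80), ("tcp", "62.0.0.1", 80)]
    for proto, dst, port in checks:
        for name, src in (("production", PROD), ("management", MGMT)):
            print(f"{name:10} {proto:4} -> {dst:12} {evaluate(ACL_100, proto, src, dst, port)}")
```

Swapping the deny for the upper server half with the permit that follows it lets the production host reach 209.0.0.254, which is why entry order has to be checked along with the entries themselves.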

Step 5 Troubleshooting

Points __________________ (Optional)

This is an important part of the hands-on exam. The instructor should be more interested in the
troubleshooting methodology than correcting the problems. Students should not extensively use the
show run command. They should also not be allowed to paste the configuration back into the router to
correct the problem.
The student should use and document the appropriate show and debug commands to isolate the
problems.
As a general rule, one Physical layer problem and one configuration problem should be introduced.
Now that everything is successfully configured, the instructor will create some problems. The steps and commands
used to correct these issues must be documented. The show run command should be used only as a last resort.
Symptom / Cause

Commands / Results

Instructor _______________________________
Grade ______________________________

Detailed Solutions

End time __________________

Initials

These are some recommended problems to be introduced and commands/methods to diagnose them.

Physical Issues

Pull the Cat 5 cable partially out of the router or hub far enough to turn off link lights or put a
bad/wrong Cat 5 cable in LAN.
- show interfaces or show ip interface brief

Power off router or remove power cord.
- visual inspection

Reverse the cable on the serial connection (DTE DCE)
- show interfaces or show ip interface brief
- show controller serial
- show cdp neighbor

Connect 2 DCE cables back to back on the serial connection
- show interfaces or show ip interface brief
- show controller serial
- show cdp neighbor

Configuration Issues

Shutdown an interface
Example:
(config-if)# shutdown
Commands for troubleshooting
- show interfaces or show ip interface brief

Change the IP address to a similar one in another subnet
Example changing 172.32.24.1 /24 to 172.32.42.1 /24
(config-if)# ip address 172.32.42.1 255.255.255.0
Commands for troubleshooting
- show interfaces or show ip interface brief
- show ip route

Change the network statements in the routing protocol to similar network
Example changing 172.32.0.0 to 172.23.0.0
(config-router)# no network 172.32.0.0
(config-router)# network 172.23.0.0
Commands for troubleshooting
- show ip route
- show ip protocols

Change the IGRP autonomous system number to something similar
Example changing AS from 102 to 120
(config)# no router igrp 102
(config)# router igrp 120
(config-router)# network xxx.yyy.zzz.aaa
(config-router)# network rrr.sss.ttt.uuu
Commands for troubleshooting
- show ip route
- show ip protocols

Remove the IGRP routing protocol
Example removing AS 102
(config)# no router igrp 102
Commands for troubleshooting
- show ip route
- show ip protocols

Use a static route to override the route from the routing protocol to send traffic to null 0 (or to some other
ACTIVE interface)
Example rerouting route 172.16.0.0 255.255.0.0 to null 0
(config)# ip route 172.16.0.0 255.255.0.0 null 0
Commands for troubleshooting
- show ip route
- show ip protocols

Change the secret password so student has to do password recovery
Example change secret password to sneaky
(config)# enable secret sneaky

When introducing configuration changes a couple of things need to be done to ensure the student does
not easily find the problems. One of these issues is that the changes are captured in the history buffer on
the router. The student can use the arrow keys (ctrl-p) or show history to see the changes made. Another
is that if the configuration changes made to the router are not saved to start up, the student can restart the
router to correct the configuration problems. A final issue is that the terminal emulation program often
has a buffer that will keep a copy of the changes. The student can look through the buffer to see the
changes that have been made.
For the reasons above, it is recommended that steps be taken to prevent the student from an easy fix.
After the configuration changes are made to inject a problem in the student's router:
- issue a copy running-config startup-config command
- power cycle the router
- close the terminal session.
