Packet Tracer – CCNA Skills Integration Challenge Instructions Answers Packet Tracer – CCNA Skills Integration Challenge Instructions Answers
2.8 (9) votes

Packet Tracer – CCNA Skills Integration Challenge

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.


Addressing Table

VLAN Configurations and Port Mappings


In this comprehensive CCNA skills activity, the XYZ Corporation uses a combination of eBGP and PPP for WAN connections. Other technologies include NAT, DHCP, static and default routing, EIGRP for IPv4, inter-VLAN routing, and VLAN configurations. Security configurations include SSH, port security, switch security, and ACLs.

Note: Only HQ, B1, B1-S2, and the PCs are accessible. The user EXEC password is cisco and the privileged EXEC password is class.



•  Configure the WAN link from HQ to the Internet using PPP encapsulation and CHAP authentication.

°  Create a user ISP with the password of cisco.

•  Configure the WAN link from HQ to NewB using PPP encapsulation and PAP authentication.

° Create a user NewB with the password of cisco.

Note: The ppp pap sent-username is not graded by Packet Tracer. However, it must be configured before the link will come up between HQ and NewB.

HQ(config)# interface s0/1/0
HQ(config-if)# encapsulation ppp
HQ(config-if)# ppp authentication chap
HQ(config-if)# exit
HQ(config)# username ISP password cisco
HQ(config)# interface s0/0/1
HQ(config-if)# encapsulation ppp
HQ(config-if)# ppp authentication pap
HQ(config-if)# ppp pap sent-username HQ password cisco
HQ(config-if)# exit
HQ(config)# username NewB password cisco


•  Configure eBGP between HQ and the Internet.

°  HQ belongs to AS 65000.

°  The IP address for the BGP router in the Internet cloud is

°  Advertise the network to the Internet.

HQ(config)# router bgp 65000
HQ(config-router)# neighbor remote-as 65001
HQ(config-router)# network mask


•  Configure dynamic NAT on HQ

°  Allow all addresses for the address space to be translated using a standard access list named NAT.

°  XYZ Corporation owns the address space. The pool, HQ, uses addresses .241 to .245 with a /29 mask. Bind the NAT ACL to the pool HQ. Configure PAT.

°  The connections to the Internet and HQ-DataCenter are outside XYZ Corporation.

HQ(config)# ip access-list standard NAT
HQ(config-std-nacl)# permit
HQ(config-std-nacl)# exit
HQ(config)# ip nat pool HQ netmask
HQ(config)# ip nat inside source list NAT pool HQ overload
HQ(config)# interface s0/1/0
HQ(config-if)# ip nat outside
HQ(config-if)# interface g0/1
HQ(config-if)# ip nat outside
HQ(config-if)# interface s0/0/0
HQ(config-if)# ip nat inside
HQ(config-if)# interface s0/0/1
HQ(config-if)# ip nat inside
HQ(config-if)# interface g0/0
HQ(config-if)# ip nat inside

Inter-VLAN Routing

•  Configure B1 for inter-VLAN routing.

°  Using the addressing table for branch routers, configure and activate the LAN interface for inter-VLAN routing. VLAN 99 is the native VLAN.

B1(config)# interface g0/0
B1(config-if)# no shutdown
B1(config-if)# interface g0/0.10
B1(config-subif)# encapsulation dot1q 10
B1(config-subif)# ip address
B1(config-subif)# interface g0/0.20
B1(config-subif)# encapsulation dot1q 20
B1(config-subif)# ip address
B1(config-subif)# interface g0/0.30
B1(config-subif)# encapsulation dot1q 30
B1(config-subif)# ip address
B1(config-subif)# interface g0/0.99
B1(config-subif)# encapsulation dot1q 99 native
B1(config-subif)# ip address

Static and Default Routing

•  Configure HQ with a static route to the NewB LAN. Use the exit interface as an argument.

•  Configure B1 with a default route to HQ. Use the next-hop IP address as an argument.

HQ(config)# ip route serial 0/0/1
B1(config)# ip route

EIGRP Routing

•  Configure and optimize HQ and B1 with EIGRP routing.

°  Use autonomous system 100.

°  Disable EIGRP updates on appropriate interfaces.

HQ(config)# router eigrp 100
HQ(config-router)# network
HQ(config-router)# passive-interface g0/0
HQ(config-router)# passive-interface s0/0/1

B1(config)# router eigrp 100
B1(config-router)# network
B1(config-router)# passive-interface g0/0.10
B1(config-router)# passive-interface g0/0.20
B1(config-router)# passive-interface g0/0.30
B1(config-router)# passive-interface g0/0.99

VLANs and Trunking Configurations

Note: Logging to the console is turned off on B1-S2 so that the Native VLAN mismatch messages will not interrupt your configurations. If you would prefer to view console messages, enter the global configuration command logging console.

•  Configure trunking and VLANs on B1-S2.

°  Create and name the VLANs listed in the VLAN Configuration and Port Mappings table on B1-S2 only.

°  Configure the VLAN 99 interface and default gateway.

°  Set trunking mode to on for F0/1 – F0/4.

°  Assign VLANs to the appropriate access ports.

°  Disable all unused ports and assign the BlackHole VLAN.

B1-S2(config)# vlan 10
B1-S2(config-vlan)# name Admin
B1-S2(config-vlan)# vlan 20
B1-S2(config-vlan)# name Sales
B1-S2(config-vlan)# vlan 30
B1-S2(config-vlan)# name Production
B1-S2(config-vlan)# vlan 99
B1-S2(config-vlan)# name Mgmt&Native
B1-S2(config-vlan)# vlan 999
B1-S2(config-vlan)# name BlackHole
B1-S2(config)# interface vlan 99
B1-S2(config-if)# ip address
B1-S2(config-if)# exit
B1-S2(config)# ip default-gateway
B1-S2(config)# interface range f0/1 - 4
B1-S2(config-if-range)# switchport mode trunk
B1-S2(config-if-range)# switchport trunk native vlan 99
B1-S2(config-if-range)# exit
B1-S2(config)# interface f0/6
B1-S2(config-if)# switchport mode access
B1-S2(config-if)# switchport access vlan 10
B1-S2(config-if)# interface f0/11
B1-S2(config-if)# switchport mode access
B1-S2(config-if)# switchport access vlan 20
B1-S2(config-if)# interface f0/16
B1-S2(config-if)# switchport mode access
B1-S2(config-if)# switchport access vlan 30
B1-S2(config-if)# exit
B1-S2(config)# interface range f0/5, f0/7-10, f0/12-15, f0/17-24, g0/1-2
B1-S2(config-if-range)# switchport access vlan 999
B1-S2(config-if-range)# shutdown

Port Security

•  Use the following policy to establish port security on the B1-S2 access ports:

°  Allow two MAC addresses to be learned on the port.

°  Configure the learned MAC addresses to be added to the configuration.

°  Set the port to send a message if there is a security violation. Traffic is still allowed from the first two MAC addresses learned.

B1-S2(config)# interface range f0/6, f0/11, f0/16
B1-S2(config-if-range)# switchport port-security
B1-S2(config-if-range)# switchport port-security maximum 2
B1-S2(config-if-range)# switchport port-security mac-address sticky
B1-S2(config-if-range)# switchport port-security violation restrict


•  Configure HQ to use SSH for remote access.

°  Set the modulus to 2048. The domain name is CCNASkills.com.

°  The username is admin and the password is adminonly.

°  Only SSH should be allowed on VTY lines.

°  Modify the SSH defaults: version 2; 60-second timeout; two retries.

HQ(config)# ip domain-name CCNASkills.com
HQ(config)# crypto key generate rsa

HQ(config)# username admin password adminonly
HQ(config)# line vty 0 4
HQ(config-line)# transport input ssh
HQ(config-line)# login local
HQ(config-line)# exit
HQ(config)# ip ssh version 2
HQ(config)# ip ssh time-out 60
HQ(config)# ip ssh authentication-retries 2


•  On B1, configure a DHCP pool for the Sales VLAN 20 using the following requirements:

°  Exclude the first 10 IP addresses in the range.

°  The case-sensitive pool name is VLAN20.

°  Include the DNS server attached to the HQ LAN as part of the DHCP configuration.

•  Configure the Sales PC to use DHCP.

B1(config)# ip dhcp excluded-address
B1(config)# ip dhcp pool VLAN20
B1(dhcp-config)# network
B1(dhcp-config)# default-router
B1(dhcp-config)# dns-server

Click Sales PC > Desktop > IP Configuration
Change to DHCP and verify PC gets addressing information

Access List Policy

•  Because HQ is connected to the Internet, configure and apply a named ACL called HQINBOUND in the following order:

°  Allow inbound BGP updates (TCP port 179) for any source to any destination.

°  Allow inbound HTTP requests from any source to the HQ-DataCenter network.

°  Allow only established TCP sessions from the Internet.

°  Allow only inbound ping replies from the Internet.

°  Explicitly block all other inbound access from the Internet.

HQ(config)# ip access-list extended HQINBOUND
HQ(config-ext-nacl)# permit tcp any any eq 179
HQ(config-ext-nacl)# permit tcp any eq www
HQ(config-ext-nacl)# permit tcp any any established
HQ(config-ext-nacl)# permit icmp any any echo-reply
HQ(config-ext-nacl)# deny ip any any
HQ(config-ext-nacl)# exit
HQ(config)# interface s0/1/0
HQ(config-if)# ip access-group HQINBOUND in


•  Verify full connectivity from each PC to WWW.pka and www.cisco.pka.

•  The Outside Host should be able to access the webpage at WWW.pka.

•  All the test in Scenario 0 should be successful.

Related Articles

Leave a Reply

1 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
1 Comment authors
Ramona Recent comment authors
newest oldest


I really need this CCNA SIC, and it says that the package is not available, when I am trying to download it, can you please help me?

Thank you!

Send this to a friend