Connecting Networks v6.0 – CN Practice Skills Assessment – PT

CCNA Routing and Switching
Connecting Networks

Skill-Based Assessment – Packet Tracer


A few things to keep in mind while completing this activity:

  1.  Do not use the browser Back button or close or reload any Exam windows during the exam.
  2.  Do not close Packet Tracer when you are done. It will close automatically.
  3.  Click the Submit Assessment button to submit your work.
Objectives

In this Packet Tracer Skills Based Assessment, you will do as follows:

  • Configure PPP encapsulation and CHAP authentication for serial links.
  • Configure a GRE tunnel.
  • Configure OSPF.
  • Configure BGP.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

For the sake of time, many repetitive, but important, configuration tasks have been omitted from this assessment. Many of these tasks, especially those related to security, are essential elements of a network configuration. The intent of this activity is not to diminish the importance of full device configurations.

The IP addresses for all the devices have been configured and some of the routing configurations are already completed in this activity.

You are required to configure the devices as follows:

Branch:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard IPv4 ACL.

Customer:

  • Configure standard IPv4 ACLs.

HQ:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

Note: All the routers in AS 65001 are locked and no configurations are performed by the students. Furthermore, all the switches are pre-configured.

Addressing Table


Instructions
Step 1: Configure PPP encapsulation and authentication.

a.  Configure PPP encapsulation for the link between HQ and ISP1 and the link between Branch and ISP1.

b.  Configure CHAP authentication between the links.

c.  Configure the correct username and the password cisco123 for CHAP authentication on both HQ and Branch.

Step 2: Configure a GRE tunnel with routing.

a.  Configure a GRE tunnel between HQ and Branch.

b.  Configure OSPF 1 to route the traffic between the LANs of HQ and Branch through the GRE tunnel. Summarize the networks attached to Branch.

Step 3: Configure BGP.

Configure BGP between ISP1 in Internet cluster and 209.165.202.128/27 network on HQ.

a.  Use AS number 65020 for HQ.

b.  Configure ISP1 as the BGP neighbor.

c.  Only advertise the 209.165.202.128 / 27 network into BGP.

Step 4: Configure ACLs for NAT.

a.  Configure a standard access list numbered 1 on Branch to allow NAT for hosts in network 192.168.0.0 /23.

b.  Configure a standard access list numbered 1 on HQ to allow NAT for hosts in network 192.168.2.0 /24.

c.  Configure a standard access list numbered 1 on Customer to allow NAT for hosts in network 192.168.3.0 /24.

Step 5: Configure a standard ACL to restrict remote access to the Customer router.

A standard ACL named VTY_ADMIN is configured to limit access via VTY to the Customer router. This ACL will only allow hosts from the LAN attached to the G0/1 interface and the hosts from the LANs on Branch router to access the Customer router. All the other connections to VTY should fail.

a.  Configure one ACL named VTY_ADMIN with three ACEs in the following order:

1)     Allow any hosts from the LAN attached to the G0/1 interface of Customer router to access the router.

2)     Allow the hosts from the LANs in the Branch network to Customer router remotely.

3)     All other remote connections are denied.

b.  Apply the ACL to the appropriate interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 6: Configure an extended ACL to restrict access to the HQ LAN.

a.  Configure an extended ACL named HTTP_ACCESS that allows Branch LANs, Customer LANs and the LAN inside HQ to access HQ-Server via the web browser.

Configure this ACL with the following 5 ACEs in the following order:

1)     Allow the hosts from the Branch network to access the HQ-Server.

2)     Allow the hosts from the Customer LANs to access the HQ-Server.

3)     Allow the internal network 192.168.2.0 /24 to access the HQ-Server.

4)     Allow ICMP replies to HQ-Server from any networks.

5)     Explicitly deny all other traffic from accessing the HQ-Server.

b.  Apply the ACL to the HQ G0/1 interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 7: Configure an IPv6 access list to restrict access to the HQ LAN.

a.  Configure an IPv6 access list named HTTP6_ACCESS that allows Branch LANs, Customer LANs and the LAN inside HQ to access HQ-Server via the web browser.

b.  Configure this ACL with the following 6 ACEs in the following order:

1)     Allow the hosts from the Branch (2001:DB8:ACAD::/64) to access the HQ-Server.

2)     Allow the hosts from the Branch (2001:DB8:ACAD:1::/64) to access the HQ-Server.

3)     Allow the hosts from the Customer LANs to access the HQ-Server.

4)     Allow the internal network 2001:DB8:ACAD:2::/64 to access the HQ-Server.

5)     Allow ICMP from HQ-Server to the other networks.

6)     Explicitly deny all other traffic from accessing the HQ-Server.

c.  Apply the ACL to the HQ G0/1 interface.


A few things to keep in mind while completing this activity:

  1. Do not use the browser Back button or close or reload any Exam windows during the exam.
  2. Do not close Packet Tracer when you are done. It will close automatically.
  3. Click the Submit Assessment button to submit your work.
Objectives

In this Packet Tracer Skills Based Assessment, you will do as follows:

  • Configure PPP encapsulation and CHAP authentication for serial links.
  • Configure a GRE tunnel.
  • Configure OSPF.
  • Configure BGP.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

For the sake of time, many repetitive, but important, configuration tasks have been omitted from this assessment. Many of these tasks, especially those related to security, are essential elements of a network configuration. The intent of this activity is not to diminish the importance of full device configurations.

The IP addresses for all the devices have been configured and some of the routing configurations are already completed in this activity.

You are required to configure the devices as follows:

Remote:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard IPv4 ACL.

Other:

  • Configure standard IPv4 ACLs.

Main:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

Note: All the routers in AS 65001 are locked and no configurations are performed by the students. Furthermore, all the switches are pre-configured.

Addressing Table


Instructions
Step 1: Configure PPP encapsulation and authentication.

a.  Configure PPP encapsulation for the link between Main and ISP1 and the link between Remote and ISP1.

b.  Configure CHAP authentication between the links.

c.  Configure the correct username and the password 321cisco for CHAP authentication on both Main and Remote.

Step 2: Configure a GRE tunnel with routing.

a.  Configure a GRE tunnel between Main and Remote.

b.  Configure OSPF 1 to route the traffic between the LANs of Main and Remote through the GRE tunnel. Summarize the networks attached to Remote.

Step 3: Configure BGP.

Configure BGP between ISP1 in Internet cluster and 209.165.202.128/27 network on Main.

a.  Use AS number 65020 for Main.

b.  Configure ISP1 as the BGP neighbor.

c.  Only advertise the 209.165.202.128 / 27 network into BGP.

Step 4: Configure ACLs for NAT.

a.  Configure a standard access list numbered 1 on Remote to allow NAT for hosts in network 192.168.0.0 /23.

b.  Configure a standard access list numbered 1 on Main to allow NAT for hosts in network 192.168.2.0 /24.

c.  Configure a standard access list numbered 1 on Other to allow NAT for hosts in network 192.168.3.0 /24.

Step 5: Configure a standard ACL to restrict remote access to the Other router.

A standard ACL named VTY_ADMIN is configured to limit access via VTY to the Other router. This ACL will only allow hosts from the LAN attached to the G0/1 interface and the hosts from the LANs on Remote router to access the Other router. All the other connections to VTY should fail.

a.  Configure one ACL named VTY_ADMIN with three ACEs in the following order:

1)     Allow any hosts from the LAN attached to the G0/1 interface of Other router to access the router.

2)     Allow the hosts from the LANs in the Remote network to Other router remotely.

3)     All other remote connections are denied.

b.  Apply the ACL to the appropriate interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 6: Configure an extended ACL to restrict access to the Main LAN.

a.  Configure an extended ACL named HTTP_ACCESS that allows Remote LANs, Other LANs and the LAN inside Main to access Main-Server via the web browser.

Configure this ACL with the following 5 ACEs in the following order:

1)     Allow the hosts from the Remote network to access the Main-Server.

2)     Allow the hosts from the Other LANs to access the Main-Server.

3)     Allow the internal network 192.168.2.0 /24 to access the Main-Server.

4)     Allow ICMP replies to Main-Server from any networks.

5)     Explicitly deny all other traffic from accessing the Main-Server.

b.  Apply the ACL to the Main G0/1 interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 7: Configure an IPv6 access list to restrict access to the Main LAN.

a.  Configure an IPv6 access list named HTTP6_ACCESS that allows Remote LANs, Other LANs and the LAN inside Main to access Main-Server via the web browser.

b.  Configure this ACL with the following 6 ACEs in the following order:

1)     Allow the hosts from the Remote (2001:DB8:ACAD::/64) to access the Main-Server.

2)     Allow the hosts from the Remote (2001:DB8:ACAD:1::/64) to access the Main-Server.

3)     Allow the hosts from the Other LANs to access the Main-Server.

4)     Allow the internal network 2001:DB8:ACAD:2::/64 to access the Main-Server.

5)     Allow ICMP from Main-Server to the other networks.

6)     Explicitly deny all other traffic from accessing the Main-Server.

c.  Apply the ACL to the Main G0/1 interface.


A few things to keep in mind while completing this activity:

  1. Do not use the browser Back button or close or reload any Exam windows during the exam.
  2. Do not close Packet Tracer when you are done. It will close automatically.
  3. Click the Submit Assessment button to submit your work.
Objectives

In this Packet Tracer Skills Based Assessment, you will do as follows:

  • Configure PPP encapsulation and CHAP authentication for serial links.
  • Configure a GRE tunnel.
  • Configure OSPF.
  • Configure BGP.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

For the sake of time, many repetitive, but important, configuration tasks have been omitted from this assessment. Many of these tasks, especially those related to security, are essential elements of a network configuration. The intent of this activity is not to diminish the importance of full device configurations.

The IP addresses for all the devices have been configured and some of the routing configurations are already completed in this activity.

You are required to configure the devices as follows:

Branch1:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard IPv4 ACL.

Branch2:

  • Configure standard IPv4 ACLs.

Corp:

  • Configure PPP and CHAP authentication on the appropriate interface.
  • Configure GRE tunnel.
  • Configure OSPF.
  • Configure standard and extended IPv4 ACLs.
  • Configure IPv6 ACLs.

Note: All the routers in AS 65001 are locked and no configurations are performed by the students. Furthermore, all the switches are pre-configured.

Addressing Table


Instructions
Step 1: Configure PPP encapsulation and authentication.

a.  Configure PPP encapsulation for the link between Corp and ISP1 and the link between Branch1 and ISP1.

b.  Configure CHAP authentication between the links.

c.  Configure the correct username and the password Cisco for CHAP authentication on both Corp and Branch1.

Step 2: Configure a GRE tunnel with routing.

a.  Configure a GRE tunnel between Corp and Branch1.

b.  Configure OSPF 1 to route the traffic between the LANs of Corp and Branch1 through the GRE tunnel. Summarize the networks attached to Branch1.

Step 3: Configure BGP.

Configure BGP between ISP1 in Internet cluster and 209.165.202.128/27 network on Corp.

a.  Use AS number 65020 for Corp.

b.  Configure ISP1 as the BGP neighbor.

c.  Only advertise the 209.165.202.128 / 27 network into BGP.

Step 4: Configure ACLs for NAT.

a.  Configure a standard access list numbered 1 on Branch1 to allow NAT for hosts in network 192.168.0.0 /23.

b.  Configure a standard access list numbered 1 on Corp to allow NAT for hosts in network 192.168.2.0 /24.

c.  Configure a standard access list numbered 1 on Branch2 to allow NAT for hosts in network 192.168.3.0 /24.

Step 5: Configure a standard ACL to restrict remote access to the Branch2 router.

A standard ACL named VTY_ADMIN is configured to limit access via VTY to the Branch2 router. This ACL will only allow hosts from the LAN attached to the G0/1 interface and the hosts from the LANs on Branch1 router to access the Branch2 router. All the other connections to VTY should fail.

a.  Configure one ACL named VTY_ADMIN with three ACEs in the following order:

1)     Allow any hosts from the LAN attached to the G0/1 interface of Branch2 router to access the router.

2)     Allow the hosts from the LANs in the Branch1 network to Branch2 router remotely.

3)     All other remote connections are denied.

b.  Apply the ACL to the appropriate interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 6: Configure an extended ACL to restrict access to the Corp LAN.

a.  Configure an extended ACL named HTTP_ACCESS that allows Branch1 LANs, Branch2 LANs and the LAN inside Corp to access Corp-Server via the web browser.

Configure this ACL with the following 5 ACEs in the following order:

1)     Allow the hosts from the Branch1 network to access the Corp-Server.

2)     Allow the hosts from the Branch2 LANs to access the Corp-Server.

3)     Allow the internal network 192.168.2.0 /24 to access the Corp-Server.

4)     Allow ICMP replies to Corp-Server from any networks.

5)     Explicitly deny all other traffic from accessing the Corp-Server.

b.  Apply the ACL to the Corp G0/1 interface.

Note: Use the public IPv4 addresses in the ACLs when the private IPv4 addresses have been mapped to public IPv4 addresses.

Step 7: Configure an IPv6 access list to restrict access to the Corp LAN.

a.  Configure an IPv6 access list named HTTP6_ACCESS that allows Branch1 LANs, Branch2 LANs and the LAN inside Corp to access Corp-Server via the web browser.

b.  Configure this ACL with the following 6 ACEs in the following order:

1)     Allow the hosts from the Branch1 (2001:DB8:ACAD::/64) to access the Corp-Server.

2)     Allow the hosts from the Branch1 (2001:DB8:ACAD:1::/64) to access the Corp-Server.

3)     Allow the hosts from the Branch2 LANs to access the Corp-Server.

4)     Allow the internal network 2001:DB8:ACAD:2::/64 to access the Corp-Server.

5)     Allow ICMP from Corp-Server to the other networks.

6)     Explicitly deny all other traffic from accessing the Corp-Server.

c.  Apply the ACL to the Corp G0/1 interface.

Answers – Instructions

On Router 1: HQ – Main – Corp (Note: Username & Password for CHAP authentication)

en
conf ter
! Use the password given in your version of the assessment: cisco123, 321cisco or Cisco
username ISP1 password cisco123
int s0/0/0
encapsulation ppp
ppp authentication chap
exit

interface tunnel 0
ip address 172.16.1.1 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.225
tunnel mode gre ip
exit

router ospf 1
network 192.168.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit

router bgp 65020
network 209.165.202.128 mask 255.255.255.224
neighbor 209.165.200.230 remote-as 65001
exit

access-list 1 permit 192.168.2.0 0.0.0.255

ip access-list extended HTTP_ACCESS
permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any any

int g0/1
ip access-group HTTP_ACCESS out
exit

ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:1::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 host 2001:DB8:ACAD:B::158
permit icmp any host 2001:DB8:ACAD:B::158 echo-reply
deny ipv6 any host 2001:DB8:ACAD:B::158

interface g0/1
ipv6 traffic-filter HTTP6_ACCESS out
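
Added example (not part of the original answer key): a small Python evaluator that applies the HTTP_ACCESS ACEs above in first-match order to constructed packets, so the effect of each ACE can be checked before the list is applied to G0/1. HTTP_ACCESS_TIGHT, the sample packets and all function names are assumptions made for this illustration; the tighter third ACE is a least-privilege variant, not the graded answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACEs copied from the Router 1 answer above.
HTTP_ACCESS = """
permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any any
"""

# Hypothetical tighter ACE 3 (assumption, not the graded answer): web traffic only.
HTTP_ACCESS_TIGHT = HTTP_ACCESS.replace(
    "permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158",
    "permit tcp 192.168.2.0 0.0.0.255 host 209.165.202.158 eq 80",
)

SERVER = "209.165.202.158"


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo" or "echo-reply"


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(word), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse the subset of extended-ACE syntax used on this page."""
    tokens = line.split()
    ace = {"text": line, "action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _take_addr(tokens)
    ace["dst"] = _take_addr(tokens)
    ace["dport"] = ace["icmp_type"] = None
    if tokens[:1] == ["eq"]:
        ace["dport"] = 80 if tokens[1] == "www" else int(tokens[1])
    elif tokens:
        ace["icmp_type"] = tokens[0]
    return ace


def _addr_matches(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF    # wildcard 1-bits mean "don't care"
    return (_ip(ip) & care) == (base & care)


def evaluate(acl_text, pkt):
    """Return (action, ACE text) for the first ACE that matches pkt."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(pkt.src, ace["src"])
                and _addr_matches(pkt.dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
            continue
        return ace["action"], ace["text"]
    return "deny", "(implicit deny)"


# Constructed test packets; 198.51.100.7 is a documentation address.
SAMPLES = {
    "branch web": Packet("tcp", "209.165.200.225", SERVER, dport=80),
    "branch ssh": Packet("tcp", "209.165.200.225", SERVER, dport=22),
    "lan web": Packet("tcp", "192.168.2.10", SERVER, dport=80),
    "lan ssh": Packet("tcp", "192.168.2.10", SERVER, dport=22),
    "outside echo-reply": Packet("icmp", "198.51.100.7", SERVER, icmp_type="echo-reply"),
    "outside echo": Packet("icmp", "198.51.100.7", SERVER, icmp_type="echo"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        key = evaluate(HTTP_ACCESS, pkt)[0]
        tight = evaluate(HTTP_ACCESS_TIGHT, pkt)[0]
        print(f"{name:20} answer-key={key:6} tight={tight}")
```

The "lan ssh" row is the one to look at: the `permit ip` ACE in the answer key lets LAN hosts reach every port on the server, while the tighter variant limits them to TCP 80.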

On Router 2: Branch – Remote – Branch1 (Note: Username & Password for CHAP authentication)

en
conf ter
! Use the password given in your version of the assessment: cisco123, 321cisco or Cisco
username ISP1 password cisco123
int s0/0/0
encapsulation ppp
ppp authentication chap
exit

interface tunnel 0
ip address 172.16.1.2 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.229
tunnel mode gre ip
exit

router ospf 1
network 172.16.1.0 0.0.0.3 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
exit

access-list 1 permit 192.168.0.0 0.0.1.255

On Router 3: Customer – Other – Branch2

en
conf t
access-list 1 permit 192.168.3.0 0.0.0.255

ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit host 209.165.200.225
deny any

line vty 0 4
access-class VTY_ADMIN in

33 Comments
Amy Stewert
10 months ago

100% with the script below:

@@@@@@@@@@@@@@@@@ On Router 1: HQ – Main – Corp

En
Config t
Int s0/0/0
Encapsulation ppp
Ppp authentication chap
Exit
Username ISP1 password cisco123
Int Tunnel 0
Tunnel mode gre ip
Tunnel source s0/0/0
Tunnel destination 209.165.200.225
Ip address 172.16.1.1 255.255.255.252
exit
router ospf 1
network 192.168.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit
router bgp 65020
neighbor 209.165.200.230 remote-as 65001
network 209.165.202.128 mask 255.255.255.224
exit
access-list 1 permit 192.168.2.0 0.0.0.255
exit
exit

en
config t
ip access-list extended HTTP_ACCESS
permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any any
exit
int g0/1
ip access-group HTTP_ACCESS out
exit
ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:1::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 host 2001:DB8:ACAD:B::158
permit icmp any host 2001:DB8:ACAD:B::158 echo-reply
int g0/1
ipv6 traffic-filter HTTP6_ACCESS out
exit

@@@@@@@@@@@@@@@@@ On Router 2: Branch – Remote – Branch1

En
Config t
Int s0/0/0
Encapsulation ppp
Ppp authentication chap
Exit
username ISP1 password cisco123
int Tunnel 0
tunnel mode gre ip
tunnel source s0/0/0
tunnel destination 209.165.200.229
ip address 172.16.1.2 255.255.255.252
exit
router ospf 1
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit
exit

en
config t
access-list 1 permit 192.168.0.0 0.0.1.255

@@@@@@@@@@@@@@@@@ On Router 3: Customer – Other – Branch2

en
conf t
access-list 1 permit 192.168.3.0 0.0.0.255

ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit host 209.165.200.225
deny any
exit

line vty 0 4
access-class VTY_ADMIN in
exit
ip access-list extended HTTP_ACCESS

Nabila
1 year ago

Hi, I wanted to download pka file for CCNA 4. Please anyone help me.

Brice
1 year ago

Hi, I want to download the Packet Tracer file to this lab?

Jens
1 year ago

Hi, is this the final exam for CCNA 4?

miha
2 years ago

Hi, is this the final exam for CCNA 4? I am asking because scan ospf and scan eigrp are included in CCNA 3, same with rse 3, are part of CCNA 3, Scaling Networks; for this reason I don’t understand why they are in this CCNA 4. I would appreciate it if someone could answer. Thanks

Mariusz Sawicki
2 years ago

interface tunnel 0
tunnel source s0/0/1 (wrong)
tunnel source s0/0/0 (correct)

Andrew
2 years ago

I got an 88 on type 2 of the test. There was a problem with R1 GRE Tunnel Settings -Network:[[R1Name]]:Ports:Tunnel0:Source. There was also a problem with R1 ACL HTTP6_ACCESS – Network:[[R1Name]]:ACLV6:HTTP6_ACCESS.
Any help for the correct configurations of this would be appreciated.

Clive
2 years ago

Can I please get a link to the PKA file that shows the progress?

Dass
2 years ago

Thanks my friend, I will do this in a few days. Can you tell me if this is fixed and working to obtain 100? I ask because I see a lot of replies with other changes on it. Keep going, your web helps me a lot.

spengergasse mit zukunft
2 years ago

Well, I got just above 70%.

CPY
2 years ago

At step 7 you forgot “deny any any” which is actually the 6th ACE. 6 ACEs are required in step 7.
And the correct HQ configuration is “tunnel source s0/0/1”, not s0/0/0.

dawud
2 years ago

I'm confused about the whole process. Can anyone kindly brief me on it?

Kyle Austria
2 years ago

Hi! Are the configuration instructions updated? Because it is stated in the instructions for the VTY_ADMIN ACL that we need to allow any hosts on the Customer LAN, but the configuration used is:
ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit host 209.165.200.225
deny any

And I think it should be like this:
ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit 209.165.200.224 0.0.0.3
deny any

Please correct me if I’m wrong. Thanks a lot!

ccna-student
2 years ago

ip access-list extended HTTP_ACCESS
permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
permit tcp host 209.165.200.238 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any host 209.165.202.158

int g0/1
ip access-group HTTP_ACCESS out
exit

ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:1::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 host 2001:DB8:ACAD:B::158
permit icmp any host 2001:DB8:ACAD:B::158 echo-reply
deny ipv6 any host 2001:DB8:ACAD:B::158

inter g0/1
ipv6 traffic-filter HTTP6_ACCESS out

Just got 100%

P.S. Why deny ip any any? It says to a specific server (host) 2001:DB8:ACAD:B::158

People, read the tasks on each step more carefully – the same applies for the IPv4 extended list

ccna-student
2 years ago

https://drive.google.com/file/d/1h-8Uk0iAb1OjjtNw2tkJe9zYTfewClu7/view

The pkt file for practice by Christian Augusto Romero Goyzueta who also has a video for this lab on youtube.

https://www.youtube.com/watch?v=G7hpISV-f8g

Hope this will help.

Edward
2 years ago

I just finished the exam last January 10, 2019, I got 100% from the configurations stated above, hope this info helps.

BambleBee
2 years ago

Why do I always get 85% if I have written the same commands 2 times? Could something be wrong with version 7.1.1 of Packet Tracer?

cris
2 years ago

How can I download the lab?

Rasad
3 years ago

I got a 95% score.
Just add: tunnel mode gre ip

Student0684
3 years ago

Where do I download the packet tracer for this one?

Rami
3 years ago

In the HQ – Main – Corp router, when configuring the tunnels, the tunnel source should be s0/0/1 instead of s0/0/0.

Kevin Norholt
3 years ago

In my opinion, the HTTP_ACCESS access list is wrong. The question states Allow the internal network 192.168.2.0 /24 to access the HQ-Server via the web browser. However, the ACL states permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158, meaning that all IP is permitted (not just port 80). I think the proper ACL should be permit ip host 209.165.200.238 host 209.165.202.158 eq 80. Any comments?

whaleh8er
3 years ago

I just scored 100% here is the config file from each router:

HQ-Main-Corp

en
conf t

username ISP1 password cisco123
int s0/0/0
encapsulation ppp
ppp authentication chap
exit

interface tunnel 0
ip address 172.16.1.1 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.225
exit

router ospf 1
network 192.168.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit

router bgp 65020
network 209.165.202.128 mask 255.255.255.224
neighbor 209.165.200.230 remote-as 65001
exit

Access-list 1 permit 192.168.2.0 0.0.0.255

ip access-list extended HTTP_ACCESS
permit tcp host 209.165.200.225 host 209.165.202.158 eq www
permit tcp host 209.165.200.238 host 209.165.202.158 eq www
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any any
exit
int g0/1
ip access HTTP_ACCESS out
exit

ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:1::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ip 2001:DB8:ACAD:2::/64 host 2001:DB8:ACAD:B::158
permit icmp any host 2001:DB8:ACAD:B::158 echo-reply
exit
int g0/1
ipv6 traffic-filter HTTP6_ACCESS out
exit

Branch-Remote-Branch1

en
conf t
username ISP1 password cisco123
int s0/0/0
encapsulation ppp
ppp authentication chap
exit

interface tunnel 0
ip address 172.16.1.2 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.229
exit

router ospf 1
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit

Access-list 1 permit 192.168.0.0 0.0.1.255

Customer – Other – Branch2

en
conf t
Access-list 1 permit 192.168.3.0 0.0.0.255

ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit host 209.165.200.225
deny any
Line vty 0 4
Access-class VTY_ADMIN in

richard
3 years ago

I got a 97% on this, but the only problem I have is the VTY_ADMIN

whaleh8er
3 years ago

The OSPF advertised networks for the Branch – Remote – Branch1 router need to be:

router ospf 1
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0

Please change the line that reads:
network 192.168.0.0 0.0.1.255 area 0 = scores as wrong

whaleh8er
3 years ago

Newest language for steps 6 and 7:

Step 6: Configure an extended ACL to restrict access to the Corp LAN.

Configure an extended ACL named HTTP_ACCESS that allows Branch1 LANs, Branch2 LANs and the LAN inside Corp to access Corp-Server via the web browser. You must use the host and any keywords where appropriate.

a. Configure this ACL with the following 5 ACEs in the following order:

1) Use the NAT-translated public address to allow the hosts from the Branch1 LANs to access the NAT-translated public address of Corp-Server via a web browser.

2) Use the NAT-translated public address to allow the hosts from the Branch2 LAN to access the NAT-translated public address of Corp-Server via a web browser.

3) Allow the Corp internal network 192.168.2.0 /24 to access the Corp-Server.

4) Allow ICMP echo replies to Corp-Server from any network.

5) Explicitly deny all other traffic from accessing Corp-Server.

b. Apply the ACL to the Corp G0/1 interface.

Note: Use the NAT-translated public IPv4 address in the ACL.

Step 7: Configure an IPv6 access list to restrict access to the Corp LAN.

Configure an IPv6 access list named HTTP6_ACCESS that allows the Branch1 LANs, Branch2 LANs and the LAN inside Corp to access Corp-Server via the web browser. You must use the host and any keywords where appropriate. Be sure that the name for the list matches the requirement exactly.

a. Configure this ACL with the following 5 ACEs in the following order:

1) Allow the hosts from the Branch1 LAN 1 to access the Corp-Server.

2) Allow the hosts from the Branch1 LAN 2 to access the Corp-Server.

3) Allow the hosts from the Branch2 LAN to access the Corp-Server.

4) Allow the Corp internal network 2001:DB8:ACAD:2::/64 to access Corp-Server.

5) Allow ICMP echo reply to Corp-Server from other networks.

b. Apply the ACL to the Corp G0/1 interface.

X
3 years ago

ip access-list extended HTTP_ACCESS
permit tcp host 209.165.200.225 host 209.165.202.158 eq www
permit tcp host 209.165.200.238 host 209.165.202.158 eq www
permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158
permit icmp any host 209.165.202.158 echo-reply
deny ip any any

Kevin Norholt
3 years ago

Does anyone have the packet tracer file of this lab please?

Kevin Morcine
3 years ago

By any chance, does anyone know from where I can download the packet tracer file for this test please?

DCLERK
3 years ago

Hi – for my exam
For Branch – Remote – Branch1:
1) Adding the Tunnel Mode at the end of Tunnel configuration…
tunnel mode gre ip
was not necessary.

2) Change the wildcard mask of 192.168.0.0 from 0.0.1.255 to 0.0.0.255, and add the network of 192.168.1.0 to the OSPF.
Instead of network 192.168.0.0 0.0.1.255 area 0
put
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
MUST be done for the scores on OSPF on Branch router

3) Even though these 3 ACL name commands appear correct…
ip access-list standard VTY_ADMIN
ip access-list extended HTTP_ACCESS
ipv6 access-list HTTP6_ACCESS
I got all 3 wrong and each was worth 3 points.

4) I disagree with these 5 ACEs…
ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/63 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 any
permit icmp any any echo-reply
deny ipv6 any any
since deny ipv6 any any is implicit statement.

I did
ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:1::/64 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 any
permit icmp any any echo-reply
and got the scores….just like 2) above they prefer you do not summarize networks.

5) I found in Corp-Server the DNS for ip and ipv4 changed….same happened for me.

6) For Customer / Other router IPv6 address for S0/0/0 interface was mistakenly
stated as 2001:DB8:ACAD:E::238/64 when it should have been 2001:DB8:ACAD:F::238/64
and was correctly configured.

nutmeg
3 years ago

Getting a max score of 24 on this. This is what the platform had to say:
You have correctly configured PPP encapsulation and CHAP authentication.
You did not correctly configure the GRE tunnel settings.
You did not correctly configure the OSPF routing in the GRE tunnel.
You did not correctly configure the BGP configurations.
You have correctly configured most of the VTY_ADMIN ACL configurations.
You did not correctly configure and apply the HTTP_ACCESS ACL configurations.
You did not correctly configure and apply the HTTP6_ACCESS ACL configurations.
You have correctly configured and applied some of the NAT ACL configurations.

No idea what’s going wrong. Smells like a bug, since one of the errors was this:
Network:[[R2Name]]:OSPF:1:Networks:192.168.0.0 0.0.0.255 0

Which I see clearly in the above code as being handled. It didn’t mind the IPs along these lines:
172.16.1.0 0.0.0.3 0

But the 192’s all gave errors.

Mahmoud Alsamawi
3 years ago

On Router: Customer – Other – Branch2 (Access-list)
change the network address from 209.165.200.225 0.0.0.3 to 209.165.200.224 0.0.0.3
***************************************************************************************
Access-list 1 permit 192.168.3.0 0.0.0.255
ip access-list standard VTY_ADMIN
permit 192.168.3.0 0.0.0.255
permit 209.165.200.224 0.0.0.3
deny any
Line vty 0 4
Access-class VTY_ADMIN in

C1sc05tud3nt
3 years ago

Some of the configurations are missing and wrong….
For HQ – Main – Corp: (Add the Tunnel Mode at the end of Tunnel configuration)
—————————————–
interface tunnel 0
ip address 172.16.1.1 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.225
tunnel mode gre ip
exit

For Branch – Remote – Branch1: (Add the Tunnel Mode at the end of Tunnel configuration, change the wildcard mask of 192.168.0.0 from 0.0.1.255 to 0.0.0.255, and Add the network of 192.168.1.0 to the OSPF)
—————————————–
interface tunnel 0
ip address 172.16.1.2 255.255.255.252
tunnel source s0/0/0
tunnel destination 209.165.200.229
tunnel mode gre ip
exit

router ospf 1
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
exit

azadirachta
3 years ago

Dear brother, please kindly reply to me: where can I find the .pkt question for practice?

sama
3 years ago

please try this
****************************************
ip access-list extended HTTP_ACCESS
permit tcp 209.165.200.224 0.0.0.3 host 209.165.202.158 eq 80
permit tcp 209.165.200.236 0.0.0.3 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 any
permit icmp any any echo-reply
deny ip any any
************************************
ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/63 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 any
permit icmp any any echo-reply
deny ipv6 any any

Mahmoud Alsamawi
3 years ago

I think also
in the addressing table above, Router HQ interface number s0/0/1 is not correct.
I think the correct one is s0/0/0, as it’s in the configuration. Please be sure about it.
Thank you

Mahmoud Alsamawi
3 years ago

Hi friends
in your configuration IPv4 ACL the addressing networks are wrong and you did not use wildcard mask, so I think the correct answers are as follows
*******************************************************
ip access-list extended HTTP_ACCESS
permit tcp 209.165.200.224 0.0.0.3 host 209.165.202.158 eq 80
permit tcp 209.165.200.236 0.0.0.3 host 209.165.202.158 eq 80
permit ip 192.168.2.0 0.0.0.255 any
permit icmp any any echo-reply
deny ip any any

ipv6 access-list HTTP6_ACCESS
permit tcp 2001:DB8:ACAD::/63 host 2001:DB8:ACAD:B::158 eq 80
permit tcp 2001:DB8:ACAD:3::/64 host 2001:DB8:ACAD:B::158 eq 80
permit ipv6 2001:DB8:ACAD:2::/64 any
permit icmp any any echo-reply
deny ipv6 any any

João Pedrosa
3 years ago

For router ospf 1 on Branch – Remote – Branch1
instead of the line
network 192.168.0.0 0.0.1.255 area 0
Use this:
network 192.168.0.0 0.0.0.255 area 0

João Pedrosa
3 years ago

In the Addressing Table, the router HQ – Main – Corp has just one serial interface, s0/0/1.
In the configuration file you have s0/0/0 for this router instead of s0/0/1 as in the Addressing Table.

master of disaster
3 years ago

It is obsolete ‘coz it has been changed, but for educational purposes:
@ HTTP_ACCESS
permit icmp any host 209.165.202.158 echo
@HTTP6_ACCESS
permit icmp any host 2001: … :158 echo-request

ACLs being oriented outward, you need to allow echo-requests to pass, not echo-replies. Every echo-reply will pass unharmed by the ACL because the ACL acts in the opposite direction. Use contextual help “?” when you are not sure.

rahmat
3 years ago

I got 85%. Problem in OSPF and VTY_ADMIN ACL. Please help me.

Paolo
3 years ago

I found in Corp-Server the DNS for ip and ipv4 changed. I am not sure….just have a look

Pumpee
3 years ago

Still 94%?

momo
3 years ago

Can you please give us the option to unlock the topology?

Scott
4 years ago

I just did this on Netacad and got 90%. All ACL errors. I haven’t dug into them yet.

Javdangermouse
4 years ago

deny ipV6 any any??

Javdangermouse
4 years ago

allow the host from the Branch 2 lans to access the corp-server

IP V6 IS missing

MrBunnyHat
4 years ago

I just finished the exam; I got 94%
For VTY_ADMIN ACL
instead of the line
permit host 209.165.200.225
Use this:
permit 209.165.200.225 0.0.0.3
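
Added example (not part of any comment and not the assessment's own material): the comments from DCLERK, Mahmoud Alsamawi, João Pedrosa and MrBunnyHat swap summarized entries for per-network ones in the OSPF, VTY_ADMIN and HTTP6_ACCESS configurations. This Python check shows which of those forms match the same addresses; the function names are hypothetical and contiguous wildcard masks are assumed.

```python
import ipaddress

def wildcard_network(base, wildcard):
    """CIDR block matched by an IOS 'address wildcard' pair (contiguous wildcards only)."""
    dont_care = int(ipaddress.IPv4Address(wildcard))
    if dont_care & (dont_care + 1):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    # Bits set in the wildcard are ignored, so host bits in the address do not matter.
    network = int(ipaddress.IPv4Address(base)) & ~dont_care & 0xFFFFFFFF
    return ipaddress.IPv4Network((network, 32 - dont_care.bit_length()))

def same_coverage(left, right):
    """True when two lists of networks match exactly the same set of addresses."""
    return (list(ipaddress.collapse_addresses(left))
            == list(ipaddress.collapse_addresses(right)))

def compare_page_entries():
    """Compare the entry forms quoted in the comments (addresses taken from the page)."""
    w, v6 = wildcard_network, ipaddress.IPv6Network
    return {
        # OSPF on Branch: one summarized statement vs. two per-LAN statements
        "ospf_summary_equals_two_lans": same_coverage(
            [w("192.168.0.0", "0.0.1.255")],
            [w("192.168.0.0", "0.0.0.255"), w("192.168.1.0", "0.0.0.255")]),
        # The first LAN statement on its own leaves 192.168.1.0/24 out
        "ospf_single_lan_equals_summary": same_coverage(
            [w("192.168.0.0", "0.0.0.255")], [w("192.168.0.0", "0.0.1.255")]),
        # VTY_ADMIN: host bits under the wildcard are ignored
        "vty_225_equals_224": same_coverage(
            [w("209.165.200.225", "0.0.0.3")], [w("209.165.200.224", "0.0.0.3")]),
        # 'host 209.165.200.225' is a /32, narrower than the /30 entry
        "vty_host_equals_slash30": same_coverage(
            [w("209.165.200.225", "0.0.0.0")], [w("209.165.200.225", "0.0.0.3")]),
        # HTTP6_ACCESS: one /63 vs. the two /64 prefixes it contains
        "v6_63_equals_two_64s": same_coverage(
            [v6("2001:DB8:ACAD::/63")],
            [v6("2001:DB8:ACAD::/64"), v6("2001:DB8:ACAD:1::/64")]),
    }

if __name__ == "__main__":
    for name, result in compare_page_entries().items():
        print(f"{name}: {result}")
```

Where a comparison is True, the two forms match the same addresses, so choosing between them changes how the entry is written rather than what it matches.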

Keith
4 years ago

Where can I find the pkt file for this lab?