CCNA Routing and Switching:

Connecting Networks
Instructor Packet Tracer Manual

This document is exclusive property of Cisco Systems, Inc. Permission is granted
to print and copy this document for non-commercial distribution and exclusive
use by instructors in the CCNA Routing and Switching: Connecting Networks course
as part of an official Cisco Networking Academy Program.
Packet Tracer – Skills Integration Challenge - OSPF (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.
Note: This activity and the similar Packet Tracer - Skills Integration Challenge - EIGRP activity are meant as
resources for you to determine what skills you may not have yet mastered from the previous courses. Refer to
your notes and previous content if you need assistance. But it may be fun initially to see just how much you
retained.
Instructor Note: This activity is provided solely as a method for assessing student mastery from previous
courses. It can be used as a tool to advise the student on remediation strategies.

Topology

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

Addressing Table

| Device | Interface | IPv4 Address and Subnet Mask / IPv6 Address/Prefix | Default Gateway |
|---|---|---|---|
| R1 | G0/0 | 10.10.10.1 255.255.255.192 | N/A |
| | | 2001:DB8:A:10::1/64 | N/A |
| | S0/0/0 | 64.102.139.2 255.255.255.0 | N/A |
| | | 2001:DB8:A:64::2/64 | N/A |
| | S0/0/1 | 10.10.1.1 255.255.255.252 | N/A |
| | | 2001:DB8:B:1::1/64 | N/A |
| | S0/1/0 | 10.10.1.5 255.255.255.252 | N/A |
| | | 2001:DB8:B:2::1/64 | N/A |
| | Link-Local | FE80::1 | N/A |
| R2 | G0/0 | 10.10.2.1 255.255.255.0 | N/A |
| | | 2001:DB8:A:2::1/64 | N/A |
| | S0/0/0 | 10.10.1.9 255.255.255.252 | N/A |
| | | 2001:DB8:B:3::1/64 | N/A |
| | S0/0/1 | 10.10.1.2 255.255.255.252 | N/A |
| | | 2001:DB8:B:1::2/64 | N/A |
| | Link-Local | FE80::2 | N/A |
| R3 | G0/0 | 10.10.3.1 255.255.255.0 | N/A |
| | | 2001:DB8:A:3::1/64 | N/A |
| | S0/0/0 | 10.10.1.10 255.255.255.252 | N/A |
| | | 2001:DB8:B:3::2/64 | N/A |
| | S0/0/1 | 10.10.1.6 255.255.255.252 | N/A |
| | | 2001:DB8:B:2::2/64 | N/A |
| | Link-Local | FE80::3 | N/A |
| R4 | G0/0 | 10.10.4.1 255.255.255.0 | N/A |
| | | 2001:DB8:A:4::1/64 | N/A |
| | S0/0/1 | 64.103.17.2 255.255.255.252 | N/A |
| | | 2001:DB8:A:103::2/64 | N/A |
| | Link-Local | FE80::4 | N/A |
| Internet | NIC | 209.165.44.2 255.255.255.252 | 209.165.44.1 |
| | | 2001:DB8:A:209::2/64 | FE80::5 |
| Intranet | NIC | 10.10.10.10 255.255.255.192 | 10.10.10.1 |
| | | 2001:DB8:A:10::10/64 | FE80::1 |
| PC1 - PC6 | NIC | DHCP assigned | DHCP assigned |
| | | Auto Config | Auto Config |

Scenario
Your business has just expanded into a different town and needs to expand its presence across the Internet.
You are tasked with completing the upgrades to the enterprise network, which includes dual-stacked IPv4 and
IPv6, and a variety of addressing and routing technologies.

Requirements
Note: Although not required, adding additional labeling to the topology may help you as you proceed. All
names and passwords are case-sensitive.
Basic Device Configuration
• Configure the following on R1 and R4.
  - Set the device names to match the Addressing Table.
  - Set cisco as the encrypted privileged EXEC mode password.
  - Set a banner MOTD which includes the word warn.
  - Set the IPv4 and IPv6 addresses according to the Addressing Table.
  - Assign the link local address to each interface.
SSH
• Configure SSH on R4.
  - Set a domain name of R4.
  - Create a user of admin with an encrypted password of cisco.
  - Create a 2,048-bit RSA key.
  - Configure all vty lines to use SSH and a local login.
DHCPv4
• Configure R4 to act as a DHCP server for its LAN.
  - Create a DHCP pool using the name R4.
  - Assign the appropriate addressing information to the pool including the 209.165.44.2 as the DNS server.
  - Prevent the address used by the router from being distributed to end devices.
NAT
• Configure NAT/PAT on R4 so that all devices on the LAN use the IP address on the Serial 0/0/1 to access the Internet.
  - Use a single statement in access list 1 to define the addresses that will participate in NAT. Allow only the 10.10.4.0/24 address space.
  - Enable NAT/PAT using the access list.
  - Configure the appropriate interfaces as NAT inside or outside.
• Configure PAT on R1.
  - Use a single statement in access list 1 to define the addresses that will participate in NAT. Allow only the 10.10.0.0/16 address space.
  - Define a pool named R1 to use all four addresses in the 64.102.139.4/30 address space.
  - Assign access list 1 to the R1 pool.
  - Configure the appropriate interfaces as NAT inside or outside.
• Configure static NAT on R1 for remote access to Intranet.pka server.
  - Use a static NAT statement to redirect TCP port 80 traffic from 64.102.139.2 to 10.10.10.10.
  - Use a static NAT statement to redirect TCP port 443 traffic from 64.102.139.2 to 10.10.10.10.
Default Routing
• On R1, configure an IPv4 default route using the next-hop IP address 64.102.139.1.
• On R1, configure an IPv6 default route using the exit interface.
• On R4, configure an IPv4 and IPv6 default route using the exit interface.
OSPF Routing
• Configure OSPFv2 area 0 on R1.
  - Use process ID 1.
  - Advertise directly connected networks. Do not include the link to the Internet.
  - Prevent routing updates from being sent across the LAN interfaces.
  - Propagate the default route.
• Configure OSPFv3 area 0 on R1.
  - Use process ID 1.
  - Assign 1.1.1.1 as the router ID.
  - Prevent routing updates from being sent across the LAN interfaces.
  - Complete any required OSPFv3 or IPv6 routing configurations.
Instructor Note: The student is not told to configure ipv6 unicast-routing (needed on R1 and R4) nor to
configure the interfaces for OSPFv3 routing on R1. The student should know these configurations are
required before IPv6 and OSPFv3 routing will be fully operational. Also, Packet Tracer 6.0.1 does not grade
the OSPFv3 commands. Use verification commands and connectivity tests to check the student's work.
Verify Connectivity
• Configure PC5 and PC6 to use DHCP for IPv4 and Autoconfig for IPv6.
• Verify web access to Internet.pka and Intranet.pka from each of the six PCs. Be sure to test both IPv4 and IPv6. Pings are not forwarded from PC5 and PC6 to Intranet.pka.

Device Configs

Router R1
enable
configure terminal
hostname R1
enable secret cisco
ipv6 unicast-routing

interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.192
ip nat inside
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:A:10::1/64
ipv6 ospf 1 area 0
no shutdown
interface Serial0/0/0
ip address 64.102.139.2 255.255.255.0
ip nat outside
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:A:64::2/64
ipv6 ospf 1 area 0
no shutdown
interface Serial0/0/1
ip address 10.10.1.1 255.255.255.252
ip nat inside
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:B:1::1/64
ipv6 ospf 1 area 0
clock rate 4000000
no shutdown
interface Serial0/1/0
ip address 10.10.1.5 255.255.255.252
ip nat inside
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:B:2::1/64
ipv6 ospf 1 area 0
clock rate 4000000
no shutdown
router ospf 1
passive-interface GigabitEthernet0/0
network 10.10.10.0 0.0.0.63 area 0
network 10.10.1.0 0.0.0.3 area 0
network 10.10.1.4 0.0.0.3 area 0
default-information originate
ipv6 router ospf 1
router-id 1.1.1.1
ip nat pool R1 64.102.139.4 64.102.139.7 netmask 255.255.255.252
ip nat inside source list 1 pool R1 overload
ip nat inside source static tcp 10.10.10.10 80 64.102.139.2 80
ip nat inside source static tcp 10.10.10.10 443 64.102.139.2 443
ip route 0.0.0.0 0.0.0.0 64.102.139.1
ipv6 route ::/0 Serial0/0/0
access-list 1 permit 10.10.0.0 0.0.255.255
banner motd ^CWarning^C
end
copy running-config startup-config


Router R4
enable
configure terminal
hostname R4
enable secret cisco
ip dhcp excluded-address 10.10.4.1
ip dhcp pool R4
network 10.10.4.0 255.255.255.0
default-router 10.10.4.1
dns-server 209.165.44.2
ipv6 unicast-routing
username admin secret cisco
ip domain-name R4
interface GigabitEthernet0/0
ip address 10.10.4.1 255.255.255.0
ip nat inside
ipv6 address FE80::4 link-local
ipv6 address 2001:DB8:A:4::1/64
no shutdown
interface Serial0/0/1
ip address 64.103.17.2 255.255.255.252
ip nat outside
ipv6 address FE80::4 link-local
ipv6 address 2001:DB8:A:103::2/64
no shutdown
ip nat inside source list 1 interface Serial0/0/1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ipv6 route ::/0 Serial0/0/1
access-list 1 permit 10.10.4.0 0.0.0.255
banner motd ^CWarning^C
line vty 0 4
login local
transport input ssh
crypto key generate rsa
yes
2048

end
copy running-config startup-config
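
The SSH requirement above asks that all vty lines use SSH and a local login. The following is an added example, not part of the Cisco manual: a small Python audit that checks a saved running-config for that requirement and for the `secret` keyword. The sample config is constructed from the R4 commands on this page, and the extra `line vty 5 15` block is an assumption about a device that exposes more than five vty lines.

```python
import re

# Constructed sample in running-config layout (sub-commands indented by one space).
# Values mirror the R4 lab config; "line vty 5 15" is an assumed extra block.
SAMPLE_RUNNING_CONFIG = """\
hostname R4
enable secret cisco
username admin secret cisco
ip domain-name R4
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
"""


def parse_sections(text):
    """Group indented sub-commands under the preceding top-level command."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_remote_access(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_sections(text)
    top_level = [head for head, _ in sections]

    if not any(head.startswith("enable secret") for head in top_level):
        findings.append("no 'enable secret' configured")

    for head in top_level:
        # Only the simple 'username NAME password ...' form is recognised here.
        match = re.match(r"username (\S+) password\b", head)
        if match:
            findings.append(
                f"user {match.group(1)}: 'password' keyword used instead of 'secret'"
            )

    if not any(head.startswith("ip domain-name ") for head in top_level):
        findings.append("no 'ip domain-name' set (needed before generating the RSA key)")

    vty_blocks = [(head, subs) for head, subs in sections if head.startswith("line vty")]
    if not vty_blocks:
        findings.append("no vty lines found in the config")
    for head, subs in vty_blocks:
        transports = [s for s in subs if s.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{head}: inbound transport is not restricted to SSH")
        if "login local" not in subs:
            findings.append(f"{head}: does not use 'login local'")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show running-config` saved to a file; the checks only cover the items named in the SSH requirement of this activity.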

Packet Tracer – Skills Integration Challenge - EIGRP (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.
Note: This activity and the similar Packet Tracer - Skills Integration Challenge - OSPF activity are meant as
resources for you to determine what skills you may not have yet mastered from the previous courses. Refer to
your notes and previous content if you need assistance. But it may be fun initially to see just how much you
retained.
Instructor Note: This activity is provided solely as a method for assessing student mastery from previous
courses. It can be used as a tool to advise the student on remediation strategies.

Topology

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8

Addressing Table

| Device | Interface | IP Address / IPv6 Address/Prefix | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| Branch0 | S0/0/0 | 192.168.3.241 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.3.254 | 255.255.255.252 | N/A |
| Branch1 | G0/0 | DHCP Assigned | DHCP Assigned | N/A |
| | S0/0/0 | 192.168.3.245 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.3.253 | 255.255.255.252 | N/A |
| Branch2 | G0/0 | 192.168.2.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 192.168.3.246 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.3.249 | 255.255.255.252 | N/A |
| Branch3 | G0/0.10 | 192.168.1.1 | 255.255.255.128 | N/A |
| | G0/0.20 | 192.168.1.129 | 255.255.255.192 | N/A |
| | G0/0.30 | 192.168.1.193 | 255.255.255.224 | N/A |
| | G0/0.88 | 192.168.1.225 | 255.255.255.240 | N/A |
| | G0/0.99 | 192.168.1.241 | 255.255.255.252 | N/A |
| | G0/1 | 192.168.0.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 192.168.3.250 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.3.242 | 255.255.255.252 | N/A |
| Branch4 | S0/0/0 | 2001:DB8:4::4/64 | | N/A |
| | S0/0/1 | 2001:DB8:3::4/64 | | N/A |
| | S0/1/0 | 2001:DB8:5::4/64 | | N/A |
| | Router ID | 4.4.4.4 | | N/A |
| Branch5 | S0/0/0 | 2001:DB8:1::5/64 | | N/A |
| | S0/0/1 | 2001:DB8:3::5/64 | | N/A |
| | Link-local | FE80::5 | | N/A |
| | Router ID | 5.5.5.5 | | N/A |
| Branch6 | S0/0/0 | 2001:DB8:4::6/64 | | N/A |
| | S0/0/1 | 2001:DB8:2::6/64 | | N/A |
| | Link-local | FE80::6 | | N/A |
| | Router ID | 6.6.6.6 | | N/A |
| Branch7 | G0/0 | 2001:DB8:7:A::1/64 | | N/A |
| | G0/1 | 2001:DB8:7:B::1/64 | | N/A |
| | S0/0/0 | 2001:DB8:1::7/64 | | N/A |
| | S0/0/1 | 2001:DB8:2::7/64 | | N/A |
| | Link-Local | FE80::7 | | N/A |
| | Router ID | 7.7.7.7 | | N/A |
| ISP | G0/0 | 209.165.202.129 | 255.255.255.224 | N/A |
| S1 | VLAN 88 | 192.168.1.226 | 255.255.255.240 | 192.168.1.225 |
| S2 | VLAN 88 | 192.168.1.227 | 255.255.255.240 | 192.168.1.225 |
| S3 | VLAN 88 | 192.168.1.228 | 255.255.255.240 | 192.168.1.225 |
| Host-A | NIC | DHCP assigned | DHCP assigned | DHCP assigned |
| Host-B | NIC | 192.168.1.130 | 255.255.255.192 | 192.168.1.129 |
| Host-C | NIC | 192.168.1.194 | 255.255.255.224 | 192.168.1.193 |
| PC-A | NIC | 2001:DB8:7:A::A/64 | | FE80::7 |
| PC-B | NIC | 2001:DB8:7:B::B/64 | | FE80::7 |

VLAN and Port Assignments Table

| VLAN | Name | Interface |
|---|---|---|
| 10 | Students | F0/5-11 |
| 20 | Faculty/Staff | F0/12-17, G0/1-2 |
| 30 | Guest(Default) | F0/18-24 |
| 88 | Management | N/A |
| 99 | Native | F0/1-4 |

Scenario
You are a network technician new to a company that has lost its last technician in the middle of a system
upgrade. You are tasked with completing upgrades to the network infrastructure that has two locations. Half of
the enterprise network uses IPv4 addressing and the other half uses IPv6 addressing. The requirements also
include a variety of routing and switching technologies.

Requirements
You have console access to Branch3, Branch7, and S3. You can remotely access other devices with the
username admin and password adminpass. The password for accessing privileged EXEC mode is class.
IPv4 Addressing
• Finish designing the IPv4 addressing scheme. Subnets already assigned are using the 192.168.1.0/24 address space. Use the remaining space to meet the following criteria:
  - 120 hosts for the Student VLAN attached to the Branch3 G0/0.10 interface.
  - 60 hosts for the Faculty/Staff VLAN attached to the Branch3 G0/0.20 interface.
• Configure inter-VLAN routing and assign the first available address from each subnet to subinterfaces on the Branch3 router.
• Assign the second available address in the Faculty/Staff VLAN to Host-B.
IPv4 Routing
• Configure EIGRP for IPv4 on Branch3.
  - Enable EIGRP 22.
  - Advertise each of the directly connected networks and disable automatic summarization.
  - Prevent routing updates from being sent out the LAN interfaces.
  - Configure a summary route for the Branch3 LANs and advertise the route to Branch1 and Branch2.
• Configure a directly connected default route on Branch1 pointing to the ISP and propagate it within the EIGRP updates.
DHCP
• Configure Branch3 to act as a DHCP server for VLAN 10 on S3.
  - The case-sensitive pool name is Students.
  - The DNS server is 209.165.201.14.
  - Exclude the first 10 addresses from the pool.
• Configure Branch1 to receive an IPv4 address from the ISP.
IPv6 Routing
• Configure EIGRP for IPv6 on Branch7.
  - Enable IPv6 routing and EIGRP for IPv6 using ASN 222.
  - Assign router ID 7.7.7.7.
  - Advertise directly connected networks.
  - Configure IPv6 summary routes for the LANs and advertise them to directly connected routers.
• Configure a fully specified default route on Branch4 pointing to the ISP and propagate it within the EIGRP updates.
Basic Switch Security
• Configure S3 with the following security settings.
  - Banner MOTD that includes the word warning.
  - Console port login and password of cisco.
  - Encrypted enable password of class.
  - Encrypt plain text passwords.
  - Shut down all unused ports.
• Enable port security on S3 on the interfaces that the PCs are connected to.
  - Configure as access ports.
  - Only allow 1 host per port.
  - Enable dynamic learning that stores the MAC address in the running configuration.
  - Ensure that port violations disable ports.
  - Configure PortFast and BPDU Guard.
VLAN
• Create and name the VLANs on S3 based on the VLAN Table.
• Assign the switch ports on S3 to VLANs according to the VLAN Table.
• Configure the connection between Branch3 and S1 as a trunk and assign it to VLAN 99.
Spanning Tree
• Configure S3 to use RSTP as the STP mode.
• Assign S3 as the root bridge and S1 as the backup root bridge for VLANs 10 and 20.
• Assign S1 as the root bridge and S3 as the backup root bridge for VLAN 30.
Trunking and EtherChannel
• Set S3 interfaces connected to S1 and S2 as trunks and assign the native VLAN.
• Configure EtherChannel on S3 as desirable.
  - Use channel group 2 for trunks to S2.
  - Use channel group 3 for trunks to S1.
  - Assign the native VLAN.
Connectivity
• All inside devices should be able to ping the outside host.

Device Configs

Router Branch1
enable
configure terminal
interface g0/0
ip address dhcp
router eigrp 22
redistribute static
ip route 0.0.0.0 0.0.0.0 g0/0
end
copy running-config startup-config

Router Branch3
enable
configure terminal
interface g0/0.10
encapsulation dot1q 10
ip address 192.168.1.1 255.255.255.128
interface g0/0.20
encapsulation dot1q 20
ip address 192.168.1.129 255.255.255.192
interface s0/0/0
ip summary-address eigrp 22 192.168.0.0 255.255.254.0 5
interface s0/0/1
ip summary-address eigrp 22 192.168.0.0 255.255.254.0 5
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.129 192.168.1.139
ip dhcp excluded-address 192.168.1.193 192.168.1.203
ip dhcp pool Students
network 192.168.1.0 255.255.255.128
default-router 192.168.1.1
dns-server 209.165.201.14
ip dhcp pool Faculty/Staff
network 192.168.1.128 255.255.255.192
default-router 192.168.1.129
dns-server 209.165.201.14
ip dhcp pool Guest(Default)
network 192.168.1.192 255.255.255.224
default-router 192.168.1.193
dns-server 209.165.201.14
router eigrp 22
network 192.168.1.0 0.0.0.127
network 192.168.1.128 0.0.0.63
network 192.168.1.192 0.0.0.31
network 192.168.1.224 0.0.0.15
network 192.168.1.240 0.0.0.3
network 192.168.3.248 0.0.0.3
network 192.168.3.240 0.0.0.3
network 192.168.0.0 0.0.0.255
passive-interface GigabitEthernet0/1
passive-interface GigabitEthernet0/0.10
passive-interface GigabitEthernet0/0.20
passive-interface GigabitEthernet0/0.30
passive-interface GigabitEthernet0/0.88
passive-interface GigabitEthernet0/0.99
no auto-summary
end
copy running-config startup-config

Router Branch4
enable
configure terminal
ipv6 route ::/0 Serial0/1/0 2001:DB8:5::1
ipv6 router eigrp 222
redistribute static
end
copy running-config startup-config

Router Branch7
enable
configure terminal
ipv6 unicast-routing
interface g0/0
ipv6 eigrp 222
interface g0/1
ipv6 eigrp 222
interface s0/0/0
ipv6 eigrp 222
ipv6 summary-address eigrp 222 2001:db8:a::/47
interface s0/0/1
ipv6 eigrp 222
ipv6 summary-address eigrp 222 2001:db8:a::/47
ipv6 router eigrp 222
eigrp router-id 7.7.7.7
no shutdown
end
copy running-config startup-config

Switch S1
enable
configure terminal
spanning-tree vlan 10,20 root secondary
spanning-tree vlan 30 root primary
interface GigabitEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
end
copy running-config startup-config

Switch S3
enable
configure terminal
enable secret class
service password-encryption
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
spanning-tree vlan 30 root secondary
vlan 10
name Students
vlan 20
name Faculty/Staff
vlan 30
name Guest(Default)
vlan 88
name Management
vlan 99
name Native
interface range f0/5-24, g0/1-2
shutdown
interface range f0/1-2
channel-group 3 mode desirable
switchport mode trunk
switchport trunk native vlan 99
no shutdown
interface range f0/3-4
channel-group 2 mode desirable
switchport trunk native vlan 99
switchport mode trunk
no shutdown
interface range f0/5-11
switchport access vlan 10
switchport mode access
interface range f0/12-17, g0/1-2
switchport access vlan 20
switchport mode access
interface range f0/18-24
switchport access vlan 30
switchport mode access
interface range f0/11, f0/15, f0/24
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown
spanning-tree portfast
spanning-tree bpduguard enable
no shutdown
interface Port-channel 2
switchport mode trunk
switchport trunk native vlan 99
interface Port-channel 3
switchport mode trunk
switchport trunk native vlan 99
interface Vlan88
ip address 192.168.1.228 255.255.255.240
ip default-gateway 192.168.1.225
banner motd "Warning! Unauthorized Access is Prohibited!"
line con 0
password cisco
end
copy running-config startup-config

Packet Tracer – Troubleshooting Serial Interfaces (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Route |
|---|---|---|---|---|
| Telco | S0/0/0 (DCE) | 64.100.34.17 | 255.255.255.252 | N/A |
| | S0/0/1 (DCE) | 64.100.34.21 | 255.255.255.252 | N/A |
| | S0/1/0 (DCE) | 64.100.34.25 | 255.255.255.252 | N/A |
| | S0/1/1 (DCE) | 64.100.34.29 | 255.255.255.252 | N/A |
| R1 | S0/0/0 | 64.100.34.18 | 255.255.255.252 | 64.100.34.17 |
| R2 | S0/0/1 | 64.100.34.22 | 255.255.255.252 | 64.100.34.21 |
| R3 | S0/0/0 | 64.100.34.26 | 255.255.255.252 | 64.100.34.25 |
| R4 | S0/0/1 | 64.100.34.30 | 255.255.255.252 | 64.100.34.29 |

Objectives
Part 1: Diagnose and Repair the Physical Layer
Part 2: Diagnose and Repair the Data Link Layer
Part 3: Diagnose and Repair the Network Layer

Scenario
You have been asked to troubleshoot WAN connections for a local telephone company (Telco). The Telco
router should communicate with four remote sites, but none of them are working. Use your knowledge of the
OSI model and a few general rules to identify and repair the errors in the network.


Part 1: Diagnose and Repair the Physical Layer


Step 1: Diagnose and repair the cabling.
a. Examine the Addressing Table to determine the location of the DCE connections.
b. Each serial connection has a DCE and a DTE connection. To determine if each Telco interface is using
the correct end of the cable, look at the third line of output following the show controllers command.
Telco# show controllers [interface_type interface_num]
c. Reverse any cables that are incorrectly connected.
Note: Cable between Telco and R4 should be reversed and clock rate set on Telco. Serial Cable on R4
should connect to S0/0/1.
Note: In real network settings, the DCE (which sets the clock rate) is typically a CSU/DSU.

Step 2: Diagnose and repair incorrect port connections.


a. Examine the Addressing Table to match each router port with the correct Telco port.
b. Hold the mouse over each wire to ensure that the wires are connected as specified. If not, correct the
connections.

Step 3: Diagnose and repair ports that are shut down.


a. Show a brief interface summary of each router. Ensure that all of the ports that should be working are not
administratively down.
b. Enable the appropriate ports that are administratively down:
R3(config)# interface s0/0/0
R3(config-if)# no shutdown

Part 2: Diagnose and Repair the Data Link Layer


Step 1: Examine and set clock rates on DCE equipment.
a. All of the DCE cables should be connected to Telco. Show the running configuration of Telco to verify
that a clock rate has been set on each interface.
b. Set the clock rate of any serial interface that requires it:
Telco(config)# interface s0/0/0
Telco(config-if)# clock rate 4000000
Telco(config-if)# interface s0/1/1
Telco(config-if)# clock rate 4000000

Step 2: Examine the encapsulation on DCE equipment.


a. All of the serial interfaces should be using HDLC as the encapsulation type. Examine the protocol setting
of the serial interfaces.
Telco# show interface [interface_type interface_num]
b. Change the encapsulation type to HDLC for any interface that is set otherwise:
R4(config)# interface s0/0/1
R4(config-if)# encapsulation hdlc


Part 3: Diagnose and Repair the Network Layer


Step 1: Verify the IP addressing.
a. Show a brief interface summary of each router. Check the IP addresses against the Addressing Table
and ensure that they are in the correct subnet with their connecting interface.
b. Correct any IP addresses that overlap, or are set to the host or broadcast address:
R1(config)# interface s0/0/0
R1(config-if)# ip address 64.100.34.18 255.255.255.252
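
The check in Step 1 can be automated. The following is an added example, not part of the Cisco manual: a Python script using the standard `ipaddress` module that takes both ends of each serial link from the Addressing Table and reports ends that sit in different subnets, use the network or broadcast address, duplicate each other, or overlap another link. The misconfigured values in the usage lines are constructed for illustration.

```python
import ipaddress

# Both ends of each serial link, taken from the Addressing Table (/30 = 255.255.255.252).
LINKS = [
    ("Telco S0/0/0", "64.100.34.17/30", "R1 S0/0/0", "64.100.34.18/30"),
    ("Telco S0/0/1", "64.100.34.21/30", "R2 S0/0/1", "64.100.34.22/30"),
    ("Telco S0/1/0", "64.100.34.25/30", "R3 S0/0/0", "64.100.34.26/30"),
    ("Telco S0/1/1", "64.100.34.29/30", "R4 S0/0/1", "64.100.34.30/30"),
]


def check_link(a_name, a_cidr, b_name, b_cidr):
    """Return a list of problems found on one point-to-point link."""
    problems = []
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)

    for name, iface in ((a_name, a), (b_name, b)):
        net = iface.network
        if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
            if iface.ip == net.network_address:
                problems.append(f"{name}: {iface.ip} is the network address of {net}")
            elif iface.ip == net.broadcast_address:
                problems.append(f"{name}: {iface.ip} is the broadcast address of {net}")

    if a.network != b.network:
        problems.append(
            f"{a_name} and {b_name} are in different subnets ({a.network} vs {b.network})"
        )
    elif a.ip == b.ip:
        problems.append(f"{a_name} and {b_name} both use {a.ip}")
    return problems


def check_topology(links):
    """Check every link, then check that no two links share address space."""
    problems = []
    seen = []  # (interface name, network) of the first end of each earlier link
    for a_name, a_cidr, b_name, b_cidr in links:
        problems.extend(check_link(a_name, a_cidr, b_name, b_cidr))
        net = ipaddress.ip_interface(a_cidr).network
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{a_name} ({net}) overlaps {other_name} ({other_net})")
        seen.append((a_name, net))
    return problems


if __name__ == "__main__":
    print("Addressing Table:", check_topology(LINKS) or "no problems")
    # Constructed misconfiguration: R1 set to the broadcast address of its /30.
    print(check_link("Telco S0/0/0", "64.100.34.17/30", "R1 S0/0/0", "64.100.34.19/30"))
    # Constructed misconfiguration: R3 addressed in the neighbouring /30.
    print(check_link("Telco S0/1/0", "64.100.34.25/30", "R3 S0/0/0", "64.100.34.30/30"))
```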

Step 2: Verify connectivity between all routers.

Packet Tracer – Configuring PAP and CHAP Authentication (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/0 | 192.168.10.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 10.1.1.1 | 255.255.255.252 | N/A |
| R2 | G0/0 | 192.168.30.1 | 255.255.255.0 | N/A |
| | S0/0/1 | 10.2.2.2 | 255.255.255.252 | N/A |
| R3 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A |
| | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A |
| | S0/1/0 | 209.165.200.225 | 255.255.255.252 | N/A |
| ISP | S0/0/0 | 209.165.200.226 | 255.255.255.252 | N/A |
| | G0/0 | 209.165.200.1 | 255.255.255.252 | N/A |
| Web | NIC | 209.165.200.2 | 255.255.255.252 | 209.165.200.1 |
| PC | NIC | 192.168.10.10 | 255.255.255.0 | 192.168.10.1 |
| Laptop | NIC | 192.168.30.10 | 255.255.255.0 | 192.168.30.1 |

Objectives
Part 1: Review Routing Configurations
Part 2: Configure PPP as the Encapsulation Method
Part 3: Configure PPP Authentication


Background
In this activity, you will practice configuring PPP encapsulation on serial links. You will also configure PPP PAP
authentication and PPP CHAP authentication.

Part 1: Review Routing Configurations


Step 1: View running configurations on all routers.
While reviewing the router configurations, note the use of both static and dynamic routes in the topology.

Step 2: Test connectivity between computers and the web server.


From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.

Part 2: Configure PPP as the Encapsulation Method


Step 1: Configure R1 to use PPP encapsulation with R3.
Enter the following commands on R1:
R1(config)# interface s0/0/0
R1(config-if)# encapsulation ppp

Step 2: Configure R2 to use PPP encapsulation with R3.


Enter the appropriate commands on R2:
R2(config)# interface s0/0/1
R2(config-if)# encapsulation ppp

Step 3: Configure R3 to use PPP encapsulation with R1, R2, and ISP.
Enter the appropriate commands on R3:
R3(config)# interface s0/0/0
R3(config-if)# encapsulation ppp
R3(config)# interface s0/0/1
R3(config-if)# encapsulation ppp
R3(config)# interface s0/1/0
R3(config-if)# encapsulation ppp

Step 4: Configure ISP to use PPP encapsulation with R3.


a. Click the Internet cloud, then ISP. Enter the following commands:
Router(config)# interface s0/0/0
Router(config-if)# encapsulation ppp
b. Exit the Internet cloud by clicking Back in the upper left corner or by pressing Alt+left arrow.

Step 5: Test connectivity to the web server.


PC and Laptop should be able to ping the web server at 209.165.200.2. This may take some time as
interfaces start working again and EIGRP reconverges.


Part 3: Configure PPP Authentication


Step 1: Configure PPP PAP Authentication Between R1 and R3.
Note: Instead of using the keyword password as shown in the curriculum, you will use the keyword secret to
provide a better encryption of the password.
a. Enter the following commands into R1:
R1(config)# username R3 secret class
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password cisco
b. Enter the following commands into R3:
R3(config)# username R1 secret cisco
R3(config)# interface s0/0/0
R3(config-if)# ppp authentication pap
R3(config-if)# ppp pap sent-username R3 password class

Step 2: Configure PPP PAP Authentication Between R2 and R3.


Repeat step 1 to configure authentication between R2 and R3 changing the usernames as needed. Note that
each password sent on each serial port matches the password expected by the opposite router.
R2(config-if)# username R3 secret class
R2(config)# interface s0/0/1
R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username R2 password cisco

R3(config-if)# username R2 secret cisco
R3(config)# interface s0/0/1
R3(config-if)# ppp authentication pap
R3(config-if)# ppp pap sent-username R3 password class

Step 3: Configure PPP CHAP Authentication Between R3 and ISP.


a. Enter the following commands into ISP. The hostname is sent as the username:
Router(config)# hostname ISP
ISP(config)# username R3 secret cisco
ISP(config)# interface s0/0/0
ISP(config-if)# ppp authentication chap
b. Enter the following commands into R3. The passwords must match for CHAP authentication:
R3(config)# username ISP secret cisco
R3(config)# interface serial0/1/0
R3(config-if)# ppp authentication chap
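
Why the CHAP passwords must match while PAP simply sends a username and password: the following is an added example, not part of the Cisco manual. It builds a PAP Authenticate-Request as laid out in RFC 1334 and runs the CHAP challenge/response of RFC 1994 with the lab's usernames and passwords. The class and function names are hypothetical, and the challenge length of 16 bytes is an assumption.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)  # code + identifier + 2-byte length field + body
    return bytes([1, identifier]) + length.to_bytes(2, "big") + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side, e.g. ISP holding `username R3 secret cisco`."""

    def __init__(self, users):
        self.users = users      # peer name -> shared secret
        self._next_id = 0
        self._pending = {}      # identifier -> outstanding challenge value

    def challenge(self):
        """Issue a fresh random challenge; only this leaves the router."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)  # assumed challenge length
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        """Recompute the hash locally; the secret itself is never received."""
        value = self._pending.pop(identifier, None)  # one use: a replay finds nothing
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    """Replay Step 1 (PAP, R1 to R3) and Step 3 (CHAP, R3 to ISP) of the lab."""
    pap_frame = pap_authenticate_request(1, b"R1", b"cisco")

    isp = ChapAuthenticator({"R3": b"cisco"})
    ident, value = isp.challenge()
    response = chap_response(ident, b"cisco", value)   # R3 with the matching secret
    accepted = isp.verify(ident, "R3", response)
    replayed = isp.verify(ident, "R3", response)       # same response sent again

    ident2, value2 = isp.challenge()
    mismatch = isp.verify(ident2, "R3", chap_response(ident2, b"class", value2))
    return {
        "pap_password_visible": b"cisco" in pap_frame,
        "chap_accepted": accepted,
        "chap_replay_accepted": replayed,
        "chap_mismatched_secret_accepted": mismatch,
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The PAP frame contains the password byte for byte, which is what a capture of the serial link would show; the CHAP exchange carries only the random challenge and a 16-byte hash.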

Step 4: Test connectivity between computers and the web server.


From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.

Packet Tracer – Troubleshooting PPP with Authentication (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/1 | 10.0.0.1 | 255.255.255.128 | N/A |
| | S0/0/0 | 172.16.0.1 | 255.255.255.252 | N/A |
| | S0/0/1 | 172.16.0.9 | 255.255.255.252 | N/A |
| R2 | G0/1 | 209.165.200.161 | 255.255.255.224 | N/A |
| | S0/0/0 | 172.16.0.2 | 255.255.255.252 | N/A |
| | S0/0/1 | 172.16.0.5 | 255.255.255.252 | N/A |
| R3 | G0/1 | 10.0.0.129 | 255.255.255.128 | N/A |
| | S0/0/0 | 172.16.0.10 | 255.255.255.252 | N/A |
| | S0/0/1 | 172.16.0.6 | 255.255.255.252 | N/A |
| ISP | G0/1 | 209.165.200.162 | 255.255.255.224 | N/A |
| PC1 | NIC | 10.0.0.10 | 255.255.255.128 | 10.0.0.1 |
| PC3 | NIC | 10.0.0.139 | 255.255.255.128 | 10.0.0.129 |
| Web Server | NIC | 209.165.200.2 | 255.255.255.252 | 209.165.200.1 |

Objectives
Part 1: Diagnose and Repair the Physical Layer
Part 2: Diagnose and Repair the Data Link Layer
Part 3: Diagnose and Repair the Network Layer


Scenario
The routers at your company were configured by an inexperienced network engineer. Several errors in the
configuration have resulted in connectivity issues. Your boss has asked you to troubleshoot and correct the
configuration errors and document your work. Using your knowledge of PPP and standard testing methods,
find and correct the errors. Make sure that all of the serial links use PPP CHAP authentication, and that all of
the networks are reachable. The passwords are cisco and class.

Part 1: Diagnose and Repair the Physical Layer


Step 1: Diagnose and repair the cabling.
a. Examine the Addressing Table to determine the location of all the connections.
b. Verify cables are connected as specified.
c. Diagnose and repair any inactive interfaces.
R1(config-if)# interface g0/1
R1(config-if)# no shutdown
R1(config)# interface s0/0/0
R1(config-if)# no shutdown
R1(config-if)# interface s0/0/1
R1(config-if)# no shutdown

R2(config)# interface s0/0/0


R2(config-if)# no shutdown
R2(config-if)# interface s0/0/1
R2(config-if)# no shutdown

R3(config)# interface g0/1


R3(config-if)# no shutdown
R3(config-if)# interface s0/0/0
R3(config-if)# no shutdown
R3(config-if)# interface s0/0/1
R3(config-if)# no shutdown

Part 2: Diagnose and Repair the Data Link Layer


Step 1: Examine and set clock rates on the DCE equipment.
Examine the configuration of each router to verify that a clock rate has been set on the appropriate interfaces.
Set the clock rate on any serial interface that requires it.
R2(config)# interface s0/0/1
R2(config-if)# clock rate 64000

Step 2: Examine the encapsulation on the DCE equipment.


All of the serial interfaces should be using PPP as the encapsulation type. Change the encapsulation type to
PPP for any interface that is set otherwise.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation ppp

R2(config)# interface s0/0/1
R2(config-if)# encapsulation ppp

R3(config)# interface s0/0/0
R3(config-if)# encapsulation ppp

Step 3: Examine and set CHAP usernames and passwords.


Examine each link to verify that routers are logging into each other correctly. All CHAP passwords are set to
cisco. Use the debug ppp authentication command if needed. Correct or set any usernames and
passwords that need it.
R1(config)# username R3 password cisco
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication chap
R1(config-if)# interface s0/0/1
R1(config-if)# ppp authentication chap

R2(config)# username R1 password cisco
R2(config)# no username R11
R2(config)# interface s0/0/1
R2(config-if)# ppp authentication chap

R3(config)# username R2 password cisco
R3(config)# interface s0/0/0
R3(config-if)# ppp authentication chap
R3(config-if)# interface s0/0/1
R3(config-if)# ppp authentication chap
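
The CHAP exchange behind the username fixes above, as an added Python example that is not part of the lab or of Cisco's material. It uses the RFC 1994 MD5 response and a simplified model of the lookup by peer hostname that the username commands rely on; the Router class, the message dictionaries and the "class" mismatch case are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_md5(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """Simplified model of one PPP peer with a local username database."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        # Mirrors the "username <peer-hostname> password <secret>" lines.
        self.usernames = dict(usernames)

    def challenge(self, identifier):
        # A Challenge carries an ID, a random value and the sender's name.
        return {"id": identifier, "name": self.hostname, "value": os.urandom(16)}

    def respond(self, chal):
        # The responder selects the secret by the challenger's name.
        secret = self.usernames.get(chal["name"])
        if secret is None:
            return None  # no matching username entry, so no valid response
        return {"id": chal["id"], "name": self.hostname,
                "value": chap_md5(chal["id"], secret, chal["value"])}

    def verify(self, chal, resp):
        # The authenticator selects the secret by the responder's name.
        if resp is None or resp["id"] != chal["id"]:
            return False
        secret = self.usernames.get(resp["name"])
        if secret is None:
            return False
        expected = chap_md5(chal["id"], secret, chal["value"])
        return hmac.compare_digest(expected, resp["value"])


def one_way(authenticator, peer, identifier):
    """One challenge/response round; the secret itself never crosses the link."""
    chal = authenticator.challenge(identifier)
    return authenticator.verify(chal, peer.respond(chal))


def link_up(a, b):
    """Both ends run 'ppp authentication chap', so each authenticates the other."""
    return one_way(a, b, 1) and one_way(b, a, 2)


def demo():
    r1 = Router("R1", {"R2": "cisco", "R3": "cisco"})
    r2_typo = Router("R2", {"R11": "cisco", "R3": "cisco"})       # the R11 entry the lab removes
    r2_fixed = Router("R2", {"R1": "cisco", "R3": "cisco"})       # after the correction
    r2_mismatch = Router("R2", {"R1": "class", "R3": "cisco"})    # constructed wrong secret
    return {
        "typo": link_up(r1, r2_typo),
        "fixed": link_up(r1, r2_fixed),
        "mismatch": link_up(r1, r2_mismatch),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} link authenticated: {ok}")
```
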

Part 3: Diagnose and Repair the Network Layer


Step 1: Verify the IP addressing.
Check IP addresses against the Addressing Table and ensure that they are in the correct subnet with their
connecting interface. Correct any IP addresses that overlap, are on the wrong interface, have the wrong
subnet address, or are set to the host or broadcast address.
R1(config)# interface g0/0
R1(config-if)# no ip address
R1(config-if)# interface g0/1
R1(config-if)# ip address 10.0.0.1 255.255.255.128
R1(config-if)# interface s0/0/0
R1(config-if)# ip address 172.16.0.1 255.255.255.252

R2(config)# interface g0/1
R2(config-if)# ip address 209.165.200.161 255.255.255.224

R3(config)# interface g0/1
R3(config-if)# ip address 10.0.0.129 255.255.255.128
R3(config-if)# interface s0/0/1
R3(config-if)# ip address 172.16.0.6 255.255.255.252
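
One way to automate the Step 1 checks, as an added Python example that is not part of the lab. The link list is inferred from the shared subnets in the Addressing Table because the topology figure is not reproduced here, and the three faulty addresses are constructed for illustration; only router interfaces are audited.

```python
import ipaddress
from itertools import combinations

# Router rows of the Addressing Table for this lab (mask in dotted form, as printed).
TABLE = {
    ("R1", "G0/1"): "10.0.0.1/255.255.255.128",
    ("R1", "S0/0/0"): "172.16.0.1/255.255.255.252",
    ("R1", "S0/0/1"): "172.16.0.9/255.255.255.252",
    ("R2", "G0/1"): "209.165.200.161/255.255.255.224",
    ("R2", "S0/0/0"): "172.16.0.2/255.255.255.252",
    ("R2", "S0/0/1"): "172.16.0.5/255.255.255.252",
    ("R3", "G0/1"): "10.0.0.129/255.255.255.128",
    ("R3", "S0/0/0"): "172.16.0.10/255.255.255.252",
    ("R3", "S0/0/1"): "172.16.0.6/255.255.255.252",
    ("ISP", "G0/1"): "209.165.200.162/255.255.255.224",
}

# Assumption: which interfaces face each other, inferred from matching subnets.
LINKS = [
    (("R1", "S0/0/0"), ("R2", "S0/0/0")),
    (("R1", "S0/0/1"), ("R3", "S0/0/0")),
    (("R2", "S0/0/1"), ("R3", "S0/0/1")),
    (("R2", "G0/1"), ("ISP", "G0/1")),
]


def audit(table, links):
    """Return (kind, where) findings for the error classes named in Step 1."""
    ifaces = {key: ipaddress.ip_interface(value) for key, value in table.items()}
    findings = []

    # Interface set to the subnet's network or broadcast address.
    for key, iface in sorted(ifaces.items()):
        if iface.ip == iface.network.network_address:
            findings.append(("network-address", key))
        elif iface.ip == iface.network.broadcast_address:
            findings.append(("broadcast-address", key))

    # Both ends of a link must sit in the same subnet with different addresses.
    segment = {}
    for number, (a, b) in enumerate(links):
        segment[a] = segment[b] = number
        if ifaces[a].network != ifaces[b].network:
            findings.append(("link-subnet-mismatch", (a, b)))
        elif ifaces[a].ip == ifaces[b].ip:
            findings.append(("duplicate-address", (a, b)))

    # Interfaces on different segments must not share or overlap a subnet.
    for (ka, ia), (kb, ib) in combinations(sorted(ifaces.items()), 2):
        same_segment = ka in segment and segment.get(ka) == segment.get(kb)
        if not same_segment and ia.network.overlaps(ib.network):
            findings.append(("overlapping-subnets", (ka, kb)))
    return findings


def faulty_table():
    """Constructed misconfiguration, one error per class (not the lab's actual faults)."""
    broken = dict(TABLE)
    broken[("R1", "S0/0/0")] = "172.16.0.3/255.255.255.252"   # broadcast of 172.16.0.0/30
    broken[("R3", "S0/0/1")] = "172.16.0.14/255.255.255.252"  # wrong subnet for the R2 link
    broken[("R3", "G0/1")] = "10.0.0.100/255.255.255.128"     # collides with the R1 LAN
    return broken


if __name__ == "__main__":
    print("as documented:", audit(TABLE, LINKS))
    for kind, where in audit(faulty_table(), LINKS):
        print(kind, where)
```
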

Step 2: Verify full connectivity by tracing a path from PC1 and PC3 to the web server.

Packet Tracer – Skills Integration Challenge (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5

Addressing Table

Device  Interface  IPv4 Address /         Subnet Mask      IPv4 and IPv6
                   IPv6 Address/Prefix                     Default Gateway
R1      S0/0/0     10.1.1.2               255.255.255.252  N/A
                   2001:DB8:A:A::2/64                      FE80::1
R1      S0/0/1     209.165.200.226        255.255.255.252  N/A
                   2001:DB8:B:1::2/64                      FE80::1
R2      G0/0.1     192.168.1.193          255.255.255.224  N/A
                   2001:DB8:A:1::1/64                      FE80::2
R2      G0/0.15    192.168.1.1            255.255.255.128  N/A
                   2001:DB8:A:15::1/64                     FE80::2
R2      G0/0.25    192.168.1.129          255.255.255.192  N/A
                   2001:DB8:A:25::1/64                     FE80::2
R2      G0/0.99    192.168.1.225          255.255.255.224  N/A
                   2001:DB8:A:99::1/64                     FE80::2
R2      S0/0/0     10.1.1.1               255.255.255.252  N/A
                   2001:DB8:A:A::1/64                      FE80::2
S1      VLAN 99    192.168.1.226          255.255.255.224  192.168.1.225
PC15    NIC        192.168.1.2            255.255.255.128  192.168.1.1
                   2001:DB8:A:15::2/64                     FE80::2
PC25    NIC        192.168.1.130          255.255.255.192  192.168.1.129
                   2001:DB8:A:25::2/64                     FE80::2
L25     NIC        192.168.1.190          255.255.255.192  192.168.1.129
                   2001:DB8:A:25::A/64                     FE80::2

Background
This activity allows you to practice a variety of skills including configuring VLANs, PPP with CHAP, static and
default routing, using IPv4 and IPv6. Due to the sheer number of graded elements, you can click Check
Results and Assessment Items to see if you correctly entered a graded command. Use the cisco and class
passwords to access privileged EXEC modes of the CLI for routers and switches.

Requirements
Addressing
• The addressing scheme uses the 192.168.1.0/24 address space. Additional address space is available
between VLAN 15 and VLAN 1. VLAN 25 needs enough addresses for 50 hosts. Determine the subnet
and complete the subnet table below.

VLAN  IPv4 Subnet Address  Subnet Mask      Hosts
1     192.168.1.192        255.255.255.224  20
15    192.168.1.0          255.255.255.128  100
25    192.168.1.128        255.255.255.192  50
99    192.168.1.224        255.255.255.224  20

• Complete the Addressing Table by assigning the following addresses to VLAN 25:
- R2 G0/0.25 - First IPv4 address
- PC25 - 2nd IPv4 address
- L25 - Last IPv4 address
• Configure IPv4 addressing on the necessary end devices.
• On R2, create and apply IPv4 and IPv6 addressing to the G0/0.25 subinterface.

VLANs
• On S1, create VLAN 86 and name it BlackHole.
• Configure S1 ports in static mode with the following requirements:
- F0/1 is the native trunk for VLAN 99.
- F0/7 - F0/18 as access ports in VLAN 15.
- F0/19 - F0/24 as access ports in VLAN 25.
- G0/1 - 2 and F0/2 - F0/6 are unused. They should be properly secured and assigned to the
BlackHole VLAN.
• On R2, configure inter-VLAN routing. VLAN 99 is the native VLAN.

PPP
• Configure R1 and R2 to use PPP with CHAP for the shared link. The password for CHAP is cisco.

Routing
• On R1, configure IPv4 and IPv6 default routes using the appropriate exit interface.
• On R2, configure an IPv6 default route using the appropriate exit interface.
• Configure IPv4 OSPF using the following requirements:
- Use process ID 1.
- Routers R1 and R2 are in area 0.
- R1 uses router ID 1.1.1.1.
- R2 uses router ID 2.2.2.2.
- Advertise specific subnets.
- On R1, propagate the IPv4 default route created.
• Configure IPv6 OSPF using the following requirements:
- Use process ID 1.
- Routers R1 and R2 are in area 0.
- Configure OSPF on appropriate interfaces on R1 and R2.
- R1 uses router ID 1.1.1.1.
- R2 uses router ID 2.2.2.2.

Connectivity
• All devices should be able to ping the web server.

Scripts
Configure PC25 and L25 with IPv4 Addressing

Router R1
enable
config t
ipv6 unicast-routing
username R2 password 0 cisco
interface Serial0/0/0
encapsulation ppp
ppp authentication chap
ipv6 ospf 1 area 0
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
default-information originate
router-id 1.1.1.1
ipv6 router ospf 1
router-id 1.1.1.1
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ipv6 route ::/0 Serial0/0/1
end
copy running-config startup-config

Router R2
enable
config t
ipv6 unicast-routing
username R1 password 0 cisco
int g0/0
no shut
interface GigabitEthernet0/0.1
encapsulation dot1Q 1
ip add 192.168.1.193 255.255.255.224
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.15
encapsulation dot1Q 15
ip add 192.168.1.1 255.255.255.128
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.25
encapsulation dot1Q 25
ip address 192.168.1.129 255.255.255.192
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:A:25::1/64
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.99
encapsulation dot1Q 99 native
ip add 192.168.1.225 255.255.255.224
ipv6 ospf 1 area 0
interface Serial0/0/0
encapsulation ppp
ppp authentication chap
ipv6 ospf 1 area 0
router ospf 1
router-id 2.2.2.2
network 192.168.1.0 0.0.0.127 area 0
network 192.168.1.128 0.0.0.63 area 0
network 192.168.1.192 0.0.0.31 area 0
network 192.168.1.224 0.0.0.31 area 0
network 10.1.1.0 0.0.0.3 area 0
ipv6 router ospf 1
router-id 2.2.2.2
ipv6 route ::/0 Serial0/0/0
end
copy running-config startup-config

Switch S1
en
conf t
vlan 86
name BlackHole
exit
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
interface range Gig0/1 - 2 , FastEthernet0/2 - 6
switchport access vlan 86
switchport mode access
shutdown
interface range FastEthernet0/7 - 18
switchport access vlan 15
switchport mode access
interface range FastEthernet0/19 - 24
switchport access vlan 25
switchport mode access
end
copy running-config startup-config
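
A check for the "unused ports are secured" requirement, as an added Python example that is not part of the lab. It parses the S1 script above (copied into the block) and reports any unused port that is not a static access port in VLAN 86 and shut down; the parser covers only the command forms this script uses, and the weakened variant is constructed.

```python
import re

# Interface section of the S1 script from this lab.
S1_SCRIPT = """\
vlan 86
name BlackHole
exit
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
interface range Gig0/1 - 2 , FastEthernet0/2 - 6
switchport access vlan 86
switchport mode access
shutdown
interface range FastEthernet0/7 - 18
switchport access vlan 15
switchport mode access
interface range FastEthernet0/19 - 24
switchport access vlan 25
switchport mode access
end
"""

DEFAULTS = {"mode": None, "access_vlan": 1, "shutdown": False}


def expand(spec):
    """'Gig0/1 - 2 , FastEthernet0/2 - 6' -> ['G0/1', 'G0/2', 'F0/2', ..., 'F0/6']."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+)(\d+)/(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"unrecognised interface spec: {part!r}")
        kind, slot, first = m.group(1)[0].upper(), m.group(2), int(m.group(3))
        last = int(m.group(4) or first)
        ports += [f"{kind}{slot}/{n}" for n in range(first, last + 1)]
    return ports


def parse(config):
    """Return {port: settings} for every port named by an interface command."""
    ports, current = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (?:range )?(.+)", line)
        if m:
            try:
                current = expand(m.group(1))
            except ValueError:
                current = []  # e.g. an SVI; not a physical port
            for port in current:
                ports.setdefault(port, dict(DEFAULTS))
        elif line in ("exit", "end"):
            current = []
        elif line.startswith("switchport mode "):
            for port in current:
                ports[port]["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            for port in current:
                ports[port]["access_vlan"] = int(line.split()[-1])
        elif line in ("shutdown", "no shutdown"):
            for port in current:
                ports[port]["shutdown"] = line == "shutdown"
    return ports


# Ports the requirements list as unused.
UNUSED = expand("G0/1 - 2 , F0/2 - 6")


def audit_unused(config, unused=UNUSED, blackhole_vlan=86):
    ports = parse(config)
    problems = []
    for port in unused:
        settings = ports.get(port, DEFAULTS)  # untouched ports keep switch defaults
        if settings["mode"] != "access":
            problems.append((port, "not a static access port"))
        if settings["access_vlan"] != blackhole_vlan:
            problems.append((port, f"not in VLAN {blackhole_vlan}"))
        if not settings["shutdown"]:
            problems.append((port, "not shut down"))
    return problems


def weakened_script():
    """Constructed variant: the range stops at F0/5, so F0/6 is left at defaults."""
    return S1_SCRIPT.replace("FastEthernet0/2 - 6", "FastEthernet0/2 - 5")


if __name__ == "__main__":
    print("lab script:", audit_unused(S1_SCRIPT))
    print("weakened:  ", audit_unused(weakened_script()))
```
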

Packet Tracer – Configuring Static Frame Relay Maps (Instructor
Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device  Interface  IP Address       Subnet Mask      Default Gateway
R1      G0/0       192.168.10.1     255.255.255.0    N/A
R1      S0/0/0     10.1.1.1         255.255.255.0    N/A
R2      G0/0       192.168.30.1     255.255.255.0    N/A
R2      S0/0/0     10.1.1.2         255.255.255.0    N/A
R3      S0/0/0     10.1.1.3         255.255.255.0    N/A
R3      S0/1/0     209.165.200.225  255.255.255.224  N/A
ISP     S0/0/0     209.165.200.226  255.255.255.224  N/A
Web     NIC        209.165.200.2    255.255.255.252  209.165.200.1
PC      NIC        192.168.10.10    255.255.255.0    192.168.10.1
Laptop  NIC        192.168.30.10    255.255.255.0    192.168.30.1

Objectives
Part 1: Configure Frame Relay
Part 2: Configure Static Frame Relay Maps and LMI Types

Scenario
In this activity, you will configure two static Frame Relay maps. Although the LMI type is autosensed on the
routers, you will statically assign the type by manually configuring the LMI.


Part 1: Configure Frame Relay


Step 1: Configure Frame Relay encapsulation on the S0/0/0 interface of R1.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation frame-relay

Step 2: Configure Frame Relay encapsulation on the S0/0/0 interfaces of R2 and R3.
R2(config)# interface s0/0/0
R2(config-if)# encapsulation frame-relay

R3(config)# interface s0/0/0
R3(config-if)# encapsulation frame-relay

Step 3: Test connectivity.


From the command prompt on PC, verify connectivity to the Laptop, located at 192.168.30.10, using the ping
command.
The ping from PC to Laptop should fail because R1 does not have a route to reach the 192.168.30.0
network. R1 must be configured with a Frame Relay map so that it can find the next hop destination to reach
that network.

Part 2: Configure Static Frame Relay Maps and LMI Types


Each router requires two static maps to reach the other routers. The DLCIs to reach these routers are
provided below.

Step 1: Configure static maps on R1, R2, and R3.


a. Configure R1 to use static frame relay maps. Use DLCI 102 to communicate from R1 to R2. Use DLCI
103 to communicate from R1 to R3. The routers must also support EIGRP multicast on 224.0.0.10;
therefore, the broadcast keyword is required.
R1(config)# interface s0/0/0
R1(config-if)# frame-relay map ip 10.1.1.2 102 broadcast
R1(config-if)# frame-relay map ip 10.1.1.3 103 broadcast
b. Configure R2 to use static Frame Relay maps. Use DLCI 201 to communicate from R2 to R1. Use DLCI
203 to communicate from R2 to R3. Use the correct IP address for each map.
R2(config)# interface s0/0/0
R2(config-if)# frame-relay map ip 10.1.1.1 201 broadcast
R2(config-if)# frame-relay map ip 10.1.1.3 203 broadcast
c. Configure R3 to use static Frame Relay maps. Use DLCI 301 to communicate from R3 to R1. Use DLCI
302 to communicate from R3 to R2. Use the correct IP address for each map.
R3(config)# interface s0/0/0
R3(config-if)# frame-relay map ip 10.1.1.1 301 broadcast
R3(config-if)# frame-relay map ip 10.1.1.2 302 broadcast

Step 2: Configure ANSI as the LMI type on R1, R2, and R3.
Enter the following command on the serial interface for each router:
R1(config-if)# frame-relay lmi-type ansi
R2(config-if)# frame-relay lmi-type ansi
R3(config-if)# frame-relay lmi-type ansi

Step 3: Verify connectivity.


The PC and Laptop should now be able to ping each other and the Web Server.

Packet Tracer – Configuring Frame Relay Point-to-Point
Subinterfaces (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device  Interface  IP Address       Subnet Mask      Default Gateway
R1      G0/0       192.168.10.1     255.255.255.0    N/A
R1      S0/0/0.2   10.1.1.1         255.255.255.252  N/A
R1      S0/0/0.3   10.1.3.2         255.255.255.252  N/A
R2      G0/0       192.168.30.1     255.255.255.0    N/A
R2      S0/0/0.1   10.1.1.2         255.255.255.252  N/A
R2      S0/0/0.3   10.1.2.1         255.255.255.252  N/A
R3      S0/0/0.1   10.1.3.1         255.255.255.252  N/A
R3      S0/0/0.2   10.1.2.2         255.255.255.252  N/A
R3      S0/1/0     209.165.200.225  255.255.255.224  N/A
ISP     S0/0/0     209.165.200.226  255.255.255.224  N/A
Web     NIC        209.165.200.2    255.255.255.252  209.165.200.1
PC      NIC        192.168.10.10    255.255.255.0    192.168.10.1
Laptop  NIC        192.168.30.10    255.255.255.0    192.168.30.1

Objectives
Part 1: Configure Frame Relay
Part 2: Configure Frame Relay Point-to-Point Subinterfaces
Part 3: Verify Configuration and Connectivity

Scenario
In this activity, you will configure Frame Relay with two subinterfaces on each router to reach the other two
routers. You will also configure EIGRP and verify end-to-end connectivity.

Part 1: Configure Frame Relay


Step 1: Configure Frame Relay encapsulation on the S0/0/0 interface of R1.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation frame-relay
R1(config-if)# no shutdown

Step 2: Configure Frame Relay encapsulation on the S0/0/0 interfaces of R2 and R3.
R2(config)# interface s0/0/0
R2(config-if)# encapsulation frame-relay
R2(config-if)# no shutdown

R3(config)# interface s0/0/0
R3(config-if)# encapsulation frame-relay
R3(config-if)# no shutdown

Step 3: Test connectivity.


From the command prompt on PC, verify connectivity to the Laptop, located at 192.168.30.10, using the ping
command.
The ping from PC to Laptop should fail because the R1 router does not have a route to reach the
192.168.30.0 network. R1 must be configured with Frame Relay on subinterfaces so that it can find the next
hop destination to reach that network.

Part 2: Configure Frame Relay Point-to-Point Subinterfaces


Each router requires two subinterfaces to reach the other routers. The DLCIs to reach these routers are
provided below.

Step 1: Configure subinterfaces on R1, R2, and R3.


a. Configure R1 to use subinterfaces. DLCI 102 is used to communicate from R1 to R2, while DLCI 103 is
used to communicate from R1 to R3.
R1(config)# interface s0/0/0.2 point-to-point
R1(config-subif)# ip address 10.1.1.1 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 102
R1(config-subif)# interface s0/0/0.3 point-to-point
R1(config-subif)# ip address 10.1.3.2 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 103
b. Add network entries to EIGRP autonomous system 1 to reflect the IP addresses above.
R1(config)# router eigrp 1
R1(config-router)# network 10.1.1.0 0.0.0.3
R1(config-router)# network 10.1.3.0 0.0.0.3
c. Configure R2 to use subinterfaces. DLCI 201 is used to communicate from R2 to R1, while DLCI 203 is
used to communicate from R2 to R3. Use the correct IP address in the Addressing Table for each
subinterface.
R2(config)# interface s0/0/0.1 point-to-point
R2(config-subif)# ip address 10.1.1.2 255.255.255.252
R2(config-subif)# frame-relay interface-dlci 201
R2(config-subif)# interface s0/0/0.3 point-to-point
R2(config-subif)# ip address 10.1.2.1 255.255.255.252
R2(config-subif)# frame-relay interface-dlci 203
R2(config-subif)# exit
d. Add the appropriate EIGRP entries to R2 for autonomous system 1.
R2(config)# router eigrp 1
R2(config-router)# network 10.1.1.0 0.0.0.3
R2(config-router)# network 10.1.2.0 0.0.0.3
e. Configure R3 to use subinterfaces. DLCI 301 is used to communicate from R3 to R1, while DLCI 302 is
used to communicate from R3 to R2. Use the correct IP address for each subinterface.
R3(config)# interface s0/0/0.1 point-to-point
R3(config-subif)# ip address 10.1.3.1 255.255.255.252
R3(config-subif)# frame-relay interface-dlci 301
R3(config-subif)# interface s0/0/0.2 point-to-point
R3(config-subif)# ip address 10.1.2.2 255.255.255.252
R3(config-subif)# frame-relay interface-dlci 302
R3(config-subif)# exit
f. Add the appropriate EIGRP entries to R3 for autonomous system 1.
R3(config)# router eigrp 1
R3(config-router)# network 10.1.3.0 0.0.0.3
R3(config-router)# network 10.1.2.0 0.0.0.3

Part 3: Verify Configuration and Connectivity


Step 1: Verify the Frame Relay configuration.
Show information about Frame Relay and the connections that have been made. Note the fields for BECN,
FECN, DE, DLCI, and LMI TYPE.
R1# show frame-relay map
R1# show frame-relay pvc
R1# show frame-relay lmi

Step 2: Verify end-to-end connectivity.


The PC and Laptop should be able to ping each other and the Web Server.

Packet Tracer – Skills Integration Challenge (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology


Addressing Table
Device     Interface  IPv4 Address     Subnet Mask      Default Gateway
R1         S0/0/0     10.0.0.1         255.255.255.248  N/A
R1         S0/0/1     209.165.201.2    255.255.255.252  N/A
R2         G0/0       10.1.100.1       255.255.255.0    N/A
R2         S0/0/0     10.0.0.2         255.255.255.248  N/A
R3         G0/0       10.1.150.1       255.255.255.0    N/A
R3         S0/0/0     10.0.0.3         255.255.255.248  N/A
R4         G0/0       10.1.200.1       255.255.255.0    N/A
R4         S0/0/0     10.0.0.4         255.255.255.248  N/A
Web        NIC        209.165.200.226  255.255.255.252  209.165.200.225
PC2        NIC        10.1.100.10      255.255.255.0    10.1.100.1
PC3        NIC        10.1.150.10      255.255.255.0    10.1.150.1
Tablet PC  NIC        10.1.150.20      255.255.255.0    10.1.150.1
Laptop     NIC        10.1.200.10      255.255.255.0    10.1.200.1

DLCI Mappings
From / To R1 R2 R3 R4
R1 - 102 103 104
R2 201 - 203 204
R3 301 302 - 304
R4 401 402 403 -

Background
This activity allows you to practice a variety of skills, including configuring Frame Relay, PPP with CHAP,
EIGRP, static, and default routing.

Requirements
R1
• Configure R1 to use PPP with CHAP on the link to the Internet. ISP is the router hostname. The
password for CHAP is cisco.
• Configure a default route to the Internet. Use the exit interface.
• Configure a static route to the LAN on R4. Use the next-hop IP address.
• Configure EIGRP.
- Use AS number 100.
- Advertise the entire 10.0.0.0/8 network and disable automatic summarization.
- Propagate the default route.
• Configure full mesh Frame Relay.
- Configure Frame Relay encapsulation.
- Configure a map to each of the other routers. The PVC to R4 uses IETF encapsulation.
- The LMI type is ANSI.

R2 and R3
• Configure EIGRP.
- Use AS number 100.
- Advertise the entire 10.0.0.0/8 network and disable automatic summarization.
- Do not send EIGRP messages out the LAN interfaces.
• Configure full mesh Frame Relay.
- Configure Frame Relay encapsulation.
- Configure a map to each of the other routers. The PVC to R4 uses IETF encapsulation.
- The LMI type is ANSI.

R4
• Configure static and default routing.
- Configure a static route for each of the LANs on R2 and R3. Use the next-hop IP address.
- Configure a default route to R1. Use the next-hop IP address.
• Configure full mesh Frame Relay.
- Configure Frame Relay encapsulation using IETF.
- Configure a map to each of the other routers.
- The LMI type is ANSI.

Verify End-to-End Connectivity
• All end devices should now be able to ping each other and the Web Server.
• If not, click Check Results to see what configurations you may still be missing. Implement necessary
fixes and retest for full end-to-end connectivity.

Configuration Scripts
Router R1
en
conf t
username ISP password 0 cisco
interface Serial0/0/0
encapsulation frame-relay
frame-relay map ip 10.0.0.2 102 broadcast
frame-relay map ip 10.0.0.3 103 broadcast
frame-relay map ip 10.0.0.4 104 broadcast ietf
frame-relay lmi-type ansi
interface Serial0/0/1
encapsulation ppp
ppp authentication chap
router eigrp 100
network 10.0.0.0
no auto-summary
redistribute static
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip route 10.1.200.0 255.255.255.0 10.0.0.4
end
copy run start

Router R2
en
conf t
interface Serial0/0/0
encapsulation frame-relay
frame-relay map ip 10.0.0.1 201 broadcast
frame-relay map ip 10.0.0.3 203 broadcast
frame-relay map ip 10.0.0.4 204 broadcast ietf
frame-relay lmi-type ansi
router eigrp 100
network 10.0.0.0
no auto-summary
passive-interface g0/0
end
copy run start

Router R3
en
conf t
interface Serial0/0/0
encapsulation frame-relay
frame-relay map ip 10.0.0.1 301 broadcast
frame-relay map ip 10.0.0.2 302 broadcast
frame-relay map ip 10.0.0.4 304 broadcast ietf
frame-relay lmi-type ansi
router eigrp 100
network 10.0.0.0
no auto-summary
passive-interface g0/0
end
copy run start

Router R4
en
conf t
interface Serial0/0/0
encapsulation frame-relay ietf
frame-relay map ip 10.0.0.1 401 broadcast
frame-relay map ip 10.0.0.2 402 broadcast
frame-relay map ip 10.0.0.3 403 broadcast
frame-relay lmi-type ansi
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 10.1.100.0 255.255.255.0 10.0.0.2
ip route 10.1.150.0 255.255.255.0 10.0.0.3
end
copy run start

Packet Tracer – Investigating NAT Operation (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Investigate NAT Operation Across the Intranet
Part 2: Investigate NAT Operation Across the Internet
Part 3: Conduct Further Investigations

Scenario
As a frame travels across a network, the MAC addresses may change. IP addresses can also change when a
packet is forwarded by a device configured with NAT. In this activity, we will investigate what happens to IP
addresses during the NAT process.


Part 1: Investigate NAT Operation Across the Intranet


Step 1: Wait for the network to converge.
It might take a few minutes for everything in the network to converge. You can speed the process up by
clicking on Fast Forward Time.

Step 2: Generate an HTTP request from any PC in the Central domain.


a. Open the Web Browser of any PC in the Central domain and type the following without pressing enter or
clicking Go: http://branchserver.pka.
b. Switch to Simulation mode and edit the filters to show only HTTP requests.
c. Click Go in the browser. A PDU envelope will appear.
d. Click Capture / Forward until the PDU is over D1 or D2. Record the source and destination IP
addresses. To what devices do those addresses belong? 10.X.X.X and 64.100.200.1. The PC and R4.
e. Click Capture / Forward until the PDU is over R2. Record the source and destination IP addresses in the
outbound packet. To what devices do those addresses belong? 64.100.100.X and 64.100.200.1. The first
address is not assigned to an interface. R4 is the second address.
f. Log in to R2 using ‘class’ to enter privileged EXEC mode and show the running configuration. The address
came from the following address pool:
ip nat pool R2Pool 64.100.100.3 64.100.100.31 netmask 255.255.255.224
g. Click Capture / Forward until the PDU is over R4. Record the source and destination IP addresses in the
outbound packet. To what devices do those addresses belong? 64.100.100.X and 172.16.0.3. The first
address is from R2Pool on R2. Branchserver.pka is the second address.
h. Click Capture / Forward until the PDU is over Branchserver.pka. Record the source and destination TCP
port addresses in the outbound segment.
i. On both R2 and R4, run the following command and match the IP addresses and ports recorded above to
the correct line of output:
R2# show ip nat translations
R4# show ip nat translations
j. What do the inside local IP addresses have in common? They are reserved for private use.
k. Did any private addresses cross the Intranet? No.
l. Return to Realtime mode.

Part 2: Investigate NAT Operation Across the Internet


Step 1: Generate an HTTP request from any computer in the home office.
a. Open the Web Browser of any computer in the home office and type the following without pressing enter
or clicking Go: http://centralserver.pka.
b. Switch to Simulation mode. The filters should already be set to show only HTTP requests.
c. Click Go in the browser. A PDU envelope will appear.
d. Click Capture / Forward until the PDU is over WRS. Record the inbound source and destination IP
addresses and the outbound source and destination addresses. To what devices do those addresses
belong? 192.168.0.X and 64.100.100.2, 64.104.223.2 and 64.100.100.2 The computer and R2, WRS and
R2.


e. Click Capture / Forward until the PDU is over R2. Record the source and destination IP addresses in the
outbound packet. To what devices do those addresses belong? 64.104.223.2 and 10.10.10.2 WRS and
centralserver.pka.
f. On R2, run the following command and match the IP addresses and ports recorded above to the correct
line of output:
R2# show ip nat translations
g. Return to Realtime mode. Did all of the web pages appear in the browsers? Yes.

Part 3: Conduct Further Investigations


a. Experiment with more packets, both HTTP and HTTPS. There are many questions to consider such as:
- Do the NAT translation tables grow?
- Does WRS have a pool of addresses?
- Is this how the computers in the classroom connect to the Internet?
- Why does NAT use four columns of addresses and ports?

Suggested Scoring Rubric

Activity Section                                Question Location  Possible Points  Earned Points
Part 1: Request a Web Page Across the Intranet  Step 2d            12
                                                Step 2e            12
                                                Step 2g            13
                                                Step 2j            12
                                                Step 2k            12
                                                Part 1 Total       61
Part 2: Request a Web Page Across the Internet  Step 1d            13
                                                Step 1e            13
                                                Step 1g            13
                                                Part 2 Total       39
                                                Total Score        100

Packet Tracer – Configuring Static NAT (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Test Access without NAT
Part 2: Configure Static NAT
Part 3: Test Access with NAT

Scenario
In IPv4 configured networks, clients and servers use private addressing. Before packets with private
addressing can cross the Internet, they need to be translated to public addressing. Servers that are
accessed from outside the organization are usually assigned both a public and a private static IP address. In
this activity, you will configure static NAT so that outside devices can access an inside server at its public
address.

Part 1: Test Access without NAT


Step 1: Attempt to connect to Server1 using Simulation Mode.
a. From PC1 or L1, attempt to connect to the Server1 web page at 172.16.16.1. Use the Web Browser to
browse Server1 at 172.16.16.1. The attempts should fail.
b. From PC1, ping the R1 S0/0/0 interface. The ping should succeed.

Step 2: View R1 routing table and running-config.


a. View the running configuration of R1. Note that there are no commands referring to NAT.
b. Verify that the routing table does not contain entries referring to the IP addresses used by PC1 and L1.
c. Verify that NAT is not being used by R1.
R1# show ip nat translations


Part 2: Configure Static NAT


Step 1: Configure static NAT statements.
Refer to the Topology. Create a static NAT translation to map the Server1 inside address to its outside
address.
R1(config)# ip nat inside source static 172.16.16.1 64.100.50.1

Step 2: Configure interfaces.


Configure the correct inside and outside interfaces.
R1(config)# interface g0/0
R1(config-if)# ip nat inside
R1(config-if)# interface s0/0/0
R1(config-if)# ip nat outside

Part 3: Test Access with NAT


Step 1: Verify connectivity to the Server1 web page.
a. From the command prompt on PC1 or L1, ping the public address for Server1. Pings should
succeed.
b. Verify that both PC1 and L1 can now access the Server1 web page.

Step 2: View NAT translations.


Use the following commands to verify the static NAT configuration:
show running-config
show ip nat translations
show ip nat statistics

Packet Tracer – Configuring Dynamic NAT (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Configure Dynamic NAT
Part 2: Verify NAT Implementation

Part 1: Configure Dynamic NAT


Step 1: Configure traffic that will be permitted.
On R2, configure one statement for ACL 1 to permit any address belonging to 172.16.0.0/16.
R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Step 2: Configure a pool of addresses for NAT.

Configure R2 with a NAT pool that uses all four addresses in the 209.165.76.196/30 address space.
R2(config)# ip nat pool any-name-here 209.165.76.196 209.165.76.199 netmask 255.255.255.252
Notice in the topology there are 3 network ranges that would be translated based on the ACL created. What
will happen if more than 2 devices attempt to access the Internet? The additional devices would be denied
access until one of the previous translations timed out freeing up an address to use.

Step 3: Associate ACL1 with the NAT pool.


R2(config)# ip nat inside source list 1 pool any-name-here


Step 4: Configure the NAT interfaces.


Configure R2 interfaces with the appropriate inside and outside NAT commands.
R2(config)# interface s0/0/0
R2(config-if)# ip nat outside
R2(config-if)# interface s0/0/1
R2(config-if)# ip nat inside

Part 2: Verify NAT Implementation


Step 1: Access services across the Internet.
From the web browser of L1, PC1, or PC2, access the web page for Server1.

Step 2: View NAT translations.


View the NAT translations on R2.
R2# show ip nat translations

Packet Tracer – Implementing Static and Dynamic NAT (Instructor Version)

Topology

Objectives
Part 1: Configure Dynamic NAT with PAT
Part 2: Configure Static NAT
Part 3: Verify NAT Implementation

Part 1: Configure Dynamic NAT with PAT


Step 1: Configure traffic that will be permitted for NAT translations.
On R2, configure a standard ACL named R2NAT that uses three statements to permit, in order, the following
private address spaces: 192.168.10.0/24, 192.168.20.0/24, and 192.168.30.0/24.
R2(config)# ip access-list standard R2NAT
R2(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R2(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R2(config-std-nacl)# permit 192.168.30.0 0.0.0.255

Step 2: Configure a pool of addresses for NAT.


Configure R2 with a NAT pool named R2POOL that uses the first three addresses in the 209.165.202.128/30
address space. The fourth address is used for static NAT later in Part 2.
R2(config)# ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask 255.255.255.252

Step 3: Associate the named ACL with the NAT pool and enable PAT.
R2(config)# ip nat inside source list R2NAT pool R2POOL overload


Step 4: Configure the NAT interfaces.


Configure R2 interfaces with the appropriate inside and outside NAT commands.
R2(config)# inte fa0/0
R2(config-if)# ip nat inside
R2(config-if)# inte s0/0/0
R2(config-if)# ip nat inside
R2(config-if)# inte s0/0/1
R2(config-if)# ip nat inside
R2(config-if)# inte s0/1/0
R2(config-if)# ip nat outside

Part 2: Configure Static NAT


Refer to the Topology. Create a static NAT translation to map the local.pka inside address to its outside
address.
R2(config)# ip nat inside source static 192.168.20.254 209.165.202.131

Part 3: Verify NAT Implementation


Step 1: Access services across the Internet.
a. From the web browser of PC1, or PC3, access the web page for cisco.pka.
b. From the web browser for PC4, access the web page for local.pka.

Step 2: View NAT translations.


View the NAT translations on R2.
R2# show ip nat translations

Packet Tracer – Configuring Port Forwarding on a Linksys Router (Instructor Version)

Topology

Addressing Table

Device  Interface  IP Address     Subnet Mask
LA      Internet   209.165.134.1  255.255.255.252
LA      LAN        192.168.0.1    255.255.255.0

Objectives
Part 1: Configure Port Forwarding
Part 2: Verify Remote Connectivity to ServerA

Scenario
Your friend wants to play a game with you on your server. Both of you are at your respective homes,
connected to the Internet. You need to configure your SOHO (Small Office, Home Office) router to port
forward HTTP requests to your server so that your friend can access the game lobby web page.

Part 1: Configure Port Forwarding


a. From the web browser on LaptopA, access LA by entering the LAN IP address, 192.168.0.1. The
username is admin and the password is cisco123.
b. Click Applications & Gaming. In the first dropdown on the left, choose HTTP and then enter 192.168.0.2
in the “To IP Address” column. This configures LA to forward port 80 to 192.168.0.2. Check the Enabled
box next to the address column.
c. Scroll to the bottom and click Save Settings.

Part 2: Verify Remote Connectivity to ServerA


From the web browser on PCA, enter the Internet IP address for LA. The game server web page should
appear.

Packet Tracer – Verifying and Troubleshooting NAT Configurations (Instructor Version)

Topology

Addressing Table

Device   Interface  IP Address      Subnet Mask      Default Gateway
R1       G0/0       10.4.10.254     255.255.255.0    N/A
R1       G0/1       10.4.11.254     255.255.255.0    N/A
R1       S0/0/1     10.4.1.2        255.255.255.252  N/A
R2       S0/0/0     209.165.76.194  255.255.255.224  N/A
R2       S0/0/1     10.4.1.1        255.255.255.252  N/A
Server1  NIC        64.100.201.5    255.255.255.0    64.100.201.1
PC1      NIC        10.4.10.1       255.255.255.0    10.4.10.254
PC2      NIC        10.4.10.2       255.255.255.0    10.4.10.254
L1       NIC        10.4.11.1       255.255.255.0    10.4.11.254
L2       NIC        10.4.11.2       255.255.255.0    10.4.11.254

Objectives
Part 1: Isolate Problems
Part 2: Troubleshoot NAT Configuration
Part 3: Verify Connectivity

Scenario
A contractor restored an old configuration to a new router running NAT. But, the network has changed and a
new subnet was added after the old configuration was backed up. It is your job to get the network working
again.

Part 1: Isolate Problems


Ping Server1 from PC1, PC2, L1, L2, and R2. Record the success of each ping. Ping any other machines as
needed.

Part 2: Troubleshoot NAT Configuration


Step 1: View the NAT translations on R2.
If NAT is working, there should be table entries.

Step 2: Show the running configuration of R2.


The NAT inside port should align with the private address, while the NAT outside port should align with the
public address.

Step 3: Correct the Interfaces.


Assign the ip nat inside and ip nat outside commands to the correct ports.
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat outside
R2(config-if)# interface Serial0/0/1
R2(config-if)# ip nat inside

Step 4: Ping Server1 from PC1, PC2, L1, L2, and R2.
Record the success of each ping. Ping any other machines as needed.

Step 5: View the NAT translations on R2.


If NAT is working, there should be table entries.

Step 6: Show Access-list 101 on R2.


The wildcard mask should encompass both the 10.4.10.0 network and the 10.4.11.0 network.

Step 7: Correct the Access-list.


Delete access-list 101 and replace it with a similar list that is also one statement in length. The only difference
should be the wildcard.
R2(config)# no access-list 101
R2(config)# access-list 101 permit ip 10.4.10.0 0.0.1.255 any
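
The wildcard check from Steps 6 and 7, as an added Python example that is not part of the original lab: it tests whether one ACL address/wildcard pair covers every inside subnet and counts the addresses it matches beyond them. The function name and the alternative wildcards tried in the test cases (0.0.0.255, 0.0.255.255) are assumptions; the page does not show the restored ACL.

```python
import ipaddress

# Inside subnets taken from the Addressing Table (PC1/PC2 and L1/L2 LANs).
INSIDE_NETWORKS = ["10.4.10.0/24", "10.4.11.0/24"]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def audit_nat_acl(acl_addr, wildcard, inside_networks):
    """Check one IOS ACL source address/wildcard pair against the inside subnets.

    Wildcard bits set to 1 are ignored when matching; bits set to 0 must equal
    the ACL address. Returns the subnets that are not fully matched and the
    number of matched addresses that lie outside the fully matched subnets
    (assumes the listed subnets do not overlap each other).
    """
    base = _to_int(acl_addr)
    wild = _to_int(wildcard)
    care = ~wild & 0xFFFFFFFF          # bits that must match exactly

    missing = []
    covered_size = 0
    for cidr in inside_networks:
        net = ipaddress.IPv4Network(cidr)
        # The subnet is fully matched when its fixed bits agree with the ACL
        # address and none of its host bits fall on a "must match" position.
        fixed_bits_agree = (int(net.network_address) & care) == (base & care)
        host_bits_ignored = (int(net.hostmask) & care) == 0
        if fixed_bits_agree and host_bits_ignored:
            covered_size += net.num_addresses
        else:
            missing.append(cidr)

    # Every ignored bit doubles the number of addresses the entry matches.
    matched = 2 ** bin(wild).count("1")
    return {"missing": missing, "extra_addresses": matched - covered_size}


if __name__ == "__main__":
    for wc in ("0.0.0.255", "0.0.1.255", "0.0.255.255"):
        print(wc, audit_nat_acl("10.4.10.0", wc, INSIDE_NETWORKS))
```

A wildcard that is too narrow leaves a subnet untranslated; one that is too wide still works in the lab but lets the NAT rule match addresses that were never meant to be translated.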


Part 3: Verify Connectivity


Step 1: Verify connectivity to Server1.
Record the success of each ping. All hosts should be able to ping Server1, R1, and R2. Troubleshoot if the
pings are not successful.

Step 2: View the NAT translations on R2.


NAT should display many table entries.

Packet Tracer – Skills Integration Challenge (Instructor Version)

Topology

Addressing Table
Instructor Note: The student version has blanks in place of all variables shown in double brackets.

Device       Interface  IP Address        Subnet Mask      Default Gateway
[[R1Name]]   G0/0.15    [[R1G0sub15Add]]  [[R1G0sub15SM]]  N/A
[[R1Name]]   G0/0.30    [[R1G0sub30Add]]  [[R1G0sub30SM]]  N/A
[[R1Name]]   G0/0.45    [[R1G0sub45Add]]  [[R1G0sub45SM]]  N/A
[[R1Name]]   G0/0.60    [[R1G0sub60Add]]  [[R1G0sub60SM]]  N/A
[[R1Name]]   S0/0/0     [[R1S000Add]]     255.255.255.252  N/A
[[R1Name]]   S0/0/1     [[R1S001Add]]     255.255.255.252  N/A
[[R1Name]]   S0/1/0     [[R1S010Add]]     255.255.255.252  N/A
[[R2Name]]   G0/0       [[R2G00Add]]      [[R2R3LanSM]]    N/A
[[R2Name]]   S0/0/0     [[R2S000Add]]     255.255.255.252  N/A
[[R2Name]]   S0/0/1     [[R2S001Add]]     255.255.255.252  N/A
[[R3Name]]   G0/0       [[R3G00Add]]      [[R2R3LanSM]]    N/A
[[R3Name]]   S0/0/0     [[R3S000Add]]     255.255.255.252  N/A
[[R3Name]]   S0/0/1     [[R3S001Add]]     255.255.255.252  N/A
[[S1Name]]   VLAN 60    [[S1VLAN60Add]]   [[R1G0sub60SM]]  [[R1G0sub60Add]]
[[PC1Name]]  NIC        DHCP Assigned     DHCP Assigned    DHCP Assigned

VLANs and Port Assignments Table

VLAN Number - Name  Port assignment  Network
15 - Servers        F0/11 - F0/20    [[R1-VLANsrvNet]]
30 - PCs            F0/1 - F0/10     [[R1-VLANpcNet]]
45 - Native         G0/1             [[R1-VLANntvNet]]
60 - Management     VLAN 60          [[R1-VLANmanNet]]

Scenario
This culminating activity includes many of the skills that you have acquired during this course. First, you will
complete the documentation for the network. So make sure you have a printed version of the instructions.
During implementation, you will configure VLANs, trunking, port security and SSH remote access on a switch.
Then, you will implement inter-VLAN routing and NAT on a router. Finally, you will use your documentation to
verify your implementation by testing end-to-end connectivity.

Documentation
You are required to fully document the network. You will need a print out of this instruction set, which will
include an unlabeled topology diagram:


- Label all the device names, network addresses and other important information that Packet Tracer
generated.
- Complete the Addressing Table and VLANs and Port Assignments Table.
- Fill in any blanks in the Implementation and Verification steps. The information is supplied when
you launch the Packet Tracer activity.

Implementation
Note: All devices in the topology except [[R1Name]], [[S1Name]], and [[PC1Name]] are fully configured. You
do not have access to the other routers. You can access all the servers and PCs for testing purposes.
Implement the following requirements using your documentation:
[[S1Name]]
• Configure remote management access including IP addressing and SSH:
  - Domain is cisco.com
  - User [[UserText]] with password [[UserPass]]
  - Crypto key length of 1024
  - SSH version 2, limited to 2 authentication attempts and a 60 second timeout
  - Clear text passwords should be encrypted.
• Configure, name and assign VLANs. Ports should be manually configured as access ports.
• Configure trunking.
• Implement port security:
  - On Fa0/1, allow 2 MAC addresses that are automatically added to the configuration file when detected. The port should not be disabled, but a syslog message should be captured if a violation occurs.
  - Disable all other unused ports.
[[R1Name]]
• Configure inter-VLAN routing.
• Configure DHCP services for VLAN 30. Use LAN as the case-sensitive name for the pool.
• Implement routing:
  - Use OSPF process ID 1 and router ID 1.1.1.1
  - Configure one network statement for the entire [[DisplayNet]] address space
  - Disable interfaces that should not send OSPF messages.
  - Configure a default route to the Internet.
• Implement NAT:
  - Configure a standard, one statement ACL number 1. All IP addresses belonging to the [[DisplayNet]] address space are allowed.
  - Refer to your documentation and configure static NAT for the File Server.
  - Configure dynamic NAT with PAT using a pool name of your choice, a /30 mask, and these two public addresses:
    [[NATPoolText]]
[[PC1Name]]


Verify [[PC1Name]] has received full addressing information from [[R1Name]].

Verification
All devices should now be able to ping all other devices. If not, troubleshoot your configurations to isolate and
solve problems. A few tests include:
• Verify remote access to [[S1Name]] by using SSH from a PC.
• Verify VLANs are assigned to appropriate ports and port security is in force.
• Verify OSPF neighbors and a complete routing table.
• Verify NAT translations and statics.
  - Outside Host should be able to access File Server at the public address.
  - Inside PCs should be able to access Web Server.
• Document any problems you encountered and the solutions in the Troubleshooting Documentation table below.

Troubleshooting Documentation

Problem Solution

Suggested Scoring Rubric


Packet Tracer scores 70 points. Documentation is worth 30 points.

ID:[[indexAdds]][[indexNames]]

*****************************************************
ISOMORPH ID KEY:
ID = XY where;
X = indexAdds for /24 private address space
Y = indexNAMES for device names
Note: Each seed contains variables that are independent
of the other seeds. You do not need to test all the
various combinations.
=======================================================
ISOMORPH ID = 00
=======================================================
!HQ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
en
conf t
ip dhcp pool LAN
network 172.16.15.32 255.255.255.224
default-router 172.16.15.33
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.15
encapsulation dot1Q 15
ip address 172.16.15.17 255.255.255.240
ip nat inside
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 172.16.15.33 255.255.255.224
ip nat inside
interface GigabitEthernet0/0.45
encapsulation dot1Q 45 native
ip address 172.16.15.1 255.255.255.248
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 172.16.15.9 255.255.255.248
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/0
network 172.16.15.0 0.0.0.255 area 0
!
ip nat pool TEST 209.165.200.225 209.165.200.226 netmask 255.255.255.252
ip nat inside source list 1 pool TEST overload
ip nat inside source static 172.16.15.18 209.165.200.227
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
access-list 1 permit 172.16.15.0 0.0.0.255
interface s0/0/0
ip nat inside
interface s0/0/1
ip nat inside
interface s0/1/0
ip nat outside
end
wr
!!!!!!!!!!!!!!!!!!!!!!!!


!HQ-Sw!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
en
conf t
int vlan 60
ip add 172.16.15.10 255.255.255.248
no shut
ip default-gateway 172.16.15.9
vlan 15
name Servers
vlan 30
name PCs
vlan 45
name Native
vlan 60
name Management
interface range fa0/1 - 10
switchport mode access
switchport access vlan 30
interface fa0/1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
interface range fa0/11 - 20
switchport mode access
switchport access vlan 15
interface g0/1
switchport mode trunk
switchport trunk native vlan 45
interface range fa0/21 - 24 , g0/2
shutdown
ip domain-name cisco.com
crypto key gen rsa
1024

user HQadmin pass ciscoclass


service password-encryption
ip ssh version 2
ip ssh auth 2
ip ssh time 60
line vty 0 15
login local
transport input ssh


=======================================================
ISOMORPH ID = 11
=======================================================
!Admin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
en
conf t
ip dhcp pool LAN
network 10.10.10.192 255.255.255.192
default-router 10.10.10.193
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.15
encapsulation dot1Q 15
ip address 10.10.10.161 255.255.255.224
ip nat inside
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.10.10.193 255.255.255.192
ip nat inside
interface GigabitEthernet0/0.45
encapsulation dot1Q 45 native
ip address 10.10.10.129 255.255.255.240
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.10.10.145 255.255.255.240
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/0
network 10.10.10.0 0.0.0.255 area 0
interface s0/0/0
ip nat inside
interface s0/0/1
ip nat inside
interface s0/1/0
ip nat outside
!
ip nat pool TEST 198.133.219.128 198.133.219.129 netmask 255.255.255.252
ip nat inside source list 1 pool TEST overload
ip nat inside source static 10.10.10.162 198.133.219.130
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
access-list 1 permit 10.10.10.0 0.0.0.255
end
wr
!!!!!!!!!!!!!!!!!!!!!!!!
!Admin-Sw!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


en
conf t
int vlan 60
ip add 10.10.10.146 255.255.255.240
no shut
ip default-gateway 10.10.10.145
vlan 15
name Servers
vlan 30
name PCs
vlan 45
name Native
vlan 60
name Management
interface range fa0/1 - 10
switchport mode access
switchport access vlan 30
interface fa0/1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
interface range fa0/11 - 20
switchport mode access
switchport access vlan 15
interface g0/1
switchport mode trunk
switchport trunk native vlan 45
interface range fa0/21 - 24 , g0/2
shutdown
ip domain-name cisco.com
crypto key gen rsa
1024

user Admin pass letmein


service password-encryption
ip ssh version 2
ip ssh auth 2
ip ssh time 60
line vty 0 15
login local
transport input ssh

===============================================================
ISOMORPH ID: 22
===============================================================
!Central!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
en
conf t
ip dhcp pool LAN
network 192.168.45.128 255.255.255.192
default-router 192.168.45.129
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.15
encapsulation dot1Q 15
ip address 192.168.45.65 255.255.255.192
ip nat inside
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.45.129 255.255.255.192
ip nat inside
interface GigabitEthernet0/0.45
encapsulation dot1Q 45 native
ip address 192.168.45.17 255.255.255.240
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 192.168.45.33 255.255.255.240
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/0
network 192.168.45.0 0.0.0.255 area 0
interface s0/0/0
ip nat inside
interface s0/0/1
ip nat inside
interface s0/1/0
ip nat outside
!
ip nat pool TEST 64.100.32.56 64.100.32.57 netmask 255.255.255.252
ip nat inside source list 1 pool TEST overload
ip nat inside source static 192.168.45.66 64.100.32.58
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
access-list 1 permit 192.168.45.0 0.0.0.255
end
wr
!!!!!!!!!!!!!!!!!!!!!!!!
!Cnt-Sw!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
en
conf t


int vlan 60
ip add 192.168.45.34 255.255.255.240
no shut
ip default-gateway 192.168.45.33
vlan 15
name Servers
vlan 30
name PCs
vlan 45
name Native
vlan 60
name Management
interface range fa0/1 - 10
switchport mode access
switchport access vlan 30
interface fa0/1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
interface range fa0/11 - 20
switchport mode access
switchport access vlan 15
interface g0/1
switchport mode trunk
switchport trunk native vlan 45
interface range fa0/21 - 24 , g0/2
shutdown
ip domain-name cisco.com
crypto key gen rsa
1024

user CAdmin pass itsasecret


service password-encryption
ip ssh version 2
ip ssh auth 2
ip ssh time 60
line vty 0 15
login local
transport input ssh

Packet Tracer – Configuring VPNs (Optional) (Instructor Version)

Topology

Addressing Table

Device  Interface  IP Address   Subnet Mask      Default Gateway
R1      G0/0       192.168.1.1  255.255.255.0    N/A
R1      S0/0/0     10.1.1.2     255.255.255.252  N/A
R2      G0/0       192.168.2.1  255.255.255.0    N/A
R2      S0/0/0     10.1.1.1     255.255.255.252  N/A
R2      S0/0/1     10.2.2.1     255.255.255.252  N/A
R3      G0/0       192.168.3.1  255.255.255.0    N/A
R3      S0/0/1     10.2.2.2     255.255.255.252  N/A
PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
PC-B    NIC        192.168.2.3  255.255.255.0    192.168.2.1
PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1


ISAKMP Phase 1 Policy Parameters

Parameters                                      R1         R3
Key distribution method  Manual or ISAKMP       ISAKMP     ISAKMP
Encryption algorithm     DES, 3DES, or AES      AES        AES
Hash algorithm           MD5 or SHA-1           SHA-1      SHA-1
Authentication method    Pre-shared keys or RSA pre-share  pre-share
Key exchange             DH Group 1, 2, or 5    DH 2       DH 2
IKE SA Lifetime          86400 seconds or less  86400      86400
ISAKMP Key                                      cisco      cisco

Bolded parameters are defaults. Other parameters need to be explicitly configured.

IPsec Phase 2 Policy Parameters

Parameters               R1              R3
Transform Set            VPN-SET         VPN-SET
Peer Hostname            R3              R1
Peer IP Address          10.2.2.2        10.1.1.2
Network to be encrypted  192.168.1.0/24  192.168.3.0/24
Crypto Map name          VPN-MAP         VPN-MAP
SA Establishment         ipsec-isakmp    ipsec-isakmp

Objectives
Part 1: Enable Security Features
Part 2: Configure IPsec Parameters on R1
Part 3: Configure IPsec Parameters on R3
Part 4: Verify the IPsec VPN

Scenario
In this activity, you will configure two routers to support a site-to-site IPsec VPN for traffic flowing from their
respective LANs. The IPsec VPN traffic will pass through another router that has no knowledge of the VPN.
IPsec provides secure transmission of sensitive information over unprotected networks such as the Internet.
IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices
(peers), such as Cisco routers.

Part 1: Enable Security Features


Step 1: Activate securityk9 module.
The Security Technology Package license must be enabled to complete this activity.


Note: Both the user EXEC and privileged EXEC password is cisco.
a. Issue the show version command in the user EXEC or privileged EXEC mode to verify that the Security
Technology Package license is activated.
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None

Configuration register is 0x2102


b. If not, activate the securityk9 module for the next boot of the router, accept the license, save the
configuration, and reboot.
R1(config)# license boot module c2900 technology-package securityk9
R1(config)# end
R1# copy running-config startup-config
R1# reload
c. After the reloading is completed, issue the show version again to verify the Security Technology
Package license activation.
Technology Package License Information for Module:'c2900'

----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Evaluation securityk9
uc None None None
data None None None
d. Repeat Steps 1a to 1c with R3.

Part 2: Configure IPsec Parameters on R1


Step 1: Test connectivity.
Ping from PC-A to PC-C.

Step 2: Identify interesting traffic on R1.


Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This interesting
traffic will trigger the IPsec VPN to be implemented whenever there is traffic between the R1 and R3 LANs. All
other traffic sourced from the LANs will not be encrypted. Remember that due to the implicit deny any, there is
no need to add the statement to the list.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255


Step 3: Configure the ISAKMP Phase 1 properties on R1.


Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key cisco. Refer to the
ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured;
therefore, only the encryption, key exchange method, and DH method must be configured.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco address 10.2.2.2

Step 4: Configure the ISAKMP Phase 2 properties on R1.


Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP
that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an
ipsec-isakmp map.
R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step 5: Configure the crypto map on the outgoing interface.


Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface. Note: This is not graded.
R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

Part 3: Configure IPsec Parameters on R3


Step 1: Configure router R3 to support a site-to-site VPN with R1.
Now configure reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN on R3
to the LAN on R1 as interesting.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure the ISAKMP Phase 1 properties on R3.


Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key cisco.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 10.1.1.2


Step 3: Configure the ISAKMP Phase 2 properties on R3.


Like you did on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the
crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and
identify it as an ipsec-isakmp map.
R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

Step 4: Configure the crypto map on the outgoing interface.


Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.
R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

Part 4: Verify the IPsec VPN


Step 1: Verify the tunnel prior to interesting traffic.
Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated,
encrypted, decapsulated and decrypted are all set to 0.
R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: VPN-MAP, local addr 10.1.1.2

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.2, remote crypto endpt.:10.2.2.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
<output omitted>

Step 2: Create interesting traffic.


Ping PC-C from PC-A.


Step 3: Verify the tunnel after interesting traffic.


On R1, re-issue the show crypto ipsec sa command. Now notice that the number of packets is more than 0
indicating that the IPsec VPN tunnel is working.
R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: VPN-MAP, local addr 10.1.1.2

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.1.2, remote crypto endpt.:10.2.2.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0A496941(172583233)
<output omitted>

Step 4: Create uninteresting traffic.


Ping PC-B from PC-A.

Step 5: Verify the tunnel.


On R1, re-issue the show crypto ipsec sa command. Finally, notice that the number of packets has not
changed verifying that uninteresting traffic is not encrypted.
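
The before/after comparison from Part 4, as an added Python example that is not part of the original lab: it parses the counters and outbound SPI from show crypto ipsec sa and classifies the change between two captures. The sample text is trimmed from the two outputs shown above; the function names and verdict labels are assumptions, and the parser handles a single SA block as in this lab.

```python
import re

COUNTERS = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")

# Trimmed from the Step 1 output (before interesting traffic).
BEFORE = """\
interface: Serial0/0/0
Crypto map tag: VPN-MAP, local addr 10.1.1.2
current_peer 10.2.2.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
"""

# Trimmed from the Step 3 output (after pinging PC-C from PC-A).
AFTER = """\
interface: Serial0/0/0
Crypto map tag: VPN-MAP, local addr 10.1.1.2
current_peer 10.2.2.2 port 500
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#send errors 1, #recv errors 0
current outbound spi: 0x0A496941(172583233)
"""


def parse_sa(text):
    """Extract packet counters, error counters and outbound SPI from one SA."""
    sa = {"encaps": 0, "encrypt": 0, "decaps": 0, "decrypt": 0,
          "send_errors": 0, "recv_errors": 0, "outbound_spi": 0}
    for name, value in COUNTERS.findall(text):
        sa[name] = int(value)
    errors = ERRORS.search(text)
    if errors:
        sa["send_errors"] = int(errors.group(1))
        sa["recv_errors"] = int(errors.group(2))
    spi = SPI.search(text)
    if spi:
        sa["outbound_spi"] = int(spi.group(1), 16)
    return sa


def verdict(before_text, after_text):
    """Classify what happened between two captures of the same SA."""
    before, after = parse_sa(before_text), parse_sa(after_text)
    if after["outbound_spi"] == 0:
        return "NO_SA"            # no IPsec SA has been negotiated yet
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent == 0 and received == 0:
        return "UNCHANGED"        # traffic in between was not protected
    if sent > 0 and received > 0:
        return "PROTECTED"        # packets were encrypted in both directions
    return "ONE_WAY"              # only one direction used the tunnel


if __name__ == "__main__":
    print(verdict(BEFORE, BEFORE), verdict(BEFORE, AFTER), verdict(AFTER, AFTER))
```

UNCHANGED after the ping to PC-B is the result Step 5 expects; ONE_WAY usually points at crypto ACLs on the two peers that do not mirror each other.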

Configuration Scripts

Router R1
en
conf t
license boot module c2900 technology-package securityk9
yes
end
copy ru st

reload

en
conf t


service password-encryption
hostname R1
enable secret cisco
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R3
set peer 10.2.2.2
set transform-set VPN-SET
match address 110
ip name-server 0.0.0.0
spanning-tree mode pvst
interface gig0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
no shut
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
clock rate 128000
crypto map VPN-MAP
no shut
router eigrp 100
passive-interface FastEthernet0/0
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
banner motd ~
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.~
logging trap debugging
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end
copy ru st

Router R3
en
conf t


license boot module c2900 technology-package securityk9


yes
end
copy ru st

reload

en
conf t
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname R3
enable secret cisco
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R1
set peer 10.1.1.2
set transform-set VPN-SET
match address 110
ip name-server 0.0.0.0
spanning-tree mode pvst
interface gig0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
no shut
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
crypto map VPN-MAP
no shut
router eigrp 100
passive-interface FastEthernet0/1
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
ip classless
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
banner motd ~
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.~
line con 0
password 7 cisco

login
line vty 0 4
password 7 cisco
login
end
copy ru st

Packet Tracer – Configuring GRE (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device  Interface  IP Address      Subnet Mask      Default Gateway
RA      G0/0       192.168.1.1     255.255.255.0    N/A
RA      S0/0/0     64.103.211.2    255.255.255.252  N/A
RA      Tunnel 0   10.10.10.1      255.255.255.252  N/A
RB      G0/0       192.168.2.1     255.255.255.0    N/A
RB      S0/0/0     209.165.122.2   255.255.255.252  N/A
RB      Tunnel 0   10.10.10.2      255.255.255.252  N/A
PC-A    NIC        192.168.1.2     255.255.255.0    192.168.1.1
PC-C    NIC        192.168.2.2     255.255.255.0    192.168.2.1

Objectives
Part 1: Verify Router Connectivity
Part 2: Configure GRE Tunnels
Part 3: Verify PC Connectivity

Scenario
You are the network administrator for a company which wants to set up a GRE tunnel to a remote office. Both
networks are locally configured, and need only the tunnel configured.


Part 1: Verify Router Connectivity


Step 1: Ping RA from RB.
a. Use the show ip interface brief command on RA to determine the IP address of the S0/0/0 port.
b. From RB ping the IP S0/0/0 address of RA.

Step 2: Ping PCA from PCB.


Attempt to ping the IP address of PCA from PCB. We will repeat this test after configuring the GRE tunnel.
What were the ping results? Why? The pings failed because there is no route to the destination.

Part 2: Configure GRE Tunnels


Step 1: Configure the Tunnel 0 interface of RA.
a. Enter into the configuration mode for RA Tunnel 0.
RA(config)# interface tunnel 0
b. Set the IP address as indicated in the Addressing Table.
RA(config-if)# ip address 10.10.10.1 255.255.255.252
c. Set the source and destination for the endpoints of Tunnel 0.
RA(config-if)# tunnel source s0/0/0
RA(config-if)# tunnel destination 209.165.122.2
d. Configure Tunnel 0 to convey IP traffic over GRE.
RA(config-if)# tunnel mode gre ip
e. The Tunnel 0 interface should already be active. In the event that it is not, treat it like any other interface.
RA(config-if)# no shutdown

Step 2: Configure the Tunnel 0 interface of RB.


Repeat Steps 1a – e with RB. Be sure to change the IP addressing as appropriate.
RB(config)# interface tunnel 0
RB(config-if)# ip address 10.10.10.2 255.255.255.252
RB(config-if)# tunnel source s0/0/0
RB(config-if)# tunnel destination 64.103.211.2
RB(config-if)# tunnel mode gre ip
RB(config-if)# no shutdown

Step 3: Configure a route for private IP traffic.


Establish a route between the 192.168.X.X networks using the 10.10.10.0/30 network as the destination.
RA(config)# ip route 192.168.2.0 255.255.255.0 10.10.10.2
RB(config)# ip route 192.168.1.0 255.255.255.0 10.10.10.1


Part 3: Verify Router Connectivity


Step 1: Ping PCA from PCB.
Attempt to ping the IP address of PCA from PCB. The ping should be successful.

Step 2: Trace the path from PCA to PCB.


Attempt to trace the path from PCA to PCB. Note the lack of public IP addresses in the output.

Device Configs

Router RA
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RA
license udi pid CISCO2911/K9 sn FTX15242579
spanning-tree mode pvst
interface Tunnel0
ip address 10.10.10.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.122.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.103.211.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
line con 0

line aux 0
line vty 0 4
login
end

Router RB
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
license udi pid CISCO2911/K9 sn FTX152497Z4
spanning-tree mode pvst
interface Tunnel0
ip address 10.10.10.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.103.211.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 209.165.122.2 255.255.255.252
!
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
line con 0
line aux 0
line vty 0 4
login
end

Packet Tracer – Troubleshooting GRE (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device  Interface  IP Address      Subnet Mask      Default Gateway
RA      G0/0       172.31.0.1      255.255.255.0    N/A
RA      S0/0/0     209.165.122.2   255.255.255.252  N/A
RA      Tunnel 0   192.168.1.1     255.255.255.252  N/A
RB      G0/0       172.31.1.1      255.255.255.0    N/A
RB      S0/0/0     64.103.211.2    255.255.255.252  N/A
RB      Tunnel 0   192.168.1.2     255.255.255.252  N/A
PC-A    NIC        172.31.0.2      255.255.255.0    172.31.0.1
PC-C    NIC        172.31.1.2      255.255.255.0    172.31.1.1

Objectives
• Find and Correct All Network Errors
• Verify Connectivity

Scenario
A junior network administrator was hired to set up a GRE tunnel between two sites and was unable to complete
the task. You have been asked to correct configuration errors in the company network.


Part 1: Find and Correct All Network Errors.


Device: RA
Error: G0/0 IP interface and subnet mask is not correct. Tunnel address must be removed to prevent overlap error.
Correction:
interface Tunnel 0
no ip address
interface g0/0
ip address 172.31.0.1 255.255.255.0

Device: RA
Error: T0 IP address is not correct.
Correction:
interface Tunnel 0
ip address 192.168.1.1 255.255.255.252

Device: RA
Error: Static route is not correct.
Correction:
no ip route 172.31.1.0 255.255.255.0 64.103.211.2
ip route 172.31.1.0 255.255.255.0 192.168.1.2

Device: RB
Error: Tunnel destination address is not correct.
Correction:
tunnel destination 209.165.122.2

Device: RB
Error: Tunnel source port is not correct.
Correction:
tunnel source Serial0/0/0
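The tunnel checks behind the Configuring GRE steps and the error list above can be run mechanically against both routers' configurations. The Python script below is an added example, not part of the Cisco lab: it reports mismatched tunnel endpoints, tunnel addresses, and static-route next hops. Its function names and RB's faulty source and destination values are assumptions made for illustration, and it expects full interface names such as Serial0/0/0.

```python
import ipaddress

# Constructed sample. Addresses follow the lab's Addressing Table and RA's bad
# static route is the one listed in the error table; RB's bad tunnel source and
# destination values are invented for illustration.
RA_BROKEN = """\
hostname RA
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 64.103.211.2
interface Serial0/0/0
 ip address 209.165.122.2 255.255.255.252
ip route 172.31.1.0 255.255.255.0 64.103.211.2
"""
RB_BROKEN = """\
hostname RB
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 209.165.122.1
interface GigabitEthernet0/0
 ip address 172.31.1.1 255.255.255.0
interface Serial0/0/0
 ip address 64.103.211.2 255.255.255.252
ip route 172.31.0.0 255.255.255.0 192.168.1.1
"""
# Corrected values as shown in the lab's Device Configs.
RA_FIXED = RA_BROKEN.replace("255.255.255.0 64.103.211.2", "255.255.255.0 192.168.1.2")
RB_FIXED = (RB_BROKEN.replace("tunnel source GigabitEthernet0/0", "tunnel source Serial0/0/0")
            .replace("209.165.122.1", "209.165.122.2"))


def parse(cfg):
    """Return (hostname, {interface: settings}, [(network, next_hop)])."""
    hostname, ifaces, routes, cur = "?", {}, [], None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "hostname" and len(w) == 2:
            hostname = w[1]
        elif w[0] == "interface":
            cur = ifaces.setdefault("".join(w[1:]), {})   # "Tunnel 0" -> "Tunnel0"
        elif w[:2] == ["ip", "route"] and len(w) == 5:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
        elif cur is not None and w[:2] == ["ip", "address"] and len(w) == 4:
            cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif cur is not None and w[:2] == ["tunnel", "source"]:
            cur["source"] = "".join(w[2:])
        elif cur is not None and w[:2] == ["tunnel", "destination"] and len(w) == 3:
            cur["dest"] = ipaddress.ip_address(w[2])
    return hostname, ifaces, routes


def one_way(local, remote, remote_lan, tunnel):
    """Findings for the local router's view of the tunnel towards the remote."""
    l_name, l_if, l_routes = local
    r_name, r_if, _ = remote
    lt, rt = l_if.get(tunnel, {}), r_if.get(tunnel, {})
    out = []
    # The local tunnel destination must be the address of the interface the
    # remote router names as its tunnel source.
    r_src = r_if.get(rt.get("source", ""), {}).get("ip")
    if r_src is None:
        out.append(f"{r_name}: tunnel source {rt.get('source')} has no IP address")
    elif lt.get("dest") != r_src.ip:
        out.append(f"{l_name}: tunnel destination {lt.get('dest')} does not match "
                   f"{r_name} tunnel source address {r_src.ip}")
    # The route to the remote LAN must point at the remote tunnel address.
    want = rt.get("ip")
    hops = [nh for net, nh in l_routes if net == remote_lan]
    if want is None or hops != [str(want.ip)]:
        out.append(f"{l_name}: route to {remote_lan} uses next hop {hops or 'none'}, "
                   f"expected {want.ip if want else 'unknown'}")
    return out


def audit_pair(cfg_a, cfg_b, lan_a, lan_b, tunnel="Tunnel0"):
    """Compare both ends of one GRE tunnel; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = one_way(a, b, ipaddress.ip_network(lan_b), tunnel)
    findings += one_way(b, a, ipaddress.ip_network(lan_a), tunnel)
    ta, tb = a[1].get(tunnel, {}).get("ip"), b[1].get(tunnel, {}).get("ip")
    if ta is None or tb is None or ta.network != tb.network or ta.ip == tb.ip:
        findings.append("tunnel addresses are not two distinct hosts in one subnet")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(RA_BROKEN, RB_BROKEN, "172.31.0.0/24", "172.31.1.0/24"):
        print(finding)
```

A mismatch between one router's tunnel destination and the other's tunnel source is reported against the destination side, so confirm which end is actually wrong against the Addressing Table.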

Part 2: Verify Connectivity


Step 1: Ping PCA from PCB.
Attempt to ping the IP address of PCA from PCB. The ping should be successful.

Step 2: Trace the path from PCA to PCB.


Attempt to trace the path from PCA to PCB. Note the lack of public IP addresses in the output.

Device Configs

Router RA
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RA
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.103.211.2

tunnel mode gre ip


interface GigabitEthernet0/0
ip address 172.31.0.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 209.165.122.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.31.1.0 255.255.255.0 192.168.1.2
line con 0
line aux 0
line vty 0 4
login
end

Router RB
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname RB
interface Tunnel0
ip address 192.168.1.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.122.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 172.31.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto

speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.103.211.2 255.255.255.252
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.31.0.0 255.255.255.0 192.168.1.1
line con 0
line aux 0
line vty 0 4
login
end

Packet Tracer – Configuring GRE over IPsec (Optional) (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology


Addressing Table

Device   Interface  IP Address      Subnet Mask      Default Gateway
R1       G0/0       10.0.0.1        255.0.0.0        N/A
R1       S0/0/0     209.165.118.2   255.255.255.252  N/A
R1       Tunnel 0   192.168.0.1     255.255.255.252  N/A
R1       Tunnel 1   192.168.0.5     255.255.255.252  N/A
R2       G0/0       172.16.0.1      255.255.252.0    N/A
R2       S0/0/0     64.100.13.2     255.255.255.252  N/A
R2       Tunnel 0   192.168.0.2     255.255.255.252  N/A
R3       G0/0       172.16.4.1      255.255.252.0    N/A
R3       S0/0/0     64.102.46.2     255.255.255.252  N/A
R3       Tunnel 0   192.168.0.6     255.255.255.252  N/A
Server1  NIC        10.0.0.2        255.0.0.0        10.0.0.1
L2       NIC        172.16.0.2      255.255.252.0    172.16.0.1
PC3      NIC        172.16.4.2      255.255.252.0    172.16.4.1

Objectives
Part 1: Verify Router Connectivity
Part 2: Enable Security Features
Part 3: Configure IPSec Parameters
Part 4: Configure GRE Tunnels over IPSec
Part 5: Verify Connectivity

Scenario
You are the network administrator for a company which wants to set up a GRE tunnel over IPsec to remote
offices. All networks are locally configured, and need only the tunnel and the encryption configured.

Part 1: Verify Router Connectivity


Step 1: Ping R2 and R3 from R1.
a. From R1, ping the IP address of S0/0/0 on R2.
b. From R1, ping the IP address of S0/0/0 on R3.

Step 2: Ping Server1 from L2 and PC3.


Attempt to ping the IP address of Server1 from L2. We will repeat this test after configuring the GRE tunnel
over IPsec. What were the ping results? Why? The pings failed because there is no route to the destination.


Step 3: Ping PC3 from L2.


Attempt to ping the IP address of PC3 from L2. We will repeat this test after configuring the GRE tunnel over
IPsec. What were the ping results? Why? The pings failed because there is no route to the destination.

Part 2: Enable Security Features


Step 1: Activate securityk9 module.
The Security Technology Package license must be enabled to complete this activity.
a. Issue the show version command in the user EXEC or privileged EXEC mode to verify that the Security
Technology Package license is activated.
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None

Configuration register is 0x2102


b. If not, activate the securityk9 module for the next boot of the router, accept the license, save the
configuration, and reboot.
R1(config)# license boot module c2900 technology-package securityk9
<Accept the License>
R1(config)# end
R1# copy running-config startup-config
R1# reload
c. After the reloading is completed, issue the show version again to verify the Security Technology
Package license activation.
Technology Package License Information for Module:'c2900'

----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Evaluation securityk9
uc None None None
data None None None
d. Repeat Steps 1a to 1c with R2 and R3.


Part 3: Configure IPsec Parameters


Step 1: Identify interesting traffic on R1.
a. Configure ACL 101 to identify the traffic from the LAN on R1 to the LAN on R2 and R3 as interesting. This
interesting traffic will trigger the IPsec VPN to be implemented whenever there is traffic between the R1
and R2 - R3 LANs. All other traffic sourced from the LANs will not be encrypted. Remember that because
of the implicit deny any, there is no need to add the statement to the list.
R1(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255
b. Repeat Step 1a to configure ACL 101 to identify the traffic on the LAN of R3 as interesting.
R1(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.4.0 0.0.3.255

Step 2: Configure the ISAKMP Phase 1 properties on R1.


a. Configure the crypto ISAKMP policy 101 properties on R1 along with the shared crypto key cisco. Default
values do not have to be configured; therefore, only the encryption, key exchange method, and DH method
must be configured.
R1(config)# crypto isakmp policy 101
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
b. Generate isakmp keys for each peer of R1.
R1(config)# crypto isakmp key cisco address 64.100.13.2
R1(config)# crypto isakmp key cisco address 64.102.46.2

Step 3: Configure the ISAKMP Phase 2 properties on R1.


a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac. Then create the crypto map
VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 101 and identify it as
an ipsec-isakmp map.
R1(config)# crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
R1(config)# crypto map R1_Map 101 ipsec-isakmp
R1(config-crypto-map)# set peer 64.100.13.2
R1(config-crypto-map)# set peer 64.102.46.2
R1(config-crypto-map)# set transform-set R1_Set
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit

Step 4: Configure the crypto map on the outgoing interface.


Finally, bind the R1_Map crypto map to the outgoing Serial 0/0/0 interface. Note: This is not graded.
R1(config)# interface S0/0/0
R1(config-if)# crypto map R1_Map


Step 5: Configure IPsec Parameters on R2 and R3


Repeat Steps 1-4 on R2 and R3. Modify the set and map names from R1 to R2 and R3. Use the same
extended ACL number, 101. Note that each router only needs one encrypted connection to R1. There is no
encrypted connection between R2 and R3.
R2(config)#access-list 101 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
R2(config)#crypto isakmp policy 101
R2(config-isakmp)# encryption aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 5
R2(config-isakmp)# exit
R2(config)#crypto isakmp key cisco address 209.165.118.2
R2(config)#crypto ipsec transform-set R2_Set esp-aes esp-sha-hmac
R2(config)#crypto map R2_Map 101 ipsec-isakmp
R2(config-crypto-map)# set peer 209.165.118.2
R2(config-crypto-map)# set transform-set R2_Set
R2(config-crypto-map)# match address 101
R2(config-crypto-map)#interface Serial0/0/0
R2(config-if)# crypto map R2_Map
R2(config-if)#interface Tunnel0
R2(config-if)# ip address 192.168.0.2 255.255.255.252
R2(config-if)# tunnel source Serial0/0/0
R2(config-if)# tunnel destination 209.165.118.2
R2(config-if)# tunnel mode gre ip
R2(config-if)#ip route 10.0.0.0 255.0.0.0 192.168.0.1
R2(config)#end

R3(config)#access-list 101 permit ip 172.16.4.0 0.0.3.255 10.0.0.0 0.255.255.255
R3(config)#crypto isakmp policy 101
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco address 209.165.118.2
R3(config)#crypto ipsec transform-set R3_Set esp-aes esp-sha-hmac
R3(config)#crypto map R3_Map 101 ipsec-isakmp
R3(config-crypto-map)# set peer 209.165.118.2
R3(config-crypto-map)# set transform-set R3_Set
R3(config-crypto-map)# match address 101
R3(config-crypto-map)#interface S0/0/0
R3(config-if)# crypto map R3_Map
R3(config-if)#interface Tunnel 0

R3(config-if)# ip address 192.168.0.6 255.255.255.252

R3(config-if)# tunnel source serial 0/0/0


R3(config-if)# tunnel destination 209.165.118.2
R3(config-if)# tunnel mode gre ip
R3(config-if)#ip route 10.0.0.0 255.0.0.0 192.168.0.5
R3(config)#end
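Steps 1 to 5 only produce a working security association if both ends agree on the ISAKMP policy, the pre-shared key, the transform set, and mirrored crypto ACL entries. The Python script below is an added example, not part of the Cisco lab, that compares the hub's configuration with one spoke's and lists any disagreement. Its function names and the R2_BAD variant are assumptions made for illustration, and it handles one ISAKMP policy and one crypto map per router.

```python
# R1 and R2 below are the crypto lines from the lab's configuration for those
# routers. R2_BAD is a constructed variant: a different DH group and an ACL
# entry whose wildcard no longer mirrors R1's.
R1 = """\
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.4.0 0.0.3.255
crypto isakmp policy 101
 encryption aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 64.100.13.2
crypto isakmp key cisco address 64.102.46.2
crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
crypto map R1_Map 101 ipsec-isakmp
 set peer 64.100.13.2
 set peer 64.102.46.2
 set transform-set R1_Set
 match address 101
"""
R2 = """\
access-list 101 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 101
 encryption aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 209.165.118.2
crypto ipsec transform-set R2_Set esp-aes esp-sha-hmac
crypto map R2_Map 101 ipsec-isakmp
 set peer 209.165.118.2
 set transform-set R2_Set
 match address 101
"""
R2_BAD = (R2.replace("group 5", "group 2")
          .replace("172.16.0.0 0.0.3.255", "172.16.0.0 0.0.0.255"))


def parse_crypto(cfg):
    """Collect ISAKMP, key, crypto-map and ACL settings (one policy, one map)."""
    c = {"isakmp": {}, "keys": {}, "peers": set(), "tsets": {},
         "used_tsets": set(), "acl_ids": set(), "acls": {}}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] in ("encr", "encryption"):          # running-config shows "encr"
            c["isakmp"]["encryption"] = " ".join(w[1:])
        elif w[0] in ("authentication", "group", "hash"):
            c["isakmp"][w[0]] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"] and len(w) == 6:
            c["keys"][w[5]] = w[3]                  # peer address -> key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["set", "peer"]:
            c["peers"].add(w[2])
        elif w[:2] == ["set", "transform-set"]:
            c["used_tsets"].add(w[2])
        elif w[:2] == ["match", "address"]:
            c["acl_ids"].add(w[2])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"] and len(w) == 8:
            c["acls"].setdefault(w[1], set()).add(tuple(w[4:]))
    return c


def protected(c):
    """Union of the permit entries in every ACL the crypto map references."""
    return set().union(*(c["acls"].get(i, set()) for i in c["acl_ids"]))


def audit_spoke(hub_cfg, hub_addr, spoke_cfg, spoke_addr):
    """Return a list of disagreements between hub and spoke; empty means consistent."""
    hub, spoke = parse_crypto(hub_cfg), parse_crypto(spoke_cfg)
    out = []
    for k in sorted(set(hub["isakmp"]) | set(spoke["isakmp"])):
        h, s = hub["isakmp"].get(k), spoke["isakmp"].get(k)
        if h != s:
            out.append(f"ISAKMP {k}: hub={h} spoke={s}")
    for name, cfg, peer in (("hub", hub, spoke_addr), ("spoke", spoke, hub_addr)):
        if peer not in cfg["peers"]:
            out.append(f"{name}: crypto map has no 'set peer {peer}'")
        if peer not in cfg["keys"]:
            out.append(f"{name}: no pre-shared key for {peer}")
    if hub["keys"].get(spoke_addr) != spoke["keys"].get(hub_addr):
        out.append("pre-shared keys differ")        # key values are never printed
    h_ts = {hub["tsets"].get(n) for n in hub["used_tsets"]}
    s_ts = {spoke["tsets"].get(n) for n in spoke["used_tsets"]}
    if h_ts != s_ts:
        out.append("transform sets differ")
    hub_acl = protected(hub)
    for src, sw, dst, dw in sorted(protected(spoke)):
        if (dst, dw, src, sw) not in hub_acl:       # hub must hold the reverse entry
            out.append(f"spoke ACL entry {src} {sw} -> {dst} {dw} has no mirror on the hub")
    return out


if __name__ == "__main__":
    for finding in audit_spoke(R1, "209.165.118.2", R2_BAD, "64.100.13.2"):
        print(finding)
```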

Part 4: Configure GRE Tunnels over IPSec


Step 1: Configure the Tunnel interfaces of R1.
a. Enter into the configuration mode for R1 Tunnel 0.
R1(config)# interface tunnel 0
b. Set the IP address as indicated in the Addressing Table.
R1(config-if)# ip address 192.168.0.1 255.255.255.252
c. Set the source and destination for the endpoints of Tunnel 0.
R1(config-if)# tunnel source s0/0/0
R1(config-if)# tunnel destination 64.100.13.2
d. Configure Tunnel 0 to convey IP traffic over GRE.
R1(config-if)# tunnel mode gre ip
e. The Tunnel 0 interface should already be active. In the event that it is not, treat it like any other interface.
f. Repeat Steps 1a-f to create the Tunnel 1 interface to R3. Change the addressing where appropriate.
R1(config)# interface tunnel 1
R1(config-if)# ip address 192.168.0.5 255.255.255.252
R1(config-if)# tunnel source s0/0/0
R1(config-if)# tunnel destination 64.102.46.2
R1(config-if)# tunnel mode gre ip

Step 2: Configure the Tunnel 0 interface of R2 and R3.


a. Repeat Steps 1a – e with R2. Be sure to change the IP addressing as appropriate.
R2(config)# interface tunnel 0
R2(config-if)# ip address 192.168.0.2 255.255.255.252
R2(config-if)# tunnel source s0/0/0
R2(config-if)# tunnel destination 209.165.118.2
R2(config-if)# tunnel mode gre ip
b. Repeat Steps 1a – e with R3. Be sure to change the IP addressing as appropriate.
R3(config)# interface tunnel 0
R3(config-if)# ip address 192.168.0.6 255.255.255.252
R3(config-if)# tunnel source s0/0/0
R3(config-if)# tunnel destination 209.165.118.2
R3(config-if)# tunnel mode gre ip


Step 3: Configure a route for private IP traffic.


a. Define a route from R1 to the 172.16.0.0 and 172.16.4.0 networks using the next-hop address of the
tunnel interface.
R1(config)# ip route 172.16.0.0 255.255.252.0 192.168.0.2
R1(config)# ip route 172.16.4.0 255.255.252.0 192.168.0.6
b. Define a route from R2 and R3 to the 10.0.0.0 network using the next-hop address of the tunnel interface.
R2(config)# ip route 10.0.0.0 255.0.0.0 192.168.0.1
R3(config)# ip route 10.0.0.0 255.0.0.0 192.168.0.5

Part 5: Verify Connectivity


Step 1: Ping Server1 from L2 and PC3.
a. Attempt to ping the IP address of Server1 from L2 and PC3. The ping should be successful.
b. Attempt to ping the IP address of L2 from PC3. The ping should fail because there is no tunnel between
the two networks.

Configuration Scripts

Router R1
license boot module c2900 technology-package securityk9
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.4.0 0.0.3.255
crypto isakmp policy 101
encryption aes
authentication pre-share
group 5
exit
crypto isakmp key cisco address 64.100.13.2
crypto isakmp key cisco address 64.102.46.2
crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
crypto map R1_Map 101 ipsec-isakmp
set peer 64.100.13.2
set peer 64.102.46.2
set transform-set R1_Set
match address 101
interface S0/0/0
crypto map R1_Map
interface Tunnel 0
ip address 192.168.0.1 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 64.100.13.2
tunnel mode gre ip
ip route 172.16.0.0 255.255.252.0 192.168.0.2
interface Tunnel 1
ip address 192.168.0.5 255.255.255.252
tunnel source serial 0/0/0

tunnel destination 64.102.46.2


tunnel mode gre ip
ip route 172.16.4.0 255.255.252.0 192.168.0.6

Router R2
license boot module c2900 technology-package securityk9
access-list 101 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 101
encryption aes
authentication pre-share
group 5
exit
crypto isakmp key cisco address 209.165.118.2
crypto ipsec transform-set R2_Set esp-aes esp-sha-hmac
crypto map R2_Map 101 ipsec-isakmp
set peer 209.165.118.2
set transform-set R2_Set
match address 101
interface Serial0/0/0
crypto map R2_Map
interface Tunnel0
ip address 192.168.0.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.118.2
tunnel mode gre ip
ip route 10.0.0.0 255.0.0.0 192.168.0.1

Router R3
license boot module c2900 technology-package securityk9
access-list 101 permit ip 172.16.4.0 0.0.3.255 10.0.0.0 0.255.255.255
crypto isakmp policy 101
encryption aes
authentication pre-share
group 5
exit
crypto isakmp key cisco address 209.165.118.2
crypto ipsec transform-set R3_Set esp-aes esp-sha-hmac
crypto map R3_Map 101 ipsec-isakmp
set peer 209.165.118.2
set transform-set R3_Set
match address 101
interface S0/0/0
crypto map R3_Map
interface Tunnel 0
ip address 192.168.0.6 255.255.255.252
tunnel source serial 0/0/0
tunnel destination 209.165.118.2
tunnel mode gre ip

ip route 10.0.0.0 255.0.0.0 192.168.0.5

Device Configs

Router R1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
crypto isakmp policy 101
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 64.100.13.2
crypto isakmp key cisco address 64.102.46.2
crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
crypto map R1_Map 101 ipsec-isakmp
set peer 64.100.13.2
set peer 64.102.46.2
set transform-set R1_Set
match address 101
license udi pid CISCO2911/K9 sn FTX15241LLM
license boot module c2900 technology-package securityk9
spanning-tree mode pvst
interface Tunnel0
ip address 192.168.0.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.100.13.2
tunnel mode gre ip
interface Tunnel1
ip address 192.168.0.5 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 64.102.46.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0

ip address 209.165.118.2 255.255.255.252


crypto map R1_Map
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.16.0.0 255.255.252.0 192.168.0.2
ip route 172.16.4.0 255.255.252.0 192.168.0.6
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.4.0 0.0.3.255
line con 0
line aux 0
line vty 0 4
login
end

Router R2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
crypto isakmp policy 102
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 209.165.118.2
crypto ipsec transform-set R1_R2_Set esp-aes esp-sha-hmac
crypto map R1_R2_Map 102 ipsec-isakmp
set peer 209.165.118.2
set transform-set R1_R2_Set
match address 102
license udi pid CISCO2911/K9 sn FTX15249J0B
license boot module c2900 technology-package securityk9
spanning-tree mode pvst
interface Tunnel0
ip address 192.168.0.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.118.2
tunnel mode gre ip
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.252.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address

duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.100.13.2 255.255.255.252
crypto map R1_R2_Map
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.0.0.0 255.0.0.0 192.168.0.1
access-list 102 permit ip 172.16.0.0 0.0.3.255 10.0.0.0 0.255.255.255
line con 0
line aux 0
line vty 0 4
login
end

Router R3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R3
crypto isakmp policy 103
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 209.165.118.2
crypto ipsec transform-set R1_R3_Set esp-aes esp-sha-hmac
crypto map R1_R3_Map 103 ipsec-isakmp
set peer 209.165.118.2
set transform-set R1_R3_Set
match address 103
license udi pid CISCO2911/K9 sn FTX1524446J
license boot module c2900 technology-package securityk9
spanning-tree mode pvst
interface Tunnel0
ip address 192.168.0.6 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 209.165.118.2

tunnel mode gre ip


interface GigabitEthernet0/0
ip address 172.16.4.1 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 64.102.46.2 255.255.255.252
crypto map R1_R3_Map
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.0.0.0 255.0.0.0 192.168.0.5
access-list 103 permit ip 172.16.4.0 0.0.3.255 10.0.0.0 0.255.255.255
line con 0
line aux 0
line vty 0 4
login
end

Packet Tracer – Skills Integration Challenge (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4

Addressing Table
Device  Interface  IPv4 Address     Subnet Mask      Default Gateway
HQ      S0/0/0     10.0.0.1         255.255.255.248  N/A
HQ      S0/0/1     209.165.201.2    255.255.255.252  N/A
HQ      Tu0        192.168.1.1      255.255.255.252  N/A
HQ      Tu1        192.168.1.5      255.255.255.252  N/A
R1      G0/0       10.1.150.1       255.255.255.0    N/A
R1      S0/0/0     10.0.0.3         255.255.255.248  N/A
R1      Tu0        192.168.1.6      255.255.255.252  N/A
R1      Tu1        192.168.1.9      255.255.255.252  N/A
R2      G0/0       10.1.100.1       255.255.255.0    N/A
R2      S0/0/0     10.0.0.2         255.255.255.248  N/A
R2      Tu0        192.168.1.2      255.255.255.252  N/A
R2      Tu1        162.168.1.10     255.255.255.252  N/A
Web     NIC        209.165.200.226  255.255.255.252  209.165.200.225
PC1     NIC        10.1.150.10      255.255.255.0    10.1.150.1
PC2     NIC        10.1.100.10      255.255.255.0    10.1.100.1

DLCI Mappings
From / To HQ R1 R2
HQ - 103 102
R1 301 - 302
R2 201 203 -

Background
This activity allows you to practice a variety of skills, including configuring Frame Relay, PPP with CHAP, NAT
overloading (PAT), and GRE tunnels. The routers are partially configured for you.

Requirements
Note: You only have console access to router R1 and telnet access to router HQ. The username is admin
and the password is adminpass for telnet access.
R1
• Configure full mesh Frame Relay.
- Configure Frame Relay encapsulation.
- Configure a map to each of the other routers using the broadcast keyword.
- The LMI type is ANSI.

• Configure GRE tunnels to the other routers.
- Configure the source port and the destination address.
- Configure the IP address for the tunnel interface according to the Addressing Table.

HQ
• Configure HQ to use PPP with CHAP on the link to the Internet. ISP is the router hostname. The
password for CHAP is cisco.
• Configure GRE tunnels to the other routers.
- Configure the source port and the destination address.
- Configure the IP address for the tunnel interface according to the Addressing Table.
• Configure NAT to share the public IP address configured on interface s0/0/1 with the entire class A
private range.
- Configure access-list 1 for use with NAT.
- Identify the inside and outside interfaces.

Verify End-to-End Connectivity


• All end devices should now be able to ping each other and the Web Server.
• If not, click Check Results to see what configurations you may still be missing. Implement necessary
fixes and retest for full end-to-end connectivity.

Device Configs
Router R1
enable
configure terminal
interface s0/0/0
encapsulation frame-relay
frame-relay map ip 10.0.0.1 301 broadcast
frame-relay map ip 10.0.0.2 302 broadcast
frame-relay lmi-type ansi
interface tunnel 0
ip address 192.168.1.6 255.255.255.252
tunnel source s0/0/0
tunnel destination 10.0.0.1
interface tunnel 1
ip address 192.168.1.9 255.255.255.252
tunnel source s0/0/0
tunnel destination 10.0.0.2
end
copy running-config startup-config

Router HQ
enable
configure terminal
username ISP password cisco
username admin password adminpass
interface s0/0/0

ip nat inside
interface s0/0/1
encapsulation ppp
ppp authentication chap
ip nat outside
interface tunnel 0
ip address 192.168.1.1 255.255.255.252
tunnel source s0/0/0
tunnel destination 10.0.0.2
interface tunnel 1
ip address 192.168.1.5 255.255.255.252
tunnel source s0/0/0
tunnel destination 10.0.0.3
ip nat inside source list 1 interface s0/0/1 overload
access-list 1 permit 10.0.0.0 0.255.255.255
line con 0
password ciscopass
login
end
copy running-config startup-config

Packet Tracer – Configuring Syslog and NTP (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Configure Syslog Service
Part 2: Generate Logged Events
Part 3: Manually Set Switch Clocks
Part 4: Configure NTP Service
Part 5: Verify Timestamped Logs

Scenario
In this activity, you will enable and use the Syslog service and the NTP service so that the network
administrator is able to monitor the network more effectively.

Part 1: Configure Syslog Service


Step 1: Enable the Syslog service.
a. Click Syslog, then Services tab.
b. Turn the Syslog service on and move the window so you can monitor activity.

Step 2: Configure the intermediary devices to use the Syslog service.


a. Configure R1 to send log events to the Syslog server.
R1(config)# logging 10.0.1.254
b. Configure S1 to send log events to the Syslog server.
S1(config)# logging 10.0.1.254

c. Configure S2 to send log events to the Syslog server.
S2(config)# logging 10.0.1.254

Part 2: Generate Logged Events


Step 1: Change the status of interfaces to create event logs.
a. Configure a Loopback 0 interface on R1 then disable it.
R1(config)# interface loopback 0
R1(config-if)# shutdown
b. Turn off PC1 and PC2. Turn them on again.

Step 2: Examine the Syslog events.


a. Look at the Syslog events. Note: All of the events have been recorded; however, the time stamps are
incorrect.
b. Clear the log before proceeding to the next part.

Part 3: Manually Set Switch Clocks


Step 1: Manually set the clocks on the switches.
Manually set the clock on S1 and S2 to the current date and approximate time. An example is provided.
S1# clock set 11:47:00 July 10 2013

Step 2: Enable the logging timestamp service on the switches.


Configure S1 and S2 to send their timestamps with the logs they send to the Syslog server.
S1(config)# service timestamps log datetime msec
S2(config)# service timestamps log datetime msec

Part 4: Configure NTP Service


Step 1: Enable the NTP service.
In this activity, we are assuming that the NTP service is being hosted on a public Internet server. If the NTP
server were private, authentication could also be used.
a. Open the Services tab of the NTP server.
b. Turn the NTP service on and note the date and time that is displayed.

Step 2: Automatically set the clock on the router.


Set the clock on R1 to the date and time according to the NTP server.
R1(config)# ntp server 64.103.224.2

Step 3: Enable the logging timestamp service of the router.


Configure R1 to send its timestamp with the logs that it sends to the Syslog server.
R1(config)# service timestamps log datetime msec

Part 5: Verify Timestamped Logs


Step 1: Change the status of interfaces to create event logs.
a. Re-enable and then disable the Loopback 0 interface on R1.
R1(config)# interface loopback 0
R1(config-if)# no shutdown
R1(config-if)# shutdown
b. Turn off laptops L1 and L2. Turn them on again.

Step 2: Examine the Syslog events.


Look at the Syslog events. Note: All of the events have been recorded and the time stamps are correct as
configured. Note: R1 uses the clock settings from the NTP server, and S1 and S2 use the clock settings
configured by you in Part 3.
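
One way to automate the Part 5 check, as an added example that is not part of the Cisco activity: the script takes syslog records as (server receive time, source, message) and reports whether each message carries a device timestamp, whether IOS flagged the clock, and how far the device time is from the server's. The sample records, the 5-second tolerance and the function names are constructed for illustration; the leading `*` and `.` flags are standard IOS notation that this activity does not show, and device and server are assumed to share a time zone and year.

```python
import re
from datetime import datetime

# Prefix written by "service timestamps log datetime msec": an optional flag,
# then "Mon DD HH:MM:SS.mmm:" (IOS omits the year unless asked to include it).
# Flag '*' = clock not authoritative, '.' = authoritative but NTP sync lost.
STAMP = re.compile(
    r"^(?P<flag>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): "
    r"(?P<body>.*)$"
)

# Constructed records: (time the Syslog server received it, source, message).
SAMPLE = [
    ("2013-07-10 11:40:02", "S2",
     "%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up"),
    ("2013-07-10 11:47:06", "R1",
     "Jul 10 11:47:05.512: %LINK-5-CHANGED: Interface Loopback0, "
     "changed state to administratively down"),
    ("2013-07-10 11:47:09", "S1",
     "Jul 10 11:52:40.101: %LINK-3-UPDOWN: Interface FastEthernet0/1, "
     "changed state to down"),
    ("2013-07-10 11:47:15", "S2",
     "*Mar  1 00:12:31.004: %LINK-3-UPDOWN: Interface FastEthernet0/2, "
     "changed state to down"),
]


def parse_device_time(message, year):
    """Return (flag, device_time, body); device_time is None without a stamp."""
    m = STAMP.match(message)
    if not m:
        return None, None, message
    ts = m.group("ts")
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    # The year is borrowed from the server's receive time (an assumption).
    return m.group("flag"), datetime.strptime(f"{year} {ts}", fmt), m.group("body")


def verify(records, tolerance_s=5.0):
    """Return one (host, verdict, skew_seconds) tuple per record."""
    results = []
    for received, host, message in records:
        rx = datetime.strptime(received, "%Y-%m-%d %H:%M:%S")
        flag, device_time, _ = parse_device_time(message, rx.year)
        if device_time is None:
            results.append((host, "no-timestamp", None))
            continue
        skew = round((device_time - rx).total_seconds(), 3)
        if flag == "*":
            verdict = "clock-not-authoritative"
        elif flag == ".":
            verdict = "ntp-sync-lost"
        elif abs(skew) > tolerance_s:
            verdict = "skewed"
        else:
            verdict = "ok"
        results.append((host, verdict, skew))
    return results


if __name__ == "__main__":
    for host, verdict, skew in verify(SAMPLE):
        print(f"{host:4} {verdict:24} skew={skew}")
```

A manually set clock, as on S1 and S2 in Part 3, can pass the flag check and still show up here as skewed, which is the case the receive-time comparison exists to catch.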

Packet Tracer – Troubleshooting Challenge - Documenting the
Network (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway
PC1 NIC 10.2.15.10 255.255.255.0 10.2.15.1
PC2 NIC 10.2.25.10 255.255.255.0 10.2.25.1
PC3 NIC 10.2.35.10 255.255.255.0 10.2.35.1
PC4 NIC 10.3.100.4 255.255.255.0 10.3.100.1
PC5 NIC 10.3.100.5 255.255.255.0 10.3.100.1
PC6 NIC 10.4.1.10 255.255.255.0 10.4.1.1
PC7 NIC 10.5.1.10 255.255.255.0 10.5.1.1
DNS Server NIC 10.1.100.2 255.255.255.0 10.1.100.1
R1 S0/0/0 10.1.0.4 255.255.255.248 N/A
R1 G0/0 10.4.1.1 255.255.255.0 N/A
R2 S0/0/0 10.1.0.3 255.255.255.248 N/A
R2 G0/0.100 10.3.100.1 255.255.255.0 N/A
R2 G0/0.105 10.3.105.1 255.255.255.0 N/A
R3 S0/0/0 10.1.0.2 255.255.255.248 N/A
R3 G0/0.5 10.2.5.1 255.255.255.0 N/A
R3 G0/0.15 10.2.15.1 255.255.255.0 N/A
R3 G0/0.25 10.2.25.1 255.255.255.0 N/A
R3 G0/0.35 10.2.35.1 255.255.255.0 N/A
R4 S0/0/0 10.1.0.5 255.255.255.248 N/A
R4 G0/0 10.5.1.1 255.255.255.0 N/A
R5 S0/0/0 10.1.0.1 255.255.255.248 N/A
R5 S0/0/1 209.165.201.2 255.255.255.252 N/A
R5 G0/0 10.1.100.1 255.255.255.0 N/A
S1 None None None None
S2 VLAN 105 10.3.105.21 255.255.255.0 10.3.105.1
S3 VLAN 105 10.3.105.22 255.255.255.0 10.3.105.1
S4 VLAN 5 10.2.5.21 255.255.255.0 10.2.5.1
S5 VLAN 5 10.2.5.23 255.255.255.0 10.2.5.1
S6 VLAN 5 10.2.5.22 255.255.255.0 10.2.5.1
S7 None None None None

Objectives
Part 1: Test Connectivity
Part 2: Discover PC Configuration Information
Part 3: Discover the Configuration Information of the Default Gateway
Part 4: Discover Routes and Neighbors in the Network
Part 5: Draw the Network Topology

Background / Scenario
This activity covers the steps to take to discover a network using primarily the Telnet, show cdp neighbors
detail, and show ip route commands. This is Part I of a two-part activity. Part II is Packet Tracer -
Troubleshooting Challenge - Using Documentation to Solve Issues.
The topology you see when you open the Packet Tracer activity does not reveal all of the details of the
network. The details have been hidden using the cluster function of Packet Tracer. The network infrastructure
has been collapsed, and the topology in the file shows only the end devices. Your task is to use your
knowledge of networking and discovery commands to learn about the full network topology and document it.

Part 1: Test Connectivity


Packet Tracer needs a little time to converge the network. Ping between the PCs and the www.cisco.com
server to verify convergence and to test the network. All PCs should be able to ping one another as well as
the server. Remember it may take a few pings before they are successful.

Part 2: Discover PC Configuration Information


Step 1: Access the PC1 command prompt.
Click PC1, the Desktop tab, and then Command Prompt.

Step 2: Determine the addressing information for PC1.


To determine the current IP addressing configuration, enter the ipconfig /all command.
Note: In Packet Tracer, you must enter a space between ipconfig and /all.

Step 3: Document the information for PC1 in the addressing table.


PC> ipconfig /all

FastEthernet0 Connection:(default port)


Physical Address................: 0001.97DA.E057
Link-local IPv6 Address.........: FE80::201:97FF:FEDA:E057
IP Address......................: 10.2.15.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.2.15.1
DNS Servers.....................: 10.1.100.2
DHCP Servers....................: 0.0.0.0

Step 4: Repeat Steps 1 to 3 for PCs 2 to 7.

Part 3: Discover the Configuration Information of the Default Gateway


Step 1: Test connectivity between PC1 and its default gateway.
From PC1, ping the default gateway to ensure that you have connectivity.

Step 2: Telnet to the default gateway.


Use the telnet ip-address command. The IP address is that of the default gateway. When prompted for the
password, type cisco.

Step 3: View current interface configurations.


a. Use both the show ip interface brief and show protocols commands to determine the current interface
configurations.
b. Document the subnet mask information from the show protocols command.

Step 4: Document the hostname and interface configuration of the PC1 gateway router in the
addressing table.

Part 4: Discover Routes and Neighbors in the Network


Step 1: On the gateway router for PC1, display the routing table.
a. Display the routing table with the show ip route command. You should see five connected routes and six
routes learned through EIGRP, one of which is a default route.
b. In addition to the routes, record any other useful information that the routing table provides to help you
further discover and document the network.
c. Determine if there are more IP addresses you can Telnet to continue discovering the network.

Step 2: Discover directly connected Cisco devices.


On the gateway router for PC1, use the show cdp neighbors detail command to discover other directly
connected Cisco devices.

Step 3: Document the neighbor information and test connectivity.


The show cdp neighbors detail command lists information for one neighbor, including its IP address.
Document the hostname and IP address of the neighbor, and then ping the IP address to test connectivity.
The first two or three pings fail while ARP resolves the MAC address.

Step 4: Telnet to the neighbor and discover directly connected Cisco devices.
a. Telnet to the neighbor and use the show cdp neighbors detail command to discover other directly
connected Cisco devices.
b. You should see three devices listed this time. The PC1 gateway router may be listed for each
subinterface.
Note: Use the show interfaces command on the switches to determine the subnet mask information.

Step 5: Document the hostnames and IP addresses of the neighbors and test connectivity.
Document and ping the new neighbors you have discovered. Remember, the first two or three pings fail while
ARP resolves MAC addresses.

Step 6: Telnet to each neighbor and check for additional Cisco devices.
Telnet to each of the new neighbors you have discovered, and use the show cdp neighbors detail
command to check for any additional Cisco devices. The access password is cisco.

Step 7: Continue discovering and documenting the network.


Exit the Telnet sessions to return to the default gateway router for PC1. From this router, Telnet to other
devices in the network to continue discovering and documenting the network. Remember to use the show ip
route and show cdp neighbors commands to discover IP addresses you can use for Telnet.
Note: Use the show interfaces command on the switches to determine the subnet mask information.

Step 8: Repeat Steps 1 to 7 as necessary to discover the entire network topology.
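
The bookkeeping behind Steps 2 to 8, as an added example that is not part of the Cisco activity: it parses saved show cdp neighbors detail output into neighbor records and walks the captures breadth-first, so each link is recorded once and devices that still need a visit are listed. The captured text, port numbers, platform strings and function names are constructed for illustration; only the hostnames and addresses come from the Addressing Table.

```python
import re
from collections import deque

# Constructed captures of "show cdp neighbors detail", keyed by the device the
# command was run on. S6 has not been queried yet, so it has no capture.
CAPTURES = {
    "R3": """\
Device ID: S4
Entry address(es):
  IP address : 10.2.5.21
Platform: cisco 2960, Capabilities: Switch
Interface: GigabitEthernet0/0.5, Port ID (outgoing port): FastEthernet0/1
""",
    "S4": """\
Device ID: R3
Entry address(es):
  IP address : 10.2.5.1
Platform: cisco C1900, Capabilities: Router
Interface: FastEthernet0/1, Port ID (outgoing port): GigabitEthernet0/0.5

Device ID: S5
Entry address(es):
  IP address : 10.2.5.23
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/2, Port ID (outgoing port): FastEthernet0/2

Device ID: S6
Entry address(es):
  IP address : 10.2.5.22
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/3, Port ID (outgoing port): FastEthernet0/3
""",
    "S5": """\
Device ID: S4
Entry address(es):
  IP address : 10.2.5.21
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/2, Port ID (outgoing port): FastEthernet0/2

Device ID: S6
Entry address(es):
  IP address : 10.2.5.22
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/4, Port ID (outgoing port): FastEthernet0/4
""",
}


def parse_cdp_detail(text):
    """Split the output per neighbor and pull out name, address and ports."""
    neighbors = []
    for block in re.split(r"(?m)^(?=Device ID:)", text):
        name = re.search(r"^Device ID: (\S+)", block, re.M)
        if not name:
            continue
        ip = re.search(r"IP address\s*: (\S+)", block)
        port = re.search(
            r"^Interface: ([^,]+),\s+Port ID \(outgoing port\): (\S+)", block, re.M)
        neighbors.append({
            "name": name.group(1),
            "ip": ip.group(1) if ip else None,   # a neighbor may have no address
            "local_port": port.group(1) if port else "?",
            "remote_port": port.group(2) if port else "?",
        })
    return neighbors


def discover(start, captures):
    """Return (links, addresses, pending) reachable from the start device."""
    links, addresses, pending = set(), {}, []
    seen, queue = {start}, deque([start])
    while queue:
        device = queue.popleft()
        if device not in captures:
            pending.append(device)        # discovered, but not queried yet
            continue
        for n in parse_cdp_detail(captures[device]):
            # Sorting the two ends stores a link once, whichever end reported it.
            links.add(tuple(sorted([(device, n["local_port"]),
                                    (n["name"], n["remote_port"])])))
            if n["ip"]:
                addresses[n["name"]] = n["ip"]
            if n["name"] not in seen:
                seen.add(n["name"])
                queue.append(n["name"])
    return sorted(links), addresses, pending


if __name__ == "__main__":
    links, addresses, pending = discover("R3", CAPTURES)
    for a, b in links:
        print(f"{a[0]} {a[1]} <-> {b[0]} {b[1]}")
    print("addresses:", addresses)
    print("still to query:", pending)
```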

Part 5: Draw the Network Topology


Step 1: Draw a topology.
Now that you have discovered all the network devices and documented their addresses, use the Addressing
Table information to draw a topology.
Hint: There is a Frame Relay cloud in the middle of the network.

Step 2: Keep this documentation.


a. Show your topology diagram and Addressing Table to the instructor for verification.
b. Your topology diagram and Addressing Table are needed for Part II of this activity.

Suggested Scoring Rubric

Activity Section / Question Location / Possible Points / Earned Points
Part 5: Draw the Network Topology / Step 2-a / 100 /
Part 5 Total: 100
Packet Tracer Score: 0
Total Score: 100

Topology Answer
This topology is a screenshot from the answer network in the PKA. The student’s topology can look quite
different, but the connections should all be the same. A good class exercise is to have the students compare their
correct topology diagrams to see the benefits and limitations of different layouts. This will also help them to
understand that there can be many excellent ways to represent the same network.

Device Configs

Router R1
R1#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.4.1.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.4 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1

no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router R2
R2#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
enable secret class
spanning-tree mode pvst
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.3.100.1 255.255.255.0
interface GigabitEthernet0/0.105
encapsulation dot1Q 105 native
ip address 10.3.105.1 255.255.255.0
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.3 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1

network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router R3
R3#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R3
enable secret class
spanning-tree mode pvst
interface Gig0/0
no ip address
duplex auto
speed auto
interface Gig0/0.5
encapsulation dot1Q 5 native
ip address 10.2.5.1 255.255.255.0
interface Gig0/0.15
encapsulation dot1Q 15
ip address 10.2.15.1 255.255.255.0
interface Gig0/0.25
encapsulation dot1Q 25
ip address 10.2.25.1 255.255.255.0
interface Gig0/0.35
encapsulation dot1Q 35
ip address 10.2.35.1 255.255.255.0
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address

shutdown
router eigrp 1
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router R4
R4#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R4
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.5.1.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.5 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0

line vty 0 4
password cisco
login
end

Router R5
R5#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R5
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.1.100.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.1 255.255.255.248
encapsulation frame-relay
ip nat inside
interface Serial0/0/1
ip address 209.165.201.2 255.255.255.252
ip nat outside
no cdp enable
interface Vlan1
no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
passive-interface Serial0/0/1
network 10.0.0.0
default-information originate
no auto-summary
ip nat pool LAN 209.165.202.128 209.165.202.159 netmask 255.255.255.224
ip nat inside source list 1 pool LAN overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
access-list 1 permit 10.0.0.0 0.255.255.255
line con 0
password cisco
login
line aux 0
line vty 0 4

password cisco
login
end

Router ISP
ISP#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname ISP
spanning-tree mode pvst
interface Gig0/0
ip address 209.165.200.225 255.255.255.252
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 209.165.201.1 255.255.255.252
clock rate 64000
interface Serial0/0/1
no ip address
interface Serial0/2/0
no ip address
interface Serial0/2/1
no ip address
interface Vlan1
no ip address
shutdown
ip classless
ip route 209.165.202.128 255.255.255.224 Serial0/0/0
no cdp run
line con 0
line aux 0
line vty 0 4
login
end

Switch S1
S1#sh run
hostname S1
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2

interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S2
S2#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S2
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/2

switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/4
interface FastEthernet0/5
switchport access vlan 100
switchport mode access
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.21 255.255.255.0
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S3
S3#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec

no service password-encryption
hostname S3
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
switchport access vlan 100
switchport mode access
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.22 255.255.255.0
ip default-gateway 10.3.1.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15

login
end

Switch S4
S4#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S4
enable secret class
spanning-tree mode pvst
spanning-tree vlan 1,5,15,25,35 priority 4096
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1

no ip address
shutdown
interface Vlan5
ip address 10.2.5.21 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S5
S5#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S5
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18

interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.23 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S6
S6#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S6
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
interface FastEthernet0/6
switchport access vlan 15
switchport mode access
interface FastEthernet0/7

interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
switchport access vlan 25
switchport mode access
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
switchport access vlan 35
switchport mode access
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.22 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S7
S7#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S7
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2

interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
line con 0
line vty 0 4
login
line vty 5 15
login
end
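
A consistency check between the Device Configs above and the Addressing Table, as an added example that is not part of the Cisco activity: for each switch it reads the management SVI address and ip default-gateway from the running-config and compares them with the documented row. The excerpts are copied from the S2, S3 and S4 configs and Addressing Table rows on this page; the function names and finding codes are constructed for illustration.

```python
import ipaddress
import re

# Excerpts of the running-configs shown above (management lines only).
CONFIGS = {
    "S2": """\
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.21 255.255.255.0
line con 0
""",
    "S3": """\
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.22 255.255.255.0
ip default-gateway 10.3.1.1
line con 0
""",
    "S4": """\
interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.21 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
""",
}

# Addressing Table rows: (IP address, subnet mask, default gateway).
DOCUMENTED = {
    "S2": ("10.3.105.21", "255.255.255.0", "10.3.105.1"),
    "S3": ("10.3.105.22", "255.255.255.0", "10.3.105.1"),
    "S4": ("10.2.5.21", "255.255.255.0", "10.2.5.1"),
}


def management_settings(config):
    """Return (svi_name, ip_interface, gateway); missing items are None."""
    svi = iface = gateway = current = None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            current = m.group(1)
            continue
        if re.match(r"(interface|line|router) ", line):
            current = None                      # left the SVI block
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current and iface is None:
            svi = current
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"ip default-gateway (\S+)$", line)
        if m:
            gateway = ipaddress.ip_address(m.group(1))
    return svi, iface, gateway


def audit(configs, documented):
    """Return (host, code, detail) findings, ordered by hostname."""
    findings = []
    for host in sorted(configs):
        svi, iface, gateway = management_settings(configs[host])
        doc_ip, doc_mask, doc_gw = documented[host]
        if iface is None:
            findings.append((host, "svi-missing", "no SVI has an address"))
            continue
        if (str(iface.ip), str(iface.netmask)) != (doc_ip, doc_mask):
            findings.append((host, "address-mismatch",
                             f"{svi} is {iface.with_netmask}"))
        if gateway is None:
            findings.append((host, "gateway-missing",
                             f"table documents {doc_gw}"))
            continue
        if gateway not in iface.network:
            findings.append((host, "gateway-off-subnet",
                             f"{gateway} is outside {iface.network}"))
        if str(gateway) != doc_gw:
            findings.append((host, "gateway-mismatch",
                             f"{gateway} configured, {doc_gw} documented"))
    return findings


if __name__ == "__main__":
    for host, code, detail in audit(CONFIGS, DOCUMENTED):
        print(f"{host}: {code}: {detail}")
```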

Packet Tracer – Troubleshooting Enterprise Networks 1 (Instructor
Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway
R1 S0/0/0 10.1.1.1 255.255.255.252 N/A
R1 S0/0/1 10.3.3.1 255.255.255.252 N/A
R2 G0/0 192.168.40.1 255.255.255.0 N/A
R2 G0/1 DHCP assigned DHCP assigned N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A
R2 S0/0/1 10.2.2.1 255.255.255.252 N/A
R3 G0/0.10 192.168.10.1 255.255.255.0 N/A
R3 G0/0.20 192.168.20.1 255.255.255.0 N/A
R3 G0/0.30 192.168.30.1 255.255.255.0 N/A
R3 G0/0.88 192.168.88.1 255.255.255.0 N/A
R3 S0/0/0 10.3.3.2 255.255.255.252 N/A
R3 S0/0/1 10.2.2.2 255.255.255.252 N/A
S1 VLAN 88 192.168.88.2 255.255.255.0 192.168.88.1
S2 VLAN 88 192.168.88.3 255.255.255.0 192.168.88.1
S3 VLAN 88 192.168.88.4 255.255.255.0 192.168.88.1
PC1 NIC DHCP assigned DHCP assigned DHCP assigned
PC2 NIC DHCP assigned DHCP assigned DHCP assigned
PC3 NIC DHCP assigned DHCP assigned DHCP assigned
TFTP Server NIC 192.168.40.254 255.255.255.0 192.168.40.1

Background
This activity uses a variety of technologies you have encountered during your CCNA studies, including VLANs,
STP, routing, inter-VLAN routing, DHCP, NAT, PPP, and Frame Relay. Your task is to review the requirements,
isolate and resolve any issues, and then document the steps you took to verify the requirements.

Requirements
VLANs and Access
• S2 is the spanning-tree root for VLAN 1, 10, and 20. S3 is the spanning-tree root for VLAN 30 and 88.
• The trunk links connecting the switches are in native VLAN 99.
• R3 is responsible for inter-VLAN routing and serves as the DHCP server for VLANs 10, 20, and 30.
Routing
• Each router is configured with EIGRP and uses AS 22.
• R2 is configured with a default route pointing to the ISP and redistributes the default route.
• NAT is configured on R2 and no untranslated addresses are permitted to cross the Internet.

WAN Technologies
• The serial link between R1 and R2 uses Frame Relay.
• The serial link between R2 and R3 uses HDLC encapsulation.
• The serial link between R1 and R3 uses PPP with CHAP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.

Troubleshooting Documentation

Device: R1
Problem: R1 and R2 are not forming an adjacency
Solution:
interface Serial0/0/0
encapsulation frame-relay

Device: R1
Problem: Username and passwords are incorrect
Solution:
username R3 password 0 ciscoccna

Device: R2
Problem: TFTP Server cannot ping the Outside Host
Solution:
interface g0/0
no ip nat outside
ip nat inside
interface g0/1
ip nat outside

Device: R2
Problem: Default route is pointing to the incorrect interface
Solution:
no ip route 0.0.0.0 0.0.0.0 g0/0
ip route 0.0.0.0 0.0.0.0 g0/1

Device: S1
Problem: Native VLAN mismatch
Solution:
interface range fa0/1-4
switchport trunk native vlan 99

Device: S2
Problem: This switch is not the root bridge for VLANs 1, 10, and 20
Solution:
spanning-tree vlan 1,10,20 root primary

Device: S3
Problem: The PCs do not pull a DHCP address
Solution:
interface g0/1
switchport mode trunk

Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.
Instructor’s Note: The answer key for this section is left blank because there are many ways to verify the
requirements.

Suggested Scoring Rubric


Packet Tracer scores 60 points. The troubleshooting documentation and instructor verification are worth 40 points.

Packet Tracer – Troubleshooting Enterprise Networks 2 (Instructor
Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology


Addressing Table

| Device | Interface | IPv6 Address/Prefix | Default Gateway |
|---|---|---|---|
| R1 | G0/0 | 2001:DB8:ACAD:A::1/64 | N/A |
| R1 | S0/0/0 | 2001:DB8:ACAD:12::1/64 | N/A |
| R1 | S0/0/1 | 2001:DB8:ACAD:31::1/64 | N/A |
| R2 | G0/0 | 2001:DB8:CC1E:A::1/64 | N/A |
| R2 | G0/1 | 2001:DB8:ACAD:F::2/64 | N/A |
| R2 | S0/0/0 | 2001:DB8:ACAD:12::2/64 | N/A |
| R2 | S0/0/1 | 2001:DB8:ACAD:23::2/64 | N/A |
| R3 | G0/0 | 2001:DB8:CAFE:2::1/64 | N/A |
| R3 | G0/1 | 2001:DB8:CAFE:3::1/64 | N/A |
| R3 | S0/0/0 | 2001:DB8:ACAD:31::2/64 | N/A |
| R3 | S0/0/1 | 2001:DB8:ACAD:23::1/64 | N/A |
| Admin_PC1 | NIC | 2001:DB8:CAFE:2::2/64 | FE80::3 |
| Admin_PC2 | NIC | 2001:DB8:CAFE:3::2/64 | FE80::3 |
| Host_A | NIC | DHCP Assigned | DHCP Assigned |
| Host_B | NIC | DHCP Assigned | DHCP Assigned |
| TFTP Server | NIC | 2001:DB8:CC1E:A::2/64 | FE80::2 |
| Outside Host | NIC | 2001:DB8:CC1E:F::1/64 | FE80::4 |

Background
This activity uses IPv6 configurations that include DHCPv6, EIGRPv6, and IPv6 default routing. Your task is to
review the requirements, isolate and resolve any issues, and then document the steps you took to verify the
requirements.

Requirements
DHCPv6
• Host_A and Host_B are assigned through IPv6 DHCP configured on R1.
IPv6 Routing
• Each router is configured with IPv6 EIGRP and uses AS 100.
• R3 is advertising a summary route to R2 and R1 for the two R3 LANs.
• R2 is configured with a fully specified default route pointing to the ISP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.

Troubleshooting Documentation

| Device | Error | Correction |
|---|---|---|
| R1 | Host_A and Host_B do not get addressing from R1 because the IPv6 DHCPv6 pool is not assigned under the G0/0 interface. | interface g0/0 |
| | | ipv6 dhcp server R1_LAN |
| R1 | Interface S0/0/1 is configured with the wrong IPv6 address. | int s0/0/1 |
| | | no ipv6 address 2001:DB8:ACAD:32::1/64 |
| | | ipv6 address 2001:DB8:ACAD:31::1/64 |
| R1 | S3 is connected to the wrong interface of R1. | Switch the cable in the topology from G0/1 to G0/0 |
| R2 | The default route has the incorrect next-hop address configured. | no ipv6 route ::/0 GigabitEthernet0/0 2001:DB8:ACAD:F:: |
| | | ipv6 route ::/0 GigabitEthernet0/1 2001:DB8:ACAD:F::1 |
| R2 | IPv6 EIGRP is configured with the wrong autonomous system. | int g0/0 |
| | | no ipv6 eigrp 1000 |
| | | ipv6 eigrp 100 |
| R3 | IPv6 EIGRP 100 is shut down. | ipv6 router eigrp 100 |
| | | no shutdown |
| R3 | EIGRP summary address is incorrectly advertised on S0/0/1. | int s0/0/0 |
| | | no ipv6 summary-address eigrp 100 2001:DB8:CAFE::/65 5 |
| | | ipv6 summary-address eigrp 100 2001:DB8:CAFE:2::/63 5 |
| | | int s0/0/1 |
| | | no ipv6 summary-address eigrp 100 2001:DB8:CAFE::/65 5 |
| | | ipv6 summary-address eigrp 100 2001:DB8:CAFE:2::/63 5 |
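
The R3 correction replaces the summary 2001:DB8:CAFE::/65 with 2001:DB8:CAFE:2::/63. The following is an added example, not part of the original activity: it checks a configured summary against the LANs it is supposed to cover and computes the tightest single prefix for them. The function names are illustrative, and the /48 case in the comments is a constructed value.

```python
import ipaddress


def tightest_summary(networks):
    """Return the longest single prefix that contains every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize IPv4 and IPv6 networks together")
    width = nets[0].max_prefixlen
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    # Every bit above the highest differing bit is shared by the whole range.
    prefixlen = width - (lowest ^ highest).bit_length()
    base = (lowest >> (width - prefixlen)) << (width - prefixlen)
    return type(nets[0])((base, prefixlen))


def check_summary(configured, lans):
    """Classify a configured summary: 'exact', 'too broad' or 'misses LANs'."""
    summary = ipaddress.ip_network(configured)
    nets = [ipaddress.ip_network(n) for n in lans]
    missed = [str(n) for n in nets if not n.subnet_of(summary)]
    best = tightest_summary(lans)
    if missed:
        verdict = "misses LANs"      # routes for these LANs are not summarized
    elif summary == best:
        verdict = "exact"
    else:
        verdict = "too broad"        # also claims address space R3 does not own
    return {"verdict": verdict, "missed": missed, "tightest": str(best)}


# The two R3 LANs from the Addressing Table (G0/0 and G0/1).
R3_LANS = ["2001:DB8:CAFE:2::/64", "2001:DB8:CAFE:3::/64"]

if __name__ == "__main__":
    for candidate in ("2001:DB8:CAFE::/65",      # the faulty summary on R3
                      "2001:DB8:CAFE:2::/63",    # the corrected summary
                      "2001:DB8:CAFE::/48"):     # constructed: covers far too much
        print(candidate, check_summary(candidate, R3_LANS))
```

A /65 is longer than the /64 LAN prefixes, so it can never contain either LAN; that is why the faulty summary fails regardless of its network address.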

Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.
Note: Some EIGRPv6 commands are not scored in Packet Tracer v6.0.1. Your instructor will verify that all
requirements are met.
Instructor’s Note: The answer key for this section is left blank because there are many ways to verify the
requirements. For grading purposes, note that the EIGRPv6 summary routes are not graded in Packet Tracer.
Also, Packet Tracer does not grade the next hop address in the fully specified IPv6 default route. Check the
student’s file to verify configurations.


Suggested Scoring Rubric


Packet Tracer scores 50 points. The troubleshooting documentation and instructor verification are worth 50 points.

Packet Tracer – Troubleshooting Enterprise Networks 3 (Instructor
Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology


Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/0 | 192.168.10.1 | 255.255.255.0 | N/A |
| R1 | S0/0/0 | 10.1.1.1 | 255.255.255.252 | N/A |
| R1 | S0/0/1 | 10.3.3.1 | 255.255.255.252 | N/A |
| R2 | G0/0 | 209.165.200.225 | 255.255.255.224 | N/A |
| R2 | G0/1 | 192.168.20.1 | 255.255.255.0 | N/A |
| R2 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A |
| R2 | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A |
| R3 | G0/1 | 192.168.30.1 | 255.255.255.0 | N/A |
| R3 | S0/0/0 | 10.3.3.2 | 255.255.255.252 | N/A |
| R3 | S0/0/1 | 10.2.2.2 | 255.255.255.252 | N/A |
| S1 | VLAN10 | DHCP assigned | DHCP assigned | DHCP assigned |
| S2 | VLAN11 | 192.168.11.2 | 255.255.255.0 | N/A |
| S3 | VLAN30 | 192.168.30.2 | 255.255.255.0 | N/A |
| PC1 | NIC | DHCP assigned | DHCP assigned | DHCP assigned |
| PC2 | NIC | 192.168.30.10 | 255.255.255.0 | 192.168.30.1 |
| TFTP Server | NIC | 192.168.20.254 | 255.255.255.0 | 192.168.20.1 |

Background
This activity uses a variety of technologies you have encountered during your CCNA studies, including routing,
port security, EtherChannel, DHCP, NAT, PPP, and Frame Relay. Your task is to review the requirements, isolate
and resolve any issues, and then document the steps you took to verify the requirements.
Note: This activity begins with a partial score.

Requirements
DHCP
• R1 is the DHCP server for the R1 LAN.
Switching Technologies
• Port security is configured to only allow PC1 to access S1's F0/3 interface. All violations should disable
the interface.
• Link aggregation using EtherChannel is configured on S2, S3, and S4.
Routing
• All routers are configured with OSPF process ID 1 and no routing updates should be sent across
interfaces that do not have routers connected.
• R2 is configured with a default route pointing to the ISP and redistributes the default route.
• NAT is configured on R2 and no untranslated addresses are permitted to cross the Internet.
WAN Technologies
• The serial link between R1 and R2 uses Frame Relay.
• The serial link between R2 and R3 uses HDLC encapsulation.
• The serial link between R1 and R3 uses PPP with PAP.
Connectivity
• Devices should be configured according to the Addressing Table.
• Every device should be able to ping every other device.

Troubleshooting Documentation

| Device | Error | Correction |
|---|---|---|
| R1 | There is an incorrect default gateway in DHCP pool | ip dhcp pool Access |
| | | default-router 192.168.10.1 |
| R1 | The default route propagation should not be configured on this router | router ospf 1 |
| | | no default-information originate |
| R2 | The default route propagation should be configured on this router | router ospf 1 |
| | | default-information originate |
| R2 | Incorrect encapsulation on S0/0/1 | interface s0/0/1 |
| | | encapsulation hdlc |
| R3 | R3 is not forming an adjacency with R1 and R2 | router ospf 1 |
| | | no passive-interface default |
| | | passive-interface g0/1 |
| S1 | Port security was configured on the incorrect interface | interface FastEthernet0/3 |
| | | switchport access vlan 10 |
| | | switchport mode access |
| | | switchport port-security |
| | | switchport port-security mac-address sticky |
| S3 | Interface G1/1 switchport is not configured as a trunk port | interface g1/1 |
| | | switchport mode trunk |
| S4 | Port channels are configured incorrectly | interface range f0/1-2 |
| | | no channel-group 3 mode auto |
| | | channel-group 2 mode auto |
| | | interface range f0/3-4 |
| | | no channel-group 2 mode auto |
| | | channel-group 3 mode auto |


Verification Documentation
Capture output from verification commands and provide documentation proving that each of the requirements has
been satisfied.
Instructor’s Note: The answer key for this section is left blank because there are many ways to verify the
requirements.

Suggested Scoring Rubric


Packet Tracer scores 60 points. The troubleshooting documentation and instructor verification are worth 40 points.

Packet Tracer – Troubleshooting Challenge - Using
Documentation to Solve Issues (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology


Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| PC1 | NIC | 10.2.15.10 | 255.255.255.0 | 10.2.15.1 |
| PC2 | NIC | 10.2.25.10 | 255.255.255.0 | 10.2.25.1 |
| PC3 | NIC | 10.2.35.10 | 255.255.255.0 | 10.2.35.1 |
| PC4 | NIC | 10.3.100.4 | 255.255.255.0 | 10.3.100.1 |
| PC5 | NIC | 10.3.100.5 | 255.255.255.0 | 10.3.100.1 |
| PC6 | NIC | 10.4.1.10 | 255.255.255.0 | 10.4.1.1 |
| PC7 | NIC | 10.5.1.10 | 255.255.255.0 | 10.5.1.1 |
| DNS Server | NIC | 10.1.100.2 | 255.255.255.0 | 10.1.100.1 |
| R1 | S0/0/0 | 10.1.0.4 | 255.255.255.248 | N/A |
| R1 | G0/0 | 10.4.1.1 | 255.255.255.0 | N/A |
| R2 | S0/0/0 | 10.1.0.3 | 255.255.255.248 | N/A |
| R2 | G0/0.100 | 10.3.100.1 | 255.255.255.0 | N/A |
| R2 | G0/0.105 | 10.3.105.1 | 255.255.255.0 | N/A |
| R3 | S0/0/0 | 10.1.0.2 | 255.255.255.248 | N/A |
| R3 | G0/0.5 | 10.2.5.1 | 255.255.255.0 | N/A |
| R3 | G0/0.15 | 10.2.15.1 | 255.255.255.0 | N/A |
| R3 | G0/0.25 | 10.2.25.1 | 255.255.255.0 | N/A |
| R3 | G0/0.35 | 10.2.35.1 | 255.255.255.0 | N/A |
| R4 | S0/0/0 | 10.1.0.5 | 255.255.255.248 | N/A |
| R4 | G0/0 | 10.5.1.1 | 255.255.255.0 | N/A |
| R5 | S0/0/0 | 10.1.0.1 | 255.255.255.248 | N/A |
| R5 | S0/0/1 | 209.165.201.2 | 255.255.255.252 | N/A |
| R5 | G0/0 | 10.1.100.1 | 255.255.255.0 | N/A |
| S1 | None | None | None | None |
| S2 | VLAN 105 | 10.3.105.21 | 255.255.255.0 | 10.3.105.1 |
| S3 | VLAN 105 | 10.3.105.22 | 255.255.255.0 | 10.3.105.1 |
| S4 | VLAN 5 | 10.2.5.21 | 255.255.255.0 | 10.2.5.1 |
| S5 | VLAN 5 | 10.2.5.23 | 255.255.255.0 | 10.2.5.1 |
| S6 | VLAN 5 | 10.2.5.22 | 255.255.255.0 | 10.2.5.1 |
| S7 | None | None | None | None |

Objectives


Part 1: Gather Documentation


Part 2: Test Connectivity
Part 3: Gather Data and Implement Solutions
Part 4: Test Connectivity

Scenario
This is Part II of a two-part activity. Part I is Packet Tracer - Troubleshooting Challenge - Documenting
the Network, which you should have completed earlier in the chapter. In Part II, you will use your
troubleshooting skills and documentation from Part I to solve connectivity issues between PCs.

Part 1: Gather Documentation


Step 1: Retrieve network documentation.
To successfully complete this activity, you will need your documentation for the Packet Tracer -
Troubleshooting Challenge - Documenting the Network activity you completed previously in this chapter.
Locate that documentation now.

Step 2: Documentation requirements.


The documentation you completed in the previous activity should have an accurate topology and addressing
table. If necessary, update your documentation to reflect an accurate representation of a correct answer from
the Packet Tracer - Troubleshooting Challenge - Documenting the Network activity. You may need to
consult with your instructor.
Instructor Note: The student must have a complete and accurate picture of the answer network from the
previous activity, Packet Tracer - Troubleshooting Challenge - Documenting the Network. You will need
to either verify that the student’s previous work is correct or provide accurate documentation.

Part 2: Test Connectivity


Step 1: Determine location of connectivity failure.
At the end of this activity, there should be full connectivity from PC to PC and from each PC to the
www.cisco.pka server. However, right now you must determine where connectivity fails by pinging from:
• PCs to www.cisco.pka server
• PC to PC
• PC to default gateway

Step 2: What pings were successful?


Document both the successful and failed pings.
None of the PCs can ping the www.cisco.pka server. PC1, PC2, and PC3 can ping each other. PC4 and PC5
can ping each other. All PCs can ping their respective default gateways.

Part 3: Gather Data and Implement Solutions


Step 1: Choose a PC to begin gathering data.
Choose any PC and begin gathering data by testing connectivity to the default gateway. You can also use
traceroute to see where connectivity fails.


Step 2: Telnet to the default gateway and continue gathering data.


a. If the PC you chose does not have connectivity to its default gateway, choose another PC to approach
the problem from a different direction.
b. After you have established connectivity through a default gateway, the login password is cisco and the
privileged EXEC mode password is class.

Step 3: Use troubleshooting tools to verify the configuration.


At the default gateway router, use troubleshooting tools to verify the configuration with your own
documentation. Remember to check switches in addition to the routers. Be sure to verify the following:
• Addressing information
• Interface activation
• Encapsulation
• Routing
• VLAN configuration
• Duplex or speed mismatches

Step 4: Document network symptoms and possible solutions.


As you discover symptoms of the PC connectivity issue, add them to your documentation.
Instructor Note: The following is only one way the student might progress through this activity. The student
can start from any PC, except www.cisco.pka. For this sample answer, we started at PC4.
Problem 1: From PC4, you can access the default gateway, R2. Telnet to R2 and verify the routing table. R2
only has directly connected routes, so verify the current interface configuration using the show protocols or
show ip interface brief command. Careful examination of the IP addresses will reveal that the S0/0/0
address is incorrect. It should be 10.1.0.3 instead of 10.1.100.3. The show ip protocols command reveals no
problems with the EIGRP configuration on R2.
Solution 1: Configure the correct IP address for the S0/0/0 interface on R2.
Problem 2: After EIGRP converges on R2, use the show ip route command to gather further information
about possible problems. R2 has correct connected routes but only has two EIGRP routes. Missing routes
include the four VLANs for R3, the R1 LAN, and the R4 LAN. Pinging R3 is successful, so telnet to R3.
Because R2 is not receiving routes from R3, check the EIGRP configuration on R3 with the show ip
protocols command. R3 is sending and receiving EIGRP updates and is advertising the correct network.
However, automatic network summarization is in effect. Therefore, R3 is only sending the classful 10.0.0.0/8
network in EIGRP periodic updates.
Solution 2: Configure R3 with the no auto-summary command.
Problem 3: Exit back to R3 and check the routing table. Routes are missing for the R1 and R4 LANs. Test
connectivity to R1 and R4 by pinging the serial interfaces of those routers. Pings to R1 fail but succeed to R4.
Telnet to R4. On R4, display the routing table. R4 has no EIGRP routes, so use the show ip protocols command
to verify EIGRP routing. The command generates no output under the Routing for Networks section, so
EIGRP is not configured correctly. Use the show run command to check the EIGRP commands. EIGRP is
missing the network command.
Solution 3: Configure R4 with the EIGRP command, network 10.0.0.0.
Problem 4: After EIGRP converges, check the R4 routing table. The R1 LAN is still missing. Because the
pings to R1 fail, access R1 from PC6. First, ping the default gateway address and then telnet into R1. Display
the routing table. Notice that only the F0/0 network is in the routing table. Check the interface configuration
with the show ip interface brief command. The S0/0/0 interface is physically “up” but the data link layer is
“down”. Investigate S0/0/0 with the show interface command. The encapsulation is set to PPP instead of
Frame Relay.
Solution 4: Change the S0/0/0 interface encapsulation on R1 from PPP to Frame Relay with the
encapsulation frame-relay command. All PCs should now be able to ping each other.
Problem 5: PCs still cannot ping the www.cisco.pka server. From any device, test connectivity and then telnet
to R5. Investigate the interface status with the show ip interface brief command. The S0/0/1 interface is
administratively down.
Solution 5: Activate the S0/0/1 interface on R5 with the no shutdown command.
Problem 6: PCs still can’t ping the www.cisco.pka server. However, PCs can ping the DNS server. The
problem is either with the R5 configuration or the ISP configuration. Because you do not have access to the
ISP router, check the configuration on R5. The show run command reveals that R5 is using NAT. The
configuration is missing the NAT statement that binds the NAT pool to the access list.
Solution 6: Configure R5 with the ip nat inside source list 1 pool LAN overload command.
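
Problems 1, 4 and 5 above are each found by comparing a device's running configuration with the documentation. The check below is an added example, not part of the original activity: it parses interface blocks from running-config text and reports address, encapsulation and shutdown differences against documented values. The config excerpts are constructed from the Device Configs with the described faults put back (the mask on the faulty R2 address is assumed), and the function names are illustrative.

```python
import ipaddress
import re


def short_name(name):
    """Normalize 'Serial0/0/0', 'Gig0/0' or 'g0/0.100' to 'S0/0/0', 'G0/0', 'G0/0.100'."""
    m = re.match(r"\s*([A-Za-z]+)\s*([\d/.]+)\s*$", name)
    return m.group(1)[0].upper() + m.group(2) if m else name.strip()


def parse_interfaces(config):
    """Parse interface blocks from running-config text (sub-commands are indented)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command closes any open block
            current = None
            if line.lower().startswith("interface "):
                name = short_name(line.split(None, 1)[1])
                # Cisco serial interfaces use HDLC when no encapsulation is configured.
                default_encap = "hdlc" if name.startswith("S") else None
                current = interfaces.setdefault(
                    name, {"ip": None, "shutdown": False, "encapsulation": default_encap})
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["ip", "address"] and len(words) >= 4:
            current["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words == ["shutdown"]:
            current["shutdown"] = True
        elif words[0] == "encapsulation" and len(words) > 1:
            current["encapsulation"] = words[1].lower()
    return interfaces


def audit(device, config, documented):
    """Return (device, interface, problem) tuples where config and documentation differ."""
    actual = parse_interfaces(config)
    findings = []
    for ifname, want in documented.items():
        have = actual.get(short_name(ifname))
        if have is None:
            findings.append((device, ifname, "not present in running-config"))
            continue
        want_ip = ipaddress.ip_interface(want["ip"])
        if have["ip"] != want_ip:
            findings.append(
                (device, ifname, f"address {have['ip'] or 'unset'} should be {want_ip}"))
        if have["shutdown"]:
            findings.append((device, ifname, "administratively down (shutdown)"))
        want_encap = want.get("encapsulation")
        if want_encap and have["encapsulation"] != want_encap.lower():
            findings.append(
                (device, ifname, f"encapsulation {have['encapsulation']} should be {want_encap}"))
    return findings


# Constructed excerpts: faults from Problem 1 (R2), Problem 4 (R1) and Problem 5 (R5).
FAULTY_CONFIGS = {
    "R2": """interface Serial0/0/0
 ip address 10.1.100.3 255.255.255.248
 encapsulation frame-relay
""",
    "R1": """interface Serial0/0/0
 ip address 10.1.0.4 255.255.255.248
 encapsulation ppp
""",
    "R5": """interface Serial0/0/1
 ip address 209.165.201.2 255.255.255.252
 shutdown
router eigrp 1
 network 10.0.0.0
""",
}

# Expected values from the Addressing Table and the Device Configs section.
DOCUMENTED = {
    "R2": {"S0/0/0": {"ip": "10.1.0.3/255.255.255.248", "encapsulation": "frame-relay"}},
    "R1": {"S0/0/0": {"ip": "10.1.0.4/255.255.255.248", "encapsulation": "frame-relay"}},
    "R5": {"S0/0/1": {"ip": "209.165.201.2/255.255.255.252"}},
}


def audit_all(configs=FAULTY_CONFIGS, documented=DOCUMENTED):
    findings = []
    for device, want in documented.items():
        findings += audit(device, configs.get(device, ""), want)
    return findings


if __name__ == "__main__":
    for device, ifname, problem in audit_all():
        print(f"{device} {ifname}: {problem}")
```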

Step 5: Make changes based on your solutions from the previous step.

Part 4: Test Connectivity


Step 1: Test PC connectivity.
a. All PCs should now be able to ping each other and the www.cisco.pka server. If you changed any IP
configurations, create new pings because the prior pings use the old IP address.
b. If there are still connectivity issues between PCs or PC to server, return to Part 3 and continue
troubleshooting.

Step 2: Check results.


Your Packet Tracer score should be 70/70. If not, return to Part 2 and continue to troubleshoot and implement
your suggested solutions. You will not be able to click Check Results and see which required components
are not yet completed.


Suggested Scoring Rubric

| Activity Section | Question Location | Possible Points | Earned Points |
|---|---|---|---|
| Part 2: Test Connectivity | Step 2-a | 15 | |
| | Part 2 Total | 15 | |
| Part 3: Gather Data and Implement Solutions | Step 4-a | 15 | |
| | Part 3 Total | 15 | |
| | Packet Tracer Score | 70 | |
| | Total Score | 100 | |

Device Configs

Router R1
R1#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.4.1.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.4 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
network 10.0.0.0
no auto-summary
ip classless
line con 0

password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router R2
R2#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
enable secret class
spanning-tree mode pvst
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.3.100.1 255.255.255.0
interface GigabitEthernet0/0.105
encapsulation dot1Q 105 native
ip address 10.3.105.1 255.255.255.0
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.3 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0
line vty 0 4

password cisco
login
end

Router R3
R3#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R3
enable secret class
spanning-tree mode pvst
interface Gig0/0
no ip address
duplex auto
speed auto
interface Gig0/0.5
encapsulation dot1Q 5 native
ip address 10.2.5.1 255.255.255.0
interface Gig0/0.15
encapsulation dot1Q 15
ip address 10.2.15.1 255.255.255.0
interface Gig0/0.25
encapsulation dot1Q 25
ip address 10.2.25.1 255.255.255.0
interface Gig0/0.35
encapsulation dot1Q 35
ip address 10.2.35.1 255.255.255.0
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login

line aux 0
line vty 0 4
password cisco
login
end

Router R4
R4#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R4
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.5.1.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.5 255.255.255.248
encapsulation frame-relay
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
network 10.0.0.0
no auto-summary
ip classless
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router R5
R5#sh run

no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R5
enable secret class
spanning-tree mode pvst
interface Gig0/0
ip address 10.1.100.1 255.255.255.0
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.1.0.1 255.255.255.248
encapsulation frame-relay
ip nat inside
interface Serial0/0/1
ip address 209.165.201.2 255.255.255.252
ip nat outside
no cdp enable
interface Vlan1
no ip address
shutdown
router eigrp 1
passive-interface Gig0/0
passive-interface Serial0/0/1
network 10.0.0.0
default-information originate
no auto-summary
ip nat pool LAN 209.165.202.128 209.165.202.159 netmask 255.255.255.224
ip nat inside source list 1 pool LAN overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
access-list 1 permit 10.0.0.0 0.255.255.255
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
end

Router ISP
ISP#sh run
no service timestamps log datetime msec

no service timestamps debug datetime msec
no service password-encryption
hostname ISP
spanning-tree mode pvst
interface Gig0/0
ip address 209.165.200.225 255.255.255.252
duplex auto
speed auto
interface Gig0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 209.165.201.1 255.255.255.252
clock rate 64000
interface Serial0/0/1
no ip address
interface Serial0/2/0
no ip address
interface Serial0/2/1
no ip address
interface Vlan1
no ip address
shutdown
ip classless
ip route 209.165.202.128 255.255.255.224 Serial0/0/0
no cdp run
line con 0
line aux 0
line vty 0 4
login
end

Switch S1
S1#sh run
hostname S1
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10

interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S2
S2#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S2
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/4
interface FastEthernet0/5
switchport access vlan 100

switchport mode access
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.21 255.255.255.0
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S3
S3#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S3
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
switchport trunk native vlan 105
switchport mode trunk

interface FastEthernet0/3
switchport trunk native vlan 105
switchport mode trunk
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
switchport access vlan 100
switchport mode access
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan105
ip address 10.3.105.22 255.255.255.0
ip default-gateway 10.3.1.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S4
S4#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption

hostname S4
enable secret class
spanning-tree mode pvst
spanning-tree vlan 1,5,15,25,35 priority 4096
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.21 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login

line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S5
S5#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S5
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2

interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.23 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S6
S6#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S6
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/2
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/3
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/4
switchport trunk native vlan 5
switchport mode trunk
interface FastEthernet0/5
interface FastEthernet0/6
switchport access vlan 15
switchport mode access
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
switchport access vlan 25
switchport mode access
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
switchport access vlan 35
switchport mode access
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
interface Vlan5
ip address 10.2.5.22 255.255.255.0
ip default-gateway 10.2.5.1
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
login
end

Switch S7
S7#sh run
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S7
enable secret class
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
shutdown
line con 0
line vty 0 4
login
line vty 5 15
login
end

Packet Tracer – CCNA Skills Integration Challenge
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device  Interface  IP Address      Subnet Mask      Default Gateway DLCI Mapping
HQ      G0/0       10.0.1.1        255.255.255.0    N/A
HQ      S0/0/0.41  10.255.255.1    255.255.255.252  DLCI 41 to B1
HQ      S0/0/1     10.255.255.253  255.255.255.252  N/A
HQ      S0/1/0     209.165.201.1   255.255.255.252  N/A
B1      G0/0.10    10.1.10.1       255.255.255.0    N/A
B1      G0/0.20    10.1.20.1       255.255.255.0    N/A
B1      G0/0.30    10.1.30.1       255.255.255.0    N/A
B1      G0/0.99    10.1.99.1       255.255.255.0    N/A
B1      S0/0/0     10.255.255.2    255.255.255.252  N/A
B1-S2   VLAN 99    10.1.99.22      255.255.255.0    10.1.99.1

VLAN Configurations and Port Mappings

VLAN Number  Network Address  VLAN Name    Port Mappings
10           10.1.10.0/24     Admin        Fa0/6
20           10.1.20.0/24     Sales        Fa0/11
30           10.1.30.0/24     Production   Fa0/16
99           10.1.99.0/24     Mgmt&Native  Fa0/1-4
999          N/A              BlackHole    Unused Ports

Scenario
In this comprehensive CCNA skills activity, the XYZ Corporation uses a combination of Frame Relay and PPP
for WAN connections. Other technologies include NAT, DHCP, static and default routing, EIGRP for IPv4,
inter-VLAN routing, and VLAN configurations. Security configurations include SSH, port security, switch
security, and ACLs.

Requirements
Note: The user EXEC password is cisco and the privileged EXEC password is class.
SSH
• Configure HQ to use SSH for remote access.
  - Set the modulus to 2048. The domain name is CCNASkills.com.
  - The username is admin and the password is adminonly.
  - Only SSH should be allowed on VTY lines.
  - Modify the SSH defaults: version 2; 60-second timeout; two retries.
Frame Relay
• Configure Frame Relay between HQ and B1.
  - Refer to the Addressing Table for the IP address, subnet mask, and DLCI.
  - HQ uses a point-to-point subinterface and DLCI 41 to connect to B1.
  - The LMI type must be manually configured as q933a for HQ and B1.
PPP
• Configure the WAN link from HQ to the Internet using PPP encapsulation and CHAP authentication.
  - Create a user ISP with the password of cisco.
• Configure the WAN link from HQ to NewB using PPP encapsulation and PAP authentication.
  - HQ is the DCE side of the link. You choose the clock rate.
  - Create a user NewB with the password of cisco.
NAT
• Configure static and dynamic NAT on HQ.
  - Allow all addresses for the 10.0.0.0/8 address space to be translated using a standard access list named NAT.
  - XYZ Corporation owns the 209.165.200.240/29 address space. The pool, HQ, uses addresses .241 to .245 with a /29 mask.
  - The WWW.pka website at 10.0.1.2 is registered with the public DNS system at IP address 209.165.200.246 and should be accessible from the Outside Host.
DHCP
• On B1, configure a DHCP pool for the Sales VLAN 20 using the following requirements:
  - Exclude the first 10 IP addresses in the range.
  - The case-sensitive pool name is VLAN20.
  - Include the DNS server attached to the HQ LAN as part of the DHCP configuration.
• Configure the Sales PC to use DHCP.
Static and Default Routing
• Configure HQ with a default route to the Internet and a static route to the NewB LAN. Use the exit interface as an argument.
EIGRP Routing
• Configure and optimize HQ and B1 with EIGRP routing.
  - Use autonomous system 100 and disable automatic summarization.
  - HQ should advertise the static and default routes to B1.
  - Disable EIGRP updates on appropriate interfaces.
  - Manually summarize EIGRP routes so that the B1 router only advertises the 10.1.0.0/16 address space to HQ.
Inter-VLAN Routing
• Configure B1 for inter-VLAN routing.
  - Using the addressing table for branch routers, configure and activate the LAN interface for inter-VLAN routing. VLAN 99 is the native VLAN.
VLANs and Trunking Configurations
• Configure trunking and VLANs on B1-S2.
  - Create and name the VLANs listed in the VLAN Configuration and Port Mappings table on B1-S2 only.
  - Configure the VLAN 99 interface and default gateway.
  - Assign VLANs to the appropriate access ports.
  - Set trunking mode to on for Fa0/1 - Fa0/4.
  - Disable all unused ports and assign the BlackHole VLAN.
Port Security
• Use the following policy to establish port security on the B1-S2 access ports:
  - Allow one MAC address to be learned on the port.
  - Configure the first learned MAC address to stick to the configuration.
  - Set the port to shut down if there is a security violation.
Access List Policy
• Because HQ is connected to the Internet, configure a named ACL called HQINBOUND in the following order:
  - Allow inbound HTTP requests to the WWW.pka server.
  - Allow only established TCP sessions from the Internet.
  - Allow only inbound ping replies from the Internet.
  - Explicitly block all other inbound access from the Internet.
Connectivity
• Verify full connectivity from each PC to WWW.pka and www.cisco.pka.

Device Configs

Router HQ
enable
conf t
username ISP password cisco
username NewB password cisco
username admin password adminonly
ip domain-name CCNASkills.com
crypto key generate rsa
2048
line vty 0 15
transport input ssh
login local
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
interface Gig0/0
ip nat inside
interface Serial0/0/0
encapsulation frame-relay
frame-relay lmi-type q933a
no shut
interface Serial0/0/0.41 point-to-point
ip address 10.255.255.1 255.255.255.252
frame-relay interface-dlci 41
ip nat inside
interface Serial0/0/1
description Link to NewB
ip address 10.255.255.253 255.255.255.252
encapsulation ppp
ppp authentication pap
ppp pap sent-username HQ password cisco
ip nat inside
no shut
interface Serial0/1/0
description Link to ISP
encapsulation ppp
ppp authentication chap
ip access-group HQINBOUND in
ip nat outside
router eigrp 100
passive-interface Gig0/0
passive-interface Serial0/0/1
passive-interface Serial0/1/0
network 10.0.0.0
redistribute static
no auto-summary
ip nat pool HQ 209.165.200.241 209.165.200.245 netmask 255.255.255.248
ip nat inside source list NAT pool HQ overload
ip nat inside source static 10.0.1.2 209.165.200.246
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 10.4.5.0 255.255.255.0 Serial0/0/1
ip access-list standard NAT
permit 10.0.0.0 0.255.255.255
ip access-list extended HQINBOUND
permit tcp any host 209.165.200.246 eq www
permit tcp any any established
permit icmp any any echo-reply
deny ip any any
line vty 0 15
login local
transport input ssh
end
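
The HQINBOUND entries above are evaluated top-down with the first match winning, and because the inbound ACL on Serial0/1/0 is checked before NAT rewrites the destination, the HTTP entry names the public address 209.165.200.246 rather than 10.0.1.2. The first-match evaluator below is an added example, not part of the Cisco lab; the packet fields and the sample packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
WWW = ip_network("209.165.200.246/32")  # public (static NAT) address of WWW.pka

# HQINBOUND in configured order: (action, protocol, source, destination, qualifier)
HQINBOUND = [
    ("permit", "tcp", ANY, WWW, ("dport", 80)),
    ("permit", "tcp", ANY, ANY, ("established", True)),
    ("permit", "icmp", ANY, ANY, ("icmp_type", "echo-reply")),
    ("deny", "ip", ANY, ANY, None),
]

def entry_matches(entry, pkt):
    _, proto, src, dst, qualifier = entry
    if proto not in ("ip", pkt["proto"]):
        return False
    if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
        return False
    if qualifier is None:
        return True
    key, want = qualifier
    if key == "established":  # flag check only (ACK or RST set), no session state
        return bool({"ACK", "RST"} & set(pkt.get("flags", ())))
    return pkt.get(key) == want

def evaluate(acl, pkt):
    """Return (action, entry number) for the first entry that matches pkt."""
    for number, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry[0], number
    return "deny", None  # implicit deny when nothing matches

# Constructed packets arriving inbound on Serial0/1/0 (sources are documentation addresses)
SAMPLES = {
    "http to WWW.pka": dict(proto="tcp", src="198.51.100.7", dst="209.165.200.246", dport=80, flags=["SYN"]),
    "new SSH session": dict(proto="tcp", src="198.51.100.7", dst="209.165.200.241", dport=22, flags=["SYN"]),
    "reply to inside client": dict(proto="tcp", src="203.0.113.9", dst="209.165.200.241", dport=49152, flags=["ACK"]),
    "ping reply": dict(proto="icmp", src="203.0.113.9", dst="209.165.200.241", icmp_type="echo-reply"),
    "ping request": dict(proto="icmp", src="198.51.100.7", dst="209.165.200.246", icmp_type="echo"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} -> {evaluate(HQINBOUND, pkt)}")
```

Moving the explicit deny above any permit entry makes every sample return deny, which is why the requirement fixes the order.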

Router B1
enable
conf t
ip dhcp excluded-address 10.1.20.1 10.1.20.10
ip dhcp pool VLAN20
network 10.1.20.0 255.255.255.0
default-router 10.1.20.1
dns-server 10.0.1.4
interface Gig0/0
no shut
interface Gig0/0.10
description Admin VLAN 10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
interface Gig0/0.20
description Sales VLAN 20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.0
interface Gig0/0.30
description Production VLAN 30
encapsulation dot1Q 30
ip address 10.1.30.1 255.255.255.0
interface Gig0/0.99
description Mgmt&Native VLAN 99
encapsulation dot1Q 99 native
ip address 10.1.99.1 255.255.255.0
interface Serial0/0/0
ip address 10.255.255.2 255.255.255.252
encapsulation frame-relay
frame-relay lmi-type q933a
ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
no shut
router eigrp 100
passive-interface Gig0/0.10
passive-interface Gig0/0.20
passive-interface Gig0/0.30
passive-interface Gig0/0.88
passive-interface Gig0/0.99
network 10.0.0.0
no auto-summary
end

Switch B1-S2
enable
conf t
vlan 10
name Admin
vlan 20
name Sales
vlan 30
name Production
vlan 99
name Mgmt&Native
vlan 999
name BlackHole
interface range FastEthernet0/1-4
switchport trunk native vlan 99
switchport mode trunk
interface range fa0/5,fa0/7-10,fa0/12-15,fa0/17-24,g0/1-2
description Unused port
switchport access vlan 999
switchport mode access
shutdown
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/16
switchport access vlan 30
switchport mode access
switchport port-security
switchport port-security mac-address sticky
interface Vlan99
ip address 10.1.99.22 255.255.255.0
ip default-gateway 10.1.99.1
end
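
A check of the B1-S2 port policy from the requirements (trunks on Fa0/1-4, sticky port security on the access ports, every other port shut down in the BlackHole VLAN), as an added example that is not part of the Cisco lab. The audit function and its port naming are assumptions for illustration; the embedded stanzas are taken from the B1-S2 configuration above with the description and "switchport mode access" lines trimmed.

```python
import re

# B1-S2 port stanzas from the configuration above (trimmed as noted in the lead-in)
CONFIG = """\
interface range FastEthernet0/1-4
switchport mode trunk
interface range fa0/5,fa0/7-10,fa0/12-15,fa0/17-24,g0/1-2
switchport access vlan 999
shutdown
interface FastEthernet0/6
switchport access vlan 10
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/11
switchport access vlan 20
switchport port-security
switchport port-security mac-address sticky
interface FastEthernet0/16
switchport access vlan 30
switchport port-security
switchport port-security mac-address sticky
"""
SECURED = {"switchport port-security", "switchport port-security mac-address sticky"}
PARKED = {"switchport access vlan 999", "shutdown"}

def expand(spec):
    """'fa0/7-10,g0/1-2' -> ['Fa0/7', ..., 'Gi0/2']"""
    ports = []
    for part in spec.split(","):
        kind, slot, lo, hi = re.fullmatch(r"\s*([A-Za-z]+)(\d+)/(\d+)(?:-(\d+))?\s*", part).groups()
        name = "Gi" if kind[0] in "Gg" else "Fa"
        ports += [f"{name}{slot}/{n}" for n in range(int(lo), int(hi or lo) + 1)]
    return ports

def parse(config):
    """Map each port named by 'interface' or 'interface range' to its commands."""
    ports, current = {}, []
    for line in filter(None, map(str.strip, config.splitlines())):
        m = re.match(r"interface\s+(?:range\s+)?(.+)", line)
        if m:  # SVIs such as Vlan99 are not switch ports
            current = [] if m.group(1).lower().startswith("vlan") else expand(m.group(1))
        for port in current:
            ports.setdefault(port, set()).add(line)
    return ports

def audit(config, all_ports="fa0/1-24,g0/1-2"):
    """Ports that are neither trunk, port-secured access, nor parked in VLAN 999."""
    ports = parse(config)
    allowed = ({"switchport mode trunk"}, SECURED, PARKED)
    return [p for p in expand(all_ports) if not any(ok <= ports.get(p, set()) for ok in allowed)]
```

An empty list from audit(CONFIG) means every port falls under one of the three policy cases; a port missing from the unused range or an access port without the sticky line is returned by name.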
