CCNAv7
Switching, Routing, and Wireless Essentials v7.0 (SRWE)
SRWE Practice PT Skills Assessment (PTSA) - Part 2
A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button in the browser window to submit your work.
Addressing Table
Device Interface Address and Prefix
RTR-HQ G0/0/0 192.168.1.1/24
RTR-HQ G0/0/0 2001:db8:acad:1::1/64
RTR-HQ G0/0/0 fe80::1
RTR-HQ G0/0/1 192.168.2.1/24
RTR-HQ G0/0/1 2001:db8:acad:2::1/64
RTR-HQ G0/0/1 fe80::1
RTR-HQ G0/0/2 10.1.0.1/30
RTR-HQ G0/0/2 2001:db8:acad:a::1/64
RTR-HQ G0/0/2 fe80::2
RTR-HQ S0/1/0 10.2.0.1/30
RTR-HQ S0/1/0 2001:db8:acad:b::1/64
RTR-HQ S0/1/0 fe80::2
RTR-HQ S0/1/1 10.4.0.1/30
RTR-HQ S0/1/1 2001:db8:acad:d::1/64
RTR-Office S0/1/1 10.4.0.2/30
RTR-Office S0/1/1 2001:db8:acad:d::2/64
RTR-Office S0/1/1 fe80::2
RTR-Office G0/0/0 192.168.3.1/24
RTR-Office G0/0/0 2001:db8:acad:3::1/64
RTR-Office G0/0/0 fe80::1
RTR-Branch G0/0/0.10 192.168.10.1/24
RTR-Branch G0/0/0.100 192.168.100.1/24
RTR-Branch G0/0/0.172 172.16.1.1/24
RTR-Branch G0/0/1 DHCP
RTR-Branch G0/0/1 2001:db8:acad:c::2/64
RTR-Branch S0/1/0 10.2.0.2/30
RTR-Branch S0/1/0 2001:db8:acad:b::2/64
Cloud Router G0/0/0 10.1.0.2/24
Cloud Router G0/0/0 2001:DB8:ACAD:A::2/64
Cloud Router G0/0/1 10.3.0.1/24
Cloud Router G0/0/1 2001:DB8:ACAD:C::1/64
WLC-10 management 192.168.100.254
WLC-10 WLAN 10 192.168.10.254/24
Office Server NIC 192.168.3.122
Office Server NIC 2001:db8:acad:3::122
Web Server NIC 203.0.113.25
Web Server NIC 2001:db8:acad:cafe:25
DNS Server NIC 198.51.100.163
DNS Server NIC 2001:DB8:face::163
Management Host NIC 192.168.100.23
Wireless Host NIC DHCP
RADIUS server NIC 172.16.1.100/24
Host 1 NIC 192.168.1.10/24
Host 1 NIC 2001:db8:acad:1::10/64
Host 2 NIC 192.168.1.11/24
Host 2 NIC 2001:db8:acad:1::11/64
Host 3 NIC 192.168.2.20/24
Host 3 NIC 2001:db8:acad:2::20/64
Host 4 NIC 192.168.2.21/24
Host 4 NIC 2001:db8:acad:2::21/64
Host 5 NIC 192.168.3.30/24
Host 5 NIC 2001:db8:acad:3::30/64
Objectives
In this assessment, you will configure the following:
- Floating static and default routes in IPv4 and IPv6.
- Host routes in IPv4 and IPv6.
- DHCP pools and scopes.
- Switch security including port security.
- Enhanced LAN security with DHCP snooping, dynamic ARP inspection, PortFast, and BPDU guard.
- Wireless LAN Controller-based wireless LAN with enterprise authentication.
You will only configure the RTR-HQ and RTR-Branch routers, the SW-1 switch, and the WLC-10
wireless LAN controller. Access to other devices is not available.
Background / Scenario
XYZ Corp. is reworking their network. You have been asked to prototype the network in Packet
Tracer for evaluation by senior network staff.
Instructions
Part 1: Configure Switch Security
In this part of the assessment you will configure switch SW-1 with switch security features.
Switch ports FastEthernet0/1 to FastEthernet0/5 are the active switch ports. Port
GigabitEthernet0/1 is a dedicated link to router RTR-HQ. All other ports should be secured.
Step 1: Configure VLANs
a. Configure VLAN 10 with name users.
b. Configure VLAN 999 with the name unused.
Step 2: Configure active switch ports.
On the active switch ports configure the following:
a. Configure FastEthernet 0/1 through 0/5 and GigabitEthernet 0/1 as static access ports in
VLAN 10.
b. Activate port security on the ports.
1) Configure the active ports to accept a maximum of 4 MAC addresses.
2) If a violation occurs, configure the ports to drop frames from the unauthorized MAC
address, log it, and send an alert.
3) MAC addresses should be present in the MAC address table for a maximum of 10
minutes before they are removed.
4) Ports should add the learned MAC addresses to the running configuration.
5) Configure the MAC address of Host 1 as a static address on port FastEthernet0/1.
c. Protect against DHCP attacks by configuring DHCP snooping.
Note: In this simulated network, DHCP snooping may not operate correctly in Packet
Tracer. Configure it as you would normally. You will receive full credit for a configuration
that meets the requirements below.
1) Activate DHCP snooping globally.
2) Activate DHCP snooping for the two VLANs that you configured.
3) Configure the ports to limit the rate to 5 DHCP packets per second.
4) Configure the port that links to the router as trusted.
d. Guard against ARP attacks by implementing DAI.
1) Activate DAI globally.
2) Activate DAI on the two VLANs.
3) Configure the port that links to the router as trusted.
e. Mitigate STP attacks by configuring BPDU guard and PortFast on the active ports.
Step 3: Secure unused switch ports.
a. Move all unused switch ports to VLAN 999.
b. Configure all unused switch ports as static access ports.
c. Deactivate all unused switch ports.
Part 2: Configure Addressing and DHCP
You will configure DHCP and interface addressing on router RTR-Branch to prepare for
implementing the wireless LAN controller network.
Step 1: Configure and address a subinterface for the WLAN user network.
a. Configure subinterface 10 on the router interface that is connected to the switch SW-4.
b. The router should provide router-on-a-stick routing to VLAN 10.
c. Configure the subinterface with the address from the Addressing Table.
Step 2: Configure a DHCP pool for WLAN user network.
a. Exclude the router interface address and the management address of the WLC.
b. Configure a DHCP pool that will be used by hosts that are connecting to the WLAN.
1) Name the pool WLAN-hosts.
2) Configure the pool to use addresses in the 192.168.10.0/24 network.
3) The pool should also provide the default gateway and DNS server addresses.
Step 3: Configure an interface as a DHCP client.
On RTR-Branch, configure the interface that is connected to Cloud Router to receive its
address over DHCP.
Part 3: Configure Static Routes
In this part of the assessment you will configure static, default, floating static, and host routes in
both IPv4 and IPv6. You will configure the RTR-HQ and RTR-Branch routers. XYZ Corp. has
decided that it wants to use static routing between all its networks. In addition, the company
wants to use the Ethernet links between routers for most data traffic and reserve the serial link
between RTR-HQ and RTR-Branch for backup purposes in case one of the Ethernet links
becomes unavailable. You will be configuring floating static and default routes.
Step 1: Configure static routes on RTR-HQ.
a. Configure IPv4 default routes to the cloud using the Ethernet link as the preferred link and
the serial link as the floating backup. Use an administrative distance of 10 for the backup
route. These routes should be configured as directly connected routes.
Note: Ethernet interfaces will give a warning when configured without a next-hop address.
In this configuration, the interface is point-to-point, so the warning can be ignored.
b. Ensure that the device is configured to route IPv6.
c. Configure IPv6 default routes to the cloud. Use the Ethernet link as the primary route, and
the serial link as the floating backup. Use an administrative distance of 10 for the backup
route. These routes should specify the next hop interface address.
d. Configure IPv4 static routes to the Branch LAN WLAN user network following the same
guidelines as above for type of route and administrative distance.
e. Configure IPv4 and IPv6 host routes on RTR-HQ to the Office Server on the Office LAN.
Create a directly connected route for IPv4 and a next-hop route for IPv6.
Step 2: Configure static routes on RTR-Branch.
RTR-Branch must also be configured with static routes to the other three networks in the XYZ
Corp. network. It will require floating static and default routes in IPv4 and IPv6 following the
same guidelines as were used for the RTR-HQ static routes.
- IPv6 routes use next-hop address arguments.
- IPv4 routes use exit interface arguments.
- All routes should prefer the Ethernet links over the serial link.
- Backup floating routes use an administrative distance of 10.
a. Configure IPv4 default routes to the cloud using the Ethernet link as the preferred link and
the serial link as the backup.
b. Ensure that the device is configured to route IPv6.
c. Configure IPv6 default routes to the cloud. Use the Ethernet link as the primary route, and
the serial link as backup. Use an administrative distance of 10 for the backup route. These
routes should specify the next hop interface address.
Part 4: Configure a Wireless LAN using a Wireless LAN Controller
In this part of the assessment, you will configure the wireless LAN controller to provide
wireless access to the network. Username and password are the default admin/admin.
Connect to the WLC over HTTPS to the management interface.
Step 1: Configure a VLAN interface.
a. Create a new interface and name it WLAN 10. The interface should use VLAN 10 and
physical port 1.
b. Use the information in the addressing table to configure the addressing settings for the
interface. The interface will be using a DHCP pool that is configured on the subinterface
that is assigned to VLAN 10 on router RTR-Branch.
Step 2: Configure a RADIUS server.
a. Configure the WLC with the RADIUS server IPv4 address.
b. Use a shared secret of RADsecret.
Step 3: Configure a Wireless LAN.
a. Create a new WLAN. Name it WLAN 10 and configure the SSID as SSID-10.
b. The wireless LAN should use the VLAN interface that was previously configured.
c. Configure the WLAN to use the WPA2 security policy and dot1x Authentication Key
Management.
d. Configure the WLAN to use the RADIUS server that was previously configured to
authenticate wireless users.
e. Open the Advanced tab and scroll down to the FlexConnect sections. Activate FlexConnect
Local Switching and FlexConnect Local Auth.
f. Verify that the WLAN is configured and operational.
Step 4: Configure a DHCP scope for the management network.
Configure a new DHCP scope to be used by the LAPs and other management devices on the
network.
a. Name the DHCP scope Wired_Admin.
b. Start the scope at address 192.168.100.240. End the scope at address 192.168.100.249.
c. Other information that is required can be found in the Addressing Table.
Step 5: Configure an SNMP server.
Configure an SNMP server to receive traps from the WLC.
a. Use the community name branch-wireless.
b. Use 172.16.1.100 as the server address.
Step 6: Configure the wireless host.
Configure the Wireless Host to connect to the WLAN.
a. Create a new wireless profile on the host. Use the name work net for the profile.
b. Configure the profile for the SSID of the WLAN.
c. Use enterprise authentication with a username of user1 and password of user1Pass.
d. When you are finished, click Connect to Network. It will take time for the connection to be
established.
Last updated September 2023.
Version 2.1
Created in Packet Tracer 7.3.1 and Marvel 2.0.7
All contents are Copyright 2023 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
SW-1#sh run
Building configuration...
Current configuration : 4205 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-1
!
!
!
!
ip arp inspection vlan 10,999
ip arp inspection validate ip
!
ip dhcp snooping vlan 10,999
ip dhcp snooping
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport access vlan 10
ip dhcp snooping limit rate 5
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address 0001.4329.A790
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport access vlan 10
ip dhcp snooping limit rate 5
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address sticky
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport access vlan 10
ip dhcp snooping limit rate 5
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address sticky
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport access vlan 10
ip dhcp snooping limit rate 5
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address sticky
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
switchport access vlan 10
ip dhcp snooping limit rate 5
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address sticky
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/7
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/8
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/9
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/10
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/11
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/12
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/13
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/14
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/15
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/16
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/17
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/18
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/19
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/20
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/21
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/22
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/23
switchport access vlan 999
switchport mode trunk
shutdown
!
interface FastEthernet0/24
switchport access vlan 999
switchport mode trunk
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 10
ip arp inspection trust
ip dhcp snooping trust
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0030.F26A.9054
switchport port-security aging time 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport access vlan 999
switchport mode trunk
shutdown
!
interface Vlan1
no ip address
shutdown
!
!
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
!
!
end
SW-1#
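Added example, not part of the original assessment or of the device output above: a short Python audit that checks a show running-config listing against the Part 1 switch-security requirements and reports, per port, the required lines that are missing. The required-line lists are this example's reading of Part 1 (violation restrict is taken as the mode that drops, logs and alerts), and SAMPLE, parse and audit are names made up for the example.

```python
# Constructed sample in the style of a "show running-config" listing.
SAMPLE = """\
ip arp inspection vlan 10,999
ip dhcp snooping vlan 10,999
ip dhcp snooping
!
interface FastEthernet0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 5
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security aging time 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 999
 switchport mode trunk
 shutdown
!
interface GigabitEthernet0/1
 ip arp inspection trust
 ip dhcp snooping trust
"""
# Required lines per port role: this example's reading of Part 1 (an assumption).
PS = "switchport port-security"
GLOBAL_REQ = ["ip dhcp snooping", "ip dhcp snooping vlan 10,999",
              "ip arp inspection vlan 10,999"]
ACTIVE_REQ = ["switchport mode access", "switchport access vlan 10", PS,
              PS + " maximum 4", PS + " violation restrict", PS + " aging time 10",
              PS + " mac-address sticky", "ip dhcp snooping limit rate 5",
              "spanning-tree portfast", "spanning-tree bpduguard enable"]
UPLINK_REQ = ["ip dhcp snooping trust", "ip arp inspection trust"]
UNUSED_REQ = ["switchport mode access", "switchport access vlan 999", "shutdown"]

def parse(cfg):
    """Split a config into global lines and {interface: [lines]}."""
    glob, ifaces, cur = [], {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line in ("", "!"):
            cur = None  # '!' closes a stanza, so unindented dumps parse too
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        else:
            (glob if cur is None else cur).append(line)
    return glob, ifaces

def audit(cfg, active, uplink):
    """Return {scope: [missing lines]} for every scope that has gaps."""
    glob, ifaces = parse(cfg)
    gaps = {"global": [c for c in GLOBAL_REQ if c not in glob]}
    for name, lines in ifaces.items():
        req = UPLINK_REQ if name == uplink else ACTIVE_REQ if name in active else UNUSED_REQ
        if not name.startswith("Vlan"):  # SVIs are not switch ports
            gaps[name] = [c for c in req if c not in lines]
    return {k: v for k, v in gaps.items() if v}
print(audit(SAMPLE, {"FastEthernet0/2"}, "GigabitEthernet0/1"))
```

To audit every port at once, pass the full listing with the five active FastEthernet ports as the active set.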
RTR-Branch#sh run
Building configuration...
Current configuration : 1935 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RTR-Branch
!
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool WLAN-hosts
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 198.51.100.163
domain-name cisco.com
!
!
!
no ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 1 native
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/0/0.172
encapsulation dot1Q 172
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address dhcp
duplex auto
speed auto
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:ACAD:C::2/64
!
interface GigabitEthernet0/0/2
media-type sfp
no ip address
duplex auto
speed auto
!
interface Serial0/1/0
ip address 10.2.0.2 255.255.255.252
ipv6 address 2001:DB8:ACAD:B::2/64
clock rate 2000000
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.3.0.1
ip route 192.168.2.0 255.255.255.0 10.3.0.1
ip route 192.168.1.0 255.255.255.0 10.2.0.1 10
ip route 192.168.2.0 255.255.255.0 10.2.0.1 10
!
ip flow-export version 9
!
ipv6 route 2001:DB8:ACAD:1::/64 2001:DB8:ACAD:C::1
ipv6 route 2001:DB8:ACAD:2::/64 2001:DB8:ACAD:C::1
ipv6 route 2001:DB8:ACAD:2::/64 2001:DB8:ACAD:B::1 10
ipv6 route 2001:DB8:ACAD:1::/64 2001:DB8:ACAD:B::1 10
ipv6 route 2001:DB8:CAFE::/64 2001:DB8:ACAD:C::1
ipv6 route 2001:DB8:CAFE::/64 2001:DB8:ACAD:B::1 10
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
RTR-Branch#
RTR-HQ#sh run
Building configuration...
Current configuration : 1561 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RTR-HQ
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:ACAD:1::1/64
!
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:ACAD:2::1/64
!
interface GigabitEthernet0/0/2
media-type sfp
ip address 10.1.0.1 255.255.255.252
duplex auto
speed auto
ipv6 address 2001:DB8:ACAD:A::1/64
!
interface Serial0/1/0
ip address 10.2.0.1 255.255.255.252
ipv6 address 2001:DB8:ACAD:B::1/64
!
interface Serial0/1/1
ip address 10.4.0.1 255.255.255.252
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:ACAD:D::1/64
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.10.0 255.255.255.0 10.2.0.2 10
ip route 192.168.100.0 255.255.255.0 10.2.0.2 10
ip route 192.168.100.0 255.255.255.0 10.1.0.2
ip route 192.168.10.0 255.255.255.0 10.1.0.2
ip route 192.168.3.0 255.255.255.0 10.4.0.2
ip route 0.0.0.0 0.0.0.0 10.2.0.2 10
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
ip flow-export version 9
!
ipv6 route 2001:DB8:ACAD:3::/64 2001:DB8:ACAD:D::2
ipv6 route 2001:DB8:CAFE::/64 2001:DB8:ACAD:A::2
ipv6 route 2001:DB8:CAFE::/64 2001:DB8:ACAD:B::2 10
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
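Added example, not part of the original assessment or of the router output above: a Python model of the floating static routes described in Part 3, showing which route is installed per prefix when all links are up and when the Ethernet link fails, and which prefixes have no floating backup. ROUTES and LINKS are a constructed sample in the next-hop style of the RTR-HQ listing, and the function names are made up for the example.

```python
import ipaddress

# Constructed sample: IPv4 static routes and connected links in the style of
# the RTR-HQ listing (next-hop form only; exit-interface routes are not parsed).
ROUTES = """\
ip route 192.168.10.0 255.255.255.0 10.2.0.2 10
ip route 192.168.10.0 255.255.255.0 10.1.0.2
ip route 192.168.3.0 255.255.255.0 10.4.0.2
ip route 0.0.0.0 0.0.0.0 10.2.0.2 10
ip route 0.0.0.0 0.0.0.0 10.1.0.2
"""
LINKS = {"GigabitEthernet0/0/2": "10.1.0.0/30",
         "Serial0/1/0": "10.2.0.0/30",
         "Serial0/1/1": "10.4.0.0/30"}

def parse_routes(text):
    """Return [(prefix, next_hop, ad)]; a static route has AD 1 unless one is given."""
    routes = []
    for fields in map(str.split, text.splitlines()):
        if fields[:2] == ["ip", "route"] and len(fields) >= 5:
            prefix = ipaddress.ip_network(f"{fields[2]}/{fields[3]}")
            ad = int(fields[5]) if len(fields) > 5 else 1
            routes.append((prefix, ipaddress.ip_address(fields[4]), ad))
    return routes

def installed(routes, links, down=()):
    """Per prefix, pick the lowest-AD route whose next hop sits on a link that is up."""
    up = {ipaddress.ip_network(net): name
          for name, net in links.items() if name not in down}
    best = {}
    for prefix, hop, ad in routes:
        link = next((name for net, name in up.items() if hop in net), None)
        if link and (prefix not in best or ad < best[prefix][1]):
            best[prefix] = (link, ad)
    return {str(p): v for p, v in best.items()}

def no_floating_backup(routes):
    """Prefixes with fewer than two distinct ADs: one link failure removes them."""
    ads = {}
    for prefix, _, ad in routes:
        ads.setdefault(str(prefix), set()).add(ad)
    return sorted(p for p, seen in ads.items() if len(seen) < 2)

if __name__ == "__main__":
    r = parse_routes(ROUTES)
    print(installed(r, LINKS))
    print(installed(r, LINKS, down={"GigabitEthernet0/0/2"}))
    print(no_floating_backup(r))
```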