ENSA (Version 7.00) Final PT Skills Assessment Exam (PTSA) Answers (2024)

Enterprise Networking, Security, and Automation ( Version 7.00) – ENSA Final PT Skills Assessment (PTSA)

A few things to keep in mind while completing this activity:

1. Do not use the browser Back button or close or reload any exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button in the browser window to submit your work.

Topology

Addressing Table

Scenario

In this Packet Tracer Skills Assessment, you will configure the devices in a small network. You will complete all tasks in PT Physical Mode. You will not have access to the logical topology.

You will place devices in proper locations and power them on. You will configure routers, switches, and PCs to support IPv4 connectivity for hosts. The routers and switches must be managed securely. You will configure Single-Area OSPFv2, NAT, and access control lists. Further, you will backup up your working configurations to a TFTP server and upload a working configuration to another device.
Furthermore, different versions of the IOS image are used in switches. You will update a switch to use the latest IOS.

Instructions

Part 1: Place Devices in Proper Locations and Connect them with Proper Cables

Step 1: Place devices in proper Locations inside the main wiring closet

In the Physical Mode place network devices in the following locations:

• Organize the rack for ease of configuration. Place R1, R2, S1, S2, S3, and S4 from top down, with some space between the devices.
• Drag two 4331 routers, R1 and R2, from the shelf to the rack.
• Drag four switches, S1, S2, S3, and S4, from the shelf to the rack.
• Move PC-C to Table1, on the left, and place it in the left-hand area of the tabletop
• Move the DNS server to Table1, on the left, and place it in the right-hand area of the tabletop.
• Move PC-A to Table2, on the right, and place it in the left-hand area of the tabletop.
• Move PC-B to Table2, on the right, and place it in the right-hand area of the tabletop.

Step 2: Make sure all devices are powered on.

Power on all devices.

Step 3: Connect devices according to the network topology.

Use the logical topology diagram to connect the devices to the correct ports with correct cables.

Instructions:
Use a Copper Cross-Over cable (orange cable) to connect two routers using the G0/0/0 port. Use a Copper Straight-Through cable (green cable) to connect the remaining devices according to the correct ports on the topology diagram.

Part 2: Configure Basic Devices Settings

All configurations are made through a direct console connection.

Step 1: Configure PCs with IPv4 addresses

Use the addressing table to manually configure the PCs with full IP addressing.

Step 2: Configure router R1 and R2

a. Configure R1 and R2 with the following:

1. Prevent the router from attempting to resolve incorrectly entered commands as domain names.
2. Router name: R1 or R2.
3. Encrypted privileged EXEC secret password: ciscoenpass.
4. Console access password: ciscoconpass.
5. Set the minimum password length to 10 characters.
6. Encrypt the clear text passwords.
7. Configure an appropriate MOTD Banner.

Answer:

Router(config)#no ip domain lookup Router(config)#hostname R1R1(config)#enable secret ciscoenpassR1(config)#line console 0R1(config-line)#password ciscoconpassR1(config-line)#loginR1(config-line)#exitR1(config)#security passwords min-length 10R1(config)#service password-encryption R1(config)#banner motd #Unauthorized Acess is Prohibited#

Router(config)#no ip domain lookup Router(config)#hostname R2R2(config)#enable secret ciscoenpassR2(config)#line console 0R2(config-line)#password ciscoconpassR2(config-line)#loginR2(config-line)#exitR2(config)#security passwords min-length 10R2(config)#service password-encryption R2(config)#banner motd #Unauthorized Acess is Prohibited#

b. Configure the interfaces of routers R1 and R2 as follows.

1. Configure interface G0/0/0 with a description and IPv4 addressing.
2. Configure interface G0/0/1 with a description and IPv4 addressing.
3. Configure interface G0/0/2 with a description and IPv4 addressing.
4. All interfaces should be ready to send and receive traffic.

Answer:

R1(config)#interface GigabitEthernet0/0/0R1(config-if)#description Connection to R2R1(config-if)#ip address 198.51.100.1 255.255.255.252R1(config-if)#no shutdownR1(config-if)#interface GigabitEthernet0/0/1R1(config-if)#description Connection to S2R1(config-if)#ip address 192.168.1.1 255.255.255.0R1(config-if)#no shutdownR1(config-if)#interface GigabitEthernet0/0/2R1(config-if)#description Connection to S1R1(config-if)#ip address 64.100.1.1 255.255.255.248R1(config-if)#no shutdown

R2(config)#interface GigabitEthernet0/0/0R2(config-if)#description Connection to R1R2(config-if)#ip address 198.51.100.2 255.255.255.252R2(config-if)#no shutdownR2(config-if)#interface GigabitEthernet0/0/1R2(config-if)#description Connection to S4R2(config-if)#ip address 172.16.2.1 255.255.255.0R2(config-if)#no shutdownR2(config-if)#interface GigabitEthernet0/0/2R2(config-if)#description Connection to S3R2(config-if)#ip address 209.165.202.129 255.255.255.224R2(config-if)#no shutdown

c. Configure SSH.

1. Domain name: ccna-lab.com.
2. Create an administrative user in the local database:
   • Username: admin
   • Secret Password: admin1pass
3. Set login on VTY lines to use the local database
4. Set VTY lines to accept SSH connections only
5. Use an RSA crypto key with a 1024 bits modulus.
6. Enable SSH using version 2.

Answer:

R1(config)#ip domain name ccna-lab.comR1(config)#username admin secret admin1passR1(config)#line vty 0 15R1(config-line)#login localR1(config-line)#transport input ssh R1(config-line)#exitR1(config)#crypto key generate rsa1024R1(config)#ip ssh version 2

R2(config)#ip domain name ccna-lab.comR2(config)#username admin secret admin1passR2(config)#line vty 0 15R2(config-line)#login localR2(config-line)#transport input ssh R2(config-line)#exitR2(config)#crypto key generate rsa1024R2(config)#ip ssh version 2

Step 3: Configure switches S1, S2, S3, and S4

a. Configure the hostname according to the Addressing Table.
b. Configure Management Interface (SVI) for VLAN 1: Set the IPv4 address and activate the interface.
c. Configure default gateway.
Answer:

Switch(config)#hostname S1S1(config)#interface Vlan1S1(config-if)#ip address 64.100.1.2 255.255.255.248S1(config-if)#no shutdown S1(config-if)#ip default-gateway 64.100.1.1

Switch(config)#hostname S2S2(config)#interface Vlan1S2(config-if)#ip address 192.168.1.2 255.255.255.0S2(config-if)#no shutdown S2(config-if)#ip default-gateway 192.168.1.1

Switch(config)#hostname S3S3(config)#interface Vlan1S3(config-if)#ip address 209.165.202.130 255.255.255.224S3(config-if)#no shutdown S3(config-if)#ip default-gateway 209.165.202.129

Switch(config)#hostname S4S4(config)#interface Vlan1S4(config-if)#ip address 172.16.2.2 255.255.255.0S4(config-if)#no shutdown S4(config-if)#ip default-gateway 172.16.2.1

Part 3: Configure Single Area OSPFv2

Step 1: Configure single-area OSPF routing

a. Configure the OSPF routing process: Use process id 1.
b. Manually configure the router id: Use 0.0.0.1 for R1 and 0.0.0.2 for R2
c. Configure network statements for the appropriate networks on R1 and R2.
Note: For the purposes of this assessment, enter your network statements in the following order:
On R1:

• the G0/0/2 network
• the G0/0/0 network

On R2:

• the G0/0/2 network
• the G0/0/0 network

Answer:

R1(config)#router ospf 1R1(config-router)#router-id 0.0.0.1R1(config-router)#network 64.100.1.0 0.0.0.7 area 0R1(config-router)#network 198.51.100.0 0.0.0.3 area 0

R2(config)#router ospf 1R2(config-router)#router-id 0.0.0.2R2(config-router)#network 209.165.202.128 0.0.0.31 area 0R2(config-router)#network 198.51.100.0 0.0.0.3 area 0

Step 2: Adjust OSPF operation

a. Configure the appropriate interfaces to not forward OSPF updates where they are not required.
b. Configure the reference bandwidth: Adjust the reference bandwidth to 1 Gigabit.
c. Configure the OSPF network as a point-to-point network.
d. Configure the hello time for 30 seconds.
Answer:

R1(config)# router ospf 1R1(config-router)# passive-interface GigabitEthernet0/0/1R1(config-router)# passive-interface GigabitEthernet0/0/2R1(config-router)# auto-cost reference-bandwidth 1000R1(config-router)# exitR1(config)# interface GigabitEthernet0/0/0R1(config-if)# ip ospf network point-to-pointR1(config-if)# ip ospf hello-interval 30

R2(config)# router ospf 1R2(config-router)# passive-interface GigabitEthernet0/0/1R2(config-router)# passive-interface GigabitEthernet0/0/2R2(config-router)# auto-cost reference-bandwidth 1000R2(config-router)# exitR2(config)# interface GigabitEthernet0/0/0R2(config-if)# ip ospf network point-to-pointR2(config-if)# ip ospf hello-interval 30

Part 4: Configure Access Control and NAT

Step 1: Verify connectivity

• PC-B cannot visit the web server.
• PC-C cannot ping PC-A.

Step 2: Configure NAT

a. Configure static NAT on router R1 with a public IP address 64.100.1.7 to allow PC-B to access the web server.
Answer:

R1(config)# ip nat inside source static 192.168.1.5 64.100.1.7R1(config)# interface GigabitEthernet0/0/0R1(config-if)# ip nat outsideR1(config-if)# interface GigabitEthernet0/0/1R1(config-if)# ip nat inside

b. Configure PAT on router R2 to enable some devices on the network attached to the G0/0/1 interface to access the internet

1. Create a NAT pool named IPNAT1 with IP address range of 209.165.202.140 to 209.165.202.150 with the subnet mask of 255.255.255.224.
2. Create a numbered ACL (ACL 1) to allow devices with IP address range of 172.16.2.1 through 172.16.2.15 to access the internet through NAT.
3. Use PAT to allow the range of the public IP addresses to be shared.

Answer:

R2(config)# ip nat pool IPNAT1 209.165.202.140 209.165.202.150 netmask 255.255.255.224R2(config)# ip nat inside source list 1 pool IPNAT1 overloadR2(config)# access-list 1 permit 172.16.2.0 0.0.0.15R2(config)# interface GigabitEthernet0/0/1R2(config-if)# ip nat inside

Step 3: Configure access control on R1

a. Create a standard ACL R1-VTY-LIMIT to allow only PC-B access to the R1 vty lines.
b. Apply the ACL.
Answer:

R1(config)#ip access-list standard R1-VTY-LIMITR1(config-std-nacl)#permit host 192.168.1.5R1(config-std-nacl)#R1(config-std-nacl)#line vty 0 15R1(config-line)#access-class R1-VTY-LIMIT in

Step 4: Configure access control on S1

a. Create a standard ACL S1-VTY-LIMIT to allow only PC-B access to the S1 vty lines.
b. Apply the ACL.
Answer:

S1(config)#ip access-list standard S1-VTY-LIMITS1(config-std-nacl)#permit host 192.168.1.5S1(config-std-nacl)#S1(config-std-nacl)#line vty 0 15S1(config-line)#access-class S1-VTY-LIMIT in

Step 5: Configure access control on R2

a. Create a standard ACL R2-VTY-LIMIT to allow only PC-C access to the R2 vty lines.

b. Create an extended ACL R2-SECURITY to restrict access from the internet

• Allow FTP connections from the PC-B public IP address to the web/DNS server
• Deny all other FTP connections from the internet to the R2 LANs
• Deny all SSH connections from the internet
• Allow all other types of connections from the internet

Your ACL should consist of four statements that correspond to the four requirements above.

c. Apply the ACLs
Answer:

R2(config)#ip access-list standard R2-VTY-LIMITR2(config-std-nacl)#permit host 172.16.2.5R2(config-std-nacl)#R2(config-std-nacl)#line vty 0 15R2(config-line)#access-class R2-VTY-LIMIT inR2(config-line)#exitR2(config)#ip access-list extended R2-SECURITYR2(config-ext-nacl)#permit tcp host 64.100.1.7 host 209.165.202.131 eq ftpR2(config-ext-nacl)#deny tcp any any eq ftpR2(config-ext-nacl)#deny tcp any any eq 22R2(config-ext-nacl)#permit ip any anyR2(config-ext-nacl)#interface GigabitEthernet0/0/0R2(config-if)#ip access-group R2-SECURITY inR2(config-if)#ip nat outside

Step 6: Configure access control on S3

a. Create a standard ACL S3-VTY-LIMIT to allow only PC-C access to the S3 vty lines.
b. Apply the ACL
Answer:

S3(config)#ip access-list standard S3-VTY-LIMITS3(config-std-nacl)#permit host 172.16.2.5S3(config-std-nacl)#S3(config-std-nacl)#line vty 0 15S3(config-line)#access-class S3-VTY-LIMIT inS3(config-line)#login

Part 5: Perform Configuration Backup and IOS Update

Step 1: Use TFTP server to backup device configurations

a. Backup the running configurations of R1, S1, and S2 to the TFTP server on PC-B.
b. Name the configuration files as R1-Run-Config, S1- Run-Config, and S2-Run-Config.

On R1:

R1>enR1#copy running-config tftpAddress or name of remote host []? 192.168.1.5Destination filename [R1-confg]? R1-Run-Config

On S1:

S1>enS1#copy running-config tftpAddress or name of remote host []? 192.168.1.5Destination filename [S1-confg]? S1-Run-Config

On S2:

S2>enS2#copy running-config tftpAddress or name of remote host []? 192.168.1.5Destination filename [S2-confg]? S2-Run-ConfigWriting running-config....!![OK - 1122 bytes]1122 bytes copied in 3.003 secs (373 bytes/sec)

Step 2: Use TFTP server to update/upgrade IOS software

a. Obtain a newer IOS image from the TFTP service on the web/DNS server.
b. The newer version of the switch IOS is c2960-lanbasek9-mz.150-2.SE4.bin.
c. Configure S3 to use this newer version IOS after reloading.

Answer:

S3#copy tftp flash:Address or name of remote host []? 209.165.202.131Source filename []? c2960-lanbasek9-mz.150-2.SE4.binDestination filename [c2960-lanbasek9-mz.150-2.SE4.bin]? Accessing tftp://209.165.202.131/c2960-lanbasek9-mz.150-2.SE4.bin....Loading c2960-lanbasek9-mz.150-2.SE4.bin from 209.165.202.131: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 4670455 bytes]S3#configure terminal S3(config)#boot system flash:c2960-lanbasek9-mz.150-2.SE4.binS3(config)#exitS3#%SYS-5-CONFIG_I: Configured from console by consoleS3#copy running-config startup-configDestination filename [startup-config]? Building configuration...[OK]S3#reloadProceed with reload? [confirm]

Answer script

R1

enableconfigure terminal no ip domain lookuphostname R1enable secret ciscoenpassline console 0password ciscoconpassloginexitsecurity passwords min-length 10service password-encryption banner motd #Unauthorized Acess is Prohibited#interface GigabitEthernet0/0/0description Connection to R2ip address 198.51.100.1 255.255.255.252no shutdowninterface GigabitEthernet0/0/1description Connection to S2ip address 192.168.1.1 255.255.255.0no shutdowninterface GigabitEthernet0/0/2description Connection to S1ip address 64.100.1.1 255.255.255.248no shutdownip domain name ccna-lab.comusername admin secret admin1passline vty 0 15login localtransport input ssh exitcrypto key generate rsa1024ip ssh version 2router ospf 1router-id 0.0.0.1network 64.100.1.0 0.0.0.7 area 0network 198.51.100.0 0.0.0.3 area 0exitrouter ospf 1passive-interface GigabitEthernet0/0/1passive-interface GigabitEthernet0/0/2auto-cost reference-bandwidth 1000exitinterface GigabitEthernet0/0/0ip ospf network point-to-pointip ospf hello-interval 30exitip nat inside source static 192.168.1.5 64.100.1.7interface GigabitEthernet0/0/0ip nat outsideinterface GigabitEthernet0/0/1ip nat insideip access-list standard R1-VTY-LIMITpermit host 192.168.1.5line vty 0 15access-class R1-VTY-LIMIT inexit

R2

enableconfigure terminal no ip domain lookuphostname R2enable secret ciscoenpassline console 0password ciscoconpassloginexitsecurity passwords min-length 10service password-encryption banner motd #Unauthorized Acess is Prohibited#interface GigabitEthernet0/0/0description Connection to R1ip address 198.51.100.2 255.255.255.252no shutdowninterface GigabitEthernet0/0/1description Connection to S4ip address 172.16.2.1 255.255.255.0no shutdowninterface GigabitEthernet0/0/2description Connection to S3ip address 209.165.202.129 255.255.255.224no shutdownip domain name ccna-lab.comusername admin secret admin1passline vty 0 15login localtransport input ssh exitcrypto key generate rsa1024ip ssh version 2router ospf 1router-id 0.0.0.2network 209.165.202.128 0.0.0.31 area 0network 198.51.100.0 0.0.0.3 area 0exitrouter ospf 1passive-interface GigabitEthernet0/0/1passive-interface GigabitEthernet0/0/2auto-cost reference-bandwidth 1000exitinterface GigabitEthernet0/0/0ip ospf network point-to-pointip ospf hello-interval 30exitip nat pool IPNAT1 209.165.202.140 209.165.202.150 netmask 255.255.255.224ip nat inside source list 1 pool IPNAT1 overloadaccess-list 1 permit 172.16.2.0 0.0.0.15interface GigabitEthernet0/0/1ip nat insideip access-list standard R2-VTY-LIMITpermit host 172.16.2.5line vty 0 15access-class R2-VTY-LIMIT inexitip access-list extended R2-SECURITYpermit tcp host 64.100.1.7 host 209.165.202.131 eq ftpdeny tcp any any eq ftpdeny tcp any any eq 22permit ip any anyinterface GigabitEthernet0/0/0ip access-group R2-SECURITY inip nat outsideexit

S1

enableconfigure terconfigure terminal hostname S1interface Vlan1ip address 64.100.1.2 255.255.255.248no shutdown ip default-gateway 64.100.1.1ip access-list standard S1-VTY-LIMITpermit host 192.168.1.5line vty 0 15access-class S1-VTY-LIMIT inexit

S2

enableconfigure terminal hostname S2interface Vlan1ip address 192.168.1.2 255.255.255.0no shutdown ip default-gateway 192.168.1.1

S3

enableconfig terhostname S3interface Vlan1ip address 209.165.202.130 255.255.255.224no shutdown ip default-gateway 209.165.202.129ip access-list standard S3-VTY-LIMITpermit host 172.16.2.5line vty 0 15access-class S3-VTY-LIMIT in

S4

enableconfig terhostname S4interface Vlan1ip address 172.16.2.2 255.255.255.0no shutdown ip default-gateway 172.16.2.1

Download Packet Tracer file (.pka)