Ccnlga 002 B

®
Cisco Certified Network Associate
Version 2b
Disclaimer
While every effort has been made to ensure that the information contained in this courseware is free from
errors and omissions and is not misleading in any way, Whitireia New Zealand Limited (trading as
Computer Power Plus) makes no representations or warranties and is not liable for any loss, damage, or
injury of any kind (however caused) under any theory of law including negligence resulting from or in any
way connected with the use of this courseware.
Copyright 2016
© This courseware and the concepts, information and material contained in it are the copyright of
Whitireia New Zealand Limited, a Private Training Establishment (PTE) No. 9344 (trading as Computer
Power Plus) and may not be used or reproduced in whole or in part without the prior written consent of
Whitireia New Zealand Limited. All rights reserved.
Cisco® is a registered trademark of Cisco Systems, Inc
Edition Released: March 2016
Publication No.: CCNLGA002b

Table of contents
CONTENTS
SECTION 1: CCNA ROUTING AND SWITCHING ................................................................. 1-1
Topic 1: Study Process ................................................................................................................... 1-2
Topic 2: Study Plan ......................................................................................................................... 1-5
Day 1 .................................................................................................................................. 1-7
Day 2 ................................................................................................................................. 1-14
Day 3 ................................................................................................................................. 1-27
Day 4 ................................................................................................................................. 1-40
Day 5 ................................................................................................................................. 1-55
Day 6 ................................................................................................................................. 1-67
Day 7 ................................................................................................................................. 1-73
Day 8 ................................................................................................................................. 1-85
Day 9 ................................................................................................................................. 1-91
Day 10 ............................................................................................................................... 1-102
Day 11 ................................................................................................................................ 1-111
Day 12 ............................................................................................................................... 1-117
Day 13 ............................................................................................................................... 1-133
Day 14 ............................................................................................................................... 1-140
Day 15 ............................................................................................................................... 1-149
Day 16 ............................................................................................................................... 1-153
Day 17................................................................................................................................ 1-166
Day 18 ............................................................................................................................... 1-173
Day 19 ............................................................................................................................... 1-186
Day 20 ............................................................................................................................... 1-199
Day 21 ............................................................................................................................... 1-210
i
Table of contents
Day 22............................................................................................................................... 1-224
Day 23............................................................................................................................... 1-230
Day 24............................................................................................................................... 1-231
Day 25............................................................................................................................... 1-245
Day 26............................................................................................................................... 1-262
Day 27............................................................................................................................... 1-268
Day 28............................................................................................................................... 1-281
Day 29............................................................................................................................... 1-294
Day 30............................................................................................................................... 1-299
Day 31 ............................................................................................................................... 1-311
Day 32............................................................................................................................... 1-318
Day 33 to 35 ................................................................................................................... 1-330
Topic 3: VMware Images .............................................................................................................. 1-331
Topic 4: Practical Exercises .......................................................................................................... 1-334
Topic 5: Project................................................................................................................................ 1-338
Topic 6: Internal Final Assessment ............................................................................................ 1-359
Topic 7: External Certification Notes........................................................................................ 1-361
APPENDIX A: Acme Policies ............................................................................................... A-1
APPENDIX B: IOS Security Benchmark .............................................................................. B-1
ii
Introduction
IMPORTANT: This learning guide contains IMPORTANT information! You

should read ALL of the pages in this introduction BEFORE you begin the
module, so that you are familiar with the requirements for the module, and
what you need to do to access resources and complete the module.
INTRODUCTION
This module is an introduction to managing and configuring networking for a small or medium-
sized network using Cisco devices. Networking fundamentals, LAN switching, IP addressing, IP
routing, WAN networking, and routing protocols are all covered.
The CCNA Routing and Switching certification (Cisco Certified Network Associate R&S) is a
foundation specialist course and covers core knowledge of infrastructure networking. CCNA R&S
certified professionals can install, configure, and operate LAN and WAN network services for
small and medium-sized enterprise networks.
In this module you will learn to manage and configure the major aspects of routing and
switching for a small or medium-sized enterprise network using software that simulates Cisco
devices.
Computer Power Plus Cisco Certified Network Associate (CCN) Breakdown

The study for the CCN course comprises one module, with a workload of up to 270 hours
required. 180 hours of this is allocated as on campus study, while another 90 should be spent at
home to complete the workload.
A full breakdown of the study hours, assessments and assessment weighting towards the final
mark for the CCN module is shown below:
Module Component Hours Weighting

Toward Grade
On-campus Study 155
Off-campus Study 75
Project A 8 8%
Workshop 10 10%
Project B 14 22%
Practice Assessment 3
Final Assessment 5 60%
Total 270 100%
Details of the module are covered in Section 1.
Before you start the module, take a minute to read through the section titled Helpful
Information. It explains this learning guides structure and how to follow the instructions and
icons used in this material.
Computer Power Plus iii

Introduction
The suggested study process to follow for the module is detailed in Section 1.
Module Objectives
In this module you will learn how to:
 Describe the operation of IP data networks
 Understand and configure LAN switching technologies
 Describe IP Addressing
 Describe and configure IP routing technologies
 Describe and configure IP services
 Configure network device security
 Troubleshoot IP addressing, routing, and switching problems
 Identify and configure enhanced LAN switching technologies
 Identify, configure, and troubleshoot WAN technologies.
CCN Objectives
This module is designed to teach the Cisco CCNA Routing and Switching certification objectives.
A list of these objectives can be viewed here:
http://tinyurl.com/c6kwmbo
The objectives can be downloaded from here:
http://tinyurl.com/oveamps
A copy of these objectives (topics) is also in the ccn_work folder on your H:\ drive. This is the pdf
file named 200-120_composite2.pdf.
These objectives are also listed in the Introduction section of each of the textbooks listed below.
Resources
 Cisco Certified Network Associate Learning Guide
 CCN Workshop Guide
 Cisco CCNA Routing and Switching 200-120 Official Cert Guide Library by Wendell Odom
(Cisco Press)
 Boson NetSim CCNA Network Simulator software (see Section 1, Topic 3).
iv Computer Power Plus

Introduction
Prerequisites
A+ Certification (AP1/AP2) and Network+ Certification (NWP) or equivalent knowledge.
Assessment
The assessment in this module takes the form of a workshop, a project and a final assessment
which is completed at the conclusion of your study for this module.
A more detailed breakdown of each assessment component and its weighing is provided below.
 Workshop – (10%)
This component is an instructor-supervised two-shift practical workshop, designed to

introduce you to real Cisco equipment and allow you to practise commands on real Cisco
devices. It is compulsory for you to attend and during the workshop you are required to
participate and complete the workshop tasks to the satisfaction of an instructor to be
considered competent.
The details of the workshop are contained in the CCN Workshop Guide which you will be
given a copy of. Take this guide with you to the workshop. It is highly recommended that
you read the workshop guide before you attend the workshop.
 Project – (30%)
The project is split into two parts. Part A is scheduled to be done at about your 23rd study
shift. Part B is to be done at the end of your study of this learning guide. The project involves
two scenarios:
1. Project Part A (8%): Evaluate and audit an existing Cisco-based network and make
recommendations for corrective action where the network does not comply with the
firm’s policy standards and then carry out the actions required.
2. Project Part B (22%): Design a WAN/LAN Cisco based network according to the
requirements, and then build a prototype of it.
You must achieve a score of 50% or more in each part of this assessment component to be
considered competent. If you pass either part on re-assessment, a maximum mark of 50% of
the original weighting will be granted for the assessment component in regards to final
grading. So it is in your best interests that you present a quality project on your first attempt.
 Practice Assessment – (0%)
The practice assessment consists of two parts:
1. An electronic-based practice assessment which is 60 minutes long. It is designed to help

you prepare for the final assessment exam. You must achieve at least 80% in this practice
assessment before you attempt the final assessment. If you do not achieve this 80%
minimum it suggests that you are not at the required level to attempt the final
assessment. It is recommended that you sit the online practice assessment at least twice
and no more than four times to help prepare for the final assessment.
Computer Power Plus v

Introduction
2. A 45 minute paper-based practical assessment involving configuration and / or

troubleshooting of simulated Cisco Device IOSs. You should be aiming to achieve at least
80% in this practice assessment before you attempt the final assessment. It is
recommended that you sit each of the two different versions of this practice assessment
no more than twice to help prepare for the final assessment.
 Final Assessment – (60%)
The final assessment consists of two parts which are attempted one after the other:
1. Electronic-based Assessment - a 120 minute assessment of 42 questions containing a

variety of question types.
2. Paper-based Practical Assessment – a 45 minute practical assessment involving practical

configuration and / or troubleshooting scenarios using simulated Cisco IOS devices.
You must achieve a score of 50% or more in this assessment component to be

considered competent.
Please read Section 1 Topic 6 for detailed information about the final assessment.
Self-Assessment
Throughout the CCN learning guide there are opportunities to complete practical activities from
the main textbooks, and each chapter of the textbooks has multiple-choice questions that
should be completed prior to undertaking the assessments for this module. In addition, there are
practice questions, exercises, and videos on the DVDs, that accompany the textbooks, and the
textbooks come with simulator software and practical labs which you should make use of. These
practical activities and questions are designed to prepare you for the assessments for this
module.
As mentioned above there is also a practise assessment available to help you prepare for the final
assessment.
Optional External Exams

This module assists you to prepare to attempt the CCNA certification exams. The CCNA
certification can be earned in one of two ways:
 Exams Interconnecting Cisco Networking Devices 1 ICND1 (100-101) and Interconnecting

Cisco Networking Devices 2 ICND2 (200-101), or
 Exam Cisco Certified Network Associate CCNA Routing and Switching (200-120).
vi Computer Power Plus

Introduction
HELPFUL INFORMATION
Learning Guide Layout

This learning guide contains different types of study materials as indicated by the following
icons.
Reading icon
This icon indicates that you need to read and study the topic. You may also be
directed to study sections of associated reference materials.
Activity icon
When you see this icon, you have the opportunity to experiment with the
features previously described by completing a practical exercise.
Self-Assessment icon
The assessment icon is used to help reinforce what you have learned
throughout the learning guide to check your understanding. It is also used to
specify any assessment activities that are requirements for assessment.
Timer icon
This icon indicates an estimated study time for a topic.
Hot tip icon
This icon indicates a valuable tip, hint or note.
Computer Power Plus vii

Introduction
STUDY PLAN
The study plan provided below is a helpful tool in making sure that you complete this module in
the time provided.
The CCN module has a workload of approximately 270 hours – 180 hours on campus, and up to
another 90 hours at home. This is the amount of time an average student should spend to
complete the course. You should plan to spend as a minimum this much time studying the
module between the start and finish dates for the course on your Artena Portal schedule.
This module encompasses a wide range of topics and requires intensive study.
The student plan is based on 5 hours study per day at the campus and a further 2.5 hours study
at home. Part time students will need to adjust the plan to meet their study schedule.
To calculate how much time you need to spend per week on study, multiply the number of
weekly hours on your student contract by 1.5. The extra hours above your weekly contract hours
are to be spent studying at home.
For example, a full time student with a contract for 25 on campus hours a week should be aiming
to complete the course in 8 weeks. This involves spending a total of approximately 37 to 38
hours (25 x 1.5) a week studying, including 12 to 13 hours spent studying at home.
This is why 25 hours of class time is considered full time and eligible for student allowances. If you
enrol as a full time student you should not have other activities that affect your ability to devote
at least 37.5 hours a week on your studies, otherwise you will find it difficult to finish the course
by the course end date.
A part time student with a contract for 8 on campus hours a week should be aiming to complete
the course in 23 weeks. This involves spending a total of approximately 12 hours (8 x 1.5) a week
studying, including 4 hours spent studying at home.
If you are not a quick studier or you are a little short on computer experience, you should
probably add 10 per cent to the required study hours and spend more time on home study to
keep up with the required workload. But if you are a fast learner or have a good computer
background, then you can progress faster than your schedule.
To be successful, it is not enough to just read the material. Being a student requires study in
order to learn and retain knowledge and understanding. To learn requires not only reading but
also making notes to summarise the information so that you understand the material and retain
the knowledge. This also includes practising the relevant practical exercises. This also includes
using the Boson NetSim software to practise the relevant practical exercises in the chapters as
well as the Boson labs, and to use the CCNA Network Simulator Lite software to complete its
labs.
This course is quite demanding in terms of workload and requires that you give it your full
attention in order to be successful.
viii Computer Power Plus

Introduction
If a day in the study plan below shows a total time of 300 minutes, it is presumed that the new
content for the day can be studied on campus and revision of what you have learnt that day can
be done at home. On days where the total time is 450 minutes, it is presumed that you will have
to study some new material at home. On these days, you should plan in advance which elements
of the day’s study you will do at home and which you will do on campus. There is a detailed study
plan later in the learning guide (within Section 1) to help you with this decision.
Day Reference Topic Subject Time Dates I will Date

(C=Chapter) (mins) study this Completed
content
1 Introduction Introduction 170
and ICND1 The TCP/IP and OSI Networking 280
C1 Models
Total Time 450
2 ICND1 C2 Fundamentals of Ethernet LANs 225
ICND1 C3 Fundamentals of WANs 225
Total Time 450

3 ICND1 C4 Fundamentals of IPv4 Addressing 165
and Routing
ICND1 C5 Fundamentals of TCP/IP Transport 165
and Applications
Part I Review Networking Fundamentals review 120
Total Time 450

4 ICND1 C6 Building Ethernet LANs with 225
Switches
ICND1 C7 Installing and operating Cisco 225
LAN Switches
Total Time 450
5 ICND1 C8 Configuring Ethernet Switching 225
ICND1 C9 Implementing Ethernet Virtual 225
LANs
Total Time 450
6 ICND1 C10 Troubleshooting Ethernet LANs 225
Part II
Review Ethernet LANs and Switches 225
review
450
Total Time
7 ICND2 C1 Spanning Tree Protocol Concepts 225
ICND2 C2 Spanning Tree Protocol 225
Implementation
Total Time 450
8 ICND2 C3 Troubleshooting LAN Switching 225
Part I Review LAN Switching Review 225
Total Time 450
Computer Power Plus ix

Introduction

content
9 ICND1 C11 Perspectives on IPv4 Subnetting 225
ICND1 C12 Analyzing Classful IPv4 Networks 225
Total Time 450

10 ICND1 C13 Analyzing Subnet Masks 225
ICND1 C14 Analyzing Existing Subnets 225
Total Time 450

11 Part III IP Version 4 Addressing and 225
Review Subnetting Review
ICND1 C 15 Operating Cisco Routers 225
Total Time 450

12 ICND1 C16 Configuring IPv4 Addresses and 225
Routes
ICND1 C17 Learning IPv4 Routes with OSPFv2 225
Total Time 450

13 ICND1 C18 Configuring and Verifying Host 225
Connectivity
Part IV Implementing IP Version 4 Review 225
Review
Total Time 450
14 ICND1 C19 Subnet Design 225
ICND1 C20 Variable-Length Subnet Masks 225
Total Time 450

15 ICND1 C21 Route Summarization 225
Part V Advanced IPv4 Addressing 225

Review Concepts Review
Total Time 450
16 ICND1 C22 Basic IPv4 Access Control Lists 225
ICND1 C23 Advanced IPv4 ACLs and Device 225

Security
Total Time 450
17 ICND1 C24 Network Address Translation 225
Part VI IPv4 Services Review 225
Review
Total Time 450
18 ICND2 C4 Troubleshooting IPv4 Routing 225
Part I
ICND2 C5 Troubleshooting IPv4 Routing 225
Part II
Total Time 450
x Computer Power Plus

Introduction

content
19 ICND2 C6 Creating Redundant First-Hop 225
Routers
ICND2 C7 Virtual Private Networks 225
Total Time 450

20 Part II IP Version 4 Routing Review 225
Review
ICND2 C8 Implementing OSPF for IPv4 225
Total Time 450

21 ICND2 C9 Understanding EIGRP Concepts 225
ICND2 C10 Implementing EIGRP for IPv4 225
Total Time 450

22 ICND2 C11 Troubleshooting IPv4 Routing 225
Protocols
Part III IP Version 4 Routing Protocols 225
Review
Total Time 450
23 Project Project Part A 450
Total Time 450

24 ICND2 C12 Implementing Point-to-Point 225
WANs
ICND2 C13 Understanding Frame Relay 225
Concepts
Total Time 450
25 ICND2 C14 Implementing Frame Relay 225
ICND2 C15 Identifying Other Types of WANs 225
Total Time 450

26 Part IV Wide Area Networks Review 225
Review
ICND1 C25 Fundamentals of IP Version 6 225
Total Time 450

27 ICND1 C26 IPv6 Addressing and Subnetting 225
ICND1 C27 Implementing IPv6 Addressing on 225
Routers
Total Time 450
28 ICND1 C28 Implementing IPv6 Addressing on 225
Hosts
ICND1 C29 Implementing IPv6 Routing 225
Total Time 450
Computer Power Plus xi

Introduction

content
29 ICND1 Part IP Version 6 Review 225
VII Review
ICND2 C16 Troubleshooting IPv6 Routing 225
Total Time 450

30 ICND2 C17 Implementing OSPF for IPv6 225
ICND2 C18 Implementing EIGRP for IPv6 225
Total Time 450

31 ICND2 Part V IP Version 6 Review 225
Review
ICND2 C19 Managing Network Devices 225
Total Time 450

32 ICND2 C20 Managing IOS Files 225
ICND2 C21 Managing IOS Licensing 225
Total Time 450

33 Workshop Workshop Shift 1 300
Project Project Part B 150
Total Time 450

34 Workshop Workshop Shift 2 300
Project Project Part B 150
Total Time 450

35 Project Project Part B 450
Total Time 450

36 1st Practice Assessment
2nd Practice Assessment
Practice questions from DVD
Network Simulator Lite Labs.

Note: Do as many of the Labs for
CCNA1 and CCNA2 from the
DVDs as you have time for.
Note: If you have time you are
recommended to use the
resources listed under the
heading Further Resources on
page 1-329, before sitting the
internal final assessment.
Final Assessment
xii Computer Power Plus

CCNA Routing and Switching Section 1: CCNA Routing and Switching
1.0
SECTION 1
CCNA ROUTING AND SWITCHING
TOPICS
1. Study Process
2. Study Plan
3. VMware Images
4. Practical Exercises
5. Project
6. Internal Final Assessment
7. External Certification Notes
Computer Power Plus 1-1

Section 1: CCNA Routing and Switching CCNA Routing and Switching
TOPIC 1: STUDY PROCESS
In order to implement routing and switching in medium-sized networks using Cisco equipment,
and to handle any questions that Computer Power Plus includes in the assessments or Cisco
includes in the exams, it is important that you understand the concepts, and have a solid
knowledge of the subjects included in CCNA. This should be the purpose of your study of this
unit. Memorising specific questions and answers is not the best way to pass an assessment, and
does not prepare you well for working as a networking technician.
In addition, a single book or Internet resource will never have all the answers. So you should be
prepared to research topics at times and ensure that you understand the concepts behind
procedures.
You also need to gain practical knowledge by practising, and memorise facts, standards, key
concepts and procedures.
Studying in this way will prepare you well for this unit’s assessments and for your future career.
Official Cert Guide Library Textbooks

The main textbooks (which are yours to keep) for the CCN unit are contained in the Cisco CCNA
Routing and Switching 200-120 Official Cert Guide Library by Wendell Odom (Cisco Press). There
are two textbooks in the library pack: Cisco CCENT / CCNA ICND1 100-101 Official Cert Guide and
Cisco CCNA Routing and Switching ICND2 200-101 Official Cert Guide. We will refer to these
textbooks as ICND1 and ICND2.
In the CCNA Official Library package there are two textbooks. This is because the CCNA Routing
and Switching Certification can be passed in two ways. You can choose either a two exam
method (exam 100-101 and 200-101) or a single exam method (200-120). There is a book for each
CCNA exam which can be used separately if studying for the two exam method. If you are
studying for the single exam method, then you need to study both books as the single exam
covers the same knowledge and objectives as that covered by the two exams.
The advantage of the two exam method is that you earn two certifications, namely CCENT and
CCNA. The main disadvantage of the two exam method is that these exams go into more detail
than the single exam and you are expected to know the less significant information from the
textbooks. If you intend to gain the external CCNA certification, the two exam method is more
expensive since it is double the cost as you have to pay for, and sit, two exams.
At Computer Power Plus you will sit a single final assessment which covers the content of both of
the textbooks. This unit is based on the topics from the CCNA 200-120 exam, which are the same
as the topics from both the 100-101 and 200-101 exams combined.
1-2 Computer Power Plus

IMPORTANT NOTE:
If the Cisco Press books contain errors these can be viewed on the following
web pages:
ICND1 book:
http://tinyurl.com/mmxjjy7
ICND2 book:
http://tinyurl.com/lr5zcy6
Click on the Updates tab and then click on the links to view the errors for each of
the two books.
It is recommended that when using the Cisco Press books that you check this
web page.
Suggested Study Process

The suggested study process to follow is:
 Begin your study of the two textbooks (see the detailed instructions in Topic 2).
 Book the CCN workshop.
IMPORTANT NOTE:
Due to the availability of the CCN Workshop at your campus, you should
schedule this once you reach Unit 15 of the study plan. Then you should aim to
complete the remaining study of the textbooks before you attend it at about
your 33rd study shift. Check with an instructor at your campus for the exact
booking procedure.
 Complete and submit Part A of the project.
 Complete your study of the two textbooks (see the detailed instructions in Topic 2).
 Attend the CCN workshop.
 Complete and submit Part B of the project.
 Optional: Practise the online MeasureUp practice exam questions.
 Sit two practice assessments – both the electronic-based assessment and the paper-based
practical assessment.
 Sit the two parts of the final assessment – the electronic-based assessment and the paper-
based practical assessment (see Topic 6 on page 359).

 Optional: Find extra practice questions online and do as many as you can.
 Optional: Sit the external Cisco certification exam.
Information on the CCNA certification on which this unit is based can be found at:
http://tinyurl.com/cq7xd6n
CCN Workshop
The CCN Workshop is a compulsory component and must be completed as part of the CCN unit.
The workshop is a practical introduction to real Cisco equipment and will allow you to practise
many of the commands covered in your study of the textbooks.
The workshop is generally run over two consecutive shifts taking roughly 10 hours to complete. It
consists of 14 exercises which must be completed, and an additional 16 exercises which can be
completed as time allows. You must actively participate in the workshop exercises in order to
have the workshop component signed off by an instructor. Feel free to ask questions and for
help from the instructor supervising the workshop.
During the workshop, the instructor may not always be present, but will be there for the majority
of the time to answer questions or to show you how to do some task. The point of the workshop
is for you to practise and learn the concepts/commands rather than be assessed on whether you
can correctly carry out the exercises perfectly on your own.
The details of the workshop are contained in the CCN Workshop Guide. Please read the guide
before you attend the workshop so that you are familiar with the exercises.

TOPIC 2: STUDY PLAN
Plan Overview
As you study each day as outlined below, you should complete the following:
 Do I Know This Already quiz questions in Cisco Press textbooks at the beginning of each
chapter
 Any chapter exercises as directed in the Detailed Plan
 Exam Preparation Tasks at the end of each chapter
 Part Reviews using the software on the DVDs that come with the textbooks as directed in the
Detailed Plan.
There will also be additional exercises and practical labs to complete for each chapter.
IMPORTANT: : In order to make best use of your time it is recommended that

you plan to complete the textbook and Boson NetSim software lab exercises as
well as some studying of the textbooks while you are on-campus, and study the
remainder of the textbooks at home.
As you study it is best to write down what you are learning, by summarising the information in
your own words. The act of writing it down (typing into a Word Processor is not as effective)
helps you to remember it and impress it on your mind. This is why taking your own notes on the
material and re-creating diagrams and tables by hand is a great study technique. Also make lists
of key technical information and terms.
Completing the Exam Preparation Tasks for each chapter, as well as the Part Review found
throughout the textbooks is vital to reinforce your learning. The appendices of the ICND1
textbook give you practice in some of the important skills that you will need in the final
assessment.
Being able to work with the Cisco IOS to configure routing and switching is vital to be successful
in the project and the final assessment. So not only learning and understanding of the material is
required, but extensive practice of the IOS commands is absolutely vital! Completion of exercises
in the textbooks, the Boson Labs (the Boson NetSim software is installed in the VMware image),
and the Network Simulator Lite labs (software is installed from the textbook DVDs) is essential.
To assist you with these tasks, you have been provided with a plan explaining what to do, and a
template for each chapter that you can fill out. This information is found in the Detailed Plan.
Completing these for each day in the plan will help you learn the material.

Detailed Plan
On the following pages, detailed information is provided to guide you in your study of the
resources. For each day, there are two parts:
1. Student Information – this details the resources to be studied, and provides advice on what
to do.
2. Notes – this is a study-aid where you can identify and record what you are learning on each
day. It is an aid to help you remember what you have studied, summarise the main concepts
and terms, and it can be used to prepare for assessments.
Since the Notes sections are provided to assist you, no answers are provided. The answers are to
be found in the textbooks, and you must identify the information for yourself. This is part of the
learning process. You can ask an instructor for advice if you need help, and to confirm your
understanding.
IMPORTANT: It is recommended that you watch the online videos referred to

in this learning guide at home. If you do watch videos on a campus computer,
remember to ask for a set of headphones (if available at your campus) and plug
these into the workstation, so that you do not disturb other students. If the
sound does not work ask an instructor for assistance.
The ICND1 textbook will be referred to as ICND1 and the ICND2 textbook will be referred to as
ICND2 in the Detailed Plan on the following pages.

Day 1 – Student Information
Day: Introduction and ICND1 Chapter 1 – Cisco Press Textbook
Topic: The TCP/IP and OSI Networking Models
Workload: 7.5 Hours (On-campus 5 Hours, Home study 2.5 hours)
Date Started: __________________ Date Finished: _________________
Study Process:
Done Step
  Study ICND1 textbook pages xxx to 10 for an introduction to CCNA and the
Cert library materials.
  Study ICND1 textbook pages 14 to 39.
  Fill in the notes on page 1-8 of this learning guide.
  Complete the “Do I Know This Already?” quiz on ICND1 textbook pages 16 to
17. See how you did by using the answers on the bottom of page 18. If you got
any wrong, locate and review the information in the chapter. Review the
explanations for the answers in Appendix C on the DVD.
  Fill in the notes for this chapter on pages 1-9 to 1-12 of this learning guide.
  Carry out the Exam Preparation Tasks on page 40 of the ICND1 textbook.
Learn the Key Topics. Use pages 1-12 to 1-13 of this learning guide to record
the key terms.

Day 1 – Notes (for you to complete)
Why am I learning this? What will this information help me to do?
Prior Knowledge (What do I know already from this chapter?):

Things to Know – Review the chapter, and in your own words, write a summary/explanation of
the key concepts and main facts in each section of the chapter:
Key topic Explanation
What is the TCP/IP networking

model?
Explain the protocols for the

TCP/IP Transport Layer.

Explain Internet Protocol (IP),

addressing and routing.

What happens at the TCP/IP

Link Layer?
Explain the data encapsulation

process.

What are the main functions

of the OSI model layers?
Terminology (main terms and their meanings – complete the table by writing down your own
explanation):
Term Explanation
Adjacent-layer
interaction
Deencapsulation
Encapsulation
Frame

Networking model
Packet
Protocol Data Unit

(PDU)
Same-layer
interaction
Segment

Day: ICND1 Chapters 2 and 3 – Cisco Press Textbook
Topic: Fundamentals of LANs and WANs
Study Process:
Done Step
45. See how you did by using the answers on the bottom of page 46. If you
got any wrong, locate and review the information in the chapter. Review the
Learn the Key Topics. Complete the Memory Tables for the chapter – see
Appendix M on the DVD. Use pages 1-20 to 1-21 of this learning guide to
record the key terms.
  Make in the notes for this chapter on pages 1-23 to 1-25 of this learning guide.
Appendix M on the DVD. Use page 1-26 of this learning guide to record the
key terms.

Chapter 2

Describe SOHO and Enterprise

LANs.
What are the Ethernet physical

layer standards?

How is data transmitted

between nodes?
What are the pinouts for the

different types of UTP cabling
and what are they used for?

Explain the format of an

Ethernet fame.
How does Ethernet addressing

work?

Explain how switches send

frames (full-duplex and half-
duplex).

explanation):
Term Explanation
Ethernet
IEEE
Wired LAN
Wireless LAN
Ethernet frame
10BASE-T /
100BASE-T /
1000BASE-T
Fast Ethernet
Gigabit Ethernet
Ethernet link

RJ-45
Ethernet port
NIC
Straight-through
cable
Crossover cable
Ethernet address
MAC address
Unicast address
Broadcast address
Frame Check
Sequence

Chapter 3

Describe a leased line and the

components involved.
What equipment is involved in

a WAN link?

How do routers use an HDLC

WAN link?
How do routers use an

Ethernet WAN service?

Describe a DSL and the

hardware involved.
Describe a cable Internet

connection and the hardware
involved.

explanation):
Term Explanation
Leased line
WAN
Telco
Serial interface
HDLC
DTE
DCE
CSU/DSU
DSL
Cable Internet
DSL modem
Ethernet over
MPLS

Topic: Fundamentals of IPv4 and TCP/IP Transport
Study Process:
Done Step
key terms.
key terms.
  Complete the Part I Review on pages 137 to 138 of the ICND1 textbook.

Chapter 4

Explain how an IP packet is

routed from a host to its
destination.
How are IP addresses used for

routing?

Briefly explain IPv4 addresses.
How are IPv4 addresses

grouped?

Describe each of the three

classes of IPv4 networks.
What is IPv4 subnetting?

Provide a brief explanation.

How do routers decide where

to forward packets?
What functions do IPv4

routing protocols carry out?

What is DNS used for?
Explain how ARP operates.
What does the ping

command do?

explanation):
Term Explanation
Host
Default gateway
Routing table
IP network
IP subnet
IP packet
Routing protocol
Dotted-decimal
notation
IPv4 address
Unicast IP address
Subnetting
Host name
DNS
ARP
Ping

Chapter 5

What are some of the

functions carried out at the
TCP/IP Transport layer?
How are TCP port numbers

used to separate application
data?

Describe some popular TCP/IP

applications.
How does UDP work?

Why is QoS important for

some TCP/IP applications?
How is a URL used to contact a

web server?

explanation):
Term Explanation
Connection
establishment
Error detection
Error recovery
Flow control
Forward
acknowledgment
HTTP
Ordered data
transfer
Port
Segment
Sliding windows
URL
VoIP
Web server

Topic: Ethernet LAN Switching and Operating Cisco Switches
Study Process:
Done Step
key terms.
  Study ICND1 textbook pages 169 to 179. After studying pages 169 to 179, read
pages 1-47 to 1-48 below. Then continue with studying ICND1 textbook pages
179 to 194.
key terms. Ensure you understand the main commands on pages 196 to 197 of
the ICND1 textbook.
  Using the information in Topic 4 of the learning guide, carry out the labs
using the Boson NetSim software.
ICND1:
 Switch Basics Part I.

  Optional: using the information in Topic 4 of the learning guide, carry out the
commands from Chapter 7 using the Boson NetSim software.
Example Page Notes
ICND1 7-1 181 You need to access the IOS of a 2960 switch using the
Boson NetSim software before you can carry out this
example. By default, the virtual device will not require
a user EXEC mode logon unless you configure one
(see page 180).
ICND1 7-2 186 Exit configuration mode when finished.
ICND1 7-3 189 Your switch will not have a hostname of hannah but
a generic name.
ICND1 7-4 192 Do not attempt this example. The setup dialog
wizard is supported by the Boson NetSim software in
some of the Boson labs.
ICND1 7-5 193 This example can be successfully completed, but your
output will be different.
  Optional: Watch these two videos:

http://tinyurl.com/m3mc3sw
http://tinyurl.com/m2ppamg

Unit 4 – Notes (for you to complete)
Chapter 6

What actions do switches

perform with frames?
How do switches learn MAC

addresses?
How do switches avoid loops?

What is a broadcast domain?
How do switches segment a

LAN?
What three roles do switches

carry out on a campus LAN?

What is the benefit of NIC

autonegotiation?
What rules and logic do

switches use with the
autonegotiation process?

explanation):
Term Explanation
Hub
Switch
Bridge
Collision domain
MAC
Flooding
STP
Store and forward

switching
Cut-through
switching
Fragment-free
switching
Broadcast domain
VLAN
Autonegotiation
Duplex mismatch

Cisco Switch Console Connections

Pages 176 to 177 of the ICND1 textbook describe how to connect a computer to a Cisco switch in
order to access the IOS’s CLI.
Figure 7-1 on page 173 of the ICND1 textbook shows the front of a modern Cisco switch. On the
right hand side of this figure is where the USB (this uses a USB mini-Type B 5-pin connector) and
RJ-45 console ports are located to which you would cable the computer. You can also connect to
the Ethernet management port on the switch using a standard UTP cable (using RJ-45
connections on both ends of the cable). Figure 1-1 below shows a close-up of these console and
management ports.
FIGURE 1-1: Cisco Switch Ports
You can connect a switch to a Windows computer or a terminal server using one of these three
options:
1. The Ethernet management port - the 10/100 Ethernet management port connection uses a
standard RJ-45 crossover or straight-through cable.
2. The RJ-45 console port - the RJ-45 console port connection uses an RJ-45-to-DB-9 female
cable.
3. The USB console port (USB mini-Type B port) - the USB console port connection uses a USB
Type A to 5-pin mini-Type B cable.
If you use the USB console port, the Cisco Windows USB device driver must be installed on any
PC connected to the console port. Mac OS X or Linux require no special drivers.
The console output always goes to both the RJ-45 and the USB console connectors, but the
console input is active on only one of the console connectors at any one time. The USB console
takes precedence over the RJ-45 console.
Some Cisco switch models do not have these ports on the front, and some models lack the USB
console port. Figure 1-2 below shows the front and back of a switch that does not have front
console ports. The RJ-45 console port on this switch is located on the back of the switch.

FIGURE 1-2: Cisco Switch Front and Back
Console Access Method

There are several ways to access the CLI on a switch. The most common methods are:
Console
The console port is a management port that provides a dedicated management channel that is
used for device maintenance purposes only. The advantage of using a console port is that the
device is accessible even if no networking services have been configured (so the standard 10/100
ports cannot be used), such as when performing an initial configuration of the networking
device. When performing an initial configuration, a computer running terminal emulation
software is connected to the console port of the device using a special cable. Configuration
commands for setting up the switch or router are entered on the connected computer. The
console port can also be used when the networking services have failed and remote access to the
switch is not possible.
By default, console access does not require any form of security. However, the console should be
configured with passwords to prevent unauthorised device access.
Telnet
Telnet is a method for remotely establishing a CLI session of a device over a network. Telnet
sessions require active networking services on the device. The network device must have at least
one active interface configured with an Internet address, such as an IPv4 or IPv6 address. Cisco
devices include a Telnet server that allows users to enter configuration commands from a Telnet
client, and a Telnet client which allows a network administrator to establish a link from the Cisco
device CLI to any other device that supports a Telnet server process.
SSH
The Secure Shell (SSH) protocol provides a remote login similar to Telnet, except that it uses a
more secure method. SSH provides stronger password authentication than Telnet and uses
encryption when transporting session data. This keeps the user ID, password, and the details of
the session private.
Most versions of the Cisco IOS include an SSH server, and generally this is enabled by default.
Cisco devices also include an SSH client that can be used to establish SSH sessions with other
devices.

Chapter 7

Describe the ports on a switch

(e.g. connector type/number
of pins) and what they are
used for.

How can you access the Cisco

IOS CLI?
Explain the differences

between user and enable
modes.

What is configuration mode

used for and explain some of
the configuration submodes?
What types of memory do

switches have?

How do you copy switch

configuration files?
What is setup mode?

explanation):
Term Explanation
CLI
Ports
IOS
Telnet
SSH
User mode
Enable mode
Configuration mode
NVRAM
Startup config
Running config

Topic: Configuring Ethernet Switching and Virtual LANs
Study Process:
Done Step
  Study ICND1 textbook pages 199 to 228. The Note box on page 217 directs
you to view some videos and try some labs. Follow the advice to watch the
relevant videos, but do not do the DVD labs (these will be used as a practice
activity at the conclusion of your study of the book).
key terms. Ensure you understand the main commands on pages 230 to 233.
  Using the information in Topic 4, carry out the commands from Chapter 8
Example Page Notes
ICND1 8-1 / 204 - This example can be successfully completed.
8-2 206
ICND1 8-3 / 209 - This example can be successfully completed.
8-4 210
ICND1 8-5 211 This example can be successfully completed.
ICND1 8-10 / 220 This example can be successfully completed.
8-11

  Using the information in Topic 4, carry out the labs using the Boson NetSim
software.
ICND1:
 Switch Basics Part II.
 Using the System Configuration Dialog for Initial Switch Configurations.
 Switch and Workstation Configuration.
 Enhancing Switch Security 1.
 Initial Switch Configuration.
 Enhancing Switch Security 2.
 IP Addressing on Catalyst 2950 Switches.
 Configuring Telnet on Catalyst 2950 Switches.
 Configuring Trunking on Catalyst 2950 Switches.
 Configuring VLANs on a Catalyst 2950 Switch.
 Deleting VLANs on a Catalyst 2950 Switch.
  Optional: using the information in Topic 4, carry out the commands from
Chapter 9 using the Boson NetSim software.
Example Page Notes

ICND1 9-1 248 This example can be successfully completed if you
setup your network as shown in Figure 9-11.
ICND1 9-3 253 This example can be successfully completed if you
setup your network as shown in Figure 9-12.
  Optional: Watch these two videos:

http://tinyurl.com/ozdawbe
http://tinyurl.com/lm6quop

Chapter 8

What methods can be used to

secure a switch? Give a short
description of each.

How do you protect the

passwords on a switch?
What settings can you

configure on the console and
/ or vty?

What is the VLAN interface

used for?
What port security features do

switches have?

How can you secure unused

switch ports?
explanation):
Term Explanation
Console password
Telnet password
Enable password
Vty line
AAA server
SSH
Banner
VLAN interface
Interface
Fast Ethernet
Port security
Sticky address

Chapter 9

What is the purpose of a

VLAN?
Explain the concept of

trunking.

How do VLAN trunking

protocols transport VLAN
information?
What three methods can be

used to route packets
between different VLANs?

What is VTP used for?
Describe the trunking

administrative modes.
How can you control the

VLANs carried over a trunk?

explanation):
Term Explanation
802.1Q
Trunk
Administrative
mode
Operational mode
VTP
Transparent mode
VLAN
VLAN tagging
Native VLAN
Layer 3 switch
Access interface
Trunk interface

Day: ICND1 Chapter 10 – Cisco Press Textbook
Topic: Troubleshooting Ethernet LANs and Review
Study Process:
Done Step
software.
ICND1:
 Cisco Discovery Protocol.
 CDP.
Example Page Notes
ICND1 10-1 / 274 - This example can be successfully completed if you
10-2 276 setup your network as shown in Figure 10-3.
ICND1 10-7 / 291 - This example can be successfully completed if you
10-8 292 setup your network as shown in Figure 10-6.
  Optional: Watch this video:

http://tinyurl.com/oumo5mr
  Complete the Part II Review on pages 299 to 300 of the ICND2 textbook.

Chapter 10

What is the purpose of CDP?
Why are switch interface

codes useful?

Describe what a duplex

mismatch is.
What can cause Layer 1

interface problems?

Why are MAC address tables

useful?
What are the reasons why a

frame sent from a host in a
VLAN would not reach
another host on a nearby
switch?

explanation):
Term Explanation
CDP
CDP neighbour
Up/up
Duplex mismatch
Input error

Topic: Spanning Tree Protocol Concepts and Implementation

Study Process:
Done Step
15. See how you did by using the answers on the bottom of page 16. If you got
Appendix D on the DVD. Use page 1-79 of this learning guide to record the
key terms.
Learn the Key Topics. Use page 1-84 of this learning guide to record the key
terms. Ensure you understand the main commands on pages 74 to 75.
software.
ICND2:
 Reviewing Switch Configurations.
 Spanning Tree 1.
 VLANs.
 STP and MST.
 Layer 2 EtherChannel.
 EtherChannel Protocols.
 LACP.

Example Page Notes
ICND2 2-1 / 51 & This example can be successfully completed. You
2-2 52 need to setup the devices and links as shown in Figure
2-4 first, because this setup is used in Examples 2-1
and 2-2 in this chapter.
ICND2 2-3 / 53 & This example can be successfully completed.
2-4 54
ICND2 2-7 59 You need to setup the devices and links as shown in
Figure 2-6 first. The channel-group commands shown
in Example 2-7 need to be carried out on switch SW2
as well. The command show spanning-tree vlan 3
may not work. Instead use show spanning-tree vlan
1. The command show etherchannel 1 summary
may not work. Instead use show etherchannel
summary.
ICND2 2-8 63 Do not attempt this example. Just study and
understand the STP troubleshooting process and the
problems in the example.

http://tinyurl.com/m8l9mw8

Chapter 1

What is the purpose of STP?
Explain how 802.1D works.

What states can switch ports

be placed in?
What is the importance of the

STP root switch?

What is a switch root port

used for?
What happens when a switch

detects a change in the STP
topology?

What is the benefit of an

EtherChannel?
explanation):
Term Explanation
STP
Broadcast storm
Convergence
Root port
Root cost
Designated Port
(DP)
BPDU
BID
Hello timer
Listening state
Learning state
EtherChannel
RSTP

Chapter 2

What are the different Cisco

STP modes?
What is PVST+ load

balancing?

What is the importance of the

BID priority setting?
Why are per-VLAN port costs

important?

What does using dynamic

EtherChannels achieve?
Explain what STP tiebreakers

do?

What happens in terms of STP

if a link between two switches
fails?
explanation):
Term Explanation
PVST+
System ID Extension
BID Priority
BPDU Guard
PortChannel
Channel Group
PAgP
LACP

Unit 8 – Student Information
Topic: Troubleshooting LAN Switching and Review
Study Process:
Done Step
Appendix D on the DVD. Ensure you understand the main commands used in
the chapter and how they are used to solve switch problems.
software.
ICND2:
 Troubleshooting Port Security.
 EtherChannel Troubleshooting.
Example Page Notes
ICND2 3-1 to 88, You need to setup the devices and links as shown in
3-3 91, & Figure 3-3 first. This example can be successfully
93 completed.
ICND2 3-4 to 95, Do not attempt this example. Just study and
3-6 97, & understand the switching and VLAN troubleshooting
101 process and the problems in the example.
ICND2 3-7 to 104 This example can be successfully completed. You
3-21 to 119 need to setup the devices and links as shown in Figure
3-5 first, because this setup is used in Examples 3-7 to
3-21 in this chapter. For Examples 3-7 to 3-14 you will
have to create the problems first.
  Complete the Part I Review on pages 125 to 126 of the ICND2 textbook.

Chapter 3

Explain how you would

troubleshoot a problem.
How would you analyse the

behaviour of a Layer 3 packet?

What steps would you take to

isolate a problem?
What can you do to find out

information about the
network?
How can you check for switch

interface problems?

What problems can occur with

speed and duplex settings?
Identify the problems that

port security settings can
cause.

What kind of problems can

VLAN and trunking settings
cause?

Topic: Subnetting and Classful IPv4 networks
Study Process:
Done Step
key terms.
  Practise analysing IP addresses: Complete the practice problems on pages 341

to 343 of the ICND1 textbook. Also practise the problems in Appendix D on
the DVD.
terms.

Chapter 11

What does subnetting an IP

network achieve?
How do routers separate

subnets?
What types of networks/links

require their own subnets?

Describe the parts of an IP

address that define a subnet.
Discuss the concept of VLSM.

What is a classful public IP

network?
Explain how NAT allows the

sharing of private IP network
addresses.
Explain how borrowing bits

from the host part of an
address creates subnets.

How does a subnet mask

identify which part of an
address is the subnet part and
which part is for hosts?
Which subnet addresses

cannot be used for hosts?

explanation):
Term Explanation
Subnet
Classful network
VLSM
Subnet mask
Private IP network
Public IP network
NAT
Host bits
Subnet bits
Network part
Subnet broadcast
address
Static address
Dynamic address

Chapter 12

Outline how a Class A, B, and

C network address and default
mask identify together the
network and host part of the
classful address.

Explain the method you would

use to determine the network
ID, host address range, and
broadcast address of an IP
address.

explanation):
Term Explanation
Classful network
Network ID
Network broadcast
address
Network part
Host part
Loopback address
Default mask

Topic: Analysing Subnet Masks and Existing Subnets
Study Process:
Done Step
  Fill in the notes on page 1-103 of the learning guide.
  Carry out the Exam Preparation Tasks on page 365-367 of the ICND1
textbook. Learn the Key Topics. Complete the Memory Tables for the chapter
– see Appendix M on the DVD. Use page 1-106 of this learning guide to record
the key terms. Ensure that you attempt the practice problems in the chapter,
as well as those in Appendix E on the DVD.
  Follow the advice on page 386 and 388 of the ICND1 textbook, and view the
relevant subnetting videos on the DVD.
  Practise analysing Subnets: Complete the practice problems in tables 14-9 and
14-10 (pages 384 to 391 of the ICND1 textbook). Also practise the problems in
Appendix F on the DVD.
terms.

Chapter 13

Explain the format of subnet

masks, including CIDR
prefixes.
How do you convert a CIDR

prefix to a subnet mask?

What two parts of an IP

address does a subnet mask
identify?
Explain why a classful IPv4

address only has two parts?

explanation):
Term Explanation
Binary mask
DDN
Decimal mask
Prefix mask
Slash mask
CIDR mask
Classful addressing
Classless addressing

Chapter 14

How do you define a subnet?

Describe the steps involved.
What does the subnet ID

identify?

What is the subnet broadcast

address used for?
Write down the method that

you will use to find the subnet
ID of an IPv4 address.

Write down the method that

you will use to find the
broadcast address of an IPv4
address.
explanation):
Term Explanation
Resident subnet
Subnet number
Subnet broadcast
address

Topic: Review and Operating Cisco Routers
Study Process:
Done Step
  Complete the Part III Review on pages 397 to 399 of the ICND1 textbook.
  Study ICND1 textbook pages 403 to 420. The same methods that are available
to connect to a switch to manage it (see pages 1-47 to 1-48 of the learning
guide) also can be used to connect to a router.
key terms. Ensure you understand the main commands on page 422.
software.
ICND1:
 Router Basics I.
 Router Basics II.
 Basic Show Commands.
 Saving Router Configurations.
 Cisco Discovery Protocol on a Router.
 Router Remote Access via Telnet.
 Backup using TFTP.
 Trivial File Transfer Protocol.
 Telnet I.
 Basic Router Configuration.
 Advanced Router Configuration.
 Setting Up a Serial Interface

Example Page Notes
ICND1 15-1 413 to This example can be successfully completed.
414
ICND1 15-2 416 to These examples can be successfully completed.
and 15-3 417
Chapter 15

Explain how a CSU/DSU is

used to connect a router to a
leased line?
What hardware is used to

connect a switch to a leased
line (see figure 15-1 on page
407 of ICND1)?

What types of interfaces do

routers have?
Explain the different statuses

that router interfaces may
have.

What are the steps to access

an interface and assign it an
IPv4 address?
What is the clock rate

command used for and why?

explanation):
Term Explanation
CSU/DSU
SOHO
Aux port
Status codes
Clocking
IOS image

Topic: Configuring IPv4 Addressing and OSPFv2 Routing
Study Process:
Done Step
key terms. Ensure you understand the main commands on page 455 to 456.
Example Page Notes
to understand the scenario and the results in this
439 example.
16-4 to need to setup the devices Core, B1, and SW1 (use a
444 2960 switch) and related links as shown in Figure 16-
1 first, because this setup is used in the examples in
this chapter. You will need to configure the IP
addresses on the interfaces on router B1 (see
Examples 16-2) and setup the VLANs and enable
trunking on switch SW1.
ICND1 16-5 to 446 This uses the configuration from examples 16-2 to
16-6 16-4. This Example can be successfully completed.
understand the scenario and the results in this
example.
example.
16-11 to need to setup the devices, IP addresses, and links as
453 shown in Figure 16-16 first, because this setup is
used in these examples.

Appendix M on the DVD. Use pages 1-131 to 1-132 of this learning guide to
record the key terms. Ensure you understand the main commands on page
489 to 490.
  Using the table in Topic 4, carry out the labs using the Boson NetSim software.
ICND1:
 Configuring Router Interfaces.
 Loopback Interfaces.
 Static Routes I.
 OSPF 1.
 Configuring Open Shortest Path First.
 Confirming the Network Configuration.
 IP Addressing.
 Static Routes.
 Default Routes.
  Optional: using the table in Topic 4, carry out the commands from Chapter 17
Example Page Notes
ICND1 17-1 to 477 These examples can be successfully completed. You
486 shown in Figure 17-10 first, because this setup is used
in these examples.
  Optional: Watch these videos:

http://tinyurl.com/m8f3ery
http://tinyurl.com/lepewks
http://tinyurl.com/kdne7qj

Chapter 16

Explain how a host performs

routing.
Explain how a router performs

routing.

What methods do routers use

to add routes to their tables?
Explain how router-on-a-stick

is used to route between
VLAN subnets?

What two methods can you

use to configure the 802.1q
native VLAN?
Explain the method used on a

Layer 3 switch to setup VLAN
routing.

How does secondary IP

addressing work?
What is the zero subnet?
What is a static default route

used for?

explanation):
Term Explanation
Default gateway
Routing table
Connected routes
ROAS
Subnet zero
Subinterface
VLAN interface
CEF
Static route
Default route

Chapter 17

What does a routing protocol

do?
Explain the difference

between interior and exterior
routing protocols?

What metrics do routing

protocols use?
How is administrative distance

used to pick the best route to
a network?

What are LSAs used for?
How are OSPF neighbours

used to gather network path
information?
What is an OSPF Hello

message and what is it used
for?

What are the configuration

steps for OSPF?
What is the wildcard used for

in an OSPF network
command?
What information does the

show ip ospf neighbor
command give you?

What is a loopback interface

and how can it affect the OSPF
RID?
What is an OSPF passive

interface?

explanation):
Term Explanation
Routing protocol
Routed protocols
Convergence
IGP
EGP
AS
Distance vector
Link-state
Classless routing
protocols
Metric
Route redistribution

Administrative
distance
OSPF
LSA
LSDB
OSPF neighbour
Hello message
RID
Single-area OSPF
ABR
Loopback interface


Day: ICND1 Chapter 18 and Part IV Review – Cisco Press Textbook
Topic: Configuring and Verifying Host Connectivity and Part IV Review
Study Process:
Done Step
terms. Ensure you understand the main commands on page 524 to 525.
software.
ICND1:
 Address Resolution Protocol.
 Testing Connectivity with Traceroute.
 Configuring DNS.
 DHCP.
Example Page Notes
505 shown in Figure 18-5 first, because this setup is used
in these examples.
ICND1 18-4 506 You can run this command on your Windows 7
computer.
computer.
computer.
18-8 need to setup the devices, IP addresses, and links as
shown in Figure 18-8 first (you can use a switch to
connect Host A to Host B), because this setup is used
in these examples.


515 shown in Figure 18-9 first (you will need to give the
interfaces on routers R1 and R2 appropriate IP
addresses), because this setup is used in these
examples.
ICND1 18-12 516 Do not attempt these examples. Just study and
to 18-13 to understand the scenario and the results in these
519 examples.
to understand the scenario and the results in this
522 example.

http://tinyurl.com/n8pc7xf
http://tinyurl.com/ohu6fq4
  Complete the Part IV Review on pages 527 to 529 of the ICND1 textbook.

Chapter 18

What is DHCP and what does

it do?
What is a DHCP relay for?
What information does a

DHCP server store?

What is a DHCP pool and how

is it used on a Cisco router?
How does a DHCP server

prevent IP address conflicts?
How does a host use a default

router?

How can the ping command

be used to test IP routes?
What information can the

traceroute command
provide?
What is the telnet tool used

for?

explanation):
Term Explanation
DHCP
DHCP server
DHCP relay agent
Nslookup
Ping
Traceroute

Topic: Subnet Design and VLSM
Study Process:
Done Step
  Fill in the notes for this chapter on pages 1-142 to 1-143 of the learning guide.
terms. Ensure that you attempt the practice problems in the chapter, as well as
those in Appendix G on the DVD.
  Follow the advice on page 546 and 554 of the ICND1 textbook, and view the
relevant videos on the DVD.
  Complete the “Do I Know This Already?” quiz on ICND1 textbook page 562.
See how you did by using the answers on the bottom of page 563. If you got
key terms. Ensure that you attempt the 7 practice problems in the chapter, as
well as those in Appendix H on the DVD.
software.
ICND1:
 Variable Length Subnet Masks.

http://tinyurl.com/cvakvz5

Chapter 19

How do you choose the

number of bits required for
hosts in a subnet?
How do you identify valid

masks that will meet
requirements?

How do you choose the best

mask that meets both the
subnet and host
requirements?
How do you identify all the

subnet IDs for a given IP
address and mask?

explanation):
Term Explanation
Network bits
Host bits
Subnet zero
Broadcast subnet
Subnet broadcast
address

Chapter 20

Explain the concept of VLSM –

what is its purpose?
How do classful routing

protocols support VLSM?

Why is it important that

address ranges do not overlap
when VLSM is used?
How do you identify if there

are overlapping address
ranges?

How do you add a new subnet

to a network that uses a VLSM
design?
explanation):
Term Explanation
Classful routing
protocols
VLSM
VLSM overlaps

Day: ICND1 Chapter 21 and Part V Review – Cisco Press Textbook
Topic: Route Summarisation and Part V Review
Study Process:
Done Step
  Fill in the notes for this chapter on page 1-151 of this learning guide.
those in Appendix I on the DVD.
  Complete the Part V Review on pages 593 to 594 of the ICND1 textbook.
  Book your CCN Workshop!

Chapter 21

What is route summarisation

and why would you use it?
How do you identify the

summary route that best
summarises a group of
subnets?

explanation):
Term Explanation
Overlapping
subnets
Discontiguous
network
Summary route

Topic: Basic and Advanced IPv4 ACLs and Device Security
Study Process:
Done Step
those in Appendix J on the DVD. Ensure you understand the main commands
on page 620.
Example Page Notes
ICND1 22-1 611 This example can be successfully completed. You
to 22-2 to need to setup the devices and links as shown in
612 Figure 22-4 first, because this setup is used in the
examples.
need to setup the devices and links as shown in
Figure 22-8 first, because this setup is used in this
example.
example.
can use R2 from the setup from Figure 22-8 used for
Example 22-3.
  Complete the “Do I Know This Already?” quiz on ICND1 textbook page 624 to

terms. Ensure that you attempt the practice problem in the chapter. Ensure
you understand the main commands on page 649 to 651.
software.
ICND1:
 Standard Access Lists.
 Extended Access Lists.
 Named Access Lists.
 Configuring NTP.
 Numbered Access Lists.
Example Page Notes
ICND1 22-1 611 to This example can be successfully completed. You
to 22-2 612 need to setup the devices and links as shown in Figure
22-4 first, because this setup is used in the examples.
need to setup the devices and links as shown in Figure
22-8 first, because this setup is used in this example.
example.
ICND1 22-5 618 This example can be successfully completed. You can
use R2 from the setup from Figure 22-8 used for
Example 22-3.
to 23-2 & need to setup the devices and links as shown in Figure
633 23-8 first, because this setup is used in Examples 23-1
to 23-2. You can then use the commands in Table 23-
5 to configure the devices.
understand the information and its meaning.
ICND1 23-4 636 These examples can be successfully completed and
to 23-7 to can be completed on any 26xx router in the Boson
639 NetSim software.
For Example 23-6, you should use an extended
access list not a standard one, and then use the
extended syntax for the permit entries. This is because
the Boson NetSim software does not support
standard access lists using the new configuration
style (sequence numbers).
For Example 23-7, you cannot use the no service
tcp.. and no service udp.. commands.

ICND1 23-8 643 This example can be successfully completed and can
to 23-9 to be completed using any 26xx router in the Boson
644 NetSim software.
to 23-11 to understand the information and its meaning.
647

http://tinyurl.com/morj9ky
Chapter 22

What does an ACL do?
What does an ACL match and

what actions do ACLs take
when there is a match?
What types of ACLs are there?

Discuss how an ACL processes

a packet against an ACL.
How do wildcard masks allow

a range of addresses to be
matched by an ACL line?

How do you choose the

correct wildcard mask to
match a range of addresses?
What are the rules to follow

when building an ACL?

explanation):
Term Explanation
ACL
Matching packets
Standard ACL
Extended ACL
ACL wildcard mask

Chapter 23

What is the benefit of an

extended ACL compared to a
standard ACL?
What fields in a packet does

an extended ACL check? There
are five.

What are the rules to follow

when creating an ACL?
What is the benefit of using a

named ACL?

What features do numbered

ACLs provide?
What services can be disabled

to protect Cisco devices?

What are good

recommendations to follow
when implementing an ACL?
Why is configuration of NTP

important?

explanation):
Term Explanation
Named ACL
Extended ACL
NTP

Day: ICND1 Chapter 24 and Part VI Review – Cisco Press Textbook
Topic: Network Address Translation and Part VI Review
Study Process:
Done Step
terms. Complete the Memory Tables for the chapter – see Appendix M on the
DVD. Ensure you understand the main commands on page 679.
software.
ICND1:
 Implementing Network Address Translation Part I.
 Implementing Network Address Translation Part II.
 Static Network Address Translation.
 NAT Overloading – PAT.
 Dynamic NAT.
 Static NAT.
 Many-to-One NAT.
 NAT Pool.
Example Page Notes
24-5 to need to setup the devices and links as shown in Figure
672 24-12 first, and then follow the instructions to
configure the devices because this setup is used in
Examples 24-1 to 24-5 in this chapter.
24-13 first, and then follow the instructions to
configure the devices.

  Complete the Part VI Review on pages 681 to 682 of the ICND1 textbook.

http://tinyurl.com/mfb4koq
Chapter 24

What are the benefits of CIDR

for IPv4?
What are private IP addresses?

Explain how static NAT works.
Explain how dynamic NAT

works.

Explain how PAT works.
What are the steps to

configure static NAT?


configure dynamic NAT?

configure PAT?

explanation):
Term Explanation
CIDR
Private intranets
NAT
Static NAT
Inside local
Inside global
Outside global
Outside local
Dynamic NAT
PAT

Topic: Troubleshooting IPv4 Routing
Study Process:
Done Step
terms.
  Using the information in Topic 4, carry out the commands from ICND2
Example Page Notes
4-3 to need to setup the devices and links as shown in
143 Figure 4-6 first, and then follow the instructions to
use the devices.

150 Figure 4-16 first, and then follow the instructions to
use the devices.
terms. Complete the Memory Tables for the chapter – see Appendix D on the
DVD.
software.
ICND2:
 Review Basic Router Configuration.
 Advanced Extended Access Lists.
 Reviewing Access Lists.

 InterVLAN Routing.
 InterVLAN Routing II.
 Troubleshooting Access Lists.
 IP Access Lists.
Chapter 4

What steps does a router

perform when it receives an IP
packet?
Describe how a packet is

routed end-to-end from one
host to another.

How can ping and extended

ping be used to identify which
device is preventing
communication with a remote
host? Identify the different
tests required to locate the
source of the problem – full
path testing, reverse route,
LAN neighbours, WAN
neighbours.

How can traceroute be used

to identify the router that
could be causing a
communication problem?

explanation):
Term Explanation
Default router
Encapsulation
Deencapsulation
ICMP Echo request
ICMP Echo reply
Forward route
Reverse route
Outgoing interface
TTL (Time To Live)

Chapter 5

What are the steps to ensure

that a host’s IPv4 settings are
correct?
What problem is caused if a

host has a different mask from
the subnet’s router?

What can cause DNS

problems for a host?
What do you need to check to

ensure that router-on-a-stick
is configured correctly?

What are the causes of

problems with DHCP for
hosts?
What can cause LAN

connectivity problems and
what are the common reasons
for interface issues?

How does a router pick the

best route and what
information can you view on a
router to identify a router’s
best route?
How can you identify if VLSM

is in use on a network?

How can you identify

overlapping subnets when
both using VLSM and not
using VLSM?
What steps do you take to

identify if an ACL is causing a
connectivity problem?

explanation):
Term Explanation
Ipconfig
Router-on-a-stick
DHCP relay
Speed mismatch
Overlapping routes

Topic: Redundant First-Hop Routers and VPNs
Study Process:
Done Step
Example Page Notes
197 Figures 6-3 and 6-5 first, and then follow the
instructions to use the devices.
6-7 to need to modify the setup that you used for Example
201 6-3. Page 198 provides advice on how to do this.
Then you can follow the examples.

software.
ICND2:
 Configuring Hot Standby Router Protocol.
 Configuring Virtual Router Redundancy Protocol.
 GRE Tunnels.
 HSRP Interface Tracking.
Example Page Notes
220 Figure 7-5 first. Page 217 provides advice on how to
do this. The configuration should be as shown in
Examples 7-1 and 7-2. Then you can follow the
examples.

Chapter 6

Why is having redundant

network links important?
What does an FHRP do?

Explain how HSRP works and

its main concepts.
How does HSRP support load

balancing?

Explain how GLBP works and

how it load balances packets.
Explain the information about

HSRP that can be learned
using the show standby brief
command.

explanation):
Term Explanation
FHRP
Single point of
failure
HSRP
VRRP
GLBP
Virtual IP address
Load balancing
AVG
GLBP forwarder
Active/standby

Chapter 7

Explain the features of a VPN.
How does a VPN tunnel work?

What are the three types of

VPNs?
What devices are involved in

building and using a VPN?

How does IPsec protect the

data that is travelling over a
VPN?
What is a SSL VPN?

How does routing occur over

a GRE tunnel?
How does a GRE tunnel

operate over an unsecured
network such as the Internet?

explanation):
Term Explanation
VPN
VPN tunnel
VPN client
Intranet VPN
ASA
Extranet VPN
Remote-access VPN
IPsec
Encryption key
SSL
GRE

Day: ICND2 Part II Review and Chapter 8 – Cisco Press Textbook
Topic: Part II Review and Implementing OSPF
Study Process:
Done Step
  Complete the Part II Review on pages 225 to 226 of the ICND2 textbook.
  Complete the “Do I Know This Already?” quiz on ICND2 textbook pages 232
to 233. See how you did by using the answers on the bottom of page 234. If
you got any wrong, locate and review the information in the chapter. Review
the explanations for the answers in Appendix C on the DVD.
DVD. Ensure you understand the main commands on pages 264 to 265 of the
ICND2 textbook.
software.
ICND2:
 OSPF Authentication.
 Planning and Configuring Single-Area OSPF.
 Planning and Configuring Multi-Area OSPF Part I.
 Planning and Configuring Multi-Area OSPF Part II.
 OSPF 2.
 OSPF Routes.
Example Page Notes
8-8 to need to setup the devices, links, and OSPF
260 configurations as shown in Figures 8-16 and 8-17
first. You can use the configurations shown in
Example 8-1 to 8-3 for this. Then you can follow the
examples.


http://tinyurl.com/kgel33d
http://tinyurl.com/l2qtu4a
http://tinyurl.com/mc4ue26
Chapter 8

How does a router choose its

OSPF RID?
Describe the process that

occurs for two routers to
become OSPF neighbours.

What do routers use to

exchange OSPF databases?
What do routers do to
maintain their relationships
with neighbours?

What is a Designated Router

(DR) and what does it do?
What two OSPF neighbour

states are there and what does
this mean?

Explain the different roles

routers can have in an OSPF
area.
What rules do you apply when

you choose the OSPF area a
router interface will be
connected to?

What are the advantages of

using multiple OSPF areas?

router LSA contain?

network LSA contain?


summary LSA contain?
How does a router choose the

best route to a network using
LSDB information?
How do routers choose which

route to use if it knows of
multiple routes from different
sources?


configure OSPFv2?
How do you check that the

correct areas are on each
interface, and, for an area,
what the DR and BDR are?

How is the OSPF cost of a link

calculated?
How do you change the OSPF

interface cost?

explanation):
Term Explanation
2-way state
Full state
ABR
DR
BDR
Fully adjacent
Hello interval
Dead interval
LSA
LSU
Backbone area
AD
OSPF neighbor
RID
SPF
Router LSA
Network LSA
Summary LSA

Topic: Understanding and Implementing EIGRP
Study Process:
Done Step
  Fill in the notes on pages 1-213 to 1-216 of this learning guide.
DVD.
  Fill in the notes on page 1-218 of this learning guide below.
DVD. Ensure you understand the main commands on pages 319 to 320.
software.
ICND2:
 EIGRP and Wildcard Masks.
 EIGRP Authentication I.
 EIGRP.
 EIGRP Routes.

Example Page Notes
302 Figure 10-1 first. You can use the configuration shown
in Example 10-1 to setup EIGRP. Then you can follow
the examples.
313 Figure 10-3 first. This is the same as that used in the
previous examples, with the R4 router added. Then
you can follow the examples.
to 10-18 to understand the information and its meaning.
317

http://tinyurl.com/mmucync
http://tinyurl.com/m6ec5vw
  Using the information in Topic 5 of this learning guide, begin working on your
submission for Part A of the project.

Chapter 9

What are two benefits of using

EIRGP?
Explain what distance vector

means.
What messages do routers

running EIGRP send?

What is the purpose of route

poisoning?
How do routers become

EIGRP neighbours?
Explain how EIGRP update

messages operate.

What metric does EIGRP use

to choose the best routes to
networks? Explain what items
are involved in its calculation.
Why would you use the

bandwidth command to
manually designate the speed
of a serial link?

What is the difference

between an FD and an RD?
Explain what successors and

feasible successors are, and
how they are used in selecting
the best route to a network?

explanation):
Term Explanation
Distance vector
Split horizon
Route poisoning
ASN
Partial updates
FD
RD
Successor

Chapter 10

What are the important

settings when configuring
EIGRP?
Explain how a wildcard mask is

used to specify the classless
network to include in EIGRP.

How can you identify the

interfaces on a router which
are included in EIGRP?
What information about the

EIGRP topology can you learn
from the show ip eigrp
topology command?

What happens if two routes to

a network have the same FD?
How do you identify a router’s

feasible successor to a
network?

How does EIGRP load balance

multiple routes to the same
network, even if the metrics
are different?
Explain autosummarisation
and the problems it can cause
in classless networks.

explanation):
Term Explanation
EIGRP wildcard
mask
Unequal-cost load
balancing
Variance multiplier
Autosummarisation
Discontiguous
classful network

Day: ICND2 Chapter 11 and Part III Review – Cisco Press Textbook
Topic: Troubleshooting IPv4 Routing and Part III Review
Study Process:
Done Step
Appendix D on the DVD. Ensure you understand the main commands on
pages 348 to 349.
software.
ICND2:
 Troubleshooting OSPF.
 Troubleshooting EIGRP.
Example Page Notes
ICND2 11-1 to 327 to This example can be successfully completed. You
11-4 332 need to setup the devices and links as shown in
Figure 11-3 first and use the information on page
327. You will need to follow the instructions as
given on pages 327 to 332 if you wish to create
the problems as explained and use the show
commands to view the output.
Figure 11-5 (similar to Figure 11-3) and use the
information on page 338. You will need to follow
the instructions as given on page 338 if you wish
to create the problems as explained and use the
show commands to view the output.


Figure 11-4 first. You will need to follow the
instructions as given on pages 332 if you wish to
create the problems as explained and use the
show commands to view the output.
ICND2 11-10 339 to This example can be successfully completed.
to 11-15 345
understand the information and its meaning.
  Complete the Part III Review on pages 353 to 354 of the ICND2 textbook.
  Using the information in Topic 5 of this learning guide, continue working on

your submission for Part A of the project.

Chapter 11

What process can you follow

to determine if there are
routing protocol problems?
What commands can you use

to find information about
running routing protocols and
included networks?

Identify the kind of problems

that can occur with EIGRP and
their solutions.

that can occur with OSPF and
their solutions.


that can occur with EIGRP
neighbour relationships and
their solutions.

that can occur with OSPF
neighbour relationships and
their solutions.

Day: Project Part A
Topic: Project
Study Process:
Done Step
  Using the information in Topic 5 of this learning guide, complete and submit
Part A of the project.

Topic: Point-to-Point WANs and Frame Relay Concepts
Study Process:
Done Step
software.
ICND1: Supplemental Labs
 Configuring PPP-PAP-CHAP.
ICND2: Supplemental Labs

 PPP with CHAP Authentication.
 PPP and CHAP.
Example Page Notes
373 Figure 12-11 and use the information on page 371 to
create the setup and use the show commands to
view the output.
12-5 need to setup the devices and links as shown in
Figure 12-11 first, and then follow the instructions to
configure the devices to use PPP instead of HDLC
because this setup is used in Examples 12-4 to 12-5.


to need to setup the devices and links as shown in
382 Figure 12-17 first.
ICND2 12-7 to 382 Do not attempt these examples. Just study and
12-9 to understand the information and its meaning.
384

http://tinyurl.com/p9dflpe
http://tinyurl.com/p3yue98
terms.

http://tinyurl.com/mj585fg

Chapter 12

Explain what hardware

components are involved in a
leased line.

Explain how HDLC operates at

Layer 2 of a leased line.
What are the steps involved in

configuring HDLC for a serial
line?

Briefly discuss how PPP

framing, control protocols,
and authentication work.
What are the general steps to

troubleshoot serial links?

Identify and explain the

problem(s) that can occur at
Layer 1 of a serial link.




explanation):
Term Explanation
Leased line
T1
CPE
CSU/DSU
DTE/DCE
HDLC
PPP
LCP
NCP
PAP
CHAP
Line status
Keepalive

Chapter 13

How does Frame Relay

operate and what
components are involved?
What is a virtual circuit and

how does it work?

Explain the LMI protocol and

how it encapsulates an IP
packet?
What is a DLCI used for

explain why it is locally
significant?

What are the three different IP

addressing configurations that
can be used in Frame Relay
networks?

explanation):
Term Explanation
Frame Relay
LMI
NBMA
PVC
SVC
DLCI
CIR
Full-mesh network
Partial-mesh
network

Topic: Implementing Frame Relay and Other Types of WANs
Study Process:
Done Step
Appendix D on the DVD. Ensure you understand the main commands on page
443.
software.
ICND1:
 Frame Replay Hub-and-Spoke.
 Frame Relay I.
ICND2:
 Frame Relay 2.
 Frame Relay Full Mesh.
 Troubleshooting Frame Relay.
Example Page Notes
ICND2 14-1 to 414 to These examples can be successfully completed. You
14-1 first. You can use the configurations shown in
Examples 14-1 to 14-3 for this. Then you can follow
the examples.
the examples.

ICND2 14-13 426 to These examples can be successfully completed. You

to 14-19 433 need to setup the devices and links as shown in Figure
the examples.
ICND2 14-20 435 to Do not attempt these examples. Just study and
to 14-23 441 understand the commands and output and their
meaning.

http://tinyurl.com/kefazcy
DVD.

Chapter 14

What are the items that must

be planned before
implementing a Frame Relay
network?
What LMI and encapsulation

settings can be configured?
Who determines these?

What is the frame-relay map

command used for?
Why is Frame Relay mapping

required on a NBMA network?

Explain how inverse ARP

works.
For what reason are some

Frame Relay networks
configured on subinterfaces?

What is the difference

between point-to-point and
multipoint subinterfaces?
What types of Frame Relay

networks require a different
OSPF network type?
What problems can occur at

Layer 1 of a Frame Relay link?
What problems can occur at

Layer 2 of a Frame Relay link?

How do you find out the DLCI

for a PVC?
What different
problems/statuses can PVCs
have?


mapping, encapsulation, and
IP addresses?

explanation):
Term Explanation
Inverse ARP
Multipoint
subinterfaces

Chapter 15

Describe the features of an

Ethernet WAN connection.
What is a MPLS VPN and what

benefits does it provide?

What features do ISDN

connections provide?
Describe how DSL works.

Describe how cable Internet

works.
What types of mobile Internet

technologies are there?

What is PPPoE and what is

involved in its configuration?

explanation):
Term Explanation
MPLS
VSAT
ISDN
BRI
PRI
DSL
ADSL
DSLAM
CO
CATV
3G/4G
LTE
PPPoE

Day: ICND2 Part IV Review and ICND1 Chapter 25 – Cisco Press Textbook
Topic: Part IV Review and Fundamentals of IPv6
Study Process:
Done Step
  Complete the ICND2 Part IV Review on pages 465 to 466.
  Fill in the notes on pages 1-263 of this learning guide.
DVD. Ensure that you attempt the practice problems in the chapter. Also
practise the problems in Appendix K on the DVD.

http://tinyurl.com/oarf6y7

Chapter 25

Describe the format of IPv6

addresses.
How does a router route IPv6

addressed packets?

What routing protocols

support IPv6?
What methods can you use to

shorten an IPv6 address?

What method can you use to

expand a shortened IPv6
address?
What does the prefix

designate, and how can you
use it to find the subnet ID?

explanation):
Term Explanation
IPv6
Prefix length
IPv6 prefix

Topic: IPv6 Addressing and Implementation on Routers
Study Process:
Done Step
DVD.
DVD. Ensure that you attempt the practice problems in the chapter.
  Also practise the problems in Appendix L on the DVD. Ensure you understand
the main commands on page 752 of the ICND1 textbook.
software.
ICND1:
 Configuring IPv6.
 Implementing IPv6.

Example Page Notes
742 Figure 27-3 first. You can use the configurations
shown in Examples 27-1 to 27-2 for this. Then you
can follow the examples.
understand the commands and output and their
meaning.
ICND1 27-7 to 745 These examples can be successfully completed. Use
27-8 to the setup you configured for Examples 27-1 to 27-5.
748 Then you can follow the examples.

Chapter 26

What are IPv6 global unicast

and unique local addresses
used for?
Explain how the IPv6 global

routing prefix is used to assign
a unique range of global IPv6
addresses.

What range of IPv6 addresses

are reserved for special
purposes?
Explain the structure of an

IPv6 global unicast address
and how it can be subnetted?

How do you identify each

subnet in an IPv6 global
unicast address?
How do you select an IPv6

unique local prefix address?

How do you assign IPv6

addresses to hosts?
Why is it important to select a

random IPv6 unique local
prefix address?

explanation):
Term Explanation
Global unicast
address
Unique local
address
Global routing
prefix
IPv6 subnet ID
40-bit global ID

Chapter 27

What two methods can be

used to configure a static
unicast IPv6 address on an
interface?
Explain how EUI-64 creates a

unique host ID for an
interface.

What two methods can be

used to configure a dynamic
unicast IPv6 address on an
interface?
What is a link-local IPv6

address and what is it used
for?

By default, how is a link-local

IPv6 address created?
What are IPv6 link-local

multicast addresses used for?

explanation):
Term Explanation
EUI-64
MAC address
Link-local address
Multicast address
Solicited-node
multicast address
Link-local scope

Topic: IPv6 Implementation on Hosts and IPv6 Routing
Study Process:
Done Step
  Fill in the notes on pages 1-284 to 1-288 of this learning guide.
Example Page Notes
28-8 first. You can use the commands learnt in
Chapter 27 for this. Then you can follow the example.
meaning.
28-12 first. You can use the commands learnt in
Chapter 27 for this. Then you can follow the
examples.
775 28-13 first. You can use the commands learnt in
Chapter 27 for this. Then you can follow the
examples.
meaning.

Appendix M on the DVD. Ensure you understand the main commands on
pages 805 to 806.
software.
ICND1:
 Configuring Static and OSPFv3 Routing.
 Configuring Single-Area OSPFv3.
Example Page Notes
need to setup the devices and links as shown in
Figure 28-8 first. You can use the commands learnt
in Chapter 27 for this. Then you can follow the
example.
meaning.
ICND1 28-3 to 771 to These examples can be successfully completed.
28-5 773 You need to setup the devices and links as shown
in Figure 28-12 first. You can use the commands
learnt in Chapter 27 for this. Then you can follow
the examples.
in Figure 28-13 first. You can use the commands
learnt in Chapter 27 for this. Then you can follow
the examples.
meaning.
in Figure 29-1 first. You can use the configurations
shown in Example 29-1 for this. Then you can
follow the examples.
in Figure 29-2 first. Then you can follow the
examples.


examples.
ICND1 29-12 791 These examples can be successfully completed.
to 29-13 You need to setup the devices and links as shown
examples.
ICND1 29-14 796 to These examples can be successfully completed.
to 29-21 804 You need to setup the devices and links as shown
examples.
Chapter 28

What is NDP used for?
How is NDP used to discover

the addresses of routers?

How is NDP used by hosts to

learn the prefix for the local
link?
How is NDP used to discover

the MAC address of IPv6
hosts?

How is NDP used to discover if

an address is already being
used (duplicated)?
How does stateful DHCPv6

provide IPv6 addressing to
hosts?

Explain how a DHCPv6 relay

agent forwards DHCP requests
for hosts.
How does a host using SLAAC

create its own IPv6 address?


stateless DHCPv6 server
provide?
What commands can be used

to verify the IPv6 connectivity
of other routers?

explanation):
Term Explanation
NDP
SLAAC
DAD
RS message
RA message
NS message
NA message
Stateful DHCPv6
Stateless DHCPv6
DHCPv6 relay agent

Chapter 29

How do routers add IPv6

routes to their routing tables?
How are IPv6 static routes

configured on a router?
Discuss both interface and
next-hop addresses.

How do you configure an IPv6

default route for a router?
How is the OSPFv3 RID

selected?


configure single area OSPFv3
routing?
What values used for OSPFv3

by neighbouring routers must
match?
What is a OSPFv3 passive

interface used for?

Day: ICND1 Part VII Review and ICND2 Chapter 16 – Cisco Press Textbook
Topic: Part VII Review and Troubleshooting IPv6 Routing
Study Process:
Done Step
  Complete the ICND1 Part VII Review on pages 809 to 810.
  Study ICND2 textbook pages 471 to 493. You can skip ahead to page 483 as
you have already covered this knowledge in an earlier chapter. If you wish to
review this knowledge then browse over pages 472 to 483.
  Make notes on pages 483 to 493 of the chapter by filling in the notes on
pages 1-296 to 1-298 of this learning guide.
  Carry out the Exam Preparation Tasks on pages 494 to 495 of the ICND2
textbook. Learn the Key Topics. Complete the Memory Tables for the chapter
– see Appendix D on the DVD. Ensure you understand the main commands on
pages 495 to 496.
software.
ICND2:
 Configuring IPv6 Routing.
Example Page Notes
16-3 to understand the commands and output and their
480 meaning.
483 16-11 first. Then you can follow the examples.
meaning.

Chapter 16

What IPv6 problems can affect

hosts and what are their
causes?

routers that affect a host’s
communications?

What problems can affect the

use of DNS in an IPv6
network?
What problems can affect

DHCPv6 for hosts?

What problems can affect IPv6

routing?
How can an ACL affect IPv6

traffic?

Topic: Implementation of OSPF and EIGRP for IPv6
Study Process:
Done Step
DVD. Ensure you understand the main commands on pages 526 to 527.
Example Page Notes
506 17-1 first. Then you can follow the examples.
ICND2 17-5 to 511 to These examples can be successfully completed. Use
17-7 513 the setup you configured for Examples 17-1 to 17-4.
Then you can follow the examples.
517 meaning.
ICND2 17-11 518 These examples can be successfully completed. Use
the setup you configured for Examples 17-1 to 17-7.
Then you can follow the example.
meaning.
ICND2 17-13 521 These examples can be successfully completed. Use
to 17-15 to the setup you configured for Examples 17-1 to 17-4.
523 Configure the cost as shown in Figure 17-7. Then you
can follow the examples.

Appendix M on the DVD. Ensure you understand the main commands on
pages 548 to 549.
software.
ICND2:
 Configuring Multi-Area OSPFv3.
 Troubleshooting OSPFv3.
 EIGRPv6 Configuration.
 EIGRPv6 Troubleshooting.
Example Page Notes
538 18-2 first. Then you can follow the examples. You
need to configure IPv4 routing on all four routers in
the same way as for IPv6 shown in the examples. To
do this see Figure 10-3 and Example 10-8 (page 303)
for IPv4 configuration information for EIGRP.
541 meaning.
ICND2 18-8 to 542 These examples can be successfully completed. Use
18-10 to the setup you configured for Examples 18-1 to 18-5.
545 Then you can follow the examples.

Chapter 17

What different configurations

are required if you implement
multi-area OSPFv3 routing?
What methods can you use to

change the cost of an
interface used in OSPFv3?

What are the main features of

OSPFv3?

the settings on OSPFv3
interfaces?

What problems can affect

OSPFv3 neighbour
relationships?
What are the three types of

LSAs used for OSPFv3?

Describe the mis-

configuration problem that
can affect two routers from
becoming OSPFv3
neighbours.

IPv6 routing when OSPFv3 is
being used?

explanation):
Term Explanation
Interarea prefix LSA
MTU

Chapter 18

What are the main

features/concepts of EIGRPv6?
What two problems can occur

when configuring EIGRPv6
interfaces?

What requirements can cause

problems with EIGRPv6
neighbor relationships if not
set correctly?
What information about

EIGRPv6 can be learnt from
the show ipv6 eigrp
topology command?

What are the troubleshooting

steps you can follow if you
experience problems with
missing routes and suboptimal
routes?

Day: ICND2 Part V Review and Chapter 19 – Cisco Press Textbook
Topic: Part V Review and Managing Network Devices
Study Process:
Done Step
  Complete the ICND2 Part V Review on pages 551 to 552.
DVD.
software.
ICND2:
 NetFlow.
Example Page Notes
meaning.
meaning.
meaning.
meaning.
meaning.

ICND2 19-6 to 573 These examples can be successfully completed.

19-8 to Configure the setup as shown in Figure 19-7 and
574 Example 19-6. Then you can follow the examples.
  Using the information in Topic 5 of this learning guide, begin working on your
submission for Part B of the project.
Chapter 19

What does SNMP do and what

is it used for?
What is a community string

used for?

What are the features of

SNMPv3?
What is Syslog used for?

What are system message

severity levels used for, and
what different levels are
there?
What is required to send and

view Syslog messages?

What does NetFlow do what

packet fields does it record?
What is required to send and

view Netflow data?

explanation):
Term Explanation
SNMP
SNMP agent
MIB
NMS
Traps
Community string
SNMPv3
Syslog
NetFlow
NetFlow collector

Topic: Managing IOS Files and Licensing
Study Process:
Done Step
terms. Ensure you understand the main commands on pages 601 to 602.
Example Page Notes
20-3 to Setup a router and a TFTP server in the Boson
591 NetSim software first. Then copy the router’s IOS to
the TFTP server using the “copy flash tftp”
command. Then you can follow the examples.
meaning.
meaning.

Example Page Notes
21-3 to
615
619 meaning.
  Using the information in Topic 5 of this learning guide, continue working on

your submission for Part B of the project.

Chapter 20

What different types of

memory do routers have and
what is stored in each?
How do you upgrade a

router’s IOS?

What sequence does a router

follow when it boots?
What can the configuration

register be used for?

How does a router choose

which OS to load?
How can you carry out

password recovery on a Cisco
router?

How do you copy

configuration files and where
can you store them?
What is setup mode?

explanation):
Term Explanation
IOS image
NVRAM
ROMMON
ROM
Configuration
register (boot field)
Configuration file
TFTP server
Setup mode

Chapter 21

Explain how Cisco builds

universal IOS images for
devices.
Explain how the IOS is licensed

and the different licences
available.

How can the CLM be used to

activate IOS on devices?
What steps do you follow to

manually activate an IOS
licence?

explanation):
Term Explanation
Universal image
CLM
UDI
PAK
Further Resources:
Essential:
 Install the software from each textbook’s DVD and practise the practice exams.
 Install the Network Simulator Lite Edition software from the DVD and complete the 26 lab
exercises. There are 26 labs that can be installed from the textbooks’ DVDs (13 labs on the
ICND1 DVD, and 13 labs on the ICND2 DVD).
 Watch all the videos on the ICND1 and ICND2 textbooks’ DVDs. The Study Planners (ICND1
Appendix P and ICND2 Appendix G) outline which videos to watch for each chapter of the
textbooks.
 Ensure that you have studied Appendices D to L on the ICND1 textbook’s DVD.
 Complete the CCNA questions at www.measureup.com. Request a key from an Instructor.
 Practise the exercises in the CCN Workshop Guide.
Optional:
 Try out these questions:
http://tinyurl.com/planlh5
 View and use the free videos and resources here:
http://tinyurl.com/oz2dj95
 Watch some of the videos on CCNA here (you will need to watch these at home):
http://www.youtube.com/user/ccie12933/videos
 If you need additional study material you can read this free guide:
http://www.freeccnastudyguide.com/study-guides/ccna/
 To prepare for troubleshooting questions, here is some good advice:

http://www.ccnaskills.com/tshoot01_01/
http://www.ccnaskills.com/tshoot01_02/

Days 33 to 35 – Student Information
Day: Project Part B and Workshop
Topic: Project and Workshop
Study Process:
Done Step
  Using the information in Topic 5 of this learning guide, complete and submit
Part B of the project.
  Attend the CCN workshop.

TOPIC 3: VMWARE IMAGE
You will be provided with one VMware image to use during your unit. A VMware image is a
virtual machine which can run a different operating system. Having multiple virtual machines can
enable you to run multiple operating systems on a single machine. A summary of the image and
its use is shown in Table 1-1.
Image Description Content

win7ccn.default.a07a Windows 7 with Boson NetSim Standard Windows 7 workstation
software with Office 2010 and Boson
NetSim software installed.
TABLE 1-1
IMPORTANT: You can use the Windows 7 image to check your emails or use
the Student Portal.
One advantage of VMware is that your image may be saved so that you can continue your work
from where you left off by asking an instructor set it to ‘keep’. If you wish to repeat an exercise
where it is not easy to wind back the activity an instructor can refresh your image to enable you
to start again.
If an image does not save, then you will lose any work that you have stored in the default
ccn_work folder. Hence it is recommended that you create a folder on your H:\ drive, and then
make a copy of the ccn_work folder and store it in this folder. Then you can work with any files in
this folder and you will not lose any changes that you make to the Boson NetSim .bsn files.
When you log onto your student workstation, the Windows 7 image will automatically load.
Windows will reboot automatically twice, and then you will be able to logon using your student
logon (click in the VMware window, and then use the Ctrl+Alt+Delete keys to open the logon
boxes).
Sometimes a network issue may occur and the Windows 7 image will not load.
You may instead be shown the Linux workstation desktop. There may be a VMware icon on your
desktop which you can open, and inside you will find a VMware shortcut icon for the Windows 7
image. You can double click this to start the Windows 7 image.
Sometimes there may be no VMware icon on the desktop and you will see some other icon. In
this case open the Home shortcut on the desktop and navigate to the KDesktop folder as shown
in Figure 1-3.

FIGURE 1-3: Linux Home Folder
Double click the VMware shortcut which opens a folder, and you will find the Windows 7 image
shortcut (labelled w7ccn.default.a07a). If the folder is empty or missing, contact an instructor.
Double clicking on the Windows 7 image shortcut will open a WMware window. VMware will
open with the image ready to start, similar to that shown in Figure 1-4 where a Windows 7 image
is ready to start.
FIGURE 1-4: VMware image
To start the image, click on the Power On button . This is like a power switch on a
normal PC.
Once you have the image open the easiest way to access the Linux desktop is to click on the
restore button at the top right of the VMware window. This is the centre button shown in Figure
1-5.
FIGURE 1-5: VMware Window Controls

If you already have the current image open in full screen mode, then these buttons will appear
on a bar at the centre top of the screen.
Due to the nature of the Computer Power Plus network and its security requirements, there may
be some activities which cannot be completed from the textbook or require alternative
instructions. See the exercise plan in the next section for a description of exercises which are not
available.
Seek advice from an instructor if you have trouble completing an exercise.
IMPORTANT: When you have completed your work it is important to shut

down the operating system in the image normally. Do not power off the image
or simply close VMware with the image running. This may leave your files locked
and require instructor intervention. Do not turn off the workstation you are
using or you may lose your work. Shut down the workstation operating system
normally using the Windows button, Shut down menu option and allow the
save process to complete.

TOPIC 4: PRACTICAL EXERCISES
Introduction
To be successful with this unit it is essential that you practise using Cisco IOS commands to
configure Cisco devices. You can do this in the following ways:
 Throughout the textbooks there are ‘Examples’ (beginning in ICND1 Chapter 7), most of
which can be completed on-campus using the Boson NetSim software. You should carry out
some of these exercises as you work through each chapter of the textbooks as outlined in the
Study Plan in Topic 2. Most of these examples can be completed using the supplied images
on the Computer Power Plus network. Information on which examples can be completed
and how you can complete them are provided in the Study Plan in Topic 2.
 The Boson NetSim software contains a number of labs which you should practise. These labs
should be practised as you complete the Study Plan in Topic 2. The labs are available in the
Boson NetSim software on the VMware image. Information on which labs can be completed
and how you can complete them are provided in the Study Plan in Topic 2.
 There are 26 labs in the Network Simulator Lite Edition software that can be installed from
the textbooks’ DVDs (13 labs on the ICND1 DVD, and 13 labs on the ICND2 DVD). It is very
important that you try these related labs.
Cisco IOS Simulation Software

Computer Power Plus uses Boson NetSim software to simulate the IOS of a real Cisco device. The
software is designed to allow you to practise many Cisco IOS commands that you would use on a
real Cisco router or switch. You can use the software to create a simulated network using Cisco
devices and then configure them to work together.
Before using the software you should read the Boson NetSim User Manual which is contained in
the documentation that comes with the software. You can access the manual via Start All
Programs Boson Software Boson NetSim 10 Boson NetSim Documentation. This
will help you learn how the software operates and how to add and connect devices, save network
setups and device configurations, and connect to the virtual devices.
To open the Boson NetSim software on the Windows 7 image the steps are:
1. In Windows 7, click Start All Programs Boson Software Boson NetSim LS Client.
2. In the box that appears, enter the details as shown in Figure 1-6 below (the User Name box
must be blank), and then click Connect.

FIGURE 1-6: Connect to Boson Server
3. Click Yes in the next box that appears. After a minute or two the Boson NetSim software
window will be loaded.
You can create a shortcut to the Boson NetSim software on the desktop, by clicking Start All
Programs Boson Software, then right clicking Boson NetSim LS Client on the menu,
selecting Send to from the right click menu, and then Desktop (create shortcut).
Once you have the software open, you can use the included labs, create a network of devices
(called a topology) to carry out the exercises in the textbooks, or load a pre-existing network of
devices using a .bsn file.
In the lower left hand pane are four tabs, three of which can be used as follows:
 Home – In the left hand pane there will be a list of saved network topologies or labs, and any
recently opened labs. In the right hand pane, there are links to create new topologies, open
the manual, or exit the application.
 Labs – You can access the included labs by clicking the Labs tab in the lower left hand pane,
and then the menu of labs will appear in the upper left hand pane. Double click on the name
of the lab and the instructions, as well as a console window for one of the devices for the lab,
will appear in the right hand pane.
 Network Designer – This tab allows you to create a new topology of devices. In the left
hand pane are device types and devices which you can add to the topology in the right hand
pane. You do this by double clicking on the device names or by clicking and holding the
device name, and then dragging it to the right hand pane. You can also add devices using
the Add new device icon from the toolbar.
Network connections between devices in the right hand pane are added by right clicking on
the device and selecting New Connection. You can also use the Add New Connection icon
from the toolbar.
You can load a saved topology from this tab, by using the File menu at the top left or the
Open icon on the toolbar.

Once you have loaded or created a network topology, you click the green coloured circle
button on the toolbar at the top of the window, to load the devices. This will open a new
right hand pane with an instructions box as well as a console window for one of the devices
for the lab (see Figure 1-7). You work on a device using the Consoles box. If you click the
NetMap tab at the top of the right hand pane, you can view the map of the network
topology.
Multiple devices can be opened using the drop down list to the left of Device: in the
Consoles box. You then switch between devices by clicking on the tabs at the bottom of the
Consoles box, which are named after the devices. You can also add a device to the Consoles
box so that you can configure it, by right clicking on the device in the NetMap tab, and
select Configure in Simulator.
You click in the black coloured simulator window and press the Enter key to configure the
selected device.
The Boson NetSim software thus allows you to save network maps and device configurations. If
you do not finish what you are working on during your study shift, you can save your setup to
your H:\ drive and reload it on your next shift and continue where you left off.
Click this to display the network

map, so that you can right click on
devices to run them in the
simulator (Consoles area)
Use this drop down to select

devices to configure in the
window.
Click these
tabs to
select
devices
FIGURE 1-7: NetSim Window
The Boson NetSim User Manual contains detailed instructions about how to use the software.
This Boson video also shows you how to use the Boson NetSim software:
http://tinyurl.com/kdgwzad

IMPORTANT: You will need to view the YouTube video listed above at home,
as you will not be able to access it from the Computer Power Plus network.
Cisco Press Textbook Examples

For many of the examples you may need to setup the devices as required for the example
(usually shown in a figure) before you can carry out the example. You should use model
2960 switches and model 2811 routers in the Boson NetSim software. Also many examples in
the same chapter are based on the same setup, so you will create the setup at the start of the
chapter and then use it as you work through the examples in the chapter.
It is highly recommended that you try out the commands mentioned in the textbooks in the
Command Reference list of each Chapter using the Boson NetSim software, so that you learn
how to use them, especially if you are following along with the explanation of the author and are
in the correct context in the IOS to carry out the command.
Most commands will work but a few commands are not supported by the software.
Do not worry about this, as the simulations in the final assessment will only expect you to actually
use commands that the Boson NetSim software supports. The electronic-based part of the final
assessment will only test if you know these other commands and what they are used for.
IMPORTANT: It should be noted that the Boson NetSim software supports

many, but not all of the IOS mentioned in the textbooks that are available on a
real router or switch. The main commands that you will need to know how to
use for the final assessment can be practised using the Boson NetSim software.
In the CCN Workshop you will also get to use real Cisco equipment to practise
commands.
Boson NetSim Software Labs

To access the labs in the Boson NetSim software click the Labs tab on the lower left hand pane,
and then the menu of labs will appear in the upper left hand pane. You should complete all the
ICND1 and ICND2 labs (the Stand-alone, Sequential, and Scenario labs) in the BOSON NetSim
software on the VMware image during your study of the textbooks (see Topic 2).

TOPIC 5: PROJECT
1320
mins The main objective of this project is to test your understanding in a practical way of many of the
concepts and skills you have learnt throughout the CCN unit and to help you prepare for the
CCN final assessment.
This project is designed to cover the following CCN objectives:
 2.3 Configure and verify initial switch configuration including remote access management.
 2.4 Verify network status and switch operation using basic utilities.
 2.6 Configure and verify VLANs.
 2.7 Configure and verify trunking on Cisco switches.
 3.3 Identify the appropriate IPv4 addressing scheme using VLSM and summarisation to
satisfy addressing requirements in a LAN/WAN environment.
 4.2 Configure and verify utilising the CLI to set basic router configuration.
 4.3 Configure and verify operation status of a device interface.
 4.4 Verify router configuration and network connectivity.
 4.5 Configure and verify routing configuration for a static or default route given specific
routing requirements.
 4.7 Configure and verify OSPF.
 4.8 Configure and verify interVLAN routing (router-on-a-stick).
 4.11 Configure and verify EIGRP (single AS).
 5.1 Configure and verify DHCP (IOS router).
 5.3 Configure and verify ACLs in a network environment.
 5.5 Configure and verify NAT for given network requirements.
 6.1 Configure and verify network device security features.
 6.2 Configure and verify switch port security.
 8.2 Configure and verify a basic WAN serial connection.
 8.3 Configure and verify a PPP connection between Cisco routers.
 8.4 Configure and verify frame relay on Cisco routers.

Skills that are important for any IT professional in the workplace include problem solving and
decision making, curiosity, and the ability to find, select, structure, and evaluate information, and
creative and critical evaluation. NZQA (New Zealand Qualifications Authority) require students
studying at Level 6 and above to be able to analyse problems, generate solutions, and apply
processes to problems. This project is designed to not only test your knowledge of CCNA
objectives, but it is also designed to help you learn soft skills, which are vital to your success in
the workplace.
The self-directed CCN Project comprises two parts, each of which must be completed and
submitted as part of this unit. Together they are worth 30% of your grade for the unit. Part A is
scheduled to be done at about your 23rd study shift. Part B is to be done at the end of your study
of the official certification guide textbooks.
The project contains two parts as follows:
 Part A Security and Operational Audit (worth 8% of your grade) – A scenario where you
must evaluate and audit an existing Cisco-based network and make recommendations for
corrective action where the network does not comply with the firm’s policy standards. Then
you carry out the actions required.
 Part B Network Implementation (worth 22% of your grade) – A scenario where you must
design a WAN/LAN network according to certain requirements and then build a prototype
of part of it.
You must complete this assessment on your own and research any extra information you feel is
needed to complete the project. You can ask an instructor to clarify the instructions, and for
advice, but they cannot assist you in completing the tasks required – you must carry out the tasks
yourself!
The project will be assessed on a scale as follows:
 Part A: 0 to 36 marks.
 Part B: 0 to 94 marks.
A pass mark of 50% or more for each part indicates competency achieved (CA) for each part of
the project.
Task Part A Part B
Maximum
Marks 36 94
To be assessed as competent, you must satisfactorily complete both parts of the project by
submitting documentation and completing practical tasks as listed on the submission sheets.

IMPORTANT: PLEASE READ THIS CAREFULLY BEFORE COMPLETING THE

PROJECT
You must submit the two parts of the project before you can attempt the final
assessment.
The Project has two parts, Part A and Part B, both of which must be completed.
Each part of the project is assessed on a Pass / Resubmit basis and can be
resubmitted until you achieve 50% or more. If you are asked to resubmit / redo
either of the two parts of the project you will only be awarded a maximum of
50% of the marks for that part, even if you achieve more than that on the
second or subsequent resubmissions of that part.
To be awarded more than 50% of the marks for a part you must earn those
marks on your first attempt. Therefore, you should ensure your first submission
/ assessment of either part of the project is your only one in order to achieve a
good result. This will require you to spend the time to ensure you submit a
quality project for each part.
Part A:
You should attempt all of the practical tasks that comprise Part A and submit
the required documentation. At least 18 marks must be earned to pass the part.
Part B:
You should attempt all of the practical tasks that comprise Part B and submit
the required documentation. At least 47 marks must be earned to pass the part.
The instructor will enter a mark into Artena when you have satisfactorily
demonstrated competence in each part of the project, which will award you up
to 30% toward your final grade depending on the marks you earn from each
part of the project.
The assessment incorporates a variety of methods including technical requirements

documentation, written answers, practical problem solving activities and practical testing.
Students are advised that they may be asked to personally demonstrate their project work to an
instructor to ensure that the relevant competency standards are being met.
You may be required to undertake study, research and assessment practice outside of regular
shift times in order to complete the assessment. Students are reminded that they are expected to
spend at least an extra 50% more time researching and furthering their understanding of the
concepts being taught studying at home, as they do on-campus, to become competent in this
unit.
A breakdown of the marks available for each step is listed on the project submission sheet
for each part.

Project Instructions
While there is a lot of information in the the scenario below, not all of it is relevant to you. As is
the case in a real-world situation, you may be supplied with a lot of information as part of a job
but not all of it will be required. It is up to you to read through the information and pick out what
information you need to do your job. This is an important real-life skill that you need to learn.
Hence you should read through all the information, and as you do so, write down the
information that is relevant to what you are asked to do in the project tasks. Then once you have
finished going through all the information, you will be able to re-organise the information you
have written down, and this will help you carry out this project.
You will need:
 Windows 7 CCN image.
 CCN unit textbooks.
Note: Before you start the student PC and logon to the network, ask an
instructor to ensure that your CCN image is set to ‘Keep’. This is required to
ensure that any changes you make on the images are retained while you
complete each part of the project.
It is recommended that you create a folder on your H:\ drive, and then make a
copy of the ccn_work folder and store it in this folder. Then you can work with
any files in this folder and you will not lose any changes you make to Boson files.
You will need to complete the following tasks:

Part A: Security and Operational Audit
Acme Accountants is a medium-sized accounting firm with two sites within a large city.
In view of the possible expansion of the firm to a new third location, a new full-time Network
Administrator has been employed. Up to now, a number of outside contractors have been used
to administer the firm’s network, with the result that there is a wide variety of systems and
documentation.
The new Network Administrator is attempting to gain an understanding of the current state of
the network and to plan for the new third site. In view of this, two contractors have been hired to
evaluate the current systems.
You have been contracted to evaluate the firm’s current Cisco-based network system. Since the
firm uses Cisco equipment and the setup is not complicated, a specialist with your level of Cisco
skills is required to evaluate these systems. The administrator has supplied you with a copy of the
firm’s network policy that he wishes the firm’s network to comply with (see Appendix A). He also
wishes the firm’s network to comply with some requirements from the CIS (Center for Internet
Security) Level 1 Cisco security benchmark where applicable to the current network environment
(see Appendix B).
Your job is:
 to develop a simple audit plan based on these requirements (note: some requirements in the
CIS Level 1 benchmark are not applicable to Acme Accountants since the firm does not
operate some features listed in the benchmarks)
 to carry out an audit of some of the devices on the Cisco network
 to make any necessary changes you find are required to comply with the requirements
 to report the result of your audit and the changes required.
The main focus will be on security but the administrator also wishes the operational design and
setup of the Cisco network to be checked.
In addition, it appears that some parts of the network are not operational (the backup Internet
connection to the ISP device should remain non-operational – ISP2 is the current Internet
connection). Also some devices have routing and switching protocols running that are
unnecessary, so they must be disabled. You are also required to identify and fix any problems
with the network.
The Boson NetSim software topology and multiple device configurations file (.bsn file) for this
task is located in the CCNA_work folder on your H:\ drive. It is labelled as ccnprojectpartafinal.
The password for devices is AcmeAcc.

The requirements of this task are as follows:
1. In line with the CIS Level 1 benchmark and the firm’s security policy, identify and document
in a table the configurations you will be auditing on each device. Only the following 10
items from the CIS Level 1 benchmark document are applicable: 1.1.2.1, 1.1.2.4, 1.1.2.6, 1.1.3.3,
1.1.4.1, 1.1.4.2, 1.1.4.4, 1.2.2.1, 1.2.2.5 and 1.2.4.1.
The table headings you can use are (an example is shown):
CIS 2.2
Questions Findings Benchmark Standard/Best Practice
Is the Cisco Discovery CDP should be disabled on the

Yes / No 1.2.2.1
Protocol disabled on router if it is not used by any
the router? application.
(5 marks)
2. As part of a team of two, you are required to carry out an audit of some of the devices on the
Cisco network to ensure that the requirements identified in Step 1 are being applied. The
other administrator will audit the rest of the devices.
Lists of the devices that need to be audited are shown below:
List
Version Devices to Audit Who
V1 Day of Birth between 1 to 15 of

2621corp, 2621base, router1, switch3
the month
V2 2621corp, acmer2, router1, acmes2, Day of Birth between 16 to 31

acmes1 of the month
If the date of your birth is between the 1st and the 15th of the month, you need to check the
V1 list of devices.
If the date of your birth is between the 16th and the 31st of the month, you need to check the
V2 list of devices.
Record on page 2 of the Part A Submission Sheet which list you are auditing for your
project.
Create a table which lists the relevant devices and settings that you need to check, based on
the table you created in Step 1. Then carry out the audit by loading the .bsn file and check
the devices within the Boson NetSim software.
Note in a table what changes are required in a column called Correction(s) required, and
carry out the changes. Name the device using the name shown within the Boson NetSim
software netmap.

The table headings you can use are (an example is shown):
Device Item Setting Correction(s) required
xxxxcorp 1 CDP is on No cdp run
(22 marks)
3. Fix any network communication problems using the appropriate commands.
(6 marks)
4. Document any other operational recommendations you notice that are needed on the
network.
(3 marks)
5. Save your configuration changes within the Boson NetSim software and include the .bsn file
in a .zip file as part of your project submission (name the file studentIDCCNPartA.zip where
studentID is your student ID number).
(Part A Total 36 marks)
Once you have completed all the required documentation and have created / configured the
required Boson NetSim software files from Part A submit the required files and documentation
along with your submission sheets as follows:
 Add the completed documents and files for Part A of the project to a .zip file named
studentIDCCNPartA.zip (where studentID is your studentID number) and email it to the
appropriate marking email address shown below as part of your project submission.
Auckland Campus: marking-auck@mail.computerpower.ac.nz
Wellington Campus: marking-wgtn@mail.computerpower.ac.nz
Christchurch Campus: marking-chch@mail.computerpower.ac.nz
 Fill out the front of your Project Submission Sheet (complete all parts on the submission
sheet otherwise the project will not be marked), place it in your Submission Envelope, and
hand it over to an instructor.

CCN PROJECT PART A SUBMISSION SHEET

Include this page with the submission of your project documents
Student ID Shift Date
Marker Date Marks
/ 36
Check that you have done the following:
 Submit all the completed project files and documentation by emailing a .zip file of these
files to the email address marking-xxxx@mail.computerpower.ac.nz where xxxx is the
location of your Computer Power Plus Campus (e.g. wgtn for wellington, chch for
christchurch, or auck for auckland).
 Submit this sheet and any required printed documents in your submission envelope to an
instructor. Submissions not meeting these conditions will be returned to you for attention.
 Signed the declaration below.

DECLARATION:
The work presented in this project is to the best of my knowledge original, except as
acknowledged in the text, and the material has not been submitted, either in whole or in part, for
any academic award at this or any other tertiary institution. I promise not to share this project in
part or whole with any other student at CPP or outside this campus.
Signed: ………………………………………..………………………………. Date: …………………………………………
This project part contributes 8% to the final grade for this unit.
What Constitutes a Pass mark?

You must fulfil the requirements of the deliverables as outlined over the page.
All of your submission must be your own work – it is not acceptable to use the work of other
students in your submission!
If you do not earn 50% or more of the marks for this part, then the project will be judged as
unsatisfactory and will be returned to you for correction and re-submission. If you are asked to
resubmit this part of the project you will only be able to achieve a maximum mark of 50% for this
part. Therefore it is in your best interests to produce a quality project submission on your first
attempt for each part.
The determination on whether you have satisfied the criteria of each section is at the discretion
of the instructor marking your project.
Please detach this cover page and hand it in with any other documents.

Specification Marks Marks

Available Awarded
Part A 1. Well-formatted list of items 5
Please tick: V1 □ V2 □
2a. Appropriate security items on the checklist
2621Corp 1.5
2621base 1
AcmeR2 1
Router1 4
Switch3 4.5
AcmeS2 1.5
AcmeS1 3
2b. Security changes carried out
2621Corp 1.5
2621base 1
AcmeR2 1
Router1 4
Switch3 4.5
AcmeS2 1.5
AcmeS1 3
3. Network problems fixed 6
4. Appropriate list of operational recommendations 3
Total Marks Earned
36
% of Total Marks Min 50% %
50% or more Competent otherwise Not Yet Competent (circle) If

below 50% ask to Resubmit (circle) Resubmit C / NYC
Key for Results: C = Competent NYC = Not Yet Competent

Part B: Network Implementation
Buzz Manufacturing/Wholesaling is a large multinational company that is expanding into New

Zealand and Australia. To support their new operations in the region they require a new network
to be implemented.
They have contracted you to plan the IP addressing and services for their new network.
You are thus required to design the full network for their new operation (in Steps 1 to 4)
and build a prototype of part of the network (in Steps 5 and 6).
The following is some information about the company’s planned IT infrastructure:
 The company will have new locations in three Australian cities. The locations will be
connected using leased-line serial links. Frame Relay will be used to connect to the Auckland
office.
 All locations use OSPF.
 At the Sydney site the company wants to create VLANs to control broadcasts and logically
group users in the Admin team and the Sales team. The company also wants to use private
addresses and DHCP throughout the WAN.
 NAT must be implemented for Internet connectivity. Internet access will be provided for New
Zealand via the Auckland office and for Australia via the Sydney office.
 The main New Zealand office in Auckland will have an Admin Team who will have their own
area in the office. The Auckland office also has a Development Team and a Sales Team which
will each have employees all over the building so will require the use of VLANs.
 The company will also have a Sales office located in Wellington which will be connected to
the Auckland office via a serial link.
 The Brisbane office will contain the main link to the Head Office in the US.
 All locations use IPv4 addressing.
Some other facts about the company’s plans include:
 15 employees will be in the Development team in Auckland.
 9 employees will be in the Sales team in Auckland.
 4 employees will be in the Admin team in Auckland.
 There will be 2 servers on the Admin subnet based in Auckland.
 5 employees will be in the Wellington sales office.

 There will be 5 servers on the Admin subnet based in Sydney.
 There will be 50 staff in the Sydney office (22 employees in the Admin team and 28
employees in the Sales team) and 25 staff in both the Melbourne and Brisbane offices.
 Each employee will have a company computer or laptop (host).
Hint: As shown in Figure 1-8, use PC’s to present the ISP’s in Auckland and
Sydney.
Figure 1-8 shows the logical diagram of the required network for Buzz
Manufacturing/Wholesaling.
FIGURE 1-8: Buzz Manufacturing/Wholesaling Logical Diagram
The specific IP addressing requirements that the company has stipulated include:
 Expect 100% growth of current IP requirements for number of hosts when determining the
size of subnets. Internet and serial connection subnets will not grow, so these subnets do not
require doubling.
 All networking devices must have IP addresses.
 Server, router, and switch addresses are assigned statically.
 A DHCP server on a router at each location assigns PC workstation addresses. Assign an

appropriately sized DHCP subnet for each LAN.

 Use subnet 200.100.100.0 /24 for the Sydney site connection to the Internet and 200.100.50.0
/24 for the Auckland site Internet connection.
 Subnet the 172.16.0.0 network for internal addressing with IP subnet zero enabled.
 The company expects you to use a VLSM design to maximise the use of IP addresses. Follow
best practice in your VLSM design to avoid IP address overlaps.
 Include a management IP address for each switch.
 Apply /30 subnets on all serial interfaces.
 Put the DCE for each of the three serial connections on the Wellington, Melbourne, and
Brisbane routers.
The requirements of this part of the project that you need to complete are as follows:
1. IP Network Plan (Serial Links, Subnets, Addresses)
Based on the information given in the scenario about the company’s requirements for the new
network, plan the IP addressing scheme that you will use for the network.
To achieve this you are required to produce a table that includes the following information (an
example is shown):
Gateway -
Number of 100%
Network ID Available Excluded IP
Subnet Employees growth Max
with slash IP address
Name /Devices Increase Hosts
notation addresses from DHCP
Required of Hosts
scope
Wellington 172.16.1.129
5 + Switch 5 14 172.16.1.128/28 129-142
Office to
172.16.1.130
You should include all subnets including internet connection and serial connection subnets in
this table.
Once you have produced your IP network Plan table, request an instructor to check and
signoff your plan. The instructor may provide you with advice if your plan requires modification
before it can be signed off.
You must have your plan signed off on the Project Part B Submission Sheet before you carry out
the remaining steps to ensure that your network design will met the requirements for the
project.
(6 marks)

2. IP Equipment Plan
Based on your plan from Step 1 assign appropriate addresses to routers and switches in each
subnet.
For each location, including the Internet, create an additional set of tables which shows the
details for each router and switch at each location (you will need 14 tables). Some fields in the
router tables and switch tables will be filled in during a later step, such as VLAN number.
The following are the details required for each router:
 Location, Router Name, Interface or Sub Interface Type/Number, Description, DCE or DTE,
Speed or Clock Rate, Network Number, Interface/Sub IP Address, and Subnet Mask.
The table headings you can use are:
Router Name: xxxx (Location name)
Interface or Description DCE or Speed Network Interface/sub Subnet

Sub Interface DTE or Number interface IP Mask
Type/Number Clock Address
Rate
The following are the details required for each switch:
 Location, Switch Name, Switch IP address, Interface or Sub Interface Type/Port Number,
Description, Network Number, Subnet Mask, VLAN, Switchport Type, and Encapsulation (if
needed).
The table headings you can use are:
Switch Name: xxxx (Location name)
Switch IP address: x.x.x.x
Interface or Description Network Subnet VLAN Switchport Encapsulation

Sub Number Mask Type (if needed)
Interface
Type/Port
Number
Also assign and list PC/workstation and server addresses for each PC in each subnet in each
location in Figure 1-8.
The workstation addresses will be dynamic so you do not need to include specific addresses
for these, except for servers and PCs representing ISPs. Only one PC/workstation is required
in each LAN or VLAN. You do not need to add a PC/workstation for every server or PC in your
design.
The ISP’s connections are to use a PC/workstation as well.
Write this information in a separate table with the following headings:

Subnet Name PC or Server IP Address Subnet Gateway

Name Mask
(25.5 marks)
3. NAT
Two routers, one in Sydney and one in Auckland, will perform NAT on the Internet connections.
Information to configure the routers and devices is as follows:
 Define the NAT pool. The pool consists of only one address.
 Define an access control list, which will permit traffic from all internal (172.16.0.0 /16)
addresses using the Internet connections, and deny all other traffic.
 Establish dynamic source translation, specifying the NAT pool and the ACL defined in the
previous steps.
 Specify the inside and the outside NAT interfaces.
 Prevent external traffic from entering the internal network using private IP addresses.
 Connect a workstation to the external Internet ports to simulate an ISP server. Configure
these workstations with an appropriate IP address, subnet mask, and default gateway.
Plan the NAT configuration and the ISP server configuration. Document your settings.
The table format you can use for each router is:
Item Configured Values
Name of NAT pool
ACL number
ISP server IP address
ISP server subnet mask
ISP server default Gateway
(4 marks)
The practical implementation of NAT and ACLs is marked and carried out in Step 5.

4. Switching (VLANs)
You need to design the VLANs for the Sydney and Auckland sites. The company has provided the
following information:
 Sydney requires three VLANs (not shown in Figure 1-8): The default management VLAN and
two additional VLANs. Name the two new VLANs Admin and Sales.
 Auckland requires three VLANs (not shown in Figure 1-8): The default management VLAN
and two additional VLANs. Name the two new VLANs Development and Sales.
 The servers located in Sydney will be in the Admin VLAN.
 Switch S3 in the building in Auckland is connected in a loop to S1 (not shown in Figure 1-8 so
you need to set this up) so that if switch S2 fails, an alternative path is used.
 Unassigned ports are to remain in the default VLAN.
 PC ports can be placed into PortFast mode.
You also need to design the configuration for the switches used in the Auckland Admin,
Wellington, Brisbane, and Melbourne subnets. These switches do not require any VLANs other
than the native VLAN.
Create a table to document the switch configuration at each site. The table headings you can use
are:
Switch IP Gateway Management STP

Name Address VLAN Root
(3 marks)
The Sydney switch is to meet the following requirements:
 Contains two VLANs.
 Ports 2-4 to VLAN1, ports 5-7 to Admin, and ports 8-10 to Sales.
 Interface FA0/1 of the Sydney router to be connected to port 1 and configure for trunking.
 Two workstations connected to the switch – one to a VLAN2 port, and the other to a VLAN3
port.
The Auckland switches are to meet the following requirements:
 Two VLANs on each switch.
 Trunking configured between the switches.
 Ports 4-6 to VLAN1, ports 7-9 to Development, and ports 10-12 to Sales on each switch.

 Interface FA0/1 of the Auckland router to be connected to port 1 on one of the switches and
configure for trunking.
 Switch S3 to be connected to switch S1.
 Two workstations connected to the switch – one to a VLAN2 port, and the other to a VLAN3
port.
The Auckland Admin, Wellington, Brisbane, and Melbourne switches should be connected to
their respective routers using port FA0/1. These switches do not require any VLANs other than
the native VLAN. Ports 2-16 are to be used for hosts in the subnet.
Update the switch tables from Step 2 to include the VLAN and port information for each
workstation, the inter-connect between the switches, and the inter-connect to the router.
(8 marks)
5. Configure Equipment
To demonstrate your network design, you are required to use the Boson NetSim software to
build a prototype of part of the proposed network. You must design the network topology and
configure the devices for the New Zealand part of the network only. You must include the
Sydney router, but only for the purposes of configuring the frame relay connection to New
Zealand.
You should use model 2960 switches and model 2811 routers in the Boson NetSim software
(you will need to use a 3620 router for the Auckland internal router).
Your network setup in the Boson NetSim software should therefore look like this:

FIGURE 1-9: Boson Network Layout
Ensure that you carry out the following for the New Zealand network:
 Configure each router and switch with an appropriate hostname and enable password (use
‘cisco’). You do not need to configure any other security options.
 Also configure the appropriate subinterfaces for VLAN routing.
 One router will perform DHCP for each site. Configure these routers as follows:
o Using appropriate DHCP pool(s) to cover the subnets range as documented in Step 1.
Configure the DHCP pool(s) on the routers. Setting a DNS server and lease time is not
required.
o Configure the workstations to obtain their IP addresses automatically.
 Configure the serial connections as appropriate.
 Use the network you created using the Boson NetSim software to carry out the configuration
of NAT and the Internet connections as documented in Step 3.
 Configure the Frame Relay connection using your network as follows:

o Configure the serial links on both the Sydney router and the Auckland router to use
Frame Relay encapsulation. You need to include the Sydney router in your Boson NetSim
design to achieve this. You do not need to configure anything else on the Sydney router.
 ACLs – configure ACLs to prevent users using itunes (port UDP 5353 and TCP 3689) on the
network.
 Routing – configure OSPF on the New Zealand routers. All OSPF routers are in a single OSPF
area: area 10. Use 20 as the process ID.
 Vlans and Inter-Vlan routing – using the information from Step 2 and 4, configure the
Auckland switches and routers to meet the requirements. InterVLAN routing is to be
configured on the appropriate router.
(42.5 marks)
6. Testing and Troubleshooting

You need to demonstrate for the client the network’s functionality. By completing the steps up to
this point you have created a prototype of the New Zealand network.
Now you need to test your prototype. The company has specified that the following network
testing be carried out and documented:
 Demonstrate routing between VLANs at each site. Three tests are required. Here is an
example:
From VLAN/SW To VLAN/SW Type Hosts Pass/Fail
 Verify communication between each subnet. To achieve this test that the Wellington subnet
PC can communicate with all other subnets. At least five tests are required. Troubleshoot
and fix any problems in the network until it works properly. Here is an example:
Source Destination Type Result
Wellington PC Host on Auckland Admin LAN Ping Pass
(5 marks)
7. Report
After the network has been successfully designed, and the prototype has been implemented and
tested, you must provide a report which includes the documents from all the above steps.
It is recommended that all tables be completed using a spreadsheet program such as Microsoft
Excel.

The following items must be included in the final report:
 IP Network Plan table (Step 1).
 IP Equipment Plan tables (from Step 2).
 NAT configuration table (from Step 3).
 Switch configuration table (from Step 4).
 Output of testing tables (from Step 6).
You must also supply the network design and device configuration file (.bsn file) from the Boson
NetSim software that you have configured.
Submit the documents and files as part of your project submission.
(Part B Total 94 marks)
Once you have completed all the required documentation and have created / configured the
required Boson NetSim software files from Part B, submit the required files and documentation
along with your submission sheets as follows:
 Add the completed documents and files for Part B of the project to a .zip file named
studentIDCCNpartB.zip (where studentID is your studentID number) and email it to the
appropriate marking email address shown below as part of your project submission.
Auckland Campus: marking-auck@mail.computerpower.ac.nz
Wellington-campus: marking-wgtn@mail.computerpower.ac.nz
Christchurch Campus: marking-chch@mail.computerpower.ac.nz
 Fill out the front of your Project Submission Sheet (complete all parts on the submission
sheet otherwise the project will not be marked), place it in your Submission Envelope, and
hand it over to an instructor.

CCN PROJECT PART B SUBMISSION SHEET

Include this page with the submission of your project documents
Student ID Shift Date
Marker Date Marks
/ 94
Check that you have done the following:
 Submit all the completed project files and documentation by emailing a .zip file of these
files to the email address marking-xxxx@mail.computerpower.ac.nz where xxxx is the
location of your Computer Power Plus Campus (e.g. wgtn for wellington, chch for
christchurch, or auck for auckland).
 Submit this sheet and any required printed documents in your submission envelope to an
instructor. Submissions not meeting these conditions will be returned to you for attention.
 Signed the declaration below.
DECLARATION:
The work presented in this project is to the best of my knowledge original, except as
acknowledged in the text, and the material has not been submitted, either in whole or in part, for
any academic award at this or any other tertiary institution. I promise not to share this project in
part or whole with any other student at CPP or outside this campus.
Signed: ………………………………………..……………………………… Date: ………………………………………….
This project part contributes 22% to the final grade for this unit.
What Constitutes a Pass mark?

You must fulfil the requirements of the deliverables as outlined over the page.
All of your submission must be your own work – it is not acceptable to use the work of other
students in your submission!
If you do not earn 50% or more of the marks for this part, then the project will be judged as
unsatisfactory and will be returned to you for correction and re-submission. If you are asked to
resubmit this part of the project you will only be able to achieve a maximum mark of 50% for this
part. Therefore it is in your best interests to produce a quality project submission on your first
attempt for each part.
The determination on whether you have satisfied the criteria of each section is at the discretion
of the instructor marking your project.
Please detach this cover page and hand it in with any other documents.

Specification Marks Marks

Available Awarded
Part B 1. IP Network Plan complete and accurate 6
Instructor: ________________________________________
2. IP Equipment Plan
Router interface information tables (x 6) 9
Switch interface information tables (x 8) 12
PC\Workstation IP addressing table 4.5
3. NAT configuration tables (x 2) 4
4. Switch VLAN table complete 3
Switch interface VLAN information 8
5. Device Configuration
Wellington Router settings (10 items) 5
Auckland External Router settings (15 items) 7.5
Auckland Internal Router settings ( 17 items) 8.5
Sydney Router settings (4 items) 2
Auckland Switch 1 settings (11 items) 5.5
Auckland Switch 2 settings (10 items) 5
Auckland Switch 3 settings (10 items) 5
Wellington Switch settings (4 items) 2
Auckland Admin Switch settings (4 items) 2
6. Testing output tables complete 5
Total Marks Earned
94
% of Total Marks Min 50% %
50% or more Competent otherwise Not Yet Competent (circle) If
below 50% ask to Resubmit (circle) Resubmit C / NYC
Key for Results: C = Competent NYC = Not Yet Competent

TOPIC 6: INTERNAL FINAL ASSESSMENT
Internal CCN Final Assessment

To pass this unit you must sit, and successfully pass, the final assessment. You are also required to
complete and submit the CCN Project before attempting the final assessment.
If you decide to sit the external 200-120 exam (we recommend the single exam method), before
you attempt it you should sit and pass the CPP final assessment. Passing it with a high pass mark
will indicate that you are most likely ready to sit the external Cisco exam.
You must sit the final assessment to pass the unit, and you should sit it before attempting the
optional external exam. The only way to pass the Computer Power Plus CCN unit is to pass the
final assessment. Passing the external Cisco exam is not sufficient to be credited with a pass for
this unit.
The final assessment consists of two parts both of which must be attempted one after the other
in the same shift:
1. A 120 minute electronic assessment comprising 42 questions that you sit in the exam bay as
usual.
2. A 45 minute practical assessment involving practical configuration and / or

troubleshooting of simulated Cisco IOS devices. You will be presented with scenario(s) that
you will need to solve or answer questions about. This will involve loading topologies using
the Boson NetSim software, and then using the devices to carry out the required
configuration, fix the problem, or identify the information.
You will need to score 50% or higher to pass the final assessment. The higher the pass mark you
get the higher the grade you will earn. If you intend to sit the external Cisco certification exam, it
is highly recommended that you achieve a pass of at least 70% in the final assessment. If your
pass mark is less than 70%, this indicates that you may find the external exam difficult to pass and
it may be better that you do not attempt it.
IMPORTANT: The final assessment counts towards 60% of your grade for the
unit. The external exam does not count towards your final grade for the CCN
unit.

Exam Result Objectives

On your Computer Power Plus electronic final assessment or practice assessment report the
objectives for any questions that you got wrong will be listed. These objectives directly
correspond to the topics on the Cisco website at http://tinyurl.com/c6kwmbo .
A copy of the objectives (topics) is also available in the ccn_work folder on your H:\ drive. This is
the .pdf file named 200-120_composite2.pdf.
The exam topics in the Cisco press textbooks are split between the ICND1 and ICND2 exams, but
these exam topics are the same as those for the 200-120 single exam and match the objectives
for this Computer Power Plus CCN unit.
The lists of objectives are found in the Introduction section of each textbook - page xxxiv of the
ICND1 textbook and page xxxi of the ICND2 textbook. While ICND1 objectives are covered in the
ICND1 textbook and ICND2 objectives are covered in the ICND2 textbook, these objectives cover
all of the CCNA topics and in some cases cover the same topics.
The exam topics in the textbooks are broken down using tables. The tables contain the main
topic (highlighted in black colour) broken down into further subtopics, each with corresponding
chapters of the textbook.
To locate the material in your textbooks that covers a Computer Power Plus CCN final
assessment or practice assessment question you need to do the following:
 Identify the objective number from your results report. For example, the Objective 2-6
Configure and verify VLANs will be listed if you got a question wrong that tested that topic.
 From the .pdf file named 200-120_composite2.pdf stored in the ccn_work folder on your
H:\ drive, identify the major topic the objective is included under. For example, Objective 2-6
from your results report is a sub-topic for Topic 2.0 LAN switching technologies. This
information can also be found on the Cisco website:
 Look in the ICND1 textbook on pages xxxiv – xli or in the ICND2 textbook on pages xxxi –
xxxix. Locate the table(s) headed with the appropriate exam topic. For example, locate the
table(s) headed LAN switching technologies. Table I-2 and I-8 cover this topic.
 In the appropriate table(s) locate the objective and sub-topic for the question you got
wrong. For example, the sub-topic Configure and verify VLANs is listed in Table I-2 (but not
Table I-8 in this example, but it could be for a different objective).
 Use the listed chapters for the sub-topic to revise the material for the objective. For example,
chapter 9 in the ICND1 textbook covers the sub-topic Configure and verify VLANs.

TOPIC 7: EXTERNAL CERTIFICATION NOTES
Overview
The Cisco CCNA (Cisco Certified Network Associate) Routing and Switching certification is an
foundation level networking specialist certification that measures an individual’s ability to install,
configure, and operate LAN, WAN, and dial access services for small networks (100 nodes or
fewer), including, but not limited to use of, these protocols: IPv4 and IPv6, EIGRP, OSPF, Serial,
Frame Relay, VLANs, Ethernet, NAT, VPNs, and Access Lists. As a Cisco Certified Network
Associate, you will be in an entry-level position with the ability to handle networking jobs. This
unit teaches students the skills needed to obtain entry-level IT jobs which involve installing and
configuring networks. It also helps students develop some of the skills needed to become
network technicians, computer technicians, or cable installers.
The CCNA R&S 200-120 exam is the qualifying exam available to candidates pursuing a single-
exam option for the Cisco Certified Network Associate CCNA certification. The exam will certify
that the successful candidate has the important knowledge and skills necessary to select,
connect, configure, and troubleshoot the various Cisco networking devices in a small to
medium-sized network. The exam covers topics on:
 Connecting to a WAN
 Implementing network security
 Routing and switching fundamentals
 The TCP/IP and OSI models and IP addressing (both IPv4 and IPv6)
 WAN technologies
 Operating and configuring IOS devices
 Extending switched networks with VLANs
 Determining IP routes
 Managing IP traffic with access lists
 Establishing point-to-point connections and Frame Relay connections.
The CCNA certification thus covers the following knowledge and skills:
 Networking Fundamentals
 Routing and Switching in the Enterprise
 Designing and Supporting Computer Networks
 IPv4 and IPv6 Addressing, Routing, and Services
 Routing Protocols and Concepts
 LAN Switching and Protocols
 Accessing the WAN.

External Exam
Exam Code 200-120 single exam
Number of
50 to 60
Questions
Multiple choice, drag and drop, select and place, and fill in the blank type
questions. One to three simulation exercises using the Cisco IOS. See
pages 629 to 630 of the ICND2 textbook for information on the types of
exam questions you could be asked. You can also experience these types
of exam questions by clicking the Review type of exam questions link on
Exam format
the webpage:
Exam questions are in sequence, and do not allow a candidate to "mark"
and return to an exam question. Please note that this means that you
CANNOT go back and review any of your answers.
Exam Duration 90 minutes
Minimum Passing
825 out of 1000
Score
The single exam option is the most popular route to earning the CCNA; however, a two-exam
option is available. Both options test students on the same material (topics).
1. CCNA Exam 200-120 – The exam will certify that the successful candidate has important
knowledge and skills necessary to install, operate, and troubleshoot a small to medium-sized
enterprise branch network. The exam covers topics on Operation of IP Data Networks, LAN
Switching Technologies, IP addressing (IPv4/IPv6), IP Routing Technologies, IP Services,
Network Device Security, Troubleshooting, and WAN Technologies.
OR
1. Interconnecting Cisco Networking Devices Part 1 Exam 100-101 – Certifies that the
successful candidate has important knowledge and skills necessary to install, operate, and
troubleshoot a small branch office network.
2. Interconnecting Cisco Networking Devices Part 2 Exam 200-101 – Certifies that the
successful candidate has important knowledge and skills necessary to install, operate, and
troubleshoot a small to medium-size enterprise branch network.
Exam Objectives
Your textbooks have exam objectives listed near the front. If you wish you can visit the following
Cisco website and view a copy of the latest CCNA exam objectives for your reference:
http://tinyurl.com/oveamps

IMPORTANT: You should ensure that as a minimum, you know how to

configure the major areas of Cisco routers and switches specified in the
objectives before you take the exam. PRACTISE, PRACTISE, and PRACTISE again
until you are able to successfully configure these areas of the Cisco IOS
software.
Self-Test Material Provided With the Textbooks

Everything you need to do for self-testing is to be found on the DVDs included with the
textbooks (labs and practice questions). You can install the testing software onto your student
image or at home.
MeasureUp Practice Exams

We provide MeasureUp practice exams to you to help you prepare for the external certification
exam if you wish to sit it. These questions can also assist with your knowledge for the Computer
Power Plus CCN final assessment. Please talk to an instructor to get an access key for the
MeasureUp website.
Tasks to Practise
Before you take the exam ensure that you are comfortable with the following concepts and skills:
Routing:
 Routing tables
 Configure routes and routers, and router interfaces
 Configure VLAN routing
 Protocols and configure EIGRP and OSPF
 Design, configure, and test routing
Switching:
 Introduction to broadcast domains, switch operation, and MAC addresses
 Configure switch management interface and port security
 Configure EtherChannel and connect switches
 Configure VLAN membership, Spanning Tree, 802.1q trunking operation
 Configure, and verify switch operations
 Troubleshoot virtual LANs and interVLAN Routing
Addressing:
 Implement IP addressing, DHCP configuration, and NAT operation
 Practice subnets, classless IP addressing and routing, VLSM, subnetting methods, and IPv6

 Route summarisation and aggregation
 IP addressing design and configuration (IPv4 and IPv6)
ACLs:
 ACL basics
 Verify, implement, and troubleshoot ACLs in the enterprise
 Review ACLs and use to implement security
Other:
 WAN technologies and devices required for network and Internet connections
 Implement data link protocols including PPP, Ethernet, Frame Relay, and HDLC
 Communications application and transport protocols
 Network management and IOS images
 Configure, verify, and troubleshoot basic NAT
 Implement VPNs
Exam Taking Tips

The way to approach the Cisco external exam is on each question make one of three decisions:
1. If you DO NOT know the answer then try to work out what the best answer is. Since you
CANNOT come back at the end of the exam and try again, you have to pick an answer
before you can continue.
2. This is a very important fact about the CCNA exam. You can only go forward – you cannot
return to previously answered questions!
3. If you THINK YOU KNOW the answer but are not 100% sure, answer the question. Your first
impression will be better than wasting too much time pondering the question.
4. If you are 100% CERTAIN you know the right answer, answer it and move on.
5. For the non-simulation questions you should therefore spend no more than 90 seconds on
each.
6. You should aim to spend no more than 5 to 10 minutes maximum per simulation question.
Answer as much of it as you can. If you still cannot solve the problem or answer all the
questions or have not finished the required configuration, then you should move on. But
note that is it difficult to pass the exam if you do not complete most of each simulation
question successfully.

7. A very important topic is subnetting so make sure you understand how to subnet very
quickly (both IPv4 and IPv6).
If any time is left after doing all the questions, then the exam will simply finish. If you have not
completed all the questions, the exam will also finish when the time runs out and it will mark the
questions that you have answered.
Simulation Exam Questions

The simulations in the exam can involve any of the exam topics, so the best way to prepare is to
practise using all the main commands. There are three main types of simulations as follows:
1. You may be asked to configure a device or function.

2. You may be asked to fix a problem.
3. You may be asked to answer some questions about a network (you use ‘show’ commands on
devices to identify the information).
Cisco does not tell you how many points you will get for each correctly solved simulation. You
will still receive some credit if you cannot solve the simulation completely but are able to
complete parts of it, or if you only get some of the questions correct. So be careful with the
simulations and prepare well for them by writing and practicing all the main commands as much
as possible.
Simulations are important in the exam, and you may have to solve one to three simulations. You
need to successfully complete as much of these as possible. Even if you answer all the other
questions perfectly in the exam, if you fail the simulations completely, it is difficult to reach the
passing score of 825.
In the simulation questions in the exam, there is usually one PC connected to each router or
switch that you need to configure or connect to. Just click on this PC in the network map to be
taken to the CLI of the router or switch (there is no need to type telnet or do anything else).
External Exam Booking Instructions

The external CCNA exams must be sat at a Pearson Vue testing centre. They cannot be sat at a
Prometric testing centre.
It is your responsibility to book for the external exam(s) if you wish to attempt them.
You will need to book and pay for an exam with Pearson Vue at this website:
http://www.vue.com/cisco/
We recommend that you book your exam at least one week in advance, in order to get the day
and time that you wish.
Sitting the Exam

After you book an exam, you are informed as to when and where the exam will take place. Try to
arrive at least 15 minutes early. You must supply two forms of identification - one of which must
be a photo ID - to be admitted into the testing room.

All exams are completely closed book. In fact, you are not permitted to take anything into the
test area, but you are given a blank sheet of paper and a pen, or in some cases, an erasable
plastic sheet and an erasable pen. Immediately write down on that sheet of paper all the
information you have memorised for the test. You are allowed some time to compose yourself,
record this information, and take a sample orientation exam before you begin the real thing.
It is best to take the orientation test before taking your first exam, but because they are all more
or less identical in layout, behaviour, and controls, you probably do not need to do this more
than once. When you complete a Cisco certification exam, the software tells you whether you
have passed or failed. If you need to retake an exam, you have to schedule a new test and pay
another exam fee.
Further advice on preparing and taking the exam can be found in Chapter 22 of the ICND2
textbook.
Cisco Exam Resit Policy

1. Candidates who fail an exam must wait a period of five (5) calendar days, beginning the day
after the failed attempt, before they may retest for the same exam.
2. If a candidate has passed an exam, he/she cannot take it again within 180 days.
Cisco Recertification Policy

CCNA Routing and Switching certifications are valid for three years. To recertify, pass ONE of the
following before the certification expiration date:
 Pass any current Associate-level exam except for ICND1 exam, or
 Pass any current 642-XXX Professional-level or any 300-XXX Professional-level exam, or
 Pass any current 642-XXX Cisco Specialist exam (excluding Sales Specialist exams or
MeetingPlace Specialist exams, Implementing Cisco TelePresence Installations (ITI) exams,
Cisco Leading Virtual Classroom Instruction exams, or any 650 online exams), or
 Pass any current CCIE Written Exam, or
 Pass the current CCDE Written Exam OR current CCDE Practical Exam, or
 Pass the Cisco Certified Architect (CCAr) interview AND the CCAr board review to extend
lower certifications.
If you decide to pursue the two-exam method and you sit and pass the 100-101 exam (ICND1),
then you currently have a three-year period in which to complete and pass the 200-101 exam
(ICND2) to earn the CCNA certification.
The full Cisco exam policies can be found here:
http://www.cisco.com/web/learning/exams/policies.html

CCNA Routing and Switching Appendix A: Acme Policies
A APPENDIX A
ACME POLICIES
Device Security Policy
1.0 Purpose
This document describes a required minimal security configuration for all routers and switches
connecting to a production network or used in a production capacity at or on behalf of Acme
Accountants.
2.0 Scope
All routers and switches connected to Acme Accountants production networks are affected.
Routers and switches within internal, secured labs are not affected.
3.0 Policy
Every router and switch must meet the following configuration standards:
1. Devices should be named using Acmexn where x is R for router or S for switch, and n is a
unique number.
2. The enable password on the router or switch must be kept in a secure encrypted form. The
router must have the enable password set to the current production router password.
3. Disallow the following:
4. IP directed broadcasts
5. Incoming packets at the router sourced with invalid addresses
6. All web services running on router
7. Unused interfaces
8. Switch access ports must be secured to prevent new unknown devices being connected.
9. The router must be included in the corporate management system with a designated point
of contact.
10. Each router must have the following statement posted in clear view:
"UNAUTHORISED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have

explicit permission to access or configure this device. All activities performed on this
device may be logged, and violations of this policy may result in disciplinary action, and
may be reported to law enforcement. There is no right to privacy on this device."
Computer Power Plus A-1

Appendix A: Acme Policies CCNA Routing And Switching
11. Telnet may never be used across any network to manage a router except from the designed
IT subnet, or unless there is a secure tunnel protecting the entire communication path. SSH is
the preferred management protocol for routers.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
A-2 Computer Power Plus

CCNA Routing and Switching Appendix A: Acme Policies
Remote Access Policy
1.0 Purpose
The purpose of this policy is to define standards for connecting to Acme Accountant’s network
from any host. These standards are designed to minimise the potential exposure to Acme
Accountants from damages which may result from unauthorised use of Acme Accountants
resources.
2.0 Scope
This policy applies to all Acme Accountants employees, contractors, vendors and agents with a
Acme Accountants-owned or personally-owned computer or workstation used to connect to the
Acme Accountants network. This policy applies to remote access connections used to do work on
behalf of Acme Accountants, including reading or sending email and viewing intranet web
resources.
Remote access implementations that are covered by this policy include, but are not limited to,
dial-up modems, Frame Relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
3.0 Policy
3.1 General
1. It is the responsibility of Acme Accountants employees, contractors, vendors and agents with
remote access privileges to Acme Accountant’s corporate network to ensure that their
remote access connection is given the same consideration as the user's on-site connection to
Acme Accountants.
2. General access to the Internet for recreational use by immediate household members
through the Acme Accountants Network on personal computers is permitted for employees
that have flat-rate services. The Acme Accountants employee is responsible to ensure the
family member does not violate any Acme Accountants policies, does not perform illegal
activities, and does not use the access for outside business interests. The Acme Accountants
employee bears responsibility for the consequences should the access be misused.
3.2 Requirements
1. At no time should any Acme Accountants employee provide their login or email password to
anyone, not even family members.
2. Acme Accountants employees and contractors with remote access privileges must ensure
that their Acme Accountants-owned or personal computer or workstation, which is remotely
connected to Acme Accountant’s corporate network, is not connected to any other network
at the same time, with the exception of personal networks that are under the complete
control of the user.
3. Acme Accountants employees and contractors with remote access privileges to Acme
Accountant’s corporate network must not use non-Acme Accountants email accounts (i.e.,
Outlook, Yahoo, Gmail), or other external resources to conduct Acme Accountants business,
thereby ensuring that official business is never confused with personal business.
Computer Power Plus A-3

Appendix A: Acme Policies CCNA Routing And Switching
4. Routers for dedicated lines configured for access to the Acme Accountants network must
meet minimum authentication requirements of CHAP.
5. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual

homing is not permitted at any time.
6. All dedicated lines must use authentication.
7. Non-standard hardware configurations must be approved by the IT Manager.
8. All hosts that are connected to Acme Accountant’s internal networks via remote access
technologies must use the most up-to-date anti-virus software, this includes personal
computers.
9. Personal equipment that is used to connect to Acme Accountant’s networks must meet the
requirements of Acme Accountants-owned equipment for remote access.
10. Organisations or individuals who wish to implement non-standard Remote Access solutions
to the Acme Accountant’s production network must obtain prior approval from the IT
Manager.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
A-4 Computer Power Plus

CCNA Routing and Switching Appendix B: IOS Security Benchmark
B
Introduction
APPENDIX B
CISCO IOS SECURITY BENCHMARK
This document defines a set of benchmarks or standards for securing Cisco IOS. The benchmark
is an industry consensus of current best practices as well as reasons for those actions.
Applicability
This document applies to securing Cisco IOS appliances running version 12.x or higher software.
1 Level-1 Benchmark
Description: The Level-1 Benchmark for Cisco IOS represents a prudent level of minimum due
care.
1.1 Management Plane Level 1

Description: Services, settings and data streams related to setting up and examining the static
configuration of the router, and the authentication and authorisation of router administrators.
Examples of management plane services include: administrative telnet and ssh, SNMP, TFTP for
image file upload, and security protocols like RADIUS and TACACS+.
1.1.1 Local Authentication, Authorisation and Accounting (AAA) Rules

Description: Rules in the Local authentication, authorisation and accounting (AAA)
configuration class enforce device access control.
1.1.1.1 Require AAA Service

Description: Verify centralised authentication, authorisation and accounting (AAA) service (new-
model) is enabled.
Rationale: Authentication, authorisation and accounting (AAA) systems provide an authoritative

source for managing and monitoring access for devices. Centralising control improves
consistency of access control, the services that may be accessed once authenticated and
accountability by tracking services accessed. Additionally, centralising access control simplifies
and reduces administrative costs of account provisioning and de-provisioning, especially when
managing a large number of devices.
Remediation: Globally enable authentication, authorisation and accounting (AAA).
1.1.1.2 Require AAA Authentication for Login

Description: Verify authentication, authorisation and accounting (AAA) method(s) configuration
for case-sensitive, local user login authentication.

Computer Power Plus B-1

Appendix B: IOS Security Benchmark CCNA Routing and Switching
Dependencies: Requires: 1.1.1.1 Require AAA Service
Warning: Only “the default method list is automatically applied to all interfaces except those
that have a named method list explicitly defined. A defined method list overrides the default
method list.” (Cisco IOS Security Guide v12.3)
Remediation: Configure AAA authentication method(s) for login authentication.
1.1.1.3 Require AAA Authentication for Enable Mode

Description: Verify authentication, authorisation and accounting (AAA) methods for enable
mode authentication.

Remediation: Configure AAA authentication method(s) for enable authentication.
1.1.1.4 Require AAA Authentication for Local Console and VTY Lines
Description: Verify configurations for all management lines require login using the default or a
named authentication, authorisation and accounting (AAA) method list. If selected, this rule
applies for both local and network AAA.
Rationale: Using AAA authentication for line access to the device provides consistent,
centralised control of your network. The default under AAA (local or network) is to require users
to log in using a valid user name and password. This rule applies for both local and network AAA.
If a named AAA authentication list, other than default, is required then authentication must be
configured explicitly on each IOS line.
Warning: Only “the default method list is automatically applied to all interfaces except those
that have a named method list explicitly defined. A defined method list overrides the default
method list.” (Cisco IOS Security Guide v12.3)
Remediation: Configure management lines to require login using the default or a named AAA
authentication list. This configuration must be set individually for all lines (e.g. aux, console ...).
B-2 Computer Power Plus

1.1.2 Access Rules

Description: Rules in the access class enforce controls for device administrative connections.
1.1.2.1 Require Local User and Encrypted Password

Description: Verify at least one local user exists and ensure all locally defined user passwords are
protected by encryption.
Rationale: Default device configuration does not require strong user authentication potentially
enabling unfettered access to an attacker that can reach the device. Creating a local account with
an encrypted password enforces login authentication and provides a fallback authentication
mechanism for configuration in a named method list in case centralised authentication,
authorisation and accounting services are unavailable.
Remediation: Create a local user with an encrypted, complex (not easily guessed) password. Do
not use "LOCAL PASSWORD”.
1.1.2.2 Require SSH for Remote Device Access

Description: Verify that SSH is the only protocol allowed for remote access to the device.
Rationale: SSH uses RSA public key cryptography to establish a secure connection between a
client and a server. Because connections are encrypted, passwords and other sensitive
information are not exposed in clear text between the administrator's host and the device. SSH
also prevents session hijacking and many other kinds of network attacks. SSH should be
employed to replace Telnet where available.
Remediation: Enable remote administration via SSH for incoming VTY login.
1.1.2.3 Require VTY Transport SSH

Description: Verify secure shell (SSH) access is configured on all management lines.
Rationale: VTY Configuring access control to restrict remote access to those authorised to
manage the device prevents unauthorised users from accessing the system.
Remediation: Apply VTY transport SSH on all management lines.
1.1.2.4 Require Timeout for Login Sessions

Description: Verify device is configured to automatically disconnect sessions after a fixed idle
time.
Rationale: This prevents unauthorised users from misusing abandoned sessions. As an example,
if the administrator goes on vacation and leaves an enabled login session active on his desktop
system. There is a trade-off here between security (shorter timeouts) and usability (longer
timeouts). Check your local policies and operational needs to determine the best value. In most
cases, this should be no more than 5 minutes.
Remediation: Configure device timeout (5 minutes) to disconnect sessions after a fixed idle
time.

1.1.2.5 Forbid Auxiliary Port

Description: Verify that the EXEC process is disabled on the auxiliary (aux) port.
Rationale: Unused ports should be disabled, if not required, since they provide a potential
access path for attackers. Some devices include both an auxiliary and console port that can be
used to locally connect to and configure the device. The console port is normally the primary
port used to configure the device; even when remote, backup administration is required via
console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used
for dial-up administration, which is rarely used, via an external modem.
Remediation: Disable exec on the auxiliary port.
1.1.2.6 Require Access Control

Description: Verify that management access to the device is restricted to an authenticated local
user on all lines.
Rationale: Configuring access control to restrict remote access to those authorised to manage
the device prevents unauthorised users from accessing the system.
Remediation: Configure remote management restrictions using a local user account for all
Console, Aux and VTY lines.
1.1.2.7 Require VTY ACL

Description: Verify that the required VTY access control list (ACL) exists to restrict inbound
management sessions for all VTY lines.
Rationale: VTY ACLs control what addresses may attempt to log in to your router. Configuring
VTY lines to use an ACL, restricts the sources a user can manage the device from. You should limit
the specific host(s) and or network(s) authorised to connect to and configure the device, via an
approved protocol, to those individuals or systems authorised to administrate the device.
Example, you could limit access to specify hosts, so that your network managers can configure
the devices only by using specific network management workstations. Make sure you configure
all VTY lines to use the same ACL.
Remediation: Configure the VTY ACL that will be used to restrict management access to the
device.
1.1.3 Banner Rules

Description: Rules in the banner class communicate legal rights to users.
1.1.3.1 Require EXEC Banner

Description: Verify an authorised EXEC banner is defined.
Rationale: Presentation of an EXEC banner occurs before displaying the enable prompt, after
starting an EXEC process, normally after displaying the message of the day and login banners
and after the user logs into the device. Network banners are electronic messages that provide
notice of legal rights to users of computer networks.

Remediation: Configure the exec banner presented to a user when accessing the devices
enable prompt.
1.1.3.2 Require Login Banner

Description: Verify an authorised login banner is defined.
Rationale: Presentation of a login banner, to a user attempting to access the device, occurs
before the display of login prompts and usually appears after the message of the day banner.
Network banners are electronic messages that provide notice of legal rights to users of computer
networks.
Remediation: Configure the login banner presented to a user attempting to access the device.
1.1.3.3 Require MOTD Banner

Description: Verify an authorised message of the day (MOTD) banner is defined.
Rationale: Presentation of a MOTD banner occurs when a user first connects to the device,
normally before displaying the login banner and login prompts. Network banners are electronic
messages that provide notice of legal rights to users of computer networks.
Remediation: Configure the message of the day (MOTD) banner presented when a user first
connects to the device.
1.1.4 Password Rules

Description: Rules in the password class enforce secure, local device authentication credentials.
1.1.4.1 Require Enable Secret

Description: Verify an enable secret password is defined using strong encryption to protect
access to privileged EXEC mode (enable mode) which is used to configure the device.
Rationale: Requiring enable secret setting protects privileged EXEC mode. By default, a strong
password is not required, a user can just press the Enter key at the Password prompt to start
privileged mode. The enable password command causes the device to enforce use of a password
to access privileged mode. Enable secrets use a strong, one-way cryptographic hash (MD5). This
is preferred to enable passwords that use a weak, well-known and reversible encryption
algorithm.
Remediation: Configure a strong enable secret password.
1.1.4.2 Require Encrypted Line Passwords

Description: Verify an access password with strong encryption is configured on all management
lines / VTY.
Rationale: This requires a password to be set on each line. Note, that given the use of local
usernames (level 1 – see 1.1.2.1) or TACACS+ (level 2), line passwords will not be used for
authentication. There they are included as a fail-safe to ensure that some password is required

for access to the router in case other AAA options are not configured. Low quality passwords are
easily guessed possibly providing unauthorised access to the router.
Remediation: Configure each line with a strong, encrypted password.
1.1.4.3 Require Encrypted User Passwords

Description: Verify all locally defined users have encrypted passwords configured.
Rationale: If not set, an attacker can gain access to the device without a password if they can
determine a valid username. Low quality passwords are easily guessed possibly providing
unauthorised access to the router.
Remediation: Configure user with an encrypted password Do not use "LOCAL_PASSWORD".

Instead, choose a value that is longer ! than seven characters, and contains upper- and lower-
case letters, ! digits, and punctuation.
1.1.4.4 Require Password Encryption Service

Description: Verify encryption of passwords in device configuration is enabled.
Rationale: This requires passwords to be encrypted in the configuration file to prevent

unauthorised users from learning the passwords by reading the configuration. If this service is
not enabled then many of the devices passwords will be rendered in plain text in its
configuration file. This service ensures passwords are rendered as encrypted strings preventing
an attacker from easily determining the configured value.
Remediation: Enable password encryption service to protect sensitive access passwords in the
device configuration.
1.1.5 SNMP Rules

Description: Rules in the simple network management protocol class (SNMP) enforce secure
network management and monitoring of the device.
1.1.5.1 Forbid SNMP Community String private

Description: Verify configuration does not contain default simple network management
protocol (SNMP) community strings. The configuration cannot include snmp-server community
commands with prohibited community strings.
Rationale: SNMP allows management and monitoring of networked devices. "private" is a well
known default community string. Using easy to guess, well known, community strings poses a
threat that an attacker can effortlessly gain unauthorised access to the device. SNMP should be
disabled unless you absolutely require it for network management purposes. If you require
SNMP, be sure to select SNMP community strings that are strong passwords, and are not the
same as other passwords used for the enable password, line password, BGP key or other
authentication credentials. Consider utilising SNMPv3 which utilises authentication,
authorisation and data privatisation (encryption), when available.
Remediation: Disable default or prohibited SNMP community strings.

1.1.5.2 Forbid SNMP Community String public

Description: Verify configuration does not contain default simple network management
protocol (SNMP) community strings. The configuration cannot include snmp-server community
commands with prohibited community strings.
Rationale: SNMP allows management and monitoring of networked devices. "public" is a well
known default community string. Using easy to guess, well known, community strings poses a
threat that an attacker can effortlessly gain unauthorised access to the device. SNMP should be
disabled unless you absolutely require it for network management purposes. If you require
SNMP, be sure to select SNMP community strings that are strong passwords, and are not the
same as other passwords used for the enable password, line password, BGP key or other
authentication credentials. Consider utilising SNMPv3 which utilises authentication,
authorisation and data privatisation (encryption), when available.
Remediation: Disable default or prohibited SNMP community strings.
1.1.5.3 Forbid SNMP Read and Write Access

Description: Disable simple network management protocol (SNMP), read and write access, if
not in use.
Rationale: SNMP read access allows remote monitoring and management of the device. Older
version of the protocol, such as SNMP versions 1 and 2, do not use any encryption to protect
community strings (passwords). SNMP should be disabled unless you absolutely require it for
network management purposes. If you require SNMP, be sure to select SNMP community strings
that are strong passwords, and are not the same as other passwords used for the device (e.g.
enable password, line password, etc.) or other authentication credentials. Consider utilising
SNMPv3 which utilises authentication, authorisation and data privatisation (encryption), when
available. SNMP versions 1 and 2 use clear-text community strings, which are considered a weak
security implementation.
Remediation: Disable SNMP read and write access if not in used to monitor and or manage
device.
1.1.5.4 Forbid SNMP Write Access

Description: Verify the device will not allow simple network management protocol (SNMP)
write access.
Rationale: Enabling SNMP read-write enables remote (mis)management of the device. Older
version of the protocol, such as SNMP versions 1 and 2, do not use any encryption to protect
community strings (passwords). Enabling write access poses the threat that an attacker can
potentially capture SNMP packets, determine the write community string and remotely
manipulate the device.
Remediation: Disable SNMP write access.

1.1.5.5 Forbid SNMP without ACL

Description: Verify all simple network management protocol (SNMP) access is restricted using
an access control list (ACL.)
Rationale: If ACLs are not applied, then anyone with a valid SNMP community string can
potentially monitor and manage the router. An ACL should be defined and applied for all SNMP
access to limit access to a small number of authorised management stations segmented in a
trusted management zone.
Remediation: Configure SNMP access restrictions via an ACL.
1.1.5.6 Require a Defined SNMP ACL

Description: Verify a defined simple network management protocol (SNMP) access control list
(ACL) exists with rules for restricting SNMP access to the device.
Rationale: SNMP ACLs control what addresses are authorised to manage and monitor the
device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may
monitor and manage the router. An ACL should be defined and applied for all SNMP community
strings to limit access to a small number of authorised management stations segmented in a
trusted management zone.
Remediation: Configure SNMP ACL for restricting access to the device from authorised
management stations segmented in a trusted management zone.
1.1.5.7 Require Authorised Read SNMP Community Strings and Access Control
Description: Verify an authorised community string and access control is configured to restrict
read access to the device.
Rationale: SNMP read access should be restricted to authorised management systems, in a

restricted zone, using a community string unique to the managing organisation to prevent
unauthorised device access. If an attacker is able to easily guess or obtain the community string
and can access the device then they can potentially gain sensitive device information using
SNMP.
Remediation: Configure authorised SNMP read community string and restrict access to
authorised management systems. The community string should be unique from all other device
credentials.
1.2 Control Plane Level 1

Description: The control plane covers monitoring, route table updates, and generally the
dynamic operation of the router. Services, settings, and data streams that support and document
the operation, traffic handling, and dynamic status of the router. Examples of control plane
services include: logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP,
network topology protocols like STP, and traffic security control protocols like IKE. Network
control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall
into this area.

1.2.1 Clock Rules

Description: Rules in the clock class enforce device time and timestamp settings.
1.2.1.1 Require Clock Timezone - UTC

Description: Verify the timezone for the device clock is configured to coordinated universal
time (UTC) explicitly.
Rationale: Configuring devices with a universal time zone eliminates difficulty troubleshooting
issues across different time zones and correlating time stamps for disparate log files across
multiple devices. Set the clock to UTC 0 (no offset) to aid in root cause analysis of attacks and
network issues.
Remediation: Configure the devices clock time zone to coordinated universal time (UTC)
explicitly.
1.2.1.2 Forbid summer-time clock

Description: Verify clock summer-time is not configured to adjust the device clock for daylight
saving time.
Rationale: The difficulty of troubleshooting and correlating issues across different time zones
increases if the time stamps of individual logs need to be adjusted for summer time clock
settings. Timestamp adjustments can lead to errors when correlating logs across multiple
devices. Employ coordinated universal time (UTC) instead of local time zones and do not use
summer-time, daylight saving, clock adjustments.
Remediation: Disable clock summer-time adjustments.
1.2.2 Global Service Rules

Description: Rules in the global service class enforce server and service controls that protect
against attacks or expose the device to exploitation.
1.2.2.1 Forbid CDP Run Globally

Description: Disable Cisco Discovery Protocol (CDP) service at device level.
Rationale: The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to
identify each other on a LAN segment. It is useful only in specialised situations, and is considered
a security risk. There have been published denial-of-service (DoS) attacks that use CDP. CDP
should be completely disabled unless there is a need for it.
Remediation: Disable Cisco Discovery Protocol (CDP) service globally.
1.2.2.2 Forbid Finger Service

Description: Disable finger server.
Rationale: Finger is used to find out which users are logged into a device. This service is rarely
used in practical environments and can potentially provide an attacker with useful information.

Additionally, the finger service can exposed the device Finger of Death denial-of-service (DoS)
attack. From Cisco IOS documentation: "As with all minor services, the Finger service should be
disabled on your system if you do not have a need for it in your network. Any network device
that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the
services disabled to protect against Denial of Service attacks."
Remediation: Disable finger server.
1.2.2.3 Forbid IP BOOTP server

Description: Disable bootstrap protocol (BOOTP) server.
Rationale: From Cisco IOS documentation: "As with all minor services, the async line BOOTP
service should be disabled on your system if you do not have a need for it in your network. Any
network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or
have the services disabled to protect against Denial of Service attacks."
Remediation: Disable unnecessary services such as echo, discard, chargen, etc.
1.2.2.4 Forbid Identification Service

Description: Disable identification (identd) server.
Rationale: Identification protocol enables identifying a users transmission control protocol

(TCP) session. This information disclosure could potentially provide an attacker with information
about users. Services that are not needed should be turned off because they present potential
avenues of attack and may provide information that could be useful for gaining unauthorised
access.
Remediation: Disable ident server.
1.2.2.5 Forbid IP HTTP Server

Description: Disable HTTP server.
Rationale: The HTTP server allows remote management of routers. Unfortunately, it uses simple
HTTP authentication which sends passwords in the clear. This could allow unauthorised access to,
and [mis]management of the router. The http server should be disabled.
Remediation: Disable http server.
1.2.2.6 Forbid Remote Startup Configuration

Description: Disable autoloading of remote configuration files from a network server.
Rationale: Service config allows the device to autoload its startup configuration from a remote
device (e.g. a tftp server). The protocols used to transfer configurations files, such as trivial file
transfer protocol (TFTP) and file transfer protocol (FTP), are not secure. Since these methods are
insecure, an attacker could potentially compromise or spoof the remote configuration service
enabling malicious reconfiguration of the device.
Remediation: Disable auto loading of remote configurations files from a network server.

1.2.2.7 Require TCP keepalives-in Service

Description: Verify transmission control protocol (TCP) keepalives-in service is enabled to kill
abnormally terminated sessions.
Rationale: Stale connections use resources and could potentially be hijacked to gain illegitimate
access. The TCP keepalives-in service generates keepalive packets on idle incoming network
connections (initiated by remote host.) This service allows the device to detect when the remote
host fails and drop the session. If enabled, keepalives are sent once per minute on idle
connections. The closes connection is closed within five minutes if no keepalives are received or
immediately if the host replies with a reset packet.
Remediation: Enable TCP keepalives-in service to kill sessions where the remote side has died.
1.2.2.8 Require TCP keepalives-out Service

Description: Use transmission control protocol (TCP) keepalives-out service to kill abnormally
terminated sessions.
Rationale: Stale connections use resources and could potentially be hijacked to gain illegitimate
access. The TCP keepalives-out service generates keepalive packets on idle outgoing network
connections (initiated by remote host). This service allows the device to detect when the remote
host fails and drop the session. If enabled, keepalives are sent once per minute on idle
connections. The connection is closed within five minutes if no keepalives are received or
immediately if the host replies with a reset packet.
Remediation: Enable TCP keepalives-out service to kill sessions where the remote side has died.
1.2.2.9 Forbid tcp-small-servers

Description: Disable unnecessary services such as echo, discard, chargen, etc.
Rationale: TCP small services: echo, chargen and daytime (including UDP versions) are rarely
used. These services can be leveraged by attackers to launch denial-of-service (DoS) and other
attacks that would be prevented by packet inspection filters provided these services are disabled.
Services that are not needed should be turned off because they present potential avenues of
attack and may provide information that could be useful for gaining unauthorised access.
1.2.2.10 Forbid udp-small-servers

Description: Disable unnecessary services such as echo, discard, chargen, etc.
Rationale: TCP small services: echo, chargen and daytime (including UDP versions) are rarely
used. These services can be leveraged by attackers to launch denial-of-service (DoS) and other
attacks that would be prevented by packet inspection filters provided these services are disabled.
Services that are not needed should be turned off because they present potential avenues of
attack and may provide information that could be useful for gaining unauthorised access.

1.2.2.11 Forbid TFTP Server

Description: Disable trivial file transfer protocol (TFTP) server service.
Rationale: Trivial file transfer protocol (TFTP) is not a secure service. It allows anyone who can
connect to the device to transfer files, such as access control lists, router configurations and
system images.
Remediation: Disable tftp-server service.
1.2.3 Logging Rules

Description: Rules in the logging class enforce controls that provide a record of system activity
and events.
1.2.3.1 Require Logging

Description: Verify logging is enabled.
Rationale: Logging should be enabled to allow monitoring of both operational and security
related events. Logs are critical for responding to general as well as security incidents.
Additionally, device logging is highly recommended or required by most security regulations.
Remediation: Enable logging.
1.2.3.2 Require Logging Buffer

Description: Verify buffered logging (with minimum size) is configured to enable logging to
internal device memory buffer.
Rationale: The device can copy and store log messages to an internal memory buffer. The
buffered data is available only from a router exec or enabled exec session. This form of logging is
useful for debugging and monitoring when logged in to a router.
Remediation: Configure buffered logging (with minimum size). Recommended size is 16000.
1.2.3.3 Require Logging to Device Console

Description: Verify logging to device console is enabled and limited to a rational severity level
to avoid impacting system performance and management.
Rationale: This configuration determines the severity of messages that will generate console
messages. Logging to console should be limited only to those messages required for immediate
troubleshooting while logged into the device. This form of logging is not persistent; messages
printed to the console are not stored by the router. Console logging is handy for operators when
they use the console Warning: It is possible that misconfiguring the logging level to be
excessively verbose or excessive log messages on the console could make it impossible to
manage the device, even on the console.
Remediation: Configure console logging level.

1.2.3.4 Require Logging to Syslog Server

Description: Designate one or more syslog servers to centrally record system logs.
Rationale: Cisco routers can send their log messages to a Unix-style syslog service. A syslog
service simply accepts messages, and stores them in files or prints them according to a simple
configuration file. This form of logging is best because it can provide protected long-term
storage for logs (the devices internal logging buffer has limited capacity to store events).
Additionally, logging to an external system is highly recommended or required by most security
standards.
Remediation: Designate one or more syslog servers by IP address.
1.2.3.5 Require Logging Trap Severity Level

Description: Verify simple network management protocol (SNMP) trap and syslog are set to
required level.
Rationale: This determines the severity of messages that will generate simple network
management protocol (SNMP) trap and or syslog messages. This setting should be set to either
"debugging" (7) or "informational" (6), but no lower.
Remediation: Configure SNMP trap and syslog logging level.
1.2.3.6 Require Service Timestamps for Debug Messages

Description: Configure debug message to include timestamps.
Rationale: Including timestamps in log messages allows correlating events and tracing network
attacks across multiple devices. Enabling service timestamp to mark the time log messages were
generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues
or attacks.
Remediation: Configure debug message to include timestamps.
1.2.3.7 Require Service Timestamps in Log Messages

Description: Configure logging to include message timestamps.
Rationale: Including timestamps in log messages allows correlating events and tracing network
attacks across multiple devices. Enabling service timestamp to mark the time log messages were
generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues
or attacks.
Remediation: Configure logging to include message timestamps.
1.2.4 NTP Rules

Description: Rules in the network time protocol (NTP) class enforce synchronization of the
devices clock to trusted, authoritative timer sources.

1.2.4.1 Require Primary NTP Server

Description: Verify configuration of a primary, trusted network protocol (NTP) timeserver used
to synchronize the device clock.
Rationale: Network time protocol (NTP) enables devices to maintain accurate time when
synchronised to a trusted and reliable timeserver. Synchronising system time to a centralised and
trusted time source enables reliable correlation of events based on the actual sequence they
occurred. The ability to accurately, determine the time and sequence events occur in increases
confidence in event data. Accurate system time and events facilitate efficient troubleshooting
and incident response. Additional time sources increase the accuracy and dependability of
system time.
Remediation: Designate a primary, trusted NTP timeserver.
1.2.4.2 Require Secondary NTP Server

Description: Verify configuration of a secondary, trusted network protocol (NTP) timeserver
used to synchronise the device clock.
system time.
Remediation: Designate a secondary, trusted NTP timeserver.
1.2.4.3 Require Tertiary NTP Server

Description: Verify configuration of a tertiary, trusted network protocol (NTP) timeserver used
to synchronise the device clock.
system time.
Remediation: Designate a tertiary, trusted NTP timeserver.
1.3 Data Plane Level 1

Description: Services and settings related to the data passing through the router (as opposed to
direct to it). The data plane is for everything not in control or management planes. Settings on a
router concerned with the data plane include interface access lists, firewall functionality (e.g.
CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF verification and
CAR/QoS also fall into this area.

1.3.1 Routing Rules

Description: Unneeded services should be disabled.
1.3.1.1 Forbid Directed Broadcast

Description: Disallow IP directed broadcast on each interface.
Rationale: Directed broadcasts permit hosts to send broadcasts across local area network (LAN)
segments. Device interfaces that allow directed broadcasts can be used for "smurf" denial-of-
service (DoS) attacks.
Remediation: Disable directed broadcast on each interface.
1.3.1.2 Forbid IP source-route

Description: Disable source routing.
Rationale: Source routing is a feature of IP whereby individual packets can specify routes. This
feature is used in several kinds of attacks. Cisco routers normally accept and process source
routes. Unless a network depends on source routing, it should be disabled.
Remediation: Disable source routing.
2 Level-2 Benchmark
Description: The Level-2 Benchmark for CISCO IOS represents an enhanced level of due care for
system security.
2.1 Management Plane Level 2

Description: Services, settings, and data streams related to setting up and examining the static
configuration of the router, and the authentication and authorisation of router administrators.
Examples of management plane services include: administrative telnet, SNMP, TFTP for image
file upload, and security protocols like RADIUS and TACACS+.
2.1.1 Authentication, Authorisation and Accounting Rules

Description: Rules in the authentication, authorisation and accounting (AAA) configuration
class enforce centralised device access control.
2.1.1.1 Require AAA Authentication Enable

Description: Verify authentication, authorisation and accounting (AAA) methods for enable
mode authentication (with fall-back) is configured.
Rationale: Authentication, authorisation and accounting (AAA) systems provide an

authoritative source for managing and monitoring access for devices. Centralising control
improves consistency of access control, the services that may be accessed once authenticated
and accountability by tracking services accessed. Additionally, centralising access control
simplifies and reduces administrative costs of account provisioning and de-provisioning,
especially when managing a large number of devices.

Remediation: Configure AAA authentication method(s) for enable authentication (with fall-
back).
2.1.1.2 Require AAA Authentication Login

Description: Verify authentication, authorisation and accounting (AAA) methods for user login
authentication (with fall-back) is configured.

authoritative source for managing and monitoring access for devices. Centralising control
Remediation: Configure AAA authentication method(s) for login authentication (with fall-back).
2.1.1.3 Require AAA Accounting Commands

Description: Verify authentication, authorisation and accounting (AAA) for commands are
configured.

authoritative source for managing and monitoring accounting for devices. Centralising control
Remediation: Configure AAA accounting for commands.
2.1.1.4 Require AAA Accounting Connection

Description: Verify authentication, authorisation and accounting (AAA) accounting for
connections are configured.

Remediation: Configured AAA accounting for connections.
2.1.1.5 Require AAA Accounting Exec

Description: Verify authentication, authorisation and accounting (AAA) accounting for exec is
configured.


Remediation: Configure AAA accounting for exec.
2.1.1.6 Require AAA Accounting Network

Description: Verify authentication, authorisation and accounting (AAA) accounting for network
events are configured.

Remediation: Configure AAA accounting for network events.
2.1.1.7 Require AAA Accounting System

Description: Verify authentication, authorisation and accounting (AAA) accounting for system
events are configured.

Remediation: Configure AAA accounting for system events.
2.2 Control Plane Level 2

Description: Services, settings, and data streams that support and document the operation,
traffic handling, and dynamic status of the router. Examples of control plane services include:
logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP, network topology
protocols like STP, and traffic security control protocols like IKE. Network control protocols like
ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.
2.2.1 Loopback Rules

Description: Rules in the loopback class enforce virtual interfaces source address
standardisation to enhance security, consistency of device identification and stability. Note that
addresses that are assigned loopback interfaces on device must have routes to communicate
with management devices (syslog, Telnet, TACACS+, SNMP).

2.2.1.1 Require Binding AAA Service to Loopback Interface

Description: Verify authentication, authorisation and accounting (AAA) services are bound to
the loopback interface.
Rationale: This is required so that the AAA server (radius or TACACS+) can easily identify
routers and authenticate requests by their IP address.
Remediation: Bind AAA services to the loopback interface.
2.2.1.2 Require Binding NTP Service to Loopback Interface

Description: Verify the network time protocol (NTP) service is bound to the loopback interface.
Rationale: Set the source address to be used when sending NTP traffic. This may be required if
the NTP servers you peer with filter based on IP address.
Remediation: Bind the NTP service to the loopback interface
2.2.1.3 Require Binding TFTP Service to Loopback Interface

Description: Verify the trivial file transfer protocol (TCTP) client is bound to the loopback
interface.
Rationale: This is required so that the TFTP servers can easily identify routers and authenticate
requests by their IP address.
Remediation: Bind the TFTP client to the loopback interface.
2.2.1.4 Require Loopback Interface

Description: Define and configure one loopback interface.
Rationale: The loopback interface provides a standard interface to be used in logging, time,
routing protocols, and for ACLs limiting administrative access.
Remediation: Define and configure one loopback interface.
2.2.1.5 Forbid Multiple Loopback Interfaces

Description: Define no more than one loopback interface.
Rationale: Alternate loopback addresses create a potential for abuse, mis-configuration, and
inconsistencies. Additional loopback interfaces must be documented and approved prior to use
by local security personnel.
Remediation: Define no more than one loopback interface.
2.3 Data Plane Level 2

Description: Services and settings related to the data passing through the router (as opposed to
directed to it). Basically, the data plane is for everything not in control or management planes.
Settings on a router concerned with the data plane include interface access lists, firewall

functionality (e.g. CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF
verification and CAR/QoS also fall into this area.
2.3.1 Border Router Filtering

Description: A border-filtering device connects "internal" networks such as desktop networks,
DMZ networks, etc., to "external" networks such as the Internet. If this group is chosen, then
ingress and egress filter rules will be required.
2.3.1.1 Forbid Private Source Addresses from External Networks

Description: Verify the device is configured to restrict access for traffic from external networks
that have source address that should only appear from internal networks.
Rationale: Configuring access controls can help prevent spoofing attacks. To reduce the
effectiveness of IP spoofing, configure access control to deny any traffic from the external
network that has a source address that should reside on the internal network. Include local host
address or any reserved private addresses (RFC 1918). Warning: Verify IP multicast is not required
or in use.
Remediation: Configure ACL for private source address restrictions from external networks.
2.3.1.2 Forbid External Source Addresses on Outbound Traffic

Description: Verify outbound traffic from your network includes only valid internal source
addresses.
Rationale: You can prevent users from spoofing other networks by ensuring that any outbound
traffic from your network uses only source IP addresses that are in your organisation's IP
addresses range. Your ISP can also implement this type of filtering, which is collectively referred
to as RFC 2827 filtering. This filtering denies any traffic that does not have the source address
that was expected on a particular interface.
2.3.2 Neighbor Authentication
2.3.2.1 Require BGP Authentication if Protocol is Used

Description: Verify border gateway protocol (BGP) authentication is enabled, if routing
protocol is used, where feasible.
Rationale: Verifying routing update packets using neighbor authentication reduces the
possibility of the device receiving false route updates that could potentially allow an attacker to
corrupt route tables, compromise network availability or redirect network traffic. Warning: If
you configure the device for neighbor authentication, the neighbor device must be configured
for neighbor authentication with compatible settings otherwise route update packets from the
neighbor device will be rejected.
Remediation: Configure BGP neighbor authentication where feasible.

2.3.2.2 Require EIGRP Authentication if Protocol is Used

Description: Verify enhanced interior gateway routing protocol (EIGRP) authentication is
enabled, if routing protocol is used, where feasible.
Remediation: Configure EIGRP neighbor authentication where feasible.
2.3.2.3 Require OSPF Authentication if Protocol is Used

Description: Verify open shortest path first (OSPF) protocol authentication is enabled, if routing
protocol is used, where feasible.
Remediation: Configure OSPF neighbor authentication where feasible.
2.3.2.4 Require RIPv2 Authentication if Protocol is used

Description: Verify routing information protocol (RIP) version two authentication is enabled, if
routing protocol is used, where feasible.
Remediation: Configure RIPv2 neighbor authentication where feasible.
2.3.3 Routing Rules

Description: Unneeded services should be disabled.
2.3.3.1 Require Unicast Reverse-Path Forwarding

Description: Verify unicast reverse-path forwarding (RPF) is enabled on all external or high risk
interfaces.

Rationale: Verifying the source address of IP traffic against routing rules reduces the possibility
that an attacker can spoof the source of an attack. A number of attacks methods rely on
falsifying the traffic source to create a denial-of-service (DoS) or make it harder to trace the
source of an attack. When enabled, the device checks the source address of the packet against
the interface through which the packet arrived. Packets are dropped if the device determines, by
verifying routing tables, there is no feasible path through the interface for the source address.
Enabling reverse-path verification in environments with asymmetric routes can adversely affect
network traffic.
Remediation: Configure reverse-path verification on all device interfaces.
2.3.3.2 Forbid IP Proxy ARP

Description: Verify proxy ARP is disabled on all interfaces.
Rationale: Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2
across multiple segments.
Remediation: Disable proxy ARP on all interfaces.
2.3.3.3 Forbid Tunnel Interfaces

Description: Verify no tunnel interfaces are defined.
Rationale: Tunnel interfaces should not exist in general. They can be used for malicious
purposes. If they do exist, the network admins should be well aware of them and what their
purpose is.
Remediation: Do not define any tunnel interfaces.




COURSE EVALUATION SHEET
Your comments help us improve course objectives, content, and instruction.
Name (optional): _________________________ Course Title: CCNA Routing and
Switching
Date: ___________________________________ Campus: ___________________________
Objectives
Did the course/workshop meet its stated objectives?
 Yes  No If no, please explain
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Did the course/workshop meet your needs?

 Yes  No If no, please explain
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Course/Workshop Evaluation
How would you rate: Poor Fair Good Excellent
Course/workshop content 1 2 3 4
Quality of instruction 1 2 3 4
Overall satisfaction 1 2 3 4
Relevance of activities 1 2 3 4
Suitability of training facilities 1 2 3 4
Quality of facilitation 1 2 3 4
Usefulness of learning guide(s) 1 2 3 4
Usefulness of resources 1 2 3 4
Comments and Suggestions For Improvement

What did you think was most beneficial about the course/workshop?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Continued on the next page.
What did you think was least beneficial about the course/workshop?
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Please identify by topic any information that should be added, deleted or improved (e.g. form,
clarity, pace, depth, sequence) and explain.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Please add any extra comments you may have in the space below.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Thank you for taking the time to complete this form, we use the information gathered to
continually review and improve the courses and workshops to make them as relevant and
useful as possible.

Ccnlga 002 B

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ccnlga 002 B

Uploaded by

Copyright:

Available Formats

®

Cisco Certified Network Associate

Cisco® is a registered trademark of Cisco Systems, Inc

Edition Released: March 2016

Publication No.: CCNLGA002b

SECTION 1: CCNA ROUTING AND SWITCHING ................................................................. 1-1

Topic 1: Study Process ................................................................................................................... 1-2

Topic 2: Study Plan ......................................................................................................................... 1-5

Day 1 .................................................................................................................................. 1-7

Day 2 ................................................................................................................................. 1-14

Day 3 ................................................................................................................................. 1-27

Day 4 ................................................................................................................................. 1-40

Day 5 ................................................................................................................................. 1-55

Day 6 ................................................................................................................................. 1-67

Day 7 ................................................................................................................................. 1-73

Day 8 ................................................................................................................................. 1-85

Day 9 ................................................................................................................................. 1-91

Day 10 ............................................................................................................................... 1-102

Day 11 ................................................................................................................................ 1-111

Day 12 ............................................................................................................................... 1-117

Day 13 ............................................................................................................................... 1-133

Day 14 ............................................................................................................................... 1-140

Day 15 ............................................................................................................................... 1-149

Day 16 ............................................................................................................................... 1-153

Day 17................................................................................................................................ 1-166

Day 18 ............................................................................................................................... 1-173

Day 19 ............................................................................................................................... 1-186

Day 20 ............................................................................................................................... 1-199

Day 21 ............................................................................................................................... 1-210

Day 22............................................................................................................................... 1-224

Day 23............................................................................................................................... 1-230

Day 24............................................................................................................................... 1-231

Day 25............................................................................................................................... 1-245

Day 26............................................................................................................................... 1-262

Day 27............................................................................................................................... 1-268

Day 28............................................................................................................................... 1-281

Day 29............................................................................................................................... 1-294

Day 30............................................................................................................................... 1-299

Day 31 ............................................................................................................................... 1-311

Day 32............................................................................................................................... 1-318

Day 33 to 35 ................................................................................................................... 1-330

Topic 3: VMware Images .............................................................................................................. 1-331

Topic 4: Practical Exercises .......................................................................................................... 1-334

Topic 5: Project................................................................................................................................ 1-338

Topic 6: Internal Final Assessment ............................................................................................ 1-359

Topic 7: External Certification Notes........................................................................................ 1-361

APPENDIX A: Acme Policies ............................................................................................... A-1

APPENDIX B: IOS Security Benchmark .............................................................................. B-1

IMPORTANT: This learning guide contains IMPORTANT information! You

Computer Power Plus Cisco Certified Network Associate (CCN) Breakdown

Module Component Hours Weighting

Details of the module are covered in Section 1.

Computer Power Plus iii

 Describe the operation of IP data networks

 Understand and configure LAN switching technologies

 Describe and configure IP routing technologies

 Describe and configure IP services

 Configure network device security

 Troubleshoot IP addressing, routing, and switching problems

 Identify and configure enhanced LAN switching technologies

 Identify, configure, and troubleshoot WAN technologies.

The objectives can be downloaded from here:

 CCN Workshop Guide