12/16/24, 5:10 PM Final Lab (Practical) Exam

Final Lab (Practical) Exam

Due Tuesday by 11:59pm
Points 30
Available Nov 26 at 12am - Dec 17 at 11:59pm

Faculty of Information Technology

Final Exam (Practical) Academic Year: 2024-2025 (1)

Course Code & Name: INSY 8211 & Computer Networks

Lecturer: Joshua IRADUKUNDA Deadline: 11:59 p.m. 17th December,

2024

MAX/30 Group Day: (ALL) DURATION: 6Hours


Instructions:
Download the .pka file: The file is available on Canvas. And Reconfigure the network according to
the instructions provided below.
User Profile Configuration: Before starting, locate the User Profile in Packet Tracer.
Update the following fields:
Name: Enter your Student ID.
Additional Info: Enter your Full Name, Class Day, and Group.

Note: If you forget to do this or update it after reconfiguring, your work will not be graded, and all
configurations will reset to zero.

Automatic Grading: The .pka file uses Packet Tracer’s grading system. Your grade will be based on
the accuracy and completeness of your configurations.

Topology

https://canvas.instructure.com/courses/10318784/assignments/51615658 1/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

yourFullName_StudentID_CNetF24-FinalExam.pka

(https://canvas.instructure.com/courses/10318784/files/280333609?wrap=1)

(https://canvas.instructure.com/courses/10318784/files/280333609/download?

download_frd=1)


Packet tracer version: 8.2.2.

1. VLAN, Switch, and IP Configuration

M-SWC

Switch VLAN ID VLAN Name Subnet

10 Students 192.168.10.0/29

20 Administration-Dep 192.168.20.0/29
M-SWC
30 IT-Dep 192.168.30.0/29

99 Management 192.168.99.0/30

G-SWC

Switch VLAN ID VLAN Name Subnet

https://canvas.instructure.com/courses/10318784/assignments/51615658 2/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

10 Students 192.168.10.8/29

20 Administration-Dep 192.168.20.8/29
G-SWC
30 IT-Dep 192.168.31.0/29

99 Management 192.168.99.4/30

N-SWC

Switch VLAN ID VLAN Name Subnet

20 Administration-Dep 192.168.20.16/29
N-SWC
30 IT-Dep 192.168.32.0/29


2. Static Routing

Configure static routes to connect routers to the ISP:

Connection Interfaces Subnet

ISP-R ↔ MASORO-R Serial2/0 to Serial 0/0/0 100.100.100.8/29

ISP-R ↔ GISHUSHU-R Serial3/0 to Serial 0/0/0 150.150.150.152/29

ISP-R ↔ NGOMA-R Serial4/0 to Serial 0/0/0 200.200.200.200/29

Assign the first valid IP of each subnet to the ISP router.

3. NAT/PAT Configuration
4. Public Web Server:
Host the AUCA Registration web page on the MASORO site.
Configure NAT so that the web server is accessible via 100.100.10/29.
https://canvas.instructure.com/courses/10318784/assignments/51615658 3/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

5. PAT Overload:
Translate internal VLANs 10 and 20 using PAT.
Exclude VLAN30 (used for IPsec VPN).

4. Access Control Lists (ACLs)

Requirement Type

Allow intra-campus VLAN communication. Standard

Restrict inter-campus VLAN communication to the same department (e.g., VLAN10 ↔

Extended
VLAN10 only).

Named
Allow IT-Department users (VLAN30) to SSH all routers and switches at MASORO.
ACL

Permit web server access (HTTP only) to all users using http://cnet.auca.ac.rw Extended


5. IPsec VPN Configuration

Set up Site-to-Site IPsec VPN tunnels between campuses using the following detailed configurations.

IPsec Phase 1: ISAKMP Policy

Command Description

crypto isakmp policy 10 Define ISAKMP policy.

encr aes 256 Use AES 256-bit encryption.

authentication pre-share Pre-shared key authentication.

group 5 Use Diffie-Hellman Group 5 for key exchange.

https://canvas.instructure.com/courses/10318784/assignments/51615658 4/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Pre-Shared Keys

Site Pair Key Remote Address

MASORO ↔ GISHUSHU Masoro&GishushuKey 200.200.200.202/29

MASORO ↔ NGOMA Masoro&NgomaKey 150.150.150.154/29

IPsec Phase 2: Transform Sets

Site Pair Transform Set Encryption & Hashing


MASORO ↔ GISHUSHU Masoro2Gishushu esp-aes 256 esp-sha-hmac

Gishushu2Masoro esp-aes 256 esp-sha-hmac

MASORO ↔ NGOMA Masoro2Ngoma esp-aes 256 esp-sha-hmac

Ngoma2Masoro esp-aes 256 esp-sha-hmac

Crypto Map Configuration

MASORO-R GISHUSHU-R NGOMA-R

Crypto Map MasoroMAP GishushuMAP NgomaMAP

Peer GISHUSHU: MASORO: MASORO:

200.200.200.202/29, 100.100.100.10/29 100.100.100.10/29

https://canvas.instructure.com/courses/10318784/assignments/51615658 5/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

NGOMA:
150.150.150.154/29

PFS Group 5 Group 5 Group 5

SA Lifetime 86400 seconds 86400 seconds 86400 seconds

Masoro2Gishushu,
Transform Set Gishushu2Masoro Ngoma2Masoro
Masoro2Ngoma

Masoro2Gishushu,
Match ACL Gishushu2Masoro Ngoma2Masoro
Masoro2Ngoma


Device Configurations

MASORO-R ROUTER
Router Authentication

Parameter Configuration Description

Username cnet-f24 Set the router's username.

Password/Secret f24-cnet Set the router's password or secret key.

Enable Secret f24-cnet (encrypted) Enable secret password for privileged exec access.

DHCP Configuration

DHCP Pool Name Network Subnet Mask Default Router DNS Server

https://canvas.instructure.com/courses/10318784/assignments/51615658 6/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Students 192.168.10.0 255.255.255.248 192.168.10.1 192.168.30.2

Administration-Dep 192.168.20.0 255.255.255.248 192.168.20.1 192.168.30.2

IT-Dep 192.168.30.0 255.255.255.248 192.168.30.1 192.168.30.3

IPsec VPN Configuration

Policy Encryption Authentication Group Key Peer Address

ISAKMP AES 256 Pre-shared Group 5 Masoro&NgomaKey 150.150.150.154

ISAKMP AES 256 Pre-shared Group 5 Masoro&GishushuKey 200.200.200.202


Transform Set Transform Type Security Lifetime

Masoro2Gishushu esp-aes 256 esp-sha-hmac 86400 sec

Masoro2Ngoma esp-aes 256 esp-sha-hmac 86400 sec

Crypto Map Configuration

Crypto Map Name Sequence Number Peer Address Transform Set Match Address

MasoroMAP 10 200.200.200.202 Masoro2Gishushu Masoro2Gishushu

MasoroMAP 20 150.150.150.154 Masoro2Ngoma Masoro2Ngoma

NAT Configuration

Source Translation
Source NAT Rule Destination Address Type
Address Address

https://canvas.instructure.com/courses/10318784/assignments/51615658 7/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

NAT for Students and 192.168.10.0

192.168.20.0 0.0.0.7 Serial0/0/0 Overload
Administration 0.0.0.7

Static NAT for Web Server 192.168.30.2 100.100.100.12 TCP (80)

Static NAT for DNS Server 192.168.30.3 100.100.100.14 UDP (53)

Interfaces Configuration

Interface VLAN/Subinterface IP Address Subnet Mask Other Settings

G0/0 No IP Address N/A N/A N/A

G0/0.10 VLAN 10 192.168.10.1 255.255.255.248 NAT Inside

G0/0.20 VLAN 20 192.168.20.1 255.255.255.248 NAT Inside

G0/0.30 VLAN 30 192.168.30.1 255.255.255.248 NAT Inside


G0/0.99 VLAN 99 192.168.99.1 255.255.255.252 N/A

Serial0/0/0 No Subinterface 100.100.100.10 255.255.255.248 NAT Outside, Crypto Map

Serial0/0/1 No IP Address N/A N/A Clock Rate 2000000

Vlan1 Shutdown No IP Address N/A N/A

Routing Configuration

Destination Network Subnet Mask Next Hop IP Address

0.0.0.0 0.0.0.0 100.100.100.9

192.168.31.0 255.255.255.248 100.100.100.9

https://canvas.instructure.com/courses/10318784/assignments/51615658 8/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

192.168.32.0 255.255.255.248 150.150.150.154

Access Lists

Access List Name Type Rules

Masoro2Gishushu Extended Allow IP traffic between 192.168.30.0 and 192.168.31.0

Masoro2Ngoma Extended Allow IP traffic between 192.168.30.0 and 192.168.32.0

Natting10&20Nets Standard Allow 192.168.10.0 and 192.168.20.0 networks

Deny TCP on port 22 (SSH) for all traffic, then permit all
Access List 100 Extended
other IP traffic

Banner Configuration


Line Configuration

Line Type Configuration

Console 0 Login local

Auxiliary 0 N/A

VTY 0-1 Login local, transport input ssh

VTY 2-4 Login

General Steps for Configuration:

1. Authentication Configuration:
Set the router username and secret using the provided credentials.
2. DHCP Pools Setup:
Define and exclude specific IP addresses from the DHCP pools for students, administration, and
IT departments.

https://canvas.instructure.com/courses/10318784/assignments/51615658 9/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

3. VPN Configuration:
Set up ISAKMP policies and keys for two VPN peers (Masoro&GishushuKey and
Masoro&NgomaKey).
Apply the crypto maps to define the transformation sets and lifetime for secure connections.
4. NAT Configuration:
Set up source NAT for specific networks and static NAT for web and DNS servers.
5. Interface Setup:
Configure interfaces for VLANs and assign appropriate IP addresses.
Set the serial interfaces for external communication and apply the necessary crypto map for
IPsec.
6. Routing Configuration:
Set up static routes for proper network communication across interfaces.
7. Access List Setup:
Define the required extended and standard access lists to control traffic flow.
8. Line Configuration:
Enable local login for console and VTY lines, and set up SSH transport for secure management.

GISHUSHU-R ROUTER
1. Username and Password Configuration


Parameter Value

Username cnet-f24

Password f24-cnet

Secret f24-cnet

Set the username and secret password to allow SSH login using local authentication.

2. Create and Configure Crypto Policies for IPsec

ISAKMP Policy: Define the policy for secure ISAKMP (Internet Security Association and Key
Management Protocol) negotiations.

Parameter Value

https://canvas.instructure.com/courses/10318784/assignments/51615658 10/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Encryption aes 256

Authentication pre-share

Group 5

This configures the ISAKMP policy for encryption using AES 256, pre-shared keys for authentication,
and Diffie-Hellman group 5.

3. Define ISAKMP Pre-shared Keys for Peers

Peer IP Address Pre-shared Key

100.100.100.10 Masoro&GishushuKey

This defines the pre-shared key for IPsec VPN tunnel setup between GISHUSHU-R and MASORO-
R.


4. Configure Crypto Transform Set
Transform Set: Define the security parameters for IPsec encryption and hashing.

Parameter Value

Transform Set Gishushu2Masoro

Encryption esp-aes 256

Integrity esp-sha-hmac

This configures the encryption (AES 256) and hashing (SHA) for IPsec encryption.

5. Apply Crypto Map

Crypto Map: Apply the IPsec settings to the appropriate interface.

https://canvas.instructure.com/courses/10318784/assignments/51615658 11/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Security
Peer IP PFS
Crypto Map Transform Set Association Access List Name
Address Group
Lifetime

GishushuMAP
100.100.100.10 Gishushu2Masoro 86400 group5 Gishushu2Masoro
10

This configures the IPsec VPN settings for the GISHUSHU-R router with the peer 100.100.100.10
and applies the specified transform set.

6. Configure IP Routing
Static Route: Define routes for the network traffic.

Destination Network Subnet Mask Next-Hop IP Address

0.0.0.0 0.0.0.0 200.200.200.201


192.168.30.0 255.255.255.248 200.200.200.201

This sets up the default route and the route to reach the 192.168.30.0 network via 200.200.200.201.

7. NAT Configuration
NAT Overload: Enable NAT to translate private IP addresses to public IP addresses.

Source List Name Interface NAT Type

Natting10&20Nets Serial0/0/0 overload

This configures NAT for the 192.168.10.0 and 192.168.20.0 networks, using Serial0/0/0 interface for
NAT overload.

8. Create and Apply Access Lists

Access List for IPsec Traffic: Define an access list for the IPsec traffic to be allowed.

https://canvas.instructure.com/courses/10318784/assignments/51615658 12/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Access List Name Action Source Network Destination Network

Gishushu2Masoro permit 192.168.31.0 0.0.0.7 192.168.30.0 0.0.0.7

This defines the allowed traffic for the IPsec VPN between GISHUSHU-R and MASORO-R.

9. Banner Configuration
Motd Banner: Set a message of the day (MOTD) to display when accessing the router.
This configures a welcome banner to be displayed to users who access the router.

10. SSH Access Configuration

SSH Authentication: Enable SSH access and configure login credentials.

Line Type Login Method Transport


vty 0 1 local ssh

This enables SSH access on virtual terminal lines 0-1 and sets local authentication for user login.

11. DHCP Configuration

Pool Name Network Range Default Router DNS Server

Students 192.168.10.8/29 192.168.10.9 100.100.100.14

Administration-Dep 192.168.20.8/29 192.168.20.9 100.100.100.14

IT-Dep 192.168.31.0/29 192.168.31.1 192.168.30.2

These settings configure DHCP pools for the Students, Administration-Dep, and IT-Dep networks,
assigning the appropriate default gateway and DNS server.

https://canvas.instructure.com/courses/10318784/assignments/51615658 13/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

NGOMA-R ROUTER

Parameter Value

Router Name NGOMA-R

Username cnet-f24

Password/Secret f24-cnet

DHCP Pools and Exclusions Not configured in this router

NAT Configuration Configured with overload and static NAT mappings


These steps provide a structured and comprehensive guide for the configuration of the
NGOMA-R

Step 1: Interface Configuration

GigabitEthernet0/0: This interface is assigned an IP address 192.168.20.17/29 and is set to perform
NAT inside.
GigabitEthernet0/1: This interface is assigned an IP address 192.168.32.1/29, used for
communication with other devices in the network.
Serial0/0/0: This is the external interface for NAT, connected to the peer router. It has the IP
150.150.150.154/29 and is also associated with an IPsec crypto map for secure communication.
Interface Configuration Summary

Interface IP Address Subnet Mask NAT Role

GigabitEthernet0/0 192.168.20.17 255.255.255.248 Inside

GigabitEthernet0/1 192.168.32.1 255.255.255.248 Inside

https://canvas.instructure.com/courses/10318784/assignments/51615658 14/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Serial0/0/0 150.150.150.154 255.255.255.248 Outside

Step 2: NAT Configuration

Inside NAT Source List: The router performs NAT for the network 192.168.20.16/29 using access
list Natting20Net and overloads the IP address of the Serial0/0/0 interface.
Static NAT Configuration: Not configured in this router for specific IP address mappings.
NAT Configuration Summary

Configuration Value

NAT Source List Natting20Net

Overload Enabled on Serial0/0/0

Static NAT Not configured


Step 3: IP Routing
Routing Table: Static routing is configured for default and specific network routes:
Default route: 0.0.0.0/0 through 150.150.150.153.
Specific route for 192.168.30.0/29 network via 150.150.150.153.
IP Route Configuration Summary

Destination Network Subnet Mask Next Hop

0.0.0.0/0 0.0.0.0 150.150.150.153

192.168.30.0/29 255.255.255.248 150.150.150.153

Step 4: Security and VPN Configuration

IPsec VPN:

https://canvas.instructure.com/courses/10318784/assignments/51615658 15/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

ISAKMP (Internet Security Association and Key Management Protocol) policy is set to AES 256
encryption with pre-shared key authentication using group 5.
IPsec transform set Ngoma2Masoro configured with ESP-AES 256 encryption and ESP-SHA-
HMAC for data integrity.
IPsec crypto map NgomaMAP configured to use the peer IP address 100.100.100.10 with
specified SA (Security Association) lifetime and PFS (Perfect Forward Secrecy) group.

IPsec VPN Configuration Summary

Parameter Value

ISAKMP Policy AES 256 encryption, Pre-shared key, Group 5

ISAKMP Key Masoro&NgomaKey for peer 100.100.100.10

IPsec Transform Set Ngoma2Masoro

Crypto Map NgomaMAP, Peer 100.100.100.10


Step 5: Access Control Lists (ACL)
Extended ACL: Ngoma2Masoro allows traffic from 192.168.32.0/29 to 192.168.30.0/29.
Standard ACL: Natting20Net allows traffic from the 192.168.20.16/29 network.
ACL Configuration Summary

ACL Name Type Source Network Destination Network Action

Ngoma2Masoro Extended 192.168.32.0/29 192.168.30.0/29 Permit

Natting20Net Standard 192.168.20.16/29 N/A Permit

Step 6: User and Authentication Configuration

Username: cnet-f24 with secret password f24-cnet.
Login Access: Local login is configured for VTY lines 0 1 with SSH transport enabled.
User and Authentication Summary

https://canvas.instructure.com/courses/10318784/assignments/51615658 16/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Parameter Value

Username cnet-f24

Secret Password f24-cnet

VTY Lines 0-1, login local, SSH transport

Step 7: Banner Configuration

The banner provides a welcome message with a security warning for authorized access only and
mentions that unauthorized access will be logged.
Banner Configuration Summary

Step 8: Miscellaneous Settings

Domain Lookup: Disabled (no ip domain-lookup).


Summary of Key Configuration Points:

Configuration Details

Router Name NGOMA-R

Enable Secret Set

NAT Inside Source Configured with overload

IP Routing Static routes set

IPsec VPN Configured with AES 256 and pre-shared keys

ACLs Configured for NAT and VPN traffic

https://canvas.instructure.com/courses/10318784/assignments/51615658 17/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

User Authentication Local login with username cnet-f24

MASORO SWITCH (M-SWC)

Configuration Area Details and Parameters

Hostname Set the hostname to M-SWC.

Domain Name Configure the domain name as cnet.auca.ac.rw.

- Username: cnet-f24 with secret: f24-cnet.

Access Credentials
- Enable secret password: f24-cnet.

- VLAN 10, 20, 30, and 99 are pre-configured.

VLAN Configuration


- VLAN 99 is assigned an IP address:
192.168.99.2/30.

Configure interfaces as follows:

FastEthernet Ports:

- Fa0/1 to Fa0/5: Access mode, VLAN 30.

Interface Assignments - Fa0/10 to Fa0/14: Access mode, VLAN 10.

- Fa0/15 to Fa0/20: Access mode, VLAN 20.

GigabitEthernet Ports:

- Gi0/1: Trunk mode (default VLAN tagging allowed).

https://canvas.instructure.com/courses/10318784/assignments/51615658 18/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Line Configurations - Lines 0–1 use local login.

GISHUSHU SWITCH (G-SWC)

Below are the instructions and guidelines to configure the GISHUSHU SWITCH, based on the provided
configurations. These guidelines focus on operational interfaces and exclude any down or unused
interfaces.

1. General Settings

Parameter Value

Hostname G-SWC

Domain Name cnet.auca.ac.rw

Enable Secret f24-cnet


Username: cnet-f24
Local Username
secret: f24-cnet

2. VLAN Configuration

VLAN ID Assigned Interfaces

10 FastEthernet0/10, 0/11, 0/12, 0/13, 0/14

20 FastEthernet0/15, 0/16, 0/17, 0/18, 0/19, 0/20

30 FastEthernet0/1, 0/2, 0/3, 0/4, 0/5

3. Trunk Port Configuration

Interface Purpose Mode

GigabitEthernet0/1 Trunk connection Trunk

4. Management VLAN

https://canvas.instructure.com/courses/10318784/assignments/51615658 19/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

VLAN ID IP Address Subnet Mask

99 192.168.99.6 255.255.255.252

5. Interface Configurations

Interface Description Mode

FastEthernet0/1 - 0/5 Assigned to VLAN 30 Access Mode

FastEthernet0/10 - 0/14 Assigned to VLAN 10 Access Mode

FastEthernet0/15 - 0/20 Assigned to VLAN 20 Access Mode

GigabitEthernet0/1 Trunk connection to other switches Trunk Mode

6. Line Configuration

Line Type Authentication Method


VTY 0-1 Local Login (Username: cnet-f24)

Notes:

Ensure that VLANs are properly configured on any connected router or switch for seamless
communication.
Verify trunk settings on GigabitEthernet0/1 to ensure VLAN traffic is passed correctly.
Use VLAN99 for management purposes, and connect to 192.168.99.6 to manage the switch.
Document all configuration changes as part of network administration guidelines.

Other Configurations

Below are the configuration instructions for the N-SWC1, N-SWC2, and the devices in VLAN 20 and
VLAN 30 from NGOMA Campus and Servers From MASORO Campus, as per your requirements.

1. Switch Configuration (N-SWC1 & N-SWC2)

For N-SWC1 and N-SWC2, we will configure the following basic settings:

1. Enable SSH and Telnet Access:

Configure line VTY for both SSH and Telnet access.

https://canvas.instructure.com/courses/10318784/assignments/51615658 20/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

2. Username and Secret Setup:

Configure usernames with their respective secrets for secure login.
3. Domain Name:
Set ip domain-name for domain configuration.
4. Banner Configuration:
Set a login banner for informational purposes.
Configuration for Both N-SWC1 & N-SWC2:
Domain Name: Configures the domain name as cnet.auca.ac.rw.
Credentials: username: cnet-f24 and secret f24-cnet
VTY Lines: Configures line VTY 0-1 for both SSH and Telnet access.
Banner: A banner is displayed when logging into the switch.

2. Device Configuration in VLAN 20 & VLAN 30

PC1 in VLAN 20

Parameter Value

IP Address 192.168.20.18


Subnet Mask 255.255.255.248

Default Gateway 192.168.20.17

DNS Server 100.100.100.14

Laptop1 in VLAN 30

Parameter Value

IP Address 192.168.32.2

Subnet Mask 255.255.255.248

Default Gateway 192.168.32.1

DNS Server 192.168.30.3

https://canvas.instructure.com/courses/10318784/assignments/51615658 21/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

WEB-Server in VLAN 30

Parameter Value

IP Address 192.168.30.2

Subnet Mask 255.255.255.248

Default Gateway 192.168.30.1

DNS Server 192.168.30.3

DNS-TFTP in VLAN 30 (DNS Server for Public and Private Address Resolution)

Parameter Value

IP Address 192.168.30.3

Subnet Mask 255.255.255.248


Default Gateway 192.168.32.1

DNS Server 192.168.30.3

DNS-Server Configuration for Public and Private Address Resolution:

DNS-TFTP serves as the DNS Server for Public Address Resolution.
WEB-Server is used for Private Address Resolution and HTTP Service.

Submission Guidelines
1. Test all configurations for functionality:
VLAN, DHCP, ACL, NAT/PAT, and routing.
VPN tunnel connectivity.
2. Save your graded .pka file with your name in the filename

[e.g. yourFullName_StudentID_CNetF24-FinalExam.pka].

3. Submit your file via the Canvas.

https://canvas.instructure.com/courses/10318784/assignments/51615658 22/23
12/16/24, 5:10 PM Final Lab (Practical) Exam

Good luck!

https://canvas.instructure.com/courses/10318784/assignments/51615658 23/23