
Page 1: IT Network Systems Administration Module A Cisco Network

LKSN2019_ITNSA

Test Project IT Network Systems Administration

Module A – Cisco Network Environment

Submitted by:

ITNSA-ID Team

Date: 13.02.19 LKSN2019_ITNSA

Version: 1.0 © WorldSkills International

Contents

Introduction
NETWORK ISLAND TASK
  BASIC CONFIGURATION
  SWITCHING CONFIGURATION
  ROUTING CONFIGURATION
  SERVICES CONFIGURATION
  SECURITY CONFIGURATION
  MONITORING AND BACKUP CONFIGURATION
  WAN & VPN CONFIGURATION
LAYER 1 NETWORK DIAGRAM
LAYER 2 NETWORK DIAGRAM
LAYER 3 NETWORK DIAGRAM


Introduction to Test Project

This Test Project proposal consists of the following document/file: LKSN2019_ITNETWORK_MODUL_A.pdf

Introduction

Knowledge of network technologies has become essential for anyone who wants to build a successful career in any IT engineering field. This test project contains many challenges drawn from real-life experience, primarily IT integration and IT outsourcing. If you are able to complete this project with a high score, you are definitely ready to implement the network infrastructure of any multi-branch enterprise.

Description of project and tasks

This test project is designed using a variety of network technologies that should be familiar from the Cisco certification tracks. Tasks are broken down into the following configuration sections:

• Basic configuration
• Switching
• Routing
• Services
• Security
• Monitoring and backup
• WAN and VPN

All sections are independent, but together they build a very complex network infrastructure. Some tasks are simple and straightforward; others may be tricky. You will notice that some technologies are expected to work on top of other technologies. For example, IPv6 routing is expected to run on top of the configured VPNs, which in turn are expected to run on top of IPv4 routing, which in turn is expected to run on top of PPPoE, and so on. It is important to understand that if you cannot come up with a solution in the middle of such a technology stack, it does not mean that the rest of your work will not be graded. For example, you may be unable to configure the IPv4 routing that the VPN requires for IP reachability, but you can use static routes instead and then continue with the VPN configuration and everything that runs on top of it. You will not receive points for IPv4 routing in that case, but you will receive points for everything you made operational on top of it, as long as functional testing is successful.

NOTE:

RADIUS VM (Debian 9.5): usernames root and skill39, password Skill39
PC1 (Ubuntu 16.04): username skill39, password Skill39


NETWORK ISLAND TASK

BASIC CONFIGURATION

• Configure the domain name lksn2019.com on HQ2, BR1, and FW2.

• Create the user lksn2019 with the password yogyakarta on HQ2, BR1, and FW2.
  o Only the scrypt hash of the password should be stored in the configuration (this requirement applies only to the routers, NOT to the ASA firewalls).
  o The user should have maximum privileges.

• Configure the new AAA model on HQ2, BR1, and FW2.
  o Remote console (vty) authentication should use the local username database.
  o After successful authentication on a vty line, users should automatically land in privileged mode (except on FW2).
  o Enable login authentication on the local console.
  o After successful authentication on the local console, the user should land in user mode with minimal privileges (privilege level 1).
  o On the BR1 router only, after successful authentication on the local console the user should automatically land in privileged mode with maximal privileges.

• Configure RADIUS authentication for all remote consoles (vty) on the HQ2 router.
  o Authentication sequence:
    - RADIUS server
    - Local username database
  o Use "cisco1" as the shared key.
  o Use port 1812 for authentication and port 1813 for accounting.
  o The IP address of the RADIUS server is 192.168.10.10.
  o Configure automatic authorization: after successful authentication on the RADIUS server, the user should automatically land in privileged mode with maximal privileges.
  o Test RADIUS authentication using the radius/cisco1 credentials.

• Configure diy as the privileged mode password on HQ2, BR1, and FW2.
  o The password should be stored in the configuration in plain text (not as a hash).
  o Configure privileged mode authorization on FW2. For example:

    # Connect to FW2 using SSH or the console
    Username: lksn2019
    Password: yogyakarta
    Type help or '?' for a list of available commands.
    FW2> enable
    Password: diy
    FW2#

  o Set the mode in which all passwords in the configuration are stored as reversible cipher text. (Such reversible encoding only hides passwords from someone glancing at the configuration; it is not a substitute for a one-way hash, which is why the user password above must be stored as scrypt.)

• Create all necessary interfaces, subinterfaces and loopbacks on ALL devices. Use IP addressing according to the L3 diagram.
  o Use VLAN 101 as the virtual interface (SVI) on the SW1, SW2 and SW3 switches, with the IP addresses:
    - 192.168.10.51 for SW1
    - 192.168.10.52 for SW2
    - 192.168.10.53 for SW3
  o On HQ1 and HQ2, use automatic IPv6 address generation (EUI-64) on the LAN1 subnet.

• HQ2, BR1, and FW2 should be accessible using SSH protocol version 2. On FW2, allow SSH connections on the "inside" interface.

• Configure the current local time zone (GMT+7) on the HQ1 router.
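The AAA, RADIUS and SSH requirements above are easiest to see as one configuration. The following is an added worked example written for this page, not part of the original test project or a reference solution from its authors. Everything not stated in the task is an assumption: the AAA list names (VTY, CON), the RADIUS group name RAD, and FW2's inside subnet, which is taken from the L3 diagram as 10.20.30.0/24.

```cisco
! ===== HQ2 (IOS): domain, local user, AAA, RADIUS, SSHv2 =====
hostname HQ2
ip domain-name lksn2019.com
!
! Type 9 (scrypt) secret: "show run | include username" must show "secret 9 ..."
username lksn2019 privilege 15 algorithm-type scrypt secret yogyakarta
!
! The task wants the enable password in the clear ("password", not "secret");
! service password-encryption then rewrites it as reversible Type 7 text
enable password diy
service password-encryption
!
aaa new-model
!
! RADIUS server 192.168.10.10, UDP 1812/1813, shared key cisco1
radius server RADIUSSRV
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key cisco1
aaa group server radius RAD
 server name RADIUSSRV
!
! vty login: RADIUS first; "local" is consulted only when no RADIUS server
! answers, not when RADIUS rejects the user
aaa authentication login VTY group RAD local
! console login: local database only
aaa authentication login CON local
! exec authorization on vty: the local user carries privilege 15, and the RADIUS
! user must come back with Cisco-AVPair "shell:priv-lvl=15" to land in enable mode
aaa authorization exec VTY group RAD local
!
! Console stays at privilege 1: without "aaa authorization console" no exec
! authorization is applied to line con 0, even though login is authenticated
line con 0
 login authentication CON
line vty 0 4
 login authentication VTY
 authorization exec VTY
 transport input ssh
!
crypto key generate rsa modulus 2048
ip ssh version 2
!
! ===== BR1 (IOS): same as HQ2 without RADIUS, console differs =====
aaa authentication login VTY local
aaa authentication login CON local
aaa authorization exec VTY local
! Authorize exec on the console too, so the privilege-15 user lands in enable mode
aaa authorization console
aaa authorization exec CON local
line con 0
 login authentication CON
 authorization exec CON
!
! ===== FW2 (ASA): local user, SSHv2 on inside, enable password in the clear =====
! (inside subnet 10.20.30.0/24 is an assumption taken from the L3 diagram)
hostname FW2
domain-name lksn2019.com
username lksn2019 password yogyakarta privilege 15
enable password diy
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 10.20.30.0 255.255.255.0 inside
ssh version 2
```

Checks worth running before moving on: `show running-config | include username` on HQ2 and BR1 must show `secret 9` (scrypt) for lksn2019 and `enable password 7` for diy; `test aaa group RAD radius cisco1 new-code` on HQ2 confirms the shared key and ports without opening a session; and after `ssh -l radius` from PC1, `show privilege` must answer 15. On the RADIUS VM the user radius needs Cleartext-Password cisco1 and the reply attribute Cisco-AVPair "shell:priv-lvl=15", and HQ2's source address must be registered as a client with the same secret, otherwise the fallback to the local database silently masks a broken RADIUS setup.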


SWITCHING CONFIGURATION

• Configure VTP version 2 on SW1, SW2 and SW3. Use SW1 as the VTP server and SW2 and SW3 as clients. Use LKSN as the VTP domain name and 2019 as the password. The VLAN database on all switches should contain the following VLANs:
  o VLAN 101 with the name LAN1.
  o VLAN 102 with the name VOICE.
  o VLAN 103 with the name EDGE.

• On the SW1, SW2 and SW3 switches configure Dynamic Trunking Protocol:
  o For ports Gi1/1 and Gi2/1 on SW1, configure the mode that listens for trunk negotiation but does not initiate it.
  o For port Gi1/1 on SW2 and port Gi2/1 on SW3, configure the mode that initiates trunk negotiation.
  o Configure ports Gi0/1-3 on SW1 and SW2 for traffic transmission using the IEEE 802.1Q protocol.

• Configure link aggregation between switches SW1 and SW2. Use port-channel number 1.
  o SW2 should use PAgP desirable mode.
  o SW1 should use PAgP auto mode.

• Configure spanning tree protocol:
  o On ALL switches use the STP version that is compatible with the 802.1w standard.
  o SW2 should be the STP root in VLAN 101. If SW2 fails, SW3 should become the root.
  o SW1 should be the STP root in VLAN 102. If SW1 fails, SW2 should become the root.
  o SW3 should be the STP root in VLAN 103. If SW3 fails, SW1 should become the root.
  o For traffic transmission in VLANs 101, 102 and 103 on SW1 and SW2, use ports that are not participating in channel-groups.

• Turn on root guard on the SW2 port which is connected to the RADIUS VM.

• Configure PortFast on the SW3 port which is connected to PC1.

• LAN1 subnet traffic between the HQ1 router and the SW1 switch should be forwarded without an IEEE 802.1Q tag.
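The switching section as one worked configuration, added for this page and not taken from the test project or its authors. Port roles are assumptions read from the Layer 1 and Layer 2 diagrams: Gi0/1 on SW1 faces HQ1, Gi0/2-3 on SW1 and SW2 form Port-channel 1, Gi1/1 joins SW1 and SW2 and Gi2/1 joins SW1 and SW3 as DTP-negotiated trunks, and Gi1/0 on SW2 and SW3 are the access ports for RADIUSSRV and PC1. Root and backup-root priorities (4096 and 8192) are a convention, not a task value.

```cisco
! ===== SW1: VTP server, DTP auto, static trunks, PAgP auto, RSTP =====
hostname SW1
vtp domain LKSN
vtp version 2
vtp mode server
vtp password 2019
vlan 101
 name LAN1
vlan 102
 name VOICE
vlan 103
 name EDGE
!
! 802.1w-compatible STP; root for VLAN 102, backup root for VLAN 103
spanning-tree mode rapid-pvst
spanning-tree vlan 102 priority 4096
spanning-tree vlan 103 priority 8192
!
! Listen for DTP, never initiate (dynamic auto)
interface range GigabitEthernet1/1 , GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic auto
!
! Static 802.1Q trunks
interface range GigabitEthernet0/1 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
! LAN1 toward HQ1 must be untagged: VLAN 101 is the native VLAN on that trunk
interface GigabitEthernet0/1
 switchport trunk native vlan 101
!
! Po1 to SW2; VLANs 101-103 are pruned from the bundle so they use the other ports
interface range GigabitEthernet0/2 - 3
 channel-group 1 mode auto
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 101-103
!
interface Vlan101
 ip address 192.168.10.51 255.255.255.0
!
! ===== SW2: VTP client, DTP desirable, PAgP desirable, root guard =====
hostname SW2
vtp domain LKSN
vtp version 2
vtp mode client
vtp password 2019
spanning-tree mode rapid-pvst
spanning-tree vlan 101 priority 4096
spanning-tree vlan 102 priority 8192
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
interface range GigabitEthernet0/1 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface range GigabitEthernet0/2 - 3
 channel-group 1 mode desirable
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 101-103
! Gi1/0 faces the RADIUS VM: access port; a superior BPDU from there is blocked
interface GigabitEthernet1/0
 switchport mode access
 switchport access vlan 101
 spanning-tree guard root
! interface Vlan101 as on SW1, with 192.168.10.52
!
! ===== SW3: VTP client, DTP desirable, PortFast toward PC1 =====
hostname SW3
vtp domain LKSN
vtp version 2
vtp mode client
vtp password 2019
spanning-tree mode rapid-pvst
spanning-tree vlan 103 priority 4096
spanning-tree vlan 101 priority 8192
interface GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
interface GigabitEthernet1/0
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
! interface Vlan101 as on SW1, with 192.168.10.53
```

Verify with `show vtp status` (same configuration revision on all three switches), `show interfaces trunk` (Gi1/1 and Gi2/1 listed as trunking, Po1 without 101-103 in the allowed list), `show etherchannel summary` (Po1 flagged SU, members P), and `show spanning-tree vlan 101` on each switch to confirm the intended root. VTP version 2 with a server and a shared password will overwrite the clients' VLAN databases, so build the VLANs on SW1 only and confirm the revision number before cabling a pre-configured switch into the domain.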


ROUTING CONFIGURATION

• Configure EIGRP with AS number 2019 on the ISP1, ISP2, HQ1, HQ2 and BR1 routers according to the routing diagram. Enable authentication of routing updates using the MD5 algorithm with the key DIY.

• Configure BGP on ISP1, ISP2, HQ1, and HQ2 according to the routing diagram.
  o Routers HQ1 and HQ2 should exchange routing updates using iBGP.
  o Configure route filtering so that the route 209.136.0.0/16 is not present in the routing table of the HQ1 router.

• Configure OSPFv2 on the HQ1, HQ2 and BR1 routers and the FW1 and FW2 firewalls according to the routing diagram.

• Configure OSPFv3 on the HQ1, HQ2 and BR1 routers according to the routing diagram.

• On the BR1 router, configure redistribution of OSPF routes into EIGRP AS 2019 for the Loopback10 subnet only.
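A worked configuration for the routing tasks, added for this page rather than taken from the test project. The AS numbers, neighbour addresses and interface names are assumptions read from the routing and L3 diagrams: HQ1 and HQ2 in BGP AS 65001 peering on Loopback101 and Loopback102, ISP1 in AS 65003 reachable at 20.19.7.1, HQ1's Gi0/2 on INET10, and OSPF areas 0 and 1 as drawn. The key chain and prefix-list names are arbitrary.

```cisco
! ===== All five EIGRP routers: AS 2019 with MD5 neighbour authentication =====
key chain EIGRP-KEYS
 key 1
  key-string DIY
router eigrp 2019
 network 20.19.7.0 0.0.0.15
 no auto-summary
! Every EIGRP-facing interface needs both lines (HQ1's Gi0/2 toward INET10 is an
! assumption from the L3 diagram); a neighbour without a matching key stays down
interface GigabitEthernet0/2
 ip authentication mode eigrp 2019 md5
 ip authentication key-chain eigrp 2019 EIGRP-KEYS
!
! ===== HQ1: BGP =====
ip prefix-list NO-209136 seq 5 deny 209.136.0.0/16
ip prefix-list NO-209136 seq 10 permit 0.0.0.0/0 le 32
router bgp 65001
 bgp router-id 11.11.11.11
 neighbor 20.19.7.1 remote-as 65003
 neighbor 22.22.22.22 remote-as 65001
 neighbor 22.22.22.22 update-source Loopback101
 neighbor 22.22.22.22 next-hop-self
 network 11.11.11.11 mask 255.255.255.255
 ! Process-level inbound filter: drops 209.136.0.0/16 whether it arrives from
 ! ISP1 over eBGP or from HQ2 over iBGP, so it never reaches HQ1's RIB
 distribute-list prefix NO-209136 in
!
! ===== HQ1: OSPFv2 and OSPFv3 (areas from the routing diagram) =====
router ospf 1
 router-id 11.11.11.11
 network 192.168.10.0 0.0.0.255 area 1
 network 192.168.20.0 0.0.0.255 area 1
 network 192.168.30.0 0.0.0.255 area 1
ipv6 unicast-routing
ipv6 router ospf 1
 router-id 11.11.11.11
interface GigabitEthernet0/1.101
 ipv6 ospf 1 area 0
!
! ===== BR1: redistribute only Loopback10 (10.10.10.10/32, OSPF area 3) into EIGRP =====
! Loopback10 is a connected interface on BR1, but because it is OSPF-enabled IOS
! includes it in "redistribute ospf"; the route-map keeps every other OSPF prefix out.
! EIGRP needs a seed metric (bw delay reliability load mtu) or nothing is redistributed.
ip prefix-list LO10-ONLY seq 5 permit 10.10.10.10/32
route-map OSPF-TO-EIGRP permit 10
 match ip address prefix-list LO10-ONLY
router eigrp 2019
 redistribute ospf 1 metric 100000 10 255 1 1500 route-map OSPF-TO-EIGRP
```

Check `show ip eigrp neighbors` on each router (a missing neighbour after enabling authentication almost always means a key-string or key-chain name mismatch), `show ip route 209.136.0.0 255.255.0.0` on HQ1 (expected "% Network not in table"), and `show ip route eigrp` on HQ1 or HQ2, which should carry exactly one external (D EX) route from BR1, 10.10.10.10/32.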

SERVICES CONFIGURATION

• Configure dynamic port address translation (PAT) on the HQ1 and HQ2 routers for the LAN1 subnet, so that all internal IPv4 addresses are translated to the IPv4 address of the interface connected to the INET10 and INET20 subnets respectively.

• Configure first-hop redundancy protocols on the HQ1 and HQ2 routers:
  o Configure a GLBP group for the LAN1 subnet:
    - Group number 100
    - Virtual IP address 192.168.10.252
    - Priority 151 on HQ1 and 101 on HQ2
  o Configure an HSRP group for the LAN2 subnet:
    - Group number 200
    - Virtual IP address 192.168.20.252
    - Priority 121 on HQ1 and 111 on HQ2

• Configure DHCP using the following parameters:
  o On the HQ1 router for the LAN1 subnet:
    - Network address: 192.168.10.0/24
    - Default gateway: the virtual IP address of the GLBP group
    - DNS server: 192.168.10.10
    - Exclude the first 50 usable addresses from the DHCP pool
    - The DHCP server should assign 192.168.10.10 to the "RADIUSSRV" server
  o Make sure "RADIUSSRV" and "PC1" are configured as DHCP clients.
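The services section for HQ1 as one worked configuration, added for this page and not part of the test project. Interface roles are assumptions read from the L3 diagram: Gi0/1.101 is LAN1 with host address .254, Gi0/1.102 is the 192.168.20.0/24 subnet the task calls LAN2 and the diagram calls VOICE, and Gi0/2 carries 20.19.7.2 on INET10. The RADIUSSRV MAC address is a placeholder; the ACL and pool names are arbitrary.

```cisco
! ===== HQ1: PAT, GLBP, HSRP, DHCP =====
ip access-list standard LAN1-HOSTS
 permit 192.168.10.0 0.0.0.255
! PAT: every LAN1 host is translated to the address of the INET10-facing interface
ip nat inside source list LAN1-HOSTS interface GigabitEthernet0/2 overload
interface GigabitEthernet0/2
 ip address 20.19.7.2 255.255.255.252
 ip nat outside
!
! LAN1 leaves toward SW1 untagged: "native" on the subinterface (the switch side
! sets VLAN 101 as native on the same trunk)
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101 native
 ip address 192.168.10.254 255.255.255.0
 ipv6 address a1f:ea75:ca75::/64 eui-64
 ip nat inside
 glbp 100 ip 192.168.10.252
 glbp 100 priority 151
 glbp 100 preempt
!
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 192.168.20.254 255.255.255.0
 standby 200 ip 192.168.20.252
 standby 200 priority 121
 standby 200 preempt
!
! DHCP for LAN1: .1-.50 held back, gateway = GLBP VIP, DNS = RADIUSSRV
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp pool LAN1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.252
 dns-server 192.168.10.10
!
! Reservation for RADIUSSRV: a host pool keyed on the VM's MAC (placeholder value;
! read the real one from the VM). excluded-address does not apply to manual bindings.
! If the client sends a DHCP client identifier (some Linux clients do), key the
! pool on "client-identifier 01<mac>" instead of "hardware-address".
ip dhcp pool RADIUSSRV
 host 192.168.10.10 255.255.255.0
 hardware-address 0050.5600.0a0a
 default-router 192.168.10.252
 dns-server 192.168.10.10
!
! HQ2 is identical apart from .253 host addresses, priorities 101 (GLBP) and
! 111 (HSRP), and PAT onto its INET20-facing interface
```

After the VM renews its lease, `show ip dhcp binding` on HQ1 should list 192.168.10.10 as a manual binding and PC1 somewhere above .50; `show glbp brief` and `show standby brief` should show HQ1 as the active virtual gateway / active router and HQ2 as standby. If the VM keeps getting a dynamic address, the identifier it sends does not match the pool: `debug ip dhcp server packet` prints the client-id IOS actually saw.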

SECURITY CONFIGURATION

• Configure role-based access control (CLI views) on the BR1 router:
  o Create user1, user2 and user3 with the password yogyakarta.
  o Create the view context "show_view":
    - Include the "show version" command
    - Include all unprivileged commands under "show ip *"
    - Include the "who" command
    - user1 should land in this context after successful authentication on the local or remote console.
  o Create the view context "ping_view":
    - Include the "ping" command
    - Include the "traceroute" command


    - user2 should land in this context after successful authentication on the local or remote console.
  o Create a superview context that combines these two contexts. user3 should land in this superview context after successful authentication on the local or remote console.
  o Make sure that users cannot issue any other commands within the contexts assigned to them (except show banner and show parser, which are implicitly included in every view).

• On the SW3 port connected to PC1, enable and configure port security with the following parameters:
  o Maximum MAC addresses: 2
  o MAC addresses should be saved automatically in the running configuration.
  o On a policy violation, a security message should be displayed on the console; the port should not go into the err-disabled state.

• Turn on DHCP snooping on the SW2 switch for the LAN1 subnet. Use internal flash to keep the DHCP snooping database.
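The three security tasks as one worked configuration, added for this page; it is not the test project's reference solution. The superview name super_view, the snooping database file name, and the SW2 trusted uplinks (Gi1/1 toward SW1, Gi0/1 toward HQ2) are assumptions; the PC1 and RADIUSSRV access ports are taken as Gi1/0 from the Layer 2 diagram.

```cisco
! ===== BR1: CLI views. Needs aaa new-model and an enable password/secret, and
! exec authorization must run so the view bound to the user is applied at login =====
aaa new-model
aaa authorization exec default local
!
parser view show_view
 secret yogyakarta
 commands exec include show version
 commands exec include all show ip
 commands exec include who
!
parser view ping_view
 secret yogyakarta
 commands exec include ping
 commands exec include traceroute
!
parser view super_view superview
 secret yogyakarta
 view show_view
 view ping_view
!
username user1 view show_view algorithm-type scrypt secret yogyakarta
username user2 view ping_view algorithm-type scrypt secret yogyakarta
username user3 view super_view algorithm-type scrypt secret yogyakarta
!
! ===== SW3: port security on the PC1 port =====
! "restrict" logs the violation and counts it but keeps the port up;
! "protect" would drop silently and "shutdown" would err-disable the port
interface GigabitEthernet1/0
 switchport mode access
 switchport access vlan 101
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! ===== SW2: DHCP snooping for VLAN 101, bindings persisted on flash =====
ip dhcp snooping
ip dhcp snooping vlan 101
ip dhcp snooping database flash:dhcp-snooping.db
! The IOS DHCP server on HQ1 drops client packets that carry option 82 with a
! zero giaddr, so do not let the access layer insert it
no ip dhcp snooping information option
! Trust only the ports that lead toward the DHCP server; the RADIUSSRV port stays
! untrusted, so a rogue server on the VM is dropped
interface GigabitEthernet1/1
 ip dhcp snooping trust
interface GigabitEthernet0/1
 ip dhcp snooping trust
```

Test the views by logging in as user1 and typing `ping 192.168.10.10`: the parser must answer with an "Invalid input" error, and `show parser view` must name show_view. `show port-security interface GigabitEthernet1/0` on SW3 reports the sticky addresses and the violation count; `show ip dhcp snooping binding` on SW2 should list RADIUSSRV's lease once it renews, and the same entries must reappear after a reload because of the flash database.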

MONITORING AND BACKUP CONFIGURATION

• Configure logging of system messages on the HQ1 router and the FW1 firewall. All logs, including informational messages, should be sent to the RADIUSSRV server (locations /var/log/hq1.log and /var/log/fw1.log).

• Configure SNMP v2c on the HQ1 router and the FW1 firewall:
  o Use the read-only community string snmp_ro
  o Configure the device location Indonesia, ID
  o Configure the system contact [email protected]

• Configure configuration backup on the HQ1 router:
  o A backup copy of the running configuration should be saved automatically on the RADIUS server using TFTP each time the configuration is saved (copied to startup).
  o Use the following naming convention for backup files: <hostname><time>.cfg
  o The location for configuration backup files is /srv/tftp/ on the RADIUSSRV server.
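The monitoring and backup tasks as one worked configuration, added for this page and not part of the test project. The logging source interface on HQ1 and the ASA interface name "inside" for reaching RADIUSSRV are assumptions; the SNMP contact is written exactly as the page prints it.

```cisco
! ===== HQ1 (IOS): syslog, SNMPv2c read-only, config archive on write =====
logging host 192.168.10.10
! severity 6 (informational) sends levels 0-6, everything except debugging
logging trap informational
logging source-interface GigabitEthernet0/1.101
service timestamps log datetime msec localtime
!
snmp-server community snmp_ro RO
snmp-server location Indonesia, ID
snmp-server contact [email protected]
!
! Every "write memory" / "copy running-config startup-config" also pushes a copy
! to TFTP. $h expands to the hostname and $t to the timestamp; IOS appends its
! own "-<n>" sequence suffix to whatever name results.
archive
 path tftp://192.168.10.10/$h$t.cfg
 write-memory
!
! ===== FW1 (ASA): same destinations =====
logging enable
logging timestamp
logging trap informational
logging host inside 192.168.10.10
snmp-server host inside 192.168.10.10 community snmp_ro version 2c
snmp-server community snmp_ro
snmp-server location Indonesia, ID
snmp-server contact [email protected]
```

On the server side, rsyslog has to separate the two senders into /var/log/hq1.log and /var/log/fw1.log with a rule keyed on the source address, and the TFTP daemon must be allowed to create files in /srv/tftp (tftpd-hpa needs its create option, and the directory must be writable by the daemon's user), otherwise `write memory` on HQ1 reports the archive as failed. `show archive` on HQ1 lists the copies it believes it has written, so compare that against `ls /srv/tftp` on the VM. SNMPv2c community strings travel in the clear; a read-only community is the minimum, and in a real deployment an ACL on `snmp-server community` limits who may use it.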

WAN & VPN CONFIGURATION

• Configure the ISP1 router as a PPPoE server and the ISP2 router as a PPPoE client. Use PAP for authentication with the credentials papuser / yogyakarta.

• Configure a GRE tunnel between the HQ1 and BR1 routers:
  o Use Tunnel100 as the VTI on all routers.
  o Assign the IPv6 addresses 2001::1/64 and 2001::2/64 to the tunnel interfaces of HQ1 and BR1 respectively.

• Configure an IKEv2 IPsec site-to-site VPN on the FW1 and FW2 firewalls:
  o Phase 1 parameters:
    - Hash: MD5
    - Encryption: AES-128
    - DH group: 5
    - Authentication: pre-shared key (cisco1)
  o Phase 2 parameters:
    - Protocol: ESP
    - Encryption: AES-128
    - Hash: MD5
  o For transmission through the IPsec tunnel, permit all TCP traffic from the network of the HQ2 subinterface address in the LAN2 subnet to the network of the BR2 interface address in the LAN3 subnet.
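The WAN and VPN tasks as one worked configuration, added for this page; it is not the test project's reference solution. Assumptions: the PPPoE link uses Gi0/3 on both ISP routers, Loopback8 belongs to ISP1 and the address pool 20.19.9.0/24 is invented; the GRE endpoints are Loopback101 on HQ1 and Loopback1 on BR1; FW1 peers with 20.19.7.14 on its "outside" interface; the protected subnets are 10.20.30.0/24 (LAN2 on the L3 diagram) and a placeholder 172.16.3.0/24, since the page never defines LAN3. MD5 and DH group 5 are mandated by the task; outside this exercise they are legacy choices and SHA-2 with group 14 or higher would be used instead.

```cisco
! ===== ISP1: PPPoE server with PAP =====
username papuser password yogyakarta
bba-group pppoe LKSN
 virtual-template 1
interface Virtual-Template1
 ip unnumbered Loopback8
 peer default ip address pool PPPOE-POOL
 ppp authentication pap
ip local pool PPPOE-POOL 20.19.9.2 20.19.9.254
interface GigabitEthernet0/3
 no ip address
 pppoe enable group LKSN
!
! ===== ISP2: PPPoE client (Dialer1 as on the Layer 2 diagram) =====
interface GigabitEthernet0/3
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp pap sent-username papuser password yogyakarta
 ip mtu 1492
 ip tcp adjust-mss 1452
!
! ===== HQ1: GRE tunnel to BR1 carrying IPv6, OSPFv3 area 0 across it =====
! BR1 mirrors this with 2001::2/64, source Loopback1, destination 11.11.11.11
interface Tunnel100
 tunnel mode gre ip
 tunnel source Loopback101
 tunnel destination 1.1.1.1
 ipv6 address 2001::1/64
 ipv6 ospf 1 area 0
!
! ===== FW1 (ASA): IKEv2 site-to-site to FW2 =====
crypto ikev2 policy 10
 encryption aes
 integrity md5
 group 5
 prf md5
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
! Interesting traffic: TCP only, from LAN2 to the LAN3 placeholder
access-list VPN-TRAFFIC extended permit tcp 10.20.30.0 255.255.255.0 172.16.3.0 255.255.255.0
crypto map CMAP 10 match address VPN-TRAFFIC
crypto map CMAP 10 set peer 20.19.7.14
crypto map CMAP 10 set ikev2 ipsec-proposal AES128-MD5
crypto map CMAP interface outside
tunnel-group 20.19.7.14 type ipsec-l2l
tunnel-group 20.19.7.14 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco1
 ikev2 remote-authentication pre-shared-key cisco1
```

FW2 carries the same policy with the ACL reversed and FW1's outside address as the peer. Because the ACL matches TCP only, an ICMP ping between the two LANs will not bring the tunnel up; test with a TCP connection (for example SSH) and then read `show crypto ikev2 sa` and `show crypto ipsec sa` for the child SA and its encaps/decaps counters. If either ASA also performs NAT on the outside interface, a NAT exemption (identity NAT) for the two subnets must precede the crypto map, or the packets are translated before the ACL can match them.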


LAYER 1 NETWORK DIAGRAM

(Figure. Only the labels survived extraction: routers HQ1, HQ2, ISP1, ISP2 and BR1 cabled on Gi0/1, Gi0/2 and Gi0/3 ports; switch uplinks on Gi1/1, Gi1/2 and Gi2/1; RADIUSSRV (eth1) and PC1 (ens33) each attached to a switch port Gi1/0.)


LAYER 2 NETWORK DIAGRAM

(Figure. Labels recovered from the figure text: the same port labels as the Layer 1 diagram; a port-channel labelled PO3 at both ends of one inter-switch link; Dialer 1 and VT1 (Virtual-Template 1) on the PPPoE link; SVIs Vlan101 and Vlan103; RADIUSSRV and PC1 on Gi1/0 access ports in Vlan101.)


LAYER 3 NETWORK DIAGRAM

(Figure. Addressing recovered from the figure text; which router owns a given loopback is not stated here where the figure does not make it clear.)

Subnets:
  LAN1 (VLAN 101): 192.168.10.0/24 and a1f:ea75:ca75::/64, on the Gi0/1.101 subinterfaces of HQ1 and HQ2 (host addresses .254 and .253; .252 is the virtual address)
  VOICE (VLAN 102): 192.168.20.0/24
  EDGE (VLAN 103): 192.168.30.0/24
  LAN2: 10.20.30.0/24 (.253 and .254 on Gi0/2 interfaces)
  INET10: 20.19.7.0/30 (.1 and .2)
  INET20: 20.19.7.4/30 (.5 and .6)
  INET30: 20.19.7.8/30 (.9 on Gi0/3, .10 on Gi0/2)
  INET40: 20.19.7.12/30 (.13 and .14, both on Gi0/1 ports)
  INET1: 20.19.8.0/30

Loopbacks:
  Loopback100: 209.136.0.1/16
  Loopback200: 138.76.0.1/16
  Loopback8: 8.8.8.8/32
  Loopback4: 8.8.4.4/32
  Loopback101: 11.11.11.11/32 and dead:beef:11::1/128
  Loopback102: 22.22.22.22/32 and dead:beef:22::1/128
  Loopback1: 1.1.1.1/32 and dead:beef:1::1/128
  Loopback10: 10.10.10.10/32


ROUTING DIAGRAM

(Figure. Protocol domains and the prefixes listed under each, in the order they appear in the figure text.)

  BGP AS 65001; Loopback101 11.11.11.11/32; Loopback102 22.22.22.22/32; BGP AS 65002
  EIGRP AS 2019: INET10 20.19.7.0/30, INET20 20.19.7.4/30, INET30 20.19.7.8/30
  OSPF Area 3: Loopback10 10.10.10.10/32
  OSPF Area 0: INET1 20.19.8.0/30
  OSPF Area 1: LAN1 192.168.10.0/24, EDGE 192.168.30.0/24, VOICE 192.168.20.0/24
  OSPF Area 2: INET3 10.20.30.0/24
  OSPFv3 Area 0: LAN1 a1f:ea75:ca75::/64, Loopback1 dead:beef:1::1/128
  Loopback100 209.136.0.0/16; BGP AS 65003
  Loopback200 138.76.1.0/16; BGP AS 65004
  Loopback1 1.1.1.1/32; INET40 20.19.7.12/30
  Loopback101 dead:beef:11::1/128; Loopback102 dead:beef:22::1/128