LKSN2019_ITNSA
Test Project IT Network Systems Administration
Module A – Cisco Network Environment
Submitted by:
ITNSA-ID Team
Date: 13.02.19 LKSN2019_ITNSA
Version: 1.0 © WorldSkills International
2 of 11
Contents
Introduction .... 3
NETWORK ISLAND TASK .... 4
  BASIC CONFIGURATION .... 4
  SWITCHING CONFIGURATION .... 5
  ROUTING CONFIGURATION .... 6
  SERVICES CONFIGURATION .... 6
  SECURITY CONFIGURATION .... 6
  MONITORING AND BACKUP CONFIGURATION .... 7
  WAN & VPN CONFIGURATION .... 7
LAYER 1 NETWORK DIAGRAM .... 8
LAYER 2 NETWORK DIAGRAM .... 9
LAYER 3 NETWORK DIAGRAM .... 10
Introduction to Test Project
This Test Project proposal consists of the following document/file: LKSN2019_ITNETWORK_MODUL_A.pdf

Introduction
Knowledge of network technologies has become essential for anyone who wants to build a successful
career in any IT engineering field. This test project contains many challenges drawn from real-life experience,
primarily IT integration and IT outsourcing. If you are able to complete this project with a high score, you are
definitely ready to implement network infrastructure for any multi-branch enterprise.
Description of project and tasks
This test project is designed using a variety of network technologies that should be familiar from the Cisco
certification tracks. Tasks are broken down into the following configuration sections:
- Basic configuration
- Switching
- WAN
- Routing
- Services
- Security
- Monitoring and backup
- WAN and VPN
All sections are independent, but together they build a very complex network infrastructure. Some tasks are
pretty simple and straightforward; others may be tricky. You may see that some technologies are expected to
work on top of other technologies. For example, IPv6 routing is expected to run on top of configured VPNs,
which are, in turn, expected to run on top of IPv4 routing, which is, in turn, expected to run on top of PPPoE,
and so on. It is important to understand that if you are unable to come up with a solution in the middle of such
a technology stack, it does not mean that the rest of your work will not be graded at all. For example, you may not
be able to configure the IPv4 routing that the VPN requires for IP reachability, but you can use static routes and
then continue to work on the VPN configuration and everything that runs on top of it. You will not receive points for
IPv4 routing in this case, but you will receive points for everything that you made operational on top of it as long as
functional testing is successful.
NOTE:
RADIUS VM (Debian 9.5): Username: root / skill39, Password: Skill39
PC1 (Ubuntu 16.04): Username: skill39, Password: Skill39
NETWORK ISLAND TASK

BASIC CONFIGURATION
- Configure domain name lksn2019.com for HQ2, BR1, and FW2.
- Create user lksn2019 with password yogyakarta on HQ2, BR1, and FW2.
  o Only the scrypt hash of the password should be stored in the configuration. (This requirement only
    applies to the routers, NOT the ASA firewalls.)
  o The user should have maximum privileges.
- Configure the new AAA model on HQ2, BR1, and FW2.
  o Remote console (vty) authentication should use the local username database.
  o After successful authentication on a vty line, users should automatically land in privileged mode
    (except on FW2).
  o Enable login authentication on the local console.
  o After successful authentication on the local console, the user should land in user mode with minimal
    privileges (privilege level 1).
  o After successful authentication on the local console of the BR1 router, the user should automatically land
    in privileged mode with maximal privileges.
- Configure RADIUS authentication for all remote consoles (vty) on the HQ2 router.
  o Authentication sequence:
    - RADIUS server
    - Local username database
  o Use "cisco1" as the shared key.
  o Use port numbers 1812 for authentication and 1813 for accounting.
  o The IP address of the RADIUS server is 192.168.10.10.
  o Configure automatic authorization: after successful authentication on the RADIUS server, the user
    should automatically land in privileged mode with maximal privileges.
  o Test RADIUS authentication using the radius/cisco1 credentials.
- Configure diy as the privileged mode password for HQ2, BR1, and FW2.
  o The password should be stored in the configuration in plain text (not as a hash).
  o Configure privileged mode authorization on FW2. For example:

      #Connect to FW1 using SSH or Console
      Username: lksn2019
      Password: yogyakarta
      Type help or '?' for a list of available commands.
      FW1> enable
      Password: diy
      FW1#

  o Set the mode in which all the passwords in the configuration are stored as reversible cipher text.
- Create all necessary interfaces, subinterfaces and loopbacks on ALL devices. Use IP addressing
  according to the L3 diagram.
  o Use VLAN101 as the virtual interface on the SW1, SW2 and SW3 switches. Use IP address
    - 192.168.10.51 for SW1
    - 192.168.10.52 for SW2
    - 192.168.10.53 for SW3
  o For HQ1 and HQ2 use automatic IPv6 address generation (EUI-64) for the LAN1 subnet.
- HQ2, BR1, and FW2 should be accessible using SSH protocol version 2. On FW2, allow
  SSH connections on the "inside" interface.
- Configure the current local time zone (GMT +7) on the HQ1 router.
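The AAA, RADIUS, privileged-mode and SSH requirements for HQ2 above, worked through as one IOS configuration. This is an added example, not part of the test project or of any official solution: the method-list names VTY_AUTH, CON_AUTH and VTY_AUTHZ, the RADIUS server name RADIUSSRV, the 2048-bit RSA modulus and the vty range are my choices, and the RADIUS source interface is left out because the diagrams do not show which HQ2 interface faces 192.168.10.10.

```cisco
! HQ2 -- added example; names marked as assumptions are not task values
hostname HQ2
ip domain-name lksn2019.com
!
! Local admin account: privilege 15, stored only as a scrypt (type 9) hash
username lksn2019 privilege 15 algorithm-type scrypt secret yogyakarta
!
! Privileged-mode password in plain text as the task requires. Once
! "service password-encryption" is on it displays as a type 7 string, which
! is a reversible encoding and not a substitute for "enable secret".
enable password diy
service password-encryption
!
aaa new-model
!
! RADIUS server (assumed name RADIUSSRV): ports 1812/1813, shared key cisco1
radius server RADIUSSRV
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key cisco1
!
! vty login: ask RADIUS first, fall back to the local database only when no
! RADIUS server answers (an explicit RADIUS reject is final, no fallback)
aaa authentication login VTY_AUTH group radius local
!
! vty exec authorization: RADIUS users land at the privilege level the server
! returns (the server must send Cisco-AVPair "shell:priv-lvl=15"); local
! users inherit privilege 15 from the username line above
aaa authorization exec VTY_AUTHZ group radius local
!
! Console login uses the local database. No exec authorization is applied to
! the console, so the user lands at privilege 1 regardless of the username's
! privilege setting.
aaa authentication login CON_AUTH local
!
! SSH version 2 only; the RSA key pair must exist before SSHv2 can be forced
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login authentication CON_AUTH
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_AUTHZ
 transport input ssh
!
! BR1 differs only on the console: to land there at privilege 15, add
!   aaa authorization exec CON_AUTHZ local
!   aaa authorization console
! and "authorization exec CON_AUTHZ" under "line con 0".
```

To check the result without a client, `show running-config | include username|enable` should show `secret 9 $9$...` for lksn2019 and `enable password 7 ...` for diy, `show ip ssh` should report version 2.0, and `test aaa group radius radius cisco1 new-code` exercises the RADIUS path from the router itself. Authentication and authorization are separate decisions here: a user who authenticates but for whom the server returns no privilege attribute stays at level 1 even though the login succeeded.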
SWITCHING CONFIGURATION
- Configure VTP version 2 on SW1, SW2 and SW3. Use SW1 as the VTP server and SW2 and SW3 as
  clients. Use LKSN as the VTP domain name and 2019 as the password. The VLAN database on all switches
  should contain the following VLANs:
  o VLAN 101 with name LAN1.
  o VLAN 102 with name VOICE.
  o VLAN 103 with name EDGE.
- On the SW1, SW2 and SW3 switches configure the dynamic trunking protocol:
  o For ports Gi1/1 and Gi2/1 on SW1, configure the mode that listens for trunk negotiation
    but does not initiate it.
  o For port Gi1/1 on SW2 and port Gi2/1 on SW3, configure the mode that initiates trunk negotiation.
  o Configure ports Gi0/1-3 on SW1 and SW2 for traffic transmission using the IEEE 802.1Q protocol.
- Configure link aggregation between switches SW1 and SW2. Use port-channel number 1.
  o SW2 should use PAgP desirable mode.
  o SW3 should use PAgP auto mode.
- Configure the spanning tree protocol:
  o On ALL switches use the STP version that is compatible with the 802.1w standard.
  o SW2 should be the STP root in VLAN 101. In case of SW2 failure, SW3 should become the root.
  o SW1 should be the STP root in VLAN 102. In case of SW3 failure, SW2 should become the root.
  o SW3 should be the STP root in VLAN 103. In case of SW1 failure, SW1 should become the root.
  o For traffic transmission in VLANs 101, 102 and 103 on SW1 and SW2, use ports that are not
    participating in channel-groups.
- Turn on root guard on the SW2 port that is connected to the RADIUS VM.
- Configure PortFast on the SW3 port that is connected to PC1.
- LAN1 subnet traffic between the HQ1 router and the SW1 switch should be forwarded without an IEEE 802.1Q
  tag.
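The switching requirements above as one configuration for SW1, with the matching lines for SW2 and SW3 given in comments. This is an added example, not material from the test project: the member ports of port-channel 1 (Gi1/2, Gi2/2) and the SW1 port that faces HQ1 (Gi0/1) are placeholders, because the port diagrams did not survive extraction; everything else follows the task text.

```cisco
! SW1 -- added example; Gi1/2 and Gi2/2 as bundle members and Gi0/1 as the
! port toward HQ1 are placeholders, the rest follows the task text
hostname SW1
!
! VTPv2 server for domain LKSN (SW2 and SW3: same lines with "vtp mode client")
vtp version 2
vtp domain LKSN
vtp password 2019
vtp mode server
!
vlan 101
 name LAN1
vlan 102
 name VOICE
vlan 103
 name EDGE
!
! Management SVI (SW2 uses .52, SW3 uses .53)
interface Vlan101
 ip address 192.168.10.51 255.255.255.0
!
! Uplinks to SW2/SW3: "dynamic auto" answers DTP negotiation but never starts
! it; the far ends (SW2 Gi1/1, SW3 Gi2/1) use "switchport mode dynamic desirable"
interface range GigabitEthernet1/1 , GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic auto
!
! Gi0/1-3: static 802.1Q trunks for VLANs 101-103, kept out of any channel-group
interface range GigabitEthernet0/1 - 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Toward HQ1 (placeholder Gi0/1): LAN1 travels untagged, so VLAN 101 is the
! native VLAN here and HQ1 uses "encapsulation dot1Q 101 native" on Gi0/1.101
interface GigabitEthernet0/1
 switchport trunk native vlan 101
!
! Port-channel 1 to SW2 over PAgP (placeholder members). PAgP forms when at
! least one side is desirable, so SW2's "mode desirable" pairs with auto here.
interface range GigabitEthernet1/2 , GigabitEthernet2/2
 channel-group 1 mode auto
!
! Rapid PVST+ (802.1w). SW1 is root for VLAN 102; the other roots and backups
! are set on the other switches:
!   SW2: spanning-tree vlan 101 root primary / spanning-tree vlan 102 root secondary
!   SW3: spanning-tree vlan 103 root primary / spanning-tree vlan 101 root secondary
spanning-tree mode rapid-pvst
spanning-tree vlan 102 root primary
!
! Edge-port protection lives on the access switches:
!   SW2, port to the RADIUS VM:  spanning-tree guard root   (a BPDU claiming
!                                 a better root puts the port in root-inconsistent state)
!   SW3, port to PC1:            spanning-tree portfast     (access port only)
```

`show interfaces trunk` confirms which ports negotiated or were forced into trunking and which native VLAN applies, `show etherchannel summary` should list Po1 with flag SU once both sides agree, and `show spanning-tree vlan 102` should name SW1 as root. Leaving the uplinks in a DTP-negotiating mode is what the task asks for; a hardened build would instead force `switchport mode trunk` with `switchport nonegotiate` so a connected device cannot negotiate a trunk.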
ROUTING CONFIGURATION
- Configure EIGRP with AS number 2019 on the ISP1, ISP2, HQ1, HQ2 and BR1 routers according to the
  routing diagram. Enable routing update authentication. Use the MD5 algorithm with the key DIY.
- Configure BGP on ISP1, ISP2, HQ1, and HQ2 according to the routing diagram.
  o Routers HQ1 and HQ2 should exchange routing updates using iBGP.
  o Configure route filtering so that the route 209.136.0.0/16 is not present in the routing table of the
    HQ1 router.
- Configure OSPFv2 on the HQ1, HQ2 and BR1 routers and the FW1 and FW2 firewalls according to the routing
  diagram.
- Configure OSPFv3 on the HQ1, HQ2 and BR1 routers according to the routing diagram.
- On the BR1 router configure OSPF route redistribution into EIGRP AS 2019 for the Loopback10 subnet only.
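EIGRP authentication, the BGP prefix filter and the selective redistribution above, as an added example that is not part of the test project. Key-chain, prefix-list and route-map names are mine. HQ1/HQ2 in AS 65001 with loopbacks 11.11.11.11 and 22.22.22.22 is read from the routing diagram; the interface names, the ISP1 peer address 20.19.7.1 with AS 65003, and OSPF process id 1 on BR1 are assumptions, because the diagram does not say which AS or link belongs to which ISP.

```cisco
! HQ1 -- added example; list names are mine, peer address and AS are assumptions
!
! EIGRP AS 2019 with MD5 authentication: key 1 of chain EIGRP_KEYS carries "DIY".
! Both neighbours must hold the same key id and key string.
key chain EIGRP_KEYS
 key 1
  key-string DIY
!
router eigrp 2019
 network 20.19.7.0 0.0.0.3
 network 11.11.11.11 0.0.0.0
 no auto-summary
!
! Authentication is enabled per interface, on every EIGRP-speaking link
! (Gi0/2 toward INET10 is an assumption)
interface GigabitEthernet0/2
 ip authentication mode eigrp 2019 md5
 ip authentication key-chain eigrp 2019 EIGRP_KEYS
!
! Inbound prefix filter: reject exactly 209.136.0.0/16, accept anything else.
! Without the final permit the implicit deny would drop every prefix.
ip prefix-list FROM_ISP seq 5 deny 209.136.0.0/16
ip prefix-list FROM_ISP seq 10 permit 0.0.0.0/0 le 32
!
router bgp 65001
 bgp log-neighbor-changes
 ! iBGP with HQ2 between loopbacks (reachable through EIGRP)
 neighbor 22.22.22.22 remote-as 65001
 neighbor 22.22.22.22 update-source Loopback101
 ! eBGP with ISP1 (assumed 20.19.7.1 in AS 65003), filtered on ingress
 neighbor 20.19.7.1 remote-as 65003
 neighbor 20.19.7.1 prefix-list FROM_ISP in
!
! BR1 -- redistribute only Loopback10 (10.10.10.10/32) from OSPF into EIGRP.
! A route-map whose only clause permits the prefix-list implicitly denies every
! other OSPF route; the five metric values are mandatory when the target is EIGRP.
ip prefix-list LO10_ONLY seq 5 permit 10.10.10.10/32
!
route-map OSPF_TO_EIGRP permit 10
 match ip address prefix-list LO10_ONLY
!
router eigrp 2019
 redistribute ospf 1 metric 100000 100 255 1 1500 route-map OSPF_TO_EIGRP
```

`show ip eigrp neighbors` lists a peer only after the MD5 exchange succeeds, so a key mismatch shows up as a missing neighbour rather than an error. `show ip bgp neighbors 20.19.7.1 received-routes` (which needs `soft-reconfiguration inbound` on that neighbour) next to `show ip bgp` shows the filtered prefix arriving and being dropped, and `show ip route eigrp` on HQ1 should contain a single D EX route for 10.10.10.10/32 from BR1.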
SERVICES CONFIGURATION
- Configure dynamic port translation on the HQ1 and HQ2 routers for the LAN1 subnet so that all internal IPv4
  addresses are translated into the IPv4 address of the interface connected to the INET10 and
  INET20 subnets respectively.
- Configure first-hop redundancy protocols on the HQ1 and HQ2 routers:
  o Configure a GLBP group for the LAN1 subnet:
    - Group number 100
    - Use 192.168.10.252 as the virtual IP address
    - Configure priority 151 for the HQ1 router and 101 for the HQ2 router.
  o Configure an HSRP group for the LAN2 subnet:
    - Group number 200
    - Use 192.168.20.252 as the virtual IP address
    - Configure priority 121 for the HQ1 router and 111 for the HQ2 router.
- Configure DHCP using the following parameters:
  o On the HQ1 router for the LAN subnet:
    - Network address: 192.168.10.0/24;
    - Default gateway: virtual IP address of the GLBP group;
    - DNS server: 192.168.10.10;
    - Exclude the first 50 usable addresses from the DHCP pool.
    - The DHCP server should assign 192.168.10.10 to the "RADIUSSRV" server.
  o Make sure the "RADIUSSRV" server and "PC1" are configured as DHCP clients.
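The PAT, GLBP, HSRP and DHCP requirements above as one HQ1 configuration. This is an added example, not part of the test project: the subinterface names Gi0/1.101 and Gi0/1.102 and the HQ1 host addresses .254 are read from the L3 diagram as far as it is legible, Gi0/2 as the INET10-facing interface is an assumption, the MAC address of the RADIUS VM is a placeholder, and the pool and ACL names are mine.

```cisco
! HQ1 -- added example; Gi0/2, the .254 addresses and the MAC are assumptions
!
! PAT: every LAN1 host leaves through the address of the INET10-facing interface
ip access-list standard LAN1_HOSTS
 permit 192.168.10.0 0.0.0.255
ip nat inside source list LAN1_HOSTS interface GigabitEthernet0/2 overload
!
interface GigabitEthernet0/2
 ip nat outside
!
! LAN1: GLBP group 100. HQ1 wins the AVG election with 151 > 101 and, with
! preempt, takes the role back after a reload instead of leaving HQ2 in charge.
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101 native
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 glbp 100 ip 192.168.10.252
 glbp 100 priority 151
 glbp 100 preempt
!
! LAN2 (VOICE range per the task): HSRP group 200, HQ1 active with 121 > 111
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 192.168.20.254 255.255.255.0
 standby 200 ip 192.168.20.252
 standby 200 priority 121
 standby 200 preempt
!
! DHCP for LAN1: .1-.50 withheld from dynamic assignment, gateway is the GLBP
! virtual IP (never a physical router address), DNS is the RADIUS VM
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp pool LAN1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.252
 dns-server 192.168.10.10
!
! Manual binding for the RADIUS VM. A host pool is keyed on the client's MAC
! and is honoured even though .10 lies inside the excluded range, because
! exclusions only restrict dynamic allocation.
ip dhcp pool RADIUSSRV
 host 192.168.10.10 255.255.255.0
 hardware-address 0000.0000.0000   ! placeholder: the VM's eth1 MAC address
 default-router 192.168.10.252
 dns-server 192.168.10.10
```

`show glbp brief` and `show standby brief` confirm which router is active for each group; `show ip dhcp binding` shows the manual entry for .10 next to the dynamic lease PC1 receives; and `show ip nat translations` should list LAN1 sources rewritten to the Gi0/2 address with distinct ports. If the Debian VM sends a DHCP client identifier instead of relying on its MAC (some network managers do), replace `hardware-address` with `client-identifier 01` followed by the MAC.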
SECURITY CONFIGURATION
- Configure role-based access control on the BR1 router:
  o Create user1, user2 and user3 with the password yogyakarta.
  o Create the view-context "show_view":
    - Include the "show version" command
    - Include all unprivileged commands of "show ip *"
    - Include the "who" command
    - user1 should land in this context after successful authentication on the local or remote
      console.
  o Create the view-context "ping_view":
    - Include the "ping" command
    - Include the "traceroute" command
    - user2 should land in this context after successful authentication on the local or remote
      console.
  o Create a superview-context that combines these two contexts. user3 should land in this
    superview-context after successful authentication on the local or remote console.
  o Make sure that users cannot issue any other commands within the contexts assigned to
    them (except show banner and show parser, which are implicitly included in any view).
- On the SW3 port that is connected to PC1, enable and configure port-security using the following
  parameters:
  o Maximum MAC addresses: 2
  o MAC addresses should be automatically saved in the running configuration.
  o In case of a policy violation, a security message should be displayed on the console; the port should
    not go into the err-disabled state.
- Turn on DHCP snooping on the SW2 switch for the LAN1 subnet. Use the internal flash to keep the DHCP
  snooping database.
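The role-based CLI views on BR1, the port-security settings on SW3 and DHCP snooping on SW2 from this section, as one added example that is not part of the test project. The superview name both_view is mine; Gi1/0 as the SW3 port to PC1 and the SW2 port to the RADIUS VM is read from the L2 diagram; SW2's Gi0/1-3 as the trunks toward the DHCP server follows the switching section; the database file name is a placeholder.

```cisco
! BR1 -- role-based CLI. Views are configured from the root view, which is
! entered with "enable view" and the enable password (diy).
aaa new-model
enable password diy
!
! show_view: "include all show ip" admits every subcommand of show ip;
! a view needs its own secret before it can be entered manually
parser view show_view
 secret yogyakarta
 commands exec include show version
 commands exec include all show ip
 commands exec include who
!
parser view ping_view
 secret yogyakarta
 commands exec include ping
 commands exec include traceroute
!
! Superview (name both_view is an assumption): union of the two views
parser view both_view superview
 secret yogyakarta
 view show_view
 view ping_view
!
! Users are bound to their view on the username line
username user1 view show_view secret yogyakarta
username user2 view ping_view secret yogyakarta
username user3 view both_view secret yogyakarta
!
! The view is only applied at login when exec authorization runs, on vty
! and (with "aaa authorization console") on the console as well
aaa authorization exec default local
aaa authorization console
!
! ---------------------------------------------------------------------
! SW3 -- port to PC1 (Gi1/0 per the L2 diagram)
interface GigabitEthernet1/0
 switchport mode access
 switchport access vlan 101
 switchport port-security
 switchport port-security maximum 2
 ! sticky: learned MACs are written into the running configuration
 switchport port-security mac-address sticky
 ! restrict: drop offending frames and log/SNMP-trap the violation without
 ! err-disabling the port (protect would drop silently, shutdown would disable)
 switchport port-security violation restrict
 spanning-tree portfast
!
! ---------------------------------------------------------------------
! SW2 -- DHCP snooping for VLAN 101, binding table kept on flash
ip dhcp snooping
ip dhcp snooping vlan 101
ip dhcp snooping database flash:dhcp-snooping.db   ! file name is a placeholder
! The IOS DHCP server on HQ1 drops relayed packets that carry option 82 with
! giaddr 0, so do not let the switch insert it
no ip dhcp snooping information option
!
! Only the trunks toward HQ1/HQ2 may carry DHCP OFFER/ACK; every other port
! (including Gi1/0 to the RADIUS VM) stays untrusted
interface range GigabitEthernet0/1 - 3
 ip dhcp snooping trust
!
interface GigabitEthernet1/0
 spanning-tree guard root
```

On BR1, `show parser view all` lists the three views and `?` inside a view session shows only the admitted commands plus show banner and show parser. On SW3, `show port-security interface GigabitEthernet1/0` reports the security violation counter climbing on a third MAC while the port stays up. On SW2, `show ip dhcp snooping binding` should show PC1's lease once it renews, and `show ip dhcp snooping` lists the trusted ports; a rogue DHCP server answering on an untrusted port is simply dropped and counted.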
MONITORING AND BACKUP CONFIGURATION
- Configure logging of system messages on the HQ1 router and the FW1 firewall. All logs, including
  informational messages, should be sent to the RADIUSSRV server (locations /var/log/hq1.log and
  /var/log/fw1.log).
- Configure SNMP v2c on the HQ1 router and the FW1 firewall:
  o Use the read-only community string snmp_ro
  o Configure the device location Indonesia, ID
  o Configure the system contact [email protected]
- Configure configuration backup on the HQ1 router:
  o A backup copy of the running configuration should be automatically saved on the RADIUS server
    using TFTP each time the configuration is saved (copied to startup);
  o Use the following naming convention for backup files: <hostname><time>.cfg
  o The location for configuration backup files is /srv/tftp/ on the RADIUSSRV server
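The syslog, SNMP and automatic backup requirements above for HQ1, with the equivalent ASA lines for FW1, as an added example that is not part of the test project. The logging source interface on HQ1 and the ASA interface name "inside" are assumptions, and the contact address is a placeholder because the one on the page is obscured.

```cisco
! HQ1 -- added example; source interface and contact address are assumptions
!
! Syslog to the RADIUS VM; "informational" (6) includes everything at that
! severity and lower, which is what "all logs including informational" asks for
logging host 192.168.10.10
logging trap informational
logging source-interface GigabitEthernet0/1.101   ! assumption: LAN1 subinterface
!
! SNMPv2c, read-only. A community string travels in clear text, so keep it
! read-only and restrict who may use it with an ACL (added here, not in the task).
ip access-list standard SNMP_MGMT
 permit host 192.168.10.10
snmp-server community snmp_ro RO SNMP_MGMT
snmp-server location Indonesia, ID
snmp-server contact admin@example.com   ! placeholder for the obscured address
!
! Archive on every "write memory" / "copy run start": $h expands to the
! hostname and $t to the timestamp, giving <hostname><time>.cfg in /srv/tftp/
! on the TFTP server
archive
 path tftp://192.168.10.10/$h$t.cfg
 write-memory
!
! ---------------------------------------------------------------------
! FW1 (ASA) -- same destinations; "inside" is the assumed interface name
logging enable
logging trap informational
logging host inside 192.168.10.10
snmp-server community snmp_ro
snmp-server location Indonesia, ID
snmp-server contact admin@example.com
snmp-server host inside 192.168.10.10 poll community snmp_ro version 2c
```

On HQ1, `show archive` lists each saved copy after a `write memory`, and `show logging` reports the trap level and the remote host. Splitting the two streams into /var/log/hq1.log and /var/log/fw1.log is done on the Debian side with rsyslog rules keyed on the sending address; the TFTP directory must be writable by the TFTP daemon or the archive write fails silently from the router's point of view until `show archive` is checked. Backups taken this way contain the type 7 strings and the plain-text enable password, so the TFTP share deserves the same access control as the devices themselves.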
WAN & VPN CONFIGURATION
- Configure the ISP1 router as a PPPoE server and the ISP2 router as a PPPoE client. Use PAP for
  authentication with the credentials papuser\yogyakarta.
- Configure a GRE tunnel between the HQ1 and BR1 routers:
  o Use Tunnel100 as the VTI on all routers;
  o Assign the IPv6 addresses 2001::1/64 and 2001::2/64 to the tunnels of HQ1 and BR1 respectively;
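The PPPoE server/client pair and the GRE tunnel above, as an added example that is not part of the test project. The PPPoE subnet 20.19.8.0/30 (INET1 on the diagram) with ISP1 as .1, the physical ports Gi0/1, the virtual-template number, the tunnel endpoints Loopback101 (11.11.11.11) on HQ1 and Loopback1 (1.1.1.1) on BR1, and OSPFv3 process 1 on the tunnel are assumptions.

```cisco
! ISP1 -- PPPoE server with PAP (added example; subnet and ports are assumptions)
username papuser password yogyakarta
!
bba-group pppoe global
 virtual-template 1
!
! The template is cloned into a virtual-access interface per session
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool PPPOE_POOL
 ppp authentication pap
!
interface Loopback0
 ip address 20.19.8.1 255.255.255.252
ip local pool PPPOE_POOL 20.19.8.2 20.19.8.2
!
interface GigabitEthernet0/1
 no ip address
 pppoe enable group global
!
! ---------------------------------------------------------------------
! ISP2 -- PPPoE client; PAP sends the password in clear text inside PPP,
! which the task accepts but CHAP would avoid
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp pap sent-username papuser password yogyakarta
!
interface GigabitEthernet0/1
 no ip address
 pppoe-client dial-pool-number 1
!
! ---------------------------------------------------------------------
! HQ1 -- GRE tunnel carrying IPv6 over the IPv4 core; BR1 mirrors this with
! source Loopback1, destination 11.11.11.11 and address 2001::2/64
interface Tunnel100
 tunnel source Loopback101
 tunnel destination 1.1.1.1
 ipv6 address 2001::1/64
 ipv6 ospf 1 area 0
!
! GRE has no confidentiality or integrity of its own; the IPv6 routing that
! runs over this tunnel is only as protected as the IPv4 path beneath it
```

`show pppoe session` on ISP1 and `show ip interface brief | include Dialer` on ISP2 confirm the session and the negotiated address; the 1492-byte MTU leaves room for the 8-byte PPPoE/PPP header inside a 1500-byte Ethernet frame. On HQ1, `show interfaces Tunnel100` must show line protocol up, which requires an IPv4 route to 1.1.1.1 that does not itself point through the tunnel (the recursive-routing failure the introduction alludes to when it allows static routes as a fallback), and `show ipv6 ospf neighbor` should then list BR1 across the tunnel.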
- Configure an IKEv2 IPsec site-to-site VPN on the FW1 and FW2 firewalls:
  o Phase 1 parameters:
    - Hash: MD5
    - Encryption: AES-128
    - DH group: 5
    - Authentication: pre-shared key (cisco1)
  o Phase 2 parameters:
    - Protocol: ESP
    - Encryption: AES-128
    - Hash: MD5
  o For transmission through the IPsec tunnel, permit all TCP traffic from the network of the IP address of the
    HQ2 subinterface in the LAN2 subnet to the network of the IP address of the BR2 interface in the LAN3 subnet.
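The IKEv2 site-to-site tunnel above from FW1's side, as an added example that is not part of the test project. The interface names "outside" and "inside", the peer address 198.51.100.2 for FW2, the LAN2 network 10.20.30.0/24 (read from the L3 diagram) and the LAN3 network 192.0.2.0/24 (not on the page) are placeholders, and the policy, proposal, ACL and crypto-map names are mine; FW2 carries the mirror image with source and destination swapped.

```cisco
! FW1 (ASA) -- added example; peer, networks and interface names are placeholders
!
! Phase 1 (IKEv2 SA): AES-128, MD5 integrity/PRF, DH group 5, as the task dictates.
! MD5 and group 5 are weak by current standards; outside this exercise use
! SHA-2 integrity with group 14 or higher.
crypto ikev2 policy 10
 encryption aes
 integrity md5
 group 5
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2 (child SA): ESP with AES-128 and MD5
crypto ipsec ikev2 ipsec-proposal AES128_MD5
 protocol esp encryption aes
 protocol esp integrity md5
!
! Traffic selector: TCP from the LAN2 network to the LAN3 network only.
! Anything not matched here is sent in clear, not dropped, so the ACL
! doubles as the definition of what the tunnel protects.
access-list VPN_TRAFFIC extended permit tcp 10.20.30.0 255.255.255.0 192.0.2.0 255.255.255.0
!
! Crypto map binds selector, peer and proposal, then attaches to outside
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES128_MD5
crypto map OUTSIDE_MAP interface outside
!
! Peer authentication: the same pre-shared key in both directions
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco1
 ikev2 local-authentication pre-shared-key cisco1
```

`show crypto ikev2 sa` and `show crypto ipsec sa` on either firewall show the two SA levels and the encaps/decaps counters moving once TCP traffic matching the selector flows. If the firewalls also perform NAT, an identity NAT rule (`nat (inside,outside) source static` with the same object on both sides) must exempt the LAN2-to-LAN3 traffic, otherwise the translated source no longer matches VPN_TRAFFIC and the packets leave unencrypted. The selector on FW2 must be the exact mirror of this ACL; asymmetric selectors are the most common reason a child SA negotiation fails with an IKEv2 TS_UNACCEPTABLE notification.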
LAYER 1 NETWORK DIAGRAM
[Layer 1 diagram: devices HQ1, HQ2, ISP1, ISP2, BR1, RADIUSSRV (eth1) and PC1 (ens33), connected over GigabitEthernet ports; which port connects to which device is not recoverable from the extracted text.]
LAYER 2 NETWORK DIAGRAM
[Layer 2 diagram: devices HQ1, HQ2, ISP1, ISP2, BR1, RADIUSSRV and PC1; labels that survived extraction: Po3 (both ends), Dialer 1, VT1, Vlan103, and Gi1/0 in Vlan101 toward RADIUSSRV and toward PC1. The remaining port-to-device assignments are not recoverable from the extracted text.]
LAYER 3 NETWORK DIAGRAM
[Layer 3 diagram: only the labels below survived extraction; which interface carries which host address is not recoverable.]
Devices: HQ1, HQ2, ISP2, BR1
LAN1 192.168.10.0/24, a1f:ea75:ca75::0/64
VOICE 192.168.20.0/24
EDGE 192.168.30.0/24
LAN2 10.20.30.0/24
INET10 20.19.7.0/30
INET20 20.19.7.4/30
INET30 20.19.7.8/30
INET40 20.19.7.12/30
INET1 20.19.8.0/30
Loopback101 11.11.11.11/32
Loopback102 22.22.22.22/32
Loopback100 209.136.0.1/16
Loopback200 138.76.0.1/16
Loopback8 8.8.8.8/32
Loopback4 8.8.4.4/32
Loopback1 1.1.1.1/32, dead:beef:1::1/128
Loopback10 10.10.10.10/32
dead:beef:11::1/128
dead:beef:22::1/128
ROUTING DIAGRAM
[Routing diagram: labels as they appear in the figure, in reading order; the lines that assign subnets to domains are not recoverable.]
BGP AS 65001
Loopback101 11.11.11.11/32
Loopback102 22.22.22.22/32
BGP AS 65002
EIGRP AS 2019
INET10 20.19.7.0/30
INET20 20.19.7.4/30
INET30 20.19.7.8/30
OSPF Area 3
Loopback10 10.10.10.10/32
OSPF Area 0
INET1 20.19.8.0/30
OSPF Area 1
LAN1 192.168.10.0/24
EDGE 192.168.30.0/24
VOICE 192.168.20.0/24
OSPF Area 2
INET3 10.20.30.0/24
OSPFv3 Area 0
LAN1 A1f:ea75:ca75::0/64
Loopback1 dead:beef:1::1/128
Loopback100 209.136.0.0/16
BGP AS 65003
Loopback200 138.76.1.0/16
BGP AS 65004
Loopback1 1.1.1.1/32
INET40 20.19.7.12/30
Loopback101 dead:beef:11::1/128
Loopback102 dead:beef:22::1/128