
The solution of the WorldSkills tasks of the Network module in the CICA competency. Part 2 - Basic Setup

We continue the analysis of the tasks of the WorldSkills Championship Network module in the “Network and System Administration” competence.



The article will cover the following tasks:



  1. On ALL devices, create virtual interfaces, subinterfaces and loopback interfaces. Assign IP addresses according to the topology.
     a. Enable the SLAAC mechanism to issue IPv6 addresses in the MNG network on the RTR1 interface;
     b. On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 autoconfiguration mode;
     c. On ALL devices (except PC1 and WEB), manually assign link-local addresses;
     d. On ALL switches, turn off all ports that are not used in the task and transfer them to VLAN 99;
     e. On switch SW1, enable blocking for 1 minute in case of double incorrect password entry within 30 seconds.
  2. All devices must be available for management via SSH version 2.


The network topology at the physical level is presented in the following diagram:







The network topology at the data link layer is presented in the following diagram:







The network topology at the network level is presented in the following diagram:







An example of the solution of all tasks can be viewed in video format.



Below is the pre-configuration of the switches:





Setting up IPv6 addressing, enabling the SLAAC mechanism:





Configure SSH version 2:





Preconfiguration



Before doing the tasks above it is worth configuring basic switching on switches SW1-SW3, since that will make it more convenient to verify the settings later. Switching will be described in detail in the next article; for now only the settings themselves are given.



First of all, VLANs 99, 100 and 300 must be created on all switches:



```
SW1(config)#vlan 99
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#exit
```


The next step is to put interface g0/1 on SW1 into access mode in VLAN 300:



```
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 300
SW1(config-if)#exit
```


Interfaces f0/1-2 and f0/5-6, which face the other switches, must be switched to trunk mode:



```
SW1(config)#interface range fastEthernet 0/1-2, fastEthernet 0/5-6
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#exit
```


On switch SW2, interfaces f0/1-4 will be in trunk mode:



```
SW2(config)#interface range fastEthernet 0/1-4
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#exit
```


On switch SW3, interfaces f0/3-6 and g0/1 will be in trunk mode:



```
SW3(config)#interface range fastEthernet 0/3-6, gigabitEthernet 0/1
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk
SW3(config-if-range)#exit
```


At this stage the switches can exchange tagged (802.1Q) frames, which is required for the following tasks.



1. On ALL devices, create virtual interfaces, subinterfaces and loopback interfaces. Assign IP addresses according to the topology.



The first device to configure is the BR1 router. According to the L3 topology, a loop type interface, also known as a loopback, with number 101 is needed:



```
// create loopback interface 101
BR1(config)#interface loopback 101
// assign the IPv4 address
BR1(config-if)#ip address 2.2.2.2 255.255.255.255
// enable IPv6 on the interface
BR1(config-if)#ipv6 enable
// assign the IPv6 address
BR1(config-if)#ipv6 address 2001:B:A::1/64
// leave interface configuration mode
BR1(config-if)#exit
BR1(config)#
```


To check the status of the created interface, you can use the show ipv6 interface brief command:



```
BR1#show ipv6 interface brief
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022    // link-local address
    2001:B:A::1                 // IPv6 address set manually
...
BR1#
```


Here you can see that the loopback is active: its state is up/up. Below it there are two IPv6 addresses, although only one command was used to set an IPv6 address. The reason is that FE80::2D0:97FF:FE94:5022 is the link-local address, which is assigned automatically as soon as IPv6 is enabled on the interface with the ipv6 enable command.



And to view the IPv4 address, use a similar command:



```
BR1#show ip interface brief
...
Loopback101            2.2.2.2         YES manual up                    up
...
BR1#
```


On BR1 the g0/0 interface should be configured right away; here only the IPv6 address needs to be set:



```
// configure the physical interface
BR1(config)#interface gigabitEthernet 0/0
// bring the interface up
BR1(config-if)#no shutdown
BR1(config-if)#ipv6 enable
BR1(config-if)#ipv6 address 2001:B:C::1/64
BR1(config-if)#exit
BR1(config)#
```


You can check the settings using the same show ipv6 interface brief command:



```
BR1#show ipv6 interface brief
GigabitEthernet0/0         [up/up]
    FE80::290:CFF:FE9D:4624     // link-local address
    2001:B:C::1                 // IPv6 address set manually
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022    // link-local address
    2001:B:A::1                 // IPv6 address set manually
```


Next, the ISP router is configured. The task asks for loopback 0 here, but it is also worth configuring interface g0/0 with the address 30.30.30.1, because the subsequent tasks say nothing about the configuration of these interfaces. First, loopback 0 is configured:



```
ISP(config)#interface loopback 0
ISP(config-if)#ip address 8.8.8.8 255.255.255.255
ISP(config-if)#ipv6 enable
ISP(config-if)#ipv6 address 2001:A:C::1/64
ISP(config-if)#exit
ISP(config)#
```


The show ipv6 interface brief command can be used to verify that the interface is configured correctly. Then the g0/0 interface is configured:



```
ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip address 30.30.30.1 255.255.255.252
ISP(config-if)#exit
ISP(config)#
```


Next, the RTR1 router is configured. Here, too, a loopback is needed, with number 100:



```
RTR1(config)#interface loopback 100
RTR1(config-if)#ip address 1.1.1.1 255.255.255.255
RTR1(config-if)#ipv6 enable
RTR1(config-if)#ipv6 address 2001:A:B::1/64
RTR1(config-if)#exit
RTR1(config)#
```


On RTR1 it is also necessary to create two virtual subinterfaces, for VLANs 100 and 300. This is done as follows.



First, enable the physical interface g0/1 with the no shutdown command:



```
RTR1(config)#interface gigabitEthernet 0/1
RTR1(config-if)#no shutdown
RTR1(config-if)#exit
```


Then subinterfaces with numbers 100 and 300 are created and configured:



```
// subinterface for VLAN 100
RTR1(config)#interface gigabitEthernet 0/1.100
// dot1q encapsulation with the VLAN 100 tag
RTR1(config-subif)#encapsulation dot1Q 100
RTR1(config-subif)#ipv6 enable
RTR1(config-subif)#ipv6 address 2001:100::1/64
RTR1(config-subif)#exit
// subinterface for VLAN 300
RTR1(config)#interface gigabitEthernet 0/1.300
// dot1q encapsulation with the VLAN 300 tag
RTR1(config-subif)#encapsulation dot1Q 300
RTR1(config-subif)#ipv6 enable
RTR1(config-subif)#ipv6 address 2001:300::2/64
RTR1(config-subif)#exit
```


The subinterface number does not have to match the number of the VLAN it serves, but for convenience it is better to make them match. What must match the VLAN number is the tag given in the encapsulation command: after encapsulation dot1Q 300 the subinterface accepts only frames tagged with VLAN 300.



The last device in this task is RTR2. The link between SW1 and RTR2 is in access mode: according to the L2 topology, the switch port passes only VLAN 300 traffic towards RTR2. Therefore on RTR2 only the physical interface is configured, without subinterfaces:



```
RTR2(config)#interface gigabitEthernet 0/1
RTR2(config-if)#no shutdown
RTR2(config-if)#ipv6 enable
RTR2(config-if)#ipv6 address 2001:300::3/64
RTR2(config-if)#exit
RTR2(config)#
```


Then the g0/0 interface is configured:



```
RTR2(config)#interface gigabitEthernet 0/0
RTR2(config-if)#no shutdown
RTR2(config-if)#ip address 30.30.30.2 255.255.255.252
RTR2(config-if)#exit
RTR2(config)#
```


This completes the configuration of the router interfaces for the current task. The remaining interfaces will be configured as the following tasks are completed.



a. Enable the SLAAC mechanism to issue IPv6 addresses on the MNG network on the RTR1 interface


SLAAC is enabled by default. The only thing required is to enable IPv6 routing, which is done with the following global configuration command:



```
RTR1(config)#ipv6 unicast-routing
```


Without this command the router behaves as an IPv6 host: it does not forward IPv6 packets and does not send Router Advertisements, so hosts in the MNG network would receive no prefix for SLAAC. With it enabled, the router can advertise prefixes and thus issue IPv6 addresses, route IPv6 traffic, run routing protocols, and so on.



b. On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto configuration mode


The L3 topology shows that the switches sit in the VLAN 100 network. This means that virtual interfaces must be created on the switches and assigned IPv6 addresses automatically. The preconfiguration was done precisely so that the switches can obtain their addresses from RTR1. The task is performed with the following list of commands, which is the same for all three switches:



```
// virtual interface in VLAN 100
SW1(config)#interface vlan 100
SW1(config-if)#ipv6 enable
// obtain the IPv6 address automatically (SLAAC)
SW1(config-if)#ipv6 address autoconfig
SW1(config-if)#exit
```


You can check with the same show ipv6 interface brief command:



```
SW1#show ipv6 interface brief
...
Vlan100                    [up/up]
    FE80::A8BB:CCFF:FE80:C000        // link-local address
    2001:100::A8BB:CCFF:FE80:C000    // IPv6 address obtained via SLAAC
```


Besides the link-local address, an IPv6 address received from RTR1 has appeared. The task is complete on SW1; the same commands are entered on the other switches.
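As an added illustration of the link-local and SLAAC addresses seen in the BR1 and SW1 outputs above (example code written for this article, not part of the original post), the following Python functions build a modified EUI-64 interface identifier from a MAC address, form the link-local and SLAAC addresses from it, and recover the MAC again. The MAC addresses in the checks are reconstructed from the page's addresses, not read from the devices; the page's later observation that IOS reuses a manually set link-local identifier (::10) in the SLAAC address is IOS behaviour, not part of the EUI-64 rule.

```python
import ipaddress

def eui64_interface_id(mac):
    # Modified EUI-64: split the 48-bit MAC, insert FF:FE in the middle and
    # flip the universal/local bit (0x02) of the first byte. Accepts
    # 'aabb.cc80.c000', 'aa:bb:cc:80:c0:00' or 'aa-bb-cc-80-c0-00' notation.
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    b = bytearray.fromhex(digits)
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def slaac_address(prefix, mac):
    # Address that SLAAC forms from an advertised /64 prefix and the EUI-64 IID.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def link_local(mac):
    # The FE80::/64 address IOS assigns as soon as 'ipv6 enable' is entered.
    return slaac_address("fe80::/64", mac)

def mac_from_eui64(addr):
    # Inverse: recover the MAC from an EUI-64-derived address, or None when the
    # interface ID was set by hand (e.g. fe80::10) and carries no FF:FE marker.
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(b)
```

mac_from_eui64 returning None for every link-local address in a show ipv6 interface brief listing is a quick way to confirm that task c (manual link-local addresses) was done on all interfaces.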



c. On ALL devices (except PC1 and WEB) manually assign link-local addresses


Thirty-digit IPv6 addresses are no pleasure for administrators, so the link-local address can be changed manually and shortened to a minimum. The task says nothing about which addresses to choose, so the choice is free.



For example, on switch SW1 the link-local address fe80::10 will be set. This is done with the following command in the configuration mode of the chosen interface:



```
// enter configuration of interface vlan 100
SW1(config)#interface vlan 100
// set the link-local address manually
SW1(config-if)#ipv6 address fe80::10 link-local
SW1(config-if)#exit
```


Now the addressing looks much more attractive:



```
SW1#show ipv6 interface brief
...
Vlan100                    [up/up]
    FE80::10          // link-local address
    2001:100::10      // IPv6 address obtained via SLAAC
```


Besides the link-local address, the obtained IPv6 address has changed too, since it is formed from the interface identifier of the link-local address.



On switch SW1 the link-local address had to be set on only one interface. On router RTR1 there is more to do: a link-local address is needed on two subinterfaces and on the loopback, and in later tasks a tunnel 100 interface will be added as well.



To avoid typing the same commands repeatedly, the same link-local address can be set on all interfaces at once. This is done with the range keyword followed by the list of interfaces:



```
// select all the interfaces at once
RTR1(config)#interface range gigabitEthernet 0/1.100, gigabitEthernet 0/1.300, loopback 100
// set the link-local address manually
RTR1(config-if-range)#ipv6 address fe80::1 link-local
RTR1(config-if-range)#exit
```


When checking the interfaces, you will see that the link-local addresses have been changed on all selected interfaces:



```
RTR1#show ipv6 interface brief
GigabitEthernet0/1.100     [up/up]
    FE80::1
    2001:100::1
GigabitEthernet0/1.300     [up/up]
    FE80::1
    2001:300::2
Loopback100                [up/up]
    FE80::1
    2001:A:B::1
```


All other devices are configured in the same way.



d. On ALL switches, disable all ports that are not used in the task and transfer them to VLAN 99


The idea is the same as before: select several interfaces with the range command, then move them to the required VLAN and shut them down. For example, on switch SW1, according to the L1 topology, ports f0/3-4, f0/7-8, f0/11-24 and g0/2 are to be shut down. For this example the configuration is as follows:



```
// select all unused ports
SW1(config)#interface range fastEthernet 0/3-4, fastEthernet 0/7-8, fastEthernet 0/11-24, gigabitEthernet 0/2
// put the ports in access mode
SW1(config-if-range)#switchport mode access
// move them to VLAN 99
SW1(config-if-range)#switchport access vlan 99
// shut the ports down
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit
```


When checking with the familiar show ip interface brief command, note that all unused ports must have the status administratively down, which indicates that the port is switched off:



```
SW1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
...
FastEthernet0/3        unassigned      YES unset  administratively down down
```


To see which VLAN a port belongs to, another command is used:



```
SW1#show vlan brief
...
99   VLAN0099                         active    Fa0/3, Fa0/4, Fa0/7, Fa0/8
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/2
...
```


All unused interfaces must be listed there. Note that interfaces cannot be moved to a VLAN that has not been created; for this reason all the VLANs needed for the work were created in the preconfiguration.
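As an added check for task d (example code written for this article, not part of the original post or the WorldSkills materials), the following Python script parses the output of show ip interface brief and show vlan brief and reports every port outside the topology's set of used ports that is not both administratively down and parked in VLAN 99. The sample outputs and the set of used ports are constructed; the parser follows the wrapped port lists that show vlan brief prints, as in the output above.

```python
import re
# Constructed sample outputs (not from the page); Fa0/4 and Gi0/2 are wrong on purpose.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/3        unassigned      YES unset  administratively down down
FastEthernet0/4        unassigned      YES unset  down                  down
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down
"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
99   VLAN0099                         active    Fa0/3, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14
300  VLAN0300                         active    Gig0/2
"""
USED_PORTS = {"Gi0/1"}  # ports the L1 topology uses on this switch (assumed)

def short_name(name):
    # 'FastEthernet0/3' -> 'Fa0/3'; 'Gig0/2' (Packet Tracer style) -> 'Gi0/2'
    return name[:2] + re.sub(r"^[A-Za-z]+", "", name)

def parse_status(text):
    # Short port name -> Status column ('administratively down' is two words; Protocol is last)
    return {short_name(p[0]): " ".join(p[4:-1])
            for p in (ln.split() for ln in text.splitlines()[1:]) if len(p) >= 6}

def parse_vlans(text):
    # Short port name -> VLAN id, following wrapped port lists.
    vlan_of, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
        elif current is None or not line.startswith(" "):
            continue
        for port in filter(None, re.split(r",\s*", (m.group(2) if m else line).strip())):
            vlan_of[short_name(port)] = current
    return vlan_of

def audit_unused_ports(used, status, vlan_of, quarantine_vlan=99):
    # Unused ports must be shut down AND parked in the quarantine VLAN.
    findings = {}
    for port, st in status.items():
        if port in used:
            continue
        if st != "administratively down":
            findings[port] = "not shut down (status: %s)" % st
        elif vlan_of.get(port) != quarantine_vlan:
            findings[port] = "in VLAN %s, not %d" % (vlan_of.get(port), quarantine_vlan)
    return findings
```

Run audit_unused_ports(USED_PORTS, parse_status(...), parse_vlans(...)) against the real outputs of each switch; an empty result means the task is complete on that switch.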



e. On switch SW1, enable blocking for 1 minute in case of double incorrect password entry within 30 seconds


You can do this with the following command:



```
// block for 60 seconds after 2 failed attempts within 30 seconds
SW1(config)#login block-for 60 attempts 2 within 30
```


You can also check these settings as follows:



```
SW1#show login
...
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
...
```


The output states plainly that after two failed attempts within 30 seconds or less, logins are blocked for 60 seconds. Note that during this quiet period the switch rejects all new login attempts, the administrator's included, unless trusted management hosts are exempted with the login quiet-mode access-class command.



2. All devices must be available for management via SSH version 2



Before the devices can be managed over SSH version 2, some preparatory configuration is needed; for illustration, the steps are first shown on a device with factory settings.



The SSH version is changed as follows:



```
// set SSH version 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#
```


The system asks for RSA keys to be created for SSH version 2 to work. Following this advice, the keys are generated with the following command:



```
// generate RSA keys
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#
```


The command is rejected because the hostname has not been changed from the default. After changing the hostname, the key generation command is entered again:



```
Router(config)#hostname R1
R1(config)#crypto key generate rsa
% Please define a domain-name first.
R1(config)#
```


Now the system refuses to create RSA keys because no domain name is set. Once the domain name is configured, the keys can be created. For SSH version 2 the RSA key must be at least 768 bits long; in practice 2048-bit or longer keys should be generated, since 768 bits is only the protocol minimum:



```
R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
```


To sum up, for SSHv2 to work you need to:



  1. Change hostname;
  2. Change domain name;
  3. Generate RSA keys.


In the last article the hostname and domain name were already set on all devices, so to continue configuring the current devices only the RSA keys need to be generated:



```
RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
```


SSH version 2 is active, but the device is not yet fully configured. The final step is to configure the virtual consoles:



```
// enter configuration of the virtual consoles
RTR1(config)#line vty 0 4
// allow incoming connections over SSH only
RTR1(config-line)#transport input ssh
RTR1(config-line)#exit
```


In the last article the AAA model was set up: the virtual consoles authenticate against the local user database, and after authentication the user lands directly in privileged mode. The simplest test of SSH is to connect to the device itself. RTR1 has a loopback with IP address 1.1.1.1, so one can try connecting to that address:



```
// test the SSH connection
RTR1(config)#do ssh -l wsrvuz19 1.1.1.1
Password:
RTR1#
```


After the -l option comes the login of an existing user, after which the password is entered. Right after authentication the session lands in privileged mode, which means SSH is configured correctly.
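As an added check for task 2 and task e together (example code written for this article, not part of the original post), the following Python audit reads a running-config and reports the management-plane settings this article configures when they are missing: ip ssh version 2, SSH-only transport and a login method on every vty line, and login block-for throttling. Both config excerpts are constructed; the weak one has the defects on purpose and the hardened one is the same config with the page's commands applied.

```python
# Constructed running-config excerpts (not from the page). The first one is weak
# on purpose: no 'ip ssh version 2', no login block-for, and vty 0 4 still
# accepts telnet.
WEAK_CONFIG = """\
hostname RTR1
ip domain-name wsrvuz19.ru
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
"""
HARDENED_CONFIG = (WEAK_CONFIG
    .replace("!\nline vty 0 4", "ip ssh version 2\n"
             "login block-for 60 attempts 2 within 30\n!\nline vty 0 4")
    .replace("transport input telnet ssh", "transport input ssh"))

def vty_blocks(config):
    # [(name, [sub-commands])] for every 'line vty' section of the config.
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = (line[len("line "):], [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None
    return blocks

def audit_mgmt_plane(config):
    # Findings against this article's requirements: SSH version 2 forced, every
    # VTY line SSH-only with a local/AAA login method, and failed-login throttling.
    lines = config.splitlines()
    findings = []
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 missing (device may still negotiate SSHv1)")
    if not any(ln.startswith("login block-for") for ln in lines):
        findings.append("login block-for missing (no throttling of failed logins)")
    for name, cmds in vty_blocks(config):
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[0].split()[2:] != ["ssh"]:
            findings.append("%s: transport input is not ssh-only" % name)
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append("%s: no login local / login authentication" % name)
    return findings
```

The check covers only what appears in the running-config; the RSA key length has to be verified separately with show crypto key mypubkey rsa.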

Source: https://habr.com/ru/post/457916/


