Solving the WorldSkills tasks of the Network module in the CICA competency. Part 2: Basic Setup
We continue the analysis of the tasks of the WorldSkills Championship Network module in the “Network and System Administration” competence.
The article will cover the following tasks:
On ALL devices, create virtual interfaces, subinterfaces and loop-type interfaces. Assign IP addresses according to the topology;
Enable the SLAAC mechanism to issue IPv6 addresses in the MNG network on the RTR1 interface;
On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto configuration mode;
On ALL devices (except PC1 and WEB), manually assign link-local addresses;
On ALL switches, turn off all ports that are not used in the task and transfer them to VLAN 99;
On switch SW1, enable blocking for 1 minute in case of double incorrect password entry within 30 seconds;
All devices must be available for management via SSH version 2.
The network topology at the physical level is presented in the following diagram:
The network topology at the data link layer is presented in the following diagram:
The network topology at the network level is presented in the following diagram:
An example of the solution of all tasks can be viewed in video format:
pre-configuration of the switches;
setting up IPv6 addressing and enabling the SLAAC mechanism;
configuring SSH version 2.
Presetting
Before performing the tasks above, it is worth configuring basic switching on switches SW1-SW3, since that makes it easier to check their settings later. Switching will be described in detail in the next article; for now only the settings are given.
First of all, VLANs 99, 100 and 300 must be created on all switches:
At this stage the switch configuration allows tagged frames to be exchanged, which is required for the tasks.
1. On ALL devices, create virtual interfaces, subinterfaces and loop-type interfaces. Assign IP addresses according to topology.
The first device to configure is the BR1 router. According to the L3 topology, a loop-type interface, also known as a loopback, with number 101 is required:
Here you can see that the loopback is active: its state is UP. Below it there are two IPv6 addresses, although only one command was used to set an IPv6 address. The reason is that FE80::2D0:97FF:FE94:5022 is the link-local address, which is assigned as soon as IPv6 is enabled on the interface with the ipv6 enable command.
And to view the IPv4 address, use a similar command:
BR1#show ip interface brief
...
Loopback101 2.2.2.2 YES manual up up
...
BR1#
For BR1, the g0/0 interface should be configured right away; here only an IPv6 address needs to be set:
Next, the ISP router is configured. The task calls for loopback 0, but it is also worth configuring interface g0/0 with the address 30.30.30.1, because none of the subsequent tasks say anything about configuring these interfaces. First, loopback 0:
The subinterface number may differ from the number of the VLAN it serves, but for convenience it is better to make them match. The number given when setting the encapsulation type on the subinterface, however, must be the VLAN number: after encapsulation dot1Q 300 the subinterface will pass only frames tagged with VLAN 300.
The last device in this task is RTR2. The link between SW1 and RTR2 is in access mode, so the switch port passes only VLAN 300 traffic, untagged, towards RTR2, as the L2 topology requires. Therefore only the physical interface is configured on RTR2, without subinterfaces:
This completes the configuration of the router interfaces for the current task. The remaining interfaces will be configured as the following tasks are completed.
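The interface configuration this task describes, written out as an added example (it is not the article's own listing). The IPv6 prefixes, the ISP loopback address, the /30 mask and the RTR2 interface name are placeholders or assumptions, because the topology diagrams with the real addresses are not reproduced here; the other values are the ones the text gives.

```cisco
! BR1: loop-type interface 101 with IPv4 2.2.2.2/32 and a global IPv6 address.
! "ipv6 enable" alone already gives the link-local FE80::... address the text shows.
BR1(config)# interface Loopback101
BR1(config-if)# ip address 2.2.2.2 255.255.255.255
BR1(config-if)# ipv6 enable
BR1(config-if)# ipv6 address <BR1-LO101-PREFIX>::2/128
BR1(config-if)# exit
! BR1: the g0/0 uplink towards ISP needs only an IPv6 address in this task.
BR1(config)# interface GigabitEthernet0/0
BR1(config-if)# ipv6 address <BR1-ISP-PREFIX>::2/64
BR1(config-if)# no shutdown
BR1(config-if)# exit

! ISP: loopback 0 (address not given in the text, hence the placeholder) and the
! g0/0 side of the BR1 link; the /30 mask is an assumption, 30.30.30.1 is from the text.
ISP(config)# interface Loopback0
ISP(config-if)# ip address <ISP-LO0-ADDRESS> 255.255.255.255
ISP(config-if)# exit
ISP(config)# interface GigabitEthernet0/0
ISP(config-if)# ip address 30.30.30.1 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)# exit

! RTR1: subinterface for VLAN 300 on the trunk from SW1. Numbering it .300 is a
! convention; the "encapsulation dot1Q 300" tag is what actually selects the VLAN.
! The parent interface name g0/0 is an assumption.
RTR1(config)# interface GigabitEthernet0/0.300
RTR1(config-subif)# encapsulation dot1Q 300
RTR1(config-subif)# ip address <VLAN300-IPV4-ADDRESS> <MASK>
RTR1(config-subif)# ipv6 address <VLAN300-PREFIX>::1/64
RTR1(config-subif)# exit

! RTR2: SW1 hands it untagged VLAN 300 frames (access port), so the addresses go
! straight on the physical interface and no subinterface is created.
RTR2(config)# interface GigabitEthernet0/0
RTR2(config-if)# ip address <RTR2-VLAN300-IPV4-ADDRESS> <MASK>
RTR2(config-if)# ipv6 address <VLAN300-PREFIX>::2/64
RTR2(config-if)# no shutdown
RTR2(config-if)# end
! Check: each interface should list its link-local plus the configured global address.
RTR2# show ipv6 interface brief
```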
a. Enable the SLAAC mechanism to issue IPv6 addresses on the MNG network on the RTR1 interface
SLAAC is enabled by default. The only thing you need to do is enable IPv6 routing. You can do this with the following command:
RTR1(config-subif)#ipv6 unicast-routing
Without this command the device behaves as an IPv6 host. In other words, this command is what makes the additional IPv6 functions available: issuing IPv6 addresses (sending Router Advertisements), configuring routing, and so on.
b. On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto configuration mode
From the L3 topology it is clear that the switches sit in the VLAN 100 network. This means that virtual interfaces (SVIs) must be created on the switches and set to obtain their IPv6 addresses automatically. The pre-configuration was done precisely so that the switches could obtain addresses from RTR1. The task is completed with the following commands, which are the same for all three switches:
In addition to the link-local address, an ipv6 address received from RTR1 appeared. This task was successfully completed, and on the other switches you need to write the same commands.
c. On ALL devices (except PC1 and WEB) manually assign link-local addresses
Thirty-character IPv6 addresses are no pleasure for administrators, so the link-local address can be changed manually, shortening it to the minimum. The task says nothing about which addresses to choose, so the choice is free.
For example, on switch SW1 the link-local address fe80::10 will be set. This is done with the following command from the configuration mode of the chosen interface:
In addition to the link-local address, the resulting IPv6 address has also been changed, since the address is issued based on the link-local address.
On switch SW1 the link-local address had to be set on only one interface. On the RTR1 router there is more to do: a link-local address is needed on two subinterfaces and on the loopback, and in later tasks the Tunnel 100 interface will be added as well.
To avoid typing the commands repeatedly, the same link-local address can be set on all interfaces at once. This is done with the range keyword followed by the list of interfaces:
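The SLAAC, autoconfiguration and link-local steps of subtasks a, b and c in one added example (not the article's listing). The RTR1 subinterface names, the MNG prefix, fe80::1 on RTR1 and the RTR1 loopback number are assumptions; fe80::10 for SW1 and the use of interface range come from the text.

```cisco
! RTR1 (subtask a): a global command. Without it the router behaves as an IPv6
! host and sends no Router Advertisements, so nothing in VLAN 100 gets a prefix.
RTR1(config)# ipv6 unicast-routing
! RTR1: the management (VLAN 100) subinterface whose prefix is advertised.
RTR1(config)# interface GigabitEthernet0/0.100
RTR1(config-subif)# encapsulation dot1Q 100
RTR1(config-subif)# ipv6 address <MNG-PREFIX>::1/64
RTR1(config-subif)# exit
! RTR1 (subtask c): the same short link-local on both subinterfaces and the
! loopback in one go. Link-local scope is per link, so reusing it is fine.
RTR1(config)# interface range GigabitEthernet0/0.100 , GigabitEthernet0/0.300 , Loopback<N>
RTR1(config-if-range)# ipv6 address fe80::1 link-local
RTR1(config-if-range)# end

! SW1 (subtask b; SW2 and SW3 are identical apart from the link-local chosen):
! the VLAN 100 SVI forms its global address from the RA sent by RTR1.
! Caveat: some Catalyst models need an SDM template that allows IPv6 first
! (sdm prefer dual-ipv4-and-ipv6 ...), otherwise IPv6 commands are rejected.
SW1(config)# interface Vlan100
SW1(config-if)# ipv6 address autoconfig
! Subtask c: shorten the link-local. The SLAAC address is rebuilt from the
! new interface identifier (::10), which is the change the text points out.
SW1(config-if)# ipv6 address fe80::10 link-local
SW1(config-if)# no shutdown
SW1(config-if)# end
! Check: the SVI should show fe80::10 plus one <MNG-PREFIX>::10 address.
SW1# show ipv6 interface brief
```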
d. On ALL switches, disable all ports that are not used in the task and transfer them to VLAN 99
The basic idea is the same: select several interfaces with the range command, then move them to the required VLAN and shut them down. For example, on switch SW1, according to the L1 topology, ports f0/3-4, f0/7-8, f0/11-24 and g0/2 are to be shut down. For this example the configuration is as follows:
When checking with the familiar command, note that all unused ports must have the status administratively down, which shows that the port has been shut down:
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
...
fastEthernet 0/3 unassigned YES unset administratively down down
To see which VLAN a port belongs to, use another command:
All unused interfaces must appear there under VLAN 99. Note that interfaces cannot be moved to a VLAN that does not exist; that is why all the VLANs needed for the work were created in the pre-configuration.
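The VLAN creation from the pre-configuration and subtask d for SW1, as one added example (not the article's listing). The port list is the one the text gives for SW1; the checks at the end are the author's commands with filters added here.

```cisco
! Pre-configuration (all switches): the VLANs that later tasks refer to must
! exist, or "switchport access vlan 99" below is refused on older IOS and
! silently creates the VLAN on newer IOS. A comma-separated list is accepted.
SW1(config)# vlan 99,100,300
SW1(config-vlan)# exit

! Subtask d: every port unused in the L1 topology goes to the parking VLAN 99
! and is shut down. Note the spaces around "-" and "," in the range syntax.
SW1(config)# interface range FastEthernet0/3 - 4 , FastEthernet0/7 - 8 , FastEthernet0/11 - 24 , GigabitEthernet0/2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 99
SW1(config-if-range)# shutdown
SW1(config-if-range)# end

! Checks: every port in the range must be "administratively down", and VLAN 99
! must list exactly those ports and nothing else.
SW1# show ip interface brief | include administratively down
SW1# show vlan id 99
```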
e. On switch SW1, enable blocking for 1 minute in case of double incorrect password entry within 30 seconds
SW1#show login
...
If more than 2 login failures occur in 30 seconds or less, logins will be disabled for 60 seconds.
...
This states clearly that after two unsuccessful attempts within 30 seconds or less, logins will be blocked for 60 seconds.
2. All devices must be available for management via SSH version 2
For the devices to be reachable over SSH version 2, some preliminary configuration is required, so for illustration the procedure is first shown on a device with factory settings.
The SSH version is changed as follows:
// SSH 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#
The system asks for RSA keys to be created for SSH version 2 to work. Following the system's advice, RSA keys can be created with the following command:
// RSA
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#
The system refuses to execute the command because the hostname has not been changed. After changing the hostname, the key generation command is entered again:
Now the system refuses to create RSA keys because there is no domain name. Once the domain name is set, the RSA keys can be created. The RSA key length must be at least 768 bits for SSH version 2 to work:
R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
The result is that for SSHv2 to work, you need:
Change hostname;
Change domain name;
Generate RSA keys.
In the previous article the hostname and domain name were already set on all devices, so, continuing with the current devices, only the RSA keys need to be generated:
RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
SSH version 2 is active, but the device is not yet fully configured. The final step is to configure the virtual consoles:
In the previous article the AAA model was set up: on the virtual consoles authentication uses the local database, and after authentication the user goes directly to privileged mode. The simplest test of SSH is to connect to the device itself. RTR1 has a loopback with IP address 1.1.1.1, so you can try connecting to it:
After the -l option the username of an existing user is given, and then the password is entered. After authentication the session goes straight to privileged mode, which means SSH is configured correctly.
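Subtask e on SW1 and the SSHv2 prerequisites of task 2, as one added example (not the article's listing), shown from factory settings as the text does. The hostname, domain and the 1.1.1.1 loopback test are from the article; the username and password placeholder, the "modulus" form of the key command, the "login local" line (the previous article's AAA setup replaces it) and the logging command are assumptions.

```cisco
! SW1 (subtask e): two failed logins within 30 s block further logins for 60 s.
! "login on-failure log" is not required by the task but makes the failed
! attempts visible in syslog, so a brute-force attempt is seen, not just blocked.
SW1(config)# login block-for 60 attempts 2 within 30
SW1(config)# login on-failure log
SW1(config)# end
SW1# show login

! Task 2, on a device with factory settings: the three prerequisites in order.
! Without a hostname and a domain name "crypto key generate rsa" refuses to run.
Router(config)# hostname RTR1
RTR1(config)# ip domain-name wsrvuz19.ru
! 768 bits is the SSHv2 minimum IOS names; the article uses 1024. Giving the
! size on the command line avoids the interactive "How many bits" prompt.
RTR1(config)# crypto key generate rsa modulus 1024
RTR1(config)# ip ssh version 2
! Local account for the VTY lines; the password is a placeholder.
RTR1(config)# username admin privilege 15 secret <PASSWORD>
RTR1(config)# line vty 0 4
RTR1(config-line)# transport input ssh
RTR1(config-line)# login local
RTR1(config-line)# end
! Checks: "show ip ssh" must report version 2.0, then the loopback test from the text.
RTR1# show ip ssh
RTR1# ssh -l admin 1.1.1.1
```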