Solving the WorldSkills tasks of the Network module in the "CCA" competency. Part 2 - Basic Setup

We continue to analyze the tasks of the Network module of the WorldSkills championship in the “Network and System Administration” competency.

The following tasks will be considered in the article:

  1. On ALL devices, create virtual interfaces, subinterfaces, and loop interfaces. Assign IP addresses according to the topology.

    • Enable the SLAAC mechanism for issuing IPv6 addresses in the MNG network on the RTR1 router interface;
    • On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto-configuration mode;
    • On ALL devices (except PC1 and WEB) manually assign link-local addresses;
    • On ALL switches, disable ALL ports that are not used in the job and transfer to VLAN 99;
    • On the SW1 switch, enable the lock for 1 minute in case of a double incorrect password entry within 30 seconds;
  2. All devices must be accessible for SSH version 2 control.

The network topology at the physical level is presented in the following diagram:



The network topology at the data link layer is presented in the following diagram:



The network topology at the network layer is represented in the following diagram:



An example of solving all tasks can be viewed in video format (three videos):

  • Preliminary configuration of the switches
  • Configuring IPv6 addressing and enabling the SLAAC mechanism
  • Configuring SSH version 2

Preliminary setup


Before completing the tasks above, basic switching should be configured on switches SW1-SW3, since this makes it easier to verify their settings later. Switching configuration will be described in detail in the next article; for now only the required settings are given.

The first step is to create VLANs 99, 100 and 300 on all switches:

SW1(config)#vlan 99
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#exit

The next step is to move the g0/1 interface on SW1 into VLAN 300:

SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 300
SW1(config-if)#exit

Interfaces f0/1-2 and f0/5-6, which face the other switches, should be switched to trunk mode:

SW1(config)#interface range fastEthernet 0/1-2, fastEthernet 0/5-6
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk 
SW1(config-if-range)#exit

On switch SW2, interfaces f0/1-4 will be in trunk mode:

SW2(config)#interface range fastEthernet 0/1-4
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk 
SW2(config-if-range)#exit

On switch SW3, interfaces f0/3-6 and g0/1 will be in trunk mode:

SW3(config)#interface range fastEthernet 0/3-6, gigabitEthernet 0/1
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk 
SW3(config-if-range)#exit

At this stage, the switch settings will allow the exchange of tagged packets, which will be required to complete the tasks.

1. On ALL devices, create virtual interfaces, subinterfaces, and loop interfaces. Assign IP addresses according to the topology.


The BR1 router will be configured first. According to the L3 topology, a loop interface, that is a loopback, with the number 101 is needed here:

// Create the loopback
BR1(config)#interface loopback 101
// Assign the IPv4 address
BR1(config-if)#ip address 2.2.2.2 255.255.255.255
// Enable IPv6 on the interface
BR1(config-if)#ipv6 enable
// Assign the IPv6 address
BR1(config-if)#ipv6 address 2001:B:A::1/64
// Leave interface configuration mode
BR1(config-if)#exit
BR1(config)#

To check the status of the created interface, you can use the command show ipv6 interface brief:

BR1#show ipv6 interface brief 
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022	//link-local address
    2001:B:A::1			//IPv6 address
...
BR1#

Here you can see that the loopback is active: its status is up. Below it, two IPv6 addresses are shown, although only one command was used to set the IPv6 address. FE80::2D0:97FF:FE94:5022 is the link-local address, which is assigned automatically when IPv6 is enabled on the interface with the command ipv6 enable.

And to view the IPv4 address, a similar command is used:

BR1#show ip interface brief 
...
Loopback101        2.2.2.2      YES manual up        up 
...
BR1#

For BR1, the g0/0 interface should be configured right away; here only the IPv6 address needs to be set:

// Enter interface configuration mode
BR1(config)#interface gigabitEthernet 0/0
// Enable the interface
BR1(config-if)#no shutdown
BR1(config-if)#ipv6 enable 
BR1(config-if)#ipv6 address 2001:B:C::1/64
BR1(config-if)#exit
BR1(config)#

You can check the settings with the same command show ipv6 interface brief:

BR1#show ipv6 interface brief 
GigabitEthernet0/0         [up/up]
    FE80::290:CFF:FE9D:4624	//link-local address
    2001:B:C::1			//IPv6 address
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022	//link-local address
    2001:B:A::1			//IPv6 address

Next, the ISP router is configured. According to the task, loopback 0 is configured here, but it is also preferable to configure the g0/0 interface, which should have the address 30.30.30.1, because subsequent tasks say nothing about configuring these interfaces. First, loopback 0 is configured:

ISP(config)#interface loopback 0
ISP(config-if)#ip address 8.8.8.8 255.255.255.255
ISP(config-if)#ipv6 enable 
ISP(config-if)#ipv6 address 2001:A:C::1/64
ISP(config-if)#exit
ISP(config)#

The show ipv6 interface brief command can be used to verify that the interface settings are correct. Then the g0/0 interface is configured:

ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#no shutdown 
ISP(config-if)#ip address 30.30.30.1 255.255.255.252
ISP(config-if)#exit
ISP(config)#

Next, RTR1 is configured. Here you also need to create a loopback, with the number 100:

RTR1(config)#interface loopback 100
RTR1(config-if)#ip address 1.1.1.1 255.255.255.255
RTR1(config-if)#ipv6 enable 
RTR1(config-if)#ipv6 address 2001:A:B::1/64
RTR1(config-if)#exit
RTR1(config)#

On RTR1 it is also necessary to create two virtual subinterfaces for VLANs 100 and 300. This can be done as follows.

First, enable the physical interface g0/1 with the no shutdown command:

RTR1(config)#interface gigabitEthernet 0/1
RTR1(config-if)#no shutdown
RTR1(config-if)#exit 

Subinterfaces with numbers 100 and 300 are then created and configured:

// Create subinterface 100 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.100
// Set dot1q encapsulation with VLAN number 100
RTR1(config-subif)#encapsulation dot1Q 100
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:100::1/64
RTR1(config-subif)#exit
// Create subinterface 300 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.300
// Set dot1q encapsulation with VLAN number 300
RTR1(config-subif)#encapsulation dot1Q 300
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:300::2/64
RTR1(config-subif)#exit

The subinterface number may differ from the number of the VLAN in which it will operate, but for convenience it is better to use a subinterface number that matches the VLAN number. When setting the encapsulation type on the subinterface, specify the number that matches the VLAN number: after the command encapsulation dot1Q 300, the subinterface will only pass packets of VLAN 300.

The last router in this task is RTR2. The link between SW1 and RTR2 must be in access mode: according to the L2 topology in the task, the switch interface will only pass packets of VLAN 300 towards RTR2. Therefore, on RTR2 only the physical interface is configured, without creating subinterfaces:

RTR2(config)#interface gigabitEthernet 0/1
RTR2(config-if)#no shutdown 
RTR2(config-if)#ipv6 enable
RTR2(config-if)#ipv6 address 2001:300::3/64
RTR2(config-if)#exit
RTR2(config)#

Then the g0/0 interface is configured:

RTR2(config)#interface gigabitEthernet 0/0
RTR2(config-if)#no shutdown 
RTR2(config-if)#ip address 30.30.30.2 255.255.255.252
RTR2(config-if)#exit
RTR2(config)#

This completes the configuration of the router interfaces for the current task. The remaining interfaces will be configured as soon as the following tasks are completed.

a. Enable the SLAAC mechanism to issue IPv6 addresses in the MNG network on the RTR1 router interface

SLAAC is enabled by default. The only thing to do is enable IPv6 routing. You can do this with the following command:

RTR1(config)#ipv6 unicast-routing

Without this command, the device acts as a host. In other words, this command makes additional IPv6 functions available, including issuing IPv6 addresses, configuring routing, and more.

b. On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto-configuration mode

It can be seen from the L3 topology that the switches are connected to the VLAN 100 network. This means that virtual interfaces must be created on the switches and then set to obtain IPv6 addresses automatically. The initial configuration was made precisely so that the switches could obtain addresses from RTR1. This task can be completed with the following list of commands, which is suitable for all three switches:

// Create the virtual interface
SW1(config)#interface vlan 100
SW1(config-if)#ipv6 enable
// Obtain the IPv6 address automatically
SW1(config-if)#ipv6 address autoconfig
SW1(config-if)#exit

You can check with the same command show ipv6 interface brief:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::A8BB:CCFF:FE80:C000		// link-local address
    2001:100::A8BB:CCFF:FE80:C000	// IPv6 address obtained automatically

In addition to the link-local address, an IPv6 address obtained from RTR1 has appeared. This task is complete; the same commands must be entered on the other switches.

c. On ALL devices (except PC1 and WEB) manually assign link-local addresses

Thirty-digit IPv6 addresses are no pleasure for administrators, so the link-local address can be changed manually, reducing its length to the minimum. The task says nothing about which addresses to choose, so the choice is free here.

For example, on switch SW1 the link-local address fe80::10 is to be set. This can be done with the following command from the configuration mode of the selected interface:

// Enter the virtual interface vlan 100
SW1(config)#interface vlan 100
// Set the link-local address manually
SW1(config-if)#ipv6 address fe80::10 link-local
SW1(config-if)#exit

Now addressing looks much more attractive:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::10		//link-local address
    2001:100::10	//IPv6 address

In addition to the link-local address, the obtained IPv6 address has also changed, since the autoconfigured address is formed from the link-local address.
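As an added illustration (not part of the original article), the following Python script shows how IOS forms the two addresses seen in show ipv6 interface brief: the link-local address is derived from the interface MAC by the modified EUI-64 rule, and the SLAAC address is the /64 prefix advertised by RTR1 combined with the interface identifier of the link-local address, which is why changing link-local to fe80::10 also changed the global address to 2001:100::10. The MAC values used are reconstructed from the link-local addresses printed above by reversing EUI-64; they are not stated in the article, and the function names are mine.

```python
import ipaddress

# Added illustration (not from the article): how the two IPv6 addresses seen in
# "show ipv6 interface brief" relate to each other and to the interface MAC.
# MAC values in the demo below are reconstructed from the link-local addresses
# printed in the article by reversing the EUI-64 transformation.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) for a 48-bit MAC.

    Accepts 'aa:bb:cc:80:c0:00', 'aabb.cc80.c000' or 'aa-bb-cc-80-c0-00'.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Insert FF:FE between the OUI and the device part, then flip the
    # universal/local bit (bit 1 of the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The link-local address IOS derives when 'ipv6 enable' is entered on an interface."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def interface_id(addr: str) -> int:
    """Low 64 bits (the interface identifier) of any IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def slaac_address(prefix: str, link_local: str) -> ipaddress.IPv6Address:
    """Address SLAAC produces from an advertised /64 prefix and the host's link-local address.

    The interface identifier is copied from the link-local address, so a manually
    set link-local (fe80::10) yields a short global address (2001:100::10).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id(link_local))


if __name__ == "__main__":
    # SW1: MAC reconstructed from FE80::A8BB:CCFF:FE80:C000 in the article's output
    ll = link_local_from_mac("aa:bb:cc:80:c0:00")
    print("SW1 link-local       :", ll)
    print("SW1 SLAAC (EUI-64)   :", slaac_address("2001:100::/64", str(ll)))
    print("SW1 SLAAC (fe80::10) :", slaac_address("2001:100::/64", "fe80::10"))
    # BR1: MAC reconstructed from FE80::2D0:97FF:FE94:5022
    print("BR1 link-local       :", link_local_from_mac("00d0.9794.5022"))
```

The EUI-64 form embeds the hardware address (including the vendor OUI) in every global address the device obtains, which is one more reason administrators prefer to set short link-local addresses on management interfaces by hand: the resulting SLAAC address is both readable and stable across hardware replacement.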

On switch SW1, the link-local address only had to be set on one interface. On the RTR1 router more settings are needed: link-local must be set on two subinterfaces and on the loopback, and in later settings the tunnel 100 interface will also appear.

To avoid entering the commands repeatedly, the same link-local address can be set on all interfaces at once. This is done using the keyword range followed by a list of all the interfaces:

// Configure several interfaces at once
RTR1(config)#interface range gigabitEthernet 0/1.100, gigabitEthernet 0/1.300, loopback 100
// Set the link-local address manually
RTR1(config-if-range)#ipv6 address fe80::1 link-local
RTR1(config-if-range)#exit

When checking the interfaces, it will be possible to see that link-local addresses have been changed on all selected interfaces:

RTR1#show ipv6 interface brief
gigabitEthernet 0/1.100		[up/up]
    FE80::1
    2001:100::1
gigabitEthernet 0/1.300		[up/up]
    FE80::1
    2001:300::2
Loopback100            		[up/up]
    FE80::1
    2001:A:B::1

All other devices are configured in the same way.

d. On ALL switches, disable ALL ports that are not used in the job and transfer to VLAN 99

The main idea is, in the same way, to select several interfaces for configuration using the range command, then enter the commands to move them to the desired VLAN, and then shut the interfaces down. For example, on switch SW1, according to the L1 topology, the ports f0/3-4, f0/7-8, f0/11-24 and g0/2 will be turned off. For this example the configuration is as follows:

// Select all unused ports
SW1(config)#interface range fastEthernet 0/3-4, fastEthernet 0/7-8, fastEthernet 0/11-24, gigabitEthernet 0/2
// Set access mode on the interfaces
SW1(config-if-range)#switchport mode access 
// Move the interfaces to VLAN 99
SW1(config-if-range)#switchport access vlan 99
// Shut the interfaces down
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit

When checking the settings with the already familiar command, note that all unused ports should have the status administratively down, which indicates that the port is turned off:

SW1#show ip interface brief
Interface          IP-Address   OK? Method   Status                  Protocol
...
fastEthernet 0/3   unassigned   YES unset    administratively down   down

To see which vlan the port is in, you can use another command:

SW1#show vlan brief
...
99   VLAN0099     active    Fa0/3, Fa0/4, Fa0/7, Fa0/8
                            Fa0/11, Fa0/12, Fa0/13, Fa0/14
                            Fa0/15, Fa0/16, Fa0/17, Fa0/18
                            Fa0/19, Fa0/20, Fa0/21, Fa0/22
                            Fa0/23, Fa0/24, Gig0/2
...                          

All unused interfaces should be listed here. Note that it is not possible to move interfaces into a VLAN if that VLAN has not been created. This is why all the VLANs needed for the work were created during the initial setup.

e. On the SW1 switch, enable the lock for 1 minute in the event of a double incorrect password entry within 30 seconds

You can do this with the following command:

// Block for 60 s; attempts: 2; within: 30 s
SW1(config)#login block-for 60 attempts 2 within 30

You can also check these settings as follows:

SW1#show login
...
   If more than 2 login failures occur in 30 seconds or less,
     logins will be disabled for 60 seconds.
...

This states clearly that after two unsuccessful attempts within 30 seconds or less, login will be blocked for 60 seconds.

2. All devices must be accessible for management over SSH version 2.


For devices to be accessible via SSH version 2, the equipment must first be configured, so for illustration a device with factory settings will be configured first.

The SSH version can be changed as follows:

// Set SSH version 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#

The system asks for RSA keys to be created for SSH version 2 to work. Following the system's advice, RSA keys can be created with the following command:

// Generate RSA keys
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#

The system does not allow the command to be executed because the hostname has not been changed. After changing the hostname, you need to write the key generation command again:

Router(config)#hostname R1
R1(config)#crypto key generate rsa 
% Please define a domain-name first.
R1(config)#

Now the system refuses to create RSA keys because no domain name is set. After the domain name is set, RSA keys can be created. RSA keys must be at least 768 bits long for SSH version 2 to work:

R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

As a result, it turns out that for SSHv2 to work, you need:

  1. Change hostname;
  2. Change domain name;
  3. Generate RSA keys.

In the last article, the settings for changing the hostname and domain name on all devices were given, therefore, continuing to configure the current devices, you only need to generate RSA keys:

RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SSH version 2 is active, but the device is not yet fully configured. The final step will be to configure the virtual consoles:

// Enter virtual console (vty) configuration
RTR1(config)#line vty 0 4
// Allow remote connections over SSH only
RTR1(config-line)#transport input ssh
RTR1(config-line)#exit

In the last article, the AAA model was configured: authentication on the virtual consoles uses the local database, and after authentication the user enters privileged mode immediately. The simplest SSH check is to connect to the device itself. RTR1 has a loopback with IP address 1.1.1.1, so you can try connecting to that address:

// Connect via SSH
RTR1(config)#do ssh -l wsrvuz19 1.1.1.1
Password: 
RTR1#

After the -l key, the login of an existing user is entered, then the password. After authentication, the session goes straight to privileged mode, which means SSH is configured correctly.
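To verify tasks d, e and 2 without reading the whole running-config by eye, here is an added Python audit script (not from the article, and not a Cisco tool) that parses an IOS-style running-config and reports deviations: unused ports not in VLAN 99 or not shut down, a missing ip ssh version 2, a missing domain name, vty lines not restricted to SSH, and a missing or wrong login block-for line. The sample config is constructed to resemble SW1 as configured above, with FastEthernet0/4 deliberately left without shutdown so the script has something to report; the function names and the used-port set are my own, and the script assumes the config uses the ip domain-name form shown in the article.

```python
import re

# Constructed sample running-config for SW1, modelled on the commands in this
# article; it is not output captured from a real switch. FastEthernet0/4 is
# deliberately left without 'shutdown' so the audit has something to report.
SAMPLE_CONFIG = """\
ip domain-name wsrvuz19.ru
ip ssh version 2
login block-for 60 attempts 2 within 30
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 99
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 99
!
line vty 0 4
 transport input ssh
!
"""

# Ports the SW1 topology in the article actually uses (trunks f0/1-2, f0/5-6 and g0/1).
SW1_USED_PORTS = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/5",
                  "FastEthernet0/6", "GigabitEthernet0/1"}


def parse_sections(config: str):
    """Split IOS-style text into top-level lines and a dict of section -> indented lines."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections in a running-config
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def check_unused_ports(sections, used_ports):
    """Task d: every physical port not in used_ports must be in VLAN 99 and shut down."""
    findings = []
    for name, lines in sections.items():
        if not name.startswith("interface ") or name.startswith("interface Vlan"):
            continue
        port = name.split(" ", 1)[1]
        if port in used_ports:
            continue
        if "switchport access vlan 99" not in lines:
            findings.append(f"{port}: unused port is not in VLAN 99")
        if "shutdown" not in lines:
            findings.append(f"{port}: unused port is not shut down")
    return findings


def check_ssh(top, sections):
    """Task 2: SSHv2 enabled, a domain name for RSA keys, and vty lines limited to SSH."""
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 is not set")
    if not any(t.startswith("ip domain-name ") for t in top):
        findings.append("no domain name configured (RSA key generation will refuse to run)")
    vty = [k for k in sections if k.startswith("line vty")]
    if not vty:
        findings.append("no vty lines configured")
    for k in vty:
        if "transport input ssh" not in sections[k]:
            findings.append(f"{k}: transport input is not restricted to ssh")
    return findings


LOGIN_BLOCK = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)$")


def check_login_block(top, block=60, attempts=2, within=30):
    """Task e: 'login block-for 60 attempts 2 within 30' must be present with these exact values."""
    for t in top:
        m = LOGIN_BLOCK.match(t)
        if m:
            got = tuple(int(x) for x in m.groups())
            if got == (block, attempts, within):
                return []
            return [f"login block-for is {got}, expected {(block, attempts, within)}"]
    return ["login block-for is not configured"]


def audit(config: str, used_ports):
    """Run all checks; an empty list means the config satisfies tasks d, e and 2."""
    top, sections = parse_sections(config)
    return (check_unused_ports(sections, used_ports)
            + check_ssh(top, sections)
            + check_login_block(top))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SW1_USED_PORTS) or ["no findings"]:
        print(finding)
```

Feed it the text of show running-config for each switch (with its own used-port set) and an empty result means the three tasks are satisfied; a port that is merely in VLAN 99 but still up, as FastEthernet0/4 is in the sample, is reported, since an enabled port in a parking VLAN is still an open door on the switch.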
