Test Project

IT Network Systems Administration

Module A – Cisco Network Environment

Submitted by:
ITNSA-ID Team

LKSN2019_ITNSA
Contents
Introduction .................................................................................................................................................. 3
NETWORK ISLAND TASK ..............................................................................................................................4
BASIC CONFIGURATION ............................................................................................................................................ 4
SWITCHING CONFIGURATION ...................................................................................................................................5
ROUTING CONFIGURATION ...................................................................................................................................... 6
SERVICES CONFIGURATION ...................................................................................................................................... 6
SECURITY CONFIGURATION ..................................................................................................................................... 6
MONITORING AND BACKUP CONFIGURATION ......................................................................................................... 7
WAN & VPN CONFIGURATION ................................................................................................................................... 7
LAYER 1 NETWORK DIAGRAM ...................................................................................................................... 8
LAYER 2 NETWORK DIAGRAM ...................................................................................................................... 9
LAYER 3 NETWORK DIAGRAM ..................................................................................................................... 10

Date: 13.02.19 Version: 1.0

2 of 11
LKSN2019_ITNSA © WorldSkills International
Introduction to Test Project
This Test Project proposal consists of the following document/file:
 LKSN2019_ITNETWORK_MODUL_A.pdf

Introduction
Network technologies knowledge has become essential nowadays for people who want to build a successful
career in any IT engineering field. This test project contains a lot of challenges from real life experience,
primarily IT integration and IT outsourcing. If you are able to complete this project with the high score, you are
definitely ready to implement network infrastructure for any multi-branch enterprise.

Description of project and tasks

This test project is designed using a variety of network technologies that should be familiar from the Cisco
certification tracks. Tasks are broken down into following configuration sections:
 Basic configuration
 Switching
 WAN
 Routing
 Services
 Security
 Monitoring and backup
 WAN and VPN
All sections are independent but all together they build very complex network infrastructure. Some tasks are
pretty simple and straight forward; others may be tricky. You may see that some technologies are expected to
work on top of other technologies. For example, IPv6 routing is expected to run on top of configured VPNs,
which are, in turn, expected to run on top of IPv4 routing, which is, in turn, expected to run on top of PPPoE,
and so on. It is important to understand that if you are unable to come up with a solution in the middle of such
technology stack it doesn’t mean that the rest of your work will not be graded at all. For example, you may not
configure IPv4 routing that is required for VPN because of IP reachability but you can use static routes and
then continue to work with VPN configuration and everything that runs on top. You won’t receive points for
IPv4 routing in this case but you will receive points for everything that you made operational on top as long as
functional testing is successful.

NOTE:
RADIUS VM (Debian 9.5)
Username : root / skill39
Password : Skill39

PC1 (Ubuntu 16.04)

Username : skill39
Password : Skill39

Date: 13.02.19 Version: 1.0

3 of 11
LKSN2019_ITNSA © WorldSkills International
NETWORK ISLAND TASK
BASIC CONFIGURATION
 Configure domain name lksn2019.com for HQ2, BR1, and FW2
 Create user lksn2019 with password yogyakarta on HQ2, BR1, and FW2
o Only scrypt hash of the password should be stored in configuration. (This requirement only
applies to the routers, NOT the ASA Firewalls)
o User should have maximum privileges.
 Configure new AAA model for HQ2, BR1, and FW2.
o Remote console (vty) authentication should use local username database.
o After successful authentication on vty line users should automatically land in privileged mode
(except for FW2).
o Enable login authentication on local console.
o After successful authentication on local console user should land in user mode with minimal
privileges (privilege level 1).
o After successful authentication on local console of BR1 router user should automatically land
in privileged mode with maximal privileges.
 Configure RADIUS authentication for all remote consoles (vty) on HQ2 router.
o Authentication sequence:
 RADIUS server
 Local username database
o Use “cisco1” as the shared key.
o Use port numbers 1812 for authentication and 1813 for accounting.
o IP address of the RADIUS server is 192.168.10.10
o Configure automatic authorization — after successful authentication on RADIUS server user
should automatically land in privileged mode with maximal privileges.
o Test RADIUS authentication using radius/cisco1 credentials.
 Configure diy as a privileged mode password for HQ2, BR1, and FW2.
o Password should be stored in configuration in plain text (not in hash).
o Configure privileged mode authorization on FW2. For example:
#Connect to FW1 using SSH or Console
Username: lksn2019
Password: yogyakarta
Type help or '?' for a list of available commands.
FW1> enable
Password: diy
FW1#
o Set the mode where all the passwords in the configuration are stored as a reversible cipher
text.
 Create all necessary interfaces, subinterfaces and loopbacks on ALL devices. Use IP addressing
according to the L3 diagram.
o Use VLAN101 as a virtual interface for SW1, SW2 and SW3 switches. Use IP address
 192.168.10.51 for SW1
 192.168.10.52 for SW2
 192.168.10.53 for SW3.
o For HQ1 and HQ2 use automatic IPv6 addresses generation (EUI-64) for LAN1 subnet.
 HQ2, BR1, and FW2 devices should be accessible using SSH protocol version 2. For FW2 allow
SSH connection on the “inside” interface.
 Configure current local time zone (GMT +7) on HQ1 router.

Date: 13.02.19 Version: 1.0

4 of 11
LKSN2019_ITNSA © WorldSkills International
SWITCHING CONFIGURATION
 Configure VTP version 2 on SW1, SW2 and SW3. Use SW1 as VTP server, SW2 and SW3 as
clients. Use LKSN as VTP domain name and 2019 as a password. VLAN database on all switches
should contain following VLANs:
o VLAN 101 with name LAN1.
o VLAN 102 with name VOICE.
o VLAN 103 with name EDGE.
 On SW1, SW2 and SW3 switches configure dynamic trunking protocol:
o For Gi1/1 and Gi2/1 ports on SW1 switch configure mode that will listen for trunk negotiation
but won’t initiate it itself.
o For Gi1/1 ports on SW2 switch and for Gi2/1 ports on SW3 switch configure mode that will
initiate trunk negotiation.
o Configure ports Gi0/1-3 on SW1 and SW2 for traffic transmission using IEEE 802.1q
protocol.
 Configure link aggregation between switches SW1 and SW2. Use following port-channel number 1.
o SW2 switch should use PAgP desirable mode.
o SW3 switch should use PAgP auto mode.
 Configure spanning tree protocol:
o For ALL switches use STP protocol version which is compatible with 802.1w standard.
o SW2 switch should be STP root in VLAN 101. In case of SW2 failure, SW3 should become a
root.
o SW1 switch should be STP root in VLAN 102. In case of SW3 failure, SW2 should become a
root.
o SW3 switch should be STP root in VLAN 103. In case of SW1 failure, SW1 should become a
root.
o For traffic transmission in VLANs 101, 102 and 103 on SW1 and SW2 use ports that are not
participating in channel-groups.
 Turn on root guard on SW2 port which is connected to RADIUS VM.
 Configure portfast on SW3 switch which is connected to PC1.
 LAN1 subnet traffic between HQ1 router and SW1 switch should be forwarded without IEEE 802.1q
tag.

Date: 13.02.19 Version: 1.0

5 of 11
LKSN2019_ITNSA © WorldSkills International
ROUTING CONFIGURATION
 Configure EIGRP with AS number 2019 on ISP1, ISP2, HQ1, HQ2 and BR1 routers according to the
routing diagram. Enable routing updates authentication. Use MD5 algorithm with DIY key.
 Configure BGP on ISP1, ISP2, HQ1, and HQ2 according to the routing diagram.
o Routers HQ1 and HQ2 should exchange routing updates using iBGP
o Configure route filtering so that route 209.136.0.0/16 won’t be present in routing table on
HQ1 router.
 Configure OSPFv2 on HQ1, HQ2, BR1 routers and FW1, FW2 firewalls according to the routing
diagram.
 Configure OSPFv3 on HQ1, HQ2, and BR1 routers according to the routing diagram.
 On BR1 router configure OSPF route redistribution only for Loopback10 subnet into EIGRP AS
2019.

SERVICES CONFIGURATION
 Configure dynamic port translation on HQ1 and HQ2 routers for LAN1 subnet so that all internal IPv4
addresses are translated into IPv4 address of the interface which is connected to the INET10 and
INET20 subnets respectively.
 Configure first-hop redundancy protocols on HQ1 and HQ2 routers:
o Configure GLBP group for LAN1 subnet:
 Group number 100
 Use 192.168.10.252 as the virtual IP address
 Configure priority 151 for HQ1 router and 101 for HQ2 router.
o Configure HSRP group for LAN2 subnet:
 Group number 200
 Use 192.168.20.252 as the virtual IP address
 Configure priority 121 for HQ1 router and 111 for HQ2 router.
 Configure DHCP using following parameters:
o On HQ1 router for LAN subnet:
 Network address — 192.168.10.0/24;
 Default gateway — virtual IP address of GLBP group;
 DNS server — 192.168.10.10;
 Exclude first 50 usable addresses from DHCP pool.
 DHCP server should assigned 192.168.10.10 to the “RADIUSSRV” server.
o Make sure “RADIUSSRV” server and “PC1” are configured as DHCP clients

SECURITY CONFIGURATION
 Configure role-based access control on BR1 router:
o Create user1, user2, user3 with yogyakarta password.
o Create view-context “show_view”:
 Include “show version” command
 Include all unprivileged commands of “show ip *”
 Include “who” command
 user1 should land in this context after successful authentication on local or remote
console.
o Create view-context “ping_view”:
 Include “ping” command
 Include “traceroute” command

Date: 13.02.19 Version: 1.0

6 of 11
LKSN2019_ITNSA © WorldSkills International
  user2 should land in this context after successful authentication on local or remote
console.
o Create superview-context that combines these 2 contexts. user3 should land in this
superview-context after successful authentication on local or remote console.
o Make sure that users cannot issue any other commands within contexts that are assigned to
them (except show banner and show parser, which are implicitly included in any view).
 On port of SW3 switch which is connected to PC1 enable and configure port-security using following
parameters:
o Maximum MAC addresses — 2
o MAC addresses should be automatically saved in running configuration.
o In case of policy violation, security message should be displayed on the console; port should
not go to err-disabled state.
 Turn on DHCP snooping on SW2 switch for LAN1 subnet. Use internal flash to keep DHCP-
snooping database.

MONITORING AND BACKUP CONFIGURATION

 Configure logging of system messages on HQ1 router and FW1 firewall. All logs including
informational messages should be sent to the RADIUSRV server (location /var/log/hq1.log and
/var/log/fw1.log).
 Configure SNMP v2c on HQ1 router and FW1 firewall :
o Use read-only community string snmp_ro
o Configure device location Indonesia, ID
o Configure system contact [email protected]
 Configure configuration backup on HQ1 router:
o Backup copy of running configuration should be automatically saved on RADIUS server
using TFTP each time configuration is saved (copied to startup);
o Use following naming convention for backup files: <hostname><time>.cfg
o Location for configuration backup files is /srv/tftp/ on RADIUSSRV server

WAN & VPN CONFIGURATION

 Configure ISP1 router as PPPoE server and ISP2 router as PPPoE client. Use PAP for
authentication with papuser\yogyakarta credentials.
 Configure GRE tunnel between HQ1 and BR1 routers:
o Use Tunnel100 as VTI for all routers;
o Assign IPv6 addresses 2001::1/64 and 2001::2/64 for tunnel of HQ1 and BR1 respectfully;
 Configure IKEv2 IPsec Site-to-Site VPN on FW1, FW2 firewalls:
o Phase 1 parameters:
 Hash – MD5
 Encryption – AES-128
 DH group – 5
 Authentication – pre-shared key (cisco1)
o Phase 2 parameters:
 Protocol – ESP
 Encryption – AES-128
 Hash – MD5
o For transmission through IPsec tunnel permit all TCP traffic from network of IP address of
HQ2 subinterface in LAN2 subnet to network of IP address of BR2 interface in LAN3 subnet.

Date: 13.02.19 Version: 1.0

7 of 11
LKSN2019_ITNSA © WorldSkills International
LAYER 1 NETWORK DIAGRAM

Gi0/3 Gi0/2

ISP1 ISP2
Gi0/1 Gi0/2 Gi0/1

Gi0/2 Gi0/2 Gi0/1

HQ1 HQ2 BR1

Gi0/1

Gi0/1

Gi0/2
Gi0/1
Gi0/2
Gi0/1 Gi0/3 Gi0/1
Gi1/1 Gi1/2 Gi0/2 Gi0/2
Gi1/1

Gi1/2

Gi0/1 Gi0/1
ens33 Gi1/0 Gi0/2 Gi0/2 Gi1/0 eth1
Gi0/3 Gi0/3

RADIUSSRV PC1

Date: 13.02.19 Version: 1.0

8 of 11
LKSN2019_ITNSA © WorldSkills International
LAYER 2 NETWORK DIAGRAM
VT1 Dialer 1

ISP1 ISP2
Gi0/1 Gi0/2 Gi0/1

Gi0/2 Gi0/2 Gi0/1

HQ1 HQ2 BR1

Gi0/2
Gi0/1

Gi0/1

Gi0/1
Gi0/2
Gi0/1
Gi0/3 Vlan103 Gi0/1
Gi1/1 Gi0/2 Gi0/2
Gi1/2
Gi1/1

Gi1/2

Gi0/3 Gi0/3
Vlan101 Gi1/0 Gi1/0 Vlan101
PO3 PO3

RADIUSSRV PC1

Date: 13.02.19 Version: 1.0

9 of 11
LKSN2019_ITNSA © WorldSkills International
LAYER 3 NETWORK DIAGRAM

Loopback200
138.76.0.1/16
Loopback8
Loopback101

8.8.8.8/32
11.11.11.11/32 Loopback100
dead:beef:11::1/128 209.136.0.1/16

Gi0/1.101 INET10 INET30

Gi0/2 Gi0/1 Gi0/3 Gi0/2
.254 20.19.7.0/30 20.19.7.8/30 Loopback4
.2 .1 .9 .10
8.8.4.4/32
Gi0/1.101
HQ1 ISP2 ISP2
.254

Gi0/1.101
.254

Gi0/1
.5

.13
Gi0/2
INET20
20.19.7.4/30 INET40
20.19.7.12/30

Gi0/1
.14
LAN1
192.168.10.0/24
VOICE a1f:ea75:ca75::0/64
192.168.20.0/24 Loopback1
Loopback10 1.1.1.1/32
10.10.10.10/32 dead:beef:1::1/128
BR1
Gi0/1.101

Gi0/2
.254
.253

Gi0/1.101 LAN2
.253 Gi0/2 10.20.30.0/24
.6
EDGE Gi0/1.101
HQ2

Gi0/1
.253
192.168.30.0/24 .253

Loopback102
22.22.22.22/32
dead:beef:22::1/128
Gi0/1 Gi0/2 INET1 Gi0/2
.252 .1 20.19.8.0/30 .2

Date: 13.02.19 Version: 1.0

10 of 11
LKSN2019_ITNSA © WorldSkills International
ROUTING DIAGRAM
EIGRP AS 2019

INET30 OSPFv3 Area 0

20.19.7.8/30

INET10 Loopback101
20.19.7.0/30 LAN1 dead:beef:11::1/128
INET40 A1f:ea75:ca75::0/64
BGP AS 65001 20.19.7.12/30

Loopback101 INET20
11.11.11.11/32 20.19.7.4/30
Loopback1
Loopback102 Loopback102 dead:beef:1::1/128
22.22.22.22/32 dead:beef:22::1/128

OSPF Area 0

INET1
20.19.8.0/30
OSPF Area 3
BGP AS 65002 OSPF Area 2
Loopback10
Loopback100 10.10.10.10/32
209.136.0.0/16 INET3
10.20.30.0/24

OSPF Area 1

BGP AS 65003 BGP AS 65004

LAN1 EDGE
Loopback200 Loopback1
192.168.10.0/24 192.168.30.0/24
138.76.1.0/16 1.1.1.1/32

VOICE
192.168.20.0/24

Date: 13.02.19 Version: 1.0

11 of 11
LKSN2019_ITNSA © WorldSkills International