We continue to analyze the tasks of the Network module of the WorldSkills Championship in the Network and System Administration competency.
The following tasks will be considered in the article:
- On ALL devices, create virtual interfaces, subinterfaces, and loopback interfaces. Assign IP addresses according to the topology.
- Enable the SLAAC mechanism for issuing IPv6 addresses in the MNG network on the RTR1 router interface;
- On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto-configuration mode;
- On ALL devices (except PC1 and WEB) manually assign link-local addresses;
- On ALL switches, disable ALL ports not used in the job and transfer to VLAN 99;
- On switch SW1, enable lockout for 1 minute if the password is entered incorrectly twice within 30 seconds;
- All devices must be available for management via SSH protocol version 2.
The network topology at the physical layer is presented in the following diagram:
The network topology at the data link layer is shown in the following diagram:
The network topology at the network layer is shown in the following diagram:
Preliminary setup
Before performing the tasks above, it is worth configuring basic switching on switches SW1-SW3, since this makes it easier to verify the settings later. The switching setup will be described in detail in the next article; here only the required settings are given.
First of all, you need to create vlans with numbers 99, 100 and 300 on all switches:
SW1(config)#vlan 99
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#exit
The next step is to move the g0/1 interface on SW1 to VLAN 300:
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 300
SW1(config-if)#exit
Interfaces f0/1-2 and f0/5-6, which face the other switches, should be switched to trunk mode:
SW1(config)#interface range fastEthernet 0/1-2, fastEthernet 0/5-6
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#exit
On switch SW2, interfaces f0/1-4 will be in trunk mode:
SW2(config)#interface range fastEthernet 0/1-4
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#exit
On switch SW3, interfaces f0/3-6 and g0/1 will be in trunk mode:
SW3(config)#interface range fastEthernet 0/3-6, gigabitEthernet 0/1
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk
SW3(config-if-range)#exit
At this stage the switches are configured to exchange tagged frames, which the following tasks require.
1. On ALL devices, create virtual interfaces, subinterfaces, and loopback interfaces. Assign IP addresses according to the topology.
Router BR1 is configured first. According to the L3 topology, a virtual (loopback) interface numbered 101 has to be configured here:
// Create the loopback interface
BR1(config)#interface loopback 101
// Assign the IPv4 address
BR1(config-if)#ip address 2.2.2.2 255.255.255.255
// Enable IPv6 on the interface
BR1(config-if)#ipv6 enable
// Assign the IPv6 address
BR1(config-if)#ipv6 address 2001:B:A::1/64
// Exit interface configuration mode
BR1(config-if)#exit
BR1(config)#
To check the status of the created interface, you can use the command show ipv6 interface brief:
BR1#show ipv6 interface brief
...
Loopback101 [up/up]
FE80::2D0:97FF:FE94:5022 // link-local address
2001:B:A::1 // IPv6 address
...
BR1#
Here you can see that the loopback is active, state up/up. Below it two IPv6 addresses are listed, although only one command was used to set an IPv6 address. The reason is that FE80::2D0:97FF:FE94:5022 is the link-local address, which is assigned automatically when IPv6 is enabled on the interface with the command ipv6 enable.
And to view the IPv4 address, a similar command is used:
BR1#show ip interface brief
...
Loopback101 2.2.2.2 YES manual up up
...
BR1#
For BR1, the g0/0 interface should be configured right away; here only the IPv6 address needs to be set:
// Enter interface configuration mode
BR1(config)#interface gigabitEthernet 0/0
// Bring the interface up
BR1(config-if)#no shutdown
BR1(config-if)#ipv6 enable
BR1(config-if)#ipv6 address 2001:B:C::1/64
BR1(config-if)#exit
BR1(config)#
You can check the settings with the same command show ipv6 interface brief:
BR1#show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::290:CFF:FE9D:4624 // link-local address
2001:B:C::1 // IPv6 address
...
Loopback101 [up/up]
FE80::2D0:97FF:FE94:5022 // link-local address
2001:B:A::1 // IPv6 address
Next, the ISP router is configured. According to the task, loopback 0 is configured here, but it is also advisable to configure the g0/0 interface, which should have the address 30.30.30.1, because nothing will be said about configuring these interfaces in the subsequent tasks. First, loopback 0 is configured:
ISP(config)#interface loopback 0
ISP(config-if)#ip address 8.8.8.8 255.255.255.255
ISP(config-if)#ipv6 enable
ISP(config-if)#ipv6 address 2001:A:C::1/64
ISP(config-if)#exit
ISP(config)#
With the command show ipv6 interface brief you can verify that the interface is configured correctly. Then interface g0/0 is configured:
ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip address 30.30.30.1 255.255.255.252
ISP(config-if)#exit
ISP(config)#
Next, the RTR1 router is configured. Here you also need to create a loopback numbered 100:
RTR1(config)#interface loopback 100
RTR1(config-if)#ip address 1.1.1.1 255.255.255.255
RTR1(config-if)#ipv6 enable
RTR1(config-if)#ipv6 address 2001:A:B::1/64
RTR1(config-if)#exit
RTR1(config)#
Also on RTR1, you need to create 2 virtual subinterfaces for vlans with numbers 100 and 300. This can be done as follows.
First, enable the g0/1 physical interface with the no shutdown command:
RTR1(config)#interface gigabitEthernet 0/1
RTR1(config-if)#no shutdown
RTR1(config-if)#exit
Then subinterfaces numbered 100 and 300 are created and configured:
// Create subinterface 100 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.100
// Set dot1q encapsulation with VLAN number 100
RTR1(config-subif)#encapsulation dot1Q 100
RTR1(config-subif)#ipv6 enable
RTR1(config-subif)#ipv6 address 2001:100::1/64
RTR1(config-subif)#exit
// Create subinterface 300 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.300
// Set dot1q encapsulation with VLAN number 300
RTR1(config-subif)#encapsulation dot1Q 300
RTR1(config-subif)#ipv6 enable
RTR1(config-subif)#ipv6 address 2001:300::2/64
RTR1(config-subif)#exit
The subinterface number may differ from the number of the VLAN it serves, but for convenience it is better to make the subinterface number match the VLAN number. What must match the VLAN number is the encapsulation setting: after the command encapsulation dot1Q 300 the subinterface will only pass frames tagged with VLAN 300.
The last device in this task is the RTR2 router. The link between SW1 and RTR2 must be in access mode: the switch interface passes only frames belonging to VLAN 300 towards RTR2, as stated in the L2 topology. Therefore only the physical interface is configured on RTR2, without creating subinterfaces:
RTR2(config)#interface gigabitEthernet 0/1
RTR2(config-if)#no shutdown
RTR2(config-if)#ipv6 enable
RTR2(config-if)#ipv6 address 2001:300::3/64
RTR2(config-if)#exit
RTR2(config)#
Then interface g0/0 is configured:
RTR2(config)#interface gigabitEthernet 0/0
RTR2(config-if)#no shutdown
RTR2(config-if)#ip address 30.30.30.2 255.255.255.252
RTR2(config-if)#exit
RTR2(config)#
This completes the configuration of router interfaces for the current task. The rest of the interfaces will be configured as the following tasks are completed.
a. Enable the SLAAC mechanism for issuing IPv6 addresses in the MNG network on the RTR1 router interface
The SLAAC mechanism is enabled by default. The only thing to do is enable IPv6 routing, which is done with the following global configuration command:
RTR1(config)#ipv6 unicast-routing
Without this command the device behaves as a host. In other words, this command makes the additional IPv6 functions available: issuing IPv6 addresses, configuring routing, and so on.
b. On virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 auto-configuration mode
It can be seen from the L3 topology that the switches are connected to VLAN 100. This means that virtual interfaces have to be created on the switches, and only then can they obtain IPv6 addresses automatically. The preliminary setup was done precisely so that the switches could receive addresses from RTR1. The task is completed with the following list of commands, which is suitable for all three switches:
// Create the virtual interface
SW1(config)#interface vlan 100
SW1(config-if)#ipv6 enable
// Obtain an IPv6 address automatically
SW1(config-if)#ipv6 address autoconfig
SW1(config-if)#exit
You can check it with the same command show ipv6 interface brief:
SW1#show ipv6 interface brief
...
Vlan100 [up/up]
FE80::A8BB:CCFF:FE80:C000 // link-local address
2001:100::A8BB:CCFF:FE80:C000 // received IPv6 address
In addition to the link-local address, an IPv6 address received from RTR1 has appeared. The task is complete; the same commands must be entered on the remaining switches.
c. On ALL devices (except PC1 and WEB) manually assign link-local addresses
Thirty-digit IPv6 addresses are no pleasure for administrators, so the link-local address can be changed manually, shortening it to a minimum. The task says nothing about which addresses to choose, so the choice is free.
For example, on switch SW1 the link-local address fe80::10 is to be set. This is done with the following command from the configuration mode of the selected interface:
// Enter the virtual interface vlan 100
SW1(config)#interface vlan 100
// Manually set the link-local address
SW1(config-if)#ipv6 address fe80::10 link-local
SW1(config-if)#exit
Now the addressing looks much more attractive:
SW1#show ipv6 interface brief
...
Vlan100 [up/up]
FE80::10 // link-local address
2001:100::10 // IPv6 address
In addition to the link-local address, the received IPv6 address has also changed, because the autoconfigured address is formed from the link-local address.
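As an added illustration (not part of the original article), the following Python snippet reproduces how the two addresses seen above are formed: the default link-local address from the interface MAC via modified EUI-64, and the SLAAC address from the /64 prefix advertised by RTR1 combined with the interface identifier taken from the link-local address. The MAC aabb.cc80.c000 is an assumption, since the page shows only the resulting addresses.

```python
import ipaddress

# Constructed inputs matching the values shown on the page: the SW1 Vlan100
# link-local FE80::A8BB:CCFF:FE80:C000 corresponds to MAC aabb.cc80.c000
# (assumed; the page does not print the MAC), and RTR1 advertises 2001:100::/64.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError("MAC must have 12 hex digits")
    octets = bytes.fromhex(digits)
    # Insert FF:FE in the middle and invert the universal/local bit of the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Default link-local address an interface derives after `ipv6 enable`."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(prefix: str, link_local: str) -> ipaddress.IPv6Address:
    """SLAAC global address: the advertised /64 prefix plus the interface's
    existing interface identifier (the low 64 bits of its link-local address)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int(ipaddress.IPv6Address(link_local)) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    ll = link_local_from_mac("aabb.cc80.c000")
    print(ll)                                          # fe80::a8bb:ccff:fe80:c000
    print(slaac_address("2001:100::/64", str(ll)))     # 2001:100::a8bb:ccff:fe80:c000
    # After `ipv6 address fe80::10 link-local` the autoconfigured address follows it:
    print(slaac_address("2001:100::/64", "fe80::10"))  # 2001:100::10
```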
On switch SW1 the link-local address had to be set on only one interface. On router RTR1 more settings are needed: the link-local address must be set on the two subinterfaces and on the loopback, and in later tasks the tunnel 100 interface will also appear.
To avoid typing the commands repeatedly, you can set the same link-local address on all interfaces at once. This is done with the keyword range followed by a list of all the interfaces:
// Enter configuration of several interfaces at once
RTR1(config)#interface range gigabitEthernet 0/1.100, gigabitEthernet 0/1.300, loopback 100
// Manually set the link-local address
RTR1(config-if-range)#ipv6 address fe80::1 link-local
RTR1(config-if-range)#exit
When checking the interfaces, you will see that link-local addresses have been changed on all selected interfaces:
RTR1#show ipv6 interface brief
GigabitEthernet0/1.100 [up/up]
FE80::1
2001:100::1
GigabitEthernet0/1.300 [up/up]
FE80::1
2001:300::2
Loopback100 [up/up]
FE80::1
2001:A:B::1
All other devices are configured in the same way.
d. On ALL switches, disable ALL ports not used in the job and move to VLAN 99
The main idea is the same: select multiple interfaces for configuration with the range keyword, then enter the commands that move them to the desired VLAN and shut them down. For example, on switch SW1, according to the L1 topology, ports f0/3-4, f0/7-8, f0/11-24 and g0/2 are to be disabled. For this example the setup is:
// Select all unused ports
SW1(config)#interface range fastEthernet 0/3-4, fastEthernet 0/7-8, fastEthernet 0/11-24, gigabitEthernet 0/2
// Set access mode on the interfaces
SW1(config-if-range)#switchport mode access
// Move the interfaces to VLAN 99
SW1(config-if-range)#switchport access vlan 99
// Shut down the interfaces
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit
When checking the settings with the already familiar command, note that all unused ports must have the status administratively down, meaning the port was disabled by the administrator:
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
...
FastEthernet0/3 unassigned YES unset administratively down down
To see which VLAN a port belongs to, another command is used:
SW1#show vlan brief
...
99 VLAN0099 active Fa0/3, Fa0/4, Fa0/7, Fa0/8
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gig0/2
...
All unused interfaces should appear here. Note that interfaces cannot be moved to a VLAN that has not been created; this is why all VLANs needed for the work were created during the preliminary setup.
e. On switch SW1, enable a 1-minute lock if the password is entered incorrectly twice within 30 seconds
You can do this with the following command:
// Block for 60 s; attempts: 2; within: 30 s
SW1(config)#login block-for 60 attempts 2 within 30
You can also check these settings as follows:
SW1#show login
...
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
...
This states clearly that after two unsuccessful attempts within 30 seconds or less, logins will be blocked for 60 seconds.
2. All devices must be available for management via SSH protocol version 2
For the devices to be accessible via SSH version 2, the equipment must first be prepared, so for illustration a device with factory settings will be configured first.
The protocol version is set as follows:
// Set SSH protocol version 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#
The system asks for RSA keys to be created for SSH version 2 to work. Following the system's prompt, RSA keys are generated with the following command:
// Generate RSA keys
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#
The system does not allow the command to be executed because the hostname has not been changed. After changing the hostname, you need to write the key generation command again:
Router(config)#hostname R1
R1(config)#crypto key generate rsa
% Please define a domain-name first.
R1(config)#
Now the system refuses to create RSA keys because no domain name is set. Once the domain name is set, the RSA keys can be generated. For SSH version 2 to work, the RSA key must be at least 768 bits long:
R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
As a result, it turns out that for SSHv2 to work, it is necessary:
- Change hostname;
- Change domain name;
- Generate RSA keys.
In the last article, the configuration of changing the hostname and domain name on all devices was given, therefore, continuing to configure the current devices, you only need to generate RSA keys:
RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
SSH version 2 is active, but the devices are not fully configured yet. The final step is to set up virtual consoles:
// Enter configuration of the virtual consoles (vty lines)
RTR1(config)#line vty 0 4
// Allow remote connections only over SSH
RTR1(config-line)#transport input ssh
RTR1(config-line)#exit
In the last article the AAA model was set up: authentication on the virtual consoles uses the local database, and after authentication the user enters privileged mode immediately. The easiest way to check that SSH works is to connect to the device itself. RTR1 has a loopback with IP address 1.1.1.1, so you can try connecting to that address:
// Connect over SSH
RTR1(config)#do ssh -l wsrvuz19 1.1.1.1
Password:
RTR1#
After the -l key the login of an existing user is given, followed by the password. After authentication you land directly in privileged mode, which means SSH is configured correctly.
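As an added example (not the article's own code), a small Python audit that checks a constructed SW1 running-config excerpt against tasks d, e and 2: unused ports in VLAN 99 and shut down, a login block-for policy present, SSH version 2 enforced, and the vty lines restricted to SSH. The config text is constructed for the demonstration, and the set of used ports is taken as the SW1 ports the article leaves enabled.

```python
import re

# Constructed running-config excerpt for SW1 (not captured from the page's devices),
# with one deliberate gap: Fa0/4 was moved to VLAN 99 but never shut down.
SAMPLE_CONFIG = """\
ip ssh version 2
login block-for 60 attempts 2 within 30
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 99
 shutdown
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 99
line vty 0 4
 transport input ssh
"""

# Ports the article leaves enabled on SW1; every other switchport counts as unused.
USED_PORTS = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/5", "FastEthernet0/6",
              "FastEthernet0/9", "FastEthernet0/10", "GigabitEthernet0/1"}


def parse_sections(config: str) -> dict:
    """Map every non-indented IOS config line to the list of indented lines under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def audit(config: str, used_ports: set) -> list:
    """Findings for the page's tasks d, e and 2; an empty list means compliant."""
    blocks = parse_sections(config)
    findings = []
    if "ip ssh version 2" not in blocks:
        findings.append("SSH version 2 not enforced")
    if not any(re.fullmatch(r"login block-for \d+ attempts \d+ within \d+", k) for k in blocks):
        findings.append("no login block-for configured")
    for header, body in blocks.items():
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: transport input not restricted to ssh")
        m = re.fullmatch(r"interface ((?:Fast|Gigabit)Ethernet\S+)", header)
        if m and m.group(1) not in used_ports:
            if "switchport access vlan 99" not in body:
                findings.append(f"{m.group(1)}: unused port not in VLAN 99")
            if "shutdown" not in body:
                findings.append(f"{m.group(1)}: unused port not shut down")
    return findings
```

Running `audit(SAMPLE_CONFIG, USED_PORTS)` reports only the missing shutdown on Fa0/4; feeding it the output of `show running-config` from each switch turns the manual check with `show ip interface brief` and `show vlan brief` into a repeatable one.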
Source: habr.com