Ruijie Network Skills Contest-2019 National Competition Real Questions [2019 National Vocational Skills Contest High Vocational Group Computer Network Application Competition Real Questions-Volume H] AC/AP/EG partial answers

Disclaimer: I write articles about these competitions only to make learning easier for motivated students. I do this purely out of good intentions, so I have no obligation to provide personal service, not to mention that I do not earn a penny from it. Because some of the students who came to me with questions had a bad attitude, I have deleted much of my personal contact information. The competition itself has nothing to do with me; it depends only on your own ability to learn, and whether or not you can follow the material has nothing to do with me. Those who understand will naturally understand. I have tried my best; you are free to do as you please!

This post gives partial answers for the AC/AP/EG part of the Ruijie Network Skills Competition 2019 national competition paper [2019 National Vocational Skills Competition, Higher Vocational Group, Computer Network Application Competition, real questions, Volume H].

Related Links:
Ruijie Network Skills Competition-2019 National Competition Real Questions [2019 National Vocational Skills Competition High Vocational Group Computer Network Application Competition Real Questions-Volume H] Detailed explanation of the answers to the routing exchange part

3. Basic deployment of wireless network
The branch company uses EG1 as the DHCP server for wireless users and wireless FIT APs;
service dhcp
ip dhcp excluded-address 192.1.50.252 192.1.50.254
ip dhcp excluded-address 192.1.60.252 192.1.60.254
!
ip dhcp pool AP
option 138 ip 10.2.0.12
network 192.1.50.0 255.255.255.0
default-router 192.1.50.254
!
ip dhcp pool yonghu
network 192.1.60.0 255.255.255.0
default-router 192.1.60.254
Create the branch intranet SSID Ruijie_Fit_XX (XX is provided on site) with WLAN ID 1 and AP-Group Ruijie; intranet wireless users automatically obtain a VLAN60 address after associating with the SSID.
In order to reduce AC performance pressure, Fit AP uniformly adopts local forwarding mode;

FW-WS6008-VAC(config)#wlan-config 1 Ruijie_Fit_1
FW-WS6008-VAC(config-wlan)#tunnel local
FW-WS6008-VAC(config-wlan)#exi
FW-WS6008-VAC(config)#ap-group Ruijie
FW-WS6008-VAC(config-group)#interface-mapping 1 60 ap-wlan-id 1
FW-WS6008-VAC(config-group)#tunnel local wlan 1 vlan 60
FW-WS6008-VAC(config-group)#exi

4. Wireless security deployment
The wireless users connected to the Fit AP use WPA2 encryption when accessing the wireless network, and the encryption password is XX (provided on site);

FW-WS6008-VAC(config)#wlansec 1
FW-WS6008-VAC(config-wlansec)#security rsn enable 
FW-WS6008-VAC(config-wlansec)#security rsn ciphers aes enable 
FW-WS6008-VAC(config-wlansec)#security rsn akm psk enable 
FW-WS6008-VAC(config-wlansec)#security rsn akm psk set-key ascii 12345678

Limit the maximum number of users on each radio of the AP to 16;
adjust the power local value of the 2.4G radio to 20 and the power local value of the 5.8G radio to 100 to minimize the impact of co-channel interference;
adjust the channel bandwidth of the 5.8G radio to 40MHz to increase the data transmission bandwidth;
so that a terminal that walks to the edge of the area covered by the AP can initiate roaming in time, adjust the coverage-area-control power parameter: 5.8G coverage-area-control power is set to 17db and 2.4G coverage-area-control power is set to 10db;

FW-WS6008-VAC(config)#ap-config 5869.6cac.fd4f
You are going to config AP(5869.6cac.fd4f), which is online now.
FW-WS6008-VAC(config-ap)#ap-name FZ1-AP520-AP2
The AP(FZ1-AP520-AP2) is on line.
FW-WS6008-VAC(config-ap)#ap-group Ruijie
FW-WS6008-VAC(config-ap)#sta-limit 16 radio 1
FW-WS6008-VAC(config-ap)#sta-limit 16 radio 2
FW-WS6008-VAC(config-ap)#power local 20 radio 1
FW-WS6008-VAC(config-ap)#power local 100 radio 2
FW-WS6008-VAC(config-ap)#coverage-area-control 10 radio 1
FW-WS6008-VAC(config-ap)#coverage-area-control 17 radio 2
FW-WS6008-VAC(config-ap)#chan-width 40 radio 2
FW-WS6008-VAC(config-ap)#ap-config 5869.6cd6.8fc5
You are going to config AP(5869.6cd6.8fc5), which is online now.
FW-WS6008-VAC(config-ap)#ap-name FZ1-AP520-01
The AP(FZ1-AP520-01) is on line.
FW-WS6008-VAC(config-ap)#ap-name FZ1-AP520-AP1
The AP(FZ1-AP520-AP1) is on line.
FW-WS6008-VAC(config-ap)#ap-group Ruijie
FW-WS6008-VAC(config-ap)# sta-limit 16 radio 1
FW-WS6008-VAC(config-ap)# sta-limit 16 radio 2
FW-WS6008-VAC(config-ap)# power local 20 radio 1
FW-WS6008-VAC(config-ap)# power local 100 radio 2
FW-WS6008-VAC(config-ap)# coverage-area-control 10 radio 1
FW-WS6008-VAC(config-ap)# coverage-area-control 17 radio 2
FW-WS6008-VAC(config-ap)# chan-width 40 radio 2

Disable access at low rates (11b/g 1M, 2M, 5M; 11a 6M, 9M).

FW-WS6008-VAC(config)#ac-controller 
FW-WS6008-VAC(config-ac)#802.11a network rate 6 disabled 
FW-WS6008-VAC(config-ac)#802.11a network rate 9 disabled 
FW-WS6008-VAC(config-ac)#802.11b network rate 1 disabled 
FW-WS6008-VAC(config-ac)#802.11b network rate 2 disabled 
FW-WS6008-VAC(config-ac)#802.11b network rate 5 disabled 
FW-WS6008-VAC(config-ac)#802.11g network rate 5 disabled 
FW-WS6008-VAC(config-ac)#802.11g network rate 2 disabled 
FW-WS6008-VAC(config-ac)#802.11g network rate 1 disabled

Egress NAT deployment
The specific configuration parameters are as follows:
NAT is configured on the egress gateways so that both the internal network terminals and the servers of each site can access the Internet; internal IP addresses are translated to the Internet-facing interface through NAPT;

EG1:

FZ1-EG2000-EG1(config)#ip nat pool nat_pool prefix-length 24
FZ1-EG2000-EG1(config-ipnat-pool)# address interface GigabitEthernet 0/4 match interface GigabitEthernet 0/4           
FZ1-EG2000-EG1(config)# ip nat inside source list 110 pool nat_pool overload
FZ1-EG2000-EG1(config)#ip access-list extended 110
FZ1-EG2000-EG1(config-ext-nacl)# 10 permit ip 192.1.10.0 0.0.0.255 any 
FZ1-EG2000-EG1(config-ext-nacl)# 20 permit ip 192.1.20.0 0.0.0.255 any 
FZ1-EG2000-EG1(config-ext-nacl)# 30 permit ip 192.1.50.0 0.0.0.255 any 
FZ1-EG2000-EG1(config-ext-nacl)# 40 permit ip 192.1.60.0 0.0.0.255 any 
FZ1-EG2000-EG1(config-ext-nacl)#int gi0/1
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/1)#ip nat in 
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/1)#int gi0/2
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/2)#ip nat in 
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/2)#int gi0/4
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/4)#ip nat outside

EG2:

FW-EG2000-EG2(config)#ip access-list ex 110
FW-EG2000-EG2(config-ext-nacl)#permit ip 172.16.0.0 0.0.3.255 any
FW-EG2000-EG2(config-ext-nacl)#exit
FW-EG2000-EG2(config)#ip nat pool nat_pool prefix-length 24
FW-EG2000-EG2(config-ipnat-pool)# address interface GigabitEthernet 0/4 match interface GigabitEthernet 0/4
FW-EG2000-EG2(config)#ip nat inside source list 110 pool nat_pool overload
FW-EG2000-EG2(config)#int gi0/1
FW-EG2000-EG2(config-if-GigabitEthernet 0/1)#ip nat in 
FW-EG2000-EG2(config-if-GigabitEthernet 0/1)#int gi0/4
FW-EG2000-EG2(config-if-GigabitEthernet 0/4)#ip nat out

Configure the egress gateway EG1 so that the Telnet service of switch S1 (192.XX.100.1) can be reached from the Internet by mapping its address onto the operator line; the mapped address is 11.1.2.10 and the mapped port is 23333.
EG1:

FZ1-EG2000-EG1(config)# ip nat in source static tcp 192.1.100.1 23 11.1.2.10 23333

Web Portal user authentication deployment
Enable the Web Portal authentication service on the gateway EG1. The authentication username and password are both user1 and user2;
wired users need to perform WEB authentication to access the Internet;
wireless users do not need to perform WEB authentication on the EG to access the Internet.

Application flow control deployment
EG1 limits Internet WEB traffic for intranet access to 1000Kbps per IP, the total intranet WEB traffic must not exceed 20Mbps, and the channel name is defined as WEB.

User behavior strategy deployment
EG1 enables auditing for multiple applications: website visits, sending and receiving email, IM chat, forum posting, and search engines;

EG1 blocks and audits the use of P2P application software during working hours from Monday to Saturday from 09:00 to 17:00 (named work). The name of the audit strategy is defined as P2P.
VPN deployment
To secure the data exchanged between the headquarters server area and the branch offices, VPN technology is used to protect that traffic. The specific plan is as follows:
GRE over IPSec VPN nesting is enabled between the egress gateways EG1 and EG2;
the GRE tunnel carries OSPF internally to connect the internal networks of the headquarters and the branch;
IPSec uses static point-to-point mode with ESP transport mode encapsulation; the isakmp policy uses 3des as the encryption algorithm and md5 as the hash algorithm, the pre-shared key is ruijie, and DH uses group 2. The transform set myset defines the encryption and authentication method as esp-3des esp-md5-hmac, the ACL number for the interesting traffic is 103, and the crypto map is named mymap;

EG1:

FZ1-EG2000-EG1(config)#ip access-list ex 103
FZ1-EG2000-EG1(config-ext-nacl)#permit ip 11.1.2.10 0.0.0.0 11.1.1.10 0.0.0.0
FZ1-EG2000-EG1(config-ext-nacl)#exit
FZ1-EG2000-EG1(config)#crypto isakmp key 0 ruijie address 11.1.1.10
FZ1-EG2000-EG1(config)#crypto isakmp policy 1
FZ1-EG2000-EG1(isakmp-policy)#au pre-share
FZ1-EG2000-EG1(isakmp-policy)#ha md5
FZ1-EG2000-EG1(isakmp-policy)#encryption 3des
FZ1-EG2000-EG1(isakmp-policy)#group 2
FZ1-EG2000-EG1(isakmp-policy)#exit
FZ1-EG2000-EG1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
FZ1-EG2000-EG1(cfg-crypto-trans)#exit
FZ1-EG2000-EG1(config)#crypto map mymap 10 ipsec-isakmp
FZ1-EG2000-EG1(config-crypto-map)#match address 103
FZ1-EG2000-EG1(config-crypto-map)#set transform-set myset
FZ1-EG2000-EG1(config-crypto-map)#set peer 11.1.1.10
FZ1-EG2000-EG1(config-crypto-map)#int gi0/4
FZ1-EG2000-EG1(config-if-GigabitEthernet 0/4)#crypto map mymap
EG1(config)#int tunn 0
EG1(config-if-Tunnel 0)#tun source 11.1.2.10
EG1(config-if-Tunnel 0)#tun destination 11.1.1.10
EG1(config-if-Tunnel 0)#ip address 11.1.5.2 30
EG1(config-if-Tunnel 0)#rou ospf 30
EG1(config-router)#network 11.1.5.2 0.0.0.3 a 0
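
The IKE and IPsec parameters this task prescribes (3des, md5, DH group 2, a six-character pre-shared key) are legacy choices that a configuration review would flag. An added example, not part of the original post: a Python check that reads a pasted CLI transcript, accepts abbreviated keywords such as `ha`, and reports those settings. The 20-character key threshold and the finding texts are assumptions of this example.

```python
import re

# Constructed sample: EG1's IKE/IPsec commands from the transcript above, prompts kept.
TRANSCRIPT = """\
FZ1-EG2000-EG1(config)#crypto isakmp key 0 ruijie address 11.1.1.10
FZ1-EG2000-EG1(config)#crypto isakmp policy 1
FZ1-EG2000-EG1(isakmp-policy)#au pre-share
FZ1-EG2000-EG1(isakmp-policy)#ha md5
FZ1-EG2000-EG1(isakmp-policy)#encryption 3des
FZ1-EG2000-EG1(isakmp-policy)#group 2
FZ1-EG2000-EG1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""
PROMPT = re.compile(r"^\S+?\((?P<mode>[^)]*)\)#\s*")
MIN_PSK_LEN = 20  # assumption: a local policy threshold, not a vendor value
WEAK = {  # finding texts are this example's own wording
    "md5": "IKE hash is MD5",
    "3des": "IKE encryption is 3DES (64-bit block cipher)",
    "esp-3des": "ESP encryption is 3DES (64-bit block cipher)",
    "esp-md5-hmac": "ESP integrity is HMAC-MD5",
}
WEAK_DH = {"1": 768, "2": 1024, "5": 1536}  # MODP group number -> modulus bits

def audit(transcript):
    """Return (command, finding) pairs for legacy IKE/IPsec settings."""
    findings = []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw)
        if not m:
            continue  # device output, not a typed command
        cmd = raw[m.end():].strip()
        w = cmd.lower().split()
        if w[:3] == ["crypto", "isakmp", "key"] and len(w) > 4:
            if len(w[4]) < MIN_PSK_LEN:  # report without echoing the secret
                findings.append(("crypto isakmp key <redacted>",
                                 "pre-shared key shorter than %d characters" % MIN_PSK_LEN))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [(cmd, WEAK[t]) for t in w[4:] if t in WEAK]
        elif m.group("mode") == "isakmp-policy" and len(w) == 2:
            kw, val = w  # the CLI accepts unambiguous prefixes such as "ha"
            if ("hash".startswith(kw) or "encryption".startswith(kw)) and val in WEAK:
                findings.append((cmd, WEAK[val]))
            elif "group".startswith(kw) and val in WEAK_DH:
                findings.append((cmd, "DH group %s is a %d-bit MODP group" % (val, WEAK_DH[val])))
    return findings

if __name__ == "__main__":
    for cmd, why in audit(TRANSCRIPT):
        print("%-62s %s" % (cmd, why))
```

The crypto commands are matched regardless of the prompt's mode, so a transform-set typed from the isakmp-policy prompt is still audited.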

EG2:

FW-EG2000-EG2(config)#ip access-list ex 103
FW-EG2000-EG2(config-ext-nacl)#permit ip  11.1.1.10 0.0.0.0 11.1.2.10 0.0.0.0
FW-EG2000-EG2(config-ext-nacl)#crypto isakmp key 0 ruijie address 11.1.2.10
FW-EG2000-EG2(config)#crypto isakmp policy 1 
FW-EG2000-EG2(isakmp-policy)#au pre-share 
FW-EG2000-EG2(isakmp-policy)#ha md5 
FW-EG2000-EG2(isakmp-policy)#encryption 3des 
FW-EG2000-EG2(isakmp-policy)#group 2
FW-EG2000-EG2(isakmp-policy)# crypto ipsec transform-set myset esp-3des esp-md5-hmac           
FW-EG2000-EG2(cfg-crypto-trans)#exit
FW-EG2000-EG2(config)#crypto map mymap 10 ipsec-isakmp 
FW-EG2000-EG2(config-crypto-map)#match address 103
FW-EG2000-EG2(config-crypto-map)#set transform-set myset
FW-EG2000-EG2(config-crypto-map)#set peer 11.1.2.10
FW-EG2000-EG2(config-crypto-map)#int gi0/4
FW-EG2000-EG2(config-if-GigabitEthernet 0/4)#crypto map mymap
EG2(config)#int tunn 0
EG2(config-if-Tunnel 0)#tun sou 11.1.1.10
EG2(config-if-Tunnel 0)#tun des 11.1.2.10
EG2(config-if-Tunnel 0)#ip ad 11.1.5.1 30
EG2(config-if-Tunnel 0)#rou ospf 10
EG2(config-router)#network 11.1.5.0 0.0.0.3 a 0
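
GRE over IPsec only comes up when both gateways agree: the crypto ACLs must mirror each other and match the GRE tunnel endpoints, and on each side the peer, the key address and the tunnel destination must all name the other gateway. An added example, not from the original post, that checks this across the two transcripts above; the function names `facts` and `check` are hypothetical, and each transcript is assumed to contain all five kinds of line.

```python
import re
# Constructed sample: the peer-facing lines of the EG1 and EG2 transcripts above.
EG1 = """\
FZ1-EG2000-EG1(config-ext-nacl)#permit ip 11.1.2.10 0.0.0.0 11.1.1.10 0.0.0.0
FZ1-EG2000-EG1(config)#crypto isakmp key 0 ruijie address 11.1.1.10
FZ1-EG2000-EG1(config-crypto-map)#set peer 11.1.1.10
EG1(config-if-Tunnel 0)#tun source 11.1.2.10
EG1(config-if-Tunnel 0)#tun destination 11.1.1.10
"""
EG2 = """\
FW-EG2000-EG2(config-ext-nacl)#permit ip 11.1.1.10 0.0.0.0 11.1.2.10 0.0.0.0
FW-EG2000-EG2(config-ext-nacl)#crypto isakmp key 0 ruijie address 11.1.2.10
FW-EG2000-EG2(config-crypto-map)#set peer 11.1.2.10
EG2(config-if-Tunnel 0)#tun sou 11.1.1.10
EG2(config-if-Tunnel 0)#tun des 11.1.2.10
"""
PROMPT = re.compile(r"^\S+?\([^)]*\)#\s*")

def facts(cfg):
    """Extract the values that must agree across the two IPsec peers."""
    f = {}
    for line in cfg.splitlines():
        w = PROMPT.sub("", line).split()
        if w[:2] == ["permit", "ip"] and len(w) == 6:
            f["acl"] = tuple(w[2:])  # (src, src-wildcard, dst, dst-wildcard)
        elif w[:3] == ["crypto", "isakmp", "key"]:
            f["psk"], f["key_peer"] = w[4], w[-1]
        elif w[:2] == ["set", "peer"]:
            f["peer"] = w[2]
        elif len(w) == 3 and "tunnel".startswith(w[0]):  # "tun sou" / "tun des"
            f["src" if "source".startswith(w[1]) else "dst"] = w[2]
    return f

def check(a, b):
    """Return the mismatches between two peers' GRE over IPsec settings."""
    fa, fb, bad = facts(a), facts(b), []
    if fa["psk"] != fb["psk"]:
        bad.append("pre-shared keys differ")
    if fa["acl"] != fb["acl"][2:] + fb["acl"][:2]:
        bad.append("crypto ACLs are not mirror images")
    for name, x, y in (("A", fa, fb), ("B", fb, fa)):
        if x["acl"][0::2] != (x["src"], x["dst"]):
            bad.append(name + ": crypto ACL does not match the GRE tunnel endpoints")
        if not (x["peer"] == x["key_peer"] == x["dst"] == y["src"]):
            bad.append(name + ": peer, key address and tunnel destination disagree")
    return bad

if __name__ == "__main__":
    print(check(EG1, EG2) or "peers are consistent")
```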

Each office uses the PC desktop SSLVPN client to access the resources published in the headquarters server area. The access address is https://11.1.1.10, dial-in clients obtain addresses from 10.10.10.0/24, the DNS is 8.8.8.8, the tunnel resource named Server includes 172.16.0.0/22 and 10.2.0.12, and the login user name and password are both user1 and user2.

Related Links
Ruijie "2019 National Vocational College Skills Competition" Higher Vocational Group Computer Network Application Competition Sample Questions Volume A (reference to the answers of the software-defined network part)
Ruijie "2019 National Vocational College Skills Competition" Higher Vocational Group Computer Network Application Contest Sample Questions Volume B (Reference to Answers for the Software-Defined Network Part)
Ruijie "2019 National Vocational College Skills Competition" Higher Vocational Group Computer Network Application Contest Sample Questions Volume C (Reference for Software-Defined Network Part Answers)
Ruijie "2019 National Vocational College Skills Contest" Higher Vocational Group Computer Network Application Contest Sample Questions Volume D (reference for the answers to the software-defined network part)
Ruijie "2019 National Vocational College Skills Contest" High Vocational College Computer Network Application Contest Sample Question E~J Volume (Reference for Answers to Part of the Software Defined Network)
Analysis and Discussion on the Questions of the Software Defined Network of the Ruijie Network Skills Competition

The following three are all open source on Github to help students who participate in the network skills competition.
I hope that those who see it can give me a star and give more students help. Thank you everyone.

Public information used by Ruijie Network Skills Competition

Sample questions / scoring standards / problem-solving process of the national network skill contest

Curriculum Design and Graduation Design

Origin blog.csdn.net/qq_40695642/article/details/108984757