2023 Information Security Management and Evaluation Competition Reference Answers - Module 1 Task 2

1. Enable telnet login on SW and AC. The only telnet login account is "ABC4321", with the password "ABC4321" in plaintext. When logging in to the device through telnet, the enable password must be entered; it is set to "12345" in plaintext. (4 points) Note: 1 point is deducted if the admin account is not deleted, and 3 points are deducted if user ABC4321 is given privilege level 15.

SW

AC

2. The Beijing head office and the Nanjing branch lease two dark fibers from the carrier for internal office interconnection. One fiber carries the traffic of the company's finance department; the other carries the company's other internal services. Use the appropriate technology to separate the routing table of the head office finance segment from the routing tables of the company's other business segments. The finance service resides in the VPN instance named CW. Head office finance and branch finance must be able to communicate, and the finance department uses RIP routing between the head office and the branch to achieve mutual access. (5 points) If the output of show ip route vrf CW on SW or show ip route rip on AC is wrong, this question scores 0 points.

SW:

AC:

3. Increase the bandwidth between the head office core and the egress BC as much as possible. (4 points) 2 points per device; check that the ports are Gigabit full-duplex and that port aggregation is configured on SW;

SW

BC

4. To prevent terminals from launching MAC address flooding attacks, configure port security. A port assigned to VLAN41 may learn at most 5 MAC addresses. When a violation occurs, subsequent illegal traffic is blocked, existing traffic is not affected, and a log entry is generated; the interface connected to PC1 is a dedicated interface, and only the MAC address of PC1 is allowed to connect. (5 points) 2 points for the configuration of the 7 ports, 1 point for the other 3 ports; the MAC address may differ.
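The port-security behaviour task 4 asks for (at most 5 learned MACs on a VLAN41 port, anything beyond that dropped and logged without disturbing the stations already learned, and a PC1-only dedicated port), as an added Python simulation that is not part of the answer key; the port labels and MAC addresses are constructed:

```python
"""Port-security behaviour required in task 4, modelled in Python (added example;
a constructed simulation, not device configuration or the answer key's screenshots).

A VLAN41 access port learns at most 5 MAC addresses. In 'restrict'-style handling a
6th source MAC is dropped and logged while already-learned stations keep forwarding.
The PC1 port is a dedicated port: one statically bound MAC, no dynamic learning.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class SecurePort:
    name: str                                   # constructed port label
    max_macs: int                               # learning limit (5 on VLAN41 ports)
    static_macs: FrozenSet[str] = frozenset()   # statically bound MACs (PC1 port)
    learned: Dict[str, int] = field(default_factory=dict)
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.static_macs:
            # Dedicated port: only the bound MAC may send; nothing is learned.
            return src_mac in self.static_macs or self._violation(src_mac)
        if src_mac in self.learned:
            self.learned[src_mac] += 1          # existing station: never affected
            return True
        if len(self.learned) < self.max_macs:
            self.learned[src_mac] = 1           # dynamic learning within the limit
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> bool:
        # Drop the offending frame, count it and log it; the port stays up and
        # the existing entries are untouched.
        self.violations += 1
        self.log.append(f"PORT-SECURITY {self.name}: violation from {src_mac} "
                        f"(count={self.violations})")
        return False


def mac_flood_demo(port: SecurePort, n_sources: int) -> Dict[str, int]:
    """Replay a constructed MAC flood: one frame from each of n_sources distinct
    MACs, then a second frame from the first source. Returns what the port did."""
    macs = [f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}" for i in range(n_sources)]
    forwarded = sum(port.receive(m) for m in macs)
    return {
        "forwarded": forwarded,
        "dropped": n_sources - forwarded,
        "learned": len(port.learned),
        "first_source_still_ok": int(port.receive(macs[0])),
        "log_entries": len(port.log),
    }


if __name__ == "__main__":
    print(mac_flood_demo(SecurePort("vlan41-access", max_macs=5), 200))
    pc1 = SecurePort("pc1-dedicated", max_macs=1, static_macs=frozenset({"00:11:22:33:44:55"}))
    print(pc1.receive("00:11:22:33:44:55"), pc1.receive("66:77:88:99:aa:bb"), pc1.log)
```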

5. On port ethernet1/0/6 of the head office core switch, limit the bandwidth of packets belonging to the 20.1.41.0 segment to 10 Mbit/s with a burst value of 4 Mbytes; packets from this segment that exceed the bandwidth are all discarded. (5 points) 2 points for the policy-map configuration, 1 point for each other box (the acl name, class-map name, and policy-map name may vary, but the nesting relationship must correspond).
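What the policer in task 5 does to a burst of traffic, as an added single-rate token-bucket simulation in Python (not the switch's policy-map configuration); it assumes the ACL matches 20.1.41.0/24 and reads 4 Mbytes as 4 * 1024 * 1024 bytes, and the packet trace is constructed:

```python
"""Single-rate token-bucket policer modelling task 5 (added example; constructed
simulation, not the switch's policy-map configuration).

Packets sourced from 20.1.41.0 are limited to 10 Mbit/s with a 4 Mbyte burst;
packets exceeding the bucket are dropped, other traffic bypasses the policer.
Assumptions: the ACL matches 20.1.41.0/24 (the task gives only the network
address) and 4 Mbytes means 4 * 1024 * 1024 bytes.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

RATE_BPS = 10_000_000                 # committed information rate, bits/s
BURST_BYTES = 4 * 1024 * 1024         # bucket depth, bytes
POLICED_NET = ipaddress.ip_network("20.1.41.0/24")


class TokenBucket:
    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bytes = rate_bps / 8        # refill rate in bytes per second
        self.depth = burst_bytes
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = 0.0                       # time of the last refill

    def conform(self, now: float, size: int) -> bool:
        """Refill for the elapsed time, then spend `size` tokens if available."""
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                          # exceed action: drop


def police(packets: Iterable[Tuple[float, str, int]]) -> List[Tuple[str, int, str]]:
    """packets: (timestamp_s, src_ip, size_bytes) in arrival order.
    Returns (src_ip, size_bytes, 'forward'|'drop') per packet."""
    bucket = TokenBucket(RATE_BPS, BURST_BYTES)
    out = []
    for ts, src, size in packets:
        if ipaddress.ip_address(src) in POLICED_NET:
            action = "forward" if bucket.conform(ts, size) else "drop"
        else:
            action = "forward"                # not matched by the ACL: untouched
        out.append((src, size, action))
    return out


def summarize(decisions: List[Tuple[str, int, str]]) -> Dict[str, int]:
    """Count forwarded and dropped packets."""
    return {"forward": sum(a == "forward" for _, _, a in decisions),
            "drop": sum(a == "drop" for _, _, a in decisions)}


# Constructed sample: a 4.5 MB line-rate burst at t=0 from the policed segment,
# some unrelated traffic, then 1000 more packets one second later.
SAMPLE = ([(0.0, "20.1.41.10", 1500)] * 3000
          + [(0.5, "20.1.42.5", 1500)] * 10
          + [(1.0, "20.1.41.10", 1500)] * 1000)

if __name__ == "__main__":
    print(summarize(police(SAMPLE)))   # {'forward': 3639, 'drop': 371}
```

The first burst empties the 4 Mbyte bucket after 2796 frames of 1500 bytes; one second later only 1,250,000 bytes of tokens have been refilled, so 833 more frames pass and the rest are dropped.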

6. Configure SW so that office users are prohibited from accessing the external network during working hours (Monday to Friday 9:00-17:00), while the internal network remains accessible. (2 points) The show clock time must fall within the start time of the competition, otherwise this question scores 0 points;

7. The head office SW switch simulates an Internet switch and uses the appropriate technology to isolate local routing from Internet routing. The Internet routing instance is named internet. (2 points)

8. Enable the following security mechanisms for VLAN50 on SW: business terminals are isolated from each other at Layer 2; loop detection is enabled on port 14 with a detection interval of 10 s, the port is shut down when a loop is found, and the recovery time is 30 minutes; protect against ARP gateway spoofing attacks. 6 points: 1 point for port isolation, 1 point for correct arp-guard configuration, 2 points for correct loop detection configuration, and 2 points for correct dhcp snooping.

9. Configure the Beijing company's intranet users to access the Internet through the head office egress BC, and the branch intranet users to access the Internet through the branch egress FW. Internet traffic from users of the VLAN41 service on port 9 of the head office core switch must pass through the firewall before reaching the Internet via BC; enable security protection on the firewall zones untrust1 and trust1 with default parameters. Test results are required (14 points): 2 points for security protection, 2 points for the one tracert result; if the result is wrong, this question scores 0 points;

FW

result:

10. To prevent DoS attacks, limit the number of MAC, ARP, and ND entries under the vlan50 interface of the head office switch: at most 20 dynamic MAC addresses, 20 dynamic ARP entries, and 50 neighbor table entries may be learned. (3 points)

11. The head office and branches will run IPv6 pilots this year: sales department users at the head office and the branches must be able to reach each other over IPv6, with the IPv6 services carried on the leased dark fibers. Realize mutual access to IPv6 services between the branch and the head office; configure static routes between AC and SW so that VLAN50 and VLAN60 can communicate over IPv6; enable IPv6 on VLAN40 and plan the IPv6 service addresses as follows: (8 points) The next-hop IPv6 address must start with fe80, otherwise 4 points are deducted; if the ping6 result is wrong, this question scores 0 points;

SW:

AC:

12. Configure an IPv6 address on the head office core switch SW and enable router advertisement with an advertisement lifetime of 2 hours, so that IPv6 terminals in the sales department can obtain an IPv6 address through the DHCP server; enable the IPv6 DHCP server function on SW with the address range 2001:da8:50::2-2001:da8:50::100. (6 points) 1 point for correct DHCPv6 configuration, 1 point for correct router advertisement and advertisement lifetime, 4 points for a correct result; no result or a wrong result scores 0 points for this question (the DUID in the result is random and may differ from this document).

result:

13. Configure the IPv6 address on the Nanjing branch and use the relevant feature so that IPv6 terminals in the sales department automatically obtain a stateless IPv6 address from the gateway. (6 points) 6 points for obtaining a randomly assigned IPv6 address; a temporary IPv6 address must be present;

14. Configure OSPF area 0 between SW and AC and between AC and FW, enable link-based MD5 authentication with a custom key, and propagate the default route for Internet access, so that intranet users of the head office and the branch can reach each other, including the loopback1 address on the AC; run static routing between the head office SW and BC. 18 points: 3 points for enabling MD5 authentication, 12 points for a correct show ip route ospf result, 3 points for the SW and BC static routing configuration;

FW

SW

AC

BC

15. The branch sales department obtains IP addresses from the DHCP server on the firewall. The server IP address is 20.0.0.254, the address pool range is 20.1.60.10-20.1.60.100, and the dns-server is 8.8.8.8. (5 points) show dhcp-server binding loopback_addrpool on the firewall must show an assigned IP address, otherwise no points.

16. If the packet receive rate on port 11 of SW exceeds 30,000, shut down the port, with a recovery time of 5 minutes; to improve data forwarding performance, set the packet size for switching on SW to 1600 bytes; (3 points)

17. To implement security management of the firewall, enable the PING, HTTP, telnet, and SNMP functions in the Trust security zone of firewall FW, and enable the SSH and HTTPS functions in the Untrust security zone. SNMP server address: 20.10.28.100, community string: skills (4 points)

18. Configure the branch firewall so that when branch VLAN service users access the Internet through the firewall, the public IPs 202.22.1.3 and 202.22.1.4 are reused; ensure that all sessions generated by a given source IP are mapped to the same fixed IP address; when traffic matches this address translation rule, generate log information and send the match log to UDP port 2000 of 20.10.28.10; (5 points) 2 points for correct security policy configuration; 1 point each for the NAT, address book, and log configuration;

19. Remote mobile office users access the branch network through a dedicated line. Configure firewall FW so that SSL VPN only allows access to the internal network VLAN 61. The port number is 4455, and the username and password are both ABC4321. For the address pool, see the address list; (8 points)

4 points for a correct VPN connection and 4 points for the ping. If the ping fails, this question scores 0 points;

20. The branch has deployed a web server with IP 20.10.28.10, connected to the firewall's DMZ zone, to provide web services to external users. Intranet users must be able to ping the web server and access its web service (port 80) and remote management (port 3389); external users may only access the server's web service through the firewall's external address. (6 points) 2 points for destination NAT, 4 points for the policy.

21. For security reasons, since wireless users are highly mobile, web authentication must be enabled on BC for Internet access, using local authentication; the account and password are web4321.

(5 points) 3 points for successful authentication and 2 points for the process;

22. Since the link bandwidth between the branch and the Internet is relatively low (the egress has only 200M of bandwidth), configure iQOS on the firewall. Total P2P traffic in the system may not exceed 100M; at the same time, each user's maximum download bandwidth is limited to 2M and upload to 1M. Give priority protection to HTTP applications by reserving 100M of bandwidth for http. (6 points) 3 points for each qos policy;

23. To purify the Internet environment, make the relevant configuration on firewall FW: prohibit wireless users, Monday to Friday from 9:00 to 18:00, from sending emails whose content contains "virus" and "gambling", and record the log. (5 points) 1 point is deducted for each mistake until all points are deducted;

24. Since the head office wireless network is managed by the branch's wireless controller, to prevent the wireless network from becoming unusable when the dedicated line fails, the head office and the branch use the Internet as a backup link for communication between the head office wireless APs and the AC. Communication between the AP management segment and the wireless AC is realized through IPSEC between FW and BC. Specific requirements: the pre-shared key is ABC4321; IKE phase 1 uses DH group 1, 3DES encryption and MD5; IKE phase 2 uses ESP-3DES and MD5. 15 points; if the result is wrong, this question scores 0 points;

FW

BC

25. Head office users access the Internet through BC. BC operates in routing mode; configure BC so that head office intranet users (excluding finance) access the Internet through the IP of BC's external network port. 3 points;

26. Configure PPTP VPN on BC so that external users can access the intranet addresses on the head office SW through PPTP VPN. The username is test and the password is test23. 3 points; a wrong result scores 0 points;

27. To increase the branch's egress bandwidth, increase the bandwidth between the branch AC and the egress FW as much as possible. 3 points, 1 point for each box;

FW:

AC:

28. Configure a URL filtering policy on BC to prohibit head office intranet users from accessing the external site www.skillchina.com from Monday to Friday, 8:00 to 18:00. 3 points: 2 points for the configuration, 0.5 points each for the time plan and the address book;

29. Enable the IPS policy on BC to apply IPS protection to head office intranet users' access to external data, covering server protection, client protection and malware detection; when an attack is detected, reject it and record the log. 3 points;

30. The head office's egress bandwidth is low, with a total of only 200M. To prevent intranet users from consuming large amounts of bandwidth with P2P downloads such as Thunder, limit the traffic internal employees download with P2P tools to a maximum uplink and downlink bandwidth of 50M, so that P2P traffic does not occupy too much egress bandwidth; enable blocking records. 4 points: 1 point for the line bandwidth configuration, 3 points for the rule configuration;

31. Configure BC to prohibit head office users from playing games during working hours, Monday to Friday from 9:00 to 18:00, and enable blocking records. 4 points, 2 points per box

32. Restrict head office intranet users' access to Internet web video and instant messaging: maximum downlink bandwidth 20M, uplink 10M, and enable blocking records; 4 points; instant messaging shows "ALL" or "397 kinds";

33. Enable the blacklist alarm function on BC at the early-warning level, sending email alarms and recording logs; when CPU usage exceeds 80% and memory usage exceeds 80%, send email alarms and record logs at the critical level. The sending email address is [email protected] and the receiving email address is [email protected]. 4 points

34. A website server in the branch is directly connected to the WAF; its address is 20.10.28.10 and its port is 8080. Configure the WAF to send service access logs, WEB protection logs, and service monitoring logs to the syslog log server at IP address 20.10.28.6, UDP port 514; 4 points (Note: no points are given if the log server status is not enabled)

35. Configure the branch's WAF to protect session security, enabling cookie reinforcement and encryption. 3 points

36. Edit the protection policy and set the maximum HTTP request length to 1024 to prevent buffer overflow attacks. 3 points

37. To prevent brute-force cracking of the website server, configure the corresponding rate-limit protection policy on the WAF, named "anti-brute force cracking", with a rate limit of 1 time per second, severity level high, and logging enabled; 3 points

38. Configure the WAF to prevent users from uploading files in ZIP, DOC, JPG, and RAR formats; the rule is named "prevent file upload"; 4 points: 1 point for applying the rule, 3 points for the configuration;

39. Configure the corresponding protection rule on the WAF, named "HTTP feature protection", which must protect against SQL injection, cross-site scripting (XSS), information leakage, crawlers, malicious attacks, etc. Once an attack is found, block it immediately, send an email alarm, and record the log. 4 points

40. Configure "www.skillchina.com" on the WAF, enable weak password detection, and name the configuration "weak password detection". 3 points

41. Configure the anti-cross-site protection function on the WAF, with the rule name "anti-cross-site protection", to protect "www.skillchina.com" from attack; the processing action is block, and the request methods are GET and POST; 3 points

42. Since the company's IP addresses are planned in a unified manner and the original wireless segment is 172.16.0.0/22, the IP addresses must be reassigned to avoid address waste. Requirements: the company plans to deploy 50 APs in the future; office wireless users in VLAN 10 are expected to number 300, and guest users in VLAN20 no more than 30; 6 points, 2 points per box;

43. Configure DHCP on the AC. The management VLAN is VLAN100, and the management address is issued to the AP: the first available address in the segment is the AP management address and the last available address is the gateway address. The AP registers through DHCP option 43, with the AC address being the loopback1 address; issue IP addresses to wireless users in VLAN10 and VLAN20, with the last available address as the gateway; 6 points: 1 point for enabling the DHCP service, 2 points for the DHCP address pool configuration, 1 point for the wireless IP address configuration, 2 points for successful AP registration; if AP registration fails, this question scores 0 points;

AC

44. Configure SSIDs under NETWORK as follows:

Under NETWORK 1, set SSID ABC4321 on VLAN10, with encryption mode wpa-personal and password 43214321; 4 points

45. Under NETWORK 2, set SSID GUEST on VLAN20 with no authentication or encryption, and configure the SSID to be hidden; 3 points, 1 point for each item;

46. Enable the built-in portal + local authentication method on NETWORK 2; the account is test and the password is test4321; 6 points: 2 points for the configuration, 4 points for the client authentication result; no result or a wrong result scores 0 points;

47. Configure SSID GUEST to prohibit terminal access from 0:00 to 6:00 every morning; GUEST allows at most 10 users; apply flow control on the GUEST network with uplink 1M and downlink 2M; configure all wireless access users to be isolated from each other; 6 points: 1 point for the time-limit configuration, 3 points for the qos configuration, 1 point for the maximum users, and 1 point for user isolation.

48. Configure that when an AP comes online, if the Image version stored on the AC differs from the AP's Image version, the AP is upgraded automatically; set the interval of the frame the AP sends to wireless terminals to announce its presence to 2 seconds; set both the AP failure state timeout and the detected client state timeout to 2 hours; 4 points: 1 point for AP automatic upgrade, 1 point for the failure state timeout, 1 point for the client state timeout, 1 point for the frame interval;

49. To improve the wifi user experience and reject weak-signal terminals, set a threshold so that terminals with a signal value below 50 cannot access the wireless network; to prevent rogue APs from impersonating legitimate SSIDs, enable the AP threat detection function; 4 points: 2 points for the signal value setting, 2 points for AP threat detection;

50. Configure protection against excessive security authentication connections consuming CPU resources when multiple APs connect to the AC: if an AP is detected establishing connections with the AC 5 times within 10 minutes, further connections are refused, and it returns to normal after two hours. 3 points


Origin blog.csdn.net/qq_50377269/article/details/132606316