2023 National Vocational College Skills Competition
GZ073 Network System Management Competition
Module A: Network Construction
Volume II
Contents
(2) Wired network configuration
(3) Wireless network configuration
(4) Egress network configuration
(5) Network operation and maintenance configuration
Appendix 2: Address Planning Form
【Instructions for Answering Questions】
1. For the login information involved in the competition questions, please refer to the "Competition Equipment System Platform User and Password Instructions".
2. For the submission of competition results, please refer to the "Contest Results Submission Confirmation Form" and submit the relevant documents strictly according to the requirements (note: to avoid file loss, do not edit the files directly on the USB flash drive).
Task list
(1) Basic configuration
1. According to the topology diagram in Appendix 1, the address planning table in Appendix 2, and the device number table in Appendix 3, configure the device interface and host name information.
2. Enable the SSH server function on all network devices. The user name is admin and the password is Test@123456; the password is in plain text. The privileged password is Test@123456.
3. Deploy SNMP on all network devices and configure every device to send Trap messages to the host 192.1.100.100. The version is v2c, and the community for both reading and writing is "Test@123".
(2) Wired network configuration
1. Perform VLAN pruning on the trunk links of the entire network.
2. Enable edge ports and BPDU protection on S3 and S4; when a loop is detected, the port is shut down. A port that enters the disabled state after detection recovers automatically after 200 seconds.
3. Set up DHCP servers on S3, S4, GW1, and GW2 to dynamically assign IP addresses to LAN terminals.
4. Enable link aggregation on the two interconnect links (G 0/1, G 0/2) of S5, using LACP dynamic aggregation mode.
5. The Beijing Comprehensive Service Center runs OSPF among R2, S1, and S2 in area 0 with process number 10. It also runs OSPF between S1 and S3 and between S2 and S4, in area 0, with separate processes for the production, office, and management services; the process numbers are 11, 12, and 13.
6. OSPF runs between R3 and S5 in the Shanghai Management Center, in area 0 with process number 20. A static routing protocol runs between AC1, AC2, and S5.
7. The egress devices of each center use static routes to the Internet.
8. Deploy IBGP between R2, S1, and S2, with AS number 100; define R2 as a route reflector RR, and use Loopback 0 interface to establish a BGP neighbor relationship.
9. The LAN of Beijing Comprehensive Service Center realizes the security isolation of each business through MPLS VPN technology. R2, S1, and S2 enable MPLS packet forwarding and LDP label forwarding protocols.
10. The production VRF is named SC, with RD value 100:1 and a customized RT value; the office VRF is named BG, with RD value 100:2 and a customized RT value; the management VRF is named GL, with RD value 100:3 and a customized RT value.
11. Use MPLS VPN technology to control access between VPN terminals: access between the production and office VPNs is prohibited, and the management VPN can communicate with both the production and office VPNs. Office VPN terminal users of the Beijing Comprehensive Service Center can access the Internet.
12. An IPv6 network is deployed on the intranet of the Beijing Comprehensive Service Center, and the OSPFv3 routing protocol is enabled on the intranet with process number 14. The links between R2, S1, and S2 belong to area 0, the link between S1 and S3 belongs to area 1, and the link between S2 and S4 belongs to area 2. VLAN40 service terminals automatically obtain addresses from gateways S3 and S4 through stateless autoconfiguration.
13. Intranet VLAN40 IPv6 terminals in the Beijing Comprehensive Service Center need to access the WAN address 30.0.0.1. For this purpose, NAT-PT is deployed on the R2 router to dynamically translate IPv6 addresses. The translation address pool for intranet IPv6 addresses is 12.1.1.3-12.1.1.5, and 30.0.0.1 translates to 2001:21:1::2.
14. OSPF protocol packets must not appear in the terminal network segments; reduce unnecessary OSPF negotiation packets; all routing protocols advertise specific network segments; Loopback addresses must be advertised; optimize the OSPF configuration to speed up OSPF convergence; external routes use the Type 1 mode.
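One way to choose the customized RT values for items 10 and 11 and check them against the access rules, as an added example that is not part of the competition paper. The RT values, including the shared 100:100 in the counter-example, are assumptions; the model covers only RT import/export matching between the three VRFs.

```python
# Added example: VRF names and RD values come from the task sheet; the RT
# values are assumptions, because the sheet leaves them to the contestant.
GOOD = {
    "SC": {"rd": "100:1", "export": {"100:1"}, "import": {"100:1", "100:3"}},
    "BG": {"rd": "100:2", "export": {"100:2"}, "import": {"100:2", "100:3"}},
    "GL": {"rd": "100:3", "export": {"100:3"},
           "import": {"100:1", "100:2", "100:3"}},
}

# Constructed counter-example: one shared RT (assumed value 100:100) on every
# VRF gives full reachability and silently removes the SC/BG isolation.
FLAT = {name: {"rd": v["rd"], "export": {"100:100"}, "import": {"100:100"}}
        for name, v in GOOD.items()}

# Access policy from item 11: True = must communicate, False = must be isolated.
POLICY = {("SC", "BG"): False, ("SC", "GL"): True, ("BG", "GL"): True}


def installed(vrfs, src, dst):
    """Route targets that make dst install routes exported by src."""
    return vrfs[src]["export"] & vrfs[dst]["import"]


def audit(vrfs, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    findings = []
    rds = [v["rd"] for v in vrfs.values()]
    if len(set(rds)) != len(rds):
        findings.append("duplicate RD values")
    for (a, b), allowed in policy.items():
        # Check each direction separately: a one-way import is already a leak.
        for src, dst in ((a, b), (b, a)):
            rts = installed(vrfs, src, dst)
            if allowed and not rts:
                findings.append(f"{dst} imports no RT exported by {src}")
            if not allowed and rts:
                findings.append(
                    f"{dst} imports {sorted(rts)} from {src}: isolation broken")
    return findings


if __name__ == "__main__":
    for label, design in (("per-VRF RTs", GOOD), ("shared RT", FLAT)):
        print(label, "->", audit(design) or "compliant")
```

Because GL imports the SC and BG route targets but exports only its own, it reaches both VPNs without re-advertising one to the other.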
(3) Wireless network configuration
CII Group Company intends to invest 120,000 yuan (network equipment procurement part) in wireless network coverage for a leased building. The first floor of the building contains a product exhibition hall, a meeting room, a reception area and offices. The exhibition hall has no suspended ceiling, and the existing mains power cabling runs in PVC trunking. The project requires full wireless coverage of the first floor (the restroom does not need to be covered). The printers and public computers at the reception (105~108) need wired network access, and the signal strength must be greater than 65 dB. The company's 2.4 GHz band is used for the R&D system, so the new wireless network must use the 5 GHz band throughout. The layout is shown in Figure 1.
Figure 1 Floor plan
1. Draw the AP point map (including: AP model, number, channel and other information).
2. Use the wireless site survey software to output a simulated heat map of the AP points (the simulated signal strength must be greater than -65 dB).
3. According to the wireless product price list in Table 1, formulate the budget table for the wireless network engineering project equipment.
Table 1 Wireless Product Price List
| Product number | Product features | Transmission rate | Recommended/maximum associated users | Power | Price (yuan) |
|---|---|---|---|---|---|
| AP1 (free-standing type) | Dual frequency dual stream | 300M/1.167G | 32/256 | 100 mW | 6000 |
| AP2 (intelligent type) | Dual frequency dual stream | 300M/600M | 32/256 | 100 mW | 11000 |
| AP3 (wall type) | Single frequency single stream | 150M | 12/32 | 60 mW | 3500 |
| Cable 1 | 10 m feeder | N/A | N/A | N/A | 1600 |
| Cable 2 | 15 m feeder | N/A | N/A | N/A | 2400 |
| Antenna | Dual frequency single stream/single frequency single stream | N/A | N/A | N/A | 500 |
| Switch | 24-port POE switch | N/A | N/A | 240 W | 15000 |
| AC | Wireless controller | 6*1000M | 32/200 | 40 W | 50000 |
4. Configure two AC devices and use a virtualization solution to combine them into one virtual AC.
5. The G 0/3-4 ports between AC1 and AC2 are used as virtual switching links. Configure AC1 as the master and AC2 as the backup. The description of the main device is AC1, and the description of the backup device is AC2.
6. The wireless network adopts the FIT AP+AC scheme, and all APs are associated with the Shanghai management center AC for management.
7. The Beijing Comprehensive Service Center uses the S3 switch as the DHCP server for wireless production 1 users (VLAN 10), office 1 users (VLAN 20) and wireless FIT AP1 (VLAN 30). Use the S4 switch as the DHCP server for wireless production 2 users (VLAN 10), office 2 users (VLAN 20) and wireless FIT AP2 (VLAN 30).
8. In the wireless network deployment of the Beijing Comprehensive Service Center, create the SSID BJ_SC_DOT1X_XX; WLANID is 1; AP-GROUP is Admin_BJ; wireless users (authentication user name user1, password YY) associate with the SSID, use the 802.1X authentication method, and automatically obtain a VLAN10 address (XX and YY are provided on site).
9. In the wireless network deployment of the Beijing Comprehensive Service Center, create the SSID BJ_BG_WEB_XX; WLANID is 2; AP-GROUP is Admin_BJ; wireless users (authentication user name user2, password YY) associate with the SSID, use the WEB authentication method, and automatically obtain a VLAN20 address (XX and YY are provided on site).
10. The Guangzhou production center uses GW1/GW2 as the DHCP server for wireless production 1 users (VLAN 10), production 2 users (VLAN 11) and wireless FIT AP3 (VLAN 20).
11. In the wireless network deployment of the Guangzhou production center, create the SSID GZ_SC_DOT1X_XX; WLANID is 3; AP-GROUP is Admin_GZ; wireless users (authentication user name user11, password YY) associate with the SSID, use the 802.1X authentication method, and automatically obtain a VLAN10 address (XX and YY are provided on site).
12. In the wireless network deployment of the Guangzhou production center, create the SSID GZ_SC_WEB_XX; WLANID is 4; AP-GROUP is Admin_GZ; wireless users (authentication user name user12, password YY) associate with the SSID, use the WEB authentication method, and automatically obtain a VLAN11 address (XX and YY are provided on site).
13. The login user name and password for the authentication platform will be provided at the examination site.
14. All APs establish tunnels through the loopback 0 interface of the VAC.
15. The average downlink rate of wireless users is 1000KB/s, and the burst rate is 1600KB/s.
16. The maximum number of associated users per AP is 25.
(4) Egress network configuration
1. Office terminals of the Beijing Comprehensive Service Center can access the Internet through NAPT on the G 0/0.21 sub-interface of the egress router R2.
2. LAN management terminals of the Shanghai Management Center can access the Internet through NAPT on the egress router R3.
3. Production terminals on the Guangzhou production center LAN can access the Internet through NAPT on the egress gateways GW1/GW2.
4. Enable VRRP on the intranet side of the egress gateways of the Guangzhou production center. GW1 is the master device for the production 1, AP management, and network equipment management network segments, with a priority of 255; GW2 is the master device for production 2, with a priority of 255. The two devices back each other up, so that terminal traffic switches seamlessly to the other device when one of them is down, providing gateway redundancy.
5. Enable a GRE tunnel between R3 and R2 and carry OSPF in the tunnel, so that the intranets of the Shanghai Management Center and the Beijing Comprehensive Service Center are connected (the access rules follow the MPLS VPN plan).
6. Enable L2TP tunnels between GW1/GW2 and R2 and carry OSPF in the tunnels, to connect the Guangzhou production center with the intranet of the Beijing Comprehensive Service Center (the access rules follow the MPLS VPN plan). The two tunnels back each other up; when one of them is down, business traffic switches automatically to the other L2TP tunnel for forwarding.
7. The L2TP tunnel authentication user name and password are both Test@123, and the L2TP tunnel password is Test@123. The L2TP user address pool is 172.16.0.1-172.16.0.254, and the server L2TP tunnel interface references the address of the local Loopback 1 interface.
8. IPsec VPN encrypts the data in the GRE and L2TP tunnels. The isakmp policy uses 3des as the encryption algorithm and md5 as the hash algorithm, the pre-shared password is Test@123, and DH uses group 2. In addition, the transform set myset defines the encryption and authentication method as esp-des esp-md5-hmac. The crypto map is named mymap.
9. On the egress gateway GW1, set a blacklist to prohibit LAN users from accessing the www.exam.com website through a browser.
(5) Network operation and maintenance configuration
1. After the entire network is connected, enter the network monitoring operation and maintenance stage. The operation and maintenance software has been installed in the virtual machine of the PC, and all network devices (except APs) in the topology are monitored through the operation and maintenance platform. The test site provides the user name and password information for logging in to the operation and maintenance platform.
2. Bring the monitored equipment into the monitoring scope through the operation and maintenance platform; through the topology configuration function, configure the network topology into the platform.
3. The three Internet links provided by the Unicom operator are key monitoring links. The names of the three links are R1-R2, R1-R3, and R1-S7. The various link indicators can be monitored in the status information.
4. Customize a large monitoring screen (name: Chinaskills_network) that displays, in real time, the network topology, CPU usage, memory usage, link operation status, collector server status, latest alarm information, and alarm level statistics.
(6) SDN network configuration
1. The test site provides the user name and password information for logging in to the SDN controller.
2. S6 completes the basic IP, VLAN and port configuration to ensure traditional network connectivity, and connects to the SDN controller using OpenFlow version 1.3 so that the controller can issue policies (based on traditional table entry forwarding) to control traffic forwarding.
3. The SDN controller sends a flow table to S6 that prohibits all traffic from passing by default.
4. The SDN controller sends flow tables to S6 that permit DHCP and ARP traffic one by one.
5. The SDN controller sends a flow table to S6 that permits the IP traffic (10.0.0.0/8) from the Guangzhou production center (10.4.0.0/16) to the Beijing Comprehensive Service Center and the Shanghai Management Center; other traffic is to be analysed and added by the contestant according to business access requirements.
6. The distribution of the flow table needs to achieve network load redundancy to ensure that if any one of the S6 dual uplink lines is interrupted, the traffic can be switched to another line for normal forwarding.
Appendix 2: Address Planning Form
| Device | Interface/VLAN | Interface/VLAN description | Layer 2/Layer 3 planning | Remarks |
|---|---|---|---|---|
| S1 | G 0/24 | Connect_To_R2 | 10.1.0.1/30 2001:10:1::1/64 | Cascade R2 |
| | VLAN11 | SC1-Connect | 10.1.1.1/30 | Production 1 VPN interconnection |
| | VLAN12 | BG1-Connect | 10.1.2.1/30 | Office 1 VPN interconnection |
| | VLAN13 | GL1-Connect | 10.1.3.1/30 | Management 1 VPN interconnection |
| | VLAN14 | IPv6-Connect | 2001:10:1:4::1/64 | IPv6 interconnection |
| | LoopBack 0 | \ | 10.0.0.1/32 | OSPF 10 |
| | LoopBack11 | \ | 10.1.4.1/32 | Production 1 OSPF 11 Router-id |
| | LoopBack12 | \ | 10.1.4.2/32 | Office 1 OSPF 12 Router-id |
| | LoopBack13 | \ | 10.1.4.3/32 | Management 1 OSPF 13 Router-id |
| S3 | VLAN11 | SC1-Connect | 10.1.1.2/30 | Production 1 VPN interconnection |
| | VLAN12 | BG1-Connect | 10.1.2.2/30 | Office 1 VPN interconnection |
| | VLAN13 | GL1-Connect | 10.1.3.2/30 | Management 1 VPN interconnection |
| | VLAN14 | IPv6-Connect | 2001:10:1:4::2/64 | IPv6 interconnection |
| | VLAN10 | SC1-Terminal | 10.1.10.254/24 | Production terminal |
| | VLAN20 | BG1-Terminal | 10.1.20.254/24 | Office terminal |
| | VLAN30 | GL1-Terminal | 10.1.30.254/24 | G0/21(AP) |
| | VLAN40 | IPv6-Terminal | 2001:10:1:40::254/64 | IPv6 terminal |
| | LoopBack11 | \ | 10.1.4.4/32 | Production 1 OSPF 11 Router-id |
| | LoopBack12 | \ | 10.1.4.5/32 | Office 1 OSPF 12 Router-id |
| | LoopBack13 | \ | 10.1.4.6/32 | Management 1 OSPF 13 Router-id |
| | LoopBack14 | \ | 10.1.4.7/32 | IPv6 OSPF 14 Router-id |
| S2 | G 0/24 | Connect_To_R2 | 10.2.0.1/30 2001:10:2::1/64 | Cascade R2 |
| | VLAN11 | SC2-Connect | 10.2.1.1/30 | Production 2 VPN interconnection |
| | VLAN12 | BG2-Connect | 10.2.2.1/30 | Office 2 VPN interconnection |
| | VLAN13 | GL2-Connect | 10.2.3.1/30 | Management 2 VPN interconnection |
| | VLAN14 | IPv6-Connect | 2001:10:2:4::1/64 | IPv6 interconnection |
| | LoopBack 0 | \ | 10.0.0.2/32 | OSPF 10 |
| | LoopBack11 | \ | 10.2.4.1/32 | Production 2 OSPF 11 Router-id |
| | LoopBack12 | \ | 10.2.4.2/32 | Office 2 OSPF 12 Router-id |
| | LoopBack13 | \ | 10.2.4.3/32 | Management 2 OSPF 13 Router-id |
| S4 | VLAN11 | SC2-Connect | 10.2.1.2/30 | Production 2 VPN interconnection |
| | VLAN12 | BG2-Connect | 10.2.2.2/30 | Office 2 VPN interconnection |
| | VLAN13 | GL2-Connect | 10.2.3.2/30 | Management 2 VPN interconnection |
| | VLAN14 | IPv6-Connect | 2001:10:2:4::2/64 | IPv6 interconnection |
| | VLAN10 | SC2-Terminal | 10.2.10.254/24 | Production terminal |
| | VLAN20 | BG2-Terminal | 10.2.20.254/24 | Office terminal |
| | VLAN30 | GL2-Terminal | 10.2.30.254/24 | G 0/21(AP) |
| | VLAN40 | IPv6-Terminal | 2001:10:2:40::254/64 | IPv6 terminal |
| | LoopBack11 | \ | 10.2.4.4/32 | Production 2 OSPF 11 Router-id |
| | LoopBack12 | \ | 10.2.4.5/32 | Office 2 OSPF 12 Router-id |
| | LoopBack13 | \ | 10.2.4.6/32 | Management 2 OSPF 13 Router-id |
| | LoopBack14 | \ | 10.2.4.7/32 | IPv6 OSPF 14 Router-id |
| R2 | G 0/1 | Connect_To_S1 | 10.1.0.2/30 2001:10:1::2/64 | |
| | G 0/2 | Connect_To_S1 | 10.2.0.2/30 2001:10:2::2/64 | |
| | G 0/0 | Connect_To_R1 | 12.1.1.2/29 | Connects to each business center |
| | G 0/0.21 | Connect_To_R1 | 21.1.1.2/29 | Connects to the Internet |
| | LoopBack 0 | \ | 10.0.0.22/32 | |
| | LoopBack 1 | \ | 172.16.0.2/24 | L2TP tunnel |
| | Tunnel 0 | \ | 172.17.0.2/24 | GRE tunnel |
| | LoopBack13 | \ | 10.1.4.22/32 | Used for operation and maintenance management |
| R1 | G 0/1 | Connect_To_R2 | 12.1.1.1/29 | |
| | G 0/1.21 | Connect_To_R2 | 21.1.1.1/29 | |
| | G 0/2 | Connect_To_R3 | 13.1.1.1/29 | |
| | G 0/0 | Connect_To_S7 | 17.1.1.1/29 | |
| | LoopBack 20 | \ | 20.0.0.1/32 | Simulated IPv4 public network resource |
| | LoopBack 30 | \ | 30.0.0.1/32 | |
| R3 | G 0/1 | Connect_To_R1 | 13.1.1.2/29 | |
| | G 0/2 | Connect_To_S5 | 10.3.0.1/30 | |
| | LoopBack 0 | \ | 10.3.1.3/32 | OSPF 20 Router id |
| | Tunnel 0 | \ | 172.17.0.3/24 | GRE tunnel |
| S5 | G 0/24 | Connect_To_R3 | 10.3.0.2/30 | |
| | AG1 | Connect_To_VAC | 10.3.0.10/30 | G 0/1 G 0/2 |
| | LoopBack 0 | \ | 10.3.1.5/32 | OSPF 20 Router id |
| | G 0/21 | Connect_To_IOM | 192.1.100.254/24 | Operation and maintenance system |
| | G 0/22 | Connect_To_AAA | 194.1.100.254/24 | Authentication system |
| VAC | AG1 | Connect_To_S5 | 10.3.0.9/30 | G 1/0/2 G 2/0/2 |
| | LoopBack 0 | \ | 10.3.1.12/32 | OSPF 20 Router id |
| GW1 | G 0/0 | Connect_To_R1 | 17.1.1.2/29 | |
| | G 0/1.10 | SC1-Terminal | 10.4.10.254/24 | Production 1 terminal |
| | G 0/1.11 | SC2-Terminal | 10.4.11.254/24 | Production 2 terminal |
| | G 0/1.20 | AP-Manage | 10.4.20.254/24 | AP management |
| | G 0/1.30 | Net-Manage | 10.4.30.254/24 | Device management |
| | LoopBack 0 | \ | 10.4.1.1/32 | |
| | Virtual-ppp | | 172.16.0.3/24 | L2TP tunnel |
| GW2 | G 0/0 | Connect_To_R1 | 17.1.1.3/29 | |
| | G 0/1.10 | SC1-Terminal | 10.4.10.253/24 | Production 1 terminal |
| | G 0/1.11 | SC2-Terminal | 10.4.11.253/24 | Production 2 terminal |
| | G 0/1.20 | AP-Manage | 10.4.20.253/24 | AP management |
| | G 0/1.30 | Net-Manage | 10.4.30.253/24 | Device management |
| | LoopBack 0 | \ | 10.4.1.2/32 | |
| | Virtual-ppp | \ | 172.16.0.4/24 | L2TP tunnel |
| S6 | G 0/21 | Connect_To_SDN | 192.168.1.6/24 | SDN controller |
| | VLAN10 | SC1-Terminal | \ | |
| | VLAN11 | SC2-Terminal | \ | |
| | VLAN20 | AP-Manage | \ | G 0/11(AP) |
| | VLAN30 | Net-Manage | 10.4.30.1/24 | Device management |
| S7 | VLAN1 | HUB | 17.1.1.4/29 | Used for testing operation and maintenance |
Note: On switching, security, and wireless devices, the interface numbers G 0/x and G1/0/x are equivalent.
Appendix 3: Device Number Table

| Number | Ruijie hardware model | H3C hardware model |
|---|---|---|
| S1 | RG-S5760C-48GT4XS-X | H3C S5560X |
| S2 | RG-S5760C-48GT4XS-X | H3C S5560X |
| S3 | RG-S5310-24GT4XS-E | H3C S5560X |
| S4 | RG-S5310-24GT4XS-E | H3C S5560X |
| S5 | RG-S5310-24GT4XS | H3C S5560X |
| S6 | RG-S5300-24GT4XS-E | H3C S5130S |
| S7 | RG-S2910-24GT4XS-E | H3C S5130S |
| GW1 | RG-EG3210 | H3C SecPath F1010 |
| GW2 | RG-EG3210 | H3C SecPath F1010 |
| R1 | RSR20-X-28 | H3C MSR3600 |
| R2 | RSR20-X-28 | H3C MSR3600 |
| R3 | RSR20-X-28 | H3C MSR3600 |
| AC1 | RG-WS6008 | H3C WX3510 |
| AC2 | RG-WS6008 | H3C WX3510 |
| AP1 | RG-AP520 | H3C WA6320 |
| AP2 | RG-AP520 | H3C WA6320 |
| AP3 | RG-AP850 | H3C WA6320 |