
LOMBA KOMPETENSI SISWA (STUDENT COMPETENCY COMPETITION)
VOCATIONAL HIGH SCHOOL
WEST JAVA PROVINCIAL LEVEL

CIREBON, OCTOBER 2017

TEST PROJECT
MODULE A: LINUX ISLAND
(OPEN)

COMPETITION FIELD
IT NETWORK SYSTEM ADMIN
(IT NETWORK)

GOVERNMENT OF WEST JAVA PROVINCE
EDUCATION OFFICE (DINAS PENDIDIKAN)
JL. Dr. Radjiman No. 6 Tel. (022) 4264957, Fax. (022) 4264881
Wisselboard (022) 4264944, 4264957, 4264973
BANDUNG (40171)

ISLAND A: LINUX ISLAND


CONTENTS
This Test Project proposal consists of the following document/file:
LKS JABAR 2017_ITNSA_MODULA.pdf

INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your
time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.

PHYSICAL MACHINE (HOST)


FOLDER PATHS
Virtual Machines: C:\LKS\Virtual Machine
ISO Images: C:\LKS\ISO

Password for OS Pre-Install : Skills39

Version: 1.0
LKS-JABAR_ITNSA
Date: 16.08.2017

PART I
WORK TASK INSTALLATION (SOLOSRV, SEMARANGSRV)
Note: Please use the default configuration if you are not given details.

WORK TASK SERVER SOLOSRV

Configure the server with the hostname, domain and IP specified in the appendix.
o Configure the disk and partitions
  - Add 3 disks of 7 GB each.
  - Use the three virtual disks to create a software RAID 5.
  - Mount it as /files

o Create 30 local UNIX users with password InaSkills2017
  - Username: user[1-30], e.g. user1, user2, ..., user30

o Install the services:


1. DNS (bind9)
Install and configure the DNS server with two domains
- skills4future.net to SOLOSRV
- skills39.edu.id to SEMARANGSRV
Create the subdomains files.skills4future.net and internal.skills4future.net
Create the subdomains monitor.skills39.edu.id and vpn.skills39.edu.id
Create a host www.skills4future.net for the public IP of JATENGRO
2. Web Server (apache2 including php5)


Create website http://internal.skills4future.net and http://www.skills4future.net
- Use the following code for index.html in the http://internal.skills4future.net
<html>
<h1>Welcome in the INTERNAL skills4future.net</h1>
</html>

- Use the following code for index.html in the http://www.skills4future.net


<html>
<h1>Welcome in the skills4future.net</h1>
</html>

Make sure http://internal.skills4future.net is protected by authentication
- Allow users from user11 to user20
Enable HTTPS for both sites
- Use a certificate signed by the CA service on SEMARANGSRV
- Make sure no certificate warning is shown.

3. FTP (proftpd)
Enable FTPS
- Use a certificate signed by SEMARANGSRV
Each user (user21 to user30) will have a home directory.

Make sure the user is jailed in their respective website document root directories.
Make sure file transfer to the server is possible.

4. Mail
Make sure user11 to user20 have access via POP3, IMAP and SMTP
Before you finish your project make sure you send an email message from user14 to
user19 and another message from user19 to user14.
Do not delete these email messages.

5. File Server (Samba)


Share MANAGER
o Path is /files/manager
o Give access only to users user1 to user10
o Make sure the share is not shown in the network browser of the clients
Share GUEST
o Path is /files/guest
o Enable read-only access to everyone

6. SSH Server
Install SSH Server
Use RADIUS on SEMARANGSRV to authenticate users.
Change the default SSH port to 1945

WORK TASK SERVER SEMARANGSRV


Configure the server with the hostname, domain and IP specified in the appendix.
o Install the services:
1. CA (openssl)
Configure as CA
CA attributes should be set as follows
- Country code is set to ID
- Organization is set to LKSN2017
Create a root CA certificate
Store the certificate in directory /cert

2. Monitoring Server (Cacti)


Configure Cacti with url http://monitor.skills39.edu.id
Create an admin-user master with password InaSkills2017
Create a graph showing the statistics of the CPU, Memory and interfaces traffic of
JATENGRO

3. RADIUS (FreeRadius)
Create 5 users with password InaSkills2017 for SSH login to SOLOSRV
o Username: user[31-35], e.g. user31, user32, ..., user35
Use InaSkills2017 as the shared key


4. DHCP
o Create DHCP Pool INTERNAL:
  - Range: 192.168.150.51 - 192.168.150.100
  - Netmask: /25
  - Gateway: 192.168.150.1
  - DNS: 172.23.199.3
o DNS-Suffix: skills4future.net
o SOLOCLT should always receive the following IP: 192.168.150.88
o The clients should automatically register their name with the DNS server after they
have been assigned an IP address by the DHCP server.
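
The CA task above and the "no certificate warning" requirement for the SOLOSRV sites depend on each other: the server certificate must chain to the root CA and carry the site name in its subjectAltName. The script below is an added example, not part of the original test project, showing one way to do this with openssl. The country code, organization and host names come from the task; the CA common name, key sizes, lifetimes, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example. C=ID and O=LKSN2017 are from the task sheet; the CA common
# name, RSA key size, validity periods and file names are assumptions.

make_ca() {            # make_ca DIR : create the root CA key and certificate
    dir=$1
    mkdir -p "$dir" || return 1
    # Own config file so the result does not depend on the system openssl.cnf
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = ID
O  = LKSN2017
CN = LKSN2017 Root CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null || return 1
    chmod 600 "$dir/ca.key"      # the CA private key must not be world-readable
}

issue_cert() {         # issue_cert DIR HOSTNAME : key, CSR and CA-signed cert
    dir=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/C=ID/O=LKSN2017/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || return 1
    chmod 600 "$dir/$host.key"
    # Current clients match the host name against subjectAltName, not the CN
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -in "$dir/$host.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

cert_ok_for() {        # cert_ok_for DIR CERT_HOST NAME
    # Succeeds only if the certificate chains to the CA and is valid for NAME,
    # which is the condition for a client that trusts ca.crt to show no warning.
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" \
        >/dev/null 2>&1
}
```

On SEMARANGSRV the directory argument would be /cert, with issue_cert run once per site name (www.skills4future.net and internal.skills4future.net); a certificate issued for one name fails cert_ok_for when checked against the other.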


PART II
WORK TASK NETWORK CONFIGURATION (JATENGRO)
Note: Please use the default configuration if you are not given details.

WORK TASK ROUTER JATENGRO


Configure the server with the hostname, domain and IP specified in the appendix.
o Install the services:
1. Routing
Enable routing so that the router forwards IPv4 packets

2. DHCP Relay
Configure DHCP Relay to SEMARANGSRV for internal client

3. Reverse Proxy (nginx)


Configure a reverse proxy for http://www.skills4future.net
(https://www.skills4future.net), which is hosted by SOLOSRV

4. VPN Server
Configure VPN for access to SOLOSRV and SEMARANGSRV. External clients should
connect to 212.99.45.65
Use address range 10.20.0.1 to 10.20.0.10 and DNS SOLOSRV for VPN clients
For login create a user remote with password InaSkills2017

5. Firewall
Allow ICMP packets from the external network to the external interface of JATENGRO
The external network can access http://www.skills4future.net
The external network cannot access SOLOSRV and SEMARANGSRV before the VPN is
established.
Ensure that the VPN client cannot access the internal client (SOLOCLT) when the VPN is established.
(It can only access SOLOSRV and SEMARANGSRV.)
Deny all other traffic from the external network to all internal networks.
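
The firewall requirements above map onto a default-drop iptables policy. The script below is an added example, not part of the original test project: it only prints a ruleset in iptables-restore format and applies nothing. Interface names and server addresses are taken from the appendix; the VPN interface tun0, the VPN port udp/1194 (OpenVPN defaults) and the choice to leave inside-originated traffic unrestricted are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for JATENGRO.
# Interfaces and addresses are from the appendix of the task sheet.
EXT_IF=eth0                      # 212.99.45.65/28, external
SRV_IF=eth1                      # 172.23.199.1/29, server network
INT_IF=eth2                      # 192.168.150.1/25, internal clients
SOLOSRV=172.23.199.3
SEMARANGSRV=172.23.199.4
VPN_RANGE=10.20.0.1-10.20.0.10   # VPN client pool from the task
VPN_IF=tun0                      # assumption: OpenVPN default device
VPN_PROTO=udp                    # assumption: OpenVPN default transport
VPN_PORT=1194                    # assumption: OpenVPN default port

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic addressed to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP from the external network to the external interface
-A INPUT -i $EXT_IF -p icmp -j ACCEPT
# www.skills4future.net is answered by the nginx reverse proxy on this host
-A INPUT -i $EXT_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
# VPN endpoint for external clients
-A INPUT -i $EXT_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
# Inside networks may reach the router (DHCP relay, management)
-A INPUT -i $SRV_IF -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
# --- routed traffic ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# VPN clients reach SOLOSRV and SEMARANGSRV only, never the client network
-A FORWARD -i $VPN_IF -o $SRV_IF -m iprange --src-range $VPN_RANGE -d $SOLOSRV -j ACCEPT
-A FORWARD -i $VPN_IF -o $SRV_IF -m iprange --src-range $VPN_RANGE -d $SEMARANGSRV -j ACCEPT
-A FORWARD -i $VPN_IF -j DROP
# Inside-originated traffic (assumption: unrestricted)
-A FORWARD -i $SRV_IF -j ACCEPT
-A FORWARD -i $INT_IF -j ACCEPT
# Routed traffic from the external side matches nothing above and is dropped
COMMIT
EOF
}

# Print the ruleset only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--emit" ]; then
    gen_rules
fi
```

Running the script with --emit and piping the output into `iptables-restore --test` on the router parses the ruleset without loading it.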


PART III
WORK TASK LINUX CLIENT (JEPARACLT, SOLOCLT)
Note: Please use the default configuration if you are not given details.

WORK TASK LINUX EXTERNAL (JEPARACLT)


Note: Please use the default configuration if you are not given details.
o Install the base OS and use Gnome for the GUI
o Configure the client with the hostname, domain and IP specified in the appendix.
o Make sure JEPARACLT can access http://www.skills4future.net
o Make sure JEPARACLT can access SEMARANGSRV and SOLOSRV (via JATENGRO) through
the VPN
o Make sure the root CA certificate of SEMARANGSRV is trusted
o Make sure the client certificate is installed
o Install FileZilla FTP client
o Install Icedove mail client
Configure mailbox of user14
Make sure user14 can send mails to user19
o Make sure the client can access samba shares.

WORK TASK LINUX INTERNAL (SOLOCLT)


Note: Please use the default configuration if you are not given details.
o Install the base OS and use Gnome for the GUI
o Configure the client with the hostname, domain and IP specified in the appendix.
o Make sure the root CA certificate of SEMARANGSRV is trusted
o Make sure the client certificate is installed
o Install FileZilla FTP client
o Install Icedove mail client
Configure mailbox of user19
Make sure user19 can send mails to user14
o Make sure the client can access samba shares.
Mount the MANAGER SMB share to /mnt/manager on boot using fstab


APPENDIX
SPECIFICATIONS

SOLOSRV
Operating System Linux Debian 7.8
Computer name: SOLOSRV
Root password Nasional2017
User Name: batik
User Password: Semarang2017
eth0: 172.23.199.3/29

SEMARANGSRV
Operating System Linux Debian 7.8
Computer name: SEMARANGSRV
Root password Nasional2017
User Name: batik
User Password: Semarang2017
IP address: 172.23.199.4/29

JATENGRO
Operating System Linux Debian 7.8
Computer name: JATENGRO
Root password Nasional2017
User Name: batik
User Password: Semarang2017
eth0: 212.99.45.65/28
eth1: 172.23.199.1/29
eth2: 192.168.150.1/25

JEPARACLT
Operating System Linux Debian 7.8 (GUI)
Computer name: JEPARACLT
Root password Nasional2017
User Name: Batik
User Password: Semarang2017
IP address: 212.99.45.70/28


SOLOCLT
Operating System Linux Debian 7.8 (GUI)
Computer name: SOLOCLT
Root password Nasional2017
User Name: batik
User Password: Semarang2017
IP address: DHCP

NETWORK SPECIFICATION

[Network diagram; the image is not reproduced. Labels recovered from it:]
Host machines: Windows 8.1 Hostmachine (PC1) and Windows 8.1 Hostmachine (PC2); virtual networks VMnet1, VMnet2 and Host Only. The label Pre-Install appears twice in the diagram.
SOLOSRV: OS Debian 7.8; IP address 172.23.199.3/29; services: RAID, DNS, Web, FTP, Email, Samba, SSH.
SEMARANGSRV: OS Debian 7.8; IP address 172.23.199.4/29; services: Cacti, FreeRadius, CA, DHCP Server.
JATENGRO (labelled "Name : lnxrtr1"): OS Debian 7.8; IP addresses External 212.99.45.65/28, Server 172.23.199.1/29, Internal 192.168.150.1/25; services: Routing, DHCP Relay, Reverse Proxy (nginx), DDNS, Firewall, OpenVPN Server.
JEPARACLT (External): OS Debian 7.8 (GUI); IP address 212.99.45.70/28; services: OpenVPN Client, IceDove, Filezilla.
SOLOCLT (Internal): OS Debian 7.8 (GUI); IP address: DHCP from SEMARANGSRV; services: IceDove, Filezilla.

LOMBA KOMPETENSI SISWA (STUDENT COMPETENCY COMPETITION)
VOCATIONAL HIGH SCHOOL
WEST JAVA PROVINCIAL LEVEL

CIREBON, OCTOBER 2017

TEST PROJECT
MODULE B: SYSTEM INTEGRATION
(OPEN)

COMPETITION FIELD
IT NETWORK SYSTEM ADMIN
(IT NETWORK)

ISLAND B: SYSTEM INTEGRATION ISLAND


CONTENTS
This Test Project proposal consists of the following document/file:
LKS JABAR 2017_ITNSA_MODULB.pdf

INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your
time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.

PHYSICAL MACHINE (HOST)


FOLDER PATHS
Virtual Machines: C:\LKS\Virtual Machine
ISO Images: C:\LKS\ISO

Password for OS Pre-Install: Skills39

Version: 1.1
LKS-JABAR_ITNSA
Date: 16.08.2017

PART I
WORK TASK INSTALLATION (WINSRV1, WINSRV2,
LNXSRV1, LNXSRV2)
Note: Please use the default configuration if you are not given details.

WORK TASK SERVER WINSRV1


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for indonesiahebat.net.
Create a new Organization Unit named InaHebat2017. All new users and groups must be
created in this OU.
Create the users and global security groups with members as indicated in the table below.
Use InaSkills2017 as the password for all user accounts.

Group     | Members       | Total Users
IT        | it[01-50]     | 50 users
Marketing | mkt[01-50]    | 50 users
Visitors  | vtr[01-30]    | 30 users
Employees | IT, Marketing | 100 users

o DNS
Create a forward zone called indonesiahebat.net
Create reverse zones for the Network 172.20.31.0; 172.20.32.0; 172.20.33.0
Create a host info.indonesiahebat.net for WINSRV2
Create 2 hosts for LNXSRV1:
- training.indonesiahebat.net
- competition.indonesiahebat.net
o PKI (Public Key Infrastructure)
Install and configure Certificate Service
Install only the Certificate Authority
Create a template for Clients AND Servers
- Name the template ITNSA-ClientServerCert
- Publish the template in Active Directory
- Set the subject name format to common name
o GPO Security Policies
At logon on WINCLNT2, users should see this message before logging in. Message title:
"Welcome to Indonesiahebat2017"; message text: "Only authorized personnel allowed
to access." Prohibit this message on all servers.
All users, except the IT group, are not allowed to access the display settings in the Control
Panel.
Disable "First Sign-in Animation" for all Windows 8.1 clients
Disable the use of cmd and Run for the Visitors group


o VPN SERVER (RRAS)


Set up and configure the VPN service (RRAS)
Use the following IP range for the VPN clients: 172.20.31.21 - 172.20.32.25
With a VPN connection the user should be able to access the shares on WINSRV2
Only users in the IT group should be able to connect to the VPN server
Remote clients should be able to access the VPN server via the IP address 200.132.45.12

WORK TASK SERVER WINSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Make WINSRV2 a domain controller in the indonesiahebat.net domain
o Web Server (IIS)
Setup the web server for info.indonesiahebat.net
- Use the following code for index.html in the http://info.indonesiahebat.net
<html>
<h1>Welcome in the INFO Indonesia Hebat</h1>
</html>

o DHCP Server
Create Pool ISCLNT
- Range: 172.20.32.51 - 172.20.32.100
- Netmask: /25
- Gateway: 172.20.32.1
- DNS: 172.20.31.3
- Option 150 (TFTP) 172.20.32.129

Create Pool VOICE
- Range: 172.20.32.131 - 172.20.32.200
- Netmask: /25
- Gateway: 172.20.32.129
- DNS: 172.20.31.3
- Option 150 (TFTP) 172.20.32.129

WORK TASK SERVER WINSRV1 & WINSRV2


o Install Distributed File System
Create skills as the root DFS Namespace in a Domain-based namespace in 2008 mode.
Create DFS share folders and configure the folder targets as indicated in the following table.
Enable DFS Replication between WINSRV1 and WINSRV2.

DFS Namespace Share Folder | Folder Target | Local Folder on both Servers | Description
\\indonesiahebat.net\skills\rfolders | \\WINSRV1\rfolders | C:\share\rfolders on WINSRV1 | Folder Redirection & home folder
\\indonesiahebat.net\skills\rfolders | \\WINSRV2\rfolders | C:\share\rfolders on WINSRV2 | Folder Redirection & home folder
\\indonesiahebat.net\skills\IT | \\WINSRV1\IT | C:\share\IT on WINSRV1 | Departmental Share for IT
\\indonesiahebat.net\skills\IT | \\WINSRV2\IT | C:\share\IT on WINSRV2 | Departmental Share for IT
\\indonesiahebat.net\skills\Sales | \\WINSRV1\Sales | C:\share\Sales on WINSRV1 | Departmental Share for Sales
\\indonesiahebat.net\skills\Sales | \\WINSRV2\Sales | C:\share\Sales on WINSRV2 | Departmental Share for Sales
\\indonesiahebat.net\skills\Marketing | \\WINSRV1\Mkt | C:\share\Mkt on WINSRV1 | Departmental Share for Marketing
\\indonesiahebat.net\skills\Marketing | \\WINSRV2\Mkt | C:\share\Mkt on WINSRV2 | Departmental Share for Marketing

o Configure users profiles and share folders:


Create the users' home folders \\indonesiahebat.net\skills\rfolders\%username% and ensure each is
mapped to Z: automatically at every logon.
- Limit the storage space of every home folder to 50MB
- Prevent any .exe and .bat files from being stored in the home folder.
Redirect the Documents folder to
\\indonesiahebat.net\skills\rfolders\username\Documents.
Create departmental share folders on \\indonesiahebat.net\skills\IT,
\\indonesiahebat.net\skills\Sales and \\indonesiahebat.net\skills\Marketing and map the
respective share folder to Y: at logon, depending on the department the user is in. Users
should not be allowed to access other departments' or users' home shares.

WORK TASK SERVER LNXSRV1


Configure the server with the hostname, domain and IP specified in the appendix.
o Create 50 local UNIX users with password InaSkills2017
Username: user[1-50], e.g. user1, user2, ..., user50
o Web Server (nginx)
Create 2 virtual web hosts for training.indonesiahebat.net and
competition.indonesiahebat.net
- Use the following code for index.html in the http://training.indonesiahebat.net
<html>
<h1>Welcome in the TRAINING Indonesia Hebat</h1>
</html>

- Use the following code for index.html in the http://competition.indonesiahebat.net


<html>
<h1>Welcome in the COMPETITION Indonesia Hebat</h1>
</html>

o NTP Server
Set up the NTP server service. Use the local clock as the time source


WORK TASK SERVER LNXSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Cacti
Install Cacti
Create an admin-user master with password InaSkills2017
Create a graph showing the statistics of the CPU, Memory and interfaces traffic of the
WINSRV1, WINSRV2, RO1 and SW1

o FreeRadius Server
Configure the RADIUS server for router and switch access authentication. Use LKSN2017 as
the shared key.
Create SW1 with password InaSkills2017. It will be used for switch access authentication.
Create RO1 with password InaSkills2017. It will be used for router access authentication.


PART II
WORK TASK NETWORK CONFIGURATION (RO1, SW1)
Note: Please use the default configuration if you are not given details.

WORK TASK ROUTER (RO1) & SWITCH (SW1)


o Use the Indonesia2017 as secret password
o Line console must login with the password InaSkills2017
o Configure AAA login with the lnxsrv1 as Radius Server
o Create username admin and password InaSkills2017 for failover user if RADIUS server is not
available
o Enable SSH Access with authentication using user radius server (lnxsrv1)
o Encrypt all clear text passwords
o Configure banner MOTD AUTHORIZED ACCESS ONLY
o Configure VLAN and IP Address

Device | Interface | VLAN ID | Description / VLAN Name | IP Address
RO1 | Gi0/0 | - | - | 202.132.45.5/27
RO1 | Gi0/1.30 | 30 | ISSRV-1 | 172.20.31.1/26
RO1 | Gi0/1.31 | 31 | ISCLNT | 172.20.32.1/25
RO1 | Gi0/1.32 | 32 | VOICE | 172.20.32.129/25
RO1 | Gi0/1.33 | 33 | BRSRV | 172.20.33.1/26
RO1 | Gi0/1.34 | 34 | ISSRV-2 | 172.20.33.65/26
RO1 | Gi0/1.99 | 99 | NATIVE | 10.0.0.1/28
SW1 | Fa0/41 - Fa0/48 | 99 | NATIVE | 10.0.0.2/28
SW1 | Fa0/1 - Fa0/8 | 33 | BRSRV | -
SW1 | Fa0/9 - Fa0/24 | 31 Data & 32 Voice | 31 = ISCLNT, 32 = VOICE | -
SW1 | Fa0/25 - Fa0/32 | 30 | ISSRV-1 | -
SW1 | Fa0/33 - Fa0/40 | 34 | ISSRV-2 | -

WORK TASK ROUTER (RO1)


o Configure the router with the hostname RO1
o Configure DHCP Relay for VLAN ISCLNT and VLAN VOICE to WINSRV2
o Configure NAT / PAT
Configure Static NAT
Static NAT to lnxsrv2 with IP address 202.132.45.11
Static NAT to winsrv1 with IP address 202.132.45.12
Static NAT to lnxsrv1 with IP address 202.132.45.9
Static NAT to winsrv2 with IP address 202.132.45.10


o Telephony Service
Configure max 5 ephone and max 10 ephone-dn
Number 999 is used for paging all phones of the company
Configure button 2 on hqvph1 to call directly to paging extension
Configure Intercom service with the extension 199
o Access Control List (ACL)
Configure Access List with rule below
- Ensure that outside hosts can access all services of lnxsrv2 and winsrv1 using the outside IP of RO1
- Allow access from outside to the web servers lnxsrv1 and winsrv2
- Deny other traffic from outside to inside
o SNMP
Enable SNMP v2c with LKSN as the read-only community string

WORK TASK SWITCH (SW1)


o Configure the switch with the hostname SW1
o Configure interface vlan 99 with the IP Address 10.0.0.2/28
o Configure port interface
Port 48 trunk mode to ro1
Port 1 for lnxsrv1
Port 2 for lnxsrv2
Port 25 for winsrv1
Port 33 for winsrv2
Port 9 for hqvph1
Port 10 for winclnt2
o Configure port security with a maximum of 3 MAC addresses and violation mode shutdown for the ports to:
lnxsrv1, lnxsrv2, winsrv1, winsrv2 and winclnt2
o In case of a port security violation, the switch port must recover automatically after 30
seconds


PART III
WORK TASK WINDOWS CLIENT (WINCLNT1, WINCLNT2,
IP PHONE)
Note: Please use the default configuration if you are not given details.

WORK TASK WINDOWS EXTERNAL (WINCLNT1)


Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLNT1 to the interface Gi0/0 on RO1
o Configure the VPN client to connect to winsrv1
o Install and configure Cisco IP Communicator with number 1008

WORK TASK WINDOWS INTERNAL (WINCLNT2)


Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLNT to the switch VLAN ISCLNT
o Join the notebook to the domain
o Install and configure Cisco IP Communicator with number 1007
o Set the time to use NTP server LNXSRV1

WORK TASK IP PHONE (HQVPH1)


Note: Please use the default configuration if you are not given the details.
o Connect LAN cables and configure IP addresses
o Configure with number 1003
o Make sure the VoIP-phone is using VLAN 32 for its VoIP-traffic
o The traffic of the connected computer (if any) shall use VLAN 31


APPENDIX
SPECIFICATIONS

WINSRV1
Computer name: WINSRV1
Operating System MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: InaSkills2017
IP address: 172.20.31.3/26
Domain NetBIOS Name: HEBAT

WINSRV2
Computer name: WINSRV2
Operating System MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: InaSkills2017
IP address: 172.20.33.67/26
Domain NetBIOS Name: HEBAT

LNXSRV1
Computer name: LNXSRV1
Operating System Linux Debian 7.8
User name: root
Password: InaSkills2017

IP address: 172.20.33.3/26

LNXSRV2
Computer name: LNXSRV2
Operating System Linux Debian 7.8
User name: root
Password: InaSkills2017

IP address: 172.20.33.4/26


WINCLNT1 (EXTERNAL)
Computer name: WINCLNT 1
Operating System MS Windows 8.1
User name: Administrator
Password: InaSkills2017
Domain name: Indonesiahebat.net

IP address: 202.132.45.28/27

WINCLNT2
Computer name: WINCLNT 2
Operating System MS Windows 8.1
User name: Administrator
Password: InaSkills2017
Domain name: indonesiahebat.net

IP address: DHCP

NETWORK SPECIFICATION
VLAN ISSRV-1 (ID: 30) 172.20.31.0/26
VLAN ISCLNT (ID: 31) 172.20.32.0/25
VLAN VOICE (ID: 32) 172.20.32.128/25
VLAN BRSRV (ID: 33) 172.20.33.0/26
VLAN ISSRV-2 (ID:34) 172.20.33.64/26
VLAN NATIVE (ID: 99) 10.0.0.0/28
OUTSIDE 202.132.45.0/27

NETWORK SPECIFICATION (DIAGRAM)

[Network diagram; the image is not reproduced. Labels recovered from it:]
Host machines: Windows 8.1 Hostmachine (PC1) and Windows 8.1 Hostmachine (PC2); GNS3; virtual networks VMnet1, VMnet2 and VMnet3. The label Pre-Install appears next to several machines.
winsrv1: OS Windows Server 2012 R2; User Administrator; Password InaSkills2017; Domain indonesiahebat.net; IP address 172.20.31.3/26; services: AD, DNS, CA (Certificate Authority), GPO, DFS, SNMP, VPN Server (RRAS).
winsrv2: OS Windows Server 2012 R2; User Administrator; Password InaSkills2017; Domain indonesiahebat.net; IP address 172.20.33.67/26; services: AD, DNS, Web Server, DFS, SNMP, DHCP Server.
SW1: Name SW1; Password Skills39; VLAN 30: ISSRV-1, VLAN 31: ISCLNT, VLAN 32: VOICE, VLAN 33: BRSRV, VLAN 34: ISSRV-2, VLAN 99: NATIVE; services: Port Security, VLAN, SSH, SNMP.
lnxsrv1: OS Debian 7.8; User root; Password InaSkills2017; Domain indonesiahebat.net; IP address 172.20.33.3/26; services: Web Server (nginx), NTP Server, SNMP.
lnxsrv2: OS Debian 7.8; User root; Password InaSkills2017; Domain indonesiahebat.net; IP address 172.20.33.4/26; services: Cacti, SNMP, FreeRadius.
RO1 (labelled "Name : lnxsrv1"): Password InaSkills2017; IP addresses External 200.132.45.33/25, Gi0/1.30 172.20.31.1/26, Gi0/1.31 172.20.32.1/25, Gi0/1.32 172.20.32.129/25, Gi0/1.33 172.20.33.1/26, Gi0/1.34 172.20.33.65/26, Gi0/1.99 10.0.0.1/28; services: Routing, NAT, ACL, Telephony Service, DHCP Relay, SSH, SNMP.
winclnt1 (External): OS Windows 8.1; User Administrator; Password InaSkills2017; Domain indonesiahebat.net; IP address 200.132.45.28/27; services: VPN Client, Softphone Ext 1008.
winclnt2 (Internal): OS Windows 8.1; User Administrator; Password InaSkills2017; Domain indonesiahebat.net; IP address: DHCP Client; services: Join Domain, Softphone Ext 1007.

LOMBA KOMPETENSI SISWA (STUDENT COMPETENCY COMPETITION)
VOCATIONAL HIGH SCHOOL
WEST JAVA PROVINCIAL LEVEL

CIREBON, OCTOBER 2017

TEST PROJECT
MODULE C: PT CHALLENGE
(OPEN)

COMPETITION FIELD
IT NETWORK SYSTEM ADMIN
(IT NETWORK)

Instructions
The competition has a fixed start and finish time. You must decide how to best divide your time.
Please carefully read the following instructions!

When the competition time ends, please save your file and add your ID in the end of the filename
(change the XX), leave the Cisco Packet Tracer program and your workstation in a running state.

DO NOT FORGET TO SAVE YOUR PACKET TRACER FILE REGULARLY!


(The Cisco Packet Tracer program may crash and you could lose marks!)

Description of project and tasks


The network diagram has been preconfigured.
All devices can be connected with IPv4 and IPv6 according to the instructions below!

ALL INFRASTRUCTURE, SERVERS AND CLIENTS


1. Configure according to the network diagram and tables.
2. Configure host name, enable mode password (encrypted), SSH version 2 with 1024 bit RSA keys,
logging synchronous in line vty 0-4 and the users in Table 5.

ISP ROUTER
1. For ease of administration, enable SSH with local authentication, isp.net for domain name.
2. Do not configure any kind of static or dynamic routing.
3. Configure PPP CHAP authentication on the Serial Link between ISP and HQ router with Skills39 as
the password.

HQ / BRANCH ROUTERS
1. See the appendix to understand IP addressing, services and network diagram.
2. Configure an IPv6 over IPv4 point-to-point tunnel (ipv6ip) between the two routers, going through the ISP
router.
3. Configure a default static route to the ISP using the next-hop address, and EIGRPv6 and OSPFv3 routing via
the tunnel. OSPFv3 routing serves as a backup routing protocol. When EIGRPv6 is running, we
should only see EIGRPv6 routes in the routing table.

HQ EIGRPv6 100 Routing        BRANCH EIGRPv6 100 Routing
fdab:cdef:1::/64              fdab:cdef:3::/64
fdab:cdef:4::/64              fdab:cdef:4::/64
fdab:cdef:7::/64

HQ OSPFv6 area 0 Routing with process ID 100        BRANCH OSPFv6 area 0 Routing with process ID 100
fdab:cdef:1::/64                                    fdab:cdef:3::/64
fdab:cdef:4::/64                                    fdab:cdef:4::/64
fdab:cdef:7::/64

- Don't send routing updates on interface serial0/0/0

4. Configure High Availability routing for the MGMT IPV4 with group 1. Use a protocol that will use
only one of the two routers, preferably the HQ router.

5. Configure VoIP system with the following settings:


Site   | Extension | Ephone-DN | Device              | Server
HQ     | 101       | 1         | IP phone LUXVOIP    | 10.0.0.1/24
HQ     | 102       | 2         | Softphone WINLAPTOP | 10.0.0.1/24
Branch | 201       | 1         | IP phone WINVOIP    | 172.16.0.1/24

- Enable auto assign from directory number 1 to 10.
- Max phone and directory are 20.
- IP phone/softphone can communicate between HQ and Branch site.
- DHCP information in the DHCP Services section.
- Clock time zone UTC 7

6. Configure AAA to authenticate SSH logins, idnux.local for domain-name, the radius server is
LUXSRV for HQ and WINSRV for BRANCH, Skills39 for radius-key and use cisco local user as a fall
back if RADIUS becomes unavailable.
7. Restrict SSH access to the MGMT IPv6 and IPv4 network, MGMT-IPv6-net and MGMT-net for ACL-
name with the standard type.
8. Configure time synchronization with the NETLUXSRV NTP server that has authentication to use it.
Use key 1 and Password Skills39.
9. Send logs to the syslog server at LUXSRV for HQ and WINSRV for BRANCH.
10. Configure NAT overload in HQ for MGMT IPv4 Network for internet access. Use MGMT-net for
ACL so WINLAPTOP can access NETLUXSRV.

REMOTE ASA 5505


1. For ease of administration, enable SSH with local authentication, idnux.local for domain-name. It
should be accessible from the inside network.
2. Create an object network named INSIDE to specify an inside network and configure NAT for internet
access using the outside interface so REMWINTOP can access NETLUXSRV.
3. Create an object network named DMZLUXSRV to specify a single host and configure NAT for HTTP
and HTTPS on DMZLUXSRV to be accessible from the outside network with IP 1.1.1.19.
4. Configure an ACL named FROM-INTERNET to allow HTTP and HTTPS access from the outside
network to the DMZLUXSRV.


HQSW / BRANCH SWITCHES


1. For ease of administration, enable SSH with local authentication, idnux.local for domain-name.
2. Configure portfast on all access ports.
3. Configure an Etherchannel on ports Gig0/1-Gig0/2 on both switches. Use a standard based
protocol.
4. Use Port-Channel 1 for both Vlan 99 and Vlan 12.

HQSW - C2960 SWITCH


1. Configure port security; WINLAPTOP is the only device allowed on the MGMT Vlan on Fa0/13
with violation shutdown the port.
2. Configure port F0/11 to receive all traffic that is received and sent on port F0/5.
3. Configure DHCP snooping on F0/21, F0/22, Fa0/13 and a port connected to IPphone. Enable on
All VLANs. No IP DHCP snooping information option.
4. On the Etherchannel on ports Gig0/1-Gig0/2, this switch should not attempt to negotiate an
EtherChannel.

BRANCHSW - C2960 SWITCH


1. Configure DHCP snooping on F0/21, FA0/22, and port connected to IPphone. Enable on All VLANs.
No IP DHCP snooping information option.
2. On the Etherchannel on ports Gig0/1-Gig0/2, this switch should attempt to negotiate an
EtherChannel

DHCP Services
1. Configure DHCP service on ISP, HQ, BRANCH, HQSW and REMOTE with the setting in the table 4.


APPENDIX

TABLE 1. IP ADDRESSING TABLE

Device | IPv4 | IPv6 | Interface
ISP | 1.1.1.1/29 | | S0/0/0
ISP | 1.1.1.9/29 | | S0/0/1
ISP | 1.1.1.17/29 | | Gig0/0
ISP | 1.1.1.65/26 | | Gig0/1
NETLUXTOP | DHCP from Server: 1.1.1.65 | | FA0
NETLUXSRV | 1.1.1.70/26 | | FA0
HQ | 1.1.1.10/29 | | S0/0/0
HQ | 10.0.10.1/24 | fdab:cdef:1::1/64 | GE0/0.11
HQ | | fdab:cdef:2::1/64 | GE0/0.12
HQ | 10.0.0.1/24 | | GE0/1.10
HQ | 10.0.1.1/24 | fdab:cdef:7::1/64 | GE0/1.99
HQ | 10.0.1.254/24 | | GE0/1.99 STANDBY
HQ | | fdab:cdef:4::1/64 | Tunnel0
BRANCH | 1.1.1.2/29 | | S0/0/0
BRANCH | 10.0.30.1/24 | fdab:cdef:3::1/64 | GE0/0.21
BRANCH | | fdab:cdef:2::2/64 | GE0/0.12
BRANCH | 172.16.0.1/24 | | GE0/1.20
BRANCH | 10.0.1.2/24 | fdab:cdef:7::2/64 | GE0/1.99
BRANCH | 10.0.1.254/24 | | GE0/1.99 STANDBY
BRANCH | | fdab:cdef:4::2/64 | Tunnel0
LUXSRV | 10.0.10.2/24 | fdab:cdef:1::2/64 | FA0
LUXTOP | | fdab:cdef:2::10/64 | FA0
LUXVOIP | 172.16.0.X from DHCP 172.16.0.1 | | FA0
WINLAPTOP | 10.0.1.x from DHCP Server: 10.0.1.3 | fdab:cdef:7::10/64 | FA0
HQSW | | | FA/21 trunk port to HQ Gig0/1 with native VLAN 99
HQSW | | | FA0/22 trunk port to HQ Gig0/0
HQSW | 10.0.1.3/24 | | VLAN99
BRANCHSW | | | FA/21 trunk port to HQ Gig0/1 with native VLAN 99
BRANCHSW | | | FA0/22 trunk port to HQ Gig0/0
BRANCHSW | 10.0.1.4/24 | | VLAN99
WINSRV | 10.0.30.2/24 | fdab:cdef:3::2/64 | FA0
WINTOP | | fdab:cdef:2::20/64 | FA0
WINVOIP | 172.16.0.X from DHCP 172.16.0.1 | | FA0
REMOTE | 1.1.1.18/29 | | E0 (VLAN 2 Outside), Security level 0
REMOTE | 192.168.0.1/25 | | E1 (VLAN 1 Inside), Security level 100
REMOTE | 192.168.0.129/25 | | E2 (VLAN 3 DMZ), Security level 50, No forward interface to inside
REMWINTOP | DHCP from Server: 192.168.0.1 | | FA0
DMZLUXSRV | 192.168.0.130/25 | | FA0
TABLE 2.VTP AND VLAN ASSIGNMENT

VTP Version 2
VTP DOMAIN: skills.org
VTP PASSWORD: Skills39
VTP SERVER: HQSW
VTP CLIENT: BRANCHSW

HQSW
VLAN ID | VLAN NAME | PORTS | NETWORK
10 | LUXVOIP | F0/1 - F0/4 (Voice VLAN; Data VLAN is 12) | 10.0.0.0/24
11 | LUXSRV | F0/5 - F0/8 | fdab:cdef:1::/64, 10.0.10.0/24
12 | LUXWINTOP | F0/1-F0/4, F0/9 - F0/12 | fdab:cdef:2::/64
99 | MGMT | F0/13 - F0/16 | 10.0.1.0/24 and fdab:cdef:7::/64
99 | NATIVE VLAN | |

BRANCHSW
VLAN ID | VLAN NAME | PORTS | NETWORK
20 | WINVOIP | F0/1 - F0/4 (Voice VLAN; Data VLAN is 12) | 172.16.0.0/24
21 | WINSRV | F0/5 - F0/8 | fdab:cdef:3::/64, 10.0.30.0/
12 | LUXWINTOP | F0/1-F0/4, F0/9 - F0/12 | fdab:cdef:2::/64
99 | MGMT | F0/13 - F0/16 | 10.0.1.0/24 and fdab:cdef:7::/64
99 | NATIVE VLAN | |


TABLE 3. SPANNING TREE

 | SPANNING TREE FOR VLAN 99 | SPANNING TREE FOR VLAN 12
PRIMARY ROOT BRIDGE | HQSW | BRANCHSW
SECONDARY ROOT BRIDGE | BRANCHSW | HQSW
HQSW LINKS | Gig0/1, Gig0/2 | Gig0/1, Gig0/2
BRANCHSW LINKS | Gig0/1, Gig0/2 | Gig0/1, Gig0/2
VLANS ALLOWED ON LINKS | 99,12 | 99,12
NATIVE VLAN | 99 | 99

TABLE 4. DHCP SERVERS

DHCP SERVERS
SERVER | POOL NAME | NETWORK | DEFAULT ROUTER | IP EXCLUDE | ADDRESS RANGE
ISP | NETLUX | 1.1.1.64/26 | | 1.1.1.65-1.1.1.75 | Use any IP address range from the correct subnet
HQ | LUXVOIP | 10.0.0.0/24 | 10.0.0.1 | 10.0.0.1-10.0.0.20 | Use any IP address range from the correct subnet
BRANCH | WINVOIP | 172.16.0.0/24 | 172.16.0.1 | 172.16.0.1-172.16.0.20 | Use any IP address range from the correct subnet
HQSW | MGMT-V4 | 10.0.1.0/24 | 10.0.1.254 | 10.0.1.1-10.0.1.4 | Use any IP address range from the correct subnet
REMOTE | dhcpd | 192.168.0.0/25 | 192.168.0.1 | - | 192.168.0.10-192.168.0.40

TABLE 5. USER ACCOUNTS

CISCO MANAGEMENT ACCOUNTS

| ACCOUNT | PASSWORD (encrypted) | PRIVILEGE LEVEL |
|---|---|---|
| root | Skills39 | 15 |
| cisco | Skills39a | 1 |
| enable secret | Skills39 | |

RADIUS USER ACCOUNTS

| ACCOUNT | PASSWORD |
|---|---|
| super | Skills39 |
| basic | Skills39a |


TABLE 6. ENABLED SERVICE


| HOST | SERVICES |
|---|---|
| NETLUXSRV | NTP, Authentication Key 1 |
| LUXSRV | RADIUS port 1645, Client = HQ with Key = Skills39; SYSLOG |
| WINSRV | RADIUS port 1645, Client = BRANCH with Key = Skills39; SYSLOG |
| DMZLUXSRV | HTTP; HTTPS |

NETWORK DIAGRAM

STUDENT COMPETENCY COMPETITION (LOMBA KOMPETENSI SISWA)
VOCATIONAL HIGH SCHOOL
WEST JAVA PROVINCIAL LEVEL

CIREBON, OCTOBER 2017

TEST PROJECT
MODULE D PT TROUBLESHOOTING
(OPEN)

COMPETITION FIELD
IT NETWORK SYSTEM ADMIN
(IT NETWORK)


Pay careful attention to the topology diagram first!

The CIscoNeX company uses a network to connect 3 branches in Indonesia, Malaysia and Thailand.
After recent network upgrades there was a major power outage in the area, so many
devices no longer work on the network. The IT team did not have time to test the upgrades
before the power outage. The IT manager is sick at home and you have been handed minimal
documentation of the network. Please look at the Engineer Notes.

Error report from every Cluster:

REMOTE OFFICE Cluster
1. Internal clients can't connect to the gateway.

INDONESIA HQ Cluster
1. All clients in the Indonesia HQ can't connect to the Internet.
2. The Demak network can't be reached from any network in Indonesia HQ.
3. IP phones can't get an extension number.
4. Semarang VoIP and Jepara VoIP can't call each other.

MALAYSIA BRANCH Cluster
1. The network doesn't work properly; make sure all PCs are connected and working properly.

THAILAND BRANCH Cluster
1. All PC clients can't connect to the gateway, so make sure they can connect to the gateway.

Version: 1.1
LKS-JABAR_ITNSA
Date: 16.08.2017

ENGINEER NOTES:

INDONESIA HQ
VLAN 1 for voice traffic
EIGRP ID 100

NAT overload for all local network, ACL Number 10

Local telephony service

a. RO-SEMARANG
IP Source: 2.2.2.6
Max IP phones: 20
Max directory number: 20
Directory number: 1xx

b. RO-JEPARA
IP Source: 2.2.2.14
Max IP phones: 20
Max directory number: 20
Directory number: 2xx

MALAYSIA BRANCH Cluster


Static route using next-hop IP.

THAILAND BRANCH Cluster

1. Engineer Notes:
- TH_SW1 is the VTP Server with the domain named THBRANCH; TH_SW2 and TH_SW3 are VTP Clients
- All EtherChannel modes are On

2. VLANs:
VLAN ID 100 named Manager
VLAN ID 200 named Sales
VLAN ID 300 named IT

REMOTE OFFICE BRANCH Cluster


You need to analyze the following documentation; some configurations have already been configured.


1. Configure REMOTE-RO

a. Configure Hostname, IP Address according to the topology diagram.

b. Configure default route to the ISP using next-hop IP.

2. Configure REMOTE-ASA

a. Hostname: REMOTE-ASA
b. Interfaces:

| Interface VLAN | Name | Security level | Port | IP Address | NB |
|---|---|---|---|---|---|
| 1 | inside | 100 | Et0/0 | 192.168.0.129/25 | |
| 2 | outside | 0 | Et0/2 | 1.1.1.18/29 | |
| 3 | DMZ | 50 | Et0/1 | 192.168.0.1/25 | No forward to VLAN 1 |

c. Configure default route to the REMOTE-RO using next-hop ip.

d. Configure DHCP for inside:
Address range: 192.168.0.140-192.168.0.171
DNS-Server: 192.168.0.130
Gateway: 192.168.1.129

e. Create a local user named admin with password Skills39.

f. Configure SSH with local authentication. It should be accessible from the inside and
the outside network.

g. Configure an ACL named FROM-INTERNET to allow HTTP packets from the internet
to host dmz-server. Apply the ACL to the outside interface.

h. Create an object network named DMZ-SERVER to host dmz-server.

i. Configure HTTP on DMZ-SERVER to be accessible from the outside IP 1.1.1.19.
This can be tested using PC-Testing.
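The REMOTE-ASA steps a to i above, written out as one ASA 5505 configuration. This is an added example, not part of the test project or an official solution; it assumes ASA 8.3+ syntax, and `<REMOTE-RO-IP>` and `<DMZ-SERVER-IP>` are placeholders for addresses that appear only in the topology diagram.

```cisco
! Added example, not the official solution. <REMOTE-RO-IP> and <DMZ-SERVER-IP>
! are placeholders for addresses that appear only in the topology diagram.
hostname REMOTE-ASA
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.129 255.255.255.128
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.18 255.255.255.248
interface Vlan3
 ! NB column: DMZ may not initiate traffic to VLAN 1. On a Base-license
 ! 5505 this line has to come before nameif on the third VLAN.
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.128
interface Ethernet0/0
 switchport access vlan 1
 no shutdown
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
interface Ethernet0/2
 switchport access vlan 2
 no shutdown
route outside 0.0.0.0 0.0.0.0 <REMOTE-RO-IP>
! Step d. The gateway is copied as written; it is not in 192.168.0.128/25,
! so confirm it against the diagram before relying on it.
dhcpd address 192.168.0.140-192.168.0.171 inside
dhcpd dns 192.168.0.130
dhcpd option 3 ip 192.168.1.129
dhcpd enable inside
! Steps e and f: local user, SSH authenticated against the LOCAL database
username admin password Skills39
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.0.128 255.255.255.128 inside
ssh 0.0.0.0 0.0.0.0 outside
! Steps h and i: static NAT publishes the DMZ host as 1.1.1.19
object network DMZ-SERVER
 host <DMZ-SERVER-IP>
 nat (DMZ,outside) static 1.1.1.19
! Step g: with 8.3+ the ACL matches the real DMZ address, not 1.1.1.19
access-list FROM-INTERNET extended permit tcp any host <DMZ-SERVER-IP> eq www
access-group FROM-INTERNET in interface outside
```

After applying it, `show nat`, `show access-list FROM-INTERNET` and `show dhcpd binding` confirm the translation, the ACL hit counters and the leases handed to inside clients.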


NETWORK DIAGRAM

Figure: Main Cluster Topology

Figure: Remote Office Cluster Topology


Figure: Thailand Branch Cluster Topology

Figure: Malaysia Branch Cluster Topology


Figure: Indonesia Branch Cluster Topology
