Version: 1.0
Date: 16.05.15
Contents
This Test Project proposal consists of the following documentation/files:
1. TP39_ASC2016_pre_EN_Module-C.docx
User | Site | Line | Extension | Call Waiting | Device
Alice | HQ | 1 | 101 | Yes | IP Phone
 | | 2 | 104 | No |
Bob | HQ | 1 | 102 | No | Softphone
 | | 2 | 104 | No |
Carol | HQ | 1 | 103 | No | Softphone
John | Branch | 1 | 201 | No | IP Phone
f. Assign the name HQ-CME and Branch-CME to each site respectively. The name should be displayed on all IP Phones and IP Communicators once they are registered. Configure the time zone to be GMT -3.
g. Customize each IP Phone such that the user's name instead of the extension number is displayed on the phone button. Ensure that when receiving a call, the username is shown on the caller ID instead of the extension number.
h. Caller-ID and DND must be enabled for all phones.
i. Users must be able to perform Call-forwarding and transfer their calls to other extensions.
j. Configure Music-on-hold on both sites using the attached MOH.wav file.
k. Bob and Alice share extension 104. Enable both Bob's and Alice's phones to ring simultaneously when there is an incoming call to 104. E.g. Carol calls 104 and both Bob's and Alice's phones ring. Bob answers the call and Alice sees that 104 is off hook.
l. Configure Call Park on extension 100 on HQ-CME to allow any user to park the call so that any user can pick up the call upon dialing the call park extension.
m. Configure Local Directory Services so that users can look up other users' extension numbers in both sites via the Services button.
n. Configure conferencing services to support at least 3 parties in a conference call.
o. On Alice's phone, configure button 3 as a dedicated intercom line to Carol. Upon pressing button 3, Carol's phone will automatically answer the call in speakerphone mode with mute activated and Carol will hear Alice's conversation.
5. HQ ROUTER CISCO 2901
a. Enable SSH with public key authentication so that users do not need to enter a password.
b. Restrict SSH access to the MNGT network.
c. Configure time synchronization with the NETLUXSRV NTP server.
d. Send logs to the syslog server at LUXSRV placing the logs in folder /var/log/cisco/ inside
file HQ.
e. Configure a Site-to-Site IKEv2 IPsec Tunnel with the REMOTE site. Authenticate and
encrypt all traffic to and from WINSRV and any other traffic as detailed in the access
permissions map. Use a different set of authentication and encryption protocols from the
tunnel between HQ and BRANCH.
f. Using a Zone-Based Firewall restrict what comes in and goes out, to the Internet, to the bare
minimum necessary according to the topology diagram and maps.
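A sketch of HQ items a to d in IOS configuration syntax, added here as an example; it is not part of the test project or a marked solution. It assumes the local user root from the accounts table already exists, takes the MNGT network to be VLAN 99 (10.0.1.0/24) as in the VLAN assignment, and uses a placeholder domain name, ACL name and key string.

```cisco
! Added example for HQ items a-d. Assumptions: the local user "root" from the
! accounts table already exists; the domain name, ACL name and key material are
! placeholders chosen for illustration.
ip domain-name rio.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! a. Public-key login: bind the administrator's key to the local user.
ip ssh pubkey-chain
 username root
  key-string
   <base64 body of the user's SSH public key>
  exit
!
! b. Accept SSH only from the MNGT network (VLAN 99, 10.0.1.0/24) and log
!    every refused source so probing shows up in syslog.
ip access-list standard MNGT-SSH
 permit 10.0.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MNGT-SSH in
 transport input ssh
 login local
!
! c. NTP from NETLUXSRV (1.1.1.126) so log timestamps line up across devices.
ntp server 1.1.1.126
service timestamps log datetime msec
!
! d. Syslog to LUXSRV (fdab:cdef:1::2). Writing to /var/log/cisco/HQ is done by
!    a rule on the syslog daemon, not on the router.
logging host ipv6 fdab:cdef:1::2
logging trap informational
```

Check the result with show ip ssh, show ntp associations and show logging; any vty lines beyond 0 4 need the same access-class.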
6. BRANCH ROUTER CISCO 2901
a. Configure aaa to authenticate SSH logins and enable mode access. The radius server is
LUXSRV.
b. Configure time synchronization with the WINSRV NTP server.
c. Use CBAC (Context-Based Access Control) to restrict what comes in and goes out, to the
Internet, to the bare minimum necessary according to the topology diagram and maps.
7. REMOTE ASA 5505
a. For ease of administration, enable SSH with local authentication. It should be accessible from
the inside and the outside network, on port 22222.
b. Configure SSH, FTP, HTTP and HTTPS to be accessible on DMZLUXSRV.
c. Configure a Site-to-Site IKEv2 IPsec Tunnel with the HQ site. Authenticate and encrypt all
traffic to and from WINSRV and any other traffic as detailed in the access permissions map.
Use a different set of authentication and encryption protocols from the tunnel between HQ
and BRANCH.
d. Configure an AnyConnect Remote Access VPN for clients from the Internet to connect
securely.
e. Restrict what comes in and goes out, to the Internet, to the bare minimum necessary
according to the topology diagram and maps.
8. HQSW / BRANCH SWITCHES
a. For ease of administration, enable SSH with local authentication.
b. Configure portfast on all access ports.
c. Configure DHCP snooping where appropriate.
d. Configure an EtherChannel on ports F0/23-F0/24 on both switches. Use a Cisco proprietary
protocol. Load balancing should be based on the source MAC address.
e. Configure an EtherChannel on ports G0/1-G0/2 on both switches. Use a standards-based
protocol. Load balancing should be based on the destination MAC address.
ISP ROUTER CISCO 1941
INTERFACE S0/0/0
S0/0/1
GE0/0
GE0/1
S0/0/1
BRANCH
S0/0/0
1.1.1.2/29
REMOTE
E0
1.1.1.18/29
1.1.1.10/29
DHCP from Server: 1.1.1.65
1.1.1.126/26 assigned from DHCP Server at 1.1.1.65
DHCP from Server: 1.1.1.65
GE0/0.12
Tunnel
10.0.1.1/24
10.0.1.254/24 fdab:cdef:4::1/64
fdab:cdef:7::1/64
fdab:cdef:4::1/64
LUXSRV PC1 NIC1
fdab:cdef:1::2/64
LUXTOP PC1 NIC2
fdab:cdef:2::X/64 from DHCP
10.0.0.X from DHCP Server:
BRANCH Tunnel
LUXVOIP Eth0
HQSW
GE0/1.99
STANDBY
S0/0/1
GE0/1.99
1.1.1.9/29
ISP
GE0/0.11
F0/23
F0/21
10.0.1.3/24
GE0/0.21
GE0/0.12
ISP
S0/0/0
1.1.1.1/29
HQ
Tunnel
fdab:cdef:4::2/64
WINSRV
PC2 NIC1
fdab:cdef:3::2/64
WINTOP
PC2 NIC2
WINVOIP
Eth0
BRANCHSW
fdab:cdef:3::X/64 from DHCP Server: fdab:cdef:1::2/64
172.16.0.X from DHCP Server: 172.16.0.1
F0/23
F0/21
10.0.1.4/24
INTERFACE
LUXVOIP
Eth0
LUXSRV
PC1 NIC1
LUXTOP
PC1 NIC2
WINLAPTOP Eth0
G0/1
HQ
G0/0
F0/23
F0/24
BRANCHSW
G0/1
G0/2
BRANCHSW INTERFACE MAP
VLAN 99 10.0.1.4/24
DEVICE
PC2 NIC1
WINTOP
PC2 NIC2
G0/1
BRANCH
G0/0
F0/23
HQSW
G0/1
G0/2
NOTE: WINTOP can be connected to port F0/9 or to the LUXVOIP phone.
HQSW VLAN ASSIGNMENT
VLAN ID | VLAN NAME | PORTS | NETWORK
10 | LUXVOIP | F0/1-F0/4 | 10.0.0.0/24
11 | LUXSRV | F0/5-F0/8 | fdab:cdef:1::/64
12 | | |
99 | MNGT | F0/13-F0/16 | 10.0.1.0/24
NATIVE VLAN: 99

BRANCHSW VLAN ASSIGNMENT
VLAN ID | VLAN NAME | PORTS | NETWORK
20 | WINVOIP | F0/1-F0/4 | 172.16.0.0/24
21 | WINSRV | F0/5-F0/8 | fdab:cdef:3::/64
12 | | |
99 | MNGT | F0/13-F0/16 | 10.0.1.0/24
NATIVE VLAN: 99

F0/24
NOTE: LUXTOP can be connected to port F0/9 or to the LUXVOIP phone.
INTERFACE
REMOTE ASA 5505
INTERFACE E0
IP ADDRESS 1.1.1.18/29
ISP
G0/0
E1
E2
192.168.0.1/25
192.168.0.129/25
1.1.1.17/29
REMWINTOP PC2 NIC3
DHCP from Server: 192.168.0.1
192.168.0.130/25
NIC2
NIC3
NIC1
NIC2
NIC3
PC2
Eth0
Eth0
Eth0
WINLAPTOP
Bridge Bridge
LUXSRV
Eth0
WINSRV
Eth0
NETLUXTOP Eth0
LUXTOP
Eth0
WINTOP
Eth0
NETLUXSRV Eth0
DMZLUXSRV Eth0
REMWINTOP Eth0
WINLAPTOP Eth0
HOST | www | * | Private IPv4 | Public IPv4 | Private IPv6 | Public IPv6
NETLUXSRV | www.skills.com | skills.com | | 1.1.1.126/26 | | 2001:db8:0:1::1/64
DMZLUXSRV | www.brazil.com | brazil.com | 192.168.0.130/25 | 1.1.1.19/29 | | 2001:db8:0:1::2/64
WINSRV | www.saopaulo.com | saopaulo.com | 172.17.0.1/24 | | fdab:cdef:3::2/64 |
LUXSRV | www.rio.com | rio.com | | 1.1.1.13/29 | fdab:cdef:1::2/64 |
10. DNS SERVERS
SERVER | RECORD | RECORD | ADDRESS
ISP | www.skills.com | skills.com | 1.1.1.126/26
ISP | www.brazil.com | brazil.com | 1.1.1.19/29
ISP | www.rio.com | rio.com | 1.1.1.13/29
ISP | www.skills.com | skills.com | 2001:db8:0:1::1/64
ISP | www.brazil.com | brazil.com | 2001:db8:0:2::1/64
WINSRV | www.saopaulo.com | saopaulo.com | fdab:cdef:3::2/64
WINSRV | www.rio.com | rio.com | fdab:cdef:1::2/64
NOTE (WINSRV): Forward all other requests to the ISP DNS server.
DMZLUXSRV | www.saopaulo.com | saopaulo.com | 172.17.0.1/24
NOTE (DMZLUXSRV): Forward all other requests to the ISP DNS server.
VOIP EXTENSION MAP
HOST | User | VoIP DEVICE | EXTENSION | CME SERVER
LUXVOIP | Alice | Cisco7960 | 101, 104 | HQCME
REMWINTOP | Bob | CiscoIPC | 102, 104 | HQCME
WINLAPTOP_1 | Carol | CiscoIPC | 103 | HQCME
WINVOIP | John | Cisco7960 | 201 | BRANCHCME
HOST | IP ADDRESS/MASK | DEFAULT GATEWAY | DNS SERVER
NETLUXSRV | 1.1.1.126/26 assigned from DHCP Server at 1.1.1.65 | 1.1.1.65 assigned from DHCP Server at 1.1.1.65 | ISP
WINLAPTOP_1 | 1.1.1.X/26 assigned from DHCP Server at 1.1.1.65 | 1.1.1.65 assigned from DHCP Server at 1.1.1.65 | ISP
NETLUXTOP | 1.1.1.X/26 assigned from DHCP Server at 1.1.1.65 | 1.1.1.65 assigned from DHCP Server at 1.1.1.65 | ISP
LUXVOIP | 10.0.0.X from DHCP Server: 10.0.0.1 | 10.0.0.1 assigned from DHCP Server at 10.0.0.1 |
LUXSRV | fdab:cdef:1::2/64 | fdab:cdef:1::1/64 | WINSRV
LUXTOP | fdab:cdef:2::X/64 from DHCP Server: fdab:cdef:1::2/64 | Automatic link-local assigned by router | WINSRV
WINLAPTOP_2 | DHCP from Server: 10.0.1.3 | 10.0.1.X assigned from DHCP Server at 1.0.1.3 | WINSRV
WINVOIP | DHCP from Server: 172.16.0.1 | 172.16.0.1 assigned from DHCP Server at 172.16.0.1 |
WINSRV | fdab:cdef:3::2/64 | fdab:cdef:3::1/64 | WINSRV
WINTOP | fdab:cdef:2::X/64 from DHCP Server: fdab:cdef:1::2/64 | Automatic link-local assigned by router | WINSRV
DMZLUXSRV | 192.168.0.130/25 | 192.168.0.129/25 | DMZLUXSRV
REMWINTOP | 192.168.0.X from DHCP Server: 192.168.0.1 | 192.168.0.1 assigned from DHCP Server at 192.168.0.1 | DMZLUXSRV
NOTE: WINLAPTOP_1 and WINLAPTOP_2 is the same physical machine, the laptop.
SPANNING TREE INFORMATION FOR VLAN 99
PRIMARY ROOT BRIDGE: HQSW
SECONDARY ROOT BRIDGE: BRANCHSW
HQSW LINKS: F0/23, F0/24
BRANCHSW LINKS: F0/23, F0/24
VLANS ALLOWED ON LINKS: 99
NATIVE VLAN: 99

SPANNING TREE INFORMATION FOR VLAN 12
PRIMARY ROOT BRIDGE: BRANCHSW
SECONDARY ROOT BRIDGE: HQSW
HQSW LINKS: G0/1, G0/2
BRANCHSW LINKS: G0/1, G0/2
CISCO EQUIPMENT MANAGEMENT ACCOUNTS
ACCOUNT | PASSWORD | PRIVILEGE LEVEL
root | Skills39 | 15
cisco | Skills39a | 1
enable secret | Skills39 |

LINUX USER ACCOUNTS
ACCOUNT | PASSWORD
root | Skills39
luxadmin |

RADIUS USER ACCOUNTS
ACCOUNT | PASSWORD | PRIVILEGE LEVEL
super | Skills39 | 15
basic | Skills39a | 1
enable secret | Skills39 |

REMOTE ACCESS VPN USER ACCOUNTS
ACCOUNT | PASSWORD
vpn1 | Skills39
vpn2 |
vpn3 |
HTTP
HTTPS
NETLUXSRV
NTP STRATUM 1 SERVER
SSH
HOST
SERVICES
SSH
RADIUS
LUXSRV
DHCP
SYSLOG
HOST
SERVICES
HTTP
WINSRV HTTPS
DNS
HOST
SERVICES
SSH
DMZLUXSRV HTTP
HTTPS
NETLUXSRV
HOST
LUXSRV
HOST
SERVICES
HTTP
HTTPS
NTP STRATUM 1 SERVER
SSH
ICMP
SERVICES
SSH
RADIUS
DHCP
SYSLOG
ICMP
SERVICES
HTTPS
DNS
ICMP
HOST
DMZLUXSRV
WINTOP WINLAPTOP_2 REMWINTOP
SERVICES
SSH
HTTP
HTTPS
ICMP
HTTP
WINSRV
SECURED ACCESS ONLY
LEGEND:
Due to license limitations.
ACCESS ALLOWED
ACCESS DENIED
NOTE: Besides this Host Access Permissions Map, you must take into account the access to and from the infrastructure equipment.
[Topology diagram. Labels recoverable from the figure:]
PUBLIC INTERNET: ISP ROUTER CISCO 1941 (S0/0/0 1.1.1.1/29, S0/0/1 1.1.1.9/29, G0/0 1.1.1.17/29, G0/1 1.1.1.65/26); NETLUXSRV skills.com 1.1.1.126/26; NETLUXTOP and WINLAPTOP_1 (Cisco IPC: 103), 1.1.1.X from DHCP Server: 1.1.1.65.
REMOTE ACCESS VPN FOR INTERNET CLIENTS, ADDRESS POOL: 192.168.100.32-192.168.100.47.
Site-to-Site IKEv2 IPsec Tunnel between HQ and the ASA REMOTE site.
IPv6 over IPv4 Point-to-Point GRE over IPsec Tunnel: fdab:cdef:4::1/64, fdab:cdef:4::2/64.
HQ ROUTER CISCO 2901 and BRANCH ROUTER CISCO 2901, interface labels: S0/0/1 1.1.1.10/29; S0/0/0 1.1.1.2/29; G0/1.10 10.0.0.1/24; G0/1.20 172.16.0.1/24; G0/0.11 fdab:cdef:1::1/64; G0/0.21 fdab:cdef:3::1/64; G0/0.12 fdab:cdef:2::1/64; G0/0.12 fdab:cdef:2::2/64; G0/1.99 10.0.1.1/24; G0/1.99 10.0.1.2/24; G0/1.99 fdab:cdef:7::1/64; G0/1.99 STANDBY 10.0.1.254/24; G0/0.12 STANDBY auto-assigned link-local address; Lo0 fdab:cdef:5::1/64; Lo1 fdab:cdef:6::1/64.
REMOTE ASA 5505 (E0, E1, E2): VLAN1 inside 192.168.0.1/25; VLAN2 outside 1.1.1.18/29; VLAN3 dmz 192.168.0.129/25.
HQSW C2960 SWITCH and BRANCHSW C2960 SWITCH: VLAN 99 10.0.1.3/24 and 10.0.1.4/24; ports F0/1, F0/5, F0/9, F0/13, F0/21, F0/23, F0/24, G0/1, G0/2.
Inter-switch links: HA ROUTING STANDBY: auto-assigned link-local address, 2-PORT ETHERCHANNEL STP Trunk VLAN 12 Only; HA ROUTING STANDBY: 10.0.1.254, 2-PORT ETHERCHANNEL STP Trunk VLAN 99 Only.
Hosts: DMZLUXSRV brazil.com 192.168.0.130/25; REMWINTOP (Cisco IPC, Ext: 102, 104), DHCP from Server: 192.168.0.1; WINLAPTOP_2 10.0.1.X from DHCP Server: 10.0.1.3; LUXVOIP (Cisco IP Phone 7960, Ext: 101, 104) 10.0.0.X from DHCP Server: 10.0.0.1; LUXSRV rio.com fdab:cdef:1::2/64; LUXTOP fdab:cdef:2::X/64 from DHCP Server: fdab:cdef:1::2/64; WINVOIP (Cisco IP Phone 7960, Ext: 201) 172.16.0.X from DHCP Server: 172.16.0.1; WINSRV saopaulo.com fdab:cdef:3::2/64; WINTOP fdab:cdef:2::X/64 from DHCP Server: fdab:cdef:1::2/64. Also shown: fdab:cdef:7::X/64 from DHCP Server: fdab:cdef:7::1/64.
Networks: fdab:cdef:1::/64, fdab:cdef:3::/64, fdab:cdef:4::/64, fdab:cdef:7::/64.
Routing labels: HQ EIGRP 100 Routing with Authentication; BRANCH EIGRP 100 Routing with Authentication; BRANCH EIGRP 200 Routing; HQ OSPF Area 0 with Authentication; BRANCH OSPF Area with Authentication (area number not legible); BRANCH OSPF Area 1; EIGRP 200 Redistribution into OSPF Area 0 and EIGRP 100.
WSC2015_TP39_Module-C_EN
Version: 3.0
Date: 28.04.15