WorldSkills Junior 2019

This test project involves configuring a simulated corporate network over three days to integrate different technologies and systems. On the first day, the tasks include basic configuration of networking devices, setting up routing and switching in the main office network, implementing DHCP, DNS, and Active Directory services, and configuring a web server. The objective is to establish a workable system and lay the foundation for additional configuration in subsequent days to integrate remote access, VPN, and other technologies.


WorldSkills Juniors

TEST PROJECT
IT Network Systems Administration
CONTENTS
CONTENTS (page 2)
INTRODUCTION TO TEST PROJECT (page 3)
INTRODUCTION (page 4)
DESCRIPTION OF PROJECT AND TASKS (page 5)
TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 1 (page 5)
TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 2 (page 8)
TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 3 (page 11)
INSTRUCTIONS TO THE COMPETITOR (page 19)
EQUIPMENT, MACHINERY, INSTALLATIONS, AND MATERIALS REQUIRED (page 20)
MARKING SCHEME (page 23)

Version: 1.0
WSK2019_TPWSJ11_EN 2 of 23
Date: 30.06.19
INTRODUCTION TO TEST PROJECT
The following is a list of sections or information that must be included in all Test Project proposals that are
submitted to WorldSkills.
• Contents including list of all documents, drawings and photographs that make up the Test Project
• Introduction/overview
• Short description of project and tasks
• Instructions to the Competitor
• Equipment, machinery, installations and materials required to complete the Test Project
• Marking scheme (incl. assessment criteria)
• Other

INTRODUCTION
This Test Project includes a number of tasks based on real-life experience of maintaining IT systems involved in the
integration and outsourcing of corporate computer networks. If you are able to complete the tasks with high marks,
you will be able to successfully maintain the information infrastructure of a large company, or at least
pretend to do so.

DESCRIPTION OF PROJECT AND TASKS
You may notice that some technologies must work in conjunction or on top of other technologies. For example,
dynamic routing should be based on the tunnel configured between organizations. It is important to understand
that if you don't manage to set up a full technology stack, it does not mean that the work will not be assessed.
For example, for remote access you need to configure an IPsec tunnel and launch a GRE tunnel within it. If you
failed to configure IPsec but did configure GRE, you will still receive points for setting up remote access.
The main objective is to obtain a workable system to a greater or a lesser extent, and also to be able to routinely
adjust it and improve it.

TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 1
BASIC CONFIGURATION
1. Set names for all devices and virtual machines in accordance with the topology.
2. Design the IPv4 addressing of the local networks yourself, observing the following requirements:
• Use the minimal sufficient subnet size:
  • number of devices in the WINA network: up to 200;
  • number of devices in the WINB and LINA networks: up to 100;
  • number of devices in the LINB network: up to 50;
  • number of devices in the LINRTR network: up to 25;
  • number of devices in the R3 network: up to 10.
• Use private IP address ranges where necessary.
• Devices in the DMZ network should use a provider-independent (PI) range of IP addresses.
3. IP addresses for the connections to the providers are specified in the Presetting section.
• BGP has additionally been configured on the provider side; using it is not mandatory on this day.
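The subnet-sizing requirement above is a small VLSM exercise: pick the smallest prefix whose usable host count (2^n minus network and broadcast) covers each network, then carve the subnets out of one block, largest first, so that nothing overlaps. The following planner is an added example and is not part of the test project; the host counts come from the task, while the base block 10.0.0.0/16 and the network ordering are assumptions (any private range the competitor chooses would do).

```python
"""Added example (not part of the test project): a VLSM planner for the
Day 1 subnet-sizing requirement. It picks the smallest prefix that fits each
network's host count and allocates the subnets, largest first, from one
private block. The base block 10.0.0.0/16 is an assumption."""
import ipaddress

# Host counts taken from the task text; the base block is an assumption.
REQUIREMENTS = {"WINA": 200, "WINB": 100, "LINA": 100,
                "LINB": 50, "LINRTR": 25, "R3": 10}
BASE_BLOCK = ipaddress.ip_network("10.0.0.0/16")


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (2^n - 2) >= hosts."""
    if hosts < 1:
        raise ValueError("host count must be positive")
    host_bits = 1
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_subnets(requirements=REQUIREMENTS, base=BASE_BLOCK):
    """Allocate one subnet per network, largest first, so the smaller blocks
    never leave an alignment gap that a later, larger block cannot fill.
    Returns {network name: IPv4Network}."""
    plan = {}
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    # Shorter prefix = larger network, so sort by prefix length ascending.
    ordered = sorted(requirements.items(), key=lambda kv: prefix_for_hosts(kv[1]))
    for name, hosts in ordered:
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        # Align the cursor to the subnet size (already aligned in this order,
        # but the check keeps the function safe for any requirement order).
        if cursor % size:
            cursor += size - (cursor % size)
        if cursor + size > end:
            raise ValueError(f"base block too small for {name}")
        plan[name] = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}")
        cursor += size
    return plan


if __name__ == "__main__":
    for name, net in plan_subnets().items():
        print(f"{name:7s} {str(net):18s} usable hosts: {net.num_addresses - 2}")
```

Because the task asks for the minimal sufficient size, a network of 100 devices gets a /25 (126 usable addresses), not a /24; the planner also rejects a base block that is too small rather than silently wrapping.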

THE CONFIGURATION OF THE MAIN OFFICE NETWORK

1. Switching should be configured as per Topology L2.
(a) Trunks between switches S1 and S2 should be formed by DTP (S1 initiates the trunk negotiation, S2 waits for it).
(b) All other trunks should be configured in the on mode with DTP explicitly turned off.
(c) Devices should be placed in their respective VLANs.
(d) Each and every unused switch port has to be forcibly shut down.
(e) Use VLAN 99 as the native VLAN on all network devices.
(f) Etherchannel configuration is not required on this day.
2. Connectivity between all devices within the main office local network, as well as Internet access for all
users, should be ensured.
(a) Private addresses require NAT configuration.
(b) The addresses in use should be associated with domain names.
(c) IPv6 has not yet been implemented in the organization, but the providers already support it.

3. Routing between VLANs should be configured on R1 and ASA.
(a) Sub-interface numbers should match the VLAN numbers.
(b) Descriptions of ASA interfaces and R1 sub-interfaces should match the network names in the L3 Topology.
(c) For Internet access, either of the two provider connections may be used.
(d) Gigafon is the preferred connection.
(e) Automatic switchover to the backup connection is not required on this day.
4. Access to all network devices via SSHv2 should be ensured.
(a) Access should be granted with the username audit and the password test.
(b) A remote session with this account should immediately receive the maximum privileges (privilege
level 15).
5. All client devices (WINCLI3, WINCLI4, LINCLI1) should obtain their addresses via DHCP.
(a) DC1 should act as the DHCP server.
(b) Where necessary, the R1 router should act as a DHCP relay.
(c) DC1 should act as the DNS server.
6. Set up the skill39.wsr domain in the main office network.
(a) DC1 should be the primary domain controller.
(b) The Experts, Competitors, Managers, Visitors and IT subdivisions (organizational units) should be created in the domain.
(c) The following domain groups should be created in their respective subdivisions: Experts, Competitors,
Managers, Visitors, IT.
(d) Users should be created in the domain as per the userlist.csv file (on DC1's desktop):
• all information about the users in the file should be entered in Active Directory;
• users should be placed in the corresponding subdivisions and groups;
• all created accounts should be active and usable;
• the user logon name should be formed as follows: last name + initial letter of the
first name + @skill39.wsr. For example, [email protected].
7. DC2 should be a member of the skill39.wsr domain.
8. Configure the WDS role on DC2 to facilitate installation of the operating system on WINCLI3 and
WINCLI4:
(a) use the Microsoft Windows 10 Enterprise distribution image located on one of DC2's hard drives;
(b) computers should automatically become members of the domain, with the names indicated on the diagram.
9. The first-logon welcome animation should be disabled for domain users.
10. All domain members should respond to ICMP echo requests.
11. Hibernation should be disabled on all domain clients, and domain members should not be
able to enable it in any way.
12. The DNS server should be configured on DC1.
(a) The server should serve the skill39.wsr zone.
(b) Name mapping should be configured according to Table 1.
(c) Requests beyond the skill39.wsr zone should be forwarded to the MOOGLE DNS server. Use the
worldskills.ru address for verification.
13. The NGINX web server should be configured on the LINDMZ virtual machine.
(a) Use the standard HTTP port.
(b) Website files should be located in the /var/www/ directory.
(c) Create an index.html file as the home page with the following content:
<html><body>
<h1>Welcome to DigitalSkills!</h1>
<h3>Server LINDMZ</h3>
</body></html>
(d) The site should be available at the web.skill39.wsr domain name for clients of the main office local network.
(e) The site should be available only via the domain name; a 404 error page should be returned when it is
accessed by IP address.

CONFIGURATION OF THE BRANCH OFFICE 1 NETWORK

1. Connectivity between all devices within the branch office local network, as well as Internet access
for all branch office users, should be ensured.
2. A DNS server should be configured on the SRV2 virtual machine, taking into account the following
requirements:
(a) The server should serve the skill39.wsr zone.
(b) Name mapping should be configured according to Table 1.
(c) Requests beyond the skill39.wsr zone should be forwarded to the MOOGLE DNS server. Use the
worldskills.ru address for verification.
(d) The DNS server's files should be located in the /var/dns/ directory.
3. A DHCP server for the local network should be configured on the R2 router:
(a) Use the SRV2 address as the DNS server address for the network clients.
(b) Use the ext.skill39.wsr DNS suffix.
(c) The serial connection between branch office 1 and the main office must work.
(d) The connection must use the PPP protocol.
(e) Two-way CHAP authentication must also be used.
(f) All traffic from branch office 1 to the DC1 server (address dc1.ext.skill39.wsr)
should be transmitted through this connection.

CONFIGURATION OF THE BRANCH OFFICE 2 NETWORK

1. A DHCP server for the local network should be configured on the LINRTR
virtual machine:
(a) Use the LINRTR address as the DNS server address for the network clients.
(b) Use the skill39.wsr DNS suffix.
2. LINRTR should forward DNS queries from local clients to the MOOGLE server (act as a DNS proxy).
3. LINRTR should provide Internet access for the network clients.
4. WINCLI1 should be a member of the PURPLE workgroup.
5. There should be two active accounts on WINCLI1: Administrator/P@ssw0rd and User/P@ssw0rd1. The first
account should be a member of the local Administrators group on the computer; the second should be a
member of the local Users group.
6. Hibernation should be disabled on WINCLI1, and members of the local Users group should not
be able to enable it in any way.

CONFIGURATION OF THE BRANCH OFFICE 3 NETWORK

1. The R3 router should provide Internet access for all devices of the branch office.

CONFIGURATION OF MOBILE CLIENTS
1. Hibernation should be disabled on WINNET, and members of the local Users group should not
be able to enable it in any way.

AT THE END OF THE WORKING DAY


• At the end of the working day, it is necessary to make snapshots of all virtual machines in the topology
named AfterDay1, and make a backup copy for all network devices to the file after-day1.cfg.
• Upon completion of the task, the results will be automatically checked.
• All checks will be carried out only by domain names. Connection to network devices will be done via the SSH
protocol.
• If the device or virtual machine is not available for some reason (accounts in the task do not match, network
connectivity is unavailable), this device will not be checked any further.

TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 2
BASIC CONFIGURATION
1. Plan and configure IPv6 addresses on all devices and virtual machines.
(a) Use the IP address ranges delegated by the providers; they are specified in the Presetting section.
(b) All devices and machines in the main office should use a provider-independent (PI) range of IP addresses.
2. Access to all websites must be ensured via IPv6.
3. Time on all network devices should be synchronized with the MOOGLE server and displayed in the
Moscow time zone.
4. Time on all servers and clients in the main office should be synchronized with the MOOGLE server and
displayed in the Moscow time zone.

THE CONFIGURATION OF THE MAIN OFFICE NETWORK

1. To allocate addresses in the WINA and WINB networks, configure a DHCPv6 server on DC1 and ensure its
failover with the help of DC2. Failover should also be ensured for all DHCPv4 scopes.
2. DC2 should be a backup controller for the skill39.wsr domain. The RID pool manager role should be assigned
to this server. Only DC1 should hold the Global Catalog replica.
3. All DNS zones from DC1 should be transferred to DC2.
4. The ext.skill39.wsr DNS zone should be transferred to DC1 and DC2 from SRV2.
5. SLAAC should work in the LINA network.
6. All clients of the WINA, WINB and LINA networks should use DC1 and DC2 as DNS servers.
7. Monitoring should be enabled on all virtual machines and network devices in the main office network.
(a) All devices will be queried from the SRV1 machine.
(b) SNMPv2c is sufficient for that purpose.
(c) Use the notpublic community string in read-only mode.
8. Connectivity between the internal networks of the main office and branch offices 1, 2 and 3 over the Internet
should be ensured with GRE tunneling.
(a) Two tunnel interfaces, numbered 0 and 1, should be created on the R1 router in the main office.
(b) Tunnel 0 should be used in multipoint GRE mode for the connections to R2 and R3.
(c) R1 acts as the hub.
(d) Tunnel 1 should be used for the GRE connection to the LINRTR virtual machine.

(e) The GRE tunnel on LINRTR should come up at operating system boot.
(f) Tunnel protection is not mandatory on this day.
(g) The direct serial connection between the main office and the branch office should be dismantled at the end
of the day.
(h) IPv4 routing between the main office and the branch offices over the tunnels must be ensured with the OSPFv2
protocol.
(i) Additionally, configure OSPFv3 between R1, R2 and R3 for IPv6 route exchange.
(j) All traffic between the main office and the branch offices should be transmitted via the GRE tunnels.
9. Dynamic routing protocols on Linux computers should use the quagga package.
10. Internet access should be ensured continuously.
(a) In case of a failure on a provider's side, the backup connection should be switched to automatically.
(b) In case of a failure on a provider's side, Internet access for users should work at least via the IPv4
protocol.
(c) In case of a failure on a provider's side, the LINDMZ and WINDMZ servers should remain reachable from the
Internet at least via the IPv4 protocol.
11. Interfaces F0/4 and F0/5 connecting the switches should be combined into an Etherchannel.
(a) The channel should be negotiated with LACP: S2 should wait for the negotiation and S1 should initiate it.
(b) Traffic of the WINA, WINB and LINA networks should go through this channel. Traffic of the DMZ network
should go through the F0/3 interface, which is not included in the Etherchannel.
12. Failover protection of the local network should be ensured as follows:
(a) Switch S1 should be the STP root in all configured VLANs.
(b) In case of a failure or a change in the switching topology, STP should reconverge within 10 seconds.
(c) In case of a connection failure between the switches, the traffic of all networks shall go via the remaining
links.
(d) LINDMZ should receive a default route dynamically via the BGP protocol from R1 and ASA.
(e) R1 and ASA should advertise only the default route towards LINDMZ and filter out all other prefixes.
(f) Incoming traffic from the Internet to the LINDMZ server should pass through R1 and switch to ASA
only in case of a provider failure.
13. The SRV1 virtual machine should provide a remote access service based on OpenVPN, taking into
account the following requirements:
(a) A TUN device.
(b) The UDP protocol.
(c) Server port: 8081.
(d) Additional TLS authentication is used.
14. IPv6 support for the NGINX server should be added on the LINDMZ virtual machine.
(a) The website web.skill39.wsr should also be available under the domain name web.skill39.ru via the IPv4
protocol for Internet clients.
(b) The website web.skill39.wsr should be available by domain name only via the IPv6 protocol for all clients
in the main office network, and under the domain name web6.skill39.ru via the IPv6 protocol for Internet
clients.
(c) To make the domain names web.skill39.ru and web6.skill39.ru work, register
them on the nic.moogle.ru website, specifying the server's actual IP addresses.
(d) The web6 site's files should be located in the /var/www/ip6 directory.
(e) Create an index.html file as the home page for the web6 site with the following content:
<html><body>
<h1><font color=green>Your network is READY for IPv6!</font></h1>
<h3>Server LINDMZ</h3>
</body></html>
15. Use only the IPv6 protocol on the WINDMZ virtual machine.
16. Configure the web server role on the WINDMZ virtual machine and host a site on it with the following
configuration:
(a) Create an index.html file as the home page with the following content:
<html>
<body>
<b>It's a first project!</b>
</body>
</html>
(b) The site should be available under the domain name project.skill39.wsr for all clients in the main office
network.
(c) The site should be available under the domain name project.skill39.ru for Internet clients.
(d) To make the project.skill39.ru domain name work, register it on the nic.moogle.ru website,
specifying the server's actual IPv6 address.
17. In the skill39.wsr domain:
(a) create a RAID0 array on the DC2 server using two free hard drives and assign it the drive letter G:;
(b) create a shared folder g:\shares\users;
(c) all domain users except members of the Visitors group should have write access to this folder;
(d) members of the Visitors group should have no access rights to this folder;
(e) disable execution of any program code from the specified folder (note that users should still be able to
save executable files there);
(f) limit the space of the specified folder to 100 MB.

CONFIGURATION OF THE BRANCH OFFICE 1 NETWORK

1. IPv6 support for the DNS service should be enabled on the SRV2 virtual machine based
on the following requirements:
(a) The server should serve the skill39.wsr zone.
(b) Name mapping should be configured according to Table 1.
(c) Requests beyond the skill39.wsr zone should be forwarded to the MOOGLE DNS server. Use the
ip6.worldskills.ru address for verification.
(d) Configure a secondary DNS server for the skill39.wsr zone.
(e) Implement reverse zone resolution according to Table 1.
2. Configure the Apache2 web server on the SRV2 virtual machine.
(a) Use the standard HTTP port.
(b) The website files should be located in the /var/www/ directory.
(c) Create an index.html file as the home page with the following content:
<html><body>
<h1>Welcome to DigitalSkills!</h1>
<h3>Server SRV2</h3>
</body></html>
(d) The site ext.skill39.wsr should be available by domain name via the IPv4 protocol for all clients in the
main office network.

CONFIGURATION OF THE BRANCH OFFICE 2 NETWORK


1. The LINRTR virtual machine should deliver IPv6 settings to the local network clients automatically.
(a) Network clients should have access to sites working over both IPv4 and IPv6. For verification, you
can use the moogle.ru and ip6.moogle.ru addresses.
2. Website files from LINDMZ should be synchronized one way to the SRV2 server.
(a) Synchronization interval: 1 minute.
(b) Synchronization directory on LINDMZ: /var/www
(c) Synchronization directory on SRV2: /var/www
(d) If files are missing on LINDMZ, they should be updated on SRV2 but not deleted.
(e) index.html files should not be synchronized. The initial content of these files on SRV2 should be
preserved.
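The three rules above (copy new and changed files, never delete on the destination, leave index.html alone) are exactly the places where a careless mirror job breaks a site: a sync with deletion enabled would wipe SRV2's own index page and anything LINDMZ no longer has. The following is an added example, not part of the test project, that implements those semantics with the standard library so each rule is visible in the code; it runs against constructed temporary directories standing in for LINDMZ's and SRV2's /var/www. On the real hosts the same job would run every minute from cron on SRV2 pulling from LINDMZ over SSH (rsync without --delete plus an exclude for index.html is the usual tool); the paths and the exclusion list are parameters.

```python
"""Added example (not part of the test project): the one-way synchronisation
rules from the branch office 2 task, written with the standard library so the
semantics are explicit. New or changed files on the source are copied, nothing
on the destination is ever deleted, and index.html is never touched. The demo
directories are constructed stand-ins for /var/www on LINDMZ and SRV2."""
import filecmp
import os
import shutil
import tempfile

EXCLUDED = {"index.html"}   # requirement (e)


def sync_one_way(src, dst, excluded=EXCLUDED):
    """Mirror src into dst without deletions; returns the relative paths copied."""
    copied = []
    for root, _dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        target_root = dst if rel_root == "." else os.path.join(dst, rel_root)
        os.makedirs(target_root, exist_ok=True)
        for name in files:
            if name in excluded:
                continue                  # leave the destination's index.html alone
            s = os.path.join(root, name)
            d = os.path.join(target_root, name)
            # Copy only when the file is missing or its content differs.
            if not os.path.exists(d) or not filecmp.cmp(s, d, shallow=False):
                shutil.copy2(s, d)
                copied.append(os.path.normpath(os.path.join(rel_root, name)))
    # No pass over dst on purpose: files removed on src survive there (requirement d).
    return copied


def demo():
    """Build a constructed LINDMZ/SRV2 pair in temporary directories, run the
    sync twice and report what happened, so the rules can be checked offline."""
    src = tempfile.mkdtemp(prefix="lindmz-www-")
    dst = tempfile.mkdtemp(prefix="srv2-www-")
    with open(os.path.join(src, "index.html"), "w") as f:
        f.write("<h3>Server LINDMZ</h3>")
    with open(os.path.join(dst, "index.html"), "w") as f:
        f.write("<h3>Server SRV2</h3>")          # must survive the sync
    os.makedirs(os.path.join(src, "img"))
    with open(os.path.join(src, "img", "logo.png"), "wb") as f:
        f.write(b"constructed-png-bytes")
    with open(os.path.join(dst, "old.html"), "w") as f:
        f.write("only on SRV2")                  # absent on LINDMZ, must not be deleted
    first = sync_one_way(src, dst)
    second = sync_one_way(src, dst)              # nothing changed: no copies expected
    with open(os.path.join(dst, "index.html")) as f:
        dst_index = f.read()
    result = {
        "first_run": first,
        "second_run": second,
        "srv2_index_untouched": dst_index == "<h3>Server SRV2</h3>",
        "old_file_kept": os.path.exists(os.path.join(dst, "old.html")),
        "logo_copied": os.path.exists(os.path.join(dst, "img", "logo.png")),
    }
    shutil.rmtree(src)
    shutil.rmtree(dst)
    return result


if __name__ == "__main__":
    print(demo())
```

Comparing file contents (shallow=False) rather than timestamps avoids re-copying everything after a clock change on either host, and returning the list of copied paths gives the cron job something meaningful to log.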

CONFIGURATION OF MOBILE CLIENTS


1. On the WINNET virtual machine:
(a) Install an OpenVPN remote access client.
(b) Create a configuration file named client.ovpn in the C:\vpn\ directory to automate the VPN
connection.
(c) No additional parameters should be requested when connecting to the VPN server.
(d) Once the VPN connection is established, WINNET should be able to access local network resources by
domain names in the skill39.wsr zone.

AT THE END OF THE WORKING DAY


• At the end of the working day, it is necessary to make snapshots of all virtual machines in the topology
named AfterDay2, and make a backup copy for all network devices to the file after-day2.cfg.
• Upon completion of the task, the results will be automatically checked.
• All checks will be carried out only by domain names. Connection to network devices will be done via the SSH
protocol.
• If the device or virtual machine is not available for some reason (accounts in the task do not match, network
connectivity is unavailable), this device will not be checked any further.

TASKS AND TECHNOLOGIES WITH EXPECTED OPERABILITY ON DAY 3
COMPANY NETWORK SECURITY
1. Additional security settings must be made to protect the already configured services, and new security
elements must be added according to the requirements below.
2. The operation of the already configured services may not be disrupted.

THE CONFIGURATION OF THE MAIN OFFICE NETWORK

1. All GRE tunnels between the main office and the branch offices should be secured with IPsec.
(a) Use IKEv1.
(b) Use two-way pre-shared key authentication.
(c) Use AES-256 encryption and SHA-256 hashes for traffic protection.

2. Ensure secure administrative access on all network devices.
(a) User passwords and the enable password should be stored as hashes.
(b) The RADIUS protocol via the NPS server on DC1 should be used as the main authentication method on all
main office devices.
(i) The users audit and radius must be granted access with the password test.
(ii) These users should belong to the Network Admins group, which is a member of the IT group in the IT
subdivision.
(iii) Network devices should be accessed with these accounts directly at privilege level 15.
(iv) The radius user should not be present on the network devices.
(v) The audit user should be present locally on the devices for the case the RADIUS server is unavailable.
(c) In the event of a password-guessing attempt on R1 (at least 3 attempts within 15 seconds), R1 should
temporarily block SSH access from the Internet side for 2 minutes. Access from the local network should be
maintained.
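Requirement 2(c) describes a sliding-window lockout with an exemption for the local network: a burst of failed logins triggers a quiet period during which only local addresses are still admitted, so an attacker on the Internet cannot lock the administrators out of their own router. On Cisco IOS this is the `login block-for` feature combined with a `login quiet-mode access-class`. The model below is an added example, not part of the test project and not IOS code: it evaluates those semantics over constructed login events so the window, the quiet period and the exemption can be checked. The local prefix 192.168.0.0/16 and the sample addresses are assumptions.

```python
"""Added example (not part of the test project): a model of the R1 requirement
"at least 3 failed logins within 15 s => block SSH from the Internet for 2
minutes, local network still allowed", evaluated over constructed events. It
follows the semantics of the Cisco IOS `login block-for` feature: one global
failure counter, then a quiet period in which only addresses in an exempt
access-class are admitted. The local prefix and the events are assumptions."""
import ipaddress
from collections import deque

# Assumption: the main office uses this private space for its local networks.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


class LoginGuard:
    """Decides whether a login attempt may reach the password prompt."""

    def __init__(self, attempts=3, within=15, block_for=120, exempt=LOCAL_NETS):
        self.attempts = attempts      # this many failures ...
        self.within = within          # ... within this many seconds ...
        self.block_for = block_for    # ... trigger a quiet period this long
        self.exempt = exempt
        self.failures = deque()       # timestamps of recent failed attempts
        self.quiet_until = None       # end of the current quiet period, if any

    def _is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def observe(self, ts, ip, success):
        """ts in seconds. Returns True if the attempt is admitted, False if dropped."""
        if self.quiet_until is not None:
            if ts < self.quiet_until:
                if not self._is_exempt(ip):
                    return False          # Internet side stays locked out
            else:
                self.quiet_until = None   # quiet period has expired
        if success:
            return True
        # Record the failure and forget failures that fell out of the window.
        self.failures.append(ts)
        while self.failures and ts - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = ts + self.block_for
            self.failures.clear()
        return True


# Constructed events: (time in s, source address, did the password succeed?)
EVENTS = [
    (0, "198.51.100.7", False),
    (5, "198.51.100.7", False),
    (9, "198.51.100.7", False),    # third failure within 15 s: quiet mode until t=129
    (20, "198.51.100.7", True),    # correct password, but dropped during quiet mode
    (30, "192.168.10.5", True),    # local administrator still gets in
    (130, "198.51.100.7", True),   # quiet period over
]


def run(events=EVENTS, guard=None):
    """Feed the events through one guard and return the admit/drop decisions."""
    if guard is None:
        guard = LoginGuard()
    return [guard.observe(ts, ip, ok) for ts, ip, ok in events]


if __name__ == "__main__":
    for (ts, ip, ok), admitted in zip(EVENTS, run()):
        print(f"t={ts:4d} {ip:15s} ok={ok!s:5s} -> {'admitted' if admitted else 'dropped'}")
```

Note the window is sliding, not fixed: three failures spread over 20 seconds never trigger the quiet period, which is the behaviour a checker probing the rule will look for.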
3. Use authentication to secure network protocols.
(a) OSPFv2
(i) Use message-digest authentication.
(b) SNMP
(i) Use version 3 on all network devices.
(ii) Use DES encryption and SHA hashing.
(iii) Use the user snmpuser with the password snmppass.
4. The OSPFv2 and OSPFv3 protocols should not send hello packets on interfaces where no neighbor is expected.
5. A centralized logging service should be configured on the SRV1 virtual machine.
(a) The logs should be stored in the /opt/logs/ directory.
(b) Logging should be performed in accordance with Table 2.
(c) Messages in the log files in the /opt/logs directory should not be duplicated.
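Table 2 sorts messages by source host, facility and severity, and requirement 5(c) forbids the same message landing in two files. Both come down to decoding the syslog PRI value (facility * 8 + severity) and applying the rules in a fixed order, stopping at the first match. The router below is an added example, not part of the test project and not an rsyslog configuration; it shows the decision logic on constructed sample lines, including a Cisco IOS line that carries a sequence number instead of a hostname and is therefore keyed by sender address. The management addresses of the network devices are assumed to be those from the Presetting section.

```python
"""Added example (not part of the test project): a small syslog router that
applies the Table 2 rules. It decodes the RFC 3164 <PRI> value into facility
and severity and returns the file each message belongs in. The first matching
rule wins (the equivalent of an rsyslog `stop` after each action), which is
how the "no duplicate messages" requirement is met. The sample lines and the
management addresses of the network devices are constructed."""
import re

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
AUTH_FACILITIES = {4, 10}              # auth, authpriv
AUTH_HOSTS = {"LINDMZ", "SRV1"}
LINSRV_HOSTS = {"SRV1", "SRV2", "LINDMZ"}
# Assumption: the devices keep their Presetting management addresses.
NET_DEVICE_IPS = {"192.168.0.1": "R1", "192.168.0.2": "ASA",
                  "192.168.0.3": "S1", "192.168.0.4": "S2"}

# <PRI>, then an optional BSD header "Mon dd hh:mm:ss host ", then the message.
# Cisco IOS lines start with a sequence number instead, so host comes back None.
LINE_RE = re.compile(
    r"^<(\d{1,3})>(?:\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s)?(.*)$")


def parse(line):
    """Split one syslog line into facility, severity, host (or None) and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"invalid PRI {pri}")
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group(2), "msg": m.group(3)}


def route(line, sender_ip):
    """Return the Table 2 destination file for one message, or None to drop it."""
    ev = parse(line)
    host = (ev["host"] or "").upper()
    # Rule 1: auth/authpriv from LINDMZ and SRV1 (checked first, so an auth
    # error from SRV1 goes here and not also into the linsrv file).
    if host in AUTH_HOSTS and ev["facility"] in AUTH_FACILITIES:
        return f"/opt/logs/auth/{ev['host']}"
    # Rule 2: notice and more important from the network devices, keyed by IP.
    if sender_ip in NET_DEVICE_IPS and ev["severity"] <= SEVERITY["notice"]:
        return f"/opt/logs/net/{sender_ip}"
    # Rule 3: err and more important from the Linux servers.
    if host in LINSRV_HOSTS and ev["severity"] <= SEVERITY["err"]:
        return f"/opt/logs/linsrv/{ev['host']}"
    return None


# Constructed sample traffic: (line as received, UDP source address).
SAMPLE = [
    ("<38>Jun 30 10:00:01 lindmz sshd[412]: Accepted publickey for root from 192.168.10.5", "10.0.3.10"),
    ("<83>Jun 30 10:00:02 srv1 sudo: pam_unix(sudo:auth): authentication failure", "10.0.1.11"),
    ("<27>Jun 30 10:00:03 srv2 nginx[77]: [error] upstream timed out", "10.0.2.5"),
    ("<30>Jun 30 10:00:04 srv2 cron[9]: (root) CMD (rsync ...)", "10.0.2.5"),
    ("<189>42: *Jun 30 10:00:05: %SYS-5-CONFIG_I: Configured from console by audit on vty0", "192.168.0.1"),
    ("<190>43: *Jun 30 10:00:06: %LINEPROTO-6-UPDOWN: Line protocol on Interface Fa0/7, changed state to up", "192.168.0.3"),
]


def route_all(samples=SAMPLE):
    return [route(line, ip) for line, ip in samples]


if __name__ == "__main__":
    for (line, ip), dest in zip(SAMPLE, route_all()):
        print(f"{ip:12s} -> {dest or 'dropped':32s} {line[:48]}")
```

The second sample line is the interesting one: authpriv.err from SRV1 matches both the auth rule and the "error and more important" rule, and the fixed rule order is what keeps it out of two files.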
6. Configure a root certification authority (any key length, any encryption algorithms) on WINDMZ:
(a) certification authority name: WINROOTCA;
(b) CRL location: http://dc2.skill39.wsr/certenroll/<caname><crlnamesuffix><deltacrlallowed>.crl
(c) AIA location: http://dc2.skill39.wsr/certenroll/<serverdnsname>_<caname><certificatename>.crt
7. Configure a subordinate certification authority (name: WINSUBCA) on DC2. From then on, this server
should issue all certificates needed for the secure operation of all services:
(a) certificate validity: 3 years.
8. The LINDMZ virtual machine should perform load balancing for the web services.
(a) Balancing between the LINDMZ and SRV2 servers should be done via the IPv4 protocol under the domain names
web.skill39.wsr for internal network clients and web.skill39.ru for Internet clients.
(b) Balancing between the LINDMZ and WINDMZ servers should be done via the DNS service and via the IPv6
protocol under the domain name web6.skill39.wsr for Internet clients.
(c) Use the round-robin balancing algorithm.
(d) Use equal priority for the servers.
(e) Use only the previously created sites. No new sites should be created.
9. The DNS servers of the skill39.wsr domain should perform load balancing for the web service.
(a) Balancing between the LINDMZ and WINDMZ servers should be done via the IPv6 protocol under the domain name
web6.skill39.wsr for intranet clients.

10. All websites should use the HTTPS protocol.
(a) Certificates should be signed by WINSUBCA.
(b) Client operating systems should trust the site certificates and not show any warnings.
(c) Configure automatic redirection from HTTP to HTTPS.
11. Configure DC1 as a corporate DirectAccess server.
(a) The DirectAccess connection should be allowed only for WINCLI4.
(b) Use 203.0.113.10 as the external address for the connection (configure R1 accordingly).
(c) Self-signed certificates are not allowed in the DirectAccess configuration. The certificate should be issued by
WINSUBCA.
(d) WINCLI4 should use the DirectAccess connection from the WINB network.
12. Only the users ssh_p and ssh_c should be granted remote access to the SRV1 virtual machine via the SSH protocol.
(a) The RADIUS protocol via the NPS server on DC1 should be used as the main authentication method.
(b) Use the password ssh_pass.
(c) The SSH server should listen on port 1022.
13. The LINCLI1 virtual machine should act as a remote access client via the SSH protocol.
(a) SRV1 should be reached automatically on the correct port, without specifying the port number explicitly in
the connection command.
(b) For other servers, port 22 should be used by default.
(c) Access to SRV1 with the ssh_p account should use public key authentication.
14. Transfer of the local DNS zones should be allowed only towards the organization's other DNS servers. Transfer
of DNS zones to other nodes in the network should be prohibited.

CONFIGURATION OF THE BRANCH OFFICE 2 NETWORK


1. A network firewall should be configured on the LINRTR virtual machine.
(a) The access to LINRTR should be allowed only from the local network.
(b) The firewall should not interfere with the work of tunnels and transfer of traffic from the local network to
external networks.

CONFIGURATION OF MOBILE CLIENTS


1. Provide the LINNET mobile client with a connection to the main office network via AnyConnect VPN.
(a) The remote connection should be established using the openconnect package.
(b) The remote connection should be started with the start_vpn.sh script.
(c) The VPN tunnel should be disconnected with the stop_vpn.sh script.
(d) The scripts should be located in the /opt/vpn/ directory.
(e) The scripts should be callable from any directory without specifying their path.

AT THE END OF THE WORKING DAY


• At the end of the working day, it is necessary to make snapshots of all virtual machines in the topology
named AfterDay3, and make a backup copy for all network devices to the file after-day3.cfg.
• Upon completion of the task, the results will be automatically checked.
• All checks will be carried out only by domain names. Connection to network devices will be done via the SSH
protocol.
• If the device or virtual machine is not available for some reason (accounts in the task do not match, network
connectivity is unavailable), this device will not be checked any further.

TABLE 1. CONFIGURATION OF DNS SERVICES

Device              Domain name           Record type
DC1                 dc1.ext.skill39.wsr   A
DC1                 dc1.skill39.wsr       A, AAAA, PTR
DC2                 dc2.skill39.wsr       A, AAAA, PTR
WINCLI3             wincli3.skill39.wsr   A, AAAA, PTR
WINCLI4             wincli4.skill39.wsr   A, AAAA, PTR
WINDMZ              project.skill39.wsr   AAAA, PTR
WINDMZ              project.skill39.ru    AAAA
LINDMZ              web.skill39.wsr       A
LINDMZ              web6.skill39.wsr      AAAA
LINDMZ              web.skill39.ru        A
LINDMZ              web6.skill39.ru       AAAA
SRV1                srv1.skill39.wsr      A
SRV2                ext.skill39.wsr       A, AAAA, PTR
LINRTR (local IP)   linrtr.skill39.wsr    A
LINRTR (global IP)  br2.skill39.wsr       A
R1                  r1.skill39.wsr        A
ASA                 asa.skill39.wsr       A
S1                  s1.skill39.wsr        A
S2                  s2.skill39.wsr        A
R2                  r2.ext.skill39.wsr    A

TABLE 2. LOGGING RULES

Device               Message type                      File
LINDMZ, SRV1         auth, authpriv                    /opt/logs/auth/<hostname>
R1, S1, S2, ASA      notification and more important   /opt/logs/net/<ip>
SRV1, SRV2, LINDMZ   error and more important          /opt/logs/linsrv/<hostname>

L1 TOPOLOGY
(diagram not reproduced in this text extract)

L2 TOPOLOGY
(diagram not reproduced in this text extract)

L3 TOPOLOGY
(diagram not reproduced in this text extract; it shows the main office and branch offices 1, 2 and 3)

VPN TOPOLOGY
(diagram not reproduced in this text extract)

INSTRUCTIONS TO THE COMPETITOR
First of all, read the task description in full. You do not have to complete the tasks in the given order. Some
items of the task may require completion of subsequent items from the task list; therefore, Competitors choose
the order of execution and the distribution of their time at their own discretion. When designing a task execution
plan, it is advisable to take into account the daily scoring procedure and the list of technologies to be checked.
The Test Project has a continuous structure, and you are expected to continue its completion on the second and
subsequent days from the point at which you left it on the previous day. You will have access to the entire task
on all days of the Competition.
We recommend carefully checking your work results. In particular, make sure that DNS services for client
devices are fully operational.
Also note that at the end of each day Competitors will, in the presence of an Expert, have to turn off all virtual
machines, take snapshots of them and then turn the virtual machines back on in the required order. The network
equipment will be cold restarted. The workstation may be turned off overnight.
You may choose the IP addressing scheme at your discretion, except for addresses supplied by providers. For
example, for the DC1 server in the WINA network you can use the address 172.16.10.156 or 192.168.0.12.
However, you have to make sure that the designed addressing scheme complies with the task requirements.
Virtual machines may have pre-installed software that will be used for checking and scoring; it is not
recommended to delete it.
Access to all virtual Linux machines is configured with the root:toor account.
When accessing Windows machines for the first time, follow the Expert's instructions. In any case, you should
ensure that all machines are operable with the account Administrator/P@ssw0rd, which has both local and
domain administrator rights.
If you need to set a password that is not specified in the task, the instructions or the appendix files, use:
P@ssw0rd.
Network equipment is accessible over the network from the local networks of the respective office via the Telnet
protocol.
R1 - 192.168.0.1/24, ASA - 192.168.0.2/24, S1 - 192.168.0.3/24, S2 - 192.168.0.4/24; VLAN 13 is used. Access
may be obtained from the LINCLI1 machine.
R2 - 192.168.0.1/24. Access may be obtained from the LINCLI2 machine.
R3 - 192.168.0.1/24; VLAN 40 is used. Access may be obtained from the LINCLI3 machine.
Password for the connection and for enable: wsr

EQUIPMENT, MACHINERY, INSTALLATIONS, AND
MATERIALS REQUIRED
The Test Project can be entirely completed with the use of the equipment and materials specified in the
Infrastructure List.

WORKSTATION PRESETTING
• open-vm-tools package.
1. All pre-installed Windows machines have VMware guest tools installed, and the sysprep command has been executed.
2. A range of additional packages and applications, as well as documentation, is available on the Moogle.ru server,
which simulates real Internet operation.
3. All network devices are configured for remote administration from the respective local networks via the Telnet
protocol. The ASDM distribution kit and the AnyConnect client image have been copied to the network firewall.
1. Parameters of the Internet providers rendering services to the organization or to individuals.
(a) GOSTELECOM
i. IPv4 address/Mask: 77.34.141.141/22
ii. Gateway: 77.34.140.1
iii. IPv6 address/Mask: 2a01:620::2018/64
iv. Gateway: 2a01:620::1
v. Delegated prefix: 2a01:620:1337::/48
vi. AS: 12332
(b) GIGAFON
i. IPv4 address/Mask: 178.207.179.6/29
ii. Gateway: 178.207.179.1
iii. IPv6 address/Mask: 2a03:d000:2000::2000/64
iv. Gateway: 2a03:d000:2000::1
v. Delegated prefix: 2a03:d000:2001::/48
vi. AS: 31133
(c) TTL
i. IPv4 address/Mask: 62.33.111.111/25
ii. Gateway: 62.33.111.1
iii. IPv6 address/Mask: 2a02:f800:f9:f4::f12/64
iv. Gateway: 2a02:f800:f9:f4::f1
v. Delegated prefix: 2a02:f800:f5::/48
vi. AS: 20485

(d) PURPLE
i. IPv4 address/Mask: 2.2.1.101/24
ii. Gateway: 2.2.1.1
iii. IPv6 address/Mask: 2a01:cb00:d:e::101/64
iv. Gateway: 2a01:cb00:d:e::1
v. Delegated prefix: 2a01:cb00:e:1000::/56
vi. AS: 3215
(e) WATERFONE
i. IPv4 address/Mask: 84.64.44.24/28
ii. Gateway: 84.64.44.17
iii. IPv6 address/Mask: 2001:5000:0005:1002::1111/64
iv. Gateway: 2001:5000:0005:1002::1
v. Delegated prefix: 2001:5000:0005:1003::/64
vi. AS: 1273
(f) MOOGLE
i. IPv4 prefixes: 172.110.32.0/21, 172.217.0.0/16, 8.8.8.0/24
ii. IPv6 prefixes: 2001:4860::/32, 2600:1900::/28
iii. AS: 15169
iv. IPv4 address of the global DNS server: 8.8.8.8
v. IPv6 address of the global DNS server: 2001:4860:4860::8888
(g) ROAMING
i. IPv4 address/Mask: DHCP (12.12.12.0/24)
ii. Gateway: DHCP (12.12.12.1)
iii. IPv6 address/Mask: DHCP
iv. Gateway: DHCP
v. AS: 7018
(h) Provider-independent (PI) addresses and ASN in the main office
i. IPv4 address/Mask: 203.0.113.0/24
ii. IPv6 address/Mask: 3001:2:3::/48
iii. AS: 64500

2. BGP settings are configured for the Gostelecom and Gigafon providers.
a. The BGP neighbor relationship is configured over IPv4 between the provider's gateway address and the
address assigned by the provider, on the physical interface, using the autonomous system numbers listed above.
b. All providers advertise their delegated prefixes to the "Internet".
c. The provider-independent prefix is not advertised.
3. VLAN settings on the hypervisor's virtual switches have already been configured according to the L2 and L3
topologies. Virtual machines are connected to the correct subnetworks.

MARKING SCHEME
Assessed criteria have different weights depending on their complexity. The Scoring Scheme is built in such a
way that each item is assessed only once. For example, the task requires setting correct names for all devices;
this criterion will be assessed once, on the first day, and will not be assessed again. The same items can be tested
and scored more than once if they are configured differently or run on a device of a different class.
Note that the results of this task are scored automatically.
Task results will be scored at the end of each competition day; the scoring will cover only the technologies that
are expected to be operating at the end of the current competition day. Competitors can complete their tasks
"in advance", but they need to make sure not to compromise the operability of the current competition day's
technologies. For example, the first competition day's task requires setting up a web server operating via the HTTP
protocol, while the third day's task requires activation of the HTTPS forwarding. If Competitors activate the HTTPS
forwarding on the first day, they will most likely not get points for the running HTTP protocol at the end of the
first day.
Verification will be made using domain names. There will be no IP-based verification.
