Monday, 25 November 2013

Cisco EoX policies - Timeline and commitments for hardware and OS software



EoX definitions








Milestone | Acronym | Cisco global definition
End of Life External Announcement | Available | The date that the end of sale and end of life of a product is announced to the general public.
End of Sale | EoSale | The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.
End of Software Maintenance Release | EoSWM | The last date that Cisco Engineering may release any software maintenance releases or bug fixes to the software product. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.
End of Routine Failure Analysis | EoRFA | The last possible date Cisco may perform a routine failure analysis to determine the root cause of an engineering- or manufacturing-related issue.
End of Service Contract Renewal | EoSCR | The last date to extend or renew a service contract for the product. The extension or renewal period may not extend beyond the last date of support.
Last Date of Support | LDoS | The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete.


Examples of the Cisco equipment life cycle



Product ID | EOX PB #1 | End of Life External Announce Date | EoSale Date | EoSWM Date | EoRFA Date | EoSCR Date | LDoS Date
WS-C3560-8PC-S | EOL9055 | 28-JAN-13 | 29-JUL-13 | 29-JUL-14 | 29-JUL-14 | 24-OCT-17 | 31-JUL-18
WS-C3750G-12S-S | EOL8044 | 31-JAN-12 | 30-JAN-13 | 30-JAN-14 | 30-JAN-14 | 30-APR-17 | 31-JAN-18
WS-C3750E-24TD-E | EOL8044 | 31-JAN-12 | 30-JAN-13 | 30-JAN-14 | 30-JAN-14 | 30-APR-17 | 31-JAN-18
WS-C3750G-24PS-S | EOL8044 | 31-JAN-12 | 30-JAN-13 | 30-JAN-14 | 30-JAN-14 | 30-APR-17 | 31-JAN-18
WS-C3750E-24TD-S | EOL8044 | 31-JAN-12 | 30-JAN-13 | 30-JAN-14 | 30-JAN-14 | 30-APR-17 | 31-JAN-18
WS-C2960-8TC-L | EOL9055 | 28-JAN-13 | 29-JUL-13 | 29-JUL-14 | 29-JUL-14 | 24-OCT-17 | 31-JUL-18
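The milestones above are what an inventory review actually turns on: after EoSWM no bug or security fixes ship for the platform, and after LDoS there is no support at all. The following script is an added example (not part of the original post): it loads the rows of the EoX table above, classifies each product into the last milestone it has passed on a given date, and flags the ones that no longer receive software fixes. The date format DD-MON-YY is the one the bulletins use; the report date "25-NOV-13" is the date of the post.

```python
"""Lifecycle phase of Cisco products from their EoX dates.

Added example, not part of the original post: the rows below are copied from
the EoX example table and the code reports which milestone each product has
passed on a given date. For an inventory review, anything past EoSWM receives
no further software fixes and anything past LDoS has no support at all.
"""
from datetime import date, datetime

# Milestone keys in the order Cisco publishes them (acronyms from the table above).
MILESTONES = ("announce", "eosale", "eoswm", "eorfa", "eoscr", "ldos")
LABELS = {
    "supported": "no EoX milestone reached",
    "announce": "End of Life announced",
    "eosale": "End of Sale (EoSale)",
    "eoswm": "End of Software Maintenance (EoSWM)",
    "eorfa": "End of Routine Failure Analysis (EoRFA)",
    "eoscr": "End of Service Contract Renewal (EoSCR)",
    "ldos": "Last Date of Support (LDoS)",
}

# Product ID -> (EoX bulletin, dates in milestone order), from the table above.
EOX_TABLE = {
    "WS-C3560-8PC-S":   ("EOL9055", "28-JAN-13", "29-JUL-13", "29-JUL-14", "29-JUL-14", "24-OCT-17", "31-JUL-18"),
    "WS-C3750G-12S-S":  ("EOL8044", "31-JAN-12", "30-JAN-13", "30-JAN-14", "30-JAN-14", "30-APR-17", "31-JAN-18"),
    "WS-C3750E-24TD-E": ("EOL8044", "31-JAN-12", "30-JAN-13", "30-JAN-14", "30-JAN-14", "30-APR-17", "31-JAN-18"),
    "WS-C3750G-24PS-S": ("EOL8044", "31-JAN-12", "30-JAN-13", "30-JAN-14", "30-JAN-14", "30-APR-17", "31-JAN-18"),
    "WS-C3750E-24TD-S": ("EOL8044", "31-JAN-12", "30-JAN-13", "30-JAN-14", "30-JAN-14", "30-APR-17", "31-JAN-18"),
    "WS-C2960-8TC-L":   ("EOL9055", "28-JAN-13", "29-JUL-13", "29-JUL-14", "29-JUL-14", "24-OCT-17", "31-JUL-18"),
}


def parse_cisco_date(text):
    """Parse the DD-MON-YY form used in EoX bulletins, e.g. '29-JUL-14'."""
    return datetime.strptime(text, "%d-%b-%y").date()


def _as_date(value):
    """Accept either a date or a DD-MON-YY string."""
    return value if isinstance(value, date) else parse_cisco_date(value)


def milestone_dates(product_id):
    """Milestone key -> date for one product."""
    _bulletin, *dates = EOX_TABLE[product_id]
    return dict(zip(MILESTONES, map(parse_cisco_date, dates)))


def lifecycle_phase(product_id, on):
    """Latest milestone reached on `on`, or 'supported' if none has passed.
    Milestones are ordered, so the last one passed describes the current phase."""
    on = _as_date(on)
    passed = [m for m, d in milestone_dates(product_id).items() if on >= d]
    return passed[-1] if passed else "supported"


def receives_software_fixes(product_id, on):
    """True while Cisco Engineering may still ship maintenance releases."""
    return _as_date(on) < milestone_dates(product_id)["eoswm"]


def days_until(product_id, milestone, on):
    """Days from `on` to the milestone (negative once it has passed)."""
    return (milestone_dates(product_id)[milestone] - _as_date(on)).days


def inventory_report(product_ids, on):
    """Phase per product, plus the products to flag because no software
    fixes (bug or security) can be expected for them any more."""
    phases = {pid: lifecycle_phase(pid, on) for pid in product_ids}
    flagged = [pid for pid in product_ids if not receives_software_fixes(pid, on)]
    return phases, flagged


if __name__ == "__main__":
    today = "25-NOV-13"   # the date of the post
    phases, flagged = inventory_report(sorted(EOX_TABLE), today)
    for pid, phase in phases.items():
        print(f"{pid:18} {LABELS[phase]:42} EoSWM in {days_until(pid, 'eoswm', today):4d} days")
    print("flag for replacement planning:", flagged)
```

Because EoSWM and EoRFA fall on the same day for every row in the table, a product passes both milestones at once and reports "eorfa" from that day on; the flag list is driven by EoSWM alone, since that is the date after which a vulnerability in the image will never be fixed.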







Thursday, 7 November 2013

Cisco configuration best practices - NTP Update Calendar Disabled

NTP Update Calendar Disabled




Exception: NTP Update Calendar Disabled
Category: IP Applications
OS type: IOS
Risk: Low
Description: Some platforms have a battery-powered hardware clock, referred to in the command-line interface (CLI) as the "calendar," in addition to the software-based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted. If the software clock is synchronized to an outside time source via NTP, it is good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will gradually lose or gain time (drift), and the software clock and hardware clock may fall out of synchronization with each other. The ntp update-calendar command enables the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock is updated only if NTP has synchronized to an authoritative time server.
Reference URL: ntp update-calendar
Corrective action: ntp update-calendar
Warning: Many lower-end routers (for example, the Cisco 2500 series or the Cisco 2600 series) do not have hardware clocks, so this command is not available on those platforms.


More "Cisco configuration best practices" here.








Cisco configuration best practices - Standby delay minimum reload not configured

Standby delay minimum reload not configured





Exception: Standby delay minimum reload not configured
Category: IP Applications
OS type: IOS
Risk: Medium
Description: When configuring HSRP, Cisco recommends using the 'standby delay minimum|reload' command to prevent blackholing of traffic. This allows time for all ports in the VLAN to come up after a reload or module reset. In a subsecond timer scenario, hellos could be lost while the CPU is busy after a reload.
Recommendation: If the active router fails or is removed from the network, the standby router automatically becomes the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command.

However, in some cases, even if the standby preempt command is not configured, the former active router will resume the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay period for HSRP group initialization. This command allows time for the packets to get through before the router resumes the active role.

We recommend that all HSRP routers have standby delay minimum reload configured with a minimum delay time of 30 seconds and a minimum reload time of 60 seconds.

The delay is cancelled if an HSRP packet is received on an interface.

The standby delay minimum reload interface configuration command delays HSRP groups from initializing for the specified time after the interface comes up.
Reference URL: Standby Delay Minimum Reload
Corrective action: Under the interface mode, configure
Router(config)# interface ethernet x/y
Router(config-if)# standby delay minimum 30 reload 60










Cisco configuration best practices - NTP not protected by ACL

NTP not protected by ACL




Exception: NTP not protected by ACL
Category: IP Applications; Security
OS type: IOS
Risk: Medium
Description: In addition to an NTP authentication scheme, NTP can be protected with an access list to further limit access privileges. If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted.
Corrective action:
access-list 40 permit 1.1.1.5
access-list 40 permit 1.1.1.6
ntp access-group peer 40










Tuesday, 5 November 2013

Cisco configuration best practices - HSRP Preempt delay not configured

HSRP Preempt delay not configured




Exception: HSRP Preempt delay not configured
Category: IP Applications
OS type: IOS
Risk: Medium
Description: Traffic may be dropped after the primary Hot Standby Router Protocol (HSRP) router becomes active. When the switch crashes or reloads, the HSRP interface may become active before the uplink interface comes up or before Interior Gateway Protocol (IGP) convergence. The client sends traffic to the primary HSRP router, but the primary HSRP router is not yet ready to forward the packet in the L3 domain, so the packet is dropped. With an HSRP preempt delay configured, the primary HSRP router does not become active before the delay timer expires, so its uplink and L3 domain are ready by the time it becomes active.
Recommendation: Avoid packet drops after the primary HSRP interface becomes active.
Reference URL: Configuring HSRP
Reference URL: Command Reference
Corrective action: Under the relevant interface block, type the following command:

standby group# preempt delay minimum min-seconds

(for example, 'standby 1 preempt delay minimum 180')











Wednesday, 30 October 2013

Cisco configuration best practices - No Redistribution Metrics Defined for EIGRP

No Redistribution Metrics Defined for EIGRP






Exception: No Redistribution Metrics Defined for EIGRP
Category: EIGRP
OS type: IOS
Risk: Medium
Description: When configuring redistribution into EIGRP, always define the metrics that EIGRP should use with the metric or default-metric keywords. Each protocol uses different metrics, so it is important to define the parameters EIGRP should use. EIGRP needs five metrics defined when redistributing other protocols: bandwidth, delay, reliability, load, and MTU. The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command in those cases.
Recommendation: For example, when configuring RIP redistribution into EIGRP, add metrics in one of the following two ways:

router eigrp 1
 redistribute rip metric 10000 100 255 1 1500

or

router eigrp 1
 default-metric 10000 100 255 1 1500
 redistribute rip

Note: the values '10000 100 255 1 1500' are used as an example; other values may be used in your environment. The general formats under EIGRP are:

redistribute <protocol> metric <bandwidth> <delay> <reliability> <load> <mtu>

or

default-metric <bandwidth> <delay> <reliability> <load> <mtu>

Reference URL: Redistributing Routing Protocols
Corrective action: Define metrics when redistributing into EIGRP with the metric or default-metric keywords.
Warning: The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command in those cases.










Cisco configuration best practices - No EIGRP router-id configured

No EIGRP router-id configured





Exception: No EIGRP router-id configured
Category: EIGRP
OS type: IOS
Risk: Medium
Description: The router ID is set to the IP address of a loopback interface if one is configured. If no loopback interfaces are configured, the router ID is set to the highest IP address configured on a physical interface. To ensure deterministic behavior, the EIGRP router-id should be configured to a chosen address. If a router ID is not set for EIGRP, duplicate router IDs may prevent external EIGRP routes from being installed in the topology table. For deterministic behavior, an EIGRP router ID should be configured on all EIGRP-speaking devices.
Reference URL: Preventing Duplicate Router IDs
Corrective action: Configure the router ID with the "eigrp router-id" command.


Cisco configuration best practices - EIGRP MD5 Disabled on Interface

EIGRP MD5 Disabled on Interface






Exception: EIGRP MD5 Disabled on Interface
Category: EIGRP; Security
OS type: IOS
Risk: Medium
Description: This rule detects whether EIGRP authentication is configured on an EIGRP-enabled interface.
Recommendation: Apply MD5 authentication on each EIGRP interface so that EIGRP packets are accepted only from authorized hosts.
Reference URL: Configuring EIGRP Route Authentication
Corrective action: Enable EIGRP authentication.
Warning: In some scenarios there may be many EIGRP-enabled interfaces that have no EIGRP neighbors. MD5 authentication is not required in that situation, but those interfaces should be passive.


Cisco configuration best practices - Default EIGRP Passive Interface not configured

Default EIGRP Passive Interface not configured




Exception: Default EIGRP Passive Interface not configured
Category: EIGRP
OS type: IOS
Risk: Medium
Description: In large service provider and enterprise networks, some distribution-layer routers have a large number of interfaces, for example at the WAN edge. A common practice to simplify the configuration of a routing protocol on such routers is to enable the routing process on a network range that matches several of the interfaces. While this technique simplifies the configuration, enabling routing indiscriminately on several or all interfaces increases the chance of unauthorized routing peers being inserted. Unnecessary routing protocol exchanges also increase CPU overhead on the router. To prevent these problems, all interfaces can be set as passive by default with the 'passive-interface default' command. This command changes the configuration logic to passive by default; therefore, interfaces where router adjacencies are expected need to be configured with the 'no passive-interface' command. Setting an interface as passive disables the sending of routing updates on that interface, so adjacencies will not be formed in Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). The interface's subnet, however, continues to be advertised out the other interfaces.
Corrective actions: Under the 'router eigrp' block of the configuration, configure the following. The parameters after the 'no passive-interface' command are the interfaces that need to participate in EIGRP and form router adjacencies.

   passive-interface default
   no passive-interface <interface-1>
   no passive-interface <interface-2>
   no passive-interface <interface-3>

Warning: On routers with a small number of interfaces, you can instead set the 'passive-interface' command manually on the interfaces where no adjacency is desired, rather than using the 'passive-interface default' command. The rule also does not apply if all layer 3 interfaces are designed to participate in the EIGRP domain.


Cisco configuration best practices - EIGRP auto summarization enabled (default enabled)

EIGRP auto summarization enabled (default enabled)




Exception: EIGRP auto summarization enabled (default enabled)
Category: EIGRP
OS type: IOS
Risk: High
Description: EIGRP automatically summarizes on classful routing boundaries. Auto-summarization can cause a routing partition under certain circumstances, particularly with classful IP routing and where IP addresses are split.
The default behavior of EIGRP auto-summarization changed in Cisco IOS Releases 15.0(1)M, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI4 and later releases to be disabled by default.
Corrective action:
router eigrp <autonomous-system>
 no auto-summary

Reference URL: EIGRP auto summarization enabled


Cisco configuration best practices - BGP Consistency Check not enabled

BGP Consistency Check not enabled




Exception: BGP Consistency Check not enabled
Category: BGP; IP routing
OS type: IOS
Risk: Medium
Description: A BGP route inconsistency with a peer occurs when an update or withdraw is not sent to the peer, resulting in black-hole routing. The BGP consistency checker looks for inconsistencies at a configurable interval.

Once the process identifies such an inconsistency, it reports it with a syslog message and optionally takes action if the auto-repair keyword is specified.

Three options are available:

  • Next-Hop Label Consistency Check
  • RIB-Out Consistency Check
  • Aggregation Consistency Check

Next-Hop Label Consistency Check:

When two paths have the same next hop because they are advertised by the same provider edge router (PE), they should also have the same next-hop label. If the labels differ, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

RIB-Out Consistency Check:

If a network passes an outbound policy and is not sent, or if a network does not pass an outbound policy and is sent, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

Aggregation Consistency Check:

If specific routes and the aggregated route become out of sync, an inconsistency can occur. Either the error-message keyword or the auto-repair keyword triggers aggregation re-evaluation.

Corrective action:
!
bgp consistency-checker {error-message | auto-repair} [interval minutes]
!
error-message: the system generates an error message when an inconsistency is observed.
auto-repair: the system generates a syslog message and also takes action based on the inconsistency found.
interval: range is 5 to 1440 minutes; defaults to 1440 (one day).

Warning: This is applicable for IOS

  • 15.1(2)S
  • Cisco IOS XE 3.3S
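The rules in the posts above (NTP update-calendar, NTP access-group, standby delay minimum reload, HSRP preempt delay, EIGRP redistribution metrics, EIGRP router-id, MD5 on adjacency-forming interfaces, passive-interface default, auto-summary and the BGP consistency checker) are all checks on the text of a running-config, so they can be automated. The script below is an added example, not part of the original posts and not code from any Cisco tool: it parses an IOS config into top-level lines and indented blocks and returns one finding per rule with the risk the posts assign. The two configs at the bottom are constructed for the example; the ACL number 40 and the timer values 30/60 and 180 come from the corrective actions above, while the addresses, interface names and AS numbers are assumed.

```python
"""Audit an IOS running-config against the best-practice rules described above.
Added example, not from the original post or from any Cisco tool: parse_config()
splits a config into top-level lines and indented blocks, and audit() returns
(rule, risk, where) tuples for the NTP, HSRP, EIGRP and BGP rules. Both configs
at the bottom are constructed for this example."""
import re

def parse_config(text):
    """(top_level_lines, blocks): blocks maps 'interface X' / 'router eigrp N'
    headers to their indented child lines."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):            # '!' ends an IOS section
            current = None
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            top.append(line)
            current = line
            blocks.setdefault(current, [])
    return top, blocks

def has(lines, pattern):
    """True if some line starts with the regex pattern."""
    return any(re.match(pattern, l) for l in lines)

def audit(config_text):
    top, blocks = parse_config(config_text)
    f = []
    if has(top, r"ntp server "):                 # NTP rules apply once a source exists
        if not has(top, r"ntp update-calendar"):
            f.append(("NTP Update Calendar Disabled", "Low", "global"))
        if not has(top, r"ntp access-group "):
            f.append(("NTP not protected by ACL", "Medium", "global"))
    for hdr, lines in blocks.items():
        if hdr.startswith("interface "):
            groups = [m.group(1) for l in lines for m in [re.match(r"standby (\d+) ip ", l)] if m]
            if groups and not has(lines, r"standby delay minimum \d+ reload \d+"):
                f.append(("Standby delay minimum reload not configured", "Medium", hdr))
            for g in groups:
                if not has(lines, rf"standby {g} preempt delay minimum \d+"):
                    f.append(("HSRP Preempt delay not configured", "Medium", f"{hdr} group {g}"))
        elif hdr.startswith("router eigrp "):
            if not has(lines, r"eigrp router-id "):
                f.append(("No EIGRP router-id configured", "Medium", hdr))
            # Assumes a release where auto-summary is on by default, as the rule does;
            # later releases never show 'no auto-summary' in the running-config.
            if not has(lines, r"no auto-summary"):
                f.append(("EIGRP auto summarization enabled (default enabled)", "High", hdr))
            if not has(lines, r"passive-interface default"):
                f.append(("Default EIGRP Passive Interface not configured", "Medium", hdr))
            for l in lines:
                # EIGRP-into-EIGRP redistribution needs no metric, per the rule text.
                if (re.match(r"redistribute (?!eigrp)", l) and " metric " not in l
                        and not has(lines, r"default-metric ")):
                    f.append(("No Redistribution Metrics Defined for EIGRP", "Medium", f"{hdr}: {l}"))
                # Interfaces taken out of passive form adjacencies, so they need MD5.
                m = re.match(r"no passive-interface (\S+)", l)
                if m and not has(blocks.get(f"interface {m.group(1)}", []),
                                 r"ip authentication mode eigrp \d+ md5"):
                    f.append(("EIGRP MD5 Disabled on Interface", "Medium", f"interface {m.group(1)}"))
        elif hdr.startswith("router bgp ") and not has(lines, r"bgp consistency-checker "):
            f.append(("BGP Consistency Check not enabled", "Medium", hdr))
    return f

# Constructed config that violates most of the rules (one HSRP group, two EIGRP links).
WEAK_CONFIG = """\
ntp server 192.0.2.10
!
interface Vlan10
 standby 1 ip 192.0.2.254
 standby 1 preempt
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
interface GigabitEthernet0/2
 ip address 198.51.100.5 255.255.255.252
!
router eigrp 100
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/2
 redistribute rip
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
"""
# The corrective action of each rule, spliced into the weak config.
FIXES = [
    ("ntp server 192.0.2.10", "ntp server 192.0.2.10\nntp update-calendar\n"
     "access-list 40 permit 192.0.2.10\nntp access-group peer 40"),
    (" standby 1 preempt", " standby delay minimum 30 reload 60\n standby 1 preempt delay minimum 180"),
    (" ip address 198.51.100.5 255.255.255.252", " ip address 198.51.100.5 255.255.255.252\n"
     " ip authentication mode eigrp 100 md5"),
    (" redistribute rip", " eigrp router-id 10.0.0.1\n no auto-summary\n"
     " redistribute rip metric 10000 100 255 1 1500"),
    (" neighbor 203.0.113.2 remote-as 65001", " neighbor 203.0.113.2 remote-as 65001\n"
     " bgp consistency-checker error-message interval 60"),
]
HARDENED_CONFIG = WEAK_CONFIG
for old, new in FIXES:
    HARDENED_CONFIG = HARDENED_CONFIG.replace(old, new)
```

Running audit(WEAK_CONFIG) yields nine findings and audit(HARDENED_CONFIG) none. The MD5 check deliberately follows the passive-interface post's logic: only interfaces named in 'no passive-interface' are expected to form adjacencies, so only they are required to carry 'ip authentication mode eigrp <AS> md5' (the key-chain line is not checked here). The auto-summary check is the one to revisit on the releases listed in that rule, where the default is already off and the running-config never shows 'no auto-summary'.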


Analysis of Cisco configuration best practices

Introduction:

This section covers the recommendations Cisco makes on configuration best practices for Cisco equipment.



Category | Risk | Exception | OS
BGP | Medium | BGP Consistency Check not enabled | IOS
EIGRP | High | EIGRP auto summarization enabled (default enabled) | IOS
EIGRP | Medium | Default EIGRP Passive Interface not configured. | IOS
EIGRP | Medium | EIGRP MD5 Disabled on Interface | IOS
EIGRP | Medium | No EIGRP router-id configured | IOS
EIGRP | Medium | No Redistribution Metrics Defined for EIGRP | IOS
IP Applications | Medium | HSRP Preempt delay not configured | IOS
IP Applications | Medium | NTP not protected by ACL | IOS
IP Applications | Medium | Standby delay minimum reload not configured | IOS
IP Applications | Low | NTP Update Calendar Disabled | IOS
IP Applications | Low | NTP authentication not enabled | IOS
IP Applications | Low | NTP enabled without time zone | IOS
IP Applications | Low | NTP source interface not defined | IOS
IP Applications | Low | NTP summertime not enabled | IOS
IP Applications | Low | No redundant NTP server | IOS
IP Routing | Medium | IOS Static Route Missing Parameters | IOS
IP Routing | Medium | Recursive static routes are present | IOS
IP Routing | Low | IP Classless disabled | IOS
IP Routing | Low | Name Parameter Missing from Static Routes | IOS
IP Routing | Low | NetBIOS UDP broadcasts enabled | IOS
Infrastructure | High | Cisco IOS Image Verification | IOS
Infrastructure | Low | Exec enabled on line aux | IOS
LAN | High | Spanning-tree disabled on one or more VLANs | IOS
LAN | Medium | BPDU Guard Not Enabled | IOS
LAN | Medium | Loopguard not configured | IOS
LAN | Medium | MAC address move notification not enabled | IOS
LAN | Medium | Portfast not enabled on access or edge port | IOS
LAN | Medium | UDLD Globally Disabled | IOS
LAN | Medium | VLANs not cleared from trunk | IOS
LAN | Medium | VTP domain name not set | IOS
LAN | Low | Complete Power-on Diagnostics Disabled | IOS
LAN | Low | Dynamic trunking is enabled on a static access port | IOS
LAN | Low | StackWise SNMP Traps Not Enabled | IOS
Management | Medium | CDP disabled on an interface | IOS
Management | Medium | Logging to the console is enabled | IOS
Management | Medium | Loopback interface not used | IOS
Management | Medium | SNMP server memory traps not enabled | IOS
Management | Medium | Syslog level not set to informational | IOS
Management | Medium | WarmStart SNMP Tra​ps Not Enabled | IOS
Management | Low | CPU Thresholding Notification is not enabled. | IOS
Management | Low | ColdStart SNMP Traps Not Enabled | IOS
Management | Low | Configuration Management SNMP Traps Not Enabled | IOS
Management | Low | Interface level syslog events not disabled | IOS
Management | Low | Interface traps not disabled on at least one interface | IOS
Management | Low | Linkup and Linkdown SNMP Traps Not Enabled | IOS
Management | Low | Memory Threshold Notifications (I-O) Not Enabled | IOS
Management | Low | Memory Threshold Notifications (Processor) Not Enabled | IOS
Management | Low | Nagle service disabled | IOS
Management | Low | No interface description | IOS
Management | Low | No redundant SNMP trap receiver | IOS
Management | Low | No redundant syslog server | IOS
Management | Low | SNMP Interface Index Persistence not enabled | IOS
Management | Low | SNMP contact not defined | IOS
Management | Low | SNMP location not defined | IOS
Management | Low | SNMP trap source not defined | IOS
Management | Low | SNMP traps not enabled | IOS
Management | Low | Syslog source interface not defined | IOS
Management | Low | The Call Home feature is not configured | IOS
Management | Low | The Enhanced Crashinfo File Collection feature is not configured. | IOS
Management | Low | Timestamping for debugging not set for datetime | IOS
Management | Low | Timestamping for logging not set for datetime | IOS
Management | Low | Unnecessary Syslog SNMP trap configured | IOS
Security | High | Enable password not adequately protected | IOS
Security | High | SNMP access for IPv4 is not protected with an access-list. | IOS
Security | High | The aaa authentication login command(s) is/are not configured optimally. | IOS
Security | High | Vlan 1 interface used | IOS
Security | Medium | AAA connection accounting disabled | IOS
Security | Medium | AAA system accounting disabled | IOS
Security | Medium | DHCP server enabled | IOS
Security | Medium | HSRP Updates not authenticated | IOS
Security | Medium | HSRP Virtual MAC Address not modified | IOS
Security | Medium | HTTP secure-server is enabled. | IOS
Security | Medium | HTTP server enabled | IOS
Security | Medium | ICMP redirects not disabled on an Interface | IOS
Security | Medium | IOS Software Resilient Configuration secure boot-config disabled | IOS
Security | Medium | Local user account is not protected against potential brute-force attacks | IOS
Security | Medium | PAD service enabled | IOS
Security | Medium | SNMPv3 not used | IOS
Security | Medium | SSH Not Used or Not Used Exclusively for Remote Access. | IOS
Security | Medium | SSH V2 not used for device Access | IOS
Security | Medium | Security Password Minimum Length Less Than 8 | IOS
Security | Medium | Unicast reverse path disabled | IOS
Security | Medium | VTY line timeout disabled | IOS
Security | Medium | VTY line timeout is longer than 30 mins | IOS
Security | Medium | VTY lines not protected with an access list | IOS
Security | Low | A user account is not protected with MD5 | IOS
Security | Low | Authentication SNMP Traps Not Enabled | IOS
Security | Low | BOOTP server enabled | IOS
Security | Low | CDP is enabled globally and active on all interfaces. | IOS
Security | Low | DHCP lease time low or infinite | IOS
Security | Low | ICMP unreachables enabled on all interfaces of this device. | IOS
Security | Low | IP Source Routing enabled | IOS
Security | Low | IP options allowed | IOS
Security | Low | Incorrectly entered commands will generate a DNS lookup. | IOS
Security | Low | Password recovery is Enabled | IOS
Security | Low | Proxy ARP is enabled | IOS
Security | Low | Redundant AAA server unavailable | IOS
Security | Low | Security authentication failure rate disabled | IOS
Security | Low | Service sequence-numbers not enabled | IOS
Security | Low | TACACS+ packets not being sourced from a specifically defined interface | IOS
Security | Low | TCP keepalives not enabled in both directions | IOS

Wednesday, 23 October 2013

Cisco PPP and CHAP configuration



Scenario


PCs and Cisco devices will be configured in a point-to-point topology, using PPP encapsulation and CHAP authentication.



Diagram: Cisco PPP and CHAP configuration



  • PC1 --> 192.168.1.100 / 255.255.255.0, gateway 192.168.1.1
  • Router1 --> G0/0 192.168.1.1 / 255.255.255.0, S0/0/0 200.200.200.1 / 255.255.255.252 



  • PC2 --> 192.168.2.100 / 255.255.255.0, gateway 192.168.2.1
  • Router2 --> G0/0 192.168.2.1 / 255.255.255.0, S0/0/0 200.200.200.2 / 255.255.255.252



  • Router1 and Router2: PPP encapsulation
  • CHAP authentication password: "cisco"



Procedure

1. Cisco Packet Tracer is used to run the tests.
2. Configure PC1 and PC2 with their respective IP addresses and gateway.
3. Configure Router1 as follows:
hostname Router1
!
username Router2 password 0 cisco

!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.200.200.1 255.255.255.252
 mtu 150
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.2.0 255.255.255.0 Serial0/0/0 
!

line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router1#


4. Configure Router2 as follows:

hostname Router2
!
username Router1 password 0 cisco
!
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.200.200.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0/0/0 
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Router2#
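What the two configurations above set up is a mutual CHAP exchange: each router keeps a 'username <peer> password 0 cisco' entry, and 'ppp authentication chap' on both serial interfaces makes each side challenge the other. The following script is an added example (not part of the original post): it models the RFC 1994 exchange with the names and the shared secret "cisco" from the configs, and records what crosses the link so that the point of CHAP is visible in the output: only a random challenge and an MD5 digest are transmitted, never the secret. The 16-byte challenge and the message layout are constructed for the example. Two consequences of the design are worth keeping in mind when reviewing such configs: the 'password 0' form stores the secret in cleartext in the running-config of both routers, and CHAP cannot avoid that, because the authenticator must hold the plaintext secret to recompute the digest; and the hostname each router sends must match the 'username' entry on the peer, so a rename on one side breaks authentication on the other.

```python
"""PPP CHAP between Router1 and Router2, as configured above.

Added example, not part of the original post: CHAP (RFC 1994) never sends
the secret over the serial link. The authenticator sends a random challenge;
the peer replies with MD5(identifier || secret || challenge) and its own
name; the authenticator recomputes the hash with the secret it stores for
that name ('username Router2 password 0 cisco' on Router1) and compares.
The names and the secret 'cisco' come from the post; the fixed challenge
used in the test and the message layout are constructed for this example.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """One PPP endpoint: its hostname and the secret it holds for each peer name."""

    def __init__(self, name, peer_secrets):
        self.name = name
        self.peer_secrets = peer_secrets   # mirrors 'username <peer> password 0 <secret>'

    def respond(self, identifier, challenge, authenticator_name):
        """Peer side: answer with the secret configured for the router that challenged us."""
        return chap_response(identifier, self.peer_secrets[authenticator_name], challenge)

    def verify(self, identifier, challenge, response, peer_name):
        """Authenticator side: look up the peer's secret by the name it sent."""
        secret = self.peer_secrets.get(peer_name)
        if secret is None:
            return False                  # unknown username: nothing to compare against
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_chap(authenticator, peer, identifier=1, challenge=None):
    """One challenge/response in one direction; returns (success, wire).

    `wire` lists what actually crosses the link, so it can be inspected to
    confirm the secret itself is never transmitted.
    """
    challenge = challenge or os.urandom(16)
    wire = [("Challenge", identifier, challenge, authenticator.name)]
    response = peer.respond(identifier, challenge, authenticator.name)
    wire.append(("Response", identifier, response, peer.name))
    ok = authenticator.verify(identifier, challenge, response, peer.name)
    wire.append(("Success" if ok else "Failure", identifier))
    return ok, wire


def secret_on_wire(wire, secret):
    """True if the secret shows up in any transmitted field (with CHAP it must not)."""
    for msg in wire:
        for field in msg:
            if isinstance(field, bytes) and secret.encode() in field:
                return True
            if isinstance(field, str) and secret in field:
                return True
    return False


def demo():
    """Both directions, as 'ppp authentication chap' on both serial interfaces implies."""
    router1 = Router("Router1", {"Router2": "cisco"})
    router2 = Router("Router2", {"Router1": "cisco"})
    r1_accepts_r2, wire = run_chap(router1, router2, identifier=1)
    r2_accepts_r1, _ = run_chap(router2, router1, identifier=1)
    for msg in wire:
        print(msg[0], *(f.hex() if isinstance(f, bytes) else f for f in msg[1:]))
    return r1_accepts_r2 and r2_accepts_r1


if __name__ == "__main__":
    print("link authenticated both ways:", demo())
```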


Communication tests

1. Neighbor checks between the routers:

Router1#show cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
Switch       Gig 0/0          133            S       2960        Gig 1/1
Router2      Ser 0/0/0        141            R       C2900       Ser 0/0/0


Router2#show cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
Switch       Gig 0/0          136            S       2960        Gig 1/1
Router1      Ser 0/0/0        149            R       C2900       Ser 0/0/0


2. Routing table

Router1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, GigabitEthernet0/0
L       192.168.1.1/32 is directly connected, GigabitEthernet0/0
S    192.168.2.0/24 is directly connected, Serial0/0/0
     200.200.200.0/24 is variably subnetted, 3 subnets, 2 masks
C       200.200.200.0/30 is directly connected, Serial0/0/0
L       200.200.200.1/32 is directly connected, Serial0/0/0
C       200.200.200.2/32 is directly connected, Serial0/0/0



Router2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.1.0/24 is directly connected, Serial0/0/0
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.0/24 is directly connected, GigabitEthernet0/0
L       192.168.2.1/32 is directly connected, GigabitEthernet0/0
     200.200.200.0/24 is variably subnetted, 3 subnets, 2 masks
C       200.200.200.0/30 is directly connected, Serial0/0/0
C       200.200.200.1/32 is directly connected, Serial0/0/0
L       200.200.200.2/32 is directly connected, Serial0/0/0


3. Connectivity tests from the PCs

Ping from PC 192.168.1.100 to 192.168.2.100


PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=6ms TTL=126

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 6ms, Average = 2ms



Ping from PC 192.168.2.100 to 192.168.1.100

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=2ms TTL=126
Reply from 192.168.1.100: bytes=32 time=1ms TTL=126
Reply from 192.168.1.100: bytes=32 time=1ms TTL=126
Reply from 192.168.1.100: bytes=32 time=7ms TTL=126

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 7ms, Average = 2ms


You can watch it on video here


PPP and CHAP configuration with Cisco Packet Tracer


Tuesday, 22 October 2013

VLAN configuration on a Cisco switch

Creating VLANs on a Cisco Catalyst switch


To learn how to create VLANs on a Cisco switch (for example a 2950 or 2960), we will use the following diagram:

Diagram: creating VLANs with Cisco Packet Tracer


For the simulation we will use Cisco Packet Tracer and carry out the following tasks:

1. This network topology handles two network segments, each assigned its own VLAN:

VLAN 10 --> Network segment 192.168.1.0 / 255.255.255.0 --> VLAN name: red-10
VLAN 20 --> Network segment 192.168.2.0 / 255.255.255.0 --> VLAN name: red-20

2. PC-red-10 is assigned IP 192.168.1.1 / 255.255.255.0 and placed in VLAN 10
    PC-red-20 is assigned IP 192.168.2.1 / 255.255.255.0 and placed in VLAN 20

    Server 1 is assigned IP 192.168.1.100 / 255.255.255.0 and placed in VLAN 10
    Server 0 is assigned IP 192.168.2.200 / 255.255.255.0 and placed in VLAN 20

3. Switch 0: create VLANs 10 and 20 and a trunk interface
    Switch 1: create VLANs 10 and 20 and a trunk interface.

   Switch 0, f0/1, assigned to VLAN 10
   Switch 0, f0/2, assigned to VLAN 20
   Switch 0, G1/1, trunk interface

   Switch 1, f0/1, assigned to VLAN 10
   Switch 1, f0/2, assigned to VLAN 20
   Switch 1, G1/1, trunk interface



Verifying the VLAN creation


1. show vlan:

Switch0#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/2
10   red-10                           active    Fa0/1
20   red-20                           active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch0#


2. show int f0/1 switchport

Switch0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (red-10)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
Switch0#


3. show int f0/2 switchport

Switch0#show int f0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 20 (red-20)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none


4. show int g1/1 switchport:

Switch0#show int g1/1 switchport
Name: Gig1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
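The check a reviewer would run over the four outputs above, as an added example that is not part of the original post and not Cisco tooling. It assumes the port plan listed earlier (Fa0/1 in VLAN 10, Fa0/2 in VLAN 20, Gig1/1 as trunk) and parses trimmed copies of the `show vlan` and `show int ... switchport` text as IOS prints it; the `HARDENED_FA01` sample is constructed to show what Fa0/1 prints after `switchport mode access` and `switchport nonegotiate`. Besides confirming the VLAN assignments, it flags what the outputs show but the lab does not call out: the access ports are still in `dynamic auto` with DTP negotiation on, so a neighbour offering a trunk would turn them into one, and the trunk carries ALL VLANs with native VLAN 1.

```python
"""Audit the 'show vlan' / 'show int ... switchport' output above (added example).

Not Cisco tooling and not the lab's own config: it parses the text IOS prints,
checks each port against the lab's port-to-VLAN plan, and flags the trunking
settings a reviewer would fix before calling the VLANs isolated.
"""
import re

# Port plan for Switch0, as listed in the lab setup: (mode, access VLAN).
EXPECTED = {"Fa0/1": ("access", 10), "Fa0/2": ("access", 20), "Gig1/1": ("trunk", None)}

# First table of the 'show vlan' output above, trimmed to a few ports.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Gig1/2
10   red-10                           active    Fa0/1
20   red-20                           active    Fa0/2
1002 fddi-default                     act/unsup
"""

# The three 'show int ... switchport' outputs above, trimmed to the audited fields.
SWITCHPORTS = [
    "Name: Fa0/1\nAdministrative Mode: dynamic auto\nOperational Mode: static access\n"
    "Negotiation of Trunking: On\nAccess Mode VLAN: 10 (red-10)\n",
    "Name: Fa0/2\nAdministrative Mode: dynamic auto\nOperational Mode: static access\n"
    "Negotiation of Trunking: On\nAccess Mode VLAN: 20 (red-20)\n",
    "Name: Gig1/1\nAdministrative Mode: trunk\nOperational Mode: trunk\n"
    "Negotiation of Trunking: On\nTrunking Native Mode VLAN: 1 (default)\n"
    "Trunking VLANs Enabled: ALL\n",
]

# Constructed sample: Fa0/1 after 'switchport mode access' + 'switchport nonegotiate'.
HARDENED_FA01 = (
    "Name: Fa0/1\nAdministrative Mode: static access\nOperational Mode: static access\n"
    "Negotiation of Trunking: Off\nAccess Mode VLAN: 10 (red-10)\n"
)

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(active|act/unsup|suspended)\s*(.*)$")


def split_ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {'name': ..., 'ports': [...]}} from the first 'show vlan' table."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            vid, name, _status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "ports": split_ports(ports)}
        elif current is not None and line.startswith(" ") and line.strip():
            vlans[current]["ports"].extend(split_ports(line))  # wrapped port list
    return vlans


def parse_switchport(text):
    """Turn the 'Field: value' lines of 'show int X switchport' into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line and not line.endswith("#"):  # skips prompts and 'Capture Mode Disabled'
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def vlan_number(value):
    """'10 (red-10)' -> 10"""
    return int(value.split()[0])


def audit_port(fields):
    """Findings for one port as (interface, message) tuples; empty list when clean."""
    name = fields["Name"]
    if name not in EXPECTED:
        return [(name, "port is not in the VLAN plan")]
    mode, vlan = EXPECTED[name]
    admin, oper = fields["Administrative Mode"], fields["Operational Mode"]
    findings = []
    if mode == "access":
        if oper != "static access":
            findings.append((name, f"expected an access port, operational mode is '{oper}'"))
        got = vlan_number(fields["Access Mode VLAN"])
        if got != vlan:
            findings.append((name, f"access VLAN is {got}, plan says {vlan}"))
        if admin != "static access":
            # dynamic auto/desirable: a neighbour speaking DTP can turn this port into a trunk
            findings.append((name, f"administrative mode '{admin}'; set 'switchport mode access'"))
    else:
        if oper != "trunk":
            findings.append((name, f"expected a trunk, operational mode is '{oper}'"))
        if fields["Trunking VLANs Enabled"] == "ALL":
            findings.append((name, "trunk carries ALL VLANs; restrict with 'switchport trunk allowed vlan'"))
        if vlan_number(fields["Trunking Native Mode VLAN"]) == 1:
            findings.append((name, "native VLAN is 1; use a dedicated, unused native VLAN"))
    if fields["Negotiation of Trunking"] == "On":
        findings.append((name, "DTP negotiation is on; set 'switchport nonegotiate'"))
    return findings


def audit(show_vlan_text, switchport_texts):
    """Check VLAN membership from 'show vlan', then every port's switchport state."""
    vlans = parse_show_vlan(show_vlan_text)
    findings = []
    for port, (mode, vlan) in EXPECTED.items():
        if mode == "access" and port not in vlans.get(vlan, {}).get("ports", []):
            findings.append((port, f"not listed under VLAN {vlan} in 'show vlan'"))
    for text in switchport_texts:
        findings.extend(audit_port(parse_switchport(text)))
    return findings


if __name__ == "__main__":
    for port, msg in audit(SHOW_VLAN, SWITCHPORTS):
        print(f"{port}: {msg}")
    print("hardened Fa0/1:", audit_port(parse_switchport(HARDENED_FA01)) or "clean")
```

Run it with python3 and it prints seven findings for the lab as captured (two per access port, three for the trunk) and "clean" for the hardened sample; each message quotes the IOS command to apply, and re-running the audit on fresh `show` output after reconfiguring should return an empty list.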


Results:


1. Ping from PC-red-10 to Server 1, OK:

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

2. Ping from PC-red-10 to Server 0, fails:

PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


3. Ping from PC-red-20 to Server 1, fails:

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


4. Ping from PC-red-20 to Server 0, OK:

PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


Conclusions:


1. A switch can have several VLANs defined; hosts on it communicate with each other only when:
  • the hosts trying to communicate belong to the same VLAN ID
  • the hosts are in the same IP segment
  • the switch ports are assigned to the VLAN of the end host plugged into them
  • the switches are configured to carry the VLANs between them (trunk interface)
2. There is no communication between the 192.168.1.0/24 and 192.168.2.0/24 segments because there is no router or Layer 3 switch. We'll cover that in another article.
3. One caveat from the switchport output above: Fa0/1 and Fa0/2 are still in "dynamic auto" with DTP negotiation on, so a neighbour that offers a trunk would turn them into one, and Gig1/1 carries ALL VLANs with native VLAN 1. For ports that should only ever be access ports use "switchport mode access" and "switchport nonegotiate", and limit the trunk with "switchport trunk allowed vlan".


You can also watch it on video