Wednesday, October 30, 2013

Cisco configuration best practices - No Redistribution Metrics Defined for EIGRP

No Redistribution Metrics Defined for EIGRP






Exception: No Redistribution Metrics Defined for EIGRP
Category: EIGRP
OS type: IOS
Risk: Medium
Description: When configuring redistribution into EIGRP, always define the metrics that EIGRP should use with the metric or default-metric keywords. Each protocol uses different metrics, so it is important to define the parameters EIGRP should use. EIGRP needs five metrics defined when redistributing other protocols: bandwidth, delay, reliability, load, and MTU. The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command in those cases.
Recommendation: For example, when configuring RIP redistribution into EIGRP, add metrics in one of the following two ways:

router eigrp 1
 redistribute rip metric 10000 100 255 1 1500

or

router eigrp 1
 redistribute rip
 default-metric 10000 100 255 1 1500

Note: the values "10000 100 255 1 1500" are used as an example; other values may be appropriate in your environment. The general formats under EIGRP are:

redistribute <protocol> metric <bandwidth> <delay> <reliability> <load> <mtu>

or

default-metric <bandwidth> <delay> <reliability> <load> <mtu>

Reference URL: Redistributing Routing Protocols
Corrective action: Define metrics when redistributing into EIGRP with the metric or default-metric keywords.
Warning: The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command in those cases.










Cisco configuration best practices - No EIGRP router-id configured

No EIGRP router-id configured





Exception: No EIGRP router-id configured
Category: EIGRP
OS type: IOS
Risk: Medium
Description: The router ID is set to the IP address of a loopback interface if one is configured. If no loopback interface is configured, the router ID is set to the highest IP address configured on a physical interface. To ensure deterministic behavior, the EIGRP router-id should be set to a chosen address. If no router ID is set for EIGRP, duplicate router IDs may prevent external EIGRP routes from being installed in the topology table. For deterministic behavior, an EIGRP router ID should be configured on all EIGRP-speaking devices.
Reference URL: Preventing Duplicate Router Ids
Corrective action: Configure the router ID with the "eigrp router-id" command.


Cisco configuration best practices - EIGRP MD5 Disabled on Interface

EIGRP MD5 Disabled on Interface






Exception: EIGRP MD5 Disabled on Interface
Category: EIGRP; Security
OS type: IOS
Risk: Medium
Description: This rule checks whether EIGRP authentication is configured on an EIGRP-enabled interface.
Recommendation: Apply MD5 authentication on each EIGRP interface so that EIGRP packets are accepted only from authorized hosts.
Reference URL: Configuring EIGRP Route Authentication
Corrective action: Enable EIGRP authentication.
Warning: In some scenarios there may be many EIGRP-enabled interfaces that have no EIGRP neighbors. MD5 authentication is not required on those interfaces, but they should be configured as passive.


Cisco configuration best practices - Default EIGRP Passive Interface not configured

Default EIGRP Passive Interface not configured




Exception: Default EIGRP Passive Interface not configured.
Category: EIGRP
OS type: IOS
Risk: Medium
Description: In large service-provider and enterprise networks, some distribution-layer routers have a large number of interfaces, for example at the WAN edge. A common practice to simplify routing-protocol configuration on such routers is to enable the routing process on a network range that matches several of the interfaces. While this simplifies configuration, enabling routing indiscriminately on several or all interfaces increases the chance that unauthorized routing peers are inserted, and the unnecessary routing-protocol exchanges add CPU overhead on the router. To prevent these problems, all interfaces can be set passive by default with the 'passive-interface default' command. This command changes the configuration logic to passive by default, so interfaces where router adjacencies are expected must be configured with the 'no passive-interface' command. Setting an interface as passive disables the sending of routing updates on that interface; hence, adjacencies will not be formed in Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). However, the interface's subnet will still be advertised out the other interfaces.
Corrective actions: Under the 'router eigrp' block, configure the following. The arguments to the 'no passive-interface' command are the interfaces that need to participate in EIGRP and form router adjacencies.

   passive-interface default
   no passive-interface <interface>
   no passive-interface <interface>
   no passive-interface <interface>

Warning: On routers with a small number of interfaces, you can instead set the 'passive-interface' command manually on the interfaces where no adjacency is desired, rather than using 'passive-interface default'. The rule also does not apply if all layer 3 interfaces are designed to participate in the EIGRP domain.


Cisco configuration best practices - EIGRP auto summarization enabled (default enabled)

EIGRP auto summarization enabled (default enabled)




Exception: EIGRP auto summarization enabled (default enabled)
Category: EIGRP
OS type: IOS
Risk: High
Description: EIGRP automatically summarizes on classful routing boundaries. Auto-summarization can cause a routing partition under certain circumstances, particularly with classful IP routing and where IP address ranges are split.
The default behavior of EIGRP auto-summarization changed in Cisco IOS Releases 15.0(1)M, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI4 and later releases to be disabled by default.
Corrective action:
router eigrp <as-number>
 no auto-summary

Reference URL: EIGRP auto summarization enabled


Cisco configuration best practices - BGP Consistency Check not enabled

BGP Consistency Check not enabled




Exception: BGP Consistency Check not enabled
Category: BGP; IP routing
OS type: IOS
Risk: Medium
Description: A BGP route inconsistency with a peer occurs when an update or withdraw is not sent to a peer, resulting in black-hole routing. The BGP consistency checker looks for such inconsistencies at a configurable interval.

Once the process identifies an inconsistency, it reports it with a syslog message and optionally takes action if the auto-repair keyword is specified.

Three checks are available:

  • Next-Hop Label Consistency Check
  • RIB-Out Consistency Check
  • Aggregation Consistency Check

Next-Hop Label Consistency Check:

When two paths have the same next hop because they are advertised by the same provider edge router (PE), they should also have the same next-hop label. If the labels differ, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

RIB-Out Consistency Check:

If a network passes an outbound policy and is not sent, or if a network does not pass an outbound policy and is sent, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

Aggregation Consistency Check:

If specific routes and the aggregated route become out of sync, an inconsistency can occur. Either the error-message keyword or the auto-repair keyword triggers aggregation re-evaluation.


Corrective action:
!
bgp consistency-checker {error-message | auto-repair} [interval minutes]
!
error-message: the system generates an error message when an inconsistency is observed.
auto-repair: the system generates a syslog message and also takes an action based on the inconsistency found.
interval: range is 5 to 1440 minutes; defaults to 1440 (one day).

Warning: This applies to IOS

  • 15.1(2)S
  • Cisco IOS XE 3.3S.
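As an added example (not part of the original post, and not the output of the compliance tool these rules come from), the following Python script audits a Cisco IOS configuration text against the six EIGRP and BGP rules above: redistribution metrics, router-id, MD5 authentication on EIGRP-enabled interfaces (honouring the passive-interface caveat from the MD5 rule), passive-interface default, auto-summary and the BGP consistency checker. The two configuration samples, their addresses, AS numbers and the key-chain name are constructed for the example; 'network' statements are assumed to be written in wildcard form.

```python
import ipaddress

# Constructed "before" config (not from the post): breaks every rule discussed above.
BAD_CONFIG = """\
interface Serial0/0/0
 ip address 10.2.2.1 255.255.255.252
router eigrp 1
 network 10.0.0.0 0.255.255.255
 redistribute rip
router bgp 65000
 neighbor 10.2.2.2 remote-as 65001
"""

# Constructed "after" config: the same device with the recommendations applied
# (addresses, AS numbers and key-chain name are made up; the key chain itself is omitted).
GOOD_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial0/0/0
 ip address 10.2.2.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
router eigrp 1
 eigrp router-id 10.255.0.1
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Serial0/0/0
 redistribute rip metric 10000 100 255 1 1500
 no auto-summary
router bgp 65000
 bgp consistency-checker auto-repair interval 60
 neighbor 10.2.2.2 remote-as 65001
"""

def parse_sections(config):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        elif not raw.startswith(" "):
            current = line
            sections.setdefault(current, [])
    return sections

def eigrp_networks(body):
    """Ranges covered by 'network A.B.C.D W.W.W.W' lines (wildcard form assumed)."""
    nets = []
    for line in body:
        w = line.split()
        if w[0] == "network" and len(w) == 3:
            prefix = 32 - int(ipaddress.IPv4Address(w[2])).bit_length()  # contiguous wildcard
            nets.append(ipaddress.ip_network(f"{w[1]}/{prefix}", strict=False))
    return nets

def audit(config):
    """Return sorted (rule, where) findings for one IOS config text."""
    s = parse_sections(config)
    ifaces = {h[10:]: ipaddress.IPv4Address(l.split()[2])      # "interface X" -> address
              for h, b in s.items() if h.startswith("interface ")
              for l in b if l.startswith("ip address ")}
    findings = []
    for header, body in s.items():
        if header.startswith("router eigrp "):
            asn = header.split()[-1]
            if not any(l.startswith("eigrp router-id ") for l in body):
                findings.append(("No EIGRP router-id configured", header))
            if "no auto-summary" not in body:   # conservative: assumes the pre-15.0(1)M default
                findings.append(("EIGRP auto summarization enabled (default enabled)", header))
            default_passive = "passive-interface default" in body
            if not default_passive:
                findings.append(("Default EIGRP Passive Interface not configured", header))
            has_default_metric = any(l.startswith("default-metric ") for l in body)
            for l in body:
                w = l.split()
                # IGRP/EIGRP into EIGRP needs no metric conversion, so those are exempt
                if (w[0] == "redistribute" and len(w) > 1 and w[1] not in ("eigrp", "igrp")
                        and "metric" not in w and not has_default_metric):
                    findings.append(("No Redistribution Metrics Defined for EIGRP", l))
            nets = eigrp_networks(body)
            for name, addr in ifaces.items():
                if not any(addr in n for n in nets):
                    continue   # interface is not EIGRP-enabled
                passive = (f"passive-interface {name}" in body or
                           (default_passive and f"no passive-interface {name}" not in body))
                if passive:
                    continue   # the post's caveat: passive interfaces need no MD5
                if f"ip authentication mode eigrp {asn} md5" not in s[f"interface {name}"]:
                    findings.append(("EIGRP MD5 Disabled on Interface", name))
        elif header.startswith("router bgp ") and not any(
                l.startswith(("bgp consistency-checker error-message",
                              "bgp consistency-checker auto-repair")) for l in body):
            findings.append(("BGP Consistency Check not enabled", header))
    return sorted(findings)
```

Running audit(BAD_CONFIG) yields one finding per rule (the serial interface is flagged for MD5 because, without 'passive-interface default', it is an active EIGRP interface), while audit(GOOD_CONFIG) returns an empty list: GigabitEthernet0/0 is passive by default and so is exempt from the MD5 check, and Serial0/0/0 is active but authenticated.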


Analysis of Cisco configuration best practices

Introduction:

This section covers Cisco's recommendations on best practices for configuring Cisco equipment.



Category | Risk | Exception | OS
BGP | Medium | BGP Consistency Check not enabled | IOS
EIGRP | High | EIGRP auto summarization enabled (default enabled) | IOS
EIGRP | Medium | Default EIGRP Passive Interface not configured. | IOS
EIGRP | Medium | EIGRP MD5 Disabled on Interface | IOS
EIGRP | Medium | No EIGRP router-id configured | IOS
EIGRP | Medium | No Redistribution Metrics Defined for EIGRP | IOS
IP Applications | Medium | HSRP Preempt delay not configured | IOS
IP Applications | Medium | NTP not protected by ACL | IOS
IP Applications | Medium | Standby delay minimum reload not configured | IOS
IP Applications | Low | NTP Update Calendar Disabled | IOS
IP Applications | Low | NTP authentication not enabled | IOS
IP Applications | Low | NTP enabled without time zone | IOS
IP Applications | Low | NTP source interface not defined | IOS
IP Applications | Low | NTP summertime not enabled | IOS
IP Applications | Low | No redundant NTP server | IOS
IP Routing | Medium | IOS Static Route Missing Parameters | IOS
IP Routing | Medium | Recursive static routes are present | IOS
IP Routing | Low | IP Classless disabled | IOS
IP Routing | Low | Name Parameter Missing from Static Routes | IOS
IP Routing | Low | NetBIOS UDP broadcasts enabled | IOS
Infrastructure | High | Cisco IOS Image Verification | IOS
Infrastructure | Low | Exec enabled on line aux | IOS
LAN | High | Spanning-tree disabled on one or more VLANs | IOS
LAN | Medium | BPDU Guard Not Enabled | IOS
LAN | Medium | Loopguard not configured | IOS
LAN | Medium | MAC address move notification not enabled | IOS
LAN | Medium | Portfast not enabled on access or edge port | IOS
LAN | Medium | UDLD Globally Disabled | IOS
LAN | Medium | VLANs not cleared from trunk | IOS
LAN | Medium | VTP domain name not set | IOS
LAN | Low | Complete Power-on Diagnostics Disabled | IOS
LAN | Low | Dynamic trunking is enabled on a static access port | IOS
LAN | Low | StackWise SNMP Traps Not Enabled | IOS
Management | Medium | CDP disabled on an interface | IOS
Management | Medium | Logging to the console is enabled | IOS
Management | Medium | Loopback interface not used | IOS
Management | Medium | SNMP server memory traps not enabled | IOS
Management | Medium | Syslog level not set to informational | IOS
Management | Medium | WarmStart SNMP Traps Not Enabled | IOS
Management | Low | CPU Thresholding Notification is not enabled. | IOS
Management | Low | ColdStart SNMP Traps Not Enabled | IOS
Management | Low | Configuration Management SNMP Traps Not Enabled | IOS
Management | Low | Interface level syslog events not disabled | IOS
Management | Low | Interface traps not disabled on at least one interface | IOS
Management | Low | Linkup and Linkdown SNMP Traps Not Enabled | IOS
Management | Low | Memory Threshold Notifications (I-O) Not Enabled | IOS
Management | Low | Memory Threshold Notifications (Processor) Not Enabled | IOS
Management | Low | Nagle service disabled | IOS
Management | Low | No interface description | IOS
Management | Low | No redundant SNMP trap receiver | IOS
Management | Low | No redundant syslog server | IOS
Management | Low | SNMP Interface Index Persistence not enabled | IOS
Management | Low | SNMP contact not defined | IOS
Management | Low | SNMP location not defined | IOS
Management | Low | SNMP trap source not defined | IOS
Management | Low | SNMP traps not enabled | IOS
Management | Low | Syslog source interface not defined | IOS
Management | Low | The Call Home feature is not configured | IOS
Management | Low | The Enhanced Crashinfo File Collection feature is not configured. | IOS
Management | Low | Timestamping for debugging not set for datetime | IOS
Management | Low | Timestamping for logging not set for datetime | IOS
Management | Low | Unnecessary Syslog SNMP trap configured | IOS
Security | High | Enable password not adequately protected | IOS
Security | High | SNMP access for IPv4 is not protected with an access-list. | IOS
Security | High | The aaa authentication login command(s) is/are not configured optimally. | IOS
Security | High | Vlan 1 interface used | IOS
Security | Medium | AAA connection accounting disabled | IOS
Security | Medium | AAA system accounting disabled | IOS
Security | Medium | DHCP server enabled | IOS
Security | Medium | HSRP Updates not authenticated | IOS
Security | Medium | HSRP Virtual MAC Address not modified | IOS
Security | Medium | HTTP secure-server is enabled. | IOS
Security | Medium | HTTP server enabled | IOS
Security | Medium | ICMP redirects not disabled on an Interface | IOS
Security | Medium | IOS Software Resilient Configuration secure boot-config disabled | IOS
Security | Medium | Local user account is not protected against potential brute-force attacks | IOS
Security | Medium | PAD service enabled | IOS
Security | Medium | SNMPv3 not used | IOS
Security | Medium | SSH Not Used or Not Used Exclusively for Remote Access. | IOS
Security | Medium | SSH V2 not used for device Access | IOS
Security | Medium | Security Password Minimum Length Less Than 8 | IOS
Security | Medium | Unicast reverse path disabled | IOS
Security | Medium | VTY line timeout disabled | IOS
Security | Medium | VTY line timeout is longer than 30 mins | IOS
Security | Medium | VTY lines not protected with an access list | IOS
Security | Low | A user account is not protected with MD5 | IOS
Security | Low | Authentication SNMP Traps Not Enabled | IOS
Security | Low | BOOTP server enabled | IOS
Security | Low | CDP is enabled globally and active on all interfaces. | IOS
Security | Low | DHCP lease time low or infinite | IOS
Security | Low | ICMP unreachables enabled on all interfaces of this device. | IOS
Security | Low | IP Source Routing enabled | IOS
Security | Low | IP options allowed | IOS
Security | Low | Incorrectly entered commands will generate a DNS lookup. | IOS
Security | Low | Password recovery is Enabled | IOS
Security | Low | Proxy ARP is enabled | IOS
Security | Low | Redundant AAA server unavailable | IOS
Security | Low | Security authentication failure rate disabled | IOS
Security | Low | Service sequence-numbers not enabled | IOS
Security | Low | TACACS+ packets not being sourced from a specifically defined interface | IOS
Security | Low | TCP keepalives not enabled in both directions | IOS

Wednesday, October 23, 2013

Cisco PPP and CHAP configuration


Scenario


We will configure the PCs and the Cisco devices in a point-to-point topology, using PPP encapsulation and CHAP authentication.



[Figure: Cisco PPP and CHAP configuration topology]



  • PC1 --> 192.168.1.100 / 255.255.255.0, gateway 192.168.1.1
  • Router1 --> G0/0 192.168.1.1 / 255.255.255.0, S0/0/0 200.200.200.1 / 255.255.255.252



  • PC2 --> 192.168.2.100 / 255.255.255.0, gateway 192.168.2.1
  • Router2 --> G0/0 192.168.2.1 / 255.255.255.0, S0/0/0 200.200.200.2 / 255.255.255.252



  • Router1 and Router2: PPP encapsulation
  • CHAP authentication password: "cisco"



Procedure

1. Cisco Packet Tracer is used for the tests.
2. Configure PC1 and PC2 with their respective IP addresses and gateway.
3. Configure Router1 as follows:
hostname Router1
!
username Router2 password 0 cisco

!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.200.200.1 255.255.255.252
 mtu 150
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.2.0 255.255.255.0 Serial0/0/0 
!

line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router1#


4. Configure Router2 as follows:

hostname Router2
!
username Router1 password 0 cisco
!
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.200.200.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0/0/0 
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Router2#


Communication tests

1. Neighbor checks between the routers:

Router1#show cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
Switch       Gig 0/0          133            S       2960        Gig 1/1
Router2      Ser 0/0/0        141            R       C2900       Ser 0/0/0


Router2#show cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
Switch       Gig 0/0          136            S       2960        Gig 1/1
Router1      Ser 0/0/0        149            R       C2900       Ser 0/0/0


2. Routing table

Router1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, GigabitEthernet0/0
L       192.168.1.1/32 is directly connected, GigabitEthernet0/0
S    192.168.2.0/24 is directly connected, Serial0/0/0
     200.200.200.0/24 is variably subnetted, 3 subnets, 2 masks
C       200.200.200.0/30 is directly connected, Serial0/0/0
L       200.200.200.1/32 is directly connected, Serial0/0/0
C       200.200.200.2/32 is directly connected, Serial0/0/0



Router2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.1.0/24 is directly connected, Serial0/0/0
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.0/24 is directly connected, GigabitEthernet0/0
L       192.168.2.1/32 is directly connected, GigabitEthernet0/0
     200.200.200.0/24 is variably subnetted, 3 subnets, 2 masks
C       200.200.200.0/30 is directly connected, Serial0/0/0
C       200.200.200.1/32 is directly connected, Serial0/0/0
L       200.200.200.2/32 is directly connected, Serial0/0/0


3. Connectivity tests from the PCs

Ping from PC 192.168.1.100 to 192.168.2.100


PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=6ms TTL=126

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 6ms, Average = 2ms



Ping from PC 192.168.2.100 to 192.168.1.100

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=2ms TTL=126
Reply from 192.168.1.100: bytes=32 time=1ms TTL=126
Reply from 192.168.1.100: bytes=32 time=1ms TTL=126
Reply from 192.168.1.100: bytes=32 time=7ms TTL=126

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 7ms, Average = 2ms


You can also watch it on video:


Video: PPP and CHAP configuration with Cisco Packet Tracer


Tuesday, October 22, 2013

VLAN configuration on a Cisco switch

Creating VLANs on a Cisco Catalyst switch


To learn how to create VLANs on a Cisco switch (for example a 2950, 2960, etc.), we will use the following diagram:

[Figure: creating VLANs with Cisco Packet Tracer]


For the simulation we will use Cisco Packet Tracer and carry out the following tasks:

1. This network topology will handle two network segments with their respective VLANs assigned:

Vlan 10 --> network segment 192.168.1.0 / 255.255.255.0 --> VLAN name: red-10
Vlan 20 --> network segment 192.168.2.0 / 255.255.255.0 --> VLAN name: red-20

2. PC-red-10 is assigned IP 192.168.1.1 / 255.255.255.0, on VLAN 10
    PC-red-20 is assigned IP 192.168.2.1 / 255.255.255.0, on VLAN 20

    Server 1 is assigned IP 192.168.1.100 / 255.255.255.0, on VLAN 10
    Server 0 is assigned IP 192.168.2.200 / 255.255.255.0, on VLAN 20

3. Switch 0: create VLANs 10 and 20, and a trunk interface
    Switch 1: create VLANs 10 and 20, and a trunk interface.

   Switch 0, f0/1, assigned to VLAN 10
   Switch 0, f0/2, assigned to VLAN 20
   Switch 0, G1/1, trunk interface

   Switch 1, f0/1, assigned to VLAN 10
   Switch 1, f0/2, assigned to VLAN 20
   Switch 1, G1/1, trunk interface



Verifying the VLAN creation


1. show vlan:

Switch0#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/2
10   red-10                           active    Fa0/1
20   red-20                           active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch0#


2. show int f0/1 switchport

Switch0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (red-10)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
Switch0#


3. show int f0/2 switchport

Switch0#show int f0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 20 (red-20)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none


4. show int g1/1 switchport:

Switch0#show int g1/1 switchport
Name: Gig1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false

Appliance trust: none


Results:


1. Ping from PC-red-10 to Server 1, OK:

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128
Reply from 192.168.1.100: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

2. Ping from PC-red-10 to Server 0, fails:

PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


3. Ping from PC-red-20 to Server 1, fails:

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


4. Ping from PC-red-20 to Server 0, OK:

PC>ping 192.168.2.100

Pinging 192.168.2.100 with 32 bytes of data:

Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128
Reply from 192.168.2.100: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.2.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


Conclusions:


1. Within a switch we can have several VLANs; hosts will communicate with each other as long as:
  • The hosts trying to connect belong to the same VLAN ID
  • The hosts are in the same IP segment
  • The switch ports are assigned to the respective VLAN of the end host connected to them
  • The switches are configured to carry the different VLANs between them (trunk interface)
2. There is no communication between the segments 192.168.1.0/24 and 192.168.2.0/24 because there is no router or layer 3 switch. We will cover that in another article.
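As an added example (not part of the original post), the Python below parses the 'show vlan' output printed by Switch0 above into a port-to-VLAN map and then applies the four conditions from the conclusions to predict the four ping results. The host table is built from steps 2 and 3 of the post; since Switch1's own 'show vlan' is not shown, the same table is assumed for it, and the trunk is assumed to carry all VLANs as 'show int g1/1 switchport' reports.

```python
import ipaddress
import re

# First table of the 'show vlan' output printed by Switch0 in the post above
# (the start of the second table is kept to show that the parser stops at it).
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/2
10   red-10                           active    Fa0/1
20   red-20                           active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")   # id, name, status, ports


def parse_show_vlan(text):
    """Return {port: vlan_id} from the VLAN/port table, folding in continuation lines."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if port_vlan:          # a blank line ends the first table; ignore the rest
                break
            continue
        m = VLAN_ROW.match(line)
        if m:
            current, ports = int(m.group(1)), m.group(2)
        elif line.startswith(" ") and current is not None:
            ports = line.strip()   # continuation line: more ports of the same VLAN
        else:
            continue               # column header or separator row
        for port in ports.split(","):
            if port.strip():
                port_vlan[port.strip()] = current
    return port_vlan


# Both switches were configured identically in the post (f0/1 -> VLAN 10, f0/2 -> VLAN 20,
# Gig1/1 trunk); Switch1's own 'show vlan' is not in the post, so the same table is reused.
SWITCHES = {"Switch0": parse_show_vlan(SHOW_VLAN), "Switch1": parse_show_vlan(SHOW_VLAN)}
TRUNK_ALLOWED_VLANS = None   # 'Trunking VLANs Enabled: ALL' on Gig1/1; a set here would restrict it

# Host placement and addressing from steps 2 and 3 of the post.
HOSTS = {
    "PC-red-10": ("Switch0", "Fa0/1", "192.168.1.1/24"),
    "PC-red-20": ("Switch0", "Fa0/2", "192.168.2.1/24"),
    "Server 1":  ("Switch1", "Fa0/1", "192.168.1.100/24"),
    "Server 0":  ("Switch1", "Fa0/2", "192.168.2.200/24"),
}


def can_reach(src, dst):
    """Apply the post's conclusions: same VLAN on both access ports, same IP subnet and,
    across switches, the VLAN carried by the trunk. Returns (reachable, reason)."""
    s_sw, s_port, s_ip = HOSTS[src]
    d_sw, d_port, d_ip = HOSTS[dst]
    s_vlan, d_vlan = SWITCHES[s_sw].get(s_port), SWITCHES[d_sw].get(d_port)
    if s_vlan is None or d_vlan is None:
        return False, "a port is not assigned to any VLAN"
    if s_vlan != d_vlan:
        return False, f"VLAN {s_vlan} and VLAN {d_vlan} need a router or layer-3 switch"
    if ipaddress.ip_interface(s_ip).network != ipaddress.ip_interface(d_ip).network:
        return False, "same VLAN but different IP subnets"
    if s_sw != d_sw and TRUNK_ALLOWED_VLANS is not None and s_vlan not in TRUNK_ALLOWED_VLANS:
        return False, f"VLAN {s_vlan} is not allowed on the trunk"
    return True, f"same VLAN {s_vlan} and same subnet"
```

can_reach("PC-red-10", "Server 1") and can_reach("PC-red-20", "Server 0") report reachable, matching results 1 and 4; the two cross-VLAN pairs are rejected with the "need a router or layer-3 switch" reason, matching results 2 and 3. Setting TRUNK_ALLOWED_VLANS to a set that omits a VLAN reproduces the effect of pruning it from the trunk.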


You can also watch it on video







Wednesday, October 9, 2013

Wireshark Network Analyzer

Chapter 1

The PING command


Hello friends, today we will talk about network diagnostic utilities such as the ping command, and we will see what its packets look like in a network analyzer such as Wireshark.


The "ping" command, whose name comes from the acronym Packet Internet Groper ("packet finder or tracker"), is a network diagnostic utility that checks the status of hosts connected to a local or remote TCP/IP data network by means of ICMP packets.

Ping works at the network layer: the IP protocol encapsulates the ICMP message inside a packet and sends it. Two sets of data can be distinguished in the packet: the IP header, which contains the standard network-layer data, and the ICMP sub-packet, which contains the control data. In the IP header the protocol value is mandatorily set to 1 and the type of service to 0. In the ICMP sub-packet the ICMP message type is set to 8 (request) or 0 (reply) and the code to 0 (in both cases).


ICMP packet

                    Bits 0-7          Bits 8-15         Bits 16-23        Bits 24-31
IP header           Version/IHL       Type of service   Length
(20 bytes)          Identification                      Flags and offset
                    Time to live (TTL) Protocol         Checksum
                    Source IP address
                    Destination IP address
ICMP payload        Message type      Code              Checksum
(8 + bytes)         Identifier + sequence number
                    Data (optional)
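As an added example (not part of the original post), the Python below builds an ICMP echo request exactly as laid out in the table above, with the IP header fields the post calls out (protocol 1, type of service 0) and the ICMP fields (type 8 or 0, code 0), and parses it back the way a receiver does, verifying both checksums. The addresses reuse the post's ping (10.7.170.32 to 10.7.172.1); the 32-byte payload pattern and the identifier/sequence values are constructed for the example.

```python
import ipaddress
import struct

# Constructed payload: the 32-byte pattern a Windows ping sends, as in the output above.
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data):
    """RFC 1071 one's-complement checksum used by the IP header and by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(src, dst, identifier, sequence, payload, reply=False, ttl=128):
    """IPv4 header (protocol 1, ToS 0) followed by an ICMP echo request (type 8) or reply (type 0)."""
    icmp = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, identifier, sequence) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + icmp


def parse_echo(packet):
    """Decode the fields Wireshark shows for frames 80 and 81; raises ValueError on a bad packet."""
    ver_ihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(packet[:ihl]) != 0:   # an intact header sums to zero
        raise ValueError("bad IP version or header checksum")
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:total_len]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, identifier, sequence = struct.unpack("!BBHHH", icmp[:8])
    kind = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(icmp_type, "other")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "tos": tos, "ttl": ttl, "protocol": proto, "type": icmp_type, "code": code,
            "kind": kind, "id": identifier, "seq": sequence, "data": icmp[8:]}


def is_valid_echo(packet):
    """True when the packet parses as ICMP with intact checksums (what a receiver checks first)."""
    try:
        parse_echo(packet)
        return True
    except (ValueError, struct.error):
        return False
```

build_echo() produces the 60-byte IP packet (20-byte header, 8-byte ICMP header, 32 bytes of data) that sits behind each "Reply from ... bytes=32" line; parsing a reply built with reply=True and ttl=255 gives type 0 and the TTL seen in the output above, and flipping any data byte makes is_valid_echo() return False because the ICMP checksum no longer matches.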

If we ping a host and it responds, we will see the following results:

C:\Users>ping 10.7.172.1

Haciendo ping a 10.7.172.1 con 32 bytes de datos:
Respuesta desde 10.7.172.1: bytes=32 tiempo=6ms TTL=255
Respuesta desde 10.7.172.1: bytes=32 tiempo=7ms TTL=255
Respuesta desde 10.7.172.1: bytes=32 tiempo=7ms TTL=255
Respuesta desde 10.7.172.1: bytes=32 tiempo=1078ms TTL=255

Estadísticas de ping para 10.7.172.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 6ms, Máximo = 1078ms, Media = 274ms


In the Wireshark network analyzer we can distinguish the following packets:


[Figure: Wireshark view of the ping command]









If we look at the first frame (frame 80), we see that the "Source" IP is the local IP that sends the ping request (10.7.170.32) and the "Destination" IP is the IP of the remote host we are pinging.

The protocol identified is ICMP, and for frame 80 it is an "Echo (ping) request".

This can be seen better in the next figure, which shows frame 80 with its Type of service, Protocol and Message type fields (ICMP message type 8, request):


[Figure: Wireshark view of the ping request]

For frame 81, which is the reply to frame 80, the same values are shown for the IP header and a value of 0 for the message type (Echo (ping) reply).


[Figure: Wireshark view of the ping reply]


Well, I hope this is useful. See you soon.



Tuesday, October 8, 2013

Video: Solarwinds IP Address Tracker

Hello friends, this time I will show you a video of the "Solarwinds IP Address Tracker" tool.

With this tool we can scan a particular subnet, see in a table which IPs are in use and which appear to be available, and much more:


Video Solarwinds IP Address Tracker




Sunday, October 6, 2013

Video: Solarwinds Realtime Bandwidth Monitor

Hello friends, here is another video that may help you see the bandwidth of a particular interface on a switch or router, for example.

Sometimes we want to know how much our network consumes in terms of traffic, with questions such as: are we reaching the maximum contracted with our MPLS or Internet provider? This tool can help you see bandwidth consumption in real time; inbound and outbound traffic can be viewed through the SNMP protocol.

Here is the video.


Video: Solarwinds Realtime Bandwidth Monitor












Video: Solarwinds SFTP SCP Server

Hello friends, here is another video called "Solarwinds SFTP SCP Server", in which you will learn how to install and use this tool for secure file transfer over the network.

Here you will see how to use the server and a client to perform secure transfers:



Video: Solarwinds SFTP SCP Server






Video: Advanced IP Scanner

Among the various tools for IP networks, here is a video I made about Advanced IP Scanner, a free tool with which you can see the IP addresses present on a particular network.

You can perform tasks such as network exploration, creating a favorites list of hosts, troubleshooting with tools such as ping, tracert, telnet and ssh, remote access with tools such as radmin, etc.

It is easy to use; here it is:



Video: Advanced IP Scanner


[Figure: advanced-ip-scanner]