
Monday, September 7, 2015

CCNA 200-120 - Practice 4

CCNA Routing and Switching - Practice 4


CREATING A SIMPLE NETWORK

Now we will build a small local network with two PCs and two switches, as shown in the following figure:


[Figure: pequeña-red-cisco (diagram of the small Cisco network)]


The following configuration is applied:

  • PC-A with IP address 192.168.1.10 and mask 255.255.255.0
  • PC-B with IP address 192.168.1.11 and mask 255.255.255.0
  • Connect PC-A to port Fa0/1 of Switch1 with a straight-through cable
  • Connect PC-B to port Fa0/1 of Switch2 with a straight-through cable
  • Connect both switches to each other through port Fa0/2
  • Configure Switch1 and Switch2
  • Run ping tests between the PCs

1.- Switch configuration



Switch1#
Switch1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#no ip domain-lookup
Switch1(config)#enable secret cisco
Switch1(config)#line con 0
Switch1(config-line)#password cisco
Switch1(config-line)#login
Switch1(config-line)#exit
Switch1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
*********************************************************
Acceso Restringido
*********************************************************
#
Switch1(config)#exit
Switch1#
%SYS-5-CONFIG_I: Configured from console by console
Switch1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Switch1#


2.- Show the status of the interfaces connected on the switch:

Switch1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual down                  down
FastEthernet0/5        unassigned      YES manual down                  down
FastEthernet0/6        unassigned      YES manual down                  down
FastEthernet0/7        unassigned      YES manual down                  down
FastEthernet0/8        unassigned      YES manual down                  down
FastEthernet0/9        unassigned      YES manual down                  down
FastEthernet0/10       unassigned      YES manual down                  down
FastEthernet0/11       unassigned      YES manual down                  down
FastEthernet0/12       unassigned      YES manual down                  down
FastEthernet0/13       unassigned      YES manual down                  down
FastEthernet0/14       unassigned      YES manual down                  down
FastEthernet0/15       unassigned      YES manual down                  down
FastEthernet0/16       unassigned      YES manual down                  down
FastEthernet0/17       unassigned      YES manual down                  down
FastEthernet0/18       unassigned      YES manual down                  down
FastEthernet0/19       unassigned      YES manual down                  down
FastEthernet0/20       unassigned      YES manual down                  down
FastEthernet0/21       unassigned      YES manual down                  down
FastEthernet0/22       unassigned      YES manual down                  down
FastEthernet0/23       unassigned      YES manual down                  down
FastEthernet0/24       unassigned      YES manual down                  down
GigabitEthernet0/1     unassigned      YES manual down                  down
GigabitEthernet0/2     unassigned      YES manual down                  down
Vlan1                  unassigned      YES manual administratively down down
Switch1#
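The following Python snippet is an added example, not part of the original practice: it parses the `show ip interface brief` output above into records and reports which ports are up/up, which are down/down but still enabled (unused ports that a hardening template would put into `shutdown`), and which are administratively down. The sample text is a trimmed copy of the output above, and the function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the 'show ip interface brief' output above
# (same column layout, fewer rows).
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/24       unassigned      YES manual down                  down
GigabitEthernet0/1     unassigned      YES manual down                  down
Vlan1                  unassigned      YES manual administratively down down
"""

# Status is captured lazily so the two-word value "administratively down" survives;
# Protocol is always the last token on the row.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)\s*$"
)


def parse_show_ip_int_brief(text):
    """Return one dict per interface row; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def connected_ports(rows):
    """Interfaces that are up/up, i.e. have an active link (the PC and the inter-switch link here)."""
    return [r["iface"] for r in rows if r["status"] == "up" and r["protocol"] == "up"]


def unused_but_enabled(rows):
    """Physical ports that are down/down (nothing connected) yet not administratively
    shut down; a hardening template normally puts these into 'shutdown'."""
    return [r["iface"] for r in rows
            if r["status"] == "down" and r["protocol"] == "down"
            and not r["iface"].lower().startswith("vlan")]


def admin_down(rows):
    """Interfaces explicitly disabled with 'shutdown'."""
    return [r["iface"] for r in rows if r["status"] == "administratively down"]
```

Run against the full output of the practice, `unused_but_enabled` would list 22 FastEthernet ports and both GigabitEthernet ports: every one of them is an open door until it is shut down or assigned to a parking VLAN.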


3.- Connectivity tests between PC-A and PC-B

PC-A>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::207:ECFF:FE65:42B8
   IP Address......................: 192.168.1.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0

PC-A>ping 192.168.1.11

Pinging 192.168.1.11 with 32 bytes of data:

Reply from 192.168.1.11: bytes=32 time=1ms TTL=128
Reply from 192.168.1.11: bytes=32 time=0ms TTL=128
Reply from 192.168.1.11: bytes=32 time=0ms TTL=128
Reply from 192.168.1.11: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.1.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms



PC-B>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::202:4AFF:FE62:2C2E
   IP Address......................: 192.168.1.11
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0

PC-B>ping 192.168.1.10

Pinging 192.168.1.10 with 32 bytes of data:

Reply from 192.168.1.10: bytes=32 time=1ms TTL=128
Reply from 192.168.1.10: bytes=32 time=0ms TTL=128
Reply from 192.168.1.10: bytes=32 time=1ms TTL=128
Reply from 192.168.1.10: bytes=32 time=0ms TTL=128

Ping statistics for 192.168.1.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms





If you have any questions or comments, feel free to post them on this blog.






Wednesday, January 29, 2014

NTP enabled without time zone


Exception: NTP enabled without time zone
Category: IP Applications
OS Type: IOS
Risk: low
Description: Network Time Protocol (NTP) is configured but without a time zone.
Reference URL: Command Reference
Corrective Action: clock timezone
Caveat: Some customers with global networks use a single time zone for all network devices, for example Coordinated Universal Time (GMT), and may not configure a time zone on the system.






NTP authentication not enabled


Exception: NTP authentication not enabled
Category: IP Applications; Security
OS Type: IOS
Risk: low
Description: "NTP is an important tool for troubleshooting and event correlation. Any network device that is accepting NTP should be protected by a firewall or access lists, or have the services disabled to protect against Denial of Service attacks or attempts at unauthorized usage. NTP is disabled by default."
Reference URL: Network Time Protocol Best Practices White Paper
Corrective Action:
ntp authentication-key 777 md5 cisco-ntp
ntp authenticate
ntp trusted-key 777
ntp update-calendar
ntp server 10.100.0.1 key 777 prefer
Caveat: "With NTP authentication enabled, unauthenticated packets are still accepted, which is the lowest validity. To prevent a device from accepting NTP updates from unauthorized servers, use an access list."







Thursday, January 9, 2014

Cisco Switch Configuration Template

1° Define VTP:

vlan database
vtp transparent   <--- this resets the configuration revision and prevents VLANs from being deleted when a device with a higher revision than the current one is introduced.
exit

vlan database
vtp domain <Name-Domain>
vtp client
vtp password xxxxxxx
exit


2° Configure passwords, hostname and other settings

conf t
enable secret xxxxxxx
line con 0
 logging synchronous
 exec-timeout 5 0
 password xxxxxxx
line vty 0 4
 logging synchronous
 exec-timeout 5 0
 timeout login response 300
 password xxxxxxxx
 login
line vty 5 15
 logging synchronous
 no login


hostname <xxxxxxx>
udld enable
no ip http server
no setup express
no service pad
no service finger
no ip bootp server
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip source-route
no ip domain-lookup

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

logging buffered 8000 debugging
logging xx.xx.xx.xx

spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id

For stacked switches add:
logging xx.xx.xx.xx

3° Configure trunks and ports:


Configuration of SFP ports in trunk mode

interface GigabitEthernet [Interface number]
description *** to  <site> (<Gi?/?> <device_name> <ip-address>) ***
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan [List of allowed VLANs]
switchport trunk native vlan xxx
switchport mode trunk
switchport nonegotiate
no ip address
speed nonegotiate
no shut


Configuration of RJ-45 ports in trunk mode

interface GigabitEthernet [Interface number]
description *** to  <site> (<Gi?/?> <device_name> <ip-address>) ***
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan [List of allowed VLANs]
switchport trunk native vlan xxx
switchport mode trunk
switchport nonegotiate
no ip address
speed [10/100/1000]
duplex [half/full]
no shut

Configuration of RJ-45 ports in access mode for users

interface GigabitEthernet [Interface number]
description [Port description]
switchport
switchport access vlan [VLAN ID]
switchport voice vlan [VLAN ID]
switchport mode access
storm-control broadcast level 1.00 0.50
storm-control action shutdown
storm-control action trap
spanning-tree guard root
spanning-tree portfast
switchport nonegotiate
no ip address
no shut





Configuration of RJ-45 ports in access mode for servers

interface GigabitEthernet [Interface number]
description [Port description]
switchport
switchport access vlan [VLAN ID]
switchport mode access
spanning-tree guard root
spanning-tree portfast
switchport nonegotiate
no ip address
speed [10/100/1000]
duplex [half/full]
no shut


Configuration of disabled (unused) interfaces

interface GigabitEthernet [Interface number]
description *** DISPONIBLE ***
switchport access vlan xxx
switchport mode access
storm-control broadcast level 1.00 0.50
storm-control action shutdown
storm-control action trap
spanning-tree guard root
spanning-tree portfast
switchport nonegotiate
no ip address
shutdown
speed nonegotiate


Configuration of Layer 3 interfaces

interface GigabitEthernet [Interface number]
description *** [Name] ***
no switchport
ip address [IP address] [mask]
no ip redirects
no ip unreachables
no ip proxy-arp
ip authentication mode eigrp xx md5
ip authentication key-chain eigrp 68 EIGRP_AUTHENTICATION
ip pim sparse-dense-mode
speed nonegotiate
no shutdown



Layer 3 key configuration

key chain EIGRP_AUTHENTICATION
 key 1
  key-string xxxxxxxx

Alternatives for the storm-control commands


 port storm-control broadcast action shutdown
 port storm-control broadcast trap
 port storm-control broadcast threshold rising 20 falling 5

or

 storm-control broadcast level 1.00 0.50
 storm-control action shutdown
 storm-control action trap
!

Configuration of interface VLAN 1

interface VLAN1
shutdown

Configuration of interface VLAN XXX

interface VLAN[XXX]
description *** [VLAN name] ***
ip address [IP address] [mask]
no ip redirects
no ip unreachables
no ip proxy-arp

IP default gateway

ip default-gateway

4° Configure the clock.


service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone scl -4
clock summer-time scl recurring 2 Sat Oct 23:59 2 Sat Mar 23:59
ntp server xx.xx.xx.xx

5° Configure TACACS.


tacacs-server host xx.xx.xx.xx
tacacs-server key xxxxxx
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated



7° Configure SNMP.


If the device is already cleared to be monitored (registered in Toolnet) and NSS has given its approval, enable monitoring.

snmp-server community xxxxxxx RO
snmp-server community xxxxxx RW
snmp-server location <xxxxxxx>
snmp-server contact xxxxxx
snmp-server chassis-id
snmp-server enable traps chassis
snmp-server enable traps module
snmp-server enable traps config
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server host xx.xx.xx.xx  version 2c xxxxxx
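As an added example (not part of the blog's template), the Python below renders the port templates of step 3 from a small inventory of ports and their roles, so that every unused port is emitted with `shutdown` and every user port gets the same storm-control and PortFast settings. The role names, parameter names and the `render_inventory` function are this example's assumptions; the emitted lines are the template's own commands.

```python
import string

# The port templates from step 3 as Python lists, with {placeholders} for the values
# the template leaves as [..] or xxx. Role names are this example's own.
TRUNK_SFP = [
    "switchport",
    "switchport trunk encapsulation dot1q",
    "switchport trunk allowed vlan {allowed_vlans}",
    "switchport trunk native vlan {native_vlan}",
    "switchport mode trunk",
    "switchport nonegotiate",
    "no ip address",
    "speed nonegotiate",
    "no shut",
]
USER_ACCESS = [
    "switchport",
    "switchport access vlan {access_vlan}",
    "switchport voice vlan {voice_vlan}",
    "switchport mode access",
    "storm-control broadcast level 1.00 0.50",
    "storm-control action shutdown",
    "storm-control action trap",
    "spanning-tree guard root",
    "spanning-tree portfast",
    "switchport nonegotiate",
    "no ip address",
    "no shut",
]
UNUSED = [
    "switchport access vlan {parking_vlan}",
    "switchport mode access",
    "storm-control broadcast level 1.00 0.50",
    "storm-control action shutdown",
    "storm-control action trap",
    "spanning-tree guard root",
    "spanning-tree portfast",
    "switchport nonegotiate",
    "no ip address",
    "shutdown",
]
ROLES = {"trunk-sfp": TRUNK_SFP, "user-access": USER_ACCESS, "unused": UNUSED}


def required_params(role):
    """Placeholder names a role's template needs, read from the {fields} themselves."""
    names = set()
    for tmpl in ROLES[role]:
        for _, field, _, _ in string.Formatter().parse(tmpl):
            if field:
                names.add(field)
    return names


def render_port(interface, role, description, **params):
    """Render one interface block; fail loudly on a missing value rather than
    emitting a half-filled command."""
    missing = required_params(role) - set(params)
    if missing:
        raise ValueError(f"role {role!r} needs {sorted(missing)}")
    lines = [f"interface {interface}", f" description {description}"]
    lines += [" " + tmpl.format(**params) for tmpl in ROLES[role]]
    return lines


def render_inventory(inventory, **defaults):
    """Render a list of {'interface', 'role', 'description', 'params'} entries;
    per-port params override the site-wide defaults (e.g. the parking VLAN)."""
    out = []
    for port in inventory:
        params = {**defaults, **port.get("params", {})}
        out += render_port(port["interface"], port["role"], port["description"], **params)
        out.append("!")
    return "\n".join(out)
```

Generating the blocks from one source keeps the "unused port" template from drifting: a port that is not in the inventory with a real role can only come out as `shutdown` in a parking VLAN.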







Thursday, November 7, 2013

Cisco configuration best practices - NTP Update Calendar Disabled

NTP Update Calendar Disabled




Exception: NTP Update Calendar Disabled
Category: IP Applications
OS Type: IOS
Risk: low
Description: Some platforms have a battery-powered hardware clock, referred to in the command-line interface (CLI) as the "calendar," in addition to the software-based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted. If the software clock is synchronized to an outside time source via NTP, it is a good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may become out of synchronization with each other. The ntp update-calendar command will enable the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock will be updated only if NTP has synchronized to an authoritative time server.
Reference URL: ntp update-calendar
Corrective action: ntp update-calendar
Caveat: Many lower-end routers (for example, the Cisco 2500 series or the Cisco 2600 series) do not have hardware clocks, so this command is not available on those platforms.







Cisco configuration best practices - Standby delay minimum reload not configured

Standby delay minimum reload not configured





Exception: Standby delay minimum reload not configured
Category: IP Applications
OS Type: IOS
Risk: medium
Description: "When configuring HSRP, Cisco recommends using the 'standby delay minimum|reload' command to prevent blackholing of traffic. This allows time for all ports in the VLAN to come up after a reload or module reset. In a subsecond timer scenario, hellos could be lost with CPU busy after reload."
Recommendation: "If the active router fails or is removed from the network, then the standby router will automatically become the new active router. If the former active router comes back online, you can control whether it takes over as the active router by using the standby preempt command.

However, in some cases, even if the standby preempt command is not configured, the former active router will resume the active role after it reloads and comes back online. Use the standby delay minimum reload command to set a delay period for HSRP group initialization. This command allows time for the packets to get through before the router resumes the active role.

We recommend that all HSRP routers have the standby delay minimum reload configured with a minimum delay time of 30 seconds and a minimum reload time of 60 seconds.

The delay will be cancelled if an HSRP packet is received on an interface.

The standby delay minimum reload interface configuration command delays HSRP groups from initializing for the specified time after the interface comes up."
Reference URL: Standby Delay Minimum Reload
Corrective action: Under the interface mode, configure
Router(config)# interface ethernet x/y
Router(config-if)# standby delay minimum 30 reload 60










Cisco configuration best practices - NTP not protected by ACL

NTP not protected by ACL




Exception: NTP not protected by ACL
Category: IP Applications; Security
OS Type: IOS
Risk: medium
Description: In addition to an NTP authentication scheme, NTP can be protected through the use of an access list to further limit access privileges. If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types will be granted.
Corrective action:
access-list 40 permit 1.1.1.5
access-list 40 permit 1.1.1.6
ntp access-group peer 40
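The four NTP rules on this page (NTP enabled without time zone, NTP authentication not enabled, NTP Update Calendar Disabled, and NTP not protected by ACL) can be checked mechanically against a running-config. The Python below is an added example, not code from the blog or from the audit tool the posts quote; the sample configurations are constructed and the function names are this example's own. It goes one step beyond the rules as stated by also flagging an `ntp server` line that does not reference a trusted key, since authentication that no server uses protects nothing.

```python
import re

# Constructed sample configurations for this example (not from any real device).
GOOD_NTP_CONFIG = """\
clock timezone UTC 0
ntp authentication-key 777 md5 <key-placeholder>
ntp authenticate
ntp trusted-key 777
ntp update-calendar
access-list 40 permit 1.1.1.5
access-list 40 permit 1.1.1.6
ntp access-group peer 40
ntp server 10.100.0.1 key 777 prefer
"""

WEAK_NTP_CONFIG = """\
ntp server 10.100.0.1
"""


def config_lines(text):
    """Non-empty, non-comment lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("!")]


def audit_ntp(text):
    """Return the names of the NTP best-practice exceptions found in a running-config."""
    lines = config_lines(text)
    findings = []
    servers = [l for l in lines if l.startswith(("ntp server ", "ntp peer "))]
    if not servers:
        return findings  # NTP is disabled by default; nothing to check

    # Rule: NTP enabled without time zone
    if not any(l.startswith("clock timezone ") for l in lines):
        findings.append("NTP enabled without time zone")

    # Rule: NTP authentication not enabled. Three pieces are needed: a key,
    # 'ntp authenticate', and that key marked trusted; then each server must use it.
    key_ids = {l.split()[2] for l in lines if l.startswith("ntp authentication-key ")}
    trusted = {l.split()[2] for l in lines if l.startswith("ntp trusted-key ")}
    if "ntp authenticate" not in lines or not (key_ids & trusted):
        findings.append("NTP authentication not enabled")
    else:
        for srv in servers:
            m = re.search(r"\bkey (\d+)\b", srv)
            if not m or m.group(1) not in trusted:
                findings.append(f"NTP server without trusted key: {srv}")

    # Rule: NTP Update Calendar Disabled (only meaningful on platforms with a hardware clock)
    if "ntp update-calendar" not in lines:
        findings.append("NTP Update Calendar Disabled")

    # Rule: NTP not protected by ACL. Authentication alone still accepts unauthenticated
    # packets, so 'ntp access-group' is the control that restricts the sources.
    if not any(l.startswith("ntp access-group ") for l in lines):
        findings.append("NTP not protected by ACL")
    return findings
```

Feed it the output of `show running-config`; a device with only `ntp server` configured produces all four findings, and the corrected configuration from the posts above produces none.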










Tuesday, November 5, 2013

Cisco configuration best practices - HSRP Preempt delay not configured

HSRP Preempt delay not configured




Exception: HSRP Preempt delay not configured
Category: IP Applications
OS Type: IOS
Risk: Medium
Description: Traffic may be dropped after the primary Hot Standby Router Protocol (HSRP) router becomes active. When a switch crashes or reloads, the HSRP interface may become active before the uplink interface comes up or before Interior Gateway Protocol (IGP) convergence. The client sends traffic to the primary HSRP router, but the primary HSRP router is not yet able to forward the packet in the L3 domain, so the packet is dropped. After implementing the HSRP preempt delay, the primary HSRP router will not become active before the delay timer expires, so the router is ready in the uplink or L3 domain when it becomes active. Note: Remove the technology from the profile section during rule development and keep only feature rules.
Recommendation: Avoid packet drops after the primary HSRP interface becomes active.
Reference URL: Configuring HSRP
Reference URL: Command Reference
Corrective action: Under the interface .* block, type the following command:

standby group# preempt delay minimum min-seconds

(for example, 'standby 1 preempt delay minimum 180')











Wednesday, October 30, 2013

Cisco configuration best practices - No Redistribution Metrics Defined for EIGRP

No Redistribution Metrics Defined for EIGRP






Exception: No Redistribution Metrics Defined for EIGRP
Category: EIGRP
OS Type: IOS
Risk: Medium
Description: When configuring redistribution into EIGRP, always define the metrics that EIGRP should use with the metric or default-metric keywords. Each protocol uses different metrics, so it is important to define the parameters that EIGRP should use. EIGRP needs five metrics defined when redistributing other protocols: bandwidth, delay, reliability, load, and MTU. The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command during redistribution in these cases.
Recommendation: "For example, when configuring RIP redistribution into EIGRP, add metrics in one of the following two ways:

router eigrp 1
redistribute rip metric 10000 100 255 1 1500

or

router eigrp 1
redistribute rip
default-metric 10000 100 255 1 1500

Note: The values '10000 100 255 1 1500' were used as an example. Other values may be used in your environment. The general formats under EIGRP are:

redistribute <protocol> metric <bandwidth> <delay> <reliability> <load> <mtu>

or

default-metric <bandwidth> <delay> <reliability> <load> <mtu>"

Reference URL: Redistributing Routing Protocols
Corrective action: Define metrics when redistributing into EIGRP with the metric or default-metric keywords.
Caveat: The redistribution of IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so there is no need to define metrics or use the default-metric command during redistribution in these cases.










Cisco configuration best practices - No EIGRP router-id configured

No EIGRP router-id configured





Exception: No EIGRP router-id configured
Category: EIGRP
OS Type: IOS
Risk: Medium
Description: The router ID is set to the IP address of a loopback interface if one is configured. If no loopback interfaces are configured, the router ID is set to the highest IP address configured on a physical interface. To ensure deterministic behavior, the EIGRP router-id should be configured to a chosen address. If a router ID is not set for EIGRP, duplicate router IDs may prevent external EIGRP routes from being installed in the topology table. For deterministic behavior, an EIGRP router ID should be configured on all EIGRP-speaking devices.
Reference URL: Preventing Duplicate Router Ids
Corrective action: Configure the router ID with the "eigrp router-id" command.


Cisco configuration best practices - EIGRP MD5 Disabled on Interface

EIGRP MD5 Disabled on Interface






Exception: EIGRP MD5 Disabled on Interface
Category: EIGRP; Security
OS Type: IOS
Risk: Medium
Description: This rule detects whether EIGRP authentication is configured on an EIGRP-enabled interface.
Recommendation: It is recommended to apply MD5 authentication, which permits the receipt of EIGRP packets only from authorized hosts, on each EIGRP interface.
Reference URL: Configuring EIGRP Route Authentication
Corrective action: Enable EIGRP authentication.
Caveat: In some scenarios, there may be many EIGRP-enabled interfaces that do not have EIGRP neighbors. MD5 authentication is not required in this situation, but the interfaces should be passive.
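The HSRP rules (preempt delay and standby delay minimum reload) and the three EIGRP rules above (redistribution metrics, router-id, and MD5 per interface) all need the running-config split into interface and router blocks, so one added Python example covers them together; it is not code from the blog or from the audit tool the posts quote. The sample config is constructed. Two assumptions are this example's own: an interface counts as EIGRP-enabled when its primary address falls inside one of the process's `network` statements (a bare `network` without wildcard is treated as a single host), and an interface listed as `passive-interface` is exempt from the MD5 rule, matching the caveat above.

```python
import ipaddress
import re

# Constructed running-config fragment for this example (not from any real device).
# Vlan10 and Vlan20 carry HSRP groups; router eigrp 100 covers 10.10.0.0/16.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP_AUTHENTICATION
 standby 2 ip 10.10.20.1
 standby 2 preempt delay minimum 180
 standby delay minimum 30 reload 60
!
interface Vlan30
 ip address 10.10.30.2 255.255.255.0
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 redistribute rip
 passive-interface Vlan30
!
"""


def split_blocks(text):
    """Group an IOS config into (header, [indented sub-lines]) tuples."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_hsrp(text):
    """Flag HSRP interfaces missing 'standby delay minimum ... reload ...' and
    groups missing 'standby <n> preempt delay minimum ...'."""
    findings = []
    for header, body in split_blocks(text):
        groups = {l.split()[1] for l in body if re.match(r"standby \d+ ip\b", l)}
        if not header.startswith("interface ") or not groups:
            continue
        if not any(l.startswith("standby delay minimum ") for l in body):
            findings.append(f"{header}: standby delay minimum reload not configured")
        for g in sorted(groups):
            if not any(l.startswith(f"standby {g} preempt delay minimum ") for l in body):
                findings.append(f"{header}: HSRP group {g} preempt delay not configured")
    return findings


def _eigrp_interfaces(blocks, networks):
    """Assumption: an interface runs EIGRP when its primary address lies inside
    one of the process's 'network' statements. Returns {name: body}."""
    found = {}
    for header, body in blocks:
        if header.startswith("interface "):
            for l in body:
                m = re.match(r"ip address (\S+) (\S+)$", l)
                if m and any(ipaddress.ip_address(m.group(1)) in n for n in networks):
                    found[header.split(" ", 1)[1]] = body
    return found


def audit_eigrp(text):
    """Apply the three EIGRP rules: router-id, redistribution metrics, per-interface MD5."""
    findings = []
    blocks = split_blocks(text)
    for header, body in blocks:
        if not header.startswith("router eigrp "):
            continue
        asn = header.split()[2]
        if not any(l.startswith("eigrp router-id ") for l in body):
            findings.append(f"{header}: no EIGRP router-id configured")
        has_default_metric = any(l.startswith("default-metric ") for l in body)
        for l in body:
            # Redistributing a non-EIGRP protocol needs 'metric ...' or a 'default-metric'.
            if (l.startswith("redistribute ") and not l.startswith("redistribute eigrp")
                    and " metric " not in l and not has_default_metric):
                findings.append(f"{header}: no redistribution metrics defined ({l})")
        networks = []
        for l in body:
            m = re.match(r"network (\S+)(?: (\S+))?$", l)
            if m:  # wildcard given as a hostmask; a bare 'network' is treated as one host
                networks.append(ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2) or '255.255.255.255'}", strict=False))
        passive = {l.split()[1] for l in body if l.startswith("passive-interface ")}
        for iface, ibody in _eigrp_interfaces(blocks, networks).items():
            if iface not in passive and f"ip authentication mode eigrp {asn} md5" not in ibody:
                findings.append(f"interface {iface}: EIGRP MD5 disabled on interface")
    return findings
```

On the sample, Vlan10 trips both HSRP rules and the MD5 rule, Vlan20 is clean, Vlan30 is exempt because it is passive, and the EIGRP process is flagged for the missing router-id and the metric-less `redistribute rip`.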