Integrating scenario for CCNA 4 topics
Date: 17 November 2012
Scenario (available at ftp.vilarrasa.com.ar, user/pass: ccna)
Key parts of the solution
Replace the DHCP-Server - Telecom-Rosario cable with a crossover cable.
We cannot log into the MPLS cloud, so:
Inter_Vlan#sh cdp nei det (we look for it with CDP, a CCNA 2 topic)
Device ID: MPLS
Entry address(es):
IP address : 172.16.0.1
Platform: cisco C1841, Capabilities: Router
Interface: Serial0/0/0, Port ID (outgoing port): Serial0/0/0
Holdtime: 173
Version :
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
advertisement version: 2
Duplex: full
Inter_Vlan#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Inter_Vlan(config)#int s0/0/0
Inter_Vlan(config-if)#ip add 172.16.0.2 255.255.255.0 (we configure the nearest IP, in case the mask is a /30)
Inter_Vlan(config-if)#exit
Inter_Vlan(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
Inter_Vlan#
Inter_Vlan#172.16.0.1 (we log in via Telnet)
Trying 172.16.0.1 ...Open
User Access Verification
Password: (cisco)
MPLS>ena
Password: (class)
MPLS#sh runn
Building configuration...
Current configuration : 791 bytes
!
---abridged---
!
interface Serial0/0/0
ip address 172.16.0.1 255.255.255.252
clock rate 4000000
!
interface Serial0/0/1
ip address 10.0.0.5 255.255.255.252
clock rate 4000000
!
---abridged---
!
router eigrp 100
network 10.0.0.0 0.0.0.3 (note the misconfigured network statement)
network 172.16.0.0 0.0.0.3
no auto-summary
!
---abridged---
!
end
MPLS#
MPLS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MPLS(config)#router eigrp 100
MPLS(config-router)#no network 10.0.0.0 0.0.0.3
MPLS(config-router)#network 10.0.0.4 0.0.0.3
MPLS(config-router)#^Z
MPLS#wri
Building configuration...
[OK]
MPLS#exit
[Connection to 172.16.0.1 closed by foreign host]
Inter_Vlan#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Inter_Vlan(config)#interface Serial0/0/0
Inter_Vlan(config-if)#ip address 172.16.0.2 255.255.255.252
Inter_Vlan(config-if)#exit
Inter_Vlan(config)#
Inter_Vlan(config)#router eigrp 100
Inter_Vlan(config-router)#net 172.16.0.0 0.0.0.3
Inter_Vlan(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.0.1 (Serial0/0/0) is up: new adjacency
Device configurations
DHCP server#sh runn
Building configuration...
Current configuration : 834 bytes
!
version 12.4
!
hostname "DHCP server"
!
ip dhcp pool VLAN100
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
ip dhcp pool VLAN200
network 10.0.200.0 255.255.255.0
default-router 10.0.200.1
!
interface FastEthernet0/0
ip address 192.168.10.30 255.255.255.224
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.31 area 0
network 192.168.1.0 0.0.0.3 area 0
!
ip classless
!
end
DHCP server#
Inter_Vlan#sh runn
Building configuration...
!
hostname Inter_Vlan
!
interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.252
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.0.1.254 255.255.255.0
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address 10.0.100.1 255.255.255.0
ip helper-address 192.168.10.30
ip access-group 100 in
!
interface FastEthernet0/1.200
encapsulation dot1Q 200
ip address 10.0.200.1 255.255.255.0
ip helper-address 192.168.10.30
ip access-group 101 in
!
interface Serial0/0/0
ip address 172.16.0.2 255.255.255.252
!
router eigrp 100
network 172.16.0.0 0.0.0.3
network 10.0.100.0 0.0.0.255
network 10.0.200.0 0.0.0.255
no auto-summary
!
router ospf 1
log-adjacency-changes
network 10.0.100.0 0.0.0.255 area 0
network 10.0.200.0 0.0.0.255 area 0
network 192.168.0.0 0.0.0.3 area 0
network 10.0.1.0 0.0.0.255 area 0
!
ip classless
!
!
access-list 100 deny ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
access-list 100 permit udp any any eq bootps
access-list 100 permit ip any any
access-list 101 deny ip 10.0.200.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit udp any any eq bootps
access-list 101 permit ip any any
!
logging trap debugging
logging 192.168.10.1
line con 0
line vty 0 4
login
!
!
!
end
Inter_Vlan#
Switch1#sh runn
Building configuration...
Current configuration : 1189 bytes
!
hostname Switch1
!
!
spanning-tree mode rapid-pvst
!
!
interface FastEthernet0/24
switchport mode trunk
!
interface GigabitEthernet1/1
switchport mode trunk
!
interface GigabitEthernet1/2
switchport mode trunk
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
ip default-gateway 10.0.1.254
!
logging trap debugging
logging 192.168.10.1
!
end
Switch1#
Switch2#sh runn
Building configuration...
Current configuration : 1775 bytes
!
hostname Switch2
!
!
spanning-tree mode rapid-pvst
!
!
interface FastEthernet0/4
switchport access vlan 200
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/1
switchport mode trunk
!
interface GigabitEthernet1/2
switchport mode trunk
!
interface Vlan1
ip address 10.0.1.2 255.255.255.0
!
ip default-gateway 10.0.1.254
!
logging trap debugging
logging 192.168.10.1
!
end
Switch2#
Switch3#sh runn
Building configuration...
Current configuration : 1143 bytes
!
hostname Switch3
!
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/1
switchport mode trunk
!
interface GigabitEthernet1/2
switchport mode trunk
!
interface Vlan1
ip address 10.0.1.3 255.255.255.0
!
ip default-gateway 10.0.1.254
!
logging trap debugging
logging 192.168.10.1
!
end
Switch3#
Telecom_Rosario#sh runn
Building configuration...
Current configuration : 899 bytes
!
version 12.4
!
hostname Telecom_Rosario
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.1.2 255.255.255.252
!
interface Serial0/0/0
bandwidth 512
ip address 192.168.0.5 255.255.255.252
encapsulation frame-relay
ip ospf network broadcast
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.3 area 0
network 192.168.0.0 0.0.0.3 area 0
network 192.168.0.4 0.0.0.3 area 0
!
ip classless
!
logging trap debugging
logging 192.168.10.1
line con 0
line vty 0 4
login
!
end
Telecom-BsAs#sh runn
Building configuration...
Current configuration : 942 bytes
!
hostname Telecom-BsAs
!
username Borde password 0 Ci5c0
!
interface Serial0/0/0
bandwidth 512
ip address 192.168.0.6 255.255.255.252
encapsulation frame-relay
ip ospf network broadcast
!
interface Serial0/0/1
ip address 192.168.0.9 255.255.255.252
encapsulation ppp
ppp authentication chap
clock rate 125000
!
router ospf 1
log-adjacency-changes
network 192.168.0.4 0.0.0.3 area 0
network 192.168.0.8 0.0.0.3 area 0
!
ip classless
!
logging trap debugging
logging 192.168.10.1
!
end
Borde#sh runn
Building configuration...
Current configuration : 1284 bytes
!
hostname Borde
!
username Telecom-BsAs password 0 Ci5c0
!
interface FastEthernet0/1
ip address 200.0.0.1 255.255.255.248
ip access-group 100 in
ip nat outside
!
interface Serial0/0/0
ip address 10.0.0.6 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 192.168.0.10 255.255.255.252
encapsulation ppp
ppp authentication chap
ip nat inside
!
router eigrp 100
redistribute static
network 10.0.0.4 0.0.0.3
no auto-summary
!
router ospf 1
log-adjacency-changes
network 192.168.0.8 0.0.0.3 area 0
default-information originate
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.6
!
!
access-list 1 permit 10.0.100.0 0.0.0.255
access-list 1 permit 10.0.200.0 0.0.0.255
access-list 100 deny icmp host 200.0.0.5 host 200.0.0.1
access-list 100 permit ip any any
!
logging trap debugging
logging 192.168.10.1
!
end
MPLS#sh runn
Building configuration...
Current configuration : 791 bytes
!
hostname MPLS
!
interface Serial0/0/0
ip address 172.16.0.1 255.255.255.252
clock rate 4000000
!
interface Serial0/0/1
ip address 10.0.0.5 255.255.255.252
clock rate 4000000
!
router eigrp 100
network 172.16.0.0 0.0.0.3
network 10.0.0.4 0.0.0.3
no auto-summary
!
ip classless
!
end
Scenario tests
Telecom_Rosario#sh frame-relay map
Serial0/0/0 (up): ip 192.168.0.6 dlci 100, dynamic, broadcast, CISCO, status defined, active
Telecom_Rosario#
Telecom-BsAs#sh frame-relay map
Serial0/0/0 (up): ip 192.168.0.5 dlci 200, dynamic, broadcast, CISCO, status defined, active
Telecom-BsAs#
PC>ipconfig (Joe the hacker cannot reach 200.0.0.1, but everyone else can)
IP Address......................: 200.0.0.5
Subnet Mask.....................: 255.255.255.248
Default Gateway.................: 0.0.0.0
PC>ping 200.0.0.1
Pinging 200.0.0.1 with 32 bytes of data:
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Ping statistics for 200.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
SERVER>ipconfig
IP Address......................: 200.0.0.6
Subnet Mask.....................: 255.255.255.248
Default Gateway.................: 0.0.0.0
SERVER>ping 200.0.0.1
Pinging 200.0.0.1 with 32 bytes of data:
Reply from 200.0.0.1: bytes=32 time=63ms TTL=255
Reply from 200.0.0.1: bytes=32 time=49ms TTL=255
Reply from 200.0.0.1: bytes=32 time=62ms TTL=255
Reply from 200.0.0.1: bytes=32 time=34ms TTL=255
Ping statistics for 200.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 63ms, Average = 52ms
SERVER>
Borde#sh access-lists
Standard IP access list 1
permit 10.0.100.0 0.0.0.255 (34 match(es)) (PAT)
permit 10.0.200.0 0.0.0.255 (8 match(es)) (PAT)
Extended IP access list 100
deny icmp host 200.0.0.5 host 200.0.0.1 (4 match(es))
permit ip any any (11 match(es)) (return traffic included)
Borde#
Borde#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  200.0.0.1:1027     10.0.100.2:1027    200.0.0.6:80       200.0.0.6:80
tcp  200.0.0.1:1028     10.0.100.2:1028    200.0.0.6:80       200.0.0.6:80
tcp  200.0.0.1:1029     10.0.100.2:1029    200.0.0.6:80       200.0.0.6:80
Borde#
DHCP server#sh ip dhcp bind (DHCP test)
IP address    Client-ID/         Lease expiration    Type
              Hardware address
10.0.100.2    0002.16EC.D811     --                  Automatic
10.0.200.2    0002.17D0.34A6     --                  Automatic
DHCP server#
PC>ipconfig (VLAN 200 cannot reach VLAN 100 but reaches everything else)
IP Address......................: 10.0.200.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.200.1
PC>ping 200.0.0.6 (internet)
Pinging 200.0.0.6 with 32 bytes of data:
Reply from 200.0.0.6: bytes=32 time=343ms TTL=124
Reply from 200.0.0.6: bytes=32 time=250ms TTL=124
Reply from 200.0.0.6: bytes=32 time=222ms TTL=124
Reply from 200.0.0.6: bytes=32 time=250ms TTL=124
Ping statistics for 200.0.0.6:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 222ms, Maximum = 343ms, Average = 266ms
PC>ping 10.0.100.2 (VLAN 100)
Pinging 10.0.100.2 with 32 bytes of data:
Reply from 10.0.200.1: Destination host unreachable.
Reply from 10.0.200.1: Destination host unreachable.
Reply from 10.0.200.1: Destination host unreachable.
Reply from 10.0.200.1: Destination host unreachable.
Ping statistics for 10.0.100.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
Inter_Vlan#sh access-lists
Extended IP access list 100
deny ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255 (4 match(es))
permit udp any any eq bootps (3 match(es)) (to verify DHCP)
permit ip any any (10 match(es))
Extended IP access list 101
deny ip 10.0.200.0 0.0.0.255 10.0.100.0 0.0.0.255 (4 match(es))
permit udp any any eq bootps (3 match(es)) (to verify DHCP)
permit ip any any (4 match(es))
Inter_Vlan#
Spanning-tree tests
Contingency tests via MPLS
Inter_Vlan#sh ip route (before the Frame Relay outage)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D       10.0.0.4/30 [90/2681856] via 172.16.0.1, 00:13:00, Serial0/0/0 (MPLS-Borde segment)
C       10.0.100.0/24 is directly connected, FastEthernet0/1.100 (VLAN 100)
C       10.0.200.0/24 is directly connected, FastEthernet0/1.200 (VLAN 200)
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.0.0/30 is directly connected, Serial0/0/0 (segment toward MPLS)
     192.168.0.0/30 is subnetted, 3 subnets
C       192.168.0.0 is directly connected, FastEthernet0/0 (segment toward Telecom-Rosario)
O       192.168.0.4 [110/196] via 192.168.0.1, 00:00:17, FastEthernet0/0 (Frame-Relay segment)
O       192.168.0.8 [110/260] via 192.168.0.1, 00:00:17, FastEthernet0/0 (PPP segment)
     192.168.1.0/30 is subnetted, 1 subnets
O       192.168.1.0 [110/2] via 192.168.0.1, 00:30:20, FastEthernet0/0 (Telecom-Rosario-DHCP segment)
     192.168.10.0/27 is subnetted, 1 subnets
O       192.168.10.0 [110/3] via 192.168.0.1, 00:30:20, FastEthernet0/0 (Syslog network)
O*E2 0.0.0.0/0 [110/1] via 192.168.0.1, 00:09:24, FastEthernet0/0 (see the EIGRP AD further below)
Inter_Vlan#sh ip route (after the Frame Relay outage)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.16.0.1 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D       10.0.0.0/8 is a summary, 00:34:14, Null0
D       10.0.0.4/30 [90/2681856] via 172.16.0.1, 00:14:08, Serial0/0/0
C       10.0.100.0/24 is directly connected, FastEthernet0/1.100
C       10.0.200.0/24 is directly connected, FastEthernet0/1.200
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:34:14, Null0
C       172.16.0.0/30 is directly connected, Serial0/0/0
     192.168.0.0/30 is subnetted, 1 subnets
C       192.168.0.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
O       192.168.1.0 [110/2] via 192.168.0.1, 00:31:28, FastEthernet0/0
     192.168.10.0/27 is subnetted, 1 subnets
O       192.168.10.0 [110/3] via 192.168.0.1, 00:31:28, FastEthernet0/0
D*EX 0.0.0.0/0 [170/2707456] via 172.16.0.1, 00:10:22, Serial0/0/0 (note AD 170 versus OSPF's 110)
Inter_Vlan#
Switch1#sh vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : CCNA4
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xCE 0x6D 0x67 0x5B 0x98 0x67 0xFF 0x1B
Configuration last modified by 0.0.0.0 at 3-1-93 00:19:39
Local updater ID is 10.0.1.1 on interface Vl1 (lowest numbered VLAN interface found)
Switch1#
Switch2#sh vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : CCNA4
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xCE 0x6D 0x67 0x5B 0x98 0x67 0xFF 0x1B
Configuration last modified by 0.0.0.0 at 3-1-93 00:19:39
Switch2#
Switch3#sh vtp stat
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : CCNA4
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xCE 0x6D 0x67 0x5B 0x98 0x67 0xFF 0x1B
Configuration last modified by 0.0.0.0 at 3-1-93 00:19:39
Switch3#
Bug discovered by Luciano Lator (student in the CCNA 4 class)
SERVER>ipconfig
IP Address......................: 200.0.0.6
Subnet Mask.....................: 255.255.255.248
Default Gateway.................: 200.0.0.1
SERVER>ping 10.0.100.1 (it should be hidden behind the NAT)
Pinging 10.0.100.1 with 32 bytes of data:
Reply from 200.0.0.1: bytes=32 time=156ms TTL=252 (it replies!!!)
Reply from 200.0.0.1: bytes=32 time=127ms TTL=252
Reply from 200.0.0.1: bytes=32 time=142ms TTL=252
Borde#debug ip nat
IP NAT debugging is on
NAT: s=10.0.100.1->200.0.0.1, d=200.0.0.6 [571] (it only shows the Inside-to-Outside translations)
NAT: s=10.0.100.1->200.0.0.1, d=200.0.0.6 [574]
NAT: s=10.0.100.1->200.0.0.1, d=200.0.0.6 [575]
NAT: s=10.0.100.1->200.0.0.1, d=200.0.0.6 [577]
Borde#conf t (we implement a "homemade" solution; this is not an anti-spoofing list, since 10.x.x.x should be the source and not the destination)
Enter configuration commands, one per line. End with CNTL/Z.
Borde(config)#no access-list 100
Borde(config)#access-list 100 deny icmp host 200.0.0.5 host 200.0.0.1
Borde(config)#access-list 100 deny ip any 10.0.0.0 0.255.255.255
Borde(config)#access-list 100 deny ip any 172.16.0.0 0.31.255.255
Borde(config)#access-list 100 deny ip any 192.168.0.0 0.0.255.255
Borde(config)#access-list 100 permit ip any any
Borde(config)#^Z
Borde#
SERVER>ping 10.0.100.1 (we verify)
Pinging 10.0.100.1 with 32 bytes of data:
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Reply from 200.0.0.1: Destination host unreachable.
Ping statistics for 10.0.100.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
SERVER>
Borde#sh access-lists (we verify on the router)
Standard IP access list 1
permit 10.0.100.0 0.0.0.255 (32 match(es))
permit 10.0.200.0 0.0.0.255
Extended IP access list 100
deny icmp host 200.0.0.5 host 200.0.0.1
deny ip any 10.0.0.0 0.255.255.255 (4 match(es))
deny ip any 172.0.0.0 0.31.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
Borde#
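To check the lists above the way the router does, here is an added Python evaluator (example code, not part of the write-up) that implements IOS wildcard matching and first-match ACL evaluation over Borde's rebuilt list 100 and, through the same parser, the inter-VLAN lists 100/101 on Inter_Vlan. It reproduces why 'show access-lists' displays the 172.16.0.0 0.31.255.255 entry as 172.0.0.0, and confirms the author's caveat that this list does not reject an outside packet carrying an internal source; the function names, PORT_NAMES and the source-based ANTISPOOF list are this example's own assumptions, not from the page.

```python
import ipaddress
PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80}  # names IOS accepts after 'eq'
_int = lambda addr: int(ipaddress.IPv4Address(addr))  # dotted quad -> 32-bit int

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: wildcard bits set to 1 are 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def normalize(base, wildcard):
    """Clear the address bits under the wildcard, as IOS does when it stores an entry
    (this is why 172.16.0.0 0.31.255.255 is displayed as 172.0.0.0 0.31.255.255)."""
    return str(ipaddress.IPv4Address(_int(base) & ~_int(wildcard) & 0xFFFFFFFF))

def _parse_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((base, wc), rest)."""
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def parse_ace(line):
    """Parse one extended ACE, with or without the 'access-list N' prefix."""
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t
    action, proto = t[0], t[1]
    src, t = _parse_addr(t[2:])
    dst, t = _parse_addr(t)
    dport = (PORT_NAMES.get(t[1]) or int(t[1])) if len(t) >= 2 and t[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; the implicit 'deny any' applies if nothing matches."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# Borde's list 100 exactly as typed in the write-up (applied inbound on the outside interface).
# Note: 0.31.255.255 spans 172.0.0.0/11; RFC 1918's 172.16.0.0/12 would need 0.15.255.255.
BORDE_100 = [parse_ace(l) for l in (
    "access-list 100 deny icmp host 200.0.0.5 host 200.0.0.1",
    "access-list 100 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 100 deny ip any 172.16.0.0 0.31.255.255",
    "access-list 100 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 100 permit ip any any")]
# Source-based variant (an assumption of this example, not from the write-up): the check the
# author says a real anti-spoofing list needs, rejecting outside packets with an internal source.
ANTISPOOF = [parse_ace(l) for l in (
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any", "permit ip any any")]
```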
(2012) Burning minds with networking
Rosario, Argentina