Date: August 25, 2011 Instructor: Ernesto Vilarrasa
with an OSPF cost of 782;
after the packet injection the cost decreases because of the higher bandwidth via the LAN (two 100 Mbps segments to reach the false destination).
Obviously this network, since it does not really exist, becomes unreachable for the hosts, even though it appears in the routing table.
ACA#show runn
Building configuration...
!
hostname ACA
!
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 192.168.0.3
!
ip dhcp pool POOL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in (binds the ACL to this interface)
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 clave
 clock rate 125000
!
interface Serial0/0/1
 ip address 10.0.0.5 255.255.255.252
 ip ospf message-digest-key 1 md5 clave
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface FastEthernet0/1 (does not advertise out of this interface, i.e. if we connect a sniffer to the network we capture no routing-protocol traffic, but this interface IS still included in the routing)
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
access-list 100 deny ospf any any (denies inbound OSPF traffic; this is an end segment, PCs only)
access-list 100 permit ip any any (permits the rest; it can also be made more specific)
!
end
ACA#show ip route
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0/0
C       10.0.0.4 is directly connected, Serial0/0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/1
O    192.168.1.0/24 [110/782] via 10.0.0.6, 00:15:16, Serial0/0/1
                    [110/782] via 10.0.0.2, 00:15:16, Serial0/0/0
(equal-cost load balancing; formula: 10^8/1544000 [BW bps])
ACA#show access-lists
Extended IP access list 100
    10 deny ospf any any (142 matches) (denies OSPF traffic arriving via the local network)
    20 permit ip any any (99 matches)
Note: The area authentication command in the configuration enables authentication for all the interfaces of the router in a particular area.
You can also use the ip ospf authentication command under the interface to configure plain text authentication for the interface.
This command can be used if a different authentication method or no authentication method is configured under the area to which the interface belongs.
It overrides the authentication method configured for the area. This is useful if different interfaces that belong to the same area need to use different
authentication methods.
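
An added example, not part of the original handout or of Cisco's documentation: a small Python audit of a running-config that flags interfaces covered by an OSPF network statement that are neither passive nor protected by MD5 authentication with a key, the two controls applied on router ACA above. The sample configuration is constructed, the function names parse and audit are hypothetical, and only contiguous wildcard masks and static interface addresses are handled.

```python
import ipaddress
import re

# Constructed sample modelled on router ACA; Serial0/0/1 has no key on purpose.
SAMPLE = """\
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 clave
interface Serial0/0/1
 ip address 10.0.0.5 255.255.255.252
router ospf 1
 area 0 authentication message-digest
 passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0
"""

def parse(config):
    """Group indented sub-commands under their section header line."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = sections.setdefault(line.strip(), [])
    return sections

def audit(config):
    """List OSPF-speaking interfaces that lack MD5 protection (assumes contiguous wildcards)."""
    sections = parse(config)
    ospf = [c for h, cmds in sections.items() if h.startswith("router ospf") for c in cmds]
    passive = {c.split()[1] for c in ospf if c.startswith("passive-interface ")}
    md5_areas = {m[1] for c in ospf if (m := re.fullmatch(r"area (\S+) authentication message-digest", c))}
    # ip_network() accepts a host (wildcard) mask such as 0.0.0.3 after the slash
    nets = [(ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3])
            for c in ospf if (m := re.fullmatch(r"network (\S+) (\S+) area (\S+)", c))]
    findings = []
    for header, cmds in sections.items():
        name = header.split()[-1]
        addr = next((c.split()[2] for c in cmds if c.startswith("ip address ")), None)
        area = next((a for n, a in nets if addr and ipaddress.ip_address(addr) in n), None)
        if not header.startswith("interface ") or area is None or name in passive or "shutdown" in cmds:
            continue  # not an OSPF interface, or passive/down: no adjacency can form here
        if area not in md5_areas and "ip ospf authentication message-digest" not in cmds:
            findings.append((name, "OSPF active without MD5 authentication"))
        elif not any(c.startswith("ip ospf message-digest-key ") for c in cmds):
            findings.append((name, "MD5 required but no message-digest-key set"))
    return findings
```

Calling audit(SAMPLE) reports only Serial0/0/1; removing the passive-interface line makes the LAN interface appear as well, which is the exposure the handout closes with passive-interface and ACL 100.
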
Caution: When EIGRP message authentication is added to the interface of a router, that router stops receiving routing messages from its peers until
they are also configured for message authentication. This does interrupt routing communications on your network.
Router#configure terminal
Router(config)#key chain EIGRPSECURE
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string securetraffic
Router(config-keychain-key)#exit
Router(config)#router eigrp 100
Router(config-router)#network 192.168.1.0 0.0.0.3
Router(config-router)#passive-interface fastEthernet 0/0
Router(config-router)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.252
Router(config-if)#ip authentication mode eigrp 100 md5
Router(config-if)#ip authentication key-chain eigrp 100 EIGRPSECURE
Router(config-if)#exit
Router#
Router#debug eigrp packets
17:43:43: EIGRP: ignored packet from 192.168.1.1 (invalid authentication)
17:43:45: EIGRP: ignored packet from 192.168.1.1 (invalid authentication)
Source: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml
(2011) Ernesto Vilarrasa