Router>enable
Router#
Router#conf t
Router(config)#ip route network_address subnet_mask next_hop_address
Router(config)#interface network_interface
Router(config-if)#ip address interface_address interface_mask
Router(config-if)#no shutdown
Router(config-if)#clock rate #####
Router(config-if)#ipv6 address interface_address/network_prefix
Router(config)#hostname new_router_name
Router(config)#banner motd #operator_message#
Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config)#line vty 0 4
Router(config)#enable secret class
Router(config)#service password-encryption
Router# sh run
Router#sh ip route
Router#sh ipv6 route
Router#sh ip interface brief
DHCP CONFIGURATION
Router(config)#ip dhcp pool address_pool_name
Router(dhcp-config)#network network_address subnet_mask
Router(dhcp-config)#default-router router_ip_address
Router(dhcp-config)#dns-server dns_address
Router(dhcp-config)#domain-name network_domain_name
Router(config)#ip dhcp excluded-address lowest_address highest_address
Router(config)#ip dhcp excluded-address address_to_exclude
Router#sh ip dhcp binding
Router(config)#ipv6 unicast-routing
Router(config)#ipv6 dhcp pool address_pool_name
Router(config-dhcpv6)#dns-server ip_address
Router(config-dhcpv6)#domain-name name
Router(config)#interface dhcpv6_outgoing_interface
Router(config-if)#ipv6 dhcp server address_pool_name
TASKS
Task 1. Configure a standard ACL to deny access from any host on LAN1 to LAN3.
Task 2. Configure an extended IPv4 ACL to allow FTP connections from every host on LAN2 to LAN1 and deny any other traffic
from LAN1 to any network, except telnet connections from PC3 to PC5 and also except web surfing.
Task 3. Deny any attempted IPv4 TFTP transfer from any PC on LAN1, except PC1, to any network and allow all other types of
IPv4 traffic.
Task 4. Deny any IPv6 traffic from LAN1 to LAN2, except SMTP traffic when it is directed to PC2.
Task 1 resolution:
(Configure a standard ACL to deny the access from any host on LAN1 to LAN3)
o Using a numbered ACL:
The numbered standard IPv4 ACL that performs the packet filtering required in task 1 must be configured on Router2
(remember the rule: place a standard ACL as close as possible to the destination network).
The first statement must be the one denying the packets coming from LAN1:
Router2(config)#access-list 1 deny 172.16.1.0 0.0.0.255
Then a statement that permits all other traffic must be included:
Router2(config)#access-list 1 permit any
(Without this statement, the implicit deny any placed at the end of every ACL would also deny any packet
coming from any other network trying to reach LAN3)
Then the ACL must be applied to interface Fa0/0 on Router2 (as close as possible to the destination network):
Router2(config)#interface f0/0
Router2(config-if)#ip access-group 1 out
(Notice the ACL is set to filter outbound traffic. This is right because a packet going towards LAN3 is actually leaving
through F0/0 from the perspective of Router2)
o Using a named ACL:
The first step is to declare the standard named ACL and then enter the corresponding ACL statements. Let's
use the name TASK1 for the ACL:
Router2(config)#ip access-list standard TASK1
Router2(config-std-nacl)# deny 172.16.1.0 0.0.0.255
Router2(config-std-nacl)# permit any
Then the ACL can be applied to Fa0/0 on Router2 using the commands:
Router2(config)#interface f0/0
Router2(config-if)#ip access-group TASK1 out
Task 2 resolution:
(Configure an extended IPv4 ACL to allow FTP connections from every host on LAN2 to LAN1 and deny any other traffic from
LAN1 to any network, except telnet connections from PC3 to PC5 and also except web surfing)
o Using a numbered ACL:
The numbered extended IPv4 ACL that performs the packet filtering required in task 2 must be configured on Router1
(according to the rule: place an extended ACL as close as possible to the source network).
The first statements must be those performing the most specific traffic filtering (according to the ACL creation rule:
ACL statements must be ordered from the most specific to the most general match):
Router1(config)#access-list 100 permit tcp 172.16.2.0 0.0.0.127 172.16.1.0 0.0.0.255 eq 20
Router1(config)#access-list 100 permit tcp 172.16.2.0 0.0.0.127 172.16.1.0 0.0.0.255 eq 21
(Notice that ports 20 and 21 must both be permitted because both correspond to the FTP service. The operator eq means "equal to")
Router1(config)#access-list 100 permit tcp host 172.16.2.3 host 172.16.2.135 eq telnet
(The protocol name, telnet, can also be used instead of the corresponding port, 23)
Router1(config)#access-list 100 permit tcp 172.16.2.0 0.0.0.127 any eq 80
(That's all: there's no need to deny any other traffic because of the implicit deny ip any any at the end of
this extended ACL)
Then the ACL must be applied to interface Fa0/0 on Router1 (as close as possible to the source network):
Router1(config)#interface f0/0
Router1(config-if)#ip access-group 100 in
(Notice the ACL is set to filter inbound traffic, that is, traffic entering through interface F0/0. This is right because a packet
leaving LAN2 is actually entering interface F0/0 from the perspective of Router1)
o Using a named ACL:
Task 3 resolution:
(Deny any attempted IPv4 TFTP transfer from any PC on LAN1, except PC1, to any network and allow all other types of IPv4
traffic for LAN1).
o Using a numbered ACL:
The numbered extended IPv4 ACL that performs the packet filtering required in task 3 must be configured on Router0
(according to the rule: place an extended ACL as close as possible to the source network).
Router0(config)#access-list 101 permit udp host 172.16.1.2 any eq tftp
Router0(config)#access-list 101 deny udp 172.16.1.0 0.0.0.255 any eq 69
Router0(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 any
(Notice that this time the statements referring to tftp specify udp as the transport protocol, which is correct since tftp uses udp
instead of tcp)
(The last statement of the ACL allows all other traffic from LAN1 to any network, as required by the task. Without this
statement, the implicit deny ip any any would deny all packets)
Router0(config)#interface f0/0
Router0(config-if)#ip access-group 101 in
o Using a named ACL:
Router0(config)#ip access-list extended TASK3
Router0(config-ext-nacl)# permit udp host 172.16.1.2 any eq tftp
Router0(config-ext-nacl)# deny udp 172.16.1.0 0.0.0.255 any eq 69
Router0(config-ext-nacl)# permit ip 172.16.1.0 0.0.0.255 any
Router0(config)#interface f0/0
Router0(config-if)#ip access-group TASK3 in
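The ordering rule and the implicit deny used in tasks 1 to 3 can be checked with a small first-match evaluator. This is an added example, not part of the original notes: it models only the three Task 3 statements (source, protocol and destination port), and the sample packets and the MISORDERED list are constructed.

```python
import ipaddress

# ACL 101 from Task 3, modelled as (action, protocol, source, wildcard, dst port).
# The destination is "any" in every statement, so it is left out of the model.
ACL_101 = [
    ("permit", "udp", "172.16.1.2", "0.0.0.0", 69),      # host 172.16.1.2 any eq tftp
    ("deny", "udp", "172.16.1.0", "0.0.0.255", 69),      # LAN1 any eq 69
    ("permit", "ip", "172.16.1.0", "0.0.0.255", None),   # all other LAN1 traffic
]
# Same statements with the first two swapped (constructed, to show the ordering rule).
MISORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = this bit must match, wildcard bit 1 = ignore this bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl, proto, src, dport=None):
    """Return (action, statement number) for the first statement that matches."""
    for number, (action, a_proto, base, wildcard, a_port) in enumerate(acl, 1):
        if a_proto not in ("ip", proto):
            continue                      # "ip" matches every IPv4 protocol
        if not wildcard_match(src, base, wildcard):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, number             # first match wins, evaluation stops
    return "deny", None                   # implicit "deny ip any any"


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source address, destination port).
    packets = [("udp", "172.16.1.2", 69), ("udp", "172.16.1.7", 69),
               ("tcp", "172.16.1.7", 80), ("tcp", "172.16.2.3", 80)]
    for name, acl in (("ACL 101", ACL_101), ("misordered", MISORDERED)):
        for pkt in packets:
            print(name, pkt, "->", evaluate(acl, *pkt))
```

With the statements in the order given in the task, the host 172.16.1.2 keeps tftp; with the first two swapped, the broader deny matches first and that host loses it.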
Task 4 resolution:
(Deny any IPv6 traffic from LAN 1 to LAN2, except smtp traffic when it is directed to PC2)
Router0(config)#ipv6 access-list TASK4
Router0(config-ipv6-acl)# permit tcp ABCD::/120 host ABCD::102 eq smtp
Router0(config-ipv6-acl)# deny ipv6 ABCD::/120 ABCD::100/121
Router0(config-ipv6-acl)# permit ipv6 any any
(The task does not specify any other traffic denial, hence the need for the last statement)
Router0(config)#interface f0/0
Router0(config-if)#ipv6 traffic-filter TASK4 in
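An ACL only filters when the name or number bound to the interface is the one that was defined: IOS accepts an ip access-group that references an ACL that was never defined, and then passes all packets on that interface. The following check is an added example, not part of the original notes; the configuration fragment is constructed and the function name unbound_references is an assumption of this example.

```python
import re

# Constructed running-config fragment (not from a real device): ACL 100 is
# defined, but FastEthernet0/0 binds ACL 1 and Serial0/0/0 binds TASK5,
# neither of which exists.
SAMPLE_CONFIG = """\
access-list 100 permit tcp 172.16.2.0 0.0.0.127 172.16.1.0 0.0.0.255 eq 21
access-list 100 permit tcp 172.16.2.0 0.0.0.127 any eq 80
ip access-list extended TASK3
 permit udp host 172.16.1.2 any eq tftp
ipv6 access-list TASK4
 permit ipv6 any any
interface FastEthernet0/0
 ip access-group 1 in
interface FastEthernet0/1
 ip access-group TASK3 in
 ipv6 traffic-filter TASK4 in
interface Serial0/0/0
 ipv6 traffic-filter TASK5 out
"""

# Lines that define an ACL, and lines that bind one to an interface.
DEFINE = [
    (re.compile(r"^access-list (\d+) "), "ip"),
    (re.compile(r"^ip access-list (?:standard|extended) (\S+)"), "ip"),
    (re.compile(r"^ipv6 access-list (\S+)"), "ipv6"),
]
BIND = [
    (re.compile(r"^ip access-group (\S+) (in|out)"), "ip"),
    (re.compile(r"^ipv6 traffic-filter (\S+) (in|out)"), "ipv6"),
]


def unbound_references(config):
    """Return (interface, family, acl, direction) for bindings to undefined ACLs."""
    defined, bindings, iface = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        for rx, family in DEFINE:
            m = rx.match(line)
            if m:
                defined.add((family, m.group(1)))
        for rx, family in BIND:
            m = rx.match(line)
            if m:
                bindings.append((iface, family, m.group(1), m.group(2)))
    return [b for b in bindings if (b[1], b[2]) not in defined]
```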
Static NAT configuration
Router(config)#ip nat inside source static local_IP global_IP
Router(config)#interface network_interface //connection to the private network
Router(config-if)#ip nat inside
Router(config)#interface network_interface //outbound connection of the network
Router(config-if)#ip nat outside
Router(config)#ip nat inside source static 192.168.1.1 200.100.15.1
Router(config)#interface Fa 0/0
Router(config-if)#ip nat inside
Router(config)#interface se 0/0/0
Router(config-if)#ip nat outside
Dynamic NAT configuration
Router(config)#ip nat pool name first_IP last_IP netmask subnet_mask
Router(config)#access-list number(1-99) permit IP_address wildcard
Router(config)#ip nat inside source list ACL_number pool name
Router(config)#interface network_interface //connection to the private network
Router(config-if)#ip nat inside
Router(config)#interface network_interface //outbound connection of the network
Router(config-if)#ip nat outside
First, let's declare our pool and name it one:
Router(config)# ip nat pool one 200.100.15.1 200.100.15.10 netmask 255.255.255.0
Now declare the private address network using an access list numbered 1 (notice the wildcard mask is the binary
inverse of the standard network mask):
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Now configure the dynamic translation and the inside and outside interfaces:
Router(config)#ip nat inside source list 1 pool one
Router(config)#interface Fa 0/0
Router(config-if)#ip nat inside
Router(config)#interface se 0/0/0
Router(config-if)#ip nat outside
NAT WITH OVERLOADING
Router(config)#access-list number(1-99) permit IP_address wildcard
Router(config)#ip nat inside source list ACL_number pool name overload
Router(config)#ip nat inside source list ACL_number interface network_interface overload
Router(config)#interface network_interface //connection to the private network
Router(config-if)#ip nat inside
Router(config)#interface network_interface //outbound connection of the network
Router(config-if)#ip nat outside
Let's declare the private address network using an access list numbered 1 (notice the wildcard mask is the binary
inverse of the standard network mask):
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Now configure the dynamic translation with overloading and the inside and outside interfaces:
Router(config)#ip nat inside source list 1 interface serial 0/0/0 overload
Router(config)#interface Fa 0/0
Router(config-if)#ip nat inside
Router(config)#interface se 0/0/0
Router(config-if)#ip nat outside
router(config)#int s0/0/0
router(config-if)#clock rate 56000
router(config-if)#bandwidth 56
router(config)#int s0/0/1
router(config-if)#clock rate 1000000
router(config-if)#bandwidth 1000
OSPFv2
Router(config)#router ospf process_id
Router(config-router)#network network_IP_address wildcard area area_id
Router(config)#interface s0
Router(config-if)#ip address 10.64.0.1 255.255.255.0
Router(config)#router ospf 1
Router(config-router)#network 10.64.0.0 0.0.0.255 area 0
OSPFv3
Configure the router ID and link-local addresses on all interfaces if there is no redistribution
Router(config)#ipv6 unicast-routing
Router(config-if)#ipv6 ospf process_id area area_id
Quito(config)#ipv6 unicast-routing
Quito(config)#int f0/0
Quito(config-if)#ipv6 ospf 50 area 0
Quito(config)#int s0/0/0
Quito(config-if)#ipv6 ospf 50 area 0
Router(config)#ipv6 unicast-routing
Router(config)#interface f0/0
Router(config-if)#ipv6 ospf 50 area 0
BGP
Router(config)# router bgp AS_number
Router(config-router)#neighbor next_hop_link_ip remote-as AS_number(same for IBGP, different for EBGP)
Router(config-router)#network own_network_address
OSPF REDISTRIBUTION
Router(config)# router ospf 100
Router(config-router)# redistribute rip subnets
Router(config)#router protocol
Router(config-router)# passive-interface interface_disabled_for_redistribution
VLANS
Switch(config)#vlan vlan_number
Switch(config-vlan)#name vlan_name
Switch(config)#interface interface_assigned_to_vlan
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan vlan_number_for_the_interface
Switch(config)#interface interface_assigned_to_vlan
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config)#int vlan1
Switch(config-if)#ip add vlan_ip_address subnet_mask
Switch(config-if)#no shutdown
Switch(config)#ip default-gateway outbound_gateway_address
2950(config)#interface range f0/8 - 12
2950(config-if-range)#switchport mode access
2950(config-if-range)#switchport access vlan 3
2950(config-if-range)#exit
2950(config)#interface fastethernet 0/1
2950(config-if)#switchport mode trunk
VLAN routing
STP
Switch(config)#spanning-tree vlan [VLAN_number] priority [priority_value]
S1#show spanning-tree
Put the switches in spanning-tree debug mode with the command debug spanning-tree events.
S1#debug spanning-tree events
Spanning Tree event debugging is on
LAYER 3 SWITCH
Switch# configure terminal
Switch(config)# ip routing
Switch(config)# interface fa0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# interface fa0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.20.1.1 255.255.255.0
Switch(config-if)# no shutdown