Standard Access Control Lists
1-Building the lab topology

2-Enable a routing protocol so that all networks are reachable
Router3(config)#router rip
Router3(config-router)#network 200.210.222.0
Router3(config-router)#network 200.210.222.132
Router3(config-router)#version 2
3-Verify with ping that all the PCs can reach one another
4-Enable access through the VTY virtual terminals
username admin secret cisco
enable secret class
line vty 0 4
login local
5-Verify that all the PCs can remotely administer all the routers
login as: admin
Using keyboard-interactive authentication
Router_3>en
Router_3#
Password:
6-Apply access lists to the interfaces so that the PCs cannot reach the routers for remote administration.
access-list 10 deny 200.210.220.2
access-list 10 deny 200.210.221.2
access-list 10 deny 200.210.222.2
access-list 10 permit any
access-list 102 deny tcp 10.96.0.0 0.31.255.255 10.64.0.0 0.31.255.255 eq smtp
access-list 102 permit ip any any
7-Answer the following questions
*Do pings between the PCs work?
Yes
*How could access to the console alone be limited without limiting all traffic?
By delimiting a range in the networks that must be denied
8-Now apply the same access control list to the VTY virtual terminals
Router_3(config)#int g 0/0
Router_3(config-if)#ip access-group 10 in
Router_3(config-if)#line vty 0 4
Router_3(config-line)#access-class 10 in
Router_3(config-line)#end
9-Verify the status of the terminals with the show lines command
Router_3#show running-config
Building configuration...
Current configuration : 2121 bytes
!
! Last configuration change at 02:39:47 UTC Fri May 6 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_3
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Kv16$DTwQKzJs1NLNX2rEz5Lok/
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.96.0.1
!
ip dhcp pool pool
network 10.96.0.0 255.224.0.0
default-router 10.96.0.1
!
!
!
ip domain name cisco.com
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
cts logging verbose
!
!
license udi pid CISCO2901/K9 sn FJC1853A09U
!
!
username admin secret 5 $1$zRxs$XfZtH3OK0NtZXoggtZWy4/
!
redundancy
!
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.96.0.1 255.224.0.0
ip access-group 102 in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 200.210.222.1 255.255.255.128
ip access-group 10 in
duplex auto
speed auto
!
interface Serial0/0/0
ip address 200.210.222.134 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
ip address 10.192.0.1 255.224.0.0
clock rate 64000
!
router ospf 1
network 10.96.0.0 0.31.255.255 area 0
network 10.160.0.0 0.31.255.255 area 0
network 10.192.0.0 0.31.255.255 area 0
!
router rip
version 2
network 172.16.0.0
network 200.165.200.0
network 200.210.220.0
network 200.210.221.0
network 200.210.222.0
network 209.165.200.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ipv6 router rip process1
!
!
!
access-list 10 deny 200.210.220.2
access-list 10 deny 200.210.221.2
access-list 10 deny 200.210.222.2
access-list 10 permit any
access-list 102 deny tcp 10.96.0.0 0.31.255.255 10.64.0.0 0.31.255.255 eq smtp
access-list 102 permit ip any any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 10 in
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
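The following is an added example, not part of the original lab: a small Python model of how IOS evaluates standard ACL 10 from the running-config above (first match wins, implicit deny at the end) and of the difference between binding it to an interface (step 6) and to the VTY lines (step 8). The function names and the `remote_admin`/`transit` labels are assumptions made for illustration.

```python
import ipaddress

# ACL 10 exactly as it appears in the lab's running-config
ACL_TEXT = """\
access-list 10 deny 200.210.220.2
access-list 10 deny 200.210.221.2
access-list 10 deny 200.210.222.2
access-list 10 permit any
"""

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(text, number):
    """Return [(action, base, wildcard)] for one numbered standard ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        if tok[3] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif tok[3] == "host":
            base, wild = ip_int(tok[4]), 0
        else:  # a bare address means wildcard 0.0.0.0 (single host)
            base = ip_int(tok[3])
            wild = ip_int(tok[4]) if len(tok) > 4 else 0
        entries.append((tok[2], base, wild))
    return entries

def evaluate(entries, source):
    """First matching entry wins; no match falls to the implicit deny."""
    src = ip_int(source)
    for action, base, wild in entries:
        if (src | wild) == (base | wild):  # wildcard 1-bits are ignored
            return action
    return "deny"

def effect(entries, source, applied_to):
    """Model step 6 ('interface', ip access-group in) vs step 8 ('vty', access-class in)."""
    verdict = evaluate(entries, source)
    if applied_to == "interface":  # filters every inbound packet from source
        return {"remote_admin": verdict, "transit": verdict}
    return {"remote_admin": verdict, "transit": "permit"}  # VTY sessions only

def wildcard_range(base, wildcard):
    """First and last address matched by a contiguous wildcard mask."""
    b, w = ip_int(base), ip_int(wildcard)
    first = ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)
    return str(first), str(ipaddress.IPv4Address(b | w))
```

`wildcard_range("10.96.0.0", "0.31.255.255")` gives the source block that ACL 102 matches, which is a quick way to check a wildcard mask before applying it to an interface.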
Wednesday, April 27, 2016
Single-Area OSPF
1. Building the lab topology
2. Verify connectivity with PING from the router to the PCs and neighboring routers
3. Enable OSPF in area 0
R2(config)#router ospf 10
R2(config-router)#network 200.210.221.0 0.0.0.255 area 0
R2(config-router)#network 200.210.222.128 0.0.0.3 area 0
R2(config-router)#network 200.210.222.132 0.0.0.3 area 0
R2(config-router)#end
4. Verify the network advertisements with "show ip route"
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
O 200.210.220.0/24 [110/129] via 200.210.222.133, 00:03:13, Serial0/0/1
O 200.210.221.0/24 [110/65] via 200.210.222.133, 00:09:23, Serial0/0/1
200.210.222.0/24 is variably subnetted, 5 subnets, 3 masks
C 200.210.222.0/25 is directly connected, GigabitEthernet0/1
L 200.210.222.1/32 is directly connected, GigabitEthernet0/1
O 200.210.222.128/30
[110/128] via 200.210.222.133, 00:03:23, Serial0/0/1
C 200.210.222.132/30 is directly connected, Serial0/0/1
L 200.210.222.134/32 is directly connected, Serial0/0/1
Router#
5. Answer the following questions:
-How many networks appear in the routing table?
3
-How many should appear?
3
6. Verify OSPF status
-show ip ospf
Router#show ip ospf
Routing Process "ospf 1" with ID 200.210.222.1
Start time: 00:07:32.828, Time elapsed: 00:35:42.156
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Supports NSSA (compatible with RFC 3101)
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm last executed 00:00:26.424 ago
SPF algorithm executed 2 times
Area ranges are
Number of LSA 1. Checksum Sum 0x0074CA
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
-show ip ospf neighbor
Router#show ip ospf neighbor
interface
GigabitEthernet0/1 is up, line protocol is up
Internet Address 200.210.222.1/25, Area 0, Attached via Network Statement
Process ID 1, Router ID 200.210.222.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 200.210.222.1, Interface address 200.210.222.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Serial0/0/1 is up, line protocol is up
Internet Address 200.210.222.134/30, Area 0, Attached via Network Statement
Process ID 1, Router ID 200.210.222.1, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 200.210.222.133
Suppress hello for 0 neighbor(s)
Router#
-show ip ospf interface
Router#show ip ospf interface
database rpo outer
OSPF Router with ID (200.210.222.1) (Process ID 1)
Router Link States (Area 0)
LS age: 621
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 200.210.222.1
Advertising Router: 200.210.222.1
LS Seq Number: 8000000B
Checksum: 0x2A70
Length: 60
Number of Links: 3
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.222.0
(Link Data) Network Mask: 255.255.255.128
Number of MTID metrics: 0
TOS 0 Metrics: 1
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 200.210.222.133
(Link Data) Router Interface address: 200.210.222.134
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.222.132
(Link Data) Network Mask: 255.255.255.252
Number of MTID metrics: 0
TOS 0 Metrics: 64
LS age: 439
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 200.210.222.129
Advertising Router: 200.210.222.129
LS Seq Number: 80000002
Checksum: 0x1618
Length: 60
Number of Links: 3
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 200.210.222.133
(Link Data) Router Interface address: 200.210.222.129
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.222.128
(Link Data) Network Mask: 255.255.255.252
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.220.0
(Link Data) Network Mask: 255.255.255.0
Number of MTID metrics: 0
TOS 0 Metrics: 1
LS age: 439
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 200.210.222.133
Advertising Router: 200.210.222.133
LS Seq Number: 8000000A
Checksum: 0xD732
Length: 84
Number of Links: 5
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.221.0
(Link Data) Network Mask: 255.255.255.0
Number of MTID metrics: 0
TOS 0 Metrics: 1
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 200.210.222.1
(Link Data) Router Interface address: 200.210.222.133
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.222.132
(Link Data) Network Mask: 255.255.255.252
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 200.210.222.129
(Link Data) Router Interface address: 200.210.222.130
Number of MTID metrics: 0
TOS 0 Metrics: 64
Link connected to: a Stub Network
(Link ID) Network/subnet number: 200.210.222.128
(Link Data) Network Mask: 255.255.255.252
Number of MTID metrics: 0
TOS 0 Metrics: 64
Router#
7. Document
-The addresses of the neighbors
200.210.222.134
200.210.222.129
-Identify the Designated Router
200.210.222.133
-Note the administrative distance of OSPF
Administrative distance = 110

