Practice scenario, module 6, CCNASec

Date: 6 March 2013 Instructor: Ernesto Vilarrasa

 

Scenario

 

The challenge in this scenario is to add 4 servers to the server farm and connect them to SW2.

SW2 has no ports left (it has 10 ports at 1000 Mbps), so it will be replaced by a Catalyst 2960 24+2,

since all the servers run at 100 Mbps, leaving the 2 trunk ports at 1000 Mbps.

The idea of the lab is to move the configurations and connections over gradually so as to keep network downtime to a minimum,

without neglecting the security aspects learned in the module, using common sense, and simulating work under pressure.

 

This scenario is also valid for the security chapter of CCNA 3 (Exploration 3).

 

The original scenario is: Escenario Ctrl F CCNASec 2013 con ZBF e IPS y SW security.pka

The final scenario is: Escenario Ctrl F CCNASec 2013 escenario reemplazo SW resuelto.pka

 

Scenarios available at: ftp://ftp.vilarrasa.com.ar/   user and password: ccna

 

 

We check VTP on the Core, so that the new SW can learn the VLANs from it:

 

Core#sh vtp status

VTP Version                     : 2

Configuration Revision          : 14

Maximum VLANs supported locally : 1005

Number of existing VLANs        : 11

VTP Operating Mode              : Server

VTP Domain Name                 : CCNASec

VTP Pruning Mode                : Disabled

VTP V2 Mode                     : Disabled

VTP Traps Generation            : Disabled

MD5 digest                      : 0x91 0x26 0xAF 0xF1 0x91 0x87 0xD0 0x28

Configuration last modified by 0.0.0.0 at 3-1-93 00:00:00

Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)

Core#

 

Core#sh vtp password

VTP Password: PasswordVTP

Core#

 

Initial configuration of the replacement SW (we know it is a brand-new SW; otherwise, check its VTP configuration revision first, since a switch joining the domain with a higher revision number would overwrite the VLAN database,

or delete vlan.dat and startup-config and run reload):

 

Switch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#host SW_reemplazo

SW_reemplazo(config)#int range Gi1/1-2

SW_reemplazo(config-if-range)#switchport mode trunk

SW_reemplazo(config-if-range)#exit (for now we allow all VLANs on the trunks)

SW_reemplazo(config)#vtp domain CCNASec

Changing VTP domain name from NULL to CCNASec

SW_reemplazo(config)#vtp password PasswordVTP

Setting device VLAN database password to PasswordVTP

SW_reemplazo(config)#end

SW_reemplazo#

 

We verify that the trunk comes UP:

 

%LINK-5-CHANGED: Interface GigabitEthernet1/1, changed state to up

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up

 

 

We check the VLANs on the new SW:

 

SW_reemplazo#sh vlan

 

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8

                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16

                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20

                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24

                                                Gig1/2

10   vlan10                           active   

20   vlan20                           active   

30   vlan30                           active   

40   vlan40                           active   

50   invitados                        active   

99   aislada                          active   

---abridged---

SW_reemplazo#

 

We check the port configuration on the SW being replaced:

 

SW2#sh runn

Building configuration...

 

Current configuration : 2079 bytes

!

---abridged---

!

hostname SW2

!

!

spanning-tree mode pvst

!

interface GigabitEthernet0/1 (will become Gi1/1)

 switchport trunk allowed vlan 1,10,20,30,40,50

 switchport mode trunk

!

interface GigabitEthernet1/1 (will become Gi1/2)

 switchport trunk allowed vlan 1,10,20,30,40,50

 switchport mode trunk

!

interface GigabitEthernet2/1 (will become Fa0/2)

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5CEE.C398

 spanning-tree portfast

!

interface GigabitEthernet3/1 (will become Fa0/3)

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.2FA4.778B

 spanning-tree portfast

!

interface GigabitEthernet4/1 (will become Fa0/4)

 switchport access vlan 20

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.855A.7A66

 spanning-tree portfast

!

interface GigabitEthernet5/1 (will become Fa0/5)

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5C5E.E9CE

 spanning-tree portfast

!

interface GigabitEthernet6/1 (will become Fa0/6)

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000A.F3B0.B2B7

 spanning-tree portfast

!

interface GigabitEthernet7/1 (will become Fa0/7)

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

!

interface GigabitEthernet8/1 (will become Fa0/8)

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

!

interface GigabitEthernet9/1 (unused, will become Fa0/9)

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface Vlan1

 ip address 192.168.1.4 255.255.255.0 (we will temporarily move to another IP to avoid a duplicate address)

!

ip default-gateway 192.168.1.1

!

!

---abridged---

!

end

 

Migration script:

 

conf t

!

interface GigabitEthernet1/1

 switchport mode trunk

 switchport trunk allowed vlan 1,10,20,30,40,50

 exit

!

interface GigabitEthernet1/2

 switchport mode trunk

 switchport trunk allowed vlan 1,10,20,30,40,50

 exit

!

interface FastEthernet0/3

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.2FA4.778B

 spanning-tree portfast

 exit

!

interface FastEthernet0/4

 switchport access vlan 20

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.855A.7A66

 spanning-tree portfast

 exit

!

interface FastEthernet0/5

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5C5E.E9CE

 spanning-tree portfast

 exit

!

interface FastEthernet0/6

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000A.F3B0.B2B7

 spanning-tree portfast

 exit

!

interface FastEthernet0/7

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0050.0F14.2825

 spanning-tree portfast

 exit

!

interface FastEthernet0/8

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00D0.5868.9DDA

 spanning-tree portfast

 exit

interface FastEthernet0/9 (2nd new server)

 switchport mode access

 switchport access vlan 10

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 no shutdown (this interface was down)

 exit

interface range FastEthernet0/1-2 (these interfaces were the trunks; they now become the 1st new server and the HTTP server)

 switchport mode access

 switchport access vlan 10

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 exit

interface FastEthernet0/10 (3rd new server)

 switchport mode access

 switchport access vlan 10

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 exit

interface FastEthernet0/11 (4th new server)

 switchport mode access

 switchport access vlan 10

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 exit

interface range FastEthernet0/12-24 (unused)

 switchport mode access

 switchport access vlan 99 (isolated VLAN; the original script had "switchport mode access vlan 99", which IOS rejects)

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown (ports switched off)

 exit

!

interface Vlan1

 ip address 192.168.1.5 255.255.255.0 (we change the IP during the transition and normalise it at the end)

 no shutdown

 exit

!

ip default-gateway 192.168.1.1

!

end
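As an added example (not part of the original lab or the instructor's material), the Python below automates the cut-over check a migration like this calls for: it parses constructed, abridged fragments of the SW2 and SW_reemplazo configs shown on this page, confirms that every mapped port kept its access VLAN, trunk VLAN list and port-security sticky MAC, and reports any unmapped access port that is not shut down in the isolated VLAN 99. The port map, the parser and check_migration are assumptions of this example, not commands from the page.

```python
# Constructed, abridged fragment of the old switch (SW2) running-config.
OLD_CFG = """\
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10,20,30,40,50
 switchport mode trunk
interface GigabitEthernet3/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.2FA4.778B
"""
# Constructed SW_reemplazo fragment; Fa0/12 keeps the script's mistyped VLAN line on purpose.
NEW_CFG = """\
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.2FA4.778B
interface FastEthernet0/12
 switchport mode access
 switchport mode access vlan 99
 shutdown
interface GigabitEthernet1/1
 switchport trunk allowed vlan 1,10,20,30,40,50
 switchport mode trunk
"""
# Old port -> new port, as annotated in the "sh runn" of SW2 on this page.
PORT_MAP = {"GigabitEthernet0/1": "GigabitEthernet1/1",
            "GigabitEthernet3/1": "FastEthernet0/3"}

def parse_interfaces(cfg):
    """Return {interface name: set of its indented statements}."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            ifaces[current] = set()
        elif line.startswith(" ") and current:
            ifaces[current].add(line.strip())
    return ifaces

def check_migration(old_cfg, new_cfg, port_map, isolated_vlan=99):
    """Return a list of findings; an empty list means the cut-over is clean."""
    old, new = parse_interfaces(old_cfg), parse_interfaces(new_cfg)
    findings = []
    for src, dst in port_map.items():
        # Every switchport statement of the old port must survive verbatim on its replacement.
        for stmt in sorted(old[src]):
            if stmt.startswith("switchport") and stmt not in new.get(dst, set()):
                findings.append(f"{dst}: lost '{stmt}' from {src}")
    for name, lines in new.items():
        if name in port_map.values() or "switchport mode trunk" in lines:
            continue  # mapped ports were checked above; trunks are not parked
        for required in ("shutdown", f"switchport access vlan {isolated_vlan}"):
            if required not in lines:
                findings.append(f"{name}: unused port lacks '{required}'")
    return findings
```

Run against the page's own script the check flags exactly the mistyped VLAN 99 line on Fa0/12; once that line is corrected it reports nothing.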

 

On SW2 we watch which port the server being migrated was on, so we know which port to connect it to on the new SW:

 

%LINK-5-CHANGED: Interface GigabitEthernet3/1, changed state to down

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down

 

One-by-one migration stage:

 

 

 

We replace the management IP:

 

SW_reemplazo#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

SW_reemplazo(config)#int vlan 1

SW_reemplazo(config-if)#ip address 192.168.1.4 255.255.255.0

SW_reemplazo(config-if)#^Z

SW_reemplazo#

 

Verification:

 

SW_reemplazo#sh ip int bri

Interface              IP-Address      OK? Method Status                Protocol

 

FastEthernet0/1        unassigned      YES manual up                    up (1st new server)

FastEthernet0/2        unassigned      YES manual up                    up (HTTP server)

FastEthernet0/3        unassigned      YES manual up                    up (DNS server)

FastEthernet0/4        unassigned      YES manual up                    up (Systems department PC)

FastEthernet0/5        unassigned      YES manual up                    up (AAA server)

FastEthernet0/6        unassigned      YES manual up                    up (DHCP server)

FastEthernet0/7        unassigned      YES manual up                    up (Syslog server)

FastEthernet0/8        unassigned      YES manual up                    up (NTP server)

FastEthernet0/9        unassigned      YES manual up                    up (2nd new server)

FastEthernet0/10       unassigned      YES manual up                    up (3rd new server)

FastEthernet0/11       unassigned      YES manual up                    up (4th new server)

FastEthernet0/12       unassigned      YES manual administratively down down

FastEthernet0/13       unassigned      YES manual administratively down down

FastEthernet0/14       unassigned      YES manual administratively down down

FastEthernet0/15       unassigned      YES manual administratively down down

FastEthernet0/16       unassigned      YES manual administratively down down

FastEthernet0/17       unassigned      YES manual administratively down down

FastEthernet0/18       unassigned      YES manual administratively down down

FastEthernet0/19       unassigned      YES manual administratively down down

FastEthernet0/20       unassigned      YES manual administratively down down

FastEthernet0/21       unassigned      YES manual administratively down down

FastEthernet0/22       unassigned      YES manual administratively down down

FastEthernet0/23       unassigned      YES manual administratively down down

FastEthernet0/24       unassigned      YES manual administratively down down

GigabitEthernet1/1     unassigned      YES manual up                    up (trunk to SW1)

GigabitEthernet1/2     unassigned      YES manual up                    up (trunk to Core)

Vlan1                  192.168.1.4     YES manual up                    up (Telnet management)

SW_reemplazo#

 

Scenario completed:

 

 

Final configuration:

 

SW_reemplazo#sh runn

Building configuration...

 

Current configuration : 5443 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname SW_reemplazo

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00D0.FFAD.603D

 spanning-tree portfast

!

interface FastEthernet0/2

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5CEE.C398

 spanning-tree portfast

!

interface FastEthernet0/3

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.2FA4.778B

 spanning-tree portfast

!

interface FastEthernet0/4

 switchport access vlan 20

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.855A.7A66

 spanning-tree portfast

!

interface FastEthernet0/5

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5C5E.E9CE

 spanning-tree portfast

!

interface FastEthernet0/6

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000A.F3B0.B2B7

 spanning-tree portfast

!

interface FastEthernet0/7

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0050.0F14.2825

 spanning-tree portfast

!

interface FastEthernet0/8

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00D0.5868.9DDA

 spanning-tree portfast

!

interface FastEthernet0/9

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.CF22.C115

 spanning-tree portfast

!

interface FastEthernet0/10

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00E0.B094.E827

 spanning-tree portfast

!

interface FastEthernet0/11

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.8506.822B

 spanning-tree portfast

!

interface FastEthernet0/12

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/13

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/14

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/15

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/16

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/17

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/18

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/19

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/20

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/21

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/22

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/23

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface FastEthernet0/24

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 shutdown

!

interface GigabitEthernet1/1

 switchport trunk allowed vlan 1,10,20,30,40,50

 switchport mode trunk

!

interface GigabitEthernet1/2

 switchport trunk allowed vlan 1,10,20,30,40,50

 switchport mode trunk

!

interface Vlan1

 ip address 192.168.1.5 255.255.255.0

!

ip default-gateway 192.168.1.1

!

!

line con 0

!

line vty 0 4

 login

line vty 5 15

 login

!

!

end

 

SW_reemplazo#

 

Improvements that would have made the migration easier:

 

As a matter of good practice it is advisable to add a description to everything; it makes troubleshooting much easier.

 

SW_reemplazo#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

SW_reemplazo(config)#int fa0/1

SW_reemplazo(config-if)#description 1er server nuevo

SW_reemplazo(config-if)#exit

SW_reemplazo(config)#int fa0/2

SW_reemplazo(config-if)#desc HTTP server

SW_reemplazo(config-if)#^Z

 

SW_reemplazo#sh runn

Building configuration...

 

Current configuration : 5546 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname SW_reemplazo

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

 description 1er server nuevo

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00D0.FFAD.603D

 spanning-tree portfast

!

interface FastEthernet0/2

 description HTTP server

 switchport access vlan 10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.5CEE.C398

 spanning-tree portfast

!

---abridged---

!

end

 

SW_reemplazo#

 

(2013) Crazy tales for insane people

Rosario, Argentina