Practice scenario, module 6
CCNASec
Date: March 6, 2013   Instructor: Ernesto Vilarrasa
Scenario
The challenge in this scenario is to add 4 servers to the server farm and connect them to SW2.
SW2 has no free ports (it has 10 ports at 1000 Mbps), so it will be replaced by a Catalyst 2960 24+2: all the servers run at 100 Mbps, which leaves the 2 Gigabit ports for the trunks at 1000 Mbps.
The idea of the lab is to move the configuration and the cabling over gradually, keeping network downtime to a minimum without neglecting the security measures learned in the module, using common sense and simulating work under pressure.
This scenario is also valid for the security chapter of CCNA 3 (Exploration 3).
The original scenario is: Escenario Ctrl F CCNASec 2013 con ZBF e IPS y SW security.pka
The final scenario is: Escenario Ctrl F CCNASec 2013 escenario reemplazo SW resuelto.pka
Scenarios available at: ftp://ftp.vilarrasa.com.ar/ user and password: ccna
We check VTP so that the new SW can learn the VLANs:
Core#sh vtp status
VTP Version                     : 2
Configuration Revision          : 14
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : CCNASec
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x91 0x26 0xAF 0xF1 0x91 0x87 0xD0 0x28
Configuration last modified by 0.0.0.0 at 3-1-93 00:00:00
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)
Core#
Core#sh vtp password
VTP Password: PasswordVTP
Core#
Note that "show vtp password" returns the password in clear text: anyone with privileged EXEC on any switch of the domain can read it, so it protects against accidental joins rather than against someone who already has access to a switch.
Initial configuration of the replacement SW (we know it is a new switch; otherwise, check its VTP configuration revision first, or delete vlan.dat and the startup-config and reload). The reason: a switch that joins the CCNASec domain with the right password and a configuration revision higher than the Core's (14) overwrites the VLAN database of the whole domain, in server and in client mode alike.
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW_reemplazo
SW_reemplazo(config)#int range Gi1/1-2
SW_reemplazo(config-if-range)#switchport mode trunk
SW_reemplazo(config-if-range)#exit
(for the moment we allow all VLANs on the trunks)
SW_reemplazo(config)#vtp domain CCNASec
Changing VTP domain name from NULL to CCNASec
SW_reemplazo(config)#vtp password PasswordVTP
Setting device VLAN database password to PasswordVTP
SW_reemplazo(config)#end
SW_reemplazo#
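The "otherwise, check the VTP revision" caveat is the one step of this lab that can take the whole domain down, so it is worth making repeatable. The following Python example is added here and is not part of the original lab: it parses "show vtp status" output from the domain server and from the candidate switch and says whether trunking the candidate in is safe. The Core capture is the one shown above; the "fresh" and "recycled" captures are constructed for the example.

```python
# Added example (not part of the original lab): decide whether a candidate
# switch can be trunked into the VTP domain without overwriting its VLAN
# database. Rule applied: a switch in the same domain, with the same password
# and a HIGHER configuration revision wins the merge, in server and in client
# mode alike; only transparent mode is harmless. The 'show vtp status'
# captures below are constructed in the format the lab shows (the Core values
# are the ones captured in the lab).
import re

CORE_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 14
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : CCNASec
VTP Pruning Mode                : Disabled
"""

# Constructed: a factory-fresh replacement switch (NULL domain, revision 0).
FRESH_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 0
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
"""

# Constructed: a switch recycled from another closet of the same domain.
RECYCLED_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 37
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : CCNASec
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")


def parse_vtp_status(text):
    """Extract revision, mode and domain from 'show vtp status' output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return {
        "revision": int(fields.get("Configuration Revision", "0")),
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "domain": fields.get("VTP Domain Name", "") or None,   # '' == NULL domain
    }


def vtp_join_verdict(server_status, candidate_status):
    """Classify what happens when the candidate is trunked into the domain."""
    server, cand = parse_vtp_status(server_status), parse_vtp_status(candidate_status)
    if cand["mode"] == "transparent":
        return "SAFE: transparent mode never originates VLAN database updates"
    if cand["domain"] not in (None, server["domain"]):
        return ("SAFE but USELESS: domain %r differs from %r, advertisements will "
                "be ignored and the VLANs will not be learned"
                % (cand["domain"], server["domain"]))
    if cand["revision"] > server["revision"]:
        # Fix: 'delete vlan.dat' + 'erase startup-config' + reload, or set
        # 'vtp mode transparent'. Changing the VTP domain name also resets
        # the revision to 0.
        return ("UNSAFE: revision %d > %d in %s mode; the candidate's VLAN "
                "database would overwrite the whole domain's"
                % (cand["revision"], server["revision"], cand["mode"]))
    if cand["revision"] == server["revision"]:
        return ("CHECK: same revision %d, neither side will accept the other's "
                "database; compare 'show vlan' on both by hand" % cand["revision"])
    return ("SAFE: revision %d < %d, the switch will learn the domain's VLANs"
            % (cand["revision"], server["revision"]))


if __name__ == "__main__":
    for name, status in (("fresh", FRESH_VTP_STATUS), ("recycled", RECYCLED_VTP_STATUS)):
        print("%-9s %s" % (name, vtp_join_verdict(CORE_VTP_STATUS, status)))
```

Run it against a capture from the real candidate before plugging the trunk: a "recycled" switch in client mode is the classic way of wiping a production VLAN database, and neither the password nor client mode prevents it.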
We verify that the trunk comes UP:
%LINK-5-CHANGED: Interface GigabitEthernet1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
We verify the VLANs on the new SW:
SW_reemplazo#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/2
10   vlan10                           active
20   vlan20                           active
30   vlan30                           active
40   vlan40                           active
50   invitados                        active
99   aislada                          active
---abridged---
SW_reemplazo#
We check the port configuration on the SW being replaced:
SW2#sh runn
Building configuration...
Current configuration : 2079 bytes
!
---abridged---
!
hostname SW2
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/1 (will be Gi1/1)
switchport trunk allowed vlan 1,10,20,30,40,50
switchport mode trunk
!
interface GigabitEthernet1/1 (will be Gi1/2)
switchport trunk allowed vlan 1,10,20,30,40,50
switchport mode trunk
!
interface GigabitEthernet2/1 (will be Fa0/2)
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5CEE.C398
spanning-tree portfast
!
interface GigabitEthernet3/1 (will be Fa0/3)
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.2FA4.778B
spanning-tree portfast
!
interface GigabitEthernet4/1 (will be Fa0/4)
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000C.855A.7A66
spanning-tree portfast
!
interface GigabitEthernet5/1 (will be Fa0/5)
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5C5E.E9CE
spanning-tree portfast
!
interface GigabitEthernet6/1 (will be Fa0/6)
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000A.F3B0.B2B7
spanning-tree portfast
!
interface GigabitEthernet7/1 (will be Fa0/7)
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
!
interface GigabitEthernet8/1 (will be Fa0/8)
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
!
interface GigabitEthernet9/1 (unused, will be Fa0/9)
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface Vlan1
ip address 192.168.1.4 255.255.255.0
(on the new SW we will use another IP temporarily, to avoid a duplicate address while both switches are on the network)
!
ip default-gateway 192.168.1.1
!
!
---abridged---
!
end
Migration script (on every access port "switchport mode access" is applied before "switchport port-security", because IOS rejects port-security on a port that is still in dynamic mode):
conf t
!
interface GigabitEthernet1/1
switchport mode trunk
switchport trunk allowed vlan 1,10,20,30,40,50
exit
!
interface GigabitEthernet1/2
switchport mode trunk
switchport trunk allowed vlan 1,10,20,30,40,50
exit
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.2FA4.778B
spanning-tree portfast
exit
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000C.855A.7A66
spanning-tree portfast
exit
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5C5E.E9CE
spanning-tree portfast
exit
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000A.F3B0.B2B7
spanning-tree portfast
exit
!
interface FastEthernet0/7
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.0F14.2825
spanning-tree portfast
exit
!
interface FastEthernet0/8
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00D0.5868.9DDA
spanning-tree portfast
exit
!
interface FastEthernet0/9 (2nd new server)
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown (this interface was shut down on SW2)
exit
!
interface range FastEthernet0/1-2 (these port numbers were the trunks on SW2; here they will be the 1st new server and the HTTP server)
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
exit
!
interface FastEthernet0/10 (3rd new server)
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
exit
!
interface FastEthernet0/11 (4th new server)
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
exit
!
interface range FastEthernet0/12-24 (unused)
switchport mode access
switchport access vlan 99 (VLAN aislada; note that 99 is not in the trunks' allowed list, so it stays local to this switch)
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shut (ports kept shut down)
exit
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0 (temporary IP during the transition; we normalize it at the end)
no shut
exit
!
ip default-gateway 192.168.1.1
!
end
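The script above is a port-by-port copy, and that is exactly the kind of work that goes wrong under pressure: one sticky MAC copied onto the wrong port and the server's new port goes err-disabled on its first frame. The following Python example is added here and is not part of the original lab: it generates the interface section of the migration script from the old switch's running-config plus a port map, and then audits the new switch's running-config for the three things this lab cares about (sticky MACs preserved on the mapped port, port-security on every access port, unused ports parked in VLAN 99). The config excerpts are constructed from the SW2 and SW_reemplazo outputs shown in the lab, trimmed to a few ports.

```python
# Added example (not part of the original lab): generate the interface part
# of the migration script from the old switch's running-config plus a port
# map, and audit the new switch's running-config before cut-over. Configs
# are constructed excerpts of the SW2 and SW_reemplazo outputs shown in the
# lab, trimmed to a few ports.
import re
from collections import OrderedDict

OLD_CONFIG = """\
interface GigabitEthernet2/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.5CEE.C398
 spanning-tree portfast
!
interface GigabitEthernet9/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 shutdown
!
"""

# Old port -> new port, as annotated in the lab ("will be Fa0/2", ...).
PORT_MAP = {"GigabitEthernet2/1": "FastEthernet0/2",
            "GigabitEthernet9/1": "FastEthernet0/9"}

NEW_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.5CEE.C398
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 shutdown
!
"""

STICKY_RE = re.compile(r"mac-address sticky ([0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})")
ISOLATED_VLAN = "99"   # the lab's VLAN 'aislada' for unused ports


def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines."""
    blocks, current = OrderedDict(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None   # '!' or a global command closes the block
    return blocks


def sticky_macs(lines):
    """Set of sticky MACs (upper-cased) configured in one interface block."""
    return {m.group(1).upper() for l in lines for m in [STICKY_RE.search(l)] if m}


def render_migration(old_config, port_map):
    """Copy each old block onto its mapped port. 'switchport mode access' is
    emitted first because IOS rejects port-security on a dynamic-mode port."""
    out = ["conf t"]
    for old_name, lines in parse_interfaces(old_config).items():
        out.append("interface " + port_map[old_name])
        first = [l for l in lines if l == "switchport mode access"]
        out.extend(" " + l for l in first + [l for l in lines if l not in first])
        out.append(" exit")
    out.append("end")
    return "\n".join(out)


def audit_migration(old_config, new_config, port_map):
    """Return findings; an empty list means the new switch is ready for cut-over."""
    old, new = parse_interfaces(old_config), parse_interfaces(new_config)
    findings = []
    for old_name, lines in old.items():
        new_name = port_map[old_name]
        if new_name not in new:
            findings.append("%s: not configured (was %s)" % (new_name, old_name))
            continue
        for mac in sticky_macs(lines) - sticky_macs(new[new_name]):
            findings.append("%s: sticky MAC %s from %s missing" % (new_name, mac, old_name))
    for name, lines in new.items():
        if "switchport mode access" in lines and "switchport port-security" not in lines:
            findings.append("%s: access port without port-security" % name)
        if "shutdown" in lines and "switchport access vlan " + ISOLATED_VLAN not in lines:
            findings.append("%s: unused port not parked in VLAN %s" % (name, ISOLATED_VLAN))
    return findings


if __name__ == "__main__":
    print(render_migration(OLD_CONFIG, PORT_MAP))
    print(audit_migration(OLD_CONFIG, NEW_CONFIG, PORT_MAP) or "audit clean")
```

The audit is deliberately run on the text of "show running-config" rather than on what was typed, so a line IOS silently rejected (a mistyped "switchport mode access vlan 99" instead of "switchport access vlan 99", for instance) shows up as a parked port that never landed in VLAN 99.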
On SW2 we watch which port the server being migrated was on, so we know which port to connect it to on the new SW:
%LINK-5-CHANGED: Interface GigabitEthernet3/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
One-by-one migration stage:
We replace the management IP:
SW_reemplazo#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW_reemplazo(config)#int vlan 1
SW_reemplazo(config-if)#ip address 192.168.1.4 255.255.255.0
SW_reemplazo(config-if)#^Z
SW_reemplazo#
Verification:
SW_reemplazo#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up       (1st new server)
FastEthernet0/2        unassigned      YES manual up                    up       (HTTP server)
FastEthernet0/3        unassigned      YES manual up                    up       (DNS server)
FastEthernet0/4        unassigned      YES manual up                    up       (Systems dept. PC)
FastEthernet0/5        unassigned      YES manual up                    up       (AAA server)
FastEthernet0/6        unassigned      YES manual up                    up       (DHCP server)
FastEthernet0/7        unassigned      YES manual up                    up       (Syslog server)
FastEthernet0/8        unassigned      YES manual up                    up       (NTP server)
FastEthernet0/9        unassigned      YES manual up                    up       (2nd new server)
FastEthernet0/10       unassigned      YES manual up                    up       (3rd new server)
FastEthernet0/11       unassigned      YES manual up                    up       (4th new server)
FastEthernet0/12       unassigned      YES manual administratively down down
FastEthernet0/13       unassigned      YES manual administratively down down
FastEthernet0/14       unassigned      YES manual administratively down down
FastEthernet0/15       unassigned      YES manual administratively down down
FastEthernet0/16       unassigned      YES manual administratively down down
FastEthernet0/17       unassigned      YES manual administratively down down
FastEthernet0/18       unassigned      YES manual administratively down down
FastEthernet0/19       unassigned      YES manual administratively down down
FastEthernet0/20       unassigned      YES manual administratively down down
FastEthernet0/21       unassigned      YES manual administratively down down
FastEthernet0/22       unassigned      YES manual administratively down down
FastEthernet0/23       unassigned      YES manual administratively down down
FastEthernet0/24       unassigned      YES manual administratively down down
GigabitEthernet1/1     unassigned      YES manual up                    up       (trunk to SW1)
GigabitEthernet1/2     unassigned      YES manual up                    up       (trunk to Core)
Vlan1                  192.168.1.4     YES manual up                    up       (management, Telnet)
SW_reemplazo#
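Reading that table by eye is fine for one switch in a lab; under pressure it is easy to miss a parked port that is up when it should be administratively down, which is the security-relevant anomaly here (something got plugged into a port nobody is watching). The following Python example is added here and is not part of the original lab: it parses "show ip interface brief" and compares every port against the state the lab expects after the migration. The capture is constructed in the lab's format and contains two deliberate anomalies, Fa0/3 still down/down (a server not moved yet) and Fa0/13 up/up (a parked port that should be shut).

```python
# Added example (not part of the original lab): check the cut-over state of the
# replacement switch from 'show ip interface brief'. Expected states follow the
# lab's annotated output: Fa0/1-11 and both trunks up/up, Fa0/12-24 (parked in
# VLAN 99) administratively down, Vlan1 up with the management address. The
# capture below is constructed in the lab's format with two deliberate
# anomalies: Fa0/3 still down (server not moved yet) and Fa0/13 up (a parked
# port that should be shut has something plugged into it).
import re

SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual up                    up
FastEthernet0/5        unassigned      YES manual up                    up
FastEthernet0/6        unassigned      YES manual up                    up
FastEthernet0/7        unassigned      YES manual up                    up
FastEthernet0/8        unassigned      YES manual up                    up
FastEthernet0/9        unassigned      YES manual up                    up
FastEthernet0/10       unassigned      YES manual up                    up
FastEthernet0/11       unassigned      YES manual up                    up
FastEthernet0/12       unassigned      YES manual administratively down down
FastEthernet0/13       unassigned      YES manual up                    up
FastEthernet0/14       unassigned      YES manual administratively down down
FastEthernet0/15       unassigned      YES manual administratively down down
FastEthernet0/16       unassigned      YES manual administratively down down
FastEthernet0/17       unassigned      YES manual administratively down down
FastEthernet0/18       unassigned      YES manual administratively down down
FastEthernet0/19       unassigned      YES manual administratively down down
FastEthernet0/20       unassigned      YES manual administratively down down
FastEthernet0/21       unassigned      YES manual administratively down down
FastEthernet0/22       unassigned      YES manual administratively down down
FastEthernet0/23       unassigned      YES manual administratively down down
FastEthernet0/24       unassigned      YES manual administratively down down
GigabitEthernet1/1     unassigned      YES manual up                    up
GigabitEthernet1/2     unassigned      YES manual up                    up
Vlan1                  192.168.1.4     YES manual up                    up
"""

# One row of 'show ip interface brief': name, IP, OK?, method, status, protocol.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:YES|NO)\s+\S+\s+"
                    r"(administratively down|up|down)\s+(up|down)\s*$")


def parse_brief(text):
    """{interface: (ip, status, protocol)}; the header line does not match."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return rows


# Expected Status column per port on the 2960 24+2 after the migration.
EXPECTED_STATUS = {"FastEthernet0/%d" % n: "up" for n in range(1, 12)}
EXPECTED_STATUS.update({"FastEthernet0/%d" % n: "administratively down" for n in range(12, 25)})
EXPECTED_STATUS.update({"GigabitEthernet1/1": "up", "GigabitEthernet1/2": "up"})


def check_cutover(text, expected, mgmt_ip):
    """Return findings; a parked port that came up is the one to treat as an incident."""
    rows = parse_brief(text)
    findings = []
    for iface, want in expected.items():
        if iface not in rows:
            findings.append("%s: not in output" % iface)
            continue
        _, status, proto = rows[iface]
        if status != want or (want == "up" and proto != "up"):
            findings.append("%s: %s/%s, expected %s" % (iface, status, proto, want))
    ip, _, proto = rows.get("Vlan1", ("unassigned", "down", "down"))
    if ip != mgmt_ip or proto != "up":
        findings.append("Vlan1: %s %s, expected %s up" % (ip, proto, mgmt_ip))
    return findings


if __name__ == "__main__":
    for finding in check_cutover(SHOW_IP_INT_BRIEF, EXPECTED_STATUS, "192.168.1.4"):
        print(finding)
```

A port expected "up" that shows down/down just means a server has not been moved yet; a port expected "administratively down" that shows up/up means someone removed the shutdown, and in this lab those ports sit in VLAN 99 with port-security, so the next step is "show port-security interface" on that port, not "no shutdown" on the rest.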
Scenario completed:
Final configuration:
SW_reemplazo#sh runn
Building configuration...
Current configuration : 5443 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW_reemplazo
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00D0.FFAD.603D
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5CEE.C398
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.2FA4.778B
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000C.855A.7A66
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5C5E.E9CE
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000A.F3B0.B2B7
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.0F14.2825
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00D0.5868.9DDA
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000C.CF22.C115
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00E0.B094.E827
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000C.8506.822B
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/13
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/14
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/15
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/16
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/17
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/18
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/19
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/20
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/21
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/22
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/23
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface FastEthernet0/24
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
shutdown
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,10,20,30,40,50
switchport mode trunk
!
interface GigabitEthernet1/2
switchport trunk allowed vlan 1,10,20,30,40,50
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
!
ip default-gateway 192.168.1.1
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
SW_reemplazo#
Improvements that would have made the migration easier:
Among the good practices, it is advisable to add a description to everything; this makes troubleshooting much easier. Two more things the final running-config above makes visible: the vty lines have "login" but no password and no "transport input ssh", and "no service password-encryption" is still in effect, so the management access of the new switch should get the same hardening as the rest of the module's network before it is left in production.
SW_reemplazo#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW_reemplazo(config)#int fa0/1
SW_reemplazo(config-if)#description 1er server nuevo
SW_reemplazo(config-if)#exit
SW_reemplazo(config)#int fa0/2
SW_reemplazo(config-if)#desc HTTP server
SW_reemplazo(config-if)#^Z
SW_reemplazo#sh runn
Building configuration...
Current configuration : 5546 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW_reemplazo
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
description 1er server nuevo
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00D0.FFAD.603D
spanning-tree portfast
!
interface FastEthernet0/2
description HTTP server
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0060.5CEE.C398
spanning-tree portfast
!
---abridged---
!
end
SW_reemplazo#
(2013) Crazy tales for insane people
Rosario, Argentina