GRE tunnel and ACL lab scenario for CCNA Security, Ctrl-F
Date: 22/3/2013
Scenario
This scenario was built in Packet Tracer and is available at ftp://ftp.vilarrasa.com.ar/ (user and password: ccna) as Ejercicio 22 de Marzo CCNASec.pkt.
In this scenario the Rosario network is hidden from the rest of the WAN behind NAT, except for traffic that enters through the GRE tunnels, since those terminate at two of the company's branches (Córdoba and Mendoza).
Detail of the requirements:
1. Contractors (Contratistas): access only to 192.168.1.10 via HTTPS (it has a port forwarding to 10.0.1.10 on the WAN side)
2. Cordoba: access only to 192.168.1.11 via HTTP or HTTPS
3. and only to 192.168.1.12 via FTP
4. Mendoza: access only to 192.168.1.13 via HTTP or HTTPS
5. and only to 192.168.1.12 via FTP
6. Syslog server: 192.168.1.11 (it has a port forwarding to 10.0.1.11 on the WAN side)
7. NTP server: 192.168.1.11
8. Only PC 192.168.1.123 accesses the devices via telnet
Solution:
GRE tunnels
Rosario(config)#int tunnel 0
Rosario(config-if)#ip add 10.10.1.1 255.255.255.252
Rosario(config-if)#tunnel source fa0/1
Rosario(config-if)#tunnel destination 10.0.2.10
Rosario(config-if)#exit
Rosario(config)#int tunnel 1
Rosario(config-if)#ip add 10.10.2.1 255.255.255.252
Rosario(config-if)#tunnel source fa0/1
Rosario(config-if)#tunnel destination 10.0.2.14
Rosario(config-if)#exit
Rosario(config)#router eigrp 101 (so the inside networks are learned over the tunnels)
Rosario(config-router)#no auto (not significant here, see CCNA 2)
Rosario(config-router)#network 10.10.1.0 0.0.0.3 (tunnel to Córdoba)
Rosario(config-router)#network 10.10.2.0 0.0.0.3 (tunnel to Mendoza)
Rosario(config-router)#net 192.168.1.0 0.0.0.255 (local network)
Rosario(config-router)#end
Rosario#
Cordoba(config)#int tunnel 0
Cordoba(config-if)#ip add 10.10.1.2 255.255.255.252
Cordoba(config-if)#tun so fa0/1
Cordoba(config-if)#tun dest 10.0.1.1
Cordoba(config-if)#exit
Cordoba(config)#router eigrp 101 (so the inside networks are learned over the tunnel)
Cordoba(config-router)#no auto (not significant here, see CCNA 2)
Cordoba(config-router)#network 10.10.1.0 0.0.0.3 (tunnel to Rosario)
Cordoba(config-router)#net 192.168.2.0 0.0.0.255 (local network)
Cordoba(config-router)#end
%DUAL-5-NBRCHANGE: IP-EIGRP 101: Neighbor 10.10.1.1 (Tunnel0) is up: new adjacency
Cordoba#
Mendoza(config)#int tunnel 0
Mendoza(config-if)#ip add 10.10.2.2 255.255.255.252
Mendoza(config-if)#tun so fa0/1
Mendoza(config-if)#tun dest 10.0.1.1
Mendoza(config-if)#exit
Mendoza(config)#router eigrp 101 (so the inside networks are learned over the tunnel)
Mendoza(config-router)#no auto (not significant here, see CCNA 2)
Mendoza(config-router)#network 10.10.2.0 0.0.0.3 (tunnel to Rosario)
Mendoza(config-router)#net 192.168.3.0 0.0.0.255 (local network)
Mendoza(config-router)#end
%DUAL-5-NBRCHANGE: IP-EIGRP 101: Neighbor 10.10.2.1 (Tunnel0) is up: new adjacency
Mendoza#
Rosario#sh ip route (verification)
---abridged---
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C       10.0.1.0/24 is directly connected, FastEthernet0/1
D       10.0.2.0/30 [90/30720] via 10.0.1.254, 00:22:55, FastEthernet0/1
D       10.0.2.4/30 [90/33280] via 10.0.1.254, 00:22:55, FastEthernet0/1
D       10.0.2.8/30 [90/286720] via 10.0.1.254, 00:22:55, FastEthernet0/1
D       10.0.2.12/30 [90/286720] via 10.0.1.254, 00:22:55, FastEthernet0/1
C       10.10.1.0/30 is directly connected, Tunnel0
C       10.10.2.0/30 is directly connected, Tunnel1
     172.16.0.0/24 is subnetted, 1 subnets
D       172.16.0.0 [90/35840] via 10.0.1.254, 00:22:55, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/289280] via 10.0.1.254, 00:22:55, FastEthernet0/1
D    192.168.3.0/24 [90/289280] via 10.0.1.254, 00:22:55, FastEthernet0/1
Rosario#
Cordoba#sh ip route
---abridged---
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D       10.0.1.0/24 [90/33280] via 10.0.2.9, 00:28:55, FastEthernet0/1
D       10.0.2.0/30 [90/30720] via 10.0.2.9, 00:28:55, FastEthernet0/1
D       10.0.2.4/30 [90/30720] via 10.0.2.9, 00:28:55, FastEthernet0/1
C       10.0.2.8/30 is directly connected, FastEthernet0/1
D       10.0.2.12/30 [90/284160] via 10.0.2.9, 00:28:55, FastEthernet0/1
C       10.10.1.0/30 is directly connected, Tunnel0
D       10.10.2.0/30 [90/28160000] via 10.10.1.1, 00:07:53, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
D       172.16.0.0 [90/33280] via 10.0.2.9, 00:28:55, FastEthernet0/1
D    192.168.1.0/24 [90/26882560] via 10.10.1.1, 00:07:53, Tunnel0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
D    192.168.3.0/24 [90/28162560] via 10.10.1.1, 00:06:42, Tunnel0
Cordoba#
Mendoza#sh ip route
---abridged---
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D       10.0.1.0/24 [90/33280] via 10.0.2.13, 00:27:28, FastEthernet0/1
D       10.0.2.0/30 [90/30720] via 10.0.2.13, 00:27:28, FastEthernet0/1
D       10.0.2.4/30 [90/30720] via 10.0.2.13, 00:27:28, FastEthernet0/1
D       10.0.2.8/30 [90/284160] via 10.0.2.13, 00:27:28, FastEthernet0/1
C       10.0.2.12/30 is directly connected, FastEthernet0/1
D       10.10.1.0/30 [90/28160000] via 10.10.2.1, 00:05:14, Tunnel0
C       10.10.2.0/30 is directly connected, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
D       172.16.0.0 [90/33280] via 10.0.2.13, 00:27:28, FastEthernet0/1
D    192.168.1.0/24 [90/26882560] via 10.10.2.1, 00:05:14, Tunnel0
D    192.168.2.0/24 [90/28162560] via 10.10.2.1, 00:05:14, Tunnel0
C    192.168.3.0/24 is directly connected, FastEthernet0/0
Mendoza#
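What the tunnel commands above produce on the wire, as an added example that is not part of the original lab: each packet between the LANs is wrapped in a 4-byte GRE header (IP protocol 47) inside a new IPv4 header whose source is the `tunnel source` address and whose destination is the `tunnel destination` address. The Python below builds and parses such a packet so that the outer 3-tuple, the only thing Rosario's inbound WAN ACL on fa0/1 can match, is shown next to the inner addresses, which the WAN routers never route on. The Córdoba host 192.168.2.10 and the ICMP payload are constructed (its ICMP checksum is not computed), and all function names are the example's own.

```python
"""GRE encapsulation as seen from the WAN side (added example, not part of the original lab)."""
import struct
import ipaddress

GRE_PROTO = 47          # IP protocol number of GRE, what 'permit gre' matches on
PROTO_ICMP = 1
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); a corrupted header checksum is rejected."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, proto, packet[ihl:total_len]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """RFC 2784 GRE with no optional fields: flags/version = 0, protocol type = IPv4."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, GRE_PROTO, gre_hdr + inner_packet)


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; return (outer_src, outer_dst, inner_packet)."""
    outer_src, outer_dst, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet (protocol %d)" % proto)
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer_src, outer_dst, payload[4:]


def wan_view(packet: bytes):
    """The 3-tuple Rosario's inbound WAN ACL on fa0/1 evaluates: outer src, outer dst, IP protocol."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto


def demo():
    """Constructed sample: a ping from a Córdoba host (192.168.2.10, assumed) to the Rosario
    server 192.168.1.11, carried through Tunnel0 (10.0.2.10 -> 10.0.1.1)."""
    inner = build_ipv4("192.168.2.10", "192.168.1.11", PROTO_ICMP, b"\x08\x00\x00\x00ping")
    wire = gre_encapsulate("10.0.2.10", "10.0.1.1", inner)
    outer = wan_view(wire)                       # the ACL sees ('10.0.2.10', '10.0.1.1', 47)
    _, _, inner_back = gre_decapsulate(wire)     # what Rosario routes after decapsulation
    isrc, idst, iproto, _ = parse_ipv4(inner_back)
    return outer, (isrc, idst, iproto)


if __name__ == "__main__":
    print(demo())
```

The outer header is why the WAN ACL needs one `permit gre host <peer> host 10.0.1.1` per branch and nothing about the 192.168.x.0 networks: those addresses only exist inside the GRE payload, which the ACL on fa0/1 does not look into.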
Filtering ACL
Rosario(config)#ip access-list ext WAN
Rosario(config-ext-nacl)#permit eigrp any any (for convergence of the WAN cloud)
Rosario(config-ext-nacl)#permit gre host 10.0.2.10 host 10.0.1.1 (accepts GRE packets from Córdoba)
Rosario(config-ext-nacl)#permit gre host 10.0.2.14 host 10.0.1.1 (accepts GRE packets from Mendoza)
Rosario(config-ext-nacl)#permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443 (point 1 of the requirements)
Rosario(config-ext-nacl)#permit udp host 10.0.2.6 host 10.0.1.11 eq 514 (syslog messages sent by the Contratistas router)
Rosario(config-ext-nacl)#permit udp host 10.0.2.6 host 10.0.1.11 eq 123 (NTP synchronization of the Contratistas router)
Rosario(config-ext-nacl)#permit tcp host 10.0.2.6 eq 23 host 10.0.1.123 (return traffic for point 5 of the requirements)
Rosario(config-ext-nacl)#deny ip any any (explicit, for monitoring)
Rosario(config-ext-nacl)#exit
Rosario(config)#int fa0/1
Rosario(config-if)#ip access-group WAN in (applied inbound on the outside interface)
Rosario(config-if)#^Z
Rosario#
Counter-tests
1. Only HTTPS, not HTTP
2. Only IP 192.168.1.10 (translated to 10.0.1.10)
3. Only IP 192.168.1.10 (translated to 10.0.1.10)
4. Only IP 192.168.1.10 (translated to 10.0.1.10)
5. No other protocol
PC>ping 10.0.1.10
Pinging 10.0.1.10 with 32 bytes of data:
Reply from 10.0.1.1: Destination host unreachable.
Reply from 10.0.1.1: Destination host unreachable.
Reply from 10.0.1.1: Destination host unreachable.
Reply from 10.0.1.1: Destination host unreachable.
Ping statistics for 10.0.1.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
6. The required protocols are configured
Contratista(config)#logg on (enables sending syslog messages)
Contratista(config)#logg host 10.0.1.11 (defines the syslog server)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.1.11 port 514 started - CLI initiated
Contratista(config)#service timestamps log datetime msec
Contratista(config)#ntp server 10.0.1.11
Contratista(config)#ena secret Enable123 (required for privileged access over Telnet)
Contratista(config)#line vty 0 4
Contratista(config-line)#password cisco
Contratista(config-line)#login (enables Telnet for administration from the IT department PC)
Contratista(config-line)#^Z
Contratista#sh clock
*9:44:51.703 UTC Lun Mar 25 2013
Contratista#
7. Tests
Rosario(config)#ip nat inside source static 192.168.1.123 10.0.1.123 (enables NAT so the PC reaches the WAN with a masked IP, for security)
PC>telnet 10.0.2.6
Trying 10.0.2.6 ...Open
User Access Verification
Password: ***** (cisco)
Contratista>ena
Password: ******** (Enable123)
Contratista#sh user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:15
*  67 vty 0               idle                 00:00:00 10.0.1.123 (the 192... IP masked as 10...)
Contratista#sh ip route (verification that the 192.168.1.0 network does not exist for this router)
---abridged---
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D       10.0.1.0/24 [90/33280] via 10.0.2.5, 11:59:36, FastEthernet0/1
D       10.0.2.0/30 [90/30720] via 10.0.2.5, 11:59:36, FastEthernet0/1
C       10.0.2.4/30 is directly connected, FastEthernet0/1
D       10.0.2.8/30 [90/284160] via 10.0.2.5, 11:59:36, FastEthernet0/1
D       10.0.2.12/30 [90/284160] via 10.0.2.5, 11:59:36, FastEthernet0/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet0/0
Contratista#
Rosario#sh access-lists (verification)
Extended IP access list WAN
    permit eigrp any any (182 match(es))
    permit gre host 10.0.2.10 host 10.0.1.1 (190 match(es))
    permit gre host 10.0.2.14 host 10.0.1.1 (190 match(es))
    permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443 (49 match(es)) (tests from Contratista)
    permit udp host 10.0.2.6 host 10.0.1.11 eq 514 (5 match(es)) (syslog from Contratista)
    permit udp host 10.0.2.6 host 10.0.1.11 eq 123 (3 match(es)) (clock synchronization from Contratista)
    permit tcp host 10.0.2.6 eq telnet host 10.0.1.123 (48 match(es)) (tests from Contratista)
    deny ip any any (96 match(es)) (tests from Contratista)
Rosario#
Cordoba(config)#ip access-list ext FILTRO
Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 80 (point 2 of the requirements)
Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443 (point 2 of the requirements)
Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 21 (point 3 of the requirements)
Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20 (FTP DATA transfer port)
Cordoba(config-ext-nacl)#deny ip any any (explicit, for monitoring)
Cordoba(config-ext-nacl)#exit
Cordoba(config)#int fa0/0
Cordoba(config-if)#ip access-group FILTRO in (applies the ACL on the interface)
Cordoba(config-if)#exit
Cordoba(config)#ntp server 192.168.1.11 (enables NTP to synchronize the clocks)
Cordoba(config)#logg on (enables sending syslog messages)
Cordoba(config)#logg trap deb (sets the maximum detail level for the messages; the only one available in Packet Tracer)
Cordoba(config)#logg host 192.168.1.11 (defines the syslog server)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated
Cordoba(config)#service timestamps log datetime msec (adds a millisecond timestamp to each syslog message)
Cordoba(config)#^Z
Cordoba#
Mendoza(config)#ip access-list ext FILTRO
Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 80 (point 4 of the requirements)
Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443 (point 4 of the requirements)
Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 21 (point 5 of the requirements)
Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20 (FTP DATA transfer port)
Mendoza(config-ext-nacl)#deny ip any any (explicit, for monitoring)
Mendoza(config-ext-nacl)#exit
Mendoza(config)#int fa0/0
Mendoza(config-if)#ip access-group FILTRO in
Mendoza(config-if)#exit
Mendoza(config)#ntp server 192.168.1.11 (enables NTP to synchronize the clocks)
Mendoza(config)#logg on (enables sending syslog messages)
Mendoza(config)#logg trap deb (sets the maximum detail level for the messages; the only one available in Packet Tracer)
Mendoza(config)#logg host 192.168.1.11 (defines the syslog server)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated
Mendoza(config)#service timestamps log datetime msec (adds a millisecond timestamp to each syslog message)
Mendoza(config)#^Z
For the tests from Córdoba and Mendoza we must disable NAT inside, since Packet Tracer does not allow it to be enabled on the tunnel interfaces.
Rosario(config)#int fa0/0
Rosario(config-if)#no ip nat inside (Contratista will stop working)
Rosario(config-if)#^Z
Rosario#
We verify on a real Cisco 1841
Concentrador_VPN(config)#int tunnel 0
Concentrador_VPN(config-if)#ip nat inside (NAT is supported here)
Concentrador_VPN(config-if)#description Tunel hacia Cordoba (descriptions are supported; Packet Tracer does not support them)
Concentrador_VPN(config-if)#bandwidth 4000 (defines the link speed, 9 Kbps by default; it only affects EIGRP, not the real speed of the link, see CCNA 2)
Concentrador_VPN(config-if)#end
Back to Packet Tracer...
Cordoba#sh access-lists (test ALL the possibilities until every ACE shows a match)
Extended IP access list FILTRO
    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq www (44 match(es))
    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443 (106 match(es))
    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq ftp (11 match(es))
    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20 (no matches, but that is Packet Tracer)
    deny ip any any (46 match(es))
Cordoba#
Cordoba#sh clock (verifies NTP)
*11:53:57.891 UTC Lun Mar 25 2013
Cordoba#
Mendoza#sh access-lists (test ALL the possibilities until every ACE shows a match)
Extended IP access list FILTRO
    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq www (36 match(es))
    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443 (39 match(es))
    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq ftp (12 match(es))
    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20 (no matches, but that is Packet Tracer)
    deny ip any any (86 match(es))
Mendoza#
Mendoza#sh clock (verifies NTP)
*11:53:33.751 UTC Lun Mar 25 2013
Mendoza#
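The WAN ACL on Rosario and the FILTRO ACLs on the branches are evaluated the same way: top down, first match wins, and anything that matches nothing hits the implicit deny, which the author writes out explicitly to get a counter for it. The Python below is an added example and not part of the original lab: it parses the ACEs exactly as typed above (wildcard masks, `host`, `any`, `eq` with the port keywords IOS prints) and runs the counter-tests against them, contractor HTTPS versus HTTP, the ping, GRE from each peer, the telnet reply to the admin PC, and the Córdoba HTTP and FTP cases, keeping a per-ACE match counter like `sh access-lists`. The hosts 172.16.0.5 and 192.168.2.10 and all client-side ports are constructed; the function names are the example's own.

```python
"""First-match evaluator for IOS extended ACLs (added example, not from the original lab)."""
import ipaddress

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88}  # 'ip' = any
PORT_NAME = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80, "ntp": 123, "syslog": 514}

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip2int(tokens[i + 1]), 0), i + 2
    return (ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2

def parse_port(tokens, i):
    """Optional 'eq <port>' (gt/lt/range are not handled by this toy)."""
    if i < len(tokens) and tokens[i] == "eq":
        return PORT_NAME.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse one ACE such as 'permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443'."""
    t = line.split()
    src, i = parse_addr(t, 2)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"action": t[0], "proto": PROTO_NUM[t[1]], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line, "matches": 0}

def addr_matches(spec, addr):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'ignore this bit'."""
    base, wild = spec
    return ((ip2int(addr) ^ base) & (~wild & 0xFFFFFFFF)) == 0

def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def evaluate(acl, pkt):
    """Top-down, first match wins and bumps that ACE's counter; no match -> the implicit deny."""
    for ace in acl:
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if not (addr_matches(ace["src"], pkt["src"]) and addr_matches(ace["dst"], pkt["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        ace["matches"] += 1
        return ace["action"]
    return "deny"

def show_access_list(acl):
    """(ACE text, match count) per entry: the information 'sh access-lists' prints."""
    return [(ace["text"], ace["matches"]) for ace in acl]

# ACL WAN, inbound on Rosario fa0/1, exactly as typed in the lab
WAN = [parse_ace(l) for l in (
    "permit eigrp any any",
    "permit gre host 10.0.2.10 host 10.0.1.1",
    "permit gre host 10.0.2.14 host 10.0.1.1",
    "permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443",
    "permit udp host 10.0.2.6 host 10.0.1.11 eq 514",
    "permit udp host 10.0.2.6 host 10.0.1.11 eq 123",
    "permit tcp host 10.0.2.6 eq 23 host 10.0.1.123",
    "deny ip any any")]

# ACL FILTRO, inbound on Cordoba fa0/0, as typed in the lab
FILTRO_CORDOBA = [parse_ace(l) for l in (
    "permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq www",
    "permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443",
    "permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq ftp",
    "permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20",
    "deny ip any any")]

def counter_tests():
    """The lab's counter-tests as packets; hosts 172.16.0.5, 192.168.2.10 and client ports are constructed."""
    return {
        "contractor https to 10.0.1.10": evaluate(WAN, packet(6, "172.16.0.5", "10.0.1.10", 40000, 443)),
        "contractor http to 10.0.1.10": evaluate(WAN, packet(6, "172.16.0.5", "10.0.1.10", 40001, 80)),
        "contractor https to 10.0.1.11": evaluate(WAN, packet(6, "172.16.0.5", "10.0.1.11", 40002, 443)),
        "contractor ping to 10.0.1.10": evaluate(WAN, packet(1, "172.16.0.5", "10.0.1.10")),
        "gre from Cordoba": evaluate(WAN, packet(47, "10.0.2.10", "10.0.1.1")),
        "gre from Contratista": evaluate(WAN, packet(47, "10.0.2.6", "10.0.1.1")),
        "telnet reply to admin PC": evaluate(WAN, packet(6, "10.0.2.6", "10.0.1.123", 23, 51000)),
        "cordoba http to .11": evaluate(FILTRO_CORDOBA, packet(6, "192.168.2.10", "192.168.1.11", 40003, 80)),
        "cordoba http to .13": evaluate(FILTRO_CORDOBA, packet(6, "192.168.2.10", "192.168.1.13", 40004, 80)),
        "cordoba active ftp data, client side": evaluate(FILTRO_CORDOBA, packet(6, "192.168.2.10", "192.168.1.12", 40005, 20)),
        "cordoba passive ftp data": evaluate(FILTRO_CORDOBA, packet(6, "192.168.2.10", "192.168.1.12", 40006, 50000)),
    }

if __name__ == "__main__":
    for name, verdict in counter_tests().items():
        print("%-40s %s" % (name, verdict))
```

Two things the counters on the page cannot show. `permit tcp host 10.0.2.6 eq 23 host 10.0.1.123` is stateless: it lets through any segment from 10.0.2.6 with source port 23 towards 10.0.1.123 whether or not the PC opened the session (on IOS the `established` keyword, or a stateful inspection feature, narrows that). And the `eq 20` entry of FILTRO matches the client's own segments of an active-mode FTP data connection, which the server opens from port 20, whereas a passive-mode data connection goes to a high server port negotiated on the control channel, which FILTRO denies.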
Verify syslog on the syslog server
The finishing touch for CCNASec
Since this is the last lab of the course, ideally it would be configured applying what was learned in every module; although the module 2 and 3 steps on passwords and AAA were omitted, here I apply what was learned in module 6 (layer 2 security).
Switch#sh ip int bri (we check the connections)
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual up                    up
FastEthernet0/4        unassigned      YES manual up                    up
FastEthernet0/5        unassigned      YES manual up                    up
FastEthernet0/6        unassigned      YES manual down                  down
FastEthernet0/7        unassigned      YES manual down                  down
FastEthernet0/8        unassigned      YES manual down                  down
FastEthernet0/9        unassigned      YES manual down                  down
FastEthernet0/10       unassigned      YES manual down                  down
FastEthernet0/11       unassigned      YES manual down                  down
FastEthernet0/12       unassigned      YES manual down                  down
FastEthernet0/13       unassigned      YES manual down                  down
FastEthernet0/14       unassigned      YES manual down                  down
FastEthernet0/15       unassigned      YES manual down                  down
FastEthernet0/16       unassigned      YES manual down                  down
FastEthernet0/17       unassigned      YES manual down                  down
FastEthernet0/18       unassigned      YES manual down                  down
FastEthernet0/19       unassigned      YES manual down                  down
FastEthernet0/20       unassigned      YES manual down                  down
FastEthernet0/21       unassigned      YES manual down                  down
FastEthernet0/22       unassigned      YES manual down                  down
FastEthernet0/23       unassigned      YES manual down                  down
FastEthernet0/24       unassigned      YES manual up                    up
GigabitEthernet1/1     unassigned      YES manual down                  down
GigabitEthernet1/2     unassigned      YES manual down                  down
Vlan1                  unassigned      YES manual administratively down down
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan 1
Switch(config-if)#ip add 192.168.1.254 255.255.255.0
Switch(config-if)#no shut
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#exit
Switch(config)#logg on (enables syslog)
Switch(config)#log host 192.168.1.11 (sends the traps to this server)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated
Switch(config)#service timestamps log datetime msec (leaves a millisecond timestamp in the logs)
Switch(config)#int range fa0/1-5 , fa0/24 (ports in use)
Switch(config-if-range)#spanning-tree portfast (brings the port up without the 50-second wait)
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 6 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch(config-if-range)#spanning-tree bpduguard enable (against accidental connections to another switch)
Switch(config-if-range)#storm-control broadcast level 10 (prevents ARP or other broadcast storms)
Switch(config-if-range)#switchport port-security (enables port security)
Switch(config-if-range)#switchport port-security mac-address sticky (learns the MAC of whatever is connected)
Switch(config-if-range)#switchport port-security violation shut (shuts the port down if something else is connected)
Switch(config-if-range)#exit
Switch(config)#int range fa0/6-23 (unused ports)
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 18 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch(config-if-range)#spanning-tree bpduguard enable
Switch(config-if-range)#storm-control broadcast level 10
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security violation shut
Switch(config-if-range)#shut (we shut the ports down to prevent covert connections)
Switch(config-if-range)#
Switch#
Device configurations
Rosario#sh runn
Building configuration...
Current configuration : 1566 bytes
!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Rosario
!
interface Tunnel0
 ip address 10.10.1.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.2.10
!
!
interface Tunnel1
 ip address 10.10.2.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.2.14
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip access-group WAN in
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 10.0.1.0 0.0.0.255
 auto-summary
!
router eigrp 101
 network 192.168.1.0
 network 10.10.1.0 0.0.0.3
 network 10.10.2.0 0.0.0.3
 no auto-summary
!
ip nat inside source static 192.168.1.10 10.0.1.10
ip nat inside source static 192.168.1.11 10.0.1.11
ip nat inside source static 192.168.1.12 10.0.1.12
ip nat inside source static 192.168.1.13 10.0.1.13
ip nat inside source static 192.168.1.123 10.0.1.123
ip classless
!
!
ip access-list extended WAN
 permit eigrp any any
 permit gre host 10.0.2.10 host 10.0.1.1
 permit gre host 10.0.2.14 host 10.0.1.1
 permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443
 permit udp host 10.0.2.6 host 10.0.1.11 eq 514
 permit udp host 10.0.2.6 host 10.0.1.11 eq 123
 permit tcp host 10.0.2.6 eq telnet host 10.0.1.123
 deny ip any any
!
logging trap debugging
logging 192.168.1.11
line con 0
line vty 0 4
 login
!
end
Rosario#
Cordoba#sh runn
Building configuration...
Current configuration : 1206 bytes
!
version 12.4
service timestamps log datetime msec
service timestamps debug datetime msec
no service password-encryption
!
hostname Cordoba
!
spanning-tree mode pvst
!
interface Tunnel0
 ip address 10.10.1.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.1.1
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip access-group FILTRO in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.2.10 255.255.255.252
 duplex auto
 speed auto
 ipv6 ospf cost 1
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 10.0.2.8 0.0.0.3
 no auto-summary
!
router eigrp 101
 network 10.10.1.0 0.0.0.3
 network 192.168.2.0
 no auto-summary
!
ip classless
ip route 1.1.1.1 255.255.255.255 10.0.1.1
!
!
ip access-list extended FILTRO
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq www
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq ftp
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20
 deny ip any any
!
logging trap debugging
logging 192.168.1.11
line con 0
line vty 0 4
 login
 password cisco
!
!
ntp server 192.168.1.11 key 0
!
end
Cordoba#
Contratista#sh runn
Building configuration...
Current configuration : 722 bytes
!
version 12.4
service timestamps log datetime msec
service timestamps debug datetime msec
no service password-encryption
!
hostname Contratista
!
enable secret 5 $1$mERr$CVt1iC2Sl8WrHliCrDS/m/
!
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.2.6 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.0.2.4 0.0.0.3
 no auto-summary
!
ip classless
!
!
logging trap debugging
logging 10.0.1.11
line con 0
line vty 0 4
 password cisco
 login
!
!
ntp server 10.0.1.11 key 0
!
end
Contratista#
Mendoza#sh runn
Building configuration...
Current configuration : 1164 bytes
!
version 12.4
service timestamps log datetime msec
service timestamps debug datetime msec
no service password-encryption
!
hostname Mendoza
!
!
spanning-tree mode pvst
!
interface Tunnel0
 ip address 10.10.2.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.1.1
!
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip access-group FILTRO in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.2.14 255.255.255.252
 duplex auto
 speed auto
 ipv6 ospf cost 1
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 10.0.2.12 0.0.0.3
 no auto-summary
!
router eigrp 101
 network 10.10.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip classless
!
!
ip access-list extended FILTRO
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq www
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq ftp
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20
 deny ip any any
!
!
logging trap debugging
logging 192.168.1.11
line con 0
line vty 0 4
 login
!
!
ntp server 192.168.1.11 key 0
!
end
Mendoza#
Switch#sh runn
Building configuration...
Current configuration : 6070 bytes
!
version 12.2
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0090.213B.205B
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.2F6B.ED04
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00E0.8FD2.B042
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0010.1190.67B8
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000C.CF5A.9328
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/13
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/14
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/16
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/17
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/22
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/23
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/24
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0030.A347.9601
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
logging 192.168.1.11
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end
Switch#
(2013) Networking may burn some minds
Rosario, Argentina