January 5 to January 27, 2010, Cisco Local Academy, Rosario
Instructor: Ernesto Vilarrasa
Administration / Spanning Tree /
VLAN / Wireless
LAN / Security
Part 3
Inter-VLAN communication:
Suppose we have to scale our network to more devices through another switch, and we have to connect
our servers to a core switch; the topology would then look like this:
We add a multilayer switch to the topology. It has routing capabilities, so on the new switch we should
configure:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW_LAYER3
SW_LAYER3(config)#vtp domain cisco
Changing VTP domain name from NULL to cisco
SW_LAYER3(config)#vtp pass cisco
Setting device VLAN database password to cisco
SW_LAYER3(config)#vtp mode client   (we configure client mode to receive information about the existing VLANs)
Setting device to VTP CLIENT mode.
SW_LAYER3(config)#int gig0/1   (we define a trunk uplink)
SW_LAYER3(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
SW_LAYER3(config-if)#^Z
SW_LAYER3#
SW_LAYER3#sh vlan   (we verify the automatic VLAN configuration received through VTP)
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/2
10   vlan10                           active
20   vlan20                           active
30   seguridad                        active
50   pruebas                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
SW_LAYER3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW_LAYER3(config)#vtp mode server   (now we redefine the core switch as the VTP server)
Setting device to VTP SERVER mode.
SW_LAYER3(config)#int vlan 10   (we assign an IP address to each VLAN; it will be the default gateway of the hosts in that VLAN)
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW_LAYER3(config-if)#ip add 192.168.10.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 20
%LINK-5-CHANGED: Interface Vlan20, changed state to up
SW_LAYER3(config-if)#ip add 192.168.20.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 50
%LINK-5-CHANGED: Interface Vlan50, changed state to up
SW_LAYER3(config-if)#ip add 192.168.50.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#ip routing   (we enable layer 3 routing)
On SW_1:
SW_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW_1(config)#vtp mode client   (now we redefine this switch as a VTP client; remember that the VTP server is now SW_LAYER3)
Setting device to VTP CLIENT mode.
SW_1(config)#^Z
SW_1#
End-to-end connectivity check:
PC>tracert 192.168.20.2
Tracing route to 192.168.20.2 over a maximum of 30 hops:
  1   109 ms    62 ms    63 ms  192.168.10.1
  2     *      110 ms   125 ms  192.168.20.2
Trace complete.
To give the switch real functionality, we can configure parameters to filter unwanted traffic:
Preliminary check:
PC>
PC>ping 192.168.10.2   (a host in VLAN 20 reaches a host in VLAN 10)
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=110ms TTL=127
Reply from 192.168.10.2: bytes=32 time=111ms TTL=127
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 110ms, Maximum = 125ms, Average = 117ms
SW_LAYER3#   (we apply an ACL to permit only ICMP traffic from this host to one specific host)
SW_LAYER3#conf t
SW_LAYER3(config)#access-list 101 permit icmp host 192.168.20.2 host 192.168.10.2
SW_LAYER3(config)#int vlan 10   (we assign it to the corresponding VLAN interface)
SW_LAYER3(config-if)#ip access-group 101 out
SW_LAYER3(config-if)#^Z
SW_LAYER3#
SW_LAYER3#sh access-lists 101   (we verify that it works)
Extended IP access list 101
permit icmp host 192.168.20.2 host 192.168.10.2 (8 match(es))
SW_LAYER3#
Checking that traffic is blocked:
PC>ipconfig
IP Address......................: 192.168.20.3   (this is another host)
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1
PC>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.   (ping rejected)
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Checking permitted traffic:
PC>ipconfig
IP Address......................: 192.168.20.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1
PC>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=95ms TTL=127
Reply from 192.168.10.2: bytes=32 time=78ms TTL=127
Reply from 192.168.10.2: bytes=32 time=109ms TTL=127
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 78ms, Maximum = 125ms, Average = 101ms
PC>
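The following Python model of the ACL evaluation is an added example, not part of the original lab: it parses the access-list line exactly as entered on SW_LAYER3, applies IOS wildcard-mask semantics and the implicit deny that ends every ACL, and reproduces the two pings above (192.168.20.2 permitted, 192.168.20.3 denied). Function and variable names are my own; the implicit deny also drops all non-ICMP traffic toward VLAN 10, which the lab does not test.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "icmp", "tcp", "udp" or "ip" (ip matches every protocol)
    src: tuple         # (address, wildcard) as IOS stores it
    dst: tuple
    matches: int = 0   # what 'sh access-lists' reports as "(N match(es))"


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def _matches(spec, address):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    base, wildcard = spec
    return ((_ip(address) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (extended numbered ACL, no ports)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: " + line)
    rest = t[4:]
    return Ace(action=t[2], proto=t[3], src=_parse_addr(rest), dst=_parse_addr(rest))


def evaluate(acl, proto, src, dst):
    """First matching entry wins; anything matching nothing hits the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto in ("ip", proto) and _matches(ace.src, src) and _matches(ace.dst, dst):
            ace.matches += 1
            return ace.action
    return "deny"


# ACL 101 as entered on SW_LAYER3. It is applied 'out' on interface Vlan10, so the
# switch evaluates it only on traffic leaving the switch toward hosts in VLAN 10.
ACL_101 = [parse_ace("access-list 101 permit icmp host 192.168.20.2 host 192.168.10.2")]
```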
Inter-VLAN routing through a router: one option is to connect a router with one interface in each VLAN, or one interface with 802.1Q tagging and a subinterface configured for each VLAN.
SW_LAYER3#conf t
SW_LAYER3(config)#int gi0/2   (we configure an uplink toward the router)
SW_LAYER3(config-if)#switchport mode trunk
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 10   (we remove the IP addresses from the VLAN interfaces)
SW_LAYER3(config-if)#no ip address
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 20
SW_LAYER3(config-if)#no ip address
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#^Z
We configure the router:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fast 0/0   (we make sure this interface will not work as a normal interface)
Router(config-if)#no ip address
Router(config-if)#int fast0/0.10   (we create a subinterface for each VLAN)
Router(config-subif)#encapsulation dot1q 10   (we configure 802.1Q tagging)
Router(config-subif)#ip address 192.168.10.1 255.255.255.0   (we assign an IP address for the corresponding VLAN)
Router(config-subif)#exit
Router(config)#int fast0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fast0/0.50   (here we verify that 802.1Q must be configured first, and only then an IP address assigned)
Router(config-subif)#ip address 192.168.50.1 255.255.255.0
% Configuring IP routing on a LAN subinterface is only allowed if that
subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q,
or ISL vLAN.
Router(config-subif)#encapsulation dot1q 50
Router(config-subif)#ip address 192.168.50.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fast 0/0
Router(config-if)#no shut   (we enable the interface)
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.10, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.20, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.50, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.50, changed state to up
Router(config-if)#^Z
Router#
We verify inter-VLAN connectivity:
PC>ipconfig
IP Address......................: 192.168.20.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1
PC>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=187ms TTL=127
Reply from 192.168.10.2: bytes=32 time=156ms TTL=127
Reply from 192.168.10.2: bytes=32 time=158ms TTL=127
Reply from 192.168.10.2: bytes=32 time=157ms TTL=127
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 156ms, Maximum = 187ms, Average = 164ms
PC>
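To show what the router-on-a-stick configuration above relies on, here is an added Python example (not part of the original lab) that builds and parses 802.1Q-tagged Ethernet frames and maps the 12-bit VID to the subinterface bound by 'encapsulation dot1q'. The MAC addresses and payloads are constructed sample data, and the SUBINTERFACES table mirrors the router configuration in the lab.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_tagged_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0):
    """Ethernet II frame with an 802.1Q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


# 'encapsulation dot1q N' on the lab router binds VID N to subinterface Fa0/0.N
SUBINTERFACES = {
    10: ("FastEthernet0/0.10", "192.168.10.1"),
    20: ("FastEthernet0/0.20", "192.168.20.1"),
    50: ("FastEthernet0/0.50", "192.168.50.1"),
}


def dispatch(frame, subinterfaces=SUBINTERFACES):
    """Subinterface that receives this frame, or None: untagged frames land on Fa0/0, which has
    'no ip address', and a VID with no subinterface (e.g. VLAN 30) is not routed either."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return None
    return subinterfaces.get(vid)


# Constructed sample MAC addresses (not taken from the lab)
PC_MAC = bytes.fromhex("0200000000aa")
ROUTER_MAC = bytes.fromhex("0200000000bb")

if __name__ == "__main__":
    for vid in (10, 20, 30, 50):
        frame = build_tagged_frame(ROUTER_MAC, PC_MAC, vid, 0x0800, b"ipv4 payload")
        print("VID", vid, "->", dispatch(frame))
    print("untagged ->", dispatch(ROUTER_MAC + PC_MAC + struct.pack("!H", 0x0800) + b"x"))
```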
www.vilarrasa.com.ar
(2010)
Rosario, Argentina