Custom training course for the systems area of NNN (confidential)

5 Jan to 27 Jan 2010, local Cisco Academy, Rosario

Instructor: Ernesto Vilarrasa

Administration / Spanning tree / VLAN / Wireless LAN / Security

Inter-VLAN communication:

 

 

Suppose we need to scale our network to more devices by adding another switch, and we need to connect our servers to a core switch; the topology would then look as follows:

We add a multilayer switch to the topology. It has routing functionality, so on the new switch we should configure:

 

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname SW_LAYER3
SW_LAYER3(config)#vtp domain cisco
Changing VTP domain name from NULL to cisco
SW_LAYER3(config)#vtp pass cisco
Setting device VLAN database password to cisco
SW_LAYER3(config)#vtp mode client          <-- we set client mode so it receives information about the existing VLANs
Setting device to VTP CLIENT mode.
SW_LAYER3(config)#int gig0/1               <-- we define a trunk uplink
SW_LAYER3(config-if)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
SW_LAYER3(config-if)#^Z
SW_LAYER3#
SW_LAYER3#sh vlan                          <-- we verify that the VLANs were learned automatically

 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/2
10   vlan10                           active
20   vlan20                           active
30   seguridad                        active
50   pruebas                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0

 

SW_LAYER3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW_LAYER3(config)#vtp mode server          <-- we now redefine the core switch as the VTP server
Setting device to VTP SERVER mode.
SW_LAYER3(config)#int vlan 10              <-- we assign an IP address to each VLAN; it will be the default gateway of the hosts in that VLAN
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW_LAYER3(config-if)#ip add 192.168.10.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 20
%LINK-5-CHANGED: Interface Vlan20, changed state to up
SW_LAYER3(config-if)#ip add 192.168.20.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 50
%LINK-5-CHANGED: Interface Vlan50, changed state to up
SW_LAYER3(config-if)#ip add 192.168.50.1 255.255.255.0
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#ip routing               <-- we enable layer 3 routing

SW_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW_1(config)#vtp mode client               <-- we now redefine this switch as a VTP client; remember that the VTP server is SW_LAYER3
Setting device to VTP CLIENT mode.
SW_1(config)#^Z
SW_1#

 

End-to-end connectivity verification:

PC>tracert 192.168.20.2

Tracing route to 192.168.20.2 over a maximum of 30 hops:

  1   109 ms    62 ms     63 ms     192.168.10.1
  2   *         110 ms    125 ms    192.168.20.2

Trace complete.

 

To make this genuinely useful, we can configure parameters to filter unwanted traffic:

Preliminary verification:

PC>
PC>ping 192.168.10.2                       <-- we have connectivity between hosts in VLAN 10 and VLAN 20

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=110ms TTL=127
Reply from 192.168.10.2: bytes=32 time=111ms TTL=127

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 110ms, Maximum = 125ms, Average = 117ms

 

SW_LAYER3#                                 <-- we apply an ACL that permits only ICMP traffic from this host to one specific host
SW_LAYER3#conf t
SW_LAYER3(config)#access-list 101 permit icmp host 192.168.20.2 host 192.168.10.2
SW_LAYER3(config)#int vlan 10              <-- we assign it to the corresponding VLAN
SW_LAYER3(config-if)#ip access-group 101 out
SW_LAYER3(config-if)#^Z
SW_LAYER3#
SW_LAYER3#sh access-lists 101              <-- we verify that it works
Extended IP access list 101
    permit icmp host 192.168.20.2 host 192.168.10.2 (8 match(es))
SW_LAYER3#

 

Verifying that traffic is blocked:

PC>ipconfig

IP Address......................: 192.168.20.3      <-- this is a different host
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1

PC>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.
Reply from 192.168.20.1: Destination host unreachable.   <-- ping rejected

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Verifying permitted traffic:

PC>ipconfig

IP Address......................: 192.168.20.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1

PC>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=125ms TTL=127
Reply from 192.168.10.2: bytes=32 time=95ms TTL=127
Reply from 192.168.10.2: bytes=32 time=78ms TTL=127
Reply from 192.168.10.2: bytes=32 time=109ms TTL=127

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 78ms, Maximum = 125ms, Average = 101ms

PC>
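The following Python model is an added example, not part of the course notes or of the switch's own behaviour. It parses the page's `access-list 101` line, applies it outbound on the Vlan10 SVI exactly as `ip access-group 101 out` does, and reproduces the two results shown above (192.168.20.2 permitted, 192.168.20.3 rejected). It also goes one step beyond the page: because the ACL sits on the egress SVI of VLAN 10 with the implicit deny at its end, a host in VLAN 10 that pings 192.168.20.3 fails as well, since the echo reply is dropped on its way back. The wildcard-mask and `any` parsing is an assumption added so the parser covers more than the single line on the page; the 192.168.50.5 host used in the test is constructed.

```python
# Added example (not part of the course notes): a small model of how the
# extended ACL 101 from the page behaves when applied outbound on the
# Vlan10 SVI of SW_LAYER3. Addresses, VLANs and the ACL line are the ones
# on the page; the IOS subset parsed here (host/any/wildcard specs) is an
# assumption chosen to cover the page's command and a bit more.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    protocol: str        # "ip" matches every protocol; otherwise exact match
    src: IPv4Network
    dst: IPv4Network


def _parse_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = IPv4Address((~int(IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ip_network((addr, str(mask)), strict=False), tokens[2:]


def parse_acl_line(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' into (n, entry)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACL syntax: " + line)
    src, rest = _parse_spec(tok[4:])
    dst, rest = _parse_spec(rest)
    return int(tok[1]), AclEntry(tok[2], tok[3], src, dst)


def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if entry.protocol not in ("ip", proto):
            continue
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


# Topology from the page: one SVI per VLAN on SW_LAYER3.
VLAN_SUBNETS = {
    "Vlan10": ip_network("192.168.10.0/24"),
    "Vlan20": ip_network("192.168.20.0/24"),
    "Vlan50": ip_network("192.168.50.0/24"),
}
ACLS = {}
_number, _entry = parse_acl_line(
    "access-list 101 permit icmp host 192.168.20.2 host 192.168.10.2")
ACLS.setdefault(_number, []).append(_entry)
# "ip access-group 101 out" entered under "interface vlan 10"
OUTBOUND_ACL = {"Vlan10": 101}


def egress_svi(dst):
    """The SVI a routed packet leaves through is the one whose subnet holds dst."""
    for name, net in VLAN_SUBNETS.items():
        if ip_address(dst) in net:
            return name
    return None


def forward(proto, src, dst):
    """Route one packet through SW_LAYER3, applying the egress SVI's outbound ACL."""
    svi = egress_svi(dst)
    if svi is None:
        return "deny"                 # no route in this model
    acl_number = OUTBOUND_ACL.get(svi)
    if acl_number is None:
        return "permit"               # no ACL bound to that SVI
    return evaluate(ACLS[acl_number], proto, src, dst)


def ping(src, dst):
    """A ping succeeds only if the echo request AND the echo reply are forwarded."""
    if forward("icmp", src, dst) != "permit":
        return "unreachable"          # what the PC shows as 'Destination host unreachable'
    if forward("icmp", dst, src) != "permit":
        return "timeout"              # request delivered, reply filtered on the way back
    return "reply"


if __name__ == "__main__":
    for s, d in (("192.168.20.2", "192.168.10.2"), ("192.168.20.3", "192.168.10.2"),
                 ("192.168.10.2", "192.168.20.3")):
        print(f"ping {s} -> {d}: {ping(s, d)}")
```

Run it as a script to see the three cases; the third one is the return-path failure the page does not show, which is the usual surprise when an ACL is bound outbound on a single SVI instead of inbound on the VLAN where the restricted hosts live.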

 

Inter-VLAN routing through a router: one option is to connect a router with one interface in each VLAN, or with a single interface using 802.1Q tagging and one subinterface configured per VLAN.

SW_LAYER3#conf t
SW_LAYER3(config)#int gi0/2                <-- we configure an uplink towards the router
SW_LAYER3(config-if)#switchport mode trunk
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 10              <-- we remove the IP addresses from the VLAN interfaces
SW_LAYER3(config-if)#no ip address
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#int vlan 20
SW_LAYER3(config-if)#no ip address
SW_LAYER3(config-if)#exit
SW_LAYER3(config)#^Z

 

We configure the router:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fast 0/0                <-- we make sure this interface will not work as a normal interface
Router(config-if)#no ip address
Router(config-if)#int fast0/0.10           <-- we create one subinterface per VLAN
Router(config-subif)#encapsulation dot1q 10          <-- we configure 802.1Q tagging
Router(config-subif)#ip address 192.168.10.1 255.255.255.0    <-- we assign an IP address for the corresponding VLAN
Router(config-subif)#exit
Router(config)#int fast0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fast0/0.50              <-- here we see that 802.1Q must be configured first, and only then an IP address assigned
Router(config-subif)#ip address 192.168.50.1 255.255.255.0

% Configuring IP routing on a LAN subinterface is only allowed if that
subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q,
or ISL vLAN.

Router(config-subif)#encapsulation dot1q 50
Router(config-subif)#ip address 192.168.50.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fast 0/0
Router(config-if)#no shut                  <-- we enable the interface

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.10, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.20, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0.50, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.50, changed state to up
Router(config-if)#^Z
Router#

 

We verify inter-VLAN connectivity:

PC>ipconfig

IP Address......................: 192.168.20.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.20.1

PC>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=187ms TTL=127
Reply from 192.168.10.2: bytes=32 time=156ms TTL=127
Reply from 192.168.10.2: bytes=32 time=158ms TTL=127
Reply from 192.168.10.2: bytes=32 time=157ms TTL=127

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 156ms, Maximum = 187ms, Average = 164ms

PC>
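To make concrete what `encapsulation dot1q 10` on a subinterface actually matches, here is an added Python example (not from the course notes or from Cisco) that builds and parses 802.1Q-tagged Ethernet frames and maps the VLAN ID in the tag to the subinterfaces configured on the router above. The MAC addresses and payload are constructed sample values; only the subinterface names and VLAN IDs come from the page. Untagged frames and frames for VLAN IDs with no subinterface (for example VLAN 30, which exists on the switch but was never given a subinterface) map to nothing, which is why such traffic is not routed by this configuration.

```python
# Added example (not part of the course notes): building and parsing
# 802.1Q-tagged Ethernet frames, to show what "encapsulation dot1q <vlan>"
# on a subinterface matches on the wire. MAC addresses and payload are
# constructed sample values; the subinterface names are the ones configured
# on the page's router.
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Return an Ethernet frame; when vlan_id is given, insert an 802.1Q tag after the MACs."""
    frame = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # TCI: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode MACs, optional 802.1Q tag, EtherType and payload from raw bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": _mac_str(dst), "src": _mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Router configuration from the page: one dot1q subinterface per VLAN.
SUBINTERFACES = {10: "FastEthernet0/0.10", 20: "FastEthernet0/0.20", 50: "FastEthernet0/0.50"}


def ingress_subinterface(frame):
    """Which subinterface accepts this frame arriving on FastEthernet0/0?
    Untagged frames and unknown VLAN IDs have no matching dot1q subinterface
    in this router-on-a-stick setup, so they are not routed (None)."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return None
    return SUBINTERFACES.get(info["vlan"]["vid"])


# Constructed sample frames (the payload is not a real IP packet).
SAMPLE_PAYLOAD = b"constructed IPv4 packet bytes"
SAMPLE_TAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                            ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=10)
SAMPLE_UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                              ETHERTYPE_IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, f in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        print(name, parse_frame(f), "->", ingress_subinterface(f))
```

The four extra bytes between the source MAC and the EtherType are the whole difference between a frame the switch sends over the `switchport mode trunk` uplink and one it would send on an access port; the router's subinterface selection reads only the 12-bit VID field of those bytes.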

 

 

www.vilarrasa.com.ar (2010)
Rosario, Argentina