GRE tunnel and ACL lab scenario for CCNA Security, Ctrl-F

Date: 22/3/2013

 

Scenario

 

The scenario was built in Packet Tracer and is available at ftp://ftp.vilarrasa.com.ar/ (user and password: ccna)

as Ejercicio 22 de Marzo CCNASec.pkt

 

In this scenario the Rosario network is hidden from the rest of the WAN behind NAT, unless it is entered

through GRE tunnels, since those terminate at two of the company's branch offices (Córdoba and Mendoza).

 

Instruction details:

 

1. Contractors: access only 192.168.1.10 via https (it has a port forwarding to 10.0.1.10 on the WAN network)

2. Cordoba: access only 192.168.1.11 via http or https

3.          only 192.168.1.12 via FTP

4. Mendoza: access only 192.168.1.13 via http or https

5.          only 192.168.1.12 via FTP

6. Syslog server: 192.168.1.11 (it has a port forwarding to 10.0.1.11 on the WAN network)

7. NTP server: 192.168.1.11

8. Only PC 192.168.1.123 accesses the devices via telnet

 

Solution:

 

GRE tunnels

 

Rosario(config)#int tunnel 0

Rosario(config-if)#ip add 10.10.1.1 255.255.255.252

Rosario(config-if)#tunnel source fa0/1

Rosario(config-if)#tunnel destination 10.0.2.10

Rosario(config-if)#exit

Rosario(config)#int tunnel 1

Rosario(config-if)#ip add 10.10.2.1 255.255.255.252

Rosario(config-if)#tunnel source fa0/1

Rosario(config-if)#tunnel destination 10.0.2.14

Rosario(config-if)#exit

Rosario(config)#router eigrp 101 (to advertise the inside networks)

Rosario(config-router)#no auto (not relevant here, see CCNA 2)

Rosario(config-router)#network 10.10.1.0 0.0.0.3 (tunnel to Córdoba)

Rosario(config-router)#network 10.10.2.0 0.0.0.3 (tunnel to Mendoza)

Rosario(config-router)#net 192.168.1.0 0.0.0.255 (local network)

Rosario(config-router)#end

Rosario#

 

Cordoba(config)#int tunnel 0

Cordoba(config-if)#ip add 10.10.1.2 255.255.255.252

Cordoba(config-if)#tun so fa0/1

Cordoba(config-if)#tun dest 10.0.1.1

Cordoba(config-if)#exit

Cordoba(config)#router eigrp 101 (to advertise the inside networks)

Cordoba(config-router)#no auto (not relevant here, see CCNA 2)

Cordoba(config-router)#network 10.10.1.0 0.0.0.3 (tunnel to Rosario)

Cordoba(config-router)#net 192.168.2.0 0.0.0.255 (local network)

Cordoba(config-router)#end

 

%DUAL-5-NBRCHANGE: IP-EIGRP 101: Neighbor 10.10.1.1 (Tunnel0) is up: new adjacency

 

Cordoba#

 

Mendoza(config)#int tunnel 0

Mendoza(config-if)#ip add 10.10.2.2 255.255.255.252

Mendoza(config-if)#tun so fa0/1

Mendoza(config-if)#tun dest 10.0.1.1

Mendoza(config-if)#exit

Mendoza(config)#router eigrp 101 (to advertise the inside networks)

Mendoza(config-router)#no auto (not relevant here, see CCNA 2)

Mendoza(config-router)#network 10.10.2.0 0.0.0.3 (tunnel to Rosario)

Mendoza(config-router)#net 192.168.3.0 0.0.0.255 (local network)

Mendoza(config-router)#end

 

%DUAL-5-NBRCHANGE: IP-EIGRP 101: Neighbor 10.10.2.1 (Tunnel0) is up: new adjacency

 

Mendoza#

 

Rosario#sh ip route (verification)

---abridged---

 

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

C       10.0.1.0/24 is directly connected, FastEthernet0/1

D       10.0.2.0/30 [90/30720] via 10.0.1.254, 00:22:55, FastEthernet0/1

D       10.0.2.4/30 [90/33280] via 10.0.1.254, 00:22:55, FastEthernet0/1

D       10.0.2.8/30 [90/286720] via 10.0.1.254, 00:22:55, FastEthernet0/1

D       10.0.2.12/30 [90/286720] via 10.0.1.254, 00:22:55, FastEthernet0/1

C       10.10.1.0/30 is directly connected, Tunnel0

C       10.10.2.0/30 is directly connected, Tunnel1

     172.16.0.0/24 is subnetted, 1 subnets

D       172.16.0.0 [90/35840] via 10.0.1.254, 00:22:55, FastEthernet0/1

C    192.168.1.0/24 is directly connected, FastEthernet0/0

D    192.168.2.0/24 [90/289280] via 10.0.1.254, 00:22:55, FastEthernet0/1

D    192.168.3.0/24 [90/289280] via 10.0.1.254, 00:22:55, FastEthernet0/1

Rosario#

 

Cordoba#sh ip route

---abridged---

 

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

D       10.0.1.0/24 [90/33280] via 10.0.2.9, 00:28:55, FastEthernet0/1

D       10.0.2.0/30 [90/30720] via 10.0.2.9, 00:28:55, FastEthernet0/1

D       10.0.2.4/30 [90/30720] via 10.0.2.9, 00:28:55, FastEthernet0/1

C       10.0.2.8/30 is directly connected, FastEthernet0/1

D       10.0.2.12/30 [90/284160] via 10.0.2.9, 00:28:55, FastEthernet0/1

C       10.10.1.0/30 is directly connected, Tunnel0

D       10.10.2.0/30 [90/28160000] via 10.10.1.1, 00:07:53, Tunnel0

     172.16.0.0/24 is subnetted, 1 subnets

D       172.16.0.0 [90/33280] via 10.0.2.9, 00:28:55, FastEthernet0/1

D    192.168.1.0/24 [90/26882560] via 10.10.1.1, 00:07:53, Tunnel0

C    192.168.2.0/24 is directly connected, FastEthernet0/0

D    192.168.3.0/24 [90/28162560] via 10.10.1.1, 00:06:42, Tunnel0

Cordoba#

 

Mendoza#sh ip route

---abridged---

 

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

D       10.0.1.0/24 [90/33280] via 10.0.2.13, 00:27:28, FastEthernet0/1

D       10.0.2.0/30 [90/30720] via 10.0.2.13, 00:27:28, FastEthernet0/1

D       10.0.2.4/30 [90/30720] via 10.0.2.13, 00:27:28, FastEthernet0/1

D       10.0.2.8/30 [90/284160] via 10.0.2.13, 00:27:28, FastEthernet0/1

C       10.0.2.12/30 is directly connected, FastEthernet0/1

D       10.10.1.0/30 [90/28160000] via 10.10.2.1, 00:05:14, Tunnel0

C       10.10.2.0/30 is directly connected, Tunnel0

     172.16.0.0/24 is subnetted, 1 subnets

D       172.16.0.0 [90/33280] via 10.0.2.13, 00:27:28, FastEthernet0/1

D    192.168.1.0/24 [90/26882560] via 10.10.2.1, 00:05:14, Tunnel0

D    192.168.2.0/24 [90/28162560] via 10.10.2.1, 00:05:14, Tunnel0

C    192.168.3.0/24 is directly connected, FastEthernet0/0

Mendoza#
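The two headers involved in the tunnel, as an added example that is not part of the original lab: it builds a constructed HTTPS SYN from a Córdoba host, encapsulates it the way Tunnel0 does between 10.0.2.10 and 10.0.1.1, and shows that the WAN only ever sees a GRE packet between the public tunnel endpoints while the 192.168.x addresses travel inside. The host 192.168.2.5, the TCP port numbers and all function names are assumptions.

```python
import struct
import ipaddress

# Constructed example (not the lab's code): build the packets a GRE tunnel produces
# and compare what the WAN sees (outer header) with what the branch sees (inner header).
IP_PROTO_GRE = 47        # protocol number matched by "permit gre" in the WAN ACL
IP_PROTO_TCP = 6
GRE_PTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 over a header that already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255) -> bytes:
    """Minimal 20-byte IPv4 header without options."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the header checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("invalid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "ihl": ihl, "total_len": total_len}


def gre_encapsulate(tunnel_src, tunnel_dst, passenger: bytes) -> bytes:
    """What 'interface Tunnel0' does on egress: outer IP (proto 47) + 4-byte GRE header + passenger."""
    gre = struct.pack("!HH", 0x0000, GRE_PTYPE_IPV4)   # no C/K/S flags, GRE version 0
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes):
    """Strip the outer IP and GRE headers; returns (outer_header_fields, passenger_bytes)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    off = outer["ihl"]
    flags, ptype = struct.unpack("!HH", packet[off:off + 4])
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unsupported passenger protocol 0x%04x" % ptype)
    # Optional checksum (C), key (K) and sequence (S) fields each add 4 bytes to the GRE header.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return outer, packet[off + gre_len:]


def build_branch_https_request() -> bytes:
    """Constructed sample: a Córdoba host (192.168.2.5) opening HTTPS to the Rosario server 192.168.1.11."""
    tcp_syn = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # TCP checksum left at 0
    inner = ipv4_header("192.168.2.5", "192.168.1.11", IP_PROTO_TCP, len(tcp_syn)) + tcp_syn
    return gre_encapsulate("10.0.2.10", "10.0.1.1", inner)   # Córdoba fa0/1 -> Rosario fa0/1, as in the tunnel config


def wan_view(packet: bytes) -> dict:
    """What the WAN ACL on Rosario's fa0/1 evaluates: only the outer header."""
    o = parse_ipv4(packet)
    return {"src": o["src"], "dst": o["dst"], "proto": o["proto"]}


def branch_view(packet: bytes) -> dict:
    """What the router at the far end sees after decapsulation: the private addresses and the real port."""
    _, inner_bytes = gre_decapsulate(packet)
    inner = parse_ipv4(inner_bytes)
    sport, dport = struct.unpack("!HH", inner_bytes[inner["ihl"]:inner["ihl"] + 4])
    return {"src": inner["src"], "dst": inner["dst"], "proto": inner["proto"], "dport": dport}


if __name__ == "__main__":
    pkt = build_branch_https_request()
    print("WAN sees   :", wan_view(pkt))      # 10.0.2.10 -> 10.0.1.1, proto 47
    print("branch sees:", branch_view(pkt))   # 192.168.2.5 -> 192.168.1.11, tcp/443
```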

 

Filtering ACL

 

Rosario(config)#ip access-list ext WAN

Rosario(config-ext-nacl)# permit eigrp any any (for WAN cloud convergence)

Rosario(config-ext-nacl)# permit gre host 10.0.2.10 host 10.0.1.1 (accepts GRE packets from Córdoba)

Rosario(config-ext-nacl)# permit gre host 10.0.2.14 host 10.0.1.1 (accepts GRE packets from Mendoza)

Rosario(config-ext-nacl)# permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443 (point 1 of the objectives)

Rosario(config-ext-nacl)# permit udp host 10.0.2.6 host 10.0.1.11 eq 514 (syslog sent by the Contratistas router)

Rosario(config-ext-nacl)# permit udp host 10.0.2.6 host 10.0.1.11 eq 123 (NTP synchronization of the Contratistas router)

Rosario(config-ext-nacl)# permit tcp host 10.0.2.6 eq 23 host 10.0.1.123 (return traffic for point 5 of the objectives)

Rosario(config-ext-nacl)#deny ip any any (for monitoring)

Rosario(config-ext-nacl)# exit

Rosario(config)#int fa0/1

Rosario(config-if)#ip access-group WAN in (applied inbound on the outside interface)

Rosario(config-if)# ^Z

Rosario#

 

 

Cross-checks

 

1. Only https, not http

 

 

2. Only IP 192.168.1.10 (translated to 10.0.1.10)

 

 

3. Only IP 192.168.1.10 (translated to 10.0.1.10)

 

 

4. Only IP 192.168.1.10 (translated to 10.0.1.10)

 

 

5. No other protocol

 

PC>ping 10.0.1.10

 

Pinging 10.0.1.10 with 32 bytes of data:

 

Reply from 10.0.1.1: Destination host unreachable.

Reply from 10.0.1.1: Destination host unreachable.

Reply from 10.0.1.1: Destination host unreachable.

Reply from 10.0.1.1: Destination host unreachable.

 

Ping statistics for 10.0.1.10:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

PC>

 

6. The required protocols are configured

 

Contratista(config)#logg on (enables sending syslog messages)

Contratista(config)#logg host 10.0.1.11 (defines the syslog message server)

 

%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.1.11 port 514 started - CLI initiated

 

Contratista(config)#service timestamps log datetime msec

Contratista(config)#ntp server 10.0.1.11

Contratista(config)#ena secret Enable123 (required for Telnet access)

Contratista(config)#line vty 0 4

Contratista(config-line)#password cisco

Contratista(config-line)#login (enables Telnet for administration from the IT department's PC)

Contratista(config)#^Z

Contratista#sh clock

*9:44:51.703 UTC Lun Mar 25 2013

Contratista#

 

7. Tests

 

Rosario(config)#ip nat inside source static 192.168.1.123 10.0.1.123 (enables NAT so the PC reaches the WAN with a masked IP, for security)

PC>telnet 10.0.2.6

Trying 10.0.2.6 ...Open

 

User Access Verification

 

Password: ***** (cisco)

Contratista>ena

Password: ******** (Enable123)

Contratista#sh user

    Line       User       Host(s)              Idle       Location

    0 con 0                idle                 00:01:15

* 67 vty 0                idle                00:00:00   10.0.1.123 (the 192... IP masked as 10...)

 

Contratista#sh ip route (verification that network 192.168.1.0 does not exist for this router)

---abridged---

 

     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks

D       10.0.1.0/24 [90/33280] via 10.0.2.5, 11:59:36, FastEthernet0/1

D       10.0.2.0/30 [90/30720] via 10.0.2.5, 11:59:36, FastEthernet0/1

C       10.0.2.4/30 is directly connected, FastEthernet0/1

D       10.0.2.8/30 [90/284160] via 10.0.2.5, 11:59:36, FastEthernet0/1

D       10.0.2.12/30 [90/284160] via 10.0.2.5, 11:59:36, FastEthernet0/1

     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

Contratista#

 

Rosario#sh access-lists (verification)

Extended IP access list WAN

    permit eigrp any any (182 match(es))

    permit gre host 10.0.2.10 host 10.0.1.1 (190 match(es))

    permit gre host 10.0.2.14 host 10.0.1.1 (190 match(es))

    permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443 (49 match(es)) (tests from Contratista)

    permit udp host 10.0.2.6 host 10.0.1.11 eq 514 (5 match(es)) (syslog from Contratista)

    permit udp host 10.0.2.6 host 10.0.1.11 eq 123 (3 match(es)) (clock synchronization from Contratista)

    permit tcp host 10.0.2.6 eq telnet host 10.0.1.123 (48 match(es)) (tests from Contratista)

    deny ip any any (96 match(es)) (tests from Contratista)

Rosario#

 

Cordoba(config)#ip access-list ext FILTRO

Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 80 (point 2 of the objectives)

Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443 (point 2 of the objectives)

Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 21 (point 3 of the objectives)

Cordoba(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20 (FTP data transfer port)

Cordoba(config-ext-nacl)#deny ip any any (for monitoring)

Cordoba(config-ext-nacl)#exit

Cordoba(config)#int fa0/0

Cordoba(config-if)#ip access-group FILTRO in (applies the ACL on the interface)

Cordoba(config-if)#exit

Cordoba(config)#ntp server 192.168.1.11 (enables NTP to synchronize the clocks)

Cordoba(config)#logg on (enables sending syslog messages)

Cordoba(config)#logg trap deb (sets the maximum message detail level; the only one available in Packet Tracer)

Cordoba(config)#logg host 192.168.1.11 (defines the syslog message server)

%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated

Cordoba(config)#service timestamps log datetime msec (adds a millisecond timestamp to the syslog message)

Cordoba(config)#^Z

Cordoba#

 

Mendoza(config)#ip access-list ext FILTRO

Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 80 (point 4 of the objectives)

Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443 (point 4 of the objectives)

Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 21 (point 5 of the objectives)

Mendoza(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20 (FTP data transfer port)

Mendoza(config-ext-nacl)#deny ip any any (for monitoring)

Mendoza(config-ext-nacl)#exit

Mendoza(config)#int fa0/0

Mendoza(config-if)#ip access-group FILTRO in

Mendoza(config-if)#exit

Mendoza(config)#ntp server 192.168.1.11 (enables NTP to synchronize the clocks)

Mendoza(config)#logg on (enables sending syslog messages)

Mendoza(config)#logg trap deb (sets the maximum message detail level; the only one available in Packet Tracer)

Mendoza(config)#logg host 192.168.1.11 (defines the syslog message server)

%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated

Mendoza(config)#service timestamps log datetime msec (adds a millisecond timestamp to the syslog message)

Mendoza(config)#^Z
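An added example, not the lab's own code, that serves both the WAN list on Rosario and the FILTRO lists on Córdoba and Mendoza: a parser and first-match evaluator for the extended-ACL syntax used on this page (any / host / wildcard pairs, optional eq port, implicit deny) with per-ACE match counters like the ones show access-lists reports. It replays the cross-checks from the section above; the contractor host 172.16.0.5, the ephemeral source ports and the class and function names are constructed assumptions.

```python
import ipaddress

# Constructed example (not the lab's code): first-match evaluator for the IOS
# extended-ACL subset used on this page, with per-ACE hit counters.
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20}
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "eigrp": 88}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i]; returns ((base, wildcard), next)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _port(tok, i):
    """Consume an optional 'eq <number|name>'; returns (port or None, next)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def _in_range(ip: str, spec) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (_ip(ip) & care) == (base & care)


def parse_ace(line: str) -> dict:
    tok = line.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto not in PROTO_NUMBERS:
        raise ValueError("unsupported ACE: " + line)
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"action": action, "proto": PROTO_NUMBERS[proto], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line.strip(), "hits": 0}


class ExtendedAcl:
    def __init__(self, name: str, text: str):
        self.name = name
        self.aces = [parse_ace(l) for l in text.splitlines() if l.strip()]

    def evaluate(self, proto: int, src: str, dst: str, sport: int = 0, dport: int = 0) -> str:
        """First matching ACE wins; every IOS ACL ends in an implicit 'deny ip any any'."""
        for ace in self.aces:
            if (ace["proto"] in (None, proto)
                    and _in_range(src, ace["src"]) and _in_range(dst, ace["dst"])
                    and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
                ace["hits"] += 1
                return ace["action"]
        return "deny"

    def show(self) -> str:
        """Same layout as 'show access-lists', including the match counters."""
        rows = ["Extended IP access list " + self.name]
        for ace in self.aces:
            rows.append("    %s%s" % (ace["text"], " (%d match(es))" % ace["hits"] if ace["hits"] else ""))
        return "\n".join(rows)


# Rosario's WAN list, as configured above.
WAN_ACL = ExtendedAcl("WAN", """
permit eigrp any any
permit gre host 10.0.2.10 host 10.0.1.1
permit gre host 10.0.2.14 host 10.0.1.1
permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443
permit udp host 10.0.2.6 host 10.0.1.11 eq 514
permit udp host 10.0.2.6 host 10.0.1.11 eq 123
permit tcp host 10.0.2.6 eq telnet host 10.0.1.123
deny ip any any
""")


def cross_checks() -> dict:
    """The cross-checks from the section above, sent from a constructed contractor host 172.16.0.5."""
    return {
        "https_to_web": WAN_ACL.evaluate(6, "172.16.0.5", "10.0.1.10", 40001, 443),       # permit
        "http_to_web": WAN_ACL.evaluate(6, "172.16.0.5", "10.0.1.10", 40002, 80),         # deny
        "https_to_syslog": WAN_ACL.evaluate(6, "172.16.0.5", "10.0.1.11", 40003, 443),    # deny
        "ping_to_web": WAN_ACL.evaluate(1, "172.16.0.5", "10.0.1.10"),                    # deny
        "gre_from_cordoba": WAN_ACL.evaluate(47, "10.0.2.10", "10.0.1.1"),                # permit
        "telnet_reply_to_pc": WAN_ACL.evaluate(6, "10.0.2.6", "10.0.1.123", 23, 50123),   # permit
        "telnet_from_outside": WAN_ACL.evaluate(6, "10.0.2.6", "10.0.1.123", 50124, 23),  # deny
    }


if __name__ == "__main__":
    print(cross_checks())
    print(WAN_ACL.show())
```

The FILTRO lists use the same syntax and load with `ExtendedAcl("FILTRO", ...)`; the last two checks show why the telnet ACE only admits replies (source port 23) and not sessions opened from the WAN side.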

 

For the tests from Córdoba and Mendoza we must disable NAT inside, since it cannot be enabled on the tunnel interfaces.

 

Rosario(config)#int fa0/0

Rosario(config-if)#no ip nat inside (Contratista will stop working)

Rosario(config-if)#^Z

Rosario#

 

Verification on a real Cisco 1841

 

Concentrador_VPN(config)#int tunnel 0

Concentrador_VPN(config-if)#ip nat inside (supports NAT)

Concentrador_VPN(config-if)#description Tunel hacia Cordoba (supports a description; Packet Tracer does not)

Concentrador_VPN(config-if)#bandwidth 4000 (sets the link speed, default 9 Kbps; it only affects EIGRP, not the real speed of the link, see CCNA 2)

Concentrador_VPN(config-if)#end

 

Back to Packet Tracer....

 

Cordoba#sh access-lists (check EVERY possibility until every ACE shows a match)

Extended IP access list FILTRO

    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq www (44 match(es))

    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443 (106 match(es))

    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq ftp (11 match(es))

    permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20 (no matches, but that is Packet Tracer)

    deny ip any any (46 match(es))

Cordoba#

 

Cordoba#sh clock (verifies NTP)

*11:53:57.891 UTC Lun Mar 25 2013

Cordoba#

 

Mendoza#sh access-lists (check EVERY possibility until every ACE shows a match)

Extended IP access list FILTRO

    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq www (36 match(es))

    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443 (39 match(es))

    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq ftp (12 match(es))

    permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20 (no matches, but that is Packet Tracer)

    deny ip any any (86 match(es))

Mendoza#

 

Mendoza#sh clock (verifies NTP)

*11:53:33.751 UTC Lun Mar 25 2013

Mendoza#

 

Verify syslog on the syslog server

 

 

The finishing touch to wrap up CCNASec

 

Since this is the last lab of the course, ideally it would be configured applying everything learned in the modules; although steps

from modules 2 and 3 regarding passwords and AAA were omitted, here I apply what was learned in module 6 (layer 2 security).

 

Switch#sh ip int bri (we verify the connections)

Interface              IP-Address      OK? Method Status                Protocol

 FastEthernet0/1        unassigned      YES manual up                    up

 FastEthernet0/2        unassigned      YES manual up                    up

 FastEthernet0/3        unassigned      YES manual up                    up

 FastEthernet0/4        unassigned      YES manual up                    up

 FastEthernet0/5        unassigned      YES manual up                    up

 FastEthernet0/6        unassigned      YES manual down                  down

 FastEthernet0/7        unassigned      YES manual down                  down

 FastEthernet0/8        unassigned      YES manual down                  down

 FastEthernet0/9        unassigned      YES manual down                  down

 FastEthernet0/10       unassigned      YES manual down                  down

 FastEthernet0/11       unassigned      YES manual down                  down

 FastEthernet0/12       unassigned      YES manual down                  down

 FastEthernet0/13       unassigned      YES manual down                  down

 FastEthernet0/14       unassigned      YES manual down                  down

 FastEthernet0/15       unassigned      YES manual down                  down

 FastEthernet0/16       unassigned      YES manual down                  down

 FastEthernet0/17       unassigned      YES manual down                  down

 FastEthernet0/18       unassigned      YES manual down                  down

 FastEthernet0/19       unassigned      YES manual down                  down

 FastEthernet0/20       unassigned      YES manual down                  down

 FastEthernet0/21       unassigned      YES manual down                  down

 FastEthernet0/22       unassigned      YES manual down                  down

 FastEthernet0/23       unassigned      YES manual down                  down

 FastEthernet0/24       unassigned      YES manual up                    up

 GigabitEthernet1/1     unassigned      YES manual down                  down

 GigabitEthernet1/2     unassigned      YES manual down                  down

 Vlan1                  unassigned      YES manual administratively down down

 

Switch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#int vlan 1

Switch(config-if)#ip add 192.168.1.254 255.255.255.0

Switch(config-if)#no shut

 

%LINK-5-CHANGED: Interface Vlan1, changed state to up

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

 

Switch(config-if)#exit

Switch(config)#logg on (enables syslog)

Switch(config)#log host 192.168.1.11 (sends traps to this server)

 

%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.11 port 514 started - CLI initiated

 

Switch(config)#service timestamps log datetime msec (to leave a millisecond mark in the logs)

Switch(config)#int range fa0/1-5 , fa0/24 (ports in use)

Switch(config-if-range)#spanning-tree portfast (brings the port up without waiting 50 seconds)

%Warning: portfast should only be enabled on ports connected to a single

 host. Connecting hubs, concentrators, switches, bridges, etc... to this

 interface  when portfast is enabled, can cause temporary bridging loops.

 Use with CAUTION

 

%Portfast will be configured in 6 interfaces due to the range command

 but will only have effect when the interfaces are in a non-trunking mode.

Switch(config-if-range)#spanning-tree bpduguard enable (in case of accidental connections to another switch)

Switch(config-if-range)#storm-control broadcast level 10 (to prevent an ARP or other broadcast storm)

Switch(config-if-range)#switchport port-security  (enables port security)

Switch(config-if-range)#switchport port-security mac-address sticky  (learns the MAC of whatever is plugged in)

Switch(config-if-range)#switchport port-security violation shut (shuts the port down if anything else is plugged in)

Switch(config-if-range)#exit

Switch(config)#int range fa0/6-23 (unused ports)

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single

 host. Connecting hubs, concentrators, switches, bridges, etc... to this

 interface  when portfast is enabled, can cause temporary bridging loops.

 Use with CAUTION

 

%Portfast will be configured in 18 interfaces due to the range command

 but will only have effect when the interfaces are in a non-trunking mode.

Switch(config-if-range)#spanning-tree bpduguard enable

Switch(config-if-range)#storm-control broadcast level 10

Switch(config-if-range)#switchport port-security

Switch(config-if-range)#switchport port-security mac-address sticky

Switch(config-if-range)#switchport port-security violation shut

Switch(config-if-range)#shut (we shut the ports down to prevent possible rogue connections)

Switch(config-if-range)#

Switch#
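An added example (not the lab's own tooling) that audits the hardening just applied: it parses a Catalyst running-config into interface blocks and reports every FastEthernet port missing one of the port-security, portfast, bpduguard or storm-control lines, or left up without a learned sticky MAC. The sample config is constructed from the page's Fa0/1 and Fa0/6 blocks plus a deliberately incomplete Fa0/7; the function names are assumptions.

```python
import re

# Constructed example, not the lab's own tooling: audits a Catalyst running-config
# for the layer 2 hardening applied above and reports access ports that miss any of it.
REQUIRED = (
    "switchport mode access",
    "switchport port-security",
    "switchport port-security mac-address sticky",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
    "storm-control broadcast level 10",
)
# A sticky entry that already carries a MAC means a host was learned on the port.
STICKY_MAC = re.compile(r"switchport port-security mac-address sticky [0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}")


def interface_blocks(config: str) -> dict:
    """Split a running-config into {interface name: [indented config lines, stripped]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_access_ports(config: str) -> dict:
    """Return {interface: [findings]} for every FastEthernet port; an empty list means compliant."""
    findings = {}
    for name, lines in interface_blocks(config).items():
        if not name.startswith("FastEthernet"):
            continue
        issues = ["missing '%s'" % cmd for cmd in REQUIRED if cmd not in lines]
        learned = any(STICKY_MAC.fullmatch(l) for l in lines)
        if not learned and "shutdown" not in lines:
            issues.append("no sticky MAC learned and port not shut down (unused port left open)")
        findings[name] = issues
    return findings


# Constructed sample: Fa0/1 and Fa0/6 copied from the switch config on this page,
# Fa0/7 deliberately missing bpduguard and left up without a learned MAC.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0090.213B.205B
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 storm-control broadcast level 10
!
interface GigabitEthernet1/1
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
"""


if __name__ == "__main__":
    for port, issues in audit_access_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```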

 

Device configurations

 

Rosario#sh runn

Building configuration...

 

Current configuration : 1566 bytes

!

version 12.4

service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Rosario

!

interface Tunnel0

 ip address 10.10.1.1 255.255.255.252

 tunnel source FastEthernet0/1

 tunnel destination 10.0.2.10

!

!

interface Tunnel1

 ip address 10.10.2.1 255.255.255.252

 tunnel source FastEthernet0/1

 tunnel destination 10.0.2.14

!

!

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 10.0.1.1 255.255.255.0

 ip access-group WAN in

 ip nat outside

 duplex auto

 speed auto

!

interface Vlan1

 no ip address

 shutdown

!

router eigrp 100

 network 10.0.1.0 0.0.0.255

 auto-summary

!

router eigrp 101

 network 192.168.1.0

 network 10.10.1.0 0.0.0.3

 network 10.10.2.0 0.0.0.3

 no auto-summary

!

ip nat inside source static 192.168.1.10 10.0.1.10

ip nat inside source static 192.168.1.11 10.0.1.11

ip nat inside source static 192.168.1.12 10.0.1.12

ip nat inside source static 192.168.1.13 10.0.1.13

ip nat inside source static 192.168.1.123 10.0.1.123

ip classless

!

!

ip access-list extended WAN

 permit eigrp any any

 permit gre host 10.0.2.10 host 10.0.1.1

 permit gre host 10.0.2.14 host 10.0.1.1

 permit tcp 172.16.0.0 0.0.0.255 host 10.0.1.10 eq 443

 permit udp host 10.0.2.6 host 10.0.1.11 eq 514

 permit udp host 10.0.2.6 host 10.0.1.11 eq 123

 permit tcp host 10.0.2.6 eq telnet host 10.0.1.123

 deny ip any any

!

logging trap debugging

logging 192.168.1.11

line con 0

line vty 0 4

 login

!

end

 

Rosario#

 

Cordoba#sh runn

Building configuration...

 

Current configuration : 1206 bytes

!

version 12.4

service timestamps log datetime msec

service timestamps debug datetime msec

no service password-encryption

!

hostname Cordoba

!

spanning-tree mode pvst

!

interface Tunnel0

 ip address 10.10.1.2 255.255.255.252

 tunnel source FastEthernet0/1

 tunnel destination 10.0.1.1

!

!

interface FastEthernet0/0

 ip address 192.168.2.1 255.255.255.0

 ip access-group FILTRO in

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 10.0.2.10 255.255.255.252

 duplex auto

 speed auto

 ipv6 ospf cost 1

!

interface Vlan1

 no ip address

 shutdown

!

router eigrp 100

 network 10.0.2.8 0.0.0.3

 no auto-summary

!

router eigrp 101

 network 10.10.1.0 0.0.0.3

 network 192.168.2.0

 no auto-summary

!

ip classless

ip route 1.1.1.1 255.255.255.255 10.0.1.1

!

!

ip access-list extended FILTRO

 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq www

 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 443

 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq ftp

 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.12 eq 20

 deny ip any any

!

logging trap debugging

logging 192.168.1.11

line con 0

line vty 0 4

 login

 pass cisco

!

!

ntp server 192.168.1.11 key 0

!

end

 

Cordoba#

 

Contratista#sh runn

Building configuration...

 

Current configuration : 722 bytes

!

version 12.4

service timestamps log datetime msec

service timestamps debug datetime msec

no service password-encryption

!

hostname Contratista

!

enable secret 5 $1$mERr$CVt1iC2Sl8WrHliCrDS/m/

!

!

spanning-tree mode pvst

!

interface FastEthernet0/0

 ip address 172.16.0.1 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 10.0.2.6 255.255.255.252

 duplex auto

 speed auto

!

interface Vlan1

 no ip address

 shutdown

!

router eigrp 100

 network 172.16.0.0 0.0.0.255

 network 10.0.2.4 0.0.0.3

 no auto-summary

!

ip classless

!

!

logging trap debugging

logging 10.0.1.11

line con 0

line vty 0 4

 password cisco

 login

!

!

ntp server 10.0.1.11 key 0

!

end

 

Contratista#

 

Mendoza#sh runn

Building configuration...

 

Current configuration : 1164 bytes

!

version 12.4

service timestamps log datetime msec

service timestamps debug datetime msec

no service password-encryption

!

hostname Mendoza

!

!

spanning-tree mode pvst

!

interface Tunnel0

 ip address 10.10.2.2 255.255.255.252

 tunnel source FastEthernet0/1

 tunnel destination 10.0.1.1

!

!

interface FastEthernet0/0

 ip address 192.168.3.1 255.255.255.0

 ip access-group FILTRO in

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 10.0.2.14 255.255.255.252

 duplex auto

 speed auto

 ipv6 ospf cost 1

!

interface Vlan1

 no ip address

 shutdown

!

router eigrp 100

 network 10.0.2.12 0.0.0.3

 no auto-summary

!

router eigrp 101

 network 10.10.2.0 0.0.0.3

 network 192.168.3.0

 no auto-summary

!

ip classless

!

!

ip access-list extended FILTRO

 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq www

 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.13 eq 443

 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq ftp

 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.12 eq 20

 deny ip any any

!

!

logging trap debugging

logging 192.168.1.11

line con 0

line vty 0 4

 login

!

!

ntp server 192.168.1.11 key 0

!

end

 

Mendoza#

 

Switch#sh runn

Building configuration...

 

Current configuration : 6070 bytes

!

version 12.2

service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0090.213B.205B

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface FastEthernet0/2

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0060.2F6B.ED04

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface FastEthernet0/3

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 00E0.8FD2.B042

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface FastEthernet0/4

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0010.1190.67B8

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface FastEthernet0/5

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 000C.CF5A.9328

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface FastEthernet0/6

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/7

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/8

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/9

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/10

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/11

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/12

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/13

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/14

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/15

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/16

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/17

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/18

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/19

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/20

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/21

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/22

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/23

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

 shutdown

!

interface FastEthernet0/24

 switchport mode access

 switchport port-security

 switchport port-security mac-address sticky

 switchport port-security mac-address sticky 0030.A347.9601

 spanning-tree portfast

 spanning-tree bpduguard enable

 storm-control broadcast level 10

!

interface GigabitEthernet1/1

!

interface GigabitEthernet1/2

!

interface Vlan1

 ip address 192.168.1.254 255.255.255.0

!

logging 192.168.1.11

!

line con 0

!

line vty 0 4

 login

line vty 5 15

 login

!

!

end

 

Switch#

 

(2013) Networking may burn some minds

Rosario, Argentina