config.docx
config-if)#encapsulation hdlc
config)# interface s0/0/0
config-if)#encapsulation ppp

show interfaces
show interfaces serial
debug ppp
undebug all

R1# hostname R1
username R2 password cisco

ppp authentication pap
ppp pap sent-username R1 password cisco
or
ppp authentication chap

R2# hostname R2
username R1 password cisco

ppp authentication pap
ppp pap sent-username R2 password cisco
or
ppp authentication chap
show frame-relay map
config)# interface s0/0/0
encapsulation frame-relay

encapsulation frame-relay ietf
frame-relay interface-dlci 110
exit
exit
interface s0/0/0
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
bandwidth 64
no frame-relay inverse-arp (optional, in case you want it not to )
frame-relay map ip 10.1.1.2 102 broadcast cisco (static map) (Frame Relay advertises its label 102 to the neighbor with the IP 10.1.1.1)
no shutdown
interface s0/0/0
no ip address
encapsulation frame-relay
no shut
exit

interface s0/0/0.102 point-to-point
ip address 10.1.1.1 255.255.255.252
bandwidth 64
frame-relay interface-dlci 102
exit

interface s0/0/0.103 point-to-point
ip address 10.1.1.5 255.255.255.252
bandwidth 64
frame-relay interface-dlci 103
exit
debug frame-relay lmi
sh interfaces
sh frame-relay lmi
sh frame-relay pvc
sh frame-relay map
VTY lines
--------------------------------
config)#hostname r2
config)# ip domain-name cisco.com
config)#crypto key generate rsa
config)#username student secret cisco

config)#line vty 0 4
config-line)#no transport input
config-line)#transport input ssh
config-line)#login local
config-line)#exec-timeout 3 (idle session timeout)
config-line)#exit
config)#ip ssh time-out 15
config)#ip ssh authentication-retries 2
--------------------------------
Disable for security
--------------------------------
no cdp run
no ip source-route
no ip classless
no service tcp-small-servers
no service udp-small-servers
no ip finger
no service finger
no ip bootp server
no ip http server
no ip name-server

no boot network
no service config

no access-list 0
access-list 70 deny deny

no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
----------------------------------
Debug-related commands:
----------------------------------
config)# service timestamps debug datetime msec
/adds a timestamp to a debug or log message/

#show processes
/shows CPU usage per process/

#no debug all
/disables all debug commands/

#terminal monitor
/shows debug output in the current vty session/
----------------------------------
RIP
----------------------------------
config)#router rip
config-router)#passive-interface default
config-router)#no passive-interface s0/0/0

config)#key chain RIP_KEY (name)
config-keychain)#key 1 (identifier)
config-keychain-key)#key-string cisco
exit
exit

config)# int s0/0/0
config-if)#ip rip authentication mode md5
config-if)#ip rip authentication key-chain RIP_KEY
--------------------------------
EIGRP
--------------------------------
config)#key chain EIGRP_KEY (name)
config-keychain)#key 1 (identifier)
config-keychain-key)#key-string cisco
exit
exit

config)# int s0/0/0
config-if)#ip authentication mode eigrp 1 md5
config-if)#ip authentication key-chain eigrp 1 EIGRP_KEY
-------------------------------------
OSPF
-------------------------------------
config)#interface s0/0/0
config-if)#ip ospf message-digest-key 1 md5 cisco
config-if)#ip ospf authentication message-digest
config-if)#exit
config)#router ospf 10
config-router)# area 0 authentication message-digest

--------------------------------------
router lockdown
--------------------------------------
#auto secure
standard ACL (1-199 and 1300-1999): closest to the destination
extended ACL (100-199 and 2000-2699): closest to the source
---------------------------------------
standard
-----------------------
config)#access-list 10 permit 192.168.10.0
#show access-list
config)#no access-list 10

config)#access-list 10 remark Permit host from the 192.168.10.0 LAN
(inserts a comment with remark, maximum 100 characters)
config)#access-list 10 permit 192.168.10.0
192.168.10.10 0.0.0.0 = host 192.168.10.10
0.0.0.0 255.255.255.255 = deny
deny one host of a network or subnet
config)#no access-list 1
config)#access-list 1 deny 192.168.10.10 0.0.0.0
config)#access-list 1 permit 192.168.10.0 0.0.0.255 (network or subnet 0.0.255.255)
config)#interface s0/0/0
config-if)#ip access-group 1 out
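How the wildcard masks and the deny-host / permit-subnet ordering above are evaluated, as an added example that is not part of the original notes. It models first-match processing with the implicit deny at the end, and also shows that a standard entry written with no wildcard (such as the access-list 10 line above) matches only that single address; the function names are hypothetical.

```python
import ipaddress

# ACL 1 exactly as configured on the page: deny one host, permit its subnet.
ACL_1 = """\
access-list 1 deny 192.168.10.10 0.0.0.0
access-list 1 permit 192.168.10.0 0.0.0.255
"""
# The page's first standard ACL, written without a wildcard mask.
ACL_10 = "access-list 10 permit 192.168.10.0"

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(text):
    """Return [(action, base, wildcard)] in configuration order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # skips blank lines and 'remark' entries
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            base, wild = to_int(src[1]), 0
        else:
            base = to_int(src[0])
            # No wildcard given: the entry matches that single address only.
            wild = to_int(src[1]) if len(src) > 1 else 0
        entries.append((action, base, wild))
    return entries

def wildcard_match(addr, base, wild):
    # Wildcard bit 0 = must match, bit 1 = ignored (inverse of a subnet mask).
    care = ~wild & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(entries, src):
    """First matching entry decides; no match hits the implicit deny."""
    for action, base, wild in entries:
        if wildcard_match(src, base, wild):
            return action
    return "deny"
```

Reversing the two entries of ACL 1 makes the permit match first, so the host deny is never reached.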
-----------------------------------------
access-list with vty

config)#access-list 21 permit 192.168.10.0 0.0.0.255
config)#access-list 21 permit 192.168.11.0 0.0.0.255
config)#access-list 21 deny any

config)# line vty 0 4
config-line)#login
config-line)#password secret
config-line)#access-class 21 in
------------------------------------------
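A small audit of VTY sections, added here as an example and not part of the original notes. It runs over two constructed running-config fragments modelled on the SSH-only VTY setup in the "VTY lines" section and the password plus access-class setup above, and reports which protections each one lacks; the function names and finding texts are hypothetical.

```python
import re

# Constructed running-config fragments modelled on the page's two VTY setups.
SSH_VTY = """\
line vty 0 4
 exec-timeout 3
 login local
 transport input ssh
"""
PASSWORD_VTY = """\
line vty 0 4
 access-class 21 in
 password secret
 login
"""

def vty_blocks(config):
    """Yield (header, sub-commands) for every 'line vty' section."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if header:
                yield header, body
            header, body = raw.strip(), []
        elif header and raw.startswith(" "):
            body.append(raw.strip())
        elif header:
            yield header, body
            header, body = None, []
    if header:
        yield header, body

def audit_vty(config):
    """Return (header, finding) pairs; an empty list means every check passed."""
    findings = []
    for header, body in vty_blocks(config):
        # Assumption: a missing 'transport input' line is treated as "not SSH-only".
        transports = next((c.split()[2:] for c in body
                           if c.startswith("transport input")), None)
        if transports != ["ssh"]:
            findings.append((header, "transport input not restricted to ssh"))
        if "login local" not in body:
            findings.append((header, "login local not set"))
        if not any(re.match(r"access-class \S+ in\b", c) for c in body):
            findings.append((header, "no inbound access-class"))
        if any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in body):
            findings.append((header, "exec-timeout disabled"))
    return findings
```

Neither fragment passes on its own: the SSH setup has no source restriction, and the access-class setup still relies on a shared line password. Combining both sets of commands clears every finding.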
NAMED ACL

config)#ip access-list standard NO_FTP
config-std-nacl)#deny host 192.168.11.10
config-std-nacl)#permit 192.168.11.0 0.0.0.255
config-std-nacl)#interface fa0/0
config-if)#ip access-group NO_FTP out

show access-list
config t
ip access-list standard WEBSERVER
15 permit host 192.168.11.10
end

in named ACLs, entries can be edited
------------------------------------------
EXTENDED ACLS

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 23
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq telnet
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data
example: filtering web traffic on ports 80 and 443
-------------------------------------------
access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established

interface s0/0/0
ip access-group 103 out
ip access-group 104 in
example: denying FTP
--------------------------------------------
access-list 102 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
access-list 102 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
access-list 102 permit ip any any
interface fa0/1
ip access-group 102 in
example: denying telnet
-------------------------------------------
access-list 101 deny tcp 192.168.11.0 0.0.0.255 any eq 23
access-list 101 permit ip any any

interface fa0/0
ip access-group 101 out
NAMED EXTENDED ACLS
--------------------------------------
example: allow browsing web pages only:

ip access-list extended SURFING
permit tcp 192.168.10.0 0.0.0.255 any eq 80
permit tcp 192.168.10.0 0.0.0.255 any eq 443

ip access-list extended BROWSING
permit tcp any 192.168.10.0 0.0.0.255 established

interface s0/0/0
ip access-group SURFING out
ip access-group BROWSING in
--------------------------------------
DYNAMIC ACLS:
-----------------------
example: connection via telnet, router IP 10.2.2.2; the connected network is 192.168.30.0 and the network to be connected to is 192.168.10.0

config)#username student password 0 cisco
config)# access-list 110 permit tcp any host 10.2.2.2 eq telnet
config)#access-list 110 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.255.255 192.168.30.0 0.0.0.255 (sets the connection time to 15 minutes)

interface s0/0/1
ip access-group 110 in (the access list is applied inbound)

line vty 0 4
login local
autocommand access-enable host timeout 5 (when the user connects to the vty line, they must be active for at least 5 minutes)
------------------------------------------
REFLEXIVE ACL
------------------------------------------
ip access-list extended OUTBOUNDFILTERS
permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC

ip access-list extended INBOUNDFILTERS
evaluate TCPTRAFFIC
evaluate ICMPTRAFFIC

interface s0/0/0
ip access-group INBOUNDFILTERS in
ip access-group OUTBOUNDFILTERS out
------------------------------------------
TIME-BASED ACL
------------------------------------------
time-range EVERYOTHERDAY
periodic Monday Wednesday Friday 8:00 to 17:00

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY

interface s0/0/0
ip access-group 101 out
#copy running-config startup-config
#copy running-config tftp:
#copy tftp: running-config
#copy tftp: startup-config
#show flash
rommon1>IP_ADDRESS=192.168.1.2
rommon2>IP_SUBNET_MASK=255.255.255.0
rommon3>DEFAULT_GATEWAY=192.168.1.1
rommon4>TFTP_SERVER=192.168.1.1
rommon5>TFTP_FILE=c1841-ipbase-mz.123-14.t7.bin
rommon1>tftpdnld
--------------------------------
reset password
--------------------------------

rommon1>confreg 0x2142
rommon2>reset
router>enable

load the configuration, change the password, and then:

config)#config-register 0x2102
#wr
-------------------------
DHCP server
-------------------------
config)#ip dhcp excluded-address (excluded IPs)
config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9

config)#ip dhcp pool LAN-POOL-1
dhcp-config)#network 192.168.10.0 255.255.255.0
dhcp-config)#default-router 192.168.10.1
dhcp-config)#domain-name span.com
dhcp-config)#end
#show ip dhcp binding
#show ip dhcp server statistics
#show ip dhcp pool
----------------------------
an interface as a client
----------------------------
config)#interface fa0/0
config-if)#ip address dhcp
config-if)#no shut
#show ip int fa0/0
---------------------------
dhcp relay (when DHCP is on another network)
---------------------------
#config t
config)#interface fa0/0
config-if)#ip helper-address 192.168.11.5
config-if)#end

on the PC:
ipconfig /release
ipconfig /renew
---------------------------
as a relay router, the following can be configured:
Port 37: Time
Port 49: TACACS
Port 53: DNS
Port 67: DHCP/BOOTP client
Port 68: DHCP/BOOTP server
Port 69: TFTP
Port 137: NetBIOS name service
Port 138: NetBIOS datagram service
----------------------------
DHCP relay verification
-----------------------------
# show running-config

---- DHCP debugging
#access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
#debug ip packet detail 100
Static NAT
------------------
in this scenario, interface s0/0/0 is connected to the internal network and s0/1/0 to the external network with the public IP
--------------------------
#ip nat inside source static 192.168.10.254 209.165.200.154
#interface serial0/0/0
#ip nat inside
#interface serial0/1/0
#ip nat outside
-------------------
DYNAMIC NAT
-------------------
a private IP range must be translated to a public range
s0/0/0 interface to private networks
s0/1/0 interface to public networks
----------------------

#ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224 (creates the range of public addresses)
#access-list 1 permit 192.168.0.0 0.0.255.255 (creates the list of private addresses)

#ip nat inside source list 1 pool NAT-POOL1
(IF THERE IS ONLY ONE OUTBOUND ADDRESS)
#ip nat inside source list 1 interface serial0/1/0

#interface s0/0/0
#ip nat inside
#interface s0/1/0
#ip nat outside
---------------------------
DYNAMIC NAT WITH OVERLOAD
-------------------
a private IP range must be translated to a public range
s0/0/0 interface to private networks
s0/1/0 interface to public networks
----------------------

#ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224 (creates the range of public addresses)
#access-list 1 permit 192.168.0.0 0.0.255.255 (creates the list of private addresses)

#ip nat inside source list 1 pool NAT-POOL1 overload
(IF THERE IS ONLY ONE OUTBOUND ADDRESS)
#ip nat inside source list 1 interface serial0/1/0 overload

#interface s0/0/0
#ip nat inside
#interface s0/1/0
#ip nat outside
-----------------------------------
verification
-----------------------------------
#show ip nat translations
#show ip nat translations verbose
#show ip nat statistics
#clear ip nat translation * (removes all entries from the table)
#show ip nat translations (removes the entry from the table)
#debug ip nat
----------------------
config)#ipv6 address 2001:DB8:2222:7272::72/64

dual stack:
config)#ipv6 unicast-routing (enables forwarding of IPv6 traffic)
config)#interface fa0/0
config-if)#ip address 192.168.99.1 255.255.255.0
config-if)#ipv6 address 3ffe:b00:c18:1::3/127

config-if)#ipv6 address ipv6prefix/prefix-length eui-64
-------
ipv6 unicast-routing
ipv6 router rip rt0

interface fa0/0
ipv6 address 2001:db8:1:1::/64 eui-64
ipv6 rip rt0 enable

sh ipv6 interface
sh ipv6 interface brief
sh ipv6 neighbors
sh ipv6 protocols
sh ipv6 rip
sh ipv6 route
sh ipv6 route summary
sh ipv6 static
sh ipv6 static 2001:db8:666:0/16
sh ipv6 static interface s0/0/0
sh ipv6 static detail