SRY

ACLs Reflexivas...........................................................................................................................3
Cisco Configuration Professional (CCP)Acceso..........................................................................7
Router Security........................................................................................................................10
Privilege Level..........................................................................................................................12
CLI Views..................................................................................................................................14
SSH...........................................................................................................................................16
Telnet/TCP AAA........................................................................................................................20
Setup AAA:...............................................................................................................................23
AAA Base de datos Local..........................................................................................................25
Banner Messages.....................................................................................................................27
Syslog Features........................................................................................................................29
ACLs Established......................................................................................................................32
ACLs de Tiempo........................................................................................................................36
ACLs Dinámicas........................................................................................................................39
Fragmentation Attack..............................................................................................................42
Protección contra el uso de opciones de IP maliciosas...........................................................44
Protección mensajes ICMP tipo 3 código 1.............................................................................49
TCP Intercept (Redistribucion EIGRP-OSPF)............................................................................52
Proteccion a ataques DoS utilizando Committed Access Rate (CAR)......................................56
Proteccion a ataques Smurf.....................................................................................................57
ACLs IP/ICMP............................................................................................................................59
ACLs para OSPF y EIGRP...........................................................................................................65
Seguridad Telnet IPv6..............................................................................................................69
ACLs para IPv6..........................................................................................................................74
Bloqueo de paquetes de un rango particular usando PBR (Falta Figura)................................81
Filtrado utilizando MQC (Modular Quality of Service)............................................................88
NTP Network Time Protocol....................................................................................................95
Authentication Radius..............................................................................................................99
Autenticación utilizando ACS /Tacacs+..................................................................................101
Creación de Grupos...............................................................................................................102
Configuración de server AAA.................................................................................................104
Creación de Usuarios.............................................................................................................107
Configuración de cliente AAA................................................................................................109
Configuración Router.............................................................................................................111
CBAC.......................................................................................................................................114
Zone Based Firewall I.............................................................................................................116
Zone Based Firewall II............................................................................................................122
Zone Based Firewall III...........................................................................................................128
DHCP one Way.......................................................................................................................133
DHCP Snooping......................................................................................................................140
NAT.........................................................................................................................................145
NAT Dinámico........................................................................................................................146
NAT Estático...........................................................................................................................148
PAT.........................................................................................................................................149
NAT TCP Load Sharing............................................................................................................151
HSRP NAT...............................................................................................................................157
Firewall por Zona Challenge NAT/PAT...................................................................................165
GRE Recursivo........................................................................................................................182
Tunnel GRE IPv6.....................................................................................................................186
1
2019 instructor.duoc@gmail.com
SRY

IPSec Site-to-Site I..................................................................................................................190

IPSec Site-to-Site II.................................................................................................................196
DMVPN............................................................................................................200
DMVPN mapeo estático (fase 1)............................................................................................200

2
2019 instructor.duoc@gmail.com
SRY

ACLs Reflexivas

Setup: Cree la topologia y direccionamiento mostrado.

 Para obtener conectividad extremo a extremo configure EIGRP de 64 bits utilizando en numero de sitema
autónomo 10. Las interfaces loopback0 se deben publicar dentro del dominio EIGRP.

R1
router eigrp n1
address-family ipv4 unicast autonomous-system 10
network 1.0.0.0
network 10.0.0.0

R2
router eigrp n1
address-family ipv4 unicast autonomous-system 10
network 2.0.0.0
network 10.0.0.0

R3
router eigrp n1
address-family ipv4 unicast autonomous-system 10
network 3.0.0.0
network 10.0.0.0

R4
router eigrp n1
address-family ipv4 unicast autonomous-system 10
network 4.0.0.0
network 10.0.0.0

R2#sh ip eigrp neighbors

EIGRP-IPv4 VR(n1) Address-Family Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 12 00:00:16 48 288 0 6
3
2019 instructor.duoc@gmail.com
SRY

0 10.1.12.1 Fa0/0 12 00:00:24 42 252 0 5

R3#sh ip eigrp neighbors
EIGRP-IPv4 VR(n1) Address-Family Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.34.4 Fa0/0 10 00:00:23 41 246 0 3
0 10.1.23.2 Fa0/1 14 00:00:32 45 270 0 8

R1#sh ip eigrp topology

EIGRP-IPv4 VR(n1) Topology Table for AS(10)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.34.0/24, 1 successors, FD is 26214400
via 10.1.12.2 (26214400/19660800), FastEthernet0/0
P 10.1.12.0/24, 1 successors, FD is 13107200
via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 19660800
via 10.1.12.2 (19660800/13107200), FastEthernet0/0
P 2.2.2.0/24, 1 successors, FD is 13189120
via 10.1.12.2 (13189120/163840), FastEthernet0/0
P 3.3.3.0/24, 1 successors, FD is 19742720
via 10.1.12.2 (19742720/13189120), FastEthernet0/0
P 1.1.1.0/24, 1 successors, FD is 163840
via Connected, Loopback0
P 4.4.4.0/24, 1 successors, FD is 26296320
via 10.1.12.2 (26296320/19742720), FastEthernet0/0

R1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms

R1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms

R1#ping 4.4.4.4 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/40 ms

4
2019 instructor.duoc@gmail.com
SRY

 R1 y R2 pertenecen a la empresa A. R3 y R4 pertecen a la empresa B. R2 actua como ASBR. Considerando

esto último, configure R2 de manera que permita trafico de retorno considerando las siguientes políticas:
- R2 debe permitir trafico de retorno HTTP que sea originado localmente (en R2) u originado por R1.
- R2 debe permitir trafico de retorno TELNET que sea originado localmente (en R2) u originado por R1.
- R2 debe permitir trafico de retorno TFTP que sea originado localmente (en R2) u originado por R1.

R2
ip access-list extended BORDER-OUT
permit tcp any any eq www reflect TST
permit tcp any any eq telnet reflect TST
permit udp any any eq tftp reflect TST
permit eigrp any any

ip access-list extended BORDER-IN

permit eigrp any any
evaluate TST

interface FastEthernet0/1
ip access-group BORDER-IN in
ip access-group BORDER-OUT out

R4#sh ip route eigrp

Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/205440] via 10.1.34.3, 00:16:32, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/154240] via 10.1.34.3, 00:16:32, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/103040] via 10.1.34.3, 00:16:32, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.1.12.0/24 [90/204800] via 10.1.34.3, 00:16:32, FastEthernet0/0
D 10.1.23.0/24 [90/153600] via 10.1.34.3, 00:16:32, FastEthernet0/0

R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R4#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down

Aunque la dirección 1.1.1.1 se encuentra en la RIB de R4 no es posible acceder via telnet.

5
2019 instructor.duoc@gmail.com
SRY

 Configure Telnet server en R4. Utilice AAA, user admin password cisco.

R4
username admin password cisco

aaa new-model
aaa authentication login default local-case

line vty 0 4
login authentication default

R1#telnet 4.4.4.4
Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:cisco
R4>

R2#sh access-lists
Extended IP access list BORDER-IN
10 permit eigrp any any (1748 matches)
20 evaluate TST
Extended IP access list BORDER-OUT
10 permit tcp any any eq www reflect TST
20 permit tcp any any eq telnet reflect TST (34 matches)
30 permit udp any any eq tftp reflect TST
40 permit eigrp any any
Reflexive IP access list TST
permit tcp host 4.4.4.4 eq telnet host 10.1.12.1 eq 17999 (41 matches) (time left 231)

R4>
[Connection to 4.4.4.4 closed by foreign host]
R1#

Despues de 5 minutos, el timeout predefinido por el proceso elimina la ACL temporal (TST). R1 utiliza el puerto
origen 17999 (es aleatorio) y el puerto 23 destino. Podemos notar que R2 permite el tráfico de retorno.

6
2019 instructor.duoc@gmail.com
SRY

Cisco Configuration Professional (CCP)Acceso

Este laboratorio comprende la instalación y ejecución de la aplicación CCP.

 Asignar el direccionamiento mostrado (routers y PC).
 R1 y R2 deben utilizar EIGRP 1 como IGP y deben publicar las loopbacks0 respectivas.
 Habilitar en R1 HTTP o HTTPs
 Crear usuario admin y asignarle un nivel de privilegios 15, use password cisco.
 Configurar en ambos router SSH y Telnet.
 Instalar el archivo cisco-config-pro-k9-pkg-2_5-en.exe en el PC.
 Comprobar que el PC tiene conectividad con R1.
 Abrir aplicación CCP

Nota: El dispositivo que será configurado a través de CCP debe tener configurado HTTP o HTTPS. La
autenticación utilizando HTTPS debe ser establecido para usar la base de datos local del dispositivo.

R1
router eigrp 1
network 10.0.0.0
network 100.0.0.0
neighbor 10.1.12.2 GigabitEthernet0/0
no auto-summary

ip http server
ip http authentication local
ip http secure-server

username admin privilege 15 password cisco

R2
router eigrp 1
network 10.0.0.0
neighbor 10.1.12.1 GigabitEthernet0/0
no auto-summary

7
2019 instructor.duoc@gmail.com
SRY

R2#show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.12.1 Gi0/0 14 01:00:40 186 1116 0 10

R1#ping 100.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/60 ms

Puesto que tenemos conectividad con el PC CCP entonces activamos la aplicación CCP.
En la ventana Select / Manage Community debemos ingresar la información de usuario y password que
configuramos en R1 y la IP de R1. Le damos OK. Luego debemos descubrir al Router R1. Para esto
utilizamos seleccionamos Discover.

Si todo está correctamente configurado deberíamos ver el dispositivo descubierto. Con CCP tenemos un
amplio espectro de configuración. Configure DHCP utilizando CCP.

8
2019 instructor.duoc@gmail.com
SRY

9
2019 instructor.duoc@gmail.com
SRY

Router Security
 En R1 configurar de manera que solo se permita configurar passwords con un mínimo de 5
caracteres.
 Las password deben ser ilegibles si utilizamos el comando show running-config.
 Crear el usuario admin password cisco. Si accedemos por consola deberemos loguearnos en la
base de datos local.

R1
security passwords min-length 5

R1(config)#enable password nico

% Invalid Password length - must contain 5 to 25 characters. Password configuration failed

R1(config)#enable password cisco

R1
service password-encryption

R1#show running-config | include enable

enable password 7 094F471A1A0A

R1
username admin password cisco

line con 0
login local

R1#exit
R1 con0 is now available
Press RETURN to get started.

User Access Verification

Username:admin
Password:cisco
R1>enable
R1#

10
2019 instructor.duoc@gmail.com
SRY

 En R1 habilitar un timeout de expiración de consola en 2 horas con 30 segundos.

Normalmente el tiempo de expiración lo dejo en infinito (exec-timeout 0 0) para no tener que loguearme
a cada rato si ese plazo se vence, como en este caso se requiere ingresar los valores utilizaremos
ventanas de tiempo grandes.

R1
line con 0
exec-timeout 120 30

R1#show line console 0 | section Timeouts

Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
02:00:30 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set

11
2019 instructor.duoc@gmail.com
SRY

Privilege Level
 En R1 crear dos usuarios con las siguientes características
 Definir password para modo privilegiado utilizando la palabra clave cisco.
Usuario Password Comandos disponibles (EXEC)
admin cisco Todos los comandos (high privilege)
noc network Show, ping, traceroute

R1
username noc privilege 2 password network

privilege exec level 2 traceroute

privilege exec level 2 ping
privilege exec level 2 show

username admin privilege 15 password cisco

Para forzar a que los usuarios se tengan que identificar (login) con la base de datos local utilizamos:

R1
line con 0
login local

O alternativamente podemos utilizar AAA local.

aaa new-model
aaa authentication login default local none

R1#exit
R1 con0 is now available

Press RETURN to get started.

%SYS-5-CONFIG_I: Configured from console by console

User Access Verification

Username: noc
Password:network

R1#show privilege
Current privilege level is 2

R1#conf t
^
% Invalid input detected at '^' marker.

12
2019 instructor.duoc@gmail.com
SRY

R1#ping 10.2.2.2
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/100 ms

Ahora comprobamos el nivel de privilegio del usuario admin.

R2#exit
R2 con0 is now available
Press RETURN to get started.

User Access Verification

Username: admin
Password:cisco

R2#show privilege
Current privilege level is 15

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#router bgp 20.20

13
2019 instructor.duoc@gmail.com
SRY

CLI Views

 Configurar CLI Views en R2.

 Crear dos perfiles con las siguientes características:

Usuario Password View Comandos

ADMIN admin Todos los comandos show
salvo show version. ping,
configure.
NOC noc ping

R2
aaa new-model
enable secret cisco

R2#enable view
Password:cisco

R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

configure terminal

parser view ADMIN

secret admin
commands exec include configure
commands exec exclude show version
commands exec include all show

parser view NOC

secret noc
commands exec include-exclusive ping

R2#disable
R2>
R2>enable view ADMIN
Password:admin
R2#show ?
aaa Show AAA values
access-expression List access expression
access-lists List access lists
acircuit Access circuit info
adjacency Adjacent nodes
aliases Display alias commands
alignment Show alignment information
ancp ANCP information
aps APS information
14
2019 instructor.duoc@gmail.com
SRY

archive Archive functions

*
*
R2#show version
^
% Invalid input detected at '^' marker.

R2#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#?
Configure commands:
do-exec To run exec commands in config mode
exit Exit from configure mode

R2(config)#end
^
% Invalid input detected at '^' marker.

R2(config)#exit

Entramos con el perfil de NOC y comprobamos que solo tenemos la opción ping

R2#exit
R2>
R2>enable view NOC
Password:noc

R2#?
Exec commands:
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/42/52 ms

15
2019 instructor.duoc@gmail.com
SRY

SSH

 Configurar enrutamiento estático o dinámico de manera que exista conectividad completa entre
todos los routers incluyendo su interfaces loopbacks0.
 Configurar Telnet en R1utilizando password r111.
 Configurar Telnet en R2 para sesiones entrantes y SSH para sesiones salientes, solo se permite
establecer sesión SSH con los ID (loopbacks0) de cada router. Utilizar las siguientes políticas:
- Domain Name: duoc.cl
- Utilizar version SSH 2.0 (1.9)
- Autentificar en función de base de datos local utilizando AAA
- La autentificación solo se debe establecer en line VTY.
- Mostrar eventos SSH en consola de R1, sesion exitosas y fallidas.
- El usuario para SSH es el siguiente:

Usuario Password
jadmin cisco123
 R1 puede acceder a R2 a través de telnet pero desde R2 solo puede acceder a R3 a utilizando SSH.
 Configurar en R3 SSH para sesiones entrantes, solo se permite establecer sesión SSH con los ID
(loopbacks0) de cada router. Utilizar las siguientes políticas:
- Domain Name: duoc.cl
- Utilizar version SSH 2.0 (1.9)
- Autentificar en función de base de datos local utilizando AAA
- La autentificación solo se debe establecer en line VTY.
- Mostrar eventos SSH en consola de R1, sesion exitosas y fallidas.
- El usuario para SSH es el siguiente:

Usuario Password
admin cisco
 Configure la password cisco para acceder al modo privilegiado en todos los routers.

R1
router eigrp 1
network 10.0.0.0
no auto-summary
16
2019 instructor.duoc@gmail.com
SRY

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 10.0.0.0
no auto-summary

R2#show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 10 00:00:11 159 954 0 3
0 10.1.12.1 Fa0/0 13 00:00:13 1571 5000 0 4

R1#sh ip route eigrp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:01:12, FastEthernet0/0
D 10.2.2.2/32 [90/156160] via 10.1.12.2, 00:01:12, FastEthernet0/0
D 10.3.3.3/32 [90/158720] via 10.1.12.2, 00:00:06, FastEthernet0/0

Configuracion lines VTY.

R1
line vty 0 4
password cisco
login

enable secret cisco

R2
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024

17
2019 instructor.duoc@gmail.com
SRY

%SSH-5-ENABLED: SSH 1.99 has been enabled

ip ssh logging events

aaa new-model
username jadmin password cisco123
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport input telnet
transport output ssh

R3
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024

%SSH-5-ENABLED: SSH 1.99 has been enabled

ip ssh logging events

aaa new-model
username admin password cisco
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport input ssh

R1 accederá a R2 a través de telnet, pero desde R2 solo podrá acceder a R3 a través SSH, es decir, al
perímetro de seguridad.

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Username: jadmin
Password:cisco123

R2>enable
Password:cisco

R2#telnet 10.3.3.3
% telnet connections not permitted from this terminal
18
2019 instructor.duoc@gmail.com
SRY

R2#ssh -l admin -c 3des 10.3.3.3

Password:cisco
R3>en
Password:cisco

R3#
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto
cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
R3#
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from
10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded

R3#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 admin idle 00:01:00 10.1.23.2

Interface User Mode Idle Peer Address

19
2019 instructor.duoc@gmail.com
SRY

Telnet/TCP AAA

 Cree el direccionamiento mostrado.

 Configure OSPF para lograr conectividad end to end.
 En los routers cree y publique las loopback0 con el format 10.X.X.X/24 donde la X representa el
número del router.

R1
interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf 1 area 0

router ospf 1
router-id 1.1.1.1

R2
interface FastEthernet0/0
ip ospf 1 area 0

interface FastEthernet0/1
ip ospf 1 area 0

router ospf 1
router-id 2.2.2.2

20
2019 instructor.duoc@gmail.com
SRY

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 2WAY/DROTHER 00:00:35 10.1.12.1 FastEthernet0/0

R2#show ip ospf neighbor fastEthernet 0/0

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DR 00:00:32 10.1.12.1 FastEthernet0/0

R3
interface FastEthernet0/1
ip ospf 1 area 0

router ospf 1
router-id 3.3.3.3

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/BDR 00:00:36 10.1.23.3 FastEthernet0/1
1.1.1.1 1 FULL/DR 00:00:34 10.1.12.1 FastEthernet0/0

R1#sh ip route ospf

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.1.23.0/24 [110/2] via 10.1.12.2, 00:36:51, FastEthernet0/0
O 10.3.3.0/24 [110/3] via 10.1.12.2, 00:01:01, FastEthernet0/0

 Comience a capturar tráfico en la interface física de R3.

 Habilite telnet en R3. Solo permita una conexión con origen 10.1.1.1 para el puerto 23. Utilice las
credenciales:
- USER: admin
- PASS: admin

 Verifique las credenciales utilizadas en Wireshark ->Analyze || Follow || TCP Stream.

 Nota: Utilice AAA para esta tarea.

R3
username admin password admin

aaa new-model
aaa authentication login VTY local-case none

line vty 0 4
privilege level 15

21
2019 instructor.duoc@gmail.com
SRY

login authentication VTY

R1#telnet 10.3.3.3
Trying 10.3.3.3 ... Open

User Access Verification

Username: admin
Password:admin

R3#

R3#show line vty 0 4

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 2 VTY - - - - - 4 0 0/0 -
3 VTY - - - - - 0 0 0/0 -
4 VTY - - - - - 0 0 0/0 -
5 VTY - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -

 ¿Porque la ventana de flujo TCP (Follow muestra al usuario con username duplicado?
 Realice la misma experiencia para SSH, y compruebe los resultados entregados por Wireshark
->Analyze || Follow || TCP Stream.
 ¿Cuantas conexiones concurrentes permite las líneas VTY del router?

22
2019 instructor.duoc@gmail.com
SRY

Setup AAA:
Configurar AAA en R1 con las siguientes características para la autentificación:
 Crear usuario U4 password cisco.
 Proceso AAA debe pedir usuario y contraseña utilizando Usuario: , Password: . El usuario solo
puede acceder al router utilizando sistema case sensitive.
 Crear banner que tenga el siguiente mensaje $ Autentificación AAA $
 El maximo número de intentos es 3 antes de volver a pedir autenticación, luego se bloqueará el
permiso para el usuario.
 Si el usuario no puede autentificarse se debe desplegar el siguiente mensaje: AUTENTIFICACIÓN
INVALIDA, INTENTELO NUEVAMENTE
 El usuario debe autentificarse en función de la base de datos local
Para poder probar inmediatamente lo que hemos configurado podríamos habilitar el login en la consola.

R1
username U4 password cisco
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case

R1
User Access Verification

Usuario:u4
Password:cisco

% Authentication failed

Usuario:U4
Password:cisco

R1
aaa authentication banner $ Autentificacion AAA $

R1>exit
Press RETURN to get started.

Autentificacion AAA
Usuario:U4
Password:cisco

23
2019 instructor.duoc@gmail.com
SRY

Para comprobar si funciona esta configuración debemos crear un super usuario en caso de que
bloqueemos al usauario U4. Luego de las pruebas debemos desbloquear al usuario U4.

R1
username admin privilege 15 password cisco
aaa authentication attempts login 3
aaa local authentication attempts max-fail 3

Usuario:U4
Password:111

Usuario:U4
Password:222

Usuario:U4
Password:333

%AAA-5-USER_LOCKED: User U4 locked out on authentication failure

% Authentication failed

Usuario:admin
Password:

R1#show aaa local user lockout

Local-user Lock time
U4 15:20:39 UTC Wed Sep 14 2011

R1#clear aaa local user lockout username U4

R1#
%AAA-5-USER_UNLOCKED: User U4 unlocked by admin on console

Ahora podemos volver a intentarlo como usuario U4.

R1
aaa authentication fail-message $ AUTENTIFICACISN INVALIDA, INTENTELO NUEVAMENTE $

Usuario:U4
Password:1111
AUTENTIFICACISN INVALIDA, INTENTELO NUEVAMENTE
Usuario:U4
Password:cisco
R1>

La configuración nos quedaría de la siguiente manera:

aaa new-model
aaa local authentication attempts max-fail 3

aaa authentication banner ^C Autentificación AAA ^C

aaa authentication fail-message ^C AUTENTICATIOIN INVALIDA, INTENTELO NUEVAMENTE ^C
24
2019 instructor.duoc@gmail.com
SRY

aaa authentication password-prompt Password:

aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case

username U4 password 0 cisco

username admin privilege 15 password 0 cisco

line con 0
login authentication CONS

AAA Base de datos Local

R1-------------------------------------------------------R2
F0/0 10.1.12.0/24 F0/0

R1
interface GigabitEthernet0/0
ip address 10.1.12.1 255.255.255.0
no shut

R2
interface GigabitEthernet0/0
ip address 10.1.12.2 255.255.255.0
no shut

Rx
router eigrp 1
network 10.0.0.0

Escenario 1. Accedemos R2 via telnet usando la pasword de enable (modo exec).

R2
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password:cisco
Corresponde a la misma
password que configuramos
con enable secret (cisco) 25
2019 instructor.duoc@gmail.com
SRY

R2>
R2>enable
Password:cisco

Escenario 2. Accedemos R2 via telnet usando la base de datos local. Debemos crear un user y su password.
Nota: Borrar configuración anterior. Si está configurado aaa new-model no podremos utilizar la base de datos local
directamente en line vty.

R2
username admin password admin

line vty 0 4
login local

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Username: admin
Password:admin
R2>en
Password:cisco

Escenario 3. Accedemos R2 via telnet usando si usar password. Como veremos no tendremos que
autenticarnos. Salvo si queremos entrar al modo privilegiado.

R2
aaa new-model
aaa authentication login TELNET none

line vty 0 4
login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
R2>

26
2019 instructor.duoc@gmail.com
SRY

Banner Messages
 Configure R1 con el mensaje del dia (message of the day = motd) que se muestra a continuación:

-------------------------------------------------------------------------
Te has conectado al router R1 en el puerto de consola 0.
XXXXXXXX
/| XXXXXXXX|\XXXXXXXXX
/*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX
|**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX
|***\ X_/ \_ /***|___XXXXXXXXXXXX
\******* *******/ XXXXX \\XXXXXXX
\**** / \ *****/ XXXXX \\XXXXXXX
XXXX| 0 0 | XXXXX \XXXXXXX
XXXXX | | XXXXX \XXXXXXX
XXXXXX \ / XXXXX |________//
XXXXXX \ / XXXXX |XXXXXX
XXXXXX | O_O | XXXXX ||XXXXX
XXXXX \ _ / XXXXX \XXX
XXXX| : |XXXX /\ \ _
XXX\_/XXX |\__\ _____/ \ \ ) |_|
XXXXXX< | | | XX| |X\_ | _
XXX/ |X <_> XXXX/ | | | |_|
|___|XXXX| |XXXXXXXXX|___| | \
XXXXXX/ \XXXXXXXX |____|

Empresas Red Bull

Gerencia Informatica

Ubicacion: Av. Bernardo Prat # 1559, Piso 2

!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200

 En el modo de configuración global agregamos:

banner motd ^CC

-------------------------------------------------------------------------
Te has conectado al router $(hostname) en el puerto de consola $(line).
XXXXXXXX
/| XXXXXXXX|\XXXXXXXXX
/*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX
|**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX
|***\ X_/ \_ /***|___XXXXXXXXXXXX
\******* *******/ XXXXX \\XXXXXXX
\**** / \ *****/ XXXXX \\XXXXXXX
XXXX| 0 0 | XXXXX \XXXXXXX
XXXXX | | XXXXX \XXXXXXX
XXXXXX \ / XXXXX |________//
XXXXXX \ / XXXXX |XXXXXX
XXXXXX | O_O | XXXXX ||XXXXX
XXXXX \ _ / XXXXX \XXX
XXXX| : |XXXX /\ \ _
XXX\_/XXX |\__\ _____/ \ \ ) |_|
XXXXXX< | | | XX| |X\_ | _
XXX/ |X <_> XXXX/ | | | |_|
|___|XXXX| |XXXXXXXXX|___| | \
XXXXXX/ \XXXXXXXX |____|

Empresas Red Bull

27
2019 instructor.duoc@gmail.com
SRY

Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200 ^C

28
2019 instructor.duoc@gmail.com
SRY

Syslog Features

 Habilitar Syslog Server en PC. Utilizar aplicación Kiwi Syslog o Syslog Server 1.2.0.
 R1 debe poder enviar mensajes de syslog tanto al server como a la consola. Utilizar loopback0
como interface de sesión. Los mensajes debe ser enviados a partir de log nivel 7.
Nota: El servidor syslog se encuetra en la VM XP.

29
2019 instructor.duoc@gmail.com
SRY

30
2019 instructor.duoc@gmail.com
SRY

R1
logging on
logging origin-id hostname
logging source-interface loopback0
logging 100.1.1.3
logging trap debugging

R1#debug ip packet
R1#debug ip packet
IP packet debugging is on
R1#
IP: s=10.1.12.1 (local), d=224.0.0.10 (GigabitEthernet0/0), len 60, sending broad/multicast
IP: s=10.1.12.1 (local), d=224.0.0.10 (GigabitEthernet0/0), len 60, sending full packet
IP: s=10.1.12.2 (GigabitEthernet0/0), d=224.0.0.10, len 60, rcvd 0
IP: s=10.1.12.2 (GigabitEthernet0/0), d=224.0.0.10, len 60, input feature, packet consumed, MCI
Check(85), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
R1#
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
R1#
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
R1#
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
R1#u al
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: tableid=0, s=10.1.1.1 (local), d=100.1.1.3 (FastEthernet1/0), routed via FIB
IP: s=10.1.12.1 (local), d=224.0.0.10 (GigabitEthernet0/0), len 60, sending broad/multicast
IP: s=10.1.12.1 (local), d=224.0.0.10 (GigabitEthernet0/0), len 60, sending full packet
IP: s=10.1.12.2 (GigabitEthernet0/0), d=224.0.0.10, len 60, rcvd 0

31
2019 instructor.duoc@gmail.com
SRY

32
2019 instructor.duoc@gmail.com
SRY

ACLs Established

 Configure direccionamiento mostrado.

 Configure OSPF como muestra la figura, publicando las interfaces directamente conectadas.
 R3 es el router ASBR para este escenario. Según políticas de la empresa solo se permitirá el tráfico
iniciado localmente desde los routers R1 y R2. Utilice la ACL 103.
 Habilite telnet en todos los routers, utilice password cisco. Las sesiones telnet no puede cerrarse
nunca.
 En R3 se deben enviar log a la consola para ambos intentos (fallidos/exitosos).

R1
router ospf 1
router-id 1.1.1.1

interface range fastEthernet 0/0 - 1

ip ospf 1 area 0
ip ospf network point-to-point

interface Loopback0
ip ospf 1 area 0

line vty 0 4
exec-timeout 0 0
password cisco
login

R2
router ospf 1
router-id 2.2.2.2

interface range fastEthernet 0/0 - 1

ip ospf 1 area 0
ip ospf network point-to-point
33
2019 instructor.duoc@gmail.com
SRY

interface Loopback0
ip ospf 1 area 0
line vty 0 4
exec-timeout 0 0
password cisco
login

R3
router ospf 1
router-id 3.3.3.3

interface range fastEthernet 0/0 - 1

ip ospf 1 area 0
ip ospf network point-to-point

interface Serial1/0
ip ospf 1 area 1

interface Loopback0
ip ospf 1 area 0

line vty 0 4
exec-timeout 0 0
password cisco
login

R4
router ospf 1
router-id 4.4.4.4

interface Serial1/0
ip ospf 1 area 1

interface Loopback0
ip ospf 1 area 1

line vty 0 4
exec-timeout 0 0
password cisco
login

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 0 FULL/ - 00:00:37 10.1.13.1 FastEthernet0/0
2.2.2.2 0 FULL/ - 00:00:38 10.1.23.2 FastEthernet0/1
4.4.4.4 0 FULL/ - 00:00:33 10.1.34.4 Serial1/0

34
2019 instructor.duoc@gmail.com
SRY

R1#sh ip route ospf

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O 10.1.23.0/24 [110/2] via 10.1.13.3, 00:24:17, FastEthernet0/1
[110/2] via 10.1.12.2, 00:24:27, FastEthernet0/0
O IA 10.1.34.0/24 [110/65] via 10.1.13.3, 00:05:27, FastEthernet0/1
O 10.2.2.2/32 [110/2] via 10.1.12.2, 00:05:55, FastEthernet0/0
O 10.3.3.3/32 [110/2] via 10.1.13.3, 00:05:55, FastEthernet0/1
O IA 10.4.4.4/32 [110/66] via 10.1.13.3, 00:04:59, FastEthernet0/1

Comprobamos si R4 puede acceder a los routers dentro de area 0 utilizando telnet.

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password:cisco
R2>

R4#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:cisco
R1>

Configuramos la ACL 103 y la aplicamos a la entrada de la serial 1/0 de R3.

R3
access-list 103 permit ospf any any
access-list 103 permit tcp any any established log
access-list 103 deny ip any any log

interface Serial1/0
ip access-group 103 in

R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
User Access Verification
Password:cisco
R4>

R3#show access-lists 103

Extended IP access list 103
10 permit ospf any any (8 matches)
35
2019 instructor.duoc@gmail.com
SRY

20 permit tcp any any established log (11 matches)

R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R3#
*Aug 29 13:27:47.747: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.34.4(46374) -> 10.1.1.1(23), 1
packet

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
User Access Verification
Password:cisco
R4>

R3#
*Aug 29 13:28:37.151: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 10.4.4.4(23) -> 10.1.13.1(45476), 1
packet

Nota: la gran limitación del uso de la ACL en conjunto con established es que solo aplica a TCP y capas
superiores, pero no funciona para UDP o ICMP.

36
2019 instructor.duoc@gmail.com
SRY

ACLs de Tiempo

 Configurar el direccionamiento mostrado y habilitar EIGRP 1 de manera que los routers publiquen
todas sus interfaces directamente conectadas.
 Configurar R3 para que permita a los usuarios desde R4 navegar por Internet durante los dias de
semana unicamente, y pruebas de conectividad icmp los fines de semana.

- Habilitamos EIGRP

R1
router eigrp 1
network 10.0.0.0
no auto-summary

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 10.0.0.0
no auto-summary

R4
router eigrp 1
network 10.0.0.0
no auto-summary

R4#sh ip route eigrp

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D 10.1.1.0/24 [90/161280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.1.12.0/24 [90/33280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.1.23.0/24 [90/30720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.2.2.0/24 [90/158720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.3.3.0/24 [90/156160] via 10.1.34.3, 00:01:07, FastEthernet0/0

37
2019 instructor.duoc@gmail.com
SRY

- Definimos los permisos en R3 según lo que se explicita inicialmente.

R3
time-range SEMANA
periodic weekdays 0:00 to 23:59

time-range FINDE
periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range SEMANA

access-list 100 permit icmp any any time-range FINDE
access-list 100 permit eigrp any any
access-list 100 deny ip any any log

interface FastEthernet0/0
ip access-group 100 in

R3#clock set 10:00:00 20 sept 2011 //martes

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 1 packet

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (inactive) (5 matches)
20 permit tcp any any eq www time-range SEMANA (active)
30 permit eigrp any any (64 matches)
40 deny ip any any log (15 matches)

R4#telnet 10.2.2.2 80
Trying 10.2.2.2, 80 ...
% Connection refused by remote host

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (inactive) (5 matches)
20 permit tcp any any eq www time-range SEMANA (active) (1 match)
30 permit eigrp any any (70 matches)
40 deny ip any any log (15 matches)

R3#clock set 10:00:00 18 sept 2011 //fin de semana

R3#
%SYS-6-CLOCKUPDATE: System clock has been updated from 10:04:55 UTC Tue Sep 20 2011 to 10:00:00
UTC Sun Sep 18 2011, configured from console by console.
38
2019 instructor.duoc@gmail.com
SRY

R3#clear access-list counters

R3#
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 14 packets

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/76/116 ms

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (active) (5 matches)
20 permit tcp any any eq www time-range SEMANA (inactive)
30 permit eigrp any any (6 matches)
40 deny ip any any log

39
2019 instructor.duoc@gmail.com
SRY

ACLs Dinámicas

 Configurar EIGRP 1 en todos los routers y publicar sus interfaces directamente conectadas. EIGRP
no debe perder adyacencias.
 Habilitar Telnet en R1 y R2. Para acceder a R4 debemos usar el usuario admin4 password cisco4
 R4 requiere autentificación para poder acceder a los routers dentro de empresa A. Usar telnet
para autentificación.
 Los routers dentro de Empresa A pueden acceder a los servicios de R4 sin autentificación.
 En R3 (el router de borde) crear usuario u4 password cisco.

R1
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

R2
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

R3
router eigrp 1
network 10.0.0.0
no auto-summary
40
2019 instructor.duoc@gmail.com
SRY

line vty 0 4
password cisco
login

R4
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

Accedemos a los routers utilizando telnet antes de aplicar la configuración en R3.

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password:cisco
R2>

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
Autentificacion AAA
Usuario:admin4
Password:cisco4

Configuramos R3

R3
username u4 password cisco

access-list 100 permit tcp any host 10.1.34.3 eq telnet

access-list 100 permit eigrp any any
access-list 100 permit tcp any any established log
access-list 100 dynamic ACCESO permit ip any any

interface Serial1/0
ip access-group 100 in

line vty 0 4
autocommand access-enable host //comando oculto
login local //Parece no ser necesario si el server está down.

41
2019 instructor.duoc@gmail.com
SRY

R4#telnet 10.1.34.3
Trying 10.1.34.3 ... Open

User Access Verification

Username: u4
Password:
[Connection to 10.1.34.3 closed by foreign host]

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password:

R2>en
Password:
R2#

R4#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/82/132 ms

R3#show access-lists
Extended IP access list 100
10 permit tcp any host 10.1.34.3 eq telnet (132 matches)
20 permit eigrp any any (128 matches)
30 permit tcp any any established log (18 matches)
40 Dynamic ACCESO permit ip any any
permit ip host 10.1.34.4 any (1 match)

42
2019 instructor.duoc@gmail.com
SRY

Fragmentation Attack

Se utilizó el IOS Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)M8.
Setup: Cree la topologia y direccionamiento mostrado.
 El router R1 está enviando un gran grupo de paquetes fragmentados a R2. Configure una solución de
manera que R2 descarte todos los paquetes fragmentados que recibe en su interface FastEthernet y
genere un mensaje de consola.

R2
ip access-list extended DENY_FRAGMENTS
deny icmp any host 10.1.123.2 fragments log
permit ip any any

interface FastEthernet0/0
ip access-group DENY_FRAGMENTS in

R2#sh access-lists
Extended IP access list DENY_FRAGMENTS
10 deny icmp any host 10.1.123.2 fragments log
20 permit ip any any

R2#sh interfaces fastEthernet 0/0 | include MTU

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

R1#ping 10.1.123.2 size 1500

Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.123.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/16/20 ms

R1#ping 10.1.123.2 size 1501

Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 10.1.123.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#
43
2019 instructor.duoc@gmail.com
SRY

%SEC-6-IPACCESSLOGDP: list DENY_FRAGMENTS denied icmp 10.1.123.1 -> 10.1.123.2 (0/0), 1

R2#sh access-lists
Extended IP access list DENY_FRAGMENTS
10 deny icmp any host 10.1.123.2 fragments log (3 matches)
20 permit ip any any (9 matches)

 Con respecto al primer ping realizado en R1. ¿Porque se pierde el primer paquete?

 Configure R3 de manera que realice un seguimiento de los paquetes fragmentados que reciba. R3 solo
permitirá hasta un paquete fragmentado en 2 y con un timout de 2 segundos.

R3
interface FastEthernet0/0
ip virtual-reassembly in max-fragments 2 timeout 2

R3#sh ip interface fastEthernet 0/0 | include Virtual

Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check

R1#ping 10.1.123.3 size 2980

Type escape sequence to abort.
Sending 5, 2980-byte ICMP Echos to 10.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

R3#
%IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/0: Too many fragments per datagram (more than 2) - sent by
10.1.123.1, destined to 10.1.123.3

R3#sh ip virtual-reassembly fastEthernet 0/0

FastEthernet0/0:
Virtual Fragment Reassembly (VFR) is ENABLED [in]
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 2
Reassembly timeout (timeout): 2 seconds
Drop fragments: OFF

Current reassembly count:0

Current fragment count:0
Total reassembly count:59
Total reassembly timeout count:0

 ¿Porque los paquetes se descartan cuando el tamaño del paquete supera los 2800 bytes?’

44
2019 instructor.duoc@gmail.com
SRY

Protección contra el uso de opciones de IP maliciosas

Setup: Cree la topologia y direccionamiento mostrado.

 Configure R1 de manera que bloquee y genere un log cuiando reciba las siguientes opciones IP:
- Loose Source Route (LSR) permite determiner el camino parcial que puede tomar el paquete.
- Strict Source Routing (SSR) permite determiner el camino completo que puede tomar el paquete.
- Base Security

R1
ip access-list extended OPTIONS_IPv4
deny ip any any option lsr log
deny ip any any option ssr log
deny ip any any option security log
permit ip any any

interface FastEthernet0/0
ip access-group OPTIONS_IPv4 in

R2#ping
Protocol [ip]:
Target IP address: 10.1.123.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: L
Source route: 10.1.123.2
Loose, Strict, Record, Timestamp, Verbose[LV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
45
2019 instructor.duoc@gmail.com
SRY

Sending 5, 100-byte ICMP Echos to 10.1.123.1, timeout is 2 seconds:

Packet has IP options: Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Unreachable from 10.1.123.1. Received packet has options

Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Unreachable from 10.1.123.1. Received packet has options

Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Unreachable from 10.1.123.1. Received packet has options

Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Unreachable from 10.1.123.1. Received packet has options

Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Unreachable from 10.1.123.1. Received packet has options

Total option bytes= 7, padded length=8
Loose source route: <*>
(10.1.123.2)

Success rate is 0 percent (0/5)

R1#
%SEC-6-IPACCESSLOGDP: list OPTIONS_IPv4 denied icmp 10.1.123.2 -> 10.1.123.1 (0/0), 1 packet

 En R2 configure una ACL que permita segmentos TCP que tengan establecidos las flags SYN, ACK, pero no la
flag FIN. Adicionalmente permita solo paquetes que tengan un TTL entre 254 y 255 saltos.

R2
ip access-list extended TCP_OPTIONS
permit tcp any any match-all +ack -fin +syn
permit ip any any ttl range 254 255
deny ip any any log-input

interface FastEthernet0/0
ip access-group TCP_OPTIONS in

46
2019 instructor.duoc@gmail.com
SRY

R2#clear access-list counters

R2#sh access-lists
Extended IP access list TCP_OPTIONS
10 permit tcp any any match-all +ack -fin +syn
20 permit ip any any ttl range 254 255
30 deny ip any any log-input

 Configure telnet en R2 para sesiones entrantes.

R2
line vty 0 4
privilege level 15
no login
transport input telnet

R1#telnet 10.1.123.2
Trying 10.1.123.2 ... Open
R2#

R2#sh access-lists
Extended IP access list TCP_OPTIONS
10 permit tcp any any match-all +ack -fin +syn
20 permit ip any any ttl range 254 255 (74 matches)
30 deny ip any any log-input

 En R1 cree una ruta estática apuntando a R3 como próximo salto para alcanzar la dirección 10.1.123.2.

R1
ip route 10.1.123.2 255.255.255.255 10.1.123.3

R1#sh ip route static

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 10.1.123.2/32 [1/0] via 10.1.123.3

R3#debug ip icmp
ICMP packet debugging is on

R1#traceroute 10.1.123.2 ttl 1 2

Type escape sequence to abort.
Tracing the route to 10.1.123.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.123.3 12 msec 16 msec 16 msec
2 10.1.123.2 !A !A !A

R2#
%SEC-6-IPACCESSLOGP: list TCP_OPTIONS denied udp 10.1.123.1(49171) (FastEthernet0/0 ca03.06e4.0008) ->
10.1.123.2(33437), 1 packet
47
2019 instructor.duoc@gmail.com
SRY

R3#
ICMP: redirect sent to 10.1.123.1 for dest 10.1.123.2, use gw 10.1.123.2

R1#telnet 10.1.123.2
Trying 10.1.123.2 ...
% Destination unreachable; gateway or host down

R2#
%SEC-6-IPACCESSLOGP: list TCP_OPTIONS denied tcp 10.1.123.1(11338) (FastEthernet0/0 ca03.06e4.0008) ->
10.1.123.2(23), 1 packet

 ¿Que significa que el mensaje ICMP utilice redirect?

 Configure R3 para que descarte cualquier paquete con opciones establecidas.

R3
ip options drop

% Warning: RSVP and other protocols that use IP Options packets

may not function as expected.

R1#ping 10.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/16 ms

48
2019 instructor.duoc@gmail.com
SRY

R1#ping
Protocol [ip]:
Target IP address: 10.1.123.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: T
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.123.3, timeout is 2 seconds:
Packet has IP options: Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 5
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)

Request 0 timed out

Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)

49
2019 instructor.duoc@gmail.com
SRY

Protección mensajes ICMP tipo 3 código 1

Setup: Cree la topologia y direccionamiento mostrado.

 En R1 cree una ruta estática para alcanzar la dirección 3.3.3.3 (dirección que no existe).
 Configure R3 de manera que si recibe un paquete con mensaje ICMP Destination unreachable (Destino
inaccesible) no lo reenvíe.

R1
ip route 3.3.3.0 255.255.255.0 10.1.123.3

R1#sh ip route static

Gateway of last resort is not set
3.0.0.0/24 is subnetted, 1 subnets
S 3.3.3.0 [1/0] via 10.1.123.3

R1#ping 3.3.3.3 repeat 11

Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
UUUUUUUUUUU
Success rate is 0 percent (0/11)

R3
interface FastEthernet0/0
no ip unreachables

R3#sh ip interface fastEthernet 0/0 | include unreachable

ICMP unreachables are never sent

R1#ping 3.3.3.3 repeat 11

Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
...........
Success rate is 0 percent (0/11)

50
2019 instructor.duoc@gmail.com
SRY

 Configure R2 para ICMP rate limit de manera que el router pueda enviar 1 paquete ICMP código 1 cada 5
segundos y 1 paquete ICMP código 4 (DF) cada 3 segundos.
 En R1 cree una ruta estática para alcanzar la dirección 3.3.3.3 (dirección que no existe).

R2
ip icmp rate-limit unreachable 5000
ip icmp rate-limit unreachable DF 3000

R2#sh ip icmp rate-limit

DF bit unreachables All other unreachables
Interval (millisecond) 3000 5000
Log threshold (packet) 1000 1000
Log interval (millisecond) 60000 60000

Interface # DF bit unreachables # All other unreachables

--------- --------------------- ------------------------
FastEthernet0/0 0 0

R1
ip route 2.2.2.2 255.255.255.255 10.1.123.2

R1#sh ip route static

Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 10.1.123.2
3.0.0.0/24 is subnetted, 1 subnets
S 3.3.3.0 [1/0] via 10.1.123.3

R1#ping 2.2.2.2 repeat 15

Type escape sequence to abort.
Sending 15, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U...U...U...U..
Success rate is 0 percent (0/15)

R2#sh debugging
Generic IP:
ICMP packet debugging is on

R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1
R2#
51
2019 instructor.duoc@gmail.com
SRY

R2#
ICMP: dst (2.2.2.2) host unreachable sent to 10.1.123.1

52
2019 instructor.duoc@gmail.com
SRY

TCP Intercept (Redistribucion EIGRP-OSPF)

Cree el direccionamiento mostrado.

 Forme adyacencia EIGRP 1 entre R1 y R2. R1 debe publicar su interface loopback0 dentro del
dominio EIGRP.

R1
interface Loopback0
ip address 1.1.1.1 255.255.255.0

router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.12.0 0.0.0.255
eigrp router-id 0.0.0.1

R2
router eigrp 1
network 10.1.12.0 0.0.0.255
eigrp router-id 0.0.0.2

R1#sh ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.12.2 Fa0/0 14 00:04:26 56 336 0 5

53
2019 instructor.duoc@gmail.com
SRY

R2#sh ip eigrp topology

EIGRP-IPv4 Topology Table for AS(1)/ID(0.0.0.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.12.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0
P 1.1.1.0/24, 1 successors, FD is 156160
via 10.1.12.1 (156160/128256), FastEthernet0/0

 Configure OSPF 1 area 0 entre R2 y R3. R3 debe publicar su interface loopback0 dentro del
dominio OSPF.

R2
router ospf 1
router-id 0.0.0.2
network 10.1.23.0 0.0.0.255 area 0

R3
router ospf 1
router-id 0.0.0.3

interface Loopback0
ip address 3.3.3.3 255.255.255.0

interface range fastEthernet 0/1 , loopback 0

ip ospf 1 area 0

interface Loopback0
ip ospf network point-to-point

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.2 1 FULL/DR 00:00:32 10.1.23.2 FastEthernet0/1

R2#sh ip route ospf

Gateway of last resort is not set
3.0.0.0/24 is subnetted, 1 subnets
O 3.3.3.0 [110/2] via 10.1.23.3, 00:00:39, FastEthernet0/1

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/32 ms

54
2019 instructor.duoc@gmail.com
SRY

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/32 ms

R1#sh ip route 3.3.3.0 255.255.255.0

% Network not in table

R3#sh ip route 1.1.1.0 255.255.255.0

% Network not in table

 En el ASBR reditribuya mutuamente EIGRP↔OSPF.

R2#sh interfaces fastEthernet 0/0 | include MTU|reliability

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255

R2
router eigrp 1
default-metric 100000 100 255 1 1500
redistribute ospf 1

R1#sh ip route eigrp

Gateway of last resort is not set
3.0.0.0/24 is subnetted, 1 subnets
D EX 3.3.3.0 [170/53760] via 10.1.12.2, 00:00:11, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX 10.1.23.0/24 [170/53760] via 10.1.12.2, 00:00:11, FastEthernet0/0

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2
router ospf 1
redistribute eigrp 1 subnets

R3#sh ip route ospf

Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
O E2 1.1.1.0 [110/20] via 10.1.23.2, 00:00:15, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2 10.1.12.0/24 [110/20] via 10.1.23.2, 00:00:15, FastEthernet0/1

55
2019 instructor.duoc@gmail.com
SRY

R1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

 Utilizando AAA habitilie el servicio Telnet en R3. Las credenciales son las siguientes:
- Username: admin
- Password: class

R3
username admin password class

aaa new-model
aaa authentication login TELNET local

line vty 0 4
privilege level 15
login authentication TELNET
transport input telnet
transport output ssh

R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
User Access Verification
Username: admin
Password:class
R3#

[Connection to 3.3.3.3 closed by foreign host]

R1#

56
2019 instructor.duoc@gmail.com
SRY

Proteccion a ataques DoS utilizando Committed Access Rate (CAR)

Setup: Cree la topologia y direccionamiento mostrado.

 Se ha reportado que R1 está enviando una gran cantidad de paquetes ICMP a R3. Este tráfico de datos
genera degradación del rendimiento de la red. Limite el tráfico a 8 kbps. Tráfico normal 2 kbps y excedido 4
kbps.

R3
access-list 100 permit icmp any any

interface FastEthernet0/0
rate-limit input access-group 100 8000 2000 4000 conform-action transmit exceed-action drop

R1#ping 10.1.123.3 repeat 100 timeout 1

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.123.3, timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.
!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!
Success rate is 93 percent (93/100), round-trip min/avg/max = 8/10/24 ms

R3#sh interfaces fastEthernet 0/0 rate-limit

FastEthernet0/0
Input
matches: access-group 100
params: 8000 bps, 2000 limit, 4000 extended limit
conformed 93 packets, 10602 bytes; action: transmit
exceeded 7 packets, 798 bytes; action: drop
last packet: 133728ms ago, current burst: 2440 bytes
last cleared 00:03:02 ago, conformed 463 bps, exceeded 34 bps

57
2019 instructor.duoc@gmail.com
SRY

Proteccion a ataques Smurf

Setup: Cree la topologia y direccionamiento mostrado.

 Configure R3 de manera que bloquee ataques Smurf que se originen en la red ethernet y vayan a la
interface loopback0 de R3 (3.3.3.3/24).
Redirects debe estar activo, solo se debe bloquear siempre que se cumpla lo indicado en la tarea anterior.

R3#sh ip interface fastEthernet 0/0 | include ICMP

ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent

R3#sh running-config interface fastEthernet 0/0

Building configuration...

Current configuration : 112 bytes

!
interface FastEthernet0/0
ip address 10.1.123.3 255.255.255.0
no ip redirects
duplex auto
speed auto
end

R3
interface fastEthernet 0/0
ip redirects

R3#sh ip interface fastEthernet 0/0 | include ICMP

ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent

58
2019 instructor.duoc@gmail.com
SRY

R3
interface Loopback0
ip address 3.3.3.3 255.255.255.0

R3#sh access-lists
R3#

R3
access-list 100 deny icmp any host 3.3.3.255 log
access-list 100 permit ip any any

interface FastEthernet0/0
ip access-group 100 in

R3#sh access-lists
Extended IP access list 100
10 deny icmp any host 3.3.3.255 log
20 permit ip any any

 En R1 cree una ruta hacia el prefijo 3.3.3.3/24 considerando a R3 como próximo salto.

R3
ip route 3.3.3.0 255.255.255.0 10.1.123.3

R1#ping 3.3.3.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.255, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.123.1 -> 3.3.3.255 (0/0), 5 packets

R3#sh access-lists
Extended IP access list 100
10 deny icmp any host 3.3.3.255 log (5 matches)
20 permit ip any any

59
2019 instructor.duoc@gmail.com
SRY

ACLs IP/ICMP

 Configrar RIPv2 para que exista NLRI completo. Las actualizaciones deben ser unicast (no
mutlicast).
 En R2 debemos denegar entre 10.1.1.1 y 10.4.4.4. El resto del tráfico debe ser permitido.
 De haber un match respecto a esta regla, debemos ver un log de consola en R2.

R1
router rip
version 2
passive-interface FastEthernet0/0
network 10.0.0.0
neighbor 10.1.12.2
no auto-summary

R2
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 10.0.0.0
neighbor 10.1.12.1
neighbor 10.1.23.3
no auto-summary

R3
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 10.0.0.0
neighbor 10.1.34.4
neighbor 10.1.23.2
no auto-summary

R4
router rip
version 2
passive-interface FastEthernet0/0

60
2019 instructor.duoc@gmail.com
SRY

network 10.0.0.0
neighbor 10.1.34.3
no auto-summary

R1#sh ip route rip

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks

R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:12, FastEthernet0/0

R1#ping 10.4.4.4 source 10.1.1.1 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 80/106/132 ms

En R2 creamos las ACLs que filtrará el tráfico entre 10.1.1.1 y 10.4.4.4. Como buena práctica verificamos si
hemos configurado alguna ACL con anterioridad con el comando show access-lists. Una de las ACL tiene
origen R1 y destino R4. La otra ACL tiene origen R4 y destino R1. Esto quiere decir que aplicaremos cada
ACL en interfaces distintas.

R2#show access-lists
R2#

R2
access-list 102 deny ip host 10.4.4.4 host 10.1.1.1 log
access-list 102 permit ip any any

access-list 122 deny ip host 10.1.1.1 host 10.4.4.4 log

access-list 122 permit ip any any

interface FastEthernet0/0
ip access-group 122 in

61
2019 instructor.duoc@gmail.com
SRY

interface FastEthernet0/1
ip access-group 102 in

R2#show access-lists
Extended IP access list 102
10 deny ip host 10.4.4.4 host 10.1.1.1 log
20 permit ip any any (3 matches)
Extended IP access list 122
10 deny ip host 10.1.1.1 host 10.4.4.4 log
20 permit ip any any (3 matches)

Prueba de conectividad.

R1#ping 10.2.2.2 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/56/88 ms

R1#ping 10.3.3.3 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/120 ms

R1#ping 10.4.4.4 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
U.U.U
Success rate is 0 percent (0/5)

R2#
*Sep 5 13:14:05.527: %SEC-6-IPACCESSLOGDP: list 122 denied icmp 10.1.1.1 -> 10.4.4.4 (0/0), 1 packet

R1#sh ip route rip

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

62
2019 instructor.duoc@gmail.com
SRY

10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks

R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:19, FastEthernet0/0

 Se requieren las siguientes políticas:

- R1puede pinguear a R2 y recibir la replica de vuelta.
- R2 no puede pinguear a R1

R1
access-list 101 deny icmp host 10.1.12.2 any echo
access-list 101 deny icmp host 10.2.2.2 any echo
access-list 101 deny icmp host 10.1.23.2 any echo
access-list 101 permit ip any any

interface FastEthernet0/0
ip access-group 101 in

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/88 ms

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/96 ms

R1#ping 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/92 ms

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

63
2019 instructor.duoc@gmail.com
SRY

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.1.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.23.2
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)

En el siguiente ejemplo configuraremos R2 de manera que si no tiene como alcanzar una red utilice a R3
como su default-gateway. Creamos un default route. Intentamos conectividad a una IP inexistente
(10.5.5.5)

R2
ip route 0.0.0.0 0.0.0.0 fastEthernet 0/1 10.1.23.3

R2#sh ip route static

Gateway of last resort is 10.1.23.3 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.23.3, FastEthernet0/1

R2#debug ip icmp
ICMP packet debugging is on

R2#ping 10.5.5.5 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
U
*Sep 5 13:35:50.603: ICMP: dst (10.1.23.2) host unreachable rcv from 10.1.23.3.
Success rate is 0 percent (0/2)

64
2019 instructor.duoc@gmail.com
SRY

 Configurar R3 de manera que no envíe mensage de ICMP: dst (10.1.23.2) host unreachable.

R3
interface FastEthernet0/1
no ip unreachables

R2#ping 10.5.5.5 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

65
2019 instructor.duoc@gmail.com
SRY

ACLs para OSPF y EIGRP

 Configure EIGRP 1 en todos los routers y publique sus interfaces directamente conectadas.
Deshabilite la sumarización automática.
 Configure OSPF 1 area 0 en todos los routers y publique sus interfaces directamente conectadas.
No se permite la elección de DR/BDR. Publique las loopback en OSPF con sus máscaras correctas.
No utilizar comando network para publicar las interfaces. Remover RIPv2 de la configuración
anterior incluyendo ACLs.

Rx
no router rip

R1
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 1.1.1.1

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

R2
router eigrp 1
network 10.0.0.0
no auto-summary

66
2019 instructor.duoc@gmail.com
SRY

router ospf 1
router-id 2.2.2.2

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/1
ip ospf network point-to-point
ip ospf 1 area 0

R3
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 3.3.3.3

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/1
ip ospf network point-to-point
ip ospf 1 area 0

R4
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 4.4.4.4

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
67
2019 instructor.duoc@gmail.com
SRY

ip ospf 1 area 0

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:34 10.1.23.3 FastEthernet0/1
1.1.1.1 0 FULL/ - 00:00:36 10.1.12.1 FastEthernet0/0

R2#show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 13 00:04:21 110 660 0 6
0 10.1.12.1 Fa0/0 11 00:04:23 124 744 0 5

 Configure una ACL en R1 de manera que bloquee el tráfico EIGRP y permita todo el resto del
tráfico. El resultado de está configuración la veremos en la tabla de R1 donde en lugar de redes
conocidas por EIGRP (AD 90) se instalarán redes conocidas por OSPF (AD 110).

Nota: Primero verificamos la RIB. Luego de la configuración veremos que EIGRP pierde adyacencia.

R1#sh ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback0
L 10.1.1.1/32 is directly connected, Loopback0
C 10.1.12.0/24 is directly connected, FastEthernet0/0
L 10.1.12.1/32 is directly connected, FastEthernet0/0
D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:10:41, FastEthernet0/0
D 10.1.34.0/24 [90/33280] via 10.1.12.2, 00:10:39, FastEthernet0/0
D 10.2.2.0/24 [90/156160] via 10.1.12.2, 00:10:41, FastEthernet0/0
D 10.3.3.0/24 [90/158720] via 10.1.12.2, 00:10:39, FastEthernet0/0
D 10.4.4.0/24 [90/161280] via 10.1.12.2, 00:10:38, FastEthernet0/0

R1#show access-lists
Extended IP access list 101
10 deny icmp host 10.1.12.2 any echo (10 matches)
20 deny icmp host 10.2.2.2 any echo (5 matches)
30 deny icmp host 10.1.23.2 any echo (5 matches)
40 permit ip any any (242 matches)

R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#no access-list 101

R1
access-list 100 deny eigrp any any
access-list 100 permit ip any any

68
2019 instructor.duoc@gmail.com
SRY

interface FastEthernet0/0
ip access-group 100 in

R1#sh ip route | begin Gateway

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback0
L 10.1.1.1/32 is directly connected, Loopback0
C 10.1.12.0/24 is directly connected, FastEthernet0/0
L 10.1.12.1/32 is directly connected, FastEthernet0/0
O 10.1.23.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.1.34.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.2.2.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.3.3.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.4.4.0/24 [110/4] via 10.1.12.2, 00:00:13, FastEthernet0/0

69
2019 instructor.duoc@gmail.com
SRY

Seguridad Telnet IPv6

R1----------------------------------------------------R2
1::1/128 2001:1:1:12::/64 2::2/128

 Cree la topología y direccionamiento mostrado. Para la dirección Link Local utilice el formato
FE80::X donde la X representa el número del router.

R1
ipv6 unicast-routing

interface FastEthernet0/0
ipv6 address FE80::1 link-local
ipv6 address 2001:1:1:12::1/64

interface Loopback0
ipv6 address 1::1/64

R2
ipv6 unicast-routing

interface FastEthernet0/0
ipv6 address FE80::2 link-local
ipv6 address 2001:1:1:12::2/64

interface Loopback0
ipv6 address 2::2/64

R2#ping 2001:1:1:12::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:12::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/80 ms

R1#ping fe80::2
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::2, timeout is 2 seconds:
Packet sent with a source address of FE80::1%FastEthernet0/0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms

R1#sh ipv6 neighbors

IPv6 Address Age Link-layer Addr State Interface
2001:1:1:12::2 0 ca02.0e3c.0008 REACH Fa0/0
FE80::2 0 ca02.0e3c.0008 REACH Fa0/0

70
2019 instructor.duoc@gmail.com
SRY

71
2019 instructor.duoc@gmail.com
SRY

 Configure OSPFv3 area 0 y compruebe que exista conectividad entre las loopback0 de R1 y R2.
 Utilice el ID OSPF 0.0.0.X donde X corresponde al número del router.
 No se permiten LSAs del tipo 2 en el enlace entre R1 y R2.
 Compruebe la direcciones de las interfaces loopback0 se instalen con su mascara correcta en la
Router Information Base.

R1
router ospfv3 1
router-id 0.0.0.1

interface FastEthernet0/0
ipv6 ospf 1 area 0

interface Loopback0
ipv6 ospf 1 area 0

R2
router ospfv3 1
router-id 0.0.0.2

interface FastEthernet0/0
ipv6 ospf 1 area 0

interface Loopback0
ipv6 ospf 1 area 0

R1#show ipv6 ospf neighbor

OSPFv3 Router with ID (0.0.0.1) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
0.0.0.2 1 FULL/DR 00:00:37 3 FastEthernet0/0

R1#show ipv6 route ospf

IPv6 Routing Table - default - 6 entries
O 2::2/128 [110/1]
via FE80::2, FastEthernet0/0

R2
interface Loopback0
ipv6 ospf network point-to-point

R1#show ipv6 route ospf

IPv6 Routing Table - default - 6 entries
O 2::/64 [110/2]
via FE80::2, FastEthernet0/0

72
2019 instructor.duoc@gmail.com
SRY

R1
interface Loopback0
ipv6 ospf network point-to-point

R2#show ipv6 route ospf

IPv6 Routing Table - default - 6 entries
O 1::/64 [110/2]
via FE80::1, FastEthernet0/0

R1#sh ipv6 ospf database

OSPFv3 Router with ID (0.0.0.1) (Process ID 1)
Router Link States (Area 0)
ADV Router Age Seq# Fragment ID Link count Bits
0.0.0.1 212 0x80000002 0 1 None
0.0.0.2 213 0x80000002 0 1 None

Net Link States (Area 0)

ADV Router Age Seq# Link ID Rtr count
0.0.0.2 213 0x80000001 3 2

Link (Type-8) Link States (Area 0)

ADV Router Age Seq# Link ID Interface
0.0.0.1 50 0x80000001 6 Lo0
0.0.0.1 286 0x80000001 3 Fa0/0
0.0.0.2 254 0x80000001 3 Fa0/0

Intra Area Prefix Link States (Area 0)

ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
0.0.0.1 49 0x80000004 0 0x2001 0
0.0.0.2 104 0x80000004 0 0x2001 0
0.0.0.2 213 0x80000001 3072 0x2002 3

R1
interface FastEthernet0/0
ipv6 ospf network point-to-point

R2
interface FastEthernet0/0
ipv6 ospf network point-to-point

R1#sh ipv6 ospf database

OSPFv3 Router with ID (0.0.0.1) (Process ID 1)
Router Link States (Area 0)
ADV Router Age Seq# Fragment ID Link count Bits
0.0.0.1 65 0x80000003 0 1 None
0.0.0.2 12 0x80000003 0 1 None

Link (Type-8) Link States (Area 0)

ADV Router Age Seq# Link ID Interface
0.0.0.1 197 0x80000001 6 Lo0
73
2019 instructor.duoc@gmail.com
SRY

0.0.0.1 433 0x80000001 3 Fa0/0

0.0.0.2 401 0x80000001 3 Fa0/0

Intra Area Prefix Link States (Area 0)

ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
0.0.0.1 65 0x80000005 0 0x2001 0
0.0.0.2 12 0x80000005 0 0x2001 0

R1#sh ipv6 ospf database network

OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

 Habilite Telnet en R2.

 Configure R2 de manera que solo permita conexiones entrantes para el puerto 23 siempre que
tengan como origen la dirección 1::1 (loopback0 del router R1) y destino 2::2 (loopback0 del
router R2).
 Si existe una violación a esta política el proceso debe generar un log de consola.

R2
line vty 0 4
privilege level 15
no login

ipv6 access-list ONLY-R1

permit tcp host 1::1 host 2::2 eq telnet
deny ipv6 any any log

line vty 0 4
ipv6 access-class ONLY-R1 in

R1#telnet 2001:1:1:12::2
Trying 2001:1:1:12::2 ...
% Connection refused by remote host

R2#
%IPV6_ACL-6-ACCESSLOGP: list ONLY-R1/20 denied tcp 2001:1:1:12::1(37180) -> 2001:1:1:12:
:2(23), 1 packet

R1#telnet 2::2
Trying 2::2 ...
% Connection refused by remote host

R2#
%IPV6_ACL-6-ACCESSLOGP: list ONLY-R1/20 denied tcp 2001:1:1:12::1(58477) -> 2::2(23), 1 packet

74
2019 instructor.duoc@gmail.com
SRY

R1#telnet 2::2 /source-interface loopback 0

Trying 2::2 ... Open
R2#

R2#sh line vty 0 4 summary

2: u? ???
1 character mode users. (U)
4 lines never used. (?)
1 total lines in use, 1 not authenticated (lowercase)

R2#exit

[Connection to 2::2 closed by foreign host]

R1#

 Utilice AAA de manera que cuando R1 se conecte via telnet a R2 utilice las siguientes credenciales:
- User: admin
- Passwoerd: class

75
2019 instructor.duoc@gmail.com
SRY

ACLs para IPv6

 Configure el direccionamiento mostrado en la figura. Asigne la dirección link-local en todas sus

interfaces físicas con la siguiente disposición:
Router Link-local ID
R1 FE80::1 1.1.1.1
R2 FE80::2 2.2.2.2
R3 FE80::3 3.3.3.3
R4 FE80::4 4.4.4.4
 Configure OSPFv3 como muestra la figura. La loopback0 de R3 debe ser publicada en el dominio
OSPF. Habilite logs OSPF detalladamente y explique los estados OSPF. No debe existir elección de
DR/BDR. Publique las loopback0 con sus máscaras correctas.

R1
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

76
2019 instructor.duoc@gmail.com
SRY

R2
ipv6 router ospf 1
router-id 2.2.2.2
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R2#
*Sep 7 13:44:03.863: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from 2WAY to EXSTART, AdjOK?
*Sep 7 13:44:04.079: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXSTART to EXCHANGE, Negotiation Done
*Sep 7 13:44:04.235: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXCHANGE to LOADING, E xchange Done
*Sep 7 13:44:04.379: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loadi ng Done

R3
ipv6 router ospf 1
router-id 3.3.3.3
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R1#show ipv6 ospf neighbor

OSPFv3 Router with ID (1.1.1.1) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 0 FULL/ - 00:00:30 2 FastEthernet0/1
2.2.2.2 0 FULL/ - 00:00:35 2 FastEthernet0/0

R2#show ipv6 ospf neighbor

OSPFv3 Router with ID (2.2.2.2) (Process ID 1)
77
2019 instructor.duoc@gmail.com
SRY

Neighbor ID Pri State Dead Time Interface ID Interface

3.3.3.3 0 FULL/ - 00:00:32 3 FastEthernet0/1
1.1.1.1 0 FULL/ - 00:00:38 2 FastEthernet0/0

R1#show ipv6 route ospf

IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O 2001:1:1:23::/64 [110/2]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/1
O 2001:2:2:2::/64 [110/2]
via FE80::2, FastEthernet0/0
O 2001:3:3:3::/64 [110/2]
via FE80::3, FastEthernet0/1

R1#ping ipv6 2001:3:3:3::3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/45/72 ms

Configure RIPng en R3 y R4 utilizando el identificador de proceso R34. R4 debe publicar su interface

loopback0

R3
ipv6 router rip R34

interface Serial1/0
ipv6 rip R34 enable

R4
ipv6 router rip R34

interface Serial1/0
ipv6 rip R34 enable

interface Loopback0
ipv6 rip R34 enable

R3#show ipv6 route rip

IPv6 Routing Table - default - 13 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
78
2019 instructor.duoc@gmail.com
SRY

I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP

EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R 2001:4:4:4::/64 [120/2]
via FE80::4, Serial1/0

 Redistribuir mutuamente OSPFv3/RIPng

R3
ipv6 router ospf 1
redistribute rip R34 include-connected

ipv6 router rip R34

redistribute ospf 1 metric 2 include-connected

R1#show ipv6 route ospf

IPv6 Routing Table - default - 12 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O 2001:1:1:23::/64 [110/2]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/1
OE2 2001:1:1:34::/64 [110/20]
via FE80::3, FastEthernet0/1
O 2001:2:2:2::/64 [110/2]
via FE80::2, FastEthernet0/0
O 2001:3:3:3::/64 [110/2]
via FE80::3, FastEthernet0/1
OE2 2001:4:4:4::/64 [110/20]
via FE80::3, FastEthernet0/1

R1#ping 2001:4:4:4::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4:4:4::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/68/88 ms

79
2019 instructor.duoc@gmail.com
SRY

 Crear y publicar la loopback1 en R1 como muestra la figura.

R1
interface Loopback1
ipv6 address 2000:1:1::1/64
ipv6 address 2000:1:1:1::1/64
ipv6 address 2000:1:1:2::1/64
ipv6 address 2000:1:1:3::1/64
ipv6 address 2000:1:1:4::1/64
ipv6 address 2000:1:1:5::1/64
ipv6 address 2000:1:1:6::1/64
ipv6 address 2000:1:1:7::1/64
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R4#show ipv6 route rip

IPv6 Routing Table - default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R 2000:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:2::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:3::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:4::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:5::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:6::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:7::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:12::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:13::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:23::/64 [120/3]
via FE80::3, Serial1/0
R 2001:2:2:2::/64 [120/3]

80
2019 instructor.duoc@gmail.com
SRY

via FE80::3, Serial1/0

R 2001:3:3:3::/64 [120/3]
via FE80::3, Serial1/0

 Configurar R3 de manera que R1 no pueda probar conectividad con el comando ping. Esto incluye
las interfaces loopback o la interface que comunica con R2.

R4
ipv6 access-list TEST
deny icmp 2001:1:1:13::/64 any
permit ipv6 any any

interface FastEthernet0/0
ipv6 traffic-filter TEST in

R1#debug ipv6 icmp

ICMP Packet debugging is on

R1#ping 2001:1:1:13::3 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:1:1:13::3, timeout is 2 seconds:

ICMPv6: Sent echo request, Src=2001:1:1:13::1, Dst=2001:1:1:13::3

ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3.
Success rate is 0 percent (0/1)
R1#
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3
R1#
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3

R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 60/60/60 ms

81
2019 instructor.duoc@gmail.com
SRY

 El primer caso solo incluye la ipv6 de origen 2001:1:1:13::1 pero no incluye las demás interfaces.
Debemos hacer una configuración que incluya todas las IPv6 que pertenecen a R1.

R3
ipv6 access-list TEST
deny icmp 2001:1:1:13::/64 any
deny icmp 2000:1:1:0::/61 any
deny icmp 2001:1:1:12::/64 any
permit ipv6 any any

interface FastEthernet0/0
ipv6 traffic-filter TEST in

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
S
Success rate is 0 percent (0/1)
R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
S
Success rate is 0 percent (0/1)

R3#traceroute 2001:1:1:13::3
Type escape sequence to abort.
Tracing the route to 2001:1:1:13::3

1
*Sep 7 15:22:41.667: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:44.671: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:47.679: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
2
*Sep 7 15:22:50.683: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:53.691: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *

82
2019 instructor.duoc@gmail.com
SRY

Bloqueo de paquetes de un rango particular usando PBR (Falta Figura)

--------------------A12---------------- ------------------A0---------------- --------------------A34----------------

R1--------------------------------------R2--------------------------------------R3--------------------------------------R4
F0/0 10.1.12.0/24 F0/0 F0/1 10.1.23.0/24 F0/1 F0/0 10.1.34.0/24 F0/0

Setup: Cree el direccionamiento mostrado.

 Configure OSPF 1 de acuerdo a la siguiente tabla:
Router Inteface Prefijo Area
R1 FastEhternet 0/0 10.1.12.1/24 12
R1 Loopback 0 1.1.1.1/24 12
R2 FastEhternet 0/0 10.1.12.2/24 12
R2 Loopback 0 2.2.2.2/24 0
R2 FastEhternet 0/1 10.1.23.2/24 0
R3 FastEhternet 0/0 10.1.34.3/24 34
R3 Loopback 0 3.3.3.3/24 0
R3 FastEhternet 0/1 10.1.23.3/24 34
R4 FastEhternet 0/0 10.1.34.4/24 34
R4 Loopback 0 4.4.4.4/24 34

R1
router ospf 1
router-id 0.0.0.1

interface Loopback0
ip ospf 1 area 12

interface FastEthernet0/0
ip ospf 1 area 12

R2
router ospf 1
router-id 0.0.0.2

interface Loopback0
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf 1 area 12

interface FastEthernet0/1
ip ospf 1 area 0

83
2019 instructor.duoc@gmail.com
SRY

R3
router ospf 1
router-id 0.0.0.3

interface Loopback0
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf 1 area 34

interface FastEthernet0/1
ip ospf 1 area 0

R4
router ospf 1
router-id 0.0.0.4

interface Loopback0
ip ospf 1 area 34

interface FastEthernet0/0
ip ospf 1 area 34

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.3 1 FULL/DR 00:00:38 10.1.23.3 FastEthernet0/1
0.0.0.1 1 FULL/DR 00:00:39 10.1.12.1 FastEthernet0/0

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.2 1 FULL/BDR 00:00:34 10.1.23.2 FastEthernet0/1
0.0.0.4 1 FULL/DR 00:00:34 10.1.34.4 FastEthernet0/0

R1#sh ip route ospf

Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/2] via 10.1.12.2, 00:04:45, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/3] via 10.1.12.2, 00:01:22, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/4] via 10.1.12.2, 00:01:22, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA 10.1.23.0/24 [110/2] via 10.1.12.2, 00:01:22, FastEthernet0/0
O IA 10.1.34.0/24 [110/3] via 10.1.12.2, 00:01:22, FastEthernet0/0

84
2019 instructor.duoc@gmail.com
SRY

 Compruebe que todas las intefaces loopback0 tengan sus máscaras correctas.

R4#sh ip route ospf

Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/4] via 10.1.34.3, 00:00:01, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/3] via 10.1.34.3, 00:03:32, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/2] via 10.1.34.3, 00:05:13, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA 10.1.12.0/24 [110/3] via 10.1.34.3, 00:03:32, FastEthernet0/0
O IA 10.1.23.0/24 [110/2] via 10.1.34.3, 00:05:13, FastEthernet0/0

R1
interface Loopback0
ip ospf network point-to-point

R2
interface Loopback0
ip ospf network point-to-point

R3
interface Loopback0
ip ospf network point-to-point

R4
interface Loopback0
ip ospf network point-to-point

R4#sh ip route ospf

Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
O IA 1.1.1.0 [110/4] via 10.1.34.3, 00:00:09, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
O IA 2.2.2.0 [110/3] via 10.1.34.3, 00:00:09, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
O IA 3.3.3.0 [110/2] via 10.1.34.3, 00:00:09, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA 10.1.12.0/24 [110/3] via 10.1.34.3, 00:04:32, FastEthernet0/0
O IA 10.1.23.0/24 [110/2] via 10.1.34.3, 00:06:13, FastEthernet0/0

85
2019 instructor.duoc@gmail.com
SRY

 En R2 cree una política que bloquee los paquetes que reciba desde R3 que tengan un rango de
250-320 bytes y que tengan como destino el router R1.

R2
access-list 100 permit icmp any host 10.1.12.1
access-list 100 permit icmp any host 1.1.1.1

route-map RANGE-PACKET permit 10

match ip address 100
match length 250 320
set interface Null0

route-map RANGE-PACKET permit 20

interface FastEthernet0/1
ip policy route-map RANGE-PACKET

R2#sh route-map
route-map RANGE-PACKET, permit, sequence 10
Match clauses:
ip address (access-lists): 100
length 250 320
Set clauses:
interface Null0
Policy routing matches: 0 packets, 0 bytes
route-map RANGE-PACKET, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

R3#ping 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/48 ms

R3#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/68 ms

R3#ping 10.1.12.1 size 300

Type escape sequence to abort.
Sending 5, 300-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

86
2019 instructor.duoc@gmail.com
SRY

R3#ping 10.1.12.1 size 321

Type escape sequence to abort.
Sending 5, 321-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/59/64 ms

R3#ping 10.1.12.1 size 320

Type escape sequence to abort.
Sending 5, 320-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R3#ping 10.1.12.1 size 249

Type escape sequence to abort.
Sending 5, 249-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/58/68 ms

R3#ping 10.1.12.1 size 250

Type escape sequence to abort.
Sending 5, 250-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

R2#sh route-map
route-map RANGE-PACKET, permit, sequence 10
Match clauses:
ip address (access-lists): 100
length 250 320
Set clauses:
interface Null0
Policy routing matches: 15 packets, 4560 bytes
route-map RANGE-PACKET, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 15 packets, 3560 bytes

87
2019 instructor.duoc@gmail.com
SRY

 Habilite telnet en R4 utilizando el username admin contraseña class. No se permite el uso de AAA.
Compruebe que exista conectividad entre R1 y R4.

R4
username admin password class

line vty 0 4
login local

R1#telnet 4.4.4.4
Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:class
R4>
R4>exit

[Connection to 4.4.4.4 closed by foreign host]

R1#

 Configure una política que permita conexiones telnet a la dirección destino 4.4.4.4 siempre que el
origen sea la direccion 1.1.1.1. Esta tarea se debe realizar en el router R3.

R3
access-list 100 permit tcp host 1.1.1.1 host 4.4.4.4 eq 23

route-map R1-to-R4 permit 10

match ip address 100
set ip precedence immediate

route-map R1-to-R4 permit 20

set interface Null0

interface FastEthernet0/1
ip policy route-map R1-to-R4

R3#sh route-map
route-map R1-to-R4, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip precedence immediate
Policy routing matches: 0 packets, 0 bytes
route-map R1-to-R4, permit, sequence 20
Match clauses:
Set clauses:

88
2019 instructor.duoc@gmail.com
SRY

interface Null0
Policy routing matches: 0 packets, 0 bytes

R1#telnet 10.1.34.4
Trying 10.1.34.4 ...
% Destination unreachable; gateway or host down

R1#telnet 4.4.4.4
Trying 4.4.4.4 ...
% Destination unreachable; gateway or host down

R1#telnet 4.4.4.4 /source-interface loopback 0

Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:class
R4>

R3#sh route-map
route-map R1-to-R4, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip precedence immediate
Policy routing matches: 26 packets, 1446 bytes
route-map R1-to-R4, permit, sequence 20
Match clauses:
Set clauses:
interface Null0
Policy routing matches: 1 packets, 58 bytes

R4
access-list 111 permit ip host 1.1.1.1 host 4.4.4.4

R4#debug ip packet 111 detail

IP packet debugging is on (detailed) for access list 111

 Utilice otra solución para el mismo caso anterior.

89
2019 instructor.duoc@gmail.com
SRY

Filtrado utilizando MQC (Modular Quality of Service).

------------------------------------ ---------------------EIGRP 1----------------------------------------------------------

R1--------------------------------------R2--------------------------------------R3--------------------------------------R4
F0/0 10.1.12.0/24 F0/0 F0/1 10.1.23.0/24 F0/1 F0/0 10.1.34.0/24 F0/0

Cree el direccionamiento mostrado

 Configure EIGRP 1 y publique las interfaces loopback0 de todos los routers del dominio.

R1
router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.12.0 0.0.0.255
eigrp router-id 1.1.1.1

R2
router eigrp 1
network 2.2.2.0 0.0.0.255
network 10.1.12.0 0.0.0.255
network 10.1.23.0 0.0.0.255

R3
router eigrp 1
network 3.3.3.0 0.0.0.255
network 10.1.23.0 0.0.0.255
network 10.1.34.0 0.0.0.255
eigrp router-id 3.3.3.3

R4
router eigrp 1
network 4.4.4.0 0.0.0.255
network 10.1.34.0 0.0.0.255

R3#sh ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.34.4 Fa0/0 12 00:12:25 56 336 0 4
0 10.1.23.2 Fa0/1 13 00:13:15 34 204 0 12

R2#sh ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 10 00:13:31 31 186 0 9
0 10.1.12.1 Fa0/0 10 00:14:05 544 3264 0 7

90
2019 instructor.duoc@gmail.com
SRY

R1#sh ip route eigrp

Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 10.1.12.2, 00:14:14, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/158720] via 10.1.12.2, 00:13:27, FastEthernet0/0
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/161280] via 10.1.12.2, 00:12:45, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:14:08, FastEthernet0/0
D 10.1.34.0/24 [90/33280] via 10.1.12.2, 00:13:39, FastEthernet0/0

R4#sh ip route eigrp

Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/161280] via 10.1.34.3, 00:13:11, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/158720] via 10.1.34.3, 00:13:11, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/156160] via 10.1.34.3, 00:13:11, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.1.12.0/24 [90/33280] via 10.1.34.3, 00:13:11, FastEthernet0/0
D 10.1.23.0/24 [90/30720] via 10.1.34.3, 00:13:11, FastEthernet0/0

R4#traceroute 1.1.1.1 source 4.4.4.4 probe 1

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.34.3 16 msec
2 10.1.23.2 16 msec
3 10.1.12.1 24 msec

 Confugure Telnet en el router R4. Utilice la base de datos local con las siguientes credenciales:
- User: admin
- Password: class
 Para el acceso al modo privilegiado utilice la contraseña cisco.

R4
username admin password class
enable secret cisco

line vty 0 4
login local

91
2019 instructor.duoc@gmail.com
SRY

R1#telnet
Host: 4.4.4.4
Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:class

R4>enable
Password:cisco
R4#

R4#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 admin idle 00:00:49 10.1.12.1
Interface User Mode Idle Peer Address

R4#exit
[Connection to 4.4.4.4 closed by foreign host]
R1#

R1#telnet 4.4.4.4 /source-interface loopback 0

Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:class
R4>enable
Password:cisco
R4#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:41
* 2 vty 0 admin idle 00:00:00 1.1.1.1
Interface User Mode Idle Peer Address

92
2019 instructor.duoc@gmail.com
SRY

 En R1 los paquetes que tengan destino R4 (4.4.4.4) para el puerto 23 deben ser marcados con IP
precedencia de 1.

R1
ip access-list extended IPP
permit tcp any host 4.4.4.4 eq telnet

class-map match-all TELNET

match access-group name IPP

policy-map QOS
class TELNET
set ip precedence 1

interface FastEthernet0/0
service-policy output QOS

R1#sh class-map
Class Map match-all TELNET (id 1)
Match access-group name IPP
Class Map match-any class-default (id 0)
Match any

R1#sh policy-map QOS

Policy Map QOS
Class TELNET
set ip precedence 1

R1#clear counters fastEthernet 0/0

Clear "show interface" counters on this interface [confirm]

R1#sh policy-map interface fastEthernet 0/0

FastEthernet0/0
Service-policy output: QOS
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPP
QoS Set
precedence 1
Packets marked 0

Class-map: class-default (match-any)

0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

93
2019 instructor.duoc@gmail.com
SRY

R1#telnet 10.1.34.4
Trying 10.1.34.4 ... Open
User Access Verification
Username: admin
Password:class
R4>exit

[Connection to 10.1.34.4 closed by foreign host]

R1#sh policy-map interface fastEthernet 0/0
FastEthernet0/0
Service-policy output: QOS
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPP
QoS Set
precedence 1
Packets marked 0

Class-map: class-default (match-any)

35 packets, 2134 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

R1#telnet 4.4.4.4
Trying 4.4.4.4 ... Open
User Access Verification
Username: admin
Password:
R4>exit
[Connection to 4.4.4.4 closed by foreign host]

R1#sh policy-map interface fastEthernet 0/0

FastEthernet0/0
Service-policy output: QOS
Class-map: TELNET (match-all)
33 packets, 1986 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPP
QoS Set
precedence 1
Packets marked 33
Class-map: class-default (match-any)
57 packets, 3939 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

94
2019 instructor.duoc@gmail.com
SRY

 Modifique la ACL de manera que solo se permitan sesión TELNET siempre que el origen sea la
interface loopback0 de R1 (1.1.1.1).

 Configure R3 de manera que bloquee todos los paquetes que estén marcados con nivel de
precedencia 1.

R3
class-map match-all BLK-IPP
match ip precedence 1

policy-map IPP
class BLK-IPP
drop

interface FastEthernet0/1
service-policy input IPP

R1#telnet 4.4.4.4
Trying 4.4.4.4 ...
% Connection timed out; remote host not responding

R1#telnet 10.1.34.4
Trying 10.1.34.4 ... Open
User Access Verification
Username: admin
Password:class
R4>exit

[Connection to 10.1.34.4 closed by foreign host]

R3#sh policy-map interface fastEthernet 0/1

FastEthernet0/1
Service-policy input: IPP
Class-map: BLK-IPP (match-all)
2 packets, 116 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 1
drop

Class-map: class-default (match-any)

52 packets, 3256 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

R3#clear counters fastEthernet 0/1

Clear "show interface" counters on this interface [confirm]
R3#
*Jan 14 17:21:02.455: %CLEAR-5-COUNTERS: Clear counter on interface FastEthernet0/1 by console

95
2019 instructor.duoc@gmail.com
SRY

R3#sh policy-map interface fastEthernet 0/1

FastEthernet0/1
Service-policy input: IPP
Class-map: BLK-IPP (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 1
drop
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

96
2019 instructor.duoc@gmail.com
SRY

NTP Network Time Protocol

Nota: NTP tiene como meta sincronizar el tiempo para distintos de red, esto permite que cuando ocurren
eventos que generan mensajes puedan posteriormente ser interpretados coherentemente utilizando el
tiempo como referencia. La idea es mantener el orden de los syslog que se generan.

 Configure el direccionamiento mostrado.

 Configure EIGRP 1 en todos los routers y publique sus interfaces directamente conectadas.
 En R2 establecer hora.

R1
interface Loopback0
ip address 10.1.1.1 255.255.255.255

interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0
duplex full
no shutdown

R2
interface Loopback0
ip address 10.2.2.2 255.255.255.255

interface fastethernet0/0
ip address 10.1.12.2 255.255.255.0
full-duplex
no shutdown

interface fastethernet0/1
ip address 10.1.23.2 255.255.255.0
full-duplex
no shutdown

R3
interface Loopback0
ip address 10.3.3.3 255.255.255.255
97
2019 instructor.duoc@gmail.com
SRY

interface fastethernet0/1
ip address 10.1.23.3 255.255.255.0
full-duplex
no shutdown

R1
router eigrp 1
network 10.0.0.0
no auto-summary

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 10.0.0.0
no auto-summary

R1#sh ip route eigrp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:20:55, FastEthernet0/0
D 10.2.2.2/32 [90/156160] via 10.1.12.2, 00:20:55, FastEthernet0/0
D 10.3.3.3/32 [90/158720] via 10.1.12.2, 00:20:53, FastEthernet0/0

R3#sh ip route eigrp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D 10.1.1.1/32 [90/158720] via 10.1.23.2, 00:21:12, FastEthernet0/1
D 10.1.12.0/24 [90/30720] via 10.1.23.2, 00:21:12, FastEthernet0/1
D 10.2.2.2/32 [90/156160] via 10.1.23.2, 00:21:12, FastEthernet0/1
98
2019 instructor.duoc@gmail.com
SRY

R2#show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 13 00:20:42 88 528 0 3
0 10.1.12.1 Fa0/0 13 00:20:43 100 600 0 4

R2
clock set 14:00:00 11 sep 2012

*Sep 11 14:00:00.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:01:13 UTC Tue
Sep 11 2012 to 14:00:00 UTC Tue Sep 11 2012, configured from console by console.

R2#show clock
14:00:33.759 UTC Tue Sep 11 2012

 Configure R2 como NTP server y con stratum 3. Se utiliza cuando no tenemos un reloj externo
para sicronizar el tiempo. Stratum 1 corresponde a la fuente mas fiable.
Stratum (Nivel) Significado
0 No disponible
1 Referencia primaria (reloj atómico)
2 - 15 Referencia secundaria
16 - 255 Reservado

R2
ntp master 2

R2#show ntp status

Clock is synchronized, stratum 2, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 23600 (1/100 of seconds), resolution is 4000
reference time is D3F9D6FB.8F49329F (15:27:55.559 UTC Tue Sep 11 2012)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.40 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 12 sec ago.

 Configurar R1 y R3 para que sincronicen sus relojes en base al reloj de R2 (Master). Utilice
loopback0 como source NTP server.
Nota: el proceso no es instantaneo. Paciencia.

R2#show clock
15:16:06.267 UTC Tue Sep 11 2012

99
2019 instructor.duoc@gmail.com
SRY

R1#show clock
*15:17:27.323 UTC Tue Sep 11 2012

R3#show clock
*15:17:40.335 UTC Tue Sep 11 2012

R2
ntp source Loopback0

R1
ntp server 10.2.2.2

R3
ntp server 10.2.2.2

R1#show ntp status

Clock is synchronized, stratum 3, reference is 10.2.2.2
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 18100 (1/100 of seconds), resolution is 4000
reference time is D3F9D6A7.750BC533 (15:26:31.457 UTC Tue Sep 11 2012)
clock offset is -13.4497 msec, root delay is 31.94 msec
root dispersion is 93.03 msec, peer dispersion is 1.01 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000051 s/s
system poll interval is 64, last update was 114 sec ago.

R3#show ntp status

Clock is synchronized, stratum 3, reference is 10.2.2.2
nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**18
ntp uptime is 56200 (1/100 of seconds), resolution is 4000
reference time is D3F9D6F4.D8C50842 (15:27:48.846 UTC Tue Sep 11 2012)
clock offset is -34.9918 msec, root delay is 72.19 msec
root dispersion is 46.74 msec, peer dispersion is 0.73 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000625 s/s
system poll interval is 64, last update was 60 sec ago.

100
2019 instructor.duoc@gmail.com
SRY

Authentication Radius

 Configurar Server Radius (WinRadius) para que los usuarios que accedan a R3 se autentifiquen en
función de la base de datos del server, en caso de que el server este down utilizar no debe pedir
autenticación.
 En la WinRadius ir al menú Operation→Add User el usuario nadmin password nico

Nota: La instalación del server Radius se puede realizar de acuerdo al Lab Manual CCNAS.

R1#ping 100.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/31/104 ms

101
2019 instructor.duoc@gmail.com
SRY

R1
username admin password cisco

aaa new-model
aaa authentication login default group radius none
radius-server host 100.1.1.3 auth-port 1812 key WinRadius

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Username: nadmin
Password:nico

102
2019 instructor.duoc@gmail.com
SRY

Autenticación utilizando ACS /Tacacs+

 Configurar ACS Server

 Crear el grupo Administrador en el ACS Server que tenga nivel de privilegio 15
 Crear el grupo NOC en el ACS Server que tenga nivel de privilegio 1
 Crear el grupo Invitado en el ACS Server que tenga nivel de privilegio 0

La configuración de Tacacs+ involucra dos dispositivos, el cliente (Router, Firewall, etc…) y el ACS Server.
Este último puede ser un appliance, o sencillamente un PC con la aplicación ACS.
Primero configuraremos el ACS Server.
Nota: El ejemplo presentando está enfocado en el Grupo Administrador, los otros grupos los debe crear el
alumno.

103
2019 instructor.duoc@gmail.com
SRY

Creación de Grupos
- Entramos al ACS y seleccionamos Group Setup.

- Seleccionamos un grupo de cualquiera, por ejemplo el group 3 y seleccionamos Rename Group,

esto nos permite utilizar un nombre más representativo.

- Modificamos el nombre para este grupo de Group 3 a Administrador y cliqueamos Submit para
que los cambios sean efectivos.

104
2019 instructor.duoc@gmail.com
SRY

Podemos ver en la siguiente figura que en Group Setup ahora podemos seleccionar el grupo
Administrador en el menú desplegable, esto nos permite tener nombres representativos. Debemos
proceder de la misma forma para los grupos NOC e Invitado.

105
2019 instructor.duoc@gmail.com
SRY

Configuración de server AAA

Finalmente debemos definir el Server AAA.
- Usamos Add Entry en AAA Server como muestra la figura.

- Completamos los valores mostrados en la figura. El nombre del server (aleatorio), la dirección ip
donde se del Server, una key y el AAA Server Type seleccionamos TACACS+. Finalmente hacemos
los cambios efectivos con Submit + Apply

106
2019 instructor.duoc@gmail.com
SRY

- En Group Setup seleccionamos Edit Settings.

Esto nos lleva a Group Settings : Administrador.

- Seleccionamos TACACS + en la sección Jump to. Esto nos permite acceder de inmediato a la
configuración relativa a Tacacs+.

107
2019 instructor.duoc@gmail.com
SRY

- Seleccionamos Shell (exec),

- Seleccionamos campo Privilege Level y le asignamos valor 15 (máximos privilegios) y aplicamos los
cambios con Submit + Restart

108
2019 instructor.duoc@gmail.com
SRY

Creación de Usuarios
En este momento podemos crear los usuarios dentro del ACS; esto es análogo a cuando utilizamos el
comando username ….. (DB Local).
- Seleccionamos User Setup para crear al usuario.

- Creamos al usuario jadmin (este nombre lo asignamos nosotros, puede ser un nombre cualquiera)
y seleccionamos Add/Edit.

- Agregamos nombre real y descripción.

109
2019 instructor.duoc@gmail.com
SRY

110
2019 instructor.duoc@gmail.com
SRY

- En el campo User Setup (mas abajo) definimos la password que empleará el usuario jadmin para
loguearse en el router. En nuestro caso seleccionamos la password lucho. Además seleccionamos
el grupo al que pertenece el usuario jadmin, en nuestro caso el grupo se llama Administrador (ya
lo hemos definido) y cliqueamos Submit.

Configuración de cliente AAA

Nuestro cliente para este ejercicio corresponde a Router2 (R2). Debemos identificarlo en el ACS Server.

- Seleccionamos Network Configuration

111
2019 instructor.duoc@gmail.com
SRY

- Agregamos el cliente con Add Entry.

Llenamos los campos como sigue:

: hostname del router. En nuestro caso se trata de R2
AAA IP address: 10.2.2.2. Este valor corresponde a la loopback0 de R2 por lo tanto debemos tener
conectividad con R2. Después veremos
Key: key que asignamos luego en R2.
Using Authentication: TACACS + (Cisco IOS)
Aplicamos los cambios cliqueando Submit Apply al final del todo.

112
2019 instructor.duoc@gmail.com
SRY

Configuración Router
Para configurar los cliente debemos tener algún IGP y conectividad entre el cliente AAA y el Server. En el
ejemplo actual el server se encuentra en la subred 100.1.1.0/24.
Lo primero es probar si tenemos accesos a nivel de Red.

R1
router rip
version 2
network 0.0.0.0
no auto-summary

R2
router rip
version 2
network 0.0.0.0
no auto-summary

R3
router rip
version 2
network 0.0.0.0
no auto-summary

R2#ping 100.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/112 ms

Y desde el Server hacia R2

113
2019 instructor.duoc@gmail.com
SRY

 Configuración AAA en cliente R2

R2
aaa new-model
aaa authentication login default group tacacs+ enable none
ip tacacs source-interface loopback 0
tacacs-server host 100.1.1.3 key ccnas

R2#test aaa group tacacs+ jadmin lucho legacy

Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

 Finalmente hacemos las pruebas finales accediendo a R2 desde R1 por ejemplo.

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

Username: jadmin
Password: lucho

R2>

R2>?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
emm Run a configured Menu System
enable Turn on privileged commands
ethernet Ethernet parameters
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
mrinfo Request neighbor and version information from a multicast
router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
pad Open a X.29 PAD connection
114
2019 instructor.duoc@gmail.com
SRY

ping Send echo messages

ppp Start IETF Point-to-Point Protocol (PPP)
release Release a resource
renew Renew a resource
resume Resume an active network connection
rlogin Open an rlogin connection
set Set system parameter (not config)
show Show running system information
slip Start Serial-line IP (SLIP)
ssh Open a secure shell client connection
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
tdm TDM
telnet Open a telnet connection
terminal Set terminal line parameters
tn3270 Open a tn3270 connection
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
webvpn WebVPN exec command
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD

115
2019 instructor.duoc@gmail.com
SRY

CBAC

CBAC inspecciona los flujos de tráfico entre zonas de confianza y zonas inseguras, permite el tráfico
desde una zona insegura a una zona de confianza siempre que ese flujo se haya iniciado en la zona de
confianza.

Setup: Configure direccionamiento mostrado Configure RIPv2 para que exista NLRI extremo/extremo.

 Configure R1 para que permita el tráfico TCP, UDP, ICMP iniciado desde la red INSIDE a la red
OUTSIDE. Desde la red OUTSIDE se permite trafico ICMP y Telnet siempre que el destino sea la IP
10.1.123.3/24 (R3). El resto del tráfico desde la red OUTSIDE debe ser denegado.

Nota: Tenemos que definir dos políticas para este escenario:

- INSIDE → OUTSIDE
- OUTSIDE → INSIDE

R1 Estos comandos le dicen al IOS que inspeccione el tráfico TCP, UDP e ICMP.
ip inspect name OUT tcp CBAC no monitorea lo que sucede en el instante sobre la conexión, si es
ip inspect name OUT udp requerido, una inspección específica para una aplicación dada puede ser
ip inspect name OUT icmp configurada, una vez configurada toma prescedencia sobre la inspección
genérica TCP o UDP.

access-list 100 permit ip 10.1.123.0 0.0.0.255 any Las ACLs permiten cualquier tráfico desde la red 10.1.123.0/24
a cualquier red, también permite que RIPv2 opere.
access-list 100 permit udp any any eq rip

interface FastEthernet0/0
description **INTERFACE INSIDE**
116
2019 instructor.duoc@gmail.com
SRY

ip inspect OUT in
ip access-group 100 in

- Puesto que solo se permite el tráfico Telnet e ICMP desde la red insegura debemos identificarlo
con otra ACL.

R1
access-list 101 permit icmp any host 10.1.123.3
access-list 101 permit tcp any host 10.1.123.3 eq telnet
access-list 101 permit udp any any eq 520

interface FastEthernet0/1
description **INTERFACE OUTSIDE**
ip access-group 101 in

 Configure telnet en R3. Cree usuario admin password class. El usuario necesite acceder a R3 a
través de telnet debe loguearse utilizando la base de datos local. Use password cisco para acceder
a modo privilegiado.

R3
username admin password class

enable secret cisco

aaa new-model
aaa authentication login TELNET local

line vty 0 4
login authentication TELNET

- Pruebas CBAC. Desde R2 a R4 acceder por telnet. Comprobar que existe inspección utilizando el
comando sh ip inspect con argumento necesario.
- R4 debe poder acceder remotamente a R3 usando telnet y comprobar conectividad utilizando
ping.

117
2019 instructor.duoc@gmail.com
SRY

Zone Based Firewall I

Setup: Configure direccionamiento mostrado Configure RIPv2 para que exista NLRI extremo/extremo.
Verificar utilizando la tabla de enrutamiento y comprobar cada red creada.

 Configure R1 con las siguientes políticas:

- Permitir todo el tráfico TCP, UDP e ICMP siempre que sea iniciado desde la red INSIDE a la
DMZ y la red OUTSIDE. El tráfico que no sea iniciado desde la red INSIDE debe ser
denegado.
- Permitir solo el tráfico ICMP y HTTP iniciado desde la red OUTSIDE a la DMZ.

R1
router rip
version 2
network 10.0.0.0
network 200.1.1.0
no au

R2
router rip
version 2
network 10.0.0.0
no au

R3
router rip
version 2
network 200.1.1.0
no au

118
2019 instructor.duoc@gmail.com
SRY

119
2019 instructor.duoc@gmail.com
SRY

R4
router rip
version 2
network 10.0.0.0
no au

R3#sh ip route rip

10.0.0.0/24 is subnetted, 4 subnets
R 10.1.14.0 [120/1] via 200.1.1.1, 00:00:07, Serial1/0
R 10.1.12.0 [120/1] via 200.1.1.1, 00:00:07, Serial1/0
R 10.4.4.0 [120/2] via 200.1.1.1, 00:00:07, Serial1/0
R 10.2.2.0 [120/2] via 200.1.1.1, 00:00:07, Serial1/0

1. En R1 definimos elo tráfico interesante utilizando el class-map desde la INSIDE a la OUTSIDE.

R1
class-map type inspect match-any CM-INSIDE
match protocol tcp
match protocol udp
match protocol icmp

class-map type inspect match-any CM-OUTSIDE

match protocol http
match protocol icmp

2. Este segundo paso nos permite determinar que hacer con el tráfico interesante que definimos con
el class-map (permitirlo, inspeccionarlo, descartarlo, entre otras opciones). En R1 aplicamos las
políticas respetando la dirección de cada una de ellas. INSIDE→OUTSIDE, INSIDE→DMZ,
OUTSIDE→DMZ.

R1
policy-map type inspect PM-INSIDE-TO-OUTSIDE
class type inspect CM-INSIDE
inspect

policy-map type inspect PM-INSIDE-TO-DMZ

class type inspect CM-INSIDE
inspect

policy-map type inspect PM-OUTSIDE-TO-DMZ

class type inspect CM-OUTSIDE
inspect

120
2019 instructor.duoc@gmail.com
SRY

3. Definimos las zonas de seguridad INSIDE, OUTSIDE y DMZ. En este caso se han asignado los
nombres de las zonas en minúsculas salvo la DMZ.

R1
zone security inside
zone security outside
zone security DMZ

4. En este paso asignamos las zonas a las interfaces apropiadas. Recordar que los nombres fueron
asignados con minúsculas.

R1
interface FastEthernet0/0
zone-member security inside

interface Serial1/0
zone-member security outside

interface FastEthernet0/1
zone-member security DMZ

5. El último paso consiste en asociar políticas entre zonas (zone-pair). Que en pocas palabras define
direccionalidad del tráfico.

R1
zone-pair security Z-IO source inside destination outside
service-policy type inspect PM-INSIDE-TO-OUTSIDE

zone-pair security Z-ID source inside destination DMZ

service-policy type inspect PM-INSIDE-TO-DMZ

zone-pair security Z-OD source outside destination DMZ

service-policy type inspect PM-OUTSIDE-TO-DMZ

121
2019 instructor.duoc@gmail.com
SRY

 Pruebas ICMP
- Ping desde R2 (INSIDE) a R4 (DMZ)→OK
- Ping desde R2 (INSIDE) a R3 (OUTSIDE)→OK
- Ping desde R3 (OUTSIDE) a R2 (INSIDE)→FAIL
- Ping desde R3 (OUTSIDE) a R4 (DMZ)→OK

R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/68/84 ms

R2#ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/67/92 ms
R3#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/66/92 ms

R1#show policy-map type inspect zone-pair Z-ID

Zone-pair: Z-ID

Service-policy inspect : PM-INSIDE-TO-DMZ

Class-map: CM-INSIDE (match-any)

Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:10]

122
2019 instructor.duoc@gmail.com
SRY

Session creations since subsystem startup or last reset 1

Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:06:44
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0

Class-map: class-default (match-any)

Match: any
Drop (default action)
0 packets, 0 bytes

 Pruebas TCP utilizando Telnet (habilitar telnet en todos los routers de la topología).
- Telnet desde R2 (INSIDE) a R4 (DMZ)→OK
- Telnet desde R2 (INSIDE) a R3 (OUTSIDE)→OK
- Telnet desde R3 (OUTSIDE) a R2 (INSIDE)→FAIL
- HTTP desde R3 (OUTSIDE) a R4 (DMZ)→OK

R1#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
R4>

R1#telnet 200.1.1.3
Trying 200.1.1.3 ... Open
R3>

R3#telnet 10.1.12.2
Trying 10.1.12.2 ...
% Connection timed out; remote host not responding

- Para poder testear la conección HTTP debe habilitar a R4 como server para HTTP. A pesar de que
NO obtendremos acceso a través de telnet, si existe un servicio abierto (Open) que corresponde a
HTTP. La salida que nos entrega el comando show policy-map type inspect zone-pair Z-OD nos
muestra este comportamiento.
R4
ip http server

R3#telnet 10.1.14.4 80
Trying 10.1.14.4, 80 ... Open

R1#show policy-map type inspect zone-pair Z-OD

Zone-pair: Z-OD

Service-policy inspect : PM-OUTSIDE-TO-DMZ

123
2019 instructor.duoc@gmail.com
SRY

Class-map: CM-OUTSIDE (match-any)

Match: protocol http
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:11]
icmp packets: [0:10]

Session creations since subsystem startup or last reset 2

Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:04:36
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0

Class-map: class-default (match-any)

Match: any
Drop (default action)
4 packets, 96 bytes

124
2019 instructor.duoc@gmail.com
SRY

Zone Based Firewall II

Nota: Utilizar Plataforma 3725

Setup: Cree el direccionamiento mostrado. Configure EIGRP 1 para lograr conectividad extremo a
extremo. Desactive sumarización automática. Habilite telnet en R4 y R3. Habilite SSH v1.9 en R2 y R5
(genere valores y usuarios arbitrariamente).

 Configure R1 con ZPF utilizando las siguientes políticas:

- Permitir todo el tráfico TCP, UDP e ICMP siempre que sea iniciado desde la red INSIDE a la
DMZ y desde la INSIDE a la red OUTSIDE. El tráfico que no sea iniciado desde la red INSIDE
debe ser denegado.
- Habilite a R1 para que envíe mensajes de log INSPECT a la consola y al servidor syslog (ip
inspect log drop-pkt).
- R3 debe acceder a la zona INSIDE utilizando SSH.

125
2019 instructor.duoc@gmail.com
SRY

SETUP: EIGRP 1, SHHv2

R1
router eigrp 1
network 10.0.0.0
network 200.1.1.0
no auto-summary

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 200.1.1.0
no auto-summary

R4
router eigrp 1
network 10.0.0.0
no auto-summary

R5
router eigrp 1
network 10.0.0.0
no auto-summary

R1#show ip eigrp neighbors

IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 10.1.15.5 Fa2/0 12 00:00:44 112 672 0 4
2 10.1.14.4 Fa0/1 14 00:00:51 113 678 0 3
1 200.1.1.3 Se1/0 11 00:00:59 77 462 0 3
0 10.1.12.2 Fa0/0 12 00:01:04 108 648 0 3

R2
enable secret cisco
username admin password cisco
ip domain-name duoc.cl
crypto key generate rsa usage-keys

aaa new-model
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport output ssh

126
2019 instructor.duoc@gmail.com
SRY

R2
enable secret cisco
username admin password cisco
ip domain-name duoc.cl
crypto key generate rsa usage-keys

aaa new-model
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport output ssh

1. En R1 definimos elo tráfico interesante utilizando el class-map desde la INSIDE a la OUTSIDE.

R1
class-map type inspect match-any CM-INSIDE
match protocol tcp
match protocol udp
match protocol icmp

class-map type inspect match-any CM-OUTSIDE

match protocol ssh

2. Este segundo paso nos permite determinar que hacer con el tráfico interesante que definimos con
el class-map (permitirlo, inspeccionarlo, descartarlo, entre otras opciones). En R1 aplicamos las
políticas respetando la dirección de cada una de ellas. INSIDE→OUTSIDE, INSIDE→DMZ,
OUTSIDE→DMZ.

R1
policy-map type inspect PM-INSIDE-TO-OUTSIDE
class type inspect CM-INSIDE
inspect

policy-map type inspect PM-INSIDE-TO-DMZ

class type inspect CM-INSIDE
inspect

policy-map type inspect PM-OUTSIDE-TO-INSIDE

class type inspect CM-OUTSIDE
inspect

127
2019 instructor.duoc@gmail.com
SRY

3. Definimos las zonas de seguridad INSIDE, OUTSIDE y DMZ. En este caso se han asignado los
nombres de las zonas en minúsculas salvo la DMZ.

R1
zone security inside
zone security outside
zone security DMZ

4. En este paso asignamos las zonas a las interfaces apropiadas. Recordar que los nombres fueron
asignados con minúsculas.

R1
interface FastEthernet0/0
zone-member security inside

interface FastEthernet2/0
zone-member security inside

interface Serial1/0
zone-member security outside

interface FastEthernet0/1
zone-member security DMZ

5. El último paso consiste en asociar políticas entre zonas (zone-pair). Que en pocas palabras define
direccionamiento del tráfico.

R1
zone-pair security Z-IO source inside destination outside
service-policy type inspect PM-INSIDE-TO-OUTSIDE

zone-pair security Z-ID source inside destination DMZ

service-policy type inspect PM-INSIDE-TO-DMZ

zone-pair security Z-OD source outside destination inside

service-policy type inspect PM-OUTSIDE-TO-INSIDE

ip inspect log drop-pkt

128
2019 instructor.duoc@gmail.com
SRY

 Pruebas ICMP
- Ping desde R2 (INSIDE) a R4 (DMZ)→OK
- Ping desde R5 (INSIDE) a R4 (DMZ)→OK
- Ping desde R2 (INSIDE) a R3 (OUTSIDE)→OK
- Ping desde R3 (OUTSIDE) a R2 (INSIDE)→FAIL
- Ping desde R3 (OUTSIDE) a R5 (INSIDE)→FAIL

R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/92 ms

R5#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/68/92 ms

R2#ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/65/84 ms

R3#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 10.1.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.15.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
%FW-6-DROP_PKT: Dropping icmp session 200.1.1.3:0 10.1.15.5:0 on zone-pair Z-OD class class-default
due to policy match failure with ip ident 30

- Prueba SSH OUTSIDE→INSIDE

R3#ssh -l admin -c 3des 10.2.2.2

Password:cisco

129
2019 instructor.duoc@gmail.com
SRY

R2>enable
Password:cisco
R2#exit

R1#
%FW-6-DROP_PKT: Dropping Other session 200.1.1.3:50226 10.2.2.2:22 due to Stray Segment with ip
ident 37207 tcpflags 0x5004 seq.no 3158919498 ack 0

130
2019 instructor.duoc@gmail.com
SRY

Zone Based Firewall III

Nota: Utilizar Plataforma 3725

Setup: Cree el direccionamiento mostrado. Configure EIGRP 1 para lograr conectividad extremo a
extremo. Desactive sumarización automática. En todos los routers debemos acceder via telnet usando la
pasword cisco del modo privilegiado.

 Configure R1 con ZPF utilizando las siguientes políticas:

- Los routers de la zona INSIDE deben acceder a R3 (OUTSIDE) vía telnet utilizando sus
loopback0 como origen.(R2→10.2.2.2/32 y R5→ 10.5.5.5). No configurar R3 para esta
regla.
- Se permite solo el tráfico TFTP desde la zona OUTSIDE a la INSIDE. Enviar la configuración
completa al servidor TFTP que muestra la figura.
- Habilite NMAP para R1 y verifique puertos habilitados/deshabilitados.

R1
router eigrp 1
network 10.0.0.0
network 200.1.1.0
no auto-summary

131
2019 instructor.duoc@gmail.com
SRY

R2
router eigrp 1
network 10.0.0.0
no auto-summary
R3
router eigrp 1
network 10.0.0.0
network 200.1.1.0
no auto-summary

R4
router eigrp 1
network 10.0.0.0
no auto-summary

R5
router eigrp 1
network 10.0.0.0
network 100.0.0.0
no auto-summary

R1#show ip eigrp neighbors

IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 10.1.15.5 Fa2/0 14 00:18:00 92 552 0 7
2 10.1.14.4 Fa0/1 14 00:18:14 135 810 0 6
1 200.1.1.3 Se1/0 11 00:18:18 113 678 0 7
0 10.1.12.2 Fa0/0 14 00:18:26 94 564 0 7

R1#sh ip route eigrp

100.0.0.0/24 is subnetted, 1 subnets
D 100.1.1.0 [90/284160] via 10.1.15.5, 00:19:07, FastEthernet2/0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.4.4.0/24 [90/409600] via 10.1.14.4, 00:19:20, FastEthernet0/1
D 10.2.2.0/24 [90/409600] via 10.1.12.2, 00:19:32, FastEthernet0/0
D 10.5.5.5/32 [90/156160] via 10.1.15.5, 00:00:28, FastEthernet2/0

R1
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R2
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

132
2019 instructor.duoc@gmail.com
SRY

line vty 0 4
login authentication TELNET

R3
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R4
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R5
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R5#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:cisco

R1>enable
Password:cisco

- Los routers de la zona INSIDE deben acceder a R3 (OUTSIDE) vía telnet. Ut

R1
access-list 100 permit ip host 10.2.2.2 any
access-list 100 permit ip host 10.5.5.5 any

class-map type inspect match-all CM-INSIDE

match protocol telnet
match access-group 100

class-map type inspect match-any CM-DMZ

match protocol tftp

133
2019 instructor.duoc@gmail.com
SRY

1. Este segundo paso nos permite determinar que hacer con el tráfico interesante que definimos con
el class-map (permitirlo, inspeccionarlo, descartarlo, entre otras opciones). En R1 aplicamos 2
políticas: INSIDE→OUTSIDE, DMZ→INSIDE.

R1
policy-map type inspect PM-INSIDE-TO-OUTSIDE
class type inspect CM-INSIDE
inspect

policy-map type inspect PM-DMZ-TO-INSIDE

class type inspect CM-DMZ
inspect

2. Definimos las zonas de seguridad INSIDE, OUTSIDE y DMZ. En este caso se han asignado los
nombres de las zonas en minúsculas salvo la DMZ.

R1
zone security inside
zone security outside
zone security DMZ

3. En este paso asignamos las zonas a las interfaces apropiadas. Recordar que los nombres fueron
asignados con minúsculas.

R1
interface FastEthernet0/0
zone-member security inside

interface FastEthernet2/0
zone-member security inside

interface Serial1/0
zone-member security outside

interface FastEthernet0/1
zone-member security DMZ

134
2019 instructor.duoc@gmail.com
SRY

4. El último paso consiste en asociar políticas entre zonas (zone-pair). Que en pocas palabras define
direccionalidad del tráfico.

R1
zone-pair security Z-IO source inside destination outside
service-policy type inspect PM-INSIDE-TO-OUTSIDE

zone-pair security Z-DI source DMZ destination inside

service-policy type inspect PM-DMZ-TO-INSIDE

ip inspect log drop-pkt

ip inspect audit-trail

Pruebas Syslog

R1
logging on
logging origin-id hostname
logging source-interface loopback0
logging 100.1.1.11
logging trap debugging

135
2019 instructor.duoc@gmail.com
SRY

DHCP one Way

 En R2 configure el direccionamiento mostrado.

 En R2 configure el pool DHCP. Los parámetros DHCP que debe entregar al ciente R1 debe ser:
- DNS server: 4.4.4.4
- Direccion IPv4:
- DG: 10.1.1.2
- Dominio: tilt.org
- Red: 10.1.1.0/24

 Capture tráfico utilizando Wireshark en inteface Fastethrnet0/0 de R1

 Configure R1 como cliente DHCP.
 Verifique la negociaón DHCP cliente servidor.

R2
ip dhcp excluded-address 10.1.1.1 10.1.1.9

ip dhcp pool TST

network 10.1.1.0 255.255.255.0
default-router 10.1.1.2
dns-server 4.4.4.4
domain-name tilt.org

interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut

R1
interface fastEthernet 0/0
ip address dhcp
no shutdown

136
2019 instructor.duoc@gmail.com
SRY

%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.10, mask

255.255.255.0, hostname R1

R1#show ip interface brief fastEthernet 0/0

Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.10 YES DHCP up up

R2#show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
10.1.1.10 0063.6973.636f.2d63. May 03 2016 12:38 PM Automatic Active FastEthernet0/0
6130.312e.3165.3330.
2e30.3030.382d.4661.
302f.30

R2#show ip dhcp pool

Pool TST :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) :0/0
Total addresses : 254
Leased addresses :1
Excluded addresses :9
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.1.1.11 10.1.1.1 - 10.1.1.254 1 / 9 / 254

 Después que R1 haya obtenidos su parámetros de red finalice la captura.

 ¿Que filtro de visualización debemos utiizar para ver solo tráfico DHCP?
 Indique los campos mas relevantes del servicio DHCP (negociación), incluya los campos para IPv4,
UDP:
- DHCP Discovery
- DHCP Offer
- DHCP Request
- DHCP ACK

 ¿Que papel cumple el campo Transaction ID?

 ¿Cuál es el tiempo de asignación de los parámetros de red?
 ¿Quién (que dispositivo) y porque envía paquetes ARP gratuitos?

 Agregue a la subred 10.1.1.0/24 el router R3 con la IPv4 10.1.1.3/24.

 Desactive la interface FastEthernet0/0 de R1 (cliente DHCP). Limpie asociaciones DHCP en server
DHCP R2
 En R2 configure el direccionamiento mostrado.
 En R3 configure el pool DHCP. Los parámetros DHCP que debe entregar al ciente R1 debe ser:
- DNS server: 4.4.4.4

137
2019 instructor.duoc@gmail.com
SRY

- Direccion IPv4: 10.1.1.X (excluya las primeras 10 IP asignables).

- DG: 10.1.1.3
- Dominio: tilt.org
- Red: 10.1.1.0/24

 Comience a capturar en la interface Fastethernet0/0 de R1 (cliente DHCP)

 Habilite la interface Fastethernet0/0 de R1
 Después que R1 haya obtenidos su parámetros de red finalice la captura.

R1(config)#interface fastEthernet 0/0

R1(config-if)#shutdown

R2#clear ip dhcp binding *

R2#show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
R2#

R3
ip dhcp excluded-address 10.1.1.1 10.1.1.9
!
ip dhcp pool TST
network 10.1.1.0 255.255.255.0
default-router 10.1.1.3
dns-server 4.4.4.4
domain-name tilt.org

interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
no shut

R1(config)#interface fastEthernet 0/0

R1(config-if)#no shutdown
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.10, mask
255.255.255.0, hostname R1

138
2019 instructor.duoc@gmail.com
SRY

 Utilice el filtro visual bootp.

 En la interface gráfica de Wireshark vaya a Statistcs | Flow Graph. En la nueva ventana filtre por
paqutes
 Determine que DHCP Server es utilizado por cliente R1.

139
2019 instructor.duoc@gmail.com
SRY

 Cree el direccionamiento mostrado.

 Configure OSPF 1 area 0 como muestra la figura. La red 10.1.1.0/24 debe ser conocida por R4.
Configure ID en los routers que participan en OSPF. R4 debe publicar en OSPF la IP 4.4.4.4/24
dentro del dominio OSPF.
 Deshabilite los servicios DHCP en R2 y R3.
 Configure R4 como servidor DHCP con los siguientes parámetros de red:
- DNS server: 4.4.4.4
- Direccion IPv4: 10.1.1.X (excluya las primeras 10 IP asignables).
- DG: 4.4.4.4
- Dominio: tilt.org
- Red: 10.1.1.0/24

R2
no ip dhcp excluded-address 10.1.1.1 10.1.1.9
no ip dhcp pool TST

router ospf 1
router-id 1.1.1.1

interface range fastEthernet 0/0-1

ip ospf 1 area 0

R3
no ip dhcp excluded-address 10.1.1.1 10.1.1.9
no ip dhcp pool TST

router ospf 1
router-id 3.3.3.3

interface range fastEthernet 0/0-1

ip ospf 1 area 0

R4
router ospf 1
router-id 4.4.4.4

interface range fastEthernet 0/0-1

ip ospf 1 area 0

R4#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/DR 00:00:36 10.1.34.3 FastEthernet0/0
1.1.1.1 1 FULL/DR 00:00:36 10.1.24.2 FastEthernet0/1

140
2019 instructor.duoc@gmail.com
SRY

R4#show ip route ospf

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.1.1.0/24 [110/2] via 10.1.34.3, 00:03:32, FastEthernet0/0
[110/2] via 10.1.24.2, 00:03:52, FastEthernet0/1

R4
ip dhcp excluded-address 10.1.1.1 10.1.1.9
!
ip dhcp pool TST
network 10.1.1.0 255.255.255.0
default-router 4.4.4.4
dns-server 4.4.4.4
domain-name tilt.org

interface Loopback0
ip address 4.4.4.4 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0

R2#sh ip route ospf

Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
O 4.4.4.0 [110/2] via 10.1.24.4, 00:00:03, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.1.34.0/24 [110/2] via 10.1.24.4, 00:11:03, FastEthernet0/1
[110/2] via 10.1.1.3, 00:14:55, FastEthernet0/0

R3#sh ip route ospf

Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
O 4.4.4.0 [110/2] via 10.1.34.4, 00:00:30, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.1.24.0/24 [110/2] via 10.1.34.4, 00:11:30, FastEthernet0/1
[110/2] via 10.1.1.2, 00:15:22, FastEthernet0/0

141
2019 instructor.duoc@gmail.com
SRY

 En R1 configure la interface Fastethernet0/0 a sus valores de fabrica y desactive la interface.

R1(config)#default interface fastEthernet 0/0

Interface FastEthernet0/0 set to default configuration

R1(config)#interface fastEthernet 0/0

R1(config-if)#shutdown

 Configure una característica de DHCP de manera que permita que R1 pueda obtener sus
parámetros de red desde el servisor R4.
 Habilite R1 para recibir los parámetros de red desde R4.
 Comience a capturar tráfico en la interface Fasethernet0/0 de R1 y Fastethernet0/1 de R2 y R3
(hacia R4).
 Luego que R1 haya obtenido IP compruebe que puede alcanzar al router R4.

R2
interface FastEthernet0/0
ip helper-address 4.4.4.4
ip helper-address 10.1.24.4

R3
interface FastEthernet0/0
ip helper-address 4.4.4.4
ip helper-address 10.1.34.4

R1
interface fastEthernet 0/0
ip address dhcp
no shutdown

R4#show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
10.1.1.10 0063.6973.636f.2d63. May 02 2016 03:20 PM Automatic Selecting Unknown
6130.312e.3165.3330.
2e30.3030.382d.4661.
302f.30

 ¿Que servicios se envían por defecto cuando se utiliza DHCP Relay? Nombre cada uno y de una
pequeña explicación.
 Determine cual es el camino que utiliza DHCP para entregar valores de red a R1.

142
2019 instructor.duoc@gmail.com
SRY

DHCP Snooping

Setup: Cree el direccionamiento y topología mostrada. Configure hostname de acuerdo a la figura.

 Configure DHCP en R1 (server) considerando los siguientes parámetros de red:

- Red 10.1.1.0/24
- DG 10.1.1.1
- DNS 8.8.4.4
- Dominio: class.org

Nota: Excluya las direccionescorrespondientes al rango 10.1.1.1 a 10.1.1.9

 PC1 debe recibir estos valores de red desde R1 (servidor DHCP). Para resguardar de posibles
ataques o intentos de suplatancionde indentidad DHCP, confgure DHCP Snooping en el SW1.

R1
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut

ip dhcp excluded-address 10.1.1.1 10.1.1.9

ip dhcp pool TEST

network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 8.8.4.4

R1#sh ip dhcp binding

IP address Client-ID/ Lease expiration Type
Hardware address

143
2019 instructor.duoc@gmail.com
SRY

 Configure como puertos de acceso los dispositivos conectados al SW1. Considere que estos
puertos de acceso:
 Deben pertenecer al la VLAN 100
 Deben bypasear los estados STP y pasar al estado de reenvio inmediatamente.
 Solo deben aceptar una MAC por puerto. Si reciben mas de una MAC de origen deben descartarlas
pero seguir operando normalemente.

SW1
vlan 100
name ACCESO

interface range fastEthernet 0/1-3

switchport access vlan 10
switchport mode access
spanning-tree portfast
switchport port-security
switchport port-security violation restrict

SW1#sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/4, Fa0/5, Fa0/6, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gig0/1, Gig0/2
10 VLAN0010 active Fa0/1, Fa0/2, Fa0/3
100 ACCESO active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

R2
interface GigabitEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut

ip dhcp excluded-address 10.1.1.1 10.1.1.9

ip dhcp pool TEST

network 10.1.1.0 255.255.255.0
default-router 10.1.1.2
dns-server 8.8.4.4

R2#sh ip dhcp binding

144
2019 instructor.duoc@gmail.com
SRY

IP address Client-ID/ Lease expiration Type

Hardware address

 Habilite DHCP en PC1

R1#sh ip dhcp binding

IP address Client-ID/ Lease expiration Type
Hardware address
10.1.1.10 0060.2F78.1D78 -- Automatic

145
2019 instructor.duoc@gmail.com
SRY

 Configure DHCP Snooping de manera que solo se considere válido el trafico DHCP que se genere
en R1.

Previo a la configuración podemos confirmar que R2 envia valores DHCP al cliente PC1 como se muestra a
continuación.

R1(config)#interface gigabitEthernet 0/0

R1(config-if)#shutdown

R2#sh ip dhcp binding

IP address Client-ID/ Lease expiration Type
Hardware address
10.1.1.10 0060.2F78.1D78 -- Automatic

R1(config)#interface gigabitEthernet 0/0

R1(config-if)#no shutdown

SW1
ip dhcp snooping
no ip dhcp snooping information option

interface FastEthernet0/1
ip dhcp snooping trust

SW1#sh ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:
none
Smartlog is configured on following VLANs:

146
2019 instructor.duoc@gmail.com
SRY

none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled

circuit-id default format: vlan-mod-port
remote-id: 000A.41DE.6E05 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)

----------------------- ------- ------------ ----------------
FastEthernet0/1 yes yes unlimited
Custom circuit-ids:
FastEthernet0/2 no no 10

R1#sh ip dhcp binding

IP address Client-ID/ Lease expiration Type
Hardware address
10.1.1.10 0060.2F78.1D78 -- Automatic

C:\>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

SW1#sh mac address-table

Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0001.c775.e801 STATIC Fa0/2
10 0060.2f78.1d78 STATIC Fa0/3
10 00d0.5862.2201 STATIC Fa0/1

147
2019 instructor.duoc@gmail.com
SRY

NAT

Setup: Configure direccionamiento y verifique que R1 tiene conectividad con sus vecinos
directamente conectados.

 Configure OSPF área 0 en la zona INSIDE. R1 debe inyectar una ruta por defecto dentro del
dominio OSPF.
 En R1 cree una ruta estática para la subred 4.4.4.4/24 apuntando a la interface serial de R4.
 En R4 cree una ruta p

R1
router ospf 1
router-id 0.0.0.1

interface FastEthernet0/0
ip ospf 1 area 0

R2
router ospf 1
router-id 0.0.0.2

interface FastEthernet0/0
ip ospf 1 area 0

R3
router ospf 1
router-id 0.0.0.3
148
2019 instructor.duoc@gmail.com
SRY

interface FastEthernet0/0
ip ospf 1 area 0

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.1 1 FULL/BDR 00:00:33 10.1.1.1 FastEthernet0/0
0.0.0.2 1 FULL/DR 00:00:32 10.1.1.2 FastEthernet0/0

R1
router ospf 1
default-information originate always

R2#sh ip route ospf

Gateway of last resort is 10.1.1.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.1, 00:00:14, FastEthernet0/0

R3#sh ip route ospf

Gateway of last resort is 10.1.1.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.1, 00:00:42, FastEthernet0/0

R1
ip route 0.0.0.0 0.0.0.0 191.1.1.40

R1#sh ip route static

Gateway of last resort is 191.1.1.40 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 191.1.1.40

R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms

NAT Dinámico.
Este método es menos eficiente partiendo de la base que se traduce una IP a otra dinamicamente.
 Cree un pool NAT que traduzca las direcciones internas de acuerdo a la siguiente tabla:
Host Direccion INSIDE Direccion OUTSIDE
R2 10.1.1.2 191.1.1.3
R3 10.1.1.3 191.1.1.3

R1
ip nat pool PUBLICO 191.1.1.2 191.1.1.5 netmask 255.255.255.0

ip access-list standard IN_NET

permit 10.1.1.0 0.0.0.255
149
2019 instructor.duoc@gmail.com
SRY

ip nat inside source list IN_NET pool PUBLICO

interface Serial1/0
ip nat outside

interface FastEthernet0/0
ip nat inside

R1#sh ip nat translations

R1#

R2#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 8/8/8 ms

R3#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 16/16/16 ms

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 191.1.1.3:4 10.1.1.2:4 4.4.4.4:4 4.4.4.4:4
--- 191.1.1.3 10.1.1.2 --- ---
icmp 191.1.1.4:3 10.1.1.3:3 4.4.4.4:3 4.4.4.4:3
--- 191.1.1.4 10.1.1.3 --- ---

R4#debug ip icmp
ICMP packet debugging is on
R4#
*Jun 17 13:06:23.755: ICMP: echo reply sent, src 4.4.4.4, dst 191.1.1.3, topology BASE, dscp 0 topoid 0
*Jun 17 13:06:26.319: ICMP: echo reply sent, src 4.4.4.4, dst 191.1.1.4, topology BASE, dscp 0 topoid 0

150
2019 instructor.duoc@gmail.com
SRY

NAT Estático
NAT estático asigna una IP predefinida uno a uno.
 Cree un pool NAT que traduzca las direcciones internas de acuerdo a la siguiente tabla:
Host Direccion INSIDE Direccion OUTSIDE
R2 10.1.1.2 191.1.1.32
R3 10.1.1.3 191.1.1.33

R1(config)#no ip nat inside source list IN_NET pool PUBLICO

Dynamic mapping in use, do you want to delete all entries? [no]: yes
R1(config)#no ip nat pool PUBLICO

R1
ip nat inside source static 10.1.1.2 191.1.1.32
ip nat inside source static 10.1.1.3 191.1.1.33

R1#clear ip nat translation *

R2#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 40/40/40 ms

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 191.1.1.32:5 10.1.1.2:5 4.4.4.4:5 4.4.4.4:5
--- 191.1.1.32 10.1.1.2 --- ---
--- 191.1.1.33 10.1.1.3 --- ---

R1#clear ip nat translation *

R1#

R3#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 16/16/16 ms

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
--- 191.1.1.32 10.1.1.2 --- ---
icmp 191.1.1.33:5 10.1.1.3:5 4.4.4.4:5 4.4.4.4:5
--- 191.1.1.33 10.1.1.3 --- ---

R4#
*Jun 17 13:34:03.571: ICMP: echo reply sent, src 4.4.4.4, dst 191.1.1.32, topology BASE, dscp 0 topoid 0

151
2019 instructor.duoc@gmail.com
SRY

PAT
Port Address Translation permite mapear una IP Inside Global a varias IP Inside Local.
 Configure PAT de manera que R2 y R3 utilicen la dirección de la interface serial de R1.

R1(config)#no ip nat inside source static 10.1.1.2 191.1.1.32

R1(config)#no ip nat inside source static 10.1.1.3 191.1.1.33

R1
ip access-list standard IN_NET
permit 10.1.1.0 0.0.0.255

ip nat inside source list IN_NET interface serial 1/0 overload

R1#clear ip nat translation *

R1#

R1#sh ip nat translations

R1#

R3#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 12/12/12 ms

R2#ping 4.4.4.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 8/8/8 ms

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 191.1.1.1:9 10.1.1.2:9 4.4.4.4:9 4.4.4.4:9
icmp 191.1.1.1:7 10.1.1.3:7 4.4.4.4:7 4.4.4.4:7

152
2019 instructor.duoc@gmail.com
SRY

 Configure PAT con varias direcciones Inside Global.

 Realice este laboratorio para IPv6 en base a la siguiente figura:

153
2019 instructor.duoc@gmail.com
SRY

NAT TCP Load Sharing

IOS: (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S4

Setup: Configure direccionamiento y verifique que R2 tenga conectividad con sus vecinos
directamente conectados.

 Configure OSPF área 0 en la zona INSIDE. R2 debe inyectar una ruta por defecto dentro del
dominio OSPF.
 Configure Telnet en todos los routers utilizando usuario adminX y classX donde X corresponde al
número del router. Compruebe que R2 sea el DR y R3 el BDR.

R2#ping 255.255.255.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 10.1.1.3, 8 ms
Reply to request 0 from 10.1.1.4, 16 ms
Reply to request 0 from 10.1.12.1, 16 ms

R4
router ospf 1
router-id 0.0.0.4

interface FastEthernet0/0
ip ospf 1 area 0

R2
router ospf 1
router-id 0.0.0.2
default-information originate always

interface FastEthernet0/0
ip ospf priority 255
ip ospf 1 area 0

154
2019 instructor.duoc@gmail.com
SRY

R3
router ospf 1
router-id 0.0.0.3
interface FastEthernet0/0
ip ospf priority 254
ip ospf 1 area 0

R4#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.2 255 FULL/DR 00:00:37 10.1.1.2 FastEthernet0/0
0.0.0.3 254 FULL/BDR 00:00:39 10.1.1.3 FastEthernet0/0

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.3 254 FULL/BDR 00:00:31 10.1.1.3 FastEthernet0/0
0.0.0.4 1 FULL/DROTHER 00:00:32 10.1.1.4 FastEthernet0/0

R4#sh ip route ospf

Gateway of last resort is 10.1.1.2 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.2, 00:00:40, FastEthernet0/0

R3#sh ip route ospf

Gateway of last resort is 10.1.1.2 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.2, 00:01:35, FastEthernet0/0

R1
line vty 0 4
privilege level 15
no login

R2
line vty 0 4
privilege level 15
no login

R3
line vty 0 4
privilege level 15
no login

R4
line vty 0 4
privilege level 15
no login

R2#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
R1#

155
2019 instructor.duoc@gmail.com
SRY

R2#telnet 10.1.1.3
Trying 10.1.1.3 ... Open
R3#

R2#telnet 10.1.1.4
Trying 10.1.1.4 ... Open
R4#

 Configure R2 de manera que traduzca conexiones desde R1 a la dirección 10.1.34.34 a dos

direcciones reales (FastEthernet0/0 de R3 y R4) en modo Round-Robin. Los routers R3 y R4 ya
están recibiendo una ruta por defecto desde el router R2.

R1
ip route 0.0.0.0 0.0.0.0 10.1.12.2

R1#sh ip route static

Gateway of last resort is 10.1.12.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.12.2

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/28 ms

R1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/28 ms

R2
ip nat pool HOST-REAL 10.1.1.3 10.1.1.4 prefix-length 24 type rotary
access-list 10 permit 10.1.34.34

ip nat inside destination list 10 pool HOST-REAL

interface FastEthernet0/1
ip nat outside

interface FastEthernet0/0
ip nat inside

156
2019 instructor.duoc@gmail.com
SRY

 Comprobación.

R1#telnet 10.1.34.34
Trying 10.1.34.34 ... Open
R3#

R3#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:07:27
* 2 vty 0 idle 00:00:00 10.1.12.1
Interface User Mode Idle Peer Address

R1#telnet 10.1.34.34
Trying 10.1.34.34 ... Open
R4#
R2#debug ip nat detailed
IP NAT detailed debugging is on

R1#telnet 10.1.34.34
Trying 10.1.34.34 ... Open

R2#
*Nov 15 21:43:35.915: NAT: Entry assigned id 3
*Nov 15 21:43:35.915: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2772]
*Nov 15 21:43:35.915: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2772]
*Nov 15 21:43:35.955: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14659]
*Nov 15 21:43:35.955: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14659]
*Nov 15 21:43:35.975: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2773]
*Nov 15 21:43:35.975: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2773]
*Nov 15 21:43:35.975: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2774]
*Nov 15 21:43:35.979: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2774]
*Nov 15 21:43:35.979: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2775]
*Nov 15 21:43:35.979: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2775]
*Nov 15 21:43:35.995: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14660]
*Nov 15 21:43:35.995: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14660]
*Nov 15 21:43:35.995
R2#: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14661]
*Nov 15 21:43:35.999: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14661]
*Nov 15 21:43:35.999: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14662]
*Nov 15 21:43:35.999: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14662]
*Nov 15 21:43:35.999: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14663]
*Nov 15 21:43:35.999: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14663]
*Nov 15 21:43:36.003: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14664]
*Nov 15 21:43:36.003: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14664]
*Nov 15 21:43:36.011: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2776]
*Nov 15 21:43:36.015: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2776]
*Nov 15 21:43:36.015: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2777]
*Nov 15 21:43:36.015: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2777]

157
2019 instructor.duoc@gmail.com
SRY

*Nov 15 21:43:36.019: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2778]
*Nov 15 21:43:36.019: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2778]
*Nov 15 21:43:36.023: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2779]
*Nov 15 21:43:36.023: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2779]
*Nov 15 21:43:36.031: NAT*: i: tcp (10.1.1.3, 23) -> (10.1.12.1, 51756) [14665]
*Nov 15 21:43:36.035: NAT*: s=10.1.1.3->10.1.34.34, d=10.1.12.1 [14665]
*Nov 15 21:43:36.235: NAT*: o: tcp (10.1.12.1, 51756) -> (10.1.34.34, 23) [2780]
*Nov 15 21:43:36.235: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.3 [2780]

R1#telnet 10.1.34.34
Trying 10.1.34.34 ... Open
R4#

R2#4:17.587: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38805]

*Nov 15 21:44:17.619: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8059]
*Nov 15 21:44:17.619: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8059]
*Nov 15 21:44:17.627: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38806]
*Nov 15 21:44:17.627: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38806]
*Nov 15 21:44:17.627: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38807]
*Nov 15 21:44:17.631: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38807]
*Nov 15 21:44:17.631: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38808]
*Nov 15 21:44:17.631: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38808]
*Nov 15 21:44:17.647: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8060]
*Nov 15 21:44:17.647: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8060]
*Nov 15 21:44:17.647: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8061]
*Nov 15 21:44:17.651: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8061]
*Nov 15 21:44:
R2#17.651: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8062]
*Nov 15 21:44:17.651: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8062]
*Nov 15 21:44:17.651: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8063]
*Nov 15 21:44:17.651: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8063]
*Nov 15 21:44:17.651: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8064]
*Nov 15 21:44:17.651: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8064]
*Nov 15 21:44:17.655: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38809]
*Nov 15 21:44:17.659: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38809]
*Nov 15 21:44:17.659: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38810]
*Nov 15 21:44:17.659: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38810]
*Nov 15 21:44:17.663: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38811]
*Nov 15 21:44:17.663: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38811]
*Nov 15 21:44:17.663: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38812]
*Nov 1
R2#5 21:44:17.663: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38812]
*Nov 15 21:44:17.675: NAT*: i: tcp (10.1.1.4, 23) -> (10.1.12.1, 39346) [8065]
*Nov 15 21:44:17.675: NAT*: s=10.1.1.4->10.1.34.34, d=10.1.12.1 [8065]
*Nov 15 21:44:17.855: NAT*: o: tcp (10.1.12.1, 39346) -> (10.1.34.34, 23) [38813]
*Nov 15 21:44:17.855: NAT*: s=10.1.12.1, d=10.1.34.34->10.1.1.4 [38813]

R2#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp 10.1.34.34:23 10.1.1.3:23 10.1.12.1:51756 10.1.12.1:51756
158
2019 instructor.duoc@gmail.com
SRY

tcp 10.1.34.34:23 10.1.1.4:23 10.1.12.1:39346 10.1.12.1:39346

R2#sh ip nat translations tcp verbose

Pro Inside global Inside local Outside local Outside global
tcp 10.1.34.34:23 10.1.1.3:23 10.1.12.1:22009 10.1.12.1:22009
create 00:00:07, use 00:00:05, left 00:00:54, Map-Id(In): 1,
flags:
extended, dest, timing-out, use_count: 0, entry-id: 5, lc_entries: 0
tcp 10.1.34.34:23 10.1.1.4:23 10.1.12.1:39346 10.1.12.1:39346
create 00:09:00, use 00:00:08, left 00:00:51, Map-Id(In): 1,
flags:
extended, dest, timing-out, use_count: 0, entry-id: 4, lc_entries: 0
tcp 10.1.34.34:23 10.1.1.4:23 10.1.12.1:64928 10.1.12.1:64928
create 00:00:05, use 00:00:05, left 23:59:54, Map-Id(In): 1,
flags:
extended, dest, use_count: 0, entry-id: 6, lc_entries: 0

159
2019 instructor.duoc@gmail.com
SRY

HSRP NAT

Setup: Cree la topología mostrada. Configure el direccionamiento de la figura.

 Habilite en todos los routers de la topología.

R1
line vty 0 4
privilege level 15
no login
transport input all

R2
line vty 0 4
privilege level 15
no login
transport input all

R3
line vty 0 4
privilege level 15
no login
transport input all

R4
line vty 0 4
privilege level 15
no login
transport input all

160
2019 instructor.duoc@gmail.com
SRY

 Configure EIGRP nombrado para toda la topología con el numero de Sistema Autonomo 123 entre
R1, R2 y R3.
 Configure EIGRP nombrado para toda la topología con el numero de Sistema Autonomo 234 entre
R2, R3 y R4
 Redistribuya ambos Sistemas Autónomos.

R1
router eigrp n1
address-family ipv4 unicast autonomous-system 123
network 10.1.123.0 0.0.0.255

R2
router eigrp n1
address-family ipv4 unicast autonomous-system 123
topology base
default-metric 10000 10 255 1 1500
redistribute eigrp 234
exit-af-topology
network 10.1.123.0 0.0.0.255

router eigrp n2
address-family ipv4 unicast autonomous-system 234
topology base
default-metric 10000 10 255 1 1500
redistribute eigrp 123
exit-af-topology
network 10.1.234.0 0.0.0.255

R3
router eigrp n1
address-family ipv4 unicast autonomous-system 123
topology base
default-metric 10000 10 255 1 1500
redistribute eigrp 234
exit-af-topology
network 10.1.123.0 0.0.0.255

router eigrp n2
address-family ipv4 unicast autonomous-system 234
topology base
default-metric 10000 10 255 1 1500
redistribute eigrp 123
exit-af-topology
network 10.1.234.0 0.0.0.255

R4
router eigrp n2
address-family ipv4 unicast autonomous-system 234

161
2019 instructor.duoc@gmail.com
SRY

network 10.1.234.0 0.0.0.255

R1#sh ip eigrp neighbors

EIGRP-IPv4 VR(n1) Address-Family Neighbors for AS(123)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.123.3 Fa0/0 14 00:00:43 27 162 0 3
0 10.1.123.2 Fa0/0 12 00:03:29 37 222 0 3

R4#sh ip eigrp neighbors

EIGRP-IPv4 VR(n2) Address-Family Neighbors for AS(234)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.234.3 Fa0/1 12 00:00:20 1294 5000 0 5
0 10.1.234.2 Fa0/1 13 00:00:20 40 240 0 4

R4#sh ip route eigrp

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX 10.1.123.0/24 [170/153600] via 10.1.234.3, 00:00:32, FastEthernet0/1
[170/153600] via 10.1.234.2, 00:00:32, FastEthernet0/1

R1#sh ip route eigrp

Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX 10.1.234.0/24 [170/153600] via 10.1.123.3, 00:01:25, FastEthernet0/0
[170/153600] via 10.1.123.2, 00:01:25, FastEthernet0/0

R4#sh ip eigrp topology

EIGRP-IPv4 VR(n2) Topology Table for AS(234)/ID(10.1.234.4)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.1.234.0/24, 1 successors, FD is 13107200

via Connected, FastEthernet0/1
P 10.1.123.0/24, 2 successors, FD is 19660800
via 10.1.234.2 (19660800/13107200), FastEthernet0/1
via 10.1.234.3 (19660800/13107200), FastEthernet0/1

R1#sh ip eigrp topology

EIGRP-IPv4 VR(n1) Topology Table for AS(123)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.234.0/24, 2 successors, FD is 19660800
via 10.1.123.2 (19660800/13107200), FastEthernet0/0
via 10.1.123.3 (19660800/13107200), FastEthernet0/0
P 10.1.123.0/24, 1 successors, FD is 13107200
via Connected, FastEthernet0/0

R4#traceroute 10.1.123.1
162
2019 instructor.duoc@gmail.com
SRY

Type escape sequence to abort.

Tracing the route to 10.1.123.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.234.2 8 msec
10.1.234.3 16 msec
10.1.234.2 16 msec
2 10.1.123.1 16 msec 36 msec 36 msec

163
2019 instructor.duoc@gmail.com
SRY

R1#traceroute 10.1.234.4
Type escape sequence to abort.
Tracing the route to 10.1.234.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.123.2 16 msec
10.1.123.3 8 msec
10.1.123.2 12 msec
2 10.1.234.4 16 msec 36 msec 24 msec

 Configure la VIP HSRP 10.1.123.254 en R2 y R3 (segmento 10.1.123.0/24). R2 debe tener el rol

ACTIVE.
 Configure la VIP HSRP 10.1.234.254 en R2 y R3 (segmento 10.1.234.0/24). R2 debe tener el rol
ACTIVE.

R2
interface FastEthernet0/0
standby 10 ip 10.1.123.254
standby 10 priority 150
standby 10 preempt
standby 10 name SITIO-1
standby 10 track 1 decrement 51

interface FastEthernet0/1
standby 20 ip 10.1.234.254
standby 20 priority 150
standby 20 preempt
standby 20 name SITIO-2
standby 20 track 2 decrement 51

R3
interface FastEthernet0/0
standby 10 ip 10.1.123.254
standby 10 preempt
standby 10 name SITIO-1
standby 10 track 1 decrement 51

interface FastEthernet0/1
standby 20 ip 10.1.234.254
standby 20 preempt
standby 20 name SITIO-2
standby 20 track 2 decrement 51

R2#sh standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 150 P Active local 10.1.123.3 10.1.123.254

164
2019 instructor.duoc@gmail.com
SRY

Fa0/1 20 150 P Active local 10.1.234.3 10.1.234.254

165
2019 instructor.duoc@gmail.com
SRY

R3#sh standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 100 P Standby 10.1.123.2 local 10.1.123.254
Fa0/1 20 100 P Standby 10.1.234.2 local 10.1.234.254

 R2 debe traducir la direccion de R1 (10.1.123.1) desde Sitio 1 a la direccion 10.1.234.1 en Sitio 2.

 R3 debe traducir la direccion de R1 (10.1.123.1) desde Sitio 1 a la direccion 10.1.234.1 en Sitio 2.

R2
interface FastEthernet0/0
ip nat inside

interface FastEthernet0/1
ip nat outside

ip nat inside source static 10.1.123.1 10.1.234.1 redundancy SITIO-1

R3
interface FastEthernet0/0
ip nat inside

interface FastEthernet0/1
ip nat outside

ip nat inside source static 10.1.123.1 10.1.234.1 redundancy SITIO-1

R1#telnet 10.1.234.4
Trying 10.1.234.4 ... Open
R4#

R4#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:18:10
* 2 vty 0 idle 00:00:00 10.1.234.1
Interface User Mode Idle Peer Address

R2#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp 10.1.234.1:36896 10.1.123.1:36896 10.1.234.4:23 10.1.234.4:23
--- 10.1.234.1 10.1.123.1 --- ---

R3#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
--- 10.1.234.1 10.1.123.1 --- ---

166
2019 instructor.duoc@gmail.com
SRY

R2
interface fastEthernet 0/1
shutdown

*Nov 18 16:55:19.875: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down

*Nov 18 16:55:19.887: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 20 state Active -> Init
R2#
*Nov 18 16:55:22.291: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
R2#
*Nov 18 16:55:33.547: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

R3#sh standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 100 P Active local 10.1.123.2 10.1.123.254
Fa0/1 20 100 P Active local unknown 10.1.234.254

R2#sh standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 99 P Standby 10.1.123.3 local 10.1.123.254
Fa0/1 20 150 P Init unknown unknown 10.1.234.254

R3#sh ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp 10.1.234.1:36896 10.1.123.1:36896 10.1.234.4:23 10.1.234.4:23
--- 10.1.234.1 10.1.123.1 --- ---

Como podemos observar, R2 tiene el rol active hasta que la interface FastEthernet 0/1 se desactiva, en
ese momento baja su prioridad qa 99por lo que R3 toma el rol Activo con prioridad 100.

 Realice estas mismas pruebas desde R4 a R1.

167
2019 instructor.duoc@gmail.com
SRY

Firewall por Zona Challenge NAT/PAT

Setup: Configure direccionamiento y verifique que R1 tiene conectividad con sus vecinos
directamente conectados.

1. Configure OSPF en Inside y DMZ utilice OSPF área 0 y publique las loopback0 de R2 y R3. Cree
una ruta por defecto en R1 apuntando a R4. R1 debe inyectar una ruta por defecto a través de
OSPF. En R4 cree rutas estáticas para alcanzar las redes INSIDE y DMZ. Antes de seguir con la
siguiente tarea compruebe que tiene conectividad end to end.

2. Configure NAT en R1 de manera que convierta la IP del server 10.1.13.3 (R3) a la dirección
pública 100.1.1.100. Desde Internet se podrá acceder a las aplicaciones del servidor (DMZ)
utilizando la IP 100.1.1.100. Configure PAT de manera que todos los hosts que pertenecen a la
INSIDE utilicen la IP de la interface serial 1/0 de R1.

R1
router ospf 1
router-id 1.1.1.1
default-information originate always

interface range fastEthernet 0/0 - 1

ip ospf 1 area 0
ip ospf network point-to-point

ip route 0.0.0.0 0.0.0.0 100.1.1.4

R2
interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0
R3
interface FastEthernet0/1
168
2019 instructor.duoc@gmail.com
SRY

ip ospf network point-to-point

ip ospf 1 area 0

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

R4
ip route 2.0.0.0 255.0.0.0 Serial1/0
ip route 3.0.0.0 255.0.0.0 Serial1/0
ip route 10.0.0.0 255.0.0.0 Serial1/0

R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.12.2 0 FULL/ - 00:00:38 10.1.12.2 FastEthernet0/0
3.3.3.3 0 FULL/ - 00:00:35 10.1.13.3 FastEthernet0/1

R1#sh ip route
Gateway of last resort is 100.1.1.4 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 100.1.1.4
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, Loopback0
L 1.1.1.1/32 is directly connected, Loopback0
2.0.0.0/24 is subnetted, 1 subnets
O 2.2.2.0 [110/2] via 10.1.12.2, 00:01:02, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
O 3.3.3.0 [110/2] via 10.1.13.3, 00:00:40, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.12.0/24 is directly connected, FastEthernet0/0
L 10.1.12.1/32 is directly connected, FastEthernet0/0
C 10.1.13.0/24 is directly connected, FastEthernet0/1
L 10.1.13.1/32 is directly connected, FastEthernet0/1
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.1.1.0/24 is directly connected, Serial1/0
L 100.1.1.1/32 is directly connected, Serial1/0

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/54/72 ms

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/76/92 ms

R1#ping 4.4.4.4
169
2019 instructor.duoc@gmail.com
SRY

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/75/88 ms

R2#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/62/92 ms

R3#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/72/84 ms

R4#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/105/136 ms

R4#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/121/132 ms

R1
interface Serial1/0
description **A R4**
ip nat outside

%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

interface FastEthernet0/0
description **A R2**
ip nat inside

interface FastEthernet0/1
description **A R3**
ip nat inside

access-list 100 permit ip 10.1.12.0 0.0.0.255 any

ip nat inside source list 100 interface serial 1/0 overload
ip nat inside source static 10.1.13.3 100.1.1.100

R2#ping 4.4.4.4
Type escape sequence to abort.
170
2019 instructor.duoc@gmail.com
SRY

Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/73/92 ms

R1#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 100.1.1.1:1 10.1.12.2:1 4.4.4.4:1 4.4.4.4:1
--- 100.1.1.100 10.1.13.3 --- ---

R3#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/100 ms

R1#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 100.1.1.1:2 10.1.12.2:2 4.4.4.4:2 4.4.4.4:2
icmp 100.1.1.100:1 10.1.13.3:1 4.4.4.4:1 4.4.4.4:1
icmp 100.1.1.100:2 10.1.13.3:2 4.4.4.4:2 4.4.4.4:2
--- 100.1.1.100 10.1.13.3 --- ---

R4#ping 100.1.1.100 source 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.100, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/23/28 ms

R1#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 100.1.1.1:3 10.1.12.2:3 4.4.4.4:3 4.4.4.4:3
icmp 100.1.1.100:0 10.1.13.3:0 100.1.1.4:0 100.1.1.4:0
icmp 100.1.1.100:1 10.1.13.3:1 100.1.1.4:1 100.1.1.4:1
icmp 100.1.1.100:3 10.1.13.3:3 4.4.4.4:3 4.4.4.4:3
--- 100.1.1.100 10.1.13.3 --- ---

3. Habilite telnet en el servidor DMZ (R3) y compruebe que el servicio HTTP está activo desde la
OUTSIDE.

R3
ip http server

line vty 0 4
exec-timeout 0 0
password cisco
login
transport input all
171
2019 instructor.duoc@gmail.com
SRY

R4#telnet 100.1.1.100 80
Trying 100.1.1.100, 80 ... Open

R4#telnet 100.1.1.100
Trying 100.1.1.100 ... Open

User Access Verification

Password:cisco

Definición de zonas
4. Cree y asigne a la interface correspondiente la zona OUTSIDE (serial1/0), INSIDE
(FasEthernet0/0) y DMZ (FastEthernet0/1).

R1
zone security OUTSIDE
description INTERNET

interface Serial1/0
zone-member security OUTSIDE

zone security INSIDE

description ZONA-SEGURA

interface FastEthernet0/0
zone-member security INSIDE

zone security DMZ

description SERVER

interface FastEthernet0/1
zone-member security DMZ

R1#show zone security

zone self
Description: System defined zone
zone OUTSIDE
Description: INTERNET
Member Interfaces:
Serial1/0
zone INSIDE
Description: ZONA-SEGURA
Member Interfaces:
FastEthernet0/0
zone DMZ
Description: SERVER
Member Interfaces:
FastEthernet0/1
172
2019 instructor.duoc@gmail.com
SRY

Puesto que aun no hemos definidos las acciones (políticas), los paquetes serán descartados.

R1#debug policy-map type inspect detail

Policy-Firewall detailed debugging is on

R4#ping 100.1.1.100 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 100.1.1.100, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

R1#
FIREWALL: ret_val 0 is not PASS_PAK
R1#
FIREWALL*: ret_val 0 is not PASS_PAK
FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
R1#
FIREWALL: ret_val 0 is not PASS_PAK
R1#

R1#u all
All possible debugging has been turned off

Políticas ZBF:
5. P1: No se permite el tráfico de paquetes desde la DMZ a cualquier otra zona. P2: No se
permite el tráfico iniciado desde la zona OUTSIDE a la zona INSIDE.

R1
En ambos casos no es necesario configuración alguna puesto que el valor por defecto es denegar
cualquier tráfico de datos.

Test: Ping desde la DMZ a Internet.

6. P3: Se permite el tráfico http/https desde la zona OUTSIDE a la zona DMZ. En este caso se permitirá
desde cualquier origen desde Internet al HTTP server 100.1.1.100, y HTTPS server 100.1.1.100.

R1#show access-lists
Extended IP access list 100
10 permit ip 10.1.12.0 0.0.0.255 any

R1
access-list 111 permit tcp any host 100.1.1.100 eq www
access-list 111 permit tcp any host 100.1.1.100 eq 23

access-list 112 permit tcp any host 100.1.1.100 eq 443

173
2019 instructor.duoc@gmail.com
SRY

access-list 112 permit tcp any host 100.1.1.100 eq 23

class-map type inspect match-all CM-OD-HTTP

match protocol http

class-map type inspect match-all CM-OD-HTTPS

match protocol https

R1
policy-map type inspect PM-OD
class type inspect CM-OD-HTTP
inspect
class type inspect CM-OD-HTTPS
inspect
class class-default
drop

zone-pair security OD source OUTSIDE destination DMZ

service-policy type inspect PM-OD

R1#debug policy-map type inspect

Policy-Firewall events debugging is on

R4#telnet 100.1.1.100 80
Trying 100.1.1.100, 80 ... Open

R1#
*Sep 7 09:16:15.071: FIREWALL: FW CCE got packet 0x682A5218 in process path
*Sep 7 09:16:15.075: FIREWALL: Multicast pak 0x682A5218, let it pass
*Sep 7 09:16:15.771: FIREWALL: FW CCE got packet 0x682A56E4 in process path
*Sep 7 09:16:15.771: FIREWALL: Multicast pak 0x682A56E4, let it pass

7. P4: Se permite el tráfico desde la zona INSIDE a la zona OUTSIDE para:

- Todo el tráfico TCP
- FTP (para propósitos de inspección)
- ICMP

R1
class-map type inspect match-any CM-IO
match protocol tcp
match protocol ftp
match protocol icmp

policy-map type inspect PM-IO

class type inspect CM-IO
inspect
174
2019 instructor.duoc@gmail.com
SRY

class class-default
drop

zone-pair security IO source INSIDE destination OUTSIDE

service-policy type inspect PM-IO

175
2019 instructor.duoc@gmail.com
SRY

8. P5: Se permite el tráfico desde la zona INSIDE a la zona DMZ para:

- FTP
- HTTPS
- ICMP

R1
class-map type inspect match-any CM-ID
match protocol ftp
match protocol https
match protocol icmp

policy-map type inspect PM-ID

class type inspect CM-ID
inspect
class class-default
drop

zone-pair security ID source INSIDE destination DMZ

service-policy type inspect PM-ID

9. P6: Para evitar ataques DoS se deben permitir solo 1000 conexiones válidas, además entre 100
y 500 conexiones embrionarias (conexiones TCP incompletas).

R1
parameter-map type inspect SESION
max-incomplete low 100
max-incomplete high 500
sessions maximum 1000

R1#show class-map type inspect

Class Map type inspect match-all CM-OD-HTTP (id 1)
Match access-group 111
Match protocol http

Class Map type inspect match-any CM-IO (id 3)

Match protocol tcp
Match protocol ftp
Match protocol icmp

Class Map type inspect match-any CM-ID (id 4)

Match protocol ftp
Match protocol https
Match protocol icmp

Class Map type inspect match-all CM-OD-HTTPS (id 2)

Match access-group 112
176
2019 instructor.duoc@gmail.com
SRY

Match protocol https

R1#show parameter-map type inspect SESION

parameter-map type inspect SESION
audit-trail off
alert on
max-incomplete low 100
max-incomplete high 500
one-minute low 2147483647
one-minute high 2147483647
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
sessions maximum 1000

Test P3

R4#telnet 100.1.1.100 80
Trying 100.1.1.100, 80 ... Open

R1#show policy-map type inspect zone-pair OD sessions

policy exists on zp OD
Zone-pair: OD

Service-policy inspect : PM-OD

Class-map: CM-OD-HTTP (match-all)

Match: protocol http

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BA8A0 (100.1.1.4:50257)=>(10.1.13.3:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:03, Last heard 00:00:03
Bytes sent (initiator:responder) [0:0]

Class-map: CM-OD-HTTPS (match-all)

Match: protocol https

Inspect

177
2019 instructor.duoc@gmail.com
SRY

Class-map: class-default (match-any)

Match: any
Drop
45 packets, 1912 bytes

R4#telnet 100.1.1.100 443

Trying 100.1.1.100, 443 ... Open

R1#show policy-map type inspect zone-pair OD sessions

policy exists on zp OD
Zone-pair: OD

Service-policy inspect : PM-OD

Class-map: CM-OD-HTTP (match-all)

Match: protocol http

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BA8A0 (100.1.1.4:50257)=>(10.1.13.3:80) http:tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:03:14, Last heard 00:00:13
Bytes sent (initiator:responder) [0:0]

Class-map: CM-OD-HTTPS (match-all)

Match: protocol https

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BAC20 (100.1.1.4:51264)=>(10.1.13.3:443) https:tcp SIS_OPEN/TCP_ESTAB
Created 00:01:06, Last heard 00:00:06
Bytes sent (initiator:responder) [0:0]

Class-map: class-default (match-any)

Match: any
Drop
45 packets, 1912 bytes

178
2019 instructor.duoc@gmail.com
SRY

P4 INSIDE to OUTISIDE (TCP, FTP, HTTP, ICMP)

R4
ip http server

line vty 0 4
exec-timeout 0 0
password cisco
login
transport input all

R2#telnet 4.4.4.4 80
Trying 4.4.4.4, 80 ... Open

R1#show policy-map type inspect zone-pair IO sessions

policy exists on zp IO
Zone-pair: IO
Service-policy inspect : PM-IO
Class-map: CM-IO (match-any)
Match: protocol tcp
8 packets, 192 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BCBA0 (10.1.12.2:35651)=>(4.4.4.4:80) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:16, Last heard 00:00:16
Bytes sent (initiator:responder) [0:0]

Class-map: class-default (match-any)

Match: any
Drop
0 packets, 0 bytes

R2#ping 4.4.4.4 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
179
2019 instructor.duoc@gmail.com
SRY

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R1#show policy-map type inspect zone-pair IO sessions

policy exists on zp IO
Zone-pair: IO

Service-policy inspect : PM-IO

Class-map: CM-IO (match-any)

Match: protocol tcp
8 packets, 192 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
3 packets, 240 bytes
30 second rate 0 bps

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BD2A0 (10.1.12.2:8)=>(4.4.4.4:0) icmp SIS_OPEN
Created 00:00:36, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [22248:21744]

Class-map: class-default (match-any)

Match: any
Drop
0 packets, 0 bytes

180
2019 instructor.duoc@gmail.com
SRY

P2 INSIDE to DMZ (FTP, HTTPS, ICMP)

R2#telnet 10.1.13.3 443

Trying 10.1.13.3, 443 ... Open

R1#show policy-map type inspect zone-pair ID sessions

policy exists on zp ID
Zone-pair: ID

Service-policy inspect : PM-ID

Class-map: CM-ID (match-any)

Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BD9A0 (10.1.12.2:61000)=>(10.1.13.3:443) https:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:09, Last heard 00:00:08
Bytes sent (initiator:responder) [0:0]

Class-map: class-default (match-any)

Match: any
Drop
2 packets, 48 bytes

R2#ping 3.3.3.3 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/100), round-trip min/avg/max = 64/87/112 ms

181
2019 instructor.duoc@gmail.com
SRY

R1#show policy-map type inspect zone-pair ID sessions

policy exists on zp ID
Zone-pair: ID

Service-policy inspect : PM-ID

Class-map: CM-ID (match-any)

Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps

Inspect

Number of Established Sessions = 1

Established Sessions
Session 699BDD20 (10.1.12.2:8)=>(3.3.3.3:0) icmp SIS_OPEN
Created 00:00:08, Last heard 00:00:01
ECHO request
Bytes sent (initiator:responder) [2376:2304]

Class-map: class-default (match-any)

Match: any
Drop
2 packets, 48 bytes

R1#show policy-firewall config all

Zone: self
Description: System defined zone

Zone: OUTSIDE
Description: INTERNET
Member Interfaces:
Serial1/0

Zone: INSIDE
Description: ZONA-SEGURA
Member Interfaces:
FastEthernet0/0

Zone: DMZ
Description: SERVER
Member Interfaces:
182
2019 instructor.duoc@gmail.com
SRY

FastEthernet0/1

Zone-pair : OD
Source Zone : OUTSIDE
Destination Zone : DMZ
Service-policy inspect : PM-OD
Class-map : CM-OD-HTTP(match-all)
Match protocol http
Action : inspect
Parameter-map : SESION

Class-map : CM-OD-HTTPS(match-all)
Match protocol https
Action : inspect
Parameter-map : SESION

Class-map : class-default(match-any)
Match any
Action : drop log
Parameter-map : Default

Zone-pair : IO
Source Zone : INSIDE
Destination Zone : OUTSIDE
Service-policy inspect : PM-IO
Class-map : CM-IO(match-any)
Match protocol tcp
Match protocol ftp
Match protocol icmp
Action : inspect
Parameter-map : Default

Class-map : class-default(match-any)
Match any
Action : drop log
Parameter-map : Default

Zone-pair : ID
Source Zone : INSIDE
Destination Zone : DMZ
Service-policy inspect : PM-ID
Class-map : CM-ID(match-any)
Match protocol ftp
Match protocol https
Match protocol icmp
Action : inspect
Parameter-map : Default

Class-map : class-default(match-any)
Match any
183
2019 instructor.duoc@gmail.com
SRY

Action : drop log

Parameter-map : Default

Parameter-map Config:
Global:
alert on
sessions maximum 2147483647
waas disabled
l2-transparent dhcp-passthrough disabled
log dropped-packets disabled
log summary disabled
max-incomplete low 18000
max-incomplete high 20000
one-minute low 2147483647
one-minute high 2147483647
tcp reset-PSH disabled
Default:
audit-trail off
alert on
max-incomplete low 2147483647
max-incomplete high 2147483647
one-minute low 2147483647
one-minute high 2147483647
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
sessions maximum 2147483647

184
2019 instructor.duoc@gmail.com
SRY

GRE Recursivo

Setup: Configure direccionamiento y verifique que R1 tiene conectividad con sus vecinos
directamente conectados.

 En R1 cree el direccionamiento mostrado.

 Configure OSPF 1 area 0 entre R1 y R2. Publique la interface loopback0 de R1 dentro de esta área.
 Configure OSPF 1 area 1 entre R2 y R3. Publique la interface loopback0 dentro de esta área.

R1
router ospf 1
router-id 0.0.0.1

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf 1 area 0

R2
router ospf 1
router-id 0.0.0.2

interface FastEthernet0/0
ip ospf 1 area 0

185
2019 instructor.duoc@gmail.com
SRY

interface FastEthernet0/1
ip ospf 1 area 1

R3
router ospf 1
router-id 0.0.0.3

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 1

interface FastEthernet0/1
ip ospf 1 area 1

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
0.0.0.1 1 FULL/DR 00:00:38 10.1.12.1 FastEthernet0/0
0.0.0.3 1 FULL/DR 00:00:37 10.1.23.3 FastEthernet0/1

R2#sh ip route ospf

Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
O 1.1.1.0 [110/2] via 10.1.12.1, 00:00:21, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
O 3.3.3.0 [110/2] via 10.1.23.3, 00:00:11, FastEthernet0/1

R1#sh ip ospf database

OSPF Router with ID (0.0.0.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
0.0.0.1 0.0.0.1 622 0x80000002 0x00B535 2
0.0.0.2 0.0.0.2 623 0x80000002 0x00CE2C 1

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.1.12.2 0.0.0.2 623 0x80000001 0x008E8D

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
3.3.3.0 0.0.0.2 600 0x80000001 0x00250B
10.1.23.0 0.0.0.2 652 0x80000001 0x00FA1D

186
2019 instructor.duoc@gmail.com
SRY

 Luego de comprobar que exista conectividad entre las loopback0s de R1 y R3 cree un tunnel GRE
entre R1 y R3 utilizando la subred 172.16.1.0/24. Considere los siguientes valores:

Dispositivo Tunnel Origen Destino

R1 13 Loopback0 3.3.3.3
R3 13 Loopback0 1.1.1.1

R1
interface Tunnel13
ip address 172.16.1.1 255.255.255.0
tunnel source Loopback0
tunnel destination 3.3.3.3

R3
interface Tunnel13
ip address 172.16.1.3 255.255.255.0
tunnel source Loopback0
tunnel destination 1.1.1.1

R1#show ip int brief tunnel 13

Interface IP-Address OK? Method Status Protocol
Tunnel13 172.16.1.1 YES manual up up

R3#show ip int brief tunnel 13

Interface IP-Address OK? Method Status Protocol
Tunnel13 172.16.1.3 YES manual up up

R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/100 ms

187
2019 instructor.duoc@gmail.com
SRY

 Configure EIGRP de 64 bits utilizando el Sistema Autónomo 1 entre R1 y R3 a través del túnel.
Publique las interfaces loopback0 en EIGRP.

R1
router eigrp n1
address-family ipv4 unicast autonomous-system 1
network 1.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
eigrp router-id 1.1.1.1

R3
router eigrp n1
address-family ipv4 unicast autonomous-system 1
network 3.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
eigrp router-id 3.3.3.3

R3#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel13, changed state to up
R3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.1.1 (Tunnel13) is up: new adjacency
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel13 - looped chain
attempting to stack
R3#
%TUN-5-RECURDOWN: Tunnel13 temporarily disabled due to recursive routing
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel13, changed state to down
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.1.1 (Tunnel13) is down: interface down

 Configure en R1 y R3 dos soluciones para evitar el recursive routing.

188
2019 instructor.duoc@gmail.com
SRY

Tunnel GRE IPv6.

 Cree el direccionamiento mostrado.

R1
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0
no shut

R2
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
no shut

interface FastEthernet0/1
ip address 10.1.23.2 255.255.255.0
no shut

R3
interface FastEthernet0/1
ip address 10.1.23.3 255.255.255.0
no shut

R2#ping 255.255.255.255 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 10.1.23.3, 16 ms
Reply to request 0 from 10.1.12.1, 24 ms
Reply to request 1 from 10.1.23.3, 8 ms
Reply to request 1 from 10.1.12.1, 12 ms

189
2019 instructor.duoc@gmail.com
SRY

 Configure EIGRP 10 de 64 bits y forme adyacencia entre R1-R2, y R2-R3.

 En R1 cree y publique el prefijo 1.1.1.1/32 y el prefijo 3.3.3.3 en el router R3. Utilice la interface loopback0
para esta tarea.

R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255

router eigrp n1
address-family ipv4 unicast autonomous-system 10
network 1.1.1.1 0.0.0.0
network 10.1.12.0 0.0.0.255

R2
router eigrp n2
address-family ipv4 unicast autonomous-system 10
network 10.1.12.0 0.0.0.255
network 10.1.23.0 0.0.0.255

R3
interface Loopback0
ip address 3.3.3.3 255.255.255.255

router eigrp n3
address-family ipv4 unicast autonomous-system 10
network 3.3.3.3 0.0.0.0
network 10.1.23.0 0.0.0.255

R2#sh ip eigrp neighbors

EIGRP-IPv4 VR(n2) Address-Family Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 14 00:00:26 32 192 0 4
0 10.1.12.1 Fa0/0 14 00:01:29 14 100 0 4

R1#sh ip route eigrp

Gateway of last resort is not set
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/154240] via 10.1.12.2, 00:00:37, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.1.23.0/24 [90/153600] via 10.1.12.2, 00:01:44, FastEthernet0/0

R1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

190
2019 instructor.duoc@gmail.com
SRY

 Cree el tunnel 13 para IPv6 entre R1 y R6 utilizando las loopback 0 para esta tarea. Utilice la subred 13::/64.

R1
interface Tunnel13
ipv6 address FE80::1 link-local
ipv6 address 13::1/64
tunnel source Loopback0
tunnel destination 3.3.3.3

R3
interface Tunnel13
ipv6 address FE80::3 link-local
ipv6 address 13::3/64
tunnel source Loopback0
tunnel destination 1.1.1.1

R3#sh ipv6 interface tunnel 13

Tunnel13 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::3
No Virtual link-local address(es):
Global unicast address(es):
13::3, subnet is 13::/64
Joined group address(es):
FF02::1
FF02::1:FF00:3
MTU is 1476 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND NS retransmit interval is 1000 milliseconds

 Comience a capturar tráfico en la interface FastEthernet 0/0 de R1.

 Genere un ping desde R1 a R3 a la direccion IPv6 13:😊.
 De acuerdo a los datos obtenidos de los mensajes ICMPv6 determine el nivel de encapsulación de los
paquetes IPv6 utilizando como referencia el siguiente modelo:

191
2019 instructor.duoc@gmail.com
SRY

 Realice el siguiente ping extendido en R1. Capture datos en la inteface FastEthernet0/1 de R3. Compruebe
que el valor de DSCP en el paquete IPv4.
 ¿Qué valor tiene el DSCP, el valor se transfiere al paquete IPv6? ¿Por qué?

Protocol [ip]: ipv6

Target IPv6 address: 13::3
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: 13::1
UDP protocol? [no]:
Verbose? [no]: y
Precedence [0]: 6
Include hop by hop option? [no]:
Include destination option? [no]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 13::3, timeout is 2 seconds:
Packet sent with a source address of 13::1
Reply to request 0 (24 ms)
Success rate is 100 percent (1/1), round-trip min/avg/max = 24/24/24 ms

 Configure EIGRP 10 para IPv6 de manera que exista adyacencia EIGRP entre R1 y R3.

R3
router eigrp n3
address-family ipv6 unicast autonomous-system 10
neighbor FE80::1 Tunnel13
eigrp router-id 3.3.3.3

R1
router eigrp n1
address-family ipv6 unicast autonomous-system 10
neighbor FE80::3 Tunnel13
eigrp router-id 1.1.1.1

R1#sh ipv6 eigrp neighbors

EIGRP-IPv6 VR(n1) Address-Family Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 Link-local address: Tu13 13 00:01:14 44 5000 0 2
FE80::3

 De acuerdo a los datos obtenidos de los mensajes EIGRP para IPv6, determine el nivel de encapsulación de
los paquetes.

192
2019 instructor.duoc@gmail.com
SRY

IPSec Site-to-Site I

Nota: Utilizar router 2691.

Paso1.
Setup: Crear el direccionamiento mostrado. Configurar EIGRP 1y publique todas sus interfaces
directamente conectadas. Verificar que tenemos comunicación entre R1 y R3

Paso2: Habilite las políticas IKE en R1 y R3.

o IPSec es un conjunto de protocolos de seguridad que permite enviar datos encriptados.
Hay dos elementos de configuración en la implementación IPSec VPN:
 Implementar IKE (Internet key Exchange)
 Implementar parámetros IPSec
 Verificar que IKE es soportado y habilitado. La fase 1 de IKE define el
método de intercambio de claves usado para validar políticas entre peers.
IKE fase 2, los peers intercambian políticas IPSec (coincidentes en ambos
lados) como la autenticación y encriptación de datos. IKE debe estar
habilitado para que IPSec funcione. El primer paso por tanto es habilitar IKE.

R1
crypto isakmp enable

R3
crypto isakmp enable

193
2019 instructor.duoc@gmail.com
SRY

 Para permitir la fase 1 de IKE debemos crear una política ISAKMP y

configurar un asociación con el peer. ISAKMP define políticas de
autenticación, algoritmos de encriptación y una función de hash usado para
enviar tráfico de control entre los dos puntos finales VPN. Cuando una
asociación de seguridad ISAKMP es aceptada por los peer IKE, la fase 1 ha
sido completada. Como vemos dentro el comando crypto isakmp policy
podemos definir una serie de parámetros: authentication, encryption,
group, hash y liftime.

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults

Paso3: Configurar parámetros de políticas ISAKMP en R1 y R3.

En esta fase debemos determinar:
o Algoritmo de encriptación.
o Algoritmo de hash (control de integridad de datos), asegura que los datos no han sido
alterados.
o Tipo de autentificación. Los peers deben ser quienes dicen que son.
o Grupo Diffie-Hellman utilizado para crear una clave secreta compartida por los peers que
no es enviada a través de la red.
 Configure un tipo de autenticación de claves pre-compartidas:
i. Use encriptación AES 256.
ii. Use algoritmo de hash SHA
iii. Use intercambio de claves del grupo 2 Diffie-Hellman

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 2

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400

194
2019 instructor.duoc@gmail.com
SRY

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

Paso4: Configurar claves pre-compartidas:

a. Como explicamos anteriormente las claves pre-compartidas son utilizadas para la autenticación.
Para que la autenticación sea exitosa las claves en ambos peers deben iguales, también debemos
tener conectividad al peer al que apuntamos. Para ser originales utilizaremos la clave cisco.

R1
crypto isakmp key 0 cisco address 10.1.12.2

R2
crypto isakmp key 0 cisco address 10.1.12.1

Paso5: Configurar IPSec transform set y tiempo de vida.

a. IPSec transform set es otro parámetro de configuración que el router negocia para formar
asociaciones de seguridad. Una asociación de seguridad es simplemente el paquete de algoritmos
y parámetros (tales como las claves) que se está usando para cifrar y autenticar un flujo particular
en una dirección.

R1(config)#crypto ipsec transform-set 50 ?

ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth

195
2019 instructor.duoc@gmail.com
SRY

b. En R1 y R3 crear un transform set con una etiqueta de TS ustilizar ESP con un AES con ESP y hash
SHA.

R1(config)# crypto ipsec transform-set TS esp-aes esp-sha-hmac

R1(cfg-crypto-trans)#

R3(config)# crypto ipsec transform-set TS esp-aes esp-sha-hmac

R3(cfg-crypto-trans)#

IPSec transform set: especifica algoritmos de criptografía y funciones (transforms) que un router emplea
sobre los actuales paquetes de datos enviados a través del túnel IPSec. Este algoritmo incluye:
o Encriptación.
o Encapsulación.
o Autenticación.
o Integridad de datos.

Paso6: Definir tráfico interesante. En este escenario el tráfico interesante debe ser el que se origina en la
red 100.1.1.0/24 para R1, y la red 200.2.2.0/24 para R3.

R1
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

R3
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Paso7: Crear y aplicar un crypto map.

Todas las políticas que hemos creada debemos habilitarlas utilizando un crypto map que llama a la ACL y
se aplica a la interface. Además indica quien será el peer con el que formaremos estas asociaciones.

R1(config)#crypto map MAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.1.23.3
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#exit
R1(config)# interface fastEthernet 0/0
R1(config-if)#crypto map MAP
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)#crypto map MAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 10.1.12.1

196
2019 instructor.duoc@gmail.com
SRY

R3(config-crypto-map)#match address 100

R3(config-crypto-map)#set transform-set TS
R3(config-crypto-map)#exit
R3(config)#interface fastEthernet 0/1
R3(config-if)#crypto map MAP
R3(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verificación IPSec

R1#ping 200.2.2.2 source loopback 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/77/96 ms

R3#ping 100.1.1.1 source loopback 200

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/96 ms

R3#show crypto isakmp sa

dst src state conn-id slot status
10.1.23.3 10.1.12.1 QM_IDLE 1 0 ACTIVE

R1#show crypto isakmp sa

dst src state conn-id slot status
10.1.23.3 10.1.12.1 QM_IDLE 1 0 ACTIVE

R3#show crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: MAP, local addr 10.1.23.3

protected vrf: (none)

local ident (addr/mask/prot/port): (200.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.1.1.0/255.255.255.0/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
197
2019 instructor.duoc@gmail.com
SRY

#send errors 0, #recv errors 0

local crypto endpt.: 10.1.23.3, remote crypto endpt.: 10.1.12.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x2FD21B91(802298769)

inbound esp sas:

spi: 0x903C7ACF(2419882703)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4496590/3359)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x2FD21B91(802298769)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4496590/3353)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

198
2019 instructor.duoc@gmail.com
SRY

IPSec Site-to-Site II

1. Configurar direccionamiento mostrado y habilite Frame Relay como muestra la figura, deshabilite
mapeo dinámico. Los routers del core deben estar en la misma subred. Configure enrutamiento
estático en el core de manera R1 y R3 tengan comunicación bidireccinal. En los routers de Sitio
configure una ruta por defecto.

R1
interface Serial1/0
ip address 20.1.123.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.1.123.2 102 broadcast
frame-relay map ip 20.1.123.3 102 broadcast
no frame-relay inverse-arp
no shutdown

R2
interface s1/0
encapsulation frame-relay
no shutdown

interface Serial1/0.123 multipoint

ip address 20.1.123.2 255.255.255.0
frame-relay map ip 20.1.123.1 201 broadcast
frame-relay map ip 20.1.123.3 203 broadcast
no frame-relay inverse-arp

R3
interface Serial1/0
ip address 20.1.123.3 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.1.123.2 302 broadcast
frame-relay map ip 20.1.123.1 302 broadcast
no frame-relay inverse-arp
no shutdown

R1#ping 20.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/76 ms

R3#ping 20.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.123.1, timeout is 2 seconds:

199
2019 instructor.duoc@gmail.com
SRY

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/85/96 ms

2. Configure IKE fase 1 utilizando claves pre-compartidas (policy)

3. Configure claves pre-compartidas entre R1 y R3, utilice password class.
4. Configure IKE R1↔R3. Considere los siguientes datos:
- Habilitar IKE (utilice la mejor prioridad).
- Configure pre-shared para la autentificación.
- Para la integridad utilice md5.
- Encriptación AES.
- El tiempo de conexión debe establecerse a 4 horas.
- Use el intercambio de claves Diffie-Hellman mas seguro

5. Configure claves pre-compartidas entre R1 y R3, utilice password class.

R1
crypto isakmp policy 10
authentication pre-share

R3
crypto isakmp policy 10
authentication pre-share

R1
crypto isakmp key 0 class address 20.1.123.3

R3
crypto isakmp key 0 class address 20.1.123.1

6. Configure Transform Set habilitando ESP para autenticación, encriptación e integridad. Utilice los
algoritmos más seguros.

R1
crypto ipsec transform-set TS esp-des esp-md5-hmac

R3
crypto ipsec transform-set TS esp-des esp-md5-hmac

200
2019 instructor.duoc@gmail.com
SRY

7. Defina el tráfico interesante para los enlaces Broadcast.

R1
access-list 100 permit ip 172.16.14.0 0.0.0.255 172.16.35.0 0.0.0.255

R3
access-list 100 permit ip 172.16.35.0 0.0.0.255 172.16.14.0 0.0.0.255

8. Cree el crypto map estaleciendo peering R1↔ R3. Habilite el crypto map en la interface serial de
ambos routers.

R1
crypto map MAP 10 ipsec-isakmp
set peer 20.1.123.3
set transform-set TS
match address 100

interface Serial1/0
crypto map MAP

R3
crypto map MAP 10 ipsec-isakmp
set peer 20.1.123.1
set transform-set TS
match address 100

interface Serial1/0
crypto map MAP

Al final del ejercicio debemos ver algo similar a las siguientes salidas:

R3#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 20.1.123.3 set HMAC_SHA+DES_56_CB 0 0
2001 Serial1/0 20.1.123.3 set DES+MD5 0 10
2002 Serial1/0 20.1.123.3 set DES+MD5 9 0

R1#show crypto ipsec sa

interface: Serial1/0
Crypto map tag: MAP, local addr 20.1.123.1

protected vrf: (none)

local ident (addr/mask/prot/port): (172.16.14.0/255.255.255.0/0/0)
201
2019 instructor.duoc@gmail.com
SRY

remote ident (addr/mask/prot/port): (172.16.35.0/255.255.255.0/0/0)

current_peer 20.1.123.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 20.1.123.1, remote crypto endpt.: 20.1.123.3

path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xE4FC7B0E(3841751822)

inbound esp sas:

spi: 0x40AE847D(1085179005)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4396851/3424)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE4FC7B0E(3841751822)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4396850/3224)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#ping 172.16.14.4 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.14.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 144/144/144 ms

202
2019 instructor.duoc@gmail.com
SRY

DMVPN

DMVPN mapeo estático (fase 1)

 Cree el direccionamiento mostrado.

 Compruebe que R2 (representa Internet) pueda alcanzar a todos sus vecinos directamente
conectados.

R2#ping 255.255.255.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
.
Reply to request 1 from 10.1.12.1, 84 ms
Reply to request 1 from 10.1.25.5, 88 ms
Reply to request 1 from 10.1.24.4, 84 ms
Reply to request 1 from 10.1.23.3, 84 ms
Reply to request 2 from 10.1.25.5, 124 ms
Reply to request 2 from 10.1.23.3, 128 ms
Reply to request 2 from 10.1.24.4, 124 ms
Reply to request 2 from 10.1.12.1, 124 ms
Reply to request 3 from 10.1.24.4, 76 ms
Reply to request 3 from 10.1.25.5, 80 ms
Reply to request 3 from 10.1.12.1, 80 ms
203
2019 instructor.duoc@gmail.com
SRY

Reply to request 3 from 10.1.23.3, 80 ms

Reply to request 4 from 10.1.12.1, 100 ms
Reply to request 4 from 10.1.24.4, 104 ms
Reply to request 4 from 10.1.23.3, 104 ms
Reply to request 4 from 10.1.25.5, 104 ms

 Configure una ruta estática por defecto en los routers R1, R3, R4 y R5 apuntando al router R2.

R1
ip route 0.0.0.0 0.0.0.0 10.1.12.2

R3
ip route 0.0.0.0 0.0.0.0 10.1.23.2

R4
ip route 0.0.0.0 0.0.0.0 10.1.24.2

R5
ip route 0.0.0.0 0.0.0.0 10.1.25.2

R1#ping 10.1.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/116/136 ms

R1#ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/101/124 ms

R1#ping 10.1.25.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/120/140 ms

R3#ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/116/160 ms

R3#ping 10.1.25.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/117/136 ms

R4#ping 10.1.25.5
Type escape sequence to abort.
204
2019 instructor.duoc@gmail.com
SRY

Sending 5, 100-byte ICMP Echos to 10.1.25.5, timeout is 2 seconds:

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/120/144 ms

R1#sh ip route static

Gateway of last resort is 10.1.12.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.12.2

 Configure DMVPN fase 1 considerando los roles: R1-> HUB, R3, R4 y R5 los Spokes. Utilice la subred
172.16.1.0/24. Al finalizar esta tarea, Hub & Spkes deben tener conectividad end to end.

R1
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip nhrp map 172.16.1.3 10.1.23.3
ip nhrp map 172.16.1.4 10.1.24.4
ip nhrp map 172.16.1.5 10.1.25.5
ip nhrp network-id 1
tunnel source 10.1.12.1
tunnel mode gre multipoint

R3
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip nhrp map 172.16.1.1 10.1.12.1
ip nhrp map 172.16.1.4 10.1.24.4
ip nhrp map 172.16.1.5 10.1.25.5
ip nhrp network-id 3

205
2019 instructor.duoc@gmail.com
SRY

tunnel source 10.1.23.3

tunnel mode gre multipoint

R4
interface Tunnel0
ip address 172.16.1.4 255.255.255.0
no ip redirects
ip nhrp map 172.16.1.1 10.1.12.1
ip nhrp map 172.16.1.3 10.1.23.3
ip nhrp map 172.16.1.5 10.1.25.5
ip nhrp network-id 4
tunnel source 10.1.24.4
tunnel mode gre multipoint

R5
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
no ip redirects
ip nhrp map 172.16.1.1 10.1.12.1
ip nhrp map 172.16.1.3 10.1.23.3
ip nhrp map 172.16.1.4 10.1.24.4
ip nhrp network-id 5
tunnel source 10.1.25.5
tunnel mode gre multipoint

R1#show ip nhrp
172.16.1.3/32 via 172.16.1.3
Tunnel0 created 00:15:58, never expire
Type: static, Flags:
NBMA address: 10.1.23.3
172.16.1.4/32 via 172.16.1.4
Tunnel0 created 00:15:47, never expire
Type: static, Flags:
NBMA address: 10.1.24.4
172.16.1.5/32 via 172.16.1.5
Tunnel0 created 00:15:40, never expire
Type: static, Flags:
NBMA address: 10.1.25.5

R1#ping 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/145/184 ms

R1#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/145/172 ms

R1#ping 172.16.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
206
2019 instructor.duoc@gmail.com
SRY

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/141/168 ms

R3#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/123/140 ms

R3#ping 172.16.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/140/148 ms

R4#ping 172.16.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/137/152 ms

R3#show ip nhrp
172.16.1.1/32 via 172.16.1.1
Tunnel0 created 00:12:14, never expire
Type: static, Flags: used
NBMA address: 10.1.12.1
172.16.1.4/32 via 172.16.1.4
Tunnel0 created 00:12:14, never expire
Type: static, Flags: used
NBMA address: 10.1.24.4
172.16.1.5/32 via 172.16.1.5
Tunnel0 created 00:12:14, never expire
Type: static, Flags: used
NBMA address: 10.1.25.5

R1#show debugging
Generic IP:
IP packet debugging is on (detailed)

R1#ping 172.16.1.3 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 216/216/216 ms
R1#
*Jul 6 10:12:07.007: FIBipv4-packet-proc: route packet from (local) src 172.16.1.1 dst 172.16.1.3
*Jul 6 10:12:07.007: FIBfwd-proc: packet routed by adj to Tunnel0 172.16.1.3
*Jul 6 10:12:07.011: FIBipv4-packet-proc: packet routing succeeded
*Jul 6 10:12:07.011: IP: s=172.16.1.1 (local), d=172.16.1.3 (Tunnel0), len 100, sending
*Jul 6 10:12:07.015: ICMP type=8, code=0
*Jul 6 10:12:07.019: IP: s=172.16.1.1 (local), d=172.16.1.3 (Tunnel0), len 100, sending full packet
*Jul 6 10:12:07.023: ICMP type=8, code=0
*Jul 6 10:12:07.027: FIBipv4-packet-proc: route packet from (local) src 10.1.12.1 dst 10.1.23.3
R1#
207
2019 instructor.duoc@gmail.com
SRY

*Jul 6 10:12:07.027: FIBfwd-proc: packet routed by adj to FastEthernet0/0 10.1.12.2

*Jul 6 10:12:07.031: FIBipv4-packet-proc: packet routing succeeded
*Jul 6 10:12:07.031: IP: s=10.1.12.1 (local), d=10.1.23.3 (FastEthernet0/0), len 124, sending, proto=47
*Jul 6 10:12:07.039: IP: s=10.1.12.1 (local), d=10.1.23.3 (FastEthernet0/0), len 124, sending full packet, proto=47
*Jul 6 10:12:07.167: IP: s=10.1.23.3 (FastEthernet0/0), d=10.1.12.1, len 124, input feature, proto=47, MCI
Check(101), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 6 10:12:07.175: FIBipv4-packet-proc: route packet from FastEthernet0/0 src 10.1.23.3 dst 10.1.12.1
*Jul 6 10:12:07.175: FIBfwd-proc: Default:10.1.12.1/32 receive entry
*Jul 6 10:12:07.179: FIBipv4-packet-proc: packet routing failed
*Jul 6 10:12:07.179: IP: tableid=0, s=10.1.23.3 (FastEthernet0/0), d=10.1.12.1 (FastEthernet0/0), routed via RIB
*Jul 6 10:12:07.183: IP: s=10.1.23.3 (FastEthernet0/0), d=10.1.12.1 (FastEtherne
R1#t0/0), len 124, rcvd 3, proto=47
*Jul 6 10:12:07.187: IP: s=10.1.23.3 (FastEthernet0/0), d=10.1.12.1, len 124, stop process pak for forus packet,
proto=47
*Jul 6 10:12:07.195: IP: s=172.16.1.3 (Tunnel0), d=172.16.1.1, len 100, input feature
*Jul 6 10:12:07.199: ICMP type=0, code=0, MCI Check(101), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk
FALSE
*Jul 6 10:12:07.199: FIBipv4-packet-proc: route packet from Tunnel0 src 172.16.1.3 dst 172.16.1.1
*Jul 6 10:12:07.203: FIBfwd-proc: Default:172.16.1.1/32 receive entry
*Jul 6 10:12:07.203: FIBipv4-packet-proc: packet routing failed
*Jul 6 10:12:07.207: IP: tableid=0, s=172.16.1.3 (Tunnel0), d=172.16.1.1 (Tunnel0), routed via RIB
*Jul 6 10:12:07.207: IP: s=172.16.1.3 (Tunnel0), d=172.16.1.1 (Tunnel0), len 100, rcvd 3
*Jul 6 10:12:07.211: ICMP type=0, code=0
*Jul 6 10:12:07.215: IP: s=172.16.1.3 (Tunnel0), d=172.16.1.1, len 100, stop process pak for forus packet
*Jul 6 10:12:07.215: ICMP type=0, code=0

208
2019 instructor.duoc@gmail.com