
config-if)#encapsulation hdlc

config)# interface s0/0/0
config-if)#encapsulation ppp

show interfaces
show interfaces serial
debug ppp
undebug all

R1#
hostname R1
username R2 password cisco
ppp authentication pap
ppp pap sent-username R1 password cisco
(or)
ppp authentication CHAP

R2#
hostname R2
username R1 password cisco
ppp authentication pap
ppp pap sent-username R2 password cisco
(or)
ppp authentication CHAP

show frame-relay map

config)# interface s0/0/0
encapsulation frame-relay
encapsulation frame-relay ietf
frame-relay interface-dlci 110
exit
exit

interface s0/0/0
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
bandwidth 64
no frame-relay inverse-arp (optional, if it is not wanted)
frame-relay map ip 10.1.1.2 102 broadcast cisco (static map)
(frame relay advertises its label 102 to the neighbor with IP 10.1.1.1)
no shutdown

interface s0/0/0
no ip address
encapsulation frame-relay
no shut
exit
interface s0/0/0.102 point-to-point
ip address 10.1.1.1 255.255.255.252
bandwidth 64
frame-relay interface-dlci 102
exit
interface s0/0/0.103 point-to-point
ip address 10.1.1.5 255.255.255.252
bandwidth 64
frame-relay interface-dlci 103
exit

debug frame-relay lmi
sh interfaces
sh frame-relay lmi
sh frame-relay pvc
sh frame-relay map

-------------------------------
VTY lines
-------------------------------
config)#hostname r2
config)# ip domain-name cisco.com
config)#crypto key generate rsa
config)#username student secret cisco
config)#line vty 0 4
config-line)#no transport input
config-line)#transport input ssh
config-line)#login local
config-line)#exec-timeout 3 (idle session timeout)
config-line)#exit
config)#ip ssh time-out 15
config)#ip ssh authentication-retries 2

-------------------------------
Disable for security
-------------------------------
no cdp run
no ip source-route
no ip classless
no service tcp-small-servers
no service udp-small-servers
no ip finger
no service finger
no ip bootp server
no ip http server
no ip name-server
no boot network
no service config
no access-list 0
access-list 70 deny deny
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth

---------------------------------
Debug-related commands:
---------------------------------
config)# service timestamps debug datetime msec
/adds a timestamp to a debug or log message/
#show processes
/shows CPU usage per process/
#no debug all
/disables all debug commands/
#terminal monitor
/shows debug output in the current vty session/

------------------------------------
OSPF
------------------------------------
config)#interface s0/0/0
config-if)#ip ospf message-digest-key 1 md5 cisco
config-if)#ip ospf authentication message-digest
config-if)#exit
config)#router ospf 10
config-router)# area 0 authentication message-digest

-------------------------------------
Router lockdown
-------------------------------------
#auto secure

---------------------------------
RIP
---------------------------------
config)#router rip
config-router)#passive-interface default
config-router)#no passive-interface s0/0/0
config)#key chain RIP_KEY (name)
config-keychain)#key 1 (identifier)
config-keychain-key)#key-string cisco
exit
exit
config)# int s0/0/0
config-if)#ip rip authentication mode md5
config-if)#ip rip authentication key-chain RIP_KEY

-------------------------------
EIGRP
-------------------------------
config)#key chain EIGRP_KEY (name)
config-keychain)#key 1 (identifier)
config-keychain-key)#key-string cisco
exit
exit
config)# int s0/0/0
config-if)#ip authentication mode eigrp 1 md5
config-if)#ip authentication key-chain eigrp 1 EIGRP_KEY

Standard ACL (1-199 and 1300-1999): closest to the destination

Extended ACL (100-199 and 2000-2699): closest to the source

----------------------
Standard
----------------------
config)#access-list 10 permit 192.168.10.0
#show access-list
config)#no access-list 10
config)#access-list 10 remark Permit host from the 192.168.10.0 LAN
(inserts a comment with remark, maximum 100 characters)
config)#access-list 10 permit 192.168.10.0

192.168.10.10 0.0.0.0 = host 192.168.10.10
0.0.0.0 255.255.255.255 = deny

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 23
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 21
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq 20
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq telnet
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

deny one host of a network or subnet
config)#no access-list 1
config)#access-list 1 deny 192.168.10.10 0.0.0.0
config)#access-list 1 permit 192.168.10.0 0.0.0.255 (network or subnet 0.0.255.255)
config)#interface s0/0/0
config-if)#ip access-group 1 out

----------------------------------------
access-list with vty
----------------------------------------
config)#access-list 21 permit 192.168.10.0 0.0.0.255
config)#access-list 21 permit 192.168.11.0 0.0.0.255
config)#access-list 21 deny any
config)# line vty 0 4
config-line)#login
config-line)#password secret
config-line)#access-class 21 in

-----------------------------------------
NAMED ACL
-----------------------------------------
config)#ip access-list standard NO_FTP
config-std-nacl)#deny host 192.168.11.10
config-std-nacl)#permit 192.168.11.0 0.0.0.255
config-std-nacl)#interface fa0/0
config-if)#ip access-group NO_FTP out

in named ACLs, entries can be edited
------------------------------------------
show access-list
config t
ip access-list standard WEBSERVER
15 permit host 192.168.11.10
end

EXTENDED ACLS

example to deny ftp
-------------------------------------------
access-list 102 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
access-list 102 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
access-list 102 permit ip any any
interface fa0/1
ip access-group 102 in

example to deny telnet
------------------------------------------
access-list 101 deny tcp 192.168.11.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 out

example filtering web traffic on 80 and 443
------------------------------------------
access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established
interface s0/0/0
ip access-group 103 out
ip access-group 104 in

NAMED EXTENDED ACLS
-------------------------------------
example allowing only web browsing:
ip access-list extended SURFING
permit tcp 192.168.10.0 0.0.0.255 any eq 80
permit tcp 192.168.10.0 0.0.0.255 any eq 443
ip access-list extended BROWSING
permit tcp any 192.168.10.0 0.0.0.255 established
interface s0/0/0
ip access-group SURFING out
ip access-group BROWSING in

DYNAMIC ACLS:
----------------------
example: connection via telnet, router IP 10.2.2.2; the connected network is 192.168.30.0 and the network to connect to is 192.168.10.0
config)#username student password 0 cisco
config)#access-list 110 permit tcp any host 10.2.2.2 eq telnet
config)#access-list 110 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.255.255 192.168.30.0 0.0.0.255
(sets the connection time to 15 minutes)
interface s0/0/1
ip access-group 110 in
(the access list is applied inbound)
line vty 0 4
login local
autocommand access-enable host timeout 5
(when the user connects to the vty line, they must remain active, minimum 5 minutes)

-----------------------------------------
REFLEXIVE ACL
-----------------------------------------
ip access-list extended OUTBOUNDFILTERS
permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC
ip access-list extended INBOUNDFILTERS
evaluate TCPTRAFFIC
evaluate ICMPTRAFFIC
interface s0/0/0
ip access-group INBOUNDFILTERS in
ip access-group OUTBOUNDFILTERS out

-----------------------------------------
TIME-BASED ACL
-----------------------------------------
time-range EVERYOTHERDAY
periodic Monday Wednesday Friday 8:00 to 17:00
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
interface s0/0/0
ip access-group 101 out

--------------------------------------
#copy running-config startup-config

#copy running-config tftp:
#copy tftp: running-config
#copy tftp: startup-config
#show flash

rommon1>IP_ADDRESS=192.168.1.2
rommon2>IP_SUBNET_MASK=255.255.255.0
rommon3>DEFAULT_GATEWAY=192.168.1.1
rommon4>TFTP_SERVER=192.168.1.1
rommon5>TFTP_FILE=c1841-ipbase-mz.12314.t7.bin
rommon1>tftpdnld

-------------------------------
Reset password
-------------------------------
rommon1>confreg 0x2142
rommon2>reset
router>enable
(load the configuration, change the password, and then:)
config)#config-register 0x2102
#wr

------------------------
DHCP server
------------------------
config)#ip dhcp excluded-address (excluded IPs)
config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9
config)#ip dhcp pool LAN-POOL-1
dhcp-config)#network 192.168.10.0 255.255.255.0
dhcp-config)#default-router 192.168.10.1
dhcp-config)#domain-name span.com
dhcp-config)#end
#show ip dhcp binding
#show ip dhcp server statistics
#show ip dhcp pool

---------------------------
An interface as DHCP client
---------------------------
config)#interface fa0/0
config-if)#ip address dhcp
config-if)#no shut
#show ip int fa0/0

--------------------------
DHCP relay (when the DHCP server is on another network)
--------------------------
#config t
config)#interface fa0/0
config-if)#ip helper-address 192.168.11.5
config-if)#end

On the PC:
ipconfig /release
ipconfig /renew

--------------------------
As a relay router, the following can be configured:
Port 37: Time
Port 49: TACACS
Port 53: DNS
Port 67: DHCP/BOOTP client
Port 68: DHCP/BOOTP server
Port 69: TFTP
Port 137: NetBIOS name service
Port 138: NetBIOS datagram service

---------------------------
DHCP relay verification
---------------------------
#show running-config

---- DHCP debugging
#access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
#debug ip packet detail 100

-----------------
Static NAT
-----------------
in this scenario interface s0/0/0 is connected to the internal network and s0/1/0 to the external network with the public IP
-------------------------
#ip nat inside source static 192.168.10.254 209.165.200.154
#interface serial0/0/0
#ip nat inside
#interface serial0/1/0
#ip nat outside

------------------
DYNAMIC NAT
------------------
a private IP range must be translated to a public range
s0/0/0 interface to private networks
s0/1/0 interface to public networks
---------------------
#ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
(creates the range of public addresses)
#access-list 1 permit 192.168.0.0 0.0.255.255
(creates the list of private addresses)
#ip nat inside source list 1 pool NAT-POOL1
(IF THERE IS ONLY ONE OUTBOUND ADDRESS)
#ip nat inside source list 1 interface serial0/1/0
#interface s0/0/0
#ip nat inside
#interface s0/1/0
#ip nat outside

------------------
DYNAMIC NAT WITH OVERLOAD
------------------
a private IP range must be translated to a public range
s0/0/0 interface to private networks
s0/1/0 interface to public networks
----------------------
#ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
(creates the range of public addresses)
#access-list 1 permit 192.168.0.0 0.0.255.255
(creates the list of private addresses)
#ip nat inside source list 1 pool NAT-POOL1 overload
(IF THERE IS ONLY ONE OUTBOUND ADDRESS)
#ip nat inside source list 1 interface serial0/1/0 overload
#interface s0/0/0
#ip nat inside
#interface s0/1/0
#ip nat outside

----------------------------------
Checks
----------------------------------
#show ip nat translations
#show ip nat translations verbose
#show ip nat statistics
#clear ip nat translation * (removes all entries from the table)
#show ip nat translations (removes the entry from the table)
#debug ip nat

---------------------
config)#ipv6 address 2001:DB8:2222:7272::72/64

dual stack:
config)#ipv6 unicast-routing (enables forwarding of IPv6 traffic)
config)#interface fa0/0
config-if)#ip address 192.168.99.1 255.255.255.0
config-if)#ipv6 address 3ffe:b00:c18:1::3/127
config-if)#ipv6 address ipv6prefix/prefix-length eui-64

------
ipv6 unicast-routing
ipv6 router rip rt0
interface fa0/0
ipv6 address 2001:db8:1:1::/64 eui-64
ipv6 rip rt0 enable

sh ipv6 interface
sh ipv6 interface brief
sh ipv6 neighbors
sh ipv6 protocols
sh ipv6 rip
sh ipv6 route
sh ipv6 route summary
sh ipv6 static
sh ipv6 static 2001:db8:666:0/16
sh ipv6 static interface s0/0/0
sh ipv6 static detail