
CCNA Exploration 4 Commands: Accessing the WAN

--------------------------------------------------------
Chapter 2: HDLC + PPP
--------------------------------------------------------
Re-enables HDLC on a link
--------------------------------------------------------
R(config-if)# encapsulation hdlc

Shows the interface's encapsulation info
--------------------------------------------------------
R# show int <int>

Shows interface status info
--------------------------------------------------------
R# sh ip int br

Shows the type of cable connected to the interface
--------------------------------------------------------
R# show controllers <int>

Enables PPP on a link
--------------------------------------------------------
R(config-if)# encapsulation ppp

Enables compression on a PPP link
--------------------------------------------------------
R(config-if)# compress <predictor | stac>

Changes the link-quality percentage parameter
--------------------------------------------------------
R(config-if)# ppp quality <0-99>

Enables PPP multilink
--------------------------------------------------------
R(config-if)# ppp multilink

Enables PPP debugging
--------------------------------------------------------
R# debug ppp [packet (lcps) | negotiation (ncp) | error | ...]

Enables authentication
--------------------------------------------------------
R(config-if)# ppp authentication <chap | pap | chap pap | pap chap>

Credentials for PAP authentication
--------------------------------------------------------
R(config)# username <remote-name> password <remote-pass>
R(config-if)# ppp pap sent-username <local-name> password <local-pass>

Credentials for CHAP authentication
--------------------------------------------------------
R(config)# username <remote-name> password <common-pass>

Enables PPP authentication debugging
--------------------------------------------------------
R# debug ppp [authentication | chap | ...]

Enables CHAP in one direction only (with non-Cisco devices)
--------------------------------------------------------
R(config-if)# ppp authentication chap callin
--------------------------------------------------------
Chapter 3: Frame Relay
--------------------------------------------------------
Shows Frame Relay configuration info
--------------------------------------------------------
R# show frame-relay map

Static DLCI mapping
--------------------------------------------------------
R(config-if)# encapsulation frame-relay
R(config-if)# no frame-relay inverse-arp
R(config-if)# frame-relay map ip <destination-ip> <local-dlci-to-destination> [broadcast] [ietf | cisco]

Shows LMI info
--------------------------------------------------------
R# show frame-relay lmi

Sets the LMI type (disables autosense)
--------------------------------------------------------
R(config-if)# frame-relay lmi-type <cisco | ansi | q933a>

Creating subinterfaces (distance-vector protocols, split horizon)
--------------------------------------------------------
R(config-if)# no ip add
R(config-if)# encapsulation frame-relay
R(config-if)# interface <if>.<dlci - subint num> [point-to-point | multipoint]
R(config-subif)# frame-relay interface-dlci <dlci - subint num>

Frame Relay configuration queries
--------------------------------------------------------
R# show frame-relay pvc [interface] [dlci]
R# show frame-relay map

Resets info
--------------------------------------------------------
R# clear counters
R# clear frame-relay inarp

Shows LMI info
--------------------------------------------------------
R# debug frame-relay lmi

Frame Relay switch configuration (IOS ipadvanced)
--------------------------------------------------------
R(config)# frame-relay switching
R(config)# interface <int>
R(config-if)# no ip address
R(config-if)# encapsulation frame-relay
R(config-if)# clock rate 128000
R(config-if)# frame-relay lmi-type [ansi | cisco | q933a]
R(config-if)# frame-relay intf-type dce
R(config-if)# frame-relay route <dlci-in> interface <interface out> <dlci out>
R(config-if)# no shut
!

--------------------------------------------------------
Chapter 4: Security
--------------------------------------------------------
Password commands
--------------------------------------------------------
R(config)# service password-encryption
R(config)# enable secret <phrase>
R(config)# security passwords min-length <#chars>
R(config)# username <name> secret <phrase>

Prevents access through a line
--------------------------------------------------------
R(config-line)# no password
R(config-line)# login

Enables SSH on the virtual lines
--------------------------------------------------------
R(config)# hostname <router-name>
R(config)# ip domain-name <domain.com>
R(config)# crypto key generate rsa
R(config)# ip ssh version 2
R(config)# line vty 0 15
R(config-line)# transport input ssh

Additionally:
Sets users for SSH access
--------------------------------------------------------
R(config)# username <usn> secret <psw>
R(config-line)# login local

Additional SSH settings
--------------------------------------------------------
R(config)# ip ssh time-out <sec>
R(config)# ip ssh authentication-retries <retries>

Sets the inactivity timeout for a line
--------------------------------------------------------
R(config-line)# exec-timeout <min> [sec]

Sets keepalives for incoming TCP connections
--------------------------------------------------------
R(config)# service tcp-keepalives-in

Disable unnecessary services
--------------------------------------------------------
R(config)# no cdp run
R(config)# no ip source-route
R(config)# no ip classless //????
R(config)# no service tcp-small-servers
R(config)# no service udp-small-servers
R(config)# no service finger
R(config)# no ip bootp server
R(config)# no ip http server
R(config)# no service config
R(config)# no snmp-server
R(config-if)# shutdown
R(config-if)# no ip proxy-arp
R(config-if)# no ip directed-broadcast
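
Added example, not part of the original cheat sheet: a small Python audit that checks the text of a running configuration against the password, SSH and service-disabling commands listed in this chapter. The sample config is constructed, and the REQUIRED/FORBIDDEN policy is an assumption, because which lines appear explicitly in a config depends on the defaults of the IOS release.

```python
# Constructed `show running-config` excerpt (not taken from a real device).
SAMPLE = """\
hostname R1
service password-encryption
enable secret 5 CONSTRUCTED-HASH
ip ssh version 2
ip http server
no ip source-route
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login
 transport input ssh
"""

# Assumed policy: these global lines must appear explicitly in the config.
REQUIRED = ["service password-encryption", "ip ssh version 2",
            "no ip source-route", "no cdp run"]
# Assumed policy: these global lines mean a service is still switched on.
FORBIDDEN = ["service tcp-small-servers", "service udp-small-servers",
             "service finger", "ip http server"]

def audit(config):
    """Return sorted findings for one running-config text."""
    lines = config.splitlines()
    top = {ln.strip() for ln in lines if ln and not ln.startswith(" ")}
    findings = [f"missing: {r}" for r in REQUIRED if r not in top]
    findings += [f"enabled: {s}" for s in FORBIDDEN if s in top]
    if not any(ln.startswith("enable secret ") for ln in top):
        findings.append("missing: enable secret")
    # Collect the indented sub-commands under each `line vty` block.
    vty, block = {}, None
    for ln in lines:
        if not ln.startswith(" "):
            block = ln.strip() if ln.startswith("line vty") else None
            if block:
                vty[block] = set()
        elif block:
            vty[block].add(ln.strip())
    for name, cmds in vty.items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"{name}: no login local")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The Cisco SDM prerequisites listed later on this page (ip http server, transport input telnet ssh) would be reported by this check.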

RIP authentication (CCNA4)
--------------------------------------------------------
R(config)# key chain <key name>
R(config-keychain)# key <number>
R(config-keychain-key)# key-string <password>
R(config-if)# ip rip authentication mode md5
R(config-if)# ip rip authentication key-chain <key name>

EIGRP authentication (CCNA4)
--------------------------------------------------------
R(config)# key chain <key name>
R(config-keychain)# key <number>
R(config-keychain-key)# key-string <password>
R(config-if)# ip authentication mode eigrp 1 md5
R(config-if)# ip authentication key-chain eigrp 1 <key name>

OSPF authentication (Frame Relay requires subinterfaces)
--------------------------------------------------------
R(config-(sub)if)# ip ospf message-digest-key <num> md5 <pass>
R(config-(sub)if)# ip ospf authentication message-digest
R(config-router)# area <num> authentication message-digest

Router auto-securing
--------------------------------------------------------
R# auto secure [management | forwarding] [no-interact]

Requirements for running Cisco SDM
--------------------------------------------------------
R(config)# ip http server
R(config)# ip http secure-server
R(config)# ip http authentication local
R(config)# username <usn> privilege 15 secret <phrase>
R(config)# line vty 0 4
R(config-line)# privilege level 15
R(config-line)# login local
R(config-line)# transport input telnet ssh

Some commands for navigating the IFS
--------------------------------------------------------
R# show file systems
R# dir
R# cd [nvram: | flash: ]
R# pwd

Restore the IOS image via TFTP
--------------------------------------------------------
rommon1>IP_ADDRESS=192.168.1.2
rommon2>IP_SUBNET_MASK=255.255.255.0
rommon3>DEFAULT_GATEWAY=192.168.1.1
rommon4>TFTP_SERVER=192.168.1.1
rommon5>TFTP_FILE=c1841-ip...bin
rommon6>tftpdnld
rommon7>reset

Restore the IOS image via Xmodem
--------------------------------------------------------
rommon1>xmodem -c c1841-ip...bin

Password recovery
--------------------------------------------------------
rommon1>confreg 0x2142
rommon2>reset
...
R# copy startup running
R(config)# enable secret <phrase>
...
R(config)# config-register 0x2102
R# copy runn start
R# reload
--------------------------------------------------------
Chapter 5: ACLs
--------------------------------------------------------
Standard ACL: 1-99 and 1300-1999, placed close to the destination
--------------------------------------------------------
R(config)# no access-list <acl-num-nn>
R(config)# access-list <acl-num-nn> <permit | deny | remark> <src-ip-add> [wildcard] [log]

Extended ACL: 100-199 and 2000-2699, placed close to the source
--------------------------------------------------------
R(config)# no access-list <acl-num-1nn>
R(config)# access-list <acl-num-1nn> <permit | deny | remark> <ip | tcp | udp> <src-ip-add> <wildcard> <dst-ip-add wildcard | any | host dst-ip-add> [<eq | neq | gt | lt> <service-name | port-num>] [established]

Named ACL
--------------------------------------------------------
R(config)# no ip access-list extended <acl_name>
R(config)# ip access-list <standard | extended> <acl_name>
R(config-std-nacl)# [entry-num] [permit | deny | remark] <src-ip-add> <wildcard> [log]
R(config-ext-nacl)# [entry-num] [permit | deny | remark] <ip | tcp | udp> <src-ip-add> <wildcard> <dst-ip-add wildcard | any | host dst-ip-add> [<eq | neq | gt | lt> <service-name | port-num>] [established]

Assign an ACL to an interface
--------------------------------------------------------
R(config-if)# ip access-group <acl-num | acl_name> <in | out>

Shows the ACL; if it is named, with its entry numbers
--------------------------------------------------------
R# show access-list [num | name]

ACLs on vtys
--------------------------------------------------------
R(config-line)# access-class <acl-num | acl-name> <in | out>

Dynamic ACLs: a user who telnets in gets access despite the ACL <acl-num | acl-name> that forbids it
--------------------------------------------------------
R(config)# username <usn> password 0 <phrase>
R(config)# access-list <acl-num | acl-name> dynamic <testlist-name> timeout 15 <permit | deny> ...
...
R(config-line)# login local
R(config-line)# autocommand access-enable host timeout 5

Reflexive ACLs: only traffic originated from inside
--------------------------------------------------------
R(config)# ip access-list extended <out_acl_name>
R(config-ext-nacl)# [entry-num] permit <ip | tcp | udp> <src-ip-add> <wildcard> any reflect <alias?? | TCPTRAFIC | ICMPTRAFIC>
R(config)# ip access-list extended <in_acl_name>
R(config-ext-nacl)# evaluate <alias?? | TCPTRAFIC | ICMPTRAFIC>
R(config-if)# ip access-group <out_acl_name> out
R(config-if)# ip access-group <in_acl_name> in

Time-based ACLs
--------------------------------------------------------
R(config)# time-range <range-name>
R(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
R(config)# access-list <acl-num-1nn> <permit | deny | remark> <ip | tcp | udp> <src-ip-add> <wildcard> <dst-ip-add wildcard | any | host dst-ip-add> [<eq | neq | gt | lt> <service-name | port-num>] time-range <range-name>
...
--------------------------------------------------------
Chapter 7: DHCP + NAT + IPv6
--------------------------------------------------------
Configure DHCP
--------------------------------------------------------
R(config)# ip dhcp excluded-address <low-ip-add> [high-ip-add]
R(config)# ip dhcp pool <pool-name>
R(dhcp-config)# network <ip-net-addr> <mask | /prefix>
R(dhcp-config)# default-router <gw-ip> [gw-ip ...]
R(dhcp-config)# dns-server <dns-ip> [dns-ip ...]
R(dhcp-config)# domain-name <domain-name>
R(dhcp-config)# lease <days [hours] [minutes] | infinite>
R(dhcp-config)# netbios-name-server <ip-add> [ip-add ...]

Shows DHCP bindings
--------------------------------------------------------
R# show ip dhcp binding
R# show ip dhcp server statistics
R# show ip dhcp pool
R# show ip dhcp conflict

Enables DHCP debugging
--------------------------------------------------------
R# debug ip dhcp server events

Enables the DHCP client on an interface
--------------------------------------------------------
R(config-if)# ip address dhcp

Enable DHCP relay ! Looks for DHCP on another subnet
--------------------------------------------------------
R(config)# interface fa0/0
R(config-if)# ip helper-address <dhcp-ip>

--------------------------------------------------------
! -- Static NAT - one private to one public
--------------------------------------------------------
R(config)# ip nat inside source static <local-ip> <global-ip>
R(config)# int fa 0/0
R(config-if)# ip nat inside
R(config-if)# int s 0/0/0
R(config-if)# ip nat outside

--------------------------------------------------------
! -- Dynamic NAT - several public / many private
--------------------------------------------------------
R(config)# ip nat pool <pool-name> <start-global-ip> <end-global-ip> [netmask <netmask> | prefix-length <prefix-length>]
R(config)# access-list <access-list-number> permit <source-inside-ips> [source wildcard]
R(config)# ip nat inside source list <access-list-number> pool <pool-name>
R(config-if)# ip nat inside
R(config-if)# ip nat outside

--------------------------------------------------------
! --- Overload NAT - one public / many private
--------------------------------------------------------
R(config)# access-list <acl-num> permit <inside-net-ip> <inside-wildcard>
R(config)# ip nat inside source list <acl-num> interface <outside-int> overload
R(config-if)# ip nat inside
R(config-if)# ip nat outside

--------------------------------------------------------
! --- Overload NAT - a few public / many private
--------------------------------------------------------
R(config)# access-list <acl-num> permit <inside-net-ip> <inside-wildcard>
R(config)# ip nat pool <pool-name> <start-global-ip> <end-global-ip> [netmask <netmask> | prefix-length <prefix-length>]
R(config)# ip nat inside source list <acl-num> pool <pool-name> overload
R(config-if)# ip nat inside
R(config-if)# ip nat outside

! --- NAT show commands
--------------------------------------------------------
R# show ip nat translations
R# show ip nat translations verbose
R# show ip nat statistics
R# clear ip nat translation ?
R# debug ip nat

--------------------------------------------------------
! --- IPv6 basics
--------------------------------------------------------
R1(config)# ipv6 unicast-routing
R(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
R(config-if)# ipv6 address 2001:DB8:2222:7272::/64 eui-64
! --- Dual stack: IPv4 and IPv6 addresses on the same interface
! -- Other settings

Defines a static name for an IPv6 address
--------------------------------------------------------
R(config)# ipv6 host name [port] ipv6-address1 [ipv6-address2...ipv6-address4]

Enables the DNS server (IPv6)
--------------------------------------------------------
R(config)# ip name-server <ipv6_address>

! --- RIPng
--------------------------------------------------------
R(config)# ipv6 unicast-routing
R(config)# ipv6 router rip <name>
R(config-if)# ipv6 rip <name> enable

! --- Verification
--------------------------------------------------------
R# show ipv6 interface <int>
R# show ipv6 ?
