Dynamic NAT

Posted: 17th November 2020 by ccna7guru in ITN

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.

In the figure, PC3 has accessed the internet using the first available address in the dynamic NAT pool. The other addresses are still available for use. Similar to static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Static NAT

Posted: 17th November 2020 by ccna7guru in ENSA

Now that you have learned about NAT and how it works, this topic will discuss the many versions of NAT that are available to you.

Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain constant.

In the figure, R2 is configured with static mappings for the inside local addresses of Svr1, PC2, and PC3. When these devices send traffic to the internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices appear to have public IPv4 addresses.

Static NAT CCNA200-301

Static NAT is particularly useful for web servers or devices that must have a consistent address that is accessible from the internet, such as a company web server. It is also useful for devices that must be accessible by authorized personnel when offsite, but not by the general public on the internet. For example, a network administrator from PC4 can use SSH to gain access to the inside global address of Svr1 (209.165.200.226). R2 translates this inside global address to the inside local address 192.168.10.10 and connects the session to Svr1.

Static NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.
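The two behaviours described above, a fixed one-to-one static mapping and a first-come, first-served dynamic pool that can run out, as an added Python example. This is not code from the original post; the NatTable class, the two-address pool and the inside host addresses are constructed for illustration (Svr1's 192.168.10.10 to 209.165.200.226 mapping is the one the static NAT text uses).

```python
# Added example (not from the original post): a minimal model of static and
# dynamic NAT. All addresses are constructed sample values taken from the
# page's 192.168.10.0/24 inside and 209.165.200.224/27 outside ranges.
from collections import OrderedDict


class NatTable:
    def __init__(self, dynamic_pool):
        self.static = {}                     # inside local -> inside global, fixed by the admin
        self.free_pool = list(dynamic_pool)  # inside global addresses not yet handed out
        self.dynamic = OrderedDict()         # inside local -> inside global, active sessions

    def add_static(self, inside_local, inside_global):
        """One-to-one static mapping; the global address must not also sit in the pool."""
        if inside_global in self.static.values() or inside_global in self.free_pool:
            raise ValueError(f"{inside_global} is already in use")
        self.static[inside_local] = inside_global

    def outbound(self, inside_local):
        """Translate the source of an outbound packet. Returns None when the pool is exhausted."""
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local in self.dynamic:
            return self.dynamic[inside_local]
        if not self.free_pool:
            return None                      # no public address left: the packet is dropped
        inside_global = self.free_pool.pop(0)  # first-come, first-served
        self.dynamic[inside_local] = inside_global
        return inside_global

    def inbound(self, inside_global):
        """Translate the destination of an inbound packet back to the inside local address."""
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if glob == inside_global:
                return local
        return None                          # no translation exists: outside hosts cannot reach it

    def release(self, inside_local):
        """End a dynamic session and return its public address to the pool."""
        inside_global = self.dynamic.pop(inside_local, None)
        if inside_global is not None:
            self.free_pool.append(inside_global)


def demo():
    nat = NatTable(dynamic_pool=["209.165.200.228", "209.165.200.229"])  # constructed two-address pool
    nat.add_static("192.168.10.10", "209.165.200.226")       # Svr1, as in the static NAT text
    results = {}
    results["svr1"] = nat.outbound("192.168.10.10")          # static: always .226
    results["pc1"] = nat.outbound("192.168.10.11")           # first free dynamic address
    results["pc2"] = nat.outbound("192.168.10.12")           # second free dynamic address
    results["pc3"] = nat.outbound("192.168.10.13")           # pool exhausted -> None
    results["pc1_again"] = nat.outbound("192.168.10.11")     # existing session keeps its address
    results["ssh_to_svr1"] = nat.inbound("209.165.200.226")  # offsite admin reaching Svr1
    results["unknown"] = nat.inbound("209.165.200.230")      # nothing mapped -> None
    nat.release("192.168.10.11")                             # PC1's session ends
    results["pc3_retry"] = nat.outbound("192.168.10.13")     # the freed address is reused
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `pc3` result is the point of the last sentence above: with two pool addresses, a third simultaneous inside host gets no translation until a session is released, while the static mapping for Svr1 is always reachable from outside regardless of pool state.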

Selecting Optical Drives

Posted: 10th November 2020 by ccna7guru in ITN

The factors to consider when purchasing an optical drive are listed in Figure 1.

The table in Figure 2 summarizes the capabilities of optical drives.

DVDs can store more data than CDs, and Blu-ray Discs (BD) can store more data than DVDs. DVDs and BDs can also be dual-layer for recording data, which practically doubles the amount of data that can be recorded on the media.


How to Access the Cisco Netacad Course Material

Posted: 2nd November 2020 by ccna7guru in ITN


After purchase, get a Netacad account and live instructor sessions. Live chat about the course. Full access to the course with an official Cisco Netacad student account. You will be able to access the course for life. Assignments, labs, course feedback and final exams are available.

CCNA1 course: Introduction to Networks (ITN)
CCNA2 course: Switching, Routing, and Wireless Essentials (SRWE)
CCNA3 course: Enterprise Networking, Security, and Automation (ENSA)

3 Cisco certificates.
3 Cisco digital badges.
Live instructor support.
Help desk available.
This course is more than a PDF.

Buy the CCNA v7 course.

Interface Verification Commands

Posted: 31st October 2020 by ccna7guru in ITN

There is no point in configuring your router unless you verify the configuration and connectivity. This topic covers the commands to use to verify directly connected networks. It includes two Syntax Checkers and a Packet Tracer.

There are several show commands that can be used to verify the operation and configuration of an interface. The topology in the figure is used to demonstrate the verification of router interface settings.

The following commands are especially useful to quickly identify the status of an interface:

  • show ip interface brief and show ipv6 interface brief – These display a summary for all interfaces including the IPv4 or IPv6 address of the interface and current operational status.
  • show running-config interface interface-id – This displays the commands applied to the specified interface.
  • show ip route and show ipv6 route – These display the contents of the IPv4 or IPv6 routing table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table with two related entries identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous IOS versions, only a single entry with the code ‘C’ will appear.

Verify Interface Status

The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly reveal the status of all interfaces on the router. You can verify that the interfaces are active and operational as indicated by the Status of “up” and Protocol of “up”, as shown in the example. A different output would indicate a problem with either the configuration or the cabling.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down
R1# show ipv6 interface brief
GigabitEthernet0/0/0   [up/up]
    FE80::7279:B3FF:FE92:3130
    2001:DB8:ACAD:1::1
GigabitEthernet0/0/1   [up/up]
    FE80::7279:B3FF:FE92:3131
    2001:DB8:ACAD:2::1
Serial0/1/0            [up/up]
    FE80::7279:B3FF:FE92:3130
    2001:DB8:ACAD:3::1
Serial0/1/1            [down/down]     Unassigned
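The check the paragraph above describes, turning the Status and Protocol columns into a first-line diagnosis, as an added Python example that is not part of the original post. The sample output is constructed from the page's example with one extra up/down row added for illustration; the function names and the diagnosis labels are the example's own.

```python
# Added example (not from the original post): parse 'show ip interface brief'
# output and flag interfaces that are not up/up. SAMPLE_OUTPUT is constructed
# from the page's example plus one extra up/down row (GigabitEthernet0/0/2).
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
GigabitEthernet0/0/2   192.168.12.1    YES manual up                    down
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down
"""

FIELDS = ("interface", "ip_address", "ok", "method", "status", "protocol")


def parse_ip_interface_brief(text):
    """Return one dict per interface row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        parts = line.split()
        if len(parts) < 6:
            raise ValueError(f"unexpected row: {line!r}")
        # Status can be two words ("administratively down"); Protocol is always last.
        interface, ip_address, ok, method = parts[:4]
        status = " ".join(parts[4:-1])
        protocol = parts[-1]
        rows.append(dict(zip(FIELDS, (interface, ip_address, ok, method, status, protocol))))
    return rows


def classify(row):
    """Map the Status/Protocol pair to the usual first-line diagnosis."""
    status, protocol = row["status"], row["protocol"]
    if status == "administratively down":
        return "admin-down"   # shut down by configuration (expected for unused ports)
    if status == "down":
        return "layer1"       # no carrier: cabling, far-end device or media problem
    if status == "up" and protocol == "down":
        return "layer2"       # link is up but encapsulation/keepalive is failing
    if status == "up" and protocol == "up":
        return "ok"
    return "unknown"


def problem_interfaces(text):
    """Interfaces that are neither up/up nor deliberately shut down, with a diagnosis."""
    return {row["interface"]: classify(row)
            for row in parse_ip_interface_brief(text)
            if classify(row) not in ("ok", "admin-down")}


if __name__ == "__main__":
    for name, diagnosis in problem_interfaces(SAMPLE_OUTPUT).items():
        print(f"{name}: {diagnosis}")
```

Separating `admin-down` from the other non-up states matters when this runs as a scheduled check: ports shut down on purpose (see the unused-port hardening later on this page) should not raise an alert, while an interface that was up/up yesterday and is up/down today should.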

Verify IPv6 Link Local and Multicast Addresses

The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface. One address is the IPv6 global unicast address that was manually entered. The other address, which begins with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to an interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a link-local address, but not necessarily a global unicast address.

The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6 addresses belonging to the interface. Along with the link local address and global unicast address, the output includes the multicast addresses assigned to the interface, beginning with prefix FF02, as shown in the example.

R1# show ipv6 interface gigabitethernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::7279:B3FF:FE92:3130
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:ACAD:1::1, subnet is 2001:DB8:ACAD:1::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:1
    FF02::1:FF92:3130
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium

Verify Interface Configuration

The output of the show running-config interface command displays the current commands applied to the specified interface as shown.

R1# show running-config interface gigabitethernet 0/0/0
Building configuration...
Current configuration : 158 bytes
!
interface GigabitEthernet0/0/0
 description Link to LAN 1
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
 ipv6 address 2001:DB8:ACAD:1::1/64
end
R1#

The following two commands are used to gather more detailed interface information:

  • show interfaces – Displays interface information and packet flow count for all interfaces on the device.
  • show ip interface and show ipv6 interface – Displays the IPv4 and IPv6 related information for all interfaces on a router.

Verify Routes

The output of the show ip route and show ipv6 route commands reveals the three directly connected network entries and the three local host route interface entries, as shown in the example. The local host route has an administrative distance of 0. It also has a /32 mask for IPv4, and a /128 mask for IPv6. The local host route is for routes on the router that owns the IP address. It is used to allow the router to process packets destined to that IP.

R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       
Gateway of last resort is not set
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/1
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/1
      209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.200.224/30 is directly connected, Serial0/1/0
L        209.165.200.225/32 is directly connected, Serial0/1/0
R1# show ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       
C   2001:DB8:ACAD:1::/64 [0/0]
     via GigabitEthernet0/0/0, directly connected
L   2001:DB8:ACAD:1::1/128 [0/0]
     via GigabitEthernet0/0/0, receive
C   2001:DB8:ACAD:2::/64 [0/0]
     via GigabitEthernet0/0/1, directly connected
L   2001:DB8:ACAD:2::1/128 [0/0]
     via GigabitEthernet0/0/1, receive
C   2001:DB8:ACAD:3::/64 [0/0]
     via Serial0/1/0, directly connected
L   2001:DB8:ACAD:3::1/128 [0/0]
     via Serial0/1/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
R1#

A ‘C’ next to a route within the routing table indicates that this is a directly connected network. When the router interface is configured with a global unicast address and is in the “up/up” state, the IPv6 prefix and prefix length are added to the IPv6 routing table as a connected route.

The IPv6 global unicast address applied to the interface is also installed in the routing table as a local route. The local route has a /128 prefix. Local routes are used by the routing table to efficiently process packets with the interface address of the router as the destination.

The ping command for IPv6 is identical to the command used with IPv4 except that an IPv6 address is used. As shown in the example, the ping command is used to verify Layer 3 connectivity between R1 and PC1.

R1# ping 2001:db8:acad:1::10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Filter Show Command Output

Commands that generate multiple screens of output are, by default, paused after 24 lines. At the end of the paused output, the --More-- text displays. Pressing Enter displays the next line and pressing the spacebar displays the next set of lines. Use the terminal length command to specify the number of lines to be displayed. A value of 0 (zero) prevents the router from pausing between screens of output.

Another very useful feature that improves the user experience in the CLI is the filtering of show output. Filtering commands can be used to display specific sections of output. To enable the filtering command, enter a pipe (|) character after the show command and then enter a filtering parameter and a filtering expression.

There are four filtering parameters that can be configured after the pipe.

section

Shows the entire section that starts with the filtering expression, as shown in the example.

R1# show running-config | section line vty
line vty 0 4
 password 7 110A1016141D
 login
 transport input all

include

Includes all output lines that match the filtering expression, as shown in the example.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      NO  unset  down                  down
R1#
R1# show ip interface brief | include up
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up

exclude

Excludes all output lines that match the filtering expression, as shown in the example.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      NO  unset  down                  down
R1#
R1# show ip interface brief | exclude unassigned
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up

begin

Shows all the output lines from a certain point, starting with the line that matches the filtering expression, as shown in the example.

R1# show ip route | begin Gateway
Gateway of last resort is not set
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/1
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/1
      209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.200.224/30 is directly connected, Serial0/1/0
L        209.165.200.225/32 is directly connected, Serial0/1/0
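The four filters above reimplemented in Python as an added example, so their behaviour can be compared side by side on the same input. This is not code from the original post; the sample running-config and interface table are constructed from the page's own output, and the `pipe` helper and the `f_*` function names are the example's own. Like IOS, the filtering expression is treated as a regular expression.

```python
import re

# Added example (not from the original post): the section / include / exclude /
# begin output filters over constructed sample output modelled on the page.
RUNNING_CONFIG = """\
hostname R1
!
interface GigabitEthernet0/0/0
 description Link to LAN 1
 ip address 192.168.10.1 255.255.255.0
!
line con 0
 login
line vty 0 4
 password 7 110A1016141D
 login
 transport input all
!
end"""

INTERFACE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      NO  unset  down                  down"""


def f_include(lines, expr):
    """Only the lines that match the expression."""
    return [line for line in lines if re.search(expr, line)]


def f_exclude(lines, expr):
    """Everything except the lines that match the expression."""
    return [line for line in lines if not re.search(expr, line)]


def f_begin(lines, expr):
    """From the first matching line to the end of the output."""
    for i, line in enumerate(lines):
        if re.search(expr, line):
            return lines[i:]
    return []


def f_section(lines, expr):
    """Each matching line plus the indented lines that belong to it."""
    out, capturing = [], False
    for line in lines:
        if re.search(expr, line):
            capturing = True
        elif not line.startswith(" "):
            capturing = False          # a new top-level line ends the section
        if capturing:
            out.append(line)
    return out


FILTERS = {"section": f_section, "include": f_include, "exclude": f_exclude, "begin": f_begin}


def pipe(output, spec):
    """Apply a 'parameter expression' spec the way 'show ... | spec' would."""
    param, _, expr = spec.strip().partition(" ")
    if param not in FILTERS or not expr:
        raise ValueError(f"usage: {{{'|'.join(FILTERS)}}} <regex>")
    return FILTERS[param](output.splitlines(), expr)


if __name__ == "__main__":
    print("\n".join(pipe(RUNNING_CONFIG, "section line vty")))
    print("\n".join(pipe(INTERFACE_BRIEF, "include up")))
```

One routine use of `include` on a real device is an audit such as `show running-config | include password 7`, which lists every line still protected only by the reversible type-7 encoding (the vty line in the page's own output is one); those are candidates for replacing with a hashed secret.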

Command History Feature

The command history feature is useful because it temporarily stores the list of executed commands to be recalled.

To recall commands in the history buffer, press Ctrl+P or the Up Arrow key. The command output begins with the most recent command. Repeat the key sequence to recall successively older commands. To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key. Repeat the key sequence to recall successively more recent commands.

By default, command history is enabled and the system captures the last 10 command lines in its history buffer. Use the show history privileged EXEC command to display the contents of the buffer.

It is also practical to increase the number of command lines that the history buffer records during the current terminal session only. Use the terminal history size user EXEC command to increase or decrease the size of the buffer.

An example of the terminal history size and show history commands is shown in the figure.

R1# terminal history size 200
R1# show history
  show ip int brief
  show interface g0/0/0
  show ip route
  show running-config
  show history
  terminal history size 200

Limit and Learn MAC Addresses

Posted: 30th October 2020 by ccna7guru in ITN

To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value 

The default port security value is 1. The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS. In this example, the maximum is 8192.

S1(config)# interface f0/1 
S1(config-if)# switchport port-security maximum ? 
  <1-8192> Maximas direcciones
S1(config-if)# switchport port-security maximum 

The switch can be configured to learn MAC addresses on a secure port in three ways:

1. Manually Configured

The administrator manually configures one or more static MAC addresses using the following command for each MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

When the switchport port-security command is entered, the current source MAC of the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.

3. Dynamically Learned – Sticky

The administrator can configure the switch to learn the MAC address automatically and "stick" it to the running configuration using the following command:

Switch(config-if)# switchport port-security mac-address sticky 

When the running configuration is saved, the automatically learned MAC address is kept in NVRAM.

The following example shows a complete port security configuration on interface FastEthernet 0/1. The administrator specifies a maximum of 4 MAC addresses, configures one secure MAC address, and then configures the port to learn additional MAC addresses automatically up to a maximum of 4 MAC addresses. Use the show port-security interface and show port-security address commands to verify the configuration.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 4
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky 
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
                                                                   (mins)    
--- ----------- --- ----- -------------
   1 aaaa.bbbb.1234 SecureConfigured Fa0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

The output of the show port-security interface command verifies that port security is enabled, there is a host connected to the port (i.e., Secure-up), a total of 2 MAC addresses will be allowed, and S1 has learned one MAC address statically and one MAC address dynamically (i.e., sticky).

The output of the show port-security address command lists the two learned MAC addresses.

The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.

Port security limits the number of valid MAC addresses allowed on the port. It allows an administrator to manually configure the MAC addresses for a port or to allow the switch to dynamically learn a limited number of MAC addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared with the list of secure source MAC addresses that were manually configured or dynamically learned on the port.

By limiting the number of MAC addresses allowed on a port to one, port security can be used to control unauthorized expansion of the network, as shown in the figure.
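The three learning modes, the maximum, and the comparison of each incoming source MAC against the secure list, as an added Python model that is not part of the original post. It reproduces the page's FastEthernet 0/1 example (maximum 4, one configured address, sticky learning) and then shows what happens when more sources than the maximum appear on the port. The SecurePort class, the sample MAC addresses and the counter names are the example's own, and it assumes the default shutdown violation mode shown in the page's output.

```python
from collections import OrderedDict

# Added example (not from the original post): a model of port-security learning
# with the default 'shutdown' violation mode. MAC addresses are constructed.


class SecurePort:
    def __init__(self, maximum=1, sticky=False):
        self.maximum = maximum
        self.sticky = sticky
        self.secure = OrderedDict()   # mac -> SecureConfigured | SecureSticky | SecureDynamic
        self.running_config = []      # lines that would appear under the interface
        self.violation_count = 0
        self.err_disabled = False

    def configure_mac(self, mac):
        """'switchport port-security mac-address <mac>': a manually configured entry."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.secure[mac] = "SecureConfigured"
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def receive_frame(self, src_mac):
        """Return 'forward', 'violation' or 'dropped' for a frame with source src_mac."""
        if self.err_disabled:
            return "dropped"          # the port was shut down by an earlier violation
        if src_mac in self.secure:
            return "forward"          # source is on the secure list
        if len(self.secure) < self.maximum:
            if self.sticky:
                self.secure[src_mac] = "SecureSticky"   # learned and written to running-config
                self.running_config.append(f"switchport port-security mac-address sticky {src_mac}")
            else:
                self.secure[src_mac] = "SecureDynamic"  # learned, not written to any config
            return "forward"
        # Unknown source beyond the maximum: shutdown mode err-disables the port
        self.violation_count += 1
        self.err_disabled = True
        return "violation"

    def reload_after_save(self):
        """Simulate 'copy run start' followed by a reload: only configured and sticky entries survive."""
        self.secure = OrderedDict((m, t) for m, t in self.secure.items() if t != "SecureDynamic")
        self.err_disabled = False     # model assumption: the err-disabled state is not saved to config

    def counters(self):
        """The fields the page's 'show port-security interface' output reports."""
        types = list(self.secure.values())
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(types),
            "Configured MAC Addresses": types.count("SecureConfigured"),
            "Sticky MAC Addresses": types.count("SecureSticky"),
            "Security Violation Count": self.violation_count,
        }


def demo():
    """The page's fa0/1 setup, then frames from five different sources (constructed)."""
    port = SecurePort(maximum=4, sticky=True)
    port.configure_mac("aaaa.bbbb.1234")
    sources = ["aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0003",
               "aaaa.bbbb.0004", "aaaa.bbbb.0005"]
    verdicts = [port.receive_frame(mac) for mac in sources]
    return verdicts, port.counters(), port.running_config


def demo_reload():
    """Plain dynamic learning does not survive a reload, unlike configured/sticky entries."""
    port = SecurePort(maximum=2, sticky=False)
    port.receive_frame("aaaa.bbbb.0001")
    before = port.counters()["Total MAC Addresses"]
    port.reload_after_save()
    return before, port.counters()["Total MAC Addresses"]


if __name__ == "__main__":
    verdicts, counters, config = demo()
    print(verdicts)
    for key, value in counters.items():
        print(f"{key} : {value}")
    print(demo_reload())
```

The fourth new source is the one that matters for the overflow discussion above: once the secure list holds the maximum, the next unknown MAC is counted as a violation and, in shutdown mode, the port stops forwarding altogether rather than letting the switch's CAM table fill up.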

Mitigating MAC Address Table Overflow Attacks

Implementing Port Security

Posted: 29th October 2020 by ccna7guru in ITN

Secure Unused Ports

Layer 2 devices are considered the weakest link in a company's security infrastructure. Layer 2 attacks are among the easiest for hackers to deploy, but these threats can also be mitigated with some common Layer 2 solutions.

All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is secured depends on its function.

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on the switch. For example, if a Catalyst 2960 switch has 24 ports and three Fast Ethernet connections are in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must be reactivated later, it can be enabled with the no shutdown command.

To configure a range of ports, use the interface range command.

Switch(config)# interface range type module/first-number - last-number

For example, to shut down ports Fa0/8 through Fa0/24 on S1, you would enter the following command.

S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
S1(config-if-range)#

What is Inter-VLAN Routing?

Posted: 20th October 2020 by ccna7guru in ITN

VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the reason, hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3 switch to provide routing services.

Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.

There are three inter-VLAN routing options:

Legacy Inter-VLAN routing – This is a legacy solution. It does not scale well.

Router-on-a-Stick – This is an acceptable solution for a small to medium-sized network.

Layer 3 switch using switched virtual interfaces (SVIs) – This is the most scalable solution for medium to large organizations.

Legacy Inter-VLAN Routing

• The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces. Each router interface was connected to a switch port in different VLANs. The router interfaces served as the default gateways to the local hosts on the VLAN subnet.

• Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It is not reasonably scalable because routers have a limited number of physical interfaces. Requiring one physical router interface per VLAN quickly exhausts the physical interface capacity of a router.

Note: This method of inter-VLAN routing is no longer implemented in switched networks and is included for explanation purposes only.


Router-on-a-Stick Inter-VLAN Routing

The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN routing method. It only requires one physical Ethernet interface to route traffic between multiple VLANs on a network.

• A Cisco IOS router Ethernet interface is configured as an 802.1Q trunk and connected to a trunk port on a Layer 2 switch. Specifically, the router interface is configured using subinterfaces to identify routable VLANs.

• The configured subinterfaces are software-based virtual interfaces. Each is associated with a single physical Ethernet interface. Subinterfaces are configured in software on a router. Each subinterface is independently configured with an IP address and VLAN assignment. Subinterfaces are configured for different subnets that correspond to their VLAN assignment. This facilitates logical routing.

• When VLAN-tagged traffic enters the router interface, it is forwarded to the VLAN subinterface. After a routing decision is made based on the destination IP network address, the router determines the exit interface for the traffic. If the exit interface is configured as an 802.1Q subinterface, the data frames are VLAN-tagged with the new VLAN and sent back out the physical interface.

Inter VLAN Routing
Router on a stick

Note: The router-on-a-stick method of inter-VLAN routing does not scale beyond 50 VLANs.

Inter-VLAN Routing on a Layer 3 Switch

The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the figure.

Note: A Layer 3 switch is also called a multilayer switch as it operates at Layer 2 and Layer 3. However, in this course we use the term Layer 3 switch.

Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The SVI is created for a VLAN that exists on the switch. Although virtual, the SVI performs the same functions for the VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are sent to or from all switch ports associated with that VLAN.

The following are advantages of using Layer 3 switches for inter-VLAN routing:

• They are much faster than router-on-a-stick because everything is hardware switched and routed.

• There is no need for external links from the switch to the router for routing.

• They are not limited to one link because Layer 2 EtherChannels can be used as trunk links between the switches to increase bandwidth.

• Latency is much lower because data does not need to leave the switch in order to be routed to a different network.

• They are more commonly deployed in a campus LAN than routers.

• The only disadvantage is that Layer 3 switches are more expensive.

Malware - Overview of Malware

Posted: 15th October 2020 by ccna7guru in ITN

• Now that you know the tools hackers use, this topic introduces the different types of malware that hackers use to gain access to end devices.

• Endpoints are especially prone to malware attacks. It is important to know about malware because attackers rely on users installing malware to exploit security gaps.


Malware
Viruses and Trojan Horses

• The first and most common type of computer malware is the virus. Viruses require human action to propagate and infect other computers.

• They hide by attaching themselves to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer.

• Viruses can:

o Modify, corrupt, delete files, or erase entire hard drives.

o Cause computer boot problems and damage applications.

o Capture and send confidential information to attackers.

o Access email accounts and use them to spread.

o Remain dormant until the attacker requires it.