
URL TO CHECK ROUTER BW (THROUGHPUT FIGURES PER MODEL)

https://www.cisco.com/c/en/us/products/routers/branch-routers/index.html
==========================
PORT FORWARDING
ip nat inside source static tcp ip_inside_local port ip_inside_global port
ip nat inside source static tcp 192.168.1.9 2222 181.39.85.3 2222
This exposes port 2222 of the inside host to anyone who can reach 181.39.85.3; pair it with an
inbound ACL on the outside interface that limits which source addresses may reach that port.
--------------------------------------------------------------
NAT
STATIC NAT
R1(config)#ip nat inside source static 172.16.16.1 64.100.50.1
R1(config)#int g0/0
R1(config-if)#ip nat inside
R1(config-if)#int s0/0/0
R1(config-if)#ip nat outside

DYNAMIC NAT
*Step 1
Create an ACL that defines which inside addresses (and only those) are allowed to be translated
*Step 2
Create the NAT pool of public addresses they will be translated to
*Step 3
Bind the NAT pool to the ACL
*Step 4
Mark the inside and outside interfaces

R2(config)#access-list 1 permit 172.16.0.0 0.0.255.255

R2(config)#ip nat pool POOL-NAT 209.165.76.196 209.165.76.199 netmask 255.255.255.252
Even though four addresses are listed, with a /30 netmask .196 and .199 are the network and
broadcast addresses, so only two usable addresses remain and only two inside users can be
translated at the same time. Without "overload" there is no port multiplexing: once the pool
is exhausted, additional inside hosts matched by the ACL are not translated and their packets
are dropped until an existing translation times out.
R2(config)#ip nat inside source list 1 pool POOL-NAT
R2(config)#int s0/0/1
R2(config-if)#ip nat inside
R2(config-if)#int s0/0/0
R2(config-if)#ip nat outside

PAT
CASE: THE ISP PROVIDES SEVERAL PUBLIC ADDRESSES (POOL + OVERLOAD)
ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool NAT-POOL2 overload
int s0/0/0
ip nat outside
int f0/0
ip nat inside

CASE: THE ISP PROVIDES A SINGLE ADDRESS (POOL OF ONE + OVERLOAD)

ip nat pool POOL-NAT 209.165.201.225 209.165.201.225 netmask 255.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool POOL-NAT overload
int s0/0/0
ip nat outside
int f0/0
ip nat inside

CASE: OVERLOAD ON THE OUTSIDE INTERFACE ADDRESS (NO POOL NEEDED)
access-list 80 permit 192.168.10.0 0.0.0.255


ip nat inside source list 80 interface FastEthernet4 overload
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
interface FastEthernet4
description WAN-TELCONET
ip address 190.95.252.188 255.255.255.0
ip nat outside
========================================================
DHCP CONFIGURATION WITH A STATIC (MANUAL) BINDING
service dhcp (enables the DHCP server)
ip dhcp excluded-address 192.168.1.1 HighIPAddress   (HighIPAddress is a placeholder for the last address to keep out of the pool)
ip dhcp pool CAFEBOMBOM
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 200.93.192.148 200.93.192.161
domain-name telconet.net
!
ip dhcp pool STATIC-SRV1
host 192.168.1.100 255.255.255.0
client-identifier 01fc.ecda.834a.45
A manual-binding pool holds exactly one host. The client-identifier is the hardware type byte
(01 = Ethernet) followed by the client's MAC address; a client that sends a different
client-id (some OSes use a DUID) will not match the binding and will get an address from the
dynamic pool instead.
!
---------------------------------------------------------------------------
STANDARD ACL CONFIGURATION
*Numbers 1-99 (and 1300-1999)
*Filter on the source address only
*Apply close to the destination: no destination address can be specified, so the interface
the ACL is applied to is what selects the destination
R3(config)#access-list 1 deny 192.168.100.0 0.0.0.255
R3(config)#access-list 1 permit any
R3(config)#int g0/1
R3(config-if)#ip access-group 1 out
---------------------------------------------------------------------------
EXTENDED ACL CONFIGURATION
*Numbers 100-199 and 2000-2699
*Apply close to the source
*Source and destination addresses
*Ports and protocols

DENY 192.168.10.0/24 TO 192.168.30.0/24

R1(config)#access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config)#access-list 100 permit ip any any
R1(config)#interface g0/1
R1(config-if)#ip access-group 100 in

ALLOW TELNET (VTY ACCESS) TO R2 ONLY FROM 192.168.101.2

R2(config)#access-list 1 permit host 192.168.101.2
R2(config)#line vty 0 4
R2(config-line)#access-class 1 in
Apply the access-class to every vty range the platform has (for example also "line vty 5 15");
any vty line left without it stays reachable from anywhere.

DENY ALL ACCESS TO SERVER 192.168.20.3 EXCEPT FROM PC 192.168.30.51, WHICH MAY ONLY USE HTTPS
AND PING, NOTHING ELSE
R2(config)#ip access-list extended 100
R2(config-ext-nacl)#permit tcp host 192.168.30.51 host 192.168.20.3 eq 443
R2(config-ext-nacl)#permit icmp host 192.168.30.51 host 192.168.20.3
R2(config-ext-nacl)#deny ip any host 192.168.20.3
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int g0/1
R2(config-if)#ip access-group 100 in
Order matters: the two permits must come before the deny, otherwise the deny shadows them.
"permit icmp" allows every ICMP type, not only ping; use "permit icmp ... echo" and
"permit icmp ... echo-reply" if only ping should pass.
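The three ACL examples above (the standard ACL with a wildcard mask, the vty access-class, and the server ACL) all depend on the same three rules: wildcard-mask matching, top-down first-match evaluation, and the implicit deny at the end. The following Python model is an added example, not code from the original notes; it re-implements those rules for a subset of the ACE syntax (ip/tcp/udp/icmp, any/host/wildcard, "eq" port), loads the page's own ACL entries, and shows what happens when the deny is typed before the permits. The packets it classifies are constructed for the illustration.

```python
"""Model of IOS ACL evaluation: wildcard masks, first match wins, implicit deny.
Added example for the ACL notes above; not code from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80, "telnet": 23, "https": 443, "ssh": 22}  # small subset of IOS names


@dataclass(frozen=True)
class Packet:            # constructed test input, not a real capture
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str
    src_wc: str          # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int]
    text: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _take_addr(toks: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A', 'A WILDCARD', or bare 'A' (standard-ACL shorthand for host)."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(toks) and toks[i + 1][0].isdigit():
        return toks[i], toks[i + 1], i + 2
    return toks[i], "0.0.0.0", i + 1


def parse_ace(line: str) -> Optional[Ace]:
    toks = line.split()
    if toks[:1] == ["access-list"]:      # numbered form: drop "access-list <n>"
        toks = toks[2:]
    if not toks or toks[0] == "remark":
        return None
    if toks[1] in PROTOCOLS:             # extended ACE: protocol, source, destination
        proto = toks[1]
        src, src_wc, i = _take_addr(toks, 2)
        dst, dst_wc, i = _take_addr(toks, i)
    else:                                # standard ACE: source only, destination any
        proto = "ip"
        src, src_wc, i = _take_addr(toks, 1)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    dport = None
    if i + 1 < len(toks) and toks[i] == "eq":
        dport = int(toks[i + 1]) if toks[i + 1].isdigit() else PORT_NAMES[toks[i + 1]]
    return Ace(toks[0], proto, src, src_wc, dst, dst_wc, dport, line.strip())


def parse_acl(lines: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The server ACL from the notes, in the order it was entered
SERVER_ACL = parse_acl([
    "permit tcp host 192.168.30.51 host 192.168.20.3 eq 443",
    "permit icmp host 192.168.30.51 host 192.168.20.3",
    "deny ip any host 192.168.20.3",
    "permit ip any any",
])
# Same entries with the deny typed first: it now shadows both permits
SHADOWED_ACL = [SERVER_ACL[2], SERVER_ACL[0], SERVER_ACL[1], SERVER_ACL[3]]
# The standard ACL from the notes (numbered form)
STANDARD_ACL = parse_acl(["access-list 1 deny 192.168.100.0 0.0.0.255",
                          "access-list 1 permit any"])

if __name__ == "__main__":
    pc = Packet("192.168.30.51", "192.168.20.3", "tcp", 443)
    print("correct order:", evaluate(SERVER_ACL, pc))    # permit
    print("deny first:   ", evaluate(SHADOWED_ACL, pc))  # deny
```

The second return value names the entry that decided the packet's fate, which is the same information "show access-lists" gives through its per-entry match counters; a permit whose counter never increments is usually shadowed by an earlier deny.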
---------------------------------------------------------------------------
L1 SUPPORT MANUAL, PP. 30-43
TO FIND THE IP ADDRESS CONSUMING THE MOST TRAFFIC
conf t
int vlan 1
ip accounting output-packets
exit
show ip accounting
Note: once the review is done, remove ip accounting from the LAN interface with
"no ip accounting output-packets"; leaving it enabled keeps adding CPU load on the router.

TO SEE BW CONSUMPTION PER PROTOCOL (NBAR)

conf t
int vlan1
ip nbar protocol-discovery
end
show ip nbar protocol-discovery top-n 5

TO SEE THE IP ADDRESSES CONSUMING THE MOST BW (NETFLOW)

conf t
int vlan1
ip flow egress
exit
ip flow-top-talkers   (global configuration mode, not under the interface)
top 10
sort-by bytes
end
show ip flow top-talkers
show ip cache flow
=========================================================================
***SEGMENTATION (RATE LIMITING) PER INTERFACE AND PER NETWORK****

interface Vlan10
description INTERNET
ip address 186.5.5.145 255.255.255.248
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip virtual-reassembly
rate-limit input access-group 110 10000000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit input access-group 100 4608000 4608000 4608000 conform-action transmit exceed-action drop
rate-limit output access-group 110 10000000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit output access-group 100 4608000 4608000 4608000 conform-action transmit exceed-action drop
load-interval 30
rate-limit (CAR) arguments are: rate in bps, normal burst in bytes, extended burst in bytes.
The statements are evaluated in order and the first one whose ACL matches the packet is the
one applied, so the more specific ACL (110, the two exempt hosts) has to come first.

access-list 100 remark CONTROL_INTERNET


access-list 100 deny ip host 186.5.5.146 any
access-list 100 deny ip any host 186.5.5.146
access-list 100 deny ip any host 186.5.5.147
access-list 100 deny ip host 186.5.5.147 any
access-list 100 permit ip 186.5.5.144 0.0.0.7 any
access-list 100 permit ip any 186.5.5.144 0.0.0.7
access-list 110 remark SEGMENTACION-DOS-IPS
access-list 110 permit ip host 201.218.13.114 any
access-list 110 permit ip any host 201.218.13.114
access-list 110 permit ip any host 186.5.5.147
access-list 110 permit ip host 186.5.5.147 any

***********************************************
****************SEGMENTATION: INTERNET VS DATA (CLASS-BASED POLICING)*******************

class-map match-all INTERNET


match access-group 160
class-map match-all DATOS
match access-group 155
!
!
policy-map BW
class INTERNET
police cir 1536000 bc 153600 be 153600
exceed-action drop
class DATOS
police cir 1536000 bc 153600 be 153600
exceed-action drop

access-list 155 remark DATOS


access-list 155 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 160 remark INTERNET
access-list 160 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 160 permit ip any any

interface Ethernet1/0
ip address 192.168.160.169 255.255.255.248
ip nat inside
full-duplex
service-policy input BW
service-policy output BW

APPLY THE POLICIES TO THE INTERFACES (e.g. fa0.1994) where needed.
police cir is given in bits per second; for 1 "mega" these notes use:
police cir 1024000
(strictly 1 Mbps is 1000000 bps; 1024000 is the convention used here. bc and be are in bytes.)

***********************************************
*******SEGMENTATION PER INTERFACE (NO ACL, WHOLE INTERFACE)**************

interface Vlan2
ip address 192.168.25.7 255.255.255.0
no ip redirects
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1432
rate-limit input 6144000 614400 614400 conform-action transmit exceed-action drop
rate-limit output 6144000 614400 614400 conform-action transmit exceed-action drop
load-interval 30
*********************************************
SEGMENTATION USING "MATCH NOT" ON AN ACL
*********************************************

access-list 150 remark SEG-VIDEOCONFERENCIA


access-list 150 permit ip host 192.168.169.49 any
access-list 150 permit ip any host 192.168.169.49

class-map match-all RESTO-BW


match not access-group 150
class-map match-all SEG-VCONFERENCIA
match access-group 150
!
!
policy-map CONTROLBW
class SEG-VCONFERENCIA
police cir 2048000 bc 204800 be 204800
exceed-action drop
class RESTO-BW
police cir 14848000 bc 1484800 be 1484800
exceed-action drop
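Every rate-limit and police statement in the segmentation templates above takes a rate in bits per second plus a burst in bytes, and the behaviour that produces (a burst of up to bc bytes gets through, then the class is held to cir) is easier to reason about with the token bucket in front of you. The following Python policer is an added example, not code from the notes: it models the single-rate, two-colour policer that "police cir X bc Y ... exceed-action drop" and "rate-limit X Y Z conform-action transmit exceed-action drop" implement, using exact fractions so the results are reproducible. The traffic it classifies is constructed for the illustration and uses the cir/bc values from the INTERNET/DATOS policy above.

```python
"""Single-rate token-bucket policer, the model behind IOS 'police cir <bps> bc <bytes>'
and 'rate-limit <bps> <normal burst> <extended burst>'. Added example, not from the notes."""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Tuple


@dataclass
class Policer:
    cir_bps: int                 # committed information rate, bits per second
    bc_bytes: int                # committed burst: token bucket depth in bytes
    tokens: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.bc_bytes)   # the bucket starts full

    def offer(self, t_us: int, size_bytes: int) -> str:
        """Classify one packet arriving at t_us (microseconds) as 'conform' or 'exceed'.
        Tokens accrue at cir since the previous packet and are capped at bc, so an idle
        period can bank at most bc bytes of burst. Exact Fractions keep the arithmetic
        reproducible (no float drift on the >= comparison)."""
        credit = Fraction((t_us - self.last_us) * self.cir_bps, 8 * 1_000_000)
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + credit)
        self.last_us = t_us
        if self.tokens >= size_bytes:       # two-colour: exceed-action drop, no 'be' third colour
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def simulate_stream(cir_bps: int, bc_bytes: int, n_packets: int,
                    size_bytes: int, interval_us: int) -> Tuple[int, int]:
    """Offer n_packets of size_bytes spaced interval_us apart; return (conformed, exceeded).
    interval_us=0 models a back-to-back burst arriving at the same instant."""
    p = Policer(cir_bps, bc_bytes)
    verdicts = [p.offer(k * interval_us, size_bytes) for k in range(n_packets)]
    return verdicts.count("conform"), verdicts.count("exceed")


def offered_rate_bps(size_bytes: int, interval_us: int) -> float:
    return float("inf") if interval_us == 0 else size_bytes * 8 * 1_000_000 / interval_us


if __name__ == "__main__":
    # 'police cir 1536000 bc 153600' from the INTERNET/DATOS policy above, constructed traffic
    for label, n, size, gap in [("burst of 200 pkts at t=0", 200, 1500, 0),
                                ("1.2 Mbps stream", 1000, 1500, 10_000),
                                ("6 Mbps stream", 1000, 1500, 2_000)]:
        conform, exceed = simulate_stream(1_536_000, 153_600, n, size, gap)
        print(f"{label:26s} offered {offered_rate_bps(size, gap):>10.0f} bps "
              f"-> conform {conform}, exceed {exceed}")
```

The burst case shows bc bounding what gets through instantaneously (102 packets of 1500 bytes, just under 153600 bytes); the 1.2 Mbps stream never drains the bucket; the 6 Mbps stream conforms only 358 of 1000 packets over the 2 s window, which is the bc credit plus 2 s at cir, and in the long run it converges to cir. With exceed-action drop and no violate-action the third token bucket (be) never changes the verdict, which is why it is omitted here.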
==========================================================================
SEGMENTATION FROM SIKANDAR'S QOS PDF, P. 160

access-list 120 permit tcp any any eq www

class-map WEB_TR
match access-group 120

policy-map CCIE
class WEB_TR
bandwidth 64
class class-default

int fa4
service-policy output CCIE

This reserves 64 kbps for HTTP browsing. Note that "bandwidth" is a CBWFQ minimum guarantee that
only takes effect under congestion; it does not cap the class. To hold HTTP to 64 kbps use
"police" (drop the excess) or "shape" (buffer the excess) inside the class instead.

EXAMPLE:
access-list 120 permit ip any any

class-map match-all SEGMENTACION500MB
match access-group 120

policy-map SEGMENTACION500MB
class SEGMENTACION500MB
bandwidth 512000

interface GigabitEthernet0/0/0
ip address 10.61.60.222 255.255.255.252
service-policy output SEGMENTACION500MB
"bandwidth" takes kbps, so 512000 = 512 Mbps. The same caveat applies: this is a guarantee
during congestion, not a limit.
==========================================================================

###############################################
**********VPN CONFIGURATION (IKEv1 / IPsec CRYPTO MAP)********************

crypto isakmp policy 10


encr 3des
authentication pre-share
group 2
crypto isakmp key 4uM0drE8MR3zX address 186.101.66.86
!
!
crypto ipsec transform-set 4uM0drE8MR3zX esp-des esp-md5-hmac
!
crypto map VPN-MEDISUMI 10 ipsec-isakmp
set peer 186.101.66.86
set transform-set 4uM0drE8MR3zX
match address 101
!
access-list 101 remark VPN_portrans-medisumi
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.223.61.0 0.0.0.255

interface FastEthernet4
description TO TELCONET
ip address 186.3.100.165 255.255.255.0
crypto map VPN-MEDISUMI

Caveats on this template: 3DES, DES, MD5-HMAC and DH group 2 (1024-bit) are all deprecated in
Cisco's Next Generation Encryption guidance and newer IOS releases warn on or refuse them;
prefer AES (or AES-GCM), SHA-256, DH group 14 or higher, and IKEv2 where both ends support it.
No "hash" line means the policy silently uses the IOS default, SHA-1. The pre-shared key is
also used as the transform-set name, which copies the secret into every "show run" line that
references the set and into every config backup; give the transform-set a neutral name and
keep the key in one place only.
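Checking a crypto-map template for deprecated algorithms and leaked secrets is mechanical, so here is an added example that does it: a small Python audit of the IKEv1 policy, the transform-set and the pre-shared key lines in an IOS config text. This is not code from the notes; the classification of algorithms follows Cisco's Next Generation Encryption guidance (DES/3DES, MD5 and DH groups 1/2/5 avoided, SHA-1 treated as legacy), the page's own VPN lines are used as the first input, and the hardened counterpart it is compared against (AES-256, SHA-256, group 14, a placeholder key) is an assumed example, not a configuration from the page.

```python
"""Audit IKEv1/IPsec parameters in an IOS config dump. Added example, not from the notes."""
import re
from typing import Dict, List, Tuple

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
LEGACY_HASH = {"sha"}                      # SHA-1: acceptable for integrity, not preferred
WEAK_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
LEGACY_TRANSFORMS = {"esp-sha-hmac", "ah-sha-hmac"}
# What IOS assumes when a 'crypto isakmp policy' omits a parameter
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
POLICY_KEYS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}


def parse_isakmp_policies(lines: List[str]) -> Dict[str, Dict[str, str]]:
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in lines:
        toks = raw.split()
        if not toks:
            continue
        if toks[:3] == ["crypto", "isakmp", "policy"] and len(toks) == 4:
            current = policies.setdefault(toks[3], dict(ISAKMP_DEFAULTS))
        elif current is not None and toks[0] in POLICY_KEYS and len(toks) >= 2:
            current["encr" if toks[0] == "encryption" else toks[0]] = toks[1]
        else:
            current = None                  # any other command ends the policy block
    return policies


def parse_transform_sets(lines: List[str]) -> Dict[str, List[str]]:
    return {t[3]: t[4:] for t in map(str.split, lines)
            if t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 4}


def parse_psks(lines: List[str]) -> List[Tuple[str, str]]:
    found = [re.match(r"\s*crypto isakmp key (\S+) address (\S+)", l) for l in lines]
    return [(m.group(1), m.group(2)) for m in found if m]


def audit(config_text: str) -> List[str]:
    lines = config_text.splitlines()
    findings: List[str] = []
    for num, pol in parse_isakmp_policies(lines).items():
        if pol["encr"] in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {pol['encr']}")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {pol['hash']}")
        elif pol["hash"] in LEGACY_HASH:
            findings.append(f"isakmp policy {num}: legacy hash sha (SHA-1, the IOS default)")
        if pol["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {pol['group']}")
    for name, algs in parse_transform_sets(lines).items():
        for alg in algs:
            if alg in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform {alg}")
            elif alg in LEGACY_TRANSFORMS:
                findings.append(f"transform-set {name}: legacy transform {alg}")
    for key, peer in parse_psks(lines):
        # the secret must not appear anywhere except on its own key line
        reuse = [l.strip() for l in lines
                 if key in l and not l.lstrip().startswith("crypto isakmp key")]
        if reuse:
            findings.append(f"pre-shared key for {peer} reused as an identifier in "
                            f"{len(reuse)} line(s), e.g.: {reuse[0]}")
    return findings


# The VPN lines from the notes above
PAGE_CONFIG = """
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 4uM0drE8MR3zX address 186.101.66.86
!
crypto ipsec transform-set 4uM0drE8MR3zX esp-des esp-md5-hmac
!
crypto map VPN-MEDISUMI 10 ipsec-isakmp
 set peer 186.101.66.86
 set transform-set 4uM0drE8MR3zX
 match address 101
"""

# Assumed hardened counterpart (example values, not from the page)
HARDENED_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Example-PSK-Change-Me address 186.101.66.86
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto map VPN-MEDISUMI 10 ipsec-isakmp
 set peer 186.101.66.86
 set transform-set TS-AES256-SHA256
 match address 101
"""

if __name__ == "__main__":
    for f in audit(PAGE_CONFIG):
        print("PAGE:", f)
    print("HARDENED:", audit(HARDENED_CONFIG) or "no findings")
```

Run it against "show running-config" output saved to a file; the policy parser deliberately treats any non-policy command as the end of the block, so it works on both the indented form IOS prints and the flattened form in these notes.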

====================================================
TUNNEL (GRE, the default tunnel mode)
CoopStaRosa-CIAS(TU0)==================(TU7)bce-gye-conc-cias

CoopStaRosa-CIAS WAN: 10.110.175.90
bce-gye-conc-cias WAN: 10.11.117.98

CONFIGURATION:

CoopStaRosa-CIAS
interface Tunnel0
description TO BCE-GYE
ip address 192.168.96.237 255.255.255.252
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1432
keepalive 3 3
tunnel source 10.110.175.90
tunnel destination 10.11.117.98
end
ip route 10.11.117.98 255.255.255.255 10.110.175.89 name WAN_BCE_GYE
The /32 route to the tunnel destination pins the endpoint to the WAN next hop; without it a
route learned through the tunnel could cover the destination and the tunnel would flap on
recursive routing.

bce-gye-conc-cias
interface Tunnel7
description coop-SantaRosa
ip address 192.168.96.238 255.255.255.252
ip tcp adjust-mss 1432
keepalive 3 3
tunnel source 10.11.117.98
tunnel destination 10.110.175.90
end

===========================================
TUNNEL CONFIGURATION (second tunnel from the same CPE)

CoopStaRosa-CIAS
interface Tunnel1
description BAUSTRO
ip address 172.20.1.126 255.255.255.252
tunnel source 10.110.175.130
tunnel destination 10.33.250.211
!
ip route 10.33.250.211 255.255.255.255 10.110.175.129 name BAUSTRO
CONCENTRADOR_CUENCA-ATM-CIAS#
interface Tunnel196
description COOP-SANTA-ROSA
ip address 172.20.1.125 255.255.255.252
ip tcp adjust-mss 1432
tunnel source 10.33.250.211
tunnel destination 10.110.175.130
end
ip route 10.110.175.130 255.255.255.255 10.33.250.209 name COOP_STAROSA
================================================
VIEW ROUTES RECEIVED VIA BGP
sh ip bgp neigh x.x.x.x received-routes   (needs "neighbor x.x.x.x soft-reconfiguration inbound"; otherwise use "routes" for the post-policy view)
sh ip bgp vpnv4 vrf routerbg7513_1_40 summary
=================================================
CONFIGURE PBR
ip access-list extended 101
permit ip 10.0.0.0 0.0.0.255 any
route-map gold
match ip address 101
set ip next-hop 172.16.255.2
interface fa0/0
ip policy route-map gold
debug ip policy
debug ip packet 101 detail
debug ip policy 101
Keep the ACL filter on the packet debug as shown and switch it off with "undebug all" when done;
unfiltered packet debugging can exhaust the CPU of a production router.
Note 1: 'set ip next-hop' and 'set ip default next-hop' are similar commands but have a
different order of operations. 'set ip next-hop' makes the router policy-route first and fall
back to the routing table only if the configured next hop is unreachable. 'set ip default
next-hop' consults the routing table first and policy-routes to the specified next hop only
when no explicit route (other than the default route) exists for the destination.
==================================================
SCHEDULE A RELOAD
Ciscozine#reload in 1:30
Reload scheduled for 10:20:49 UTC Thu Apr 28 2011 (in 1 hour and 30 minutes) by console
Reload reason: Reload Command
Proceed with reload? [confirm]
Ciscozine#show reload
Reload scheduled for 10:20:49 UTC Thu Apr 28 2011 (in 1 hour and 29 minutes) by console
Reload reason: Reload Command
Ciscozine#reload cancel   (cancels the scheduled reload)
A scheduled reload is the usual safety net before a remote change: if the new configuration
locks you out, the router comes back with the saved startup-config. Once the change is
confirmed, "reload cancel" and then "write memory"; a reload discards unsaved changes.
==================================================
TO BRING UP AN SVI WHEN NOTHING IS CONNECTED TO THE VLAN
int vlan 1
no autostate
=======================
COMMANDS TO CHECK BW (QoS QUEUEING AND POLICERS) ON A CISCO SWITCH
sh mls qos int fa0/16 queueing
sh mls qos aggregate-policer
========================
COMMANDS TO CHECK LOAD BALANCING (WHEN TRAFFIC GOES UP ONE INTERFACE AND COMES BACK DOWN ANOTHER)

Check on both the switch and the CPE; the load-balancing method should match on both ends.
With a destination-only hash (dst-ip) every flow towards one destination lands on the same
member link, which is what produces the asymmetry; src-dst-ip spreads flows across members.

sh etherchannel load-balance

EXAMPLE:
nedetel-vincesbalzar#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:


Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address

sw1balzar1-ten>show etherchannel load-balance


EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:


Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
===================================================
The "ip local policy route-map" command is used to policy-route traffic generated
locally on the router.
The "ip policy route-map" looks at traffic entering an interface and policy-routes
accordingly. This traffic would be external, transiting the router.
=================================================
route-map applied inbound (to routes received from the neighbor): influences how my traffic
leaves, i.e. the path taken towards prefixes I learn from outside.
route-map applied outbound (to routes advertised to the neighbor): influences how traffic
enters my router, i.e. the path others take towards the prefixes I originate.
================================================
TRACK + HSRP
PRIMARY ROUTER
ip sla 1
icmp-echo 10.41.168.217 source-interface FastEthernet0
threshold 2
frequency 10
ip sla schedule 1 life forever start-time now

track 1 ip sla 1

interface Vlan1
description LAN-CLIENTE
ip address 192.168.6.252 255.255.255.0
standby 1 ip 192.168.6.254
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 60

BACKUP ROUTER
interface Vlan1
description LAN
ip address 192.168.6.253 255.255.255.0
standby 1 ip 192.168.6.254
standby 1 priority 90
standby 1 preempt

The decrement (60) must exceed the priority gap (110 - 90 = 20), otherwise the primary keeps
the active role even while the WAN probe fails. The backup also needs "standby 1 preempt": a
lowered priority does not make the active router resign, the standby has to take the role.
=====ANOTHER WAY====

track 1 interface GigabitEthernet 0/2 line-protocol

This configures object tracking for the GigabitEthernet 0/2 interface. When the line
protocol changes (goes down) the object state changes as well.
SW2(config)#interface Vlan 1
SW2(config-if)#standby 1 track 1 decrement 60

Source: https://networklessons.com/cisco/ccie-routing-switching/hsrp-hot-standby-routing-protocol
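The two conditions for a tracked failover (decrement larger than the priority gap, and preempt on the backup) are easy to get wrong because HSRP never forces the active router to step down on a priority change. The following Python model is an added example, not code from the notes or from the linked article: it implements the HSRP election rule (highest effective priority wins, higher interface address breaks ties, a standby only takes over when it has preempt) and replays the primary/backup pair above under the three configurations that matter. Router names and the scenario function are assumptions for the illustration.

```python
"""HSRP active election with object tracking. Added example, not code from the notes."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                                   # interface address, HSRP tie-breaker
    priority: int
    preempt: bool
    tracks: Dict[int, int] = field(default_factory=dict)   # track object -> decrement
    down: Set[int] = field(default_factory=set)            # track objects currently down

    @property
    def effective_priority(self) -> int:
        return self.priority - sum(dec for t, dec in self.tracks.items() if t in self.down)


def _rank(r: HsrpRouter) -> Tuple[int, int]:
    """Election order: highest effective priority, then highest interface IP."""
    return r.effective_priority, int(ipaddress.IPv4Address(r.ip))


class HsrpGroup:
    def __init__(self, routers: List[HsrpRouter]) -> None:
        self.routers = routers
        self.active = max(routers, key=_rank)   # everyone boots together: plain election

    def set_track(self, router_name: str, track: int, is_up: bool) -> str:
        r = next(x for x in self.routers if x.name == router_name)
        if is_up:
            r.down.discard(track)
        else:
            r.down.add(track)
        return self._reelect()

    def _reelect(self) -> str:
        # A priority drop does not make the active router resign. The role only moves
        # when another router has a strictly higher effective priority AND has preempt.
        # (If the active router stopped sending hellos entirely, the standby would take
        # over after the hold time regardless of preempt; tracking does not cause that.)
        best = max(self.routers, key=_rank)
        if best is not self.active and best.preempt and _rank(best) > _rank(self.active):
            self.active = best
        return self.active.name


def failover_scenario(decrement: int, backup_preempt: bool) -> List[str]:
    """Active router after boot, after track 1 goes down on R1, and after it comes back.
    R1/R2 mirror the primary/backup pair above (priorities 110 and 90, same VLAN)."""
    r1 = HsrpRouter("R1", "192.168.6.252", 110, True, {1: decrement})
    r2 = HsrpRouter("R2", "192.168.6.253", 90, backup_preempt)
    g = HsrpGroup([r1, r2])
    return [g.active.name, g.set_track("R1", 1, False), g.set_track("R1", 1, True)]


if __name__ == "__main__":
    print("decrement 60, backup preempt:", failover_scenario(60, True))    # R1, R2, R1
    print("decrement 60, no preempt:    ", failover_scenario(60, False))   # R1, R1, R1
    print("decrement 10, backup preempt:", failover_scenario(10, True))    # R1, R1, R1
```

The second and third runs are the two misconfigurations worth checking with "show standby brief" after a planned WAN failure: without preempt on the backup the active router stays active at effective priority 50, and with a decrement smaller than the gap it stays active at 100.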
=================================================================
BGP
Weight is a parameter local to the router that only decides how traffic leaves it. For the
return traffic to come back through the backup as well, set metric (MED) 1000 with a
route-map on the backup neighbor: while the primary is down, the PE reaches the CPE through
the backup, and as soon as the PE sees the CPE's primary path come back it sends everything
via the metric-0 path, i.e. the primary.
CPE
federal#sh ip bgp
   Network          Next Hop          Metric LocPrf Weight Path
*  0.0.0.0          10.211.227.221                    890 27947 27947 i
*                   181.39.73.1                       990 27947 i
*                   10.211.183.225                    900 27947 27947 i
*>                  181.198.17.1                     1000 27947 i

It prefers 181.198.17.1 because it has the highest weight.

PE
pe1gyec> sh ip bgp vpnv4 vrf telconet | b 181.39.87.64
   Network          Next Hop          Metric LocPrf Weight Path
*  181.39.87.64/30  181.39.73.18        1000             0 65305 i
*>                  181.198.17.36          0             0 65305 i

It prefers 181.198.17.36 because it has metric 0 versus 1000.

Both paths have the same weight (0) because the PE has no weight configured for either the
backup or the primary neighbor.
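The two tables above are decided by different steps of the BGP best-path algorithm (weight on the CPE, MED on the PE), and the reason MED 1000 is needed on the backup is that without it the PE would fall through to later tie-breakers. The following Python selector is an added example, not code from the notes: it implements the front of the IOS best-path order (weight, local preference, AS-path length, MED, lowest neighbor address) over the paths transcribed from the two tables, and reports which step decided. Origin, eBGP-vs-iBGP, IGP metric, path age and router-id are skipped, so it is a model of the two cases shown, not a full implementation.

```python
"""Front end of the IOS BGP best-path algorithm, enough to explain the two tables above.
Added example, not code from the notes; the path attributes are transcribed from them."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    as_path: Tuple[str, ...]
    weight: int = 0          # Cisco-local attribute, never sent to neighbours
    local_pref: int = 100    # IOS default when the LocPrf column is blank
    med: int = 0             # the "Metric" column in 'show ip bgp'


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, str]:
    """Return (winner, deciding step). Steps in IOS order: highest weight, highest
    local-pref, shortest AS path, lowest MED (only compared between paths from the same
    neighbouring AS), then lowest neighbour address. Later IOS tie-breakers are omitted."""
    steps: List[Tuple[str, Callable[[BgpPath], int]]] = [
        ("weight", lambda p: -p.weight),             # negated: lower key = better
        ("local_pref", lambda p: -p.local_pref),
        ("as_path_length", lambda p: len(p.as_path)),
        ("med", lambda p: p.med),
        ("neighbor_ip", lambda p: int(ipaddress.IPv4Address(p.next_hop))),
    ]
    cands = list(paths)
    for name, key in steps:
        if name == "med" and len({p.as_path[:1] for p in cands}) > 1:
            continue                                  # MED across different ASes is not compared
        best = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == best]
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"


# Paths for 0.0.0.0 as seen on the CPE 'federal': a weight per neighbour, all via AS 27947
CPE_PATHS = [
    BgpPath("10.211.227.221", ("27947", "27947"), weight=890),
    BgpPath("181.39.73.1", ("27947",), weight=990),
    BgpPath("10.211.183.225", ("27947", "27947"), weight=900),
    BgpPath("181.198.17.1", ("27947",), weight=1000),
]
# Paths for 181.39.87.64/30 as seen on the PE: no weight, MED 1000 set on the backup
PE_PATHS = [
    BgpPath("181.39.73.18", ("65305",), med=1000),
    BgpPath("181.198.17.36", ("65305",), med=0),
]
# Same PE view if the backup CPE did not set MED 1000 (constructed counter-example)
PE_PATHS_NO_MED = [BgpPath("181.39.73.18", ("65305",)), BgpPath("181.198.17.36", ("65305",))]

if __name__ == "__main__":
    for label, paths in [("CPE", CPE_PATHS), ("PE", PE_PATHS), ("PE without MED", PE_PATHS_NO_MED)]:
        winner, why = best_path(paths)
        print(f"{label:15s} -> {winner.next_hop:15s} decided by {why}")
```

With the MED removed the model falls through to the neighbor-address tie-breaker and picks the backup (181.39.73.18 is the lower address); a real PE would reach the oldest-path and router-id steps first, so the choice becomes arbitrary rather than wrong, which is exactly why the notes pin it down with metric 1000.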

===============CLEAR IDLE SESSIONS===================

#sh user
    Line       User        Host(s)   Idle       Location
*   7 vty 1    ipccl2-uio  idle      00:00:00   201.218.38.47
    8 vty 2    ipccl2-uio  idle      00:00:27   201.218.38.47

To clear line 8 (vty 2):

clear line 8   or   clear line vty 2
The line marked with * is your own session; clearing it disconnects you.

También podría gustarte