COLOMBIA
Version 1.1
ENGINEERING DIRECTORATE
Confidential
Page 1
18/12/2014
CHANGE CONTROL
Change date | Ver. | Changed by | Sections changed
2011-12-30 | 1.0 | Jorge Enrique Gutierrez | All
2012-04-12 | 1.0 | Jorge Enrique Gutierrez | Diagram inserted in Application Scenarios and scripts updated with comments on the commands (in yellow)
Table of contents
CHANGE CONTROL
INTRODUCTION
3.1.1
3.1.2 Fiber connection scenario as main WAN link with 3G backup link
3.1.3
3.2
3.3
3.4
3.5 Front view
3.6 Rear view
4.2
4.3
CONFIGURATION POLICIES
TROUBLESHOOTING
TECHNICAL CASES
10
11
REFERENCE DOCUMENTS
INTRODUCTION
Version and scope of the document
This manual covers TELDAT equipment, specifically the H1+ line, which is the equipment approved by TELMEX for the SOLUCIONES TRANSACCIONALES product, whose main requirement is the cellular interface for connecting to 3G mobile networks.
Although the equipment supports all the features and protocols used in the other TELMEX services (INTERNET, IP DATA INTRANET channels, etc.), this document illustrates how to configure the router to support the standard basic configuration of the SOLUCIONES TRANSACCIONALES product.
The document is published for reference at the following intranet (web) path:
DIRECCION DE OPERACIONES GERENCIA DE INGENIERIA PRODUCTOS Y SERVICIOS IP DATA EQUIPOS TELDAT H1+
AnexoTécnico__Teldat h1+_v1.1.doc
Regarding installation of the SIM card for 3G connectivity, the device has two types of slot, one external and one internal. The external one is shown in the preceding diagram as slot 4. The internal slot is reached by opening the device and installing the SIM card in the compartment located near the left 3G antenna (item 2). This procedure is necessary when the TELMEX service being installed requires two SIM cards.
When the device arrives from the (TELMEX) warehouse it must come with the console cable or DB9RJ4 adapter and with 4 antennas (2 for WiFi, which will not be used, and 2 for 3G, which are the paddle-shaped antennas). In addition, the device comes with a power adapter, a UTP cable and a CD with all the documentation on the device's commands and configuration.
When connected via console, the following is shown on pressing the RST button. The same output also appears when the device starts for the first time:
CFE version 1.0.37-102.9-03 for BCM96368 (32bit,SP,BE)
Build Date: Mon May 3 11:15:40 CEST 2010 (gjimenez@orion)
Copyright (C) 2000-2008 Broadcom Corporation.
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 67108864 bytes (64MB)
Boot Address 0xb8000000
*** default configuration required ***
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name :
Teldat
(c)2001-2011
Router model H1+ WL USB IPSec SNA VoIP T+ 26 48 CPU MIPS32 S/N: 728/10146
1 LAN, 1 WLAN
CIT software version: 10.08.12.01.09 Jul 11 2011 14:38:00
*
Press any key to get started
The minimum version recommended by the manufacturer with which the device must arrive is 10.08.24.
If console access is not available, the device can be reached through an Ethernet port. After a reset to defaults using the external button, configure a PC with an IP address in the 192.168.1.0/24 segment other than 192.168.1.1 or 192.168.1.100, connect the PC to one of the ports LAN1 to LAN4, and telnet to either of those two addresses.
Save the changes:
REDEBAN Config>save yes
Building configuration as text... OK
Writing configuration... OK on Flash as IPSEC
REDEBAN Config>
Finally, restart the device, which will boot with the default configuration:
REDEBAN *restart
3.1.1 Configuration for the standard transactional solutions service.
profile H1 default
profile H1 dialout
profile H1 3gpp-accessibility-control traffic 100 all
; APN associated with the SIM card.
profile H1 3gpp-apn telmex.corp.comcel.com.co
profile H1 3gpp-restart-on-disc
profile H1 3gpp-restart-on-cnxs-fails 6 30s
;
exit
;
global-profiles ppp
; -- PPP Profiles Configuration --
lcp-options cellular1/1 default
lcp-options cellular1/1 acfc
lcp-options cellular1/1 pfc
lcp-options cellular1/1 accm 0
;
exit
;
network cellular1/0
; -- Interface AT. Configuration --
coverage-timer 10
;
network mode automatic
network domain cs+ps
exit
;
;
network ppp1
; -- Generic PPP User Configuration --
ip address unnumbered
;
;
ppp
; -- PPP Configuration --
authentication sent-user web ciphered-pwd 0x19A02514F479EDB1
ipcp local address assigned
no ipcp peer-route
lcp echo-req off
exit
;
base-interface
; -- Base Interface Configuration --
base-interface cellular1/1 link
; Associates the cellular interface with the 3G (APN) configuration profile.
base-interface cellular1/1 profile H1
;
exit
;
exit
;
;
network tnip1
; -- IP Tunnel Net Configuration --
; PEER: IP address of the 3G tunnel.
ip address 10.8.1.158 255.255.255.252
;
;
ip mtu 1410
;
enable
mode gre ip
; IP that the SIM card obtains from the mobile operator.
source ppp1
; IP of the loopback on the interconnection router (associated with the APN).
destination 172.25.0.1
keepalive 10s 1
exit
;
network ethernet0/0.2
; -- Ethernet Subinterface Configuration --
description LAN_CLIENTE
;
ip address 10.240.10.81 255.255.255.248
ip address 10.200.61.73 255.255.255.248 secondary
;
;
encapsulation dot1q 2
;
;
exit
;
;
protocol ip
; -- Internet protocol user configuration --
; Ensures reachability of the remote tunnel endpoint.
route 172.25.0.1 255.255.255.255 ppp1
route 0.0.0.0 0.0.0.0 tnip1 distance 200
;
;
exit
;
;
;
feature vlan
; -- VLAN configuration --
enable
;
vlan 2 ethernet0/0 port internal
vlan 2 ethernet0/0 port 2
vlan 2 ethernet0/0 port 3
vlan 2 ethernet0/0 port 4
;
; Port 0/0 is left for the WAN, associated with VLAN xxx.
tag-default ethernet0/0 port 1 xxx
; Association of the LAN VLAN (2) with the physical ports.
tag-default ethernet0/0 port 2 2
tag-default ethernet0/0 port 3 2
tag-default ethernet0/0 port 4 2
;
tag-insertion ethernet0/0 port internal
;
; LAN ports that remain as access ports.
tag-removal ethernet0/0 port 2
tag-removal ethernet0/0 port 3
tag-removal ethernet0/0 port 4
;
exit
;
;
;
dump-command-errors
end
CLIENTE Config>
Verification commands
TELDAT H1 cellular1/1 AT+list
Daughter Board = SOFTUSB Device Adapter
Module Manufacturer = QISDA
Module Model = H20
Module Firmware = Qisda Build Ver: 7225A-SLCAAVZA-3240,SW Ver: 1.09,Boot Block ver
IMEI = 353030020124376
IMSI = 732103015950559
SIM Card ICC = 89577321030159505593
Drop by ping failed = 0
Drop by tracert failed = 0
3.1.2 Fiber connection scenario as main WAN link with 3G backup link
;
exit
;
global-profiles ppp
; -- PPP Profiles Configuration --
lcp-options cellular1/1 default
lcp-options cellular1/1 acfc
lcp-options cellular1/1 pfc
lcp-options cellular1/1 accm 0
;
exit
;
network cellular1/0
; -- Interface AT. Configuration --
coverage-timer 10
;
network mode automatic
network domain cs+ps
exit
;
;
network ppp1
; -- Generic PPP User Configuration --
ip address unnumbered
;
;
ppp
; -- PPP Configuration --
authentication sent-user web ciphered-pwd 0x19A02514F479EDB1
ipcp local address assigned
no ipcp peer-route
lcp echo-req off
exit
;
base-interface
; -- Base Interface Configuration --
base-interface cellular1/1 link
base-interface cellular1/1 profile H1
;
exit
;
exit
;
;
network tnip1
; -- IP Tunnel Net Configuration --
ip address 10.8.1.158 255.255.255.252
;
;
;
;
ip mtu 1410
;
enable
mode gre ip
; IP that the SIM card obtains from the mobile operator.
source ppp1
; IP of the loopback on the interconnection router (associated with the APN).
destination 172.25.0.1
keepalive 10s 1
exit
;
network ethernet0/0.2
; -- Ethernet Subinterface Configuration --
description LAN_CLIENTE
;
ip address 10.240.10.81 255.255.255.248
ip address 10.200.61.73 255.255.255.248 secondary
;
;
encapsulation dot1q 2
;
;
exit
;
network ethernet0/0.3520
; -- Ethernet Subinterface Configuration --
description WAN_TELMEX
;
ip address 10.161.139.166 255.255.255.252
;
encapsulation dot1q 3520
;
exit
;
protocol ip
; -- Internet protocol user configuration --
router-id 10.161.139.166
;
route 172.25.0.1 255.255.255.255 ppp1
3.1.2.1 SERVICE TESTS
Verification on the PE
GCHICONORTE#sh ip bgp vpnv4 vrf saturacion-nov2 neighbors 10.161.139.166 routes
BGP table version is 334823171, local router ID is 10.10.66.107
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:3474 (default for vrf saturacion-nov2)
*> 10.200.61.72/29  10.161.139.166           1             0 65535 ?
*  10.240.10.80/29  10.161.139.166           1             0 65535 ?
1 ms 10.161.139.165
2 ms 10.161.31.174
1 ms 190.144.226.6
CLIENTE IP+
3.1.3
;
sim external-socket-1 pin ciphered 0x41EDDF31006925E8
; Associates the external SIM with the COMCEL profile.
sim external-socket-1 local-address 111111111
sim internal-socket-2 pin ciphered 0xB3B6C6B3352F6A10
; Associates the internal SIM with the TIGO profile (backup).
sim internal-socket-2 local-address 222222222
sim supervision enable
sim return-criteria time after 10
sim return-criteria registration-lost over 1
sim registration-criteria lost over 1
sim return-criteria nsla-advisor 7
sim nsla-criteria nsla-advisor 5
;
network mode automatic
network domain cs+ps
exit
;
;
; Logical PPP interface for the main (PPAL) connection via COMCEL.
network ppp1
; -- Generic PPP User Configuration --
ip address unnumbered
;
ppp
; -- PPP Configuration --
ipcp local address assigned
no ipcp peer-route
lcp echo-req off
exit
;
base-interface
; -- Base Interface Configuration --
base-interface cellular1/1 link
base-interface cellular1/1 profile COMCEL
;
exit
;
exit
;
;
; Logical PPP interface for the alternate connection via TIGO.
network ppp2
; -- Generic PPP User Configuration --
ip address unnumbered
;
ppp
; -- PPP Configuration --
event
; -- ELS Config --
enable trace subsystem SPF ALL
exit
;
feature ssh
; -- SSH protocol configuration --
server
; -- SSH Server --
enable
exit
;
feature nsm
; -- Network Service Monitor configuration --
operation 1
; -- NSM Operation configuration --
type echo ipicmp 10.15.0.10
frequency 3
timeout 1500
exit
;
operation 2
; -- NSM Operation configuration --
type echo ipicmp 10.16.0.2
frequency 3
timeout 1500
exit
;
schedule 1 life forever
schedule 1 start-time now
schedule 2 life forever
schedule 2 start-time now
exit
;
feature nsla
; -- Feature Network Service Level Advisor --
enable
;
filter 5 nsm-op 1 rtt
filter 5 significant-samples 5
filter 5 activation threshold 2000
filter 5 activation sensibility 80
filter 5 activation stabilization-time 60
;
exit
;
;
dump-command-errors
end
DEMO_2SIMCARD Config>
_____________
COMCEL
COMCEL_VENECIA#sh run int tun 18
Building configuration...
Current configuration : 255 bytes
!
interface Tunnel18
description --- TUNNEL-COMCEL-BPOPULAR-3G ---
ip vrf forwarding AvalBogBPO
ip address 192.168.28.1 255.255.255.252
no ip route-cache cef
tunnel source 192.168.107.105
tunnel destination 192.168.100.1
tunnel vrf AvalBogBPO
end
COMCEL_VENECIA#
ip route vrf AvalBogBPO 10.100.76.0 255.255.254.0 Tunnel18 name INTERWAN_SIMCARD_BPOP
! (ALL OFFICES)
COMCEL_VENECIA#
ip route 192.168.100.1 255.255.255.255 192.168.107.30 name APN
! ---> SHOULD BE POINTED AT THE VRF AVALBogBPO. THE TUNNEL IS CURRENTLY DOWN.
___________________________________________________
TIGO
address-family ipv4 vrf AvalBogBPO
redistribute static route-map FILTRO_BPOPULAR-3G
redistribute ospf 3 vrf AvalBogBPO metric 110 match internal external 2
neighbor 10.161.105.165 remote-as 14080
neighbor 10.161.105.165 description TELMEX BANCO POPULAR BACKUP - BPP0994
neighbor 10.161.105.165 timers 10 30
neighbor 10.161.105.165 activate
neighbor 10.161.105.165 route-map BACKUP_BPO in
no synchronization
exit-address-family
TELM_INTERCONEXION3G#sh route-map FILTRO_BPOPULAR-3G
route-map FILTRO_BPOPULAR-3G, permit, sequence 10
Match clauses:
ip address prefix-lists: FILTRO_BPOPULAR-3G-LIST
Set clauses:
Policy routing matches: 0 packets, 0 bytes
TELM_INTERCONEXION3G#
sh ip prefix-list FILTRO_BPOPULAR-3G-LIST
ip prefix-list FILTRO_BPOPULAR-3G-LIST: 5 entries
seq 5 deny 172.24.10.5/32
seq 15 deny 10.11.4.56/29
seq 25 deny 10.3.0.0/24 ge 25
seq 35 deny 172.22.126.0/23
seq 50 permit 0.0.0.0/0 le 32
________________
TELM_INTERCONEXION3G#sh ip bgp vpnv4 vrf AvalBogBPO 10.200.8.0
BGP routing table entry for 100:16004:0.0.0.0/0, version 3463435
Paths: (1 available, best #1, table AvalBogBPO)
Not advertised to any peer
14080 64601
10.161.105.165 from 10.161.105.165 (10.10.66.107)
Origin IGP, localpref 50, valid, external, best
Extended Community: RT:100:16004
mpls labels in/out 6796/nolabel
TELM_INTERCONEXION3G#sh ip bgp vpnv4 vrf AvalBogBPO 172.16.116.0
BGP routing table entry for 100:16004:0.0.0.0/0, version 3463435
Paths: (1 available, best #1, table AvalBogBPO)
Not advertised to any peer
14080 64601
10.161.105.165 from 10.161.105.165 (10.10.66.107)
global-profiles dial
; -- Dial Profiles Configuration --
profile PPAL default
profile PPAL dialout
profile PPAL local-address 111111111
profile PPAL 3gpp-accessibility-control traffic 100 all
profile PPAL 3gpp-apn telmex.ath
profile PPAL 3gpp-restart-on-disc
;
profile BACKUP default
profile BACKUP dialout
profile BACKUP local-address 222222222
profile BACKUP 3gpp-accessibility-control traffic 100 all
profile BACKUP 3gpp-apn telmexath.comcel.com.co
profile BACKUP 3gpp-restart-on-disc
;
exit
;
global-profiles ppp
; -- PPP Profiles Configuration --
lcp-options cellular1/1 default
lcp-options cellular1/1 acfc
lcp-options cellular1/1 pfc
lcp-options cellular1/1 accm 0
;
exit
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
network cellular1/0
; -- Interface AT. Configuration --
coverage-timer 10
;
;
sim-select internal-socket-2
;
;
;
;
;
sim external-socket-1 pin ciphered 0xB3B6C6B3352F6A10
sim external-socket-1 local-address 222222222
sim internal-socket-2 pin ciphered 0x41EDDF31006925E8
sim internal-socket-2 local-address 111111111
sim supervision enable
sim return-criteria nsla-advisor 7
sim nsla-criteria nsla-advisor 5
;
network mode automatic
network domain cs+ps
exit
;
;
;
;
;
;
;
;
;
;
network ppp1
; -- Generic PPP User Configuration --
ip address unnumbered
;
;
;
;
;
ppp
; -- PPP Configuration --
ipcp local address assigned
no ipcp peer-route
lcp echo-req off
exit
;
base-interface
; -- Base Interface Configuration --
base-interface cellular1/1 link
base-interface cellular1/1 profile PPAL
;
exit
;
exit
;
;
network ppp2
; -- Generic PPP User Configuration --
ip address unnumbered
;
;
;
;
;
ppp
; -- PPP Configuration --
ipcp local address assigned
no ipcp peer-route
lcp echo-req off
exit
;
base-interface
; -- Base Interface Configuration --
base-interface cellular1/1 link
base-interface cellular1/1 profile BACKUP
;
exit
;
exit
;
;
network tnip1
; -- IP Tunnel Net Configuration --
ip address 10.1.0.6 255.255.255.252
;
;
;
;
;
enable
mode gre ip
source ppp1
destination 172.24.10.1
path-mtu-discovery
exit
;
;
network tnip2
; -- IP Tunnel Net Configuration --
ip address 10.6.0.14 255.255.255.252
;
;
;
;
;
enable
mode gre ip
source ppp2
destination 172.24.10.100
path-mtu-discovery
exit
;
;
network tnip3
; -- IP Tunnel Net Configuration --
ip address 10.136.16.22 255.255.255.252
;
;
;
;
;
enable
mode gre ip
source loopback10
destination 10.81.2.25
exit
;
;
network loopback100
; -- Loopback interface configuration --
protocol asrt
; -- ASRT Bridge user configuration --
bridge
irb
port ethernet0/0 1
no stp
no bridge-protocol ip
route-protocol ip
exit
;
;
protocol ip
; -- Internet protocol user configuration --
route 172.24.10.1 255.255.255.255 ppp1
route 10.129.0.10 255.255.255.255 tnip3
route 10.129.0.37 255.255.255.255 tnip3
route 10.129.0.61 255.255.255.255 tnip3
route 10.129.0.107 255.255.255.255 tnip3
route 10.129.0.113 255.255.255.255 tnip3
route 10.129.0.150 255.255.255.255 tnip3
route 10.129.3.44 255.255.255.255 tnip3
route 10.129.3.142 255.255.255.255 tnip3
route 10.130.0.50 255.255.255.255 tnip3
route 10.130.0.52 255.255.255.255 tnip3
route 10.130.0.53 255.255.255.255 tnip3
route 10.130.0.82 255.255.255.255 tnip3
route 10.130.0.176 255.255.255.255 tnip3
route 10.133.4.21 255.255.255.255 tnip3
route 10.136.1.27 255.255.255.255 tnip3
route 10.136.1.30 255.255.255.255 tnip3
route 192.168.10.65 255.255.255.255 tnip3
route 192.168.10.105 255.255.255.255 tnip3
route 10.81.2.25 255.255.255.255 tnip1
route 10.81.2.25 255.255.255.255 tnip2 230
route 172.24.10.100 255.255.255.255 ppp2
;
classless
;
ipsec
; -- IPSec user configuration --
enable
assign-access-list 100
;
template 1 default
10.136.1.27
ciphered
protocol snmp
; -- SNMP user configuration --
no default-config
;
community tmxc01ava1008RO subnet 10.161.103.70 255.255.255.255
;
host 192.168.125.245 trap version v1 tmxc01ava1008RO all
host 192.168.125.246 trap version v1 tmxc01ava1008RO all
;
trap sending-parameters time 3s
trap sending-parameters number 1
trap sending-parameters reachability-checking icmp
exit
;
feature mac-filtering
; -- MAC Filtering user configuration --
create list FILTRO
;
create filter input ethernet0/0
;
attach FILTRO 1
;
default exclude 1
enable all
update "FILTRO"
; -- MAC Filtering list configuration --
add source 00-00-00-00-00-00 00-00-00-00-00-00
exit
;
exit
;
feature nsm
; -- Network Service Monitor configuration --
operation 1
; -- NSM Operation configuration --
type echo ipicmp 10.1.0.5
frequency 3
timeout 1500
exit
;
operation 2
; -- NSM Operation configuration --
type echo ipicmp 10.6.0.13
frequency 3
timeout 1500
exit
;
schedule 1 life forever
schedule 1 start-time now
schedule 2 life forever
schedule 2 start-time now
exit
;
feature nsla
; -- Feature Network Service Level Advisor --
enable
;
filter 5 nsm-op 1 rtt
filter 5 significant-samples 5
filter 5 activation threshold 2000
filter 5 activation sensibility 80
filter 5 activation stabilization-time 60
filter 5 deactivation threshold 1500
filter 5 deactivation sensibility 80
filter 5 deactivation stabilization-time 25
;
filter 7 nsm-op 2 rtt
filter 7 significant-samples 5
filter 7 activation threshold 2000
filter 7 activation sensibility 80
filter 7 activation stabilization-time 60
filter 7 deactivation threshold 1500
filter 7 deactivation sensibility 80
filter 7 deactivation stabilization-time 25
;
alarm 5 filter-id 5
;
alarm 7 filter-id 7
;
advisor 5 alarm-id 5
;
advisor 7 alarm-id 7
;
exit
;
feature ssh
; -- SSH protocol configuration --
server
; -- SSH Server --
enable
exit
;
exit
;
;
;
dump-command-errors
end
TELDAT H1 Config>
8.1.1 Configuration for standard data service ... release..
p5
Config$
user teldat password teldat
;
feature ssh
; -- SSH protocol configuration --
server
(internet).
Por
(como
To disable telnet, set the maximum number of permitted sessions to 0, which means that no TCP socket will be opened for telnet.
set telnet
; -- Telnet user configuration --
set max-telnets 0
exit
;
8.1.2 Enable access lists to control access to device management via WAN/LAN.
The idea is that the access list only allows access to the device via SSH from the 10.X.X.X network.
p5
Config$
feature access-lists
; -- Access Lists user configuration --
access-list 100
;
; Entry 1: denies telnet toward the device's WAN.
entry 1 default
entry 1 deny
entry 1 destination port-range 23 23
entry 1 protocol tcp
;
; Entry 2: permits SSH
entry 2 default
entry 2 permit
entry 2 source address 10.0.0.0 255.0.0.0
entry 2 destination port-range 22 22
entry 2 protocol tcp
;
; Entry 3: permits other traffic that must go over the WAN
entry 3 default
entry 3 permit
entry 3 protocol tcp
This access list is then applied on the WAN interface, in the IN direction, for example:
network ethernet0/0.1
; -- Ethernet Subinterface Configuration --
ip access-group 100 in
;
;
;
;
;
exit
;
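The stated goal is SSH to the device only from 10.X.X.X, but with in-order, first-match evaluation an SSH packet from any other source skips entry 2 and is then permitted by entry 3. This added Python example (not part of the original manual, nor Teldat code) parses the entry syntax shown above and compares it with a constructed variant that denies the remaining TCP/22 before the general permit. Assumptions: entries are evaluated by ascending number with first match winning, unmatched traffic is denied, and the three entries shown are the whole list; the hardened list and the probe addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Entries of access-list 100 as configured on the page.
PAGE_ACL = """\
entry 1 default
entry 1 deny
entry 1 destination port-range 23 23
entry 1 protocol tcp
entry 2 default
entry 2 permit
entry 2 source address 10.0.0.0 255.0.0.0
entry 2 destination port-range 22 22
entry 2 protocol tcp
entry 3 default
entry 3 permit
entry 3 protocol tcp
"""

# Constructed variant: the general permit moves to entry 4 and a new
# entry 3 denies any SSH that entry 2 did not already permit.
HARDENED_ACL = PAGE_ACL.replace("entry 3", "entry 4") + """\
entry 3 default
entry 3 deny
entry 3 destination port-range 22 22
entry 3 protocol tcp
"""

@dataclass
class Entry:
    num: int
    action: str = "permit"  # assumed default action after "entry N default"
    protocol: Optional[str] = None
    source: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None

def parse_acl(text):
    """Parse 'entry N ...' lines into Entry objects ordered by entry number."""
    entries = {}
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()  # ';' starts a comment
        if len(tok) < 3 or tok[0] != "entry":
            continue
        e = entries.setdefault(int(tok[1]), Entry(int(tok[1])))
        if tok[2] in ("permit", "deny"):
            e.action = tok[2]
        elif tok[2] == "protocol":
            e.protocol = tok[3]
        elif tok[2:4] == ["source", "address"]:
            e.source = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        elif tok[2:4] == ["destination", "port-range"]:
            e.dport = (int(tok[4]), int(tok[5]))
    return [entries[n] for n in sorted(entries)]

def evaluate(acl, src, proto, dport):
    """Return (action, entry number) of the first entry matching the packet."""
    ip = ipaddress.ip_address(src)
    for e in acl:
        if e.protocol is not None and e.protocol != proto:
            continue
        if e.source is not None and ip not in e.source:
            continue
        if e.dport is not None and not e.dport[0] <= dport <= e.dport[1]:
            continue
        return e.action, e.num
    return "deny", None  # assumed implicit deny when nothing matches

if __name__ == "__main__":
    probes = [("10.20.30.40", 22), ("203.0.113.7", 22), ("203.0.113.7", 23)]
    for name, text in (("page", PAGE_ACL), ("hardened", HARDENED_ACL)):
        for src, port in probes:
            print(name, src, f"tcp/{port}", evaluate(parse_acl(text), src, "tcp", port))
```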
2. TACACS.
10
CONFIGURATION POLICIES.
TECHNICAL CASES
REFERENCE DOCUMENTS