// PROYECTO FINAL · SECCIÓN 1910-5472 · GRUPO VI · PUCMM

RESTAURANTE
HJS
RED DE ALTA DISPONIBILIDAD

Diseño, subnetting e implementación de una red multi-sede con 4 locales interconectados mediante Router-on-a-Stick + HSRP LAN/WAN. Bloque raíz 10.25.0.0/22, segmentación VLSM por VLAN, 24 VLANs activas y 24 rutas estáticas en el Router Matriz. La Sede Central se conecta a la Matriz vía Fibra Óptica (Gig0/3/0); las demás sedes vía Ethernet estándar.

4
Sedes
24
Rutas Estáticas
/22
Bloque Raíz
24
VLANs Totales
HSRP
LAN + WAN
SC
STEVEN W. CAPELLÁN SUÁREZ // 10163717
FUNDAMENTOS DE REDES · PROYECTO FINAL · LOCAL SUR & NORTE
HM
HAMLET MARTÍNEZ // 10166575
FUNDAMENTOS DE REDES · PROYECTO FINAL · LOCAL SANTIAGO
MÓDULO 01

ARQUITECTURA VLSM — SUBNETTING

El bloque raíz 10.25.0.0/22 (~1022 hosts) se divide entre las 4 sedes usando VLSM: cada VLAN recibe la máscara mínima que cubre sus hosts requeridos + las 3 IPs reservadas (.1 VIP, .2 R1, .3 R2). El bloque 10.25.3.192/27 está reservado exclusivamente para los 4 enlaces WAN, cada uno con una subred /29 (6 hosts útiles).

ENLACES WAN — 10.25.3.192/27 → 4× /29

SedeRed WAN /29VIP HSRP (.1)R1 (.2)R2 (.3)Router Matriz (.4)
Sede Central10.25.3.192/2910.25.3.19310.25.3.19410.25.3.19510.25.3.196
Local Santiago10.25.3.200/2910.25.3.20110.25.3.20210.25.3.20310.25.3.204
Local Norte10.25.3.208/2910.25.3.20910.25.3.21010.25.3.21110.25.3.212
Local Sur 10.25.3.216/2910.25.3.21710.25.3.21810.25.3.21910.25.3.220

SUBREDES LAN POR VLAN (VLSM)

CENTRAL
SANTIAGO
NORTE
SUR
VLANNombreRed / MáscaraVIP HSRPR1R2Rango DHCPHosts req.
20Contabilidad10.25.0.0/2710.25.0.110.25.0.210.25.0.310.25.0.4–3018
10Gerencia10.25.0.32/2710.25.0.3310.25.0.3410.25.0.3510.25.0.36–6215
40Compras10.25.0.64/2710.25.0.6510.25.0.6610.25.0.6710.25.0.68–9415
30Recursos Humanos10.25.0.96/2810.25.0.9710.25.0.9810.25.0.9910.25.0.100–11012
50IT10.25.0.112/2810.25.0.11310.25.0.11410.25.0.11510.25.0.116–12610
60Invitados10.25.0.128/2810.25.0.12910.25.0.13010.25.0.13110.25.0.132–14210
VLANNombreRed / MáscaraVIP HSRPR1R2Rango DHCPHosts req.
30Salón/Servicio10.25.1.0/2710.25.1.110.25.1.210.25.1.310.25.1.4–3025
60Clientes WiFi10.25.1.32/2710.25.1.3310.25.1.3410.25.1.3510.25.1.36–6225
20Cocina10.25.1.64/2710.25.1.6510.25.1.6610.25.1.6710.25.1.68–9420
40Caja/POS10.25.1.96/2810.25.1.9710.25.1.9810.25.1.9910.25.1.100–11012
10Administración10.25.1.112/2810.25.1.11310.25.1.11410.25.1.11510.25.1.116–12610
50IT10.25.1.128/2810.25.1.12910.25.1.13010.25.1.13110.25.1.132–1426
VLANNombreRed / MáscaraVIP HSRPR1R2Rango DHCPHosts req.
30Salón/Servicio10.25.2.0/2710.25.2.110.25.2.210.25.2.310.25.2.4–3022
60Clientes WiFi10.25.2.32/2710.25.2.3310.25.2.3410.25.2.3510.25.2.36–6220
20Cocina10.25.2.64/2710.25.2.6510.25.2.6610.25.2.6710.25.2.68–9418
40Caja/POS10.25.2.96/2810.25.2.9710.25.2.9810.25.2.9910.25.2.100–11010
10Administración10.25.2.112/2810.25.2.11310.25.2.11410.25.2.11510.25.2.116–1268
50IT10.25.2.128/2810.25.2.12910.25.2.13010.25.2.13110.25.2.132–1426
VLANNombreRed / MáscaraVIP HSRPR1R2Rango DHCPHosts req.
30Salón/Servicio10.25.3.0/2710.25.3.110.25.3.210.25.3.310.25.3.4–3020
60Clientes WiFi10.25.3.32/2710.25.3.3310.25.3.3410.25.3.3510.25.3.36–6218
20Cocina10.25.3.64/2710.25.3.6510.25.3.6610.25.3.6710.25.3.68–9415
10Administración10.25.3.96/2810.25.3.9710.25.3.9810.25.3.9910.25.3.100–1108
40Caja/POS10.25.3.112/2810.25.3.11310.25.3.11410.25.3.11510.25.3.116–1268
50IT10.25.3.128/2810.25.3.12910.25.3.13010.25.3.13110.25.3.132–1426
// JUSTIFICACIÓN DE MÁSCARA — VLSM
Para la VLAN 20 (18 hosts requeridos), se aplicó la máscara /27 porque 2⁵ − 2 = 30 hosts útiles, suficientes para cubrir los 18 hosts requeridos + 3 IPs de infraestructura reservadas (.1 VIP HSRP, .2 R1, .3 R2), totalizando 21 direcciones necesarias. Una máscara /28 solo ofrece 2⁴ − 2 = 14 IPs útiles, resultado insuficiente para los 21 requeridos. El mismo criterio se aplicó a todas las VLANs: /27 para VLANs con ≥15 hosts y /28 para VLANs con ≤12 hosts.
MÓDULO 02

ALTA DISPONIBILIDAD — HSRP LAN + WAN

Cada sede implementa HSRP en dos niveles: en las subinterfaces LAN (una por VLAN, grupo = ID VLAN) y en la interfaz WAN hacia el Router Matriz (grupo 1). Convención: .1 = VIP, .2 = R1 (Active, priority 110, preempt ON), .3 = R2 (Standby, priority 90). R1 recupera el rol Active automáticamente al volver en línea gracias al preempt. Si R1 falla, R2 hereda ambas IPs virtuales sin downtime perceptible.

La encapsulación dot1Q se configura en cada subinterfaz para etiquetar el tráfico por VLAN sobre el enlace troncal.

VIRTUAL IP
VIP — HSRP
GATEWAY
x.x.x.1
Nunca falla · shared
HSRP
FAILOVER AUTO
ACTIVE · PRIORITY 110
Router 1
R1
x.x.x.2
preempt habilitado
HELLO 3s
HOLD 10s
STANDBY · PRIORITY 90
Router 2
R2
x.x.x.3
sin preempt
GRUPO LAN = ID VLAN (VLAN 30 → standby group 30) · GRUPO WAN = 1 (fijo por sede)
R1-Sur — HSRP LAN · Preview VLAN 30 + 60
IOS CLI
! ── R1-Sur: subinterfaces dot1Q + HSRP LAN ─────────────────────
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.3.2 255.255.255.224   ! R1 física — .2
 standby 30 ip 10.25.3.1               ! VIP HSRP — gateway hosts
 standby 30 priority 110               ! ACTIVE
 standby 30 preempt

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.3.34 255.255.255.224
 standby 60 ip 10.25.3.33
 standby 60 priority 110
 standby 60 preempt

! ── R2-Sur: mismo VIP, prioridad 90, sin preempt ───────────────
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.3.3 255.255.255.224   ! R2 física — .3
 standby 30 ip 10.25.3.1               ! Mismo VIP
 standby 30 priority 90                ! STANDBY
// SEDE SUR — 10.25.3.x · WAN /29 → .216
R1-Sur + R2-Sur — 6 VLANs LAN + WAN (completo)
IOS CLI
! ════════════════════════════════════════════════════════════════
! SEDE SUR — R1-Sur: 6 subinterfaces dot1Q + HSRP LAN
! ════════════════════════════════════════════════════════════════

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.3.2 255.255.255.224   ! R1 — .2 | Red .0/27
 standby 30 ip 10.25.3.1               ! VIP HSRP
 standby 30 priority 110
 standby 30 preempt

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.3.34 255.255.255.224  ! R1 — .34 | Red .32/27
 standby 60 ip 10.25.3.33
 standby 60 priority 110
 standby 60 preempt

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.3.66 255.255.255.224  ! R1 — .66 | Red .64/27
 standby 20 ip 10.25.3.65
 standby 20 priority 110
 standby 20 preempt

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.3.98 255.255.255.240  ! R1 — .98 | Red .96/28
 standby 10 ip 10.25.3.97
 standby 10 priority 110
 standby 10 preempt

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.3.114 255.255.255.240 ! R1 — .114 | Red .112/28
 standby 40 ip 10.25.3.113
 standby 40 priority 110
 standby 40 preempt

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.3.130 255.255.255.240 ! R1 — .130 | Red .128/28
 standby 50 ip 10.25.3.129
 standby 50 priority 110
 standby 50 preempt

! ── R2-Sur: mismo VIP, prioridad 90, sin preempt ───────────────

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.3.3 255.255.255.224   ! R2 — .3
 standby 30 ip 10.25.3.1
 standby 30 priority 90

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.3.35 255.255.255.224  ! R2 — .35
 standby 60 ip 10.25.3.33
 standby 60 priority 90

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.3.67 255.255.255.224  ! R2 — .67
 standby 20 ip 10.25.3.65
 standby 20 priority 90

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.3.99 255.255.255.240  ! R2 — .99
 standby 10 ip 10.25.3.97
 standby 10 priority 90

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.3.115 255.255.255.240 ! R2 — .115
 standby 40 ip 10.25.3.113
 standby 40 priority 90

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.3.131 255.255.255.240 ! R2 — .131
 standby 50 ip 10.25.3.129
 standby 50 priority 90

! ── HSRP WAN Sur (10.25.3.216/29) ─────────────────────────────
! R1-Sur WAN
interface GigabitEthernet0/0
 ip address 10.25.3.218 255.255.255.248  ! R1 — .218 (.2 del /29)
 standby 1 ip 10.25.3.217               ! VIP WAN → next-hop Matriz
 standby 1 priority 110
 standby 1 preempt
 no shutdown

! R2-Sur WAN
interface GigabitEthernet0/0
 ip address 10.25.3.219 255.255.255.248  ! R2 — .219 (.3 del /29)
 standby 1 ip 10.25.3.217
 standby 1 priority 90
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.25.3.220   ! next-hop Router Matriz (.4)
// SEDE NORTE — 10.25.2.x · WAN /29 → .208
R1-Norte + R2-Norte — 6 VLANs LAN + WAN (completo)
IOS CLI
! ════════════════════════════════════════════════════════════════
! SEDE NORTE — R1-Norte: 6 subinterfaces dot1Q + HSRP LAN
! ════════════════════════════════════════════════════════════════

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.2.2 255.255.255.224   ! R1 — .2 | Red .0/27
 standby 30 ip 10.25.2.1
 standby 30 priority 110
 standby 30 preempt

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.2.34 255.255.255.224  ! R1 — .34 | Red .32/27
 standby 60 ip 10.25.2.33
 standby 60 priority 110
 standby 60 preempt

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.2.66 255.255.255.224  ! R1 — .66 | Red .64/27
 standby 20 ip 10.25.2.65
 standby 20 priority 110
 standby 20 preempt

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.2.98 255.255.255.240  ! R1 — .98 | Red .96/28
 standby 40 ip 10.25.2.97
 standby 40 priority 110
 standby 40 preempt

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.2.114 255.255.255.240 ! R1 — .114 | Red .112/28
 standby 10 ip 10.25.2.113
 standby 10 priority 110
 standby 10 preempt

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.2.130 255.255.255.240 ! R1 — .130 | Red .128/28
 standby 50 ip 10.25.2.129
 standby 50 priority 110
 standby 50 preempt

! ── R2-Norte: mismo VIP, prioridad 90, sin preempt ─────────────

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.2.3 255.255.255.224   ! R2 — .3
 standby 30 ip 10.25.2.1
 standby 30 priority 90

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.2.35 255.255.255.224  ! R2 — .35
 standby 60 ip 10.25.2.33
 standby 60 priority 90

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.2.67 255.255.255.224  ! R2 — .67
 standby 20 ip 10.25.2.65
 standby 20 priority 90

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.2.99 255.255.255.240  ! R2 — .99
 standby 40 ip 10.25.2.97
 standby 40 priority 90

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.2.115 255.255.255.240 ! R2 — .115
 standby 10 ip 10.25.2.113
 standby 10 priority 90

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.2.131 255.255.255.240 ! R2 — .131
 standby 50 ip 10.25.2.129
 standby 50 priority 90

! ── HSRP WAN Norte (10.25.3.208/29) ───────────────────────────
! R1-Norte WAN
interface GigabitEthernet0/0
 ip address 10.25.3.210 255.255.255.248  ! R1 — .210 (.2 del /29)
 standby 1 ip 10.25.3.209               ! VIP WAN → next-hop Matriz
 standby 1 priority 110
 standby 1 preempt
 no shutdown

! R2-Norte WAN
interface GigabitEthernet0/0
 ip address 10.25.3.211 255.255.255.248  ! R2 — .211 (.3 del /29)
 standby 1 ip 10.25.3.209
 standby 1 priority 90
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.25.3.212   ! next-hop Router Matriz (.4)
// SEDE SANTIAGO — 10.25.1.x · WAN /29 → .200
R1-Santiago + R2-Santiago — 6 VLANs LAN + WAN (completo)
IOS CLI
! ════════════════════════════════════════════════════════════════
! SEDE SANTIAGO — R1-Santiago: 6 subinterfaces dot1Q + HSRP LAN
! ════════════════════════════════════════════════════════════════

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.1.2 255.255.255.224   ! R1 — .2 | Red .0/27
 standby 30 ip 10.25.1.1
 standby 30 priority 110
 standby 30 preempt

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.1.34 255.255.255.224  ! R1 — .34 | Red .32/27
 standby 60 ip 10.25.1.33
 standby 60 priority 110
 standby 60 preempt

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.1.66 255.255.255.224  ! R1 — .66 | Red .64/27
 standby 20 ip 10.25.1.65
 standby 20 priority 110
 standby 20 preempt

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.1.98 255.255.255.240  ! R1 — .98 | Red .96/28
 standby 40 ip 10.25.1.97
 standby 40 priority 110
 standby 40 preempt

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.1.114 255.255.255.240 ! R1 — .114 | Red .112/28
 standby 10 ip 10.25.1.113
 standby 10 priority 110
 standby 10 preempt

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.1.130 255.255.255.240 ! R1 — .130 | Red .128/28
 standby 50 ip 10.25.1.129
 standby 50 priority 110
 standby 50 preempt

! ── R2-Santiago: mismo VIP, prioridad 90, sin preempt ──────────

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.1.3 255.255.255.224   ! R2 — .3
 standby 30 ip 10.25.1.1
 standby 30 priority 90

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.1.35 255.255.255.224  ! R2 — .35
 standby 60 ip 10.25.1.33
 standby 60 priority 90

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.1.67 255.255.255.224  ! R2 — .67
 standby 20 ip 10.25.1.65
 standby 20 priority 90

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.1.99 255.255.255.240  ! R2 — .99
 standby 40 ip 10.25.1.97
 standby 40 priority 90

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.1.115 255.255.255.240 ! R2 — .115
 standby 10 ip 10.25.1.113
 standby 10 priority 90

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.1.131 255.255.255.240 ! R2 — .131
 standby 50 ip 10.25.1.129
 standby 50 priority 90

! ── HSRP WAN Santiago (10.25.3.200/29) ────────────────────────
! R1-Santiago WAN
interface GigabitEthernet0/0
 ip address 10.25.3.202 255.255.255.248  ! R1 — .202 (.2 del /29)
 standby 1 ip 10.25.3.201               ! VIP WAN → next-hop Matriz
 standby 1 priority 110
 standby 1 preempt
 no shutdown

! R2-Santiago WAN
interface GigabitEthernet0/0
 ip address 10.25.3.203 255.255.255.248  ! R2 — .203 (.3 del /29)
 standby 1 ip 10.25.3.201
 standby 1 priority 90
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.25.3.204   ! next-hop Router Matriz (.4)
// SEDE CENTRAL — 10.25.0.x · WAN Fibra Gig0/3/0 → .192
R1-Central + R2-Central — 6 VLANs LAN + Fibra WAN (completo)
FIBER OPTIC · ÚNICO EN LA RED
! ════════════════════════════════════════════════════════════════
! SEDE CENTRAL — R1-Central: 6 subinterfaces dot1Q + HSRP LAN
! ════════════════════════════════════════════════════════════════

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.0.34 255.255.255.224  ! R1 — .34 | Red .32/27
 standby 10 ip 10.25.0.33
 standby 10 priority 110
 standby 10 preempt

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.0.2 255.255.255.224   ! R1 — .2 | Red .0/27
 standby 20 ip 10.25.0.1
 standby 20 priority 110
 standby 20 preempt

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.0.98 255.255.255.240  ! R1 — .98 | Red .96/28
 standby 30 ip 10.25.0.97
 standby 30 priority 110
 standby 30 preempt

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.0.66 255.255.255.224  ! R1 — .66 | Red .64/27
 standby 40 ip 10.25.0.65
 standby 40 priority 110
 standby 40 preempt

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.0.114 255.255.255.240 ! R1 — .114 | Red .112/28
 standby 50 ip 10.25.0.113
 standby 50 priority 110
 standby 50 preempt

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.0.130 255.255.255.240 ! R1 — .130 | Red .128/28
 standby 60 ip 10.25.0.129
 standby 60 priority 110
 standby 60 preempt

! ── R2-Central: mismo VIP, prioridad 90, sin preempt ───────────

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.25.0.35 255.255.255.224  ! R2 — .35
 standby 10 ip 10.25.0.33
 standby 10 priority 90

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.25.0.3 255.255.255.224   ! R2 — .3
 standby 20 ip 10.25.0.1
 standby 20 priority 90

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.25.0.99 255.255.255.240  ! R2 — .99
 standby 30 ip 10.25.0.97
 standby 30 priority 90

interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.25.0.67 255.255.255.224  ! R2 — .67
 standby 40 ip 10.25.0.65
 standby 40 priority 90

interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.25.0.115 255.255.255.240 ! R2 — .115
 standby 50 ip 10.25.0.113
 standby 50 priority 90

interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.25.0.131 255.255.255.240 ! R2 — .131
 standby 60 ip 10.25.0.129
 standby 60 priority 90

! ── HSRP WAN Central — Fibra Óptica Gig0/3/0 (10.25.3.192/29) ─
! Puerto especial Gig0/3/0 — módulo HWIC / SFP óptico
! R1-Central WAN
interface GigabitEthernet0/3/0
 ip address 10.25.3.194 255.255.255.248  ! R1 — .194 (.2 del /29)
 standby 1 ip 10.25.3.193               ! VIP WAN HSRP
 standby 1 priority 110
 standby 1 preempt
 no shutdown

! R2-Central WAN
interface GigabitEthernet0/3/0
 ip address 10.25.3.195 255.255.255.248  ! R2 — .195 (.3 del /29)
 standby 1 ip 10.25.3.193
 standby 1 priority 90
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.25.3.196   ! next-hop Router Matriz (.4)
MÓDULO 03 — SEGURIDAD

DHCP — EXCLUSIONES & POOLS CORRECTOS

Para evitar conflictos de IP, se aplica ip dhcp excluded-address antes de definir cada pool. Esto protege las 3 primeras IPs útiles de cada subred: .1 (VIP HSRP), .2 (R1) y .3 (R2), garantizando que el servidor DHCP nunca las asigne a un host. Los hosts solo reciben IPs desde .4 en adelante.

TABLA DE EXCLUSIONES — PATRÓN POR SEDE (ejemplo VLAN 30)

SedeComando ip dhcp excluded-addressRazón
Sede Central10.25.0.97 10.25.0.99Protege VIP (.97), R1 (.98), R2 (.99)
Local Santiago10.25.1.1 10.25.1.3Protege VIP (.1), R1 (.2), R2 (.3)
Local Norte10.25.2.1 10.25.2.3Protege VIP (.1), R1 (.2), R2 (.3)
Local Sur10.25.3.1 10.25.3.3Protege VIP (.1), R1 (.2), R2 (.3)
// CONVENCIÓN — SIEMPRE EXCLUIR PRIMERO
El mismo patrón se aplica a todas las VLANs de cada sede. Siempre se excluyen las primeras 3 IPs útiles. Así la VIP HSRP (.1) que ven los hosts nunca puede ser reasignada dinámicamente por DHCP, garantizando que el gateway sea inmutable e idempotente ante cualquier reinicio o renegociación.
SEDE CENTRAL — 6 pools (C_GERENCIA_V10 … C_INVIT_V60)
R1 + R2 idénticos
! ── SEDE CENTRAL — exclusiones + pools ─────────────────────────
ip dhcp excluded-address 10.25.0.33 10.25.0.35   ! VLAN 10 Gerencia
ip dhcp excluded-address 10.25.0.1  10.25.0.3    ! VLAN 20 Contabilidad
ip dhcp excluded-address 10.25.0.97 10.25.0.99   ! VLAN 30 RRHH
ip dhcp excluded-address 10.25.0.65 10.25.0.67   ! VLAN 40 Compras
ip dhcp excluded-address 10.25.0.113 10.25.0.115 ! VLAN 50 IT
ip dhcp excluded-address 10.25.0.129 10.25.0.131 ! VLAN 60 Invitados

ip dhcp pool GerenciaVLAN10
 network 10.25.0.32 255.255.255.224
 default-router 10.25.0.33
 dns-server 8.8.8.8

ip dhcp pool ContabilidadVLAN20
 network 10.25.0.0 255.255.255.224
 default-router 10.25.0.1
 dns-server 8.8.8.8

ip dhcp pool RRHHVLAN30
 network 10.25.0.96 255.255.255.240
 default-router 10.25.0.97
 dns-server 8.8.8.8

ip dhcp pool ComprasVLAN40
 network 10.25.0.64 255.255.255.224
 default-router 10.25.0.65
 dns-server 8.8.8.8

ip dhcp pool ITVLAN50
 network 10.25.0.112 255.255.255.240
 default-router 10.25.0.113
 dns-server 8.8.8.8

ip dhcp pool InvitadosVLAN60
 network 10.25.0.128 255.255.255.240
 default-router 10.25.0.129
 dns-server 8.8.8.8
LOCAL SANTIAGO — 6 pools (S_V10 … S_V60)
R1 + R2 idénticos
! ── LOCAL SANTIAGO — exclusiones + pools ────────────────────────
ip dhcp excluded-address 10.25.1.113 10.25.1.115 ! VLAN 10 Administración
ip dhcp excluded-address 10.25.1.65  10.25.1.67  ! VLAN 20 Cocina
ip dhcp excluded-address 10.25.1.1   10.25.1.3   ! VLAN 30 Salón/Servicio
ip dhcp excluded-address 10.25.1.97  10.25.1.99  ! VLAN 40 Caja/POS
ip dhcp excluded-address 10.25.1.129 10.25.1.131 ! VLAN 50 IT
ip dhcp excluded-address 10.25.1.33  10.25.1.35  ! VLAN 60 Clientes WiFi

ip dhcp pool S_V10
 network 10.25.1.112 255.255.255.240
 default-router 10.25.1.113
 dns-server 8.8.8.8

ip dhcp pool S_V20
 network 10.25.1.64 255.255.255.224
 default-router 10.25.1.65
 dns-server 8.8.8.8

ip dhcp pool S_V30
 network 10.25.1.0 255.255.255.224
 default-router 10.25.1.1
 dns-server 8.8.8.8

ip dhcp pool S_V40
 network 10.25.1.96 255.255.255.240
 default-router 10.25.1.97
 dns-server 8.8.8.8

ip dhcp pool S_V50
 network 10.25.1.128 255.255.255.240
 default-router 10.25.1.129
 dns-server 8.8.8.8

ip dhcp pool S_V60
 network 10.25.1.32 255.255.255.224
 default-router 10.25.1.33
 dns-server 8.8.8.8
LOCAL NORTE — 6 pools (N_V10 … N_V60)
R1 + R2 idénticos
! ── LOCAL NORTE — exclusiones + pools ──────────────────────────
ip dhcp excluded-address 10.25.2.113 10.25.2.115 ! VLAN 10 Administración
ip dhcp excluded-address 10.25.2.65  10.25.2.67  ! VLAN 20 Cocina
ip dhcp excluded-address 10.25.2.1   10.25.2.3   ! VLAN 30 Salón/Servicio
ip dhcp excluded-address 10.25.2.97  10.25.2.99  ! VLAN 40 Caja/POS
ip dhcp excluded-address 10.25.2.129 10.25.2.131 ! VLAN 50 IT
ip dhcp excluded-address 10.25.2.33  10.25.2.35  ! VLAN 60 Clientes WiFi

ip dhcp pool AdminVLAN10
 network 10.25.2.112 255.255.255.240
 default-router 10.25.2.113
 dns-server 8.8.8.8

ip dhcp pool CocinaVLAN20
 network 10.25.2.64 255.255.255.224
 default-router 10.25.2.65
 dns-server 8.8.8.8

ip dhcp pool SalonVLAN30
 network 10.25.2.0 255.255.255.224
 default-router 10.25.2.1
 dns-server 8.8.8.8

ip dhcp pool CajaVLAN40
 network 10.25.2.96 255.255.255.240
 default-router 10.25.2.97
 dns-server 8.8.8.8

ip dhcp pool ITVLAN50
 network 10.25.2.128 255.255.255.240
 default-router 10.25.2.129
 dns-server 8.8.8.8

ip dhcp pool Wifi-VLAN60
 network 10.25.2.32 255.255.255.224
 default-router 10.25.2.33
 dns-server 8.8.8.8
LOCAL SUR — 6 pools (ADMIN_V10 … WIFI_V60)
R1 + R2 idénticos
! ── LOCAL SUR — exclusiones + pools ────────────────────────────
ip dhcp excluded-address 10.25.3.97  10.25.3.99  ! VLAN 10 Administración
ip dhcp excluded-address 10.25.3.65  10.25.3.67  ! VLAN 20 Cocina
ip dhcp excluded-address 10.25.3.1   10.25.3.3   ! VLAN 30 Salón/Servicio
ip dhcp excluded-address 10.25.3.113 10.25.3.115 ! VLAN 40 Caja/POS
ip dhcp excluded-address 10.25.3.129 10.25.3.131 ! VLAN 50 IT
ip dhcp excluded-address 10.25.3.33  10.25.3.35  ! VLAN 60 Clientes WiFi

ip dhcp pool AdminVLAN10
 network 10.25.3.96 255.255.255.240
 default-router 10.25.3.97
 dns-server 8.8.8.8

ip dhcp pool CocinaaVLAN20
 network 10.25.3.64 255.255.255.224
 default-router 10.25.3.65
 dns-server 8.8.8.8

ip dhcp pool SalonVLAN30
 network 10.25.3.0 255.255.255.224
 default-router 10.25.3.1
 dns-server 8.8.8.8

ip dhcp pool CajaVALAN40
 network 10.25.3.112 255.255.255.240
 default-router 10.25.3.113
 dns-server 8.8.8.8

ip dhcp pool ITVLAN50
 network 10.25.3.128 255.255.255.240
 default-router 10.25.3.129
 dns-server 8.8.8.8

ip dhcp pool Wifi-VLAN60
 network 10.25.3.32 255.255.255.224
 default-router 10.25.3.33
 dns-server 8.8.8.8

! ── VERIFICACIÓN ────────────────────────────────────────────────
show ip dhcp pool
show ip dhcp binding           ! Confirmar VIP (.1) como gateway
MÓDULO 04

ROUTER MATRIZ — 24 RUTAS ESTÁTICAS

El Router Matriz no tiene HSRP, VLANs ni DHCP. Su función exclusiva es el enrutamiento inter-sede con 24 rutas estáticas. El next-hop de cada ruta es la VIP HSRP WAN (.1) de la sede destino, haciendo el failover R1→R2 transparente para el Matriz.

PUERTOS DEL ROUTER-MATRIZ

PuertoSedeIP MatrizMedio
Gig0/0Local Santiago10.25.3.204Ethernet
Gig0/1Local Norte10.25.3.212Ethernet
Gig0/2Local Sur10.25.3.220Ethernet
Gig0/3/0Sede Central 10.25.3.196⬡ Fibra Óptica
// NOTA — LOCAL NORTE usa Gig0/1
El Local Norte se conecta al Router-Matriz a través del puerto Gig0/1 (no Gig0/0). La Sede Central es la única sede con enlace de Fibra Óptica usando el puerto Gig0/3/0 (módulo HWIC/SFP óptico), con IP de Matriz 10.25.3.196.
ROUTER MATRIZ — 24 RUTAS ESTÁTICAS COMPLETAS
next-hop = VIP HSRP WAN
! ── SEDE CENTRAL (next-hop: 10.25.3.193) ───────────────────────
ip route 10.25.0.0   255.255.255.224 10.25.3.193   ! V20 Contabilidad
ip route 10.25.0.32  255.255.255.224 10.25.3.193   ! V10 Gerencia
ip route 10.25.0.64  255.255.255.224 10.25.3.193   ! V40 Compras
ip route 10.25.0.96  255.255.255.240 10.25.3.193   ! V30 RRHH
ip route 10.25.0.112 255.255.255.240 10.25.3.193   ! V50 IT
ip route 10.25.0.128 255.255.255.240 10.25.3.193   ! V60 Invitados

! ── LOCAL SANTIAGO (next-hop: 10.25.3.201) ─────────────────────
ip route 10.25.1.0   255.255.255.224 10.25.3.201   ! V30 Salón
ip route 10.25.1.32  255.255.255.224 10.25.3.201   ! V60 Clientes WiFi
ip route 10.25.1.64  255.255.255.224 10.25.3.201   ! V20 Cocina
ip route 10.25.1.96  255.255.255.240 10.25.3.201   ! V40 Caja/POS
ip route 10.25.1.112 255.255.255.240 10.25.3.201   ! V10 Administración
ip route 10.25.1.128 255.255.255.240 10.25.3.201   ! V50 IT

! ── LOCAL NORTE (next-hop: 10.25.3.209) ────────────────────────
ip route 10.25.2.0   255.255.255.224 10.25.3.209   ! V30 Salón
ip route 10.25.2.32  255.255.255.224 10.25.3.209   ! V60 Clientes WiFi
ip route 10.25.2.64  255.255.255.224 10.25.3.209   ! V20 Cocina
ip route 10.25.2.96  255.255.255.240 10.25.3.209   ! V40 Caja/POS
ip route 10.25.2.112 255.255.255.240 10.25.3.209   ! V10 Administración
ip route 10.25.2.128 255.255.255.240 10.25.3.209   ! V50 IT

! ── LOCAL SUR  (next-hop: 10.25.3.217) ───────────────────────
ip route 10.25.3.0   255.255.255.224 10.25.3.217   ! V30 Salón
ip route 10.25.3.32  255.255.255.224 10.25.3.217   ! V60 Clientes WiFi
ip route 10.25.3.64  255.255.255.224 10.25.3.217   ! V20 Cocina
ip route 10.25.3.96  255.255.255.240 10.25.3.217   ! V10 Administración
ip route 10.25.3.112 255.255.255.240 10.25.3.217   ! V40 Caja/POS
ip route 10.25.3.128 255.255.255.240 10.25.3.217   ! V50 IT

! ── VERIFICACIÓN ────────────────────────────────────────────────
show ip route static
show ip route summary
#DestinoMáscaraNext-Hop (VIP WAN)VLANSede
// SEDE CENTRAL — next-hop 10.25.3.193
110.25.0.0/2710.25.3.193V20Central
210.25.0.32/2710.25.3.193V10Central
310.25.0.64/2710.25.3.193V40Central
410.25.0.96/2810.25.3.193V30Central
510.25.0.112/2810.25.3.193V50Central
610.25.0.128/2810.25.3.193V60Central
// LOCAL SANTIAGO — next-hop 10.25.3.201
710.25.1.0/2710.25.3.201V30Santiago
810.25.1.32/2710.25.3.201V60Santiago
910.25.1.64/2710.25.3.201V20Santiago
1010.25.1.96/2810.25.3.201V40Santiago
1110.25.1.112/2810.25.3.201V10Santiago
1210.25.1.128/2810.25.3.201V50Santiago
// LOCAL NORTE — next-hop 10.25.3.209
1310.25.2.0/2710.25.3.209V30Norte
1410.25.2.32/2710.25.3.209V60Norte
1510.25.2.64/2710.25.3.209V20Norte
1610.25.2.96/2810.25.3.209V40Norte
1710.25.2.112/2810.25.3.209V10Norte
1810.25.2.128/2810.25.3.209V50Norte
// LOCAL SUR — next-hop 10.25.3.217
1910.25.3.0/2710.25.3.217V30Sur
2010.25.3.32/2710.25.3.217V60Sur
2110.25.3.64/2710.25.3.217V20Sur
2210.25.3.96/2810.25.3.217V10Sur
2310.25.3.112/2810.25.3.217V40Sur
2410.25.3.128/2810.25.3.217V50Sur
MÓDULO 05 — RESULTADOS

VERIFICACIÓN — STATUS: SUCCESSFUL

Validación end-to-end con pings entre todas las sedes. Verificaciones con show standby brief, show ip route y prueba de failover apagando R1 con ping continuo activo.

COMANDOS DE VERIFICACIÓN

ComandoPropósito
show standby briefConfirma roles Active/Standby y VIP activa por VLAN
show ip routeVerifica las 24 rutas estáticas en el Router-Matriz
show ip dhcp bindingValida que los hosts reciben la VIP (.1) como gateway
show ip dhcp poolConfirma los rangos y exclusiones de cada pool
ping <IP_sede_remota>Conectividad extremo a extremo entre sedes (0% loss)
// EVIDENCIA FAILOVER — HSRP STATE CHANGE LOG ● LIVE SIMULATION
*Mar 1 00:04:12.331:R1-Sur# interface GigabitEthernet0/1.30 shutdown
*Mar 1 00:04:15.021:%HSRP-6-STATECHANGE: Gi0/1.30 Grp 30 state Active -> Init
*Mar 1 00:04:15.022:%HSRP-6-STATECHANGE: Gi0/0 Grp 1 state Active -> Init
*Mar 1 00:04:15.890:R2-Sur# [HSRP] Hold timer expired — probing for Active...
*Mar 1 00:04:18.441:%HSRP-6-STATECHANGE: Gi0/1.30 Grp 30 state Standby -> Active
*Mar 1 00:04:18.442:%HSRP-6-STATECHANGE: Gi0/0 Grp 1 state Standby -> Active
*Mar 1 00:04:18.443:%HSRP: VIP 10.25.3.1 now owned by R2-Sur (priority 90)
*Mar 1 00:04:19.100:Ping 10.25.0.1 → 10.25.3.1 ... !!!!! success rate 100%
FAILOVER TIME: ~6s (Hold 10s - Hello 3s) HOSTS MANTUVIERON CONECTIVIDAD
RESULTADO FINAL
MISSION ACCOMPLISHED
6/6
PINGS OK
24
RUTAS ACTIVAS
24
VLANs TOTALES
~6s
FAILOVER TIME
SC
STEVEN W. CAPELLÁN SUÁREZ
// KROKO · CIBERSEGURIDAD · LOCAL SUR & NORTE · SECCIÓN 1910-5472 · PUCMM
REDES TCP/IPCISCO IOSVLSM HSRP LAN/WAN ROUTER-ON-A-STICKDHCPSTATIC ROUTING
HM
HAMLET MARTÍNEZ
// CIBERSEGURIDAD · LOCAL SANTIAGO · SECCIÓN 1910-5472 · PUCMM
REDES TCP/IPCISCO IOSVLSM HSRP LAN/WAN ROUTER-ON-A-STICKDHCPSTATIC ROUTING
📦 DESCARGAR PROYECTO .PKT CISCO PACKET TRACER · HJS-NETWORK.PKT
MÓDULO 06

RESUMEN DE INFRAESTRUCTURA

Referencia rápida de conectividad WAN, rangos de hosts por VLAN y comandos de verificación para el proyecto HJS Network. Cada sede enlaza al Router Matriz vía su subred /29 usando HSRP WAN (grupo 1). Los DHCP Pools asignan IPs desde la .4 debido a las exclusiones de VIP, R1 y R2.

TABLA DE CONECTIVIDAD WAN → ROUTER MATRIZ (.4)

Sede Red WAN /29 VIP HSRP (.1) R1 (.2) R2 (.3) Router Matriz (.4)
Sede Central 10.25.3.192/29 10.25.3.193 10.25.3.194 10.25.3.195 10.25.3.196
Local Santiago 10.25.3.200/29 10.25.3.201 10.25.3.202 10.25.3.203 10.25.3.204
Local Norte 10.25.3.208/29 10.25.3.209 10.25.3.210 10.25.3.211 10.25.3.212
Local Sur 10.25.3.216/29 10.25.3.217 10.25.3.218 10.25.3.219 10.25.3.220
// REFERENCIA DE HOSTS — PRIMERA IP ASIGNABLE POR VLAN
Las PCs de cada VLAN inician en la IP .4 porque las primeras 3 IPs útiles de cada subred están excluidas del DHCP Pool: .1VIP HSRP (gateway de hosts), .2 → R1 (Active), .3 → R2 (Standby). Esta exclusión garantiza que ningún host reciba por DHCP una dirección reservada para infraestructura.

TERMINAL INTERACTIVA — PINGS DE DEFENSA

PING TERMINAL — HJS Network · Pruebas de conectividad
// IP o nombre inválido