====== ITCORP Bogotá — Network Infrastructure Audit and Optimization ======
**Date:** May 2025\\
**Engineer:** Antonio Perez\\
**Scope:** H3C 4800G switch · Aruba IAP 325 AP · Proxmox HPE G9 · Proxmox Dell R720
----
===== 1. H3C 4800G Switch Audit =====
==== 1.1 Critical findings ====
^ Item ^ Status ^ Action ^
| STP | Disabled (''stp disable'') | Enable RSTP + edged-port on access ports |
| Passwords | Clear text (''simple'') | Migrate to ''cipher'' |
| SNMP | ''public/private'' communities with write access | Change to non-default names + ACL |
| Telnet | Enabled without ACL | Disable, leave only SSH |
| Test port GE1/0/7 | Trunk for all VLANs, active | Shut down when not in use |
| MTU | Not configured (default 1500) | Jumbo frames on VMware ports |
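Added example, not from the original report: a small Python audit that scans a Comware 5 ''display current-configuration'' dump for the findings in the table above (STP disabled, ''simple'' passwords, default SNMP communities, Telnet enabled, trunk-all ports), so the same check can be rerun once the pending hardening is done. Both config excerpts are constructed, and the exact line formats are assumptions based on Comware 5 syntax.

```python
import re
# Constructed excerpt of a Comware 5 'display current-configuration', not the
# real 4800G config; it reproduces the weaknesses listed in table 1.1.
WEAK_CONFIG = """\
 stp disable
 telnet server enable
 snmp-agent community read public
 snmp-agent community write private
#
local-user admin
 password simple admin123
#
interface GigabitEthernet1/0/7
 port link-type trunk
 port trunk permit vlan all
#
"""
# Constructed 'after' state: RSTP on, Telnet absent, SNMP renamed and bound to an
# ACL, password stored as cipher (placeholder value, not a real hash).
HARDENED_CONFIG = """\
 stp enable
 snmp-agent community read Mon-RO-2025 acl 2000
#
local-user admin
 password cipher <cipher-text>
#
"""
def audit_h3c_config(config: str) -> list[str]:
    """Return one finding per table 1.1 weakness present in the config text."""
    findings = []
    context = None  # the local-user or interface block the line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("local-user ", "interface ")):
            context = line
        elif line == "#":
            context = None  # Comware closes every block with a '#' line
        if line == "stp disable":
            findings.append("STP disabled: enable RSTP and edged-port on access ports")
        elif line == "telnet server enable":
            findings.append("Telnet enabled: disable it and keep SSH only")
        elif line.startswith("password simple ") and context:
            findings.append(f"{context}: clear-text password, migrate to cipher")
        elif line == "port trunk permit vlan all" and context:
            findings.append(f"{context}: trunk permitting all VLANs, shut down if unused")
        else:
            m = re.match(r"snmp-agent community (read|write) (\S+)(?: acl \d+)?$", line)
            if m and m.group(2) in ("public", "private"):
                findings.append(f"SNMP community '{m.group(2)}' with {m.group(1)} access: rename it and bind an ACL")
    return findings
```

Feed it the output of ''display current-configuration'' saved from the switch; an empty list means none of the table's weaknesses remain.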
==== 1.2 Configured VLANs ====
^ VLAN ^ Name ^ Gateway ^ Subnet ^ Note ^
| 1 | Default | 10.57.0.1/24 | 10.57.0.0/24 | Switch management |
| 2 | DMZ | — | — | No L3 interface |
| 3 | Internet | — | — | No IGMP querier |
| 4 | Invitados | 10.57.2.1/24 | 10.57.2.0/24 | Expanded from /30 to /24 |
| 5 | VoIP | 10.57.4.1/24 | 10.57.4.0/24 | |
| 6 | Sistemas | 10.57.8.1/24 | 10.57.8.0/24 | |
| 7 | IoT | 10.57.10.1/24 | 10.57.10.0/24 | |
| 8 | Ventas | 10.57.12.1/24 | 10.57.12.0/24 | SSID ITCORP |
| 9 | Operaciones | 10.57.14.1/24 | 10.57.14.0/24 | |
| 10 | Laboratorio | 10.57.16.1/24 | 10.57.16.0/24 | |
| 11 | Impresoras | 10.57.18.1/24 | 10.57.18.0/24 | |
| 12 | DMZ2 | — | — | SonicWall X6 port |
==== 1.3 Changes applied on the switch ====
=== VLAN 4 — Subnet expansion ===
<code>
system-view
interface Vlan-interface4
description VLAN 4 INVITADOS
undo ip address 10.57.2.1 255.255.255.252
ip address 10.57.2.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
quit
save force
</code>
=== User ports — moved to VLAN 8 ===
Ports GE1/0/1-2, 4-6, 8-14, 16-29, 33, 35, 38-39 moved to VLAN 8 as access ports, with ''undo description''.
=== LACP BAGG1 — Proxmox Dell R720 ===
<code>
system-view
interface Bridge-Aggregation1
description PROXMOX-DELL-R720-10.57.0.240-LACP3x1G
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
quit
interface GigabitEthernet1/0/41
port link-aggregation group 1
interface GigabitEthernet1/0/42
port link-aggregation group 1
interface GigabitEthernet1/0/43
port link-aggregation group 1
interface GigabitEthernet1/0/44
undo port link-aggregation group 1
port access vlan 8
quit
save force
</code>
=== LACP BAGG2 — Proxmox HPE G9 ===
<code>
system-view
interface Bridge-Aggregation2
description PROXMOX 10.57.0.122
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
quit
interface GigabitEthernet1/0/11
port link-aggregation group 2
interface GigabitEthernet1/0/12
port link-aggregation group 2
interface GigabitEthernet1/0/13
port link-aggregation group 2
interface GigabitEthernet1/0/14
port link-aggregation group 2
quit
save force
</code>
==== 1.4 Key port map ====
^ Port ^ Description ^ Config ^ VLAN ^
| GE1/0/3 | Printer 10.57.18.3 | Access | 11 |
| GE1/0/7 | Proxmox 10.57.0.240 (spare trunk) | Trunk | — |
| GE1/0/10 | iLO HPE G9 10.57.0.122 | Trunk | 1 |
| GE1/0/11-14 | Proxmox HPE G9 (BAGG2) | LACP | All |
| GE1/0/15 | Sales VoIP+data | Hybrid PVID8 | 5t+8u |
| GE1/0/32 | Bridge HUE (IoT) | Access | 7 |
| GE1/0/37 | SonicWall X6 | Access | 12 |
| GE1/0/40 | iDRAC Dell R720 (LOM1) | Trunk | 1 |
| GE1/0/41-43 | Proxmox Dell R720 (BAGG1) | LACP | All |
| GE1/0/45 | AP Aruba 10.57.0.90 | Trunk | All |
| GE1/0/46 | VMware 10.57.0.130 | Trunk | All |
| GE1/0/47 | VMware 10.57.0.100 | Trunk | All |
| GE1/0/48 | SonicWall X0 10.57.0.2 | Trunk | All |
----
===== 2. WLAN Audit and Optimization — Aruba IAP 325 =====
**Hardware:** Aruba AP-325 · ArubaOS Instant 8.7.1.0 · Virtual Controller\\
**Management IP:** 10.57.0.90 · **Regulatory domain:** US (FCC hardware, not changeable)
==== 2.1 Findings ====
^ Parameter ^ Problem ^ Fix ^
| opmode | TKIP enabled (insecure) | WPA2-AES only |
| max-tx-power | 127 (no real limit) | Limited to 20 dBm |
| DSCP WMM | Voice=6, Video/BE/BK=7 (incorrect) | Corrected per RFC 4594 |
| WMM shares | BK=BE=90, Video=Voice=70 (inverted) | Voice=100, Video=90, BE=70, BK=40 |
| wireless-containment | none | deauth-only |
| AirGroup | allowall + 11 active services | Only AirPlay, AirPrint, GoogleCast |
| broadcast-filter | none | arp (proxy ARP) |
| dot11r / OKC | absent | Enabled (fast roaming for Mac) |
| country | US | FCC hardware — not changeable |
==== 2.2 Changes applied ====
=== Correct commit flow on Instant 8.7 ===
<code>
configure terminal
[changes]
end
commit apply
write mem
</code>
> **Note:** ''commit apply'' only works from the normal prompt (outside config mode). Leaving config mode with ''exit'' does NOT persist the changes.
=== ARM — power and RF ===
<code>
configure terminal
arm
min-tx-power 12
max-tx-power 20
band-steering-mode prefer-5ghz
client-aware
scanning
exit
end
commit apply
write mem
</code>
> **Note:** ''80mhz-support disable'' and ''virtual-controller-country CO'' are not valid on this build/hardware.
=== IDS — rogue AP containment ===
<code>
configure terminal
ids
wireless-containment deauth-only
exit
end
commit apply
write mem
</code>
=== SSID ITCORP — encryption, QoS and roaming ===
<code>
configure terminal
wlan ssid-profile ITCORP
opmode wpa2-psk-aes
broadcast-filter arp
wmm-voice-dscp 46
wmm-video-dscp 34
wmm-best-effort-dscp 0
wmm-background-dscp 8
wmm-voice-share 100
wmm-video-share 90
wmm-best-effort-share 70
wmm-background-share 40
dot11r
okc
exit
end
commit apply
write mem
</code>
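As an added check (not part of the report or of Aruba's tooling), this Python script parses the ITCORP ssid-profile as ''show running-config'' prints it and flags every deviation from the target state just applied: TKIP still offered in ''opmode'', DSCP values that differ from RFC 4594, WMM shares not ordered by priority, and missing ''dot11r''/''okc''. Both excerpts are constructed from tables 2.1 and 2.2; the mixed-mode ''opmode'' string in the "before" state is an assumption.

```python
# Constructed 'before' (table 2.1) and 'after' (section 2.2) excerpts of the ITCORP
# ssid-profile as 'show running-config' prints it; neither is a capture from the AP.
BEFORE = """\
wlan ssid-profile ITCORP
 opmode wpa-psk-tkip,wpa2-psk-aes
 wmm-voice-dscp 6
 wmm-video-dscp 7
 wmm-best-effort-dscp 7
 wmm-background-dscp 7
 wmm-voice-share 70
 wmm-video-share 70
 wmm-best-effort-share 90
 wmm-background-share 90
"""
AFTER = """\
wlan ssid-profile ITCORP
 opmode wpa2-psk-aes
 wmm-voice-dscp 46
 wmm-video-dscp 34
 wmm-best-effort-dscp 0
 wmm-background-dscp 8
 wmm-voice-share 100
 wmm-video-share 90
 wmm-best-effort-share 70
 wmm-background-share 40
 dot11r
 okc
"""
# DSCP per access category adopted in 2.2 (RFC 4594: EF, AF41, DF, CS1), high to low.
TARGET_DSCP = {"voice": 46, "video": 34, "best-effort": 0, "background": 8}
def check_ssid_profile(text: str) -> list[str]:
    """Return every deviation of an Instant ssid-profile from the 2.2 target state."""
    settings = {}
    for raw in text.splitlines()[1:]:  # skip the 'wlan ssid-profile' header line
        key, _, value = raw.strip().partition(" ")
        settings[key] = value  # bare keywords such as dot11r map to ""
    issues = []
    if "tkip" in settings.get("opmode", ""):
        issues.append(f"opmode '{settings['opmode']}' still offers TKIP; use wpa2-psk-aes only")
    for ac, dscp in TARGET_DSCP.items():
        actual = settings.get(f"wmm-{ac}-dscp")
        if actual != str(dscp):
            issues.append(f"wmm-{ac}-dscp is {actual}, RFC 4594 value is {dscp}")
    shares = [int(settings.get(f"wmm-{ac}-share", 0)) for ac in TARGET_DSCP]
    if shares != sorted(shares, reverse=True):
        issues.append(f"WMM shares {shares} do not descend voice, video, best-effort, background")
    for keyword in ("dot11r", "okc"):
        if keyword not in settings:
            issues.append(f"{keyword} missing: fast roaming not enabled")
    return issues
```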
=== AirGroup — service cleanup ===
<code>
configure terminal
airgroupservice itunes
disable
exit
airgroupservice remotemgmt
disable
exit
airgroupservice sharing
disable
exit
airgroupservice AmazonTV
disable
exit
airgroupservice DIAL
disable
exit
airgroupservice "DLNA Media"
disable
exit
airgroupservice "DLNA Print"
disable
exit
airgroupservice allowall
disable
exit
end
commit apply
write mem
</code>
=== SSID IoT — VLAN 7 ===
<code>
configure terminal
wlan access-rule IoT
index 4
rule any any match any any any permit
exit
wlan ssid-profile IoT
enable
essid IoT
wpa-passphrase
opmode wpa2-psk-aes
vlan 7
rf-band all
broadcast-filter arp
dtim-period 3
max-clients-threshold 32
wmm-background-dscp 8
wmm-best-effort-dscp 0
wmm-video-dscp 0
wmm-voice-dscp 0
wmm-background-share 40
wmm-best-effort-share 50
wmm-video-share 50
wmm-voice-share 50
exit
end
commit apply
write mem
</code>
==== 2.3 Final SSID state ====
^ SSID ^ VLAN ^ Security ^ Band ^ DTIM ^ Purpose ^
| ITCORP | 8 | WPA2-PSK-AES | 2.4+5GHz | 1 | Corporate |
| IoT | 7 | WPA2-PSK-AES | 2.4+5GHz | 3 | IoT devices |
==== 2.4 Final AirGroup state ====
^ Service ^ Status ^
| AirPlay | Enabled |
| AirPrint | Enabled |
| GoogleCast | Enabled |
| iTunes | Disabled |
| RemoteMgmt | Disabled |
| Sharing | Disabled |
| AmazonTV | Disabled |
| DIAL | Disabled |
| DLNA Media | Disabled |
| DLNA Print | Disabled |
| allowall | Disabled |
==== 2.5 Hardware limitations — Aruba IAP 325 FCC ====
^ Command ^ Result ^ Reason ^
| ''virtual-controller-country CO'' | Error — invalid code | FCC/US-certified hardware |
| ''80mhz-support disable'' | Parse error | Not supported on this Instant build |
| ''client-isolation'' in ssid-profile | Parse error | Not available on standalone Instant 8.7 |
| ''client-isolation'' in access-rule | Parse error | Not available on standalone Instant 8.7 |
| ''commit apply'' inside config mode | Parse error | Only works outside config mode |
----
===== 3. LACP Proxmox HPE ProLiant G9 (10.57.0.122) =====
**Hardware:** HPE ProLiant · 4 NICs (nic0-nic3) · ArubaOS Instant 8.7\\
**Recovery access:** iLO — ILOMXQ54702SY.ITC.LOCAL
==== 3.1 Initial problem ====
The server was unreachable on the network. Only nic2 was active, as the uplink of vmbr0, with no bond configured.
==== 3.2 Diagnosis ====
<code>
# Only nic2 UP, as the master of vmbr0
# nic0, nic1, nic3 DOWN and unused
ip link show
</code>
==== 3.3 Configuration applied ====
**File ''/etc/network/interfaces'':**
<code>
auto lo
iface lo inet loopback

iface nic0 inet manual
iface nic1 inet manual
iface nic2 inet manual
iface nic3 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves nic0 nic1 nic2 nic3
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3
    bond-lacp-rate fast

auto vmbr0
iface vmbr0 inet static
    address 10.57.0.122/24
    gateway 10.57.0.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0

source /etc/network/interfaces.d/*
</code>
**Applying:**
<code>
ifdown vmbr0; ifdown nic2; ifup bond0; ifup vmbr0
</code>
==== 3.4 Result ====
^ Slave ^ NIC ^ Switch ^ Status ^
| nic0 | enp2s0f0 | GE1/0/11 | Active ✓ |
| nic1 | enp2s0f1 | GE1/0/12 | Active ✓ |
| nic2 | enp2s0f2 | GE1/0/13 | Active ✓ |
| nic3 | enp2s0f3 | GE1/0/14 | Active ✓ |
**Aggregate bandwidth:** 4 x 1Gbps = 4Gbps\\
**Partner MAC (switch):** 20:fd:f1:8f:42:00
> **Pending:** Verify persistence after reboot.
----
===== 4. LACP Proxmox Dell PowerEdge R720 (10.57.0.240) =====
**Hardware:** Dell PowerEdge R720 · iDRAC7 Express · 4 LOM NICs\\
**Recovery access:** iDRAC — 10.57.0.220
==== 4.1 Port architecture ====
^ Server port ^ NIC ^ MAC ^ Switch ^ Role ^
| iDRAC LOM1 | nic2 (enp1s0f0) | f8:bc:12:44:17:48 | GE1/0/40 | iDRAC management |
| LOM2 | nic3 (enp1s0f1) | f8:bc:12:44:17:49 | GE1/0/41 | LACP |
| LOM3 | nic0 (enp2s0f0) | f8:bc:12:44:17:4a | GE1/0/42 | LACP |
| LOM4 | nic1 (enp2s0f1) | f8:bc:12:44:17:4b | GE1/0/43 | LACP |
==== 4.2 Note on iDRAC7 Express ====
> The iDRAC7 Express **has no dedicated physical port** — only the iDRAC7 Enterprise does. The iDRAC shares LOM1 with the operating system. GE1/0/40 is connected to LOM1 and is reserved for the iDRAC. LOM1 (nic2/enp1s0f0) was excluded from the bond to avoid an LACP conflict.
==== 4.3 Configuration applied ====
**File ''/etc/network/interfaces'':**
<code>
auto lo
iface lo inet loopback

iface enp1s0f0 inet manual
iface enp1s0f1 inet manual
iface enp2s0f0 inet manual
iface enp2s0f1 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves enp1s0f1 enp2s0f0 enp2s0f1
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3
    bond-lacp-rate fast

auto vmbr0
iface vmbr0 inet static
    address 10.57.0.240/24
    gateway 10.57.0.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
</code>
**Applying (from SSH, with nohup so the session drop does not abort the sequence):**
<code>
nohup bash -c 'sleep 10; ifdown vmbr0; ifdown bond0; ifup bond0; ifup vmbr0' &
</code>
==== 4.4 Result ====
^ Slave ^ NIC ^ Switch ^ Status ^
| nic3 | enp1s0f1 | GE1/0/41 | Active ✓ |
| nic0 | enp2s0f0 | GE1/0/42 | Active ✓ |
| nic1 | enp2s0f1 | GE1/0/43 | Active ✓ |
**Aggregate bandwidth:** 3 x 1Gbps = 3Gbps\\
**Partner MAC (switch):** 20:fd:f1:8f:42:00
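To close the pending item from 3.4 and 4.4 (verify that the bond survives a reboot), an added Python check, not part of the report or of Proxmox, parses ''/proc/net/bonding/bond0'' and confirms the mode, the LACP rate, the partner MAC, the port count, and that every slave sits in the active aggregator. The dump is constructed from the values in section 4, and the stray-slave case (a NIC patched to a switch port outside the BAGG) is an assumed failure mode.

```python
import re
# Constructed /proc/net/bonding/bond0 excerpt for the R720 (3 LACP slaves); the
# values follow section 4 but the text is not a capture from the server.
SAMPLE_BOND = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
LACP rate: fast
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 3
\tPartner Mac Address: 20:fd:f1:8f:42:00
Slave Interface: enp1s0f1
MII Status: up
Aggregator ID: 1
Slave Interface: enp2s0f0
MII Status: up
Aggregator ID: 1
Slave Interface: enp2s0f1
MII Status: up
Aggregator ID: 1
"""
# Same dump with enp2s0f1 patched to a switch port outside the aggregation group
# (assumed failure mode): link up, but the slave negotiates its own aggregator.
STRAY_SLAVE_BOND = SAMPLE_BOND.replace("Number of ports: 3", "Number of ports: 2").replace(
    "enp2s0f1\nMII Status: up\nAggregator ID: 1", "enp2s0f1\nMII Status: up\nAggregator ID: 2")

def _field(block: str, name: str) -> str:
    """Value of 'name: value' in a bonding dump section, or "" when absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else ""

def check_bond(text: str, partner_mac: str, expected_slaves: int) -> list[str]:
    """Return the problems in a bonding dump; an empty list means LACP is healthy."""
    head, *slaves = text.split("Slave Interface:")
    problems = []
    if "802.3ad" not in _field(head, "Bonding Mode"):
        problems.append("bond is not in 802.3ad mode; the switch BAGG expects LACP")
    if _field(head, "LACP rate") != "fast":
        problems.append("LACP rate is not fast (interfaces file sets bond-lacp-rate fast)")
    if _field(head, "Partner Mac Address").lower() != partner_mac.lower():
        problems.append(f"partner MAC '{_field(head, 'Partner Mac Address')}' is not the switch ({partner_mac})")
    if _field(head, "Number of ports") != str(expected_slaves) or len(slaves) != expected_slaves:
        problems.append(f"{_field(head, 'Number of ports')} ports aggregated over {len(slaves)} slaves, expected {expected_slaves}")
    agg_id = _field(head, "Aggregator ID")  # only slaves in this aggregator carry traffic
    for block in slaves:
        name = block.strip().splitlines()[0]
        if _field(block, "MII Status") != "up":
            problems.append(f"{name}: link down")
        elif _field(block, "Aggregator ID") != agg_id:
            problems.append(f"{name}: in aggregator {_field(block, 'Aggregator ID')}, not the active {agg_id}")
    return problems
```

On the server, run ''check_bond(open("/proc/net/bonding/bond0").read(), "20:fd:f1:8f:42:00", 3)'' after the reboot (4 for the HPE G9); an empty list closes the pending item.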
----
===== 5. Bogotá infrastructure summary =====
==== 5.1 Logical connectivity diagram ====
<code>
Internet
   |
SonicWall UTM (10.57.0.2)
   |
H3C 4800G (10.57.0.1)
   |
   +-- GE1/0/40 -------- iDRAC Dell R720 (10.57.0.220)
   +-- BAGG1 (41-43) --- Proxmox Dell R720 (10.57.0.240) — bond0 3x1G
   +-- BAGG2 (11-14) --- Proxmox HPE G9 (10.57.0.122) — bond0 4x1G
   +-- GE1/0/45 -------- AP Aruba IAP 325 (10.57.0.90)
   +-- GE1/0/10 -------- iLO HPE G9
   +-- GE1/0/32 -------- Bridge HUE (IoT VLAN 7)
   +-- GE1/0/3 --------- Printer (VLAN 11)
   +-- GE1/0/37 -------- SonicWall X6 (VLAN 12)
   +-- GE1/0/1-29 ------ Sales users (VLAN 8)
</code>
==== 5.2 Pending tasks ====
^ Task ^ Priority ^ Detail ^
| Verify HPE after reboot | High | Confirm bond0 persists |
| Enable RSTP on the switch | High | ''stp enable'' + edged-port on access ports |
| Change passwords to cipher | High | local-user admin/manager/monitor |
| Disable Telnet | High | ''undo telnet server enable'' |
| Change SNMP communities | Medium | Remove public/private with write access |
| Shut down GE1/0/7 (test port) | Medium | Trunk for all VLANs, active and unused |
| Jumbo frames on VMware ports | Medium | GE1/0/45, 46, 47 → jumboframe 9000 |
| Connect R720 nic2 to GE1/0/44 | Low | Complete the bond to 4x1G when possible |
| IoT PSK on the AP | Low | Define and apply the IoT SSID passphrase |
| Expand VLAN 4 in DHCP | Low | Adjust the scope if the Guest SSID is enabled |
----
//Document generated by IT Corporation — ITCORP Bogotá Knowledge Base//