View source for 緯育 2026-0608
From 頂極製作所
緯育 2026-0608
{| class="wikitable"
! Category
! Device / Location
! Setting
! Command entered
! System response / Verification result
! Notes
|-
| End device
| S1 management IP
| IP: 10.1.99.101<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254
| <pre>
Set in Switch S1 Config / VLAN Interface, or via the CLI:
interface vlan 99
ip address 10.1.99.101 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254
</pre>
| <pre>
show ip interface brief
Vlan99 10.1.99.101 YES manual up up
</pre>
| S1 uses VLAN99 as its management VLAN; the gateway points to R1 Fa0/0.99 (10.1.99.254).
|-
| End device
| S2 management IP
| IP: 10.1.99.102<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254
| <pre>
interface vlan 99
ip address 10.1.99.102 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254
</pre>
| <pre>
show ip interface brief
Vlan99 10.1.99.102 YES manual up up
</pre>
| S2 uses VLAN99 as its management VLAN; the gateway also points to R1 at 10.1.99.254.
|-
| End device
| Mgmt Server
| IP: 10.1.99.100<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254
| <pre>
Desktop > IP Configuration
IP Address: 10.1.99.100
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.99.254
</pre>
| <pre>
ping 10.1.99.254
Reply from 10.1.99.254
</pre>
| Mgmt Server sits in VLAN99 and is used to test the switch management VLAN and R1 router-on-a-stick routing.
|-
| End device
| VLAN12-RD1
| IP: 10.1.12.17<br>Mask: 255.255.255.240<br>Gateway: 10.1.12.30
| <pre>
Desktop > IP Configuration
IP Address: 10.1.12.17
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
</pre>
| <pre>
ping 10.1.12.30
Reply from 10.1.12.30
</pre>
| VLAN12-RD1 connects to S1 Fa0/11 and belongs to the RD department VLAN12.
|-
| End device
| VLAN12-RD2
| IP: 10.1.12.18<br>Mask: 255.255.255.240<br>Gateway: 10.1.12.30
| <pre>
Desktop > IP Configuration
IP Address: 10.1.12.18
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
</pre>
| <pre>
ping 10.1.12.30
Reply from 10.1.12.30
</pre>
| VLAN12-RD2 connects to S2 Fa0/11 and belongs to the RD department VLAN12.
|-
| End device
| VLAN13-Sales1
| IP: 10.1.13.25<br>Mask: 255.255.255.248<br>Gateway: 10.1.13.30
| <pre>
Desktop > IP Configuration
IP Address: 10.1.13.25
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
</pre>
| <pre>
ping 10.1.13.30
Reply from 10.1.13.30
</pre>
| VLAN13-Sales1 connects to S1 Fa0/15 and belongs to the Sales department VLAN13.
|-
| End device
| VLAN13-Sales2
| IP: 10.1.13.26<br>Mask: 255.255.255.248<br>Gateway: 10.1.13.30
| <pre>
Desktop > IP Configuration
IP Address: 10.1.13.26
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
</pre>
| <pre>
ping 10.1.13.30
Reply from 10.1.13.30
</pre>
| VLAN13-Sales2 connects to S2 Fa0/15; the later Dynamic NAT test uses this host.
|-
| End device
| VLAN14-IT
| IP: 10.1.14.65<br>Mask: 255.255.255.224<br>Gateway: 10.1.14.94
| <pre>
Desktop > IP Configuration
IP Address: 10.1.14.65
Subnet Mask: 255.255.255.224
Default Gateway: 10.1.14.94
</pre>
| <pre>
ping 10.1.14.94
Reply from 10.1.14.94
</pre>
| VLAN14-IT connects to S2 Fa0/19 and is also used later for the SSH ACL test.
|-
| End device
| R2-Private / R2-Server1
| IP: 172.16.100.101<br>Mask: 255.255.255.0<br>Gateway: 172.16.100.254
| <pre>
Desktop > IP Configuration
IP Address: 172.16.100.101
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
</pre>
| <pre>
VLAN12-RD1 ftp 172.16.100.101
Connected to 172.16.100.101
230 Logged in
</pre>
| R2-Private server; the ACL requirement allows only VLAN12 to access it over FTP.
|-
| End device
| R2-DMZ / R2-Server2
| IP: 172.16.100.102<br>Mask: 255.255.255.0<br>Gateway: 172.16.100.254
| <pre>
Desktop > IP Configuration
IP Address: 172.16.100.102
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
</pre>
| <pre>
R3-PC ping 172.16.100.102
Reply from 172.16.100.102
</pre>
| R2-DMZ server; later mapped by Static NAT to 171.69.233.209; the ACL allows only ping / http.
|-
| End device
| R3-PC1
| IP: 10.3.1.10<br>Mask: 255.255.255.0<br>Gateway: 10.3.1.254
| <pre>
Desktop > IP Configuration
IP Address: 10.3.1.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.254
</pre>
| <pre>
R6-PC6 ping 10.3.1.10
Reply from 10.3.1.10
</pre>
| R3-PC1 is the remote internal destination for the IPSec VPN.
|-
| End device
| R3-PC2
| IP: 10.3.2.10<br>Mask: 255.255.255.0<br>Gateway: 10.3.2.254
| <pre>
Desktop > IP Configuration
IP Address: 10.3.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.2.254
</pre>
| <pre>
ping 10.3.2.254
Reply from 10.3.2.254
</pre>
| 10.3.2.0/24 is R3's second internal network, previously used for the Static Route / Floating Static Route tests.
|-
| End device
| R6-PC5
| IP: 10.5.0.10<br>Mask: 255.255.255.0<br>Gateway: 10.5.0.254
| <pre>
Desktop > IP Configuration
IP Address: 10.5.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.5.0.254
</pre>
| <pre>
ping 200.200.200.200
Reply from 200.200.200.200
</pre>
| R6-PC5 reaches the Internet through R6 PAT.
|-
| End device
| R6-PC6
| IP: 10.6.0.10<br>Mask: 255.255.255.0<br>Gateway: 10.6.0.254
| <pre>
Desktop > IP Configuration
IP Address: 10.6.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.6.0.254
</pre>
| <pre>
ping 10.3.1.10
Sent = 4, Received = 4, Lost = 0
</pre>
| R6-PC6 is the local internal source for the IPSec VPN.
|-
| End device
| Internet WWW
| IP: 200.200.200.200<br>Mask: 255.255.255.0<br>Gateway: 200.200.200.254
| <pre>
Desktop > IP Configuration
IP Address: 200.200.200.200
Subnet Mask: 255.255.255.0
Default Gateway: 200.200.200.254
</pre>
| <pre>
VLAN12-RD1 ping 200.200.200.200
Reply from 200.200.200.200
</pre>
| Internet WWW is the destination for the NAT / PAT outbound tests.
|-
| End device
| Internet User
| IP: 201.201.201.201<br>Mask: 255.255.255.0<br>Gateway: 201.201.201.254
| <pre>
Desktop > IP Configuration
IP Address: 201.201.201.201
Subnet Mask: 255.255.255.0
Default Gateway: 201.201.201.254
</pre>
| <pre>
ping 171.69.233.209
Reply from 171.69.233.209
</pre>
| Internet User is used to test the R2-DMZ Static NAT public IP 171.69.233.209.
|-
| Switch VLAN
| S1 VLAN creation
| VLAN12: RD<br>VLAN13: Sales<br>VLAN14: IT<br>VLAN99: MGMT
| <pre>
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT
</pre>
| <pre>
show vlan brief
12 RD
13 sales
14 IT
99 MGMT
</pre>
| S1 creates all VLANs for use by the access ports and trunks.
|-
| Switch VLAN
| S2 VLAN creation
| VLAN12: RD<br>VLAN13: Sales<br>VLAN14: IT<br>VLAN99: MGMT
| <pre>
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT
</pre>
| <pre>
show vlan brief
12 RD
13 sales
14 IT
99 MGMT
</pre>
| S2 creates the same VLANs as S1.
|-
| Switch Access Port
| S1 Access Port
| Fa0/11: VLAN12<br>Fa0/15: VLAN13<br>Fa0/21: VLAN99
| <pre>
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/21
switchport mode access
switchport access vlan 99
no shutdown
exit
</pre>
| <pre>
show vlan brief
Fa0/11 in VLAN12
Fa0/15 in VLAN13
Fa0/21 in VLAN99
</pre>
| End devices on S1 are placed in their respective VLANs.
|-
| Switch Access Port
| S2 Access Port
| Fa0/11: VLAN12<br>Fa0/15: VLAN13<br>Fa0/19: VLAN14
| <pre>
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/19
switchport mode access
switchport access vlan 14
no shutdown
exit
</pre>
| <pre>
show vlan brief
Fa0/11 in VLAN12
Fa0/15 in VLAN13
Fa0/19 in VLAN14
</pre>
| The RD, Sales and IT hosts on S2 are placed in VLAN12, VLAN13 and VLAN14 respectively.
|-
| Switch Trunk
| S1 trunk to S2
| Trunk Port: Fa0/23 - 24<br>Allowed VLAN: 12,13,14,99
| <pre>
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown
</pre>
| <pre>
show interfaces trunk
Port Mode Status
Fa0/23 on trunking
Fa0/24 on trunking
Vlans allowed on trunk: 12,13,14,99
</pre>
| S1 and S2 use a trunk between them to carry multiple VLANs.
|-
| Switch Trunk
| S2 trunk to S1
| Trunk Port: Fa0/23 - 24<br>Allowed VLAN: 12,13,14,99
| <pre>
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown
</pre>
| <pre>
show interfaces trunk
Port Mode Status
Fa0/23 on trunking
Fa0/24 on trunking
Vlans allowed on trunk: 12,13,14,99
</pre>
| S2 and S1 use a trunk between them to carry multiple VLANs.
|-
| Switch Trunk
| S1 trunk to R1
| S1 Fa0/5 → R1 Fa0/0<br>Allowed VLAN: 12,13,14,99
| <pre>
conf t
interface fa0/5
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown
</pre>
| <pre>
show interfaces trunk
Fa0/5 trunking
Vlans allowed on trunk: 12,13,14,99
</pre>
| S1 Fa0/5 connects to R1 Fa0/0 to provide router-on-a-stick routing.
|-
| Router-on-a-stick
| R1 enable physical Fa0/0
| R1 Fa0/0 has no IP; it only carries the trunk for the subinterfaces
| <pre>
conf t
interface fa0/0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/0 unassigned up up
</pre>
| R1 Fa0/0 is the trunk parent interface; the actual gateway IPs are set on the subinterfaces.
|-
| Router-on-a-stick
| R1 Fa0/0.2
| VLAN12 Gateway: 10.1.12.30/28
| <pre>
conf t
interface fa0/0.2
encapsulation dot1Q 12
ip address 10.1.12.30 255.255.255.240
</pre>
| <pre>
show ip interface brief
FastEthernet0/0.2 10.1.12.30 up up
</pre>
| Default gateway for VLAN12.
|-
| Router-on-a-stick
| R1 Fa0/0.3
| VLAN13 Gateway: 10.1.13.30/29
| <pre>
conf t
interface fa0/0.3
encapsulation dot1Q 13
ip address 10.1.13.30 255.255.255.248
</pre>
| <pre>
show ip interface brief
FastEthernet0/0.3 10.1.13.30 up up
</pre>
| Default gateway for VLAN13.
|-
| Router-on-a-stick
| R1 Fa0/0.4
| VLAN14 Gateway: 10.1.14.94/27
| <pre>
conf t
interface fa0/0.4
encapsulation dot1Q 14
ip address 10.1.14.94 255.255.255.224
</pre>
| <pre>
show ip interface brief
FastEthernet0/0.4 10.1.14.94 up up
</pre>
| Default gateway for VLAN14.
|-
| Router-on-a-stick
| R1 Fa0/0.99
| VLAN99 Gateway: 10.1.99.254/24
| <pre>
conf t
interface fa0/0.99
encapsulation dot1Q 99
ip address 10.1.99.254 255.255.255.0
</pre>
| <pre>
show ip interface brief
FastEthernet0/0.99 10.1.99.254 up up
</pre>
| Default gateway for the VLAN99 management segment.
|-
| R1 interface
| R1 to R2
| Serial0/0/0: 192.168.123.1/30<br>Bandwidth: 128
| <pre>
conf t
interface serial0/0/0
ip address 192.168.123.1 255.255.255.252
bandwidth 128
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/0 192.168.123.1 up up
</pre>
| Serial link between R1 and R2.
|-
| R1 interface
| R1 to R3
| Serial0/0/1: 192.168.123.5/30<br>Bandwidth: 64<br>Clock rate: 64000
| <pre>
conf t
interface serial0/0/1
ip address 192.168.123.5 255.255.255.252
bandwidth 64
clock rate 64000
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/1 192.168.123.5 up up
</pre>
| Serial link between R1 and R3; it has a higher cost and is used for the OSPF cost / ECMP design.
|-
| R1 interface
| R1 to Internet
| Serial0/1/1: 193.16.1.254/30
| <pre>
conf t
interface serial0/1/1
ip address 193.16.1.254 255.255.255.252
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/1/1 193.16.1.254 up up
</pre>
| R1 connects to the Internet Router; the later NAT outside and VPN peer both use this interface.
|-
| R2 interface
| R2 to R1
| Serial0/0/0: 192.168.123.2/30<br>Bandwidth: 128
| <pre>
conf t
interface serial0/0/0
ip address 192.168.123.2 255.255.255.252
bandwidth 128
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/0 192.168.123.2 up up
</pre>
| Serial link between R2 and R1.
|-
| R2 interface
| R2 to R3
| Serial0/0/1: 192.168.123.9/30<br>Bandwidth: 128<br>Clock rate: 128000
| <pre>
conf t
interface serial0/0/1
ip address 192.168.123.9 255.255.255.252
bandwidth 128
clock rate 128000
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/1 192.168.123.9 up up
</pre>
| Serial link between R2 and R3.
|-
| R2 interface
| R2 Server zone
| Fa0/0: 172.16.100.254/24
| <pre>
conf t
interface fa0/0
ip address 172.16.100.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/0 172.16.100.254 up up
</pre>
| Gateway for the R2 Server / DMZ zone; ACL 100 is later applied outbound on this interface.
|-
| R3 interface
| R3 Fa0/0
| 10.3.1.254/24
| <pre>
conf t
interface fa0/0
ip address 10.3.1.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/0 10.3.1.254 up up
</pre>
| Gateway for the R3-PC1 segment, which is also the VPN remote internal network.
|-
| R3 interface
| R3 Fa0/1
| 10.3.2.254/24
| <pre>
conf t
interface fa0/1
ip address 10.3.2.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/1 10.3.2.254 up up
</pre>
| R3's second internal network.
|-
| R3 interface
| R3 to R1
| Serial0/0/0: 192.168.123.6/30<br>Bandwidth: 64
| <pre>
conf t
interface serial0/0/0
ip address 192.168.123.6 255.255.255.252
bandwidth 64
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/0 192.168.123.6 up up
</pre>
| Serial link between R3 and R1.
|-
| R3 interface
| R3 to R2
| Serial0/0/1: 192.168.123.10/30<br>Bandwidth: 128
| <pre>
conf t
interface serial0/0/1
ip address 192.168.123.10 255.255.255.252
bandwidth 128
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/1 192.168.123.10 up up
</pre>
| Serial link between R3 and R2.
|-
| R6 interface
| R6 Fa0/1
| 10.5.0.254/24
| <pre>
conf t
interface fastEthernet0/1
ip address 10.5.0.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/1 10.5.0.254 up up
</pre>
| Gateway for the R6-PC5 segment; later the R6 PAT inside.
|-
| R6 interface
| R6 Fa0/0
| 10.6.0.254/24
| <pre>
conf t
interface fastEthernet0/0
ip address 10.6.0.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/0 10.6.0.254 up up
</pre>
| Gateway for the R6-PC6 segment; later the VPN protected LAN.
|-
| R6 interface
| R6 to Internet
| Serial0/0/0: 193.16.6.254/30
| <pre>
conf t
interface serial0/0/0
ip address 193.16.6.254 255.255.255.252
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/0 193.16.6.254 up up
</pre>
| R6 connects to the Internet Router; the later NAT outside and VPN peer both use this interface.
|-
| Internet interface
| Internet to R1
| Serial0/0/0: 193.16.1.253/30<br>Clock rate: 64000
| <pre>
conf t
interface serial0/0/0
ip address 193.16.1.253 255.255.255.252
clock rate 64000
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/0 193.16.1.253 up up
</pre>
| Internet Router link to R1.
|-
| Internet interface
| Internet to R6
| Serial0/0/1: 193.16.6.253/30<br>Clock rate: 64000
| <pre>
conf t
interface serial0/0/1
ip address 193.16.6.253 255.255.255.252
clock rate 64000
no shutdown
</pre>
| <pre>
show ip interface brief
Serial0/0/1 193.16.6.253 up up
</pre>
| Internet Router link to R6.
|-
| Internet interface
| Internet WWW
| Fa0/0: 200.200.200.254/24
| <pre>
conf t
interface fastEthernet0/0
ip address 200.200.200.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/0 200.200.200.254 up up
</pre>
| Gateway for the Internet WWW Server.
|-
| Internet interface
| Internet User
| Fa0/1: 201.201.201.254/24
| <pre>
conf t
interface fastEthernet0/1
ip address 201.201.201.254 255.255.255.0
no shutdown
</pre>
| <pre>
show ip interface brief
FastEthernet0/1 201.201.201.254 up up
</pre>
| Gateway for the Internet User.
|-
| Static Route
| R1 to R3 10.3.2.0/24 primary route
| Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.6
| <pre>
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.6
</pre>
| <pre>
show ip route 10.3.2.0
S 10.3.2.0/24 via 192.168.123.6
</pre>
| Primary static route from R1 to the R3 Fa0/1 segment.
|-
| Floating Static Route
| R1 to R3 10.3.2.0/24 backup route
| Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.2<br>AD: 2
| <pre>
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.2 2
</pre>
| <pre>
show running-config
ip route 10.3.2.0 255.255.255.0 192.168.123.2 2
</pre>
| The floating static route has AD 2, so under normal conditions it is not preferred over the primary static route with AD 1.
|-
| Static Route
| R2 to R3 10.3.2.0/24
| Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.10
| <pre>
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.10
</pre>
| <pre>
show ip route 10.3.2.0
S 10.3.2.0/24 via 192.168.123.10
</pre>
| Static route from R2 to the R3 Fa0/1 segment.
|-
| Static Route
| R2 to VLAN14
| Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.1
| <pre>
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.1
</pre>
| <pre>
show ip route 10.1.14.64
S 10.1.14.64/27 via 192.168.123.1
</pre>
| Static route from R2 to VLAN14.
|-
| Static Route
| R3 to VLAN14 primary route
| Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.5
| <pre>
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.5
</pre>
| <pre>
show ip route 10.1.14.64
S 10.1.14.64/27 via 192.168.123.5
</pre>
| Primary static route from R3 to VLAN14.
|-
| Floating Static Route
| R3 to VLAN14 backup route
| Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.9<br>AD: 2
| <pre>
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.9 2
</pre>
| <pre>
show running-config
ip route 10.1.14.64 255.255.255.224 192.168.123.9 2
</pre>
| The floating static route has AD 2 and serves as the backup path.
|-
| OSPF
| R1 OSPF
| Process ID: 1<br>Router ID: 192.168.99.1<br>Area: 0
| <pre>
conf t
interface loopback0
ip address 192.168.99.1 255.255.255.255
exit
router ospf 1
router-id 192.168.99.1
passive-interface default
no passive-interface serial0/0/0
no passive-interface serial0/0/1
network 192.168.123.0 0.0.0.3 area 0
network 192.168.123.4 0.0.0.3 area 0
network 10.1.12.16 0.0.0.15 area 0
network 10.1.13.24 0.0.0.7 area 0
network 10.1.99.0 0.0.0.255 area 0
network 192.168.99.1 0.0.0.0 area 0
</pre>
| <pre>
show ip ospf neighbor
show ip route ospf
R1 forms OSPF neighbors with R2 / R3
</pre>
| R1 advertises OSPF using the network subnet method and includes VLAN12, VLAN13 and VLAN99 in OSPF.
|-
| OSPF
| R2 OSPF
| Process ID: 2<br>Router ID: 192.168.99.2<br>Area 0 / Area 2
| <pre>
conf t
interface loopback0
ip address 192.168.99.2 255.255.255.255
exit
router ospf 2
router-id 192.168.99.2
network 192.168.123.2 0.0.0.0 area 0
network 192.168.123.9 0.0.0.0 area 0
network 172.16.100.254 0.0.0.0 area 2
network 192.168.99.2 0.0.0.0 area 2
passive-interface fa0/0
no passive-interface serial0/0/1
</pre>
| <pre>
show ip ospf neighbor
show ip route ospf
R2 forms OSPF neighbors with R1 / R3
R2 Fa0/0 is protected by passive-interface
</pre>
| R2 uses exact interface-IP network statements; the Server zone is in Area 2 and the serial links are in Area 0.
|-
| OSPF
| R3 OSPF
| Process ID: 3<br>Router ID: 192.168.99.3<br>Area 0 / Area 3
| <pre>
conf t
interface loopback0
ip address 192.168.99.3 255.255.255.255
ip ospf 3 area 3
exit
interface fa0/0
ip ospf 3 area 0
exit
interface serial0/0/0
ip ospf 3 area 0
exit
interface serial0/0/1
ip ospf 3 area 0
exit
router ospf 3
router-id 192.168.99.3
passive-interface fa0/0
</pre>
| <pre>
show ip ospf neighbor
show ip route ospf
R3 forms OSPF neighbors with R1 / R2
R3 Fa0/0 can be advertised but sends no Hellos
</pre>
| R3 enables OSPF with the interface-mode ip ospf process area method.
|-
| OSPF Cost
| Serial bandwidth adjustment
| R1-R2: 128K<br>R2-R3: 128K<br>R1-R3: 64K
| <pre>
R1:
interface serial0/0/0
bandwidth 128
interface serial0/0/1
bandwidth 64
R2:
interface serial0/0/0
bandwidth 128
interface serial0/0/1
bandwidth 128
R3:
interface serial0/0/0
bandwidth 64
interface serial0/0/1
bandwidth 128
</pre>
| <pre>
show ip route ospf
show interfaces serial0/0/0
show interfaces serial0/0/1
Different OSPF costs derived from bandwidth are visible
</pre>
| Bandwidth is used to adjust the OSPF cost and produce the expected equal-cost routes or a chosen path.
|-
| Default Route
| R1 to Internet
| Default route: 0.0.0.0/0<br>Next-hop: 193.16.1.253
| <pre>
conf t
ip route 0.0.0.0 0.0.0.0 193.16.1.253
</pre>
| <pre>
show ip route
S* 0.0.0.0/0 via 193.16.1.253
</pre>
| R1 is the headquarters' exit to the Internet.
|-
| OSPF Default
| R1 advertises default route
| OSPF default-information originate
| <pre>
conf t
router ospf 1
default-information originate
</pre>
| <pre>
R2 / R3 show ip route
O*E2 0.0.0.0/0
</pre>
| R2 / R3 learn the default route through OSPF.
|-
| Default Route
| R6 to Internet
| Default route: 0.0.0.0/0<br>Next-hop: 193.16.6.253
| <pre>
conf t
ip route 0.0.0.0 0.0.0.0 193.16.6.253
</pre>
| <pre>
show ip route
S* 0.0.0.0/0 via 193.16.6.253
</pre>
| R6 is the branch office's exit to the Internet.
|-
| NAT / PAT
| R1 VLAN12 PAT
| Inside: Fa0/0.2<br>Outside: Serial0/1/1<br>ACL: 10<br>VLAN12: 10.1.12.16/28
| <pre>
conf t
interface fa0/0.2
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
access-list 10 permit 10.1.12.16 0.0.0.15
ip nat inside source list 10 interface serial0/1/1 overload
</pre>
| <pre>
VLAN12-RD1:
ping 200.200.200.200
R1:
show ip nat translations
PAT translation is visible
</pre>
| VLAN12 uses the public IP of R1 Serial0/1/1 for overload PAT.
|-
| NAT / PAT
| R6-PC5 PAT
| Inside: Fa0/1<br>Outside: Serial0/0/0<br>ACL: 10<br>R6-PC5 segment: 10.5.0.0/24
| <pre>
conf t
interface fa0/1
ip nat inside
exit
interface serial0/0/0
ip nat outside
exit
access-list 10 permit 10.5.0.0 0.0.0.255
ip nat inside source list 10 interface serial0/0/0 overload
</pre>
| <pre>
R6-PC5:
ping 200.200.200.200
R6:
show ip nat translations
PAT translation is visible
</pre>
| R6-PC5 uses the public IP of R6 Serial0/0/0 for overload PAT.
|-
| Dynamic NAT
| R1 VLAN13 Dynamic NAT
| Inside: Fa0/0.3<br>Outside: Serial0/1/1<br>ACL: 20<br>Pool: 171.69.233.210 - 171.69.233.222
| <pre>
conf t
interface fa0/0.3
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no access-list 20
no ip nat inside source list 20 pool netpool
no ip nat pool netpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
access-list 20 permit 10.1.13.24 0.0.0.7
ip nat pool natpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 20 pool natpool
</pre>
| <pre>
VLAN13-Sales2:
ping 200.200.200.200
R1:
show ip nat translations
10.1.13.26 is translated to 171.69.233.210
</pre>
| VLAN13 uses Dynamic NAT with a public IP pool from 171.69.233.210 to 171.69.233.222.
|-
| NAT return route
| Internet Router route back to the public IP pool
| Public Pool: 171.69.233.208/28<br>Next-hop: 193.16.1.254
| <pre>
conf t
ip route 171.69.233.208 255.255.255.240 193.16.1.254
</pre>
| <pre>
show ip route
S 171.69.233.208/28 via 193.16.1.254
</pre>
| The Internet Router must know that the NAT public IP pool is reached through R1.
|-
| Static NAT
| R2-DMZ Static NAT
| Inside local: 172.16.100.102<br>Inside global: 171.69.233.209
| <pre>
conf t
interface serial0/0/0
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no ip nat inside source static 172.16.100.103 171.69.233.209
ip nat inside source static 172.16.100.102 171.69.233.209
</pre>
| <pre>
R1:
show ip nat translations
--- 171.69.233.209 172.16.100.102 --- ---
Internet User:
ping 171.69.233.209
Reply from 171.69.233.209
</pre>
| The R2-DMZ server 172.16.100.102 is statically mapped to public IP 171.69.233.209.
|-
| IPSec VPN
| R1 Phase 1
| PSK: SeCrEt<br>Encryption: 3DES<br>Hash: SHA<br>DH Group: 2<br>Lifetime: 86400
| <pre>
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.6.254
</pre>
| <pre>
show crypto isakmp policy
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds
</pre>
| R1's IKE Phase 1 parameters.
|-
| IPSec VPN
| R1 Phase 2 / Crypto Map
| Transform-set: ts16<br>ESP AES / MD5<br>Peer: 193.16.6.254<br>Crypto ACL: 110
| <pre>
conf t
crypto ipsec transform-set ts16 esp-aes esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255
crypto map map16 10 ipsec-isakmp
set peer 193.16.6.254
set transform-set ts16
match address 110
exit
interface serial0/1/1
crypto map map16
</pre>
| <pre>
show crypto ipsec sa
local ident: 10.3.1.0/24
remote ident: 10.6.0.0/24
encaps / decaps show counts
</pre>
| R1's crypto ACL must be the mirror image of R6's.
|-
| IPSec VPN
| R6 Phase 1
| PSK: SeCrEt<br>Encryption: 3DES<br>Hash: SHA<br>DH Group: 2<br>Lifetime: 86400
| <pre>
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.1.254
</pre>
| <pre>
show crypto isakmp policy
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds
</pre>
| R6's IKE Phase 1 parameters.
|-
| IPSec VPN
| R6 Phase 2 / Crypto Map
| Transform-set: ts61<br>ESP AES / MD5<br>Peer: 193.16.1.254<br>Crypto ACL: 110
| <pre>
conf t
crypto ipsec transform-set ts61 esp-aes esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255
crypto map map61 10 ipsec-isakmp
set peer 193.16.1.254
set transform-set ts61
match address 110
exit
interface serial0/0/0
crypto map map61
</pre>
| <pre>
show crypto ipsec sa
local ident: 10.6.0.0/24
remote ident: 10.3.1.0/24
encaps / decaps show counts
</pre>
| R6's crypto ACL must be the mirror image of R1's.
|-
| IPSec VPN verification
| R6-PC6 to R3-PC1
| Source: 10.6.0.10<br>Destination: 10.3.1.10
| <pre>
R6-PC6:
ping 10.3.1.10
</pre>
| <pre>
Reply from 10.3.1.10
Sent = 4, Received = 4, Lost = 0
</pre>
| VPN end-to-end communication succeeds.
|-
| IPSec VPN verification
| R6 ISAKMP SA
| Phase 1 state
| <pre>
show crypto isakmp sa
</pre>
| <pre>
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
193.16.1.254 193.16.6.254 QM_IDLE 1024 0 ACTIVE
</pre>
| QM_IDLE / ACTIVE means Phase 1 succeeded.
|-
| IPSec VPN verification
| R6 IPSec SA
| Phase 2 packet counters
| <pre>
show crypto ipsec sa
</pre>
| <pre>
#pkts encaps: 7 #pkts encrypt: 7
#pkts decaps: 6 #pkts decrypt: 6
inbound esp sas:
Status: ACTIVE
outbound esp sas:
Status: ACTIVE
</pre>
| Increasing encaps / decaps counters mean Phase 2 is encrypting and decrypting successfully.
|-
| ACL
| R2 Extended ACL 100
| Applied interface: R2 Fa0/0<br>Direction: out<br>Controls 172.16.100.101 / 172.16.100.102
| <pre>
conf t
no access-list 100
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
interface fa0/0
ip access-group 100 out
</pre>
| <pre>
show running-config interface fa0/0
interface FastEthernet0/0
ip access-group 100 out
</pre>
| ACL 100 is applied outbound on R2 Fa0/0 to control traffic toward the Server zone.
|-
| ACL verification
| Clear ACL counters
| ACL 100
| <pre>
clear access-list counters 100
</pre>
| <pre>
No error message means it completed
</pre>
| Clear the counters before testing so it is easy to confirm whether the permit / deny entries are hit.
|-
| ACL verification
| VLAN12-RD1 FTP R2-Private
| Source: 10.1.12.17<br>Destination: 172.16.100.101<br>Service: FTP
| <pre>
ftp 172.16.100.101
</pre>
| <pre>
Connected to 172.16.100.101
230 Logged in
</pre>
| Meets the ACL requirement: VLAN12 can access R2-Private over FTP.
|-
| ACL verification
| VLAN12-RD1 ping R2-Private
| Source: 10.1.12.17<br>Destination: 172.16.100.101<br>Service: ICMP
| <pre>
ping 172.16.100.101
</pre>
| <pre>
Destination host unreachable
Sent = 4, Received = 0, Lost = 4
</pre>
| Meets the ACL requirement: VLAN12 cannot access R2-Private by anything other than FTP.
|-
| ACL verification
| R3-PC ping R2-Private
| Source: 10.3.2.10<br>Destination: 172.16.100.101<br>Service: ICMP
| <pre>
ping 172.16.100.101
</pre>
| <pre>
Destination host unreachable
Sent = 4, Received = 0, Lost = 4
</pre>
| Meets the ACL requirement: the other headquarters VLANs / the R3 internal network cannot access R2-Private.
|-
| ACL verification
| R3-PC ping R2-DMZ
| Source: 10.3.2.10<br>Destination: 172.16.100.102<br>Service: ICMP
| <pre>
ping 172.16.100.102
</pre>
| <pre>
Reply from 172.16.100.102
Sent = 4, Received = 4, Lost = 0
</pre>
| Meets the ACL requirement: Any-PC can ping R2-DMZ.
|-
| ACL verification
| R3-PC http R2-DMZ
| Source: 10.3.2.10<br>Destination: 172.16.100.102<br>Service: HTTP
| <pre>
Web Browser:
http://172.16.100.102
</pre>
| <pre>
The Cisco Packet Tracer web page opens successfully
</pre>
| Meets the ACL requirement: Any-PC can access R2-DMZ over HTTP.
|-
| ACL verification
| R3-PC ftp R2-DMZ
| Source: 10.3.2.10<br>Destination: 172.16.100.102<br>Service: FTP
| <pre>
ftp 172.16.100.102
</pre>
| <pre>
Error opening ftp://172.16.100.102/
Timed out
</pre>
| Meets the ACL requirement: R2-DMZ does not allow other services such as FTP.
|-
| ACL verification
| R2 show access-lists 100
| ACL match results
| <pre>
show access-lists 100
</pre>
| <pre>
permit tcp 10.1.12.16 0.0.0.15 host 172.16.100.101 eq ftp (11 match(es))
deny ip 10.1.12.16 0.0.0.15 host 172.16.100.101 (4 match(es))
deny ip 10.0.0.0 0.255.255.255 host 172.16.100.101 (101 match(es))
permit tcp any host 172.16.100.102 eq www (5 match(es))
permit icmp any host 172.16.100.102 (4 match(es))
deny ip any host 172.16.100.102 (12 match(es))
</pre>
| Both permit and deny entries have matches; ACL verification is complete.
|-
| SSH ACL
| R3 allows SSH only from VLAN14 IT
| Username: user<br>Password: 123<br>Domain: ckc.com<br>RSA: 1024<br>ACL: 12
| <pre>
conf t
username user password 123
ip domain-name ckc.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
access-list 12 permit 10.1.14.64 0.0.0.31
line vty 0 5
login local
transport input ssh
access-class 12 in
exit
line vty 6 15
transport input none
exit
</pre>
| <pre>
VLAN14-IT ssh to R3: OK
Other VLANs ssh to R3: Not OK
</pre>
| Only the VLAN14 IT segment may manage R3 over SSH; at most vty 0 to 5 are opened, 6 sessions in total.
|-
| Final verification
| NAT / PAT
| VLAN12, VLAN13, R6-PC5
| <pre>
VLAN12-RD1:
ping 200.200.200.200
VLAN13-Sales2:
ping 200.200.200.200
R6-PC5:
ping 200.200.200.200
R1 / R6:
show ip nat translations
</pre>
| <pre>
VLAN12 PAT: OK
VLAN13 Dynamic NAT: OK
R6-PC5 PAT: OK
NAT translations are created
</pre>
| NAT / PAT complete.
|-
| Final verification
| Static NAT
| 172.16.100.102 ↔ 171.69.233.209
| <pre>
Internet User:
ping 171.69.233.209
http://171.69.233.209
R1:
show ip nat translations
</pre>
| <pre>
Internet User ping to the R2-DMZ public IP: OK
Internet User http to the R2-DMZ public IP: OK
Static NAT translation exists
</pre>
| Static NAT complete.
|-
| Final verification
| IPSec VPN
| R6-PC6 ↔ R3-PC1
| <pre>
R6-PC6:
ping 10.3.1.10
R6:
show crypto isakmp sa
show crypto ipsec sa
</pre>
| <pre>
R6-PC6 ping 10.3.1.10: OK
QM_IDLE / ACTIVE
encaps / decaps counters increase
</pre>
| IPSec VPN complete.
|-
| Final verification
| ACL 100
| R2 Fa0/0 outbound
| <pre>
R2:
show access-lists 100
</pre>
| <pre>
permit entries have matches
deny entries have matches
All ACL tests match expectations
</pre>
| Extended ACL 100 complete.
|}
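The ACL 100 entries and the verification flows from the table above, replayed through a first-match evaluator with wildcard masks. This is an added example, not part of the original page: the Python function names are hypothetical, the last flow (sourced from R3's serial address 192.168.123.10) is constructed and was not tested on the page, and only numeric `eq` ports are parsed.

```python
import ipaddress

# ACL 100 as configured on R2 in the table (numeric ports, "A WILDCARD" form).
ACL_100 = """\
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
"""

# (protocol, source, destination, destination port). The first six are the
# flows from the "ACL verification" rows; the last one is constructed.
FLOWS = [
    ("tcp", "10.1.12.17", "172.16.100.101", 21),
    ("icmp", "10.1.12.17", "172.16.100.101", None),
    ("icmp", "10.3.2.10", "172.16.100.101", None),
    ("icmp", "10.3.2.10", "172.16.100.102", None),
    ("tcp", "10.3.2.10", "172.16.100.102", 80),
    ("tcp", "10.3.2.10", "172.16.100.102", 21),
    ("icmp", "192.168.123.10", "172.16.100.101", None),
]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_acl(text):
    """Parse numbered extended ACL lines into rule dicts, in configured order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append({"action": action, "proto": proto,
                      "src": src, "dst": dst, "port": port})
    return rules


def _covers(spec, addr):
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(rules, proto, src, dst, dport=None):
    """First match wins. Returns (action, entry number); 0 = implicit deny."""
    s, d = _ip(src), _ip(dst)
    for number, rule in enumerate(rules, 1):
        if rule["proto"] not in ("ip", proto):
            continue
        if not (_covers(rule["src"], s) and _covers(rule["dst"], d)):
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return rule["action"], number
    return "deny", 0


def check_flows():
    """Evaluate every sample flow against ACL 100."""
    rules = parse_acl(ACL_100)
    return [evaluate(rules, *flow) for flow in FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, check_flows()):
        print(flow, "->", verdict)
```

Entry number 0 in a result is the implicit deny at the end of the list: the constructed last flow is blocked only by it, because no configured entry covers a source outside 10.0.0.0/8 going to 172.16.100.101.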