緯育 2026-0608

From 頂極製作所
Revision as of 02:55, 25 May 2026 (Monday) by Kuyohong
Category | Device / location | Settings | Commands entered | System response / verification result | Notes
Endpoint | S1 management IP | IP: 10.1.99.101, Mask: 255.255.255.0, Gateway: 10.1.99.254
Configured on switch S1 under Config / VLAN Interface, or from the CLI:
interface vlan 99
 ip address 10.1.99.101 255.255.255.0
 no shutdown
exit
ip default-gateway 10.1.99.254
show ip interface brief

Vlan99  10.1.99.101  YES manual  up  up
S1's management VLAN is VLAN99; its gateway points to R1's Fa0/0.99 (10.1.99.254).
Endpoint | S2 management IP | IP: 10.1.99.102, Mask: 255.255.255.0, Gateway: 10.1.99.254
interface vlan 99
 ip address 10.1.99.102 255.255.255.0
 no shutdown
exit
ip default-gateway 10.1.99.254
show ip interface brief

Vlan99  10.1.99.102  YES manual  up  up
S2's management VLAN is VLAN99; its gateway likewise points to R1's 10.1.99.254.
Endpoint | Mgmt Server | IP: 10.1.99.100, Mask: 255.255.255.0, Gateway: 10.1.99.254
Desktop > IP Configuration

IP Address: 10.1.99.100
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.99.254
ping 10.1.99.254

Reply from 10.1.99.254
The Mgmt Server sits in VLAN99 and is used to test the switches' management VLAN and R1's router-on-a-stick routing.
Endpoint | VLAN12-RD1 | IP: 10.1.12.17, Mask: 255.255.255.240, Gateway: 10.1.12.30
Desktop > IP Configuration

IP Address: 10.1.12.17
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
ping 10.1.12.30

Reply from 10.1.12.30
VLAN12-RD1 connects to S1 Fa0/11 and belongs to the RD department's VLAN12.
Endpoint | VLAN12-RD2 | IP: 10.1.12.18, Mask: 255.255.255.240, Gateway: 10.1.12.30
Desktop > IP Configuration

IP Address: 10.1.12.18
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
ping 10.1.12.30

Reply from 10.1.12.30
VLAN12-RD2 connects to S2 Fa0/11 and belongs to the RD department's VLAN12.
Endpoint | VLAN13-Sales1 | IP: 10.1.13.25, Mask: 255.255.255.248, Gateway: 10.1.13.30
Desktop > IP Configuration

IP Address: 10.1.13.25
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
ping 10.1.13.30

Reply from 10.1.13.30
VLAN13-Sales1 connects to S1 Fa0/15 and belongs to the Sales department's VLAN13.
Endpoint | VLAN13-Sales2 | IP: 10.1.13.26, Mask: 255.255.255.248, Gateway: 10.1.13.30
Desktop > IP Configuration

IP Address: 10.1.13.26
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
ping 10.1.13.30

Reply from 10.1.13.30
VLAN13-Sales2 connects to S2 Fa0/15; the later Dynamic NAT test uses this host.
Endpoint | VLAN14-IT | IP: 10.1.14.65, Mask: 255.255.255.224, Gateway: 10.1.14.94
Desktop > IP Configuration

IP Address: 10.1.14.65
Subnet Mask: 255.255.255.224
Default Gateway: 10.1.14.94
ping 10.1.14.94

Reply from 10.1.14.94
VLAN14-IT connects to S2 Fa0/19 and is also used later for the SSH ACL test.
Endpoint | R2-Private / R2-Server1 | IP: 172.16.100.101, Mask: 255.255.255.0, Gateway: 172.16.100.254
Desktop > IP Configuration

IP Address: 172.16.100.101
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
VLAN12-RD1 ftp 172.16.100.101

Connected to 172.16.100.101
230 Logged in
R2-Private server; the ACL requires that only VLAN12 may reach it, and only over FTP.
Endpoint | R2-DMZ / R2-Server2 | IP: 172.16.100.102, Mask: 255.255.255.0, Gateway: 172.16.100.254
Desktop > IP Configuration

IP Address: 172.16.100.102
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
R3-PC ping 172.16.100.102

Reply from 172.16.100.102
R2-DMZ server; later mapped by Static NAT to 171.69.233.209, with the ACL allowing only ping and HTTP.
Endpoint | R3-PC1 | IP: 10.3.1.10, Mask: 255.255.255.0, Gateway: 10.3.1.254
Desktop > IP Configuration

IP Address: 10.3.1.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.254
R6-PC6 ping 10.3.1.10

Reply from 10.3.1.10
R3-PC1 is the remote-LAN destination of the IPSec VPN.
Endpoint | R3-PC2 | IP: 10.3.2.10, Mask: 255.255.255.0, Gateway: 10.3.2.254
Desktop > IP Configuration

IP Address: 10.3.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.2.254
ping 10.3.2.254

Reply from 10.3.2.254
10.3.2.0/24 is R3's second internal network and was used for the Static Route / Floating Static Route tests.
Endpoint | R6-PC5 | IP: 10.5.0.10, Mask: 255.255.255.0, Gateway: 10.5.0.254
Desktop > IP Configuration

IP Address: 10.5.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.5.0.254
ping 200.200.200.200

Reply from 200.200.200.200
R6-PC5 reaches the Internet through R6's PAT.
Endpoint | R6-PC6 | IP: 10.6.0.10, Mask: 255.255.255.0, Gateway: 10.6.0.254
Desktop > IP Configuration

IP Address: 10.6.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.6.0.254
ping 10.3.1.10

Sent = 4, Received = 4, Lost = 0
R6-PC6 is the local-LAN source of the IPSec VPN.
Endpoint | Internet WWW | IP: 200.200.200.200, Mask: 255.255.255.0, Gateway: 200.200.200.254
Desktop > IP Configuration

IP Address: 200.200.200.200
Subnet Mask: 255.255.255.0
Default Gateway: 200.200.200.254
VLAN12-RD1 ping 200.200.200.200

Reply from 200.200.200.200
Internet WWW is the destination for the NAT / PAT outbound tests.
Endpoint | Internet User | IP: 201.201.201.201, Mask: 255.255.255.0, Gateway: 201.201.201.254
Desktop > IP Configuration

IP Address: 201.201.201.201
Subnet Mask: 255.255.255.0
Default Gateway: 201.201.201.254
ping 171.69.233.209

Reply from 171.69.233.209
Internet User is used to test the R2-DMZ Static NAT public IP 171.69.233.209.
Switch VLAN | S1 creates VLANs | VLAN12: RD, VLAN13: Sales, VLAN14: IT, VLAN99: MGMT
conf t
vlan 12
 name RD
vlan 13
 name sales
vlan 14
 name IT
vlan 99
 name MGMT


show vlan brief

12  RD
13  sales
14  IT
99  MGMT
S1 creates all VLANs, for use by the access ports and the trunks.
Switch VLAN | S2 creates VLANs | VLAN12: RD, VLAN13: Sales, VLAN14: IT, VLAN99: MGMT
conf t
vlan 12
 name RD
vlan 13
 name sales
vlan 14
 name IT
vlan 99
 name MGMT


show vlan brief

12  RD
13  sales
14  IT
99  MGMT
S2 creates the same VLANs as S1.
Switch Access Port | S1 access ports | Fa0/11: VLAN12, Fa0/15: VLAN13, Fa0/21: VLAN99
conf t

interface fa0/11
 switchport mode access
 switchport access vlan 12
 no shutdown
exit

interface fa0/15
 switchport mode access
 switchport access vlan 13
 no shutdown
exit

interface fa0/21
 switchport mode access
 switchport access vlan 99
 no shutdown
exit



show vlan brief

Fa0/11 in VLAN12
Fa0/15 in VLAN13
Fa0/21 in VLAN99
Each endpoint on S1 is placed in its corresponding VLAN.
Switch Access Port | S2 access ports | Fa0/11: VLAN12, Fa0/15: VLAN13, Fa0/19: VLAN14
conf t

interface fa0/11
 switchport mode access
 switchport access vlan 12
 no shutdown
exit

interface fa0/15
 switchport mode access
 switchport access vlan 13
 no shutdown
exit

interface fa0/19
 switchport mode access
 switchport access vlan 14
 no shutdown
exit



show vlan brief

Fa0/11 in VLAN12
Fa0/15 in VLAN13
Fa0/19 in VLAN14
The RD, Sales and IT hosts on S2 are placed in VLAN12, VLAN13 and VLAN14 respectively.
Switch Trunk | S1 trunk to S2 | Trunk ports: Fa0/23 - 24, Allowed VLANs: 12,13,14,99
conf t

interface range fa0/23 - 24
 switchport mode trunk
 switchport trunk allowed vlan 12,13,14,99
 no shutdown



show interfaces trunk

Port        Mode     Status
Fa0/23      on       trunking
Fa0/24      on       trunking

Vlans allowed on trunk: 12,13,14,99
The trunk between S1 and S2 carries multiple VLANs.
Switch Trunk | S2 trunk to S1 | Trunk ports: Fa0/23 - 24, Allowed VLANs: 12,13,14,99
conf t

interface range fa0/23 - 24
 switchport mode trunk
 switchport trunk allowed vlan 12,13,14,99
 no shutdown



show interfaces trunk

Port        Mode     Status
Fa0/23      on       trunking
Fa0/24      on       trunking

Vlans allowed on trunk: 12,13,14,99
The trunk between S2 and S1 carries multiple VLANs.
Switch Trunk | S1 trunk to R1 | S1 Fa0/5 → R1 Fa0/0, Allowed VLANs: 12,13,14,99
conf t

interface fa0/5
 switchport mode trunk
 switchport trunk allowed vlan 12,13,14,99
 no shutdown



show interfaces trunk

Fa0/5 trunking
Vlans allowed on trunk: 12,13,14,99
S1 Fa0/5 connects to R1 Fa0/0 and carries the router-on-a-stick trunk.
Router-on-a-stick | R1: enable physical Fa0/0 | R1 Fa0/0 has no IP; it only carries the trunk for the subinterfaces
conf t

interface fa0/0
 no shutdown



show ip interface brief

FastEthernet0/0  unassigned  up  up
R1 Fa0/0 is the parent interface of the trunk; the actual gateway IPs are set on the subinterfaces.
Router-on-a-stick | R1 Fa0/0.2 | VLAN12 gateway: 10.1.12.30/28
conf t

interface fa0/0.2
 encapsulation dot1Q 12
 ip address 10.1.12.30 255.255.255.240



show ip interface brief

FastEthernet0/0.2  10.1.12.30  up  up
Default gateway for VLAN12.
Router-on-a-stick | R1 Fa0/0.3 | VLAN13 gateway: 10.1.13.30/29
conf t

interface fa0/0.3
 encapsulation dot1Q 13
 ip address 10.1.13.30 255.255.255.248



show ip interface brief

FastEthernet0/0.3  10.1.13.30  up  up
Default gateway for VLAN13.
Router-on-a-stick | R1 Fa0/0.4 | VLAN14 gateway: 10.1.14.94/27
conf t

interface fa0/0.4
 encapsulation dot1Q 14
 ip address 10.1.14.94 255.255.255.224



show ip interface brief

FastEthernet0/0.4  10.1.14.94  up  up
Default gateway for VLAN14.
Router-on-a-stick | R1 Fa0/0.99 | VLAN99 gateway: 10.1.99.254/24
conf t

interface fa0/0.99
 encapsulation dot1Q 99
 ip address 10.1.99.254 255.255.255.0



show ip interface brief

FastEthernet0/0.99  10.1.99.254  up  up
Default gateway for the VLAN99 management network.
R1 interface | R1 to R2 | Serial0/0/0: 192.168.123.1/30, Bandwidth: 128
conf t

interface serial0/0/0
 ip address 192.168.123.1 255.255.255.252
 bandwidth 128
 no shutdown



show ip interface brief

Serial0/0/0  192.168.123.1  up  up
Serial link between R1 and R2.
R1 interface | R1 to R3 | Serial0/0/1: 192.168.123.5/30, Bandwidth: 64, Clock rate: 64000
conf t

interface serial0/0/1
 ip address 192.168.123.5 255.255.255.252
 bandwidth 64
 clock rate 64000
 no shutdown



show ip interface brief

Serial0/0/1  192.168.123.5  up  up
Serial link between R1 and R3; its lower bandwidth gives it a higher cost, which is used in the OSPF cost / ECMP design.
R1 interface | R1 to Internet | Serial0/1/1: 193.16.1.254/30
conf t

interface serial0/1/1
 ip address 193.16.1.254 255.255.255.252
 no shutdown



show ip interface brief

Serial0/1/1  193.16.1.254  up  up
R1 faces the Internet router on this interface; the NAT outside interface and the VPN peer address both use it.
R2 interface | R2 to R1 | Serial0/0/0: 192.168.123.2/30, Bandwidth: 128
conf t

interface serial0/0/0
 ip address 192.168.123.2 255.255.255.252
 bandwidth 128
 no shutdown



show ip interface brief

Serial0/0/0  192.168.123.2  up  up
Serial link between R2 and R1.
R2 interface | R2 to R3 | Serial0/0/1: 192.168.123.9/30, Bandwidth: 128, Clock rate: 128000
conf t

interface serial0/0/1
 ip address 192.168.123.9 255.255.255.252
 bandwidth 128
 clock rate 128000
 no shutdown



show ip interface brief

Serial0/0/1  192.168.123.9  up  up
Serial link between R2 and R3.
R2 interface | R2 server segment | Fa0/0: 172.16.100.254/24
conf t

interface fa0/0
 ip address 172.16.100.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/0  172.16.100.254  up  up
Gateway of the R2 Server / DMZ segment; ACL 100 is later applied outbound on this interface.
R3 interface | R3 Fa0/0 | 10.3.1.254/24
conf t

interface fa0/0
 ip address 10.3.1.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/0  10.3.1.254  up  up
Gateway of the R3-PC1 segment, which is also the VPN remote LAN.
R3 interface | R3 Fa0/1 | 10.3.2.254/24
conf t

interface fa0/1
 ip address 10.3.2.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/1  10.3.2.254  up  up
R3's second internal network.
R3 interface | R3 to R1 | Serial0/0/0: 192.168.123.6/30, Bandwidth: 64
conf t

interface serial0/0/0
 ip address 192.168.123.6 255.255.255.252
 bandwidth 64
 no shutdown



show ip interface brief

Serial0/0/0  192.168.123.6  up  up
Serial link between R3 and R1.
R3 interface | R3 to R2 | Serial0/0/1: 192.168.123.10/30, Bandwidth: 128
conf t

interface serial0/0/1
 ip address 192.168.123.10 255.255.255.252
 bandwidth 128
 no shutdown



show ip interface brief

Serial0/0/1  192.168.123.10  up  up
Serial link between R3 and R2.
R6 interface | R6 Fa0/1 | 10.5.0.254/24
conf t

interface fastEthernet0/1
 ip address 10.5.0.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/1  10.5.0.254  up  up
Gateway of the R6-PC5 segment; later the R6 PAT inside interface.
R6 interface | R6 Fa0/0 | 10.6.0.254/24
conf t

interface fastEthernet0/0
 ip address 10.6.0.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/0  10.6.0.254  up  up
Gateway of the R6-PC6 segment; later the VPN-protected LAN.
R6 interface | R6 to Internet | Serial0/0/0: 193.16.6.254/30
conf t

interface serial0/0/0
 ip address 193.16.6.254 255.255.255.252
 no shutdown



show ip interface brief

Serial0/0/0  193.16.6.254  up  up
R6 faces the Internet router on this interface; the NAT outside interface and the VPN peer address both use it.
Internet interface | Internet to R1 | Serial0/0/0: 193.16.1.253/30, Clock rate: 64000
conf t

interface serial0/0/0
 ip address 193.16.1.253 255.255.255.252
 clock rate 64000
 no shutdown



show ip interface brief

Serial0/0/0  193.16.1.253  up  up
Internet router link to R1.
Internet interface | Internet to R6 | Serial0/0/1: 193.16.6.253/30, Clock rate: 64000
conf t

interface serial0/0/1
 ip address 193.16.6.253 255.255.255.252
 clock rate 64000
 no shutdown



show ip interface brief

Serial0/0/1  193.16.6.253  up  up
Internet router link to R6.
Internet interface | Internet WWW | Fa0/0: 200.200.200.254/24
conf t

interface fastEthernet0/0
 ip address 200.200.200.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/0  200.200.200.254  up  up
Gateway of the Internet WWW server.
Internet interface | Internet User | Fa0/1: 201.201.201.254/24
conf t

interface fastEthernet0/1
 ip address 201.201.201.254 255.255.255.0
 no shutdown



show ip interface brief

FastEthernet0/1  201.201.201.254  up  up
Gateway of Internet User.
Static Route | R1 to R3 10.3.2.0/24, primary route | Destination: 10.3.2.0/24, Next hop: 192.168.123.6
conf t

ip route 10.3.2.0 255.255.255.0 192.168.123.6



show ip route 10.3.2.0

S 10.3.2.0/24 via 192.168.123.6
Primary static route from R1 to the R3 Fa0/1 network.
Floating Static Route | R1 to R3 10.3.2.0/24, backup route | Destination: 10.3.2.0/24, Next hop: 192.168.123.2, AD: 2
conf t

ip route 10.3.2.0 255.255.255.0 192.168.123.2 2



show running-config

ip route 10.3.2.0 255.255.255.0 192.168.123.2 2
The floating static route has AD 2, so under normal conditions it never takes precedence over the primary static route with AD 1.
Static Route | R2 to R3 10.3.2.0/24 | Destination: 10.3.2.0/24, Next hop: 192.168.123.10
conf t

ip route 10.3.2.0 255.255.255.0 192.168.123.10



show ip route 10.3.2.0

S 10.3.2.0/24 via 192.168.123.10
Static route from R2 to the R3 Fa0/1 network.
Static Route | R2 to VLAN14 | Destination: 10.1.14.64/27, Next hop: 192.168.123.1
conf t

ip route 10.1.14.64 255.255.255.224 192.168.123.1



show ip route 10.1.14.64

S 10.1.14.64/27 via 192.168.123.1
Static route from R2 toward VLAN14.
Static Route | R3 to VLAN14, primary route | Destination: 10.1.14.64/27, Next hop: 192.168.123.5
conf t

ip route 10.1.14.64 255.255.255.224 192.168.123.5



show ip route 10.1.14.64

S 10.1.14.64/27 via 192.168.123.5
Primary static route from R3 to VLAN14.
Floating Static Route | R3 to VLAN14, backup route | Destination: 10.1.14.64/27, Next hop: 192.168.123.9, AD: 2
conf t

ip route 10.1.14.64 255.255.255.224 192.168.123.9 2



show running-config

ip route 10.1.14.64 255.255.255.224 192.168.123.9 2
The floating static route has AD 2 and serves as the backup path.
OSPF | R1 OSPF | Process ID: 1, Router ID: 192.168.99.1, Area: 0
conf t

interface loopback0
 ip address 192.168.99.1 255.255.255.255
exit

router ospf 1
 router-id 192.168.99.1
 passive-interface default
 no passive-interface serial0/0/0
 no passive-interface serial0/0/1
 network 192.168.123.0 0.0.0.3 area 0
 network 192.168.123.4 0.0.0.3 area 0
 network 10.1.12.16 0.0.0.15 area 0
 network 10.1.13.24 0.0.0.7 area 0
 network 10.1.99.0 0.0.0.255 area 0
 network 192.168.99.1 0.0.0.0 area 0



show ip ospf neighbor
show ip route ospf

R1 forms OSPF neighbours with R2 / R3
R1 advertises OSPF with the network subnet method, bringing VLAN12, VLAN13 and VLAN99 into OSPF.
OSPF | R2 OSPF | Process ID: 2, Router ID: 192.168.99.2, Area 0 / Area 2
conf t

interface loopback0
 ip address 192.168.99.2 255.255.255.255
exit

router ospf 2
 router-id 192.168.99.2
 network 192.168.123.2 0.0.0.0 area 0
 network 192.168.123.9 0.0.0.0 area 0
 network 172.16.100.254 0.0.0.0 area 2
 network 192.168.99.2 0.0.0.0 area 2
 passive-interface fa0/0
 no passive-interface serial0/0/1



show ip ospf neighbor
show ip route ospf

R2 forms OSPF neighbours with R1 / R3
R2 Fa0/0 is protected by passive-interface
R2 uses exact interface-IP network statements: the server segment is in Area 2, the serial links in Area 0.
OSPF | R3 OSPF | Process ID: 3, Router ID: 192.168.99.3, Area 0 / Area 3
conf t

interface loopback0
 ip address 192.168.99.3 255.255.255.255
 ip ospf 3 area 3
exit

interface fa0/0
 ip ospf 3 area 0
exit

interface serial0/0/0
 ip ospf 3 area 0
exit

interface serial0/0/1
 ip ospf 3 area 0
exit

router ospf 3
 router-id 192.168.99.3
 passive-interface fa0/0



show ip ospf neighbor
show ip route ospf

R3 forms OSPF neighbours with R1 / R2
R3 Fa0/0 is advertised but sends no Hellos
R3 enables OSPF in interface mode with the ip ospf <process> area command.
OSPF Cost | Serial bandwidth adjustment | R1-R2: 128K, R2-R3: 128K, R1-R3: 64K
R1:
interface serial0/0/0
 bandwidth 128
interface serial0/0/1
 bandwidth 64

R2:
interface serial0/0/0
 bandwidth 128
interface serial0/0/1
 bandwidth 128

R3:
interface serial0/0/0
 bandwidth 64
interface serial0/0/1
 bandwidth 128
show ip route ospf
show interfaces serial0/0/0
show interfaces serial0/0/1

Different OSPF costs are produced according to bandwidth
Bandwidth is used to tune OSPF cost, producing the expected equal-cost routes or a chosen path.
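The cost arithmetic behind the row above, as an added example that is not part of the lab record: link bandwidths are the page's `bandwidth` values, the cost formula uses the IOS default reference bandwidth of 100 Mbps, and a small Dijkstra keeps every equal-cost predecessor so the result shows whether R1 installs one or two next hops toward R3's 10.3.1.0/24.

```python
"""OSPF cost and equal-cost paths for the lab's serial triangle.
Added example, not device output: bandwidths are the page's values; the
cost formula (IOS default reference bandwidth 100 Mbps) and the Dijkstra
run with ECMP bookkeeping are a model written here.
"""
import heapq
from collections import defaultdict

REFERENCE_BW_KBPS = 100_000  # IOS default: auto-cost reference-bandwidth 100

def ospf_cost(bandwidth_kbps: int) -> int:
    """IOS interface cost: reference bandwidth / bandwidth, truncated, minimum 1."""
    return max(1, REFERENCE_BW_KBPS // bandwidth_kbps)

# (router, neighbour router or stub network, bandwidth in kbps), taken from
# the page's serial `bandwidth` commands; FastEthernet stubs are 100 Mbps.
LAB_LINKS = [
    ("R1", "R2", 128),                   # R1 Se0/0/0 <-> R2 Se0/0/0
    ("R1", "R3", 64),                    # R1 Se0/0/1 <-> R3 Se0/0/0
    ("R2", "R3", 128),                   # R2 Se0/0/1 <-> R3 Se0/0/1
    ("R2", "172.16.100.0/24", 100_000),  # R2 Fa0/0 server segment
    ("R3", "10.3.1.0/24", 100_000),      # R3 Fa0/0, R3-PC1 segment
]

def build_graph(links):
    graph = defaultdict(list)
    for a, b, bw in links:
        graph[a].append((b, ospf_cost(bw)))
        graph[b].append((a, ospf_cost(bw)))
    return graph

def shortest_paths(graph, source):
    """Dijkstra that keeps every equal-cost predecessor, as OSPF ECMP does."""
    dist = {source: 0}
    preds = defaultdict(set)
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph[node]:
            nd = d + cost
            if nxt not in dist or nd < dist[nxt]:
                dist[nxt] = nd
                preds[nxt] = {node}
                heapq.heappush(heap, (nd, nxt))
            elif nd == dist[nxt]:
                preds[nxt].add(node)
    return dist, preds

def next_hops(preds, source, dest):
    """Nodes adjacent to the source on any shortest path = installed next hops."""
    hops, seen, stack = set(), set(), [dest]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in preds[node]:
            if p == source:
                hops.add(node)
            else:
                stack.append(p)
    return sorted(hops)

def route(source, dest, links=LAB_LINKS):
    """(total cost, next hops) from a router to a destination network."""
    dist, preds = shortest_paths(build_graph(links), source)
    return dist[dest], next_hops(preds, source, dest)

def with_bandwidth(links, a, b, kbps):
    """Copy of the link list with one link's bandwidth changed (what-if)."""
    return [(x, y, kbps if {x, y} == {a, b} else bw) for x, y, bw in links]
```

With the page's values the direct 64K link (cost 1562) ties with the two-hop 128K path (781 + 781), so R1 installs both R2 and R3 as next hops for 10.3.1.0/24; raising R1-R3 to 128K makes the direct path the only one.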
Default Route | R1 toward Internet | Default route: 0.0.0.0/0, Next hop: 193.16.1.253
conf t

ip route 0.0.0.0 0.0.0.0 193.16.1.253



show ip route

S* 0.0.0.0/0 via 193.16.1.253
R1 is the head office's Internet exit.
OSPF Default | R1 advertises the default route | OSPF default-information originate
conf t

router ospf 1
 default-information originate



R2 / R3 show ip route

O*E2 0.0.0.0/0
R2 / R3 learn the default route through OSPF.
Default Route | R6 toward Internet | Default route: 0.0.0.0/0, Next hop: 193.16.6.253
conf t

ip route 0.0.0.0 0.0.0.0 193.16.6.253



show ip route

S* 0.0.0.0/0 via 193.16.6.253
R6 is the branch office's Internet exit.
NAT / PAT | R1 VLAN12 PAT | Inside: Fa0/0.2, Outside: Serial0/1/1, ACL: 10, VLAN12: 10.1.12.16/28
conf t

interface fa0/0.2
 ip nat inside
exit

interface serial0/1/1
 ip nat outside
exit

access-list 10 permit 10.1.12.16 0.0.0.15

ip nat inside source list 10 interface serial0/1/1 overload



VLAN12-RD1:
ping 200.200.200.200

R1:
show ip nat translations

PAT translations are shown
VLAN12 uses the public IP of R1 Serial0/1/1 for overload PAT.
NAT / PAT | R6-PC5 PAT | Inside: Fa0/1, Outside: Serial0/0/0, ACL: 10, R6-PC5 segment: 10.5.0.0/24
conf t

interface fa0/1
 ip nat inside
exit

interface serial0/0/0
 ip nat outside
exit

access-list 10 permit 10.5.0.0 0.0.0.255

ip nat inside source list 10 interface serial0/0/0 overload



R6-PC5:
ping 200.200.200.200

R6:
show ip nat translations

PAT translations are shown
R6-PC5 uses the public IP of R6 Serial0/0/0 for overload PAT.
Dynamic NAT | R1 VLAN13 Dynamic NAT | Inside: Fa0/0.3, Outside: Serial0/1/1, ACL: 20, Pool: 171.69.233.210 - 171.69.233.222
conf t

interface fa0/0.3
 ip nat inside
exit

interface serial0/1/1
 ip nat outside
exit

no access-list 20
no ip nat inside source list 20 pool netpool
no ip nat pool netpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240

access-list 20 permit 10.1.13.24 0.0.0.7

ip nat pool natpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240

ip nat inside source list 20 pool natpool



VLAN13-Sales2:
ping 200.200.200.200

R1:
show ip nat translations

10.1.13.26 is shown translated to 171.69.233.210
VLAN13 uses Dynamic NAT with a public IP pool from 171.69.233.210 to 171.69.233.222.
NAT return route | Internet router points back to the public IP pool | Public pool: 171.69.233.208/28, Next hop: 193.16.1.254
conf t

ip route 171.69.233.208 255.255.255.240 193.16.1.254



show ip route

S 171.69.233.208/28 via 193.16.1.254
The Internet router must know that the NAT public IP pool is reached via R1.
Static NAT | R2-DMZ Static NAT | Inside local: 172.16.100.102, Inside global: 171.69.233.209
conf t

interface serial0/0/0
 ip nat inside
exit

interface serial0/1/1
 ip nat outside
exit

no ip nat inside source static 172.16.100.103 171.69.233.209

ip nat inside source static 172.16.100.102 171.69.233.209



R1:
show ip nat translations

--- 171.69.233.209  172.16.100.102  ---  ---

Internet User:
ping 171.69.233.209

Reply from 171.69.233.209
The R2-DMZ server 172.16.100.102 is statically mapped to the public IP 171.69.233.209; the mapping lives on R1, whose Serial0/0/0 (toward R2) is NAT inside and Serial0/1/1 NAT outside.
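The three translation types R1 carries on this page (VLAN12 PAT, VLAN13 Dynamic NAT, R2-DMZ Static NAT) modelled together, as an added example that is not router output: the addresses, ACL ranges and pool are the page's, while the lookup order (static first, then the dynamic/PAT ACLs), the pool allocation and the reverse lookup for return traffic are a simplified model written here, with no timeouts.

```python
"""Model of the NAT rules configured on R1 on this page.
Added example, not device output: addresses and ranges are the page's;
the behaviour is a simplified model of IOS (static before dynamic, PAT
keeps the original source port when it is still free, no timeouts).
"""
import ipaddress

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard match: a set bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class R1Nat:
    OUTSIDE_IP = "193.16.1.254"          # Serial0/1/1, used by 'overload'
    ACL10 = ("10.1.12.16", "0.0.0.15")   # VLAN12 -> PAT on Serial0/1/1
    ACL20 = ("10.1.13.24", "0.0.0.7")    # VLAN13 -> pool natpool
    POOL = [str(ipaddress.IPv4Address("171.69.233.210") + i) for i in range(13)]
    STATIC = {"172.16.100.102": "171.69.233.209"}   # R2-DMZ server

    def __init__(self):
        self.dynamic = {}   # inside local -> inside global (pool address)
        self.pat = {}       # (inside local, local port) -> global port

    def translate(self, inside_local, src_port):
        """(inside global, global port) for an outbound flow; None when no
        rule matches (on this page VLAN14 and VLAN99 have no NAT rule)."""
        if inside_local in self.STATIC:
            return self.STATIC[inside_local], src_port
        if in_wildcard(inside_local, *self.ACL20):
            if inside_local not in self.dynamic:
                free = [ip for ip in self.POOL if ip not in self.dynamic.values()]
                if not free:
                    return None   # pool exhausted: IOS drops the packet
                self.dynamic[inside_local] = free[0]   # one public IP per host
            return self.dynamic[inside_local], src_port
        if in_wildcard(inside_local, *self.ACL10):
            key = (inside_local, src_port)
            if key not in self.pat:
                port = src_port
                while port in self.pat.values():
                    port += 1   # port taken by another inside host: pick the next
                self.pat[key] = port
            return self.OUTSIDE_IP, self.pat[key]
        return None

    def untranslate(self, inside_global, dst_port):
        """Reverse lookup for the return (inbound) direction."""
        for table in (self.STATIC, self.dynamic):
            for local, glob in table.items():
                if glob == inside_global:
                    return local, dst_port
        if inside_global == self.OUTSIDE_IP:
            for (local, lport), gport in self.pat.items():
                if gport == dst_port:
                    return local, lport
        return None

    def entries(self):
        """Rows in the style of 'show ip nat translations': (inside global, inside local)."""
        rows = [(g, l) for l, g in self.STATIC.items()]
        rows += [(g, l) for l, g in self.dynamic.items()]
        rows += [(f"{self.OUTSIDE_IP}:{gp}", f"{l}:{lp}") for (l, lp), gp in self.pat.items()]
        return rows
```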
IPSec VPN | R1 Phase 1 | PSK: SeCrEt, Encryption: 3DES, Hash: SHA, DH group: 2, Lifetime: 86400
conf t

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
exit

crypto isakmp key SeCrEt address 193.16.6.254



show crypto isakmp policy

encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds
R1's IKE Phase 1 parameters.
IPSec VPN | R1 Phase 2 / crypto map | Transform set: ts16 (ESP AES / MD5), Peer: 193.16.6.254, Crypto ACL: 110
conf t

crypto ipsec transform-set ts16 esp-aes esp-md5-hmac

no access-list 110
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255

crypto map map16 10 ipsec-isakmp
 set peer 193.16.6.254
 set transform-set ts16
 match address 110
exit

interface serial0/1/1
 crypto map map16



show crypto ipsec sa

local ident: 10.3.1.0/24
remote ident: 10.6.0.0/24
encaps / decaps counters are non-zero
R1's crypto ACL must be the mirror image of R6's.
IPSec VPN | R6 Phase 1 | PSK: SeCrEt, Encryption: 3DES, Hash: SHA, DH group: 2, Lifetime: 86400
conf t

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
exit

crypto isakmp key SeCrEt address 193.16.1.254



show crypto isakmp policy

encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds
R6's IKE Phase 1 parameters.
IPSec VPN | R6 Phase 2 / crypto map | Transform set: ts61 (ESP AES / MD5), Peer: 193.16.1.254, Crypto ACL: 110
conf t

crypto ipsec transform-set ts61 esp-aes esp-md5-hmac

no access-list 110
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255

crypto map map61 10 ipsec-isakmp
 set peer 193.16.1.254
 set transform-set ts61
 match address 110
exit

interface serial0/0/0
 crypto map map61



show crypto ipsec sa

local ident: 10.6.0.0/24
remote ident: 10.3.1.0/24
encaps / decaps counters are non-zero
R6's crypto ACL must be the mirror image of R1's.
IPSec VPN verification | R6-PC6 to R3-PC1 | Source: 10.6.0.10, Destination: 10.3.1.10
R6-PC6:
ping 10.3.1.10
Reply from 10.3.1.10
Sent = 4, Received = 4, Lost = 0
End-to-end communication over the VPN succeeds.
IPSec VPN verification | R6 ISAKMP SA | Phase 1 state
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst           src           state     conn-id  slot  status
193.16.1.254  193.16.6.254  QM_IDLE   1024     0     ACTIVE
QM_IDLE / ACTIVE means Phase 1 succeeded.
IPSec VPN verification | R6 IPSec SA | Phase 2 packet counters
show crypto ipsec sa
#pkts encaps: 7
#pkts encrypt: 7
#pkts decaps: 6
#pkts decrypt: 6

inbound esp sas:
 Status: ACTIVE

outbound esp sas:
 Status: ACTIVE
encaps / decaps counters increase, which shows Phase 2 is encrypting and decrypting successfully.
ACL | R2 Extended ACL 100 | Applied on: R2 Fa0/0, Direction: out, Controls access to 172.16.100.101 / 172.16.100.102
conf t

no access-list 100

access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0

access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0

interface fa0/0
 ip access-group 100 out



show running-config interface fa0/0

interface FastEthernet0/0
 ip access-group 100 out
ACL 100 is applied outbound on R2 Fa0/0 and controls traffic toward the server segment.
ACL verification | Clear ACL counters | ACL 100
clear access-list counters 100
No error message means the command completed
Clear the counters before testing so that permit / deny hits can be confirmed.
ACL verification | VLAN12-RD1 FTP to R2-Private | Source: 10.1.12.17, Destination: 172.16.100.101, Service: FTP
ftp 172.16.100.101
Connected to 172.16.100.101
230 Logged in
Meets the ACL requirement: VLAN12 can reach R2-Private over FTP.
ACL verification | VLAN12-RD1 ping to R2-Private | Source: 10.1.12.17, Destination: 172.16.100.101, Service: ICMP
ping 172.16.100.101
Destination host unreachable
Sent = 4, Received = 0, Lost = 4
Meets the ACL requirement: VLAN12 cannot reach R2-Private with anything other than FTP.
ACL verification | R3-PC ping to R2-Private | Source: 10.3.2.10, Destination: 172.16.100.101, Service: ICMP
ping 172.16.100.101
Destination host unreachable
Sent = 4, Received = 0, Lost = 4
Meets the ACL requirement: the head office's other VLANs and R3's internal networks cannot reach R2-Private.
ACL verification | R3-PC ping to R2-DMZ | Source: 10.3.2.10, Destination: 172.16.100.102, Service: ICMP
ping 172.16.100.102
Reply from 172.16.100.102
Sent = 4, Received = 4, Lost = 0
Meets the ACL requirement: any PC can ping R2-DMZ.
ACL verification | R3-PC HTTP to R2-DMZ | Source: 10.3.2.10, Destination: 172.16.100.102, Service: HTTP
Web Browser:
http://172.16.100.102
The Cisco Packet Tracer web page opens successfully
Meets the ACL requirement: any PC can reach R2-DMZ over HTTP.
ACL verification | R3-PC FTP to R2-DMZ | Source: 10.3.2.10, Destination: 172.16.100.102, Service: FTP
ftp 172.16.100.102
Error opening ftp://172.16.100.102/
Timed out
Meets the ACL requirement: R2-DMZ does not allow FTP or any other service beyond ping and HTTP.
ACL verification | R2 show access-lists 100 | ACL match results
show access-lists 100
permit tcp 10.1.12.16 0.0.0.15 host 172.16.100.101 eq ftp (11 match(es))
deny ip 10.1.12.16 0.0.0.15 host 172.16.100.101 (4 match(es))
deny ip 10.0.0.0 0.255.255.255 host 172.16.100.101 (101 match(es))
permit tcp any host 172.16.100.102 eq www (5 match(es))
permit icmp any host 172.16.100.102 (4 match(es))
deny ip any host 172.16.100.102 (12 match(es))
Both permit and deny rules show matches; ACL verification is complete.
SSH ACL | R3: allow SSH only from VLAN14 IT | Username: user, Password: 123, Domain: ckc.com, RSA: 1024, ACL: 12
conf t

username user password 123
ip domain-name ckc.com
crypto key generate rsa
! the router prompts for the modulus size; 1024 is entered at that prompt
1024
ip ssh version 2

access-list 12 permit 10.1.14.64 0.0.0.31

line vty 0 5
 login local
 transport input ssh
 access-class 12 in
exit

line vty 6 15
 transport input none
exit



VLAN14-IT SSH to R3: OK
Other VLANs SSH to R3: Not OK
Only the VLAN14 IT segment may manage R3 over SSH, with at most six sessions on vty 0 to 5.
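An offline evaluator for the two ACLs on this page, as an added example that is not device output: the `access-list` lines are copied from the R2 (ACL 100) and R3 (ACL 12, applied as the vty access-class) configuration above; the parser, the top-down first-match evaluation with the implicit deny, and the replay of the page's ACL verification cases are written here.

```python
"""Offline evaluator for the ACLs entered on this page.
Added example, not device output: ACL lines are copied from the page;
parser, first-match evaluation and implicit deny are written here.
"""
import ipaddress

ACL100 = """\
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
"""
ACL12 = "access-list 12 permit 10.1.14.64 0.0.0.31"   # access-class on vty 0 5

ANY = ("0.0.0.0", "255.255.255.255")

def _address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(text):
    """Return entries as (action, protocol, src, dst, dst_port) in list order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[2], tok[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):            # extended ACL
            proto = rest.pop(0)
            src, dst = _address(rest), _address(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
        else:                                                   # standard ACL: source only
            proto, src, dst, port = "ip", _address(rest), ANY, None
        entries.append((action, proto, src, dst, port))
    return entries

def _matches(addr, spec):
    """Cisco wildcard match: a set bit in the wildcard means 'don't care'."""
    net, wc = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) & ~wc) == (net & ~wc)

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto):
            continue
        if not (_matches(src, s) and _matches(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# The page's ACL verification rows, as (label, proto, src, dst, port).
PAGE_TESTS = [
    ("VLAN12-RD1 ftp R2-Private", "tcp", "10.1.12.17", "172.16.100.101", 21),
    ("VLAN12-RD1 ping R2-Private", "icmp", "10.1.12.17", "172.16.100.101", None),
    ("R3-PC ping R2-Private", "icmp", "10.3.2.10", "172.16.100.101", None),
    ("R3-PC ping R2-DMZ", "icmp", "10.3.2.10", "172.16.100.102", None),
    ("R3-PC http R2-DMZ", "tcp", "10.3.2.10", "172.16.100.102", 80),
    ("R3-PC ftp R2-DMZ", "tcp", "10.3.2.10", "172.16.100.102", 21),
]

def replay_page_tests():
    """Map each page test case to its ACL 100 verdict."""
    acl = parse_acl(ACL100)
    return {label: evaluate(acl, *flow) for label, *flow in PAGE_TESTS}
```

Evaluating ACL 12 with the VLAN14 host and a host from another VLAN reproduces the SSH OK / Not OK outcome recorded above.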
Final verification | NAT / PAT | VLAN12, VLAN13, R6-PC5
VLAN12-RD1:
ping 200.200.200.200

VLAN13-Sales2:
ping 200.200.200.200

R6-PC5:
ping 200.200.200.200

R1 / R6:
show ip nat translations
VLAN12 PAT: OK
VLAN13 Dynamic NAT: OK
R6-PC5 PAT: OK
NAT translations are created
NAT / PAT complete.
Final verification | Static NAT | 172.16.100.102 ↔ 171.69.233.209
Internet User:
ping 171.69.233.209
http://171.69.233.209

R1:
show ip nat translations
Internet User ping to the R2-DMZ public IP: OK
Internet User HTTP to the R2-DMZ public IP: OK
The Static NAT translation exists
Static NAT complete.
Final verification | IPSec VPN | R6-PC6 ↔ R3-PC1
R6-PC6:
ping 10.3.1.10

R6:
show crypto isakmp sa
show crypto ipsec sa
R6-PC6 ping 10.3.1.10: OK
QM_IDLE / ACTIVE
encaps / decaps counters increase
IPSec VPN complete.
Final verification | ACL 100 | R2 Fa0/0 outbound
R2:
show access-lists 100
permit rules show matches
deny rules show matches
All ACL tests match expectations
Extended ACL 100 complete.