Difference between revisions of 「緯育 2026-0608」

From 頂極製作所
Line 410: Line 410:


== Revised Summary ==
= 2026-0608 ACL / NAT / PAT / VPN Lab Final Configuration Record =

Items completed in this lab:

* R1 default route and OSPF default-route advertisement
* VLAN12 PAT
* VLAN13 Dynamic NAT
* R2-DMZ Static NAT
* R6-PC5 PAT
* R1 ↔ R6 IPSec VPN
* R2 Extended ACL 100
* Final verification completed
 
----
 
= R1 Configuration =
 
== R1 Interface Roles ==
 
{| class="wikitable"
! Interface
! IP / Subnet
! Purpose
|-
| Fa0/0.2
| 10.1.12.30/28
| VLAN12 RD Gateway / NAT inside
|-
| Fa0/0.3
| 10.1.13.30/29
| VLAN13 Gateway / NAT inside
|-
| Fa0/0.4
| 10.1.14.94/27
| VLAN14 Gateway
|-
| Fa0/0.99
| 10.1.99.254/24
| Management VLAN
|-
| Serial0/0/0
| 192.168.123.1/30
| R1 ↔ R2
|-
| Serial0/0/1
| 192.168.123.5/30
| R1 ↔ R3
|-
| Serial0/1/1
| 193.16.1.254/30
| R1 ↔ Internet / NAT outside / VPN peer
|-
| Loopback0
| 192.168.99.1/32
| Router ID
|}
 
== R1 Default Route ==
 
<syntaxhighlight lang="text">
conf t
ip route 0.0.0.0 0.0.0.0 193.16.1.253
end
wr
</syntaxhighlight>
 
== R1 OSPF Default Route Advertisement ==
 
<syntaxhighlight lang="text">
conf t
router ospf 1
default-information originate
end
wr
</syntaxhighlight>
 
== R1 NAT Inside / Outside Interface Configuration ==
 
<syntaxhighlight lang="text">
conf t
 
interface fa0/0.2
ip nat inside
 
interface fa0/0.3
ip nat inside
 
interface serial0/0/0
ip nat inside
 
interface serial0/0/1
ip nat inside
 
interface serial0/1/1
ip nat outside
 
end
wr
</syntaxhighlight>
 
== R1 VLAN12 PAT Configuration ==
 
<syntaxhighlight lang="text">
conf t
 
access-list 12 permit 10.1.12.16 0.0.0.15
ip nat inside source list 12 interface serial0/1/1 overload
 
end
wr
</syntaxhighlight>
 
== R1 VLAN13 Dynamic NAT Configuration ==
 
<syntaxhighlight lang="text">
conf t
 
access-list 13 permit 10.1.13.24 0.0.0.7
ip nat pool VLAN13_POOL 171.69.233.210 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 13 pool VLAN13_POOL
 
end
wr
</syntaxhighlight>
 
== R1 R2-DMZ Static NAT Configuration ==
 
<syntaxhighlight lang="text">
conf t
 
ip nat inside source static 172.16.100.102 171.69.233.209
 
end
wr
</syntaxhighlight>
 
== R1 IPSec VPN Configuration ==
 
VPN purpose:
 
* Build an IPSec tunnel between the R1 and R6 outside interfaces
* R3-PC1: 10.3.1.10
* R6-PC6: 10.6.0.10
* R1 VPN peer: 193.16.6.254
* PSK: SeCrEt
* Phase 1: 3DES / SHA / Group 2
* Phase 2: ESP / AES / MD5
 
<syntaxhighlight lang="text">
conf t
 
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
 
crypto isakmp key SeCrEt address 193.16.6.254
 
crypto ipsec transform-set ts16 esp-aes esp-md5-hmac
 
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255
 
crypto map map16 10 ipsec-isakmp
set peer 193.16.6.254
set transform-set ts16
match address 110
exit
 
interface serial0/1/1
crypto map map16
 
end
wr
</syntaxhighlight>
 
== R1 Verification Commands ==
 
<syntaxhighlight lang="text">
show ip route
show ip route 0.0.0.0
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa
show access-lists 110
</syntaxhighlight>
 
----
 
= R2 Configuration =
 
== R2 Interface Roles ==
 
{| class="wikitable"
! Interface
! IP / Subnet
! Purpose
|-
| Fa0/0
| 172.16.100.254/24
| R2 server segment gateway / interface where the ACL is applied
|-
| Serial0/0/0
| 192.168.123.2/30
| R2 ↔ R1
|-
| Serial0/0/1
| 192.168.123.9/30
| R2 ↔ R3
|-
| Loopback0
| 192.168.99.2/32
| Router ID
|}
 
== R2 Extended ACL 100 Configuration ==
 
ACL purpose:
 
* Control access to R2-Private: 172.16.100.101
* Control access to R2-DMZ: 172.16.100.102
* ACL applied at: R2 Fa0/0 outbound
 
<syntaxhighlight lang="text">
conf t
 
no access-list 100
 
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny  ip  10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny  ip  10.0.0.0  0.255.255.255 172.16.100.101 0.0.0.0
 
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
 
interface fa0/0
ip access-group 100 out
 
end
wr
</syntaxhighlight>
 
== R2 ACL Verification Commands ==
 
<syntaxhighlight lang="text">
clear access-list counters 100
show access-lists 100
show running-config interface fa0/0
</syntaxhighlight>
 
== R2 ACL Verification Results ==
 
{| class="wikitable"
! Test source
! Destination
! Service tested
! Expected
! Observed result
|-
| VLAN12-RD1
| 172.16.100.101
| FTP
| OK
| OK, FTP login succeeded
|-
| VLAN12-RD1
| 172.16.100.101
| ping
| Not OK
| OK, Destination host unreachable
|-
| R3-PC
| 172.16.100.101
| ping
| Not OK
| OK, Destination host unreachable
|-
| R3-PC
| 172.16.100.102
| ping
| OK
| OK, 4/4 replies
|-
| R3-PC
| 172.16.100.102
| HTTP
| OK
| OK, web page opened
|-
| R3-PC
| 172.16.100.102
| FTP
| Not OK
| OK, Timed out
|}
 
== R2 ACL Match Results ==
 
<syntaxhighlight lang="text">
show access-lists 100
</syntaxhighlight>
 
Observed hit counts:
 
<syntaxhighlight lang="text">
permit tcp 10.1.12.16 0.0.0.15 host 172.16.100.101 eq ftp (11 match(es))
deny ip 10.1.12.16 0.0.0.15 host 172.16.100.101 (4 match(es))
deny ip 10.0.0.0 0.255.255.255 host 172.16.100.101 (101 match(es))
permit tcp any host 172.16.100.102 eq www (5 match(es))
permit icmp any host 172.16.100.102 (4 match(es))
deny ip any host 172.16.100.102 (12 match(es))
</syntaxhighlight>
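To make the match results above reproducible away from the router, here is an added Python evaluator (not part of the lab page) that applies ACL 100 with Cisco first-match and wildcard semantics to flows constructed from the verification table; the flow names and the constructed 172.16.100.103 host are this example's own, and the last flow shows the implicit deny that follows the ACL's final line.

```python
from ipaddress import ip_address

# R2's ACL 100 as applied outbound on Fa0/0, transcribed from the config above:
# (action, protocol, source spec, destination spec, destination port or None)
ACL_100 = [
    ("permit", "tcp",  "10.1.12.16 0.0.0.15",    "172.16.100.101 0.0.0.0", 20),
    ("permit", "tcp",  "10.1.12.16 0.0.0.15",    "172.16.100.101 0.0.0.0", 21),
    ("deny",   "ip",   "10.1.12.16 0.0.0.15",    "172.16.100.101 0.0.0.0", None),
    ("deny",   "ip",   "10.0.0.0 0.255.255.255", "172.16.100.101 0.0.0.0", None),
    ("permit", "tcp",  "any",                    "172.16.100.102 0.0.0.0", 80),
    ("permit", "icmp", "any",                    "172.16.100.102 0.0.0.0", None),
    ("deny",   "ip",   "any",                    "172.16.100.102 0.0.0.0", None),
]

def wildcard_match(ip, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return (int(ip_address(ip)) & care) == (int(ip_address(addr)) & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins. Returns (action, ace_number); ace_number 0
    stands for the implicit 'deny ip any any' at the end of every ACL."""
    for number, (action, p, s, d, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s) and wildcard_match(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action, number
    return "deny", 0

# Constructed flows mirroring the verification table (client IPs from the page).
FLOWS = {
    "VLAN12-RD1 ftp .101":  ("tcp",  "10.1.12.17", "172.16.100.101", 21),
    "VLAN12-RD1 ping .101": ("icmp", "10.1.12.17", "172.16.100.101", None),
    "R3-PC ping .101":      ("icmp", "10.3.2.10",  "172.16.100.101", None),
    "R3-PC ping .102":      ("icmp", "10.3.2.10",  "172.16.100.102", None),
    "R3-PC http .102":      ("tcp",  "10.3.2.10",  "172.16.100.102", 80),
    "R3-PC ftp .102":       ("tcp",  "10.3.2.10",  "172.16.100.102", 21),
    # Not in the table: ACL 100 has no final 'permit ip any any', so any other
    # host behind Fa0/0 (constructed .103 here) is unreachable through it.
    "R3-PC http .103":      ("tcp",  "10.3.2.10",  "172.16.100.103", 80),
}

def run_flows(acl=ACL_100, flows=FLOWS):
    """Evaluate every constructed flow; returns {name: (action, ace_number)}."""
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, (action, ace) in run_flows().items():
        print(f"{name:22s} -> {action:6s} (ACE {ace or 'implicit deny'})")
```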
 
----
 
= R3 Configuration =
 
== R3 Interface Roles ==
 
{| class="wikitable"
! Interface
! IP / Subnet
! Purpose
|-
| Fa0/0
| 10.3.1.254/24
| R3-PC / R3-PC1 Gateway
|-
| Fa0/1
| 10.3.2.254/24
| R3 second internal LAN
|-
| Serial0/0/0
| 192.168.123.6/30
| R3 ↔ R1
|-
| Serial0/0/1
| 192.168.123.10/30
| R3 ↔ R2
|-
| Loopback0
| 192.168.99.3/32
| Router ID
|}
 
== R3 Focus for This Stage ==
 
In this stage R3 mainly serves as:
 
* One of the ACL test sources
* The destination LAN at the remote end of the VPN
* R3-PC1: 10.3.1.10
* R3-PC: 10.3.2.10
 
R3 itself received no major new configuration in the final NAT / ACL / VPN stage; the focus is confirming that routing and OSPF still work.
 
== R3 Verification Commands ==
 
<syntaxhighlight lang="text">
show ip route
show ip route 0.0.0.0
show ip ospf neighbor
ping 172.16.100.101
ping 172.16.100.102
</syntaxhighlight>
 
== R3 Verification Results ==
 
<syntaxhighlight lang="text">
R3-PC ping 172.16.100.101 → Not OK
R3-PC ping 172.16.100.102 → OK
R3-PC http 172.16.100.102 → OK
R3-PC ftp 172.16.100.102 → Not OK
</syntaxhighlight>
 
----
 
= R6 Configuration =
 
== R6 Interface Roles ==
 
{| class="wikitable"
! Interface
! IP / Subnet
! Purpose
|-
| Fa0/1
| 10.5.0.254/24
| R6-PC5 Gateway / NAT inside
|-
| Fa0/0
| 10.6.0.254/24
| R6-PC6 Gateway / VPN protected LAN
|-
| Serial0/0/0
| 193.16.6.254/30
| R6 ↔ Internet / NAT outside / VPN peer
|-
| Loopback0
| 192.168.99.6/32
| Router ID
|}
 
== R6 Default Route ==
 
<syntaxhighlight lang="text">
conf t
ip route 0.0.0.0 0.0.0.0 193.16.6.253
end
wr
</syntaxhighlight>
 
== R6 PAT Configuration ==
 
PAT purpose:
 
* R6-PC5: 10.5.0.10
* Reach the Internet via overload on the R6 Serial0/0/0 public IP 193.16.6.254
 
<syntaxhighlight lang="text">
conf t
 
access-list 5 permit 10.5.0.0 0.0.0.255
 
interface fastEthernet0/1
ip nat inside
 
interface serial0/0/0
ip nat outside
 
ip nat inside source list 5 interface serial0/0/0 overload
 
end
wr
</syntaxhighlight>
 
== R6 IPSec VPN Configuration ==
 
VPN purpose:
 
* R6-PC6: 10.6.0.10
* R3-PC1: 10.3.1.10
* R6 peer: 193.16.1.254
* PSK: SeCrEt
* Phase 1: 3DES / SHA / Group 2
* Phase 2: ESP / AES / MD5
 
<syntaxhighlight lang="text">
conf t
 
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
 
crypto isakmp key SeCrEt address 193.16.1.254
 
crypto ipsec transform-set ts61 esp-aes esp-md5-hmac
 
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255
 
crypto map map61 10 ipsec-isakmp
set peer 193.16.1.254
set transform-set ts61
match address 110
exit
 
interface serial0/0/0
crypto map map61
 
end
wr
</syntaxhighlight>
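The two ends of a crypto map only negotiate when they mirror each other; the Python below (an added example, not from the lab) compares the R1 and R6 parameters transcribed from the two IPSec sections above and also checks that none of R1's NAT source selectors overlap the VPN-interesting source, because on R1 the inside-to-outside path is translated before the crypto map is consulted. The dictionary keys and function names are this example's own.

```python
from ipaddress import ip_address, ip_network

def wildcard_to_network(spec):
    """'address wildcard' -> ip_network (wildcard bits are inverted to a mask)."""
    addr, wildcard = spec.split()
    netmask = ip_address(0xFFFFFFFF ^ int(ip_address(wildcard)))
    return ip_network(f"{addr}/{netmask}", strict=False)

# Both ends transcribed from the R1 and R6 IPSec sections. The lab keeps legacy
# parameters (3DES, MD5-HMAC, DH group 2); this check only confirms that the
# two ends agree, it does not judge the algorithm choice.
R1 = {
    "outside": "193.16.1.254", "peer": "193.16.6.254",
    "isakmp": ("3des", "sha", "pre-share", 2, 86400),
    "transform": ("esp-aes", "esp-md5-hmac"),
    "crypto_acl": [("10.3.1.0 0.0.0.255", "10.6.0.0 0.0.0.255")],
}
R6 = {
    "outside": "193.16.6.254", "peer": "193.16.1.254",
    "isakmp": ("3des", "sha", "pre-share", 2, 86400),
    "transform": ("esp-aes", "esp-md5-hmac"),
    "crypto_acl": [("10.6.0.0 0.0.0.255", "10.3.1.0 0.0.0.255")],
}
# R1's NAT source selectors: ACL 12, ACL 13 and the DMZ static mapping.
R1_NAT_SOURCES = ["10.1.12.16 0.0.0.15", "10.1.13.24 0.0.0.7",
                  "172.16.100.102 0.0.0.0"]

def peer_problems(a, b):
    """Return a list of mismatches; an empty list means the ends agree."""
    problems = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        problems.append("set peer does not point at the other side's outside IP")
    if a["isakmp"] != b["isakmp"]:
        problems.append("Phase 1 (ISAKMP) policy differs")
    if a["transform"] != b["transform"]:
        problems.append("Phase 2 transform set differs")
    mirrored = {(dst, src) for src, dst in b["crypto_acl"]}
    if set(a["crypto_acl"]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    return problems

def vpn_sources_hit_by_nat(crypto_acl, nat_sources):
    """On the inside-to-outside path IOS translates (NAT) before it matches the
    crypto map, so a VPN source that a NAT ACL also selects would leave the
    router translated and never match ACL 110. Returns the overlapping pairs."""
    hits = []
    for src, _dst in crypto_acl:
        vpn_net = wildcard_to_network(src)
        for nat in nat_sources:
            if vpn_net.overlaps(wildcard_to_network(nat)):
                hits.append((str(vpn_net), nat))
    return hits

if __name__ == "__main__":
    print("peer problems:", peer_problems(R1, R6))
    print("VPN sources also selected by NAT:",
          vpn_sources_hit_by_nat(R1["crypto_acl"], R1_NAT_SOURCES))
```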
 
== Crypto Map Re-apply Commands Used While Troubleshooting the R6 VPN ==
 
If Phase 1 / Phase 2 does not renegotiate properly, the crypto map can be re-applied:
 
<syntaxhighlight lang="text">
conf t
interface serial0/0/0
no crypto map map61
crypto map map61
end
wr
</syntaxhighlight>
 
== R6 Verification Commands ==
 
<syntaxhighlight lang="text">
show ip route
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa
show access-lists 110
</syntaxhighlight>
 
== R6 VPN Verification Results ==
 
<syntaxhighlight lang="text">
R6-PC6 ping 10.3.1.10 → OK
 
show crypto isakmp sa:
QM_IDLE / ACTIVE
 
show crypto ipsec sa:
#pkts encaps: 7
#pkts encrypt: 7
#pkts decaps: 6
#pkts decrypt: 6
 
inbound esp sas: ACTIVE
outbound esp sas: ACTIVE
</syntaxhighlight>
 
----
 
= Internet Router Configuration =
 
== Internet Router Key Configuration ==
 
The Internet router is responsible for:
 
* The link to the R1 public side: 193.16.1.253/30
* The link to the R6 public side: 193.16.6.253/30
* The link to Internet WWW: 200.200.200.254/24
* The link to Internet User: 201.201.201.254/24
* The return route to the NAT public IP pool: 171.69.233.208/28
 
== Internet Router Return Route for the Public IP Pool ==
 
Public IP range used by Dynamic NAT and Static NAT:
 
* 171.69.233.209 ~ 171.69.233.222
* Summarized as 171.69.233.208/28
 
<syntaxhighlight lang="text">
conf t
 
ip route 171.69.233.208 255.255.255.240 193.16.1.254
 
end
wr
</syntaxhighlight>
 
== Internet Router Notes ==
 
* The Internet router must not be configured with static routes pointing at the enterprise's internal private IP space.
* No routes toward internal private segments such as 10.0.0.0/8, 172.16.100.0/24 or 192.168.123.0/30 should appear.
* The Internet router only needs to know how to return traffic to the NAT public IP pool 171.69.233.208/28.
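As an added check (example code, not from the lab), the following Python script verifies that R1's NAT selectors and global addresses line up with the return route the Internet router carries: that ACLs 12 and 13 select exactly the VLAN12 and VLAN13 subnets from the interface table, that the dynamic pool and the DMZ static global fall inside 171.69.233.208/28 reached via 193.16.1.254, and that no private prefix is routed by the Internet router. The function names and the constructed bad route are this example's own.

```python
from ipaddress import ip_address, ip_network

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ip_network (e.g. /28)."""
    netmask = ip_address(0xFFFFFFFF ^ int(ip_address(wildcard)))
    return ip_network(f"{addr}/{netmask}", strict=False)

# Values transcribed from the R1 and Internet router sections of the page.
NAT_ACLS = {12: ("10.1.12.16", "0.0.0.15"), 13: ("10.1.13.24", "0.0.0.7")}
INSIDE_GATEWAYS = {12: "10.1.12.30/28", 13: "10.1.13.30/29"}
VLAN13_POOL = ("171.69.233.210", "171.69.233.222")
DMZ_STATIC_GLOBAL = "171.69.233.209"
R1_OUTSIDE = "193.16.1.254"
RETURN_ROUTE = ("171.69.233.208/28", R1_OUTSIDE)

def nat_acl_matches_vlan(acl_number):
    """True when the NAT ACL's wildcard selects exactly the VLAN's subnet."""
    selected = wildcard_to_network(*NAT_ACLS[acl_number])
    return selected == ip_network(INSIDE_GATEWAYS[acl_number], strict=False)

def pool_addresses(pool):
    """Expand an 'ip nat pool' start/end pair into its individual addresses."""
    first, last = (int(ip_address(a)) for a in pool)
    return [ip_address(i) for i in range(first, last + 1)]

def globals_are_routable(route=RETURN_ROUTE):
    """Every dynamic-pool address and the static global must sit inside the
    prefix the Internet router sends back toward R1, without reusing an
    address or the prefix's network/broadcast address."""
    prefix, next_hop = route
    net = ip_network(prefix)
    used = pool_addresses(VLAN13_POOL) + [ip_address(DMZ_STATIC_GLOBAL)]
    inside = all(a in net for a in used)
    unique = len(set(used)) == len(used)
    edges_free = {net.network_address, net.broadcast_address}.isdisjoint(used)
    return inside and unique and edges_free and next_hop == R1_OUTSIDE

def leaked_private_routes(routes):
    """Routes on the Internet router whose prefix is RFC 1918 space; the notes
    above say there must be none (only the public pool is routed back)."""
    return [(p, nh) for p, nh in routes if ip_network(p).is_private]

if __name__ == "__main__":
    print("ACL 12 selects VLAN12:", nat_acl_matches_vlan(12))
    print("ACL 13 selects VLAN13:", nat_acl_matches_vlan(13))
    print("pool + static inside return route:", globals_are_routable())
    # Constructed bad table: a private route slipped onto the Internet router.
    print(leaked_private_routes([RETURN_ROUTE, ("10.0.0.0/8", R1_OUTSIDE)]))
```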
 
== Internet Router Verification Commands ==
 
<syntaxhighlight lang="text">
show ip route
show running-config | include 171.69.233.208
ping 193.16.1.254
ping 193.16.6.254
</syntaxhighlight>
 
----
 
= End Device Test Records =
 
== VLAN12-RD1 Tests ==
 
<syntaxhighlight lang="text">
ping 200.200.200.200
ftp 172.16.100.101
ping 172.16.100.101
</syntaxhighlight>
 
Results:
 
<syntaxhighlight lang="text">
ping 200.200.200.200 → OK
ftp 172.16.100.101 → OK
ping 172.16.100.101 → Not OK
</syntaxhighlight>
 
== R3-PC Tests ==
 
<syntaxhighlight lang="text">
ping 172.16.100.101
ping 172.16.100.102
ftp 172.16.100.102
</syntaxhighlight>
 
Results:
 
<syntaxhighlight lang="text">
ping 172.16.100.101 → Not OK
ping 172.16.100.102 → OK
http 172.16.100.102 → OK
ftp 172.16.100.102 → Not OK
</syntaxhighlight>
 
== R6-PC6 VPN Tests ==
 
<syntaxhighlight lang="text">
ping 10.3.1.10
</syntaxhighlight>
 
Results:
 
<syntaxhighlight lang="text">
ping 10.3.1.10 → OK
Sent = 4, Received = 4, Lost = 0
</syntaxhighlight>
 
----
 
= Final Summary =
 
{| class="wikitable"
! Item
! Status
|-
| VLAN12 PAT
| Done
|-
| R6-PC5 PAT
| Done
|-
| VLAN13 Dynamic NAT
| Done
|-
| R2-DMZ Static NAT
| Done
|-
| Internet Router return route for the public IP pool
| Done
|-
| R1 ↔ R6 IPSec VPN Phase 1
| Done, QM_IDLE / ACTIVE
|-
| R1 ↔ R6 IPSec VPN Phase 2
| Done, encaps / decaps counters increasing
|-
| R2 Extended ACL 100
| Done
|-
| ACL permit tests
| Done
|-
| ACL deny tests
| Done
|}
 
Final verdict for this lab:
 
'''The 2026-0608 ACL / NAT / PAT / VPN Lab is complete.'''

Revision as of 02:19, 25 May 2026 (Mon)

S1

  • VLAN12
    • vlan 12
    • name RD
  • VLAN13
    • vlan 13
    • name sales
  • VLAN14
    • vlan 14
    • name IT
  • VLAN99
    • vlan 99
    • name MGMT
    • exit
    • interface vlan 99
    • ip address 10.1.99.101 255.255.255.0
    • no shutdown
    • exit
  • trunk allowed VLAN
    • interface range fa0/23 - 24
    • switchport mode trunk
    • switchport trunk allowed vlan 12,13,14,99
    • no shutdown
    • exit
    • ip default-gateway 10.1.99.254
  • S1 to R1 Trunk
    • configure terminal
    • interface fa0/5
    • switchport mode trunk
    • switchport trunk allowed vlan 12,13,14,99
    • no shutdown
    • exit
  • Fa0/21
    • interface fa0/21
    • switchport mode access
    • switchport access vlan 99
    • no shutdown
  • Fa0/11
    • interface fa0/11
    • switchport mode access
    • switchport access vlan 12
    • no shutdown
    • exit
  • Fa0/15
    • interface fa0/15
    • switchport mode access
    • switchport access vlan 13
    • no shutdown
    • exit

Host Settings

  • S1 management IP
    • 10.1.99.101
    • 255.255.255.0
    • 10.1.99.254
  • VLAN12-RD1
    • 10.1.12.17
    • 255.255.255.240
    • 10.1.12.30
  • VLAN13-Sales1
    • 10.1.13.25
    • 255.255.255.248
    • 10.1.13.30
  • Mgmt Server IP
    • 10.1.99.100
    • 255.255.255.0
    • 10.1.99.254

S2

  • VLAN12
    • vlan 12
    • name RD
  • Fa0/11
    • interface fa0/11
    • switchport mode access
    • switchport access vlan 12
    • no shutdown
  • VLAN13
    • vlan 13
    • name sales
  • VLAN14
    • vlan 14
    • name IT
  • VLAN99
    • vlan 99
    • name MGMT
    • exit
    • interface vlan 99
    • ip address 10.1.99.102 255.255.255.0
    • no shutdown
    • exit
    • ip default-gateway 10.1.99.254
  • trunk allowed VLAN
    • interface range fa0/23 - 24
    • switchport mode trunk
    • switchport trunk allowed vlan 12,13,14,99
    • no shutdown
  • Fa0/15
    • interface fa0/15
    • switchport mode access
    • switchport access vlan 13
    • no shutdown
    • exit
  • Fa0/19
    • interface fa0/19
    • switchport mode access
    • switchport access vlan 14
    • no shutdown
    • exit

Host Settings

  • S2 IP
    • 10.1.99.102
    • 255.255.255.0
    • 10.1.99.254
  • VLAN12-RD2
    • 10.1.12.18
    • 255.255.255.240
    • 10.1.12.30
  • VLAN13-Sales2
    • 10.1.13.26
    • 255.255.255.248
    • 10.1.13.30
  • VLAN14-IT
    • 10.1.14.65
    • 255.255.255.224
    • 10.1.14.94

R1

  • no ip domain-lookup
  • Fa0/0
    • interface fa0/0
    • no shutdown
  • Serial 0/0/0
    • interface serial0/0/0
    • ip address 192.168.123.1 255.255.255.252
    • bandwidth 128
    • no shutdown
    • exit
  • Serial 0/0/1
    • interface serial0/0/1
    • ip address 192.168.123.5 255.255.255.252
    • bandwidth 64
    • clock rate 64000
    • no shutdown
    • exit
    • router ospf 1
    • no passive-interface serial0/0/1
    • network 192.168.123.4 0.0.0.3 area 0
  • Subinterfaces
    • interface fa0/0.2
    • encapsulation dot1Q 12
    • ip address 10.1.12.30 255.255.255.240
    • interface fa0/0.3
    • encapsulation dot1Q 13
    • ip address 10.1.13.30 255.255.255.248
    • interface fa0/0.4
    • encapsulation dot1Q 14
    • ip address 10.1.14.94 255.255.255.224
    • interface fa0/0.99
    • encapsulation dot1Q 99
    • ip address 10.1.99.254 255.255.255.0
    • no shutdown
  • R1 to R3 static route
    • ip route 10.3.2.0 255.255.255.0 192.168.123.6
    • exit
  • R1 to R2 backup static route
    • ip route 10.3.2.0 255.255.255.0 192.168.123.2 2
    • exit
  • OSPF
    • Loopback0
    • interface loopback0
    • ip address 192.168.99.1 255.255.255.255
    • router ospf 1
    • router-id 192.168.99.1
    • passive-interface default
    • no passive-interface serial0/0/0
    • no passive-interface serial0/0/1
    • network 192.168.123.0 0.0.0.3 area 0
    • network 192.168.123.4 0.0.0.3 area 0
    • network 10.1.12.16 0.0.0.15 area 0
    • network 10.1.13.24 0.0.0.7 area 0
    • network 192.168.99.1 0.0.0.0 area 0
    • R1 adds VLAN99 to OSPF Area 0
      • router ospf 1
      • network 10.1.99.0 0.0.0.255 area 0
  • Link to the Internet
    • interface serial0/1/1
    • ip address 193.16.1.254 255.255.255.252
    • no shutdown
    • exit
    • ip route 0.0.0.0 0.0.0.0 193.16.1.253

R2

  • no ip domain-lookup
  • R2 to R3
    • interface s0/0/1
    • ip address 192.168.123.9 255.255.255.252
    • bandwidth 128
    • clock rate 128000
    • no shutdown
    • exit
  • R2 to R1
    • interface serial0/0/0
    • ip address 192.168.123.2 255.255.255.252
    • bandwidth 128
    • no shutdown
    • exit
  • Fa0/0
    • interface fa0/0
    • ip address 172.16.100.254 255.255.255.0
    • no shutdown
    • exit
  • R2 static routes supporting the VLAN14 ↔ R3-PC2 backup path
    • ip route 10.3.2.0 255.255.255.0 192.168.123.10
    • Route for VLAN 14 IT: ip route 10.1.14.64 255.255.255.224 192.168.123.1
    • exit
  • OSPF
    • interface loopback0
    • ip address 192.168.99.2 255.255.255.255
    • router ospf 2
    • router-id 192.168.99.2
    • network 192.168.123.2 0.0.0.0 area 0
    • network 192.168.123.9 0.0.0.0 area 0
    • network 172.16.100.254 0.0.0.0 area 2
    • network 192.168.99.2 0.0.0.0 area 2
    • passive-interface fa0/0
  • Equal-cost routing special settings
    • interface serial0/0/0
    • bandwidth 128
    • exit
    • interface serial0/0/1
    • bandwidth 128
    • no shutdown
    • exit
    • router ospf 2
    • network 192.168.123.9 0.0.0.0 area 0
    • no passive-interface serial0/0/1

Host Settings

  • R2-Server1
    • 172.16.100.101
    • 255.255.255.0
    • 172.16.100.254
  • R2-Server2
    • 172.16.100.102
    • 255.255.255.0
    • 172.16.100.254
  • R2-Private
    • 172.16.100.103
    • 255.255.255.0
    • 172.16.100.254

R3

  • no ip domain-lookup
  • VPN preparation notes:
    • In the first stage, R3 does not yet take part in the R1 ↔ R6 IPSec VPN test.
    • For now R3 keeps only the static route to VLAN14:
    • R3 to R1 static route
      • ip route 10.1.14.64 255.255.255.224 192.168.123.5
  • R3 to VLAN14 backup static route
    • ip route 10.1.14.64 255.255.255.224 192.168.123.9 2
    • exit
  • Fa0/0
    • interface fa0/0
    • ip address 10.3.1.254 255.255.255.0
    • ip ospf 3 area 0
    • no shutdown
    • end
  • F0/1
    • interface fa0/1
    • ip address 10.3.2.254 255.255.255.0
    • no shutdown
    • end
  • OSPF
    • interface loopback0
    • ip address 192.168.99.3 255.255.255.255
    • ip ospf 3 area 3
    • exit
    • router ospf 3
    • router-id 192.168.99.3
    • R3 serial links added to Area 0
      • interface serial0/0/0
      • ip address 192.168.123.6 255.255.255.252
      • bandwidth 64
      • no shutdown
      • ip ospf 3 area 0
      • exit
      • interface serial0/0/1
      • ip address 192.168.123.10 255.255.255.252
      • bandwidth 128
      • ip ospf 3 area 0
      • no shutdown
    • R3 OSPF process
      • router ospf 3
      • passive-interface fa0/0
  • Equal-cost routing special settings
    • interface serial0/0/0
    • bandwidth 64
    • exit
    • interface serial0/0/1
    • bandwidth 128
    • exit
    • end

Host Settings

  • R3-PC1
    • 10.3.1.10
    • 255.255.255.0
    • 10.3.1.254
  • R3-PC2
    • 10.3.2.10
    • 255.255.255.0
    • 10.3.2.254

ACL

  • ACL requirements
    • Replace telnet with SSH.
    • Only the IT department (i.e. the VLAN 14 subnet 10.1.14.64/27) may connect in remotely via SSH.
    • For managing this network device, allow 6 concurrent SSH sessions into R3.
    • SSH parameters:
      • username user
      • password 123
      • domain name ckc.com
      • crypto 1024
  • ACL commands
    • username user password 123
    • ip domain-name ckc.com
    • crypto key generate rsa
      • 1024
    • ip ssh version 2
    • access-list 12 permit 10.1.14.64 0.0.0.31
    • line vty 0 5
    • login local
    • transport input ssh
    • access-class 12 in
    • exit
    • line vty 6 15
    • transport input none
    • exit
    • end

R6

  • no ip domain-lookup
  • hostname R6
  • Loopback0
    • interface loopback0
    • ip address 192.168.99.6 255.255.255.255
    • exit
  • Internet router far side: 193.16.6.253/30
  • R6 command set:
  • Fa0/1
    • interface fastEthernet0/1
    • ip address 10.5.0.254 255.255.255.0
    • no shutdown
    • exit
  • Fa0/0
    • interface fastEthernet0/0
    • ip address 10.6.0.254 255.255.255.0
    • no shutdown
    • exit
  • Link to the Internet router
    • interface serial0/0/0
    • ip address 193.16.6.254 255.255.255.252
    • no shutdown
    • exit
    • ip route 0.0.0.0 0.0.0.0 193.16.6.253

Host Settings

  • R6-PC5: 10.5.0.10/24
    • IP Address: 10.5.0.10
    • Subnet Mask: 255.255.255.0
    • Default Gateway: 10.5.0.254
  • R6-PC6: 10.6.0.10/24
    • IP Address: 10.6.0.10
    • Subnet Mask: 255.255.255.0
    • Default Gateway: 10.6.0.254

Internet

  • no ip domain-lookup
  • hostname Internet
  • Link to R6
    • interface serial0/0/1
    • ip address 193.16.6.253 255.255.255.252
    • clock rate 64000
    • no shutdown
    • exit
  • Internet_WWW
    • interface fastEthernet0/0
    • ip address 200.200.200.254 255.255.255.0
    • no shutdown
    • exit
  • Internet_User
    • interface fastEthernet0/1
    • ip address 201.201.201.254 255.255.255.0
    • no shutdown
    • exit
  • Link to R1
    • interface serial0/0/0
    • ip address 193.16.1.253 255.255.255.252
    • clock rate 64000
    • no shutdown
    • exit

Host Settings

  • Internet WWW
    • IP Address: 200.200.200.200
    • Subnet Mask: 255.255.255.0
    • Default Gateway: 200.200.200.254
  • Internet User
    • IP Address: 201.201.201.201
    • Subnet Mask: 255.255.255.0
    • Default Gateway: 201.201.201.254

Revised Summary

    1. Heading
      1. Subheading
  • Bullet
 * Sub-bullet
   * Command