Difference between revisions of "緯育 2026-0608"

From 頂極製作所
Tag: Manual revert

(13 intermediate revisions by the same user not shown)
== Complete configuration table ==
* Client IP / Gateway
* Switch VLAN
* Access Port
* Trunk
* Router-on-a-stick
* Router Interface
* Static / Floating Static Route
* OSPF
* Default Route
* NAT / PAT
* Static NAT
* IPSec VPN
* ACL
* Final verification

== S1 ==
* VLAN12
** vlan 12
** name RD
* VLAN13
** vlan 13
** name sales
* VLAN14
** vlan 14
** name IT
* VLAN99
** vlan 99
** name MGMT
** exit
** interface vlan 99
** ip address 10.1.99.101 255.255.255.0
** no shutdown
** exit
* trunk allowed VLAN
** interface range fa0/23 - 24
** switchport mode trunk
** switchport trunk allowed vlan 12,13,14,99
** no shutdown
** exit
** ip default-gateway 10.1.99.254
* S1 to R1 Trunk
** configure terminal
** interface fa0/5
** switchport mode trunk
** switchport trunk allowed vlan 12,13,14,99
** no shutdown
** exit
* Fa0/21
** interface fa0/21
** switchport mode access
** switchport access vlan 99
** no shutdown
* Fa0/11
** interface fa0/11
** switchport mode access
** switchport access vlan 12
** no shutdown
** exit
* Fa0/15
** interface fa0/15
** switchport mode access
** switchport access vlan 13
** no shutdown
** exit


=== End-device settings ===
* S1 management IP
** 10.1.99.101
** 255.255.255.0
** 10.1.99.254
* VLAN12-RD1
** 10.1.12.17
** 255.255.255.240
** 10.1.12.30
* VLAN13-Sales1
** 10.1.13.25
** 255.255.255.248
** 10.1.13.30
* Mgmt Server IP
** 10.1.99.100
** 255.255.255.0
** 10.1.99.254


== S2 ==
* VLAN12
** vlan 12
** name RD
* Fa0/11
** interface fa0/11
** switchport mode access
** switchport access vlan 12
** no shutdown
* VLAN13
** vlan 13
** name sales
* VLAN14
** vlan 14
** name IT
* VLAN99
** vlan 99
** name MGMT
** exit
** interface vlan 99
** ip address 10.1.99.102 255.255.255.0
** no shutdown
** exit
** ip default-gateway 10.1.99.254
* trunk allowed VLAN
** interface range fa0/23 - 24
** switchport mode trunk
** switchport trunk allowed vlan 12,13,14,99
** no shutdown
* Fa0/15
** interface fa0/15
** switchport mode access
** switchport access vlan 13
** no shutdown
** exit
* Fa0/19
** interface fa0/19
** switchport mode access
** switchport access vlan 14
** no shutdown
** exit
=== End-device settings ===
* S2 IP
** 10.1.99.102
** 255.255.255.0
** 10.1.99.254
* VLAN12-RD2
** 10.1.12.18
** 255.255.255.240
** 10.1.12.30
* VLAN13-Sales2
** 10.1.13.26
** 255.255.255.248
** 10.1.13.30
* VLAN14-IT
** 10.1.14.65
** 255.255.255.224
** 10.1.14.94

=== 1. End-device IP / Gateway settings ===
{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| Client IP
| S1 management IP
| Status: done<br>VLAN: 99<br>IP: 10.1.99.101<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254<br><br>Commands entered:<br><code>conf t</code><br><code>interface vlan 99</code><br><code>ip address 10.1.99.101 255.255.255.0</code><br><code>no shutdown</code><br><code>exit</code><br><code>ip default-gateway 10.1.99.254</code>
|-
| Client IP
| S2 management IP
| Status: done<br>VLAN: 99<br>IP: 10.1.99.102<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254<br><br>Commands entered:<br><code>conf t</code><br><code>interface vlan 99</code><br><code>ip address 10.1.99.102 255.255.255.0</code><br><code>no shutdown</code><br><code>exit</code><br><code>ip default-gateway 10.1.99.254</code>
|-
| Client IP
| Mgmt Server
| Status: done<br>IP: 10.1.99.100<br>Mask: 255.255.255.0<br>Gateway: 10.1.99.254<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.99.100</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 10.1.99.254</code>
|-
| Client IP
| VLAN12-RD1
| Status: done<br>Department: RD<br>VLAN: 12<br>IP: 10.1.12.17<br>Mask: 255.255.255.240<br>Gateway: 10.1.12.30<br>Connected to: S1 Fa0/11<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.12.17</code><br><code>Subnet Mask: 255.255.255.240</code><br><code>Default Gateway: 10.1.12.30</code>
|-
| Client IP
| VLAN12-RD2
| Status: done<br>Department: RD<br>VLAN: 12<br>IP: 10.1.12.18<br>Mask: 255.255.255.240<br>Gateway: 10.1.12.30<br>Connected to: S2 Fa0/11<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.12.18</code><br><code>Subnet Mask: 255.255.255.240</code><br><code>Default Gateway: 10.1.12.30</code>
|-
| Client IP
| VLAN13-Sales1
| Status: done<br>Department: Sales<br>VLAN: 13<br>IP: 10.1.13.25<br>Mask: 255.255.255.248<br>Gateway: 10.1.13.30<br>Connected to: S1 Fa0/15<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.13.25</code><br><code>Subnet Mask: 255.255.255.248</code><br><code>Default Gateway: 10.1.13.30</code>
|-
| Client IP
| VLAN13-Sales2
| Status: done<br>Department: Sales<br>VLAN: 13<br>IP: 10.1.13.26<br>Mask: 255.255.255.248<br>Gateway: 10.1.13.30<br>Connected to: S2 Fa0/15<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.13.26</code><br><code>Subnet Mask: 255.255.255.248</code><br><code>Default Gateway: 10.1.13.30</code>
|-
| Client IP
| VLAN14-IT
| Status: done<br>Department: IT<br>VLAN: 14<br>IP: 10.1.14.65<br>Mask: 255.255.255.224<br>Gateway: 10.1.14.94<br>Connected to: S2 Fa0/19<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.1.14.65</code><br><code>Subnet Mask: 255.255.255.224</code><br><code>Default Gateway: 10.1.14.94</code>
|-
| Client IP
| R2-Private
| Status: done<br>Role: Private Server<br>IP: 172.16.100.101<br>Mask: 255.255.255.0<br>Gateway: 172.16.100.254<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 172.16.100.101</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 172.16.100.254</code>
|}
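The end-device table above is the kind of thing that silently breaks when one octet is mistyped (a host on the wrong side of a /28 boundary, a gateway that is not actually configured on the router, a dot1Q tag pruned from the trunk). The following is an added example, not part of the original lab notes: it transcribes the host rows, the R1 subinterface / R2 Fa0/0 gateway addresses and the S1/S2 VLAN and trunk data from this page and checks them against each other offline. Function names and the problem strings are this example's own.

```python
# Added example, not part of the lab notes: a consistency check over the
# end-device table above.  The rows, the router gateway addresses and the
# switch VLAN data are transcribed from the page; everything else here
# (function names, the problem strings) is this example's own.
import ipaddress

# (device, host IP, subnet mask, configured default gateway)
HOSTS = [
    ("S1 mgmt",       "10.1.99.101",    "255.255.255.0",   "10.1.99.254"),
    ("S2 mgmt",       "10.1.99.102",    "255.255.255.0",   "10.1.99.254"),
    ("Mgmt Server",   "10.1.99.100",    "255.255.255.0",   "10.1.99.254"),
    ("VLAN12-RD1",    "10.1.12.17",     "255.255.255.240", "10.1.12.30"),
    ("VLAN12-RD2",    "10.1.12.18",     "255.255.255.240", "10.1.12.30"),
    ("VLAN13-Sales1", "10.1.13.25",     "255.255.255.248", "10.1.13.30"),
    ("VLAN13-Sales2", "10.1.13.26",     "255.255.255.248", "10.1.13.30"),
    ("VLAN14-IT",     "10.1.14.65",     "255.255.255.224", "10.1.14.94"),
    ("R2-Private",    "172.16.100.101", "255.255.255.0",   "172.16.100.254"),
]

# Router interface addresses that act as gateways (R1 subinterfaces, R2 Fa0/0)
GATEWAYS = {
    "10.1.12.30/28": "R1 fa0/0.2", "10.1.13.30/29": "R1 fa0/0.3",
    "10.1.14.94/27": "R1 fa0/0.4", "10.1.99.254/24": "R1 fa0/0.99",
    "172.16.100.254/24": "R2 fa0/0",
}

# dot1Q tag of each R1 subinterface, the VLANs created on S1/S2 and the
# trunk allowed list used on fa0/5 and fa0/23-24
SUBIF_TAGS = {"fa0/0.2": 12, "fa0/0.3": 13, "fa0/0.4": 14, "fa0/0.99": 99}
SWITCH_VLANS = {12, 13, 14, 99}
TRUNK_ALLOWED = {12, 13, 14, 99}


def check_host(name, ip, mask, gw):
    """Return a list of problems for one end device (empty when consistent)."""
    problems = []
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    host, gateway = ipaddress.ip_address(ip), ipaddress.ip_address(gw)
    if gateway not in net:
        problems.append(f"{name}: gateway {gw} is not in {net}")
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {ip} is the network or broadcast address")
    if f"{gw}/{net.prefixlen}" not in GATEWAYS:
        problems.append(f"{name}: no router interface is configured as {gw}/{net.prefixlen}")
    return problems


def check_vlans(tags=SUBIF_TAGS, vlans=SWITCH_VLANS, allowed=TRUNK_ALLOWED):
    """Every subinterface tag must exist on the switches and be allowed on the trunk."""
    problems = []
    for subif, tag in tags.items():
        if tag not in vlans:
            problems.append(f"{subif}: VLAN {tag} is not defined on the switches")
        if tag not in allowed:
            problems.append(f"{subif}: VLAN {tag} is pruned from the trunk")
    return problems


def check_all(hosts=HOSTS):
    """All host problems followed by all VLAN/trunk problems."""
    return [p for row in hosts for p in check_host(*row)] + check_vlans()


if __name__ == "__main__":
    issues = check_all()
    print("all consistent" if not issues else "\n".join(issues))
```

Run as-is it reports "all consistent" for the values on this page; feeding it a row with the wrong gateway (for example VLAN12-RD1 with 10.1.13.30) produces two findings, the gateway outside 10.1.12.16/28 and the absence of any router interface with that address.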
 
== R1 ==
* no ip domain-lookup
* Fa0/0
** interface fa0/0
** no shutdown
* Serial 0/0/0
** interface serial0/0/0
** ip address 192.168.123.1 255.255.255.252
** bandwidth 128
** no shutdown
** exit
* Serial 0/0/1
** interface serial0/0/1
** ip address 192.168.123.5 255.255.255.252
** bandwidth 64
** clock rate 64000
** no shutdown
** exit
** router ospf 1
** no passive-interface serial0/0/1
** network 192.168.123.4 0.0.0.3 area 0
* Subinterfaces (router-on-a-stick)
** interface fa0/0.2
** encapsulation dot1Q 12
** ip address 10.1.12.30 255.255.255.240
** interface fa0/0.3
** encapsulation dot1Q 13
** ip address 10.1.13.30 255.255.255.248
** interface fa0/0.4
** encapsulation dot1Q 14
** ip address 10.1.14.94 255.255.255.224
** interface fa0/0.99
** encapsulation dot1Q 99
** ip address 10.1.99.254 255.255.255.0
** no shutdown
* R1 to R3 static route
** ip route 10.3.2.0 255.255.255.0 192.168.123.6
** exit
* R1 floating static route to 10.3.2.0/24 via R2 (backup, AD 2)
** ip route 10.3.2.0 255.255.255.0 192.168.123.2 2
** exit
* OSPF
** Loopback0
** interface loopback0
** ip address 192.168.99.1 255.255.255.255
** router ospf 1
** router-id 192.168.99.1
** passive-interface default
** no passive-interface serial0/0/0
** no passive-interface serial0/0/1
** network 192.168.123.0 0.0.0.3 area 0
** network 192.168.123.4 0.0.0.3 area 0
** network 10.1.12.16 0.0.0.15 area 0
** network 10.1.13.24 0.0.0.7 area 0
** network 192.168.99.1 0.0.0.0 area 0
** Add VLAN99 to OSPF area 0 on R1
*** router ospf 1
*** network 10.1.99.0 0.0.0.255 area 0
* Link to Internet
** interface serial0/1/1
** ip address 193.16.1.254 255.255.255.252
** no shutdown
** exit
** ip route 0.0.0.0 0.0.0.0 193.16.1.253
 
== R2 ==
* no ip domain-lookup
* R2 to R3
** interface s0/0/1
** ip address 192.168.123.9 255.255.255.252
** bandwidth 128
** clock rate 128000
** no shutdown
** exit
* R2 to R1
** interface serial0/0/0
** ip address 192.168.123.2 255.255.255.252
** bandwidth 128
** no shutdown
** exit
* Fa0/0
** interface fa0/0
** ip address 172.16.100.254 255.255.255.0
** no shutdown
** exit
* R2 static routes for the VLAN14 ↔ R3-PC2 backup path (VLAN14 10.1.14.64/27 and 10.3.2.0/24 are not advertised in OSPF, so both need static routes)
** ip route 10.3.2.0 255.255.255.0 192.168.123.10
** Return route for VLAN14 (IT): ip route 10.1.14.64 255.255.255.224 192.168.123.1
** exit
* OSPF
** interface loopback0
** ip address 192.168.99.2 255.255.255.255
** router ospf 2
** router-id 192.168.99.2
** network 192.168.123.2 0.0.0.0 area 0
** network 192.168.123.9 0.0.0.0 area 0
** network 172.16.100.254 0.0.0.0 area 2
** network 192.168.99.2 0.0.0.0 area 2
** passive-interface fa0/0
* Equal-cost routing settings (bandwidth on both serial links)
** interface serial0/0/0
** bandwidth 128
** exit
** interface serial0/0/1
** bandwidth 128
** no shutdown
** exit
** router ospf 2
** network 192.168.123.9 0.0.0.0 area 0
** no passive-interface serial0/0/1
=== End-device settings ===
* R2-Server1
** 172.16.100.101
** 255.255.255.0
** 172.16.100.254
* R2-Server2
** 172.16.100.102
** 255.255.255.0
** 172.16.100.254
* R2-Private
** 172.16.100.103
** 255.255.255.0
** 172.16.100.254
 
== R3 ==
* no ip domain-lookup
* VPN preparation notes:
** In the first stage R3 does not take part in the R1 ↔ R6 IPSec VPN test.
** For now R3 only keeps its static routes to VLAN14:
** R3 to R1 static route
*** ip route 10.1.14.64 255.255.255.224 192.168.123.5
* R3 floating static route to VLAN14 via R2 (backup, AD 2)
** ip route 10.1.14.64 255.255.255.224 192.168.123.9 2
** exit
* Fa0/0
** interface fa0/0
** ip address 10.3.1.254 255.255.255.0
** ip ospf 3 area 0
** no shutdown
** end
* F0/1
** interface fa0/1
** ip address 10.3.2.254 255.255.255.0
** no shutdown
** end
* OSPF
** interface loopback0
** ip address 192.168.99.3 255.255.255.255
** ip ospf 3 area 3
** exit
** router ospf 3
** router-id 192.168.99.3
** R3 serial links join area 0
*** interface serial0/0/0
*** ip address 192.168.123.6 255.255.255.252
*** bandwidth 64
*** no shutdown
*** ip ospf 3 area 0
*** exit
*** interface serial0/0/1
*** ip address 192.168.123.10 255.255.255.252
*** bandwidth 128
*** ip ospf 3 area 0
*** no shutdown
** R3 OSPF process
*** router ospf 3
*** passive-interface fa0/0
* Equal-cost routing settings (serial bandwidth)
** interface serial0/0/0
** bandwidth 64
** exit
** interface serial0/0/1
** bandwidth 128
** exit
** end
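The "equal-cost routing settings" on R2 and R3 above, together with R1's bandwidth values, only work because of how IOS turns <code>bandwidth</code> into an OSPF cost. The block below is an added example, not the lab's own code: it computes the interface costs from the IOS default reference bandwidth (100 Mbit/s, cost = 10^8 / bandwidth in bit/s, truncated) and enumerates every loop-free path between the three routers, showing that R1 → R3 direct (64 kbit/s) and R1 → R2 → R3 (128 + 128 kbit/s) both cost 1562 and are therefore installed together as equal-cost routes. The topology dict and the path enumeration are this example's own; the bandwidths are the ones configured on the page.

```python
# Added example, not part of the lab notes: why the bandwidth values on the
# R1/R2/R3 serial links produce two equal-cost OSPF paths.  Link bandwidths
# are the `bandwidth` values configured on the page; the topology dict and
# the path enumeration are this example's own.  IOS derives the interface
# cost from the default reference bandwidth of 100 Mbit/s.
REF_BW_BPS = 100_000_000  # auto-cost reference-bandwidth 100 (Mbit/s), IOS default


def ospf_cost(bandwidth_kbps):
    """IOS interface cost: 10^8 / bandwidth (bit/s), truncated, never below 1."""
    return max(1, REF_BW_BPS // (bandwidth_kbps * 1000))


# serial links with the `bandwidth` (kbit/s) configured on both ends; the cost
# is charged on the outgoing interface, so equal values on both ends keep the
# path cost symmetric
LINKS = {
    frozenset({"R1", "R2"}): 128,
    frozenset({"R2", "R3"}): 128,
    frozenset({"R1", "R3"}): 64,
}


def neighbours(router, links):
    return sorted(next(iter(link - {router})) for link in links if router in link)


def simple_paths(src, dst, links, seen=()):
    """Yield every loop-free path from src to dst as a tuple of router names."""
    seen = seen + (src,)
    if src == dst:
        yield seen
        return
    for nxt in neighbours(src, links):
        if nxt not in seen:
            yield from simple_paths(nxt, dst, links, seen)


def path_cost(path, links):
    """Sum the cost of each outgoing interface along the path."""
    return sum(ospf_cost(links[frozenset(hop)]) for hop in zip(path, path[1:]))


def equal_cost_paths(src, dst, links=LINKS):
    """Return (best cost, sorted list of all paths that reach that cost)."""
    costs = {p: path_cost(p, links) for p in simple_paths(src, dst, links)}
    best = min(costs.values())
    return best, sorted(p for p, c in costs.items() if c == best)


if __name__ == "__main__":
    print("R1 -> R3 with the lab settings:", equal_cost_paths("R1", "R3"))
    # If R1-R3 were left at the serial default of 1544 kbit/s the direct
    # link would win outright and there would be no load sharing.
    default_t1 = {**LINKS, frozenset({"R1", "R3"}): 1544}
    print("R1 -> R3 with default bandwidth:", equal_cost_paths("R1", "R3", default_t1))
```

With the page's values <code>equal_cost_paths("R1", "R3")</code> returns cost 1562 with both paths; with the serial default of 1544 kbit/s on R1-R3 the direct path costs 64 and is the only one installed, which is the situation the <code>bandwidth 64</code> commands on R1 and R3 are there to avoid. The same arithmetic explains why <code>show ip route</code> on R1 should list two next hops for 10.3.1.0/24 after OSPF converges.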
=== End-device settings ===
* R3-PC1
** 10.3.1.10
** 255.255.255.0
** 10.3.1.254
* R3-PC2
** 10.3.2.10
** 255.255.255.0
** 10.3.2.254
 
=== ACL ===
* ACL requirements
** Replace Telnet with SSH.
** Only the IT department (VLAN 14, 10.1.14.64/27) may connect in remotely over SSH.
** Allow up to 6 concurrent SSH sessions into R3 for management.
** SSH parameters:
*** username user
*** password 123
*** domain name ckc.com
*** RSA modulus 1024
* ACL commands
** username user password 123
** ip domain-name ckc.com
** crypto key generate rsa
*** 1024
** ip ssh version 2
** access-list 12 permit 10.1.14.64 0.0.0.31
** line vty 0 5
** login local
** transport input ssh
** access-class 12 in
** exit
** line vty 6 15
** transport input none
** exit
** end
* Notes
** <code>line vty 0 5</code> is six lines, which is the six-session requirement; <code>transport input none</code> on vty 6–15 closes the remaining lines, and the standard ACL applied with <code>access-class 12 in</code> limits the source to 10.1.14.64/27 (wildcard 0.0.0.31). Check with <code>show ip ssh</code> and <code>show users</code>.
** Lab values only: <code>username user password 123</code> keeps the password reversibly in the configuration, whereas <code>username user secret 123</code> stores a hash. The 1024-bit modulus is the lab requirement; SSH version 2 needs at least 768 bits, and current guidance is 2048 or more.
 
== R6 ==
* no ip domain-lookup
* hostname R6
* Loopback0
** interface loopback0
** ip address 192.168.99.6 255.255.255.255
** exit
* Internet router end of the link: 193.16.6.253/30
* R6 commands:
* Fa0/1
** interface fastEthernet0/1
** ip address 10.5.0.254 255.255.255.0
** no shutdown
** exit
* Fa0/0
** interface fastEthernet0/0
** ip address 10.6.0.254 255.255.255.0
** no shutdown
** exit
* Link to Internet router
** interface serial0/0/0
** ip address 193.16.6.254 255.255.255.252
** no shutdown
** exit
** ip route 0.0.0.0 0.0.0.0 193.16.6.253
 
=== End-device settings ===
* R6-PC5:10.5.0.10/24
** IP Address:10.5.0.10
** Subnet Mask:255.255.255.0
** Default Gateway:10.5.0.254
* R6-PC6:10.6.0.10/24
** IP Address:10.6.0.10
** Subnet Mask:255.255.255.0
** Default Gateway:10.6.0.254
 
== Internet ==
* no ip domain-lookup
* hostname Internet
* Link to R6
** interface serial0/0/1
** ip address 193.16.6.253 255.255.255.252
** clock rate 64000
** no shutdown
** exit
* Internet_WWW
** interface fastEthernet0/0
** ip address 200.200.200.254 255.255.255.0
** no shutdown
** exit
* Internet_User
** interface fastEthernet0/1
** ip address 201.201.201.254 255.255.255.0
** no shutdown
** exit
* Link to R1
** interface serial0/0/0
** ip address 193.16.1.253 255.255.255.252
** clock rate 64000
** no shutdown
** exit
=== End-device settings ===
* Internet WWW
** IP Address:200.200.200.200
** Subnet Mask:255.255.255.0
** Default Gateway:200.200.200.254
* Internet User
** IP Address:201.201.201.201
** Subnet Mask:255.255.255.0
** Default Gateway:201.201.201.254
 
== Updated summary ==
= 2026-0608 ACL / NAT / PAT / VPN lab final configuration record =
 
Items completed in this lab:
 
* R1 default route and OSPF default-route origination
* VLAN12 PAT
* VLAN13 dynamic NAT
* R2-DMZ static NAT
* R6-PC5 PAT
* R1 ↔ R6 IPSec VPN
* R2 extended ACL 100
* Final verification complete
 
----
 
=== 1. End-device IP / Gateway settings (continued) ===

{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| Client IP
| R2-DMZ
| Status: done<br>Role: DMZ Server<br>IP: 172.16.100.102<br>Mask: 255.255.255.0<br>Gateway: 172.16.100.254<br>Static NAT mapping: 171.69.233.209<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 172.16.100.102</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 172.16.100.254</code>
|-
| Client IP
| R2-Other
| Status: done<br>Role: Other Server<br>IP: 172.16.100.103<br>Mask: 255.255.255.0<br>Gateway: 172.16.100.254<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 172.16.100.103</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 172.16.100.254</code>
|-
| Client IP
| R3-PC1
| Status: done<br>IP: 10.3.1.10<br>Mask: 255.255.255.0<br>Gateway: 10.3.1.254<br>Purpose: IPSec VPN remote destination<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.3.1.10</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 10.3.1.254</code>
|-
| Client IP
| R3-PC2
| Status: done<br>IP: 10.3.2.10<br>Mask: 255.255.255.0<br>Gateway: 10.3.2.254<br>Purpose: static / floating static route test<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.3.2.10</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 10.3.2.254</code>
|-
| Client IP
| R6-PC5
| Status: done<br>IP: 10.5.0.10<br>Mask: 255.255.255.0<br>Gateway: 10.5.0.254<br>Purpose: R6 PAT test<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.5.0.10</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 10.5.0.254</code>
|-
| Client IP
| R6-PC6
| Status: done<br>IP: 10.6.0.10<br>Mask: 255.255.255.0<br>Gateway: 10.6.0.254<br>Purpose: IPSec VPN local source<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 10.6.0.10</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 10.6.0.254</code>
|-
| Client IP
| Internet WWW
| Status: done<br>IP: 200.200.200.200<br>Mask: 255.255.255.0<br>Gateway: 200.200.200.254<br>Purpose: NAT / PAT outbound test<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 200.200.200.200</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 200.200.200.254</code>
|-
| Client IP
| Internet User
| Status: done<br>IP: 201.201.201.201<br>Mask: 255.255.255.0<br>Gateway: 201.201.201.254<br>Purpose: static NAT external test<br><br>Set in: Desktop → IP Configuration<br><code>IP Address: 201.201.201.201</code><br><code>Subnet Mask: 255.255.255.0</code><br><code>Default Gateway: 201.201.201.254</code>
|}

= R1 configuration =

== R1 interface roles ==

{| class="wikitable"
! Interface
! IP / subnet
! Purpose
|-
| Fa0/0.2
| 10.1.12.30/28
| VLAN12 RD gateway / NAT inside
|-
| Fa0/0.3
| 10.1.13.30/29
| VLAN13 gateway / NAT inside
|-
| Fa0/0.4
| 10.1.14.94/27
| VLAN14 gateway
|-
| Fa0/0.99
| 10.1.99.254/24
| Management VLAN
|-
| Serial0/0/0
| 192.168.123.1/30
| R1 ↔ R2
|-
| Serial0/0/1
| 192.168.123.5/30
| R1 ↔ R3
|-
| Serial0/1/1
| 193.16.1.254/30
| R1 ↔ Internet / NAT outside / VPN peer
|-
| Loopback0
| 192.168.99.1/32
| Router ID
|}
== R1 Default Route ==
<syntaxhighlight lang="text">
conf t
ip route 0.0.0.0 0.0.0.0 193.16.1.253
end
wr
</syntaxhighlight>
== R1 OSPF default route origination ==
<syntaxhighlight lang="text">
conf t
router ospf 1
default-information originate
end
wr
</syntaxhighlight>
== R1 NAT inside / outside interfaces ==
<syntaxhighlight lang="text">
conf t
interface fa0/0.2
ip nat inside
interface fa0/0.3
ip nat inside
interface serial0/0/0
ip nat inside
interface serial0/0/1
ip nat inside
interface serial0/1/1
ip nat outside
end
wr
</syntaxhighlight>
== R1 VLAN12 PAT ==
<syntaxhighlight lang="text">
conf t
access-list 12 permit 10.1.12.16 0.0.0.15
ip nat inside source list 12 interface serial0/1/1 overload
end
wr
</syntaxhighlight>
== R1 VLAN13 dynamic NAT ==
The pool 171.69.233.210–.222 (and the static NAT address 171.69.233.209 below) is not on any R1 interface subnet, so return traffic only works if the Internet router has a route for 171.69.233.208/28 pointing at 193.16.1.254; that route is not recorded on this page.
<syntaxhighlight lang="text">
conf t
access-list 13 permit 10.1.13.24 0.0.0.7
ip nat pool VLAN13_POOL 171.69.233.210 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 13 pool VLAN13_POOL
end
wr
</syntaxhighlight>
== R1 R2-DMZ static NAT ==
<syntaxhighlight lang="text">
conf t
ip nat inside source static 172.16.100.102 171.69.233.209
end
wr
</syntaxhighlight>
== R1 IPSec VPN ==
VPN goal:
* Build an IPSec tunnel between the external interfaces of R1 and R6
* Protected hosts: R3-PC1 10.3.1.10 (behind R1) and R6-PC6 10.6.0.10
* R1 VPN peer: 193.16.6.254
* PSK: SeCrEt
* Phase 1: 3DES / SHA / group 2
* Phase 2: ESP / AES / MD5
The crypto ACL 110 below matches 10.3.1.0/24 → 10.6.0.0/24; that source range is outside NAT ACLs 12 and 13 and the static NAT covers only 172.16.100.102, so VPN traffic reaches crypto map map16 untranslated. 3DES, SHA-1, DH group 2 and HMAC-MD5 are legacy algorithms; outside a lab use AES, SHA-2 and DH group 14 or higher.
<syntaxhighlight lang="text">
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.6.254
crypto ipsec transform-set ts16 esp-aes esp-md5-hmac
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255
crypto map map16 10 ipsec-isakmp
set peer 193.16.6.254
set transform-set ts16
match address 110
exit
interface serial0/1/1
crypto map map16
end
wr
</syntaxhighlight>
== R1 verification commands ==
<syntaxhighlight lang="text">
show ip route
show ip route 0.0.0.0
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa
show access-lists 110
</syntaxhighlight>


----
----


=== 2. Switch VLAN / Access Port / Trunk settings ===

{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| VLAN
| S1 create VLANs
| Status: done<br>VLAN12: RD<br>VLAN13: sales<br>VLAN14: IT<br>VLAN99: MGMT<br><br>Commands entered:<br><code>conf t</code><br><code>vlan 12</code><br><code>name RD</code><br><code>vlan 13</code><br><code>name sales</code><br><code>vlan 14</code><br><code>name IT</code><br><code>vlan 99</code><br><code>name MGMT</code>
|-
| VLAN
| S2 create VLANs
| Status: done<br>VLAN12: RD<br>VLAN13: sales<br>VLAN14: IT<br>VLAN99: MGMT<br><br>Commands entered:<br><code>conf t</code><br><code>vlan 12</code><br><code>name RD</code><br><code>vlan 13</code><br><code>name sales</code><br><code>vlan 14</code><br><code>name IT</code><br><code>vlan 99</code><br><code>name MGMT</code>
|-
| Access Port
| S1 access ports
| Status: done<br>Fa0/11: VLAN12<br>Fa0/15: VLAN13<br>Fa0/21: VLAN99<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/11</code><br><code>switchport mode access</code><br><code>switchport access vlan 12</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/15</code><br><code>switchport mode access</code><br><code>switchport access vlan 13</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/21</code><br><code>switchport mode access</code><br><code>switchport access vlan 99</code><br><code>no shutdown</code>
|-
| Access Port
| S2 access ports
| Status: done<br>Fa0/11: VLAN12<br>Fa0/15: VLAN13<br>Fa0/19: VLAN14<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/11</code><br><code>switchport mode access</code><br><code>switchport access vlan 12</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/15</code><br><code>switchport mode access</code><br><code>switchport access vlan 13</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/19</code><br><code>switchport mode access</code><br><code>switchport access vlan 14</code><br><code>no shutdown</code>
|-
| Trunk
| S1 to S2
| Status: done<br>Trunk ports: Fa0/23 - 24<br>Allowed VLANs: 12,13,14,99<br><br>Commands entered:<br><code>conf t</code><br><code>interface range fa0/23 - 24</code><br><code>switchport mode trunk</code><br><code>switchport trunk allowed vlan 12,13,14,99</code><br><code>no shutdown</code>
|-
| Trunk
| S2 to S1
| Status: done<br>Trunk ports: Fa0/23 - 24<br>Allowed VLANs: 12,13,14,99<br><br>Commands entered:<br><code>conf t</code><br><code>interface range fa0/23 - 24</code><br><code>switchport mode trunk</code><br><code>switchport trunk allowed vlan 12,13,14,99</code><br><code>no shutdown</code>
|-
| Trunk
| S1 to R1
| Status: done<br>S1 Fa0/5 connects to R1 Fa0/0<br>Allowed VLANs: 12,13,14,99<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/5</code><br><code>switchport mode trunk</code><br><code>switchport trunk allowed vlan 12,13,14,99</code><br><code>no shutdown</code>
|}

= R2 configuration =

== R2 interface roles ==

{| class="wikitable"
! Interface
! IP / subnet
! Purpose
|-
| Fa0/0
| 172.16.100.254/24
| R2 server segment gateway / interface where ACL 100 is applied
|-
| Serial0/0/0
| 192.168.123.2/30
| R2 ↔ R1
|-
| Serial0/0/1
| 192.168.123.9/30
| R2 ↔ R3
|-
| Loopback0
| 192.168.99.2/32
| Router ID
|}


=== 3. Router-on-a-stick / router interface settings (including the equal-cost load-balancing settings) ===

{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| Router-on-a-stick
| R1 Fa0/0
| Status: done<br>Purpose: trunk parent interface, no IP address<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0</code><br><code>no shutdown</code>
|-
| Router-on-a-stick
| R1 Fa0/0.2
| Status: done<br>VLAN: 12<br>Gateway: 10.1.12.30/28<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0.2</code><br><code>encapsulation dot1Q 12</code><br><code>ip address 10.1.12.30 255.255.255.240</code>
|-
| Router-on-a-stick
| R1 Fa0/0.3
| Status: done<br>VLAN: 13<br>Gateway: 10.1.13.30/29<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0.3</code><br><code>encapsulation dot1Q 13</code><br><code>ip address 10.1.13.30 255.255.255.248</code>
|-
| Router-on-a-stick
| R1 Fa0/0.4
| Status: done<br>VLAN: 14<br>Gateway: 10.1.14.94/27<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0.4</code><br><code>encapsulation dot1Q 14</code><br><code>ip address 10.1.14.94 255.255.255.224</code>
|-
| Router-on-a-stick
| R1 Fa0/0.99
| Status: done<br>VLAN: 99<br>Gateway: 10.1.99.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0.99</code><br><code>encapsulation dot1Q 99</code><br><code>ip address 10.1.99.254 255.255.255.0</code>
|-
| Serial
| R1 Serial0/0/0
| Status: done<br>Link: R1 to R2<br>IP: 192.168.123.1/30<br>Bandwidth: 128K<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>ip address 192.168.123.1 255.255.255.252</code><br><code>bandwidth 128</code><br><code>no shutdown</code>
|-
| Serial
| R1 Serial0/0/1
| Status: done<br>Link: R1 to R3<br>IP: 192.168.123.5/30<br>Bandwidth: 64K<br>Clock rate: 64000<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/1</code><br><code>ip address 192.168.123.5 255.255.255.252</code><br><code>bandwidth 64</code><br><code>clock rate 64000</code><br><code>no shutdown</code>
|-
| Internet
| R1 Serial0/1/1
| Status: done<br>Link: R1 to Internet router<br>IP: 193.16.1.254/30<br>Purpose: NAT outside, VPN peer<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/1/1</code><br><code>ip address 193.16.1.254 255.255.255.252</code><br><code>no shutdown</code>
|-
| Router Interface
| R2 Fa0/0
| Status: done<br>Purpose: server segment gateway<br>IP: 172.16.100.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0</code><br><code>ip address 172.16.100.254 255.255.255.0</code><br><code>no shutdown</code>
|-
| Serial
| R2 Serial0/0/0
| Status: done<br>Link: R2 to R1<br>IP: 192.168.123.2/30<br>Bandwidth: 128K<br>Clock rate: 128000<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>ip address 192.168.123.2 255.255.255.252</code><br><code>bandwidth 128</code><br><code>clock rate 128000</code><br><code>no shutdown</code>
|-
| Serial
| R2 Serial0/0/1
| Status: done<br>Link: R2 to R3<br>IP: 192.168.123.9/30<br>Bandwidth: 128K<br>Clock rate: 128000<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/1</code><br><code>ip address 192.168.123.9 255.255.255.252</code><br><code>bandwidth 128</code><br><code>clock rate 128000</code><br><code>no shutdown</code>
|-
| Router Interface
| R3 Fa0/0
| Status: done<br>Purpose: R3-PC1 gateway<br>IP: 10.3.1.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0</code><br><code>ip address 10.3.1.254 255.255.255.0</code><br><code>no shutdown</code>
|-
| Router Interface
| R3 Fa0/1
| Status: done<br>Purpose: R3-PC2 gateway<br>IP: 10.3.2.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/1</code><br><code>ip address 10.3.2.254 255.255.255.0</code><br><code>no shutdown</code>
|-
| Serial
| R3 Serial0/0/0
| Status: done<br>Link: R3 to R1<br>IP: 192.168.123.6/30<br>Bandwidth: 64K<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>ip address 192.168.123.6 255.255.255.252</code><br><code>bandwidth 64</code><br><code>no shutdown</code>
|-
| Serial
| R3 Serial0/0/1
| Status: done<br>Link: R3 to R2<br>IP: 192.168.123.10/30<br>Bandwidth: 128K<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/1</code><br><code>ip address 192.168.123.10 255.255.255.252</code><br><code>bandwidth 128</code><br><code>no shutdown</code>
|-
| Router Interface
| R6 Fa0/1
| Status: done<br>Purpose: R6-PC5 gateway, PAT inside<br>IP: 10.5.0.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/1</code><br><code>ip address 10.5.0.254 255.255.255.0</code><br><code>no shutdown</code>
|-
| Router Interface
| R6 Fa0/0
| Status: done<br>Purpose: R6-PC6 gateway, VPN protected LAN<br>IP: 10.6.0.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface fa0/0</code><br><code>ip address 10.6.0.254 255.255.255.0</code><br><code>no shutdown</code>
|-
| Internet
| R6 Serial0/0/0
| Status: done<br>Link: R6 to Internet router<br>IP: 193.16.6.254/30<br>Purpose: NAT outside, VPN peer<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>ip address 193.16.6.254 255.255.255.252</code><br><code>no shutdown</code>
|-
| Internet Router
| Internet router interfaces
| Status: done<br>To R1: 193.16.1.253/30<br>To R6: 193.16.6.253/30<br>Internet WWW gateway: 200.200.200.254/24<br>Internet User gateway: 201.201.201.254/24<br><br>Commands entered:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>ip address 193.16.1.253 255.255.255.252</code><br><code>clock rate 64000</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface serial0/0/1</code><br><code>ip address 193.16.6.253 255.255.255.252</code><br><code>clock rate 64000</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/0</code><br><code>ip address 200.200.200.254 255.255.255.0</code><br><code>no shutdown</code><br><code>exit</code><br><code>interface fa0/1</code><br><code>ip address 201.201.201.254 255.255.255.0</code><br><code>no shutdown</code>
|}

== R2 extended ACL 100 ==

ACL goal:

* Control access to R2-Private: 172.16.100.101
* Control access to R2-DMZ: 172.16.100.102
* Applied on: R2 Fa0/0 outbound (toward the server segment)

Two properties of this list shape the test results below. First, it ends with the implicit <code>deny ip any any</code>, so anything not explicitly permitted toward Fa0/0 is dropped: all traffic to R2-Other 172.16.100.103, and traffic from non-10.x sources to 172.16.100.101, never matches a permit. Second, the <code>eq 20</code> entry only matches packets whose destination port on the server is 20, which a real FTP data channel does not produce (in active mode the server opens the data connection from its port 20 toward the client), so the recorded counters show hits only on the <code>eq ftp</code> (21) entry.

<syntaxhighlight lang="text">
conf t

no access-list 100

access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny  ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny  ip  10.0.0.0   0.255.255.255 172.16.100.101 0.0.0.0

access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0

interface fa0/0
ip access-group 100 out

end
wr
</syntaxhighlight>

== R2 ACL verification commands ==

<syntaxhighlight lang="text">
clear access-list counters 100
show access-lists 100
show running-config interface fa0/0
</syntaxhighlight>

== R2 ACL verification results ==

{| class="wikitable"
! Test source
! Destination
! Service tested
! Expected
! Observed
|-
| VLAN12-RD1
| 172.16.100.101
| FTP
| OK
| As expected: FTP login succeeded
|-
| VLAN12-RD1
| 172.16.100.101
| ping
| Not OK
| As expected (blocked): Destination host unreachable
|-
| R3-PC
| 172.16.100.101
| ping
| Not OK
| As expected (blocked): Destination host unreachable
|-
| R3-PC
| 172.16.100.102
| ping
| OK
| As expected: 4/4 replies
|-
| R3-PC
| 172.16.100.102
| HTTP
| OK
| As expected: web page opened
|-
| R3-PC
| 172.16.100.102
| FTP
| Not OK
| As expected (blocked): timed out
|}
== R2 ACL match counts ==
<syntaxhighlight lang="text">
show access-lists 100
</syntaxhighlight>
Observed match counts:
<syntaxhighlight lang="text">
permit tcp 10.1.12.16 0.0.0.15 host 172.16.100.101 eq ftp (11 match(es))
deny ip 10.1.12.16 0.0.0.15 host 172.16.100.101 (4 match(es))
deny ip 10.0.0.0 0.255.255.255 host 172.16.100.101 (101 match(es))
permit tcp any host 172.16.100.102 eq www (5 match(es))
permit icmp any host 172.16.100.102 (4 match(es))
deny ip any host 172.16.100.102 (12 match(es))
</syntaxhighlight>
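The match counts above are only meaningful if you already know which entry each test packet should hit. The block below is an added example, not the lab's own code: a first-match evaluator for extended ACL 100 that reproduces the verification table offline and adds two cases the table does not cover (R2-Other 172.16.100.103, and the Internet User reaching R2-Private), both of which fall through to the implicit deny. The ACEs are copied from the page; the packets in <code>TESTS</code> are constructed here, with R3-PC taken as 10.3.2.10 as the R3 section states. The same <code>wildcard_net</code> conversion applies to the OSPF <code>network</code> statements and to the standard ACL 12 on the R3 vty lines.

```python
# Added example, not part of the lab notes: a first-match evaluator for
# extended ACL 100 so the verification table can be predicted before the
# pings.  The ACEs are copied from the page; the packets in TESTS are
# constructed here.  The same matcher works for the standard ACL 12 used
# on the R3 vty lines (source address only).
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80}


def wildcard_net(addr, wildcard="0.0.0.0"):
    """Cisco address/wildcard -> ip_network.  0.0.0.0 = host, 255.255.255.255 = any.
    ipaddress' own hostmask parsing reads 0.0.0.0 as /0, so convert by hand."""
    wc = int(ipaddress.ip_address(wildcard))
    if (wc + 1) & wc:                       # not of the form 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'
    where <src>/<dst> is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto, i = tok[2], tok[3], 4

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return wildcard_net(tok[i - 1])
        i += 2
        return wildcard_net(tok[i - 2], tok[i - 1])

    src, dst = address(), address()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


ACL_100 = [parse_ace(l) for l in """
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
""".strip().splitlines()]


def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE wins: returns (action, 1-based ACE number).
    Nothing matched -> ('deny', None), the implicit deny ip any any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


# the page's test matrix plus two cases the table does not cover (constructed)
TESTS = [
    ("VLAN12-RD1", "10.1.12.17", "172.16.100.101", "tcp", 21),
    ("VLAN12-RD1", "10.1.12.17", "172.16.100.101", "icmp", None),
    ("R3-PC", "10.3.2.10", "172.16.100.101", "icmp", None),
    ("R3-PC", "10.3.2.10", "172.16.100.102", "icmp", None),
    ("R3-PC", "10.3.2.10", "172.16.100.102", "tcp", 80),
    ("R3-PC", "10.3.2.10", "172.16.100.102", "tcp", 21),
    ("R3-PC", "10.3.2.10", "172.16.100.103", "tcp", 80),            # R2-Other
    ("Internet User", "201.201.201.201", "172.16.100.101", "tcp", 21),
]


def predict_table(acl=ACL_100, tests=TESTS):
    """(source, dst, proto, dport, action, ACE number) for every test packet."""
    return [(who, dst, proto, dport, *evaluate(acl, src, dst, proto, dport))
            for who, src, dst, proto, dport in tests]


if __name__ == "__main__":
    for row in predict_table():
        print(row)
```

The six page cases come out permit/deny exactly as the table records (entries 2, 3, 4, 6, 5 and 7 respectively). The two added cases return <code>("deny", None)</code>: with this list applied outbound, nothing at all reaches 172.16.100.103, which is worth knowing before anyone files a ticket about R2-Other.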


----
----


=== 4. Static Route / Floating Static Route / OSPF settings ===

{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| Static Route
| R1 to 10.3.2.0/24 primary route
| Status: done<br>Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.6<br>AD: 1<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.3.2.0 255.255.255.0 192.168.123.6</code>
|-
| Floating Static Route
| R1 to 10.3.2.0/24 backup route
| Status: done<br>Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.2<br>AD: 2<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.3.2.0 255.255.255.0 192.168.123.2 2</code>
|-
| Static Route
| R2 to 10.3.2.0/24
| Status: done<br>Destination: 10.3.2.0/24<br>Next-hop: 192.168.123.10<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.3.2.0 255.255.255.0 192.168.123.10</code>
|-
| Static Route
| R2 to VLAN14
| Status: done<br>Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.1<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.1.14.64 255.255.255.224 192.168.123.1</code>
|-
| Static Route
| R3 to VLAN14 primary route
| Status: done<br>Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.5<br>AD: 1<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.1.14.64 255.255.255.224 192.168.123.5</code>
|-
| Floating Static Route
| R3 to VLAN14 backup route
| Status: done<br>Destination: 10.1.14.64/27<br>Next-hop: 192.168.123.9<br>AD: 2<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 10.1.14.64 255.255.255.224 192.168.123.9 2</code>
|-
| OSPF
| R1 OSPF
| Status: done<br>Process ID: 1<br>Router ID: 192.168.99.1<br>Method: network statements with subnet wildcards<br><br>Commands entered:<br><code>conf t</code><br><code>interface loopback0</code><br><code>ip address 192.168.99.1 255.255.255.255</code><br><code>exit</code><br><code>router ospf 1</code><br><code>router-id 192.168.99.1</code><br><code>passive-interface default</code><br><code>no passive-interface serial0/0/0</code><br><code>no passive-interface serial0/0/1</code><br><code>network 192.168.123.0 0.0.0.3 area 0</code><br><code>network 192.168.123.4 0.0.0.3 area 0</code><br><code>network 10.1.12.16 0.0.0.15 area 0</code><br><code>network 10.1.13.24 0.0.0.7 area 0</code><br><code>network 10.1.99.0 0.0.0.255 area 0</code><br><code>network 192.168.99.1 0.0.0.0 area 0</code>
|-
| OSPF
| R2 OSPF
| Status: done<br>Process ID: 2<br>Router ID: 192.168.99.2<br>Method: network statements with the interface IPs (0.0.0.0 wildcard)<br><br>Commands entered:<br><code>conf t</code><br><code>interface loopback0</code><br><code>ip address 192.168.99.2 255.255.255.255</code><br><code>exit</code><br><code>router ospf 2</code><br><code>router-id 192.168.99.2</code><br><code>network 192.168.123.2 0.0.0.0 area 0</code><br><code>network 192.168.123.9 0.0.0.0 area 0</code><br><code>network 172.16.100.254 0.0.0.0 area 2</code><br><code>network 192.168.99.2 0.0.0.0 area 2</code><br><code>passive-interface fa0/0</code>
|-
| OSPF
| R3 OSPF
| Status: done<br>Process ID: 3<br>Router ID: 192.168.99.3<br>Method: OSPF enabled per interface (<code>ip ospf 3 area ...</code>)<br><br>Commands entered:<br><code>conf t</code><br><code>interface loopback0</code><br><code>ip address 192.168.99.3 255.255.255.255</code><br><code>ip ospf 3 area 3</code><br><code>exit</code><br><code>interface fa0/0</code><br><code>ip ospf 3 area 3</code><br><code>exit</code><br><code>interface serial0/0/0</code><br><code>ip ospf 3 area 0</code><br><code>exit</code><br><code>interface serial0/0/1</code><br><code>ip ospf 3 area 0</code><br><code>exit</code><br><code>router ospf 3</code><br><code>router-id 192.168.99.3</code><br><code>passive-interface fa0/0</code>
|}

Note: the per-device R3 section earlier on this page puts Fa0/0 in area 0 (<code>ip ospf 3 area 0</code>), while this table puts it in area 3; R3 is an ABR either way because Loopback0 is in area 3, but the two records disagree and <code>show ip ospf interface fa0/0</code> is the way to see which one is actually running.

= R3 configuration =

== R3 interface roles ==

{| class="wikitable"
! Interface
! IP / subnet
! Purpose
|-
| Fa0/0
| 10.3.1.254/24
| R3-PC1 gateway (10.3.1.0/24)
|-
| Fa0/1
| 10.3.2.254/24
| R3 second internal network, R3-PC2 gateway (the "R3-PC" of the ACL tests, 10.3.2.10)
|-
| Serial0/0/0
| 192.168.123.6/30
| R3 ↔ R1
|-
| Serial0/0/1
| 192.168.123.10/30
| R3 ↔ R2
|-
| Loopback0
| 192.168.99.3/32
| Router ID
|}
 
== R3 in this stage ==
 
In this stage R3 mainly serves as:
 
* one of the ACL test sources
* the remote LAN behind the VPN
* R3-PC1: 10.3.1.10
* R3-PC (R3-PC2): 10.3.2.10
 
R3 itself gets no major new configuration in the final NAT / ACL / VPN stage; the point is to confirm that routing and OSPF still work.
 
== R3 verification commands ==
 
<syntaxhighlight lang="text">
show ip route
show ip route 0.0.0.0
show ip ospf neighbor
ping 172.16.100.101
ping 172.16.100.102
</syntaxhighlight>
 
== R3 verification results ==
 
<syntaxhighlight lang="text">
R3-PC ping 172.16.100.101 → Not OK
R3-PC ping 172.16.100.102 → OK
R3-PC http 172.16.100.102 → OK
R3-PC ftp 172.16.100.102 → Not OK
</syntaxhighlight>
 
----
 
=== 4. Static Route / Floating Static Route / OSPF settings (continued) ===

{| class="wikitable" style="width:100%;"
! style="width:12%;" | Stage
! style="width:18%;" | Device / item
! Configuration and commands entered
|-
| OSPF Cost
| Serial bandwidth
| Status: done<br>R1-R2: 128K<br>R2-R3: 128K<br>R1-R3: 64K<br><br>R1 commands:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>bandwidth 128</code><br><code>exit</code><br><code>interface serial0/0/1</code><br><code>bandwidth 64</code><br><br>R2 commands:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>bandwidth 128</code><br><code>exit</code><br><code>interface serial0/0/1</code><br><code>bandwidth 128</code><br><br>R3 commands:<br><code>conf t</code><br><code>interface serial0/0/0</code><br><code>bandwidth 64</code><br><code>exit</code><br><code>interface serial0/0/1</code><br><code>bandwidth 128</code>
|-
| Default Route
| R1 default route
| Status: done<br>Default route: 0.0.0.0/0<br>Next-hop: 193.16.1.253<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 0.0.0.0 0.0.0.0 193.16.1.253</code>
|-
| OSPF Default
| R1 originates the default route
| Status: done<br>Goal: R2 / R3 learn O*E2 0.0.0.0/0<br><br>Commands entered:<br><code>conf t</code><br><code>router ospf 1</code><br><code>default-information originate</code>
|-
| Default Route
| R6 default route
| Status: done<br>Default route: 0.0.0.0/0<br>Next-hop: 193.16.6.253<br><br>Commands entered:<br><code>conf t</code><br><code>ip route 0.0.0.0 0.0.0.0 193.16.6.253</code>
|}

= R6 configuration =

== R6 interface roles ==

{| class="wikitable"
! Interface
! IP / subnet
! Purpose
|-
| Fa0/1
| 10.5.0.254/24
| R6-PC5 gateway / NAT inside
|-
| Fa0/0
| 10.6.0.254/24
| R6-PC6 gateway / VPN protected LAN
|-
| Serial0/0/0
| 193.16.6.254/30
| R6 ↔ Internet / NAT outside / VPN peer
|-
| Loopback0
| 192.168.99.6/32
| Router ID
|}
== R6 Default Route ==
<syntaxhighlight lang="text">
conf t
ip route 0.0.0.0 0.0.0.0 193.16.6.253
end
wr
</syntaxhighlight>
== R6 PAT settings ==
PAT goal:
* R6-PC5: 10.5.0.10
* reaches the Internet through R6 Serial0/0/0's public address 193.16.6.254 with overload
<syntaxhighlight lang="text">
conf t
access-list 5 permit 10.5.0.0 0.0.0.255
interface fastEthernet0/1
ip nat inside
interface serial0/0/0
ip nat outside
ip nat inside source list 5 interface serial0/0/0 overload
end
wr
</syntaxhighlight>
== R6 IPSec VPN settings ==
VPN goal:
* R6-PC6: 10.6.0.10
* R3-PC1: 10.3.1.10
* R6's peer (R1 public address): 193.16.1.254
* PSK: SeCrEt
* Phase 1: 3DES / SHA / Group 2
* Phase 2: ESP / AES / MD5
<syntaxhighlight lang="text">
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.1.254
crypto ipsec transform-set ts61 esp-aes esp-md5-hmac
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255
crypto map map61 10 ipsec-isakmp
set peer 193.16.1.254
set transform-set ts61
match address 110
exit
interface serial0/0/0
crypto map map61
end
wr
</syntaxhighlight>
== Crypto map re-apply command used while troubleshooting the R6 VPN ==
If Phase 1 / Phase 2 do not renegotiate properly, remove and re-apply the crypto map:
<syntaxhighlight lang="text">
conf t
interface serial0/0/0
no crypto map map61
crypto map map61
end
wr
</syntaxhighlight>
== R6 verification commands ==
<syntaxhighlight lang="text">
show ip route
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa
show access-lists 110
</syntaxhighlight>
== R6 VPN verification results ==
<syntaxhighlight lang="text">
R6-PC6 ping 10.3.1.10 → OK
show crypto isakmp sa:
QM_IDLE / ACTIVE
show crypto ipsec sa:
#pkts encaps: 7
#pkts encrypt: 7
#pkts decaps: 6
#pkts decrypt: 6
inbound esp sas: ACTIVE
outbound esp sas: ACTIVE
</syntaxhighlight>
----
= Internet Router configuration =
== Internet Router key settings ==
The Internet Router is responsible for:
* the link to R1's public side: 193.16.1.253/30
* the link to R6's public side: 193.16.6.253/30
* the Internet WWW segment: 200.200.200.254/24
* the Internet User segment: 201.201.201.254/24
* the return route for the NAT public IP pool: 171.69.233.208/28
== Internet Router return route for the public IP pool ==
Public address range used by dynamic NAT and static NAT:
* 171.69.233.209 ~ 171.69.233.222
* summarised as 171.69.233.208/28
<syntaxhighlight lang="text">
conf t
ip route 171.69.233.208 255.255.255.240 193.16.1.254
end
wr
</syntaxhighlight>
== Internet Router notes ==
* The Internet Router must not carry static routes towards the enterprise's private addresses.
* No routes towards 10.0.0.0/8, 172.16.100.0/24, 192.168.123.0/30 or any other internal private segment should appear on it.
* The Internet Router only needs to know how to reach the NAT public IP pool 171.69.233.208/28.
== Internet Router verification commands ==
<syntaxhighlight lang="text">
show ip route
show running-config | include 171.69.233.208
ping 193.16.1.254
ping 193.16.6.254
</syntaxhighlight>


----

= Endpoint test records =

== VLAN12-RD1 tests ==

<syntaxhighlight lang="text">
ping 200.200.200.200
ftp 172.16.100.101
ping 172.16.100.101
</syntaxhighlight>

Results:

<syntaxhighlight lang="text">
ping 200.200.200.200 → OK
ftp 172.16.100.101 → OK
ping 172.16.100.101 → Not OK
</syntaxhighlight>

== R3-PC tests ==

<syntaxhighlight lang="text">
ping 172.16.100.101
ping 172.16.100.102
ftp 172.16.100.102
</syntaxhighlight>

Results:

<syntaxhighlight lang="text">
ping 172.16.100.101 → Not OK
ping 172.16.100.102 → OK
http 172.16.100.102 → OK
ftp 172.16.100.102 → Not OK
</syntaxhighlight>

== R6-PC6 VPN test ==

<syntaxhighlight lang="text">
ping 10.3.1.10
</syntaxhighlight>

Results:

<syntaxhighlight lang="text">
ping 10.3.1.10 → OK
Sent = 4, Received = 4, Lost = 0
</syntaxhighlight>

----

= Final summary =

{| class="wikitable"
! Item
! Status
|-
| VLAN12 PAT
| Done
|-
| R6-PC5 PAT
| Done
|-
| VLAN13 Dynamic NAT
| Done
|-
| R2-DMZ Static NAT
| Done
|-
| Internet Router return route for the public IP pool
| Done
|-
| R1 ↔ R6 IPSec VPN Phase 1
| Done, QM_IDLE / ACTIVE
|-
| R1 ↔ R6 IPSec VPN Phase 2
| Done, encaps / decaps counters increasing
|-
| R2 Extended ACL 100
| Done
|-
| ACL permit test
| Done
|-
| ACL deny test
| Done
|}

Final verdict for this lab:

'''The 2026-0608 ACL / NAT / PAT / VPN lab is complete.'''

Latest revision as of 00:58, 8 June 2026 (Monday)

== Full configuration table ==

* Client IP / Gateway
* Switch VLAN
* Access Port
* Trunk
* Router-on-a-stick
* Router Interface
* Static / Floating Static Route
* OSPF
* Default Route
* NAT / PAT
* Static NAT
* IPSec VPN
* ACL
* Final verification

=== 1. Endpoint IP / gateway settings ===

Stage | Device / Item | Settings and commands entered
Client IP | S1 management IP | Status: done
VLAN: 99
IP: 10.1.99.101
Mask: 255.255.255.0
Gateway: 10.1.99.254

Commands entered:
conf t
interface vlan 99
ip address 10.1.99.101 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254

Client IP | S2 management IP | Status: done
VLAN: 99
IP: 10.1.99.102
Mask: 255.255.255.0
Gateway: 10.1.99.254

Commands entered:
conf t
interface vlan 99
ip address 10.1.99.102 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254

Client IP | Mgmt Server | Status: done
IP: 10.1.99.100
Mask: 255.255.255.0
Gateway: 10.1.99.254

Set at: Desktop → IP Configuration
IP Address: 10.1.99.100
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.99.254
Client IP | VLAN12-RD1 | Status: done
Department: RD
VLAN: 12
IP: 10.1.12.17
Mask: 255.255.255.240
Gateway: 10.1.12.30
Connected to: S1 Fa0/11

Set at: Desktop → IP Configuration
IP Address: 10.1.12.17
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
Client IP | VLAN12-RD2 | Status: done
Department: RD
VLAN: 12
IP: 10.1.12.18
Mask: 255.255.255.240
Gateway: 10.1.12.30
Connected to: S2 Fa0/11

Set at: Desktop → IP Configuration
IP Address: 10.1.12.18
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
Client IP | VLAN13-Sales1 | Status: done
Department: Sales
VLAN: 13
IP: 10.1.13.25
Mask: 255.255.255.248
Gateway: 10.1.13.30
Connected to: S1 Fa0/15

Set at: Desktop → IP Configuration
IP Address: 10.1.13.25
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
Client IP | VLAN13-Sales2 | Status: done
Department: Sales
VLAN: 13
IP: 10.1.13.26
Mask: 255.255.255.248
Gateway: 10.1.13.30
Connected to: S2 Fa0/15

Set at: Desktop → IP Configuration
IP Address: 10.1.13.26
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
Client IP | VLAN14-IT | Status: done
Department: IT
VLAN: 14
IP: 10.1.14.65
Mask: 255.255.255.224
Gateway: 10.1.14.94
Connected to: S2 Fa0/19

Set at: Desktop → IP Configuration
IP Address: 10.1.14.65
Subnet Mask: 255.255.255.224
Default Gateway: 10.1.14.94
Client IP | R2-Private | Status: done
Role: Private Server
IP: 172.16.100.101
Mask: 255.255.255.0
Gateway: 172.16.100.254

Set at: Desktop → IP Configuration
IP Address: 172.16.100.101
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP | R2-DMZ | Status: done
Role: DMZ Server
IP: 172.16.100.102
Mask: 255.255.255.0
Gateway: 172.16.100.254
Static NAT mapping: 171.69.233.209

Set at: Desktop → IP Configuration
IP Address: 172.16.100.102
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP | R2-Other | Status: done
Role: Other Server
IP: 172.16.100.103
Mask: 255.255.255.0
Gateway: 172.16.100.254

Set at: Desktop → IP Configuration
IP Address: 172.16.100.103
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP | R3-PC1 | Status: done
IP: 10.3.1.10
Mask: 255.255.255.0
Gateway: 10.3.1.254
Purpose: IPSec VPN remote endpoint

Set at: Desktop → IP Configuration
IP Address: 10.3.1.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.254
Client IP | R3-PC2 | Status: done
IP: 10.3.2.10
Mask: 255.255.255.0
Gateway: 10.3.2.254
Purpose: static / floating static route test

Set at: Desktop → IP Configuration
IP Address: 10.3.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.2.254
Client IP | R6-PC5 | Status: done
IP: 10.5.0.10
Mask: 255.255.255.0
Gateway: 10.5.0.254
Purpose: R6 PAT test

Set at: Desktop → IP Configuration
IP Address: 10.5.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.5.0.254
Client IP | R6-PC6 | Status: done
IP: 10.6.0.10
Mask: 255.255.255.0
Gateway: 10.6.0.254
Purpose: IPSec VPN local source

Set at: Desktop → IP Configuration
IP Address: 10.6.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.6.0.254
Client IP | Internet WWW | Status: done
IP: 200.200.200.200
Mask: 255.255.255.0
Gateway: 200.200.200.254
Purpose: NAT / PAT outbound test

Set at: Desktop → IP Configuration
IP Address: 200.200.200.200
Subnet Mask: 255.255.255.0
Default Gateway: 200.200.200.254
Client IP | Internet User | Status: done
IP: 201.201.201.201
Mask: 255.255.255.0
Gateway: 201.201.201.254
Purpose: static NAT external test

Set at: Desktop → IP Configuration
IP Address: 201.201.201.201
Subnet Mask: 255.255.255.0
Default Gateway: 201.201.201.254

=== 2. Switch VLAN / access port / trunk settings ===

Stage | Device / Item | Settings and commands entered
VLAN | S1 create VLANs | Status: done
VLAN12: RD
VLAN13: sales
VLAN14: IT
VLAN99: MGMT

Commands entered:
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT

VLAN | S2 create VLANs | Status: done
VLAN12: RD
VLAN13: sales
VLAN14: IT
VLAN99: MGMT

Commands entered:
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT

Access Port | S1 access ports | Status: done
Fa0/11: VLAN12
Fa0/15: VLAN13
Fa0/21: VLAN99

Commands entered:
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/21
switchport mode access
switchport access vlan 99
no shutdown

Access Port | S2 access ports | Status: done
Fa0/11: VLAN12
Fa0/15: VLAN13
Fa0/19: VLAN14

Commands entered:
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/19
switchport mode access
switchport access vlan 14
no shutdown

Trunk | S1 to S2 | Status: done
Trunk ports: Fa0/23 - 24
Allowed VLANs: 12,13,14,99

Commands entered:
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown

Trunk | S2 to S1 | Status: done
Trunk ports: Fa0/23 - 24
Allowed VLANs: 12,13,14,99

Commands entered:
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown

Trunk | S1 to R1 | Status: done
S1 Fa0/5 connects to R1 Fa0/0
Allowed VLANs: 12,13,14,99

Commands entered:
conf t
interface fa0/5
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown


=== 3. Router-on-a-stick / router interface settings (including equal-cost load balancing) ===

Stage | Device / Item | Settings and commands entered
Router-on-a-stick | R1 Fa0/0 | Status: done
Purpose: trunk parent interface, no IP address

Commands entered:
conf t
interface fa0/0
no shutdown

Router-on-a-stick | R1 Fa0/0.2 | Status: done
VLAN: 12
Gateway: 10.1.12.30/28

Commands entered:
conf t
interface fa0/0.2
encapsulation dot1Q 12
ip address 10.1.12.30 255.255.255.240

Router-on-a-stick | R1 Fa0/0.3 | Status: done
VLAN: 13
Gateway: 10.1.13.30/29

Commands entered:
conf t
interface fa0/0.3
encapsulation dot1Q 13
ip address 10.1.13.30 255.255.255.248

Router-on-a-stick | R1 Fa0/0.4 | Status: done
VLAN: 14
Gateway: 10.1.14.94/27

Commands entered:
conf t
interface fa0/0.4
encapsulation dot1Q 14
ip address 10.1.14.94 255.255.255.224

Router-on-a-stick | R1 Fa0/0.99 | Status: done
VLAN: 99
Gateway: 10.1.99.254/24

Commands entered:
conf t
interface fa0/0.99
encapsulation dot1Q 99
ip address 10.1.99.254 255.255.255.0

Serial | R1 Serial0/0/0 | Status: done
Link: R1 to R2
IP: 192.168.123.1/30
Bandwidth: 128K

Commands entered:
conf t
interface serial0/0/0
ip address 192.168.123.1 255.255.255.252
bandwidth 128
no shutdown

Serial | R1 Serial0/0/1 | Status: done
Link: R1 to R3
IP: 192.168.123.5/30
Bandwidth: 64K
Clock rate: 64000

Commands entered:
conf t
interface serial0/0/1
ip address 192.168.123.5 255.255.255.252
bandwidth 64
clock rate 64000
no shutdown

Internet | R1 Serial0/1/1 | Status: done
Link: R1 to Internet Router
IP: 193.16.1.254/30
Purpose: NAT outside, VPN peer

Commands entered:
conf t
interface serial0/1/1
ip address 193.16.1.254 255.255.255.252
no shutdown

Router Interface | R2 Fa0/0 | Status: done
Purpose: server segment gateway
IP: 172.16.100.254/24

Commands entered:
conf t
interface fa0/0
ip address 172.16.100.254 255.255.255.0
no shutdown

Serial | R2 Serial0/0/0 | Status: done
Link: R2 to R1
IP: 192.168.123.2/30
Bandwidth: 128K
Clock rate: 128000

Commands entered:
conf t
interface serial0/0/0
ip address 192.168.123.2 255.255.255.252
bandwidth 128
clock rate 128000
no shutdown

Serial | R2 Serial0/0/1 | Status: done
Link: R2 to R3
IP: 192.168.123.9/30
Bandwidth: 128K
Clock rate: 128000

Commands entered:
conf t
interface serial0/0/1
ip address 192.168.123.9 255.255.255.252
bandwidth 128
clock rate 128000
no shutdown

Router Interface | R3 Fa0/0 | Status: done
Purpose: R3-PC1 gateway
IP: 10.3.1.254/24

Commands entered:
conf t
interface fa0/0
ip address 10.3.1.254 255.255.255.0
no shutdown

Router Interface | R3 Fa0/1 | Status: done
Purpose: R3-PC2 gateway
IP: 10.3.2.254/24

Commands entered:
conf t
interface fa0/1
ip address 10.3.2.254 255.255.255.0
no shutdown

Serial | R3 Serial0/0/0 | Status: done
Link: R3 to R1
IP: 192.168.123.6/30
Bandwidth: 64K

Commands entered:
conf t
interface serial0/0/0
ip address 192.168.123.6 255.255.255.252
bandwidth 64
no shutdown

Serial | R3 Serial0/0/1 | Status: done
Link: R3 to R2
IP: 192.168.123.10/30
Bandwidth: 128K

Commands entered:
conf t
interface serial0/0/1
ip address 192.168.123.10 255.255.255.252
bandwidth 128
no shutdown

Router Interface | R6 Fa0/1 | Status: done
Purpose: R6-PC5 gateway, PAT inside
IP: 10.5.0.254/24

Commands entered:
conf t
interface fa0/1
ip address 10.5.0.254 255.255.255.0
no shutdown

Router Interface | R6 Fa0/0 | Status: done
Purpose: R6-PC6 gateway, VPN protected LAN
IP: 10.6.0.254/24

Commands entered:
conf t
interface fa0/0
ip address 10.6.0.254 255.255.255.0
no shutdown

Internet | R6 Serial0/0/0 | Status: done
Link: R6 to Internet Router
IP: 193.16.6.254/30
Purpose: NAT outside, VPN peer

Commands entered:
conf t
interface serial0/0/0
ip address 193.16.6.254 255.255.255.252
no shutdown

Internet Router | Internet Router interfaces | Status: done
To R1: 193.16.1.253/30
To R6: 193.16.6.253/30
Internet WWW gateway: 200.200.200.254/24
Internet User gateway: 201.201.201.254/24

Commands entered:
conf t
interface serial0/0/0
ip address 193.16.1.253 255.255.255.252
clock rate 64000
no shutdown
exit
interface serial0/0/1
ip address 193.16.6.253 255.255.255.252
clock rate 64000
no shutdown
exit
interface fa0/0
ip address 200.200.200.254 255.255.255.0
no shutdown
exit
interface fa0/1
ip address 201.201.201.254 255.255.255.0
no shutdown


=== 4. Static route / floating static route / OSPF settings ===

Stage | Device / Item | Settings and commands entered
Static Route | R1 to 10.3.2.0/24, primary route | Status: done
Destination: 10.3.2.0/24
Next-hop: 192.168.123.6
AD: 1

Commands entered:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.6

Floating Static Route | R1 to 10.3.2.0/24, backup route | Status: done
Destination: 10.3.2.0/24
Next-hop: 192.168.123.2
AD: 2

Commands entered:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.2 2

Static Route | R2 to 10.3.2.0/24 | Status: done
Destination: 10.3.2.0/24
Next-hop: 192.168.123.10

Commands entered:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.10

Static Route | R2 to VLAN14 | Status: done
Destination: 10.1.14.64/27
Next-hop: 192.168.123.1

Commands entered:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.1

Static Route | R3 to VLAN14, primary route | Status: done
Destination: 10.1.14.64/27
Next-hop: 192.168.123.5
AD: 1

Commands entered:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.5

Floating Static Route | R3 to VLAN14, backup route | Status: done
Destination: 10.1.14.64/27
Next-hop: 192.168.123.9
AD: 2

Commands entered:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.9 2

OSPF | R1 OSPF | Status: done
Process ID: 1
Router ID: 192.168.99.1
Method: network statements with subnet wildcards

Commands entered:
conf t
interface loopback0
ip address 192.168.99.1 255.255.255.255
exit
router ospf 1
router-id 192.168.99.1
passive-interface default
no passive-interface serial0/0/0
no passive-interface serial0/0/1
network 192.168.123.0 0.0.0.3 area 0
network 192.168.123.4 0.0.0.3 area 0
network 10.1.12.16 0.0.0.15 area 0
network 10.1.13.24 0.0.0.7 area 0
network 10.1.99.0 0.0.0.255 area 0
network 192.168.99.1 0.0.0.0 area 0

OSPF | R2 OSPF | Status: done
Process ID: 2
Router ID: 192.168.99.2
Method: network statements with the exact interface address (0.0.0.0 wildcard)

Commands entered:
conf t
interface loopback0
ip address 192.168.99.2 255.255.255.255
exit
router ospf 2
router-id 192.168.99.2
network 192.168.123.2 0.0.0.0 area 0
network 192.168.123.9 0.0.0.0 area 0
network 172.16.100.254 0.0.0.0 area 2
network 192.168.99.2 0.0.0.0 area 2
passive-interface fa0/0

OSPF | R3 OSPF | Status: done
Process ID: 3
Router ID: 192.168.99.3
Method: OSPF enabled per interface (ip ospf ... area)

Commands entered:
conf t
interface loopback0
ip address 192.168.99.3 255.255.255.255
ip ospf 3 area 3
exit
interface fa0/0
ip ospf 3 area 3
exit
interface serial0/0/0
ip ospf 3 area 0
exit
interface serial0/0/1
ip ospf 3 area 0
exit
router ospf 3
router-id 192.168.99.3
passive-interface fa0/0

OSPF Cost | Serial bandwidth | Status: done
R1-R2: 128K
R2-R3: 128K
R1-R3: 64K

R1 commands entered:
conf t
interface serial0/0/0
bandwidth 128
exit
interface serial0/0/1
bandwidth 64



R2 commands entered:
conf t
interface serial0/0/0
bandwidth 128
exit
interface serial0/0/1
bandwidth 128



R3 commands entered:
conf t
interface serial0/0/0
bandwidth 64
exit
interface serial0/0/1
bandwidth 128

Default Route | R1 default route | Status: done
Default route: 0.0.0.0/0
Next-hop: 193.16.1.253

Commands entered:
conf t
ip route 0.0.0.0 0.0.0.0 193.16.1.253

OSPF Default | R1 advertises the default route | Status: done
Goal: R2 / R3 learn 0.0.0.0/0 as O*E2

Commands entered:
conf t
router ospf 1
default-information originate

Default Route | R6 default route | Status: done
Default route: 0.0.0.0/0
Next-hop: 193.16.6.253

Commands entered:
conf t
ip route 0.0.0.0 0.0.0.0 193.16.6.253
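The equal-cost load balancing named in the section 3 heading follows directly from the `bandwidth` values above: with the IOS default reference bandwidth of 100 Mbit/s a 128 kbit/s link costs 781 and a 64 kbit/s link 1562, so R1 reaches R3 at cost 1562 both directly and via R2. The script below is an added example, not part of the lab and not IOS code: it recomputes those costs, runs Dijkstra over the page's three serial links while keeping every equal-cost path (what OSPF installs as ECMP next hops), and models how R1's AD 1 / AD 2 static routes to 10.3.2.0/24 from this section fail over when the R1-R3 link goes down. The link list and route entries are constructed from the page; the node name "10.3.1.0/24" is only a label for R3's Fa0/0 LAN.

```python
import heapq

REF_BW_KBPS = 100_000  # IOS default OSPF reference bandwidth (100 Mbit/s)


def ospf_cost(bandwidth_kbps: int) -> int:
    """IOS interface cost: reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, REF_BW_KBPS // bandwidth_kbps)


# Constructed from the page's `bandwidth` values: (endpoint, endpoint, kbit/s), undirected.
# "10.3.1.0/24" stands for R3's Fa0/0 LAN (FastEthernet, cost 1), advertised in area 3.
LINKS = [
    ("R1", "R2", 128),
    ("R2", "R3", 128),
    ("R1", "R3", 64),
    ("R3", "10.3.1.0/24", 100_000),
]


def build_graph(links, down=()):
    """Adjacency list with OSPF costs; `down` lists (a, b) links to omit (a failed serial)."""
    failed = {frozenset(d) for d in down}
    graph = {}
    for a, b, bw in links:
        if frozenset((a, b)) in failed:
            continue
        graph.setdefault(a, []).append((b, ospf_cost(bw)))
        graph.setdefault(b, []).append((a, ospf_cost(bw)))
    return graph


def shortest_paths(graph, src, dst):
    """Dijkstra that keeps every equal-cost path to dst.
    Returns (cost, list of paths); (None, []) when dst is unreachable."""
    best = {src: 0}
    paths = {src: [[src]]}
    heap = [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if dist > best[node]:
            continue  # stale heap entry
        for nxt, cost in graph.get(node, []):
            cand = dist + cost
            if cand < best.get(nxt, float("inf")):
                best[nxt] = cand
                paths[nxt] = [p + [nxt] for p in paths[node]]
                heapq.heappush(heap, (cand, nxt))
            elif cand == best[nxt]:
                # same cost through another neighbour: OSPF keeps both (ECMP)
                paths[nxt].extend(p + [nxt] for p in paths[node])
    return best.get(dst), paths.get(dst, [])


def select_route(candidates):
    """IOS picks the lowest administrative distance, then the lowest metric. A static route
    whose next hop became unreachable (serial down) is withdrawn, which is what lets the
    floating static route (higher AD) take over."""
    usable = [c for c in candidates if c["next_hop_reachable"]]
    return min(usable, key=lambda c: (c["ad"], c["metric"]), default=None)


def r1_next_hop_to_10_3_2_0(r1_r3_link_up: bool) -> str:
    """R1's two static routes to 10.3.2.0/24 from section 4: AD 1 via R3, AD 2 via R2."""
    candidates = [
        {"next_hop": "192.168.123.6", "ad": 1, "metric": 0, "next_hop_reachable": r1_r3_link_up},
        {"next_hop": "192.168.123.2", "ad": 2, "metric": 0, "next_hop_reachable": True},
    ]
    return select_route(candidates)["next_hop"]


if __name__ == "__main__":
    for bw in (128, 64):
        print(f"bandwidth {bw} kbit/s -> OSPF cost {ospf_cost(bw)}")
    cost, paths = shortest_paths(build_graph(LINKS), "R1", "10.3.1.0/24")
    print(f"R1 -> 10.3.1.0/24: cost {cost}, equal-cost paths {paths}")
    cost, paths = shortest_paths(build_graph(LINKS, down=[("R1", "R3")]), "R1", "10.3.1.0/24")
    print(f"with R1-R3 down: cost {cost}, paths {paths}")
    print("R1 next hop to 10.3.2.0/24:", r1_next_hop_to_10_3_2_0(True),
          "/ with R1-R3 down:", r1_next_hop_to_10_3_2_0(False))
```

Because both paths to R3 cost 1562, R1 also sees 10.3.1.0/24 at cost 1563 through two next hops; removing the R1-R3 link leaves only the R2 path at the same cost, while 10.3.2.0/24 (not in OSPF on this page) switches from the AD 1 static route to the AD 2 floating one.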


=== 5. NAT / PAT / static NAT settings ===

Stage | Device / Item | Settings and commands entered
PAT | R1 VLAN12 PAT | Status: done
Inside: Fa0/0.2
Outside: Serial0/1/1
ACL: 10
Source: 10.1.12.16/28

Commands entered:
conf t
interface fa0/0.2
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
access-list 10 permit 10.1.12.16 0.0.0.15
ip nat inside source list 10 interface serial0/1/1 overload

PAT | R6-PC5 PAT | Status: done
Inside: Fa0/1
Outside: Serial0/0/0
ACL: 10
Source: 10.5.0.0/24

Commands entered:
conf t
interface fa0/1
ip nat inside
exit
interface serial0/0/0
ip nat outside
exit
access-list 10 permit 10.5.0.0 0.0.0.255
ip nat inside source list 10 interface serial0/0/0 overload

Dynamic NAT | R1 VLAN13 dynamic NAT | Status: done
Inside: Fa0/0.3
Outside: Serial0/1/1
ACL: 20
Pool: 171.69.233.210 - 171.69.233.222

Commands entered:
conf t
interface fa0/0.3
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no access-list 20
no ip nat inside source list 20 pool netpool
no ip nat pool netpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
access-list 20 permit 10.1.13.24 0.0.0.7
ip nat pool natpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 20 pool natpool

NAT Return Route | Internet Router | Status: done
Goal: return route for the NAT public IP pool
Public pool: 171.69.233.208/28
Next-hop: 193.16.1.254

Commands entered:
conf t
ip route 171.69.233.208 255.255.255.240 193.16.1.254

Static NAT | R1 R2-DMZ static NAT | Status: done
Inside local: 172.16.100.102
Inside global: 171.69.233.209

Commands entered:
conf t
interface serial0/0/0
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no ip nat inside source static 172.16.100.103 171.69.233.209
ip nat inside source static 172.16.100.102 171.69.233.209
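How R1's three `ip nat inside source` rules above treat an individual packet is easiest to see in a small model. The following Python is an added example, not IOS code or output: it reproduces the order in which IOS consults the rules (static entries first, then the dynamic ones), the address and port a packet leaves Serial0/1/1 with, and what can be mapped back on the way in. Addresses are the page's; the sequential port allocation for overload is a simplification (IOS keeps the original source port unless it collides), and the R6 PAT from the R6 section behaves the same way with 193.16.6.254. Note that the static address .209 and the pool .210-.222 all lie inside 171.69.233.208/28, which is why the Internet Router needs only the single return route in this section, while the PAT address 193.16.1.254 is directly connected and needs none.

```python
import ipaddress


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


class R1Nat:
    """Toy model of R1's NAT rules from section 5 (static NAT, dynamic pool, PAT overload).
    Only the bookkeeping is modelled: which rule a packet hits, what it leaves with, and how a
    reply is mapped back. Timeouts are ignored."""

    def __init__(self):
        self.static = {"172.16.100.102": "171.69.233.209"}   # R2-DMZ, bidirectional
        self.pool_acl = ["10.1.13.24/29"]                       # ACL 20 -> natpool
        self.pool_free = [f"171.69.233.{n}" for n in range(210, 223)]
        self.pool_used = {}                                     # inside local -> inside global
        self.pat_acl = ["10.1.12.16/28"]                        # ACL 10 -> overload
        self.pat_global = "193.16.1.254"                        # Serial0/1/1 address
        self.pat_next_port = 1024                               # simplification, see lead-in
        self.pat = {}                                           # (local ip, local port) -> global port
        self.pat_rev = {}                                       # global port -> (local ip, local port)

    def inside_to_outside(self, src_ip: str, src_port: int):
        """Translation for a packet going from an `ip nat inside` interface to the `ip nat
        outside` one. Returns (inside global ip, port), or None if it leaves untranslated."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if in_any(src_ip, self.pool_acl):
            if src_ip not in self.pool_used:
                if not self.pool_free:
                    raise RuntimeError("natpool exhausted: IOS drops the packet")
                self.pool_used[src_ip] = self.pool_free.pop(0)
            return self.pool_used[src_ip], src_port
        if in_any(src_ip, self.pat_acl):
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = self.pat_next_port
                self.pat_rev[self.pat_next_port] = key
                self.pat_next_port += 1
            return self.pat_global, self.pat[key]
        # No rule matches: forwarded with its real source. VPN traffic from 10.3.1.0/24 also
        # arrives on Serial0/0/1, which is not `ip nat inside`, so NAT is not consulted at all.
        return None

    def outside_to_inside(self, dst_ip: str, dst_port: int):
        """Reverse lookup for a packet arriving on the outside interface.
        Returns (inside local ip, port) or None when no translation exists."""
        for local, glob in self.static.items():
            if glob == dst_ip:
                return local, dst_port     # static: also works for unsolicited inbound connections
        for local, glob in self.pool_used.items():
            if glob == dst_ip:
                return local, dst_port     # dynamic: only while the entry exists
        if dst_ip == self.pat_global and dst_port in self.pat_rev:
            return self.pat_rev[dst_port]  # overload: needs the port from an earlier outbound packet
        return None                        # unsolicited: nothing to map it to


if __name__ == "__main__":
    nat = R1Nat()
    print("VLAN12-RD1 -> Internet WWW:", nat.inside_to_outside("10.1.12.17", 49152))
    print("VLAN13-Sales1 -> Internet WWW:", nat.inside_to_outside("10.1.13.25", 49153))
    print("R2-DMZ -> Internet:", nat.inside_to_outside("172.16.100.102", 80))
    print("Internet User -> 171.69.233.209:80:", nat.outside_to_inside("171.69.233.209", 80))
    print("Internet User -> 193.16.1.254:80 (unsolicited):", nat.outside_to_inside("193.16.1.254", 80))
    print("R3-PC1 -> R6-PC6 (VPN traffic):", nat.inside_to_outside("10.3.1.10", 1))
```

The last two calls are the security-relevant ones: only the static entry lets the Internet User open a connection inwards (to the DMZ server and nothing else), and the VPN source 10.3.1.0/24 is left untranslated so it still matches crypto ACL 110 in section 6.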


=== 6. IPSec VPN settings ===

Stage | Device / Item | Settings and commands entered
VPN Phase 1 | R1 IKE policy | Status: done
Peer: 193.16.6.254
PSK: SeCrEt
Encryption: 3DES
Hash: SHA
DH Group: 2
Lifetime: 86400

Commands entered:
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.6.254

VPN Phase 2 | R1 crypto map | Status: done
Transform-set: ts16
Crypto ACL: 110
Local: 10.3.1.0/24
Remote: 10.6.0.0/24
Peer: 193.16.6.254

Commands entered:
conf t
crypto ipsec transform-set ts16 esp-aes 128 esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255
crypto map map16 10 ipsec-isakmp
set peer 193.16.6.254
set transform-set ts16
match address 110
exit
interface serial0/1/1
crypto map map16

VPN Phase 1 | R6 IKE policy | Status: done
Peer: 193.16.1.254
PSK: SeCrEt
Encryption: 3DES
Hash: SHA
DH Group: 2
Lifetime: 86400

Commands entered:
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.1.254

VPN Phase 2 | R6 crypto map | Status: done
Transform-set: ts61
Crypto ACL: 110
Local: 10.6.0.0/24
Remote: 10.3.1.0/24
Peer: 193.16.1.254

Commands entered:
conf t
crypto ipsec transform-set ts61 esp-aes 128 esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255
crypto map map61 10 ipsec-isakmp
set peer 193.16.1.254
set transform-set ts61
match address 110
exit
interface serial0/0/0
crypto map map61

VPN troubleshooting note | R6 re-apply crypto map | Status: note
Use: if ACL 110 shows matches but encaps / decaps stay at 0, remove and re-apply the crypto map, then ping again to trigger negotiation.

Troubleshooting commands:
conf t
interface serial0/0/0
no crypto map map61
crypto map map61


=== 7. Extended ACL 100 / SSH ACL settings ===

Stage | Device / Item | Settings and commands entered
Extended ACL | R2 ACL 100 | Status: done
Applied on: R2 Fa0/0
Direction: out
R2-Private: 172.16.100.101
R2-DMZ: 172.16.100.102

Commands entered:
conf t
no access-list 100
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
interface fa0/0
ip access-group 100 out

SSH ACL | R3 SSH management restriction | Status: done
Goal: only VLAN14 (IT) may SSH to R3
Username: user
Password: 123
Domain: ckc.com
RSA: 1024
ACL: 12
Allowed source: 10.1.14.64/27

Commands entered:
conf t
username user password 123
ip domain-name ckc.com
crypto key generate rsa
1024
ip ssh version 2
access-list 12 permit 10.1.14.64 0.0.0.31
line vty 0 5
login local
transport input ssh
access-class 12 in
exit
line vty 6 15
transport input none
exit
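The endpoint test records earlier on the page (VLAN12-RD1 can FTP to R2-Private but not ping it; R3-PC can ping and browse R2-DMZ but not FTP to it) are exactly what first-match evaluation of ACL 100 produces, including the implicit deny at the end of every IOS ACL. The following Python is an added example, not part of the lab: a small parser and evaluator for numbered IOS ACLs, replayed against the page's ACL 100 and the vty ACL 12 above. Hosts and ports are the page's; the R2-Other case (172.16.100.103) is added to show that a server no line mentions is blocked by the implicit deny, and the assumed R3 vty address is only a placeholder since ACL 12 checks the source alone.

```python
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443}


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask to network: 10.1.12.16 0.0.0.15 -> 10.1.12.16/28."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_address(tokens, i):
    """One IOS address spec at tokens[i]: `any`, `host A`, `A W`, or bare `A` (standard ACL).
    Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit() and tokens[i + 1].count(".") == 3:
        return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(tokens[i] + "/32"), i + 1


def parse_acl(lines):
    """Numbered IOS ACL lines -> ordered rules. Standard lists (1-99) match the source only;
    extended lists (100-199) match protocol, source, destination and destination port."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number < 100:
            src, _ = parse_address(t, 3)
            rules.append({"action": action, "proto": "ip", "src": src,
                          "dst": ipaddress.IPv4Network("0.0.0.0/0"), "dport": None})
        else:
            proto = t[3]
            src, i = parse_address(t, 4)
            dst, i = parse_address(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
            rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First matching rule wins; a packet no rule matches hits the implicit deny (rule None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for index, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dst_port:
            continue
        return r["action"], index
    return "deny", None


# Constructed from the page's R2 ACL 100 and R3 ACL 12 (section 7).
ACL_100 = [
    "access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20",
    "access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21",
    "access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0",
    "access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80",
    "access-list 100 permit icmp any 172.16.100.102 0.0.0.0",
    "access-list 100 deny ip any 172.16.100.102 0.0.0.0",
]
ACL_12 = ["access-list 12 permit 10.1.14.64 0.0.0.31"]


def acl100(proto, src_ip, dst_ip, dst_port=None):
    """Verdict for a packet leaving R2 Fa0/0 towards the server segment (`ip access-group 100 out`)."""
    return evaluate(parse_acl(ACL_100), proto, src_ip, dst_ip, dst_port)


def ssh_allowed(src_ip):
    """`access-class 12 in` on R3's vty lines: only the source address is checked.
    192.168.99.3 (R3's loopback) stands in for whichever R3 address the client connects to."""
    return evaluate(parse_acl(ACL_12), "tcp", src_ip, "192.168.99.3", 22)[0] == "permit"


if __name__ == "__main__":
    tests = [  # the page's endpoint test records, plus the R2-Other case
        ("VLAN12-RD1 ftp  -> R2-Private", ("tcp", "10.1.12.17", "172.16.100.101", 21)),
        ("VLAN12-RD1 ping -> R2-Private", ("icmp", "10.1.12.17", "172.16.100.101")),
        ("R3-PC2 ping -> R2-Private", ("icmp", "10.3.2.10", "172.16.100.101")),
        ("R3-PC2 ping -> R2-DMZ", ("icmp", "10.3.2.10", "172.16.100.102")),
        ("R3-PC2 http -> R2-DMZ", ("tcp", "10.3.2.10", "172.16.100.102", 80)),
        ("R3-PC2 ftp  -> R2-DMZ", ("tcp", "10.3.2.10", "172.16.100.102", 21)),
        ("VLAN14-IT http -> R2-Other", ("tcp", "10.1.14.65", "172.16.100.103", 80)),
    ]
    for label, args in tests:
        action, index = acl100(*args)
        print(f"{label:30s} {action:6s} rule {index if index else 'implicit deny'}")
    print("SSH to R3 from VLAN14-IT:", ssh_allowed("10.1.14.65"), "/ from VLAN12-RD1:", ssh_allowed("10.1.12.17"))
```

Two caveats before reusing this configuration outside the lab. The `eq 20` line only ever matches a client that deliberately connects to port 20: in active FTP the server opens the data connection from port 20 towards the client (the opposite direction through Fa0/0, which this outbound ACL never sees), and in passive FTP the client connects to a random high port on the server, which line 3 denies, so a real FTP client would lose its data channel on this ACL. On the SSH side, `username user password 123` stores the password reversibly (`username user secret ...` is the right form), and a 1024-bit RSA key is below the current 2048-bit minimum.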