「緯育 2026-0608」修訂間的差異

出自頂極製作所
標籤手動回退
 
(未顯示同一使用者於中間所作的 3 次修訂)
行 354: 行 354:
| 狀態:完成<br>目的:只允許 VLAN14 IT SSH 到 R3<br>Username:user<br>Password:123<br>Domain:ckc.com<br>RSA:1024<br>ACL:12<br>Allowed Source:10.1.14.64/27<br><br>輸入指令:<br><code>conf t</code><br><code>username user password 123</code><br><code>ip domain-name ckc.com</code><br><code>crypto key generate rsa</code><br><code>1024</code><br><code>ip ssh version 2</code><br><code>access-list 12 permit 10.1.14.64 0.0.0.31</code><br><code>line vty 0 5</code><br><code>login local</code><br><code>transport input ssh</code><br><code>access-class 12 in</code><br><code>exit</code><br><code>line vty 6 15</code><br><code>transport input none</code><br><code>exit</code><br><br>
| 狀態:完成<br>目的:只允許 VLAN14 IT SSH 到 R3<br>Username:user<br>Password:123<br>Domain:ckc.com<br>RSA:1024<br>ACL:12<br>Allowed Source:10.1.14.64/27<br><br>輸入指令:<br><code>conf t</code><br><code>username user password 123</code><br><code>ip domain-name ckc.com</code><br><code>crypto key generate rsa</code><br><code>1024</code><br><code>ip ssh version 2</code><br><code>access-list 12 permit 10.1.14.64 0.0.0.31</code><br><code>line vty 0 5</code><br><code>login local</code><br><code>transport input ssh</code><br><code>access-class 12 in</code><br><code>exit</code><br><code>line vty 6 15</code><br><code>transport input none</code><br><code>exit</code><br><br>
|}
|}
== 人工智慧 Prompt ==
00. 請使用這個連結: https://www.acmex.cc/%E7%B7%AF%E8%82%B2_2026-0608 當作這次學習成果驗收的參考紀錄。
01. 學習成果驗收比照模擬考試,所以正確和精準度都非常重要,而且成果驗收長達6個小時,因此 Token 務必錙銖必較、不要浪費,非常重要。
02. 過程都有很多操作步驟和驗證工作,如果沒有特別提出問題,或者是要求給予回應,不要主動給予過多資料,以免 Token 不夠使用,非常重要。
03. 因為 Packet Tracer 會有許多繁複的指令,每次只要給予我所針對的範圍給出答案就好,一次給太多無法消化、或者也會無謂的浪費 Token。
04. 除了從網址來的基本參考線以外,附件是這次驗收的模擬環境資料,就以這個檔案為成果驗收的主軸,幫我完成最後這個作業。
05. 除非遇到卡關或是撞牆的問題,否則我會儘量減少使用截圖來解決問題,也是為了讓Token維持最大化運用,將耗損控制在最低範圍。
06. 所以需要驗證的時候,我會儘量使用文字貼上,或者由你來告訴我如何驗證,例如:「R2用ping某個ip」這種方式做驗證。
07. 截圖是這次驗收的拓樸圖,務必和上傳的文件做內容比對,確保後面每一個設定都是正確的。

於 2026年6月8日 (一) 00:58 的最新修訂

完整設定表

  • Client IP / Gateway
    • Switch VLAN
    • Access Port
    • Trunk
    • Router-on-a-stick
    • Router Interface
    • Static / Floating Static Route
    • OSPF
    • Default Route
    • NAT / PAT
    • Static NAT
    • IPSec VPN
    • ACL
    • 最終驗證

一、終端設備 IP / Gateway 設定

階段 設備 / 項目 設定內容與輸入指令
Client IP S1 管理 IP 狀態:完成
VLAN:99
IP:10.1.99.101
Mask:255.255.255.0
Gateway:10.1.99.254

輸入指令:
conf t
interface vlan 99
ip address 10.1.99.101 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254

Client IP S2 管理 IP 狀態:完成
VLAN:99
IP:10.1.99.102
Mask:255.255.255.0
Gateway:10.1.99.254

輸入指令:
conf t
interface vlan 99
ip address 10.1.99.102 255.255.255.0
no shutdown
exit
ip default-gateway 10.1.99.254

Client IP Mgmt Server 狀態:完成
IP:10.1.99.100
Mask:255.255.255.0
Gateway:10.1.99.254

設定位置:Desktop → IP Configuration
IP Address: 10.1.99.100
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.99.254
Client IP VLAN12-RD1 狀態:完成
部門:RD
VLAN:12
IP:10.1.12.17
Mask:255.255.255.240
Gateway:10.1.12.30
接線位置:S1 Fa0/11

設定位置:Desktop → IP Configuration
IP Address: 10.1.12.17
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
Client IP VLAN12-RD2 狀態:完成
部門:RD
VLAN:12
IP:10.1.12.18
Mask:255.255.255.240
Gateway:10.1.12.30
接線位置:S2 Fa0/11

設定位置:Desktop → IP Configuration
IP Address: 10.1.12.18
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.12.30
Client IP VLAN13-Sales1 狀態:完成
部門:Sales
VLAN:13
IP:10.1.13.25
Mask:255.255.255.248
Gateway:10.1.13.30
接線位置:S1 Fa0/15

設定位置:Desktop → IP Configuration
IP Address: 10.1.13.25
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
Client IP VLAN13-Sales2 狀態:完成
部門:Sales
VLAN:13
IP:10.1.13.26
Mask:255.255.255.248
Gateway:10.1.13.30
接線位置:S2 Fa0/15

設定位置:Desktop → IP Configuration
IP Address: 10.1.13.26
Subnet Mask: 255.255.255.248
Default Gateway: 10.1.13.30
Client IP VLAN14-IT 狀態:完成
部門:IT
VLAN:14
IP:10.1.14.65
Mask:255.255.255.224
Gateway:10.1.14.94
接線位置:S2 Fa0/19

設定位置:Desktop → IP Configuration
IP Address: 10.1.14.65
Subnet Mask: 255.255.255.224
Default Gateway: 10.1.14.94
Client IP R2-Private 狀態:完成
角色:Private Server
IP:172.16.100.101
Mask:255.255.255.0
Gateway:172.16.100.254

設定位置:Desktop → IP Configuration
IP Address: 172.16.100.101
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP R2-DMZ 狀態:完成
角色:DMZ Server
IP:172.16.100.102
Mask:255.255.255.0
Gateway:172.16.100.254
Static NAT 對應:171.69.233.209

設定位置:Desktop → IP Configuration
IP Address: 172.16.100.102
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP R2-Other 狀態:完成
角色:Other Server
IP:172.16.100.103
Mask:255.255.255.0
Gateway:172.16.100.254

設定位置:Desktop → IP Configuration
IP Address: 172.16.100.103
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.100.254
Client IP R3-PC1 狀態:完成
IP:10.3.1.10
Mask:255.255.255.0
Gateway:10.3.1.254
用途:IPSec VPN 遠端目的端

設定位置:Desktop → IP Configuration
IP Address: 10.3.1.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.254
Client IP R3-PC2 狀態:完成
IP:10.3.2.10
Mask:255.255.255.0
Gateway:10.3.2.254
用途:Static / Floating Static Route 測試

設定位置:Desktop → IP Configuration
IP Address: 10.3.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.2.254
Client IP R6-PC5 狀態:完成
IP:10.5.0.10
Mask:255.255.255.0
Gateway:10.5.0.254
用途:R6 PAT 測試

設定位置:Desktop → IP Configuration
IP Address: 10.5.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.5.0.254
Client IP R6-PC6 狀態:完成
IP:10.6.0.10
Mask:255.255.255.0
Gateway:10.6.0.254
用途:IPSec VPN 本端來源

設定位置:Desktop → IP Configuration
IP Address: 10.6.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.6.0.254
Client IP Internet WWW 狀態:完成
IP:200.200.200.200
Mask:255.255.255.0
Gateway:200.200.200.254
用途:NAT / PAT 連外測試

設定位置:Desktop → IP Configuration
IP Address: 200.200.200.200
Subnet Mask: 255.255.255.0
Default Gateway: 200.200.200.254
Client IP Internet User 狀態:完成
IP:201.201.201.201
Mask:255.255.255.0
Gateway:201.201.201.254
用途:Static NAT 外部測試

設定位置:Desktop → IP Configuration
IP Address: 201.201.201.201
Subnet Mask: 255.255.255.0
Default Gateway: 201.201.201.254

二、Switch VLAN / Access Port / Trunk 設定

階段 設備 / 項目 設定內容與輸入指令
VLAN S1 建立 VLAN 狀態:完成
VLAN12:RD
VLAN13:sales
VLAN14:IT
VLAN99:MGMT

輸入指令:
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT

VLAN S2 建立 VLAN 狀態:完成
VLAN12:RD
VLAN13:sales
VLAN14:IT
VLAN99:MGMT

輸入指令:
conf t
vlan 12
name RD
vlan 13
name sales
vlan 14
name IT
vlan 99
name MGMT

Access Port S1 Access Port 狀態:完成
Fa0/11:VLAN12
Fa0/15:VLAN13
Fa0/21:VLAN99

輸入指令:
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/21
switchport mode access
switchport access vlan 99
no shutdown

Access Port S2 Access Port 狀態:完成
Fa0/11:VLAN12
Fa0/15:VLAN13
Fa0/19:VLAN14

輸入指令:
conf t
interface fa0/11
switchport mode access
switchport access vlan 12
no shutdown
exit
interface fa0/15
switchport mode access
switchport access vlan 13
no shutdown
exit
interface fa0/19
switchport mode access
switchport access vlan 14
no shutdown

Trunk S1 to S2 狀態:完成
Trunk Port:Fa0/23 - 24
Allowed VLAN:12,13,14,99

輸入指令:
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown

Trunk S2 to S1 狀態:完成
Trunk Port:Fa0/23 - 24
Allowed VLAN:12,13,14,99

輸入指令:
conf t
interface range fa0/23 - 24
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown

Trunk S1 to R1 狀態:完成
S1 Fa0/5 連接 R1 Fa0/0
Allowed VLAN:12,13,14,99

輸入指令:
conf t
interface fa0/5
switchport mode trunk
switchport trunk allowed vlan 12,13,14,99
no shutdown

三、Router-on-a-stick / Router 介面設定 (含等價網路平衡設定)

階段 設備 / 項目 設定內容與輸入指令
Router-on-a-stick R1 Fa0/0 狀態:完成
用途:Trunk 母介面,不設定 IP

輸入指令:
conf t
interface fa0/0
no shutdown

Router-on-a-stick R1 Fa0/0.2 狀態:完成
VLAN:12
Gateway:10.1.12.30/28

輸入指令:
conf t
interface fa0/0.2
encapsulation dot1Q 12
ip address 10.1.12.30 255.255.255.240

Router-on-a-stick R1 Fa0/0.3 狀態:完成
VLAN:13
Gateway:10.1.13.30/29

輸入指令:
conf t
interface fa0/0.3
encapsulation dot1Q 13
ip address 10.1.13.30 255.255.255.248

Router-on-a-stick R1 Fa0/0.4 狀態:完成
VLAN:14
Gateway:10.1.14.94/27

輸入指令:
conf t
interface fa0/0.4
encapsulation dot1Q 14
ip address 10.1.14.94 255.255.255.224

Router-on-a-stick R1 Fa0/0.99 狀態:完成
VLAN:99
Gateway:10.1.99.254/24

輸入指令:
conf t
interface fa0/0.99
encapsulation dot1Q 99
ip address 10.1.99.254 255.255.255.0

Serial R1 Serial0/0/0 狀態:完成
連線:R1 to R2
IP:192.168.123.1/30
Bandwidth:128K

輸入指令:
conf t
interface serial0/0/0
ip address 192.168.123.1 255.255.255.252
bandwidth 128
no shutdown

Serial R1 Serial0/0/1 狀態:完成
連線:R1 to R3
IP:192.168.123.5/30
Bandwidth:64K
Clock rate:64000

輸入指令:
conf t
interface serial0/0/1
ip address 192.168.123.5 255.255.255.252
bandwidth 64
clock rate 64000
no shutdown

Internet R1 Serial0/1/1 狀態:完成
連線:R1 to Internet Router
IP:193.16.1.254/30
用途:NAT outside、VPN peer

輸入指令:
conf t
interface serial0/1/1
ip address 193.16.1.254 255.255.255.252
no shutdown

Router Interface R2 Fa0/0 狀態:完成
用途:Server 區 Gateway
IP:172.16.100.254/24

輸入指令:
conf t
interface fa0/0
ip address 172.16.100.254 255.255.255.0
no shutdown

Serial R2 Serial0/0/0 狀態:完成
連線:R2 to R1
IP:192.168.123.2/30
Bandwidth:128K
Clock rate:128000

輸入指令:
conf t
interface serial0/0/0
ip address 192.168.123.2 255.255.255.252
bandwidth 128
clock rate 128000
no shutdown

Serial R2 Serial0/0/1 狀態:完成
連線:R2 to R3
IP:192.168.123.9/30
Bandwidth:128K
Clock rate:128000

輸入指令:
conf t
interface serial0/0/1
ip address 192.168.123.9 255.255.255.252
bandwidth 128
clock rate 128000
no shutdown

Router Interface R3 Fa0/0 狀態:完成
用途:R3-PC1 Gateway
IP:10.3.1.254/24

輸入指令:
conf t
interface fa0/0
ip address 10.3.1.254 255.255.255.0
no shutdown

Router Interface R3 Fa0/1 狀態:完成
用途:R3-PC2 Gateway
IP:10.3.2.254/24

輸入指令:
conf t
interface fa0/1
ip address 10.3.2.254 255.255.255.0
no shutdown

Serial R3 Serial0/0/0 狀態:完成
連線:R3 to R1
IP:192.168.123.6/30
Bandwidth:64K

輸入指令:
conf t
interface serial0/0/0
ip address 192.168.123.6 255.255.255.252
bandwidth 64
no shutdown

Serial R3 Serial0/0/1 狀態:完成
連線:R3 to R2
IP:192.168.123.10/30
Bandwidth:128K

輸入指令:
conf t
interface serial0/0/1
ip address 192.168.123.10 255.255.255.252
bandwidth 128
no shutdown

Router Interface R6 Fa0/1 狀態:完成
用途:R6-PC5 Gateway、PAT inside
IP:10.5.0.254/24

輸入指令:
conf t
interface fa0/1
ip address 10.5.0.254 255.255.255.0
no shutdown

Router Interface R6 Fa0/0 狀態:完成
用途:R6-PC6 Gateway、VPN protected LAN
IP:10.6.0.254/24

輸入指令:
conf t
interface fa0/0
ip address 10.6.0.254 255.255.255.0
no shutdown

Internet R6 Serial0/0/0 狀態:完成
連線:R6 to Internet Router
IP:193.16.6.254/30
用途:NAT outside、VPN peer

輸入指令:
conf t
interface serial0/0/0
ip address 193.16.6.254 255.255.255.252
no shutdown

Internet Router Internet Router 介面 狀態:完成
To R1:193.16.1.253/30
To R6:193.16.6.253/30
Internet WWW Gateway:200.200.200.254/24
Internet User Gateway:201.201.201.254/24

輸入指令:
conf t
interface serial0/0/0
ip address 193.16.1.253 255.255.255.252
clock rate 64000
no shutdown
exit
interface serial0/0/1
ip address 193.16.6.253 255.255.255.252
clock rate 64000
no shutdown
exit
interface fa0/0
ip address 200.200.200.254 255.255.255.0
no shutdown
exit
interface fa0/1
ip address 201.201.201.254 255.255.255.0
no shutdown

四、Static Route / Floating Static Route / OSPF 設定

階段 設備 / 項目 設定內容與輸入指令
Static Route R1 to 10.3.2.0/24 主路由 狀態:完成
Destination:10.3.2.0/24
Next-hop:192.168.123.6
AD:1

輸入指令:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.6

Floating Static Route R1 to 10.3.2.0/24 備援路由 狀態:完成
Destination:10.3.2.0/24
Next-hop:192.168.123.2
AD:2

輸入指令:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.2 2

Static Route R2 to 10.3.2.0/24 狀態:完成
Destination:10.3.2.0/24
Next-hop:192.168.123.10

輸入指令:
conf t
ip route 10.3.2.0 255.255.255.0 192.168.123.10

Static Route R2 to VLAN14 狀態:完成
Destination:10.1.14.64/27
Next-hop:192.168.123.1

輸入指令:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.1

Static Route R3 to VLAN14 主路由 狀態:完成
Destination:10.1.14.64/27
Next-hop:192.168.123.5
AD:1

輸入指令:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.5

Floating Static Route R3 to VLAN14 備援路由 狀態:完成
Destination:10.1.14.64/27
Next-hop:192.168.123.9
AD:2

輸入指令:
conf t
ip route 10.1.14.64 255.255.255.224 192.168.123.9 2

OSPF R1 OSPF 狀態:完成
Process ID:1
Router ID:192.168.99.1
主要方式:network 指令使用子網段

輸入指令:
conf t
interface loopback0
ip address 192.168.99.1 255.255.255.255
exit
router ospf 1
router-id 192.168.99.1
passive-interface default
no passive-interface serial0/0/0
no passive-interface serial0/0/1
network 192.168.123.0 0.0.0.3 area 0
network 192.168.123.4 0.0.0.3 area 0
network 10.1.12.16 0.0.0.15 area 0
network 10.1.13.24 0.0.0.7 area 0
network 10.1.99.0 0.0.0.255 area 0
network 192.168.99.1 0.0.0.0 area 0

OSPF R2 OSPF 狀態:完成
Process ID:2
Router ID:192.168.99.2
主要方式:network 指令使用直連介面 IP

輸入指令:
conf t
interface loopback0
ip address 192.168.99.2 255.255.255.255
exit
router ospf 2
router-id 192.168.99.2
network 192.168.123.2 0.0.0.0 area 0
network 192.168.123.9 0.0.0.0 area 0
network 172.16.100.254 0.0.0.0 area 2
network 192.168.99.2 0.0.0.0 area 2
passive-interface fa0/0

OSPF R3 OSPF 狀態:完成
Process ID:3
Router ID:192.168.99.3
主要方式:interface mode 啟動 OSPF

輸入指令:
conf t
interface loopback0
ip address 192.168.99.3 255.255.255.255
ip ospf 3 area 3
exit
interface fa0/0
ip ospf 3 area 3
exit
interface serial0/0/0
ip ospf 3 area 0
exit
interface serial0/0/1
ip ospf 3 area 0
exit
router ospf 3
router-id 192.168.99.3
passive-interface fa0/0

OSPF Cost Serial bandwidth 狀態:完成
R1-R2:128K
R2-R3:128K
R1-R3:64K

R1 輸入指令:
conf t
interface serial0/0/0
bandwidth 128
exit
interface serial0/0/1
bandwidth 64



R2 輸入指令:
conf t
interface serial0/0/0
bandwidth 128
exit
interface serial0/0/1
bandwidth 128



R3 輸入指令:
conf t
interface serial0/0/0
bandwidth 64
exit
interface serial0/0/1
bandwidth 128

Default Route R1 Default Route 狀態:完成
Default Route:0.0.0.0/0
Next-hop:193.16.1.253

輸入指令:
conf t
ip route 0.0.0.0 0.0.0.0 193.16.1.253

OSPF Default R1 宣告 Default Route 狀態:完成
目的:讓 R2 / R3 學到 O*E2 0.0.0.0/0

輸入指令:
conf t
router ospf 1
default-information originate

Default Route R6 Default Route 狀態:完成
Default Route:0.0.0.0/0
Next-hop:193.16.6.253

輸入指令:
conf t
ip route 0.0.0.0 0.0.0.0 193.16.6.253

五、NAT / PAT / Static NAT 設定

階段 設備 / 項目 設定內容與輸入指令
PAT R1 VLAN12 PAT 狀態:完成
Inside:Fa0/0.2
Outside:Serial0/1/1
ACL:10
Source:10.1.12.16/28

輸入指令:
conf t
interface fa0/0.2
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
access-list 10 permit 10.1.12.16 0.0.0.15
ip nat inside source list 10 interface serial0/1/1 overload

PAT R6-PC5 PAT 狀態:完成
Inside:Fa0/1
Outside:Serial0/0/0
ACL:10
Source:10.5.0.0/24

輸入指令:
conf t
interface fa0/1
ip nat inside
exit
interface serial0/0/0
ip nat outside
exit
access-list 10 permit 10.5.0.0 0.0.0.255
ip nat inside source list 10 interface serial0/0/0 overload

Dynamic NAT R1 VLAN13 Dynamic NAT 狀態:完成
Inside:Fa0/0.3
Outside:Serial0/1/1
ACL:20
Pool:171.69.233.210 - 171.69.233.222

輸入指令:
conf t
interface fa0/0.3
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no access-list 20
no ip nat inside source list 20 pool netpool
no ip nat pool netpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
access-list 20 permit 10.1.13.24 0.0.0.7
ip nat pool natpool 171.69.233.210 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 20 pool natpool

NAT Return Route Internet Router 狀態:完成
目的:回指 NAT 公有 IP 池
Public Pool:171.69.233.208/28
Next-hop:193.16.1.254

輸入指令:
conf t
ip route 171.69.233.208 255.255.255.240 193.16.1.254

Static NAT R1 R2-DMZ Static NAT 狀態:完成
Inside local:172.16.100.102
Inside global:171.69.233.209

輸入指令:
conf t
interface serial0/0/0
ip nat inside
exit
interface serial0/1/1
ip nat outside
exit
no ip nat inside source static 172.16.100.103 171.69.233.209
ip nat inside source static 172.16.100.102 171.69.233.209

六、IPSec VPN 設定

階段 設備 / 項目 設定內容與輸入指令
VPN Phase 1 R1 IKE Policy 狀態:完成
Peer:193.16.6.254
PSK:SeCrEt
Encryption:3DES
Hash:SHA
DH Group:2
Lifetime:86400

輸入指令:
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.6.254

VPN Phase 2 R1 Crypto Map 狀態:完成
Transform-set:ts16
Crypto ACL:110
Local:10.3.1.0/24
Remote:10.6.0.0/24
Peer:193.16.6.254

輸入指令:
conf t
crypto ipsec transform-set ts16 esp-aes 128 esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.6.0.0 0.0.0.255
crypto map map16 10 ipsec-isakmp
set peer 193.16.6.254
set transform-set ts16
match address 110
exit
interface serial0/1/1
crypto map map16

VPN Phase 1 R6 IKE Policy 狀態:完成
Peer:193.16.1.254
PSK:SeCrEt
Encryption:3DES
Hash:SHA
DH Group:2
Lifetime:86400

輸入指令:
conf t
crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key SeCrEt address 193.16.1.254

VPN Phase 2 R6 Crypto Map 狀態:完成
Transform-set:ts61
Crypto ACL:110
Local:10.6.0.0/24
Remote:10.3.1.0/24
Peer:193.16.1.254

輸入指令:
conf t
crypto ipsec transform-set ts61 esp-aes 128 esp-md5-hmac
no access-list 110
access-list 110 permit ip 10.6.0.0 0.0.0.255 10.3.1.0 0.0.0.255
crypto map map61 10 ipsec-isakmp
set peer 193.16.1.254
set transform-set ts61
match address 110
exit
interface serial0/0/0
crypto map map61

VPN 查修備註 R6 重掛 Crypto Map 狀態:備註
用途:若 ACL 110 有 match,但 encaps / decaps 仍為 0,可重掛 crypto map 後重新 ping 觸發。

查修指令:
conf t
interface serial0/0/0
no crypto map map61
crypto map map61

七、Extended ACL 100 / SSH ACL 設定

階段 設備 / 項目 設定內容與輸入指令
Extended ACL R2 ACL 100 狀態:完成
套用介面:R2 Fa0/0
方向:out
R2-Private:172.16.100.101
R2-DMZ:172.16.100.102

輸入指令:
conf t
no access-list 100
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 20
access-list 100 permit tcp 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0 eq 21
access-list 100 deny ip 10.1.12.16 0.0.0.15 172.16.100.101 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.100.101 0.0.0.0
access-list 100 permit tcp any 172.16.100.102 0.0.0.0 eq 80
access-list 100 permit icmp any 172.16.100.102 0.0.0.0
access-list 100 deny ip any 172.16.100.102 0.0.0.0
interface fa0/0
ip access-group 100 out

SSH ACL R3 SSH 管理限制 狀態:完成
目的:只允許 VLAN14 IT SSH 到 R3
Username:user
Password:123
Domain:ckc.com
RSA:1024
ACL:12
Allowed Source:10.1.14.64/27

輸入指令:
conf t
username user password 123
ip domain-name ckc.com
crypto key generate rsa
1024
ip ssh version 2
access-list 12 permit 10.1.14.64 0.0.0.31
line vty 0 5
login local
transport input ssh
access-class 12 in
exit
line vty 6 15
transport input none
exit

取自「https://www.acmex.cc/index.php?title=緯育_2026-0608&oldid=7471