Question #1351

SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

* Refer to the Tasks tab to view the tasks for this lab item.
* Refer to the Topology tab to access the device console(s) and perform the tasks.
* Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
* All necessary preconfigurations have been applied.
* Do not change the enable password or hostname for any device.
* Save your configurations to NVRAM before moving to the next item.
* Click Next at the bottom of the screen to submit this lab and move to the next question.
* When Next is clicked, the lab closes and cannot be reopened.

Topology

Tasks

Refer to the topology. All physical cabling is in place. Configure a local user account, a Named ACL (NACL) and security.

1. Configure a local account on Sw101 with telnet access only on virtual ports 0-4. Use the following information:
   * Username: netops
   * Password: ipsec4all
   * Algorithm: "Vigenere"
   * Privilege level: Exec mode
2. Configure and apply a single NACL on Sw103 using the following:
   * Name: ENT_ACL
   * Restrict only PC1 on VLAN 10 from pinging PC2
   * Allow only PC1 on VLAN 10 to telnet to R1 (172.16.30.2)
   * Prevent all other devices from telnetting from VLAN 10
   * Allow all other network traffic from VLAN 10
3. Configure security on interface Ethernet 0/0 of Sw102:
   * Set the maximum number of secure MAC addresses to two
   * Ensure that the port discards the packet, counts the number of violations and sends a syslog message
   * Allow secure MAC addresses to be learned dynamically
**English explanation**
This is a detailed analysis of the provided CCNA simulation question. We will break down each task, explain the purpose of the commands, and clarify the technical terms so that a beginner can follow.

---

### Introduction to Simulation Questions

Simulation (SIM) questions in Cisco certification exams test your practical configuration and troubleshooting skills on virtual network devices (routers and switches). Instead of choosing from multiple-choice answers, you work in a command-line interface (CLI) to configure devices according to specific requirements. This type of question directly assesses your ability to apply theoretical knowledge to realistic scenarios.

### Topology Analysis

Let's first understand the network diagram provided:

* **Devices:**
  * **R1 (Router):** Connects the internal network to the `Internet`. Its `e0/1` interface faces the Internet in the `209.165.201.0/30` range; its `e0/0` interface connects to `Sw103`.
  * **Sw103 (Switch):** A distribution or core layer switch. It connects to `R1` (e0/0), `Sw101` (e0/2) and `Sw102` (e0/2). Its links to Sw101 and Sw102 are labeled as `Trunk` links.
  * **Sw101 (Switch):** An access layer switch. It connects to `Sw103` (e0/2) via a `Trunk` link and to `Sw102` (e0/1) via a `Trunk` link. `PC1` is connected to its `e0/0` interface, which is assigned to `Campus 1 VLAN 10`.
  * **Sw102 (Switch):** Another access layer switch. It connects to `Sw103` (e0/2) and `Sw101` (e0/1) via `Trunk` links. `PC2` is connected to its `e0/0` interface, which is assigned to `Campus 2 VLAN 20`.
  * **PC1 & PC2 (End Devices):** Workstations with assigned IP addresses.
    * `PC1`: `172.16.10.10` (VLAN 10)
    * `PC2`: `172.16.20.10` (VLAN 20)
* **Links:**
  * **Trunk Links:** The inter-switch links (Sw103-Sw101, Sw103-Sw102, Sw101-Sw102) carry traffic for multiple VLANs. This is what lets frames from VLAN 10 and VLAN 20 reach whichever device performs inter-VLAN routing.
  * **Access Ports:** Ports connected to end devices (Sw101 e0/0 for PC1, Sw102 e0/0 for PC2) are access ports, meaning they belong to a single VLAN.
* **IP Addressing:**
  * `PC1`: `172.16.10.10`
  * `PC2`: `172.16.20.10`
  * `R1` to `Internet`: `209.165.201.0/30` subnet.

Now, let's break down each task.

---

### Task 1: Configure a local user account on Sw101

**Goal:** Configure a local user account named `netops` with a specific password and privilege level, allowing only Telnet access on virtual ports 0-4.

**Technical Terms:**

* **Local Account:** A user account stored on the device itself, not on a central server such as RADIUS or TACACS+.
* **Telnet:** An older network protocol that provides an interactive text terminal over a TCP connection (port 23). It transmits everything, including the login credentials, in plain text, so anyone who can capture the traffic can read them. SSH is the modern replacement; the task asks for Telnet only, which is acceptable in a lab but not in production.
* **Virtual Ports (VTY lines):** Virtual Teletype (VTY) lines are the logical terminal lines a Cisco device uses for remote access (Telnet, SSH). Switches typically have VTY lines 0-15; `0 4` selects the first five lines.
* **Privilege Level:** Cisco IOS uses privilege levels 0-15 to control access to commands. Level 1 is user EXEC mode (limited `show` commands) and level 15 is privileged EXEC mode (full access, the same as after `enable`). The task says "Exec mode", which is ambiguous; the reference solution reads it as privileged EXEC and assigns level 15.
* **"Vigenere" Algorithm:** The Vigenère cipher is a classical, easily reversible substitution cipher. Cisco's Type 7 password "encryption" (what `service password-encryption` applies to `password`-style credentials) is a Vigenère cipher with a fixed key, so the task's wording points at Type 7. It is reversible by anyone who has the configuration; it only hides the password from casual observation. The `secret` keyword, by contrast, stores a one-way hash (Type 5 MD5, or Type 8/9 on newer IOS), which is not Vigenère at all. The reference solution below uses `secret` plus `service password-encryption`; a grader that checks for a Type 7 string would instead need `username netops privilege 15 password ipsec4all` followed by `service password-encryption`. Either way, treat a Type 7 string in a leaked configuration as a plaintext password, and prefer `secret` whenever the task allows it.

**Command Analysis:**

1. **`Sw101(config)# username netops privilege 15 secret ipsec4all`**
   * `username netops`: Creates a user account with the name `netops`.
   * `privilege 15`: Assigns the highest privilege level (privileged EXEC mode) to this user, so `netops` can run any command once logged in, as if after `enable`.
   * `secret ipsec4all`: Sets the password for `netops` to `ipsec4all`. The `secret` keyword stores a one-way hash (shown as Type 5, 8 or 9 in `show running-config`), which is far stronger than the `password` keyword (Type 7 or plain text).
2. **`Sw101(config)# line vty 0 4`**
   * Enters configuration mode for VTY lines 0 through 4, the virtual ports used for remote access.
3. **`Sw101(config-line)# login local`**
   * Authenticates users on these lines against the local user database (the `username` entry above) instead of a per-line `password` or an external server.
4. **`Sw101(config-line)# transport input telnet`**
   * Restricts the inbound protocols on these VTY lines to `telnet` only; SSH connections to these lines are refused.
5. **`Sw101(config-line)# exit`**
   * Exits VTY line configuration mode.
6. **`Sw101(config)# service password-encryption`**
   * Rewrites every plaintext password in the configuration (for example an `enable password`, or `password` commands under `line console` or `line vty`) as a Type 7 string. Type 7 is the Vigenère-based scheme discussed above and can be decoded trivially, so this command hides passwords from shoulder-surfing, nothing more.
   * It does not affect passwords configured with the `secret` keyword, which are already hashed. It is still worth enabling so that any password left in plain text by mistake is at least obscured.
7. **`Sw101(config)# do wr`**
   * `do`: Runs a privileged EXEC command (`wr`, short for `write memory`) from within configuration mode.
   * `wr` (`write memory`, equivalent to `copy running-config startup-config`): Saves the running configuration to NVRAM so that it survives a reload.

---

### Task 2: Configure and apply a single NACL on Sw103

**Goal:** Configure a named extended Access Control List (ACL) called `ENT_ACL` on `Sw103` to control traffic originating from `VLAN 10`.

**Technical Terms:**

* **Access Control List (ACL):** An ordered list of permit and deny statements that filter traffic on criteria such as source/destination IP address, protocol and port number.
* **Named ACL:** An ACL identified by a name (`ENT_ACL`) rather than a number. Named ACLs are easier to read and edit, because individual entries can be added or removed by sequence number.
* **Extended ACL:** An ACL that can match on source IP, destination IP, protocol (TCP, UDP, ICMP) and port numbers. A standard ACL matches on source IP only, which would not be enough to distinguish ping from Telnet here.
* **Inbound/Outbound:** An ACL is applied to an interface in one direction and filters traffic as it *enters* (inbound) or *leaves* (outbound) that interface.
* **Source/Destination:** The origin and end point of a packet.
* **Protocol:** The type of communication (ICMP for ping, TCP for Telnet/HTTP, UDP for DNS).
* **Wildcard Mask:** Specifies which bits of an address must match (0 bits) and which are ignored (1 bits); it is the bitwise inverse of a subnet mask. `172.16.10.0 0.0.0.255` matches the first three octets exactly and ignores the last, covering the whole `172.16.10.0/24` subnet. `host 172.16.10.10` is shorthand for `172.16.10.10 0.0.0.0`.
* **Implicit Deny:** Every ACL ends with an invisible `deny ip any any`. Traffic that matches no explicit statement is dropped, which is why an ACL usually needs a `permit ip ... any` (or a more specific permit) at the end to let through the traffic you did not mean to block.
* **Ping (ICMP):** Uses the Internet Control Message Protocol to test reachability.
* **Telnet (TCP port 23):** Remote login over TCP, normally on port 23.

**Command Analysis:**

1. **`Sw103(config)# ip access-list extended ENT_ACL`**
   * Creates a named extended ACL called `ENT_ACL` and enters `config-ext-nacl` mode, where the entries are defined.
2. **`Sw103(config-ext-nacl)# deny icmp host 172.16.10.10 host 172.16.20.10`**
   * **Task Requirement:** "Restrict only PC1 on VLAN 10 from pinging PC2".
   * `deny icmp`: Deny ICMP (ping) traffic.
   * `host 172.16.10.10`: Source is the single host PC1.
   * `host 172.16.20.10`: Destination is the single host PC2.
   * This matches the requirement. Note that it denies *all* ICMP types from PC1 to PC2, not only echo requests; if only ping were to be blocked, `deny icmp host 172.16.10.10 host 172.16.20.10 echo` would be the tighter form. The reference solution uses the broader entry.
3. **`Sw103(config-ext-nacl)# permit tcp host 172.16.10.10 host 172.16.30.2 eq telnet`**
   * **Task Requirement:** "Allow only PC1 on VLAN 10 to telnet to R1 (172.16.30.2)".
   * `permit tcp`: Permit TCP traffic.
   * `host 172.16.10.10`: Source is PC1.
   * `host 172.16.30.2`: Destination is R1, using the address given in the task. The diagram does not show where this address sits; since it is outside the VLAN 10 and VLAN 20 subnets, it is presumably R1's address on its link toward Sw103.
   * `eq telnet`: Destination TCP port must equal 23.
   * This permits PC1 to Telnet to R1. Because the next entry denies Telnet from the whole VLAN, this permit must be listed before it.
4. **`Sw103(config-ext-nacl)# deny tcp 172.16.10.0 0.0.0.255 any eq telnet`**
   * **Task Requirement:** "Prevent all other devices from telnetting from VLAN 10".
   * `deny tcp`: Deny TCP traffic.
   * `172.16.10.0 0.0.0.255`: Source is the whole `172.16.10.0/24` network (VLAN 10).
   * `any`: Any destination.
   * `eq telnet`: Destination port 23.
   * ACLs are evaluated top down and the first match wins. PC1's Telnet to R1 already matched the permit above, so this entry catches every other Telnet attempt from VLAN 10: other hosts to any destination, and also PC1 to any destination other than R1.
5. **`Sw103(config-ext-nacl)# permit ip 172.16.10.0 0.0.0.255 any`**
   * **Task Requirement:** "Allow all other network traffic from VLAN 10".
   * `permit ip`: Permit all IP traffic, any protocol.
   * `172.16.10.0 0.0.0.255`: Source is `172.16.10.0/24`.
   * `any`: Any destination.
   * Without this entry the implicit `deny ip any any` would block everything else from VLAN 10. With it, normal traffic from VLAN 10 (other than the ping and Telnet cases denied above) is allowed.
6. **`Sw103(config-ext-nacl)# do wr`**
   * Saves the ACL definition to NVRAM.

**Missing Step: ACL Application**

Defining an ACL does not make it active. An ACL must be *applied* to an interface (physical or SVI) in a specific direction (inbound or outbound). The task says "Configure and apply a single NACL on Sw103", but the reference commands only *configure* the ACL and never apply it. In the exam you would typically apply it inbound on the Switched Virtual Interface (SVI) for VLAN 10 on Sw103, assuming Sw103 performs inter-VLAN routing for VLAN 10.
For example:

```
Sw103(config)# interface vlan 10
Sw103(config-if)# ip access-group ENT_ACL in
```

If Sw103 does not route VLAN 10 and merely switches it toward a gateway elsewhere, a router ACL on its SVI would not see that bridged traffic; the ACL would then belong on whichever device is the VLAN 10 gateway (inbound on its VLAN 10 interface), or, where the platform supports port ACLs, inbound on Sw103's physical interface facing Sw101. Given the problem statement, `interface vlan 10` on Sw103, inbound, is the most logical place to control traffic *from* VLAN 10, provided that SVI exists and is the VLAN's gateway. The absence of the application step from the reference solution is a real omission for a practical simulation; the grading script may only be checking the ACL definition. Whatever you apply, verify it with `show ip access-lists ENT_ACL` (the match counters per entry increment as test traffic flows) and `show ip interface vlan 10` (which reports the inbound access list).

---

### Task 3: Configure security on interface Ethernet 0/0 of Sw102

**Goal:** Configure port security on `Sw102`'s `e0/0` interface, which is connected to `PC2`.

**Technical Terms:**

* **Port Security:** A Layer 2 feature on Cisco switches that limits which, and how many, MAC addresses may send traffic on a port. It protects against unauthorized devices being plugged in and against MAC flooding of the switch's address table.
* **MAC Address (Media Access Control address):** The unique identifier of a network interface (NIC) within a network segment.
* **Dynamic Learning:** The switch learns MAC addresses from the source addresses of incoming frames.
* **Maximum Number of Secure MAC Addresses:** How many distinct MAC addresses the port will accept before a violation occurs.
* **Violation Modes:** What the switch does when a frame arrives from a MAC address that is not secure after the maximum has been reached.
  * **Shutdown:** The default. The port is put into the error-disabled state and stops forwarding everything; an administrator must bring it back with `shutdown` then `no shutdown`, unless errdisable recovery is configured.
  * **Restrict:** Drops frames from the offending source, increments the violation counter and sends a syslog message (and SNMP trap); the port stays up.
  * **Protect:** Drops frames from the offending source but neither increments the counter nor logs anything; the port stays up.
* **Syslog Message:** A standard for sending log or event messages to the console, a local buffer or a central server so that administrators can monitor device activity and troubleshoot.

**Command Analysis:**

1. **`Sw102(config)# interface Ethernet 0/0`**
   * Enters interface configuration mode for `Ethernet 0/0` on `Sw102`, the port connected to `PC2`.
2. **`Sw102(config-if)# switchport mode access`**
   * Makes the interface a static access port. Port security is rejected on a port in `dynamic` (DTP-negotiated) mode, the default on many platforms, so this step is a prerequisite; it also stops the port from being negotiated into a trunk.
3. **`Sw102(config-if)# switchport port-security`**
   * Enables port security on the interface. Without this command the `port-security` parameters below are stored but inactive.
4. **`Sw102(config-if)# switchport port-security maximum 2`**
   * **Task Requirement:** "Set the maximum number of secure MAC addresses to two".
   * Allows up to two secure MAC addresses on this port. A frame from a third address triggers a violation.
5. **`Sw102(config-if)# switchport port-security violation restrict`**
   * **Task Requirement:** "Ensure that the port discards the packet, counts the number of violations and sends a syslog message".
   * Sets the violation mode to `restrict`, which matches each part of the requirement:
     * `discards the packet`: frames from unauthorized MAC addresses are dropped.
     * `counts the number of violations`: the port's violation counter increments (visible in `show port-security interface ethernet 0/0`).
     * `sends a syslog message`: a `%PORT_SECURITY-2-PSECURE_VIOLATION` message is logged to the console and/or a syslog server.
6. **`Sw102(config-if)# switchport port-security mac-address sticky`**
   * **Task Requirement:** "Allow secure MAC addresses to be learned dynamically".
   * Enables "sticky" learning, a hybrid of dynamic and static:
     * The port still *learns* MAC addresses dynamically from incoming frames, as with plain dynamic learning.
     * Each learned address is then written into the running configuration as a `switchport port-security mac-address sticky <mac>` entry, so after `write memory` it survives a reload. Without `sticky`, dynamically learned secure addresses are lost on reboot (or when the port goes down) and are relearned from whatever plugs in next.
   * Plain dynamic learning is already the default once port security is enabled, so `sticky` is not strictly required by the wording "allow secure MAC addresses to be learned dynamically"; the reference solution adds it for persistence. Sticky addresses only survive a reload if the configuration is saved after they were learned.
7. **`Sw102(config-if)# do wr`**
   * Saves the port security configuration (including any sticky addresses learned so far) to NVRAM.

---

### Summary and Best Practices for Simulation Questions

* **Read Carefully:** Pay close attention to device names, interface names, IP addresses, usernames, passwords and qualifiers such as "only Telnet", "restrict only" and "allow only".
* **Device Context:** Always know which device you are configuring (`Sw101`, `Sw103`, `Sw102`); the prompt shows it.
* **Command Syntax:** Use exact syntax; a typo makes the command fail or, worse, configures something else.
* **Order of Operations:** Some configurations have prerequisites (`switchport mode access` before `switchport port-security`), and ACL entries are matched in the order you enter them.
* **Save Configuration:** Always run `copy running-config startup-config` or `write memory` (`wr`). Unsaved configuration is lost on reload, and the grader may read the startup configuration.
* **Verify:** If time permits, check your work with `show` commands (`show running-config`, `show ip access-lists`, `show port-security interface e0/0`). Not required by the guidelines, but it catches mistakes.
* **Implicit Deny (ACLs):** Remember the implicit `deny ip any any` at the end of every ACL; traffic you want to allow must be permitted explicitly.
* **Encryption Type:** Know the difference between `password` (plain text, or reversible Type 7 after `service password-encryption`) and `secret` (one-way hash, Type 5/8/9) for user accounts and the enable password.

This breakdown should give a solid understanding of the tasks, commands and underlying networking concepts for this CCNA simulation question.
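To make the Type 7 point from Task 1 concrete, here is an added example (not part of the original page and not Cisco code) that implements the Type 7 scheme in Python: `service password-encryption` XORs each password byte with a fixed 40-byte key, starting at an offset given by the two leading decimal digits, so anyone holding the configuration can reverse it without any secret. The sample running-config is constructed; `094F471A1A0A` is a commonly cited Type 7 test vector for the password `cisco`, and the `secret 5` line carries a placeholder, not a real hash.

```python
import re
from typing import List, Tuple

# Fixed key baked into IOS for Type 7. The two leading decimal digits of a
# Type 7 string are the starting offset ("salt", 0-15) into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def _keystream(salt: int, length: int) -> bytes:
    return bytes(TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i in range(length))


def type7_encode(plaintext: str, salt: int = 0) -> str:
    """Obfuscate `plaintext` the way `service password-encryption` does:
    two-digit salt, then each byte XORed with the key stream, in uppercase hex."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be between 0 and 15")
    data = plaintext.encode("ascii")
    body = bytes(b ^ k for b, k in zip(data, _keystream(salt, len(data))))
    return f"{salt:02d}{body.hex().upper()}"


def type7_decode(encoded: str) -> str:
    """Recover the password: the same XOR undoes it, no secret needed."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string")
    salt = int(encoded[:2], 10)
    if salt > 15:
        raise ValueError("salt out of range")
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ k for b, k in zip(body, _keystream(salt, len(body)))).decode("ascii")


# Matches `password 7 <hex>` wherever it appears on a config line (username or
# line passwords). `secret` lines carry Type 5/8/9 hashes and are deliberately
# not matched: those are one-way and cannot be recovered this way.
TYPE7_LINE = re.compile(r"^\s*(?P<line>.*?\bpassword 7 (?P<hex>[0-9A-Fa-f]+))\s*$", re.M)


def recover_type7_passwords(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered password) for every Type 7 entry."""
    return [(m["line"], type7_decode(m["hex"])) for m in TYPE7_LINE.finditer(config)]


# Constructed sample running-config: Task 1 as it would look if the account had
# been created with `password` instead of `secret`. The `secret 5` value is a
# placeholder, not a real MD5 hash.
SAMPLE_CONFIG = f"""\
service password-encryption
!
username netops privilege 15 password 7 {type7_encode('ipsec4all', 3)}
enable secret 5 $1$abcd$ConstructedPlaceholderNotARealHash
!
line vty 0 4
 password 7 094F471A1A0A
 login local
 transport input telnet
"""

if __name__ == "__main__":
    for line, password in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line.strip():<55} -> {password}")
```

Running the script prints both Type 7 entries with their cleartext and skips the `secret` line, which is the practical difference between the two keywords: a configuration backup, a `show running-config` pasted into a ticket, or a TFTP capture leaks every `password 7` credential instantly, while a `secret` has to be brute-forced.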
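The following added example (not from the original page) evaluates `ENT_ACL` from Task 2 the way IOS does: the entries are parsed from the exact lines typed on Sw103, matched top down using wildcard masks, the first match wins, and anything left over hits the implicit `deny ip any any`. The test traffic is constructed; `172.16.10.20` is an assumed second VLAN 10 host and `209.165.201.1` an assumed Internet address. The last packet, sourced from VLAN 20, shows why the ACL must be applied where only VLAN 10 traffic enters: anywhere else, the implicit deny would drop the other VLAN's traffic as well.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "icmp", "tcp", "udp"
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec (any | host A | NET WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one `permit|deny PROTO SRC DST [eq PORT]` line as typed under
    `ip access-list extended`."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, src_wc, i = _addr(t, 2)
    dst, dst_wc, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)


def _wc_match(addr: int, net: int, wildcard: int) -> bool:
    """A 1 bit in the wildcard means 'don't care'; 0 bits must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number) of the first matching entry; sequence
    None means the packet fell through to the implicit `deny ip any any`."""
    src, dst = int(ipaddress.IPv4Address(pkt.src)), int(ipaddress.IPv4Address(pkt.dst))
    for seq, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wc_match(src, e.src, e.src_wc) and _wc_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, seq * 10  # IOS numbers named-ACL entries 10, 20, 30 ...
    return "deny", None


def run(acl: List[Entry], packets: List[Packet]) -> Tuple[List[str], Counter]:
    """Evaluate packets in order and count matches per entry, as the counters
    in `show ip access-lists` would."""
    verdicts, hits = [], Counter()
    for p in packets:
        action, seq = evaluate(acl, p)
        verdicts.append(action)
        hits[seq] += 1
    return verdicts, hits


# ENT_ACL exactly as entered on Sw103 in Task 2.
ENT_ACL = [parse_entry(l) for l in """
deny icmp host 172.16.10.10 host 172.16.20.10
permit tcp host 172.16.10.10 host 172.16.30.2 eq telnet
deny tcp 172.16.10.0 0.0.0.255 any eq telnet
permit ip 172.16.10.0 0.0.0.255 any
""".split("\n") if l.strip()]

# Constructed test traffic; 172.16.10.20 and 209.165.201.1 are assumed hosts.
SAMPLE_TRAFFIC = [
    Packet("172.16.10.10", "172.16.20.10", "icmp"),       # PC1 pings PC2
    Packet("172.16.10.10", "172.16.30.2", "tcp", 23),     # PC1 telnets to R1
    Packet("172.16.10.20", "172.16.30.2", "tcp", 23),     # other VLAN 10 host telnets to R1
    Packet("172.16.10.10", "172.16.20.10", "tcp", 23),    # PC1 telnets to PC2
    Packet("172.16.10.10", "209.165.201.1", "tcp", 80),   # PC1 browses the Internet
    Packet("172.16.10.10", "172.16.30.2", "icmp"),        # PC1 pings R1
    Packet("172.16.20.10", "172.16.10.10", "icmp"),       # PC2 pings PC1 (not VLAN 10 sourced)
]

if __name__ == "__main__":
    verdicts, hits = run(ENT_ACL, SAMPLE_TRAFFIC)
    for p, v in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{p.proto:<4} {p.src:>14} -> {p.dst:<14} port {p.dport:<3} {v}")
    print("matches per sequence number (None = implicit deny):", dict(hits))
```

The printout reproduces the reasoning in the Task 2 walkthrough: only the two Telnet cases and PC1's ping to PC2 are denied, PC1's HTTP and its ping to R1 fall through to sequence 40, and PC2's ping, which never matches any VLAN 10 entry, is dropped by the implicit deny.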
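An added simulation (not Cisco code and not from the original page) of how the three violation modes from Task 3 treat the same sequence of frames on Sw102 e0/0 with `maximum 2`, and of what a reload does to dynamically learned versus sticky addresses. The MAC addresses are constructed; the log strings follow the shape of the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages. The model leaves out address aging and the case where a secure address is seen on another secure port in the same VLAN.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

VALID_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    """One access port with `switchport port-security` enabled."""
    name: str
    maximum: int = 1                 # IOS default
    violation: str = "shutdown"      # IOS default
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)    # addresses currently secured
    sticky_config: List[str] = field(default_factory=list)  # lines added to running-config
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in VALID_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac: str) -> bool:
        """Handle one inbound frame; return True if the switch forwards it."""
        if self.err_disabled:
            return False                      # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # dynamic learning of a new secure address
            if self.sticky:                   # ...and, with sticky, into running-config
                self.sticky_config.append(f" switchport port-security mac-address sticky {src_mac}")
            return True
        # Maximum reached and this MAC is not secure: a violation.
        if self.violation == "protect":
            return False                      # dropped silently: no counter, no log
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return False

    def reload(self, config_saved: bool) -> None:
        """Reboot the switch. Sticky addresses survive only if `write memory` was
        run after they were learned; dynamic ones are always forgotten."""
        if not config_saved:
            self.sticky_config = []
        self.secure_macs = [line.split()[-1] for line in self.sticky_config]
        self.violation_count = 0
        self.err_disabled = False


# Constructed MAC addresses: PC2, a second legitimate device, and an intruder.
PC2_MAC, PRINTER_MAC, ROGUE_MAC = "aabb.cc00.0200", "aabb.cc00.0300", "dead.beef.0001"
FRAMES = [PC2_MAC, PRINTER_MAC, ROGUE_MAC, PC2_MAC, ROGUE_MAC, ROGUE_MAC, PC2_MAC]


def run_sw102_scenario(violation: str, sticky: bool = True) -> Tuple[SecurePort, List[bool]]:
    """Replay FRAMES against Sw102 e0/0 configured with `maximum 2` and the
    given violation mode; return the port state and the per-frame verdicts."""
    port = SecurePort("Ethernet0/0", maximum=2, violation=violation, sticky=sticky)
    return port, [port.receive(mac) for mac in FRAMES]


if __name__ == "__main__":
    for mode in VALID_MODES:
        port, forwarded = run_sw102_scenario(mode)
        print(f"{mode:<9} forwarded={forwarded} violations={port.violation_count} "
              f"err-disabled={port.err_disabled} syslog={len(port.syslog)}")
```

The run shows the operational difference that the task's wording selects for: `restrict` keeps PC2 working while counting and logging each rogue frame, `shutdown` takes PC2 offline with the intruder after the first violation, and `protect` drops the same frames as `restrict` but leaves no trace for the security team. The `reload` method shows why the reference solution adds `sticky`: without it (or without saving afterwards), a reboot forgets the learned addresses and the port re-secures whatever talks first.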
---

**Japanese explanation (translated to English)**
Welcome to the world of Cisco! As a first step toward becoming a network engineer, this hands-on (simulation) question is very important. It packs together three basic techniques used every day in network operations: **user management**, **traffic restriction (ACLs)** and **port security**. Each task is explained below in a way that a beginner can follow.

---

### 💡 Glossary

Let's sort out the important terms that appear in the explanation.

* **VTY (Virtual Teletype):** The virtual "entrances" used to log in to a router or switch remotely.
* **ACL (Access Control List):** The network's gatekeeper. It decides which traffic is let through and which is refused.
* **ICMP:** The protocol used by commands such as `ping` to check whether communication works.
* **Port Security:** A switch feature that prevents unauthorized PCs from being connected to a physical port.
* **Sticky MAC:** A convenient feature that automatically remembers the MAC address (the device's unique hardware number) of a connected PC and writes it into the configuration.

---

### 🛠 Task 1: User account and remote management on Sw101

This task lets only a specific user log in via Telnet (remote access).

#### Commands and explanation

1. **`username netops privilege 15 secret ipsec4all`**
   * **Explanation:** Creates a user named `netops`. `privilege 15` means the highest privilege (the mode in which the configuration can be changed). `secret` stores the password in hashed form.
2. **`line vty 0 4`**
   * **Explanation:** Enters configuration mode for the virtual login lines (numbers 0 to 4, five in total).
3. **`login local`**
   * **Explanation:** Tells the switch "when someone logs in, authenticate against the local user list (netops) we just created".
4. **`transport input telnet`**
   * **Explanation:** Restricts these lines to Telnet only (SSH and other protocols are refused).
5. **`service password-encryption`**
   * **Explanation:** Obscures every plaintext password in the configuration file so that it cannot be read at a glance. (This produces Type 7 strings, which are reversible, so it is no substitute for `secret`.)

---

### 🛠 Task 2: Access list (ACL) on Sw103

Fine-grained control of "who communicates with where, and how". The rule for ACLs is that they are **checked from top to bottom**.

#### Commands and explanation

1. **`ip access-list extended ENT_ACL`**
   * **Explanation:** Creates an extended access list named `ENT_ACL`. An extended list can match not only the source but also the destination and the kind of traffic (ping, web and so on).
2. **`deny icmp host 172.16.10.10 host 172.16.20.10`**
   * **Explanation:** Blocks `ping` (ICMP) from PC1 to PC2.
3. **`permit tcp host 172.16.10.10 host 172.16.30.2 eq telnet`**
   * **Explanation:** Specifically allows Telnet (port 23) from PC1 to R1, and nothing else.
4. **`deny tcp 172.16.10.0 0.0.0.255 any eq telnet`**
   * **Explanation:** Blocks Telnet from every other device in VLAN 10.
5. **`permit ip 172.16.10.0 0.0.0.255 any`**
   * **Explanation:** Allows all other normal traffic (web browsing and so on).
   * *Note:* Every ACL ends with a hidden rule that says "deny everything else", so the point is to put this permit entry last.

---

### 🛠 Task 3: Port security on Sw102

This configuration blocks traffic and notifies the administrator when an unknown PC is connected without permission.

#### Commands and explanation

1. **`interface Ethernet 0/0`** → **`switchport mode access`**
   * **Explanation:** Selects the target port and sets it to access mode for connecting a PC. Port security cannot be enabled unless this is done.
2. **`switchport port-security`**
   * **Explanation:** Turns port security on for that port.
3. **`switchport port-security maximum 2`**
   * **Explanation:** Limits the number of devices that may be connected to this port at the same time to two.
4. **`switchport port-security violation restrict`**
   * **Explanation:** Specifies what happens on a violation (a third device connected, and so on). `restrict` is the best-balanced mode: it blocks the traffic, writes a log entry and counts the violations.
5. **`switchport port-security mac-address sticky`**
   * **Explanation:** The switch automatically learns the MAC addresses of the first PCs connected and saves them to the configuration, so you do not have to register them one by one.

---

### 📝 One last important point

In Cisco exams and in practice, after finishing the configuration always run **`do write`** or **`copy running-config startup-config`** to save the configuration (write it to NVRAM). If you forget, the configuration disappears on reboot and you will not score on the exam either.

This question is a good one that packs together the basics of security. Practice while thinking about what each command is *for*. Good luck!
---

**Traditional Chinese explanation (translated to English)**
Hello! I am a Cisco technical specialist, and I am glad to walk you through this CCNA hands-on simulation question. It covers three basic and important aspects of network device management: **user access control**, **traffic filtering (ACLs)** and **switch port security**.

Questions of this kind put a premium on precision in the exam, so let's break the tasks down step by step in plain language.

---

### Task 1: Local user account and access restrictions on Sw101

The goal of this task is to let an administrator log in to the switch via Telnet, and only with the account we specify.

#### Analysis and commands:

1. **Create the user account:**
   ```bash
   Sw101(config)# username netops privilege 15 secret ipsec4all
   ```
   * **Explanation:** Creates a user called `netops`. `privilege 15` gives the highest "administrator privilege (privileged EXEC mode)". `secret` stores the password as a hash.
2. **Configure the remote login lines (VTY):**
   ```bash
   Sw101(config)# line vty 0 4
   Sw101(config-line)# login local
   Sw101(config-line)# transport input telnet
   ```
   * **Explanation:** `line vty 0 4` opens five virtual lines for remote login. `login local` tells the switch "check the local account database we just created when someone logs in". `transport input telnet` allows Telnet only and disables the more secure SSH (as the question requires).
3. **Encrypt all plaintext passwords:**
   ```bash
   Sw101(config)# service password-encryption
   ```
   * **Explanation:** A good habit: it turns every unencrypted password in the configuration file into an obscured string so that it cannot be read at a glance.

---

### Task 2: Named ACL on Sw103

An ACL is like a blacklist and whitelist that decides which packets may pass and which are dropped. This task calls for a **named extended ACL**, because we need to filter specific protocols (ping and Telnet).

#### Analysis and commands:

1. **Enter ACL configuration mode:**
   ```bash
   Sw103(config)# ip access-list extended ENT_ACL
   ```
2. **Rule 1: Forbid PC1 from pinging PC2**
   ```bash
   Sw103(config-ext-nacl)# deny icmp host 172.16.10.10 host 172.16.20.10
   ```
3. **Rule 2: Allow only PC1 to Telnet to R1**
   ```bash
   Sw103(config-ext-nacl)# permit tcp host 172.16.10.10 host 172.16.30.2 eq telnet
   ```
4. **Rule 3: Forbid the other devices in VLAN 10 from using Telnet**
   ```bash
   Sw103(config-ext-nacl)# deny tcp 172.16.10.0 0.0.0.255 any eq telnet
   ```
5. **Rule 4: Allow all other traffic from VLAN 10**
   ```bash
   Sw103(config-ext-nacl)# permit ip 172.16.10.0 0.0.0.255 any
   ```

> **Expert note:** The order of ACL entries matters a great deal! They are compared from top to bottom, and once an entry matches, the rest are not consulted. That is why the specific entry (PC1) is written first and the broad one (the whole subnet) last.

---

### Task 3: Port security on Ethernet 0/0 of Sw102

This prevents someone from unplugging a company PC and plugging in their own laptop.

#### Analysis and commands:

1. **Set the port mode:**
   ```bash
   Sw102(config)# interface Ethernet 0/0
   Sw102(config-if)# switchport mode access
   ```
   * **Explanation:** Port security only runs on ports in access mode.
2. **Enable the feature and limit the count:**
   ```bash
   Sw102(config-if)# switchport port-security
   Sw102(config-if)# switchport port-security maximum 2
   ```
   * **Explanation:** First turn the feature on, then restrict this port to "at most 2 MAC addresses (two devices)".
3. **Set the violation action:**
   ```bash
   Sw102(config-if)# switchport port-security violation restrict
   ```
   * **Explanation:** The question asks to "drop the packet, count it and send a warning". `restrict` mode does exactly that.
4. **Learn MAC addresses automatically:**
   ```bash
   Sw102(config-if)# switchport port-security mac-address sticky
   ```
   * **Explanation:** `sticky` automatically captures the MAC address of whatever is plugged in and writes it straight into the configuration, so the administrator need not type it in by hand.

---

### Glossary of technical terms

1. **VTY (Virtual Teletype):** The switch's virtual lines, used for remote management logins (Telnet or SSH).
2. **Privilege Level 15:** The highest privilege level on Cisco devices; every command is available.
3. **ICMP (Internet Control Message Protocol):** The protocol most often used by `ping` to test whether the network is reachable.
4. **Wildcard Mask:** For example `0.0.0.255`. In an ACL it is the inverse of a subnet mask: a 0 bit means "must match", a 1 bit (255 for a whole octet) means "don't care".
5. **MAC Address (Media Access Control address):** The unique hardware identity of a network card, assigned at manufacture.
6. **Syslog:** The logging system a device uses to record what has happened.
7. **NVRAM:** Non-volatile random access memory. After `write` or `copy run start`, this is where the configuration is stored permanently; it survives a power loss.

---

**Final reminder:** After completing all the configuration, be sure to run `do wr` (write memory); otherwise everything you worked on is lost when the device reboots, and you will lose marks on the exam! I hope this walkthrough helps you understand network security and management better. Keep it up!
---

**Simplified Chinese explanation (translated to English)**
Hello! I am a technical specialist from Cisco, and I am happy to walk you through this CCNA hands-on question.

It covers the three most important parts of a network engineer's daily work: **user management (the basis of AAA)**, **traffic control (ACL access control lists)** and **access-layer security (port security)**.

I will take the three tasks apart and explain, as plainly as possible, what each command means.

---

### Task 1: Configure a remote login account (Telnet) on Sw101

**Scenario:** We need to open a door (Telnet) for the administrator (netops) so that he can manage the switch remotely, but he may only enter with a password, and he must be given full privileges.

#### Command analysis:

1. **`username netops privilege 15 secret ipsec4all`**
   * **In plain words:** Creates a user called `netops`, gives him the highest privilege (level 15), sets his password to `ipsec4all` and stores it as a strong hash (`secret`).
2. **`line vty 0 4`**
   * **In plain words:** Enters "virtual line" configuration mode. `0 4` means five people (lines 0, 1, 2, 3 and 4) may connect at the same time.
3. **`login local`**
   * **In plain words:** Tells the switch: "when someone logs in, check the user list we just created locally".
4. **`transport input telnet`**
   * **In plain words:** This door may only be entered with the Telnet protocol; SSH and other methods are not allowed.
5. **`service password-encryption`**
   * **In plain words:** A "safe box" feature. It turns every password shown in plain text in the configuration (such as line passwords) into an unreadable string, so that onlookers cannot read it.

---

### Task 2: Configure the named ACL (ENT_ACL) on Sw103

**Scenario:** An ACL (access control list) is like a security checklist. Sw103 stands at the intersection and inspects every packet passing through; only those that match the rules are let through.

#### Command analysis:

1. **`ip access-list extended ENT_ACL`**
   * **Term - Extended ACL:** It can precisely control "who (source IP)" goes "where (destination IP)" and "does what (protocol/port)".
   * **In plain words:** We create an advanced checklist named `ENT_ACL`.
2. **`deny icmp host 172.16.10.10 host 172.16.20.10`**
   * **Term - ICMP:** The protocol used by the familiar `ping` command.
   * **In plain words:** Forbid PC1 (172.16.10.10) from pinging PC2 (172.16.20.10).
3. **`permit tcp host 172.16.10.10 host 172.16.30.2 eq telnet`**
   * **In plain words:** Allow PC1 (172.16.10.10) to connect to the Telnet service on R1 (172.16.30.2).
4. **`deny tcp 172.16.10.0 0.0.0.255 any eq telnet`**
   * **Term - Wildcard Mask:** `0.0.0.255` matches every IP whose first three octets are the same (the whole VLAN 10 subnet).
   * **In plain words:** Apart from PC1, forbid every other device in the VLAN 10 subnet from Telnetting anywhere.
5. **`permit ip 172.16.10.0 0.0.0.255 any`**
   * **Important rule:** An ACL ends with an implicit "deny all". Without this line, all other traffic from VLAN 10 (web browsing and so on) would be cut off.
   * **In plain words:** Apart from the restrictions above, let all other traffic from VLAN 10 through.

---

### Task 3: Configure port security on Sw102

**Scenario:** Prevent someone from unplugging a cable and connecting their own computer, or connecting several devices to one port. We lock down Ethernet 0/0.

#### Command analysis:

1. **`interface Ethernet 0/0`** -> **`switchport mode access`**
   * **In plain words:** Enter interface E0/0 and force it into access mode (a prerequisite for enabling port security).
2. **`switchport port-security`**
   * **In plain words:** Formally turn on the "guard" feature for this port on this device.
3. **`switchport port-security maximum 2`**
   * **In plain words:** This port recognizes "at most" 2 identities (MAC addresses).
4. **`switchport port-security violation restrict`**
   * **Term - Violation Restrict:** When a third, unknown device intrudes, drop its data, record the violation count and send a warning message (syslog), but do not shut the whole port down as `shutdown` mode would.
5. **`switchport port-security mac-address sticky`**
   * **Term - Sticky MAC address:**
   * **In plain words:** An "auto-remember" feature. The switch automatically remembers the addresses of the first two computers plugged in and writes them into the configuration file, so that after a reboot it still knows they are "ours".

---

### Expert reminder:

After configuring a Cisco device, make it a habit to enter **`do write`** or **`copy running-config startup-config`**; otherwise, as soon as the device loses power, all the configuration you worked so hard on is gone!

I hope this analysis helps you master the CCNA topics more easily. Keep it up!