I. Lab topology
(The topology figure is not included on this page. From the addresses configured in step 1: PC1 192.168.1.10/24 and PC2 192.168.1.11/24 share the 192.168.1.0/24 segment behind R1 G0/0/0 (192.168.1.1/24); R1 G0/0/1 (192.168.2.1/24) connects to R2 G0/0/0 (192.168.2.2/24).)
II. Lab requirements
1. PC1 can Telnet to R1 but cannot ping R1; PC1 can ping R2 but cannot Telnet to R2.
2. PC2 is the opposite of PC1: it can ping R1 but cannot Telnet to R1, and can Telnet to R2 but cannot ping R2.
III. Approach
1. Configure the IP address of every interface.
2. Configure default/static routes on PC1, PC2 and R2 so that the whole network is reachable.
3. Choose the ACL type: the requirements match on source, destination, protocol and destination port, so an advanced ACL (number range 3000-3999) is needed; a basic ACL only matches source addresses.
4. Enable Telnet on R1 and R2 first, so the baseline (everything reachable) can be verified before any filtering is applied.
5. Write the ACL on R1 (the "closest to the source" principle: an advanced ACL is placed on the device nearest the traffic source, here R1's G0/0/0 facing the PCs, so denied traffic is dropped before it crosses the network).
6. Test the results.
IV. Lab steps
1. Configure IP addresses
[R1] int g0/0/0
[R1-GigabitEthernet0/0/0] ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0] int g0/0/1
[R1-GigabitEthernet0/0/1] ip add 192.168.2.1 24
[R2] int g0/0/0
[R2-GigabitEthernet0/0/0] ip add 192.168.2.2 24
[PC1] int g0/0/0
[PC1-GigabitEthernet0/0/0] ip add 192.168.1.10 24
[PC2] int g0/0/0
[PC2-GigabitEthernet0/0/0] ip add 192.168.1.11 24
2. Configure default routes
[R2] ip route-static 192.168.2.0 24 192.168.2.1
[R2] ip route-static 192.168.1.0 24 192.168.2.1
[PC1] ip route-static 0.0.0.0 0 192.168.1.1
[PC2] ip route-static 0.0.0.0 0 192.168.1.1
(The last digit of the next hop in the two R2 routes is cut off in the source; 192.168.2.1, R1's G0/0/1, is the only next hop R2 can reach toward 192.168.1.0/24, so it is shown here. The first R2 route is redundant, since 192.168.2.0/24 is directly connected to R2; only the route to 192.168.1.0/24 is needed for R2 to answer the PCs.)
3. Enable Telnet
[R1] aaa
[R1-aaa] local-user DDD privilege level 15 password cipher 123456
[R1-aaa] local-user DDD service-type telnet
[R1] user-interface vty 0 4
[R1-ui-vty0-4] authentication-mode aaa
[R2] aaa
[R2-aaa] local-user FFF privilege level 15 password cipher 654321
Info: Add a new user.
[R2-aaa] local-user FFF service-type telnet
[R2] user-interface vty 0 4
[R2-ui-vty0-4] authentication-mode aaa
(Telnet carries these credentials in cleartext; that is acceptable on an isolated lab topology, but on a real device SSH should be used for management access.)
4. Write the ACL rules
[R1] acl 3000
[R1-acl-adv-3000] rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.2.1 0.0.0.0
[R1-acl-adv-3000] rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.1.1 0.0.0.0
[R1-acl-adv-3000] rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000] rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000] rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.1.1 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000] rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
Rules are evaluated top-down and the first match wins. The first two rules deny ICMP from PC1 to both of R1's addresses (192.168.1.1 and 192.168.2.1), so PC1 cannot ping R1 on either interface while its Telnet (TCP) still passes. The third rule denies only TCP port 23 from PC1 to R2, so PC1 can still ping R2. The last three rules mirror this for PC2. Traffic that matches no rule (PC1 to R2 ICMP, PC2 to R1 ICMP, PC1 Telnet to R1, PC2 Telnet to R2) is permitted by default. The page shows only the rule definitions; on VRP an ACL filters nothing until it is bound to an interface, which for this design is done under R1's G0/0/0 with traffic-filter inbound acl 3000.
5. Test results
PC1 can Telnet to R1 but cannot ping R1.
PC1 can ping R2 but cannot Telnet to R2.
PC2 cannot Telnet to R1 but can ping R1.
PC2 cannot ping R2 but can Telnet to R2.
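The following is an added example, not code from the original page: a small Python model of ACL 3000 that evaluates the eight checks of step 5 against the six rules of step 4, so a rule set can be reasoned about before it is typed on the router. It implements VRP wildcard matching (a 0 bit must match, a 1 bit is "don't care") and first-match semantics, and assumes the ACL is bound inbound on R1 G0/0/0 and that unmatched traffic is permitted (the traffic-filter default). The names `Rule`, `acl_decision`, `can_ping`, `can_telnet` and `result_matrix` belong to this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One 'rule deny/permit ...' line of an advanced ACL (example model)."""
    action: str                   # "deny" or "permit"
    proto: str                    # "icmp", "tcp" or "ip" (any protocol)
    src: str                      # source address
    src_wc: str                   # source wildcard: 0 bit = must match, 1 bit = don't care
    dst: str                      # destination address
    dst_wc: str                   # destination wildcard
    dport: Optional[int] = None   # destination-port eq <n>; None = any port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare addr to base on the bits the wildcard marks as significant (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not wildcard_match(src, rule.src, rule.src_wc):
        return False
    if not wildcard_match(dst, rule.dst, rule.dst_wc):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def acl_decision(rules: List[Rule], proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
    """First matching rule wins; with no match a traffic-filter permits (VRP default, assumed)."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "permit"


# The six rules of acl 3000 as written on R1 in step 4.
ACL_3000 = [
    Rule("deny", "icmp", "192.168.1.10", "0.0.0.0", "192.168.2.1", "0.0.0.0"),
    Rule("deny", "icmp", "192.168.1.10", "0.0.0.0", "192.168.1.1", "0.0.0.0"),
    Rule("deny", "tcp",  "192.168.1.10", "0.0.0.0", "192.168.2.2", "0.0.0.0", 23),
    Rule("deny", "tcp",  "192.168.1.11", "0.0.0.0", "192.168.2.1", "0.0.0.0", 23),
    Rule("deny", "tcp",  "192.168.1.11", "0.0.0.0", "192.168.1.1", "0.0.0.0", 23),
    Rule("deny", "icmp", "192.168.1.11", "0.0.0.0", "192.168.2.2", "0.0.0.0"),
]

# Assumption: the ACL is bound inbound on R1 G0/0/0, so every packet a PC sends
# is evaluated once, whichever router address it is addressed to.
R1_ADDRS = ("192.168.1.1", "192.168.2.1")   # both of R1's interfaces
R2_ADDRS = ("192.168.2.2",)
PC1, PC2 = "192.168.1.10", "192.168.1.11"


def can_ping(src: str, router_addrs) -> bool:
    """True only if ICMP to every address of the router is permitted."""
    return all(acl_decision(ACL_3000, "icmp", src, a) == "permit" for a in router_addrs)


def can_telnet(src: str, router_addrs) -> bool:
    """True only if TCP/23 to every address of the router is permitted."""
    return all(acl_decision(ACL_3000, "tcp", src, a, 23) == "permit" for a in router_addrs)


def result_matrix() -> dict:
    """The eight checks of step 5, evaluated against the rule set."""
    return {
        "pc1_telnet_r1": can_telnet(PC1, R1_ADDRS),
        "pc1_ping_r1":   can_ping(PC1, R1_ADDRS),
        "pc1_ping_r2":   can_ping(PC1, R2_ADDRS),
        "pc1_telnet_r2": can_telnet(PC1, R2_ADDRS),
        "pc2_telnet_r1": can_telnet(PC2, R1_ADDRS),
        "pc2_ping_r1":   can_ping(PC2, R1_ADDRS),
        "pc2_ping_r2":   can_ping(PC2, R2_ADDRS),
        "pc2_telnet_r2": can_telnet(PC2, R2_ADDRS),
    }


if __name__ == "__main__":
    for name, allowed in result_matrix().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Running the block prints the eight results, matching step 5. The same model is useful when a rule is changed, for example widening a wildcard from 0.0.0.0 to 0.0.0.255: re-running the matrix shows immediately which of the other checks the broader rule would break.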