Baseline: AR1 GE 0/0/1 192.168.1.1 24
GE 0/0/0 192.168.2.1 24
AR2 GE 0/0/0 192.168.2.2 24
PC1 192.168.1.2 24
PC2 192.168.1.3 24
Full reachability across the network is required.
1: Configure Telnet on R1 and R2
[r1]aaa
[r1-aaa]local-user ltt privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user ltt service-type telnet
[r1-aaa]q
[r1]user-interface vty 0 4
[r1-ui-vty0-4]authentication-mode aaa
[r1-ui-vty0-4]
2: Configure an ACL on R1
Block PC2 from logging in to R1 over Telnet
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq 23
Block PC1 from pinging R1
[r1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.1.1 0
Apply ACL 3000 inbound on R1 interface GE0/0/1
[r1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
3: Configure an ACL on R2
Block PC1 from logging in to R2 over Telnet
[r2]acl 3001
[r2-acl-adv-3001]rule deny tcp source 192.168.1.2 0 destination 192.168.2.2 0 destination-port eq 23
Block PC2 from pinging R2
[r2-acl-adv-3001]rule deny icmp source 192.168.1.3 0 destination 192.168.2.2 0
Apply ACL 3001 inbound on R2 interface GE0/0/0
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3001
#
<r1>display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq telnet (6 matches)
rule 10 deny icmp source 192.168.1.2 0 destination 192.168.1.1 0 (5 matches)
<r2>display acl 3001
Advanced ACL 3001, 2 rules
Acl's step is 5
rule 5 deny tcp source 192.168.1.2 0 destination 192.168.2.2 0 destination-port eq telnet (45 matches)
rule 10 deny icmp source 192.168.1.3 0 destination 192.168.2.2 0 (5 matches)
!!!! ACL extended configuration lab 2.0 !!!!
ACL 3001 is not needed at all. All of the rules in 3001 can be added to ACL 3000 instead, and then no ACL has to be applied on R2's GE0/0/0 interface. If PC1 then tries to log in to R2, R1 can already drop that traffic at its GE0/0/1 interface, so it never consumes bandwidth on the link between R1 and R2.
Details:
<r1>display acl 3000
Advanced ACL 3000, 4 rules
Acl's step is 5
rule 5 deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq telnet
rule 10 deny icmp source 192.168.1.2 0 destination 192.168.1.1 0
rule 15 deny tcp source 192.168.1.2 0 destination 192.168.2.2 0 destination-port eq telnet (3 matches)
rule 20 deny icmp source 192.168.1.3 0 destination 192.168.2.2 0 (10 matches)
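To check what the consolidated ACL 3000 does to each of the four test flows without a lab, here is a small Python model of the advanced-ACL match logic (added example, not VRP code or anything from this lab): it parses the rule lines exactly as `display acl` prints them, applies Huawei wildcard-mask semantics (a bare 0 means exact host match) and takes the lowest-numbered matching rule. It assumes that traffic matching no rule is permitted by `traffic-filter`, which is the default behaviour on this platform.

```python
import ipaddress

# Port keywords as printed by `display acl`; constructed lookup, extend as needed.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}

# The four rules of the consolidated ACL 3000 (copied from the display output above).
ACL_3000 = [
    "rule 5 deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq telnet",
    "rule 10 deny icmp source 192.168.1.2 0 destination 192.168.1.1 0",
    "rule 15 deny tcp source 192.168.1.2 0 destination 192.168.2.2 0 destination-port eq telnet",
    "rule 20 deny icmp source 192.168.1.3 0 destination 192.168.2.2 0",
]

def parse_rule(line):
    """Parse one `rule ...` line of an advanced ACL into a dict."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3]}
    i = 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            # VRP prints a 0.0.0.0 wildcard as a bare "0" (exact host match)
            wc = "0.0.0.0" if t[i + 2] == "0" else t[i + 2]
            rule[t[i]] = (t[i + 1], wc)
            i += 3
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            rule["dport"] = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
            i += 3
        else:
            i += 1
    return rule

def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must match exactly."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)

def evaluate(acl_lines, proto, src, dst, dport=0):
    """Lowest matching rule id wins; unmatched traffic is permitted by traffic-filter (assumed default)."""
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if rule["proto"] != proto:
            continue
        if "source" in rule and not wildcard_match(src, *rule["source"]):
            continue
        if "destination" in rule and not wildcard_match(dst, *rule["destination"]):
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["action"], rule["id"]
    return "permit", None
```

Running `evaluate(ACL_3000, "tcp", "192.168.1.2", "192.168.2.2", 23)` returns `("deny", 15)`, the PC1-to-R2 Telnet case that rule 15 now catches on R1, while PC1 Telnet to R1 and PC2 ping to R1 still fall through to permit.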