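I. Lab Topology
II. Lab Requirements
1. PC1 can Telnet to R1 but cannot ping R1
2. PC1 cannot Telnet to R2 but can ping R2
3. PC2 cannot Telnet to R1 but can ping R1
4. PC2 can Telnet to R2 but cannot ping R2
5. Full network reachability
III. Analysis, Approach, Steps and Configuration
1. Configure IP addresses to achieve full network reachability
Because routers are used to simulate the PCs, a gateway must be configured on each router that simulates a PC
Configure routing on R2 so that the whole network is reachable
(1) Configure R1's IP addresses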
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.1 24
(2) Configure R2's IP address
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]ip route-static 192.168.1.0 24 192.168.2.1
(3) Configure PC1's IP address
[PC1]interface GigabitEthernet0/0/0
[PC1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[PC1-GigabitEthernet0/0/0]quit
[PC1]ip route-static 0.0.0.0 0 192.168.1.254
(4) Configure PC2's IP address
[PC2]interface GigabitEthernet0/0/0
[PC2-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[PC2-GigabitEthernet0/0/0]quit
[PC2]ip route-static 0.0.0.0 0 192.168.1.254
(5) Test
PC1 pings R1
PC2 pings R2
2. Because the hosts need to Telnet to R1 and R2, the Telnet service must be configured on R1 and R2
(1) Configure the Telnet service on R1
[R1]aaa
[R1-aaa]local-user yi privilege level 15 password cipher yi12345
[R1-aaa]local-user yi service-type telnet
[R1-aaa]quit
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
(2) Configure the Telnet service on R2
[R2]aaa
[R2-aaa]local-user xing privilege level 15 password cipher xing12345
[R2-aaa]local-user xing service-type telnet
[R2-aaa]quit
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
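(3) Test
PC1 Telnets to R2
PC2 Telnets to R1
3. Because PC1 must not ping R1 or Telnet to R2, and PC2 must not Telnet to R1 or ping R2, an ACL must be configured on R1 or R2.
Whichever router the ACL is configured on, the rules are applied on that router's inbound or outbound interface (and can only be applied on one interface)
(1) PC1 cannot ping R1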
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.1 0.0.0.0 destination 192.168.1.254 0.0.0.0
[R1-acl-adv-3000]rule deny icmp source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
(2) PC1 cannot Telnet to R2
[R1-acl-adv-3000]rule deny tcp source 192.168.1.1 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
(3) PC2 cannot Telnet to R1
[R1-acl-adv-3000]rule deny tcp source 192.168.1.2 0.0.0.0 destination 192.168.1.254 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.2 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
(4) PC2 cannot ping R2
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 192.168.2.2 0.0.0.0
(5) Apply the rules on R1's inbound interface
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
(6) Apply the rules on R1's outbound interface
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
IV. Testing the Lab Results
(1) PC1 cannot ping R1
(2) PC1 cannot Telnet to R2
(3) PC2 cannot Telnet to R1
(4) PC2 cannot ping R2
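As a check on ACL 3000, the following Python sketch (an added example, not part of the original lab) parses the six rules configured above and evaluates the eight flows from section II against them, covering both of R1's addresses. It assumes that traffic matching no rule is permitted, which the allowed flows in this lab depend on; the function names are hypothetical.

```python
import ipaddress

# The six ACL 3000 rules, copied from the lab configuration above.
ACL_3000 = """\
rule deny icmp source 192.168.1.1 0.0.0.0 destination 192.168.1.254 0.0.0.0
rule deny icmp source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
rule deny tcp source 192.168.1.1 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
rule deny tcp source 192.168.1.2 0.0.0.0 destination 192.168.1.254 0.0.0.0 destination-port eq 23
rule deny tcp source 192.168.1.2 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
rule deny icmp source 192.168.1.2 0.0.0.0 destination 192.168.2.2 0.0.0.0
"""

def parse_rule(line):
    """Turn one 'rule <action> <proto> source ... destination ...' line into a dict."""
    t = line.split()
    rule = {"action": t[1], "proto": t[2], "port": None}
    rule["src"] = (t[t.index("source") + 1], t[t.index("source") + 2])
    rule["dst"] = (t[t.index("destination") + 1], t[t.index("destination") + 2])
    if "destination-port" in t:
        rule["port"] = int(t[t.index("destination-port") + 2])  # only 'eq' handled
    return rule

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(rules, proto, src, dst, port=None):
    """First matching rule decides; no match falls through to permit (assumption)."""
    for r in rules:
        if (r["proto"] == proto and wildcard_match(src, *r["src"])
                and wildcard_match(dst, *r["dst"])
                and (r["port"] is None or r["port"] == port)):
            return r["action"]
    return "permit"

RULES = [parse_rule(l) for l in ACL_3000.splitlines() if l.strip()]
PC1, PC2, R1, R2 = "192.168.1.1", "192.168.1.2", ["192.168.1.254", "192.168.2.1"], ["192.168.2.2"]

def check_requirements(rules):
    """Return the flows whose ACL verdict disagrees with the requirements in section II."""
    want = [(PC1, R1, "tcp", "permit"), (PC1, R1, "icmp", "deny"),
            (PC1, R2, "tcp", "deny"), (PC1, R2, "icmp", "permit"),
            (PC2, R1, "tcp", "deny"), (PC2, R1, "icmp", "permit"),
            (PC2, R2, "tcp", "permit"), (PC2, R2, "icmp", "deny")]
    return [(s, d, p, v) for s, dsts, p, v in want for d in dsts
            if evaluate(rules, p, s, d, 23 if p == "tcp" else None) != v]

print(check_requirements(RULES) or "ACL 3000 satisfies all eight requirements")
```

An empty result means every flow gets the verdict section II asks for. Removing the rule for 192.168.2.1 makes the checker report that PC1 can still ping R1 through its other interface address, which is why the lab writes each R1 rule twice.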