Set up the ACL. Following the proximity principle (an advanced ACL is applied close to the source), the configuration goes on AR1's g0/0/0 interface. For PC1: with AR1 as the destination, ICMP from PC1 must be denied; with AR2 as the destination, TCP from PC1 must be denied. PC2 is configured on the same principle as PC1.
Configuration
Interfaces
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
[AR1-GigabitEthernet0/0/1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
[AR2]ip route-static 192.168.1.0 24 192.168.2.1
[PC1]int g0/0/0
[PC1-GigabitEthernet0/0/0]ip add 192.168.1.10 24
[PC1]ip route-static 0.0.0.0 0 192.168.1.1
[PC2]int g0/0/0
[PC2-GigabitEthernet0/0/0]ip add 192.168.1.11 24
[PC2]ip route-static 0.0.0.0 0 192.168.1.1
Enable Telnet
[AR1]aaa
[AR1-aaa]local-user zzq privilege level 15 password cipher 123456
[AR1-aaa]local-user zzq service-type telnet
[AR1]user-interface vty 0
[AR1-ui-vty0]authentication-mode aaa
[AR2]aaa
[AR2-aaa]local-user zzq privilege level 15 password cipher 123456
[AR2-aaa]local-user zzq service-type telnet
[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]authentication-mode aaa
Create the ACL
[AR1]acl 3000
[AR1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.1.1 0.0.0.0
[AR1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.2.1 0.0.0.0
[AR1-acl-adv-3000]rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
[AR1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.1.1 0.0.0.0 destination-port eq 23
[AR1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
[AR1-acl-adv-3000]rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Test results
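As an added check that is not part of the original lab notes, the following Python model transcribes ACL 3000 from above and evaluates the flows a tester would try from PC1 and PC2 against it. It is not Huawei code; it assumes the VRP semantics this lab relies on: rules match top-down, a wildcard of 0.0.0.0 means exactly one host, and a packet matching no rule is permitted by traffic-filter's implicit permit.

```python
import ipaddress

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 1 bit means 'ignore this bit'; 0.0.0.0 is one host."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)

# ACL 3000 transcribed from the lab: (action, proto, src, src_wc, dst, dst_wc, dst_port)
ACL_3000 = [
    ("deny", "icmp", "192.168.1.10", "0.0.0.0", "192.168.1.1", "0.0.0.0", None),
    ("deny", "icmp", "192.168.1.10", "0.0.0.0", "192.168.2.1", "0.0.0.0", None),
    ("deny", "tcp",  "192.168.1.10", "0.0.0.0", "192.168.2.2", "0.0.0.0", 23),
    ("deny", "tcp",  "192.168.1.11", "0.0.0.0", "192.168.1.1", "0.0.0.0", 23),
    ("deny", "tcp",  "192.168.1.11", "0.0.0.0", "192.168.2.1", "0.0.0.0", 23),
    ("deny", "icmp", "192.168.1.11", "0.0.0.0", "192.168.2.2", "0.0.0.0", None),
]

def acl_lookup(rules, proto, src, dst, dport=None):
    """First matching rule wins; no match -> traffic-filter's implicit permit (assumed)."""
    for action, r_proto, r_src, r_swc, r_dst, r_dwc, r_port in rules:
        if r_proto != proto:
            continue
        if not wildcard_match(src, r_src, r_swc) or not wildcard_match(dst, r_dst, r_dwc):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "permit"

def lab_results():
    """Flows from PC1 (.10) and PC2 (.11) as seen inbound on AR1 g0/0/0; returns flow -> action."""
    flows = {  # constructed test flows, not from the page
        "PC1 ping AR1":   ("icmp", "192.168.1.10", "192.168.1.1", None),
        "PC1 ping AR2":   ("icmp", "192.168.1.10", "192.168.2.2", None),
        "PC1 telnet AR1": ("tcp",  "192.168.1.10", "192.168.1.1", 23),
        "PC1 telnet AR2": ("tcp",  "192.168.1.10", "192.168.2.2", 23),
        "PC2 ping AR1":   ("icmp", "192.168.1.11", "192.168.1.1", None),
        "PC2 ping AR2":   ("icmp", "192.168.1.11", "192.168.2.2", None),
        "PC2 telnet AR1": ("tcp",  "192.168.1.11", "192.168.1.1", 23),
        "PC2 telnet AR2": ("tcp",  "192.168.1.11", "192.168.2.2", 23),
    }
    return {name: acl_lookup(ACL_3000, *pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for flow, action in lab_results().items():
        print(f"{flow:16s} -> {action}")
```

The output matrix is what a ping and telnet test from each PC should reproduce; any flow not named in a deny rule (PC1 telnet to AR1, PC1 ping to AR2, and the mirror cases for PC2) passes.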