Lab topology diagram:
Approach: configure the IP addresses first. PC1 and PC2 only need a default gateway to act as clients, and R2 needs a static route to 192.168.1.0/24; after that the whole network is reachable. Then enable the Telnet service on R1 and R2 (Telnet carries the username and password in cleartext; it is used here only because the exercise calls for it, and on production equipment STelnet, i.e. SSH, should be used instead). Because the filtering requirements are fine-grained (specific source, destination and port), use an advanced (extended) ACL, numbered 3000-3999, and apply it as close to the source as possible, that is inbound on R1's G0/0/0 interface. Note that with traffic-filter on VRP a packet that matches no rule is permitted, so the ACL is a blacklist: everything not explicitly denied still passes.
Configuration on R1:
[R1]aaa
[R1-aaa]local-user xiao privilege level 15 password cipher 123456
[R1-aaa]local-user xiao service-type telnet
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1]acl 3000
[R1-acl-adv-3000]rule 5 deny icmp source 192.168.1.1 0 destination 192.168.1.3 0
[R1-acl-adv-3000]rule 10 deny icmp source 192.168.1.1 0 destination 192.168.2.1 0
[R1-acl-adv-3000]rule 15 deny tcp source 192.168.1.2 0 destination 192.168.1.3 0 destination-port eq telnet
[R1-acl-adv-3000]rule 20 deny tcp source 192.168.1.2 0 destination 192.168.2.1 0 destination-port eq telnet
[R1-acl-adv-3000]rule 25 deny tcp source 192.168.1.1 0 destination 192.168.2.2 0 destination-port eq telnet
[R1-acl-adv-3000]rule 30 deny icmp source 192.168.1.2 0 destination 192.168.2.2 0
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
If the last rule is entered without a number, VRP numbers it automatically at the next multiple of the step (5 by default), so it becomes rule 30 either way. The wildcard 0 after each address means an exact host match, and each rule only blocks the named protocol or port: a deny on destination-port telnet says nothing about other TCP services on the same host.
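To check what the ACL above actually does before pinging and telnetting from the PCs, the following Python script (an added example, not part of the original lab write-up) models VRP advanced-ACL matching on the six rules: first match in rule-number order, inverted wildcard masks where a bare 0 means an exact host, automatic numbering of an un-numbered rule at the next multiple of the step (so the last rule becomes 30), and the traffic-filter behaviour that a packet matching no rule is permitted. The mapping of 192.168.1.1 and 192.168.1.2 to PC1 and PC2 is assumed from the lab description; support for the `any` keyword, dotted wildcards and the `ip` protocol keyword goes beyond what the lab's rules use.

```python
"""Offline model of VRP advanced-ACL matching for the lab's acl 3000 (added
example, not from the original write-up). Hosts 192.168.1.1 / 192.168.1.2 are
assumed to be PC1 / PC2 as described in the lab approach."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL as entered on R1. The last rule is un-numbered, as in the lab; the
# parser numbers it the way VRP does (next multiple of the step, i.e. 30).
ACL_3000 = """\
rule 5 deny icmp source 192.168.1.1 0 destination 192.168.1.3 0
rule 10 deny icmp source 192.168.1.1 0 destination 192.168.2.1 0
rule 15 deny tcp source 192.168.1.2 0 destination 192.168.1.3 0 destination-port eq telnet
rule 20 deny tcp source 192.168.1.2 0 destination 192.168.2.1 0 destination-port eq telnet
rule 25 deny tcp source 192.168.1.1 0 destination 192.168.2.2 0 destination-port eq telnet
rule deny icmp source 192.168.1.2 0 destination 192.168.2.2 0
"""
RULE_STEP = 5                                   # VRP default rule-number step
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}
ANY = (0, 0xFFFFFFFF)                           # 0.0.0.0 with all-ones wildcard


@dataclass
class Rule:
    number: int
    action: str           # "permit" or "deny"
    protocol: str         # "ip" (matches everything), "tcp", "udp" or "icmp"
    src: tuple            # (address, wildcard) as integers
    dst: tuple
    dport: Optional[int]  # None when the rule has no destination-port


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_rule(line: str, auto_number: int) -> Rule:
    """Parse one 'rule ...' line; auto_number is used if the number is omitted."""
    tok = line.split()
    i, number = 1, auto_number
    if tok[i].isdigit():
        number, i = int(tok[i]), i + 1
    action, protocol, i = tok[i], tok[i + 1], i + 2
    fields = {"source": ANY, "destination": ANY}  # omitted address = any
    dport = None
    while i < len(tok):
        key = tok[i]
        if key in fields and tok[i + 1] == "any":
            fields[key], i = ANY, i + 2
        elif key in fields:
            # VRP accepts a bare "0" wildcard as shorthand for 0.0.0.0 (exact host).
            wild = 0 if tok[i + 2] == "0" else _ip(tok[i + 2])
            fields[key], i = (_ip(tok[i + 1]), wild), i + 3
        elif key == "destination-port" and tok[i + 1] == "eq":
            name = tok[i + 2]
            dport, i = (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 3
        else:
            raise ValueError(f"unsupported token {key!r} in: {line}")
    return Rule(number, action, protocol, fields["source"], fields["destination"], dport)


def parse_acl(text: str) -> list:
    rules = []
    for line in filter(str.strip, text.splitlines()):
        top = max((r.number for r in rules), default=0)
        rules.append(parse_rule(line, (top // RULE_STEP + 1) * RULE_STEP))
    return sorted(rules, key=lambda r: r.number)    # VRP matches in number order


def _addr_match(spec: tuple, addr: int) -> bool:
    address, wildcard = spec      # wildcard bit 1 = don't care, 0 = must be equal
    return ((address ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First matching rule as (action, number). With traffic-filter a packet that
    matches no rule is forwarded, so the implicit default is permit (unlike Cisco)."""
    for r in rules:
        if r.protocol in ("ip", proto) \
                and _addr_match(r.src, _ip(src)) and _addr_match(r.dst, _ip(dst)) \
                and (r.dport is None or r.dport == dport):
            return r.action, r.number
    return "permit", None


def lab_results() -> dict:
    """Inbound traffic on R1 G0/0/0 generated by the lab's ping/telnet tests, plus
    one SSH attempt showing that a port-specific deny leaves other ports open."""
    acl = parse_acl(ACL_3000)
    cases = [("icmp", "192.168.1.1", "192.168.1.3", None),
             ("icmp", "192.168.1.1", "192.168.2.2", None),
             ("tcp", "192.168.1.1", "192.168.2.2", 23),
             ("tcp", "192.168.1.1", "192.168.2.2", 22),
             ("tcp", "192.168.1.2", "192.168.1.3", 23),
             ("tcp", "192.168.1.2", "192.168.2.2", 23),
             ("icmp", "192.168.1.2", "192.168.2.2", None)]
    return {f"{p} {s} -> {d}" + (f":{dp}" if dp else ""): evaluate(acl, p, s, d, dp)
            for p, s, d, dp in cases}


if __name__ == "__main__":
    for case, (action, number) in lab_results().items():
        print(f"{case:<34} {action:<6} {'rule %s' % number if number else 'no match: default permit'}")
```

Run it and compare the output with the ping and telnet results from the PCs. The SSH case is the one to notice: rule 25 denies PC1 only on port 23, so a connection from PC1 to 192.168.2.2 on port 22 (or any other port) falls through all six rules and is forwarded by the default permit.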
Configuration on R2:
[R2]aaa
[R2-aaa]local-user xiaogang privilege level 15 password cipher 123456
[R2-aaa]local-user xiaogang service-type telnet
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
Lab results: