实验要求:
1、PC1可以telnet登录R1,不能ping通R1;不能登录R2,可以ping通R2
2、PC2不可以telnet登录R1,能ping通R1:能登录R2,不可以ping通R2
实验思路:
1.配置各路由器接口IP;
2.配置路由表,先实现全网可达;
3.为R1,R2开启telnet并设置aaa登录;
4.设置ACL:
可以ping通,但不能登录telnet采用:rule deny tcp source 源IP地址 destination 目标IP地址 destination-port eq 23 该规则拒绝了源IP地址 对目标IP地址 的tcp下目标端口23访问-- 拒绝telnet
不可以ping通,但是能登录telnet采用:rule deny icmp source 源IP地址 destination 目标IP地址 该规则拒绝源IP地址对目标IP地址的ICMP访问--拒绝ping
5.在接口调用ACL。
配置命令如下:
PC1
<Huawei>system-view
[Huawei]sysname PC1
[PC1]int g 0/0/0
[PC1-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[PC1-GigabitEthernet0/0/0]q
[PC1]ip route-static 192.168.2.0 24 192.168.1.2
PC2
<Huawei>system-view
[Huawei]sysname pc2
[pc2]int GigabitEthernet 0/0/0
[pc2-GigabitEthernet0/0/0]ip address 192.168.1.3 24
[pc2-GigabitEthernet0/0/0]q
[pc2]ip route-static 192.168.2.0 24 192.168.1.3
R1
<Huawei>sys
[Huawei]sysname R1
[R1]int g 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0/0]int g 0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[R1-GigabitEthernet0/0/1]q
[R1]aaa
[R1-aaa]local-user R1 privilege level 15 password cipher 123
[R1-aaa]local-user R1 service-type telnet
[R1-aaa]q
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]q
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.1.1 0
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.2.1 0
[R1-acl-adv-3000]rule deny tcp source 192.168.1.2 0 destination 192.168.2.2 0 de
stination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 de
stination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.2.1 0 de
stination-port eq 23
[R1-acl-adv-3000]rule deny icmp source 192.168.1.3 0 destination 192.168.2.2 0
[R1]int g 0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
R2
<Huawei>sys
[Huawei]sysname R2
[R2]int g 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[R2-GigabitEthernet0/0/0]q
[R2]ip route-static 192.168.1.0 24 192.168.2.1
[R2]aaa
[R2-aaa]local-user R2 privilege level 15 password cipher 321
[R2-aaa]local-user R2 service-type telnet
[R2-aaa]q
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]q
结果如下:
PC1可以登录R1,不能登录R2
PC1不能ping通 R1,可以ping通R2
PC2可以登录R2,不能登录R1
可以ping通R1,不能ping通R2