一、实验拓扑
二、实验需求
1:pc1可以Telnet R1,但不能ping R1;pc1可以ping R2但不能Telnet R2
2:pc2和pc1相反
三、实验思路
1.各个端口IP的配置
2.对pc1、pc2、R2配置缺省,实现全网通
3.配置ACL(由题可知为高级ACL)
4.先开启Telnet
5.在R1处编写ACL列表(就近原则)
6.结果测试
四、实验步骤
1、配置IP地址
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
[PC1]int g0/0/0
[PC1-GigabitEthernet0/0/0]ip add 192.168.1.10 24
[PC2]int g0/0/0
[PC2-GigabitEthernet0/0/0]ip add 192.168.1.11 24
2、配置缺省
[R2]ip route-static 192.168.2.0 24 192.168.2.1
[R2]ip route-static 192.168.1.0 24 192.168.2.1
[PC1]ip route-static 0.0.0.0 0 192.168.1.1
[PC2]ip route-static 0.0.0.0 0 192.168.1.1
3、开启Telnet
[R1]aaa
[R1-aaa]local-user DDD privilege level 15 password cipher 123456
Info: Add a new user.
[R1-aaa]local-user DDD service-type telnet
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R2]aaa
[R2-aaa]local-user FFF privilege level 15 password cipher 654321
Info: Add a new user.
[R2-aaa]local-user FFF service-type telnet
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
4、编写ACL列表
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.
2.1 0.0.0.0
[R1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.
0.0.0.0
[R1-acl-adv-3000]rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2
.2 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2
.1 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.1
.1 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.
2.2 0.0.0.0
5、结果测试
pc1可以Telnet R1,但不能ping R1
pc1可以ping R2但不能Telnet R2
Pc2不可以Telnet R1,但能ping R1
Pc2不可以ping R2但能Telnet R2