Requirements:
1. PC1 can telnet to R1 but cannot ping R1.
2. PC1 can ping R2 but cannot log in to R2.
3. All of PC2's rules are the reverse of PC1's.
Step 1: Configure the IP addresses as shown in the diagram.
Step 2: Configure static routes so that the whole network is reachable.
[R2]ip route-static 192.168.2.0 24 192.168.1.1
[PC1]ip route-static 192.168.1.0 24 192.168.2.1
[PC2]ip route-static 192.168.1.0 24 192.168.2.1
Step 3: Configure remote login (Telnet) on R1 and R2.
[R1]aaa
[R1-aaa]local-user user1 privilege level 15 password cipher 123
Info: Add a new user.
[R1-aaa]local-user user1 service-type telnet
[R1-aaa]q
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R2]aaa
[R2-aaa]local-user user1 privilege level 15 password cipher 123
[R2-aaa]local-user user1 service-type telnet
[R2-aaa]q
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
Test:
<PC1>telnet 192.168.2.1
Press CTRL_] to quit telnet mode
Trying 192.168.2.1 ...
Connected to 192.168.2.1 ...
Login authentication
Username:user1
Password:
<R1>
<PC1>telnet 192.168.1.2
Press CTRL_] to quit telnet mode
Trying 192.168.1.2 ...
Connected to 192.168.1.2 ...
Login authentication
Username:user1
Password:
<R2>
Step 4: Write the ACL and apply it to the interface.
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.2.2 0 destination 192.168.2.1 0
[R1-acl-adv-3000]rule deny tcp source 192.168.2.2 0 destination 192.168.1.2 0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.2.3 0 destination 192.168.2.1 0 destination-port eq 23
[R1-acl-adv-3000]rule deny icmp source 192.168.2.3 0 destination 192.168.1.2 0
[R1-acl-adv-3000]q
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
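Before running the real test on the routers, it helps to check on paper that the four deny rules above actually produce the required matrix (PC1 and PC2, ping and telnet, R1 and R2). The following Python script is an added example, not part of the lab or of any vendor tool: it models how a Huawei advanced ACL matches a packet (source/destination address with a wildcard mask, where wildcard 0 means "exactly this host", protocol, and optional destination port), walks the rules of acl 3000 in order, and falls back to the traffic-filter default action of permit when no rule matches. The addresses (PC1 192.168.2.2, PC2 192.168.2.3, R1's g0/0/1 192.168.2.1, R2 192.168.1.2) are taken from the ACL rules and the telnet test; the `Rule`/`check_requirements` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rough model of one "rule deny|permit <proto> source A W destination B W [destination-port eq P]"
@dataclass(frozen=True)
class Rule:
    action: str               # "deny" or "permit"
    proto: str                # "icmp", "tcp", "udp" or "ip" (ip matches any protocol)
    src: str
    src_wild: str             # Huawei wildcard: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # "destination-port eq N", None means any port


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True if addr equals base on every bit that the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt["dst"], rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def filter_packet(acl: list, pkt: dict, default: str = "permit") -> str:
    """First matching rule wins; traffic-filter permits anything no rule matches."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# acl 3000 exactly as configured on R1 (wildcard "0" written out as 0.0.0.0)
ACL_3000 = [
    Rule("deny", "icmp", "192.168.2.2", "0.0.0.0", "192.168.2.1", "0.0.0.0"),
    Rule("deny", "tcp",  "192.168.2.2", "0.0.0.0", "192.168.1.2", "0.0.0.0", 23),
    Rule("deny", "tcp",  "192.168.2.3", "0.0.0.0", "192.168.2.1", "0.0.0.0", 23),
    Rule("deny", "icmp", "192.168.2.3", "0.0.0.0", "192.168.1.2", "0.0.0.0"),
]

# Addresses inferred from the lab: R1 is reached on its g0/0/1 address, R2 on the R1-R2 link
HOSTS = {"PC1": "192.168.2.2", "PC2": "192.168.2.3", "R1": "192.168.2.1", "R2": "192.168.1.2"}


def check_requirements(acl: list = ACL_3000) -> dict:
    """Evaluate every (source PC, service, router) combination that enters R1 on g0/0/1."""
    results = {}
    for src in ("PC1", "PC2"):
        for dst in ("R1", "R2"):
            ping = {"proto": "icmp", "src": HOSTS[src], "dst": HOSTS[dst]}
            telnet = {"proto": "tcp", "src": HOSTS[src], "dst": HOSTS[dst], "dport": 23}
            results[(src, "ping", dst)] = filter_packet(acl, ping)
            results[(src, "telnet", dst)] = filter_packet(acl, telnet)
    return results


if __name__ == "__main__":
    for (src, svc, dst), verdict in sorted(check_requirements().items()):
        print(f"{src} {svc:6s} -> {dst}: {verdict}")
```

The output shows PC1 denied for ping to R1 and telnet to R2 and permitted for the other two, with PC2 the mirror image, which is exactly the requirement list. Because the filter is applied inbound on R1's g0/0/1, every packet from either PC crosses it, including traffic bound for R2; that is why the rules about R2 can live on R1 rather than on R2 itself.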
Test: