本文描述了一个网络实验,涉及PC1和PC2对R1和R2的访问控制,PC1只能TelnetR1但不能ping,PC2则相反。实验通过配置静态路由、Telnet服务和详细的ACL规则来实现特定的网络访问限制。
1.实验要求
(1)PC1可以访问Telnet R1,不能ping R1
(2)PC1不能访问Telnet R2,但可以Ping R2
(3)PC2不可以访问Telnet R1,能Ping R1
(4)PC2能访问Telnet R2,但不可以Ping R2
2.实验拓补
3.实验思路
- 先在R1,PC1和PC2上配置静态路由使全网可通
- 在R1和R2上配置Telnet服务
- 在R1上配置ACL
实验步骤
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.2.1 24
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
[R2]ip route-static 192.168.1.0 24 192.168.2.1
[PC1]int g0/0/0
[PC1-GigabitEthernet0/0/0]ip add 192.168.1.10 24
[PC1]ip route-static 0.0.0.0 0 192.168.1.254
[PC2]int g0/0/0
[PC2-GigabitEthernet0/0/0]ip add 192.168.1.11 24
[PC2]ip route-static 0.0.0.0 0 192.168.1.254
[R1]aaa
[R1-aaa]local-user abc privilege level 15 password cipher 12345
[R1-aaa]local-user abc service-type telnet
[R1-aaa]quit
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R2]aaa
[R2-aaa]local-user hhh privilege level 15 password cipher 666
[R2-aaa]
[R2-aaa]local-user hhh service-type telnet
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.1.254 0.0.0.0
[R1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.
2.1 0.0.0.0
[R1-acl-adv-3000]rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2
.2 0.0.0.0 destination-port eq 23
192.168.1.11 0.0.0.0 destination 192.168.1
.254 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2
.1 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.
2.2 0.0.0.0
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[R1-GigabitEthernet0/0/1]quit
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter ou
[R1-GigabitEthernet0/0/0]quit
4.测试
(1)全网通
(2)ACL测试
扫一扫
686
到【灌水乐园】发言
