目录
搭建拓扑图
实验要求
1.PC1不能ping R1,但是可以登陆R1;不能登陆R2,但是可以ping R2;
2.PC2不能ping R2,但是可以登陆R2;不能登陆R1,但是可以ping R1。
配置过程
配置IP地址、静态路由
R1:
system-view
[Huawei]sysname R1
[R1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.16.2.1 24
[R1-GigabitEthernet0/0/0]int gi 0/0/1
[R1-GigabitEthernet0/0/1]ip add 172.16.1.1 24
[R1-GigabitEthernet0/0/1]quit
R2:
system-view
[Huawei]sysname R2
[R2]int gi 0/0/0
[R2-GigabitEthernet0/0/0]ip add 172.16.2.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]ip route-static 172.16.1.0 24 172.16.2.1
PC1:
system-view
[Huawei]sysname PC1
[PC1]int gi 0/0/0
[PC1-GigabitEthernet0/0/0]ip add 172.16.1.2 24
[PC1-GigabitEthernet0/0/0]quit
[PC1]ip route-static 172.16.2.0 24 172.16.1.1
PC2:
system-view
[Huawei]sysname PC2
[PC2]int gi 0/0/0
[PC2-GigabitEthernet0/0/0]ip add 172.16.1.3 24
[PC2-GigabitEthernet0/0/0]quit
[PC2]ip route-static 172.16.2.0 24 172.16.1.1
配置ACL并调用
R1:
[R1]acl 3500
[R1-acl-adv-3500]rule deny tcp source 172.16.1.2 0 destination 172.16.2.2 0 destination-port eq telnet
[R1-acl-adv-3500]rule deny icmp source 172.16.1.2 0 destination 172.16.1.1 0
[R1-acl-adv-3500]rule deny icmp source 172.16.1.2 0 destination 172.16.2.1 0
[R1-acl-adv-3500]rule deny tcp source 172.16.1.3 0 destination 172.16.1.1 0 destination-port eq telnet
[R1-acl-adv-3500]rule deny tcp source 172.16.1.3 0 destination 172.16.2.1 0 destination-port eq telnet
[R1-acl-adv-3500]rule deny icmp source 172.16.1.3 0 destination 172.16.2.2 0
[R1-acl-adv-3500]quit
[R1]int gi 0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 3500
配置账号
R1:
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]aaa
[R1-aaa]local-user xirui privilege level 15 password cipher 654321
[R1-aaa]quit
[R1]quit
save
R2:
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]aaa
[R2-aaa]local-user heihei privilege level 15 password cipher 635241
[R2-aaa]quit
[R2]quit
save
验证实验结果
PC1:PC2: