Requirements:
1. PC1 can telnet to R1 but cannot ping R1; PC1 can ping R2 but cannot telnet to R2.
2. PC2 is the reverse of PC1.
Note: because the simulator's PCs cannot run telnet, two extra routers are used to simulate the PCs.
II. Topology diagram
III. IP address plan. The topology is simple and only a few IP addresses are used:
| Device | Interface | IP address |
|---|---|---|
| R1 | g0/0/0 | 192.168.1.1/24 |
| R1 | g0/0/1 | 192.168.2.1/24 |
| R2 | g0/0/0 | 192.168.2.2/24 |
| PC1 | g0/0/0 | 192.168.1.10/24 |
| PC2 | g0/0/0 | 192.168.1.11/24 |
R1 IP configuration:

```
[r1]int g 0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1-GigabitEthernet0/0/0]int g 0/0/1
[r1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
```

R2 IP configuration:

```
[r2]int g 0/0/0
[r2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
```

PC1 configuration:

```
[pc1]int g 0/0/0
[pc1-GigabitEthernet0/0/0]ip add 192.168.1.10 24
```

PC2 configuration:

```
[pc2]int g 0/0/0
[pc2-GigabitEthernet0/0/0]ip add 192.168.1.11 24
```
Enable AAA authentication on R1 and R2:

```
[r1]aaa
[r1-aaa]local-user an privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user an service-type telnet
[r1-aaa]quit
[r1]user-interface vty 0
[r1-ui-vty0]authentication-mode aaa
```

```
[r2]aaa
[r2-aaa]local-user an privilege level 15 password cipher 123456
Info: Add a new user.
[r2-aaa]local-user an service-type telnet
[r2]user-interface vty 0 4
[r2-ui-vty0-4]authentication-mode aaa
```
After the IP configuration, add a default route on each PC pointing at R1:

```
[pc1]ip route-static 0.0.0.0 0 192.168.1.1
[pc2]ip route-static 0.0.0.0 0 192.168.1.1
```
At this point the whole network is reachable. Test results:
Next, write an ACL to match the interesting traffic.
Per the requirements this has to be an advanced ACL (it must match on protocol, source, destination and destination port). The configuration is as follows:
```
[r1-acl-adv-3000]display this
[V200R003C00]
#
acl number 3000
 rule 5 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
 rule 10 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
 rule 15 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0
 rule 20 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
 rule 25 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
 rule 30 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
 rule 35 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
#
return
```

```
[r1]acl 3000
[r1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.1.1 0.0.0.0
[r1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.2.1 0.0.0.0
[r1-acl-adv-3000]rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
[r1-acl-adv-3000]rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
```
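To confirm that ACL 3000 as shown by `display this` actually implements all eight allow/deny cases in the requirements before trusting the ping and telnet tests, here is an added Python model of VRP's first-match ACL evaluation (not code from the original lab). It assumes, as the lab itself does, that a `traffic-filter` permits packets that match no rule.

```python
import ipaddress
import re
# ACL 3000 exactly as shown by "display this" on R1 above
ACL_3000 = """
rule 5 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 10 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 15 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0
rule 20 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 25 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 30 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 35 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\w+) source (\S+) (\S+) "
                     r"destination (\S+) (\S+)(?: destination-port eq (\S+))?")
def _ip(s):  # VRP writes the exact-match wildcard 0.0.0.0 as a bare "0"
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))
def _addr_match(addr, rule_addr, wildcard):  # wildcard 1-bits are don't-care
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):  # -> [(num, action, proto, src, swc, dst, dwc, dport)] sorted by number
    rules = []
    for m in RULE_RE.finditer(text):
        num, act, proto, src, swc, dst, dwc, port = m.groups()
        dport = None if port is None else (23 if port == "telnet" else int(port))
        rules.append((int(num), act, proto, _ip(src), _ip(swc), _ip(dst), _ip(dwc), dport))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, proto, src, dst, dport=None):
    # First match wins. Assumption: a packet matching no rule is permitted (VRP
    # traffic-filter default); the lab relies on it, since ACL 3000 has only deny rules.
    for _num, act, rp, rsrc, swc, rdst, dwc, rport in rules:
        if (rp == proto and _addr_match(_ip(src), rsrc, swc)
                and _addr_match(_ip(dst), rdst, dwc) and rport in (None, dport)):
            return act
    return "permit"

REQUIREMENTS = [  # the eight cases from the requirements: label, proto, src, dst, dport, expected
    ("PC1 telnet R1", "tcp", "192.168.1.10", "192.168.1.1", 23, "permit"),
    ("PC1 ping R1", "icmp", "192.168.1.10", "192.168.1.1", None, "deny"),
    ("PC1 ping R2", "icmp", "192.168.1.10", "192.168.2.2", None, "permit"),
    ("PC1 telnet R2", "tcp", "192.168.1.10", "192.168.2.2", 23, "deny"),
    ("PC2 telnet R1", "tcp", "192.168.1.11", "192.168.1.1", 23, "deny"),
    ("PC2 ping R1", "icmp", "192.168.1.11", "192.168.1.1", None, "permit"),
    ("PC2 ping R2", "icmp", "192.168.1.11", "192.168.2.2", None, "deny"),
    ("PC2 telnet R2", "tcp", "192.168.1.11", "192.168.2.2", 23, "permit"),
]
def check_requirements(acl_text=ACL_3000):
    rules = parse_acl(acl_text)
    return {lbl: evaluate(rules, p, s, d, port) == exp for lbl, p, s, d, port, exp in REQUIREMENTS}
```

Running `check_requirements()` returns True for every case; note that rule 15 blocks all TCP from PC1 to R2, not only telnet, which is broader than the requirement but does not violate it.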
Final test results:
PC1 test results:
PC2 test results: