拓扑结构:
要求
1、PC1可以Telnet R1,但是不能pingR1
2、PC1可以ping R2,但是不能Telnet R2
3、PC2的所有要求与PC1相反
使用的设备:4台
路由器、1台
交换机
解决网络拓扑:
1、确定广播域的个数
2、分配网段
3、配置IP地址 (优先配置路由器)
确定广播域的个数
根据拓扑结构图以及要求可知,本拓扑结构一共拥有2个网段,为两个接口网段
分配网段
其中两个接口网段基于192.168.1.0/24进行划分
划分为:
192.168.1.0/25
192.168.1.128/25
配置路由器IP地址
AR1:
<Huawei>system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r1
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 25
[r1-GigabitEthernet0/0/0]
Apr 17 2023 20:40:49-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]q
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 192.168.1.129 25
Apr 17 2023 20:41:22-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[r1-GigabitEthernet0/0/1]q
[r1]AR2:
<Huawei>system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r2
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.1.130 25
[r2-GigabitEthernet0/0/0]
Apr 17 2023 20:39:30-08:00 r2 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r2-GigabitEthernet0/0/0]q
[r2]AR3:
<Huawei>system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r3
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.1.2 25
[r3-GigabitEthernet0/0/0]
Apr 17 2023 20:42:42-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r3-GigabitEthernet0/0/0]q
[r3]AR4:
<Huawei>system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r4
[r4]interface GigabitEthernet 0/0/0
[r4-GigabitEthernet0/0/0]ip address 192.168.1.3 25
Apr 17 2023 20:43:42-08:00 r4 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r4-GigabitEthernet0/0/0]q
[r4]配置静态路由协议
AR2:
[r2]ip route-static 192.168.1.0 25 192.168.1.129AR3:
[r3]ip route-static 192.168.1.128 25 192.168.1.1AR4:
[r4]ip route-static 192.168.1.128 25 192.168.1.1此时配置完静态路由以后,全网可达。
配置ACL访问控制列表
AR1:
[r1]acl 3000
[r1-acl-adv-3000]rule permit tcp source 192.168.1.2 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.1.1 0
[r1-acl-adv-3000]rule permit icmp source 192.168.1.3 0 destination 192.168.1.1 0
[r1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]qAR2:
[r2]acl 3000
[r2-acl-adv-3000]rule permit icmp source 192.168.1.2 0 destination 192.168.1.130 0
[r2-acl-adv-3000]rule deny tcp source 192.168.1.2 0 destination 192.168.1.130 0 destination-port eq 23
[r2-acl-adv-3000]rule deny icmp source 192.168.1.3 0 destination 192.168.1.130 0
[r2-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.1.130 0 destination-port eq 23
[r2-acl-adv-3000]q一定切记要在信息传输的出接口上配置或在信息接收的入接口上配置ACL访问控制列表,必须调用才可以生效
在入接口上配置ACL
AR1:
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000AR2:
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000并在AR1、AR2上开启telnet服务
AR1:
[r1]aaa
[r1-aaa]local-user panda privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user panda service-type telnet
[r1-aaa]q
[r1]
[r1]user-interface vty 0
[r1-ui-vty0]authentication-mode aaa
[r1-ui-vty0]q
[r1]AR2:
[r2]aaa
[r2-aaa]local-user banana privilege level 15 password cipher 123456
Info: Add a new user.
[r2-aaa]local-user banana service-type telnet
[r2-aaa]q
[r2]
[r2]user-interface vty 0
[r2-ui-vty0]authentication-mode aaa
[r2-ui-vty0]q
[r2]实验结果:
PC1:
此时PC1不可以pingR1,但是可以远程登录R1,可以pingR2,但是不能远程登录R2
AR2:
此时PC2可以pingR1,但是不能远程登录R1,不可以pingR2,但是可以远程登录R2
ACL访问控制列表生效,实验要求完成。
