1. IP address configuration on the routers:
R1:
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[r1]interface g0/0/1
[r1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
R2:
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]ip address 12.1.1.2 24
[r2]interface g0/0/2
[r2-GigabitEthernet0/0/2]ip address 23.1.1.1 24
[r2]interface g0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.2.1 24
R3:
[r3]interface g0/0/1
[r3-GigabitEthernet0/0/1]ip address 23.1.1.2 24
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.3.1 24
2. DHCP address pool configuration on the routers:
R1:
[r1]ip pool class_A
Info: It’s successful to create an IP address pool.
[r1-ip-pool-class_A]network 192.168.1.0 mask 24
[r1-ip-pool-class_A]gateway-list 192.168.1.1
[r1-ip-pool-class_A]dns-list 8.8.8.8
[r1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]dhcp select global
R2:
[r2]ip pool class_B
Info: It’s successful to create an IP address pool.
[r2-ip-pool-class_B]network 192.168.2.0 mask 24
[r2-ip-pool-class_B]gateway-list 192.168.2.1
[r2-ip-pool-class_B]dns-list 8.8.8.8
[r2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r2]interface g0/0/0
[r2-GigabitEthernet0/0/0]dhcp select global
R3:
[r3]ip pool class_C
Info: It’s successful to create an IP address pool.
[r3-ip-pool-class_C]network 192.168.3.0 mask 24
[r3-ip-pool-class_C]gateway-list 192.168.3.1
[r3-ip-pool-class_C]dns-list 8.8.8.8
[r3]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]dhcp select global
3. Dynamic routing (RIP) configuration:
R1:
[r1]rip 1
[r1-rip-1]version 2
[r1-rip-1]network 192.168.1.0
[r1-rip-1]network 12.0.0.0
R2:
[r2]rip 1
[r2-rip-1]version 2
[r2-rip-1]network 12.0.0.0
[r2-rip-1]network 23.0.0.0
[r2-rip-1]network 192.168.2.0
R3:
[r3]rip 1
[r3-rip-1]version 2
[r3-rip-1]network 23.0.0.0
[r3-rip-1]network 192.168.3.0
4. ACL configuration
Requirement: PC1 must not be able to ping PC6, but must be able to ping PC5.
Note: in the DHCP step above, PC1 and PC5 obtained the following addresses:
PC1: 192.168.1.253 (oddly, not .254)  PC2: 192.168.3.253
- First, the basic ACL configuration:
A basic ACL is applied close to the destination.
[r3]acl 2000
[r3-acl-basic-2000]rule 1 deny source 192.168.1.253 0.0.0.0
[r3]interface g0/0/0
[r3-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
With this we find that both PC5 and PC6 become unreachable from PC1: a basic ACL matches on the source address only, so on R3's LAN interface it cannot tell the two destinations apart. We therefore need an advanced ACL instead.
- Advanced ACL configuration: an advanced ACL is applied close to the source.
Remove the ACL 2000 configured above:
[r3]undo acl 2000
Then configure the following:
[r1]acl 3000
[r1-acl-adv-3000]rule 1 deny ip source 192.168.1.253 0 destination 192.168.3.253 0
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
5. Remote login and ICMP configuration:
- Requirement: R1 must not be able to ping R3, but must be able to log in to R3 remotely.
(1) First, configure remote login (Telnet) on R3:
[r3]user-interface vty 0 4
[r3-ui-vty0-4]authentication-mode aaa
[r3-ui-vty0-4]q
[r3]aaa
[r3-aaa]local-user huawei password cipher huawei
Info: Add a new user.
[r3-aaa]local-user huawei privilege level 15
[r3-aaa]local-user huawei service-type telnet
Then telnet from R1 to R3 to verify the login works.
(2) Configure the advanced ACL and the ICMP (ping) restriction on R2
Note: because a router cannot filter traffic that it generates itself, the restriction must be configured on R2, the device closest to R1. The configuration is as follows:
[r2]acl 3000
[r2-acl-adv-3000]rule 1 deny icmp source 12.1.1.1 0 destination 23.1.1.2 0
[r2-acl-adv-3000]q
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
With this, R1 can log in to R3 remotely but cannot ping it.
- The experiment above can also be reversed.
The requirement then becomes: R1 can ping R3, but cannot log in to R3 remotely.
Note: as above, the configuration is done on R2, as follows:
First, delete the existing ACL configuration on R2:
[r2]undo acl 3000
Reconfigure the advanced ACL as follows:
[r2]acl 3000
[r2-acl-adv-3000]rule 1 deny tcp source 12.1.1.1 0 destination 23.1.1.2 0 destination-port eq 23
[r2-acl-adv-3000]q
[r2]interface g0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Error: A simplified ACL has been applied in this view.
(ACL 3000 was already applied to this interface earlier, so applying it again produces this "already applied" error; the interface still references ACL 3000, so the rules added below take effect without reapplying it.)
[r2-GigabitEthernet0/0/1]q
[r2]acl 3000
[r2-acl-adv-3000]rule 2 deny tcp source 12.1.1.1 0 destination 192.168.3.1 0 destination-port eq 23
After the steps above, R1 can no longer log in to R3 from its g0/0/1 interface. However, on the VRP platform the -a parameter lets the ping program use a specified IP address as the source of its echo requests, and telnet accepts the same parameter. For example:
telnet -a 192.168.1.1 23.1.1.2
With the command above, R1 can still log in to R3 (the ACL only matches source 12.1.1.1), so we continue on R2:
[r2]acl 3000
[r2-acl-adv-3000]rule 3 deny tcp source 192.168.1.1 0 destination 23.1.1.2 0 destination-port eq 23
[r2-acl-adv-3000]rule 4 deny tcp source 192.168.1.1 0 destination 192.168.3.1 0 destination-port eq 23
With this, R1's remote login to R3 is blocked from both of its source addresses.
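The filtering outcomes of sections 4 and 5 (the too-broad basic ACL on R3, the advanced ACL on R1, and the successive versions of ACL 3000 on R2, including the gap opened by the -a source address and the rules that close it) can be replayed offline with the following evaluator. This is an added example, not part of the original write-up and not Huawei code: it models VRP's wildcard-mask matching, first-match in rule-number order and the implicit permit of traffic-filter. PC5's lease (192.168.3.252), the 10.9.9.9 source and the destination-only rule set R2_DST_ONLY are constructed assumptions; the last one goes beyond the lab to show a filter that holds for any source address.

```python
"""Added example: replay the lab's ACL decisions with a Huawei-style rule evaluator.
Not vendor code; models wildcard masks, first match by rule number and implicit permit."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 0 bit in the wildcard must match, a 1 bit is ignored.
    VRP accepts a bare '0' as shorthand for 0.0.0.0 (exact host match)."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(rule_addr)) & care_bits) == 0


@dataclass
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches any protocol; "icmp"/"tcp" match that one
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # default: any source (a basic ACL only ever sets src)
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # default: any destination
    dport: Optional[int] = None        # destination-port eq N (tcp only)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides, checked in ascending rule number (VRP's default
    'config' match order); traffic-filter permits a packet that matches no rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"


PC1, PC6 = "192.168.1.253", "192.168.3.253"   # leases recorded in the lab
PC5 = "192.168.3.252"                          # constructed: the lab does not list PC5's lease

# Section 4: basic ACL 2000 on R3 (source only) vs advanced ACL 3000 on R1 (source + destination)
ACL_2000_R3 = [Rule(1, "deny", "ip", PC1, "0.0.0.0")]
ACL_3000_R1 = [Rule(1, "deny", "ip", PC1, "0", PC6, "0")]

# Section 5: the three successive versions of ACL 3000 on R2
R2_V1 = [Rule(1, "deny", "icmp", "12.1.1.1", "0", "23.1.1.2", "0")]
R2_V2 = [Rule(1, "deny", "tcp", "12.1.1.1", "0", "23.1.1.2", "0", 23),
         Rule(2, "deny", "tcp", "12.1.1.1", "0", "192.168.3.1", "0", 23)]
R2_V3 = R2_V2 + [Rule(3, "deny", "tcp", "192.168.1.1", "0", "23.1.1.2", "0", 23),
                 Rule(4, "deny", "tcp", "192.168.1.1", "0", "192.168.3.1", "0", 23)]
# Constructed alternative (not from the lab): key the deny on destination and service only,
# so it does not depend on which address the sender chooses.
R2_DST_ONLY = [Rule(1, "deny", "tcp", dst="23.1.1.2", dst_wild="0", dport=23),
               Rule(2, "deny", "tcp", dst="192.168.3.1", dst_wild="0", dport=23)]


def ping(src: str, dst: str) -> Packet:
    return Packet(src, dst, "icmp")


def telnet(src: str, dst: str) -> Packet:
    return Packet(src, dst, "tcp", 23)


def scenario_results() -> dict:
    """Each entry is the verdict the lab observed (or, for the last one, the constructed alternative)."""
    return {
        "basic_pc1_to_pc5": evaluate(ACL_2000_R3, ping(PC1, PC5)),            # deny: too broad
        "basic_pc1_to_pc6": evaluate(ACL_2000_R3, ping(PC1, PC6)),            # deny
        "adv_pc1_to_pc5": evaluate(ACL_3000_R1, ping(PC1, PC5)),              # permit
        "adv_pc1_to_pc6": evaluate(ACL_3000_R1, ping(PC1, PC6)),              # deny
        "v1_ping": evaluate(R2_V1, ping("12.1.1.1", "23.1.1.2")),             # deny
        "v1_telnet": evaluate(R2_V1, telnet("12.1.1.1", "23.1.1.2")),         # permit
        "v2_ping": evaluate(R2_V2, ping("12.1.1.1", "23.1.1.2")),             # permit
        "v2_telnet": evaluate(R2_V2, telnet("12.1.1.1", "23.1.1.2")),         # deny
        "v2_telnet_alt_src": evaluate(R2_V2, telnet("192.168.1.1", "23.1.1.2")),  # permit: the gap
        "v3_telnet_alt_src": evaluate(R2_V3, telnet("192.168.1.1", "23.1.1.2")),  # deny: closed
        "dst_only_any_src": evaluate(R2_DST_ONLY, telnet("10.9.9.9", "23.1.1.2")),  # deny (constructed source)
    }


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name:20s} {verdict}")
```

The replay makes the design point of section 5 explicit: a deny keyed on the source address has to enumerate every address the sender can originate from (hence rules 3 and 4 after rule 1 and 2 were bypassed), whereas a deny keyed on the destination and service holds for any source. The destination-only form is the one a defender would usually prefer on a transit router such as R2, at the cost of also blocking other hosts' Telnet to R3 through that interface.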