NE Comprehensive Lab 2: Fine-Grained RIP and OSPF Dynamic Routing Configuration and ACLs (Access Control Lists)
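Lab topology
Lab requirements
1. Configure IP addresses as shown in the topology diagram;
2. Configure the dynamic routing protocol for each area as divided in the diagram;
3. Configure a DHCP server on R7 so that the PCs can obtain IP addresses;
4. Advertise all loopback interfaces into OSPF, advertise loopback interface 7 into RIP, redistribute RIP routes into OSPF and OSPF routes into RIP;
5. Achieve full network connectivity;
6. Enable RIP interface authentication on R3 and R6, with password hyzy;
7. Enable a RIP silent interface on R7; the service segment must not receive protocol packets;
8. Enable OSPF interface authentication on R5 and R4, with password hyzy;
9. Configure the FTP service on R4; during testing, all devices must be able to log in;
10. Configure the TELNET service on R1; during testing, all devices must be able to log in and manage it;
11. Deny R5 access to R1's TELNET service without affecting other devices;
12. Deny R2 access to R4's FTP service without affecting other devices;
13. Prevent the 10.1.1.0/24 segment from pinging R1's addresses;
14. Deny the 10.1.1.0/24 segment access to R4's addresses;
15. Deny PC10 access to R3's addresses;
Lab steps
1. Configure IP addresses as shown in the topology diagram
On R1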
[R1]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.1.1/24 -- --
GE0/1 up up 192.168.2.1/24 -- --
GE0/2 up up 100.3.3.1/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 1.1.1.1/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R1]
On R2
[R2]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.1.2/24 -- --
GE0/1 up up 192.168.3.2/24 -- --
GE0/2 up up 100.1.1.2/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 2.2.2.2/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R2]
On R3
[R3]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.2.3/24 -- --
GE0/1 up up 192.168.3.3/24 -- --
GE0/2 up up 200.2.2.3/24 -- --
GE5/0 up up 200.1.1.3/24 -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 3.3.3.3/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R3]
On R4
[R4]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 172.16.3.4/24 -- --
GE0/1 up up 172.16.1.4/24 -- --
GE0/2 up up 100.3.3.4/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 4.4.4.4/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R4]
On R5
[R5]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 172.16.1.5/24 -- --
GE0/1 up up 172.16.2.5/24 -- --
GE0/2 up up 100.2.2.5/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 5.5.5.5/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R5]
On R6
[R6]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 200.3.3.6/24 -- --
GE0/1 up up 200.1.1.6/24 -- --
GE0/2 up up 172.16.3.6/24 -- --
GE5/0 up up 172.16.2.6/24 -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 6.6.6.6/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R6]
On R7
[R7]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 200.2.2.7/24 -- --
GE0/1 up up 200.3.3.7/24 -- --
GE0/2 up up 100.1.1.7/24 -- --
GE5/0 up up 100.2.2.7/24 -- --
GE5/1 up up 10.1.1.254/24 -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 7.7.7.7/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
[R7]
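2. Configure the dynamic routing protocol for each area as divided in the diagram, advertise all loopback interfaces into OSPF, advertise loopback interface 7 into RIP, redistribute RIP routes into OSPF and OSPF routes into RIP, and achieve full network connectivity
On R1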
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]dis th
#
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 100.3.3.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return
[R1-ospf-1-area-0.0.0.0]
On R2
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]dis th
#
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
return
[R2-ospf-1-area-0.0.0.0]
On R3
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]dis th
#
ospf 1 router-id 3.3.3.3
 import-route direct
 import-route rip 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
return
[R3-ospf-1]rip 1
[R3-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 200.1.1.0
 network 200.2.2.0
 import-route direct
 import-route ospf 1
#
return
[R3-rip-1]
On R4
[R4]ospf 2 router-id 4.4.4.4
[R4-ospf-2]dis th
#
ospf 2 router-id 4.4.4.4
 area 0.0.0.0
  network 4.4.4.4 0.0.0.0
  network 100.3.3.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
#
return
[R4-ospf-2]
On R5
[R5]ospf 2 router-id 5.5.5.5
[R5-ospf-2]dis th
#
ospf 2 router-id 5.5.5.5
 area 0.0.0.0
  network 5.5.5.5 0.0.0.0
  network 100.2.2.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
return
[R5-ospf-2]
On R6
[R6]ospf 2 router-id 6.6.6.6
[R6-ospf-2]dis th
#
ospf 2 router-id 6.6.6.6
 import-route direct
 import-route rip 1
 area 0.0.0.0
  network 6.6.6.6 0.0.0.0
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
#
return
[R6-ospf-2]rip 1
[R6-rip-1]dis th
#
rip 1
 undo summary
 version 2
 network 200.1.1.0
 network 200.3.3.0
 import-route direct
 import-route ospf 2
#
return
[R6-rip-1]
On R7
[R7]ospf 1
[R7-ospf-1]dis th
#
ospf 1 router-id 7.7.7.7
 import-route direct
 import-route rip 1
 area 0.0.0.0
  network 7.7.7.7 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return
[R7-ospf-1]ospf 2
[R7-ospf-2]dis th
#
ospf 2
 area 0.0.0.0
  network 100.2.2.0 0.0.0.255
#
return
[R7-ospf-2]rip 1
[R7-rip-1]dis th
#
rip 1
 undo summary
 network 7.0.0.0
 network 10.0.0.0
 network 200.2.2.0
 network 200.3.3.0
 silent-interface GigabitEthernet5/1
 import-route direct
 import-route ospf 1
 import-route ospf 2
#
return
[R7-rip-1]
3. Configure a DHCP server on R7 so that the PCs can obtain IP addresses
On R7
[R7]dhcp enable
[R7]dhcp server ip-pool 1
[R7-dhcp-pool-1]network 10.1.1.0 mask 255.255.255.0
[R7-dhcp-pool-1]gateway-list 10.1.1.254
[R7-dhcp-pool-1]dns-list 114.114.114.114
[R7-dhcp-pool-1]dis th
#
dhcp server ip-pool 1
 gateway-list 10.1.1.254
 network 10.1.1.0 mask 255.255.255.0
 dns-list 114.114.114.114
#
return
[R7-dhcp-pool-1]qu
[R7]dis dhcp server ip-in-use
IP address       Client identifier/    Lease expiration      Type
                 Hardware address
10.1.1.2         0035-3063-332e-3035-  Jul 15 09:25:57 2025  Auto(C)
                 6439-2e30-3930-362d-
                 4745-302f-302f-31
10.1.1.3         0035-3063-332e-3061-  Jul 15 09:26:13 2025  Auto(C)
                 3031-2e30-6130-362d-
                 4745-302f-302f-31
[R7]
4. Enable RIP interface authentication on R3 and R6, with password admin@12345
On R3
[R3]int g0/2
[R3-GigabitEthernet0/2]rip authentication-mode simple plain admin@12345
[R3-GigabitEthernet0/2]int g5/0
[R3-GigabitEthernet5/0]rip authentication-mode simple plain admin@12345
[R3-GigabitEthernet5/0]
On R6
[R6]int g0/0
[R6-GigabitEthernet0/0]rip authentication-mode simple plain admin@12345
[R6-GigabitEthernet0/0]int g0/1
[R6-GigabitEthernet0/1]rip authentication-mode simple plain admin@12345
[R6-GigabitEthernet0/1]
5. Enable a RIP silent interface on R7; the service segment must not receive protocol packets
On R7
[R7]rip 1
[R7-rip-1]silent-interface g5/1
[R7-rip-1]
6. Enable OSPF interface authentication on R5 and R4, with password hyzy
On R4
[R4]int g0/1
[R4-GigabitEthernet0/1]ospf authentication-mode simple plain hyzy
[R4-GigabitEthernet0/1]
On R5
[R5]int g0/0
[R5-GigabitEthernet0/0]ospf authentication-mode sim plain hyzy
[R5-GigabitEthernet0/0]
7. Configure the FTP service on R4; during testing, all devices must be able to log in
On R4
[R4]ftp server enable
[R4]local-user luoqi class manage
New local user added.
[R4-luser-manage-luoqi]password simple admin@12345
[R4-luser-manage-luoqi]authorization-attribute user-role level-15
[R4-luser-manage-luoqi]service-type ftp
[R4-luser-manage-luoqi]qu
[R4]user-interface vty 0 4
[R4-line-vty0-4]authentication-mode scheme
[R4-line-vty0-4]user-role level-15
[R4-line-vty0-4]qu
[R4]
8. Configure the TELNET service on R1; during testing, all devices must be able to log in and manage it
On R1
[R1]telnet server enable
[R1]local-user lq class manage
New local user added.
[R1-luser-manage-lq]password simple admin@12345
[R1-luser-manage-lq]authorization-attribute user-role level-15
[R1-luser-manage-lq]service-type telnet
[R1-luser-manage-lq]qu
[R1]user-interface vty 0 4
[R1-line-vty0-4]authentication-mode scheme
[R1-line-vty0-4]user-role level-15
[R1-line-vty0-4]qu
9. Deny R5 access to R1's TELNET service without affecting other devices
On R1
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule deny tcp source 5.5.5.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 100.2.2.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 172.16.2.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]rule deny tcp source 172.16.1.5 0 destination-port eq telnet
[R1-acl-ipv4-adv-3000]qu
[R1]int g0/0
[R1-GigabitEthernet0/0]packet-filter 3000 inbound
[R1-GigabitEthernet0/0]int g0/1
[R1-GigabitEthernet0/1]packet-filter 3000 inbound
[R1-GigabitEthernet0/1]int g0/2
[R1-GigabitEthernet0/2]packet-filter 3000 inbound
[R1-GigabitEthernet0/2]
On R5
<R5>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Failed to connect to the remote host!
<R5>telnet 192.168.1.1
Trying 192.168.1.1 ...
Press CTRL+K to abort
Connected to 192.168.1.1 ...
Failed to connect to the remote host!
<R5>telnet 192.168.2.1
Trying 192.168.2.1 ...
Press CTRL+K to abort
Connected to 192.168.2.1 ...
Failed to connect to the remote host!
<R5>telnet 100.3.3.1
Trying 100.3.3.1 ...
Press CTRL+K to abort
Connected to 100.3.3.1 ...
Failed to connect to the remote host!
<R5>
On R2
<R2>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login: lq
Password:
<R1>dis users
  Idx  Line   Idle      Time             Pid    Type
  0    CON 0  00:03:21  Jul 14 15:04:18  11058
+ 66   VTY 0  00:00:00  Jul 14 15:08:23  11072  TEL
Following are more details.
VTY 0 :
        User name: lq
        Location: 192.168.1.2
+ : Current operation user.
F : Current operation user works in async mode.
<R1>
On R3
<R3>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login: lq
Password:
<R1>dis users
  Idx  Line   Idle      Time             Pid    Type
  0    CON 0  00:00:15  Jul 14 15:09:05  11083
+ 66   VTY 0  00:00:00  Jul 14 15:09:18  11091  TEL
Following are more details.
VTY 0 :
        User name: lq
        Location: 192.168.2.3
+ : Current operation user.
F : Current operation user works in async mode.
<R1>
On R4
<R4>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login: lq
Password:
<R1>dis users
  Idx  Line   Idle      Time             Pid    Type
  0    CON 0  00:00:38  Jul 14 15:09:05  11083
+ 66   VTY 0  00:00:00  Jul 14 15:09:40  11101  TEL
Following are more details.
VTY 0 :
        User name: lq
        Location: 100.3.3.4
+ : Current operation user.
F : Current operation user works in async mode.
<R1>
On R6
<R6>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login: lq
Password:
<R1>dis users
  Idx  Line   Idle      Time             Pid    Type
  0    CON 0  00:01:02  Jul 14 15:09:05  11083
  66   VTY 0  00:00:21  Jul 14 15:09:40  11101  TEL
+ 67   VTY 1  00:00:00  Jul 14 15:10:04  11111  TEL
Following are more details.
VTY 0 :
        User name: lq
        Location: 100.3.3.4
VTY 1 :
        User name: lq
        Location: 172.16.3.6
+ : Current operation user.
F : Current operation user works in async mode.
<R1>
On R7
<R7>telnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login: lq
Password:
<R1>dis users
  Idx  Line   Idle      Time             Pid    Type
  0    CON 0  00:01:33  Jul 14 15:09:05  11083
  66   VTY 0  00:00:52  Jul 14 15:09:40  11101  TEL
  67   VTY 1  00:00:26  Jul 14 15:10:04  11111  TEL
+ 68   VTY 2  00:00:00  Jul 14 15:10:30  11121  TEL
Following are more details.
VTY 0 :
        User name: lq
        Location: 100.3.3.4
VTY 1 :
        User name: lq
        Location: 172.16.3.6
VTY 2 :
        User name: lq
        Location: 100.1.1.7
+ : Current operation user.
F : Current operation user works in async mode.
<R1>
10. Deny R2 access to R4's FTP service without affecting other devices
On R4
[R4]acl advanced 3000
[R4-acl-ipv4-adv-3000]rule deny tcp source 2.2.2.2 0 destination-port range 21 22
[R4-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.2 0 destination-port range 21 22
[R4-acl-ipv4-adv-3000]rule deny tcp source 192.168.3.2 0 destination-port range 21 22
[R4-acl-ipv4-adv-3000]rule deny tcp source 100.1.1.2 0 destination-port range 21 22
[R4-acl-ipv4-adv-3000]qu
[R4]int g0/0
[R4-GigabitEthernet0/0]packet-filter 3000 inbound
[R4-GigabitEthernet0/0]int g0/1
[R4-GigabitEthernet0/1]packet-filter 3000 inbound
[R4-GigabitEthernet0/1]int g0/2
[R4-GigabitEthernet0/2]packet-filter 3000 inbound
[R4-GigabitEthernet0/2]int g0/2
[R4-GigabitEthernet0/2]packet-filter 3000 inbound
[R4-GigabitEthernet0/2]qu
[R4]
On R2
<R2>ftp 4.4.4.4
Press CTRL+C to abort.
<R2>
<R2>ftp 100.3.3.4
Press CTRL+C to abort.
<R2>ftp 172.16.3.4
Press CTRL+C to abort.
<R2>ftp 172.16.1.4
Press CTRL+C to abort.
<R2>
On R1
<R1>ftp 4.4.4.4
Press CTRL+C to abort.
Connected to 4.4.4.4 (4.4.4.4).
220 FTP service ready.
User (4.4.4.4:(none)): luoqi
331 Password required for luoqi.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (4,4,4,4,132,60)
150 Accepted data connection
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 diagfile
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licbackup
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licnormal
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 logfile
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-boot-r0424p22.bin
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-system-r0424p22.bin
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 seclog
226 7 matches total
ftp>
On R3
<R3>ftp 4.4.4.4
Press CTRL+C to abort.
Connected to 4.4.4.4 (4.4.4.4).
220 FTP service ready.
User (4.4.4.4:(none)): luoqi
331 Password required for luoqi.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (4,4,4,4,46,16)
150 Accepted data connection
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 diagfile
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licbackup
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licnormal
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 logfile
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-boot-r0424p22.bin
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-system-r0424p22.bin
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 seclog
226 7 matches total
ftp>
On R5
<R5>ftp 4.4.4.4
Press CTRL+C to abort.
Connected to 4.4.4.4 (4.4.4.4).
220 FTP service ready.
User (4.4.4.4:(none)): luoqi
331 Password required for luoqi.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (4,4,4,4,6,20)
150 Accepted data connection
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 diagfile
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licbackup
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licnormal
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 logfile
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-boot-r0424p22.bin
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-system-r0424p22.bin
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 seclog
226 7 matches total
ftp>
On R6
<R6>ftp 4.4.4.4
Press CTRL+C to abort.
Connected to 4.4.4.4 (4.4.4.4).
220 FTP service ready.
User (4.4.4.4:(none)): luoqi
331 Password required for luoqi.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (4,4,4,4,131,220)
150 Accepted data connection
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 diagfile
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licbackup
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licnormal
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 logfile
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-boot-r0424p22.bin
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-system-r0424p22.bin
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 seclog
226 7 matches total
ftp>
On R7
<R7>ftp 4.4.4.4
Press CTRL+C to abort.
Connected to 4.4.4.4 (4.4.4.4).
220 FTP service ready.
User (4.4.4.4:(none)): luoqi
331 Password required for luoqi.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (4,4,4,4,35,120)
150 Accepted data connection
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 diagfile
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licbackup
-rwxrwxrwx 1 0 0 43136 Jul 14 08:50 licnormal
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 logfile
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-boot-r0424p22.bin
-rwxrwxrwx 1 0 0 0 Jul 14 08:50 msr36-cmw710-system-r0424p22.bin
drwxrwxrwx 2 0 0 4096 Jul 14 08:50 seclog
226 7 matches total
ftp>
11. Prevent the 10.1.1.0/24 segment from pinging R1's addresses
On R1
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 1.1.1.1 0 icmp-type echo-reply
[R1-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 1.1.1.1 0
[R1-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 192.168.1.1 0 icmp-type echo-reply
[R1-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 192.168.1.1 0
[R1-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 192.168.2.1 0 icmp-type echo-reply
[R1-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 192.168.2.1 0
[R1-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 100.3.3.1 0 icmp-type echo-reply
[R1-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 100.3.3.1 0
On PC9
<H3C>ping 1.1.1.1
Ping 1.1.1.1 (1.1.1.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 1.1.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:46:25:861 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 1.1.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 100.3.3.1
Ping 100.3.3.1 (100.3.3.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 100.3.3.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:46:43:980 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 100.3.3.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:47:00:810 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:47:15:232 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
However, R1 can ping PC9
<H3C>ping 10.1.1.2
Ping 10.1.1.2 (10.1.1.2): 56 data bytes, press CTRL+C to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=252 time=3.080 ms
56 bytes from 10.1.1.2: icmp_seq=1 ttl=252 time=2.399 ms
56 bytes from 10.1.1.2: icmp_seq=2 ttl=252 time=2.930 ms
56 bytes from 10.1.1.2: icmp_seq=3 ttl=252 time=2.656 ms
56 bytes from 10.1.1.2: icmp_seq=4 ttl=252 time=2.184 ms
--- Ping statistics for 10.1.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.184/2.650/3.080/0.330 ms
<R1>%Jul 14 15:23:37:341 2025 R1 PING/6/PING_STATISTICS: Ping statistics for 10.1.1.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.184/2.650/3.080/0.330 ms.
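The one-way ping result above depends on rule order in ACL 3000: the echo-reply permit must come before the broader ICMP deny for the same destination. The following model is an added example, not part of the original lab. It assumes first-match evaluation in the order the rules were entered and that the packet filter permits packets matching no rule (consistent with step 9, where other routers still reach R1 by telnet); `Rule`, `evaluate` and `r1_acl_3000` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(addr: str, spec: Tuple[str, str]) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    wc = 0 if wildcard == "0" else _ip(wildcard)   # "0" means a single host
    care = ~wc & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp" or "icmp"
    src: Tuple[str, str]                      # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None     # None = any destination
    dport: Optional[Tuple[int, int]] = None   # inclusive TCP port range
    icmp_type: Optional[int] = None           # 0 = echo-reply, 8 = echo request

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.proto or not _wild_match(pkt["src"], self.src):
            return False
        if self.dst is not None and not _wild_match(pkt["dst"], self.dst):
            return False
        if self.dport is not None:
            if not self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]:
                return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; unmatched packets get the default action
    (assumed permit, as the lab results in step 9 indicate)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Addresses taken from the lab; the rule set mirrors R1's ACL 3000 after steps 9 and 11.
R1_ADDRS = ["1.1.1.1", "192.168.1.1", "192.168.2.1", "100.3.3.1"]
R5_ADDRS = ["5.5.5.5", "100.2.2.5", "172.16.2.5", "172.16.1.5"]
LAN = ("10.1.1.0", "0.0.0.255")


def r1_acl_3000(reply_permit_first=True):
    rules = [Rule("deny", "tcp", (a, "0"), dport=(23, 23)) for a in R5_ADDRS]
    for a in R1_ADDRS:
        permit = Rule("permit", "icmp", LAN, dst=(a, "0"), icmp_type=0)
        deny = Rule("deny", "icmp", LAN, dst=(a, "0"))
        rules += [permit, deny] if reply_permit_first else [deny, permit]
    return rules


def ping(src, dst):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": 8}


def reply(src, dst):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": 0}


def telnet(src, dst):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": 23}


if __name__ == "__main__":
    acl = r1_acl_3000()
    checks = {
        "PC9 echo request to R1": ping("10.1.1.2", "1.1.1.1"),
        "PC9 echo reply to R1's ping": reply("10.1.1.2", "192.168.2.1"),
        "R5 telnet to R1": telnet("172.16.1.5", "1.1.1.1"),
        "R2 telnet to R1": telnet("192.168.1.2", "1.1.1.1"),
        # The telnet deny rules name no destination, so R5 telnet traffic
        # that merely transits R1 is matched as well.
        "R5 telnet through R1 to R2": telnet("5.5.5.5", "2.2.2.2"),
    }
    for name, pkt in checks.items():
        print(f"{name}: {evaluate(acl, pkt)}")
    # With the deny entered first, the echo reply is dropped and R1's ping fails.
    print("reversed order, echo reply:",
          evaluate(r1_acl_3000(False), reply("10.1.1.2", "192.168.2.1")))
```

The same rule pattern is used on R4 and R3 in the following steps, so the model applies there with the addresses swapped.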
12. Deny the 10.1.1.0/24 segment access to R4's addresses
On R4
[R4]acl advanced 3000
[R4-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 4.4.4.4 0 icmp-type echo-reply
[R4-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 4.4.4.4 0
[R4-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 100.3.3.4 0 icmp-type echo-reply
[R4-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 100.3.3.4 0
[R4-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 172.16.3.4 0 icmp-type echo-reply
[R4-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 172.16.3.4 0
[R4-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.0 0.0.0.255 destination 172.16.1.4 0 icmp-type echo-reply
[R4-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.0 0.0.0.255 destination 172.16.1.4 0
[R4-acl-ipv4-adv-3000]qu
[R4]
On PC9
<H3C>ping 4.4.4.4
Ping 4.4.4.4 (4.4.4.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 4.4.4.4 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:50:55:767 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 4.4.4.4: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 100.3.3.4
Ping 100.3.3.4 (100.3.3.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 100.3.3.4 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:51:15:339 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 100.3.3.4: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 172.16.1.4
Ping 172.16.1.4 (172.16.1.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 172.16.1.4 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:51:33:832 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 172.16.1.4: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 172.16.3.4
Ping 172.16.3.4 (172.16.3.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 172.16.3.4 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 14:51:51:741 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 172.16.3.4: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>
However, R4 can ping PC9
<R4>ping 10.1.1.2
Ping 10.1.1.2 (10.1.1.2): 56 data bytes, press CTRL+C to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=252 time=2.417 ms
56 bytes from 10.1.1.2: icmp_seq=1 ttl=252 time=2.054 ms
56 bytes from 10.1.1.2: icmp_seq=2 ttl=252 time=2.164 ms
56 bytes from 10.1.1.2: icmp_seq=3 ttl=252 time=2.543 ms
56 bytes from 10.1.1.2: icmp_seq=4 ttl=252 time=2.112 ms
--- Ping statistics for 10.1.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.054/2.258/2.543/0.189 ms
<R4>%Jul 14 15:28:03:683 2025 R4 PING/6/PING_STATISTICS: Ping statistics for 10.1.1.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.054/2.258/2.543/0.189 ms.
<R4>
15. Deny PC10 access to R3's addresses
On R3
[R3]acl advanced 3000
[R3-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.3 0 destination 3.3.3.3 0 icmp-type echo-reply
[R3-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.3 0 destination 3.3.3.3 0
[R3-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.3 0 destination 192.168.2.3 0 icmp-type echo-reply
[R3-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.3 0 destination 192.168.2.3 0
[R3-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.3 0 destination 192.168.3.3 0 icmp-type echo-reply
[R3-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.3 0 destination 192.168.3.3 0
[R3-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.3 0 destination 200.1.1.3 0 icmp-type echo-reply
[R3-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.3 0 destination 200.1.1.3 0
[R3-acl-ipv4-adv-3000]rule permit icmp source 10.1.1.3 0 destination 200.2.2.3 0 icmp-type echo-reply
[R3-acl-ipv4-adv-3000]rule deny icmp source 10.1.1.3 0 destination 200.2.2.3 0
[R3-acl-ipv4-adv-3000]qu
[R3]int g0/0
[R3-GigabitEthernet0/0]packet-filter 3000 inbound
[R3-GigabitEthernet0/0]int g0/1
[R3-GigabitEthernet0/1]packet-filter 3000 inbound
[R3-GigabitEthernet0/1]int g0/2
[R3-GigabitEthernet0/2]packet-filter 3000 inbound
[R3-GigabitEthernet0/2]int g5/0
[R3-GigabitEthernet5/0]packet-filter 3000 inbound
[R3-GigabitEthernet5/0]
On PC10
<H3C>ping 3.3.3.3
Ping 3.3.3.3 (3.3.3.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 3.3.3.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:36:18:890 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 3.3.3.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 192.168.2.3
Ping 192.168.2.3 (192.168.2.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.2.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:36:39:361 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 192.168.3.3
Ping 192.168.3.3 (192.168.3.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.3.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:36:54:378 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 200.1.1.3
Ping 200.1.1.3 (200.1.1.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 200.1.1.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:37:16:837 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 200.1.1.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>ping 200.2.2.3
Ping 200.2.2.3 (200.2.2.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 200.2.2.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Jul 14 15:37:32:512 2025 H3C PING/6/PING_STATISTICS: Ping statistics for 200.2.2.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
<H3C>
However, R3 can ping PC10
[R3]ping 10.1.1.3
Ping 10.1.1.3 (10.1.1.3): 56 data bytes, press CTRL+C to break
56 bytes from 10.1.1.3: icmp_seq=0 ttl=253 time=2.178 ms
56 bytes from 10.1.1.3: icmp_seq=1 ttl=253 time=1.543 ms
56 bytes from 10.1.1.3: icmp_seq=2 ttl=253 time=1.105 ms
56 bytes from 10.1.1.3: icmp_seq=3 ttl=253 time=1.799 ms
56 bytes from 10.1.1.3: icmp_seq=4 ttl=253 time=1.070 ms
--- Ping statistics for 10.1.1.3 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.070/1.539/2.178/0.421 ms
[R3]%Jul 14 15:38:13:525 2025 R3 PING/6/PING_STATISTICS: Ping statistics for 10.1.1.3: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.070/1.539/2.178/0.421 ms.