Lab requirements:
0. Before starting, make sure the whole network is reachable end to end (RIPv2 between the routers).
1. Switches are replaced by routers; the WG host is also simulated by a router.
2. AR1 may only be logged into from WG.
3. YF and CW must not be able to reach each other, but both may reach WG.
4. WG and YF may access Client1.
5. CW may not access Client1.
6. YF and CW may only use Server1's WWW service (TCP/80). (The original wording said "YF and WG", which contradicts requirement 7 and the ACLs in key configurations 2 and 3; YF and CW is what is actually configured.)
7. Only WG may use all of Server1's services.

Lab topology:
(The diagram is not reproduced here. From the addressing used in the configuration below:
WG 192.168.10.1 -- AR2 g0/0/1 192.168.10.2; AR2 g0/0/2 192.168.20.254 is YF's gateway (YF 192.168.20.1);
AR2 g0/0/0 192.168.12.1 -- AR1 g0/0/1 192.168.12.2; AR1 g0/0/0 1.1.1.254 is Client1's gateway (Client1 1.1.1.1);
AR1 g0/0/2 192.168.13.2 -- AR3 g0/0/0 192.168.13.1; AR3 g0/0/1 192.168.30.254 is CW's gateway (CW 192.168.30.1);
AR3 g0/0/2 192.168.1.254 is Server1's gateway (Server1 192.168.1.1).
The host addresses are the ones referenced by the ACL rules below.)

Lab configuration:
---------------------------------------------------------------------------------
[WG]int g0/0/0
[WG-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[WG-GigabitEthernet0/0/0]un shutdown
[WG]rip
[WG-rip-1]version 2
[WG-rip-1]network 192.168.10.0
----------------------------
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.10.2 24
[AR2-GigabitEthernet0/0/1]un shutdown
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.12.1 24
[AR2-GigabitEthernet0/0/0]un shutdown
[AR2]int g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 192.168.20.254 24
[AR2-GigabitEthernet0/0/2]un shutdown
[AR2]rip
[AR2-rip-1]version 2
[AR2-rip-1]network 192.168.10.0
[AR2-rip-1]network 192.168.12.0
[AR2-rip-1]network 192.168.20.0
--------------------------------------
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.12.2 24
[AR1-GigabitEthernet0/0/1]un shutdown
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 1.1.1.254 24
[AR1-GigabitEthernet0/0/0]un shutdown
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 192.168.13.2 24
[AR1-GigabitEthernet0/0/2]un shutdown
[AR1]rip
[AR1-rip-1]version 2
[AR1-rip-1]network 192.168.12.0
[AR1-rip-1]network 1.0.0.0
[AR1-rip-1]network 192.168.13.0
(RIP's network command takes a classful network, so 1.1.1.0/24 is advertised as 1.0.0.0.)
---------------------------------------------
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 192.168.13.1 24
[AR3-GigabitEthernet0/0/0]un shutdown
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip add 192.168.30.254 24
[AR3-GigabitEthernet0/0/1]un shutdown
[AR3]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip add 192.168.1.254 24
[AR3-GigabitEthernet0/0/2]un shutdown
[AR3]rip
[AR3-rip-1]version 2
[AR3-rip-1]network 192.168.13.0
[AR3-rip-1]network 192.168.30.0
[AR3-rip-1]network 192.168.1.0
===================================================================================
Key configuration 1: device access control
- AR1 may only be logged into from WG
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.10.1 0
[AR1-acl-basic-2000]rule 10 deny source any
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]acl 2000 inbound
[AR1-ui-vty0-4]authentication-mode aaa
[AR1]aaa
[AR1-aaa]local-user 77 password cipher 77
[AR1-aaa]local-user 77 service-type telnet
Notes: ACL 2000 is a basic ACL (source address only), so it restricts the management plane purely by source IP; the explicit "rule 10 deny source any" is what turns it into a whitelist. On newer VRP releases the Telnet server is disabled by default and must be turned on with "telnet server enable", and the user needs a privilege level (for example "local-user 77 privilege level 15") to reach system view after login. A username and password that are both "77" are acceptable only in a lab.
-------------------------------------------------------------------------------------
Key configuration 2: YF host access control
- YF and CW must not reach each other; YF may reach WG and Client1; YF may only use Server1's WWW service
[AR2]acl 3000
[AR2-acl-adv-3000]rule 5 permit ip source 192.168.20.1 0 destination 192.168.10.1 0
[AR2-acl-adv-3000]rule 10 permit ip source 192.168.20.1 0 destination 1.1.1.1 0
[AR2-acl-adv-3000]rule 15 permit tcp source 192.168.20.1 0 destination 192.168.1.1 0 destination-port eq 80
[AR2-acl-adv-3000]rule 20 deny ip source any
[AR2]int g0/0/2
[AR2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
------------------------------------------------------------------------------------
Key configuration 3: CW host access control
- CW must not reach YF or Client1; CW may reach WG; CW may only use Server1's WWW service
[AR3]acl 3000
[AR3-acl-adv-3000]rule 5 permit ip source 192.168.30.1 0 destination 192.168.10.1 0
[AR3-acl-adv-3000]rule 10 permit tcp source 192.168.30.1 0 destination 192.168.1.1 0 destination-port eq 80
[AR3-acl-adv-3000]rule 15 deny ip source any
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
Notes: both filters are applied inbound on the host-facing interface, so they only see traffic the host originates; WG's segment (AR2 g0/0/1) has no filter, which is what gives WG full access to Server1. The rules match packets one by one in rule-number order (first match wins) and are stateless: "permit tcp ... destination-port eq 80" lets the client's SYN through, and the server's replies are only delivered because the return path has no filter. If a filter were ever added on the Server1 side, the reverse flow (source-port eq 80) would have to be permitted explicitly. YF-CW isolation holds in both directions because each host's traffic toward the other is dropped by its own router's deny rule. RIP is unaffected, since the updates travel on the router-to-router links, not on the filtered access interfaces.
-------------------------------------------------------------------------
Verification commands:
<AR3>display acl 3000
<AR2>display acl 3000
<AR1>display acl 2000
Then test each requirement from the hosts: from YF, ping 192.168.10.1 and 1.1.1.1 (should succeed) and 192.168.30.1 (should fail); from CW, ping 192.168.10.1 (should succeed) and 1.1.1.1 or 192.168.20.1 (should fail); from YF or CW, only TCP/80 to 192.168.1.1 should work, while from WG every service on 192.168.1.1 should be reachable; telnet to AR1 should succeed from WG only. The matched-packet counters shown by "display acl" increase as the deny rules drop traffic.
------------------------------------------------------------------------------------
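Because the access rules for WG, YF and CW are spread across three routers, it is easy to leave a gap or a contradiction. The following is an added example, not part of the original lab notes, that models the Huawei ACL matching used above (wildcard masks where 0 means "bit must match", first matching rule wins, rule-number order) and checks the three ACLs from key configurations 1 to 3 against the lab requirements offline. The host addresses, the choice of which ACL a host's traffic hits, and the assumption that unmatched traffic is permitted (Huawei traffic-filter behaviour; every ACL on the page ends with an explicit deny, so it does not come into play) are taken from the configuration above; everything else (function names, the Rule class) is this example's own.

```python
"""Offline check of the lab's Huawei ACLs against the stated requirements (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every IP protocol; "tcp"/"udp"/"icmp" are specific
    src: str = "any"              # "a.b.c.d wildcard" as typed on VRP, or "any"
    dst: str = "any"              # basic ACLs (2000-2999) have no destination, hence the "any" default
    dport: Optional[int] = None   # destination-port eq N


def _match_addr(addr: str, spec: str) -> bool:
    """Huawei wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'.
    '0' on its own is VRP shorthand for the host wildcard 0.0.0.0."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    wc = int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    mask = ~wc & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & mask) == (int(IPv4Address(base)) & mask)


def evaluate(acl: list[Rule], src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet: rules are tried in rule-number order and the
    first match wins. A packet matching no rule is permitted by traffic-filter (assumption about
    VRP defaults; the page's ACLs all end in an explicit deny, so this branch is never reached)."""
    for r in sorted(acl, key=lambda r: r.rule_id):
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dport is not None and (proto not in ("tcp", "udp") or dport != r.dport):
            continue
        if _match_addr(src, r.src) and _match_addr(dst, r.dst):
            return r.action
    return "permit"


# The three ACLs exactly as configured on the page.
AR1_ACL_2000 = [                                   # basic ACL, bound to vty 0 4 inbound
    Rule(5, "permit", src="192.168.10.1 0"),
    Rule(10, "deny", src="any"),
]
AR2_ACL_3000 = [                                   # traffic-filter inbound on AR2 g0/0/2 (YF segment)
    Rule(5, "permit", "ip", "192.168.20.1 0", "192.168.10.1 0"),
    Rule(10, "permit", "ip", "192.168.20.1 0", "1.1.1.1 0"),
    Rule(15, "permit", "tcp", "192.168.20.1 0", "192.168.1.1 0", dport=80),
    Rule(20, "deny", "ip", "any", "any"),
]
AR3_ACL_3000 = [                                   # traffic-filter inbound on AR3 g0/0/1 (CW segment)
    Rule(5, "permit", "ip", "192.168.30.1 0", "192.168.10.1 0"),
    Rule(10, "permit", "tcp", "192.168.30.1 0", "192.168.1.1 0", dport=80),
    Rule(15, "deny", "ip", "any", "any"),
]

# Host addresses as referenced by the ACL rules; AR1's g0/0/1 address is the telnet target.
HOSTS = {"WG": "192.168.10.1", "YF": "192.168.20.1", "CW": "192.168.30.1",
         "Client1": "1.1.1.1", "Server1": "192.168.1.1"}
AR1_MGMT = "192.168.12.2"

# Which ACL a host's outbound traffic hits; WG's segment has no filter at all.
INGRESS_ACL = {"YF": AR2_ACL_3000, "CW": AR3_ACL_3000}


def host_can_reach(src_host: str, dst_host: str, proto: str = "icmp", dport: Optional[int] = None) -> bool:
    """Stateless model: only the filter on the source host's access interface is consulted,
    because that is the only filter on the path (return traffic is unfiltered)."""
    acl = INGRESS_ACL.get(src_host)
    if acl is None:
        return True
    return evaluate(acl, HOSTS[src_host], HOSTS[dst_host], proto, dport) == "permit"


def check_requirements() -> dict[str, bool]:
    """One boolean per lab requirement; every value should be True."""
    return {
        "2: AR1 login only from WG": evaluate(AR1_ACL_2000, HOSTS["WG"], AR1_MGMT) == "permit"
            and evaluate(AR1_ACL_2000, HOSTS["YF"], AR1_MGMT) == "deny"
            and evaluate(AR1_ACL_2000, HOSTS["CW"], AR1_MGMT) == "deny",
        "3: YF and CW isolated, both reach WG": not host_can_reach("YF", "CW") and not host_can_reach("CW", "YF")
            and host_can_reach("YF", "WG") and host_can_reach("CW", "WG"),
        "4: WG and YF reach Client1": host_can_reach("WG", "Client1") and host_can_reach("YF", "Client1"),
        "5: CW cannot reach Client1": not host_can_reach("CW", "Client1"),
        "6: YF and CW only TCP/80 on Server1": host_can_reach("YF", "Server1", "tcp", 80)
            and host_can_reach("CW", "Server1", "tcp", 80)
            and not host_can_reach("YF", "Server1", "tcp", 22)
            and not host_can_reach("CW", "Server1", "icmp"),
        "7: WG has full access to Server1": host_can_reach("WG", "Server1", "tcp", 22)
            and host_can_reach("WG", "Server1", "icmp"),
    }


if __name__ == "__main__":
    for requirement, ok in check_requirements().items():
        print(f"{'OK  ' if ok else 'FAIL'} {requirement}")
```

Edit the rule lists to mirror any change made on the routers and rerun; a requirement that flips to FAIL points at the router whose ACL lost its permit or its final deny. The model deliberately ignores return traffic, which is exactly why it would stop being valid the moment a filter is placed on the Server1 or Client1 side.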