lo0:2.2 r1(R2) s1/0 ---- s2/0 r2(R1) lo0 1.1 s1/0 -------- s2/0 r3(R3) lo0 3.3

step 1...
r1:
 en
 config t
 hostname R2
 no ip domain-lookup
 lin 0
 exec-timeout 0 0   ! 关闭该线路的空闲超时(永不自动登出),仅适合实验环境
 logging syn
 exit

 int lo 0
 ip add 2.2.2.2 255.255.255.255
 exit
 int s1/0
 ip add 12.1.1.2 255.255.255.0
 no shutdown
 exit
 


r2
 en
 config t
 hostname R1
 no ip domain-lookup
 lin 0
 exec-timeout 0 0
 logging syn
 exit

 int lo 0
 ip add 1.1.1.1 255.255.255.255
 exit
 int s2/0
 ip add 12.1.1.1 255.255.255.0
 no shutdown
 exit
 int s1/0
 ip add 13.1.1.1 255.255.255.0
 no shutdown
 exit


r3
 en
 config t
 hostname R3
 no ip domain-lookup
 lin 0
 exec-timeout 0 0
 logging syn
 exit

 int lo 0
 ip add 3.3.3.3 255.255.255.255
 exit
 int s2/0
 ip add 13.1.1.3 255.255.255.0
 no shutdown
 exit

R1 ping 12.1.1.2
R1 Ping 13.1.1.3
---------------------------------------------------------------
step 2......
R1 ip route 2.2.2.2 255.255.255.255 s2/0 12.1.1.2
R1 ip route 3.3.3.3 255.255.255.255 s1/0 13.1.1.3

R2 ip route 1.1.1.1 255.255.255.255  s1/0 12.1.1.1
R2 ip route 3.3.3.3 255.255.255.255  s1/0 12.1.1.1
R2 ip route 13.1.1.0 255.255.255.0  s1/0 12.1.1.1

R3 ip route 1.1.1.1 255.255.255.255  s2/0 13.1.1.1
R3 ip route 2.2.2.2 255.255.255.255  s2/0 13.1.1.1
R3 ip route 12.1.1.0 255.255.255.0  s2/0  13.1.1.1

R1 ping 2.2.2.2 source loopback 0
R1 ping 3.3.3.3 source loopback 0

R2 ping 1.1.1.1 source loopback 0
R2 ping 3.3.3.3 source loopback 0

R3 ping 2.2.2.2 source loopback 0
R3 ping 1.1.1.1 source loopback 0
R3 ping 12.1.1.1 source loopback 0
--------------------------------------------------------------------
step 3.....
R2 ping 3.3.3.3 source loopback 0
r1 debug ip packet

r1 int s2/0
   no ip route-cache        ! 关闭该接口的快速交换,让过路包走进程交换,debug ip packet 才能显示这些包
   end

r1 unde all
r1 show ip route
---------------------------------------------------------------------
step 4.....
r1 access-list?
   access-list 10 ?
   access-list 10 deny ?
   access-list 10 deny 2.2.2.2 ?
   access-list 10 deny  host 2.2.2.2
r1 show ip access-list 10
------------------------------------------------------------------
step 5.....
r1 config t
   int s2/0
   ip access-group 10 ?
   ip access-group 10 in
   end

r2 ping 3.3.3.3 source loopback 0

r1 debug ip packet
r2 ping 3.3.3.3 source loopback 0

r1 unde all

r3 debug ip packet
r2 ping 3.3.3.3 source loopback 0
-------------------------------------------------------------------
step 5 第二种做法
r1 config t
   int s2/0
   no ip access-group 10 in
   exit
   int s1/0
   ip access-group 10 out
   end
r1 debug ip packet
r2 ping 3.3.3.3 source loopback 0
......这次是超时
r3 debug ip packet 
依然收不到包
-------------------------------------------------------------------
step 6
r2 config t
   int lo 0
   ip add 22.22.22.22 255.255.255.255
   end
r1 ip route 22.22.22.22 255.255.255.255 s2/0 12.1.1.2
   end
r3 ip route 22.22.22.22 255.255.255.255 s2/0 13.1.1.1

r2 int lo0
   ip add 2.2.2.2 255.255.255.255 secondary
   end
   show ip int bri
r1 no  access-list 10
   show ip access-list
r1 config t
   access-list 10 deny host 2.2.2.2
   end
   show ip access-list
r2 ping 3.3.3.3 source 2.2.2.2
r1 show ip access-list
r2 ping 3.3.3.3 source 22.22.22.22
r1 show ip access-list
因为 ACL 10 里没有允许 22.22.22.22 通过的条目,所以它被 ACL 末尾隐含的 deny any(默认拒绝)丢弃
r1 config t
   (末尾隐含: access-list 10 deny any)  // 需要手动追加: access-list 10 permit any,否则除 2.2.2.2 以外的源地址也会被拒绝
   show ip access-list


访问控制列表 
控制层
转发层
控制层变了转发层会变
路由器拆包拆到第三层 ip层  每个路由器都看到数据包的第三层
入方向(in): 先查ACL再查路由表; 出方向(out): 先查路由表确定出接口, 再查该出接口上的ACL
标准: 基于源地址  (ip 地址)
扩展: 基于源地址 目标地址 端口号 协议号
不管是标准的还是扩展的ACL, 末尾都有一条隐含的 deny any (默认拒绝)
以环回口为源地址发出的包属于路由器自身产生的包, 接口上的出方向ACL不会过滤路由器自己产生的包
为什么这个列表不能做在R2上面呢?  因为要过滤的包正是R2自己发出的, R2出接口上的ACL不会拒绝它本身的发包