The topology is as follows:
R1 Serial0/0/0 <----->R2 Serial0/0/0
R1 FastEthernet0/0 <-----> PC0
R2 FastEthernet0/0 <-----> PC1
R1 configuration:
service password-encryption
!
hostname R1
!
!
enable secret 5 $1$6HWX$IY4UIouN7jar3FEO0lz2i/
enable password 7 14141B180F0B
!
no ip domain-lookup
!
!
interface FastEthernet0/0
ip address 192.168.101.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.1.1 255.255.255.0
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.101.0
!
ip classless
!
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
!
!
!
line con 0
password 7 14141B180F0B
login
line vty 0 4
password 7 14141B180F0B
login
!
!
R2 configuration:
service password-encryption
!
hostname R2
!
!
enable secret 5 $1$VScG$k3YubD3YzXi9BHsEeAmXr0
enable password 7 070C285F4D06
!
no ip domain-lookup
!
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.100.0
!
ip classless
!
!
!
!
line con 0
password 7 070C285F4D06
login
line vty 0 4
password 7 070C285F4D06
login
!
!
PC0 configuration:
IP Address 192.168.101.2
Gateway 192.168.101.1
PC1 configuration:
IP Address 192.168.100.2
Gateway 192.168.100.1
#########################
R1(config)# access-list 100 deny icmp any any echo-reply
R1(config)#access-list 100 permit ip any any
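Result:
A ping from PC0 to PC1 (ping 192.168.100.2) fails, because the ping echo request packets sent by PC0 are dropped on R1's FastEthernet0/0 interface. (access-list 100 deny icmp any any echo)
A ping from PC1 to PC0 (ping 192.168.101.2) succeeds.
Change the access control list on R1.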
R1(config)# no access-list 100 deny icmp any any echo
R1(config)#no access-list 100 permit ip any any
Result:
A ping from PC0 to PC1 (ping 192.168.100.2) succeeds.
A ping from PC1 to PC0 (ping 192.168.101.2) fails, because the ping echo reply packets sent by PC0 are dropped on R1's FastEthernet0/0 interface. (access-list 100 deny icmp any any echo-reply)
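
The two results above follow from first-match evaluation of an ACL applied inbound on a single interface. The Python sketch below is an added example, not part of the original lab; it models the two variants of access-list 100 and reproduces both outcomes. The function names and the tuple representation are assumptions made for illustration, and source/destination matching is omitted because every entry uses "any any".

```python
# Added illustration: models only what ACL 100 sees inbound on R1 FastEthernet0/0.
# Entries are (action, protocol, icmp_message); None means "any message".
ACL_DENY_ECHO = [("deny", "icmp", "echo"), ("permit", "ip", None)]
ACL_DENY_ECHO_REPLY = [("deny", "icmp", "echo-reply"), ("permit", "ip", None)]


def acl_permits(acl, protocol, icmp_message=None):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for action, proto, message in acl:
        proto_match = proto == "ip" or proto == protocol
        message_match = message is None or message == icmp_message
        if proto_match and message_match:
            return action == "permit"
    return False  # implicit "deny ip any any" at the end of every ACL


def ping_succeeds(acl, source):
    """source is "PC0" (behind R1 Fa0/0) or "PC1" (behind R2).

    Only packets sent by PC0 enter R1 through Fa0/0, so only those are
    checked by "ip access-group 100 in". Packets towards PC0 leave Fa0/0
    outbound, where no ACL is applied.
    """
    if source == "PC0":
        from_pc0 = "echo"        # PC0 sends the request
    elif source == "PC1":
        from_pc0 = "echo-reply"  # PC0 sends the reply
    else:
        raise ValueError("source must be 'PC0' or 'PC1'")
    return acl_permits(acl, "icmp", from_pc0)


def results(acl):
    """Return the ping outcome for both directions under the given ACL."""
    return {src: ping_succeeds(acl, src) for src in ("PC0", "PC1")}


if __name__ == "__main__":
    for name, acl in (("deny echo", ACL_DENY_ECHO),
                      ("deny echo-reply", ACL_DENY_ECHO_REPLY)):
        print(name, results(acl))
```

Neither variant blocks ping in both directions, because the ACL only inspects traffic entering FastEthernet0/0 and each variant denies only one ICMP message type.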