Internal/external network connectivity
The internal and external networks cannot be connected by routing; NAT is used instead.
Step 1: configure the ACL. Step 2: configure the address pool. Step 3: apply it on the outbound interface.
[RT1]acl basic 2000
[RT1-acl-ipv4-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[RT1-acl-ipv4-basic-2000]rule permit source 172.16.2.0 0.0.0.255
[RT1-acl-ipv4-basic-2000]quit
[RT1]nat address-group 1
[RT1-address-group-1]address 100.0.0.10 100.0.0.20
[RT1-address-group-1]quit
[RT1]inter mp1
[RT1-MP-group1]nat outbound 2000 address-group 1
[RT1-MP-group1]quit
At this point PC1 still cannot reach PC3. Cause: SW2, PC1's gateway, is missing a default route.
[SW2]ip route-static 0.0.0.0 0 10.0.0.2
[SW2]dis ip r
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 10.0.0.2 Vlan30
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.0/30 Direct 0 0 10.0.0.1 Vlan30
10.0.0.0/32 Direct 0 0 10.0.0.1 Vlan30
10.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.3/32 Direct 0 0 10.0.0.1 Vlan30
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/24 Direct 0 0 172.16.1.254 Vlan10
172.16.1.0/32 Direct 0 0 172.16.1.254 Vlan10
172.16.1.254/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.255/32 Direct 0 0 172.16.1.254 Vlan10
172.16.2.0/24 Direct 0 0 172.16.2.254 Vlan20
172.16.2.0/32 Direct 0 0 172.16.2.254 Vlan20
172.16.2.254/32 Direct 0 0 127.0.0.1 InLoop0
172.16.2.255/32 Direct 0 0 172.16.2.254 Vlan20
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
PC1 and PC3 can now communicate.
[RT1]dis acl 2000
Basic IPv4 ACL 2000, 2 rules,
ACL's step is 5
rule 0 permit source 172.16.1.0 0.0.0.255 (1 times matched)
rule 5 permit source 172.16.2.0 0.0.0.255
Configuring remote login
First enable the server
Configure the virtual user lines, the authentication password and the user role
[RT2]telnet server enable //enable the Telnet server
[RT2]line vty 0 4 //set the number of virtual user lines; for a single line use 0
[RT2-line-vty0-4]set authentication password simple 123 //set the user login password
[RT2-line-vty0-4]user-role network-admin //set the user role; different roles have different privileges
[RT2-line-vty0-4]quit
Verify whether remote login works
A Layer 3 switch or a router can be used to log in, but the client source address must be specified when logging in, so that the Telnet traffic carries a source address that NAT ACL 2000 permits.
[SW2]telnet client source ip 172.16.1.254
[SW2]
<SW2>telnet 100.0.0.2
Trying 100.0.0.2 ...
Press CTRL+K to abort
Connected to 100.0.0.2 ...
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Password:
<RT2>
<RT2>
<RT2>dis ip r
Destinations : 17 Routes : 17
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
100.0.0.0/24 Direct 0 0 100.0.0.2 MP1
100.0.0.0/32 Direct 0 0 100.0.0.2 MP1
100.0.0.1/32 Direct 0 0 100.0.0.1 MP1
100.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
100.0.0.255/32 Direct 0 0 100.0.0.2 MP1
100.0.1.0/24 Direct 0 0 100.0.1.254 GE0/0
100.0.1.0/32 Direct 0 0 100.0.1.254 GE0/0
100.0.1.254/32 Direct 0 0 127.0.0.1 InLoop0
100.0.1.255/32 Direct 0 0 100.0.1.254 GE0/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
<RT2>quit
Using ACLs, make host PC1 unable to ping PC2 while still able to ping the other hosts, and make the network that PC2 belongs to unable to telnet to PC3.
Configure advanced ACLs on SW2
[SW2]acl ad
[SW2]acl advanced 3000
[SW2-acl-ipv4-adv-3000]rule deny icmp source 172.16.1.1 0 destination 172.16.2.1 0
[SW2-acl-ipv4-adv-3000]quit
[SW2]inter vlan 30
[SW2-Vlan-interface30]inter vlan 10
[SW2-Vlan-interface10]packet-filter 3000 inbound
[SW2-Vlan-interface10]quit
PC1 can no longer ping PC2; on SW2 check whether it is the ACL that is taking effect.
First verify that login is still possible
<SW2>telnet 100.0.0.2
Trying 100.0.0.2 ...
Press CTRL+K to abort
Connected to 100.0.0.2 ...
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Password:
<RT2>quit
[SW2]acl advanced 3001
[SW2-acl-ipv4-adv-3001]rule deny tcp source 172.16.2.0 0.0.0.255 destination 100.0.0.2 0 destination-port eq 23
[SW2-acl-ipv4-adv-3001]rule deny tcp source 172.16.2.0 0.0.0.255 destination 100.0.1.254 0 destination-port eq telnet
[SW2-acl-ipv4-adv-3001]quit
[SW2]inter vlan 30
[SW2-Vlan-interface30]packet-filter 3001 outbound
[SW2-Vlan-interface30]quit
<SW2>telnet 100.0.0.2
Trying 100.0.0.2 ...
Press CTRL+K to abort
Connected to 100.0.0.2 ...
Failed to connect to the remote host!
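As an added example (not part of the lab notes), the following script evaluates the three ACLs configured above offline, using wildcard-mask semantics and first-match ordering, so the intended policy (NAT ACL 2000, packet-filter ACLs 3000 and 3001) can be checked before it is applied on the device. The PC1 and PC2 addresses come from the rules on the page; the PC3 address 100.0.1.1 is an assumption.

```python
# Added example: offline evaluator for the H3C-style ACL rules in these notes.
import ipaddress
from typing import NamedTuple, Optional, Sequence

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard (inverse) mask: a 0 bit must match exactly, a 1 bit is don't-care.
    # The CLI accepts the shorthand "0" for 0.0.0.0 (exact host match).
    if "." not in wildcard:
        wildcard = "0.0.0.0"
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    return a == (int(ipaddress.IPv4Address(base)) & care)

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"         # default: any destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # None: any destination port

def acl_decision(rules: Sequence[Rule], proto: str, src: str, dst: str,
                 dport: Optional[int] = None, default: str = "permit") -> str:
    # First matching rule wins. packet-filter permits when no rule matches;
    # for nat outbound use default="deny": an unmatched packet is not translated.
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src, r.src, r.src_wc):
            continue
        if not wildcard_match(dst, r.dst, r.dst_wc):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return default

# The three ACLs from the notes, rule by rule, in configured order.
ACL_2000 = [Rule("permit", "ip", "172.16.1.0", "0.0.0.255"),
            Rule("permit", "ip", "172.16.2.0", "0.0.0.255")]
ACL_3000 = [Rule("deny", "icmp", "172.16.1.1", "0", "172.16.2.1", "0")]
ACL_3001 = [Rule("deny", "tcp", "172.16.2.0", "0.0.0.255", "100.0.0.2", "0", 23),
            Rule("deny", "tcp", "172.16.2.0", "0.0.0.255", "100.0.1.254", "0", 23)]

def nat_translates(src: str) -> bool:
    # Assumed PC3 address 100.0.1.1 as a sample external destination.
    return acl_decision(ACL_2000, "ip", src, "100.0.1.1", default="deny") == "permit"

if __name__ == "__main__":
    print(acl_decision(ACL_3000, "icmp", "172.16.1.1", "172.16.2.1"))    # deny
    print(acl_decision(ACL_3001, "tcp", "172.16.2.1", "100.0.0.2", 23))  # deny
    print(nat_translates("10.0.0.1"))  # False: SW2's uplink address is not translated
```

The last line shows why SW2 needs `telnet client source ip 172.16.1.254`: only sources inside 172.16.1.0/24 or 172.16.2.0/24 are matched by ACL 2000 and translated.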