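Requirements
* Configure IP addresses
* pc1 can access client; client rejects access from pc2
* client can access the telnet service on server
  server must be configured with telnet; the username and password are both admin
* Configure routing appropriately
  The private network must not carry public routes, and the public network must not carry private routes
* Configure an MP-group between AR3 and AR4, with CHAP authentication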
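Approach
* Do the basic configuration
* Configure CHAP authentication and the MP-group
* Configure telnet and NAPT address translation
* Configure the ACLs
  Note for requirement 2: the addresses have already been translated between AR2 and AR3, and the translation is NAPT, so the advanced ACL has to be applied on AR2 (alternatively, use static NAT and then apply the advanced ACL on AR3).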
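Why the ACL placement matters, as an added example that is not part of the original write-up: a small Python model of ACL 3000 evaluated before and after AR2's NAPT. The addresses and rules are copied from the AR2 configuration on this page; pc1 = 10.1.1.1 and pc2 = 10.1.1.2 are assumed from the ACL 3000 rules.

```python
import ipaddress

# Values taken from the AR2 configuration on this page.
NAPT_POOL = "200.1.1.20"                         # nat address-group 1
NAT_SOURCES = ["172.16.1.0/24", "10.1.1.0/24"]   # acl 2000, wildcard 0.0.0.255
# acl 3000 as (action, source, destination); the first matching rule wins.
ACL_3000 = [
    ("permit", "10.1.1.1/32", "198.76.1.1/32"),
    ("deny",   "10.1.1.2/32", "198.76.1.0/24"),
]
PC1, PC2, CLIENT = "10.1.1.1", "10.1.1.2", "198.76.1.1"  # pc1/pc2 assumed


def acl_action(rules, src, dst):
    """Return the action of the first matching rule, or None if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return None


def napt(src):
    """Source address after 'nat outbound 2000 address-group 1' on AR2 g0/0/2."""
    s = ipaddress.ip_address(src)
    if any(s in ipaddress.ip_network(net) for net in NAT_SOURCES):
        return NAPT_POOL
    return src


def filter_on_ar2(src, dst):
    """ACL 3000 inbound on AR2 g0/0/1: the packet still has its private source."""
    return acl_action(ACL_3000, src, dst)


def filter_on_ar3(src, dst):
    """The same rules on AR3: AR2 has already rewritten the source address."""
    return acl_action(ACL_3000, napt(src), dst)


if __name__ == "__main__":
    for name, host in (("pc1", PC1), ("pc2", PC2)):
        print(name, "source seen by AR3:", napt(host),
              "| on AR2:", filter_on_ar2(host, CLIENT),
              "| on AR3:", filter_on_ar3(host, CLIENT))
```

Both hosts leave AR2 with the same source address, so host-specific rules can only match before translation; a one-to-one static NAT would keep the two hosts distinguishable downstream.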
Implementation
telnet
```
<Huawei>sy
[Huawei]sysn telnet
[telnet]int g 0/0/0
[telnet-GigabitEthernet0/0/0]ip a 172.16.1.1 30
[telnet-GigabitEthernet0/0/0]qu
[telnet]telnet server enable
[telnet]user-interface vty 0 4
[telnet-ui-vty0-4]authentication-mode aaa
[telnet-ui-vty0-4]qu
[telnet]aaa
[telnet-aaa]local-user admin password cipher admin
[telnet-aaa]local-user admin service-type telnet
[telnet-aaa]local-user admin privilege level 3
[telnet-aaa]qu
[telnet]ip route-static 0.0.0.0 0 172.16.1.2
```

AR2
```
<Huawei>sy
[Huawei]sysname AR2
[AR2]int g 0/0/0
[AR2-GigabitEthernet0/0/0]ip a 172.16.1.2 30
[AR2-GigabitEthernet0/0/0]int g 0/0/1
[AR2-GigabitEthernet0/0/1]ip a 10.1.1.2 24
[AR2-GigabitEthernet0/0/1]int g 0/0/2
[AR2-GigabitEthernet0/0/2]ip a 200.1.1.2 24
[AR2-GigabitEthernet0/0/2]qu
[AR2]ip route-static 0.0.0.0 0.0.0.0 200.1.1.3
[AR2]acl number 2000
[AR2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[AR2-acl-basic-2000]rule permit source 10.1.1.0 0.0.0.255
[AR2-acl-basic-2000]qu
[AR2]nat address-group 1 200.1.1.20 200.1.1.20
[AR2]int g 0/0/2
[AR2-GigabitEthernet0/0/2]nat server protocol tcp global 200.1.1.10 telnet inside 172.16.1.1 telnet
[AR2-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
[AR2-GigabitEthernet0/0/2]qu
[AR2]acl 3000
[AR2-acl-adv-3000]rule permit ip source 10.1.1.1 0 destination 198.76.1.1 0
[AR2-acl-adv-3000]rule deny ip source 10.1.1.2 0 destination 198.76.1.0 0.0.0.255
[AR2-acl-adv-3000]int g 0/0/1
[AR2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
```

AR3
```
# When configuring the MP-group interface, configure CHAP or PAP authentication first, then add the physical ports to the MP-group interface
<Huawei>sy
[Huawei]int Mp-group 0/0/0
[Huawei-Mp-group0/0/0]qu
[Huawei]aaa
[Huawei-aaa]local-user 123 password cipher 123
[Huawei-aaa]local-user 123 service-type ppp
[Huawei-aaa]qu
[Huawei]int s 4/0/0
[Huawei-Serial4/0/0]ppp authentication-mode chap
[Huawei-Serial4/0/0]ppp mp Mp-group 0/0/0
[Huawei-Serial4/0/0]int s 4/0/1
[Huawei-Serial4/0/1]ppp authentication-mode chap
[Huawei-Serial4/0/1]ppp mp Mp-group 0/0/0
[Huawei-Serial4/0/1]qu
[Huawei]int Mp-group 0/0/0
[Huawei-Mp-group0/0/0]ip a 200.2.2.3 24
```

AR4
```
<Huawei>sy
[Huawei]int g 0/0/1
[Huawei-GigabitEthernet0/0/1]ip a 198.76.1.4 24
[Huawei-GigabitEthernet0/0/1]int Mp-group 0/0/0
[Huawei-Mp-group0/0/0]qu
[Huawei]int s 4/0/0
[Huawei-Serial4/0/0]ppp chap user 123
[Huawei-Serial4/0/0]ppp chap password cipher 123
[Huawei-Serial4/0/0]ppp mp Mp-group 0/0/0
[Huawei-Serial4/0/0]int s 4/0/1
[Huawei-Serial4/0/1]ppp chap user 123
[Huawei-Serial4/0/1]ppp chap password cipher 123
[Huawei-Serial4/0/1]ppp mp Mp-group 0/0/0
[Huawei-Serial4/0/1]int Mp-group 0/0/0
[Huawei-Mp-group0/0/0]ip address 200.2.2.4 24
```

client
```
<Huawei>sy
[Huawei]sysn client
[client]int g 0/0/0
[client-GigabitEthernet0/0/0]ip a 198.76.1.1 24
[client-GigabitEthernet0/0/0]qu
[client]ip route-static 0.0.0.0 0 198.76.1.4
```
Verification