H3CNE Comprehensive Lab

Lab topology (diagram)

Lab requirements

  1. Configure IP addresses as shown in the diagram
  2. Configure link aggregation on the direct link between SW1 and SW2
  3. The company's internal business segments are Vlan10 and Vlan20; Vlan10 is the marketing department and Vlan20 the technical department, and the VLANs must be named so they can be identified; PC1 belongs to Vlan10 and PC2 to Vlan20; Vlan30 is used by SW1 and SW2 to form an OSPF adjacency; Vlan111 is the interconnect VLAN between SW1 and R1, Vlan222 the interconnect VLAN between SW2 and R2
  4. Configure all switch-to-switch ports as trunks and permit the relevant traffic
  5. Configure the switch ports connected to PCs as edge ports
  6. Configure DHCP on SW1 to dynamically assign IP addresses, gateways and DNS addresses to the PCs in Vlan10 and Vlan20; the Vlan10 gateway must be 192.168.1.252 and the Vlan20 gateway 192.168.2.253
  7. Configure OSPF by area as shown in the diagram so that the whole internal network is reachable; advertise the ABRs' loopback interfaces into the backbone area; no protocol packets may appear on the business segments
  8. Configure a default route on R1 pointing to the Internet and redistribute it into OSPF
  9. R1 connects to the Internet over two lines; configure PPP-MP with bidirectional CHAP authentication
  10. Configure Easy IP so that only traffic from the business segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R1
  11. Enable Telnet remote management on R1, logging in as user telnetuser with password 123; only the technical department may manage R1 remotely

Lab solution

1. Configure IP addresses

[INTERNET]interface LoopBack 0
[INTERNET-LoopBack0]ip address 100.1.1.1 32
[R1]interface GigabitEthernet 0/1
[R1-GigabitEthernet0/1]ip address 10.0.0.1 30
[R1]interface GigabitEthernet 0/0
[R1-GigabitEthernet0/0]ip address 10.0.0.5 30
[R1]interface GigabitEthernet 0/2
[R1-GigabitEthernet0/2]ip address 10.0.0.14 30
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.1.1.1 32
[R2]interface GigabitEthernet 0/2
[R2-GigabitEthernet0/2]ip address 10.0.0.2 30
[R2]interface GigabitEthernet 0/0
[R2-GigabitEthernet0/0]ip address 10.0.0.9 30
[R2]interface GigabitEthernet 0/1
[R2-GigabitEthernet0/1]ip address 10.0.0.18 30
[R2]interface LoopBack 0
[R2-LoopBack0]ip address 10.1.1.2 32
[R3]interface GigabitEthernet 0/0
[R3-GigabitEthernet0/0]ip address 10.0.0.13 30
[R3]interface GigabitEthernet 0/1
[R3-GigabitEthernet0/1]ip address 10.0.0.17 30
[R3]interface GigabitEthernet 0/2
[R3-GigabitEthernet0/2]ip address 192.168.3.254 24
[R3]interface LoopBack 0
[R3-LoopBack0]ip address 10.1.1.3 32
[SW1]interface LoopBack 0
[SW1-LoopBack0]ip address 10.1.1.11 32
[SW2]interface LoopBack 0
[SW2-LoopBack0]ip address 10.1.1.12 32

PC3 (screenshot)

2. Configure link aggregation on the direct link between SW1 and SW2

First create aggregation group 1 on SW1 and SW2, then add the two interfaces that connect SW1 and SW2 to aggregation group 1.

[SW1]interface Bridge-Aggregation 1
[SW1]interface range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2
[SW1-if-range]port link-aggregation group 1
[SW2]interface Bridge-Aggregation 1
[SW2]interface range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2
[SW2-if-range]port link-aggregation group 1

Check the aggregate interface status

[SW1]display link-aggregation summary 
Aggregation Interface Type: 
BAGG -- Bridge-Aggregation, BLAGG -- Blade-Aggregation, RAGG -- Route-Aggregation, SCH-B -- Schannel-Bundle 
Aggregation Mode: S -- Static, D -- Dynamic 
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 9686-abde-0600

AGG        AGG   Partner ID              Selected  Unselected  Individual  Share
Interface  Mode                          Ports     Ports       Ports       Type 
--------------------------------------------------------------------------------
BAGG1      S     None                    2         0           0           Shar 
[SW2]display link-aggregation summary 
Aggregation Interface Type: 
BAGG -- Bridge-Aggregation, BLAGG -- Blade-Aggregation, RAGG -- Route-Aggregation, SCH-B -- Schannel-Bundle 
Aggregation Mode: S -- Static, D -- Dynamic 
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 9686-b245-0700

AGG        AGG   Partner ID              Selected  Unselected  Individual  Share
Interface  Mode                          Ports     Ports       Ports       Type 
--------------------------------------------------------------------------------
BAGG1      S     None                    2         0           0           Shar 

Both links show as Selected.

3. The company's internal business segments are Vlan10 and Vlan20; Vlan10 is the marketing department and Vlan20 the technical department, and the VLANs must be named so they can be identified; PC1 belongs to Vlan10 and PC2 to Vlan20; Vlan30 is used by SW1 and SW2 to form an OSPF adjacency; Vlan111 is the interconnect VLAN between SW1 and R1, Vlan222 the interconnect VLAN between SW2 and R2

Create vlan10, vlan20, vlan30 and vlan111 on SW1 and name them

[SW1]vlan 10
[SW1-vlan10]name shichangbu
[SW1]vlan 20
[SW1-vlan20]name jishubu
[SW1]vlan 30
[SW1]vlan 111

Vlan111 is the interconnect VLAN between SW1 and R1, that is, the switch's Layer 3 function is enabled through the VLAN interface, so the port connected to R1, G1/0/4, is added to vlan111

[SW1-vlan111]port GigabitEthernet 1/0/4

Create vlan10, vlan20, vlan30 and vlan222 on SW2 and name them

[SW2]vlan 10
[SW2-vlan10]name shichangbu
[SW2]vlan 20
[SW2-vlan20]name jishubu
[SW2]vlan 30
[SW2]vlan 222

Vlan222 is the interconnect VLAN between SW2 and R2, so the port connected to R2, G1/0/4, is added to vlan222

[SW2-vlan222]port GigabitEthernet 1/0/4

Create vlan10 and vlan20 on SW3 and name them

[SW3]vlan 10
[SW3-vlan10]name shichangbu
[SW3]vlan 20
[SW3-vlan20]name jishubu

PC1 belongs to vlan10 and PC2 to vlan20, so the SW3 port connected to PC1 is added to vlan10 and the port connected to PC2 is added to vlan20

[SW3]vlan 10
[SW3-vlan10]port GigabitEthernet 1/0/3
[SW3]vlan 20
[SW3-vlan20]port GigabitEthernet 1/0/4

Enter the Vlan-interfaces on SW1 and SW2 and configure the IP addresses shown in the diagram

[SW1]interface Vlan-interface 10
[SW1-Vlan-interface10]ip address 192.168.1.252 24
[SW1]interface Vlan-interface 20
[SW1-Vlan-interface20]ip address 192.168.2.252 24
[SW1]interface Vlan-interface 30
[SW1-Vlan-interface30]ip address 10.1.2.1 30
[SW1]interface Vlan-interface 111
[SW1-Vlan-interface111]ip address 10.0.0.6 30
[SW2]interface Vlan-interface 10
[SW2-Vlan-interface10]ip address 192.168.1.253 24
[SW2]interface Vlan-interface 20
[SW2-Vlan-interface20]ip address 192.168.2.253 24
[SW2]interface Vlan-interface 30
[SW2-Vlan-interface30]ip address 10.1.2.2 30
[SW2]interface Vlan-interface 222
[SW2-Vlan-interface222]ip address 10.0.0.10 30

4. Configure all switch-to-switch ports as trunks and permit the relevant traffic

Link aggregation is configured between SW1 and SW2, so the trunk must be configured on the aggregate interface

Business traffic for vlan10 and vlan20 passes over this link, and vlan30 is used by SW1 and SW2 to form the OSPF adjacency, so vlan10, vlan20 and vlan30 must all be permitted

[SW1]interface Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]port link-type trunk 
[SW1-Bridge-Aggregation1]port trunk permit vlan 10 20 30
[SW1]interface GigabitEthernet 1/0/3
[SW1-GigabitEthernet1/0/3]port link-type trunk 
[SW1-GigabitEthernet1/0/3]port trunk permit vlan 10 20
[SW2]interface Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]port link-type trunk 
[SW2-Bridge-Aggregation1]port trunk permit vlan 10 20 30
[SW2]interface GigabitEthernet 1/0/3
[SW2-GigabitEthernet1/0/3]port link-type trunk 
[SW2-GigabitEthernet1/0/3]port trunk permit vlan 10 20

On the SW3 ports connected to SW1 and SW2, permit vlan10 and vlan20

[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-type trunk 
[SW3-GigabitEthernet1/0/1]port trunk permit vlan 10 20
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-type trunk 
[SW3-GigabitEthernet1/0/2]port trunk permit vlan 10 20

Checking the interface status on SW1 and SW2 at this point, all interfaces are up

[SW1]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
Loop0                    up       up(s)    10.1.1.11       --
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.1.252   --
Vlan20                   up       up       192.168.2.252   --
Vlan30                   up       up       10.1.2.1        --
Vlan111                  up       up       10.0.0.6        --
[SW2]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
Loop0                    up       up(s)    10.1.1.12       --
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.1.253   --
Vlan20                   up       up       192.168.2.253   --
Vlan30                   up       up       10.1.2.2        --
Vlan222                  up       up       10.0.0.10       --

5. Configure the switch ports connected to PCs as edge ports

Switches run spanning tree by default, so every switch port receives STP BPDUs. Edge ports do not receive BPDUs, do not take part in topology calculation, and move directly from blocking to forwarding, so the ports connected to PCs are configured as edge ports to speed up the port state transition instead of leaving them as ordinary ports.

[SW3]interface GigabitEthernet 1/0/3
[SW3-GigabitEthernet1/0/3]stp edged-port 
Edge port should only be connected to terminal. It will cause temporary loops if port GigabitEthernet1/0/3 is connected to bridges. Please use it carefully.
[SW3]interface GigabitEthernet 1/0/4
[SW3-GigabitEthernet1/0/4]stp edged-port 
Edge port should only be connected to terminal. It will cause temporary loops if port GigabitEthernet1/0/4 is connected to bridges. Please use it carefully.

6. Configure DHCP on SW1 to dynamically assign IP addresses, gateways and DNS addresses to the PCs in Vlan10 and Vlan20; the Vlan10 gateway must be 192.168.1.252 and the Vlan20 gateway 192.168.2.253

Enable DHCP on SW1 and create two address pools, vlan10 and vlan20. Pool vlan10 advertises the 192.168.1.0/24 segment with gateway 192.168.1.252; pool vlan20 advertises 192.168.2.0/24 with gateway 192.168.2.253

[SW1]dhcp enable 
[SW1]dhcp server ip-pool vlan10 //create address pool 'vlan10'
[SW1-dhcp-pool-vlan10]network 192.168.1.0 mask 255.255.255.0
[SW1-dhcp-pool-vlan10]dns-list 8.8.8.8 //set the DNS server to 8.8.8.8
[SW1-dhcp-pool-vlan10]gateway-list 192.168.1.252 //set the gateway for pool 'vlan10'
[SW1]dhcp server ip-pool vlan20 //create address pool 'vlan20'
[SW1-dhcp-pool-vlan20]network 192.168.2.0 mask 255.255.255.0
[SW1-dhcp-pool-vlan20]dns-list 8.8.8.8 
[SW1-dhcp-pool-vlan20]gateway-list 192.168.2.253

PC1 belongs to vlan10, which is in the 192.168.1.0/24 segment, and PC2 belongs to vlan20, which is in the 192.168.2.0/24 segment. Each PC only receives broadcasts from its own VLAN, so PC1 is assigned an address from 192.168.1.0/24 and PC2 an address from 192.168.2.0/24.

PC1 and PC2 have both automatically obtained IP addresses from the matching segment through SW1's DHCP service

PC1 (screenshot)

PC2 (screenshot)
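To make the pool-selection point above concrete, the following is an added example (it is not part of the lab and does not model Comware's internal DHCP implementation): a DHCP server answers a request from the pool whose network contains the address of the interface the request arrived on. Pool names, gateways and DNS are the lab's; the `EXCLUDED` set and the function names are this example's own assumptions.

```python
# Added example: pool selection and lease assembly for SW1's two DHCP pools.
import ipaddress

# SW1's pools, as configured in the lab (network / gateway-list / dns-list).
POOLS = {
    "vlan10": {"network": "192.168.1.0/24", "gateway": "192.168.1.252", "dns": "8.8.8.8"},
    "vlan20": {"network": "192.168.2.0/24", "gateway": "192.168.2.253", "dns": "8.8.8.8"},
}

# SW1's VLAN interface addresses. A PC's DHCP broadcast stays inside its own
# VLAN, so SW1 receives it on the interface of that VLAN.
SW1_VLAN_INTERFACES = {"Vlan10": "192.168.1.252", "Vlan20": "192.168.2.252"}

# Assumption for this example: addresses the server must never hand out, i.e.
# its own VLAN interface addresses and the gateways it advertises.
EXCLUDED = set(SW1_VLAN_INTERFACES.values()) | {p["gateway"] for p in POOLS.values()}


def select_pool(pools, receiving_ip):
    """Return (name, pool) for the pool whose network contains the address of
    the interface the request came in on; (None, None) if no pool covers it."""
    addr = ipaddress.IPv4Address(receiving_ip)
    for name, pool in pools.items():
        if addr in ipaddress.IPv4Network(pool["network"]):
            return name, pool
    return None, None


def build_offer(pools, receiving_ip, excluded, leased):
    """Assemble the lease a client would receive. `leased` is the set of
    addresses already handed out and is updated in place."""
    name, pool = select_pool(pools, receiving_ip)
    if pool is None:
        return None
    net = ipaddress.IPv4Network(pool["network"])
    for host in net.hosts():
        candidate = str(host)
        if candidate not in excluded and candidate not in leased:
            leased.add(candidate)
            return {"pool": name, "ip": candidate, "mask": str(net.netmask),
                    "gateway": pool["gateway"], "dns": pool["dns"]}
    return None  # pool exhausted


if __name__ == "__main__":
    in_use = set()
    for vlan_if, ip in SW1_VLAN_INTERFACES.items():
        print(vlan_if, "->", build_offer(POOLS, ip, EXCLUDED, in_use))
```

Note that the Vlan20 lease carries gateway 192.168.2.253 (SW2's Vlan20 address), not SW1's own 192.168.2.252: the gateway a pool advertises is whatever `gateway-list` says and is independent of which switch runs the DHCP server.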

7. Configure OSPF by area as shown in the diagram so that the whole internal network is reachable, and advertise the ABRs' loopback interfaces into the backbone area

R1 and R2 connect the backbone area 0 to the non-backbone area 1, so R1 and R2 are ABRs; their loopback interfaces are advertised into backbone area 0

To avoid advertising the wrong networks, use display ip interface brief to look up the IP address of each interface and advertise against that; a wildcard mask of 0.0.0.0 matches the interface IP address exactly
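The following added example (not from the lab) shows why the exact-match wildcard matters: it evaluates OSPF `network` statements against a router's interface addresses and reports which area each interface ends up in. R1's interface names and addresses come from the display output in this section; the `R1_BROAD` statement set and the function names are constructed for this example.

```python
# Added example: which OSPF area does each interface fall into, given the
# `network <address> <wildcard>` statements of a router?
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len):
    """Inverse subnet mask: /30 -> 0.0.0.3, /32 -> 0.0.0.0."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def network_matches(network, wildcard, ip):
    """Wildcard bit 0: the address bit must match; bit 1: don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(network) & care) == (to_int(ip) & care)


def interface_areas(statements, interfaces):
    """{interface: sorted list of areas whose statements match its address}."""
    return {
        name: sorted({area for area, net, wc in statements if network_matches(net, wc, ip)})
        for name, ip in interfaces.items()
    }


def misassigned(statements, interfaces):
    """Interfaces that match no statement or statements in more than one area."""
    return sorted(name for name, areas in interface_areas(statements, interfaces).items()
                  if len(areas) != 1)


# R1's interfaces, from `display ip interface brief`.
R1_INTERFACES = {
    "GE0/0": "10.0.0.5",   # towards SW1, area 1
    "GE0/1": "10.0.0.1",   # towards R2, area 0
    "GE0/2": "10.0.0.14",  # towards R3, area 0
    "Loop0": "10.1.1.1",   # ABR loopback, advertised into area 0
}

# The statements used in the lab: exact matches with wildcard 0.0.0.0.
R1_EXACT = [
    (0, "10.0.0.1", "0.0.0.0"),
    (0, "10.0.0.14", "0.0.0.0"),
    (0, "10.1.1.1", "0.0.0.0"),
    (1, "10.0.0.5", "0.0.0.0"),
]

# Constructed counter-example: one broad area 0 statement also covers
# 10.0.0.5, the interface that was meant for area 1.
R1_BROAD = [
    (0, "10.0.0.0", "0.0.0.255"),
    (0, "10.1.1.1", "0.0.0.0"),
    (1, "10.0.0.5", "0.0.0.0"),
]

if __name__ == "__main__":
    print(interface_areas(R1_EXACT, R1_INTERFACES))
    print("ambiguous with broad statements:", misassigned(R1_BROAD, R1_INTERFACES))
```

With the exact statements every interface lands in exactly one area; with the broad statement GE0/0 is claimed by both area 0 and area 1, which is the kind of mistake the per-interface lookup is meant to prevent.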

[R1]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
GE0/0                    up       up       10.0.0.5        --
GE0/1                    up       up       10.0.0.1        --
GE0/2                    up       up       10.0.0.14       --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Loop0                    up       up(s)    10.1.1.1        --
Ser1/0                   up       up       --              --
Ser2/0                   up       up       --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --

[R1]ospf 1 router-id 10.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.0.14 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]network 10.0.0.5 0.0.0.0
[R2]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
GE0/0                    up       up       10.0.0.9        --
GE0/1                    up       up       10.0.0.18       --
GE0/2                    up       up       10.0.0.2        --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Loop0                    up       up(s)    10.1.1.2        --
Ser1/0                   down     down     --              --
Ser2/0                   down     down     --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --

[R2]ospf 1 router-id 10.1.1.2 
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.18 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.1.2 0.0.0.0
[R2-ospf-1]area 1
[R2-ospf-1-area-0.0.0.1]network 10.0.0.9 0.0.0.0
[R3]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
GE0/0                    up       up       10.0.0.13       --
GE0/1                    up       up       10.0.0.17       --
GE0/2                    down     down     192.168.3.254   --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Loop0                    up       up(s)    10.1.1.3        --
Ser1/0                   down     down     --              --
Ser2/0                   down     down     --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --

[R3]ospf 1 router-id 10.1.1.3 
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.0.13 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.0.17 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 192.168.3.254 0.0.0.0
[SW1]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
Loop0                    up       up(s)    10.1.1.11       --
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.1.252   --
Vlan20                   up       up       192.168.2.252   --
Vlan30                   up       up       10.1.2.1        --
Vlan111                  up       up       10.0.0.6        --

[SW1]ospf 1 router-id 10.1.1.11 
[SW1-ospf-1]area 1
[SW1-ospf-1-area-0.0.0.1]network 10.0.0.6 0.0.0.0
[SW1-ospf-1-area-0.0.0.1]network 10.1.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.1]network 192.168.1.252 0.0.0.0
[SW1-ospf-1-area-0.0.0.1]network 192.168.2.252 0.0.0.0
[SW2]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 
Loop0                    up       up(s)    10.1.1.12       --
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.1.253   --
Vlan20                   up       up       192.168.2.253   --
Vlan30                   up       up       10.1.2.2        --
Vlan222                  up       up       10.0.0.10       --

[SW2]ospf 1 router-id 10.1.1.12
[SW2-ospf-1]area 1
[SW2-ospf-1-area-0.0.0.1]network 10.0.0.10 0.0.0.0
[SW2-ospf-1-area-0.0.0.1]network 10.1.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.1]network 192.168.1.253 0.0.0.0
[SW2-ospf-1-area-0.0.0.1]network 192.168.2.253 0.0.0.0

Because no protocol packets may appear on the business segments, silent interfaces must be configured; a silent interface does not receive OSPF protocol packets

The business segments belong to vlan10 and vlan20, so vlan10 and vlan20 must be made silent in OSPF on both SW1 and SW2

[SW1-ospf-1]silent-interface vlan 10
[SW1-ospf-1]silent-interface vlan 20
[SW2-ospf-1]silent-interface vlan 10
[SW2-ospf-1]silent-interface vlan 20

8. R1 connects to the Internet over two lines; configure PPP-MP with bidirectional CHAP authentication

Create MP group 1 and configure its IP address, then add the interfaces that connect R1 and Internet to the MP group

[INTERNET]interface MP-group 1
[INTERNET-MP-group1]ip address 202.100.1.1 30
[INTERNET]interface Serial 1/0
[INTERNET-Serial1/0]ppp mp MP-group 1
[INTERNET]interface Serial 2/0
[INTERNET-Serial2/0]ppp mp MP-group 1
[R1]interface MP-group 1
[R1-MP-group1]ip address 202.100.1.2 30
[R1]interface Serial 1/0
[R1-Serial1/0]ppp mp MP-group 1
[R1]interface Serial 2/0
[R1-Serial2/0]ppp mp MP-group 1

Configure bidirectional CHAP authentication. A user must be created on both R1 and Internet; since this user is only used for authentication, the user class only needs to be network, and the service type is set to ppp

[INTERNET]local-user pppuser class network 
[INTERNET-luser-network-pppuser]password simple 123
[INTERNET-luser-network-pppuser]service-type ppp
[R1]local-user pppuser class network 
[R1-luser-network-pppuser]password simple 123
[R1-luser-network-pppuser]service-type ppp

On both ends of each pair of connected interfaces, configure the username and password used for authentication; the username and password can be the same on both sides

[INTERNET]interface Serial 1/0
[INTERNET-Serial1/0]ppp authentication-mode chap //authentication mode is chap
[INTERNET-Serial1/0]ppp chap user pppuser
[INTERNET-Serial1/0]ppp chap password simple 123
[INTERNET]interface Serial 2/0
[INTERNET-Serial2/0]ppp authentication-mode chap
[INTERNET-Serial2/0]ppp chap user pppuser
[INTERNET-Serial2/0]ppp chap password simple 123
[R1]interface Serial 1/0
[R1-Serial1/0]ppp authentication-mode chap
[R1-Serial1/0]ppp chap user pppuser
[R1-Serial1/0]ppp chap password simple 123
[R1]interface Serial 2/0
[R1-Serial2/0]ppp authentication-mode chap
[R1-Serial2/0]ppp chap user pppuser
[R1-Serial2/0]ppp chap password simple 123

Enter the MP aggregate interface, shut it down and bring it back up

[R1]interface MP-group 1
[R1-MP-group1]shutdown 
[R1-MP-group1]undo shutdown 
[R1-MP-group1]display ip interface brief 
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description 

MP1                      up       up       202.100.1.2     --
Ser1/0                   up       up       --              --
Ser2/0                   up       up       --              --

Checking the Layer 3 interface information on R1, the MP1 interface is physically up and its protocol is up, which shows that bidirectional PPP authentication succeeded
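What the two `ppp authentication-mode chap` / `ppp chap user` / `ppp chap password` settings actually exercise on each serial link is a challenge/response exchange in which the shared secret never crosses the line. The following is an added example that models that exchange per RFC 1994 (Response = MD5(Identifier || Secret || Challenge)); it is not Comware code, and the `PppPeer` class, function names and the `WRONG` peer are constructed for the example. Usernames and the password are the lab's.

```python
# Added example: bidirectional CHAP as configured between R1 and INTERNET.
import hashlib
import hmac
import os


def chap_digest(identifier, secret, challenge_value):
    """RFC 1994 MD5-CHAP response value."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge_value).digest()


class PppPeer:
    def __init__(self, name, chap_user, chap_password, local_users):
        self.name = name
        # `ppp chap user` / `ppp chap password`: the identity this side presents.
        self.chap_user = chap_user
        self.chap_password = chap_password
        # `local-user ... class network` entries used to verify the other side.
        self.local_users = dict(local_users)
        self._next_id = 0

    def challenge(self):
        """Authenticator: emit (Identifier, random Challenge)."""
        self._next_id = (self._next_id + 1) % 256
        return self._next_id, os.urandom(16)

    def respond(self, identifier, challenge_value):
        """Peer: prove knowledge of the secret; only a hash leaves this side."""
        return self.chap_user, chap_digest(identifier, self.chap_password, challenge_value)

    def verify(self, identifier, challenge_value, user, digest):
        """Authenticator: recompute with the secret stored for `user`."""
        secret = self.local_users.get(user)
        if secret is None:
            return False
        expected = chap_digest(identifier, secret, challenge_value)
        return hmac.compare_digest(expected, digest)


def authenticate(authenticator, peer):
    """One direction: authenticator challenges, peer responds, authenticator checks."""
    ident, chal = authenticator.challenge()
    user, digest = peer.respond(ident, chal)
    return authenticator.verify(ident, chal, user, digest)


def bidirectional(a, b):
    """Both interfaces carry `ppp authentication-mode chap`, so each side must
    pass the other's check before the link comes up."""
    return authenticate(a, b) and authenticate(b, a)


# Credentials as configured in the lab: the same user/password on both sides.
R1 = PppPeer("R1", "pppuser", "123", {"pppuser": "123"})
INTERNET = PppPeer("INTERNET", "pppuser", "123", {"pppuser": "123"})
# Constructed misconfiguration: this side's `ppp chap password` does not match
# the `local-user` entry the other side holds for pppuser.
WRONG = PppPeer("R1-typo", "pppuser", "124", {"pppuser": "123"})

if __name__ == "__main__":
    print("R1 <-> INTERNET:", bidirectional(R1, INTERNET))
    print("INTERNET <-> WRONG:", bidirectional(INTERNET, WRONG))
```

The asymmetric case is the instructive one: `WRONG` can still authenticate `INTERNET` (its local-user database is correct), but fails when `INTERNET` challenges it, so the link stays down just as a one-sided typo in `ppp chap password` would leave MP1 down in the lab.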

9. Configure a default route on R1 pointing to the Internet and redistribute it into OSPF

Because the R1 interfaces connected to Internet are members of the PPP-MP group, and the IP addresses are configured on the MP interfaces of both sides, the next hop of the default route must be the IP address of Internet's MP interface

[R1]ip route-static 0.0.0.0 0 202.100.1.1

Redistribute the default route into OSPF on R1

[R1]ospf 
[R1-ospf-1]default-route-advertise

Checking the routing tables of R2, R3, SW1 and SW2 at this point, all of them have learned the external default route from OSPF

[R2]display ip routing-table 

Destinations : 27       Routes : 28

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          O_ASE2  150 1           10.0.0.1        GE0/2
[R3]display ip routing-table 

Destinations : 28       Routes : 30

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          O_ASE2  150 1           10.0.0.14       GE0/0
[SW1]display ip routing-table 

Destinations : 33       Routes : 35

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          O_ASE2  150 1           10.0.0.5        Vlan111
[SW2]display ip routing-table 

Destinations : 33       Routes : 35

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          O_ASE2  150 1           10.1.2.1        Vlan30

10. Configure Easy IP so that only traffic from the business segments 192.168.1.0/24 and 192.168.2.0/24 can reach the Internet through R1

Create basic ACL 2000 to match the business segments 192.168.1.0/24 and 192.168.2.0/24

[R1]acl basic 2000
[R1-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255

Because R1 reaches the external Internet over two PPP links bundled into a single connection, Easy IP is configured on the MP aggregate interface, applying ACL 2000 in the outbound direction

[R1]interface MP-group 1
[R1-MP-group1]nat outbound 2000

Verification

PC1 ping (screenshot)

PC2 ping (screenshot)

PC3 ping (screenshot)

PC1 and PC2 can both reach the Internet through NAT, while PC3 cannot because its segment is not covered by the configuration, so PC3 can only communicate within the internal network

11. Enable Telnet remote management on R1, logging in as user telnetuser with password 123; only the technical department may manage R1 remotely

Create user telnetuser with password 123

[R1]telnet server enable 
[R1]local-user telnetuser class manage 
[R1-luser-manage-telnetuser]password simple 123
[R1-luser-manage-telnetuser]service-type telnet //set the service type of this user to telnet
[R1-luser-manage-telnetuser]authorization-attribute user-role level-15 //user role level-15
[R1]user-interface vty 0 4 //enter the vty user line view; 5 users may Telnet in at the same time
[R1-line-vty0-4]authentication-mode scheme //authentication mode: username and password
[R1-line-vty0-4]user-role level-15 //set the user role for these lines to level-15; can be omitted

Only the technical department may manage R1 via Telnet. The technical department is in vlan20, the 192.168.2.0/24 segment, so first create basic ACL 2010 to match 192.168.2.0/24.

[R1]acl basic 2010
[R1-acl-ipv4-basic-2010]rule permit source 192.168.2.0 0.0.0.255

Apply ACL 2010 to the Telnet service on R1

[R1]telnet server acl 2010

Verification

Because the PCs in the H3C simulator cannot use Telnet, SW1 is used instead to access R1's Telnet service with a source address in the 192.168.2.0/24 segment

<SW1>telnet 10.1.1.1 source ip 192.168.2.252

SW1_Source2.0 (screenshot)

With a source address in 192.168.2.0/24, SW1 can reach R1's Telnet service

SW1_Source1.0 (screenshot)

With a source address in 192.168.1.0/24, it cannot reach R1's Telnet service
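Sections 10 and 11 both rest on the same mechanism: a basic ACL matched on source address, with an implicit fall-through for packets that match no rule. The following added example (not from the lab, not Comware code) evaluates ACL 2000 as `nat outbound 2000` on MP-group 1 uses it and ACL 2010 as `telnet server acl 2010` uses it, reproducing the verification results above for PC1, PC2, PC3 and the two SW1 source addresses. The rules and addresses are the lab's; the sample packets and function names are constructed.

```python
# Added example: source-address ACL evaluation behind Easy IP and the Telnet
# server ACL on R1. Rules are tried in order; a source that matches no rule is
# neither translated (NAT) nor admitted (Telnet).
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, src):
    """`rule permit source A W`: wildcard bit 1 = don't care, bit 0 = must match."""
    care = ~to_int(rule["wildcard"]) & 0xFFFFFFFF
    return (to_int(rule["source"]) & care) == (to_int(src) & care)


def acl_lookup(acl, src):
    """Action of the first matching rule, or None when nothing matches."""
    for rule in acl:
        if rule_matches(rule, src):
            return rule["action"]
    return None


ACL_2000 = [  # [R1]acl basic 2000
    {"action": "permit", "source": "192.168.1.0", "wildcard": "0.0.0.255"},
    {"action": "permit", "source": "192.168.2.0", "wildcard": "0.0.0.255"},
]
ACL_2010 = [  # [R1]acl basic 2010
    {"action": "permit", "source": "192.168.2.0", "wildcard": "0.0.0.255"},
]

MP_GROUP1_IP = "202.100.1.2"  # R1's MP-group 1 address, used as the Easy IP source


def nat_outbound(packet):
    """Easy IP on the outbound interface: rewrite the source to the interface
    address only for packets ACL 2000 permits; anything else leaves untouched,
    which for a private source such as PC3's means no reply from the Internet."""
    if acl_lookup(ACL_2000, packet["src"]) == "permit":
        return dict(packet, src=MP_GROUP1_IP, translated=True)
    return dict(packet, translated=False)


def telnet_server_accepts(src):
    """`telnet server acl 2010`: only permitted sources reach the VTY lines."""
    return acl_lookup(ACL_2010, src) == "permit"


# Constructed sample sources: a PC in each VLAN (DHCP-assigned), PC3 on R3's
# segment, and SW1's two Vlan-interface addresses used in the Telnet test.
SAMPLES = {
    "PC1": "192.168.1.10",
    "PC2": "192.168.2.10",
    "PC3": "192.168.3.10",
    "SW1 Vlan20": "192.168.2.252",
    "SW1 Vlan10": "192.168.1.252",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        pkt = nat_outbound({"src": src, "dst": "100.1.1.1"})
        print(f"{name:11} NAT: {pkt['translated']!s:5} Telnet: {telnet_server_accepts(src)}")
```

Note that ACL 2010 restricts by source address only; it limits which segment can open a Telnet session, while the `authentication-mode scheme` setting on the VTY lines is what still requires a username and password from that segment.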