Category: System Operations and Maintenance

2008-05-22 11:09:40

If R2 wants to reach R1, it first has to authenticate by telnetting to the router. Once authenticated, the router installs a temporary access-list entry that lets the user reach the destination host.
With Lock-and-Key you can specify which users may reach which source or destination hosts.
How Lock-and-Key works
1) R2 telnets to R1 through a virtual terminal (vty) line.
2) R1 opens the session and prompts for a username and password; if they check out, access is granted.
3) R2's Telnet session is then closed, and a temporary entry is created in the dynamic access list.
4) Traffic from R2 can now reach R1.
5) After the predefined timeout, the temporary entry is deleted.
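The sequence above, as a runnable model. This is an added example, not code from the original post and not IOS code. The three access-list lines are those of access-list 100 on R1 below. Two things are assumptions: the temporary entry takes its source address from the host that actually telnetted in (170.1.12.2, R2's serial address, rather than the 2.2.2.2 written in the template), which follows the post's own show ip access-lists output; and the clock is a constructed counter so the 5-minute idle expiry can be shown without waiting. The duplicate-login message is formatted after the one in the verification section.

```python
"""Model of Cisco Lock-and-Key: a 'dynamic' access-list line is a template;
a successful vty login runs access-enable, which installs a temporary entry
for the host that logged in; the entry disappears when its idle timeout expires.

Added example, not code from the original post and not IOS code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

TELNET = 23


@dataclass(frozen=True)
class Ace:
    """One line of an extended IP access list (only what this model needs)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp" or "ip"
    src: str                       # host address or "any"
    dst: str                       # host address or "any"
    dport: Optional[int] = None    # destination port, None = any port
    dynamic: Optional[str] = None  # template name when this is a 'dynamic' line


@dataclass
class TempEntry:
    """Temporary entry installed by access-enable; lives until idle_timeout."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    idle_timeout: float  # seconds (IOS takes minutes on the command line)
    last_hit: float      # clock value of the last matching packet


def _match(rule: str, value: str) -> bool:
    return rule == "any" or rule == value


def _proto(rule: str, proto: str) -> bool:
    return rule == "ip" or rule == proto


class LockAndKeyAcl:
    def __init__(self, number: int, aces: List[Ace], clock: Callable[[], float]):
        self.number = number
        self.aces = list(aces)
        self.clock = clock                 # constructed clock, not wall time
        self.temp: List[TempEntry] = []    # temporary entries currently installed

    def _template(self, name: str) -> Ace:
        for ace in self.aces:
            if ace.dynamic == name:
                return ace
        raise KeyError(f"no dynamic entry named {name}")

    def _expire(self) -> None:
        now = self.clock()
        self.temp = [t for t in self.temp if now - t.last_hit < t.idle_timeout]

    def access_enable(self, name: str, src_host: str, timeout_min: int) -> Optional[str]:
        """What 'autocommand access-enable timeout N' does after a vty login.
        Returns the IOS-style message when the pair is already installed.
        Assumption: the source is the host that logged in (see the post's output)."""
        self._expire()
        tpl = self._template(name)
        if any(t.src == src_host and t.dst == tpl.dst for t in self.temp):
            return f"List#{self.number}-{name} already contains this IP address pair"
        self.temp.append(TempEntry(src_host, tpl.dst, tpl.proto, tpl.dport,
                                   timeout_min * 60, self.clock()))
        return None

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        """First-match walk of the list. Temporary entries sit at the position of
        their template line, so they are checked before the static lines below it."""
        self._expire()
        for ace in self.aces:
            if ace.dynamic is not None:
                for t in self.temp:
                    if (_proto(t.proto, proto) and t.src == src and t.dst == dst
                            and (t.dport is None or t.dport == dport)):
                        t.last_hit = self.clock()   # matching traffic resets the idle timer
                        return "permit"
                continue                             # the template itself never matches
            if (_proto(ace.proto, proto) and _match(ace.src, src) and _match(ace.dst, dst)
                    and (ace.dport is None or ace.dport == dport)):
                return ace.action
        return "deny"   # implicit deny at the end of every IOS access list


def walkthrough() -> dict:
    """R2 (170.1.12.2 on the serial link) talking to R1, in the order the post lists."""
    clock = [0.0]
    acl = LockAndKeyAcl(100, [
        Ace("permit", "tcp", "2.2.2.2", "1.1.1.1", TELNET, dynamic="tempaccess"),
        Ace("permit", "tcp", "any", "170.1.12.1", TELNET),
        Ace("deny", "ip", "any", "any"),
    ], clock=lambda: clock[0])
    r = {}
    r["before"] = acl.evaluate("tcp", "170.1.12.2", "1.1.1.1", TELNET)         # deny
    r["login"] = acl.evaluate("tcp", "170.1.12.2", "170.1.12.1", TELNET)       # permit (vty)
    r["enable"] = acl.access_enable("tempaccess", "170.1.12.2", timeout_min=5)  # None
    r["after"] = acl.evaluate("tcp", "170.1.12.2", "1.1.1.1", TELNET)          # permit
    r["other_host"] = acl.evaluate("tcp", "2.2.2.2", "1.1.1.1", TELNET)        # deny
    r["enable_again"] = acl.access_enable("tempaccess", "170.1.12.2", 5)        # duplicate message
    clock[0] += 6 * 60                                                          # idle longer than 5 min
    r["expired"] = acl.evaluate("tcp", "170.1.12.2", "1.1.1.1", TELNET)        # deny
    return r


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:13} {outcome}")
```

The other_host step is the point worth noticing: because the installed entry is keyed to the address the router saw on the Telnet connection, a host that did not authenticate gets nothing even if it is the one named in the template, and the static permit for Telnet to 170.1.12.1 is the only line anyone can hit before authenticating.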

 

R1

hostname r1
!
logging rate-limit console 10 except errors
!
! local user database used for the Telnet authentication
username r2 password 0 r2
! after a successful login, install the temporary entry; idle timeout 5 minutes
username r2 autocommand access-enable timeout 5
ip subnet-zero
no ip finger
! Telnet sessions that R1 itself originates are sourced from Ethernet0 (1.1.1.1)
ip telnet source-interface Ethernet0
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Ethernet0
 ip address 1.1.1.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 170.1.12.1 255.255.255.0
 ip access-group 100 in
 clockrate 64000
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
no ip classless
ip route 2.2.2.0 255.255.255.0 Serial0
no ip http server
!
access-list 1 permit 2.2.2.2
access-list 100 dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
access-list 100 permit tcp any host 170.1.12.1 eq telnet log
access-list 100 deny   ip any any log
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 ! authenticate vty logins against the local username database
 login local
!
end

r2#
r2#sh ru
Building configuration...

Current configuration : 738 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname r2
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Ethernet0
 ip address 2.2.2.2 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 170.1.12.2 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
no ip classless
ip route 1.1.1.0 255.255.255.0 Serial0
no ip http server
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 login
!
end


Verification

r2# telnet 170.1.12.1
Trying 170.1.12.1 ... Open


User Access Verification

Username: r2
Password:
List#100-tempaccess already contains this IP address pair

This message means a temporary entry for this source/destination pair was already installed by an earlier login, which is why the show ip access-lists output below reports a partly elapsed timer rather than a fresh one.

r1#sh ip access-lists
Standard IP access list 1
    permit 2.2.2.2
Extended IP access list 100
    Dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
      permit tcp host 170.1.12.2 host 1.1.1.1 eq telnet log (time left 128)
    permit tcp any host 170.1.12.1 eq telnet log (159 matches)
    deny ip any any log
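An added example (not from the original post) that parses this show ip access-lists output, as an operator would when auditing who currently holds a temporary entry. The sample text is the output above; the indentation the regular expressions rely on (4 spaces for ordinary entries, 6 for temporary entries under a Dynamic line) is taken from it and is an assumption for other IOS releases. The second report lists permit lines reachable from any source, which here is the Telnet line that has to stay open for the authentication step itself.

```python
"""Parse 'show ip access-lists' output from a Cisco IOS router and report the
Lock-and-Key temporary entries currently installed.

Added example, not code from the original post. SAMPLE_OUTPUT is the
verification output shown in the post; the line layout the regexes expect is
an assumption for other IOS releases.
"""
import re

SAMPLE_OUTPUT = """\
Standard IP access list 1
    permit 2.2.2.2
Extended IP access list 100
    Dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
      permit tcp host 170.1.12.2 host 1.1.1.1 eq telnet log (time left 128)
    permit tcp any host 170.1.12.1 eq telnet log (159 matches)
    deny ip any any log
"""

LIST_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
DYNAMIC_RE = re.compile(r"^ {4}Dynamic (\S+) (permit|deny) (.+)$")
TEMP_RE = re.compile(r"^ {6}(permit|deny) (.+?) \(time left (\d+)\)$")
STATIC_RE = re.compile(r"^ {4}(permit|deny) (.+?)(?: \((\d+) matches\))?$")


def _endpoint(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'addr wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_extended_rule(rule):
    """'tcp host 2.2.2.2 host 1.1.1.1 eq telnet log' ->
    {'proto': 'tcp', 'src': '2.2.2.2', 'dst': '1.1.1.1', 'rest': 'eq telnet log'}"""
    tokens = rule.split()
    src, i = _endpoint(tokens, 1)
    dst, i = _endpoint(tokens, i)
    return {"proto": tokens[0], "src": src, "dst": dst, "rest": " ".join(tokens[i:])}


def parse_access_lists(text):
    lists = {}
    current = None   # the list being read
    template = None  # last 'Dynamic' line, owner of the temporary entries under it
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LIST_RE.match(line)
        if m:
            current = {"type": m.group(1), "entries": []}
            lists[m.group(2)] = current
            template = None
            continue
        if current is None:
            raise ValueError(f"entry before any list header: {line!r}")
        m = DYNAMIC_RE.match(line)
        if m:
            template = {"kind": "dynamic", "name": m.group(1), "action": m.group(2),
                        "rule": m.group(3), "active": []}
            current["entries"].append(template)
            continue
        m = TEMP_RE.match(line)
        if m:
            if template is None:
                raise ValueError(f"temporary entry without a Dynamic template: {line!r}")
            template["active"].append({"action": m.group(1), "rule": m.group(2),
                                       "time_left": int(m.group(3))})
            continue
        m = STATIC_RE.match(line)
        if m:
            current["entries"].append({"kind": "static", "action": m.group(1),
                                       "rule": m.group(2), "matches": int(m.group(3) or 0)})
            template = None
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return lists


def active_lock_and_key_entries(lists):
    """(list, template, src, dst, time_left) for every temporary entry still installed."""
    found = []
    for name, acl in lists.items():
        for e in acl["entries"]:
            if e["kind"] != "dynamic":
                continue
            for t in e["active"]:
                r = parse_extended_rule(t["rule"])
                found.append((name, e["name"], r["src"], r["dst"], t["time_left"]))
    return found


def permits_from_any_source(lists):
    """Static permit lines with source 'any' (reachable without authenticating), with hit counts."""
    found = []
    for name, acl in lists.items():
        if acl["type"] != "Extended":
            continue
        for e in acl["entries"]:
            if e["kind"] == "static" and e["action"] == "permit":
                r = parse_extended_rule(e["rule"])
                if r["src"] == "any":
                    found.append((name, r["proto"], r["dst"], r["rest"], e["matches"]))
    return found


if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_OUTPUT)
    for row in active_lock_and_key_entries(acls):
        print("active: list %s template %s %s -> %s, time left %s" % row)
    for row in permits_from_any_source(acls):
        print("reachable without auth: list %s %s to %s %s (%d matches)" % row)
```

Run against the output above it reports one active entry (170.1.12.2 to 1.1.1.1 under tempaccess) and one pre-authentication permit (tcp any to 170.1.12.1 eq telnet, 159 matches); feeding it the same command's output from a real router at intervals is enough to see entries appear after a login and vanish after the idle timeout.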
