0

Networking Requirements

On the network shown in Figure 1, the PE is a device in the HR department and two VPN instances VPN-A and VPN-B are created on the PE. CE1 is a device in Department A and belongs to VPN-A that uses 111:1 as the VPN-target. CE2 is a device in Department B and belongs to VPN-B that uses 222:2 as the VPN-target. To allow the user (CE1) in VPN-A to log in to the PE by Telnet and prevent the user (CE2) in VPN-B from logging in to the PE, configure a basic ACL on the PE so that devices in Department A are allowed to access the devices in the HR department, whereas devices in Department B are not allowed to access the devices in the HR department, and devices in Department A and Department B cannot access each other.
Figure 1 Configuring a basic ACL to manage device access rights

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure VPN instances on different devices.
  2. Define ACL rules to configure rights for different VPN users to access the PE.
  3. Apply the ACL to allow different VPN users to have different rights to access the PE.

Data Preparation

To complete the configuration, you need the following data:
  • ACL number
  • VPN instance names

Procedure

  1. Configure VPN instances on the PE.
    # Configure VPN-A.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] ip vpn-instance vpna
    [*PE-vpn-instance-vpna] route-distinguisher 100:1
    [*PE-vpn-instance-vpna] vpn-target 111:1 both
    [*PE-vpn-instance-vpna] commit
    [~PE-vpn-instance-vpna] quit
    [~PE] interface gigabitethernet 0/1/0
    [~PE-GigabitEthernet0/1/0] ip binding vpn-instance vpna
    [*PE-GigabitEthernet0/1/0] ip address 10.1.1.1 24
    [*PE-GigabitEthernet0/1/0] commit
    [~PE-GigabitEthernet0/1/0] quit
    # Configure VPN-B.
    [~PE] ip vpn-instance vpnb
    [*PE-vpn-instance-vpnb] route-distinguisher 100:2
    [*PE-vpn-instance-vpnb] vpn-target 222:2 both
    [*PE-vpn-instance-vpnb] commit
    [~PE-vpn-instance-vpnb] quit
    [~PE] interface gigabitethernet 0/2/0
    [~PE-GigabitEthernet0/2/0] ip binding vpn-instance vpnb
    [*PE-GigabitEthernet0/2/0] ip address 10.2.1.1 24
    [*PE-GigabitEthernet0/2/0] commit
    [~PE-GigabitEthernet0/2/0] quit
  2. Create a basic ACL and configure ACL rules on the PE to allow the user (CE1) in VPN-A to log in to PE by Telnet and prevent the user (CE2) in VPN-B from logging in to the PE. 
    [~PE] acl number 2001
    [*PE-acl4-basic-2001] rule permit vpn-instance vpna
    [*PE-acl4-basic-2001] rule deny vpn-instance vpnb
    [*PE-acl4-basic-2001] commit
    [~PE-acl4-basic-2001] quit
  3. Apply the ACL in Telnet services on the PE. 
    [~PE] user-interface vty 0 4
    [~PE-ui-vty0-4] authentication-mode password
    [*PE-ui-vty0-4] set authentication password
    Please configure the login password (8-16)
Enter Password:
Confirm Password:
    [*PE-ui-vty0-4] acl 2001 inbound
    [*PE-ui-vty0-4] commit
  4. Configure IP addresses for CE1 and CE2 as shown in Figure 1. For configuration details, see Configuration Files in this section.
  5. Verify the configuration.
    # Log in to the PE from CE1 by Telnet. The command output shows that CE1 can log in to the PE by Telnet.
    <CE1> telnet vpn-instance vpna 10.1.1.1
    Trying 10.1.1.1 ...                                                             
Press CTRL+K to abort                                                           
Connected to 10.1.1.1 ...                                                       
Info: The max number of VTY users is 10, and the number                         
      of current VTY users on line is 1.  
<PE>
    # Log in to the PE from CE2 by Telnet. The command output shows that CE2 cannot log in to the PE by Telnet.
    <CE2> telnet vpn-instance vpna 10.1.1.1
    Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.Press CTRL+K to abort
    # Log in to CE2 from CE1 by Telnet. The command output shows that CE1 cannot log in to CE2 by Telnet.
    <CE1> telnet vpn-instance vpnb 10.2.1.2
    Trying 10.2.1.2 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.Press CTRL+K to abort

Configuration Files

  • PE configuration file
    #
 sysname PE
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
acl number 2001
 rule 5 permit vpn-instance vpna
 rule 10 deny vpn-instance vpnb
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip binding vpn-instance vpnb
 ip address 10.2.1.1 255.255.255.0
#    
user-interface con 0
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode password
 user privilege level 15
 set authentication password cipher \Ly$!c2@a#x#R32H{7y/U4=1$A*:Z$\@<>
user-interface vty 16 20
#
return
  • CE1 configuration file
    #
 sysname CE1
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
  • CE2 configuration file
    #
 sysname CE2
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
(Visited 558 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.