Networking Requirements
On the network shown in Figure 1, the PE is a device in the HR department and two VPN instances VPN-A and VPN-B are created on the PE. CE1 is a device in Department A and belongs to VPN-A that uses 111:1 as the VPN-target. CE2 is a device in Department B and belongs to VPN-B that uses 222:2 as the VPN-target. To allow the user (CE1) in VPN-A to log in to the PE by Telnet and prevent the user (CE2) in VPN-B from logging in to the PE, configure a basic ACL on the PE so that devices in Department A are allowed to access the devices in the HR department, whereas devices in Department B are not allowed to access the devices in the HR department, and devices in Department A and Department B cannot access each other.
Configuration Roadmap
The configuration roadmap is as follows:
-
Configure VPN instances on different devices.
-
Define ACL rules to configure rights for different VPN users to access the PE.
-
Apply the ACL to allow different VPN users to have different rights to access the PE.
Data Preparation
To complete the configuration, you need the following data:
-
ACL number
-
VPN instance names
Procedure
- Configure VPN instances on the PE.
# Configure VPN-A.
<HUAWEI> system-view
[~HUAWEI] sysname PE
[*HUAWEI] commit
[~PE] ip vpn-instance vpna
[*PE-vpn-instance-vpna] route-distinguisher 100:1
[*PE-vpn-instance-vpna] vpn-target 111:1 both
[*PE-vpn-instance-vpna] commit
[~PE-vpn-instance-vpna] quit
[~PE] interface gigabitethernet 0/1/0
[~PE-GigabitEthernet0/1/0] ip binding vpn-instance vpna
[*PE-GigabitEthernet0/1/0] ip address 10.1.1.1 24
[*PE-GigabitEthernet0/1/0] commit
[~PE-GigabitEthernet0/1/0] quit
# Configure VPN-B.[~PE] ip vpn-instance vpnb
[*PE-vpn-instance-vpnb] route-distinguisher 100:2
[*PE-vpn-instance-vpnb] vpn-target 222:2 both
[*PE-vpn-instance-vpnb] commit
[~PE-vpn-instance-vpnb] quit
[~PE] interface gigabitethernet 0/2/0
[~PE-GigabitEthernet0/2/0] ip binding vpn-instance vpnb
[*PE-GigabitEthernet0/2/0] ip address 10.2.1.1 24
[*PE-GigabitEthernet0/2/0] commit
[~PE-GigabitEthernet0/2/0] quit
- Create a basic ACL and configure ACL rules on the PE to allow the user (CE1) in VPN-A to log in to PE by Telnet and prevent the user (CE2) in VPN-B from logging in to the PE.
[~PE] acl number 2001
[*PE-acl4-basic-2001] rule permit vpn-instance vpna
[*PE-acl4-basic-2001] rule deny vpn-instance vpnb
[*PE-acl4-basic-2001] commit
[~PE-acl4-basic-2001] quit
- Apply the ACL in Telnet services on the PE.
[~PE] user-interface vty 0 4
[~PE-ui-vty0-4] authentication-mode password
[*PE-ui-vty0-4] set authentication password
Please configure the login password (8-16) Enter Password: Confirm Password:
[*PE-ui-vty0-4] acl 2001 inbound
[*PE-ui-vty0-4] commit
- Configure IP addresses for CE1 and CE2 as shown in Figure 1. For configuration details, see Configuration Files in this section.
- Verify the configuration.
# Log in to the PE from CE1 by Telnet. The command output shows that CE1 can log in to the PE by Telnet.
<CE1> telnet vpn-instance vpna 10.1.1.1
Trying 10.1.1.1 ... Press CTRL+K to abort Connected to 10.1.1.1 ... Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. <PE>
# Log in to the PE from CE2 by Telnet. The command output shows that CE2 cannot log in to the PE by Telnet.<CE2> telnet vpn-instance vpna 10.1.1.1
Trying 10.1.1.1 ... Press CTRL+K to abort Error: Failed to connect to the remote host.Press CTRL+K to abort
# Log in to CE2 from CE1 by Telnet. The command output shows that CE1 cannot log in to CE2 by Telnet.<CE1> telnet vpn-instance vpnb 10.2.1.2
Trying 10.2.1.2 ... Press CTRL+K to abort Error: Failed to connect to the remote host.Press CTRL+K to abort
Configuration Files
-
PE configuration file
# sysname PE # ip vpn-instance vpna route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity ip vpn-instance vpnb route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # acl number 2001 rule 5 permit vpn-instance vpna rule 10 deny vpn-instance vpnb # interface GigabitEthernet0/1/0 undo shutdown ip binding vpn-instance vpna ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet0/2/0 undo shutdown ip binding vpn-instance vpnb ip address 10.2.1.1 255.255.255.0 # user-interface con 0 user-interface vty 0 4 acl 2001 inbound authentication-mode password user privilege level 15 set authentication password cipher \Ly$!c2@a#x#R32H{7y/U4=1$A*:Z$\@<> user-interface vty 16 20 # return
-
CE1 configuration file
# sysname CE1 # aaa authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # interface GigabitEthernet0/1/0 undo shutdown ip address 10.1.1.2 255.255.255.0 # user-interface con 0 user-interface vty 0 4 user-interface vty 16 20 # return
-
CE2 configuration file
# sysname CE2 # aaa authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # interface GigabitEthernet0/1/0 undo shutdown ip address 10.2.1.2 255.255.255.0 # user-interface con 0 user-interface vty 0 4 user-interface vty 16 20 # return
(Visited 558 times, 1 visits today)