As shown in Figure 4-15, the terminal PC and Client are route-reachable, and Client and Server are route-reachable. The user wants to manage and maintain the remote device Server, but there is no reachable route between the terminal PC and Server, so the PC cannot Telnet directly to Server. The user can instead Telnet to Client and then Telnet from Client to the device to be managed, Server. To prevent other unauthorized devices from logging in to Server via Telnet, an ACL rule is configured so that only Client is allowed to log in to Server via Telnet. In this example a Huawei device acts as the server.
Using the Telnet protocol carries security risks; logging in to the device with STelnet V2 is recommended.
Configure the device as a Telnet client to log in to other devices as follows:
<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] telnet server enable
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] protocol inbound telnet
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit

[Server] aaa
[Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Server-aaa] local-user admin1234 service-type telnet
[Server-aaa] local-user admin1234 privilege level 3
[Server-aaa] quit

[Server] acl 2000
[Server-acl-basic-2000] rule permit source 10.1.1.1 0
[Server-acl-basic-2000] quit
[Server] user-interface vty 0 4
[Server-ui-vty0-4] acl 2000 inbound
[Server-ui-vty0-4] quit
Restricting the Telnet terminal service with an ACL is an optional configuration.
# After the above configuration is complete, Telnet login to Server is possible only from Client; login from any other device is refused.
<HUAWEI> system-view
[HUAWEI] sysname Client
[Client] quit
<Client> telnet 10.2.1.1
Trying 10.2.1.1 ...
Press CTRL+K to abort
Connected to 10.2.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication

Username:admin1234
Password:
<Server>

Server configuration file

#
sysname Server
#
telnet server enable
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
#
return
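The configuration file above is what an operator would verify to confirm that the VTY lines really are locked down to Client. The following is an added audit script (not part of this page or of Huawei's software): it parses a Huawei-style configuration into blocks and checks that Telnet is enabled, that an inbound ACL is bound on the VTY lines, and that this ACL permits exactly the one allowed client host. The embedded configuration is a constructed sample abridged from the Server configuration shown above, and the function and variable names are the script's own.

```python
import re

# Constructed sample, abridged from the Server configuration shown on this page.
SERVER_CONFIG = """\
#
telnet server enable
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
"""

def parse_sections(config):
    """Split a Huawei-style config into (header, [indented child lines]) blocks."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit_telnet_access(config, allowed_client):
    """Report whether Telnet is on, which ACL the VTY lines apply inbound, and
    whether that ACL permits exactly the one allowed client host (wildcard 0)."""
    sections = parse_sections(config)
    telnet_on = any(h == "telnet server enable" for h, _ in sections)
    acls = {h.split()[-1]: body for h, body in sections if h.startswith("acl number")}
    vty_acl = None
    for h, body in sections:
        if h.startswith("user-interface vty"):
            for child in body:
                m = re.match(r"acl (\d+) inbound$", child)
                if m:
                    vty_acl = m.group(1)
    # Every permit rule of the bound ACL is collected; "permit source any",
    # a subnet wildcard, or a missing ACL binding all make the check fail closed.
    permitted = []
    for child in acls.get(vty_acl, []):
        m = re.match(r"rule \d+ permit(?: source (\S+)(?: (\S+))?)?$", child)
        if m:
            permitted.append(m.groups())
    restricted = vty_acl is not None and permitted == [(allowed_client, "0")]
    return {"telnet_enabled": telnet_on, "vty_acl": vty_acl,
            "permitted_sources": permitted, "restricted_to_client": restricted}
```

Run it against a configuration exported from the device with the Client address; a result where restricted_to_client is False means some device other than Client could reach the Telnet service.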