When R2 wants to reach R1, it must first be authenticated by telnetting to the router; once authenticated, the router installs a temporary access-list entry that lets the user reach the destination host.
With lock-and-key security you specify which users may reach which source or destination hosts.
How lock-and-key works
1) R2 telnets to R1 through a virtual terminal (vty) line.
2) R1 opens a login dialog and prompts for the username and password; if they are accepted, access is allowed.
3) R2 is then disconnected from the Telnet session, and a temporary entry is created in the dynamic access list.
4) Traffic from R2 can now reach R1.
5) When the configured timeout expires, the temporary entry is deleted.
R1 configuration
hostname r1
!
logging rate-limit console 10 except errors
!
username r2 password 0 r2
! user authentication
username r2 autocommand access-enable timeout 5
! time limit: idle timeout for the temporary entry, in minutes
ip subnet-zero
no ip finger
ip telnet source-interface Ethernet0
! set the source of all Telnet packets to E0, whose IP is 1.1.1.1
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Ethernet0
ip address 1.1.1.1 255.255.255.0
no keepalive
!
interface Serial0
ip address 170.1.12.1 255.255.255.0
ip access-group 100 in
clockrate 64000
!
interface Serial1
no ip address
shutdown
!
ip kerberos source-interface any
no ip classless
ip route 2.2.2.0 255.255.255.0 Serial0
no ip http server
!
access-list 1 permit 2.2.2.2
access-list 100 dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
access-list 100 permit tcp any host 170.1.12.1 eq telnet log
access-list 100 deny ip any any log
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport input none
line aux 0
line vty 0 4
login local
! use the local username/password database when logging in
!
end
r2#
r2#sh ru
Building configuration...
Current configuration : 738 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname r2
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Ethernet0
ip address 2.2.2.2 255.255.255.0
no keepalive
!
interface Serial0
ip address 170.1.12.2 255.255.255.0
!
interface Serial1
no ip address
shutdown
!
ip kerberos source-interface any
no ip classless
ip route 1.1.1.0 255.255.255.0 Serial0
no ip http server
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport input none
line aux 0
line vty 0 4
login
!
end
Verification
r2# telnet 170.1.12.1
Trying 170.1.12.1 ... Open
User Access Verification
Username: r2
Password:
List#100-tempaccess already contains this IP address pair
r1#sh ip access-lists
Standard IP access list 1
permit 2.2.2.2
Extended IP access list 100
Dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
permit tcp host 170.1.12.2 host 1.1.1.1 eq telnet log (time left 128)
permit tcp any host 170.1.12.1 eq telnet log (159 matches)
deny ip any any log
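The "sh ip access-lists" output above is what tells you which temporary entries lock-and-key currently has open. The following Python parser is an added example (not from the original page) that reads that output format, extracts each live entry with its remaining time, and records whether the installed entry's source host matches the template's (on this page the template names 2.2.2.2, while the live entry shows 170.1.12.2). The sample text is constructed from the page's own output; the regexes assume the line layout shown there.

```python
import re

# Constructed sample, modelled on the "sh ip access-lists" output on this page.
SAMPLE_OUTPUT = """\
Standard IP access list 1
    permit 2.2.2.2
Extended IP access list 100
    Dynamic tempaccess permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet log
       permit tcp host 170.1.12.2 host 1.1.1.1 eq telnet log (time left 128)
    permit tcp any host 170.1.12.1 eq telnet log (159 matches)
    deny ip any any log
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
DYN_TEMPLATE = re.compile(r"^Dynamic (\S+) (?:permit|deny) (.+)$")
TIME_LEFT = re.compile(r"\s*\(time left (\d+)\)\s*$")   # only on temporary entries
HOST_PAIR = re.compile(r"host (\S+) host (\S+)")          # source host, destination host

def parse_dynamic_entries(text):
    """Return one dict per temporary entry that lock-and-key has installed."""
    entries, acl, template, tmpl_src = [], None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ACL_HEADER.match(line)
        if m:                                   # new access list: reset state
            acl, template, tmpl_src = m.group(1), None, None
            continue
        m = DYN_TEMPLATE.match(line)
        if m:                                   # the dynamic template itself
            template = m.group(1)
            hp = HOST_PAIR.search(m.group(2))
            tmpl_src = hp.group(1) if hp else None
            continue
        m = TIME_LEFT.search(line)
        if m and template:                      # a live entry under that template
            rule = TIME_LEFT.sub("", line)
            hp = HOST_PAIR.search(rule)
            entries.append({
                "acl": acl, "template": template, "rule": rule,
                "src": hp.group(1) if hp else None,
                "dst": hp.group(2) if hp else None,
                "time_left": int(m.group(1)),
                # False when the live entry's source differs from the template's
                "src_matches_template": bool(hp) and hp.group(1) == tmpl_src,
            })
    return entries

def expiring_soon(entries, warn_below=60):
    """Entries whose remaining time is below warn_below (same units as IOS prints)."""
    return [e for e in entries if e["time_left"] < warn_below]
```

Entries returned by expiring_soon are about to be removed by the router; that is the intended lock-and-key behaviour, not a fault, but it is the moment a user will have to re-authenticate.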