
Article: VLAN Access-List

Author: Trng Quang Dng

VLAN access lists (VACLs) are one of the methods for improving network security. They make it possible to control the traffic flowing through a switch. When configuring a VLAN access list, the user can classify traffic: ip, tcp, www, and so on. Depending on the network administrator's policy, each type of traffic can be filtered out or allowed through the network. A VLAN access list can be applied within a single VLAN or between VLANs (inter-VLAN). VLAN access lists have the same characteristics as router access lists (RACLs): they can drop, forward, or redirect packets.

This lab consists of two parts:
- Part 1: Demonstrating the behaviour of VACLs within a single VLAN
- Part 2: Demonstrating the behaviour of VACLs beyond the scope of a single VLAN

Part 1: Demonstrating the behaviour of VACLs within a single VLAN

[Figure]

Description: In VLAN 10, a Cisco router is used as the access server. It is configured with the address 192.168.10.254/24 and allows Telnet. The management IP of VLAN 10 is 192.168.10.1/24, and the workstations have addresses from 192.168.10.2 to 192.168.10.253/24. Configure a VLAN access list so that workstations with IP addresses in the range 192.168.10.2/24 to 192.168.10.15/24 cannot telnet to the access server, except for 192.168.10.3/24 (192.168.10.3/24 can still telnet in).

Information about station 192.168.10.3

Use a workstation in the blocked range for testing: assume station 192.168.10.4 is used.

Configuration steps:

Step 1: To set up the lab, first complete the basic configuration of the VLANs and the workstations as shown in the figure.

Configure the VLANs

Vnpro#vlan database
Vnpro(vlan)#vtp domain Vnpro
Changing VTP domain name from NULL to Vnpro
Vnpro(vlan)#vlan 10 name Admin
VLAN 10 added:
    Name: Admin
Vnpro(vlan)#vlan 20 name User
VLAN 20 added:
    Name: User
Vnpro(vlan)#apply
APPLY completed.
Vnpro(vlan)#exit
APPLY completed.
Exiting....

Configure the management IP for the VLANs

Vnpro#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Vnpro(config)#interface vlan 1
Vnpro(config-if)#ip address 192.168.1.1 255.255.255.0
Vnpro(config-if)#no shutdown
Vnpro(config-if)#exit
00:06:14: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
Vnpro(config)#interface vlan 10
Vnpro(config-if)#ip address 192.168.10.1 255.255.255.0
Vnpro(config-if)#no shutdown
Vnpro(config-if)#exit
Vnpro(config)#
00:07:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
Vnpro(config)#interface vlan 20
Vnpro(config-if)#ip address 192.168.20.1 255.255.255.0
Vnpro(config-if)#no shut
Vnpro(config-if)#exit
00:06:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down

After configuring the VLANs, the user can assign the ports to the corresponding VLANs.

Step 2: Configure the VLAN access list

- Configure the access lists

Vnpro(config)#ip access-list extended VnproAllow1
Vnpro(config-ext-nacl)#permit tcp host 192.168.10.3 host 192.168.10.254 eq telnet
Vnpro(config-ext-nacl)#exit
Vnpro(config)#ip access-list extended VnproBlock1
Vnpro(config-ext-nacl)#permit tcp 192.168.10.0 0.0.0.15 host 192.168.10.254 eq telnet
Vnpro(config-ext-nacl)#exit
Vnpro(config)#ip access-list extended VnproDefault1
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#exit
Vnpro(config)#

Check the access-list information

Vnpro#show ip access-lists
Extended IP access list VnproAllow1
    permit tcp host 192.168.10.3 host 192.168.10.254 eq telnet
Extended IP access list VnproBlock1
    permit tcp 192.168.10.0 0.0.0.15 host 192.168.10.254 eq telnet
Extended IP access list VnproDefault1
    permit tcp any any
Vnpro#

The concept of an access list is no longer confined to its usual meaning (blocking traffic or blocking IP addresses). An access list is used to filter and classify traffic and IP addresses; for each class of traffic or addresses, the user can then apply a different policy. In this lab, for example, access lists divide the workstations into the following groups:

- VnproAllow1 corresponds to host 192.168.10.3; the traffic type is tcp, specifically telnet
- VnproBlock1 corresponds to hosts from 192.168.10.1/28 to 192.168.10.15/28; the traffic type is tcp, specifically telnet
- VnproDefault1 corresponds to the remaining hosts in VLAN 10; the traffic type is tcp, specifically telnet

Each group then gets its own policy, as follows:

- Group VnproAllow1: allowed
- Group VnproBlock1: blocked (that is, the matching traffic to the matching IP address in this group is DROPPED)
- Group VnproDefault1: allowed

Rule: after policies that block certain types of traffic to certain IP addresses, the configuration must end with an access list containing permit any any. Otherwise, because of the implicit deny behaviour of access lists, the other hosts are blocked for all remaining types of traffic. In this lab, group VnproDefault1 serves that purpose.

Configure the VLAN access map (used to apply a policy to each classified group)

Vnpro(config)#vlan access-map VnproMap1 10
Vnpro(config-access-map)#match ip address VnproAllow1
Vnpro(config-access-map)#action forward
Vnpro(config-access-map)#exit
Vnpro(config)#vlan access-map VnproMap1 20
Vnpro(config-access-map)#match ip address VnproBlock1
Vnpro(config-access-map)#action drop
Vnpro(config-access-map)#exit
Vnpro(config)#vlan access-map VnproMap1 30
Vnpro(config-access-map)#match ip address VnproDefault1
Vnpro(config-access-map)#action forward
Vnpro(config-access-map)#end
00:18:33: %SYS-5-CONFIG_I: Configured from console by console

Check the VLAN access map that was just configured

Vnpro#show vlan access-map
Vlan access-map "VnproMap1" 10
  Match clauses:
    ip address: VnproAllow1
  Action: forward
Vlan access-map "VnproMap1" 20
  Match clauses:
    ip address: VnproBlock1
  Action: Drop
Vlan access-map "VnproMap1" 30
  Match clauses:
    ip address: VnproDefault1
  Action: forward
Vnpro#

To activate these policies, the access maps must be applied to a specific VLAN (in this case VLAN 10).

Before the map is applied to VLAN 10, hosts 192.168.10.3/28 and 192.168.10.4/28 can both telnet to 192.168.10.254.

Result: successful telnet from workstations 192.168.10.3/24 and 192.168.10.4/24 to the access server 192.168.10.254

Apply the map to a VLAN (activating the access maps on VLAN 10)

Vnpro(config)#vlan filter VnproMap1 vlan-list 10

Check

Vnpro#show vlan filter
VLAN Map VnproMap1 is filtering VLANs:
  10
Vnpro#

Check the operation of the VLAN access list after activation by telnetting from workstations 192.168.10.3/28 and 192.168.10.4/28 and recording the results.

Workstation 192.168.10.3/28 still telnets successfully to the access server 192.168.10.254, because its IP address is classified by group VnproAllow1 and the policy applied to this group is action: forward.

Workstation 192.168.10.4/28 is refused when it telnets to the access server 192.168.10.254, because its IP address is classified by group VnproBlock1 and the policy applied to this group is action: drop.

The remaining workstations, which fall into group VnproDefault1, can still telnet to the access server 192.168.10.254 because the policy for this group is action: forward. However, when VnproDefault1 is configured only as follows:

Vnpro(config)#ip access-list extended VnproDefault1
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#exit
Vnpro(config)#

With this configuration, the workstations in group VnproDefault1 can telnet to the access server but cannot ping it, because the command permit ip any any was forgotten.

To be able to ping the access server, configure the list as follows:

Vnpro(config)#ip access-list extended VnproDefault1
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#permit ip any any
Vnpro(config-ext-nacl)#exit
Vnpro(config)#

This is because of the implicit deny behaviour of access lists. Part 2 demonstrates how to correct this error.

Another note: once activated, access lists are checked in order from top to bottom. At the first line whose condition is met, the switch applies the configured policy and then ends the checking process.

In this lab, if the order of the access maps is changed, the result is completely different. For example, if VnproMap1 10 is configured as follows:

Vnpro(config)#vlan access-map VnproMap1 10
Vnpro(config-access-map)#match ip address VnproDefault1
Vnpro(config-access-map)#action forward
Vnpro(config-access-map)#exit

The access map is checked from top to bottom. The very first check meets permit ip any any, and every IP address satisfies the any any condition, so the switch immediately applies the policy action: forward for this group and ends the checking process. Result: all workstations can telnet to the access server 192.168.10.254 (including the workstations with IP addresses in the range 192.168.10.1/28 to 192.168.10.15/28).
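The evaluation rules described above (the lowest matching access-map sequence wins, with an implicit deny at the end) can be checked offline with the following Python model. It is an added example, not part of the original lab: it reuses the lab's ACL names, map name and addresses, handles IPv4 packets and permit entries only, and the helper names (evaluate, packet, FIXED_ACLS, REORDERED_MAP) are assumptions made for illustration.

```python
import ipaddress

TELNET = 23
SERVER = "192.168.10.254"  # access server from Part 1

def ip(addr):
    return int(ipaddress.IPv4Address(addr))
def host(addr):
    """IOS 'host x' is shorthand for address x with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")

def addr_match(spec, addr):
    """spec is 'any' or (base, wildcard); wildcard bits set to 1 are ignored."""
    if spec == "any":
        return True
    wildcard = ip(spec[1])
    return (ip(addr) | wildcard) == (ip(spec[0]) | wildcard)

def ace_match(ace, pkt):
    """ace = (proto, src, dst, dport); proto 'ip' matches every IP protocol."""
    proto, src, dst, dport = ace
    if proto not in ("ip", pkt["proto"]):
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    return dport is None or dport == pkt["dport"]

# The three classifier ACLs as configured in Part 1 (all permit entries).
ACLS = {
    "VnproAllow1": [("tcp", host("192.168.10.3"), host(SERVER), TELNET)],
    "VnproBlock1": [("tcp", ("192.168.10.0", "0.0.0.15"), host(SERVER), TELNET)],
    "VnproDefault1": [("tcp", "any", "any", None)],
}
# VnproDefault1 with the forgotten 'permit ip any any' added.
FIXED_ACLS = dict(ACLS, VnproDefault1=[("tcp", "any", "any", None),
                                       ("ip", "any", "any", None)])
# (sequence, ACL matched, action) as in 'vlan access-map VnproMap1 <seq>'.
VNPRO_MAP1 = [(10, "VnproAllow1", "forward"),
              (20, "VnproBlock1", "drop"),
              (30, "VnproDefault1", "forward")]
# Hypothetical reordering: the catch-all group is checked first.
REORDERED_MAP = [(10, "VnproDefault1", "forward"),
                 (20, "VnproAllow1", "forward"),
                 (30, "VnproBlock1", "drop")]

def evaluate(vlan_map, acls, pkt):
    """Return (action, sequence); the lowest matching sequence wins."""
    for seq, acl_name, action in sorted(vlan_map):
        if any(ace_match(ace, pkt) for ace in acls[acl_name]):
            return action, seq
    return "drop", None  # implicit deny: no entry matched this IP packet

def packet(proto, src, dport=None):
    return {"proto": proto, "src": src, "dst": SERVER, "dport": dport}

if __name__ == "__main__":
    for label, vmap, acls, pkt in [
        ("telnet .3", VNPRO_MAP1, ACLS, packet("tcp", "192.168.10.3", TELNET)),
        ("telnet .4", VNPRO_MAP1, ACLS, packet("tcp", "192.168.10.4", TELNET)),
        ("ping .20, tcp-only default", VNPRO_MAP1, ACLS, packet("icmp", "192.168.10.20")),
        ("ping .20, fixed default", VNPRO_MAP1, FIXED_ACLS, packet("icmp", "192.168.10.20")),
        ("telnet .4, reordered", REORDERED_MAP, ACLS, packet("tcp", "192.168.10.4", TELNET)),
    ]:
        print(f"{label:28} -> {evaluate(vmap, acls, pkt)}")
```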

Therefore, when configuring, the order of the access lists and access maps is extremely important.

Part 2: Demonstrating the behaviour of VACLs beyond the scope of a single VLAN

[Figure]

Configure inter-VLAN routing: see the inter-VLAN routing configuration in the article "InterVlan Routing & MultiLayer Switching". In this case inter-VLAN routing uses the RIP routing protocol to keep the configuration simple (because the main goal is to demonstrate VACLs).

Description: In this part, a VLAN access list is configured and applied to VLAN 20.

A Cisco router is connected to the multilayer switch through a FastEthernet port, with the addressing scheme shown in the figure. The router has the hostname Remote and is used as the access server. The management IP of VLAN 20 is 192.168.20.1/24, and the workstations have addresses from 192.168.20.2 to 192.168.20.253/24. Configure a VLAN access list so that workstations with IP addresses in the range 192.168.20.2/24 to 192.168.20.15/24 cannot telnet to the access server, except for 192.168.20.3/24 (192.168.20.3/24 can still telnet to the Remote router 10.200.0.2/24). The steps are similar to those above:

Configure MLS on the Vnpro switch

Vnpro(config)#interface fa0/1
Vnpro(config-if)#no switchport
Vnpro(config-if)#
Vnpro(config-if)#ip address 10.200.0.1 255.255.255.0
Vnpro(config-if)#no shutdown
Vnpro(config-if)#exit
01:28:35: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
01:28:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Vnpro(config)#ip routing
Vnpro(config)#router rip
Vnpro(config-router)#network 192.168.1.0
Vnpro(config-router)#network 192.168.10.0
Vnpro(config-router)#network 192.168.20.0
Vnpro(config-router)#network 10.200.0.0
Vnpro(config-router)#^Z
01:29:53: %SYS-5-CONFIG_I: Configured from console by console

Configure the IP addresses and routing on the Remote router

Remote#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Remote(config)#interface Ethernet0/0
Remote(config-if)#ip address 10.200.0.2 255.255.255.0
Remote(config-if)#no shutdown
Remote(config-if)#exit
Remote(config)#interface loopback 0
Remote(config-if)#ip address 172.168.0.1 255.255.255.0
Remote(config-if)#no shutdown
Remote(config-if)#exit
Remote(config)#router rip
Remote(config-router)#network 10.200.0.0
Remote(config-router)#network 172.168.0.0
Remote(config-router)#^Z

Check the routing information on the Remote router and the Vnpro switch

Vnpro#show ip route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, Vlan10
R    172.168.0.0/16 [120/1] via 10.200.0.2, 00:00:24, FastEthernet0/1
C    192.168.20.0/24 is directly connected, Vlan20
     10.0.0.0/24 is subnetted, 1 subnets
C       10.200.0.0 is directly connected, FastEthernet0/1

Vnpro#telnet 10.200.0.2
Trying 10.200.0.2 ... Open

User Access Verification

Password: cisco
Remote>enable
Password: vnpro
Remote#show ip route

Gateway of last resort is not set

R    192.168.10.0/24 [120/1] via 10.200.0.1, 00:00:09, Ethernet0/0
     172.168.0.0/24 is subnetted, 1 subnets
C       172.168.0.0 is directly connected, Loopback0
R    192.168.20.0/24 [120/1] via 10.200.0.1, 00:00:09, Ethernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.200.0.0 is directly connected, Ethernet0/0

Remote#

Configure the new VLAN access lists

Vnpro(config)#ip access-list extended VnproAllow2
Vnpro(config-ext-nacl)#permit tcp host 192.168.20.3 host 10.200.0.2 eq telnet
Vnpro(config-ext-nacl)#exit
Vnpro(config)#ip access-list extended VnproBlock2
Vnpro(config-ext-nacl)#permit tcp 192.168.20.0 0.0.0.15 host 10.200.0.2 eq telnet
Vnpro(config-ext-nacl)#exit
Vnpro(config)#ip access-list extended VnproDefault2
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#permit ip any any
Vnpro(config-ext-nacl)#end
Vnpro#
01:56:55: %SYS-5-CONFIG_I: Configured from console by console

Check the access-list information

Vnpro#show ip access-lists
Extended IP access list VnproAllow1
    permit tcp host 192.168.10.3 host 192.168.10.254 eq telnet
Extended IP access list VnproAllow2
    permit tcp host 192.168.20.3 host 10.200.0.2 eq telnet
Extended IP access list VnproBlock1
    permit tcp 192.168.10.0 0.0.0.15 host 192.168.10.254 eq telnet
Extended IP access list VnproBlock2
    permit tcp 192.168.20.0 0.0.0.15 host 10.200.0.2 eq telnet
Extended IP access list VnproDefault1
    permit tcp any any
Extended IP access list VnproDefault2
    permit tcp any any
    permit ip any any
Vnpro#

Configure the VLAN access map

Vnpro#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Vnpro(config)#vlan access-map VnproMap2 10
Vnpro(config-access-map)#match ip address VnproAllow2
Vnpro(config-access-map)#action forward
Vnpro(config-access-map)#exit
Vnpro(config)#vlan access-map VnproMap2 20
Vnpro(config-access-map)#match ip address VnproBlock2
Vnpro(config-access-map)#action drop
Vnpro(config-access-map)#exit
Vnpro(config)#vlan access-map VnproMap2 30
Vnpro(config-access-map)#match ip address VnproDefault2
Vnpro(config-access-map)#action forward
Vnpro(config-access-map)#end
Vnpro(config)#

Check the VLAN access-list information

Vnpro#show vlan access-map
Vlan access-map "VnproMap1" 10
  Match clauses:
    ip address: VnproAllow1
  Action: forward
Vlan access-map "VnproMap1" 20
  Match clauses:
    ip address: VnproBlock1
  Action: drop
Vlan access-map "VnproMap1" 30
  Match clauses:
    ip address: VnproDefault1
  Action: forward
Vlan access-map "VnproMap2" 10
  Match clauses:
    ip address: VnproAllow2
  Action: forward
Vlan access-map "VnproMap2" 20
  Match clauses:
    ip address: VnproBlock2
  Action: drop
Vlan access-map "VnproMap2" 30
  Match clauses:
    ip address: VnproDefault2
  Action: forward
Vnpro#

Before VLAN access map VnproMap2 is applied to VLAN 20, all workstations on VLAN 20 can telnet to and ping the Remote router successfully.

The workstation telnets successfully to the Remote router before VLAN access map VnproMap2 is applied to VLAN 20

The workstation pings the Remote router successfully before VLAN access map VnproMap2 is applied to VLAN 20

Apply VLAN access map VnproMap2 to VLAN 20

Vnpro(config)#vlan filter VnproMap2 vlan-list 20

Check the VLAN access-map configuration as applied to the VLANs on the switch

Vnpro#show vlan filter
VLAN Map VnproMap1 is filtering VLANs:
  10
VLAN Map VnproMap2 is filtering VLANs:
  20

Check the operation of the VLAN access list after VLAN access map VnproMap2 is applied to VLAN 20 by pinging and telnetting to the Remote router from the workstations and recording the results.

The results show that the workstation with IP 192.168.20.4/28 can ping but cannot telnet to the Remote router 10.200.0.2/24, which demonstrates how VACLs work in an inter-VLAN environment.

Note: unlike Part 1, after VLAN access map VnproMap2 is applied to VLAN 20, workstation 192.168.20.4/28 is blocked only when it sends tcp traffic, specifically telnet, to the Remote router at IP 10.200.0.2/24. Other types of traffic (in this case ip) remain transparent to the VLAN access list. The implicit deny behaviour of the access list has been corrected compared with the configuration shown in Part 1.

Compare the difference between the two configurations:

Part 1:

Vnpro(config)#ip access-list extended VnproDefault1
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#exit
Vnpro(config)#

Part 2:

Vnpro(config)#ip access-list extended VnproDefault2
Vnpro(config-ext-nacl)#permit tcp any any
Vnpro(config-ext-nacl)#permit ip any any
Vnpro(config-ext-nacl)#exit
Vnpro(config)#

In all cases, when using access lists in general, pay attention to the order of the access lists used and to their implicit deny behaviour.

Appendix

Reference configuration of the Vnpro switch

!
hostname Vnpro
!
enable secret 5 $1$FW/z$z49gfElHWknNIvPIOfZEG0
enable password cisco
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map Vnpr1 10
 action forward
vlan access-map VnproMap1 10
 action forward
 match ip address VnproAllow1
vlan access-map VnproMap1 20
 action drop
 match ip address VnproBlock1
vlan access-map VnproMap1 30
 action forward
 match ip address VnproDefault1
vlan access-map VnproMap2 10
 action forward
 match ip address VnproAllow2
vlan access-map VnproMap2 20
 action drop
 match ip address VnproBlock2
vlan access-map VnproMap2 30
 action forward
 match ip address VnproDefault2
vlan filter VnproMap1 vlan-list 10
vlan filter VnproMap2 vlan-list 20
!
!
interface FastEthernet0/1
 no switchport
 ip address 10.200.0.1 255.255.255.0
!
interface FastEthernet0/2
 no ip address
!
interface FastEthernet0/3
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/6
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/11
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 20
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.10.0
 network 192.168.20.0
!
ip classless
ip http server
!
ip access-list extended VnproAllow1
 permit tcp host 192.168.10.3 host 192.168.10.254 eq telnet
ip access-list extended VnproAllow2
 permit tcp host 192.168.20.3 host 10.200.0.2 eq telnet
ip access-list extended VnproBlock1
 permit tcp 192.168.10.0 0.0.0.15 host 192.168.10.254 eq telnet
ip access-list extended VnproBlock2
 permit tcp 192.168.20.0 0.0.0.15 host 10.200.0.2 eq telnet
ip access-list extended VnproDefault1
 permit tcp any any
ip access-list extended VnproDefault2
 permit tcp any any
 permit ip any any
!
line con 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end

Vnpro#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Gi0/1
                                                Gi0/2
10   Admin                            active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
20   User                             active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500                                       0      0
10   enet  100010     1500                                       0      0
20   enet  100020     1500                                       0      0
1002 fddi  101002     1500                                       0      0
1003 tr    101003     1500                                       0      0
1004 fdnet 101004     1500                         ieee          0      0
1005 trnet 101005     1500                         ibm           0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Vnpro#show vlan access-map
Vlan access-map "VnproMap1" 10
  Match clauses:
    ip address: VnproAllow1
  Action: forward
Vlan access-map "VnproMap1" 20
  Match clauses:
    ip address: VnproBlock1
  Action: drop
Vlan access-map "VnproMap1" 30
  Match clauses:
    ip address: VnproDefault1
  Action: forward
Vlan access-map "VnproMap2" 10
  Match clauses:
    ip address: VnproAllow2
  Action: forward
Vlan access-map "VnproMap2" 20
  Match clauses:
    ip address: VnproBlock2
  Action: drop
Vlan access-map "VnproMap2" 30
  Match clauses:
    ip address: VnproDefault2
  Action: forward

Vnpro#show ip access-list
Extended IP access list VnproAllow1
    permit tcp host 192.168.10.3 host 192.168.10.254 eq telnet
Extended IP access list VnproAllow2
    permit tcp host 192.168.20.3 host 10.200.0.2 eq telnet
Extended IP access list VnproBlock1
    permit tcp 192.168.10.0 0.0.0.15 host 192.168.10.254 eq telnet
Extended IP access list VnproBlock2
    permit tcp 192.168.20.0 0.0.0.15 host 10.200.0.2 eq telnet
Extended IP access list VnproDefault1
    permit tcp any any
Extended IP access list VnproDefault2
    permit tcp any any
    permit ip any any

Vnpro#show vlan filter
VLAN Map VnproMap1 is filtering VLANs:
  10
VLAN Map VnproMap2 is filtering VLANs:
  20

Vnpro#show ip route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, Vlan10
R    172.168.0.0/16 [120/1] via 10.200.0.2, 00:00:21, FastEthernet0/1
C    192.168.20.0/24 is directly connected, Vlan20
     10.0.0.0/24 is subnetted, 1 subnets
C       10.200.0.0 is directly connected, FastEthernet0/1

Vnpro#ping 10.200.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Vnpro#ping 172.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Vnpro#

Reference configuration of the Remote router

Remote#show running-config
Building configuration...

Current configuration : 690 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Remote
!
enable secret 5 $1$wDfm$5zcN0Px2wrN0be6jV74m60
enable password cisco
!
memory-size iomem 10
ip subnet-zero
!
!
!
call rsvp-sync
!
interface Loopback0
 ip address 172.168.0.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.200.0.2 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
router rip
 network 10.0.0.0
 network 172.168.0.0
!
ip classless
ip http server
ip pim bidir-enable
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
end

Remote#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

R    192.168.10.0/24 [120/1] via 10.200.0.1, 00:00:25, Ethernet0/0
     172.168.0.0/24 is subnetted, 1 subnets
C       172.168.0.0 is directly connected, Loopback0
R    192.168.20.0/24 [120/1] via 10.200.0.1, 00:00:25, Ethernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.200.0.0 is directly connected, Ethernet0/0

Remote#ping 192.168.20.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Remote#telnet 192.168.20.4
Trying 192.168.20.4 ...
% Connection refused by remote host

Remote#
