Management Access through VRF

Kryptkeeper
Level 1

Hello,

I have been reading some articles, and blogs, about accessing the VTY lines when the traffic is coming from an interface that is a part of a VRF. According to what I have read, you should not be able to connect to the VTY line unless you put an access-list on the VTY lines with the "vrf-also" keyword. Also, the articles were referring to using 4500s, or lower end switches.

I am coming up with a design and wanted to implement VRF-lite. When I was mocking up the design I noticed I could connect to the VTY lines of a device even though the L3 interface I was telnet'd to was in a VRF. I was using three 3725s to see if this actually worked, or not.

I was hoping that in the end traffic within this VRF would not be able to connect to the management plane. Also, is the inability to connect to the VTY lines a platform/IOS-specific issue? Any insight would be appreciated. Thanks.

4 Replies

burak-isiksoy
Level 1

Why don't you use a VTY access-list?

Marwan ALshawi
VIP Alumni

Access to the device through a certain VRF does not mean you cannot manage the device.

The VRF is just virtualising the control plane/routing of the router. Once you are in through telnet or ssh, for example, you can manage that router, but the benefit of having a different VRF for management is to have a separate routing and management interface from the actual global routing table and other interfaces.

This is the default on the ASR and Nexus, which have a dedicated management interface in a management VRF.

HTH

Nicholas Poole
Level 1

Although other replies below suggested this wasn't the case, I found what you had read to be true.

On a C3750 switch I had a vty ACL. I then added a VRF and wanted to get to the CLI via that VRF, but I couldn't; I always got connection refused. When I added the "vrf-also" keyword to the access-class command on the vty line I could now gain access.

Hi,

I've got the same experience with a 2921 router running 15.2(4) IOS.

 

Best regards,

Milan
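
An added example, not part of any post in this thread: a small Python audit that classifies each `line vty` block of a running-config by how it treats sessions arriving through a VRF interface, following the behaviour the posters report above. The sample config, the VRF name `CUSTOMER` and the ACL name `MGMT-ONLY` are constructed, and the function and state names are hypothetical.

```python
import re

# Constructed running-config fragment; VRF and ACL names are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 10.1.1.1 255.255.255.0
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
line vty 5 9
 access-class MGMT-ONLY in vrf-also
 transport input ssh
line vty 10 15
 transport input telnet
!
"""

# Interpretation of each state, as reported by posters in this thread.
MEANING = {
    "no-acl": "no inbound access-class: sessions via a VRF interface were accepted (3725 report)",
    "acl-global-only": "access-class without vrf-also: VRF-sourced sessions were refused (C3750, 2921 reports)",
    "acl+vrf-also": "access-class with vrf-also: VRF-sourced sessions were let in (C3750 report)",
}

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^\s+access-class (\S+) in(\s+vrf-also)?\s*$")

def audit_vty(config):
    """Map each 'line vty' range to no-acl / acl-global-only / acl+vrf-also."""
    findings, current = {}, None
    for line in config.splitlines():
        start = VTY_RE.match(line)
        if start:
            current = f"{start.group(1)}-{start.group(2) or start.group(1)}"
            findings[current] = "no-acl"
        elif not line.startswith(" "):
            current = None  # any unindented line ends the vty block
        elif current:
            acl = ACL_RE.match(line)
            if acl:
                findings[current] = "acl+vrf-also" if acl.group(2) else "acl-global-only"
    return findings

if __name__ == "__main__":
    for vty, state in audit_vty(SAMPLE_CONFIG).items():
        print(f"line vty {vty}: {state} ({MEANING[state]})")
```

For the goal stated in the original question (keeping VRF traffic away from the management plane), the ranges to look at are those reported as `no-acl` or `acl+vrf-also`.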

 
