Management Access through VRF

Kryptkeeper · ‎08-04-2011

Hello,

I have been reading some articles, and blogs, about accessing the VTY lines when the traffic is coming from an interface that is apart of a VRF. According to what I have read, you should not be able connected to the VTY line unless you put an access-list on the VTY lines with the "vrf-also" keyword. Also, the articles were referring to using 4500s, or lower end switches.

I am coming up with a design and wanted to implement VRF-lite. When I was mocking up the design I noticed I could connect to the VTY lines of a device eventhough the L3 interface I was telnet'd to was in a VRF. I was using three 3725s to see if this actually worked, or not.

I was hoping that in the end traffic within this VRF would not be able to connect to the management plane. Also, does the inability to connect to the VTY lines a platform/IOS specific issues? Any insight would be appreciated. Thanks.

burak-isiksoy · ‎08-07-2011

Why dont you use VTY access-list.

Marwan ALshawi · ‎08-08-2011

access to the device through a certain VRF dose not mean you can not mange the device

the VRF is just virtulising the control plane/routing of the router once you in through telnet or ssh for example you can manage that router but the benefit of having differnt vrf for managment is to have a separate routing and management interface of the actual global routing table and other interfaces

this is by default in the ASR and Nexus which they have a dedicated management interface in management VRF

HTH

Nicholas Poole · ‎07-16-2014

Although other replies below suggested this wasn't the case, I found what you had read to be true.

On a C3750 switch I had a vty acl, I then added a VRF and wanted to get to the cli via that VRF, but I couldn't, I always got connection refused. When I added "vrf-also" keyword to the access-class command on the vty line I could now gain access.

milan.kulik · ‎07-16-2014

Hi,

I've got the same experience with a 2921 router running 15.2(4) IOS.

Best regards,

Milan