Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
506
Views
0
Helpful
2
Replies

DNS lookup for SSH connection not working with vrf

mario.jost
Level 3
Level 3

‎03-27-2018 08:44 AM - edited ‎03-08-2019 02:25 PM

If i use vrf specific DNS servers in my configuration, it works fine with the ping command:

roTST01#show running-config | include name-
ip name-server vrf DSL 8.8.8.8
ip name-server vrf DSL 8.8.4.4
ip name-server vrf LAN 172.16.222.50
ip name-server vrf LAN 172.16.222.52

roTST01#ping vrf DSL www.google.ch
Translating "www.google.ch"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.16.131, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
roTST01#ping vrf LAN swtst01.company.local
Translating "swtst01.company.local"...domain server (172.16.222.50) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.220.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

But if i want to use SSH to connect to a device, IOS somehow wants to use the DNS servers that have been assigned to the router via a dialer interface instead of using the ones configured for this vrf:

roTST01#ssh -vrf LAN -l user12 swtst01.company.local
Translating "swtst01.company.local"...domain server (195.186.4.162) (195.186.1.162)

% Unknown command or computer name, or unable to find computer address

This is a C897VA-K9 with IOS version 15.6(2)T1 if anyone wants to know. Is there something I am missing?

Labels:
0 Helpful
2 Replies 2

Francesco Molino
VIP Alumni
VIP Alumni

‎03-28-2018 06:38 AM

Hi

Can you share your config for ip domain-lookup?
If you configure:
ip domain-lookup source-interface xxxx --> interface name of your LAN vrf, it should work

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

mario.jost
Level 3
Level 3
In response to Francesco Molino

‎03-28-2018 08:20 AM

Hey there, thanks for the reply. I did not change anything with ip domain-lookup which means, it is still in its IOS default state, which means activated. I configured the source interface command as suggested, but it did not help:

 

roTST01(config)#ip domain-lookup source-interface vlan 10
roTST01(config)#end
roTST01#show running-config interface vlan 10
Building configuration...

Current configuration : 175 bytes
!
interface Vlan10
 description Company Net
 ip vrf forwarding LAN
 ip address 172.16.220.2 255.255.255.0
 ip helper-address global 172.16.200.10
 ip tcp adjust-mss 1366
end

roTST01#ssh -vrf LAN -l user12 swtst01.company.local
Translating "swtst01.company.local"...domain server (195.186.4.162) (195.186.1.162)

% Unknown command or computer name, or unable to find computer address

Even if this workaround would help, i would limit the usage of the ssh domain lookup to only one vrf (the one that interface vlan10 is assigned to). In a correct implementation, the SSH command would contact the DNS servers that are responsible for the specified VRF to resolve names.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card