06-25-2013 01:32 AM - edited 03-07-2019 02:03 PM
Hi All,
Found a weird behaviour with a C7200 VXR with ACL on the vty access.
To explain the setup, one of the interfaces on the router is setup with a VRF for "out of band" management (sorta-kinda, if you see what I mean).
The other interfaces are all forwarding/routing interfaces.
If I do NOT apply an ACL to the vty lines, telnet/ssh access is possible both inband and via the management vrf with no problem.
If I apply the ACL to the vty lines, then ONLY inband access is possible. Trying to access via the management VRF gives "connection refused".
Debugging the ACL itself, the ACL is indeed ACCEPTING the connection on the management VRF, so looks like there's something weird going on here...
Jun 25 07:46:01.535: %SEC-6-IPACCESSLOGS: list 23 permitted 10.10.1.33 2 packets
Ideas?
Leland
06-25-2013 02:16 AM
Hi Leland,
Have you used the vrf-also keyword in the access-class command? It should look like:
line vty 0 15
access-class 23 in vrf-also
Quoting from http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#wp4197423098
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.
Best regards,
Peter
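To make the fix concrete, here is an added configuration example (not from the original thread or from Cisco's documentation) showing the failing and the working vty access-class configuration side by side. The VRF name MGMT, the interface name, and the 10.10.1.0/24 management subnet are assumptions chosen to match the 10.10.1.33 source in the log line above; the ACL number 23 is the one from the thread.

```ios
! --- Assumed management VRF and interface (names are assumptions) ---
ip vrf MGMT
 rd 65000:1
!
interface GigabitEthernet0/0
 description Out-of-band management
 ip vrf forwarding MGMT
 ip address 10.10.1.1 255.255.255.0
!
! --- ACL 23: permit the management subnet, log matches ---
! The "log" keyword produces the %SEC-6-IPACCESSLOGS line seen in the
! question; it only shows the ACL decision, not whether the vty will
! accept a session arriving from a VRF interface.
access-list 23 permit 10.10.1.0 0.0.0.255 log
access-list 23 deny   any log
!
! --- BEFORE: ACL applied without vrf-also ---
! Inband (global table) sessions from 10.10.1.0/24 are accepted, but
! sessions entering through the MGMT VRF interface are refused even
! though ACL 23 permits them.
line vty 0 15
 access-class 23 in
 transport input ssh
!
! --- AFTER: vrf-also added ---
! Sessions from VRF interfaces are now evaluated against ACL 23 like
! any other source instead of being rejected outright.
line vty 0 15
 access-class 23 in vrf-also
 transport input ssh
```

Only one of the two `line vty 0 15` stanzas would be present in a real configuration; they are shown together to contrast the two states. A quick check after the change is `show line vty 0` (or `show running-config | section line vty`), which should list `access-class 23 in vrf-also`.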
06-25-2013 02:18 AM
DOH! Thanks Peter.
That's the one.