vty ACL weird behaviour with VRF (c7200 VXR)

Hi All,

Found a weird behaviour with a C7200 VXR with ACL on the vty access.

To explain the setup, one of the interfaces on the router is set up with a VRF for "out of band" management (sorta-kinda, if you see what I mean).

The other interfaces are all forwarding/routing interfaces.

If I do NOT apply an ACL to the vty lines, telnet/ssh access is possible both inband and via the management vrf with no problem.

If I apply the ACL to the vty lines, then ONLY inband access is possible.  Trying to access via the management VRF gives "connection refused".

Debugging the ACL itself, the ACL is indeed ACCEPTING the connection on the management VRF, so looks like there's something weird going on here...

Jun 25 07:46:01.535: %SEC-6-IPACCESSLOGS: list 23 permitted 10.10.1.33 2 packets

Ideas ?

Leland

Accepted Solution

Re: vty ACL weird behaviour with VRF (c7200 VXR)

Hi Leland,

Have you used the vrf-also keyword in the access-class command? It should look like:

line vty 0 15
  access-class 23 in vrf-also

Quoting from http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#wp4197423098

If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

Best regards,

Peter

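For reference, a fuller configuration illustrating the fix Peter describes. This is an added example, not configuration posted in the thread: the VRF name MGMT, the interface GigabitEthernet0/0, the route distinguisher 65000:1, the in-band admin range 192.0.2.0/24 and the choice of ssh-only transport are all assumed for illustration. ACL 23 and the 10.10.1.0/24 source range follow the log line in Leland's post.

```cisco
! Added example (not from the thread): management VRF plus a vty ACL that
! is also applied to sessions arriving through a VRF interface.
! Assumed names: vrf MGMT, GigabitEthernet0/0, rd 65000:1, in-band admin
! range 192.0.2.0/24, ssh-only transport. ACL 23 and 10.10.1.0/24 follow
! the %SEC-6-IPACCESSLOGS line in the original post.
ip vrf MGMT
 rd 65000:1
!
interface GigabitEthernet0/0
 description out-of-band management (VRF MGMT)
 ip vrf forwarding MGMT
 ip address 10.10.1.1 255.255.255.0
!
! Standard ACL: permit only the management stations, log every match.
! The "log" keyword is what produces the %SEC-6-IPACCESSLOGS messages.
access-list 23 permit 10.10.1.0 0.0.0.255 log
access-list 23 permit 192.0.2.0 0.0.0.255 log
access-list 23 deny   any log
!
line vty 0 15
 ! Without "vrf-also" the ACL is still evaluated (and logs a permit), but
 ! a session arriving via a VRF interface is refused before reaching login.
 access-class 23 in vrf-also
 transport input ssh
 login local
```

Two things worth keeping in mind when copying this pattern. First, access-class filters on source address only, and once vrf-also is set the same ACL governs sessions arriving from any VRF interface, not just the management one, so the permit entries should be as tight as the addressing allows. Second, verify the result with "show access-lists 23" (the hit counters should increment for both in-band and VRF-sourced sessions) and "show users" to confirm the VRF-sourced session actually reached the vty.
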
Re: vty ACL weird behaviour with VRF (c7200 VXR)

DOH! Thanks Peter.

That's the one.
