cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1529
Views
0
Helpful
2
Replies

vty ACL weird behaviour with VRF (c7200 VXR)

Hi All,

Found a weird behaviour with a C7200 VXR with ACL on the vty access.

To explain the setup, one of the interfaces on the router is setup with a VRF for "out of band" management  (sorta-kinda, if you see what I mean).

The other interfaces are all forwarding/routing interfaces.

If I do NOT apply an ACL to the vty lines, telnet/ssh access is possible both inband and via the management vrf with no problem.

If I apply the ACL to the vty lines, then ONLY inband access is possible.  Trying to access via the management VRF gives "connection refused".

Debugging the ACL itself, the ACL is indeed ACCEPTING the connection on the management VRF, so looks like there's something weird going on here...

Jun 25 07:46:01.535: %SEC-6-IPACCESSLOGS: list 23 permitted 10.10.1.33 2 packets

Ideas ?

Leland

1 Accepted Solution

Accepted Solutions

Peter Paluch
Cisco Employee
Cisco Employee

Hi Leland,

Have you used the vrf-also keyword in the access-class command? It should look like:

line vty 0 15

  access-class 23 in vrf-also

Quoting from http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#wp4197423098

If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

Best regards,

Peter

View solution in original post

2 Replies 2

Peter Paluch
Cisco Employee
Cisco Employee

Hi Leland,

Have you used the vrf-also keyword in the access-class command? It should look like:

line vty 0 15

  access-class 23 in vrf-also

Quoting from http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#wp4197423098

If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

Best regards,

Peter

DOH!   thanks Peter

That's the one.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco