06-25-2013 01:32 AM - edited 03-07-2019 02:03 PM
Hi All,
Found a weird behaviour with a C7200 VXR with ACL on the vty access.
To explain the setup, one of the interfaces on the router is set up with a VRF for "out of band" management (sorta-kinda, if you see what I mean).
The other interfaces are all forwarding/routing interfaces.
If I do NOT apply an ACL to the vty lines, telnet/ssh access is possible both inband and via the management vrf with no problem.
If I apply the ACL to the vty lines, then ONLY inband access is possible. Trying to access via the management VRF gives "connection refused".
Debugging the ACL itself, the ACL is indeed ACCEPTING the connection on the management VRF, so looks like there's something weird going on here...
Jun 25 07:46:01.535: %SEC-6-IPACCESSLOGS: list 23 permitted 10.10.1.33 2 packets
Ideas?
Leland
06-25-2013 02:16 AM
Hi Leland,
Have you used the vrf-also keyword in the access-class command? It should look like:
line vty 0 15
access-class 23 in vrf-also
Quoting from http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#wp4197423098
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.
Best regards,
Peter
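A fuller configuration in the shape Peter describes, added here as an illustration and not taken from the thread or from Cisco documentation. The VRF name (MGMT), the interface, the management subnet and the ACL contents are assumptions; the thread only shows ACL 23 and the vty lines. It uses the classic `ip vrf` / `ip vrf forwarding` syntax that the 7200 accepts; newer images also take `vrf definition` / `vrf forwarding`.

```cisco
! Management VRF carrying the out-of-band interface
! (VRF name, interface and addresses are assumed for this example)
ip vrf MGMT
 rd 65000:1
!
interface GigabitEthernet0/3
 description Out-of-band management
 ip vrf forwarding MGMT
 ip address 10.10.1.1 255.255.255.0
!
! ACL 23: only the management subnet may open vty sessions. The 'log' keyword
! is what produces the %SEC-6-IPACCESSLOGS lines quoted in the question, so a
! logged permit that still ends in "connection refused" points at the vty
! configuration rather than at the ACL.
access-list 23 permit 10.10.1.0 0.0.0.255 log
access-list 23 deny   any log
!
line vty 0 15
 ! access-class 23 in             <- without vrf-also, sessions arriving on a
 !                                   VRF interface are refused even when the
 !                                   ACL permits them
 access-class 23 in vrf-also
 ! Added hardening, not part of the thread: accept SSH only on the vty lines
 transport input ssh
```

To confirm which form is active, `show running-config | section line vty` should show `access-class 23 in vrf-also`; if `vrf-also` is missing, every session sourced from the MGMT interface will be refused regardless of what ACL 23 says.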
06-25-2013 02:18 AM
DOH! Thanks Peter.
That's the one.