IOS-XE 16.8.x line vty 'vrfname'

johnlloyd_13
Level 9

hi,

I noticed the 'vrfname' option under line vty. I checked, and it was recently introduced in IOS-XE 16.8.x.

I usually use 'vrf-also' for our MGMT VRF and haven't seen anyone use 'vrfname' that much per my Google search.

My question is, what's the difference between 'vrf-also' and 'vrfname'? Is 'vrfname' more secure?

What are some use case examples for 'vrfname'?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-16-11/bba-xe-16-11-book/bba-xe-16-8-book_chapter_0100101.pdf

(config)#line vty 0 4
(config-line)#access-class acl_VTY_ACL in ?
  vrf-also  Same access list is applied for all VRFs
  vrfname   Access list is applied for given VRFs
  <cr>      <cr>


Seb Rupik
VIP Alumni

Hi there,

The decision to allow all VRFs access to the VTYs or limit it to just one depends on your topology and security posture. Certainly vrf-also is convenient, but if you are operating a multi-tenant environment then it would make sense to limit access to the management plane to just one VRF, i.e., the L3 domain which contains your management VLAN.

cheers,

Seb.

balaji.bandi
Hall of Fame

Do not want to re-invent the wheel:

Good explanation here:

https://community.cisco.com/t5/switching/vty-access-class-vrf-also-question/td-p/2528048

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

johnlloyd_13
Level 9

Hi Balaji,

I'm aware of 'vrf-also' and use it in our environment. My question is regarding 'vrfname': whether it has the same purpose, and what's the main difference between the two.

I don't see it commonly used since it's relatively new.

I have the opposite experience and always use 'vrfname Mgmt-vrf', as switches are connected via the out-of-band gi0/0 switchport.

vrfname is useful as it allows you to explicitly list the VRFs you want to have access instead of opening the flood gates and using vrf-also. As you alluded to in your first post, this should be considered more secure.

cheers,

Seb.

Adding to @Seb Rupik's comment...

  vrf-also  Same access list is applied for all VRFs
  vrfname   Access list is applied for given VRFs

Commands are self-explanatory. If you have more VRFs, vrf-also works; if you are looking for granular access for 1 VRF, vrfname should do the job.

Make sense?

BB


Hi Balaji,

Is using 'vrf-also' tied to the default 'Mgmt-intf' VRF, which is applied to the dedicated OOB management port?

Yes, the mgmt VRF should technically cover it. (If that is the only VRF available in your network, I prefer to go with vrfname.)

vrfname   Access list is applied for given VRF

BB
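The two forms discussed in this thread, written out side by side as an added configuration example (it is not from the thread or from Cisco's documentation). The ACL name acl_VTY_ACL and the VRF name Mgmt-vrf are the ones the thread uses; the permitted 10.10.0.0/16 subnet is a constructed value. The thread only shows the parser help text, so the exact argument form after vrfname should be checked against the command reference for your release.

```ios
! Added example, not from the thread. acl_VTY_ACL and Mgmt-vrf are the names
! used in the thread; 10.10.0.0/16 is a constructed management subnet.
ip access-list standard acl_VTY_ACL
 permit 10.10.0.0 0.0.255.255
 deny   any log
!
! Option A (the thread's "vrf-also"): the same ACL is enforced for VTY
! sessions arriving through any VRF, in addition to the global table.
line vty 0 4
 access-class acl_VTY_ACL in vrf-also
!
! Option B (the thread's "vrfname"): the ACL is enforced only for sessions
! arriving through Mgmt-vrf, i.e. the out-of-band gi0/0 management port.
! Configure one of the two forms on a line, not both.
line vty 0 4
 access-class acl_VTY_ACL in vrfname Mgmt-vrf
```

After applying either form, `show running-config | section line vty` confirms which one is in place, and `show ip access-lists acl_VTY_ACL` shows the match counters, so a test connection from a permitted host and one from a denied host should move the permit and deny counters respectively. Option B is the one Seb's reply calls more secure: the management plane is reachable only from the VRF that actually carries management traffic, rather than from every VRF that happens to have a route to the device.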
