[c-nsp] Catalyst 4507R and VRF-Lite

David Prall dcp at dcptech.com
Tue Feb 6 10:55:24 EST 2007


You don't have any logs from access-list 10. What is happening there? What
version of code are you running on the 4507R? 12.2(31)SGA is the latest.
None of them list VTY configuration.

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Francisco Rivas
> Sent: Tuesday, February 06, 2007 9:29 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Catalyst 4507R and VRF-Lite
>
> Thanks for the answer, but it didn't solve the problem :(
> I've configured an access-list like this:
>
> access-list 10 permit any log
> access-list 10 remark ACL_VTY
>
> and then, on the VTY, I have
>
> !
> line con 0
>  password 7 xxxxxx
>  login
>  stopbits 1
> line vty 0 4
>  access-class 10 in vrf-also
>  exec-timeout 5 0
>  password 7 xxxxxx
>  login
> line vty 5 15
>  access-class 10 in vrf-also
>  exec-timeout 5 0
>  password 7 xxxxxx
>  login
> !
> !
>
> On the logs, I have:
>
> 3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37677) -> 0.0.0.0(23), 1 packet
> 3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet
>
> This is on the host that I'm using to make the telnet connection to the
> catalyst:
> [root at gateway frivas]# telnet 192.168.10.1
> Trying 192.168.10.1...
> telnet: connect to address 192.168.10.1: Connection timed out
> telnet: Unable to connect to remote host: Connection timed out
>
> Again, if I disable the VRF on the interface, I can telnet
> into the catalyst without any problems.
> Anyone got a hint about this?
>
>
> regards,
>
> Francisco Rivas C.
>
>
>
> David Prall wrote:
> > On the vty you need to put an access-class and use vrf-also.
> >
> >
> > http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> >> Francisco Rivas
> >> Sent: Monday, February 05, 2007 4:20 PM
> >> To: cisco-nsp at puck.nether.net
> >> Subject: [c-nsp] Catalyst 4507R and VRF-Lite
> >>
> >> Hi all,
> >>
> >> I have a Cisco 4507R that's being used to connect three
> >> trunks from different providers. I need to pass some vlans
> >> from one provider to another, but these vlans need to be
> >> renumbered. So I'm using VRFs to add interfaces from each
> >> provider to one VRF per circuit, routing among them, and
> >> that's OK. But I noticed one problem: if I try to get a
> >> telnet connection to any IP address of the 4507R inside of a
> >> VRF, from the CP point (from the customer's PE for example,
> >> to the router), the Catalyst doesn't answer the request and it
> >> gives me this output on the log:
> >>
> >> TCP0: bad seg from 192.168.10.2 -- IDB not up: port 23 seq
> >> 2757041294 ack 0 rcvnxt 0 rcvwnd 4128 len 0
> >>
> >> the config of the VRF is like this:
> >>
> >> ip vrf Test
> >>  rd 1:1
> >>  route-target export 1:1
> >>  route-target import 1:1
> >>
> >> !
> >> interface GigabitEthernet3/5
> >>  switchport access vlan 201
> >>  switchport mode access
> >> !
> >> interface Vlan201
> >>  ip vrf forwarding Test
> >>  ip address 192.168.10.1 255.255.255.252
> >>  no ip redirects
> >> !
> >> line vty 0 4
> >>  exec-timeout 5 0
> >>  password 7 xxxxxxxxxxxxxxxxxxxxx
> >>  login
> >> line vty 5 15
> >>  exec-timeout 5 0
> >>  password 7 xxxxxxxxxxxxxxxxxxxxx
> >>  login
> >> !
> >>
> >>
> >>
> >> So I have plugged a PC on the port 3/5 of the switch, and I
> >> give it the IP 192.168.10.2. I can ping the catalyst
> >> interface from the PC (192.168.10.1), but I can't telnet to it.
> >> What can I be missing here? I can telnet to the catalyst
> >> using the mgmt interface, but not using the IP of the VRF
> >> interface. Besides this, if I remove the "ip vrf forwarding
> >> Test" from the interface, and put the IP address again, I can
> >> telnet them without any problems....
> >> The IOS version running on the Catalyst is 12.2(25)EWA8
> >>
> >> regards,
> >>
> >> Francisco Rivas C.
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>

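An added example, not part of the thread or any poster's code: a small Python check for the two points raised above, whether each VTY's `access-class` carries `vrf-also`, and whether the logged telnet hits are on the ACL the VTY actually uses (the quoted log shows list 100, the VTY uses list 10). The sample config and log are constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, assembled from the config and log lines quoted in the thread.
CONFIG = """\
access-list 10 permit any log
line vty 0 4
 access-class 10 in vrf-also
 login
line vty 5 15
 access-class 10 in vrf-also
 login
"""
LOG = """\
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
192.168.10.2(37677)
-> 0.0.0.0(23), 1 packet
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet
"""

def vty_access_classes(config):
    """Map each 'line vty' range to (inbound ACL or None, vrf-also present)."""
    result = {}
    # A VTY block is the 'line vty' header plus the indented lines that follow it.
    for m in re.finditer(r"^line vty (\d+(?: \d+)?)\n((?: .*\n?)*)", config, re.M):
        ac = re.search(r"^\s+access-class (\S+) in( vrf-also)?\s*$", m.group(2), re.M)
        result[m.group(1)] = (ac.group(1), bool(ac.group(2))) if ac else (None, False)
    return result

def logged_acls(log, port=23):
    """Count IPACCESSLOGP hits per ACL for one destination port; tolerates mail-wrapped lines."""
    flat = re.sub(r"\s+", " ", log)
    hits = re.findall(
        r"%SEC-6-IPACCESSLOGP: list (\S+) \w+ \w+ \S+\(\d+\) -> \S+\((\d+)\)", flat)
    return Counter(acl for acl, dport in hits if int(dport) == port)

def audit(config, log):
    """Report VTY ranges missing access-class or vrf-also, or whose ACL never logged a hit."""
    findings, hits = [], logged_acls(log)
    for vty, (acl, vrf_also) in vty_access_classes(config).items():
        if acl is None:
            findings.append(f"vty {vty}: no inbound access-class")
        elif not vrf_also:
            # vrf-also is the keyword that accepts connections arriving on VRF interfaces
            findings.append(f"vty {vty}: access-class {acl} lacks vrf-also")
        elif hits and acl not in hits:
            findings.append(f"vty {vty}: no log hits for ACL {acl}; "
                            f"port 23 hits are on {sorted(hits)}")
    return findings
```

Calling `audit(CONFIG, LOG)` on the sample reports both VTY ranges, because every logged telnet hit is on list 100 rather than on list 10.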


