[c-nsp] 4948 management port VS vty access-group

Saxon Jones saxon.jones at gmail.com
Thu May 20 10:36:49 EDT 2010


Have you tried adding the vrf-also switch to your access-class
statement? Something like:

line vty 0 4
 access-class 10 in vrf-also

I'm not sure if this is available on the 4500, but it works on all the
gear I have.

-saxon

On 20 May 2010 07:51, Nemeth Laszlo <csirek at cooler.hu> wrote:
> Hi All,
>
> I use a C4948 switch with cat4500-entservicesk9-mz.122-53.SG1 IOS.
>
> I try to use the MGMT ethernet port. The config is:
>
>  interface FastEthernet1
>  ip vrf forwarding mgmtVrf
>  ip address 192.168.2.10 255.255.255.0
>  speed auto
>  duplex auto
>
> If I telnet to the switch from 192.168.2.1 via the MGMT port without an
> access-group filter on the VTY, the telnet is working.
>
>  # telnet 192.168.2.10
>  Trying 192.168.2.10...
>  Connected to 192.168.2.10.
>  Escape character is '^]'.
>
>  User Access Verification
>
>  Username:
>
>
> But if I put a filter on the VTY (now I try a simple "access-list 10 permit
> any"), the telnet doesn't work through the MGMT port.
>
> VTY config:
>
>  line vty 0 4
>  access-class 10 in
>  exec-timeout 0 0
>  login local
>
> Telnet output:
>
>  # telnet 192.168.2.10
>  Trying 192.168.2.10...
>  telnet: Unable to connect to remote host: Connection refused
>
> I tried standard and extended ACL too.
> If I log with an extended ACL (permit ip any any log), I see this output:
>
>  *May 20 08:08:15 MET-DST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
> 192.168.2.1(47611) -> 0.0.0.0(23), 1 packet
>
> But the connection is refused.
>
> Does anybody have any idea why the telnet doesn't work through the MGMT port if I use
> an ACL on the VTY lines? Maybe a SW bug?
>
> Thanks!
>
> Laszlo
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
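As an added illustration (not part of the thread, and not Cisco code), the behaviour Saxon describes can be turned into a config audit: flag any "line vty" block whose inbound access-class lacks "vrf-also" while some interface sits in a VRF, since such sessions (here, via the mgmtVrf port) get refused. The sample config below is constructed from the thread; the parsing assumes standard single-space IOS indentation.

```python
import re

# Constructed sample modelled on Laszlo's config (not a real device dump).
SAMPLE_CONFIG = """\
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 192.168.2.10 255.255.255.0
!
access-list 10 permit any
!
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 login local
"""


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) by single-space indent."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_vty_access_class(config):
    """Return (vty header, ACL name, VRF interfaces) for each inbound
    access-class that lacks 'vrf-also' while a VRF interface exists."""
    blocks = parse_blocks(config)
    vrf_ifaces = [hdr.split(None, 1)[1] for hdr, kids in blocks
                  if hdr.startswith("interface ")
                  and any(k.startswith("ip vrf forwarding ") for k in kids)]
    findings = []
    for hdr, kids in blocks:
        if not hdr.startswith("line vty"):
            continue
        for kid in kids:
            m = re.match(r"access-class (\S+) in\b(.*)", kid)
            if m and vrf_ifaces and "vrf-also" not in m.group(2):
                findings.append((hdr, m.group(1), vrf_ifaces))
    return findings


if __name__ == "__main__":
    for hdr, acl, ifaces in audit_vty_access_class(SAMPLE_CONFIG):
        print(f"{hdr}: 'access-class {acl} in' lacks vrf-also; "
              f"sessions via {', '.join(ifaces)} will be refused")
```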
