[c-nsp] 4948 management port VS vty access-group

Nemeth Laszlo csirek at cooler.hu
Thu May 20 10:57:19 EDT 2010


Hi All!

Thanks for the info, vrf-also works fine!!

Best regards,
Laszlo

On 2010-05-20 16:36, Saxon Jones wrote:
> Have you tried adding the vrf-also switch to your access-class
> statement? Something like:
>
> line vty 0 4
>   access-class 10 in vrf-also
>
> I'm not sure if this is available on the 4500, but it works on all the
> gear I have.
>
> -saxon
>
> On 20 May 2010 07:51, Nemeth Laszlo<csirek at cooler.hu>  wrote:
>> Hi All,
>>
>> I use a C4948 switch with cat4500-entservicesk9-mz.122-53.SG1 IOS.
>>
>> I am trying to use the MGMT Ethernet port. The config is:
>>
>>   interface FastEthernet1
>>   ip vrf forwarding mgmtVrf
>>   ip address 192.168.2.10 255.255.255.0
>>   speed auto
>>   duplex auto
>>
>> If I telnet to the switch from 192.168.2.1 via the MGMT port without an
>> access-group filter on the VTY, telnet works.
>>
>>   # telnet 192.168.2.10
>>   Trying 192.168.2.10...
>>   Connected to 192.168.2.10.
>>   Escape character is '^]'.
>>
>>   User Access Verification
>>
>>   Username:
>>
>>
>> But if I put a filter on the VTY (for now I am trying a simple "access-list 10
>> permit any"), telnet doesn't work through the MGMT port.
>>
>> VTY config:
>>
>>   line vty 0 4
>>   access-class 10 in
>>   exec-timeout 0 0
>>   login local
>>
>> Telnet output:
>>
>>   # telnet 192.168.2.10
>>   Trying 192.168.2.10...
>>   telnet: Unable to connect to remote host: Connection refused
>>
>> I tried standard and extended ACL too.
>> If I log an extended ACL (permit ip any any log), I see this output:
>>
>>   *May 20 08:08:15 MET-DST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.2.1(47611) ->  0.0.0.0(23), 1 packet
>>
>> But the connection is refused.
>>
>> Does anybody have any idea why telnet doesn't work through the MGMT port if I
>> use an ACL on the VTY lines? Maybe a SW bug?
>>
>> Thanks!
>>
>> Laszlo
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
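
A config check for the condition this thread resolves, added here as an example and not code from either poster: it flags VTY ranges whose inbound access-class lacks vrf-also while an interface is bound to a VRF. The sample config is constructed from the snippets quoted above; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the config quoted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 192.168.2.10 255.255.255.0
!
line vty 0 4
 access-class 10 in
 login local
line vty 5 15
 access-class 10 in vrf-also
 login local
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level command."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks

def audit_vty_vrf(config):
    """Return (findings, vrf_ifs); a finding is (vty range, ACL) without vrf-also."""
    blocks = parse_blocks(config)
    vrf_ifs = {}
    for head, subs in blocks:
        if head.startswith("interface "):
            for s in subs:
                m = re.match(r"(?:ip )?vrf forwarding (\S+)", s)
                if m:
                    vrf_ifs[head.split(None, 1)[1]] = m.group(1)
    findings = []
    for head, subs in blocks:
        # Only relevant when some interface actually sits in a VRF.
        if vrf_ifs and head.startswith("line vty"):
            for s in subs:
                m = re.match(r"access-class (\S+) in\b(.*)", s)
                if m and "vrf-also" not in m.group(2).split():
                    findings.append((head, m.group(1)))
    return findings, vrf_ifs

if __name__ == "__main__":
    print(audit_vty_vrf(SAMPLE_CONFIG))
```
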
