[nsp] access-class XX in vrf-also

Dennis Peng dpeng at cisco.com
Tue Jan 27 14:02:43 EST 2004


p.gaspar at mobilkom.at [p.gaspar at mobilkom.at] wrote:
> Hello,
> 
> has anyone of you guys seen documentation for the following command in vty
> configuration?

It doesn't appear to be documented. I've opened up a bug to get this addressed.

> access-class 99 in vrf-also
> 
> The behavior of it is somehow strange.
> 1. if no access class is configured on vty, all connections (also from all
> VRFs) are allowed
> 2. if "access-class 99 in" is configured, _ALL_ telnet attempts
> _coming_from_VRF_ interfaces are blocked, even if the ip address of the
> telnetting host is permitted in access-list. The telnet requests coming from
> non-VRF interfaces are processed according to the access-list configured
> 3. if "access-class 99 in vrf-also" is configured, telnet requests from VRF
> interfaces are processed according to access-list as well as the non-VRF
> requests.
> 
> The question is: Do we understand the behavior of this command
> right?

Yes, everything you observed above is by design. I've modified the
release-note for CSCdw22290 to include some basic documentation for
the knob. Here is the gist:

The "vrf-also" option allows incoming telnet connections (assuming the
access-list check passes) from interfaces which are part of a VRF. By
default, incoming telnet connections from interfaces that are part of
a VRF are rejected.

> Is there a way how to configure separate access-class for each VRF?

Not currently. There is a feature request for this functionality. If
you are interested, open up a case and have it attached to
CSCds14042. Or if you have an SE or sales manager, hit them up for the
request.

Dennis

> 
> thanks
> Peter
>  
> Mag. Peter Gaspar
> Mobile Core Networks
> 
> mobilkom austria AG & Co KG
> Obere Donaustraße 29; A-1020 Wien
> 
> Tel.:	+43 - (0)1 - 331 61 6255
> Mobil:	+43 - (0)664 - 331 6255
> Fax:	+43 - (0)1 - 331 97911 6255
> e-mail:	p.gaspar at mobilkom.at
> 
> http://www.mobilkom.at/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
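
Added example, not part of the original thread or Cisco's own code: a small audit that classifies each "line vty" block of a saved running-config into the three behaviours confirmed above. The sample config, the function name audit_vty and the labels are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
access-list 99 permit 192.0.2.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 99 in vrf-also
 transport input telnet
line vty 5 15
 access-class 99 in
line vty 16 20
 transport input telnet
!
end
"""

# Behaviour per the thread: what each configuration means for inbound sessions.
MEANING = {
    "no-acl": "all connections allowed, including from all VRFs",
    "acl-global-only": "VRF-sourced connections rejected; non-VRF checked against ACL",
    "acl-vrf-also": "VRF and non-VRF connections both checked against ACL",
}

ACCESS_CLASS_IN = re.compile(r"\s+access-class\s+(\S+)\s+in(\s+vrf-also)?\s*$")

def audit_vty(config):
    """Return {vty block header: behaviour label} for every 'line vty' block."""
    results, current = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # An unindented line starts a new top-level stanza.
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                results[current] = "no-acl"  # until an inbound access-class is seen
            continue
        m = ACCESS_CLASS_IN.match(raw)
        if current and m:
            results[current] = "acl-vrf-also" if m.group(2) else "acl-global-only"
    return results

if __name__ == "__main__":
    for block, label in audit_vty(SAMPLE_CONFIG).items():
        print(f"{block}: {label} ({MEANING[label]})")
```

Blocks reported as no-acl are the ones to review first, since per the thread they accept connections from every VRF with no filtering.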

