[c-nsp] Catalyst 4507R and VRF-Lite

Francisco Rivas frivas at lanparty.cl
Tue Feb 6 09:28:40 EST 2007


Thanks for the answer, but it didn't solve the problem :(
I've configured an access-list like this:

access-list 10 permit any log
access-list 10 remark ACL_VTY

and then, on the VTY, I have

!
line con 0
 password 7 xxxxxx
 login
 stopbits 1
line vty 0 4
 access-class 10 in vrf-also
 exec-timeout 5 0
 password 7 xxxxxx
 login
line vty 5 15
 access-class 10 in vrf-also
 exec-timeout 5 0
 password 7 xxxxxx
 login
!
!

On the logs, I have:

3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37677) -> 0.0.0.0(23), 1 packet
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet

This is on the host that I'm using to make the telnet connection to the 
catalyst:
[root@gateway frivas]# telnet 192.168.10.1
Trying 192.168.10.1...
telnet: connect to address 192.168.10.1: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

Again, if I disable the VRF on the interface, I can telnet into the 
catalyst without any problems.
Anyone got a hint about this?


regards,

Francisco Rivas C.



David Prall wrote:
> On the vty you need to put an access-class and use vrf-also.
>
> http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html
>
> David
>
> --
> http://dcp.dcptech.com
>
>
>   
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Francisco Rivas
>> Sent: Monday, February 05, 2007 4:20 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Catalyst 4507R and VRF-Lite
>>
>> Hi all,
>>
>> I have a Cisco 4507R that's being used to connect three
>> trunks from different providers. I need to pass some vlans
>> from one provider to another, but these vlans need to be
>> renumbered. So I'm using VRFs to add interfaces from each
>> provider to one VRF per circuit, routing among them, and
>> that's OK. But I noticed one problem: if I try to get a
>> telnet connection to any IP address of the 4507R inside of a
>> VRF, from the CP point (from the customer's PE for example,
>> to the router), the Catalyst doesn't answer the request and it
>> gives me this output on the log:
>>
>> TCP0: bad seg from 192.168.10.2 -- IDB not up: port 23 seq
>> 2757041294 ack 0 rcvnxt 0 rcvwnd 4128 len 0
>>
>> the config of the VRF is like this:
>>
>> ip vrf Test
>>  rd 1:1
>>  route-target export 1:1
>>  route-target import 1:1
>>
>> !
>> interface GigabitEthernet3/5
>>  switchport access vlan 201
>>  switchport mode access
>> !
>> interface Vlan201
>>  ip vrf forwarding Test
>>  ip address 192.168.10.1 255.255.255.252
>>  no ip redirects
>> !
>> line vty 0 4
>>  exec-timeout 5 0
>>  password 7 xxxxxxxxxxxxxxxxxxxxx
>>  login
>> line vty 5 15
>>  exec-timeout 5 0
>>  password 7 xxxxxxxxxxxxxxxxxxxxx
>>  login
>> !
>>
>>
>>
>> So I have plugged a PC on the port 3/5 of the switch, and I
>> give it the IP 192.168.10.2. I can ping the catalyst
>> interface from the PC (192.168.10.1), but I can't telnet to it.
>> What can I be missing here? I can telnet to the catalyst
>> using the mgmt interface, but not using the IP of the VRF
>> interface. Besides this, if I remove the "ip vrf forwarding
>> Test" from the interface, and put the IP address again, I can
>> telnet them without any problems....
>> The IOS version running on the Catalyst is 12.2(25)EWA8
>>
>> regards,
>>
>> Francisco Rivas C.
>>
>   
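
Added example, not part of the original thread: a small Python audit of the configuration and log excerpt quoted above. It reports, for each VTY range, the access-class ACL, whether `vrf-also` is set and whether that ACL is an unrestricted `permit any`, then counts `%SEC-6-IPACCESSLOGP` entries per ACL to show which list produced the logged hits. The function names and the abridged sample strings are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: abridged VTY/ACL config and log lines from the thread.
CONFIG = """\
access-list 10 permit any log
line con 0
 login
line vty 0 4
 access-class 10 in vrf-also
line vty 5 15
 access-class 10 in vrf-also
"""
LOGS = """\
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37677) -> 0.0.0.0(23), 1 packet
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet
"""

def audit_vty(config):
    """Return one finding dict per 'line vty' block in an IOS config."""
    open_acls = set(re.findall(r"^access-list (\S+) permit any\b", config, re.M))
    findings, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level command ends the block
            current = None
            m = re.match(r"line vty (\d+) (\d+)", line)
            if m:
                current = {"vty": (int(m[1]), int(m[2])), "acl": None,
                           "vrf_also": False, "permit_any": False}
                findings.append(current)
        elif current is not None:
            m = re.match(r"\s+access-class (\S+) in( vrf-also)?\s*$", line)
            if m:
                current.update(acl=m[1], vrf_also=bool(m[2]),
                               permit_any=m[1] in open_acls)
    return findings

def acl_hits(logs):
    """Count %SEC-6-IPACCESSLOGP entries per ACL name or number."""
    return dict(Counter(re.findall(r"%SEC-6-IPACCESSLOGP: list (\S+) ", logs)))

def unlogged_vty_acls(config, logs):
    """ACLs applied to VTY lines that never appear in the log sample."""
    vty_acls = {f["acl"] for f in audit_vty(config) if f["acl"]}
    return sorted(vty_acls - set(acl_hits(logs)))

if __name__ == "__main__":
    for finding in audit_vty(CONFIG):
        print(finding)
    print("log hits per ACL:", acl_hits(LOGS))
    print("VTY ACLs with no log hits:", unlogged_vty_acls(CONFIG, LOGS))
```

On this sample every logged hit belongs to list 100, so none of them came from ACL 10, the list applied to the VTY lines.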


