[c-nsp] Catalyst 4507R and VRF-Lite

Francisco Rivas frivas at lanparty.cl
Tue Feb 6 13:55:15 EST 2007


Sorry, these logs are wrong. The ACL 100 was an extended ACL that I had 
tried before ACL 10 on the VTY. These are the logs for ACL 10:

3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 14 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 6 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 3 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 3 packets

The IOS version is 12.2(25)EWA8 (cat4000-i5k91s-mz.122-25.EWA8.bin). The 
config on the VTY is like this:

line vty 0 4
 access-class 10 in vrf-also
 exec-timeout 5 0
 password 7 xxxxx
 login


The output of show ver is this:

cat#sh version
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5K91S-M), 
Version 12.2(25)EWA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:06 by pwade
Image text-base: 0x10000000, data-base: 0x115FE81C

ROM: 12.2(31r)SGA
Pod Revision 14, Force Revision 34, Tie Revision 32

cat uptime is 3 days, 21 hours, 35 minutes
Uptime for this control processor is 3 days, 21 hours, 35 minutes
System returned to ROM by reload
System image file is "bootflash:cat4000-i5k91s-mz.122-25.EWA8.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be 
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

cisco WS-C4507R (MPC8540) processor (revision 11) with 524288K bytes of 
memory.
Processor board ID FOX103401CN
MPC8540 CPU at 800Mhz, Supervisor V-10GE
Last reset from Reload
7 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102


regards,

Francisco Rivas C.


David Prall wrote:
> You don't have any logs from access-list 10. What is happening there? What
> version of code are you running on the 4507R? 12.2(31)SGA is the latest.
> None of them list VTY configuration.
>
> --
> http://dcp.dcptech.com
>
>
>   
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Francisco Rivas
>> Sent: Tuesday, February 06, 2007 9:29 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Catalyst 4507R and VRF-Lite
>>
>> Thanks for the answer, but it didn't solve the problem :(
>> I've configured an access-list like this:
>>
>> access-list 10 permit any log
>> access-list 10 remark ACL_VTY
>>
>> and then, on the VTY, I have
>>
>> !
>> line con 0
>>  password 7 xxxxxx
>>  login
>>  stopbits 1
>> line vty 0 4
>>  access-class 10 in vrf-also
>>  exec-timeout 5 0
>>  password 7 xxxxxx
>>  login
>> line vty 5 15
>>  access-class 10 in vrf-also
>>  exec-timeout 5 0
>>  password 7 xxxxxx
>>  login
>> !
>> !
>>
>> On the logs, I have:
>>
>> 3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37677) -> 0.0.0.0(23), 1 packet
>> 3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet
>>
>> This is on the host that I'm using to make the telnet connection to the
>> catalyst:
>> [root at gateway frivas]# telnet 192.168.10.1
>> Trying 192.168.10.1...
>> telnet: connect to address 192.168.10.1: Connection timed out
>> telnet: Unable to connect to remote host: Connection timed out
>>
>> Again, if I disable the VRF on the interface, I can telnet
>> into the catalyst without any problems.
>> Anyone got a hint about this?
>>
>>
>> regards,
>>
>> Francisco Rivas C.
>>
>>
>>
>> David Prall wrote:
>>> On the vty you need to put an access-class and use vrf-also.
>>>
>>> http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html
>>>
>>> David
>>>
>>> --
>>> http://dcp.dcptech.com
>>>
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net
>>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>>>> Francisco Rivas
>>>> Sent: Monday, February 05, 2007 4:20 PM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: [c-nsp] Catalyst 4507R and VRF-Lite
>>>>
>>>> Hi all,
>>>>
>>>> I have a Cisco 4507R that's being used to connect three
>>>> trunks from different providers. I need to pass some vlans
>>>> from one provider to another, but these vlans need to be
>>>> renumbered. So I'm using VRFs to add interfaces from each
>>>> provider to one VRF per circuit, routing among them, and
>>>> that's OK. But I noticed one problem: if I try to get a
>>>> telnet connection to any IP address of the 4507R inside of a
>>>> VRF, from the CP point (from the customer's PE for example,
>>>> to the router), the Catalyst doesn't answer the request and
>>>> gives me this output in the log:
>>>>
>>>> TCP0: bad seg from 192.168.10.2 -- IDB not up: port 23 seq
>>>> 2757041294 ack 0 rcvnxt 0 rcvwnd 4128 len 0
>>>>
>>>> the config of the VRF is like this:
>>>>
>>>> ip vrf Test
>>>>  rd 1:1
>>>>  route-target export 1:1
>>>>  route-target import 1:1
>>>>
>>>> !
>>>> interface GigabitEthernet3/5
>>>>  switchport access vlan 201
>>>>  switchport mode access
>>>> !
>>>> interface Vlan201
>>>>  ip vrf forwarding Test
>>>>  ip address 192.168.10.1 255.255.255.252
>>>>  no ip redirects
>>>> !
>>>> line vty 0 4
>>>>  exec-timeout 5 0
>>>>  password 7 xxxxxxxxxxxxxxxxxxxxx
>>>>  login
>>>> line vty 5 15
>>>>  exec-timeout 5 0
>>>>  password 7 xxxxxxxxxxxxxxxxxxxxx
>>>>  login
>>>> !
>>>>
>>>>
>>>>
>>>> So I have plugged a PC into port 3/5 of the switch and
>>>> given it the IP 192.168.10.2. I can ping the catalyst
>>>> interface from the PC (192.168.10.1), but I can't telnet to it.
>>>> What can I be missing here? I can telnet to the catalyst
>>>> using the mgmt interface, but not using the IP of the VRF
>>>> interface. Besides this, if I remove the "ip vrf forwarding
>>>> Test" from the interface and put the IP address back, I can
>>>> telnet to it without any problems....
>>>> The IOS version running on the Catalyst is 12.2(25)EWA8.
>>>>
>>>> regards,
>>>>
>>>> Francisco Rivas C.
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>         
>>>
>>>
>>>
>>>       
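An added example, not part of the thread and not Cisco's own code, that automates the two checks this thread turns on: whether every vty stanza carries an inbound access-class with `vrf-also` (the setting David points to, without which the class does not apply to sessions arriving through an interface in a VRF), and a per-ACL summary of %SEC-6-IPACCESSLOGS / %SEC-6-IPACCESSLOGP counters like the ones Francisco posted. The configuration and log samples are constructed from the thread; the second vty range is deliberately given an access-class without `vrf-also` so the linter has a finding to report. All function names are my own.

```python
"""Lint IOS vty stanzas for a VRF-aware access-class and summarize ACL log hits."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's vty configuration. The second
# vty range deliberately omits 'vrf-also' so check_vty_access() has a finding.
SAMPLE_CONFIG = """\
line con 0
 password 7 xxxxxx
 login
 stopbits 1
line vty 0 4
 access-class 10 in vrf-also
 exec-timeout 5 0
 password 7 xxxxxx
 login
line vty 5 15
 access-class 10 in
 exec-timeout 5 0
 password 7 xxxxxx
 login
"""

# Constructed sample log lines in the shape of the two message types from the thread.
SAMPLE_LOG = """\
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 14 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 6 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 3 packets
3d17h: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.10.2 3 packets
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37677) -> 0.0.0.0(23), 1 packet
3d17h: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.2(37678) -> 0.0.0.0(23), 1 packet
"""


def parse_line_stanzas(config):
    """Return {'vty 0 4': [sub-commands, ...], ...} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # a top-level command ends the stanza
    return stanzas


def check_vty_access(config):
    """Findings for vty stanzas with no inbound access-class, or with one
    that lacks 'vrf-also' and so is not applied to sessions arriving in a VRF."""
    findings = []
    for name, cmds in parse_line_stanzas(config).items():
        if not name.startswith("vty"):
            continue
        inbound = [c for c in cmds if re.match(r"access-class \S+ in\b", c)]
        if not inbound:
            findings.append(f"line {name}: no inbound access-class")
        elif not any(c.endswith(" vrf-also") for c in inbound):
            findings.append(f"line {name}: access-class lacks vrf-also")
    return findings


# Standard-ACL logging (IPACCESSLOGS) and extended TCP/UDP logging (IPACCESSLOGP).
LOGS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\S+) (?P<count>\d+) packets?")
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\S+)\((?P<sport>\d+)\) -> (?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_acl_log_line(line):
    """Parse one IPACCESSLOGS or IPACCESSLOGP message; None for unrelated lines."""
    m = LOGS_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(proto=None, dst=None, dport=None)  # standard ACLs log no ports
    else:
        m = LOGP_RE.search(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
    rec["count"] = int(rec["count"])
    return rec


def summarize_acl_log(text):
    """Total packets per (acl, action, src, dport) over all parsed lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_acl_log_line(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["src"], rec["dport"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for finding in check_vty_access(SAMPLE_CONFIG):
        print("finding:", finding)
    for key, packets in sorted(summarize_acl_log(SAMPLE_LOG).items(), key=str):
        print(key, packets)
```

The summary makes the point David raised visible at a glance: list 100 shows telnet (port 23) hits while list 10, the one actually bound to the vty, shows only bare counters, so the two sets of log lines cannot be compared directly. The parser covers only the two message layouts seen in the thread; other %SEC-6-IPACCESSLOG* variants need their own patterns.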