[c-nsp] VTY access through VRF interface

Jay Nakamura zeusdadog at gmail.com
Fri Oct 8 15:45:37 EDT 2010


Found out that this was because I didn't have the data license enabled
yet.  As soon as I enabled the data license (I did have to reboot.
Grumble...), it started working.


On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> I am trying to configure a router with a couple of VRFs and I need to be
> able to ssh/telnet to vty through a VRF interface.  I haven't had this
> problem with other routers prior to 15.0M.  Am I missing a command I
> don't know about to enable this?
>
> With 12.4x, I used "access-class .... vrf-also" and that seems to have
> done it.  The router I am working with is a 1941 with 15.0(1)M3.
> I don't have any firewall or anything else that could prevent logging
> in (that I can see).  I can log in through the interface on the global
> table; trying to get on the VRF interface gets me connection refused.
>
> Here is the redacted config
>
>
> version 15.0
> no ip source-route
> ip cef
> !
> !
> ip vrf Inside
>  rd 64512:3
>  import map VRFDefaultMap
>  route-target export 64512:3
>  route-target import 64512:2
> !
> ip vrf Outside
>  rd 64512:2
>  route-target export 64512:2
>  route-target import 64512:3
> !
> !
> !
> interface GigabitEthernet0/0
>  ip address x.x.x.1 255.255.255.248
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  !
> !
> interface GigabitEthernet0/1
>  ip vrf forwarding Inside
>  ip address 172.17.0.1 255.255.252.0
>  ip nat inside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  !
> interface Serial0/0/0
>  ip vrf forwarding Outside
>  ip address y.y.y.2 255.255.255.248
>  ip nat outside
>  ip virtual-reassembly
>  no clock rate 2000000
>  !
> !
> router bgp 64512
>  no synchronization
>  bgp log-neighbor-changes
>  no auto-summary
>  !
>  address-family ipv4 vrf Inside
>  no synchronization
>  redistribute connected
>  redistribute static
>  exit-address-family
>  !
>  address-family ipv4 vrf Outside
>  no synchronization
>  redistribute connected
>  redistribute static
>  default-information originate
>  exit-address-family
> !
> ip route 0.0.0.0 0.0.0.0 x.x.x.1
> ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
> !
> !
> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
> !
> route-map VRFDefaultMap permit 10
>  match ip address prefix-list DefaultOnly
> line vty 0 4
>  access-class MgmntACL in vrf-also
>  exec-timeout 120 0
>  privilege level 15
>  password 7 ****
>  login local
>  transport input telnet ssh
> line vty 5 15
>  access-class MgmntACL in vrf-also
>  exec-timeout 120 0
>  privilege level 15
>  password 7 ****
>  login local
>  transport input telnet ssh
>
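
An added example, not part of the original post and not Cisco tooling: a small Python check over a saved running-config that lists which interfaces sit in a VRF and flags vty ranges whose `access-class ... in` lacks `vrf-also` (the keyword the post relies on for logins arriving on VRF interfaces), plus ranges that still accept telnet. The sample config, addresses and function names are constructed for illustration; a config check like this cannot see the licensing cause reported in the follow-up.

```python
import re

# Constructed sample modelled on the config quoted above (addresses are
# documentation values). The second vty range omits vrf-also on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.248
interface GigabitEthernet0/1
 ip vrf forwarding Inside
 ip address 172.17.0.1 255.255.252.0
line vty 0 4
 access-class MgmntACL in vrf-also
 transport input telnet ssh
line vty 5 15
 access-class MgmntACL in
 transport input ssh
"""

def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level config stanza."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            if header:
                yield header, body
            header, body = line.strip(), []
        elif header:
            body.append(line.strip())
    if header:
        yield header, body

def audit_vty(config):
    """Return ({interface: vrf}, [(vty header, finding), ...])."""
    vrf_ifs, no_vrf_also, findings = {}, [], []
    for header, body in stanzas(config):
        is_vty = header.startswith("line vty")
        for cmd in body:
            vrf = re.match(r"(?:ip )?vrf forwarding (\S+)", cmd)
            acl = re.match(r"access-class (\S+) in(\s+vrf-also)?$", cmd)
            if header.startswith("interface ") and vrf:
                vrf_ifs[header.split(None, 1)[1]] = vrf.group(1)
            elif is_vty and acl and not acl.group(2):
                no_vrf_also.append((header, f"access-class {acl.group(1)} lacks vrf-also"))
            elif is_vty and re.match(r"transport input .*\btelnet\b", cmd):
                findings.append((header, "telnet (cleartext) allowed inbound"))
    # A missing vrf-also only matters when some interface sits in a VRF.
    return vrf_ifs, findings + (no_vrf_also if vrf_ifs else [])
```

Calling `audit_vty(SAMPLE_CONFIG)` returns the VRF interface map and the findings list; feed it the text of `show running-config` saved to a file to check a real device.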


