[c-nsp] VTY access through VRF interface
Jay Nakamura
zeusdadog at gmail.com
Mon Oct 11 22:31:08 EDT 2010
New discovery: no matter what, the router will not let me log in to the
IP on the serial interface if it's on a VRF. I can log in to an
Ethernet interface on the same VRF going through the serial interface.
This seems to be what was tripping me up.
Is this a bug? It sure feels like one.
On Fri, Oct 8, 2010 at 3:45 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> Found out that this was because I didn't have the data license enabled
> yet. As soon as I enabled the data license, (I did have to reboot.
> Grumble...) it started working.
>
>
> On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
>> I am trying to configure a router with a couple of VRFs and I need to be
>> able to ssh/telnet to vty through a VRF interface. I haven't had this
>> problem with other routers prior to 15.0M. Am I missing a command I
>> don't know about to enable this?
>>
>> With 12.4x, I used "access-class .... vrf-also" and that seems to have
>> done it. The router I am working with is a 1941 with 15.0(1)M3.
>> I don't have any firewall or anything else that could prevent logging
>> in (that I can see). I can log in through the interface on the global
>> table; trying to get on the VRF interface gets me connection refused.
>>
>> Here is the redacted config
>>
>>
>> version 15.0
>> no ip source-route
>> ip cef
>> !
>> !
>> ip vrf Inside
>> rd 64512:3
>> import map VRFDefaultMap
>> route-target export 64512:3
>> route-target import 64512:2
>> !
>> ip vrf Outside
>> rd 64512:2
>> route-target export 64512:2
>> route-target import 64512:3
>> !
>> !
>> !
>> interface GigabitEthernet0/0
>> ip address x.x.x.1 255.255.255.248
>> ip nat outside
>> ip virtual-reassembly
>> duplex auto
>> speed auto
>> !
>> !
>> interface GigabitEthernet0/1
>> ip vrf forwarding Inside
>> ip address 172.17.0.1 255.255.252.0
>> ip nat inside
>> ip virtual-reassembly
>> duplex auto
>> speed auto
>> !
>> interface Serial0/0/0
>> ip vrf forwarding Outside
>> ip address y.y.y.2 255.255.255.248
>> ip nat outside
>> ip virtual-reassembly
>> no clock rate 2000000
>> !
>> !
>> router bgp 64512
>> no synchronization
>> bgp log-neighbor-changes
>> no auto-summary
>> !
>> address-family ipv4 vrf Inside
>> no synchronization
>> redistribute connected
>> redistribute static
>> exit-address-family
>> !
>> address-family ipv4 vrf Outside
>> no synchronization
>> redistribute connected
>> redistribute static
>> default-information originate
>> exit-address-family
>> !
>> ip route 0.0.0.0 0.0.0.0 x.x.x.1
>> ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
>> !
>> !
>> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
>> !
>> route-map VRFDefaultMap permit 10
>> match ip address prefix-list DefaultOnly
>> line vty 0 4
>> access-class MgmntACL in vrf-also
>> exec-timeout 120 0
>> privilege level 15
>> password 7 ****
>> login local
>> transport input telnet ssh
>> line vty 5 15
>> access-class MgmntACL in vrf-also
>> exec-timeout 120 0
>> privilege level 15
>> password 7 ****
>> login local
>> transport input telnet ssh
>>
>
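
Added example, not part of the original thread: a Python audit of the `line vty` stanzas in a config shaped like the one quoted above. It reports which interfaces sit in a VRF and whether each vty range's `access-class` carries `vrf-also`, along with the telnet and privilege-15 settings. The sample config is constructed and `audit_vty` is a hypothetical helper name.

```python
import re

# Constructed sample: modelled on the interface and vty stanzas quoted above,
# with a second vty range lacking vrf-also added for contrast.
SAMPLE = """\
interface Serial0/0/0
 ip vrf forwarding Outside
!
line vty 0 4
 access-class MgmntACL in vrf-also
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class MgmntACL in
 transport input ssh
"""

def audit_vty(config):
    """Return (VRF-bound interfaces, findings per 'line vty' range)."""
    vrf_ifaces, lines_cfg, section = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.match(r"(interface|line vty)\s+(.+)", line)
        if head:
            section = head.groups()
            if section[0] == "line vty":
                lines_cfg[section[1]] = []
        elif line == "!" or section is None:
            section = None
        elif section[0] == "interface":
            vrf = re.match(r"ip vrf forwarding (\S+)", line)
            if vrf:
                vrf_ifaces[section[1]] = vrf.group(1)
        else:
            lines_cfg[section[1]].append(line)
    findings = {}
    for rng, cmds in lines_cfg.items():
        acl = [c for c in cmds if re.match(r"access-class \S+ in\b", c)]
        notes = []
        if not acl:
            notes.append("no inbound access-class")
        # Cisco documents that without vrf-also, sessions from VRF interfaces are rejected.
        elif vrf_ifaces and not any(c.endswith("vrf-also") for c in acl):
            notes.append("access-class lacks vrf-also; VRF-side sessions are rejected")
        if any(re.match(r"transport input .*\b(telnet|all)\b", c) for c in cmds):
            notes.append("telnet accepted (cleartext)")
        if "privilege level 15" in cmds:
            notes.append("sessions start at privilege 15")
        findings[rng] = notes
    return vrf_ifaces, findings
```

The parser strips leading whitespace, so it also accepts a config pasted without indentation, as in the quoted message.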