[c-nsp] VTY access through VRF interface

Jay Nakamura zeusdadog at gmail.com
Mon Oct 11 22:31:08 EDT 2010


New discovery: no matter what, the router will not let me log in to the
IP on the serial interface if it's on a VRF.  I can log in to an
Ethernet interface on the same VRF going through the serial interface.
This seems to be what was tripping me up.

Is this a bug?  It sure feels like one.

On Fri, Oct 8, 2010 at 3:45 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> Found out that this was because I didn't have the data license enabled
> yet.  As soon as I enabled the data license (I did have to reboot.
> Grumble...), it started working.
>
>
> On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
>> I am trying to configure a router with a couple of VRFs and I need to be
>> able to ssh/telnet to vty through a VRF interface.  I haven't had this
>> problem with other routers prior to 15.0M.  Am I missing a command I
>> don't know about to enable this?
>>
>> With 12.4x, I used "access-class .... vrf-also" and that seems to have
>> done it.  The router I am working with is a 1941 with 15.0(1)M3.
>> I don't have any firewall or anything else that could prevent logging
>> in (that I can see).  I can log in through the interface on the global
>> table; trying to get on the VRF interface gets me connection refused.
>>
>> Here is the redacted config
>>
>>
>> version 15.0
>> no ip source-route
>> ip cef
>> !
>> !
>> ip vrf Inside
>>  rd 64512:3
>>  import map VRFDefaultMap
>>  route-target export 64512:3
>>  route-target import 64512:2
>> !
>> ip vrf Outside
>>  rd 64512:2
>>  route-target export 64512:2
>>  route-target import 64512:3
>> !
>> !
>> !
>> interface GigabitEthernet0/0
>>  ip address x.x.x.1 255.255.255.248
>>  ip nat outside
>>  ip virtual-reassembly
>>  duplex auto
>>  speed auto
>>  !
>> !
>> interface GigabitEthernet0/1
>>  ip vrf forwarding Inside
>>  ip address 172.17.0.1 255.255.252.0
>>  ip nat inside
>>  ip virtual-reassembly
>>  duplex auto
>>  speed auto
>>  !
>> interface Serial0/0/0
>>  ip vrf forwarding Outside
>>  ip address y.y.y.2 255.255.255.248
>>  ip nat outside
>>  ip virtual-reassembly
>>  no clock rate 2000000
>>  !
>> !
>> router bgp 64512
>>  no synchronization
>>  bgp log-neighbor-changes
>>  no auto-summary
>>  !
>>  address-family ipv4 vrf Inside
>>  no synchronization
>>  redistribute connected
>>  redistribute static
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf Outside
>>  no synchronization
>>  redistribute connected
>>  redistribute static
>>  default-information originate
>>  exit-address-family
>> !
>> ip route 0.0.0.0 0.0.0.0 x.x.x.1
>> ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
>> !
>> !
>> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
>> !
>> route-map VRFDefaultMap permit 10
>>  match ip address prefix-list DefaultOnly
>> line vty 0 4
>>  access-class MgmntACL in vrf-also
>>  exec-timeout 120 0
>>  privilege level 15
>>  password 7 ****
>>  login local
>>  transport input telnet ssh
>> line vty 5 15
>>  access-class MgmntACL in vrf-also
>>  exec-timeout 120 0
>>  privilege level 15
>>  password 7 ****
>>  login local
>>  transport input telnet ssh
>>
>
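
An added example, not part of the original thread: a small Python audit that parses an IOS configuration shaped like the one quoted above and reports, per VTY range, whether an inbound access-class lacks `vrf-also` while VRF interfaces exist (IOS then rejects sessions arriving on those interfaces), whether no inbound ACL is applied at all, and whether telnet is permitted. The sample config, its addresses and the finding codes are constructed for this example.

```python
import re

# Constructed sample modelled on the quoted config (documentation addresses).
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.248
interface Serial0/0/0
 ip vrf forwarding Outside
 !
line vty 0 4
 access-class MgmntACL in vrf-also
 transport input telnet ssh
line vty 5 15
 access-class MgmntACL in
 transport input ssh
"""

def stanzas(config):
    """Yield (header, sub-commands) for each top-level stanza, skipping '!' lines."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw[0].isspace():          # unindented line starts a new stanza
            if header:
                yield header, body
            header, body = raw.strip(), []
        elif header:
            body.append(raw.strip())
    if header:
        yield header, body

def audit(config):
    """Return ({interface: vrf}, [(vty range, finding code)]) for an IOS config."""
    parsed = list(stanzas(config))
    vrfs = {h.split()[1]: m.group(1) for h, b in parsed if h.startswith("interface ")
            for m in [re.match(r"(?:ip )?vrf forwarding (\S+)", c) for c in b] if m}
    findings = []
    for header, body in (s for s in parsed if s[0].startswith("line vty")):
        acl = [c.split() for c in body if re.match(r"access-class \S+ in\b", c)]
        if not acl:
            findings.append((header, "no-inbound-acl"))
        elif vrfs and "vrf-also" not in acl[0]:
            findings.append((header, "acl-rejects-vrf-sources"))
        transport = next((c.split()[2:] for c in body if c.startswith("transport input")), [])
        if {"telnet", "all"} & set(transport):
            findings.append((header, "telnet-allowed"))
    return vrfs, findings
```
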