[c-nsp] VTY access through VRF interface
Jay Nakamura
zeusdadog at gmail.com
Mon Oct 25 12:22:06 EDT 2010
Just to follow up to this issue, TAC decided this is a bug. I will
post back when I get details on bug ID and any other info.
On Mon, Oct 11, 2010 at 10:31 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> New discovery: no matter what, the router will not let me log in to the
> IP on the serial interface if it's on a VRF. I can log in to an
> Ethernet interface on the same VRF going through the serial interface.
> This seems to be what was tripping me up.
>
> Is this a bug? It sure feels like one.
>
> On Fri, Oct 8, 2010 at 3:45 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
>> Found out that this was because I didn't have the data license enabled
>> yet. As soon as I enabled the data license, (I did have to reboot.
>> Grumble...) it started working.
>>
>>
>> On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
>>> I am trying to configure a router with a couple of VRFs and I need to be
>>> able to ssh/telnet to vty through a VRF interface. I haven't had this
>>> problem with other routers prior to 15.0M. Am I missing a command I
>>> don't know about to enable this?
>>>
>>> With 12.4x, I used "access-class .... vrf-also" and that seems to have
>>> done it. The router I am working with is a 1941 with 15.0(1)M3.
>>> I don't have any firewall or anything else that could prevent logging
>>> in (that I can see). I can log in through the interface on the global
>>> table; trying to get on the VRF interface gets me connection refused.
>>>
>>> Here is the redacted config
>>>
>>>
>>> version 15.0
>>> no ip source-route
>>> ip cef
>>> !
>>> !
>>> ip vrf Inside
>>> rd 64512:3
>>> import map VRFDefaultMap
>>> route-target export 64512:3
>>> route-target import 64512:2
>>> !
>>> ip vrf Outside
>>> rd 64512:2
>>> route-target export 64512:2
>>> route-target import 64512:3
>>> !
>>> !
>>> !
>>> interface GigabitEthernet0/0
>>> ip address x.x.x.1 255.255.255.248
>>> ip nat outside
>>> ip virtual-reassembly
>>> duplex auto
>>> speed auto
>>> !
>>> !
>>> interface GigabitEthernet0/1
>>> ip vrf forwarding Inside
>>> ip address 172.17.0.1 255.255.252.0
>>> ip nat inside
>>> ip virtual-reassembly
>>> duplex auto
>>> speed auto
>>> !
>>> interface Serial0/0/0
>>> ip vrf forwarding Outside
>>> ip address y.y.y.2 255.255.255.248
>>> ip nat outside
>>> ip virtual-reassembly
>>> no clock rate 2000000
>>> !
>>> !
>>> router bgp 64512
>>> no synchronization
>>> bgp log-neighbor-changes
>>> no auto-summary
>>> !
>>> address-family ipv4 vrf Inside
>>> no synchronization
>>> redistribute connected
>>> redistribute static
>>> exit-address-family
>>> !
>>> address-family ipv4 vrf Outside
>>> no synchronization
>>> redistribute connected
>>> redistribute static
>>> default-information originate
>>> exit-address-family
>>> !
>>> ip route 0.0.0.0 0.0.0.0 x.x.x.1
>>> ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
>>> !
>>> !
>>> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
>>> !
>>> route-map VRFDefaultMap permit 10
>>> match ip address prefix-list DefaultOnly
>>> line vty 0 4
>>> access-class MgmntACL in vrf-also
>>> exec-timeout 120 0
>>> privilege level 15
>>> password 7 ****
>>> login local
>>> transport input telnet ssh
>>> line vty 5 15
>>> access-class MgmntACL in vrf-also
>>> exec-timeout 120 0
>>> privilege level 15
>>> password 7 ****
>>> login local
>>> transport input telnet ssh
>>>
>>
>
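
Added example, not part of the thread and not Cisco tooling: a small Python audit of the `access-class ... in vrf-also` setting discussed above, reporting for each VTY range whether logins arriving on VRF interfaces are filtered, refused, or left unfiltered. It assumes normal running-config indentation (the quoted config lost it in the archive); the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in normal running-config indentation, modelled on the
# config quoted in the thread; the address is a documentation-range placeholder.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.248
interface Serial0/0/0
 ip vrf forwarding Outside
line vty 0 4
 access-class MgmntACL in vrf-also
line vty 5 15
 access-class MgmntACL in
line vty 16 20
 transport input ssh
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level IOS command."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_vty(config):
    """Return (VRF interface map, verdict per 'line vty' block)."""
    blocks = parse_blocks(config)
    vrf_ifs = {head.split(None, 1)[1]: m.group(1)
               for head, body in blocks.items() if head.startswith("interface ")
               for m in [re.match(r"(?:ip )?vrf forwarding (\S+)", c) for c in body] if m}
    verdicts = {}
    for head, body in blocks.items():
        if not head.startswith("line vty"):
            continue
        acl = next((m for m in (re.match(r"access-class (\S+) in( vrf-also)?$", c)
                                for c in body) if m), None)
        if acl is None:
            verdicts[head] = "no inbound ACL: logins unfiltered"
        elif acl.group(2):
            verdicts[head] = f"{acl.group(1)} filters global and VRF logins"
        else:
            verdicts[head] = f"{acl.group(1)} set without vrf-also: VRF logins refused"
    return vrf_ifs, verdicts
```

A clean result rules out the missing-keyword case only; it says nothing about the serial-interface behaviour that TAC classified as a bug.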