access-class in on vty needs vrf-also

I was upgrading a Cisco 2811 remotely from 12.4(24)T8 to 15.1(4)M8. The tunnel I was using for management was part of a VRF.

interface Tunnel9
...
vrf forwarding management-vrf
...

After the upgrade I was able to ping the router remotely but wasn’t able to get an SSH connection. From the steppingstone I was using I got:

[peter@steppingstone-server:~]$ ssh 192.168.1.1
ssh: connect to host  192.168.1.1 port 22: Connection refused

Luckily I had the possibility to reach the router via another way. When I was logged in and did some searching I found out that in this newer release you need to append the optional vrf-also keyword at the end of the access-class <acl-number> in command. The keyword allows incoming connections from interfaces that belong to a VRF. See the Cisco site for more information about this command.

So to get the remote management fixed I just needed to configure:

cisco-2811(config)#line vty 0 15
cisco-2811(config-line)#access-class 23 in vrf-also

Your vty configuration should look something like:

line vty 0 4
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 5 7
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 8 15
 access-class 23 in vrf-also
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
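
A check that can be run against a saved running-config before an upgrade like the one described above. This is an added example, not part of the original post: the function names and the sample config are constructed for illustration, and the script also accepts the older "ip vrf forwarding" interface syntax, which does not appear on this page.

```python
import re

# Constructed sample running-config (not from a real device): the tunnel is in
# a VRF and one vty range still lacks vrf-also.
SAMPLE_CONFIG = """\
interface Tunnel9
 vrf forwarding management-vrf
!
line vty 0 4
 access-class 23 in vrf-also
 transport input ssh
line vty 5 15
 access-class 23 in
 transport input ssh
"""

def parse_sections(config):
    """Group indented lines under their top-level parent line."""
    sections, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = (line.strip(), [])
            sections.append(current)
        elif current:
            current[1].append(line.strip())
    return sections

def audit_vty_vrf(config):
    """Return (vrf_interfaces, vty_lines_missing_vrf_also)."""
    vrf_ifaces, missing = [], []
    for header, body in parse_sections(config):
        if header.startswith("interface "):
            # Matches "vrf forwarding X" and the older "ip vrf forwarding X".
            if any(re.match(r"(ip )?vrf forwarding \S+", l) for l in body):
                vrf_ifaces.append(header.split(None, 1)[1])
        elif header.startswith("line vty "):
            for l in body:
                m = re.match(r"access-class (\S+) in\b(.*)", l)
                if m and "vrf-also" not in m.group(2).split():
                    missing.append((header, l))
    return vrf_ifaces, missing

if __name__ == "__main__":
    ifaces, missing = audit_vty_vrf(SAMPLE_CONFIG)
    for header, cmd in missing:
        print(f"{header}: '{cmd}' lacks vrf-also; VRF interfaces: {ifaces}")
```

If the first list is non-empty and the second is not empty either, management sessions arriving over those VRF interfaces are the ones at risk of being refused after the upgrade.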
2 comments on “access-class in on vty needs vrf-also”
  2. Tom says:

    Thanks for the tip. Most sources on the net don’t mention the need to do this for management on vrf.
