Tuesday, June 3, 2014

An issue with access-class (vrf-also) on IOS-XE multi-VRF

With multiple VRFs, the access-class command acts strangely under IOS-XE: you have to apply the access-class with the keyword "vrf-also" in order for all VRFs to be protected by the ACL.

Without the keyword, the result is that all access to the line is blocked.


Here's my example.

Note: we have a simple access-class protecting "inbound" requests:

line vty 0 4
 session-timeout 10
 access-class myssh in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output ssh



The access-list referenced above is named "myssh" and permits only a limited range of sources to reach the router via SSH.

 show run | sec access-list ext

 ip access-list extended myssh
  permit tcp 10.10.10.0 0.0.0.3 any eq 22
  permit tcp 10.10.20.0 0.0.0.3 any eq 22


So the keyword "vrf-also" is what allows the access-class to take effect within all VRFs.
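As an added example (not part of the original post), here is a small audit script that scans an IOS/IOS-XE running-config and flags vty lines whose inbound access-class lacks "vrf-also" while VRFs are defined, has no inbound access-class at all, or references an ACL that is not defined. The sample configuration embedded below is constructed for the demonstration, as are the VRF name MGMT and the second vty range.

```python
import re

# Constructed sample running-config excerpt (not taken from the original post).
SAMPLE_CONFIG = """\
vrf definition MGMT
 rd 65000:1
!
ip access-list extended myssh
 permit tcp 10.10.10.0 0.0.0.3 any eq 22
 permit tcp 10.10.20.0 0.0.0.3 any eq 22
!
line vty 0 4
 access-class myssh in
 transport input ssh
line vty 5 15
 access-class myssh in vrf-also
 transport input ssh
"""


def parse_vty_blocks(config):
    """Map each 'line vty X Y' header to the list of commands indented under it."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            name = line.strip()
            blocks[name] = []
        elif line.startswith(" ") and name is not None:
            blocks[name].append(line.strip())
        else:
            name = None  # any other top-level line ends the block
    return blocks


def audit_vty_access_class(config):
    """Return (vty, finding) tuples for misconfigured inbound access-class entries."""
    has_vrf = bool(re.search(r"^(vrf definition|ip vrf) \S+", config, re.M))
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", config, re.M))  # numbered ACLs
    findings = []
    for vty, cmds in parse_vty_blocks(config).items():
        inbound = [c for c in cmds if re.match(r"access-class \S+ in\b", c)]
        if not inbound:
            findings.append((vty, "no inbound access-class"))
            continue
        for cmd in inbound:
            parts = cmd.split()
            acl = parts[1]
            if acl not in acls:
                findings.append((vty, f"access-class references undefined ACL {acl}"))
            if has_vrf and "vrf-also" not in parts:
                findings.append((vty, f"access-class {acl} in lacks vrf-also; "
                                      "line access via the VRFs is blocked, not filtered"))
    return findings
```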

Just something I thought I would share.


Ken Felix
Network & Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   X   X )=
          o
       /     \
