From: roel.fonteyn@xxxxxxxxxxx
Date: Thu Aug 29 2002 - 08:10:43 GMT-3
Hi group,
Sorry if this mail comes in double -- I waited half a day with no result.
No lab scenario, just a real life question.
I've got a client who uses VRF Lite / multi-VRF on a router (7200). Clients who are in a VRF are not allowed to telnet to the router before they have passed the FW (no NAT). Therefore, my idea was:
create a separate loopback for the normal routing table and another for the VRF routing table.
create an access-list 1xx which allows IP traffic from certain ranges to a specific host address (i.e. access-list 150 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.1).
When I apply this access-list to a vty (for testing purposes not all of them, thank God), I can't log in anymore. Does anybody have an idea how to solve this?
config:
...
! normal range
access-list 150 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.1
! range within vrf
access-list 150 permit ip 192.168.10.0 0.0.0.255 host 192.168.0.1
...
line vty 0 3
 ! I'm still able to do 4 telnet sessions
 login local
line vty 4
 login local
 ! fifth session always gets refused, unless I remove the access-class.
 access-class 150 in
end
Mvg/Rgrds,
Roel
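As an added illustration (not part of Roel's post or his router's config): a vty access-class built from a standard, source-only ACL, since access-class is evaluated against the source address of the incoming session, applied to all vtys rather than a single test line. The source ranges are the ones from the post; the ACL number, the `deny any log` entry and the assumption that the IOS release supports the `vrf-also` keyword (which makes IOS accept vty sessions arriving through VRF interfaces once an access-class is present) are mine.

```cisco
! Added example, not the original poster's configuration.
! Standard ACL: access-class only checks the source of the session, so the
! destination loopback does not need to appear in the list.
access-list 10 remark hosts allowed to telnet to the router
access-list 10 permit 10.0.0.0 0.0.0.255
! range inside the VRF (taken from the post)
access-list 10 permit 192.168.10.0 0.0.0.255
! log refused attempts so failed logins from other ranges are visible
access-list 10 deny any log
!
! Apply to every vty: sessions land on the lowest free line, so a vty
! without the access-class stays reachable from anywhere.
line vty 0 4
 login local
 ! vrf-also (assumed to be available on this release): without it, IOS
 ! refuses vty connections that arrive via an interface inside a VRF
 ! as soon as an access-class is applied.
 access-class 10 in vrf-also
 transport input telnet
```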
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:41 GMT-3