access-class in on vty needs vrf-also

I was upgrading a Cisco 2811 remotely from 12.4(24)T8 to 15.1(4)M8. The tunnel I was using for management was part of a VRF.

interface Tunnel9
...
vrf forwarding management-vrf
...

After the upgrade I was able to ping the router remotely but wasn't able to get an SSH connection. From the stepping stone I was using I got:

[peter@steppingstone-server:~]$ ssh 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Connection refused

Luckily I could still reach the router another way. When I was logged in and did some searching I found out that in this newer release you need to append the optional vrf-also keyword at the end of the access-class <acl-number> in command. The keyword allows incoming connections from interfaces that belong to a VRF; without it the router rejects vty sessions arriving on a VRF interface, which is why the connection was refused. See the Cisco site for more information about this command.

So to get the remote management fixed I just needed to configure:

cisco-2811(config)#line vty 0 15
cisco-2811(config-line)#access-class 23 in vrf-also

Your vty configuration should look something like:

line vty 0 4
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 5 7
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 8 15
 access-class 23 in vrf-also
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
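As an added example, not from the original post: a small Python audit that reads a saved running-config, checks whether any interface sits in a VRF, and reports every vty range whose inbound access-class lacks vrf-also, together with the fix to apply. The sample config and the function names are constructed for this example.

```python
import re

# Constructed sample running-config for this example (not taken from the post):
# one tunnel bound to a VRF, one vty range missing vrf-also, one range correct.
SAMPLE_CONFIG = """\
interface Tunnel9
 vrf forwarding management-vrf
!
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 access-class 23 in vrf-also
 transport input ssh
"""

# "vrf forwarding" (15.x) or the legacy "ip vrf forwarding" form, anywhere in the config
VRF_IFACE_RE = re.compile(r"^\s+(ip )?vrf forwarding \S+", re.MULTILINE)
VTY_RE = re.compile(r"^line vty (\d+) (\d+)\s*$")
ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) in(?P<opts>(?:\s.*)?)$")

def has_vrf_interfaces(config: str) -> bool:
    """True when at least one interface is placed in a VRF."""
    return VRF_IFACE_RE.search(config) is not None

def audit_vty_access_class(config: str) -> list:
    """One finding per vty range whose inbound access-class lacks vrf-also
    (such a range refuses SSH arriving over a VRF-bound management interface)."""
    findings = []
    current = None  # (first, last) of the vty range currently being parsed
    for line in config.splitlines():
        m = VTY_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            continue
        if not line.startswith(" "):
            current = None  # left the line-mode block
            continue
        ac = ACCESS_CLASS_RE.match(line)
        if current and ac and "vrf-also" not in ac.group("opts").split():
            acl = ac.group(1)
            fix = f"line vty {current[0]} {current[1]}\n access-class {acl} in vrf-also"
            findings.append({"vty": current, "acl": acl, "fix": fix})
    return findings

def audit(config: str) -> list:
    """The missing keyword only matters when a VRF is in use; otherwise report nothing."""
    return audit_vty_access_class(config) if has_vrf_interfaces(config) else []
```

Run it against `show running-config` output saved to a file before an upgrade to 15.x, and apply the printed fix to each reported range.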

One thought on “access-class in on vty needs vrf-also”

  1. Thanks for the tip. Most sources on the net don’t mention the need to do this for management on vrf.
