The NM Server in the NM VPN Attached to the VTY Could Not Access Devices Though No Such Limitation Was Set in the ACL

Publication Date:  2012-07-27 Views:  90 Downloads:  0
Issue Description
To secure management access to an IP bearer network, the customer required that an ACL be applied to the VTY user interfaces of the devices (V300R002C06B325) so that only the NM server in the NM VPN attached to the VTY could log in. The ACL was configured as follows:
acl 2007
rule 5 permit source 10.0.102.113 0
rule 500 deny
Note: 10.0.102.113 is the IP address of the NM server in the NM VPN attached to the VTY.
user-interface vty 0 4
acl 2007 inbound
authentication-mode aaa
protocol inbound all
After this ACL was applied, the NM server in the NM VPN attached to the VTY could no longer access the devices.

Alarm Information
The NM server cannot access devices. 

Handling Process
The configuration was modified as follows (the VPN instance name was added to the permit rule):
acl 2007
rule 5 permit vpn-instance XXX source 10.0.102.113 0
rule 500 deny
#
user-interface vty 0 4
acl 2007 inbound
authentication-mode aaa
protocol inbound all 

Root Cause
In V300R002C06B325, for basic ACLs (2000-2999), a rule that is meant to match a source address inside a VPN instance must carry the VPN instance name; a rule without vpn-instance does not match packets arriving from that VPN, so the original rule 5 never matched the NM server and the session fell through to rule 500 deny. For example,
acl 2007
rule 5 permit vpn-instance XXX source 10.0.102.113 0
Note: XXX is the VPN instance name. 
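Added example (not part of the original case): a small Python evaluator for basic ACL rules that shows which rule a login from the NM server hits under the original and the corrected ACL. The matching model it uses (a rule carrying vpn-instance matches only that instance, a source rule without vpn-instance matches only public-network packets, a catch-all rule without a source applies in every instance, first match in rule-number order wins) is an assumption labelled in the code, chosen to reproduce the behaviour this case reports; the ACL text, the address 10.0.102.113 and the instance name XXX are taken from the case.

```python
"""Added example: evaluator for Huawei-style basic ACL rules (2000-2999) on a VTY.

Modelling assumptions (not taken from the case):
  * a rule with "vpn-instance NAME" matches only packets from VPN instance NAME;
  * a rule with a source but no vpn-instance matches only public-network packets
    (the behaviour the case reports for V300R002C06B325);
  * a catch-all rule with no source (e.g. "rule 500 deny") applies to every instance;
  * rules are tried in ascending rule-number order, first match wins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+vpn-instance\s+(?P<vpn>\S+))?"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<wc>\S+))?$"
)


@dataclass
class Rule:
    number: int
    action: str
    vpn: Optional[str]      # None: no vpn-instance keyword on the rule
    src: Optional[int]      # None: rule has no source (matches any address)
    wildcard: int           # Huawei wildcard mask: 1 bits are "don't care"


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(config: str) -> List[Rule]:
    """Parse the 'rule ...' lines of an ACL view; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("rule "):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        src = wildcard = None
        if m.group("src"):
            src = _addr(m.group("src"))
            wc = m.group("wc")
            wildcard = _addr(wc) if "." in wc else int(wc)   # "0" means exact host
        rules.append(Rule(int(m.group("num")), m.group("action"),
                          m.group("vpn"), src, wildcard or 0))
    return sorted(rules, key=lambda r: r.number)


def rule_matches(rule: Rule, src_ip: str, vpn: Optional[str]) -> bool:
    """vpn is the packet's ingress VPN instance, None for the public network."""
    if rule.vpn is not None and rule.vpn != vpn:
        return False                      # rule is bound to another instance
    if rule.src is None:
        return True                       # catch-all: any address, any instance
    if rule.vpn is None and vpn is not None:
        return False                      # source rule without vpn-instance: public only
    return (_addr(src_ip) | rule.wildcard) == (rule.src | rule.wildcard)


def evaluate(rules: List[Rule], src_ip: str,
             vpn: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ('no-match', None)."""
    for r in rules:
        if rule_matches(r, src_ip, vpn):
            return r.action, r.number
    return "no-match", None


# Constructed from the configuration shown in the case.
ACL_BEFORE = """\
acl 2007
 rule 5 permit source 10.0.102.113 0
 rule 500 deny
"""
ACL_AFTER = """\
acl 2007
 rule 5 permit vpn-instance XXX source 10.0.102.113 0
 rule 500 deny
"""
NM_SERVER = "10.0.102.113"
NM_VPN = "XXX"   # placeholder VPN instance name, as in the case


def check_nm_access():
    """Rule hit by the NM server's VPN-sourced login, before and after the fix."""
    before = evaluate(parse_acl(ACL_BEFORE), NM_SERVER, NM_VPN)
    after = evaluate(parse_acl(ACL_AFTER), NM_SERVER, NM_VPN)
    return before, after


if __name__ == "__main__":
    before, after = check_nm_access()
    print("before fix:", before)   # ('deny', 500)
    print("after fix :", after)    # ('permit', 5)
    # Side effect of the fix: the same address arriving from the public network
    # no longer matches rule 5 and falls through to rule 500.
    print("public source after fix:", evaluate(parse_acl(ACL_AFTER), NM_SERVER, None))
```

Running the script shows the original ACL sending the NM server's session to rule 500 deny and the corrected ACL matching it on rule 5; it also shows that after the fix the same address arriving from the public network is denied, so the corrected rule is tighter, not merely a restoration of access.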

Suggestions
When management traffic reaches the device through a VPN instance, add vpn-instance to the permit rules of a basic ACL applied to the VTY. Because the ACL ends with rule 500 deny, every source that is not explicitly permitted is blocked, including the source of the session used to apply the ACL; verify that the NM server can log in from the NM VPN before closing that session.

END