
The ACL Used on the VTY Interface of an NE20E-X6 to Limit Login Network Segments Fails

Publication Date:  2019-07-12  |   Views:  191  |   Downloads:  0  |   Document ID:  EKB1100015019


Issue Description

Version information: NE20E-X6, V600R003C00SPCa00B10u.

Symptom: A user account is configured for Telnet login, and a PC can log in to the management IP address 172.19.32.30 over Telnet. However, once an ACL is applied inbound on the VTY interface to restrict login to specific network segments, logins from all network segments fail, even though a ping to the management IP address still succeeds.

After the ACL is disabled on the VTY interface, users in all network segments can log in again.

Device configuration:

acl number 2001
 rule 5 permit source 172.17.19.0 0.0.0.255
 rule 10 permit source 172.17.18.0 0.0.0.255

interface GigabitEthernet0/0/0
 speed auto
 duplex auto
 undo shutdown
 ip binding vpn-instance management
 ip address 172.19.32.30 255.255.255.0

interface GigabitEthernet2/0/0
 undo shutdown
 ip address 172.19.0.54 255.255.255.240

ip route-static 0.0.0.0 0.0.0.0 X.X.15.221
ip route-static 172.17.0.0 255.255.0.0 172.19.0.49
ip route-static 172.19.0.0 255.255.0.0 172.19.0.49
ip route-static vpn-instance management 0.0.0.0 0.0.0.0 172.19.32.254

user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2001 inbound

aaa
 local-user adminselect password cipher XXXXX
 local-user adminselect service-type telnet
 local-user adminselect level 15

Solution

The management interface GigabitEthernet0/0/0 is bound to the VPN instance management, so login packets to 172.19.32.30 arrive in that VPN instance rather than in the public network instance. Keep the management interface bound to its VPN instance:

interface GigabitEthernet0/0/0
 speed auto
 duplex auto
 undo shutdown
 ip binding vpn-instance management
 ip address 172.19.32.30 255.255.255.0


If an ACL is applied to the VTY interface, its rules must also name the VPN instance. Rules without the vpn-instance keyword match only traffic in the public network instance, so none of the permit rules in ACL 2001 match the management traffic and the implicit deny at the end of the ACL rejects every login. Rewrite the rules with vpn-instance management:

acl 2001
 rule permit vpn-instance management source 172.17.18.0 0.0.0.255
 rule permit vpn-instance management source 172.17.19.0 0.0.0.255
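The following Python script is an added example and is not part of the Huawei article or the device software. It models the ACL behaviour described above: a rule with no vpn-instance keyword only matches packets arriving in the public network instance, a rule with vpn-instance X only matches packets arriving in VPN instance X, and an ACL with no matching rule falls through to the implicit deny. The model parses the article's before and after snippets, evaluates a login from a constructed client address (172.17.19.5, inside a permitted segment) arriving on the VPN-bound management interface, and includes a small audit function that flags permit rules that can never match management traffic. The matching semantics are an assumption made to reproduce the symptom and fix; they are not Huawei code.

```python
"""Added example (not from the Huawei KB article): a toy model of how a basic
ACL applied inbound on a VTY line filters logins when the management
interface is bound to a VPN instance. Assumption: rules without
'vpn-instance' match only the public network instance, rules with
'vpn-instance X' match only VPN instance X, and no match means deny."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# 'rule [N] permit|deny [vpn-instance X] source A.B.C.D W.W.W.W'
RULE_RE = re.compile(
    r"^\s*rule(?:\s+\d+)?\s+(permit|deny)"
    r"(?:\s+vpn-instance\s+(\S+))?"
    r"\s+source\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*$"
)
BINDING_RE = re.compile(r"^\s*ip binding vpn-instance\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")


@dataclass
class Rule:
    action: str                  # 'permit' or 'deny'
    addr: int                    # source address as a 32-bit integer
    wildcard: int                # VRP wildcard: 1 bits are "don't care"
    vpn_instance: Optional[str]  # None = public network instance


def parse_acl(config: str) -> List[Rule]:
    """Extract basic ACL source rules from VRP-style configuration text."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            action, vpn, addr, wc = m.groups()
            rules.append(Rule(action, int(ipaddress.IPv4Address(addr)),
                              int(ipaddress.IPv4Address(wc)), vpn))
    return rules


def interface_vpn_instance(config: str, ifname: str) -> Optional[str]:
    """Return the VPN instance an interface is bound to, or None (public)."""
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BINDING_RE.match(line)
        if m and current == ifname:
            return m.group(1)
    return None


def acl_decision(rules: List[Rule], src_ip: str,
                 vpn_instance: Optional[str]) -> str:
    """First-match evaluation of a login from src_ip arriving in vpn_instance."""
    src = int(ipaddress.IPv4Address(src_ip))
    for r in rules:
        if r.vpn_instance != vpn_instance:
            continue                      # rule belongs to another instance
        care = ~r.wildcard & 0xFFFFFFFF   # bits the rule actually compares
        if (src & care) == (r.addr & care):
            return r.action
    return "deny"                         # implicit deny at the end of the ACL


def audit_vty_acl(rules: List[Rule], mgmt_vpn: Optional[str]) -> List[Rule]:
    """Permit rules that can never match traffic arriving in mgmt_vpn; a
    non-empty result means every login falls through to the implicit deny."""
    return [r for r in rules
            if r.action == "permit" and r.vpn_instance != mgmt_vpn]


# Constructed sample configs, copied from the article's before/after snippets.
BROKEN_CONFIG = """\
acl number 2001
 rule 5 permit source 172.17.19.0 0.0.0.255
 rule 10 permit source 172.17.18.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip binding vpn-instance management
 ip address 172.19.32.30 255.255.255.0
"""
FIXED_CONFIG = """\
acl 2001
 rule permit vpn-instance management source 172.17.18.0 0.0.0.255
 rule permit vpn-instance management source 172.17.19.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip binding vpn-instance management
"""

if __name__ == "__main__":
    client = "172.17.19.5"   # constructed client inside a permitted segment
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        rules = parse_acl(cfg)
        vpn = interface_vpn_instance(cfg, "GigabitEthernet0/0/0")
        print(f"{name}: login from {client} -> {acl_decision(rules, client, vpn)}; "
              f"unreachable permit rules: {len(audit_vty_acl(rules, vpn))}")
```

Running the script shows the broken ACL denying the client while the same rules would have permitted it on a public-instance interface, and the fixed ACL permitting it; the audit reports two unreachable permit rules before the fix and none after. On the device itself the equivalent check is to confirm that each rule referenced by the VTY ACL carries the same vpn-instance as the management interface, then test a login from each permitted segment before relying on the filter.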