Configuration Guide Vol. 1


10.1.10 Set IP Addresses to Allow VRF to Log In from Remote Operation Terminals [SL-L3A]

By setting their IP addresses in an access list, you can specify which remote operation terminals are allowed to log in to the Switch.

As a rule, access lists are set individually for the global network and for each VRF. An access list can also be set for all VRFs, including the global network (VRF ALL). These configurations can be combined. Note that every access list ends in an implicit discard when it is used on its own, but when several access lists are combined only the last access list evaluated (the one set as VRF ALL) ends in an implicit discard; an individually set list that does not match simply hands evaluation over to the VRF ALL list.

How access lists are applied to the access source VRFs (that is, the application range of access lists) depends on the relationship between the access sources and the locations where access lists are set. As an example, the following table describes how an applied access list will change depending on where access lists are set when the Switch is accessed from the global network, VRF 10 and VRF 20. (Entries in parentheses show which access list is applied.)

Table 10-3: Scope of access lists

  Access list location           Access source VRF
                                 Global network       VRF 10               VRF 20
  --------------------------------------------------------------------------------
  - global                       (global)             -                    -
  - global                       (global)             (VRF 10)             -
  - VRF 10
  - global                       (global) #, then     (VRF 10) #, then     (VRF ALL)
  - VRF 10                       (VRF ALL)            (VRF ALL)
  - VRF ALL

Legend

-: No access list is applied. Therefore, access is not restricted.

global: Global network

VRF 10: VRF 10

VRF ALL: All VRFs including the global network

# Individually set access lists are applied with a higher priority than the access list set as VRF ALL. When several access lists are used, an individually set access list does not end in an implicit discard: if none of its entries matches the access source, the access list set as VRF ALL is evaluated next. If no entry of the access list set as VRF ALL matches either, access is denied by that list's implicit discard.

After configuring these settings, confirm that a remote operation terminal whose address is not registered is refused login to the Switch, and that a registered terminal can still log in. Perform this check while an existing session (for example, on the console) is still open, so that a mistake in an access list does not lock you out of the Switch.

Points to note

Use an access list to permit access to this Switch from specific remote operation terminals. To do so, you must register their IP addresses in advance by using the ip access-list standard, ipv6 access-list, access-list, ip access-group, or ipv6 access-class configuration commands. You can register a maximum of 128 IPv4 addresses and subnet masks, or IPv6 addresses and prefixes. If you omit this configuration, all remote operation terminals will be able to access the Switch. If access is attempted from a terminal that does not have access permission (a terminal not registered in the configuration entry), the message Unknown host address <IP address> will appear on other login terminals.

A configuration example is shown below. First, restrict login from remote operation terminals on all VRFs including the global network. Next, permit login from the global network and specific VRFs. After this, login is permitted only from specified networks.

Command examples

  1. (config)# ip access-list standard REMOTE_VRFALL

    (config-std-nacl)# deny any

    (config-std-nacl)# exit

    Sets the access list REMOTE_VRFALL, which denies login on all VRFs including the global network.

  2. (config)# ip access-list standard REMOTE_GLOBAL

    (config-std-nacl)# permit 192.168.0.0 0.0.0.255

    (config-std-nacl)# exit

    Sets the access list REMOTE_GLOBAL, which permits login only from the network 192.168.0.0/24 on the global network.

  3. (config)# ip access-list standard REMOTE_VRF10

    (config-std-nacl)# permit 10.10.10.0 0.0.0.255

    (config-std-nacl)# exit

    Sets the access list REMOTE_VRF10, which permits login only from the network 10.10.10.0/24 on VRF 10.

  4. (config)# line vty 0 2

    (config-line)# ip access-group REMOTE_VRFALL vrf all in

    (config-line)# ip access-group REMOTE_GLOBAL in

    (config-line)# ip access-group REMOTE_VRF10 vrf 10 in

    (config-line)#

    Moves to line mode and applies the access list REMOTE_VRFALL to all VRFs including the global network, the access list REMOTE_GLOBAL to the global network, and the access list REMOTE_VRF10 to VRF 10.

    On the global network, permits login only from the network IP address 192.168.0.0/24.

    On VRF 10, permits login only from the network IP address 10.10.10.0/24.

    Login from other VRFs is restricted.
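The evaluation order behind Table 10-3 and the command example above is easy to get wrong, in particular the fact that an individually set access list loses its implicit discard once a VRF ALL list is also applied. The following Python model is an added example for this guide, not Switch software and not part of the original text: it encodes the rules stated in this section (individual list first, fall-through to the VRF ALL list, implicit discard only at the last list evaluated, no restriction where no list is applied) and runs them against the three access lists of the command example. The names `decide_login`, `evaluate_list` and `entry_matches` are assumptions made for this example; wildcard masks are interpreted in the usual way (0 bits must match, 1 bits are ignored).

```python
"""Model of how remote-login access lists are applied per VRF.

Hypothetical helper written for this guide; it is not Switch software. It
encodes the rules of Table 10-3 and its footnote: the list set for the source
VRF (or the global network) is checked first, a non-matching individual list
falls through to the list set as VRF ALL, and only the last list evaluated
ends in the implicit discard. With no list applied to a VRF, access is
unrestricted.
"""
import ipaddress
from typing import Optional

# One entry of a standard IPv4 access list: (action, address, wildcard mask).
# "any" is written as address 0.0.0.0 with wildcard 255.255.255.255.
Entry = tuple[str, str, str]

ANY = ("0.0.0.0", "255.255.255.255")


def entry_matches(entry: Entry, src: str) -> bool:
    """Wildcard-mask match: 0 bits in the mask must be equal, 1 bits are
    ignored (so `permit 192.168.0.0 0.0.0.255` covers 192.168.0.0/24)."""
    _action, addr, wildcard = entry
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate_list(entries: list[Entry], src: str) -> Optional[str]:
    """First matching entry wins. None means no entry matched; whether that
    becomes an implicit discard is decided by the caller."""
    for entry in entries:
        if entry_matches(entry, src):
            return entry[0]
    return None


def decide_login(acls: dict[str, list[Entry]], applied: dict[str, str],
                 src_vrf: str, src_ip: str) -> tuple[str, Optional[str]]:
    """Return (result, name of the list that decided it).

    `applied` maps a VRF name ("global", "10", "20", ...) or "all" (VRF ALL)
    to an access list name, mirroring `ip access-group <name> [vrf <id>|vrf all] in`.
    """
    individual = applied.get(src_vrf)
    vrf_all = applied.get("all")

    if individual is None and vrf_all is None:
        return ("permit", None)          # "-" in Table 10-3: no list applied, no restriction

    if individual is not None:
        result = evaluate_list(acls[individual], src_ip)
        if result is not None:
            return (result, individual)  # individually set list has priority
        if vrf_all is None:
            return ("deny", individual)  # used alone, the individual list keeps its implicit discard
        # No match in the individual list and a VRF ALL list exists:
        # no implicit discard here, evaluation falls through to VRF ALL.

    result = evaluate_list(acls[vrf_all], src_ip)
    if result is not None:
        return (result, vrf_all)
    return ("deny", vrf_all)             # implicit discard of the last list evaluated


# The access lists from the command example (steps 1 to 3).
EXAMPLE_ACLS: dict[str, list[Entry]] = {
    "REMOTE_VRFALL": [("deny", *ANY)],
    "REMOTE_GLOBAL": [("permit", "192.168.0.0", "0.0.0.255")],
    "REMOTE_VRF10": [("permit", "10.10.10.0", "0.0.0.255")],
}

# Step 4 of the command example: all three lists applied to line vty 0 2.
EXAMPLE_APPLIED = {"all": "REMOTE_VRFALL", "global": "REMOTE_GLOBAL", "10": "REMOTE_VRF10"}

# The same configuration without the VRF ALL list: VRF 20 is left unrestricted.
WITHOUT_VRF_ALL = {"global": "REMOTE_GLOBAL", "10": "REMOTE_VRF10"}

if __name__ == "__main__":
    for vrf, ip in [("global", "192.168.0.5"), ("global", "10.10.10.5"),
                    ("10", "10.10.10.5"), ("20", "10.10.10.5")]:
        print(f"VRF {vrf:6} from {ip:13} with VRF ALL: {decide_login(EXAMPLE_ACLS, EXAMPLE_APPLIED, vrf, ip)}"
              f"  without VRF ALL: {decide_login(EXAMPLE_ACLS, WITHOUT_VRF_ALL, vrf, ip)}")
```

Run as a script, the model shows the two points this section makes: with all three lists applied, a global-network source outside 192.168.0.0/24 is denied by REMOTE_VRFALL (not by the implicit discard of REMOTE_GLOBAL), and anything arriving from VRF 20 is denied by REMOTE_VRFALL; if the `vrf all` line is omitted, VRF 20 has no access list at all and login from it is not restricted.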