topic Re: SSH MGMT VRF / Line VTY in Network Access Control

SSH MGMT VRF / Line VTY

hermanwjacobsen — Fri, 21 Feb 2020 19:12:54 GMT

is it possible to restrict ssh into router to only MGMT vrf ?

under line vty x x , I only find the option VRF-ALSO, but that will allow all VRF and not a specific one or the deafult MGMT vrf

Re: SSH MGMT VRF / Line VTY

cmarva — Thu, 09 Jan 2020 15:48:51 GMT

for access to the device from a vrf other than the default vrf, and to do restrictions, you would define an acl to allow the IPs that you want to have access to the device, then define your access-class statement as such:

line vty 0 15

ip access-class BLAH in vrf-also

If I understand what you are asking, this should work for you.

Re: SSH MGMT VRF / Line VTY

Mike.Cifelli — Thu, 09 Jan 2020 16:00:43 GMT

@cmarva is right. A few other things you will need to ensure is that if using AAA server such as ISE for AAA features and you want to route that traffic over that vrf you will need to setup vrf forwarding under aaa server group. Also, ensure you have defined vrf routes in your vrf for management access.

Re: SSH MGMT VRF / Line VTY

hermanwjacobsen — Fri, 10 Jan 2020 10:16:15 GMT

I want to have the router only respond to SSH from OOB/MANAGEMENT interface.. and not all the other VRF/Interfaces

Re: SSH MGMT VRF / Line VTY

gurindersingh — Thu, 16 Nov 2023 11:48:31 GMT

you can also check if following command is there or not

#access-class BLAH in vrfname Mgmt-intf

or follow following doc

VRF Awareness Access Class Line (cisco.com)