SSH MGMT VRF / Line VTY

Is it possible to restrict SSH into the router to only the MGMT VRF?

Under line vty x x, I only find the option VRF-ALSO, but that will allow all VRFs and not a specific one or the default MGMT VRF.

Accepted Solutions
Participant

Re: SSH MGMT VRF / Line VTY

For access to the device from a VRF other than the default VRF, and to do restrictions, you would define an ACL to allow the IPs that you want to have access to the device, then define your access-class statement as such:

line vty 0 15
 ip access-class BLAH in vrf-also

If I understand what you are asking, this should work for you.


Re: SSH MGMT VRF / Line VTY

I want to have the router only respond to SSH from the OOB/MANAGEMENT interface, and not all the other VRFs/interfaces.

VIP Rising star

Re: SSH MGMT VRF / Line VTY

@cmarva is right. A few other things you will need to ensure: if you are using a AAA server such as ISE for AAA features and you want to route that traffic over that VRF, you will need to set up VRF forwarding under the AAA server group. Also, ensure you have defined VRF routes in your VRF for management access.
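
One way to check a saved running-config for the vty settings discussed in this thread (an inbound access-class, the vrf-also keyword, an ACL that is actually defined, SSH-only transport). This is an added example, not code from any poster; the sample config, the ACL names and the finding codes are constructed for illustration.

```python
import re

# Constructed IOS-style running-config excerpt; ACL names and addresses are placeholders.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-SSH
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-SSH in vrf-also
 transport input ssh
line vty 5 15
 access-class OLD-ACL in
 transport input telnet ssh
!
"""

def vty_blocks(config):
    """Map each 'line vty' range to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"line vty (\d+(?: \d+)?)\s*$", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any non-indented line closes the block
    return blocks

def audit_vty(config):
    """Return {vty range: [finding codes]}; an empty list means the block passed."""
    defined = set(re.findall(r"^(?:ip access-list \w+ |access-list )(\S+)", config, re.M))
    report = {}
    for vty, cmds in vty_blocks(config).items():
        found = []
        acl = next((m for m in (re.match(r"(?:ip )?access-class (\S+) in\b(.*)", c)
                                for c in cmds) if m), None)
        if acl is None:
            found.append("no-inbound-access-class")
        else:
            if acl.group(1) not in defined:
                found.append("undefined-acl:" + acl.group(1))
            if "vrf-also" not in acl.group(2).split():
                found.append("no-vrf-also")
        if "transport input ssh" not in cmds:
            found.append("transport-not-ssh-only")
        report[vty] = found
    return report
```

The ACL matches on source address only, so with vrf-also a permitted address is accepted from whichever VRF it arrives in; the permit entries are what keep access to the management network.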