01-09-2020 07:32 AM - edited 02-21-2020 11:12 AM
Is it possible to restrict SSH into the router to only the MGMT VRF?
Under line vty x x, I only find the option VRF-ALSO, but that will allow all VRFs and not a specific one or the default MGMT VRF.
01-09-2020 07:48 AM
For access to the device from a VRF other than the default VRF, and to do restrictions, you would define an ACL to allow the IPs that you want to have access to the device, then define your access-class statement as such:
line vty 0 15
ip access-class BLAH in vrf-also
If I understand what you are asking, this should work for you.
01-10-2020 02:16 AM
01-09-2020 08:00 AM
@cmarva is right. A few other things you will need to ensure: if you are using a AAA server such as ISE for AAA features and you want to route that traffic over that VRF, you will need to set up VRF forwarding under the AAA server group. Also, ensure you have defined VRF routes in your VRF for management access.
11-16-2023 03:47 AM - edited 11-16-2023 03:48 AM
You can also check whether the following command is there or not:
#access-class BLAH in vrfname Mgmt-intf
Or follow this doc:
VRF Awareness Access Class Line (cisco.com)
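
A small audit for the vty settings discussed in this thread, added here as an example and not posted by any participant: it parses an IOS-style configuration and reports, per line vty block, whether the access-class is scoped with vrf-also or with vrfname. The sample configuration, the audit_vty name and the pass criterion (access-class bound to the management VRF, SSH as the only transport) are assumptions.

```python
import re

# Constructed sample config (not from the thread); BLAH and Mgmt-intf are the thread's names.
SAMPLE_CONFIG = """\
line vty 0 4
 access-class BLAH in vrf-also
 transport input ssh
line vty 5 15
 access-class BLAH in vrfname Mgmt-intf
 transport input ssh
line vty 16 31
 transport input telnet ssh
!
"""

# Accepts both "access-class ..." and the "ip access-class ..." spelling used in the thread.
ACCESS_CLASS = re.compile(
    r"^(?:ip )?access-class (\S+) in(?: (vrf-also)| vrfname (\S+))?$")

def audit_vty(config, mgmt_vrf="Mgmt-intf"):
    """Return one finding dict per 'line vty' block in an IOS-style config."""
    findings, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = None
            if raw.startswith("line vty "):
                current = {"lines": raw[len("line vty "):].strip(), "acl": None,
                           "scope": "no access-class", "transport": None}
                findings.append(current)
            continue
        if current is None:
            continue
        if not raw.startswith(" "):  # an unindented line ends the line sub-mode
            current = None
            continue
        cmd = raw.strip()
        m = ACCESS_CLASS.match(cmd)
        if m:
            current["acl"] = m.group(1)
            current["scope"] = ("any VRF (vrf-also)" if m.group(2)
                                else "vrf " + m.group(3) if m.group(3)
                                else "no VRF keyword")
        elif cmd.startswith("transport input "):
            current["transport"] = cmd.split()[2:]
    for f in findings:  # assumed pass criterion: mgmt VRF only, SSH only
        f["ok"] = f["scope"] == "vrf " + mgmt_vrf and f["transport"] == ["ssh"]
    return findings

if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running configuration; any block whose ok field is False either has no access-class, uses vrf-also, or permits a transport other than SSH.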