2262 Views, 5 Helpful, 4 Replies

SSH MGMT VRF / Line VTY

hermanwjacobsen
Level 1

Is it possible to restrict SSH into the router to only the MGMT VRF?

Under line vty x x, I only find the option vrf-also, but that will allow all VRFs and not a specific one or the default MGMT VRF.

Accepted Solution

cmarva
Level 4

For access to the device from a VRF other than the default VRF, and to apply restrictions, you would define an ACL permitting the IPs that you want to have access to the device, then define your access-class statement as such:

line vty 0 15
 access-class BLAH in vrf-also

If I understand what you are asking, this should work for you.


4 Replies


I want the router to respond to SSH only from the OOB/MANAGEMENT interface, and not all the other VRFs/interfaces.

Mike.Cifelli
VIP Alumni

@cmarva is right. A few other things to ensure: if you are using an AAA server such as ISE for AAA features and want to route that traffic over that VRF, you will need to set up vrf forwarding under the aaa server group. Also, ensure you have defined VRF routes in your VRF for management access.

gurindersingh
Level 1

You can also check whether the following command is available or not:

#access-class BLAH in vrfname Mgmt-intf

or follow the following doc:

VRF Awareness Access Class Line (cisco.com)
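The thread describes three shapes of the access-class line and what each one exposes: a plain "access-class ACL in" (sessions from the global table only, filtered by the ACL), "in vrf-also" (sessions from any VRF, filtered by the ACL) and "in vrfname Mgmt-intf" (sessions from that one VRF only). The script below is an added example, not part of the thread and not Cisco's code: it is a small compliance check that reads a running-config, finds the line vty stanzas and reports which of those three states each one is in, so you can verify after a change that only the management VRF is reachable. The config text, the hostname, the ACL name MGMT-HOSTS and the addresses are constructed for the example; "Mgmt-intf" is the VRF name used in the reply above. The scope descriptions follow the IOS behaviour discussed in the thread (no vrf-also means only default-VRF sessions reach the VTY), and the parser assumes IOS-style one-space indentation of sub-commands.

```python
"""Audit the VTY access-class / VRF settings in a Cisco IOS running-config.

Hypothetical helper (not from the thread or from Cisco). It maps the three
forms discussed above to the session scope they allow:
  access-class ACL in                  -> default VRF only, filtered by ACL
  access-class ACL in vrf-also         -> any VRF, filtered by ACL
  access-class ACL in vrfname <vrf>    -> that VRF only, filtered by ACL
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname lab-router
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
line vty 5 15
 access-class MGMT-HOSTS in vrfname Mgmt-intf
 transport input ssh
"""

ACCESS_CLASS_RE = re.compile(r"access-class (\S+) in(?: (vrf-also)| vrfname (\S+))?$")
TRANSPORT_RE = re.compile(r"transport input (.+)$")
LINE_VTY_RE = re.compile(r"line vty (\d+(?: \d+)?)$")


@dataclass
class VtyStanza:
    line_range: str                    # e.g. "0 4"
    acl: Optional[str] = None          # ACL name from access-class, if any
    acl_mode: Optional[str] = None     # None, "vrf-also" or "vrfname"
    vrf: Optional[str] = None          # VRF name when acl_mode == "vrfname"
    transport_input: Optional[str] = None


def parse_vty_stanzas(config: str) -> List[VtyStanza]:
    """Collect every 'line vty' stanza with its access-class and transport input."""
    stanzas: List[VtyStanza] = []
    current: Optional[VtyStanza] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level command: start a new stanza only for 'line vty ...'.
            m = LINE_VTY_RE.match(raw.strip())
            current = VtyStanza(m.group(1)) if m else None
            if current is not None:
                stanzas.append(current)
            continue
        if current is None:
            continue                   # indented sub-command of some other block
        cmd = raw.strip()
        m = ACCESS_CLASS_RE.match(cmd)
        if m:
            current.acl = m.group(1)
            if m.group(2):
                current.acl_mode = "vrf-also"
            elif m.group(3):
                current.acl_mode, current.vrf = "vrfname", m.group(3)
            continue
        m = TRANSPORT_RE.match(cmd)
        if m:
            current.transport_input = m.group(1).strip()
    return stanzas


def describe(stanza: VtyStanza) -> str:
    """Human-readable statement of where sessions to this stanza may come from."""
    if stanza.acl is None:
        scope = "default VRF only, no ACL"
    elif stanza.acl_mode is None:
        scope = f"default VRF only, filtered by ACL {stanza.acl}"
    elif stanza.acl_mode == "vrf-also":
        scope = f"any VRF, filtered by ACL {stanza.acl}"
    else:
        scope = f"VRF {stanza.vrf} only, filtered by ACL {stanza.acl}"
    return f"{scope}; transport input {stanza.transport_input or 'unset'}"


def audit(config: str, mgmt_vrf: str) -> Dict[str, Tuple[str, bool]]:
    """Return {line range: (description, compliant)}. A stanza is compliant when
    sessions are limited to mgmt_vrf, filtered by an ACL, and SSH is the only
    transport."""
    report: Dict[str, Tuple[str, bool]] = {}
    for s in parse_vty_stanzas(config):
        compliant = (s.acl_mode == "vrfname" and s.vrf == mgmt_vrf
                     and s.transport_input == "ssh")
        report[s.line_range] = (describe(s), compliant)
    return report


if __name__ == "__main__":
    for line_range, (text, ok) in audit(SAMPLE_CONFIG, "Mgmt-intf").items():
        print(f"line vty {line_range}: {text} -> {'OK' if ok else 'REVIEW'}")
```

Run against a saved "show running-config" output, the script flags the vrf-also stanza for review (it still accepts sessions from every VRF that can reach the ACL-permitted addresses) and passes the vrfname stanza, which is the state the original question was after.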