Showing results for 
Search instead for 
Did you mean: 

How to restict management to work over the Gigabit0 Management interface ASR 1001-X

Shlomy Maron
Cisco Employee
Cisco Employee

I have ASR 1001-X, I've upgraded it to 03.16.04b.S

the command "control-plane host" doesn't exist anymore.

is there a way to restrict the management access to work via Gigabit0 without using ACL on the other interfaces ?

3 Replies 3

Paul Chapman
Level 4
Level 4

Hi Shlomy -

Set an access-class on your VTY lines.  The "vrf-also" parameter will allow you to apply the ACL to all VRFs (including the management VRF).

ip access-list extended ACL-VTY
permit tcp any host <mgmt ip> eq 22
deny ip any any
line vty 0 15
access-class ACL-VTY vrf-also


Hi Paul,

I think you got my question wrong.

I'd like to block telnet/snmp/ssh to the router via all physical interfaces except the management interface.

the old version had the command control-plane host which allowed you to decide which interface is allowed to do it.

yet - it does not appear in th version 3.16.4b.

any suggestions ?

Hi -

I'm still running 3.16.3 and I see the command.  Since there are no release notes (that I can find) for 3.16.4 (a or b) which document a command change, I would consider this a bug. Open a TAC case and see if they can put it back in 3.16.5 or at least document a proper workaround.


Review Cisco Networking for a $25 gift card