accessing a switch via ssh from many ip addresses

afsharki2
Level 1

Hello, our core switch has all routed links connecting to it. It seems that every time I open a PuTTY session and enter the IP address of any of those routed links, I can access the switch. I would like to only access the switch from the management IP/network. How can I restrict this in different ways? Is an ACL the only way? Does anyone have any other methods or ideas?

 

Thanks in advance


Hi

Could you please provide more details about routed links? Are you using layer 3 switches? You could use loopbacks and advertise them to manage the devices. 

Usually you can create an ACL and apply it to the virtual terminal lines in order to allow access only from specific devices. You could also combine that with TACACS+, RADIUS or ACS devices.




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Sorry, yes, this is an MLS switch running OSPF.

 

Here is what the routed link from our distribution switch to the core switch looks like. I executed this command on the core switch:

 

#Core1

interface Port-channel100
 description Routed Link to distribution switch
 ip address 17.12.0.38 255.255.255.252
 ip pim dr-priority 100
 ip pim sparse-dense-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
 logging event link-status
 storm-control broadcast level 5.00
 storm-control action trap

 

All the routed links are configured the exact same way. If I were to enter 17.12.0.38 in PuTTY, it would take me to the core switch login prompt. I would like to only access it from the management VRF IP address.

Hi

If you want to reach the device through an IP other than the routed interface's IP, you can create a loopback on each device, for example:

 

No VRF:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255

router ospf 1
 network 10.0.0.1 0.0.0.0 area 0

With VRF:

interface Loopback0
 ip vrf forwarding VRF-NAME
 ip address 10.0.0.1 255.255.255.255

router ospf 1 vrf VRF-NAME
 network 10.0.0.1 0.0.0.0 area 0

This IP 10.0.0.1 must be advertised to the other OSPF neighbors to be reachable.

 

 





I am not clear what your requirement is. You have told us this: "I would like to only access the switch from the management ip/network". When you say from the management network, do you mean that the request comes from the management network (source address is in the management network), or do you mean that the request goes to the management IP (destination address is the management address)?

 

The former is easy to accomplish using access-class assigned to the vty ports. The latter is much more challenging. You would need something like Control Plane Policing to accomplish this.

 

HTH

 

Rick


It's unfortunately the latter. I remember reading about Control Plane Policing a long time ago, now that you mention it. Yes, that is difficult. So it seems that an ACL is the only feasible option. My co-worker mentioned that Control Plane Policing isn't actually even supported on the image we're using.

Wouldn't we need to advertise the routed links into OSPF also? Sorry, really rusty there.

Hi

If they are connecting to another layer 3 device, you should advertise the routed links into OSPF in order to be able to forward packets.

In order to manage a layer 3 device, you can use the routed link IP configured on the device or a loopback advertised by a routing protocol. To restrict access to specific IP addresses you can use ACLs, as recommended previously.





As I stated previously, controlling remote access by controlling the source address is easy to accomplish using access-class and an access list. But controlling remote access by controlling the destination address is quite challenging. The best way to do this is with Control Plane Policing. But I wondered as I wrote my suggestion whether this feature would be supported on your switch. Sorry that it looks like it is not supported.

 

There is one other alternative that you can consider. I hesitate to suggest it because it is complicated and somewhat error prone. But if implemented carefully and correctly it should work. The suggestion involves assigning an access list on every layer 3 interface of the switch. What makes it complicated is that you have multiple layer 3 interfaces on which an SSH request might be received. The access list on each interface needs to deny any SSH request whose destination address is any of your layer 3 addresses other than your management IP. The access list then needs to permit any SSH request whose destination is your management IP. And the access list needs to permit any SSH request whose destination is not one of your switch IP addresses. It is ugly, but it should work. It reminds me a bit of some of the scenarios I worked out while preparing for the CCIE lab.

 

HTH

 

Rick

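Both of Rick's options above (the source-based access-class on the vty lines, and the destination-based extended ACL applied inbound on every layer 3 interface) are easy to get wrong by hand, especially the second one where every link address must be enumerated. The following is an added example, not code from the thread or from Cisco: a small Python generator that emits the IOS configuration for both approaches from a list of addresses, plus a first-match evaluator so the generated extended ACL can be checked offline before it goes on a core switch. The management address 10.0.0.1, the management network 10.10.10.0/24 and the extra link addresses 17.12.0.42 and 17.12.0.46 are assumptions for the example; only 17.12.0.38/30 appears in the original post.

```python
"""Generate and sanity-check the two SSH-restriction ACLs discussed in the thread.

Approach 1: standard ACL + `access-class ... in` on the vty lines (filters by SOURCE).
Approach 2: extended ACL applied `ip access-group ... in` on every L3 interface,
            denying TCP/22 to the switch's own link addresses and permitting it only
            to the management address (filters by DESTINATION).
"""
import ipaddress

# Assumed values for this example (not from the original post except 17.12.0.38).
MGMT_IP = ipaddress.ip_address("10.0.0.1")          # management loopback, the only SSH target
MGMT_NET = ipaddress.ip_network("10.10.10.0/24")    # network that is allowed to originate SSH
SWITCH_L3_IPS = [ipaddress.ip_address(a)
                 for a in ("17.12.0.38", "17.12.0.42", "17.12.0.46")]  # routed-link addresses


def vty_access_class_config(mgmt_net, acl_number=10):
    """Approach 1: only hosts in mgmt_net may open a vty session (SSH only)."""
    lines = [
        f"access-list {acl_number} remark SSH management sources only",
        # IOS standard ACLs take a wildcard mask, i.e. the inverse of the netmask
        f"access-list {acl_number} permit {mgmt_net.network_address} {mgmt_net.hostmask}",
        f"access-list {acl_number} deny any log",
        "line vty 0 15",
        " transport input ssh",
        f" access-class {acl_number} in",
    ]
    return "\n".join(lines)


def interface_acl_rules(mgmt_ip, switch_ips):
    """Ordered (action, destination) pairs for TCP/22; destination None means 'any'."""
    rules = [("permit", mgmt_ip)]                       # SSH to the management address
    rules += [("deny", ip) for ip in switch_ips if ip != mgmt_ip]  # SSH to any other own address
    rules.append(("permit", None))                      # transit SSH to hosts behind the switch
    return rules


def interface_acl_config(mgmt_ip, switch_ips, name="NO-SSH-TO-LINK-IPS"):
    """Approach 2: the extended ACL to apply inbound on EVERY L3 interface and SVI."""
    lines = [f"ip access-list extended {name}"]
    for action, dst in interface_acl_rules(mgmt_ip, switch_ips):
        dst_txt = f"host {dst}" if dst is not None else "any"
        log = " log" if action == "deny" else ""
        lines.append(f" {action} tcp any {dst_txt} eq 22{log}")
    # Everything that is not SSH (OSPF, PIM, user traffic) must keep flowing unchanged.
    lines.append(" permit ip any any")
    lines.append(f"! apply on each routed interface:  ip access-group {name} in")
    return "\n".join(lines)


def ssh_allowed(dst_ip, mgmt_ip, switch_ips):
    """First-match evaluation of the extended ACL for a TCP/22 packet to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    for action, rule_dst in interface_acl_rules(mgmt_ip, switch_ips):
        if rule_dst is None or rule_dst == dst:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    print(vty_access_class_config(MGMT_NET))
    print()
    print(interface_acl_config(MGMT_IP, SWITCH_L3_IPS))
```

Note the operational caveat the generator makes explicit: approach 2 only works if the ACL is applied on every layer 3 interface, and the deny list must be regenerated every time a routed link is added, which is why the vty access-class (approach 1) remains the simpler control whenever restricting by source is acceptable.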

Thank you both for the great responses.

You are quite welcome. I am glad that our responses have been helpful. I hope to see you continue to be active in the forum.

 

HTH

 

Rick
