Restrict HTTPS access to a single VRF in IOS-XE

ewaizel
Level 1

Hi everybody

We are segmenting our networks based on Cat9500 & Cat9600 as the L3 core. We only want management flows to be served by the management VRF and its associated L3 interfaces.

The question is about how to do this for HTTPS access.

For the SSH case, this is a very elegant way to do this:

line vty 0 4
access-class CLI_Access in vrfname mgmt

I cannot find something like this for HTTPS. There is no mention in the manuals about adding a VRF into the 'ip http' section.

Yes, we can apply ACLs for http access, but these are not extended ones. We cannot specify a single destination address (to match the one in the management VRF). Only basic standard ACLs are allowed into this:

ip http access-class ipv4 HTTPS_Access

I can also apply an ACL and access-group for the actual interfaces facing "insecure" VRFs. I simply don't like this solution.

Can you comment if you had this requirement and how you solved it?

Thanks in advance

Enrique
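The two mechanisms the post compares, written out as a complete IOS-XE configuration fragment. This is an added example, not configuration from the original post: the ACL names HTTPS_Access and CLI_Access and the VRF name mgmt are taken from the post, while the addresses, the USERS VRF, and the interface names are constructed placeholders. It shows the standard (source-only) ACL the HTTP server accepts, the vty access-class with vrfname, and the interface-level extended ACL the post mentions as the fallback for interfaces facing non-management VRFs.

```cisco
! Added example, not from the original post. Addresses, the USERS VRF and
! interface names are constructed placeholders; HTTPS_Access, CLI_Access
! and mgmt come from the post.
!
! Standard ACL: the only kind 'ip http access-class' accepts, so it can
! match management sources but not a destination address or VRF.
ip access-list standard HTTPS_Access
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
ip access-list standard CLI_Access
 permit 10.10.0.0 0.0.0.255
!
! HTTPS only, filtered by source address.
no ip http server
ip http secure-server
ip http access-class ipv4 HTTPS_Access
!
! SSH: same ACL idea, but here the VRF can be named directly.
line vty 0 4
 access-class CLI_Access in vrfname mgmt
 transport input ssh
!
! Fallback from the post: an extended ACL inbound on an interface that
! faces a non-management VRF, denying TCP/443 to that interface's own
! address (constructed 10.20.0.1) so the web server is not reachable
! from that segment. Transit traffic is left untouched.
ip access-list extended DENY_HTTPS_TO_SELF
 deny   tcp any host 10.20.0.1 eq 443 log
 permit ip any any
!
interface Vlan20
 vrf forwarding USERS
 ip address 10.20.0.1 255.255.255.0
 ip access-group DENY_HTTPS_TO_SELF in
```

After applying it, 'show ip http server status' confirms the secure server and its access class, and 'show access-lists' shows hit counters on the deny entries, which is the quickest way to see whether HTTPS attempts from a non-management VRF are actually being dropped. The interface ACL has to be repeated on every interface that faces a non-management VRF, which is exactly the maintenance burden the post objects to.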

1 Reply

But if you specify the source interface as management, and since management is run under a VRF, then by default HTTP access is via the management VRF.