Posted on June 22, 2016 12:26 am
 |  Asked by David
Print Friendly, PDF & Email

Hi all, I’m attempting to lock all management protocols down to a management VRF.  This is on the 7280 platform, running 4.15.6M-3137476.4156M

My management interface is actually a VLAN interface, not a physical interface.  To accomplish that:


management ssh
idle-timeout 30
vrf MGMT


and of course:


interface Vlan50
vrf forwarding MGMT
ip address

However, there are other VLAN interfaces on this device, and they’re still accepting ssh connections:


interface Vlan16
ip address
ip virtual-router address


In that example, I can still SSH in to the address, even though it’s not in the MGMT vrf.

I did a full reload, no change.  Did I miss a step?  Or is management vrf only supported on physical ports?  I’d prefer to avoid plugging the switch back into itself just to accomplish a management vrf since it would waste a 10gig port.


Posted by Vikram
Answered on June 22, 2016 12:44 am

Hi David,

You would have to disable ssh for the default VRF under ”management ssh”.


switch#conf t
switch(config)#management ssh
switch(config-mgmt-ssh)#vrf MGMT
switch(config-mgmt-ssh-vrf-MGMT)#no shut
switch(config-mgmt-ssh)#sh active
management ssh
   vrf MGMT
      no shutdown
switch#show management ssh
SSHD status for Default VRF is disabled
switch#show management ssh vrf MGMT
SSHD status for VRF MGMT is enabled

After the above you would only be able to ssh to interfaces that are in the vrf named ”MGMT”.

Please do let us know if the above meets your requirements. Thx

On a separate note just out of curiosity could you please advise why you are not using the built-in dedicated Management interface on the device? Is it because you are using this as a stand-alone switch that provides connectivity to the rest of your infrastructure including mgmt connectivity to other devices? Thx

And in case the built-in dedicated Management interface is used (no vrfs) -- how can I disable SSH on VLAN interfaces? Thank you.
(Teddy Brewski at March 14, 2020 1:40 pm)
Posted by David
Answered on June 22, 2016 1:40 am

That worked perfectly thanks!

Correct on the reasoning.  This device is the vlan root and handling layer 3 for the management vlan.

Post your Answer

You must be logged in to post an answer.