Security - accessing VTY from another VRF

When configuring management connectivity on a Cisco device, you can filter incoming connections by applying an access-class to the VTY lines of that device.

By default, incoming Telnet or SSH connections from interfaces that are part of a VRF instance other than the default instance are rejected. To allow incoming connections on the VTY line from a different VRF, the vrf-also keyword must be applied after the access-class.

If you have VRFs configured on your device and want to access the VTY management interface via an interface in another VRF, apply the keyword like so:

Router(config-line)# access-class 1 in vrf-also

Starting from IOS XE 16.8.1, VRF awareness has been added to the access-class line feature using the vrfname keyword. Specifically, you can do the following:

Device(config)# line vty 0 4
Device(config-line)# ipv6 access-class acl-name in vrfname vfrA

Note that you cannot use both VRF awareness and vrf-also on the same VTY line, as they are mutually exclusive commands.
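To check these rules across a saved configuration, the following added example (not Cisco tooling and not part of the original page) reads the "line vty" blocks and reports how each one is filtered. The sample configuration and the finding codes are constructed for illustration, and the parser assumes the usual running-config layout where subcommands are indented under the "line vty" header.

```python
import re
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
line con 0
line vty 0 4
 access-class 1 in vrf-also
 transport input ssh
line vty 5 9
 ipv6 access-class acl-name in vrfname vfrA
line vty 10 15
 transport input ssh
line vty 16 20
 access-class 1 in vrf-also
 ipv6 access-class acl-name in vrfname vfrA
"""

# Inbound access-class: plain, with vrf-also, or with vrfname <name>.
ACL_RE = re.compile(r"^(?:ipv6 )?access-class \S+ in(?: (vrf-also)| vrfname (\S+))?$")

def audit_vty(config):
    """Map each 'line vty' header to one finding code (codes are illustrative)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # an unindented line starts a new top-level block
            current = raw.strip() if raw.startswith("line vty ") else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(raw.strip())
    report = {}
    for header, lines in blocks.items():
        matches = [m for m in map(ACL_RE.match, lines) if m]
        vrf_also = any(m.group(1) for m in matches)
        vrfnames = sorted({m.group(2) for m in matches if m.group(2)})
        if not matches:
            report[header] = "NO_INBOUND_ACL"  # VTY is not filtered at all
        elif vrf_also and vrfnames:
            report[header] = "CONFLICT_VRF_ALSO_AND_VRFNAME"  # mutually exclusive
        elif vrf_also:
            report[header] = "VRF_ALSO"  # connections from other VRFs accepted
        elif vrfnames:
            report[header] = "VRFNAME:" + ",".join(vrfnames)
        else:
            report[header] = "DEFAULT_VRF_ONLY"  # other VRFs rejected by default
    return report

if __name__ == "__main__":
    print(audit_vty(SAMPLE_CONFIG))
```

A block reported as NO_INBOUND_ACL has no access-class filtering on its VTY lines, and a CONFLICT result marks a template that combines the two mutually exclusive keywords.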