Security - accessing VTY from another VRF
When configuring management connectivity on a particular Cisco device, you can be filtered by creating an access-class on the VTY lines of that device.
By default incoming Telnet or SSH connections from interfaces that are part of a VRF instance other than the default instance are rejected. In order to allow incoming connections on the VTY line from a different VRF, the
vrf-also keyword must be applied after the access-class.
If you have VRFs configured on your device, then for you to access the VTY management interface via an interface in another VRF, you must apply the keyword like so:
Router(config-line)# access-class 1 in vrf-also
Starting from IOS XE 16.8.1 VRF awareness has been added to the access class line feature using the
vrfname keyword. Specifically, you can do the following:
Device(config)# line vty 0 4 Device(config-line)# ipv6 access-class acl-name in vrfname vfrA
Note that you cannot use both VRF awareness and
vrf-also on the same VTY line, as they are mutually exclusive commands.