Cisco Support Community
New Member

Limit Control Plane Access Of PE Router

Hi Folks,

I have an interface in vrf London. I am able to access this interface FastEthernet0/1 of the PE from the CPE. How do I prevent PE access from all the interfaces connected to the CPE?

ip vrf London
 rd 200:200
 route-target export 200:200
 route-target import 200:200

interface FastEthernet0/1
 ip vrf forwarding London
 ip address
 duplex auto
 speed auto
 no cdp enable



Cisco Employee

Re: Limit Control Plane Access Of PE Router

Hello Ranjeet,

One of the ways to limit control plane access to your PE is to define an ACL and simply use it on your VTY lines. Using an ACL on VTYs will automatically prevent control plane access from VRFs even if the ACL itself permitted the source IPs. So even this configuration would work for you:

ip access-list standard VTY
 permit any

line vty 0 15
 access-class VTY in

If you actually wanted to allow access from VRFs as well based on the source IP, you would need the vrf-also keyword in the access-class command - this discussion was focused on its usage:

In addition, you can also define a selected subset of interfaces through which the control/management plane traffic is allowed. An example is probably easier to read than a lengthy explanation:

control-plane host
 management-interface FastEthernet0/0 allow ssh snmp telnet

Using this approach, the management traffic has to enter only through the defined set of management interfaces, otherwise it will be dropped. You can define multiple interfaces in the control-plane host section.

Best regards,
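
A small audit of the two controls described in this answer, added here as an example and not part of the original post or any Cisco tooling: it checks each line vty block for an inbound access-class (noting vrf-also) and checks that control-plane host names at least one management interface. The function names and the sample running-config are constructed for illustration, and the parser assumes the usual IOS layout where sub-commands are indented under their block header.

```python
import re

# Constructed sample running-config (not from the thread); the ACL name and
# interface name mirror the ones used in the answer above.
SAMPLE = """\
ip access-list standard VTY
 permit any
!
line vty 0 4
 access-class VTY in
line vty 5 15
 transport input ssh
!
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp telnet
"""

def sections(config):
    """Yield (header, [child lines]) for each top-level IOS config block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":               # unindented line starts a new block
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, body

def audit(config):
    """Return findings about VTY and management-interface restrictions."""
    findings, mgmt_ifaces = [], []
    for header, body in sections(config):
        if header.startswith("line vty"):
            acl = [re.match(r"access-class (\S+) in( vrf-also)?$", l) for l in body]
            acl = [m for m in acl if m]
            if not acl:
                findings.append(f"{header}: no inbound access-class")
            elif acl[0].group(2):
                findings.append(f"{header}: vrf-also set, VRF sources allowed by ACL {acl[0].group(1)}")
        elif header == "control-plane host":
            mgmt_ifaces += [l.split()[1] for l in body if l.startswith("management-interface ")]
    if not mgmt_ifaces:
        findings.append("control-plane host: no management-interface defined")
    return findings
```

Calling audit(SAMPLE) reports the second VTY range, which has no access-class and so is not covered by the ACL applied to lines 0 4.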


New Member

Limit Control Plane Access Of PE Router

Hi Peter,

Thanks for the suggestions. I will put the configuration on my router today and report the results here.



Bangalore, India
