What's the best way to restrict access to the management interfaces to only a certain VLAN or a certain subnet?
I saw authorized-manager in the CLI but can't see if it's an exclusive restriction once you set it, or how it works… Can I just put a subnet and the VLAN for all the various services, and that's it, it won't be accessible via any other IPs/VLANs?
We can use the authorized-manager command to restrict access to the management interfaces; we can also choose which services are allowed or restricted:
TX2028RFP-EC5EC0# conf t
TX2028RFP-EC5EC0(config)# authorized-manager ?
ip-source IP source related configuration
TX2028RFP-EC5EC0(config)# authorized-manager ip-source ?
<ip_addr> Network or host IP address
TX2028RFP-EC5EC0(config)# authorized-manager ip-source 10.2.109.0 ?
/ CIDR notation
<CR> Configures an IP authorized manager
<ip_mask> Subnet mask for the IP address
interface Interface related configuration
mgmt0 Out of Band management interface
service Service type related configuration
vlan VLAN interface
Example for VLAN 100, port gi 0/4, subnet 100.0.0.0 / 24:
TX2028RFP-EC5EC0(config)# authorized-manager ip-source 100.0.0.0 / 24 interface gi 0/4 vlan 100 service https ssh ?
<CR> Configures an IP authorized manager
http HTTP service
snmp SNMP service
telnet Telnet service
TX2028RFP-EC5EC0(config)# authorized-manager ip-source 100.0.0.0 / 24 interface gi 0/4 vlan 100 service https ssh
TX2028RFP-EC5EC0(config)#
TX2028RFP-EC5EC0(config)# do show authorized-managers
Ip Authorized Manager Table
---------------------------
Ip Address : 100.0.0.0
Ip Mask : 255.255.255.0
Services allowed : HTTPS, SSH
Ports allowed : Gi0/4
On mgmt0 : Deny
Vlans allowed : 100
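As an added example (not code from the original thread or from the switch vendor), the following Python helper parses the `show authorized-managers` table printed in the answer above and evaluates whether a given source IP, ingress port, VLAN and service combination would be accepted, then renders an entry back into the CLI form used above. It assumes the table acts as an allow-list, i.e. any session matched by no entry is denied; that is the behaviour the question asks about and the `On mgmt0 : Deny` line suggests, but the thread does not state it outright. The second table entry and the `Allow` value for `On mgmt0` are constructed here for the sample, not taken from the page.

```python
"""Audit helper for an ISS-style `authorized-manager` table.

Added example. Assumption: once at least one authorized manager exists the
table is an allow-list; a management session is accepted only if some entry
matches its source address, the requested service and the ingress path.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input. The first entry is the table shown in the post;
# the second entry (and the "Allow" value for mgmt0) is made up here to
# exercise out-of-band access and a second VLAN.
SAMPLE_SHOW_OUTPUT = """\
Ip Authorized Manager Table
---------------------------
Ip Address : 100.0.0.0
Ip Mask : 255.255.255.0
Services allowed : HTTPS, SSH
Ports allowed : Gi0/4
On mgmt0 : Deny
Vlans allowed : 100
Ip Address : 10.2.109.5
Ip Mask : 255.255.255.255
Services allowed : SNMP
Ports allowed : Gi0/1
On mgmt0 : Allow
Vlans allowed : 200
"""

FIELD_RE = re.compile(
    r"^(Ip Address|Ip Mask|Services allowed|Ports allowed|On mgmt0|Vlans allowed)\s*:\s*(.*?)\s*$"
)


@dataclass(frozen=True)
class ManagerEntry:
    network: ipaddress.IPv4Network
    services: frozenset  # lower-case service names, e.g. {"https", "ssh"}
    ports: frozenset     # normalised port names, e.g. {"gi0/4"}
    vlans: frozenset     # VLAN IDs as ints
    mgmt0_allowed: bool


def _norm_port(name: str) -> str:
    # "Gi0/4" (show output) and "gi 0/4" (CLI argument) name the same port.
    return name.lower().replace(" ", "")


def _split(value: str) -> list:
    return [v.strip() for v in value.split(",") if v.strip()]


def _build(fields: dict) -> ManagerEntry:
    network = ipaddress.IPv4Network((fields["Ip Address"], fields["Ip Mask"]), strict=False)
    return ManagerEntry(
        network=network,
        services=frozenset(s.lower() for s in _split(fields["Services allowed"])),
        ports=frozenset(_norm_port(p) for p in _split(fields["Ports allowed"])),
        vlans=frozenset(int(v) for v in _split(fields["Vlans allowed"])),
        mgmt0_allowed=fields["On mgmt0"].lower() == "allow",
    )


def parse_authorized_managers(text: str) -> list:
    """Parse `show authorized-managers` output; a new 'Ip Address' starts an entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Ip Address" and cur:
            entries.append(_build(cur))
            cur = {}
        cur[key] = value
    if cur:
        entries.append(_build(cur))
    return entries


def is_manager_allowed(entries, src_ip, service, *, vlan=None, port=None, via_mgmt0=False) -> bool:
    """Allow-list decision: in-band sessions need a matching port and VLAN,
    out-of-band sessions are judged by the entry's mgmt0 flag alone."""
    ip = ipaddress.ip_address(src_ip)
    svc = service.lower()
    for e in entries:
        if ip not in e.network or svc not in e.services:
            continue
        if via_mgmt0:
            if e.mgmt0_allowed:
                return True
            continue
        if port is None or vlan is None:
            raise ValueError("in-band check needs both port and vlan")
        if _norm_port(port) in e.ports and vlan in e.vlans:
            return True
    return False  # matched by no entry: denied under the allow-list assumption


def to_cli(entry: ManagerEntry) -> str:
    """Render an entry in the in-band CLI form shown in the post. The mgmt0
    keyword's arguments are not shown on the page, so it is not emitted."""
    prefix = f"{entry.network.network_address} / {entry.network.prefixlen}"
    ports = " ".join(re.sub(r"^([a-z]+)", r"\1 ", p) for p in sorted(entry.ports))
    vlans = " ".join(str(v) for v in sorted(entry.vlans))
    services = " ".join(sorted(entry.services))
    return f"authorized-manager ip-source {prefix} interface {ports} vlan {vlans} service {services}"


if __name__ == "__main__":
    table = parse_authorized_managers(SAMPLE_SHOW_OUTPUT)
    for e in table:
        print(to_cli(e))
    print(is_manager_allowed(table, "100.0.0.7", "ssh", vlan=100, port="gi 0/4"))
    print(is_manager_allowed(table, "100.0.0.7", "ssh", vlan=200, port="gi 0/4"))
```

Paste the real `show authorized-managers` output in place of the constructed sample to check, before relying on it, that every address you manage from (including the out-of-band path) is still covered and that no entry is wider than intended.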
Never mind, got it working. Thanks