Create a management interface on a Cisco device (when no out of band management port is available). Can also be created on a VLAN. This has been required when the only way we could manage a device was within a separate VLAN. This gets around having to use ACLs in place to block traffic.
Note: When adding the VRF to the network interface, it will loose the IP address already assigned, you will need to had this back in using an alternative method.
Here is an example creating a management on sub interface Ethernet0.30 (IP address: 10.60.0.10), note at the end we allow access to the VRF for management
vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! interface Ethernet10.30 description Management encapsulation dot1Q 30 vrf forwarding Mgmt-intf ip address 10.60.0.10 255.255.255.0 access-list 11 remark --restrict telnet access-- access-list 11 permit 10.60.0.0 0.0.0.255 line vty 0 4 access-class 11 in vrf-also transport input all