Cisco Nexus 3000 ssh access

I have a Cisco Nexus 3172T in a small environment running System version: 6.0(2)U3(1). I am using a VLAN for management access, i.e. vlan100 is on every device and is used for SNMP/SSH access. On the same switch I have one non-switchport (routed) port (eth1/6 in this case) connecting to a remote datacenter. I am able to SNMP poll and ping the vlan100 interface on the switch from everywhere, and I am able to SSH in while I am connected on any of the VLANs that are known to the switch. My problem comes when trying to access (SSH) the switch from the remote datacenter location (SNMP/ping also works from the remote location). The only way to SSH into the switch from the remote location is to SSH in on the routed port (i.e. eth 1/6).
I am not using the dedicated management port on the switch (nor do I have any plans to in the future). I am also running a very plain config: a few switchports, one routed port, and the default control-plane policy (which is only policy pps). There are the ACLs on the VTY.
Am I running into a known bug, or is there some configuration requirement to allow this?
thanks
dragan

It's not in a VRF or anything like that, is it?
Also, have you tried setting the SSH source interface to be vlan 100?
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/6x/b_Cisco_n3k_Security_Config_6x/b_Cisco_n3k_Security_Config_6x_chapter_0110.html#task_4AFC76AF5CD04C728EF30CB15EAE2655

Similar Messages

  • Cisco Nexus 5K + Microsoft Radius for Admin Authentication

    Hi,
    I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
    I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
    The commands I have used on the 3750 are as follows:
    aaa new-model
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    radius-server host x.x.x.x key SECRETE
    line con 0
    exec-timeout 5 0
    authorization exec conlogin
    logging synchronous
    login authentication conlogin
    line vty 0 4
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    Hi,
    So you have the N7k acting as L3 with servers connected to the 4510?
    Do you see the MAC associated with the failing ARP in the 4510? Is it happening with all or a few servers? Just to verify whether it is a connectivity issue between the N7k and the 4510, you can configure an SVI on the 4510, assign an address from the same range (server/core range) and perform a ping.
    This will help narrow down whether the issue is between the server and the 4510 or between the 4510 and the N7k.
    Thanks,
    Nagendra

  • Ask the Expert: Configuration, Design, and Troubleshooting of Cisco Nexus 1000

    With Louis Watta
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about design, configuration, and troubleshooting of Cisco Nexus 1000V Series Switches operating inside VMware ESXi and Hyper-V with Cisco expert Louis Watta. Cisco Nexus 1000V Series Switches deliver highly secure, multitenant services by adding virtualization intelligence to the data center network. With Cisco Nexus 1000V Series Switches, you can have a consistent networking feature set and provisioning process all the way from the virtual machine access layer to the core of the data center network infrastructure.
    This is a continuation of the live Webcast.
    Louis Watta is a technical leader in the services organization for Cisco. Watta's primary background is in data center technologies: servers (UNIX, Windows, Linux), switches (MDS, Brocade), storage arrays (EMC, NetApp, HP), network switches (Cisco Catalyst and Cisco Nexus), and enterprise service hypervisors (VMware ESX, Hyper-V, KVM, XEN). As a Technical Leader in Technical Services, Louis currently supports beta and early field trials (EFTs) on new Cisco software and hardware. He has more than 15 years of experience in a wide variety of data center applications and is interested in data center technologies oriented toward data center virtualization and orchestration. Prior to Cisco, Louis was a system administrator for GTE Government Systems. He has a bachelor of science degree in computer science from North Carolina State University.
    Remember to use the rating system to let Louis know if you have received an adequate response.
    Louis might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Data Center community Unified Computing shortly after the event.
    This event lasts through Friday, June 14, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides
    FAQ
    Webcast Video Recording

    Right now there are only a few features that are not supported on N1Kv on Hyper-V.
    They are VXLAN and QoS Fair Weighted Queuing. We are currently demoing VXLAN functionality at the Microsoft TechEd Conference this week in New Orleans, so VXLAN support should be coming soon. I can't give you a specific timeline.
    For Fair Weighted Queuing I'm not sure. In the VMware world we take advantage of NETIOC infrastructure. In the MS world they do not have a NETIOC infrastructure that we can use to create a similar feature.
    Code base parity (as in VMware and Hyper-V VSMs running NXOS 5.x) will happen with the next major N1KV release for ESX.
    Let me know if that doesn't answer your question.
    thanks
    louis

  • Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
    The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
    vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
    This event is focused on discussing all possible types of vPC along with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting.
    Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master's degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
    Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with a primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University and has CCNA® and CCNP® certifications. Nimit is also working on a Cisco data center CCIE® certification while also pursuing an MBA degree from Santa Clara University.
    Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
    Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Gustavo
    Please see my responses to your questions:
    Yes, almost all routing protocols use multicast to establish adjacencies. We are dealing with two different types of traffic: Control Plane and Data Plane.
    Control Plane: To establish routing adjacency, the first packet (hello) is punted to the CPU. So in the case of the triangle routed vPC topology as specified in the Operations Guide link, multicast for routing adjacencies will work. The hello packets will be exchanged across all 3 routers and adjacency will be formed over the vPC links.
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
    Now for the Data Plane we have two types of traffic: Unicast and Multicast.
    The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and the port channel run independent hash calculations, there is a possibility that the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario, N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
    Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
    For that topology, Multicast traffic might have complete traffic loss, due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received by only one switch. The multicast data might be received by the other switch.
    Loop avoidance works a little differently across the Nexus 5000 and Nexus 7000.
    Similarity: For both products, loop avoidance is possible due to VSL bit
    The VSL bit is set in the DBUS header internal to the Nexus.
    It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
    This mechanism is used for loop prevention within the chassis.
    The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
    Differences: In the Nexus 5000, when it has to do an L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped, as compared to the Nexus 7000 and Nexus 3000.
    It still does loop prevention, but the L3-to-L2 lookup is different in the Nexus 5000 and Nexus 7000.
    For more details please see below presentation:
    https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
    DCI Scenario: If both pairs are Nexus 5000, then separation of L3/L2 links is not needed.
    But in most scenarios I have seen a pair of Nexus 5000 with a pair of Nexus 7000 over DCI, or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used, then L3 and L2 links are required for sure, as mentioned in the above presentation link.
    Let us know if you have further questions.
    Thanks,
    Vishal

  • Aborting the show file command output in Cisco Nexus

    Hi all,
    In order to verify the MD5 value of a Cisco Nexus image we need to use the show file bootflash:image md5sum command. But instead of that we gave show file bootflash:image. And it is continuously showing the entire file content, and junk values keep coming on the console. I have given ctrl+shift+6 to abort the output, but it is not stopping and now I am not able to do anything in the console. Any suggestion to abort that?
    Thanks,
    Vijay

    Hi All,
    I just cleared the console session from the tty lines using the below command:
    clear line linename
    After this, the console responded and we are able to access it.
    Thanks,
    Vijay.

  • Slides on Nexus 3000

    Hi,
    Does anyone have some slides on Nexus 3000?
    Best regards

    Please get in touch with your local Cisco Sales team, they should be able to help you with it.
    Regards
    Abijith Sharma V S

  • Simple SSH Access-List Question

    I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
    Thank you,
    Thomas Reiling

    Hi there,
    If using SSH, make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty commands will do the trick. Note that the 1-50 host list is not on a subnet boundary.
    To get it exactly:
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log
    It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny   any log
    Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
    line vty 0 4
    access-class 1 in
    transport input ssh
    password blahblah
    That ought to do it.
    good luck!
    Brad
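The wildcard-mask arithmetic behind Brad's two ACL variants, as an added Python example that is not part of the original thread. The two entry lists are transcribed from his reply; the helper names are mine, and the code also derives the minimal entry set for the exact .1-.50 range so the three variants can be compared address by address.

```python
import ipaddress

# Transcribed from the reply above as (network, wildcard mask) pairs.
# "permit host X" is the same as "permit X 0.0.0.0".
EXACT_ACL = [
    ("192.168.200.0", "0.0.0.31"),
    ("192.168.200.32", "0.0.0.15"),
    ("192.168.200.48", "0.0.0.1"),
    ("192.168.200.50", "0.0.0.0"),
]
BOUNDARY_ACL = [("192.168.200.0", "0.0.0.63")]


def wildcard_entries(first, last):
    """Decompose an inclusive IPv4 range into the minimal list of
    (network, wildcard) pairs a standard ACL needs to permit exactly it.
    A wildcard mask is just the inverted prefix mask (the host mask)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def acl_permits(entries, addr):
    """The test the switch applies: every bit where the wildcard is 0 must
    equal the entry's network address; the first matching entry permits."""
    a = int(ipaddress.IPv4Address(addr))
    for network, wildcard in entries:
        n = int(ipaddress.IPv4Address(network))
        w = int(ipaddress.IPv4Address(wildcard))
        if (a & ~w) == (n & ~w):
            return True
    return False  # falls through to the explicit "deny any log"


def permitted_hosts(entries, prefix="192.168.200.0/24"):
    """Every address in the /24 the ACL would admit onto the VTY lines."""
    return [str(h) for h in ipaddress.ip_network(prefix)
            if acl_permits(entries, str(h))]


def render_acl(entries, number=1):
    """Emit the entry list in IOS standard-ACL syntax."""
    lines = [f"access-list {number} remark ALLOW MANAGEMENT"]
    for network, wildcard in entries:
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} permit host {network}")
        else:
            lines.append(f"access-list {number} permit {network} {wildcard}")
    lines.append(f"access-list {number} deny any log")
    return "\n".join(lines)


if __name__ == "__main__":
    # The hand-written "exact" list also admits .0, the boundary list .51-.63.
    for name, acl in (("exact", EXACT_ACL), ("boundary", BOUNDARY_ACL),
                      ("minimal", wildcard_entries("192.168.200.1",
                                                   "192.168.200.50"))):
        hosts = permitted_hosts(acl)
        print(f"{name}: {len(hosts)} addresses, {hosts[0]} .. {hosts[-1]}")
    print(render_acl(wildcard_entries("192.168.200.1", "192.168.200.50")))
```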

  • Can't Ciscoworks LMS 4.2.2 back up the configuration of Cisco VPN 3000 concentrator?

    Hi All,
    In the VPN 3000 concentrator, I've enabled TFTP, telnet and SNMP. I've also successfully added the concentrator into Ciscoworks LMS 4.2.2. All the ports are verified open to Ciscoworks. No question mark shows next to this device in the device management of LMS. However, when I run a configuration Archive Job, I always get the following failed message. Can anybody tell me how to back up the configuration of the Cisco VPN 3000 concentrator in Ciscoworks LMS 4.2.2? Thanks in advance.

    Sorry, but apparently not. Please see the supported devices table (here).
    That table states, among other things:
    The following features are not supported:
    Network Topology Layer 2 Services
    Fault Management
    Configuration Deploy Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP
    Configuration Fetch Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP

  • Ssh access into virtual context on the ACE module A(2.2)

    Hello,
    I tried to configure:
    Admin(conf)#context test
    Admin(conf-context)#ssh key rsa1 1024
    but this ssh command is not supported in this newest version. How can I configure SSH access directly into a virtual context on the ACE module?
    Thank you

    Here's a link on how to configure it.
    https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
    Hope that helps.

  • Cisco Nexus 7010

    Hi,
    Can anyone please let me know how to enable HTTP/HTTPS access on a Cisco Nexus 7010?
    Regards
    Asif Naveed

    The following objects from the conventional CISCO-PROCESS-MIB provide you details on CPU on devices:
    cpmCPUTotal5secRev     1.3.6.1.4.1.9.9.109.1.1.1.1.6
    cpmCPUTotal1minRev     1.3.6.1.4.1.9.9.109.1.1.1.1.7
    cpmCPUTotal5minRev      1.3.6.1.4.1.9.9.109.1.1.1.1.8
    The following document will be helpful as well:
    http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml
    As many MIBs are not completely implemented on NX-OS, there is one more MIB which can help, i.e. CISCO-SYSTEM-EXT-MIB:
    cseSysCPUUtilization (1.3.6.1.4.1.9.9.305.1.1.1)
    Unlike the averaged values from CISCO-PROCESS-MIB, cseSysCPUUtilization returns an un-smoothed value and typically shows more erratic results. It only shares the average utilization of the CPU on the active supervisor. So usually it is recommended to use the CISCO-PROCESS-MIB, i.e. cpmCPUTotal5secRev, instead.
    -Thanks
    Vinod
    **Rating encourages contributors, and it's really free.**

  • WRVS4400n port forwarding (SSH access)

    I have a WRVS4400n and a CentOS server that I need to enable SSH access to from the WAN.
    I created a single port forward rule to open port 22 and forward to the server (whose address is 192.168.41.3).
    However the ssh connection doesn't happen; the command "ssh user@{external_IP}" times out after 20 seconds.
    Wondering why...
    If I connect my server directly to the modem through the outside interface, I have no problems connecting to it. Once it's behind the router, no luck.
    I even added the same rule for UDP, not sure if it's needed, but it definitely didn't help.
    The router is on firmware version 2.0.1.3; the version on the bottom is 2.
    Any suggestions?

    Hi Randy Manthey, thanks for the quick response. The server has 2 interfaces: eth0 (outside, WAN), currently down. When it was up it had a static IP, default gateway and mask assigned by the ISP. It was plugged into the cable modem at that time, and it was accessible. eth1 (inside, LAN), up, address 192.168.41.3, default gateway 192.168.41.1 (which is the above-mentioned Cisco router WRVS4400n). It can ping all machines on the LAN, including the gateway. It is accessible to all machines on the LAN and can be pinged by the Cisco router. It CANNOT ping any IP address on the WAN (I understand this is because eth0 is down). Let me know if you need any other info. Thank you.
    Edit: I got home (the router is in one of my offices) and scanned the router with nmap:
    nmap -v -sT -PN XXX.YYY.ZZZ.88
    Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 23:24 EDT
    Initiating Parallel DNS resolution of 1 host. at 23:24
    Completed Parallel DNS resolution of 1 host. at 23:24, 0.04s elapsed
    Initiating Connect Scan at 23:24
    Scanning wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88) [1000 ports]
    Discovered open port 8080/tcp on XXX.YYY.ZZZ.88
    Completed Connect Scan at 23:24, 6.06s elapsed (1000 total ports)
    Nmap scan report for wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88)
    Host is up (0.033s latency).
    Not shown: 999 filtered ports
    PORT     STATE SERVICE
    8080/tcp open  http-proxy
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 6.14 seconds
    Port 8080 is the port for remote router administration.

  • SSH Access On Specific IP

    Hi,
    I have configured 10 interface VLANs on my Cisco 6509 core switch.
    However, I want my users to SSH to it on the management IP only. SSH access on the other IPs (defined for each interface VLAN) should be blocked by the switch.
    Kindly suggest how to configure this.
    Thanks in advance.

    You could use an ACL, CoPP or CPPr to do it. Here's an example:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_553261.html
    Hope it helps.

  • Cisco Nexus 3K Layer 3 Connectivity Issue while using Optical SFP

    Dear All,
    I am facing an L3 reachability issue between N3k switches, even in the same subnet. I also checked that the VLAN is allowed under the trunk port.
    I am able to see the switch details as a CDP neighbour.
    We are using SVIs, and found all the SVI and interface protocol statuses are up/up. So to test, I used a host to connect directly to the N3k with an optical SFP in an access port and found reachability failed, but when replacing the optical SFP module with an SFP Ethernet module, reachability is okay.
    Please help me to resolve this issue.
    Thanks,
    Kannan

    Hello Amit,
    Please find the following details.
    We use SFP-10G-LR modules on both ends; we also replaced and checked with SFP-10G-SR modules as well.
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A1(1b)
      system:    version 6.0(2)A1(1b)
      Power Sequencer Firmware:
                 Module 1: version v3.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
      kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 22:37:16]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
      system compile time:     9/5/2013 14:00:00 [09/06/2013 02:25:01]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    Thanks for the reply, and sorry for my delayed response.

  • Cisco Nexus 5596UP SFP Problem

    Hi All,
    We are using a Cisco Nexus 5596UP in the DC.
    We want to use a 1G-MM GBIC for a fiber connection, but it does not link up.
    sh int 1/29 trans det
        transceiver is present
        type is 1000base-SX
        name is CISCO-FINISAR  
        part number is FTRJ-8519-7D-CSC
        revision is --
        serial number is FNS0841A2RK    
        nominal bitrate is 1200 MBit/sec
        Link length supported for 50/125um fiber is 550 m
        Link length supported for 62.5/125um fiber is 300 m
        cisco id is --
        cisco extended id number is 4
       Transceiver calibration is invalid
    sh int eth 1/29
    Ethernet1/29 is down (Link not connected)
      Hardware: 1000/10000 Ethernet, address: 0005.73e8.bea4 (bia 0005.73e8.bea4)
      Description: Zer_fiber
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 0/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      full-duplex, 1000 Mb/s, media type is 10G
      Beacon is turned off
      Input flow-control is off, output flow-control is off
      Rate mode is dedicated
      Switchport monitor is off
      EtherType is 0x8100
      Last link flapped never
      Last clearing of "show interface" counters 07:11:12
      30 seconds input rate 0 bits/sec, 0 bytes/sec, 0 packets/sec
      30 seconds output rate 0 bits/sec, 0 bytes/sec, 0 packets/sec
      Load-Interval #2: 5 minute (300 seconds)
        input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
      RX
        0 unicast packets  928 multicast packets  0 broadcast packets
        928 input packets  6764 bytes
        0 jumbo packets  0 storm suppression bytes
        0 giants  928 input error  0 short frame  0 overrun   0 underrun
        0 watchdog  0 if down drop
        0 input with dribble  0 input discard
        0 Rx pause
      TX
        0 unicast packets  0 multicast packets  0 broadcast packets
        0 output packets  0 bytes
        0 jumbo packets
        0 output errors  0 collision  0 deferred  0 late collision
        0 lost carrier  0 no carrier  0 babble
        0 Tx pause
      0 interface resets

    Hi,
    We are using 1000Base-SX SFPs in an N7K with release 6.0.2,
    but we can't use 1000Base-SX in the 5596UP with release 5.0(3)N2(2b).
    The web page you suggested says 1000Base-SX is supported. However, with the following configuration it does not work.
    sh run int eth1/29
    interface Ethernet1/29
      switchport access vlan 645
      speed 1000
      duplex full
    sh int status | inc 1/29
    Port          Name               Status    Vlan      Duplex  Speed   Type
    Eth1/29       ---          notconnec 645       full    1000    1/10g     
    sh int eth 1/29
    Ethernet1/29 is down (Link not connected) - But link connected...
      Hardware: 1000/10000 Ethernet, address: 0005.73e8.bea4 (bia 0005.73e8.bea4)
      Description: ---
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 0/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
    full-duplex, 1000 Mb/s, media type is 10G
      Beacon is turned off
    sh int eth 1/29 transceiver details
    Ethernet1/29
        transceiver is present
        type is 1000base-SX
        name is CISCO-FINISAR  
        part number is FTRJ-8519-7D-CSC
        revision is --
        serial number is FNS0841A2RK    
        nominal bitrate is 1200 MBit/sec
        Link length supported for 50/125um fiber is 550 m
        Link length supported for 62.5/125um fiber is 300 m
        cisco id is --
        cisco extended id number is 4
       Transceiver calibration is invalid
    Thank you for your interest.
    Regards,
    Yücel
