Multiple SSH listening ports on Catalyst switches

Hi community,
On Cisco routers you have the option to configure multiple SSH ports (instead of the default TCP 22) in combination with rotary groups, and then attach these rotary groups to specific VTY lines. This works just fine.
But it seems that on Cisco switches you cannot define different SSH ports. The command Router(config)#ip ssh port portnum rotary group is not available. You can use the rotary statement on the VTY lines, but this works only for Telnet connections.
Does anyone know if it's possible to use the rotary groups on switches with SSH? The goal I am trying to achieve is to use multiple AAA method lists and define these under specific VTY lines. That way I am able to designate specific users, connecting from specific IP addresses, to a dedicated VTY line with a custom AAA method list.
Any help is much appreciated!
Kind regards,
Dion Dohmen
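Added example (not from the original post): the router-side design described above, written out end to end. The method-list names, the ACL name, the addresses, the RADIUS server and TCP port 2222 are all hypothetical, and it assumes an IOS that offers the ip ssh port ... rotary command. The 3560 images in the reply below do not have it, so on that platform only the AAA, access-class and per-line login-authentication parts apply.

```cisco
! Added example, not from the original post. Names, addresses, ports and
! secrets are hypothetical placeholders.
aaa new-model
! Local fallback account so a RADIUS outage cannot lock everyone out
username admin privilege 15 secret <set-a-strong-secret>
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Method list for ordinary admins: RADIUS first, local database as fallback
aaa authentication login ADMINS group radius local
! Separate method list used only on the dedicated VTY line (RADIUS only)
aaa authentication login NOC-ONLY group radius
! Console keeps its own local-only list (lockout protection)
aaa authentication login CONSOLE local
!
ip ssh version 2
! Second SSH listener on TCP 2222, tied to rotary group 1.
! As the ZFW thread further down this page observed, this ADDS a listener;
! port 22 keeps answering on the lines that are not in a rotary group.
ip ssh port 2222 rotary 1
!
! Only the NOC jump host may reach the dedicated line; everything else is logged
ip access-list standard NOC-HOSTS
 permit 192.0.2.10
 deny   any log
!
line con 0
 login authentication CONSOLE
!
! Generic lines: reached on port 22, generic method list
line vty 0 3
 transport input ssh
 login authentication ADMINS
 exec-timeout 10 0
!
! Dedicated line: member of rotary group 1 (answers on TCP 2222),
! reachable only from NOC-HOSTS, authenticated with its own method list
line vty 4
 rotary 1
 access-class NOC-HOSTS in
 transport input ssh
 login authentication NOC-ONLY
 exec-timeout 10 0
!
! Checks after applying:
!   show ip ssh       -> SSH version, timeout and retry settings
!   show line vty 4   -> Roty column shows 1, AccI column shows NOC-HOSTS
!   show users        -> which VTY a test session actually landed on
```

The mechanism is that access-class and login authentication are line properties: whoever lands on vty 4 is subject to NOC-HOSTS and NOC-ONLY, whoever lands on vty 0-3 gets the generic list. Test the NOC-ONLY line from an address outside NOC-HOSTS as well as from inside it, and keep the console on a local-only list so a RADIUS failure never locks you out.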

Hi,
I am currently using 12.2(58)SE2 on the 3560.
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
I downgraded my IOS to check if it's still supported for the 3560 on 12.2(55)SE1 and it's not.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:38:50 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE1.bin"
XXX(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  precedence              IP Precedence value for SSH traffic
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version supported
XXX(config)#ip ssh
I then upgraded to 12.2(55)SE9 and it's still not supported.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:47:49 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"
XXX(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  precedence              IP Precedence value for SSH traffic
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version supported
XXX(config)#ip ssh
I would recommend that you upgrade but I don't see any point unfortunately.
Thanks,
Nehmaan

Similar Messages

  • IOS Zone firewall (ZFW) & changing SSH listening port

    I'll have to check into the details again, but I recall there being a way to change the listening port for SSH. Not only do you have to configure SSH itself to listen on a new port, but I think there was something about making the inbound interface part of a rotary group or something.
    Anyway, my question is more about how the zone firewall reacts to this. If I have inspect set for SSH (or pass) and yet change the default port for it, does the IOS still know to take the configured action on the protocol? I'll try to test this myself once I have an opportunity but may not be able to for several days; plus, if anybody has anything further to add regarding any other implications this port change might have, please share.
    Thanks! 

    Hi Julio,
    You are ever helpful, sir. However, things are not making sense.
    Ok so to take it from the top. So far I have done the following:
    Router(config)#ip ssh port 2340 rotary 1
    Then:
    Router(config)#line vty 0 123 (123 = max # of vty lines, my actual # is different)
    Router(config-line)#rotary 1
    This of course does not make SSH on port 2340 work from the Internet zone to Self as I have not yet modified the firewall nor done the ip port-map command. It does work from the LAN side to Self since that zone-pair is more forgiving, however, it works on both 22 and 2340 which I thought odd since I thought the ip ssh command changes the SSH server listening port.
    I have not yet permanently set the ip port-map command. However I ran it once and then did a sh ip port-map ssh
    This showed system defined ssh port maps for tcp and udp on 22, and then my user defined one for tcp port 2340. Interesting that the system-defined ones are both UDP and TCP - I thought SSH was TCP only.
    According to the IOS command references (for release 15.2), I should not be able to remove the system-defined port map entries as it would give an error. However, I did no ip port-map ssh port tcp 22 and the same for the UDP entry and they disappeared, so now for sh ip port-map ssh I get no results returned. Yet SSH still works on 22 and 2340.
    Be that as it may, after some further testing I've concluded that with or without use of the ip port-map ssh port tcp 2340 entry, SSH works (from LAN to Self) on either port 22 or 2340. It seems ip port-map has no effect on the SSH server itself (?). Or perhaps PAM is overridden by the ip ssh commands?
    So at that point I decided to stop testing, not doing anything with the firewall yet, until I understand things better. So far, the IOS is very confusing in its behavior.
    Changing the SSH server's listening port via ip ssh command to something other than 22 seems to not actually change anything, it just adds that port in addition to 22.
    Port-application mapping appears to have no effect on the SSH server (I have not tested whether ip ssh overrides PAM or vice versa)
    So far there seems to be no way to actually change port 22 usage - even "deleting" the PAM entry for ssh via 22 has no effect.
    Confusing!
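Added example (not from the original post) of the PAM and zone-firewall side for the port chosen in the post above. The zone name, the interface, the management source address, the class-map and policy-map names are hypothetical; it assumes the listener is already configured with ip ssh port 2340 rotary 1 and rotary 1 on the VTY lines, exactly as the poster did.

```cisco
! Added example, not from the original post. Zone, interface, address and
! policy names are hypothetical placeholders.
!
! 1. Teach PAM that TCP/2340 is SSH, so "match protocol ssh" also covers it.
!    This only adds a user-defined mapping; the system entry for tcp/22 stays.
ip port-map ssh port tcp 2340
!
! 2. Restrict which source may even try the management port
ip access-list extended MGMT-SRC
 permit ip host 198.51.100.7 any
!
! match-all: the source ACL AND the (PAM-classified) SSH protocol
class-map type inspect match-all CM-SSH-TO-SELF
 match access-group name MGMT-SRC
 match protocol ssh
!
policy-map type inspect PM-INTERNET-TO-SELF
 class type inspect CM-SSH-TO-SELF
  inspect
 ! Anything else from INTERNET to the router itself is dropped and logged.
 ! Add explicit classes here for whatever the router must still receive
 ! (routing protocols, IPsec, NTP, ...) before applying this to a live box.
 class class-default
  drop log
!
zone security INTERNET
zone-pair security INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect PM-INTERNET-TO-SELF
!
interface GigabitEthernet0/0
 zone-member security INTERNET
!
! Checks:
!   show ip port-map ssh
!     -> expect the system tcp/22 entry plus the user-defined tcp/2340 entry
!   show policy-map type inspect zone-pair INTERNET-TO-SELF sessions
!     -> an established session to :2340 after a test login from 198.51.100.7
!
! Caveat taken from the poster's own findings: "ip ssh port ... rotary" adds a
! listener rather than moving it, and port 22 is SSH for PAM too, so
! "match protocol ssh" admits both ports. The source ACL, not the port number,
! is what actually limits exposure of the management plane.
```

Test from the INTERNET side both from the permitted source and from another address: the first should show up in the zone-pair session table, the second only as a drop log entry.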

  • Do Catalyst switches forward Precision Time Protocol (PTP) packets?

    I understand that the Catalyst switch range does not provide PTP boundary clocks. However, can they still forward PTP packets from a PTP server to a PTP client connected to a port on a Catalyst switch, in particular the 4900M and 3750-X series? I do understand that any switching delay would affect the accuracy of the PTP clock.

    So if I have an L2 network consisting of several access switches connected via trunks to a distribution, with PTP clients in differing VLANs, as long as each VLAN has a connection to the PTP source then the client will receive the PTP timestamp, although subject to switching delays?

  • Changing listening port for SSH on IDS

    What command would I use to change the listening port on a 4200 series IDS? I have it listening on another port, and when I applied the S189/S190 update, it changed SSH back to port 22.
    Just out of curiosity too, does anyone know what else the S189/S190 updates change?
    Thanks,
    Jim

    After looking around, I think it may be the /etc/ssh/sshd_config file that needs to be modified. However, I wanted to double check that with the community. If I modify that file and restart ssh, will I mess anything up and lock myself out of remote access?
    Thanks!!

  • Multiple listen ports for one weblogic instance

    Can anybody confirm that you can have only one listen port defined for a single
    weblogic instance (i.e. one instance cannot be listening to multiple ports at
    the same time)?
    Thanks

    You can have multiple IPs assigned to the same box and bind each WLS instance to a unique one, which will listen on the same port.
    Kumar
    Gary Wong wrote:
    Can anybody confirm that you can have only one listen port defined for a single
    weblogic instance (i.e. one instance cannot be listening to multiple ports at
    the same time)?
    Thanks

  • Multiple listener ports

    I'm having various problems with my 1.0.2.1 install that I think are linked to my ports (iAS and 8.1.7 on same machine). I saw in the preinstallation instructions the following:
    Oracle9i Application Server installs another database that listens on port 1521. Change the port for the origin database listener to be, for example, 1526.
    Can anyone out there tell me how to do this? What is the new database it is installing? The portal30 schema? What's the password for that schema? Is the origin database the one where it installs the wireless repository?

    If you can say exactly what problem you are facing, then I can probably look into it.
    Ias10210 installs another database, which is used for iCache alone. This database is installed on port 1521 and there is no option to change it. So to change the listener port of the database, go to your <ORACLE_DB_HOME>/network/admin/listener.ora file and modify the listener port to 1526 (the default is 1521). You can do the same in tnsnames.ora also. After this you have to stop and start the listener:
    cmd> lsnrctl stop
    cmd> lsnrctl start
    The DB installed by iAS is for cache usage alone and it is not advisable to use it for any other purpose.

  • Setting uplink port on Catalyst 2900 series Switch

    Greetings, I'm working on my CCNA and I want to copy down the IOS to my Linux box via TFTP before making any major configuration changes (basically back it up).
    I've noticed I don't have an uplink port on the Switch and not really sure how to go about this.
    Also can I use CAT5 or will I have to use Cross-Over?
    thanks

    [quote]
    As long as the speed and duplex are set to auto then MDI/MDI-X is enabled.
    [/quote]
    I'm not sure how to confirm if MDI/MDI-X is enabled or not on the Switch.
    Forgot to include this other detail.  All of the devices (Linux pc and Cisco Switch) are connected to a Linksys SOHO Router/Switch.  Will this make a difference?  I wouldn't think so as long both devices can ping each other.
    thanks

  • TCP delay on catalyst switch

    I experienced a TCP delay on Catalyst 4506; the problem went away when I replaced the 4506s with dummy unmanaged switches.
    I used two PCs (PC 1 and PC 2) and two 4506 switches (S1 and S2):
    PC 1 is connected to S1 (Fast Ethernet port)
    PC 2 is connected to S2 (Fast Ethernet port)
    S1 is connected to S2 (SFP Gigabit Ethernet port)
    - I started continuous UDP, TCP, multicast and ping from PC1 to PC2.
    - I unplugged the link between Switch 1 and Switch 2: all communication stopped.
    - I plugged the link between Switch 1 and Switch 2 back in.
    - UDP, multicast and ping started immediately, but TCP started with approximately 15 seconds delay. :-(
    I repeated the same procedure with unmanaged dummy switches instead of the 4506s; there wasn't a 15-second delay. TCP showed up in 1 second.
    How can I avoid the TCP delay on Catalyst switches? Probably some tuning of the configuration would do the job?
    Thanks for helping.

    Hi gp, and thank you very much for responding to this unusual problem.
    - Switch ports to the PCs are configured as PortFast.
    - Switch ports between the two Catalyst switches are not configured (default).
    - I didn't use the 'switchport access' command since they are default Layer 2 interfaces. Would the 'switchport access vlan 1' command make any difference?
    - I looked at the port status and confirmed the connection is 100 Mbps full duplex.
    The unusual thing is: ping, UDP and multicast show up very shortly after I re-plug the uplink. That proves all ports are in forwarding state. Only TCP shows up with delay, which doesn't occur on a $200 unmanaged switch??
    Thanks in advance for any suggestions.

  • I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

    Understanding  ISE and dACL.
     I don't understand correlation between ACL and dACL.
     If dACL is downloaded to the Catalyst switch what is the status of the ACL attached to physical port. Is dACL appended to the existing ACL? When I typed ‘sh ip access-list int fa0/1’ I can see only dACL for access domain and dACL for voice domain appended to the previous dACL and no ACL lines.
     Regards,
    Vice

    Hi,
    Downloadable ACLs (dACL) are applied from your RADIUS server based on authentication and authorization policies.  It overrides any standard interface ACL.
    Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
    When an authenticated session terminates on the interface the standard ACL will be re-applied until the next authentication.
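Added example (not from the original thread) of the switch side of what the reply describes: a port ACL that is in force before authentication and is replaced, for the duration of the session, by whatever dACL the RADIUS server returns. The VLAN numbers, the interface, the RADIUS server address, the ACL name and the shared secret are hypothetical, and the dACL itself is defined on ISE and is not shown here.

```cisco
! Added example, not from the original thread. VLANs, interface, server
! address, ACL name and secret are hypothetical placeholders.
aaa new-model
aaa authentication dot1x default group radius
! Required for the switch to request and apply authorization attributes (dACL)
aaa authorization network default group radius
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server vsa send authentication
!
dot1x system-auth-control
! dACL entries arrive with "any" as the source; device tracking lets the
! switch substitute the authenticated host's own address
ip device tracking
!
! Pre-authentication port ACL: what an unauthenticated host may do
! (enough to boot and talk to the network infrastructure, nothing more)
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Before a host authenticates:
!   show ip access-lists interface FastEthernet0/1
!     -> the PRE-AUTH lines
! After the RADIUS server returns a dACL:
!   show ip access-lists interface FastEthernet0/1
!     -> only the downloaded entries (one per domain, data and voice)
!   show authentication sessions interface FastEthernet0/1
!     -> the session and the ACS/ISE ACL name attached to it
! When the session clears, PRE-AUTH is in effect again.
```

The pre-auth ACL is the part under the switch operator's control; review it as the floor of what an unauthenticated device can reach, since the dACL only applies after a successful 802.1X or MAB authorization.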

  • Cryptographic IOS versions on Catalyst Switches

    1. Where can one find the differences between Catalyst switch IOS with cryptographic features and without cryptographic features?
    2. In order to access Cat switches over SSH and HTTPS, do we require Cryptographic versions of the Cat IOS?
    3. What does "k9" stands for in IOS names? e.g. "3560-ipservicesk9"
    Thanks

    Hi
    Answer to Q1:
    The best place to compare CatOS and IOS is
    www.cisco.com/go/fn
    There you can search by IOS names, platforms or features and compare images.
    Answer to Q2:
    Yes, you need the cryptographic version.
    Answer to Q3:
    K9 stands for the cryptographic version. If you have ipservicesk9 you can do SSH. In the Feature Navigator, if you search for the IOS without K9 you will find this:
    IP SERVICES W/O Crypto
    That means this CatOS does not support cryptographic features.
    Best Regards Bahman Mozaffari.
    Please Rate if Helpful.

  • The Connect from Intel Pro/1000 T to 1000base-t Port on Catalyst 4000 (WS-X4412-2GB-T= module) Not Working Properly

    The connect from Intel Pro/1000 T to 1000base-t port on Catalyst 4000 (WS-X4412-2GB-T= module) is not working properly. The Intel Pro/1000 T NIC connects to a 10/100 OK. Auto-negotiation is set at both ends. We can successfully ping across the link. However performance is so poor as to make the connection unusable.

    When an Intel Pro/1000 T NIC is connected to a Catalyst switch, the customer may see poor network connections or excessive numbers of dropped packets. The problem arises when a module with a TBI interface transmits an odd byte packet to a receiver with a Gigabit Media Independent Interface (GMII).
    The interoperability issue is a result of the implementation of Carrier Extension. Carrier Extension is detailed in sub section 35.2.3.5 in the IEEE 802.3 specification. Carrier Extension can be used to pad the last byte of a packet, so the packet is aligned on an even numbered boundary.

  • Enterprise Manager listening ports?

    Hi all,
    Which are the TCP/IP ports an intelligent agent uses to communicate with an OEM console?
    From the docs, it seems that the only port it uses is 7770/tcp, but I saw 7771, 7772, 7773, 7778 also.
    I need this info to set up a (um, rather complicated) forwarding SSH tunnel between the OEM console and the agent node; the OEM console will be in a private network.
    Regards,
    Alvaro.

    Thanks Peter for your quick response!
    ...but what I really need is to know which ports the OEM console spawns to listen for connections from agents, i.e. the TCP/IP connections initiated from the agent to the OEM console.
    In my case, the OEM->agent comms work well, but not agent->OEM, since the OEM server is in a private IP network.
    As said, I'll forward the ports back to the OEM server via SSH, but I need to know which these OEM ports are...
    Any help would be much appreciated.
    Alvaro

  • Changing the listening ports of ARD

    I know how to change the listening port of SSH from 22 to some other number.
    Is there any way to configure ARD (in plist maybe?) so that it can try connecting to SSH on a non-default port number.
    Whilst I know how to secure SSH (not properly secured in OS X by default), I would rather change its listening port to avoid the traffic that will simply try to brute-force in.
    So if I edit ssh_config and sshd_config on my Macs, will this break ARD? Or if these conf files are properly edited (ssh_config on the client changed to port 22222 and sshd_config on the server changed to 22222), will ARD connect seamlessly?
    In short does ARD absolutely need Remote Login (SSH) to be running on the default port 22?

    hmm okay, but i don't need to port forward 22 from my router to my mac to allow ARD access, only ports 5900, 5988 and 3283.
    That improves things since 22 is not visible to the WAN.
    Still, I'd like to know the answer to my question in the previous post.
    And what about re-mapping VNC from 5900 (another obvious target although prob not vulnerable to VNC exploits since I expect Apple have modified this service and somehow hooked it into the authentication of the ssh protocol)?

  • Cisco 4507 Catalyst switch goes down

    Hi,
    We have a Cisco 4507 Catalyst switch to which end users are connected. Today this Catalyst switch went down; I checked, and the input power was normal but the switch is not running. All the notification lights, like the supervisor engine and fan status lights, are showing in red colour. So I switched off the SMPS, waited for some time and switched it on; the switch starts running and in 3-4 minutes it again goes down.
    Thanks and Best Regards,

    Get on the console port and watch it while it is booting up. It will usually tell you why it is failing in the logs or messages as it is booting up.

  • Can MPLS aware Netflow ver. 9 be enabled on the catalyst switches 6500

    HI, I'm working for KOREA TELECOM, and currently providing MPLS VPN.
    We're planning to provide our customer with traffic report using NetFlow..
    I read some documents which say NetFlow v9 can be enabled on the Cisco GSR 12000 series, but there is no mention of Catalyst switches. So I'm curious whether NetFlow v9 can be activated on the Catalyst 6500 series, because the point where the switch is located already has MPLS-encapsulated packets (MPLS VPN packets).
    Thank you , in advance.

    NetFlow is now integral to Cisco 6500. A configuration we recommend is as below:
    mls netflow     // This enables NetFlow on the Supervisor.
    mls nde sender version 7
    mls aging long 64  // This breaks up long-lived flows into (roughly) one-minute segments.
    mls aging normal 32  // This ensures that flows that have finished are exported in a timely manner.
    mls flow ip interface-full
    mls nde interface
    The next two commands enable NetFlow data export for bridged traffic, which is optional. You can specify the list of VLANs here to enable bridged traffic.
    ip flow ingress layer2-switched vlan
    ip flow export layer2-switched vlan
    Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
    ip flow egress       // This command has to be executed on all the L3/VLAN interfaces.
    ip flow-export destination {hostname|ip_address} 9996  // The hostname or IP address of the flow server
    ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback0
    ip flow-export version 9
    ip flow-cache timeout active 1
    snmp-server ifindex persist
    The new Cisco Flexible NetFlow actually allows for export of MPLS-specific information (I believe it is stack labels) in addition to information on IP address, port, etc. But you will need a tool that can support these additional fields. Otherwise you can view IP, port, protocol, etc. related information from MPLS links.
    Regards,
    Don Thomas Jacob
    ManageEngine NetFlow Analyzer
