Question of telnet or SSH to 4500X management port

I configured the 4500X management port (Fa1) and I can ping the IP from the network. But when I tried to telnet to the port, the switch showed "password required but not set".
I didn't configure any password for VTY. Should it be equivalent to "no login"? To set or change a password for the management port, where do I configure it?
Thanks a lot

Hi,
Yes, "password" and "login" for the management port should be configured under the "vty" lines.
Best regards,
Antonin

Similar Messages

  • Cisco 3850 Switch Management Port - ACL on VTY

    Hi,
    I got these switches.
    Switch Ports Model              SW Version        SW Image              Mode   
    *    1 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
    SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even though the ACL is permitting traffic.
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     ip address 172.16.12.3 255.255.255.0
     negotiation auto
    ip access-list standard ACLVTY
     permit any log
    line vty 0 4
     access-class ACLVTY in
     exec-timeout 15 0
     length 0
     history size 64
     transport preferred ssh
     transport input ssh
     transport output telnet ssh
    037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
    # show ip access-list permit-any
    Standard IP access list permit-any
        10 permit any log (3 matches)
    If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing. 
    Any ideas ?
    Thanks, 
    Rick.

    Hi,
    IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need to control the IP source while allowing VTY connections from VRF instances, try the configuration option "vrf-also".
    So, you should get something like this:
    line vty 0 4
     access-class ACLVTY in vrf-also

  • Telnet or ssh management

    Hi Everybody!!!
    I have noticed that I can log in using almost every configured IP address on the device (here Catalyst 6500).
    I'm wondering why? I'm not talking about the source address, but the destination one.
    I have many vlan interfaces configured on the device. Almost every interface has assigned an IP address.
    And I can access remotely the switch using telnet or ssh protocol using every assigned IP address to Vlan interfaces.
    I'm wondering if it is desirable.
    Could someone explain it to me.
    Maybe there is a way to reduce the number of possible addresses, which I can use to log in (destination address).
    Best regards,
    Agata Czekalska
    Technical University of Lodz

    Hi
    Hmm Technical University..
    I am basing this on a couple of assumptions.
    Assumption: this is one of the devices that services students/teachers/others
    Assumption: students are intelligent and inquisitive.
    Assumption: you are the only one/group that should have access to the device.
    First, your 6500 chassis is/are available on several different VLANs.
    This I would stop at once IF there is no special reason for it to be configured that way.
    My guess is that if it is not hacked, then it is not far from getting just that.
    It does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.
    I would actually, if possible, stop all telnet/ssh/http/https traffic to the device itself.
    At least stop telnet and http, since they send the login information in cleartext.
    If the students have a sniffer, they will have the login names and passwords quickly.
    Get a firewall (asa5505?), and set up a PC behind it with a directly connected serial cable to the 6500 (and other switches maybe?). To connect to the PC, you would then open up the firewall only for appropriate communication means (ipsec vpn/ssl vpn/AAA TCP communication).
    Use personal usernames and passwords so that everyone has their own username and password to log in to the equipment.
    Don't forget to set up NTP. That will help not only with time, it will also help with who was last on.
    This method secures the device from malicious use or accidental misconfiguration from someone not authorised to use it in that way.
    If this is not possible or desirable in your case, ACLs are used to control which IP addresses are allowed to access the unit.
    HTH

  • Question about 4500X VSS management port

    I have two standalone 4500X switches that I'm planning to convert to VSS. If I cable the management port on both switches to a management cloud, which management port should I put the management IP address on? Is it the port on the active switch? If the active switch failed, would the management port on the standby switch take over the management IP?
    The management port is in VRF mgmtVrf. Should I create a default route for the VRF such as "ip route vrf mgmtvrf 0.0.0.0 0.0.0.0 ....." to point to its default gateway IP?
    Thanks

    When you convert the chassis to VSS, only the management interfaces (FastEthernet1) for switch-1 (active) will be visible in the config.  So you want to cable both management interfaces to your management cloud, but you only apply the IP to the active switch.
    The management port is in VRF mgmtVrf. Should I create a default route for the VRF such as "ip route vrf mgmtvrf 0.0.0.0 0.0.0.0 ....." to point to its default gateway IP?
    Correct, you need a default route in that mgmt vrf pointing to the gateway.
    HTH

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with the following question. I have set up a testing lab, but it still does not work.
    It is a hub-and-spoke site-to-site VPN case. The connection between hub and spoke is metro-E, so we are using private IPs for the outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    spoke two - Cisco router with version 12.3
    The site-to-site VPN has been successfully established. The customer would like to telnet/ssh to the spoke's outside IP from the Hub (using the Hub's outside interface as the source for telnet/ssh), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. It sounds like an easy job to do; I tried for a long time and searched this forum and Google too, but it still does not work.
    Now I can successfully telnet/ssh to the Hub SRX's outside interface from the spoke (ASA has no telnet/ssh client, tested using the Cisco router).
    Has anyone ever done it before? Please help by sharing your experience. Does the Cisco ASA or router even support it?
    When I tested it, of course the site-to-site VPN was still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    Configuring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a management-only interface, enter the following command:
    hostname(config)# management-access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface.
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP (if required). For a quick test, you can enable the following in your lab:
    SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either way, with this command:
        crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case, 
    !--- Telnet and SSH is supported with transport input all
    line vty 0 4
    transport input all
    !--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,
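
An added example, not part of either forum reply or of Cisco's documentation: a small Python check for the VTY settings raised in the threads above, namely an access-class applied without vrf-also while an interface sits in a VRF, transport input that admits Telnet, and "no login". The sample configuration, its addresses and all function and constant names are constructed for illustration.

```python
import re

# Constructed sample configuration (illustrative only, not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.3 255.255.255.0
!
ip access-list standard ACLVTY
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class ACLVTY in
 transport input all
line vty 5 15
 access-class ACLVTY in vrf-also
 login local
 transport input ssh
"""

ACL_NO_VRF_ALSO = "access-class lacks vrf-also but an interface is in a VRF"
TELNET_ALLOWED = "transport input permits Telnet (cleartext login)"
NO_LOGIN = "no login: sessions are accepted without authentication"


def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and comment/separator lines
        if not line[0].isspace():
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def audit_vty(config):
    """Return (vty_line, finding) tuples for the VTY issues listed above."""
    sections = parse_sections(config)
    # A management interface placed in a VRF is what makes vrf-also matter.
    vrf_in_use = any(
        sub.startswith(("vrf forwarding", "ip vrf forwarding"))
        for head, subs in sections if head.startswith("interface ")
        for sub in subs
    )
    findings = []
    for head, subs in sections:
        if not head.startswith("line vty"):
            continue
        for sub in subs:
            acl = re.match(r"access-class \S+ in\b(.*)", sub)
            if acl and vrf_in_use and "vrf-also" not in acl.group(1):
                findings.append((head, ACL_NO_VRF_ALSO))
            words = sub.lower().split()
            if words[:2] == ["transport", "input"]:
                if {"telnet", "all"} & set(words[2:]):
                    findings.append((head, TELNET_ALLOWED))
            if words == ["no", "login"]:
                findings.append((head, NO_LOGIN))
    return findings


if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{vty}: {finding}")
```
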

  • Telnet vs ssh?

    i have a webserver in my basement without a keyboard, monitor or mouse permanently attached to it. so maintaining it is rather difficult. so i've been looking at setting up telnet or ssh on it (which i should have done from the start) so i can manage it from another machine within my network
    now i understand that telnet lacks any type of security, and i'm only using it behind my network anyway. but my concern is if i want to log into it from outside my network through my vpn. i use openvpn, so i'm asking, because i'm not sure the vpn connection is encrypted or not, and if it's not, then ssh will be the way to go, otherwise i think telnet is just easier.

    .:B:. wrote:If 'minimal' updates mean what I think it means, then you're only making yourself miserable. Partial updates will break the system; it's a rolling release and often updates depend on one another. Doing 'minimal' updates is not the way to go. If you're afraid stuff breaks, pick another distro, or try the Arch Server Project, or at least install an LTS kernel like gazj did.
    i didn't mean minimal updates like that, i just meant that i don't update it very often. i do run the lts kernel. i just don't update everything else too often out of the blue like that because it's set up and working. i ran into issues with mysql one time when i just went ahead and updated, had trouble getting it going right. so i like to plan my downtime and try to know what to expect. so instead of planning to have it down for 10 minutes, and having that turn into an hour, i can plan for an hour if that's what i know it will take.

  • Can't Telnet or SSH to switch

    Hey Guys, I can't telnet or ssh to one of my switches.  I can however telnet to the switch I'm having trouble with from another switch on the network.  I have the config attached. Thanks for any help!

    You are missing the ip default-gateway command pointing to your default gateway IP for the switch subnet.

  • I do not remember my answers to the security questions and when I go in to manage my account the questions come up.  There is no place for me to retrieve the answers to get in.

    I do not remember my answers to the security questions and when I go in to manage my account the questions come up.  There is no place for me to retrieve the answers to get in. What do I do.

    That's because you never registered a rescue email address. The only way to resolve this now is to contact iTunes Support. They are the only ones that can help.
    http://www.apple.com/emea/support/itunes/contact.html

  • 4500X Out-of-Band Management port

    I am attempting to set up the FastEthernet management port on some 4500x switches that we have received for Out-of-Band management, but I am unable to get them working.  I have set this up before on ASR1004 routers and have not had any troubles with them, although I have noticed that they use a different management vrf name.
    I have added the IP address to the FastEthernet1 port, applied a default route for the vrf (e.g. ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 x.x.x.x), and connected the port to my switch.  I am unable to ping the out-of-band management IP from anywhere, inside or outside of its subnet, and I am unable to ping out from the 4500x using the ping vrf mgmtVrf <IP address> command.  When I run a show interface Fa1 command on the 4500x and on the switch it's connected to, they both show that they are sending traffic but neither shows that it's receiving any traffic.  I have tried connecting a laptop directly to the FastEthernet port, set it statically to the same subnet, and am still unable to ping the management interface.  I ran a Wireshark capture on the laptop and I show no traffic coming from the management port on the switch, even though when I check the show interface command it shows that the port is sending packets.  I have attempted this on two separate 4500x switches so far with the same results.  We are running IOS-XE 03.04.04.SG on both switches with the entservices license.  Any help would be appreciated.
    Thanks,
    Jesse

    Here is the show int fa1 and show run int fa1 while I had the laptop connected and attempted to ping both directions.
    interface FastEthernet1
     vrf forwarding mgmtVrf
     ip address 172.16.1.10 255.255.0.0
     speed auto
     duplex auto
    end
    FastEthernet1 is up, line protocol is up
      Hardware is RP management port, address is f40f.1b56.9c57 (bia f40f.1b56.9c57)
      Internet address is 172.16.1.10/16
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:06:29, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         402 packets output, 101340 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         8 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

  • Management port on fabric interconnect question

    I'm using the same pool of IP addresses for my FI and KVM pool.
    I need to make sure that my management port on each FI is connected to a switch that is also accessible in the same range\subnet, correct?
    After setting everything up, I'm currently unable to get to my VIP.

    Correct.  Ensure the subnet masks are correct, and the gateway is reachable.  If you can "ping" from outside to each FI's management IP, there's no reason you shouldn't be able to reach the VIP.  Obviously the VIP address must be in the same subnet & VLAN as the management IPs, and not be used elsewhere in your environment.
    Regards,
    Robert

  • 7304 nse100 FE Management Port configuration question

    How can the F0/0 FE Management Port be used? Since the 7304 has a redundant NSE100 processor card, I would like to use this port two ways: as a remote router access port for management and as a standard FastEthernet interface. Is configuration and advertising of the interface IP address the same as for standard FastEthernet interfaces?

    The FastEthernet port on the Cisco 7304 is for management purposes only. Any other use of the FastEthernet port is not supported. This statement is according to the configuration notes of the 7304. So, it cannot be used as a standard GE port.

  • Management port on CSS 11150

    I have a simple question. Can someone tell me how to access the management port on the css 11150?
    I configured the IP and mask on the management port and configured my laptop for an IP on the same network. But I am unable to connect.

    what do you mean by connect ?
    Are you trying telnet or HTTP ?
    Are you able to ping ?
    Is the interface showing up ?
    Try 10Mb Half duplex set manually and see if it works.
    Also, did you reboot the CSS after configuring the ip address/mask for the management interface ?
    Gilles.

  • C2960s ethernet management port

    Hi,
    Can the ethernet management port on a 2960s be used to source syslog, snmp traps, ntp updates... ?
    This is not mentioned in the software configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swint.html#wp2220949) and what worries me is the instability warning at the bottom.
    thanks,
    bart

    hi Bart,
    The Ethernet management port supports these features:   <<< from the documentation...
    •Express Setup (only in switch stacks)
    •Network Assistant
    •Telnet with passwords
    •TFTP
    •Secure Shell (SSH)
    •DHCP-based autoconfiguration
    •SNMP (only the ENTITY-MIB and the IF-MIB)
    •IP ping
    •Interface features
    –Speed—10 Mb/s, 100 Mb/s, and autonegotiation
    –Duplex mode—Full, half, and autonegotiation
    –Loopback detection
    •Cisco Discovery Protocol (CDP)
    •DHCP relay agent
    •IPv4 and IPv6 access control lists (ACLs)

  • Management port in Cisco Switches (are they really physical port)

    Hi all,
    I have been taught to console into my cisco switch for configurations through console cable + putty (serial terminal).
    Then I have been taught to configure a management ip and gateway on the cisco switch.
    Switch# conf t
    Switch(config)# interface vlan 1
    Switch(config-if)# ip address 192.168.1.11 255.255.255.0
    Switch(config-if)# no shut
    Switch(config-if)# exit
    Switch(config)# ip default-gateway 192.168.1.1
    All the while, i thought this is the way to remote in to the switch via putty/telnet through the network to configure the switch, until i saw the picture below (cisco catalyst 2960)
    =======================================
    There is a physical port called ethernet management port.  What is it?  What is the difference between this port and the earlier example of setting a management IP in VLAN 1?
    If i set an IP on this particular interface and I ssh in, will i see the same screen/display/console from the earlier example in which i set a management ip in VLAN1 and I ssh in ?
    Regards,
    Noob

    Hi Leo,
    Sorry if you find it hard to explain to me.
    I have understood to think of the ethernet management port as a separate entity from the original switch.
    Maybe with the help of the diagram below, can you let me know if i have understood correctly ?
    *please assume connected port is a management port separated from the normal switch ports
    q1) does the ethernet management port need to be connected to another switch ?
    I have thought of it as a device on the network and it is mentioned by you previously that it will be connected to a switch
    "he traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  "
    q2) In the current setup then, terminal B will be able to access the management port - am i right ?
    q3) you mentioned that the management port is not able to set any gateway, (which is the router fe0/5 - 192.168.0.3 in my illustration), in that case do you mean that terminal A will not be able to access the management port remotely and it can only be accessible locally ?
    Please do correct me if my understanding is wrong.
    Thank you so much for your advices.
    Regards,
    Noob

  • Advantages of 10/100 Management port on 6500/4500 series

    Hi mates,
    There is a common port called "10/100 MGT" (next to console port) on the supervisor engines of 6500 and 4500 series switch.
    Why would I need that port since I can telnet through Layer2 10/100 ports??
    Is that port doing the same job as console port? in addition allows longer distances over cat 5 cables??
    Do we need to assign an IP address on that management port?
    Thanks for helping :)

    Hi,
    The 6500 supervisors do not have a 10/100 MGT port. The cat4000 supervisors do, however.
    On the supI and supII, the Ethernet management ports are for network management only. These ports do not support network switching. See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/inst_gd/05modins.htm#xtocid184774
    On the SupII+, SupIII, and higher, the Ethernet management port is used (in ROMMON mode only) to recover a switch software image that has been corrupted or destroyed due to a network catastrophe. This port is not active while the switch is operating normally.
    See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/hw_doc/78_13686.htm#wp32993
    HTH,
    Bobby
    *please rate helpful posts
