Telnet or ssh management

Hi Everybody!!!
I have noticed that I can log in using almost every configured IP address on the device (here a Catalyst 6500).
I'm wondering why? I'm not talking about the source address, but the destination one.
I have many Vlan interfaces configured on the device. Almost every interface has an IP address assigned.
And I can access the switch remotely over telnet or ssh using every IP address assigned to the Vlan interfaces.
I'm wondering if this is desirable.
Could someone explain it to me?
Maybe there is a way to reduce the number of possible addresses which I can use to log in (destination address).
Best regards,
Agata Czekalska
Technical University of Lodz

Hi
Hmm, Technical University..
I am basing this on a couple of assumptions.
Assumption: this is one of the devices that services students/teachers/others.
Assumption: students are intelligent and inquisitive.
Assumption: you are the only one/group that should have access to the device.
First, your 6500 chassis is/are available on several different VLANs.
This I would stop at once IF there is no special reason for it to be configured that way.
My guess is that if it is not hacked, then it is not far from getting just that.
It does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.
I would actually, if possible, stop all telnet/ssh/http/https traffic to the device itself.
At least stop telnet and http since they send the login information in cleartext.
If the students have a sniffer they will have the login names and passwords quickly.
Get a firewall (ASA 5505?), and set up a PC behind it with a directly connected serial cable to the 6500 (and other switches maybe?). To connect to the PC you would then open up the firewall only for appropriate communication means (IPsec VPN / SSL VPN / AAA TCP communication).
Use personal usernames and passwords so that everyone has their own username and password to log in to the equipment.
Don't forget to set up NTP. That will help not only with time, it will also help with who was last on.
This method secures the device from malicious use or accidental misconfiguration by someone not authorised to use it in that way.
If this is not possible or desirable in your case, ACLs are used to control what IP addresses are allowed to access the unit.
HTH
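Added example (not from the thread, not Cisco's code): a small Python audit that reads an IOS-style running-config, lists every interface address (each one is a telnet/ssh destination unless vty access is restricted, which is the behaviour Agata observed) and flags vty ranges that still accept cleartext telnet or have no access-class, the ACL control the reply recommends. The sample config is constructed; the `line vty` / `transport input` / `access-class` keywords are standard IOS.

```python
import re

# Constructed sample running-config (not from the thread): three SVIs with
# addresses, one vty range open to telnet from anywhere, one locked down.
SAMPLE_CONFIG = """\
hostname core-6500
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan99
 description management
 ip address 10.0.99.1 255.255.255.0
ip access-list standard MGMT-HOSTS
 permit 10.0.99.50
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""


def sections(config):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    out, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            out.append((header, children))
        header, children = raw.strip(), []
    if header is not None:
        out.append((header, children))
    return out


def management_addresses(config):
    """Every interface address is a vty destination the switch answers on.
    Returns (interface name, address) pairs."""
    addrs = []
    for header, children in sections(config):
        if header.startswith("interface "):
            for line in children:
                m = re.match(r"ip address (\S+) \S+$", line)
                if m:
                    addrs.append((header.split()[1], m.group(1)))
    return addrs


def audit_vty(config):
    """Flag vty ranges that accept cleartext telnet or lack a source access-class."""
    findings = []
    for header, children in sections(config):
        if not header.startswith("line vty"):
            continue
        transports, access_class = ["all"], None  # IOS default: transport input all
        for line in children:
            if line.startswith("transport input"):
                transports = line.split()[2:]
            elif line.startswith("access-class"):
                access_class = line.split()[1]
        if "all" in transports or "telnet" in transports:
            findings.append(f"{header}: cleartext transport ({' '.join(transports)})")
        if access_class is None:
            findings.append(f"{header}: no access-class, any source may connect")
    return findings
```

Run against a real `show running-config` dump to see how many addresses answer on the management ports and which vty ranges still need `transport input ssh` and an `access-class`.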

Similar Messages

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with the following question. I have set up a testing lab, but it still does not work.
    It is a hub and spoke site-to-site VPN case; the connection between hub and spoke is metro-E, so we are using private IPs for the outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    Spoke two - Cisco router with version 12.3
    The site-to-site VPN has been successfully established. The customer would like to telnet/ssh to the spoke's outside IP from the Hub (using the Hub's outside interface as source for telnet/ssh), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. Sounds like an easy job to do; I tried for a long time, searched this forum and Google too, but it still does not work.
    Now I can successfully telnet/ssh to the Hub SRX's outside interface from the spoke (the ASA has no telnet/ssh client, tested using the Cisco router).
    Has anyone done it before? Please help to share your experience. Does the Cisco ASA or router even support it?
    When I tested it, of course the site-to-site VPN was still up and running.
    Thanks
    YK

    Hello YK,
    In this case on the ASA, you should have the following:
    Configuring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a management-only interface, enter the following command:
    hostname(config)# management-access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface.
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP (if required). For a quick test you can enable on your lab:
    SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either way, with this command:
        crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case,
    !--- Telnet and SSH are both supported with transport input all.
    line vty 0 4
     transport input all
    !--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
     login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Telnet vs ssh?

    I have a webserver in my basement without a keyboard, monitor or mouse permanently attached to it, so maintaining it is rather difficult. So I've been looking at setting up telnet or ssh on it (which I should have done from the start) so I can manage it from another machine within my network.
    Now I understand that telnet lacks any type of security, and I'm only using it behind my network anyway. But my concern is if I want to log into it from outside my network through my VPN. I use OpenVPN, so I'm asking because I'm not sure whether the VPN connection is encrypted or not, and if it's not, then ssh will be the way to go; otherwise I think telnet is just easier.

    .:B:. wrote: If 'minimal' updates mean what I think it means, then you're only making yourself miserable. Partial updates will break the system; it's a rolling release and often updates depend on one another. Doing 'minimal' updates is not the way to go. If you're afraid stuff breaks, pick another distro, or try the Arch Server Project, or at least install an LTS kernel like gazj did.
    I didn't mean minimal updates like that, I just meant that I don't update it very often. I do run the LTS kernel. I just don't update everything else too often out of the blue like that because it's set up and working. I ran into issues with MySQL one time when I just went ahead and updated; I had trouble getting it going right. So I like to plan my downtime and try to know what to expect. So instead of planning to have it down for 10 minutes, and having that turn into an hour, I can plan for an hour if that's what I know it will take.

  • Good ssh manager with password storage?

    Given the fact that I have to daily log in and off several machines, I am looking for a handy ssh manager that allows me to store passwords. It is useless for me to save some work of looking up IPs if I then have to go and look up passwords.
    I have no option of using auth keys, so the most straightforward way is that of storing passwords in some way.
    Do you know of any app or good way to do this?
    Thanks!

    SSH agent can cache the keys, but not automatically (believe me, I tried). Once you cache them they stay stored for as long as you're logged in to the client though.
    [stijn@hermes ~]$ ssh-add -l
    2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/stijn/.ssh/id_rsa-amalthea (RSA)
    2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/stijn/.ssh/id_rsa-zeus (RSA)
    This is how I have the ssh-agent starting up with my session (I use Openbox):
    This goes in your ~/.bashrc:
    SSHAGENT=/usr/bin/ssh-agent
    SSHAGENTARGS="-s"
    if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
        eval `$SSHAGENT $SSHAGENTARGS`
        trap "kill $SSH_AGENT_PID" 0
    fi
    This goes in your ~/.logout file (necessary to kill the ssh-agent instance):
    if [ -n "$SSH_AGENT_PID" ]; then
        eval `ssh-agent -k`
    fi
    Last edited by B (2008-09-06 00:39:52)

  • Can't Telnet or SSH to switch

    Hey Guys, I can't telnet or ssh to one of my switches. I can however telnet to the switch I'm having trouble with from another switch on the network. I have the config attached. Thanks for any help!

    You are missing the ip default-gateway command pointing to your default gateway IP for the switch subnet.

  • Question of telnet or SSH to 4500X management port

    I configured the 4500X management port (Fa1) and I can ping the IP from the network. But when I tried to telnet to the port, the switch showed "password required but not set".
    I didn't configure any password for the VTY. Should it be equivalent to "no login"? If I want to set or change a password for the management port, where do I configure it?
    Thanks a lot

    Hi,
    Yes, "password" and "login" for the management port should be configured under the "vty" lines.
    Best regards,
    Antonin

  • Not Able to Telnet or SSH Cisco ASA

    Hi,
    I am not able to do the following to the Cisco ASA from one IP address, 172.19.1.11; below is the configuration in the ASA. Earlier it was working; all of a sudden it stopped working.
    Please help.
    1. Not Able to SSH
    2. Solarwinds not able to take information from ASA.
    http 172.19.1.11 255.255.255.255 inside
    snmp-server host inside 172.19.1.11 community srnemapd
    telnet 172.19.1.11 255.255.255.255 inside
    ssh 172.19.1.11 255.255.255.255 inside
    ntp server 172.19.1.11 source inside prefer

    Hi there,
    Just add a new IP address for ssh to the ASA; this will kick start the daemon.
    This new IP does not have to be a real one.
    Hope this helps.
    Thanks
    Rizwan Rafeek

  • Telnet, rlogin, ssh not ok on sun 240 with solaris 5.10 on it

    Hello,
    I am facing some problems with connecting through telnet, rlogin or ssh on a SUN 240 server carrying Solaris 10 software on it. When I try to connect through the serial port, it gives me this error:
    telnet 10.151.145.6 2100
    Trying 10.151.145.6...
    Connected to 10.151.145.6.
    Escape character is '^]'.
    rel4gold_sam_1_7_1 console login: Dec 22 18:21:33 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
    Dec 22 18:23:33 rel4gold_sam_1_7_1 last message repeated 1 time
    INIT: Command is respawning too rapidly. Check for possible errors.
    id: cn "/opt/CCPUsrvr/bin/ccnd -s 38400 -f none -l /dev/term/b #CCPU CCNd"
    Dec 22 18:25:34 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
    rel4gold_sam_1_7_1 console login: root
    Dec 22 18:25:51 rel4gold_sam_1_7_1 login: open_module: /usr/lib/security/pam_authtok_get.so.1 failed: ld.so.1: login: fatal: passwdutil.so.1: open failed: No such file or directory
    Dec 22 18:25:51 rel4gold_sam_1_7_1 login: load_modules: can not open module /usr/lib/security/pam_authtok_get.so.1
    Ping is working properly. Do you have any idea how I can fix this problem?
    Thank you.

    Yeahh, guys!!!
    I was trying to establish a two-node cluster using VirtualBox + Solaris x86 + Sun Cluster 3.2. The node where I was running scinstall to configure my cluster environment was rebooting the other node in the end of the configuration process but it was hanging in the "Rebooting node01..." message just because it was not able to establish the cluster.
    After seeing your comments, I changed Solaris x86 to Solaris Express Community Edition and Sun Cluster to Cluster Express and now everything is working fine!
    Thanks!
    Jansen Sena

  • Telnet or ssh access on wrt160nl

    Hello,
    I have 2 questions regarding the wrt160nl.
    1. Is it possible to have ssh or telnet access on the router with the default firmware?
    2. Is it possible to disable one of the antennas on the router while it has the default firmware installed?
    Thank you

    SSH or telnet access on the WRT160NL should be possible; no need to load any 3rd party firmware for this purpose. To configure your telnet session, check out: How to Telnet to Linksys WRT160NL.
    Configuring the antennas is not possible using the default firmware. For this you'll have to turn to 3rd party software developers.

  • Telnet to SSH connection

    Hi
    We are transitioning from Telnet to the more secure SSH type of connection. What I don't know is how this will impact the applications and the interfaces.
    I don't know how this will impact the following applications:
    SMTP forwarding from SAP.
    Interface from WebMethods.
    Interface between R/3, BW and CRM.
    Can anyone advise us on this?

  • SMB 300 switch - RADIUS authentication

    Did anybody have any luck configuring RADIUS authentication with SMB 300 managed switches? I just deployed one and am struggling with RADIUS authentication against AD. The RADIUS server works because there are 10 other Catalyst switches and routers working fine.
    Any pointers on how to set up RADIUS authentication for administrative connections? I need it for http, telnet and ssh management sessions to the switch.
    Thanks in advance,
    Sam

    Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP. We can't configure firewall/IOS devices for administrative sessions like telnet/ssh to authenticate users with the MSCHAPv2 authentication method.
    If you need secure communication then you may implement TACACS.
    TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ encrypts not only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • LMS Software Image Management - Telnet failure

    Hi all,
    I had a problem with Software Image Management for the upgrade of a switch.
    It seems that at the end of the upgrade, CiscoWorks was unable to save the configuration with telnet.
    Yet telnet seems to be OK, because CiscoWorks manages to connect to the switch at the beginning of the upgrade.
    Updating config file during software upgrade process
    Device running-config is modified but failed to save the running-config to startup-config.
    Cause: Could not detect SSH protocols running on the device
    TELNET: Failed to establish TELNET connection to 10.1.3.4 -Cause: Authentication failed on device 3 times.
    I sent attached the logs of the upgrade.
    Thank you in advance.

    Hello,
    The job failed last night after a timeout.
    I have rescheduled the job this morning for 2 switches:
    2960 with telnet and ssh enabled
    2960 with telnet enabled only
    The device credentials verification job seems to be coherent:
    Device Name   | Read Community | Read Write Community | Telnet                 | Enable by Telnet       | SSH                    | Enable by SSH
    1. switch04-d | Ok             | Ok                   | Ok(Primary Successful) | Ok(Primary Successful) | Failed to connect.     | Did Not Try
    1. switch03-d | Ok             | Ok                   | Ok(Primary Successful) | Ok(Primary Successful) | Ok(Primary Successful) | Ok(Primary Successful)
    But the job fails again because telnet authentication failed on the device 3 times.
    I do not understand why LMS does not use ssh if possible at the finish of the job. Why does telnet authentication fail?
    Thanks in advance.

  • [Feature Request] Wap321 SSH/Telnet Support

    Dear Cisco Developers,
    we are facing a problem with your design choice of not supporting Telnet/SSH on the Wap321. We bought this product because it was one of the only access points with SSH and Telnet support.
    We need the SSH support for a script that changes the WPA-PSK key of the interface wlan0 on more than 20 APs every week. Everything was good until we got hold of a new batch which came with firmware version 1.0.1.10.
    Changelog:
    "Due to security concerns, Telnet and SSH access options are removed in firmware version 1.0.1.10."
    So I talked with the German Cisco Small Business Support and he said he would investigate and try to get it to the second support tier. Well, it never came to that; he called us two days later and said that it was a BUG to support SSH and Telnet on the WAP321 and it was never designed to be a feature.
    So I guess we have the following options:
    1. Bring back the SSH support for the Wap321 in the next firmware update
    2. Provide firmware version 1.0.0.3
    3. Give me a workaround for my task
    So any help would be appreciated and I hope we are not the only ones that would like to see a comeback of this feature.
    In hope for comments
    Best wishes
    Fabian Schwarz
    (PTA-Support)
    PS: Support Ticket was 624972937

    No Sir I do not.
    According to the response from L2:
    SSH is only enabled for customers to use on switches. Developers normally do not allow SSH (enabled or protected with password) for end users on any wireless device. Management is done by the web interface.
    In this particular case SSH was enabled only due to some bugs which were monitored during the first release, so it is not meant to be for end users. Because of particular security risks, SSH is for troubleshooting by developers.
    Currently there is no chance that they would issue any official firmware for this, and there is little chance they would create special firmware for just a few customers.
    I am sorry for any inconvenience that this has caused.
    Eric Moyers
    If you like you can roll the mouse over my picture and get my actual email address and contact me directly.

  • Transport input telnet ssh help

    Hello,
    I had two questions about remotely logging in to a switch or router:
    1. What is the default setting on a switch or router to accept remote login (i.e., telnet or ssh)?
    2. If I configure... TRANSPORT INPUT TELNET SSH... which one is the default and accepted first by the switch or router? I mean I know that it will accept both, but I want to know, if I configure both to be accepted, which one has first priority or by default which one is accepted first, telnet or ssh.
    Thanks

    1) Default settings on all VTYs are "transport input all" --> all the supported protocols, that includes both telnet and ssh.
    2) There is no priority level on which one is accepted first. Basically it just listens on both protocols (telnet - tcp/23 and ssh - tcp/22) for remote management.
    Here is the command description for your reference:
    http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
    Hope that helps.

  • QoS: Locally sourced SSH/Telnet/...

    Doing some packet sniffing at the moment. I noticed that SSH/Telnet packets that are returning from Cisco Catalyst 3750 switches and Cisco 2800 routers are being marked with CS6. I was aware of Control Plane protocols that mark traffic with CS6/CS7, like IP routing protocols, STP, NHRP and others. I haven't heard anything about SSH/Telnet though; those belong to the Management Plane. I have googled for hours to find any Cisco document with the full list of protocols and how they are marked (CS6/CS7) if sourced locally. Found nothing.
    Anyone to spill the beans?
    Much appreciated

    Thanks for your input... Although it hasn't made it clear.
    Here's my config
    C3750#sh run all | inc ip.ssh|ip.telnet
    ip ssh time-out 120
    ip ssh authentication-retries 5
    ip ssh break-string ~break
    ip ssh dh min size 1024
    C3750(config)#ip ssh dscp ?
      <0-63>  ip dscp value (default value 0 )
    Looks odd to me. As I said, Wireshark displays all returning SSH frames (that is, originated on the switch) with 802.1p = 6 and DSCP = CS6. The output above states the default value has to be 0, and I don't have any commands that rewrite the default behaviour.
    I have QoS enabled on the switch (mls qos) with the relevant maps created. I do not have any QoS policies for the locally originated traffic in place (i.e. the ip policy global command).
    Strange
