04-11-2011 08:21 PM
We're running a redundant pair of ACE SMs in bridge mode and were requested by the customer to access the back-end servers via ssh. We currently allow only IP and ICMP in our access-list that we apply to the client side and server side interfaces. Can we just add SSH to the access-list or do we need to add TCP port 22?
thanks..
Greg
04-11-2011 09:16 PM
If permit ip is configured as below and applied to both client and server,
you don't have to configure an access-list for ssh.
access-list all line 8 extended permit ip any any
I confirmed the behavior with the following basic setup of bridge mode.
client --[vlan781] -- ACE4710 -- [vlan782] -- server
client: 192.168.82.161
server: 192.168.82.162
Generating configuration....
access-list all line 8 extended permit ip any any
access-group input all
interface vlan 781
bridge-group 1
no shutdown
interface vlan 782
bridge-group 1
no shutdown
interface bvi 1
ip address 192.168.82.160 255.255.255.0
no shutdown
## ssh from client to server
Regards,
Yuji
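As an added example (not from the thread), a small Python evaluator for the ACE access-list lines quoted in this thread, showing why a "permit ip any any" entry already covers SSH (TCP/22): entries are tested in line order, "ip" matches every IP protocol, and unmatched traffic hits the implicit deny. It only understands "any" and "host" addresses plus an optional "eq PORT", an assumed subset of the ACE syntax.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

@dataclass
class Ace:
    line: int
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp" or "icmp"
    src: str         # "any" or a host address (assumed subset of ACE syntax)
    dst: str
    dport: Optional[int]

def parse_ace(text: str) -> Ace:
    """Parse 'access-list NAME line N extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = text.split()
    if t[0] != "access-list" or t[2] != "line" or t[4] != "extended":
        raise ValueError(f"unsupported entry: {text}")
    i = 6
    proto = t[i]
    i += 1
    fields = []
    for _ in range(2):                       # source, then destination
        if t[i] == "host":
            fields.append(t[i + 1])
            i += 2
        else:
            fields.append(t[i])              # "any"
            i += 1
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(int(t[3]), t[5], proto, fields[0], fields[1], dport)

def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match in line order wins; unmatched traffic gets the implicit deny (line None)."""
    for e in sorted(acl, key=lambda e: e.line):
        if ((e.proto == "ip" or e.proto == proto)      # "ip" covers tcp, udp and icmp
                and (e.dport is None or e.dport == dport)
                and addr_match(e.src, src) and addr_match(e.dst, dst)):
            return e.action, e.line
    return "deny", None

# Greg's two entries from later in this thread
GREG_ACL = [parse_ace(s) for s in (
    "access-list any line 8 extended permit icmp any any",
    "access-list any line 16 extended permit ip any any",
)]
```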
04-12-2011 07:09 AM
Thanks very much for your detailed response. I have the following in my config:
access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any
interface vlan 111
description server vlan
bridge-group 1
mac-sticky enable
no icmp-guard
access-group input bpdu
access-group input any
access-group output any
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
However, I still can't access the servers via SSH. I can do it from the ACE, but not from the upstream switch. Can you think of anything else that jumps out at you?
Thanks again..
_Greg
04-12-2011 07:31 AM
Can you ping from client to server?
If you can, please get 'show conn' as below when you access with icmp and ssh.
And also please let me know the configuration of client vlan and bvi interface on ACE?
## icmp
ACE4710a-yushimaz/c2(config-if)# do sh conn
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
2293 1 in ICMP 781 192.168.82.162:57925 192.168.82.161:2048 --
2496 1 out ICMP 782 192.168.82.161:57925 192.168.82.162:0 --
total active connections : 2
## ssh
ACE4710a-yushimaz/c2(config-if)# do sh conn
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
2548 1 in TCP 781 192.168.82.162:52187 192.168.82.161:22 ESTAB
2567 1 out TCP 782 192.168.82.161:22 192.168.82.162:52187 ESTAB
total active connections : 2
Regards,
Yuji
04-12-2011 08:47 AM
Thanks for your response. I just noticed I can SSH into some servers from the switch, but not to others. Yet, I can SSH into all of them from the ACE. This is my client side int and the bvi:
interface vlan 222
description vip vlan
bridge-group 1
mac-sticky enable
no icmp-guard
access-group input bpdu
access-group input any
access-group output any
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input V222-VIPS
no shutdown
interface bvi 1
ip address 192.168.92.197 255.255.255.192
alias 192.168.92.196 255.255.255.192
peer ip address 192.168.92.198 255.255.255.192
no shutdown
thanks again...
04-12-2011 06:17 PM
Does 'policy-map V222-VIPS' loadbalance ssh requests?
If your client uses both direct access to the server and vip access,
some requests may be dropped as a 'redundant connection' by
ocm.
(Since I don't have the full configuration and don't know the details of the
connection table, I'm not sure. So, the following is just my guess.
I need 'show tech' to investigate in more detail.)
client(192.168.92.201) -- ACE(vip:192.168.92.200) -- server(192.168.92.202)
If ip addresses are configured as above, ACE establishes connections as below.
(In this case, the source port is 10000.)
# vip access
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
111111 1 in TCP 111 192.168.92.201:10000 192.168.92.100:22 ESTAB
111112 1 out TCP 222 192.168.92.202:22 192.168.92.201:10000 ESTAB
# direct access
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
111113 1 in TCP 111 192.168.92.201:10000 192.168.92.202:22 ESTAB
111114 1 out TCP 222 192.168.92.202:22 192.168.92.201:10000 ESTAB
Conn-id 111112 and 111114 are the same.
If conn-id 111112 already exists, ACE cannot create conn-id 111114.
Then the counter below will be incremented.
ACE/Admin# show np 1 me-stats -socm | i redundant
Drop [redundant connection]: 1 0
It tends to occur with http requests since many connections are established.
However, I've never heard of it with other protocols. So, my guess may be wrong.
Anyway, to troubleshoot in more detail, I want a show tech.
Regards,
Yuji
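As an added illustration, not part of the thread, here is a small Python model of the connection-table collision Yuji describes: in bridge mode the server-side leg of a load-balanced flow keeps the client's original address and port, so it is keyed identically to a direct client-to-server flow that reuses the same source port. The ConnTable class, the key layout and the starting conn-id are the example's own assumptions; the addresses and source port 10000 are taken from Yuji's scenario.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class ConnTable:
    conns: Dict[tuple, int] = field(default_factory=dict)  # assumed 5-tuple key -> conn-id
    next_id: int = 111111                                   # first conn-id, as in Yuji's post
    drop_redundant: int = 0                                 # "Drop [redundant connection]" counter

    def open_flow(self, client: str, sport: int, dst: str, dport: int,
                  vip_to: Optional[str] = None) -> Optional[Tuple[int, int]]:
        """Open a TCP flow from client:sport to dst:dport.

        dst is either the real server (direct access) or a VIP; with vip_to set,
        the server-side leg goes to that server with the client's address and
        port unchanged (bridge mode, no source NAT).
        Returns (in_id, out_id), or None if the flow is dropped as redundant.
        """
        server = vip_to or dst
        in_key = ("in", client, sport, dst, dport)        # client-side vlan entry
        out_key = ("out", server, dport, client, sport)   # server-side vlan entry (reply direction)
        if in_key in self.conns or out_key in self.conns:
            self.drop_redundant += 1                      # ACE cannot create a duplicate entry
            return None
        ids = []
        for key in (in_key, out_key):
            self.conns[key] = self.next_id
            ids.append(self.next_id)
            self.next_id += 1
        return ids[0], ids[1]

def reproduce_collision():
    """Replay Yuji's scenario: a VIP flow, then a direct flow reusing source port 10000.

    Returns (vip_ids, direct_ids, redundant_drop_count).
    """
    t = ConnTable()
    via_vip = t.open_flow("192.168.92.201", 10000, "192.168.92.200", 22,
                          vip_to="192.168.92.202")
    direct = t.open_flow("192.168.92.201", 10000, "192.168.92.202", 22)
    return via_vip, direct, t.drop_redundant
```

Changing the direct flow's source port in reproduce_collision makes both flows succeed, which is why the symptom tends to surface only when a client opens many connections.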
04-13-2011 09:48 AM
Thanks again. If users are accessing the servers directly from the switch, will they have to traverse the ACE to bridge the server side and the client side vlans, or will the ACE be bypassed and the switch bridge the vlans?
Thanks..
_Greg...
04-14-2011 06:02 PM
ACE will bridge the request and create the connection entry for this request.
Regards,
Yuji