accessing back-end servers via ssh

axfalk
Level 1

We're running a redundant pair of ACE SM's in bridge mode and were requested by the customer to access the back-end servers via ssh. We currently allow only IP and ICMP in our access-list that we apply to the client side and server side interfaces. Can we just add SSH to the access-list or do we need to add TCP port 22?

thanks..

Greg


7 Replies

yushimaz
Cisco Employee

If permit ip is configured as below and applied to both client and server, you don't have to configure an access-list for ssh.

access-list all line 8 extended permit ip any any

I confirmed the behavior with the following basic setup of bridge mode.

client --[vlan781] -- ACE4710 -- [vlan782] -- server

client: 192.168.82.161
server: 192.168.82.162

ACE4710a-yushimaz/c2# sh run
Generating configuration....
access-list all line 8 extended permit ip any any
access-group input all
interface vlan 781
  bridge-group 1
  no shutdown
interface vlan 782
  bridge-group 1
  no shutdown
interface bvi 1
  ip address 192.168.82.160 255.255.255.0
  no shutdown

## ssh from client to server

client:~# ssh -l root 192.168.82.161
root@192.168.82.161's password:
Linux avs3120b 2.6.26-2-686 #1 SMP Thu Nov 25 01:53:57 UTC 2010 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 11 15:54:06 2011 from 192.168.82.162
server:~#
If you don't permit the ip address of the ssh client in the 'permit ip' configuration, you have to configure an acl for ssh. You can use 'ssh' or '22' as below, but port 22 will be translated to ssh in show run.

ACE4710a-yushimaz/c2(config)# access-list ssh extended permit tcp any any eq ssh
ACE4710a-yushimaz/c2(config)# access-list ssh2 extended permit tcp any any eq 22
ACE4710a-yushimaz/c2(config)# do sh run | i ssh
Generating configuration....
access-list ssh line 8 extended permit tcp any any eq ssh
access-list ssh2 line 8 extended permit tcp any any eq ssh
ACE4710a-yushimaz/c2(config)#

Regards,

Yuji

Thanks very much for your detailed response. I have the following in my config:

access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any

interface vlan 111
  description server vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

However, I still can't access the servers via SSH. I can do it from the ACE, but not from the upstream switch. Can you think of anything else that jumps out at you?

Thanks again..

_Greg

Can you ping from client to server?

If you can, please get 'show conn' as below when you access with icmp and ssh.

Also, please let me know the configuration of the client vlan and bvi interface on the ACE.

## icmp

ACE4710a-yushimaz/c2(config-if)# do sh conn
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
2293       1  in  ICMP  781  192.168.82.162:57925  192.168.82.161:2048   --
2496       1  out ICMP  782  192.168.82.161:57925  192.168.82.162:0      --
total active connections : 2

## ssh

ACE4710a-yushimaz/c2(config-if)# do sh conn
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
2548       1  in  TCP   781  192.168.82.162:52187  192.168.82.161:22     ESTAB
2567       1  out TCP   782  192.168.82.161:22     192.168.82.162:52187  ESTAB
total active connections : 2

Regards,

Yuji

Thanks for your response. I just noticed I can SSH into some servers from the switch, but not to others. Yet, I can SSH into all of them from the ACE. This is my client side int and the bvi:

interface vlan 222
  description vip vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input V222-VIPS
  no shutdown

interface bvi 1
  ip address 192.168.92.197 255.255.255.192
  alias 192.168.92.196 255.255.255.192
  peer ip address 192.168.92.198 255.255.255.192
  no shutdown

thanks again...

Does 'policy-map V222-VIPS' loadbalance ssh requests?

If your client uses both direct access to the server and vip access, some requests may be dropped due to a 'redundant connection' by ocm.

(Since I don't have the full configuration and don't know the details of the connection table, I'm not sure. So the following is just my guess. I need a 'show tech' to investigate in more detail.)

client(192.168.92.201) -- ACE(vip:192.168.92.200) -- server(192.168.92.202)


If ip addresses are configured as above, ACE establishes connections as below.

(This time, source port uses 10000.)

# vip access

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
111111     1  in  TCP   111  192.168.92.201:10000  192.168.92.100:22     ESTAB
111112     1  out TCP   222  192.168.92.202:22     192.168.92.201:10000  ESTAB

# direct access

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
111113     1  in  TCP   111  192.168.92.201:10000  192.168.92.202:22     ESTAB
111114     1  out TCP   222  192.168.92.202:22     192.168.92.201:10000  ESTAB

Conn-id 111112 and 111114 are the same.

If conn-id 111112 already exists, ACE cannot create conn-id 111114.

Then the counter below will be incremented.

ACE/Admin# show np 1 me-stats -socm | i redundant

Drop    [redundant connection]:                         1             0

It tends to occur with http requests since many connections are established.

However, I've never heard of it with other protocols. So my guess may be wrong.

Anyway, to troubleshoot in more detail, I want a show tech.

Regards,

Yuji
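As an added example (not part of the thread and not Cisco's tooling), the script below parses 'show conn' output in the table format shown above and reports server-side flows that share the same direction, protocol, vlan, source and destination, which is exactly the collision Yuji describes between conn-id 111112 and 111114. The sample table is constructed after the diagram in the post (client .201, vip .200, server .202).

```python
"""Parse ACE 'show conn' output and flag duplicate (redundant) flows.

Added example, not from the thread. When a client reaches a server both
through the VIP and directly, the ACE needs the same server-side 'out'
flow twice; the second cannot be created and the ocm 'redundant
connection' drop counter increments. Grouping rows by their flow key
makes such a collision visible before pulling a full 'show tech'.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the thread's table format. Conn-ids and addresses
# follow Yuji's illustration and are not from a real device.
SAMPLE_SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
111111     1  in  TCP   111  192.168.92.201:10000  192.168.92.200:22     ESTAB
111112     1  out TCP   222  192.168.92.202:22     192.168.92.201:10000  ESTAB
111113     1  in  TCP   111  192.168.92.201:10000  192.168.92.202:22     ESTAB
111114     1  out TCP   222  192.168.92.202:22     192.168.92.201:10000  ESTAB
total active connections : 4
"""

# One connection row: conn-id np dir proto vlan source destination state
ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_conn(text: str) -> List[dict]:
    """Return one dict per connection row; header, ruler and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cid, np_, direction, proto, vlan, src, dst, state = m.groups()
            rows.append(dict(conn_id=cid, np=np_, dir=direction, proto=proto,
                             vlan=vlan, src=src, dst=dst, state=state))
    return rows


def find_redundant_flows(text: str) -> List[Tuple[str, ...]]:
    """Group rows by (dir, proto, vlan, src, dst); a key held by more than
    one conn-id is a flow the ACE would refuse to create a second time."""
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for r in parse_show_conn(text):
        key = (r["dir"], r["proto"], r["vlan"], r["src"], r["dst"])
        groups[key].append(r["conn_id"])
    return [tuple(ids) for ids in groups.values() if len(ids) > 1]
```

Run it against a pasted 'show conn' capture taken while the client opens the VIP and direct sessions; an empty result means the two paths produce distinct server-side flows.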

Thanks again. If users are accessing the servers directly from the switch, will they have to traverse the ACE to bridge the server side and the client side vlans, or will the ACE be bypassed and the switch bridge the vlans?

Thanks..

_Greg...

ACE will bridge the request and create the connection entry for this request.

Regards,

Yuji
