06-10-2011 09:02 PM
Unable to SSH into a virtual context on ACE, but able to SSH into the Admin context.
The "ssh key rsa 1024 force" command is reported as an invalid command on ACE. Please help me with this.
06-11-2011 04:41 PM
Hello,
ACE management access is allowed using the Modular Policy Framework instead of the "ssh key rsa [key size]" command.
If you want to enable SSH access per context, you need to create a new management class-map, match it in a policy and then apply it under the interface of that context.
i.e.:
ACE/Context(config)# class-map type management match-any MGMT
ACE/Context(config-cmap-mgmt)# 2 match protocol icmp any
ACE/Context(config-cmap-mgmt)# 3 match protocol ssh any
ACE/Context(config-cmap-mgmt)# exit
ACE/Context(config)# policy-map type management first-match MGMT_POLICY
ACE/Context(config-pmap-mgmt)# class MGMT
ACE/Context(config-pmap-mgmt-c)# permit
ACE/Context(config-pmap-mgmt-c)# exit
ACE/Context(config-pmap-mgmt)# exit
ACE/Context(config)# interface vlan 10
ACE/Context(config-if)# ip address 192.168.10.1 255.255.255.240
ACE/Context(config-if)# service-policy input MGMT_POLICY
HTH
__ __
Pablo
06-11-2011 09:02 PM
This is the config I have on the context:
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 201
  ip address 161.247.133.88 255.255.255.0
  peer ip address 161.247.133.89 255.255.255.0
  mtu 1500
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
Not sure if I need to add anything else to get SSH access working on the context.
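The management access path Pablo describes (management class-map, permitted in a management policy-map, applied as an input service-policy on the context's VLAN interface) is easy to get subtly wrong when a context config is long, so here is an added example, written for this page and not taken from the thread or from Cisco, that audits exactly that chain. It parses the three stanza types from a pasted ACE running-config (indentation-insensitive, since forum pastes lose it), reports per VLAN interface whether SSH is admitted and from where, and flags what a reviewer would question in the posted config: telnet, http and snmp permitted from any source. The embedded sample config is constructed to mirror the context config posted above; the list of "cleartext" protocols and the set of top-level keywords used to delimit stanzas are this example's assumptions, not ACE behaviour.

```python
# Management protocols that carry credentials or data unencrypted.  Flagging them
# is this example's assumption about what a reviewer wants, not an ACE rule.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "snmp"}
# Keywords that open a new top-level stanza; used to find the end of a block when
# indentation has been lost (as in a config pasted into a forum post).  Assumed set.
TOP_LEVEL = {"class-map", "policy-map", "interface", "access-list", "ip", "context",
             "ft", "logging", "resource-class", "boot", "login", "hostname", "clock",
             "ntp", "aaa", "deadtime", "peer", "ssh", "snmp-server", "username"}
# "ip address" / "peer ip address" are interface sub-commands, not new stanzas.
SUBCOMMAND_PREFIXES = ("ip address", "peer ip address")


def parse_ace_config(text):
    """Return (classes, policies, interfaces): classes[name] -> [(protocol, source)],
    policies[name] -> {class: action}, interfaces[name] -> {"ip": str, "policies": []}."""
    classes, policies, interfaces = {}, {}, {}
    kind, cur, open_class = None, None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():          # drop ACE's "2 match ..." line numbers
            tokens = tokens[1:]
        if not tokens:
            continue
        line = " ".join(tokens)
        if tokens[0] in TOP_LEVEL and not line.startswith(SUBCOMMAND_PREFIXES):
            kind, cur, open_class = None, None, None
            if tokens[:3] == ["class-map", "type", "management"]:
                kind, cur = "class", classes.setdefault(tokens[-1], [])
            elif tokens[:3] == ["policy-map", "type", "management"]:
                kind, cur = "policy", policies.setdefault(tokens[-1], {})
            elif tokens[:2] == ["interface", "vlan"]:
                kind, cur = "iface", interfaces.setdefault(line, {"ip": "", "policies": []})
            continue
        if kind == "class" and tokens[:2] == ["match", "protocol"] and len(tokens) > 2:
            cur.append((tokens[2], " ".join(tokens[3:]) or "any"))
        elif kind == "policy" and tokens[0] == "class" and len(tokens) > 1:
            open_class = tokens[1]
            cur.setdefault(open_class, None)
        elif kind == "policy" and tokens[0] in ("permit", "deny") and open_class:
            cur[open_class] = tokens[0]
        elif kind == "iface" and line.startswith("ip address") and len(tokens) > 2:
            cur["ip"] = tokens[2]
        elif kind == "iface" and tokens[:2] == ["service-policy", "input"] and len(tokens) > 2:
            cur["policies"].append(tokens[2])
    return classes, policies, interfaces


def audit_management_access(text):
    """Map each VLAN interface to a list of findings; an "OK:" entry means SSH is admitted."""
    classes, policies, interfaces = parse_ace_config(text)
    report = {}
    for name, iface in interfaces.items():
        findings, permitted = [], {}                # permitted: protocol -> {sources}
        applied = [p for p in iface["policies"] if p in policies]
        if not applied:
            findings.append(f"no management service-policy on {name} ({iface['ip']}): "
                            "SSH/Telnet/SNMP to this address will be refused")
        for pname in applied:
            for cname, action in policies[pname].items():
                if action == "permit":
                    for proto, src in classes.get(cname, []):
                        permitted.setdefault(proto, set()).add(src)
        if "ssh" in permitted:
            findings.append("OK: ssh permitted from " + ", ".join(sorted(permitted["ssh"])))
        elif applied:
            findings.append("ssh not permitted by any applied management policy")
        for proto in sorted(permitted):
            if proto in CLEARTEXT_PROTOCOLS:
                findings.append(f"cleartext management protocol {proto} permitted from "
                                + ", ".join(sorted(permitted[proto])))
        if any("any" in srcs for srcs in permitted.values()):
            findings.append("management access matched on source 'any'; "
                            "restrict it to the management subnet")
        report[name] = findings
    return report


# Constructed to mirror the context configuration posted above; not a live capture.
SAMPLE_CONTEXT = """\
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 201
  ip address 161.247.133.88 255.255.255.0
  peer ip address 161.247.133.89 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
"""
# Same context with the management policy left off the interface (the thread's symptom).
SAMPLE_NO_POLICY = SAMPLE_CONTEXT.replace("  service-policy input remote_mgmt_allow_policy\n", "")

if __name__ == "__main__":
    for iface, findings in audit_management_access(SAMPLE_CONTEXT).items():
        print(iface, *findings, sep="\n  ")
```

Run against the posted config it reports SSH as permitted from any source, then flags telnet, http and snmp as cleartext protocols exposed on the same interface; run against the variant with the service-policy removed it reports the exact failure mode of this thread, a context whose interface has no management policy and therefore refuses every management protocol.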
06-13-2011 09:33 AM
Hi there,
Can you share the show run from your Admin context and the ARP table if possible?
Thanks
__ __
Pablo
06-15-2011 08:26 AM
logging enable
logging buffered 7
logging host 10.129.40.123 udp/514
resource-class RC1
  limit-resource all minimum 10.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_5.bin
login timeout 10
peer hostname s0adcdmzace02
hostname s0adcdmzace01
interface gigabitEthernet 1/1
  switchport trunk allowed vlan 201,1003
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  no shutdown
clock timezone est -5 0
clock summer-time standard EDT
deadtime 15
ntp server 161.247.133.30 prefer
ntp peer 161.247.133.89
aaa authentication login error-enable
access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list ALL line 11 extended permit tcp any any
ip domain-lookup
ip domain-name aholdusa.com
ip name-server 10.129.12.53
ip name-server 10.129.12.51
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 201
  ip address 161.247.133.145 255.255.255.0
  peer ip address 161.247.133.146 255.255.255.0
  mtu 1500
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
ft interface vlan 1003
  ip address 1.1.1.1 255.255.255.252
  peer ip address 1.1.1.2 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 1003
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 161.247.133.30
ip route 10.0.0.0 255.0.0.0 161.247.133.40
ip route 161.247.128.0 255.255.255.0 161.247.133.40
ip route 161.247.134.0 255.255.255.0 161.247.133.40
ip route 161.247.135.0 255.255.255.0 161.247.133.40
ip route 161.247.7.0 255.255.255.0 161.247.133.40
ip route 161.247.136.0 255.255.255.0 161.247.133.40
context production
  allocate-interface vlan 201
  member RC1
ft group 11
  peer 1
  priority 200
  associate-context production
  inservice

s0adcdmzace01/Admin# sh arp

Context Admin
================================================================================
IP ADDRESS       MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
================================================================================
161.247.133.30   00.08.a3.db.89.e5  vlan201    GATEWAY    66     226 sec     up
161.247.133.40   00.00.5e.00.01.67  vlan201    GATEWAY    67     240 sec     up
161.247.133.44   00.00.5e.00.01.67  vlan201    LEARNED    73     12673 sec   up
161.247.133.89   00.12.43.dc.6f.02  vlan201    LEARNED    68     10482 sec   up
161.247.133.145  00.1e.68.58.10.0b  vlan201    INTERFACE  LOCAL  _           up
161.247.133.146  00.1e.68.58.10.11  vlan201    LEARNED    69     10674 sec   up
161.247.133.177  00.0d.60.51.f2.06  vlan201    LEARNED    70     11709 sec   up
1.1.1.1          00.1e.68.58.10.0b  vlan1003   INTERFACE  LOCAL  _           up
1.1.1.2          00.1e.68.58.10.11  vlan1003   LEARNED    56     8170 sec    up
================================================================================
Total arp entries 9
06-15-2011 10:09 AM
Hi,
The config on the Admin context looks OK. I thought it might be an issue with interface or resource allocation, but that looks fine.
Do you happen to have a default route on context "production"? If I'm not wrong, it would be the same default route the Admin context is using:
ip route 0.0.0.0 0.0.0.0 161.247.133.30
Are you able to ping 161.247.133.88 from an upstream device sitting on VLAN 201?
Regards
__ __
Pablo
06-15-2011 12:58 PM
The default route is exactly the same in my context as that of Admin.
Ping is blocked, so I can't ping .88 or .145 (Admin context).
Not sure if I am missing anything to get SSH access working on my context. Please help me.