723 Views · 4 Helpful · 8 Replies

SSH problem

ashahnawaz
Level 1

Hi. 

I have added an ACL to allow certain IPs to the management VLAN. Upon adding this ACL I can SSH to the device but get an access denied; upon removing the ACL it works fine.

Here is the config (some sensitive details removed):

interface Vlan200
description ***Management***
ip address 192.168.68.2 255.255.255.0
ip access-group ACL_MGMT_in in
!
ip default-gateway 192.168.68.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
!
ip access-list extended ACL_MGMT_in
10 permit ip host 192.168.150.100 any
20 permit ip host 192.168.150.101 any
30 permit ip host 192.168.150.102 any
40 permit ip host 192.168.150.103 any
50 permit ip host 192.168.150.104 any
60 permit ip host 192.168.150.105 any
70 permit ip host 192.168.152.20 any
80 permit ip 192.168.68.0 0.0.0.255 any
90 deny ip any any
!
!

!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
transport input all
line vty 5 15
exec-timeout 60 0
privilege level 15
transport input all
!
!
!
!
!
end
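The question above hinges on what the inbound ACL on Vlan200 actually lets through: the listed management hosts and the 192.168.68.0/24 subnet are permitted, and entry 90 drops everything else, including any traffic the switch itself expects to receive through that SVI. The following evaluator is an added example, not code from the original post or from Cisco; it parses the posted ACL_MGMT_in text (copied here as a constant) with IOS first-match semantics and reports the verdict for a handful of constructed inbound flows. The SVI address is taken from the post; the AAA server address 10.10.10.5 is an assumption introduced only to illustrate that a server not covered by the permit entries falls to the final deny. Port qualifiers (e.g. `eq 22`) are not parsed, since the posted ACL has none.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the ACL posted above (ACL_MGMT_in), as plain text.
ACL_MGMT_IN = """\
10 permit ip host 192.168.150.100 any
20 permit ip host 192.168.150.101 any
30 permit ip host 192.168.150.102 any
40 permit ip host 192.168.150.103 any
50 permit ip host 192.168.150.104 any
60 permit ip host 192.168.150.105 any
70 permit ip host 192.168.152.20 any
80 permit ip 192.168.68.0 0.0.0.255 any
90 deny ip any any
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; anything else is matched literally
    src: tuple    # (address_int, wildcard_int); wildcard bits are "don't care"
    dst: tuple


def _addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((address_int, wildcard_int), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))   # wildcard, not a netmask
    return (addr, wild), i + 2


def parse_acl(text):
    """Parse numbered 'seq permit|deny proto src dst' lines; trailing qualifiers are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _addr(tokens, 3)
        dst, i = _addr(tokens, i)
        entries.append(Entry(seq, action, proto, src, dst))
    return entries


def _matches(spec, ip):
    # OR-ing both sides with the wildcard blanks out the don't-care bits before comparing.
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """First-match evaluation like IOS. Returns (action, seq); (deny, None) is the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return e.action, e.seq
    return "deny", None


def audit_inbound(entries, flows):
    """Verdict for each (name, src, dst) flow that must be accepted inbound on the SVI."""
    return {name: evaluate(entries, src, dst)[0] for name, src, dst in flows}


SWITCH_SVI = "192.168.68.2"   # Vlan200 address from the post

# Constructed flows; 10.10.10.5 is an assumed AAA server address, not from the thread.
FLOWS = [
    ("ssh from 192.168.150.100", "192.168.150.100", SWITCH_SVI),
    ("ssh from 192.168.68.50 (same subnet)", "192.168.68.50", SWITCH_SVI),
    ("ssh from 10.0.0.9 (not listed)", "10.0.0.9", SWITCH_SVI),
    ("reply from assumed AAA server 10.10.10.5", "10.10.10.5", SWITCH_SVI),
]

if __name__ == "__main__":
    acl = parse_acl(ACL_MGMT_IN)
    for name, verdict in audit_inbound(acl, FLOWS).items():
        print(f"{verdict:6}  {name}")
```

Run as-is, the script shows the first two flows permitted (entries 10 and 80) and the last two denied by entry 90. The practical check is the last line: before attaching an inbound ACL that ends in `deny ip any any` to a management SVI, list every peer the switch must hear from on that interface (AAA, syslog, NTP, monitoring) and confirm each one hits a permit.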

Accepted Solution

Use

ip tacacs source-interface Vlan200


8 Replies

Not sure on the exact issue, we apply the ACL to the VTY.

line vty 0 15
length 54
logging synchronous
exec-timeout 15
transport input ssh
access-class 10 in vrf-also

Hi @ashahnawaz 

An ACL applied to the interface VLAN does not block traffic sent to the device CPU, like SSH (management traffic). You need to apply the ACL on the line vty:

line vty 0 4

access-class ACL_MGMT_in in

If the switch does not accept a named ACL, create a numbered ACL:


ip access-list extended 100
10 permit ip host 192.168.150.100 any
20 permit ip host 192.168.150.101 any
30 permit ip host 192.168.150.102 any
40 permit ip host 192.168.150.103 any
50 permit ip host 192.168.150.104 any
60 permit ip host 192.168.150.105 any
70 permit ip host 192.168.152.20 any
80 permit ip 192.168.68.0 0.0.0.255 any
90 deny ip any any

line vty 0 4

access-class 100 in

Hello thanks for the reply.

I forgot to mention this config is on the Core Switch on x.x.68.2. If I try to SSH to x.x.68.3 I get to the splash page, however the password is not accepted (Access Denied). Removing the ACL from the interface on the CORE allows me in.

Hi,

Which device is x.x.68.3? Are you using TACACS?

Core is a 9500 on 68.2.

68.3 is a C9200L

We are using local login:

login local

Do you configure

username xxxx password yyyy ?

Here is the user config:

version 17.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service call-home
service unsupported-transceiver
platform punt-keepalive disable-kernel-core
!
hostname Core
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
enable secret 9 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
switch 1 provision c9500-16x
switch 2 provision c9500-16x
!
!
!
!
stackwise-virtual
domain 1
!

!
login on-success log
!
!

vtp domain Test.Local
vtp mode transparent
udld aggressive


!
license boot level network-advantage addon dna-advantage
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100-106,200,998-999 priority 4096
memory free low-watermark processor 133114
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery interval 30
username Redacted privilege 15 secret 9 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode sso
!
!
!
