Issues with VTY access-class in SW 3750

hansrodlo (Level 1)

Hi everyone, 

I have a problem with access-class applied in vty in a SW 3750 with IOS 12.2(58)SE2.

I have this configuration:

Standard IP access list ACL_MGMT_VTY
    10 permit x.x.x.x, wildcard bits 0.0.0.255
!
line vty 0 4
 access-class ACL_MGMT_VTY in
 privilege level 15
 logging synchronous
 transport input ssh
!

When I am connected to this switch and try to make an SSH connection with an IP address different from x.x.x.x, it shows this message:

% Connections to that host not permitted from this terminal

If I remove this access-class, or try to establish a telnet session, it works perfectly.

Any suggestions? Ideas?

Possible IOS bug?

9 Replies

Jennifer Halim (Cisco Employee)

Since you only permit x.x.x.x to SSH to the switch, only that IP address is allowed to SSH to the switch. If you try to connect using any other IP address, then it will not allow it, since you have restricted it to that particular IP.

If you want the whole subnet to access the switch, then the access-class should say:

permit x.x.x.0 0.0.0.255

instead of:

permit x.x.x.x 0.0.0.255
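As an added illustration that is not part of the thread, the snippet below models how a Cisco-style standard ACL entry decides whether a source address matches: each bit set to 1 in the wildcard mask is a "don't care" bit, each 0 bit must match, and an address that matches no entry falls through to the implicit deny at the end of the list. The addresses used (192.0.2.0/24 and friends) are constructed sample values, and the ACL name mirrors the one in the post.

```python
# Added example, not code from the thread or from Cisco. It models the
# wildcard-mask matching rule of an IOS standard ACL on constructed input.
import ipaddress


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(source: str, entry_addr: str, wildcard: str) -> bool:
    """True if `source` matches `entry_addr` under the wildcard mask.

    A wildcard bit of 1 means "ignore this bit", so the mask applied to both
    sides is the bitwise complement of the wildcard. Because the mask is
    applied to the entry address too, host bits written in the entry
    (e.g. 192.0.2.7 0.0.0.255) are ignored and it matches the whole /24.
    """
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(source) & mask) == (_to_int(entry_addr) & mask)


def evaluate_standard_acl(acl, source: str):
    """Evaluate `source` against an ordered list of (action, addr, wildcard).

    First matching entry wins; sequence numbers are assigned 10, 20, ...
    like IOS does for a named ACL. No match means the implicit deny.
    """
    for seq, (action, addr, wildcard) in enumerate(acl, start=1):
        if wildcard_match(source, addr, wildcard):
            return action, seq * 10
    return "deny", None  # implicit deny at the end of every ACL


# Constructed ACL mirroring the post: one management subnet is permitted.
ACL_MGMT_VTY = [("permit", "192.0.2.0", "0.0.0.255")]

# Constructed host-only variant (wildcard 0.0.0.0 matches exactly one host).
ACL_SINGLE_HOST = [("permit", "192.0.2.25", "0.0.0.0")]


def demo():
    """Verdicts for a few constructed sources against ACL_MGMT_VTY."""
    sources = ["192.0.2.25", "192.0.3.25", "10.0.0.1"]
    return {src: evaluate_standard_acl(ACL_MGMT_VTY, src)[0] for src in sources}


if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src:12} -> {verdict}")
```

When auditing an `access-class`, the useful check is the one `demo()` performs: feed the ACL the management addresses that must get in and a few that must not, and confirm each lands on the entry you expect rather than on the implicit deny.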

Hi Jennifer,

The problem is not with SSH incoming sessions; it's when I try to establish an SSH session from the switch to any device in the network.

Regards,

Have you tried to configure "access-class out" to restrict access to specific devices and does it work?

Hi Jennifer,

No, I haven't; that's the problem, I do not want to limit outbound SSH traffic.

If you configure "permit any" and apply it to the access-class "out", does it work?

Sounds like a bug if it does work.

lorenzobexer (Level 1)

Hi,

we encountered the same issue on a 2960S switch. The strange thing is, we also have 3750 switches and there it works. We are running the same firmware version as you on both models: 12.2(58)SE2.

Summary:

We have no outgoing access-class defined on the vty lines, only an incoming one for limiting SSH access.

From the 2960S switch we tried:

copy running-config scp://user@host/file

It is denied and the deny counter of the INCOMING ACL goes up by 1.

Tried to configure another ACL for outgoing connections. No difference, the outgoing connection is blocked by the incoming ACL!

When removing the incoming ACL, it works.

Then we have another 2960S switch with an older firmware version, 12.2(55)SE3. This one works without problems, with the same configuration.

Looks like a bug.

Same here with a 2960 release 15.0(2)SE2. Will it be solved or is that considered normal?

Techsuptkb (Level 1)

Hi,

I don't know whether it is an IOS bug or not.

I have the same IOS version 12.2(58)SE2 on a 3750,

and when I apply the ACL on line vty I can't log in by SSH on the device.

When I remove the ACL, I can.

We have VRF on the 3750.

I found this solution (it helped me):

R1(config-line)#access-class 1 in vrf-also

If it is truly our desire to allow VTY sessions from traffic arriving in a VRF instance, we can modify the behavior of the access-class. This is done using the "vrf-also" option.

I found the bug:

CSCtq51049
