06-04-2020 01:29 AM - edited 09-08-2020 11:51 PM
I've read how to do this, and it's quite easy. This is the same method I used on a Cisco ISR4321 router and it works fine, but not so much on the Cisco 3850 switch. Config is below, and the error message / error condition is at the bottom...
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname USCHS39-3850-SW1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$Ebxxxxxxxxxxxxxxx5oORLE/
!
username john secret 5 $1$8q7O$zxxxxxxxxxxxxxnbzH/8OoF1
username paul secret 5 $1$lIMnxxxxxxxxxxxxxxx.roTM.0
username george privilege 15 secret 5 $1$xxxxxxxRoJaeycd/b60
aaa new-model
!
!
aaa group server tacacs+ ACS_TAC
 server-private 10.107.252.10 key 7 062B5xxxxxxxxx100541
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group ACS_TAC local
aaa authentication login CONSOLE none
aaa authentication login ACS_TAC group tacacs+ local
aaa authentication login EEMScript none
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group ACS_TAC local
aaa authorization exec EEMScript none
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
aaa accounting exec default
!
aaa accounting commands 15 default
!
aaa accounting network default
!
aaa accounting connection default
!
aaa accounting system default
!
!
!
aaa session-id common
switch 1 provision ws-c3850-24p
!
!
!
qos queue-softmax-multiplier 100
!
!
diagnostic bootup level minimal
archive
 path flash:/backed.up.configs/$h.cfg
 maximum 14
 write-memory
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.10.10.1 255.255.255.0
 no negotiation auto
!
interface GigabitEthernet1/0/1
 description Internet-Access-Port
 switchport access vlan 500
 switchport mode access
 spanning-tree portfast
!======== and so on, and so on.... =================
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip tftp source-interface GigabitEthernet0/0
ip tftp blocksize 8192
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.10.10.254
ip ssh time-out 60
ip ssh version 2
ip scp server enable
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
!
ip sla enable reaction-alerts
kron occurrence Backup at 23:32 recurring
 policy-list Backup
!
kron policy-list Backup
 cli show run | redirect tftp://10.107.4.9/USCHS39-3850-SW1.cfg
!
logging facility local6
logging host 10.107.4.9
access-list 20 permit 10.107.4.35
access-list 20 permit 10.107.4.9
access-list 20 permit 10.104.5.16
access-list 20 deny any
access-list 40 permit 10.107.4.68
access-list 40 permit 10.104.48.120
access-list 40 permit 10.107.4.9
access-list 40 permit 10.107.4.190
access-list 40 deny any
access-list 99 permit 10.107.4.9
access-list 99 deny any log
access-list 155 permit tcp 10.108.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.107.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.110.0.0 0.0.255.255 any log
access-list 155 permit tcp 192.168.0.0 0.63.255.255 any log
access-list 155 permit tcp 10.10.10.0 0.0.0.255 any log
access-list 155 deny ip any any log
!
snmp-server community xxxxxxxxxx RW 99
snmp-server community yyyyyyyyyyyy RO 40
snmp-server community aaaaaaaaaaaaaa RO 99
snmp-server location Exploration I 3 South LAN Room
snmp-server contact noone@company.com
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps tty
snmp-server host 10.104.5.16 xxxxxxxxxxxxx snmp
snmp-server host 10.107.4.9 yyyyyyyyyyyyyy snmp
snmp-server host 10.107.4.5 aaaaaaaaaaaaa snmp
snmp ifmib ifindex persist
!
!
!
!
banner login CCCCCC
NOTICE TO ALL USERS
THERE IS NO RIGHT TO PRIVACY IN USING THE COMPANY COMPUTER SYSTEM
+----------------------------------------------------------------------+
The Company computer system (the System) is provided for business use by authorized personnel of Company and its subsidiaries. The System includes the network and servers as well as internet access, email, software, hardware, computers and related devices.
USERS HAVE NO EXPECTATION OF PRIVACY IN ANY USE OF THE SYSTEM.
All files, information and data stored on or communicated using the System, including details of websites visited and electronic messages sent or received, are and remain the property of Company. All such files, information and personal and other data (including non-network use of company equipment) may be monitored or accessed at any time by the company or other authorized persons. Any unauthorized use of the System may result in disciplinary action, or civil or criminal investigation or prosecution. Use of the System constitutes acknowledgement of and consent to be bound by this statement when using the System.
+----------------------------------------------------------------------+
!
banner incoming
banner motd CCCCCC
+***************************************************************************+
This is a Company system. Use gives consent to monitor and record, with no expectation of privacy. Unauthorized use may result in discharge from Company and/or criminal charges. Users must comply with all Company policies.
+***************************************************************************+
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 155 in
 length 0
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 155 in
 transport input ssh
 transport output ssh
!
ntp source GigabitEthernet0/0
ntp server 10.107.4.29
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end
When I try to SSH in, I get the message shown below in the logs, showing that I've passed the ACL, but my SSH client says "session denied" or "Protocol not listening", or something else -- I forgot to write the exact text down -- it's essentially resetting my SSH session; it's not a timeout, it's a reset.
06-04-2020 04:33 AM
If you are trying to access the mgmt interface, since it is a VRF-aware interface AND you have a vty ACL applied, you'll need to add vrf-also:
line vty 0 15
 access-class 155 in vrf-also
and you should be good.
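As an added example that is not part of this thread: a small Python audit script that parses a running-config in the shape posted above, records which interfaces are bound to a VRF, and flags every "line vty" inbound access-class that lacks vrf-also on a box that has such an interface. The embedded config is constructed (a trimmed version of the poster's), and the function names (parse_blocks, audit, suggested_fix) are my own, not anything from IOS or the thread.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed IOS-XE running-config in the shape posted in the
# thread, with sub-commands indented by one space as "show run" prints them.
SAMPLE_CONFIG = """\
vrf definition Mgmt-vrf
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.10.10.1 255.255.255.0
!
line vty 0 4
 access-class 155 in
 transport input ssh
line vty 5 15
 access-class 155 in
 transport input ssh
!
end
"""


def parse_blocks(config: str) -> List[List[str]]:
    """Split a running-config into top-level blocks.

    A block starts at a non-indented line and collects the indented lines
    that follow it; '!' separators and blank lines close the current block.
    """
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            if current:
                blocks.append(current)
                current = []
            continue
        if line.startswith(" ") and current:
            current.append(line.strip())
        else:
            if current:
                blocks.append(current)
            current = [line.strip()]
    if current:
        blocks.append(current)
    return blocks


def vrf_bound_interfaces(blocks: List[List[str]]) -> Dict[str, str]:
    """Map interface name -> VRF for every interface carrying 'vrf forwarding'."""
    result: Dict[str, str] = {}
    for block in blocks:
        head = block[0]
        if not head.startswith("interface "):
            continue
        for cmd in block[1:]:
            m = re.match(r"(?:ip )?vrf forwarding (\S+)$", cmd)
            if m:
                result[head.split(" ", 1)[1]] = m.group(1)
    return result


# Inbound access-class with an optional trailing vrf-also keyword.
ACCESS_CLASS_RE = re.compile(r"access-class (\S+) in(?: (vrf-also))?$")


def vty_access_class_findings(blocks: List[List[str]], has_vrf_interface: bool) -> List[dict]:
    """Report each vty inbound access-class and whether it carries vrf-also.

    A finding is flagged when the device has a VRF-bound interface but the
    access-class lacks vrf-also: sessions arriving via that VRF are dropped even
    when the ACL permits the source, which is the symptom described in the thread.
    """
    findings = []
    for block in blocks:
        head = block[0]
        if not head.startswith("line vty"):
            continue
        for cmd in block[1:]:
            m = ACCESS_CLASS_RE.match(cmd)
            if not m:
                continue
            vrf_also = m.group(2) is not None
            findings.append({
                "line": head,
                "acl": m.group(1),
                "vrf_also": vrf_also,
                "flagged": has_vrf_interface and not vrf_also,
            })
    return findings


def audit(config: str) -> List[dict]:
    """Run the whole check over a config text and return the findings."""
    blocks = parse_blocks(config)
    return vty_access_class_findings(blocks, bool(vrf_bound_interfaces(blocks)))


def suggested_fix(finding: dict) -> str:
    """Render the corrected line pair, i.e. the change proposed in the reply above."""
    return f"{finding['line']}\n access-class {finding['acl']} in vrf-also"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "FLAG" if f["flagged"] else "ok"
        print(f"{status}: {f['line']} access-class {f['acl']} vrf-also={f['vrf_also']}")
        if f["flagged"]:
            print(suggested_fix(f))
```

Run it against a saved "show run" and it prints one FLAG line per vty range that still needs vrf-also; once both ranges carry the keyword the script reports nothing flagged.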
06-05-2020 06:49 AM
I will remove the ACL first in line vty, then try to SSH again. If it is still failing, change it to "transport input all" and test a telnet session to see if it works. You can initiate the SSH/telnet session from this switch going to itself. You can also zeroize and clear SSH, or generate a new RSA key and test SSH again.