
restriction on VTY line not working

kihihavi (Level 1)

I've read how to do this, and it's quite easy. This is the same method I used on a Cisco ISR4321 router and it works fine, but not so much on the Cisco 3850 switch. Config is below, and the error message / error condition is at the bottom.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname USCHS39-3850-SW1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$Ebxxxxxxxxxxxxxxx5oORLE/
!
username john secret 5 $1$8q7O$zxxxxxxxxxxxxxnbzH/8OoF1
username paul secret 5 $1$lIMnxxxxxxxxxxxxxxx.roTM.0
username george privilege 15 secret 5 $1$xxxxxxxRoJaeycd/b60
aaa new-model
!
!
aaa group server tacacs+ ACS_TAC
server-private 10.107.252.10 key 7 062B5xxxxxxxxx100541
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group ACS_TAC local
aaa authentication login CONSOLE none
aaa authentication login ACS_TAC group tacacs+ local
aaa authentication login EEMScript none
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group ACS_TAC local
aaa authorization exec EEMScript none
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
aaa accounting exec default
!
aaa accounting commands 15 default
!
aaa accounting network default
!
aaa accounting connection default
!
aaa accounting system default
!
!
!
aaa session-id common
switch 1 provision ws-c3850-24p
!
!
!
qos queue-softmax-multiplier 100
!
!
diagnostic bootup level minimal
archive
path flash:/backed.up.configs/$h.cfg
maximum 14
write-memory
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.10.10.1 255.255.255.0
no negotiation auto
!
interface GigabitEthernet1/0/1
description Internet-Access-Port
switchport access vlan 500
switchport mode access
spanning-tree portfast
!======== and so on, and so on.... =================
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip tftp source-interface GigabitEthernet0/0
ip tftp blocksize 8192
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.10.10.254
ip ssh time-out 60
ip ssh version 2
ip scp server enable
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
permit tcp any any eq 22
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1914
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
permit udp any any range 16384 32767
permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
permit tcp any any range 6881 6999
permit tcp any any range 28800 29100
permit tcp any any eq 1214
permit udp any any eq 1214
permit tcp any any eq 3689
permit udp any any eq 3689
permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
permit tcp any any eq 443
permit tcp any any eq 1521
permit udp any any eq 1521
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
permit tcp any any eq 1527
permit tcp any any eq 6200
permit tcp any any eq 3389
permit tcp any any eq 5985
permit tcp any any eq 8080
!
ip sla enable reaction-alerts
kron occurrence Backup at 23:32 recurring
policy-list Backup
!
kron policy-list Backup
cli show run | redirect tftp://10.107.4.9/USCHS39-3850-SW1.cfg
!
logging facility local6
logging host 10.107.4.9
access-list 20 permit 10.107.4.35
access-list 20 permit 10.107.4.9
access-list 20 permit 10.104.5.16
access-list 20 deny any
access-list 40 permit 10.107.4.68
access-list 40 permit 10.104.48.120
access-list 40 permit 10.107.4.9
access-list 40 permit 10.107.4.190
access-list 40 deny any
access-list 99 permit 10.107.4.9
access-list 99 deny any log
access-list 155 permit tcp 10.108.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.107.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.110.0.0 0.0.255.255 any log
access-list 155 permit tcp 192.168.0.0 0.63.255.255 any log
access-list 155 permit tcp 10.10.10.0 0.0.0.255 any log
access-list 155 deny ip any any log
!
snmp-server community xxxxxxxxxx RW 99
snmp-server community yyyyyyyyyyyy RO 40
snmp-server community aaaaaaaaaaaaaa RO 99
snmp-server location Exploration I 3 South LAN Room
snmp-server contact noone@company.com
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps tty
snmp-server host 10.104.5.16 xxxxxxxxxxxxx snmp
snmp-server host 10.107.4.9 yyyyyyyyyyyyyy snmp
snmp-server host 10.107.4.5 aaaaaaaaaaaaa snmp
snmp ifmib ifindex persist
!
!
!
!
banner login CCCCCC
NOTICE TO ALL USERS
THERE IS NO RIGHT TO PRIVACY IN USING THE COMPANY COMPUTER SYSTEM
+----------------------------------------------------------------------+
The Company computer system (the System) is provided for business
use by authorized personnel of Company and its subsidiaries. The
System includes the network and servers as well as internet access,
email, software, hardware, computers and related devices.
USERS HAVE NO EXPECTATION OF PRIVACY IN ANY USE OF THE SYSTEM.
All files, information and data stored on or communicated using the
System, including details of websites visited and electronic messages
sent or received, are and remain the property of Company. All such files,
information and personal and other data (including non-network use
of company equipment) may be monitored or accessed at any time by
the company or other authorized persons. Any unauthorized use of
the System may result in disciplinary action, or civil or criminal
investigation or prosecution. Use of the System constitutes
acknowledgement of and consent to be bound by this statement
when using the System.
+----------------------------------------------------------------------+
!
banner incoming 
banner motd CCCCCC
+***************************************************************************+
This is a Company system. Use gives consent to monitor and record, with no
expectation of privacy. Unauthorized use may result in discharge from Company
and/or criminal charges. Users must comply with all Company policies.
+***************************************************************************+

!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 155 in
length 0
transport input ssh
transport output ssh
line vty 5 15
access-class 155 in
transport input ssh
transport output ssh
!
ntp source GigabitEthernet0/0
ntp server 10.107.4.29
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end

When I try to SSH in, I get the message shown below in the logs, showing that I've passed the ACL, but my SSH client says "session denied" or "Protocol not listening", or something else (I forgot to write the exact text down). It's essentially resetting my SSH session; it's not a timeout, it's a reset.

2 Replies

cmarva (Level 4)

If you are trying to access the mgmt interface, since it is a VRF-aware interface AND you have a VTY ACL applied, you'll need to add vrf-also:

line vty 0 15
 access-class 155 in vrf-also


and you should be good.
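To make the two points in this thread checkable offline, here is a small audit script. It is an added example, not code from the original post or from Cisco: it evaluates a source address against the numbered ACL the way a vty access-class does (Cisco wildcard-mask matching, first match wins, implicit deny at the end), and it flags any vty line whose inbound access-class lacks vrf-also while an interface is placed in a VRF, which is the failure cmarva's reply describes. The embedded config excerpt is constructed from the poster's configuration; the function names are my own, and the parser assumes the one-space stanza indentation that `show running-config` emits (the paste above lost it).

```python
"""Audit a Cisco IOS-XE running-config for the vty access-class / VRF pitfall.

Checks performed:
  1. Evaluate a source address against a numbered ACL as the line
     access-class does: wildcard-mask match, first match wins, implicit deny.
  2. Flag vty lines whose inbound access-class lacks 'vrf-also' while some
     interface sits in a VRF; sessions arriving over that interface are
     refused without the keyword.
"""
import ipaddress
import re

# Constructed excerpt modelled on the switch config in the original post.
# Stanza lines carry the single leading space that 'show running-config' emits.
SAMPLE_CONFIG = """\
vrf definition Mgmt-vrf
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.10.10.1 255.255.255.0
!
access-list 155 permit tcp 10.108.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.107.0.0 0.0.255.255 any log
access-list 155 permit tcp 10.110.0.0 0.0.255.255 any log
access-list 155 permit tcp 192.168.0.0 0.63.255.255 any log
access-list 155 permit tcp 10.10.10.0 0.0.0.255 any log
access-list 155 deny ip any any log
!
line vty 0 4
 access-class 155 in
 transport input ssh
line vty 5 15
 access-class 155 in vrf-also
 transport input ssh
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_acl(config, number):
    """Return (action, protocol, source, wildcard) entries of numbered ACL `number`.

    Only the source field matters for access-class, so the destination is ignored.
    Standard ACLs (1-99, 1300-1999) have no protocol field and default to 'ip'.
    """
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        action = tokens[2]
        if number <= 99 or 1300 <= number <= 1999:
            proto, rest = "ip", tokens[3:]
        else:
            proto, rest = tokens[3], tokens[4:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            addr = rest[0]
            wild = rest[1] if len(rest) > 1 and _is_ipv4(rest[1]) else "0.0.0.0"
        entries.append((action, proto, _ip(addr), _ip(wild)))
    return entries


def acl_permits(entries, src_ip, session_proto="tcp"):
    """First matching entry decides; no match means the implicit deny."""
    src = _ip(src_ip)
    for action, proto, addr, wild in entries:
        if proto not in ("ip", session_proto):
            continue
        care = ~wild & 0xFFFFFFFF   # wildcard bit 1 = don't care, so invert
        if (src & care) == (addr & care):
            return action == "permit"
    return False


def vrf_interfaces(config):
    """Interfaces assigned to a VRF via 'vrf forwarding' or the older 'ip vrf forwarding'."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None            # any unindented line ends the stanza
        elif current and re.match(r"\s*(ip\s+)?vrf forwarding\s+\S+", line):
            found.append(current)
    return found


def vty_access_classes(config):
    """(vty range, acl, has_vrf_also) for each inbound access-class on a vty line."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty "):
            current = line[len("line "):].strip()
        elif not line.startswith(" "):
            current = None
        elif current:
            m = re.match(r"\s*access-class\s+(\S+)\s+in(\s+vrf-also)?\s*$", line)
            if m:
                found.append((current, m.group(1), m.group(2) is not None))
    return found


def audit(config):
    """vty ranges whose inbound access-class refuses sessions arriving over a VRF interface."""
    if not vrf_interfaces(config):
        return []
    return [rng for rng, _acl, vrf_also in vty_access_classes(config) if not vrf_also]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, 155)
    for ip in ("10.107.4.35", "10.10.10.254", "192.130.1.1", "172.16.0.1"):
        print(ip, "permitted" if acl_permits(acl, ip) else "denied")
    print("vrf interfaces:", vrf_interfaces(SAMPLE_CONFIG))
    print("vty ranges missing vrf-also:", audit(SAMPLE_CONFIG))
```

Run against the excerpt, `audit()` reports `vty 0 4` (the block with a plain `access-class 155 in`) and nothing for `vty 5 15`. The wildcard arithmetic also surfaces a detail worth checking in the poster's ACL: `192.168.0.0 0.63.255.255` has the 192 bit of the second octet set in the wildcard, so it matches all of 192.128.0.0/10 (for example 192.130.1.1), not just 192.168.0.0/16 as the neighbouring /16 entries suggest was intended. Since this ACL is what gates management access, a wider-than-intended permit is exactly the kind of entry to tighten.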

dinns (Level 1)

I will remove the ACL first under line vty, then try to SSH again. If it is still failing, change it to "transport input all" and test whether a Telnet session works. You can initiate the SSH/Telnet session from this switch to itself. You can also zeroize and clear SSH, or generate a new RSA key and test SSH again.