
issues in SSH my Home lab Router(1841)/switch(3560)

Cisconew
Level 1

Hi,

I have connected my 1841 router to my home Internet. Subsequently, I connected the 3560 switch to the 1841 router. (Refer to the attached topology with interface details.)

I am able to SSH directly to the 1841 router, as it is connected to my local network (Internet) subnet 192.168.1.0/24.

But I am not able to SSH to my switch directly. I am able to SSH/telnet to my switch from the 1841 router, though.

Can anyone suggest?

Please find below my router and switch details.

 

Router-1841#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.100 YES NVRAM up up
FastEthernet0/1 192.168.1.100 YES NVRAM up up

 

Router-1841#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1
L 192.168.1.100/32 is directly connected, FastEthernet0/1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet0/0
L 192.168.2.100/32 is directly connected, FastEthernet0/0

 

 

Router-1841#sh run

interface FastEthernet0/0
ip address 192.168.2.100 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.100 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 100
network 0.0.0.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

Switch Config:

interface Vlan1
ip address 192.168.2.150 255.255.255.0
!
interface Vlan10
ip address 192.168.10.10 255.255.255.0
!
interface Vlan20
ip address 192.168.20.10 255.255.255.0
!
!
router eigrp 100
eigrp stub connected summary
network 0.0.0.0
!
ip default-gateway 192.168.2.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.100

 


Richard Burts
Hall of Fame

You have not provided much detail for us to work with. Your configurations are very abbreviated so there could be factors there which we can not see. I do have some comments about this:

- am I correct in assuming that this is on some emulator and not on actual router and switch?

- I see that you have enabled EIGRP on router and switch. But I do not see any entries in the router routing table for the vlan subnets on the switch. Could you post the output of show ip eigrp neighbor from both the router and the switch?

- can you tell us where you are initiating the ssh from?

- can you post the output of the command show ip ssh from both the router and the switch?

- can you provide a more complete configuration? especially for the switch.

HTH

Rick

Hi Richard,

Thanks for your reply. I have given the details as requested by you.

 

- am I correct in assuming that this is on some emulator and not on actual router and switch? --Actual Router and Switch

 

- I see that you have enabled EIGRP on router and switch. But I do not see any entries in the router routing table for the vlan subnets on the switch. Could you post the output of show ip eigrp neighbor from both the router and the switch?

 

3560-SW1#sh ip eigrp nei
EIGRP-IPv4:(100) neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.2.100 Vl1 11 03:02:00 1272 5000 0 2

 

Router-1841#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.2.150 Fa0/0 14 03:04:59 4 200 0 5

 

- can you tell us where you are initiating the ssh from? : -- From my Laptop connected with my Home network through wifi(192.168.1.85)

 

- can you post the output of the command show ip ssh from both the router and the switch?

 

3560-SW1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

 

Router-1841#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCHDDBm4VjEfK6n/LpNVAmXqyJ/X3D+oq38G486HsMf
gi5cKCHmRwVhYX7DTT8RTloAjs3C3m3kKmT+Z4ijjluvv4wSuCz3sWm7QPIh6cLKoTieQ6MLlqFO8YO7
gqU9fLCRNyTyqhxf7sQtE5dd6SGcOWvxC4VrJy9g6TCrM83swQ==

 

- can you provide a more complete configuration? especially for the switch.

 

3560-SW1#sh run
Building configuration...

Current configuration : 5338 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3560-SW1
!
boot-start-marker
boot-end-marker
!
enable password *****
!
username ***** privilege 15 password 0 *****
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name ccnp.com
!
!

 

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access

----- Same config for interface no up to Fa 0/16 -------

 

interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20

 

----- Same config for interface no up to Fa 0/32-------

 

interface FastEthernet0/33
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/34
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/35
switchport access vlan 10
switchport mode access

----- Same config for interface no up to Fa 0/40------

interface FastEthernet0/40
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/41
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/42
switchport access vlan 20
switchport mode access

----- Same config for interface no up to Fa 0/48-----

interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
ip address 192.168.2.150 255.255.255.0
!
interface Vlan10
ip address 192.168.10.10 255.255.255.0
!
interface Vlan20
ip address 192.168.20.10 255.255.255.0
!
!
router eigrp 100
eigrp stub connected summary
network 0.0.0.0
!
ip default-gateway 192.168.2.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.100
ip http server
ip http secure-server
!
!
control-plane

!
!
line con 0
line vty 0 4
login local
transport input all
line vty 5 15
login
!
end

Do I need to add any NAT and ACL configuration on both the switch and the router?

Thank you for the additional information. It is helpful to know that this is on hardware and not on an emulator. I do have some additional questions and a suggestion:

- I am puzzled that the networks for vlan 10 and vlan 20 are not advertised to the router. (may or may not be related to the issue with ssh) would you post the output of these commands on the switch

show interface status

show ip interface brief

show ip route

- It is interesting that the ssh attempt is from a pc in the 192.168.1.0 network. Can you post the output of ipconfig (or other appropriate command if this is not a windows pc) to confirm the ip address, mask, and default gateway of the pc.

- what ip address is the pc using as the destination of its ssh request?

- can the pc ping the address on the switch used as the destination of ssh?

- I notice that the switch is configured for only version 2 of ssh while the router is configured for both version 1 and version 2. Is it possible that the pc is attempting version 1 of ssh?

HTH

Rick

Thanks Richard,

I have given the below details for your comments/questions.

 

I am able to telnet/ssh from router to switch.

Router-1841#telnet 192.168.2.150
Trying 192.168.2.150 ... Open


User Access Verification

Username: ******
Password:
3560-SW1#

 

3560-SW1#sh int status

Port Name Status Vlan Duplex Speed Type
Fa0/1 notconnect 1 auto auto 10/100BaseTX
Fa0/2 notconnect 1 auto auto 10/100BaseTX
Fa0/3 notconnect 1 auto auto 10/100BaseTX
Fa0/4 notconnect 1 auto auto 10/100BaseTX
Fa0/5 notconnect 1 auto auto 10/100BaseTX
Fa0/6 notconnect 1 auto auto 10/100BaseTX
Fa0/7 notconnect 1 auto auto 10/100BaseTX
Fa0/8 notconnect 1 auto auto 10/100BaseTX
Fa0/9 notconnect 1 auto auto 10/100BaseTX
Fa0/10 notconnect 1 auto auto 10/100BaseTX
Fa0/11 notconnect 1 auto auto 10/100BaseTX
Fa0/12 notconnect 1 auto auto 10/100BaseTX
Fa0/13 notconnect 1 auto auto 10/100BaseTX
Fa0/14 notconnect 1 auto auto 10/100BaseTX
Fa0/15 notconnect 1 auto auto 10/100BaseTX
Fa0/16 notconnect 1 auto auto 10/100BaseTX
Fa0/17 notconnect 1 auto auto 10/100BaseTX
Fa0/18 notconnect 1 auto auto 10/100BaseTX
Fa0/19 notconnect 1 auto auto 10/100BaseTX
Fa0/20 notconnect 1 auto auto 10/100BaseTX
Fa0/21 notconnect 1 auto auto 10/100BaseTX
Fa0/22 connected 1 a-full a-100 10/100BaseTX
Fa0/23 notconnect 1 auto auto 10/100BaseTX
Fa0/24 notconnect 1 auto auto 10/100BaseTX
Fa0/25 notconnect 1 auto auto 10/100BaseTX
Fa0/26 notconnect 1 auto auto 10/100BaseTX
Fa0/27 notconnect 1 auto auto 10/100BaseTX
Fa0/28 notconnect 1 auto auto 10/100BaseTX
Fa0/29 notconnect 1 auto auto 10/100BaseTX
Fa0/30 notconnect 1 auto auto 10/100BaseTX
Fa0/31 notconnect 1 auto auto 10/100BaseTX
Fa0/32 notconnect 1 auto auto 10/100BaseTX
Fa0/33 notconnect 10 auto auto 10/100BaseTX
Fa0/34 notconnect 10 auto auto 10/100BaseTX
Fa0/35 notconnect 10 auto auto 10/100BaseTX
Fa0/36 notconnect 10 auto auto 10/100BaseTX
Fa0/37 notconnect 10 auto auto 10/100BaseTX
Fa0/38 notconnect 10 auto auto 10/100BaseTX
Fa0/39 notconnect 10 auto auto 10/100BaseTX
Fa0/40 notconnect 10 auto auto 10/100BaseTX
Fa0/41 notconnect 20 auto auto 10/100BaseTX
Fa0/42 notconnect 20 auto auto 10/100BaseTX
Fa0/43 notconnect 20 auto auto 10/100BaseTX
Fa0/44 notconnect 20 auto auto 10/100BaseTX
Fa0/45 notconnect 20 auto auto 10/100BaseTX
Fa0/46 notconnect 20 auto auto 10/100BaseTX
Fa0/47 notconnect 20 auto auto 10/100BaseTX
Fa0/48 notconnect 20 auto auto 10/100BaseTX
Gi0/1 notconnect 1 auto auto Not Present
Gi0/2 notconnect 1 auto auto Not Present
Gi0/3 notconnect 1 auto auto Not Present
Gi0/4 notconnect 1 auto auto Not Present

 

3560-SW1#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.2.150 YES NVRAM up up
Vlan10 192.168.10.10 YES NVRAM up down - not connected to any end devices
Vlan20 192.168.20.10 YES NVRAM up down-not connected to any end devices
FastEthernet0/1 unassigned YES unset down down
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset down down
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset down down
FastEthernet0/12 unassigned YES unset down down
FastEthernet0/13 unassigned YES unset down down
FastEthernet0/14 unassigned YES unset down down
FastEthernet0/15 unassigned YES unset down down
FastEthernet0/16 unassigned YES unset down down
FastEthernet0/17 unassigned YES unset down down
FastEthernet0/18 unassigned YES unset down down
FastEthernet0/19 unassigned YES unset down down
FastEthernet0/20 unassigned YES unset down down
FastEthernet0/21 unassigned YES unset down down
FastEthernet0/22 unassigned YES unset up up -----Connection to Router
FastEthernet0/23 unassigned YES unset down down
FastEthernet0/24 unassigned YES unset down down
FastEthernet0/25 unassigned YES unset down down
FastEthernet0/26 unassigned YES unset down down
FastEthernet0/27 unassigned YES unset down down
FastEthernet0/28 unassigned YES unset down down
FastEthernet0/29 unassigned YES unset down down
FastEthernet0/30 unassigned YES unset down down
FastEthernet0/31 unassigned YES unset down down
FastEthernet0/32 unassigned YES unset down down
FastEthernet0/33 unassigned YES unset down down
FastEthernet0/34 unassigned YES unset down down
FastEthernet0/35 unassigned YES unset down down
FastEthernet0/36 unassigned YES unset down down
FastEthernet0/37 unassigned YES unset down down
FastEthernet0/38 unassigned YES unset down down
FastEthernet0/39 unassigned YES unset down down
FastEthernet0/40 unassigned YES unset down down
FastEthernet0/41 unassigned YES unset down down
FastEthernet0/42 unassigned YES unset down down
FastEthernet0/43 unassigned YES unset down down
FastEthernet0/44 unassigned YES unset down down
FastEthernet0/45 unassigned YES unset down down
FastEthernet0/46 unassigned YES unset down down
FastEthernet0/47 unassigned YES unset down down
FastEthernet0/48 unassigned YES unset down down
GigabitEthernet0/1 unassigned YES unset down down
GigabitEthernet0/2 unassigned YES unset down down
GigabitEthernet0/3 unassigned YES unset down down
GigabitEthernet0/4 unassigned YES unset down down

 

3560-SW1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.100 to network 0.0.0.0

D 192.168.1.0/24 [90/28416] via 192.168.2.100, 04:48:21, Vlan1
C 192.168.2.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 192.168.1.100

 

C:\Users\*****>ipconfig

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : home
IPv6 Address. . . . . . . . . . . : 2606:a000:121d:4a88:251a:4674:c4e5:742f
Temporary IPv6 Address. . . . . . : 2606:a000:121d:4a88:7586:f3d7:bc98:a4f0
Link-local IPv6 Address . . . . . : fe80::251a:4674:c4e5:742f%19
IPv4 Address. . . . . . . . . . . : 192.168.1.85
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::9a1e:19ff:fe23:b5c2%19
192.168.1.1

 

- what ip address is the pc using as the destination of its ssh request? - 192.168.2.150 (switch interface Vlan 1 IP address)

 

- can the pc ping the address on the switch used as the destination of ssh?

C:\Users\****>ping 192.168.2.150

Pinging 192.168.2.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.150:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

- I notice that the switch is configured for only version 2 of ssh while the router is configured for both version 1 and version 2. Is it possible that the pc is attempting version 1 of ssh? --:

I have used PuTTY to SSH to my router via IP address 192.168.1.100. (Worked well.)

Same way, I have used PuTTY to SSH to my switch via IP address 192.168.2.150. (Did not work.)

How do I check the SSH version on my PC?

Thanks

Hello,

 

not sure if this has already been mentioned, but your layer 3 switch appears to have the wrong default route:

 

Switch Config:

 

ip default-gateway 192.168.2.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.100

 

Delete the default gateway and change the default route:

 

--> no ip default-gateway 192.168.2.100

--> ip route 0.0.0.0 0.0.0.0 192.168.2.100

Thanks Georg,

I've changed the same, but it didn't work for me.

 

 

Thanks

Post the full running config of the switch (sh run)...

Hi Georg,

Please find below the show run output for Switch.

 

3560-SW1#sh run
Building configuration...

Current configuration : 5338 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3560-SW1
!
boot-start-marker
boot-end-marker
!
enable password *****
!
username ***** privilege 15 password 0 *****
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name ccnp.com
!
!

 

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access

----- Same config for interface no up to Fa 0/16 -------

 

interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20

 

----- Same config for interface no up to Fa 0/32-------

 

interface FastEthernet0/33
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/34
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/35
switchport access vlan 10
switchport mode access

----- Same config for interface no up to Fa 0/40------

interface FastEthernet0/40
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/41
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/42
switchport access vlan 20
switchport mode access

----- Same config for interface no up to Fa 0/48-----

interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
ip address 192.168.2.150 255.255.255.0
!
interface Vlan10
ip address 192.168.10.10 255.255.255.0
!
interface Vlan20
ip address 192.168.20.10 255.255.255.0
!
!
router eigrp 100
eigrp stub connected summary
network 0.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.100
ip http server
ip http secure-server
!
!
control-plane

!
!
line con 0
line vty 0 4
login local
transport input all
line vty 5 15
login
!
end

Hello,

 

are you doing this in Packet Tracer ? If so, post the zipped .pkt file...

Hi,

I am doing this on my physical/actual devices.

 

thanks.

It was a good catch that the default route on the switch was not correct. And if the default route on the switch was not correct it would prevent the switch from being able to access the 192.168.1.0 network. So that was part of the problem. But I believe that it is not all of the problem. In the information you provided was this from the pc

Default Gateway . . . . . . . . . : fe80::9a1e:19ff:fe23:b5c2%19
192.168.1.1

192.168.1.1 is not the router address. It is the next hop for the default route on your router. And your diagram identifies it as Home Router/Wireless Router. I am guessing that this device does not have routing logic for the 192.168.2.0 network. And this is the other part of the problem.

HTH

Rick

 

Thanks Richard for your reply.

I have pasted the details of my home router (Spectrum). Can I do anything with this?

Network:

 

Local IPv4 Address-192.168.1.1
Local Subnet Mask-255.255.255.0
Local Ethernet Mac address:98:1E:19:23:B5:C2
Public IPv4 Address-172.73.*.*
Public Subnet Mask-255.255.224.0
Default Gateway-172.73.128.1
Primary DNS Server-209.18.47.*
Secondary DNS Server-209.18.47.*
Link Local Gateway IPv6 Address:fe80::9a1e:19ff:fe23:b5c2
Global Gateway IPv6 Address-

 

 

Route Details:

IP Version Destination IP Address / Prefix Length Interface Gateway IP Address Metric Origin Options

IPV4 0.0.0.0/0 IP_DATA AUTO STATIC
IPV4 0.0.0.0/0 IP_BR_LAN AUTO STATIC
IPV4 0.0.0.0/0 IP_BR_LAN AUTO STATIC
IPV4 0.0.0.0/0 IP_DATA 172.73.*.* AUTO DHCPV4
IPV4 209.18.*.*/32 IP_DATA AUTO STATIC
IPV4 209.18.*.*/32 IP_DATA AUTO STATIC
IPV4 192.168.2.150/24 IP_BR_LAN 192.168.1.100 AUTO STATIC

 

Thanks for the additional information. It does seem to show that your Home router does have a route entry for 192.168.2.150/24 with 192.168.1.100 as the next hop. I am a bit surprised that the last octet is 150 (I would have expected zero) but the first 3 octets are correct and the mask is /24. So at this point I would assume that routing for the vlan on the switch is not the issue.

 

Have you corrected the default route on the switch? Did that make any difference in the behavior?

 

At this point can the pc ping the switch? If not please do a traceroute from the pc to the switch and post the output.

HTH

Rick
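
Added example, not part of any post in this thread: a small Python model of the routing tables posted above. It checks whether a static route's next hop sits on a connected subnet (the point of the default-route correction) and traces the request and reply paths between the PC and the switch. The device labels and the choice to read the home router's `192.168.2.150/24` entry as `192.168.2.0/24` are assumptions of this example.

```python
import ipaddress

# Tables transcribed from the outputs posted in this thread: (prefix, next hop),
# next hop None = directly connected. The switch carries the corrected default
# route; the home router's ISP default route is left out (not needed here).
TABLES = {
    "pc": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "home-router": [("192.168.1.0/24", None),
                    ("192.168.2.150/24", "192.168.1.100")],  # as posted
    "router-1841": [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                    ("0.0.0.0/0", "192.168.1.1")],
    "switch-3560": [("192.168.2.0/24", None),               # Vlan1 (10/20 are down)
                    ("192.168.1.0/24", "192.168.2.100"),    # learned via EIGRP
                    ("0.0.0.0/0", "192.168.2.100")],
}
# Which device owns which address (device labels are made up for this example).
OWNERS = {"192.168.1.85": "pc", "192.168.1.1": "home-router",
          "192.168.1.100": "router-1841", "192.168.2.100": "router-1841",
          "192.168.2.150": "switch-3560"}


def net(prefix):
    # strict=False accepts host bits in the prefix, so 192.168.2.150/24 is
    # treated as 192.168.2.0/24 (an assumption about the home router).
    return ipaddress.ip_network(prefix, strict=False)


def next_hop_on_connected_subnet(node, next_hop):
    """True if next_hop lies in one of node's directly connected prefixes."""
    addr = ipaddress.ip_address(next_hop)
    return any(nh is None and addr in net(p) for p, nh in TABLES[node])


def lookup(node, dst):
    """Longest-prefix match. Returns the IP to hand the packet to, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net(p).prefixlen, nh) for p, nh in TABLES[node] if addr in net(p)]
    if not matches:
        return None
    _, nh = max(matches, key=lambda m: m[0])
    return nh or dst  # connected prefix: deliver straight to the destination


def trace(src, dst, max_hops=8):
    """Devices a packet from src to dst passes through, in order."""
    node = OWNERS[src]
    path = [node]
    while OWNERS.get(dst) != node:
        nh = lookup(node, dst)
        if nh not in OWNERS or len(path) > max_hops:
            path.append("dropped")
            break
        node = OWNERS[nh]
        path.append(node)
    return path


if __name__ == "__main__":
    print(next_hop_on_connected_subnet("switch-3560", "192.168.1.100"))  # original
    print(next_hop_on_connected_subnet("switch-3560", "192.168.2.100"))  # corrected
    print(" -> ".join(trace("192.168.1.85", "192.168.2.150")))  # request
    print(" -> ".join(trace("192.168.2.150", "192.168.1.85")))  # reply
```

With these tables the request reaches the switch through the home router, while the reply goes from the 1841 straight to the PC without passing the home router.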