
issues in SSH my Home lab Router(1841)/switch(3560)

Cisconew
Level 1

Hi,

I have connected my 1841 Router to Home Internet. Subsequently, I connected the 3560 switch to the 1841 Router. (Refer to the attached topology with interface details.)

I am able to directly ssh to the 1841 router as it is connected to my local network (Internet) subnet 192.168.1.0/24.

But I am not able to ssh to my switch directly. I am able to ssh/telnet to my switch from the 1841 router.

Can anyone suggest?

Please find below my Router and switch

 

Router-1841#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.100 YES NVRAM up up
FastEthernet0/1 192.168.1.100 YES NVRAM up up

 

Router-1841#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1
L 192.168.1.100/32 is directly connected, FastEthernet0/1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet0/0
L 192.168.2.100/32 is directly connected, FastEthernet0/0

 

 

Router-1841#sh run

interface FastEthernet0/0
ip address 192.168.2.100 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.100 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 100
network 0.0.0.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

Switch Config:

interface Vlan1
ip address 192.168.2.150 255.255.255.0
!
interface Vlan10
ip address 192.168.10.10 255.255.255.0
!
interface Vlan20
ip address 192.168.20.10 255.255.255.0
!
!
router eigrp 100
eigrp stub connected summary
network 0.0.0.0
!
ip default-gateway 192.168.2.100
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.100

 

19 Replies

Hi Richard,

Thanks for helping me.

Hopefully changing default route in Switch and adding routes for switch subnet in Home Router solved this issue.

Now I can SSH to both Switch and Router.

 

C:\Users\***>tracert 192.168.2.150

Tracing route to 192.168.2.150 over a maximum of 30 hops

1 1 ms <1 ms <1 ms RAC2V1S [192.168.1.1]
2 1 ms 1 ms 1 ms 192.168.1.100
3 1 ms 1 ms 1 ms 192.168.2.150

Trace complete.

Thanks.

Thanks for the update. Glad to know that our suggestions were helpful and that now SSH works. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Sure Richard,

This community is helping me in learning networking.

I have one more doubt in SSH.

Now I am doing ssh from my home network.

Suppose I connect to my devices remotely via SSH, do I need to add any configurations like NAT and ACL?

Please clarify.

 

Thanks

DJ

DJ

 

You ask an interesting and important question here. In the discussion up to this point we have been dealing with communications within your home network. In the home network environment there is little (if any) reason to use access lists to control the flow of traffic, no need for address translation, and probably no reason to limit what devices can have remote access to your router and switch. Now you widen the scope of the discussion. Now we have issues about access from inside your network to the Internet and potential issues about access from the Internet to resources inside your network. That could turn into a BIG discussion, but I will start with these comments:

- If you want devices inside your network to initiate traffic to the Internet (and to receive responses from the Internet) then you will need to configure dynamic address translation. Since at least the wireless (and perhaps some other devices) connect through your Home Internet and not your 1841 there will need to be dynamic address translation on your Home Internet for the addresses in 192.168.1.0. I am guessing that this address translation is already done. So we need to think about address translation for the 192.168.2.0 network. Since your Home Internet does already have a route for the 192.168.2.0 network it may be that you can configure address translation for that network on your Home Internet. If that is possible it is the better solution (to have all address translation done in one place). But if there are issues getting address translation on your Home Internet for the new network then it should be possible to have your 1841 translate addresses in 192.168.2.0 into its address in 192.168.1.0 (which would then be translated again by your Home Internet). 

- Do you want any devices inside your home network to be accessible from the Internet (to have Internet resources initiate traffic to devices inside your home network)? For that to happen you will need to configure either static address translation (or perhaps port forwarding). Note this would need to be done if you want Internet access for SSH to your 1841 and/or your switch.

- If you do want to enable SSH access to 1841 and switch from Internet then you will most certainly want to configure controls on what IP addresses are able to SSH to those devices. It is an absolute certainty that if you make the 1841 and switch accessible from Internet that MANY devices in the Internet will attempt SSH access to them. The usual way to provide the control on access is to configure access-class on the vty ports of your 1841 and switch. access-class uses an access list (usually a standard access list rather than an extended access list) to identify the addresses that are allowed to SSH to your devices. Also note that if you are going to enable Internet access to 1841 and switch that you probably want to limit access to SSH (to disable access using telnet). 

HTH

Rick
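
The access control described in the reply above, written out as IOS configuration. This is an added example, not a configuration posted in the thread; the ACL name SSH-MGMT and the address 203.0.113.10 (a documentation-range placeholder for the one remote address allowed in) are assumptions.

```cisco
! ---- Apply on BOTH the 1841 and the 3560 ----
! Standard ACL naming the only sources allowed to open a VTY session.
! SSH-MGMT is a hypothetical name; 203.0.113.10 is a constructed placeholder.
ip access-list standard SSH-MGMT
 remark Home LAN behind the Home Internet router
 permit 192.168.1.0 0.0.0.255
 remark Lab subnet between the 1841 (Fa0/0) and the 3560 (Vlan1)
 permit 192.168.2.0 0.0.0.255
 remark Remote admin address - replace the placeholder with your own
 permit host 203.0.113.10
 remark Explicit deny with logging, so rejected attempts show up in the log
 deny   any log
!
! ---- 1841 router: default VTY lines are 0 4 ----
line vty 0 4
 ! Filter inbound sessions by source address
 access-class SSH-MGMT in
 ! Accept SSH only; this removes telnet from the lines
 transport input ssh
!
! ---- 3560 switch: cover all sixteen VTY lines ----
! A line left out of the range would still accept unfiltered sessions.
line vty 0 15
 access-class SSH-MGMT in
 transport input ssh
!
! ---- Verify from exec mode on each device ----
! show access-lists SSH-MGMT          (per-entry match counters)
! show running-config | begin line vty
```

If the Home Internet router rewrites the source address of forwarded connections, the devices will see its inside address (192.168.1.1) rather than the remote one, and the permit for the home LAN will match instead of the host entry. In that case the source restriction has to be enforced on the Home Internet router's port-forwarding rule.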

Thanks Richard. Sorry for my late reply. I am able to see your reply today only. So I will try this and if any further clarification is needed I will come back.