Protect Telnet and/or SSH access on T1 router with High CPU/link Utilization

gene.uhl
Level 1

Hello,

Someone told me the commands, but I can't remember them.  Have a router (2801) at the end of a highly utilized T1 link/router.  How do I protect it so my SSH and/or Telnet sessions will get serviced if the router is real busy. 

Thanks

Gene

9 Replies

paolo bevilacqua
Hall of Fame

You should not worry, because a single T1 will not make a 2801 'real busy'.

And IOS has default mechanisms to privilege control plane automatically.

I don't think that is correct. If you are using NAT (overload) on the router and have a host that is doing some kind of P2P application behind the router, you can make the 2801 router become unresponsive in a hurry, even from the console.

I think Paolo is speaking from the perspective of the inside. There's nothing on a T1 in/outbound that would keep the router so busy that an administrator wouldn't be able to telnet from the inside if they were on the same lan. That being said, if someone was saturating the circuit (p2p, streaming, etc), and you needed to be able to telnet into the router over the wan, then yes it could be unresponsive.

What you could do is put a service policy on the router that prioritizes telnet/ssh with something like:

access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 22
class-map match-any TelnetSSH
 match access-group 101
policy-map Outbound
 class TelnetSSH
  bandwidth 512
 class class-default
  fair-queue
int s0/0
 service-policy output Outbound

HTH,
John

*** Please rate all useful posts ***


I beg to differ. Even if the LAN side is less than 2 Mbps, if you have a lot of NAT going on and high CPU on the router, your telnet/ssh will not work either, even when your connection is from the LAN side.

Try it with a Cisco 2621 router with IOS 12.2(15)T with NAT overload and a P2P PC running donkey/limewire behind that router and you will see what I mean.

david.tran@finra.org wrote:

I beg to differ. Even if the LAN side is less than 2 Mbps, if you have a lot of NAT going on and high CPU on the router, your telnet/ssh will not work either, even when your connection is from the LAN side.

Try it with a Cisco 2621 router with IOS 12.2(15)T with NAT overload and a P2P PC running donkey/limewire behind that router and you will see what I mean.

2621 = circa 1996 CPU, 2801 = circa 2006. Not to say the 2801 is fast by today's standards, but you can't compare them.

This is more like what I am looking for, but I have some questions. I have an ASR connected to the internal network, which also has the T1 connection on a serial port to the 2800 router, which connects to a 3560.

They have VoIP, so on the ASR and the 2800 there is already a policy map for VoIP on the serial 0/1 of the 2800 and the serial 0/1/1:11 of the ASR (service-policy output POLICYNAME).

The issue is the remote side is sending very little, but saturating and dropping default packets on the receive side of the 2800.  So input on its serial port and output on the ASR serial port.

How could I implement this on the ASR side to make sure SSH gets through as well as VoIP traffic? Can you have two service policies, or do you combine them?

The one I have now on the ASR is:  (the 2801 is similar, but as I am  not experiencing issues on saturation coming from the end node, I figure I would only need it on the ASR side going to the end node)

Policy Map Project_Mgmnt
    Class AutoQoS-VoIP-RTP-Trust
      priority 200 (kbps)
    Class AutoQoS-VoIP-Control-Trust
      bandwidth 5 (%)
    Class class-default
      fair-queue

and the port looks like this:

interface Serial0/1/1/11:0
 description CR2801-FP01
 ip address 10.254.254.46 255.255.255.252
 encapsulation ppp
 service-policy output Project_Mgmnt

Appreciate the help on this....

Thanks


Gene

You'll want to keep your voice in an LLQ (priority). Then create the class map as stated above and match on 23 (telnet) or 22 (ssh). Then modify the existing policy map to add the new class. The bandwidth statement guarantees that much bandwidth will be set aside when congestion arises.

You'll probably also want to run netflow if possible on this router to see what's saturating the link though.

So in your policy, you'd combine them by adding the other class map to same existing policy...

HTH,
John

*** Please rate all useful posts ***

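What John describes, written out as one combined policy for the ASR. This is an added example, not a configuration posted in the thread: it folds John's TelnetSSH class into Gene's existing Project_Mgmnt policy, keeps voice in the LLQ, and narrows the ACL so only sessions destined to the far-end router get the reservation (John's `any any eq 22/23` would also prioritize transit SSH/Telnet, including a user's bulk SCP copy). The 2801's address 10.254.254.45 is assumed from the ASR's 10.254.254.46/30 in the thread; substitute whatever address you actually SSH to.

```cisco
! Added example, not from the thread. 10.254.254.45 is ASSUMED to be the 2801's
! end of the /30 (the ASR is .46 in the thread); use the 2801's real management
! address (or loopback) here.
!
! Match only management sessions terminating on the router, not every port-22/23
! flow crossing the link, so transit SSH/SCP cannot consume the reservation.
ip access-list extended MGMT-TO-2801
 permit tcp any host 10.254.254.45 eq 22
 permit tcp any host 10.254.254.45 eq 23
!
class-map match-any TelnetSSH
 match access-group name MGMT-TO-2801
!
! Voice stays in the priority (LLQ) class. The existing control class already
! reserves bandwidth in percent, and IOS does not allow "bandwidth <kbps>" and
! "bandwidth percent" to be mixed in one policy map, so the new class uses
! percent as well. Only the TelnetSSH class is new; the rest is Gene's policy.
policy-map Project_Mgmnt
 class AutoQoS-VoIP-RTP-Trust
  priority 200
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class TelnetSSH
  bandwidth percent 5
 class class-default
  fair-queue
!
! The policy is already applied outbound on the T1-facing interface; re-applying
! is harmless and documents where it lives.
interface Serial0/1/1/11:0
 service-policy output Project_Mgmnt
!
! Verify the new class is matching and watch for drops while the link is busy:
!   show policy-map interface Serial0/1/1/11:0
```

If the TelnetSSH counters stay at zero while the link is saturated, the ACL destination does not match the address you are connecting to; if the class shows matches but still drops, the 5 percent reservation is too small for the session plus whatever else hits those ports.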

John,

Thanks!!! I'll give it a whirl tomorrow and maybe post what I come up with so someone could verify I didn't just screw up my VoIP stuff :-)) Sorry, but I am a neophyte when it comes to QoS.

Appreciate the help

Gene

No problem! I look forward to hearing how it goes...

HTH,
John

*** Please rate all useful posts ***
