Re: Unable to Telent(Destination unreachable; gateway or host do

adhityakarthik · ‎05-14-2009

hi all

I need to restict telnet access to switches, mean i should able to telnet LAN Switches from core switch mangement vlan.

I have apllied ACL, but after applying ACL, i am able to ping access switch but i am unable to telnet, config is pasted below can some one help plz

On Core switch

int vlan 171

description Mgmt vlan

ip address 172.17.1.2 255.255.255.0

--------------

On access siwth i have apllied this config

access-list 110 permit ip 172.17.1.0 0.0.0.255 any

access-list 110 deny ip any any log

And on vlan interface i have apllied this

int vla171

ip aceess group 110 in

after this iam able to pin access switch from the core but uanble to telnet

erros pasted below

Core1ping 172.17.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core-DC-1#tel

Core-DC-1#telnet 172.17.1.10

Trying 172.17.1.10 ...

% Destination unreachable; gateway or host down

Please help me on the same

srinivas sagar

cisco_lad2004 · ‎05-14-2009

apply ACL under instead line VTY 0 4 and later 5 15.

conf t

line vty 0 4

access-class 110 in

end

HTH

Sam

adhityakarthik · ‎05-14-2009

Hi

Thanks very much for the update.

My erequirement is not only telnet but to allowSNMP servers and other montiroing tools to pool, i got requirement to apply on mangement vlan could you please gucid eme

Srinivas

cisco_lad2004 · ‎05-14-2009

please re test with telnet /source-interface vlan 171

this will confirm if u have any routing issues. if u can PING, u should be able to telnet unless going thru FW or further ACLs that re misleading u.

please inc show ip route from core for SWITCH management VLAN.

Sam

adhityakarthik · ‎05-14-2009

HI

i am able to ping and do the tracert

Core-DC-1#p 172.17.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core-DC-1#tel

Core-DC-1#telnet 172.17.1.10

Trying 172.17.1.10 ...

% Destination unreachable; gateway or host down

Core-DC-1#traceroute 172.17.1.10

Type escape sequence to abort.

Tracing the route to 172.17.1.10

1 172.17.1.10 0 msec * 0 msec

Core-DC-1#q

Io route

Core-DC-1#sh ip route | in 172.17.1.0

C 172.17.1.0/24 is directly connected, Vlan171

Core-DC-1#

Rinivasa

adhityakarthik · ‎05-14-2009

HI

i am able to ping and do the tracert

Core-DC-1#p 172.17.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core-DC-1#tel

Core-DC-1#telnet 172.17.1.10

Trying 172.17.1.10 ...

% Destination unreachable; gateway or host down

Core-DC-1#traceroute 172.17.1.10

Type escape sequence to abort.

Tracing the route to 172.17.1.10

1 172.17.1.10 0 msec * 0 msec

Core-DC-1#q

Io route

Core-DC-1#sh ip route | in 172.17.1.0

C 172.17.1.0/24 is directly connected, Vlan171

Core-DC-1#

Rinivasa

cisco_lad2004 · ‎05-14-2009

Rinivasa,

Ur config should work.

veriffy that there are no other ACLs on physical ports / trunks that may cause this.

Its a straight forward setup and should work.

Sam

adhityakarthik · ‎05-14-2009

Hi

there are no ACSL in the access siwth it has not worked

do u want to me to check any thing on core

srinivasa

cisco_lad2004 · ‎05-14-2009

what do u get when u telnet this way ?

telnet 172.17.1.10 /source-interface vlan 171

If u get through, then check that you have this line configured.

"ip telnet source-interface" which is corrupting your telnet source.

adhityakarthik · ‎05-14-2009

Hi,

i will check this

have not configured ip telnet source itnerface vlan

find my config below

ip tacacs source-interface Vlan171

logging source-interface Vlan171

snmp-server trap-source Vlan171

Srinivasa

adhityakarthik · ‎05-14-2009

Hi,

i will check this

have not configured ip telnet source itnerface vlan

find my config below

ip tacacs source-interface Vlan171

logging source-interface Vlan171

snmp-server trap-source Vlan171

Srinivasa

cisco_lad2004 · ‎05-14-2009

what do u get when u telnet this way ?

telnet 172.17.1.10 /source-interface vlan 171

adhityakarthik · ‎05-14-2009

Hi

Thanks for the update.

I havnet tried, will try later in the evening

Please note that its a stack Switch(5 Switches connected in sack) and i am doing it remotely

srinivasa

amitmarathe · ‎05-14-2009

Just check the source interface when you telnet to the switch.

adhityakarthik · ‎05-14-2009

Hi

i didnt get you

srinivasa

Unable to Telent(Destination unreachable; gateway or host down )