04-01-2020 02:00 PM
Hi
See attached diagram.
So I have set up a 2-switch 9300 stack with 4 x 9300 access switches connecting to the stack.
I have subnetted a /23 into 4 subnets and created an SVI for each subnet on the stack. I have also created a VRF between the stack and the provider routers and added the 4 subnets into the VRF, and all works fine: data/phones/wireless etc. all traverse the VRF as expected.
Now here's the thing: I can SSH to the access switches with no issues, but I can't SSH onto the stack. I have tried SSHing to the data SVIs and to the SVI connecting to the provider. Has anyone got any idea why this is happening, please?
Thanks in advance
04-01-2020 02:34 PM
A couple of things come to mind.
- first and most obvious, can you verify IP connectivity from whatever device you originate the SSH from to the SVIs on the switches? (simple test is can you ping the SVIs)
- second and probably fairly obvious, can you verify that SSH is enabled on the switches? (show ip ssh)
- another thing to look into is whether there is any security policy or access list on the switches which would impact SSH?
- and if SSH does not work, can you telnet to the switches?
04-02-2020 12:04 AM
Hi,
Can you post the output of the following: "show ip ssh", "show run | i ssh", "show run | sec aaa|radius|tacacs", "show ip int brief | e unass", "show ip vrf brief"?
Regards,
Cristian Matei.
04-02-2020 10:33 AM
Hi, as requested.
Is this INE's Cristian Matei?
DSW1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed- (key not included)
DSW1#sh run | i ssh
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
transport input ssh
transport input ssh
DSW1#sh run | s aaa|radius|tacacs
aaa new-model
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
radius server ip
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius server IP
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DSW1#show ip int brief | e unass
Interface    IP-Address    OK? Method Status    Protocol
Vlanx        x.x.x.x       YES NVRAM  up        up
Vlanx        x.x.x.x       YES NVRAM  up        up
Vlanx        x.x.x.x       YES NVRAM  up        up
Vlanx        x.x.x.x       YES NVRAM  up        up
Vlanx        x.x.x.x       YES NVRAM  up        up
DSW1#show ip vrf brief
  Name        Default RD    Interfaces
  DATA        <not set>     Vlx
                            Vlx
                            Vlx
                            Vlx
                            Vlx
  Mgmt-vrf    <not set>     Gi0/0
04-02-2020 12:07 PM
Hi,
Nice meeting you here, as well. Yes, this is Cristian Matei from INE. This year you'll see my trainings on my own platform.
As for the subject matter: do you not even get the authentication prompt, or do you fail authentication? I understand that the RADIUS server and the SVIs of the stack are running in VRF DATA, correct? In this case, make the required changes to end up with a config as follows and try again:
radius server FIRST
address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
key cisco
!
radius server SECOND
address ipv4 2.2.2.2 auth-port 1645 acct-port 1646
key cisco
!
aaa group server radius RADIUS_SERVERS
server name FIRST
server name SECOND
ip vrf forwarding DATA
ip radius source-interface xxxxx (needs to be in the same VRF of DATA)
!
no aaa authentication login default group radius local
no aaa authorization exec default group radius local
aaa authentication login default group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS local
aaa session-id common
Regards,
Cristian Matei.
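The point of the suggested change above is that the original method lists (`aaa authentication login default group radius local`) use the implicit global `radius` group, so the switch sources its RADIUS requests from the global routing table while the server sits behind SVIs in VRF DATA; the request never reaches the server, and SSH to the stack fails at authentication. The access switches are unaffected because their traffic never crosses the VRF boundary. The following is an added example (not from the thread or from Cisco): a small linter that parses an IOS-style `show run` excerpt and reports exactly that mismatch. The "before" and "after" configs are constructed to mirror the original poster's output and Cristian's fix; the server addresses (192.0.2.x), the `Vlan10` source interface and the assumption that the servers live in VRF DATA are all made up for the example.

```python
"""Lint IOS/IOS-XE AAA config for RADIUS servers reachable only inside a VRF.

Added example, not code from the thread. It checks that every method list
points at a named server group that is bound to the VRF the servers live in
and that the group's source interface is itself in that VRF.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the layout from the original post (implicit global group).
BEFORE = """aaa new-model
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
!
radius server FIRST
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key cisco
!
interface Vlan10
 vrf forwarding DATA
 ip address 10.0.0.1 255.255.254.0
"""

# Constructed sample: the suggested fix, with a VRF-bound group and source interface.
AFTER = """aaa new-model
aaa authentication login default group RADIUS_SERVERS local
aaa authorization console
aaa authorization exec default group RADIUS_SERVERS local
aaa session-id common
!
radius server FIRST
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key cisco
!
radius server SECOND
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key cisco
!
aaa group server radius RADIUS_SERVERS
 server name FIRST
 server name SECOND
 ip vrf forwarding DATA
 ip radius source-interface Vlan10
!
interface Vlan10
 vrf forwarding DATA
 ip address 10.0.0.1 255.255.254.0
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
METHOD_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
VRF_RE = re.compile(r"^(?:ip )?vrf forwarding (\S+)$")  # interface form and group form


@dataclass
class ServerGroup:
    name: str
    servers: List[str] = field(default_factory=list)
    vrf: Optional[str] = None
    source_interface: Optional[str] = None


def _blocks(cfg: str, header_re: re.Pattern):
    """Yield (header match, stripped indented body lines) for each IOS block."""
    lines = cfg.splitlines()
    i = 0
    while i < len(lines):
        m = header_re.match(lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i].strip())
            i += 1
        yield m, body


def parse_server_groups(cfg: str) -> Dict[str, ServerGroup]:
    groups: Dict[str, ServerGroup] = {}
    for m, body in _blocks(cfg, GROUP_RE):
        g = ServerGroup(m.group(1))
        for line in body:
            if line.startswith("server name "):
                g.servers.append(line.split()[-1])
            elif line.startswith("ip vrf forwarding "):
                g.vrf = line.split()[-1]
            elif line.startswith("ip radius source-interface "):
                g.source_interface = line.split()[-1]
        groups[g.name] = g
    return groups


def parse_interface_vrfs(cfg: str) -> Dict[str, str]:
    """Map interface name -> VRF for every interface with a vrf forwarding line."""
    return {m.group(1): vm.group(1)
            for m, body in _blocks(cfg, IFACE_RE)
            for line in body
            if (vm := VRF_RE.match(line))}


def parse_method_lists(cfg: str) -> List[Tuple[str, List[str]]]:
    """Return (method list name, [server groups it references]) pairs."""
    out = []
    for line in cfg.splitlines():
        m = METHOD_RE.match(line)
        if m:
            tokens = m.group(3).split()
            groups = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "group"]
            out.append((f"aaa {m.group(1)} {m.group(2)}", groups))
    return out


def lint(cfg: str, server_vrf: str) -> List[str]:
    """Findings for RADIUS traffic that would not be sourced inside server_vrf."""
    findings: List[str] = []
    groups = parse_server_groups(cfg)
    iface_vrf = parse_interface_vrfs(cfg)
    for name, referenced in parse_method_lists(cfg):
        for gname in referenced:
            if gname == "radius":  # implicit group: requests leave via the global table
                findings.append(f"{name}: uses implicit 'group radius' (global table), "
                                f"but the RADIUS servers live in VRF {server_vrf}")
                continue
            g = groups.get(gname)
            if g is None:
                findings.append(f"{name}: references undefined server group {gname}")
                continue
            if g.vrf != server_vrf:
                findings.append(f"group {gname}: 'ip vrf forwarding {server_vrf}' missing "
                                f"(currently {g.vrf or 'global'})")
            if g.source_interface is None:
                findings.append(f"group {gname}: no 'ip radius source-interface' in VRF {server_vrf}")
            elif iface_vrf.get(g.source_interface) != server_vrf:
                findings.append(f"group {gname}: source interface {g.source_interface} is in VRF "
                                f"{iface_vrf.get(g.source_interface, 'global')}, not {server_vrf}")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, lint(cfg, "DATA") or ["OK"])
```

Run against the "before" config it reports both method lists as pointing at the global `radius` group; against the "after" config it returns nothing. Dropping the `ip radius source-interface` line from the fixed config produces a single finding, which is the other half of the fix worth checking: binding the group to the VRF without a source interface in that VRF still leaves the server unable to match the NAS address. Separately, the posted `show ip ssh` output offers only SHA-1-based key exchange (`diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`) and `hmac-sha1`/`hmac-sha1-96` MACs; once login works, the offered lists can be restricted on IOS-XE with `ip ssh server algorithm kex` and `ip ssh server algorithm mac`, subject to what the running release supports.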