ACL question

afsharki2
Level 1

Hello,

I have a device with ip 1.1.1.1 that *attempts* to connect to my 4500x switch every once in a while.

The problem is, every time it attempts to connect, the following log pops up on the 4500x:

%SSH-3-NO_MATCH: No matching hostkey algorithm found: client ssh-dss server ssh-rsa

I wanted to set up an ACL on my 4500x that prints a log every time this device 1.1.1.1 tries to connect. Although "sh logging" does not show the IP of the device, I want to verify it for sure.

Thank you

1 Reply

Richard Burts
Hall of Fame

It should not be difficult to configure an access list that will generate log messages for each attempt to connect from source address 1.1.1.1. But there are a few things that you need to decide about how you want the access list to work.

- the access list must permit or must deny the packet. Do you want to permit or to deny in the access list?

- clearly we need to check for attempts with SSH. But do we need to check for other protocols as well?

- you want to see attempts to access this 4500 but not attempts to access any other device. So you need to supply a list of all of the IP addresses that might be used to access this 4500. (probably the output of show ip interface brief is the place to start)

- note that adding the log parameter to an ACL entry forces matching packets to be process switched. Is the potential performance impact acceptable? (probably not a lot of impact, but we will not know until we have tried it)

HTH

Rick

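Putting the four decisions in the reply above into one configuration, as an added example that is not part of the original thread or from either poster. It assumes the 4500-X is reachable on two hypothetical management addresses, 10.0.0.1 and 10.0.1.1 (substitute the real ones from "show ip interface brief"), that the client in question is 1.1.1.1 as stated in the question, and that its traffic arrives on a hypothetical interface Vlan10. The entries are written as "permit" so current behaviour is unchanged; change them to "deny" if the goal is to block as well as log.

```text
! Added example, not from the original post. Addresses 10.0.0.1, 10.0.1.1
! and interface Vlan10 are hypothetical placeholders.
ip access-list extended LOG-SSH-FROM-1111
 ! Decision 1 and 2: permit (not deny) and match SSH specifically.
 ! Decision 3: only connections to this switch's own addresses are matched,
 ! so attempts toward other devices through this interface are not logged.
 permit tcp host 1.1.1.1 host 10.0.0.1 eq 22 log
 permit tcp host 1.1.1.1 host 10.0.1.1 eq 22 log
 ! Optional: also log anything else this source sends (other protocols).
 permit ip host 1.1.1.1 any log
 ! Decision 4: all other traffic passes without "log", so only packets
 ! from 1.1.1.1 pay the process-switching cost.
 permit ip any any
!
interface Vlan10
 ip access-group LOG-SSH-FROM-1111 in
!
! Optional: log every matching packet instead of the default first-hit
! plus periodic summary (check that your IOS release supports this).
ip access-list log-update threshold 1
```

To confirm the source address, watch for "%SEC-6-IPACCESSLOGP: list LOG-SSH-FROM-1111 permitted tcp 1.1.1.1(...) -> 10.0.0.1(22)" entries in "show logging" and check the per-entry hit counters with "show access-lists LOG-SSH-FROM-1111". Note that the %SSH-3-NO_MATCH message in the question already shows the client offering only ssh-dss while the switch offers ssh-rsa, so the ACL confirms who is connecting but does not by itself change the key-algorithm mismatch.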