Guys,
I have noticed that there are some telnet sessions to our Cisco 3850 switch:
switch#sh users
Line User Host(s) Idle Location
2 vty 0 idle 00:01:06 192.168.3.2
3 vty 1 idle 00:01:06 192.168.3.2
* 4 vty 2 idle 00:00:00 10.xx.5.40
switch#sh tcp brief
TCB Local Address Foreign Address (state)
34A272D4 10.yy.2.201.23 10.xx.5.40.50755 ESTAB
3A0F8494 192.168.3.1.23 192.168.3.2.42519 ESTAB
3A0874F0 192.168.3.1.23 192.168.3.2.42517 TIMEWAIT
3A4A6030 192.168.3.1.23 192.168.3.2.42518 TIMEWAIT
3A4CE854 192.168.3.1.23 192.168.3.2.42520 ESTAB
10.xx.5.40 is my host IP address. Even after clearing these vty lines (clear line vty <number>), they come back. The switch has only one IP interface: 10.yy.2.201.
switch#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Vlan1 10.yy.2.201 YES NVRAM up up
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet1/0/1 unassigned YES unset down down
...
Is it a backdoor or internal virtual sessions? More info:
sh version
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
1 56 WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
2 56 WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
3 56 WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
switch#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.yy.2.201 16666 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 16667 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 12124 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 12125 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 12134 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 12135 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5246 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 12223 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 6352 0 0 0 0
17 0.0.0.0 0 10.yy.2.201 67 0 0 1002211 0
17 0.0.0.0 0 10.yy.2.201 5247 0 0 1000011 0
17 0.0.0.0 0 10.yy.2.201 2228 0 0 1000211 0
17(v6) --listen-- --any-- 161 0 0 1020001 0
17(v6) --listen-- --any-- 162 0 0 1020011 0
17(v6) --listen-- --any-- 1025 0 0 1020001 0
17 --listen-- 10.yy.2.201 161 0 0 1001001 0
17 --listen-- 10.yy.2.201 162 0 0 1001011 0
17 --listen-- 10.yy.2.201 1025 0 0 1001011 0
It is an old Cisco bug:
Applying an ACL to the vty lines and enabling only SSH as transport input didn't help. Need to update the firmware.
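A small triage script, added here as an example and not part of the original post, that parses "show tcp brief" output like the one above and labels each established telnet session by its peer: a known management station, a session with both ends inside the 192.168.3.x range the post asks about, or an unexpected source. The management range (10.0.5.0/24), the "internal" range (192.168.3.0/24) and the concrete octets substituted for the post's xx/yy placeholders are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the post's 'show tcp brief' rows, with the masked octets
# replaced by assumed values (10.yy.2.201 -> 10.0.2.201, 10.xx.5.40 -> 10.0.5.40).
SAMPLE_TCP_BRIEF = """\
TCB Local Address Foreign Address (state)
34A272D4 10.0.2.201.23 10.0.5.40.50755 ESTAB
3A0F8494 192.168.3.1.23 192.168.3.2.42519 ESTAB
3A0874F0 192.168.3.1.23 192.168.3.2.42517 TIMEWAIT
3A4A6030 192.168.3.1.23 192.168.3.2.42518 TIMEWAIT
3A4CE854 192.168.3.1.23 192.168.3.2.42520 ESTAB
"""

# Assumption: management stations live here; any other peer on port 23 is flagged.
MGMT_NETS = [ip_network("10.0.5.0/24")]
# Assumption: the 192.168.3.0/24 range seen in the post is treated as switch-internal.
INTERNAL_NETS = [ip_network("192.168.3.0/24")]

# IOS prints "address.port" with a dot; greedy \S+ backtracks so the last group is the port.
ROW = re.compile(r"^([0-9A-F]+)\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)$")

def parse_tcp_brief(text):
    """Turn 'show tcp brief' rows into dicts; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        tcb, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"tcb": tcb, "local": ip_address(laddr), "lport": int(lport),
                     "foreign": ip_address(faddr), "fport": int(fport), "state": state})
    return rows

def classify(row):
    """Label a telnet (local port 23) session by where its peer sits."""
    if row["lport"] != 23:
        return "not-telnet"
    peer, local = row["foreign"], row["local"]
    if any(peer in n for n in MGMT_NETS):
        return "management"
    if any(peer in n for n in INTERNAL_NETS) and any(local in n for n in INTERNAL_NETS):
        return "internal-loop"
    return "unexpected"

def triage(text):
    """Return {label: [TCB, ...]} for established telnet rows; TIMEWAIT leftovers are ignored."""
    out = {}
    for row in parse_tcp_brief(text):
        if row["state"] == "ESTAB":
            out.setdefault(classify(row), []).append(row["tcb"])
    return out

if __name__ == "__main__":
    for label, tcbs in triage(SAMPLE_TCP_BRIEF).items():
        print(f"{label}: {', '.join(tcbs)}")
```

Anything landing in the "unexpected" bucket is what deserves a look first; the "internal-loop" sessions match the pattern in the post and can be compared against the vendor's release notes for the running version.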