08-30-2010 10:34 PM - edited 03-06-2019 12:44 PM
08-31-2010 01:55 AM
Hi Steve,
CatOS allows limited number of processes with type 2 stack in the system.
The max # of processes with type 2 stack is 13 .
Telnet/SSH processes are examples of the processes which require type 2 stack.
"show user" to check current usage.
"set logout X" to setup inactivity timeout for each session.
On newer versions (8.7?) within CSCse80371 "Cat6500:Need ability to limit the number of connections to sc0" the option was added:
set ip permit [mask] [telnet|ssh] max-connections
Range of limit is from 0 to the maximum telnet/ssh connections allowed to the switch.
A limit 0 means no rules will be applied to limit the telnet/ssh connections
> (enable) show ip permit
Http permit list disabled.
Snmp permit list disabled.
Ssh permit list disabled.
Telnet permit list enabled.
Permit List      Mask             Access-Type      Max-Connections
---------------  ---------------  ---------------  ---------------
10.77.11.190                      telnet           3
10.77.11.190                      ssh              2
10.77.11.190                      snmp http
10.77.15.64      255.255.255.192  telnet ssh       5
Denied IP Address  Last Accessed Time  Type
-----------------  ------------------  ------
10.77.11.190       03/18/07,10:54:18   Telnet
Regards,
Sergey
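Added example (not part of Sergey's reply or of CatOS itself): a small Python audit that parses the "show ip permit" output quoted above and flags the conditions the thread is about, telnet/ssh entries with no max-connections limit, a combined limit that exceeds the 13 type-2-stack processes, and a permit list that is disabled while entries for it exist. The sample output is the one from the post, re-embedded so the script runs offline; the 13-process cap and the "0 means no limit" rule are taken from the reply.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the "show ip permit" output quoted in the reply above,
# embedded here so the parser runs offline.
SAMPLE_SHOW_IP_PERMIT = """\
Http permit list disabled.
Snmp permit list disabled.
Ssh permit list disabled.
Telnet permit list enabled.
Permit List      Mask             Access-Type      Max-Connections
---------------  ---------------  ---------------  ---------------
10.77.11.190                      telnet           3
10.77.11.190                      ssh              2
10.77.11.190                      snmp http
10.77.15.64      255.255.255.192  telnet ssh       5
Denied IP Address  Last Accessed Time  Type
-----------------  ------------------  ------
10.77.11.190       03/18/07,10:54:18   Telnet
"""

TYPE2_STACK_MAX = 13              # CatOS cap on type-2-stack processes (from the thread)
ACCESS_TYPES = {"telnet", "ssh", "snmp", "http"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LIST_STATE = re.compile(r"^(\w+) permit list (enabled|disabled)\.$")


@dataclass
class PermitEntry:
    host: str
    mask: Optional[str]
    access: List[str]
    max_connections: Optional[int]  # None = no limit (absent, or 0 per the reply)


def parse_show_ip_permit(text: str) -> Tuple[Dict[str, bool], List[PermitEntry], List[Tuple[str, str, str]]]:
    """Return (per-protocol enabled flags, permit entries, denied rows)."""
    enabled: Dict[str, bool] = {}
    entries: List[PermitEntry] = []
    denied: List[Tuple[str, str, str]] = []
    section = None  # None -> "permit" -> "denied"
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("-"):
            continue
        m = LIST_STATE.match(line.strip())
        if m:
            enabled[m.group(1).lower()] = m.group(2) == "enabled"
            continue
        if tokens[:2] == ["Permit", "List"]:
            section = "permit"
            continue
        if tokens[0] == "Denied":
            section = "denied"
            continue
        if section == "permit":
            rest = tokens[1:]
            mask = rest.pop(0) if rest and IPV4.match(rest[0]) else None
            maxc = int(rest.pop()) if rest and rest[-1].isdigit() else None
            if maxc == 0:          # 0 = no rule applied, i.e. unlimited
                maxc = None
            access = [t.lower() for t in rest if t.lower() in ACCESS_TYPES]
            entries.append(PermitEntry(tokens[0], mask, access, maxc))
        elif section == "denied" and len(tokens) >= 3:
            denied.append((tokens[0], tokens[1], tokens[2]))
    return enabled, entries, denied


def audit(enabled: Dict[str, bool], entries: List[PermitEntry]) -> List[str]:
    """Flag session-related weaknesses in the permit configuration."""
    findings: List[str] = []
    budget = 0
    for e in entries:
        session_protos = [a for a in e.access if a in ("telnet", "ssh")]
        if not session_protos:
            continue
        if e.max_connections is None:
            findings.append(f"{e.host}: {'/'.join(session_protos)} permitted with no max-connections limit")
        else:
            budget += e.max_connections
    if budget > TYPE2_STACK_MAX:
        findings.append(f"configured limits sum to {budget}, above the {TYPE2_STACK_MAX} type-2-stack processes")
    for proto in ("telnet", "ssh"):
        if not enabled.get(proto, False) and any(proto in e.access for e in entries):
            findings.append(f"{proto} permit list is disabled although {proto} entries are configured")
    return findings


if __name__ == "__main__":
    en, ents, den = parse_show_ip_permit(SAMPLE_SHOW_IP_PERMIT)
    for f in audit(en, ents):
        print("FINDING:", f)
    for host, when, kind in den:
        print(f"denied {kind} attempt from {host} at {when}")
```

On the quoted output the only finding is that the ssh permit list is disabled while two entries grant ssh; the telnet entries are limited (3 + 5) and the total of all limits (10) stays under the 13-process cap.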
08-31-2010 02:38 PM
Hi Sergey,
Thank you, that is perfect. I am unable to view the link, think maybe privileges. Does this require a CCO login?
Just one more thing. I would like to enable logging to view telnet connections only, really connections that are being dropped, but a little unsure of the settings.
The switch in question is a heavily used POP switch and I do not want to impact the performance of it by enabling too much debugging.
TIA
Steve
09-03-2010 03:34 AM
Hi Steve,
As for link, sorry it was an internal one. You could see it on CCO Bug Toolkit tool:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse80371
For logging
If we are talking about ip permit usage, then as per
Configuring the IP Permit List
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/ip_perm.html
If you want to log the unauthorized access attempts to the console or a syslog server,
you might need to change the logging severity level for IP (like "set logging level ip 4 default" in the config section).
As per Table 37-1 IP Permit List Default Configuration, the IP syslog message severity level default value is 2.
Also, if you are talking about user authorizations failures then sev5 messages generated for that:
%MGMT-5-LOGIN_FAIL:User failed to log in from
As far as it is sev5 (notifications) the MGMT logging level might need to be changed from the default 4, like:
set logging level mgmt 5 default
Thanks,
Sergey
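Added example (not from Sergey's reply or from Cisco): a Python snippet that shows two things the logging advice above implies. First, whether a given message would be emitted at all under the configured per-facility level (a sev 5 %MGMT message is dropped while MGMT stays at the default 4, which is why the level may need raising). Second, a simple detection pass over %MGMT-5-LOGIN_FAIL lines that counts failures per source address inside a time window. The syslog lines are constructed; the reply only quotes the message prefix, so the timestamp layout, the source address and the "through Telnet/SSH" suffix are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in a CatOS-like layout
# (timestamp, then %FACILITY-SEVERITY-MNEMONIC:text). Only the
# "%MGMT-5-LOGIN_FAIL:User failed to log in from" prefix comes from the thread;
# the rest of each line is assumed for illustration.
SAMPLE_SYSLOG = """\
2010 Aug 31 01:55:10 %MGMT-5-LOGIN_FAIL:User failed to log in from 10.77.11.190 through Telnet
2010 Aug 31 01:55:14 %MGMT-5-LOGIN_FAIL:User failed to log in from 10.77.11.190 through Telnet
2010 Aug 31 01:55:19 %MGMT-5-LOGIN_FAIL:User failed to log in from 10.77.11.190 through Telnet
2010 Aug 31 01:56:02 %MGMT-5-LOGIN_FAIL:User failed to log in from 10.77.15.70 through SSH
2010 Aug 31 02:10:44 %MGMT-5-LOGIN_FAIL:User failed to log in from 10.77.11.190 through Telnet
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):(?P<text>.*)$"
)
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

# Default facility level quoted in the reply: MGMT defaults to 4 (warnings).
DEFAULT_LEVEL = 4


def parse_syslog(text: str) -> List[dict]:
    """Split syslog lines into timestamp, facility, numeric severity, mnemonic, text."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
            "facility": m["facility"],
            "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"],
            "text": m["text"],
        })
    return events


def would_be_logged(event: dict, facility_levels: Dict[str, int]) -> bool:
    """A message is emitted only when its severity number is <= the level set
    for its facility, e.g. after "set logging level mgmt 5 default"."""
    level = facility_levels.get(event["facility"].lower(), DEFAULT_LEVEL)
    return event["severity"] <= level


def login_failure_bursts(events: List[dict], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {source_ip: max failures seen inside any `window`} for sources
    that reach `threshold`, using a sliding window over sorted timestamps."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["mnemonic"] != "LOGIN_FAIL":
            continue
        m = SRC_RE.search(ev["text"])
        if m:
            by_src[m.group(1)].append(ev["ts"])
    bursts: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print("emitted at default MGMT level:", sum(would_be_logged(e, {}) for e in evs))
    print("emitted with MGMT at 5:", sum(would_be_logged(e, {"mgmt": 5}) for e in evs))
    print("bursts:", login_failure_bursts(evs))
```

With the facility left at the default level none of the five sample events would reach the log, which is the point of the "set logging level mgmt 5 default" suggestion; once they are logged, the burst check reports three failures from one source inside a five-minute window.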
09-05-2010 06:08 PM
Hi Sergey,
Thanks for the links and update. I do not have CCO access so have asked a colleague to get me the details.
The issue that I have is we use a software application to configure the switch, the switch is overloaded from what I understand and can be a little slow to respond at times with the telnet prompts.
It appears to me the switch is dropping the telnet connections after the user has logged on leaving user sessions open and thus I would like to know if I can tell this from the switch logs.
Thanks I appreciate your help
Steve