cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19518
Views
31
Helpful
12
Replies

Does 3650 Mgmt Interface (Gi0/0) support SSH ?

Does anyone know if the WS-C3650-48PD supports (or not) SSH over the MGMT interface (Gi0/0) ?

I have it working with Telnet and the switch is configured with SSH enabled.

I can use SSH if I use in-band management (configure the switch IP on a VLAN interface instead of on the Gi0/0 interface), but when I try to open a SSH session over the MGMT interface I get "Connection refused" in my SSH client.

Is there something extra I need to do to make SSH work over MGMT ?

 

...

!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!

...

!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
!

...

!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.28.26.95 255.255.255.0
 negotiation auto
!

...

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.28.26.1
!
...

line vty 0 4
 access-class 1 in
 exec-timeout 50 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 logging synchronous
 login local
 length 0
 transport input telnet ssh
 escape-character 3
...


Normally I would  use "transport input ssh" - ie. no telnet - but this is the only way I've been able to use the MGMT interface so far and I'd rather not be using Telnet at all.

 

Thanks

David

 

 

 

1 Accepted Solution

Accepted Solutions

amikat
Spotlight
Spotlight

Hi,

Can you please try to modify your "access-class" command under "line vty 0 4" as follows:

"access-class 1 in vrf-also"

and see if that makes any progress.

Best regards,

Antonin

View solution in original post

12 Replies 12

Reza Sharifi
Hall of Fame
Hall of Fame

For the out-of-band management interface, SSH should work the same way as telnet as long ssh is configured correctly.

What is the output of

sh ip ssh?

HTH 

Thanks Reza - I think it ought to work too. I'll get you the "sh ip ssh" later today and post it. I've had to relocate the switch and get it working with in-band management in the interim but I'm still keen to solve this issue.

 

David

Quicker than expected - quiet morning so far ;-)

#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
#

I checked the SSH traffic from my client - I send SYN, get back RST - definitely an active refusal of the connection.

If MGMT Gi0/0 does support SSH, it's clear I'm missing something to enable it.

IOS is Cisco's current recommended for this platform and in the recommended installation mode

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 52    WS-C3650-48PD      03.03.05SE        cat3k_caa-universalk9 INSTALL
 

If I move the management IP address off Gi0/0 and onto the management VLAN interface (management is then through Gi1/1/1 where the VLAN is trunked), it works fine and I can SSH to the switch with no other changes to the configuration (of course subsequently I want to disable Telnet)

I know can eliminate patching and routing/forwarding of the traffic as issues given Telnet and PING can reach the management IP address under both configurations. It's as if the MGMT interface just doesn't allow SSH by default (or possibly not at all)

 

If you have a working configuration you'd be happy to share, I'd appreciate it.

 

Thanks again

David

 

Hi David,

There is no especial configuration needed it on the mgmt0 interface to access it via telnet or SSH.  I have the same exact config working on multiple 3850 switches with no issues.

Here is a working config

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxx...

one difference is that mine shows version 1.99 and your 2.0, but this should not make any difference.

My interface config is exactly the same as yours.

IOS ver 03.02.02.SE

HTH

 

 

 

 

3650 series is fairly new, so sounds like an IOS issue.

Have you opened a ticket with TAC?
 

Thanks Reza

No ticket opened yet, but that will be my next step. I just wanted to check other people's experience first in case I was missing some simple configuration step or had not understood some design limitation on the interface.

Thanks for your time and interest.

 

David

amikat
Spotlight
Spotlight

Hi,

Can you please try to modify your "access-class" command under "line vty 0 4" as follows:

"access-class 1 in vrf-also"

and see if that makes any progress.

Best regards,

Antonin

Hi Antonin

 

Yes - that fixed it, thanks. I can now SSH to the MGMT interface G0/0.

 

It seems odd that Telnet would work but SSH would not until I made your suggested change and added "vrf-also", but I'll keep it in mind when setting up newer switches that have dedicated management ports.

 

I think I might have struck a similar problem a few years ago with the mgmt0 port on a Nexus 5500 switch, but at the time didn't have the time to pursue it, so I might have a look at whether there's a similar parameter there too.

 

Thanks again - a very satisfying outcome ;-)

 

David

Hi,

Thanks for the response.

Well done!

Just FYI: there are various models of Cisco switches where mgmt i/face is not configured as vrf. In these cases naturally you do not need to bother to configure "vrf-also" parameter and ssh access works just smoothly without.

Best regards,

Antonin

Antonin,

Thanks for the update. This is great information, but as you correctly noted none of the other switches need this command, ssh works just fine.

I guess, Cisco decided to yet make another change in the new platform to make our lives more difficult :)

 

And, just for something to keep us challenged, the Nexus 5596 mgmt0 interface does use the pre-defined vrf object named "management", BUT

...

the access-class command on vty line does NOT support any vrf parameter  ;-)

 

Anyway, for now I'm not going to mess with that one - it's in our core and I'm using the mgmt0 interfaces for the peer keep-alive link in the cluster, so for now I'll stick with the in-band management.

 

Thanks again

David

Thank you so much!

Review Cisco Networking for a $25 gift card