Thanks Reza - I think it ought to work too. I'll get you the "sh ip ssh" later today and post it. I've had to relocate the switch and get it working with in-band management in the interim but I'm still keen to solve this issue.

David

Quicker than expected - quiet morning so far ;-)

#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
#

I checked the SSH traffic from my client - I send SYN, get back RST - definitely an active refusal of the connection.

If MGMT Gi0/0 does support SSH, it's clear I'm missing something to enable it.

IOS is Cisco's current recommended for this platform and in the recommended installation mode

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 52    WS-C3650-48PD      03.03.05SE        cat3k_caa-universalk9 INSTALL
 

If I move the management IP address off Gi0/0 and onto the management VLAN interface (management is then through Gi1/1/1 where the VLAN is trunked), it works fine and I can SSH to the switch with no other changes to the configuration (of course subsequently I want to disable Telnet)

I know can eliminate patching and routing/forwarding of the traffic as issues given Telnet and PING can reach the management IP address under both configurations. It's as if the MGMT interface just doesn't allow SSH by default (or possibly not at all)

If you have a working configuration you'd be happy to share, I'd appreciate it.

Thanks again

David

Hi David,

There is no especial configuration needed it on the mgmt0 interface to access it via telnet or SSH.  I have the same exact config working on multiple 3850 switches with no issues.

Here is a working config

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxx...

one difference is that mine shows version 1.99 and your 2.0, but this should not make any difference.

My interface config is exactly the same as yours.

IOS ver 03.02.02.SE

HTH

3650 series is fairly new, so sounds like an IOS issue.

Have you opened a ticket with TAC?
 

Thanks Reza

No ticket opened yet, but that will be my next step. I just wanted to check other people's experience first in case I was missing some simple configuration step or had not understood some design limitation on the interface.

Thanks for your time and interest.

David

Hi Antonin

Yes - that fixed it, thanks. I can now SSH to the MGMT interface G0/0.

It seems odd that Telnet would work but SSH would not until I made your suggested change and added "vrf-also", but I'll keep it in mind when setting up newer switches that have dedicated management ports.

I think I might have struck a similar problem a few years ago with the mgmt0 port on a Nexus 5500 switch, but at the time didn't have the time to pursue it, so I might have a look at whether there's a similar parameter there too.

Thanks again - a very satisfying outcome ;-)

David

Hi,

Thanks for the response.

Well done!

Just FYI: there are various models of Cisco switches where mgmt i/face is not configured as vrf. In these cases naturally you do not need to bother to configure "vrf-also" parameter and ssh access works just smoothly without.

Best regards,

Antonin

Antonin,

Thanks for the update. This is great information, but as you correctly noted none of the other switches need this command, ssh works just fine.

I guess, Cisco decided to yet make another change in the new platform to make our lives more difficult :)

And, just for something to keep us challenged, the Nexus 5596 mgmt0 interface does use the pre-defined vrf object named "management", BUT

...

the access-class command on vty line does NOT support any vrf parameter  ;-)

Anyway, for now I'm not going to mess with that one - it's in our core and I'm using the mgmt0 interfaces for the peer keep-alive link in the cluster, so for now I'll stick with the in-band management.

Thanks again

David

Thank you so much!