Interesting SSH SVI Issue on CAT-9300

ifritchy
Level 1

Heyo!

I haven't posted in the Cisco community in a long time, but I'm going to give it a shot before opening a ticket. I have an interesting question and I'm likely missing something small.

I have 10 SVIs on my Layer 3 C9300X-24Y core switch. I want SSH to use vlan1101; however, the switch is only responding to SSH via vlan 1201.

I have a Transit VLAN pointing all routes to my Palo firewall into a security zone, that is vlan 1201.  When I configure the following:

ip default-gateway 10.99.110.1

ip route 0.0.0.0 0.0.0.0 10.99.120.1

All my traffic passes to the Palo over vlan 1101, which is not what I want.  In order to remedy this, I removed the default gateway and left the gateway of last resort. -> 0.0.0.0 0.0.0.0 10.99.120.1


Now, I have enabled SSHv2 and issued this command:

ip ssh source-interface Vlan1101

and here is my LINE VTY config

line vty 0 4
login local
exec prompt expand
exec prompt timestamp
transport input ssh
line vty 5 15
login local
exec prompt expand
exec prompt timestamp
transport input ssh

Whenever I attempt to ssh to 10.99.110.2 (the gateway for vlan 1101 is on my Palo), I get a timeout.  SSH from any permitted source to the SVI interface on vlan 1201, 10.99.120.10, is working just fine.


Any ideas to stop the switch from listening on vlan 1201 without modifying how my traffic is passing to the Palo?


TIA!!

3 Replies

ip ssh source-interface <vlan x>

This forces SSH to use only one VLAN.

Try the command above.

MHM

Giuseppe Larosa
Hall of Fame

Hello @ifritchy ,

I'm afraid the command below applies only to outgoing SSH sessions, where the switch is used as a client to connect via SSH to other devices.

>> ip ssh source-interface Vlan1101

Dumb question: does the Palo FW have a static route for the subnet associated with Vlan 1101, i.e. 10.99.110.2?

Are there ACLs applied to line vty that you have not reported in your initial post in this thread?

Edit:

Also, I would like to remind you that the ip default-gateway command is effective only if ip routing is disabled, and a default static route is effective only when ip routing is enabled.

So I'm a little lost when you say that you have tried to use ip default-gateway and then moved to a default static route using a different SVI.

Edit 2:

>> Whenever I attempt to ssh to 10.99.110.2 (the gateway for vlan 1101 is on my Palo), I get a timeout. SSH from any permitted source to the SVI interface on vlan 1201, 10.99.120.10, is working just fine.

So the Palo Alto is directly connected on both VLANs / SVIs, VLAN 1201 and VLAN 1101? But where are the source IP addresses for your attempts? If they are downstream/upstream of the FW, maybe you are simply facing asymmetric routing, where the switch answers back using SVI 1201 with a source that is SVI 1101 (or simply an antispoofing or uRPF equivalent feature).

If you try to SSH to SVI 1101 directly from the FW itself, is the SSH session successful?

Hope to help

Giuseppe


MHM, I have applied the source-interface vlan 1101 command; that is not working. To Giuseppe's point, I have been suspecting an asymmetric routing issue here because yes, I can SSH from the Palo to the Core. Palo is on vlan 1101 and hosts the gateway for that subnet.

Giuseppe, no dumb questions when there's an issue!

1. yes, the Palo has a static route pointing to the SVI on 1201 on the CORE because I do not want my SSH/Mgmt traffic to also be passing all of my user traffic as the transit VLAN to the Palo (network segment for 1201 called Inside-L3, another segment for vlan 1101 called NetMgmt-L3).

2. The only ACL I have configured is an ultra simplistic one for SNMPv3; nothing is applied to the LINE interfaces.

3. I had a PEBCAK moment when configuring and literally forgot to issue the "ip routing" command prior to the default-gateway/gateway of last resort configs.  After issuing ip routing, I removed the default-gateway.

4. Palo is directly connected using an AGGREGATE interface(trunk) hosting vlans 1101, 1201, as well as 8-10 other layer 3 interfaces.

Oddly enough... I can SSH from 10.99.84.100 (not a Palo network; this gateway resides on the core) to 10.99.110.2. I cannot SSH from 10.99.102.36 (that gateway does reside on the Palo) to 10.99.110.2. I do suspect it's an asymmetric routing issue and likely can be resolved by a static route on the core switch pointing to the Palo... I don't want to break the environment because I am in another US state, no console access, no IT support on site. I'm thinking if I create a route: 10.99.110.0 255.255.255.0 10.99.110.1, that would force my vlan1101 traffic to hit the Palo interface rather than routing it to the vlan 1201 interface. That supersedes the last resort and would not force any other core SVIs to traverse the vlan1101 interconnect.


Thanks for the responses!

Ian
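To make the asymmetric-routing explanation from the two replies above concrete, here is an added example (not from the thread or from Cisco IOS) that walks the core switch's routing table, built from the addresses quoted in the posts, with a longest-prefix-match lookup and reports which SVI the SSH reply to each client leaves on. It assumes the request from the Palo-gatewayed client enters on Vlan1101 and that the SVI for 10.99.84.0/24 is named VlanX (both labelled assumptions); it also checks what the static route proposed in the last post changes for the 10.99.102.36 reply.

```python
"""Reply-path check for the SSH sessions in the thread (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str            # SVI the packet leaves on
    next_hop: Optional[str]   # None for a connected route

# Constructed core-switch RIB: connected SVIs plus the gateway of last resort.
# Ties on prefix length resolve to the earlier entry, modelling the lower
# administrative distance of a connected route over a static one.
CORE_RIB = [
    Route(ipaddress.ip_network("10.99.110.0/24"), "Vlan1101", None),
    Route(ipaddress.ip_network("10.99.120.0/24"), "Vlan1201", None),
    Route(ipaddress.ip_network("10.99.84.0/24"), "VlanX", None),   # assumed SVI name
    Route(ipaddress.ip_network("0.0.0.0/0"), "Vlan1201", "10.99.120.1"),
]

def lookup(rib, dst):
    """Most specific route covering dst (longest prefix wins, as in IOS)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

def reply_path(rib, client_ip, ingress_svi):
    """Egress SVI of the reply and whether it differs from the request's ingress SVI."""
    route = lookup(rib, client_ip)
    egress = route.interface if route else None
    return egress, egress != ingress_svi

# Assumption: the Palo delivers the 10.99.102.36 request on its 10.99.110.1 leg (Vlan1101);
# the 10.99.84.100 client sits behind a core-hosted SVI and enters on that SVI.
SESSIONS = {
    "10.99.102.36": "Vlan1101",   # times out in the thread
    "10.99.84.100": "VlanX",      # works in the thread
}

def asymmetric_sessions(rib=CORE_RIB, sessions=SESSIONS):
    return {ip: reply_path(rib, ip, svi) for ip, svi in sessions.items()}

def with_proposed_route(rib=CORE_RIB):
    """RIB plus the 'ip route 10.99.110.0 255.255.255.0 10.99.110.1' idea from the last post."""
    return rib + [Route(ipaddress.ip_network("10.99.110.0/24"), "Vlan1101", "10.99.110.1")]

if __name__ == "__main__":
    for ip, (egress, asym) in asymmetric_sessions().items():
        print(f"{ip}: reply leaves via {egress}, asymmetric={asym}")
```

The reply to 10.99.102.36 follows the default route out Vlan1201 while the request arrived on Vlan1101, which is exactly the flow a stateful firewall drops as asymmetric; the proposed 10.99.110.0/24 route only covers the switch's own subnet, so that lookup is unchanged.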
