SSH access to Nexus 900

pablo.arcelcr
Level 1

How can I access a Nexus 9000 from a different IP segment than the one the device is currently in?

Do I need to create an ACL on the Nexus device to allow that?

1 Accepted Solution

Accepted Solutions

show running-config vrf management
!Time: Tue Oct 31 17:05:32 2017

version 7.0(3)I6(1)

interface mgmt0
  vrf member management
vrf context management
  ip route 0.0.0.0/0 10.154.5.1

IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.154.5.1, [1/0], 3w6d, static

15 Replies

Hello,

The access list would be to actually restrict SSH access. By default, anyone with IP connectivity can use SSH. What are you running into?

Check the guide below for reference:

Configuring SSH and Telnet

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01000.html

 

I did this:

ip access-list ALLOW-SSH
  20 permit ip 10.154.5.0/24 any
  30 permit ip 10.54.19.0/24 any

line vty
  session-limit 5
  exec-timeout 15
  access-class ALLOW-SSH in

But I am still not able to connect from the 10.54.19.0/24 segment.
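As an added check (example code written for this thread, not Cisco's and not the poster's), the script below parses the ALLOW-SSH access list posted above in NX-OS syntax and evaluates a source address against it the way the vty access-class does, including the implicit deny at the end; it also accepts the `host` and `deny` forms the thread does not use. Evaluated against a constructed source such as 10.54.19.25 and the mgmt0 address 10.154.5.90, it shows the 10.54.19.0/24 sources are permitted by this ACL, so the ACL itself is not what blocks the session and the reachability question raised later in the thread is the right one.

```python
import ipaddress

# Constructed copy of the ACL posted in this thread, in NX-OS syntax.
ACL_TEXT = """\
ip access-list ALLOW-SSH
  20 permit ip 10.154.5.0/24 any
  30 permit ip 10.54.19.0/24 any
"""

def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or prefix/len."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1

def parse_nxos_acl(text):
    """Return (acl_name, entries); each entry is (seq, action, proto, src, dst)."""
    name, entries = None, []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["ip", "access-list"]:
            name = tokens[2]
        elif tokens and tokens[0].isdigit():
            seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
            src, i = _take_addr(tokens, 3)
            dst, _ = _take_addr(tokens, i)
            entries.append((seq, action, proto, src, dst))
    return name, sorted(entries)  # NX-OS evaluates entries in sequence order

def vty_permits(entries, src_ip, dst_ip):
    """First-match evaluation of an SSH (TCP) session; returns (permitted, seq).
    Every NX-OS ACL ends with an implicit deny, so no match means rejected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, proto, src_net, dst_net in entries:
        if proto in ("ip", "tcp") and src in src_net and dst in dst_net:
            return action == "permit", seq
    return False, None

if __name__ == "__main__":
    name, entries = parse_nxos_acl(ACL_TEXT)
    # Constructed sample sources: one per permitted /24 plus an outside address.
    for probe in ("10.154.5.12", "10.54.19.25", "192.0.2.7"):
        print(name, probe, vty_permits(entries, probe, "10.154.5.90"))
```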

Hello,

Do you have 'transport input ssh' configured under the vty lines?

The Nexus 9000 doesn't have that option.

Do you have SSH access when you remove the access-class from the vty lines?

If I remove the access class, I lose access from the IP segment the Nexus is currently located in. I need to access that device from segment 10.54.19.0/24, but currently I only have access from 10.154.5.0/24, which is the same segment as the Nexus' IP address.

Odd...

Can you post the full configuration?

Hi Pablo,

Before we try to provide SSH access to the N9k, could you first verify whether there is reachability between the two subnets? Could you please ping the source IP, which is in a different subnet, from the N9k (vrf management)?

Thanks
--Vinit

Yes, I can reach other devices that are located in the same segment as the Nexus device, but I cannot reach the Nexus itself.

Hi Pablo,

Thanks for the reply. So, what I understand from your reply below is that you are unable to reach the N9k from the device from which you are performing the SSH. Is that statement correct?

If that is the case, could you please capture the output below:

- show int mgmt0
- show run int mgmt0
- show processes cpu sort | egrep -i ssh

Also, as a workaround, could you please try disabling and enabling SSH again and see if that helps. Only try this option once you have collected the logs below.

Also, try enabling telnet and see whether that is working fine or not.

Thanks
--Vinit

I can reach the Nexus from the same segment.

From a different segment, I can reach a device that is not the Nexus in the same segment the Nexus is currently in.

I cannot reach the Nexus from a different segment.


show int mgmt0
mgmt0 is up
admin state is up,
  Hardware: GigabitEthernet, address: 1880.90f1.6aca (bia 1880.90f1.6aca)
  Internet Address is 10.154.5.90/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  full-duplex, 1000 Mb/s
  Auto-Negotiation is turned off
  Auto-mdix is turned off
  EtherType is 0x0000
  1 minute input rate 720 bits/sec, 0 packets/sec
  1 minute output rate 720 bits/sec, 0 packets/sec
  Rx
    2451819 input packets 2411613 unicast packets 40192 multicast packets
    14 broadcast packets 208439624 bytes
  Tx
    2451813 output packets 2411611 unicast packets 40195 multicast packets
    7 broadcast packets 207671403 bytes

 

-----------------------------------------------------------------------------

 

show run int mgmt0

!Command: show running-config interface mgmt0
!Time: Tue Oct 31 16:16:22 2017

version 7.0(3)I6(1)

interface mgmt0
  speed 100
  duplex full
  vrf member management
  ip address 10.154.5.90/24

 

----------------------------------------------------------

 


CRRHR-CORE-PRI# show processes cpu sort | egrep -i ssh
11334            0         1    414   0.00%  sshd
23697        32704   2442075     13   0.00%  psshelper
23708        32427   2439920     13   0.00%  psshelper_gsvc
25923        32931   2440054     13   0.00%  psshelper
25924        32667   2441401     13   0.00%  psshelper
30187          373       448    834   0.00%  dcos_sshd

 

Hello,

What we are trying to find out is whether you have IP connectivity at all between the segments, which doesn't seem to be the case.

Post the configuration of the Nexus...


!Command: show running-config
!Time: Tue Oct 31 17:08:13 2017

version 7.0(3)I6(1)
switchname CRRHR-CORE-PRI
vdc CRRHR-CORE-PRI id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource u4route-mem minimum 248 maximum 248
  limit-resource u6route-mem minimum 96 maximum 96
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

feature telnet
cfs eth distribute
feature scheduler
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature vtp
clock protocol none vdc 1

 

banner motd C
********************************************************************************
* This computer system                                                         *
* (including all hardware, software, and peripheral equipment)                 *
* is the property of Teleperformance.                                          *
* Use of this computer system is restricted to official Teleperformance        *
* business. Teleperformance reserves the right to monitor                      *
* use of the computer system at any time.                                      *
* Use of this system constitutes consent to such monitoring.                   *
* Any unauthorized access, use, or modification of the computer system         *
* can result in civil liability and/or criminal penalties.                     *
********************************************************************************
C

ip domain-lookup
system default switchport
ip access-list ALLOW-SSH
  20 permit ip 10.154.5.0/24 any
  30 permit ip 10.54.19.0/24 any
copp profile strict
vtp domain CRNB-LAN@agscr
snmp-server user admin network-admin auth md5 0x292c4731e8dddfd30951aa3d4f5b56bf priv 0x292c4731e8dddfd30951aa3d4f5b56bf localizedkey
snmp-server user parce network-admin auth md5 0x317a4e37b7a2e8b7b485b7be1393f334 priv 0x317a4e37b7a2e8b7b485b7be1393f334 localizedkey
snmp-server user jgonzalez network-admin auth md5 0x24e0824fad95321247afeac87a0c31d1 priv 0x24e0824fad95321247afeac87a0c31d1 localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO


vlan 310
  name VMotion
vlan 311
  name SCSI-A
vlan 312
  name SCSI-B
vlan 350
  name Keepalive

vrf context management
  ip route 0.0.0.0/0 10.154.5.1
hardware profile portmode 48x25G+2x100G+4x40G

vpc domain 10
  role priority 1
  peer-keepalive destination 10.154.5.91 source 10.154.5.90


interface Vlan1

interface Vlan21
  description Transit-CRSJ-RHR-FW
  ip address 10.154.0.75/29
  hsrp 21
    priority 120
    timers  1  3
    ip 10.154.0.74

interface Vlan310
  description VMotion
  no shutdown
  ip address 10.154.254.2/28
  hsrp 210
    priority 120
    timers  1  3
    ip 10.154.254.1

interface Vlan311
  description SCSI-A
  no shutdown
  ip address 10.154.254.18/28
  hsrp 211
    priority 120
    timers  1  3
    ip 10.154.254.17

interface Vlan312
  description SCSI-B
  no shutdown
  ip address 10.154.254.34/28
  hsrp 212
    priority 120
    timers  1  3
    ip 10.154.254.33

interface port-channel15
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface port-channel16
  description Portchannel-Nessus-Catalyst2960
  switchport mode trunk

interface port-channel17
  description Portchannel-UCS-FIA-Nessus
  switchport mode trunk

interface Ethernet1/1
  description Trunk_TPCRRHR-PB-Acc-S1_G1/0/52
  switchport mode trunk

interface Ethernet1/2

interface Ethernet1/3

interface Ethernet1/4

interface Ethernet1/5

interface Ethernet1/6

interface Ethernet1/7

interface Ethernet1/8

interface Ethernet1/9

interface Ethernet1/10

interface Ethernet1/11

interface Ethernet1/12

interface Ethernet1/13

interface Ethernet1/14

interface Ethernet1/15

interface Ethernet1/16

interface Ethernet1/17

interface Ethernet1/18

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27

interface Ethernet1/28

interface Ethernet1/29

interface Ethernet1/30

interface Ethernet1/31
  switchport mode trunk
  channel-group 16 mode active

interface Ethernet1/32
  switchport mode trunk
  channel-group 16 mode active

interface Ethernet1/33

interface Ethernet1/34

interface Ethernet1/35

interface Ethernet1/36

interface Ethernet1/37

interface Ethernet1/38

interface Ethernet1/39
  switchport mode trunk
  channel-group 17 mode active

interface Ethernet1/40
  switchport mode trunk
  channel-group 17 mode active

interface Ethernet1/41
  switchport mode trunk
  channel-group 17 mode active

interface Ethernet1/42
  switchport mode trunk
  channel-group 17 mode active

interface Ethernet1/43
  description SPA-Port5-Vlan311
  switchport access vlan 311

interface Ethernet1/44
  description SPA-Port5-Vlan312
  switchport access vlan 312

interface Ethernet1/45

interface Ethernet1/46
  description Nessus-Management
  no switchport
  ip address 10.154.5.92/24
  no shutdown

interface Ethernet1/47
  switchport mode trunk
  channel-group 15 mode active

interface Ethernet1/48
  switchport mode trunk
  channel-group 15 mode active

interface Ethernet1/49

interface Ethernet1/50

interface Ethernet1/51

interface Ethernet1/52

interface Ethernet1/53

interface Ethernet1/54

interface mgmt0
  speed 100
  duplex full
  vrf member management
  ip address 10.154.5.90/24
line console
  exec-timeout 10
line vty
  session-limit 5
  exec-timeout 15
  access-class ALLOW-SSH in
boot nxos bootflash:/nxos.7.0.3.I6.1.bin
no system default switchport shutdown

 

Can you share the config below:

- show run vrf management

- show ip route <dst> vrf management

Thanks
--Vinit