help with disabling login acceses PowerConnect 5324

Question

Hi, I am new to switch configs. We need to update firmware and also lock down access to the switches to only HTTPS and SSH. Here is what I am doing. (config)#crypto certificate 1 generate key-generate (config)#crypto key generate dsa (config)#crypto key generate rsa (config)#exit (config)#ip ssh server (config)#ip https server (config)#NO ip http server management access-list NoTelnet deny vlan 1 service telnet console(config)# management access-class NoTelnet As soon as I do the Mgmt ACL then my connection locks up and I can't log into the switch by any means anymore. I have to powercycle the thing. WHAT am I doing wrong?? Before I tried to disable telnet everything was working as it should NO http, and could get in with https and Putty. When I did these changes I was logged in using PuTTY. Now I cant' log back in. I can ping it just fine and the switch is functioning just that I can't login in with any means. Help help. Also after I did the mgmt acl to deny telnet Putty locked up and gave me this error. network Error: Software caused a connection abort. Message Edited by ccarbo1970 on 04-24-2007 11:15 AM

bh1633 · Answer

post the output of:   console# show running-config

ccarbo1970 · Answer

right, that is why I used PuTTY in the first place because if I did disable telent while telnetted in it will boot me. What config do you want? what command do I do to get this. I am a newbie to switch configs. I did delete the access-list of DenyTelnet from the console and now I can access it again. thanks

bh1633 · Answer

Post you whole configuration (with end of line chracters please)    If you were connected via telnet, and then put in a management ACL to block telnet, then you will be disconnected from your telnet client.   Change Putty to SSH mode, and you should be able to log back in.

ccarbo1970 · Answer

Here is the running config. I deleted the access list of NoTelnet and now I can log in with putty and https.
CORP 47-7# show running-config
interface vlan 1
ip address 172.28.1.247 255.255.255.0
exit
ip default-gateway 172.28.1.254
hostname "CORP 47-7"
line telnet
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
line ssh
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
line console
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
enable password level 15 77bc8d84fdb7f73bac83057793c146f5 encrypted
username admin password 77bc8d84fdb7f73bac83057793c146f5 level 15 encrypted
ip ssh server
snmp-server location "Corporate 2nd Floor"
snmp-server contact "Network Support"
no ip http server
ip https server
clock summer-time recurring 2 Sun Mar 02:00 first Sun Nov 02:00
More: , Quit: q, One line:
[Kclock source sntp
sntp client poll timer 600
sntp unicast client enable
sntp broadcast client enable
sntp server 172.21.0.123 poll
interface vlan 1
sntp client enable
exit
****************************************************************************** This is the switch that I Disable Telnet and now can no longer login into it via https or ssh. Only via serial port, unless I delete the telnetDeny.

CORP 47-9# show running-config
interface vlan 1
ip address 172.28.1.251 255.255.255.0
exit
ip default-gateway 172.28.1.254
hostname "CO
management access-list telnetDeny
deny service telnet
exit
management access-class telnetDeny
line telnet
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
line ssh
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
line console
password 77bc8d84fdb7f73bac83057793c146f5 encrypted
exit
username admin password 77bc8d84fdb7f73bac83057793c146f5 level 15 encrypted
ip ssh server
snmp-server location "Corporate 2nd Floor"
snmp-server contact "Network Support"
no ip http server
ip https server
clock timezone -6
clock summer-time recurring 2 Sun Mar 02:00 first Sun Nov 02:00
sntp client enable vlan 1
clock source sntp
sntp client poll timer 600
sntp unicast client enable
sntp broadcast client enable
sntp server 172.21.0.123 poll
CORP 47-9#

Message Edited by ccarbo1970 on 04-24-2007 01:54 PM

ccarbo1970 · Answer

Here is another thing I noticed when the deny telnet service is active. When trying to access the switch via HTTPS and SSH here are errors I got on the switch. I had a laptop connected to it via serial and seen these after I came back to the closet. why am I getting these errors?? thanks in advance.

CORP 47-9> 24-Apr-2007 14:17:40 %MNGINF-W-ACL: Management ACL drop packet receiv
ed on interface Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service
Https
24-Apr-2007 14:17:43 %MNGINF-W-ACL: Management ACL drop packet received on inter
face Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service Https
24-Apr-2007 14:17:49 %MNGINF-W-ACL: Management ACL drop packet received on inter
face Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service Https
24-Apr-2007 14:18:12 %MNGINF-W-ACL: Management ACL drop packet received on inter
face Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service Ssh
24-Apr-2007 14:18:15 %MNGINF-W-ACL: Management ACL drop packet received on inter
face Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service Ssh
24-Apr-2007 14:18:21 %MNGINF-W-ACL: Management ACL drop packet received on inter
face Vlan Vlan 1 from 172.28.4.209 to 172.28.1.251 protocol 6 service Ssh

bh1633 · Answer

change telnetDeny to this:   management access-list telnetDeny deny service telnet permit service ssh permit service https exit

ccarbo1970 · Answer

Hey!! thanks alot Sir, that worked. Telnet don't work but the others do work. Thanks again! clint

Networking General

Was this post helpful?