February 8th, 2009 13:00
3348, SSH, Telnet, https, can't connect.
I have read everything there is to read, and updated the firmware and software and nothing I do allows me to connect to the management utils of the switch other than the web GUI.
Please help, I do not like connecting in plain text mode.
Here is a copy of my running and startup config:
vlan database
vlan 2
exit
interface range ethernet e(2,4-5,9,12,15,18,21,24,27)
switchport access vlan 2
exit
interface vlan 2
name "Local Area"
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 69.xxx.xxx.xxx 255.255.255.224
exit
interface vlan 2
ip address 192.xxx.xxx.xxx 255.255.255.0
exit
ip default-gateway 69.xxx.xxx.xxx
no qos
ip access-list FIREWALL
permit any 216.xxx.xxx.xxx 0.0.0.0 any
permit any 76.xxx.xxx.xxx 0.0.0.0 any
permit any 76.xxx.xxx.xxx 0.0.0.0 69.xxx.xxx.xxx 0.0.0.0
deny-tcp any any any 22
deny-tcp any any any 23
deny any any 76.xxx.xxx.xxx 0.0.0.0
deny any any 64.xxx.xxx.xxx 0.0.0.0
deny any any 64.xxx.xxx.xxx 0.0.0.0
deny any any 64.xxx.xxx.xxx 0.0.0.0
deny any any 64.xxx.xxx.xxx 0.0.0.0
deny any any 76.xxx.xxx.xxx 0.0.0.0
deny any any 76.xxx.xxx.xxx 0.0.0.0
deny any any 69.xxx.xxx.xxx 0.0.0.0
deny any 66.xxx.xxx.xxx 0.0.0.0 any
permit any any any
exit
interface ethernet g3
service-acl input FIREWALL
exit
hostname sw1.xxxxxxxxxxxx.xom
management access-list Temp
permit
exit
management access-list MyACL
permit ip-source 216.xxx.xxx.xxx service ssh
permit ip-source 76.xxx.xxx.xxx service ssh
permit ip-source 216.xxx.xxx.xxx
permit ip-source 76.xxx.xxx.xxx
permit ip-source 76.xxx.xxx.xxx service snmp
permit ip-source 192.xxx.xxx.xxx service snmp
exit
management access-class MyACL
logging console warnings
logging buffered warnings
logging file warnings
aaa authentication login default local
line telnet
password e30a0e65bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
exit
line ssh
password e30a0xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
exit
line console
password e30a0xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
exit
enable password level 15 e30xxxxxxxxxxxxxxxxxxxxxxxx encrypted
username gpeel password 63a9dxxxxxxxxxxxxxxxxxxxxxx level 15 encrypted
username root password e30a0e6xxxxxxxxxxxxxxxxxxxxxx level 15 encrypted
passwords min-length 8
snmp-server engineID local 8000xxxxxxxxxxxxxxxxxxxxxxx
snmp-server location "Ontario"
snmp-server contact "Me"
snmp-server community Dell_Network_Manager rw view DefaultSuper
snmp-server community xxxxxxxxx ro view Default
snmp-server group xxxxxxxxx v1 read Default
clock timezone -5
clock summer-time recurring usa
snmp-server set rlEventsDeleteEvents rlEventsDeleteEvents 3
0 events found


bh1633
February 9th, 2009 14:00
You need to enable the ssh and https servers on the switch.
ip ssh server
ip https server
You may need to generate a key for ssh:
crypto key generate rsa
or
crypto key generate dsa
You may also need to generate crypto certificate for https:
crypto certificate 1 generate key-generate 1024
Telnet is enabled by default, so double check your ACLs.
tnn
February 10th, 2009 10:00
Excellent, I now have ssh and https up and running.
I have ACLs bound to my incoming port; the first two lines allow access from my home (static IP) and from our office (static IP). The next few lines deny access to the telnet port. Now, the question is, do IP based ACLs restrict the ports for the admin ports of the switch itself (as well as the rest of the network)? i.e. if you wrote poor ACLs you could feasibly lock yourself completely out of the switch and network, right?
If so, I am all good.
BTW, my password for everything is better than 12 chars long, containing special chars, CAPS, etc etc.....
Thanks for the help!
-Grant
bh1633
February 10th, 2009 11:00
Yes. You can write an ACL that blocks you from accessing the switch management.
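As an added illustration of the point in the two replies above (enable the servers, then "double check your ACLs", because a management access-list can lock you out): the Python below is not part of this thread and is not Dell code. It evaluates management access-list entries written in the same form as the MyACL list in the original post (permit/deny, optional ip-source, optional service) against the source addresses and services an administrator relies on, and reports which of them would be denied before the list is applied. It assumes first-match evaluation with an implicit deny when nothing matches, that an entry without "service" covers every service and an entry without "ip-source" covers every source, and it accepts a CIDR suffix on ip-source that the thread never shows; all of that should be checked against the switch's CLI reference. The addresses in the sample are RFC 5737 documentation addresses, constructed for the example.

```python
# Added example, not from the thread: first-match evaluator for management
# access-list entries shaped like the MyACL list in the post, used to check
# whether the admin's own sources stay permitted before the list is applied.
# ASSUMPTIONS (verify against the switch CLI reference): entries are tested
# top to bottom, the first match decides, no match means deny (implicit deny),
# a missing "service" covers every service, a missing "ip-source" covers every
# source, and ip-source may carry a CIDR suffix (the thread shows none).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # address or CIDR; None means any source
    service: Optional[str] = None  # e.g. "ssh", "snmp"; None means any service


def parse_rule(line: str) -> Rule:
    """Parse one 'permit'/'deny' entry. A bare 'permit' matches everything."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in entry: {line!r}")
    source = service = None
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"keyword {key!r} has no value in entry: {line!r}")
        if key == "ip-source":
            source = tokens[i + 1]
        elif key == "service":
            service = tokens[i + 1]
        else:
            raise ValueError(f"unsupported keyword {key!r} in entry: {line!r}")
        i += 2
    return Rule(action, source, service)


def parse_acl(acl_text: str) -> List[Rule]:
    """Parse a 'management access-list' block copied from a running config,
    skipping the header line and the closing 'exit'."""
    rules = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("management access-list") or line == "exit":
            continue
        rules.append(parse_rule(line))
    return rules


def rule_matches(rule: Rule, src: str, service: str) -> bool:
    if rule.source is not None and ip_address(src) not in ip_network(rule.source, strict=False):
        return False
    if rule.service is not None and rule.service != service:
        return False
    return True


def is_permitted(rules: List[Rule], src: str, service: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, src, service):
            return rule.action == "permit"
    return False


def lockout_report(acl_text: str, sessions: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Map each (source, service) pair the admin relies on to permitted (True) or denied."""
    rules = parse_acl(acl_text)
    return {(src, svc): is_permitted(rules, src, svc) for src, svc in sessions}


def locked_out(acl_text: str, sessions: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The sessions the list would deny, i.e. the ways you would lock yourself out."""
    return [s for s, ok in lockout_report(acl_text, sessions).items() if not ok]


# Constructed sample list (RFC 5737 addresses) in the shape of the thread's MyACL:
# home and office hosts get ssh and then any service; a LAN host gets snmp only.
SAMPLE_ACL = """
management access-list MyACL
permit ip-source 203.0.113.10 service ssh
permit ip-source 198.51.100.20 service ssh
permit ip-source 203.0.113.10
permit ip-source 198.51.100.20
permit ip-source 192.0.2.50 service snmp
exit
"""

# Constructed list of the access paths that must keep working after the change.
ADMIN_SESSIONS = [
    ("203.0.113.10", "ssh"),     # home, ssh
    ("198.51.100.20", "https"),  # office, web GUI (covered by the any-service entry)
    ("192.0.2.50", "snmp"),      # LAN monitoring host
    ("192.0.2.50", "ssh"),       # same LAN host over ssh: no entry, denied
    ("10.0.0.5", "telnet"),      # unlisted host: implicit deny
]

if __name__ == "__main__":
    for (src, svc), ok in lockout_report(SAMPLE_ACL, ADMIN_SESSIONS).items():
        print(f"{src:>15} {svc:<7} {'permit' if ok else 'DENY'}")
    print("locked out:", locked_out(SAMPLE_ACL, ADMIN_SESSIONS))
```

The useful habit is to keep the session list for the real switch in the same file and rerun the check whenever the access-list changes; if the source you are connected from shows up in locked_out, apply the list from the console (or keep a console session open) rather than over the session the list is about to cut off.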