Cisco C2950 & Cluster & ACL & SSH

    I had configured four C2950s as a cluster in the past.
    This is part of the configs:

    commander:
    cluster enable [cluster-name] 0
    cluster member 1 mac-address 0015.xxxx.9fc0
    cluster member 2 mac-address 0016.xxxx.55c0
    cluster member 3 mac-address 0015.xxxx.0e00


    members:
    1: cluster commander-address 0015.xxxx.7540 member 1 name [cluster-name] vlan 1
    2: cluster commander-address 0015.xxxx.7540 member 2 name [cluster-name] vlan 1
    3: cluster commander-address 0015.xxxx.7540 member 3 name [cluster-name] vlan 1

    Everything had worked fine.

    Now I tried to learn a bit more and:
    * upgrade IOS to latest version (with crypto/SSH)
    * set up ACL so that access to the switch, SNMP and HTTP is available from certain devices only
    * set up SSH

    I did IOS upgrade without any problems.

    I set up this ACL (network 192.168.0.0/16):
    access-list 99 permit 192.168.4.45 (5)
    access-list 99 permit 192.168.0.11 (1)
    access-list 99 permit 192.168.1.6 (2)
    access-list 99 permit 192.168.3.1 (3)
    access-list 99 permit 192.168.4.5 (4)
    access-list 99 deny any log (6)

    First question, a cosmetic one:
    I added the lines in the order given in parentheses;
    why is 192.168.4.45 on top?

    Then I applied these rules:
    ip http access-class 99
    snmp-server community public RO 99
    snmp-server community [email protected] RO 99
    line vty 0 4
    access-class 99 in


    Second question:
    After applying the rule to line vty I am no longer able to use
    rcommand 1
    from the commander switch; this is what I can see in the log of member switch 1:

    000342: May 19 15:16:37 CEST: %SEC-CLUSTER_MEMBER_1-6-IPACCESSLOGS: list 99 denied 10.89.117.64 1 packet

    Why 10.89.117.64? Where does this IP address come from?
    I suppose it to be an IP of the cluster commander,
    but I don't have the knowledge.
    Is it dynamic or permanent? Where does it come from?
    Should I add it to access-list 99?

    Third question:
    I set up SSH:
    aaa new-model
    ip ssh time-out 60
    ip ssh authentication-retries 3
    ip ssh version 2
    crypto key zeroize rsa
    crypto key generate rsa modulus 2048
    username admin secret [password]
    line vty 0 4
    transport input telnet ssh

    Now the switch asks for username/password,
    not only for the password defined in line vty 0 4.
    Can it be specified that for telnet the "standard" authentication is used
    and for SSH the "new one" is used?
    There is no plan to use telnet any more, I am just curious.

    Do you have any recommendations on my changes?
    I am really not a professional Cisco guy...

    Fourth question:
    This is an access-list created (probably) by the cluster creation.
    What is it for?
    ip access-list extended CMP-NAT-ACL
    dynamic Cluster-HSRP deny ip any any
    dynamic Cluster-NAT permit ip any any


    Before cluster creation I had
    snmp-server community public RO
    on all switches; cluster creation added these lines:
    snmp-server community [email protected] RO (commander)
    snmp-server community [email protected] RO (member 1)
    snmp-server community [email protected] RO (member 2)
    snmp-server community [email protected] RO (member 3)

    What is this (@esX) for? Can I add ACL 99 there?

    Question five:
    What username is used for HTTP access in the "standard" configuration
    (when for telnet only a password is needed)?
    What username/password is used for HTTP access with "aaa new-model"?
    Any of the username [login] secret [password] pairs?

    Thank you very much for sharing your knowledge!
    I welcome any comments or recommendations!


    Here is the configuration of the commander
    (a bit modified because it is forbidden to share company-identifying values):

    version 12.1
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname [switch hostname]
    !
    enable secret 5 [secret]
    !
    clock timezone CET 1
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    !
    ip domain-name [domain name]
    ip name-server 192.168.1.1
    ip name-server 192.168.1.2
    ip ssh time-out 60
    ip ssh authentication-retries 3
    ip ssh version 2
    cluster enable [cluster name] 0
    cluster member 1 mac-address 0015.xxxx.9fc0
    cluster member 2 mac-address 0016.xxxx.55c0
    cluster member 3 mac-address 0015.xxxx.0e00
    !
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 24576
    !
    !
    !
    !
    interface FastEthernet0/1
    ...
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.0.11 255.255.0.0
    no ip route-cache
    !
    ip default-gateway 192.168.1.1
    ip http server
    ip http access-class 99
    !
    ip access-list extended CMP-NAT-ACL
    dynamic Cluster-HSRP deny ip any any
    dynamic Cluster-NAT permit ip any any
    access-list 99 permit 192.168.4.45
    access-list 99 permit 192.168.0.11
    access-list 99 permit 192.168.4.5
    access-list 99 permit 192.168.3.1
    access-list 99 permit 192.168.1.6
    access-list 99 deny any log
    snmp-server community public RO 99
    snmp-server community [email protected] RO 99
    !
    line con 0
    exec-timeout 0 0
    password 7 [password]
    logging synchronous
    login
    line vty 0 4
    access-class 99 in
    password 7 [password]
    login
    transport input telnet ssh
    line vty 5 15
    access-class 99 in
    password 7 [password]
    login
    transport input telnet ssh
    !
    ntp clock-period 17179898
    ntp server 192.168.1.1 prefer
    ntp server 192.168.1.1
    !
    end
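Added example, not part of the post above and not Cisco code: a small evaluator for an IOS-style standard access-list, fed with access-list 99 exactly as the post enters and displays it, plus a parser for the %SEC-...-IPACCESSLOGS line the member switch logged. It shows two things the question turns on: a standard ACL is evaluated top-down, first match wins, with an implicit deny after the last line, so for a list made only of host entries the display order the switch chooses does not change any decision; and that the logged source 10.89.117.64 is denied simply because it is outside every permit entry (and outside 192.168.0.0/16 altogether). The example does not claim where that address originates. The log line is the one quoted in the post; the test source addresses and the helper names are constructed here.

```python
"""IOS-style standard ACL evaluation and IPACCESSLOGS parsing (constructed example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]  # (action, matching network)


def parse_entry(action: str, spec: str) -> Entry:
    """Translate a standard-ACL source spec into a network.

    'any'              -> 0.0.0.0/0
    'host a.b.c.d'     -> a.b.c.d/32
    'a.b.c.d'          -> a.b.c.d/32 (IOS shorthand for a host entry)
    'a.b.c.d w.x.y.z'  -> address plus IOS wildcard mask (inverted netmask)
    """
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if spec == "any":
        return action, ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return action, ipaddress.IPv4Network(spec.split()[1] + "/32")
    if " " in spec:
        addr, wildcard = spec.split()
        # A wildcard of 0.0.0.0 must stay a host entry, so invert it ourselves
        # rather than letting ipaddress read it as a /0 netmask.
        netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        return action, ipaddress.IPv4Network((addr, str(netmask)), strict=False)
    return action, ipaddress.IPv4Network(spec + "/32")


def build_acl(lines: List[Tuple[str, str]]) -> List[Entry]:
    return [parse_entry(action, spec) for action, spec in lines]


def evaluate(acl: List[Entry], source: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    ip = ipaddress.IPv4Address(source)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"


def decisions_identical(acl_a: List[Entry], acl_b: List[Entry], sources: List[str]) -> bool:
    """True when both lists reach the same verdict for every source given."""
    return all(evaluate(acl_a, s) == evaluate(acl_b, s) for s in sources)


# access-list 99 in the order the post says it was typed (numbers in parentheses)
ACL_99_AS_ENTERED = build_acl([
    ("permit", "192.168.0.11"), ("permit", "192.168.1.6"), ("permit", "192.168.3.1"),
    ("permit", "192.168.4.5"), ("permit", "192.168.4.45"), ("deny", "any"),
])
# the same list in the order the running-config displays it
ACL_99_AS_DISPLAYED = build_acl([
    ("permit", "192.168.4.45"), ("permit", "192.168.0.11"), ("permit", "192.168.4.5"),
    ("permit", "192.168.3.1"), ("permit", "192.168.1.6"), ("deny", "any"),
])

# Constructed probe addresses: every permitted host, near misses, and the logged source.
TEST_SOURCES = ["192.168.0.11", "192.168.1.6", "192.168.3.1", "192.168.4.5",
                "192.168.4.45", "192.168.4.46", "192.168.9.9", "10.89.117.64"]

# The log line quoted in the post. The regex also accepts the plain %SEC-6-IPACCESSLOGS form.
SAMPLE_LOG = ("000342: May 19 15:16:37 CEST: %SEC-CLUSTER_MEMBER_1-6-IPACCESSLOGS: "
              "list 99 denied 10.89.117.64 1 packet")
LOG_RE = re.compile(
    r"%SEC-(?:(?P<device>[\w-]+?)-)?6-IPACCESSLOGS: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<source>\d{1,3}(?:\.\d{1,3}){3}) (?P<packets>\d+) packets?"
)


def parse_ipaccesslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of an IPACCESSLOGS message, or None if the line is something else."""
    match = LOG_RE.search(line)
    return match.groupdict() if match else None


def unexpected_source(entry: Dict[str, Optional[str]], management_net: str = "192.168.0.0/16") -> bool:
    """True when the denied source is not even inside the network the ACL was written for."""
    return ipaddress.IPv4Address(entry["source"]) not in ipaddress.IPv4Network(management_net)


def main() -> None:
    for src in TEST_SOURCES:
        print(f"{src:>15}  entered={evaluate(ACL_99_AS_ENTERED, src):6}  "
              f"displayed={evaluate(ACL_99_AS_DISPLAYED, src)}")
    print("display order changes a decision:", not decisions_identical(
        ACL_99_AS_ENTERED, ACL_99_AS_DISPLAYED, TEST_SOURCES))
    entry = parse_ipaccesslog(SAMPLE_LOG)
    print("logged source:", entry["source"], "outside 192.168.0.0/16:", unexpected_source(entry))


if __name__ == "__main__":
    main()
```

Running it lists permit for the five hosts and deny for everything else under both orderings, and reports the logged 10.89.117.64 as denied and outside the 192.168.0.0/16 management network. The wildcard branch is there so the same evaluator handles entries such as `permit 192.168.0.0 0.0.255.255`; a non-contiguous wildcard raises from `ipaddress`, which is the safe failure for a checker.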
