ACE Module Management IP

Answered Question
Jan 15th, 2009

How can I configure ssh management access to the ACE module configured in bridged mode.

cisco_lite Sat, 01/17/2009 - 03:22

I followed the link given and I am getting the error below:

6500#ssh -l admin 10.0.0.1
[Connection to 10.0.0.1 aborted: error status 28]

Do you know what the above error means? I can telnet to the ACE module from the Cat6500 but not ssh.

Please assist.

Thanks

cisco_lite Sat, 01/17/2009 - 05:07

In the following excerpt, how do I define the domain name? Currently, when I do 'show domain' it shows it as default-domain. Is this sufficient or do I need to create another domain for ssh access?

"Before you generate the key, set the hostname and the domain name."

Correct Answer
Gilles Dufour Mon, 01/19/2009 - 04:10

Do not mix the "domain" name and the user "domain".

The domain name is something like cisco.com or yourcompany.net ...

But the user domain defines which objects a user is allowed to modify/configure/access inside ACE.

I don't think you need to specify a domain-name to generate the key.

Here is what I did:

switch/Admin(config)# ssh key rsa 768
generating rsa key(768 bits).....
......
generated rsa key
switch/Admin(config)#

gdufour-cat6k1#ssh -l admin 10.86.213.40
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
User 'www' is disabled.Please change the password to enable the user.
switch/Admin#

Just make sure you allow SSH traffic with your management policy.

Gilles.

cisco_lite Mon, 01/19/2009 - 09:35

I generated the key with 1024 bits earlier and faced the error. Following your example, i.e. 768 bits, ssh worked. Strange...

1024 is stated in the example on the given link as well.

cisco_lite Mon, 01/19/2009 - 11:09

Telnet and ssh to the ACE from the CAT6500 are working. But if I do the same via putty from another segment, it fails (ping works, though).

Topology:

MSFC -> SVI for Vlan11 and Vlan13 defined

ACE -> (Vlan11 bridged to Vlan12 on ACE)

(Vlan13 is the management IP interface)

-> FWSM (Vlan15)

From Vlan15 I can ping Vlan13 management IP but I cannot telnet or ssh to it. Policy-map has been defined and applied via service-policy to Vlan13 in ACE for management access via ssh, telnet.

Is there anything else required for telnet, ssh?

cisco_lite Mon, 01/19/2009 - 13:00

Ok. It got fixed. I removed Vlan12 (bridged mode) and added ip route for Vlan15 network via Vlan13. Strange...

Does anyone know how the default and specific routes are defined in ACE in case of multiple client/server VLANs? How does ACE identify which route to pick based on which VLAN? Can I drive traffic out of all VLANs from one of the VLAN SVIs defined on the MSFC?

Gilles Dufour Mon, 01/19/2009 - 23:56

You could use mac-sticky enable to make the traffic return via the same way it came in.

Gilles.
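A worked ACE context configuration that ties together the pieces discussed in this thread: the ssh key, a management policy applied to the Vlan13 interface, the Vlan11/Vlan12 bridge group, the route back to the Vlan15 segment, and mac-sticky. This is an added example written for this page, not configuration posted by any participant; the hostname, the 10.15.0.0/24 admin segment, the BVI address and the 10.0.0.254 next hop are assumptions, while 10.0.0.1 is the management IP used in the thread.

```cisco
! Constructed example: one ACE context with Vlan11/Vlan12 bridged and
! Vlan13 as the routed management interface. Addresses marked "assumed"
! are placeholders; 10.0.0.1 is the management IP used in this thread.
hostname ACE-1
! The thread saw 768 succeed where 1024 failed; 768-bit RSA is weak,
! so use the largest length the platform accepts once key generation works.
ssh key rsa 1024
!
! Management policy: admit SSH (and ICMP, for reachability tests) only from
! the admin segment (assumed 10.15.0.0/24, the Vlan15 network). Matching
! "any" would expose the management plane to every reachable VLAN.
class-map type management match-any MGMT-ACCESS
  match protocol ssh source-address 10.15.0.0 255.255.255.0
  match protocol icmp source-address 10.15.0.0 255.255.255.0
policy-map type management first-match MGMT-POLICY
  class MGMT-ACCESS
    permit
!
! Bridged data path: client VLAN 11 and server VLAN 12 in one bridge group.
interface vlan 11
  bridge-group 1
  no shutdown
interface vlan 12
  bridge-group 1
  no shutdown
! BVI address is assumed.
interface bvi 1
  ip address 10.11.0.2 255.255.255.0
  no shutdown
!
! Routed management interface with the policy applied inbound.
! mac-sticky returns replies to the MAC they arrived from, which is what
! Gilles suggested for traffic arriving from several VLANs.
interface vlan 13
  ip address 10.0.0.1 255.255.255.0
  service-policy input MGMT-POLICY
  mac-sticky enable
  no shutdown
!
! Explicit return route for the admin segment via the MSFC SVI on Vlan13
! (assumed 10.0.0.254): the missing piece cisco_lite found.
ip route 10.15.0.0 255.255.255.0 10.0.0.254
```

Verify with `show running-config` in the context and then an ssh attempt from the admin segment; a host outside 10.15.0.0/24 should be refused by the management policy while ping from it is also dropped, since only the listed sources match.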
