Cisco catOS & Concurrent Telnet Sessions

stevemcevoy07
Level 1

Is there a way to set this like on IOS with the vty setting

Thanks

Steve

1 Accepted Solution


Sergei Vasilenko
Cisco Employee
Hi Steve,

CatOS allows a limited number of processes with type 2 stack in the system.
The max # of processes with type 2 stack is 13.
Telnet/SSH processes are examples of the processes which require type 2 stack.

"show user" to check current usage.
"set logout X" to set up an inactivity timeout for each session.

On newer versions (8.7?) within CSCse80371 "Cat6500:Need ability to limit the number of connections to sc0" the option was added:

set ip permit [mask] [telnet|ssh] max-connections

Range of limit is from 0 to the maximum telnet/ssh connections allowed to the switch.
A limit of 0 means no rules will be applied to limit the telnet/ssh connections.

> (enable) show ip permit
   Http permit list disabled.
   Snmp permit list disabled.
   Ssh permit list disabled.
   Telnet permit list enabled.
Permit List        Mask               Access-Type           Max-Connections
---------------    ---------------   -------------         ---------------
10.77.11.190                          telnet                3
10.77.11.190                          ssh                   2
10.77.11.190                          snmp http
10.77.15.64        255.255.255.192    telnet ssh            5

Denied IP Address Last Accessed Time Type
----------------- ------------------ ------
10.77.11.190      03/18/07,10:54:18  Telnet

Regards,

Sergey
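
An added example, not part of the original posts and not Cisco code: a Python parser for the "show ip permit" output quoted in the answer above. It lists Telnet/SSH permit entries that have no Max-Connections cap (a limit of 0 counts as no cap, as the answer states) and extracts the denied-access table. The function names and the 192.0.2.10 row are constructed for the example.

```python
import re

# Constructed input: the "show ip permit" output quoted in the answer, plus one
# constructed row (192.0.2.10) that grants telnet with no Max-Connections value.
SAMPLE = """\
Permit List        Mask               Access-Type           Max-Connections
---------------    ---------------   -------------         ---------------
10.77.11.190                          telnet                3
10.77.11.190                          ssh                   2
10.77.11.190                          snmp http
10.77.15.64        255.255.255.192    telnet ssh            5
192.0.2.10                            telnet

Denied IP Address Last Accessed Time Type
----------------- ------------------ ------
10.77.11.190      03/18/07,10:54:18  Telnet
"""

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ACCESS = {"telnet", "ssh", "snmp", "http"}


def parse_show_ip_permit(text):
    """Split the output into permit-list rows and denied-access rows."""
    permits, denied, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Permit List"):
            section = "permit"
        elif line.startswith("Denied IP Address"):
            section = "denied"
        tok = line.split()
        if not tok or not DOTTED.match(tok[0]):
            continue  # headers, rulers, status lines, blanks
        if section == "permit":
            rest = tok[1:]
            # Mask and Max-Connections are optional columns, so detect by shape.
            mask = rest.pop(0) if rest and DOTTED.match(rest[0]) else None
            limit = int(rest.pop()) if rest and rest[-1].isdigit() else None
            types = [t for t in rest if t in ACCESS]
            permits.append({"ip": tok[0], "mask": mask, "types": types, "limit": limit})
        elif section == "denied" and len(tok) >= 3:
            denied.append({"ip": tok[0], "last": tok[1], "type": tok[2]})
    return permits, denied


def unbounded_cli_entries(permits):
    """Telnet/SSH entries without a cap; a limit of 0 also means 'no limit'."""
    return [p for p in permits
            if {"telnet", "ssh"} & set(p["types"]) and not p["limit"]]
```

Run against saved switch output, unbounded_cli_entries() shows which permit entries can still consume every available Telnet/SSH session, and the denied rows show which sources were last rejected.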

Hi Sergey,

Thank you, that is perfect. I am unable to view the link, think maybe privileges. Does this require a CCO login?

Just one more thing. I would like to enable logging to view telnet connections only, really connections that are being dropped but a little unsure of the settings.

The switch in question is a heavily used POP switch and I do not want to impact the performance of it by enabling too much debugging.

TIA

Steve

Hi Steve,

As for the link, sorry, it was an internal one. You could see it on the CCO Bug Toolkit tool:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse80371

For logging:
If we are talking about ip permit usage, then as per
Configuring the IP Permit List
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/ip_perm.html
If you want to log the unauthorized access attempts to the console or a syslog server,
you might need to change the logging severity level for IP (like "set logging level ip 4 default" in the config section).
As per Table 37-1 IP Permit List Default Configuration, the IP syslog message severity level default value is 2.

Also, if you are talking about user authorization failures, then sev5 messages are generated for that:
%MGMT-5-LOGIN_FAIL:User failed to log in from via Telnet - max attempt reached

As far as it is sev5 (notifications), the MGMT logging level might need to be changed from the default 4, like:
set logging level mgmt 5 default

Thanks,
Sergey

Hi Sergey,

Thanks for the links and update. I do not have CCO access so have asked a colleague to get me the details.

The issue that I have is we use a software application to configure the switch; the switch is overloaded from what I understand and can be a little slow to respond at times with the telnet prompts.

It appears to me the switch is dropping the telnet connections after the user has logged on, leaving user sessions open, and thus I would like to know if I can tell this from the switch logs.

Thanks I appreciate your help

Steve
