ACE Module Management IP

cisco_lite
Level 1

How can I configure SSH management access to the ACE module configured in bridged mode?

jecahuao
Cisco Employee

I followed the link given and I am getting the below error

6500#ssh -l admin 10.0.0.1

[Connection to 10.0.0.1 aborted: error status 28]

Do you know what the above error means? I can telnet to the ACE module from the Cat6500 but not ssh.

Please assist.

Thanks

In the following excerpt, how do I define the domain name? Currently, when I do 'show domain' it shows it as default-domain. Is this sufficient, or do I need to create another domain for ssh access?

"Before you generate the key, set the hostname and the domain name."

Do not mix "domain" name and user "domain".

The domain name is something like cisco.com or yourcompany.net ...

But the user domain is what objects a user is allowed to modify/configure/access inside ACE.

I don't think you need to specify a domain-name to generate the key.

Here is what I did:

switch/Admin(config)# ssh key rsa 768

generating rsa key(768 bits).....

......

generated rsa key

switch/Admin(config)#

gdufour-cat6k1#ssh -l admin 10.86.213.40

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

User 'www' is disabled.Please change the password to enable the user.

switch/Admin#

Just make sure you allow SSH traffic with your management policy.

Gilles.
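Added example, not part of the original thread and not Cisco's code: a small Python check that reads an ACE-style running-config and reports which management protocols a VLAN interface actually permits, flagging a missing SSH permit, Telnet, and any-source access. The config excerpt, the class and policy names and the addresses are constructed, and the parser assumes management policies that only use `permit`.

```python
import re
# Constructed ACE-style running-config excerpt (illustrative, not from the thread).
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE-MGMT
  2 match protocol ssh source-address 10.15.0.0 255.255.255.0
  3 match protocol telnet any
policy-map type management first-match REMOTE-MGMT-POLICY
  class REMOTE-MGMT
    permit
interface vlan 13
  service-policy input REMOTE-MGMT-POLICY
"""

HEADER = re.compile(r"(?:(class-map|policy-map) type management \S+ (\S+)|(interface) vlan (\d+))$")
MATCH = re.compile(r"(?:\d+ )?match protocol (\S+) (.+)$")

def permitted_protocols(config, vlan):
    """Map protocol -> sources permitted on `vlan` (assumes permit-only policies)."""
    classes, policies, applied = {}, {}, {}
    kind = name = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # an unindented line starts a new block
            m = HEADER.match(line)
            kind, name = (m[1] or m[3], m[2] or m[4]) if m else (None, None)
        elif kind == "class-map" and (m := MATCH.match(line)):
            classes.setdefault(name, []).append((m[1], m[2]))
        elif kind == "policy-map" and line.startswith("class "):
            current_class = line.split()[1]
        elif kind == "policy-map" and line == "permit":
            policies.setdefault(name, []).append(current_class)
        elif kind == "interface" and line.startswith("service-policy input "):
            applied.setdefault(name, []).append(line.split()[2])
    allowed = {}
    for policy in applied.get(str(vlan), []):
        for cls in policies.get(policy, []):
            for proto, source in classes.get(cls, []):
                allowed.setdefault(proto, set()).add(source)
    return allowed

def audit(config, vlan):
    """Return findings for the management interface on `vlan`."""
    allowed = permitted_protocols(config, vlan)
    findings = [] if "ssh" in allowed else [f"vlan {vlan}: no management policy permits ssh"]
    if "telnet" in allowed:
        findings.append(f"vlan {vlan}: telnet (cleartext) is permitted")
    findings += [f"vlan {vlan}: {p} permitted from any source"
                 for p in ("ssh", "telnet") if "any" in allowed.get(p, ())]
    return findings
```

Calling `audit(SAMPLE_CONFIG, 13)` on the constructed excerpt reports the Telnet entries; an interface with no management service-policy reports that SSH is not permitted at all.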

I generated the key with 1024 bits earlier and faced the error. Following your example i.e. 768 bits, ssh worked. Strange...

1024 is stated in the example on the given link as well.

Telnet and ssh to ACE from CAT6500 are working. But if I do the same via PuTTY from another segment, it fails (ping works though).

Topology:

MSFC -> SVI for Vlan11 and Vlan13 defined

ACE -> (Vlan11 bridged to Vlan12 on ACE)

(Vlan13 is the management IP interface)

-> FWSM (Vlan15)

From Vlan15 I can ping Vlan13 management IP but I cannot telnet or ssh to it. Policy-map has been defined and applied via service-policy to Vlan13 in ACE for management access via ssh, telnet.

Is there anything else required for telnet, ssh?

Ok. It got fixed. I removed Vlan12 (bridged mode) and added ip route for Vlan15 network via Vlan13. Strange...

Does anyone know how the default and specific routes are defined in ACE in the case of multiple client/server VLANs? How does ACE identify which route to pick based on which VLAN? Can I drive traffic out of all VLANs from one of the VLAN SVIs defined on MSFC?

You could use mac-sticky enable to make the traffic return via the same way it came in.

Gilles.
