Cisco Support Community

securing 3560 cluster access on line VTY


We are using the 3560 as an access switch on our network. We find very useful the possibility of connecting to one switch (the commander) and, from there, going to the others in the same switch stack with the RCOM command.

But as in other businesses, it is mandatory to use only secure protocols to manage switches. On our side we never use the GUI, so HTTP and HTTPS are disabled by default on all of our switches. We also currently have an access-class configured to allow only some network IDs and specific hosts to connect to the switch by Telnet or SSH. We have already found that the cluster connection seems to work on network  ; if we allow only SSH as the management CLI protocol, the cluster stops working.

What I found in the Bug Toolkit, SCdz07515, does not look like it will be corrected in the future. The workaround was to leave Telnet enabled, which may not be acceptable for security purposes. One way to mitigate this is to allow Telnet only from the subnet used by the cluster.

My question is: is it possible to control this network ID? It is definitely too large for us. Having the possibility to set this network ID to something known, smaller, and not routed in the network might help make it more acceptable. We would also like to be able to use Telnet only for this known range and leave SSH as the only management CLI protocol for the others.

Finally, is it planned to make this feature work with only SSH (or another secure protocol) enabled?

Thanks !
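The mitigation the poster describes (Telnet reachable only from the range the cluster uses, SSH for everyone else) can be expressed on the VTY lines themselves. The fragment below is an added example, not configuration from the original post or from Cisco; every address in it is a placeholder. In particular, 10.254.0.0/16 stands in for whatever range the cluster management addresses actually fall in on your switches, which you should read off `show cluster members` on the commander before copying anything. The split relies on IOS placing an incoming session on a VTY whose `transport input` permits that protocol, so Telnet sessions land on the second range and SSH sessions on the first; each range then carries its own access-class. Authentication, AAA and timeouts are left out, keep whatever is already configured.

```text
! Added example, not from the original post. All addresses are placeholders.
!
! Hosts and subnets allowed to manage the switch over SSH (placeholder values).
ip access-list standard MGMT-SSH
 permit 192.0.2.0 0.0.0.255
 permit host 198.51.100.10
 deny   any log
!
! Range used by the cluster commander to reach members. PLACEHOLDER:
! replace with the range shown by "show cluster members".
ip access-list standard CLUSTER-TELNET
 permit 10.254.0.0 0.0.255.255
 deny   any log
!
ip ssh version 2
!
! SSH-only lines for administrators.
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
!
! Telnet-only lines, reachable solely from the cluster range.
line vty 5 15
 access-class CLUSTER-TELNET in
 transport input telnet
```

After applying it, check with `show users` that an SSH session from an admin host occupies a line in 0-4 and that `rcommand` from the commander occupies a line in 5-15; a Telnet attempt from an admin host should be refused and appear as a deny in the log because of the `log` keyword on the ACL. Note that this only narrows which sources may use Telnet; the cluster traffic on the Telnet lines is still cleartext on the wire.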
