
New Member

Issues with VTY access-class in SW 3750

Hi everyone, 

I have a problem with access-class applied in vty in a SW 3750 with IOS 12.2(58)SE2.

I have this configuration:

Standard IP access list ACL_MGMT_VTY
    10 permit x.x.x.x, wildcard bits 0.0.0.255
!
line vty 0 4
 access-class ACL_MGMT_VTY in
 privilege level 15
 logging synchronous
 transport input ssh
!

When I connect to this switch and try to make an SSH connection with an IP address different from x.x.x.x, it shows this message:

% Connections to that host not permitted from this terminal

If I remove this access-class, or try to establish a Telnet session, it works perfectly.

Any suggestions? Ideas?

Possible IOS bug?

9 REPLIES
Cisco Employee

Issues with VTY access-class in SW 3750

Since you only permit x.x.x.x to SSH to the switch, only that IP address is allowed to SSH to the switch. If you try to connect using any other IP address, then it will not allow it, since you have restricted it to that particular IP.

If you want the whole subnet to access the switch, then the access-class should say:

permit x.x.x.0 0.0.0.255

instead of:

permit x.x.x.x 0.0.0.255
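As an added example (not from the thread or from Cisco), here is a small evaluator for the wildcard-mask matching a standard ACL such as ACL_MGMT_VTY performs, with per-entry hit counters and the implicit "deny any" at the end; the addresses are constructed, with 10.1.1.0/24 standing in for x.x.x.x.

```python
# Added example: emulate how a Cisco standard ACL (as used by a VTY
# access-class) matches source addresses. Sample addresses are constructed.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_entry(line):
    """Parse 'permit|deny A.B.C.D [wildcard]' or 'permit|deny any'.

    Returns (action, address_int, wildcard_int). A missing wildcard means a
    single host (wildcard 0.0.0.0); 'any' means every address.
    """
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, 0, ALL_ONES
    addr = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, addr, wildcard


def acl_matches(entry, source):
    """True if the source address matches the entry under its wildcard mask.

    A wildcard bit of 1 means 'don't care'; 0 means the bit must match.
    """
    _, addr, wildcard = entry
    care = wildcard ^ ALL_ONES  # bits that must be equal
    src = int(ipaddress.IPv4Address(source))
    return (src & care) == (addr & care)


def evaluate(acl_lines, sources):
    """Apply the ACL top-down to each source; return (verdicts, hit counters).

    Like IOS, the first matching entry wins, and anything that matches no
    entry is dropped by the implicit 'deny any' (counted separately).
    """
    entries = [parse_entry(line) for line in acl_lines]
    counters = {line: 0 for line in acl_lines}
    counters["implicit deny any"] = 0
    verdicts = {}
    for src in sources:
        for line, entry in zip(acl_lines, entries):
            if acl_matches(entry, src):
                counters[line] += 1
                verdicts[src] = entry[0]
                break
        else:
            counters["implicit deny any"] += 1
            verdicts[src] = "deny"
    return verdicts, counters
```

Comparing `permit 10.1.1.0 0.0.0.255` (whole /24) with `permit 10.1.1.5` (one host) against the same sources shows why a management subnet needs the 0.0.0.255 wildcard, and the implicit-deny counter is the one that climbs when a session is refused.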

New Member

Issues with VTY access-class in SW 3750

Hi Jennifer,

The problem is not with SSH incoming sessions; it's when I try to establish an SSH session from the switch to any device in the network.

Regards,

Cisco Employee

Issues with VTY access-class in SW 3750

Have you tried to configure "access-class out" to restrict access to specific devices and does it work?

New Member

Issues with VTY access-class in SW 3750

Hi Jennifer,

No, I haven't. That's the problem: I do not want to limit outbound SSH traffic.

Cisco Employee

Issues with VTY access-class in SW 3750

If you configure "permit any" and apply it to the access-class "out", does it work?

Sounds like a bug if it does work.

New Member

Issues with VTY access-class in SW 3750

Hi,

We encountered the same issue on a 2960S switch. The strange thing is, we also have 3750 switches and there it works. We are running the same firmware version as you on both models: 12.2(58)SE2.

Summary:

We have no outgoing access-class defined on the vty lines, only an incoming one for limiting SSH access.

From the 2960S switch we tried:

copy running-config scp://user@host/file

It is denied and the deny counter of the INCOMING ACL goes up by 1.

Tried to configure another ACL for outgoing connections. No difference, the outgoing connection is blocked by the incoming ACL!

When removing the incoming ACL, it works.

Then we have another 2960S switch with an older firmware version, 12.2(55)SE3. This one works without problems, with the same configuration.

Looks like a bug.

New Member

Issues with VTY access-class in SW 3750

Same here with a 2960 release 15.0(2)SE2. Will it be solved or is that considered normal?

New Member

Re: Issues with VTY access-class in SW 3750

Hi,

I don't know whether it is an IOS bug or not.

I have the same IOS version 12.2(58)SE2 on a 3750,

and when I apply the ACL on line vty I can't log in by SSH to the device.

When I remove the ACL, I can.

We have vrf on 3750

I find this solution (it helps me):

R1(config-line)#access-class 1 in vrf-also

If it is truly our desire to allow VTY sessions from traffic arriving in a VRF instance, we can modify the behavior of the access-class. This is done using the "vrf-also" option.

New Member

Issues with VTY access-class in SW 3750

I found the bug:

CSCtq51049
