Docwikibot: Bot: Adding {{Template:Required Metadata}}

2009-12-18T17:30:17Z

Bot: Adding {{Template:Required Metadata}}

← Older revision		Revision as of 17:30, 18 December 2009
Line 1:		Line 1:
		+	{{Template:Required Metadata}}
	==Purpose==		==Purpose==
	Configure remote access to allow telnet, ssh, and other mgmt protocols access to the ACE via the Admin context.		Configure remote access to allow telnet, ssh, and other mgmt protocols access to the ACE via the Admin context.

Pzimmerm: 1 revision

2008-12-04T18:37:23Z

1 revision

← Older revision

Revision as of 18:37, 4 December 2008

Pzimmerm: /* Related Information */

2008-12-02T18:19:59Z

Related Information

New page

==Purpose==
Configure remote access to allow telnet, ssh, and other mgmt protocols access to the ACE via the Admin context.

==Design==
In the typical scenario, the MSFC is used to route remote access connection from a client to the ACE. It is recommended to have a dedicated VLAN for remote management when feasible; however, it is not required. In fact, it is common to see a management service policy apply to client vlans when ACE is integrated into an existing network.

[[Image:Inital Remote Access to ACE.jpg]]

==Configuration==
Remote access is denied by default on the ACE module. To enable remote access you need to configure the following objects:
* class-map to classify the remote management traffic which can access the ACE control plane
* policy-map to allow the classified protocols
* interface vlan to receive the remote access connections

To begin the configuration, use a console connection or session to the ACE from the Sup720 (session slot <#>proc 0).
It is common to allow all of the management protocols to the Admin context using the management policy-map with the default class.

<pre>policy-map type management first-match unrestricted-remote-mgmt
class class-default
permit</pre>

However, if security is a concern ACE can be configured to only accept the require protocols from well defined hosts. This follow example shows a common configuration where only ssh, snmp, and https management protocols are allowed.

<pre>class-map type management match-any remote-access
2 match protocol ssh any
3 match protocol snmp any
4 match protocol https any</pre>

{{note|To restrict access based on host, simply change the “any” to a well define host match. }}

<pre>policy-map type management first-match remote-mgmt
class remote-access
permit</pre>

{{note|To further restrict access, policies can be used to deny remote access traffic. Although policies to deny remote access traffic are not commonly used, they useful when one needs to allow a subnet remote access, and restrict a single host within that subnet.}}

<pre>interface vlan 10
description "Client side connectivity"
ip address 172.16.1.5 255.255.255.0
service-policy input remote-mgmt
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1

Related 'show' commands
DC1-Cat6k1#show users
DC1-Cat6k1#show telnet
DC1-Cat6k1#show ssh session-info
DC1-Cat6k1#show conn</pre>

==Comments==
There is a limit of 4 simultaneous TELNET sessions or 4 simultaneous SSH sessions per context at any given time.

==show running-config==

<pre>ACE/Admin# sho run
Generating configuration....

login timeout 0
hostname Pod1-ACE

class-map type management match-any remote-access
2 match protocol ssh any
3 match protocol snmp any
4 match protocol https any

policy-map type management first-match remote-mgmt
class remote-access
permit

interface vlan 10
description "Client side connectivity"
ip address 172.16.1.5 255.255.255.0
service-policy input remote-mgmt
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]



[[Category:Data Center Application Services Configuration Examples]]

Initial Remote Access to ACE Configuration Example - Revision history

Docwikibot: Bot: Adding {{Template:Required Metadata}}

Pzimmerm: 1 revision

Pzimmerm: /* Related Information */