6509 MSFC [7:71340]
I have an MSFC on a 6509 that I am firing up for the first time. The 6509 is running CAT-OS (Hybrid Mode). I have defined several VLAN interfaces on the MSFC, and now must create a specific access-list to limit only a certain source and port address to reach each of these VLANs. This access-list will not allow Telnet connectivity.

My question is, if I create this access list and bind it to all VLANs, will I be able to SESSION over from the switch to the MSFC? Does the SESSION command actually use Telnet to get to the MSFC? Will I need to assign a loopback address and then allow access to the loopback address specifically in my access-list? I just want to make sure that I do not block all access to the MSFC.

Any clarification on this would be helpful. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71340&t=71340
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: 6509 MSFC [7:71340]
You can 'session' to the MSFC without previously configuring anything (like IP address) on it, right? So it can't be telnet... :)

Thanks,

Zsombor

At 12:22 PM 6/25/2003 +, Dave C. wrote:
> I have a MSFC on a 6509 that I am firing up for the first time. The 6509 is running CAT-OS (Hybrid Mode).
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71345&t=71340
Re: 6509 MSFC [7:71340]
The access-list will have no effect. Consider this: can you session to the MSFC when it has no configuration on it?

Dave, if somehow you do wedge yourself, the switch console x command is your friend.

Dave

Dave C. wrote:
> I have a MSFC on a 6509 that I am firing up for the first time. The 6509 is running CAT-OS (Hybrid Mode).
> [...]

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

Government can do something for the people only in proportion as it can do something to the people. -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71348&t=71340
RE: 6509 MSFC [7:71340]
According to Cisco's website, using the session command is what they call accessing the MSFC from the switch CLI using a Telnet session. However, you can access the MSFC from the console port using the switch console command, which Cisco describes as accessing the MSFC from the switch CLI directly connected to the supervisor engine console port. See the following link for more information (watch for wrap):

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007ebb5.html

Shawn K.

-----Original Message-----
From: Dave C. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 8:23 AM
To: [EMAIL PROTECTED]
Subject: 6509 MSFC [7:71340]

> I have a MSFC on a 6509 that I am firing up for the first time. The 6509 is running CAT-OS (Hybrid Mode).
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71354&t=71340
RE: 6509 MSFC [7:71340]
Actually I think I answered my own question. I believe that it does telnet, but uses a system default Loopback address (127.0.0.x). When I session over, it shows that I came from 127.0.0.y. Any thoughts...?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71356&t=71340
Re: 6509 MSFC [7:71340]
Hi,

> but uses a system default Loopback address (127.0.0.x). When I session over, it shows that I came from 127.0.0.y. Any thoughts...?

You are right :-) It does use a telnet-session. If you use an ACL on your vty's, you can include/exclude the 127.0.0.x range to allow / reject telnet-sessions from the switching-engine (if you telnet/ssh on the sw-engine). As mentioned before, you can use the switch console while you have access to the console of the 65xx.

Regards,
Marco

[GroupStudy removed an attachment of type application/pgp-signature]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71365&t=71340
RE: 6509 MSFC [7:71340]
Yes, I agree that the session command uses an internal telnet session. Cisco's documentation says "using a Telnet session", but I believe they didn't go into enough detail!

Shawn K.

-----Original Message-----
From: Zsombor Papp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 2:55 PM
To: Kaminski, Shawn G
Cc: [EMAIL PROTECTED]
Subject: RE: 6509 MSFC [7:71340]

> At 02:48 PM 6/25/2003 +, Kaminski, Shawn G wrote:
> > According to Cisco's website, using the session command is what they call accessing the MSFC from the switch CLI using a Telnet session.
>
> Not using a telnet session, rather from a telnet session.
> [...]
> However, to be sure: Dave, please try it out, and let us know! :)
>
> Thanks,
>
> Zsombor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71373&t=71340
RE: 6509 MSFC [7:71340]
At 02:48 PM 6/25/2003 +, Kaminski, Shawn G wrote:
> According to Cisco's website, using the session command is what they call accessing the MSFC from the switch CLI using a Telnet session.

Not using a telnet session, rather from a telnet session. To appreciate the difference, consider what the 'switch console' command does: it directs the MSFC console to the console outlet that is visible on the supervisor card (FWIW, the MSFC module has its own hardware console port, it's just not wired into an RJ-45 outlet on the front panel of the card). So if you are *not* on the console, then 'switch console' doesn't help you. If you are telnetting to the box (i.e. you want to access the MSFC from a telnet session), then you have to use the 'session' command.

Now it is possible that the 'session' command in fact uses a telnet session internally. Even so, I would be surprised if you could disable that using access lists. It is certainly not a normal telnet session as it doesn't require username/password and such. However, to be sure: Dave, please try it out, and let us know! :)

Thanks,

Zsombor

> However, you can access the MSFC from the console port using the switch console command, which Cisco describes as accessing the MSFC from the switch CLI directly connected to the supervisor engine console port. See the following link for more information (watch for wrap):
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007ebb5.html
>
> Shawn K.
>
> -----Original Message-----
> From: Dave C. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 25, 2003 8:23 AM
> To: [EMAIL PROTECTED]
> Subject: 6509 MSFC [7:71340]
>
> > I have a MSFC on a 6509 that I am firing up for the first time. The 6509 is running CAT-OS (Hybrid Mode).
> > [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71370&t=71340
Re: 6509 MSFC [7:71340]
You made me try it... :)

I configured this on the MSFC:

    access-list 100 deny ip any any log
    !
    line vty 0 4
     access-class 100 in

and I was still able to use 'session' to get to it. Does anyone have different experience?

FWIW, I also checked the TCP connections on the MSFC, and when a 'session' is open, it does show a TCP connection between 127.0.0.12:23 (local) and 127.0.0.11:1025 (local). And when I configured a password on the vty's, I was subsequently required to enter that password for a 'session'. So it looks like telnet, walks like telnet, ... :)

OK, now back to work... ;(

Thanks,

Zsombor

At 06:01 PM 6/25/2003 +, Marco Eulenfeld wrote:
> Hi,
>
> > but uses a system default Loopback address (127.0.0.x). When I session over, it shows that I came from 127.0.0.y. Any thoughts...?
>
> You are right :-) It does use a telnet-session. If you use an ACL on your vty's, you can include/exclude the 127.0.0.x range to allow / reject telnet-sessions from the switching-engine (if you telnet/ssh on the sw-engine).
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71376&t=71340
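Zsombor's observation above (an open 'session' shows up as a TCP connection between two 127.0.0.x addresses, MSFC side on port 23) gives a defender a simple way to tell in-chassis sessions apart from management logins arriving over the network. The following Python is an added example, not code from the thread: it parses constructed sample output in the general shape of Cisco IOS 'show tcp brief' (the exact layout is an assumption) and labels each connection as the internal supervisor-to-MSFC session, a remote telnet, or a remote SSH.

```python
import ipaddress
import re

# Constructed sample in the general shape of Cisco IOS "show tcp brief"
# output (an assumption about layout, not a capture from the thread's box).
# Row 1 mirrors the internal 'session' Zsombor observed: both ends in the
# 127.0.0.x range, with the MSFC side on port 23.
SAMPLE_SHOW_TCP_BRIEF = """\
TCB       Local Address           Foreign Address         (state)
6523A4FC  127.0.0.12.23           127.0.0.11.1025         ESTAB
6524B100  10.1.1.1.23             192.168.5.20.3344       ESTAB
6525C220  10.1.1.1.22             192.168.5.21.50012      ESTAB
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(token):
    """'a.b.c.d.port' -> (IPv4Address, port); the last dotted field is the port."""
    host, _, port = token.rpartition(".")
    return ipaddress.IPv4Address(host), int(port)

def classify(local, foreign):
    """Label a connection from the management-exposure point of view."""
    laddr, lport = local
    faddr, _ = foreign
    if lport == 23 and laddr.is_loopback and faddr.is_loopback:
        return "internal-session"   # supervisor-to-MSFC 'session', never leaves the chassis
    if lport == 23:
        return "remote-telnet"      # cleartext management reachable from the network
    if lport == 22:
        return "remote-ssh"
    return "other"

def parse_show_tcp_brief(text):
    """Return [(tcb, (laddr, lport), (faddr, fport), state, label), ...]."""
    rows = []
    for line in text.splitlines()[1:]:     # first line is the column header
        m = ROW.match(line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        lep, fep = split_endpoint(local), split_endpoint(foreign)
        rows.append((tcb, lep, fep, state, classify(lep, fep)))
    return rows

def remote_telnet_peers(text):
    """Foreign hosts holding cleartext telnet sessions from outside the chassis."""
    return sorted(str(r[2][0]) for r in parse_show_tcp_brief(text)
                  if r[4] == "remote-telnet")
```

Run against real output, the 'remote-telnet' rows are the ones a vty access-class and a move to SSH are meant to control; the 'internal-session' row is the one the thread found the access-class did not affect.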
RE: 6509 MSFC [7:71340]
Good information! Thanks for trying it out for us!

Shawn K.

-----Original Message-----
From: Zsombor Papp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 4:21 PM
To: [EMAIL PROTECTED]
Subject: Re: 6509 MSFC [7:71340]

> You made me try it... :)
>
> I configured this on the MSFC:
> [...]
> and I was still able to use 'session' to get to it. Does anyone have different experience?
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71386&t=71340