ExtremeSwitching (VSP)

 SSH from VSP to another device

bfaltys posted 11-05-2021 09:20
We have a switch that someone put in the field, but we cannot reach it. I added a layer 3 vlan interface on the VSP on site & can ping it. Is it possible to SSH from the VSP? I can see the other switch via LLDP & there is also an ISIS adjacency. I'm wondering if the gateway isn't configured.
bfaltys
Never mind. If you exit down to exec mode, the option is there.

VSP4900:1>?
Exec commands:
clear-stats Clear port statistic counters
clock Clock configurations
cpld-install
debug-file Command To delete debug files
dump Dump the ar table
dvr DVR configuration commands
eapol Set EAPOL configurations
enable Turn on privileged commands
exit Exit from the EXEC and end the current session
file-checksum Calculate or compare MD5/SHA512 digest for a file
help Description of the interactive help system
ip IP configuration features
ipv6 IPv6 configurations
isis Isis configuration command
l2 L2 commands
line-card Perform trace commands for IO and SF cards
linktrace Linktrace command
login Re-login to a different access level
logout Logout of system
loopback Loopback command
ls List files in a directory
manualtrigger Send triggered update
ping Ping Hostname / IP
pwc Print current working level
quick-config-mgmt Quick setup for management interfaces
remove Remove file or directory, with wild card pattern
show Show running system information
slot Set slot state reset
ssh Open ssh client session to a remote host
tacacs Tacacs protocol configurations
telnet Telnet to a remote host
terminal Terminal commands
trace Trace file config
bfaltys
Strangely, I can ping the IP, but when I try to SSH I get an unreachable message.

VSP4900:1>ping 10.1.1.254

Sending ping in context grt
10.1.1.254 is alive
VSP4900:1>
VSP4900:1>
VSP4900:1>ssh 10.1.1.254 -l admin
Trying 10.1.1.254 ...
Host 10.1.1.254 is not reachable.
VSP4900:1>
Ludovico Stevens
If your VSP is on 8.2 or later, then SSH client/server only operates on the segmented management interfaces (mgmt context).
You are pinging in the grt context; try pinging in the mgmt context with "ping 10.1.1.254 mgmt".
You can see your management interfaces with "show mgmt interface" & "show mgmt ip". Maybe you don't have any.
You can have one on a VLAN and/or a CLIP.
bfaltys
If I can reach the other switch via GRT, how can the mgmt IP not reach it? I have a layer 3 interface on the local switch so there is a connected route to that network. Though, this is across an SPBM link...not sure how that plays into this, but I would think it doesn't matter as the overlay is essentially transparent. I do have a mgmt CLIP configured.
bfaltys
After digging a bit more, I think we need to look at the gateway on the ERS. If SSH from the VSP uses the mgmt IP as the source and if the ERS doesn't have a gateway or the gateway is wrong, it obviously wouldn't know how to get back to the VSP's mgmt IP. If I could SSH with the vlan interface as the source, I might be able to get to it.
Ludovico Stevens
If your VSP has an IP address (say on GRT) on the same VLAN where the ERS is located, but you only have a mgmt CLIP on the VSP and the ERS does not have any valid return route to reach that VSP CLIP, then that might be your problem.
What you can do is create a "mgmt vlan" interface on that very same VSP VLAN; and when you configure the mgmt vlan IP address on that mgmt VLAN interface, you must/can configure the very same IP address that VLAN already has configured on GRT (hence in the VSP config, the same IP address appears configured twice, once under "interface vlan X" and once again under "mgmt vlan X"). Now you should be able to hit the ERS with SSH from the VSP.