Posted on December 4, 2018 3:35 am
 |  Asked by Jeroen

I am using the config below on a vEOS virtual machine on VMware ESXi.
I would like to run SSH on a non-default port. When I skip the server-port 2222 line, SSH works on port 22. When I enable the line, the connection is denied on port 22 and times out on port 2222.
Is this a bug or am I doing something wrong?

! Command: show running-config
! device: veos (vEOS, EOS-
! boot system flash:/vEOS-lab.swi
transceiver qsfp default-mode 4x10G
logging console notifications
hostname veos
ip name-server vrf MGMT
ip name-server vrf MGMT
spanning-tree mode mstp
no aaa root
username admin role network-admin secret sha512 $6$xxxxxxx
vrf definition MGMT
interface Ethernet1
interface Management1
vrf forwarding MGMT
ip address
no ip routing
no ip routing vrf MGMT
management ssh
server-port 2222
vrf MGMT
no shutdown

Posted by Kazuo Nakashima
Answered on December 4, 2018 3:46 am

Hello Jeroen,

If it’s a non-default port, you may need to open up the control-plane ACL. I gave it a quick try and experienced the same symptoms you described initially until I did something like the example below where ‘custom-control-plane-acl’ includes a line allowing the custom port:

ip access-group custom-control-plane-acl vrf MGMT in

You can run ‘show ip access-lists’ to see the ‘default-control-plane-acl’ and create your own based on that, including the custom port (2222 in your example).

Hope that helps.

Posted by ASHWIN C S
Answered on December 4, 2018 4:12 am

Hello Jeroen,

1. Just to add on to what Kazuo said, the below line 80 in the control plane ACL needs to be modified:

(config-cp)#sh ip access-lists default-control-plane-acl
IP Access List default-control-plane-acl [readonly]
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp [match 630 packets, 0:04:26 ago]


80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp 2222

2. Create a new ACL and copy the original contents of the default control plane ACL with the above change. Apply it to the control-plane:

(config-cp)#ip access-group control-plane in

Hope this helps.

Posted by Jeroen
Answered on December 5, 2018 9:26 pm

Thank you Kazuo and Ashwin,
With your help I was able to fix it. IT WORKS!
I did:

veos# conf
veos(config)# sh ip access-lists default-control-plane-acl
veos(config)# ip access-list my-control-plane-acl
10 permit icmp any any
20 permit ip any any tracked
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit udp any any eq multihop-bfd
60 permit udp any any eq micro-bfd
70 permit ospf any any
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp 2222
90 permit udp any any eq bootps bootpc snmp rip ntp ldp
100 permit tcp any any eq mlag ttl eq 255
110 permit udp any any eq mlag ttl eq 255
120 permit vrrp any any
130 permit ahp any any
140 permit pim any any
150 permit igmp any any
160 permit tcp any any range 5900 5910
170 permit tcp any any range 50000 50100
180 permit udp any any range 51000 51100
190 permit tcp any any eq 3333
200 permit tcp any any eq nat ttl eq 255
210 permit tcp any eq bgp any
220 permit rsvp any any
veos(config-acl-my-control-plane-acl)# exit
veos(config)# control-plane
veos(config-cp)# ip access-group my-control-plane-acl vrf MGMT in
veos(config-cp)# exit
veos(config)# management ssh
veos(config)# server-port 2222
veos(config)# exit
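
Why port 2222 timed out until the ACL was changed, as an added example (not code from the thread or from Arista): a Python check that walks a control-plane ACL in the format shown above and reports the first rule that matches a new inbound connection. It assumes `any` for addresses, the standard numbers for the port names listed in `NAMED`, and that `tracked`, `ttl eq` and source-port rules do not apply to an ordinary remote client.

```python
import re

# Assumed standard numbers; other names (mlag, nat, bfd, ...) stay symbolic.
NAMED = {"ssh": 22, "telnet": 23, "www": 80, "snmp": 161,
         "bgp": 179, "https": 443, "msdp": 639, "ldp": 646}

def _ports(tokens):
    """Consume an optional 'eq p1 p2 ...' or 'range lo hi'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        ports = set()
        while tokens and tokens[0] not in ("any", "ttl", "tracked"):
            name = tokens.pop(0)
            ports.add(NAMED.get(name, int(name) if name.isdigit() else name))
        return ports
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        del tokens[:3]
        return set(range(lo, hi + 1))
    return None

def first_match(acl_text, proto, dport):
    """Return (seq, action) of the first matching rule, or None (implicit deny)."""
    for line in acl_text.splitlines():
        line = re.sub(r"\[.*?\]", "", line)   # drop '[match N packets ...]' counters
        m = re.match(r"\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue                          # prompts and non-rule lines
        seq, action, rproto, rest = int(m[1]), m[2], m[3], m[4].split()
        if rproto not in ("ip", proto) or not rest or rest.pop(0) != "any":
            continue
        sports = _ports(rest)
        if not rest or rest.pop(0) != "any":
            continue
        dports = _ports(rest)
        # Assumption: these qualifiers never match a new session from a remote client.
        if sports is not None or "tracked" in rest or "ttl" in rest:
            continue
        if dports is None or dport in dports:
            return seq, action
    return None

# Three rules copied from the ACL shown in the thread, before and after the edit.
DEFAULT_ACL = """\
20 permit ip any any tracked
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp [match 630 packets, 0:04:26 ago]
210 permit tcp any eq bgp any
"""
CUSTOM_ACL = DEFAULT_ACL.replace("msdp ldp", "msdp ldp 2222")
```

With the default rules, `first_match(DEFAULT_ACL, "tcp", 2222)` returns `None`, so the packet falls to the implicit deny and the client sees a timeout. The same check on port 23 returns line 80 as well, since the cloned rule keeps telnet and www permitted from any source.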
