SoFunction
Updated on 2025-04-11

Configure a router to provide console port access to multiple devices

All you need is a Cisco router with an asynchronous module, or a router with built-in asynchronous serial ports, and you can reach the console connections of a whole set of network devices in a lab or data center. Let's look at how this is done, how to manage multiple connections at the same time, and some security issues you should consider.

Does this sound familiar? You are working from home on firewalls, routers and switches, but you cannot reach those devices. In the end, you have to drive to the office to update a configuration or restart a device.

Or this: the network goes down and you need quick, easy access to the console ports of all your network devices. You find yourself running from rack to rack with your laptop, connecting to one device's console port at a time to configure it.

There is an easy way to avoid this trouble. With a Cisco router and an asynchronous module, or a router with built-in asynchronous serial ports, you can reach the console connections of a whole set of network devices in a lab or data center.

I set up a Cisco 2511 router in the data center's network room as a console server, and it has made my life much easier on the days when trouble strikes. When I need the console port of one of these network devices, I can Telnet to the console server and from there to the device I want, or Telnet directly to the device's console port.

I prefer the first option because I rarely remember the port number needed for a direct Telnet. In the rare case of a network failure, I can connect directly to the console port of the console server itself and reach the console ports of all the network devices from there.

You do not have to use a 2511 to do this. However, an old 2511 (Cisco no longer makes this model) is the cheapest device that can do the job.

If you do not have a large number of devices, you can also choose a 2509, which has 8 serial ports (a used Cisco 2509 sells on eBay for around $200 on average).

More capable routers can do the same job, including the 2610, 3620, 3640 and 3800 series. With these you can use an NM-16A or NM-32A module; an NM-xxA module provides 16 or 32 asynchronous ports.

Start configuration
I started with a Cisco 2511 router and used one of its asynchronous serial ports for each of my core network switches, routers and firewalls (each of these devices must have a serial console port). Next, I configured the new Cisco terminal server with the following ip host commands to make connecting to each device a little easier:

ip host internet 2016 10.253.100.19
ip host gig_switch3 2015 10.253.100.19
ip host dmz_switch 2013 10.253.100.19

The third field of each command is the TCP port number, and its last two digits give the asynchronous line number. For example, the 2016 after the first router ("internet") means that router is on line 16. The last field of the command is the IP address of the console server's Ethernet interface.

Here is the best part: once these names exist, you don't need to know which port a device is on. All you have to do is Telnet to the host name from the console server.

You can also connect to a device directly from your PC. For example, Telnet from the PC to 10.253.100.19 2016. This tells the Telnet client to connect to TCP port 2016 instead of the default Telnet port 23.

Listing A shows my configuration.

ciscotermserver#sh run
Building configuration...

Current configuration : 2656 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ciscots
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
username root privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
ip subnet-zero
no ip domain lookup
ip host internet 2016 10.253.100.19
ip host gig_switch3 2015 10.253.100.19
ip host dmz_switch 2013 10.253.100.19
ip host pix 2012 10.253.100.19
ip host gig_switch2 2006 10.253.100.19
ip host dbunbii 2003 10.253.100.19
ip host up_switch1 2004 10.253.100.19
ip host gig_switch1 2005 10.253.100.19
ip host core 2002 10.253.100.19
ip host ras 2011 10.253.100.19
ip host router8 2009 10.253.100.19
ip host up_stack1 2007 10.253.100.19
!
!
!
!
interface Ethernet0
ip address 10.253.100.19 255.255.0.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
no ip http server
no ip classless
!
!
!
!
line con 0
line 1
session-timeout 30
exec-timeout 0 0
no exec
transport input telnet
line 2
session-timeout 30
location CORE
exec-timeout 0 0
no exec
transport input telnet
line 3
session-timeout 30
location DBUNBII
exec-timeout 0 0
no exec
transport input telnet
line 4
session-timeout 30
location UP_SWITCH1
exec-timeout 0 0
no exec
transport input telnet
line 5
session-timeout 30
location GIG_Switch4
exec-timeout 0 0
no exec
transport input telnet
line 6
session-timeout 30
location GIG_SWITCH2
exec-timeout 0 0
no exec
transport input telnet
line 7
session-timeout 30
location UP_STACK1
exec-timeout 0 0
no exec
transport input telnet
line 8
session-timeout 30
exec-timeout 0 0
no exec
transport input telnet
line 9
session-timeout 30
location ROUTER8
exec-timeout 0 0
no exec
transport input telnet
line 10
session-timeout 30
exec-timeout 0 0
no exec
transport input telnet
line 11
session-timeout 30
location RAS
exec-timeout 0 0
no exec
transport input telnet
speed 38400
line 12
session-timeout 30
location PIX
exec-timeout 0 0
no exec
transport input telnet
line 13
session-timeout 30
location DMZ_SWITCH
exec-timeout 0 0
no exec
transport input telnet
line 14
session-timeout 30
exec-timeout 0 0
no exec
transport input telnet
line 15
session-timeout 30
location GIG_SWITCH3
exec-timeout 0 0
no exec
transport input telnet
line 16
session-timeout 30
location INTERNET
exec-timeout 0 0
no exec
transport input telnet
line aux 0
line vty 0 4
exec-timeout 60 0
login local
!
end

ciscotermserver#

Manage multiple connections
Once you Telnet to the console server and connect to these devices, you need to know how to manage several connections at once. This makes comparing and troubleshooting device configurations much more convenient.

Follow the steps below:

1. At the command line, enter the host name of one of the devices you configured with ip host; this Telnets to it. This is connection number 1.

2. To return to the console server's command line without disconnecting, press [Ctrl]+[Shift]+6, then x. The console server prompt appears.

3. From here, Telnet to another device by typing its host name from the ip host list. This is connection number 2.

4. Once connected to the router, press [Ctrl]+[Shift]+6 and x again to return to the console server prompt.

5. Enter show sessions. This lists your current sessions; in this example you have two, one to the first router and one to the second. To close one of them, enter disconnect X, where X is the connection number (1 or 2).

6. To switch to a session, enter its session number (again, 1 or 2). Pressing Enter on an empty command line also takes you back to the most recent session.

Note: If you type the name assigned in an ip host command while a session to that device already exists, the system returns "Connection refused by remote host." This means either you already have a connection to that port or someone else is connected to the console port.

Balancing ease of use and security
Remember that security and ease of use are always in tension. As at an airport, the safer it makes you, the more inconvenient it is. It is therefore important to balance the two to meet the needs of the business.

When you put all your eggs in one basket, as here, where console access to every core network device goes through the same console server, security is the top priority. You should always set a console password on every network device. Then, if an intruder gains access to the console server, he can only reach devices whose consoles have no authentication.

You should also set a timeout on the console server's lines. That way, if a connection drops, the console logs the session out within a few seconds instead of leaving it open.

You may be wondering how you can Telnet to the console server if the network itself is down, and that is exactly the right question. You can attach a dial-up modem to the console server and, in the worst case, dial in to it remotely. Security practitioners everywhere condemn this solution, however: convenient as it is, it opens the door to your core network equipment for every dial-up hacker in the world.

Finally, remember that Telnet traffic on the network is not encrypted, so in this setup the usernames and passwords of the core network devices cross the network in plain text. You can do the same thing with SSH instead of Telnet. Again, you need to find the balance between ease of use and security that fits your company's specific needs.
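As an added example (not from the original article), here is a small Python audit script that reads a running config in the shape of Listing A, derives the host-name to async line mapping from the ip host port numbers (port minus 2000) explained in the configuration section, and flags the points raised in this section: lines with no idle timeout, async lines accepting Telnet, and vty lines that do not restrict transport to SSH. The abridged config is constructed, with the core entry deliberately mis-pointed to exercise the consistency check.

```python
# Constructed, abridged excerpt in the shape of the "sh run" listing above;
# the "core" entry is deliberately mis-pointed to exercise the consistency check.
SAMPLE_CONFIG = """\
ip host internet 2016 10.253.100.19
ip host dmz_switch 2013 10.253.100.19
ip host core 2003 10.253.100.19
line 13
 session-timeout 30
 location DMZ_SWITCH
 transport input telnet
line 16
 location INTERNET
 transport input telnet
line vty 0 4
 exec-timeout 60 0
 login local
"""

PORT_BASE = 2000  # reverse Telnet to TCP port 2000+N lands on async line N

def parse_config(text):
    """Return ({hostname: async line number}, {line name: {keyword: args}})."""
    hosts, lines, cur = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] == ["ip", "host"] and len(parts) == 5:
            hosts[parts[2]] = int(parts[3]) - PORT_BASE  # name port address
        elif parts[:1] == ["line"]:
            cur = " ".join(parts[1:])
            lines[cur] = {}
        elif cur is not None and parts:
            lines[cur][parts[0]] = " ".join(parts[1:])
    return hosts, lines

def audit(hosts, lines):
    """Defender's checks: name/line consistency, idle timeouts, cleartext access."""
    findings = []
    for name, num in hosts.items():
        loc = lines.get(str(num), {}).get("location", "")
        if loc.lower() != name.lower():
            findings.append(f"{name}: maps to line {num}, whose location is {loc!r}")
    for name, cfg in lines.items():
        if "session-timeout" not in cfg and "exec-timeout" not in cfg:
            findings.append(f"line {name}: no idle timeout")
        transport = cfg.get("transport", "")
        # a line reachable by Telnet carries credentials in clear text over the network
        if "telnet" in transport or (name.startswith("vty") and "ssh" not in transport):
            findings.append(f"line {name}: Telnet not excluded ({transport or 'default'})")
    return findings
```

On a real box the vty finding is addressed with transport input ssh alongside the login local and exec-timeout already in Listing A, which is the SSH-instead-of-Telnet option the paragraph above recommends.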

Article entry: csh     Editor in charge: csh