You only need a CISCO router with an asynchronous module or a vro with a built-in asynchronous serial port to fully enjoy the control connection to a series of network devices in a work room or data center. Now let's take a look at how these jobs are done, learn how to manage multiple connections, and look at the security issues you should consider.
Are you familiar with this situation? You work with firewalls, routers, and switches at home, but you cannot touch those devices. In the end, you have to drive to the Office to update the configuration or restart the device.
So how? When the network crashes, you need to quickly and conveniently access the control ports of all network devices. You will find that you have a laptop running between devices in the rack, and each time you connect to the control port of one of the devices for configuration.
However, there is also a simple method to avoid such troubles. Using a CISCO router with an asynchronous module or a router with a built-in asynchronous serial port, you can fully enjoy the control connection to a series of network devices in a work room or data center.
I will start setting up a Cisco 2511 router between networks in the data center. Without a doubt, it will make my life easier in the days of trouble. When I need to connect to the control ports of these network devices, I can Telnet to the console server, then Telnet to the device that I want to connect to, or directly Telnet to the control port of the device.
I prefer the first option, because I rarely remember the port number of the device that I needed to Telnet directly. In rare cases of network paralysis, I can directly connect to the control port of the console server, and then access the control ports of all network devices from here.
You do not have to use vrouters 2511 to complete this task. However, an old 2511 router Cisco has stopped producing devices of this type) is the cheapest device you can achieve this goal.
If you are not facing a large number of devices at work, you can also choose vrouters 2509, the router has 8 serial ports. The average transaction price of Cisco 2509 on eBay is around $200 ).
You can use more advanced devices to do the same job, including 2610, 3620, 3640, or 3800 series routers. With these devices, you can also use NM-16A or NM-32A mode. The NM-XXA mode provides 16 or 32-port asynchronous port modules.
Start Configuration
I started my configuration from a Cisco 2511 router, using one of the asynchronous serial ports to connect to each of my core network switches, routers, and firewalls also requires a serial control port ). Next, configure the new Cisco Terminal Server according to the following ip host command to make the connection to each device simpler:
Ip host internet 2016 10.253.100.19
Ip host gig_switch3 2015 10.253.100.19
Ip host dmz_switch 2013 10.253.100.19
The third part of each command line includes the device port number. The last two digits are the specified port number. For example, 2016 after the first vro "internet") indicates that the vro is on port 16. The last part of the command line includes the Ethernet port IP address of the console server.
The most amazing thing is here: by creating these names, you don't need to know which port the device is on. All you need to do is Telnet from the console server to the host.
You can also directly connect to this device from a PC. For example, you can Telnet from a PC to 10.253.100.19 2016. This command specifies that the Telnet client is connected to port 2016 instead of the default Telnet port 23.
My configuration example is as follows:
ciscotermserver#sh runBuilding configuration...Current configuration : 2656 bytes!version 12.3service timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname ciscots!boot-start-markerboot-end-marker!enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX!username root privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXno aaa new-modelip subnet-zerono ip domain lookupip host internet 2016 10.253.100.19ip host gig_switch3 2015 10.253.100.19ip host dmz_switch 2013 10.253.100.19ip host pix 2012 10.253.100.19ip host gig_switch2 2006 10.253.100.19ip host dbunbii 2003 10.253.100.19ip host up_switch1 2004 10.253.100.19ip host gig_switch1 2005 10.253.100.19ip host core 2002 10.253.100.19ip host ras 2011 10.253.100.19ip host router8 2009 10.253.100.19ip host up_stack1 2007 10.253.100.19!!!!interface Ethernet0ip address 10.253.100.19 255.255.0.0!interface Serial0no ip addressshutdown!interface Serial1no ip addressshutdown!no ip http serverno ip classless!!!!line con 0line 1session-timeout 30exec-timeout 0 0no exectransport input telnetline 2session-timeout 30location COREexec-timeout 0 0no exectransport input telnetline 3session-timeout 30location DBUNBIIexec-timeout 0 0no exectransport input telnetline 4session-timeout 30location UP_SWITCH1exec-timeout 0 0no exectransport input telnetline 5session-timeout 30location GIG_Switch4exec-timeout 0 0no exectransport input telnetline 6session-timeout 30location GIG_SWITCH2exec-timeout 0 0no exectransport input telnetline 7session-timeout 30location UP_STACK1exec-timeout 0 0no exectransport input telnetline 8session-timeout 30exec-timeout 0 0no exectransport input telnetline 9session-timeout 30location ROUTER8exec-timeout 0 0no exectransport input telnetline 10session-timeout 30exec-timeout 0 0no exectransport input telnetline 11session-timeout 30location RASexec-timeout 0 0no exectransport input telnetspeed 38400line 12session-timeout 30location PIXexec-timeout 0 0no exectransport input telnetline 13session-timeout 30location DMZ_SWITCHexec-timeout 0 0no exectransport input telnetline 14session-timeout 30exec-timeout 0 0no exectransport input telnetline 15session-timeout 30location GIG_SWITCH3exec-timeout 0 0no exectransport input telnetline 16session-timeout 30location INTERNETexec-timeout 0 0no exectransport input telnetline aux 0line vty 0 4exec-timeout 60 0login local!endciscotermserver#
|
Manage multiple connections
After you Telnet to the console server and connect to these devices, you need to know how to manage multiple connections at the same time. This helps you more easily compare and troubleshoot device configurations.
Follow these steps:
1. Enter the host name in the command line, that is, use an IP host to Telnet to the configured device. This is connection 1.
2. Return to the command line without disconnecting, press [Ctrl] + [Shift] + 6, and then press x. The console server prompt is displayed.
3. Here, you can Telnet to another device by typing its host name in the ip host list. This is connection 2.
4. Once the vro is connected, press [Ctrl] + [Shift] + 6 again, and then press x. This will return to the console prompt.
5. Enter show sessions. This command will list your current session. For example, you have two sessions: one to the first vro and the other to the second. If you want to cancel a session, you can enter disconnect X, where X is the connection number such as 1 or 2 ).
6. to switch to a session, enter the same session number as 1 or 2. If you press enter directly in the empty command line, you can also bring you back to the previous session.
Note: When you try to enter the assigned name in the ip host command to return to an existing Session, the system will return "Connection refused by remote host. ", this indicates that either you have a connection or someone else has connected to the control port.
Balance ease of use and security
Remember that security and ease of use are always a conflict. For example, the safer the airport, the more inconvenient it is. Therefore, it is very important to balance the two to meet the needs of enterprises.
Sometimes you put all your eggs in one basket-in this case, All accesses to the core network devices are connected to the same console server-security is a top priority. You should always set the console password for all network devices. If an intruder obtains the access permission of the console server, the attacker can only access devices without Console Authentication.
In addition, you should set timeout for the control ports of these servers. In this way, if the connection is disconnected, the console will log off the logon information within several seconds.
Maybe you are thinking about how to Telnet to the console server if the network crashes. You can install a dial-up modem on the console server and remotely dial the modem to the console server in the worst case. On the other hand, security management experts all over the world condemn this solution. Although it may be convenient, it makes your core network device open to all dial-up hackers around the world.
Finally, remember that any Telnet communication on the network is not encrypted. Therefore, in this example, the username and password of the core network device transmitted over the network are in plain text. However, you can use SSH instead of Telnet to do the same job. At the same time, you also need to emphasize that you need to find a balance between ease of use and security based on the specific needs of the enterprise.
David Davis has 12 years of experience in the IT industry and has passed many certifications, including CCIE, MCSE + I, CISSP, CCNA, CCDA, and CCNP. He is currently managing a system/Network Administrator team for a retail company and providing some consulting services on networks/systems outside of work hours. (End)