Saturday, June 18, 2011

Managing lots of Cisco consoles from one location

Repost from old blog

Anywho. The issue: let's say you have 16 or so Cisco devices (Extreme works also) that connect to various parts of your network. Now you want to be able to manage these devices remotely, but without opening a huge security hole by relying on VLANs and attempting to keep it all secure with ACLs.

So the easy way is to do all the management via the console port. No ACLs to worry about and easier to secure.

So I have 16+ Cisco devices, from routers to switches (2950s, 3550s, 2621s, 2651s, 3750s, 4912s and even an AS5300), all in my lab. To manage all of those I got myself a Digi PortServer TS 16 rack-mount device (we use them for kernel debugging also). With a special Digi-to-Cisco cable (yes, I will give you the pin-outs if you want them) I connect each Cisco's console port to the Digi, and then the Digi's Ethernet port to my "management network". The management network is where my management workstation lives.

The Digi device will let you telnet or SSH into it (SSH is better). From there you connect to each of its ports using the connect command. Now, where the fun comes in is how to set up the Digi to talk to the Cisco, and then how to create a menu so you don't always have to know which port each device is connected to.

So below are the steps to allow you to connect the Digi to the Cisco (once you have the cable).
1. Make sure your device is up to date. I am using 82000685_E.bin and 82000684_L.bin
2. Know your port numbers (we are going to use ports 1-16)
3. Set the port type to printer (set ports range=1-16 dev=prn)
4. Set the IP on your Digi (set config dhcp=off ip= submask=)

At this point you should be able to use "connect 1" to connect to port 1. A few hits of the Enter key and it should show you the Cisco console.

Now we need to secure the device a little more by turning off things that are not needed. This will leave only telnet and SSH on (I would turn off telnet also, but if you don't have an SSH client then it is kinda hard to use).
1. set secureaccess http=off snmp=off rlogin=off rsh=off https=off realport=off securerealport=off
2. set secureaccess reversessh=off securesockets=off reversetcp=off reversetelnet=off

We need to make our menu before we assign a user to use it. This is an example for ports 1-3 with a title bar:
1. set menu range=1 t1="Cisco management" t2="Make sure you save!" name=menu1
2. set menu range=1 m1="cisco 1" c1="connect 1"
3. set menu range=1 m2="cisco 2" c2="connect 2"
4. set menu range=1 m3="cisco 3" c3="connect 3"

Now let's make a user that we will connect with to see our menu:
1. set user name= defaultaccess=menu menu=1

Set the password for our new Digi user:
1. newpass name=
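To tie the steps above together, here is an added example (not from the original post, and not Digi's own tooling) that generates the whole command sequence for an inventory of consoles instead of the three-port menu shown; the inventory, the user name and the assumption that a menu takes one entry per port are constructed for illustration.

```python
# Added example (not from the original post): build the Digi PortServer TS 16
# command sequence from a port -> device-label inventory. The inventory, the
# user name and the assumption that a menu holds one entry per port are
# constructed for illustration; ip=/submask= are left for the admin to fill in.

MAX_PORTS = 16  # the PortServer TS 16 has 16 serial ports

# Constructed sample inventory: serial port number -> console label
INVENTORY = {
    1: "cisco 1 (2950)",
    2: "cisco 2 (3550)",
    3: "cisco 3 (2621)",
}

HARDENING = [
    # leave only telnet and ssh reachable, as in the post
    "set secureaccess http=off snmp=off rlogin=off rsh=off https=off "
    "realport=off securerealport=off",
    "set secureaccess reversessh=off securesockets=off reversetcp=off "
    "reversetelnet=off",
]


def digi_commands(inventory, menu_id=1, user="netops",
                  title="Cisco management", subtitle="Make sure you save!"):
    """Return the CLI lines to paste into the Digi, in the order the post uses them."""
    ports = sorted(inventory)
    if not ports or ports[0] < 1 or ports[-1] > MAX_PORTS:
        raise ValueError(f"ports must be within 1-{MAX_PORTS}")
    if any('"' in label for label in inventory.values()):
        raise ValueError("menu labels cannot contain double quotes")
    # only the ports that actually have a console cabled get the printer profile
    lines = [f"set ports range={p} dev=prn" for p in ports]
    lines += HARDENING
    lines.append(f'set menu range={menu_id} t1="{title}" t2="{subtitle}" '
                 f"name=menu{menu_id}")
    # menu key mN is the entry position; cN carries the real port number
    for n, port in enumerate(ports, start=1):
        lines.append(f'set menu range={menu_id} m{n}="{inventory[port]}" '
                     f'c{n}="connect {port}"')
    # the user lands straight in the menu instead of a shell
    lines.append(f"set user name={user} defaultaccess=menu menu={menu_id}")
    lines.append(f"newpass name={user}")
    return lines


if __name__ == "__main__":
    print("\n".join(digi_commands(INVENTORY)))
```

Review the printed lines, then paste them into the Digi session after the set config step.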

Now a little-known tip. When you use the default escape character with the Digi, it will leave the port open and not let you reconnect until you do a kill tty= (you can see the ttys by running the 'who' command). But if you use the escapekill command (the default is a period, ".") then it will close the tty when you escape. The default escape command is Ctrl+]; add a period after that and hit Enter, and you will kill the connection rather than just disconnecting: Ctrl+] followed by ".". That is, press Control and ] in one keystroke, then the period in another.

Now you should be able to telnet or SSH into your IP and get a menu. Press 1 to connect to cisco 1, 2 to connect to cisco 2, and 3 to connect to cisco 3.

How great!
