Cisco Console Server
In an effort to provide a more secure way to access our network equipment in the event of an outage, we set up a console server. We didn't purchase anything from a vendor but built a Cisco console server ourselves. There is little documentation online for creating one, so I am going to go through the steps.
Equipment used: below is the list of equipment needed to get started with the project.
- Cisco 2621xm router
- NM-32a Async network module
- cab-octal-async octal cable (68-pin connector terminated with 8 RJ45 async console ports)
- cat5 cables of appropriate length and color (in my environment, color signifies function; this may not apply in your setup)
Connectivity Setup:
To start, we configure the router's network connectivity, power it on, and assume the switches it connects to have already been set up appropriately.
interface Loopback1
no ip address
interface FastEthernet0/0
ip address 172.17.1.70 255.255.252.0
no ip mroute-cache
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 172.17.0.1
Once your device has connectivity to the network, connect all your octal cables and terminate them on each device to be monitored. If you have the correct cables, you will see a green light on the NM-32a module as each one is connected. Now we need to configure authentication on your device.
Security Setup:
First let's configure the device. Every network admin is aware that Telnet is the standard way to connect to routers and switches, but it's far from secure. We are going to start by configuring SSH. Below we set the device's hostname and domain name and generate the RSA key pair.
router(config)# hostname console-server
console-server(config)#
Next let's set up the domain name:
console-server(config)# ip domain-name mgmt.yousendit.com
console-server(config)#
Now we need to configure the RSA key:
console-server(config)# crypto key generate rsa
The name for the keys will be: console-server.mgmt.intriguingproblems.net
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.
How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]
console-server(config)#
*Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
console-server(config)#
Lastly we need to make SSH use the local database for authentication and set up a new account:
console-server(config)#aaa new-model
console-server(config)#
console-server(config)#username <username> password <password>
console-server(config)#
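An added hardening example, not the configuration from the original post, that takes the SSH setup above further: a 2048-bit RSA key in place of the 768-bit one generated above (768 bits is well below current minimums), SSH version 2 only, a hashed user secret instead of the reversible password form, and SSH-only vty lines reachable only from the management subnet. It assumes an IOS release that supports `ip ssh version 2` and the `secret` keyword, that the management subnet is the 172.17.0.0/22 network implied by the FastEthernet0/0 address above, and that the NM-32a occupies absolute lines 33 to 64 (port range 2033 to 2064); adjust the line range and the access list to your own router.

```ios
! Added hardening example; assumes IOS with SSHv2 support and the 'secret' keyword.
! Management subnet taken from the FastEthernet0/0 address above (172.17.0.0/22).
access-list 10 remark management hosts allowed to reach the console server
access-list 10 permit 172.17.0.0 0.0.3.255
!
! Replace the 768-bit key with a 2048-bit one and allow only SSH version 2.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Hashed credential instead of the reversible 'password' form; local AAA login list.
aaa new-model
aaa authentication login default local
username <username> privilege 15 secret <password>
!
! Management lines: SSH only, idle timeout, reachable only from the management subnet.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! NM-32a async lines (33-64 here): no EXEC so noise on a console cable cannot start a
! shell, and the same source restriction on the reverse-telnet ports 2033-2064.
line 33 64
 access-class 10 in
 no exec
 transport input telnet
 exec-timeout 10 0
```

The `access-class` on the async lines matters as much as the one on the vty lines: every port from 2033 to 2064 is a direct path to a device console, so it should be reachable only from the same management hosts that are allowed to log in to the console server itself.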
Device Access
Once you have set up access to the device, we can test connectivity and configure easy access for the future.
Once attached, the NM-32a module exposes each of its async lines as a TCP port on the console server. If you have telnet set up, the following command will get you to a connected device:
telnet 172.21.1.1 2013
This opens a telnet session to the console server on port 2013, which is channeled through the NM-32a and the async cable to the device being managed. As this is only an introduction to how the device is accessed, your port numbers may vary; for my device I have ports 2033 – 2064. To find out what your ports are, run the following command:
console-server(config)# show ip interface brief
The next task is to create a way to access the devices without having to memorize the port numbers. The easiest method is to add the devices to the config as host entries, which gives you an easy way to reach them when you are on the console server. Below is an example of how to define the mappings to your network devices without much difficulty.
ip host sjc103con01 2013 172.21.1.1
ip host sjc101fwl01 2014 172.21.1.1
ip host sjc102fwl01 2014 172.21.1.1
There is also the option of adding the port numbers to your DNS setup as TXT records. A simple script that looks up the port number will then let you just type in the device name and open a connection like the one above.
All in all this project is quite simple, but it is not documented in enough depth for a new network administrator to be able to set it up quickly.
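As an added example, not a script from the original post, the following Python helpers cover both the `ip host` mapping shown above and the DNS TXT lookup idea: one function turns an inventory of device names and async line numbers into `ip host` lines, another parses a TXT record into a console address and port, and a third builds the telnet command from it. It assumes a TXT record format of `console=<ip> port=<tcp port>` (my own convention, not the page's), stands a constructed dictionary in for the real DNS query (a deployment would fetch the TXT record with a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")`), and uses the IOS reverse-telnet convention that an async line's TCP port is 2000 plus its absolute line number, which matches the 2033 to 2064 range given above. Records whose port falls outside the reverse-telnet range are rejected rather than connected to.

```python
"""Console-port helpers for a Cisco NM-32A based console server (added example)."""
import re
import shlex
from typing import Dict, List, Tuple

# IOS reverse-telnet convention: TCP port = 2000 + absolute async line number.
REVERSE_TELNET_BASE = 2000
# Async lines provided by the NM-32A in this router (ports 2033-2064 on the page).
FIRST_ASYNC_LINE, LAST_ASYNC_LINE = 33, 64

# Constructed stand-in for DNS TXT records (assumption: real lookups would use a
# resolver, e.g. dnspython's dns.resolver.resolve(name, "TXT")). The record format
# "console=<ip> port=<tcp port>" is this example's own convention, not the page's.
FAKE_TXT_RECORDS: Dict[str, str] = {
    "sjc103con01.mgmt.example.net": "console=172.21.1.1 port=2033",
    "sjc101fwl01.mgmt.example.net": "console=172.21.1.1 port=2034",
    "broken.mgmt.example.net": "console=172.21.1.1 port=23",  # deliberately bad port
}

TXT_RE = re.compile(r"^console=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port=(?P<port>\d+)$")


def port_for_line(line: int) -> int:
    """Map an absolute async line number to its reverse-telnet TCP port."""
    if not FIRST_ASYNC_LINE <= line <= LAST_ASYNC_LINE:
        raise ValueError(f"line {line} is not an NM-32A async line on this router")
    return REVERSE_TELNET_BASE + line


def parse_console_txt(txt: str) -> Tuple[str, int]:
    """Extract (console_ip, port) from a TXT record; refuse ports outside 2001-2999."""
    match = TXT_RE.match(txt.strip())
    if not match:
        raise ValueError(f"unrecognised console TXT record: {txt!r}")
    port = int(match.group("port"))
    if not REVERSE_TELNET_BASE + 1 <= port <= REVERSE_TELNET_BASE + 999:
        raise ValueError(f"port {port} is outside the reverse-telnet range 2001-2999")
    return match.group("ip"), port


def ip_host_lines(console_ip: str, inventory: Dict[str, int]) -> List[str]:
    """Render 'ip host <name> <port> <ip>' lines from a name -> async line inventory."""
    return [
        f"ip host {name} {port_for_line(line)} {console_ip}"
        for name, line in sorted(inventory.items())
    ]


def connect_command(device: str, records: Dict[str, str] = FAKE_TXT_RECORDS) -> str:
    """Build the telnet command the page describes from the device's TXT record."""
    console_ip, port = parse_console_txt(records[device])
    return shlex.join(["telnet", console_ip, str(port)])


if __name__ == "__main__":
    # Constructed inventory: device name -> async line on the NM-32A.
    for cfg_line in ip_host_lines("172.21.1.1", {"sjc103con01": 33, "sjc101fwl01": 34}):
        print(cfg_line)
    print(connect_command("sjc103con01.mgmt.example.net"))
```

Generating the `ip host` lines from an inventory keeps the console server's host table and the DNS TXT records derived from the same source, so a device moved to another async line is updated in one place rather than silently pointing at the wrong console.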
Categorised as: Network Administration