Cisco Access Servers

MidnightWizard

Just started playing with my new 2511RJ

Found quite a number of configs on the net but I have a couple of questions for any of the Cisco Gurus here.

A lot of posts are of the type -- "just do this, then that, and everything works".

I would prefer to understand all the detail of what is going on.

I am OK with the CLI and configuration but am a bit confused with some of the principles.


OK let me state the obvious so we have a foundation to work from .........

One uses an access server in order to access the console ports of many devices from ONE device ( the AS )

One needs to access the console port as this is the most basic and powerful interface for configuration / troubleshooting (you do not need to have an IP address set on an interface).

The AS is only going to give you access to devices in your local "pod". I think of this as a LAN thing -- i.e. a rolled cable only goes so far (not around the world as in a WAN link).

To put it in the way that the Americans love ........

IF your AS is in Chicago then you are not going to configure a device that is PHYSICALLY in Seattle

LAN or local vs WAN or remote -- OK I hope I understand that correctly.

Right

One accesses the devices attached to the AS via Telnet ( from your PC / Laptop etc )

Now I assume that this is from some form of telnet application -- CLI (DOS) or Tera Term / HyperTerminal or similar?

The normal way of doing this is via a loop-back interface.

Here is the official reference from Cisco, "Configuring a Terminal/Comm Server":

Code:
aus-comm-server#show running-config
!
version 12.0

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname aus-comm-server
!
enable secret  <deleted>
!
username cisco password <deleted>
!
ip subnet-zero
ip domain-list cisco.com
no ip domain-lookup

ip host 3600-3 2014 172.21.1.1

!--- The host 3600-3 is connected to port 14 of the comm server.
!--- Ensure that the IP address is that of an interface on the comm server.

ip host 3600-2 2013 172.21.1.1
ip host 5200-1 2010 172.21.1.1
ip host 2600-1 2008 172.21.1.1
ip host 2509-1 2007 172.21.1.1
ip host 4500-1 2015 172.21.1.1
ip host 3600-1 2012 172.21.1.1
ip host 2511-2 2002 172.21.1.1
ip host 2511-rj 2003 172.21.1.1
ip host 2511-1 2001 172.21.1.1
ip host 5200-2 2011 172.21.1.1
ip host 2520-1 2004 172.21.1.1
ip host 2520-2 2005 172.21.1.1
ip host 2600-2 2009 172.21.1.1
ip host 2513-1 2006 172.21.1.1
ip host pix-1 2016 172.21.1.1
!
!
process-max-time 200
!
interface Loopback1
 ip address 172.21.1.1 255.0.0.0

!--- This address is used in the IP host commands.
!--- Work with loopback interfaces, which are virtual and always available.

 no ip directed-broadcast
!
interface Ethernet0
 ip address 171.55.31.5 255.255.255.192

!---  Use a public IP address to ensure connectivity. 

 no ip directed-broadcast
 no ip mroute-cache
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
!
ip default-gateway 171.55.31.1

!--- This is the default gateway when routing is disabled.
!--- For example, if the router is in boot ROM mode.

ip classless
ip route 0.0.0.0 0.0.0.0 171.55.31.1

!--- Set the default route for the external network.

no ip http server
!
line con 0
 transport input all
line 1 16
 session-timeout 20

!--- The session times out after 20 minutes of inactivity.

 no exec

!--- Unwanted signals from the attached device do not launch
!--- an EXEC session. This ensures that the line never becomes unavailable
!--- due to a rogue EXEC process.

 exec-timeout 0 0

!--- This disables exec timeout.

 transport input all

!--- Allow all protocols to use the line.
!--- Configure lines 1 - 16 with at least transport input Telnet.

line aux 0

!--- Auxiliary port can provide dial backup to the network.
!--- Note: This configuration does not implement modem on AUX port.

 modem InOut

!--- Allow auxiliary port to support dialout and dialin connections.

 transport preferred telnet
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 60 0
 password <deleted>
 login
!
end

This seems to be the normal way of doing it

It is the config on the remote host that has me confused.

Normally if one connects from a PC via a console port then one configures line con 0 (the console line).

If one is connecting to the remote host's console port that is attached to the AS serial async port, what "line" does one configure on the remote host?

I guess this has something to do with "Reverse Telnet"? Anyway, this bit is confusing to me.


Then there is another completely different way of doing it

Code:
version 11.3
no service password-encryption
!
hostname 2509-ts
!
enable secret 5 $1$FJw4$wnl7PsB.0kRuklKLNzd3I/
!
username admin
!
!
interface Loopback0
no ip address
!
interface Ethernet0
ip address 192.168.16.253 255.255.255.0
bandwidth 10000000
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
interface Async1
no ip address
!
ip default-gateway 192.168.16.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.1
!
line con 0
no exec
exec-timeout 35791 0
telnet break-on-ip
telnet sync-on-break
telnet ip-on-break
flowcontrol hardware
line 1 8
session-timeout 35791
exec-timeout 35791 0
password admin
login local
transport input all
stopbits 1
line aux 0
line vty 0 4
no login
!
end
No additional IP HOST HOSTNAME commands were needed.
Just go thru the Ethernet port and specify the line number as the port number in the Telnet app.
Works like a champ.

OK now I am really confused

"Just go through the Ethernet port" WTF what is this person talking about ?

I assume that if one Telnets then one goes through the Ethernet port anyway (fine for the LAN -- depends on how the AS is connected and routed for the Internet (Serial 0, or the AS connected to another [WAN] router on the same LAN segment / subnet)).

I cannot see where and how this way of doing things differs from the loopback interface way of doing it ( apart from obviously all the IP host entries )

IF I understand correctly one then also needs more VTY (virtual terminal lines) on the AS (more than the standard four). OK I know that this is trivial to do. Am I on the right track here?

This way seems more "classy" ??????

I am not understanding the big picture though -- unfortunately I have to know ALL the little nitty-gritty stuff before the thing "CLICKS"

Is there anyone clued up on this stuff that can give a blow-by-blow explanation (not the "just plug this in here, copy and paste this config in here and Bob's your aunty")?

PLEASE :D
 
Dude, you have me confused, I have no clue about what you are asking :D

The only thing I can tell you from past experience is the router's console port config was the normal config you would use for connecting with a laptop & serial cable. That does not change when you hook the console ports up to an access server.
 
Console Port

Thanks

I am pretty familiar with using the console port to log in / configure etc. on a SINGLE device.

Con 0 is a type of "line" as are also the AUX ( Async 1 ) and the TTY -- all different types of interface ( as are serial 0 / eth 0 / fae 0 / bri / etc etc )

With an AS you are logging into that device and then using that one device to give you access to up to sixteen other devices via THEIR console port. ( Reverse Telnet )

The AS is connected via the low speed async ( serial ) ports ( Octal or RJ / 8 or 16 ) to the console port of the attached devices.
( You can also connect external modems to these async ports on the AS -- but that is a different application )

This is a different animal than just connecting to a single device.

Maybe we might be able to entice the great "Roman" ;)
 
Maybe we might be able to entice the great "Roman" ;)
Dunno about great, but what you are asking is quite simple.

IOS will open (& listen on) a TCP port for each (async) line that has "transport input telnet" configured. The TCP port corresponds to line # + 2000 e.g. telnet any of the router's IPs on port 2008 and you will pop out of line 8 (use 'sh line' to see line name to line # mappings).

This is what your 2nd example is trying to say. The 1st example is a variation where you telnet the virtual console (vty x on std TCP port 23) which has some aliases configured to re-telnet the same router on a different port e.g. typing 2600-1 will telnet the router on TCP port 2008 popping you out of line 8.

You shouldn't really use (reverse) telnet on the open Internet as you could be exposing passwords. Better to use SSH to IOS, which also has a reverse line mapping facility e.g.

ssh username:8@routerIP will pop you out of line 8

... remember to cfg 'transport input ssh' on the lines
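As an added example (not code from the thread or from Cisco), here is a small Python audit that applies the mapping Roman describes to a running-config excerpt: it lists the TCP port (2000 + line number) for every numeric line, the ip host aliases that point at it, and whether the line still accepts cleartext telnet, so a defender can see what 'transport input all' on 'line 1 16' actually exposes. The sample config is constructed in the style of the first config above, and the hardened copy swaps in 'transport input ssh' plus 'login local'.

```python
import re

# IOS listens on TCP 2000 + line number for reverse Telnet (the "line # + 2000" rule).
REVERSE_BASE = 2000

def parse_ip_hosts(config):
    """Map TCP port -> alias names from 'ip host NAME PORT ADDR' entries."""
    aliases = {}
    for name, port, _addr in re.findall(r"^ip host (\S+) (\d+) (\S+)", config, re.M):
        aliases.setdefault(int(port), []).append(name)
    return aliases

def parse_async_stanzas(config):
    """(first, last, commands) per numeric 'line N [M]' stanza; con/aux/vty are skipped."""
    stanzas = []
    for text in (raw.strip() for raw in config.splitlines()):
        if not text or text.startswith("!"):
            continue                        # blank lines and !--- comments
        if text.startswith("line ") or text == "end":
            tok = text.split()
            if len(tok) > 1 and tok[1].isdigit():
                last = int(tok[2]) if len(tok) > 2 else int(tok[1])
                stanzas.append((int(tok[1]), last, []))
            else:
                stanzas.append(None)        # con/aux/vty stanza or 'end': ignore its commands
        elif stanzas and stanzas[-1]:
            stanzas[-1][2].append(text)
    return [s for s in stanzas if s]

def audit(config):
    """One finding per async line: TCP port, accepted transports, login guard, aliases."""
    aliases, findings = parse_ip_hosts(config), []
    for first, last, cmds in parse_async_stanzas(config):
        transports = set()
        for c in cmds:
            if c.startswith("transport input "):
                transports.update(c.split()[2:])
        login = any(c == "login" or c.startswith("login ") for c in cmds)
        for n in range(first, last + 1):
            port = REVERSE_BASE + n
            findings.append({
                "line": n, "port": port,
                "telnet": bool(transports & {"all", "telnet"}),   # cleartext reverse access
                "ssh": bool(transports & {"all", "ssh"}),         # needed for user:N@AS
                "login": login,
                "aliases": aliases.get(port, []),
            })
    return findings

def cleartext_exposed(findings):
    """Lines still reachable over cleartext reverse Telnet."""
    return [f for f in findings if f["telnet"]]

# Constructed excerpt in the style of the thread's first config (not a real device).
SAMPLE_WEAK = """\
ip host 2600-1 2008 172.21.1.1
ip host pix-1 2016 172.21.1.1
line 1 16
 no exec
 transport input all
line aux 0
 transport input all
line vty 0 4
 login
end
"""
# Same AS with the async lines restricted to SSH and guarded by a local login.
SAMPLE_HARDENED = SAMPLE_WEAK.replace(" no exec\n transport input all",
                                      " no exec\n login local\n transport input ssh")
```

Run `cleartext_exposed(audit(SAMPLE_WEAK))` to list the sixteen lines that the weak config exposes on tcp/2001-2016; the hardened config returns an empty list.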
 
MENU

Dunno about great, but what you are asking is quite simple.
I guess for some :)
Many thanks
You shouldn't really use (reverse) telnet on the open Internet as you could be exposing passwords. Better to use SSH to IOS, which also has a reverse line mapping facility e.g.

ssh username:8@routerIP will pop you out of line 8

... remember to cfg 'transport input ssh' on the lines

Is one then in effect working with the AS or through the AS :confused:

Should one use the loopback interface as recommended by Cisco or would the ETH interface be better ?

Can one use SSH in a menu setup ?

IOS Command Line Interface Commands

Not sure how you set up a CLI Menu command list but it looks very interesting.

I have my routers ready for a first try but I am as nervous as a virgin on her first wedding night :D
I get terribly grumpy when the frustration of idiocy overcomes me :(
 
Is one then in effect working with the AS or through the AS :confused:
I would say through, as you won't see the AS's CLI; you'd go straight through to the console port of the router hanging off the line.

Should one use the loopback interface as recommended by Cisco or would the ETH interface be better ?
Either will work, suppose it's neater to use a loopback with an AS that has multiple IP access interfaces (so you don't disconnect if one happens to go down).

Can one use SSH in a menu setup ?
You could by SSHing to the AS's CLI (i.e. no :x before the @ in the ssh statement). Personally I find connection switching/menus in the IOS CLI clumsy, would rather fire off multiple SSH (PuTTY) connections to the AS, and switch windows using the Windows taskbar.
 
Would you perhaps know the correct IOS to acquire ?
Do you need to upgrade it? The unit should have an IOS installed when you receive it and unless there is an important feature or patch that you need I see no reason to upgrade.
 
Feature Set

Do you need to upgrade it?
The unit should have an IOS installed when you receive it
and
unless there is an important feature or patch that you need I see no reason to upgrade.

YES

I can only afford old / used / refurb, so the unit has an older IOS.

I need the last and latest for the SSH feature set. ( and whatever security improvements / patches )

A valid reason for a new IOS -- not so ?
 
Thanks

I am pretty familiar with using the console port to log in / configure etc. on a SINGLE device.

Con 0 is a type of "line" as are also the AUX ( Async 1 ) and the TTY -- all different types of interface ( as are serial 0 / eth 0 / fae 0 / bri / etc etc )

With an AS you are logging into that device and then using that one device to give you access to up to sixteen other devices via THEIR console port. ( Reverse Telnet )

The AS is connected via the low speed async ( serial ) ports ( Octal or RJ / 8 or 16 ) to the console port of the attached devices.
( You can also connect external modems to these async ports on the AS -- but that is a different application )

This is a different animal than just connecting to a single device.

Maybe we might be able to entice the great "Roman" ;)


Sorry, I see no real difference. The only difference is you are working through an AS where the AS facilitates the connection to the console ports of the individual routers. The config for the devices hanging off the AS stays the same.
 
Asynch

Sorry, I see no real difference.
The only difference is you are working through an AS where the AS facilitates the connection to the console ports of the individual routers.
The config for the devices hanging off the AS stays the same.

Could be ?

I always think of the console as not being Telnet and the VTYs being Telnet (SSH).

The AS allows you to Telnet directly to the remote host's console -- this seems somehow different to me (different than accessing the console directly via a PC).

So must the remote host's console port or VTY port be configured?

To access the AS remotely ( or over the LAN ) you are obviously using the VTY lines.


What protocol is used to access the Console port anyway ( via the PC serial port ) :confused:

I am still busy trying to understand it all & getting this all to work -- will let you know what I discover when I have the correct IOS and am finished. ( eventually :D)
 
I think you are making this way more complicated than it actually is for yourself.

The remote hosts' (referring to the routers connected to the AS via console ports) console port configs stay the same as if you would be connecting directly to a PC. Forget about the remote hosts, the AS does the translation between TCP/IP and the serial/console port; that is the function of the AS. It's no different from (but simpler than) doing TCP/IP to X.25 translation etc.
 
Loopback Addressing

I think you are making this way more complicated than it actually is for yourself.
The remote hosts' (referring to the routers connected to the AS via console ports) console port configs stay the same as if you would be connecting directly to a PC.
Forget about the remote hosts, the AS does the translation between TCP/IP and the serial/console port; that is the function of the AS.
It's no different from (but simpler than) doing TCP/IP to X.25 translation etc.

Thanks -- everything is complicated until it becomes simple ( through study & trial & error ) :D

Perhaps you can help with another question ?

I am a bit stumped with the IP addressing of the Loopback adapter ( and how it interacts with the other interfaces )

Apparently you can assign the loopback any valid IP ?

I understand that if you want to access your AS from outside ( Internet) then you need a valid routable public IP.

Are you then accessing the AS via the Loopback ?
IF so I assume you must be able to ping the Loopback ?
IF so why then even have an UP & UP ETH ?

But what is confusing me are the following examples culled from Internet.
I have NO idea why the Loopback addresses were chosen or setup in this way :confused:

Weird mask ?

Code:
interface Loopback0
 ip address 1.1.1.1 255.0.0.0

Weird mask and on different subnet to ETH?
Code:
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0
 ip address 192.168.1.112 255.255.255.0
!

Another weird mask also different to ETH ?
Code:
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
 no ip route-cache
!
interface Ethernet0
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache


IF I am not mistaken 192.168.1.100 & 192.168.1.112 are private IP addresses -- ie this is being used on the LAN segment ?

So in these scenarios how do you ping the Loopback ? ( from the LAN )

As you can see , I am still getting to grips with IP addressing and subnetting :(

There are a lot more obscure krinkles and wrinkles in AS than at first meet the eye.
( Well anyway to me )
 
I am a bit stumped with the IP addressing of the Loopback adapter ( and how it interacts with the other interfaces )

Apparently you can assign the loopback any valid IP ?

I understand that if you want to access your AS from outside ( Internet) then you need a valid routable public IP.

Are you then accessing the AS via the Loopback ?
IF so I assume you must be able to ping the Loopback ?

Let's get back to the basics.

What is a loopback interface?

It's a virtual interface used mostly for management purposes, seen only inside the device it is assigned to. Management software etc. use it to pick up alarms etc., i.e. the device sends traffic to itself. It also has other purposes, for example determining router IDs with OSPF. Why use loopback and not physical interfaces for this? Because they are virtual and never go down.

How do you propose you ping an address on a loopback interface when it's not seen externally and you have no route to it?

With an AS you need to connect to the AS remotely via telnet, ssh etc, this you do via the IP address on the physical ports (serial, ethernet etc) you can then use the internal loopback address to do the TCP/IP to serial/console translation.

I'm not trying to be condescending with my above questions, I'm asking them because I think by answering them you will understand the underlying principles better? (I used the same method while lecturing: ask the guys questions, then they think about it and then you see the lights go on, which is rewarding. It's easier to learn this stuff if you understand what's going on than copying parrot fashion from books etc.)

What are you studying at the moment? Could I suggest you get the basics like IP addresses, subnetting, ARP, Layer 2 - Layer 3 operation, interfaces etc. down to a tee, because if you don't you are going to struggle with the stuff above that. Also, if you have physical kit you practise on, connect a sniffer and observe what happens at the frame level. I just feel you are jumping a bit ahead of yourself here.

Your turn, bring on some more questions and we will try and answer.
 
Loopback

How do you propose you ping an address on a loopback interface when it's not seen externally and you have no route to it?

I'm not trying to be condescending with my above questions,

Your turn, bring on some more questions and we will try and answer.

Would you like to reconsider this one ?

Before I go check the Cisco docs again
 
Ok, let's say your physical interfaces are down, serial & ethernet etc.; you have no way to get to the loopback interface seeing it's virtual and has no connection to any hardware.
Even with your ethernet & serial interfaces being up and you telnet to the loopback interface the traffic still has to go via the serial or ethernet ports as the loopback interface has no physical connection to the outside world except VIA the other interfaces.
To get to a loopback interface you would have to add the network used by the loopback interface to the routing protocol used as a network you want to route for.
The route to the loopback interface will always be via another network and never directly.
But at the same time also keep in mind that with some devices you cannot even do this, thinking CatOS switches if I'm not mistaken
 
Loopback

Ok, let's say your physical interfaces are down, serial & ethernet etc.; you have no way to get to the loopback interface seeing it's virtual and has no connection to any hardware.
Thanks for your patience
True
Just tried it now

Even with your ethernet & serial interfaces being up and you telnet to the loopback interface the traffic still has to go via the serial or ethernet ports as the loopback interface has no physical connection to the outside world except VIA the other interfaces.
Correct

To get to a loopback interface you would have to add the network used by the loopback interface to the routing protocol used as a network you want to route for.
The route to the loopback interface will always be via another network and never directly.
But at the same time also keep in mind that with some devices you cannot even do this, thinking CatOS switches if I'm not mistaken

OK this is getting on to CCNP routing protocols ( beyond me at the moment )

I am learning by doing -- I like working with the physical devices -- so my theoretical knowledge has to catch up.
Working this way some of the stuff I want to do is beyond CCNA so my knowledge is very patchy good in some places bad in others.

To clear some stuff up --

In the AS the loopback is there purely to telnet INTERNALLY to the attached devices ?

You must have at least ONE physical interface up to be able to access the Loopback

If you access the AS remotely (via WAN or LAN) you are telnetting / SSHing via one of the physical interfaces (serial or ethernet or ISDN etc. etc.)?
So in other words you cannot connect remotely directly to the Loopback Interface IP address ? ( but must first go through a physical interface ? )

Just to clear this up .........

This IP mask is a /32

ip address 1.1.1.1 255.255.255.255

All the mask bits blacked indicating only ONE IP ?????


Not sure what this one indicates

ip address 1.1.1.1 255.0.0.0


Where and why you would mask them this way -- seeing as the Loopback is normally going to use a private IP range ?
 
OK this is getting on to CCNP routing protocols ( beyond me at the moment )

Pretty sure they cover RIP, RIPv2, IGRP & EIGRP in CCNA (don't think they do OSPF, IS-IS & BGP) but I can't really remember.


In the AS the loopback is there purely to telnet INTERNALLY to the attached devices ?

No. That is one function but it can also perform other functions, you could also use it externally if you added a route to loopback interfaces.


You must have at least ONE physical interface up to be able to access the Loopback

From outside the device yes. If you connect to the device via the console port with your laptop you will be able to telnet to itself, yeah that sounds stupid but you can, not that you would want to.


If you access the AS remotely ( via WAN or LAN ) you are telnetting / SSH via one of the physical interfaces ( serial or ethernet or IDSN etc etc ) ?

Yes. There is no other way.


So in other words you cannot connect remotely directly to the Loopback Interface IP address ? ( but must first go through a physical interface ? )

Not per se. But you can Telnet/SSH 'directly' to it if you add that network as one you want routed to the routing protocol, but it still goes via the physical interface. The physical interface is a hop in the routing path to the loopback interface.


Just to clear this up .........

This IP mask is a /32

ip address 1.1.1.1 255.255.255.255

All the mask bits blacked indicating only ONE IP ?????


Not sure what this one indicates

ip address 1.1.1.1 255.0.0.0


Where and why you would mask them this way -- seeing as the Loopback is normally going to use a private IP range ?

Wrt 255.255.255.255 mask
Think about it. It's a single interface (virtual) connected to nothing. It does not have a directly connected neighbour so no need for 255.255.255.252 mask or any bigger mask as there are also no other hosts on that network. There is no broadcast, who you gonna broadcast to as there is nothing else anyway? Using anything other than /32 mask would be a waste of IP addresses.

Wrt 255.0.0.0 mask
This could be done to simulate a bigger "external" network. In all honesty I have never come across this before, http://docs.google.com/viewer?a=v&q...4SlXYa&sig=AHIEtbTS8h0lNb2y-IaSeYzeI2vKy2ygBQ


I've always used a /32 mask for loopback interfaces.
 
Still at it guys?

In all honesty I have never come across this before
Yeah, the only production scenario I know where it's useful to have a larger-mask loopback is if one wishes to attract traffic to a virtual segment (via routing proto adv) for the purposes of NAT.

For example a NAT-PE router hosting a virtual segment on which multiple external (overload) alias addresses reside, to provide breakout for multiple VRFs.

Otherwise as said, no need to use anything but all 255s.
 