Did you know a Cisco router can be used as a console server? SSH connections can be mapped to serial lines that in turn can be connected to the console ports on your choice of other devices.
To get started, you need a supported network module or HWIC, such as the NM-A16 or HWIC-8ASYNC respectively. Once the module is installed in your router, confirm that it has been recognized by reviewing the unit’s inventory:
```
router#sh inventory
NAME: "CISCO2921/K9", DESCR: "CISCO2921/K9 chassis, Hw Serial#: 0000000000, Hw Revision: 1.0"
PID: CISCO2921/K9      , VID: V01 , SN: 00000000000

NAME: "High Speed Wan Interface card with 8 RS232 async port(HWIC-8A) on Slot 0 SubSlot 3", DESCR: "High Speed Wan Interface card with 8 RS232 async port(HWIC-8A)"
PID: HWIC-8A           , VID: V01 , SN: 0000000000
```
To verify further, issue a “show line” to see the lines that you will be configuring.
```
router#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -    -      -    -    -     0      0    0/0      -
     1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
     2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/0   51 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/1   52 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/2   53 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/3   54 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/4   55 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/5   56 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/6   57 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/3/7   58 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
```
After verifying that the hardware is active, it’s time to configure. Let’s start with some basics: add a user, define an AAA authentication method, and enable SSH.
```
aaa new-model
aaa authentication login VTY local
username admin privilege 15 secret cisco
ip ssh version
```
Additionally, we need to map a range of SSH listening ports to rotary groups as part of our SSH configuration. The first SSH port is mapped to rotary 1 and the listening ports increment from there: ports 2001, 2002 and 2003 map to rotary 1, 2 and 3 respectively.
```
ip ssh port 2001 rotary 1 8
```
Next, we attach the rotary configuration to the hardware lines. We also attach a login authentication method, limit connections to SSH only and disable exec. The cool thing is that we can use any form of AAA authentication, such as local, RADIUS or TACACS, to authenticate our users. My example uses the method I defined earlier as “VTY”, which uses only the local user database.
```
line 0/3/0
 login authentication VTY
 rotary 1
 no exec
 transport input ssh
line 0/3/1
 login authentication VTY
 rotary 2
 no exec
 transport input ssh
line 0/3/2
 login authentication VTY
 rotary 3
 no exec
 transport input ssh
line 0/3/3
 login authentication VTY
 rotary 4
 no exec
 transport input ssh
```
Finally, it’s time to test. To connect to a line, simply SSH to the IP address of the router and tack on the port number that matches the physical port you want to manage.
If you want to see the ports the router is listening on, use “show control-plane host open-ports”. The output shows each listening port along with the service it is associated with.
```
router#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address        Service    State
 tcp                 *:22                 *:0      SSH-Server   LISTEN
 tcp               *:2004                 *:0      SSH-Server   LISTEN
 tcp               *:2003                 *:0      SSH-Server   LISTEN
 tcp               *:2002                 *:0      SSH-Server   LISTEN
 tcp               *:2001                 *:0      SSH-Server   LISTEN
```
As you do your testing, or once this system is deployed, it can be very helpful to identify lines that are in use by other users. Again we use the “show line” command, but notice that the counters and indicators have increased from before.
```
router#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -    -      -    -    -     0      0    0/0      -
     1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
     2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
* 0/0/0    3 TTY   9600/9600  -    -      1    -    -     9      1    0/0      -
* 0/0/1    4 TTY   9600/9600  -    -      2    -    -     2      3    0/0      -
  0/0/2    5 TTY   9600/9600  -    -      3    -    -     1      0    0/0      -
.....
*  388  388 VTY              -    -      -    -    -    10      0    0/0      -
   389  389 VTY              -    -      -    -    -    27      0    0/0      -
   390  390 VTY              -    -      -    -    -     4      0    0/0      -
```
Look for the “*” to identify lines in use. As you can see here, 0/0/0 and 0/0/1 are in use and assigned to rotary numbers. You can also see the “*” next to line 388, a VTY line that an administrator is logged in on. Finally, the “Uses” counters have incremented each time a connection was made.
To see the usernames of the individuals on the active lines, use the “who” command.
```
router#who
    Line       User       Host(s)              Idle       Location
   tty 0/0/0   steve      incoming             00:00:03   192.168.1.47
*388 vty 0     admin      idle                 00:00:09   192.168.1.88
```
As you can see from this output, the line, the username and the client IP address of each user are all listed.
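As an added example (not from the original post), the following Python joins the “show line” and “who” outputs described above into a quick audit of who is on which console port, and through which SSH port they arrived. The sample outputs are constructed, and the port mapping assumes the `ip ssh port 2001 rotary 1 8` configuration from earlier (rotary N listens on 2000+N).

```python
# Constructed sample output, modelled on the post's "show line" and "who" listings.
SHOW_LINE = """\
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -    -      -    -    -     0      0    0/0      -
* 0/0/0    3 TTY   9600/9600  -    -      1    -    -     9      1    0/0      -
* 0/0/1    4 TTY   9600/9600  -    -      2    -    -     2      3    0/0      -
  0/0/2    5 TTY   9600/9600  -    -      3    -    -     1      0    0/0      -
.....
*  388  388 VTY              -    -      -    -    -    10      0    0/0      -
"""
WHO = """\
    Line       User       Host(s)              Idle       Location
   tty 0/0/0   steve      incoming             00:00:03   192.168.1.47
*388 vty 0     admin      idle                 00:00:09   192.168.1.88
"""

def parse_show_line(text):
    """Return {tty: (typ, rotary, in_use, uses)}; a leading '*' marks a busy line."""
    lines = {}
    for raw in text.splitlines():
        in_use = raw.lstrip().startswith("*")
        tok = raw.replace("*", " ").split()
        if len(tok) < 12 or not tok[1].isdigit():
            continue                     # header row or '.....' separator
        # CTY/VTY rows have an empty Tx/Rx column, so the remaining fields shift left
        rest = tok[4:] if "/" in tok[3] else tok[3:]   # A Modem Roty AccO AccI Uses ...
        rotary = int(rest[2]) if rest[2].isdigit() else None
        lines[tok[0]] = (tok[2], rotary, in_use, int(rest[5]))
    return lines

def parse_who(text):
    """Return {'tty 0/0/0': (user, source_ip), 'vty 0': ...} from 'who' output."""
    sessions = {}
    for raw in text.splitlines():
        tok = raw.replace("*", " ").split()
        i = next((k for k, t in enumerate(tok) if t in ("tty", "vty")), None)
        if i is None or len(tok) < i + 6:
            continue                     # header row
        sessions[f"{tok[i]} {tok[i + 1]}"] = (tok[i + 2], tok[i + 5])
    return sessions

def console_sessions(show_line=SHOW_LINE, who=WHO, base_port=2001):
    """Busy async lines with their rotary, SSH port (base_port = rotary 1) and 'who' user."""
    users = parse_who(who)
    report = []
    for tty, (typ, rotary, in_use, _uses) in parse_show_line(show_line).items():
        if typ == "TTY" and in_use:
            port = base_port + rotary - 1 if rotary else None
            user, src = users.get(f"tty {tty}", (None, None))  # None: no 'who' entry
            report.append((tty, rotary, port, user, src))
    return report
```

A busy line with no matching “who” entry (0/0/1 in the sample) is exactly the case worth a second look, since the port is occupied but no authenticated user is shown for it.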
The final concern is “how do I manually end connections?” This is easily done with the “clear line” command followed by the line number from the “who” or “show line” output. Once you confirm, the connection is ended and the user is disconnected.
```
router#clear line 0/0/0
[confirm]
 [OK]
```
I hope you found this helpful! Feel free to comment with thoughts and questions!