Cisco SSH Console Server

Did you know a Cisco router can be used as a console server? SSH connections can be mapped to serial lines that in turn can be connected to the console ports on your choice of other devices.

To get started, you need a supported network module or HWIC such as the NM-A16 or HWIC-8ASYNC respectively. Once you have the module installed in your router ensure it’s enabled by reviewing the unit’s inventory:

router#sh inventory
NAME: "CISCO2921/K9", DESCR: "CISCO2921/K9 chassis, Hw Serial#: 0000000000, Hw                                         Revision: 1.0"
PID: CISCO2921/K9      , VID: V01 , SN: 00000000000
NAME: "High Speed Wan Interface card with 8 RS232 async port(HWIC-8A) on Slot 0                                         SubSlot 3", DESCR: "High Speed Wan Interface card with 8 RS232 async port(HWIC-8                                        A)"
PID: HWIC-8A           , VID: V01 , SN: 0000000000

To further verify issues a “show line” to see the lines that you will be configuring.

router#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
      0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/0   51 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/1   52 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/2   53 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/3   54 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/4   55 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/5   56 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/6   57 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/3/7   58 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -

After verifying hardware is active it’s time to configure. Let’s start with some basics to get a user added, an AAA authentication method defined and SSH enabled.

aaa new-model
aaa authentication login VTY local
username admin privilege 15 secret cisco
ip ssh version

Additionally we need to define a rotary group as part of our SSH configuration. The first SSH port is mapped to rotary 1 and the listening ports increment up from there. Ports 2001, 2002 and 2003 will map to rotary 1,2, and 3 respectively.

ip ssh port 2001 rotary 1 8

Next, we attach rotary configuration to the hardware lines. Also, attach a login authentication, limit connections to SSH only and disable exec. The cool thing is we can use any form AAA authentication such as local, radius, or TACACS to authenticate our users. My example is using the method I defined earlier as “VTY” using only the local user database.

line 0/3/0
 login authentication VTY
 rotary 1
 no exec
 transport input ssh
line 0/3/1
 login authentication VTY
 rotary 2
 no exec
 transport input ssh
line 0/3/2
 login authentication VTY
 rotary 3
 no exec
 transport input ssh
line 0/3/3
 login authentication VTY
 rotary 4
 no exec
 transport input ssh

Finally, it’s time to test. When you connect to the lines simply SSH to the IP address of the router and tack on the port number that matches the physical port you want to manage.

If you want to show the listening port on the router use the “show control-plane host open-ports”. You can see the listening ports as well as the service it’s associated with.

router#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                      *:2004                         *:0               SSH-Server   LISTEN
 tcp                      *:2003                         *:0               SSH-Server   LISTEN
 tcp                      *:2002                         *:0               SSH-Server   LISTEN
 tcp                      *:2001                         *:0               SSH-Server   LISTEN

As you do your testing or have this system deployed it can be very helpful to identify lines that are in use by other users.  Again, we use the show line command but see the counters and indicators have increase from before.

router#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
      0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
* 0/0/0    3 TTY   9600/9600  -    -      1    -    -     9      1    0/0      -
* 0/0/1    4 TTY   9600/9600  -    -      2    -    -     2      3    0/0      -
  0/0/2    5 TTY   9600/9600  -    -      3    -    -     1      0    0/0      -
.....
*   388  388 VTY              -    -      -    -    -    10      0    0/0      -
    389  389 VTY              -    -      -    -    -    27      0    0/0      -
    390  390 VTY              -    -      -    -    -     4      0    0/0      -

Look for the “*” to identify lines in use.  As you can see here 0/0/0 and 0/0/1 are in use and assigned to rotary numbers.  You can also see the “*” next to line 388, a VTY line that an administrator is logged in on.  Finally, the “Uses” counters have incremented each time a connection was made.

To see the username of the individuals on the active lines use the “who” command.

router#who
     Line       User       Host(s)              Idle       Location
  tty 0/0/0    steve       incoming             00:00:03 192.168.1.47
*388 vty 0     admin       idle                 00:00:09 192.168.1.88

As you can see from this output the line, username and client IP address of that user is all listed in the output of this command.

The final concern is “how do I manually end connections?” This is easily done with the “clear line” command followed with the line number from the “who” or “show line” output.  Once you confirm the connection is ended and the user disconnected.

router#clear line 0/0/0
[confirm]
 [OK]

I hope you found this helpful!  Feel free to comment with thoughts and questions!

This entry was posted in Networking and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *