Connecting to Manage–Cisco Managing Networks
Chapter 10 covered two kinds of common management ports: console ports and management Ethernet ports. You can use these ports to connect to a router in several ways—either using in-band or out-of-band management.
In-Band and Out-of-Band Management
In-band management means connecting to and managing network devices through the same interfaces used to forward user traffic. Out-of-band management means you connect through ports dedicated to managing the network. Figure 21-7 illustrates these two ways of managing a network.
Figure 21-7 In-Band and Out-of-Band Management
The operator is using host A to manage the network. User traffic flows between server B and host C. The management workstation can reach routers D and E in two ways:
• In-band through router D, and on to router E by way of router D. On this path the management traffic shares links, interfaces, and forwarding tables with user traffic.
• Out-of-band through router F. The out-of-band network attaches to separate Ethernet interfaces on routers D and E, either an ordinary Ethernet interface set aside for management or a dedicated management Ethernet port.
The primary advantage of building an out-of-band management network is it should continue working even if the network carrying user traffic fails. Using in-band management, on the other hand, does not require additional hardware and wiring.
Connecting Through a Terminal Emulator
You connect to a router or switch from a host—like an Apple Macintosh or Windows computer—or a mobile device through a terminal emulator. Terminals originally connected to computers through a serial interface, but over time they have been adapted to connect in other ways, including the console port, the teletype network (telnet) protocol, and Secure Shell (SSH).
The console port provides a serial connection to the router, switch, or other middlebox. You can connect to this port physically using a cable from your computer (or mobile device, in many cases) or remotely through a terminal server.
Most network devices, including Cisco routers and switches, provide virtual terminal lines, listed as vty lines in the configuration, for connecting to the device through any terminal emulator over the network.
A terminal server is a router with multiple serial interfaces. Each serial interface on the terminal server is cabled to the console port of a network device, so an operator who can reach the terminal server can reach every console behind it.
Telnet and SSH are both IP-based protocols. You need to have an Ethernet, Wi-Fi, or some other port configured on the router or switch to connect using one of these protocols.
Note
Chapter 15, “Application Transport,” describes SSH. Chapter 23, “Configuring a Network,” explains how to configure a Cisco router or switch for SSH access.
Device Management Security Practices
The following three basic rules will allow you to manage network devices remotely while maintaining your network’s security:
First, always use SSH to connect to network devices. Telnet carries usernames, passwords, and every command in cleartext, so it is not secure enough for day-to-day management of network devices. Use the physical console port (or, if you have no other choice, Telnet from a trusted segment) to configure SSH; then disable Telnet on every vty line.
Second, control physical access to the console port by placing the device in a secure room or location.
Third, never allow management connections of any kind from outside of your network. Figure 21-8 illustrates the correct way to access a router or switch from outside the network (through the Internet).
Figure 21-8 Controlling Network Device Access
In Figure 21-8, host A’s user would like to SSH into router B.
Router B’s filters should be configured to refuse management connections arriving on its Internet-facing interface. Blocking direct access to the router from the Internet prevents attackers from reaching this edge router’s management services at all, which also blunts any known exploit against those services.
Instead, host A must first connect to server C, a jump host inside the network, using Remote Desktop Protocol (RDP), SSH, or another method. From there, the user can connect to router B’s internal network interface using SSH.
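The following IOS configuration fragment is an added example, not taken from the book or from Cisco documentation; it applies the three rules above to router B in Figure 21-8 and, at the end, places a dedicated management port of the kind shown for routers D and E in Figure 21-7 into its own VRF. The hostname, domain name, interface names, addresses (203.0.113.1/30 on the Internet-facing interface, 10.0.0.0/24 as the internal management subnet with jump host C at 10.0.0.5, 192.0.2.10/24 on the out-of-band port), the vty line count, and the IOS-XE Mgmt-vrf name are all assumptions to be adjusted for your platform.

```cisco
! Added example: management-plane hardening for router B (Figure 21-8).
! Assumptions: Gi0/0/0 = Internet-facing, 203.0.113.1/30; internal
! management subnet 10.0.0.0/24 with jump host C at 10.0.0.5; vty lines
! 0-4 exist; IOS-XE platform whose management port is GigabitEthernet0
! in the built-in Mgmt-vrf. Replace the placeholder secret before use.
hostname B
ip domain-name example.net
!
! Rule 1: enable SSH version 2 with an RSA key and a local account.
! hostname and ip domain-name must be set before the key is generated.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username netops privilege 15 secret CHANGE-ME-to-a-strong-passphrase
!
! Rule 3 (vty): only the internal management subnet may open a session.
ip access-list standard MGMT-HOSTS
 remark Internal management subnet, including jump host C (10.0.0.5)
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Rule 1 (continued): transport input ssh refuses Telnet on these lines.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Rule 2 is physical (locked room), but still require login on the
! console and drop idle sessions.
line con 0
 login local
 exec-timeout 10 0
!
! Rule 3 (edge): on the Internet-facing interface, drop connections to
! the router's own management services before any transit policy.
ip access-list extended EDGE-IN
 remark No SSH, Telnet, or HTTP(S) to the router from the Internet
 deny   tcp any host 203.0.113.1 eq 22
 deny   tcp any host 203.0.113.1 eq 23
 deny   tcp any host 203.0.113.1 eq 80
 deny   tcp any host 203.0.113.1 eq 443
 remark Site-specific transit rules belong here (assumption: permissive)
 permit ip any any
!
interface GigabitEthernet0/0/0
 description Internet-facing interface of router B (Figure 21-8)
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IN in
!
! Management services that are not in use should not listen at all.
no ip http server
no ip http secure-server
!
! Out-of-band management port (Figure 21-7): its own VRF keeps
! management traffic off the user-traffic routing table entirely.
interface GigabitEthernet0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
 no shutdown
```

Two checks worth making after applying something like this. First, the EDGE-IN deny entries only name the one interface address; if the router also owns loopback or internal addresses that are routable from the Internet, list those as well (or enforce the policy for the whole box with control-plane policing under the control-plane configuration), otherwise an attacker can simply target a different address of the same router. Second, verify from host A that `ssh 203.0.113.1` now fails, and from jump host C that `ssh 10.0.0.1` (the assumed internal address) succeeds, since the access-class on the vty lines applies to sessions arriving on any interface, in-band or out-of-band.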