For years, I've wanted to put together a collection of lab hardware for public use, but had many technical obstacles to overcome. Many people starting out in networking have grown accustomed to deploying old Cisco 2511 routers as access servers for labs. While these might suffice for an individual, they're hardly a robust solution and simply unfit for a managed lab. For serious console access over IP, I needed something more.
It wasn't until I came across a line of console servers produced by Opengear that a free community lab became a real possibility. With Opengear's help, the community lab I had envisioned quickly became a reality. Many readers have asked for a more in-depth explanation of how access to the lab is managed, so here it is.
The Opengear CM4116
The heart of the lab is an Opengear CM4116.
This is a solid-state, ultra-low-power 1U box with 16 RS-232 serial ports (the CM4000 line also offers port densities of 1, 8, and 48). Each port can be connected to an out-of-band console interface of various hardware, such as the console or auxiliary ports on most Cisco hardware. The box itself is attached to an Ethernet LAN and provides connectivity to the serial ports through a variety of means, such as Telnet or SSH.
The box runs a custom-built lightweight Linux operating system, which is available without a software license and even customizable through Opengear's custom development kit (CDK). It can be managed both through console and an HTTPS interface as pictured below.
Serial Port Configuration
Anyone who has used HyperTerminal or a similar terminal emulator before will find console port configuration very familiar.
Beside typical settings like baud rate and flow control, each port can be configured independently to function in one of several modes:
- Console Server - Provides access to the serial port over IP via Telnet, SSH, raw TCP, and/or RFC 2217 bridging
- SDT - Secure tunneling through Opengear's SDT Connector software (Java-based)
- Terminal Server - Enables TTY login for a local terminal
- Serial Bridge - Connect two serial endpoints over IP using RFC 2217
In console server mode, ports can be independently configured for allowed protocol, logging level, syslog facility, and other parameters. Optionally, the entire serial stream of a port can be exported to a remote server via syslog.
Console access is achieved by connecting via Telnet or SSH on the TCP port for a given serial port. User authentication is provided either locally, by a centralized RADIUS, TACACS+, or LDAP server, or by a combination thereof.
$ telnet 192.168.20.2 2003
Trying 192.168.20.2...
Connected to 192.168.20.2.
Escape character is '^]'.
login: root
Password:
R3#
R3#
One especially handy feature is inline power management utilizing SNMP-controlled UPS or RPC devices. First, a UPS or RPC device is configured and its available outlets are automatically discovered.
Next, the administrator creates a managed device, which is essentially a mapping of serial port to UPS/RPC outlet.
When power control is enabled under the serial port configuration, a logged-in user can then manipulate the power outlet of the device he's consoled into directly from the console:
R3# ~p
Power Commands:
  O - Power ON
  P - Power OFF
  R - Power cycle off then on again
  s - Show current power status
  . - Exit power menu
  ? - Show this message
[R3] Power > R
Cycling power ...
Connection 1: Unknown
[R3] Power > .

System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2004 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 processor with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
...
This is a critical feature, allowing remote users to perform hard reboots for tasks like password recovery.
Console Pattern Matching and Alerts
Opengear provides a very elegant solution for what is, in my opinion, the most daunting concern for anyone running a multi-user lab: How do you grant a newbie full control over a device, yet protect the device from accidental software erasures and the like?
The CM4116 software allows for pattern matching against the input and output serial streams of each port. With just a rudimentary understanding of regular expressions, an administrator can define an alert to look for certain strings and perform a variety of actions.
For example, I have defined a number of alerts on the lab's CM4116 to protect against corruption or deletion of the IOS and ASA software images, or formatting of the Flash filesystems. These simple alerts have already saved me hours of having to xmodem a new software image onto corrupted devices.
Here is an example of such an alert in action:
R3# format flash:
Format operation may take a while. Continue? [confirm]^C
R3#
R3#
R3# ABUSIVE COMMAND DETECTED on port03
R3#
R3#Connection closed by foreign host.
$
When a specific output from the device is detected, the alert fires and executes a custom script. In this case, the script has injected a control character (ctrl-c) to cancel the command, printed an error message, and kicked off the user. Additionally, it has notified the administrator of the event by email. Note that this is simply what I've chosen to do; with a little knowledge of bash scripting, you can make an alert do just about anything.
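To make the alert mechanism concrete, here is an added example (my stand-in for the kind of script an alert can run, not Opengear's own code) that scans console output for commands that would wipe a lab device's software image or filesystem and assembles the response seen in the session above: a Ctrl-C to abort the pending command and the warning banner. The regular expressions, the IOS command forms they match, and the sample transcript are constructed for this illustration; dropping the session and mailing the administrator are left to the surrounding alert hook.

```shell
#!/bin/sh
# Added example, not Opengear's alert code: a stand-in for a script the
# CM4116's pattern matcher could run when it fires. It scans console output
# line by line for commands that would wipe a lab device's software image
# or filesystem and builds the response shown in the session above:
# Ctrl-C to abort, then a banner. Constructed for this article; the IOS
# command forms below are assumptions.

# One extended regex per line. Each is anchored on the exec prompt's '#'
# so config-mode lines like "boot system flash:..." do not trigger. The
# device echoes what the user types, so the match lands on the echoed
# command as Enter is pressed, before the "[confirm]" prompt is answered.
ABUSIVE_PATTERNS='#[[:space:]]*(format|erase)[[:space:]]+(flash|disk0)
#[[:space:]]*delete[[:space:]].*flash:[^[:space:]]*\.bin
#[[:space:]]*squeeze[[:space:]]+flash'

check_console_line() {
    # $1: one line of console output. Prints the matching pattern and
    # returns 0 if the line is abusive; prints nothing and returns 1 otherwise.
    line=$1
    oldifs=$IFS
    set -f                      # the patterns hold glob metacharacters
    IFS='
'
    set -- $ABUSIVE_PATTERNS    # one positional parameter per pattern
    IFS=$oldifs
    set +f
    for pat in "$@"; do
        if printf '%s\n' "$line" | grep -Eiq -- "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done
    return 1
}

scan_console_stream() {
    # Reads console output on stdin (e.g. the port's log) and stops at the
    # first abusive line, printing "<pattern>TAB<line>". Returns 1 if the
    # whole stream is clean.
    while IFS= read -r line; do
        if pat=$(check_console_line "$line"); then
            printf '%s\t%s\n' "$pat" "$line"
            return 0
        fi
    done
    return 1
}

abusive_response() {
    # $1: serial port name, e.g. port03. Prints the bytes to inject back
    # into the serial stream: Ctrl-C (0x03) to cancel the pending command,
    # then the banner the user saw above. The alert hook would follow this
    # by dropping the session and emailing the administrator.
    printf '\003\r\nABUSIVE COMMAND DETECTED on %s\r\n' "$1"
}

# Constructed console transcript: a harmless config change, then a format.
SAMPLE_SESSION='R3#show version
R3#conf t
R3(config)#boot system flash:c1841-advipservicesk9-mz.bin
R3(config)#end
R3#format flash:'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SESSION" | scan_console_stream
    abusive_response port03 | od -c
fi
```

Run it with `--demo` to see the format line picked out of the sample transcript and the injected bytes dumped. Matching on the echoed command rather than on the device's own "Continue? [confirm]" prompt is a deliberate choice: it fires before the user can confirm, which is why the Ctrl-C in the session above lands on the confirmation prompt.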
Management via Console
Hardcore engineers know never to rely solely on a graphical interface for systems management, and the folks at Opengear are well aware of this maxim. Unmitigated root access to the console server is available via Telnet or SSH. The config utility is provided for easy inspection and manipulation of configuration parameters.
# config -g config.ports.port5.speed
config.ports.port5.speed 9600
# config -s config.ports.port5.parity=None
# config -g config.ports.port5.parity
config.ports.port5.parity None
Coupled with remote command execution via SSH, config makes automated changes a snap.
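As an added example of that kind of automation (my own script, not part of Opengear's tooling), the following pushes one console profile to a range of serial ports with the `config -s key=value` form shown above and checks the result with `config -g key`. It uses only the two key names the session above shows (speed and parity) and the lab's example address; the `config -g` output it checks against is constructed to match the format above.

```shell
#!/bin/sh
# Added example, not Opengear's tooling: apply one console profile to a
# range of CM4116 serial ports using the `config -s key=value` form shown
# above, then verify with `config -g key`. Constructed for this article;
# only the key names the session above shows (speed, parity) are used.

CM_HOST=${CM_HOST:-192.168.20.2}   # the lab's example address

port_profile_cmds() {
    # $1 first port, $2 last port, $3 speed, $4 parity. Emits one
    # `config -s` per setting per port. Pipe the output to
    #   ssh root@$CM_HOST sh
    # to apply it in a single SSH session instead of one command at a time.
    first=$1; last=$2; speed=$3; parity=$4
    n=$first
    while [ "$n" -le "$last" ]; do
        printf 'config -s config.ports.port%d.speed=%s\n' "$n" "$speed"
        printf 'config -s config.ports.port%d.parity=%s\n' "$n" "$parity"
        n=$((n + 1))
    done
}

port_profile_query() {
    # Same range ($1 first, $2 last), but emits the `config -g` reads used
    # to verify the change afterwards.
    n=$1
    while [ "$n" -le "$2" ]; do
        printf 'config -g config.ports.port%d.speed\n' "$n"
        printf 'config -g config.ports.port%d.parity\n' "$n"
        n=$((n + 1))
    done
}

check_profile() {
    # Reads `config -g` output ("<key> <value>" per line) on stdin and
    # prints every key whose value differs from the expected profile
    # ($1 speed, $2 parity). Silent when every port matches.
    speed=$1; parity=$2
    while read -r key value; do
        case $key in
            *.speed)  [ "$value" = "$speed" ]  || printf '%s %s\n' "$key" "$value" ;;
            *.parity) [ "$value" = "$parity" ] || printf '%s %s\n' "$key" "$value" ;;
        esac
    done
}

# Constructed `config -g` output in the format shown above: ports 2 and 3
# deviate from a 9600/None profile.
SAMPLE_CONFIG_DUMP='config.ports.port1.speed 9600
config.ports.port1.parity None
config.ports.port2.speed 115200
config.ports.port2.parity None
config.ports.port3.speed 9600
config.ports.port3.parity Even'

if [ "${1:-}" = "--demo" ]; then
    # Live use against the console server (commented out so this runs offline):
    #   port_profile_cmds 1 16 9600 None | ssh "root@$CM_HOST" sh
    #   port_profile_query 1 16 | ssh "root@$CM_HOST" sh | check_profile 9600 None
    printf '%s\n' "$SAMPLE_CONFIG_DUMP" | check_profile 9600 None
fi
```

Generating the command list locally and piping it to a single `ssh root@host sh` keeps the whole change in one authenticated session and leaves a reviewable record of exactly what was sent. Whether a value written with `config -s` takes effect on a port immediately or only after the serial configurator is re-run depends on the firmware, so check the `config` utility's help on your unit before trusting the verification pass alone.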
I have been thoroughly pleased with the capabilities of this console server. I have no doubt that without it, I would still be searching for a lab access solution. Opengear's CM4000 series is an ideal solution for both critical out-of-band console access and robust lab management.