Saturday, January 21, 2017

IP ALIAS

To access a router we generally use its console, and in a safe local environment that is straightforward. But what do we do when we want to connect to the consoles of routers that are remotely located? (Yes, we can still use a terminal server and reach them using reverse telnet, but that is not very safe.) This is when we make use of IP ALIAS.

Let's have a quick look at what our setup will look like.

First, we need to insert an ‘HWIC-16A’ (Cisco 16-Port Asynchronous High-Speed WAN Interface Card) into a locally available ISR router (in my case a CISCO2921/K9, which is local to the remote setup we want to access). Once the HWIC-16A is up, you can verify it with ‘show ip interface brief’.

As seen here, Async0/1/0 - Async0/1/15 are the lines that have appeared because of the module.

ISR-2921#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/0         9.45.66.198     YES NVRAM  up                    up      
GigabitEthernet0/1         19.0.0.108      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/2/0       unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3/0       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/1       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/2       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/3       unassigned      YES unset  administratively down down    
GigabitEthernet1/0         unassigned      YES NVRAM  administratively down down    
GigabitEthernet1/1         unassigned      YES unset  up                    up      
Async0/1/0                 unassigned      YES unset  down                  down    
Async0/1/1                 unassigned      YES unset  down                  down    
Async0/1/2                 unassigned      YES unset  down                  down    
Async0/1/3                 unassigned      YES unset  down                  down    
Async0/1/4                 unassigned      YES unset  down                  down    
Async0/1/5                 unassigned      YES unset  down                  down    
Async0/1/6                 unassigned      YES unset  down                  down    
Async0/1/7                 unassigned      YES unset  down                  down    
Async0/1/8                 unassigned      YES unset  down                  down    
Async0/1/9                 unassigned      YES unset  down                  down    
Async0/1/10                unassigned      YES unset  down                  down    
Async0/1/11                unassigned      YES unset  down                  down    
Async0/1/12                unassigned      YES unset  down                  down    
Async0/1/13                unassigned      YES unset  down                  down    
Async0/1/14                unassigned      YES unset  down                  down    
Async0/1/15                unassigned      YES unset  down                  down    
Loopback0                  172.24.131.161  YES NVRAM  up                    up      
Loopback1                  unassigned      YES unset  up                    up      
Vlan1                      unassigned      YES unset  up                    up      
ISR-2921#

We can also check ‘show line’:

ISR-2921#show line     
*Jan 21 07:45:31.630: %SYS-5-CONFIG_I: Configured from console by cisco on console
ISR-2921#show line 
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/0   19 TTY   9600/9600  -    -      -    -    -     2      0    0/0      -
  0/1/1   20 TTY   9600/9600  -    -      -    -    -     3      0    0/0      -
  0/1/2   21 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/3   22 TTY   9600/9600  -    -      -    -    -     0      1    0/0      -
  0/1/4   23 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/5   24 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/6   25 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/7   26 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/8   27 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/9   28 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/10   29 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/11   30 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/12   31 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/13   32 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/14   33 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/15   34 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
     67   67 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
    388  388 VTY              -    -      -    -    -     2      0    0/0      -
    389  389 VTY              -    -      -    -    -     0      0    0/0      -
    390  390 VTY              -    -      -    -    -     0      0    0/0      -
    391  391 VTY              -    -      -    -    -     0      0    0/0      -
    392  392 VTY              -    -      -    -    -     0      0    0/0      -
    393  393 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support: 
3-18, 35-66, 68-387

ISR-2921#

Lines 0/1/0 - 0/1/15 (line numbers 19 - 34) are added by the module.

NOTE: Before inserting the HWIC-16A it’s best to power off the ISR router (that is what I do anyway)

Secondly, we need a ‘CAB-HD8-ASYNC’ connector, which has eight RJ45 cables; these are used to connect to the consoles of the remote routers around this ISR router.

With this, we can easily make connections to the remote routers using our usual ‘telnet <ISR router’s reachable IP address> <port>’, where the port is 2000 plus the line number (2019 for line 19 in the example below).

Example of making this kind of connection:

ISR-2921#show running-config interface GigabitEthernet 0/1
Building configuration...

Current configuration : 156 bytes
!
interface GigabitEthernet0/1
 description reachable IP address
 ip address 19.0.0.108 255.0.0.0
 duplex auto
 speed auto
end

ISR-2921#

ISR-2921#show running-config | section username
username user1 privilege 15 password 0 xxxxxxxx
ISR-2921#

On a remote Linux client:

[root@pool-100-1-1-100 ~]# telnet 19.0.0.108 2019
Trying 19.0.0.108...
Connected to 19.0.0.108 (19.0.0.108).
Escape character is '^]'.


User Access Verification

Username: user1
Password: 

SW-7606>

The above way of accessing the remote routers has two inherent problems:
01. Usage of telnet (security)
02. You will have to remember the line numbers

To use SSH instead of telnet, and to avoid having to remember the line numbers, we make use of IP ALIAS.

The configuration is fairly simple with the below steps:

1. Configure - ip ssh port <value> rotary <range>

2. Configure - ip alias <reachable IP address> <port value> ! this port value is linked to the port value used above

3. Configure - under the line (0/1/0 - 0/1/15) rotary <value> ! this value should be within the range mentioned in Step #1

Example of making IP ALIAS connection -

Step #1.

ISR-2921(config)#ip ssh port ?
  <2000-10000>  Starting Port number

ISR-2921(config)#
ISR-2921(config)#ip ssh port 3001 rotary ?
  <1-127>  Low (or only) Rotary group number

ISR-2921(config)#ip ssh port 3001 rotary 1 20
ISR-2921(config)#

Step #2.

ISR-2921(config)#ip alias 19.0.0.109 ?
  <1-65535>  IP port number

ISR-2921(config)#ip alias 19.0.0.109 3001
ISR-2921(config)#

It can also be observed that the 19.0.0.109 address we are using with ‘ip alias’ is ping-able and is listed in ‘show ip route’:

ISR-2921#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      9.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        9.45.0.0/16 is directly connected, GigabitEthernet0/0
L        9.45.66.198/32 is directly connected, GigabitEthernet0/0
      19.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        19.0.0.0/8 is directly connected, GigabitEthernet0/1
L        19.0.0.108/32 is directly connected, GigabitEthernet0/1
L        19.0.0.109/32 is directly connected, GigabitEthernet0/1
      172.24.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.24.131.160/27 is directly connected, Loopback0
L        172.24.131.161/32 is directly connected, Loopback0
L        172.24.131.162/32 is directly connected, Loopback0
      202.153.144.0/32 is subnetted, 1 subnets
S        202.153.144.25 [1/0] via 9.45.0.1
ISR-2921#

Step #3.

ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 1
ISR-2921(config-line)# 

After the rotary configuration, you can see it in the Roty column of ‘show line’:

ISR-2921#show line 
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/0   19 TTY   9600/9600  -    -      1    -    -     5      0    0/0      -
  0/1/1   20 TTY   9600/9600  -    -      -    -    -     3      0    0/0      -
  0/1/2   21 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/3   22 TTY   9600/9600  -    -      -    -    -     0      1    0/0      -
  0/1/4   23 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/5   24 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/6   25 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/7   26 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/8   27 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/9   28 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/10   29 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/11   30 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/12   31 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/13   32 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/14   33 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/15   34 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
     67   67 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
    388  388 VTY              -    -      -    -    -     2      0    0/0      -
    389  389 VTY              -    -      -    -    -     0      0    0/0      -
    390  390 VTY              -    -      -    -    -     0      0    0/0      -
    391  391 VTY              -    -      -    -    -     0      0    0/0      -
    392  392 VTY              -    -      -    -    -     0      0    0/0      -
    393  393 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support: 
3-18, 35-66, 68-387

ISR-2921#

On a remote Linux client:

[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
ssh: connect to host 19.0.0.109 port 22: Connection refused
[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
The authenticity of host '19.0.0.109 (19.0.0.109)' can't be established.
RSA key fingerprint is e9:12:7c:54:ad:68:a6:e6:d2:fe:c8:cf:59:10:3c:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '19.0.0.109' (RSA) to the list of known hosts.
Password: 

SW-7606>

A bit on the configuration now:

‘ip ssh port 3001 rotary 1 20’:
- here we have used port 3001 and rotary groups 1 to 20
‘ip alias 19.0.0.109 3001’:
- here we have used port 3001
‘rotary 1’ under line 0/1/0:
- this links our line 0/1/0 (number 19) with port 3001

Now, to show you the relation between the port and the rotary: if I change the rotary value from 1 to 20, the following configuration also needs to be changed:

ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 20
ISR-2921(config-line)#

ISR-2921(config)#ip alias 19.0.0.109 3020 ! 3001 changed to 3020
ISR-2921(config)#

[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
Password: 

SW-7606>
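
The port/rotary relation shown above can be checked mechanically. The following Python script is an added example, not part of the original post: it resolves every ‘ip alias’ entry to its rotary group and async line, and flags aliases that no longer lead anywhere after a rotary change. It assumes the first SSH port maps to the low rotary value and each following port to the next one (as 3001/rotary 1 and 3020/rotary 20 above show); the function name and the 19.0.0.110 and 19.0.0.111 aliases are constructed for illustration.

```python
import re

# Constructed sample config, modelled on the commands shown in this post.
# 19.0.0.110 and 19.0.0.111 are made-up aliases that exercise the failure cases.
SAMPLE_CONFIG = """\
ip ssh port 3001 rotary 1 20
ip alias 19.0.0.109 3020
ip alias 19.0.0.110 3002
ip alias 19.0.0.111 3025
line 0/1/0
 rotary 20
line 0/1/1
 rotary 3
"""

def resolve_aliases(config):
    """Return {alias_ip: (port, rotary, line, problem)}; problem is None if OK."""
    ssh = re.search(r"^ip ssh port (\d+) rotary (\d+)(?: (\d+))?", config, re.M)
    if not ssh:
        raise ValueError("no 'ip ssh port <port> rotary <low> [<high>]' found")
    base, low = int(ssh.group(1)), int(ssh.group(2))
    high = int(ssh.group(3) or low)

    # Collect rotary group -> line name from each 'line ...' block.
    rotary_to_line, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.split(None, 1)[1].strip()
        elif raw.startswith(" ") and current:
            m = re.fullmatch(r"rotary (\d+)", raw.strip())
            if m:
                rotary_to_line[int(m.group(1))] = current
        else:
            current = None

    results = {}
    for ip, port in re.findall(r"^ip alias (\S+) (\d+)", config, re.M):
        port = int(port)
        rotary = low + (port - base)   # first port maps to the low rotary
        if not low <= rotary <= high:
            results[ip] = (port, None, None, "port outside ip ssh rotary range")
        elif rotary not in rotary_to_line:
            results[ip] = (port, rotary, None, "no line carries this rotary")
        else:
            results[ip] = (port, rotary, rotary_to_line[rotary], None)
    return results

if __name__ == "__main__":
    for ip, row in resolve_aliases(SAMPLE_CONFIG).items():
        print(ip, row)
```

Run it against the relevant lines of a saved running-config after any rotary change; an alias with a non-empty problem field is one whose SSH sessions will not reach a console.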

With this I would like to conclude this small write-up on ‘ip alias’.

NOTE: For SSH to work on the router, you have to ensure you have configured the crypto key.