To access a router we generally use its console, and we generally do so from a safe environment. But what do we do when we want to connect to the consoles of routers that are remotely located? (Yes, we can still use a terminal server and reach them using reverse telnet, but it’s not very safe.) This is when we make use of IP ALIAS.
Let's have a quick look at what our setup will look like.
Firstly, we need to insert an ‘HWIC-16A’ (Cisco 16-Port Asynchronous High-Speed WAN Interface Card) into a locally available ISR router (in my case a CISCO2921/K9 which is local to the remote setup which we want to access). Once the HWIC-16A is up, you can check it using ‘show ip interface brief’.
As seen below, Async0/1/0 - Async0/1/15 are the lines which have appeared due to the module.
ISR-2921#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 9.45.66.198 YES NVRAM up up
GigabitEthernet0/1 19.0.0.108 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/2/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/3/0 unassigned YES unset administratively down down
GigabitEthernet0/3/1 unassigned YES unset administratively down down
GigabitEthernet0/3/2 unassigned YES unset administratively down down
GigabitEthernet0/3/3 unassigned YES unset administratively down down
GigabitEthernet1/0 unassigned YES NVRAM administratively down down
GigabitEthernet1/1 unassigned YES unset up up
Async0/1/0 unassigned YES unset down down
Async0/1/1 unassigned YES unset down down
Async0/1/2 unassigned YES unset down down
Async0/1/3 unassigned YES unset down down
Async0/1/4 unassigned YES unset down down
Async0/1/5 unassigned YES unset down down
Async0/1/6 unassigned YES unset down down
Async0/1/7 unassigned YES unset down down
Async0/1/8 unassigned YES unset down down
Async0/1/9 unassigned YES unset down down
Async0/1/10 unassigned YES unset down down
Async0/1/11 unassigned YES unset down down
Async0/1/12 unassigned YES unset down down
Async0/1/13 unassigned YES unset down down
Async0/1/14 unassigned YES unset down down
Async0/1/15 unassigned YES unset down down
Loopback0 172.24.131.161 YES NVRAM up up
Loopback1 unassigned YES unset up up
Vlan1 unassigned YES unset up up
ISR-2921#
We can also check with ‘show line’:
ISR-2921#show line
*Jan 21 07:45:31.630: %SYS-5-CONFIG_I: Configured from console by cisco on console
ISR-2921#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 0 0 0/0 -
1 1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 2 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/0 19 TTY 9600/9600 - - - - - 2 0 0/0 -
0/1/1 20 TTY 9600/9600 - - - - - 3 0 0/0 -
0/1/2 21 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/3 22 TTY 9600/9600 - - - - - 0 1 0/0 -
0/1/4 23 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/5 24 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/6 25 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/7 26 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/8 27 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/9 28 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/10 29 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/11 30 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/12 31 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/13 32 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/14 33 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/15 34 TTY 9600/9600 - - - - - 0 0 0/0 -
67 67 TTY 9600/9600 - - - - - 0 0 0/0 -
388 388 VTY - - - - - 2 0 0/0 -
389 389 VTY - - - - - 0 0 0/0 -
390 390 VTY - - - - - 0 0 0/0 -
391 391 VTY - - - - - 0 0 0/0 -
392 392 VTY - - - - - 0 0 0/0 -
393 393 VTY - - - - - 0 0 0/0 -
Line(s) not in async mode -or- with no hardware support:
3-18, 35-66, 68-387
ISR-2921#
Lines 0/1/0 - 0/1/15 (line numbers 19 - 34) are added by the module.
NOTE: Before inserting the HWIC-16A it’s best to power off the ISR router (that is what I do anyway).
Secondly, we need a ‘CAB-HD8-ASYNC’ connector, which has eight RJ45 cables. These are used to connect to the consoles of the remote routers around this ISR router.
With this, we can easily make connections to the remote routers using our usual ‘telnet <ISR router’s reachable IP address> <Line number>’.
Example of making this kind of a connection -
ISR-2921#show running-config interface GigabitEthernet 0/1
Building configuration...
Current configuration : 156 bytes
!
interface GigabitEthernet0/1
description reachable IP address
ip address 19.0.0.108 255.0.0.0
duplex auto
speed auto
end
ISR-2921#
ISR-2921#show running-config | section username
username user1 privilege 15 password 0 xxxxxxxx
ISR-2921#
On a remote Linux client:
[root@pool-100-1-1-100 ~]# telnet 19.0.0.108 2019
Trying 19.0.0.108...
Connected to 19.0.0.108 (19.0.0.108).
Escape character is '^]'.
User Access Verification
Username: user1
Password:
SW-7606>
The above way of accessing the remote routers has two inherent problems:
01. Usage of telnet (security)
02. You will have to remember the line numbers
To use SSH instead of telnet, and to avoid having to remember the line numbers, we make use of IP ALIAS.
The configuration is fairly simple with the below steps:
1. Configure - ip ssh port <value> rotary <range>
2. Configure - ip alias <reachable IP address> <port value> ! this port value is linked to the port value used above
3. Configure - under the line (0/1/0 - 0/1/15) rotary <value> ! this value should be within the range mentioned in Step #1
Example of making IP ALIAS connection -
Step #1.
ISR-2921(config)#ip ssh port ?
<2000-10000> Starting Port number
ISR-2921(config)#
ISR-2921(config)#ip ssh port 3001 rotary ?
<1-127> Low (or only) Rotary group number
ISR-2921(config)#ip ssh port 3001 rotary 1 20
ISR-2921(config)#
Step #2.
ISR-2921(config)#ip alias 19.0.0.109 ?
<1-65535> IP port number
ISR-2921(config)#ip alias 19.0.0.109 3001
ISR-2921(config)#
What can also be observed is that the 19.0.0.109 address we are using with ‘ip alias’ is ping-able and the same is listed in the show ip route:
ISR-2921#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
9.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 9.45.0.0/16 is directly connected, GigabitEthernet0/0
L 9.45.66.198/32 is directly connected, GigabitEthernet0/0
19.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 19.0.0.0/8 is directly connected, GigabitEthernet0/1
L 19.0.0.108/32 is directly connected, GigabitEthernet0/1
L 19.0.0.109/32 is directly connected, GigabitEthernet0/1
172.24.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.24.131.160/27 is directly connected, Loopback0
L 172.24.131.161/32 is directly connected, Loopback0
L 172.24.131.162/32 is directly connected, Loopback0
202.153.144.0/32 is subnetted, 1 subnets
S 202.153.144.25 [1/0] via 9.45.0.1
ISR-2921#
Step #3.
ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 1
ISR-2921(config-line)#
After the rotary configuration, you can see it in ‘show line’ (the Roty column for line 0/1/0):
ISR-2921#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 0 0 0/0 -
1 1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 2 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/0 19 TTY 9600/9600 - - 1 - - 5 0 0/0 -
0/1/1 20 TTY 9600/9600 - - - - - 3 0 0/0 -
0/1/2 21 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/3 22 TTY 9600/9600 - - - - - 0 1 0/0 -
0/1/4 23 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/5 24 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/6 25 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/7 26 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/8 27 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/9 28 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/10 29 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/11 30 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/12 31 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/13 32 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/14 33 TTY 9600/9600 - - - - - 0 0 0/0 -
0/1/15 34 TTY 9600/9600 - - - - - 0 0 0/0 -
67 67 TTY 9600/9600 - - - - - 0 0 0/0 -
388 388 VTY - - - - - 2 0 0/0 -
389 389 VTY - - - - - 0 0 0/0 -
390 390 VTY - - - - - 0 0 0/0 -
391 391 VTY - - - - - 0 0 0/0 -
392 392 VTY - - - - - 0 0 0/0 -
393 393 VTY - - - - - 0 0 0/0 -
Line(s) not in async mode -or- with no hardware support:
3-18, 35-66, 68-387
ISR-2921#
On a remote Linux client:
[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
ssh: connect to host 19.0.0.109 port 22: Connection refused
[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
The authenticity of host '19.0.0.109 (19.0.0.109)' can't be established.
RSA key fingerprint is e9:12:7c:54:ad:68:a6:e6:d2:fe:c8:cf:59:10:3c:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '19.0.0.109' (RSA) to the list of known hosts.
Password:
SW-7606>
A bit on the configuration now:
‘ip ssh port 3001 rotary 1 20’:
- here we have used port 3001 and rotary from 1 to 20
‘ip alias 19.0.0.109 3001’:
- here we have used port 3001
‘under line 0/1/0, we use rotary 1’:
- this links our line 0/1/0 (number 19) with port 3001
Now, to show you the relation between the port and the rotary, if I happen to change the rotary value from 1 to 20, the following configurations would also need to be changed:
ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 20
ISR-2921(config-line)#
ISR-2921(config)#ip alias 19.0.0.109 3020 ! 3001 changed to 3020
ISR-2921(config)#
[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
Password:
SW-7606>
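The port-to-rotary relation described above, as an added example that is not part of the original post: a Python check that reads the three pieces of configuration and reports which async line each alias address reaches, including the stale-alias case that arises when a line's rotary is changed without updating ‘ip alias’. The sample configuration is constructed; the addresses 19.0.0.110 and 19.0.0.111 and the function names are assumptions.

```python
import re

# Constructed sample in running-config layout, modelled on the commands in this post.
SAMPLE_CONFIG = """\
ip ssh port 3001 rotary 1 20
ip alias 19.0.0.109 3001
ip alias 19.0.0.110 3003
ip alias 19.0.0.111 3025
line 0/1/0
 rotary 1
line 0/1/2
 rotary 20
"""

def parse(config):
    """Return (port->rotary map, alias->port map, line->rotary map)."""
    ssh_map, aliases, line_rotary, current = {}, {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw[:1].isspace():
            current = None  # a top-level command closes any open line block
        if m := re.fullmatch(r"ip ssh port (\d+) rotary (\d+)(?: (\d+))?", text):
            start, low = int(m[1]), int(m[2])
            high = int(m[3]) if m[3] else low
            # The low rotary answers on the start port; each next rotary on the next port.
            ssh_map = {start + (r - low): r for r in range(low, high + 1)}
        elif m := re.fullmatch(r"ip alias (\S+) (\d+)", text):
            aliases[m[1]] = int(m[2])
        elif m := re.fullmatch(r"line (\S+)", text):
            current = m[1]
        elif (m := re.fullmatch(r"rotary (\d+)", text)) and current:
            line_rotary[current] = int(m[1])
    return ssh_map, aliases, line_rotary

def audit(config):
    """Say which console line each alias IP reaches, or why it reaches none."""
    ssh_map, aliases, line_rotary = parse(config)
    report = {}
    for ip, port in aliases.items():
        rotary = ssh_map.get(port)
        lines = [name for name, r in line_rotary.items() if r == rotary]
        if rotary is None:
            report[ip] = f"port {port} is outside the ip ssh port range"
        elif not lines:
            report[ip] = f"port {port} -> rotary {rotary}, but no line uses it"
        else:
            report[ip] = f"port {port} -> rotary {rotary} -> line {lines[0]}"
    return report

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_CONFIG).items():
        print(ip, verdict)
```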
With this I would like to conclude this small write-up on ‘ip alias’.
NOTE: For SSH to work on the router you have to ensure you have configured the crypto key.