Console Port, Telnet, and SSH Handling
This chapter covers the following topics:
- Console Port Overview for the Cisco ASR 1000 Series Routers
- Console Port Handling Overview
- Telnet and SSH Overview for the Cisco ASR 1000 Series Routers
- Persistent Telnet and Persistent SSH Overview
- Configuring a Console Port Transport Map
- Configuring Persistent Telnet
- Configuring Persistent SSH
- Viewing Console Port, SSH, and Telnet Handling Configurations
- Important Notes and Restrictions
Console Port Overview for the Cisco ASR 1000 Series Routers
The console port on the Cisco ASR 1000 Series Router is an EIA/TIA-232 asynchronous, serial connection with no flow control and an RJ-45 connector. The console port is used to access the router and is located on the front panel of the Route Processor (RP).
For information on accessing the router using the console port, see the “Accessing the CLI Using a Directly-Connected Console” section.
Console Port Handling Overview
Users using the console port to access the router are automatically directed to the IOS command-line interface, by default.
If a user accessing the router through the console port sends a break signal (by entering Ctrl-C or Ctrl-Shift-6, or by entering the send break command at the Telnet prompt) before connecting to the IOS command-line interface, the user is directed into diagnostic mode by default, provided that the non-RPIOS sub-packages can be accessed.
These settings can be changed by configuring a transport map for the console port and applying that transport map to the console interface.
Telnet and SSH Overview for the Cisco ASR 1000 Series Routers
Telnet and Secure Shell (SSH) on the Cisco ASR 1000 Series Routers can be configured and handled like Telnet and SSH on other Cisco platforms. For information on traditional Telnet, see the line command in the Cisco IOS Terminal Services Command Reference guide located at: http://www.cisco.com/en/US/docs/ios/12_2/termserv/command/reference/trflosho.html#wp1029818.
For information on configuring traditional SSH, see the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide located at: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh.html.
The Cisco ASR 1000 Series Routers also introduce persistent Telnet and persistent SSH. Persistent Telnet and persistent SSH allow network administrators to define more precisely how incoming traffic is treated when users access the router through the Management Ethernet port using Telnet or SSH. Notably, persistent Telnet and persistent SSH provide more robust network access by allowing the router to be configured to remain accessible through the Management Ethernet port using Telnet or SSH even when the IOS process has failed.
Persistent Telnet and Persistent SSH Overview
In traditional Cisco routers, accessing the router using Telnet or SSH is not possible in the event of an IOS failure. When Cisco IOS fails on a traditional Cisco router, the only method of accessing the router is through the console port. Similarly, if all active IOS processes have failed on a Cisco ASR 1000 Series Router that is not using persistent Telnet or persistent SSH, the only method of accessing the router is through the console port.
With persistent Telnet and persistent SSH, however, users can configure a transport map that defines the treatment of incoming Telnet or SSH traffic on the Management Ethernet interface. Among the many configuration options, a transport map can be configured to direct all traffic to the IOS command-line interface, diagnostic mode, or to wait for an IOS vty line to become available and then direct users into diagnostic mode when the user sends a break signal while waiting for the IOS vty line to become available. If a user uses Telnet or SSH to access diagnostic mode, that Telnet or SSH connection will be usable even in scenarios when no IOS process is active. Therefore, persistent Telnet and persistent SSH introduce the ability to access the router via diagnostic mode when the IOS process is not active. For information on diagnostic mode, see the “Understanding the Diagnostic Mode” section.
See the “Configuring Persistent Telnet” section and the “Configuring Persistent SSH” section for information on the various other options that are configurable using persistent Telnet or persistent SSH transport maps.
Configuring a Console Port Transport Map
This task describes how to configure a transport map for a console port interface on the Cisco ASR 1000 Series Router.
SUMMARY STEPS
2. (Required) configure terminal
3. (Required) transport-map type console transport-map-name
4. (Required) connection wait [ allow interruptible | none { disconnect }]
5. (Optional) banner [ diagnostic | wait ] banner-message
7. (Required) transport type console console-line-number input transport-map-name
DETAILED STEPS
Examples
In the following example, a transport map to set console port access policies is created and attached to console port 0:
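The following session is an added illustration of the console port procedure above and is not the page's own example. The transport map name consolehandler and both banner strings are assumed values; the commands themselves are the ones listed in the summary steps. The map makes a console user wait for the IOS CLI but lets a break signal interrupt the wait and drop into diagnostic mode, which is why the banners are configured: they tell the operator which mode the session has actually landed in.

```text
! Added example (not from the original page): console port transport map.
! Assumed values: map name "consolehandler" and the two banner texts.
Router# configure terminal
Router(config)# transport-map type console consolehandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Console: entering Diagnostic Mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
--Console: waiting for IOS CLI--
X
Router(config-tmap)# exit
! Apply the map to console line 0; this is the step that changes behaviour.
Router(config)# transport type console 0 input consolehandler
Router(config)# end
! Confirm what was applied before leaving the session.
Router# show transport-map type console
```

Because the transport map only takes effect at the transport type console 0 input command, it is worth building and reviewing the map first and applying it last, so that a half-built policy is never active on the line.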
Configuring Persistent Telnet
This task describes how to configure persistent Telnet on the Cisco ASR 1000 Series Routers.
Prerequisites
For a persistent Telnet connection to access an IOS vty line on the Cisco ASR 1000 Series Router, local login authentication must be configured for the vty line (the login command in line configuration mode). If local login authentication is not configured, users will not be able to access IOS using a Telnet connection into the Management Ethernet interface with an applied transport map. Diagnostic mode will still be accessible in this scenario.
SUMMARY STEPS
2. (Required) configure terminal
3. (Required) transport-map type persistent telnet transport-map-name
4. (Required) connection wait [ allow { interruptible } | none { disconnect }]
5. (Optional) banner [ diagnostic | wait ] banner-message
6. (Required) transport interface GigabitEthernet 0
8. (Required) transport type persistent telnet input transport-map-name
DETAILED STEPS
Examples
In the following example, a transport map that will make all Telnet connections wait for an IOS vty line to become available before connecting to the router, while also allowing the user to interrupt the process and enter diagnostic mode, is configured and applied to the Management Ethernet interface (interface gigabitethernet 0).
A diagnostic and a wait banner are also configured.
The transport map is then applied to the interface when the transport type persistent telnet input command is entered to enable persistent Telnet.
connection wait allow interruptible
Configuring Persistent SSH
This task describes how to configure persistent SSH on the Cisco ASR 1000 Series Routers.
SUMMARY STEPS
2. (Required) configure terminal
3. (Required) transport-map type persistent ssh transport-map-name
4. (Required) connection wait [ allow { interruptible } | none { disconnect }]
5. (Required) rsa keypair-name rsa-keypair-name
6. (Optional) authentication-retries number-of-retries
7. (Optional) banner [ diagnostic | wait ] banner-message
8. (Optional) time-out timeout-interval-in-seconds
9. (Required) transport interface GigabitEthernet 0
11. (Required) transport type persistent ssh input transport-map-name
DETAILED STEPS
Examples
In the following example, a transport map that will make all SSH connections wait for the vty line to become active before connecting to the router is configured and applied to the Management Ethernet interface (interface gigabitethernet 0). The RSA keypair is named sshkeys.
This example only uses the commands required to configure persistent SSH.
In the following example, a transport map is configured that will apply the following settings to any users attempting to access the Management Ethernet port via SSH:
- Users using SSH will wait for the vty line to become active, but will enter diagnostic mode if the attempt to access IOS through the vty line is interrupted.
- The RSA keypair name is sshkeys.
- The connection allows one authentication retry.
- The banner “--Welcome to Diagnostic Mode--” will appear if diagnostic mode is entered as a result of SSH handling through this transport map.
- The banner “--Waiting for vty line--” will appear if the connection is waiting for the vty line to become active.
The transport map is then applied to the interface when the transport type persistent ssh input command is entered to enable persistent SSH:
Router(config-tmap)# authentication-retries 1
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to Diagnostic Mode--
X
Router(config-tmap)# time-out 30
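The following session is an added example, not the page's own configuration, and serves both the persistent Telnet procedure and the persistent SSH procedure above. It assumes the map names telnethandler and sshhandler, a local user created beforehand (shown with a placeholder secret), and that the RSA keypair sshkeys already exists on the router; everything else uses only the commands listed in the two summary steps and the Prerequisites section. The SSH map reproduces the settings described in the bulleted list above (interruptible wait, one authentication retry, both banners, a 30-second time-out).

```text
! Added example (not from the original page): persistent Telnet and
! persistent SSH transport maps on the Management Ethernet interface.
! Assumed: map names "telnethandler" / "sshhandler", the local user
! "netops" with a placeholder secret, and an existing RSA keypair "sshkeys".
Router# configure terminal
! Prerequisite from the text: vty lines must use local login, and only
! local usernames/passwords are honoured behind a persistent transport map.
Router(config)# username netops privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit
!
! Persistent Telnet map: wait for a vty, break drops into diagnostic mode.
Router(config)# transport-map type persistent telnet telnethandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to Diagnostic Mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
--Waiting for vty line--
X
Router(config-tmap)# transport interface GigabitEthernet 0
Router(config-tmap)# exit
Router(config)# transport type persistent telnet input telnethandler
!
! Persistent SSH map: same wait policy plus the SSH-specific settings.
Router(config)# transport-map type persistent ssh sshhandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# rsa keypair-name sshkeys
Router(config-tmap)# authentication-retries 1
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to Diagnostic Mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
--Waiting for vty line--
X
Router(config-tmap)# time-out 30
Router(config-tmap)# transport interface GigabitEthernet 0
Router(config-tmap)# exit
Router(config)# transport type persistent ssh input sshhandler
Router(config)# end
!
! Verify from IOS, and from diagnostic mode where show transport-map is
! unavailable but the access-policy command still works.
Router# show transport-map all
Router# show platform software configuration access policy
```

Two practical points follow from the restrictions listed later in this chapter: applying either transport type persistent command can drop Telnet or SSH sessions that are already open on the Management Ethernet interface, so schedule it outside a change-sensitive window, and because AAA is bypassed for these connections, the local account used here is the only credential that will be checked, which makes its secret and privilege level worth reviewing as carefully as any AAA policy.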
Viewing Console Port, SSH, and Telnet Handling Configurations
Use the show transport-map [ all | name transport-map-name | type [ console | persistent [ ssh | telnet ]]] EXEC or privileged EXEC command to view the transport map configurations.
In the following example, a console port transport map, a persistent SSH transport map, and a persistent Telnet transport map are configured on the router, and several forms of the show transport-map command are entered to illustrate the different ways of gathering transport map configuration information.
The show platform software configuration access policy command can be used to view the current configurations for the handling of incoming console port, SSH, and Telnet connections. The output of this command provides the current wait policy for each type of connection, as well as any information on the currently configured banners. Unlike show transport-map, this command is available in diagnostic mode so it can be entered in cases when you need transport map configuration information but cannot access the IOS CLI.
In the following example, the connection policy and banners are set for a persistent SSH transport map, and the transport map is enabled.
The show platform software configuration access policy output is given both before the new transport map is enabled and after the transport map is enabled so the changes to the SSH configuration are illustrated in the output.
Important Notes and Restrictions
The important notes and restrictions pertaining to console port, SSH, and Telnet handling are:
- The Telnet and SSH settings made in the transport map override any other Telnet or SSH settings when the transport map is applied to the Management Ethernet interface.
- Only local usernames and passwords can be used to authenticate users entering a Management Ethernet interface. AAA authentication is not available for users accessing the router through a Management Ethernet interface using persistent Telnet or persistent SSH.
- Applying a transport map to a Management Ethernet interface with active Telnet or SSH sessions can disconnect the active sessions. Removing a transport map from an interface, however, does not disconnect any active Telnet or SSH sessions.
- Configuring the diagnostic and wait banners is optional but recommended. The banners are especially useful as indicators to users of the status of their Telnet or SSH attempts.