- Preface
- Read Me First
- Software Packaging and Architecture
- Using Cisco IOS XE Software
- Console Port, Telnet, and SSH Handling
- Consolidated Packages and SubPackages Management
- Software Upgrade Processes Supported by Cisco ASR 1000 Series Routers
- High Availability Overview
- Broadband Scalability and Performance
- UniDirectional Link Detection (UDLD) Protocol
- Using the Management Ethernet Interface
- Network Synchronization Support
- IEEE 1588v2 PTP Support
- Configuring Bridge Domain Interfaces
- Enabling Support for Tunable DWDM-XFP-C
- Monitoring and Maintaining Multilink Frame Relay
- Configuring MPLS Layer 2 VPNs
- Enabling Management by REST API
- LSM-MLDP-based MVPN Support
- Tracing and Trace Management
- Packet Trace
- Configuring and Accessing the Web User Interface
- PPP Half-Bridge on the Cisco ASR 1000 Series Routers
- Cisco ASR 1000 Embedded Services Processor 10G Non Crypto Capable New Feature
- Ethernet Virtual Connections on Port Channels
- Configuring Traffic Storm Control
- Unsupported Commands
- Configuration Examples
- Console Port Overview for the Cisco ASR 1000 Series Routers
- Console Port Handling Overview
- Telnet and SSH Overview for the Cisco ASR 1000 Series Routers
- Persistent Telnet and Persistent SSH Overview
- Configuring a Console Port Transport Map
- Configuring Persistent Telnet
- Configuring Persistent SSH
- Viewing Console Port, SSH, and Telnet Handling Configurations
- Important Notes and Restrictions
Console Port, Telnet, and SSH Handling
This chapter covers the following topics:
- Console Port Overview for the Cisco ASR 1000 Series Routers
- Console Port Handling Overview
- Telnet and SSH Overview for the Cisco ASR 1000 Series Routers
- Persistent Telnet and Persistent SSH Overview
- Configuring a Console Port Transport Map
- Configuring Persistent Telnet
- Configuring Persistent SSH
- Viewing Console Port, SSH, and Telnet Handling Configurations
- Important Notes and Restrictions
Console Port Overview for the Cisco ASR 1000 Series Routers
The console port on the Cisco ASR 1000 Series Router is an EIA/TIA-232 asynchronous, serial connection with no flow control and an RJ-45 connector. The console port is used to access the router and is located on the front panel of the Route Processor (RP).
For information on accessing the router using the console port, see the “Accessing the CLI Using a Directly-Connected Console” section on page 3-2 .
Console Port Handling Overview
Users using the console port to access the router are automatically directed to the IOS command-line interface, by default.
If a user is trying to access the router through the console port and sends a break signal (a break signal can be sent by entering Ctrl-C or Ctrl-Shift-6, or by entering the send break command at the Telnet prompt ) before connecting to the IOS command-line interface, the user is directed into a diagnostic mode by default if the nonRPIOS subpackages can be accessed.
These settings can be changed by configuring a transport map for the console port and applying that transport map to the console interface.
Telnet and SSH Overview for the Cisco ASR 1000 Series Routers
Telnet and Secure Shell (SSH) on the Cisco ASR 1000 Series Routers can be configured and handled like Telnet and SSH on other Cisco platforms. For information on traditional Telnet, see the line command in the Cisco IOS Terminal Services Command Reference guide located at: http://www.cisco.com/en/US/docs/ios/12_2/termserv/command/reference/trflosho.html#wp1029818.
For information on configuring traditional SSH, see the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide located at: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh.html .
The Cisco ASR 1000 Series Routers also introduces persistent Telnet and persistent SSH. Persistent Telnet and persistent SSH allow network administrators to more clearly define the treatment of incoming traffic when users access the router through the Management Ethernet port using Telnet or SSH. Notably, persistent Telnet and persistent SSH provide more robust network access by allowing the router to be configured to be accessible through the Ethernet Management port using Telnet or SSH even when the IOS process has failed.
Persistent Telnet and Persistent SSH Overview
In traditional Cisco routers, accessing the router using Telnet or SSH is not possible in the event of an IOS failure. When Cisco IOS fails on a traditional Cisco router, the only method of accessing the router is through the console port. Similarly, if all active IOS processes have failed on a Cisco ASR 1000 Series Router that is not using persistent Telnet or persistent SSH, the only method of accessing the router is through the console port.
With persistent Telnet and persistent SSH, however, users can configure a transport map that defines the treatment of incoming Telnet or SSH traffic on the Management Ethernet interface.
See the Configuring Persistent Telnet and the Configuring Persistent SSH for information on the various other options that are configurable using persistent Telnet or persistent SSH transport maps.
Configuring a Console Port Transport Map
This task describes how to configure a transport map for a console port interface on the Cisco ASR 1000 Series Router.
1.
enable
2.
configure
terminal
3.
transport-map
type
console
transport-map-name
4. connection wait [allow interruptible | none]
5. exit
6.
transport
type
console
console-line-number
input
transport-map-name
DETAILED STEPS
Examples
In the following example, a transport map to set console port access policies is created and attached to console port 0:
Router(config)# transport-map type console consolehandler Router(config-tmap)# connection wait allow interruptible Router(config-tmap)# exit Router(config)# transport type console 0 input consolehandler
Configuring Persistent Telnet
This task describes how to configure persistent Telnet on the Cisco ASR 1000 Series Routers.
For a persistent Telnet connection to access an IOS vty line on the Cisco ASR 1000 Series Router, local login authentication must be configured for the vty line (the login command in line configuration mode). If local login authentication is not configured, users will not be able to access IOS using a Telnet connection into the Management Ethernet interface with an applied transport map.
1.
enable
2.
configure
terminal
3.
transport-map
type
persistent
telnet
transport-map-name
4. connection wait [allow {interruptible}| none {disconnect}]
5.
transport
interface
gigabitethernet
0
6. exit
7. transport type persistent telnet input transport-map-name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable
Example:
Router> enable
|
Enables privileged EXEC mode.
| ||
| Step 2 | configure
terminal
Example:
Router# configure terminal
|
Enters global configuration mode. | ||
| Step 3 | transport-map
type
persistent
telnet
transport-map-name
Example:
Router(config)# transport-map type persistent telnet telnethandler
|
Creates and names a transport map for handling persistent Telnet connections, and enters transport map configuration mode. | ||
| Step 4 | connection
wait [allow {interruptible}|
none {disconnect}]
Example:
Router(config-tmap)# connection wait none
Example: |
Specifies how a persistent Telnet connection will be handled using this transport map:
| ||
| Step 5 | transport
interface
gigabitethernet
0
Example:
Router(config-tmap)# transport interface gigabitethernet 0
|
Applies the transport map settings to the Management Ethernet interface (interface gigabitethernet 0). Persistent Telnet can only be applied to the Management Ethernet interface on the Cisco ASR 1000 Series Routers. This step must be taken before applying the transport map to the Management Ethernet interface. | ||
| Step 6 | exit
Example:
Router(config-tmap)# exit
|
Exits transport map configuration mode to re-enter global configuration mode. | ||
| Step 7 | transport
type persistent telnet input
transport-map-name
Example: Example:
Router(config)# transport type persistent telnet input telnethandler
|
Applies the settings defined in the transport map to the Management Ethernet interface. The transport-map-name for this command must match the transport-map-name defined in the transport-map type persistent telnet comm and. |
Examples
In the following example, a transport map that will make all Telnet connections wait for an IOS vty line to become available before connecting to the router, while also allowing the user to interrupt the process and enter diagnostic mode, is configured and applied to the Management Ethernet interface (interface gigabitethernet 0).
The transport map is then applied to the interface when the transport type persistent telnet input command is entered to enable persistent Telnet.
Router(config)# transport-map type persistent telnet telnethandler Router(config-tmap)# connection wait allow interruptible Router(config-tmap)# transport interface gigabitethernet 0 Router(config-tmap)# exit Router(config)# transport type persistent telnet input telnethandler
Configuring Persistent SSH
This task describes how to configure persistent SSH on the Cisco ASR 1000 Series Routers.
1.
enable
2.
configure
terminal
3.
transport-map
type
persistent
ssh
transport-map-name
4. connection wait [allow {interruptible}| none {disconnect}]
5.
rsa
keypair-name
rsa-keypair-name
6. authentication-retries number-of-retries
7. time-out timeout-interval
8.
transport
interface
gigabitethernet
0
9. exit
10. transport type persistent ssh input transport-map-name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable
Example:
Router> enable
|
Enables privileged EXEC mode.
| ||
| Step 2 | configure
terminal
Example:
Router# configure terminal
|
Enters global configuration mode. | ||
| Step 3 | transport-map
type
persistent
ssh
transport-map-name
Example:
Router(config)# transport-map type persistent ssh sshhandler
|
Creates and names a transport map for handling persistent SSH connections, and enters transport map configuration mode. | ||
| Step 4 | connection
wait [allow {interruptible}|
none {disconnect}]
Example:
Router(config-tmap)# connection wait allow interruptible
Example: |
Specifies how a persistent SSH connection will be handled using this transport map:
| ||
| Step 5 | rsa
keypair-name
rsa-keypair-name
Example:
Router(config-tmap)# rsa keypair-name sshkeys
|
Names the RSA keypair to be used for persistent SSH connections. For persistent SSH connections, the RSA keypair name must be defined using this command in transport map configuration mode. The RSA keypair definitions defined elsewhere on the router, such as through the use of the ip ssh rsa keypair-name command, do not apply to persistent SSH connections. No rsa-keypair-name is defined by default. | ||
| Step 6 |
authentication-retries number-of-retries
Example:
Router(config-tmap)# authentication-retries 4
|
(Optional) Specifies the number of authentication retries before dropping the connection. The default number-of-retries is 3. | ||
| Step 7 | time-out
timeout-interval
Example:
Router(config-tmap)# time-out 30
|
(Optional) Specifies the SSH time-out interval in seconds. The default timeout-interval is 120 seconds. | ||
| Step 8 | transport
interface
gigabitethernet
0
Example:
Router(config-tmap)# transport interface gigabitethernet 0
|
Applies the transport map settings to the Management Ethernet interface (interface gigabitethernet 0). Persistent SSH can only be applied to the Management Ethernet interface on the Cisco ASR 1000 Series Routers. | ||
| Step 9 | exit
Example:
Router(config-tmap)# exit
|
Exits transport map configuration mode to re-enter global configuration mode. | ||
| Step 10 | transport
type persistent ssh input
transport-map-name
Example: Example:
Router(config)# transport type persistent ssh input sshhandler
|
Applies the settings defined in the transport map to the Management Ethernet interface. The transport-map-name for this command must match the transport-map-name defined in the transport-map type persistent ssh command . |
Examples
In the following example, a transport map that will make all SSH connections wait for the vty line to become active before connecting to the router is configured and applied to the Management Ethernet interface (interface gigabitethernet 0). The RSA keypair is named sshkeys.
This example only uses the commands required to configure persistent SSH.
Router(config)# transport-map type persistent ssh sshhandler Router(config-tmap)# connection wait allow Router(config-tmap)# rsa keypair-name sshkeys Router(config-tmap)# transport interface gigabitethernet 0
In the following example, a transport map is configured that will apply the following settings to any users attempting to access the Management Ethernet port via SSH:
- Users using SSH will wait for the vty line to become active, but will enter diagnostic mode if the attempt to access IOS through the vty line is interrupted.
- The RSA keypair name is sshkeys
- The connection allows one authentication retry.
- The banner “ --Waiting for vty line-- ” will appear if the connection is waiting for the vty line to become active.
The transport map is then applied to the interface when the transport type persistent ssh input command is entered to enable persistent SSH:
Router(config)# transport-map type persistent ssh sshhandler Router(config-tmap)# connection wait allow interruptible Router(config-tmap)# rsa keypair-name sshkeys Router(config-tmap)# authentication-retries 1
Router(config-tmap)#banner wait X Enter TEXT message. End with the character 'X'. --Waiting for vty line-- X Router(config-tmap)# time-out 30 Router(config-tmap)# transport interface gigabitethernet 0 Router(config-tmap)# exit Router(config)# transport type persistent ssh input sshhandler
Viewing Console Port, SSH, and Telnet Handling Configurations
Use the show transport-map all name transport-map-name | type console persistent ssh telnet]]] EXEC or privileged EXEC command to view the transport map configurations.
In the following example, a console port, persistent SSH, and persistent Telnet transport are configured on the router and various forms of the show transport-map command are entered to illustrate the various ways the show transport-map command can be entered to gather transport map configuration information.
Router# show transport-map all Transport Map: Name: consolehandler Type: Console Transport Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for the IOS CLI Transport Map: Name: sshhandler Type: Persistent SSH Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS prompt SSH: Timeout: 120 Authentication retries: 5 RSA keypair: sshkeys Transport Map: Name: telnethandler Type: Persistent Telnet Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS process Transport Map: Name: telnethandling1 Type: Persistent Telnet Transport Connection: Wait option: Wait Allow Router# show transport-map type console Transport Map: Name: consolehandler Type: Console Transport Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for the IOS CLI Router# show transport-map type persistent ssh Transport Map: Name: sshhandler Type: Persistent SSH Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS prompt SSH: Timeout: 120 Authentication retries: 5 RSA keypair: sshkeys Router# show transport-map type persistent telnet Transport Map: Name: telnethandler Type: Persistent Telnet Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS process Transport Map: Name: telnethandling1 Type: Persistent Telnet Transport Connection: Wait option: Wait Allow Router# show transport-map name telnethandler Transport Map: Name: telnethandler Type: Persistent Telnet Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS process Router# show transport-map name consolehandler Transport Map: Name: consolehandler Type: Console Transport Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for the IOS CLI Router# show transport-map name sshhandler Transport Map: Name: sshhandler Type: Persistent SSH Transport Interface: GigabitEthernet0 Connection: Wait option: Wait Allow Interruptable Wait banner: Waiting for IOS prompt SSH: Timeout: 120 Authentication retries: 5 RSA keypair: sshkeys Router#
The show platform software configuration access policy command can be used to view the current configurations for the handling of incoming console port, SSH, and Telnet connections. The output of this command provides the current wait policy for each type of connection, as well as any information on the currently configured banners.
Router# show platform software configuration access policy The current access-policies Method : telnet Rule : wait Shell banner: Wait banner : Method : ssh Rule : wait Shell banner: Wait banner : Method : console Rule : wait with interrupt Shell banner: Wait banner :
In the following example, the connection policy and banners are set for a persistent SSH transport map, and the transport map is enabled.
The show platform software configuration access policy output is given both before the new transport map is enabled and after the transport map is enabled so the changes to the SSH configuration are illustrated in the output.
Router# show platform software configuration access policy The current access-policies Method : telnet Rule : wait with interrupt Wait banner : Waiting for IOS Process Method : ssh Rule : wait Shell banner: Wait banner : Method : console Rule : wait with interrupt Shell banner: Wait banner : Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# transport-map type persistent ssh sshhandler Router(config-tmap)# connection wait allow interruptible Router(config-tmap)# rsa keypair-name sshkeys Router(config-tmap)# transport interface gigabitethernet 0 Router(config-tmap)# exit Router(config)# transport type persistent ssh input sshhandler Router(config)# exit Router# show platform software configuration access policy The current access-policies Method : telnet Rule : wait with interrupt Wait banner : Waiting for IOS process Method : ssh Rule : wait with interrupt Wait banner : Waiting for IOS Method : console Rule : wait with interrupt Shell banner: Wait banner :
Important Notes and Restrictions
The important notes and restriction pertaining to the console port, SSH, and telnet handling include:
- The Telnet and SSH settings made in the transport map override any other Telnet or SSH settings when the transport map is applied to the Management Ethernet interface.
- Only local usernames and passwords can be used to authenticate users entering a Management Ethernet interface. AAA authentication is not available for users accessing the router through a Management Ethernet interface using persistent Telnet or persistent SSH.
- Applying a transport map to a Management Ethernet interface with active Telnet or SSH sessions can disconnect the active sessions. Removing a transport map from an interface, however, does not disconnect any active Telnet or SSH sessions.
Feedback