After starting a router configuration using the Console Port or Auxiliary Port, you can choose from among several options to gain access to Cisco IOS Software. These access methodologies are commonly referred to as EXEC sessions. Assuming that the device model and IOS support them, certain Cisco devices can support up to five means of gaining an EXEC session to the IOS, which are discussed in the following subsections.
Several Cisco devices do not have a default IP address that can be utilized to gain access to the IOS. Therefore, administrators gain initial out-of-band terminal access to Cisco devices via the console port. After an EXEC access is gained, you can configure the device via the CLI of IOS.
The term out-of-band simply refers to the fact that the console is a management port that is separate from the interfaces that are used for networking data transmissions. Conversely, in-band management signals traverse the same networking paths and interfaces as the data stream. This implies that you have IP connectivity to the devices that you are managing.
To connect to a console port, Cisco supplies you with a flat rollover cable. As illustrated in Figure 7.1, the pins in a rollover cable are reverse images of each other when the cable is viewed with both sides of the tabs in the same orientation. Cisco console cables either come with two RJ-45 connectors, in which case a DB-9 adapter is required for connection to the PC, or come with the DB-9 connector attached to one end of the cable. The 9-pin connector of the console cable connects to your terminal PC’s COM port. Keep in mind that this management connection is for initial terminal access only and should not be confused with an actual networking Ethernet cable of any sort.
It is imperative to be able to recognize and differentiate between the pin configurations and the usage of a straight-through Ethernet cable versus a crossover Ethernet cable versus a rollover console cable.
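As an added illustration of the pinout differences just described (example code, not from the book), the following classifies an RJ-45 cable from the wire order seen at each connector, with both connectors held in the same orientation as in Figure 7.1. The colour names and the T568A/T568B orders used in the test are constructed sample input.

```python
# Added example: classify an 8-pin RJ-45 cable from its end-to-end pin mapping.
# A mapping is a dict {pin_on_end_A: pin_on_end_B} covering pins 1..8.

# Straight-through Ethernet: every pin lands on the same pin at the other end.
STRAIGHT_THROUGH = {p: p for p in range(1, 9)}

# Rollover (Cisco console) cable: the pin order is mirrored (1->8, 2->7, ... 8->1).
ROLLOVER = {p: 9 - p for p in range(1, 9)}

# 10/100 crossover Ethernet: transmit pair (1,2) swaps with receive pair (3,6);
# pins 4, 5, 7 and 8 stay straight.
CROSSOVER = {1: 3, 2: 6, 3: 1, 4: 4, 5: 5, 6: 2, 7: 7, 8: 8}

KNOWN_CABLES = {
    "straight-through": STRAIGHT_THROUGH,
    "crossover": CROSSOVER,
    "rollover": ROLLOVER,
}


def mapping_from_wire_colors(end_a, end_b):
    """Build a pin mapping from the wire colours read in pin order 1..8 at each end."""
    if len(end_a) != 8 or len(end_b) != 8 or set(end_a) != set(end_b):
        raise ValueError("each end must list the same eight wire colours")
    pin_at_b = {colour: pin for pin, colour in enumerate(end_b, start=1)}
    return {pin: pin_at_b[colour] for pin, colour in enumerate(end_a, start=1)}


def classify_cable(mapping):
    """Return 'straight-through', 'crossover', 'rollover' or 'unknown'."""
    pins = set(range(1, 9))
    if set(mapping) != pins or set(mapping.values()) != pins:
        raise ValueError("mapping must pair every pin 1..8 exactly once")
    for name, reference in KNOWN_CABLES.items():
        if mapping == reference:
            return name
    return "unknown"
```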
An ASCII terminal emulation software program must be running on your management PC if it is to interact with the Cisco IOS. There are several different terminal programs available, such as HyperTerminal, TeraTerm, SecureCRT, and others. The terminal setup of the COM port connected to the rollover console cable must be set to the following default console parameters: 9600 baud, 8 data bits, no parity bits, 1 stop bit, and no flow control. After the terminal is set up correctly and you have powered on the Cisco device, you should see the output from your console EXEC session in the terminal window.
Certain Cisco models may contain another out-of-band management port called an auxiliary (AUX) port. This port is very similar to the console port in that it uses a rollover cable and has an RJ-45 connection to the Cisco device. The difference between the auxiliary and the console port is that the auxiliary port has flow control capability, which is useful for analog modem connectivity. By connecting an external modem to this management port, you can dial into the modem remotely and gain an EXEC session without being physically next to the Cisco device.
As discussed in Chapter 1, “Standard Internetworking Models,” Telnet is an Application layer protocol of the TCP/IP protocol suite that uses TCP port 23 to gain virtual terminal emulation to a device. Telnet is considered in-band management because it is required to have IP connectivity to the Cisco device into which you are trying to Telnet. Most Cisco devices allow at least 5 Telnet EXEC sessions to be connected for remote terminal access. For the sake of security, there is some configuration involved to allow Telnet access into the Cisco devices. Telnet is discussed in further detail in Chapter 8, “Foundation Cisco Configurations.”
HTTP and HTTPS
Similar to Telnet, HTTP and HTTPS are also Application layer protocols of the TCP/IP protocol suite. HTTP uses TCP port 80 to establish a management connection to the Cisco device. HTTPS is a secure version of HTTP over Secure Sockets Layer (SSL) and uses TCP port 443. HTTP and HTTPS terminal sessions require IP connectivity to the Cisco device, making them an in-band management communication methodology. The key difference between HTTP/HTTPS and Telnet is that when you use HTTP or HTTPS, you can have a graphical interface to the configuration and administration features of the Cisco IOS.
The HTTP EXEC session is made possible by an HTTP server service that can run if configured on the Cisco device. For security purposes, some Cisco routers do not have this functionality enabled by default. If this functionality is not going to be utilized, it is recommended that you disable this service to avoid any security vulnerabilities.
HTTP and HTTPS are utilized in the Security Device Manager (SDM) configuration utility, which will be discussed in greater detail in Chapter 9, “Understanding the Cisco SDM.”
Imagine you have Telnetted into a Cisco device and it is prompting you for a password. If an attacker has the capability to eavesdrop on that Telnet terminal session, he could very well detect the password because the Telnet communications are in clear text.
With SSH (Secure Shell), you are provided a secure terminal EXEC connection through the use of encrypted communications between your terminal client and the Cisco device. Your terminal application must support SSH to connect securely to your Cisco device. Some terminal programs that support SSH are SecureCRT and PuTTY. In addition, the version and feature set of the Cisco IOS must support SSH. Like the other in-band protocols, SSH also requires initial configuration before you can gain access to an EXEC session. Granted, this additional configuration may seem tedious; however, the benefit of having secure remote terminal connections to the Cisco device outweighs the work involved.
Table 7.1 quickly reviews the five means of gaining EXEC sessions to Cisco devices.
Successfully initiating a Telnet, HTTP/HTTPS, or SSH session to a Cisco device is an excellent way to test that you have Application layer connectivity to that device.
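As an added example (not from the book), the following audits which of the in-band EXEC methods above a Cisco device is actually being reached over, using the TCP ports the chapter lists (23, 80, 443, 22), and separates clear-text sessions such as Telnet from encrypted ones such as SSH. The log format, addresses and timestamps are constructed sample input, and the device address 10.0.0.1 is an assumption.

```python
# Added example: find established EXEC sessions to a device in constructed
# connection-log lines and report which ones use a clear-text method.
import re

# TCP ports of the in-band EXEC access methods named in the chapter,
# mapped to (service name, encrypted?).
EXEC_SERVICES = {
    23: ("Telnet", False),   # clear text: credentials visible to an eavesdropper
    80: ("HTTP", False),     # clear text
    443: ("HTTPS", True),
    22: ("SSH", True),
}

# Constructed sample log in a "timestamp src -> dst:port state" layout.
SAMPLE_LOG = """\
2024-01-09T10:01:02 10.0.0.5 -> 10.0.0.1:23 ESTABLISHED
2024-01-09T10:01:07 10.0.0.5 -> 10.0.0.1:22 ESTABLISHED
2024-01-09T10:02:11 10.0.0.9 -> 10.0.0.1:80 ESTABLISHED
2024-01-09T10:03:40 10.0.0.9 -> 10.0.0.1:443 ESTABLISHED
2024-01-09T10:04:00 10.0.0.9 -> 10.0.0.1:161 ESTABLISHED
2024-01-09T10:04:30 10.0.0.7 -> 10.0.0.1:23 REFUSED
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<state>\w+)$"
)


def audit_exec_sessions(log_text, device_ip):
    """Return (service, source_ip, encrypted) for each established EXEC session.

    Ports that are not EXEC methods, non-established states and malformed
    lines are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != device_ip or m["state"] != "ESTABLISHED":
            continue
        service = EXEC_SERVICES.get(int(m["port"]))
        if service is None:
            continue
        findings.append((service[0], m["src"], service[1]))
    return findings


def cleartext_sources(findings):
    """Sorted list of hosts that reached the device over a clear-text method."""
    return sorted({src for _svc, src, encrypted in findings if not encrypted})
```

Hosts reported by cleartext_sources are the ones whose session credentials could be read by an eavesdropper, which is the argument the chapter makes for preferring SSH and HTTPS and disabling unused services.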