Using Old Cisco Routers as Console Servers

Serial Ports

Ah, yes, the network admin's best friend. A Serial Port.

While serial ports come in many varieties, the most common standard is RS-232 (or rather the modern variant of it). It describes communication between a DTE (Data Terminal Equipment) and DCE (Data Communication Equipment).

The distinction is important as the wiring for the DB-25M or DE-9M differs for each end. However, at some point, someone (probably Yost) came up with a way to use 8P8C connectors and have both ends use the same pinout. These cables and adapters have been called many things:

  • Rollover cable
  • Cisco Cable
  • Yost Cable
  • (Cisco) Console Cable

You can connect any two 8P8C serial ports together without worrying about which end is the DTE and which is the DCE.

Nowadays, the "DTE" will be a laptop with a serial dongle and the "DCE" will be a router/switch/... Pretty much all serial ports will be 8P8C.

Oh, and don't plug your Ethernet port into an 8P8C serial port. Bzzzt

Serial Data

First, the most important thing: Almost everything is 8N1 nowadays:

  • 8 Databits
  • No Parity
  • 1 Stop bit

Usually, serial consoles have one of the following two common speeds: 9600 or 115200 Baud. Here are some general guidelines:

  • Cisco, Juniper, HP, Ubiquiti, ... consoles usually run at 9600 Baud.
  • Mellanox (and Linux) consoles run at 115200 Baud quite often.

When in doubt, try 9600 first, then 115200, then look at the manual. :)

Attaching Serial Consoles to Cisco Routers

There are several ways to attach another device with a serial port to a Cisco router. These are the ones I recommend:

  1. AUX port: 1 port (usually)
     • This is undoubtedly the simplest choice.
     • Simply connect the AUX port to other 8P8C console ports.
  2. HWIC-8A + CAB-ASYNC-8/CAB-HD8-ASYNC: 8 ports per HWIC
     • Good option if you have a router that takes (E)HWIC cards and you find it cheap.
     • 8 ports are okay, but the following option is more "future proof".
  3. HWIC-16A + 2x CAB-ASYNC-8/CAB-HD8-ASYNC: 16 ports per HWIC slot
     • Excellent option if you have a router that can take (E)HWIC cards.
     • One module gets you 16 serial ports, so a single card should be more than enough for homelab purposes.
     • Can buy one CAB-ASYNC-8/CAB-HD8-ASYNC at a time for 8 ports per.
  4. SM-32A + 4x CAB-ASYNC-8/CAB-HD8-ASYNC: 32 ports per NM slot
     • If you have one of those chonkers with a Network Module slot.
     • A whopping 32 serial ports! And rather cheap, too.
     • Can buy one CAB-ASYNC-8/CAB-HD8-ASYNC at a time for 8 ports per.
  5. NIM-16A + 2x CAB-ASYNC-8/CAB-HD8-ASYNC: 16 ports per NIM slot
     • If you have more modern equipment, this is an option.
     • Not quite cheap.
     • Can buy one CAB-ASYNC-8/CAB-HD8-ASYNC at a time for 8 ports per.
  6. NIM-24A + 3x CAB-ASYNC-8: 16 ports per NIM slot
     • Like the above, but one more slot.
     • Even less cheap and requires the new cables to fit all three.
     • Can buy one CAB-ASYNC-8 at a time for 8 ports per.

You definitely want something running a not-stone-age IOS so you get modern crypto.

Line Config

You're gonna need to configure the serial ports first. The following is on an ISR G2, specifically the 2901, with the HWIC-16A.

! AUX port config. 115200 8N1 on rotary 1 with DCD.
line aux 0
 login local
 modem Host
 rotary 1
 no exec
 transport input ssh
 transport output none
 stopbits 1
 speed 115200

! HWIC slot 0, first cable, first port. 9600 (default) 8N1 on rotary 100 with DCD.
line 0/0/0
 login local
 modem Host
 rotary 100
 no exec
 transport input ssh
 transport output none
 stopbits 1

! HWIC slot 0, second cable, first port. 9600 (default) 8N1 on rotary 108 with DCD.
line 0/0/8
 login local
 modem Host
 rotary 108
 no exec
 transport input ssh
 transport output none
 stopbits 1

You might also need to replace login local with login authentication default, depending on how AAA is set up on your device.

Cisco IOS also supports autobaud functionality. I couldn't get it to work decently. Instead, just configure it when you need it.

(Reverse) SSH

Make sure to configure SSH sanely:

! Generate keys if you haven't already.
crypto key generate rsa modulus 3072

! If you manage the box via a Loopback interface, make SSH source from it.
ip ssh source-interface Loopback0
ip ssh logging events
ip ssh version 2
ip ssh dh min size 2048
ip ssh server algorithm mac hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip scp server enable

That'll make the whole thing less crappy security-wise at the cost of a slightly longer initial handshake. If you have to impress your friends with your big keys, you can also choose 4096 bit instead of 3072 for negligible benefits, but this thing's probably a security nightmare anyway.

If you want to configure an SSH key - which you do - keep in mind that it only really supports RSA, no Ed25519.

  1. Fetch your legacy RSA key's public key and wrap it below the 254 byte line limit IOS has. In this case, I chose 70 characters, like OpenSSH private keys, but 128 works as well.
cat .ssh/id_legacy_rsa.pub | sed -En 's/^ssh-rsa ([^ ]+).*$/\1/p' | fold -b -w70
  2. Enter the right mode to save it in the config.
stale(config)#ip ssh pubkey-chain
stale(conf-ssh-pubkey)#username vifino
stale(conf-ssh-pubkey-user)#key-string
stale(conf-ssh-pubkey-data)# <PASTE LINES HERE >
stale(conf-ssh-pubkey-data)#exit
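The two steps above (extract the base64 part of the OpenSSH public key, fold it under the 254 byte IOS line limit, paste it under key-string) are easy to get wrong by hand, so here is an added Python example that does the same job and also computes the value you can check it against afterwards. This is not code from the post; it assumes a standard OpenSSH "type base64 comment" public-key line as input. The sample key it builds is constructed (fake key material, not a usable RSA key) so the script runs offline. The key-hash function relies on the fact that IOS stores a pasted key as a key-hash ssh-rsa line holding the MD5 of the decoded key blob, which is the same fingerprint ssh-keygen -E md5 -lf prints without the colons.

```python
import base64
import hashlib
import struct
from typing import List

# IOS rejects key-string lines longer than this (limit quoted in the post).
IOS_MAX_LINE = 254


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey(key_type: str, fields: List[bytes], comment: str = "demo@example") -> str:
    """Build a CONSTRUCTED OpenSSH public-key line for offline testing.
    The key material is fake; it only exists so the functions below have input."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def make_sample_rsa_pubkey() -> str:
    """A fake ssh-rsa line: e = 65537 and a made-up 'modulus'. Not a real key."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + bytes(range(1, 256)) + b"\x01"  # leading 0x00 keeps the mpint positive
    return make_sample_pubkey("ssh-rsa", [e, n])


def parse_openssh_pubkey(line: str) -> bytes:
    """Return the decoded key blob from a 'type base64 [comment]' line.
    Anything but ssh-rsa is rejected, since IOS pubkey-chain only takes RSA keys."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob repeats the key type as its first SSH string; both must agree.
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii", "replace")
    if key_type != "ssh-rsa" or inner_type != "ssh-rsa":
        raise ValueError(f"IOS pubkey-chain needs ssh-rsa, got {key_type}")
    return blob


def ios_key_string_lines(line: str, width: int = 70) -> List[str]:
    """Fold the base64 key into lines of at most `width` characters (<= 254)."""
    if not 1 <= width <= IOS_MAX_LINE:
        raise ValueError(f"width must be between 1 and {IOS_MAX_LINE}")
    blob = parse_openssh_pubkey(line)
    b64 = base64.b64encode(blob).decode()  # re-encode: canonical, no whitespace
    return [b64[i:i + width] for i in range(0, len(b64), width)]


def ios_key_hash(line: str) -> str:
    """MD5 over the decoded blob: the value IOS shows as 'key-hash ssh-rsa ...'
    in the running config once the paste succeeded. Compare it (case-insensitively)
    with 'ssh-keygen -E md5 -lf key.pub' minus the colons."""
    blob = parse_openssh_pubkey(line)
    return hashlib.md5(blob, usedforsecurity=False).hexdigest()


def ios_pubkey_chain_config(username: str, line: str, width: int = 70) -> str:
    """Render the config-mode snippet the post walks through interactively."""
    out = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    out += ["   " + chunk for chunk in ios_key_string_lines(line, width)]
    out += ["  exit", " exit", "exit"]
    return "\n".join(out)


if __name__ == "__main__":
    key = make_sample_rsa_pubkey()  # swap in open(".ssh/id_legacy_rsa.pub").read()
    print(ios_pubkey_chain_config("vifino", key))
    print("! expected in running config: key-hash ssh-rsa", ios_key_hash(key))
```

After pasting, show running-config | section pubkey-chain should contain the key-hash the script printed; if it does not, a line was mangled or truncated by the terminal.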

If you're using something above 12.3, say 15.0, you can use the feature described in Reverse SSH Enhancements. tl;dr: You can slap the rotary number behind the username instead of selecting a specific SSH port.

If that's not available, you don't like it, or you want more choice, you can configure separate SSH ports for each of the rotaries:

! Map rotary 1 to port 9001, rotary 2 to 9002, and so on for all rotaries 1 through 127.
ip ssh port 9001 rotary 1 127
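Writing one line stanza per async port by hand gets tedious with 16 or 32 of them, and the rotary-to-port arithmetic from the ip ssh port statement is the kind of thing that is easy to get off by one. The following is an added Python example (not code from the post) that generates the line stanzas in the exact shape shown under Line Config above, models the ip ssh port mapping, and prints the matching client command for a rotary. It assumes the conventions from this post: rotary 100 and up for HWIC lines, 9600 as the default line speed, and the 9001/1/127 port mapping; the interface names and rotary numbers are examples, not anything the router dictates.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RotaryPool:
    """Models 'ip ssh port <base> rotary <first> <last>':
    rotary N listens on TCP port base + (N - first)."""
    base_port: int = 9001
    first: int = 1
    last: int = 127

    def ios_config(self) -> str:
        return f"ip ssh port {self.base_port} rotary {self.first} {self.last}"

    def port_for(self, rotary: int) -> int:
        if not self.first <= rotary <= self.last:
            raise ValueError(f"rotary {rotary} outside {self.first}-{self.last}")
        return self.base_port + (rotary - self.first)

    def rotary_for(self, port: int) -> int:
        rotary = port - self.base_port + self.first
        self.port_for(rotary)  # reuse the range check
        return rotary


def line_config(line_name: str, rotary: int, speed: Optional[int] = None,
                login: str = "login local") -> str:
    """One line stanza in the shape the post uses: SSH in, nothing out,
    modem Host so DCD is tracked, no exec. The speed command is only emitted
    when it differs from the 9600 default, mirroring the HWIC examples."""
    cfg = [f"line {line_name}", f" {login}", " modem Host", f" rotary {rotary}",
           " no exec", " transport input ssh", " transport output none", " stopbits 1"]
    if speed is not None and speed != 9600:
        cfg.append(f" speed {speed}")
    return "\n".join(cfg)


def hwic_lines(slot: int, subslot: int, count: int = 16, rotary_base: int = 100,
               speeds: Optional[Dict[int, int]] = None) -> str:
    """All lines of one async module, e.g. 0/0/0 .. 0/0/15 on rotaries 100..115.
    speeds maps a port index to a non-default speed, e.g. {3: 115200}."""
    speeds = speeds or {}
    return "\n\n".join(
        line_config(f"{slot}/{subslot}/{n}", rotary_base + n, speeds.get(n))
        for n in range(count)
    )


def client_commands(user: str, host: str, rotary: int, pool: RotaryPool) -> Tuple[str, str]:
    """Both ways of reaching a rotary: its dedicated port, or user:rotaryN on port 22."""
    return (
        f"ssh -l {user} -p {pool.port_for(rotary)} {host}",
        f"ssh -l {user}:rotary{rotary} {host}",
    )


if __name__ == "__main__":
    pool = RotaryPool()
    print(line_config("aux 0", 1, speed=115200))
    print()
    print(hwic_lines(0, 0, speeds={3: 115200}))  # port 3 is a Linux box at 115200
    print()
    print(pool.ios_config())
    for cmd in client_commands("myuser", "serialbox", 100, pool):
        print("!", cmd)
```

Because the port mapping is derived from one RotaryPool object, changing the base port or rotary range updates both the IOS statement and the client commands together, which is the "less hassle when moving things around" the post gets from rotary groups.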

Use it!

After you have configured the ports with their rotary groups, you can use them in one of two ways:

  1. ssh -l myuser -p 9100 serialbox
     • This connects to SSH on port 9100, which in my example maps to rotary 100.
     • I prefer this. The target port gets closed if the line is in use - instant disconnect.
     • It'll also not be available if the line is down.
  2. ssh -l myuser:$PORT serialbox
     • This connects to SSH on port 22, but uses the Reverse SSH Enhancements to select the line instead of a specific port.
     • What is $PORT? Well.
       • N to dial line N (see show line for the mapping)
       • rotaryN to dial rotary N (e.g. rotary100)
     • You get spicy and confusing error messages!
       • Wrong line number? Received disconnect from <addr> port 22:2: Non-assigned port!
       • Line in use? Received disconnect from <addr> port 22:2: Requested line not found!

Personally, I prefer the former. Just my regular username, no special stuff except the target port. Either is fine, but I suggest using rotary groups in either case for less hassle when moving things around.

Summary

Apart from the quirks in the config and the slow speed of the SSH handshake with decent crypto, this works very well!

With modem signals enabled (DCD), you can even trigger automatic logout on the target devices. For example, in Junos, you can configure the console port to do that:

set system ports console log-out-on-disconnect

Plus, if you're into retrocomputing, you can enable X.25 and use PAD features to dial into the same rotaries. Maybe I'll write a post about X.25 in general. Fun!