Out of band access to devices?

Justin Grote justin at grote.name
Tue Aug 16 14:48:08 UTC 2005


Andrew Pollock wrote:

>Hi,
>
>Way back in December of 2003, I asked the question of out of band access.
>
>I'm back in a similar environment where I have a number of Cisco switches
>attached to Cyclades AlterPath ACS console-access servers, and all remote
>access to the switches is disabled. Telnet isn't an option, and I suspect
>that the IOS version doesn't include crypto, so I can't enable SSH access.
>  
>
Why is telnet not an option? Apply an access list that only allows 
telnet access from the RANCID server and put telnet filters on your edge 
routers and/or put the management interfaces of the switches on their 
own VLAN and isolated from any outside connections. That's what most 
RANCID users that I know do.

You'll be secure to all forms of attack except a source-spoofed replay 
attack or a packet capture between your RANCID collector and the 
switches, but that would have to a) originate inside your system, b) 
know the IP address of your RANCID collector, and c) know your switch 
password. Anyone with this kind of knowledge probably works in your 
company and is going to get in if they really want to, just by SSHing to 
your console access server.

>So the only way of managing the devices is via SSHing to the Cyclades and
>getting on the console port. We can SSH directly to a specific port of the
>Cyclades, and after authenticating, get on the console attached to that
>port, and disconnect by way of the standard SSH disconnect break sequence
>when we're done.
>
>I'm wondering if RANCID has evolved over the last nearly 2 years to include
>such out of band access to devices, or if it's much of a muchness still?
>  
>
It doesn't specifically support it, but the framework is certainly 
there. All you'd have to do is add a new connection method to clogin. If 
the console server allows direct connection to the switch just by 
accessing the specific port (and there are no menus or anything else in 
the way), the SSH clogin method may even work out of the box, 
if you specify the port in cloginrc.

-- 
__________________________
Justin Grote
Network Architect
JWG Networks
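The ACL-restricted telnet setup suggested in the reply, written out as an added example (not part of the original thread); the collector address 192.0.2.10, the ACL name and the cloginrc host pattern are assumed placeholders, and the `ssh:port` method form is what current cloginrc documents, so check it against the RANCID version actually in use.

```text
! Cisco IOS: allow VTY (telnet) access only from the RANCID collector.
! "deny any log" makes every other attempt show up in syslog, which is
! the detection signal you want on an otherwise-closed management VLAN.
ip access-list standard RANCID-VTY
 permit host 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class RANCID-VTY in
 transport input telnet
 exec-timeout 5 0
 logging synchronous

# .cloginrc on the collector (assumed entries): plain telnet to switches
# that sit on the isolated management VLAN, and SSH to a console-server
# port for a device reached only through the Cyclades (port number assumed).
add user     10.10.0.*        rancid
add password 10.10.0.*        {vty-secret} {enable-secret}
add method   10.10.0.*        telnet
add user     console-srv      rancid
add password console-srv      {ssh-secret} {enable-secret}
add method   console-srv      ssh:7001
```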
