Cisco – Bypassing a Cisco Terminal Server Menu


The guys at a config center connect to devices by: placing them on a management rack, and plugging them into a management switch by means of some HWIC/RJ45 reverse telnet connection. When you remote into the management switch, you're dropped onto a menu console where you enter a number and get forwarded into the corresponding port. As an intern with only a couple of 300-level courses under his belt, this thing seems a little arcane.

The guys are sitting around and copying/pasting chunks of CLI commands from Notepad into an SSH terminal. It's agreed that there should be an easy way to automate these tasks — And there is! I've identified that Paramiko/Netmiko scripts or short Ansible tasks all appear to be good choices.

The problem is that these configuration tools all assume that you can directly connect to the desired host.

I can't get many straight answers about this terminal server from my coworkers or Google. Rumors on the wind that someone once somehow appended a port and loopback (Ex: 2003, 1.1.1.1?) to the IP address in PuTTY — Someone installed a net-card into a router somewhere that can forward requests through the menu, but only telnet requests.

It seems like this terminal server just isn't in vogue right now, does anyone have experience with these things? Is there a way to form an SSH connection that will be transparently forwarded into those telnet ports?


Additional clarification edit

The case is a little unusual on these staging racks. I'm encouraged to find a way to automate certain CLI input, to remedy engineers being stuck copying and pasting the same commands on 10 or 15 devices. The engineers often get stuck wasting a great deal of time on this step. The term server is being used on these staging racks because it's best suited to the wide and random variety of customer devices and tasks required of them, although there are many circumstances where the same sequence of CLI commands has been used thousands of times.

I'd started just writing a simple Paramiko script to navigate the term server, then feed lines from a given text file into specified ports. This works, but is only suited to dumping conf-t commands. File transfers and device reloads present serious timing/sequencing challenges. Realizing the complications, I've focused on researching how I might enable an actual tool (Ansible/Netmiko) to be used with the term server, instead of hacking together a lackluster utility of my own.

The complication is that information about the terminal server is scarce, and I'm vaguely made aware that I should only SSH to the term server, and get forwarded into the devices. I should not telnet directly to the term server on port 200N, because of security concerns about different clients who may have access to different portions of that network.
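The menu-navigation-then-feed-lines approach the question describes, written as an added example (not the asker's script, not a Cisco or Netmiko API). The assumptions are labelled in the code: the term server prints a numbered menu ending in a "Selection:" prompt, forwards the session into the chosen reverse-telnet line, and the device behind it answers with a Cisco-style prompt. The driver only uses `recv_ready()`/`recv()`/`send()`, the subset of `paramiko.Channel` that `invoke_shell()` returns, so in practice the SSH channel replaces the in-memory simulator used here to keep the example runnable offline. The point it shows is the fix for the timing problem the question mentions: each line is sent only after the previous prompt has come back, instead of after a fixed sleep.

```python
"""Menu-driven terminal server automation over an interactive channel.

Added example, not the asker's script and not a Cisco or Netmiko API.
Assumptions: the term server prints a numbered menu that ends with a
"Selection:" prompt, forwards the session into the chosen reverse-telnet
line, and the device behind it answers with a Cisco-style prompt ("host>",
"host#", "host(config)#").  Only recv_ready()/recv()/send() are used, so
`chan = ssh_client.invoke_shell()` (paramiko) can stand in for the simulator.
"""
import re
import time

# Prompt pattern for the device behind the port.  Tighten it to the real
# hostname in production: long "show" output can end a line in '>' or '#'.
DEVICE_PROMPT = r"[\w.-]+(\(config[\w-]*\))?[>#]\s*$"
MENU_PROMPT = r"Selection:\s*$"


class ChannelTimeout(Exception):
    """Raised when the expected prompt never arrives within the deadline."""


def expect(chan, pattern, timeout=10.0, poll=0.05):
    """Read until `pattern` matches the accumulated output; return that output.

    Waiting for the prompt, rather than sleeping a fixed time after each send,
    is what keeps multi-command pushes from racing the device.
    """
    regex = re.compile(pattern, re.M)
    buf = ""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if chan.recv_ready():
            buf += chan.recv(65535).decode("utf-8", "replace")
            if regex.search(buf):
                return buf
        else:
            time.sleep(poll)
    raise ChannelTimeout(f"no match for {pattern!r} in {buf!r}")


def select_port(chan, choice):
    """Pick a menu entry and return the device banner/prompt that follows."""
    expect(chan, MENU_PROMPT)
    chan.send(f"{choice}\n")
    out = expect(chan, r"Invalid selection|" + DEVICE_PROMPT)
    if "Invalid selection" in out:
        raise ValueError(f"menu rejected selection {choice!r}")
    return out


def run_commands(chan, commands):
    """Send each line only after the previous one's prompt came back."""
    outputs = []
    for cmd in commands:
        chan.send(cmd + "\n")
        outputs.append(expect(chan, DEVICE_PROMPT))
    return outputs


class FakeTermServer:
    """Constructed in-memory stand-in for the SSH channel (offline use only)."""
    MENU = "Staging console server\r\n1) R1  (line 1)\r\n2) SW1 (line 2)\r\nSelection: "

    def __init__(self):
        self._out = self.MENU.encode()
        self._port = None
        self._mode = ">"
        self.received = []          # command lines the simulated device accepted

    def recv_ready(self):
        return bool(self._out)

    def recv(self, n):
        data, self._out = self._out[:n], self._out[n:]
        return data

    def send(self, data):
        line = (data.decode() if isinstance(data, bytes) else data).rstrip("\r\n")
        if self._port is None:                      # still in the menu
            if line in ("1", "2"):
                self._port = int(line)
                self._out += f"\r\nConnecting to line {self._port}...\r\n\r\n".encode()
                self._out += self._prompt().encode()
            else:
                self._out += b"\r\nInvalid selection\r\nSelection: "
            return len(data)
        self.received.append(line)                  # forwarded to the device
        if line == "enable":
            self._mode = "#"
        elif line == "configure terminal":
            self._mode = "(config)#"
        elif line == "end":
            self._mode = "#"
        self._out += f"{line}\r\n{self._prompt()}".encode()   # echo + new prompt
        return len(data)

    def _prompt(self):
        return f"Device{self._port}{self._mode}"


if __name__ == "__main__":
    chan = FakeTermServer()
    print(select_port(chan, 1))
    for out in run_commands(chan, ["enable", "configure terminal", "hostname R1-STAGE", "end"]):
        print(out, end="")
```

Reloads and file transfers fit the same pattern by waiting on a different string (the confirmation prompt, the transfer's completion line) rather than the exec prompt; what does not work is a fixed delay, because the device's response time varies with the command.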

Best Answer

does anyone have experience with these things?

Centuries, actually. And that experience says to leave things you know very little (or nothing) about alone, especially when they're systems that (a) work, and (b) have worked for years. Live with it for a few years before declaring it crap.

I call this "new kid syndrome"; the guy comes in, and from day one declares everything to be antiquated, inefficient junk, and sets off to replace it all with whatever the current generation of "shiny" happens to be. (Ruby, cloud, etc.) I've seen this hundreds of times. I've seen it tank several companies. All because the new guy doesn't know the processes he's bent on replacing; they don't know the history of why we do things the way we do them.

What you are describing is an age-old network serial console. That's a terminal server providing telnet access to a device that has no network access of its own -- either because it has no network capability, or isn't configured yet. Your terminal server was set up with a menu interface to select the port, most likely to simplify the process. Having to know the IP and/or TCP port for a specific port can get confusing.

Your demand to use SSH will only complicate attempts of automated/scripted access. (there's a lot more work than simply opening a socket.)

I doubt you have access, or authorization, to make changes, but here's how we used to manage access to telco gear:

ip alias 10.200.5.201 3007
!
line 33 41
 session-timeout 30  output
 location DEX-600E Switch Port
 flush-at-activation
 refuse-message ^C
All XXX switch ports are in use. Please try again later.
^C
 modem DTR-active
 rotary 7
 no exec
 transport input telnet
 autohangup
 stopbits 1
 flowcontrol software out

The first line maps 10.200.5.201 to connect to port 3007 -- 3000 (telnet) + rotary. One could also connect to the router's IP:3007 and get the same thing. The line configuration programs 9 ports in a group ("rotary").
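To make the port arithmetic in the answer concrete, here is an added example (not from the answer, not a Cisco tool) that parses a stanza like the one above and lists what a client actually reaches. It assumes the IOS conventions the answer relies on: reverse telnet to an async line is TCP 2000 + line number, a rotary group is reached on TCP 3000 + rotary number (landing on the first free line in the group), and `ip alias <addr> <port>` maps an extra address onto one of those ports. The sample stanza is a constructed copy of the answer's config with the banner text left out.

```python
"""Derive the TCP ports a client reaches from a Cisco term-server stanza.

Added example, not from the answer or from Cisco.  Assumed conventions:
direct reverse telnet = TCP 2000 + line, rotary group = TCP 3000 + rotary,
`ip alias <addr> <port>` = extra address for one of those ports.
"""
import re

# Constructed copy of the stanza in the answer, minus the refuse-message banner.
SAMPLE_CONFIG = """\
ip alias 10.200.5.201 3007
!
line 33 41
 session-timeout 30  output
 rotary 7
 no exec
 transport input telnet
"""


def parse_term_server(config):
    """Return (aliases, groups): {tcp_port: ip} and one dict per `line A B` stanza."""
    aliases, groups, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip alias (\S+) (\d+)$", line)
        if m:
            aliases[int(m.group(2))] = m.group(1)
            continue
        m = re.match(r"line (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            current = {"first": first, "last": last, "rotary": None, "transport": []}
            groups.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None          # '!' or a top-level command ends the stanza
            continue
        m = re.match(r"rotary (\d+)$", line)
        if m:
            current["rotary"] = int(m.group(1))
        m = re.match(r"transport input (.+)$", line)
        if m:
            current["transport"] = m.group(1).split()
    return aliases, groups


def access_table(config):
    """One row per async line: direct port, rotary port and any alias address."""
    aliases, groups = parse_term_server(config)
    rows = []
    for g in groups:
        rotary_port = 3000 + g["rotary"] if g["rotary"] is not None else None
        for n in range(g["first"], g["last"] + 1):
            rows.append({
                "line": n,
                "direct_port": 2000 + n,        # telnet to <term-server IP>:2000+line
                "rotary_port": rotary_port,     # telnet to <term-server IP>:3000+rotary
                "alias": aliases.get(rotary_port) or aliases.get(2000 + n),
                "transport": g["transport"],
            })
    return rows


if __name__ == "__main__":
    for row in access_table(SAMPLE_CONFIG):
        print(row)
```

The table makes the question's concern visible: every line in the group is reachable both through the rotary/alias address and directly on its own 2000+N port, so whichever of those paths the site wants clients to use, the other one has to be restricted on the term server itself rather than assumed away.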