Let’s say one of your techs is configuring a firewall and makes a mistake that results in the firewall (and the rest of the network) no longer being accessible. What are your options for fixing the issue?

Plugging in with a serial cable

Network elements (such as firewalls, routers, and switches) can often be configured through serial connections to the device. A serial connection provides command-line management of the device even when the device’s network interfaces aren’t accessible.

You can plug a laptop into the firewall's serial port with a USB-to-serial cable and restore a previously saved configuration to bring the firewall back up.

Doing this—connecting to a device through an alternate connection (like a serial interface) without using the production network—is called out-of-band management. You can use out-of-band management to access network devices even when the production network isn’t accessible.
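The restore-over-serial step described above, as an added example that is not code from the original article: a small Python driver that pushes a saved configuration line by line over the console port, waits for the device prompt after each line, and stops at the first line the device rejects rather than blindly pasting the rest. It assumes a Cisco-style IOS CLI (prompts ending in `>`, `#` or `(config)#`, errors beginning with `%`), a USB-to-serial adapter at `/dev/ttyUSB0` running 9600 8N1, and the pyserial package for the real port; `FakeConsole` and `SAMPLE_CONFIG` are constructed so the module can be exercised offline.

```python
"""Restore a saved configuration over a serial console (added example, assumed IOS-style CLI)."""
import re
import time

# Assumed prompt convention: "fw1>", "fw1#", "fw1(config)#", "fw1(config-if)#"
PROMPT_RE = re.compile(rb"[\w.-]+(\(config[^)]*\))?[>#]\s*$")
# Strings an IOS-style CLI prints when it does not accept a line
ERROR_RE = re.compile(rb"% (Invalid input|Incomplete command|Ambiguous command)")

SAMPLE_CONFIG = """\
! constructed sample of a previously saved, known-good configuration
hostname fw1
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no shutdown
"""


class ConsoleSession:
    """Drives a CLI over any object with pyserial-style read(n) / write(bytes) methods."""

    def __init__(self, port, timeout=5.0):
        self.port = port
        self.timeout = timeout

    def _read_until_prompt(self):
        buf = b""
        deadline = time.monotonic() + self.timeout
        while time.monotonic() < deadline:
            chunk = self.port.read(1024)
            if chunk:
                buf += chunk
                if PROMPT_RE.search(buf):
                    return buf
            else:
                time.sleep(0.05)
        raise TimeoutError(f"no CLI prompt within {self.timeout}s; last output {buf[-80:]!r}")

    def send(self, line):
        """Type one line, wait for the next prompt, fail fast if the device rejected it."""
        self.port.write(line.encode() + b"\r")
        out = self._read_until_prompt()
        if ERROR_RE.search(out):
            raise RuntimeError(f"device rejected {line!r}: {out!r}")
        return out

    def wake(self):
        """A bare carriage return makes the console redraw its current prompt."""
        self.port.write(b"\r")
        return self._read_until_prompt()


def restore_config(port, config_text, timeout=5.0):
    """Push a saved config in configuration mode; returns the number of lines applied.

    Refuses to start unless the console already shows a privileged-exec prompt ("fw1#"),
    so a session left at user-exec, a login prompt or stale config mode fails early
    instead of typing configuration into the wrong mode.
    """
    session = ConsoleSession(port, timeout)
    prompt = session.wake().rstrip()
    if not prompt.endswith(b"#") or b"(config" in prompt[-40:]:
        raise RuntimeError(f"expected privileged-exec prompt, got {prompt[-40:]!r}")
    session.send("configure terminal")
    applied = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and IOS comment lines
            continue
        session.send(line)
        applied += 1
    session.send("end")
    session.send("write memory")  # persist to startup-config so the fix survives a reboot
    return applied


def open_usb_serial(device="/dev/ttyUSB0", baud=9600):
    """Open the USB-to-serial adapter (assumed path; 9600 8N1 is the usual console default)."""
    import serial  # pyserial, imported lazily so the rest of the module runs without it
    return serial.Serial(device, baudrate=baud, bytesize=8, parity="N", stopbits=1, timeout=0.5)


class FakeConsole:
    """Constructed stand-in for the serial port: echoes an IOS-like prompt after each line."""

    def __init__(self, hostname="fw1", reject=(), mode="exec"):
        self.hostname, self.reject, self.mode = hostname, set(reject), mode
        self.pending, self.sent = b"", []

    def write(self, data):
        line = data.rstrip(b"\r\n").decode()
        self.sent.append(line)
        if line in self.reject:
            self.pending += b"\r\n% Invalid input detected at '^' marker.\r\n"
        elif line == "configure terminal":
            self.mode = "config"
        elif line in ("end", "exit"):
            self.mode = "exec"
        suffix = "(config)#" if self.mode == "config" else "#"
        self.pending += b"\r\n" + f"{self.hostname}{suffix}".encode()

    def read(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


if __name__ == "__main__":
    # Offline demo; on site, replace FakeConsole() with open_usb_serial().
    demo = FakeConsole()
    print(f"applied {restore_config(demo, SAMPLE_CONFIG)} lines; session: {demo.sent}")
```

Stopping at the first rejected line deliberately leaves the device in config mode for a human to inspect over the same console; a rollback would need the device's own archive or rollback features, which differ by platform.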

When bare metal can’t be reached

Another problem is when a bare metal server becomes completely inaccessible. If the server's operating system has become corrupted to the point where it no longer boots, you can't connect to the machine remotely using RDP or SSH, so you can't reinstall the OS or restore a backup remotely.

In these cases, you can manage the server out-of-band using the Intelligent Platform Management Interface (IPMI). Different vendors have different names for their IPMI implementations, such as iLO, iDRAC, and IMM, but they all work essentially the same way.

The interfaces act as an IP-based KVM switch, providing keyboard, video, and mouse access to the server remotely over the network. Even if the operating system becomes corrupted and the server is no longer accessible, it can be rebooted over IPMI and the OS repaired or even reinstalled.

The only issue with these out-of-band management options is they both require a truck roll—you need to send a tech onsite to physically plug into the devices.

But what if your site or client is three hours away? Now a simple fix has quickly become an expensive fix.

There is another way though…

Console servers to the rescue

Console servers have multiple serial ports that can be connected to the serial console ports of multiple network elements. In the past, console servers were accessed remotely using dial-up modems. These days most console servers support 3G or LTE connections, or an alternate internet connection using a secondary ISP.

You can then configure any of the connected network devices remotely over its serial console port, using the CLI exactly as if you were sitting on-site with a laptop plugged in.

Even if the internet connection is broken during a storm, you can still remotely manage network devices through the console server’s 3G or LTE connections. The site won’t have internet access until the line is repaired by the ISP, but you’ll still be able to ensure local infrastructure is accessible. And you’ll look like a superstar when you’re able to fix local connectivity issues remotely even with the ISP down.

Since IPMI uses NICs for access, IPMI devices aren’t accessible if the network isn’t accessible. Fortunately, console servers come with multiple NICs allowing server IPMIs to connect directly to the console server, separate from the rest of the local LAN.

In this way, you can also remotely access an IPMI-equipped server through the console server even if the internet connection is down.
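An added example covering both the IPMI recovery described earlier and the point just made about keeping the servers' IPMI ports on a network separate from the production LAN; it is not code from the article or from any vendor. It wraps the real ipmitool command line (`-I lanplus`, `-C`, `-H`, `-U`, `-E`, `power status`/`on`/`reset`, `sol activate`) and assumes ipmitool is installed and the BMC speaks IPMI 2.0; the `10.255.0.0/24` out-of-band subnet, the BMC address and the user name are constructed, and `fake_runner` is a constructed stand-in so the logic runs offline.

```python
"""Out-of-band server recovery through IPMI with ipmitool (added example; addresses are constructed)."""
import ipaddress
import os
import shutil
import subprocess

# Constructed: the dedicated out-of-band subnet that the BMC ports are cabled into through the
# console server's spare NICs. BMCs that answer from anywhere else are reachable from the
# production LAN, which is exactly what the separate network is meant to prevent.
OOB_NETWORK = ipaddress.ip_network("10.255.0.0/24")


def check_oob_isolation(bmc_ip):
    """Refuse to manage a BMC whose address is not on the isolated OOB subnet."""
    if ipaddress.ip_address(bmc_ip) not in OOB_NETWORK:
        raise ValueError(f"BMC {bmc_ip} is outside the OOB network {OOB_NETWORK}")
    return True


def ipmi_command(bmc_ip, user, *args, cipher_suite=3):
    """Build an ipmitool argv for an IPMI 2.0 (lanplus) session.

    -E reads the password from the IPMI_PASSWORD environment variable, so it never shows up
    in `ps` output or shell history the way -P would. Cipher suite 3 is ipmitool's default;
    raise it (for example to 17, SHA-256 based) where both the BMC and ipmitool support it.
    """
    check_oob_isolation(bmc_ip)
    return ["ipmitool", "-I", "lanplus", "-C", str(cipher_suite),
            "-H", bmc_ip, "-U", user, "-E", *args]


def run_ipmi(cmd):
    """Execute one ipmitool invocation and return its stdout."""
    if shutil.which("ipmitool") is None:
        raise RuntimeError("ipmitool is not installed")
    if "IPMI_PASSWORD" not in os.environ:
        raise RuntimeError("export IPMI_PASSWORD first; ipmitool -E reads it from the environment")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_power_state(output):
    """ipmitool prints 'Chassis Power is on' or 'Chassis Power is off'."""
    words = output.strip().split()
    if len(words) >= 4 and words[:3] == ["Chassis", "Power", "is"]:
        return words[3]
    raise ValueError(f"unexpected power status output: {output!r}")


def recover_server(bmc_ip, user, runner=run_ipmi):
    """Bring an unresponsive server back: power it on if it is off, otherwise hard reset it.

    Returns (state_before, action). After the reset, watch POST and repair the OS through
    the serial-over-LAN console: ipmi_command(bmc_ip, user, "sol", "activate").
    """
    state = parse_power_state(runner(ipmi_command(bmc_ip, user, "power", "status")))
    if state == "off":
        runner(ipmi_command(bmc_ip, user, "power", "on"))
        return state, "power on"
    runner(ipmi_command(bmc_ip, user, "power", "reset"))
    return state, "power reset"


def fake_runner(initial_state):
    """Constructed stand-in for run_ipmi: answers 'power status' and records every command."""
    log = []

    def runner(cmd):
        log.append(cmd[-2:])
        return f"Chassis Power is {initial_state}\n" if cmd[-2:] == ["power", "status"] else ""

    runner.log = log
    return runner


if __name__ == "__main__":
    # Offline demo against the constructed BMC 10.255.0.21; drop runner= to talk to a real BMC.
    demo = fake_runner("on")
    print(recover_server("10.255.0.21", "oob-admin", runner=demo), demo.log)
```

The isolation check runs before any command is built, so a mistyped production address fails loudly instead of quietly reaching a BMC that was never supposed to be on that network.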

Console servers can be costly—but for top-tier clients or sites that are essential to keep up, especially ones located far from you, they can be totally worth the investment to ensure you can remotely administer the network even when the network isn’t accessible.

For tips, check out our e-book and article The Auvik Guide to Basic Switch Configuration

Comments

Pierre:

    Re #3 – domain name
    You don't need a domain-name to generate the ssh key
    Just use the keyword label as in:
    crypto key generate rsa general-keys label Whatever modulus 1024

    Re #6 – console port (or terminal window when using term moni)
    Control/L will rewrite what you are typing
