09-23-2019 08:00 AM
Hi guys,
I am looking for the best solution for Out of Band management (console access) for running network devices in DCs.
We have 2 remote small datacenters equipped with various devices (Cisco Nexus, PaloAlto FWs,...).
Basically requirements are:
- this OOB will ensure connection via console cables to devices.
- OOB network has to be fully independent from inband management and production network.
- connection to OOB console access should have separate internet access (4G/LTE).
- devices for OOB equipment should be from Cisco.
- if possible, 2-FA should be used/integrated.
Do you have any idea what boxes (Cisco console routers, firewalls, VPN access, 4G/LTE module) to use?
Many thanks for your inputs and ideas!
Hejbi
Accepted Solutions
10-03-2019 12:36 AM
You can do the lab of this; this requires a physical test.
I would just buy a refurbished old kit for cheap with 1 module and test onsite before I go and buy with a full contract.
Some kit is EoL already, so you get a cheaper price. Tell the vendor you are going to test this feature, and if it works you will buy another module.
09-23-2019 08:24 AM
Depends on the number of devices. I used old 25XX in a DC environment, with an ASA FW for VPN to come in OOB, in case all the live network goes down, to look at the console.
High level:
PC----Internet----DSL--ASA (old 5505; you can use the new 550X-X models here)--25XX--Device consoles.
You can also set up multi-factor authentication.
09-24-2019 07:43 AM
Hi Balaji,
thanks a lot for your inputs!
We will have about 30 devices which will need console access in one DC.
I was thinking about this setup per one DC:
- 4G/LTE/DSL public Internet connection
- 1x Cisco ASA 5506-X (Base license) as VPN gateway for IPsec RA (Cisco AnyConnect)
- 1x ISR Cisco 4221 with 2x NIM-16A module
- 4x CAB-ASYNC-8 octal cable
In our production it is not acceptable to have end-of-life devices.
I still have to think about the 2nd-factor implementation and its integration on the Cisco ASA FW.
Hejbi
09-24-2019 08:37 AM
All looks good to me.
Since I have not tested it as console access, test before buying. I have heard someone tried and failed; not sure what the issue was.
1x ISR Cisco 4221 with 2x NIM-16A module
10-02-2019 03:11 PM
Hi Balaji,
thanks for your comment. I don't have any experience with the configuration of a console terminal server either, so I hope I will not have any issues with that. For now I don't have any HW to test that on... any idea what you meant when you mentioned "test before buying"? Any lab simulator?
I planned to use the official Cisco config guide for NIM-16A and some blogs describing the configuration of console terminal servers (links below)... and then I will pray for success in getting that working :-D.
Hejbi
