The AUX port, or auxiliary port, has been a fixture on the back of Cisco access routers for almost 30 years, and it appeared on many distribution and core routers as well. Although these ports sit right next to their sibling, the console port, they are rarely used anymore and have become almost forgotten, especially in the Cisco Network Academy curriculum.
Even though we are not using them anymore, why are we not configuring them? Have we forgotten how important security is?
After we talk about security, I will continue to talk about how AUX ports work and how you can still use them today.
SECURITY!
The AUX port is still an active port (line) on the back of a router and must not be ignored. In the Cisco Network Academy labs we configure the console port because it is a path into the router for anyone with physical access. BUT WE LEAVE THE AUX PORT UN-CONFIGURED!
This means that if you were to get physical access to the router, you could plug into the AUX port and boom! You would have user exec (non-privileged) access to the router. This is exactly like leaving the console port without a password. It is unacceptable, and you will never pass a security assessment/audit this way.
It is so easy to configure the security on the AUX port, just replicate what you put on your console port:
Lab-Router(config)#line aux 0
Lab-Router(config-line)#password cisco
Lab-Router(config-line)#login
It’s that easy. Now if someone gets physical access to your router, they will not be able to get in through that big back door that was left open.
Keep reading if you want to know more about the AUX port. There are still some cool things you can do with it.
Difference Between Console Port and Aux Port
The original purpose of the AUX port was to serve as an out-of-band access method into the router. Cisco would ship you a DB-25 adapter that was made to be used with the rollover cable to attach the AUX port to an analog modem.
The console port only supports the data pins: TX, RX, and ground. This works great when you are just using a local computer to access via the RS-232 port for initial configuration.
The AUX port uses many more pins. In addition to the data pins (TX/RX) and ground, the AUX port also uses the modem control pins: CTS (clear to send), RTS (request to send), DTR (data terminal ready), and DSR (data set ready).
All of these pins are necessary to support a connection to a modem, because they handle the flow control between the router and the modem: they signal when the modem is ready to accept data and when the router should wait. This was important in the modem days, as a modem might start to experience errors and need time to renegotiate before more data could be sent.
Once you had your modem connected to your router, engineers would use this for a few different uses:
- Out-of-Band Access (OOB) Engineers would dial in to the modem remotely for out-of-band access to the router. This could be used to troubleshoot why your WAN connection to your telecommunications provider/ISP was down. If your connection was down, you would not be able to reach the device remotely over your regular network connections (in-band) to troubleshoot it. This could also be used if a configuration change went wrong and caused the connection to go down: you could dial into the device (out-of-band) to remove your doomed change.
- Dial-Up Network Access You had the ability to configure the AUX port as a dial-up interface that could be used to route traffic between this router and another router. Even though the AUX port is a “line”, it could be attached to an “interface” that behaved just like any other interface on the router and routed traffic between the two routers. The console port can only be configured as a line and cannot be attached to an interface. This was used when only a temporary link was needed, or as a backup link if the primary WAN link went down. These were called “dial on demand” interfaces. Because modems were so slow and are not practical for today’s bandwidth needs, dial on demand links are really not used anymore.
Modems are old school, how do we do OOB today?
There is still a big demand for out-of-band access to routers. If you have a router at a large office and your WAN link goes down, you need to troubleshoot. Today, modems have been replaced by cellular as the OOB technology of choice. Many companies sell these products, also referred to as console servers. These boxes use a cellular connection to obtain an IP address on the Internet; you connect to that address, authenticate, and then connect through to your remote device. They generally have multiple ports, which allow you to connect not just your router but other devices such as your Ethernet switches. These devices can cost less than $500, and there are IoT-type cellular plans that are less expensive than a normal phone plan.
Here are a few popular products:
Is there anything I can still do with my AUX port?
Next, there is a feature that you can configure on the AUX port called Reverse Telnet.
Before configuring your AUX port for reverse telnet, you will have to build a cable that will allow you to connect the aux port to your other serial device. This means that you are going to have to find the right pinout configuration to go from the RJ-45 AUX port to the RJ-45 serial port on your other device, or the RJ-45 to DB-9/DB-25 adapter you might be using.
Configuring Reverse Telnet (Not Secure)
Reverse telnet allows you to telnet into this router on a predetermined TCP port, and the router will redirect that telnet session out of the AUX port to the serial connection. You can then connect the serial cable to any serial device you want to manage. A great example would be a UPS that has a serial port for management but no Ethernet port.
Why do I talk about reverse telnet if it is not secure? Because this is how it was originally set up before SSH became the best practice. Keep reading and we will get to SSH.
Here are the commands you put in your Cisco router to set this up:
Lab-Router(config)#line aux 0
Lab-Router(config-line)#password cisco
Lab-Router(config-line)#login
Lab-Router(config-line)#modem inout
Lab-Router(config-line)#transport input telnet
Lab-Router(config-line)#speed 9600
Lab-Router(config-line)#databits 8
Lab-Router(config-line)#parity none
Lab-Router(config-line)#stopbits 1
Set your speed/databits/parity/stopbits to what is required by the device you are connecting your serial cable to.
To connect, you telnet to any active IP address on your router, but change the TCP port from 23 to 2000 + the line number. You can determine the line number of the AUX port on your router by running the show line command:
LabRouter#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -   -      -    -    -     0      0     0/0      -
     1    1 AUX  9600/9600   - inout    -    -    -     3      0     0/0      -
*  194  194 VTY              -   -      -    -    -     5      0     0/0      -
   195  195 VTY              -   -      -    -    -     0      0     0/0      -
   196  196 VTY              -   -      -    -    -     0      0     0/0      -
   197  197 VTY              -   -      -    -    -     0      0     0/0      -
   198  198 VTY              -   -      -    -    -     0      0     0/0      -
In this case, our AUX port is line 1, so our reverse telnet port would be 2000 + 1, or 2001.
To connect, we would telnet to this device like this:
telnet 192.168.1.1 2001
Once connected, you will be prompted for a password. This is because we added the password cisco and the login command to line aux 0.
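As an added example (not part of the original post), the script below does two things the post describes by hand: it audits a running-config for an AUX line left without login or password, and it parses show line output to find the AUX line number and compute the 2000 + line reverse telnet/SSH port. Both inputs are constructed samples in the post's own layout, not output from a real device.

```python
import re

# Constructed sample running-config fragment: the AUX line is left bare,
# exactly the gap the post warns about.
SAMPLE_CONFIG = """\
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
 transport input ssh
"""

# Constructed sample "show line" output in the same column layout as the post.
SAMPLE_SHOW_LINE = """\
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
     0    0 CTY              -   -      -    -    -     0      0     0/0      -
     1    1 AUX  9600/9600   - inout    -    -    -     3      0     0/0      -
*  194  194 VTY              -   -      -    -    -     5      0     0/0      -
"""

def line_blocks(config):
    """Split an IOS config into {"line aux 0": ["password cisco", "login", ...]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented sub-command of the line
        else:
            current = None                          # left the line section
    return blocks

def audit_aux(config):
    """Return findings for line aux 0; an empty list means login and a credential are set."""
    cmds = line_blocks(config).get("line aux 0", [])
    findings = []
    if not any(c.startswith("login") for c in cmds):
        findings.append("line aux 0: missing 'login' or 'login local'")
    if "login local" not in cmds and not any(c.startswith("password ") for c in cmds):
        findings.append("line aux 0: no 'password' set (and not using 'login local')")
    return findings

def reverse_port(show_line, typ="AUX"):
    """Find the line number for the given Typ in 'show line' output; return 2000 + it."""
    for row in show_line.splitlines():
        cols = row.lstrip("*").split()            # '*' marks the line you are on
        if len(cols) >= 3 and cols[2] == typ and cols[1].isdigit():
            return 2000 + int(cols[1])
    return None
```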
Configuring Reverse SSH
Keep in mind, the above example is telnet, so your passwords are sent in clear text. This really should be configured as SSH to prevent our data from being sent in clear text over the wire. The commands below configure the same setup for “reverse SSH”. They assume you have already generated an RSA key and have SSH working on your router.
Lab-Router(config)#ip ssh port 2001 rotary 1
Lab-Router(config)#username auxport password cisco
Lab-Router(config)#line aux 0
Lab-Router(config-line)#rotary 1
Lab-Router(config-line)#login local
Lab-Router(config-line)#modem inout
Lab-Router(config-line)#transport input ssh
Lab-Router(config-line)#speed 9600
Lab-Router(config-line)#databits 8
Lab-Router(config-line)#parity none
Lab-Router(config-line)#stopbits 1
The ip ssh port command maps TCP port 2001 to rotary group 1, and the rotary 1 command under the line puts the AUX port in that group; that is what ties port 2001 to our AUX port.
Now you should be able to connect securely (all traffic encrypted).
ssh -l auxport 192.168.1.1 -p 2001
If you are connecting with a GUI SSH client, just change the port from 22 to the port that you assigned above (2001).
Now you have an effective way of connecting to the serial port of a device that may be in the same rack as your router without having to go into your equipment room to plug in.