Taking Your Cisco Out-Of-Band Management to the Next Level
Earlier this week I found some best practice recommendations from Cisco on securing and controlling out-of-band management for their Nexus 7000 series supervisor modules. Although the recommendations made by Cisco are textbook examples for creating highly available and redundant remote management there are several ways Opengear can expand on those recommendations to help customers achieve a Tier 4-like level of management for their supervisor modules.
First let’s review with the Cisco Recommendations:
- Create A/B side management networks for each supervisor module
- Attach serial console ports to separate terminal servers
- Control IP access to the CPM and Management ports via access lists
- Set session inactivity timeouts
- Increase the speed of the console port to 115,200
- Limit the number of multi-sessions to between 5-10
- Enable access logging
These all make good sense. Here’s what it looks like:
So how can Opengear expand on these recommendations?
- Use Opengear advanced console servers as the terminal server connections
- Use Opengear models with built-in Ethernet switch ports to terminate the Management and CMP ports
- Create firewall rules and control service access on the ACM or IM
- Use the built-in TFTP server and 16GB of flash storage for IOS images and configuration backups
- Capture all serial text for remediation and audits
- Enable serial port pattern matching to alert on critical console messages
Here’s a diagram of our design recommendation:
Enhanced Service Module Management with Opengear Console Servers
A separate hardware fabric:
The Opengear ACM5504-5 and IM4216-34 have a combination of both serial ports and Ethernet switch ports. Using Opengear to create the management network assures higher availability by using a hardware fabric that is completely separate to Cisco IOS. This lessens the likelihood that issues around IOS or hardware upgrades may affect the management network too.
Built-in TFTP server with 16GB of flash storage:
All Opengear models have internal flash storage and built-in TFTP servers. In the event of an outage both can be used to recover devices or restore configurations. This provides the network group with a secure and easy to own TFTP server and storage without the need to maintain a separate Server.
Enable serial port datalogging:
All service module serial port input/output can be captured and stored. These data logs can be reviewed for remediating issues when outages occur. The Opengear unit can also monitor the output from the service module serial port for specific strings of interest. This pattern match can be used to trigger an alert notification letting you know about conditions before they become major issues.
Cisco recommends controlling IP access for access to the CMP port and services on the Management port. This can be controlled at the source/destination level as well as at the service and protocol level using the built-in firewall on all Opengear devices. Serial port access can be controlled on a per user basis using TACACS group or priv level. All user and IP access is logged and alerts can be configured for unauthorized access attempts or firewall rule violations.