We recently had a client who asked us to implement a simple and cost-effective solution for out-of-band management of their production data centers. The goal of out-of-band management is to have network access to the critical data center infrastructure when the company's network has melted down, preventing you from reaching any device for troubleshooting. In other words, this is meant to be the company's alternative way of accessing critical data center devices.
The simplest solution, which we actually ended up implementing, was a static DSL line from a local ISP, terminated on a Cisco 2611 router using the PPPoE protocol. The Cisco 2611 is not a high-throughput router, but given that packet throughput is not a requirement in our case, and the fact that it supports asynchronous modules for device console connectivity, we decided it would be a good fit. The client would initially SSH to the static IP provided by the ISP and configured on the Cisco 2611 router. From there, since the router had asynchronous lines to every network device's console port, they would be able to connect to any device via its console.
Point-to-Point Protocol over Ethernet (PPPoE) is traditionally suited for connecting many users on a company Ethernet network to the Internet through a common piece of Customer Premises Equipment (CPE), which in most cases is an ISP-provided device such as a cable modem. PPPoE is based on the well-known Point-to-Point Protocol (PPP), which was commonly used in dial-up connections a while back.
Here is how we got it done:
1. Ordered a static DSL line from AT&T. You have to request a static IP if you plan to SSH or Telnet into your data center router from anywhere outside. You must configure the AT&T modem to be in 'bridged' mode, meaning it will act as a dumb device and delegate the responsibility of establishing the connection to your Cisco 2611 router. Once you have registered with AT&T, ask them to provide you with the PPP username and password, which you will need later on to configure your router for PPP authentication. Also ask them to provide you with the static IP and network mask for your router interface.
2. The AT&T technician will install your DSL line and connect it to the outside port on the modem. You will need to connect an internal port on the modem to one of the Ethernet interfaces on your Cisco 2611 router.
3. The next step is to configure your Cisco 2611 router to support PPPoE and establish the connection to your ISP's network. Here is the router configuration that achieved our goal. In our case the Cisco 2611 router acts as a PPPoE client.
Configure VPDN (Virtual Private Dialup Network) and enable PPPoE globally:
conf t
 vpdn enable
 !
 vpdn-group 1
  request-dialin
   protocol pppoe
Configure the dialer interface responsible for 'dialing up' to the ISP device and establishing a PPPoE session. You need to identify which authentication protocol your provider is using: PAP or CHAP. PAP sends the password in clear text, while CHAP is more secure. If unsure, you can configure them both, as we did, and let the interface negotiate it for you:
interface Dialer1
 ip address X.X.X.X 255.255.255.0   !!! <--- static IP and mask provided by the ISP
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname <PPP username from ISP>
 ppp chap password <PPP password from ISP>
 ppp pap sent-username <PPP username from ISP> password <PPP password from ISP>
Configure the physical Ethernet interface with a TCP MSS (maximum segment size) of 1452 to allow for the additional 8 bytes of PPPoE encapsulation, so that the total segment size does not exceed 1500 bytes, the standard Ethernet maximum. You also specify the dial pool number that your Dialer1 interface belongs to:
interface FastEthernet0/0
 ip tcp adjust-mss 1452
 pppoe enable
 pppoe-client dial-pool-number 1
 no shutdown
 exit
Configure routing with the default static route pointing to the dialer interface:
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
This specifies what kind of traffic should bring the connection up:
dialer-list 1 protocol ip permit
And Ta Da!
Once everything is configured, you should be able to reach your router's static IP from anywhere on the Internet. So make sure you have configured both 'exec' level and enable passwords on the Cisco 2611 router, as it is now officially exposed to anyone on the Internet who wants to log in.
If your connection is not established, you might need to troubleshoot it. The first step is to make sure PPPoE authentication is working correctly and the PPPoE session is established. These commands will help:
show vpdn
show pppoe session
debug pppoe errors
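As an added check that is not part of the original post, here is a small Python audit that reads an IOS configuration as text and flags the points made above: the PPPoE MTU/MSS arithmetic, PAP-only authentication, and an exec path left open on the public static IP. The sample configs, the 203.0.113.10 address and the credentials are constructed placeholders, and the access-class and SSH-only vty checks go a step beyond what the post itself configures.

```python
import re

ETHERNET_MTU, PPPOE_OVERHEAD, TCPIP_HEADERS = 1500, 8, 40   # bytes

def audit_oob_router(config):
    """Return a list of findings for a PPPoE-client OOB router config (IOS text)."""
    findings = []
    # MTU/MSS consistency: PPPoE takes 8 bytes out of the 1500-byte Ethernet MTU,
    # and the TCP MSS must leave room for 40 bytes of IP+TCP headers below that.
    mtu = re.search(r"^\s*ip mtu (\d+)", config, re.M)
    mtu_v = int(mtu.group(1)) if mtu else ETHERNET_MTU
    if mtu_v != ETHERNET_MTU - PPPOE_OVERHEAD:
        findings.append(f"ip mtu {mtu_v}: expected {ETHERNET_MTU - PPPOE_OVERHEAD} on the dialer")
    mss = re.search(r"^\s*ip tcp adjust-mss (\d+)", config, re.M)
    if not mss or int(mss.group(1)) != mtu_v - TCPIP_HEADERS:
        findings.append(f"ip tcp adjust-mss should be {mtu_v - TCPIP_HEADERS} (ip mtu minus 40)")
    # PAP sends the ISP password in clear text; CHAP never puts the password on the wire.
    if re.search(r"^\s*ppp pap sent-username", config, re.M) and not re.search(r"^\s*ppp chap", config, re.M):
        findings.append("PAP only: configure CHAP as well and let PPP negotiate it")
    # The static IP is reachable from the whole Internet, so the exec path must be locked down.
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret': privileged exec is unprotected")
    vty = re.search(r"^line vty .*\n((?:[ \t].*\n?)*)", config, re.M)
    body = vty.group(1) if vty else ""
    if not re.search(r"^\s*login", body, re.M):
        findings.append("vty: no 'login', remote exec access needs a password")
    if "telnet" in body or "transport input ssh" not in body:
        findings.append("vty: allow only 'transport input ssh' (Telnet is clear text)")
    if "access-class" not in body:
        findings.append("vty: no access-class restricting management source addresses")
    return findings

# Constructed sample configs: the address and credentials are placeholders, not real values.
BASE = """\
interface FastEthernet0/0
 ip tcp adjust-mss 1452
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address 203.0.113.10 255.255.255.0
 ip mtu 1492
 encapsulation ppp
 ppp chap hostname user@isp.example
 ppp chap password 0 CHANGE-ME
"""
AS_POSTED = BASE + "line vty 0 4\n password 0 CHANGE-ME\n login\n transport input telnet ssh\n"
HARDENED = BASE + "enable secret 5 PLACEHOLDER-HASH\nline vty 0 4\n access-class 10 in\n login local\n transport input ssh\n"
```

Run `audit_oob_router(AS_POSTED)` against a copy of your own running-config to see which of the three exposure findings still apply before the line goes live.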
Turn on PPP debugging in case there are issues with PPP authentication:
debug ppp negotiation
If you turn on debugging, don't forget to turn it all off at the end of troubleshooting, as it can consume some of your router's resources during normal operation:
no debug all
Overall, this was an inexpensive solution to get the job done, and the client would proactively monitor the Ethernet interface with the static IP going forward, to avoid situations where engineers find out about a broken service only when they actually need to use it. A brand new Cisco 2611 costs around $2K; we, however, bought a used one from a reseller for only $200. Monthly recurring charges for the DSL line would be $30/month.
We welcome anyone to share their solution for this specific problem.