Hi All,
Recently posted about console server with VyOS here:
The POC we went with was Option 1.
So far works amazingly well. We set it all up with ansible and the config module. Will probably make a few tweaks to how we access these console devices, either by being in the office or on vpn to get to it via site-to-site/ipsec and set the firewall rules up accordingly, or port-knock and ssh for an extra layer, or both… The only downside we have with this current set up is Its attached to 1 Vyos Box and if IT dies, then we lose console to all the things, Our option for this is a console server per VyOS box and some DB9 Y splitters so we can connect to serial from either VyOS box, but that is a future “ME” problem.
here are some example snippets:
console-vars.yml
---
# Get port information from firewall `show hardware usb serial`
console:
staging-switch-1:
port: "usb0b1.1.1p1.0"
speed: 9600
ssh_port: 21022
staging-switch-2:
port: "usb0b1.1.1p1.1"
speed: 9600
ssh_port: 21023
staging-leaf-1:
port: "usb0b1.1.1p1.2"
speed: 9600
ssh_port: 21024
staging-leaf-2:
port: "usb0b1.1.1p1.3"
speed: 9600
ssh_port: 21025
console-server.cfg
{% if console is defined %}
{% set rule_number = namespace(value=10) %}
{% for alias, con in console.items() %}
set service console-server device {{ con.port }} alias '{{ alias }}'
set service console-server device {{ con.port }} speed '{{ con.speed }}'
set service console-server device {{ con.port }} ssh port '{{ con.ssh_port }}'
{# Set firewall port group for CONSOLE ports #}
{% for alias, con in console.items() %}
set firewall group port-group CONSOLE port '{{ con.ssh_port }}'
{% endfor %}
{# Set firewall for CONSOLE-INPUT #}
set firewall ipv4 name CONSOLE-INPUT default-action 'drop'
set firewall ipv4 name CONSOLE-INPUT rule {{ rule_number.value }} action 'accept'
set firewall ipv4 name CONSOLE-INPUT rule {{ rule_number.value }} description 'allow console to {{ alias }}'
set firewall ipv4 name CONSOLE-INPUT rule {{ rule_number.value }} destination port '{{ con.ssh_port }}'
set firewall ipv4 name CONSOLE-INPUT rule {{ rule_number.value }} protocol 'tcp'
set firewall ipv4 name CONSOLE-INPUT rule {{ rule_number.value }} source group network-group NET-ADMIN
{% set rule_number.value = rule_number.value + 10 %}
{# Set firewall Input filter to JUMP to CONSOLE-INPUT #}
set firewall ipv4 input filter rule 40 action 'jump'
set firewall ipv4 input filter rule 40 destination group port-group 'CONSOLE'
set firewall ipv4 input filter rule 40 jump-target 'CONSOLE-INPUT'
set firewall ipv4 input filter rule 40 protocol 'tcp'
{% endfor %}
{% endif %}
roles/console_server/tasks/main.yml
- name: "Set up console server configuration"
vyos_config:
src: console-server.cfg
notify: Save config
roles/console_server/handlers/main.yml
---
- name: Save config
vyos_config:
save: true
This is currently in our staging network, with the two supermicro edge servers as our VyOS router/firewalls.
So far this works well with the supplied cables and the DB9 to RJ45 cables that come with cisco devices, We are planning to make our own RJ45 - RJ45 cables, as the pin-out doesn’t appear to be standard rollover cables or atleast when we tried to use a normal patch lead and cut the end off and reverse it, it didn’t work. This is the ideal scenario, alternatively we are looking at getting a couple of these StarTech.com ROLLOVER Cisco Console Rollover Adapter for RJ45 to test, based on the size these may need to go at the device end, but would allow us to use normal patch leads.
