Console Port, Telnet, and SSH Handling

This chapter includes the following sections:

Notes and Restrictions for Console Port, Telnet, and SSH

  • Telnet and Secure Shell (SSH) settings configured in the transport map override any other Telnet or SSH settings when the transport map is applied to the Ethernet management interface.

  • Only local usernames and passwords can be used to authenticate users entering a Ethernet management interface. AAA authentication is not available for users accessing the device through a Ethernet management interface using persistent Telnet or persistent SSH.

  • Applying a transport map to a Ethernet management interface with active Telnet or SSH sessions can disconnect the active sessions. Removing a transport map from an interface, however, does not disconnect any active Telnet or SSH session.

  • Configuring the diagnostic and wait banners is optional, but recommended. The banners are especially useful as indicators to users about the status of their Telnet or SSH attempts.

Console Port Overview

The console port on the device is an EIA/TIA-232 asynchronous, serial connection with no flow control and an RJ-45 connector. The console port is used to access the device and is located on the front panel of the Route Processor.

For information on accessing the device using the console port, see Using Cisco IOS XE Software.

Console Port Handling Overview

If you are using the console port to access the router, you are automatically directed to the Cisco IOS command-line interface (CLI).

If you are trying to access the router through the console port and send a break signal (by entering Ctrl-C or Ctrl-Shift-6, or by entering the send break command at the Telnet prompt) before connecting to the CLI, you are directed to a diagnostic mode if the non-RPIOS subpackages are accessible. These settings can be changed by configuring a transport map for the console port and applying that transport map to the console interface.

Configuring a Console Port Transport Map

This task describes how to configure a transport map for a console port interface on the device.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. transport-map type console transport-map-name
  4. connection wait [allow [interruptible] | none [disconnect]]
  5. (Optional) banner [diagnostic | wait] banner-message
  6. exit
  7. transport type console console-line-number input transport-map-name

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

transport-map type console transport-map-name

Example:


Router(config)# transport-map type console consolehandler

Creates and names a transport map for handling console connections, and enters transport map configuration mode.

Step 4

connection wait [allow [interruptible] | none [disconnect]]

Example:


Router(config-tmap)# connection wait none

Specifies how a console connection will be handled using this transport map.

  • allow interruptible—The console connection waits for a Cisco IOS VTY line to become available, and also allows users to enter diagnostic mode by interrupting a console connection that is waiting for a Cisco IOS VTY line to become available. This is the default setting.

    Note

     
    Users can interrupt a waiting connection by entering Ctrl-C or Ctrl-Shift-6.

  • none—The console connection immediately enters diagnostic mode.

Step 5

(Optional) banner [diagnostic | wait] banner-message

Example:


Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to Diagnostic Mode--
X
Router(config-tmap)#

(Optional) Creates a banner message that will be seen by users entering diagnostic mode or waiting for the Cisco IOS VTY line because of the console transport map configuration.

  • diagnostic—Creates a banner message seen by users directed to diagnostic mode because of the console transport map configuration.

    Note

     
    Users can interrupt a waiting connection by entering Ctrl-C or Ctrl-Shift-6.

  • wait—Creates a banner message seen by users waiting for Cisco IOS VTY to become available.

  • banner-message—Banner message, which begins and ends with the same delimiting character.

Step 6

exit

Example:


Router(config-tmap)# exit

Exits transport map configuration mode to re-enter global configuration mode.

Step 7

transport type console console-line-number input transport-map-name

Example:


Router(config)# transport type console 0 input consolehandler

Applies the settings defined in the transport map to the console interface.

The transport-map-name for this command must match the transport-map-name defined in the transport-map type console command.

Examples

The following example shows how to create a transport map to set console port access policies and attach to console port 0: 

Router(config)# transport-map type console consolehandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to diagnostic mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
Waiting for IOS vty line
X
Router(config-tmap)# exit
Router(config)# transport type console 0 input consolehandler

Viewing Console Port and SSH Handling Configurations

Use the following commands to view console port, SSH, and Telnet handling configurations:

  • show transport-map

  • show platform software configuration access policy

Use the show transport-map command to view transport map configurations.

show transport-map [all | name transport-map-name | type [console [ssh ]]

This command can be used either in user EXEC mode or privileged EXEC mode.

Example

The following example shows transport maps that are configured on the device: a console port (consolehandler), persistent SSH (sshhandler), and persistent Telnet transport (telnethandler): 

Router# show transport-map all
Transport Map:
Name: consolehandler
Type: Console Transport
 
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
 
Waiting for the IOS CLI
 
bshell banner:
 
Welcome to Diagnostic Mode
 
 
Transport Map:
Name: sshhandler
Type: Persistent SSH Transport
 
Interface:
GigabitEthernet0/0/0
 
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
 
Waiting for IOS prompt
 
Bshell banner:
Welcome to Diagnostic Mode
 
 

 
Router# show transport-map type console
Transport Map:
Name: consolehandler
Type: Console Transport
 
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
 
Waiting for the IOS CLI
 
Bshell banner:
 
Welcome to Diagnostic Mode
 
 
Router# show transport-map type persistent ssh
Transport Map:
Name: sshhandler
Type: Persistent SSH Transport
 
Interface:
GigabitEthernet0
 
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
 
Waiting for IOS prompt
 
Bshell banner:
 
Welcome to Diagnostic Mode
 
 
SSH:
Timeout: 120
Authentication retries: 5
RSA keypair: sshkeys
  

 
Router# show transport-map name consolehandler
Transport Map:
Name: consolehandler
Type: Console Transport
 
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
 
Waiting for the IOS CLI
 
Bshell banner:
 
Welcome to Diagnostic Mode

Use the show platform software configuration access policy command to view the current configurations for handling the incoming console port, SSH, and Telnet connections. The output of this command provides the current wait policy for each type of connection (Telnet, SSH, and console), as well as information on the currently configured banners.

Unlike the show transport-map command, the show platform software configuration access policy command is available in diagnostic mode so that it can be entered in scenarios where you need transport map configuration information, but cannot access the Cisco IOS CLI.

Example

Router# show platform software configuration access policy
The current access-policies
 
Method : telnet
Rule : wait
Shell banner:
Wait banner :
 
Method : ssh
Rule : wait
Shell banner:
Wait banner :
 
Method : console
Rule : wait with interrupt
Shell banner:
Wait banner :

Example

The following example shows the show platform software configuration access policy command being issued both before and after a new transport map for SSH are configured. During the configuration, the connection policy and banners are set for a persistent SSH transport map, and the transport map for SSH is enabled. 

Router# show platform software configuration access policy
The current access-policies
 
Method : telnet
Rule : wait with interrupt
Shell banner:
Welcome to Diagnostic Mode
 
Wait banner :
Waiting for IOS Process
 
 
Method : ssh
Rule : wait
Shell banner:
Wait banner :
 
Method : console
Rule : wait with interrupt
Shell banner:
Wait banner :
 
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# transport-map type persistent ssh sshhandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
Welcome to Diag Mode
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
Waiting for IOS
X
Router(config-tmap)# rsa keypair-name sshkeys
Router(config-tmap)# transport interface gigabitethernet 1
Router(config-tmap)# exit
Router(config)# transport type persistent ssh input sshhandler
Router(config)# exit
 
Router# show platform software configuration access policy
The current access-policies
 
Method : telnet
Rule : wait with interrupt
Shell banner:
Welcome to Diagnostic Mode
 
Wait banner :
Waiting for IOS process
 
 
Method : ssh
Rule : wait with interrupt
Shell banner:
Welcome to Diag Mode
 
Wait banner :
Waiting for IOS
 
 
Method : console
Rule : wait with interrupt
Shell banner:
Wait banner :