How To use VyOS as a Console Server

Overview

This article covers how to enable a Protectli Vault to run as a Serial Console server using VyOS 1.3 or later.  All of the parts and components used can be purchased directly from Protectli.

Solution Brief

Serial console servers are a critical component of resilient network designs. Out-of-band control is a critical requirement for network engineers, for the moment when you inevitably type something into a terminal and, immediately after pressing Enter, realize you’re working in production instead of your test environment… Not that we’ve ever been there…

The solution is to have a console server connected to your out-of-band network, and the ability to quickly get back on the console using a serial server. Usually you can get one from companies like OpenGear, Digi, or Cisco, such as the ACM7000, IM7200, Cisco NM-16A or Cisco NM-32A.

Some less expensive versions have existed, such as the AirConsole from get-console, but as with many closed-source devices it can be a challenge getting updated software and support.

Our example company needs a console server to attach to our core network switch, as well as one of our production firewalls, and be connected to our out-of-band network to ensure access.

Components

  • A Protectli Vault with USB ports
  • One or more serial console to USB cables that use an FTDI-like chip, or the onboard USB-to-serial port included in the Protectli Vault Pro 2400 and 4600 lines
  • A USB hub if you're looking for EVEN MORE! USB ports.
  • A copy of the VyOS 1.3.x or newer operating system – rolling releases are available from vyos.io, or you can purchase a subscription via the VyOS Foundation

Installation

Start with an installed version of VyOS on your Protectli Vault. You can use our tutorial to get you started.

Connect your USB to serial cables to the Vault.

Log in and let’s locate those cables we just attached.

User: vyos

Password: vyos

show hardware usb

This will list all of your USB devices and their names. You’ll also be able to tab-complete them in the next section.

On my FW2B, I'm starting with the top left port for my console cable, and it's identified as usb0b1p1.0.

Enter configuration mode, start with usb0b1p1.0, and enter a description of what is connected to the other end of it. In our case we’re connecting to a network switch.

configure
set service console-server device usb0b1p1.0 description "Protectli Lab Switch 01"
Hint: You can hit tab after "device" to see what options you can enter next for the device port.

Because our switch only talks at 9600 baud, we also need to set the speed.

set service console-server device usb0b1p1.0 speed 9600

We would also really like to be able to connect directly to the switch over SSH, rather than having to log in to VyOS and then get into it, so we will set up an SSH port as well once local access is confirmed.

First, let’s save the configuration and try logging in to the console of the switch.

commit
exit
show console-server ports
show console-server user
connect console usb0b1p1.0

(To exit, press Control+Shift+E, then the c key, and then the . key; this is also written as "^Ec.")

Now that we’ve confirmed we can access it locally, let’s make it accessible by a port on the Vault so we can get right there.

Go back into configure mode:

configure
set service console-server device usb0b1p1.0 ssh port 4001
commit
exit

Now, from another Linux computer on the network, you can log in using:

ssh vyos@<your vyos ip address> -p4001

Enter your password and you’re right in to your console.

If you set up SSH keys for your user account, you don’t even need to keep a password around to get to the remote serial console.

And that's it. You now have a console server. Make sure you set up proper firewall rules if required, and note that all VyOS users on your system operate as root-level users, so keep access restricted as required by your organization.
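
An added example, not part of the original article or of VyOS itself: a small Python script that reads output in the style of show configuration commands and lists which TCP port reaches which serial device, so the firewall rules mentioned above can be written against a complete inventory. The sample configuration is constructed (only usb0b1p1.0 and its settings come from this article), and the function names are hypothetical.

```python
import shlex
from collections import defaultdict

# Constructed sample in the style of `show configuration commands` output.
# Only usb0b1p1.0 is from the article; the other devices exercise the checks.
SAMPLE_CONFIG = """\
set service console-server device usb0b1p1.0 description 'Protectli Lab Switch 01'
set service console-server device usb0b1p1.0 speed '9600'
set service console-server device usb0b1p1.0 ssh port '4001'
set service console-server device usb0b1p2.0 speed '115200'
set service console-server device usb0b1p2.0 ssh port '4001'
set service console-server device usb0b1p3.0 description 'Lab Firewall 01'
set service ssh port '22'
"""
PREFIX = ["set", "service", "console-server", "device"]

def parse_console_devices(config_text):
    """Return {device: {"description": str, "speed": str, "ssh_port": int}}."""
    devices = defaultdict(dict)
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # handles the quoted, multi-word description
        if tokens[:4] != PREFIX or len(tokens) < 7:
            continue
        name, rest = tokens[4], tokens[5:]
        if rest[0] == "ssh" and rest[1] == "port" and len(rest) == 3:
            devices[name]["ssh_port"] = int(rest[2])
        elif rest[0] in ("description", "speed") and len(rest) == 2:
            devices[name][rest[0]] = rest[1]
    return dict(devices)

def audit(devices):
    """Return (exposed, findings): TCP port -> device list, plus review notes."""
    exposed, findings = defaultdict(list), []
    for name, cfg in sorted(devices.items()):
        port = cfg.get("ssh_port")
        if port is None:
            continue  # reachable only with `connect console` after logging in
        exposed[port].append(name)
        if "description" not in cfg:
            findings.append(f"{name}: SSH port {port} exposed but no description")
    for port, names in sorted(exposed.items()):
        if len(names) > 1:
            findings.append(f"port {port}: assigned to {', '.join(names)}")
    return dict(exposed), findings

if __name__ == "__main__":
    exposed, findings = audit(parse_console_devices(SAMPLE_CONFIG))
    for port, names in sorted(exposed.items()):
        print(f"tcp/{port} -> {', '.join(names)}")
    print("\n".join(findings))
```

Every port in the resulting inventory is a direct path to a device console, so each one should be matched by a firewall rule limiting it to the out-of-band network.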
