Field of the Invention
The invention relates to systems, methods and apparatus involving computer networks, network configurations and network switches. In particular, the invention involves out-of-band serial console access to network appliances within a network configuration.
Description of Related Art
The related art includes, for instance, assorted network systems having network switches in various network configurations. A network system having a given network configuration typically will have distributed network switches for communication with remote network appliances via a shared network connection.
A network system may be part of an enterprise network, which could be, for instance, a large-scale commercial, government, or military network, a large global multinational network, a large national network, a large educational network, or some extension of the Internet at-large. A network system typically has a data center and a network operations center at its core. A data center is a large network node where quantities of computers, network switches, and network appliances reside. A data center usually is manned 24×7 and is outfitted with backup power sources and a failover to a backup data center. A network operations center (“NOC”) is a management center specifically built to manage large enterprise networks, support the configuration and uptime of the network, and is manned 24×7 with network engineers. Some people use the terms data center and NOC interchangeably.
The distant portions within a network system may be considered network edge points, which are remote sites that typically are populated with, for instance, a router, a firewall, a network switch, and one or more network appliances, such as general purpose computers or specific purpose devices. A network appliance may be any device connected to the network, including, for example, a router, a firewall, a network switch, a print server, an intrusion detection device, an application specific device, or a general purpose computer. Network appliances may communicate with other network appliances through a plurality of network connections. The network edge points typically do not have technical personnel onsite and may be managed 100% remotely by a network operations center.
In some instances, a network appliance may need to be managed directly, such as for an application update or fix. Network appliance management often uses a command line interface (CLI), through which an administrator issues commands that the appliance's operating system understands. A user located in an NOC, for instance, may need to remotely manage a network appliance at a network edge point. In some instances, appliance management may occur over the network connection. Network-based appliance management may use Telnet, a clear text network protocol that allows access to remote network devices through the network, or Secure Shell (SSH), a secure replacement for Telnet that provides an encrypted terminal session with a remote device on a network. This method requires that the appliance be functioning, that the network connection be functioning, and that the appliance be connected to the network connection, which typically requires that upstream network appliances, such as a router, also be functioning.
In other instances, appliance management may occur through an appliance's console access port, instead of through a network port, and over serial console access between the user's computer and the console access port. Almost all enterprise-level network appliances contain a serial console port for configuration. The console access port was created to ensure a method to communicate directly with the operating system of the device. A console access port generally uses CLI for configuration and management. The console access port is used for configuration and management only, which may occur directly via a connection to a laptop serial port, or indirectly via an appliance management device's serial port. Serial console access between an appliance and a remote user may occur, for instance, through a terminal server, which is a network appliance that has console access ports that connect directly to the console access ports of the network appliances at the network edge point. Terminal server console access typically assumes CLI appliance management.
A terminal server may use an “out of band” (OOB) connection for appliance management. True out of band management involves methods to access a network device for management purposes using a communication path separate from the network connection. For example, OOB management might use a dial-up modem with a network terminal server connected to a console port to manage a remote device even if the network is not present or configured correctly. Today there are three schools of thought on out of band management: (1) use a phone line connected to a device with a modem and several serial ports (true out of band access); (2) use a cellular modem connected to a device with several serial ports (true out of band access); and (3) use a terminal or console server with a network connection and several serial ports (this is not true out of band access, but it is much less costly, as there are no recurring fees associated with a secondary circuit).
In summary, the method that an NOC typically uses to manage remote sites is to use CLI access to network devices in order to configure them. CLI is keystroke terminal data and is defined as either:
(1) A direct serial connection to the console port found on almost all network devices of substance (routers, firewalls, VOIP switches, managed switches, etc). This is usually accomplished by connecting a laptop directly to the serial port or an OOB management device that provides remote access to the serial port.
(2) A remote network connection using the SSH protocol. This is usually accomplished by an engineer in the NOC who enters the IP address in a simple SSH client software that provides a remote encrypted terminal session to the network appliance.
While a network appliance can be accessed for CLI through its network port, the most common way to ensure CLI access to remote sites is to install hardware, such as a terminal server, also known as a console server, that provides network access to the serial console access ports on all the network appliances. Attaching to the serial port improves reliability because the appliance can be contacted even if its network interface loses its configuration. A terminal server typically has a network interface and some number of serial ports. Each serial port can be connected to a console access port on a network appliance. In order to communicate with the terminal server, its network port usually requires its own IP address, independent of the IP address of the nearby router; that additional IP address usually must be purchased from the network provider, which is a cost borne by the edge point. As cloud computing has increased, however, IP addresses have become more expensive, because cloud computing requires the assignment of increasingly more IP addresses.
When the NOC wants to contact the network appliance via the console access port, it performs a Telnet or SSH connection to the terminal server over the network, and then selects the appropriate serial port connected to that network appliance. Once the access is made, the NOC has CLI access to the network appliance. Inasmuch as this connection is made through the network appliance's serial console access port, many consider the connection to be “out of band” even though the original access is provided using the primary network, which is considered “in band.” The placement of the terminal server is important as to what type of access the NOC will have to the site.
The most typical installation places the terminal server behind the firewall, which has the security advantage that, by being behind the firewall, the terminal server is in the security zone already established by the firewall. The disadvantages include that the device will require its own IP address to be mapped through the router and firewall, and that the device can only be reached if the router, firewall, and network switch are all functioning.
The least common placement of the terminal server is parallel to, i.e., next to, the router. The advantage of a parallel placement is that the terminal server can now be reached regardless of the status of the router, firewall or network switch. The disadvantage of parallel placement is that the terminal server is now in front of the firewall and therefore outside the security zone. The terminal server is sitting directly on the internet, which is considered “untrusted” for obvious reasons. For security, the terminal server usually authenticates users against Remote Authentication Dial-In User Service (RADIUS) (a server-side authentication service that answers requests from any device running a RADIUS client) or TACACS+; with the terminal server in front of the router and firewall, that authentication traffic would now have to cross the internet. This is typically not achievable or recommended.
A third option is to use a terminal server having dual network interfaces, which allows placement of the terminal server next to the router, and allows access to the terminal server over a redundant, backup IP circuit, independent of the primary network. The advantages include that the terminal server may be accessed regardless of the status of the primary network, inasmuch as there is a secondary path to the terminal server via the redundant backup network access. The disadvantages include the cost and infrastructure, insofar as (1) a fixed IP address needs to be purchased for each network interface of the terminal server, and (2) the network edge point may need to pay for a redundant, backup IP network connection, which preferably should be completely independent of the primary network (i.e., not using the same carrier, etc.).
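The three placements just described differ in which edge-site devices must be functioning before the NOC can reach the terminal server's console ports. The following is an added example, not part of the patent text, that models each placement as a set of candidate paths and computes which device failures cut off console access; the device names, paths and failure scenarios are constructed for illustration.

```python
from itertools import combinations

# Constructed edge-site devices. "backup_circuit" is the independent secondary
# IP connection used only by the dual-interface placement.
DEVICES = ("primary_circuit", "router", "firewall", "switch", "backup_circuit")

# Each placement is a list of paths from the NOC to the terminal server; a path is
# the set of devices that must all be working for that path to carry traffic.
PLACEMENTS = {
    # Behind the firewall: one path that depends on every upstream device.
    "behind_firewall": [{"primary_circuit", "router", "firewall", "switch"}],
    # Parallel to the router: reachable as long as the primary circuit is up.
    "parallel": [{"primary_circuit"}],
    # Dual network interfaces: the parallel path plus an independent backup circuit.
    "dual_interface": [{"primary_circuit"}, {"backup_circuit"}],
}


def reachable(placement, failed):
    """True if at least one path to the terminal server avoids every failed device."""
    failed = set(failed)
    return any(not (path & failed) for path in PLACEMENTS[placement])


def single_points_of_failure(placement):
    """Devices whose failure alone leaves the NOC without console access."""
    return sorted(d for d in DEVICES if not reachable(placement, {d}))


def minimal_cut_size(placement):
    """Smallest number of simultaneous device failures that isolates the terminal server."""
    for k in range(1, len(DEVICES) + 1):
        if any(not reachable(placement, combo) for combo in combinations(DEVICES, k)):
            return k
    return None


def availability_report():
    """Per-placement summary: (single points of failure, minimal isolating cut size)."""
    return {p: (single_points_of_failure(p), minimal_cut_size(p)) for p in PLACEMENTS}


if __name__ == "__main__":
    for placement, (spofs, cut) in availability_report().items():
        print(f"{placement:16s} SPOFs={spofs} min_cut={cut}")
```

The model deliberately ignores the security-zone trade-off: parallel and dual-interface placements gain reachability by sitting outside the firewall, which the surrounding text flags as the reason RADIUS or TACACS+ authentication becomes impractical there.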
To the extent that each of these aforementioned terminal server placements has its own disadvantages, new systems, methods and apparatus for serial console access are desired to improve performance and reduce costs.