Out-of-band access (modem) to IDSM2 blade

We will soon have a few IDSM2 blades distributed geographically. My company's security group does not control the Cat 650x switches as such, and I would like to know if there is some way we could get console (modem) access to the IDSM2 blade only (without getting to the switch).

If this is not possible, is there a common console connection that must be shared between the infrastructure group and the security group? Is it possible for us to share modem/console access while still keeping a separation of privileges?

Your help is appreciated. Thank you.

The IDSM-2 itself does not have a console port.

Options to access the IDSM-2:

(1) A user can access the switch console, and from the switch CLI the user can session to the IDSM-2. This would require a physical connection to the switch via the console port (or a terminal server) and passwords to access both the switch and the IDSM-2.

(2) A user could connect to the switch via a modem, and from the switch CLI the user can session to the IDSM-2. This would require a modem connection to the switch and passwords to access both the switch and the IDSM-2.

(3) A user could telnet or SSH to the switch, and from the switch CLI the user can session to the IDSM-2. This would require network connectivity to the IP address of the switch itself and passwords for both the switch and the IDSM-2.

(4) A user could SSH directly to the IDSM-2 command and control IP address. This would require network connectivity to the IDSM-2's command and control IP address and only the passwords for the IDSM-2 itself.

(5) Similar to option 4 above, the user could telnet directly to the IDSM-2.

(6) A user could browse (HTTPS) to the IDSM-2 command and control IP address to access the IDS Device Manager. This would require network connectivity to the IDSM-2's command and control IP address and only the passwords for the IDSM-2 itself.

-------------

During the initial installation of the IDSM-2, options 4, 5 and 6 cannot be used. This is because the IDSM-2 ships with a standard default IP address that is not likely to be usable on your network. For the initial setup, the user must session in from the switch CLI.

However, once the "setup" command has been run on the IDSM-2 and the switch has been configured to place the IDSM-2 command and control port in the correct VLAN, the IDSM-2 is then accessible directly over the network via options 4, 5 and 6.

Once the initial setup is complete, the day-to-day management of the IDSM-2 can be done through direct network access, so there is no need to access the switch.

The only times the switch will need to be accessed again are to configure the sending of packets to the IDSM-2 (usually done during the initial setup and rarely changed) and to reset the module or reload a new image onto the module in case of major problems. (Note that standard upgrades can be performed via direct network access without access to the switch.)

Some users choose to work together with the switch team during the initial setup and during periods of troubleshooting, and then just use direct access via SSH or telnet to the IDSM-2 for the day-to-day activity.

Other groups have used TACACS+ to provide a userid on the switch to the security team. Via TACACS+ configuration entries, the userid for the security team can be limited to executing only the commands that are required to maintain the IDSM-2.

That userid could be used to connect to the switch over the network, or to connect via the switch console or a modem connected to the switch.

If your concern is mainly about times when the network connectivity between your main site and the remote site is down, then have you considered adding a PC at the remote site that would be on the same network as the IDSM-2 command and control address?

You could put a modem in the PC; then, when you need to, you dial in to the PC, and the PC would be able to telnet or SSH to the IP address of the IDSM-2.
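An added example (not from the post above, nor Cisco's or Shrubbery's own documentation) of the TACACS+ approach the answer describes: the switch side sends every privileged command to TACACS+ for authorization on the console, AUX (modem) and vty lines, and a tac_plus group for the security team permits only the `session` and `show module` commands needed to reach the IDSM-2, so resets and image reloads stay with the infrastructure group. The server address, shared-key placeholder, group and user names and the slot number are assumptions.

```text
! --- Catalyst 6500 (IOS) side: assumed TACACS+ server 10.0.0.5 ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.0.0.5 key REPLACE_WITH_SHARED_KEY
! the same method list on every access path, so modem and console
! logins are authorized exactly like network logins
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh

# --- tac_plus (Shrubbery) side: group for the security team ---
group = idsm_ops {
    default service = deny           # anything not listed below is refused
    service = exec {
        priv-lvl = 15                # needed so "session" is available
    }
    cmd = session {
        permit "slot 5 processor 1"  # session into the IDSM-2 in slot 5 only
        deny .*                      # no sessions to other modules
    }
    cmd = show {
        permit "module.*"            # check module status
        deny .*
    }
    cmd = exit { permit .* }
    # no hw-module, reload, configure or copy: those stay with the switch team
}
user = secteam1 {
    member = idsm_ops
    login = cleartext "REPLACE_ME"   # use a hashed password in practice
}
```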

Tags: Cisco Security

Similar Questions

  • Question about PowerConnect M6220 and 8024-K out-of-band/management connection

    I'm sorry if this question belongs to another section, but with regard to the functionality of these switches I thought I would start here.

    My question is, does the M6220 and 8024-K out-of-band connection go through the on-board connections (for example, port 18) or through the connection of the M1000e CMC?

    The reason for this question: we recently VLANed our network, and the CMC modules are on VLAN 8 (10.100.8.0 255.255.248.0) while management of our switches is supposed to be on VLAN 1 (10.100.1.0 255.255.255.0). I can't ping the affected IPs (i.e. 10.100.1.15), but our CMC modules are fully accessible (i.e. 10.100.9.120). Our blades are fully accessible and can access all the VLANs on them (they are the ESX hosts).

    Finally, I'm sorry if not all necessary information has been provided; I'm not so much of a networking guru.

    Thoughts?

    Thanks for your help

    The OOB interface is connected to the chassis management controller through the midplane of the chassis. Traffic on this port is separated from the network traffic on the switch ports and cannot be switched or routed to the operational network.

  • My account has been blocked, I forgot security question answers. Could someone help me to sort out how to access my account security question unanswered!

    Hello

    You must work with Yahoo support and their forums.

    Yahoo help and support
    http://help.Yahoo.com/l/us/Yahoo/helpcentral/

    Yahoo products and services
    http://everything.Yahoo.com/us/

    I hope this helps.

    Rob Brown - Microsoft MVP

  • Microsoft Out-Of-Band security for December 17, 2008 bulletin

    Microsoft Security Bulletin for December 17, 2008

    Published: December 9, 2008 | Updated: December 17, 2008

    Note: There may be replication latency problems; if the page does not load, keep refreshing.

    Today Microsoft released the following critical out-of-band security bulletin:

    Microsoft Security Bulletin MS08-078 - Critical
    Security Update for Internet Explorer (960714)
    Published: 17 December 2008

    Version: 1.0

    General information
    Executive summary
    This security update addresses a publicly disclosed vulnerability. This vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

    This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For information about Internet Explorer 8 Beta 2, please refer to the Frequently Asked Questions (FAQ) section related to this security update. For more information, see the subsection, Affected and Non-Affected Software, in this section.

    The security update addresses the vulnerability by modifying the way that Internet Explorer validates data binding parameters and handles the error that results in the exploitable condition. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection in the Vulnerability Information section.

    Recommendation. Microsoft recommends that customers apply the update immediately.

    Known issues. None.

    This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051:
    http://www.Microsoft.com/technet/security/advisory/961051.mspx

    http://www.Microsoft.com/technet/security/bulletin/MS08-078.mspx

    Security Update for Internet Explorer 7 in Windows Vista x64 Edition (KB960714)
    http://www.Microsoft.com/downloads/details.aspx?FamilyId=69979d92-8d45-47FE-AC4C-c2f1f23cf1fb&displaylang=en

    NICK ADSL UK

  • Default gateway of 8132F Out of Band

    Hello

    I want to check whether the default gateway for the out-of-band port on the 8132F is the same as the default gateway for the switch.

    As far as I can see, the default gateway of the 8132F is not the same as the out-of-band default gateway.

    ---

    out-of-band interface
    IP 192.168.10.210 255.255.255.0 0.0.0.0   <-- can assign another
    output
    default IP gateway - 172.16.0.5
    IP route 0.0.0.0 0.0.0.0 172.16.0.5 253
    ---
    Thank you!

    The out-of-band port is at the back of the switch and is for out-of-band management. Page 93 of the user guide shows you where the port is located and has a good description of the port.

    http://Dell.to/1LAfyCM

    If you do not use the port, then there is no need to set the gateway for it.

  • 4500-X out-of-band management interface

    Each of the 4500-X switches in our stack has an Fa1 interface beside the serial console port. My understanding is that this should be used for out-of-band management of the switch. Here is the configuration of the interface:

    interface FastEthernet1
     vrf forwarding mgmtVrf
     ip address 172.21.2.30 255.255.255.0
     speed auto
     duplex auto
    end

    The configuration was the default. The only thing that I changed was the IP address information. My question relates to things like domain-lookup and TACACS. I can't use this interface for these functions. Even if I add the following global configuration to my config:

    ip domain-lookup source-interface Fa1
    ip radius source-interface Fa1

    the switch is unable to communicate with the DNS servers referenced by the ip name-server command or the TACACS+ servers referenced in the RADIUS server profile section.

    In the case of TACACS, the following debug output is produced when I try to open a session using TACACS:

    * 10:24:58.874 29 August: MORE: Queuing AAA request 38 for processing authentication

    * 10:24:58.874 29 August: MORE: treatment demand beginning 38 authentication id

    * 10:24:58.874 29 August: MORE: authentication start package created for 38 (sdavidso)

    * 10:24:58.874 29 August: MORE: using the 172.19.40.31 Server

    * 10:24:58.874 29 August: HIGHER (00000026) / 0: road to connect error no. to host

    * 10:24:58.874 29 August: MORE: choose the next server 172.19.40.32

    * 10:24:58.874 29 August: HIGHER (00000026) / 0: road to connect error no. to host

    * 10:25:05.539 29 August: MORE: Queuing AAA request 38 for processing authentication

    * 10:25:05.539 29 August: MORE: treatment demand beginning 38 authentication id

    * 10:25:05.539 29 August: MORE: authentication start package created for 38 (sdavidso)

    * 10:25:05.539 29 August: MORE: using the 172.19.40.31 Server

    * 10:25:05.539 29 August: HIGHER (00000026) / 0: road to connect error no. to host

    * 10:25:05.539 29 August: MORE: choose the next server 172.19.40.32

    * 10:25:05.539 29 August: HIGHER (00000026) / 0: road to connect error no. to host

    This output shows that I can ping the RADIUS servers:

    HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.31
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.19.40.31, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.32
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.19.40.32, timeout is 2 seconds:
    !!!!!

    Is the Fa1 interface deliberately unusable for these types of functions, or is there something I can do to make this work for my setup?

    Thank you

    Steven

    Given that you can reach the remote RADIUS server, I assume that you have created a default route for the mgmtVrf:

    ip route vrf mgmtVrf 0.0.0.0 0.0.0.0

    The other bit you need to address is in config-sg-tacacs+ mode:

    ip vrf forwarding mgmtVrf

  • Deployment of Out-of-Band NAC on wireless networks

    I am evaluating NAC for my wired and wireless users. I've read that the only way to deploy NAC for wireless is in in-band mode, but the following link seems to explain that it is possible to deploy NAC in either in-band or out-of-band mode for wireless networks:

    "NAC Appliance can be deployed for wireless LANs in an in-band deployment at the endpoint for full-time scanning, or out-of-band at a central site for periodic scanning to confirm posture compliance. The NAC Appliance server performs authentication, posture assessment and remediation. The server securely controls the traffic of authenticated and unauthenticated users through port/protocol or subnet-based traffic management policies, offering policy-based bandwidth management on a shared or per-user basis, or by using session timers and heartbeat checks. (Figure 1)"

    http://www.Cisco.com/en/us/prod/collateral/wireless/ps5678/ps6521/prod_brochure0900aecd80355b2f_ps6128_Products_Brochure.html

    Does anyone know if it is possible to use an out-of-band NAC deployment for wireless networks? If you can point me to documentation it would be appreciated.

    Regards

    That's right

  • Out-of-band management with an ISE appliance

    Hello

    I want to know if it is possible to use the GigabitEthernet 1 port as a management port (out-of-band management).

    I try to set it up.

    When I do that I can ping, but I can't do a SSH for this Ip address.

    The error message is: "the remote system refused the connection."

    Why does it not work?

    (Note that this works on a premium device that is quite the same).

    Here is my config

    +++++++++++++++++

    ZZSDC2ISE3 / admin # sh run
    Building configuration...
    !
    hostname ZZSDC2ISE3
    !
    ip domain-name resource.local
    !
    interface GigabitEthernet 0
      ip address 172.26.58.138 255.255.255.240
      ipv6 address autoconfig
    !
    interface GigabitEthernet 1
      ip address 172.26.200.62 255.255.255.0
      ipv6 address autoconfig
    !

    +++++++++++++++++++++

    Miche Misonne

    This may be possible in version 1.2; for now only gig0 can be used for management.

  • WRT54G w/ Macs - modem access drops on sharing

    I have a WRT54G (v8) connected to an Actiontec DSL modem. Connected to the router are a Macbook Pro and a Mac Pro, both wireless and a Wii via ethernet.

    Everything works fine as long as I don't access other machines. For example, if I want to browse files on my Mac Pro (office) from my MBP, I can 'see' the office machine and connect. But as soon as I try to transfer files, I lose the connection with the Actiontec modem. The transfer completes correctly, and when I check the WRT54G, everything seems fine. But I have to manually restart the router to restore communication with the Actiontec modem.

    For clarity, before I try to transfer, I can connect to the Actiontec. When the connection dies, I can still get to the Linksys router, but a restart from the admin screen does not work - I have to physically disconnect and then reconnect the power on the Linksys.

    The (PPPoE) modem has wireless disabled, and I use WEP. Once I reboot the router, everything works well again.

    Any ideas on how to avoid this problem?

    Lowered the MTU on the WRT to 1350 and power-cycled the router. Now checking.

  • RE6500HG does not detect the 5 GHz transmission of a dual-band access point

    I have a dual-band (2.4 GHz & 5 GHz) access point in the living room, and the RE6500HG is located in the room adjacent to the living room. During the installation, the RE6500HG could detect only the 2.4 GHz transmission, and after a few tries I had to settle for a single-band (2.4 GHz) configuration.

    My iPad Air in the room could receive the 5 GHz signal from the living room AP. In an experiment, I set up the RE6500HG in the living room at distances ranging from 1 meter to 5 meters without success in configuring the RE6500HG for 5 GHz.

    Is my RE6500HG defective? I bought the unit yesterday (April 27).

    Try setting the router's 5 GHz radio to channel 36.

  • Locked out of Admin Access and password has been deleted or changed.

    I've been locked out of my account and I can not get access to the C drive, not even with the command prompt. Whenever I try to use the Windows Management Console it says "incorrect parameters". What does this mean and how can I get access again?

    Oh, and I have Vista, and I tried "net user administrator /active:yes" and I can't access my UAC or C drive. Also, when I open the command prompt and type "dir" I get access denied, even as an administrator.

    How is that possible? I was told there is a way to get rid of all passwords on my computer to reset them?

    Thanks, :))

    Making it big!

    Hi David,

    No, still can not; the message says: username or password incorrect.

    As for the guest account thing, Yes, you're just weird, I couldn't access the C drive on my regular account, but from the reviews, I can. HM... indeed.

    Can you suggest someone who can help?

    Thank you

    Q

    Making it big!

    There are many MVPs and experts who can help you.
    Just be patient and wait.

    A much more radical action is to perform a Vista repair install, as long as you have the Vista Installation DVD. (Read the Note in the tutorial section.)
    Here is the tutorial...
    http://www.Vistax64.com/tutorials/88236-repair-install-Vista.html

    If you are not comfortable doing this, get a friend who is knowledgeable in computers to help you.

    Another choice would be to take it to your RELIABLE local computer service shop.
    It will cost you, but you can rest assured that the problem is solved.
    DO NOT take it to Best Buy or any geek squad 'joints'.

    I would just wait for better answers from the experts in this forum. For the benefit of others looking for answers, please mark the suggestion as the answer if it solves your problem.

  • Out-of-Band management on the servers in the DMZ

    Hi, I have four PC7048s in my DMZ: external facing, internal facing and 2 separate DMZs. Everything is good. All working.

    Since they are DMZs I only want them to route between themselves, and so I have turned off HTTP, HTTPS, Telnet and SSH management so that they cannot be managed remotely from the DMZ subnets.

    I then plugged the OOB interfaces into my internal management switch and VLANed them accordingly. Very well, now I can ping my OOB interfaces on all four. But I can't manage them because I have disabled SSH, HTTPS, HTTP and Telnet.

    If I enable them (just SSH and HTTPS), I am now able to manage the DMZ switches on the DMZ subnet IPs.

    I thought the point of the OOB was so this does not happen and there is isolation? If I have to enable HTTPS and SSH globally, then they are not really well isolated (I understand that OOB traffic cannot talk to in-band etc. - the issue is that I am turning on a global configuration for the OOB remote service).

    Am I missing something?

    Thank you

    Your results are correct. To lock down the management further I suggest looking at implementing ACLs. With ACLs you can permit/deny access to the various management services.

    Page 1471 of the user guide goes over these commands.

    FTP.Dell.com/.../PowerConnect-7048r_Reference%20Guide_en-US.pdf

    Thank you

  • PowerConnect 7000 series in-band versus out-of-band management

    Hi all, I have four PowerConnect 7024s configured as two stacks: one stack is dedicated to iSCSI and the other stack is my front-end network. I have set up the iSCSI stack with OOB management, with the OOB port connected to my front-end stack, but how do I set up management of the front-end stack? I tried to configure in-band management during installation but stupidly did not test it, and now it's deployed and I can't manage the stack remotely. How do others remotely manage their core stack if there is nowhere else to connect the OOB port to? The PowerConnect switch discourages in-band management, but I don't see why you would not use it in this situation. Thank you, Christian

    If you can connect a laptop to the serial port: the RJ45 beside the OOB port is the serial port, but you would need a cable to convert RJ45 to serial and then possibly serial to USB. You can access it through PuTTY and set a static IP address to use on the OOB port with the command ip address {ip-address {mask | prefix-length} | dhcp}

    It is also set to DHCP mode by default, so if you connect the OOB port to something that provides DHCP it can get an address.

  • Can C6220 nodes be added to OME via out-of-band (CMC)?

    Hi, I tried to add C6220 nodes with the WS-MAN protocol and it doesn't seem to work. How can I add these to OME in an out-of-band way? I noticed that we cannot ssh (or telnet) to the CMC IPs, only https.

    Thank you very much

    Naseem

    Hi Naseem,

    I believe you are referring to a PowerEdge C server. Support for this server is via the IPMI protocol. When you discover them using IPMI, they will be classified as PowerEdge C servers in the device tree view. Hope this answers your query.

  • RV042G - access to a modem connected to a WAN port

    Hello

    I've set up my RV042G with one WAN line, currently using an Alice IAD modem to connect to my ISP. This unit has its own web server for configuration, currently configured at IP 192.168.0.1. The dual WAN router got the WAN IP address 192.168.0.4 (fixed address) and a LAN IP of 192.168.0.5. Now, I need to access the modem from time to time for maintenance but cannot reach address 192.168.0.1. Can the RV042G be configured to allow communication between the modem and the LAN devices? I tried to put in a static route, but that did not help. I'm certainly not a network expert.

    Thank you

    Mike

    Hi Mike, if your modem can be logged on to locally, then the RV042G LAN subnet should be different from the modem's LAN subnet. Given that your modem is 192.168.0.x, your RV042G can be 192.168.1.x for LAN. So the RV042G WAN is 192.168.0.x.

    This should get you to your goal.

    -Tom
    Please mark helpful replies as answered.
