To configure a router or switch, an administrator must establish a management connection. Network engineers classify management methods into two main categories: Out-of-Band (OOB) management (using dedicated physical links) and In-Band management (using standard data network links).
Quick Comparison
Always use Out-of-Band management when configuring a device for the first time or when the main network is down. Use In-Band management for remote configuration when the network is online.
1. Physical Management Lines (Out-of-Band)
Out-of-Band management does not rely on an IP address or the network topology being online. It utilizes dedicated physical connections directly to the device:
Console Port
- Purpose: Primary gateway used for initial device bootstrapping, troubleshooting boot loops, password recovery, or when IP access is lost.
- Connection: A rollover console cable (DB-9 to RJ-45) or a modern USB-to-mini-USB cable connects directly from a PC's serial/USB port to the device's Console port.
- Baud Rate: Typically configured at 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control.
Auxiliary (AUX) Port
- Purpose: Legacy remote management method. Typically connected to an external dial-up modem.
- Use Case: Allows dial-up console access over a phone line as a redundant management channel if the WAN link fails. Switches generally do not have AUX ports; they are found primarily on routers.
2. Virtual Terminal Lines (In-Band)
In-Band management routes packets over the active network interface. It requires the target device to have an IP address configured, a functional network interface, and active routing path reachability:
VTY (Virtual Teletype) Lines
- Purpose: Logical software interfaces that handle incoming remote terminal sessions.
- Line Range: Cisco switches and routers usually support multiple concurrent connections. Most devices have 16 virtual lines, numbered 0 to 15, addressed as line vty 0 4 and line vty 5 15.
- Protocols: Supports Telnet (unencrypted, plaintext, TCP port 23) and SSH (encrypted, TCP port 22).
Security Warning
Telnet transmits passwords and terminal text in plaintext, so anyone capturing the packets with a tool like Wireshark can read administrative credentials directly off the wire. Always restrict VTY lines to SSH only with the line command transport input ssh.
3. Configuring Basic Remote VTY Access
To enable Telnet or SSH remote access on a device, configure the VTY lines with authentication requirements:
```
Router(config)# line vty 0 15
Router(config-line)# password RemoteCiscoPass
Router(config-line)# login
```
This setup prompts remote users for a single shared password when connecting. A more robust practice is to authenticate against local user accounts, which gives per-user accountability, and to restrict the line to SSH:
```
Router(config)# username admin privilege 15 secret CiscoAdminPass
Router(config)# line vty 0 15
Router(config-line)# login local
Router(config-line)# transport input ssh
```
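A quick way to verify that the hardening above has actually been applied is to audit a saved running-config for VTY stanzas that still allow Telnet or still use a shared line password. The following Python script is an added example, not part of the original notes or any Cisco tool; the configuration text it parses is constructed for illustration.

```python
# Constructed sample running-config excerpt (not captured from a real device):
# vty 0 4 still uses a shared line password and allows Telnet,
# vty 5 15 uses the local user database and is restricted to SSH.
SAMPLE_CONFIG = """\
hostname Router
username admin privilege 15 secret CiscoAdminPass
line con 0
 login
line vty 0 4
 password RemoteCiscoPass
 login
 transport input all
line vty 5 15
 login local
 transport input ssh
"""


def parse_lines(config):
    """Group the indented sub-commands under each 'line ...' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the stanza
    return stanzas


def audit_vty(config):
    """Return {vty_range: [findings]} for every VTY stanza in the config."""
    findings = {}
    for name, cmds in parse_lines(config).items():
        if not name.startswith("vty"):
            continue
        issues = []
        transports = [c for c in cmds if c.startswith("transport input")]
        # Anything other than an explicit 'transport input ssh' is flagged:
        # the platform default varies and may still accept Telnet.
        if not transports or any(c.split()[2:] != ["ssh"] for c in transports):
            issues.append("telnet-allowed")
        # 'login' without 'login local' means one shared password, no per-user accountability.
        if "login" in cmds and "login local" not in cmds:
            issues.append("shared-line-password")
        if "login" not in cmds and "login local" not in cmds:
            issues.append("no-login")
        findings[name] = issues
    return findings
```

Running audit_vty(SAMPLE_CONFIG) flags vty 0 4 for both weaknesses and reports vty 5 15 as clean.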
| Line Type | Physical Port | Requires IP Address? | Best Use Case |
|---|---|---|---|
| Console | Console (RJ-45 / USB) | No | Initial setup, boot monitoring, disaster recovery. |
| AUX | Auxiliary (RJ-45) | No (Modem dial-up) | Legacy emergency backup dial-in. |
| VTY | Logical Interfaces (SSH/Telnet) | Yes | Day-to-day remote configuration and management. |