{"id":49,"date":"2020-07-16T23:30:17","date_gmt":"2020-07-16T15:30:17","guid":{"rendered":"https:\/\/blog.swineson.me\/en\/?p=49"},"modified":"2020-07-17T00:54:40","modified_gmt":"2020-07-16T16:54:40","slug":"mop-the-unknown-mac-telnet-protocol-on-cisco-routers","status":"publish","type":"post","link":"https:\/\/blog.swineson.me\/en\/mop-the-unknown-mac-telnet-protocol-on-cisco-routers\/","title":{"rendered":"MOP: The Unknown &#8220;MAC Telnet&#8221; Protocol on Cisco Routers"},"content":{"rendered":"<p>When I was replacing all my buggy little MikroTik RouterOS boxes and VMs with some new shiny (and also buggy) Cisco ISR1000s and CSR1000vs a few years ago, there were several things that I missed so much that existed on the former but not on the latter. One of them was the &#8220;MAC Winbox&#8221; and &#8220;MAC Telnet&#8221; capability: you plug your maintenance workstation into the router with an Ethernet cable, fire up Winbox, and it lets you configure the router over a layer 2 connection. It requires no valid IP configuration, so it works as long as you don&#8217;t shut down the port and there is no wild switch ACL in place. Newer routers have USB console ports, and I do have a console cable in my EDC, but a router&#8217;s ability to be configured without a console cable is still a big advantage to me.<\/p>\n<p>Imagine my face today when I learned that Cisco routers (IOS and IOS XE) do support a layer 2 protocol with remote console capability. And the protocol is not new: it dates from the 1980s, and IOS has been quietly supporting it for years. It has even been enabled by default for years, and it is still supported (as of IOS XE 17.2).<\/p>\n<p><!--more--><\/p>\n<p>Let me introduce you to the <em>Maintenance Operation Protocol<\/em>. MOP was designed as a remote management protocol for VMS. 
It initially had a lot more capabilities: installing software, remote rebooting, etc., but what we actually need (and what the Cisco OSes actually implement) is its remote console function. The protocol packets are encapsulated directly in Ethernet frames, so it works across a bridge\/switch and without a valid IP configuration.<\/p>\n<p>Let&#8217;s spin up a lab VM and see it in action.<\/p>\n<h1>MOP Server Configuration<\/h1>\n<p>It is simple to enable MOP on a Cisco IOS\/IOS XE system.<\/p>\n<ul>\n<li>MOP should be enabled at the interface level<\/li>\n<li>AAA (username\/password authentication) should be configured<\/li>\n<li>VTY lines should be reserved for MOP<\/li>\n<\/ul>\n<p>Here is a minimal configuration:<\/p>\n<pre class=\"lang:default decode:true \">! set up AAA\r\naaa new-model\r\naaa authorization exec default local\r\nusername admin privilege 15 secret super-strong-passw0rd\r\n\r\n! enable MOP on interface level\r\ninterface GigabitEthernet1\r\n no shutdown\r\n mop enable\r\n\r\n! reserve VTY for MOP\r\nline vty 1 4\r\n transport input mop<\/pre>\n<h1>MOP Client Configuration<\/h1>\n<p>It&#8217;s too hard to find a working VMS installation now, so I&#8217;ll use my Debian 10 for demonstration. 
We only need the client, so remember to disable the server:<\/p>\n<pre class=\"lang:sh decode:true\">apt install latd\r\nsystemctl disable --now latd<\/pre>\n<p>Then we simply connect to the router with an interface and a MAC address:<\/p>\n<pre class=\"lang:default decode:true\">root@localhost:~# ip link set eth0 up\r\nroot@localhost:~# moprc -i eth0 -v 00:02:00:00:00:00\r\nMaintenance Version: 3.0.0\r\n\r\nConsole connected (press CTRL\/D when finished)\r\n\r\nUsername: admin\r\nPassword:\r\n\r\nRouter&gt;\r\n<\/pre>\n<p>You might need to press Enter after the <span class=\"lang:default highlight:0 decode:true crayon-inline \">Console connected<\/span> message to make the username prompt show up.<\/p>\n<h1>Things Worth Noting<\/h1>\n<h2>Default Configuration<\/h2>\n<p>IOS and IOS XE enable MOP by default if you have an empty but defined <span class=\"lang:default highlight:0 decode:true crayon-inline \">interface<\/span> configuration block and the interface is an Ethernet interface (no matter how fast it is). 
In recent versions, if the interface did not previously exist, <span class=\"lang:default highlight:0 decode:true crayon-inline \">no mop enabled<\/span> is generated automatically when the interface is detected.<\/p>\n<h2>Cisco Implementation-Specific Problems<\/h2>\n<p>If you don&#8217;t connect with the <span class=\"lang:default highlight:0 decode:true crayon-inline \">-v<\/span> flag, the connection fails:<\/p>\n<pre class=\"lang:default decode:true\">root@localhost:~# moprc -i eth0 00:02:00:00:00:01\r\ntarget does not support remote console\r\n\r\n<\/pre>\n<p>If MOP is enabled on the interface but the other configuration is missing, you get this instead:<\/p>\n<pre class=\"lang:default decode:true \">root@localhost:~# moprc -i eth0 -v 00:02:00:00:00:01\r\nMaintenance Version: 3.0.0\r\n\r\nConsole connected (press CTRL\/D when finished)\r\n\r\nTarget does not respond\r\n\r\n<\/pre>\n<h2>Monitoring MOP Activity<\/h2>\n<p>MOP-connected users show up in <span class=\"lang:default highlight:0 decode:true crayon-inline \">show user<\/span>:<\/p>\n<pre class=\"lang:default decode:true\">Router#show user\r\n    Line       User       Host(s)              Idle       Location\r\n*  0 con 0                idle                 00:00:00\r\n   1 vty 0     admin      idle                 00:00:06 UNKNOWN\r\n\r\n  Interface    User               Mode         Idle     Peer Address\r\n\r\n<\/pre>\n<p>MOP packet statistics can be viewed with <span class=\"lang:default highlight:0 decode:true crayon-inline \">show interface &lt;interface&gt; accounting<\/span>:<\/p>\n<pre class=\"lang:default decode:true\">Router#show interfaces GigabitEthernet1 accounting\r\nGigabitEthernet1\r\n                Protocol    Pkts In   Chars In   Pkts Out  Chars Out\r\n                   Other          0          0          0          0\r\n                      IP          0          0          0          0\r\n                 DEC MOP       1945     116700       1899     114110\r\n    
                 ARP          0          0          0          0\r\n<\/pre>\n<p>And connection logs can be displayed with <span class=\"lang:default highlight:0 decode:true crayon-inline \">debug mop<\/span>:<\/p>\n<pre class=\"lang:default decode:true\">*Jul 16 15:20:00.096: MOP: Reserving console for 0002.0000.0002\r\n*Jul 16 15:20:00.098: MOP(GigabitEthernet1): Got request_id message from 0002.0000.0002\r\n*Jul 16 15:20:00.098: MOP(GigabitEthernet1): Sending sysid message to 0002.0000.0002\r\n\r\n*Jul 16 15:20:06.427: MOP: Console released by 0002.0000.0002\r\n<\/pre>\n<h2>MOP System ID Messages<\/h2>\n<p>There is an auxiliary configuration at the interface level:<\/p>\n<pre class=\"lang:default decode:true \">interface GigabitEthernet1\r\n mop sysid<\/pre>\n<p>If enabled, IOS sends out packets periodically to announce its support for the MOP protocol. I haven&#8217;t found it useful in any way.<\/p>\n<hr \/>\n<p>References:<\/p>\n<ul>\n<li><a href=\"http:\/\/linux-decnet.sourceforge.net\/docs\/maintop30.txt\" target=\"_blank\" rel=\"noopener noreferrer\">DECnet DIGITAL Network Architecture Maintenance Operations Functional Specification Version 3.0.0<\/a><\/li>\n<li><a href=\"https:\/\/insinuator.net\/2015\/08\/cisco-and-the-maintenance-operation-protocol-mop\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco and the Maintenance Operation Protocol (MOP)<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20160102131234\/http:\/\/blogs.cisco.com\/security\/router_spring_cleaning_-_no_mop_required\" target=\"_blank\" rel=\"noopener noreferrer\">Router Spring Cleaning \u2013 No MOP Required<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When I was replacing all my buggy little MikroTik RouterOS boxes and VMs with some new shiny (and also buggy) Cisco ISR1000s and CSR1000vs a few years ago, there were several things that I missed so much that existed on the former but not on the latter. 
One of them was the &#8220;MAC Winbox&#8221; and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7,8,9],"tags":[],"class_list":["post-49","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-ios","category-cisco-ios-xe"],"acf":[],"_links":{"self":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/49"}],"collection":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":9,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"predecessor-version":[{"id":58,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/49\/revisions\/58"}],"wp:attachment":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}