📘 CCNA 200-301 v1.1
2.8 Describe network device management access (Telnet, SSH, HTTP, HTTPS, console, TACACS+/RADIUS, and cloud managed)
2.8 Describe Network Device Management Access
What is Network Device Management Access?
Network devices (such as switches, routers, and access points) need to be configured, monitored, and troubleshot by administrators.
To do that, we need management access methods: different ways to connect to the device's operating system (IOS) and control it.
There are two main categories of management access:
- Local Access (Out-of-Band): accessing the device directly, without using the network.
- Remote Access (In-Band): accessing the device over the network using IP-based protocols.
🔸 1. Local Access (Console Access)
✅ Console Port
- Physical port on the device used for initial setup or recovery.
- Does not depend on IP connectivity (works even if network settings are wrong).
- Requires a console cable connected from your PC to the device’s console port.
- Accessed using terminal software like:
- PuTTY
- Tera Term
- SecureCRT
Key Points:
- No password by default (until one is configured).
- Used to configure hostname, IP address, passwords, etc.
- Essential for out-of-band management (managing device when network is down).
🔸 2. Remote Access (In-Band Management)
Once the device has an IP address assigned (for example, on a management VLAN or interface), administrators can connect remotely over the network using these protocols:
1. Telnet
- Uses TCP port 23.
- Sends data and passwords in plain text.
- Not secure — can be captured using packet sniffing tools.
- Rarely used today in production.
- Still important for CCNA exams to understand.
Example Command:
```
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# transport input telnet
```
2. SSH (Secure Shell)
- Uses TCP port 22.
- Encrypted and secure — replaces Telnet in modern networks.
- Used to remotely manage Cisco devices safely.
- Requires:
- Device hostname
- Domain name
- RSA key pair (generated on the device for SSH)
- Local or remote login credentials
Example Configuration:
```
Router(config)# hostname R1
Router(config)# ip domain-name example.com
Router(config)# crypto key generate rsa
Router(config)# username admin secret Cisco123
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
```
Key Points:
- Always prefer SSH over Telnet.
- Can be tested from a PC with:
```
PC> ssh -l admin 192.168.1.1
```
3. HTTP (Hypertext Transfer Protocol)
- Uses TCP port 80.
- Allows management through a web browser.
- Some Cisco devices have a web-based interface (for example, Cisco Small Business routers).
- Not secure — credentials and data are sent in plain text.
Example: Accessing http://192.168.1.1 from a browser.
4. HTTPS (HTTP Secure)
- Uses TCP port 443.
- Encrypted using SSL/TLS.
- Provides a secure web management interface for network devices.
- Often used in wireless LAN controllers (WLCs), Cisco Meraki, or Cisco DNA Center.
Example: Accessing https://192.168.1.1 from a browser.
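The Telnet, SSH, HTTP and HTTPS settings above are the first things to check when reviewing a device's running configuration. The following Python script is an added example, not part of the original notes or any Cisco tool: it splits a constructed running-config excerpt into its `line` stanzas and flags the weak choices from the sections above (`transport input telnet`, a shared line password with `login` instead of `login local`, `ip http server` enabled, and `ip http secure-server` missing). The configuration text, hostname and credentials are constructed; `ip http server` and `ip http secure-server` are the IOS commands that enable the HTTP and HTTPS management interfaces.

```python
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from any real device).
# It mixes the insecure Telnet settings with the hardened SSH settings from the
# sections above so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
username admin secret Cisco123
ip http server
no ip http secure-server
line con 0
 login local
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 login local
 transport input ssh
"""


def split_stanzas(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'line ...' stanza.
    Top-level (non-indented) commands are collected under the key ''."""
    stanzas: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())      # sub-command of the open stanza
        elif raw.startswith("line "):
            current = raw.strip()                      # new stanza, e.g. 'line vty 0 4'
            stanzas.setdefault(current, [])
        else:
            current = ""                               # back at global config level
            stanzas[""].append(raw.strip())
    return stanzas


def audit_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    stanzas = split_stanzas(config)
    top = set(stanzas[""])

    # Web management: plaintext HTTP (TCP 80) should be off, HTTPS (TCP 443) on.
    if "ip http server" in top:
        findings.append("global: 'ip http server' enables plaintext HTTP management on TCP 80")
    if "ip http secure-server" not in top:
        findings.append("global: HTTPS management ('ip http secure-server') is not enabled")

    # Remote CLI: every vty stanza should accept only SSH and authenticate real users.
    for name, cmds in stanzas.items():
        if not name.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: no 'transport input' statement, so Telnet may be accepted")
        elif any(proto in ("all", "telnet") for c in transport for proto in c.split()[2:]):
            findings.append(f"{name}: '{transport[0]}' allows plaintext Telnet on TCP 23")
        if "login" in cmds:
            findings.append(f"{name}: shared line password with 'login'; prefer 'login local' or AAA")
        elif not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: no login method configured on this line")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the two global HTTP findings and the two findings on `line vty 0 4`, and reports nothing for `line vty 5 15`, which already matches the SSH configuration shown above. Feeding it the text of `show running-config` from a lab device gives the same kind of checklist.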
🔸 3. Centralized Authentication (AAA)
When multiple administrators manage many devices, you don’t want to configure usernames/passwords on every device individually.
Instead, you can use centralized authentication servers.
This is done using AAA (Authentication, Authorization, Accounting) protocols:
1. TACACS+ (Terminal Access Controller Access-Control System Plus)
- Cisco proprietary (works mainly with Cisco devices).
- Uses TCP port 49.
- Encrypts entire packet (more secure).
- Separates the AAA functions:
- Authentication – Who you are
- Authorization – What you can do
- Accounting – What you did
- Works with Cisco ISE (Identity Services Engine) or ACS servers.
Used for: Admin access control to network devices.
2. RADIUS (Remote Authentication Dial-In User Service)
- Open standard protocol.
- Uses UDP ports 1812 (authentication) and 1813 (accounting).
- Encrypts only passwords, not entire packet (less secure than TACACS+).
- Combines authentication and authorization into one process.
- Commonly used for VPNs, Wi-Fi authentication, and 802.1X access control.
Used for: End-user authentication to the network (wired or wireless).
TACACS+ vs RADIUS Summary
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Ownership | Cisco proprietary | Open standard |
| Transport Protocol | TCP 49 | UDP 1812/1813 |
| Encryption | Entire packet | Password only |
| AAA Separation | Yes (all separate) | No (combined) |
| Usage | Device administration | Network access (VPN/Wi-Fi) |
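The "Password only" versus "Entire packet" rows of the table are easiest to see by building the two protections. The following Python example is added here and is not part of the original notes: it implements the RADIUS User-Password hiding from RFC 2865 (section 5.2) and the TACACS+ body obfuscation from RFC 8907 (section 4.5), then reports what an observer who does not hold the shared secret can read from each. In TACACS+ the 12-byte packet header stays in the clear and everything after it is obfuscated, which is the "entire packet" the table refers to. The shared secret, username, password, session ID and Request Authenticator are constructed values; a real RADIUS client generates a fresh random Request Authenticator for every request.

```python
import hashlib

# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"constructed-shared-secret"
USERNAME = b"admin"
PASSWORD = b"Cisco123"
# Constructed; a real client uses os.urandom(16) for each Access-Request.
REQUEST_AUTHENTICATOR = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS: only the User-Password attribute is hidden (RFC 2865, section 5.2) ---

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Hide a password the way a RADIUS client does. Each 16-byte chunk is XORed
    with MD5(secret + previous chunk), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: the same chain, so only a holder of the shared secret recovers it."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attributes(username: bytes, hidden_password: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS TLVs."""
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden_password)]) + hidden_password)


def radius_parse_attributes(attrs: bytes) -> dict:
    """Walk the TLVs without the shared secret, as an on-path observer could."""
    parsed, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        parsed[attr_type] = attrs[i + 2:i + length]
        i += length
    return parsed


# --- TACACS+: the whole packet body is obfuscated (RFC 8907, section 4.5) ---

def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with a pseudo-pad derived from header fields and the shared key.
    XOR is its own inverse, so the same call also deobfuscates."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return _xor(body, pad)


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Build an authentication START body (RFC 8907, section 5.1) for an ASCII login."""
    action_login = authen_type_ascii = service_login = 1
    priv_lvl = 1
    data = b""
    return (bytes([action_login, priv_lvl, authen_type_ascii, service_login,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def compare_on_wire() -> dict:
    """Report what an observer without the shared secret can read from each protocol."""
    hidden = radius_hide_password(SHARED_SECRET, REQUEST_AUTHENTICATOR, PASSWORD)
    radius_view = radius_parse_attributes(radius_attributes(USERNAME, hidden))

    body = tacacs_authen_start(USERNAME, b"tty0", b"192.0.2.10")  # constructed port/address
    session_id, version, seq_no = 0x1234ABCD, 0xC0, 1            # constructed header fields
    wire_body = tacacs_obfuscate(SHARED_SECRET, session_id, version, seq_no, body)

    return {
        "radius_username_visible": radius_view[1] == USERNAME,
        "radius_password_visible": PASSWORD in radius_view[2],
        "radius_password_recovered": radius_reveal_password(SHARED_SECRET, REQUEST_AUTHENTICATOR, hidden) == PASSWORD,
        "tacacs_username_visible": USERNAME in wire_body,
        "tacacs_body_recovered": tacacs_obfuscate(SHARED_SECRET, session_id, version, seq_no, wire_body) == body,
    }


if __name__ == "__main__":
    for key, value in compare_on_wire().items():
        print(f"{key}: {value}")
```

The output shows the asymmetry in the table: the RADIUS User-Name attribute is readable by anyone on the path while the password is not, whereas in TACACS+ neither the username nor any other body field is readable without the key. Both schemes depend entirely on the shared secret, which is one reason management-plane traffic to the AAA server is normally confined to a dedicated management network.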
🔸 4. Cloud-Managed Access
Modern Cisco solutions, like Cisco Meraki or Cisco DNA Center, allow cloud-based management.
🔹 Cloud Management
- Devices are connected to the internet and register to the cloud management platform.
- Admins log in to a web portal or dashboard to manage all devices remotely.
- Configuration, monitoring, and firmware updates are done centrally.
Example Platforms:
- Cisco Meraki Dashboard
- Cisco DNA Center Cloud
Benefits:
- Centralized management of multiple sites
- Simplified configuration backup and monitoring
- No need for local console/SSH access in most cases
🔸 Summary Table
| Access Type | Description | Port | Security | Used For |
|---|---|---|---|---|
| Console | Local physical access | N/A | Secure (direct) | Initial setup / recovery |
| Telnet | Remote text access | 23 | Not secure | Legacy CLI management |
| SSH | Secure remote text access | 22 | Encrypted | Secure CLI management |
| HTTP | Web interface | 80 | Not secure | GUI access |
| HTTPS | Secure web interface | 443 | Encrypted | Secure GUI access |
| TACACS+ | Centralized admin authentication | 49 (TCP) | Encrypted | Device admin control |
| RADIUS | Centralized user authentication | 1812/1813 (UDP) | Password encrypted | VPN/Wi-Fi authentication |
| Cloud Managed | Cloud-based dashboard | Internet | Encrypted (SSL/TLS) | Centralized management |
🔸 Exam Tips
- SSH is always preferred over Telnet.
- HTTPS is always preferred over HTTP.
- TACACS+ → used for device administration (Cisco-specific).
- RADIUS → used for user access (open standard).
- Console → used for out-of-band local access.
- Know the port numbers for each protocol.
- Understand which methods are secure and which are not.
