Line vty 0 4 & 5 15

From my understanding line vty 0 15 allows 16 concurrent users to access the device simultaneously, is that correct? When I configure vty 5 15 for telnet access and I leave 0 4 untouched, telnet fails. I have to configure vty 0 15 input telnet, then I'll be able to access the switch. I guess I'm the only person accessing via telnet so I'm getting line vty 0, right? Can I access remotely with a preferred vty line and how do I do that?

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
BTW, another method to avoid hung VTY sessions is to enable service tcp-keepalives-in.

Similar Messages

  • How to set username and password at line vty 0 4?

    hi guys,
    would like to know how I can set username and password so when I telnet to the router, I can log in with a username and password..?
    thks,
    ken

    Hi,
    for a simple telnet password with user name & password, find the steps below,
    aaa new-model
    username password
    line vty 0 4
    password
    login local
    if you wanted different types of users to login with different privileges, do the following
    username privilege 15 password
    username privilege 5 password
    privilege exec level 15 conf t
    privilege exec level 5 show
    line vty 0 4
    password
    login local
    in the above statement "privilege exec level 15" will have full access, "privilege exec level 5" will have limited access, like "show" related commands
    hope this helps.
    rate this post if cleared.

  • Line vty 0 4 settings via GUI

    Is there a way to change the line vty 0 4 settings using a web browser? My current config somehow got the no login command placed on the vty and I'm trying to prevent having to connect via the console port.

    Hi
    Are you using LWAPP?
    If so then the following will allow telnet:
    Q.   Can I Telnet/SSH into an LWAPP based access point?
    A. In Wireless LAN Controller release 5.0 and later, the controller supports the use of Telnet or Secure Shell (SSH) protocols to troubleshoot lightweight access points. You can use these protocols in order to make debugging easier, especially when the access point is unable to connect to the controller. You can configure Telnet and SSH support only through the controller CLI. In order to enable Telnet or SSH connectivity on an access point, use the config ap {telnet | ssh} command. The Cisco lightweight access point associates with this Cisco Wireless LAN controller for all network operation and in the event of a hardware reset.
    config ap {telnet | ssh} {enable | disable} Cisco_AP
    Examples
    > config ap telnet enable cisco_ap1
    > config ap telnet disable cisco_ap1
    > config ap ssh enable cisco_ap2
    > config ap ssh disable cisco_ap2

  • Line vty 0 4 question..

    Hi,
    I have a question here regarding about line vty 0 4 in the router configuration..
    What I am trying to achieve is: I would like to telnet to the router from one IP (10.x.x.x), and SSH from the other IP (10.x.x.y). How can I do it?
    thanks..

    Thanks for the reply, guys..
    The current setting is using "transport input ssh", which is SSH from a monitoring machine.
    But come DR (disaster recovery), where router A will be connected to another router B, I would like to do a "telnet" session from the remote router B, therefore I am exploring the telnet method.
    This is for management purposes during DR.

  • Assigning ACL under Line VTY

    Hey dears,
    In my topology, there are two ip addresses on R1:
    interface fa0/0: 1.1.1.1/24
    interface loo0: 2.2.2.2/24
    I want to login from R2 to R1 just to one of those ip addresses on R1. Actually I want to login just to 2.2.2.2 !
    So, I am going to use an ACL under Line VTY. But it doesn't work.
    I know that I can simply use this ACL under interface fa0/0 which I've tested before and it worked.
    Here is my current configuration:
    ***with this configuration R2 can login to both ip addresses***please find the attachment***
    Extended IP access list CISCO
        10 deny tcp any host 1.1.1.1 eq telnet
        20 permit ip any any
    line vty 0 4
     access-class CISCO in
     password cisco
     login
    line vty 5 15
     access-class CISCO in
     password cisco
     login

    For VTY access you should use a standard access list. The router does not read all 5-tuples. 
    To restrict the protocol use the transport input command.
    To restrict the source you use an ACL and vty access-class like you have done. 
    If you want to restrict to a certain IP/interface you have a couple of options-
    Control Plane Protection: http://packetpros.com/control-plane-protection-cppr/
    Control Plane Policing: http://packetpros.com/copp-on-routers/
    QoS: http://packetpros.com/secure-the-control-plane-with-qos/
    ACLs
    ip access-list extended BLOCK-SSH
     deny tcp any host 1.1.1.1 eq 22
     permit ip any any
    interface fa0/0
     ip access-group BLOCK-SSH in

  • Re: Line VTY Access / CatOs

    All,
    I have a Cat4006 with a router card and I am unable to telnet or ssh to either of the cards. On the Mod1 (Switch Card) I am able to console but not ssh or telnet; I receive a "connection to host lost". On the Mod2 (RtR Card) I am able to telnet but not ssh.
    Thank you in advance!!
    Switch Mod: 10.10.xxx.1
    Rtr Mod: 10.10.xx.5
    RtR Version:
    Cisco Internetwork Operating System Software
    IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(25)W5(27b) RELEASE SOFTWARE
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Tue 11-May-04 19:23 by integ
    Image text-base: 0x60010928, data-base: 0x6061A000
    ROM: System Bootstrap, Version 12.0(7)W5(15b) RELEASE SOFTWARE
    ROM: L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(18)W5(22a) RELEASE SOFTWARE
    RtR Line VTY CFG:
    line vty 0 4
    access-class 199 in
    password 7 23123123
    login local
    transport input telnet

    I believe that there may be two parts of this problem. First I would suggest that instead of an extended access list for the access-class on the vty ports that you use an standard access list.
    I believe that the other part of the issue may be even more problematic. The vty includes the configuration login local. This requires that usernames and passwords be configured. Are there usernames and passwords configured?
    I suggest that you remove the login local and change the access class to a standard access list. Then it will be much easier to telnet.
    Also the vty are configured with transport input telnet. That explains why SSH does not work. If you want to be able to do both telnet and SSH then configure transport telnet ssh.
    HTH
    Rick

  • Enabling SSH on Line VTY

    Hi All,
    Today we allow Telnet via Line VTY across IOS routers/switches. 1) What configuration changes are required in Line VTY to allow Telnet and SSH? 2) Are there any IOS related dependencies for SSH protocol on routers/switches?
    Jim Frys

    First you'll need the crypto image to configure SSH (look for k9 in the IOS file name). Then you'll need to configure SSH.
    https://packetpros.com/cisco_kb/IOS_RTR_SSH.html
    Finally add telnet and SSH to the VTY's.
    line vty 0 4
    transport input telnet ssh
    The above command will only allow telnet and ssh. By default all protocols are allowed and the above line provides some additional security.
    Hope that helps.

  • EEM script on line vty

    Hi,
    I am using this script to check high cpu util on switch
    event manager applet high_cpu
    event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact entry-op gt entry-val "65" poll-interval 5
    action 1.01 syslog msg "------HIGH CPU DETECTED----, CPU: $_snmp_oid_val %"
    action 1.02 cli command "enable"
    action 1.03 cli command "term len 0"
    action 1.04 cli command "debug platform packet all receive buffer"
    action 1.05 cli command "show platform health | redirect slot0:high_cpu1"
    action 1.06 cli command "show proc cpu sort | redirect slot0:high_cpu2"
    action 1.07 cli command "show platform cpu packet statistics | redirect slot0:high_cpu3"
    action 1.08 cli command "show platform cpu packet buffered | redirect slot0:high_cpu4"
    action 1.09 cli command "show platform health | redirect slot0:high_cpu5"
    action 1.10 cli command "show proc cpu sort | redirect slot0:high_cpu6"
    action 1.11 cli command "show platform cpu packet statistics | redirect slot0:high_cpu7"
    action 1.12 cli command "show platform cpu packet buffered | redirect slot0:high_cpu8"
    action 1.13 cli command "show clock | redirect slot0:high_cpu9"
    action 1.14 cli command "undebug all"
    action 1.15 cli command "conf t"
    action 1.16 cli command "no event
    Switch version: cat4500e-entservicesk9-mz.122-50.SG3.bin
    Model:  WS-C4900M 3 slot switch
    Can you please confirm whether each line will take a separate vty to run each command, or all the above commands will run on a single vty?
    After running this script we are seeing vty 11-15 showing 0.0 and we are not able to kill/disconnect the sessions.
    br/subhojit

    You can use "show tcp brief" to identify the tcp connections with a TCB value associated to each.
    Try to clear the session using the command "clear tcp tcb " to clear the lines.
    High CPU was due to Spanning-tree state changes.
    Thanks & Regards,
    Karthick Murugan
    CCIE#39285
    **DO NOT FORGET TO RATE ALL USEFUL POSTS**

  • Type 5 Passwords on line con 0 and line vty 0 4

    Hi all,
    I have a requirement to have all passwords on my network infrastructure devices to have type 5 (MD5) passwords vs. the type 7 passwords. I'm running IOS version 12.2 on my devices. Is it possible to accomplish this? Or would doing this require ACS or something equivalent. Thank you,
    Brad Trotter

    Brad
    I do not know who established this requirement but they are requiring you to do something that cannot be done. Type 5 encryption (MD5) is for enable secret. Cisco has not implemented that type of encryption for console or vty passwords. If you use ACS then the passwords that are normally used can be protected on the server (or you can use one-time passwords, which are even safer). But for the passwords that are configured on the router, type 7 is as good as you are going to get.
    HTH
    Rick

  • Best Practices for securing VTY lines?

    Hi all,
    The thread title makes this sound like a big post but it's not. 
    If my router has say., 193 VTY lines as a maximum, but by default running-config has only a portion of those mentioned, should I set any configs I do on all lines, or just on the lines sh run shows?  Example: 
    sh run on a router I have with default config has: :
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    Yet, I have the option of configuring up to 193 VTY lines:
    Router(config)#line vty ?
      <0-193>  First Line number
    It seems lines 16-193 still exist in memory, so my concern is that they are potentially exposed somehow to exploits or whatnot. So my practice is to do any configs I do using VTY 0 193 to ensure universal configuration. But, by "enabling" the extra lines, am I using more memory, and how secure is this against somebody trying to, say, connect 193 times to my router simultaneously? Does it increase the likelihood of success of a DoS attack, for example?

    Hi guys, thanks for the replies and excellent information. I'm excited to look at the IOS Hardening doc and the other stuff too.
    Just to clarify, I don't actually use the default config, I only pasted it from a new router just to illustrate the default VTY line count.
    I never use telnet from inside or outside; anything snooping a line will pick up the cleartext, as you both know of course. SSH is always version 2 etc.
    I was considering doing a console server from the inside as the only access method, which I do have set up but I have to remote to it. It's just that with power outages at times, the console PC won't come back up (no BIOS setting to return to previous state, no WOL solution in place), so now I have both that plus the SSH access. I have an ACL on both the VTY lines themselves as well as a ZBFW ACL governing SSH. Perhaps a bit redundant in some ways, but oh well, if there's a zero-day out there for turning off the ZBFW I might still be protected.
    Regretfully I haven't learned about AAA yet; that I believe is in my CCNA Security book but first I need to get other things learned.
    And with regard to logging in general, both enabling the right kind and monitoring it properly, that's a subject I need to work on big time. I still get port 25 outbound sometimes from a spam bot, but by the time I manually do my sh logging | i :25 I have missed it (due to cyclic logging with a buffer at 102400). Probably this would be part of that CCNA Security book as well.
    So back to the # of VTY lines. I will see what I can do to reduce the line count. I suppose something like "no line vty 16 193" might work; if not, it'll take some research.
    But if an attacker wants to jam up my vty lines so I can't connect in, once they've fingerprinted the unit a bit to find out that I don't have an IPS running for example, wouldn't it be better that they have to jam up 193 lines simultaneously (with I presume 193 source IPs) instead of 16? Or am I just theorizing too much here? It's not that this matters much; anybody who cares enough to hack this router will get a surprise when they find out there's nothing worth the effort on the other side. But this is more so I can be better armed for future deployments. Anyway, I will bookmark the info from this thread and am looking forward to reading it.
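The original question (vty 5 15 configured, 0 4 left alone) and this thread both come down to the same point: a new session is assigned the lowest free vty line, so whatever is configured on vty 0 is what the first connection gets, and lines absent from show run are simply at platform defaults. The following audit script is an added example, not code from the thread or from Cisco; it parses a running-config excerpt (the SAMPLE_CONFIG text is constructed for illustration) and reports, per vty line, the hardening settings a defender normally checks (transport input, access-class, login, exec-timeout) plus a warning when the vty ranges are configured differently.

```python
import re

# Constructed sample running-config excerpt (not from any device on the page):
# vty 0-4 is left nearly at defaults while vty 5-15 is hardened.
SAMPLE_CONFIG = """\
line vty 0 4
 login local
line vty 5 15
 access-class 23 in
 exec-timeout 10 0
 login local
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_lines(config):
    """Map each vty number to the sub-commands the config applies to it."""
    lines, current = {}, None
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                lines.setdefault(n, [])
        elif raw.startswith(" ") and raw.strip() and current is not None:
            for n in current:
                lines[n].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the line block
    return lines


def audit_vty(config, expected=range(16)):
    """Return (per-line findings, global findings) for the vty numbers in `expected`."""
    lines = parse_vty_lines(config)
    per_line, shapes = {}, set()
    for n in expected:
        cmds = lines.get(n)
        if cmds is None:
            per_line[n] = ["absent from running-config: platform defaults apply, check 'show line'"]
            continue
        shapes.add(tuple(cmds))
        issues = []
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            issues.append("no transport input: platform default applies")
        elif set(transport[-1].split()[2:]) & {"telnet", "all"}:
            issues.append("cleartext telnet accepted: " + transport[-1])
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            issues.append("no inbound access-class")
        if not any(c.split()[0] == "login" for c in cmds):  # missing 'login' or explicit 'no login'
            issues.append("no login required")
        timeouts = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeouts:
            issues.append("no explicit exec-timeout: platform default applies")
        elif timeouts[-1].split()[1:3] == ["0", "0"]:
            issues.append("exec-timeout 0 0 disables the idle timer")
        per_line[n] = issues
    # A new session takes the lowest free vty, so vty 0's settings govern the first login;
    # hardening only 'line vty 5 15' therefore does not protect that first connection.
    glob = ["vty ranges differ: first session lands on vty 0"] if len(shapes) > 1 else []
    return per_line, glob
```

Running audit_vty(SAMPLE_CONFIG) flags vty 0-4 for the missing transport input, access-class and exec-timeout, passes vty 5-15 clean, and raises the range-mismatch warning.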

  • VTY Lines

    Hello, 
    I encountered an interesting behavior on the Cat 3550 switches. First, I configured vty 0 4 and vty 5 15 with transport input telnet, and when I issued the sh run command this is the output I received (what you'd expect to see):
    sw1#sh run | be line vty 
    line vty 0 4
     transport input telnet
    line vty 5 15
     transport input telnet
    Next, I wanted to add ssh as the transport input, so I configured the vtys as follows: 
    sw1# config t
    sw1(config)# line vty 0 4 
    sw1(config-line)#transport input all 
    And, when I issued the show run command, the vty 0 4 is no longer displayed! My question is, why does the line vty disappear when I use the transport input all command? 
    sw1#sh run | be line vty    
    line vty 5 15
     transport input telnet
    end
    Thanks in advance. 
    Best, ~zK 

    Duplicate post. 
    Go HERE.

  • VTY lines and clearing them

    Wondering if anyone has ever had a problem clearing vty lines. I've done it a million times, with success. But now I have a few devices that have some "hung" sessions. I try to clear them, the command is accepted, but the connection is still there. Any ideas? Also, I've read the definitions of "exec timeout" and "session timeout" but I'm wondering what everyone else uses. I've always used EXEC.

    It is a 10012. I am trying clear line vty x:
    ts1euclwi# who
    Line User Host(s) Idle Location
    2 vty 0 idle 6w1d admin.gld.charter.com
    3 vty 1 idle 4w3d admin.gld.charter.com
    4 vty 2 idle 3w2d north1.stpt.wi.charter.com
    5 vty 3 idle 3w3d north1.stpt.wi.charter.com
    * 6 vty 4 bwithrow idle 00:00:00 68-115-71-26.static.eucl.wi.charter.com
    8 vty 6 maint idle 2w0d admin.gld.charter.com
    Interface User Mode Idle Peer Address
    ts1euclwi#clear line vty 1
    [confirm]
    [OK]
    ts1euclwi#who
    Line User Host(s) Idle Location
    2 vty 0 idle 6w1d admin.gld.charter.com
    3 vty 1 idle 4w3d admin.gld.charter.com
    4 vty 2 idle 3w2d north1.stpt.wi.charter.com
    5 vty 3 idle 3w3d north1.stpt.wi.charter.com
    * 6 vty 4 bwithrow idle 00:00:00 68-115-71-26.static.eucl.wi.charter.com
    8 vty 6 maint idle 2w0d admin.gld.charter.com
    Interface User Mode Idle Peer Address

  • VTY line configuration on a 1042

    Hello,
    I'd like to know if there is any command to configure the vty line interfaces on the AP with the console cable, so without going through the WLC. My point is to configure SSH and telnet on vty 0 to 15. When I checked the matching box on the WLC, I see in the config:
    line vty 0 4
       transport input all (instead of none)
    But as it is a LAP, I don't have any 'conf t' or vty command.
    Do you know how to?
    Thanks
    Theophile

    That is a lightweight AP so you can't do that. You first need to allow telnet and ssh on the AP once it joins the WLC and then you can set your login credentials. The controller manages all the lightweight APs so there is a limited number of commands that can be run on the LAPs.

  • Shell authorization works only on vty lines and not on console

    Why does command authorization only work for the vty lines and NOT for the console?
    I use ACS for Win 3.3.(1)
    Any input is very welcome
    Configuration
    aaa new-model
    aaa authentication login VTY group tacacs+ local
    aaa authentication login CONSOLE group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    line con 0
    login authentication CONSOLE
    line vty 0 4
    login authentication VTY

    By default, console authorization is turned off, even with all the standard authorization commands in your configuration. This was done deliberately to leave the console connection as a "back door" to get into the router in case you lock yourself out (which is easy to do with authorization). The theory is that if someone has access to your console port, you have a lot more to worry about than command authorization :-)
    If you really, really want to do this, make sure it works fine first on the VTY's, and then issue the hidden command:
    aaa authorization console

  • Setting VTY lines for SSH % Telnet only

    Hello,
    First off I apologize if this is the wrong section to post in or if there has already been a thread made for this particular problem however I've yet to find a solution that works.
    I am configuring a 1841 router running IOS Version 12.4(15)T1
    I am trying to set the vty lines to accept only telnet and ssh connections.
    I am using these commands:
    R1(config)# line vty 0 15
    R1(config-line)# password ciscovtypass
    R1(config-line)# login local
    R1(config-line)#transport input telnet ssh
    When I enter "transport input telnet ssh", I receive the error "Invalid input detected at '^' marker" and it points to the word ssh. I can successfully use "transport input telnet" and "transport input ssh" by themselves, however when I try to set them both on the same line is when I get the error. And setting them one after another overwrites the previous. Any help would be much appreciated, thanks.

    The suggestion from Leo would certainly allow both telnet and SSH. But it also allows some other protocols (they are not common in today's networking environment - but the original question was quite specific that they want to allow only 2 protocols and not all protocols). So let us look for answers that may help Michael.
    My first thought was to wonder if SSH has been fully enabled and whether this might be a factor in the problem. Michael indicates that transport input ssh works ok and that seems to indicate that enabling SSH is not the issue. But I would still feel better if Michael would post the output of show ip ssh
    I wonder if there is an order dependency in which one of the protocols must be entered first. I suggest trying this
    line vty 0 15
    transport input telnet ?
    and
    transport input ssh ?
    and see if one of them indicates that the other protocol is an option.
    HTH
    Rick
