
Cisco VTY equals Telnet? Not really :)

One person recently asked me about securing VTY access on Cisco routers/switches, and it seemed (could be a false impression though) that he believed VTY equals Telnet (= plain text) access. I did not argue at the time (I just told him that you certainly would not want to leave Telnet access open and that you need to use SSH where possible), but, being curious, I have now checked what the acronym VTY really means and came across this post. I always enjoy Etherealmind posts, but this one really made me smile! (the original “teletype” piece of hardware)

And, of course, a VTY is just a virtual terminal line: it can have Telnet or SSH as its transport (or both, which is the default on many IOS images, so Telnet stays open until you restrict it).

As it’s not something I do on a regular basis here is my quick refresher on the SSH config:

  • Pre-reqs: hostname, domain name & username

hostname <host name>
ip domain-name <domain name>
username <user> secret <password>

  • SSH config

crypto key generate rsa modulus 2048
ip ssh version 2

(specify the modulus explicitly: SSH version 2 needs a key of at least 768 bits, and 2048 is the sensible minimum today; the key pair is generated only once and is not shown in the running config)

  • Terminal config

line vty 0 4
    login local
    transport input ssh

(note that most platforms have 16 VTYs, so configure line vty 0 15, or apply the same settings to vty 5 15 as well; otherwise the remaining lines keep the default transport and still accept Telnet)

(obviously you can use RADIUS/TACACS+ via AAA instead of local authentication, or try them first and fall back to Local as the last resort)

You would also normally want to restrict management access with an ACL applied to the VTYs (access-class <acl> in). You can go a bit further and move some of your VTYs to a “secret” port with the rotary command: for Telnet, a line in rotary group N listens on TCP port 3000 plus N, while for SSH you have to map the port explicitly with ip ssh port <port> rotary N. It is also worth leaving a “backdoor” for the admin team by reserving the last VTY and securing it with a very restrictive ACL (literally just a single source IP), so that a scanner or an attacker holding the other sessions open cannot exhaust all the VTYs and lock you out (a simple DoS).
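Putting the refresher and the ACL/rotary advice together, here is a complete hardened VTY configuration as an added example (it is not the original post's config); the hostname, domain name, username, management addresses, the SSH rotary port 2222 and the rotary group number are assumptions for illustration:

```cisco
! Added example, not from the original post. Hostname, domain, user,
! addresses, port and rotary numbers are assumptions for illustration.
hostname r1
ip domain-name example.net
! Local fallback account; 'secret' stores a hash, 'password' would not
username admin privilege 15 secret ChangeMe-Use-A-Long-Passphrase
!
! RSA key pair for SSH with an explicit 2048-bit modulus
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Slow down brute force: block logins for 120 s after 3 failures in 60 s
login block-for 120 attempts 3 within 60
!
! Only the management subnet may open a session on the normal VTYs
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! A single admin jump host is the only source allowed on the last VTY
ip access-list standard MGMT-LAST-RESORT
 permit host 10.0.0.10
 deny   any log
!
! SSH for rotary group 1 answers on TCP/2222 (for Telnet the group
! would listen on 3000 + 1 = 3001 automatically; SSH needs this line)
ip ssh port 2222 rotary 1
!
line vty 0 14
 access-class MGMT-ACCESS in
 login local
 transport input ssh
 exec-timeout 10 0
 rotary 1
!
! Last VTY reserved for the admin team so a VTY exhaustion cannot lock us out
line vty 15
 access-class MGMT-LAST-RESORT in
 login local
 transport input ssh
 exec-timeout 10 0
```

After applying it, check with show ip ssh (version 2.0 and the expected time-out/retries), show line vty 0 15 (all lines listed, none with Telnet left in the transport column) and a test connection from an address outside the ACL, which should be refused and produce the log entry from the deny statement. The separate ACL on vty 15 is what gives you the “backdoor”: even if the other 15 lines are held open, a session from 10.0.0.10 still gets in.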

Here is the link for more details (you’ll need to have an account for SafariBooksOnline).

P.S. Funny fact – I actually have a 3750 switch in Prod that was purchased in the UK but does not have SSH support! LOL

Categories: Cisco