Only one telnet connection

Unanswered Question
Jul 23rd, 2007

Hello,

I need to allow only one telnet connection to a router.

Which set of commands will accomplish this task?

Can "line vty 1, login, password cisco" be used?

JORGE RODRIGUEZ Mon, 07/23/2007 - 08:42

we'll work with 192.168.1.200 as being the only system IP that can telnet to the router on vty line 1.

create an access list

ip access-list extended 101
 ! "host" matches only 192.168.1.200; a 0.0.0.255 wildcard would admit the whole 192.168.1.0/24
 permit tcp host 192.168.1.200 any eq telnet
 deny ip any any log

then apply the acl to vty 1 line

e.g.

line vty 1
 access-class 101 in
 transport input telnet

you can configure one vty line with a unique password..

e.g.

line vty 1
 password xxxxx
 login

Richard Burts Mon, 07/23/2007 - 11:32

Laurentiu

I will take a slightly different approach than Jorge (while his approach does control access to a single vty by a single host, I am not sure that this is what you were really asking for - especially since it does not address what happens on vty 0).

I will suggest that you configure vty 0 to accept the telnet connection (depending on how your router is configured - especially whether you are using aaa or not - the configuration that you posted would be fine), and that under all the other vty lines you configure:

no exec

This will prevent any telnet connection from becoming active on any other vty. Be aware that on many routers there are vty 0 4, but on some versions there are vty 0 15, and there could possibly be other numbers of vty lines. So check how many are in your router and configure them as I have suggested.

HTH

Rick

royalblues Mon, 07/23/2007 - 11:39

I agree with Rick.

The no exec command turns off the EXEC process for the specified line and this would ensure only one telnet session at a time.

If you also want to allow access to only one machine, you can use the access-list under the line which does not have the no exec command.

Narayan

rajatsetia Tue, 07/24/2007 - 03:39

Hi,

Just to add one more thing here...

As you will be allowing just one telnet connection, do remember to apply exec-timeout with an appropriate timer.

Otherwise you have to log in to the console to clear the only available vty line for telnet access.

"I have seen similar problem with 6500 with no exec-timeout applied"

regards

royalblues Tue, 07/24/2007 - 03:52

Yes, a very valid point by Rajat.

All you don't need is to lock yourself up and use the console to free the session.

line vty 0
 access-class 1 in
 exec-timeout 5 0
line vty 1 15
 no exec

HTH

Narayan
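The thread converges on three things: exactly one vty keeps its EXEC process, that vty carries an access-class restricted to one host, and it has an exec-timeout so an idle session cannot hold the only line. The following audit script is an added example, not code from the thread or from Cisco; it assumes the router's running-config is available as plain text (for instance saved from "show running-config") and uses two constructed config fragments, one that follows the final pattern above and one that leaves every vty active, permits a whole /24 instead of a single host (which is what a 0.0.0.255 wildcard mask does), and disables the idle timeout. The function and variable names are the example's own.

```python
import re
from typing import Dict, List

# Constructed running-config fragments (not from the thread). GOOD_CONFIG follows the
# final pattern in the thread: one vty keeps exec, the others get "no exec".
GOOD_CONFIG = """\
!
access-list 1 permit host 192.168.1.200
!
line con 0
line vty 0
 access-class 1 in
 exec-timeout 5 0
 password xxxxx
 login
 transport input telnet
line vty 1 15
 no exec
!
end
"""

# BAD_CONFIG leaves every vty with exec, permits a whole /24 (0.0.0.255 wildcard)
# instead of one host, and disables the idle timeout on the restricted line.
BAD_CONFIG = """\
!
access-list 101 permit tcp 192.168.1.200 0.0.0.255 any eq telnet
access-list 101 deny ip any any log
!
line vty 0 4
 password cisco
 login
line vty 1
 access-class 101 in
 exec-timeout 0 0
 transport input telnet
!
end
"""


def parse_vty_lines(config: str) -> Dict[int, Dict[str, object]]:
    """Per vty number: whether exec is enabled, the inbound access-class, and the
    exec-timeout in seconds (None = IOS default, 0 = never times out)."""
    vty: Dict[int, Dict[str, object]] = {}
    current: List[int] = []  # vty numbers covered by the stanza being read
    for raw in config.splitlines():
        if raw.startswith(" "):  # indented: a command under the current "line" stanza
            cmd = raw.strip()
            for n in current:
                s = vty[n]
                if cmd == "no exec":
                    s["exec"] = False
                elif cmd.startswith("access-class ") and cmd.endswith(" in"):
                    s["access_class"] = cmd.split()[1]
                elif cmd == "no exec-timeout":
                    s["exec_timeout"] = 0
                elif cmd.startswith("exec-timeout "):
                    parts = cmd.split()
                    s["exec_timeout"] = int(parts[1]) * 60 + (int(parts[2]) if len(parts) > 2 else 0)
            continue
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw.rstrip())
        if m:  # "line vty A" or "line vty A B" opens a stanza for that range
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            for n in current:
                vty.setdefault(n, {"exec": True, "access_class": None, "exec_timeout": None})
        else:  # any other top-level line ends the stanza
            current = []
    return vty


def acl_permit_sources(config: str, acl_id: str) -> List[str]:
    """Source specs of the permit entries of numbered ACL acl_id, normalised to
    'host A.B.C.D', 'A.B.C.D W.X.Y.Z' (address + wildcard) or 'any'."""
    sources: List[str] = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[1] != acl_id or toks[2] != "permit":
            continue
        rest = toks[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL: skip the protocol keyword
            rest = rest[1:]
        if not rest:
            continue
        if rest[0] == "any":
            sources.append("any")
        elif rest[0] == "host":
            sources.append(f"host {rest[1]}")
        elif len(rest) >= 2 and re.fullmatch(r"\d+(\.\d+){3}", rest[1]):
            sources.append(f"host {rest[0]}" if rest[1] == "0.0.0.0" else f"{rest[0]} {rest[1]}")
        else:  # standard ACL with a bare address
            sources.append(f"host {rest[0]}")
    return sources


def audit_single_telnet(config: str) -> List[str]:
    """Findings against the policy: one vty with exec, restricted to a single host,
    with an idle timeout. An empty list means the config matches the policy."""
    findings: List[str] = []
    vty = parse_vty_lines(config)
    active = [n for n, s in sorted(vty.items()) if s["exec"]]
    if len(active) != 1:
        findings.append(f"expected exactly one vty with exec, found {active}")
    for n in active:
        s = vty[n]
        if s["access_class"] is None:
            findings.append(f"vty {n}: no access-class, any source may connect")
        else:
            broad = [src for src in acl_permit_sources(config, str(s["access_class"])) if not src.startswith("host ")]
            if broad:
                findings.append(f"vty {n}: access-class {s['access_class']} permits non-host sources {broad}")
        if s["exec_timeout"] == 0:
            findings.append(f"vty {n}: exec-timeout disabled; an idle session holds the only vty forever")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, audit_single_telnet(cfg) or "OK")
```

The parser treats an indented line as belonging to the most recent "line vty" stanza and any non-indented line as closing it, which is how IOS lays out a running-config; a later "line vty 1" stanza overlays settings on a vty already covered by "line vty 0 4", as the second fragment shows. An exec-timeout that is absent is reported as fine (IOS defaults to 10 minutes), while "exec-timeout 0 0" or "no exec-timeout" is flagged, since that is the case Rajat describes where the console is the only way to free the line.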
