Only one telnet connection

Jul 23rd, 2007

Hello,

I need to allow only one telnet connection to a router.

Which set of commands will accomplish this task?

Can "line vty 1, login, password cisco" be used?

JORGE RODRIGUEZ Mon, 07/23/2007 - 08:42

We'll work with 192.168.1.200 as being the only system IP that can telnet to the router on vty line 1.

Create an access list:

! "host" matches only 192.168.1.200 (a 0.0.0.255 wildcard would match the whole /24)
access-list 101 permit tcp host 192.168.1.200 any eq telnet
access-list 101 deny ip any any log

Then apply the ACL to the vty 1 line, e.g.:

line vty 1
access-class 101 in
transport input telnet

You can configure one vty line with a unique password, e.g.:

line vty 1
password xxxxx
login

Richard Burts Mon, 07/23/2007 - 11:32
Laurentiu

I will take a slightly different approach than Jorge (while his approach does control access to a single vty by a single host, I am not sure that this is what you were really asking for - especially since it does not address what happens on vty 0).

I will suggest that you configure vty 0 to accept the telnet connection (depending on how your router is configured - especially whether you are using aaa or not - the configuration that you posted would be fine), and that under all the other vty lines you configure:

no exec

This will prevent any telnet connection from becoming active on any other vty. Be aware that on many routers there are vty 0 4, but on some versions there are vty 0 15, and there could possibly be other numbers of vty lines. So check how many are in your router and configure them as I have suggested.

HTH

Rick

royalblues Mon, 07/23/2007 - 11:39

I agree with Rick.

The no exec command turns off the EXEC process for the specified line, and this would ensure only one telnet session at a time.

If you also want to allow access to only one machine, you can use the access-list under the line which does not have the no exec command.

Narayan


JORGE RODRIGUEZ Mon, 07/23/2007 - 12:26

Narayan/Rick, agree on the no exec command as a more effective approach.



rajatsetia Tue, 07/24/2007 - 03:39

Hi,

Just to add one more thing here...

As you will be allowing just one telnet connection, do remember to apply exec-timeout with an appropriate timer.

Otherwise you have to log in to the console to clear the only available vty line for telnet access.

"I have seen a similar problem with a 6500 with no exec-timeout applied"

Regards

royalblues Tue, 07/24/2007 - 03:52

Yes, a very valid point by Rajat.

All you don't need is to lock yourself out and have to use the console to free the session.

line vty 0
access-class 1 in
exec-timeout 5 0

line vty 1 15
no exec

HTH

Narayan
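A defender-side check, added here as an example and not part of the thread: a Python script that parses the vty blocks of a saved IOS configuration and reports whether the design the thread settles on (one vty with EXEC, an inbound access-class and an idle exec-timeout; every other vty under no exec) is actually in place. The sample configuration it reads is constructed for the example, and the script only inspects text, it never connects to a device.

```python
import re
# Constructed sample running-config (not from the thread), modelled on the
# final recommendation: vty 0 takes the single session, vty 1-15 get 'no exec'.
SAMPLE_CONFIG = """\
access-list 1 permit host 192.168.1.200
!
line vty 0
 access-class 1 in
 exec-timeout 5 0
 password cisco
 login
line vty 1 15
 no exec
!
"""
def parse_vty_lines(config):
    """Return {vty_number: set(sub-commands)} for every 'line vty' block."""
    vtys, current = {}, []
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:                       # expand 'line vty 1 15' into vty 1..15
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(lo, hi + 1))
            for n in current:
                vtys.setdefault(n, set())
        elif raw.startswith(" ") and current:
            for n in current:       # indented lines belong to the open block
                vtys[n].add(raw.strip())
        else:
            current = []            # any other top-level command ends it
    return vtys

def audit_single_telnet(config):
    """Return findings; an empty list means only one vty can host a session."""
    vtys = parse_vty_lines(config)
    findings = []
    active = sorted(n for n, cmds in vtys.items() if "no exec" not in cmds)
    if len(active) != 1:
        findings.append(f"{len(active)} vty lines still have EXEC enabled: {active}")
    for n in active:
        cmds = vtys[n]
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"vty {n}: no inbound access-class, any source may connect")
        to = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if to is None or all(p == "0" for p in to.split()[1:]):
            findings.append(f"vty {n}: exec-timeout absent or disabled, set an idle timer")
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"vty {n}: no 'login', no authentication on the line")
    return findings
```

Run it over the output of show running-config saved to a file; any finding means more than one session could land on the router, or the one permitted line is exposed or can be tied up by an idle session.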
