Only one telnet connection

mirica1979
Level 1
Level 1

Hello,

I need to allow only one telnet connection to a router.

Which set of commands will accomplish this this task?

Can "line vty 1, login, password cisco" be used?

6 Replies 6

JORGE RODRIGUEZ
Level 10
Level 10

We'll work with 192.168.1.200 as being the only system IP that can telnet to the router on vty line 1.

Create an access list (the original post mixed named-ACL mode with numbered-ACL commands and used a 0.0.0.255 wildcard, which would have matched the whole /24 rather than the single host; corrected here to match a single host consistently):

ip access-list extended 101
 permit tcp host 192.168.1.200 any eq telnet
 deny ip any any log

Then apply the ACL to the vty 1 line, e.g.:

line vty 1
 access-class 101 in
 transport input telnet

You can configure one vty line with a unique password, e.g.:

line vty 1
 password xxxxx

login

Jorge Rodriguez

Laurentiu

I will take a slightly different approach than Jorge (while his approach does control access to a single vty by a single host, I am not sure that this is what you were really asking for, especially since it does not address what happens on vty 0).

I will suggest that you configure vty 0 to accept the telnet connection (depending on how your router is configured, especially whether you are using aaa or not, the configuration that you posted would be fine), and that under all the other vty lines you configure:

no exec

This will prevent any telnet connection from becoming active on any other vty. Be aware that on many routers there are vty 0 4, but on some versions there are vty 0 15, and there could possibly be other numbers of vty lines. So check how many are in your router and configure them as I have suggested.

HTH

Rick

I agree with Rick.

The no exec command turns off the EXEC process for the specified line, and this would ensure only one telnet session at a time.

If you also want to allow access to only one machine, you can use the access-list under the line which does not have the no exec command.

Narayan

Narayan/Rick, agree on the no exec command as a more effective approach.

Jorge Rodriguez

Hi,

Just to add one more thing here...

As you will be allowing just one telnet connection, do remember to apply exec-timeout with an appropriate timer.

Otherwise you have to log in to the console to clear the only available vty line for telnet access.

"I have seen similar problem with 6500 with no exec-timeout applied"

regards

Yes, a very valid point by Rajat.

All you don't need is to lock yourself up and use the console to free the session.

line vty 0
 access-class 1 in
 exec-timeout 5 0
line vty 1 15
 no exec

HTH

Narayan
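The thread converges on three things: exactly one vty keeps its EXEC process, that vty carries an inbound access-class, and it has an explicit exec-timeout so a stale session does not force a trip to the console. The following is an added example (not code from the thread or from Cisco) that audits a saved IOS running-config for those three properties. It parses `line vty a b` blocks the way IOS applies them (a range applies to every number in it, and later blocks override earlier ones), then reports deviations. The sample config is constructed to mirror Narayan's final suggestion; access-list 1 is assumed to be a standard ACL permitting the one management host.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config fragment, modelled on the thread's final
# suggestion: vty 0 is the only exec-capable line, with an ACL and a timeout.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
access-list 1 permit host 192.168.1.200
!
line con 0
 exec-timeout 10 0
line vty 0
 access-class 1 in
 exec-timeout 5 0
 password cisco
 login
line vty 1 15
 no exec
!
end
"""


@dataclass
class Vty:
    exec_enabled: bool = True            # IOS default: EXEC runs on every vty
    access_class: str | None = None      # name/number of the inbound ACL
    exec_timeout: tuple[int, int] | None = None  # (minutes, seconds) if set


def parse_vty_lines(config: str) -> dict[int, Vty]:
    """Return one Vty record per vty number found in the config.

    'line vty a b' applies its sub-commands to every number in a..b, and a
    later block may override an earlier one, so blocks are applied in order.
    """
    vtys: dict[int, Vty] = {}
    current: list[int] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: either opens a vty block or ends the current one.
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                lo = int(m.group(1))
                hi = int(m.group(2)) if m.group(2) else lo
                current = list(range(lo, hi + 1))
                for n in current:
                    vtys.setdefault(n, Vty())
            else:
                current = []
            continue
        if not current:
            continue  # sub-command of con/aux or something this audit ignores
        cmd = line.strip()
        for n in current:
            v = vtys[n]
            if cmd == "no exec":
                v.exec_enabled = False
            elif cmd == "exec":
                v.exec_enabled = True
            elif (m := re.match(r"access-class (\S+) in$", cmd)):
                v.access_class = m.group(1)
            elif (m := re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)):
                v.exec_timeout = (int(m.group(1)), int(m.group(2) or 0))
    return vtys


def audit_single_session(config: str) -> list[str]:
    """Return findings; an empty list means the config matches the thread's advice."""
    vtys = parse_vty_lines(config)
    findings: list[str] = []
    active = sorted(n for n, v in vtys.items() if v.exec_enabled)
    if len(active) != 1:
        findings.append(f"expected exactly one exec-capable vty, found {active or 'none'}")
    for n in active:
        v = vtys[n]
        if v.access_class is None:
            findings.append(f"vty {n} has no inbound access-class")
        if v.exec_timeout is None:
            findings.append(f"vty {n} relies on the default exec-timeout; set one explicitly")
        elif v.exec_timeout == (0, 0):
            findings.append(f"vty {n} has 'exec-timeout 0 0', so an idle session never clears")
    return findings


if __name__ == "__main__":
    for finding in audit_single_session(SAMPLE_CONFIG) or ["OK: single-session vty policy in place"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file instead of the constructed sample to check a real device. `exec-timeout 0 0` is flagged separately because it disables the idle timer entirely, which is exactly the lock-out scenario Rajat describes; an absent line is reported too, since relying on the platform default rather than an explicit value is what the thread warns against.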
