telnet question

Oct 23rd, 2007

If I only enable one telnet line, should I just use 'line vty 0', or do I still have to use 'line vty 0 4'?


I remember reading in a book that some admins may set a different password for the last telnet line to make sure they always have one line left for themselves. But the Netsim does not let me try this; it cannot even set a different password for different telnet lines. Thanks for your help.

Collin Clark Tue, 10/23/2007 - 08:30

line vty 0 4 is like specifying a range of VTY lines. Instead of going under each VTY line and entering commands, you can configure them all at once. The first line used will be 0, then if another admin connects he will get line 1 and so on. You could reserve the last line for a specific person, but if designed right you should never need to do that.


HTH and please rate.

xs_echoss Tue, 10/23/2007 - 09:10

Thanks for your reply. Testking gave me the wrong answer, so I want to make sure about this.

nchintha Tue, 10/23/2007 - 16:54

Yeah, you can always reserve a single line for the admin using line vty x (x is the number of the virtual terminal line). If a separate password is defined for this line, you are the only one who can access it.

Kevin Dorrell Tue, 10/23/2007 - 20:05

How can you arrange it so that when the administrator connects, he always gets the line with the special privileges and the separate password? As far as I have seen, there is no way to determine which particular vty line you connect to.


For this reason, I have never understood what advantage there is to being able to configure all 5 of them differently. Except perhaps if the VTYs are used for user sessions, in which case the last one could have a special password known only to the administrator in case the users all lock themselves out.


Kevin Dorrell

Luxembourg


xs_echoss Tue, 10/23/2007 - 20:24

I do not know how this works. What I want to make sure of is that 'line vty 0' works, because I do not have a real router to let me try, and the stupid netsim does not allow 'line vty 0'.

Collin Clark Wed, 10/24/2007 - 04:59

Here's an example:


line vty 0 3
 login authentication my_aaa
 privilege level 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh


The above will allow anyone who is authenticated to access the first 4 vty lines. For the last line we will set it up so only you can access it.


line vty 4
 access-class 10 in
 login authentication my_aaa
 privilege level 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh

access-list 10 permit 10.10.10.115


Notice the new command 'access-class 10 in'. This is an ACL that is applied to the vty line. Only the IP 10.10.10.115 will be allowed to connect to this last vty line. We need to add the ACL as well. Again, this really isn't necessary in the production world.


HTH and please rate.

Kevin Dorrell Wed, 10/24/2007 - 05:04

So apart from the last vty - the "line of last resort" - there is not really any sense in distinguishing between the others?


Kevin Dorrell

Luxembourg

Collin Clark Wed, 10/24/2007 - 05:18

Nope. In fact, creating the last one separately really doesn't make sense either. With proper security controls/router config (i.e. tcp-keepalives) in place, all your VTY lines should never be in use.

stephenneville Wed, 10/24/2007 - 03:56

If you are going to use a different password on the last line, then this needs to be combined with an access list to ensure that this line is always available.


Stephen
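An added example, not code from this thread or from Cisco: a Python audit that parses a constructed IOS running-config fragment modelled on Collin's reply and checks the pattern Stephen describes, that the last vty carries an inbound access-class whose ACL permits a single host, and that every vty accepts only ssh. The parser is simplified (numbered standard ACLs and 'line vty' blocks only) and the sample config is constructed, not from a real device.

```python
import re
# Constructed running-config fragment modelled on the reply above, not taken from a real device.
SAMPLE_CONFIG = """\
access-list 10 permit 10.10.10.115
line vty 0 3
 login authentication my_aaa
 transport input ssh
line vty 4
 access-class 10 in
 login authentication my_aaa
 transport input ssh
"""

def parse_vty(config):
    """Expand each 'line vty A [B]' range into {vty_number: [commands under it]}."""
    vty, active = {}, []
    for raw in config.splitlines():
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", raw.strip())
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            active = list(range(lo, hi + 1))
            vty.update((n, vty.get(n, [])) for n in active)  # register lines even with no commands
        elif raw.startswith(" "):
            for n in active:  # an indented command applies to every vty in the open range
                vty[n].append(raw.strip())
        else:
            active = []  # any other top-level line closes the range
    return vty

def audit_vty(config):
    """Return findings as strings; an empty list means the reserved-last-line pattern is intact."""
    vty = parse_vty(config)
    if not vty:
        return ["no vty lines configured"]
    findings = [f"vty {n}: transport input not restricted to ssh"
                for n, cmds in sorted(vty.items()) if "transport input ssh" not in cmds]
    last = max(vty)  # the 'line of last resort' discussed in the thread
    acl = next((c.split()[1] for c in vty[last] if c.startswith("access-class ")), None)
    if acl is None:
        return findings + [f"vty {last}: reserved line has no access-class, any client can occupy it"]
    entries = re.findall(rf"^access-list {re.escape(acl)} (permit|deny) (.+)$", config, re.M)
    if not entries:
        findings.append(f"vty {last}: access-class {acl} refers to an ACL that is not defined")
    for action, target in entries:
        parts = target.split()
        # one host is 'A.B.C.D', 'host A.B.C.D' or 'A.B.C.D 0.0.0.0'; anything else is wider
        wide = parts[0] == "any" or (len(parts) == 2 and parts[0] != "host" and parts[1] != "0.0.0.0")
        if action == "permit" and wide:
            findings.append(f"vty {last}: access-list {acl} permits more than one host ({target})")
    return findings
```

Running audit_vty over the sample returns an empty list; a flat 'line vty 0 4' block with no access-class, a wildcard ACL, or an undefined ACL each produce a finding naming the last vty.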
