a.alekseev Tue, 07/08/2008 - 23:44

ena sec xxx

line vty 0 4

pass www


transport input telnet

logg sync

michael.leblanc Wed, 07/09/2008 - 06:49

If you want, you could supplement Aleksey's configuration with the following to restrict Telnet access to a specific management station, and establish an idle timeout on the VTY lines:

access-list 100 remark --- VTY access from Network Management Station.

access-list 100 permit tcp host any eq 23 log

access-list 100 deny ip any any log

Note: Replace with the address of your management station.

Note: TCP port 23 above, is the Telnet port.

Edit: Make sure you use a different ACL number if 100 is already in use.

line vty 0 4

access-class 100 in

exec-timeout 9 0

Your interface ACL (if implemented) will also need to accommodate inbound Telnet.

mohammedmahmoud Thu, 07/10/2008 - 03:41


To try and summarize the whole story.

Access control can be done in 4 fashions:

1. No kind of security, using "no login" under the VTYs, this will enable you to login without any kind of passwords.

2. Just use VTY and enable passwords.

3. Use local usernames and passwords on the router.

4. Use AAA.

The second case is easy:

enable secret xxxx

line vty 0 4


password xxxxx

The third case:

username xxxx password xxxx

enable secret xxxx

line vty 0 4

login local

The fourth case see AAA.


NOTE We can use an access-class to restrict the access over the VTY using an ACL, as Michael has illustrated.

Another important thing to take care of, if no enable password is enabled then you can never go to enable mode (unlike console, where you can go in without having an enable password). If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

I hope that i've been informative.


Mohammed Mahmoud.

olakunle06 Thu, 07/10/2008 - 07:49

please i have configured the telnet access on both routers now,but i could only telnet from router 2 to 1 and cannot telnet from 1 to 2. pls can anyone suggest what went wrong and the solution

michael.leblanc Thu, 07/10/2008 - 10:53

You've not indicated "which" commands you implemented, whether ACLs are implemented, or anything related to your network topology.

You need to be more informative if you want assistance.

olakunle06 Thu, 07/10/2008 - 11:36

ena sec xxx

i used the command above and ik cant access from R1 to R2 but could telnet from R2 to R1

line vty 0 4

pass www


transport input telnet

logg sync

johnlloyd_13 Tue, 08/12/2008 - 03:02

you can also add service password-encryption and enable secret global config commands for security reasons..


This Discussion