
Recipe 3.10 Restricting VTY Access by Protocol

3.10.1 Problem

You want to restrict what protocols can be used to access the router's VTY ports.

3.10.2 Solution

To restrict the protocols that can be used to access the router's VTY ports, use the transport input line configuration command:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input telnet
Router1(config-line)#end
Router1#

3.10.3 Discussion

Most administrators do not realize that, by default, Cisco routers allow VTY access via protocols other than Telnet. In some instances, intruders can bypass security measures that you have in place for Telnet and access your VTYs directly. To be safe, we recommend disabling all unused protocols from accessing your VTYs. This prevents unauthorized VTY access through one of these other protocols.

Our example shows how to restrict VTY access to Telnet only. Of course, your organization may require the inclusion of other protocols, such as SSH. Recipe 3.20 discusses how to enable the SSH protocol and prevent all other forms of nonsecure access.

Table 3-1 lists the valid protocols supported by Cisco router VTYs.

Table 3-1. VTY input transport protocols

Keyword   Description
all       Enables all protocols
lat       Enables Digital LAT protocol connections
mop       Enables Maintenance Operation Protocol (MOP) transport
nasi      Enables NetWare Access Servers Interface (NASI) transport
none      Disables all input protocols
pad       Enables X.3 PAD connections
rlogin    Enables the Unix rlogin protocol
ssh       Enables Secure Shell (SSHv1) protocol
telnet    Enables inbound Telnet connections
v120      Enables the V.120 protocol

Use the show terminal EXEC command to view the permitted protocol types for the active line. A router with the default configuration returns a long list of allowed protocols:

Router1#show terminal | include input
Allowed input transports are lat pad v120 lapb-ta telnet rlogin ssh.
Router1#

After we restrict the VTY access to Telnet only, the output looks like this:

Router1#show terminal | include input
Allowed input transports are telnet.
Router1#
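Checking one line with show terminal does not scale to many routers, so here is an added example (not from the book) of a small audit that reads a saved running-config, works out the effective transport input of every line vty block, and flags any protocol outside a local policy set. It assumes that a VTY block with no transport input command accepts the default list shown by show terminal above, and the sample config is constructed.

```python
"""Audit the 'transport input' setting of every VTY line block in a Cisco IOS
running-config and report protocols that the local policy does not allow."""
import re

# Protocols a VTY accepts when no 'transport input' command is present,
# as listed by 'show terminal | include input' on a default configuration.
DEFAULT_INPUT = ("lat", "pad", "v120", "lapb-ta", "telnet", "rlogin", "ssh")

# Keywords that 'transport input all' expands to (the Table 3-1 keywords).
ALL_INPUT = ("lat", "mop", "nasi", "pad", "rlogin", "ssh", "telnet", "v120")

# Constructed sample running-config excerpt (not taken from a real router).
SAMPLE_CONFIG = """\
hostname Router1
!
line con 0
 transport input none
line vty 0 4
 transport input telnet ssh
line vty 5 15
!
end
"""


def vty_transports(config_text):
    """Return {vty_block: tuple of effective input protocols}.

    A block without 'transport input' gets DEFAULT_INPUT; 'none' yields ().
    """
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):          # top-level command: block boundary
            current = raw.strip() if re.match(r"line vty \d+( \d+)?$", raw.strip()) else None
            if current:
                blocks[current] = DEFAULT_INPUT
            continue
        m = re.match(r"\s*transport input\s+(.+)$", raw)
        if current and m:
            words = m.group(1).split()
            blocks[current] = () if "none" in words else ALL_INPUT if "all" in words else tuple(words)
    return blocks


def audit_vty(config_text, allowed=frozenset({"ssh"})):
    """Return {vty_block: sorted list of protocols outside the allowed set}."""
    return {block: sorted(set(protos) - set(allowed))
            for block, protos in vty_transports(config_text).items()}


if __name__ == "__main__":
    for block, extra in audit_vty(SAMPLE_CONFIG).items():
        print(f"{block}: {'OK' if not extra else 'FLAG ' + ' '.join(extra)}")
```

Run it against the output of show running-config saved to a file; an empty list for a block means every protocol it accepts is in the allowed set.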

3.10.4 See Also

Recipe 3.9; Recipe 3.14; Recipe 3.16
