
Recipe 3.15 Reserving a VTY Port for Administrative Access

3.15.1 Problem

You want to prevent other people from using up all of your VTY lines, effectively locking you out of the router.

3.15.2 Solution

You can ensure that at least one VTY port is available to you for access at all times with the following commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 4
Router1(config-line)#access-class 9 in
Router1(config-line)#end
Router1#

3.15.3 Discussion

Receiving the dreaded "Connection refused" message from one of your routers can be quite distressing, particularly if you're trying to troubleshoot a serious problem. Generally, it means that other sessions are occupying all of your router's limited number of VTY lines. However, it can also mean that someone has launched a Denial of Service (DoS) attack. DoS attacks against router VTYs are simple to launch: a VTY line is consumed as soon as the TCP connection is accepted, so an attacker who simply opens a connection and sits at the login prompt ties up that line. No username or password is needed to use up every VTY line this way, locking out all of the legitimate administrators.

Whether the lockout is caused by legitimate sessions or not, this is what it looks like:

Freebsd% telnet Router1
Trying 172.22.1.4...
telnet: connect to address 172.22.1.4: Connection refused
telnet: Unable to connect to remote host
Freebsd%

You can implement a safeguard to ensure that this never happens. The router hands each new connection the lowest-numbered free VTY, so the highest-numbered line (vty 4 in this example; use the highest-numbered line your router actually has) is only reached once all the others are busy. Applying a restrictive inbound access class to that last line ensures that it stays free for the administrator at all times, because anyone not matched by the access list is refused before they can occupy it. The key is to make the access list as restrictive as possible (i.e., only an administrator's IP address); a list that permits a whole subnet, or "any", gives an attacker on that subnet the reserved line as well. The access class does not replace the login password, it merely decides who is allowed to reach the prompt. To view the VTY access statistics, use the show line command:

Router1#show line vty 0 4
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*   66 VTY              -    -      -    -    -     10       0     0/0       -
*   67 VTY              -    -      -    -    -     10       0     0/0       -
*   68 VTY              -    -      -    -    -      2       0     0/0       -
*   69 VTY              -    -      -    -    -      1       0     0/0       -
*   70 VTY              -    -      -    -    9      1       0     0/0       -
   
Router1#

Note that access class 9 is applied inbound on the last VTY (line 70, the "AccI" column; "AccO" would show an outbound access class) and that this line has been used only once ("Uses"), while the lower-numbered lines have absorbed the bulk of the logins. If the AccI column of the last line shows "-", the reservation is not in place.
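The following is an added audit script, not part of the original recipe, that automates the check described above. It parses two pieces of constructed text that mimic IOS output: the show line vty 0 4 listing from this recipe, and two hypothetical access-list fragments as they would appear in show running-config (one restrictive, one weak). It reports whether the highest-numbered VTY carries an inbound access class and whether that list permits only individual host addresses. The config text, the ACL numbers and the host addresses are assumptions made for the example.

```python
"""Audit whether the last VTY line is reserved for administrators.

Added example, not from the Cisco Cookbook recipe. Checks two things:
  1. the highest-numbered VTY in 'show line' output has an inbound
     access class (the AccI column);
  2. that standard access list permits only specific hosts, never a
     range or 'any'.
"""

# Constructed sample: the 'show line vty 0 4' output shown in the recipe.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*   66 VTY              -    -      -    -    -     10       0     0/0       -
*   67 VTY              -    -      -    -    -     10       0     0/0       -
*   68 VTY              -    -      -    -    -      2       0     0/0       -
*   69 VTY              -    -      -    -    -      1       0     0/0       -
*   70 VTY              -    -      -    -    9      1       0     0/0       -
"""

# Constructed configs (hypothetical addresses): the restrictive list the
# recipe recommends, and a weak variant that would hand the reserved line
# to anyone on the subnet, or to anyone at all.
GOOD_CONFIG = """\
access-list 9 remark administrators only
access-list 9 permit 172.25.1.1
access-list 9 permit host 172.25.1.2
"""
WEAK_CONFIG = """\
access-list 9 permit 172.25.1.0 0.0.0.255
access-list 9 permit any
"""


def parse_show_line(text):
    """Return {tty: acci} for every VTY row; acci is None when the column is '-'.

    The Tx/Rx column is blank for VTYs, so fields are taken from the right:
    the last five are AccI, Uses, Noise, Overruns, Int. Newer IOS adds a
    'Line' column after 'Tty', so the type is looked for in the first three.
    """
    rows = {}
    for line in text.splitlines():
        fields = line.lstrip("* ").split()
        if len(fields) < 9 or "VTY" not in fields[:3]:
            continue
        acci = fields[-5]
        rows[int(fields[0])] = None if acci == "-" else int(acci)
    return rows


def parse_standard_acl(config, number):
    """Return (action, source, wildcard) for each entry of standard ACL `number`.

    Handles 'permit A.B.C.D', 'permit A.B.C.D W.W.W.W', 'permit host A.B.C.D'
    and 'permit any'; a missing wildcard means a single host (0.0.0.0).
    """
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        if t[2] not in ("permit", "deny"):
            continue                      # skips 'remark' lines
        rest = [x for x in t[3:] if x != "log"]
        if rest and rest[0] == "host":
            rest = rest[1:]
        if not rest:
            continue
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((t[2], rest[0], wildcard))
    return entries


def audit(show_line, config):
    """Return a list of findings; an empty list means the reserved VTY is protected."""
    vtys = parse_show_line(show_line)
    if not vtys:
        return ["no VTY lines found in 'show line' output"]
    last = max(vtys)
    acl = vtys[last]
    if acl is None:
        return [f"VTY {last} has no inbound access class (AccI)"]
    entries = parse_standard_acl(config, acl)
    if not entries:
        return [f"access-list {acl} is applied to VTY {last} but has no entries in the config"]
    findings = []
    for action, src, wildcard in entries:
        if action != "permit":
            continue                      # deny entries only tighten the list
        if src == "any":
            findings.append(f"access-list {acl} permits any source")
        elif wildcard != "0.0.0.0":
            findings.append(f"access-list {acl} permits a range: {src} {wildcard}")
    if not any(a == "permit" for a, _, _ in entries):
        findings.append(f"access-list {acl} permits nothing: administrators are locked out too")
    return findings


if __name__ == "__main__":
    for name, cfg in (("restrictive", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit(SHOW_LINE, cfg)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

In practice you would feed the script the captured output of show line and show running-config | include access-list instead of the constructed strings; the parsing deliberately works from the right-hand columns so that it survives the extra "Line" column newer IOS releases print.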

3.15.4 See Also

Recipe 3.16; Recipe 3.17

