Cisco IOS Cookbook, 2nd Edition

by Kevin Dooley, Ian Brown
December 2006
Intermediate to advanced
1188 pages
72h 8m
English
O'Reilly Media, Inc.
Content preview from Cisco IOS Cookbook, 2nd Edition

Restricting VTY Access by Protocol

Problem

You want to restrict what protocols can be used to access the router’s VTY ports.

Solution

To restrict which protocols can be used to access the router's VTY ports, use the transport input configuration command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input telnet
Router1(config-line)#exit
Router1(config)#end
Router1#

Discussion

Most administrators do not realize that, by default, Cisco routers will allow VTY access via other protocols besides Telnet. In some instances, intruders can bypass security measures that you have in place for Telnet and access your VTYs directly. To be safe, we recommend that you disable all unused protocols from accessing your VTYs. This will prevent anybody from gaining VTY access through one of these other protocols.

Our example shows how to restrict VTY access to Telnet only. Of course, your organization may require other protocols be included as well, such as Secure Shell (SSH). Recipe 3.20 discusses how to enable the SSH protocol and prevent all other forms of nonsecure access.
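
One way to check a saved configuration against this recommendation, as an added example that is not code from the book: the script below parses the line vty stanzas and reports any whose transport input goes beyond an approved set. The sample configuration is constructed, the function names are hypothetical, and treating a stanza with no transport input line as a finding is an assumption (the platform default then applies).

```python
import re

# Constructed sample of a saved running-config (not from the book).
SAMPLE_CONFIG = """\
hostname Router1
!
line con 0
 transport input none
line vty 0 4
 login
 transport input telnet
line vty 5 15
 login
 transport input all
line vty 16 20
 login
!
end
"""

def vty_transports(config_text):
    """Map each (first, last) VTY range to its protocol set, or None if unset."""
    result, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"line vty (\d+)(?: (\d+))?\s*$", line)
        if header:
            first = int(header.group(1))
            current = (first, int(header.group(2) or first))
            result[current] = None
        elif not line.startswith(" "):
            current = None  # any unindented line ends the stanza
        elif current and line.split()[:2] == ["transport", "input"]:
            result[current] = set(line.split()[2:])
    return result

def audit(config_text, approved=frozenset({"telnet"})):
    """Return (range, reason) findings for VTYs that exceed the approved set."""
    findings = []
    for rng, protos in sorted(vty_transports(config_text).items()):
        if protos is None:
            findings.append((rng, "no explicit transport input"))
        elif "all" in protos:
            findings.append((rng, "all protocols enabled"))
        else:
            extra = protos - approved - {"none"}
            if extra:
                findings.append((rng, "unapproved: " + ", ".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for (first, last), reason in audit(SAMPLE_CONFIG):
        print(f"line vty {first} {last}: {reason}")
```

Pass a different approved set, for example {"ssh"}, to match your organization's policy.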

Table 3-1 lists the valid protocols that Cisco router VTYs support.

Table 3-1. VTY input transport protocols

Protocol    Description
all         Enables all protocols
lat         Enables Digital LAT protocol connections
mop         Enables Maintenance Operation Protocol (MOP) transport
nasi        Enables NetWare Access Servers Interface (NASI) transport
none        Disables all input ...
ISBN: 0596527225