Chapter 4. Line Commands

Cisco routers make a fairly basic distinction between the characteristics of a serial line (which you might want to think of as “physical” characteristics) and the characteristics of the protocols running over the line. The physical characteristics of a line are configured by the line command (and various commands that follow it) and include items such as parity and port speed. The high-level protocol characteristics are configured by the interface command (and the commands that follow it); these characteristics include IP addresses and other properties.

The line command can configure:

  • The router’s console port (CTY)

  • The router’s asynchronous ports (TTYs), used for dial-in and dial-out modem connections

  • The router’s auxiliary port (AUX), used for backup modem connections

  • Telnet, SSH, and rlogin connections to the router (“virtual terminals” or VTYs)

The line Command

The line command specifies which line or group of lines you want to configure by entering the line configuration mode. It doesn’t actually do the configuration; it is followed by other commands that set up the specific properties you want. Here’s the syntax of the line command:

line [aux | console | tty | vty] starting-line-number ending-line-number

The possible line types are aux, console, tty, and vty. These line types are discussed individually in this chapter. The following example shows how to use the line command to configure some properties of the router’s console interface:

            Enter the privileged command
Router#config terminal 
            Enter configuration mode
Router(config)#line console 0            Select the console line

Router(config-line)#exec-timeout 30 0 
            Set the timeout to 30 minutes
            Exit the line configuration
            Exit the configuration mode

If you want to apply line commands to more than one line, you can specify the starting and ending numbers of a group of lines. For example, say you want to apply the command exec-timeout to TTY lines 5 through 10. Instead of typing this command five times, you can configure the entire group with one line command:

Router(config)#line tty 5 10
Router(config-line)#exec-timeout 30 0

Absolute and Relative Line Numbering

When you’re typing the line command, you give it “relative” line numbers: the first TTY is tty0,[*] the first virtual terminal is vty0, and so on. This numbering scheme is intuitive and convenient. Internally, the router uses an absolute numbering scheme to keep track of the lines. It would be nice if you could ignore the router’s internal bookkeeping, but a number of commands use absolute line numbers when reporting information about a line’s status.

Absolute line numbers are calculated by their location on the router, in the order of CTY, TTY, AUX, and then VTY. The console port is first; its absolute line number is zero (0). The TTY ports are next, starting at absolute line number 1 and continuing for the number of TTY lines on the router. If you have eight TTY ports, absolute numbers 1 through 8 will be the TTYs on your router. Next is the AUX port, whose absolute line number is the last TTY number plus 1. Finally, the VTYs begin at the AUX port’s number plus 1. Table 4-1 clarifies absolute and relative line numbering .

Table 4-1. Absolute and relative line numbers

Line type

Absolute number

Relative number

Console (CTY)



















n + 1



n + 2



n + 3



n + 4



n + 5


To view this table on the router, use the command show users all. The first column of the output shows the absolute line number, followed by the line type, followed by the line’s relative number:

Router>show users all
     Line     User      Host(s)            Idle Location
   0 con 0                                 00:00:00
   1 tty 1             incoming            6
   2 tty 2             incoming            6
   3 tty 3             incoming            6
   4 tty 4                                 00:00:00
   5 tty 5                                 00:00:00
   6 tty 6                                 00:00:00
   7 tty 7             incoming             3d13h
   8 tty 8             incoming             3d13h
   9 tty 9             incoming             3d13h
  10 tty 10            incoming             3d08h
  11 tty 11            incoming             3d08h
  12 tty 12            incoming             3d08h
  13 tty 13                                00:00:00
  14 tty 14                                00:00:00
  15 tty 15                                00:00:00
  16 tty 16                                00:00:00
  17 aux 0                                 00:00:00
* 18 vty 0             idle                0
  19 vty 1                                 00:00:00
  20 vty 2                                 00:00:00
  21 vty 3                                 00:00:00

The Console Port

Each router has one console port . This port always has line number 0. You make a connection to the console port by attaching a standard RS232 cable, as shown in Figure 4-1. This cable is often shipped with your router.

Console cable connection
Figure 4-1. Console cable connection

You can use any VT100 terminal-emulation program to talk to the router; just select the correct PC serial interface (the one the console cable is plugged into) and then hit the Enter key a few times. The router responds by starting an EXEC session, which is the process within the router that provides the command-line interface. The default settings for the port are 9600 baud, 8 databits, no parity, and 1 stop bit. If you changed any of these defaults on the device, you will have to change the settings on your terminal program to match.

Using the line commands, we can define and control access to the console port . Here is a basic configuration :

Router#config terminal
Router(config)#service linenumber
Router(config)#line console 0
Router(config-line)#location Building-2A
Router(config-line)#exec-timeout 30 0

The location command identifies the router’s location to the users. The command service linenumber displays the location information automatically to the user upon login. This information can be useful when you are administering your routers. Next, we add a basic security measure: a timeout. If the console port is idle for more than 30 minutes, the session automatically closes. You do not want the session active all the time in a real environment. If you forget to log out, someone might come in after you and modify the router’s configuration!

A little more security can be achieved by adding a user login:

Router(config)#username bob password letmein
Router(config)#line console 0
Router(config-line)#login local

These commands provide only minimal security; for more effective security measures, see Chapter 15.

Virtual Terminals (VTYs)

VTYs are logical connections from the network to the router; these are typically telnet, SSH, or rlogin connections. When a user telnets to a router from the network, as in Figure 4-2, the router starts an EXEC process to handle this connection.

VTY connections
Figure 4-2. VTY connections

Although no physical link is associated with a virtual terminal, VTYs are configured just like normal TTY lines. VTYs are enabled once they are configured. If you do not configure any VTYs, then logical connections, such as telnet, cannot be made to your router from the network. Here is a VTY configuration example:

Router(config)#line vty 1
            Must be enabled for login
Router(config-line)#exec-timeout 30 0    
            Set the timeout to 30 minutes
Router(config-line)#password letmeinhere    
            Set one password for telnet
Router(config-line)#transport input ssh    
            Allow only ssh access
Router(config-line)#access-class 10 in    
            Apply access list 10 to this
Router(config)#access-list 10 permit host

This example shows a semi-secure configuration for a VTY terminal. We set a timeout for 30 minutes and apply only one password. We then use the transport input command to define the protocols that are allowed to use this line; in this case, we are allowing only ssh access. (If you want to be less secure, you can use telnet instead of ssh.) The access-class command applies an access list to this interface. We won’t explain access lists here; in this example we use a simple access list to permit access from the host at address


You should configure all your VTYs in the same manner, because there is no way to predict which VTY a user is going to receive when he telnets into the device.

Asynchronous Ports (TTYs)

TTYs are asynchronous connections between the router’s async interfaces and serial devices (modems). If you are connecting modems to your router or access server for dial-up or dial-out connections, you will need to configure the TTY ports .

The TTY ports correspond directly to async interfaces. Therefore, whenever you configure a TTY line, you will probably also configure the corresponding interface. If you plugged a modem into async port 1, you would use TTY1 to configure all the hardware aspects of the connection between the router and the modem, and the interface Async1 would configure the protocol. (The interface commands are defined in Chapter 5.) Figure 4-3 demonstrates the possible modem configuration on a router or terminal server.

TTY connections to modems
Figure 4-3. TTY connections to modems

Here is an example of a modem configuration on TTY port 3:

! Select line 3
line tty 3
  ! Tell the router to use its local username list
  login local
  ! This line is for dial-in access only
  modem dialin
  ! The speed of the serial connection is 115200 bps
  speed 115200
  ! Use hardware flow control 

  flowcontrol hardware
  ! The type of modem is autoconfigured by the router
  modem autoconfigure discovery

The configuration isn’t difficult to read. The router, which is some sort of terminal server, maintains its own list of usernames and passwords (login local); the modem is used only for dial-in; the serial connection between the modem and the router is set to 115200 baud; hardware flow control is used; and the modem is configured by the router.

The Auxiliary (AUX) Port

The router’s auxiliary (AUX) port functions as a backup async port. It is most commonly used as a backup console port, but it can also be used as a dial-up port for remote router management and many other functions. It doesn’t have the performance of an asynchronous line; its speed is often limited (particularly on older routers), and it does only per-character I/O, which creates a high CPU load if used continuously.

Figure 4-4 shows how you might use the AUX port as a backup for a T1 line. If the T1 connection goes down, Router 1 automatically dials Router 2 using the modem connected to the AUX port. Obviously, the speed of the backup link is not comparable to the T1 connection, but it does provide some level of backup support.

Using an AUX port as a backup connection
Figure 4-4. Using an AUX port as a backup connection

The following configuration examples show how to use the AUX port as backup connection . This example uses many commands that are well beyond the scope of this chapter; they are included here to make the configuration complete. The comments describe some of the more advanced commands; for more information about PPP and dial-on-demand routing, see Chapter 12.

!  Configure the primary (T1) interface, with async 4 as a backup.
!  See Chapter 5 for info on interface configuration.
!  See Chapter 12 for the dialing commands
interface serial0
  ip address
  backup interface async 4
  backup delay 10 1
! The AUX line translates to the async 4 interface.
interface async 4
  ip address
  dialer in-band
  dialer string 410-555-5555
  dialer-group 1
  async dynamic routing
! Build our dialer lists.
dialer-list 1 protocol ip permit
chat-script script1 " " "atdt 410-555-5555" timeout 60 "connected"
! Finally, configure the AUX port using the line commands.
line aux 0
  modem chat-script script1
  modem inout

show line

To display the status of a line, use the command show line. This is not a privileged command and can be executed by any user. On an eight-port terminal server, show line gives output like this:

Router>show line
 TTY TYP      Tx/Rx      A Modem  Roty AccO AccI  Uses    Noise   Overruns
   0 CTY               -    -      -    -    -     0        0        0/0
   1 TTY    9600/9600   -    -      -    -    -     3      542        0/0
*  2 TTY    9600/9600   -    -      -    -    -     1        0        0/0
   3 TTY   38400/38400  - RIisCD    -    -    -     1        0        0/0
I  4 TTY   38400/38400  - inout     -    -    -    25        0        0/0
I  5 TTY   38400/38400  - inout     -    -    -  3940        0        0/0
I  6 TTY   38400/38400  - inout     -    -    -  1483        0        0/0
I  7 TTY   38400/38400  - inout     -    -    -   364        0        0/0
I  8 TTY   38400/38400  - inout     -    -    -    12        0        0/0

Table 4-2 describes the fields in this report.

Table 4-2. Fields in a show line display



1st column

I = line is idle; * = line is active.


Actual line number.


Type of line: CTY (console), AUX, TTY, VTY, LPT.


Transmit and receive baud rates for this line.


Autobaud (automatic baud rate detection) is active.


Type of modem signal configured for this line (callin, callout, cts-req, dtr-act, inout, RIisCd).


Rotary group configured for this line.

AccO, AccI

Access lists for this line, both output and input (see access-class in Chapter 17).


Number of connections made to this line since the router was booted.


Number of times noise was detected on this line. Can be used to gauge line quality.


Number of buffer overruns that have occurred on this line, in the format hardware/software. Hardware overruns occur when the hardware receives data from the software faster than it can process it. Software overruns occur when the software receives data from the hardware faster than it can process it. A bad cable could cause overruns.

You can retrieve more detailed information by selecting a single line:

Router>show line 5
 Tty Typ     Tx/Rx     A Modem  Roty AccO AccI  Uses    Noise   Overruns
A  5 TTY  38400/38400  - inout     -    -    -  3969        0      0/0

Line 5, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 38400/38400, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner, Async Interface Active
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD, Line usable as async interface
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:    Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
             0:00:30        never                        none     not set
Session limit is not set.
Time since activation: 2:08:08
Editing is enabled.
History is enabled, history size is 10.
Full user help is disabled
Allowed transports are lat telnet rlogin mop.  Preferred is lat.
No output characters are padded
No special data dispatching characters
Modem hardware state: CTS DSR  DTR RTS
Line is running PPP for address
0 output packets queued, 1 input packets.
 Async Escape map is 00000000000000000101000000000000
Group codes:    0
  Interface Async5: (passive, compression on)
    Rcvd:    5711 total, 4516 compressed, 0 errors
             0 dropped, 0 buffer copies, 0 buffer failures
    Sent:    5085 total, 4032 compressed,
             138729 bytes saved, 3943290 bytes sent
             1.3 efficiency improvement factor
    Connect: 16 rx slots, 16 tx slots, 1275 long searches, 765 misses
             84% hit ratio, five minute miss rate 0 misses/sec, 1 max

The first part of this report has the same format given in Table 4-2. However, the rest of the report goes into great detail about the line’s characteristics. Table 4-3 shows what these additional fields mean.

Table 4-3. Fields in a show line for a single port




TTY line number.


Value of the location keyword set for this line. See location in Chapter 17.


Value specified by the line configuration.


Terminal display length in characters.


Terminal display width in characters.


Transmit (TX) and receive (RX) baud rates.


State of the line (ready, connected/disconnected, active/inactive, exit banner).


How or for what this line can be used.

Modem state

Control state of the modem. If not Ready, suspect a modem problem.

Special chars

Settings of characters defined for this line.


Timeouts as specified by the configurations.

Session limit

Maximum number of sessions for this line. Controlled by the session-limit command.

Time since activation

Time elapsed since line activation (i.e., how long the line has been considered active).


Whether command-line editing is enabled.


Length of the command history buffer. Set by the user with the history command.

Full user help

Whether the full-help command has been activated for this line.

Transport methods

Transport mechanisms allowed on this line. See the transport command in Chapter 17 for more information.

Character padding

See the padding command in Chapter 17.

Data dispatching characters

Whether any data-dispatching characters are configured. See dispatch-character in Chapter 17 for more information.

Line protocol

The protocol and address specified for this line.

Output/input packets

Queued packet counts for this line.

Group codes

AT group codes for this line.

Reverse Telnet

When a user telnets to a router, she is “logged on” directly to the router. Cisco adds a special twist: if you telnet to a special port on the router, the router redirects the incoming telnet connection back out a selected asynchronous line, rather than internally accepting the incoming connection. This is called reverse telnet . Here are two telnet commands you might give on your Unix or Windows workstation:

% telnet router1             
            Telnet directly into router1
% telnet router1 2001        
            Telnet to port 2001 on router1

The first telnet command connects to the standard telnet port (TCP port 23; remember that we’re now talking about TCP ports, not the router’s physical ports) and initiates a virtual terminal session with the router. The second command is tricky. It connects to TCP port 2001; the router maps this port to one of its asynchronous lines. The router performs any login requirements, then connects the telnet session to the mapped line. The mapping is simple: just subtract 2000 from the port used for the telnet connection. So in this example, the user would be connected to asynchronous line 1 (tty1). Line 2 (tty2) would be 2002, and so on. If a modem is connected to tty1, the user would be talking directly to the modem.

The only catch to this mapping is the AUX port. The number of the AUX port is the last TTY port, plus 1. So, on a router with 18 TTY ports, the AUX port would be port 2019 (the last TTY, port 2018, plus 1). On a router with no TTY interfaces, the AUX port would be port 2001.

In addition to port 2000, ports 4000 and 6000 can be used. Port 4000 plus the tty1 gives you a raw TCP port, which is usually for sending data directly to a printer. On port 2000, each carriage return is translated into a carriage return plus a linefeed. Port 6000 is just like port 2000, except it turns off the carriage-return translation.

Reverse telnet requires that the TTY line be configured to allow outbound connections. Here’s how you do this:

Router(config)#line tty2
Router(config-line)#modem inout

The modem inout command allows both incoming and outgoing connections. Another way to configure the line is:

Router(config)#line tty2
Router(config-line)#modem callout

The modem callout command allows only outgoing connections.

Another useful command for reverse telnet is ip alias. This command lets you assign an IP address to a reverse telnet connection. In other words, the router associates an IP address with a reverse telnet port. If you telnet to this address, the router will connect you directly to the specified port. For example, assume that a router has an Ethernet interface with an address of The following commands configure it to route incoming telnet connections for the addresses,, and to asynchronous ports 1 through 3:

interface ethernet0
 ip address
 no shutdown
! Now configure our reverse telnet IP address
ip alias 2001
ip alias 2002
ip alias 2003

Now, when you telnet to, you will be connected to the device that is connected to port 1.

Common Configuration Items

This section summarizes the configuration items you are likely to encounter when configuring a line on a router or a terminal server.

Communication Parameters

These useful commands set the low-level physical parameters of a line. To set the line speed (baud) you can use the speed, txspeed, or rxspeed commands. For databits, stop bits, and parity, use the commands databits, stopbits, and parity, respectively. For automatic baud rate detection , use the autobaud command.

For flow control, use the flowcontrol command, which takes as arguments none, software, or hardware. In a modern environment, hardware flow control is almost always appropriate.

Transport Type

The transport command defines which protocols can be used to connect to a line. The default protocol is none, which means that no incoming connections are allowed. The command transport input telnet specifies that telnet can be used as an incoming protocol, but no other protocols are allowed.

You can also specify the preferred protocol to use after a user has connected to a line. By default, the preferred protocol is telnet. Therefore, when users are connected to the router, they can type a hostname, and the router will assume they want to telnet to a device. To disable this behavior, use the command transport preferred none.

Session Limits and Timeouts

IOS provides two ways to limit the number of ongoing sessions. To limit the number of sessions allowed on a line, use the session-limit command. To limit a session’s idle time, use the session-timeout command. If the session is idle longer than the specified time, the router automatically logs the user out. Note that these commands apply to the configuration of lines and not to the router as a whole.

Special Characters and Key Sequences

IOS allows you to specify a number of special characters that control the interaction between a user and the router. The activation character is the character that starts a terminal session when it is typed at a vacant terminal. The default activation character is Enter; you can set it to another value using the activation-character command. Other special characters are the disconnect character and the hold character, both of which have no defaults. The disconnect character disconnects (terminates) a session, while the hold character pauses a session until any other key is pressed. These characters are set using the disconnect-character and hold-character commands.

All three of these commands apply to lines; the argument for each command is the ASCII value for the character. For example, to set the disconnect character for line 2 to Ctrl-d (ASCII value 4), use the following commands:

Router(config)#line 2
Router(config-line)#disconnect-character 4

[*] On some routers, like the 2600, TTY numbering depends on the placement of modules on the router’s chassis. On a device such as this, TTY numbers don’t necessarily start at 0; depending on how modules are installed, they might start at 32 or some other number. Likewise, the AUX port may be 65, depending on card placement.

Get Cisco IOS in a Nutshell, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.