Protect VTYs with an Access List

When you telnet to your router, you connect to a VTY (virtual terminal). This terminal lets you configure your router over the network, without a physical connection to the console port. This capability is extremely useful, but also dangerous: if you can configure your router over the network, so can anyone else with the appropriate passwords. One way to make the router more secure is to apply an access list to the VTY ports. This list should allow connections only from certain hosts. The following commands restrict telnet access to the 192.168.1.5 machine. We also apply an exec-timeout, which disconnects idle connections:

! Define the access list
access-list 5 permit 192.168.1.5 0.0.0.0
!
line vty 0 4
  ! Only allow telnet
  tranport input telnet
  ! Apply our access list for incoming connections
  access-class 5 in
  ! Finally, apply an exec-timeout, which will disconnect an idle connection
  ! The timeout is 10 minutes and 0 seconds
  exec-timeout 10 0
   Users and Authentication

Usernames are optional: many routers have a single password, which is given to everyone who needs access to the router. However, doing without usernames has obvious problems: you can never tell who is logged in, who just rebooted the router, or who is responsible for the configuration changes that broke your Internet connection. Usernames and passwords make it possible to trace who has done what; they add a sense of accountability and allow more fine-grained control over what individuals ...

Get CISCO IOS in a Nutshell now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.