Restricting VTY Access by Protocol

Problem

You want to restrict what protocols can be used to access the router's VTY ports.

Solution

To restrict which protocols can be used to access the router's VTY ports, use the transport input line configuration command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#transport input telnet
Router1(config-line)#exit
Router1(config)#end
Router1#


Discussion

Most administrators do not realize that, by default, Cisco routers allow VTY access via several protocols besides Telnet. In some instances, intruders can bypass the security measures you have in place for Telnet and reach your VTYs directly over one of these other protocols. To be safe, we recommend that you prevent all unused protocols from accessing your VTYs. This ensures that nobody can gain VTY access through one of these other protocols.

Our example shows how to restrict VTY access to Telnet only. Of course, your organization may require that other protocols be permitted as well, such as Secure Shell (SSH). Recipe 3.20 discusses how to enable the SSH protocol and prevent all other forms of nonsecure access.

Table 3-1 lists the valid protocols that Cisco router VTYs support.

Table 3-1. VTY input transport protocols

Protocol   Description
all        Enables all protocols
lat        Enables Digital LAT protocol connections
mop        Enables Maintenance Operation Protocol (MOP) transport
nasi       Enables NetWare Access Servers Interface (NASI) transport
none       Disables all input protocols
pad        Enables X.3 PAD connections
rlogin     Enables the Unix rlogin protocol
ssh        Enables the Secure Shell (SSHv1) protocol
telnet     Enables inbound Telnet connections
v120       Enables the V.120 protocol

Use the show terminal EXEC command to view the permitted protocol types for the active line. For a router with the default configuration, there is a long list of allowed protocols:

Router1#show terminal | include input
Allowed input transports are lat pad v120 lapb-ta telnet rlogin ssh.
Router1#

After we restrict the VTY access to Telnet only, the output looks like this:

Router1#show terminal | include input
Allowed input transports are telnet.
Router1#
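Checking one router by hand is easy; checking a fleet is not. The following Python script is an added example, not code from the Cisco IOS Cookbook. It parses the line vty stanzas of a saved running configuration, applies the same default transport list that the show terminal output above reports for an unconfigured line (an assumption: your IOS release may list different defaults), and flags every VTY range that still permits a transport outside a chosen allowlist. It also parses the single line returned by show terminal | include input so the same check can be run against that output. Both sample inputs are constructed for the example.

```python
"""Audit Cisco IOS VTY input transports against an allowlist.

Added example, not from the Cisco IOS Cookbook. Sample inputs are constructed.
"""
import re

# Constructed running-config excerpt: vty 0 4 has been restricted to Telnet
# as in the recipe, while vty 5 15 has been left at the IOS default.
SAMPLE_RUNNING_CONFIG = """\
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
!
end
"""

# Constructed `show terminal | include input` output for a default line.
SAMPLE_SHOW_TERMINAL = "Allowed input transports are lat pad v120 lapb-ta telnet rlogin ssh."

# Transports IOS reports for a line with no `transport input` configured.
# Assumption: taken from the show terminal output in this recipe; other
# IOS releases may default to a different list.
DEFAULT_INPUT_TRANSPORTS = ("lat", "pad", "v120", "lapb-ta", "telnet", "rlogin", "ssh")


def parse_vty_transports(running_config):
    """Return {"vty A B": tuple_of_transports} for every `line vty` stanza.

    A stanza without an explicit `transport input` keeps the default list.
    `transport input none` yields an empty tuple; `all` expands to the defaults.
    """
    result = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = "vty " + " ".join(g for g in m.groups() if g)
            result[current] = DEFAULT_INPUT_TRANSPORTS
            continue
        if line and not line.startswith(" "):
            current = None  # left the stanza: another `line`, `!`, `end`, ...
            continue
        if current is None:
            continue
        m = re.match(r"^\s+transport input (.+)$", line)
        if m:
            words = tuple(m.group(1).split())
            if words == ("none",):
                result[current] = ()
            elif words == ("all",):
                result[current] = DEFAULT_INPUT_TRANSPORTS
            else:
                result[current] = words
    return result


def parse_show_terminal(output):
    """Extract the transport list from `Allowed input transports are ...`."""
    m = re.search(r"Allowed input transports are (.*?)\.?$", output.strip())
    if not m:
        raise ValueError("no 'Allowed input transports' line found")
    return tuple(m.group(1).split())


def find_violations(transports_by_line, allowed):
    """Return {line_range: sorted excess transports} for lines exceeding the allowlist."""
    allowed = set(allowed)
    return {
        rng: sorted(set(transports) - allowed)
        for rng, transports in transports_by_line.items()
        if set(transports) - allowed
    }


if __name__ == "__main__":
    # Audit against an SSH-only policy (see Recipe 3.20 for enabling SSH).
    report = find_violations(parse_vty_transports(SAMPLE_RUNNING_CONFIG), allowed=("ssh",))
    for rng, extra in report.items():
        print(f"line {rng}: remove transports {' '.join(extra)}")
    print("show terminal reports:", " ".join(parse_show_terminal(SAMPLE_SHOW_TERMINAL)))
```

Run against the constructed config with an allowlist of ssh only, the script reports that vty 0 4 still permits telnet and that vty 5 15 permits every default transport except ssh. Point it at real show running-config output collected from your devices to find ranges that were never restricted, which is the gap the Discussion above warns about.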


See Also

Recipe 3.14; Recipe 3.16; Recipe 3.20

Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
Year: 2004
Pages: 505