VTYs are logical connections from the network to the router; these are typically telnet, SSH, or rlogin connections. When a user telnets to a router from the network, as in Figure 4-2, the router starts an EXEC process to handle this connection.
Figure 4-2. VTY connections
Although no physical link is associated with a virtual terminal, VTYs are configured just like normal TTY lines. VTYs are enabled once they are configured. If you do not configure any VTYs, then logical connections, such as telnet, cannot be made to your router from the network. Here is a VTY configuration example:
    Router(config)#line vty 1
    ! Must be enabled for login access
    Router(config-line)#login
    ! Set the timeout to 30 minutes
    Router(config-line)#exec-timeout 30 0
    ! Set one password for telnet access
    Router(config-line)#password letmeinhere
    ! Allow only ssh access
    Router(config-line)#transport input ssh
    ! Apply access list 10 to this line
    Router(config-line)#access-class 10 in
    Router(config-line)#exit
    Router(config)#access-list 10 permit host 10.10.1.2
This example shows a semi-secure configuration for a VTY terminal. We set a timeout for 30 minutes and apply only one password. We then use the transport input command to define the protocols that are allowed to use this line; in this case, we are allowing only ssh access. (If you want to be less secure, you can use telnet instead of ssh.) The access-class command applies an access list to this line. We won't explain access lists here; in this example we use a simple access list to permit access from the host at address 10.10.1.2.