Solved

Understanding Cisco VTY lines

Posted on 2005-04-13
17,358 Views
Last Modified: 2008-01-09
I have a Cisco router (3845) and am configuring remote access.  I set up "line con 0" to define my local console properties, but when I set up remote access (telnet/ssh), I'm confused about the VTY line numbers.

Using the SDM GUI, it created

line vty 0 4
 access-class 102 in
 privilege level 15
 password mypassword
 login
 transport input ssh
line vty 5 15
 access-class 101 in
 privilege level 15
 password mypassword
 login local
 transport input ssh
!

What is the difference between line vty 0-4 and 5-15?  What defines which line you come in on?  If I telnet/ssh to the router, is that line vty 0?

Also can you explain login vs login local?

Thanks
Shane
Question by:shanepresley

9 Comments

LVL 49

Accepted Solution

by: sunray_2003 (earned 2000 total points)
ID: 13773486
Hi shanepresley,

Basically, VTYs are virtual terminal lines.

vty 0-4 means you have programmed 5 terminal lines on your router, so you can only open 5 terminal sessions to the router.
If you try to open one more session beyond 5, you won't be allowed.

Normally, you can program 16 terminal lines, which means you can have 16 simultaneous connections.
In your case, you have all 16 lines programmed.

Looks like in your case you can ONLY SSH to that router, as your transport input says "ssh".

Once inside your router, give "show line"; then you know which line or VTY is being used.

Regarding login vs login local: if you want to log in using a username, you would have to give login local. This can be used for numerous purposes, like authenticating certain users, keeping track of who logs in, etc.

If you have only login, anyone can log in (of course they need to know the password).



SR..
 
LVL 49

Expert Comment

by:sunray_2003
ID: 13773519
Shane,

I think this might help you understand some more:
http://www.cisco.com/warp/public/63/configpasswords.html

Just a word of caution: if you do not have physical access to your router, make sure to work with the VTY lines with care, as you might get locked out and be unable to telnet or SSH into it.
 
LVL 1

Author Comment

by:shanepresley
ID: 13773698
SR, thanks for the great explanation.

I do have physical console access to this router, and it's just a lab router, so I should be okay....

Regarding vty 0-4 and 5-15...do you have any idea why these would be split?  Wouldn't it make more sense if it was vty 0 15?  

Also, the problem I am having is that when I telnet, I get prompted for username/password, and it works.  When I SSH, I get prompted for username/password, and using the same username/password, it fails.

When I try changing to just login (instead of login local), telnet just asks for the password, which works fine, but SSH demands a username (I enter something bogus), then the password, and it still fails.

So...why would authentication be working for telnet, but not ssh?


 
LVL 49

Expert Comment

by:sunray_2003
ID: 13773760
shanepresley,

Check: there is a different access-list for 0-4 and 5-15. You need to check what those different access-lists are doing.
Generally they do this to restrict access to the routers from specific IPs.

So if an IP address 100.100.100.100 (for example) is listed in access-list 101 and your IP is 100.100.100.100, then from that IP you can do SSH and it would connect to any of the lines 0-4.

 
LVL 49

Expert Comment

by:sunray_2003
ID: 13773809
How are you SSHing? Are you using Secure Shell or PuTTY?
 
LVL 1

Author Comment

by:shanepresley
ID: 13773911
access-list 101 and access-list 102 are the same (they just list a few management IPs).  So I assume somehow I should combine vty 0 15 to use access-list 101, and get rid of access-list 102.

I have tried SSH using SecureCRT as well as PuTTY.  Results are the same.
 
LVL 49

Expert Comment

by:sunray_2003
ID: 13774589
shanepresley,

Looks to me like SSH requires a username and password. Not so sure...

Are you sure you can do telnet? I see the transport input in your case is only SSH, so you would not be able to telnet.
 
LVL 1

Author Comment

by:shanepresley
ID: 13774666
Regarding telnet, you are correct.  I had to change my transport to be telnet ssh to allow me to do either.

But I found the problem.  It turns out that if you are using SSH you need to use 'login local' but then also remove the password line.  You can't use a password on the line vty if you want to use SSH (which requires username/password).  Or maybe there is some way to do that, but regardless...this solved my SSH problem...

line vty 0 4
 access-class 101 in
 privilege level 15
 login local
 transport input ssh
!

Thanks for your help and explanations!
Shane
 
LVL 49

Expert Comment

by:sunray_2003
ID: 13774674
shanepresley,

Glad you got it resolved.

SR
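To turn the points made in this thread into something you can run (the number of sessions a vty range gives you, the access-class and login mode per range, why SDM's two ranges could not simply be merged into "line vty 0 15" until their commands matched, and the SSH-with-line-password failure Shane hit), here is a small config audit script. It is an added example, not code from the thread or from Cisco. The sample config is constructed from the snippets posted above; the 192.0.2.10 management host in the ACLs is assumed, because the thread only says the ACLs list a few management IPs. The ssh check encodes what Shane observed here (SSH would not authenticate against the line password), not a claim about every IOS release.

```python
"""Audit the 'line vty' blocks of a Cisco IOS config.  Added example, not
Cisco code; SAMPLE_CONFIG is built from the thread's snippets, and the
192.0.2.10 management host in the ACLs is an assumption."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
access-list 101 permit ip host 192.0.2.10 any
access-list 102 permit ip host 192.0.2.10 any
line vty 0 4
 access-class 102 in
 privilege level 15
 password mypassword
 login
 transport input ssh
line vty 5 15
 access-class 101 in
 privilege level 15
 password mypassword
 login local
 transport input ssh
!
"""
# Consolidated form of the fix the author posted (constructed here).
FIXED_CONFIG = """\
access-list 101 permit ip host 192.0.2.10 any
line vty 0 15
 access-class 101 in
 privilege level 15
 login local
 transport input ssh
!
"""
LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^access-list (\d+) (.+)$")

@dataclass
class LineBlock:
    kind: str       # con, aux or vty
    first: int      # first line number of the range
    last: int       # last line number (equals first for 'line con 0')
    commands: list = field(default_factory=list)

def parse_config(text):
    """Return ([LineBlock, ...], {acl_number: [entries]}) from config text."""
    blocks, acls, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())  # sub-command of the open block
            continue
        current = None                             # '!' or a top-level command ends it
        if m := LINE_RE.match(raw):
            current = LineBlock(m.group(1), int(m.group(2)), int(m.group(3) or m.group(2)))
            blocks.append(current)
        elif m := ACL_RE.match(raw):
            acls.setdefault(m.group(1), []).append(m.group(2))
    return blocks, acls

def describe(block):
    """Pull the settings the thread discusses out of one line block."""
    info = {"login": None, "transport": set(), "password": False, "acl": None}
    for cmd in block.commands:
        if cmd == "login":                 # authenticate with the line password only
            info["login"] = "line-password"
        elif cmd == "login local":         # authenticate against 'username' entries
            info["login"] = "local"
        elif cmd.startswith("transport input "):
            info["transport"] = set(cmd.split()[2:])
        elif cmd.startswith("password "):
            info["password"] = True
        elif cmd.startswith("access-class "):
            info["acl"] = cmd.split()[1]
    return info

def audit_vty(blocks, acls):
    """Return human-readable findings for the vty ranges of a parsed config."""
    vty = [b for b in blocks if b.kind == "vty"]
    total = sum(b.last - b.first + 1 for b in vty)  # one line per session
    out = [f"{total} vty lines in {len(vty)} range(s): at most {total} simultaneous sessions"]
    for b in vty:
        tag, info = f"vty {b.first}-{b.last}", describe(b)
        if info["acl"] is None:
            out.append(f"{tag}: no access-class, any source may connect")
        elif info["acl"] not in acls:
            out.append(f"{tag}: access-class {info['acl']} names an ACL missing from the config")
        if "telnet" in info["transport"]:
            out.append(f"{tag}: transport input allows telnet (cleartext credentials)")
        if "ssh" in info["transport"] and info["login"] == "line-password":
            out.append(f"{tag}: ssh with plain 'login' failed in this thread (ssh always sends "
                       "a username); use 'login local' or AAA")
        if info["login"] == "local" and info["password"]:
            out.append(f"{tag}: line password is ignored under 'login local' and only leaves a secret in the config")
    if len(vty) > 1:   # explain why SDM split the ranges (assumes they are listed in order)
        common = set.intersection(*(set(b.commands) for b in vty))
        diffs = sorted({c for b in vty for c in b.commands} - common)
        out.append("ranges are split because these commands differ: " + ", ".join(diffs) if diffs
                   else f"ranges are identical; they could be one 'line vty {vty[0].first} {vty[-1].last}'")
    return out

if __name__ == "__main__":
    for name, cfg in (("SDM-generated", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==", *audit_vty(*parse_config(cfg)), sep="\n - ")
```

Run it with python3 and it prints one finding list for the SDM-generated config and one for the consolidated fix; the fix yields only the session-count summary. To audit a real router, paste the output of "show running-config" in place of the sample text; the parser only needs the "line" blocks and any numbered "access-list" entries.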
