Solved

cisco vty question

Posted on 2009-02-15
Last Modified: 2012-05-06
Hello. Below are the config printouts from the bottom of two of our Cisco Catalyst 3750 LAN switches. They are configured using HSRP. I just saw how they were configured and I'm new to Cisco syntax. Can you help me understand, line by line, each piece and which one is better? I can't think of any reason these two switches, which are redundant pairs, should be any different from each other.

SWITCH #1
----------------
control-plane
!
!
line con 0
line vty 0 4
no exec-banner
password cisco
login
length 0
line vty 5 15
login
!
end



SWITCH #2
------------------
control-plane
!
!
line con 0
line vty 0 1
password cisco
login
length 0
line vty 2 4
password cisco
login
line vty 5 15
login
!
end
Question by: GCIT_Manager

11 Comments

Assisted Solution by: Don Johnston (earned 400 total points)
ID: 23646588
line vty 0 4 ! Indicates the following commands are for the vty lines 0-4
no exec-banner ! There will be no banner message just for telnet connections
password cisco ! The password for telnet connections will be "cisco"
login ! Requires telnet connections to respond with the above password.
length 0 ! Sets the screen length to unlimited.
line vty 5 15 ! Indicates the following commands are for the vty lines 5-15
login ! Since the password is not set, connections will not be allowed on these lines.

Most likely, the reason they're different is that different people set them up, weren't sure what they were doing, and typed in commands that they had seen before.

I would make them all the same. Removing the "length 0" will pause the output every 23 lines and prompt with "more" to see the next line (or page).


line vty 0 4
 password cisco
 login
 no length 0
line vty 5 15
 login

Author Comment by: GCIT_Manager
ID: 23649614
Thanks, that helps. I guess I'm still a bit confused.

What are vty lines? And why are some described as 5-15 and others "0 4"?

What I'm trying to do is the following:

1. Require usernames and passwords instead of the default account (like when I telnet, it just asks for the pwd).
2. Change all default passwords.
3. Encrypt the passwords (so it doesn't show them in the config file).
4. Create a user account for myself with admin privileges.
5. Require connections over SSH except for the serial console (SSH is more secure than telnet, no?).

I like the "---more---" idea though. It helps me view the output piece by piece. The only annoying part is that when I export the config by highlighting it, I have to go through and remove those pieces manually so they don't get pasted in during a restore.
Expert Comment by: Aaron Street
ID: 23650127
vty lines are virtual terminal lines, or in other words telnet lines.

So you can have up to 15 (no, sorry, 16; line 0 is also a valid interface) users telnetting in to the switch at once.

You can, if you want, assign different passwords to different lines and have people log in in different ways, say SSH on vty 0-4 and telnet on 5 to 15.

You can also break up the lines as much as you want and, if necessary, configure each individually.

However, the standard break is lines 0 to 4 and 5 to 15. The reason for this is that some old switches only have lines 0 to 4.

If you try to copy a config from a new switch to an old switch, and it was configured with line vty 0 15, this would fail on the old switch.

By splitting the lines up, the first config command to configure lines 0-4 will work on both switches. The second command for lines 5-15 will fail on the old switch but pass on the newer switch. So this split is just for legacy purposes.

Expert Comment by: Aaron Street
ID: 23650219
OK, for your points:

1. Issue the commands
# line vty 0 15
# login

That will make the switch require a password.

2. # password "whatever you want here"

You don't need to worry about the 0 or the 7. You only need to type 7 if you are copying and pasting an already encrypted password from another switch.

3. Go back to standard config mode and type

# service password-encryption

4. By default you will have admin status once you have typed in the enable password.

5. SSH: forget all I have typed above. To set up SSH you really need to look in the Cisco manuals. It varies how you want to do this, what level of encryption you want to use, and a few other bits.

But this would set up SSH for you:

# line vty 0
# transport input ssh

Exit and go back to conf t:

# username xxxx password xxx
# ip domain-name abc.com
# crypto key generate rsa modulus 512
# ip ssh version 2

That will set up an SSH account and make line 0 accept SSH connections.

Author Comment by: GCIT_Manager
ID: 23650363
Thanks, Devil.

Is there any reason to leave telnet on if SSH is enabled?

2. That password command changes the username password, but does it change the "enable" password once you're in?

3. Can you explain what we're doing with those last 5 lines you suggested?
Accepted Solution by: Aaron Street (earned 1600 total points)
ID: 23650612
OK.

No, you should use

# line vty 0
# no transport input telnet

You should only leave telnet enabled if you have a specific reason. Usually you can disable it.

2. We are only setting up access to the switch interface here. Once logged in via telnet/SSH/console you still need to run an

# enable
# "password"

command to get into privileged mode, from which you can run config commands.

The last 5 lines of code are setting up a user account on the switch (SSH needs a login name and password, unlike telnet), setting the domain, and generating the secure certificates, much like a web page using public and private encryption uses certificates for authentication. When you enable SSH on a switch you have to generate the secure keys it will use. The size command is like 512 bit encryption, 128 bit etc.; the larger the number, the stronger the encryption. 512 is strong; some people would recommend going to 1024, although this may slow down authentication to the switch a bit.

One other thing to be aware of.

If you do a # service password-encryption and then look at the line password, you will see something like

# password 7 140304095C123454

Try it on your switch, then look for "cisco level 7 encryption" in Google (http://www.ifm.net.nz/cookbooks/passwordcracker.html)

and type in your encrypted password!!! It's easily cracked. So although encrypting it may stop a casual observer, anyone who has managed to log on to the switch will be able to see its clear form. However, it can only be read from an enable prompt. This uses level 5:

# enable secret 5 $1$J5tY$1Foy63562467eYMrTBNfkw/
# enable password 7 03075345345345

But you see lots of people enabling both the enable password and the secret one, often using the same password for both!!

My advice is to only enable the secret password; use this one instead of the enable one. And then run a

# no enable password

Level 5 is much tougher to break... however, I'm still not going to post any of my real ones above ;)
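As an added example (not from the thread, and not a Cisco tool), a small Python audit that reads an IOS-style config and flags the points made in this answer and in Don Johnston's: a vty range with `login` but no password (which refuses connections), cleartext or type 7 line passwords, `transport input` that still admits telnet, and `enable password` present without or alongside `enable secret`. The WEAK sample is constructed to resemble the question's switches; the command syntax it checks is standard IOS.

```python
import re
# Constructed sample (not a real device): the question's switches plus an 'enable password' line
WEAK = """\
enable password 7 0123456789ABCDEF
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login
"""

def parse_vty(config):
    # Returns (lo, hi, settings) per 'line vty' block; indented lines belong to it
    ranges, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            cur = {"password": None, "login": None, "transport": None}
            ranges.append((int(m.group(1)), int(m.group(2) or m.group(1)), cur))
        elif not raw.startswith(" "):
            cur = None  # any other top-level command ends the block
        elif cur is not None:
            cmd = raw.strip()
            if cmd.startswith("password "):
                cur["password"] = cmd.split()[1:]  # ["cisco"] or ["7", "<hex>"]
            elif cmd.startswith("login"):
                cur["login"] = cmd  # "login" (line password) or "login local" (username db)
            elif cmd.startswith("transport input "):
                cur["transport"] = cmd.split()[2:]
    return ranges

def audit(config):
    # Flags the weaknesses discussed in the thread; an empty list means none found
    findings = []
    for lo, hi, s in parse_vty(config):
        tag, pw = f"vty {lo}-{hi}", s["password"]
        if s["login"] == "login" and pw is None:
            findings.append(f"{tag}: 'login' with no password, so logins are refused")
        elif pw and pw[0] == "7":
            findings.append(f"{tag}: type 7 password is reversible, not a secret")
        elif pw:
            findings.append(f"{tag}: cleartext password in the config")
        if s["transport"] != ["ssh"]:
            findings.append(f"{tag}: transport input is not 'ssh' only")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret' configured")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' present; remove with 'no enable password'")
    return findings
```

Run `audit(WEAK)` to see the six findings for the sample; a config with `enable secret`, `login local` and `transport input ssh` on `line vty 0 15` returns an empty list.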
Author Comment by: GCIT_Manager
ID: 23651373
Thanks, Devil. Last question:

So I'll go try and implement SSH. However, do I need to undo any of the telnet access ("no ...")? Or does enabling SSH disable telnet automatically?
Author Closing Comment by: GCIT_Manager
ID: 31547146
I think I need a Cisco security book for dummies. I understand a lot of the switch protocols, but the telnet, SSH, and encryption pieces are foreign to me.
Expert Comment by: Aaron Street
ID: 23651524
No, enabling SSH does not disable telnet.

You need to run a

# no transport input telnet

However, you can also run a

# transport input telnet ssh

and this would allow both on that VTY line.

So you can play around with SSH till you get it working, and still have telnet as a backup.

Then do a

# line vty 0 15
(so select all lines)
then
# no transport input telnet
to remove it from all lines in one go.

Author Comment by: GCIT_Manager
ID: 23651570
Awesome, thanks!
Expert Comment by: Aaron Street
ID: 23657262
You're welcome :)