
cisco vty question

GCIT_Manager asked (last modified 2012-05-06):
Hello. Below are the config printouts (the bottom portion) from two of our Cisco Catalyst 3750 LAN switches. They are configured using HSRP. I just saw how they were configured and I'm new to Cisco syntax. Can you help me understand each piece line by line, and which one is better? I can't think of any reason these two switches, which are a redundant pair, should be any different from each other.

SWITCH #1
----------------
control-plane
!
!
line con 0
line vty 0 4
no exec-banner
password cisco
login
length 0
line vty 5 15
login
!
end



SWITCH #2
------------------
control-plane
!
!
line con 0
line vty 0 1
password cisco
login
length 0
line vty 2 4
password cisco
login
line vty 5 15
login
!
end

Don Johnston (Instructor, Certified Expert) commented:
line vty 0 4 ! Indicates the following commands are for vty lines 0-4
no exec-banner ! There will be no banner message, just for telnet connections on these lines
password cisco ! The password for telnet connections will be "cisco"
login ! Requires telnet connections to supply the above password
length 0 ! Sets the screen length to unlimited (no paging)
line vty 5 15 ! Indicates the following commands are for vty lines 5-15
login ! Since no password is set, connections will not be allowed on these lines

Most likely, the reason they're different is that different people set them up, weren't sure what they were doing, and typed in commands they had seen before.

I would make them all the same. Removing the "length 0" will pause the output every 23 lines and prompt with "--More--" to see the next line (or page).


line vty 0 4
 password cisco
 login
 no length 0
line vty 5 15
 login


GCIT_Manager (author) commented:
Thanks, that helps. I guess I'm still a bit confused.

What are vty lines? And why are some described as 5-15 and others "0 4"?

What I'm trying to do is the following:

1. Require usernames and passwords instead of the default account (like when I telnet, it just asks for a password).
2. Change all default passwords.
3. Encrypt the passwords (so it doesn't show them in the config file).
4. Create a user account for myself with admin privileges.
5. Require connections over SSH except for the serial console (SSH is more secure than telnet, no?).

I like the "--More--" idea though; it helps me view the config piece by piece. The only annoying part is that when I export the config by highlighting it, I have to go through and remove those pieces manually so they don't get pasted in during a restore.
Aaron Street (Technical Infrastructure Architecture and Global Network Manager) commented:
VTY lines are virtual terminal lines, or in other words telnet lines.

So you can have up to 15 (no, sorry, 16: line 0 is also a valid interface) users telnetting in to the switch at once.

You can, if you want, assign different passwords to different lines and have people log in in different ways, say SSH on vty 0-4 and telnet on 5-15.

You can also break up the lines as much as you want and, if necessary, configure each individually.

However, the standard break is lines 0 to 4 and 5 to 15. The reason for this is that some old switches only have lines 0 to 4.

If you try to copy a config from a new switch to an old switch, and that config was written for "line vty 0 15", it would fail on the old switch.

By splitting the lines up, the first config command (for lines 0-4) will work on both switches. The second command (for lines 5-15) will fail on the old switch but pass on the newer switch. So this split is just for legacy purposes.

Aaron Street commented:
OK, for your points:

1. Issue the commands

(config)# line vty 0 15
(config-line)# login

That will make the switch require a password.

2.

(config-line)# password <whatever you want here>

You don't need to worry about the 0 or the 7. You only need to type 7 if you are copying and pasting an already-encrypted password from another switch.

3. Go back to global configuration mode and type

(config)# service password-encryption

4. By default you will have admin status once you have typed in the enable password.

5. SSH: forget all I have typed above. To set up SSH you really need to look in the Cisco manuals. It varies with how you want to do this, what level of encryption you want to use, and a few other bits.

But this would set up SSH for you:

(config)# line vty 0
(config-line)# transport input ssh

Exit and go back to conf t:

(config)# username xxxx password xxx
(config)# ip domain-name abc.com
(config)# crypto key generate rsa
(answer the modulus-size prompt with 512)
(config)# ip ssh version 2

That will set up an SSH account and make line 0 accept SSH connections.

GCIT_Manager (author) commented:

Thanks, Devil.

Is there any reason to leave telnet on if SSH is enabled?

2. That password command changes the username password, but does it change the "enable" password once you're in?

3. Can you explain what we're doing with those last 5 lines you suggested?
Aaron Street commented:
OK.

No, you should use

(config)# line vty 0
(config-line)# no transport input telnet

You should only leave telnet enabled if you have a specific reason. Usually you can disable it.

2. We are only setting up access to the switch interface here. Once logged in via telnet/SSH/console you still need to run

Switch> enable
Password: <enable password>

to get into privileged mode, from which you can run config commands.

The last 5 lines of code are setting up a user account on the switch (SSH needs a login name and password, unlike telnet), setting the domain, and generating the secure certificates, much like a web page using public and private key encryption uses certificates for authentication. When you enable SSH on a switch you have to generate the secure keys it will use. The size command is like 512-bit encryption, 128-bit, etc.: the larger the number, the stronger the encryption. 512 is strong; some people recommend going to 1024, although this may slow down authentication to the switch a bit.

One other thing to be aware of.

If you do a "service password-encryption" and then look at the line password, you will see something like

password 7 140304095C123454

Try it on your switch, then look for "Cisco level 7 encryption" in Google (http://www.ifm.net.nz/cookbooks/passwordcracker.html)

and type in your encrypted password! It is easily cracked. So although encrypting it may stop a casual observer, anyone who has managed to log on to the switch will be able to see its clear form. However, it can only be read from an enable prompt. This uses level 5:

enable secret 5 $1$J5tY$1Foy63562467eYMrTBNfkw/
enable password 7 03075345345345

But you see lots of people enabling both the enable password and the secret one, often using the same password for both!

My advice is to only enable the secret password, use this one instead of the enable one, and then run

(config)# no enable password

Level 5 is much tougher to break... however, I'm still not going to post any of my real ones above ;)
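The level 7 point in the comment above, shown in code. This is an added example, not code from the thread: type 7 is a fixed-key XOR, so the decoder below recovers any "password 7" value found in a config, while the level 5 enable secret (MD5-crypt) and the newer type 8 and 9 secrets offer no such shortcut. The sample config and the test password are constructed; the string 094F471A1A0A is the well-known type 7 encoding of the password "cisco".

```python
"""Cisco type 7 ("service password-encryption") is a fixed-key XOR, not real
encryption. Added example for this thread: decode/encode type 7 strings and
recover every 'password 7' value in a config. The sample config is constructed."""
from __future__ import annotations

import re

# The constant key IOS uses. The first two decimal digits of a type 7 string
# are the starting offset into this key; each following hex byte is the
# clear-text byte XORed with the key byte at that (wrapping) offset.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the clear text of a 'password 7 <encoded>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected 2 seed digits followed by an even number of hex digits")
    seed = int(encoded[:2])
    if not 0 <= seed < len(_XLAT):
        raise ValueError(f"seed {seed} out of range")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("latin-1")


def type7_encrypt(clear: str, seed: int = 9) -> str:
    """Produce the string IOS would store; the seed is arbitrary (IOS picks one)."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError(f"seed {seed} out of range")
    data = clear.encode("latin-1")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 ...' wherever it appears: enable, username or line password.
_TYPE7_RE = re.compile(r"^\s*(?P<ctx>.*?)password 7 (?P<val>[0-9A-Fa-f]+)\s*$", re.M)


def recover_type7_from_config(config: str) -> dict[str, str]:
    """Map each 'password 7' line (whitespace stripped) to its recovered clear text.
    'enable secret 5 ...' lines are left alone: type 5 is MD5-crypt, not reversible."""
    return {m.group(0).strip(): type7_decrypt(m.group("val"))
            for m in _TYPE7_RE.finditer(config)}


# Constructed sample of what 'show running-config' shows after
# 'service password-encryption' when both enable forms are set.
# The secret value is a placeholder, not a real hash.
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 5 $1$placeholder$notARealHash
enable password 7 094F471A1A0A
username admin password 7 {type7_encrypt("Adm1n-Pass", seed=5)}
!
line vty 0 4
 password 7 {type7_encrypt("cisco", seed=14)}
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{line:45} -> {clear}")
```

Running the script prints the clear text of all three "password 7" lines and nothing for the enable secret, which is exactly the split the comment describes: keep `enable secret`, drop `enable password`, and treat `service password-encryption` as obfuscation against shoulder-surfing only.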

GCIT_Manager (author) commented:

Thanks, Devil. Last question:

So I'll go try and implement SSH. However, do I need to undo any of the telnet access ("no ...")? Or does enabling SSH disable telnet automatically?

GCIT_Manager (author) commented:

I think I need a Cisco security book for dummies. I understand a lot of the switch protocols, but the telnet, SSH, and encryption pieces are foreign to me.
Aaron Street commented:
No, enabling SSH does not disable telnet.

You need to run

(config-line)# no transport input telnet

However, you can also run

(config-line)# transport input telnet ssh

and this would allow both on that vty line.

So you can play around with SSH till you get it working, and still have telnet as a backup.

Then do

(config)# line vty 0 15
(so select all lines), then
(config-line)# no transport input telnet

to remove it from all lines in one go.
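The steps spread over the comments above (require a login, set passwords, turn on service password-encryption, prefer enable secret, allow only SSH on the vty lines and take telnet off all of them) can be checked mechanically against a running-config. The following is an added example, not code from the thread: a small audit script that splits an IOS configuration into its "line" blocks and reports the settings the thread argues against. Both configs are constructed; the weak one is the tail of switch #1 from the question with an enable password added, and the hardened one uses `login local` with a `username ... secret` account instead of a shared line password, restricts all sixteen vty lines to `transport input ssh` and sets `ip ssh version 2`. One caveat on the `crypto key generate rsa` step in the earlier comment: SSH version 2 on IOS needs an RSA modulus of at least 768 bits, so answer the prompt with 2048 rather than 512 (`crypto key generate rsa modulus 2048` on newer releases). Whether an unset `transport input` permits telnet depends on the platform and IOS release, so the script flags it as something to set explicitly rather than assuming either way.

```python
"""Audit a Cisco IOS configuration for the vty/login weaknesses discussed in
this thread. Added example; both sample configs below are constructed and the
rules encode the thread's advice plus standard IOS hardening."""
from __future__ import annotations

import re

_LINE_HDR = re.compile(r"^line\s+(?P<name>\S.*?)\s*$")


def split_sections(config: str) -> dict[str, list[str]]:
    """Group commands by 'line ...' block, with top-level commands under 'global'.
    A block ends at '!', 'end' or the next 'line' header, so pasted configs whose
    one-space sub-command indentation was lost (as in the question) still parse."""
    sections: dict[str, list[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd in ("!", "end"):
            current = "global"
            continue
        m = _LINE_HDR.match(cmd)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections[current].append(cmd)
    return sections


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    sections = split_sections(config)
    glob = sections["global"]
    findings: list[str] = []
    has = lambda prefix: any(c.startswith(prefix) for c in glob)  # noqa: E731

    if "service password-encryption" not in glob:
        findings.append("global: service password-encryption is off; line passwords are stored in clear text")
    if not has("enable secret"):
        findings.append("global: no enable secret configured")
    if has("enable password"):
        findings.append("global: enable password is set (type 0/7 is reversible); keep only enable secret")
    for c in glob:
        if c.startswith("username ") and " password " in c:
            findings.append(f"global: user {c.split()[1]!r} uses 'password'; use 'username ... secret'")
    if not has("username ") and not has("aaa new-model"):
        findings.append("global: no local user accounts, so per-user login is impossible")
    if "ip ssh version 2" not in glob:
        findings.append("global: ip ssh version 2 is not set")

    for name, cmds in sections.items():
        if not name.startswith("vty"):
            continue
        if "no login" in cmds:
            findings.append(f"{name}: 'no login'; connections are accepted without authentication")
        elif "login" in cmds:
            findings.append(f"{name}: plain 'login' checks the shared line password; use 'login local' or AAA")
        elif not any(c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no explicit login command; verify what the platform default applies")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: shared line password configured")
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: transport input not set (default is release dependent); set 'transport input ssh'")
        elif transports[-1].split()[2:] != ["ssh"]:
            findings.append(f"{name}: {transports[-1]!r} is not restricted to ssh")
    return findings


# Constructed: the question's switch #1 tail plus an enable password.
WEAK_CONFIG = """\
enable password cisco
!
line con 0
line vty 0 4
no exec-banner
password cisco
login
length 0
line vty 5 15
login
!
end
"""

# Constructed hardened equivalent, written as typed at the CLI; 'show run'
# would display the two secrets as hashes.
HARDENED_CONFIG = """\
service password-encryption
enable secret ExampleOnly-ChangeMe
username admin privilege 15 secret ExampleOnly-ChangeMe
ip domain-name example.com
ip ssh version 2
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}:", "\n".join(audit(cfg)) or "no findings")
```

Feed it the output of `show running-config` and it reports per vty block, so the "0 4" versus "5 15" split in the question shows up as two sets of findings and is easy to spot when the pair of switches drifts apart. The console line is deliberately not audited, matching the questioner's goal of SSH everywhere except the serial console.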

GCIT_Manager (author) commented:

Awesome, thanks!

Aaron Street commented:

You're welcome :)