Unable to disable telnet on Cisco Switch 3850

Hi,

 

We are unable to disable telnet on Cisco Switch 3850. Version: Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3).

The following commands are already executed on the device.

 

 

line con 0
logging synchronous
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 15 0
transport preferred ssh
transport input ssh
transport output ssh
line vty 5 15
no exec


marce1000
VIP

 

 - Could you remove transport preferred ssh and try again; it is better to have a backup session open on the device in case a command locks you out completely (then you can still revert).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Edwin Portillo
Spotlight
Hi my Friend, 


Test what you say @marce1000 and you can also prevent me from logging into the range of access lines via telnet, for example:

line vty 5 15
no login

Another way, which works for some versions of IOS, is denying the lines they will not use:

no line vty 5 15

I am not clear about something in the original post. The partial config includes this

line vty 0 4
transport preferred ssh
transport input ssh
transport output ssh
line vty 5 15
no exec

 

So vty 0 through 4 accept only SSH and vty 5 through 15 do not accept connections. It looks to me like telnet is disabled. But the original post tells us they are not able to disable telnet. Can the original poster provide clarification about how telnet is not disabled?

 

HTH

 

Rick


 

>Can the original poster provide clarification about how telnet is not disabled?

 - That looks like a strange sentence to me, Richard, because I presume that this would follow from user experience. My assertion is that transport preferred ssh needs to be removed from the config, otherwise the switch would think that telnet is still an allowed option.

 M.




M

 

Your assertion is flawed. There are several commands related to SSH and you need to understand the function of both of them.

line vty 0 4
transport preferred ssh  **  this command indicates that when there are multiple transport protocols allowed which one of them is preferred. It does not have anything to do with which transport protocols are allowed.
transport input ssh  **  this command indicates what transport protocol is allowed. In this case only a single transport is allowed, which is ssh.

I would agree that when only a single transport protocol is allowed that it is not significant to specify which one is preferred. And therefore I would agree that the original poster might want to remove the unneeded command. But having that command in the configuration is not going to enable telnet.

 

You find my question strange. My question reflects my analysis of the very limited partial configuration and it looks to me that telnet should be disabled. If the original poster has evidence that it is not disabled then I would like to know what that evidence is. Perhaps it does follow from user experience. In that case I would like to know what that experience is.

 

HTH

 

Rick
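
The distinction drawn in the post above, as an added example that is not part of any post in this thread and not Cisco tooling: a small Python audit that decides inbound telnet exposure per vty range from `transport input` alone and ignores `transport preferred`. The names `parse_lines` and `audit_vty` are hypothetical, and the input is assumed to contain only `line` stanzas.

```python
import re

# aux and vty stanzas from the config in the original post (other lines omitted).
POSTED_CONFIG = """\
line aux 0
no exec
line vty 0 4
access-class 1 in
exec-timeout 15 0
transport preferred ssh
transport input ssh
transport output ssh
line vty 5 15
no exec
"""

LINE_RE = re.compile(r"^line\s+(con|aux|vty)\s+(\d+)(?:\s+(\d+))?$")

def parse_lines(config):
    """Split a config fragment that contains only 'line' stanzas."""
    stanzas = []
    for raw in config.splitlines():
        text = raw.strip().lower()
        m = LINE_RE.match(text)
        if m:
            first = int(m.group(2))
            stanzas.append({"type": m.group(1), "first": first,
                            "last": int(m.group(3) or first), "cmds": []})
        elif text and not text.startswith("!") and stanzas:
            stanzas[-1]["cmds"].append(text)
    return stanzas

def audit_vty(config):
    """Hypothetical helper: report inbound telnet exposure per vty range."""
    findings = {}
    for s in (x for x in parse_lines(config) if x["type"] == "vty"):
        name = f"vty {s['first']} {s['last']}"
        # Only 'transport input' is consulted; 'transport preferred' and
        # 'transport output' do not decide which inbound protocols are allowed.
        allowed = [c.split()[2:] for c in s["cmds"] if c.startswith("transport input ")]
        if not allowed:
            findings[name] = "review: no explicit transport input"
        elif {"telnet", "all"} & set(allowed[-1]):
            findings[name] = "telnet allowed"
        else:
            findings[name] = "telnet not allowed (" + " ".join(allowed[-1]) + ")"
    return findings
```

On the posted configuration this reports vty 0 4 as SSH-only and flags vty 5 15, which carries `no exec` but no explicit `transport input`, so what it accepts inbound depends on the platform default.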


Learned a lot from you guys; didn't know there was a transport preferred ssh command, in other words picking from the list. Do you think this guy means disconnecting from a telnet session? Looks like he does not have it allowed coming into the device anyway, but it's been my experience that disconnecting from a telnet session with the disconnect command does not work; a simple exit does.

>...

>If the original poster has evidence that it is not disabled then I would like to know what that evidence is. Perhaps it does follow from user experience. In that case I would like to know what that experience is.

 - Remarkable, can't you just check whether you can telnet to the device or not, using Putty (e.g.) or another app (?)

 M.




UsmanAkram1525
Level 1

Add the *transport input ssh* command to line vty 0 4 and line vty 5 15

 

then check.

 

 

 

The original post was clear that vty 0 4 already had transport input ssh applied. And since vty 5 15 were configured with no exec then it would be superfluous to apply transport input ssh to them.

HTH

Rick

I had tried two methods and both work for me:
1. create an access-group and deny port 23 then apply this on Management Vlan.
2. I have added command "transport input ssh" to line vty 0 4 and line vty 5 15 (as informed above).

