Hardening configuration on a switch - vty and tty lines

Nissi
Level 1

Doing a 'show line ?' on my switch produced the following output:

switch# sh line ?
  <0-16>   First Line range
  console  Primary terminal line
  summary  Quick line status summary
  vty      Virtual terminal
  |        Output modifiers
  <cr>

 

Does this imply that tty lines do not exist on the switch?

 

My second question is, if I should only define line vty 0 4 with the appropriate parameters, can unauthorized access be gained to the switch from vty 5 15 although they are not defined?

 


balaji.bandi
Hall of Fame

The show output is normal.

Line con is the console; if someone accesses the console port physically they are able to get access, so you need to secure this with a password or AAA configuration.

vty 0-15: how many VTY lines do you need open? More open means more issues; as standard, vty 0-4 is configured so only limited users can log in.

This also requires tightening the security for the user to log in using SSH (try to avoid telnet; not advised here).

 

Follow switch hardening guide :

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

BB

Thanks for responding. I've taken care of the Line con already and I've defined acceptable parameters for vty 0 4. What I'm interested in knowing is if nothing is defined for vty 5 15, can those lines be accessed by unauthorized means?

 

To clarify the question regarding line tty. Does this exist on a switch or only on routers?

 

Thanks

vty 0-4 means only 5 simultaneous connections (a 6th user is not allowed).

High level, for reference (for a deep dive, Google is your help):

TTY is a physical port

VTY is a virtual port

BB

Hello,

 

'vty 0 4' and 'vty 5 15' do not correspond to physical connections. They are basically just 'placeholders' for virtual connections, without any hardware actually being associated with them. So, 'vty 0 4' means only that 5 virtual connections are possible. When you connect to the device (router or switch) you cannot actually specify the VTY line number. If 'vty 5 15' lines do not exist, nobody can connect to these virtual lines either.

That is as opposed to TTY lines; these are asynchronous lines, used for inbound or outbound modem and terminal connections, with actual hardware support. I remember these from e.g. the Cisco 2509 (very old) access server, and routers used as terminal servers. TTY lines can only be found on routers, not on switches.

Thanks Georg. Spot on. This is what I was looking for regarding the TTY lines.

Hello

@Georg Pauwen wrote: When you connect to the device (router or switch) you cannot actually specify the VTY line number.

This is not necessarily true; you can connect to a specific vty line if you desire, you just need to configure that line to do so.


Kind Regards
Paul

@paul driver 

 

How? Without the SSH client knowing the specific line number? That is what I meant...

Hello


@Georg Pauwen wrote:

How? Without the SSH client knowing the specific line number? That is what I meant...


The below will allow ssh to a specific vty line
Example:
rtr - 1.1.1.1
! on rtr: put vty 24 into rotary group 127 and map an SSH listener to that group
line vty 24
 rotary 127
ip ssh port 3127 rotary 127

remote rtr
! connect to the rotary port rather than port 22, so the session lands on vty 24
ssh -l stan 1.1.1.1 3127


Kind Regards
Paul

Hello


@Nissi wrote:

My second question is, if I should only define line vty 0 4 with the appropriate parameters, can unauthorized access be gained to the switch from vty 5 15 although they are not defined?



@balaji.bandi wrote:
high level for reference: - ( deep dive google is your help)

If you left the all other vty alone then no access would be allowed however I tend to secure those also in conjunction with AAA local credentials, ssh, acl and timeouts.

See attached for example:



Kind Regards
Paul
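A way to check the concern in this thread across the whole vty 0 15 range, added here as an example (it is not from the thread or from any attachment): it parses a constructed IOS running-config in which vty 0 4 carries the controls Paul lists (local or AAA login, SSH-only transport, an inbound access-class, an exec-timeout) while vty 5 15 is left untouched, and reports what each individual line lacks. The sample config, ACL number 10 and the timeout values are assumptions.

```python
import re

# Constructed sample running-config (not from the thread): vty 0 4 carries the
# controls discussed above; vty 5 15 is left at its defaults.
SAMPLE_CONFIG = """\
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input all
"""

# One regex per control; a line sub-command must match for the control to count.
REQUIRED = {
    "login": re.compile(r"^login (local|authentication \S+)$"),    # local or AAA
    "transport": re.compile(r"^transport input ssh$"),             # SSH only
    "access-class": re.compile(r"^access-class \S+ in$"),          # inbound ACL
    "exec-timeout": re.compile(r"^exec-timeout (?!0 0$)\d+ \d+$"),  # set, not disabled
}

def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = blocks.setdefault((first, last), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks

def audit_vty(config, max_line=15):
    """Map each vty number 0..max_line to the controls it lacks (absent = clean)."""
    blocks = parse_vty_blocks(config)
    findings = {}
    for n in range(max_line + 1):
        cmds = []
        for (first, last), sub in blocks.items():
            if first <= n <= last:
                cmds = sub  # a later block covering the same line wins
        missing = [name for name, pat in REQUIRED.items()
                   if not any(pat.match(c) for c in cmds)]
        if missing:
            findings[n] = missing
    return findings

if __name__ == "__main__":
    for line_no, missing in audit_vty(SAMPLE_CONFIG).items():
        print(f"vty {line_no}: missing {', '.join(missing)}")
```

Feed it the output of 'show running-config | section line vty' from a real device; the default exec-timeout is not shown in a running-config, so an unset timeout is reported as missing rather than assumed.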