01-11-2010 01:10 AM - edited 03-06-2019 09:14 AM
Hi all,
I can't delete "line vty 5 15".
When I try it, the message below occurs:
====================================================
PE007#sh run | beg line vty
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
no login
line vty 5 15
exec-timeout 0 0
no login
!
end
PE007#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE007(config)#no line
PE007(config)#no line vty 5 15
% Can't delete last 16 VTY lines
PE007(config)#
Who knows about this?
01-11-2010 01:26 AM
Hello Sanghee,
You cannot delete the VTY lines 5 to 15. They are only separately described in the configuration file for backward compatibility purposes.
The reason is this: Older IOSes supported only 5 VTYs, from 0 to 4. In newer IOSes, this number was increased. Now imagine that the VTY section would begin with a command line vty 0 15. The configuration parser in older IOSes would refuse to accept such a command and it would also ignore all the commands that were supposed to be placed on the VTY lines. As a result, no VTY line would be configured, resulting in an inability to log in remotely. That is why the newer IOSes consciously split the configuration of the VTY lines into two sections: line vty 0 4, which will be accepted by all IOSes, old and new, and the remaining lines, line vty 5 15, which will be understood and accepted by newer IOSes.
Best regards,
Peter
01-11-2010 01:45 AM
Hi,
I don't think you can delete the VTY lines, but you can disallow access to them, which you already have in place (no login). You can simply allow access via only the first 5 lines if desired:
line vty 0 4
password
login
line vty 5 15
no login <--does not allow access to these lines.
Hope that helps
Regards
Ganesh.H
01-11-2010 02:01 AM
Thanks for your answer.
It's helpful to me.
11-05-2015 07:21 AM
It has been a long time since the last answer.
The solution is simple yet strange:
Just compare the lines, like so:
0 2
3-4
5,
6-15
Make all the VTYs like the one you want to keep (like the 0-2) and they will disappear.
So copy and paste the same configuration to ALL the VTYs, like 0 2.
line vty 0 2
session-timeout 20
line vty 3 4
session-timeout 30
line vty 5
session-timeout 40
config t
line vty 3 4
session-timeout 20
line vty 5
session-timeout 20
And they should be gone, with just 0-4 left.
If you see 0 5, just split it into 0 4 and 5 (5 needs a different config like 0 4)
and do a
no line vty 5
Done!
01-11-2010 02:02 AM
Thanks for your answer.
It's good information. Thanks again.
02-16-2012 11:06 AM
line vty 0 4
password
login
line vty 5 15
no login
Beware!!! Actually this disables asking for a password on incoming telnet sessions!
In this case, your switch will only ask for a password on the first five telnet sessions.
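The warning above can be turned into a repeatable check. The following is an added example, not part of the thread: a small Python auditor that parses the `line vty` stanzas of a running-config and flags `no login` on lines that are not otherwise closed off, plus `exec-timeout 0 0`. The function names are hypothetical, the sample is the opening post's VTY section re-typed with indentation, and it assumes line-password authentication (no `aaa new-model`).

```python
import re

# Constructed sample: the VTY section from the opening question, re-indented.
SAMPLE = """\
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 no login
line vty 5 15
 exec-timeout 0 0
 no login
!
end
"""

def parse_vty(config):
    """Return {(first, last): [sub-commands]} for each 'line vty' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            current = stanzas.setdefault((first, int(m.group(2) or first)), [])
        elif line in ("!", "end") or line.startswith("line "):
            current = None  # separator or another line type ends the stanza
        elif current is not None and line:
            current.append(line)  # works for indented and flattened pastes
    return stanzas

def audit_vty(config):
    """Return sorted (range, finding) pairs for risky VTY settings."""
    findings = []
    for rng, cmds in parse_vty(config).items():
        # Lines closed with either command accept no inbound exec session.
        blocked = "transport input none" in cmds or "no exec" in cmds
        if "no login" in cmds and not blocked:
            msg = "no login: sessions are accepted without a password"
            if "privilege level 15" in cmds:
                msg += ", directly at privilege level 15"
            findings.append((rng, msg))
        if "exec-timeout 0 0" in cmds:
            findings.append((rng, "exec-timeout 0 0: idle sessions never time out"))
    return sorted(findings)

if __name__ == "__main__":
    for (first, last), finding in audit_vty(SAMPLE):
        print(f"vty {first}-{last}: {finding}")
```

Run against the opening post's configuration, it reports both VTY ranges as reachable without a password, with lines 0-4 landing at privilege level 15.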
06-27-2012 10:17 AM
You can also go with:
line vty 5 15
transport input none
transport output none
That will not allow any type of session (SSH, Telnet, etc.) to be established on vty lines 5 15.
I would recommend the following config on any device that uses SSH:
line vty 0 4
transport input ssh
password
login
06-27-2012 11:10 AM
If you want the vty 5 to 15 to not work then the best thing to do is to configure this
line vty 5 15
no exec
HTH
Rick
02-18-2013 02:58 AM
Not sure what IOS version you have, but I did it before. Note you only need to delete line vty 5 and the IOS will automatically delete all lines that started from 5. However, you can not delete the line vty from 0 to 4.
Below is how I delete them:
c28ar01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c28ar01(config)#do sh run | be line vty
line vty 0 4
session-timeout 5
access-class 22 in
transport preferred none
transport input ssh
transport output none
!
!
< snip >
c28ar01(config)#
c28ar01(config)#line vty 5 15 >>> Added vty 5 - 15
c28ar01(config-line)#
c28ar01(config-line)#
c28ar01(config-line)#
c28ar01(config-line)#do sh run | be line vty
line vty 0 4
session-timeout 5
access-class 22 in
transport preferred none
transport input ssh
transport output none
!
line vty 5 15 >>> new
!
< snip >
c28ar01(config-line)#
c28ar01(config-line)#no line vty 5
c28ar01(config)#
c28ar01(config)#
c28ar01(config)#do sh run | be line vty
line vty 0 4
session-timeout 5
access-class 22 in
transport preferred none
transport input ssh
transport output none
!
<<< line vty 5-15 are now deleted >>>
< snip >
02-18-2013 04:57 AM
I wanted to add that I normally configure my vty ports as follows:
line vty 0 4
access-class 23 in
password 7 xxxxxxxxxxx
login local
transport input ssh
line vty 5 15
access-class 23 in
no login
transport input none
I don't normally login from one switch to another. I limit IP addresses that have access to the device. There are many variations. But if you don't want to use ports vty 5 - 15, just input the:
line vty 5 15
no login
transport input none
02-18-2013 08:52 AM
How IOS treats the vty 5 15 is very much dependent on the version of IOS being used. We have an example in this thread in which vty 5 15 is not the default. Clearly in this version of IOS the extra vty can be added and can be deleted.
And very clearly the version of IOS for the original poster does have vty 5 15 as its default setting and will not allow them to be deleted:
PE007(config)#no line vty 5 15
% Can't delete last 16 VTY lines
HTH
Rick