Limit number of simultaneous telnet connections

stephan.steiner
Spotlight

Hi

Is there a way to limit the number of concurrent telnet connections to a router?

I have tried

user myusername user-maxlinks 1

But I'm still able to log in more than once using the user myusername. Also, the documentation mentions some restrictions, one of which is that PPPoE has to be used, and this is a router that is used for PPP dial-out and site-to-site VPN; there is no PPPoE anywhere.

Then I tried the session limit on the lines:

line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 1 in vrf-also
 password test123
 session-limit 2
 transport input telnet
 transport output none
line vty 5 15
 access-class 1 in vrf-also
 privilege level 5
 session-limit 1
 transport input telnet
 transport output none

However, even after that, I'm able to open up 5 concurrent telnet sessions (I stopped after 5).

Am I missing something or is it simply not possible to limit the number of telnet sessions to a router?

3 Replies

purohit_810
Level 5

First, check whether you have an access list in place:

access-list 1 permit {Network}

If yes, then also check with the configuration below.

line vty 0 4
 access-class 1 in vrf-also
 password test123
 session-limit 2

Instead of the above, use:

line vty 0 1
 access-class 1 in vrf-also
 password test123
 session-limit 2

Regards,

Dharmesh

Yes, I do have an ACL 1 which allows access from certain internal IP ranges from which we do permit connections to the router (if not, wouldn't the access-class command result in no telnet access being possible? That goes in the right direction but is obviously too strict).

I think you mixed up the two config blocks (since mine is line vty 0 4...).

So your suggestion is to limit telnet access by only enabling telnet on lines 0 and 1 instead of 0 - 4 (plus 5 - 15) like I had before? Shouldn't "session-limit X" apply to the total of the lines under which it is listed (so if I have a config "line vty 0 15", there are 16 lines, but with the defined session limit, effectively only two concurrent logins would be permitted)? The alternative (applying it per line) doesn't make much sense to me, since you can have only one connection per line anyway. Wouldn't limiting telnet access to just lines 0 and 1 without any session limit also limit the number of concurrent sessions to 2?

Is there any way to limit sessions per username rather than globally? Ideally I'd rather have that, since that way I can ensure that, no matter what, there's emergency admin access.
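As an added illustration (not code from this thread or from Cisco): a small Python audit that reads the "line vty" blocks out of a running-config and counts how many vty lines accept inbound telnet. Each vty line carries one session, so that count, not session-limit, is the ceiling on concurrent logins, which is consistent with the five sessions observed above; session-limit is therefore deliberately not counted. The second sample config narrows telnet to vty 0 1 as suggested in the reply; closing the remaining lines with "transport input none" is this example's own assumption, as is treating a block with no "transport input" statement as allowing telnet.

```python
import re
# Constructed sample: the two vty blocks from the question (con/aux omitted).
SAMPLE_CONFIG = """\
line vty 0 4
 access-class 1 in vrf-also
 session-limit 2
 transport input telnet
line vty 5 15
 access-class 1 in vrf-also
 session-limit 1
 transport input telnet
"""
# Constructed: the reply's "line vty 0 1" idea; closing the rest is an assumption.
HARDENED_CONFIG = """\
line vty 0 1
 access-class 1 in vrf-also
 transport input telnet
line vty 2 15
 transport input none
"""
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_blocks(config):
    """Return [(first, last, [statements])] for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = VTY_RE.match(raw.strip())
        if m:
            current = []
            blocks.append((int(m.group(1)), int(m.group(2) or m.group(1)), current))
        elif raw.startswith("line "):
            current = None                      # con/aux/tty: not vty lines
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
    return blocks

def audit_vty(config):
    """Return (telnet_lines, unfiltered): vty numbers accepting inbound telnet, and
    those doing so with no access-class. One session per line, so len(telnet_lines)
    bounds concurrent logins. A missing 'transport input' is assumed to allow telnet."""
    telnet_lines, unfiltered = [], []
    for first, last, stmts in parse_vty_blocks(config):
        transport = next((s[16:] for s in stmts if s.startswith("transport input ")), None)
        if transport not in (None, "all") and "telnet" not in transport.split():
            continue                            # e.g. 'none' or 'ssh': no telnet here
        lines = list(range(first, last + 1))
        telnet_lines += lines
        if not any(s.startswith("access-class ") for s in stmts):
            unfiltered += lines
    return telnet_lines, unfiltered
```

Run `audit_vty(SAMPLE_CONFIG)` and `audit_vty(HARDENED_CONFIG)` to compare the two configs: the first yields 16 telnet-capable lines, the second 2.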

Not 100% sure, but this may help you in the right direction. I think that to limit telnet to a device on a per-user basis, you need to configure that in your TACACS server, not on the router itself. I don't believe there is a way to set an access list based on usernames on the router, just on end devices.
