
transport preferred ssh command at console line

julioegb
Level 1

Hi everyone.

 

I found this configuration in one switch:

line con 0
 exec-timeout 60 0
 transport preferred ssh

 

I don't know what the transport preferred ssh command does at console line level. Is this the right way to secure the console line? Is it better to configure a username and then apply the login local command in line console?

 

I hope my question is clear. Thanks for your answers.

 

Regards,

Julio Guzmán


10 Replies

Hi

Use the transport preferred command to specify which transport protocol is used on connections. Use the transport input and transport output commands to explicitly specify the protocols allowed on individual lines for both incoming and outgoing connections.  

 

The transport preferred command setting specifies a search order when attempting to resolve names that might be valid for multiple protocols. If the address or service does not match the preferred protocol, all other valid output protocols are searched to find a valid match.

 

Link: https://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/configuration/guide/ftersv_c/tcftrmop.html

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Julio provides helpful information about the transport preferred command. I find the use of the command on a console port to be quite strange, since there is really not any way to run SSH over the console connection.

 

How to secure a connection using the console port has a few things that need to be considered. One of the considerations is whether the device has been configured with aaa new-model. If aaa new-model has been configured then it overrides the login local command and there is no point in trying to use login local.

 

HTH

 

Rick

Hello

I would go for what Richard suggested and enable AAA locally -

 

username stan privilege 15 secret stan

aaa new-model
aaa authentication login STAN local
aaa authorization exec STAN local
aaa authorization console

line console 0
no password
authorization exec STAN
login authentication STAN
transport preferred none

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Edgar Bonnell
Level 1

I notice, on con 0, I can put in 'transport preferred none' or 'no transport preferred' which results in 'transport preferred none' but I don't see a way to remove the 'transport preferred'. Once it is entered, I cannot get rid of it. 

 

I even tried, using Solarwinds Orion, to edit the running config...that didn't take it out either.

You have changed the transport preferred from the default value and therefore it shows up in running config. I might try transport preferred all or I might try default line con 0. Give these a try and let us know the results.

 

HTH

 

Rick

It's confusing at first, but let me give it a go: input/output is not the same thing as the preferred command. The preferred command is used to specify a protocol while on the device, so if you mistype something you get this:

 

router2#shurn
% Unknown command or computer name, or unable to find computer address

 

This is because by default the preferred protocol is set to telnet. It's trying to telnet to my mistyped command (so annoying). If we manually change that to SSH we get the same thing.


router2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router2(config)#line con 0
router2(config-line)#transport preferred ssh
router2(config-line)#end
router2#shurn
% Unknown command or computer name, or unable to find computer address

 

Normally people fix this by simply turning off domain lookups; that's one way to solve it, sure. But we can also set the preferred to none and never have to bother with turning off domain lookups again. See below:


router2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router2(config)#line con 0
router2(config-line)#transport preferred none
router2(config-line)#end

router2#shurn
^
% Invalid input detected at '^' marker.

router2#

 

Why is it configurable on the console as well as the vty lines? It depends on where you source the command. If you're logged in via console it uses the preferred setting configured on that line. Same with vty lines if you ssh to the device it uses the preferred value configured on the vty line you're logged in on (or telnet by default).

 

Hope that helps someone.

 

-A
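As an added example (not code from this thread or from Cisco), here is a small Python audit that parses a running-config and flags the line-stanza issues discussed in Paul's AAA answer and in the explanation above: a transport preferred value other than none on con or vty lines (telnet is assumed as the default when the command is absent), a missing login authentication method list when aaa new-model is set, a missing login local when it is not, and a missing exec-timeout. The two config fragments are constructed; the method-list name STAN is taken from Paul's post.

```python
# Constructed sample running-config fragments (not from the thread's switches):
# the first mirrors the original poster's console stanza, the second Paul's AAA fix.
WEAK_CONFIG = """\
line con 0
 exec-timeout 60 0
 transport preferred ssh
line vty 0 4
 transport input ssh
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login STAN local
line con 0
 exec-timeout 9 0
 login authentication STAN
 transport preferred none
line vty 0 4
 login authentication STAN
 transport preferred none
 transport input ssh
"""

def parse_lines(config):
    """Split an IOS config into {'con 0': [sub-commands], 'vty 0 4': [...]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """Return (line, finding) pairs for every line stanza in an IOS config."""
    aaa = "aaa new-model" in config.splitlines()
    findings = []
    for name, cmds in parse_lines(config).items():
        # IOS defaults transport preferred to telnet: a mistyped command is then
        # resolved as a hostname and a session attempt is made from this line.
        pref = next((c.split()[-1] for c in cmds if c.startswith("transport preferred")), "telnet")
        if pref != "none":
            findings.append((name, f"transport preferred {pref}; set 'transport preferred none'"))
        # aaa new-model overrides 'login local', so the stanza should name a
        # method list; without aaa new-model, 'login local' is the check.
        if aaa and not any(c.startswith("login authentication") for c in cmds):
            findings.append((name, "aaa new-model active but no 'login authentication' list"))
        if not aaa and "login local" not in cmds:
            findings.append((name, "no 'login local' (no aaa new-model)"))
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append((name, "no exec-timeout; idle sessions never expire"))
    return findings
```

Run `audit(WEAK_CONFIG)` against the original poster's stanza to see all of the findings, and `audit(HARDENED_CONFIG)` to see only the vty exec-timeout left to fix.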

We had a tech who, for some reason, included the line in his template when rolling out switches. When I pointed out that it won't do anything on the console line, and that it seems impossible to remove later, he refused to remove it from his template. It is now there on hundreds of switches. In this example, the switch is now about 2 1/2 hours away and I don't have access to the console port. The issue isn't worth getting a local tech out there...I don't think I could get rid of the line anyway. The only way I have been successful in doing that is to (when connected locally to the console) copy the config into Notepad, delete the line there, wipe the switch and paste the config back.

 

SW-CVILLE-SaltShed-2(config)#default line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal

SW-CVILLE-SaltShed-2(config)#default line con
% Incomplete command.

SW-CVILLE-SaltShed-2(config)#default line console ?
<0-0> First Line number

SW-CVILLE-SaltShed-2(config)#default line console 0
% Vty line 0 doesn't exist
SW-CVILLE-SaltShed-2(config)#line con 0
SW-CVILLE-SaltShed-2(config-line)#transport preferred telnet
SW-CVILLE-SaltShed-2(config-line)#end
line con 0
exec-timeout 9 0
transport preferred telnet

SW-CVILLE-SaltShed-2(config-line)#transport preferred ?
none No protocols
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol

SW-CVILLE-SaltShed-2(config-line)#transport preferred none
line con 0
exec-timeout 9 0
transport preferred none

Thanks for the update. I am surprised that your attempt to default line console 0 did not work. I wonder if it might work with default line 0. Clearly the online help believes that default line console 0 should work, but you demonstrate that it does not (at least for this platform and this version of code). I wonder if it might work like this:

line console 0

default transport preferred

If it is not possible to set it back to default values I believe that your choice of transport preferred none is probably the best option.

HTH

Rick

SW-CVILLE-SaltShed-2(config)#line con 0
SW-CVILLE-SaltShed-2(config-line)#default transport preferred
SW-CVILLE-SaltShed-2(config-line)#end

line con 0
exec-timeout 9 0
line vty 0 4

 

I would not have thought of that. Here in Newfoundland, when commenting on the loss of something we might say "She's gone by (i.e. boy), she's gone!" ... and it is gone. 

 

Most of the affected switches are 2960s in various configurations. Some are 3750s.

 

Thank you for your help.

Glad that my suggestion was helpful. I thought that defaulting for the entire interface should have worked. But if it did not then defaulting for the particular command is a logical alternative. I agree that sometimes the syntax of some commands is a bit of a puzzle. At least now you have some insight into how you can change this aspect of your switches.

HTH

Rick