Vty attribution

saberplanet · ‎05-11-2017

Hi,

I have a question related to VTY attribution.

Let say we have

line vty 0 4

access-class XXXX in

login local

line vty 5 15

no login

Yes 5 15 looks wrong as it should have been "transport input none" instead of the "no login".

Now in order to reach 5 to 15, the first 5 (0 4) should be busy. We do have an access-class so only authorized ips should be able to establish a connection. The question is can a malicious party send more than 5 simultaneous connections (wether telnet or ssh) and be lucky to have his request served by vty 5 15 settings (which were "no login" and thus authorize anyone without a valid user or password)?

How does the vty attribution work? Is it only for established connection and not simply a tcp request that should be blocked by the ACL..?

Thank you!

Reza Sharifi · ‎05-11-2017

Hi,

"no login" means you can make connection to the device without any authentication which means the device is not secure at all. This command needs to be removed, so people are forced to authenticate with username and password.

HTH

saberplanet · ‎05-11-2017

Please read the whole text please. I know the "no login" is not correct.

If there is more than 5 simultaneous connections (wether SSH or Telnet), will a VTY session be attributed to each one even if we have an ACL on vty 0 4? In which scenario will the connection be served by vty 5 15? I know that if we did not have the ACL on vty 0 4 and we send more than 5 tcp connections (ssh or telnet), we were able to have vty 5 15 to let us in because of the "no login"...

Thank you :)

saberplanet · ‎05-15-2017

What do you guys think about this?