How to Secure VTY access to the Router (2024)

This tutorial explains how to secure a Telnet, SSH, or a remote connection to the router. Learn how to block unauthorized access to Cisco routers.

Cisco routers support the remote management feature. For this feature, routers use virtual type terminals (VTY). When you access a router remotely, the router associates the remote connection to a virtual type terminal (VTY). You can use the assigned virtual terminal to execute commands.

Routers support multiple remote connections simultaneously. To keep each connection separate, routers assign a unique number to each connection. These numbers are known as VTY line numbers. VTY line numbers start from 0.

Telnet and SSH

Telnet and SSH are two of the most popular protocols used for remote management. Both protocols come in two parts: server and client. The Server part is installed on the system that you want to access remotely. The client part is installed on the system that you want to use to access the server system remotely.

By default, both protocols are installed on Cisco routers. You can use one or both of these protocols to access the router's virtual terminal. Since these protocols involve security risks, routers do not enable them automatically. If you want to use these protocols, you have to enable them manually.

Once enabled, you can use any active IP address on the router to access the router's virtual terminal. For example, on a router three interfaces are enabled. You can use the IP address of any of these interfaces to access the router's virtual terminal.

If you want to secure virtual terminals or permit only particular IP addresses to access them, you can use access lists. An access list allows you to define the IP addresses that are allowed to access virtual terminals. There are two types of access lists: standard access lists and extended access lists.

To secure virtual terminals, you can use both types of access lists, but it is recommended to use a standard access list. A standard access list provides the following advantages over an extended access list.

You can apply a standard ACL directly on VTY lines. But you can't apply an extended ACL on VTY lines. If you want to use extended ACLs to secure VTY lines, you have to use an ACL for each interface that a user can use to access the VTY lines.


A standard ACL requires less configuration. For a standard ACL statement, you only need the source address of the host.

With a standard ACL applied to the VTY lines, the router examines only the packets that are attempting to reach the VTY lines. If you use extended ACLs on the interfaces instead, the router must examine every incoming packet on those interfaces to make the same decision.

Because of the above-listed reasons, administrators usually use standard ACLs to secure VTY lines. In the following section, we will discuss how to configure and implement a standard ACL to secure VTY lines.

This tutorial is the eleventh part of the article 'Cisco Access Lists Explained with Examples'. The other parts of this article are the following.

Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers

Using a standard ACL to secure VTY lines

To secure VTY lines, create a standard ACL that only permits the IP addresses you want to allow and apply this ACL to the VTY lines that you want to protect. Once the ACL is applied, the router will permit only the allowed IP addresses to access the VTY lines.

Let's understand this process through an example.

Either create a network on Packet Tracer as shown in the following image or download the following pre-created LAB and load it on Packet Tracer.

Download Packet Tracer Lab with Initial Configuration


This network contains three sections. Currently, all sections can access each other. To verify the connectivity, you can use the ping command.


Now, suppose we want to enable the router's virtual terminals for the Manager section. Currently, there is only one PC in the Manager section. The IP address of the PC is 192.168.2.10/24.

To enable access to the router's virtual terminal, we have to enable either Telnet or SSH on the router. No matter which protocol you enable for virtual terminals, access lists work similarly for both protocols. In this example, we will enable Telnet.

Telnet is simple, but it does not provide any security feature. It sends username and password in clear text format. SSH is complex, but it offers a lot of security features. It encrypts all communications. In a lab environment, you can use Telnet. But in a production environment, you should always use SSH.

Enabling Telnet

By default, a router supports five telnet sessions. The following commands enable all telnet sessions and set the password 'telnet' for all sessions.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password telnet
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit
Router#

Telnet uses the password to authenticate the user. It does not authenticate the client system. This means any user who knows the correct password can log in from any client system. In our example, if a user from the Sales section knows the password, that user can also access the router's virtual terminal through the Telnet client program.

To verify this, open the Telnet client program of PC2.


On the Telnet client program, specify any one IP address from the active IP addresses on the router. As you can see, there are three active IP addresses on the router. These addresses are 192.168.1.1/24, 192.168.2.1/24, and 192.168.3.1/24. Use any one IP address from these IP addresses and click the Connect button.


The Telnet client program connects to the Telnet server program and opens a new remote connection. The Telnet server program presents a login prompt for authentication.

Enter the password that you configured with the password command when enabling the Telnet sessions. In this example, I set the password to 'telnet', so I will use the password 'telnet'. If you configured another password, use that password.

If the specified password is correct, we get a virtual terminal. On the virtual terminal, we are placed in enable mode.


Telnet enabled Packet Tracer Lab

The following link provides the Telnet-enabled Packet Tracer lab of this example.

Download Packet Tracer Lab with Telnet Configuration

Requirements

Now suppose, we don't want to allow the Sales and Server sections to access the router's virtual terminals. We want to allow only the Manager section to access the router's virtual terminals. For this, we have to create and apply an access list on the router that allows only the Manager section to access virtual terminals.

Creating and applying an access list to secure VTY lines

To create and apply a standard access list to secure VTY lines, run the following commands on the router.

Router>
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 10 permit host 192.168.2.10
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Router(config-line)#exit
Router(config)#

We create an access list in global configuration mode. The first two commands are used to enter global configuration mode. The next command creates a standard access list. Let's discuss this command in detail.

access-list 10 permit host 192.168.2.10

access-list: This keyword tells the router that we are creating an access list.

10: This number defines the type of the access list and groups all statements in the access list. For a standard access list, you can use any number in the ranges 1-99 and 1300-1999. To create a new access list, use a new number from these ranges. To append a statement to an existing list, use the same number.

permit: This is the action that we want to perform when the condition that follows it is met.

host 192.168.2.10: This parameter defines the condition. In our example, we have only one host in the Manager section, so we specified the IP address of the host with the host keyword. If you want to match a range of IP addresses, you can use a wildcard mask.

To learn all arguments, options, and parameters of the access-list command in detail, you can check the previous parts of this tutorial.

An access list does nothing until you apply it. Routers associate each remote connection with a virtual line. In other words, you access a virtual terminal through a virtual line. We can apply a standard ACL directly on the virtual lines.

We can apply a standard access list to a single virtual line or all virtual lines. In our example, we will apply the access list to all virtual lines. To apply an access list, we have to enter the line configuration mode.

We used the next command to enter the line configuration mode of all lines.

line vty 0 4

We used the following command to apply the access list.

access-class 10 in

This command needs only two arguments: the number or name of the ACL that we want to apply and the direction in which we want to apply the ACL. We specified the number 10 here because the number of the ACL is 10. We want to filter incoming connections, so we specified the 'in' direction here. We used the last command to exit line configuration mode.
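To make the matching behaviour concrete, the following added example (not code from the original tutorial) reproduces how a router evaluates a standard ACL applied with access-class: statements are checked top-down, the first match decides, and a source that matches nothing hits the implicit deny. ACL 10 is the tutorial's own list; ACL 20 is a constructed variant that uses a wildcard mask to permit the whole Manager subnet.

```python
import ipaddress

# ACL 10 is the statement configured in this tutorial.
ACL_10 = ["access-list 10 permit host 192.168.2.10"]

# ACL 20 is constructed for this example: a wildcard mask that matches
# every host in 192.168.2.0/24 (the Manager section) instead of one host.
ACL_20 = ["access-list 20 permit 192.168.2.0 0.0.0.255"]


def parse_statement(line):
    """Return (action, address_int, wildcard_int) for one standard ACL line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    rest = parts[3:]
    if rest[0] == "host":            # 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'
        addr, wild = rest[1], "0.0.0.0"
    elif rest[0] == "any":           # 'any' is shorthand for '0.0.0.0 255.255.255.255'
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif len(rest) == 1:             # a bare address implies a 0.0.0.0 wildcard
        addr, wild = rest[0], "0.0.0.0"
    else:
        addr, wild = rest[0], rest[1]
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def matches(src_int, addr_int, wild_int):
    """Wildcard bit 0 = this bit must match; wildcard bit 1 = don't care."""
    care_mask = 0xFFFFFFFF ^ wild_int
    return (src_int & care_mask) == (addr_int & care_mask)


def access_class_decision(acl_lines, source_ip):
    """Evaluate a source address the way 'access-class <n> in' does."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        action, addr, wild = parse_statement(line)
        if matches(src, addr, wild):
            return action             # first matching statement wins
    return "deny"                     # implicit deny at the end of every ACL


if __name__ == "__main__":
    for pc in ("192.168.2.10", "192.168.2.77", "192.168.1.10", "192.168.3.10"):
        print(pc, "ACL 10:", access_class_decision(ACL_10, pc),
              "ACL 20:", access_class_decision(ACL_20, pc))
```

Running it shows that only 192.168.2.10 is permitted by ACL 10, while ACL 20 also admits other Manager-subnet hosts but still rejects the Sales and Server sections.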

Verifying the ACL implementation

To verify the ACL implementation, access the router's virtual terminal from PC2 again. This time the router will not let you access the virtual terminal.


Now, access a virtual terminal from Laptop0. If you can access the router's virtual terminal, it verifies that the ACL is implemented correctly.


You can also perform more tests from Server0, PC0, and PC1. The router will not allow remote connections from these systems.

We implemented the ACL to block only unauthorized remote access to the router. It should not interrupt the connectivity between sections. To verify this, we can use the ping command to test connectivity between sections. The following image shows the connectivity test between sections.


Configured Packet Tracer Lab

The following link provides the configured Packet Tracer lab of the above example.

Download Packet Tracer Lab with ACL Configuration

That's all for this tutorial. In the next tutorial, we will learn how to create, implement, and verify a numbered extended access list.

Article information

Author: Nicola Considine CPA