Configuring VTY Access

Introduction

VTY (Virtual Teletype) lines are virtual interfaces on Cisco devices that allow remote access via Telnet or SSH. Configuring VTY access is essential for remote device management, making it one of the fundamental skills every network administrator must master.

Understanding VTY Lines

Cisco devices typically have multiple VTY lines available:

  • Most routers have VTY lines 0-4 (5 concurrent sessions)
  • Some switches may have VTY lines 0-15 (16 concurrent sessions)
  • Each VTY line can be configured independently

Basic VTY Configuration

To configure VTY access, you need to enter line configuration mode and set up authentication:

Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exit

This configuration:

  • Selects VTY lines 0 through 4
  • Sets the password to cisco
  • Enables password authentication

Enabling Telnet Access

Once VTY lines are configured with passwords, Telnet access is automatically enabled. Test the connection from another device:

PC> telnet 192.168.1.1

Configuring SSH Access

SSH is more secure than Telnet as it encrypts the connection. To enable SSH:

Router(config)# hostname R1
Router(config)# ip domain-name lab.local
Router(config)# crypto key generate rsa
Router(config)# username admin privilege 15 secret cisco
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh

Key configuration steps:

  • Set hostname and domain name (required for SSH)
  • Generate RSA keys for encryption
  • Create a local user account
  • Configure VTY lines to use local authentication
  • Restrict transport to SSH only

Transport Input Options

You can control which protocols are allowed on VTY lines:

Router(config-line)# transport input ?
  all      All protocols
  none     No protocols
  ssh      TCP/IP SSH protocol
  telnet   TCP/IP Telnet protocol

Examples:

  • transport input telnet - Telnet only
  • transport input ssh - SSH only
  • transport input ssh telnet - Both protocols
  • transport input none - Disable remote access

Access Control with ACLs

You can restrict VTY access to specific IP addresses using access lists:

Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in

This configuration only allows connections from the 192.168.1.0/24 network.
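
To make the wildcard-mask semantics behind `access-list 10` concrete, here is a small added example (not part of the original page) that evaluates a standard ACL the way IOS does: top-down, first match wins, with an implicit deny at the end. A 0 bit in the wildcard mask means "must match", a 1 bit means "ignore". The ACL entries are constructed to mirror the page's access-list 10; `wildcard_match` and `acl_decision` are names chosen here.

```python
import ipaddress

def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches the ACL entry `<action> network wildcard`.

    Wildcard masks are the inverse of subnet masks: 0.0.0.255 says
    'compare the first 24 bits, ignore the last 8'.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (n & care)

# Constructed standard ACL mirroring the page's access-list 10.
# "deny any" is written as network 0.0.0.0 with wildcard 255.255.255.255.
ACL_10 = [
    ("permit", "192.168.1.0", "0.0.0.255"),
    ("deny",   "0.0.0.0",     "255.255.255.255"),
]

def acl_decision(address: str, acl=ACL_10) -> str:
    """Evaluate entries in order; the first match decides.

    If nothing matches, IOS applies an implicit deny, so the
    fall-through result is 'deny' as well.
    """
    for action, network, wildcard in acl:
        if wildcard_match(address, network, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.2.1", "10.0.0.5"):
        print(f"{src:>14} -> {acl_decision(src)}")
```

Applied with `access-class 10 in`, this is exactly the decision the router makes for each incoming VTY connection: only sources in 192.168.1.0/24 reach the login prompt.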

Setting Session Timeouts

Configure automatic logout for idle sessions:

Router(config)# line vty 0 4
Router(config-line)# exec-timeout 5 0

This logs out a session after 5 minutes and 0 seconds of inactivity (the format is minutes seconds).

Common Troubleshooting

If you cannot connect via VTY:

  • Verify VTY lines are configured with passwords
  • Check if transport input allows your protocol
  • Ensure the device has IP connectivity
  • Verify access-class restrictions
  • Check if all VTY lines are in use

Best Practices

  • Use SSH instead of Telnet for security
  • Implement strong passwords or local user accounts
  • Apply access-class restrictions
  • Set appropriate session timeouts
  • Monitor VTY line usage

Verification Commands

Use these commands to verify VTY configuration:

Router# show line vty
Router# show running-config | section line vty
Router# show users
Router# show ssh
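
The Best Practices list above is easy to turn into an automated check. The following added example (not part of the original page) parses the text that `show running-config | section line vty` returns and reports each VTY block that deviates from those practices: Telnet still permitted, no access-class, no exec-timeout (or a timeout of 0 0, which disables idle logout), or a line password with plain `login` instead of `login local`. The sample configuration is constructed for this example, not captured from a real device; `parse_vty_blocks` and `audit_vty` are names chosen here.

```python
# Constructed sample output, modelled on the page's configuration.
SAMPLE_CONFIG = """\
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 password cisco
 login
 transport input all
"""

def parse_vty_blocks(config: str) -> dict:
    """Group the indented lines that follow each 'line vty X Y' header."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
    return blocks

def audit_vty(config: str) -> dict:
    """Return {vty block: [findings]}; an empty list means the block passes."""
    findings = {}
    for name, lines in parse_vty_blocks(config).items():
        issues = []

        # 1. Transport: only SSH should be accepted.
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if transport is None:
            issues.append("no transport input set; IOS default may permit Telnet")
        elif any(p in ("all", "telnet") for p in transport.split()[2:]):
            issues.append("Telnet permitted: " + transport)

        # 2. Source restriction via access-class.
        if not any(l.startswith("access-class") for l in lines):
            issues.append("no access-class applied")

        # 3. Idle timeout: absent (default 10 min) or explicitly disabled.
        timeout = next((l for l in lines if l.startswith("exec-timeout")), None)
        if timeout is None:
            issues.append("exec-timeout not set (IOS default is 10 minutes)")
        elif timeout.split()[1:3] == ["0", "0"]:
            issues.append("exec-timeout 0 0 disables idle logout")

        # 4. Authentication: shared line password vs. local user accounts.
        if "login" in lines:
            issues.append("shared line password ('login'); prefer 'login local'")

        findings[name] = issues
    return findings

if __name__ == "__main__":
    for block, issues in audit_vty(SAMPLE_CONFIG).items():
        print(block, "->", "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Running it against the sample reports `line vty 0 4` as clean and lists four findings for `line vty 5 15`, which matches the troubleshooting point that VTY lines beyond 0-4 are easy to forget on switches with 16 lines.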