How to Secure VTY access to the Router
Cisco routers support remote management. For this feature, they use virtual terminal (VTY) emulation. When you access a router remotely, it associates the remote connection to a virtual terminal (VTY). You use the assigned virtual terminal to execute commands. Routers support multiple remote connections simultaneously. To keep each connection separate, routers assign a unique number to each connection. These numbers are known as VTY line numbers. VTY line numbers start from 0.
Telnet and SSH
Telnet and SSH are the most common protocols for remote management. Both protocols have two parts: a server and a client. The server runs on the system you want to manage remotely, and the client runs on the system from which you connect. Cisco routers ship with both protocols available, and you can use either one to reach the virtual terminal. Because remote management poses a security risk, the router keeps remote logins disabled by default. If you want to use these protocols, you must enable them manually.
Once enabled, you can use any active IP address on the router to access the virtual terminal. For example, on a router, three interfaces are enabled. You can use the IP address of any of these interfaces to access the virtual terminal. If you want to secure virtual terminals or restrict access to only particular IP addresses, you can use access lists. An access list lets you define the IP addresses you want to allow to access virtual terminals. There are two types of access lists: standard and extended. To secure virtual terminals, you can use either type of access list.

Usually, administrators use a standard access list for this. A standard access list provides the following advantages over an extended access list.
- You can apply a standard ACL directly to the VTY lines. You cannot apply an extended ACL directly to the VTY lines; to protect the VTY lines with extended ACLs, you must apply one on every interface through which a user can reach the VTY lines.
- A standard ACL requires less configuration. A standard ACL statement needs only the source address of the host.
- To secure the VTY lines, you create a standard ACL that permits only the IP addresses you want to allow and apply it to the VTY lines you wish to protect. Once applied, the router permits only those IP addresses to reach the VTY lines.
- With extended ACLs applied on interfaces, the router must examine every incoming packet on those interfaces just to decide whether it is destined for the VTY lines, which adds overhead to all traffic.
For the reasons listed above, administrators typically use standard ACLs to secure VTY lines. The following section explains how to configure and implement a standard ACL to secure VTY lines using a Packet Tracer example.
Packet Tracer Example
Create a network topology as shown in the following image, or download the pre-created LAB and load it into Packet Tracer.
Packet Tracer Lab with Initial Configuration

This network contains three sections. All sections can access each other. To verify it, you can test connectivity between them using the ping command.

Objectives:-
Suppose you want to enable virtual terminals for the Manager section. Currently, there is only one PC in the Manager section. The IP address of the PC is 192.168.2.10/24.
Enabling Telnet
Before you access virtual terminals, you must enable a remote management protocol. No matter which protocol you enable for virtual terminals, access lists work the same way for all protocols. Telnet is simple, but it lacks security features. It sends the username and password in clear text. SSH is complex, but it offers many security features. It encrypts all communications. In a lab environment, you can use Telnet. But in a production environment, you should always use SSH. By default, a router supports five Telnet sessions. The following commands enable all sessions and set the password 'telnet' for all sessions.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password telnet
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit
Router#
Telnet uses the password to authenticate the user. It does not authenticate the client system. Any user who knows the correct password can log in from any client system. In this example, if a user from the Sales section knows the password, he can also access the virtual terminal using the Telnet client program. To verify this, open the Telnet client program on PC2.

Specify one IP address from the router's active IP addresses. There are three active IP addresses on the router. These addresses are 192.168.1.1/24, 192.168.2.1/24, and 192.168.3.1/24. Use any one IP address from these IP addresses and click the Connect button.

The Telnet client program connects to the Telnet server program and opens a new remote connection. The Telnet server program presents a login prompt for authentication. Enter the password that you configured with the password command while enabling Telnet sessions. If the specified password is correct, you get a virtual terminal. The virtual terminal places you in enable mode.

The following link provides the Telnet-enabled Packet Tracer lab for this example.
Packet Tracer Lab with Telnet Configuration
Suppose you do not want to allow the Sales and Server sections to access the virtual terminals. You want to permit only the Manager section to access the virtual terminals. For this, you must create and apply an access list on the router that allows only the Manager section to access virtual terminals.
Creating and applying an access list to secure VTY lines
To create and apply a standard access list to secure VTY lines, run the following commands on the router.
Router>
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 10 permit host 192.168.2.10
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Router(config-line)#exit
Router(config)#
The first two commands enter global configuration mode. The following command creates a standard access list.
access-list 10 permit host 192.168.2.10
access-list:- This command creates an access list.
10:- This number defines the type of the access list and groups all statements that belong to it. For a standard access list, you can use any number in the ranges 1-99 and 1300-1999. To create a new access list, use an unused number from these ranges. To append a statement to an existing list, use that list's number.
permit:- This is the action you want to perform when the criteria defined next to it match.
host 192.168.2.10:- This parameter defines the IP address or range of IP addresses to match. The host keyword matches a single address. The Manager section in this network has only one host, so this statement matches just that host. If you want to match a range of IP addresses, specify a network address with a wildcard mask instead.
An access list does nothing until you apply it. Routers associate each remote connection with a virtual line. In other words, you access a virtual terminal through a virtual line. You can use a standard ACL directly on the virtual lines. You can apply a standard access list to a single virtual line or all virtual lines. This example applies the access list to all virtual lines. Enter line configuration mode.
line vty 0 4
Use the following command to apply the access list.
access-class 10 in
It requires only two arguments: the number or name of the ACL you want to apply, and the direction in which to apply it. This command applies ACL number 10 in the inbound direction, so the router checks the source address of every incoming remote connection against the list, whichever router interface address the connection targets.
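To make the matching rules concrete, the following Python model is an added example (not part of the tutorial) that evaluates a standard ACL the way the router does for an inbound access-class: first matching statement wins, the host keyword means a wildcard of 0.0.0.0, and a list without a match ends in an implicit deny. The class and function names are assumptions for this illustration; ACL 20 goes beyond the tutorial by permitting the whole Manager subnet with a wildcard mask.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the tutorial): a model of a Cisco standard ACL
# applied to VTY lines with "access-class <number> in". Class and function
# names are assumptions made for this illustration.

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    address: str                # base address, e.g. "192.168.2.10"
    wildcard: str = "0.0.0.0"   # "host X" is shorthand for wildcard 0.0.0.0

    def matches(self, src: str) -> bool:
        # Cisco wildcard semantics: a 1 bit means "ignore this bit".
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        s = int(ipaddress.IPv4Address(src))
        care = ~w & 0xFFFFFFFF          # bits that must be equal
        return (a & care) == (s & care)


class StandardAcl:
    def __init__(self, number: int, entries):
        # Standard ACLs use numbers 1-99 and 1300-1999 (as the tutorial states).
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        self.number = number
        self.entries = list(entries)

    def decide(self, src: str) -> str:
        # Statements are checked in order; the first match decides.
        for ace in self.entries:
            if ace.matches(src):
                return ace.action
        return "deny"               # implicit deny at the end of every ACL


def vty_access_allowed(acl: StandardAcl, src: str) -> bool:
    """access-class <acl> in: only the source of the Telnet/SSH connection is
    checked, regardless of which router interface address it connects to."""
    return acl.decide(src) == "permit"


# The ACL from the tutorial: access-list 10 permit host 192.168.2.10
ACL_10 = StandardAcl(10, [Ace("permit", "192.168.2.10")])
# Constructed variant permitting the whole Manager subnet 192.168.2.0/24:
# access-list 20 permit 192.168.2.0 0.0.0.255
ACL_20 = StandardAcl(20, [Ace("permit", "192.168.2.0", "0.0.0.255")])

if __name__ == "__main__":
    for host in ("192.168.2.10", "192.168.2.11", "192.168.1.10", "192.168.3.10"):
        print(host, ACL_10.decide(host), ACL_20.decide(host))
```

Running it shows that ACL 10 permits only 192.168.2.10 (Laptop0) while PC2 in the Sales section and the Server section hosts fall through to the implicit deny.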
Verifying the ACL implementation
To verify the ACL implementation, try to access the virtual terminal from PC2 again. This time, the router does not let you in.

Now, access a virtual terminal from Laptop0. The router lets you in, which confirms that the ACL works as intended.

You can also perform more tests from Server0, PC0, and PC1. The router will not allow remote connections from these systems.
The ACL blocks only unauthorized remote access to the router; it does not affect connectivity between the sections. To verify this, test connectivity between the sections with the ping command.

The following link provides the configured Packet Tracer lab for the above example.
Packet Tracer Lab with ACL Configuration
This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:
Chapter 01 Definition, purposes, benefits, and functions of ACL
Chapter 02 Basic concepts and fundamentals of ACLs
Chapter 03 How Access Lists work on Cisco routers
Chapter 04 Types of access control lists explained
Chapter 05 Wildcard Masks in ACLs Explained
Chapter 06 Rules and configuration guidelines for Cisco ACLs
Chapter 07 Access Control List Explained with Examples
Chapter 08 The ip access-list command options and arguments
Chapter 09 Standard ACL Configuration Commands Explained
Chapter 10 Configure Standard Access Control List Step-by-Step Guide
Chapter 11 How to secure VTY access to the Router
Chapter 12 Extended ACL Configuration Commands Explained
Chapter 13 Configure Extended Access Control List Step-by-Step Guide
Chapter 14 How to block ICMP Ping on Cisco Routers
Conclusion
Securing VTY access to a router is essential for protecting network resources from unauthorized access. By employing standard access control lists (ACLs) and enabling remote management protocols such as Telnet or SSH, you can ensure that only authorized users can access your router's virtual terminals.
By ComputerNetworkingNotes Updated on 2025-11-08