Sometimes when you edit the config on your router you just want a little privacy. So how do you kick off the other users safely and politely whilst protecting and securing your own access? Here are few ideas and walk-throughs for some basic VTY access and administration tasks.

First things first - how can we check who is logged in? In my old *nix days I had the 'who' command, and IOS uses that same syntax. The who command (like write mem) has its "New Skool" partner 'show users', and I'll use that here.

Now hopefully no-one else has logged into my router as the general-use 'network' account. Using shared accounts is bad management and makes security and audit tracing a headache... oh dear, it's not looking good ;-)

ATP-OFFICE-VG0#sh users
    Line       User       Host(s)              Idle       Location
* 67 vty 0     network    idle                 00:00:00 192.168.1.10
  68 vty 1     network    idle                 00:00:35 192.168.1.10
  69 vty 2     network    idle                 00:00:39 192.168.1.10

  Interface    User               Mode         Idle     Peer Address

Damn, there are a few people logged in! Which one am I? By the way, if you don't have working DNS or can't resolve these host names, the show users command can take a long time to render. Use the 'no ip domain-lookup' global configuration command to speed things up.

OK, so if I look at the far right I see the location (source address) of those users... that'll give me an idea. Hopefully not everyone just hopped onto this central admin box at 192.168.1.10 that I'm on as a stepping stone...

ATP-OFFICE-VG0#sh users
    Line       User       Host(s)              Idle       Location
* 67 vty 0     network    idle                 00:00:00 192.168.1.10
  68 vty 1     network    idle                 00:00:35 192.168.1.10
  69 vty 2     network    idle                 00:00:39 192.168.1.10

  Interface    User               Mode         Idle     Peer Address

Damn!

OK, so maybe I just look at the far left? If I see the '*' symbol then that's me... OK, I'm connected to line 67 then. Now I can kill off the other users... how do you do that?


ATP-OFFICE-VG0#disconnect ?
  <0-0>  The number of an active network connection
  WORD   The name of an active network connection
  qdm    Disconnect QDM web-based clients
  ssh    Disconnect an active SSH connection
  <cr>


Nope not that...

ATP-OFFICE-VG0#clear line ?
  <0-71>       Line number
  async-queue  Clear queued rotary async lines
  aux          Auxiliary line
  console      Primary terminal line
  tty          Terminal controller
  vty          Virtual terminal
  x/y          Slot/Port for Modems
  x/y/z        Slot/Subslot/Port for Modems


Ah yes - clear line... but what's my line number and what are the other line numbers? Let's take a look at the 'show users' output. On the far left it gives us our line numbers; I was 67.


So now we know which VTY we are, we can get right on and kill off the other connections... but maybe first we can ask them to log out before we force them out. We can do this using the send command. We can send a text message to an individual line (vty, tty, console) or to all users using the '*' wildcard.

ATP-OFFICE-VG0#send *                                              
Enter message, end with CTRL/Z; abort with CTRL/C:
Please disconnect your session - I've got stuff to do
^Z
Send message? [confirm]

The connected users will see this message, which includes the source line number (tty67 here).

***
***
*** Message from tty67 to all terminals:
***
Please disconnect your session - I've got stuff to do

I waited for a few seconds and they didn't disconnect immediately, so let's just crack on... some of us have work to do. Let's force them off...


ATP-OFFICE-VG0#clear line 68
[confirm]
 [OK]
ATP-OFFICE-VG0#clear line 69
[confirm]
 [OK]

Now let's confirm we're on our own...

ATP-OFFICE-VG0#show users
    Line       User       Host(s)              Idle       Location
* 67 vty 0     network    idle                 00:00:00 192.168.1.10

  Interface    User               Mode         Idle     Peer Address


Great news. So that's that - job done. It was a little convoluted perhaps but hopefully you got some good information there.
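The check-then-clear sequence above (show users, find your own line, warn the rest, clear the others) is easy to get wrong by hand when there are more than a couple of sessions, so here it is as a small script. This is an added example written for this page in Python, not code from the post: it parses 'show users' text, refuses to proceed unless it can find the line marked '*' (so your own session is never cleared), groups sessions by source address to show who is coming through a shared jump host, and emits the clear line commands for everyone else. The sample output is constructed from the post's capture, not taken from a live device.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of 'show users' output, modelled on the post's capture
# (not taken from a live device).
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
* 67 vty 0     network    idle                 00:00:00 192.168.1.10
  68 vty 1     network    idle                 00:00:35 192.168.1.10
  69 vty 2     network    idle                 00:00:39 192.168.1.10

  Interface    User               Mode         Idle     Peer Address
"""

# One session row: optional '*' marks our own line, then the absolute line
# number, line type and index, user, host(s), idle time and optional location.
ROW_RE = re.compile(
    r"^(?P<me>\*)?\s*(?P<num>\d+)\s+(?P<kind>\w+)\s+(?P<idx>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<idle>\S+)(?:\s+(?P<loc>\S+))?\s*$"
)


class Session(NamedTuple):
    line: int               # absolute line number, the value 'clear line' takes
    kind: str               # vty, con, aux, tty
    user: str
    idle: str
    location: Optional[str]  # None for a local console session
    is_me: bool


def parse_show_users(text: str) -> List[Session]:
    """Turn 'show users' text into Session records; header and interface rows are skipped."""
    sessions = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw)
        if not m:
            continue
        sessions.append(Session(
            line=int(m.group("num")),
            kind=m.group("kind"),
            user=m.group("user"),
            idle=m.group("idle"),
            location=m.group("loc"),
            is_me=m.group("me") is not None,
        ))
    return sessions


def my_line(sessions: List[Session]) -> int:
    """Return the line marked '*'. Refuse to guess if it is missing or ambiguous."""
    mine = [s.line for s in sessions if s.is_me]
    if len(mine) != 1:
        raise ValueError("could not identify own line from 'show users' output")
    return mine[0]


def sessions_by_location(sessions: List[Session]) -> Dict[str, List[int]]:
    """Group line numbers by source address, to spot everyone piling through one jump host."""
    groups: Dict[str, List[int]] = {}
    for s in sessions:
        groups.setdefault(s.location or "<local>", []).append(s.line)
    return groups


def plan_clear_commands(sessions: List[Session]) -> List[str]:
    """Build the 'clear line N' commands for every session except our own, lowest line first."""
    own = my_line(sessions)
    return [f"clear line {s.line}" for s in sorted(sessions) if s.line != own]


if __name__ == "__main__":
    found = parse_show_users(SAMPLE_SHOW_USERS)
    print("my line:", my_line(found))
    print("sessions by source:", sessions_by_location(found))
    print("\n".join(plan_clear_commands(found)))
```

The send step stays interactive on the CLI (the message text is entered after the prompt), so the script only plans the clear commands; review the list against the source grouping before pasting it, since a block of sessions from one address is usually colleagues on the same admin box rather than strays.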

One other little tip/trick when it comes to VTY ports and seeing which one you are on is enabling the 'linenumber' service. Using this command under global configuration mode will display your connected VTY port on login - it even works for the local console.


ATP-OFFICE-VG0(config)#service linenumber 


Here is a display showing this output when you login to a router with the service running:


localhost:~ mad$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
ATP-OFFICE-VG0 line 67

User Access Verification


Well this is all good and now you have access.

What if you wanted sole access or at least to be fairly confident no-one outside of your circle of trust was going to get into the router and start making changes? We've got access lists of course and that's always a decent option if you want to lock out a whole bunch of your admin staff. What I like to do however is afford myself a back door for emergency and important work. By having a back door I can quietly close the front door and be sure I'll be OK.


So here is something I do on all my devices. Firstly I need a general access VTY pool for the rest of my network teams to use. Now there are 5 VTY ports normally configured on an IOS device running from vty 0 to 4. What if we configured a new vty port of 5 and created a new access-list just for that port. This way I could be assured that even if the first 5 vty ports were used I'd still be able to get in on vty 5. Sound good?

Here is the basic configuration. I'll create a local user and authenticate my telnet access on vty 0 through 4 using a local user. Notice I also restricted remote input access to telnet only where the default is 'all'. I further lock down the router by disallowing anyone using this router as a stepping stone to other devices by setting the output transport to none.

line vty 0 4
 login local
 transport input telnet
 transport output none

So right now anyone who has knowledge of the username and password I have created can scoot along to port 23 (telnet) on this router and bam - they're in. Let's make things a little more secure with an access-list to restrict who exactly can access the device.

ATP-OFFICE-VG0(config)#ip access-list standard VTY_ACCESS
ATP-OFFICE-VG0(config-std-nacl)#permit host 192.168.1.10
ATP-OFFICE-VG0(config-std-nacl)#exit
ATP-OFFICE-VG0(config)#line vty 0 4
ATP-OFFICE-VG0(config-line)#access-class VTY_ACCESS in

Right, so we've got a named standard access list permitting access only from host 192.168.1.10 to the telnet port on the router (well, I used a standard ACL, so strictly speaking it has access to any and all ports, but let's not quibble).

OK, this looks a lot more secure now, but there is one final twist here. I wanted a VTY 5 port which I alone have access to. But you know something else - I actually don't want to make life difficult by creating a whole new username and by requiring a whole new access-list for me... that's just far too much to remember. Actually it also flies in the face of the KISS mantra of Keep It Simple Stupid.

So here is one final 'trick'. Use the rotary command. This command will allow us to set a higher port on the router for the telnet application. Using the rotary command allows us to set a specific 'listen port' which only I will know - I'll keep it for emergency access.

Here's the config. First we'll create the sixth vty line, vty 5. Then we'll add the same access list and username configuration. Finally we'll add the rotary command to enable this 'high port' telnet access.

ATP-OFFICE-VG0(config)#line vty 5
ATP-OFFICE-VG0(config-line)#access-class VTY_ACCESS in
ATP-OFFICE-VG0(config-line)#login local
ATP-OFFICE-VG0(config-line)#rotary 125

The rotary command ranges from 0 to 127 and allows us to light up a TCP telnet port between 3000 and 3127...see the match? I chose 125 so my high port telnet is running on TCP port 3125.
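To make the vty hardening from the last few sections checkable rather than a thing you eyeball in a running-config, here is a small audit script. It is an added example written for this page in Python, not the post's own code: it splits a config fragment into 'line ...' blocks, flags any vty block that lacks an inbound access-class, lacks login local, or leaves transport input unset (the post notes the default is 'all') or set to all, and maps each rotary group to its TCP port using the 3000 + n rule described above, rejecting groups outside 0-127. The two config fragments are constructed from the post's examples: the vty 0-4 block as it stood before the access-class, and the finished layout with the rotary line.

```python
from typing import Dict, List, Optional

ROTARY_BASE_PORT = 3000  # IOS maps 'rotary n' (n in 0-127) to telnet on TCP 3000+n

# Constructed config fragments modelled on the post (not pulled from a device).
WEAK_CONFIG = """\
line vty 0 4
 login local
 transport input telnet
 transport output none
"""

HARDENED_CONFIG = """\
line vty 0 4
 access-class VTY_ACCESS in
 login local
 transport input telnet
 transport output none
line vty 5
 access-class VTY_ACCESS in
 login local
 rotary 125
"""


def rotary_port(group: int) -> int:
    """TCP port a rotary group listens on; rejects values outside the 0-127 range IOS accepts."""
    if not 0 <= group <= 127:
        raise ValueError(f"rotary group {group} is outside 0-127")
    return ROTARY_BASE_PORT + group


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Split a config fragment into top-level 'line ...' entries and their indented commands."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit_vty(config: str) -> Dict[str, List[str]]:
    """Return, per vty block, the controls from the post that are missing or weak."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        issues: List[str] = []
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            issues.append("no inbound access-class: any source address may reach this line")
        if "login local" not in cmds:
            issues.append("login local not set: line does not authenticate against local users")
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport:
            issues.append("transport input not set: the post notes the default is all")
        elif transport[0].endswith(" all"):
            issues.append("transport input all: every inbound protocol is accepted")
        for c in cmds:
            if c.startswith("rotary "):
                try:
                    rotary_port(int(c.split()[1]))
                except ValueError:
                    issues.append(f"{c}: rotary group must be 0-127")
        findings[name] = issues
    return findings


def rotary_listeners(config: str) -> Dict[str, int]:
    """Map each vty block carrying a valid rotary command to the TCP port it opens."""
    ports: Dict[str, int] = {}
    for name, cmds in parse_line_blocks(config).items():
        for c in cmds:
            if c.startswith("rotary "):
                try:
                    ports[name] = rotary_port(int(c.split()[1]))
                except ValueError:
                    pass
    return ports


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg), rotary_listeners(cfg))
```

On the hardened fragment the audit passes vty 0-4 cleanly and reports only that vty 5 has no transport input line, which is exactly the gap the post later says it leaves open on purpose so SSH works there; it also reports the rotary listener on TCP 3125. The check accepts 'transport input telnet' because that is what the post configures, but telnet carries credentials in the clear, so when the device supports it an SSH-only transport input is the stronger setting to require.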

Let's check that out:

localhost:~ mad$ telnet 192.168.1.1 3125
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
ATP-OFFICE-VG0 line 72

User Access Verification

Username:

OK, this is great. Now I have this set up I can get access to the router even when all the other VTYs on the standard telnet port 23 are used up! I also leave the transport input and output commands off this line's config so I can use SSH to and from this device - nice. Now I should come clean and explain that I do actually also use a different ACL and username to make this rotary VTY extra specially mine only.

Good luck in your studies.
© 2011 defaultrouteuk.com

Cisco, IOS, CCNA, CCNP, CCIE are trademarks of Cisco Systems Inc.
JunOS, JNCIA, JNCIP, JNCIE are registered trademark of Juniper Networks Inc.