Securing VTY lines on Cisco Router/Switches

It is best practice not only to control access to the VTY lines of a Cisco switch or router but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits traffic only from trusted source IP addresses or subnets.

Configure the Cisco device with a hostname and domain name

Switch (config)# hostname 3560-1
3560-1(config)# ip domain-name <DOMAIN-NAME>

Enable SSH and generate an RSA key with a modulus stronger than the default of 512 bits (SSH cannot be enabled until a key pair exists). Then configure the SSH version, time-out and authentication-retry settings.

3560-1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90

User accounts can be local, or, more securely, authenticated against RADIUS/TACACS; see the previous blog post on configuring Cisco devices to authenticate to a Windows NPS RADIUS server HERE. Alternatively, create a local user account:

3560-1(config)# username ADMIN privilege 15 secret SECRETPWD

To further secure access to the VTY lines, configure a standard ACL that permits traffic only from trusted IP addresses or subnets and logs everything else that is denied:

3560-1(config)# ip access-list standard ACL_MGMT
3560-1(config-std-nacl)# permit <TRUSTED-NETWORK> <WILDCARD-MASK> log
3560-1(config-std-nacl)# deny any log

Modify the VTY lines to use the local user account created above and to accept only SSH. Setting the input transport to SSH disables Telnet on those lines unless you explicitly add it back to the transport list.

3560-1(config)# line vty 0 4
3560-1(config-line)# login local
3560-1(config-line)# transport input ssh

Apply the previously created ACL to the VTY lines (still in line configuration mode):

3560-1(config-line)# access-class ACL_MGMT in
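Once the steps above are applied, the quickest way to confirm that every VTY line actually ended up with the intended controls is to audit the text of `show running-config`. The script below is an added example, not part of the original post or of any Cisco tool: it parses a constructed, made-up running-config into its indented blocks and reports each `line vty` block that is missing an SSH-only transport, a login method, or an access-class, and each referenced ACL that does not end with `deny any log`. The sample config, the hostname and the subnet in it are assumed values for illustration only.

```python
"""Audit a Cisco IOS running-config for the VTY hardening steps above.

Constructed example: SAMPLE_CONFIG is made up for illustration; run the same
checks over `show running-config` output captured from a real device.
"""
import re

# Constructed sample running-config (not from any real device). The second
# VTY block deliberately lacks an access-class and still allows Telnet.
SAMPLE_CONFIG = """\
hostname 3560-1
ip domain-name example.local
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 90
username ADMIN privilege 15 secret 5 $1$abcd$constructedhash
!
ip access-list standard ACL_MGMT
 permit 10.10.10.0 0.0.0.255 log
 deny   any log
!
line vty 0 4
 access-class ACL_MGMT in
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
"""


def parse_sections(config):
    """Split an IOS config into (header, [child lines]) blocks.

    Top-level commands start in column 0; indented lines belong to the
    preceding top-level command. Comment lines ('!') are skipped.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def acl_children(sections, name):
    """Return the entries of the named standard ACL, or None if absent."""
    for header, children in sections:
        if header == f"ip access-list standard {name}":
            return children
    return None


def audit_vty(config):
    """Return a list of findings; an empty list means the checklist is met."""
    sections = parse_sections(config)
    top_level = {header for header, _ in sections}
    findings = []

    if "ip ssh version 2" not in top_level:
        findings.append("global: 'ip ssh version 2' not set")

    for header, children in sections:
        if not header.startswith("line vty"):
            continue
        # Transport must be exactly 'ssh': any extra protocol (telnet) is a finding.
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input must be 'ssh' only (got {transport!r})")
        # Either a local login or an AAA login method must be configured.
        if not any(c.startswith(("login local", "login authentication")) for c in children):
            findings.append(f"{header}: no 'login local' / AAA login method")
        # An access-class must be applied and its ACL must end with 'deny any log'.
        access_class = next((c for c in children if c.startswith("access-class")), None)
        if access_class is None:
            findings.append(f"{header}: no access-class applied")
        else:
            acl_name = access_class.split()[1]
            entries = acl_children(sections, acl_name)
            if entries is None:
                findings.append(f"{header}: access-class references missing ACL {acl_name}")
            elif not entries or not re.match(r"deny\s+any\b.*\blog\b", entries[-1]):
                findings.append(f"{header}: ACL {acl_name} does not end with 'deny any log'")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it real output and it flags the lines most commonly forgotten: the higher-numbered VTY lines (5 to 15 on many platforms) that never received the `access-class` and `transport input ssh` applied to `line vty 0 4`.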

To log in to another SSH-enabled Cisco switch or router from the CLI of a Cisco device, use the command `ssh -l USERNAME IP_ADDRESS`.

If logging is enabled, the ACL log entries will show whether each connection attempt was permitted or denied, along with its source IP address.