Adam Spera

Console, VTY, AUX, SSH, & SCP

The console line is the physical access method via the device’s console port. There is only one console line (line console 0).

line console 0
password cisco
login
  • The login command tells the router to prompt for the password configured with password.
  • If login is not specified, no authentication will be enforced on console access.
username admin password cisco
line console 0
login local
  • login local uses credentials from locally configured users.
  • Users must enter both a username and password to gain access.

VTY lines are virtual teletype lines used for remote access.

  • VTY line numbers typically range from 0 to 15.
  • This means up to 16 users can connect simultaneously.
line vty 0 15
login local
transport input { any | ssh | telnet | none }
exec-timeout {minutes} {seconds}
absolute-timeout {minutes}
logout-warning {seconds}
  • login local - users will need to sign in with a locally configured user
  • transport input <> - defines which protocols are allowed to connect on those lines
  • exec-timeout <> <> - defines how long to wait before disconnecting an inactive session
  • absolute-timeout <> - defines how long a session may last before the line is forcibly closed, regardless of activity
  • logout-warning <> - defines how many seconds before that forced logout a warning is issued

Access through the auxiliary port via a cable modem is a legacy use case and technology, and the port should be disabled for access.

line aux 0
no exec

hostname R1
ip domain-name adamspera.dev
crypto key generate rsa modulus 2048
ip ssh version 2
username admin password cisco
line vty 0 15
login local
transport input ssh
  • transport input ssh allows only SSH on the VTY lines (Telnet is refused).
  • crypto key generate rsa is required before SSH can be enabled; the hostname and ip domain-name must be set first because they name the key.
  • ip ssh version 2 restricts the device to SSHv2; by default IOS accepts both version 1 and version 2.

SCP is a file transfer protocol that runs over SSH, and on IOS it requires aaa new-model.

The following configuration example shows how you can set up a network device to be an SCP server:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin secret cisco
hostname MyRouter
ip domain-name adamspera.dev
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0
transport input ssh
login authentication default
ip scp server enable

The login block-for command helps protect against brute-force login attacks.

login block-for 60 attempts 3 within 10

This means: if 3 failed login attempts occur within 10 seconds, block further logins for 60 seconds.
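As an added example (not part of this page or its author's configs), here is a small Python audit that parses a running-config and flags the weak settings discussed above: a console or VTY line without login, an AUX port with EXEC still enabled, a VTY transport other than ssh, an exec-timeout of 0 (which disables the idle timeout), a missing ip ssh version 2, and a missing login block-for. The sample config is constructed for the demo.

```python
# Constructed sample running-config (not from the page); the second VTY range is weak.
SAMPLE_CONFIG = """\
ip ssh version 2
login block-for 60 attempts 3 within 10
line con 0
 password cisco
 login
line aux 0
 no exec
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 login local
 transport input telnet ssh
 exec-timeout 0 0
"""

def parse_lines(config):  # map each 'line ...' stanza to its indented sub-commands
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:  # a global command or '!' ends the stanza
            current = None
    return stanzas

def audit(config):  # findings for the console, AUX, VTY, SSH and login block-for points
    lines, findings = config.splitlines(), []
    if "ip ssh version 2" not in lines:
        findings.append("global: SSHv1 still accepted (missing 'ip ssh version 2')")
    if not any(l.startswith("login block-for ") for l in lines):
        findings.append("global: no 'login block-for' brute-force throttle")
    for name, cmds in parse_lines(config).items():
        if name.startswith("line aux") and "no exec" not in cmds:
            findings.append(f"{name}: EXEC still enabled on the auxiliary port")
        if name.startswith(("line con", "line vty")) and not any(
                c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no 'login', so no authentication is enforced")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{name}: {transport or 'default transport'}, expected 'transport input ssh'")
            if any(c.startswith("exec-timeout") and not any(int(x) for x in c.split()[1:]) for c in cmds):
                findings.append(f"{name}: exec-timeout 0 disables the idle timeout")  # absent = 10 min default
    return findings
```

An absent exec-timeout is not flagged because the running-config omits the IOS default of 10 minutes; only an explicit zero is reported.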