I should have written this article from the very beginning of starting this blog because it is one of the most fundamental configuration steps for managing a Cisco networking device (router, switch, firewall etc). Disabling Telnet and enabling SSH on a networking device is also a step forward in increasing security in the whole network. Encrypted communication is a must nowadays, something that most professionals didn't pay much attention to a few years ago.

There are several ways to manage a Cisco device; the ones covered here are direct console access, Telnet and SSH. There are some more management ways (depending on the device) such as HTTPS web access, management through an application etc, but the above three are the most common options. Moreover, disabling Telnet and enabling SSH is one of the best practices suggested by the official Cisco Hardening Guide for IOS devices to secure the management plane. For a more practical guide to hardening Cisco routers and switches in 10 steps have a look at our post here.

Let's see first how to disable Telnet on a Cisco IOS device, which covers both routers and switches.

Each Telnet access to the device (the same applies to SSH as well) uses one of the VTY lines (Virtual Terminal lines). Therefore, to disable Telnet you need to do this action on all the VTY lines. You need to have in mind that older IOS versions (before 12.2) had 5 VTY lines (numbered 0 to 4), whereas newer IOS versions (after 12.2) have 16 VTY lines (numbered 0 to 15).

The following configuration will disable Telnet and all other remote network access:

CiscoDevice(config)# line vty 0 15 <– configure all 16 VTY lines
CiscoDevice(config-line)# transport input none <– disable Telnet and everything else

If you do the above config, the only way to connect to the router or switch is with direct console access.

Controlled Access to Telnet

Another way to control Telnet access to routers and switches is to apply an Access Control List (ACL) on the VTY lines and allow only specific management IPs to connect. With this method you don't disable Telnet completely but you just control access to it from management stations.

CiscoDevice(config)# enable secret strongenablepass <– first configure the enable password
CiscoDevice(config)# access-list 10 permit 192.168.1.0 0.0.0.255 <– create an ACL for subnet 192.168.1.0/24
CiscoDevice(config)# line vty 0 15 <– configure all 16 VTY lines
CiscoDevice(config-line)# access-class 10 in <– allow only the subnet above to access the device via Telnet
CiscoDevice(config-line)# password strongtelnetpass <– configure the password on the Telnet lines
CiscoDevice(config-line)# login <– ask for the Telnet password

Keep in mind that Telnet still carries the password and the whole session in clear text over the network, so the ACL limits who can reach the VTY lines but does not protect the credentials of the stations that are allowed.

By enabling SSH and configuring this transport protocol on the VTY lines of the IOS device, it will automatically disable Telnet as well. First you need to generate SSH keys and then enable SSH transport on the VTY lines.

NewYork(config)# username admin password adminpass <– it's a good practice to create a local administration user (if you don't have an external AAA server); "username admin secret ..." stores a hash of the password instead of a reversible form and is the preferred variant
NewYork(config)# ip domain-name <your-domain> <– configuring the hostname and domain name is necessary for creating SSH keys (the hostname is already NewYork here)
NewYork(config)# crypto key generate rsa modulus 2048 <– create a 2048-bit SSH key pair
NewYork(config)# ip ssh version 2 <– use the more secure SSH v2 only
NewYork(config)# ip ssh time-out 60 <– self explanatory
NewYork(config)# ip ssh authentication-retries 3 <– self explanatory
NewYork(config)# line vty 0 15 <– configure all 16 VTY lines
NewYork(config-line)# transport input ssh <– enables SSH and disables Telnet on all VTY lines
NewYork(config-line)# login local <– use the local user for authentication
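As an added example (not from the original article), here is a small Python audit that parses an IOS-style running-config and reports, per VTY range, whether the lines still accept Telnet, accept SSH without "ip ssh version 2", lack an inbound access-class, or do not use local/AAA login, i.e. the checks the configuration above is meant to satisfy. The sample configuration, the function names and the treatment of a missing "transport input" as the "all" default are assumptions made for this example, not anything from the article.

```python
import re
from typing import Dict, List

# Constructed sample running-config for this example (not from the article):
# VTY 0-4 follow the hardened configuration, VTY 5-15 were left on Telnet.
SAMPLE_CONFIG = """\
hostname NewYork
ip domain-name example.invalid
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin secret 9 PLACEHOLDER-HASH
access-list 10 permit 192.168.1.0 0.0.0.255
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
line vty 5 15
 password strongtelnetpass
 login
 transport input telnet
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty X Y' range (as the string 'X Y') to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Any top-level command closes the block that was open.
            current = None
            m = VTY_RE.match(raw.strip())
            if m:
                current = raw.strip()[len("line vty "):]
                blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def has_global(config: str, command: str) -> bool:
    """True if the exact global command appears at the top level of the config."""
    return any(line.strip() == command for line in config.splitlines())


def audit_vty(config: str) -> Dict[str, List[str]]:
    """Return findings per VTY range; an empty list means the range is hardened as the article describes."""
    ssh_v2 = has_global(config, "ip ssh version 2")
    findings: Dict[str, List[str]] = {}
    for vty_range, cmds in parse_vty_blocks(config).items():
        issues: List[str] = []
        # Assumption: a missing 'transport input' is the 'all' default, which is not shown in the config.
        transport = next((c.split(None, 2)[2] for c in cmds if c.startswith("transport input ")), "all")
        if transport == "none":
            findings[vty_range] = issues  # no remote access at all on these lines
            continue
        protocols = set(transport.split())
        if "all" in protocols or "telnet" in protocols:
            issues.append("telnet accepted (transport input %s)" % transport)
        if "ssh" in protocols and not ssh_v2:
            issues.append("ssh enabled without 'ip ssh version 2'")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            issues.append("no inbound access-class on the VTY lines")
        if "login local" not in cmds and not any(c.startswith("login authentication ") for c in cmds):
            issues.append("not using local or AAA user authentication")
        findings[vty_range] = issues
    return findings


if __name__ == "__main__":
    for vty_range, issues in audit_vty(SAMPLE_CONFIG).items():
        print("line vty %s: %s" % (vty_range, "; ".join(issues) or "OK"))
```

Run against the sample, the first range reports nothing and the second reports three findings, which is exactly the situation the article warns about: hardening only "line vty 0 4" on a device that has 16 VTY lines leaves Telnet open on lines 5 to 15. Feed it the output of "show running-config" saved to a file to check real devices.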