Securing vty Access

Any vty should be configured to accept connections only over the protocols that are actually needed. You do this with the transport input command. A vty expected to receive only Telnet sessions could be configured with transport input telnet, for example, whereas a vty permitting both Telnet and SSH sessions would have transport input telnet ssh. If you want to disable the service on a vty entirely, another option is not to configure any transport input for it.

One way to reduce the exposure of open vty lines is to configure an access list on all of them. An access list applied to the vty lines restricts the router to accepting connections only from a single, specific administrative workstation. Example 5-7 shows a sample configuration of an access list applied to a vty line.
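As an added example that is not part of the book, the following Python audit parses the line vty blocks of an IOS running-config and reports, for each block, whether a cleartext-capable transport (telnet or all) is permitted and whether an inbound access-class restricts source addresses. The configuration text, hostname and ADMIN-HOSTS access list are constructed for illustration.

```python
"""Audit 'line vty' blocks in an IOS-style configuration for transport and access-class hardening."""

# Constructed sample running-config: one weak vty block and one hardened block.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
ip access-list standard ADMIN-HOSTS
 permit 10.1.1.50
!
line vty 0 4
 transport input all
 login local
!
line vty 5 15
 access-class ADMIN-HOSTS in
 transport input ssh
 login local
!
"""

def parse_line_blocks(config):
    """Return {'vty 0 4': [subcommand, ...], ...} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented subcommand of the block
        else:
            current = None                        # '!' or a top-level command ends it
    return blocks

def audit_vty(block):
    """Return a list of findings for one vty block; an empty list means hardened."""
    findings = []
    transports = [c.split()[2:] for c in block if c.startswith("transport input")]
    if not transports:
        findings.append("no 'transport input' configured; platform default applies")
    else:
        protos = set(transports[-1])              # the last statement wins in IOS
        if protos == {"none"}:
            return findings                       # remote access disabled entirely
        if "all" in protos or "telnet" in protos:
            findings.append("cleartext-capable transport: " + " ".join(sorted(protos)))
    if not any(c.startswith("access-class") and c.endswith(" in") for c in block):
        findings.append("no inbound 'access-class' restricting source addresses")
    return findings

def audit_config(config):
    """Map each vty block name to its findings."""
    return {name: audit_vty(cmds) for name, cmds in parse_line_blocks(config).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"line {name}: {'OK' if not findings else '; '.join(findings)}")
```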

