Remote management is a fundamental requirement for network administrators. This guide covers the configuration of VTY lines to support remote access via Telnet and SSH, and why SSH is the modern standard.
Telnet vs. SSH
- Telnet (Port 23): Transmits all data, including passwords, in cleartext. Highly insecure and should be avoided in production.
- SSH (Port 22): Secure Shell provides strong encryption for both authentication and data transfer.
Configuring VTY Lines
Virtual Teletype (VTY) lines are used for inbound logical connections to a device. Cisco routers and switches typically support 5 to 16 concurrent VTY sessions.
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh telnet
Router(config-line)# exit
SSH Prerequisites & RSA Keys
Before SSH can be enabled, the device needs several cryptographic prerequisites in place. The most critical is an RSA key pair (Rivest–Shamir–Adleman), which the device's SSH server uses to identify itself to connecting clients. RSA is an asymmetric algorithm: data encrypted with the public key can only be decrypted with the corresponding private key.
- Hostname: The device cannot use the default 'Router' or 'Switch' name.
- Domain Name: Required to generate the RSA key pair.
- RSA Keys: A modulus of at least 2048 bits is recommended for modern security.
- Local User Database: SSH requires a username and password; with 'login local' on the VTY lines, logins are checked against the usernames configured on the device, so at least one must exist before the lines are locked to SSH.
Router(config)# hostname R1
R1(config)# ip domain-name lab.local
R1(config)# crypto key generate rsa modulus 2048
R1(config)# username admin privilege 15 secret C1sc0123
R1(config)# ip ssh version 2
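To check that a device's running-config actually meets the prerequisites above, here is an added audit script (not part of this guide or of Cisco's tooling). It parses an IOS-style configuration and flags a default hostname, a missing domain name, SSHv2 not enforced, VTY lines that still accept Telnet, and 'login local' without a local user. The sample config is constructed and its secret is a placeholder, not a real hash.

```python
import re

# Constructed sample running-config, not captured from a real device. It mirrors
# this page's commands, with 'transport input ssh telnet' and a second VTY range
# left weak so the audit has something to flag. The secret is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.local
username admin privilege 15 secret 5 $PLACEHOLDER$
ip ssh version 2
line vty 0 4
 login local
 transport input ssh telnet
line vty 5 15
 login
 transport input all
"""

def vty_blocks(lines):
    """Yield (header, [child commands]) for each 'line vty' stanza in the config."""
    header, body = None, []
    for raw in lines + ["!"]:               # sentinel flushes the final stanza
        if raw.startswith(" ") and header:
            body.append(raw.strip())        # indented line belongs to current stanza
        else:
            if header:
                yield header, body
            header, body = (raw, []) if raw.startswith("line vty") else (None, [])

def audit_vty_config(config: str) -> list[str]:
    """Return a list of findings for SSH/VTY weaknesses in an IOS-style config."""
    lines = config.splitlines()
    findings = []
    hostname = next((l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), None)
    if hostname in (None, "Router", "Switch"):
        findings.append("hostname is missing or default; RSA key generation will be refused")
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("no ip domain-name; RSA key pair cannot be generated")
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not set; SSHv1 may be negotiated")
    has_local_user = any(l.startswith("username ") for l in lines)
    for header, body in vty_blocks(lines):
        transport = next((b.split()[2:] for b in body if b.startswith("transport input")), None)
        if transport is None or "all" in transport or "telnet" in transport:
            findings.append(f"{header}: transport input permits cleartext Telnet")
        if "login local" in body and not has_local_user:
            findings.append(f"{header}: login local but no local username defined")
        elif "login local" not in body:
            findings.append(f"{header}: not authenticating against the local user database")
    return findings

if __name__ == "__main__":
    for finding in audit_vty_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports three findings: Telnet allowed on both VTY ranges and no 'login local' on lines 5 through 15; tightening 'transport input' to 'ssh' and using 'login local' everywhere clears them.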