Cisco IOS Telnet Server and Client

This topic is to discuss the following lesson:

Please translate the following sentence:

“Telnet is not secure, so better not to use it…”

Hi Valli,

Just removed this, this was a bit of my draft (in Dutch 🙂)

Rene

I think it is better to create the credentials (user and password) before typing the command login local, because in case of problems (if you lose control), the equipment will ask you for an account that you have not created yet.
Am I right?

Hello Hugues

Yes, if you type the command login local and log out without creating any credentials, then you will not be able to log back in.

Laz

Hi Laz, first I would like to thank you for your quick response. Just to be specific, I was working on CCNA Routing & Switching ICND1 100-105, Unit 7 Network Management, subtitle Telnet Server and Client. Here is what I found on Packet Tracer 7.1:

R2#telnet 192.168.12.1 ?
  <0-65535>  Port number
  <cr>

As you see here, I do not have the option to add a source address as explained in the lecture note after the command telnet 192.168.12.1 /source interface…

Hello Mintesinot

I tried it out myself and I confirm your findings. Unfortunately Packet Tracer does not include the whole list of available commands that exist on a real IOS device. This is one of those cases where it only includes a subset. However, keep in mind that for the specific exams (ICND1, ICND2, CCNA) the commands included in Packet Tracer are sufficient for your studies. The source interface command that Rene mentions in the lesson is useful to understand the concepts described, but it will not be necessary for the exams themselves.

I hope this has been helpful!

Laz

Difference between TACACS server, RADIUS server and RADIUS/TACACS client.
I am trying to understand the basic difference between TACACS client and TACACS server, RADIUS client and RADIUS server, and ISE.

Since TACACS+ is Cisco proprietary, can we only configure a centralized server on Cisco ACS or Cisco ISE acting as the TACACS server, while a Windows 2012 server acts as a centralized RADIUS server? And do network access devices such as Cisco switches act as either TACACS clients or RADIUS clients, with a source interface VLAN on the switch that carries the RADIUS or TACACS traffic towards the centralized servers?

In a shared authentication model, is your Windows PC or Macintosh laptop a supplicant while your Cisco switch is the authenticator, which authenticates using the credentials of the local directory on ISE or LDAP on the Microsoft AD server?

Is authentication done locally at the Cisco switch with the response of the RADIUS server from Microsoft AD or TACACS+ on Cisco ISE, or is it done entirely at the end devices through a secured tunnel? I am not getting deeper into authentication protocols like EAP-FAST or PEAP. I just want to understand the device roles, as in where the authentication process happens between the three nodes, starting with the host supplicants, the authenticator (network switch) and the back-end authentication device like ISE or Microsoft AD LDAP.

Hello Harshi

I just responded to this post here:

I hope this has been helpful!

Laz


Hi dear team!!

On this lesson you said this “If you use telnet, it’s best to use an access-list to restrict what devices are allowed to connect.”

Even though we do this…, an attacker can also try to change his IP to access the server… What else can we do to protect the telnet server and our network?

Hello Vanilson

There are several things you can do to make your Telnet connection even more secure. Other than the access list, you can apply the following:

  • Password protection and password policies - Use a password on the console and vty lines and set up your password policy so it only allows three failed attempts before locking you out for a period of time.
  • Use Management Plane Protection (MPP) (take a look at the lesson for more info) to restrict the interfaces via which the device permits packets from protocols such as Telnet.
  • Use Control Plane Policing (CoPP) (see lesson) to ensure that the control plane of a device will not get so overwhelmed in a potential attack that Telnet traffic (and any management traffic) will not get processed correctly.

In addition to all of this, if you want to protect your communication session so that intercepted packets cannot be deciphered, it is preferable to use SSH as your management protocol.

I hope this has been helpful!

Laz
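As an added example (not configuration from the lesson or from Rene or Laz; hostnames, addresses, interface names and the password placeholders are constructed), here is the server-side hardening Laz lists above applied to the vty lines in one place, in the order Hugues asked about earlier in the thread: the local user is created before `login local` is enabled, then the login policy, the access-class, SSH and Management Plane Protection are added. The second part shows the client-side `/source-interface` option that Mintesinot could not find in Packet Tracer, so that the session's source address is the one the ACL permits.

```cisco
! --- Server side (R2): constructed example, not the lesson's configuration ---
hostname R2
!
! 1. Create local credentials BEFORE 'login local' is applied to any line,
!    otherwise the next login prompt asks for an account that does not exist.
username admin privilege 15 secret ChangeMe-StrongSecret
enable secret ChangeMe-EnableSecret
!
! 2. Login policy: after 3 failed attempts within 60 s, block logins for 120 s
!    and log every failure so the attempts show up in syslog.
login block-for 120 attempts 3 within 60
login on-failure log
!
! 3. Standard ACL applied with access-class: only these sources may open a vty
!    session; everything else is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit 192.168.12.1
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! 4. Prefer SSH over Telnet so intercepted packets cannot be read.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 login local
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh
!
! 5. Management Plane Protection: management traffic (here only SSH) is accepted
!    on GigabitEthernet0/0 and dropped on every other interface.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! --- Client side (R1): source the session from Loopback0 so it matches the ACL ---
hostname R1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Global default for all outgoing Telnet sessions from this device:
ip telnet source-interface Loopback0
!
! Or per session, from exec mode (this is the option Packet Tracer does not offer):
! R1# telnet 192.168.12.2 /source-interface Loopback0
```

While Telnet is still needed during the migration, `transport input telnet ssh` keeps both protocols on the lines; once every operator is on SSH, drop the `telnet` keyword as shown so the ACL, login policy and MPP protect a single encrypted management path.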


Hi Rene,
If we set a VRF named mgmt on the switch,
how can I set an ACL on line vty?

Hello Eric

If you have VRFs configured on your device, then for you to access the VTY management interface from a particular VRF (other than the default one) you must apply the following command:

Router(config-line)# access-class 1 in vrf-also

By default incoming Telnet/SSH connections from interfaces that are part of a VRF instance are rejected. The vrf-also keyword must be applied so that incoming connections from interfaces on other VRFs will be accepted.

Starting from IOS XE 16.8.1 VRF awareness has been added to the access class line feature using the vrfname keyword. Specifically, you can do the following:

Device(config)# line vty 0 4
Device(config-line)# ipv6 access-class acl-name in vrfname vfrA

Note that you cannot use both VRF awareness and vrf-also on the same VTY line, as they are mutually exclusive commands.

More information about VRF awareness can be found at this Cisco documentation:

I hope this has been helpful!

Laz
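Putting Laz's answer into a complete configuration, as an added example that is not from the lesson or from Laz (the VRF name MGMT, the addresses and the interface name are constructed): the management interface sits in a non-default VRF, so the `access-class` on the vty lines needs the `vrf-also` keyword, otherwise sessions arriving through that interface are rejected before the ACL is even evaluated.

```cisco
! Constructed example: management VRF with an ACL-protected vty (classic IOS syntax)
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
! Out-of-band management interface placed in the MGMT VRF
interface GigabitEthernet0/0
 description OOB management
 vrf forwarding MGMT
 ip address 192.168.100.1 255.255.255.0
!
! Only the management subnet may open a vty session; log everything else
ip access-list standard MGMT-HOSTS
 permit 192.168.100.0 0.0.0.255
 deny   any log
!
username admin privilege 15 secret ChangeMe-StrongSecret
!
line vty 0 4
 login local
 transport input ssh
 ! 'vrf-also' is required: without it, connections that enter via an
 ! interface in any VRF are refused, regardless of what the ACL permits.
 access-class MGMT-HOSTS in vrf-also
```

On IOS XE 16.8.1 and later, the `vrfname` form shown in the reply above ties the access-class to one named VRF instead of all of them; as the reply notes, pick one of the two forms for a given vty line, since `vrfname` and `vrf-also` cannot be combined.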