Cisco IOS Telnet Server and Client

This topic is to discuss the following lesson:

Please translate the following sentence:

“Telnet is niet secure dus liever niet gebruiken…”

Hi Valli,

Just removed this, this was a bit of my draft (in Dutch 🙂)


I think it is better to create the credentials “user and password” before typing the command login local, because in case of problems (if you lose control), the equipment will ask you for an account that you have not created yet.
Am I right?

Hello Hugues

Yes, if you type the command login local and log out without creating any credentials, then you will not be able to log back in.


Hi Laz, first I would like to thank you for your quick response. Just to be specific, I was working on CCNA Routing & Switching ICND1 100-105, Unit 7 Network Management, subtitle Telnet Server and Client. Here is what I found on Packet Tracer 7.1:

R2#telnet ?
  <0-65535>  Port number

As you see here, I do not have the option to add a source address, as explained in the lecture note, after the command telnet /source interface…

Hello Mintesinot

I tried it out myself and I confirm your findings. Unfortunately, Packet Tracer does not include the whole list of available commands that exist on a real IOS device. This is one of those cases where it only includes a subset. However, keep in mind that for the specific exams (ICND1, ICND2, CCNA) the commands included in Packet Tracer are sufficient for your studies. The source interface command that Rene mentions in the lesson is useful to understand the concepts described, but it will not be necessary for the exams themselves.

I hope this has been helpful!


Difference between TACACS server, RADIUS server and RADIUS/TACACS client.
I am trying to understand the basic difference between TACACS client and TACACS server and RADIUS client and RADIUS server and ISE.

Since TACACS+ is Cisco proprietary, we can only configure a centralized server on Cisco ACS or Cisco ISE acting as TACACS server, while a Windows 2012 server acts as centralized RADIUS server? While network access devices such as Cisco switches act as either TACACS clients or RADIUS clients, with a source interface VLAN on the switch that carries the RADIUS or TACACS traffic towards the centralized servers?

In the shared authentication model - your Windows PC or Macintosh laptop is a supplicant while your Cisco switch is the authenticator, which authenticates using credentials of the local directory on ISE or LDAP on a Microsoft AD server?

Is authentication done locally at the Cisco switch with the response of the RADIUS server from Microsoft AD or TACACS+ Cisco ISE, or is it all done at the end devices through a secured tunnel? I am not getting deeper into authentication protocols like EAP-FAST or PEAP. I just want to understand the device roles, as in where the authentication process happens between the three nodes, starting with host supplicants, authenticator (network switch) and back-end authentication device like ISE or Microsoft AD LDAP.

Hello Harshi

I just responded to this post here:

I hope this has been helpful!


1 Like

Hi dear team!!

In this lesson you said this: “If you use telnet, it’s best to use an access-list to restrict what devices are allowed to connect.”

Even though we do this…, an attacker can also try to change his IP to access the server… What else can we do to protect the telnet server and our network?

Hello Vanilson

There are several things you can do to make your Telnet connection even more secure. Other than the access list, you can apply the following:

  • Password protection and password policies - Use a password in the console and vty lines and set up your password policy so it only allows three failed attempts before blocking you out for a period of time.
  • Use Management Plane Protection (MPP) (take a look at the lesson for more info) to restrict the interfaces via which the device permits packets from protocols such as Telnet.
  • Use Control Plane Policing (CoPP) (see lesson) to ensure that the control plane of a device will not get so overwhelmed in a potential attack that Telnet traffic (and any management traffic) will not get processed correctly.

In addition to all of this, if you want to protect your communication session so that intercepted packets cannot be deciphered, it is preferable to use SSH as your management protocol.

I hope this has been helpful!


1 Like
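A configuration sketch of the measures listed in the reply above, in an order that also respects the earlier point in this thread about creating the user before `login local`. This is an added example, not configuration from the lesson or from any poster. The username, the ACL name MGMT-IN, the 192.0.2.0/24 management subnet, the hostname, the domain name and the interface are assumptions, and CoPP is left out.

```cisco
! Constructed example: all names, addresses and the interface are placeholders.
!
! 1. Create the local account BEFORE "login local" is applied to the lines,
!    otherwise the next login prompt asks for an account that does not exist.
username netadmin privilege 15 secret <STRONG-SECRET>
!
! 2. Only the management subnet may reach the vty lines; log everything else.
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! 3. Three failed logins within 60 s start a 120 s quiet period.
!    Hosts matching MGMT-IN can still log in during the quiet period,
!    so a password-guessing source cannot lock the administrators out.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-IN
login on-failure log
login on-success log
!
! 4. SSH needs a hostname, a domain name and an RSA key pair.
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! 5. Management Plane Protection: accept management sessions on one interface only
!    (availability depends on platform and IOS version).
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! 6. Apply the ACL, local authentication and SSH-only transport to the vty lines.
!    If Telnet must stay enabled, use "transport input telnet ssh" here and
!    "allow ssh telnet" in step 5; the session is then still sent in cleartext.
line vty 0 4
 access-class MGMT-IN in
 login local
 transport input ssh
 exec-timeout 5 0
!
! Weak form this replaces (shared line password, any source, Telnet only):
! line vty 0 4
!  password <LINE-PASSWORD>
!  login
!  transport input telnet
```

Keep the console session open while testing a new vty login from a host inside the permitted subnet, and check `show login` and `show access-lists MGMT-IN` afterwards to confirm the quiet-mode settings and the ACL hit counters.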