Tuesday, May 1, 2012

CCNA Certification Exam Training: Telnet & VTY Line Passwords


Telnet is a simple yet powerful program that allows you to connect to a remote Cisco router or switch, and then configure it as though you were right at the console. Telnet is also one of those features that seems so very simple, until you get asked a half dozen questions about it on your CCNA exams.

One common point of confusion about Telnet: Telnet runs at Layer 7 of the OSI model, not Layer 3. It’s easy to think that Telnet runs at Layer 3 of the OSI model, the Network layer. After all, you’re entering an IP address when you telnet in to a router or switch, and you may be on another router when you do it.

None of that matters. Layer 3 is strictly routing. Like other features that require input from the end user, especially authentication, Telnet runs at the Application layer of the OSI model.

Speaking of authentication…
Cisco routers can run quite a few passwords. We can set an enable password, an enable secret (or both), a password for PPP connections, and even a console password.

All of those are optional, but the telnet password is not. Makes sense – you wouldn’t want just anyone telnetting into your router, would you?

Let's see how to set that password and note some other vital Telnet details.

If you have no password set on the VTY lines of your router, no one can telnet in. If they try, they’ll see this message:

R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
Password required, but none set
[Connection to 3.3.3.3 closed by foreign host]

To allow telnet access into a Cisco router, configure the VTY lines with a password and the login command:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#login
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
R3(config-line)#password cisco

Note the messages you get after enabling login. These messages simply indicate that the login won’t work until a password is set. The order in which you enter the login and password commands doesn’t matter; just make sure you use them both.

We’re not quite done, though. The remote user can now telnet in, but by default, that user will be placed into user exec mode. If the user is to be allowed to enter privileged exec mode during a telnet session, an enable password or enable secret must be set.

R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
User Access Verification
Password: <we entered the password here >
R3>enable
% No password set
R3>

The user is stuck in user exec until you set a local enable password. Doing so will allow the user to use that password to enter privileged exec mode.

R3#conf t
R3(config)#enable password ccna
R3(config)#^Z
R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
User Access Verification
Password: < user entered cisco here>
R3>enable
Password: < user entered ccna here >
R3#

The user is now in privileged exec mode. There’s also another method that places the user directly into privileged exec mode when telnetting in, skipping the enable password prompt entirely: use the command privilege level 15 on the VTY lines.

R3#conf t
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
User Access Verification
Password: < user entered VTY line password here >
R3#

Note that the user went straight to privileged exec mode!
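As an added example (not part of the original post and not a Cisco tool), here is a small Python audit that reads a running-config and checks the VTY and enable settings walked through above: login without a line password (the "Password required, but none set" case), a line password without login, no enable password or secret (the user is stuck in user exec), and privilege level 15 on the VTY lines (the enable prompt is bypassed, so the line password alone guards privileged exec). The two configs embedded below are constructed samples that mirror the commands in the post; the finding text and the preference for enable secret over enable password are this example's own conventions.

```python
"""Audit a Cisco IOS running-config for the Telnet/VTY settings covered above.

Added example: constructed configs, not captured from a real device.
"""

# Constructed config matching the final state of R3 in the post.
SAMPLE_CONFIG = """\
hostname R3
!
enable password ccna
!
line con 0
line vty 0 4
 password cisco
 login
 privilege level 15
!
end
"""

# Constructed config: 'login' enabled but no password yet (the "none set" case).
UNFINISHED_CONFIG = """\
hostname R3
!
line vty 0 4
 login
!
end
"""


def parse_line_blocks(config):
    """Return {"vty 0 4": [sub-commands...], "con 0": [...]} for each 'line ...' stanza.

    Indented lines belong to the current stanza; '!' or any global command ends it.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty(config):
    """Return a list of findings (strings) about Telnet access, in discovery order."""
    findings = []
    global_lines = [line.strip() for line in config.splitlines()]
    has_enable_secret = any(l.startswith("enable secret ") for l in global_lines)
    has_enable_password = any(l.startswith("enable password ") for l in global_lines)

    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        # 'login' checks the line password; 'login local' (an IOS option not
        # covered in the post) checks a local username database. 'no login'
        # does not match either test and is reported below.
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' -> telnet users are never asked for a password")
        if has_login and not has_password:
            findings.append(f"{name}: 'login' set but no line password -> remote logins refused")
        if has_password and not has_login and "no login" not in cmds:
            findings.append(f"{name}: password set but 'login' missing -> password not enforced")
        if "privilege level 15" in cmds:
            findings.append(f"{name}: privilege level 15 -> enable prompt bypassed")

    if not has_enable_secret and not has_enable_password:
        findings.append("no enable password or secret -> telnet users stuck in user exec")
    elif has_enable_password and not has_enable_secret:
        # 'enable password' is stored in cleartext (or reversible type 7 form);
        # 'enable secret' is stored hashed, so it is the safer choice of the two.
        findings.append("enable password only -> stored reversibly; prefer enable secret")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R3 final", SAMPLE_CONFIG), ("R3 unfinished", UNFINISHED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_vty(cfg):
            print(" -", finding)
```

Run it against a saved `show running-config` to see which of the post's steps a device has skipped; a clean result is an empty list, and the privilege level 15 finding is worth reviewing wherever it appears, since it makes the VTY line password the only barrier to privileged exec.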