very simple question on VTYs

Discussion in 'Cisco' started by aleu@vp.pl, Jan 1, 2008.

  1. Guest

    Hi everybody,

    Could someone in 2-3 sentences explain to me the difference between VTY 0 4
    and VTY 5 15?
    I can see on almost every Cisco device configuration space for

    line vty 0 4
    and
    line vty 5 15

    From what I have read, both are being used for LAN access (telnet or
    SSH), but what is the difference between them? When does one really need
    to configure "line vty 5 15"?

    Thanks in advance and sorry for the dumb question.
    AL
     
    , Jan 1, 2008
    #1

  2. In article <fldqdu$fif$>, "" <>
    wrote:

    > Hi everybody,
    >
    > Could someone in 2-3 sentences explain me the difference between VTY0 4
    > and VTY 5 15?
    > I can see on almost every Cisco device configuration space for
    >
    > line vty 0 4
    > and
    > line vty 5 15
    >
    > From what I have read, both are being used for LAN access (telnet or
    > SSH), but what is the difference between them? When does one really need
    > to configure "line vty 5 15"?
    >
    > Thanks in advance and sorry for dumb question.
    > AL


    I think "vty 0 4" are configured by default, which allows 5 concurrent
    logins. If you need more than this, you configure more vtys.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Jan 1, 2008
    #2

  3. Thrill5 Guest

    In short, absolutely nothing. By default, IOS allows 5 VTY sessions (0 - 4),
    and "vty 5 15" allows an additional 11 VTY sessions. For some reason, IOS
    breaks them out that way even if the commands under each section are exactly
    the same. To configure all 16 VTY sessions, you can use "vty 0 15" but IOS
    will still break them up in the config.


    <> wrote in message news:fldqdu$fif$...
    > Hi everybody,
    >
    > Could someone in 2-3 sentences explain me the difference between VTY0 4
    > and VTY 5 15?
    > I can see on almost every Cisco device configuration space for
    >
    > line vty 0 4
    > and
    > line vty 5 15
    >
    > From what I have read, both are being used for LAN access (telnet or SSH),
    > but what is the difference between them? When does one really need to
    > configure "line vty 5 15"?
    >
    > Thanks in advance and sorry for dumb question.
    > AL
     
    Thrill5, Jan 1, 2008
    #3
  4. On Tue, 01 Jan 2008 at 16:40 GMT, wrote:

    > From what I have read, both are being used for LAN access (telnet or
    > SSH), but what is the difference between them? When does one really need
    > to configure "line vty 5 15"?


    I'd only like to add that it is good practice to leave the last VTY for a
    'power' user who has to be able to log in at any time*. It's
    often practiced in large ISP companies where many users log into
    routers concurrently (for example NOC engineers).


    * you just set another username/password for line VTY 15 which only this
    'power' user knows.

    --
    Regards, Sławomir Kawała
    JID: slwkk [at] alternatywa [dot] net
    GSM: (0)601-398-348
     
    Sławomir Kawała, Jan 1, 2008
    #4
  5. John Smith Guest

    Keep in mind that when someone telnets or SSHes into a device, they have no
    control over which vty line they connect on, since it just goes in the
    order of first available.
    If anyone else knows otherwise, please reply.

    "Sławomir Kawała" <> wrote in message
    news:fle39j$c06$...
    > On Tue, 01 Jan 2008 at 16:40 GMT, wrote:
    >
    >> From what I have read, both are being used for LAN access (telnet or
    >> SSH), but what is the difference between them? When does one really need
    >> to configure "line vty 5 15"?

    >
    > I'd like to add only that it is a good practice to leave last VTY for
    > 'power' user which have to have possibility to log in at any time*. It's
    > often practiced in a large ISP companies where many users logs into a
    > routers concurrently (for example NOC engineers).
    >
    >
    > * you just set another username/password for line VTY 15 which only this
    > 'power' user know.
    >
    > --
    > Regards, Sławomir Kawała
    > JID: slwkk [at] alternatywa [dot] net
    > GSM: (0)601-398-348
     
    John Smith, Jan 2, 2008
    #5
  6. Guest

    Barry Margolin wrote:
    > I think "vty 0 4" are configured by default, which allows 5 concurrent
    > logins. If you need more than this, you configure more vtys.


    Thank you all for your answers. It is clearer to me now. What happens,
    though, if you configure vtys 0-4, leave the rest unconfigured, and a
    6th user tries to log in? Is the 6th user going to be denied access?

    BTW, is it 6 different users (different login IDs) or 6 incoming
    connections (but can come from the same user)?

    Thanks,
    AL
     
    , Jan 2, 2008
    #6
  7. In article <flf10c$6pf$>, "" <>
    wrote:

    > Barry Margolin wrote:
    > > I think "vty 0 4" are configured by default, which allows 5 concurrent
    > > logins. If you need more than this, you configure more vtys.

    >
    > Thank you all for your answers. It is more clear to me now. What happens
    > though if you configure vtys 0-4, leave the rest not configured and when
    > 6th user tries to login? Is the 6th user going to be denied access?


    The connection fails.

    > BTW. Is is a 6 different users (different login IDs) or 6 incoming
    > connections (but can come from the same user)?


    6 connections.

    VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
    network logins, analogous to a serial port for dialup/hardwired
    terminals.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Jan 2, 2008
    #7
  8. John Smith Guest

    I'm going to amend my previous post....
    You can use the 'rotary' command under the vty lines to change the port
    number you connect on, thus allowing an administrator to designate a
    particular vty line they are connecting to.

    line vty 5
     login
     rotary rotary_number

    Telnet to port 3000+rotary_number.
    There is also an SSH equivalent:

    ip ssh port port_number rotary rotary_number

    "John Smith" <> wrote in message
    news:...
    > keep in mind that when someone telnets or ssh'es into a device, they have
    > no control over which vty line they connect on - since it just goes in the
    > order of first available.
    > if anyone else knows otherwise, please reply.
    >
    > "Sławomir Kawała" <> wrote in message
    > news:fle39j$c06$...
    >> On Tue, 01 Jan 2008 at 16:40 GMT, wrote:
    >>
    >>> From what I have read, both are being used for LAN access (telnet or
    >>> SSH), but what is the difference between them? When does one really need
    >>> to configure "line vty 5 15"?

    >>
    >> I'd like to add only that it is a good practice to leave last VTY for
    >> 'power' user which have to have possibility to log in at any time*. It's
    >> often practiced in a large ISP companies where many users logs into a
    >> routers concurrently (for example NOC engineers).
    >>
    >>
    >> * you just set another username/password for line VTY 15 which only this
    >> 'power' user know.
    >>
    >> --
    >> Regards, Sławomir Kawała
    >> JID: slwkk [at] alternatywa [dot] net
    >> GSM: (0)601-398-348

    >
     
    John Smith, Jan 2, 2008
    #8
  9. Guest

    Barry Margolin wrote:
    > The connection fails.
    > VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
    > network logins, analogous to a serial port for dialup/hardwired
    > terminals.


    Thank you Barry.
    Regards,
    AL
     
    , Jan 3, 2008
    #9
  10. Scott Perry Guest

    By having 16 VTY lines (vty 0 - vty 15) you can mix the configurations of
    each.

    Example:

    line vty 0 9
     transport input ssh
     access-class 19 in
    line vty 10 15
     transport input telnet
     access-class 20 in

    This will allow 10 SSH users which are granted from access-list 19 and also
    6 telnet users which are granted from access-list 20.

    To avoid a session from hanging indefinitely and filling all available VTY
    lines, I highly suggest adding the "exec-timeout" command to end idle
    sessions. It is very upsetting to have only 4 VTY lines available, 3 being
    used by days-old sessions never disconnected, and not being able to connect
    into a network device for administration.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    <> wrote in message news:flha4g$qi2$...
    > Barry Margolin wrote:
    >> The connection fails.
    >> VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
    >> network logins, analogous to a serial port for dialup/hardwired
    >> terminals.

    >
    > Thank you Barry.
    > Regards,
    > AL
     
    Scott Perry, Jan 7, 2008
    #10
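
Added example (not part of the thread or any poster's code): a small Python audit that expands every `line vty` range in a saved configuration and reports, per line, the settings discussed in post #10 (telnet permitted, no inbound access-class, exec-timeout disabled), so a hardened `vty 0 4` next to a weaker `vty 5 15` stands out. The sample configuration and the function names are constructed for illustration, and the parser assumes sub-commands are indented by one space as in a saved running configuration.

```python
import re

# Constructed sample (not from the thread): vty 0-4 hardened, vty 5-15 left weak.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 19 in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""

def parse_vty_lines(config):
    """Return {vty_number: [subcommands]} with every 'line vty A B' range expanded."""
    lines, current = {}, []
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            lines.update({n: [] for n in current})
        elif raw.startswith(" ") and current:
            for n in current:
                lines[n].append(raw.strip())
        else:
            current = []  # any other top-level line ends the vty block
    return lines

def audit_vty(config):
    """Return {vty_number: [findings]} for lines missing the settings from post #10."""
    findings = {}
    for n, cmds in sorted(parse_vty_lines(config).items()):
        issues = []
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            issues.append("transport input not set explicitly")
        elif {"telnet", "all"} & set(transport):
            issues.append("telnet permitted")
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            issues.append("no inbound access-class")
        timeout = next((c.split()[1:] for c in cmds if c.startswith("exec-timeout")), None)
        if "no exec-timeout" in cmds or (timeout is not None and all(int(t) == 0 for t in timeout)):
            issues.append("exec-timeout disabled")
        if issues:
            findings[n] = issues
    return findings
```

Run against the sample, `audit_vty(SAMPLE_CONFIG)` reports nothing for lines 0-4 and all three findings for each of lines 5-15.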
  11. Bob Vaughan Guest

    In article <>,
    John Smith <> wrote:
    >i'm going to amend my previous post....
    >you can use the 'rotary' command under the vty lines to change the port
    >number you connect on, thus allowing an administrator to designate a
    >particular vty line they are connecting to.
    >line vty 5
    >login
    >rotary rotary_number
    >telnet to port 3000+rotary_number
    >there is also an ssh equivalent.
    >ip ssh port port_number rotary rotary_number



    That works if you have defined a rotary pool on the target device.
    (ie: a set of async lines connected to a particular device might be a rotary,
    and the pool for the next device might be the next rotary.)

    If you want to connect to a specific port, telnet to port 2000+port#,
    where port# is the port number shown in 'show lines'.

    The lines are ordered like so: console, async ports, aux port, vty's.
    You can't connect to the console via telnet, but you can connect to the
    aux port, and if you plug a rollover cable from the aux port to the console
    port on another device, you can use it as a single port terminal server by
    connecting to port 2001.

    AFAIK, routers have 5 vtys by default, while switches have 16. The original
    cisco routers had 5 vtys, and the number has persisted ever since.

    I suspect that the vty numbers are split in the config for a reason. For
    instance, if you take a config from a device with 16 vtys, and drop it into
    a device with 5, the first 5 will be properly configured, and the remainder
    ignored. If the config specified the entire range, the entire command would
    be ignored.



    >"John Smith" <> wrote in message
    >news:...
    >> keep in mind that when someone telnets or ssh'es into a device, they have
    >> no control over which vty line they connect on - since it just goes in the
    >> order of first available.
    >> if anyone else knows otherwise, please reply.
    >>
    >> "Sławomir Kawała" <> wrote in message
    >> news:fle39j$c06$...
    >>> On Tue, 01 Jan 2008 at 16:40 GMT, wrote:
    >>>
    >>>> From what I have read, both are being used for LAN access (telnet or
    >>>> SSH), but what is the difference between them? When does one really need
    >>>> to configure "line vty 5 15"?
    >>>
    >>> I'd like to add only that it is a good practice to leave last VTY for
    >>> 'power' user which have to have possibility to log in at any time*. It's
    >>> often practiced in a large ISP companies where many users logs into a
    >>> routers concurrently (for example NOC engineers).
    >>>
    >>>
    >>> * you just set another username/password for line VTY 15 which only this
    >>> 'power' user know.
    >>>
    >>> --
    >>> Regards, Sławomir Kawała
    >>> JID: slwkk [at] alternatywa [dot] net
    >>> GSM: (0)601-398-348

    >>

    >



    --
    -- Welcome My Son, Welcome To The Machine --
    Bob Vaughan | techie @ tantivy.net |
    | P.O. Box 19792, Stanford, Ca 94309 |
    -- I am Me, I am only Me, And no one else is Me, What could be simpler? --
     
    Bob Vaughan, Jan 14, 2008
    #11