very simple question on VTYs

Hi everybody,

Could someone in 2-3 sentences explain me the difference between VTY0 4
and VTY 5 15?
I can see on almost every Cisco device configuration space for

line vty 0 4
and
line vty 5 15

From what I have read, both are being used for LAN access (telnet or
SSH), but what is the difference between them? When does one really need
to configure "line vty 5 15"?

Thanks in advance and sorry for dumb question.
AL

 

In article <fldqdu$fif$>, "" <>
wrote:

> Hi everybody,
>
> Could someone in 2-3 sentences explain me the difference between VTY0 4
> and VTY 5 15?
> I can see on almost every Cisco device configuration space for
>
> line vty 0 4
> and
> line vty 5 15
>
> From what I have read, both are being used for LAN access (telnet or
> SSH), but what is the difference between them? When does one really need
> to configure "line vty 5 15"?
>
> Thanks in advance and sorry for dumb question.
> AL

I think "vty 0 4" are configured by default, which allows 5 concurrent
logins. If you need more than this, you configure more vtys.

--
Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

 

In short absolutely nothing. By default, IOS allows 5 VTY sessions (0 - 4),
and "vty 5 15" allows an additional 11 VTY sessions. For some reason, IOS
breaks them out that way even if the commands under each section is exactly
the same. To configure all 16 VTY sessions, you can use "vty 0 15" but IOS
will still break them up in the config.


<> wrote in message news:fldqdu$fif$...
> Hi everybody,
>
> Could someone in 2-3 sentences explain me the difference between VTY0 4
> and VTY 5 15?
> I can see on almost every Cisco device configuration space for
>
> line vty 0 4
> and
> line vty 5 15
>
> From what I have read, both are being used for LAN access (telnet or SSH),
> but what is the difference between them? When does one really need to
> configure "line vty 5 15"?
>
> Thanks in advance and sorry for dumb question.
> AL

 

On wto, 01 sty 2008 o 16:40 GMT, wrote:

> From what I have read, both are being used for LAN access (telnet or
> SSH), but what is the difference between them? When does one really need
> to configure "line vty 5 15"?

I'd like to add only that it is a good practice to leave last VTY for
'power' user which have to have possibility to log in at any time*. It's
often practiced in a large ISP companies where many users logs into a
routers concurrently (for example NOC engineers).


* you just set another username/password for line VTY 15 which only this
'power' user know.

--
pozdr. S³awomir Kawa³a
JID: slwkk [at] alternatywa [dot] net
GSM: (0)601-398-348

 

keep in mind that when someone telnets or ssh'es into a device, they have no
control over which vty line they connect on - since it just goes in the
order of first available.
if anyone else knows otherwise, please reply.

"S³awomir Kawa³a" <> wrote in message
news:fle39j$c06$...
> On wto, 01 sty 2008 o 16:40 GMT, wrote:
>
>> From what I have read, both are being used for LAN access (telnet or
>> SSH), but what is the difference between them? When does one really need
>> to configure "line vty 5 15"?
>
> I'd like to add only that it is a good practice to leave last VTY for
> 'power' user which have to have possibility to log in at any time*. It's
> often practiced in a large ISP companies where many users logs into a
> routers concurrently (for example NOC engineers).
>
>
> * you just set another username/password for line VTY 15 which only this
> 'power' user know.
>
> --
> pozdr. S³awomir Kawa³a
> JID: slwkk [at] alternatywa [dot] net
> GSM: (0)601-398-348

 

Barry Margolin wrote:
> I think "vty 0 4" are configured by default, which allows 5 concurrent
> logins. If you need more than this, you configure more vtys.

Thank you all for your answers. It is more clear to me now. What happens
though if you configure vtys 0-4, leave the rest not configured and when
6th user tries to login? Is the 6th user going to be denied access?

BTW. Is is a 6 different users (different login IDs) or 6 incoming
connections (but can come from the same user)?

Thanks,
AL

 

In article <flf10c$6pf$>, "" <>
wrote:

> Barry Margolin wrote:
> > I think "vty 0 4" are configured by default, which allows 5 concurrent
> > logins. If you need more than this, you configure more vtys.
>
> Thank you all for your answers. It is more clear to me now. What happens
> though if you configure vtys 0-4, leave the rest not configured and when
> 6th user tries to login? Is the 6th user going to be denied access?

The connection fails.

> BTW. Is is a 6 different users (different login IDs) or 6 incoming
> connections (but can come from the same user)?

6 connections.

VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
network logins, analogous to a serial port for dialup/hardwired
terminals.

--
Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

 

i'm going to amend my previous post....
you can use the 'rotary' command under the vty lines to change the port
number you connect on, thus allowing an administrator to designate a
particular vty line they are connecting to.
line vty 5
login
rotary rotary_number
telnet to port 3000+rotary_number
there is also an ssh equivalent.
ip ssh port port_number rotary rotary_number
"John Smith" <> wrote in message
news:...
> keep in mind that when someone telnets or ssh'es into a device, they have
> no control over which vty line they connect on - since it just goes in the
> order of first available.
> if anyone else knows otherwise, please reply.
>
> "S³awomir Kawa³a" <> wrote in message
> news:fle39j$c06$...
>> On wto, 01 sty 2008 o 16:40 GMT, wrote:
>>
>>> From what I have read, both are being used for LAN access (telnet or
>>> SSH), but what is the difference between them? When does one really need
>>> to configure "line vty 5 15"?
>>
>> I'd like to add only that it is a good practice to leave last VTY for
>> 'power' user which have to have possibility to log in at any time*. It's
>> often practiced in a large ISP companies where many users logs into a
>> routers concurrently (for example NOC engineers).
>>
>>
>> * you just set another username/password for line VTY 15 which only this
>> 'power' user know.
>>
>> --
>> pozdr. S³awomir Kawa³a
>> JID: slwkk [at] alternatywa [dot] net
>> GSM: (0)601-398-348
>

 

Barry Margolin wrote:
> The connection fails.
> VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
> network logins, analogous to a serial port for dialup/hardwired
> terminals.

Thank you Barry.
Regards,
AL

 

By having 16 VTY lines (vty 0 - vty 15) you can mix the configurations of
each.

Example:

line vty 0 9
transport input ssh
access-class 19 in
line vty 10 15
transport input telnet
access-class 20 in

This will allow 10 SSH users which are granted from access-list 19 and also
6 telnet users which are granted from access-list 20.

To avoid a session from hanging indefinately and filling all available VTY
lines, I highly suggest adding the "exec-timeout" command to end idle
sessions. It is very upsetting to have only 4 VTY lines available, 3 being
used by days old sessions never disconnected, and not being able to connect
into a network device for administration.

--

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________
<> wrote in message news:flha4g$qi2$...
> Barry Margolin wrote:
>> The connection fails.
>> VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for
>> network logins, analogous to a serial port for dialup/hardwired
>> terminals.
>
> Thank you Barry.
> Regards,
> AL

 

In article <>,
John Smith <> wrote:
>i'm going to amend my previous post....
>you can use the 'rotary' command under the vty lines to change the port
>number you connect on, thus allowing an administrator to designate a
>particular vty line they are connecting to.
>line vty 5
>login
>rotary rotary_number
>telnet to port 3000+rotary_number
>there is also an ssh equivalent.
>ip ssh port port_number rotary rotary_number


That works if you have defined a rotary pool on the target device.
(ie: a set of async lines connected to a particular device might be a rotary,
and the pool for the next device might be the next rotary.)

If you want to connect to a specific port, telnet to port 2000+port#,
where port# is the port number shown in 'show lines'.

The lines are ordered like so: console, async ports, aux port, vty's.
You can't connect to the console via telnet, but you can connect to the
aux port, and if you plug a rollover cable from the aux port to the console
port on another device, you can use it as a single port terminal server by
connecting to port 2001.

AFAIK, routers have 5 vtys by default, while switches have 16. The original
cisco routers had 5 vtys, and the number has persisted ever since.

I suspect that the vty numbers are split in the config for a reason. For
instance, if you take a config from a device with 16 vtys, and drop it into
a device with 5, the first 5 will be properly configured, and the remainder
ignored. If the config specified the entire range, the entire command would
be ignored.



>"John Smith" <> wrote in message
>news:...
>> keep in mind that when someone telnets or ssh'es into a device, they have
>> no control over which vty line they connect on - since it just goes in the
>> order of first available.
>> if anyone else knows otherwise, please reply.
>>
>> "S³awomir Kawa³a" <> wrote in message
>> news:fle39j$c06$...
>>> On wto, 01 sty 2008 o 16:40 GMT, wrote:
>>>
>>>> From what I have read, both are being used for LAN access (telnet or
>>>> SSH), but what is the difference between them? When does one really need
>>>> to configure "line vty 5 15"?
>>>
>>> I'd like to add only that it is a good practice to leave last VTY for
>>> 'power' user which have to have possibility to log in at any time*. It's
>>> often practiced in a large ISP companies where many users logs into a
>>> routers concurrently (for example NOC engineers).
>>>
>>>
>>> * you just set another username/password for line VTY 15 which only this
>>> 'power' user know.
>>>
>>> --
>>> pozdr. S³awomir Kawa³a
>>> JID: slwkk [at] alternatywa [dot] net
>>> GSM: (0)601-398-348
>>
>


--
-- Welcome My Son, Welcome To The Machine --
Bob Vaughan | techie @ tantivy.net |
| P.O. Box 19792, Stanford, Ca 94309 |
-- I am Me, I am only Me, And no one else is Me, What could be simpler? --