Configure lines and VTYs on Cisco routers

All Cisco routers have two special types of lines, and many Cisco routers have a third. What are these lines, and how do you configure them? These are things that every network admin should know.

What are the different types of lines on Cisco routers?

"Lines" on Cisco routers are physical async serial ports on the router (such as a terminal or modem), a virtual network connection, or another type of serial line on the router. To see which lines you have on your router, use the show line command. Here's an example:

Router# show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
*   33 TTY  19200/19200 -    -      -    -    -    150     178     0/0       -
    34 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    35 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    36 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    37 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    38 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    39 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    40 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    41 TTY   9600/9600  -    -      -    -    -   3083       0     0/0       -
    42 TTY  19200/19200 -    -      -    -    -      0       1     0/0       -
    43 TTY  19200/19200 -    -      -    -    -      5       9     0/0       -
    44 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    45 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    46 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    47 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    48 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    49 TTY  19200/19200 -    -      -    -    -      0       0     0/0       -
    50 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    51 TTY   9600/9600  -    -      -    -    -   1550       1     0/0       -
    52 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    53 TTY   9600/9600  -    -      -    -    -     57       0     0/0       -
    54 TTY   9600/9600  -    -      -    -    -   5782       0     0/0       -
    55 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    56 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    57 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    58 TTY   9600/9600  -    -      -    -    -   2117       0     0/0       -
    59 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    60 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    61 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    62 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    63 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    64 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    65 AUX 115200/115200- inout     -    -    -      0       0     0/0       -
*   66 VTY              -    -      -    -    -    439       0     0/0       -
    67 VTY              -    -      -    -    -      2       0     0/0       -
    68 VTY              -    -      -    -    -      0       0     0/0       -
    69 VTY              -    -      -    -    -      0       0     0/0       -
    70 VTY              -    -      -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
1-32

Router#

As you can see from the example, the router has one console line (labeled CTY), one AUX port (labeled AUX), five VTY lines, and 32 TTY lines. Each is a different type of line.

Use the show line summary command to get a cool summary. Here's an example:

Router# show line summary
        0: ???? ???? ???? ???? ???? ???? ???? ???? ?u??
       36: ???? ?-?- ???? ???- ?--? ??-? ???? ??U- ???
   2 character mode users.           (U)
  62 lines never used                (?)
   2 total lines in use,    1 not authenticated (lowercase)
Router#

To look at the terminal configurations of individual lines, use the show line <parameter> command (even if you aren't connected to that line). Here's an example:

Router# show line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
Status: Ready
Capabilities: none
Modem state: Ready
Group codes:    0
Modem hardware state: noCTS noDSR  DTR RTS
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are lat pad v120 mop telnet rlogin nasi ssh.
Preferred transport is lat.
No output characters are padded
No special data dispatching characters
Router#

What's a CTY port?

The console port shouldn't need any introduction. The CTY port is, of course, where you configure the router when it's brand-new -- before it has any IP address configuration. The console port is a serial port, so you need a PC or laptop with a serial interface, and you connect to the console with a rolled cable, most likely using a DB9-to-RJ45 adaptor between the serial port on your computer and the console port.

Once you've used the console port to configure the router's network configuration, it isn't common to have to use it again. However, it's good to know that it's there if anything ever goes wrong. In addition, you should secure the console port to keep someone from connecting to it when you aren't around.

What's the AUX port?

Not all routers these days have an AUX port. AUX stands for auxiliary; think of it as a secondary console port. AUX ports don't get a lot of use except to access the router if you're locked out of the console port.

In the past, network admins would connect modems to the AUX ports so they could dial into their routers. Like the console port, the AUX port is a serial port, and you should also take steps to secure it.

What are TTY lines?

To have a TTY line on your router, you must have an ASYNC card in your router. This card provides some number of asynchronous serial ports on the router, which you can use for serial printers, serial modems, or dumb ASCII text terminals. With those ports, the serial printers could become networked printers (using the LPD service on the router), and the dumb terminals could become networked Telnet devices.

In the case of the router shown above, it has a 32-port asynchronous serial card (Cisco NM-32A) installed, and it's using many of those ports for asynchronous serial devices such as ASCII text printers and ASCII text dumb terminals. This may seem archaic, but many companies still use this approach to connect to legacy UNIX systems to run legacy text-based applications. However, networked terminal emulators are slowly replacing them.

What are VTY ports?

VTY ports are virtual TTY ports, used to Telnet or SSH into the router over the network. You can use them to connect to the router to make configuration changes or check the status. Most routers have five VTY ports, numbered 0 to 4.

That means you can have up to five concurrent network admins configuring the router at one time. However, you can easily generate more VTY lines.

For example, to create a total of 21 VTY lines (numbered 0 through 20), enter the following:

Router(config)# line vty 0 20

How do I configure my Cisco router lines?

While you could spend a lot of time learning all the configuration variations for lines on a Cisco router, here's the simplest and most useful configuration for your router lines.

I recommend applying the same basic configuration to each of the following lines on your router:

Router(config)# line con 0
Router(config)# line aux 0
Router(config)# line vty 0 4

Here's an example (use a strong password of your own):

Router(config)# line vty 0 4
Router(config-line)# password My713!CiscoR0uter
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 60 0

On VTY lines:

Router(config-line)# transport input <telnet OR ssh>

Keep in mind that you can always use the clear line command to clear out a connection on a router line if you run into a problem.
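
One way to check line stanzas against the settings discussed in this article and in the reader comments below it (SSH-only transport input, an inbound access-class on VTY lines, a bounded exec-timeout), as an added example that is not part of the original article. The sample configuration is constructed, the 10-minute idle threshold is an assumed policy, and login local is a standard IOS command that the article does not cover.

```python
import re

# Constructed running-config excerpt; the password values are placeholders.
SAMPLE = """\
line con 0
 logging synchronous
line aux 0
 password 7 <placeholder>
 exec-timeout 0 0
line vty 0 4
 password 7 <placeholder>
 exec-timeout 60 0
 transport input telnet ssh
line vty 5 20
 access-class 10 in
 login local
 transport input ssh
"""
MAX_IDLE = 600  # seconds; assumed policy, equal to the 10-minute IOS default

def parse_lines(config):
    """Map each 'line ...' header to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = stanzas.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """Return (header, finding) tuples for weak line settings."""
    out = []
    for header, cmds in parse_lines(config).items():
        if not any(re.match(r"password |login (local|authentication)", c) for c in cmds):
            out.append((header, "no password or login method"))
        # exec-timeout <minutes> [seconds]; if absent, the default applies.
        t = next((c.split()[1:] for c in cmds if c.startswith("exec-timeout ")), ["10"])
        idle = int(t[0]) * 60 + (int(t[1]) if len(t) > 1 else 0)
        if idle == 0 or idle > MAX_IDLE:
            out.append((header, "idle timeout disabled" if idle == 0 else "idle timeout above policy"))
        if header.startswith("line vty"):
            proto = next((c.split()[2:] for c in cmds if c.startswith("transport input ")), None)
            if proto not in (["ssh"], ["none"]):
                out.append((header, "transport input not restricted to ssh"))
            if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
                out.append((header, "no inbound access-class"))
    return out
```

Pass the text of a saved running-config to audit() to get the list of findings; with the sample above it reports the console, the AUX line and VTY lines 0 to 4, and nothing for VTY lines 5 to 20.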

Conclusion

Misconfigured Cisco router lines or unconfigured router lines can be a security risk. Also, if you misconfigure your router's lines, you may not be able to access the router's configuration interfaces.

15 comments
lifzo

I need help with Visual Studio 2010, I can't seem to install it on my PC

vijayasankarj

I have executed the show command with output modifiers like, for example: show mediatrace session stats | format ... The router returns "%format unable to get tty". How do I overcome this trouble?

arunedavana

Cisco 7206 VXR router showing unknown symbols in console access. We checked console cable and PC settings. All are working in other routers. Please give me one solution in my mail ID arunedavana@gmail.com

Photogenic Memory

Thanks to all. I really wanted to know how you could limit access to a Cisco router to SSH only. It seems so simple with these commands. Thanks.

thurm01

Thanks, that was helpful.

robert.a.hatcher

If working in a secure environment with questionable and curious people, leaving a router open to access "because you are busy multi-tasking" for 60 seconds is asking for problems. I would knock that down to 15 seconds.

icmp30

I don't know if it's the articles I'm reading or if it's a general issue at TechRepublic, but the articles I've seen lately are really basic and it's the comments that have the useful info.

mercedesman1981

I didn't see any responses, for the tty ports, default setting is both telnet or ssh depending on the software package you have (crypto for ssh). You can therefore specify specifically ssh for both inbound and outbound traffic: transport input ssh and transport output ssh. You can also specify an ssh timeout in global configuration mode.

service

Prevent Non-SSH Connections

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.

line vty 0 4
!--- Prevent non-SSH Telnets.
transport input ssh

rburts

Given the comment about the need to protect and secure vty connections, I am surprised that the article did not illustrate and advocate using access-class on the vty lines to control who has remote access to the device.

skipngstns

This timeout is set to 60 minutes (exec-timeout minutes seconds). The Cisco default is 10 minutes. Run a show ip eigrp topology or any debug statement and try to finish analyzing your results in 15 seconds. Your statements of a secure environment and leaving a router open to access from questionable or curious people are contradictory.

Photogenic Memory

There are a few authors here at this site that are really on the ball. You can tell from their writing styles. Some of them just write a small opinionated synopsis of a topic which generates a lot of intelligent discussion. Many others don't, however. The best writers (for me at least) are the ones that can summarize a topic quickly and go directly to the real-world configuration examples. Those topics I notice are either the Linux, Cisco, and Windows Server articles. There are probably other authors and topics but that's what I've noticed so far.

mercedesman1981

Don't forget the other half - the transport output command. I use both in my systems:

transport input ssh
transport output ssh

I don't want anything entering or leaving my network devices un-encrypted. But then, we are all using out-of-band management too. Right?

Mike

bart.thoen

"...we are all using out-of-band management too. Right?" We do !! Via ssh of course.