Reserving a VTY Port for Administrative Access

Reserving a VTY Port for Administrative Access

Problem

You want to prevent all of your VTY lines from being used up, effectively locking you out of the router.

Solution

You can ensure that at least one VTY port is available to you for access at all times with the following commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 4
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#

You can also reserve a particular inbound telnet port for administrator access by assigning VTY(s) into a rotary group by using the rotary command:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 5 7
Router1(config-line)#rotary 25
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#

Discussion

Receiving the dreaded "Connection Refused" message from one of your routers can be quite distressing, particularly if you're trying to troubleshoot a serious problem. Generally, it means that other sessions have control of all of your router's limited number of VTY lines. However, it can also mean that someone has launched a Denial of Service (DoS) attack. DoS attacks against router VTYs are simple to launch. Just sitting at a login prompt is enough to tie up a VTY line. This means that you don't need a username or a password to use up all of the VTY lines, locking out all of the legitimate administrators.

Whether the lockout is caused by legitimate sessions or not, this is what it looks like:

Freebsd% telnet Router1
Trying 172.22.1.4...
telnet: connect to address 172.22.1.4: Connection refused
telnet: Unable to connect to remote host
Freebsd%

You can implement a safeguard to ensure that this never happens. Enabling a restrictive access-class on the last accessible VTY ensures that the administrator will always retain access at all times. The key is to ensure that your access-list is as restrictive as possible (i.e., an administrator's IP address).

To view the VTY access statistics, use the show line command:

Router1#show line vty 0 4
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 66 VTY - - - - - 10 0 0/0 -
* 67 VTY - - - - - 10 0 0/0 -
* 68 VTY - - - - - 2 0 0/0 -
* 69 VTY - - - - - 1 0 0/0 -
* 70 VTY - - - - 9 1 0 0/0 -

Router1#

Notice that access-class 9 was assigned to the last VTY session (the AccI column) and was only accessed once (the Uses column).

The rotary configuration command lets you dedicate a group of VTY ports to administrative access. In our example, we created three new VTY lines. By using the rotary command, we also changed the Telnet port of the group of VTY lines from the normal port 23 to Telnet port 3025. The only way to Telnet to this rotary group is to Telnet to port 3025 from your remote server (port 3000 + the rotary group numberin this case, 25):

Freebsd% telnet 172.25.1.101 3025
Trying 172.25.1.101...
Connected to 172.25.1.101.
Escape character is '^]'.

User Access Verification

Username: ijbrown
Password: **********
Router>

After Telneting to the router rotarty group, you can display the VTY you're connected to by issuing the show line command:

Router>show line vty 0 7
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
162 VTY - - - - - 5 0 0/0 -
163 VTY - - - - - 2 0 0/0 -
164 VTY - - - - - 0 0 0/0 -
165 VTY - - - - - 0 0 0/0 -
166 VTY - - - - - 0 0 0/0 -
* 167 VTY - - 25 - 9 2 0 0/0 -
168 VTY - - 25 - 9 0 0 0/0 -
169 VTY - - 25 - 9 0 0 0/0 -

Router>

Notice that we are connected to TTY 167 (VTY 5) as indicated by the "*" on the left most column. Also, notice that column "Roty" in dicates the VTY 5, 6 and 7 are all part of rotary 25.

See Also