Networks Training

How to Disable Telnet and Enable SSH on Cisco Devices

I should have written this article from the very beginning of starting this blog because it is one of the most fundamental configuration steps for managing a Cisco networking device (router, switch, firewall etc).

how to disable telnet and enable ssh on cisco routers and switches

Disabling Telnet and enabling SSH on a networking device is also a step forward in increasing security in the whole network. Encrypted communication is a must nowadays, something that most professionals didn’t pay much attention a few years ago.

There are several ways to manage a Cisco device. Here are the most popular ones:

  • Direct Console Access: Uses a special serial cable to connect directly to the console port and get a Command Line Interface(CLI) to the device.
  • Telnet Access: Remote management of the device from the network. Gives authenticated Command Line access to the device but the whole communication is not encrypted.
  • SSH Access: Remote management of the device form the network (just like Telnet) but the whole traffic is encrypted by the SSH protocol.

There are some more management ways (depending on the device) such as HTTPs Web access, management through an application etc, but the above 3 are the most common options.

Moreover, disabling Telnet and enabling SSH is one of the best practices suggested by the official Cisco Hardening Guide for IOS devices to secure the management plane. For a more practical guide to harden Cisco routers and switches in 10 steps have a look at our post here.

MORE READING:  Cisco IOS DHCP Configuration

Disable Telnet on Cisco Routers/Switches

Let’s see first how to disable Telnet on a Cisco IOS device which covers both Routers and Switches.

Each Telnet access to the device (same applies with SSH as well) uses one of the VTY lines (Virtual Terminal lines).

You need to have in mind that older IOS versions (before 12.2) had 5 VTY lines (numbered 0 to 4), whereas newer IOS versions (after 12.2) have 16 VTY lines (numbered 0 to 15).

Therefore, to disable Telnet you need to do this action on all the VTY lines.

The following configuration will disable Telnet and all other remote network access:

CiscoDevice(config)# line vty 0 15    <– configure all 16 VTY lines
CiscoDevice(config-line)# transport input none   <– disable Telnet and everything else

If you do the above config, the only way to connect to the router or switch is with direct console access.

Controlled Access to Telnet

Another way to control Telnet access to routers and switches is to apply an Access Control List (ACL) on the VTY lines and allow only specific management IPs to connect.

With this method you don’t disable Telnet completely but you just control access to it from management stations.

CiscoDevice(config)# enable secret strongenablepass <– first configure enable password
CiscoDevice(config)# access-list 10 permit 192.168.1.0 0.0.0.255 <– create ACL for subnet 192.168.1.0/24
CiscoDevice(config)# line vty 0 15
CiscoDevice(config-line)# access-class 10 in <– allow subnet above only to access the device via Telnet
CiscoDevice(config-line)# password strongtelnetpass <– configure password on Telnet lines
CiscoDevice(config-line)# login <– ask for Telnet password

Enable SSH on Cisco Routers/Switches

By enabling SSH and configuring this transport protocol on the VTY lines of the IOS device, it will automatically disable Telnet as well.

MORE READING:  Six DoS Vulnerabilities in Cisco IOS Software - Patch your devices ASAP

So lets see how to enable SSH. First you need to generate SSH keys and then enable SSH transport on VTY lines.

CiscoDevice# config terminal

CiscoDevice(config)# enable secret strongenablepass <– first configure enable password

CiscoDevice(config)# username admin password adminpass <– it’s a good practice to create local administration user (if you don’t have external AAA server)

CiscoDevice(config)# hostname NewYork

NewYork(config)# ip domain-name mycompany.com <– configuring hostname and domain name are necessary for creating SSH keys

NewYork(config)# ip ssh version 2 <– use more secure SSH v2

NewYork(config)# crypto key generate rsa modulus 2048 <– create 2048 SSH key

NewYork(config)# ip ssh time-out 60 <– self explanatory

NewYork(config)# ip ssh authentication-retries 3  <– self explanatory

NewYork(config)# line vty 0 15

NewYork(config-line)# transport input ssh <– enables SSH and disables Telnet on all VTY lines

NewYork (config-line)# login local <– use local user for authentication.

SSH requires to have a hostname and domain-name configured and also to generate SSH keys. Also, on VTY lines allow SSH protocol only which means that Telnet is disabled automatically.

Filed Under: Cisco IOS

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING