Security · Line Config

transport input ssh

Restricts incoming Telnet or SSH connections on a VTY line to only SSH, blocking unencrypted Telnet access for secure remote management.

Syntax · Line Config
transport input ssh

When to Use This Command

  • Securing remote management access to a router by disabling Telnet and allowing only encrypted SSH connections.
  • Complying with security policies that require encrypted remote administration protocols.
  • Preventing unauthorized interception of credentials and session data over the network.
  • Configuring a management VTY line for SSH-only access while other lines remain for console or auxiliary use.

Command Examples

Enable SSH-only on VTY lines 0-4

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)#

The command is entered in line configuration mode. No output is shown if successful; the prompt returns. This configures all five VTY lines to accept only SSH connections.

Verify transport input setting

show line vty 0 4
   Tty Line Typ    Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0   0 VTY              -    -      -    -    -      0       0     0/0       -
     1   1 VTY              -    -      -    -    -      0       0     0/0       -
     2   2 VTY              -    -      -    -    -      0       0     0/0       -
     3   3 VTY              -    -      -    -    -      0       0     0/0       -
     4   4 VTY              -    -      -    -    -      0       0     0/0       -

Line 0, Location: '', Type: 'VTY'
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: Ready
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
    ^^x    none   -     -       none
Timeouts:    Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
           00:10:00        never                        none     not set
 Idle Session Disconnect Timer: never
 Session Limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
 Full user help is disabled
 Allowed input transports are SSH.
 Allowed output transports are Telnet.
 Preferred transport is Telnet.
 No output characters are padded.
 No special data display characters.

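The output shows the configuration of the VTY lines. The key line, 'Allowed input transports are SSH.', confirms that only SSH is permitted for incoming connections. Telnet is not listed as an input transport, so incoming Telnet is blocked; the 'Allowed output transports' and 'Preferred transport' lines apply to outgoing connections from the router.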

Understanding the Output

The 'show line vty' command displays detailed line parameters. The critical field is 'Allowed input transports' which lists protocols permitted for incoming connections. If it shows 'SSH', then only SSH is allowed; if it shows 'Telnet' or 'All', then Telnet is also permitted. A secure configuration should show only 'SSH'. The output also includes line status, baud rate, timeouts, and other settings that are not directly related to transport input but help verify the overall line configuration.

CCNA Exam Tips

1. Remember that 'transport input ssh' must be paired with 'login local' or AAA to enforce authentication; otherwise, no password is required.

2. The default transport input on VTY lines is 'telnet' (or 'all' in some IOS versions). You must explicitly configure 'transport input ssh' to disable Telnet.

3. To allow both SSH and Telnet, use 'transport input telnet ssh' (order matters for some versions).

4. The 'transport input' command only affects incoming connections; outgoing connections (like SSH from the router) are controlled by 'transport output'.

Common Mistakes

Mistake 1: Forgetting to configure the SSH server (hostname, domain-name, crypto key) before enabling 'transport input ssh', causing connection failures.

Mistake 2: Applying 'transport input ssh' to the console or aux line, which is unnecessary and may block local access.

Mistake 3: Not saving the configuration after setting transport input, so the change is lost on reload.
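
An offline check that applies the exam tips and common mistakes above to a saved running-config, added here as an example (it is not from the original page or from Cisco). The function names and the sample config are constructed for illustration, and the check assumes the standard running-config layout in which sub-commands are indented under their 'line' header.

```python
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.example
line aux 0
 transport input ssh
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

def parse_line_blocks(config):
    """Group each 'line ...' header with its indented sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw[:1] in (" ", "\t") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_lines(config):
    """Return findings based on this page's exam tips and common mistakes."""
    top = [l.strip() for l in config.splitlines()]
    aaa = "aaa new-model" in top  # with AAA enabled, 'login local' is not expected
    findings = []
    if not any(l.startswith(("ip domain-name ", "ip domain name ")) for l in top):
        findings.append("global: no domain name set, SSH server prerequisites incomplete")
    for header, cmds in parse_line_blocks(config):
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if not header.startswith("line vty"):
            if transport is not None:
                findings.append(f"{header}: transport input set on a non-VTY line")
            continue
        if transport is None:
            findings.append(f"{header}: no explicit transport input, default applies")
        elif transport != ["ssh"]:
            findings.append(f"{header}: input transports {' '.join(transport)} allow more than SSH")
        if not aaa and "login local" not in cmds:
            findings.append(f"{header}: neither 'login local' nor AAA configured")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_lines(SAMPLE_CONFIG)))
```

The crypto key and whether the configuration was saved cannot be read from the running-config text, so those two points still need checking on the device.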
