CCNA 200-301, Chapter 238 of 260

Console, Auxiliary, and VTY Lines

Imagine you're a network administrator sitting at your desk, but the router you need to configure is in a locked data center 500 miles away. Without physical access, how do you manage the device? The answer lies in understanding Cisco's line configuration: specifically the Console, Auxiliary (Aux), and VTY lines. These lines define how you connect to a Cisco device for management. For the CCNA 200-301 exam, you must know the differences between these lines, how to secure them, and how to apply common configurations like passwords and access control. On the exam blueprint this material sits under 'Security Fundamentals' (device access control using local passwords) and, for SSH, under 'IP Services' (configuring network devices for remote access using SSH); it is foundational for any network engineer.

25 min read
Beginner
Updated May 31, 2026

The Building Security Desk Analogy

Think of a Cisco router as a secure office building. The Console line is like the building's main entrance door — it's the direct, physical way in. You need a key (a console cable) to open it, and once inside, you're at the front desk with full access to the building's systems. This entrance is typically used by the building manager (network engineer) for initial setup or emergency repairs. It's the most trusted access point because you must be physically present. The Auxiliary (Aux) line is like a secondary, less-used side door. It's also a physical entrance, but it's often used for dial-up modem access — imagine an old-school security guard who can unlock the side door remotely via a phone line. It's less secure and rarely used in modern networks. Finally, the VTY (Virtual Teletype) lines are like the building's phone system — you can call in from anywhere (over the network via Telnet or SSH) and get access, but you need to know the right phone number (IP address) and passcode (login credentials). Just like a company might have multiple phone lines for different departments, a Cisco router has multiple VTY lines (usually 0-4 or 0-15) to allow multiple remote administrators to connect simultaneously. Each line can be configured with different security settings — some might require a password, others might be restricted to certain phone numbers (access control lists). This analogy helps you remember: Console = direct physical access, Aux = secondary physical (often dial-up), VTY = remote network access.

How It Actually Works

What Are Lines in Cisco IOS?

In Cisco IOS, a 'line' refers to a logical or physical interface through which you can access the device's command-line interface (CLI) for management purposes. Each line type provides a different method of connection. The three primary line types are:

- Console (line con 0): The physical console port on the device. Used for out-of-band management (direct cable connection). Typically the first access method when a device is unconfigured.
- Auxiliary (line aux 0): A secondary physical port, historically used for dial-up modem connections. Rarely used today but still present on some devices.
- VTY (line vty 0 4 or 0 15): Virtual terminal lines used for remote access via Telnet or SSH. These are logical and allow multiple simultaneous connections.

Why Lines Matter for CCNA

Cisco 200-301 tests your ability to configure basic security on these lines, such as setting passwords, enabling SSH, and applying access control lists. You must know the usual number of VTY lines (routers commonly default to 5, lines 0-4; Catalyst switches typically expose 16, lines 0-15; a wider range such as line vty 0 15 creates more) and that the console port has no password by default, so anyone who can plug in a cable gets a CLI without authenticating. Misconfiguring line passwords is a common trap on the exam.

Configuring Line Passwords

The most basic configuration is setting a password for line access. For example:

Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exit

password sets the password that the line demands before it grants user EXEC mode.

login turns password checking on for the line. Without login, the line never prompts and anyone who connects lands at the prompt. The two commands are independent, and the defaults differ by line type: the console ships with neither, so it prompts for nothing, while VTY lines ship with login already present but no password, so a Telnet attempt is refused with 'Password required, but none set' until you add one.

The same pair of commands applies to VTY lines; the next section covers the login local alternative:

Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login

The 'login local' Command

Instead of a shared password, you can use local usernames and passwords stored in the device's configuration:

Router(config)# username admin secret cisco
Router(config)# line vty 0 4
Router(config-line)# login local

This is more secure than a shared line password because each administrator has an individual account that can be revoked and audited, and it is what SSH expects: SSH always presents a username, so SSH-enabled VTY lines use login local (or AAA), not a bare line password. Create the account with secret rather than password: secret stores a salted hash, whereas password stores the string in cleartext, or as reversible type 7 if service password-encryption is on.

Enabling SSH on VTY Lines

SSH is the recommended remote access method. To enable SSH, you must:

1. Configure a hostname and a domain name (the RSA key pair is named after them).
2. Generate the RSA key pair.
3. Have at least one local username (such as the admin account created above) or point the lines at AAA, because SSH authenticates with a username.
4. Configure the VTY lines to accept SSH and to use login local.

Example:

Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

transport input ssh restricts the line to SSH only. transport input telnet allows only Telnet, and transport input all allows both. The default varies by platform and IOS release, but on most devices Telnet is accepted out of the box, so set transport input ssh explicitly and confirm it in the running configuration rather than assuming.

The 'exec-timeout' Command

To automatically disconnect idle sessions, use exec-timeout:

R1(config-line)# exec-timeout 5 30

This sets a timeout of 5 minutes and 30 seconds. The default is 10 minutes.

The 'logging synchronous' Command

This prevents console messages from interrupting your typing. Useful on console and AUX lines:

R1(config-line)# logging synchronous

Verification Commands

Use show line to view line status:

R1# show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY     -        -    -      -    -    -      0       0     0/0       -
     1    1 AUX     -        -    -      -    -    -      0       0     0/0       -
     2    2 VTY     -        -    -      -    -    -      0       0     0/0       -
     3    3 VTY     -        -    -      -    -    -      0       0     0/0       -
     4    4 VTY     -        -    -      -    -    -      0       0     0/0       -
     5    5 VTY     -        -    -      -    -    -      0       0     0/0       -
     6    6 VTY     -        -    -      -    -    -      0       0     0/0       -

The asterisk (*) marks the line you are currently on. 'CTY' is the console, 'AUX' the auxiliary port, and 'VTY' a virtual line. The AccO and AccI columns show the access-class ACL applied outbound and inbound on each line (a dash means none), so this output is a quick way to confirm that your VTY access-class actually took effect.

Use show users to see active sessions:

R1# show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
    2 vty 0     admin      idle                 00:01:23   192.168.1.100

The 'line vty 0 4' vs 'line vty 0 15'

Routers commonly default to 5 VTY lines (0-4); Catalyst switches typically expose 16 (0-15). You can configure a wider range, for example line vty 0 15, and IOS creates any lines that do not already exist. The exam may test that you know the default number (5).

Security Best Practices

Always set a password on the console line.

Use login local (or AAA) with individual usernames created with username ... secret instead of a shared line password.

Use SSH instead of Telnet.

Apply an access-class to restrict which IP addresses can connect via VTY.

Example of access-class:

R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in

This restricts VTY access to the 192.168.1.0/24 subnet.
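The matching rule behind access-class is easy to get backwards: a wildcard mask is the bitwise inverse of a subnet mask, and the ACL is read top-down with an implicit deny at the end. The Python script below is an added example written for this page (it is not from the original text or from Cisco) that models how IOS evaluates a standard numbered ACL applied with access-class ... in. The ACL lines and the probe addresses are constructed for the demonstration, and the function names are my own. It also shows what happens with the common mistake of typing a subnet mask where the wildcard belongs, and that entry order matters.

```python
"""Model how IOS evaluates a standard ACL applied to VTY lines with access-class.

Constructed example: the ACL lines and probe addresses below are invented for
illustration, not taken from a real device.
"""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(src: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit',
    a 0 bit means 'must match'. This is the inverse of a subnet mask."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(src)) & care == int(IPv4Address(net)) & care


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines, keeping order.
    Accepts the 'any' and 'host' shorthands; returns (action, net, wildcard)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            net, wild = parts[4], "0.0.0.0"
        else:
            net, wild = target, parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, net, wild))
    return entries


def acl_decision(entries, src: str) -> str:
    """First matching entry wins; an unmatched source hits the implicit deny
    at the end, exactly as IOS evaluates the ACL named by access-class ... in."""
    for action, net, wild in entries:
        if wildcard_match(src, net, wild):
            return action
    return "deny"


def wildcard_for(cidr: str) -> str:
    """Wildcard mask for a prefix (bitwise inverse of its subnet mask):
    192.168.1.0/24 -> 0.0.0.255, 10.0.0.0/8 -> 0.255.255.255."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Network(cidr).netmask)))


def audit_sources(entries, sources):
    """Return {source_ip: 'permit' | 'deny'} for a list of candidate admin hosts."""
    return {src: acl_decision(entries, src) for src in sources}


# The ACL from the text: permit only the 192.168.1.0/24 management subnet.
CORRECT_ACL = parse_standard_acl([
    "access-list 10 permit 192.168.1.0 0.0.0.255",
])

# Common mistake: a subnet mask typed where the wildcard belongs. As a wildcard,
# 255.255.255.0 means "ignore the first three octets", so this admits any
# address whose last octet is 0 and rejects the real administrator hosts.
MISTAKEN_ACL = parse_standard_acl([
    "access-list 11 permit 192.168.1.0 255.255.255.0",
])

# Order matters: deny one host first, then permit the rest of the subnet.
ORDERED_ACL = parse_standard_acl([
    "access-list 12 deny host 192.168.1.50",
    "access-list 12 permit 192.168.1.0 0.0.0.255",
])

if __name__ == "__main__":
    probes = ["192.168.1.100", "192.168.1.50", "192.168.2.100", "10.99.99.0"]
    for label, acl in (("correct", CORRECT_ACL), ("mistaken", MISTAKEN_ACL), ("ordered", ORDERED_ACL)):
        print(label, audit_sources(acl, probes))
```

Run it and the mistaken ACL admits 10.99.99.0 while rejecting the real admin host 192.168.1.100, which is why a typo in the wildcard shows up as a lockout rather than as an obvious error message at configuration time.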

Summary of Line Types

| Line Type | Connection Method | Physical/Logical | Typical Use |
|-----------|-------------------|------------------|-------------|
| Console | Direct cable (rollover) | Physical | Initial config, troubleshooting |
| Auxiliary | Dial-up modem | Physical | Backup remote access (legacy) |
| VTY | Telnet/SSH | Logical | Remote management |

Walk-Through

1

Access Global Configuration Mode

To configure lines, you must first enter global configuration mode. From privileged EXEC mode (enable), type `configure terminal` (or `conf t`). This puts you in configuration mode where you can then specify which line to configure. Example:

```
Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
```

Note: The prompt changes to (config)# indicating you are in global config mode.

2

Enter Line Configuration Mode

Use the `line` command followed by the line type and number(s). For console: `line console 0`. For auxiliary: `line aux 0`. For VTY: `line vty 0 4` (to configure lines 0 through 4). The prompt changes to (config-line)#. Example:

```
Router(config)# line console 0
Router(config-line)#
```

Remember: The console is always line 0. Aux is always line 0. VTY lines start at 0.

3

Set a Password for the Line

Inside line configuration mode, set a password with the `password` command. Then enable password checking with the `login` command. Without `login`, the line will not prompt for a password. Example:

```
Router(config-line)# password cisco
Router(config-line)# login
```

For VTY lines, you can also use `login local` to require a username and password from the local database. This is more secure, and because SSH always authenticates with a username, SSH-enabled VTY lines use `login local` (or AAA) rather than a shared line password.

4

Configure SSH on VTY Lines

To enable SSH, you must first configure a hostname and domain name, then generate RSA keys. Example:

```
Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
```

SSH version 2 needs a modulus of at least 768 bits; use 2048. Then, under line vty, set transport input to ssh and enable login local (a local username must already exist):

```
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
```

This restricts VTY access to SSH only. Open a new SSH session to test before you close the one you are working in: once Telnet is excluded, a mistake in the key or username setup locks you out of remote access.

5

Set Idle Timeout and Logging Synchronous

To automatically disconnect idle sessions, use `exec-timeout minutes seconds`. Default is 10 minutes. Example sets 5 minutes 30 seconds:

```
Router(config-line)# exec-timeout 5 30
```

To prevent console messages from interrupting your typing, use `logging synchronous`. This is especially useful on console lines:

```
Router(config-line)# logging synchronous
```

exec-timeout is a security control (an abandoned session closes before the next person sits down at the terminal or inherits a jump host); logging synchronous is a usability aid.

6

Verify Line Configuration

Use `show running-config | section line` to view line configurations. Use `show line` to see line status and active sessions. Use `show users` to see who is currently logged in. Example:

```
Router# show running-config | section line
line con 0
 password 7 0822455D0A16
 login
line aux 0
line vty 0 4
 password 7 0822455D0A16
 login
 transport input ssh
```

Note: Passwords appear as type 7 strings if `service password-encryption` is enabled. Type 7 is a reversible obfuscation, not encryption: anyone who can read the config can recover the original (here, cisco). It hides passwords from a glance over your shoulder, nothing more, which is why `username ... secret` with `login local` is preferred.

What This Looks Like on the Job

In enterprise environments, console lines are used for out-of-band management. When a network device loses network connectivity (e.g., a misconfigured VLAN or a dead switch uplink), the console port is the only way to access the device. Network engineers often deploy console servers (historically Cisco 2500-series access servers, today dedicated terminal servers) that aggregate multiple console cables into one network-accessible device, allowing remote console access over IP. This is critical for data centers where devices are not easily physically accessible. The console server itself must then be hardened (SSH only, strong authentication, reachable only from the management network), because whoever reaches it has the same access as a person holding a console cable.

VTY lines are the workhorses of day-to-day remote management. In a typical production network, all VTY lines are configured to accept only SSH connections, with strong authentication via local usernames or AAA (TACACS+/RADIUS). Access control lists (ACLs) are applied to VTY lines to restrict management access to specific management subnets, preventing unauthorized access from the internet. For example, an ACL might permit only the 10.0.0.0/8 management network to connect via SSH.

A common misconfiguration is forgetting to set a password on the console line. This leaves the device vulnerable to anyone with physical access. In one real incident, a junior engineer left a console cable connected to a router in a public area; anyone could plug in and gain full access. Another issue is setting the VTY transport input to 'all' (including Telnet) when SSH is required. Many organizations mandate SSH-only for security compliance, and failing to change the default can lead to audit failures.

Performance considerations: Each VTY line consumes memory for the session. With 16 lines, a router can handle up to 16 concurrent SSH sessions. In large networks, this is usually sufficient, but if many administrators need simultaneous access, you may need to increase the number of VTY lines (via line vty 0 31). However, this is rare. The console line should never be shared; it's typically used by one person at a time.

When misconfigured, the most common symptom is being unable to connect remotely. For example, if transport input ssh is set but the device hasn't generated RSA keys, SSH connections fail (show ip ssh reports whether SSH is enabled and which version is running). If login local is set but no usernames exist, no one can log in. If the VTY lines still have the default login with no password, Telnet is refused with 'Password required, but none set'. These issues are easily diagnosed with show ip ssh, debug ip ssh, or by reading the line sections of the running config.
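The checks in the Security Best Practices list, the type 7 note in walk-through step 6, and the failure modes described in the previous paragraph can all be run mechanically against the output of show running-config | section line. The Python script below is an added example written for this page, not code from the original text or from Cisco. Both sample configurations are constructed (the hash in the hardened one is a placeholder, not a real secret), the function names are my own, and the constant TYPE7_KEY is the long-public key behind IOS's reversible password obfuscation, included to show why service password-encryption is not a substitute for secret.

```python
"""Audit the line (con/aux/vty) sections of a Cisco IOS running-config.
Constructed example: both sample configs are invented; the hash is a placeholder."""
import re

# Fixed key of the IOS "type 7" obfuscation; public for decades, hence reversible.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded):
    """Two decimal digits of key offset, then hex bytes XORed with successive key chars."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(data))

def parse_config(cfg):
    """Return ({'vty 0 4': [sub-commands]}, {username: rest of line}, {defined ACL ids})."""
    blocks, usernames, acls, current = {}, {}, set(), None
    for raw in cfg.splitlines():
        text = raw.strip()
        if raw.startswith(" ") and current is not None and text:
            blocks[current].append(text)   # indented line belongs to the open line block
            continue
        current = None
        if m := re.match(r"line (con|aux|vty)\s+(.+)", text):
            current = f"{m.group(1)} {m.group(2)}"
            blocks[current] = []
        elif m := re.match(r"username (\S+) (.*)", text):
            usernames[m.group(1)] = m.group(2)
        elif m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", text):
            acls.add(m.group(1))
    return blocks, usernames, acls

def audit(cfg):
    """Return human-readable findings; an empty list means the lines are clean."""
    blocks, usernames, acls = parse_config(cfg)
    findings = []
    for user, rest in usernames.items():
        tokens = rest.split()
        if "secret" not in tokens:   # 'password' form: cleartext or reversible type 7
            pw = tokens[tokens.index("password") + 1:] if "password" in tokens else []
            shown = decode_type7(pw[1]) if pw[:1] == ["7"] else (pw[-1] if pw else "?")
            findings.append(f"username {user}: uses 'password' not 'secret'; recoverable as {shown!r}")
    for name, cmds in blocks.items():
        if "no exec" in cmds:        # line disabled: nothing to log in to
            continue
        logins = [c for c in cmds if c.split()[0] == "login"]
        if not logins:
            findings.append(f"line {name}: no 'login', so the line never prompts for a password")
        elif logins[0] == "login" and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: 'login' with no line password; sessions are refused")
        if "login local" in logins and not usernames:
            findings.append(f"line {name}: 'login local' but no username configured; nobody can log in")
        for c in cmds:
            parts = c.split()
            if parts[0] == "password" and parts[1] == "7":
                findings.append(f"line {name}: type 7 password is reversible (decodes to {decode_type7(parts[2])!r})")
            elif parts[0] == "password":
                findings.append(f"line {name}: line password stored in cleartext ({parts[-1]!r})")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"line {name}: exec-timeout 0 0 leaves idle sessions open forever")
        if name.startswith("vty"):
            transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), ["<default>"])
            if transport != ["ssh"]:
                findings.append(f"line {name}: transport input {' '.join(transport)} is not SSH-only")
            ac = next((c.split() for c in cmds if c.startswith("access-class")), None)
            if ac is None:
                findings.append(f"line {name}: no access-class; any source IP may open a session")
            elif ac[1] not in acls:
                findings.append(f"line {name}: access-class references ACL {ac[1]}, which is not defined")
    return findings

# Constructed weak config: everything the page warns against, in one place.
WEAK_CONFIG = """\
username admin password 7 0822455D0A16
line con 0
 password cisco
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 0822455D0A16
 login
 transport input all
"""

# Constructed hardened config: the same lines fixed; the secret hash is a placeholder.
HARDENED_CONFIG = """\
username admin privilege 15 secret 5 $1$salt$placeholder-not-a-real-hash
access-list 10 permit 192.168.1.0 0.0.0.255
line con 0
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 5 0
 access-class 10 in
 login local
 transport input ssh
"""
```

Against the weak config, audit() returns eight findings, among them the decoded line and username passwords (both cisco), Telnet still permitted, and no access-class on the VTY lines; against the hardened config it returns an empty list. Pointing parse_config at a saved running-config flags the same conditions on a real device.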

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests line configuration under 'Security Fundamentals' (device access control using local passwords) and 'IP Services' (remote access using SSH). Specifically, you must know:

The difference between console, aux, and VTY lines.

How to set passwords and enable login.

How to configure SSH (hostname, domain name, RSA keys, transport input).

The default number of VTY lines (5, lines 0-4, on most routers; Catalyst switches typically have 16).

The exec-timeout and logging synchronous commands.

The access-class command to restrict VTY access.

Common Wrong Answers:

1. 'The console line requires a password by default.' WRONG. The console has no password by default. You must configure one.
2. 'The login command is not needed if you set a password.' WRONG. Without login, the line will not prompt for a password; anyone can access the CLI.
3. 'Telnet is more secure than SSH.' WRONG. Telnet sends data in plaintext; SSH encrypts.
4. 'The aux line is used for remote access via SSH.' WRONG. Aux is typically for dial-up modems, not SSH.

Specific Values and Commands to Memorize:

- line console 0 – only console line.
- line aux 0 – only aux line.
- line vty 0 4 – default VTY range (5 lines).
- transport input ssh – restricts to SSH.
- crypto key generate rsa modulus 2048 – generates RSA keys (modulus 2048 is exam-recommended).
- exec-timeout 0 0 – disables timeout (not recommended).

Decision Rule for Scenario Questions: If the question asks about remote management security, always choose SSH over Telnet. If it asks about initial device configuration, choose the console line. If it asks about restricting management access to a specific subnet, use access-class under VTY lines. If a password is set but login is missing, the line will not prompt for a password — that's a common trap.

Key Takeaways

Console line (line con 0) is for direct physical access; no password by default.

Auxiliary line (line aux 0) is for dial-up modem; rarely used in modern networks.

VTY lines (line vty 0 4 or 0 15) are for remote Telnet/SSH access.

The 'login' command must be configured for the line to prompt for a password.

Use 'login local' to require a username and password from local database.

SSH requires hostname, domain name, RSA keys, and 'transport input ssh' on VTY lines.

Default VTY lines: 5 (0-4) on most routers; Catalyst switches typically have 16 (0-15), and a wider range such as line vty 0 15 creates more.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Console Line

Physical port (RJ-45 or USB)

Direct cable connection required

Single line (line con 0)

No password by default

Used for initial config and out-of-band management

VTY Lines

Logical lines (virtual)

Remote access via Telnet/SSH

Multiple lines (0-4 or 0-15)

No password by default; VTY lines ship with login set but no password, so remote logins are refused until you configure a password or login local

Used for day-to-day remote management

Watch Out for These

Mistake

The console line requires a password by default.

Correct

Cisco IOS does not set any password on the console line by default. Anyone with physical access can connect and enter user EXEC mode without a password, and if no enable secret has been configured, typing enable from the console drops them straight into privileged EXEC as well.

Many assume that because the device is secure, there must be a default password, but there isn't.

Mistake

Setting a password on a line automatically enables password checking.

Correct

The `password` command only sets the password; you must also use the `login` command to enable password checking. Without `login`, the line will not prompt for a password.

Candidates often overlook the `login` command because the password is set, but the two commands are independent.

Mistake

The aux line is used for SSH remote access.

Correct

The auxiliary port is typically used for dial-up modem connections (out-of-band management). It is not designed for SSH; SSH uses VTY lines.

The name 'auxiliary' sounds like a secondary remote access method, leading to confusion.

Mistake

Telnet is more secure than SSH because it is simpler.

Correct

Telnet transmits data, including passwords, in plaintext. SSH encrypts all traffic, making it the secure choice for remote management.

Simplicity is often mistaken for security, but in networking, encryption is essential.


Frequently Asked Questions

What is the difference between the console line and the aux line?

Both are physical ports on Cisco devices, but they serve different purposes. The console port (line con 0) is the primary management port used for direct connection via a rollover cable to a computer's serial or USB port. It provides out-of-band access and is essential for initial configuration and troubleshooting when the network is down. The auxiliary port (line aux 0) is a secondary serial port historically used for connecting a modem for dial-up remote access. It is rarely used in modern networks. On the exam, know that the console is for direct physical access, while aux is for modem-based access.

Do I need to configure both `password` and `login` on a line?

Yes. The `password` command sets the password that will be required, but `login` enables password checking. If you omit `login`, the line will not prompt for a password; anyone can access the CLI. Think of `login` as the 'enable password checking' switch. Always include both. Exam tip: If a question shows a configuration with only `password` and no `login`, the line will not prompt for a password.

What is the default number of VTY lines on a Cisco router?

Routers commonly default to 5 VTY lines, numbered 0 through 4; Catalyst switches typically have 16 (0-15). The CCNA exam generally expects you to answer 5. You can verify with `show line` or `show running-config | section line vty`. To add lines, configure a wider range such as `line vty 0 15`; the maximum depends on the platform.

How do I enable SSH on a Cisco router?

To enable SSH, you must: 1) Set a hostname (e.g., `hostname R1`). 2) Set a domain name (e.g., `ip domain-name example.com`). 3) Generate RSA keys (e.g., `crypto key generate rsa modulus 2048`). 4) Configure VTY lines: `line vty 0 4`, then `transport input ssh`, and `login local` (with local usernames configured). Without these steps, SSH will not work. Remember: once `transport input ssh` is applied, Telnet is no longer accepted on those lines, so test a new SSH session before closing the one you are in to avoid locking yourself out.

What does the `exec-timeout` command do?

The `exec-timeout` command sets the number of minutes and seconds of inactivity before the router automatically disconnects an idle session. The default is 10 minutes. For example, `exec-timeout 5 30` sets a timeout of 5 minutes and 30 seconds. Setting it to `0 0` disables the timeout (not recommended for security). This command is configured under the line configuration mode.

What is the purpose of `logging synchronous`?

When you are typing a command on the console or VTY line, the router may output system messages (like debug output or link status changes) that interrupt your typing. The `logging synchronous` command (configured under the line) causes the router to reprint the command line you were typing after the system message, preventing your input from being mixed with output. This is especially useful on the console line.

How can I restrict which IP addresses can connect to the VTY lines?

Use the `access-class` command under the VTY line configuration. First, create a standard access list that permits the desired source IP addresses. Then, apply it with `access-class <acl-number> in`. For example:

```
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
```

This restricts incoming VTY connections to the 192.168.1.0/24 subnet. The 'in' keyword filters inbound connections (sessions opened to the device); 'out' would instead restrict where a user already logged in on the VTY line can open connections to from the device.

