Telnet Active When Only SSH Should Be Permitted
Presenting Symptom
Users can connect to the router via Telnet, even though only SSH should be permitted for remote management.
Network Context
A small branch office with a Cisco 4321 ISR running IOS XE 16.9. The router connects to the corporate WAN via a single interface. Remote management is intended to be secured via SSH only, but Telnet connections are still accepted on the VTY lines.
Diagnostic Steps
Check VTY line configuration
show running-config | section line vty
line vty 0 4
 transport input ssh
 login local
If 'transport input ssh' is present, Telnet is disabled on those lines. If 'transport input all' or 'transport input telnet' is present, Telnet is allowed. Also check for 'transport input none', which blocks both Telnet and SSH.
Verify active sessions
show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:00:05   192.168.1.100
*  1 vty 1     admin      idle                 00:00:02   192.168.1.101
Look for 'vty' lines that have an IP address in the 'Location' column; that address is the source of the session. If you see Telnet sessions (indicated by 'telnet' in the 'Line' column or by the protocol used), this confirms that Telnet is being used.
Check VTY access-class
show running-config | include access-class
 access-class 10 in
If an access-class is applied to the VTY lines, it may still be allowing Telnet traffic. Check the referenced access-list to see whether it permits Telnet (port 23).
Verify SSH configuration
show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
If SSH is enabled, it should be the only allowed transport on the VTY lines. If SSH is not enabled, Telnet might be the only way to reach the router remotely, which is why SSH must be working before Telnet is turned off. Ensure SSH version 2 is configured.
Root Cause
The VTY lines are configured with 'transport input all' or 'transport input telnet' instead of 'transport input ssh'. This allows Telnet connections to be established, bypassing the intended SSH-only policy.
Resolution
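The configuration change that applies the SSH-only policy, shown as an added example rather than configuration taken from the original page. The hostname, the domain name, the local username and the 192.168.1.0/24 management subnet are assumptions; the ACL number 10 matches the 'access-class 10 in' seen in the diagnostic output.

```cisco
! --- Before (weak): the VTY lines accept any transport, so Telnet connections succeed ---
line vty 0 4
 transport input all
 login local

! --- After (corrected): SSH-only remote management on the VTY lines ---
! Hostname and domain name are assumed values; both must exist before an RSA key can be generated.
hostname BRANCH-RTR
ip domain-name example.com
! Generate the SSH host key and require SSH version 2 (the version reported by 'show ip ssh').
crypto key generate rsa modulus 2048
ip ssh version 2
! Local account used by 'login local'; the password below is a placeholder.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
! ACL 10 matches the access-class already applied to the VTY lines;
! the 192.168.1.0/24 management subnet is a constructed value.
access-list 10 remark Management stations allowed to reach the VTY lines
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

Apply the SSH-related commands first and confirm an SSH login works before changing 'transport input', otherwise a Telnet-only router can be locked out. Changing 'transport input' does not terminate sessions that are already established; disconnect any remaining Telnet session with 'clear line <number>', using the line number from 'show users', and then confirm with 'show users' that only SSH sessions remain.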
Verification
1. Run 'show running-config | section line vty' to confirm 'transport input ssh' is present.
2. Run 'show users' to ensure no active Telnet sessions (only SSH sessions should appear).
3. Attempt a Telnet connection from a remote host; it should be rejected with 'Connection refused'.
Prevention
1. Always explicitly configure 'transport input ssh' on VTY lines to disable Telnet.
2. Use an ACL to restrict management access to trusted IP addresses.
3. Enable SSH and disable Telnet globally as a standard security baseline.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why Telnet is still working despite SSH being configured. The exam tests knowledge of VTY line configuration, transport input commands, and the difference between Telnet and SSH security. Key fact: 'transport input ssh' disables Telnet.
Exam Tips
Remember that 'transport input ssh' must be applied under the VTY lines; it is not a global command.
The exam may show a configuration snippet with 'transport input all' and ask you to identify the security risk.
Know that 'show running-config | section line vty' is the quickest way to check VTY transport settings.
Commands Used in This Scenario
access-class [acl] in
Restricts incoming or outgoing Telnet/SSH access to a router line (VTY, AUX, console) by applying an ACL that filters source IP addresses.
show ip ssh
Displays the status and configuration of SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.
show users
Displays active user sessions on the router, including line type, idle time, and remote IP addresses, useful for monitoring who is logged in and troubleshooting connectivity issues.