UPGRADE THE IOS SOFTWARE !!!
I suspect you have stepped on this bug:
CSCed10210
Headline: access-class on vty fails to secure vty after reboot
Product: IOS
Feature: OTHERS
Severity: 2
Status: Verified
First Found-in Version: 12.1(14)EA1
First Fixed-in Version: 12.2(18)SE, 12.1(19)EA1a, 12.1(20)EA1, 12.2(20)SE, 12.1(14)AX1
Symptom: A Catalyst 3750 or 2970 switch running 12.1(19)EA1 or earlier may allow telnet sessions to the device from unauthorized hosts with an access-class applied inbound to the vty lines.
This issue occurs only after a reboot and only if a keystroke has not been echoed to the console port. After the console port has received a single character from some kind of terminal, the access-class applied to the vty will activate and filter any new inbound connections.
The configuration under the vty will look similar to this:

line vty 0 4
 password cisco
 access-class 3 in
 login
!
access-list 3 permit host 10.1.1.1
access-list 3 deny any

When this configuration is applied, any host will be able to telnet to the switch until at least one character is sent to the console port.
Conditions: This only affects Catalyst 3750 and 2970 switches running 12.1(19)EA1 or earlier. This does not affect any other product.
Workaround:
- Enter at least one character on the console port after reload.
- Upgrade to Cisco IOS 12.1(19)EA1a or higher. Cisco IOS Release 12.1(19)EA1a is expected to be available for download from cisco.com after December 15, 2003.
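An added example, not part of the original post or of the Cisco bug entry: the same vty access-class as in the bug text, plus the IOS commands you can use after a reload to check whether the access-class is actually being enforced before and after the console keystroke. The addresses are assumptions for illustration: 10.1.1.1 is the management host that should be allowed in, 10.1.1.50 is an unauthorized host used only to test enforcement.

```cisco
! Added example, not code from the original post or the Cisco bug entry.
! Assumed addresses: 10.1.1.1 = permitted management host,
!                    10.1.1.50 = unauthorized host used to test enforcement.
!
! 1. The vty access-class from the bug text, with 'log' on the deny entry
!    so rejected connection attempts are written to the logging buffer.
access-list 3 permit host 10.1.1.1
access-list 3 deny   any log
!
line vty 0 4
 access-class 3 in
 password cisco
 login
!
! 2. Confirm whether the running release is one the bug entry lists as
!    affected (12.1(19)EA1 or earlier on a Catalyst 3750 or 2970).
show version | include IOS
!
! 3. After a reload, and before touching the console, telnet to the switch
!    from the unauthorized host 10.1.1.50. Then check the deny entry's
!    match counter. A successful telnet with no increase in the deny
!    counter means the access-class is not yet active.
show access-lists 3
!
! 4. List the sessions currently on the vty lines. A source address other
!    than 10.1.1.1 here means the access-class was bypassed.
show users
!
! 5. Apply the workaround from the bug entry: send a single character
!    (for example, Enter) on the console port. Repeat steps 3 and 4; the
!    telnet from 10.1.1.50 should now be refused, the deny counter should
!    increment, and the refusal should appear in the log buffer.
show logging | include list 3
```

The `log` keyword and the match counters give you evidence of enforcement rather than a silent allow; without them, the only way to notice the bug is an unexpected session in `show users`. Once the switch is on 12.1(19)EA1a or later, the same commands confirm the access-class is active immediately after the reload, with no console keystroke needed.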