very simple question on VTYs

Hi everybody,

Could someone explain to me in 2-3 sentences the difference between VTY 0 4 and VTY 5 15? I can see on almost every Cisco device configuration space for

line vty 0 4 and line vty 5 15

From what I have read, both are being used for LAN access (telnet or SSH), but what is the difference between them? When does one really need to configure "line vty 5 15"?

Thanks in advance and sorry for the dumb question. AL

aleu

I think "vty 0 4" are configured by default, which allows 5 concurrent logins. If you need more than this, you configure more vtys.

Barry Margolin

In short, absolutely nothing. By default, IOS allows 5 VTY sessions (0 - 4), and "vty 5 15" allows an additional 11 VTY sessions. For some reason, IOS breaks them out that way even if the commands under each section are exactly the same. To configure all 16 VTY sessions, you can use "vty 0 15" but IOS will still break them up in the config.

Thrill5

I'd like to add only that it is good practice to leave the last VTY for a 'power' user who has to be able to log in at any time*. It's often practiced in large ISP companies where many users log into routers concurrently (for example NOC engineers).

* You just set another username/password for line VTY 15 which only this 'power' user knows.

Sławomir Kawa

Keep in mind that when someone telnets or SSHes into a device, they have no control over which vty line they connect on, since it just goes in the order of first available. If anyone else knows otherwise, please reply.

John Smith

Thank you all for your answers. It is clearer to me now. What happens though if you configure vtys 0-4, leave the rest not configured, and a 6th user tries to log in? Is the 6th user going to be denied access?

BTW, is it 6 different users (different login IDs) or 6 incoming connections (which can come from the same user)?

Thanks, AL

aleu

The connection fails.

6 connections.

VTYs on Cisco are like PTYs on Unix. It's a virtual terminal line for network logins, analogous to a serial port for dialup/hardwired terminals.

Barry Margolin

Thank you Barry. Regards, AL

aleu

By having 16 VTY lines (vty 0 - vty 15) you can mix the configurations of each.

Example:

line vty 0 9
 transport input ssh
 access-class 19 in
line vty 10 15
 transport input telnet
 access-class 20 in

This will allow 10 SSH users which are granted from access-list 19 and also 6 telnet users which are granted from access-list 20.

To avoid a session from hanging indefinitely and filling all available VTY lines, I highly suggest adding the "exec-timeout" command to end idle sessions. It is very upsetting to have only 4 VTY lines available, 3 being used by days-old sessions never disconnected, and not being able to connect into a network device for administration.

Scott Perry
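The two posts above (reserving the last VTY for a 'power' user, and mixing per-range transport, access-class and exec-timeout settings) describe a configuration that is easy to get subtly wrong because IOS stores the ranges as separate stanzas. The following audit script is an added example, not code from the thread or from Cisco: it expands every "line vty A B" stanza into per-vty settings and flags vtys that are unconfigured, still accept cleartext telnet, have no inbound access-class, or have no (or a disabled) exec-timeout. It assumes a 16-vty device (vty 0 - vty 15) and that an absent "transport input" leaves telnet enabled, which is the older IOS default; the sample config is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the thread). Assumed
# layout: vty 0-9 SSH-only behind ACL 19 with an idle timer, vty 10-14
# telnet behind ACL 20, vty 15 reserved for the 'power' user with its own
# line password (placeholder value, not a real secret).
SAMPLE_CONFIG = """\
line vty 0 9
 access-class 19 in
 exec-timeout 10 0
 transport input ssh
line vty 10 14
 access-class 20 in
 transport input telnet
line vty 15
 password CHANGE-ME-example
 access-class 19 in
 exec-timeout 5 0
 transport input ssh
"""

VTY_COUNT = 16  # vty 0 - vty 15, as described in the thread (assumption)

# "line vty 0 9" or a single line such as "line vty 15"
LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def expand_vty_lines(config: str) -> Dict[int, List[str]]:
    """Map each vty number to the line-mode commands applied to it.

    IOS stores "line vty 5 15" as one stanza; expanding the range lets each
    vty be audited individually, which is what the operator actually gets.
    """
    vtys: Dict[int, List[str]] = {}
    current: List[int] = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            for n in current:
                vtys.setdefault(n, [])
            continue
        if raw.startswith(" ") and current:
            for n in current:
                vtys[n].append(raw.strip())
        else:
            current = []  # any other top-level command ends the stanza
    return vtys


def audit_vtys(config: str) -> Dict[int, List[str]]:
    """Return {vty: [findings]} for every vty with at least one issue."""
    vtys = expand_vty_lines(config)
    findings: Dict[int, List[str]] = {}
    for n in range(VTY_COUNT):
        cmds = vtys.get(n)
        issues: List[str] = []
        if cmds is None:
            issues.append("not configured (IOS defaults apply)")
        else:
            transport = [c for c in cmds if c.startswith("transport input")]
            # Assumption: no "transport input" means the old default of "all".
            if not transport or any(c.endswith((" telnet", " all")) for c in transport):
                issues.append("cleartext telnet permitted")
            if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
                issues.append("no inbound access-class")
            timeouts = [c for c in cmds if c.startswith("exec-timeout")]
            if not timeouts:
                issues.append("no exec-timeout (idle sessions can pin the line)")
            elif any(all(p == "0" for p in c.split()[1:]) for c in timeouts):
                issues.append("exec-timeout 0 disables the idle timer")
        if issues:
            findings[n] = issues
    return findings


if __name__ == "__main__":
    for vty, issues in sorted(audit_vtys(SAMPLE_CONFIG).items()):
        print(f"vty {vty}: " + "; ".join(issues))
```

Run against the sample, the script reports only vty 10-14 (telnet permitted, no exec-timeout); vty 0-9 and the reserved vty 15 pass. Pointing it at a router that only defines "line vty 0 4" makes the unconfigured-range finding appear for 5-15, which is the case aleu asked about.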

That works if you have defined a rotary pool on the target device. (ie: a set of async lines connected to a particular device might be a rotary, and the pool for the next device might be the next rotary.)

If you want to connect to a specific port, telnet to port 2000+port#, where port# is the port number shown in 'show lines'.

The lines are ordered like so: console, async ports, aux port, vtys. You can't connect to the console via telnet, but you can connect to the aux port, and if you plug a rollover cable from the aux port to the console port on another device, you can use it as a single-port terminal server by connecting to port 2001.

AFAIK, routers have 5 vtys by default, while switches have 16. The original Cisco routers had 5 vtys, and the number has persisted ever since.

I suspect that the vty numbers are split in the config for a reason. For instance, if you take a config from a device with 16 vtys, and drop it into a device with 5, the first 5 will be properly configured, and the remainder ignored. If the config specified the entire range, the entire command would be ignored.

Bob Vaughan
