Telnet is a remote-access protocol that listens on TCP port 23 by default. It can be used to administer a Cisco IOS device over the network. This article demonstrates the commands needed to configure Telnet.

For testing, I have built a basic network in Cisco Packet Tracer with a router called:
Gilgamesh (IP: 192.168.0.254)
and a remote PC (IP: 192.168.1.1)

To enable Telnet, we start by configuring the VTY lines. ‘Lines’ on Cisco routers are physical or virtual serial ports, while VTY lines are specifically the virtual ports used for remote access over Telnet or SSH. To do that, I typed the following on my router:

Gilgamesh>enable
Gilgamesh#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Gilgamesh(config)#line vty 0 4

The numbers 0 4 mean we are configuring five virtual sessions (lines 0 through 4). Now leave the router’s CLI as it is (do not close it) and let’s try to connect to the router from our PC’s command prompt.

PC>telnet 192.168.0.254
Trying 192.168.0.254 …Open
[Connection to 192.168.0.254 closed by foreign host]

The lines above show that the connection was refused: it opened and was immediately closed by the router. This is because login is disabled on all five Telnet sessions we created until a password is set. To set ‘ciscopass’ as the password, go back to the router and type:

Gilgamesh(config-line)#password ciscopass

Now, if we try to telnet from our PC again:

PC>telnet 192.168.0.254
Trying 192.168.0.254 …Open
User Access Verification
Password:
Gilgamesh>

We can see that Telnet worked. This also implies that if we want to disable Telnet again, we can simply remove the password using:

Gilgamesh(config-line)#no password

However, note that removing the password will NOT disable Telnet if you have local authentication set up.
And now, what if you want to enable Telnet with no password set?
This can be done with:

Gilgamesh(config-line)#no password
Gilgamesh(config-line)#no login

To test, perform the following from the PC:


PC>telnet 192.168.0.254
Trying 192.168.0.254 …Open
Gilgamesh>

The remote connection was successful!
To disable this very insecure practice, go back to the router and type:

Gilgamesh(config-line)#login
% Login disabled on line 66, until ‘password’ is set
% Login disabled on line 67, until ‘password’ is set
% Login disabled on line 68, until ‘password’ is set
% Login disabled on line 69, until ‘password’ is set
% Login disabled on line 70, until ‘password’ is set

This is exactly the same condition we had when we first typed the ‘line vty 0 4’ command. An alternative way to disable Telnet is to write:

Gilgamesh(config-line)#transport input none
or
Gilgamesh(config-line)#transport input ssh

If this approach is used, you may activate Telnet again using:

Gilgamesh(config-line)#transport input telnet
or
Gilgamesh(config-line)#transport input all
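
The VTY states covered so far (password set, no login, login without a password, and the transport input variants) can be checked offline against a saved configuration. The following Python is an added example, not part of the original post; the state names, the sample configuration and the treatment of a missing transport input line as Telnet-enabled (as on the router above) are assumptions, and AAA method lists are not handled.

```python
# Constructed sample configuration, one VTY block per state from the article.
SAMPLE = """\
line vty 0 4
 password ciscopass
 login
line vty 5 9
 no login
line vty 10 12
 login
 transport input ssh
line vty 13 15
 login
"""

def classify(opts):
    # Assumption: no "transport input" line means Telnet is accepted,
    # which matches the behaviour of the router used in this article.
    transport = opts.get("transport", ["all"])
    if transport == ["none"]:
        return "remote-access-disabled"
    if not {"telnet", "all"} & set(transport):
        return "telnet-disabled"
    login = opts.get("login", "line")   # assumption: plain "login" is the default
    if login == "line" and not opts.get("password"):
        return "telnet-refused-no-password"
    return {"none": "telnet-open-no-authentication",
            "local": "telnet-local-accounts-cleartext",
            "line": "telnet-shared-password-cleartext"}[login]

def audit_vty(config):
    """Return {"line vty X Y": state} for every VTY block in the config text."""
    results, header, opts = {}, None, {}
    for raw in config.splitlines() + ["!"]:   # trailing "!" closes the last block
        line = raw.strip()
        if not raw.startswith(" "):           # an unindented line ends the open block
            if header:
                results[header] = classify(opts)
            header, opts = (line if line.startswith("line vty") else None), {}
        elif header and line == "no login":
            opts["login"] = "none"
        elif header and line in ("login", "login local"):
            opts["login"] = "local" if line.endswith("local") else "line"
        elif header and line.startswith("password "):
            opts["password"] = True
        elif header and line.startswith("transport input "):
            opts["transport"] = line.split()[2:]
    return results

if __name__ == "__main__":
    print(audit_vty(SAMPLE))
```

Every state whose name starts with telnet- other than telnet-disabled and telnet-refused-no-password means the line accepts an unencrypted session.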

Now telnet to the router again and let’s try to configure it remotely. An important thing to remember is that privileged mode on a Cisco router cannot be entered from a remote session if the enable password is not set. If this is the case, you will get something like the following result:

PC>telnet 192.168.0.254
Trying 192.168.0.254 …Open
Gilgamesh>enable
% No password set.
Gilgamesh>

To set a password, type the following in the router’s CLI:

Gilgamesh#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Gilgamesh(config)#enable secret cisco

The password is now set to ‘cisco’. Test again from the PC:

Gilgamesh>enable
Password:
Gilgamesh#

As you can see, privileged mode is now accessible from the remote PC!

If you want to display all active telnet connections in a router, use:

Gilgamesh#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
67 vty 0 idle 00:00:32 192.168.1.1

Interface User Mode Idle Peer Address

Another way is to display the TCP connections and look for a connection whose local port is 23.

Gilgamesh#show tcp

Stand-alone TCP connection from host 192.168.1.1
Connection state is ESTABLISHED, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 192.168.0.254, Local port: 23
Foreign host: 192.168.1.1, Foreign port: 1034

Before finishing this post, it’s worth mentioning that configuring a switch is exactly the same, but you will need to assign an IP address to the default VLAN interface (vlan1) to enable remote access. I easily achieved that with the following commands:

Switch>enable
Switch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan1
Switch(config-if)#ip address 192.168.0.253 255.255.255.0
Switch(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

To enable remote connections from behind the router, i.e. from other subnets, I added the default gateway information too:

Switch(config)#ip default-gateway 192.168.0.254

I have tried to keep to the necessary commands. To close, a reminder that Telnet is not recommended from a security point of view, since the session between the connected devices is not encrypted. In addition, it is better to create user accounts to avoid sharing a single password between users. My coming posts will demonstrate setting up user accounts and then enabling SSH, a secure alternative to Telnet.


Haider’s WebSpace
Welcome to my technical blog. This is where I write, archive and share computer related articles. Subjects vary from posting technical solutions to researching particular topics. Feel free to comment and talk IT!