Skip to content
Study CCNP

5.1.a Lines and local user authentication

3 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

Line configuration is where many device-hardening mistakes start. A router can have a strong routing design and still be easy to compromise if VTY lines allow Telnet, accept weak line passwords, or let anyone on the network attempt SSH.

Console versus VTY

  • Console line is local physical or virtual console access.
  • VTY lines are remote CLI sessions: SSH or Telnet.

For ENCOR, focus on making VTY secure:

  • Use SSH, not Telnet.
  • Authenticate against local users or AAA.
  • Restrict source IPs with access-class.
  • Use timeouts.
  • Prefer stronger secret hashing where supported.
Console · line con 0
VTY · SSH · login local
Authenticated CLI

Local user baseline

hostname R1
ip domain-name ccnpstudy.local
crypto key generate rsa modulus 2048
ip ssh version 2

username admin privilege 15 algorithm-type scrypt secret <unique-local-secret>

ip access-list standard VTY-MGMT
 permit 10.10.10.0 0.0.0.255
 deny any log

line con 0
 login local
 exec-timeout 5 0
 logging synchronous

line vty 0 4
 transport input ssh
 login local
 access-class VTY-MGMT in
 exec-timeout 10 0
 logging synchronous

Use a placeholder in published prose rather than a reusable-looking password. Students copy examples. Make the copy-safe behavior obvious.

What each command is doing

CommandWhy it matters
ip domain-nameRequired before generating RSA keys on many IOS/IOS XE platforms.
crypto key generate rsa modulus 2048Creates keys used by SSH.
ip ssh version 2Forces SSHv2.
username ... secretCreates a local user with an encrypted secret.
transport input sshPrevents Telnet access.
login localUses the local username database for login.
access-class VTY-MGMT inRestricts which source IPs may open VTY sessions.
exec-timeoutDisconnects idle sessions.

Verification

show ip ssh
show running-config | section line con
show running-config | section line vty
show users
show access-lists VTY-MGMT

Useful test:

Then try from a source outside the management subnet. You should see the ACL deny counter increase.

Common mistakes

Mistake 1: using a line password instead of local users

line vty 0 4
 password cisco
 login

That is weaker and does not identify individual admins. Prefer local users for lab/break-glass and AAA for production.

Mistake 2: allowing both SSH and Telnet

transport input all

This is easy to miss. Use transport input ssh.

Mistake 3: applying the ACL in the wrong place

access-class goes under the line. It filters management sessions to the VTY. It is not the same as ip access-group on an interface.

Lab

Goal: Build a secure local-login configuration and prove the controls work.

Tasks:

  1. Configure R1 with hostname, domain, RSA keys, and SSHv2.
  2. Create user admin with privilege 15.
  3. Allow VTY access only from 10.10.10.0/24.
  4. Set console timeout to 5 minutes and VTY timeout to 10 minutes.
  5. Verify a permitted host can SSH.
  6. Verify a non-permitted host cannot SSH.
  7. Confirm the ACL counters match the tests.

Success criteria:

show ip ssh
show access-lists VTY-MGMT
show users

Exam memory

  • login local = use local username database.
  • access-class = restrict VTY source addresses.
  • transport input ssh = no Telnet.
  • exec-timeout 0 0 = never time out. Do not use that in production.