Console & VTY Line Configuration (Cisco IOS)

Securing access lines is one of the first and most important steps in hardening any Cisco router or switch. By default, the console line has no password and VTY lines either have no password or accept any connection — meaning anyone with physical or network access can enter the device freely. This lab covers how to properly secure both line types, configure session timeouts, enable synchronous logging, and restrict VTY access to specific management hosts using Access Control Lists.

Before starting, ensure you have completed Hostname, Password, and Banner Configuration so your device already has a hostname, enable secret, and MOTD banner in place. Understanding Login Authentication Methods will also help you follow the login options used in this lab.

Console vs VTY Lines — Key Differences

Cisco devices have two primary types of access lines. Understanding their differences helps you apply the right security controls to each:

Feature	Console Line (`line con 0`)	VTY Lines (`line vty 0 4`)
Access type	Physical — requires a rollover cable and terminal emulator (PuTTY, SecureCRT)	Remote — over the network via SSH or Telnet
Default state	No password required — open by default	No password — connection refused until `login` or `login local` configured
Number of lines	One (`con 0`)	5 by default (`vty 0 4`); up to 16 on some platforms (`vty 0 15`)
Risk level	Medium — requires physical presence	High — accessible from anywhere on the network
Recommended transport	N/A (direct cable)	SSH only — never Telnet in production

Login Method Options

Command	Behavior	Recommendation
`no login`	No authentication — anyone connects freely	❌ Never use in production
`login`	Uses a single password set under the line with `password [pass]`	⚠️ Basic — no username accountability
`login local`	Requires a username + password from the device's local user database	✅ Recommended — enforces individual accountability

Lab Scenario

In this lab, NetsTuts_SW1 will be configured with the following line security settings:

Line	Login Method	Timeout	Transport	ACL Restriction
Console (`con 0`)	`login local`	5 min	N/A	None
VTY (`vty 0 4`)	`login local`	10 min	SSH only	MGMT-ACCESS ACL

1. Securing the Console Line

Explanation

The console line is the physical management port — typically a blue RJ-45 rollover cable connecting to a laptop running a terminal emulator. Even though physical access is required, the console must always be secured. An unsecured console allows anyone who can physically reach the device to access it without any credentials.

Full Console Line Configuration

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#username admin privilege 15 secret Admin@Secure1!
NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#exec-timeout 5 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

Console line secured with local authentication, 5-minute idle timeout, and synchronous logging.

Command Breakdown

Command	What It Does	Why It Matters
`username admin privilege 15 secret Admin@Secure1!`	Creates a local user account with full privilege level 15	Required before `login local` — without a local user, you will be locked out
`line console 0`	Enters console line configuration mode	All commands that follow apply only to the console port
`login local`	Requires username + password from the local database	Provides individual accountability — each admin logs in with their own credentials
`exec-timeout 5 0`	Disconnects idle sessions after 5 minutes and 0 seconds	Prevents unattended open sessions from being used by unauthorized people
`logging synchronous`	Holds log messages until you press Enter — they do not interrupt typing mid-command	Without this, IOS log messages appear randomly in the middle of your commands making the CLI very difficult to use

Critical: Always create a local user account before enabling login local. If you enable login local without any local users defined, you will immediately lock yourself out of the console. If this happens, follow the ROMMON Password Recovery procedure to regain access.

Verify Console Line Configuration

NetsTuts_SW1#show running-config | section line con
line con 0
 exec-timeout 5 0
 logging synchronous
 login local

Expected Login Behavior After Configuration

Press RETURN to get started.

***Unauthorized access is strictly prohibited.***
***Disconnect immediately if you are not an authorized user.***

User Access Verification

Username: admin
Password:
NetsTuts_SW1>

The MOTD banner appears first, then the username and password prompt. The password field is invisible when typing. See Hostname, Password, and Banner Configuration for how to configure the MOTD banner.

2. Securing VTY Lines (Remote Access)

Explanation

VTY (Virtual Terminal) lines handle remote CLI access via SSH or Telnet. Unlike the console line, VTY lines are accessible from anywhere on the network — or even from the internet if the device has a public IP. This makes them the highest-risk access point and requires the strictest controls. See SSH vs Telnet Security for a deeper comparison of why SSH must always be used over Telnet.

Most Cisco devices have VTY lines 0–4 (5 simultaneous sessions). Some platforms support up to VTY 0–15 (16 sessions). You should configure all available VTY lines — if you only configure vty 0 4 and the device has vty 5 15, those unconfigured lines may be less secure.

Basic VTY Line Configuration (SSH Only)

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#transport input ssh
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

VTY lines secured with local authentication, SSH-only transport, and 10-minute idle timeout.

Verify VTY Line Configuration

NetsTuts_SW1#show running-config | section line vty
line vty 0 4
 exec-timeout 10 0
 logging synchronous
 login local
 transport input ssh

transport input options:

transport input ssh — SSH only ✅ (recommended for production)
transport input telnet — Telnet only ❌ (insecure — plain text)
transport input all — both SSH and Telnet ⚠️ (avoid in production)
transport input none — disables all remote access completely

3. Understanding exec-timeout

The exec-timeout command automatically terminates a session that has been idle for a specified period. This is a critical security control — an unattended open session on a network device is a significant risk. See Login Security and Brute-Force Protection for complementary session security measures.

Syntax

exec-timeout [minutes] [seconds]

Example	Timeout Duration	Use Case
`exec-timeout 5 0`	5 minutes, 0 seconds	Standard for console lines
`exec-timeout 10 0`	10 minutes	Standard for VTY lines
`exec-timeout 0 30`	30 seconds	High-security environments
`exec-timeout 0 0`	Never — session stays open indefinitely	❌ Avoid in production — lab use only

Exam tip: exec-timeout 0 0 disables the timeout entirely. This is sometimes used in lab environments to avoid being logged out, but never use it in production — an unattended privileged session is a serious security risk.

4. logging synchronous — Why It Matters

By default, Cisco IOS outputs syslog messages to the console at any time — even in the middle of a command you are typing. This can corrupt your input and make the CLI very difficult to use. For full syslog configuration including sending logs to an external server, see Syslog Configuration.

Without logging synchronous (frustrating behavior)

NetsTuts_SW1(config)#interface gig
*Mar  1 00:04:22.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
abitEthernet0/0

A log message appeared mid-command, splitting the typed text. The command interface gigabitEthernet0/0 was broken up — IOS may reject it.

With logging synchronous (clean behavior)

NetsTuts_SW1(config)#interface gigabitEthernet0/0
*Mar  1 00:04:22.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
NetsTuts_SW1(config-if)#

The log message waits until after you press Enter, then appears on its own line. Your typed command is preserved and submitted correctly.

Apply to Both Console and VTY

NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#exit
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#end

5. Restricting VTY Access with an ACL

Explanation

Even with SSH and login local configured, any host on the network can attempt to connect to the VTY lines and try to authenticate. Adding an Access Control List (ACL) to the VTY lines restricts which source IP addresses are even allowed to attempt a connection — all other hosts are blocked before authentication.

This is called an access-class — it is a standard ACL applied specifically to a VTY line, not to an interface. For the full ACL configuration lab, see Standard ACL Configuration. For named ACLs and wildcard mask reference, see those dedicated pages.

Step 1: Create the Management ACL

Define which hosts or subnets are permitted to access the VTY lines. In this example, only the management workstation subnet (10.10.10.0/24) is allowed:

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#ip access-list standard MGMT-ACCESS
NetsTuts_SW1(config-std-nacl)#permit 10.10.10.0 0.0.0.255
NetsTuts_SW1(config-std-nacl)#deny any log
NetsTuts_SW1(config-std-nacl)#exit

Named standard ACL MGMT-ACCESS permits only the 10.10.10.0/24 subnet. The deny any log entry logs all blocked connection attempts to syslog for security monitoring. The 0.0.0.255 is a wildcard mask matching all hosts in the /24 subnet.

Step 2: Apply the ACL to VTY Lines

NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#access-class MGMT-ACCESS in
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#transport input ssh
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

access-class MGMT-ACCESS in applies the ACL to inbound VTY connections. Only source IPs matching the ACL are allowed to reach the login prompt.

access-class vs ip access-group:

ip access-group — applied to a physical interface to filter routed traffic. See Applying ACLs to Interfaces.
access-class — applied to a VTY line to filter management access connections

These are different commands for different purposes — do not confuse them on the exam.

Verify ACL and VTY Configuration

NetsTuts_SW1#show running-config | section line vty
line vty 0 4
 access-class MGMT-ACCESS in
 exec-timeout 10 0
 logging synchronous
 login local
 transport input ssh

NetsTuts_SW1#show ip access-lists MGMT-ACCESS
Standard IP access list MGMT-ACCESS
    10 permit 10.10.10.0, wildcard bits 0.0.0.255 (15 matches)
    20 deny   any log (3 matches)

The match counters (15 matches, 3 matches) show real traffic being processed by the ACL. Three blocked attempts have been logged — a sign that unauthorized hosts tried to connect.

6. Complete Line Security Configuration

The following combines all steps from this lab into a single complete baseline configuration for NetsTuts_SW1:

! ══════════════════════════════════════════════════════════
! NetsTuts Line Security Baseline — NetsTuts_SW1
! ══════════════════════════════════════════════════════════

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Local user account (required for login local) ─────────
NetsTuts_SW1(config)#username admin privilege 15 secret Admin@Secure1!

! ── Management ACL ────────────────────────────────────────
NetsTuts_SW1(config)#ip access-list standard MGMT-ACCESS
NetsTuts_SW1(config-std-nacl)#permit 10.10.10.0 0.0.0.255
NetsTuts_SW1(config-std-nacl)#deny any log
NetsTuts_SW1(config-std-nacl)#exit

! ── Console line ──────────────────────────────────────────
NetsTuts_SW1(config)#line console 0
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#exec-timeout 5 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#exit

! ── VTY lines (SSH only + ACL restriction) ────────────────
NetsTuts_SW1(config)#line vty 0 4
NetsTuts_SW1(config-line)#access-class MGMT-ACCESS in
NetsTuts_SW1(config-line)#login local
NetsTuts_SW1(config-line)#transport input ssh
NetsTuts_SW1(config-line)#exec-timeout 10 0
NetsTuts_SW1(config-line)#logging synchronous
NetsTuts_SW1(config-line)#exit

! ── Save ──────────────────────────────────────────────────
NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

7. Verification Commands

Command	What It Shows	What to Check
`show running-config \| section line`	All line configurations (console and VTY)	Confirm login local, exec-timeout, transport input ssh, and access-class are present
`show users`	Currently active sessions — which user on which line	Verify who is currently connected and from which IP address
`show ip access-lists MGMT-ACCESS`	ACL entries and match counters	Confirm the ACL exists and check how many connections have been permitted or denied
`show logging`	Recent log messages including denied connection attempts	Look for `%SEC-6-IPACCESSLOGS` entries showing blocked VTY attempts
`clear line vty [number]`	Forces a specific VTY session to disconnect	Use to remove stuck or unauthorized sessions

show users Output Example

NetsTuts_SW1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0    admin      idle                 00:00:00
   1 vty 0    admin      idle                 00:02:14   10.10.10.5

Two active sessions: one on console (local) and one via VTY from 10.10.10.5 — both authenticated as admin. The asterisk (*) marks the session running this command.

8. Troubleshooting Common Issues

Problem	Cause	Fix
Locked out of console after `login local`	No local user account was created before enabling `login local`	Perform password recovery — see ROMMON Password Recovery to boot into ROMMON, bypass startup-config, and recreate the user account
SSH connection refused	RSA keys not generated, or `transport input ssh` not set on VTY lines	Run `crypto key generate rsa modulus 2048` and verify VTY transport. See SSH Configuration for the full setup.
Cannot SSH from management host	ACL is blocking the source IP — management host not in permitted subnet	Check `show ip access-lists MGMT-ACCESS` — add the correct permit statement for the host. See Standard ACL Configuration.
Session times out too quickly	`exec-timeout` set too low	Increase timeout: `exec-timeout 15 0` under the appropriate line
Log messages breaking CLI input	`logging synchronous` not configured on the line	Add `logging synchronous` under both `line con 0` and `line vty 0 4`. See Syslog Configuration for full logging setup.
VTY lines 5–15 still accessible without restrictions	Configuration only applied to `vty 0 4` — higher lines left open	Apply the same config to `line vty 5 15` if the platform supports it

9. Key Points & Exam Tips

Always create a local user account before enabling login local on any line — failing to do so will lock you out immediately. See Hostname, Password, and Banner Configuration for local user account setup.
login uses a single shared line password. login local uses individual username/password pairs — always prefer login local for accountability. For centralized authentication, see Login Authentication Methods.
exec-timeout 0 0 disables the idle timeout — useful in labs but never in production.
logging synchronous should be applied to both console and VTY lines — it prevents log messages from interrupting CLI input. For sending logs to an external server, see Syslog Configuration.
transport input ssh restricts VTY lines to SSH only — Telnet is plain text and must never be used in production environments. See SSH vs Telnet Security.
access-class applies a standard ACL to VTY lines to restrict which source IPs can attempt a connection. This is different from ip access-group which is applied to interfaces. See Applying ACLs.
Configure all VTY lines — if a device supports vty 0 15 and you only configure vty 0 4, lines 5–15 may be accessible without your security settings.
show users shows all active sessions including their source IP — use this to identify unauthorized connections.
deny any log at the end of the management ACL logs all blocked connection attempts — essential for security monitoring via syslog and syslog server.
The clear line vty [number] command forcibly disconnects a specific VTY session — useful for removing stuck or suspicious sessions.
For the full AAA framework using RADIUS or TACACS+ instead of local authentication, see AAA Configuration.

Next Steps: With lines secured, the natural next step is SSH Configuration & Telnet Hardening for a complete deep-dive into SSH key management and version enforcement. For centralized authentication using RADIUS or TACACS+, see Login Authentication Methods, AAA with RADIUS Configuration, and AAA with TACACS+ Configuration. For brute-force protection and login rate limiting, see Login Security and Brute-Force Protection.

TEST WHAT YOU LEARNED

1. An engineer enables `login local` on the console line but has not created any local user accounts. What happens on the next console connection?

A. The device prompts for a username and accepts any input B. The device falls back to no login automatically C. The console is inaccessible — authentication fails because no local users exist D. The device uses the enable secret as the console password

Correct answer is C. login local requires a username and password from the local database. If no local users exist, every authentication attempt fails — effectively locking you out of the console. Always create at least one local account before enabling login local. See Hostname, Password, and Banner Configuration for local user setup. If locked out, use ROMMON Password Recovery.

2. What is the difference between `access-class` and `ip access-group`?

A. They are identical — both filter traffic on interfaces B. access-class filters VTY connection attempts by source IP; ip access-group filters routed traffic on a physical interface C. access-class only works with extended ACLs; ip access-group works with standard ACLs D. ip access-group is applied in line configuration mode

Correct answer is B. access-class is applied under a VTY line and controls which source IPs can attempt a management connection. ip access-group is applied to a physical interface and filters routed data traffic. These are completely separate and serve different purposes. See ACL Overview and Applying ACLs for more detail.

3. An engineer configures `exec-timeout 0 0` on all VTY lines. What is the security risk?

A. Sessions disconnect immediately — no one can stay connected B. The VTY lines become disabled C. The device reboots after 0 seconds of inactivity D. Idle sessions never time out — an unattended privileged session could be used by an unauthorized person

Correct answer is D. exec-timeout 0 0 disables the idle session timeout entirely. Sessions remain open indefinitely — if an engineer walks away from an authenticated session, anyone who accesses that terminal has full device access. Always set a reasonable timeout in production. See Login Security and Brute-Force Protection for additional session security controls.

4. A device has VTY lines 0–15. An engineer applies security settings only to `line vty 0 4`. What is the risk?

A. VTY lines 5–15 remain unsecured — an attacker could use them to connect without the configured restrictions B. No risk — IOS automatically applies settings from vty 0 4 to all higher lines C. Lines 5–15 are disabled by default and cannot be used D. The device only uses lines 0–4 regardless of how many exist

Correct answer is A. IOS does not automatically copy settings between VTY line ranges. If a device supports VTY 0–15 and you only configure 0–4, lines 5–15 may have default (open) settings. Always configure all VTY line ranges on every device.

5. Which command shows all currently active management sessions including their source IP address and username?

A. show ip interface brief B. show running-config | section line C. show users D. show sessions

Correct answer is C. show users displays all active console and VTY sessions, showing which line is in use, the authenticated username, idle time, and the source IP address of remote connections. It is the primary command for monitoring active management access.

6. Why does `logging synchronous` improve usability of the Cisco CLI?

A. It prevents all log messages from appearing on the console B. It holds log messages until after you press Enter so they do not interrupt the command you are typing C. It sends log messages to an external syslog server instead of the console D. It increases the logging severity level to show more detail

Correct answer is B. Without logging synchronous, IOS syslog messages appear at any time — even in the middle of a command you are typing, splitting the text on screen. With it, messages wait until after you press Enter, keeping your input intact and the CLI clean.

7. An ACL applied to VTY lines with `access-class MGMT-ACCESS in` contains `deny any log` as its last entry. What does the `log` keyword do?

A. It saves the ACL configuration to flash memory B. It generates a debug message for every matched packet C. It stores denied connections in the running-config D. It generates a syslog message every time a connection is denied — enabling security monitoring of unauthorized access attempts

Correct answer is D. The log keyword appended to an ACL entry generates a syslog message each time that entry is matched. For a deny any log at the end of a VTY ACL, this means every unauthorized connection attempt is logged — giving you visibility into who is trying to access your device. Configure a syslog server to capture and retain these logs centrally.

8. What is the primary difference between using `login` and `login local` on a VTY line?

A. login uses a single shared password with no username; login local requires individual username and password pairs from the local database, providing per-user accountability B. login local is less secure because it stores passwords locally C. login requires SSH; login local works with Telnet only D. They are functionally identical — only the syntax differs

Correct answer is A. login prompts only for a password (set with password [pass] under the line) — no username is required and all users share the same password. login local requires a username and password from the local database, meaning each administrator has individual credentials and their actions can be tracked. For enterprise-scale authentication, see Login Authentication Methods and AAA with RADIUS.

9. An engineer needs to forcibly disconnect an idle VTY session on line 2. Which command achieves this?

A. disconnect vty 2 B. no line vty 2 C. clear line vty 2 D. shutdown line vty 2

Correct answer is C. clear line vty [number] forcibly terminates the specified VTY session. First use show users to identify the line number of the session you want to clear, then run clear line vty [number]. This is useful for removing stuck, idle, or suspicious sessions.

10. A management host at `10.10.10.50` tries to SSH into NetsTuts_SW1 but the connection is refused instantly — before any username prompt appears. The engineer confirms SSH is working from another host. What is the most likely cause?

A. The enable secret is not configured B. The VTY ACL does not permit 10.10.10.50 — the host is blocked before reaching the login prompt C. The username admin does not exist on the device D. The exec-timeout has expired for that VTY line

Correct answer is B. An access-class ACL on VTY lines blocks connections at the TCP level — before any SSH handshake or login prompt appears. If the host's IP is not permitted by the ACL, the connection is refused immediately. Check show ip access-lists MGMT-ACCESS to verify the permit statement covers 10.10.10.50. See Standard ACL Configuration for how to add or modify permit entries.

Back to Home

Console & VTY Line Configuration (Cisco IOS)

Console vs VTY Lines — Key Differences

Login Method Options

Lab Scenario

1. Securing the Console Line

Explanation

Full Console Line Configuration

Command Breakdown

Verify Console Line Configuration

Expected Login Behavior After Configuration

2. Securing VTY Lines (Remote Access)

Explanation

Basic VTY Line Configuration (SSH Only)

Verify VTY Line Configuration

3. Understanding exec-timeout

Syntax

4. logging synchronous — Why It Matters

Without logging synchronous (frustrating behavior)

With logging synchronous (clean behavior)

Apply to Both Console and VTY

5. Restricting VTY Access with an ACL

Explanation

Step 1: Create the Management ACL

Step 2: Apply the ACL to VTY Lines

Verify ACL and VTY Configuration

6. Complete Line Security Configuration

7. Verification Commands

show users Output Example

8. Troubleshooting Common Issues

9. Key Points & Exam Tips

TEST WHAT YOU LEARNED

1. An engineer enables login local on the console line but has not created any local user accounts. What happens on the next console connection?

2. What is the difference between access-class and ip access-group?

3. An engineer configures exec-timeout 0 0 on all VTY lines. What is the security risk?

4. A device has VTY lines 0–15. An engineer applies security settings only to line vty 0 4. What is the risk?

5. Which command shows all currently active management sessions including their source IP address and username?

6. Why does logging synchronous improve usability of the Cisco CLI?

7. An ACL applied to VTY lines with access-class MGMT-ACCESS in contains deny any log as its last entry. What does the log keyword do?

8. What is the primary difference between using login and login local on a VTY line?

9. An engineer needs to forcibly disconnect an idle VTY session on line 2. Which command achieves this?

10. A management host at 10.10.10.50 tries to SSH into NetsTuts_SW1 but the connection is refused instantly — before any username prompt appears. The engineer confirms SSH is working from another host. What is the most likely cause?

1. An engineer enables `login local` on the console line but has not created any local user accounts. What happens on the next console connection?

2. What is the difference between `access-class` and `ip access-group`?

3. An engineer configures `exec-timeout 0 0` on all VTY lines. What is the security risk?

4. A device has VTY lines 0–15. An engineer applies security settings only to `line vty 0 4`. What is the risk?

6. Why does `logging synchronous` improve usability of the Cisco CLI?

7. An ACL applied to VTY lines with `access-class MGMT-ACCESS in` contains `deny any log` as its last entry. What does the `log` keyword do?

8. What is the primary difference between using `login` and `login local` on a VTY line?

10. A management host at `10.10.10.50` tries to SSH into NetsTuts_SW1 but the connection is refused instantly — before any username prompt appears. The engineer confirms SSH is working from another host. What is the most likely cause?