5.1.b Implement and troubleshoot device access control

5.1.b [i] Lines [VTY, AUX, console]

The use of password protection to control or restrict access to the command line interface (CLI) of your router is one of the fundamental elements of an overall security plan. Protecting the router from unauthorized remote access, typically Telnet, is the most common security measure that needs configuring, but protecting the router from unauthorized local access cannot be overlooked.

The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual in the sense that they are a function of software; there is no hardware associated with them. They appear in the configuration as line vty 0 4. Each of these types of lines can be configured with password protection. Lines can be configured to use one password for all users, or user-specific passwords. User-specific passwords can be configured locally on the router, or you can use an authentication server to provide authentication.

To specify a password on a line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode.
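As a troubleshooting aid for the password and login commands above, the following Python sketch (an added example, not taken from the cited guide or Cisco's documentation) audits the line blocks of a running-config and reports whether each line checks a shared password, uses user-specific local passwords, or is left without password checking. The sample configuration, its passwords and the function names are constructed for illustration, and it assumes no AAA method lists are in use.

```python
import re

# Constructed running-config fragment (sample input, not from the original page).
SAMPLE_CONFIG = """\
username admin secret ExamplePass1
!
line con 0
 password ExampleConPass
 login
line aux 0
 password ExampleAuxPass
line vty 0 4
 login
line vty 5 15
 login local
 transport preferred none
"""

def parse_lines(config):
    """Return {line header: [sub-commands]} for each 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Classify each line by how, or whether, logins are authenticated.
    Assumption: no AAA method lists, and 'login' appears explicitly when set."""
    has_user = re.search(r"^username \S+ ", config, re.M) is not None
    findings = {}
    for header, cmds in parse_lines(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        if "login local" in cmds:
            result = "ok: per-user local login" if has_user else "misconfigured: login local without a username"
        elif "login" in cmds:
            result = "ok: shared line password" if has_password else "misconfigured: login without a password"
        else:
            result = "open: password checking not enabled (no login)"
        findings[header] = result
    return findings

if __name__ == "__main__":
    for header, result in audit(SAMPLE_CONFIG).items():
        print(f"{header:14} {result}")
```

In the sample, the AUX line has a password but no login command, so the password is never checked, and the first VTY range has login without any password to check against.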

While transport preferred none provides the same output, it also disables auto telnet for the defined hosts that are configured with the ip host command. This is unlike the no logging preferred command, which stops it for undefined hosts and lets it work for the defined ones.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 4988). Kindle Edition.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml