Cisco routers make a fairly basic distinction between the characteristics of a serial line (which you might want to think of as “physical” characteristics) and the characteristics of the protocols running over the line. The physical characteristics of a line are configured by the line command (and various commands that follow it) and include items such as parity and port speed. The high-level protocol characteristics are configured by the interface command (and the commands that follow it); these characteristics include IP addresses and other properties.

The line command can configure:
- The router’s console port (CTY)
- The router’s asynchronous ports (TTYs), used for dial-in and dial-out modem connections
- The router’s auxiliary port (AUX), used for backup modem connections
- Telnet, SSH, and rlogin connections to the router (“virtual terminals” or VTYs)
The line Command
The line command specifies which line or group of lines you want to configure by entering the line configuration mode. It doesn’t actually do the configuration; it is followed by other commands that set up the specific properties you want. Here’s the syntax of the line command:

```
line [aux | console | tty | vty]
```

The possible line types are aux, console, tty, and vty. These line types are discussed individually in this chapter. The following example shows how to use the line command to configure some properties of the router’s console interface:

```
Router>enable                            Enter the privileged command
Router#configure terminal                Enter configuration mode
Router(config)#line console 0            Select the console line
Router(config-line)#exec-timeout 30 0    Set the timeout to 30 minutes
Router(config-line)#exit                 Exit the line configuration
Router(config)#exit                      Exit the configuration mode
Router#
```
If you want to apply line commands to more than one line, you can specify the starting and ending numbers of a group of lines. For example, say you want to apply the command exec-timeout to TTY lines 5 through 10. Instead of typing this command five times, you can configure the entire group with one line command:

```
Router(config)#line tty 5 10
Router(config-line)#exec-timeout 30 0
```
Absolute and Relative Line Numbering
When you’re typing the line command, you give it “relative” line numbers: the first TTY is tty0, the first virtual terminal is vty0, and so on. This numbering scheme is intuitive and convenient. Internally, the router uses an absolute numbering scheme to keep track of the lines. It would be nice if you could ignore the router’s internal bookkeeping, but a number of commands use absolute line numbers when reporting information about a line’s status.
Absolute line numbers are calculated by their location on the router, in the order of CTY, TTY, AUX, and then VTY. The console port is first; its absolute line number is zero (0). The TTY ports are next, starting at absolute line number 1 and continuing for the number of TTY lines on the router. If you have eight TTY ports, absolute numbers 1 through 8 will be the TTYs on your router. Next is the AUX port, whose absolute line number is the last TTY number plus 1. Finally, the VTYs begin at the AUX port’s number plus 1. Table 4-1 clarifies absolute and relative line numbering.

Table 4-1. Absolute and relative line numbers (n is the absolute number of the last TTY line)

| Line type | Absolute number | Relative number |
|---|---|---|
| CTY | 0 | 0 |
| AUX | n + 1 | 0 |
| VTY0 | n + 2 | 0 |
| VTY1 | n + 3 | 1 |
| VTY2 | n + 4 | 2 |
| VTY3 | n + 5 | 3 |
To view this table on the router, use the command show users all. The first column of the output shows the absolute line number, followed by the line type, followed by the line’s relative number:

```
Router#show users all
    Line       User       Host(s)              Idle       Location
   0 con 0                                      00:00:00
   1 tty 1                incoming             6          10.3.21.229
   2 tty 2                incoming             6          10.3.21.229
   3 tty 3                incoming             6          10.3.21.229
   4 tty 4                                      00:00:00
   5 tty 5                                      00:00:00
   6 tty 6                                      00:00:00
   7 tty 7                incoming             3d13h      10.208.8.103
   8 tty 8                incoming             3d13h      10.208.8.103
   9 tty 9                incoming             3d13h      10.208.8.103
  10 tty 10               incoming             3d08h      10.226.76.6
  11 tty 11               incoming             3d08h      10.226.76.6
  12 tty 12               incoming             3d08h      10.226.76.6
  13 tty 13                                     00:00:00
  14 tty 14                                     00:00:00
  15 tty 15                                     00:00:00
  16 tty 16                                     00:00:00
  17 aux 0                                      00:00:00
* 18 vty 0                idle                 0          10.10.187.204
  19 vty 1                                      00:00:00
  20 vty 2                                      00:00:00
  21 vty 3                                      00:00:00
```
The Console Port
Each router has one console port. This port always has line number 0. You make a connection to the console port by attaching a standard RS232 cable, as shown in Figure 4-1. This cable is often shipped with your router.
Figure 4-1. Console cable connection
You can use any VT100 terminal-emulation program to talk to the router; just select the correct PC serial interface (the one the console cable is plugged into) and then hit the Enter key a few times. The router responds by starting an EXEC session, which is the process within the router that provides the command-line interface. The default settings for the port are 9600 baud, 8 databits, no parity, and 1 stop bit. If you changed any of these defaults on the device, you will have to change the settings on your terminal program to match.
Using line commands, we can define and control access to the console port. Here is a basic configuration:

```
Router(config)#line console 0
Router(config-line)#exec-timeout 30 0
```

The location command identifies the router’s location to the users. The command service linenumber displays the location information automatically to the user upon login. This information can be useful when you are administering your routers. Next, we add a basic security measure: a timeout. If the console port is idle for more than 30 minutes, the session automatically closes. You do not want the session active all the time in a real environment. If you forget to log out, someone might come in after you and modify the router’s configuration!

A little more security can be achieved by adding a user login:

```
Router(config)#username bob password letmein
Router(config)#line console 0
Router(config-line)#login local
```

These commands provide only minimal security; for more effective security measures, see Chapter 15.
Virtual Terminals (VTYs)
VTYs are logical connections from the network to the router; these are typically telnet, SSH, or rlogin connections. When a user telnets to a router from the network, as in Figure 4-2, the router starts an EXEC process to handle this connection.
Figure 4-2. VTY connections
Although no physical link is associated with a virtual terminal, VTYs are configured just like normal TTY lines. VTYs are enabled once they are configured. If you do not configure any VTYs, then logical connections, such as telnet, cannot be made to your router from the network. Here is a VTY configuration example:
```
Router(config)#line vty 1
Router(config-line)#login                        Must be enabled for login
Router(config-line)#exec-timeout 30 0            Set the timeout to 30 minutes
Router(config-line)#password <vty-password>      Set one password for telnet
Router(config-line)#transport input ssh          Allow only ssh access
Router(config-line)#access-class 10 in           Apply access list 10 to this line
Router(config-line)#exit
Router(config)#access-list 10 permit host 10.10.1.2
```
This example shows a semi-secure configuration for a VTY terminal. We set a timeout for 30 minutes and apply only one password. We then use the transport input command to define the protocols that are allowed to use this line; in this case, we are allowing only ssh access. (If you want to be less secure, you can use telnet instead of ssh.) The access-class command applies an access list to this interface. We won’t explain access lists here; in this example we use a simple access list to permit access from the host at address 10.10.1.2.
You should configure all your VTYs in the same manner, because there is no way to predict which VTY a user is going to receive when he telnets into the device.
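As an added example (not code from the book), the following Python script checks a configuration against the advice above: it parses each line vty stanza and reports cleartext transports, a disabled timeout, a missing inbound access-class or login, and VTY ranges that are not configured identically. The sample configuration is constructed, and the password value in it is a placeholder.

```python
"""Audit the VTY line stanzas of a Cisco IOS configuration (added example, not
code from the book). It parses the "line ..." stanzas of a running-config and
reports what the chapter warns about on VTYs: cleartext transports, a disabled
exec-timeout, no inbound access-class, no login, and VTY ranges that differ.
"""

# Constructed sample: vty 0 4 follows the chapter's advice, vty 5 15 does not.
SAMPLE_CONFIG = """\
line vty 0 4
 exec-timeout 30 0
 password <vty-password>
 login
 transport input ssh
 access-class 10 in
line vty 5 15
 exec-timeout 0 0
 password <vty-password>
 login
 transport input telnet ssh
!
access-list 10 permit host 10.10.1.2
"""

CLEARTEXT = {"telnet", "rlogin", "all"}  # transports that carry passwords in the clear


def parse_line_stanzas(config):
    """Return {(type, first, last): [sub-commands]} for every line stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            parts = raw.split()
            first = int(parts[2])
            last = int(parts[3]) if len(parts) > 3 else first
            current = (parts[1], first, last)
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def audit_vtys(config):
    """Return a list of (stanza name, finding) for the VTY lines in config."""
    vtys = {k: v for k, v in parse_line_stanzas(config).items() if k[0] == "vty"}
    findings, reference = [], None
    for (_, first, last), cmds in sorted(vtys.items()):
        name = f"line vty {first} {last}"
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append((name, "no transport input: relies on the platform default"))
        elif CLEARTEXT & set(transport.split()[2:]):
            findings.append((name, f"cleartext transport allowed: {transport}"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "exec-timeout 0 0 disables the idle timeout"))
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append((name, "no inbound access-class: any source may connect"))
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append((name, "no login command: no authentication on this line"))
        if reference is None:
            reference = (name, set(cmds))  # first VTY range is the yardstick for the rest
        elif set(cmds) != reference[1]:
            findings.append((name, f"not configured identically to {reference[0]}"))
    return findings
```

Run it over the output of show running-config; every VTY range should come back with an empty finding list.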
Asynchronous Ports (TTYs)
TTYs are asynchronous connections between the router’s async interfaces and serial devices (modems). If you are connecting modems to your router or access server for dial-up or dial-out connections, you will need to configure the TTY ports.

The TTY ports correspond directly to async interfaces. Therefore, whenever you configure a TTY line, you will probably also configure the corresponding interface. If you plugged a modem into async port 1, you would use TTY1 to configure all the hardware aspects of the connection between the router and the modem, and the interface Async1 would configure the protocol. (The interface commands are defined in Chapter 5.) Figure 4-3 demonstrates the possible modem configuration on a router or terminal server.
Figure 4-3. TTY connections to modems
Here is an example of a modem configuration on TTY port 3:
```
! Select line 3
line tty 3
! Tell the router to use its local username list
login local
! This line is for dial-in access only
modem dialin
! The speed of the serial connection is 115200 bps
speed 115200
! Use hardware flow control
flowcontrol hardware
! The type of modem is autoconfigured by the router
modem autoconfigure discovery
```

The configuration isn’t difficult to read. The router, which is some sort of terminal server, maintains its own list of usernames and passwords (login local); the modem is used only for dial-in; the serial connection between the modem and the router is set to 115200 baud; hardware flow control is used; and the modem is configured by the router.
The Auxiliary (AUX) Port
The router’s auxiliary (AUX) port functions as a backup async port. It is most commonly used as a backup console port, but it can also be used as a dial-up port for remote router management and many other functions. It doesn’t have the performance of an asynchronous line; its speed is often limited (particularly on older routers), and it does only per-character I/O, which creates a high CPU load if used continuously.
Figure 4-4 shows how you might use the AUX port as a backup for a T1 line. If the T1 connection goes down, Router 1 automatically dials Router 2 using the modem connected to the AUX port. Obviously, the speed of the backup link is not comparable to the T1 connection, but it does provide some level of backup support.
Figure 4-4. Using an AUX port as a backup connection
The following configuration example shows how to use the AUX port as a backup connection. This example uses many commands that are well beyond the scope of this chapter; they are included here to make the configuration complete. The comments describe some of the more advanced commands; for more information about PPP and dial-on-demand routing, see Chapter 12.

```
! Configure the primary (T1) interface, with async 4 as a backup.
! See Chapter 5 for info on interface configuration.
! See Chapter 12 for the dialing commands
interface serial0
 ip address 10.10.1.1 255.255.255.0
 backup interface async 4
 backup delay 10 1
!
! The AUX line translates to the async 4 interface.
interface async 4
 ip address 10.10.1.2 255.255.255.0
 dialer in-band
 dialer string 410-555-5555
 dialer-group 1
 async dynamic routing
!
! Build our dialer lists.
dialer-list 1 protocol ip permit
chat-script script1 " " "atdt 410-555-5555" timeout 60 "connected"
!
! Finally, configure the AUX port using the line commands.
line aux 0
 modem chat-script script1
 modem inout
```
To display the status of a line, use the command show line. This is not a privileged command and can be executed by any user. On an eight-port terminal server, show line gives output like this:

```
Router>show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
     0 CTY              -    -      -    -    -      0       0     0/0
     1 TTY   9600/9600  -    -      -    -    -      3     542     0/0
*    2 TTY   9600/9600  -    -      -    -    -      1       0     0/0
     3 TTY 38400/38400  - RIisCD    -    -    -      1       0     0/0
 I   4 TTY 38400/38400  - inout     -    -    -     25       0     0/0
 I   5 TTY 38400/38400  - inout     -    -    -   3940       0     0/0
 I   6 TTY 38400/38400  - inout     -    -    -   1483       0     0/0
 I   7 TTY 38400/38400  - inout     -    -    -    364       0     0/0
 I   8 TTY 38400/38400  - inout     -    -    -     12       0     0/0
```
Table 4-2 describes the fields in this report.

Table 4-2. Fields in a show line display

| Field | Description |
|---|---|
| TTY | Actual line number. |
| TYP | Type of line: CTY (console), AUX, TTY, VTY, LPT. |
| TX/RX | Transmit and receive baud rates for this line. |
| A | Autobaud (automatic baud rate detection) is active. |
| Modem | Type of modem signal configured for this line (for example, inout or dialin; see the modem commands in this chapter). |
| Roty | Rotary group configured for this line. |
| AccO, AccI | Access lists for this line, both output and input (see the access-class command). |
| Uses | Number of connections made to this line since the router was booted. |
| Noise | Number of times noise was detected on this line. Can be used to gauge line quality. |
| Overruns | Number of buffer overruns that have occurred on this line, in the format hardware/software. Hardware overruns occur when the hardware receives data from the software faster than it can process it. Software overruns occur when the software receives data from the hardware faster than it can process it. A bad cable could cause overruns. |
You can retrieve more detailed information by selecting a single line:

```
Router>show line 5
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
A    5 TTY 38400/38400  - inout     -    -    -   3969       0     0/0

Line 5, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 38400/38400, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner, Async Interface Active
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD, Line usable as async interface
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -      none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               0:00:30        never                        none     not set
Session limit is not set.
Time since activation: 2:08:08
Editing is enabled.
History is enabled, history size is 10.
Full user help is disabled
Allowed transports are lat telnet rlogin mop.  Preferred is lat.
No output characters are padded
No special data dispatching characters
Modem hardware state: CTS DSR DTR RTS
Line is running PPP for address 126.96.36.199.
0 output packets queued, 1 input packets.
Async Escape map is 00000000000000000101000000000000
Group codes:    0
Interface Async5: (passive, compression on)
  Rcvd:    5711 total, 4516 compressed, 0 errors
           0 dropped, 0 buffer copies, 0 buffer failures
  Sent:    5085 total, 4032 compressed,
           138729 bytes saved, 3943290 bytes sent
           1.3 efficiency improvement factor
  Connect: 16 rx slots, 16 tx slots, 1275 long searches, 765 misses
           84% hit ratio, five minute miss rate 0 misses/sec, 1 max
```
The first part of this report has the same format given in Table 4-2. However, the rest of the report goes into great detail about the line’s characteristics. Table 4-3 shows what these additional fields mean.

Table 4-3. Fields in a show line for a single port

| Field | Description |
|---|---|
| Line | TTY line number. |
| Location | Value of the location keyword set for this line. See the location command earlier in this chapter. |
| Type | Value specified by the line configuration. |
| Length | Terminal display length in characters. |
| Width | Terminal display width in characters. |
| Baud | Transmit (TX) and receive (RX) baud rates. |
| Status | State of the line (ready, connected/disconnected, active/inactive, exit banner). |
| Capabilities | How or for what this line can be used. |
| Modem state | Control state of the modem. |
| Special chars | Settings of characters defined for this line. |
| Timeouts | Timeouts as specified by the configurations. |
| Session limit | Maximum number of sessions for this line. Controlled by the session-limit command. |
| Time since activation | Time elapsed since line activation (i.e., how long the line has been considered active). |
| Editing | Whether command-line editing is enabled. |
| History | Length of the command history buffer, as set by the user. |
| Full user help | Whether full user help is enabled. |
| Transport methods | Transport mechanisms allowed on this line. See the transport command later in this chapter. |
| Character padding | Whether output characters are padded. |
| Data dispatching characters | Whether any data-dispatching characters are configured. |
| Line protocol | The protocol and address specified for this line. |
| Output/input packets | Queued packet counts for this line. |
| Group codes | AT group codes for this line. |
When a user telnets to a router, she is “logged on” directly to the router. Cisco adds a special twist: if you telnet to a special port on the router, the router redirects the incoming telnet connection back out a selected asynchronous line, rather than internally accepting the incoming connection. This is called reverse telnet. Here are two telnet commands you might give on your Unix or Windows workstation:

```
% telnet router1            Telnet directly into router1
% telnet router1 2001       Telnet to port 2001 on router1
```

The first telnet command connects to the standard telnet port (TCP port 23; remember that we’re now talking about TCP ports, not the router’s physical ports) and initiates a virtual terminal session with the router. The second command is tricky. It connects to TCP port 2001; the router maps this port to one of its asynchronous lines. The router performs any login requirements, then connects the telnet session to the mapped line. The mapping is simple: just subtract 2000 from the port used for the telnet connection. So in this example, the user would be connected to asynchronous line 1 (tty1). Line 2 (tty2) would be 2002, and so on. If a modem is connected to tty1, the user would be talking directly to the modem.
The only catch to this mapping is the AUX port. The number of the AUX port is the last TTY port, plus 1. So, on a router with 18 TTY ports, the AUX port would be port 2019 (the last TTY, port 2018, plus 1). On a router with no TTY interfaces, the AUX port would be port 2001.
In addition to port 2000, ports 4000 and 6000 can be used. Port 4000 plus the line number (4001 for tty1) gives you a raw TCP port, which is usually used for sending data directly to a printer. On port 2000, each carriage return is translated into a carriage return plus a linefeed. Port 6000 is just like port 2000, except it turns off the carriage-return translation.
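The numbering arithmetic above, as an added example that is not from the book: a small Python module that computes absolute line numbers and reverse-telnet ports for a router with a given number of TTYs, plus the inverse lookup from a TCP port back to the line it reaches, which is what you need when reviewing which router ports are exposed. It assumes that TTY relative numbers equal their absolute numbers, as the show users all output earlier in the chapter shows.

```python
"""Absolute line numbers and reverse-telnet TCP ports on a Cisco IOS router.

Added example, not code from the book. It implements the bookkeeping the text
describes: absolute numbering in the order CTY, TTY, AUX, VTY, and the
2000/4000/6000 reverse-telnet ports, so you can answer "which line does a
connection to this TCP port land on?" without logging in to the router. It
assumes that TTY relative numbers equal their absolute numbers, as in the
show users all output above.
"""
from dataclasses import dataclass

# Port bases from the text: 2000 telnet (CR -> CR+LF), 4000 raw TCP, 6000 telnet untranslated
PORT_BASES = {"telnet": 2000, "raw": 4000, "telnet-nocr": 6000}


@dataclass(frozen=True)
class Line:
    absolute: int   # the router's internal number
    kind: str       # "con", "tty", "aux" or "vty"
    relative: int   # the number given to the line command


def line_table(num_tty, num_vty=5):
    """Table 4-1 for a router with num_tty TTY ports and num_vty virtual terminals."""
    table = [Line(0, "con", 0)]
    table += [Line(n, "tty", n) for n in range(1, num_tty + 1)]
    aux = num_tty + 1                      # AUX follows the last TTY
    table.append(Line(aux, "aux", 0))
    table += [Line(aux + 1 + v, "vty", v) for v in range(num_vty)]
    return table


def absolute_number(kind, relative, num_tty, num_vty=5):
    """Absolute line number of e.g. ("aux", 0) or ("vty", 3) on this router."""
    for line in line_table(num_tty, num_vty):
        if line.kind == kind and line.relative == relative:
            return line.absolute
    raise ValueError(f"no {kind} {relative} on a router with {num_tty} TTYs")


def reverse_port(kind, relative, num_tty, mode="telnet"):
    """TCP port that reverse-telnets out the given asynchronous line (TTY or AUX)."""
    if kind not in ("tty", "aux"):
        raise ValueError("reverse telnet targets asynchronous lines only")
    return PORT_BASES[mode] + absolute_number(kind, relative, num_tty)


def line_for_port(port, num_tty):
    """Inverse mapping: (mode, Line) that a TCP port reaches, or None for no async line."""
    async_lines = {ln.absolute: ln for ln in line_table(num_tty, 0) if ln.kind != "con"}
    for mode, base in PORT_BASES.items():
        line = async_lines.get(port - base)
        if line is not None:
            return mode, line
    return None
```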
Reverse telnet requires that the TTY line be configured to allow outbound connections. Here’s how you do this, using tty1 from the example above:

```
Router(config)#line tty 1
Router(config-line)#modem inout
```

The modem inout command allows both incoming and outgoing connections. Another way to configure the line is:

```
Router(config-line)#modem callout
```

The modem callout command allows only outgoing connections.

Another useful command for reverse telnet is ip alias. This command lets you assign an IP address to a reverse telnet connection. In other words, the router associates an IP address with a reverse telnet port. If you telnet to this address, the router will connect you directly to the specified port. For example, assume that a router has an Ethernet interface with an address of 10.1.1.1. The following commands configure it to route incoming telnet connections for the addresses 10.1.1.2, 10.1.1.3, and 10.1.1.4 to asynchronous ports 1 through 3:

```
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! Now configure our reverse telnet IP address
ip alias 10.1.1.2 2001
ip alias 10.1.1.3 2002
ip alias 10.1.1.4 2003
```

Now, when you telnet to 10.1.1.2, you will be connected to the device that is connected to port 1.
Common Configuration Items
This section summarizes the configuration items you are likely to encounter when configuring a line on a router or a terminal server.
These useful commands set the low-level physical parameters of a line. To set the line speed (baud) you can use the speed, txspeed, and rxspeed commands. For databits, stop bits, and parity, use the commands databits, stopbits, and parity, respectively. For automatic baud rate detection, use the autobaud command.

For flow control, use the flowcontrol command, which takes as arguments none, software, or hardware. In a modern environment, hardware flow control is almost always appropriate.

The transport command defines which protocols can be used to connect to a line. The default protocol is none, which means that no incoming connections are allowed. The command transport input telnet specifies that telnet can be used as an incoming protocol, but no other protocols are allowed.

You can also specify the preferred protocol to use after a user has connected to a line. By default, the preferred protocol is telnet. Therefore, when users are connected to the router, they can type a hostname, and the router will assume they want to telnet to a device. To disable this behavior, use the command transport preferred none.
Session Limits and Timeouts
IOS provides two ways to limit the number of ongoing sessions. To limit the number of sessions allowed on a line, use the session-limit command. To limit a session’s idle time, use the session-timeout command. If the session is idle longer than the specified time, the router automatically logs the user out. Note that these commands apply to the configuration of lines and not to the router as a whole.
Special Characters and Key Sequences
IOS allows you to specify a number of special characters that control the interaction between a user and the router. The activation character is the character that starts a terminal session when it is typed at a vacant terminal. The default activation character is Enter; you can set it to another value using the activation-character command. Other special characters are the disconnect character and the hold character, both of which have no defaults. The disconnect character disconnects (terminates) a session, while the hold character pauses a session until any other key is pressed. These characters are set using the disconnect-character and hold-character commands.

All three of these commands apply to lines; the argument for each command is the ASCII value for the character. For example, to set the disconnect character for line 2 to Ctrl-d (ASCII value 4), select the line with the line command and then enter disconnect-character 4 in line configuration mode.
Published @ September 24, 2021 4:03 am