Configure Cisco Switch Telnet Login and Password

The ability to telnet into a Cisco switch greatly simplifies remote administration of the device. This tech-recipe describes enabling telnet logins and password protecting them.


To enable telnet logins into a Cisco switch and set the telnet password to keepout, use the following commands from configuration mode:

line vty 0 15
password keepout
login

The switch must have an IP address configured before you can telnet to it.
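Added example (not part of the original recipe): Telnet carries the VTY password over the network unencrypted, so it is worth checking how each line vty block in a saved running-config is protected. The Python script below flags the settings this page and its comments discuss (login with no password, no login, transport not restricted to SSH, no access-class, no service password-encryption). The sample config and the finding names are constructed for illustration.

```python
import re

# Constructed sample running-config (illustrative; not from a real device).
SAMPLE_CONFIG = """\
no service password-encryption
hostname Switch
!
line con 0
!
line vty 0
 password keepout
 login
line vty 1 4
 login
line vty 5 10
 no login
line vty 11 15
 login local
 transport input ssh
 access-class 1 in
!
end
"""


def vty_blocks(config):
    """Yield (header, subcommands) for each 'line vty' section."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if header and (line.startswith(("line ", "!")) or line == "end"):
            yield header, body
            header = None
        if line.startswith("line vty"):
            header, body = line, []
        elif header and line:
            body.append(line)
    if header:
        yield header, body


def audit(config):
    """Return (scope, finding) pairs in config order; names are hypothetical."""
    findings = []
    if "service password-encryption" not in map(str.strip, config.splitlines()):
        findings.append(("global", "passwords-stored-in-clear"))
    for header, body in vty_blocks(config):
        if "no login" in body:
            findings.append((header, "no-authentication"))
        elif "login" in body and not any(c.startswith("password ") for c in body):
            # Password login with no password set: IOS rejects the session.
            findings.append((header, "login-without-password"))
        if [c for c in body if c.startswith("transport input")] != ["transport input ssh"]:
            findings.append((header, "telnet-not-excluded"))
        if not any(re.match(r"access-class \S+ in\b", c) for c in body):
            findings.append((header, "no-source-acl"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```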

 

About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.

The Conversation


  • bravepc

    You have done what?

    The switch will arrive with a serial light blue cable. Connect it to the console port at the Cisco switch, and to the serial port on a pr.

    Open a terminal session (in ZP Hyperterm), use default settings and give session any name. In that way, you don’t even need an IP.

    But, this is the very entry point to the switch config. Somebody has to write a long manual here!

    • Jacob

      how to open a ZP hyperterm?

  • Oscar P. Snick

    To Anonymous above, you can’t telnet to a switch that has no login. Bravepc describes the method well.

    Cisco already has a “long” manual. If it was effective, however, I wouldn’t have ended up here.

    Thanks for the info.

    • Lessa

      To first configure a Cisco switch, be it any model #, it first has to be connected in out-of-band management: via console cable. Out-of-band can be taken as out of bandwidth, meaning not online. Not using the Ethernet or internet connections. In-band would be the opposite, meaning using Ethernet or internet connections. In-band = telnetting, SDM, etc.

      Note: I CANNOT remember how to set the IP to enter to get into telnet... you have to have an IP, but I cannot remember what the commands are to set it. I believe it might be int vlan (#), and then setting that IP, as vty does not have an IP option. I am unsure. I did try this in Packet Tracer 5.0 and setting the vlan 1 IP did not have any effect when trying to ping or telnet to the switch.

      1.) Connect console cable
      2.) Use terminal emulation program to connect to switch or router. HyperTerminal in XP, Putty in XP & Vista, or (I’ve never heard ‘ZP’ before), ZP Hyperterm. I’m sure there are others as well. The default settings should be: Bits Per Second: 9600, Data Bits: 8, Parity: None, Stop Bits: 1, Flow Control: None. If this is not what you have, then correct it to the ones listed previously. Connect
      3.) Enter Privileged Exec mode via typing enable. The prompt with “>” dictates that it is “user” mode. Exec mode is “#”.
      4.) Enter configure terminal mode by typing that in after enable (while in exec/privileged mode) or config t for short.
      5.) Type in line vty 0 15 (meaning virtual telnet 0 – 15, 16 in all. You can set different passwords for different vtys. It is not limited to ONLY 0 15. Meaning ONLY 0-15.)
      6.) Type “password *password*”, where the asterisks dictate what you want to set your password as.
      7.) Type “login”, to make sure that someone connecting via telnet will have to enter the password you just set. Otherwise, it’s just free access. Remember “login”.
      8.) Type end, this will take you back STRAIGHT to privileged exec mode, this way you do not have to keep typing “exit”.
      9.) Type “wr”, short for “write”, which will then automatically (via write’s default settings) save running-config to startup-config. This is shorter than typing “copy run start”, which is also shorter than “copy running-config startup-config”.
      10.) You can either just disconnect from console 0 (or as the switch states it: con0) or type “logout” which will take you to the beginning, where you will have to press enter and re-login via secret and enable passwords.

      Note: I CANNOT remember how to set the IP to enter to get into telnet.. you have to have an IP, but I cannot remember what the commands are to set it.

      Now, via telnet:

      1.) Open up command (start menu > run > cmd)
      2.) Type “telnet (ip set)”
      3.) If the privilege was set to, say, “15”, then once the password was entered (as it is now prompting for the password if “login” was remembered), then once logged-in you will be in, I am 90% sure, enable mode without having to enter the enable password & enable secret, just the set telnet. I may have this backwards as I do not have much experience with the telnetting (I will be doing some testing later on)
      4.) Config t to use most commands, or show *whatever here* to get started. All show commands are in exec mode only, not config mode. There is a very limited amount of show commands in user mode.

      Okay, well.. if any mistakes are found, or if you know what I did not, please correct. I was typing this in during class, so please excuse me. I had limited time to mess around with Packet Tracer 5.0 before I had to move onto another page, or I would have researched answering my own questions. Thanks for reading.

      • Anonymous

        I think a method to configure a telnet or admission IP:

        1) u need to go to enable mode
        2)Conf t
        3)interface vlan 1
        4) ip add 10.0.0.0 255.255.255.0

        I am new at Cisco but I think this is how you do it

        (sorry for my writing but I am Croatian xD )

        • Anonymous

          U r right “darkman001″

          switch#Conf t
          switch(config)#interface vlan 1
          Switch(config-if)#ip add 192.168.1.50 255.255.255.0
          Switch(config-if)#no shutdown
          Switch(config-if)#exit
          after this u can telnet to switch (if u have configured vty pwd and enable pwd).

          • Tahir

            Performing the Initial Configuration
            To complete the initial configuration for the switch, or a brand new router, follow these steps:
            ________________________________________

            Download PuTTY, a free software available on the internet. Link: http://www.putty.org/ (configure your PuTTY with the following configuration)
            Click on Serial and choose option
            Port: COM1 or COM3 (check in your Device Manager option under Control Panel).
            Speed : 9600
            Databits: 8
            StopBits: 1
            Parity : None
            FlowControl:XON/XOFF or None
            ——————————————————————————

            Step 1 At the terminal prompt, enter the enable command to enter privileged exec mode.
            Switch> enable
            Password: password
            Switch#
            Step 2 Set the system time using the clock set command in privileged EXEC mode.
            Switch# clock set 20:09:01 3 Apr 2006
            Step 3 Verify the change by entering the show clock command.
            Switch# show clock
            20:09:06.079 UTC Thu Apr 3 2006
            Step 4 Enter the configure terminal command to enter global configuration mode.
            Switch# configure terminal
            Enter configuration commands, one per line. End with CNTL/Z.
            Switch (config)#
            Step 5 Configure the system prompt and hostname for the switch, and press Return. To remove the new prompt and return the prompt to its default, use the no hostname command.
            Switch (config)# hostname Switch1
            Step 6 Use the banner motd global configuration command to set location information in the login banner. You can also set a system contact using this command.
            Switch1(config)# banner motd c 170 West Tasman Drive, San Jose, CA c
            or
            Switch1 (config)# banner motd c 170 West Tasman Drive, San Jose, CA; Tech Support 408 123 4567 c
            Step 7 Configure an enable secret password, and press Return.
            The password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, allows spaces, but ignores leading spaces. The secret password is encrypted and the enable password is in plain text.
            Switch1 (config)# enable secret SecretPassword
            Step 8 Configure an enable password, and press Return.
            Switch1 (config)# enable password EnablePassword
            Step 9 Configure a virtual terminal (Telnet) password, and press Return.
            The password can be from 1 to 25 alphanumeric characters, is case sensitive, allows spaces, but ignores leading spaces.
            Switch1 (config)# line vty 0 15
            Switch1 (config-line)# password terminal-password
            Switch1 (config-line)# exit
            Step 10 Configure the interface that connects to the management network. (The IP address and subnet mask shown are for example only. Use an address appropriate for your network.)
            Switch1 (config)# ip routing
            Switch1 (config)# interface gigabitethernet 3/24
            Switch1 (config-if)# no switchport
            Switch1 (config-if)# no shutdown
            Switch1 (config-if)# ip address 10.4.120.106 255.0.0.0
            Switch1 (config-if)# exit
            Step 11 Exit from global configuration mode:
            Switch (config)# exit
            Switch #
            Step 12 View the configuration that you have just created and confirm that it is what you want.
            Switch1# show run
            !
            hostname Switch1
            !
            banner motd ^C
            170 West Tasman Drive, San Jose, CA ^C
            !
            !— Output suppressed.
            Step 13 Configure a default route.
            Switch1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
            Step 14 Verify the IP information by using the show ip interface brief and show ip route commands.
            Switch1# show ip interface brief

            Good Luck

        • a

          you must set gateway after that
          ip default-gateway 10.10.10.1

        • christo k.j

          > thanx….

      • Markitupmark

        conf t
        interface vlan 1
        ip address 192.168.0.2 255.255.255.252
        no shut

      • charanjeet

        trying to telnet ……
        screen showing me this only….. it’s not working

  • Shaun VT

    Thanks Helped Alot

  • http://www.bksec.com/ pramod

    Your suggestion is right, given by you.

    Thanks a lot

  • o meu

    What rubbish.

  • madcow

    I think that service password encryption should be enabled (even if it’s low-end security); you do not want to save the passwords in clear text. And you probably want to create an access list to block off access from the entire world (you only want to connect to it from within your own network), so:

    !enter configuration mode
    conf t

    !enable service password encryption
    service password-encryption

    !password for privileged access
    enable password keepout

    !access list for whatever your netblock is
    access-list 1 permit 192.168.0.0 0.0.0.255

    !enter telnet config mode
    line vty 0 4
    password keepout
    login
    access-class 1 in

    • Anonymous

      Great, guys. I have a quick question: do we need to set up any default gateway to use Telnet?

  • Anonymous

    This page is so interesting… but I want to know
    how to get the password if from:
    switch>
    password:
    to the
    switch#
    What command must I do????

    • saif.musa

      xtrem
      you have to do like this:
      switch> enable
      switch# conf t
      switch(config)# enable password CISCO
      switch(config)# enable secret CISCO (so you will be sure that no one could config your password from displaying running-config instruction)
      switch(config)# end
      switch# wr
      switch# exit
      By doing that you will be requesting a password when moving from user mode into exec mode.

  • AB

    I enable service password-encryption. I’ve not been able to telnet into my switch anymore. What can I do to gain access into the switch without altering what I had there already?

    AB

    • MM

      Hi!
      I am stuck with something while implementing the TELNET
      My switch was configured for both SSH and Telnet session previously ( for example: ssh to the router and then telnet to a switch), is it necessary to remove the SSH configuration if we want the PC to directly telnet the switch?
      How do we do that?
      Now after configuring the switch (for an IP address and a login password), can we telnet to the switch from a Linux PC that is on the internet?

  • Snarl

    *************************************
    TELNET MINIMUM CONFIG
    *************************************

    switch>enable
    switch#conf t
    switch(config)#enable secret class

    switch(config)#interface f0/1
    switch(config-if)#vlan 10
    switch(config-if)#exit
    switch(config)#interface f0/1
    switch(config-if)#switchport access vlan 10
    switch(config-if)#exit

    switch(config)#int vlan 10
    switch(config-if)#ip address 192.168.0.1 255.255.255.0
    switch(config-if)#no shutdown
    switch(config-if)#exit

    switch(config)#line vty 0 15
    switch(config-line)#password cisco
    switch(config-line)#transport input telnet
    switch(config-line)#login
    switch(config-line)#exit

    switch(config)#exit
    switch(config)#write

    *************************************

    • Xtropx

      On my switch, the 3500XL, login requires parameters, which I do not know, or it fails saying ‘incomplete command.’ The write command does not work either, in either variation, but appears to not be necessary.

      When I telnet to the IP of the switch, set at 192.168.0.25, it asks me for a user-name. I never set a user-name. I can’t get in. Any possible solutions??

      • Penggewang

        To see which port you want to telnet…

        switch# show cdp neighbors

        This command will help you to see which port your switch has connected and what the IP is of the port that has connected to the switch. Then use that IP to telnet.

      • Snarl

        switch(config)#write
        should be at the privileged exec prompt;
        switch#write
        or use this (they do the same thing);
        switch#copy running-config startup-config

        For telnet you’ll need to set a username and password; you never set one and that’s the problem.

        try this to see what parameters are available for login;
        switch(config-line)#login ?

        • Snarl

          Thinking about it, probably the reason it’s not accepting the login command is because you haven’t set a username or password.

          On the switch I have, I must set a password but it’s not necessary to set a username; it could be that older IOS versions are a little different.

    • http://www.google.com Tapas kumar samal

      switch>enable
      switch#conf t
      switch(config)#vlan 10
      switch(config-vlan)#exit
      switch(config)#interface f0/1
      switch(config-if)#switchport access vlan 10
      switch(config-if)#exit
      switch(config)#interface vlan 10
      switch(config-if)#ip address 192.168.1.1 255.255.255.0
      switch(config-if)#no shut
      switch(config-if)#exit
      Router# config t
      Router(config)# line console 0
      Router(config-line)# password tapas
      Router(config-line)# login
      Router(config-line)#exit
      But complex passwords are important to keep someone from guessing your password.

  • Anga

    I want a username and password also. How to do it??

  • Rupali 320

    Tuhadi man da Fudda MAreya Saleyo ki-2 likhde rende ho………….

  • Ykumsa24

    Anga, that is my question too: how do I get a username and password to access in the first place? Anyone help, please.

  • Blaze Jane95

    switch(config)#line vty 0 15
    switch(config-line)#password cisco
    switch(config-line)#transport input telnet
    switch(config-line)#login
    switch(config-line)#exit
    I have configured the above lines in the Cisco ME3400 series switch and now I can no longer log in. It requests a password and when I enter cisco it says it’s a bad secret.

  • Sumit Tiwari

    How to set telnet( VTY ) user name? Suppose Username is XYZ and Password is CISCO_123.

  • jayne

    I’m trying to telnet but it says:

    Connection refused by remote host

    What does that mean?…

    thanks!

  • khaled

    anybody can help me to enable telnet on a catalyst switch 2950?

  • Muhammad

    the above is correct use however i have realised that once you have enabled and assigned an ip address to another vlan other than vlan 1 you cannot connect through vty ports anyway, you will then have to connect through con0 only

  • syed

    Hello, I have a VLAN network but I don’t know some switch IPs. How do I find this IP? I am new.

  • Angela

    Hi,

    I have just replaced a faulty Catalyst 2960 24 port switch (designated S1) with a spare unit that I have that works. Unfortunately, the access passwords have been set and the person responsible has left the company without recording them in our database.

    Can you please recommend to me what I should do to access the IOS?

    Thanks,
    Angela

    • David Kirk

      I’m not a Cisco guy but does the reset not clear the password?

      Press and hold the Mode button. The switch LEDs begin blinking after about
      3 seconds. Continue holding down the Mode button. The LEDs stop blinking
      after 7 more seconds, and then the switch reboots.

  • Bhunesh Kumar

    Friends, myself Bhunesh Kumar. I am doing CCNA; in the last class we learned telnet with a switch. In that, I don’t understand why we use the default VLAN. Can anyone please tell me?

  • KHS

    For the people who asked, this is how to setup username and password in a cisco switch:

    WEST-SW#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    WEST-SW(config)#username XYZ password CISCO_123
    WEST-SW(config)#int vlan 1
    WEST-SW(config-if)#ip address 192.168.1.2 255.255.255.0
    WEST-SW(config-if)#exit
    WEST-SW(config)#ip default-gateway 192.168.1.1
    WEST-SW(config)#line vty 0 15
    WEST-SW(config-line)#password CISCO_123
    WEST-SW(config-line)#login local
    WEST-SW(config-line)#exit
    WEST-SW(config)#exit
    WEST-SW#

    to configure enable password:
    WEST-SW#
    WEST-SW#config t
    WEST-SW(config)#enable password CISCO
    WEST-SW(config)#exit
    WEST-SW#

    I successfully logged in from PC using telnet

    PC>telnet 192.168.1.2
    Trying 192.168.1.2 …Open

    User Access Verification

    Username: XYZ
    Password:
    WEST-SW>enable
    Password:
    WEST-SW#

    That’s it, GOOD LUCK guys!

  • zoe

    Hi guys, I’m new in networking.. I’m a little bit confused:
    switches (2950) work on layer 2 (data link layer), which works only on physical addresses, that is MAC addresses, right!
    So why do we need to set up an IP address, and how can we telnet the switch without using the IP address of the destination…… please guys help me out…. thanks in advance

    • KHS

      Hi Zoe,

      You need to setup an IP address to telnet the switch, otherwise console is your only way to configure it.

      PS : you can use more than one IP address in one switch, one IP address per VLAN.

  • charanjeet

    Current configuration : 1011 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface Vlan1
    ip address 10.0.0.1 255.0.0.0
    !
    !
    line con 0
    !
    line vty 0
    password cisco
    login
    line vty 1 4
    login
    line vty 5 15
    login
    !
    !
    end

  • mushumba

    we give thanks to all of who west your time by writing this for showing same of real information.

  • jordan

    oo yes