Router Default Transport Input?
CertifiedMonkey (Member, Posts: 172) in CCNA & CCENT
I'm currently going over Odom's new 100-105 book and he states that routers have a default transport input of "none". This might be a silly question, but is this true for all routers?
Comments
Sy Kosys (Member, Posts: 105):
I believe it is, yes, and I can surmise that this default setting should not allow random vty connections straight out of the box. Which is why we set the transport input on the vty lines to "ssh" or "telnet", or an order of access accordingly, for security porpoises.
Makes sense to me that it is this way, just like how all ports, router or switch, are not in a shutdown state by default.
Hope this helps ya.

Signature: "The size of your dreams must always exceed your current capacity to achieve them. If your dreams do not scare you, they are not big enough." ― Ellen Johnson Sirleaf
CertifiedMonkey (Member, Posts: 172):
I agree that it's more secure by not allowing vty access by default. However, I don't understand what the point is of putting transport input "none" rather than specifying transport input all (or transport input telnet ssh) like we do on a switch. If I understand correctly, a switch allows transport input all because the "login" command on the vty lines prevents access until a password is set. Why can't the same thing be done on a router? Is there some sort of exploit that can be performed on the router's vty lines if the default is set to transport input all, with the login command set and no password set (just like the switch's default)?
Hmm. Just thought of something while typing this: Maybe the router's vty line is set to transport input none because a router, by its nature (Layer 3 device), is more exposed to the network (and network attacks) than a layer 2 switch is. Just a thought. Pretty interesting.
GDaines (Member, Posts: 273):
CertifiedMonkey wrote:
> Hmm. Just thought of something while typing this: Maybe the router's vty line is set to transport input none because a router, by its nature (Layer 3 device), is more exposed to the network (and network attacks) than a layer 2 switch is. Just a thought. Pretty interesting.

Exactly that. Switches are local devices so someone can only attack from within, whereas routers are generally connected to the internet so could be attacked from outside. By default all interfaces are shut down on a router, but enabled on a switch. I guess this is because of the potential security issues open ports pose on a router if you don't close them, whereas for a switch having all ports disabled wouldn't be much use, so out of the box they allow basic switching without additional configuration.
james43026 (Member, Posts: 303):
The default transport method on Cisco devices would be all supported protocols. Just checked on a Cisco 3725 running IOS 12.4, and the default is to allow all supported protocols on any of the VTY lines. Also a CCIE confirmed this on a Cisco forum post here.
carterw65 (Member, Posts: 318):
james43026 wrote:
> The default transport method on Cisco devices would be all supported protocols. Just checked on a Cisco 3725 running IOS 12.4, and the default is to allow all supported protocols on any of the VTY lines. Also a CCIE confirmed this on a Cisco forum post here.

That's what I was thinking also, but I didn't have an opportunity to test it on real equipment yet.