Options

Confused Between Different Types Of Login

foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
in CCNA Security
Is console a type of local login?
What is the difference between "line vty login local" and "aaa local-user".

Basically I am confused between these 3 types of login methods:
1) console
2) line vty login local
3) aaa local user login

They all seem "local" to me.
I cant tell the difference. 
· Share on FacebookShare on Twitter

Comments

  • Options
    TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    edited July 2022
    1) console

    you have to be physically "local" to the switch to login via a console cable. 

    2) line vty login local

    this allows IP connections to connect via ethernet, you can be in China and still connect, but your using local user name and password to access the switch. 

    3) aaa local user login

    this allows IP connections to connect via ethernet, you can be in China and still connect, but your using local user name and password to access the switch. This is very important to set up if your using an authentication server, without this line, you can lock yourself out of the switch if your authentication server is down. Or the switch loses connection to the network. Recovery would require local access, console cable, rebooting the switch into rommon mode. 
    Still searching for the corner in a round room.
    · Share on FacebookShare on Twitter
  • Options
    foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
    TechGromit said:
    1) console

    you have to be physically "local" to the switch to login via a console cable. 

    2) line vty login local

    this allows IP connections to connect via ethernet, you can be in China and still connect, but your using local user name and password to access the switch. 

    3) aaa local user login

    this allows IP connections to connect via ethernet, you can be in China and still connect, but your using local user name and password to access the switch. This is very important to set up if your using an authentication server, without this line, you can lock yourself out of the switch if your authentication server is down. Or the switch loses connection to the network. Recovery would require local access, console cable, rebooting the switch into rommon mode. 
    Hi,
    I am still confused because this statement is repeated for both "line vty login local" and "aaa local user login":

    "this allows IP connections to connect via ethernet, you can be in China and still connect, but your using local user name and password to access the switch. "

    If so, what is the difference between them?
    · Share on FacebookShare on Twitter
  • Options
    TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    edited July 2022
    foreverlearning said:

    I am still confused because this statement is repeated for both "line vty login local" and "aaa local user login":

    line vty login local - this allows a virtual remote session via ethernet. This is where you can telnet to the switch from anywhere on your network, or outside your network via a VPN. Your using the local username and Password to log in.

    aaa local user login - this allows a virtual remote session via ethernet, but only if the aaa server isn't reachable. If the aaa server is available, your account on either a TACAC or Radius server will be used. Your using the local username and Password to log in, but this local account is disabled if the aaa server is available / reachable. 


    Preferably ssh should be used to access the switch remotely. If you use ssh, you must add the following lines to your config

    ip ssh version 2
    crypto key generate rsa modulus X

    X = a number can be 512, 1024, 2048, etc.

    line vty 0 15
     access-class acl-vty-session in
     transport input ssh

    (this restricts up to 16 virtual sessions to only allow ssh remote connections.  Yes, you can have 16 simultaneous management connections to one switch, not really sure why this level of support is provided.)







    Still searching for the corner in a round room.
    · Share on FacebookShare on Twitter
  • Options
    foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
    TechGromit said:
    foreverlearning said:

    I am still confused because this statement is repeated for both "line vty login local" and "aaa local user login":

    line vty login local - this allows a virtual remote session via ethernet. This is where you can telnet to the switch from anywhere on your network, or outside your network via a VPN. Your using the local username and Password to log in.

    aaa local user login - this allows a virtual remote session via ethernet, but only if the aaa server isn't reachable. If the aaa server is available, your account on either a TACAC or Radius server will be used. Your using the local username and Password to log in, but this local account is disabled if the aaa server is available / reachable. 


    Preferably ssh should be used to access the switch remotely. If you use ssh, you must add the following lines to your config

    ip ssh version 2
    crypto key generate rsa modulus X

    X = a number can be 512, 1024, 2048, etc.

    line vty 0 15
     access-class acl-vty-session in
     transport input ssh

    (this restricts up to 16 virtual sessions to only allow ssh remote connections.  Yes, you can have 16 simultaneous management connections to one switch, not really sure why this level of support is provided.)







    Now I understand what "aaa local user login" is. Thank you very mch!
    · Share on FacebookShare on Twitter
Sign In or Register to comment.