Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A virtual terminal line on Cisco devices that enables remote SSH or Telnet management. Default 'line vty 0 4' gives 5 sessions; up to 16 (0-15).
Line VTY Definition: A virtual terminal line on Cisco devices that enables remote SSH or Telnet management. Default 'line vty 0 4' gives 5 sessions; up to 16 (0-15).
A VTY (Virtual Teletype) line is a logical, software-defined terminal line on a router, switch, or other network device that provides remote command-line access over the network. Unlike physical console or auxiliary ports, VTY lines have no hardware; they exist purely to accept inbound Telnet or SSH sessions for device configuration and management.
VTY lines are entered in IOS configuration with the line vty command followed by a range. The classic line vty 0 4 enables five simultaneous lines (numbered 0 through 4), a default rooted in early Cisco hardware, while modern platforms support up to sixteen lines (0 through 15). Within line configuration, transport input ssh restricts connections to SSH only, login local or an AAA method enforces authentication, exec-timeout sets idle disconnects, and an access-class applies an ACL to limit which source addresses may connect.
For security, VTY lines are a primary remote-attack surface: they are how an administrator, or an intruder, reaches the control plane of the device. Leaving them on cleartext Telnet exposes credentials to sniffing, and weak or absent authentication can hand an attacker full configuration control. Hardening VTY lines with SSH-only transport, strong AAA, source-IP access-class ACLs, and short idle timeouts is a standard requirement in CIS benchmarks and Cisco device-hardening guidance.
A concrete example: an engineer secures a router by entering line vty 0 15, then applies transport input ssh, login local, exec-timeout 5 0, and access-class MGMT-ACL in to permit only the management subnet. As a result, only SSH sessions originating from authorized administrative hosts, authenticated against the local user database, can manage the device, and idle sessions drop after five minutes, sharply reducing the chance of hijacked or unauthorized remote access.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →