CCNP Security

Protect remote access or virtual terminal access

Use authentication on all VTY lines, and limit access by source IP address with ACLs applied to the VTYs; this applies to remote access via both Telnet and Secure Shell (SSH).

In addition, always prefer SSH over Telnet: Telnet is simple, but it sends everything in clear text, so usernames and passwords, including those of accounts with privileged access, can be captured in transit.

SSH encrypts the session and is therefore more secure, but it requires an IOS image that supports the feature.

See the example below, in which we allow only two management servers to access the VTY lines; the server addresses are and

Be careful when implementing this configuration to apply it to all VTY lines: some switches show VTY lines 0 4 and 5 15 as separate blocks in the running configuration, which causes confusion when entering the command and can leave lines open to connections that are never checked against the ACL.
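The configuration described above, written out as an added example (not taken from the original page): a standard ACL that permits only two management hosts, applied with access-class to every VTY line in a single 0 15 block, with SSH as the only accepted transport. The two addresses are constructed placeholders from the RFC 5737 documentation range, and the hostname, domain name, ACL name, username and secret are assumed values to be replaced with your own.

```cisco
! Added example: restrict VTY access to two management hosts, SSH only.
! 192.0.2.10 and 192.0.2.11 are constructed placeholder addresses.
hostname SW1
ip domain-name example.net
!
! SSH requires an RSA key pair; 2048 bits is the usual minimum today
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Standard ACL: permit the two management hosts, log every other attempt
ip access-list standard MGMT-VTY
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny   any log
!
! Local account used for VTY login (replace the placeholder secret)
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! Apply to ALL VTY lines in one block (0 through 15), not only 0 4,
! so no line is left without the ACL check
line vty 0 15
 access-class MGMT-VTY in
 transport input ssh
 login local
 exec-timeout 10 0
```

After applying it, confirm with show running-config | section line vty that every VTY line carries both access-class and transport input ssh, and check show access-lists MGMT-VTY for logged denies from unexpected sources.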

The CCNP Security professional provides operational support for identity and network access control. They identify and troubleshoot the Cisco network security appliances and the Cisco IOS Software devices that make up the network's security. The professional configures Cisco perimeter edge security solutions using Cisco switches, Cisco routers, and Cisco Adaptive Security Appliance (ASA) firewalls. The certified expert is responsible for implementing and managing the security of the Cisco switches, Cisco routers, and Cisco ASA firewalls.