Telnet (Teletype Network) is a protocol used to remotely access the CLI of a remote device on the same LAN or over the Internet. Developed in 1969, Telnet is a predecessor to Secure Shell (SSH) and has largely fallen to disuse due to its lack of security.

Telnet sends its data in plain text (no encryption!) making it trivial for someone to intercept traffic and read sensitive data, like passwords. While not ‘obsolete’ per se, SSH is greatly preferred for remotely accessing devices due to its enhanced security.

Telnet listens for traffic on TCP port 23.


  • (config)#enable secret password
    • If enable password/secret isn’t configured, you won’t be able to access privileged exec mode when connecting via Telnet
  • (config)#username name secret password
    • Not strictly necessary, but useful. You can configure Telnet to accept logins based on configured users.
  • (config)#access-list acl permit host ip-address
    • Again, not necessary, but it’s not a bad idea to limit which devices are allowed to connect to the VTY Lines
  • (config)#line vty low-number high-number
    • Enter line configuration for the selected range of VTY lines. There are 16 lines (0-15) available, i.e. up to 16 people can connect to the same device with Telnet/SSH at once.
    • It is recommended that all VTY Lines have the same configuration (e.g. (config)#line vty 0 15)
  • (config-line)#login {local}
    • Enables password verified login. local option will set the device to use configured usernames for login, instead of a global password.
  • (config-line)#exec-timeout minutes seconds
    • Set an auto-logout timer. You should do this.
  • transport input [telnet | ssh | telnet ssh | all | none]
    • Configure what protocols are allowed to connect to the VTY Lines. Options select the particular protocols.
  • (config-line)#access-class acl in
    • Applies an ACL to the VTY Lines
    • Obnoxiously different from ip access-group (applying an ACL to an interface) and access-list (configuring an ACL)