nerdexam
Cisco

350-401 · Question #1235

Lab Simulation 17 Guidelines This is a lab item in which tasks will be performed on virtual devices. - Refer to the Tasks tab to view the tasks for this lab item. - Refer to the Topology tab to access

Lab 17 - R2 VTY Line Security Configuration Overall Goal The task hardens remote access to R2 by ensuring only authenticated users with the right privilege level can connect via Telnet or Rlogin, and that idle sessions are automatically terminated. This is a foundational AAA (Aut

Submitted by ricky.ec· Mar 6, 2026Security

Question

Lab Simulation 17 Guidelines This is a lab item in which tasks will be performed on virtual devices. - Refer to the Tasks tab to view the tasks for this lab item. - Refer to the Topology tab to access the device console(s) and perform the tasks. - Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window. - All necessary preconfigurations have been applied. - Do not change the enable password or hostname for any device. - Save your configurations to NVRAM before moving to the next item. - Click Next at the bottom of the screen to submit this lab and move to the next question. - When Next is clicked, the lab closes and cannot be reopened. Topology Tasks Answer: Default int range et0/0-1 Int range e0/0 - 1 Sw trunk encap dot1 Switch mode trunk Channel-group 2 mode passive No shut Spanning-tree vlan 10 priority 0 Spanning-tree vlan 30 priority 0

Exhibits

350-401 question #1235 exhibit 1
350-401 question #1235 exhibit 2
350-401 question #1235 exhibit 3
350-401 question #1235 exhibit 4

Explanation

Lab 17 - R2 VTY Line Security Configuration

Overall Goal

The task hardens remote access to R2 by ensuring only authenticated users with the right privilege level can connect via Telnet or Rlogin, and that idle sessions are automatically terminated. This is a foundational AAA (Authentication, Authorization, Accounting) pattern on Cisco IOS.


Step-by-Step Breakdown

1. config t Enters global configuration mode. All substantive changes require this - you cannot create users or configure lines from privileged EXEC mode alone.

2. username NetworkAdmin privilege 15 password CiscoENCOR Creates a local user account in the router's local database.

  • privilege 15 grants full administrative access (the highest level - equivalent to enable mode). Without this, the user would land in restricted EXEC mode after login.
  • This must come before configuring login local on the VTY lines. If you configure login local first with no users defined, you lock yourself out of VTY access.

3. line vty 0 4 Selects VTY lines 0 through 4 (the 5 default virtual terminal lines that handle remote sessions like Telnet/SSH). All subsequent commands apply to these lines.

4. login local Tells the router to authenticate remote users against the local user database (created in step 2).

  • Without this, the line either uses no authentication (login with no password set = open access) or prompts for a line password. login local is what ties the VTY lines to the username you created.

5. transport input telnet rlogin Explicitly permits Telnet and Rlogin protocols on the VTY lines.

  • By default, some IOS versions allow all transports; others allow none. Being explicit is required by this task and is best practice.
  • If omitted, Telnet connections may be refused depending on the IOS version.

6. exec-timeout 1200 0 Sets the idle session timeout to 1200 minutes and 0 seconds - wait, actually: the syntax is exec-timeout <minutes> <seconds>.

  • exec-timeout 1200 0 = 1200 minutes 0 seconds... but the task says "20 minutes (1200 seconds)."
  • Correct interpretation: 1200 seconds = 20 minutes, so the intended command is likely exec-timeout 20 0. However, if the exam answer key shows exec-timeout 1200 0, follow it literally for exam purposes - but know that exec-timeout 20 0 is the technically correct way to express 20 minutes.

Clarification: exec-timeout <min> <sec>. To set 20 minutes: exec-timeout 20 0. The "1200 seconds" figure in the task description is likely explaining why 20 minutes, not the literal argument.


What Goes Wrong if Steps Are Skipped

Skipped StepConsequence
Step 2 (create user)login local has no accounts to authenticate against -> VTY access denied to everyone
Step 4 (login local)No authentication enforced -> anyone can telnet in without credentials
Step 5 (transport input)Telnet/Rlogin may be blocked depending on IOS defaults
Step 6 (exec-timeout)Idle sessions stay open indefinitely -> security risk, line exhaustion

Memory Tip

Think of it as: "Who, Where, How, What, Timeout"

  1. Who can log in -> username
  2. Where they log in -> line vty 0 4
  3. How they authenticate -> login local
  4. What protocols are allowed -> transport input
  5. Timeout idle sessions -> exec-timeout

Always create the user before enabling local login - otherwise you build a locked door before making the key.

Topics

#User Authentication#VTY Configuration#Session Management#Router Security

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice