How to Enable SSH on Cisco Switch & Router

In this tutorial, you will learn how to configure SSH for remote access to a Cisco Switch or Router.

SSH is the preferred remote access method as it includes authentication and encrypts the communication. Telnet is insecure as it sends everything in plaintext.

For this tutorial, I will use the following topology:

  • Switch management IP is configured on Vlan 100 with IP address 10.100.0.1.
  • I will SSH to the switch from the computer that is plugged into port Gi0/1.
  • I will use the PuTTY SSH client to connect to the switch from my workstation.

Step 1: Configure Username and Password

If you don’t have a username and password configured, follow these steps.

switch1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)#username matt password Football22

The above creates the user matt with read-only access (Level 1).

Now set the enable secret password. This will be the password used to move from User Exec mode to Privileged Exec mode.

switch1#config t
switch1(config)#enable secret Football33

It’s recommended to enable the password-encryption service. This encrypts any password stored in clear text in the configuration, including username passwords, enable passwords, and authentication keys.

switch1#config t
switch1(config)#service password-encryption

Step 2: Set hostname and domain name

You need to set a hostname and domain name on your switch.

switch1(config)#hostname switch1
switch1(config)#ip domain-name netlinko.com

Step 3: Generate SSH Keys

Your switch or router needs an RSA key pair, which is used during the SSH connection process. Generate the RSA keys with the following command.

switch1(config)#crypto key generate rsa

You will be prompted for the key size in bits; I entered 2048. You can enter a higher or lower value depending on your requirements.

[Screenshot: Cisco RSA key generation]

Step 4: Enable SSH Version 2

If you run the command sh ip ssh and it returns version 1.99, this means both SSHv1 and SSHv2 are enabled.

switch1#sh ip ssh
SSH Enabled - version 1.99

SSHv2 is much more secure, so it is best to disable v1 and only allow v2. This can be done with the ip ssh version 2 command.

switch1(config)#ip ssh version 2

Step 5: Enable SSH on VTY lines

Configure the VTY lines to enable local authentication and SSH.

switch1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)#line vty 0 4
switch1(config-line)#transport input ssh
switch1(config-line)#login local
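As an added example (not part of the original tutorial), the following Python script audits a running-config excerpt for the settings Steps 1 to 5 put in place: SSHv2 only, password encryption, and ssh-only transport with local login on every VTY block. The config text is constructed here to mirror the tutorial, with line vty 5 15 deliberately left weaker so the audit has something to report.

```python
import re

# Constructed running-config excerpt (not captured from a real device) that
# mirrors the tutorial's steps; the second VTY block is deliberately weaker.
RUNNING_CONFIG = """\
hostname switch1
service password-encryption
ip domain-name netlinko.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
"""

def parse_vty_blocks(config):
    """Return {vty_range: [sub-commands]} for each 'line vty' block in the config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line vty"):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented line belongs to the block
        else:
            current = None                        # any other top-level line ends the block
    return blocks

def audit_ssh_config(config):
    """Return findings as strings; an empty list means the tutorial's checks all pass.
    Assumes the tutorial's 'login local' model (no AAA), as on this page."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: 'ip ssh version 2' missing (SSHv1 fallback allowed)")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("global: 'service password-encryption' missing")
    for rng, cmds in parse_vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"line vty {rng}: transport input is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"line vty {rng}: 'login local' missing")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(RUNNING_CONFIG):
        print(finding)
```

Feed it the output of show running-config to check that telnet has not been left enabled on a VTY range the tutorial did not touch.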

You should now be able to SSH into your switch. I’ll test my connection using PuTTY.

In PuTTY, enter your switch IP, set the port to 22, select SSH as the connection type, then click the Open button.

[Screenshot: PuTTY SSH connection settings]

You will get a warning about the RSA fingerprint. This is expected on the first connection; click Accept. You won’t see the warning again unless something changes (a new computer or newly generated RSA keys).

[Screenshot: PuTTY host key warning]

Enter the username and password, and I’m now connected over SSH to my switch.

[Screenshot: SSH session to the Cisco switch]

Secure Remote Access (optional step)

I recommend setting an ACL (access control list) on the VTY lines to limit access to authorized hosts only. Bob’s computer in the Finance department has no need for SSH access to your switch, so it is best to block these connections.

I typically access equipment from a dedicated secure computer or my laptop. For this example, I’m going to limit SSH access to my computer with IP 10.100.0.5; all other IPs will be blocked from SSH access.

switch1(config)#ip access-list extended VTY_ACCESS
switch1(config-ext-nacl)#10 permit tcp host 10.100.0.5 any eq 22

The above commands create the access list “VTY_ACCESS” and permit the source IP 10.100.0.5 to any destination on port 22.

You can also add IP ranges, an entire network, or multiple single hosts. The next step is to apply this ACL to the VTY lines.

switch1(config)#line vty 0 4
switch1(config-line)#access-class VTY_ACCESS in

Save the configuration and you are done. Now if I attempt to SSH from any IP other than 10.100.0.5, the connection will be refused.
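As an added example (not part of the original tutorial), this Python script evaluates a source IP against the VTY_ACCESS ACL the way the switch does: first matching entry wins, and anything unmatched falls to the implicit deny at the end. The ACL here is constructed; it keeps the tutorial's host entry and adds a wildcard-masked network and an explicit deny to show the "IP ranges or an entire network" case.

```python
import ipaddress

# Constructed ACL in the tutorial's syntax: the single host from the page plus a
# deny for one host and a wildcard-masked /24 to illustrate network entries.
VTY_ACCESS = [
    "10 permit tcp host 10.100.0.5 any eq 22",
    "20 deny   tcp host 10.100.1.7 any eq 22",
    "30 permit tcp 10.100.1.0 0.0.0.255 any eq 22",
]

def parse_source(tokens):
    """Consume the source field of an extended ACE; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # address + Cisco wildcard mask: a wildcard is the bitwise inverse of a netmask
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def ace_matches(ace, src_ip, dst_port):
    """Return 'permit'/'deny' if the ACE matches the connection, else None."""
    tokens = ace.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]                       # drop the sequence number
    action, source_tokens = tokens[0], tokens[2:]  # tokens[1] is the protocol (tcp)
    source, rest = parse_source(source_tokens)
    # Destination is 'any' as on the page; an optional 'eq <port>' may follow it.
    port_ok = "eq" not in rest or rest[rest.index("eq") + 1] == str(dst_port)
    if ipaddress.ip_address(src_ip) in source and port_ok:
        return action
    return None

def vty_access_decision(acl, src_ip, dst_port=22):
    """First matching entry wins; no match means the implicit deny applies."""
    for ace in acl:
        verdict = ace_matches(ace, src_ip, dst_port)
        if verdict:
            return verdict
    return "deny"

if __name__ == "__main__":
    for ip in ("10.100.0.5", "10.100.0.6", "10.100.1.7", "10.100.1.42"):
        print(ip, "->", vty_access_decision(VTY_ACCESS, ip))
```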

Summary

In this article, I showed you how to enable SSH on your Cisco switch or router. SSH is the best remote access protocol as it encrypts the network communication. The telnet protocol sends data over the network in clear text, making it insecure and vulnerable to attacks. To learn more about telnet vs ssh see my article on the difference between telnet and ssh.

Resources

Recommended Tool: SolarWinds Network Performance Monitor (NPM)

SolarWinds NPM is a powerful and easy-to-use software that can help you monitor, troubleshoot, and optimize your network performance.

Reduce network downtime, monitor network performance and availability, discover and map your network devices, analyze network capacity and hardware health, and much more.

You can start a free trial of NPM today and see for yourself how it can help you monitor your network more effectively.