In this tutorial, you will learn how to configure SSH for remote access to a Cisco Switch or Router.
SSH is the preferred remote access method as it includes authentication and encrypts the communication. Telnet is insecure as it sends everything in plaintext.
For this tutorial, I will use the following topology:
- Switch management IP is configured on Vlan 100 with IP address 10.100.0.1.
- I will SSH to the switch from the computer that is plugged into port Gi0/1.
- I will use the putty ssh client to connect to the switch from my workstation.
Step 1: Configure Username and Password
If you don’t have a username and password configured, follow these steps.
switch1#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#username matt password Football22
The above creates the user matt with read-only access (Level 1).
Now set the enable secret password. This will be the password used to move from User Exec mode to Privileged Exec mode.
switch1#config t
switch1(config)#enable secret Football33
It is recommended to enable the password-encryption service. This encrypts username passwords, enable passwords, authentication keys, and similar values that would otherwise be stored in clear text in the configuration. Keep in mind that this is Cisco's type 7 encoding, which is reversible; it protects against someone casually reading the configuration, not against a determined attacker, so for user accounts the username ... secret form, which stores a hash, is the stronger choice.
switch1#config t
switch1(config)#service password-encryption
Step 2: Set hostname and domain name
You need to set a hostname and domain name on your switch.
switch1(config)#hostname switch1
switch1(config)#ip domain-name netlinko.com
Step 3: Generate SSH Keys
Your switch or router will need to have RSA keys that will be used during the SSH connection process. Generate RSA keys with the following commands.
switch1(config)#crypto key generate rsa
You will be prompted for the modulus size; I entered 2048 bits. You can choose a larger or smaller modulus depending on your requirements.
Step 4: Enable SSH Version 2
If you run the command sh ip ssh and it returns version 1.99, this means both SSHv1 and SSHv2 are enabled.
switch1#sh ip ssh
SSH Enabled - version 1.99
SSHv2 is much more secure, so it is best to disable v1 and allow only v2. This can be done with the ip ssh version 2 command.
switch1(config)#ip ssh version 2
Step 5: Enable SSH on VTY lines
Configure the VTY lines to enable local authentication and SSH.
switch1#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#line vty 0 4
switch1(config-line)#transport input ssh
switch1(config-line)#login local
You should now be able to SSH into your switch. I’ll test my connection using putty.
In putty, change the IP to your switch IP, set the port to 22, select SSH for the connection type, and then click the Open button.
You will get a warning about the RSA fingerprint. This is expected; click Accept. You won't see the warning again unless something changes (a new computer or new RSA keys generated on the switch).
Enter the username and password and I’m now connected over SSH to my switch.
Secure Remote Access (optional step)
I recommend setting an ACL (access control list) on the VTY lines to limit access to authorized hosts. Bob's computer in the Finance department has no need for SSH access to your switch, so it is best to block these connections.
I typically access equipment from a dedicated secure computer or my laptop. For this example, I'm going to limit SSH access to my computer with IP 10.100.0.5; all other IPs will be blocked from SSH access.
switch1(config)#ip access-list extended VTY_ACCESS
switch1(config-ext-nacl)#10 permit tcp host 10.100.0.5 any eq 22
The above commands create the access list "VTY_ACCESS" and permit the source IP 10.100.0.5 to any destination on port 22.
You can add IP ranges or an entire network or multiple single hosts. The next step is to apply this ACL to the VTY lines.
switch1(config)#line vty 0 4
switch1(config-line)#access-class VTY_ACCESS in
Save the configuration and you are done. Now, if I attempt to SSH from any IP other than 10.100.0.5, the connection will be refused.
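As an added example that is not part of the original tutorial, the Python script below audits a saved running-config for the settings the steps above apply: SSHv2 only, SSH-only transport with local login on every VTY line, an inbound access-class on every VTY line, and no reversible username ... password entries. The configuration text, including the type 7 and enable-secret values, is a constructed sample rather than output from a real device.

```python
import re

# Constructed sample running-config following this tutorial's steps
# (placeholder values, not captured from a real device).
SAMPLE_CONFIG = """\
hostname switch1
ip domain-name netlinko.com
service password-encryption
username matt password 7 0822455D0A16
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
ip ssh version 2
ip access-list extended VTY_ACCESS
 10 permit tcp host 10.100.0.5 any eq 22
line vty 0 4
 access-class VTY_ACCESS in
 transport input ssh
 login local
"""


def vty_blocks(config):
    """Yield the stripped sub-commands of every 'line vty ...' section."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            body = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield body
        else:
            i += 1


def audit_ssh_config(config):
    """Return {check_name: True (pass) / False (finding)} for the config."""
    lines = config.splitlines()
    blocks = list(vty_blocks(config))
    return {
        "domain_name_set": any(l.startswith("ip domain-name") for l in lines),
        "ssh_version_2_only": "ip ssh version 2" in lines,
        # 'transport input telnet ssh' would still allow plaintext Telnet, so
        # require the exact SSH-only form on every VTY block.
        "vty_ssh_only": bool(blocks) and all("transport input ssh" in b for b in blocks),
        "vty_login_local": bool(blocks) and all("login local" in b for b in blocks),
        "vty_access_class": bool(blocks) and all(
            any(c.startswith("access-class ") and c.endswith(" in") for c in b) for b in blocks),
        # Type 0/7 'username ... password' is reversible; 'username ... secret' is hashed.
        "no_reversible_user_passwords": not re.search(
            r"^username \S+ (?:privilege \d+ )?password ", config, re.M),
    }
```

Running audit_ssh_config on the sample flags only the reversible password for user matt; a config with transport input telnet ssh or without ip ssh version 2 fails the corresponding checks.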
In this article, I showed you how to enable SSH on your Cisco switch or router. SSH is the best remote access protocol as it encrypts the network communication. The telnet protocol sends data over the network in clear text, making it insecure and vulnerable to attacks. To learn more about telnet vs ssh see my article on the difference between telnet and ssh.
- Configuring Secure Shell on Routers and Switches – Cisco documentation