# Configuring SSH on a Cisco Switch

As a **CCNA instructor**, I'll walk you through the **step-by-step process** of configuring SSH on a Cisco switch using **practical scenarios** and **technical explanations**.

### <mark style="color:blue;">**Why Configure SSH?**</mark>

SSH (Secure Shell) encrypts remote management sessions, protecting login credentials and data from attackers. Unlike Telnet, which sends data in <mark style="color:red;">**plain text**</mark>, SSH provides <mark style="color:red;">**secure authentication**</mark> and <mark style="color:red;">**encrypted communication**</mark> over a network.

### <mark style="color:blue;">**Lab Scenario**</mark>

* **Objective:** Configure SSH on a Cisco switch for secure remote access.
* **Device:** Cisco switch (e.g., **Cisco Catalyst 2960**).
* **Software:** Cisco Packet Tracer, GNS3, or a real switch with console access.
* **Topology:**
  * A **PC (Host)** is connected to the switch via Ethernet.
  * The **switch** has a management VLAN (VLAN 1) with an IP address.
  * The **Cloud** will use an SSH client (e.g., PuTTY) to access the switch.

<figure><img src="/files/Ram6ywnsfvDQrNuMAXSi" alt=""><figcaption><p>Topology</p></figcaption></figure>

### <mark style="color:blue;">**Step 1: Set a Hostname**</mark>

A unique hostname improves device identification and is required for SSH configuration.

#### **Command:**

```bash
Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#
```

### <mark style="color:blue;">**Step 2: Configure a Domain Name**</mark>

SSH requires a **domain name** for generating encryption keys.

#### **Command:**

```bash
SW1(config)#ip domain-name nerd-cafe.ir
```

#### **Explanation:**

* This domain name is used for SSH key generation.
* It **does not** need to be a real internet domain.

### <mark style="color:blue;">**Step 3: Generate SSH Keys**</mark>

To enable SSH, the switch needs <mark style="color:red;">**RSA key pairs**</mark> for encryption.

#### **Command:**

```bash
SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.nerd-cafe.ir
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW1(config)#
```

#### **Explanation:**

* RSA keys enable <mark style="color:red;">**SSH encryption**</mark>.
* A key length of <mark style="color:red;">**1024 bits or more**</mark> is recommended for security.
* If you use <mark style="color:red;">**4096**</mark>, it’s more secure but can slow down performance.

### <mark style="color:blue;">**Step 4: Create a Local User for Authentication**</mark>

SSH requires a <mark style="color:red;">**username**</mark> and <mark style="color:red;">**password**</mark>.

#### **Command:**

```bash
SW1(config)#username admin secret Cisco@123
```

#### **Explanation:**

* `admin` → Username.
* `secret` → Stores a one-way <mark style="color:red;">**hash of the password**</mark> in the configuration (stronger than `password`, which stores a reversible encoding).
* `Cisco@123` → The password (should be complex).

### <mark style="color:blue;">**Step 5: Enable SSH and Restrict Remote Access**</mark>

#### **Enable SSH on the VTY Lines** (Virtual Terminal Lines):

```bash
SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#
```

#### **Explanation:**

* `line vty 0 4` → Configures **remote access** on virtual terminal lines **0-4** (five simultaneous sessions).
* `transport input ssh` → Restricts access to **only SSH** (disables Telnet).
* `login local` → Uses **local usernames and passwords** for authentication.

### <mark style="color:blue;">**Step 6: Set an IP Address for Remote Access**</mark>

SSH requires an IP address <mark style="color:red;">**on the switch’s management VLAN (VLAN 1 by default)**</mark>.

#### **Command:**

```bash
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.202.254 255.255.255.0
SW1(config-if)#no shutdown
```

#### **Explanation:**

* `interface vlan 1` → Selects the management VLAN.
* `ip address 192.168.202.254 255.255.255.0` → Assigns an IP address to VLAN 1.
* `no shutdown` → Activates VLAN 1.

### <mark style="color:blue;">**Step 7: Verify SSH Configuration**</mark>

#### **Check SSH Version:**

```bash
SW1#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxa5e5yo0bcMkYGaJXQaJVnanvxdy+CBLiLXKZbZiT
MPLEJj94ykhIheYAG52cN68fUXnrl5PIbHcQHsaJorZawlUebdPiVAceNpbO2TiwXdrwkuTUNuHaaS9H
LEteOI7L45CtMMgDksDJZrF7MK0U5TSayPoF7kZp8FpatIwM9Q==
SW1#
```

#### **Verify SSH Users:**

```bash
SW1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

SW1#
```

#### **Check SSH on VTY Lines:**

```bash
SW1#show running-config | include vty
line vty 0 4
SW1#
```
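As an added check for the verification step (example code written for this page, not Cisco's or the tutorial's own), this Python script parses `show ip ssh` output like the listing above plus a `show running-config | section vty` listing, and flags a switch that still reports version 1.99 (SSHv1 accepted alongside SSHv2) or VTY lines missing `transport input ssh` / `login local`. Both sample outputs are constructed from the tutorial's listings; the `section` filter is assumed to be available on the switch's IOS.

```python
import re

# Constructed sample, shaped like the tutorial's "show ip ssh" output
# (key blob shortened; a real switch prints the full base64 key).
SHOW_IP_SSH = """SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxa5e5yo0bcMkYGaJXQaJVnanvxdy+CBLiLXKZbZiT
"""

# Constructed sample of "show running-config | section vty" (assumption: the
# IOS supports the "section" filter; "include vty" shows only the header line).
VTY_SECTION = """line vty 0 4
 transport input ssh
 login local
"""


def parse_show_ip_ssh(text):
    """Pull the fields worth checking out of 'show ip ssh' output."""
    info = {"enabled": False, "version": None, "timeout": None,
            "retries": None, "dh_bits": None}
    m = re.search(r"SSH (Enabled|Disabled)(?: - version ([\d.]+))?", text)
    if m:
        info["enabled"] = m.group(1) == "Enabled"
        info["version"] = m.group(2)
    m = re.search(r"timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if m:
        info["timeout"], info["retries"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Diffie Hellman key size : (\d+) bits", text)
    if m:
        info["dh_bits"] = int(m.group(1))
    return info


def audit(ssh_text, vty_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    info = parse_show_ip_ssh(ssh_text)
    if not info["enabled"]:
        findings.append("SSH is not enabled: generate RSA keys first")
    elif info["version"] != "2.0":
        # "1.99" means the switch still negotiates SSHv1 with old clients.
        findings.append(f"version {info['version']} still accepts SSHv1; set 'ip ssh version 2'")
    lines = [line.strip() for line in vty_text.splitlines()]
    if "transport input ssh" not in lines:
        findings.append("vty lines do not restrict transport to SSH (Telnet may be open)")
    if "login local" not in lines:
        findings.append("vty lines do not use 'login local'")
    return findings
```

`show running-config | include vty` prints only the `line vty 0 4` header because the subcommands under it do not contain the word "vty"; the `section` filter shows those lines as well.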

### <mark style="color:blue;">**Step 8: Test SSH Access from a PC**</mark>

Now, use a **PC with an SSH client** (e.g., PuTTY) to access the switch. On the **Cloud**, open **PuTTY** and connect to the switch's VLAN 1 address (192.168.202.254) as user `admin`.

<figure><img src="/files/lQ4yNXeoeVR4ePNLFETd" alt=""><figcaption><p>Putty</p></figcaption></figure>

### <mark style="color:blue;">Keywords</mark>

`configure SSH`, `Cisco switch`, `SSH setup`, `secure remote access`, `enable SSH`, `SSH authentication`, `RSA key`, `SSH encryption`, `Cisco CLI`, `VLAN IP address`, `VTY lines`, `SSH security`, `SSH login`, `domain name`, `SSH version 2`, `SSH verification`, `SSH troubleshooting`, `PuTTY SSH`, `access control`, `network security`, `Cisco`
