Configuring SSH on a Cisco Switch

Nerd Cafe

PreviousConfiguring 802.1Q Trunking NextConfiguring Router-on-a-stick (ROAS) for VLANs

Last updated 1 month ago

Configuring SSH on a Cisco Switch

Nerd Cafe

As a CCNA instructor, I'll walk you through the step-by-step process of configuring SSH on a Cisco switch using practical scenarios and technical explanations.

Why Configure SSH?

SSH (Secure Shell) encrypts remote management sessions, protecting login credentials and data from attackers. Unlike Telnet, which sends data in plain text, SSH provides secure authentication and encrypted communication over a network.

Lab Scenario

Objective: Configure SSH on a Cisco switch for secure remote access.
Device: Cisco switch (e.g., Cisco Catalyst 2960).
Software: Cisco Packet Tracer, GNS3, or a real switch with Console access.
Topology:
- A PC (Host) is connected to the switch via Ethernet.
- The switch has a management VLAN (VLAN 1) with an IP address.
- The Cloud will use an SSH client (e.g., PuTTY) to access the switch.

Step 1: Set a Hostname

A unique hostname improves device identification and is required for SSH configuration.

Command:

Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#

Step 2: Configure a Domain Name

SSH requires a domain name for generating encryption keys.

Command:

SW1(config)#ip domain-name nerd-cafe.ir

Explanation:

This domain name is used for SSH key generation.
It does not need to be a real internet domain.

Step 3: Generate SSH Keys

To enable SSH, the switch needs RSA key pairs for encryption.

Command:

SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.nerd-cafe.ir
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW1(config)#

Explanation:

RSA keys enable SSH encryption.
A key length of 1024 bits or more is recommended for security.
If you use 4096, it’s more secure but can slow down performance.

Step 4: Create a Local User for Authentication

SSH requires a username and password.

Command:

SW1(config)#username admin secret Cisco@123

Explanation:

admin → Username.
secret → Uses an encrypted password (stronger than password).
Cisco@123 → The password (should be complex).

Step 5: Enable SSH and Restrict Remote Access

Enable SSH on the VTY Lines (Virtual Terminal Lines):

SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#

Explanation:

line vty 0 4 → Configures remote access on ports 0-4.
transport input ssh → Restricts access to only SSH (disables Telnet).
login local → Uses local usernames and passwords for authentication.

Step 6: Set an IP Address for Remote Access

SSH requires an IP on the switch’s management VLAN (VLAN 1 by default).

Command:

SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.202.254 255.255.255.0
SW1(config-if)#no shutdown

Explanation:

interface vlan 1 → Selects the management VLAN.
ip address 192.168.1.100 255.255.255.0 → Assigns an IP to VLAN 1.
no shutdown → Activates VLAN 1.

Step 7: Verify SSH Configuration

Check SSH Version:

SW1#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxa5e5yo0bcMkYGaJXQaJVnanvxdy+CBLiLXKZbZiT
MPLEJj94ykhIheYAG52cN68fUXnrl5PIbHcQHsaJorZawlUebdPiVAceNpbO2TiwXdrwkuTUNuHaaS9H
LEteOI7L45CtMMgDksDJZrF7MK0U5TSayPoF7kZp8FpatIwM9Q==
SW1#

Verify SSH Users:

SW1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

SW1#

Check SSH on VTY Lines:

SW1#show running-config | include vty
line vty 0 4
SW1#

Step 8: Test SSH Access from a PC

Now, use a PC with an SSH client (e.g., PuTTY) to access the switch. On the Cloud, Open PuTTY.

Keywords

configure SSH, Cisco switch, SSH setup, secure remote access, enable SSH, SSH authentication, RSA key, SSH encryption, Cisco CLI, VLAN IP address, VTY lines, SSH security, SSH login, domain name, SSH version 2, SSH verification, SSH troubleshooting, PuTTY SSH, access control, network security, سیسکو

PreviousConfiguring 802.1Q Trunking NextConfiguring Router-on-a-stick (ROAS) for VLANs

Last updated 1 month ago

As a CCNA instructor, I'll walk you through the step-by-step process of configuring SSH on a Cisco switch using practical scenarios and technical explanations.

Why Configure SSH?

Lab Scenario

Objective: Configure SSH on a Cisco switch for secure remote access.
Device: Cisco switch (e.g., Cisco Catalyst 2960).
Software: Cisco Packet Tracer, GNS3, or a real switch with Console access.
Topology:
- A PC (Host) is connected to the switch via Ethernet.
- The switch has a management VLAN (VLAN 1) with an IP address.
- The Cloud will use an SSH client (e.g., PuTTY) to access the switch.

Step 1: Set a Hostname

A unique hostname improves device identification and is required for SSH configuration.

Command:

Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#

Step 2: Configure a Domain Name

SSH requires a domain name for generating encryption keys.

Command:

SW1(config)#ip domain-name nerd-cafe.ir

Explanation:

This domain name is used for SSH key generation.
It does not need to be a real internet domain.

Step 3: Generate SSH Keys

To enable SSH, the switch needs RSA key pairs for encryption.

Command:

SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.nerd-cafe.ir
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW1(config)#

Explanation:

RSA keys enable SSH encryption.
A key length of 1024 bits or more is recommended for security.
If you use 4096, it’s more secure but can slow down performance.

Step 4: Create a Local User for Authentication

SSH requires a username and password.

Command:

SW1(config)#username admin secret Cisco@123

Explanation:

admin → Username.
secret → Uses an encrypted password (stronger than password).
Cisco@123 → The password (should be complex).

Step 5: Enable SSH and Restrict Remote Access

Enable SSH on the VTY Lines (Virtual Terminal Lines):

SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#

Explanation:

line vty 0 4 → Configures remote access on ports 0-4.
transport input ssh → Restricts access to only SSH (disables Telnet).
login local → Uses local usernames and passwords for authentication.

Step 6: Set an IP Address for Remote Access

SSH requires an IP on the switch’s management VLAN (VLAN 1 by default).

Command:

SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.202.254 255.255.255.0
SW1(config-if)#no shutdown

Explanation:

interface vlan 1 → Selects the management VLAN.
ip address 192.168.1.100 255.255.255.0 → Assigns an IP to VLAN 1.
no shutdown → Activates VLAN 1.

Step 7: Verify SSH Configuration

Check SSH Version:

SW1#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxa5e5yo0bcMkYGaJXQaJVnanvxdy+CBLiLXKZbZiT
MPLEJj94ykhIheYAG52cN68fUXnrl5PIbHcQHsaJorZawlUebdPiVAceNpbO2TiwXdrwkuTUNuHaaS9H
LEteOI7L45CtMMgDksDJZrF7MK0U5TSayPoF7kZp8FpatIwM9Q==
SW1#

Verify SSH Users:

SW1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

SW1#

Check SSH on VTY Lines:

SW1#show running-config | include vty
line vty 0 4
SW1#

Step 8: Test SSH Access from a PC

Now, use a PC with an SSH client (e.g., PuTTY) to access the switch. On the Cloud, Open PuTTY.