As a CCNA instructor, I'll walk you through the step-by-step process of configuring SSH on a Cisco switch using practical scenarios and technical explanations.
Why Configure SSH?
SSH (Secure Shell) encrypts remote management sessions, protecting login credentials and data from attackers. Unlike Telnet, which sends data in plain text, SSH provides secure authentication and encrypted communication over a network.
Lab Scenario
Objective: Configure SSH on a Cisco switch for secure remote access.
Device: Cisco switch (e.g., Cisco Catalyst 2960).
Software: Cisco Packet Tracer, GNS3, or a real switch with Console access.
Topology:
A PC (Host) is connected to the switch via Ethernet.
The switch has a management VLAN (VLAN 1) with an IP address.
The PC will use an SSH client (e.g., PuTTY) to access the switch.
Step 1: Set a Hostname
A unique hostname improves device identification and, together with the domain name, forms the name of the RSA key pair that SSH uses (for example SW1.nerd-cafe.ir).
Command:
Step 2: Configure a Domain Name
IOS will not generate the RSA key pair until a domain name is configured, because the key is named after the hostname and domain.
Command:
Explanation:
This domain name is used for SSH key generation.
It does not need to be a real internet domain.
Step 3: Generate SSH Keys
To enable SSH, the switch needs an RSA key pair. The key pair identifies the switch to clients (the host key) and is used in the key exchange that sets up the encrypted session.
Command:
Explanation:
Without an RSA key pair the SSH server cannot start, and SSH version 2 requires a modulus of at least 768 bits.
Use a modulus of at least 2048 bits. 1024 bits, as used in the lab transcript, is considered weak today and sits at the minimum size recent OpenSSH clients still accept.
4096 bits is stronger, but key generation and each new session setup take noticeably longer on small switches.
Step 4: Create a Local User for Authentication
SSH requires a username and password (or an SSH public key) to authenticate the administrator.
Command:
Explanation:
admin → Username.
secret → Stores a salted hash of the password in the configuration (type 5 on older images, type 8/9 on newer ones), unlike password, whose type 7 obfuscation is trivially reversible.
Cisco@123 → The password. It is fine for a lab, but a production device needs a long, unique passphrase.
Step 5: Enable SSH and Restrict Remote Access
Enable SSH on the VTY Lines (Virtual Terminal Lines):
Explanation:
line vty 0 4 → Selects virtual terminal lines 0 to 4, i.e. up to five simultaneous remote sessions.
transport input ssh → Restricts access to only SSH (disables Telnet).
login local → Uses local usernames and passwords for authentication.
Step 6: Set an IP Address for Remote Access
SSH requires an IP address on the switch’s management VLAN (VLAN 1 by default). The lab uses VLAN 1 for simplicity; in production, management traffic is normally placed in a dedicated VLAN rather than the default one.
Command:
Explanation:
interface vlan 1 → Selects the management VLAN.
ip address 192.168.1.100 255.255.255.0 → Assigns an IP to VLAN 1.
no shutdown → Activates VLAN 1.
Step 7: Verify SSH Configuration
Check SSH Version:
Verify SSH Users:
Check SSH on VTY Lines:
Step 8: Test SSH Access from a PC
Now, use a PC with an SSH client (e.g., PuTTY) to access the switch. On the PC, open PuTTY, enter 192.168.1.100 as the host, select SSH (port 22), and log in as admin with the password from Step 4.
Sample output of the key generation in Step 3 on the lab switch (note the key name SW1.nerd-cafe.ir built from the hostname and domain name):

```
SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.nerd-cafe.ir
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW1(config)#
```
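The complete configuration for Steps 1 to 7 in one IOS session, as an added example and not a transcript from the original page. The hostname SW1 and domain nerd-cafe.ir are taken from the key-generation output above; the management IP, username and password are the lab values. Two lines go beyond the page and are assumptions: an enable secret (without one a remote session cannot enter privileged mode) and an idle timeout on the VTY lines. The verification commands are the standard ones for this purpose; they are not quoted from the page.

```cisco
! Added example: full SSH hardening for the lab switch (not from the original page).
Switch> enable
Switch# configure terminal
! Step 1 and 2: hostname and domain name form the RSA key name (SW1.nerd-cafe.ir)
Switch(config)# hostname SW1
SW1(config)# ip domain-name nerd-cafe.ir
! Step 3: 2048-bit key instead of the 1024 bits used in the lab transcript
SW1(config)# crypto key generate rsa modulus 2048
! Force SSH version 2; version 1 has known protocol weaknesses
SW1(config)# ip ssh version 2
! Step 4: local user; "secret" stores a hash, not a reversible type 7 string
SW1(config)# username admin secret Cisco@123
! Assumption (not on the page): enable secret so the admin can reach privileged mode remotely
SW1(config)# enable secret Cisco@123
! Step 5: SSH only on the VTY lines, local authentication
SW1(config)# line vty 0 4
SW1(config-line)# transport input ssh
SW1(config-line)# login local
! Assumption (not on the page): drop idle sessions after 10 minutes
SW1(config-line)# exec-timeout 10 0
SW1(config-line)# exit
! Step 6: management address on VLAN 1
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.100 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# end
! Step 7: verification
SW1# show ip ssh
SW1# show running-config | include username
SW1# show running-config | begin line vty
! Save, or the configuration is lost at the next reload
SW1# copy running-config startup-config
```

In `show ip ssh`, look for "SSH Enabled - version 2.0" and the configured modulus size. From the PC, PuTTY to 192.168.1.100 on port 22, or `ssh admin@192.168.1.100` with OpenSSH. If a recent OpenSSH client fails with a host key algorithm error against an older IOS image, the cause is usually that the image only offers the SHA-1 ssh-rsa signature, which OpenSSH disables by default since 8.8; the fix is an IOS upgrade, not a weaker client setting, outside a lab.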