How to configure SSH on Cisco Routers and Switches

Updated on 03rd February 2015

Once you complete initial setup and configuration of your Cisco switch or router using a console, you may want to manage the device remotely. Using Telnet is a security risk because passwords and commands are sent over the network in cleartext and can easily be hacked. So you would want to disable Telnet and enable only SSH for remote management.

Assuming you have already completed initial configuration of your Cisco device by console, the steps for SSH configuration on a Cisco Switch are:

1) Set the hostname and domain name

   switch# config t
   switch(config)# hostname OTGswitch
   OTGswitch(config)# ip domain-name

2) Generate RSA keys for encryption

  OTGswitch(config)# crypto key generate rsa
  The name for the keys will be:
   Choose the size of the key modulus in the range of 360 to 2048 for your
     General Purpose Keys. Choosing a key modulus greater than 512 may take
     a few minutes.
  How many bits in the modulus [512]: 

Choose 1024 if you want higher security.

3) Configure VTYs (Virtual Terminal Lines)

  OTGswitch(config)# line vty 0 4
  OTGswitch(config-line)# login local
  OTGswitch(config-line)# transport input ssh
  OTGswitch(config-line)# exit

This means we will use local database on this switch for authentication and disable Telnet by specifying SSH only on VTYs 0 to 4.

If your device supports 16 VTYs amend the command as follows:

 OTGswitch(config)# line vty 0 15
 OTGswitch(config-line)# login local
 OTGswitch(config-line)# transport input ssh
 OTGswitch(config-line)# exit

4)Create an account

  OTGswitch(config)# username OTGuser privilege 15 secret OTGpass

Here username is OTGuser, password is OTGpass and privilege 15 means the user has full access rights.

5)Set time-out interval

  OTGswitch(config)# line vty 0 4
  OTGswitch(config-line)# exec-timeout 5

This sets a timeout interval of 5 minutes so your session expires in 5 minutes if you left it idle.

Also extend this to VTYs 0 to 15 if your device supports 16 VTYs.

Now you can check SSH from a remote client. Optionally you can use access control lists to limit the sub-networks from which remote access is permitted.

The above procedure to enable SSH works on Cisco Switches running on IOS. The same can be applied to Cisco Routers as well. The key thing to bear in mind is to find out how many simultaneous remote sessions(VTY)are supported in your IOS version.

Post a comment


Your Comment

Email (We dont publish it)


haggai | October 2, 2016 5:22 PM |


Robin | February 16, 2017 5:42 PM |


doctor | March 14, 2017 12:38 PM |

Keep in mind that some folks are running old equipment...which means ssh may not be supported. If crypto command does not work , there is your answer...or you can verify the running ios .example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image. NOTE: krypto K9