How to Configure SSH on Cisco Switch: Complete Step-by-Step Guide

Introduction to SSH Configuration on Cisco Switches

Configuring SSH on a Cisco switch ensures secure remote access to your network device, protecting sensitive data and management tasks from unauthorized access. Unlike Telnet, which transmits data in plain text, Secure Shell (SSH) encrypts communications, making it the preferred method for managing Cisco switches. This step-by-step guide provides a comprehensive walkthrough for enabling and configuring SSH on a Cisco switch, tailored for network administrators and IT professionals. By following these instructions, you’ll enhance the security and efficiency of your network management.

Why Configure SSH on a Cisco Switch?

SSH (Secure Shell) is essential for secure remote management of Cisco switches. It provides encrypted communication, protecting against eavesdropping and man-in-the-middle attacks. According to Cisco’s 2025 Network Security Report, 85% of enterprises now mandate SSH for device management to comply with cybersecurity standards. Properly configuring SSH on a Cisco switch ensures compliance, improves network reliability, and simplifies remote troubleshooting.

Prerequisites for SSH Configuration

Before configuring SSH, ensure the following:

  • Cisco Switch with SSH Support: The switch must run an IOS version that supports SSH (e.g., IOS 12.1(19)EA1 or later with a cryptographic image).
  • Administrative Access: You need privileged EXEC mode access (via console or Telnet).
  • IP Connectivity: The switch must have an IP address configured and be reachable.
  • Basic Configuration Knowledge: Familiarity with Cisco IOS commands is helpful.

Step-by-Step Guide to Configure SSH on a Cisco Switch

Follow these steps to enable and configure SSH on your Cisco switch. The commands are based on Cisco IOS, widely used across Cisco Catalyst and other switch series.

Step 1: Access the Switch and Enter Global Configuration Mode

Connect to the switch via a console cable or Telnet and enter privileged EXEC mode:

enable

Then, access global configuration mode:

configure terminal

Step 2: Configure a Hostname and Domain Name

SSH requires a hostname and domain name to generate cryptographic keys. Set a unique hostname:

hostname Switch1

Configure a domain name (replace example.com with your organization’s domain):

ip domain-name example.com

Step 3: Generate RSA Key Pair

Generate an RSA key pair for SSH encryption. Specify a key length of at least 2048 bits for enhanced security:

crypto key generate rsa

When prompted, enter a key modulus (e.g., 2048):

The name for the keys will be: Switch1.example.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048

Step 4: Configure a Local Username and Password

For SSH authentication, create a local user account:

username admin privilege 15 secret YourStrongPassword

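Replace admin with your desired username and YourStrongPassword with a secure password. The privilege 15 keyword grants the account full administrative access, and the secret keyword stores the password as a hash rather than in plain text.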

Step 5: Enable SSH and Disable Telnet

Configure the switch to use SSH for remote access. Enable the SSH protocol on the VTY lines (virtual terminal lines):

line vty 0 4
transport input ssh
login local

This restricts VTY access on lines 0 through 4 to SSH only and uses the local username database for authentication. Telnet is disabled on these lines as long as transport input telnet is not configured on them.

Step 6: Configure the Management Interface

Assign an IP address to the VLAN interface (e.g., VLAN 1) for remote access:

interface vlan 1
ip address 192.168.1.10 255.255.255.0
no shutdown

Replace 192.168.1.10 and 255.255.255.0 with your network’s IP address and subnet mask.

Step 7: Enable SSH Version 2

For enhanced security, explicitly enable SSH version 2 (SSHv2):

ip ssh version 2

SSHv2 provides stronger encryption and is recommended over SSHv1.

Step 8: Save the Configuration

Save your changes to ensure they persist after a reboot:

write memory

Or:

copy running-config startup-config

Step 9: Verify SSH Configuration

Verify that SSH is enabled and functioning:

show ip ssh

Sample output:

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Check the RSA key:

show crypto key mypubkey rsa

Test SSH connectivity from a remote device using an SSH client (e.g., PuTTY or OpenSSH):

ssh admin@192.168.1.10

Enter the configured password when prompted.
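
The following audit script is an added example, not part of the original guide or of any Cisco tooling. It checks saved show running-config text against Steps 2, 4, 5 and 7, and goes slightly beyond the guide by checking every line vty block, since many switches also have VTY lines 5 through 15 that Step 5 does not touch. The function names and the sample configuration are constructed for illustration, and the script assumes local authentication without AAA.

```python
import re

# Constructed sample: Steps 1-7 applied, but only to vty lines 0-4.
SAMPLE_CONFIG = """\
hostname Switch1
ip domain-name example.com
username admin privilege 15 secret 9 $9$constructedhash
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet
"""

def vty_blocks(config):
    """Map each 'line vty N M' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines()]
    has = lambda pattern: any(re.fullmatch(pattern, l) for l in lines)
    findings = []
    if not has(r"hostname \S+"):
        findings.append("no hostname set (Step 2)")
    if not has(r"ip domain[- ]name \S+"):  # newer IOS prints 'ip domain name'
        findings.append("no domain name set (Step 2)")
    if not has(r"username \S+ .*\bsecret\b.*"):
        findings.append("no local user with a 'secret' (Step 4)")
    if not has(r"ip ssh version 2"):
        findings.append("SSHv2 not enforced (Step 7)")
    for header, cmds in vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not ssh-only (Step 5)")
        if "login local" not in cmds:
            findings.append(f"{header}: 'login local' missing (Step 5)")
    return findings

print("\n".join(audit_ssh(SAMPLE_CONFIG)))
```

The RSA key pair is not stored in the running configuration, so it still has to be confirmed on the switch with show crypto key mypubkey rsa.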

Troubleshooting Common SSH Issues

  • SSH Connection Refused: Ensure the switch’s IP address is reachable and the VTY lines are configured for SSH (transport input ssh).
  • Key Generation Fails: Verify that a hostname and domain name are set before generating the RSA key.
  • Authentication Errors: Confirm the username and password are correct, and login local is configured on the VTY lines.
  • IOS Version Issue: If SSH commands are unavailable, check the IOS version using show version. Upgrade to a cryptographic IOS image if needed.

Refer to Cisco’s official documentation for IOS upgrades.