How to Configure SSH on a Cisco device!

Secure Shell(SSH)  – Is a protocol that helps us provide secure access connections to remote network devices.

The advantage of SSH over Telnet is that it encrypts the data between the SSH client and the SSH server. SSH uses TCP as the transport protocol and a well-known TCP port 22 for establishing session to a SSH server.

SSH comes in handy with automation as well as you can configure multiple devices with SSH  management addresses and run your scripts to push out configuration commands to these multiple devices. (E.g Python, Ansible.)

Let’s use a simple (Router on a Stick) diagram to represent the configuration Below:


SSH Diagram

In this scenario I created two Vlan’s to seperate our Management Vlan from the Data Vlan, the reason I wanted to do this is to show how we can use an access-list to make sure only users from the Management Vlan could log into our devices via SSH, everyone else should be rejected.

Router Configuration

First configure the Hostnames on the devices that you want to ssh to. (This is a requirement else you wont be able to configure ssh)

R1(config)#enable secret cisco

R1(config)#username cisco secret cisco

R1(config)#line vty 0 4

R1(config)#transport input ssh

R1(config)# login local


R1(config)#ip ssh version 2

R1(config)#ip domain-name

R1(config)#crypto key generate rsa

Type 1024 or above (The higher the better the encryption )

Configure the Subinterfaces of the Router, we will be using Int Gig 0/0/0.1 and Gig 0/0/0.99

R1(config)#interface gig 0/0/0.1

R1(config)#ecapsulation dot1q 1

R1(config-subif)# ip address

R1(config-subif)#no shut

R1(config)#interface gig 0/0/0.99

R1(config)#ecapsulation dot1q 99

R1(config-subif)# ip address

R1(config-subif)#no shut

  • Create an Access List to only allow traffic from Management Vlan

R1(config)#access-list 1 permit (permits traffic from this network – there is an implicit deny after this so no need to type it)

R1(config)#line vty 0 4

R1(config-line)#access-class 1 in

Switch Configuration

R1(config)#enable secret cisco

SW1(config)#username cisco secret cisco

SW1(config)#line vty 0 4

SW1(config)#transport input ssh

SW1(config)# login local


SW1(config)#ip ssh version 2

SW1(config)#ip domain-name

SW1(config)#crypto key generate rsa

Type 1024 or above (The higher the better the encryption )

  • Create Vlans (for this example im only creating one – no need to create another as I will use vlan 1 which is the default vlan)

SW1(config)#vlan 99

SW1(config-vlan)#name Management_VLAN

  • Assign Vlan 99 – ip address /24

SW1(config)#int vlan 99

SW1(config-if)#ip address

SW1(config-if)#no shut

  • Configure the trunk port and access ports
SW1(config)#interface fastethernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 99
SW1(config)#interface fastethernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 1
SW1(config)#interface fastethernet 0/24
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan all (In this scenario we only have the two vlans
  • Assign Static IP addresses to PC’s

PC(A) /24 – Default Gateway –

PC(B) /24 – Default Gateway –

  • TEST our Configuration

Lastly lets us test our configuration by pinging PC(A) to its gateway. Do the same for PC(B)

Then Ping PC(A) to PC(B)

Now that we have confirmed all is working we can try ssh from PC(A) to the Router – (we have access)

C:\>ssh -l cisco





we can test the same on connecting to the switch – (we will also have access)

If we try and connect from PC(B) through SSH we are greeted with the following: (This is because our access list is blocking all traffic besides /24)

C:\>ssh -l cisco

% Connection refused by remote host