How to Configure SSH on a Cisco device!

Secure Shell(SSH) – Is a protocol that helps us provide secure access connections to remote network devices.

The advantage of SSH over Telnet is that it encrypts the data between the SSH client and the SSH server. SSH uses TCP as the transport protocol and a well-known TCP port 22 for establishing session to a SSH server.

SSH comes in handy with automation as well as you can configure multiple devices with SSH management addresses and run your scripts to push out configuration commands to these multiple devices. (E.g Python, Ansible.)

Let’s use a simple (Router on a Stick) diagram to represent the configuration Below:

In this scenario I created two Vlan’s to seperate our Management Vlan from the Data Vlan, the reason I wanted to do this is to show how we can use an access-list to make sure only users from the Management Vlan could log into our devices via SSH, everyone else should be rejected.

Router Configuration

First configure the Hostnames on the devices that you want to ssh to. (This is a requirement else you wont be able to configure ssh)

R1(config)#enable secret cisco

R1(config)#username cisco secret cisco

R1(config)#line vty 0 4

R1(config)#transport input ssh

R1(config)# login local

R1(config)#exit

R1(config)#ip ssh version 2

R1(config)#ip domain-name test.com

R1(config)#crypto key generate rsa

Type 1024 or above (The higher the better the encryption )

Configure the Subinterfaces of the Router, we will be using Int Gig 0/0/0.1 and Gig 0/0/0.99

R1(config)#interface gig 0/0/0.1

R1(config)#ecapsulation dot1q 1

R1(config-subif)# ip address 192.168.0.99 255.255.255.0

R1(config-subif)#no shut

R1(config)#interface gig 0/0/0.99

R1(config)#ecapsulation dot1q 99

R1(config-subif)# ip address 10.0.0.99 255.255.255.0

R1(config-subif)#no shut

Create an Access List to only allow traffic from Management Vlan

R1(config)#access-list 1 permit 10.0.0.0 0.0.0.255 (permits traffic from this network – there is an implicit deny after this so no need to type it)

R1(config)#line vty 0 4

R1(config-line)#access-class 1 in

Switch Configuration

R1(config)#enable secret cisco

SW1(config)#username cisco secret cisco

SW1(config)#line vty 0 4

SW1(config)#transport input ssh

SW1(config)# login local

SW1(config)#exit

SW1(config)#ip ssh version 2

SW1(config)#ip domain-name test.com

SW1(config)#crypto key generate rsa

Type 1024 or above (The higher the better the encryption )

Create Vlans (for this example im only creating one – no need to create another as I will use vlan 1 which is the default vlan)

SW1(config)#vlan 99

SW1(config-vlan)#name Management_VLAN

Assign Vlan 99 – ip address 10.0.0.88 /24

SW1(config)#int vlan 99

SW1(config-if)#ip address 10.0.0.88 255.255.255.0

SW1(config-if)#no shut

Configure the trunk port and access ports

SW1(config)#interface fastethernet 0/1

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 99

SW1(config)#interface fastethernet 0/2

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 1

SW1(config)#interface fastethernet 0/24

SW1(config-if)#switchport mode trunk

SW1(config-if)#switchport trunk allowed vlan all (In this scenario we only have the two vlans

Assign Static IP addresses to PC’s

PC(A)

10.0.0.5 /24 – Default Gateway – 10.0.0.99

PC(B)

192.168.0.2 /24 – Default Gateway – 192.168.0.99

TEST our Configuration

Lastly lets us test our configuration by pinging PC(A) to its gateway. Do the same for PC(B)

Then Ping PC(A) to PC(B)

Now that we have confirmed all is working we can try ssh from PC(A) to the Router – 10.0.0.99 (we have access)

C:\>ssh -l cisco 10.0.0.99

Password:

R1>enable

Password:

R1#

we can test the same on connecting to the switch – 10.0.0.88 (we will also have access)

If we try and connect from PC(B) through SSH we are greeted with the following: (This is because our access list is blocking all traffic besides 10.0.0.0 /24)

C:\>ssh -l cisco 10.0.0.88

% Connection refused by remote host

C:\>