
SSH config

glen.grant
VIP Alumni

When configuring SSH on a router and it creates the keys etc., I don't see anything in the config that indicates SSH was enabled other than the vty "transport" parameters. Say you had to replace a router and you use a backup TFTP file to config the box: how does it know to create the key if there is nothing in the config file to tell it to do this? Is this a manual process if you have to replace the box, where you have to add the "crypto key generate rsa" command? Somehow it knows over reboots to config a key; I just don't see anything in the config to tell it to do that. Trying to get a process down if equipment has to be replaced. Is it placed somewhere in NVRAM in a different filename?

4 Replies

bvsnarayana03
Level 5

The crypto key is unique; you may not copy it from one device to another. So you have to configure SSH on each device separately.

I understand that, I just don't see it in the config. If you have to replace the device, how does it know to create the key from the config file if there is nothing in the file to say to create it? My question, I guess: after loading the config file into the replacement supervisor or router, do you have to manually add the "crypto key generate rsa" command, as it does not show up in your running config? Maybe I am missing something simple here.

There you are, you may have to generate the keys separately on each device.

How different are the "show crypto" commands on the 2 routers?

However, on high-end routers/switches, when you use the redundancy force-failover main-cpu (Catalyst 8540 MSR) command to manually force the secondary route processor to take over as the primary route processor, the SSH RSA key pair is automatically generated on the new primary route processor. This ensures that the SSH server is enabled on the switch router even after route processor switchover and allows you to start configuring the new primary route processor using a new SSH connection without reloading the switch router. (content taken from whitepaper)

I think I found my answer: the crypto key is not stored in startup config; it is apparently stored in the private-config file in NVRAM, so that does not get saved, so when you config the replacement device you will have to manually config the keys again with the crypto key generate rsa command.
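An added example, not part of the thread and not Cisco code: a Python check that reads a backup config before it is loaded onto replacement hardware and lists the manual steps the backup cannot carry, following the point above that the RSA key pair is not in the startup config. The sample config is constructed, and the hostname and domain-name checks reflect IOS requiring both before `crypto key generate rsa`, which the thread does not mention.

```python
import re

# Constructed sample of a backup config (not taken from the thread).
SAMPLE_BACKUP = """\
hostname edge-rtr-01
!
ip domain-name example.net
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

def vty_transports(config):
    """Map each 'line vty' block to its 'transport input' protocols (empty set if none is set)."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():      # any unindented line ends the previous block
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                result[current] = set()
        elif current:
            m = re.match(r"\s+transport input\s+(.+)", raw)
            if m:
                result[current] = set(m.group(1).split())
    return result

def post_restore_steps(config):
    """Manual steps needed after loading this backup on a replacement device."""
    vty = vty_transports(config)
    ssh_lines = [name for name, protos in vty.items() if protos & {"ssh", "all"}]
    if not ssh_lines:
        return []                             # backup does not expect SSH on any vty
    steps = []
    if not re.search(r"^hostname \S+", config, re.M):
        steps.append("configure hostname")
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        steps.append("configure ip domain-name")
    steps.append("crypto key generate rsa")   # never present in the backup itself
    ssh_only = [n for n in ssh_lines if vty[n] == {"ssh"}]
    if ssh_only:                              # unreachable remotely until the key exists
        steps.append("use console until key exists: " + ", ".join(ssh_only))
    return steps
```

Running `post_restore_steps` over each backup in a TFTP archive gives a per-device replacement checklist, including which vty lines will refuse remote logins until the key is generated from the console.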
