Cisco Support Community




SSH stands for “Secure Shell”. SSH commonly uses port 22 to connect your computer to another computer on the Internet. It is most often used by network administrators as a remote login / remote control way to manage their business servers. Examples would be: your email administrator needs to reboot the company email server from his home, or your network administrator needs to reset your office password while she is away at a conference.


If remote access to a switch is necessary, then consider using SSH instead of telnet. SSH provides encrypted connections remotely. However, only IOS versions that include encryption support SSH. Also, to include SSH capability the switch may need to have its IOS updated.


Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa.


Configuring SSH on an IOS device


With aaa new-model

ip domain-name
crypto key generate rsa general-keys modulus 1024
user cisco priv 15 pass cisco
aaa authentication login default local
aaa authentication enable default none
line vty 0 15
login authentication default


You can also restrict vty access to SSH (not allowing telnet).

line vty 0 15
transport input ssh


Without aaa new-model

Switch(config)# crypto key generate rsa


The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key.


To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that allows only the administrators’ systems to make these connections and apply this access-list to the virtual terminal lines. Allow only SSH connections to these lines by using the transport input ssh command. Set the privilege level to 0, and set the exec-timeout period to 9 minutes and 0 seconds to disconnect idle connections to these lines. Finally, use the login local command to enable local account checking at login that will prompt for a username and a password.


The following commands show the example configuration for SSH on the virtual terminal lines.


Switch(config)# no access-list 101

Switch(config)# access-list 101 remark Permit SSH access from

administrators’ systems

Switch(config)# access-list 101 permit tcp host any eq 22 log

Switch(config)# access-list 101 permit tcp host any eq 22 log

Switch(config)# access-list 101 deny ip any any log

Switch(config)# line vty 0 4

Switch(config-line)# access-class 101 in

Switch(config-line)# transport input ssh

Switch(config-line)# privilege level 0

Switch(config-line)# exec-timeout 9 0

Switch(config-line)# login local