Sunday, July 06, 2014

Enabling SSH and blocking Telnet in Cisco Routers/Switches

The SSH protocol encrypts the traffic between client and server in a remote session, whereas Telnet sends it in clear text. So for network security purposes, we should enable only SSH access to networking devices.

Before enabling SSH, make sure the hostname and domain name are configured properly, since they are used to name the RSA key pair that will be generated. All the configurations below are done in global configuration mode.

hostname Router1
ip domain name

Change the hostname and the domain name to your organization's values. Now generate the RSA keys for SSH:

crypto key generate rsa

This will ask for the number of bits in the modulus. The default is 512 bits, but if we want to enable SSH version 2 the modulus should be more than 768 bits, so it is better to use 1024 bits.

Now enable SSH version 2:

ip ssh version 2

So we are done with SSH. Now make sure that on the vty lines SSH is enabled and Telnet is disabled:

line vty 0 4
transport input ssh

This enables only SSH; Telnet is blocked. If we want both SSH and Telnet, change the last command to "transport input all". Now the SSH server is ready and running on the router.

You can confirm this with the "show ip ssh" command.
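As an added example (not part of the original post), a small Python audit that reads a running-config text and checks the two settings the post ends with: "ip ssh version 2" globally and "transport input ssh" on every vty line block. The sample config is constructed; the domain name in it is a placeholder, and the RSA modulus size is not checked because it does not appear in a running-config.

```python
import re

# Constructed sample running-config excerpt (not from a real device). It
# mirrors the settings from the post but leaves a second vty block open to
# Telnet so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname Router1
ip domain name example.invalid
ip ssh version 2
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input all
"""

def parse_vty_transport(config: str) -> dict:
    """Return {vty-range: transport-input value} from a running-config text.

    In IOS output the lines inside a 'line vty ...' block are indented; a
    'transport input' line there applies to that block. A block with no
    explicit 'transport input' is recorded as None (the platform default,
    which may allow Telnet), so it is treated as not SSH-only."""
    result = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"^\s*transport input (.+)$", line)
            if m:
                result[current] = m.group(1).strip()
        elif line and not line.startswith(" "):
            current = None  # any non-indented line ends the vty block
    return result

def audit(config: str) -> list:
    """Return a list of findings; an empty list means the config matches the post."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ssh version 2 not enabled")
    for rng, transport in parse_vty_transport(config).items():
        if transport != "ssh":
            findings.append(f"line vty {rng}: transport input is {transport!r}, expected 'ssh'")
    return findings
```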

Accessing Router/ Switch using SSH:

To access the router remotely, use any SSH client: PuTTY on Windows, the built-in ssh client on Linux, etc.

PuTTY SSH client for Windows