Configure Telnet and SSH

Telnet and SSH
Older switches may not support secure communication with Secure Shell (SSH). This topic will help you choose between the Telnet and SSH methods of communicating with a switch.
There are two choices for remotely accessing a vty on a Cisco switch.
Telnet is the original method that was supported on early Cisco switch models. Telnet is a popular protocol used for terminal access because most current operating systems come with a Telnet client built in. However, Telnet is an insecure way of accessing a network device, because it sends all communications across the network in clear text. Using network monitoring software, an attacker can read every keystroke that is sent between the Telnet client and the Telnet service running on the Cisco switch. Because of the security concerns of the Telnet protocol, SSH has become the preferred protocol for remotely accessing virtual terminal lines on a Cisco device.
SSH gives the same type of access as Telnet with the added benefit of security. Communication between the SSH client and SSH server is encrypted. SSH has gone through a few versions, with Cisco devices currently supporting both SSHv1 and SSHv2. It is recommended that you implement SSHv2 when possible, because it uses a more enhanced security encryption algorithm than SSHv1.

Configuring Telnet
Telnet is the default vty-supported protocol on a Cisco switch. When a management IP address is assigned to the Cisco switch, you can connect to it using a Telnet client. Initially, the vty lines are unsecured allowing access by any user attempting to connect to them.
In the previous topic, you learned how to secure access to the switch over the vty lines by requiring password authentication. This makes running the Telnet service a little more secure.
Because Telnet is the default transport for the vty lines, you do not need to specify it after the initial configuration of the switch has been performed. However, if you have switched the transport protocol on the vty lines to permit only SSH, you need to enable the Telnet protocol to permit Telnet access manually.
If you need to re-enable the Telnet protocol on a Cisco 2960 switch, use the following command from line configuration mode: (config-line)#transport input telnet or (config-line)#transport input all.
By permitting all transport protocols, you still permit SSH access to the switch as well as Telnet access.
Configuring SSH
SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, a cryptographic image must be installed on your switch.
The SSH feature has an SSH server and an SSH integrated client, which are applications that run on the switch. You can use any SSH client running on a PC or the Cisco SSH client running on the switch to connect to a switch running the SSH server.
The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component.
SSH supports the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, and password-based user authentication. DES offers 56-bit encryption, and 3DES offers168-bit encryption. Encryption takes time, but DES takes less time to encrypt text than 3DES. Typically, encryption standards are specified by the client, so if you have to configure SSH, ask which one to use. (The discussion of data encryption methods is beyond the scope of this course.)
To implement SSH, you need to generate RSA keys. RSA involves a public key, kept on a public RSA server, and a private key, kept only by the sender and receiver. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. This is known as asymmetric encryption and will be discussed in greater detail in the Exploration: Accessing the WAN course.
You need to generate the encrypted RSA keys using the crypto key generate rsa command.
This procedure is required if you are configuring the switch as an SSH server. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostnamehostname command.
Step 3. Configure a host domain for your switch using the ip domain-namedomain_name command.
Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.
When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends using a modulus size of 1024 bits. A longer modulus length might be more secure, but it takes longer to generate and to use.
Step 5. Return to privileged EXEC mode using the end command.
Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server.
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Step 3. Configure the SSH control parameters:
Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. For a SSH connect to be established, a number of phases must be completed, such as connection, protocol negotiation, and parameter negation. The time-out value applies to the amount of time the switch allows for a connection to be established.
By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. For example, a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated.
Repeat this step when configuring both parameters. To configure both parameters use the ip ssh {timeoutseconds | authentication-retriesnumber} command.
Step 4. Return to privileged EXEC mode using the end command.
Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
If you want to prevent non-SSH connections, add the transport input ssh command in line configuration mode to limit the switch to SSH connections only. Straight (non-SSH) Telnet connections are refused.
For a detailed discussion on SSH, visit:
For an overview of RSA technology, visit
For a detailed discussion on RSA technology, visit:


Post a Comment


NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog