How to Configure SSH on Cisco Router & Switch

One of the fundamentals of configuring a Cisco router or switch is enabling a secure management protocol. Telnet sends everything, including your login credentials, in clear text, so anyone who can capture the traffic between you and the device can read it.

The solution is SSH (Secure Shell), a cryptographic protocol. It encrypts and integrity-protects the session between your workstation and the router or switch, and lets your client verify that it is talking to the real device by checking the device's host key.

Here is our simple topology:

SSH Lab Topology

Let’s say we’re consoled into the router and would like to enable SSH so we can manage the router from our desk.

Once you're in global configuration mode, enter the following configuration:

conf t
!
!! Configure a username with privilege 15 and a secret of cisco (a lab password only; use a strong one in production)
username admin priv 15 secret cisco
!
!
!! Before configuring SSH we need to define the domain name for the purpose of generating our key
ip domain-name rowelldionicio.com
!
!
!! Generate the RSA key pair with a 1024-bit modulus (the key is named after the hostname and domain name; 2048 bits is the current recommendation)
crypto key generate rsa general-keys mod 1024
!
!
!! Enter the vty line configuration to enable ssh as the input protocol leaving out telnet
line vty 0 15
transport input ssh
!
!! The login local command tells the router to prompt for a username and password and verify them against its local user database
login local
exit
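Once the configuration is in place it is worth checking it the way an auditor would. The script below is an added example, not code from the original post: it reads a saved running-config and flags the settings above that are missing, plus a few the post does not configure but a practitioner would want (ip ssh version 2, an access-class on the vty lines, a non-zero exec-timeout, and a 2048-bit key). The three configs embedded in it are constructed samples, not real captures; the password hashes and the MGMT ACL network are made up, and the RSA modulus is passed in separately because show running-config does not print it (show crypto key mypubkey rsa does).

```python
"""Audit a Cisco IOS running-config for SSH management hardening.

Added example; not code from the original post. Checks the settings the
post configures plus: SSH version 2 pinned, RSA modulus >= 2048 bits,
an access-class on the vty lines, and a non-zero exec-timeout.
"""
import re
from typing import List

MIN_MODULUS_BITS = 2048

# Constructed sample: the post's SSH configuration as show running-config
# would print it (1024-bit key, SSH version not pinned). Hash is made up.
POST_CONFIG = """\
hostname R1
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue
ip domain-name rowelldionicio.com
line vty 0 15
 login local
 transport input ssh
"""

# Constructed sample: the post's telnet rollback.
TELNET_CONFIG = """\
hostname R1
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue
ip domain-name rowelldionicio.com
line vty 0 15
 login local
 transport input telnet
"""

# Constructed sample: the same router with extra hardening applied.
# The MGMT ACL network is an assumption (the post's client sits in 10.1.1.0/24).
HARDENED_CONFIG = """\
hostname R1
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue
ip domain-name rowelldionicio.com
ip ssh version 2
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line vty 0 15
 access-class MGMT in
 exec-timeout 10 0
 login local
 transport input ssh
"""


def vty_blocks(config: str) -> List[List[str]]:
    """Return the indented child lines of every `line vty ...` section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # any top-level line ends the section
    return blocks


def audit(config: str, rsa_modulus_bits: int = None) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = {ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")}

    if not any(ln.startswith("ip domain-name ") for ln in top):
        findings.append("no ip domain-name: RSA keys cannot be generated")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated")
    if rsa_modulus_bits is None:
        findings.append("RSA modulus unknown: check show crypto key mypubkey rsa")
    elif rsa_modulus_bits < MIN_MODULUS_BITS:
        findings.append(f"RSA modulus is {rsa_modulus_bits} bits; use at least {MIN_MODULUS_BITS}")

    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no line vty section: vty defaults apply")
    for i, blk in enumerate(blocks):
        transport = [ln for ln in blk if ln.startswith("transport input")]
        if not transport:
            findings.append(f"vty {i}: no explicit transport input (platform default applies)")
        elif transport[-1] != "transport input ssh":
            findings.append(f"vty {i}: '{transport[-1]}' instead of 'transport input ssh'")
        if not any(ln == "login local" or ln.startswith("login authentication") for ln in blk):
            findings.append(f"vty {i}: no login local / login authentication")
        if not any(ln.startswith("access-class ") for ln in blk):
            findings.append(f"vty {i}: no access-class; any source may attempt a login")
        m = next((re.match(r"exec-timeout (\d+)(?: (\d+))?", ln) for ln in blk
                  if ln.startswith("exec-timeout")), None)
        if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            findings.append(f"vty {i}: exec-timeout 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for name, cfg, bits in (("post", POST_CONFIG, 1024),
                            ("telnet", TELNET_CONFIG, 1024),
                            ("hardened", HARDENED_CONFIG, 2048)):
        print(name, audit(cfg, bits) or "OK")
```

Run it against a config saved from show running-config (open the file and pass its contents to audit). The post's own configuration comes back with three findings: SSH version not pinned, a 1024-bit key, and no access-class; the hardened sample comes back clean.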

Now we test with our Linux client using the command:

ssh -l admin 10.1.1.100

You'll be prompted only for the admin password, since -l admin already supplied the username. Because the account is configured with privilege 15, the session lands directly in privileged EXEC mode (the # prompt) without asking for the enable password; from there conf t takes you into global configuration mode as usual.

SSH To Cisco Router

Here’s what our communication with R1 looks like over the network using SSH:

Encrypted Traffic Over SSH

To compare our traffic with Telnet we will remove SSH:

conf t
!
!! Enter line configuration
line vty 0 15
!
!! Allowing only telnet as the input transport removes SSH from these lines
transport input telnet
end

In Wireshark I will follow the TCP Stream of the packet that appears to be sending username and password traffic:

Telnet Traffic Captured in Wireshark

We can see the username and password in plain text and also see what commands are being entered:

Wireshark Capturing Plain Text over Telnet
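What Wireshark's Follow TCP Stream shows can also be done programmatically. The script below is an added example, not part of the original post: it strips Telnet option negotiation (the IAC sequences of RFC 854) from a captured stream and pairs the router's Username: and Password: prompts with what the client typed, recovering the credentials and the commands. The stream it works on is constructed by hand to resemble an IOS telnet login; it is not a real capture, and the exact negotiation a real client sends will differ.

```python
"""Recover a Telnet login from a captured TCP stream.

Added example, not code from the original post. The stream below is a
constructed imitation of an IOS telnet login, not a real capture.
"""
from typing import Dict, List, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Constructed sample, in the order Wireshark's Follow TCP Stream would show it:
# ("S", bytes) is router -> client, ("C", bytes) is client -> router.
CAPTURED_STREAM: List[Tuple[str, bytes]] = [
    ("S", b"\xff\xfb\x01\xff\xfb\x03"             # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD
          b"\r\n\r\nUser Access Verification\r\n\r\nUsername: "),
    ("C", b"\xff\xfd\x01\xff\xfd\x03"             # IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD
          b"\xff\xfa\x18\x00VT100\xff\xf0"        # IAC SB TERMINAL-TYPE IS "VT100" IAC SE
          b"admin\r\n"),
    ("S", b"admin\r\nPassword: "),                 # router echoes the username, not the password
    ("C", b"cisco\r\n"),
    ("S", b"\r\nR1#"),
    ("C", b"show running-config\r\n"),
    ("S", b"show running-config\r\nBuilding configuration...\r\n"),
]


def strip_telnet(data: bytes) -> str:
    """Remove IAC command and negotiation bytes; return the printable text."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                  # truncated IAC at end of data
        cmd = data[i + 1]
        if cmd == IAC:                             # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):        # three-byte option negotiation
            i += 3
        elif cmd == SB:                            # subnegotiation runs up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                      # two-byte command (NOP, AYT, ...)
            i += 2
    text = out.decode("ascii", errors="replace")
    # Telnet ends lines with CR LF or CR NUL; normalise both to "\n".
    return text.replace("\r\n", "\n").replace("\r\x00", "\n").replace("\r", "\n")


def reconstruct(stream: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Pair the router's prompts with the client's input lines."""
    result: Dict[str, object] = {"username": None, "password": None, "commands": []}
    prompt = ""                      # text the router sent since the client last typed
    for side, chunk in stream:
        text = strip_telnet(chunk)
        if side == "S":
            prompt += text
            continue
        lines = [ln for ln in text.split("\n") if ln]
        for n, line in enumerate(lines):
            last = prompt.rstrip()
            if n == 0 and last.endswith("Username:"):
                result["username"] = line
            elif n == 0 and last.endswith("Password:"):
                result["password"] = line
            else:
                result["commands"].append(line)
        if lines:
            prompt = ""
    return result


if __name__ == "__main__":
    print(reconstruct(CAPTURED_STREAM))
```

Feed it the two directions of a real stream (for example, the bytes Wireshark exports from Follow TCP Stream, split by direction) and the same pairing applies. Doing this to the SSH session captured earlier is impossible without the session keys, which is the whole point of the post.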

Conclusion

Follow best practices and manage your routers and switches over SSH. Even if you're using a dedicated management network, I would still recommend encrypting your traffic: anyone with a tap or a compromised host on that network can read a Telnet session just as easily. SSH is simple to configure and keeps your management traffic away from prying eyes.


About Rowell

I am Rowell Dionicio, an IT Manager with a coffee addiction, an advocate of WordPress, with a passion about networking as a Cisco Champion, physical server assassin with virtualization, and a padawan of security. Follow me on Twitter, Google+, & LinkedIn.