Summary: SSH secures remote management by encrypting VTY traffic; requires an RSA keypair, domain name, and SSHv2 enabled to replace Telnet.
SSH requires a hostname and domain name before keys can be generated:
hostname SWITCH-01
ip domain name example.com
crypto key generate rsa modulus 2048
Use a minimum of 2048 bits. SSHv2 requires a 768-bit minimum key; 2048 or 4096 bits are recommended.
Verify:
show crypto key mypubkey rsa
To regenerate (e.g., after domain-name change):
crypto key zeroize rsa
crypto key generate rsa modulus 2048
Enforce SSHv2 and tighten the authentication window:
ip ssh version 2
SSHv1 is deprecated and cryptographically weak — always enforce version 2.
ip ssh time-out 60
ip ssh authentication-retries 3
Restrict the VTY lines to SSH:
line vty 0 15
transport input ssh
login authentication default
exec-timeout 10 0
transport input ssh removes Telnet access by replacing the default transport input all; it must be applied to every VTY range.
Force SSH management traffic to originate from a specific interface (useful with loopback):
ip ssh source-interface Loopback0
Complete configuration:
hostname SWITCH-01
ip domain name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 15
transport input ssh
login authentication default
exec-timeout 10 0
Verify SSH status and active sessions:
show ip ssh
show ssh
show users
Sample show ip ssh output:
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
Troubleshooting:
SSH not available after configuration:
show crypto key mypubkey rsa
show run | include hostname|domain
Telnet still accessible:
show run | section line vty
Confirm transport input ssh is applied to every VTY range.
Authentication failures:
show run | section aaa
test aaa group tacacs+ username password legacy
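The checks above (SSHv2 enforced, timeout and retry limits, transport input ssh on every VTY range) can be run automatically against a saved running-config. The following audit script is an added example, not part of these notes or of Cisco IOS; the config text it parses is a constructed sample, and the 60-second / 3-retry thresholds are taken from the values configured above.

```python
import re

# Constructed sample (not from the notes): SSH-only on the first VTY range,
# but the second range still allows Telnet and SSHv2 is not enforced.
WEAK_CONFIG = """\
hostname SWITCH-02
ip domain name example.com
ip ssh time-out 120
ip ssh authentication-retries 5
line vty 0 4
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 transport input all
"""

def parse_vty_blocks(config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.rstrip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the line block
    return blocks

def audit_ssh(config, max_timeout=60, max_retries=3):
    """Return the SSH-hardening gaps found in a running-config text."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("hostname missing (RSA key generation needs it)")
    if not re.search(r"^ip domain[ -]name \S+", config, re.M):
        findings.append("ip domain name missing (RSA key generation needs it)")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 missing (SSHv1 still negotiable)")
    m = re.search(r"^ip ssh time-out (\d+)", config, re.M)
    if m and int(m.group(1)) > max_timeout:
        findings.append(f"ip ssh time-out {m.group(1)} exceeds {max_timeout}")
    m = re.search(r"^ip ssh authentication-retries (\d+)", config, re.M)
    if m and int(m.group(1)) > max_retries:
        findings.append(f"authentication-retries {m.group(1)} exceeds {max_retries}")
    for name, subs in parse_vty_blocks(config).items():
        # No 'transport input ssh' means the default (all) applies: Telnet reachable.
        if "transport input ssh" not in subs:
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(s.startswith("exec-timeout") for s in subs):
            findings.append(f"{name}: no exec-timeout")
    return findings
```

Feed it the output of show running-config; an empty result means all of the items in this note's complete configuration are present.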