Solved

How to configure SSH access to Cisco 2960 and 3560 switches?

Posted on 2009-06-30
8
21,487 Views
Last Modified: 2016-09-22
There are quite a big number of the above switch types in my company. I'm thinking restrict the access to SSH ONLY. Alternatively, some may allow SSH and telnet access. How to do?
0
Comment
Question by:Balack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 23

Accepted Solution

by:
that1guy15 earned 125 total points
ID: 24743552
0
 
LVL 2

Assisted Solution

by:infoseccons
infoseccons earned 125 total points
ID: 24743560
I guess you could set up your switches to allow ssh access by default and, for the ones that need it, create a seperate configuration that allows telnet access also.
See this excellent guide on the Cisco web site to read up on how to enable/disable telnet access and/or ssh access: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/swauthen.html

0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 125 total points
ID: 24744205

ip domain-name xxxx.com
crypto key generate rsa ! you'll be prompted for the key length
ip ssh version 2
line vty 0 4
 login local
 transport input ssh

Open in new window

0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24746392
If you don't upgrade the switchs software you not able to use this feature! If yuu want the SSH, use Crypto image!
I advise you must use to protect the remote access access-list on the vty:

access-list 1 permit x.x.x.x y.y.y.y  ----> where you want to access
access-list 1 deny   any

line vty 0 4
 transport input ssh
  access-class 1 in
end
0
 

Author Comment

by:Balack
ID: 24751322
What is the minimal requirements on IOS version? My co-worker try to key in "crypto key generate rsa", and being prompted "invalid command".

For your info, he tried on switches with 12.1(32) and 12.0(5.3).
0
 

Author Comment

by:Balack
ID: 24751325
BTW, what is latest version I can upgrade to the above switches?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 125 total points
ID: 24751730
Hi Balack,

You must upgrade the switches, if you want to enable SSH!
If you a registered user, you able to download directly from cco!

The legal procedure is: you buy the new sofware from your service integrator, or cisco partner, and after you upgrade the switches!
 The latast version: LAN LITE W/O CRYPTO c2960-lanlite-mz.122-50.SE2.bin Release Date: 19/May/2009 Size: 6564.96 KB  (6722515 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB    LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR c2960-lanlite-tar.122-50.SE2.tar Release Date: 19/May/2009 Size: 10220.00 KB  (10465280 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB   IP BASE W/O CRYPTO c3560-ipbase-mz.122-50.SE1.bin Release Date: 14/Apr/2009 Size: 9027.33 KB  (9243981 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB    IP BASE W/O CRYPTO WITH WEB BASED DEV MGR c3560-ipbase-tar.122-50.SE1.tar Release Date: 14/Apr/2009 Size: 11750.00 KB  (12032000 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB
 
0
 

Expert Comment

by:Ravi Kant
ID: 41810498
Hi

I am not able to generate crypto keys on Cisco 2960. This shows "% Unrecognized command".
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The worst thing when starting a new job is when the previous Network Administrator left behind no documentation. How do you get into the devices? If you've been in this situation or just accidently mistyped your password, this article will hopefully…
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question