How to configure SSH access to Cisco 2960 and 3560 switches?

There are quite a large number of the above switch types in my company. I'm thinking of restricting access to SSH only. Alternatively, some may allow both SSH and telnet access. How do I do this?
Balack Asked:

that1guy15Commented:
0

infoseccons Commented:
I guess you could set up your switches to allow SSH access by default and, for the ones that need it, create a separate configuration that also allows telnet access.
See this excellent guide on the Cisco web site to read up on how to enable/disable telnet access and/or ssh access: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/swauthen.html

0
Don JohnstonInstructorCommented:

ip domain-name xxxx.com
! you'll be prompted for the key length
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh


0

Istvan KalmarHead of IT Security Division Commented:
If you don't upgrade the switch's software, you will not be able to use this feature! If you want SSH, use a crypto image!
I advise you to use an access list on the vty to protect remote access:

! x.x.x.x y.y.y.y = where you want to access
access-list 1 permit x.x.x.x y.y.y.y
access-list 1 deny   any

line vty 0 4
 transport input ssh
 access-class 1 in
end
0
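
An added example, not part of the thread or any poster's code: a small Python check that reads a saved running-config and reports, per `line vty` block, whether it still accepts telnet, lacks `login local`, or lacks an inbound `access-class`. This is useful across many switches because the snippets above only configure `line vty 0 4`. The sample config, the function names and the decision to flag a missing `transport input` line are assumptions.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
ip ssh version 2
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 deny   any
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
end
"""

def vty_blocks(config):
    """Map each 'line vty ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = blocks.setdefault(" ".join(raw.split()[1:]), [])
        elif raw[:1] == " " and current is not None:
            current.append(" ".join(raw.split()))
        else:
            current = None  # any other top-level line ends the vty block
    return blocks

def audit(config):
    """Return {block: [issues]}; an empty list means the block passed."""
    findings = {}
    for name, cmds in vty_blocks(config).items():
        issues = []
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            # Assumption: a missing line is a finding; the default varies by release.
            issues.append("no explicit 'transport input'")
        elif transport[-1] != ["ssh"]:
            issues.append("transport input allows: " + " ".join(transport[-1]))
        if "login local" not in cmds:
            issues.append("no 'login local'")
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            issues.append("no inbound access-class")
        findings[name] = issues
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings["global"] = ["'ip ssh version 2' not set"]
    return findings

if __name__ == "__main__":
    for block, issues in audit(SAMPLE_CONFIG).items():
        print(block, "OK" if not issues else issues)
```
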
BalackAuthor Commented:
What are the minimum requirements on the IOS version? My co-worker tried to key in "crypto key generate rsa" and was prompted with "invalid command".

For your info, he tried on switches with 12.1(32) and 12.0(5.3).
0
BalackAuthor Commented:
BTW, what is the latest version I can upgrade the above switches to?
0
Istvan KalmarHead of IT Security Division Commented:
Hi Balack,

You must upgrade the switches if you want to enable SSH!
If you are a registered user, you are able to download directly from CCO!

The legal procedure is: you buy the new software from your service integrator or Cisco partner, and afterwards you upgrade the switches!

The latest version:

LAN LITE W/O CRYPTO
c2960-lanlite-mz.122-50.SE2.bin
Release Date: 19/May/2009
Size: 6564.96 KB (6722515 bytes)
Minimum Memory: DRAM: 64 MB, Flash: 32 MB

LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR
c2960-lanlite-tar.122-50.SE2.tar
Release Date: 19/May/2009
Size: 10220.00 KB (10465280 bytes)
Minimum Memory: DRAM: 64 MB, Flash: 32 MB

IP BASE W/O CRYPTO
c3560-ipbase-mz.122-50.SE1.bin
Release Date: 14/Apr/2009
Size: 9027.33 KB (9243981 bytes)
Minimum Memory: DRAM: 128 MB, Flash: 16 MB

IP BASE W/O CRYPTO WITH WEB BASED DEV MGR
c3560-ipbase-tar.122-50.SE1.tar
Release Date: 14/Apr/2009
Size: 11750.00 KB (12032000 bytes)
Minimum Memory: DRAM: 128 MB, Flash: 16 MB
0
Ravi KantCommented:
Hi

I am not able to generate crypto keys on Cisco 2960. This shows "% Unrecognized command".
0

Question has a verified solution.
