What IOS versions support SSH access and setup on Cisco switches

Posted on 2009-07-01
Last Modified: 2012-05-07
There are up to 30+ switches deployed in my company. They are Cisco Catalyst switch models: 2950, 2960, 3550, 3560, and 3750. Recently, there is a security policy that all switch access is restricted to SSH (preferably version 2). I want to know what the minimum requirement on IOS version is in order to support SSH.
Question by:Balack
LVL 34

Accepted Solution

Istvan Kalmar earned 250 total points
ID: 24760925
If you don't upgrade the switches' software you are not able to use this feature! If you want SSH, use the Crypto image!
I advise you to protect the remote access with an access-list on the vty:

! x.x.x.x y.y.y.y ----> where you want to access
access-list 1 permit x.x.x.x y.y.y.y
access-list 1 deny   any
!
line vty 0 4
 transport input ssh
 access-class 1 in

If you are a registered user, you are able to download directly from the CCO web!

The legal procedure is: you buy the new software from your service integrator, or Cisco partner, and after that you upgrade the switches!


Author Comment

ID: 24760969
Hi ikalmaar,

What is crypto image? Can you elaborate?

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24761019
For example:

2960 switches have LAN Base or LAN Base crypto images; the crypto image is able to use SSH, the non-crypto only telnet!

The latest version:

LAN LITE W/O CRYPTO
c2960-lanlite-mz.122-50.SE2.bin
Release Date: 19/May/2009 Size: 6564.96 KB (6722515 bytes) Minimum Memory: DRAM:64 MB Flash:32 MB

LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR
c2960-lanlite-tar.122-50.SE2.tar
Release Date: 19/May/2009 Size: 10220.00 KB (10465280 bytes) Minimum Memory: DRAM:64 MB Flash:32 MB

IP BASE W/O CRYPTO
c3560-ipbase-mz.122-50.SE1.bin
Release Date: 14/Apr/2009 Size: 9027.33 KB (9243981 bytes) Minimum Memory: DRAM:128 MB Flash:16 MB

IP BASE W/O CRYPTO WITH WEB BASED DEV MGR
c3560-ipbase-tar.122-50.SE1.tar
Release Date: 14/Apr/2009 Size: 11750.00 KB (12032000 bytes) Minimum Memory: DRAM:128 MB Flash:16 MB
LVL 16

Assisted Solution

by:Aaron Street
Aaron Street earned 250 total points
ID: 24772060

The crypto image is simply an image that includes encryption.

Some countries such as China do not allow people to encrypt data so that it is visible to the government.

And because SSH is encrypted it is not allowed in some countries.

Cisco therefore make two (in fact often 4) images for each feature set for a router / switch.

One is a non-crypto image, meaning it has no encryption on it at all, either SSH or the ability to encrypt network data it is routing or switching...

One is a crypto image (identical in feature set but with the addition of encryption).

They then may provide two more images.

These are ones that have a web-based interface for management. Again, same feature set as those without web services, and one with crypto and one without.

You want a crypto image.

So do a sh flash: on your router and see if your image is a .bin (non web based) or .tar (web based).

The upgrade between crypto or non-crypto is free; you may need to contact Cisco to get hold of the image.

LVL 16

Expert Comment

by:Aaron Street
ID: 24772123
So basically you want a crypto image :)

Also all feature sets from the basic one to the most advanced will have a crypto image (as long as the hardware supports it).

So there is not going to be any cost for this.

Expert Comment

ID: 24778114
Get an image with K9 in the name and you can support SSH.  By default devices normally ship without due to weird export laws.
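
An added example, not part of the thread or any poster's code: a Python script for triaging a fleet like the asker's by image file name, flagging switches whose running image has no crypto marker and therefore cannot offer SSH. It assumes the file name layout of the images quoted in this thread; the "k2" marker is an assumption taken from the 2950 file name the asker lists as crypto, and the host names and one file name are constructed.

```python
import re

# File name layout of the images quoted in this thread:
#   <platform>-<featureset>-<mz|tar>.<release>.<bin|tar>
IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+[a-z]*)-(?P<features>[a-z0-9]+)-(?P<pack>mz|tar)"
    r"\.(?P<release>[\w.\-]+)\.(?P<ext>bin|tar)$"
)
# "k9" is the marker named in the thread. "k2" is an assumption, taken from
# the 2950 file name the asker lists as the crypto image.
CRYPTO_MARKER = re.compile(r"k[29]")


def classify_image(path):
    """Describe an IOS image path, or return None if the name is unrecognised."""
    name = re.split(r"[:/]", path.strip().strip('"'))[-1]
    m = IMAGE_RE.match(name)
    if m is None:
        return None
    return {
        "platform": m["platform"],
        "features": m["features"],
        "release": m["release"],
        "crypto": bool(CRYPTO_MARKER.search(m["features"])),
        "web_mgmt": m["ext"] == "tar",  # per the thread, .tar is the web-based bundle
    }


def switches_needing_crypto(inventory):
    """Return (hosts on a non-crypto image, hosts whose image needs a manual look)."""
    upgrade, unknown = [], []
    for host, image in sorted(inventory.items()):
        info = classify_image(image)
        if info is None:
            unknown.append(host)
        elif not info["crypto"]:
            upgrade.append(host)
    return upgrade, unknown


# Constructed inventory: host names are made up and sw-c's file name is a
# constructed sample; the other file names are quoted in the thread.
INVENTORY = {
    "sw-a": "flash:c2960-lanlite-mz.122-50.SE2.bin",
    "sw-b": "flash:c2950-i6k2l2q4-mz.121-22.EA13.bin",
    "sw-c": "flash:/c3560-ipbasek9-mz.122-50.SE1/c3560-ipbasek9-mz.122-50.SE1.bin",
    "sw-d": "flash:c3560-ipbase-mz.122-50.SE1.bin",
    "sw-e": "flash:unknown.img",
}
```

Feed it the "System image file" path collected from each switch; names it cannot parse are returned separately so they get checked by hand rather than silently passed.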

Author Comment

ID: 24778647
Hi all,

Many thanks to all of you for providing all the valuable information.

Now, I got the idea of how the thing works. I got a Cisco login account that is tied to my company. I managed to go to the Cisco download website for switches. Please see the attached document showing where I can download the 2950 crypto and non-crypto images.

Does it mean that I only have to download c2950-i6k2l2q4-mz.121-22.EA13.bin (Crypto image) OR c2950-i6k2l2q4-tar.121-22.EA13.tar (Crypto image with SDM), and then upgrade all my 2950 switches?

Does it also mean that if I am eligible to download the above crypto images, I actually do not need to buy any Cisco contract in order to upgrade?

How about how to upgrade my 2950 switches to the crypto image with SDM?

Appreciate your help!
LVL 16

Expert Comment

by:Aaron Street
ID: 24783326
If you want the crypto image with SDM, the simplest way to do this is..

First delete the .bin image in the flash of the router/switch.

Then run the

#archive download-sw tftp: and enter the name of the image and the TFTP server.

This will pull down the tar file and decompress it to the correct directories in the flash, to upgrade your image to the SDM / Web version.

It will also update the boot conf to ensure the correct IOS is booted.

Again, the crypto and non-crypto images fall under the same licence (you DO NOT!! need an upgrade); if you are licenced for one you can use the others. It is only because in places like China you are not allowed, due to their laws, to run crypto images that Cisco provided an image without crypto....

That download attachment you attached shows the same image feature set, with + without web and with and without crypto.

You only need an upgrade either to increase feature sets, i.e. with a router you may have "IP base set" and "ip Advanced set",
or when moving between major version releases, i.e. version 11.26(15) and 12.25(45) for example. If you have a support contract you are normally covered for all minor release upgrades.

See image below: all the IOS images circled in red are one licence / feature set. All those in blue are a different licence / feature set.

If I am licenced for any ip base I can change between the different ones free. I only have to pay if I want to upgrade to the ip services set..

Hope that makes it a bit clearer.

