[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

What IOS version are supporting SSH access and setup on Cisco switches

Posted on 2009-07-01
10
Medium Priority
?
2,809 Views
Last Modified: 2012-05-07
There are up to 30+ switches deployed in my company. They are Cisco catalyst switch models: 2950, 2960, 3550, 3560, and 3750. Recently, there is a security policy that all switch access is restricted to SSH (preferably version 2). I want to know what is the minimum requirement on IOS version in order to support ssh?
0
Comment
Question by:Balack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 1000 total points
ID: 24760925
If you don't upgrade the switchs software you not able to use this feature! If you want the SSH, use Crypto image!
I advise you must use to protect the remote access access-list on the vty:

access-list 1 permit x.x.x.x y.y.y.y  ----> where you want to access
access-list 1 deny   any

line vty 0 4

If you a registered user, you able to download directly from cco web!

The legal procedure is: you buy the new sofware from your service integrator, or cisco partner, and after you upgrade the switches!

 transport input ssh
  access-class 1 in
end

0
 

Author Comment

by:Balack
ID: 24760969
Hi ikalmaar,

What is crypto image? Can you elaborate?



0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24761019
For example:

2960 switches have Lan base, or Lan base crypto images, the crypto image able to use ssh, the non crypto only telnet!



The latast version:
LAN LITE W/O CRYPTO c2960-lanlite-mz.122-50.SE2.bin
Release Date: 19/May/2009 Size: 6564.96 KB  (6722515 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB  
 
LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR c2960-lanlite-tar.122-50.SE2.tar Release Date: 19/May/2009 Size: 10220.00 KB  (10465280 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB  

IP BASE W/O CRYPTO c3560-ipbase-mz.122-50.SE1.bin
Release Date: 14/Apr/2009 Size: 9027.33 KB  (9243981 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB  
 
IP BASE W/O CRYPTO WITH WEB BASED DEV MGR c3560-ipbase-tar.122-50.SE1.tar Release Date: 14/Apr/2009 Size: 11750.00 KB  (12032000 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB
0
What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

 
LVL 16

Assisted Solution

by:Aaron Street
Aaron Street earned 1000 total points
ID: 24772060
Balack,

the crypto image is simply an image that included encryption.

Some countries such as China do not allow people to encrypte data so that it is visibabel to the goverment.

and becasue SSH is encrypted it is not allowed in some countries.

Cisco there for make two (in fact often 4) images for each featuer set fora router / switch

One is a non crypto image, meaning it has no encryption on it at all, either SSH or the ability to encrypte network data it is routing or switching...

One is a crypto image (identical in feature set but with the addition of encryption)

they then may provided two more images

these are ones that have a web based interface for managment. again same feature set as thoses with out web services, and one with crypto and one with out.

You want a crypto image

so a sh flash: on you router and see if you image is a .bin (non web based) or .tar (webbased)

the upgrade between crypto or non crypto is free, you may need to contact cisco to get hold of image.
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 24772123
so basicaly you want a crypto image :)

Also all feature sets from the basic one to the most advanced will have a crypto image (As long as hard ware suports it)

so there is not going to be any cost for this.
0
 
LVL 3

Expert Comment

by:apd32123
ID: 24778114
Get an image with K9 in the name and you can support SSH.  By default devices normally ship without due to weird export laws.
0
 

Author Comment

by:Balack
ID: 24778647
Hi all,

Many thanks to all of you of providing all the valuable information.

Now, I got the idea on how the thing work. I got a cisco login account, that tied to my company. I managed to go the Cisco download website for switches. Pls see the attached document where I can download for the 2950 crypto and non-crypto images.

Does it means that I only have to download c2950-i6k2l2q4-mz.121-22.EA13.bin (Crypto image) OR c2950-i6k2l2q4-tar.121-22.EA13.tar (Crypto image with SDM), and then upgrade to all my 2950 switches?

Does it also means that If I am eligible to download the above crypto images, I actually not need to but any Cisco contract in order to upgrade it?

How about how to upgrade the crypto image with SDM to my 2950 switches?

Appreciate your help!
CISCO-Switch---2950-IOS-Download.pdf
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24780331
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 24783326
if you want the crypto image with SDM the simplest way to do this is..

first delete the .bin image in the flash of the router/switch

then run the

#archive download-sw tftp:   and enter the name of the image and the Tftp server.

this will pull down the tar file and decompress it to the correct directories in the flash. to upgrade your image to the SDM/ Web version

It will also update the boot conf to imnsure the correct ios is booted.

Again the crypto and non crypto image fall under the same licence (you DO NOT!! need an upgrade) , if you are licenced for on you can use the others. It is only becasue in places like china you are not allowed due to there laws to run crypto images that cisco provided an image wiht out crypto....


That download atachment you attached shows the same image feature set, with + with out web  and with and with out Crypto.

You only need an upgrade either to incress feature sets. IE with a router you may have "IP base set" and "ip Advanced set"
or when moving between major version releases ie version 11.26(15) and 12.25(45) for example. If you have a suport contract you are normaly covered for all minor release upgrades.

See image below all the ios images circled in red are one licence/ feature set. all thoses in blue are a difference licence / feature set.

If I am licenced for any ip base I can change between the different ones free. I only have to pay if I want to upgrade to the ip services set..

Hope that makes it a bit clearer.

3750.png
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The worst thing when starting a new job is when the previous Network Administrator left behind no documentation. How do you get into the devices? If you've been in this situation or just accidently mistyped your password, this article will hopefully…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question