What IOS versions support SSH access and setup on Cisco switches

Posted on 2009-07-01
Last Modified: 2012-05-07
There are up to 30+ switches deployed in my company. They are Cisco Catalyst switch models: 2950, 2960, 3550, 3560, and 3750. Recently, there is a security policy that all switch access is restricted to SSH (preferably version 2). I want to know what is the minimum requirement on IOS version in order to support SSH?
Question by:Balack
LVL 34

Accepted Solution

Istvan Kalmar earned 250 total points
ID: 24760925
If you don't upgrade the switch's software, you are not able to use this feature! If you want SSH, use a crypto image!
I advise you to protect the remote access with an access-list on the vty:

! x.x.x.x y.y.y.y: where you want to access from
access-list 1 permit x.x.x.x y.y.y.y
access-list 1 deny   any

line vty 0 4
 transport input ssh
 access-class 1 in

If you are a registered user, you are able to download directly from the CCO web!

The legal procedure is: you buy the new software from your service integrator or Cisco partner, and afterwards you upgrade the switches!


Author Comment

ID: 24760969
Hi ikalmaar,

What is crypto image? Can you elaborate?

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24761019
For example:

2960 switches have LAN Base or LAN Base crypto images; the crypto image is able to use SSH, the non-crypto one only Telnet!

The latest version:

LAN LITE W/O CRYPTO c2960-lanlite-mz.122-50.SE2.bin
Release Date: 19/May/2009 Size: 6564.96 KB  (6722515 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB

LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR c2960-lanlite-tar.122-50.SE2.tar
Release Date: 19/May/2009 Size: 10220.00 KB  (10465280 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB

IP BASE W/O CRYPTO c3560-ipbase-mz.122-50.SE1.bin
Release Date: 14/Apr/2009 Size: 9027.33 KB  (9243981 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB

IP BASE W/O CRYPTO WITH WEB BASED DEV MGR c3560-ipbase-tar.122-50.SE1.tar
Release Date: 14/Apr/2009 Size: 11750.00 KB  (12032000 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24761098
LVL 16

Assisted Solution

by:Aaron Street
Aaron Street earned 250 total points
ID: 24772060

The crypto image is simply an image that includes encryption.

Some countries such as China do not allow people to encrypt data, so that it is visible to the government.

And because SSH is encrypted, it is not allowed in some countries.

Cisco therefore makes two (in fact often 4) images for each feature set for a router / switch.

One is a non-crypto image, meaning it has no encryption on it at all, either SSH or the ability to encrypt network data it is routing or switching...

One is a crypto image (identical in feature set but with the addition of encryption).

They then may provide two more images.

These are ones that have a web-based interface for management. Again, same feature set as those without web services, and one with crypto and one without.

You want a crypto image.

So do a sh flash: on your router and see if your image is a .bin (non-web-based) or .tar (web-based).

The upgrade between crypto or non-crypto is free; you may need to contact Cisco to get hold of the image.
LVL 16

Expert Comment

by:Aaron Street
ID: 24772123
So basically you want a crypto image :)

Also, all feature sets from the basic one to the most advanced will have a crypto image (as long as the hardware supports it),

so there is not going to be any cost for this.

Expert Comment

ID: 24778114
Get an image with K9 in the name and you can support SSH.  By default devices normally ship without due to weird export laws.

Author Comment

ID: 24778647
Hi all,

Many thanks to all of you for providing all the valuable information.

Now, I got the idea on how the thing works. I got a Cisco login account that is tied to my company. I managed to go to the Cisco download website for switches. Pls see the attached document where I can download for the 2950 crypto and non-crypto images.

Does it mean that I only have to download c2950-i6k2l2q4-mz.121-22.EA13.bin (Crypto image) OR c2950-i6k2l2q4-tar.121-22.EA13.tar (Crypto image with SDM), and then upgrade all my 2950 switches?

Does it also mean that if I am eligible to download the above crypto images, I actually do not need to buy any Cisco contract in order to upgrade it?

How about how to upgrade the crypto image with SDM to my 2950 switches?

Appreciate your help!
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24780331
LVL 16

Expert Comment

by:Aaron Street
ID: 24783326
If you want the crypto image with SDM, the simplest way to do this is..

First delete the .bin image in the flash of the router/switch,

then run the

#archive download-sw tftp:   and enter the name of the image and the TFTP server.

This will pull down the tar file and decompress it to the correct directories in the flash, to upgrade your image to the SDM / web version.

It will also update the boot conf to ensure the correct IOS is booted.

Again, the crypto and non-crypto images fall under the same licence (you DO NOT!! need an upgrade); if you are licenced for one you can use the others. It is only because in places like China you are not allowed, due to their laws, to run crypto images that Cisco provided an image without crypto....

That download attachment you attached shows the same image feature set, with + without web and with and without crypto.

You only need an upgrade either to increase feature sets, i.e. with a router you may have "IP base set" and "ip Advanced set",
or when moving between major version releases, i.e. version 11.26(15) and 12.25(45) for example. If you have a support contract you are normally covered for all minor release upgrades.

See image below: all the IOS images circled in red are one licence / feature set. All those in blue are a different licence / feature set.

If I am licenced for any ip base I can change between the different ones free. I only have to pay if I want to upgrade to the ip services set..

Hope that makes it a bit clearer.
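
As an added example (not code from any poster in this thread), the image-naming points made above can be turned into a quick audit of a switch fleet: the Python below parses running image file names and flags those without a crypto marker. The switch names are hypothetical, and treating "k2" as a crypto marker alongside the "K9" named in the thread is an assumption based on the 2950 image the thread identifies as crypto.

```python
import re

# Cisco IOS image file name: <platform>-<feature set>-<mz|tar>.<release>.<bin|tar>
IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+[a-z]*)-(?P<features>[a-z0-9]+)-(?P<kind>mz|tar)"
    r"\.(?P<release>[\w.-]+?)\.(?P<ext>bin|tar)$",
    re.IGNORECASE,
)

# "k9" is the marker named in the thread. "k2" is an assumption added here so
# that the 2950 image the thread calls crypto (c2950-i6k2l2q4-...) is recognised.
CRYPTO_MARKERS = ("k9", "k2")


def classify_image(filename):
    """Return platform, release, packaging and SSH capability for one image name."""
    m = IMAGE_RE.match(filename.strip())
    if m is None:
        # Unrecognised names are reported as not SSH-capable so they get reviewed.
        return {"file": filename, "parsed": False, "ssh_capable": False}
    features = m.group("features").lower()
    return {
        "file": filename,
        "parsed": True,
        "platform": m.group("platform").lower(),
        "release": m.group("release"),
        "web_bundle": m.group("ext").lower() == "tar",  # .tar = web-based bundle
        "ssh_capable": any(marker in features for marker in CRYPTO_MARKERS),
    }


def needs_crypto_upgrade(inventory):
    """Given {switch: running image}, list switches not confirmed as crypto."""
    return sorted(
        name for name, image in inventory.items()
        if not classify_image(image)["ssh_capable"]
    )


# Constructed inventory: switch names are hypothetical, image names are from the thread.
INVENTORY = {
    "sw-2960-a": "c2960-lanlite-mz.122-50.SE2.bin",
    "sw-3560-a": "c3560-ipbase-tar.122-50.SE1.tar",
    "sw-2950-a": "c2950-i6k2l2q4-mz.121-22.EA13.bin",
    "sw-2950-b": "c2950-i6k2l2q4-tar.121-22.EA13.tar",
}

if __name__ == "__main__":
    for switch in needs_crypto_upgrade(INVENTORY):
        print(f"{switch}: running image has no crypto marker, SSH unavailable")
```

The image name for each switch can be read from sh flash: or show version and fed into the inventory; the filename is only a first check, and show ip ssh on the device confirms whether SSH is actually available.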

