What IOS version are supporting SSH access and setup on Cisco switches

There are up to 30+ switches deployed in my company. They are Cisco catalyst switch models: 2950, 2960, 3550, 3560, and 3750. Recently, there is a security policy that all switch access is restricted to SSH (preferably version 2). I want to know what is the minimum requirement on IOS version in order to support ssh?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Istvan KalmarHead of IT Security Division Commented:
If you don't upgrade the switchs software you not able to use this feature! If you want the SSH, use Crypto image!
I advise you must use to protect the remote access access-list on the vty:

access-list 1 permit x.x.x.x y.y.y.y  ----> where you want to access
access-list 1 deny   any

line vty 0 4

If you a registered user, you able to download directly from cco web!

The legal procedure is: you buy the new sofware from your service integrator, or cisco partner, and after you upgrade the switches!

 transport input ssh
  access-class 1 in


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BalackAuthor Commented:
Hi ikalmaar,

What is crypto image? Can you elaborate?

Istvan KalmarHead of IT Security Division Commented:
For example:

2960 switches have Lan base, or Lan base crypto images, the crypto image able to use ssh, the non crypto only telnet!

The latast version:
LAN LITE W/O CRYPTO c2960-lanlite-mz.122-50.SE2.bin
Release Date: 19/May/2009 Size: 6564.96 KB  (6722515 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB  
LAN LITE W/O CRYPTO WITH WEB BASED DEV MGR c2960-lanlite-tar.122-50.SE2.tar Release Date: 19/May/2009 Size: 10220.00 KB  (10465280 bytes) Minimum Memory: DRAM:64 MB  Flash:32 MB  

IP BASE W/O CRYPTO c3560-ipbase-mz.122-50.SE1.bin
Release Date: 14/Apr/2009 Size: 9027.33 KB  (9243981 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB  
IP BASE W/O CRYPTO WITH WEB BASED DEV MGR c3560-ipbase-tar.122-50.SE1.tar Release Date: 14/Apr/2009 Size: 11750.00 KB  (12032000 bytes) Minimum Memory: DRAM:128 MB  Flash:16 MB
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Istvan KalmarHead of IT Security Division Commented:
Aaron StreetTechnical infrastructure architectureCommented:

the crypto image is simply an image that included encryption.

Some countries such as China do not allow people to encrypte data so that it is visibabel to the goverment.

and becasue SSH is encrypted it is not allowed in some countries.

Cisco there for make two (in fact often 4) images for each featuer set fora router / switch

One is a non crypto image, meaning it has no encryption on it at all, either SSH or the ability to encrypte network data it is routing or switching...

One is a crypto image (identical in feature set but with the addition of encryption)

they then may provided two more images

these are ones that have a web based interface for managment. again same feature set as thoses with out web services, and one with crypto and one with out.

You want a crypto image

so a sh flash: on you router and see if you image is a .bin (non web based) or .tar (webbased)

the upgrade between crypto or non crypto is free, you may need to contact cisco to get hold of image.
Aaron StreetTechnical infrastructure architectureCommented:
so basicaly you want a crypto image :)

Also all feature sets from the basic one to the most advanced will have a crypto image (As long as hard ware suports it)

so there is not going to be any cost for this.
Get an image with K9 in the name and you can support SSH.  By default devices normally ship without due to weird export laws.
BalackAuthor Commented:
Hi all,

Many thanks to all of you of providing all the valuable information.

Now, I got the idea on how the thing work. I got a cisco login account, that tied to my company. I managed to go the Cisco download website for switches. Pls see the attached document where I can download for the 2950 crypto and non-crypto images.

Does it means that I only have to download c2950-i6k2l2q4-mz.121-22.EA13.bin (Crypto image) OR c2950-i6k2l2q4-tar.121-22.EA13.tar (Crypto image with SDM), and then upgrade to all my 2950 switches?

Does it also means that If I am eligible to download the above crypto images, I actually not need to but any Cisco contract in order to upgrade it?

How about how to upgrade the crypto image with SDM to my 2950 switches?

Appreciate your help!
Istvan KalmarHead of IT Security Division Commented:
Aaron StreetTechnical infrastructure architectureCommented:
if you want the crypto image with SDM the simplest way to do this is..

first delete the .bin image in the flash of the router/switch

then run the

#archive download-sw tftp:   and enter the name of the image and the Tftp server.

this will pull down the tar file and decompress it to the correct directories in the flash. to upgrade your image to the SDM/ Web version

It will also update the boot conf to imnsure the correct ios is booted.

Again the crypto and non crypto image fall under the same licence (you DO NOT!! need an upgrade) , if you are licenced for on you can use the others. It is only becasue in places like china you are not allowed due to there laws to run crypto images that cisco provided an image wiht out crypto....

That download atachment you attached shows the same image feature set, with + with out web  and with and with out Crypto.

You only need an upgrade either to incress feature sets. IE with a router you may have "IP base set" and "ip Advanced set"
or when moving between major version releases ie version 11.26(15) and 12.25(45) for example. If you have a suport contract you are normaly covered for all minor release upgrades.

See image below all the ios images circled in red are one licence/ feature set. all thoses in blue are a difference licence / feature set.

If I am licenced for any ip base I can change between the different ones free. I only have to pay if I want to upgrade to the ip services set..

Hope that makes it a bit clearer.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.