How to Set Up SSH on Cisco IOS Devices

Introduction

Managing Cisco devices remotely needs a channel that protects credentials and configuration in transit. Telnet sends both in clear text; Secure Shell (SSH) encrypts the session and lets the client verify that it is talking to the right device. This guide walks through the steps needed to configure SSH on Cisco IOS devices so that remote management does not expose either.

Prerequisites

Before configuring SSH on Cisco IOS devices, make sure you have the following prerequisites in place:

  • Access to the device: You need console or Telnet access to the Cisco switch or router for the initial configuration. Prefer the console: Telnet carries the credentials in clear text, and Step 7 turns it off on the VTY lines anyway.
  • Administrative privileges: You need privileged EXEC access (enable mode) to configure hostname, domain name, and SSH settings.
  • Basic IOS knowledge: Familiarity with Cisco CLI commands, VLANs, and interface configuration is recommended.
  • SSH client: Have an SSH client installed (e.g., PuTTY, OpenSSH, SecureCRT) to test remote access once configured.
  • Network connectivity: Ensure the device has a reachable IP address on the management VLAN or interface.
  • Strong passwords: Prepare secure passwords for local user accounts to prevent unauthorized access.

Steps to Configure SSH

Step 1: Assign a Hostname to the Switch

Start by assigning a hostname. Together with the domain name set in the next step it forms the name of the RSA key pair (for example MySwitch.switchfirewall.com), and IOS refuses to generate keys while the hostname is still the factory default.

Switch(config)# hostname MySwitch
MySwitch(config)#

Step 2: Set the Domain Name

Next, configure a domain name; this guide uses switchfirewall.com. The name does not have to resolve in DNS, but the key generation in Step 4 will not run until one is set.

MySwitch(config)# ip domain-name switchfirewall.com

Step 3: Create an Interface VLAN and Assign an IP Address

The switch must have an IP address that clients can reach, typically on a switched virtual interface (SVI). VLAN 1 is used here for simplicity; in production, put management on a dedicated VLAN that no user ports belong to.

MySwitch(config)# interface vlan 1
MySwitch(config-if)# ip address 192.168.1.10 255.255.255.0
MySwitch(config-if)# no shutdown
MySwitch(config-if)# exit

Step 4: Generate RSA Key Pair

The RSA key pair is the switch's SSH host key: clients use it to authenticate the switch, and it signs the key exchange that sets up the session. The session traffic itself is protected by symmetric ciphers negotiated during the connection, not by RSA. SSH version 2 requires a modulus of at least 768 bits, but 1024-bit RSA is no longer considered adequate; generate a 2048-bit (or larger) key pair. Generation fails until both a non-default hostname and a domain name are set, because the two together form the key name shown below.

MySwitch(config)# crypto key generate rsa
The name for the keys will be: MySwitch.switchfirewall.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 2048

Regenerating the key pair later changes the host key, so SSH clients that have already saved the old fingerprint will warn about a changed key. Record the new key's fingerprint over the console so it can be checked on the first remote connection.

Step 5: Configure SSH Version

Use SSH version 2 only. SSH version 1 has known protocol weaknesses, and by default IOS runs in compatibility mode (shown as version 1.99) and accepts both. The command below is accepted only once an RSA key pair of at least 768 bits exists:

MySwitch(config)# ip ssh version 2

Step 6: Create a Local User Account

Create a local user account for SSH authentication. Use secret rather than password: secret stores a hash of the password, while password (type 7) is reversibly encoded and can be recovered by anyone who obtains a copy of the configuration. privilege 15 puts the user straight into privileged EXEC, so this is a full administrative account; replace the placeholder below with a long, unique passphrase.

MySwitch(config)# username admin privilege 15 secret StrongPassword123

Step 7: Enable SSH on VTY Lines

Apply these settings to the VTY (Virtual Teletype) lines, which carry remote terminal sessions: transport input ssh accepts only SSH (and so disables Telnet on those lines), and login local authenticates against the local user database. Lines 0 to 4 are shown here; many switches have sixteen VTY lines (0 to 15), so check show line and configure every VTY line the platform has, otherwise the remaining lines keep their default transport settings.

MySwitch(config)# line vty 0 4
MySwitch(config-line)# transport input ssh
MySwitch(config-line)# login local
MySwitch(config-line)# exit

Step 8: Configure SSH Timeout and Retry Settings

Both settings limit what an unauthenticated client can do. ip ssh time-out is the number of seconds (default and maximum 120) a connection may spend in SSH negotiation and authentication before the switch drops it; ip ssh authentication-retries is the number of failed login attempts allowed per connection (default 3, maximum 5). Neither controls how long an idle authenticated session stays open; that is set with exec-timeout on the VTY lines.

MySwitch(config)# ip ssh time-out 60
MySwitch(config)# ip ssh authentication-retries 2

Step 9: Verify SSH Configuration

To confirm that SSH is enabled and running version 2, check its status; the output also reports the timeout and retry values set above. show ssh lists the sessions currently connected.

MySwitch# show ip ssh

Step 10: Access the Switch via SSH

Finally, connect from an SSH client such as PuTTY or OpenSSH (for example, ssh admin@192.168.1.10) using the local account created in Step 6. The client displays the switch's host key fingerprint on the first connection; compare it with the key generated in Step 4 before accepting it, because accepting an unverified key is exactly what a man-in-the-middle attacker needs.

Troubleshooting SSH Access

If you encounter issues while connecting to your Cisco device via SSH, consider the following troubleshooting steps:

  • Verify IP connectivity: Ping the device IP from your workstation to ensure network reachability.
  • Check VTY configuration: Ensure that the lines are set to accept SSH and use the local login:
    line vty 0 4
     transport input ssh
     login local
  • Confirm SSH version: Ensure the device is set to use SSH version 2:
    ip ssh version 2
  • Validate RSA keys: Make sure an RSA key pair exists; without one, show ip ssh reports SSH as disabled, and ip ssh version 2 needs a modulus of at least 768 bits:
    show crypto key mypubkey rsa
  • Check user credentials: Verify the username and password in the local database:
    show running-config | include username
  • Firewall or ACLs: Ensure that no access lists or firewalls between the client and the switch block TCP port 22, including any access-class applied to the VTY lines.
  • Debugging: Enable debugging to see SSH connection attempts and the point at which they fail; turn it off with undebug all when done, since debug output on a busy device is costly:
    debug ip ssh

Following these steps usually resolves the most common SSH connection issues on Cisco devices.
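The configuration steps above and this troubleshooting list are the same checklist, once to build and once to verify. As an added example written for this article (it is not Cisco code or part of the original guide), the Python script below runs that checklist offline against the text of show running-config saved from a device, and decodes the ssh-rsa host key line that an OpenSSH client stores in known_hosts (or that ssh-keyscan prints) to report the modulus size and the SHA256 fingerprint OpenSSH shows on first connection. It assumes sixteen VTY lines (vty_count; adjust it to what show line reports), treats 2048 bits as the minimum acceptable RSA modulus, and uses constructed sample configurations and placeholder moduli rather than real device output or real keys.

```python
"""Offline audit of the SSH settings this guide configures (added example, not Cisco code).
audit_config() checks a saved running-config against Steps 1-8 and the troubleshooting
list; inspect_host_key() reads an 'ssh-rsa' line as stored in ~/.ssh/known_hosts or
printed by ssh-keyscan. All sample data below is constructed."""
import base64
import hashlib
import re
import struct
MIN_RSA_BITS = 2048  # the 1024-bit modulus the guide accepts is below current practice

# Constructed sample: the hardened result of Steps 1-8, covering all 16 VTY lines.
GOOD_CONFIG = """\
hostname MySwitch
ip domain-name switchfirewall.com
username admin privilege 15 secret 5 $1$abcd$constructedHashNotReal
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

# Constructed sample: default hostname, no domain, type-7 password, SSHv1, Telnet open, vty 5-15 untouched.
WEAK_CONFIG = """\
hostname Switch
username admin privilege 15 password 7 0822455D0A16
ip ssh version 1
line vty 0 4
 login local
 transport input telnet ssh
"""

REQUIRED = (  # (regex matched at line start, finding reported if no line matches)
    (r"hostname (?!Switch$|Router$)\S+", "hostname missing or default; it names the RSA key"),
    (r"ip domain-name \S+", "ip domain-name missing; crypto key generate rsa needs it"),
    (r"ip ssh version 2$", "ip ssh version 2 not set; compatibility mode still offers SSHv1"),
    (r"ip ssh authentication-retries [123]$", "ip ssh authentication-retries missing or above 3"),
    (r"ip ssh time-out \d+", "ip ssh time-out left at the 120 s default"),
)

def vty_blocks(config):
    """Map (first, last) of each 'line vty' block to its indented sub-commands."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            cur = (int(m[1]), int(m[2]))
            blocks[cur] = []
        elif raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = None
    return blocks

def audit_config(config, vty_count=16):
    """Return findings ([] = all passed); vty_count is the platform's VTY line count ('show line')."""
    findings = [why for pat, why in REQUIRED if not re.search("^" + pat, config, re.M)]
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"username {m[1]} uses reversible 'password'; use 'secret'")
    blocks = vty_blocks(config)
    covered = {n for first, last in blocks for n in range(first, last + 1)}
    if covered != set(range(vty_count)):
        findings.append(f"VTY lines not all configured: expected 0-{vty_count - 1}")
    for (first, last), cmds in blocks.items():
        for need in ("transport input ssh", "login local"):  # SSH-only transport, local auth
            if need not in cmds:
                findings.append(f"line vty {first} {last}: '{need}' missing")
    return findings

def ssh_rsa_line(e, n, host="192.168.1.10"):
    """Encode (e, n) as a known_hosts-style 'ssh-rsa' line; used here to build sample data."""
    def mpint(v):  # RFC 4251 mpint: big-endian, plus a leading zero byte when the top bit is set
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def inspect_host_key(line):
    """Return (modulus_bits, OpenSSH-style SHA256 fingerprint) for an ssh-rsa line."""
    fields = line.split()
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    pos, parts = 0, []
    while pos < len(blob):  # each field: 4-byte big-endian length, then that many bytes
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    algo, _e, n = parts
    if algo != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {algo!r}")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return int.from_bytes(n, "big").bit_length(), "SHA256:" + fp

# Constructed placeholder moduli (not real keys): 2048 bits passes, 1024 bits does not.
STRONG_KEY_LINE = ssh_rsa_line(65537, (1 << 2047) | 1)
WEAK_KEY_LINE = ssh_rsa_line(65537, (1 << 1023) | 1)

if __name__ == "__main__":
    print(audit_config(WEAK_CONFIG) or "OK", inspect_host_key(WEAK_KEY_LINE))
```

Run audit_config over the saved configuration after every change: an empty list means every check passed, and each string otherwise names the step to revisit. Compare the fingerprint from inspect_host_key with the host key the switch itself reports (recent IOS releases print it in the same SECSH format in show ip ssh) before trusting a first connection; a fingerprint that changes later means either the key pair was regenerated or the connection is being intercepted.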

Conclusion

Setting up SSH on your Cisco switch is an essential step in securing your network infrastructure. By following these steps, you can ensure that your remote management sessions are encrypted and protected from unauthorized access.