SSH Configuration Examples in Cisco (IOS,IOS-XE,NX-OS,IOS-XR)

Here are the configuration examples, where:

192.168.100.100 = Jumphost IP (the only IP allowed to SSH into the device)

Prerequisites for configuring SSH on Cisco devices include SSH key generation; please refer to the Cisco official documentation.

command: crypto key generate rsa

Preferably use an RSA key of at least 2048 bits; failing that, use at least 1024 bits for better security than the default.

IOS:

ip ssh version 2
!
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh
!
access-list 101 permit tcp host 192.168.100.100 any eq 22

IOS-XE:

ip ssh version 2
login quiet-mode access-class SSH-ACL
!
ip access-list extended SSH-ACL
 permit tcp host 192.168.100.100 any eq 22
 deny   tcp any any eq 22
!
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 5 0
 password 7 01234ABCDEF
 login authentication VTY
 transport input ssh

NEXUS OS:

feature ssh
!
interface mgmt0
 ip access-group acl_101 in
 vrf member management
!
ip access-list acl_101
 10 permit tcp 192.168.100.100/32 any eq 22
 20 deny ip any any log

IOS-XR:

ssh client source-interface Loopback0
ssh server v2
!
line template VTYTEMPLATE
 secret 5 $encryptedlocalpass
 users group root-system
 users group cisco-support
 accounting exec VTY
 accounting commands VTY
 authorization exec VTY
 authorization commands VTY
 login authentication VTY
 exec-timeout 5 0
 access-class ingress SSH-VTY
 transport input ssh
!
vty-pool default 0 4 line-template VTYTEMPLATE

or (simpler)

line default
 secret 5 $encryptedlocalpass
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-VTY
 session-timeout 5
 transport input ssh
!
ipv4 access-list SSH-VTY
 10 permit tcp host 192.168.100.100 any eq ssh
 20 deny ipv4 any any log
!
control-plane
 management-plane
  inband
   interface all
    allow SSH peer
     address ipv4 192.168.100.100
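As an added example (not part of the original post and not a Cisco tool), the following Python script audits an IOS/IOS-XE running-config text against the hardening points the IOS and IOS-XE examples above illustrate: SSH protocol version 2 enforced, VTY transport restricted to SSH, an access-class applied to the VTY lines that references an ACL which actually exists, and an exec-timeout that is not disabled. The two embedded sample configs are constructed here (the first is the page's IOS example with its ACL); the function names and the extra check for type 7 line passwords are my own assumptions. NX-OS and IOS-XR use different syntax and are not covered by this parser.

```python
import re

# Constructed sample: the IOS example from this page, with the ACL it references.
SAMPLE_CONFIG = """\
ip ssh version 2
!
access-list 101 permit tcp host 192.168.100.100 any eq 22
!
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh
"""

# Constructed weak config: no SSH v2 enforcement, telnet allowed, no ACL, idle timeout disabled.
WEAK_CONFIG = """\
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""


def parse_blocks(config: str):
    """Split an IOS-style config into (header, [subcommands]) blocks.

    Indented lines belong to the preceding unindented header; '!' and blank
    lines are separators and are dropped.
    """
    blocks = []
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_ssh(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    blocks = parse_blocks(config)
    top_level = {h for h, _ in blocks}

    if "ip ssh version 2" not in top_level:
        findings.append("SSH protocol version 2 not enforced (missing 'ip ssh version 2')")

    # Collect ACL names: numbered ('access-list 101 ...') and named ('ip access-list extended NAME').
    acls = set()
    for h, _ in blocks:
        m = re.match(r"access-list (\S+) ", h) or re.match(r"ip access-list (?:standard|extended) (\S+)", h)
        if m:
            acls.add(m.group(1))

    for h, body in blocks:
        if not h.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{h}: transport input not restricted to ssh")
        access_class = next((b for b in body if b.startswith("access-class ")), None)
        if access_class is None:
            findings.append(f"{h}: no access-class applied")
        elif access_class.split()[1] not in acls:
            findings.append(f"{h}: access-class references undefined ACL {access_class.split()[1]}")
        exec_timeout = next((b for b in body if b.startswith("exec-timeout ")), None)
        if exec_timeout is None:
            findings.append(f"{h}: no exec-timeout configured")
        elif exec_timeout.split()[1:3] == ["0", "0"]:
            findings.append(f"{h}: exec-timeout 0 0 disables the idle timeout")
        # Type 7 is a reversible encoding, not a hash; flag it so it can be reviewed.
        if any(b.startswith("password 7 ") for b in body):
            findings.append(f"{h}: line password uses type 7 (reversible) encoding")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_ssh(cfg) or ["no findings"]:
            print(" -", finding)
```

Feed it the output of "show running-config" saved to a file to check a real device; the page's own IOS example passes every check except the type 7 line password, which the script only flags for review.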
