
Disabling SSH CBC cipher on Cisco routers/switches

sulaimangd
Level 1

Hi,

Is there a way to disable weak ciphers on Cisco switches? I know we can enable strong ciphers through

ip ssh server algorithm encryption aes128-ctr aes256-ctr

but is there a way to completely disable them? Same goes for weak MAC algorithms?

 

4 Replies

sulaimangd
Level 1

Just to update on the issue.

It seems that the command

ip ssh server algorithm encryption aes128-ctr aes256-ctr

is not available on this switch.

I'm using a 4500-X with IOS-XE 03.04.06.SG.

Any ideas?

Thanks

 

Hi,
To answer your original question, if you define only aes256-ctr aes128-ctr (you would want to define the strongest first) then only those encryption ciphers will be allowed, therefore the weaker ciphers will be disabled. Combine that with an ACL on the VTY lines to further secure access to the devices.

That IOS firmware version is pretty old; I would be surprised if a newer IOS version did not support those commands.

HTH
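Added example, not part of the original thread and not Cisco code: one way to confirm that a restricted algorithm list really removes CBC ciphers is to parse the SSH_MSG_KEXINIT payload the server sends (RFC 4253, section 7.1) and flag what it still offers. The "weak" policy (CBC ciphers, MD5 and 96-bit MACs), the function names and both sample payloads are assumptions constructed for illustration.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its comma-separated algorithm lists."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}                         # skip type byte + 16-byte cookie
    for field in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def is_weak_cipher(name: str) -> bool:
    # Assumed policy: every CBC-mode cipher is unwanted.
    return name.split("@")[0].endswith("-cbc")

def is_weak_mac(name: str) -> bool:
    # Assumed policy: MD5-based and 96-bit truncated MACs are unwanted.
    base = name.split("@")[0]
    return "md5" in base or base.endswith("-96") or base.endswith("-96-etm")

def weak_offers(payload: bytes):
    """Return (weak ciphers, weak MACs) offered in either direction."""
    lists = parse_kexinit(payload)
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return sorted(filter(is_weak_cipher, enc)), sorted(filter(is_weak_mac, mac))

def build_kexinit(enc: str, mac: str) -> bytes:
    """Build a constructed sample payload (not captured from a real device)."""
    fields = ["diffie-hellman-group14-sha1", "ssh-rsa", enc, enc, mac, mac,
              "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(f)) + f.encode("ascii") for f in fields)
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

# Constructed samples: an offer that still has CBC, and the CTR-only list from the thread.
BEFORE = build_kexinit("aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc", "hmac-sha1,hmac-sha1-96")
AFTER = build_kexinit("aes256-ctr,aes128-ctr", "hmac-sha1")
```

On a real device the payload is the server's first binary packet after the version banner, with the packet length, padding length and padding removed.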

Thanks for the reply

 

Which version is likely to include those commands?

 

Thanks 

I think it was introduced in IOS 15.5(2), reference here...but unfortunately I don't think the 4500-X latest version appears to go up to 15.5.

 

 
