Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2516
Views
1
Helpful
16
Replies

enable ssh on switch but keep telnet until i can log in ssh

robertkwild
Spotlight

‎02-14-2024 03:36 AM

hi all,

i want to enable ssh on some switches but still keep telnet until i can login ssh and then i will disable telnet, is this a good how to to follow

https://networkproguide.com/how-to-enable-ssh-on-cisco-catalyst-switch-router/

but when it comes to step 9 i imagine i do this

transport input ssh telnet

and then i can log in ssh and if all good i can chage it back to

transport input ssh

is that correct?

Labels:
0 Helpful
16 Replies 16

Aref Alsouqi
VIP
VIP

‎02-14-2024 03:50 AM

Yeah that's the way how it works. When you remove "telnet" keyword, the VTY lines won't allow telnet accesses.

0 Helpful

robertkwild
Spotlight
In response to Aref Alsouqi

‎02-14-2024 05:24 AM

and i imagine as my user is enable/privilege i can disable the enable password?

0 Helpful

liviu.gheorghe
VIP
VIP
In response to robertkwild

‎02-14-2024 05:56 AM

Yes, if your user is configured with privilege 15, you basically don't need the enable secret password.

It it where my network, I would keep the enable secret password configured. It may come in handy in some situations.

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful

Aref Alsouqi
VIP
VIP
In response to robertkwild

‎02-14-2024 06:15 AM

I don't think you can unless you configure "privilege level 15" under the VTY lines, that will bypass the need to go through the enable secret.

0 Helpful

liviu.gheorghe
VIP
VIP
In response to Aref Alsouqi

‎02-14-2024 08:58 AM

Priviledge level 15 under the line vty is not necessary:

username cisco privilege 15 secret 9 $9$yCcRSAYE3Apcik$wHbANizGotpOoGE/nBJvl5aTkvdpLKZ7XknGXlzwbHc

line vty 3 4
login local
transport input telnet ssh

liviu@Livius-iMac:~$ telnet 172.25.25.97
Trying 172.25.25.97...
Connected to 172.25.25.97.
Escape character is '^]'.


User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
cisco
Password:
C8000v#

Regards, LG
*** Please Rate All Helpful Responses ***

Aref Alsouqi
VIP
VIP
In response to liviu.gheorghe

‎02-14-2024 09:18 AM

Do you have the enable secret configured on that device?

0 Helpful

MHM Cisco World
VIP
VIP
In response to robertkwild

‎02-14-2024 06:23 AM

You can use two different vty line 

One you can access via telnet and other via ssh' 

These two different vty line can separate by rotary number.

MHM

0 Helpful

robertkwild
Spotlight

‎02-14-2024 06:38 AM

good point so one vty line for ssh and another for telnet ie

transport input ssh
transport input telnet 

instead of this

transport input ssh telnet

so then if ssh is all good, to disable telnet i just do

no transport input telnet   

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to robertkwild

‎02-14-2024 06:43 AM

No friend complete isolated vty lines

Line vty 0 2

Transport input telnet 

Rotary 1

Line vty 3 4 

Transport input ssh

Rotary 2

https://brbccie.blogspot.com/2014/01/mini-vty-rotary_5.html?m=1

Note:- make sure you always have enable password in device and double check config before WR the config if there is anything wrong you can reload the device and return to point before config is modified

MHM

0 Helpful

meryrob
Level 1
Level 1

‎02-14-2024 09:06 AM

Yes, your approach is correct. Here's a breakdown of the steps:

  1. Follow the guide you provided to enable SSH on your Cisco Catalyst switch/router.
  2. In step 9, when configuring the VTY lines, use the command transport input ssh telnet. This allows both SSH and Telnet access to the device.
  3. Once SSH is successfully configured and tested, you can update the VTY lines to only allow SSH access by using the command transport input ssh. This will disable Telnet access while keeping SSH enabled.
  4. Make sure to test SSH access thoroughly before removing Telnet access to avoid any potential connectivity issues.

By following this approach, you can enable SSH while still retaining Telnet access temporarily until you're confident in SSH functionality. Once SSH is confirmed to be working correctly, you can then disable Telnet access for improved security.

0 Helpful

robertkwild
Spotlight

‎02-14-2024 11:11 AM - edited ‎02-14-2024 11:20 AM

so i cant have it like this

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input ssh
Switch9k(config-line)# exit
Switch9k(config)#

and...

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input telnet
Switch9k(config-line)# exit
Switch9k(config)#

 as 0-15 is already being used by ssh, i cant have another 0-15 for telnet, i need to do 0-7 for ssh and 8-15 for telnet?

or just have one for everything which is much better

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input ssh telnet
Switch9k(config-line)# exit
Switch9k(config)#
0 Helpful

Aref Alsouqi
VIP
VIP
In response to robertkwild

‎02-14-2024 01:21 PM

You will have to split the VTY lines if you want to use the rotary feature. However, as this is a temporary solution I would keep it simple and stick with the last option.

0 Helpful

robertkwild
Spotlight

‎02-15-2024 03:04 AM

thanks all, so this is to enable ssh on the IOS ie the cat switches and i imagine the SB and SG switches its just a case of doing this in CLI

ip ssh server

much more simpler than the cat switches

0 Helpful

robertkwild
Spotlight

‎02-21-2024 02:58 AM

what about if i already have vty lines, how do i get rid of all of them and just have one vty line 0-15

0 Helpful
li.common.scroll-to.top