enable ssh on switch but keep telnet until i can log in ssh

robertkwild · ‎02-14-2024

hi all,

i want to enable ssh on some switches but still keep telnet until i can login ssh and then i will disable telnet, is this a good how to to follow

https://networkproguide.com/how-to-enable-ssh-on-cisco-catalyst-switch-router/

but when it comes to step 9 i imagine i do this

transport input ssh telnet

and then i can log in ssh and if all good i can chage it back to

transport input ssh

is that correct?

Aref Alsouqi · ‎02-14-2024

Yeah that's the way how it works. When you remove "telnet" keyword, the VTY lines won't allow telnet accesses.

robertkwild · ‎02-14-2024

and i imagine as my user is enable/privilege i can disable the enable password?

liviu.gheorghe · ‎02-14-2024

Yes, if your user is configured with privilege 15, you basically don't need the enable secret password.

It it where my network, I would keep the enable secret password configured. It may come in handy in some situations.

Regards, LG
*** Please Rate All Helpful Responses ***

Aref Alsouqi · ‎02-14-2024

I don't think you can unless you configure "privilege level 15" under the VTY lines, that will bypass the need to go through the enable secret.

liviu.gheorghe · ‎02-14-2024

Priviledge level 15 under the line vty is not necessary:

username cisco privilege 15 secret 9 $9$yCcRSAYE3Apcik$wHbANizGotpOoGE/nBJvl5aTkvdpLKZ7XknGXlzwbHc

line vty 3 4
login local
transport input telnet ssh

liviu@Livius-iMac:~$ telnet 172.25.25.97
Trying 172.25.25.97...
Connected to 172.25.25.97.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
cisco
Password:
C8000v#

Regards, LG
*** Please Rate All Helpful Responses ***

Aref Alsouqi · ‎02-14-2024

Do you have the enable secret configured on that device?

MHM Cisco World · ‎02-14-2024

You can use two different vty line

One you can access via telnet and other via ssh'

These two different vty line can separate by rotary number.

MHM

robertkwild · ‎02-14-2024

good point so one vty line for ssh and another for telnet ie

transport input ssh

transport input telnet

instead of this

transport input ssh telnet

so then if ssh is all good, to disable telnet i just do

no transport input telnet

MHM Cisco World · ‎02-14-2024

No friend complete isolated vty lines

Line vty 0 2

Transport input telnet

Rotary 1

Line vty 3 4

Transport input ssh

Rotary 2

https://brbccie.blogspot.com/2014/01/mini-vty-rotary_5.html?m=1

Note:- make sure you always have enable password in device and double check config before WR the config if there is anything wrong you can reload the device and return to point before config is modified

MHM

meryrob · ‎02-14-2024

Yes, your approach is correct. Here's a breakdown of the steps:

Follow the guide you provided to enable SSH on your Cisco Catalyst switch/router.
In step 9, when configuring the VTY lines, use the command transport input ssh telnet. This allows both SSH and Telnet access to the device.
Once SSH is successfully configured and tested, you can update the VTY lines to only allow SSH access by using the command transport input ssh. This will disable Telnet access while keeping SSH enabled.
Make sure to test SSH access thoroughly before removing Telnet access to avoid any potential connectivity issues.

By following this approach, you can enable SSH while still retaining Telnet access temporarily until you're confident in SSH functionality. Once SSH is confirmed to be working correctly, you can then disable Telnet access for improved security.

robertkwild · ‎02-14-2024

so i cant have it like this

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input ssh
Switch9k(config-line)# exit
Switch9k(config)#

and...

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input telnet
Switch9k(config-line)# exit
Switch9k(config)#

as 0-15 is already being used by ssh, i cant have another 0-15 for telnet, i need to do 0-7 for ssh and 8-15 for telnet?

or just have one for everything which is much better

Switch9k(config)# line vty 0 15
Switch9k(config-line)# login local
Switch9k(config-line)# transport input ssh telnet
Switch9k(config-line)# exit
Switch9k(config)#

Aref Alsouqi · ‎02-14-2024

You will have to split the VTY lines if you want to use the rotary feature. However, as this is a temporary solution I would keep it simple and stick with the last option.

robertkwild · ‎02-15-2024

thanks all, so this is to enable ssh on the IOS ie the cat switches and i imagine the SB and SG switches its just a case of doing this in CLI

ip ssh server

much more simpler than the cat switches

robertkwild · ‎02-21-2024

what about if i already have vty lines, how do i get rid of all of them and just have one vty line 0-15