Inserting an rsa key into a configuration

charles.e.davis
Level 1

We are installing a large campus with a centralized network management workstation.  Currently, we are using an ssh client to communicate with the different network devices.  A problem has come up when installing new configurations into the devices.  During major configuration changes, we wr erase the start up configuration, copy in the new configuration in the start and reload.  Unfortunately, this causes the rsa key to be erased and ssh communications can't be restarted. 

Currently the command we are using is "crypto key generate rsa general-keys modulus 1024".  How do we embed this within the configuration so that it starts a new key and communication isn't required at the console port?  Thanks for any help provided in advance.

Charles Davis

14 Replies

Antonio Knox
Level 7

General RSA keys will not appear in the configuration.  The key that does is the one used when HTTPS access is enabled.

ip http secure-server

So how are ssh communications able to be established from remote equipment other than connecting to them with a console cable?  If a failure happens and the configuration must be completely re-written, is it always required that a person physically touch the device?  Thanks for your input on this.

When you erase your startup config, you are basically wiping out everything, including the management IP address of the device.  When this happens, the device goes back to the default config, and the only way to access it is by using a console cable.

I agree.  What we would do is wr er to remove the old configuration, and then copy in the new configuration.  Is it possible to copy in a new configuration onto the old one so that the rsa key remains through a reboot? 

In situations for which you want to start fresh, you should

!---------Get rid of the old RSA key--------

crypto key zeroize rsa

!---------Get rid of old config-----------

wr erase

!---------Reload------------

!----------Paste the new config-------

!----------Generate a new key--------

crypto key generate rsa general-keys modulus 1024


Richard Burts
Hall of Fame

Charles

I basically agree with Antonio but think the solution does not need to be quite as complex as his suggestion. I believe that it should be sufficient that, after wr erase, you do the crypto key generate in making your config changes.

If the objective were to replace an existing key with a new key then I absolutely agree with Antonio. But I believe that your situation is that a new key is a byproduct of the changes and not the objective.

HTH

Rick


Absolutely.  Because during the wr erase process our crypto key gets erased as well.  This makes it impossible to then reconnect to the device once it has been reloaded remotely.  What I am looking for is a way to reload a configuration, reboot the switch and still have a standing crypto key to reconnect with.  Otherwise, a technician will have to actually connect to the device each time a new configuration is required.  So I guess the main question is: after a wr er, an upload of a new configuration and a reload, how do you force the switch to generate a new key or hold on to the one that is currently being used?  This is being forced on us because the only management workstations are desktops and not laptops that can be taken to the device and connected via console.  Thanks in advance to both of you for your patience and help.

Charles

Richard Burts
Hall of Fame

Charles

Do I understand correctly that you upload a new config to the device? If so then it should be possible to incorporate the crypto key generate command into the config that you upload.

HTH

Rick


Rick,

That is exactly what we are trying to do.  But when we just spell out the generate command at the end of the configuration, while there is no error from the device, no crypto key gets generated.  It is only when you actually go in via console and re-enter the command that an rsa key gets generated.  This is mainly an issue on either 2960G or 3750 switches.  Routers seem to store the rsa keys in different locations.

You may be able to push the key generation via SNMP.  Simply upload the config, and then access the switch via SNMP and generate the key.

Is there any other way?  We do not run SNMP on our systems.  I was hoping that I was just doing something wrong in my configuration when I reinstalled it.  Unfortunately, I am trying to also make this friendly for users that aren't highly trained in Cisco devices. 

Have you tried just putting it as the last command in your config text file?   It should work with just "crypto key gen my rsa 1024" as the last command in your config file.

I thought of that too, but it didn't seem to work.  There were no errors but an rsa key was not generated.

I could think of a couple of different ways to do this, but one involves using telnet first via the config push then enabling SSHv2, and the other involves what could easily become an overly complex EEM applet.  But I don't really see a supremely simple way to do it outside of the suggestions posted here.
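The EEM route mentioned in the last reply can be kept small. The snippet below is an added example and is not from any poster in this thread; it assumes an IOS release on the 2960G/3750 that supports EEM applets. RSA key material is never part of the text configuration, as Antonio noted, so a file copied into startup-config cannot carry the key itself; what it can carry is a one-shot applet that generates the key a short time after boot and then removes itself. The applet name GEN-RSA-ON-BOOT, the 90-second delay, the hostname, domain name and username are placeholders chosen for this example. A hostname other than the default and an ip domain-name are required before crypto key generate rsa will run, so both sit in the pushed configuration ahead of the applet.

```cisco
! Added example (not from the thread): pushed configuration that makes SSH
! come back after "wr erase / copy ... startup-config / reload" without a
! console session. Names, timer value and credentials are placeholders.
hostname SW-EXAMPLE
ip domain-name example.local
username netmgmt privilege 15 secret CHANGE-ME
!
line vty 0 15
 login local
 transport input ssh
!
! One-shot applet: fires once, 90 s after boot, generates the key pair,
! enables SSHv2, deletes itself and saves the result (keys live in private
! NVRAM and persist only after write memory).
event manager applet GEN-RSA-ON-BOOT
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "crypto key generate rsa general-keys modulus 1024"
 action 4.0 cli command "ip ssh version 2"
 action 5.0 cli command "no event manager applet GEN-RSA-ON-BOOT"
 action 6.0 cli command "end"
 action 7.0 cli command "write memory"
 action 8.0 syslog msg "GEN-RSA-ON-BOOT: RSA key generated, SSHv2 enabled, applet removed"
```

Two caveats a practitioner would check: the applet assumes no RSA key exists (true after wr erase), because crypto key generate rsa prompts for confirmation when a key is already present; and the result should be verified on the first SSH login with show crypto key mypubkey rsa and show ip ssh, and the syslog message above will confirm the applet ran. Because the applet deletes itself, it cannot replace an existing key on later pushes, which matches Rick's point that a fresh key is a byproduct of the rebuild rather than its objective.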
