SSH to Cisco Catalyst Switch

Can someone please tell me the commands to set up SSH to a Catalyst 3560 switch? This will be to the private IP address.

Any help will be greatly appreciated.

Thanks,

Lake

Accepted Solutions

If I were you I would do this:

username xxx privilege 15 secret xxxxx

line vty 0 15

no password password

login local

Cheers,

Fabio

17 Replies

Jon Marshall
Hall of Fame

Lake

See this document for details on configuring ssh -

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

basic steps -

configure hostname

configure domain name

configure username

create crypto key

enable vty lines for ssh

Note that your image name must have a k9 in it, as this is the image version that supports SSH.

switch# dir flash:

will show you the image name

Jon

Hi Jon,

I will test and let you know.

Thanks,

Lake

Jon

When I enter dir flash: it says c3560-ipbase-mz. How can I upgrade to k9?

Thanks,

Lake

Hi Lakeram,

SSH needs the K9 image on the switch. Please go ahead and download the K9 image c3560-ipbasek9.mz (exact version) from the Cisco software download page to enable SSH. You can easily upgrade to an IOS crypto image, as it doesn't require purchasing a license (most of the time). It is only required when you upgrade to a different feature set, for example from IPBASE to IPSERVICES.

Thanks,

Ricky Micky

*Pls rate useful posts

I will do that.

Thanks,

Lake

There is no crypto command on the 3560 switch even though it has the k9 software. Can someone please help me with this?

Thanks,

Lake

Lake

Are you sure you are running the k9 image? Can you post a "sh ver"?

Jon

Lake

You have downloaded the new IOS image but you are still running the old image, i.e. from your output -

System image file is "flash:c3560-ipbase-mz.122-25.SEE2/c3560-ipbase-mz.122-25.SEE2.bin"

so you need to tell the switch to boot the new image. Firstly you need to locate the new image, i.e. it will be in flash, but if you notice from the above the actual .bin file is in a directory

directory = c3560-ipbase-mz.122-25.SEE2/

actual image file =  c3560-ipbase-mz.122-25.SEE2.bin

if you do a "dir flash:" you will see the directory and in that directory is the actual image file.

It depends on how you loaded the new k9 image. If you loaded the whole directory then you need to use the directory/filename, but if you just loaded the actual image file, i.e. the .bin file, then you just use the image name.

To tell the switch which image to boot add this to your config -

boot system flash flash:c3560-ipbasek9-mz.122-25.SEE2/c3560-ipbasek9-mz.122-25.SEE2.bin

The above would be if the new image was in a directory. If it's just a file then don't include the directory bit. Note: be very careful when entering the above as it needs to match exactly.

One last point. There may already be a boot system flash command in your running config. If there is -

1) remove it with the "no boot system flash ......" command

2) then put the new one in and then add the old string after that, separating with a semicolon, e.g.

boot system flash flash:c3560-ipbasek9-mz.122-25.SEE2/c3560-ipbasek9-mz.122-25.SEE2.bin;flash:c3560-ipbase-mz.122-25.SEE2/c3560-ipbase-mz.122-25.SEE2.bin

Jon

Jon

That worked

Thank you very much.

Regards,

Lake

Can you please tell me the full crypto key command?

Thanks,

Lake

Lake,

The command is

crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

Here is a doc that goes over the SSH installation and how to configure your PC for SSH access

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml



HTH
Reza

That worked.

What is the command to enable vty lines for SSH? Can someone please help me with this one more question?

Thanks,

Lake

line vty 0 15

transport input ssh or all...

I usually set to ssh only...

Cheers,

Fabio

That worked, but it does not like my password.

This is my command:

conf t

  username admin password password

I even did:

line vty 0 15

  password password

I don't know what is missing.

Thanks,

Lake
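
An added example (not part of the thread and not Cisco's code): a small Python check that reads a saved running-config plus the image name from "sh ver" and reports which of the SSH steps discussed in this thread are still missing. The function names, finding strings and sample config are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the thread's switch): local user created
# with "password", one vty range without "login local", one still allowing all.
SAMPLE_CONFIG = """\
hostname sw1
ip domain-name example.local
username admin password 0 password
line vty 0 4
 password password
 transport input ssh
line vty 5 15
 transport input all
"""

def vty_blocks(config):
    """Map each 'line vty ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = blocks.setdefault(line.strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_ssh(config, image):
    """Return findings for the SSH steps in the thread (empty list = all present).
    The RSA key pair is not stored in the config text, so it is not checked here."""
    findings = []
    if "k9" not in image.rsplit("/", 1)[-1].lower():
        findings.append("image is not a k9 image")
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname")
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("no domain name")
    users = re.findall(r"^username (\S+) .*?\b(secret|password)\b", config, re.M)
    if not users:
        findings.append("no local username")
    findings += [f"user {u}: 'password' used instead of 'secret'"
                 for u, kind in users if kind == "password"]
    for header, cmds in vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"{header}: missing 'login local'")
    return findings

if __name__ == "__main__":
    old = "flash:c3560-ipbase-mz.122-25.SEE2/c3560-ipbase-mz.122-25.SEE2.bin"
    print("\n".join(audit_ssh(SAMPLE_CONFIG, old)))
```

Whether the RSA key exists has to be confirmed on the switch itself, since the config text alone does not show it.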
