How to Enable SSH on Cisco IOS

You can enable Secure Shell (SSH) on Cisco routers both with and without AAA (Authentication, Authorization, and Accounting).

If you wish to use SSH on a Cisco router without AAA in IOS release 12.4 and above, you can configure local username and password authentication and use enhanced password security.

Here are the two methods for enabling SSH.

Configuring SSH with AAA

This configuration will only allow connections from the subnet via access list 99.

hostname CISCO877
aaa new-model

username nick privilege 15 secret 5 XXX

access-list 99 permit

line vty 0 4
 access-class 99 in
 privilege level 2
 transport input ssh
 transport output none

Configuring SSH without AAA

This is the minimum configuration needed to support inbound SSH sessions on a router:

hostname CISCO877
ip domain-name
crypto key generate rsa
! define local usernames, use passwords or secrets
username a password b
username x secret y
ip ssh version 2
line vty 0 4
 login local

I hope this post helps you get SSH set up on Cisco IOS for your router.

Here’s another way to do it:

It is recommended that Secure Shell (SSH) is used for remote administration of Cisco Routers and Switches.

To see if SSH is already enabled

CISCO877# show ip ssh
%SSH has not been enabled

To enable SSH on your Cisco Switch or Router, do the following from the global configuration mode:

Configure the Hostname on the Switch or Router

Router(config)# hostname CISCO877

Configure the Domain name for the Cisco Switch or Router

CISCO877(config)# ip domain-name

Generate an RSA Key Pair

CISCO877(config)# crypto key generate rsa

This enables SSH on the Cisco switch or the router.

The following optional commands are recommended but are not mandatory:

Set the SSH Negotiation phase timeout interval (in seconds)

CISCO877(config)# ip ssh time-out 120

This makes the Cisco router or switch wait 120 seconds before timing out the client during the SSH negotiation phase.

Set the Maximum retry attempts

CISCO877(config)# ip ssh authentication-retries 3

This sets the maximum number of authentication retries to 3 before the interface (vty) is reset.

To change the default port for SSH (default is 22) connection

CISCO877(config)# ip ssh port 3536

This sets the port number to listen for SSH connections to be 3536.

Log on to and log off from the Cisco IOS router or switch to ensure it works OK, and then disable Telnet access to the switch. This can be done by making SSH the only transport allowed on the vty lines.

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input ssh

This makes SSH the only way to connect to the Cisco routers or switches remotely.

Write the config changes to the startup-config:

CISCO877# wr mem

To see the status of the SSH on the Cisco switch or the router

CISCO877# show ip ssh
SSH Enabled – version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

To view the status of SSH connections

CISCO877# show ssh

Connection  Version  Encryption  State            Username
0           1.5      3DES        Session Started  guest

If at any time you want to disable SSH on the Cisco router or switch, run the following from global configuration mode:

CISCO877(config)# crypto key zeroize rsa

This deletes the RSA key-pair. Once you delete the RSA key-pair, it disables the SSH server.

In this case, if you had SSH as the only transport mode, then this needs to be changed back to the default:

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input telnet
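An added example (not part of the original post): a small Python check that applies the recommendations above to a saved configuration. It flags "username ... password" entries, a missing "ip ssh version 2", and vty lines without "transport input ssh" or an inbound access-class. The function names, finding codes and both sample configurations are constructed for illustration, and 192.0.2.0/24 is a placeholder subnet.

```python
import re

# Constructed samples built from the page's commands; the ACL subnet is a
# placeholder, since the page leaves it out.
WEAK = """hostname CISCO877
username a password b
username x secret y
line vty 0 4
 login local
"""
HARDENED = """hostname CISCO877
username x secret y
access-list 99 permit 192.0.2.0 0.0.0.255
ip ssh version 2
line vty 0 4
 access-class 99 in
 login local
 transport input ssh
"""

def parse_sections(config):
    """Group IOS config lines into [header, [indented sub-commands]] pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comments
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append([line.strip(), []])
    return sections

def audit_ssh(config):
    """Return sorted finding codes for SSH weaknesses in an IOS config."""
    findings = set()
    sections = parse_sections(config)
    for header, subs in sections:
        user = re.match(r"username (\S+) password\b", header)
        if user:  # 'password' is stored in clear or type 7; 'secret' is hashed
            findings.add("user-password:" + user.group(1))
        if header.startswith("line vty"):
            transport = [s for s in subs if s.startswith("transport input")]
            if transport != ["transport input ssh"]:  # not explicitly SSH-only
                findings.add("vty-not-ssh-only")
            if not any(re.match(r"access-class \S+ in\b", s) for s in subs):
                findings.add("vty-no-access-class")
    if all(h != "ip ssh version 2" for h, _ in sections):
        findings.add("sshv1-not-excluded")
    return sorted(findings)
```

Calling audit_ssh(WEAK) reports all four findings, while audit_ssh(HARDENED) returns an empty list.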

The Mortality of Technology

We have a lot in common with modern computing technologies, most notably that we’ll both end up “shutting down” at some point.  Even the best technologies, trends and frameworks come and go. A good example of this is the transformation of centralised computing in the form of mainframes to the distributed computing network that now powers the web.  I am reluctant to call it cloud computing as this buzzword is overused and is simply a new term for “computers connected together.”

The transformation of traditional “software” to “software as a service” is a good example of the evolution of technologies. I’ve been thinking recently about whether it actually matters. If the software solves the business challenges, does it really matter if it’s hosted on or off site?

I am a firm believer that products delivered as a service and traditional installed software can live in harmony for at least the next 5 years. Think about it at a consumer level. Whether I sign up for a Sky HD account, or order an e-mail address, the delivery method doesn’t really matter to me. I’m concerned about the service itself, and not the infrastructure.

The exact same applies to SAAS products. Most services offer high hardware and network guarantees. This is essential for companies using the system to run their day-to-day business operations.

As technological capability increases, companies increasingly expect solutions “right now.” This is where the SAAS model can deliver several crucial benefits with its agile approach.

The example above focuses on improving the return on investment and less on the actual technology itself. Although SAAS is just another way to deliver a solution to a problem, when deployed properly, it’s agile and extensible and completely relevant for a large proportion of industries.

How to Make a Cat 5E Cable

Based on recent experience, there are few things more irritating than spending time diagnosing network problems to find out that it was a faulty cable. This short post is designed to act as a pinout guide for terminating Cat 5E cables.

The diagrams below show how to crimp an RJ-45 end in 568-A and 568-B configurations.  See the notes below for guidelines and tips.

Cat 5E (568-A)

568 Wiring Diagram
Pair                Wire              Pin
1-White & Blue      White & Blue      5
                    Blue & White      4
2-White & Green     White & Green     1
                    Green & White     2
3-White & Orange    White & Orange    3
                    Orange & White    6
4-White & Brown     White & Brown     7
                    Brown & White     8

Cat 5E (568-B)


Pair                Wire              Pin
1-White & Blue      White & Blue      5
                    Blue & White      4
2-White & Orange    White & Orange    1
                    Orange & White    2
3-White & Green     White & Green     3
                    Green & White     6
4-White & Brown     White & Brown     7
                    Brown & White     8



  • 568-B wiring is the most common method for patching.
  • There is no difference in connectivity between 568B and 568A cables. Either wiring should work fine on any system.
  • For a straight through cable, wire both ends identical.
  • For a crossover cable, wire one end 568A and the other end 568B.
  • Do not confuse pair numbers with pin numbers. A pair number is used for reference only (e.g. 10BaseT Ethernet uses pairs 2 & 3). The pin numbers indicate actual physical locations on the plug and jack.