Cisco IPv6 Training

Enabling SSH on a Cisco IPv6 Router

By Charles Ross CCNP #CSCO10444244

Secure Shell or “SSH” is an Application layer protocol that uses a secure channel; the secure channel ensures that the data being exchanged between two IP devices is totally secure (encrypted).

A Cisco IPv6 router can either act like a SSH server or a SSH client. When a Cisco IPv6 router is acting like a SSH server, it allows a SSH client (IP device) to make a secure, encrypted connection to the Cisco router; and when a Cisco IPv6 router is acting like a SSH client, it is able to make a secure, encrypted connection to another Cisco router or to any other IP device running as a SSH server.

Now, before you can enable Secure Shell or “SSH” on a Cisco IPv6 router, the router must meet certain requirements and those requirements are:

The router must be imaged with either an IPsec Data Encryption Standard (DES) or a Triple Data Encryption Standard (3DES) encryption software image.

It should be running Cisco IOS Release 12.1(3)T or higher.

It should be configured with a host name (by using the global configuration command hostname) and a host domain (by using the global configuration command ip domain-name).

It should already have a Rivest, Shamir, and Adelman (RSA) key pair generated. The RSA key pair is used to automatically enable SSH on the router; to generate a RSA key pair use the “crypto key generate rsa” global configuration command.

It should already have a user authentication mechanism configured for local or remote access. Currently, with SSH over an IPv6 transport; the only user authentication mechanism supported, is locally stored usernames and passwords. The TACACS+ and RADIUS user authentication mechanisms are not supported over an IPv6 transport. But, if you are in an IPv6 network environment and would like to have either TACACS+ or RADIUS authenticate SSH clients; you must configure TACACS+ or RADIUS over an IPv4 transport and then connect to an SSH server over an IPv6 transport.

Here are the steps to enable SSH (SSH server) on an IPv6 router:

Router>enable
Router#configure terminal
Router(config)#ip ssh [timeout seconds | authentication-retries integer]
Router(config)#exit
Router#copy run start

Steps Explained

Step #1

1. Router>enable

Puts router into Privileged EXEC mode.

Step #2

2. Router#configure terminal

Puts router into Global configuration mode.

Step #3

3. Router(config)#ip ssh timeout 100 authentication-retries 2

Configures the SSH (server) control variables on the router.

Step #4

4. Router(config)#exit

Causes router to exit global configuration mode and re-enters into Privileged EXEC mode.

Step #5

5. Router#copy run start

Saves the contents of the running-config to local Non -Volatile Random Access Memory (NVRAM).

Here are the steps that allow a Cisco IPv6 router that is acting like a SSH client to initiate an encrypted SSH session with a remote networking device.

Router>enable

Router#ssh [-v {1 | 2}] [-c {3des | aes128-cbc | aes192-cbc | aes256-cbc}] [-l userid | -l userid:{number}{ip-address} | -l userid:rotary{number} {ip-address}] [-m {hmac-md5 | hmac-md5-96 |

hmac-sha1 | hmac-sha1-96}] [-o numberofpasswordprompts n] [-p port-num] {ip-addr |

hostname} [command]

Steps Explained

Step #1

1. Router>enable

Puts router into Privileged EXEC mode.

Step #2

2. Router#ssh

Initiates an encrypted session with a remote networking device.

To your success,

Charles Ross

CCNP #CSCO10444244