In today's enterprise networks, securing remote management access is non-negotiable. Telnet sends all data—including passwords—in cleartext, making it trivial for attackers to intercept. SSH (Secure Shell) encrypts the entire session, protecting credentials and configuration commands. For the CCNA 200-301 exam (objective 4.7), you must know how to configure SSH, disable Telnet, and verify secure access. This lab walks through the exact IOS steps to harden your devices.
Imagine you need to send instructions to a remote office assistant. You have two choices: a postcard or a sealed letter. A postcard (Telnet) is written in plain view—any postal worker, nosy neighbor, or thief can read your instructions, including the password to the office safe. The sealed letter (SSH) is placed inside a tamper-evident envelope, locked with a unique key that only you and your assistant possess. Even if the letter is intercepted, the contents remain hidden. But the sealed letter process is more involved: first, you must exchange keys securely (key generation), then you encrypt your message using those keys (cipher negotiation), and finally your assistant decrypts it with the matching key. Similarly, SSH uses asymmetric keys to establish a secure channel, then symmetric encryption for the session. The postcard is fast and requires no setup—just write and send—but it's insecure. The sealed letter takes extra steps but guarantees privacy and integrity. In networking, Telnet is the postcard—simple but dangerous. SSH is the sealed letter—essential for protecting your network's control plane.
What is SSH and Why Does It Exist?
SSH (Secure Shell) is a cryptographic network protocol used for secure remote login and command execution. It was developed as a replacement for Telnet, rlogin, and rsh, which transmit data—including passwords—in plaintext. On the CCNA 200-301 exam, SSH configuration is a core skill under objective 4.7 (Configure and verify device management access using SSH).
SSH provides three key security functions:
- Authentication: Verifies the identity of the client and/or server using passwords or public keys.
- Encryption: Encrypts the entire session to prevent eavesdropping.
- Integrity: Ensures data is not modified in transit using HMAC.
How SSH Works Step by Step
SSH operates over TCP port 22. The connection setup involves several phases:
TCP Handshake: The client initiates a TCP connection to the server on port 22. The three-way handshake completes.
SSH Version Exchange: Both sides announce their SSH version (e.g., SSH-2.0). Cisco IOS supports SSH version 1 and 2, but version 2 is preferred and required for many features.
Key Exchange (Algorithm Negotiation): The client and server agree on encryption algorithms, integrity algorithms, and key exchange methods. Common choices include:
- Key exchange: diffie-hellman-group14-sha1
- Encryption: aes128-ctr, aes256-ctr
- HMAC: hmac-sha1
Diffie-Hellman Key Exchange: Both sides generate a shared session key without sending it over the wire. This key is used for symmetric encryption of the session.
Server Authentication: The server sends its public key (host key). The client verifies this key (typically by checking a known_hosts file). In Cisco IOS, the server's host key is generated from the RSA key pair.
User Authentication: The client authenticates the user. Methods include password, public key, or keyboard-interactive. Cisco IOS typically uses password authentication via AAA or local username/password.
Encrypted Session: All subsequent data is encrypted and integrity-checked.
SSH Configuration on Cisco IOS
To enable SSH on a Cisco device, follow these steps:
#### Step 1: Set a Hostname and Domain Name
SSH requires a hostname and domain name to generate the RSA key pair.
```
Router(config)# hostname R1
R1(config)# ip domain-name courseiva.com
```
#### Step 2: Generate RSA Keys
```
R1(config)# crypto key generate rsa general-keys modulus 2048
```
The modulus size must be at least 768 bits for SSHv2; 2048 is the current best practice. The command creates a public/private key pair stored in NVRAM.
#### Step 3: Configure Authentication
Create a local user or use AAA. For local authentication:
```
R1(config)# username admin secret cisco123
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
```
Note: `transport input ssh` allows only SSH connections. To disable Telnet entirely, omit `telnet` from the `transport input` command.
#### Step 4: Enable SSH Version 2
```
R1(config)# ip ssh version 2
```
This ensures only SSHv2 connections are accepted.
#### Step 5: (Optional) Configure Timeouts and Retries
```
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
```
Disabling Telnet
To fully disable Telnet, remove it from the VTY transport input:
```
R1(config-line)# transport input ssh
```
Also ensure no other lines (e.g., AUX) allow Telnet. To verify, use:
```
R1# show line
```
Verification Commands
Check SSH status:
```
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
```
Check active SSH sessions:
```
R1# show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-ctr hmac-sha1 Session started admin
```
Check RSA keys:
```
R1# show crypto key mypubkey rsa
% Key pair was generated at: 03:10:25 UTC Mar 1 2023
Key name: R1.courseiva.com
Usage: General Purpose Key
Key is not exportable.
Key data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 020100
...
```
Interaction with Related Protocols
SSH can be used with AAA (TACACS+ or RADIUS) for centralized authentication. It also works with SCP (Secure Copy) for file transfer. SSH does not replace SNMPv3 for monitoring, but both provide encryption.
Set hostname and domain
Begin by assigning a hostname and domain name to the router or switch. These are required for RSA key generation. Use the `hostname` command in global configuration mode to set the device name, and `ip domain-name` to set the domain. Example:
```
Router(config)# hostname R1
R1(config)# ip domain-name courseiva.com
```
The domain name is appended to the hostname to form the fully qualified domain name (FQDN), which is used as the key label. Without a domain name, the `crypto key generate rsa` command will fail.
Generate RSA key pair
Generate an RSA key pair with a modulus of at least 2048 bits. The command is:
```
R1(config)# crypto key generate rsa general-keys modulus 2048
```
You will be prompted to confirm. The router will generate a public and private key pair, stored in NVRAM. For SSHv2, the minimum modulus is 768 bits, but 2048 is recommended for security. If you already have keys, you can overwrite them. To delete existing keys, use `crypto key zeroize rsa`.
Create local user accounts
Create at least one local username and password for SSH authentication. Use the `username` command with the `secret` keyword (which encrypts the password using MD5):
```
R1(config)# username admin secret cisco123
```
Alternatively, you could use AAA with TACACS+ or RADIUS, but for the lab, local authentication is simpler. The `secret` keyword provides stronger encryption than `password`. Remember, the password is case-sensitive.
Configure VTY lines for SSH
Access the VTY lines (typically 0-4) and configure them to use local authentication and accept only SSH connections:
```
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
```
`transport input ssh` restricts incoming connections to SSH only, effectively disabling Telnet. To also allow Telnet, you would use `transport input telnet ssh`, but that is insecure. The `login local` command tells the router to use the local username database for authentication.
Enable SSH version 2 and set parameters
Optionally, configure SSH version 2 and set timeout and retry limits:
```
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
```
SSHv2 is more secure than v1 and is the default on newer IOS versions. The timeout sets the maximum time (in seconds) for the authentication phase. The retries limit the number of failed authentication attempts before the connection is closed.
Verify SSH configuration
Use `show ip ssh` to verify the SSH configuration:
```
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
```
Also verify the RSA keys with `show crypto key mypubkey rsa`. To test SSH, attempt to connect from a client using `ssh -l admin 192.168.1.1`. If successful, you have hardened the device.
Disable Telnet completely
To ensure Telnet is fully disabled, check all VTY lines and the AUX port. For the VTY lines, ensure `transport input ssh` is set (no `telnet` option). For the AUX line, you can disable it with:
```
R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# transport input none
```
This prevents any inbound connections on the AUX port. Also verify that no Telnet access is possible by attempting a Telnet connection. A successful Telnet attempt indicates a misconfiguration.
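The configuration steps (hostname and domain, `secret` users, `ip ssh version 2`, VTY lines restricted to SSH, AUX closed) can be checked against a saved running-config before you disconnect the console. The following audit script is an added example, not an IOS feature or code from the lab; it parses the one-space indentation IOS uses for line sub-commands, and both config excerpts are constructed (one device that still allows Telnet, one that follows the lab steps). Key modulus is not visible in a running-config, so that check is left to `show crypto key mypubkey rsa`.

```python
"""Audit an IOS running-config excerpt for the SSH hardening steps:
hostname/domain set, 'ip ssh version 2', users created with 'secret',
VTY lines restricted to SSH with a login method, AUX line closed.
Added example; config text is constructed, not from a real device."""
import re

# Constructed sample: a device that still allows Telnet on VTY and AUX.
WEAK_CONFIG = """\
hostname R1
username admin password cisco123
line vty 0 4
 login local
 transport input telnet ssh
line aux 0
 transport input telnet
"""

# Constructed sample: the hardened configuration from the lab steps.
HARDENED_CONFIG = """\
hostname R1
ip domain-name courseiva.com
username admin secret cisco123
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 login local
 transport input ssh
line aux 0
 no exec
 transport input none
"""


def parse_lines(config):
    """Return (global commands, {line section: [sub-commands]}) from running-config text."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: sub-command of the current 'line' section
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    globals_, sections = parse_lines(config)
    findings = []
    if not any(g.startswith("hostname ") for g in globals_):
        findings.append("hostname not set (RSA key generation will fail)")
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append("ip domain-name not set (RSA key generation will fail)")
    if "ip ssh version 2" not in globals_:
        findings.append("ip ssh version 2 not configured (SSHv1 may be negotiated)")
    for g in globals_:
        m = re.match(r"username (\S+) password ", g)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'")
    vty_seen = False
    for name, cmds in sections.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if name.startswith("line vty"):
            vty_seen = True
            # No explicit transport input, or 'telnet'/'all' present, means Telnet is reachable.
            if transport is None or "telnet" in transport.split() or "all" in transport.split():
                findings.append(f"{name}: transport input allows Telnet ({transport or 'default'})")
            if not any(c.startswith("login") for c in cmds):
                findings.append(f"{name}: no login local / login authentication configured")
        elif name.startswith("line aux"):
            if transport != "transport input none":
                findings.append(f"{name}: transport input is not 'none' ({transport or 'default'})")
    if not vty_seen:
        findings.append("no VTY lines configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["OK"])
```

Run against the weak sample it reports the missing domain name, the missing `ip ssh version 2`, the `password`-style user, the Telnet-capable VTY transport and the open AUX line; the hardened sample produces no findings.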
In enterprise networks, SSH is the standard for managing routers, switches, and firewalls. Telnet is almost universally banned due to security policies. For example, a multinational corporation with hundreds of devices uses SSH with AAA (TACACS+) to centralize authentication and authorization. Each network engineer has a unique username and password, and all commands are logged for auditing. SSH keys are often used for automated scripts and network automation tools like Ansible or Python scripts using Netmiko.
A common deployment scenario is a data center with hundreds of switches. The network team configures SSHv2 with a 2048-bit RSA key, local authentication as a fallback, and TACACS+ for primary authentication. They also set the VTY lines to accept only SSH and configure ACLs to restrict SSH access to management subnets only. This prevents unauthorized access even if someone gains physical access to the network.
Performance considerations: SSH encryption adds CPU overhead, especially during key generation and session establishment. On older devices, using a modulus larger than 2048 may cause delays. However, once the session is established, the CPU impact is minimal. Misconfigurations can lead to lockouts: if you forget to set a username or misconfigure the VTY lines, you might lose remote access. Always test SSH from a console session before disconnecting.
Another scenario: a service provider manages customer edge routers. They use SSH with public key authentication for automated provisioning. The customer generates a key pair, sends the public key to the provider, and the provider configures it on the router. This eliminates the need for passwords and reduces the risk of credential theft.
For CCNA 200-301 exam objective 4.7, you must be able to configure SSH and disable Telnet. The exam will test your understanding of the required steps and the specific commands. Common wrong answers include:
Using `transport input telnet ssh` and thinking it disables Telnet: This command allows both Telnet and SSH. To disable Telnet, you must use transport input ssh only.
Forgetting to set a hostname and domain name before generating RSA keys: The crypto key generate rsa command will fail without these, but the exam may show a scenario where the command is attempted and fails. The correct sequence is hostname, domain name, then key generation.
Confusing `ip ssh version 2` with `crypto key generate rsa`: The key generation is separate from the version command. You need both.
Assuming SSH is enabled by default: It is not. You must configure it explicitly.
Specific values to remember:
Minimum RSA modulus for SSHv2: 768 bits (but 2048 is common)
Default SSH version on modern IOS: version 2 (but verify)
Default authentication timeout: 120 seconds (but can be changed)
Default authentication retries: 3
Decision rule: If a question asks how to secure remote management, the answer is always SSH. Look for steps: hostname, domain, key generation, username, VTY transport input ssh, and optionally ip ssh version 2. If the question asks how to disable Telnet, the answer is transport input ssh on the VTY lines.
Elimination strategy: Eliminate any answer that includes Telnet in the transport input if the goal is to disable Telnet. Eliminate answers that skip hostname/domain. Eliminate answers that use password instead of secret for user accounts (though password works, secret is more secure and preferred).
SSH uses TCP port 22; Telnet uses TCP port 23.
To configure SSH, you must set a hostname and domain name, then generate RSA keys with `crypto key generate rsa general-keys modulus 2048`.
Disable Telnet by setting `transport input ssh` on VTY lines, not `transport input telnet ssh`.
Enable SSH version 2 with `ip ssh version 2`.
Verify SSH with `show ip ssh` and `show ssh`.
Minimum RSA modulus for SSHv2 is 768 bits; 2048 is recommended.
Always test SSH from a console session before disconnecting to avoid lockout.
These come up on the exam all the time. Here's how to tell them apart.
| | Telnet | SSH |
|---|---|---|
| Port | TCP port 23 | TCP port 22 |
| Encryption | None – plaintext | Encrypts entire session (symmetric cipher) |
| Authentication | Password only | Password, public key, and keyboard-interactive |
| Configuration | Easy (no keys needed) | Requires RSA key generation and configuration |
| Eavesdropping / MITM | Vulnerable | Secure (with proper key verification) |
Mistake: Telnet is secure if you use a strong password.
Correct: Telnet sends all data, including passwords, in cleartext. Anyone on the network can capture it with a packet sniffer. SSH encrypts the entire session, protecting credentials and data.
Many beginners think encryption is only for passwords, but Telnet exposes everything.

Mistake: You can enable SSH by just typing `ip ssh version 2`.
Correct: You must first generate RSA keys using `crypto key generate rsa`. Without keys, SSH cannot establish encrypted sessions. The version command only sets the protocol version; it does not enable SSH.
The phrase 'enable SSH' is misleading; it's a multi-step process.

Mistake: `transport input ssh` allows both SSH and Telnet.
Correct: `transport input ssh` allows ONLY SSH. To allow both, you use `transport input telnet ssh`. The keyword `ssh` alone restricts to SSH only.
Candidates often misread the syntax, thinking 'ssh' is an addition, not a restriction.

Mistake: You need a separate command to disable Telnet after enabling SSH.
Correct: Setting `transport input ssh` implicitly disables Telnet on that line. No further command is needed. However, you should also check other lines (AUX, VTY) to ensure Telnet is disabled everywhere.
Some think disabling is a separate action, but it's inherent in the transport input configuration.
SSHv1 has known security vulnerabilities, including weak integrity checking and susceptibility to man-in-the-middle attacks. SSHv2 introduces stronger encryption algorithms, Diffie-Hellman key exchange, and improved integrity using HMAC. Cisco recommends using SSHv2. On the exam, you may need to know that `ip ssh version 2` enables SSHv2 and that it requires a minimum RSA modulus of 768 bits.
Yes. `transport input ssh` restricts the VTY lines to only SSH connections (and disables Telnet). `ip ssh version 2` sets the SSH protocol version to 2. Without the version command, the router may negotiate SSHv1 if the client requests it. Both commands are independent and both are needed for a secure configuration.
Yes. You can configure AAA authentication for login. For example, `aaa new-model`, `aaa authentication login default group tacacs+ local`. Then on the VTY lines, use `login authentication default`. This centralizes authentication. The exam does not require detailed AAA configuration, but you should know it's possible.
The `crypto key generate rsa` command will fail with an error like "% Please define a hostname and domain name first". You must configure both `hostname` and `ip domain-name` before generating keys. This is a common exam trap.
Go to line configuration mode for the VTY lines (e.g., `line vty 0 15`) and issue `transport input ssh`. This allows only SSH. Also check the AUX line and console line (though console is physical). To ensure no Telnet access, you can also apply an ACL that denies TCP port 23, but the transport input method is standard.
Yes, by configuring `transport input telnet ssh` on the VTY lines. This allows both protocols. However, for security, it's best to disable Telnet. The exam may test that `transport input ssh` disables Telnet, while `transport input telnet ssh` keeps it enabled.
On modern IOS versions (15.x and later), the default is SSH version 2. However, you should still configure `ip ssh version 2` to ensure consistency and to override any previous configuration. Older IOS versions may default to SSHv1.