SSH Configuration — IOS-XE

Cisco IOS-XE SSH Configuration Guide

Everything you need to configure SSH correctly on Cisco IOS-XE switches — from basic setup to brute-force protection and management ACLs.


Why SSH configuration matters

Telnet sends every keystroke — including your password — in cleartext across the network. Any packet capture between you and the switch will reveal your credentials instantly. SSH encrypts the entire session, but not all SSH configurations are equally secure: SSHv1 has well-documented cryptographic weaknesses and should never be used in production.

A misconfigured SSH setup leaves your management plane exposed. Default IOS-XE allows both SSH and Telnet on VTY lines, uses short session timeouts, and has no brute-force protection. Getting SSH configuration right is one of the highest-impact, lowest-effort hardening steps you can take on any Cisco switch.

Complete SSH configuration for IOS-XE

Step 1 — Enable SSH v2 only
Global configuration:

ip domain-name company.local
crypto key generate rsa modulus 2048
ip ssh version 2
no ip ssh v1-compat

A domain name must be configured before generating RSA keys — the key pair name is derived from it. Use modulus 2048 minimum. no ip ssh v1-compat explicitly disables SSHv1 fallback.

Step 2 — Set timeout and retries
Global configuration:

ip ssh time-out 60
ip ssh authentication-retries 3

The SSH negotiation timeout (not the session idle timeout) and the number of authentication attempts before the connection is dropped. Lower values reduce the window for attacks.

Step 3 — Restrict VTY lines to SSH only
Line configuration:

line vty 0 15
 transport input ssh
 exec-timeout 10 0
 logging synchronous
 login local

transport input ssh disables Telnet entirely. exec-timeout 10 0 kills idle sessions after 10 minutes. Always configure all VTY lines (0 through 15) — leaving any unconfigured creates a Telnet backdoor.

Step 4 — Brute-force protection
Global configuration:

login block-for 120 attempts 3 within 60
login on-failure log
login on-success log

Blocks all login attempts for 120 seconds if 3 failures occur within 60 seconds. login on-failure log sends a syslog message for every failed attempt — visible in your SIEM.

Step 5 — Management ACL
ACL + VTY restriction:

ip access-list standard MGMT-ACCESS
 permit 10.10.99.0 0.0.0.255
 deny any log
line vty 0 15
 access-class MGMT-ACCESS in

Restricts SSH access to your management subnet only. Any IP outside the permitted range is denied — and logged. This is the single most effective control for protecting the management plane.
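As an added example (not part of this guide or any Cisco tooling), a small Python audit that checks a saved show running-config text against Steps 1, 3, 4 and 5 above: SSH pinned to version 2, login block-for and failure logging present, every VTY block SSH-only with an inbound access-class, and no VTY line left unconfigured. The sample config excerpt and the MGMT-ACCESS name are constructed for the example.

```python
import re

# Constructed 'show running-config' excerpt (not from a real device); the
# vty 5-15 block still allows Telnet, the mistake the guide warns about.
SAMPLE_CONFIG = """\
ip domain-name company.local
ip ssh version 2
login block-for 120 attempts 3 within 60
login on-failure log
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_vty_blocks(config):
    # Map (first, last) of each 'line vty A B' block to its indented sub-commands.
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_ssh_config(config):
    # Return the guide's checks that fail; an empty list means the config passes.
    findings = []
    for pattern, msg in (
        (r"^ip ssh version 2$", "SSH not pinned to version 2"),
        (r"^login block-for \d+ attempts \d+ within \d+$", "no login block-for lockout"),
        (r"^login on-failure log$", "failed logins are not logged"),
    ):
        if not re.search(pattern, config, re.M):
            findings.append(msg)
    covered = set()
    for (first, last), cmds in parse_vty_blocks(config).items():
        covered.update(range(first, last + 1))
        if "transport input ssh" not in cmds:
            findings.append(f"vty {first}-{last}: transport input is not ssh-only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"vty {first}-{last}: no inbound access-class (management ACL)")
    if missing := sorted(set(range(16)) - covered):
        findings.append(f"vty lines not configured at all (still defaults): {missing}")
    return findings
```

The audit only confirms that login block-for is present; it does not check for a login quiet-mode access-class, which is what keeps the management subnet reachable while the switch is in quiet mode.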

Common SSH configuration mistakes

Forgetting ip domain-name before generating RSA keys: crypto key generate rsa will fail with an error or generate a key with a useless name. Always set the domain name first.
Using modulus 1024 — 1024-bit RSA is considered weak. Use 2048 minimum. Use 4096 for high-security environments, keeping in mind it may slow down key generation on older hardware like the 2960X.
Leaving Telnet enabled alongside SSH — the default transport input all or transport input telnet ssh allows cleartext Telnet. Always set transport input ssh exclusively.
No management ACL — without an access-class on VTY lines, any IP address on any reachable network can attempt SSH. Restrict to your management subnet with a standard ACL.

Frequently Asked Questions

Use 2048 minimum. 4096 provides stronger security but may slow down key generation on older hardware like the 2960X. For Catalyst 9300 and 9200 series, 2048 is the standard recommendation and provides adequate security for the foreseeable future.

It automatically blocks all SSH login attempts for 120 seconds if 3 failed attempts occur within 60 seconds. This prevents brute-force attacks on your management plane by introducing a mandatory lockout period. The switch enters "quiet mode" and rejects all new connections during the lockout.

Best practice is TACACS+ with local authentication as a fallback. If your TACACS server is unreachable, local credentials ensure you can still access the switch for emergency recovery. Never rely on local authentication alone in a production environment — it creates a shared credential that is difficult to rotate across a large estate.
