Enabling SSH and Disabling Telnet

By certskills September 17, 2015 12:05

Many of us start out learning about the simplest Cisco security option: one password for all users to reach user mode, with no per-user login. By today’s standards, that security method is archaic. Today’s lab lets you upgrade from that simple beginning point to allow only the more secure SSH login, disallow Telnet, and require each user to use a separate username/password.


You will configure a Cisco Catalyst switch to support SSH and not support Telnet. From the user perspective, an attempt when using Telnet should be rejected so that the user never sees a prompt for a password or username. SSH users should be allowed in if they supply a correct username and password. For this lab, the switch already has been configured to support IP, and it has been configured with simple passwords; your job is to update the configuration to support SSH only for remote users.

The specific rules for this lab are as follows:

  1. Configure SSH to use an encryption key
  2. Create the SSH key so that it relies on domain name example.com as input.
  3. Create a username/password pair of Barney/Rubble with the best encryption possible for the password.
  4. Enable support for SSH, but only SSH, using the locally-created usernames/passwords.

Figure 1: Network Used in this Lab


Initial Configuration

This lab begins with a switch that has been configured to allow both Telnet and SSH into the switch, both using a simple IP address. The management IP address and the CLI access passwords for user mode and enable mode have been set. Example 1 shows that configuration.

Example 1: SW1 Initial Config


Answer on Paper, and Maybe Test in Lab

Write your answer on paper. If you do have a place to test this lab, configure the switch, and then try to both SSH and Telnet into the switch. You should hopefully be rejected when trying to Telnet, without even being asked for a username or password. With SSH, you should be prompted for a username and password, with username Barney/Rubble working.

I’ll post the answer post in a few days. Note that it will be linked at the bottom of the page.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!


Network Device Info:

This table lists the interfaces changed in this lab to work well in VIRL.

Device Lab Port VIRL Port
SW1 G0/1 G0/1
SW1 F0/1 G0/2
SW1 F0/2 G0/3


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address Mac Address User/password
PC 02:00:11:11:11:11 cisco/cisco
S 02:00:22:22:22:22 cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath



Answers: Basic NetFlow 1
Answer: Enabling SSH and Disabling Telnet
By certskills September 17, 2015 12:05
Write a comment


  1. Carlos September 17, 13:02

    SW1(config)#ip domain name example.com
    SW1(config)#crypto key generate rsa
    size of the key 1024
    SW1(config)#username Barney secret Rubble
    line vty 0 4
    login local
    transport input ssh
    line vty 0 4
    login local
    transport input ssh

    Regards Wendell


    Reply to this comment
  2. Carlos September 17, 13:03

    line vty 5 15

    ooops !!

    Reply to this comment
  3. Dexter September 17, 18:42

    Good job Carlos !
    just to add this (I am pretty sure you know it!)

    to log in here is the command : ssh -l Barney
    when prompted for password, enter Rubble

    Reply to this comment
  4. Murray bown September 18, 19:01

    Am I right in thinking that you also need to configure the hostname before you can configure the RSA key?

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.