Published On: August 3ʳᵈ, 2020 08:22

Security Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

Secure Shell (SSH) provides support for IPv6 addresses that enable a Cisco device to accept and establish secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.

Prerequisites for SSH Support over IPv6

  • An IPsec (Data Encryption Standard [DES] or 3DES) encryption software image is loaded on your device. IPv6 transport for the SSH server and SSH client requires an IPsec encryption software image.

  • A hostname and host domain are configured for your device.

  • A Rivest, Shamir, and Adelman (RSA) key pair, which automatically enables SSH, is generated for your device.

  • A user authentication mechanism for local or remote access is configured on your device.

  • To authenticate SSH clients, configure TACACS+ or RADIUS over an IPv4 transport and then connect to an SSH server over an IPv6 transport.

The basic restrictions for SSH over an IPv4 transport apply to SSH over an IPv6 transport. The use of locally stored usernames and passwords is the only user authentication mechanism supported by SSH over an IPv6 transport. TACACS+ and RADIUS user authentication mechanisms are not supported over an IPv6 transport.

Information About SSH Support over IPv6

SSH over an IPv6 Transport

Secure shell (SSH) SSH in IPv6 functions the same and offers the same benefits as SSH in IPv4. The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco device, and the SSH client feature enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running an SSH server. IPv6 enhancements to SSH consist of support for IPv6 addresses that enable a Cisco device to accept and establish secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.

How to Configure SSH Support over IPv6

Enabling SSH on an IPv6 Device

This task is optional. If you do not configure SSH parameters, then the default values will be used.

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip ssh [timeout seconds | authentication-retries integer ]

Example:


Device(config)# IP ssh timeout 100 authentication-retries 2

Configures SSH control variables on your device.

Step 4

exit

Example:


Device(config)# exit

Exits global configuration mode, and returns to privileged EXEC mode.

Step 5

ssh [ -v { 1 | 2 } | c { 3des | aes128-cbc | aes192-cbc | aes256-cbc } | -l userid | -l userid:vrfname number ip-address ip-address | -l userid:rotary number ip-address | -m { hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96 } | -o numberofpasswordprompts n | -p port-num] { ip-addr | hostname} [ command | -vrf]

Example:


Device# ssh -l userid1 2001:db8:2222:1044::72 

Starts an encrypted session with a remote networking device.

Additional References for SSH Support over IPv6

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

SSH Version 1 and Version 2 Support

Configuring Secure Shell and Secure Shell Version 2 Support chapters of the Security Configuration Guide.

Standards and RFCs

Standard/RFC

Title

RFCs for IPv6

IPv6 RFCs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History for SSH Support over IPv6

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Everest 16.5.1a

SSH Support over IPv6

SSH provides support for IPv6 addresses that enable a Cisco device to accept and establish secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.

Support for this feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches.

Cisco IOS XE Fuji 16.8.1a

SSH Support over IPv6

Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.