In this lesson, we will configure SSH on a Cisco IOS XR router. We configured SSH on Cisco IOS earlier; if you want to read that article, click SSH on Cisco IOS devices.
SSH on Cisco IOS XR
First, create a hostname and domain name, just as on IOS or IOS-XE.
(NOTE: Unlike regular IOS, IOS-XR doesn't require a hostname and domain name to generate an RSA key.)
RP/0/0/CPU0:ios(config)#hostname IOS-XR
RP/0/0/CPU0:ios(config)#domain name ios-xr.local
Creating the RSA key is a little different from regular IOS: you do it in EXEC mode, not configuration mode. Use the crypto key generate rsa command and press ENTER at the modulus prompt to accept 2048 bits, which is the default in IOS-XR.
RP/0/0/CPU0:IOS-XR#crypto key generate rsa
Wed Jan 29 10:21:54.667 UTC
The name for the keys will be: the_default
  Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [2048]:
Generating RSA keys ...
Done w/ crypto generate keypair
[OK]
RP/0/0/CPU0:IOS-XR#
To verify the RSA key, use the show crypto key mypubkey rsa command.
RP/0/0/CPU0:IOS-XR#show crypto key mypubkey rsa
Wed Jan 29 10:24:51.315 UTC
Key label: the_default
Type     : RSA General purpose
Size     : 2048
Created  : 10:22:19 UTC Wed Jan 29 2020
Data     :
 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
 00953D06 8133BAC3 D6A2FAA7 D50AE7C2 3BD4A5EF 495E2022 3AA0A59E 8FF6BCEF
 9783BA10 8518B5E0 C3E11616 5E1814E7 048A5A0B 7157C88E AF413D99 AA69DE91
 9FB9B796 67378912 44FB6073 FFD153CE 19B364F4 6F9CCCF7 135DF7DD BF22C1EE
 48A32171 D9D2C004 9FF18E93 58AEEFF6 72B5EF60 30F4D4B4 A1493960 D4D5A9F7
 3E2553BC 17D3395C C28EC8F2 A78EBF1E DB092783 C71C1579 34829D1B 8E933F8B
 9A71BBD7 CB84DF90 F3F59557 4368DC5B 9D2528AA 5FEC4CED D5C9F73C 0303BC24
 CA01C6C8 D622A269 12C915F6 3246A624 C72AF20F 2DFBCBEA 9C4C339C 8BB607A3
 BEBCC6CC 1C4E4460 81B21716 3AD7DF98 C71D7AD2 1CB7DA59 03FAD3DF 776A96A0
 3D020301 0001
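As an added example that is not part of the original post: the hex under Data is the DER-encoded public key, and the Python below turns it into the SHA256 fingerprint an SSH client displays on first connection, so an operator can check the router's host key against the show output before accepting it. The key bytes are copied from the output above; the minimal DER parser assumes the rsaEncryption SubjectPublicKeyInfo layout that IOS-XR prints.

```python
import base64
import hashlib
import struct

# Hex copied from the page's "show crypto key mypubkey rsa" output (DER SubjectPublicKeyInfo).
XR_PUBKEY_HEX = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00953D06 8133BAC3 D6A2FAA7 D50AE7C2 3BD4A5EF 495E2022 3AA0A59E 8FF6BCEF
9783BA10 8518B5E0 C3E11616 5E1814E7 048A5A0B 7157C88E AF413D99 AA69DE91
9FB9B796 67378912 44FB6073 FFD153CE 19B364F4 6F9CCCF7 135DF7DD BF22C1EE
48A32171 D9D2C004 9FF18E93 58AEEFF6 72B5EF60 30F4D4B4 A1493960 D4D5A9F7
3E2553BC 17D3395C C28EC8F2 A78EBF1E DB092783 C71C1579 34829D1B 8E933F8B
9A71BBD7 CB84DF90 F3F59557 4368DC5B 9D2528AA 5FEC4CED D5C9F73C 0303BC24
CA01C6C8 D622A269 12C915F6 3246A624 C72AF20F 2DFBCBEA 9C4C339C 8BB607A3
BEBCC6CC 1C4E4460 81B21716 3AD7DF98 C71D7AD2 1CB7DA59 03FAD3DF 776A96A0
3D020301 0001
"""

def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_from_spki(hex_text):
    """Parse the DER SubjectPublicKeyInfo printed by IOS-XR into (modulus n, exponent e)."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, _ = _der_tlv(der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    _, _, pos = _der_tlv(spki, 0)                # AlgorithmIdentifier: rsaEncryption OID + NULL
    tag, bits, _ = _der_tlv(spki, pos)
    assert tag == 0x03 and bits[0] == 0, "expected BIT STRING with 0 unused bits"
    _, rsa_pub, _ = _der_tlv(bits, 1)            # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = _der_tlv(rsa_pub, 0)
    tag_e, e_bytes, _ = _der_tlv(rsa_pub, pos)
    assert tag_n == tag_e == 0x02, "expected two INTEGERs"
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _ssh_mpint(value):
    """SSH mpint: length-prefixed big-endian bytes, with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def ssh_rsa_fingerprint(n, e):
    """SHA256 fingerprint, as OpenSSH prints it, of the ssh-rsa wire-format key blob."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

Call ssh_rsa_fingerprint(*rsa_from_spki(XR_PUBKEY_HEX)) and compare the result with the fingerprint your SSH client shows for the router.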
Let's enable SSH version 2 and allow SSH for remote access.
RP/0/0/CPU0:ios(config)#ssh server v2
RP/0/0/CPU0:ios(config)#line default transport input ssh
This is how you configure SSH on Cisco IOS-XR devices.
Now, what if you want to restrict SSH logins? To do this, go to control-plane management-plane. This is where you choose between in-band and out-of-band management.
RP/0/0/CPU0:ios(config)#control-plane management-plane
RP/0/0/CPU0:ios(config-mpp)#?
  ....
  inband       Configure an inband interface/protocol
  ....
  out-of-band  Configure an out-of-band interface/protocol
  ....
RP/0/0/CPU0:ios(config-mpp)#
In our case it is in-band, because we manage the router through GigabitEthernet 0/0/0/0. The final configuration is below; it allows SSH only from the 10.1.1.0/24 block.
RP/0/0/CPU0:ios(config)#control-plane management-plane
RP/0/0/CPU0:ios(config-mpp)#inband interface gigabitEthernet 0/0/0/0
RP/0/0/CPU0:ios(config-mpp-inband-if)#allow SSH peer address ipv4 10.1.1.0/24
RP/0/0/CPU0:ios(config-mpp-inband-if)#commit
Verification:
To verify, we can SSH to our own IP (192.168.3.100 is the management IP in our example).
RP/0/0/CPU0:IOS-XR#ssh 192.168.3.100
Please login with any configured user/password, or cisco/cisco
Password:
The show ssh session details command shows the details of our SSH session.
RP/0/0/CPU0:IOS-XR#show ssh session details
Wed Jan 29 10:28:02.322 UTC
SSH version : Cisco-2.0
id  key-exchange    pubkey   incipher   outcipher  inmac      outmac
-------------------------------------------------------------------
Incoming Session
0   diffie-hellman  ssh-rsa  aes256-cb  aes256-cb  hmac-sha1  hmac-sha1
Outgoing connection
RP/0/0/CPU0:IOS-XR#
Hi,
Tried your setup but received an error: “No Host Key configured”. I think since you named your RSA key, you must somehow tie this named key to the SSH process just like in IOS and IOS-XE. If you do not name your RSA key and just use the default, -cry key gen rsa- all works fine.
Happy Day
Frank
Hi Frank, you are right. Thanks for correcting me.
Very informative, like the blog.