ip ssh


ip ssh

no ip ssh


Enables SSH for on the switch for both IPv4 and IPv6, and activates the connection with a configured SSH server (RADIUS or TACACS+). The no form of the command disables SSH on the switch.


cipher cipher-type

Specify a cipher type to use for connection.

Valid types are:

  • aes128–cbc

  • 3des-cbc

  • aes192–cbc

  • aes256–cbc

  • rijndael-cbc@lysator.liu.se

  • aes128–ctr

  • aes192–ctr

  • aes256–ctr

Default: All cipher types are available.

Use the no form of the command to disable a cipher type.


Enables SSH on the switch to connect to an SCP or SFTP client application to transfer files to and from the switch over IPv4 or IPv6.

Default: Disabled


Enabling filetransfer automatically disables TFTP client and TFTP server functionality.

mac MAC-type

Allows configuration of the set of MACs that can be selected. Valid types are:

  • hmac-md5

  • hmac-sha1

  • hmac-sha1–96

  • hmac-md5–96

Default: All MAC types are available.

Use the no form of the command to disable a MAC type.

port [1 - 65535|default]

TCP port number used for SSH sessions in IPv4 and IPv6 connections

Default: 22.

Valid port numbers are from 1 to 65535, except for port numbers 23, 49, 80, 280, 443, 1506, 1513, and 9999, which are reserved for other subsystems.

public-key [manager|operator]keystring

Store a client-generated key for public-key authentication.


Allows manager-level access using SSH public-key authentication.


Allows operator-level access using SSH public-key authentication.


A legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single-quoted token. If the keystring contains double quotes, it can be quoted with single quotes ('key-string'). The following restrictions for a keystring apply:-

  • A keystring cannot contain both single and double quotes.

  • A keystring cannot have extra characters, such as a blank space or a new line. (To improve readability, you can add a backlash at the end of each line.)

For more information on configuring and using SSH public keys to authenticate SSH clients connecting to the switch, see chapter "Configuring Secure Shell" in the latest Access Security Guide for your switch.

timeout 5 - 120

Time out value allowed to complete an SSH authentication and login on the switch.

Default: 120 seconds.

listen [oobm|data|both]

The listen parameter is available only on switches that have a separate OOBM port. Values for this parameter are:


Inbound SSH access is enabled only on the OOBM port.


Inbound SSH access is enabled only on the data ports.


Inbound SSH access is enabled on both the OOBM port and on the data ports. This is the default value.


For both IPv4 and IPv6, the switch supports only SSH version 2. You cannot set up an SSH session with a client device running SSH version 1.

The listen parameter is not available on switches that do not have a separate OOBM port.