In this lesson, we will configure SSH on a router running Cisco IOS XR. We covered SSH on regular Cisco IOS in an earlier article, SSH on Cisco IOS devices.

How to configure SSH on Cisco IOS XR

First of all, configure a hostname and a domain name, just as you would on IOS or IOS-XE.
(NOTE: Unlike regular IOS, IOS-XR doesn't require a hostname and domain name to generate the RSA key.)

RP/0/0/CPU0:ios(config)#hostname IOS-XR
RP/0/0/CPU0:ios(config)#domain name ios-xr.local

Creating the RSA key is a little different than on regular IOS: you do it in EXEC mode, not in configuration mode. Run the crypto key generate rsa command and press ENTER at the modulus prompt to accept 2048 bits, which is the default in IOS-XR.

RP/0/0/CPU0:IOS-XR#crypto key generate rsa
Wed Jan 29 10:21:54.667 UTC
The name for the keys will be: the_default
  Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [2048]:
Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

RP/0/0/CPU0:IOS-XR#

To verify the RSA key, use the show crypto key mypubkey rsa command.

RP/0/0/CPU0:IOS-XR#show crypto key mypubkey rsa
Wed Jan 29 10:24:51.315 UTC
Key label: the_default
Type     : RSA General purpose
Size     : 2048
Created  : 10:22:19 UTC Wed Jan 29 2020
Data     :
 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
 00953D06 8133BAC3 D6A2FAA7 D50AE7C2 3BD4A5EF 495E2022 3AA0A59E 8FF6BCEF
 9783BA10 8518B5E0 C3E11616 5E1814E7 048A5A0B 7157C88E AF413D99 AA69DE91
 9FB9B796 67378912 44FB6073 FFD153CE 19B364F4 6F9CCCF7 135DF7DD BF22C1EE
 48A32171 D9D2C004 9FF18E93 58AEEFF6 72B5EF60 30F4D4B4 A1493960 D4D5A9F7
 3E2553BC 17D3395C C28EC8F2 A78EBF1E DB092783 C71C1579 34829D1B 8E933F8B
 9A71BBD7 CB84DF90 F3F59557 4368DC5B 9D2528AA 5FEC4CED D5C9F73C 0303BC24
 CA01C6C8 D622A269 12C915F6 3246A624 C72AF20F 2DFBCBEA 9C4C339C 8BB607A3
 BEBCC6CC 1C4E4460 81B21716 3AD7DF98 C71D7AD2 1CB7DA59 03FAD3DF 776A96A0
 3D020301 0001
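
As an added example (not part of the original article), the Python below decodes the Data field shown above, which parses as a DER-encoded SubjectPublicKeyInfo, to confirm the modulus size and public exponent and to derive the SHA256 fingerprint in the format OpenSSH clients display, so the host key can be checked on first connection. The function names are illustrative.

```python
import base64
import hashlib
import struct

# Data field copied from the "show crypto key mypubkey rsa" output above.
DATA_HEX = """
 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
 00953D06 8133BAC3 D6A2FAA7 D50AE7C2 3BD4A5EF 495E2022 3AA0A59E 8FF6BCEF
 9783BA10 8518B5E0 C3E11616 5E1814E7 048A5A0B 7157C88E AF413D99 AA69DE91
 9FB9B796 67378912 44FB6073 FFD153CE 19B364F4 6F9CCCF7 135DF7DD BF22C1EE
 48A32171 D9D2C004 9FF18E93 58AEEFF6 72B5EF60 30F4D4B4 A1493960 D4D5A9F7
 3E2553BC 17D3395C C28EC8F2 A78EBF1E DB092783 C71C1579 34829D1B 8E933F8B
 9A71BBD7 CB84DF90 F3F59557 4368DC5B 9D2528AA 5FEC4CED D5C9F73C 0303BC24
 CA01C6C8 D622A269 12C915F6 3246A624 C72AF20F 2DFBCBEA 9C4C339C 8BB607A3
 BEBCC6CC 1C4E4460 81B21716 3AD7DF98 C71D7AD2 1CB7DA59 03FAD3DF 776A96A0
 3D020301 0001
"""
RSA_OID = bytes.fromhex("06092A864886F70D010101")  # rsaEncryption OID element

def read_tlv(buf, pos, tag):
    """Read one DER element at pos; return (content, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return buf[pos:pos + length], pos + length

def inspect_rsa_key(data_hex):
    """Return (modulus bits, public exponent, OpenSSH-style fingerprint)."""
    der = bytes.fromhex("".join(data_hex.split()))
    spki, _ = read_tlv(der, 0, 0x30)        # SubjectPublicKeyInfo
    alg, pos = read_tlv(spki, 0, 0x30)      # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA public key")
    bits, _ = read_tlv(spki, pos, 0x03)     # BIT STRING wrapping the key
    rsa, _ = read_tlv(bits[1:], 0, 0x30)    # skip the unused-bits byte
    n, pos = read_tlv(rsa, 0, 0x02)         # modulus
    e, _ = read_tlv(rsa, pos, 0x02)         # public exponent
    # SSH wire format: length-prefixed "ssh-rsa", e, n (DER integers fit as-is)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", e, n))
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big"), "SHA256:" + fp

if __name__ == "__main__":
    print(inspect_rsa_key(DATA_HEX))
```

Compare the printed fingerprint with the one your SSH client shows the first time it connects to the router.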

Let's enable SSH version 2 and allow only SSH as the input transport for remote access lines.

RP/0/0/CPU0:ios(config)#ssh server v2
RP/0/0/CPU0:ios(config)#line default transport input ssh

This is how you configure SSH on Cisco IOS-XR devices.

Now, what if you want to restrict who can log in over SSH? To do this, go to control-plane management-plane. This is where you choose between the inband and out-of-band management options.

RP/0/0/CPU0:ios(config)#control-plane management-plane
RP/0/0/CPU0:ios(config-mpp)#?
....
  inband              Configure an inband interface/protocol
....
  out-of-band         Configure an out-of-band interface/protocol
....
RP/0/0/CPU0:ios(config-mpp)#

In our case, it's inband because we are using gigabitEthernet 0/0/0/0. The final configuration is below; it allows SSH only from the 10.1.1.0/24 block.

RP/0/0/CPU0:ios(config)#control-plane management-plane
RP/0/0/CPU0:ios(config-mpp)#inband interface gigabitEthernet 0/0/0/0
RP/0/0/CPU0:ios(config-mpp-inband-if)#allow SSH peer address ipv4 10.1.1.0/24
RP/0/0/CPU0:ios(config-mpp-inband-if)#commit

Verification:

To verify, we can SSH to the router's own IP (192.168.3.100 is the management IP in our example).

RP/0/0/CPU0:IOS-XR#ssh 192.168.3.100

Please login with any configured user/password, or cisco/cisco

Password:

The show ssh session details command shows the details of our SSH session.

RP/0/0/CPU0:IOS-XR#show ssh session details
Wed Jan 29 10:28:02.322 UTC
SSH version : Cisco-2.0

id  key-exchange  pubkey  incipher  outcipher  inmac   outmac
-------------------------------------------------------------------
Incoming Session
0  diffie-hellman  ssh-rsa  aes256-cb  aes256-cb  hmac-sha1  hmac-sha1

Outgoing connection
RP/0/0/CPU0:IOS-XR#

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 8+ years of experience in multi-vendor environments. In my current position, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.

This article has 3 comments

  1. Frank

    Hi,
    Tried your setup but receive an error – “No Host Key configured”. I think since you named your RSA key, you must somehow tie this named key to the SSH process just like in IOS and IOS-XE. If you do not name your RSA key and just use the default, -cry key gen rsa- all works fine.

    Happy Day
    Frank
