Saturday, September 11, 2021

Extreme Switch - How to enable SSH in EXOS


By default, SSH is not enabled in EXOS. In order to enable SSH, you need to know your EXOS version first.

If your switch's EXOS version is lower than 16.2, you must install a separate module for SSH. Please follow CASE 2 to install the SSH module. Otherwise, follow CASE 1 in general.

  • CASE 1. EXOS version is 16.2 or higher


Step 1. Check whether SSH is enabled or not


The command “show switch management” will show whether SSH is enabled or not. Check 'SSH access' part.

EXOS-switch # show switch management
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled (without expansion)
CLI journal size                 : 100
CLI password prompting only      : Disabled
CLI display moved-keywords       : Hidden
CLI moved-keywords hidden release: 30.7
CLI RADIUS cmd authorize tokens  : 2
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Enabled (this session only)
CLI screen size                  : 24 Lines 80 Columns (this session only)
CLI refresh                      : Enabled
CLI history expansion            : Disabled
Current system port notation     : port
Configured system port notation  : port
Telnet access                    : Enabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Disabled (Key invalid, tcp port 22 vr all)
                                 : Secure-Mode    : Off
                                 : Access Profile : not set
SSH2 idle time                   : 60 minutes
SSH2 rekey interval              : 4096 MB and no time limit
Web access                       : Enabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities      : 0
Total Read Write Communities     : 0
RMON                             : Disabled
SNMP access                      : Enabled
                                 : Access Profile : not set
SNMP Notifications               : Enabled
SNMP Notification Receivers  : None
SNMP stats:     InPkts 0       OutPkts   0       Errors 0       AuthErrors 0
                Gets   0       GetNexts  0       Sets   0       Drops      0
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0


Step 2. Enable ssh2


The command “enable ssh2” will start the key generation process and have the SSH ready for remote access. The key generation would take about a minute to complete.

EXOS-switch # enable ssh2
WARNING: Generating new server host key
This could take up to 1 minute and cannot be cancelled.  Continue? (y/N) Yes

Key Generated.


Step 3. Verify enabled SSH access


The command "show switch management" will show 'SSH access' status as 'Enabled' and "show ssh2" command will show key type, ciphers, public key algorithms, etc.

EXOS-switch # show switch management
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled (without expansion)
CLI journal size                 : 100
CLI password prompting only      : Disabled
CLI display moved-keywords       : Hidden
CLI moved-keywords hidden release: 30.7
CLI RADIUS cmd authorize tokens  : 2
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Enabled (this session only)
CLI screen size                  : 24 Lines 80 Columns (this session only)
CLI refresh                      : Enabled
CLI history expansion            : Disabled
Current system port notation     : port
Configured system port notation  : port
Telnet access                    : Enabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Secure-Mode    : Off
                                 : Access Profile : not set
SSH2 idle time                   : 60 minutes
SSH2 rekey interval              : 4096 MB and no time limit
Web access                       : Enabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities      : 0
Total Read Write Communities     : 0
RMON                             : Disabled
SNMP access                      : Enabled
                                 : Access Profile : not set
SNMP Notifications               : Enabled
SNMP Notification Receivers  : None
SNMP stats:     InPkts 0       OutPkts   0       Errors 0       AuthErrors 0
                Gets   0       GetNexts  0       Sets   0       Drops      0
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0


After setting, you can check the configured TCP port and Ciphers by using the show ssh2 command.

EXOS-switch # show ssh2
SSH module configuration details:
SSH Access            : Enabled
Key validity          : Valid
Key type              : RSA 2048
TCP port              : 22
VR                    : all
Access profile        : not set
Secure Mode           : Off
Diffie-Hellman Groups : 14 (2048 bits), 16 (4096 bits), 18 (8192 bits)
Max Auth Tries        : 3
Idle time             : 60 minutes
Rekey Interval        : 4096 MB and no time limit
Ciphers               : [email protected], aes128-ctr, aes192-ctr, aes256-ctr
Macs                  : [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
Public key algorithms : ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
Login grace timeout   : 120 seconds


Step 4 (Optional). Additional Options


4-1. Enable ssh only on VR-Mgmt
Use the following command if you want to enable ssh only on Mgmt Virtual Router (VR-Mgmt).
enable ssh2 vr VR-Mgmt

4-2. Change SSH port
Use the following command if you want to change SSH port from the default TCP/22.
enable ssh2 port TCP_port_number

4-3. Restrict SSH access
Use the following command to restrict SSH access from specific IP addresses.
enable ssh2 access-profile policy_name.pol

For more details, refer to this article:
Extreme Switch - How to create an ACL to restrict Telnet, SSH, SNMP, HTTP access in EXOS


  • CASE 2. EXOS version is lower than 16.2


▶ Install the SSH module:


1. Download the module image to your TFTP server.

2. Determine the active partition for your switch by typing: "show switch"

3. The display shows the current selected and booted image partition.

4. Download and install the module image to the active partition by typing the following command (specify the virtual router you are using to connect to the TFTP server): "download image XXX-ssh.xmod vr (vr-mgmt or vr-default) (primary or secondary)"

5. The system displays the following message: "Do you want to install image after downloading" (y - yes, n - no, - cancel)

6. Type y, for yes, so that the image will be installed after downloading.

7. Once install is complete type "run update"

8. To verify that the SSH module is running, issue the following command: "show process"

9. You will see a process named “exsshd” listed. You can then configure and "enable ssh" on the switch.

10. To verify that the SSH module is installed, issue the following command: "show management"

11. The system displays the following message: SSH access : Enabled(Key valid, tcp port 22 vr all)

12. If the SSH module is not installed, the system displays a message similar to: SSH Access : ssh module not loaded.


* Related posts:

No comments:

Post a Comment