Configuration Example
SSH Server:
To configure the non-default SSH port for the SSH server on the router, use the ssh server port command in the XR Config mode.
Router#configure
Router(config)#ssh server port 5520
Router(config)#commit
SSH Client:
Similarly, the port option is available for the SSH client also, to initiate a connection to another SSH server that listens on a non-default
SSH port number.
This example shows how to connect to an SSH server, with IP address 198.51.100.1, that is listening on non-default SSH port
5525.
Router#ssh 198.51.100.1 port 5525 username user1
Verification
Use the following show commands to verify the SSH server configuration and LPTS entries for SSH connections.
In this example, the SSH port field displays the port number, '5520', that you have configured for the SSH server.
Router#show ssh server
Fri May 20 07:22:57.579 UTC
---------------------
SSH Server Parameters
---------------------
Current supported versions := v2
SSH port := 5520
SSH vrfs := vrfname:=default(v4-acl:=, v6-acl:=)
Netconf Port := 830
Netconf Vrfs :=
Algorithms
---------------
Hostkey Algorithms := x509v3-ssh-rsa,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dsa,ssh-ed25519
Key-Exchange Algorithms := ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,curve25519-sha256@libssh.org
Encryption Algorithms := aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Mac Algorithms := hmac-sha2-512,hmac-sha2-256,hmac-sha1
Authentication Method Supported
------------------------------------
PublicKey := Yes
Password := Yes
Keyboard-Interactive := Yes
Certificate Based := Yes
Others
------------
DSCP := 16
Ratelimit := 60
Sessionlimit := 64
Rekeytime := 60
Server rekeyvolume := 1024
TCP window scale factor := 1
Backup Server := Disabled
Host Trustpoint :=
User Trustpoint :=
Port Forwarding := Disabled
Max Authentication Limit := 20
Certificate username := Common name(CN)
OpenSSH Host Trustpoint :=
OpenSSH User Trustpoint :=
In the following example, the Port field in the Local-Address,Port column for the TCP entry for SSH displays the port number as '5520'. This is the port on which the SSH server listens for client connections.
Router#show lpts bindings brief
Fri May 20 07:23:21.416 UTC
@ - Indirect binding; Sc - Scope
Location Clnt Sc L3 L4 VRF-ID Interface Local-Address,Port Remote-Address,Port
---------- ---- -- ---- ------ --------- ------------ --------------------------------------
0/RP0/CPU0 IPV4 LO IPV4 ICMP * any any,ECHO any
0/RP0/CPU0 IPV4 LO IPV4 ICMP * any any,TSTAMP any
0/RP0/CPU0 IPV4 LO IPV4 ICMP * any any,MASKREQ any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,ECHOREQ any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDRTRSLCT any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDRTRADV any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDNBRSLCT any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDNBRADV any
0/RP0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDREDIRECT any
0/RP0/CPU0 BFD LO IPV4 UDP * any any any
0/0/CPU0 IPV4 LO IPV4 ICMP * any any,ECHO any
0/0/CPU0 IPV4 LO IPV4 ICMP * any any,TSTAMP any
0/0/CPU0 IPV4 LO IPV4 ICMP * any any,MASKREQ any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,ECHOREQ any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDRTRSLCT any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDRTRADV any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDNBRSLCT any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDNBRADV any
0/0/CPU0 IPV6 LO IPV6 ICMP6 * any any,NDREDIRECT any
0/0/CPU0 BFD LR IPV4 UDP * any any 128.64.0.0/16
0/RP0/CPU0 TCP LR IPV6 TCP default any any,5520 any
0/RP0/CPU0 TCP LR IPV4 TCP default any any,5520 any
0/RP0/CPU0 UDP LR IPV6 UDP default any any,33433 any
0/RP0/CPU0 UDP LR IPV4 UDP default any any,33433 any
0/RP0/CPU0 RAW LR IPV4 IGMP default any any any
0/RP0/CPU0 RAW LR IPV4 L2TPV3 default any any any
0/RP0/CPU0 RAW LR IPV6 ICMP6 default any any,MLDLQUERY any
0/RP0/CPU0 RAW LR IPV6 ICMP6 default any any,LSTNRREPORT any
0/RP0/CPU0 RAW LR IPV6 ICMP6 default any any,MLDLSTNRDN any
0/RP0/CPU0 RAW LR IPV6 ICMP6 default any any,LSTNRREPORT any
Router#
If the non-default port was not configured, then the SSH server listens on the default SSH port 22, and the above Port field displays '22'.
If a session was already established through the default port, and if you change the ssh server port to a non-default port,
then the output still displays an entry for that session on the default port, 22. Another entry shows that the SSH server
is listening on the newly configured non-default port. New connections establish through the non-default port, 5520, in this
example.
Location Clnt Sc L3 L4 VRF-ID Interface Local-Address,Port Remote-Address,Port
---------- ---- -- ---- --- --------- --------- ----------------- ------------------
.
.
.
0/RP0/CPU0 TCP LR IPV4 TCP default any 192.0.2.1,5520 198.51.100.1,37764
0/RP0/CPU0 TCP LR IPV4 TCP default any any,5520 any
0/RP0/CPU0 TCP LR IPV6 TCP default any any,5520 any
0/RP0/CPU0 TCP LR IPV4 TCP default any 192.0.2.1,22 198.51.100.1,45722
.
.
.