enable ssh2

enable ssh2 {access-profile [access_profile | none]} {port tcp_port_number} {vr [vr_name | all | default]}


Enables SSH2 server to accept incoming sessions from SSH2 clients.

Syntax Description

access_profile Specifies an ACL policy.
none Cancels a previously configured ACL policy.
port Specifies a TCP port number. The default is port 22.
vr_name Specifies a virtual router name.
Note: User-created VRs are supported only on the platforms listed for this feature in the Switch Engine 32.2 Feature License Requirements document.
all Specifies that SSH is enabled on all virtual routers.
default Specifies that SSH is enabled on the default virtual router.


The SSH2 feature is disabled by default.

Usage Guidelines

SSH2 enables the encryption of session data. You must be logged in as an administrator to enable SSH2.

Use the port option to specify a TCP port number other than the default port of 22. You can only specify ports 22 and 1024 through 65535.

Using ACLs to Control SSH Access

You can specify a list of predefined clients that are allowed SSH2 access to the switch. To do this, you configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH port. You must create an ACL policy file before you can use the access-profile option. If the ACL policy file does not exist on the switch, the switch returns an error message indicating that the file does not exist.

Use the none option to cancel a previously configured ACL.

In the ACL policy file for SSH2, the source-address field is the only supported match condition. Any other match conditions are ignored.

Policy files can also be configured using the following command:

configure ssh2 access-profile [ access_profile | [[addrule ] [first | [[before | after]previous_rule]]] | delete rule | none ]

Creating an ACL Policy File

To create an ACL policy file, use the edit policy command. For more information about creating and implementing ACL policy files, see Policy Manager and ACLs.

If you attempt to implement a policy that does not exist on the switch, an error message similar to the following appears:

 Error: Policy /config/MyAccessProfile_2.pol does not exist on file system 

If this occurs, make sure the policy you want to implement exists on the switch. To confirm the policies on the switch, use the ls command. If the policy does not exist, create the ACL policy file.

Viewing SSH Information

To view the status of SSH2 sessions on the switch, use the show management command. This command displays information about the switch including the enable/disable state for SSH2 sessions and whether a valid key is present.


The following command enables the SSH2 feature:

enable ssh2

The next example assumes you have already created an ACL to apply to SSH.

The following command applies the ACL MyAccessProfile_2 to SSH:

enable ssh2 access-profile MyAccessProfile_2


This command was first available in the ExtremeXOS 11.0

The access-profile and none options were added in ExtremeXOS 11.2.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.