Move SSH port on Cisco devices

By default, Cisco devices listen for SSH on TCP/22, like any other device running SSH. Changing the port is easy in OpenSSH on GNU/Linux, but it's a bit more complicated on Cisco devices such as routers or switches.

On Cisco devices the SSH port can be moved with a rotary group and an access list: the rotary group makes SSH available on the new port, and the access list denies TCP/22 on the VTY lines.

Create rotary group for SSH:

        ip ssh port 8022 rotary 1

Create access list to deny SSH at TCP/22:

        ip access-list extended DenySsh22
            deny tcp any any eq 22
            permit ip any any

Apply rotary group and access list on the VTYs:

        line vty 0 15
            rotary 1
            access-class DenySsh22 in

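After the rotary group and access list have been applied, verify the SSH login on the new TCP port 8022. Keep the current session open until the new login works, so a mistake does not lock you out. Of course any other TCP port, such as 22022, can be used.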
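
To check a saved running-config for VTY blocks that the port move does not cover, the following Python sketch can be used. It is an added example, not part of the original post: the function names and the sample config are constructed, and the sample assumes the running-config lists the VTYs as two blocks (0 4 and 5 15) with only the first one configured.

```python
import re

DENY_22 = "deny tcp any any eq 22"

# Constructed sample: the commands from this page, but with the VTYs split
# into two blocks and the second block (5 15) left without rotary/ACL.
SAMPLE = """\
ip ssh port 8022 rotary 1
!
ip access-list extended DenySsh22
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 rotary 1
 access-class DenySsh22 in
line vty 5 15
 transport input ssh
"""

def blocks_22(entries):
    """True if the TCP/22 deny precedes the first permit entry (conservative)."""
    first = next((e for e in entries if e == DENY_22 or e.startswith("permit")), "")
    return first == DENY_22

def audit_ssh_port_move(config):
    """Return findings; an empty list means every VTY block in the config is covered."""
    ssh_groups = {int(g) for _, g in
                  re.findall(r"^ip ssh port (\d+) rotary (\d+)\s*$", config, re.M)}
    acls, vtys, body = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():                 # sub-command of the current section
            if body is not None:
                body.append(re.sub(r"^\d+\s+", "", line))  # drop ACL sequence numbers
            continue
        body = None                          # a new top-level command starts here
        if m := re.match(r"ip access-list extended (\S+)", line):
            body = acls.setdefault(m.group(1), [])
        elif line.startswith("line vty "):
            body = []
            vtys.append((line, body))
    findings = [] if ssh_groups else ["no 'ip ssh port <port> rotary <group>' statement"]
    for name, cmds in vtys:
        groups = {int(c.split()[1]) for c in cmds if re.fullmatch(r"rotary \d+", c)}
        if not groups & ssh_groups:
            findings.append(f"{name}: no rotary group bound to an SSH port")
        names = [m.group(1) for c in cmds if (m := re.match(r"access-class (\S+) in\b", c))]
        if not any(blocks_22(acls.get(n, [])) for n in names):
            findings.append(f"{name}: TCP/22 still reachable")
    return findings
```

Run against the sample, `audit_ssh_port_move(SAMPLE)` reports both problems for `line vty 5 15` and nothing for `line vty 0 4`.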