Appendix C
Notes for Catalyst 6500 Series Switches
Prerequisites for FIPS Configuration
•
•
•
Guidelines and Limitations for FIPS
•
•
•
•
Default Settings for FIPS
The default is FIPS mode disabled, RADIUS keywrap disabled.
OL-22192-01
Disable Telnet. Users should log in using Secure Shell (SSH) only.
Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for
SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
Delete all SSH server RSA1 key-pairs.
The RADIUS keywrap feature works only with Cisco Identity Services Engine 1.1 or Cisco ACS
Release 5.2 or later releases.
HTTPS/TLS access to the module is allowed in FIPS approved mode of operation, using
SSLv3.1/TLSv1.0 and a FIPS approved algorithm.
SSH access to the module is allowed in FIPS approved mode of operation, using SSHv2 and a FIPS
approved algorithm. Many SSH clients provide cryptographic libraries that can be set to FIPS Mode,
making all cryptographic operations FIPS 140-2 Level 2 compliant.
Your passwords must have a minimum of eight alphanumeric characters including at least one letter
and at least one number character.
Cisco TrustSec Configuration Guide
FIPS Support
C-5