Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4820T » Manual Viewer

Dell PowerSwitch S4820T Configuration Guide for the S4820T System 9.112.0P1 - Page 1099

Syslog over TLS, Online Certificate Status Protocol (OSCP), Configuring OCSP setting on CA

View all Dell PowerSwitch S4820T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 1099 highlights

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. However, the maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable with a default of 1 hour. You can also disable session resumption. Syslog over TLS Syslog over TLS mandates that a client certificate must be presented, to ensure that all Syslog entries written to the server are from a trusted client. Online Certificate Status Protocol (OSCP) Use the Online Certificate Status Protocol (OSCP) to obtain the revocation status of a X.509v3 certificate. A device or a Certificate Authority (CAs) can check the status of a X.509v3 certificate by sending an OCSP request to an OCSP server or responder. An OCSP responder, a server typically run by the certificate issuer, returns a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. The OCSP response indicates whether the presented certificate is valid. OCSP provides a way for Certificate Authorities to revoke signed certificates before the expiration date. In a CA certificate, OCSP Responder information is specified in the authorityInfoAccess extension. A CA can verify the revocation status of a certificate with multiple OCSP responders. When multiple OCSP responders exist, you can configure the order or preference the CA takes while contacting various OCSP responders for verification. Upon receiving a presented certificate, the system sends an OCSP request to an OCSP responder through HTTP. The system then verifies the OCSP response using either a trusted public key or the OCSP responder's own self-signed certificate. This self-signed certificate installs on the device's trusted location even before an OCSP request is made. The system accepts or rejects the presented certificate based on the OCSP response. In a scenario where all OCSP responders are unreachable, the switch accepts the certificate. This action is the default behavior. You can also configure an alternate system behavior when all OCSP responders are unreachable. However, the switch may become vulnerable to denial-of-service attack if you configure the system to deny the certificate when OCSP responders are not reachable. The system creates logs for the following events: • Failures to reach OCSP responders • Invalid OCSP responses-for example, cannot verify the signed response with an installed CA certificate. • Rejection of a certificate due to OCSP Configuring OCSP setting on CA You can configure the CA to contact multiple OCSP servers. To configure OCSP server for a CA, perform the following step: In the certificate mode, enter the following command: ocsp-server URL [nonce] [sign-requests] X.509v3 1099

Section	Page
Dell Configuration Guide for the S4820T System 9.11(2.0P1)	3
About this Guide	34
Audience	34
Conventions	34
Related Documents	34
Configuration Fundamentals	35
Accessing the Command Line	35
CLI Modes	35
Navigating CLI Modes	37
The do Command	40
Undoing Commands	40
Obtaining Help	41
Entering and Editing Commands	41
Command History	42
Filtering show Command Outputs	42
Example of the grep Keyword	42
Multiple Users in Configuration Mode	43
Getting Started	44
Console Access	45
Serial Console	45
Accessing the CLI Interface and Running Scripts Using SSH	46
Entering CLI commands Using an SSH Connection	46
Executing Local CLI Scripts Using an SSH Connection	46
Default Configuration	47
Configuring a Host Name	47
Accessing the System Remotely	47
Accessing the System Remotely	47
Configure the Management Port IP Address	47
Configure a Management Route	48
Configuring a Username and Password	48
Configuring the Enable Password	48
Configuration File Management	49
Copy Files to and from the System	49
Mounting an NFS File System	50
Save the Running-Configuration	51
Configure the Overload Bit for a Startup Scenario	52
Viewing Files	52
Managing the File System	53
Enabling Software Features on Devices Using a Command Option	53
View Command History	54
Upgrading Dell Networking OS	54
Using HTTP for File Transfers	54
Verify Software Images Before Installation	55
Management	57
Configuring Privilege Levels	57
Creating a Custom Privilege Level	58
Removing a Command from EXEC Mode	58
Moving a Command from EXEC Privilege Mode to EXEC Mode	58
Allowing Access to CONFIGURATION Mode Commands	58
Allowing Access to Different Modes	58
Applying a Privilege Level to a Username	60
Applying a Privilege Level to a Terminal Line	60
Configuring Logging	60
Audit and Security Logs	61
Configuring Logging Format	63
Display the Logging Buffer and the Logging Configuration	63
Setting Up a Secure Connection to a Syslog Server	64
Log Messages in the Internal Buffer	65
Configuration Task List for System Log Management	65
Disabling System Logging	65
Sending System Messages to a Syslog Server	65
Configuring a UNIX System as a Syslog Server	66
Track Login Activity	66
Restrictions for Tracking Login Activity	66
Configuring Login Activity Tracking	66
Display Login Statistics	67
Limit Concurrent Login Sessions	68
Restrictions for Limiting the Number of Concurrent Sessions	68
Configuring Concurrent Session Limit	68
Enabling the System to Clear Existing Sessions	69
Enabling Secured CLI Mode	70
Changing System Logging Settings	70
Display the Logging Buffer and the Logging Configuration	71
Configuring a UNIX Logging Facility Level	71
Synchronizing Log Messages	72
Enabling Timestamp on Syslog Messages	73
File Transfer Services	73
Configuration Task List for File Transfer Services	74
Enabling the FTP Server	74
Configuring FTP Server Parameters	74
Configuring FTP Client Parameters	75
Terminal Lines	75
Denying and Permitting Access to a Terminal Line	75
Configuring Login Authentication for Terminal Lines	76
Setting Timeout for EXEC Privilege Mode	77
Using Telnet to get to Another Network Device	78
Lock CONFIGURATION Mode	78
Viewing the Configuration Lock Status	78
Recovering from a Forgotten Password	79
Recovering from a Forgotten Enable Password	80
Recovering from a Failed Start	81
Restoring the Factory Default Settings	81
Important Points to Remember	81
Restoring Factory Default Environment Variables	82
802.1X	84
Port-Authentication Process	86
EAP over RADIUS	86
Configuring 802.1X	87
Related Configuration Tasks	87
Important Points to Remember	87
Enabling 802.1X	88
Configuring MAC addresses for a do1x Profile	89
Configuring Request Identity Re-Transmissions	90
Configuring a Quiet Period after a Failed Authentication	90
Forcibly Authorizing or Unauthorizing a Port	91
Re-Authenticating a Port	92
Configuring Timeouts	93
Configuring Dynamic VLAN Assignment with Port Authentication	94
Guest and Authentication-Fail VLANs	95
Configuring a Guest VLAN	95
Configuring an Authentication-Fail VLAN	95
Configuring dot1x Profile	96
Configuring the Static MAB and MAB Profile	97
Configuring Critical VLAN	98
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)	99
Optimizing CAM Utilization During the Attachment of ACLs to VLANs	99
Guidelines for Configuring ACL VLAN Groups	100
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters	100
Viewing CAM Usage	102
Allocating FP Blocks for VLAN Processes	103
Access Control Lists (ACLs)	105
IP Access Control Lists (ACLs)	106
CAM Usage	107
Implementing ACLs on Dell Networking OS	107
IP Fragment Handling	109
IP Fragments ACL Examples	109
Layer 4 ACL Rules Examples	109
Configure a Standard IP ACL	110
Configuring a Standard IP ACL Filter	111
Configure an Extended IP ACL	112
Configuring Filters with a Sequence Number	112
Configuring Filters Without a Sequence Number	113
Configure Layer 2 and Layer 3 ACLs	114
Assign an IP ACL to an Interface	115
Applying an IP ACL	115
Counting ACL Hits	116
Configure Ingress ACLs	116
Configure Egress ACLs	116
Applying Egress Layer 3 ACLs (Control-Plane)	117
IP Prefix Lists	118
Implementation Information	118
Configuration Task List for Prefix Lists	118
ACL Resequencing	122
Resequencing an ACL or Prefix List	122
Route Maps	124
Implementation Information	124
Important Points to Remember	124
Configuration Task List for Route Maps	124
Configuring Match Routes	126
Configuring Set Conditions	128
Configure a Route Map for Route Redistribution	129
Configure a Route Map for Route Tagging	129
Continue Clause	130
Logging of ACL Processes	130
Guidelines for Configuring ACL Logging	131
Configuring ACL Logging	131
Flow-Based Monitoring Support for ACLs	132
Behavior of Flow-Based Monitoring	132
Enabling Flow-Based Monitoring	133
Bidirectional Forwarding Detection (BFD)	135
How BFD Works	135
BFD Packet Format	136
BFD Sessions	137
BFD Three-Way Handshake	138
Session State Changes	140
Important Points to Remember	140
Configure BFD	140
Configure BFD for Physical Ports	141
Configure BFD for Static Routes	142
Configure BFD for OSPF	145
Configure BFD for OSPFv3	149
Configure BFD for IS-IS	151
Configure BFD for BGP	153
Configure BFD for VRRP	160
Configuring Protocol Liveness	163
Troubleshooting BFD	163
Border Gateway Protocol IPv4 (BGPv4)	165
Autonomous Systems (AS)	165
Sessions and Peers	167
Establish a Session	167
Route Reflectors	168
BGP Attributes	169
Best Path Selection Criteria	169
Weight	171
Local Preference	171
Multi-Exit Discriminators (MEDs)	172
Origin	173
AS Path	174
Next Hop	174
Multiprotocol BGP	174
Implement BGP with Dell Networking OS	175
Additional Path (Add-Path) Support	175
Advertise IGP Cost as MED for Redistributed Routes	175
Ignore Router-ID in Best-Path Calculation	176
Four-Byte AS Numbers	176
AS4 Number Representation	176
AS Number Migration	178
BGP4 Management Information Base (MIB)	179
Important Points to Remember	179
Configuration Information	180
BGP Configuration	180
Enabling BGP	181
Configuring AS4 Number Representations	184
Configuring Peer Groups	186
Configuring BGP Fast Fall-Over	188
Configuring Passive Peering	190
Maintaining Existing AS Numbers During an AS Migration	190
Allowing an AS Number to Appear in its Own AS Path	191
Enabling Graceful Restart	192
Enabling Neighbor Graceful Restart	193
Filtering on an AS-Path Attribute	193
Regular Expressions as Filters	195
Redistributing Routes	196
Enabling Additional Paths	197
Configuring IP Community Lists	197
Configuring an IP Extended Community List	198
Filtering Routes with Community Lists	199
Manipulating the COMMUNITY Attribute	200
Changing MED Attributes	201
Changing the LOCAL_PREFERENCE Attribute	201
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes	202
Changing the WEIGHT Attribute	203
Enabling Multipath	203
Filtering BGP Routes	203
Filtering BGP Routes Using Route Maps	205
Filtering BGP Routes Using AS-PATH Information	205
Configuring BGP Route Reflectors	206
Aggregating Routes	207
Configuring BGP Confederations	207
Enabling Route Flap Dampening	208
Changing BGP Timers	210
Enabling BGP Neighbor Soft-Reconfiguration	210
Enabling or disabling BGP neighbors	211
Route Map Continue	213
Enabling MBGP Configurations	213
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor	214
BGP Regular Expression Optimization	214
Debugging BGP	214
Storing Last and Bad PDUs	215
Capturing PDUs	216
PDU Counters	217
Sample Configurations	217
Content Addressable Memory (CAM)	224
CAM Allocation	224
Test CAM Usage	226
View CAM Profiles	226
View CAM-ACL Settings	227
View CAM Usage	229
CAM Optimization	229
Troubleshoot CAM Profiling	229
QoS CAM Region Limitation	229
Control Plane Policing (CoPP)	230
Configure Control Plane Policing	231
Configuring CoPP for Protocols	232
Configuring CoPP for CPU Queues	234
CoPP for OSPFv3 Packets	235
Configuring CoPP for OSPFv3	238
Displaying CoPP Configuration	238
Data Center Bridging (DCB)	241
Ethernet Enhancements in Data Center Bridging	241
Priority-Based Flow Control	242
Enhanced Transmission Selection	243
Data Center Bridging Exchange Protocol (DCBx)	244
Data Center Bridging in a Traffic Flow	245
Enabling Data Center Bridging	245
DCB Maps and its Attributes	246
Data Center Bridging: Default Configuration	247
Configuring Priority-Based Flow Control	247
Configuring Lossless Queues	248
Configuring PFC in a DCB Map	249
PFC Configuration Notes	249
PFC Prerequisites and Restrictions	250
Applying a DCB Map on a Port	250
Configuring PFC without a DCB Map	251
Configuring Lossless QueuesExample:	251
Priority-Based Flow Control Using Dynamic Buffer Method	253
Pause and Resume of Traffic	253
Buffer Sizes for Lossless or PFC Packets	253
Behavior of Tagged Packets	254
Configuration Example for DSCP and PFC Priorities	254
Using PFC to Manage Converged Ethernet Traffic	255
Configure Enhanced Transmission Selection	255
ETS Prerequisites and Restrictions	255
Creating an ETS Priority Group	255
ETS Operation with DCBx	257
Configuring Bandwidth Allocation for DCBx CIN	257
Configuring ETS in a DCB Map	258
Hierarchical Scheduling in ETS Output Policies	259
Using ETS to Manage Converged Ethernet Traffic	260
Applying DCB Policies in a Switch Stack	260
Configure a DCBx Operation	260
DCBx Operation	260
DCBx Port Roles	261
DCB Configuration Exchange	262
Configuration Source Election	262
Propagation of DCB Information	263
Auto-Detection and Manual Configuration of the DCBx Version	263
DCBx Example	264
DCBx Prerequisites and Restrictions	264
Configuring DCBx	264
Verifying the DCB Configuration	268
Sample DCB Configuration	276
PFC and ETS Configuration Command Examples	278
QoS dot1p Traffic Classification and Queue Assignment	278
Configuring the Dynamic Buffer Method	279
Dynamic Host Configuration Protocol (DHCP)	281
DHCP Packet Format and Options	281
Assign an IP Address using DHCP	283
Implementation Information	284
Configure the System to be a DHCP Server	284
Configuring the Server for Automatic Address Allocation	285
Specifying a Default Gateway	286
Configure a Method of Hostname Resolution	286
Using DNS for Address Resolution	286
Using NetBIOS WINS for Address Resolution	287
Creating Manual Binding Entries	287
Debugging the DHCP Server	287
Using DHCP Clear Commands	288
Configure the System to be a Relay Agent	288
Configure the System to be a DHCP Client	290
DHCP Client Operation with Other Features	290
DHCP Client on a Management Interface	291
Configure the System for User Port Stacking (Option 230)	292
Configure Secure DHCP	292
Option 82	292
DHCP Snooping	293
Configuring the DHCP secondary-subnet	296
Drop DHCP Packets on Snooped VLANs Only	296
Dynamic ARP Inspection	297
Configuring Dynamic ARP Inspection	298
Source Address Validation	299
Enabling IP Source Address Validation	299
DHCP MAC Source Address Validation	300
Enabling IP+MAC Source Address Validation	300
Viewing the Number of SAV Dropped Packets	301
Clearing the Number of SAV Dropped Packets	301
Equal Cost Multi-Path (ECMP)	302
ECMP for Flow-Based Affinity	302
Configuring the Hash Algorithm	302
Enabling Deterministic ECMP Next Hop	302
Configuring the Hash Algorithm Seed	303
Link Bundle Monitoring	303
Managing ECMP Group Paths	304
Creating an ECMP Group Bundle	304
Modifying the ECMP Group Threshold	304
RTAG7	305
Flow-based Hashing for ECMP	306
FIP Snooping	309
Fibre Channel over Ethernet	309
Ensure Robustness in a Converged Ethernet Network	309
FIP Snooping on Ethernet Bridges	311
FIP Snooping in a Switch Stack	313
Using FIP Snooping	313
FIP Snooping Prerequisites	313
Important Points to Remember	313
Enabling the FCoE Transit Feature	314
Enable FIP Snooping on VLANs	315
Configure the FC-MAP Value	315
Configure a Port for a Bridge-to-Bridge Link	315
Configure a Port for a Bridge-to-FCF Link	315
Impact on Other Software Features	315
FIP Snooping Restrictions	316
Configuring FIP Snooping	316
Displaying FIP Snooping Information	317
FCoE Transit Configuration Example	322
FIPS Cryptography	324
Configuration Tasks	324
Preparing the System	324
Enabling FIPS Mode	325
Generating Host-Keys	325
Monitoring FIPS Mode Status	325
Disabling FIPS Mode	326
Force10 Resilient Ring Protocol (FRRP)	327
Protocol Overview	327
Ring Status	328
Multiple FRRP Rings	328
Important FRRP Points	329
Important FRRP Concepts	330
Implementing FRRP	331
FRRP Configuration	331
Creating the FRRP Group	331
Configuring the Control VLAN	332
Configuring and Adding the Member VLANs	333
Setting the FRRP Timers	334
Clearing the FRRP Counters	334
Viewing the FRRP Configuration	334
Viewing the FRRP Information	334
Troubleshooting FRRP	335
Configuration Checks	335
Sample Configuration and Topology	335
FRRP Support on VLT	336
Example Scenario	337
Important Points to Remember	338
GARP VLAN Registration Protocol (GVRP)	339
Important Points to Remember	339
Configure GVRP	340
Related Configuration Tasks	340
Enabling GVRP Globally	341
Enabling GVRP on a Layer 2 Interface	341
Configure GVRP Registration	341
Configure a GARP Timer	342
RPM Redundancy	342
High Availability (HA)	344
Component Redundancy	344
RPM Redundancy	344
Automatic and Manual Stack Unit Failover	346
Support for RPM Redundancy by Dell Networking OS Version	347
Synchronization between Management and Standby Units	347
Configuring RPM Redundancy	347
Online Insertion and Removal	348
RPM Online Insertion and Removal	348
Linecard Online Insertion and Removal	349
Hitless Behavior	350
Graceful Restart	350
Software Resiliency	351
Software Component Health Monitoring	351
System Health Monitoring	351
Failure and Event Logging	351
Hot-Lock Behavior	352
Process Restartability	352
Enabling Process Restartability	352
Internet Group Management Protocol (IGMP)	354
IGMP Implementation Information	354
IGMP Protocol Overview	354
IGMP Version 2	354
IGMP Version 3	356
Configure IGMP	359
Related Configuration Tasks	359
Viewing IGMP Enabled Interfaces	360
Selecting an IGMP Version	360
Viewing IGMP Groups	360
Adjusting Timers	361
Adjusting Query and Response Timers	361
Enabling IGMP Immediate-Leave	362
IGMP Snooping	362
IGMP Snooping Implementation Information	362
Configuring IGMP Snooping	362
Removing a Group-Port Association	363
Disabling Multicast Flooding	363
Specifying a Port as Connected to a Multicast Router	364
Configuring the Switch as Querier	364
Fast Convergence after MSTP Topology Changes	365
Egress Interface Selection (EIS) for HTTP and IGMP Applications	365
Protocol Separation	365
Enabling and Disabling Management Egress Interface Selection	366
Handling of Management Route Configuration	367
Handling of Switch-Initiated Traffic	368
Handling of Switch-Destined Traffic	368
Handling of Transit Traffic (Traffic Separation)	369
Mapping of Management Applications and Traffic Type	369
Behavior of Various Applications for Switch-Initiated Traffic	370
Behavior of Various Applications for Switch-Destined Traffic	371
Interworking of EIS With Various Applications	372
Designating a Multicast Router Interface	372
Interfaces	374
Basic Interface Configuration	374
Advanced Interface Configuration	374
Interface Types	375
View Basic Interface Information	375
Resetting an Interface to its Factory Default State	377
Enabling Energy Efficient Ethernet	378
View EEE Information	378
Clear EEE Counters	382
Enabling a Physical Interface	383
Physical Interfaces	383
Configuration Task List for Physical Interfaces	384
Overview of Layer Modes	384
Configuring Layer 2 (Data Link) Mode	384
Configuring Layer 2 (Interface) Mode	385
Configuring Layer 3 (Network) Mode	385
Configuring Layer 3 (Interface) Mode	386
Egress Interface Selection (EIS)	386
Important Points to Remember	386
Configuring EIS	387
Management Interfaces	387
Configuring Management Interfaces	387
Configuring a Management Interface on an Ethernet Port	389
VLAN Interfaces	389
Loopback Interfaces	390
Null Interfaces	391
Port Channel Interfaces	391
Port Channel Definition and Standards	391
Port Channel Benefits	391
Port Channel Implementation	391
Interfaces in Port Channels	392
Configuration Tasks for Port Channel Interfaces	392
Creating a Port Channel	393
Adding a Physical Interface to a Port Channel	393
Reassigning an Interface to a New Port Channel	395
Configuring the Minimum Oper Up Links in a Port Channel	395
Adding or Removing a Port Channel from a VLAN	396
Assigning an IP Address to a Port Channel	397
Deleting or Disabling a Port Channel	397
Load Balancing Through Port Channels	397
Changing the Hash Algorithm	398
Bulk Configuration	399
Interface Range	399
Bulk Configuration Examples	399
Defining Interface Range Macros	401
Define the Interface Range	401

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101

Match case Limit results 1 per page

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

TLS_DH_RSA_WITH_AES_256_CBC_SHA

TLS_DH_RSA_WITH_AES_128_CBC_SHA

TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and

traﬃc

overhead due to public

key cryptographic operations and handshake

traﬃc.

However, the maximum time allowed for a TLS session to resume without repeating

the TLS authentication or handshake process is

conﬁgurable

with a default of 1 hour. You can also disable session resumption.

Syslog over TLS

Syslog over TLS mandates that a client

certiﬁcate

must be presented, to ensure that all Syslog entries written to the server are from a

trusted client.

Online

Certiﬁcate

Status Protocol (OSCP)

Use the Online

Certiﬁcate

Status Protocol (OSCP) to obtain the revocation status of a X.509v3

certiﬁcate.

A device or a

Certiﬁcate

Authority (CAs) can check the status of a X.509v3

certiﬁcate

by sending an OCSP request to an OCSP server or

responder. An OCSP responder, a server typically run by the

certiﬁcate

issuer, returns a signed response signifying that the

certiﬁcate

speciﬁed

in the request is 'good', 'revoked', or 'unknown'. The OCSP response indicates whether the presented

certiﬁcate

is valid.

OCSP provides a way for

Certiﬁcate

Authorities to revoke signed

certiﬁcates

before the expiration date. In a CA

certiﬁcate,

OCSP

Responder information is

speciﬁed

in the authorityInfoAccess extension.

A CA can verify the revocation status of a

certiﬁcate

with multiple OCSP responders. When multiple OCSP responders exist, you can

conﬁgure

the order or preference the CA takes while contacting various OCSP responders for

veriﬁcation.

Upon receiving a presented

certiﬁcate,

the system sends an OCSP request to an OCSP responder through HTTP. The system then

veriﬁes

the OCSP response using either a trusted public key or the OCSP responder’s own self-signed

certiﬁcate.

This self-signed

certiﬁcate

installs on the device's trusted location even before an OCSP request is made. The system accepts or rejects the presented

certiﬁcate

based on the OCSP response.

In a scenario where all OCSP responders are unreachable, the switch accepts the

certiﬁcate.

This action is the default behavior. You can

also

conﬁgure

an alternate system behavior when all OCSP responders are unreachable. However, the switch may become vulnerable to

denial-of-service attack if you

conﬁgure

the system to deny the

certiﬁcate

when OCSP responders are not reachable.

The system creates logs for the following events:

•

Failures to reach OCSP responders

•

Invalid OCSP responses—for example, cannot verify the signed response with an installed CA

certiﬁcate.

•

Rejection of a

certiﬁcate

due to OCSP

Conﬁguring

OCSP setting on CA

You can

conﬁgure

the CA to contact multiple OCSP servers.

conﬁgure

OCSP server for a CA, perform the following step:

In the

certiﬁcate

mode, enter the following command:

ocsp-server

URL

[nonce] [sign-requests]

X.509v3

1099