Enabling the FIPS mode
You must reboot the switch after you enable or disable the FIPS mode to make your configuration take effect. If you change the FIPS mode for an IRF fabric, you must reboot all IRF member devices.
Do not disable the password control function when the switch operates in FIPS mode. Otherwise, users might be unable to log in.
To enable the FIPS mode:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the FIPS mode. | fips mode enable | Disabled by default. |
After you enable the FIPS mode and reboot the switch, the switch operates in FIPS mode and the following changes take effect:
- FTP/TFTP is disabled.
- Telnet is disabled.
- The HTTP server is disabled.
- Cluster management is disabled.
- SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
- The SSL server only supports TLS 1.0.
- The SSH server does not support SSHv1 clients.
- SSH only supports RSA.
- The generated RSA key pairs must have a modulus length of 2048 bits. The generated DSA key pair must have a modulus of at least 1024 bits.
- SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
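
One way to confirm the SSH-related changes after the reboot is to compare what the SSH server presents against the list above. The following is an added example, not part of the vendor documentation: `audit_ssh_offer` is a hypothetical helper, the algorithm names are the standard SSH protocol names (`arcfour` is RC4), and both sample offers are constructed.

```python
import re

# Tokens for the algorithms the page says SSH does not support in FIPS mode
# (DES, 3DES, RC4, MD5). "arcfour" is the SSH protocol name for RC4.
BANNED = re.compile(r"(^|[^a-z0-9])(3?des|arcfour\d*|rc4|md5)([^a-z0-9]|$)")


def audit_ssh_offer(banner, host_key_algs, rsa_bits, ciphers, macs):
    """Return a list of findings; an empty list means the offer matches the page."""
    findings = []

    # RFC 4253: "SSH-2.0-" is SSHv2 only; "SSH-1.99-" also accepts SSHv1 clients.
    m = re.match(r"SSH-(\d+\.\d+)-", banner)
    if not m:
        findings.append("unparseable identification string")
    elif m.group(1) != "2.0":
        findings.append(f"protocol {m.group(1)} accepts SSHv1 clients")

    # "SSH only supports RSA" (rsa-sha2-* are RSA signature variants).
    for alg in host_key_algs:
        if not (alg == "ssh-rsa" or alg.startswith("rsa-sha2-")):
            findings.append(f"non-RSA host key algorithm: {alg}")

    # "RSA key pairs must have a modulus length of 2048 bits"
    if rsa_bits != 2048:
        findings.append(f"RSA modulus is {rsa_bits} bits, expected 2048")

    for kind, names in (("cipher", ciphers), ("MAC", macs)):
        for name in names:
            if BANNED.search(name.lower()):
                findings.append(f"banned {kind}: {name}")
    return findings


# Constructed samples: what a server might present before and after FIPS mode.
LEGACY = dict(banner="SSH-1.99-Example", host_key_algs=["ssh-rsa", "ssh-dss"],
              rsa_bits=1024, ciphers=["aes128-cbc", "3des-cbc", "des-cbc"],
              macs=["hmac-sha1", "hmac-md5"])
FIPS = dict(banner="SSH-2.0-Example", host_key_algs=["ssh-rsa"],
            rsa_bits=2048, ciphers=["aes128-cbc", "aes256-cbc"],
            macs=["hmac-sha1", "hmac-sha1-96"])

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY), ("fips", FIPS)):
        print(label, audit_ssh_offer(**offer) or "OK")
```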