Disable TLS 1.1 on Catalyst 9000 Switches

Available Languages

Download Options

  • PDF     (22.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (79.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (64.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 13, 2025
Document ID:223097

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to disable Transport Layer Security(TLS) 1.1 on Catalyst 9000 switches in LAN networks.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • LAN switching concepts
    • Basic command line interface (CLI) navigation
    • Understanding of TLS protocols

    Components Used

    The information in this document is based on these software and hardware versions:

    • Catalyst 9000 Series Switch
    • Software Version: 17.6.5

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document provides a technical guide for locating and disabling TLS 1.1 on Catalyst 9000 switches.

    Problem

    The problem involves TLS 1.1 being detected on the switch. This is flagged for several anti vulnerabilities scan,

    Step 1: Verify the Presence of TLS 1.1

    Switch#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2 tls13-aes128-gcm-sha256
        tls13-aes256-gcm-sha384 tls13-chacha20-poly1305-sha256
HTTP secure server TLS version:  TLSv1.3 TLSv1.2 TLSv1.1                    <<< Presense of TLSv1.1 in the HTTP Server
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: TP-self-signed-3889524895
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

    Switch#show ip http client secure status
HTTP secure client ciphersuite:  rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2 tls13-aes128-gcm-sha256
        tls13-aes256-gcm-sha384 tls13-chacha20-poly1305-sha256
HTTP secure client TLS version:  TLSv1.3 TLSv1.2 TLSv1.1                   <<< Presence of TLSv1.1 in the HTTP client  
HTTP secure client trustpoint:

    Solution

    Take these steps to disable TLS 1.1 on a Catalyst 9000 switches:

    Step 1: Disable TLS 1.1 for HTTP Server

    Switch#configure terminal
    Switch(config)#no ip http tls-version TLSv1.1

    Step 2: Disable TLS 1.1 for HTTP Client

    Switch#configure terminal
    Switch(config)#no ip http client tls-version TLSv1.1

    These commands ensure that TLS 1.1 is disabled on both the server and client sides of the switch, mitigating any security concerns associated with outdated protocols.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    13-Jun-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Alejandro Caral Ferro
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products