Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
- Make your passwords a minimum of eight characters in length.
- Keep Telnet disabled. Users should log in using SSH only.
- Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.
- Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
- Disable VRRP.
  Note: This step is applicable to Cisco NX-OS software release 8.3(1) or older versions.
- Do not configure FIPS and IPsec together on a switch. With FIPS enabled, if you configure IKE, then FCIP links will not come up.
- Delete all SSH Server RSA1 keypairs.
- If FIPS is enabled and you upgrade from Cisco MDS NX-OS Release 8.1(x) to Cisco MDS NX-OS Release 8.2(1) or a later release, you cannot disable FIPS in the upgraded 8.2(x) release.
- Fibre Channel Security Protocol (FCSP) and Network Time Protocol (NTP) are not FIPS compliant on Cisco MDS devices, because neither protocol is cryptographically secure enough to meet the FIPS 140-2 standard. Using non-FIPS-compliant components such as FCSP and NTP with MD5 on Cisco MDS devices can potentially lead to vulnerabilities.
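The checklist above is easy to audit mechanically from a saved running-config before FIPS mode is turned on. The following Python script is an added example and is not part of the Cisco documentation or any Cisco tool: it scans a running-config text for the settings the guidelines say must be absent (Telnet, RADIUS/TACACS+, SNMPv1/v2c communities, SNMPv3 users with MD5 or single DES, VRRP, RSA1 SSH keys, IKE/IPsec, NTP MD5 keys) and reports each offending line. The sample configuration embedded in it is constructed for this example, and the exact command keywords it matches (for instance `feature crypto ike` and `ssh key rsa1`) are assumptions about NX-OS syntax that should be checked against the release in use. Minimum password length cannot be checked this way, because only hashes are stored in the configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config excerpt for demonstration only (not captured
# from any real switch). Command syntax is assumed to resemble NX-OS; treat the
# exact keywords as illustrative and adapt the patterns to your platform/release.
SAMPLE_RUNNING_CONFIG = """\
feature telnet
feature tacacs+
feature vrrp
tacacs-server host 192.0.2.10 key 7 "PLACEHOLDER_KEY"
aaa authentication login default group TACACS-GROUP
snmp-server community public group network-operator
snmp-server user monitor network-operator auth md5 0xPLACEHOLDER priv des 0xPLACEHOLDER
snmp-server user auditor network-operator auth sha 0xPLACEHOLDER priv aes-128 0xPLACEHOLDER
ssh key rsa1 1024
ntp authentication-key 10 md5 PLACEHOLDER
"""


@dataclass(frozen=True)
class Finding:
    check: str      # short identifier of the guideline that is violated
    line_no: int    # 1-based line number in the supplied config text
    line: str       # the offending config line
    advice: str     # what the guideline says to do about it


# (check id, compiled pattern, remediation advice). Every regex is anchored to the
# start of a line so that negated forms such as "no feature telnet" do not match.
CHECKS = [
    ("telnet-enabled", re.compile(r"^feature telnet(?!\S)"),
     "Keep Telnet disabled; users should log in over SSH only."),
    ("remote-aaa", re.compile(r"^(feature (tacacs\+|radius)(?!\S)|(radius|tacacs)-server host\b|"
                              r"aaa authentication login default group\b)"),
     "Disable RADIUS/TACACS+ remote authentication; only local users are authenticated."),
    ("snmp-v1v2", re.compile(r"^snmp-server community\b"),
     "Remove SNMPv1/v2c communities; use SNMPv3 only."),
    ("snmpv3-weak-crypto", re.compile(r"^snmp-server user\b.*\b(auth md5|priv des)\b"),
     "SNMPv3 users must use SHA for authentication and AES/3DES for privacy."),
    ("vrrp-enabled", re.compile(r"^feature vrrp(?!\S)"),
     "Disable VRRP (applies to NX-OS 8.3(1) and older)."),
    ("ssh-rsa1-key", re.compile(r"^ssh key rsa1\b"),
     "Delete all SSH server RSA1 key pairs."),
    ("ike-ipsec", re.compile(r"^feature crypto (ike|ipsec)\b"),   # assumed keyword
     "Do not configure FIPS and IPsec/IKE together."),
    ("ntp-md5", re.compile(r"^ntp authentication-key \d+ md5\b"),  # assumed keyword
     "NTP with MD5 is not FIPS compliant."),
]


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per config line that violates a pre-FIPS guideline.

    Minimum password length cannot be verified from the running-config (only
    hashes are stored), so that guideline is left to the operator.
    """
    findings: list[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for check, pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append(Finding(check, line_no, line, advice))
    return findings


def violated_checks(config_text: str) -> set[str]:
    """Convenience wrapper: the set of guideline ids that fail for this config."""
    return {f.check for f in audit_config(config_text)}


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {f.line_no}: [{f.check}] {f.line}\n    -> {f.advice}")
```

Run it against the output of `show running-config` saved to a file; an empty result means none of the listed settings was found, which is the state the guidelines require before `fips mode enable` is issued. A clean audit does not by itself prove FIPS readiness (password length and FCSP usage still need a manual review), but it catches the configuration items that would otherwise be discovered only after the switch refuses to enable FIPS or links fail to come up.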