SSL and Enhanced Stacking – Allied Telesis AT-S63 User Manual

Page 469

AT-S63 Management Software Features Guide

Section IX: Management Security

SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only
when all switches in the stack are using the feature.

When a switch’s web server is operating in HTTP, management packets
are transmitted in plaintext. When it operates in HTTPS, management
packets are encrypted. The web server on the AT-9400 Switch can operate
in either mode. Enhanced stacking switches that do not support SSL, such
as the AT-8000 Series switches, use HTTP exclusively.

A web browser management session of the switches in an enhanced stack
cannot alternate between the different security modes during a session.
The management session assumes that the web server mode that the
master switch is using is the same for all the switches in the stack. As an
example, if the master switch is using HTTPS, a web browser
management session assumes that all the other switches in the stack are
also using HTTPS, and it does not allow you to manage any switches
running HTTP.

For those networks that consist of enhanced stacking switches where
some switches support SSL and others do not, there are two approaches
you can take. One is to create different enhanced stacks for the different
switches, with one enhanced stack for those switches that support SSL
and another for those that do not. You create different enhanced stacks by
connecting the switches with different common VLANs.

Another workaround is to create one enhanced stack of all the switches
and designate two master switches, where one master switch uses HTTP
and the other HTTPS. When you need to manage those switches in the
stack supporting SSL, you would start the management session on the
master switch whose web server is set to HTTPS. And when you want to
manage those switches not supporting SSL, you would start the
management session on the master switch whose web server is set to
HTTP.

Each switch in a stack must have its own key pair and certificate. They
cannot share keys and certificates. When you start a web browser
management session on the master switch of an enhanced stack, the
management session uses that switch’s certificate and key pair. When you
change to another switch in the stack, the management session starts to
use the certificate and key pair on that switch, and so forth.
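
The rules above can be checked against a switch inventory before a stack is deployed. The following is an added example, not part of the Allied Telesis manual; the inventory, switch names and certificate bytes are constructed, and all switches are assumed to share one common VLAN (one enhanced stack).

```python
import hashlib
from collections import defaultdict

# Constructed inventory (not from the manual): web server mode, master flag,
# and placeholder bytes standing in for the DER certificate each HTTPS switch presents.
INVENTORY = [
    {"name": "sw-a", "mode": "https", "master": True,  "cert": b"constructed-cert-A"},
    {"name": "sw-b", "mode": "https", "master": False, "cert": b"constructed-cert-B"},
    {"name": "sw-c", "mode": "https", "master": False, "cert": b"constructed-cert-A"},  # reuses sw-a's
    {"name": "sw-d", "mode": "http",  "master": True,  "cert": None},
    {"name": "sw-e", "mode": "http",  "master": False, "cert": None},
]

def reachable_from(master, inventory):
    """A session started on `master` assumes every switch uses the master's mode,
    so only switches in that same mode can be managed from it."""
    return sorted(s["name"] for s in inventory if s["mode"] == master["mode"])

def audit(inventory):
    masters = [s for s in inventory if s["master"]]
    sessions = {m["name"]: reachable_from(m, inventory) for m in masters}
    covered = {n for names in sessions.values() for n in names}
    # Switches that no master can reach because of a mode mismatch.
    unmanageable = sorted(s["name"] for s in inventory if s["name"] not in covered)
    # Switches whose management traffic is sent in plaintext.
    plaintext = sorted(s["name"] for s in inventory if s["mode"] == "http")
    # Each switch must have its own key pair and certificate: flag duplicates.
    by_fp = defaultdict(list)
    for s in inventory:
        if s["mode"] == "https":
            by_fp[hashlib.sha256(s["cert"]).hexdigest()].append(s["name"])
    shared = sorted(sorted(names) for names in by_fp.values() if len(names) > 1)
    return {"sessions": sessions, "unmanageable": unmanageable,
            "plaintext": plaintext, "shared_certs": shared}

if __name__ == "__main__":
    for key, value in audit(INVENTORY).items():
        print(key, value)
```

With real switches, the certificate bytes would come from each switch's HTTPS listener, for example via Python's `ssl.get_server_certificate()`.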
