Guidelines – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section VIII: Management Security

that the master switch is using is the same for all the switches in the stack.
As an example, if the master switch is using HTTPS, a web browser
management session assumes that all the other switches in the stack are
also using HTTPS, and it does not allow you to manage any switches
running HTTP.

For those networks that consist of enhanced stacking switches where
some switches support SSL and others do not, there are two approaches
you can take. One is to create different enhanced stacks for the different
switches. You could create one enhanced stack for those switches that
support SSL and another stack for those that do not. You create different
enhanced stacks by assigning switches to different Management VLANs.
For information, refer to “Specifying a Management VLAN” on page 633.

Another workaround is to leave the switches in one enhanced stack, but
designate two master switches. One master switch could be using HTTP
and the other HTTPS. When you want to use your web browser to manage
those switches that support SSL, you would start the management session
on the master switch whose server mode is set to HTTPS. To manage
those switches not supporting SSL, you would start the management session
on the master switch whose web server is set to HTTP.
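
The following audit sketch is an added example, not part of the Allied Telesis manual or the AT-S63 software. It applies the rule above (a browser session started on a master manages only stack members running the same web server mode) to a constructed inventory. The field names, the switch names, and the use of the Management VLAN ID as the stack identifier are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (not from the manual): switch name, Management VLAN,
# whether the switch is a master, and its web server mode.
INVENTORY = [
    {"name": "sw-core-1", "mgmt_vlan": 10, "master": True,  "mode": "HTTPS"},
    {"name": "sw-acc-1",  "mgmt_vlan": 10, "master": False, "mode": "HTTPS"},
    {"name": "sw-acc-2",  "mgmt_vlan": 10, "master": False, "mode": "HTTP"},
    {"name": "sw-core-2", "mgmt_vlan": 20, "master": True,  "mode": "HTTPS"},
    {"name": "sw-core-3", "mgmt_vlan": 20, "master": True,  "mode": "HTTP"},
    {"name": "sw-acc-3",  "mgmt_vlan": 20, "master": False, "mode": "HTTP"},
    {"name": "sw-acc-4",  "mgmt_vlan": 20, "master": False, "mode": "HTTPS"},
]


def audit_stacks(inventory):
    """Group switches into enhanced stacks by Management VLAN and report,
    per stack, which switches no master can reach from a browser session
    and which are still managed over plaintext HTTP."""
    stacks = defaultdict(list)
    for sw in inventory:
        stacks[sw["mgmt_vlan"]].append(sw)

    report = {}
    for vlan, members in sorted(stacks.items()):
        # Modes offered by the masters: a session started on a master only
        # manages stack members running that same mode.
        master_modes = {sw["mode"] for sw in members if sw["master"]}
        unreachable = sorted(sw["name"] for sw in members
                             if sw["mode"] not in master_modes)
        plaintext = sorted(sw["name"] for sw in members
                           if sw["mode"] == "HTTP")
        report[vlan] = {
            "master_modes": sorted(master_modes),
            "unreachable": unreachable,
            "plaintext": plaintext,
        }
    return report


if __name__ == "__main__":
    for vlan, result in audit_stacks(INVENTORY).items():
        print(f"Management VLAN {vlan}: {result}")
```

In the constructed data, the stack on Management VLAN 10 has a single HTTPS master, so its HTTP switch cannot be managed from a browser session. The stack on Management VLAN 20 uses the two-master workaround, so every member is reachable, but two switches are still managed over plaintext HTTP.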

To implement SSL in an enhanced stack, you must create an encryption
key pair and a certificate on each switch. When you start a web browser
management session on the master switch of an enhanced stack, the
management session uses the certificate and key pair on the master
switch. When you change to another switch in the stack, the management
session starts to use the certificate and key pair on that switch, and so
forth.

Guidelines

The guidelines for creating certificates are:

• A certificate can have only one key.

• A switch can use only those certificates that contain a key that was
  generated on the switch.

• You can create multiple certificates on a switch, but the device uses
  the certificate whose key pair has been designated as the active key
  pair for the switch’s web server.

• Most web browsers support both unsecured (plaintext) and secured
  (encrypted) operation. These modes are referred to as HTTP and
  HTTPS, respectively. If you choose to use encryption when you
  manage a switch, the web browser you use must support HTTPS.