Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
- Make your passwords a minimum of eight characters in length.
- Disable Telnet. Users should log in using SSH only.
- Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.
- Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
- Disable VRRP.
- Do not configure FIPS and IPsec together on a switch. With FIPS enabled, if you configure IKE, then FCIP links will not come up.
- Delete all SSH Server RSA1 keypairs.
- If FIPS is enabled and you upgrade from Cisco MDS NX-OS Release 6.x, 7.x, or 8.1(x) to Cisco MDS NX-OS Release 8.2(1) or later release, then you cannot disable FIPS in the upgraded 8.2(x) release.
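
The following is an added example, not Cisco's code or part of the original guide: a pre-check that scans a saved running configuration for settings that conflict with the guidelines above. The command patterns and the sample configuration are assumptions constructed for illustration and should be checked against your own `show running-config` output; password length, SNMPv3 privacy and RSA1 key pairs are not checked.

```python
import re

# Assumed running-config patterns (verify against your own switch output);
# each one maps to a guideline from the list above.
RULES = [
    ("Telnet enabled", re.compile(r"^\s*(feature telnet|telnet server enable)\b")),
    ("RADIUS/TACACS+ remote authentication configured",
     re.compile(r"^\s*(feature tacacs\+|tacacs-server host|radius-server host)")),
    ("SNMP v1/v2 community configured", re.compile(r"^\s*snmp-server community\b")),
    ("VRRP configured", re.compile(r"^\s*(feature\s+)?vrrp\b")),
    ("IKE configured (FCIP links will not come up with FIPS)",
     re.compile(r"^\s*(feature crypto ike|crypto ike\b)")),
]
SNMP_USER = re.compile(r"^\s*snmp-server user\s+(\S+)")


def audit(config_text):
    """Return (line_number, finding) pairs for lines that conflict with the guidelines."""
    findings = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith(("no ", "!")):
            continue  # negated commands and comments are not violations
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((num, label))
        user = SNMP_USER.match(line)
        # SNMPv3 users must authenticate with SHA only
        if user and not re.search(r"\bauth sha\b", line):
            findings.append((num, f"SNMPv3 user {user.group(1)} does not use SHA authentication"))
    return findings


# Constructed sample configuration, not taken from a real switch.
SAMPLE = """\
feature telnet
no feature tacacs+
radius-server host 192.0.2.10 key 7 "constructed"
snmp-server community public group network-operator
snmp-server user admin network-admin auth sha 0xconstructed priv aes-128 0xconstructed
snmp-server user monitor network-operator auth md5 0xconstructed priv 0xconstructed
interface mgmt0
  vrrp 10
"""

if __name__ == "__main__":
    for num, finding in audit(SAMPLE):
        print(f"line {num}: {finding}")
```

An empty result means none of the checked settings were found; it does not by itself confirm that the switch is ready for FIPS mode.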