SSL and Enhanced Stacking – Allied Telesis AT-S62 User Manual
Page 709

AT-S62 Management Software Menus Interface User’s Guide
Section VII: Management Security
SSL and Enhanced Stacking
Secure Sockets Layer (SSL) is supported in an enhanced stack, but only 
when all switches in the stack are using the feature.

A web server can operate in one of two modes -- HTTP or HTTPS. When a
switch’s web server is operating in HTTP, management packets are
transmitted in plaintext. When it operates in HTTPS, management packets
are sent encrypted.

The web server on an AT-8500 Series switch, and also an AT-8400 Series
switch, can operate in either mode. Enhanced stacking switches that do
not support SSL, such as the AT-8000 Series switches, use HTTP
exclusively.

A web browser management session of the switches in an enhanced stack
cannot change its security mode during a session. The management
session assumes that the web server mode that the master switch is using
is the same for all the switches in the stack.

As an example, if the master switch is using HTTPS, a web browser
management session assumes that all the other switches in the stack are
also using HTTPS, and it will not allow you to manage any switches
running HTTP.

For those networks that consist of enhanced stacking switches where
some switches support SSL and others do not, there are two approaches
you can take. One is to create different enhanced stacks for the different
switches. You could create one enhanced stack for those switches that
support SSL and another stack for those that do not. You create different
enhanced stacks by assigning switches to different Management VLANs,
as explained in “Specifying a Management VLAN” on page 579.

Another approach is to leave the switches in one enhanced stack, but
designate two master switches. One master switch could be using HTTP
and the other HTTPS. When you want to use your web browser to manage
those switches that support SSL, you would start the management session
on the master switch whose server mode is set to HTTPS. To manage
those switches that do not support SSL, you would start the management
session on the master switch whose web server is set to HTTP.

In order to implement SSL in an enhanced stack, each switch in the stack
must be given its own encryption key pair and certificate. Switches cannot
share keys and certificates. When you start a web browser management
session on the master switch of an enhanced stack, the management
session uses the certificate and key pair on the master switch. When you
change to another switch in the stack, the management session starts to
use the certificate and key pair on that switch, and so forth.
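
The following is an added example, not part of the AT-S62 software or this guide: a small Python audit that checks a planned stack layout against the rules above (every switch needs a master running the same web server mode in its Management VLAN, and no two switches may share a certificate). The inventory, switch names, VLAN IDs and fingerprints are constructed, and it assumes you record each switch's certificate fingerprint when you create its certificate.

```python
from collections import defaultdict

# Constructed inventory; names, VLAN IDs and fingerprints are made up.
INVENTORY = [
    {"name": "sw1", "vlan": 10, "master": True,  "mode": "https", "cert_fp": "AA:01"},
    {"name": "sw2", "vlan": 10, "master": False, "mode": "https", "cert_fp": "AA:02"},
    {"name": "sw3", "vlan": 10, "master": False, "mode": "http",  "cert_fp": None},
    {"name": "sw4", "vlan": 10, "master": False, "mode": "https", "cert_fp": "AA:02"},
    {"name": "sw5", "vlan": 20, "master": True,  "mode": "http",  "cert_fp": None},
    {"name": "sw6", "vlan": 20, "master": False, "mode": "http",  "cert_fp": None},
    {"name": "sw7", "vlan": 10, "master": False, "mode": "https", "cert_fp": None},
]

def audit(inventory):
    """Return a sorted list of (switch, problem) findings."""
    findings = []
    stacks = defaultdict(list)          # one enhanced stack per Management VLAN
    for sw in inventory:
        stacks[sw["vlan"]].append(sw)

    for vlan, members in stacks.items():
        master_modes = {sw["mode"] for sw in members if sw["master"]}
        if not master_modes:
            findings.extend((sw["name"], "stack has no master") for sw in members)
            continue
        for sw in members:
            # A session inherits the master's mode, so a member is only
            # manageable through a master running the same mode.
            if sw["mode"] not in master_modes:
                findings.append((sw["name"], f"no {sw['mode']} master in VLAN {vlan}"))

    by_fp = defaultdict(list)
    for sw in inventory:
        if sw["mode"] == "https":
            if sw["cert_fp"] is None:
                findings.append((sw["name"], "https without own certificate"))
            else:
                by_fp[sw["cert_fp"]].append(sw["name"])
    for fp, names in by_fp.items():
        if len(names) > 1:              # switches cannot share keys/certificates
            findings.extend((n, f"certificate {fp} shared") for n in names)
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit(INVENTORY):
        print(f"{name}: {problem}")
```

Designating sw3 as a second master in VLAN 10, or moving it to the HTTP-only stack in VLAN 20, clears its finding; these correspond to the two approaches described above.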
