Wednesday, April 13, 2011

Configuring Dell 54xx and 62xx switches for https.

At work, we recently acquired 3 Dell switches, a 6248P, a 5424 and a 5448.  Based on some older Dell switches we own, Dell has come a long way with their switches.

Hopefully everyone knows that plaintext protocols are terrible for securely managing devices.  These switches are capable of SSH, telnet, http and https.  SSH is sufficient for remote management of  the switch, but if you need or want a GUI (girls use it) interface, https is the only way to go.  Since Dell doesn't have anything in their documentation about setting it up, and I wasn't able to find a complete configuration guide for enabling https, I thought I'd share what it took for me to get it going.  This guide assumes you have already configured the switch for ssh access, or that you are managing the switch from the console cable.

Once you've logged into your switch, you will see a prompt like this:  hostname#, where hostname is the name you've assigned to your switch.

First you need to verify that the time is set correctly.  Show clock will tell us if it is. 
Dell5424#show clock
*00:58:11 (UTC+0)  Jan 1 2000
No time source
My switch was not set.  You can set it manually with the clock set command.
Dell5424# clock set 15:37:00 apr 13 2011
Alternatively, you can configure the switch for simple network time protocol, or sntp.
 Dell5424(config)# clock source sntp
Dell5424(config)# sntp server x.x.x.x poll  where x.x.x.x is the ip address of the server you want to get sntp info from
Dell5424(config)# sntp client enable vlan 1 
Dell5424(config)# clock timezone -5 zone EST
Dell5424(config)# clock summer-time recurring usa zone EDT
Dell5424(config)# sntp unicast client enable
Dell5424(config)# sntp unicast client poll

Now we can verify that the time settings took

Dell5424(config)# exit
Dell5424# show clock detail
 11:47:30 EDT(UTC-5)  Apr 13 2011
Time source is sntp

Time zone:
Acronym is EST
Offset is UTC-5

Acronym is EDT
Recurring every year.
Begins at 02 01 03 02:00.
Ends at 01 01 11 02:00.
Offset is 60 minutes.
Dell5424#show sntp status

Client Mode:                       Unicast
Last Update Time:                  APR 13 15:40:00 2011

Unicast servers:
Server          Status                 Last response
--------------- ---------------------- --------------------------
x.x.x.x    Success                15:40:00 Apr 13 2011


Now we need to generate the certificate for the web server to use to secure the connection.

Dell5424# conf
Dell5424(config)# crypto certificate 1 generate generate-key  here I'm generating a certificate for slot 1, but you can use either 1 or 2 after certificate.
We need to assign the newly generated certificate to the https server, turn the server on and disable the http server.

Dell5424(config)# ip https certificate 1
Dell5424(config)# ip https server
Dell5424(config)# no ip http server

Of course, don't forget to save your work!

 Dell5424# copy running-config startup-config
Overwrite file [startup-config] ?[Yes/press any key for no]....13-Apr-2011 16:05:55 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
13-Apr-2011 16:06:01 %COPY-N-TRAP: The copy operation was completed successfully
Copy succeeded

On the 62xx series switches, the commands are slightly different.

Dell6248P(config)#sntp server x.x.x.x poll
Dell6248P(config)#sntp unicast client enable
Dell6248P(config)#clock timezone hours-offset -5 EST
Dell6248P(config)#clock timezone -5 zone EST
Dell6248P(config)#clock summer-time recurring usa zone EDT
Dell6248P#show clock
16:18:38 EDT(UTC-4:00) Apr 13 2011
Time source is SNTP

Dell6248P(config)#crypto certificate 1 generate
Dell6248P(config-crypto-cert)# exit

Dell6248P(config)# ip https certificate 1
Dell6248P(config)# ip https server
Dell6248P(config)# no ip http server

Dell6248P#copy running-config startup-config
This operation may take a few minutes.
Management interfaces will not be available during this time.
Are you sure you want to save? (y/n) y
Configuration Saved!

Coming from the Cisco world where typing "ip http secure-server" generates the certificate, assigns it to the web server and enables the web server, this was a bit more complicated.  Hopefully this will help someone else configure their gear to be more secure.

NOTE:  Following the steps in this tutorial will generate self-signed certificates on your switches.  Because the certificates are issued by a non-trusted CA, your browser will display an error when you navigate to those pages.  Because of that, these certificates may not be appropriate in your environment.  There are commands to generate certificate requests that can be used to obtain certificates from a trusted authority, I'll publish a tutorial about that sometime in the future.


  1. Hey Brian, how come a 6248 doesn't ask for a password at the CLI prompt after i entered the command username somebody password 123456 level 15

    Is there something I'm missing to activate this?

    1. Yes, there is something missing. If you want to require a login while connected to the switch via the console cable, you need to add this command: aaa authentication login default local. This sets the switch to require a login for everything, and uses the local username database for authentication.

      Thanks for reading and commenting.

  2. Thx for this settings, it's very useful, even now I use it in this format.

    Best regards
    Toby, data room m&a

  3. Similarly as with the Dell Dimension you have to expel the jumpers from the first and second sticks. Put them on pins 2 and 3. Following a moment or somewhere in the vicinity, you can return it on pins 1 and 2. visit here


Tell me what you think!