Can I disable Weak Encryption Algorithms on SSH

Hi

I have switch 3850 and open SSH 

My Audit scan ssh found  Encryption Algorithms vulnerability 

Can I disable Weak Encryption Algorithms 3des-cbc ,aes128-cbc ,aes192-cbc ,aes256-cbc and disable message authentication code MD5 and 96-bit MAC algorithms ?

if i closing this weak Encryption is there any effect to switch operation

Accepted Solution

Francesco Molino (VIP Alumni)
Hi

You can use the following command to enable the encryption algorithms of your choice:
ip ssh server algorithm encryption

For MAC, the command would be:
ip ssh server algorithm mac

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


julian.bendix (Level 3)

Hi!

To my knowledge, the only way to prevent the switch from offering weak algorithms is the following:

(example) conf#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

You can add all the algorithms you want to use to the command; just chain them one after another.
This way you tell the switch to only use those from now on.

Does this answer the question?

Let me know.
Best regards!
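One check worth running after the command above, as an added example that is not part of this thread: an SSH server announces every cipher and MAC it accepts in its KEXINIT message, which goes over the wire in the clear before any key exchange, so a small probe from any management host shows exactly what the switch still offers. The Python script below was written for this page (not Cisco's code). It parses the KEXINIT name-lists and flags the four CBC ciphers and the MD5/96-bit MACs named in the question. The host name and port are command-line arguments; the two sample payloads are constructed here to mirror the cipher list in the `?` output later in this thread and an assumed default MAC list of hmac-sha1 and hmac-sha1-96, and were not captured from a real device.

```python
"""Probe an SSH server's KEXINIT and flag the weak ciphers/MACs an audit scanner reports."""
import socket
import struct
import sys

# Algorithms from the question: CBC-mode ciphers, and MD5 or 96-bit-truncated MACs.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Name-lists in the order RFC 4253 section 7.1 places them after the 16-byte cookie.
_KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def _read_namelist(buf, off):
    """Decode one name-list at offset off; return (names, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (message number 20) into its algorithm name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message number + random cookie
    lists = {}
    for field in _KEXINIT_FIELDS:
        lists[field], off = _read_namelist(payload, off)
    return lists  # trailing first_kex_packet_follows/reserved fields are not needed here


def weak_algorithms(lists):
    """Return the offered ciphers and MACs (either direction) that the audit would flag."""
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return {"encryption": sorted(enc & WEAK_CIPHERS), "mac": sorted(mac & WEAK_MACS)}


def build_kexinit(enc, mac, kex=("diffie-hellman-group14-sha1",), host_key=("ssh-rsa",)):
    """Build a KEXINIT payload; used only to construct offline sample input for this example."""
    body = bytes([20]) + b"\x00" * 16
    for names in (kex, host_key, enc, enc, mac, mac, ("none",), ("none",), (), ()):
        body += _namelist(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved=0


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect to an SSH server and return the payload of its KEXINIT, which is sent unencrypted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send banner lines before the version
            line = f.readline()
            if not line:
                raise ConnectionError("server closed the connection before sending a version string")
        s.sendall(b"SSH-2.0-kexprobe_0.1\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))  # binary packet format, RFC 4253 section 6
        packet = f.read(packet_len)
        padding_len = packet[0]
        return packet[1:packet_len - padding_len]  # strip padding-length byte and padding


# Constructed samples (not device captures): the offer modelled on the `?` list in this thread,
# with hmac-sha1/hmac-sha1-96 assumed as the default MACs, and the offer after restricting
# encryption to the three CTR ciphers and MAC to hmac-sha1.
DEFAULT_OFFER = build_kexinit(
    enc=("aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"),
    mac=("hmac-sha1", "hmac-sha1-96"),
)
HARDENED_OFFER = build_kexinit(enc=("aes256-ctr", "aes192-ctr", "aes128-ctr"), mac=("hmac-sha1",))

if __name__ == "__main__":
    # Usage: python kexprobe.py <switch-ip> [port]; with no arguments it analyses the sample.
    if len(sys.argv) > 1:
        payload = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    else:
        payload = DEFAULT_OFFER
    print(weak_algorithms(parse_kexinit(payload)))
```

Run it against the switch once before and once after applying the `ip ssh server algorithm encryption` and `ip ssh server algorithm mac` lists; the second run should report empty lists for both keys. The only operational effect of removing algorithms is that a client supporting none of the remaining ones can no longer connect, so the probe is also a quick way to find out which algorithms an older management tool in your environment still depends on.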

Hello Julian,

How about the Cisco MDS series command?

Hello,

On a side note, you could create a menu that would allow users to configure only the encryption algorithms that you want to allow. So, effectively, a 'weak' algorithm could never be configured. Not sure how far that would comply with the audit, though...

Leftz (Level 4)

Hi, very interesting question. I would like to know which cipher is weak. I received a message which says the switch's cipher is weak. Its configuration shows nothing there with the command "show run | i ssh server". That means at least one of the ciphers is weak, but the question is that we do not know which one among these ciphers is weak, so we cannot just indicate the strong ones instead of the weak. Please see below. If all of them are strong, why does it say weak? Thank you

IDF1-Switch#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
Anything with 3DES or CBC is considered obsolete.
