As part of the security hardening of the SLX device, several configurations are supported from XCO. These configurations apply only to SLX versions 20.3.2 and above. Any change to the SSH server settings requires SSHD to be restarted, so every client connected via SSH has to reconnect.
The following configurations are applied to the SLX device during registration in XCO.
Setting | Default Value |
---|---|
SSHD MAC Algorithms | hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256 |
SSHD Key Exchange Algorithms | curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256 |
Cipher | non-cbc |
The following SLX command is for the SSH configuration on SLX devices:
```
SLX# config
Entering configuration mode terminal
SLX(config)# ssh server mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server key-exchange curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server cipher
SLX(config)# ssh server cipher non-cbc
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# exit
SLX# ssh-server restart
Warning: This operation will disconnect all active SSH sessions. Are you sure you want to restart the SSH server [y/n]? y
SSH server is going down for restart NOW !!
```
The following command shows the SSH configuration parameters on SLX:
```
SLX# show ssh server status
SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
SSH Server Rekey Volume: 1024
SSH Server Auth Tries: 6
SSH Server Login Timeout: 120
SSH Server Cipher: non-cbc
SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
VRF-Name: mgmt-vrf
Status: Enabled
VRF-Name: default-vrf
Status: Enabled
```
The following SLX command disables the Telnet server on mgmt-vrf:
```
SLX# config
Entering configuration mode terminal
SLX(config)# telnet server use-vrf mgmt-vrf shutdown
```
The following command shows the Telnet configuration on SLX:
```
SLX# show telnet server status
VRF-Name: default-vrf
Status: Enabled
VRF-Name: mgmt-vrf
Status: Disabled
```
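As an added example (not part of the SLX or XCO documentation), the check below parses the `show ssh server status` and `show telnet server status` output and reports anything that deviates from the baseline XCO applies: CBC ciphers, MAC or key-exchange algorithms outside the tables above, and a Telnet server that is still enabled on mgmt-vrf. The sample output is constructed from what this page shows, and the function names are this example's own choice.

```python
# Baseline XCO applies at registration (values from the settings tables above)
BASELINE_MACS = {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                 "hmac-sha2-512", "hmac-sha2-256"}
BASELINE_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org",
                "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
                "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"}

def parse_status(text):
    """Parse 'show ... server status' output into {key: value, 'vrfs': {vrf: status}}."""
    info, vrfs, current = {}, {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue  # echoed command line or blank line
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "VRF-Name":
            current = value
        elif key == "Status" and current:
            vrfs[current] = value  # Status line belongs to the preceding VRF-Name
        else:
            info[key] = value
    info["vrfs"] = vrfs
    return info

def hardening_findings(ssh_text, telnet_text):
    """Return deviations from the baseline; an empty list means compliant."""
    ssh, telnet = parse_status(ssh_text), parse_status(telnet_text)
    findings = []
    if ssh.get("SSH Server Cipher") != "non-cbc":
        findings.append("cipher: CBC ciphers still permitted")
    macs = set(ssh.get("SSH Server Mac", "").split(",")) - {""}
    kex = set(ssh.get("SSH Kex Exchange Algorithm", "").split(",")) - {""}
    findings += [f"mac not in baseline: {m}" for m in sorted(macs - BASELINE_MACS)]
    findings += [f"kex not in baseline: {k}" for k in sorted(kex - BASELINE_KEX)]
    if telnet["vrfs"].get("mgmt-vrf") != "Disabled":
        findings.append("telnet: server still enabled on mgmt-vrf")
    return findings

# Constructed sample output, mirroring the 'show' output on this page
SSH_STATUS = """SLX# show ssh server status
SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
SSH Server Cipher: non-cbc
SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
VRF-Name: mgmt-vrf
Status: Enabled
"""
TELNET_STATUS = "SLX# show telnet server status\nVRF-Name: mgmt-vrf\nStatus: Disabled\n"

if __name__ == "__main__":
    print(hardening_findings(SSH_STATUS, TELNET_STATUS) or "compliant")
```

Run against the page's own output, the check reports umac-128-etm@openssh.com, which the CLI example enables but the XCO default MAC list does not contain.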
The following password attributes are configured on SLX devices (applicable for versions above 20.3.1):
Setting | Default Value |
---|---|
Max Password Age | 90 |
Force Default Password Change | Disabled |
The following SLX command configures the password attributes on SLX devices:
```
SLX# config
Entering configuration mode terminal
SLX(config)# password-attributes max-password-age 365
SLX(config)# password-attributes force-default-password-change
```
The following command shows the password configuration on SLX:
```
SLX# show running-config password-attributes
password-attributes force-default-password-change
password-attributes max-password-age 365
```
The following SLX command configures TLS on SLX devices (applicable for versions above 20.3.2):
The minimum TLS version for the server SSL profile is set to 1.2.
```
SLX# config
Entering configuration mode terminal
SLX(config)# management-security
SLX(mgmt-security)# ssl-profile server
SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2
```
To view the configuration on SLX:
```
SLX# show running-config management-security ssl-profile server tls
management-security
 ssl-profile server
  tls min-version 1.2
 !
!
```