The following command displays the security settings that are configured on the SLX devices:
These settings are common across all devices registered on the XCO installation.
efa inventory device secure settings show
+--------------------------+---------------------------------------+
| NAME                     | VALUE                                 |
+--------------------------+---------------------------------------+
| Min-tls-version          | 1.2                                   |
+--------------------------+---------------------------------------+
| Mac-algorithm            | hmac-sha2-512-etm@openssh.com         |
|                          | hmac-sha2-256-etm@openssh.com         |
|                          | hmac-sha2-512                         |
|                          | hmac-sha2-256                         |
+--------------------------+---------------------------------------+
| Key-exchange-algorithm   | curve25519-sha256                     |
|                          | curve25519-sha256@libssh.org          |
|                          | diffie-hellman-group14-sha256         |
|                          | diffie-hellman-group16-sha512         |
|                          | diffie-hellman-group18-sha512         |
|                          | diffie-hellman-group-exchange-sha256  |
+--------------------------+---------------------------------------+
| Cipher                   | non-cbc                               |
+--------------------------+---------------------------------------+
| Telnet                   | Disable                               |
+--------------------------+---------------------------------------+
| Max-password-age         | 365                                   |
+--------------------------+---------------------------------------+
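The table above can be checked mechanically. The following is an added example, not part of the XCO documentation or tooling: a Python parser for the `show` table (including multi-line values) that reports deviations from a baseline. The function names, the baseline (taken from the values shown on this page) and the sample output are assumptions constructed for illustration.

```python
# Added example: audit `efa inventory device secure settings show` output against a baseline (assumed).
SAMPLE = """\
+------------------+-------------------------------+
| NAME             | VALUE                         |
+------------------+-------------------------------+
| Min-tls-version  | 1.1                           |
+------------------+-------------------------------+
| Mac-algorithm    | hmac-sha2-512-etm@openssh.com |
|                  | hmac-sha1                     |
+------------------+-------------------------------+
| Cipher           | non-cbc                       |
+------------------+-------------------------------+
| Telnet           | Enable                        |
+------------------+-------------------------------+
"""  # constructed output, not captured from a real XCO installation
ALLOWED = {"Mac-algorithm": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                             "hmac-sha2-512", "hmac-sha2-256"}}
EXACT = {"Cipher": "non-cbc", "Telnet": "Disable"}

def parse_settings(text):
    """Return {name: [values]}; a row with an empty NAME cell continues the previous setting."""
    settings, current = {}, None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not line.strip().startswith("|") or len(cells) != 2 or cells == ["NAME", "VALUE"]:
            continue  # skip borders, the header row and non-table text
        name, value = cells
        if name:
            current = name
            settings[current] = []
        if current and value:
            settings[current].append(value)
    return settings

def audit(settings):
    """Return a list of findings; an empty list means the settings match the baseline."""
    findings = []
    tls = (settings.get("Min-tls-version") or ["0"])[0]
    if tuple(int(p) for p in tls.split(".")) < (1, 2):
        findings.append(f"Min-tls-version {tls} is below 1.2")
    for name, want in EXACT.items():
        if settings.get(name) != [want]:
            findings.append(f"{name} is {settings.get(name)}, expected {want}")
    for name, allowed in ALLOWED.items():
        extra = sorted(set(settings.get(name, [])) - allowed)
        if extra:
            findings.append(f"{name} has values outside the baseline: {extra}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_settings(SAMPLE))))
```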
The following command updates a security setting applicable to the SLX devices:
efa inventory device secure settings update --min-tls-version 1.2
efa inventory device secure settings update --mac-algorithm hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
efa inventory device secure settings update --key-exchange-algorithm curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
efa inventory device secure settings update --telnet enable --cipher non-cbc --max-password-age 365
After updating any of the settings, you must manually apply those settings on the devices or fabric. These changes are not automatically updated on any device.
The following command resets the security setting to the default value on the SLX devices:
efa inventory device secure settings reset --telnet --cipher --max-password-age

--min-tls-version                 Reset minimum TLS version to the default value
--mac-algorithm                   Reset MAC Algorithms to the default values
--key-exchange-algorithm          Reset Key-Exchange Algorithms to the default values
--cipher                          Reset Ciphers to the default values
--telnet                          Reset telnet to the default value of disabled
--max-password-age                Reset the maximum number of days before password expiry to the default value
--force-default-password-change   Reset force a change in the default password to the default value
The following command enables or disables the security settings on the SLX devices:
If you do not want to configure any security hardening settings on the device, disable the secure settings before device registration.
$ efa inventory device secure settings disable
Device secure settings have been disabled.
--- Time Elapsed: 57.000421492s ---
Note
If you disable the security settings after device registration, no change is made on the device.