SLX Device Configuration

As part of security hardening of the SLX device, several configurations are supported from EFA. These configurations are applicable only for SLX versions 20.3.2 and above. Any change to the SSH server settings requires SSHD to be restarted, so any client connected via SSH must reconnect.

The following configurations are applied on the SLX device during registration in EFA.

  1. SSH server configuration. The SSH server restarts on the device after the SSH configuration is completed.

    Setting                       Default Value
    SSHD MAC Algorithms           hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    SSHD Key Exchange Algorithms  curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    Cipher                        non-cbc

    The following SLX command is for the SSH configuration on SLX devices:

    SLX# config
    Entering configuration mode terminal
    SLX(config)# ssh server mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
    % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
    SLX(config)# ssh server key-exchange curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
    SLX(config)# ssh server cipher
    SLX(config)# ssh server cipher non-cbc
    % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
    SLX(config)# exit
    SLX# ssh-server restart

    Warning: This operation will disconnect all active SSH sessions.

    Are you sure you want to restart the SSH server [y/n]? y
    SSH server is going down for restart NOW !!

  2. The following command shows the SSH configuration parameters on SLX:

    SLX# show ssh server status
    SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    SSH Server Rekey Volume: 1024
    SSH Server Auth Tries: 6
    SSH Server Login Timeout: 120
    SSH Server Cipher: non-cbc
    SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
    VRF-Name: mgmt-vrf	Status: Enabled
    VRF-Name: default-vrf	Status: Enabled
  3. The following SLX command disables the Telnet server on mgmt-vrf:

    SLX# config
    Entering configuration mode terminal
    SLX(config)# telnet server use-vrf mgmt-vrf shutdown
  4. The following command shows the Telnet configuration on SLX:

    SLX# show telnet server status
    VRF-Name: default-vrf	Status: Enabled
    VRF-Name: mgmt-vrf	Status: Disabled
  5. The following password attributes are applied on SLX devices (applicable for versions above 20.3.1):

    Setting                        Default Value
    Max Password Age               90
    Force Default Password Change  Disabled

    The following SLX command configures the password attributes on SLX devices:

    SLX# config
    Entering configuration mode terminal
    SLX(config)# password-attributes max-password-age 365
    SLX(config)# password-attributes force-default-password-change
  6. The following command shows the password configuration on SLX:

    SLX# show running-config password-attributes
    password-attributes force-default-password-change
    password-attributes max-password-age 365
  7. The following SLX command configures TLS on SLX devices (applicable for versions above 20.3.2). The minimum TLS version on the server is set to 1.2.

    SLX# config
    Entering configuration mode terminal
    SLX(config)# management-security
    SLX(mgmt-security)# ssl-profile server
    SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2

    The following command shows the TLS configuration on SLX:

    SLX# show running-config management-security ssl-profile server tls
    management-security
     ssl-profile server
      tls min-version 1.2
     !
    !

    • The configuration attributes described above are the default values that are available in EFA on installation.
    • The settings are 'enabled' by default. On device registration, the settings are applied on SLX based on the supported versions.
    • When you update the settings before device registration, the same values are applied on the device.
    • If the settings are changed after device registration, you must manually apply the settings on the specific devices.
    • On a device update, if there is any deviation, the AppState will be in 'cfg-refresh'.
    • When the device is unregistered from EFA, these settings are removed from the device.
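As an added compliance check (example code, not part of EFA or the SLX documentation), the following Python parses the text of `show ssh server status` and `show telnet server status` as printed above and reports deviations from the EFA default table; the sample output and field names are copied from the page, and the baseline sets are an assumption taken from that table.

```python
# EFA default values from the table above (the page's baseline, embedded here).
BASELINE_MACS = {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                 "hmac-sha2-512", "hmac-sha2-256"}
BASELINE_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org",
                "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
                "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"}

# Constructed sample input: the 'show' output exactly as printed on the page.
SAMPLE_SSH_STATUS = """SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
SSH Server Rekey Volume: 1024
SSH Server Auth Tries: 6
SSH Server Login Timeout: 120
SSH Server Cipher: non-cbc
SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
VRF-Name: mgmt-vrf\tStatus: Enabled
VRF-Name: default-vrf\tStatus: Enabled"""
SAMPLE_TELNET_STATUS = "VRF-Name: default-vrf\tStatus: Enabled\nVRF-Name: mgmt-vrf\tStatus: Disabled"

def parse_status(text):
    """Parse 'Key: value' lines into a dict; 'VRF-Name ... Status' rows go under 'vrfs'."""
    fields, vrfs = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "VRF-Name:" and parts[2] == "Status:":
            vrfs[parts[1]] = parts[3]            # tab-separated on the device; split() copes
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()  # 'SSH Server Mac :' has a space before ':'
    fields["vrfs"] = vrfs
    return fields

def check_ssh(text):
    """Return deviations from the EFA SSH defaults (an empty list means compliant)."""
    s, problems = parse_status(text), []
    have = {"mac": set(s.get("SSH Server Mac", "").split(",")),
            "kex": set(s.get("SSH Kex Exchange Algorithm", "").split(","))}
    for name, want in (("mac", BASELINE_MACS), ("kex", BASELINE_KEX)):
        if have[name] - want:   # algorithms enabled beyond the baseline
            problems.append(f"{name}: not in baseline: {sorted(have[name] - want)}")
        if want - have[name]:   # baseline algorithms that are switched off
            problems.append(f"{name}: missing: {sorted(want - have[name])}")
    if s.get("SSH Server Cipher") != "non-cbc":
        problems.append(f"cipher: expected non-cbc, got {s.get('SSH Server Cipher')!r}")
    return problems

def telnet_enabled_vrfs(text):
    """VRFs where the Telnet server is still enabled; mgmt-vrf should not be listed."""
    return sorted(v for v, st in parse_status(text)["vrfs"].items() if st == "Enabled")
```

Run against the page's own sample output, check_ssh reports the umac-128-etm@openssh.com MAC that the sample enables beyond the default table, and telnet_enabled_vrfs lists only default-vrf.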