SLX Device Configuration

As part of security hardening of the SLX device, several configurations are supported from EFA. These configurations are applicable only for the SLX versions 20.3.2 and above. Any SSH server settings change need SSHD to be restarted ,and hence any client connected via SSH needs to reconnect..

The following configuration are applied on the SLX device during registration in EFA.

SSH Server restarts on the device after the SSH configuration is completed.


Setting	Default Value
SSHD MAC Algorithms	`hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256`
SSHD Key Exchange Algorithms	`curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256`
Cipher	`non-cbc`

The following SLX command is for the SSH configuration on SLX devices:

SLX# config
Entering configuration mode terminal
SLX(config)# ssh server mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server key-exchange curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server cipher 
SLX(config)# ssh server cipher non-cbc
% Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# exit  
SLX# ssh-server restart 

Warning: This operation will disconnect all active SSH sessions.

Are you sure you want to restart the SSH server [y/n]? y
SSH server is going down for restart NOW !!

The following command shows the SSH configuration parameters on SLX:

SLX# show ssh server status 
SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
SSH Server Rekey Volume: 1024
SSH Server Auth Tries: 6
SSH Server Login Timeout: 120
SSH Server Cipher: non-cbc
SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
VRF-Name: mgmt-vrf	Status: Enabled
VRF-Name: default-vrf	Status: Enabled

The following SLX command disables the Telnet server on mgmt-vrf:

SLX# config
Entering configuration mode terminal
SLX(config)# telnet server use-vrf mgmt-vrf shutdown

The following command shows the Telnet configuration on SLX:

SLX# show telnet server status
VRF-Name: default-vrf	Status: Enabled
VRF-Name: mgmt-vrf	Status: Disabled

The following attributes on the SLX devices (applicable for versions above 20.3.1) are applicable for password configuration:


Setting	Default Value
Max Password Age	90
Force Default Password Change	Disabled

The following SLX command configures the password attributes on SLX devices:

SLX# config
Entering configuration mode terminal
SLX(config)# password-attributes max-password-age 365
SLX(config)# password-attributes force-default-password-change

The following command shows the password configuration on SLX:

SLX# show running-config password-attributes                              
password-attributes force-default-password-change
password-attributes max-password-age 365

The following SLX command configures TLS on SLX devices: (applicable for versions above 20.3.2):

The minimum version of TLS Configuration on the server is set to 1.2.
```
SLX# config
Entering configuration mode terminal
SLX(config)# management-security 
SLX(mgmt-security)# ssl-profile server 
SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2
To view the configuration on SLX,
SLX# show running-config management-security ssl-profile server tls            
management-security
 ssl-profile server
  tls min-version 1.2
 !
!
```
- The configutration attributes described above are the default values that are available in EFA on installation.
- The settings are ‘enabled‘ by default. On device registration, the settings are applied on SLX based on the supported versions.
- When you update the settings before device registration, the same values are applied on the device.
- If the settings are changed after device registration, you must manually apply the settings on the specific devices.
- On a device update, if there is any deviation, the AppState will be in ‘cfg-refresh'.
- When the device is unregistered from EFA, these settings are removed from the device.

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

SLX Device Configuration