SLX Device Configuration
As part of security hardening of the SLX device, several configurations are supported from EFA. These configurations are applicable only for SLX versions 20.3.2 and above. Any change to the SSH server settings requires SSHD to be restarted, so any client connected to the device via SSH must reconnect afterwards.
The following configuration is applied on the SLX device during registration in EFA.
- The SSH server restarts on the device after the SSH configuration is completed.
Setting                        Default Value
SSHD MAC Algorithms            hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
SSHD Key Exchange Algorithms   curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
Cipher                         non-cbc
- The following SLX command sequence applies the SSH configuration on SLX devices. Note that this example lists umac-128-etm@openssh.com among the MACs in addition to the four default MACs in the table above; use show ssh server status to confirm which set is active on a given device.

SLX# config
Entering configuration mode terminal
SLX(config)# ssh server mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
% Info: Configuration is successful. For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server key-exchange curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
% Info: Configuration is successful. For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# ssh server cipher non-cbc
% Info: Configuration is successful. For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload.
SLX(config)# exit
SLX# ssh-server restart
Warning: This operation will disconnect all active SSH sessions. Are you sure you want to restart the SSH server [y/n]? y
SSH server is going down for restart NOW !!
- The following command shows the SSH configuration parameters on SLX:

SLX# show ssh server status
SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
SSH Server Rekey Volume: 1024
SSH Server Auth Tries: 6
SSH Server Login Timeout: 120
SSH Server Cipher: non-cbc
SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
VRF-Name: mgmt-vrf
Status: Enabled
VRF-Name: default-vrf
Status: Enabled
- The following SLX command disables the Telnet server on mgmt-vrf:

SLX# config
Entering configuration mode terminal
SLX(config)# telnet server use-vrf mgmt-vrf shutdown
- The following command shows the Telnet configuration on SLX. Note that only mgmt-vrf is shut down; Telnet on default-vrf remains Enabled unless you disable it separately.

SLX# show telnet server status
VRF-Name: default-vrf
Status: Enabled
VRF-Name: mgmt-vrf
Status: Disabled
- The following attributes on the SLX devices (applicable for versions above 20.3.1) are applicable for password configuration:

Setting                         Default Value
Max Password Age                90
Force Default Password Change   Disabled

The following SLX command configures the password attributes on SLX devices. The example sets a 365-day maximum password age and enables the forced default-password change, both of which differ from the defaults above:

SLX# config
Entering configuration mode terminal
SLX(config)# password-attributes max-password-age 365
SLX(config)# password-attributes force-default-password-change
- The following command shows the password configuration on SLX:

SLX# show running-config password-attributes
password-attributes force-default-password-change
password-attributes max-password-age 365
- The following SLX command configures TLS on SLX devices (applicable for versions above 20.3.2). The minimum TLS version on the server is set to 1.2, so TLS 1.0 and 1.1 clients are refused.

SLX# config
Entering configuration mode terminal
SLX(config)# management-security
SLX(mgmt-security)# ssl-profile server
SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2

To view the configuration on SLX:

SLX# show running-config management-security ssl-profile server tls
management-security
 ssl-profile server
  tls min-version 1.2
 !
!
- The configuration attributes described above are the default values that are available in EFA on installation.
- The settings are 'enabled' by default. On device registration, the settings are applied on SLX based on the supported versions.
- When you update the settings before device registration, the updated values are applied on the device.
- If the settings are changed after device registration, you must manually apply the settings on the specific devices.
- On a device update, if there is any deviation, the AppState will be in 'cfg-refresh'.
- When the device is unregistered from EFA, these settings are removed from the device.
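As an added example that is not part of the EFA or SLX documentation, the following Python script parses the four show-command outputs above (show ssh server status, show telnet server status, show running-config password-attributes, and the ssl-profile running-config) and reports any deviation from the EFA default values in the tables above, which is the kind of drift that leaves the AppState in 'cfg-refresh'. The expected values are hard-coded from this page rather than read from EFA, the field labels are those shown on this page, and the sample outputs are constructed from the page's transcripts (one matching the defaults, one reproducing the page's own example with umac-128-etm@openssh.com and a 365-day password age).

```python
"""Offline drift check of SLX hardening state against the EFA defaults on this page."""
import re

# EFA default hardening values as listed on this page. They are hard-coded
# here as a stand-in for the settings EFA holds; nothing is fetched from EFA.
EFA_DEFAULTS = {
    "kex": [
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
    ],
    "mac": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512", "hmac-sha2-256",
    ],
    "cipher": "non-cbc",
    "telnet_disabled_vrfs": ["mgmt-vrf"],  # EFA shuts Telnet only on mgmt-vrf
    "max_password_age": 90,
    "force_default_password_change": False,
    "tls_min_version": (1, 2),
}

_VRF_RE = re.compile(r"VRF-Name:\s*(\S+)\s+Status:\s*(\S+)")


def _field(label, text):
    """Value after 'Label :' up to the next whitespace (each value is one token)."""
    m = re.search(re.escape(label) + r"\s*:\s*(\S+)", text)
    return m.group(1) if m else ""


def _list(label, text):
    """Comma-separated field -> list, dropping empties when the field is absent."""
    return [a for a in _field(label, text).split(",") if a]


def parse_ssh_status(text):
    """Parse 'show ssh server status' (one-line or multi-line form)."""
    return {
        "kex": _list("SSH Kex Exchange Algorithm", text),
        "mac": _list("SSH Server Mac", text),
        "cipher": _field("SSH Server Cipher", text),
        "vrfs": dict(_VRF_RE.findall(text)),
    }


def parse_telnet_status(text):
    """Parse 'show telnet server status' into {vrf: 'Enabled'|'Disabled'}."""
    return dict(_VRF_RE.findall(text))


def parse_password_attributes(text):
    """Parse 'show running-config password-attributes'."""
    m = re.search(r"max-password-age\s+(\d+)", text)
    return {
        "max_password_age": int(m.group(1)) if m else None,
        "force_default_password_change": "force-default-password-change" in text,
    }


def parse_tls_min_version(text):
    """Parse 'tls min-version X.Y' from the ssl-profile config; None if unset."""
    m = re.search(r"tls min-version\s+(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(ssh, telnet, pw, tls, expected=EFA_DEFAULTS):
    """Return a list of deviations; an empty list means the device matches EFA."""
    findings = []
    for key in ("kex", "mac"):
        have, want = set(ssh[key]), set(expected[key])
        if have - want:
            findings.append(f"{key}: not in EFA list: {sorted(have - want)}")
        if want - have:
            findings.append(f"{key}: missing on device: {sorted(want - have)}")
    if ssh["cipher"] != expected["cipher"]:
        findings.append(f"cipher: device '{ssh['cipher']}' != EFA '{expected['cipher']}'")
    for vrf in expected["telnet_disabled_vrfs"]:
        if telnet.get(vrf) != "Disabled":
            findings.append(f"telnet: {vrf} is {telnet.get(vrf, 'absent')}, EFA expects Disabled")
    if pw["max_password_age"] != expected["max_password_age"]:
        findings.append(f"max-password-age: device {pw['max_password_age']} != EFA {expected['max_password_age']}")
    if pw["force_default_password_change"] != expected["force_default_password_change"]:
        findings.append(f"force-default-password-change: device {pw['force_default_password_change']} "
                        f"!= EFA {expected['force_default_password_change']}")
    if tls is None or tls < expected["tls_min_version"]:
        findings.append(f"tls min-version: device {tls} below EFA {expected['tls_min_version']}")
    return findings


def audit_device(ssh_text, telnet_text, pw_text, tls_text, expected=EFA_DEFAULTS):
    """Raw show-command output in, findings out."""
    return audit(parse_ssh_status(ssh_text), parse_telnet_status(telnet_text),
                 parse_password_attributes(pw_text), parse_tls_min_version(tls_text), expected)


# Constructed samples in the one-line form shown on this page.
KEX = ("curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,"
       "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256")
SSH_DEFAULT = (f"SSH Kex Exchange Algorithm: {KEX} SSH Server Rekey Volume: 1024 SSH Server Auth Tries: 6 "
               "SSH Server Login Timeout: 120 SSH Server Cipher: non-cbc SSH Server Mac : "
               "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 "
               "VRF-Name: mgmt-vrf Status: Enabled VRF-Name: default-vrf Status: Enabled")
# The page's own status output adds umac-128-etm@openssh.com to the default MAC list.
SSH_PAGE = SSH_DEFAULT.replace("hmac-sha2-512,hmac-sha2-256",
                               "umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512")
TELNET = "VRF-Name: default-vrf Status: Enabled VRF-Name: mgmt-vrf Status: Disabled"
PW_DEFAULT = "password-attributes max-password-age 90"
PW_PAGE = "password-attributes force-default-password-change password-attributes max-password-age 365"
TLS = "management-security ssl-profile server tls min-version 1.2"

if __name__ == "__main__":
    for name, args in (("default", (SSH_DEFAULT, TELNET, PW_DEFAULT, TLS)),
                       ("page-example", (SSH_PAGE, TELNET, PW_PAGE, TLS))):
        print(name, audit_device(*args) or "matches EFA defaults")
```

Feed it the raw text captured from the device; an empty result means the device matches the EFA settings, and the `expected` argument can be replaced with the values you actually configured in EFA. Because the page's example MAC list includes umac-128-etm@openssh.com while the default table does not, the second sample reports it as an algorithm outside the EFA list rather than as a weak algorithm; whether that counts as a problem is a policy decision, not something the page settles.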