API Guide

!
neighbor 1.1.1.1
password 9 9ee88a6225a049667a2e5294d8b0808c2ac2141a2930c06e431bf40cfcf685b1
....
Configure OSPF authentication if OSPF is used
Rationale: Configure OSPF, and secure the session with a password on both OSPF peers.
Configuration:
OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 password
OS10(conf-if-eth1/1/1)# end
OS10# write memory
View which OSPF neighbor authentication is enabled
Use the following command to view which OSPF neighbor authentication is enabled on the system:
OS10# show running-configuration ospf
!
ip ospf 100 area 0.0.0.0
ip ospf message-digest-key 2 md5 sample12345
...
Disable proxy ARP
Rationale: Proxy ARP is a technique that network devices use to acquire the MAC address of a device that is not present on
the network on behalf of other devices. DoS attacks are possible with misconfigured network devices.
Configuration:
OS10(config)# interface interface-name
OS10(conf-if-eth1/1/1)# no ip proxy-arp
OS10(conf-if-eth1/1/1)# end
OS10# write memory
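The two interface-level settings above can be checked offline against a saved running configuration. The following Python audit is an added example, not part of the Dell guide: it flags interfaces that run OSPF without a message-digest key and interfaces where proxy ARP is on. It assumes interface stanzas begin with an `interface` line and end at `!`, and that an interface with proxy ARP enabled shows an `ip proxy-arp` line; the sample configuration is constructed.

```python
import re

# Constructed sample in the layout of `show running-configuration` output;
# interface names and key strings are made up for this example.
SAMPLE_CONFIG = """\
!
interface ethernet1/1/1
 no shutdown
 ip ospf 100 area 0.0.0.0
 ip ospf message-digest-key 2 md5 sample12345
!
interface ethernet1/1/2
 ip ospf 100 area 0.0.0.0
 ip proxy-arp
!
interface ethernet1/1/3
 no ip proxy-arp
!
"""

def split_interfaces(config):
    """Return {interface-name: [stanza lines]} from running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None  # "!" or a blank line closes the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit(config):
    """Return sorted (interface, finding) tuples for the two checks."""
    findings = []
    for name, lines in split_interfaces(config).items():
        runs_ospf = any(re.match(r"ip ospf \d+ area ", l) for l in lines)
        has_key = any(re.match(r"ip ospf message-digest-key \d+ md5 \S+", l) for l in lines)
        if runs_ospf and not has_key:
            findings.append((name, "OSPF without message-digest-key"))
        if "ip proxy-arp" in lines:  # exact match, so "no ip proxy-arp" passes
            findings.append((name, "proxy ARP enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
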
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. Both
the switch and the server exchange a public key in a signed X.509v3 certificate issued by a certificate authority (CA) to
authenticate each other. The certificate authority uses its private key to sign host certificates.
Generate a certificate signing request and private key
Rationale: To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a
public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the
trustworthiness of network devices.
Configuration:
Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy
it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory,
or use the private option to store the key file in a private hidden location in the internal file system that is not visible to
users.
OS10# crypto cert generate request cert-file cert-path key-file {private | keypath}
country 2-letter code state state locality city organization organization-name
orgunit unit-name cname common-name email email-address validity days length length
[altname alt-name]
request: Create a certificate signing request to copy to a CA.
cert-file cert-path: (Optional) Enter the local path where the self-signed certificate or CSR is stored. You can
enter a full path or a relative path; for example, flash://certs/s4810-001-request.csr or
usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you to enter the
remaining fields of the certificate signing request. Export the CSR to a CA using the copy command.
OS10 security best practices