Saturday 26 December 2020

Best Security Practices for Remote Access (Secure Shell) in Cisco and Juniper Devices


1. Remote access should be via SSH only, with telnet disabled
IOS-XR:
no telnet ipv4 server

Nexus OS:
no feature telnet
feature ssh
feature tacacs+

JunOS:
delete system services telnet


2. SSH should be version 2 or higher. Do not run v1.
IOS-XR:
ssh server v2
ssh server vrf management

Nexus OS:
ssh server v2
ssh server vrf management
ssh timeout 60

JunOS:
set system services ssh protocol-version v2

3. Configure SSH logging 

IOS-XR:
ssh server logging

4. Configure Login Banner

IOS-XR:
banner login ^C

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this 
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties. 
All activities performed on this device are logged and monitored.

*************************************************************************

^C

Nexus OS:

banner motd ^

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this 
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties. 
All activities performed on this device are logged and monitored.

*************************************************************************


^

JunOS:

set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice. Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"

5. Configure timestamps, login authentication, exec and session timeouts, SSH-only transport input, an access-class ACL that permits only authorized source IPs, and a local secret password as fallback in case the TACACS/RADIUS servers are down

IOS-XR:

line default
 secret 5 $1$dAr.$win1P9yOuG1CSvO6v8tAL4
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 session-timeout 5
 transport input ssh
 

ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log
 

Nexus OS:
interface mgmt0
  ip access-group SSH-ACCESS in
  vrf member management
  ip address 192.168.10.100/24

ip access-list SSH-ACCESS
  10 permit tcp 192.168.1.100/32 any eq 22
  20 permit tcp 192.168.1.101/32 any eq 22
  30 deny ip any any log

line vty
  exec-timeout 5
  access-class SSH-ACCESS in

6. SSH inactivity timeout should be configured
IOS-XR:
ssh timeout 60

7. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS/RADIUS servers.

IOS-XR:
aaa authorization exec default group TACACS group tacacs+ none
aaa authorization commands default group TACACS group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group TACACS group tacacs+ local

aaa group server tacacs+ TACACS
 vrf management
 server-private 192.168.1.111 port 49
  key 7 143413081E1E0B203F3F213A

Nexus OS:

aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs

tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 192.168.1.111 key 7 "enc_ryptedkey"
tacacs+ commit

JunOS:

set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set system tacplus-server 192.168.1.111 secret "$9$Gq.5WLGi.56/veLHvYJZjkmTGDLN4oWLXV"
set system tacplus-server 192.168.1.111 timeout 30
set system tacplus-server 192.168.1.111 single-connection
set system tacplus-server 192.168.1.111 source-address 192.168.1.2

set system accounting destination tacplus server 192.168.1.111 secret "$9$-4dHm8XUGiqPQT/9M8Xxb2Z2aZGi.mT"
set system accounting destination tacplus server 192.168.1.111 single-connection
set system accounting destination tacplus server 192.168.1.111 source-address 192.168.1.2

For more information on the TACACS+ AAA configuration, refer to https://mynetworkbio.blogspot.com/2019/08/tacacs-aaa-configuration-in-juniper-and.html

8. Configure control-plane management for SSH if possible

IOS-XR:

control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.168.1.100
     address ipv4 192.168.1.101


JunOS:

set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then count SSH
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept

set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
set policy-options prefix-list ALLOWED-IP 192.168.1.101/32
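The eight items above are easy to apply once and hard to keep true across a fleet, so the natural defender's tool is an audit that reads a saved running-config and reports which items are missing. The following is an added example, not code from the original post: SAMPLE_CONFIG is a constructed IOS-XR config that satisfies most of the checklist but still has telnet enabled and lacks the item 8 control-plane filter; the check names, parse_blocks() and audit() are this example's own and cover only the IOS-XR form of items 1 to 8.

```python
"""Audit an IOS-XR configuration against the SSH checklist above.

Added example, not code from the original post. SAMPLE_CONFIG is constructed
for illustration; the check names, parse_blocks() and audit() are this
example's own and cover the IOS-XR form of items 1 to 8."""
import re

# Constructed sample: satisfies most of the checklist, but telnet is still on
# and the control-plane peer filter (item 8) is missing.
SAMPLE_CONFIG = """\
telnet ipv4 server max-servers 5
ssh server v2
ssh server vrf management
ssh server logging
ssh timeout 60
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
^C
line default
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 session-timeout 5
 transport input ssh
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log
aaa authentication login default group TACACS group tacacs+ local
"""


def parse_blocks(config):
    """Split a config into {top-level line: [stripped indented child lines]}.

    Nested children at any depth are flattened under their top-level parent,
    which is enough for the presence checks below."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config):
    """Return {check_name: passed} for each checklist item."""
    blocks = parse_blocks(config)
    tops = set(blocks)
    line_default = blocks.get("line default", [])
    acl_name = None
    for child in line_default:
        m = re.match(r"access-class ingress (\S+)", child)
        if m:
            acl_name = m.group(1)
    acl = blocks.get(f"ipv4 access-list {acl_name}", []) if acl_name else []
    return {
        # 1. no telnet server statement may be present
        "telnet_disabled": not any(t.startswith("telnet ") and " server" in t for t in tops),
        # 2. SSHv2 only
        "ssh_v2": "ssh server v2" in tops,
        # 3. SSH logging
        "ssh_logging": "ssh server logging" in tops,
        # 4. login banner present
        "login_banner": any(t.startswith("banner login") for t in tops),
        # 5. line defaults: SSH-only transport, exec timeout, ACL with a final deny
        "ssh_only_transport": "transport input ssh" in line_default,
        "exec_timeout": any(c.startswith("exec-timeout") for c in line_default),
        "access_class": acl_name is not None,
        "acl_final_deny": any(re.match(r"\d+ deny .*any any", c) for c in acl),
        # 6. ssh timeout
        "ssh_timeout": any(t.startswith("ssh timeout") for t in tops),
        # 7. centralized AAA for login
        "aaa_tacacs_login": any(
            t.startswith("aaa authentication login") and "tacacs" in t for t in tops),
        # 8. control-plane management filter for SSH peers
        "control_plane_ssh_peer": "allow SSH peer" in blocks.get("control-plane", []),
    }


def failed_checks(config):
    """Sorted names of the checklist items the config fails."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against the constructed sample it reports telnet_disabled and control_plane_ssh_peer as FAIL and everything else as PASS. The checks are presence tests on normalized lines, so they are deliberately strict: a `transport input ssh telnet` line would not match item 5, which is the right failure direction for an audit.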

Sample IS-IS Configuration in Cisco IOS-XR, IOS and Nexus OS


Fig.1


IOS-XR

Configure Loopback

interface Loopback0
 ipv4 address 172.16.2.1 255.255.255.255
 ipv6 address fdfe:abcd:ef12:0:172:16:2:1/128
 ipv6 enable
 

Configure P2P IP 

interface Gi0/0/0/0
 description Connection to IOS Fa0/0
 ipv4 address 172.17.0.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 address fdfe:ab12:cd34:a00:1::/127
 ipv6 enable
 ipv6 unreachables disable
 load-interval 30
 dampening

interface Gi0/0/0/1
 description Connection to NX-OS E1/1
 ipv4 address 172.18.0.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 address fdfe:ab12:cd34:a00:2::/127
 ipv6 enable
 ipv6 unreachables disable
 load-interval 30
 dampening


Configure IS-IS

router isis ABC
 is-type level-2-only
 net 49.0000.1720.1600.2001.00
 nsf ietf
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide
  maximum-paths 8
 address-family ipv6 unicast
  metric-style wide
  maximum-paths 8
 

 interface Loopback0
  passive
  address-family ipv4 unicast
  address-family ipv6 unicast
 

 interface Gi0/0/0/0
  point-to-point
  address-family ipv4 unicast
  address-family ipv6 unicast

 interface Gi0/0/0/1
  point-to-point
  address-family ipv4 unicast
  address-family ipv6 unicast

IOS

Configure Loopback

interface Loopback0
 ip address 172.16.2.2 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address fdfe:abcd:ef12:0:172:16:2:2/128
 ipv6 enable
 no ipv6 redirects

Configure P2P IP

interface Fa0/0
 description Connection to IOS-XR Gi0/0/0/0
 dampening
 ip address 172.17.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip router isis ABC
 load-interval 30
 ipv6 address fdfe:ab12:cd34:a00:1::1/127
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 ipv6 router isis ABC

Configure IS-IS

router isis ABC
 net 49.0000.1720.1600.2002.00
 metric-style wide
 set-overload-bit on-startup 20
 log-adjacency-changes
 nsf ietf
 passive-interface default
 no passive-interface Fa0/0

 address-family ipv6
  multi-topology
 exit-address-family


NX-OS

Configure P2P IP

interface Eth1/1
  description Connection to IOS-XR Gi0/0/0/1
  no cdp enable
  no ip redirects
  ip address 172.18.0.2/30
  ip verify unicast source reachable-via any rx
  ipv6 address fdfe:ab12:cd34:a00:2::1/127
  ipv6 verify unicast source reachable-via rx
  no ipv6 redirects
  ip router isis ABC
  ipv6 router isis ABC
  isis network point-to-point
  no isis passive-interface level-2
  no shutdown

router isis ABC
  net 49.0000.1720.1600.2003.00
  is-type level-2
  metric-style transition
  set-overload-bit on-startup 20
  log-adjacency-changes
  address-family ipv4 unicast
  address-family ipv6 unicast
    multi-topology transition
  passive-interface default level-2

VERIFICATION

IOS-XR:

RP/0/RP0/CPU0:IOS-XR#show isis adjacency | i IOS
Wed Dec 23 14:22:14.273 SST
IOS           Gi0/0/0/0       *PtoP*        Up    27   1y07w    Yes Up   Up
NX-OS     Gi0/0/0/1       *PtoP*        Up    27   1y06w    Yes Up   Up

IOS:
IOS#show isis neighbors

Tag ABC:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
IOS-XR        L2   Te0/3/0         172.17.0.2          UP    28       00


NX-OS:

NX-OS# show isis adjacency
IS-IS process: ABC VRF: default
IS-IS adjacency database:
Legend: '!': No AF level connectivity in given topology
System ID       SNPA            Level  State  Hold Time  Interface
IOS-XR        N/A             2      UP     00:00:22   Ethernet1/1

Wednesday 16 December 2020

Troubleshooting (Debugging) BGP in Juniper using Traceoptions


The "traceoptions" statement in Junos lets you debug BGP protocol issues. If a BGP peering does not come up, you can enable "traceoptions" to understand more about the cause.


1. Configure "traceoptions" and name the log as debug-bgp

set protocols bgp group BGP-GROUP1 traceoptions file debug-bgp
set protocols bgp group BGP-GROUP1 traceoptions file size 1m
set protocols bgp group BGP-GROUP1 traceoptions file files 2
set protocols bgp group BGP-GROUP1 traceoptions flag all

commit

where:
max trace file size = 1m
max trace files = 2
flag all = trace everything


It will look something like this:

user1@QFX-re0> show configuration protocols bgp group BGP-GROUP1

type external;
traceoptions {
    file debug-bgp size 1m files 2;
    flag all;

2. View the trace file to verify

user1@QFX-re0> file list /var/log/debug-bgp
/var/log/debug-bgp


3. View the contents

user1@QFX-re0> file show /var/log/debug-bgp
Dec 16 13:37:36 trace_on: Tracing to "/var/log/debug-bgp" started

4. Monitor the log 
user1@QFX-re0> monitor start debug-bgp

[SAMPLE OUTPUT]
Dec 16 14:02:13.411153 bgp_connect_start: peer 192.168.10.200 (External AS 65510)
Dec 16 14:02:13.411158 bgp_event: peer 192.168.10.200 (External AS 65510) old state Active event ConnectRetry new state Connect
Dec 16 14:02:13.411355 task_get_socket: domain AF_INET  type SOCK_STREAM  protocol 0  socket 99
Dec 16 14:02:13.411370 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option RecvBuffer(0) value 16384
Dec 16 14:02:13.411378 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option SendBuffer(1) value 16384
Dec 16 14:02:13.411381 task_set_socket: task BGP_65510_65520.192.168.10.200 socket 99
Dec 16 14:02:13.411396 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option NonBlocking(8) value 1
Dec 16 14:02:13.411404 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option ReUsePort(38) value 1
Dec 16 14:02:13.411474 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option PathMTUDiscovery(26) value 0
Dec 16 14:02:13.411484 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option TOS(16) value 192
Dec 16 14:02:13.411493 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option DontRoute(5) value 1
Dec 16 14:02:13.411499 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option IifRestrict(36) value 1
Dec 16 14:02:13.411506 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option TTL(15) value 1
Dec 16 14:02:13.411518 Eval BFD turn-on, currently off for peer 192.168.10.200 (External AS 65510)(fl:)instance master (kern-id 0)
Dec 16 14:02:13.411595 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option TcpAggressiveTransmission(59) value 0
Dec 16 14:02:13.411608 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option EnableTcpNoDelay(63) value 0
Dec 16 14:02:13.411691 task_timer_reset: reset BGP_65510_65520.192.168.10.200_Connect
Dec 16 14:02:13.411698 task_timer_set_oneshot_latest: timer BGP_65510_65520.192.168.10.200_Connect interval set to 2:28


5. Stop monitoring using this command
user1@QFX-re0> monitor stop

6. Deactivate traceoptions if finished
user1@QFX-re0> deactivate protocols bgp group BGP-GROUP1 traceoptions

user1@QFX-re0> show configuration protocols bgp group BGP-GROUP1
type external;
inactive: traceoptions {
    file debug-bgp size 1m files 2;
    flag all;
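The trace above is dense, but two things in it answer most "peering does not come up" questions: the bgp_event lines that record every FSM transition (here Active, ConnectRetry, Connect) and the task_set_option_internal lines that show how the TCP socket was set up (TTL 1, the single-hop EBGP default). The following is an added example, not code from the original post: PAGE_LINES are copied from the sample output above, CONSTRUCTED_LINE is made up here to show the FSM dropping back to Active (its event name is illustrative), and the regexes and functions are this example's own.

```python
"""Parse Junos BGP traceoptions output into peer state transitions.

Added example, not code from the original post. PAGE_LINES are copied from
the sample trace above; CONSTRUCTED_LINE is made up to show a peer falling
back to Active (its event name is illustrative). Regexes and functions are
this example's own."""
import re

PAGE_LINES = """\
Dec 16 14:02:13.411153 bgp_connect_start: peer 192.168.10.200 (External AS 65510)
Dec 16 14:02:13.411158 bgp_event: peer 192.168.10.200 (External AS 65510) old state Active event ConnectRetry new state Connect
Dec 16 14:02:13.411370 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option RecvBuffer(0) value 16384
Dec 16 14:02:13.411484 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option TOS(16) value 192
Dec 16 14:02:13.411506 task_set_option_internal: task BGP_65510_65520.192.168.10.200 socket 99 option TTL(15) value 1
Dec 16 14:02:13.411698 task_timer_set_oneshot_latest: timer BGP_65510_65520.192.168.10.200_Connect interval set to 2:28
"""
# Constructed line: the TCP connect fails and the FSM drops back to Active.
CONSTRUCTED_LINE = ("Dec 16 14:04:41.512001 bgp_event: peer 192.168.10.200 (External AS 65510) "
                    "old state Connect event ConnectFail new state Active\n")
SAMPLE_TRACE = PAGE_LINES + CONSTRUCTED_LINE

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) bgp_event: peer (?P<peer>\S+) "
    r"\((?P<kind>\w+) AS (?P<asn>\d+)\) old state (?P<old>\w+) event (?P<event>\w+) "
    r"new state (?P<new>\w+)$")
OPTION_RE = re.compile(
    r"task_set_option_internal: task (?P<task>\S+) socket (?P<sock>\d+) "
    r"option (?P<name>\w+)\((?P<num>\d+)\) value (?P<value>\d+)")


def parse_events(trace):
    """One dict per bgp_event line: ts, peer, kind, asn, old, event, new."""
    events = []
    for line in trace.splitlines():
        m = EVENT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["asn"] = int(rec["asn"])
            events.append(rec)
    return events


def socket_options(trace):
    """Options rpd set on the peer's TCP socket, name -> value.

    TTL 1 is the single-hop EBGP default; a peer that is not directly
    connected cannot be reached with it, and the trace shows this without
    a packet capture."""
    opts = {}
    for line in trace.splitlines():
        m = OPTION_RE.search(line)
        if m:
            opts[m.group("name")] = int(m.group("value"))
    return opts


def stuck_peers(trace):
    """Peers whose last recorded state is not Established, with that state."""
    last = {}
    for e in parse_events(trace):
        last[e["peer"]] = e["new"]
    return {peer: state for peer, state in last.items() if state != "Established"}


if __name__ == "__main__":
    for e in parse_events(SAMPLE_TRACE):
        print(f"{e['ts']} {e['peer']} AS{e['asn']}: {e['old']} --{e['event']}--> {e['new']}")
    print("socket options:", socket_options(SAMPLE_TRACE))
    print("not established:", stuck_peers(SAMPLE_TRACE))
```

Feed it the contents of /var/log/debug-bgp and the transition list shows where the session stalls (Active/Connect bouncing means TCP never completes, OpenSent/OpenConfirm means the OPEN is being rejected), while the socket options confirm the TTL and TOS the daemon actually used.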

Friday 11 December 2020

IPv4 and IPv6 Static Route Configuration in Juniper


Configuration:

IPv4:

Route the block 1.1.1.0/24 to next hop 2.2.2.1 with metric 255

user@MX-re0>configure
#set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1
#set routing-options static route 1.1.1.0/24 metric 255

Optional: Set comment using annotate command

#edit routing-options static
#annotate route  1.1.1.0/24  "/* STATIC ROUTE IPv4*/"

Commit
#commit

It will look something like this:

user@MX-re0> show configuration routing-options static
/* STATIC ROUTE IPv4*/
route 1.1.1.0/24  {
    next-hop 2.2.2.1;
    metric 255;

IPv6:

Route the block 2000:2000:2000::/56 to next hop 2006:3006:1:234:5:6:78:90ab with metric 255

user@MX-re0>configure
#set routing-options rib inet6.0 static route 2000:2000:2000::/56 next-hop 2006:3006:1:234:5:6:78:90ab
#set routing-options rib inet6.0 static route 2000:2000:2000::/56  metric 255

Optional: Set comment using annotate command

#edit routing-options rib inet6.0 static
#annotate route  2000:2000:2000::/56 "/* STATIC ROUTE IPv6*/"


It will look something like this:

user@MX-re0> show configuration routing-options rib inet6.0

    /*  STATIC ROUTE IPv6 */
    route 2000:2000:2000::/56 {
        next-hop 2006:3006:1:234:5:6:78:90ab;
        metric 255;


Verification:

user@MX-re0> show route table inet.0 | match static
1.1.1.0/24     *[Static/5] 03:05:57, metric 255

user@MX-re0> show route table inet6.0 | match static
2000:2000:2000::/56*[Static/5] 00:59:37, metric 255