
Cisco SD-WAN Configure Security Parameters


Configure Security Parameters

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component name changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all component brand name changes. While the transition to the new names is in progress, some inconsistencies may remain in the documentation set because the user interface of the software product is being updated in phases.

This section describes how to change security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.

  • Configure Control Plane Security Parameters
  • Configure Data Plane Security Parameters
  • Configure IKE-Enabled IPsec Tunnels
  • Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Configure Control Plane Security Parameters

By default, the control plane uses DTLS as the protocol that provides privacy on all of its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers.

You configure the control plane tunnel protocol on the Cisco SD-WAN Controller:

vSmart(config)# security control protocol tls

With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be carried over UDP.

In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of them, all control plane tunnels from that controller to the other controllers use TLS. Put another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS only on the control plane tunnel to that one controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all of their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.

By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:

vSmart(config)# security control tls-port number

The port can be a number from 1025 through 65535. A non-default port must also be permitted through any firewall or NAT in front of the controller.

To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:

vSmart-2# show control connections

[Figure 1: output of show control connections on vSmart-2]

Configure DTLS in Cisco SD-WAN Manager

If you configure Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you use DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on Cisco SD-WAN Manager. To display information about these processes and about the number of ports being forwarded, use the show control summary command. The following output shows that four vdaemon processes are running:

[Figure 2: output of show control summary showing four vdaemon processes]

To see the listening ports, use the show control local-properties command:

vManage# show control local-properties

[Figure 3: output of show control local-properties]

This output shows that the listening TCP port is 23456. If you run Cisco SD-WAN Manager behind a NAT, open the following ports on the NAT device:

  • 23456 (base, the instance 0 port)
  • 23456 + 100 (base + 100)
  • 23456 + 200 (base + 200)
  • 23456 + 300 (base + 300)

Note that the number of instances is the same as the number of cores you have assigned to Cisco SD-WAN Manager, up to a maximum of 8; each instance listens on the base port plus 100 times its instance number.

Configure Security Parameters Using the Security Feature Template

Use the Security feature template for all Cisco vEdge devices. On edge routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.

Configure Security Parameters

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates, and then click Add Template.
    Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
  3. From the Devices list in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
  4. Click Security to open the template.
  5. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  6. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Table 1:

Parameter Scope: Device Specific (indicated by a host icon)
Scope Description: Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is a spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Parameter Scope: Global (indicated by a globe icon)
Scope Description: Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Control Plane Security

Note
The Control Plane Security section applies only to Cisco SD-WAN Manager and the Cisco SD-WAN Controller. To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, select the Basic Configuration area and configure the following parameters:

Table 2:

Parameter Name: Protocol
Description: Select the protocol to use on control plane connections to the Cisco SD-WAN Controller:

  • DTLS (Datagram Transport Layer Security). This is the default.
  • TLS (Transport Layer Security)

Parameter Name: Control TLS Port
Description: If you select TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456

Click Save.

Configure Data Plane Security

To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs and configure the following parameters:

Table 3:

Parameter Name: Rekey Time
Description: Specify how often the Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekey time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours)

Parameter Name: Replay Window
Description: Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets

Parameter Name: IPsec pairwise-keying
Description: This is disabled by default. Click On to enable it.

Parameter Name: Authentication Type
Description: Select the authentication types from the Authentication List, and click the right-pointing arrow to move them to the Selected List column.

Authentication types supported from Cisco SD-WAN Release 20.6.1:

  • esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers.
  • ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can interoperate with non-Cisco devices.
  • none: Turns integrity checking off on IPsec packets. We do not recommend this option.

Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier:

  • ah-no-id: Enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header of the packet.
  • ah-sha1-hmac: Enables AH-SHA1 HMAC and ESP HMAC-SHA1.
  • none: Select no authentication.
  • sha1-hmac: Enables ESP HMAC-SHA1.

Note
For an edge device running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using the Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the types supported in Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following:

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates.
  3. Find the Security template to update, click ..., and then click Edit.
  4. Click Update. Do not change any configuration.

Cisco SD-WAN Manager updates the Security template to display the supported authentication types.

Click Save.

Configure Data Plane Security Parameters

In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the authentication type, the IPsec rekeying timer, and the size of the IPsec anti-replay window.

Configure Allowed Authentication Types

Authentication Types in Cisco SD-WAN Release 20.6.1 and Later
From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:

  • esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers.
  • ip-udp-esp-no-id: Similar to ip-udp-esp, except that the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that it can interoperate with non-Cisco devices.
  • none: Turns integrity checking off on IPsec packets. We do not recommend this option.

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To change the negotiated integrity types or to disable the integrity check, use the following command:

integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }

Authentication Types Before Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To change the negotiated authentication types or to disable authentication, use the following command:

Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)

By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, listed from strongest to weakest:

Note
The sha1 in the configuration options is kept for historical reasons. The authentication options indicate how much of the packet is covered by the integrity check; they do not specify the algorithm that performs the check. Except for multicast traffic encryption, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. From Cisco SD-WAN Release 20.1.x onward, neither unicast nor multicast uses SHA1.

  • ah-sha1-hmac enables encryption and encapsulation using ESP. In addition to the integrity checks on the ESP header and payload, the checks also cover the outer IP and UDP headers, so this option provides a packet integrity check similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
  • ah-no-id enables a mode similar to ah-sha1-hmac, except that the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug which modifies the ID field in the IP header even though that field should be immutable. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the software can interoperate with these devices.
  • sha1-hmac enables ESP encryption and integrity checking.
  • none maps to no authentication. Use this option only if it is required for temporary debugging. You can also choose it in situations where data plane authentication and integrity are not a concern. Cisco does not recommend this option for production networks.

For information about which data packet fields are affected by these authentication types, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types and a second router advertises only the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication type is configured on the two peers, no IPsec tunnel is established between them. The encryption algorithm on IPsec tunnel connections depends on the type of traffic:

  • For unicast traffic, the encryption algorithm is AES-256-GCM.
  • For multicast traffic:
    • Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
    • Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.

When the IPsec authentication type is changed, the AES key for the data path is changed.
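The negotiation rule above ("strongest type configured on both sides, otherwise no tunnel") is what decides whether a site with a trimmed-down authentication list still forms tunnels to the rest of the fabric. The following added example, which is not Cisco code, applies that rule to constructed TLOC advertisements, using the strength order the text gives; the mapping to the 20.6.1 integrity-type keywords is inferred from the matching definitions on this page and is an assumption, as are the function names.

```python
"""Data-plane authentication type negotiation (added example, not Cisco code).

Each router advertises its configured authentication types in its TLOC
properties; a pair of peers uses the strongest type configured on both, and
with no common type no IPsec tunnel is established between them.
"""
from typing import Optional

# Pre-20.6.1 keywords, strongest to weakest, as listed in the text.
AUTH_STRENGTH_ORDER = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")

# Assumed one-to-one mapping to the 20.6.1+ integrity-type keywords, inferred
# from the matching definitions on this page (not stated as a table by Cisco).
LEGACY_TO_INTEGRITY = {
    "ah-sha1-hmac": "ip-udp-esp",
    "ah-no-id": "ip-udp-esp-no-id",
    "sha1-hmac": "esp",
    "none": "none",
}


def negotiate_auth(local: set, remote: set) -> Optional[str]:
    """Strongest authentication type configured on both peers, or None."""
    unknown = (set(local) | set(remote)) - set(AUTH_STRENGTH_ORDER)
    if unknown:
        raise ValueError(f"unknown authentication type(s): {sorted(unknown)}")
    for candidate in AUTH_STRENGTH_ORDER:        # strongest first
        if candidate in local and candidate in remote:
            return candidate
    return None                                  # no common type: no tunnel


def describe_tunnel(local: set, remote: set) -> str:
    chosen = negotiate_auth(local, remote)
    if chosen is None:
        return "no IPsec tunnel: no common authentication type"
    if chosen == "none":
        return "tunnel with no integrity check (not recommended for production)"
    return f"tunnel using {chosen} ({LEGACY_TO_INTEGRITY[chosen]} from 20.6.1)"


def strongest_common_across(peers: dict) -> dict:
    """Negotiation result for every pair in a set of routers (name -> types)."""
    names = sorted(peers)
    return {(a, b): negotiate_auth(peers[a], peers[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    # Constructed example: the case from the text plus a peer with only sha1-hmac.
    site = {
        "vEdge-1": {"ah-sha1-hmac", "ah-no-id"},
        "vEdge-2": {"ah-no-id"},
        "vEdge-3": {"sha1-hmac"},
    }
    for pair, result in strongest_common_across(site).items():
        print(pair, "->", result)
    print(describe_tunnel(site["vEdge-1"], site["vEdge-2"]))
```

The third peer illustrates the failure mode: vEdge-3 shares no type with either of the others, so it gets no data-plane tunnels at all, which is worth checking before narrowing the authentication list on a subset of routers.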

Change the Rekeying Timer

Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure, authenticated communications channel between them. The routers use IPsec tunnels between them as the channel and the AES-256 cipher for encryption. Each router periodically generates a new AES key for its data path. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:

Device(config)# security ipsec rekey seconds

The configuration looks like this:

security
 ipsec
  rekey seconds
 !
!

If you want to generate new IPsec keys immediately, you can do so without modifying the router's configuration. To do this, issue the request security ipsec-rekey command on the router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:

[Figure 4: output of show ipsec local-sa showing SPI 256]

A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:

Device# request security ipsec-rekey
Device# show ipsec local-sa

[Figure 5: output of show ipsec local-sa after the rekey, showing SPI 257]

After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers over DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers, which begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice in quick succession. This sequence removes both SPI 256 and SPI 257 and sets the SPI to 258; the router then uses the key associated with SPI 258. Note, however, that some packets are dropped for a short period until all remote routers have learned the new key.

[Figure 6: output of show ipsec local-sa after two rekeys in quick succession, showing SPI 258]
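The SPI rollover behaviour above, including the grace period for the previous key and the double-rekey that discards it, is easier to reason about as a small state model. The following added example, which is not Cisco code, models the local SA as the text describes it and adds the rekey-timer check from the Security template (at least twice the OMP graceful restart timer). The grace period length, the random key material, the class layout and the function names are assumptions for illustration.

```python
"""Model of manual IPsec rekeying and SPI rollover (added example, not Cisco code).

Behaviour taken from the text: 'request security ipsec-rekey' generates a new
AES-256 data-path key and increments the SPI; the previous key stays usable for
a short grace period until it times out; issuing the command twice in quick
succession discards both older SPIs so only the newest key is accepted.
"""
import os

REKEY_MIN, REKEY_MAX, REKEY_DEFAULT = 10, 1209600, 86400   # seconds, from the text


def rekey_timer_ok(rekey_seconds: int, omp_graceful_restart_seconds: int = 0) -> bool:
    """Range check plus the rule that, with OMP graceful restart enabled, the
    rekey time must be at least twice the graceful restart timer."""
    if not REKEY_MIN <= rekey_seconds <= REKEY_MAX:
        return False
    return rekey_seconds >= 2 * omp_graceful_restart_seconds


class LocalSA:
    def __init__(self, spi: int = 256, rekey_timer: int = REKEY_DEFAULT,
                 grace: float = 5.0):
        if not rekey_timer_ok(rekey_timer):
            raise ValueError("security ipsec rekey must be 10 through 1209600 seconds")
        self.rekey_timer = rekey_timer
        self.grace = grace                       # assumed old-key grace period
        self.now = 0.0
        self.next_scheduled = float(rekey_timer)
        self.current = spi
        self.keys = {spi: os.urandom(32)}        # SPI -> 256-bit AES key (random stand-in)
        self.expiry = {}                         # old SPI -> time it stops being accepted

    def active_spis(self) -> list:
        return sorted(self.keys)

    def accepts(self, spi: int) -> bool:
        """Would a packet carrying this SPI still be decrypted?"""
        return spi in self.keys

    def request_rekey(self) -> int:
        """'request security ipsec-rekey': new key, SPI incremented."""
        if self.expiry:
            # Second rekey while the previous key is still in its grace period:
            # both older SPIs are removed and only the new one remains.
            self.keys.clear()
            self.expiry.clear()
        else:
            self.expiry[self.current] = self.now + self.grace
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        self.next_scheduled = self.now + self.rekey_timer
        return self.current

    def tick(self, seconds: float) -> None:
        """Advance time: retire keys past their grace period, run the rekey timer."""
        self.now += seconds
        for spi, deadline in list(self.expiry.items()):
            if self.now >= deadline:
                del self.keys[spi]
                del self.expiry[spi]
        if self.now >= self.next_scheduled:
            self.request_rekey()                 # periodic rekey (security ipsec rekey)


if __name__ == "__main__":
    sa = LocalSA()
    print("start:", sa.active_spis())
    sa.request_rekey()
    print("after one rekey:", sa.active_spis())     # old key kept for the grace period
    sa.request_rekey()
    print("after a second rekey:", sa.active_spis())  # only the newest SPI survives
    print("SPI 257 still accepted?", sa.accepts(257))
```

The last line is the packet-loss window the text mentions: a peer still sending with the key for SPI 257 is dropped until it learns the SPI 258 key from the controllers, so the double rekey is a deliberate trade of availability for immediately revoking a compromised key.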

Change the Size of the Anti-Replay Window

IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker replaying captured data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.

[Figure 7: the anti-replay sliding window of acceptable sequence numbers]

Packets with sequence numbers that fall to the left of the sliding window are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received and advances the sliding window when it receives a packet with a higher value.

[Figure 8: the window sliding forward after a packet with a higher sequence number arrives]

By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To change the anti-replay window size, use the replay-window command, specifying the size of the window:

Device(config)# security ipsec replay-window number

The configuration looks like this:

security
 ipsec
  replay-window number
 !
!

To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, the router may see a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the dropped packets are legitimate. This happens because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:

  • Increase the size of the anti-replay window.
  • Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
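The following added example, which is not Cisco code, implements the receiver-side sliding window described above and the per-channel split (configured size divided by eight) used with QoS, then shows why a window of 512 drops a legitimate packet that QoS delayed by 70 positions while 1024 does not. The class, method and counter names and the constructed traffic pattern are assumptions for illustration.

```python
"""IPsec anti-replay sliding window (added example, not Cisco code).

The receiver keeps the highest sequence number accepted and a bitmap of the
window below it: a number left of the window is "old", a number already marked
is a duplicate, and both are dropped; a new higher number slides the window.
ChannelizedReplay models the statement that the first eight traffic channels
each get a separate window of one eighth of the configured size.
"""

VALID_WINDOW_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)


class ReplayWindow:
    def __init__(self, size: int = 512, *, check_size: bool = True):
        if check_size and size not in VALID_WINDOW_SIZES:
            raise ValueError("replay-window must be a power of 2 from 64 to 4096")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (highest - i) seen
        self.dropped_old = 0
        self.dropped_dup = 0

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is accepted; False if it is dropped."""
        if seq <= 0:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.highest:                      # slide the window forward
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                     # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                     # left of the window: too old
            self.dropped_old += 1
            return False
        if self.bitmap & (1 << offset):             # inside the window, already seen
            self.dropped_dup += 1
            return False
        self.bitmap |= 1 << offset                  # late but new: accept
        return True


class ChannelizedReplay:
    """Separate window per traffic channel: configured size divided by eight."""

    CHANNELS = 8

    def __init__(self, size: int = 512):
        if size not in VALID_WINDOW_SIZES:
            raise ValueError("replay-window must be a power of 2 from 64 to 4096")
        per_channel = size // self.CHANNELS
        self.windows = [ReplayWindow(per_channel, check_size=False)
                        for _ in range(self.CHANNELS)]

    def check(self, channel: int, seq: int) -> bool:
        if not 0 <= channel < self.CHANNELS:
            raise ValueError("channel must be 0 through 7")
        return self.windows[channel].check(seq)

    def drops(self) -> tuple:
        """(old, duplicate) drop counters summed over all channels."""
        return (sum(w.dropped_old for w in self.windows),
                sum(w.dropped_dup for w in self.windows))


def qos_reorder_loss(window_size: int, delay: int, burst: int = 200) -> int:
    """Packets dropped as 'old' when QoS holds one packet back by `delay`
    positions within a single channel (constructed scenario)."""
    rx = ChannelizedReplay(window_size)
    held = 20                                       # the packet QoS delays
    for seq in range(1, burst + 1):
        if seq == held:
            continue
        rx.check(0, seq)
        if seq == held + delay:
            rx.check(0, held)                       # arrives `delay` packets late
    return rx.drops()[0]


if __name__ == "__main__":
    w = ReplayWindow(64)
    print([w.check(s) for s in (1, 3, 2, 2, 100, 36, 37)])
    print("old drops, window 512 :", qos_reorder_loss(512, 70))
    print("old drops, window 1024:", qos_reorder_loss(1024, 70))
```

With 512 configured, each channel only has 64 positions, so a packet reordered by 70 lands left of the window and is counted as a replay; doubling the window (or keeping each traffic class on its own channel) removes the false drop without weakening replay protection for genuinely stale packets.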

Configure IKE-Enabled IPsec Tunnels
To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them like any other physical interface. You configure the IKE protocol parameters on the IPsec interface, and you can configure other interface properties as well.

Note
Cisco recommends using IKE Version 2. From Cisco SD-WAN Release 19.2.x onward, the pre-shared key must be at least 16 bytes long. IPsec tunnel establishment fails if the key is shorter than 16 characters once the router is upgraded to release 19.2.

Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as defined in RFC 7296. One use of IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to an Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in the IPsec configuration, because these devices cannot define traffic selectors in the encryption domain.

Configure an IPsec Tunnel
To configure an IPsec tunnel interface for secure transport of traffic from a service network, you create a logical IPsec interface:

[Figure 9: CLI configuration of the logical IPsec interface (vpn vpn-id, interface ipsecnumber, ip address, tunnel-source or tunnel-source-interface, tunnel-destination)]

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address, and this address must be a /30 prefix. All traffic in the VPN that falls within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over the IPsec tunnel. To configure the source of the IPsec tunnel on the local device, you can specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist for a given source address (or interface name) and destination address pair.

Configure an IPsec Static Route

To direct traffic from a service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in the service VPN (a VPN other than VPN 0 or VPN 512):

  • vEdge(config)# vpn vpn-id
  • vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]

The VPN ID is that of any service VPN (VPN 1 through 65530, except 512). prefix/length is the IP address or prefix, in dotted-decimal notation, and the prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are sent to the secondary tunnel. When the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.

Enable IKE Version 1
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:

  • Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number: 16
  • Rekeying time interval: 4 hours
  • SA establishment mode: Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:

Note
Avoid IKE aggressive mode with pre-shared keys wherever possible: in aggressive mode the PSK-derived identity hash is sent before the exchange is encrypted, so the key can be attacked offline by anyone who captures the exchange. If you must use it, choose a strong pre-shared key.

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# mode aggressive

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during the IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP); group 2 is weak by current standards and is best avoided unless the peer supports nothing stronger:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# group number

By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the cipher suite:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# cipher-suite suite

The suite can be one of the following:

  • aes128-cbc-sha1: AES-128 CBC encryption with HMAC-SHA1 for integrity
  • aes128-cbc-sha2: AES-128 CBC encryption with HMAC-SHA256 for integrity
  • aes256-cbc-sha1: AES-256 CBC encryption with HMAC-SHA1 for integrity; this is the default.
  • aes256-cbc-sha2: AES-256 CBC encryption with HMAC-SHA256 for integrity

By default, IKE keys are refreshed every hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour. (The list of IKEv1 defaults above gives 4 hours; verify the effective default on your software release.)

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike

For IKE, you can also configure pre-shared key (PSK) authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the pre-shared key. It can be an ASCII or hexadecimal string from 1 through 127 characters long (at least 16 bytes from Cisco SD-WAN Release 19.2.x, as noted above).

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
  • vEdge(config-authentication-type)# local-id id
  • vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Enable IKE Version 2
When you configure an IPsec tunnel to use IKE Version 2, the following properties are enabled by default for IKEv2:

  • Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number: 16
  • Rekeying time interval: 4 hours

By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential (MODP) group during the IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP); group 2 is weak by current standards and is best avoided unless the peer supports nothing stronger:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# group number

By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the cipher suite:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# cipher-suite suite

The suite can be one of the following:

  • aes128-cbc-sha1: AES-128 CBC encryption with HMAC-SHA1 for integrity
  • aes128-cbc-sha2: AES-128 CBC encryption with HMAC-SHA256 for integrity
  • aes256-cbc-sha1: AES-256 CBC encryption with HMAC-SHA1 for integrity; this is the default.
  • aes256-cbc-sha2: AES-256 CBC encryption with HMAC-SHA256 for integrity

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure pre-shared key (PSK) authentication:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike
  • vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the pre-shared key. It can be an ASCII or hexadecimal string, or an AES-encrypted key. If the remote IKE peer requires a local or remote ID, you can configure this identifier:

  • vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
  • vEdge(config-authentication-type)# local-id id
  • vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Sanya ma'auni na rami na IPsec

Tebur 4: Tarihin Siffar

Siffar Suna Bayanin Saki Bayani
Ƙarin Cryptographic Sakin Cisco SD-WAN 20.1.1 Wannan fasalin yana ƙara tallafi don
Taimakon Algorithmic don IPSec   HMAC_SHA256, HMAC_SHA384, da
Tunnels   HMAC_SHA512 algorithms don
    inganta tsaro.

Ta hanyar tsoho, ana amfani da sigogi masu zuwa akan rami na IPsec wanda ke ɗaukar zirga-zirgar IKE:

  • Tabbatarwa da ɓoyewa-AES-256 algorithm a cikin GCM (Yanayin Galois/counter)
  • Tazarar sake buɗewa - sa'o'i 4
  • Tagar sake kunnawa - fakiti 32

Kuna iya canza boye-boye akan rami na IPsec zuwa cipher AES-256 a cikin CBC (yanayin sarkar sarkar sikirin, tare da HMAC ta amfani da ko dai SHA-1 ko SHA-2 keyed-hash ingantacciyar saƙon ko a soke tare da HMAC ta amfani da SHA-1 ko SHA-2 maɓalli-hash ingantaccen saƙo, don kar ɓoyayyen rami na IPsec da aka yi amfani da shi don zirga-zirgar maɓalli na IKE:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256 | aes256-null-sha256 | aes384-null-sha256)

By default, the keys on the IPsec tunnel are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# rekey seconds

To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command.

By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting

pfs-setting can be one of the following:

  • group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
  • group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
  • group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
  • group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
  • none: Disable PFS.

A 1024-bit group (group-2) is below current key-strength recommendations; keep group-14 or stronger unless a legacy peer forces otherwise, and do not disable PFS on tunnels that carry sensitive traffic.

By default, the IPsec replay window on an IPsec tunnel is 512 packets. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# replay-window number
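The defaults and options above are easy to misread when reviewing many tunnels, so here is an added example (not Cisco's code and not part of the original page) that parses vEdge-style IPsec interface blocks from a running configuration, fills in the page's defaults for anything left unset, and flags the settings this section describes as weaker: the aes256-null-* suites (no encryption), any *-sha1 suite, and PFS set to none or group-2. The config layout (indented blocks closed by "!") is assumed from the vEdge CLI shown above, the sample configuration is constructed, and the rekey threshold is a policy assumption, not a Cisco value.

```python
"""Audit vEdge IPsec tunnel parameters for weak settings.

Added example, not Cisco's code. The indented-block-closed-by-'!' layout
is assumed from the vEdge CLI; SAMPLE_CONFIG is constructed; MAX_REKEY
is a policy assumption, not a Cisco recommendation.
"""
import re

# Defaults this page states for an IPsec tunnel interface.
DEFAULTS = {
    "cipher-suite": "aes256-gcm",
    "rekey": 14400,                       # seconds (4 hours)
    "replay-window": 512,                 # packets
    "perfect-forward-secrecy": "group-16",
}

WEAK_PFS = {"none", "group-2"}   # PFS disabled, or 1024-bit Diffie-Hellman
MAX_REKEY = 86400                # assumption: rekey at least once a day

SAMPLE_CONFIG = """\
vpn 1
 interface ipsec1
  ip address 10.1.1.1/30
  tunnel-source 192.0.2.1
  tunnel-destination 198.51.100.1
  ipsec
   cipher-suite aes256-null-sha1
   rekey 1209600
   perfect-forward-secrecy none
  !
  no shutdown
 !
 interface ipsec2
  ip address 10.1.1.5/30
  tunnel-source 192.0.2.1
  tunnel-destination 203.0.113.1
  ipsec
   cipher-suite aes256-cbc-sha512
   rekey 3600
   replay-window 1024
   perfect-forward-secrecy group-14
  !
  no shutdown
 !
!
"""


def parse_ipsec_tunnels(config):
    """Return {interface: {parameter: value}} for every ipsecN interface,
    starting from the page defaults and overriding with what the 'ipsec'
    sub-block sets. Indentation decides which '!' closes which block."""
    tunnels = {}
    current = iface_indent = ipsec_indent = None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        match = re.fullmatch(r"interface (ipsec\d+)", line)
        if match:
            current, iface_indent, ipsec_indent = match.group(1), indent, None
            tunnels[current] = dict(DEFAULTS)
            continue
        if current is None:
            continue
        if line == "!" and indent == iface_indent:
            current = None                       # interface block closed
        elif line == "ipsec" and indent == iface_indent + 1:
            ipsec_indent = indent                # entering the ipsec sub-block
        elif ipsec_indent is not None and indent > ipsec_indent:
            key, _, value = line.partition(" ")
            if key in ("rekey", "replay-window"):
                tunnels[current][key] = int(value)
            elif key in ("cipher-suite", "perfect-forward-secrecy"):
                tunnels[current][key] = value
        elif line == "!" and indent == ipsec_indent:
            ipsec_indent = None                  # ipsec sub-block closed
    return tunnels


def audit_tunnel(params):
    """Return a list of findings for one tunnel; an empty list means it passes."""
    findings = []
    suite = params["cipher-suite"]
    if "-null-" in suite:
        findings.append(f"cipher-suite {suite}: integrity only, traffic is not encrypted")
    if suite.endswith("-sha1"):
        findings.append(f"cipher-suite {suite}: HMAC-SHA-1, prefer aes256-gcm or a SHA-2 suite")
    pfs = params["perfect-forward-secrecy"]
    if pfs in WEAK_PFS:
        findings.append(f"perfect-forward-secrecy {pfs}: PFS disabled or 1024-bit DH, use group-14 or stronger")
    if params["rekey"] > MAX_REKEY:
        findings.append(f"rekey {params['rekey']}: longer than {MAX_REKEY} seconds")
    return findings


def audit_config(config):
    """Map each ipsec interface in the config to its findings."""
    return {name: audit_tunnel(p) for name, p in parse_ipsec_tunnels(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the output of show running-config from a vEdge device; ipsec1 in the constructed sample collects four findings while ipsec2, which uses a SHA-2 CBC suite with group-14 PFS and an hourly rekey, passes. Because unset parameters are filled from the page's defaults, a tunnel that relies on the default aes256-gcm and group-16 is reported as clean rather than as missing data.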

Modify IKE Dead-Peer Detection

IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535 seconds, and you can change the number of retries to a value from 0 through 255.

Note

For transport VPNs, the liveness detection interval is converted to seconds using the following formula: interval for retransmission number N = interval * 1.8^(N-1). For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:

  • Attempt 1: 10 * 1.8^(1-1) = 10 seconds
  • Attempt 2: 10 * 1.8^(2-1) = 18 seconds
  • Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
  • Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
  • Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds

vEdge(config-interface-ipsecnumber)# dead-peer-detection interval seconds retries number
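What the backoff table above does not state is how long a failed peer stays undetected in total, which is what matters when sizing failover. The added example below (not Cisco's code and not part of the original page) applies the page's transport-VPN formula, interval * 1.8^(N-1), validates the interval and retry ranges given above, and sums the attempts: the default 10-second interval with three retries works out to about 60 seconds before the tunnel is torn down, and the 10/5 example to about 224 seconds.

```python
"""Dead-peer-detection timing for a vEdge IPsec tunnel on a transport VPN.

Added example, not Cisco's code. It applies the formula stated on the page,
interval * 1.8**(N-1) for attempt N, and sums the attempts to give the total
time before the peer is declared dead, which the page does not state. The
interval and retries bounds are those given on the page.
"""


def dpd_schedule(interval, retries):
    """Wait in seconds before each attempt 1..retries (rounded to 3 decimals)."""
    if not 0 <= interval <= 65535:
        raise ValueError("interval must be 0..65535 seconds")
    if not 0 <= retries <= 255:
        raise ValueError("retries must be 0..255")
    return [round(interval * 1.8 ** (n - 1), 3) for n in range(1, retries + 1)]


def time_to_declare_dead(interval, retries):
    """Approximate total wait across all attempts until the tunnel is torn down."""
    return round(sum(dpd_schedule(interval, retries)), 3)


if __name__ == "__main__":
    # (10, 3) is the page's default; (10, 5) is the page's worked example.
    for interval, retries in ((10, 3), (10, 5)):
        print(f"interval={interval} retries={retries}: "
              f"{dpd_schedule(interval, retries)} -> dead after "
              f"{time_to_declare_dead(interval, retries)} s")
```

The 1.8 growth factor means that raising retries lengthens detection far more than linearly, so when tuning for faster failover, reduce retries before reducing the interval.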

Configure Other Interface Properties

For IPsec tunnel interfaces, you can configure only the following additional interface properties:

  • vEdge(config-interface-ipsec)# mtu bytes
  • vEdge(config-interface-ipsec)# tcp-mss-adjust bytes

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Table 5: Feature History

Feature Name | Release Information | Feature Description
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager | Cisco vManage Release 20.9.1 | This feature lets you disable weaker SSH encryption algorithms on Cisco SD-WAN Manager that might not comply with certain data security standards.

Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Cisco SD-WAN Manager provides an SSH client for communication with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable these weaker algorithms so that the SSH client does not use them:

  • SHA-1
  • AES-128
  • AES-192

Before disabling these algorithms, ensure that any Cisco vEdge devices in the network are running a software release later than Cisco SD-WAN Release 18.4.6. A vEdge device that cannot negotiate a stronger key exchange or cipher with Cisco SD-WAN Manager can lose connectivity after the change.

Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Disabling the weaker SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN comply with stringent security standards.

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device on which you want to disable the weaker SSH algorithms.
  3. Enter the username and password to log in to the device.
  4. Enter SSH server mode:
    • vmanage(config)# system
    • vmanage(config-system)# ssh-server
  5. Do one of the following to disable an SSH encryption algorithm:
    • Disable SHA-1:
      vmanage(config-ssh-server)# no kex-algo sha1
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server kex-algo sha1': WARNING: Please ensure all edges are running code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may become offline. Proceed? [yes, no] yes
      Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.
    • Disable AES-128 and AES-192:
      vmanage(config-ssh-server)# no cipher aes-128-192
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server cipher aes-128-192': WARNING: Please ensure all edges are running code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may become offline. Proceed? [yes, no] yes
      Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.

Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device that you want to verify.
  3. Enter the username and password to log in to the device.
  4. Run the following command: show running-config system ssh-server
  5. Verify that the output shows one or both of the commands that disable the weaker encryption algorithms:
    • no cipher aes-128-192
    • no kex-algo sha1

Documents / Resources

CISCO SD-WAN Configure Security Parameters [pdf] User Guide