Netconf security

wojciechlubas
Level 1
Hello,

On my ASR907 (IOS XE) I need to deploy NETCONF, but I see several problems.

If I activate NETCONF, the router answers on any IP (public ones too). I tried to secure it with the command:

netconf ssh acl 80

it does nothing...


(Of course the ACLs referenced, the numbered 80 or the named netconf-named-acl below, are configured.)


then:

netconf-yang ssh ipv4 access-list name netconf-named-acl

It works better, but it still allows the three-way handshake and only then ends the connection:

it allows SYN, SYN-ACK, ACK and then SYN, which I see as a potential DDoS vulnerability.

SSH secured by the following commands:

line vty 5 15
 access-class 80 in


makes the router answer immediately with RST to any SYN on port 22.


What I would like best is that no RST is sent at all on ports 830 and 22 if the source IP is not permitted by the access-list.

Because of the many public IPs configured on the router, which I don't want to expose to the Internet with a management interface like NETCONF on port 830, I am looking for a more secure solution...

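A consolidated IOS XE configuration for the filtering described above, added here as an example; it is not configuration from the original post. The 192.0.2.0/24 management prefix and the ACL, class-map and policy-map names are assumptions. It reproduces the two filters the post found effective (the netconf-yang SSH access-list for port 830 and the vty access-class for port 22) and adds a control-plane policing class that drops, rather than answers, SYNs to 22 and 830 from non-permitted sources; whether the target ASR 900 release supports that CoPP class with the drop action should be verified on the box before relying on it.

```ios
! Management hosts allowed to reach SSH (22) and NETCONF over SSH (830).
! Constructed example prefix; replace with the real management network.
ip access-list standard netconf-named-acl
 permit 192.0.2.0 0.0.0.255
 deny   any

! NETCONF over SSH. The netconf-yang SSH server is separate from the vty
! lines, so it needs its own source filter (the command the post found works).
netconf-yang
netconf-yang ssh port 830
netconf-yang ssh ipv4 access-list name netconf-named-acl

! Interactive SSH on port 22 is served by the vty lines; the netconf-yang
! ACL does not cover them, so apply the same filter with access-class.
line vty 0 15
 access-class netconf-named-acl in
 transport input ssh

! Optional (assumed platform support): drop unwanted SYNs to 22/830 in the
! control plane before the TCP stack sees them, so no SYN-ACK or RST is sent.
! In a CoPP ACL, "permit" means "this traffic matches the class and is
! dropped"; "deny" exempts the trusted prefix from the match.
ip access-list extended MGMT-PORTS-UNTRUSTED
 deny   tcp 192.0.2.0 0.0.0.255 any eq 22
 deny   tcp 192.0.2.0 0.0.0.255 any eq 830
 permit tcp any any eq 22
 permit tcp any any eq 830

class-map match-all CM-MGMT-UNTRUSTED
 match access-group name MGMT-PORTS-UNTRUSTED

policy-map PM-COPP
 class CM-MGMT-UNTRUSTED
  drop

control-plane
 service-policy input PM-COPP
```

The two application-level filters behave as the post observes: the vty access-class rejects at connection time, and the netconf-yang ACL is enforced by the SSH server after the TCP connection has been accepted, which is consistent with the handshake-then-close behaviour described. Only the CoPP class acts on the packet itself, which is why it is the part that can stop the router from answering at all; check `show policy-map control-plane` after applying it to confirm the class is matching and dropping.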