
Netconf Security

rthakker
Level 1

Apologies for the basic question. I am enabling NETCONF on the XR and XE platforms, but I am a bit worried about the security aspects of NETCONF, so I am trying to grant least-privilege access to the client.

  • Is CoPP, or some other method, the way to restrict NETCONF so that only a specific IP is allowed?
  • My NETCONF user is authenticated and authorised by TACACS or ISE, so is there any way to restrict what the user can do? For example, the user should be able to do get and get-config but shouldn't be able to run edit-config, reload the chassis, etc.
  • Is there any way to monitor NETCONF activity (get, get-config, edit-config, etc.) from the XR and XE device using SNMP polling (any OIDs), traps, or syslog messages to assist with an audit trail?
  • Looking at "show netconf-yang trace" I can see a lot of activity, but I am not sure how to convert some of it into syslog messages for audit.

Any advice is greatly appreciated,

Ritesh
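
An added example, not from this thread and not Cisco's code: a small Python helper for the second and third bullets above. It builds the NETCONF <edit-config> RPC that installs a read-only NETCONF Access Control Model (NACM, RFC 8341, module ietf-netconf-acm) rule-list for a group of AAA user names, and it parses RFC 6241 <rpc-reply> messages from a probe session run as that user so you can confirm that <get> and <get-config> succeed while <edit-config> comes back as access-denied. The group and user names and the sample replies are constructed for the example. That the target XE/XR release enforces NACM is an assumption to verify against the platform documentation, as is the datastore the device expects to be edited (running, or candidate followed by <commit>).

```python
"""Least-privilege NETCONF helper (added example, not the thread's own code).

1. build_readonly_nacm_rpc() builds the <edit-config> RPC that installs a
   NACM (RFC 8341, ietf-netconf-acm) rule-list: the group may run
   <get>/<get-config> and read data; write operations are denied.
2. classify_rpc_reply()/verify_least_privilege() parse RFC 6241 <rpc-reply>
   messages from a probe session as the restricted user and report whether
   the policy actually held.
Assumption: the target XE/XR release enforces ietf-netconf-acm.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NACM = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
ET.register_namespace("nc", NC)
ET.register_namespace("nacm", NACM)

READ_RPCS = ("get", "get-config")
# operations a read-only operator must never be able to invoke
WRITE_RPCS = ("edit-config", "copy-config", "delete-config", "commit")


def _leaf(parent, name, text):
    elem = ET.SubElement(parent, f"{{{NACM}}}{name}")
    elem.text = text
    return elem


def _rule(rule_list, name, rpc_name=None, module="ietf-netconf", ops="exec", action="permit"):
    """One NACM <rule>; without rpc_name it is a data-node rule matching any node."""
    rule = ET.SubElement(rule_list, f"{{{NACM}}}rule")
    _leaf(rule, "name", name)
    _leaf(rule, "module-name", module)
    if rpc_name:
        _leaf(rule, "rpc-name", rpc_name)
    _leaf(rule, "access-operations", ops)
    _leaf(rule, "action", action)


def build_readonly_nacm_rpc(group, users, target="running", message_id="101"):
    """Return (as text) the <edit-config> RPC that installs a read-only NACM group.
    target: "running" here; a device that only edits "candidate" also needs a
    <commit> afterwards (assumption: check the platform documentation)."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}{target}")
    nacm = ET.SubElement(ET.SubElement(edit, f"{{{NC}}}config"), f"{{{NACM}}}nacm")
    # deny by default: anything not matched by a permit rule below is refused
    _leaf(nacm, "enable-nacm", "true")
    _leaf(nacm, "read-default", "deny")
    _leaf(nacm, "write-default", "deny")
    _leaf(nacm, "exec-default", "deny")
    grp = ET.SubElement(ET.SubElement(nacm, f"{{{NACM}}}groups"), f"{{{NACM}}}group")
    _leaf(grp, "name", group)
    for user in users:          # user names exactly as AAA (TACACS/ISE) returns them
        _leaf(grp, "user-name", user)
    rule_list = ET.SubElement(nacm, f"{{{NACM}}}rule-list")
    _leaf(rule_list, "name", f"{group}-rules")
    _leaf(rule_list, "group", group)
    for name in WRITE_RPCS:     # explicit denies first: NACM evaluates rules first-match
        _rule(rule_list, f"deny-{name}", rpc_name=name, action="deny")
    for name in READ_RPCS:
        _rule(rule_list, f"permit-{name}", rpc_name=name)
    # data-node rule: read any module, never create/update/delete
    _rule(rule_list, "read-any-data", module="*", ops="read")
    return ET.tostring(rpc, encoding="unicode")


def classify_rpc_reply(reply_xml):
    """Classify an RFC 6241 <rpc-reply>: ("ok", None), ("data", None) or ("error", error_tag)."""
    root = ET.fromstring(reply_xml)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError(f"not an rpc-reply: {root.tag}")
    errors = root.findall(f"{{{NC}}}rpc-error")
    if errors:
        tag = errors[0].findtext(f"{{{NC}}}error-tag", default="").strip()
        return ("error", tag or "unknown")
    if root.find(f"{{{NC}}}data") is not None:
        return ("data", None)
    return ("ok", None)


def verify_least_privilege(observed):
    """observed: iterable of (rpc_name, reply_xml) captured from a probe session
    run as the restricted user.  Returns (policy_holds, verdicts); the policy
    holds only if every read RPC was allowed and everything else was refused
    with access-denied."""
    verdicts, holds = {}, True
    for rpc_name, reply_xml in observed:
        kind, tag = classify_rpc_reply(reply_xml)
        if kind in ("ok", "data"):
            verdict = "allowed"
        elif tag == "access-denied":
            verdict = "denied"
        else:
            verdict = f"other:{tag}"
        verdicts[rpc_name] = verdict
        if verdict != ("allowed" if rpc_name in READ_RPCS else "denied"):
            holds = False
    return holds, verdicts


# Constructed sample replies in RFC 6241 shape (not captured from a real device).
REPLY_DATA = (f'<rpc-reply xmlns="{NC}" message-id="1"><data>'
              '<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"/>'
              '</data></rpc-reply>')
REPLY_DENIED = (f'<rpc-reply xmlns="{NC}" message-id="2"><rpc-error>'
                '<error-type>protocol</error-type><error-tag>access-denied</error-tag>'
                '<error-severity>error</error-severity>'
                '<error-message>access denied</error-message></rpc-error></rpc-reply>')
REPLY_OK = f'<rpc-reply xmlns="{NC}" message-id="3"><ok/></rpc-reply>'
PROBE = [("get-config", REPLY_DATA), ("get", REPLY_DATA), ("edit-config", REPLY_DENIED)]

if __name__ == "__main__":
    print(build_readonly_nacm_rpc("netconf-readonly", ["auditor"]))
    print(verify_least_privilege(PROBE))
    # an edit-config that succeeds as this user means the rule-list is NOT in effect
    print(verify_least_privilege(PROBE + [("edit-config", REPLY_OK)]))
```

To use it against a real device, send the generated RPC over a normal NETCONF session (for example ncclient's manager.connect()), then open a second session as the restricted user, issue the read and write RPCs, and feed the raw replies to verify_least_privilege. A verdict of "allowed" for edit-config is the finding that matters: the restriction is not in effect, whatever the AAA server authorised.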

1 Reply

gschudel
Cisco Employee

Hi 

This seems like a "how do I configure my router" question (meaning, what locks down the packets _inside my box_) as opposed to a "how does NSO communicate NETCONF securely to its southbound devices" question.
There are quite a few Cisco resources available for CoPP, and of course each implementation is OS-specific (XE/XR/NX) and in many cases platform-specific (i.e. the exact hardware), because of forwarding behaviour inside a platform (mainly on the punt paths of control-plane/management-plane packets), so your question about CoPP seems best addressed first.

Maybe these help:

https://tools.cisco.com/security/center/resources/copp_best_practices
https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/copp.html
https://networklessons.com/cisco/ccie-routing-switching-written/copp-control-plane-policing
https://www.oreilly.com/library/view/router-security-strategies/9781587053368/
hth -

gregg