Netconf Security

rthakker (Level 1)

Apologies for the basic question. I am enabling Netconf on XR & XE platforms, but I am a bit worried about the security aspect of Netconf, so I am trying to grant least-privilege access to the client.

  • When configuring CoPP, or in any other way, how do I restrict specific IPs so that only they are allowed to use Netconf?
  • My Netconf user is authenticated/authorised by TACACS or ISE, so is there any way to restrict what the user can do? For example, the user should be able to do get and get-config but shouldn't be able to run edit-config, reload the chassis, etc.
  • Is there any way to monitor from the XR and XE device what Netconf activity (get, get-config, edit-config, etc.) is taking place, using SNMP polling (any OIDs), traps or syslog messages, to assist in an audit trail?
  • Looking at "show netconf-yang trace" I can see a lot of activity, but I am not sure how to convert some of these into syslog messages for audit.

Any advice is greatly appreciated,

Ritesh

1 Reply

gschudel (Cisco Employee)

Hi 

This seems like a "how do I configure my router" question (meaning, what locks down the packets _inside my box_), as opposed to a "how does NSO communicate NETCONF securely to its southbound devices" question.
There are quite a few Cisco resources available for CoPP, and of course each implementation is OS-specific (XE/XR/NX) and in many cases "platform" specific (i.e. exact HW), because of forwarding behavior inside a platform (mainly on punt paths of control-plane/management-plane packets), so really, your question about CoPP seems likely better addressed first.

Maybe these help:

https://tools.cisco.com/security/center/resources/copp_best_practices
https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/copp.html
https://networklessons.com/cisco/ccie-routing-switching-written/copp-control-plane-policing
https://www.oreilly.com/library/view/router-security-strategies/9781587053368/

hth -

gregg
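The first bullet of the question (restricting NETCONF to a set of source addresses with CoPP) is the part the reply points at. The configuration below is an added illustration for IOS-XE, not something posted in this thread or taken from the linked guides: it classifies NETCONF-over-SSH (TCP/830, the default `netconf-yang` port) from a placeholder management prefix 192.0.2.0/24 into a rate-limited class and drops the same traffic from any other source. The prefix, the class and policy names, and the police rates are all constructed values to be replaced with local ones.

```cisco
! Added example (not from the thread): IOS-XE CoPP that admits NETCONF (TCP/830)
! only from the management prefix 192.0.2.0/24 (placeholder) and drops it from
! every other source. Rates are illustrative, not tuned for any platform.
!
! NETCONF-YANG listens on TCP/830 by default once enabled.
netconf-yang
!
! NETCONF from the trusted management prefix.
ip access-list extended NETCONF-TRUSTED
 permit tcp 192.0.2.0 0.0.0.255 any eq 830
!
! NETCONF from anywhere else. The deny entry means the trusted prefix does
! NOT match this class; the permit entry catches every other source.
ip access-list extended NETCONF-UNTRUSTED
 deny   tcp 192.0.2.0 0.0.0.255 any eq 830
 permit tcp any any eq 830
!
class-map match-all COPP-NETCONF-TRUSTED
 match access-group name NETCONF-TRUSTED
class-map match-all COPP-NETCONF-UNTRUSTED
 match access-group name NETCONF-UNTRUSTED
!
policy-map COPP
 ! Untrusted sources are dropped outright; the class counters still count them,
 ! which gives a cheap audit signal for unexpected NETCONF attempts.
 class COPP-NETCONF-UNTRUSTED
  drop
 ! Trusted sources are rate-limited so a misbehaving automation host cannot
 ! starve the control plane.
 class COPP-NETCONF-TRUSTED
  police 256000 conform-action transmit exceed-action drop
 ! Everything else punted to the CPU gets a conservative aggregate limit.
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verification: per-class match and drop counters.
! show policy-map control-plane
! show access-lists NETCONF-UNTRUSTED
```

Two caveats a practitioner would check before relying on this: CoPP only sees traffic that is actually punted to the route processor, and as the reply notes the punt path is platform-specific, so confirm with `show policy-map control-plane` that the untrusted class is incrementing when a connection from outside the prefix is attempted. It also governs only where sessions may come from; what an authenticated user may do over the session (the get versus edit-config distinction in the second bullet) is an AAA/authorization question that this policy does not address. IOS-XR uses different mechanisms (LPTS and the SSH server's own access-list options) and is not shown here.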
