Netconf Security

rthakker
Level 1

Apologies for the basic question. I am enabling Netconf on XR & XE platforms, but I am a bit worried about the security aspect of Netconf, so I am trying to grant least-privilege access to the client.

  • When configuring CoPP or any other way to restrict specific IP to only allow Netconf?
  • My Netconf user is authenticated / authorised by TACACS or ISE, so is there any way to restrict what the user can do? For example, the user should be able to do get and get-config but shouldn't be able to run edit-config, reload chassis, etc.
  • Is there any way to monitor from the XR and XE devices what Netconf activity (get, get-config, edit-config, etc.) is taking place, using SNMP polling (any OIDs), traps or Syslog messages, to assist with an audit trail?
  • Looking at "show netconf-yang trace", I can see a lot of activity, but I am not sure how to convert some of it into Syslog messages for audit.

Any advice is greatly appreciated,

Ritesh

1 Reply

gschudel
Cisco Employee