Apologies for the basic question. I am enabling Netconf on the XR and XE platforms, but I am a bit worried about the security aspect of Netconf, so I am trying to grant least-privilege access to the client.
- Can CoPP or any other method be used to restrict Netconf access to specific IPs only?
- My Netconf user is authenticated/authorised by TACACS or ISE, so is there any way to restrict what the user can do? For example, the user should be able to do get and get-config but shouldn't be able to run edit-config, reload the chassis, etc.
- Is there any way to monitor Netconf activity (get, get-config, edit-config, etc.) from the XR and XE devices using SNMP polling (any OIDs), traps, or syslog messages to assist with an audit trail?
- Looking at "show netconf-yang trace" I can see a lot of activity, but I am not sure how to convert some of it into syslog messages for audit purposes.
Any advice is greatly appreciated,
Ritesh
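An added example, not part of the post above: the "get and get-config but no edit-config" requirement expressed with the standard NETCONF Access Control Model (NACM, RFC 8341, YANG module ietf-netconf-acm), plus a small offline check of the RPC-level decision before the rule-list is pushed to a device. It assumes the device advertises ietf-netconf-acm in its hello capabilities; the group, user and rule names are constructed placeholders.

```python
"""Build an RFC 8341 NACM rule-list that lets a read-only group run <get>
and <get-config> but no other RPC, and mirror the server's RPC-level
decision so the policy can be checked offline (constructed example)."""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
ET.register_namespace("", NS)  # emit the module namespace as the default xmlns

@dataclass
class Rule:
    name: str
    rpc_name: str  # "*" matches every protocol operation
    action: str    # "permit" or "deny"

# NACM evaluates rules in order and the first match wins (RFC 8341 s.3.4.4);
# the final "*" deny is needed because the model's exec-default is "permit".
READ_ONLY_RULES = [
    Rule("permit-get", "get", "permit"),
    Rule("permit-get-config", "get-config", "permit"),
    Rule("deny-other-rpcs", "*", "deny"),
]

def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    el.text = text
    return el

def build_nacm_config(group: str, users: list, rules: list) -> str:
    """Serialize a <nacm> subtree: one group and one rule-list bound to it."""
    nacm = ET.Element(f"{{{NS}}}nacm")
    _sub(nacm, "enable-nacm", "true")
    grp = _sub(_sub(nacm, "groups"), "group")
    _sub(grp, "name", group)
    for u in users:
        _sub(grp, "user-name", u)  # placeholder user names, constructed
    rl = _sub(nacm, "rule-list")
    _sub(rl, "name", f"{group}-rules")
    _sub(rl, "group", group)
    for r in rules:
        rule = _sub(rl, "rule")
        _sub(rule, "name", r.name)
        _sub(rule, "rpc-name", r.rpc_name)
        _sub(rule, "access-operations", "exec")
        _sub(rule, "action", r.action)
    return ET.tostring(nacm, encoding="unicode")

def rpc_allowed(rules: list, rpc: str, exec_default: str = "permit") -> bool:
    """First matching rule decides; no match falls back to exec-default."""
    for r in rules:
        if r.rpc_name in ("*", rpc):
            return r.action == "permit"
    return exec_default == "permit"
```

The returned XML is the payload for an edit-config against the running datastore; NACM does not restrict source addresses, so pair it with the platform's SSH/NETCONF access-list for the IP question.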