Best-practice security configuration templates for Cisco IOS-XR, covering AAA (TACACS+), SSH, control-plane (management-plane) filtering, NTP, SNMP and syslog. Angle-bracketed values are placeholders for site-specific names, addresses and keys. The templates assume an out-of-band management design: the TACACS+, NTP and SNMP servers are reached through a VRF named `management` over the MgmtEth interfaces of both route processors.
AAA (TACACS+)

```
aaa accounting exec default start-stop group <GROUPNAME> group tacacs+
aaa accounting commands default start-stop group <GROUPNAME> group tacacs+
aaa group server tacacs+ <GROUPNAME>
 vrf management
 server-private <ISE/TACACS IP#1> port 49
  key 7 <TACACS KEY>
 !
 server-private <ISE/TACACS IP#2> port 49
  key 7 <TACACS KEY>
 !
!
aaa authorization exec default group <GROUPNAME> group tacacs+ none
aaa authorization commands default group <GROUPNAME> group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group <GROUPNAME> group tacacs+ local
aaa default-taskgroup netadmin
```

Notes on this block:

- `start-stop` accounting for both exec sessions and commands gives the TACACS+ server a per-command audit trail; make sure the server actually stores it.
- Authentication falls back to `local` when no TACACS+ server answers, so a local break-glass account with a strong secret must exist, otherwise the router is unreachable during a TACACS+ outage.
- Authorization falls back to `none`: while the servers are down, anyone who authenticates locally is authorized for every command with no server-side record. That is an availability trade-off; if the local account is already a full admin, `local` is a tighter fallback than `none`.
- `aaa default-taskgroup netadmin` is the task group given to users whose TACACS+ profile returns no task group. Keep the server profiles explicit (read-only operators in their own task group), or this default quietly grants them full rights.
- `key 7` is Cisco type 7 obfuscation, which is reversible, so `show running-config` output and configuration backups contain the TACACS+ shared secret in recoverable form and must be handled as secrets.
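Why the `key 7 <TACACS KEY>` lines in the AAA template need the configuration itself to be protected, as an added example in Python (not from the original page): type 7 is a fixed-key XOR, so any copy of the running-config yields the TACACS+ shared secret. The XLAT byte string is Cisco's public type 7 key stream; the sample config block, the server address and the TAC_SRV group name are constructed for the example. 094F471A1A0A is the well-known type 7 form of the string "cisco".

```python
import re

# Fixed XOR key stream that Cisco's type 7 obfuscation uses. It is public and
# identical on every device, which is why type 7 is obfuscation, not encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a type 7 string.

    Format: two decimal digits giving the start offset into XLAT, then one
    hex byte pair per plaintext character, each XORed with the next XLAT byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode()


def type7_encode(plain: str, offset: int = 9) -> str:
    """Produce a type 7 string, as the router does when a key is entered in clear."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = plain.encode()
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


# 'key 7', 'password 7' and 'secret 7' all carry type 7 strings. 'secret 5'
# is a salted MD5 hash and is not reversible, so it is deliberately excluded.
TYPE7_LINE = re.compile(r"^\s*(?:key|password|secret)\s+7\s+([0-9A-Fa-f]{4,})\s*$", re.M)


def find_type7_keys(config: str) -> list:
    """Return (encoded, decoded) pairs for every type 7 string in a config text."""
    return [(m.group(1), type7_decode(m.group(1))) for m in TYPE7_LINE.finditer(config)]


# Constructed sample (not from a real device) in the shape of the template's
# 'aaa group server tacacs+' block; the group name and address are made up.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TAC_SRV
 vrf management
 server-private 192.0.2.5 port 49
  key 7 094F471A1A0A
 !
!
"""

if __name__ == "__main__":
    for enc, dec in find_type7_keys(SAMPLE_CONFIG):
        print(f"key 7 {enc} -> {dec}")
```

Run `find_type7_keys` over a saved `show running-config` before the file goes into a ticket, a wiki or a repository: every hit is a shared secret that the reader of that file now knows. The router shows the key in this form whether it was pasted as a type 7 string or typed in clear, so the control is access to configuration backups (and rotation of the shared secret when a backup leaks), not a different keyword.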
SSHv2

```
ssh server v2
ssh server vrf default
ssh server vrf management
ssh server logging
ssh timeout <in secs>
!
line <LINE NAME>
 secret 5 <Password>
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress <ACL-SSH>
 session-timeout 5
 transport input ssh
!
ipv4 access-list <ACL-SSH>
 10 permit ipv4 host <JUMPHOST IP#1> any
 20 permit ipv4 host <JUMPHOST IP#2> any
!
```

Notes on this block:

- `ssh server v2` refuses SSHv1. `ssh timeout` is the time in seconds a client has to finish authenticating (default 30); keep it short so half-open logins do not hold VTYs.
- `ssh server vrf default` listens on every interface in the global routing table. If management is truly out-of-band, omit it; if it must stay, bind the ACL to the service as well (`ssh server vrf <VRF> ipv4 access-list <ACL-SSH>`), so unwanted sources are dropped before a VTY is consumed.
- In IOS-XR the line stanza is `line default` or `line template <LINE NAME>`; a template only takes effect once it is attached to a VTY pool (`vty-pool default 0 99 line-template <LINE NAME>`). The `access-class ingress` ACL, `transport input ssh` and the five-minute `exec-timeout` / `session-timeout` are what limit who can reach a VTY and how long an idle session survives.
- The ACL ends in an implicit deny, so only the two jump hosts can open a session. Verify with `show ssh` after applying, from a jump host and from a non-jump host.
Control-Plane Filtering (Management Plane Protection)

```
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 <JUMPHOST IP#1>
     address ipv4 <JUMPHOST IP#2>
    !
    allow SNMP peer
     address ipv4 <SNMP SERVER#1>
     address ipv4 <SNMP SERVER#2>
    !
   !
   interface MgmtEth0/RP1/CPU0/0
    allow SSH peer
     address ipv4 <JUMPHOST IP#1>
     address ipv4 <JUMPHOST IP#2>
    !
    allow SNMP peer
     address ipv4 <SNMP SERVER#1>
     address ipv4 <SNMP SERVER#2>
    !
   !
  !
 !
!
```

Notes on this block:

- Once MPP is configured, a management protocol that is not explicitly allowed on one of these interfaces is dropped there, independently of the interface or line ACLs. Both RP management interfaces are listed so the policy survives an RP switchover.
- The `peer` lists are a second, service-level allow-list: SSH only from the jump hosts, SNMP only from the NMS. If another tool (NETCONF, TFTP for images, an additional NMS) must reach the MgmtEth, it needs its own `allow` entry, otherwise it silently stops working.
- Apply this from a jump host that is in the list, keep a console path, and confirm with `show mgmt-plane` before saving.
NTP

```
ntp
 server vrf management <NTP SERVER#1>
 server vrf management <NTP SERVER#2>
 access-group ipv4 peer <ACL-NTP-PEER>
 access-group ipv4 query-only <ACL-NTP-QUERY>
 access-group ipv6 peer <ACL-NTP-PEER-IPv6>
 access-group ipv6 query-only <ACL-NTP-QUERY-IPv6>
 update-calendar
!
ipv4 access-list <ACL-NTP-PEER>
 10 permit ipv4 host <NTP SERVER#1> any
 20 permit ipv4 host <NTP SERVER#2> any
!
ipv4 access-list <ACL-NTP-QUERY>
 10 deny ipv4 any any
!
ipv6 access-list <ACL-NTP-PEER-IPv6>
 10 deny ipv6 any any
!
ipv6 access-list <ACL-NTP-QUERY-IPv6>
 10 deny ipv6 any any
!
```

Notes on this block:

- The `peer` ACL limits the sources the router will synchronize with to the two configured servers; the `query-only` deny-all refuses NTP control queries (the mode 6/7 requests used for information leaks and reflection), and the IPv6 deny-all ACLs close IPv6 NTP entirely. Once any access-group is configured, sources not matched by one of them get no NTP service at all.
- `update-calendar` copies the synchronized time to the hardware clock so the router boots with a sane time before NTP is reachable, which matters for certificate validation and log correlation.
- The ACLs pin the time source by address only. If the servers support it, add NTP authentication (`authenticate`, `authentication-key`, `trusted-key`, and `key` on each `server` line) so a spoofed server address cannot move the clock.
- Check with `show ntp associations` and `show ntp status`: both servers should be reachable and one marked as the sync source.
SNMPv3

```
snmp-server user <SNMP-USER> <SNMP-GROUP> v3 auth sha encrypted <auth password> priv aes <128/192/256> encrypted <privacy password> IPv4 <SNMP-ACL>
snmp-server view ALL_VIEW 1.3 included
snmp-server group <SNMP-GROUP> v3 priv read ALL_VIEW notify ALL_VIEW IPv4 <SNMP-ACL>
```

Notes on this block:

- The group is `v3 priv`, so every request must be both authenticated and encrypted. `md5` and `des56` are still accepted by the parser but should not be used; `sha` with `aes` is the combination to keep.
- The group has a `read` view and a `notify` view but no `write` view, so the NMS can poll and receive notifications but cannot change configuration over SNMP. `ALL_VIEW 1.3 included` exposes the whole MIB tree read-only; narrow it if the NMS only needs interface and system MIBs.
- `<SNMP-ACL>` is referenced on both lines but not defined on this page; build it like `<ACL-SSH>` above, permitting only the SNMP servers.
- The `encrypted` form of the two passwords is localized to the router's SNMP engine ID, so a template carrying pre-encrypted strings only pastes cleanly onto a box with the same engine ID. For a new device, use `clear` and let the router encrypt, then copy the resulting line from `show running-config`.
- Verify with `show snmp user` and `show snmp group`.
SNMP Traps (v2c)

```
snmp-server traps <traps name>
snmp-server vrf management
 host <TRAPSERVER#1> traps <TRAPS Password>
 host <TRAPSERVER#2> traps <TRAPS Password>
!
```

Notes on this block:

- `snmp-server traps <traps name>` enables one notification type per line (repeat it for each type the NMS expects).
- `<TRAPS Password>` is an SNMPv2c community string and travels in cleartext in every trap sent across the management VRF. Since the v3 user above already exists, the same `host` lines can send v3 traps instead by replacing the community with `traps version 3 priv <SNMP-USER>`, which keeps polling and notifications on the same authenticated, encrypted credential.
- If v2c traps have to stay, give the community a long random value that is not reused for polling, because a community string that appears in a trap capture must be assumed known.
SYSLOG

```
logging facility local6
logging <SYSLOG#1> vrf <VRFNAME> severity <Severity> port default
logging <SYSLOG#2> vrf <VRFNAME> severity <Severity> port default
logging hostnameprefix <HOSTNAME>
```

Notes on this block:

- Two collectors, each on its own line, so losing one does not lose the audit trail; the original template repeated `<SYSLOG#1>` on both lines, which silently leaves a single collector.
- `port default` is UDP 514 in cleartext, so the collectors must sit on the management VRF, not on a path shared with customer traffic. `logging hostnameprefix` stamps the router name on each message so the collector can attribute it even when messages arrive through NAT or a relay.
- Add `logging source-interface <INTERFACE> vrf <VRFNAME>` so messages always leave from one stable address; the collector's allow-list and the correlation of messages to a device both depend on it.
- `logging facility local6` is what the collector filters on; keep the facility consistent across the fleet so one rule catches all network devices.
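A compliance check for the points in these templates, as an added example in Python (not from the original page): it reads an IOS-XR running-config as text and reports where the AAA, SSH, SNMP, NTP, syslog and VTY settings deviate from the practice described above. The two sample configurations, their server group name, addresses and user names are constructed for the example and are not from a real device.

```python
import re

# Constructed sample IOS-XR running-config excerpts (not from a real device).
# WEAK_CONFIG breaks most of the template's rules; HARDENED_CONFIG follows them.
WEAK_CONFIG = """\
ssh server v2
ssh server vrf default
ssh server vrf management
aaa authorization exec default group TAC_SRV group tacacs+ none
aaa authorization commands default group TAC_SRV group tacacs+ none
aaa authentication login default group TAC_SRV group tacacs+ local
aaa default-taskgroup netadmin
snmp-server community public RO
snmp-server user nms SNMP-GROUP v3 auth md5 encrypted 0A1B priv des56 encrypted 0A1B
snmp-server host 192.0.2.10 traps trapsecret
ntp
 server vrf management 192.0.2.20
!
logging 192.0.2.30 vrf management severity informational port default
line default
 exec-timeout 0 0
"""

HARDENED_CONFIG = """\
ssh server v2
ssh server vrf management ipv4 access-list ACL-SSH
ssh server logging
aaa authorization exec default group TAC_SRV group tacacs+ local
aaa authorization commands default group TAC_SRV group tacacs+ local
aaa authentication login default group TAC_SRV group tacacs+ local
snmp-server user nms SNMP-GROUP v3 auth sha encrypted 0A1B priv aes 256 encrypted 0A1B IPv4 ACL-SNMP
snmp-server host 192.0.2.10 traps version 3 priv nms
ntp
 server vrf management 192.0.2.20
 server vrf management 192.0.2.21
 access-group ipv4 peer ACL-NTP-PEER
 access-group ipv4 query-only ACL-NTP-QUERY
!
logging 192.0.2.30 vrf management severity informational port default
logging 192.0.2.31 vrf management severity informational port default
logging hostnameprefix pe1
line default
 exec-timeout 5 0
"""


def audit(config: str) -> list:
    """Return a list of findings (strings) for an IOS-XR config text."""
    lines = config.splitlines()

    def grep(pattern):
        return [l for l in lines if re.search(pattern, l)]

    def has(pattern):
        return bool(grep(pattern))

    findings = []
    # SSH: v2 only, and every enabled VRF restricted by a service ACL or by MPP.
    if not has(r"^ssh server v2\b"):
        findings.append("SSH: 'ssh server v2' missing")
    mpp_ssh = has(r"^\s+allow SSH\b")
    for l in grep(r"^ssh server vrf \S+"):
        if "access-list" not in l and not mpp_ssh:
            findings.append(f"SSH: no ACL or MPP peer list on '{l.strip()}'")
    # AAA: 'none' fallback and a permissive default task group.
    for l in grep(r"^aaa authorization .*\bnone\s*$"):
        findings.append(f"AAA: 'none' fallback authorizes every command when TACACS+ is down: '{l.strip()}'")
    if has(r"^aaa default-taskgroup netadmin\b"):
        findings.append("AAA: default-taskgroup netadmin gives admin rights to users with no server-assigned task group")
    # SNMP: no v1/v2c communities, strong v3 algorithms, v3 traps.
    for l in grep(r"^snmp-server community "):
        findings.append(f"SNMP: v1/v2c community present: '{l.strip()}'")
    for l in grep(r"^snmp-server user .*\bv3\b"):
        if re.search(r"\bauth md5\b", l):
            findings.append(f"SNMP: v3 user authenticates with MD5, prefer sha: '{l.split()[2]}'")
        if re.search(r"\bpriv des56\b", l):
            findings.append(f"SNMP: v3 user encrypts with DES, prefer aes: '{l.split()[2]}'")
    for l in grep(r"^(snmp-server )?\s*host \S+ traps\b"):
        if "version 3" not in l:
            findings.append(f"SNMP: trap host uses a cleartext community: '{l.strip()}'")
    # NTP: two sources, and a query-only ACL so control queries are refused.
    if has(r"^ntp\b"):
        if len(grep(r"^\s+server (vrf \S+ )?\S+")) < 2:
            findings.append("NTP: fewer than two servers configured")
        if not has(r"^\s+access-group .*\bquery-only\b"):
            findings.append("NTP: no query-only access-group; NTP control queries are answered from anywhere")
    # Syslog: two collectors, hostname prefix for attribution.
    if len(grep(r"^logging \S+ vrf \S+")) < 2:
        findings.append("SYSLOG: fewer than two syslog hosts configured")
    if not has(r"^logging hostnameprefix \S+"):
        findings.append("SYSLOG: 'logging hostnameprefix' missing; messages carry no router name")
    # VTY: idle sessions must expire.
    for l in grep(r"^\s+exec-timeout 0 0\b"):
        findings.append("VTY: exec-timeout 0 0 never logs out an idle session")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print(f"hardened config: {len(audit(HARDENED_CONFIG))} findings")
```

The checks are line-oriented on purpose: IOS-XR prints one setting per line with submode indentation, so a saved `show running-config` from each router can be fed through `audit` in a loop (or a CI job over a config repository) and a non-empty result blocks the change. The rules cover only what this page's templates address; a real baseline would add checks for the line template, the management-plane peer lists and the NTP peer ACL contents.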