Best Security Template of Cisco IOS-XR for AAA,SSH,NTP,SNMP and Syslog

Here is a best-practice security template configuration for Cisco IOS-XR covering AAA, SSH, NTP, SNMP and Syslog. Angle-bracket values are placeholders to be replaced per deployment.

AAA (TACACS)
aaa accounting exec default start-stop group <GROUPNAME> group tacacs+
aaa accounting commands default start-stop group <GROUPNAME> group tacacs+
aaa group server tacacs+ <GROUPNAME>
 vrf management
 server-private <ISE/TACACS IP#1> port 49
  key 7 <TACACS KEY>
 !
 server-private <ISE/TACACS IP#2> port 49
  key 7 <TACACS KEY>
 !
aaa authorization exec default group <GROUPNAME> group tacacs+ none
aaa authorization commands default group <GROUPNAME> group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group <GROUPNAME> group tacacs+ local
aaa default-taskgroup netadmin
SSHv2
ssh server v2
ssh server vrf default
ssh server vrf management
ssh server logging
ssh timeout <in secs>

line <LINE NAME>
 secret 5 <Password>
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress <ACL-SSH>
 session-timeout 5
 transport input ssh

ipv4 access-list <ACL-SSH>
 10 permit ipv4 host <JUMPHOST IP#1> any 
 20 permit ipv4 host <JUMPHOST IP#2> any
Control-Plane Filtering
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 <JUMPHOST IP#1>
     address ipv4 <JUMPHOST IP#2>
    !
    allow SNMP peer
     address ipv4 <SNMP SERVER#1>
     address ipv4 <SNMP SERVER#2>
    !
   !
   interface MgmtEth0/RP1/CPU0/0
    allow SSH peer
     address ipv4 <JUMPHOST IP#1>
     address ipv4 <JUMPHOST IP#2>
    !
    allow SNMP peer
     address ipv4 <SNMP SERVER#1>
     address ipv4 <SNMP SERVER#2>
    !
   !
  !
 !
!
NTP
ntp
 server vrf management <NTP SERVER#1>
 server vrf management <NTP SERVER#2>
 access-group ipv4 peer <ACL-NTP-PEER>
 access-group ipv4 query-only <ACL-NTP-QUERY>
 access-group ipv6 peer <ACL-NTP-PEER-IPv6>
 access-group ipv6 query-only <ACL-NTP-QUERY-IPv6>
 update-calendar
!

ipv4 access-list <ACL-NTP-PEER>
 10 permit ipv4 host <NTP SERVER#1> any
 20 permit ipv4 host <NTP SERVER#2> any

ipv4 access-list <ACL-NTP-QUERY>
 10 deny ipv4 any any 

ipv6 access-list <ACL-NTP-PEER-IPv6>
 10 deny ipv6 any any 

ipv6 access-list <ACL-NTP-QUERY-IPv6>
 10 deny ipv6 any any
SNMPv3
snmp-server user <SNMP-USER> <SNMP-GROUP> v3 auth <md5/sha> encrypted <password> priv aes <128/192/256> encrypted <privacy password> IPv4 <SNMP-ACL>
snmp-server view ALL_VIEW 1.3 included
snmp-server group <SNMP-GROUP> v3 priv notify ALL_VIEW read ALL_VIEW IPv4 <SNMP-ACL>
SNMP Traps v2
snmp-server traps <traps name>

snmp-server vrf management
 host <TRAPSERVER#1> traps <TRAPS Password>
 host <TRAPSERVER#2> traps <TRAPS Password>
!
SYSLOG
logging facility local6
logging <SYSLOG#1> vrf <VRFNAME> severity <Severity> port default
logging <SYSLOG#2> vrf <VRFNAME> severity <Severity> port default
logging hostnameprefix <HOSTNAME>
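As an added example that is not part of the original post, the Python script below audits a saved IOS-XR running configuration against the template above: SSH version 2 only, SSH-only lines with an ingress ACL, SNMPv3 with AES privacy and no v1/v2c community strings, NTP with both peer and query-only IPv4 access-groups, a remote syslog collector, and TACACS+ login authentication with local fallback. The checks are my reading of the template, the sample configuration is constructed for the demonstration and is not from a real device, and the stanza parser only handles one level of indentation, which is enough for these checks.

```python
import re

# Constructed sample IOS-XR running-config excerpt (not from a real device);
# it deliberately deviates from the template in two places.
SAMPLE_CONFIG = """\
hostname lab-xr-1
ssh server v2
ssh server vrf management
ssh timeout 60
line console
 exec-timeout 5 0
!
line default
 secret 5 $1$abcd$PLACEHOLDER
 login authentication default
 exec-timeout 5 0
 access-class ingress ACL-SSH
 session-timeout 5
 transport input ssh
!
snmp-server community public RO
snmp-server user netmon SNMP_GROUP v3 auth sha encrypted 0123 priv aes 128 encrypted 4567 IPv4 SNMP-ACL
snmp-server group SNMP_GROUP v3 priv notify ALL_VIEW read ALL_VIEW IPv4 SNMP-ACL
ntp
 server vrf management 192.0.2.10
 access-group ipv4 query-only ACL-NTP-QUERY
!
logging 192.0.2.20 vrf management severity informational port default
aaa authentication login default group TAC group tacacs+ local
"""


def parse_stanzas(config: str):
    """Split an IOS-XR config into (header, [child lines]) pairs.

    A line at column 0 starts a stanza; indented lines belong to the most
    recent stanza; blank lines and '!' separators are ignored. Deeper nesting
    is flattened into the enclosing stanza.
    """
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def audit(config: str):
    """Return a list of deviations from the hardening template, in check order."""
    stanzas = parse_stanzas(config)
    headers = [h for h, _ in stanzas]
    findings = []

    # SSH: protocol version 2 must be enabled.
    if "ssh server v2" not in headers:
        findings.append("ssh server v2 is not configured")

    # Lines other than console: SSH-only transport and an ingress ACL.
    for header, body in stanzas:
        if header.startswith("line ") and header != "line console":
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(l.startswith("access-class ingress ") for l in body):
                findings.append(f"{header}: no ingress access-class")

    # SNMP: v3 users with AES privacy; any community string means v1/v2c is live.
    for h in headers:
        if h.startswith("snmp-server community "):
            findings.append(f"SNMPv1/v2c community configured: {h}")
    v3_users = [h for h in headers if re.match(r"snmp-server user \S+ \S+ v3 ", h)]
    if not v3_users:
        findings.append("no SNMPv3 user configured")
    for h in v3_users:
        if " priv aes " not in h:
            findings.append(f"SNMPv3 user without AES privacy: {h}")

    # NTP: both peer and query-only access-groups must be applied for IPv4.
    ntp = next((body for h, body in stanzas if h == "ntp"), None)
    if ntp is None:
        findings.append("ntp is not configured")
    else:
        for kind in ("peer", "query-only"):
            if not any(l.startswith(f"access-group ipv4 {kind} ") for l in ntp):
                findings.append(f"ntp: missing ipv4 {kind} access-group")

    # Syslog: at least one remote collector reachable through a VRF.
    if not any(re.match(r"logging \S+ vrf ", h) for h in headers):
        findings.append("no remote syslog host configured")

    # AAA: TACACS+ login authentication with local fallback as the last method.
    login = next((h for h in headers if h.startswith("aaa authentication login default ")), None)
    if login is None:
        findings.append("aaa authentication login default is not configured")
    elif "tacacs+" not in login or not login.endswith(" local"):
        findings.append("aaa authentication login default lacks tacacs+ with local fallback")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports the stray SNMPv2c community string and the missing NTP peer access-group; against a real device, feed it the output of `show running-config` saved to a file. The parser deliberately keys on column-0 headers rather than a full IOS-XR grammar, so nested blocks such as control-plane filtering would need a dedicated check if you extend it.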
