diff options
Diffstat (limited to 'docs/cisco_iosxr.md')
| -rw-r--r-- | docs/cisco_iosxr.md | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/docs/cisco_iosxr.md b/docs/cisco_iosxr.md new file mode 100644 index 0000000..de6c51c --- /dev/null +++ b/docs/cisco_iosxr.md @@ -0,0 +1,103 @@ +# Looking Glass: Cisco IOS XR configuration and tips. + +Cisco IOS XR support is rather straightforward thanks to the tasks mecanism. + +## Security and user access + +As security by least privilege is quite efficient, using a restricted user to +execute the commands is advised. + +A root-system access is not necessary, a read-only-tg user is not sufficient +though. So it is better to define a new group of users with access to +specific commands to restrict the looking glass user to what it actually needs +(no more, no less). This is done using **taskgroup** and **usergroup**. + +## Configuration: Task and User Groups + +Log in your Cisco router and type the following commands: + +``` +RP/0/0/CPU0:router#configure +RP/0/0/CPU0:router(config)# taskgroup looking-glass +RP/0/0/CPU0:router(config-tg)#description "Looking Glass required tasks" +RP/0/0/CPU0:router(config-tg)#task read bgp +RP/0/0/CPU0:router(config-tg)#task read basic-services +RP/0/0/CPU0:router(config-tg)#task write basic-services +RP/0/0/CPU0:router(config-tg)#task execute basic-services +RP/0/0/CPU0:router(config-tg)#exit +RP/0/0/CPU0:router(config)#usergroup looking-glass +RP/0/0/CPU0:router(config-ug)#description "Looking Glass users" +RP/0/0/CPU0:router(config-ug)#taskgroup looking-glass +RP/0/0/CPU0:router(config-ug)#exit +RP/0/0/CPU0:router(config)#username <username> +RP/0/0/CPU0:router(config-un)#group looking-glass +RP/0/0/CPU0:router(config-un)# password <password> +RP/0/0/CPU0:router(config-un)#exit +RP/0/0/CPU0:router(config)#commit +RP/0/0/CPU0:router(config)#exit +``` + +Here is the formal configuration for simple copy/paste. +``` +taskgroup looking-glass +taskgroup looking-glass task read bgp +taskgroup looking-glass task read basic-services +taskgroup looking-glass task write basic-services +taskgroup looking-glass task execute basic-services +taskgroup looking-glass description "Looking Glass required tasks" +usergroup looking-glass +usergroup looking-glass taskgroup looking-glass +usergroup looking-glass description "Looking Glass users" +username <username> +username <username> group read-only-tg +username <username> group looking-glass +username <username> secret <password> +``` + +SSH pubkey based authentication is preferred too even if it is pretty boring +to setup with IOS XR. + +The first thing to do is checking the size of the key to use. There are +limitations depending on the hardware. ASR router supports 1024 bit key size +or smaller contrary to what the manual says (supporting up to 2048 bit). + +Supposing that the key is located in `~/.ssh/id_rsa.pub`, a binary base64 file +of the key must be created to be imported inside the router. + +``` +cut -d" " -f2 ~/.ssh/id_rsa.pub | base64 -d >| id_rsa.pub.b64 +``` + +This file can be uploaded on the router in order to be imported. Here is how to do this : + +``` +RP/0/0/CPU0:router#admin +RP/0/0/CPU0:router(admin)#crypto key import authentication rsa username lg id_rsa.pub.b64 +RP/0/0/CPU0:router(admin)#exit +``` + +And to check that the key has been imported properly: + +``` +RP/0/0/CPU0:router#admin +RP/0/0/CPU0:router(admin)#show crypto key authentication rsa username lg +Key label: lg +Type : RSA public key authentication +Size : 1024 +Imported : 00:00:00 UTC Tue Oct 11 2016 +Data : + ... +``` + +And that should be enough. + +## Debug + +Test the SSH connection from the server where the looking glass is installed +and you should see some outputs in your logs. Be careful to potential SSH +connections rate limit if you do heavy testing. + + +## References + + * [1] https://supportforums.cisco.com/document/61306/asr9000xr-using-task-groups-and-understanding-priv-levels-and-authorization |