Diffstat (limited to 'docs')
-rw-r--r--  docs/cisco_iosxr.md     103
-rw-r--r--  docs/configuration.md    17
2 files changed, 113 insertions, 7 deletions
diff --git a/docs/cisco_iosxr.md b/docs/cisco_iosxr.md new file mode 100644 index 0000000..de6c51c --- /dev/null +++ b/docs/cisco_iosxr.md 
@@ -0,0 +1,103 @@ +# Looking Glass: Cisco IOS XR configuration and tips. + +Cisco IOS XR support is rather straightforward thanks to the tasks mecanism. + +## Security and user access + +As security by least privilege is quite efficient, using a restricted user to +execute the commands is advised. + +A root-system access is not necessary, a read-only-tg user is not sufficient +though. So it is better to define a new group of users with access to +specific commands to restrict the looking glass user to what it actually needs +(no more, no less). This is done using **taskgroup** and **usergroup**. + +## Configuration: Task and User Groups + +Log in your Cisco router and type the following commands: + +``` +RP/0/0/CPU0:router#configure +RP/0/0/CPU0:router(config)# taskgroup looking-glass +RP/0/0/CPU0:router(config-tg)#description "Looking Glass required tasks" +RP/0/0/CPU0:router(config-tg)#task read bgp +RP/0/0/CPU0:router(config-tg)#task read basic-services +RP/0/0/CPU0:router(config-tg)#task write basic-services +RP/0/0/CPU0:router(config-tg)#task execute basic-services +RP/0/0/CPU0:router(config-tg)#exit +RP/0/0/CPU0:router(config)#usergroup looking-glass +RP/0/0/CPU0:router(config-ug)#description "Looking Glass users" +RP/0/0/CPU0:router(config-ug)#taskgroup looking-glass +RP/0/0/CPU0:router(config-ug)#exit +RP/0/0/CPU0:router(config)#username <username> +RP/0/0/CPU0:router(config-un)#group looking-glass +RP/0/0/CPU0:router(config-un)# password <password> +RP/0/0/CPU0:router(config-un)#exit +RP/0/0/CPU0:router(config)#commit +RP/0/0/CPU0:router(config)#exit +``` + +Here is the formal configuration for simple copy/paste. 
+``` +taskgroup looking-glass +taskgroup looking-glass task read bgp +taskgroup looking-glass task read basic-services +taskgroup looking-glass task write basic-services +taskgroup looking-glass task execute basic-services +taskgroup looking-glass description "Looking Glass required tasks" +usergroup looking-glass +usergroup looking-glass taskgroup looking-glass +usergroup looking-glass description "Looking Glass users" +username <username> +username <username> group read-only-tg +username <username> group looking-glass +username <username> secret <password> +``` + +SSH pubkey based authentication is preferred too even if it is pretty boring +to setup with IOS XR. + +The first thing to do is checking the size of the key to use. There are +limitations depending on the hardware. ASR router supports 1024 bit key size +or smaller contrary to what the manual says (supporting up to 2048 bit). + +Supposing that the key is located in `~/.ssh/id_rsa.pub`, a binary base64 file +of the key must be created to be imported inside the router. + +``` +cut -d" " -f2 ~/.ssh/id_rsa.pub | base64 -d >| id_rsa.pub.b64 +``` + +This file can be uploaded on the router in order to be imported. Here is how to do this : + +``` +RP/0/0/CPU0:router#admin +RP/0/0/CPU0:router(admin)#crypto key import authentication rsa username lg id_rsa.pub.b64 +RP/0/0/CPU0:router(admin)#exit +``` + +And to check that the key has been imported properly: + +``` +RP/0/0/CPU0:router#admin +RP/0/0/CPU0:router(admin)#show crypto key authentication rsa username lg +Key label: lg +Type : RSA public key authentication +Size : 1024 +Imported : 00:00:00 UTC Tue Oct 11 2016 +Data : + ... +``` + +And that should be enough. + +## Debug + +Test the SSH connection from the server where the looking glass is installed +and you should see some outputs in your logs. Be careful to potential SSH +connections rate limit if you do heavy testing. 
+ + +## References + + * [1] https://supportforums.cisco.com/document/61306/asr9000xr-using-task-groups-and-understanding-priv-levels-and-authorization diff --git a/docs/configuration.md b/docs/configuration.md index bb1a210..7b7a543 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -117,11 +117,13 @@ interact with it. ```php $config['routers']['router1']['type'] = 'juniper'; ``` -The router type can be Juniper, Cisco, Quagga or BIRD. You can take a look at -the specific documentation for your router. Possible values are: +The router type can be Juniper, Cisco (IOS or IOS-XR), Quagga or BIRD. You can +take a look at the specific documentation for your router. Possible values +are: * juniper **or** junos * cisco **or** ios + * ios-xr **or** iosxr * bird * quagga **or** zebra @@ -132,14 +134,15 @@ with: ```php $config['routers']['router1']['source-interface-id'] = 'lo0'; ``` -for Cisco and Juniper routers (change lo0 with your interface), and with: +for Cisco (except IOS XR) and Juniper routers (change lo0 with your +interface), and with: ```php -$config['routers']['router1']['source-interface-id']['ipv4'] = '192.168.1.1'; $config['routers']['router1']['source-interface-id']['ipv6'] = '2001:db8::1'; +$config['routers']['router1']['source-interface-id']['ipv4'] = '192.168.1.1'; ``` -for BIRD and Quagga routers (use your own IP addresses). Omitting the IPv4 or -the IPv6 version of the source address will result in the router trying to use -the best IP address to contact the destination. +for Cisco IOS XR, BIRD and Quagga routers (use your own IP addresses). +Omitting the IPv6 or the IPv4 version of the source address will result in the +router trying to use the best IP address to contact the destination. After that you need to set the authentication information for the looking glass to be able to log into the router. For this you select a type of |
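Review bot: in the cisco_iosxr.md hunk, the "formal configuration for simple copy/paste" block contradicts both the interactive walkthrough above it and the least-privilege argument the section opens with: it adds `username <username> group read-only-tg`, which the interactive commands never issue and which the text itself says is not the right fit, and it uses `secret <password>` where the interactive version uses `password <password>`. Drop the read-only-tg line (the looking-glass taskgroup already carries the read bgp and basic-services tasks it needs) or state why it is required, and make both blocks use `secret`, which stores the credential hashed rather than reversibly. Two more gaps in the same hunk: `task write basic-services` is granted without saying which looking-glass operation needs write access, and the claim that ASR routers accept only 1024-bit keys "contrary to what the manual says" names no platform or IOS XR release while steering users to a key size below the 2048-bit minimum generally recommended today; say where this was observed and flag the trade-off. Minor: `id_rsa.pub.b64` holds the base64-decoded (binary) key, so the file name and the phrase "a binary base64 file" are misleading; "mecanism" should be "mechanism" and "Log in your Cisco router" should be "Log in to your Cisco router".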
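Review bot: in the first configuration.md hunk, "You can take a look at the specific documentation for your router" still points nowhere for the new type; since this patch adds docs/cisco_iosxr.md, link it here (for example `[Cisco IOS XR](cisco_iosxr.md)`) next to the new `ios-xr **or** iosxr` bullet so readers find the taskgroup/usergroup setup that type depends on.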
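Review bot: in the second configuration.md hunk, swapping the order of the `['ipv6']` and `['ipv4']` lines and rewriting "IPv4 or the IPv6" as "IPv6 or the IPv4" changes nothing and only adds churn; revert those two reorderings so the hunk is limited to the real change (IOS XR moving to the per-address-family form). That change also needs one more sentence: `source-interface-id` is now a plain string for IOS and Juniper but an `ipv4`/`ipv6` array for IOS XR, so say what happens when an IOS XR router is configured with the string form, otherwise a user copying the `'lo0'` example from two lines up gets no guidance.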