Cisco CRS-1 - Carrier Routing System Router Configuration Manual

Cisco IOS XR System Security
Configuration Guide for the Cisco CRS-1
Router
Cisco IOS XR Software Release 3.9
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-20382-01

Summary of Contents for Cisco CRS-1 - Carrier Routing System Router

  • Page 1 Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router Cisco IOS XR Software Release 3.9 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3 Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router OL-20382-01 SC-iii...
  • Page 4 Contents
  • Page 5: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 6 Preface
  • Page 7 Software This module describes the implementation of the administrative model of task-based authorization used to control user access in the Cisco IOS XR system. The major tasks required to implement task-based authorization involve configuring user groups and task groups. User groups and task groups are configured through the Cisco IOS XR software command set used for authentication, authorization and accounting (AAA) services.
  • Page 8 • To enable interoperability based on Cisco IOS software, tasks must be marked as an optional attribute. • Support was added on Cisco IOS XR to allow you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
  • Page 9 Information About Configuring AAA Services This section lists all the conceptual information that a Cisco IOS XR software user must understand before configuring user groups and task groups through AAA or configuring Remote Authentication Dial-in User Service (RADIUS) or TACACS+ servers. Conceptual information also describes what AAA is and why it is important.
  • Page 10 Configuring AAA Services on Cisco IOS XR Software Information About Configuring AAA Services User, User Groups, and Task Groups Cisco IOS XR software user attributes form the basis of the Cisco IOS XR software administrative model. Each router user is associated with the following attributes: •...
  • Page 11: User Groups

    User Groups Cisco IOS XR software allows the system administrator to configure groups of users and the job characteristics that are common in groups of users. Groups must be explicitly assigned to users. Users are not assigned to groups by default. A user can be assigned to more than one group.
  • Page 12 Each SDR has its own AAA configuration, including local users, groups, and TACACS+ and RADIUS configurations. Users created in one SDR cannot access other SDRs unless those same users are configured in the other SDRs.
  • Page 13 • Configuring authentication that uses remote AAA servers that are not available, particularly authentication for the console. The none option without any other method list is not supported in Cisco IOS XR software. Note Removing the flash card from disk0:, or a disk corruption, may deny auxiliary port authentication, ...
  • Page 14: Aaa Configuration

    If a method list is not specified, the application tries to use a default method list. If a default method list does not exist, AAA uses the local database as the source.
  • Page 15 If the user is a member of a root-sdr group, the user is authenticated as an owner secure domain router user.
  • Page 16 • Ksh authentication cannot be turned off or bypassed after the card is booted. To bypass authentication, a user needs a reload of the card. (See the “Bypassing ksh Authentication” section for details).
  • Page 17 Task-Based Authorization AAA employs “task permissions” for any control, configure, or monitor operation through CLI or API. The Cisco IOS software concept of privilege levels has been replaced in Cisco IOS XR software by a task-based authorization system.
  • Page 18: Task Ids

    Information About Configuring AAA Services Task IDs The operational tasks that enable users to control, configure, and monitor Cisco IOS XR software are represented by task IDs. A task ID defines the permission to run an operation for a command. Users are associated with sets of task IDs that define the breadth of their authorized access to the router.
  • Page 19 RP/0/RP0/CPU0:router# show redundancy
  • Page 20 = “permissions:taskid name, #usergroup name, ...” Note Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
  • Page 21 EXEC mode to display all the tasks user1 can perform. For example: Username:user1 Password: RP/0/RP0/CPU0:router# show user tasks Task: basic-services :READ WRITE EXECUTE DEBUG Task: :READ WRITE EXECUTE Task: :READ Task: diag :READ
  • Page 22 13. For privilege level 15, the root-system user group is used; privilege level 14 maps to the user group owner-sdr. For example, with the Cisco freeware tac plus server, the configuration file has to specify priv_lvl, as shown in the following example:...
  • Page 23: About Radius

    “smart card” access control system. In one case, RADIUS has been used with Enigma security cards to validate users and grant access to network resources. • Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This...
  • Page 24 • Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one router to a router other than a Cisco router if that router requires RADIUS authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 25 Each task group is associated with one or more task IDs selected from the Cisco CRS-1 set of available task IDs. The first configuration task in setting up the Cisco CRS-1 authorization scheme is to configure the task groups, followed by user groups, followed by individual users.
  • Page 26 • Specific task IDs can be removed from a task group by specifying the no prefix for the task command.
  • Page 27: Configuring User Groups

    Only users associated with the WRITE:AAA task ID can configure user groups. User groups cannot inherit properties from predefined groups, such as root-system and owner-sdr. SUMMARY STEPS configure usergroup usergroup-name
  • Page 28 • The user group takes on the configuration attributes (task ID list and permissions) already defined for the entered task group. Example: RP/0/RP0/CPU0:router(config-ug)# taskgroup beta
  • Page 29: Configuring Users

    {0 | 7} password secret {0 | 5} secret group group-name Repeat Step for each user group to be associated with the user specified in Step
  • Page 30 RP/0/RP0/CPU0:router(config-un)# group sysadmin • Each user must be assigned to at least one user group. A user may belong to multiple user groups.
  • Page 31 Configuring Router to RADIUS Server Communication This task configures router to RADIUS server communication. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (CiscoSecure ACS), Livingston, Merit, Microsoft, or another software provider. Configuring router to...
  • Page 32 (The RADIUS host entries are tried in the order they are configured.) A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.
  • Page 33 radius-server timeout seconds Sets the number of seconds a router waits for a server host to reply before timing out. • In the example, the interval timer is set to 10 seconds. Example: RP/0/RP0/CPU0:router(config)# radius-server timeout 10
  • Page 34 Example: RP/0/RP0/CPU0:router# show radius What to Do Next After configuring router to RADIUS server communication, configure RADIUS server groups. (See the “Configuring RADIUS Server Groups” section.)
  • Page 35 SUMMARY STEPS configure radius-server deadtime minutes radius-server dead-criteria time seconds radius-server dead-criteria tries tries commit show radius dead-criteria host ip-addr [auth-port auth-port] [acct-port acct-port]
  • Page 36 [auth-port auth-port] [acct-port acct-port] has been requested for a RADIUS server at the specified IP address. Example: RP/0/RP0/CPU0:router# show radius dead-criteria host 172.19.192.80
  • Page 37 “cisco-avpair” The value is a string of the following format: protocol : attribute sep value * “Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep”...
  • Page 38 Both auth-port and acct-port keywords enter RADIUS server-group private configuration mode. RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 timeout 5 RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 retransmit 3
  • Page 39 [0 | 7] auth-key tacacs-server host host-name single-connection tacacs source-interface type instance
  • Page 40 • (Optional) Entering 7 indicates that an encrypted key will follow. • The auth-key argument specifies the encrypted or unencrypted key to be shared between the AAA server and the TACACS+ server.
  • Page 41 Example: RP/0/RP0/CPU0:router# show tacacs What to Do Next After configuring TACACS+ servers, configure TACACS+ server groups. (See the “Configuring TACACS+ Server Groups” section.)
  • Page 42: Configuring Radius Server Groups

    • After the server group is configured, it can be referenced from the AAA method lists (used while configuring authentication, authorization, or accounting). Example: RP/0/RP0/CPU0:router(config-sg-radius)# server 192.168.20.0
  • Page 43 Step 8 show radius server-groups [group-name [detail]] (Optional) Displays information about each RADIUS server group that is configured in the system. Example: RP/0/RP0/CPU0:router# show radius server-groups
  • Page 44 TACACS+ server. • When configured, this group can be referenced from the AAA method lists (used while configuring authentication, authorization, or accounting). Example: RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.100.0
  • Page 45 This section contains the following procedures: • Configuring Authentication Method Lists, page SC-40 (required) • Configuring Authorization Method Lists, page SC-42 (required) • Configuring Accounting Method Lists, page SC-46 (required)
  • Page 46 Use the aaa group server radius or aaa group server tacacs+ command to create a named group of servers. SUMMARY STEPS configure aaa authentication {login | ppp} {default | list-name | remote} method-list
  • Page 47 – for authentication – line—Use line password or user group for authentication • The example specifies the default method list to be used for authentication.
  • Page 48 The Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all methods defined have been exhausted.
  • Page 49 Note The Cisco IOS XR software attempts authorization with the next listed method only when there is no response or an error response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user...
  • Page 50 PPP or IKE. • The default keyword causes the listed authorization methods that follow this keyword to be the default list of methods for authorization.
  • Page 51 • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 52 Note Accounting Configuration Currently, Cisco IOS XR software supports both the TACACS+ and RADIUS methods for accounting. The router reports user activity to the TACACS+ or RADIUS security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.
  • Page 53 • The example defines a default command accounting method list, in which accounting services are provided by a TACACS+ security server, with a stop-only restriction.
  • Page 54 Generating Interim Accounting Records This task enables periodic interim accounting records to be sent to the accounting server. When the aaa accounting update command is activated, Cisco IOS XR software issues interim accounting records for all users on the system.
  • Page 55 DETAILED STEPS Command or Action Purpose Step 1 configure Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure
  • Page 56 • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 57 configure Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure Step 2 line {aux | console | default | template template-name} Enters line template configuration mode. Example: RP/0/RP0/CPU0:router(config)# line console
  • Page 58 What to Do Next After applying authorization method lists by enabling AAA authorization, apply accounting method lists by enabling AAA accounting. (See the “Enabling Accounting Services” section.)
  • Page 59 This task enables accounting services for a specific line or group of lines. SUMMARY STEPS configure line {aux | console | default | template template-name} accounting {commands | exec} {default | list-name} commit
  • Page 60 • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. What to Do Next
  • Page 61 configure Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure Step 2 line template template-name Specifies a line to configure and enters line template configuration mode. Example: RP/0/RP0/CPU0:router(config)# line template alpha
  • Page 62 The default method list for PPP is configured to use the local method. aaa authentication ppp default local
  • Page 64: Related Documents

    MIBs MIBs Link — To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
  • Page 65: Technical Assistance

    Registered Cisco.com users can log in from this page to access even more content.
  • Page 66 Configuring AAA Services on Cisco IOS XR Software Additional References
  • Page 67 Socket Layer (SSL), and Secure Shell (SSH) protocols. CA interoperability permits Cisco IOS XR devices and CAs to communicate so that your Cisco IOS XR device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
  • Page 68 (SCEP) (formerly called certificate enrollment protocol [CEP]). Restrictions for Implementing Certification Authority Cisco IOS XR software does not support CA server public keys greater than 2048 bits. Information About Implementing Certification Authority To implement CA, you need to understand the following concepts: • Supported Standards for Certification Authority Interoperability, page SC-62 ...
  • Page 69: Certification Authorities

    The receiver verifies the signature by decrypting the message with the sender’s public key. The fact that the message could be decrypted using the sender’s ...
  • Page 70 IPSec Without CAs Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the key of the other router (such as an RSA public key or a shared key).
  • Page 71 Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
  • Page 72 Command or Action Purpose Step 1 configure Enables global configuration mode. Example: RP/0/RP0/CPU0:router# configure Step 2 hostname name Configures the hostname of the router. Example: RP/0/RP0/CPU0:router(config)# hostname myhost
  • Page 73 SUMMARY STEPS crypto key generate rsa [usage keys | general-keys] [keypair-label] crypto key zeroize rsa [keypair-label] show crypto key mypubkey rsa
  • Page 74 A public key is imported to the router to authenticate the user. SUMMARY STEPS crypto key import authentication rsa [usage keys | general-keys] [keypair-label] show crypto key mypubkey rsa
  • Page 75 This task declares a CA and configures a trusted point. SUMMARY STEPS configure crypto ca trustpoint ca-name enrollment url CA-URL query url LDAP-URL enrollment retry period minutes enrollment retry count number rsakeypair keypair-label commit
  • Page 76 enrollment retry count number (Optional) Specifies how many times the router continues to send unsuccessful certificate requests before giving up. • The range is from 1 to 100. Example: RP/0/RP0/CPU0:router(config-trustp)# enrollment retry count 10
  • Page 77 CA by contacting the CA administrator to compare the fingerprint of the CA certificate. SUMMARY STEPS crypto ca authenticate ca-name show crypto ca certificates
  • Page 78 If you previously generated special usage RSA keys, your router has two RSA key pairs and needs two certificates. SUMMARY STEPS crypto ca enroll ca-name show crypto ca certificates
  • Page 79 SUMMARY STEPS configure crypto ca trustpoint ca-name enrollment terminal commit crypto ca authenticate ca-name crypto ca enroll ca-name crypto ca import ca-name certificate show crypto ca certificates
  • Page 80 • Use the ca-name argument to specify the name of the CA. Use the same name that you entered in Step ... Example: RP/0/RP0/CPU0:router# crypto ca authenticate myca
  • Page 81 Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keypair Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [1024]: Generating RSA keys ...
  • Page 82 Re-enter Password: Fingerprint: 17D8B38D ED2BDF2E DF8ADBF7 A7DBE35A ! The following command displays information about your certificate and the CA certificate. show crypto ca certificates Trustpoint :myca ==========================================================
  • Page 83: Where To Go Next

    Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software module, IPSec in the Implementing IPSec Network Security on Cisco IOS XR Software module, and SSL in the Implementing Secure Socket Layer on Cisco IOS XR Software module.
  • Page 84 Additional References MIBs MIBs Link — To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 85: Cisco Ios Xr Software

    Note For a complete description of the IPSec network security commands used in this chapter, see the IPSec Network Security Commands on Cisco IOS XR Software module of Cisco IOS XR System Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.
  • Page 86: Table Of Contents

    • How to Implement IPSec Network Security for Locally Sourced and Destined Traffic, page 97 • Configuration Examples for Implementing IPSec Network Security for Locally Sourced and Destined Traffic, page 101 • Additional References, page 103
  • Page 87: Prerequisites For Implementing Ipsec Network Security

    • Global Lifetimes for IPSec Security Associations, page 84 • Checkpointing, page 85 Note For information about IPSec quality of service (QoS), refer to Cisco IOS XR Modular Quality of Service Configuration Guide.
  • Page 88 IPSec SA with the router. Dynamic crypto profiles are also used in evaluating traffic.
  • Page 89: Transform Sets

    The transform set defined in the crypto profile entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto profile entry’s access list.
  • Page 90: Perfect Forward Secrecy

    SA database. For more information, see the documentation of the clear crypto ipsec sa command in Cisco IOS XR System Security Configuration Guide. IPSec SAs use one or more shared secret keys. These keys and their SAs time out together.
  • Page 91: How To Implement General Ipsec Configurations For Ipsec Networks

    This task sets global lifetimes for IPSec security associations. SUMMARY STEPS configure crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes} commit clear crypto ipsec sa {sa-id | all}
  • Page 92 This form of the command causes the SA to time out after the specified amount of traffic (in kilobytes) has passed through the IPSec “tunnel” using the SA.
  • Page 93 You may also specify the sa-id argument to clear an SA with a specific ID. For more information, see the clear crypto ipsec sa command.
  • Page 94: Creating Crypto Access Lists

    Note Only IPv4 access list configuration mode is relevant to creation of a crypto access list, not IPv6 access list configuration mode. Example: RP/0/RP0/CPU0:router(config)# ipv4 access-list InternetFilter RP/0/RP0/CPU0:router(config-ipv4-acl)#
  • Page 95 0 to 14, with a destination address in the range from 30.0.0.0 to 30.0.255.255, and using any destination port in the range from 2000 to 2050.
  • Page 96: Defining Transform Sets

    Defining Transform Sets This task defines a transform set. SUMMARY STEPS configure crypto ipsec transform-set name transform-set submode transform protocol transform-set submode mode {transport | tunnel} commit
  • Page 97 This task configures static or dynamic crypto profiles. SUMMARY STEPS configure crypto ipsec profile name match acl-name transform-set transform-set-name set pfs {group1 | group2 | group5} set type {static | dynamic}
  • Page 98 The description for this command is similar to the set transform-set command but used on a different interface.
  • Page 99 RP/0/RP0/CPU0:router(config-new)# set security-association idle-time 800 the default peer is used. The valid values are 600 to 86400.
  • Page 100 • Use the hex-key-data argument to specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes.
  • Page 101 • Use the hex-key-data argument to specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes.
  • Page 102 • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 103: How To Implement Ipsec Network Security For Locally Sourced And Destined Traffic

    Then, all inbound packets that lack IPSec protection are silently dropped, including packets for routing protocols, NTP, echo, and echo response.
  • Page 104 Step 4 tunnel source ip-address Specifies the tunnel source IP address. • This command is required for both static and dynamic profiles. Example: RP/0/RP0/CPU0:router(config-if)# tunnel source 10.0.0.2
  • Page 105 SA negotiation on behalf of traffic to be protected by crypto. SUMMARY STEPS configure crypto ipsec transport profile profile-name commit
  • Page 106 • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 107: Configuration Examples For Implementing Ipsec Network Security For Locally Sourced And Destined Traffic

    10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255 A transform set defines how the traffic is protected. In this example, transform set myset2 uses DES encryption and SHA for data packet authentication (DES appears here only because the original example uses it; its 56-bit key is brute-forceable with modest resources, so prefer an AES transform wherever the peer supports one):
  • Page 108 A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set: crypto ipsec profile toRemoteSite / match sample3 / transform-set myset2. The toRemoteSite profile is applied to a transport: crypto ipsec transport profile toRemoteSite
  • Page 109: Additional References

    MIBs: none listed. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
  • Page 110 Registered Cisco.com users can log in from this page to access even more content.
  • Page 111 Note: For a complete description of the IKE commands used in this chapter, see the Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference. To locate documentation of other commands that appear in this module, use the command reference master index, or search online.
  • Page 112: Prerequisites For Implementing Internet Key Exchange

    You must install and activate the package installation envelope (PIE) for the security software. For detailed information about optional PIE installation, see Cisco IOS XR System Management Configuration Guide. Information About Implementing IKE Security Protocol Configurations for IPSec Networks...
  • Page 113: Information About Implementing Ike Security Protocol Configurations For Ipsec Networks

    IPSec is used to protect one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host. For more information on IPSec, see the Implementing IPSec Network Security on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
  • Page 114: Concessions For Not Enabling Ike

    Concessions for Not Enabling IKE IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these concessions at the peers: You must manually specify all IPSec security associations in the crypto profiles at all peers.
  • Page 115 (If the lifetimes are not identical, the shorter lifetime, taken from the remote peer's policy, is used.)
  • Page 116 IPSec gateway. Because the Cisco VPN client does not allow users to choose which policy (and therefore which encryption algorithm) to use, these users may instead configure policy sets that in effect create such restrictions.
  • Page 117 (The lifetime parameter need not necessarily be the same; see details in the "IKE Peer Agreement for Matching Policies" section on page 109.)
  • Page 118: Isakmp Identity

    If RSA encryption is not configured, it just requests a signature key. ISAKMP Identity: You should set the ISAKMP identity for each peer that uses preshared keys in an IKE policy.
  • Page 119: Isakmp Profile Overview

    Configure AAA (you must set up an authentication list). See the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide. Configure a static crypto ISAKMP profile (required). For configuration details, see the "How to...
  • Page 120: Call Admission Control

    The Call Admission Control (CAC) for IKE feature describes the application of CAC to the IKE protocol in Cisco IOS XR software. The main function of CAC is to protect the router from severe resource depletion and to prevent crashes. Therefore, the CAC limits the number of simultaneous IKE security associations (SAs, or calls to CAC) that a router can establish.
  • Page 121: Ipsec Dead Peer Detection Periodic Message Option

    Peers can lose their IP connection to other peers due to routing problems, peer reloading, or other situations, resulting in a loss of packet traffic (sometimes called a "black hole").
  • Page 122: How To Implement Ike Security Protocol Configurations For Ipsec Networks

    Step 1 configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 crypto isakmp: Globally enables IKE at the peer router. Example: RP/0/RP0/CPU0:router(config)# crypto isakmp
  • Page 123: Configuring Ike Policies

    ... Encryption Standard (128 bit keys) | des DES - Data Encryption Standard (56 bit keys)} hash {sha | md5} authentication {pre-share | rsa-sig | rsa-encr} group {1 | 2 | 5} lifetime seconds commit show crypto isakmp policy. Of the listed choices, des, md5 and group 1 (768-bit MODP Diffie-Hellman) are the weak end of each option; choose aes, sha and group 5 wherever the peer supports them.
  • Page 124 Example: RP/0/RP0/CPU0:router(config-isakmp)# group 5. Step 7 lifetime seconds: Specifies the lifetime of the security association. The range, in seconds, is from 60 to 86400. Example: RP/0/RP0/CPU0:router(config-isakmp)# lifetime 50000
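    The policy-agreement rule described on pages 115 and 117 (the four suite attributes must match, the lifetime need not, and the shorter lifetime wins) and the value sets listed in the Configuring IKE Policies steps above, worked through in code. This is an added example written for this page, not Cisco code; the order in which policies are tried (lowest policy number first) and the names of the helper functions are assumptions of the model, and the weak-setting findings state facts about the algorithms rather than anything the manual says.

```python
"""IKE phase-1 policy agreement plus a weak-setting audit (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value sets exactly as the page's SUMMARY STEPS list them.
ENCRYPTION = {"aes", "des"}                  # aes = 128-bit keys, des = 56-bit keys
HASH = {"sha", "md5"}
AUTHENTICATION = {"pre-share", "rsa-sig", "rsa-encr"}
GROUP = {1, 2, 5}
LIFETIME_MIN, LIFETIME_MAX = 60, 86400       # seconds, per the page


@dataclass(frozen=True)
class IkePolicy:
    number: int            # policy number; lower is tried first (assumption)
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int = 86400  # seconds


def validate(policy: IkePolicy) -> List[str]:
    """Return the reasons a policy would be rejected at configuration time."""
    problems = []
    if policy.encryption not in ENCRYPTION:
        problems.append(f"encryption {policy.encryption!r} not in {sorted(ENCRYPTION)}")
    if policy.hash not in HASH:
        problems.append(f"hash {policy.hash!r} not in {sorted(HASH)}")
    if policy.authentication not in AUTHENTICATION:
        problems.append(f"authentication {policy.authentication!r} not in {sorted(AUTHENTICATION)}")
    if policy.group not in GROUP:
        problems.append(f"group {policy.group} not in {sorted(GROUP)}")
    if not LIFETIME_MIN <= policy.lifetime <= LIFETIME_MAX:
        problems.append(f"lifetime {policy.lifetime} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return problems


def _suite(policy: IkePolicy) -> Tuple[str, str, str, int]:
    return (policy.encryption, policy.hash, policy.authentication, policy.group)


def negotiate(local: List[IkePolicy], remote: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Return (local_policy, remote_policy, lifetime) for the first agreeing pair,
    or None when the peers share no suite.  Encryption, hash, authentication and
    group must be identical; the negotiated lifetime is the shorter of the two."""
    for lp in sorted(local, key=lambda p: p.number):
        for rp in sorted(remote, key=lambda p: p.number):
            if _suite(lp) == _suite(rp):
                return lp, rp, min(lp.lifetime, rp.lifetime)
    return None


def weak_settings(policy: IkePolicy) -> List[str]:
    """Flag the weak end of each option the page lists (algorithm facts, not manual text)."""
    findings = []
    if policy.encryption == "des":
        findings.append("des: 56-bit key, brute-forceable")
    if policy.hash == "md5":
        findings.append("md5: collision-broken hash")
    if policy.group == 1:
        findings.append("group 1: 768-bit MODP Diffie-Hellman")
    return findings


# Constructed sample: a local router that prefers AES/SHA/group 5 but still
# offers DES/MD5/group 1 as a fallback, against a remote peer whose
# highest-priority policy is the weak one.
LOCAL = [
    IkePolicy(10, "aes", "sha", "pre-share", 5, lifetime=86400),
    IkePolicy(20, "des", "md5", "pre-share", 1, lifetime=86400),
]
REMOTE = [
    IkePolicy(5, "des", "md5", "pre-share", 1, lifetime=3600),
    IkePolicy(10, "aes", "sha", "pre-share", 5, lifetime=50000),
]

if __name__ == "__main__":
    for side_a, side_b, label in ((LOCAL, REMOTE, "local first"), (REMOTE, LOCAL, "remote first")):
        match = negotiate(side_a, side_b)
        if match is None:
            print(label, "no common policy")
            continue
        lp, rp, life = match
        print(f"{label}: policy {lp.number} <-> policy {rp.number}, lifetime {life}s")
        for finding in weak_settings(lp):
            print("  weak:", finding)
```

    Running the demonstration shows why a weak fallback policy is a downgrade risk and not just a compatibility nicety: when the local list is walked first the AES policy is agreed with the remote's 50000-second lifetime, but when the remote list is walked first its top-ranked DES/MD5/group 1 policy finds the local fallback and wins. Removing the fallback policy is the only way to stop that; no ordering on the local side prevents it.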
  • Page 125 To limit an IKE peer to use a specific policy set, you must also configure the policy set or sets. See Configuring IKE Policies, page 117. SUMMARY STEPS: configure; crypto isakmp policy-set policy-name; policy policy-number
  • Page 126 ... 4, as needed, to configure additional policy sets for specific IP addresses. You may use either multiple ISAKMP policies or multiple IP addresses to create the match.
  • Page 127 Configuring RSA Public Keys of All the Other Peers, page 123; Importing a Public Key for RSA based User Authentication, page 125; Deleting an RSA Public Key from the Router, page 126
  • Page 128 ... IP address or by hostname. See the crypto isakmp identity command description for guidelines on when to use the IP address and when to use the hostname. Example: RP/0/RP0/CPU0:router(config)# crypto isakmp identity address
  • Page 129 ... [vrf fvrf-name] rsa-pubkey {address address | name fqdn} [encryption | signature] address ip-address key-string key-string quit commit show crypto key pubkey-chain rsa [name key-name | address key-address]
  • Page 130 When you have finished specifying the remote peer's RSA key, return to global configuration mode by entering quit at the public key configuration prompt. Verify the key-string against a fingerprint obtained from the peer's operator out of band before committing; a peer key pasted from an unauthenticated source makes RSA-based IKE authentication no stronger than the channel it arrived over.
  • Page 131 This task imports the RSA public key to the router. SUMMARY STEPS: configure; crypto key import authentication rsa {address address | name fqdn}; commit; show crypto key import authentication rsa {address address | name fqdn}
  • Page 132 Example: RP/0/RP0/CPU0:router# show crypto key import authentication rsa ... your router. Deleting an RSA Public Key from the Router: This task deletes the RSA public key from the router. SUMMARY STEPS: configure
  • Page 133 Use the optional name or address keyword to display details about a particular RSA public key stored on your router. Example: RP/0/RP0/CPU0:router# show crypto pubkey-chain
  • Page 134 (Optional) Use the vrf keyword to specify that the front door virtual routing and forwarding (FVRF) name is the keyring that is referenced. Example (keyring vpnkeyring): RP/0/RP0/CPU0:router(config-keyring)#
  • Page 135: Configuring Call Admission Control

    Configuring the IKE Security Association Limit: This task configures the IKE security association limit. SUMMARY STEPS: configure; crypto isakmp call admission limit {in-negotiation-sa number | sa number}
  • Page 136 Use the sa keyword to specify the maximum number of active IKE SAs that the router can establish. The range for the number argument is from 1 to 100000. The in-negotiation-sa limit is the one that holds against a flood of half-open negotiations; keep it well below the sa limit so legitimate rekeys still find a slot.
  • Page 137 This task configures the system resource limit. SUMMARY STEPS: configure; crypto isakmp call admission limit {cpu {total percent | ike percent}}; commit; show crypto isakmp call admission statistics
  • Page 138 Step 4 show crypto isakmp call admission statistics: Monitors crypto CAC statistics. Example: RP/0/RP0/CPU0:router# show crypto isakmp call admission statistics
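    The three Call Admission Control limits configured above (in-negotiation-sa, sa, and the cpu resource limit), as a small admission model that shows what each one buys under a half-open negotiation flood. This is an added example, not Cisco code: the counter names, the rule that a request is refused when it could not fit under the sa limit even if it succeeded, and the use of a caller-supplied CPU reading are all assumptions made for the model, and the peer addresses are constructed.

```python
"""IKE Call Admission Control modelled on the limits this chapter configures (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class IkeCallAdmission:
    in_negotiation_limit: int          # ... call admission limit in-negotiation-sa N
    sa_limit: int                      # ... call admission limit sa N  (1 to 100000)
    cpu_limit: Optional[int] = None    # ... call admission limit cpu total PERCENT
    negotiating: Set[str] = field(default_factory=set)
    established: Set[str] = field(default_factory=set)
    rejected: Dict[str, int] = field(
        default_factory=lambda: {"in-negotiation": 0, "sa": 0, "cpu": 0})

    def request(self, peer: str, cpu_percent: int = 0) -> bool:
        """Admit or refuse a new IKE negotiation from `peer`.

        Order of checks is an assumption: the cheap CPU gate first, then the
        half-open cap, then whether the SA could fit if it completed."""
        if self.cpu_limit is not None and cpu_percent > self.cpu_limit:
            self.rejected["cpu"] += 1
            return False
        if len(self.negotiating) >= self.in_negotiation_limit:
            self.rejected["in-negotiation"] += 1
            return False
        if len(self.negotiating) + len(self.established) >= self.sa_limit:
            self.rejected["sa"] += 1
            return False
        self.negotiating.add(peer)
        return True

    def complete(self, peer: str) -> None:
        """Negotiation finished: the SA becomes active."""
        self.negotiating.discard(peer)
        self.established.add(peer)

    def fail(self, peer: str) -> None:
        """Timeout or authentication failure frees the in-negotiation slot."""
        self.negotiating.discard(peer)

    def delete(self, peer: str) -> None:
        self.established.discard(peer)

    def statistics(self) -> Dict[str, int]:
        """Counters in the spirit of 'show crypto isakmp call admission statistics'
        (field names assumed)."""
        stats = {"in-negotiation": len(self.negotiating), "active": len(self.established)}
        stats.update({f"rejected-{k}": v for k, v in self.rejected.items()})
        return stats


def half_open_flood(cac: IkeCallAdmission, attacker_prefix: str, count: int) -> int:
    """Simulate `count` spoofed peers that start IKE and never finish.
    Returns how many of them obtained an in-negotiation slot."""
    return sum(cac.request(f"{attacker_prefix}.{i}") for i in range(count))


if __name__ == "__main__":
    cac = IkeCallAdmission(in_negotiation_limit=4, sa_limit=10)
    cac.request("10.0.0.2")            # constructed legitimate peer
    cac.complete("10.0.0.2")
    admitted = half_open_flood(cac, "198.51.100", 50)   # constructed attacker range
    print(f"flood: {admitted} half-open negotiations admitted, rest refused")
    print("legitimate peer during flood:", cac.request("10.0.0.3"))
    for i in range(admitted):          # the half-open SAs time out
        cac.fail(f"198.51.100.{i}")
    print("legitimate peer after timeouts:", cac.request("10.0.0.3"))
    print(cac.statistics())
```

    The point the simulation makes is that the in-negotiation-sa cap bounds the damage of a flood to a fixed number of slots that free up on timeout, whereas the sa cap alone would let the attacker hold every slot until the router's SA table was full. A legitimate peer is still refused while the slots are held, so size the cap and the negotiation timeout together.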
  • Page 139 ... {address address [mask] | hostname hostname} key key rsa-pubkey {address address | name fqdn} [encryption | signature] key-string key-string quit commit
  • Page 140 ... 10.72.23.11 key vpnkey. Use the hostname keyword to specify the fully qualified domain name (FQDN) of the peer. Use the key keyword to specify the secret.
  • Page 141 Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 142 description string: Adds a line of description for an IKE peer. The description of a peer may be up to 80 characters. Example: RP/0/RP0/CPU0:router(config-isakmp-peer)# description citeA
  • Page 143: How To Configure The Isakmp Profile

    Note: The Cisco CRS-1 Router supports only tunnel interfaces. SUMMARY STEPS: configure; crypto isakmp profile [local] profile-name; description string
  • Page 144 keepalive disable: Lets the gateway send DPD messages to the Cisco IOS XR peer. Use the disable keyword to disable the keepalive global declarations. Example: RP/0/RP0/CPU0:router(config-isa-prof)# keepalive disable
  • Page 145 Use the keyring-name argument to specify the keyring name, which must match the keyring name that was defined in the global configuration. Example: RP/0/RP0/CPU0:router(config-isa-prof)# keyring vpnkeyring
  • Page 146 ... ID_USER_FQDN. When the user domain keyword is present, all users having identities of the type ID_USER_FQDN and ending with domain-name are matched.
  • Page 147 The intf-index argument range differs based on whether you configure a tunnel or a service: tunnel = 0 - 429496729; service = 1-65535
  • Page 148: How To Configure A Dead Peer Detection Message

    How to Configure a Dead Peer Detection Message: This task configures a keepalive (dead peer detection, DPD) message. SUMMARY STEPS: configure; crypto isakmp keepalive seconds retry-seconds [periodic | on-demand]; commit
  • Page 149 Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 150: Configuration Examples For Implementing Ike Security Protocol

    Limiting an IKE Peer to a Particular Policy Set Based on Local IP Address: Example, page 145; Configuring Cisco Easy VPN with a Local AAA-Method Server: Example, page 146; Configuring Cisco Easy VPN with a Remote AAA-Method Server: Example, page 147; ...
  • Page 151 Note: The service-ipsec interface is supported only on the Cisco XR 12000 Series Router. Limiting an IKE Peer to a Particular Policy Set Based on Local IP Address: Example. The first part consists of selecting an ISAKMP policy related to the encryption method and identifying the SVI tunnel source.
  • Page 152 RP/0/RP0/CPU0:router(config-isakmp-pol-set)# exit RP/0/RP0/CPU0:router(config-isakmp)# Configuring Cisco Easy VPN with a Local AAA-Method Server: Example. The following example shows how to configure Cisco Easy VPN with a local AAA-method server: aaa authorization network author-net-local local aaa authentication login authen-net-local local local pool ipv4 pool-1 20.20.20.4 20.20.20.255...
  • Page 153 Note: Cisco Easy VPN is supported only on the Cisco XR 12000 Series Router. Configuring Cisco Easy VPN with a Remote AAA-Method Server: Example. On the remote AAA server, the system administrator configures two lists, one for authentication and another for authorization.
  • Page 154 ... TUNNEL_IPSEC set type static match TUNNEL_IPSEC transform-set TRANSFORM_SET reverse-route. Note: The reverse-route command is not supported on the Cisco CRS-1 Router, and it can be omitted. crypto keyring TUNNEL_IPSEC vrf default local-address 1.1.1.5 pre-shared-key address 1.1.1.6 255.255.255.255 key cisco123 pre-shared-key address 20.0.7.210 255.255.255.255 key cisco123... (cisco123 is a placeholder from the example; in a deployment use a long random secret, distinct per peer.)
  • Page 155 ... 0/2/0 profile ipsec-prof16 tunnel vrf FVRF tunnel source 10.20.100.16 tunnel destination 10.0.85.2 router static address-family ipv4 unicast 1.7.0.3/32 service-ipsec15 1.7.0.4/32 service-ipsec15 vrf FVRF address-family ipv4 unicast
  • Page 156: Additional References

    IPSec-related object tracking commands: see the Cisco IOS XR System Management Command Reference for complete command syntax, command modes, command history, defaults, usage guidelines, and examples.
  • Page 157 MIBs: none listed. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 158 Registered Cisco.com users can log in from this page to access even more content.
  • Page 159 Implementing Keychain Management on Cisco IOS XR Software. This module describes how to implement keychain management on Cisco IOS XR software. Keychain management is a common method of authentication to configure shared secrets on all entities that exchange secrets such as keys, before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.
  • Page 160: Administrator For Assistance

    If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail. Because lifetimes are evaluated against the router clock, keep the clocks of all peers synchronized (for example with NTP) and overlap the lifetimes of consecutive keys rather than letting them abut.
  • Page 161 This task configures a name for the keychain. You can create or modify the name of the keychain. SUMMARY STEPS: configure; key chain key-chain-name; commit; show key chain key-chain-name
  • Page 162 RP/0/RP0/CPU0:router# show key chain isis-keys. What to Do Next: After completing keychain configuration, see the Configuring a Tolerance Specification to Accept Keys section.
  • Page 163 Step 1 configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 key chain key-chain-name: Creates a name for the keychain. Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
  • Page 164 This task configures a key identifier for the keychain. You can create or modify the key for the keychain. SUMMARY STEPS: configure; key chain key-chain-name; key key-id; commit
  • Page 165 After configuring a key identifier for the keychain, see the Configuring the Text for the Key String section. Configuring the Text for the Key String: This task configures the text for the key string.
  • Page 166 key chain key-chain-name: Creates a name for the keychain. Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys. Step 3 key key-id: Creates a key for the keychain. Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
  • Page 167 This task determines the valid keys for local applications to authenticate the remote peers. SUMMARY STEPS: configure; key chain key-chain-name; key key-id; accept-lifetime start-time [duration duration-value | infinite | end-time]; commit
  • Page 168 Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 169 key chain key-chain-name: Creates a name for the keychain. Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys. Step 3 key key-id: Creates a key for the keychain. Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
  • Page 170 This task allows the keychain configuration to accept the choice of the cryptographic algorithm. SUMMARY STEPS: configure; key chain key-chain-name; key key-id; cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
  • Page 171 key chain key-chain-name: Creates a name for the keychain. Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)#. Step 3 key key-id: Creates a key for the keychain. Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
  • Page 172 Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
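    The lifetime rules from this chapter worked through in code: the warning on page 160 that a period with no active key breaks neighbor authentication, the accept-lifetime form on page 167 (start-time with duration, infinite, or end-time), and the accept tolerance the chapter points to. This is an added example, not Cisco code. It models a keychain rollover the way an operator would review it before committing: which key is sent at a given time, whether a received key id is still accepted, and where the chain has holes. Times are naive datetimes on the router clock; choosing the lowest key id when several keys are valid for sending is an assumption of the model, and the key chain itself is constructed.

```python
"""Keychain lifetime checks for a key rollover (added example, not Cisco code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str                      # e.g. "HMAC-SHA1-20", from the cryptographic-algorithm list
    accept_start: datetime
    accept_end: Optional[datetime]      # None = infinite
    send_start: datetime
    send_end: Optional[datetime]        # None = infinite


def lifetime(start: datetime, duration_s: Optional[int] = None,
             end: Optional[datetime] = None) -> Tuple[datetime, Optional[datetime]]:
    """Mirror 'start-time [duration duration-value | infinite | end-time]'.
    No duration and no end means infinite."""
    if duration_s is not None:
        return start, start + timedelta(seconds=duration_s)
    return start, end


def _in_window(t: datetime, start: datetime, end: Optional[datetime], tolerance_s: int = 0) -> bool:
    tol = timedelta(seconds=tolerance_s)
    return start - tol <= t and (end is None or t < end + tol)


def send_key(chain: List[Key], t: datetime) -> Optional[Key]:
    """Key used to sign outgoing packets at time t, or None if the chain has a hole."""
    valid = [k for k in chain if _in_window(t, k.send_start, k.send_end)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def accepts(chain: List[Key], key_id: int, t: datetime, tolerance_s: int = 0) -> bool:
    """Would a packet carrying key_id authenticate at time t?  tolerance_s widens
    the accept window on both ends, as an accept tolerance does."""
    return any(k.key_id == key_id and _in_window(t, k.accept_start, k.accept_end, tolerance_s)
               for k in chain)


def send_gaps(chain: List[Key], window_start: datetime, window_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Intervals inside [window_start, window_end) during which no key is valid
    for sending.  Neighbor authentication fails for the whole of such a gap."""
    intervals = []
    for k in chain:
        s = max(k.send_start, window_start)
        e = window_end if k.send_end is None else min(k.send_end, window_end)
        if s < e:
            intervals.append((s, e))
    gaps, cursor = [], window_start
    for s, e in sorted(intervals):
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return gaps


# Constructed rollover: key 1 retires at 12:00, key 2 takes over.
T = datetime(2010, 1, 1)
H = timedelta(hours=1)

# Broken chain: key 2 only starts sending at 13:00, leaving a one-hour hole.
BAD_CHAIN = [
    Key(1, "HMAC-MD5", *lifetime(T, end=T + 12 * H), *lifetime(T, end=T + 12 * H)),
    Key(2, "HMAC-SHA1-20", *lifetime(T + 13 * H), *lifetime(T + 13 * H)),
]

# Overlapping chain: key 2 is accepted from 11:00 and sent from 12:00, while
# key 1 keeps being accepted until 13:00 for peers that roll over late.
GOOD_CHAIN = [
    Key(1, "HMAC-MD5", *lifetime(T, end=T + 13 * H), *lifetime(T, end=T + 12 * H)),
    Key(2, "HMAC-SHA1-20", *lifetime(T + 11 * H), *lifetime(T + 12 * H)),
]

if __name__ == "__main__":
    for name, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(name, "send gaps:", send_gaps(chain, T, T + 24 * H))
        at = T + 12 * H + timedelta(minutes=30)
        k = send_key(chain, at)
        print(name, "sends with key", k.key_id if k else None,
              "| peer still on key 1 accepted:", accepts(chain, 1, at),
              "| with 1h tolerance:", accepts(chain, 1, at, tolerance_s=3600))
```

    Run against the broken chain the checker reports the 12:00 to 13:00 hole and shows that a peer still sending key 1 at 12:30 is rejected unless a one-hour accept tolerance is configured; against the overlapping chain it reports no gaps and accepts either key during the overlap, which is the shape a rollover should have.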
  • Page 173 Keychain Management Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
  • Page 174 MIBs: none listed. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 175 ... IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
  • Page 176 The mediation device uses the CISCO-TAP2-MIB to set up the communications between the router acting as the content IAP and the MD. The MD uses the CISCO-IP-TAP-MIB to set up the filter for the IP addresses and port numbers to be intercepted and derived from the SDP.
  • Page 177 Such alternatives include the MAC address and the acct-session-id. Restrictions for Implementing Lawful Intercept: Lawful intercept does not provide support for the following features in Cisco IOS XR Software Release 3.8.0: RTP encapsulation; ...
  • Page 178 Periodically audits the elements in the network to ensure that all authorized intercepts are in place and that only authorized intercepts are in place.
  • Page 179 LI is enabled by default on each supported router. To disable LI, enter the command lawful-intercept disable in global configuration mode. To reenable it, use the no form of this command. On a router that has no intercept role, disabling LI removes the SNMP-driven tap provisioning path from the attack surface.
  • Page 180 In such a case only, you must specifically configure MPP as an inband interface to allow SNMP commands to be accepted by the router, using a specified interface or using all interfaces. Note: If you have recently migrated to Cisco IOS XR software from Cisco IOS and you had MPP configured for a given protocol, you may still need to perform this task.
  • Page 181 ... SNMP to use, the security level of the notifications, and the recipient (host) of the notifications. Example: RP/0/RP0/CPU0:router(config)# snmp-server host 223.255.254.224 traps version 3 priv bgreen udp-port 2555
  • Page 182 Step 10 show snmp users: Displays information about each SNMP username in the SNMP user table. Example: RP/0/RP0/CPU0:router# show snmp users
  • Page 183 RP/0/RP0/CPU0:router(config-ctr)# exit RP/0/RP0/CPU0:router(config)# exit RP/0/RP0/CPU0:router# show mgmt-plane inband interface loopback0 Management Plane Protection - inband interface interface - Loopback0 snmp configured - All peers allowed RP/0/RP0/CPU0:router(config)# commit. "All peers allowed" is the permissive form of the SNMP entry; restricting the peer to the mediation device's address is the tighter one.
  • Page 184 ... Protocol/Internet Protocol (TCP/IP) protocol suite. MIBs: CISCO-TAP2-MIB, version 2; CISCO-IP-TAP-MIB. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 185 Registered Cisco.com users can log in from this page to access even more content.
  • Page 186 Implementing Lawful Intercept on Cisco IOS XR Software: Additional References
  • Page 187 Implementing Management Plane Protection on Cisco IOS XR Software The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.
  • Page 188 Inband Management Interface, page SC-183; Out-of-Band Management Interface, page SC-183; Peer-Filtering on Interfaces, page SC-183; Control Plane Protection Overview, page SC-183; Management Plane, page SC-183
  • Page 189 Benefits of the Management Plane Protection Feature, page SC-184. Inband Management Interface: An inband management interface is a Cisco IOS XR physical or logical interface that processes management packets, as well as data-forwarding packets. An inband management interface is also called a shared management interface.
  • Page 190 How to Configure a Device for Management Plane Protection. This section contains the following tasks: Configuring a Device for Management Plane Protection for an Inband Interface, page SC-185; ...
  • Page 191 RP/0/RP0/CPU0:router(config)# control-plane RP/0/RP0/CPU0:router(config-ctrl)#. Step 3 management-plane: Configures management plane protection to allow and disallow protocols and enters management plane protection configuration mode. Example: RP/0/RP0/CPU0:router(config-ctrl)# management-plane RP/0/RP0/CPU0:router(config-mpp)#
  • Page 192 ... IPv4 address from which management traffic is allowed on the interface. Use the peer ip-address/length argument to configure the prefix of the peer IPv4 address. Example: RP/0/RP0/CPU0:router(config-telnet-peer)# address ipv4 10.1.0.0/16
  • Page 193 Configure the interface under the out-of-band VRF. Configure the global out-of-band VRF. In the case of Telnet, configure the Telnet VRF server for the out-of-band VRF.
  • Page 194 ... (VRF) reference of an out-of-band interface. Use the vrf-name argument to assign a name to a VRF. Example: RP/0/RP0/CPU0:router(config-mpp-outband)# vrf target
  • Page 195 ... IPv6 address from which management traffic is allowed on the interface. Use the peer ip-address/length argument to configure the prefix of the peer IPv6 address. Example: RP/0/RP0/CPU0:router(config-tftp-peer)# address ipv6 33::33
  • Page 196 (Optional) Use the vrf keyword to display the Virtual Private Network (VPN) routing and forwarding reference of an out-of-band interface.
  • Page 197 ... - All peers allowed telnet configured - peer v4 allowed - 10.1.0.0/16 all configured - All peers allowed interface - GigabitEthernet0_6_0_1 telnet configured -
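    The MPP semantics this chapter describes, worked through as a checker: once management-plane protection is configured, a management packet is accepted only on a designated inband or out-of-band interface, only for a protocol allowed there, and only from a listed peer prefix (or from any peer when no prefix is listed, which the show output above prints as "All peers allowed"). This is an added example, not Cisco code. It models the configuration shown on pages 183, 192 and 195 (Loopback0 snmp, a telnet peer of 10.1.0.0/16, a tftp peer of 33::33); the ssh entry, the interface names other than Loopback0, the behaviour with no MPP configuration at all (every interface accepts management traffic), and the precedence of a specific protocol entry over an "all" entry are assumptions of the model.

```python
"""Management Plane Protection admission check (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class InterfaceRule:
    # protocol -> allowed peer prefixes; an empty list means "All peers allowed"
    allow: Dict[str, List[Network]] = field(default_factory=dict)


@dataclass
class MppConfig:
    inband: Dict[str, InterfaceRule] = field(default_factory=dict)   # "all" = every interface
    outband: Dict[str, InterfaceRule] = field(default_factory=dict)
    outband_vrf: Optional[str] = None

    @property
    def enabled(self) -> bool:
        return bool(self.inband or self.outband)

    def allow(self, plane: str, interface: str, protocol: str, *peers: str) -> None:
        """control-plane / management-plane / inband|out-of-band / interface X /
        allow PROTOCOL [peer / address ipv4|ipv6 PREFIX]"""
        table = self.inband if plane == "inband" else self.outband
        rule = table.setdefault(interface, InterfaceRule())
        rule.allow.setdefault(protocol, []).extend(ipaddress.ip_network(p) for p in peers)


def permits(cfg: MppConfig, interface: str, protocol: str, src: str, plane: str = "inband") -> bool:
    """Decide whether a management packet is accepted."""
    if not cfg.enabled:
        return True                      # no MPP configured: accepted everywhere (assumed)
    table = cfg.inband if plane == "inband" else cfg.outband
    rule = table.get(interface) or table.get("all")
    if rule is None:
        return False                     # not a designated management interface
    peers = rule.allow.get(protocol)     # specific protocol entry first (assumed precedence)
    if peers is None:
        peers = rule.allow.get("all")
    if peers is None:
        return False                     # protocol not allowed on this interface
    if not peers:
        return True                      # "All peers allowed"
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peers if net.version == addr.version)


def render(cfg: MppConfig) -> List[str]:
    """Summary in the style of 'show mgmt-plane inband interface'."""
    lines = []
    for name, rule in cfg.inband.items():
        lines.append(f"interface - {name}")
        for proto, peers in rule.allow.items():
            if peers:
                lines.append(f"  {proto} configured - peer allowed - {', '.join(map(str, peers))}")
            else:
                lines.append(f"  {proto} configured - All peers allowed")
    return lines


# Constructed configuration assembled from the page's fragments plus an ssh entry.
CFG = MppConfig()
CFG.allow("inband", "Loopback0", "snmp")                                   # all peers
CFG.allow("inband", "GigabitEthernet0/6/0/1", "telnet", "10.1.0.0/16")
CFG.allow("inband", "GigabitEthernet0/6/0/1", "ssh", "10.1.0.0/16")
CFG.allow("inband", "GigabitEthernet0/6/0/1", "tftp", "33::33")

if __name__ == "__main__":
    print("\n".join(render(CFG)))
    # Constructed packets: (interface, protocol, source)
    for pkt in (("Loopback0", "snmp", "192.0.2.7"),
                ("GigabitEthernet0/6/0/1", "telnet", "10.1.200.9"),
                ("GigabitEthernet0/6/0/1", "telnet", "10.2.0.9"),
                ("GigabitEthernet0/0/0/0", "ssh", "10.1.0.5")):
        print(pkt, "->", "accept" if permits(CFG, *pkt) else "drop")
```

    The case worth noticing is the last packet: ssh from an address inside the permitted 10.1.0.0/16 range is still dropped because it arrived on an interface that was never designated, which is exactly the protection MPP adds over a per-protocol ACL. The snmp entry on Loopback0 is the permissive form; a prefix for the management station would be the tighter one.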
  • Page 198 MIBs: none listed. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
  • Page 199 Registered Cisco.com users can log in from this page to access even more content.
  • Page 200 Implementing Management Plane Protection on Cisco IOS XR Software: Additional References
  • Page 201 Configuring Software Authentication Manager on Cisco IOS XR Software Software Authentication Manager (SAM) is a component of the Cisco IOS XR software operating system that ensures that software being installed on the router is safe, and that the software does not run if its integrity has been compromised.
  • Page 202 To set up the Prompt Interval, perform the following tasks. SUMMARY STEPS: configure; sam prompt-interval time-interval {proceed | terminate}; commit
  • Page 203 Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  • Page 204 Configuring Software Authentication Manager on Cisco IOS XR Software: How to set up a Prompt Interval for the Software Authentication Manager
  • Page 205 ... (DSA) keys. Cisco IOS XR software supports both SSHv1 and SSHv2. SSHv1 has known protocol weaknesses (its CRC-based integrity check does not resist tampering), so accept SSHv2 connections only wherever the clients allow it. This module describes how to implement Secure Shell on the Cisco IOS XR Software. Note: For a complete description of the Secure Shell commands used in this chapter, see the Secure Shell Commands module of the Cisco IOS XR System Security Command Reference publication.
  • Page 206 Download the required image on your router. The SSH server and SSH client require you to have a crypto package (data encryption standard [DES], 3DES and AES) from Cisco downloaded on your router. To run an SSHv2 server, you must have a VRF. This may be the default VRF or a specific VRF. VRF...
  • Page 207: Ssh Server

    RSA Based User Authentication, page SC-203 SSH Server The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security.
  • Page 208: Ssh Client

    The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted.
  • Page 209 Currently, only SSH version 2 and SFTP server support the RSA based authentication. For more information on how to import the public key to the router, see the Implementing Certification Authority Interoperability on Cisco IOS XR Software chapter in this guide. ...
  • Page 210: Configuring SSH

    Authentication, Authorization, and Accounting (AAA) is a suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server. For more information on AAA, see the Authentication, Authorization, and Accounting...
  • Page 211 RP/0/RP0/CPU0:router(config)# ssh timeout 60 If no value is configured, the default value of 30 seconds is used. The range is from 5 to 120. ...
  • Page 212 Step 12 (Optional) show ssh session details Displays a detailed report of the SSHv2 connections to and from the router. Example: RP/0/RP0/CPU0:router# show ssh session details ...
  • Page 213: Configuring the SSH Client

    SSH clients only. If the hostname argument is used and the host has both IPv4 and IPv6 addresses, the IPv6 address is used. ...
  • Page 214 After SSH has been configured, the SFTP feature is available on the router. configure hostname router1 domain name cisco.com exit crypto key generate dsa configure ssh server ...
  • Page 215 MIBs — To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml ...
  • Page 216 Registered Cisco.com users can log in from this page to access even more content. ...
  • Page 217 For a complete description of the Public Key Infrastructure (PKI) commands used in this chapter, see the Public Key Infrastructure Commands on Cisco IOS XR Software module of Cisco IOS XR System Security Command Reference. For information on SSL commands, see the Secure Socket Layer Protocol Commands on Cisco IOS XR Software module of Cisco IOS XR System Security Command Reference.
  • Page 218 For more information on the commands required to perform these tasks, see the crypto key generate rsa, crypto key generate dsa, crypto ca enroll, and crypto ca authenticate commands in the Public Key Infrastructure Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference.
  • Page 219 Configuring Secure Socket Layer, page SC-213 (required) Configuring Secure Socket Layer This task explains how to configure SSL. SUMMARY STEPS crypto key generate rsa [usage-keys | general-keys] [keypair-label] ...
  • Page 220 crypto ca trustpoint ca-name Configures a trusted point with a selected name so that your router can verify certificates issued to peers. Enters trustpoint configuration mode. Example: RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca ...
  • Page 221 CA certificate, which contains the public key for the CA. When prompted, type y to accept the certificate. Example: RP/0/RP0/CPU0:router# crypto ca authenticate myca ...
  • Page 222 10.0.0.5 crypto ca trustpoint myca enrollment url http://xyz-ultra5 crypto ca authenticate myca crypto ca enroll myca show crypto ca certificates ...
  • Page 223 MIBs — To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 224 Registered Cisco.com users can log in from this page to access even more content. ...
  • Page 225 SC-19 declaring SC-69 user groups SC-21 description SC-63, SC-213 database SC-7 domain names, configuring (example) SC-66 interim accounting records, generating SC-48 host names SC-66 ...
  • Page 226 SC-195 See IKE, algorithms config-isakmp command mode, how to enable SC-118 hitless key rollover configuring accept-tolerance command SC-157 outbound traffic (key chain) SC-163 ...
  • Page 227 IKE (Internet Key Exchange Security Protocol) parameters SC-110 Advanced Encryption Standard (AES) purpose SC-108 definition SC-107 viewing SC-119 algorithms Public Key Cryptographic Protocol encryption SC-118 Diffie-Hellman SC-107 hash SC-118 ...
  • Page 228 SC-91 IKE policy parameter SC-109 dynamic crypto profile description SC-82 key-string command SC-161 PFS (perfect forward secrecy) description SC-84 prerequisites for implementation SC-81 ...
  • Page 229 RFC 2408, ISAKMP SC-107 RFC 2409, The Internet Key Exchange SC-107 Oakley key exchange protocol SC-107 RSA (Rivest, Shamir, and Adelman) ...
  • Page 230 VPN monitoring SC-92 set security-association lifetime command SC-92 crypto session, how to clear SC-115, SC-137 set security-association replay disable command enhancements SC-92 SC-114 ...
  • Page 231 SC-115 summary status SC-115 vrf (AAA) command SC-32 vrf (MPP) command SC-188 VSAs (vendor-specific attributes) per VRF AAA SC-31 supported VSAs SC-31 ...