Secure Cisco IOS XR/XE and NX-OS with cnspec
Scan Cisco IOS XR/XE and NX-OS network devices against security and compliance best practices with cnspec.
Scan your Cisco IOS XR/XE and NX-OS network devices to find security risks before they become incidents. cnspec evaluates SSH configuration, user access controls, SNMP, BGP, and dozens of other Cisco controls, and flags end-of-life software releases.
Cisco is one of the network devices cnspec can assess. For the full list of supported devices, see the network device scanning overview. New to cnspec? Start with the quickstart.
Prerequisites
To scan a Cisco device with cnspec, you must have:
- cnspec installed on your workstation
- SSH access to the device
- Valid credentials (username/password or SSH key) for authentication
- A privileged user account (privilege level 15) or the device enable password to enter privileged exec mode
Scanning Cisco IOS and NX-OS devices is not currently supported from Windows systems.
Give cnspec access to your Cisco device
To scan a Cisco device, cnspec connects over SSH. Ensure that SSH is enabled on the device and that your workstation can reach the device's management interface.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-passIf cnspec connects successfully and shows a prompt, you're ready to scan.
To connect using an SSH private key:
cnspec shell nd-ssh USER_NAME@DEVICE_IP --private-key-path ~/.ssh/id_rsaConnection options
| Option | Description |
|---|---|
--password, -p | SSH password for authentication |
--ask-pass | Prompt for the SSH password |
--enable-password | Privileged exec (enable) password |
--private-key-path | Path to SSH private key file |
--private-key-passphrase | Passphrase for the SSH private key |
Scan Cisco devices
To scan a Cisco device, use the cnspec scan command. For USER_NAME, substitute the SSH username. For DEVICE_IP, substitute the device's IP address:
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-passProvide the password when prompted.
If the SSH user is not a level 15 admin user, you also need to specify the enable password with --enable-password:
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass --enable-password YOUR_ENABLE_PASSWORDWhen the scan completes, cnspec prints a pass or fail result for each check and an overall risk score. To output results in other formats such as JSON, JUnit, or SARIF, read Report Results.
Scan with Mondoo Cisco security policies
Mondoo maintains out of the box security policies for Cisco IOS XE, Cisco IOS XR, and Cisco NX-OS that check device hardening, access controls, and configuration best practices.
Mondoo Platform users: Enable the policies in your space. In the Mondoo App, go to Findings > Policies, search for "Cisco", and add the relevant policies for your device platforms. All future scans automatically evaluate against them. To learn more, read Manage policies in Mondoo Platform.
| Policy | Platform |
|---|---|
| Mondoo Cisco IOS XE Security | IOS XE |
| Mondoo Cisco IOS XR Security | IOS XR |
| Mondoo Cisco NX-OS Security | NX-OS |
Open source users: Pass the policy bundle URL directly to cnspec. For IOS XE devices:
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-iosxe-security.mql.yamlFor IOS XR devices:
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-iosxr-security.mql.yamlFor NX-OS devices:
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-nxos-security.mql.yamlYou can also create your own policies to meet your specific requirements.
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Cisco device:
cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-passBelow are some example queries and checks you can run from the shell.
IOS XE
Retrieve the device hostname and version:
cnspec> cisco.iosxe.hostname
cisco.iosxe.hostname: "router1"
cnspec> cisco.iosxe.version
cisco.iosxe.version: "17.3.4"List interfaces and their status:
cnspec> cisco.iosxe.interfaces { name ipAddress linkStatus }
cisco.iosxe.interfaces: [
0: {
name: "GigabitEthernet0/0"
ipAddress: "192.168.1.1"
linkStatus: "up"
}
...
]List local user accounts:
cnspec> cisco.iosxe.users { username privilegeLevel }
cisco.iosxe.users: [
0: {
username: "admin"
privilegeLevel: 15
}
...
]Check NTP configuration:
cnspec> cisco.iosxe.ntp
cisco.iosxe.ntp: {
servers: ["10.0.0.1", "10.0.0.2"]
...
}NX-OS
Retrieve the device hostname:
cnspec> cisco.nxos.hostname
cisco.nxos.hostname: "nexus-switch1"List interfaces and their status:
cnspec> cisco.nxos.interfaces { name ipAddress linkStatus }
cisco.nxos.interfaces: [
0: {
name: "Ethernet1/1"
ipAddress: "10.0.0.1"
linkStatus: "up"
}
...
]Retrieve local user accounts and roles:
cnspec> cisco.nxos.users { username }
cnspec> cisco.nxos.roles { name }IOS XR
Retrieve the device hostname:
cnspec> cisco.iosxr.hostname
cisco.iosxr.hostname: "xr-router1"List interfaces:
cnspec> cisco.iosxr.interfaces { name ipAddress linkStatus }Check BGP routing configuration:
cnspec> cisco.iosxr.routerBgp
cisco.iosxr.routerBgp: {
asNumber: "65001"
...
}Retrieve SNMP configuration:
cnspec> cisco.iosxr.snmpUsers
cnspec> cisco.iosxr.runSnmpCommunities
cnspec> cisco.iosxr.runSnmpGroupsLearn more
-
To learn about all the network device resources and properties you can query, read the Network Devices Resource Pack Reference.
-
To learn more about how the MQL query language works, read Write Effective MQL.