Lab 8
Role-Based CLI Access
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement Role-Based CLI Access on Cisco IOS routers.
Lab Purpose:
The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to EXEC and configuration mode commands. This allows administrators to exercise better control over access to Cisco networking devices.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single router to complete this lab.
Lab 8 Configuration Tasks
Task 1:
Configure the hostname of the router as illustrated in the following diagram.
Task 2:
Configure an enable secret of c?sco on R1.
Task 3:
Configure the IOS Role-Based CLI Access on R1 as follows:
View Name | View Password | View Commands |
BASIC | basic | 1. The show hardware command 2. The show version command 3. The show inventory command |
EXPERT | expert | 1. All show commands |
CONFIG | config | 1. All configure commands |
Task 4:
Create a view named SUPER. This view should contain all possible show and configure commands contained in all other views that were previously created.
Task 5:
Verify your configuration by logging into the router using different credentials.
Lab 8 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#end
R1#
Task 2:
To complete this task, remember that you must press CTRL/V before typing the question mark so that it can be used in a password on Cisco IOS devices.
R1(config)#enable secret c?sco
R1(config)#exit
R1#
Task 3:
R1(config)#aaa new-model
R1(config)#exit
R1#disable
R1>enable view
Password:
R1#
R1#show parser view
Current view is 'root'
R1#
R1#
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#parser view BASIC
R1(config-view)#secret basic
R1(config-view)#commands exec include show hardware
R1(config-view)#commands exec include show version
R1(config-view)#commands exec include show inventory
R1(config-view)#exit
R1(config)#parser view EXPERT
R1(config-view)#secret expert
R1(config-view)#commands exec include all show
R1(config-view)#exit
R1(config)#parser view CONFIG
R1(config-view)#secret config
R1(config-view)#commands exec include all configure
R1(config-view)#exit
R1(config)#exit
R1#
Task 4:
R1(config)#parser view SUPER superview
R1(config-view)#secret super
R1(config-view)#view BASIC
R1(config-view)#view EXPERT
R1(config-view)#view CONFIG
R1(config-view)#exit
R1(config)#exit
R1#
Task 5:
The first view we will validate is the BASIC view as configured on R1. This view will be limited to just a select few show commands.
R1#disable
R1>
R1>
R1>enable view BASIC
Password:
R1#
R1#
R1#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information
R1#
R1#show ?
  flash:     display information about flash: file system
  hardware   Hardware specific information
  inventory  Show the physical inventory
  parser     Show parser commands
  version    System hardware and software status
R1#
R1#show parser view
Current view is 'BASIC'
The second view we will validate is the EXPERT view as configured on R1. This view will have access to the entire range of show commands.
R1>enable view EXPERT
Password:
R1#
R1#
R1#show parser view
Current view is 'EXPERT'
R1#
R1#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information
R1#
R1#show ?
  aaa              Show AAA values
  accounting       Accounting data for active sessions
  alarm-interface  Display information about a specific Alarm Interface Card
  alignment        Show alignment information
  appfw            Application Firewall information
  archive          Archive of the running configuration information
  arp              ARP table
  auto             Show Automation Template
  backup           Backup status
---[Truncated Output]---
The third view we will validate is the CONFIG view as configured on R1. This view will have only configuration commands.
R1>enable view CONFIG
Password:
R1#?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R1#show ip int brie
        ^
% Invalid input detected at '^' marker.
R1#configure
Configuring from terminal, memory, or network [terminal]? terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#exit
R1#
R1#show parser view
Current view is 'CONFIG'
The final view we will validate is the SUPER view as configured on R1. This view will have all possible show and configure commands that are supported in the Cisco IOS software. However, this view will not have any debug commands available; those will be available only to the root view.
R1>enable view SUPER
Password:
R1#?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R1#
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES manual up                    up
Serial0/0                  unassigned      YES manual up                    up
R1#
R1#configure
Configuring from terminal, memory, or network [terminal]? terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#exit
R1#
R1#show parser view
Current view is 'SUPER'
Lab 8 Configurations
R1 Configuration
R1#show run
Building configuration...
Current configuration : 1295 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$bj1Q$6UA5t8qk8xaXVH0vZC3WB/
!
aaa new-model
!
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 3
line vty 4
parser view BASIC
 secret 5 $1$oi7H$u4u8IrhImpWVXHs2nfDKp0
 commands exec include show inventory
 commands exec include show version
 commands exec include show hardware
 commands exec include show
!
parser view EXPERT
 secret 5 $1$aPyv$Oq/lUadCBjEG5HyNo09Qu1
 commands exec include all show
!
parser view CONFIG
 secret 5 $1$g/3P$kazl6S9zkjDNV.Fsc4AWe/
 commands exec include configure
!
parser view SUPER superview
 secret 5 $1$tZZl$UW/C0ZeJ/rn6C3ntutJo01
 view BASIC
 view EXPERT
 view CONFIG
!
!
!
end
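To audit what each view actually grants from a saved configuration, the parser-view stanzas can be read offline and superviews resolved to the union of their member views. The following is an added example, not part of the original lab: the function names parse_views, effective and wildcard_grants are hypothetical, and the input is a constructed copy of the stanzas in the R1 configuration above with the secret lines left out.

```python
import re
# Constructed input: parser-view stanzas from the R1 "show run" output, secret lines omitted.
CONFIG = """\
parser view BASIC
 commands exec include show inventory
 commands exec include show version
 commands exec include show hardware
 commands exec include show
!
parser view EXPERT
 commands exec include all show
!
parser view CONFIG
 commands exec include configure
!
parser view SUPER superview
 view BASIC
 view EXPERT
 view CONFIG
"""

HEAD = re.compile(r"^parser view (\S+)( superview)?\s*$")
CMD = re.compile(r"^ commands (\S+) (include|include-exclusive|exclude) (all )?(.+)$")

def parse_views(config):
    """Map view name -> {'commands': {(mode, action, wildcard, cmd)}, 'members': [views]}."""
    views, cur = {}, None
    for line in config.splitlines():
        if m := HEAD.match(line):
            cur = views.setdefault(m.group(1), {"commands": set(), "members": []})
        elif cur is not None and (m := CMD.match(line)):
            cur["commands"].add((m.group(1), m.group(2), bool(m.group(3)), m.group(4).strip()))
        elif cur is not None and line.startswith(" view "):
            cur["members"].append(line.split()[1])
        elif not line.startswith(" "):
            cur = None  # "!" or any other top-level line closes the stanza
    return views

def effective(views, name):
    """Own commands plus, for a superview, those of every member view."""
    granted = set(views[name]["commands"])
    for member in views[name]["members"]:
        granted |= effective(views, member)
    return granted

def wildcard_grants(views):
    """Names of views whose effective set contains an 'include all <prefix>' entry."""
    return sorted(n for n in views
                  if any(w for _, a, w, _ in effective(views, n) if a == "include"))
```

On this input wildcard_grants reports EXPERT and SUPER; CONFIG is not listed because the saved configuration shows `commands exec include configure` without the `all` keyword that was typed in Task 3.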