Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
INTERFACE ACCESS
DENISE HELFRICH
MARCH 2004
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 1
Agenda
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 2
ROLE-BASED CLI ACCESS
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 3
Role-Based User Views
Operational Needs
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 4
Role-Based CLI Access Benefits
• Security
Enhances the security of a device by defining the set of CLI
commands accessible to a user
• Availability
Avoids unintentional executions of CLI commands by
unauthorized personnel
• Operational Efficiency
Greatly improves usability by prohibiting users from
viewing CLI commands that are inaccessible to them
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 5
Role-Based CLI Access Functions
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 6
How it Works
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 7
CLI VIEWS CONFIGURATION
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 8
How CLI View Relates to Other
Configurations
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 9
CLI View Configuration Tasks
• Prerequisite Configuration
• Task 1: login to Root view
• Task 2: configure a new view
• Task 3: access a CLI view
• Task 4: assign username view level
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 10
Prerequisite Configuration
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 11
Task 1: Login to Root View
Router#
enable view
Router# enable view
Password: |enter enable or enable secret password
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 12
Task 2: Configure a New View
Router(config)#
parser view view-name
Router# configure terminal
Router(config)# parser view Admin123
*Mar 18 01:07:56.167: %PARSER-6-VIEW_CREATED:
view ‘Admin123' successfully created.
Router(config-view)#
Notes:
• The no form of parser view view-name is used to delete the view
• View name is case sensitive
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 13
Task 2: Configure a New View (Cont.)
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 14
Task 2: Configure a New View (Cont.)
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 16
Example: Acme Company Access Roles
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 17
Acme Company Operator View Sample
Configuration
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 18
Acme Company Network Administrator
View Sample Configuration
Router(config)# parser view NetOps
Router(config-view)#password 5 NetOps@Pswd
Router(config-view)#commands exec include clear
Router(config-view)#commands exec include copy
Router(config-view)#commands exec include ping
Router(config-view)#commands exec include all show
Router(config-view)#commands exec include configure
Router(config-view)#commands configure include access-list
Router(config-view)#commands configure include clock
Router(config-view)#commands configure include hostname
Router(config-view)#commands configure include interface
Router(config-view)#commands configure include ip
Router(config-view)#commands configure include line
Router(config-view)#exit
Router(config)#
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 19
Acme Company Security Administrator
View Sample Configuration
Router(config)# parser view SecOps
Router(config-view)#password 5 SecOps@Pswd
Router(config-view)#commands exec include copy running-config
Router(config-view)#commands exec include login
Router(config-view)#commands exec include all show
Router(config-view)#commands exec include-exclusive show crypto
Router(config-view)#commands exec include-exclusive show key
Router(config-view)#commands exec include configure terminal
Router(config-view)#commands configure include access-list
Router(config-view)#commands configure include-exclusive crypto
Router(config-view)#commands configure include-exclusive key
Router(config-view)#commands configure include-exclusive li-
view
Router(config-view)#exit
Router(config)#
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 20
Acme Company Security Engineer Sample
Configuration
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 21
View Capabilities
Operator NetOps SecOps
Router#enable view operator Router#enable view NetOps Router#enable view SecOps
Password: Oper@torPswd Password: NetOps@Pswd Password: SecOps@Pswd
*…view 'operator' *…view ‘NetOps' *…view ‘SecOps'
Router# ? Router# ? Router# ?
Exec commands: Exec commands: Exec commands:
exit clear configure
ping configure copy
show copy enable
Router#show ? enable exit
hardware exit login
interfaces ping ping
version show show
Router#show ? Router#show ?
controllers controllers
hardware crypto
interfaces hardware
version interfaces
Router#configure terminal key
Router(config)#? version
access-list Router#configure terminal
clock Router(config)#?
hostname access-list
interface crypto
ip key
line li-view
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 22
Task 4: Assign Username View Level
Router(config)#
username name {privilege privilege-level | view
view-name] password password}
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 23
Example: Login and Views for Admin_o
User
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 24
LAWFUL INTERCEPT VIEW
CONFIGURATION
Presentation_ID
Role-Based CLI Access 03/04 © 2004, Cisco Systems, Inc.Cisco
© 2004 All rights reserved.
Systems, Inc. All rights reserved. 25
Lawful Intercept View
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 26
Lawful Intercept Configuration Tasks
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 27
Task 1: Login to Root View
Router#
enable view
Router# enable view
Password: |enter enable or enable secret password
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 28
Task 2: Configure a Lawful Intercept View
Notes:
• Only level fifteen privilege user can initialize a Lawful Intercept view
• At least one user must be specified
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 29
Task 2: Configure a Lawful Intercept View
(Cont.)
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 30
Task 2: Configure a Lawful Intercept View
(Cont.)
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 31
Task 3: Access Lawful Intercept View
Router#
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 32
Monitoring Views and View Users
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 33
Resources
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 34
Role-Based CLI Access 03/04 © 2004 Cisco Systems, Inc. All rights reserved. 35