In preparation for your CCNA Security 640-553 exam, we want to make sure we cover topics that you are very likely to encounter on your Cisco CCNA exam. So to assist you, below we will discuss securing administrative access to Cisco routers by configuring role-based CLI.
Secure administrative access to Cisco routers by configuring role based CLI
The Role-Based CLI Access feature allows the network administrator to define "views," which are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands. Views restrict user access to the Cisco IOS command-line interface (CLI) and to configuration information; that is, a view defines which commands are accepted and which configuration information is visible. Network administrators can thus exercise finer control over access to Cisco networking devices.
With the parser view feature, you can create a "view" that is the collection of all the commands that someone who holds the password to that view is allowed to execute. A view is a contained shell environment that limits what its user can see of, and do on, the router. Unlike access granted via privilege levels, which is cumulative (someone with level 10 access also has every command authorized at levels 1–9), role-based CLI is modular: access granted within one view is separate from every other view, so a view can be given "configure terminal" for one interface without inheriting "show version". We'll go through it step by step in a moment, but sometimes it's better to look at an example first and use intuition.
Here's an example of how views may be used in real life. Let's say our router is managed by an ISP.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
DETAILED STEPS

Step 1: enable view
Example: Router> enable view
Purpose: Enters the root view. Enter your privilege level 15 password (the enable secret) if prompted. Views can only be created or edited from the root view, and the feature requires AAA to be enabled (aaa new-model) and an enable secret to be set beforehand; without them the command is refused.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: parser view view-name
Example: Router(config)# parser view first
Purpose: Creates a view and enters view configuration mode.

Step 4: secret 5 encrypted-password
Example: Router(config-view)# secret 5 secret
Purpose: Associates a command-line interface (CLI) view or superview with a password.
Note: You must issue this command before you can configure any other attribute of the view. The 5 tells the parser that the argument is an already-hashed (type 5, MD5) secret, which is the form you see when a saved configuration is displayed or pasted back. When setting a view password interactively, type it in cleartext (secret password, or secret 0 password) and the router hashes it for you. The reference example "secret 5 secret" is therefore a placeholder, not a literal value to type.

Step 5: commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Example: Router(config-view)# commands exec include show version
Purpose: Adds commands or interfaces to a view.
• parser-mode: the mode in which the specified command exists (for example exec, configure or interface).
• include: adds a command or an interface to the view and still allows the same command or interface to be added to other views.
• include-exclusive: adds a command or an interface to the view and prevents the same command or interface from being added to any other view.
• exclude: excludes a command or an interface from the view; that is, users of the view cannot run that command or reach that interface.
• all: a "wildcard" that admits every command in the specified mode that begins with the given keyword, or every subinterface of the specified interface, into the view.
• interface interface-name: interface that is added to the view.
• command: command that is added to the view.

Step 6: exit
Example: Router(config-view)# exit
Purpose: Exits view configuration mode.

Step 7: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.

Step 8: enable [privilege-level] [view view-name]
Example: Router# enable view first
Purpose: Prompts the user for the view's password and, once the correct password is given, places the session in that view. The same command is used to switch from one view to another.

Step 9: show parser view [all]
Example: Router# show parser view
Purpose: (Optional) Displays the view that the user is currently in.
• all: displays information for every view configured on the router.
Note: Although this command is available to both root and lawful intercept users, the all keyword is available only to root users. A user in the root view can, however, make the all keyword available to users in the lawful intercept view and in CLI views.
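The nine steps above are easier to follow as one complete session. The configuration below is a worked example added here; it is not taken from the original article or from Cisco's own documentation, and the hostname, view names, user names, passwords and the interface name are all made up. It assumes an IOS image that supports CLI views and uses local AAA so that each user lands directly in its view at login, rather than having to share the view passwords used by "enable view".

```cisco
! Added worked example, not part of the original article. Hostname, view names,
! user names, passwords and the interface name are invented for illustration.
!
! --- Prerequisites: role-based CLI needs AAA enabled and an enable secret,
! --- because the root view is entered with the privilege-15 enable secret.
Router> enable
Router# configure terminal
Router(config)# aaa new-model
Router(config)# enable secret Us3-a-str0ng-0ne
Router(config)# end
!
! --- Step 1: enter the root view. Views can only be created from here.
Router# enable view
Password:
Router# show parser view
Current view is 'root'
!
! --- Steps 2-7: a monitoring-only view for the help desk. Note that the
! --- password is typed in cleartext; the router stores it as a type 5 hash.
Router# configure terminal
Router(config)# parser view HELPDESK
Router(config-view)# secret H3lpd3sk-pw
Router(config-view)# commands exec include show version
Router(config-view)# commands exec include all show ip interface
Router(config-view)# commands exec include ping
Router(config-view)# exit
!
! --- A second view that may configure one interface only. "include-exclusive"
! --- reserves "shutdown" under that interface for this view alone: no other
! --- view can be given it while NETOPS exists.
Router(config)# parser view NETOPS
Router(config-view)# secret N3tops-pw
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands exec include show running-config
Router(config-view)# commands configure include interface FastEthernet0/1
Router(config-view)# commands interface include ip address
Router(config-view)# commands interface include-exclusive shutdown
Router(config-view)# exit
!
! --- Bind local users to views so that login lands directly in the view.
! --- "show running-config" from inside NETOPS then shows only the parts of
! --- the configuration that the view is allowed to touch.
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
Router(config)# username helpdesk view HELPDESK secret H3lpd3sk-login
Router(config)# username netops view NETOPS secret N3tops-login
Router(config)# end
!
! --- Step 9: verify from the root view (the "all" keyword is root-only).
Router# show parser view all
!
! --- Step 8: switch into the restricted view and test the fence.
Router# enable view HELPDESK
Password:
Router# show parser view
Current view is 'HELPDESK'
Router# show version
...
Router# configure terminal
                   ^
% Invalid input detected at '^' marker.
!
! --- Access is per view, not cumulative: HELPDESK cannot "configure
! --- terminal" and NETOPS cannot "show version". Return to the root view
! --- (enable view, then the enable secret) to change any of this.
```

Two points worth checking on a real router after pasting this in: run "show running-config" from inside NETOPS and confirm that only interface FastEthernet0/1 appears, and try "commands interface include shutdown" in a third view to see the include-exclusive reservation being refused.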
2.6 Secure the Cisco IOS image and configuration file
The Cisco IOS resilient configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash storage).
A great challenge for network operators is the total downtime experienced after a router has been compromised and its operating software and configuration data have been erased from persistent storage. The operator must retrieve an archived copy of the configuration (hopefully one is available) and a working Cisco IOS image to restore the router. Recovery must then be repeated for each affected router, adding to the total network downtime.
The Cisco IOS resilient configuration feature is intended to speed up that recovery. It maintains a secure working copy of the router image and of the running configuration at all times. This pair of files, the Cisco IOS image and the archived running configuration, is referred to as the primary bootset. The secured files are hidden from the IOS file system and cannot be deleted through the CLI; the protection itself can be switched off only from a console session, so an attacker who has gained a remote session cannot discard them.
For example, the show flash command will not list the secured image file (only show secure bootset does). If a router has been compromised, the resulting downtime is reduced because the router keeps secure archives of the required files on board and there is no need to search for backups elsewhere. Note that the configuration archive is a snapshot: after you change the configuration, re-run secure boot-config to refresh it.
The command sequence to save a primary bootset to a secure archive in persistent storage is as follows:

Step 1. Router> enable
Step 2. Router# configure terminal
Step 3. Router(config)# secure boot-image
Step 4. Router(config)# secure boot-config
Step 5. Router(config)# end
Step 6. Router# show secure bootset
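The six steps above, carried through as a complete session with the checks a practitioner would run afterwards. This is a worked example added here, not taken from the original article or from Cisco documentation; the hostname, image file name, archive name and timestamps are invented, and it assumes a router that boots its image from local flash, which is what secure boot-image requires.

```cisco
! Added worked example, not part of the original article. Hostname, image
! file name, archive name and timestamps are invented for illustration.
Router> enable
Router# configure terminal
!
! --- Secure the running image. Only an image booted from local flash can
! --- be secured; IOS confirms with %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE.
Router(config)# secure boot-image
!
! --- Archive the running configuration. The archive is a hidden file in
! --- flash (e.g. flash:.runcfg-20090901-100005.ar) and IOS confirms with
! --- %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE.
Router(config)# secure boot-config
Router(config)# end
!
! --- Check 1: only "show secure bootset" lists the secured files.
Router# show secure bootset
!
! --- Check 2: the ordinary file-system views do not show them, which is
! --- the point; neither command below lists the secured image or archive.
Router# show flash
Router# dir flash:
!
! --- Check 3: the protection cannot be removed from a remote session.
! --- Over SSH or Telnet this is refused; it is accepted only on the console.
Router# configure terminal
Router(config)# no secure boot-image
Router(config)# end
!
! --- After any configuration change, refresh the snapshot:
Router# configure terminal
Router(config)# secure boot-config
Router(config)# end
!
! --- Recovery after flash and NVRAM have been wiped: ROMMON still lists and
! --- boots the secured image ("dir flash:" then "boot flash:<image>").
! --- Once IOS is up again, extract the archived configuration to a normal
! --- file and load it:
Router(config)# secure boot-config restore flash:rescue-config
Router(config)# end
Router# copy flash:rescue-config running-config
```

The third check is the one to actually perform from an SSH session during a change window: if "no secure boot-image" succeeds remotely, the feature is not giving you the protection the section describes.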
Hopefully you found this Cisco CCNA Security 640-553 article helpful as you progress toward your CCNA certification. You will find that the hands-on experience you gain with our CCNA certification kits is the best way to really solidify the various CCNA concepts in your brain. So please check out our various kits and other free CCNA certification material.