With the parser view feature, you can create a “view” that is a collection of all the commands that someone who has the password to that view is allowed to execute.  A view is a contained shell environment that limits their view of the router.  Unlike access granted via privilege levels where someone with level 10 access also has access to commands authorized at levels 1–9, role-based CLI is more modular.  Access that is granted within one view is separate from other views. We’ll go through it step-by-step in a moment, but sometimes it’s better to take a look at an example first and use intuition.  Here’s an example of how views may be used in real life.  Let’s say our router is managed by an ISP.

Summary Steps

1. enable view

2. configure terminal

3. parser view (view-name)

4. secret 5 (encrypted-password)

5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

6. exit

7. exit

8. enable [privilege-level] [view view-name]

9. show parser view [all]

Detailed Steps

Each step below lists the command or action, an example, and its purpose.

Step 1

enable view

Example:

Router> enable view

Enables root view.

• Enter your privilege level 15 password (for example, root password) if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

parser view view-name

Example:

Router(config)# parser view first

Creates a view and enters view configuration mode.

Step 4

secret 5 encrypted-password

Example:

Router(config-view)# secret 5 secret

Associates a command-line interface (CLI) view or superview with a password.

Note You must issue this command before you can configure additional attributes for the view.

Step 5

commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

Example:

Router(config-view)# commands exec include show version

Adds commands or interfaces to a view.

parser-mode—The mode in which the specified command exists.

include—Adds a command or an interface to the view and allows the same command or interface to be added to an additional view.

include-exclusive—Adds a command or an interface to the view and excludes the same command or interface from being added to all other views.

exclude—Excludes a command or an interface from the view; that is, customers cannot access a command or an interface.

all—A “wildcard” that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view.

interface interface-name—Interface that is added to the view.

command—Command that is added to the view.

Step 6

exit

Example:

Router(config-view)# exit

Exits view configuration mode.

Step 7

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 8

enable [privilege-level] [view view-name]

Example:

Router# enable view first

Prompts the user for a password; after the correct password is given, the user enters the configured CLI view. The same command is used to switch from one view to another.

Step 9

show parser view [all]

Example:

Router# show parser view

(Optional) Displays information about the view that the user is currently in.

all—Displays information for all views that are configured on the router.

Note Although this command is available for both root and lawful intercept users, the all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view and CLI view.
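A complete session that ties the nine steps together, added here as an example and not taken from the original page: it builds a NOC-OPS view that gets a few show commands, one exclusive command, and the description and shutdown settings of a single interface, then switches into the view to verify it. The view name, the interface name and the placeholder password are assumptions; aaa new-model is the AAA prerequisite without which a parser view cannot be created.

```cisco
! Added example (not from the page): a NOC-OPS view limited to a few show
! commands, one exclusive command, and the description/shutdown settings of
! one interface. Assumed (made up here): the view name, the interface name
! and the placeholder password. AAA must already be enabled, since parser
! views cannot be created without aaa new-model.
Router> enable view
Password:
Router# configure terminal
Router(config)# aaa new-model
Router(config)# parser view NOC-OPS
! The view password must be set before any other view attribute.
Router(config-view)# secret V1ew-Placeholder
! Plain include: these commands may also be granted to other views.
Router(config-view)# commands exec include show version
Router(config-view)# commands exec include show ip interface brief
! all: wildcard, every exec command that begins with "show ip route".
Router(config-view)# commands exec include all show ip route
! include-exclusive: once here, no other view may include this command.
Router(config-view)# commands exec include-exclusive clear counters
! Reaching interface configuration needs the whole path:
! exec -> configure -> interface, each granted in its own parser mode.
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include interface GigabitEthernet0/1
Router(config-view)# commands interface include description
Router(config-view)# commands interface include shutdown
Router(config-view)# exit
Router(config)# exit
! Verification from the operator's side: switch into the view and inspect it.
Router# enable view NOC-OPS
Password:
Router# show parser view
! show running-config was never included, so the view rejects it; by default
! only a root-view user can list every view with "show parser view all".
```

Because the view's secret is a separate credential from the enable secret, an operator who knows only the view password never gains the privilege 15 commands that are outside the view.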

1.1 Secure the Cisco IOS image and configuration file

The Cisco IOS resilient configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash storage).

A great challenge for network operators is the total downtime that is experienced after a router has been compromised and its operating software and configuration data are erased from its persistent storage. The operator must retrieve an archived copy (hopefully one is available) of the configuration and a working Cisco IOS image to restore the router. Recovery must then be performed for each affected router, adding to the total network downtime.

The Cisco IOS resilient configuration feature is intended to speed up the recovery process. This feature maintains a secure working copy of the router image and the startup configuration at all times. The user cannot remove these secure files. This set of Cisco IOS image and router running configuration files is referred to as the bootset.

The secure files are also hidden from file-system listings; for example, the show flash command does not show the secure image file. If a router has been compromised, the resulting downtime is reduced because the router maintains secure archives of the required files and there is no need to search for backups of these files elsewhere.

The command sequence to save a primary bootset to a secure archive in persistent storage is as follows:

Step 1.

Router> enable

Step 2.

Router# configure terminal

Step 3.

Router(config)# secure boot-image

Step 4.

Router(config)# secure boot-config

Step 5.

Router(config)# end

Step 6.

Router# show secure bootset