Published June 11, 2018

CCNP-ISCW-v5.0 Lab 5-7: Configuring Role-Based CLI Views


Lab5-7.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.7 Configuring Role-Based CLI Views
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-7/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc =0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router R1]]
 model = 3725
 console = 2001

Objectives
‧ Configure prerequisites to role-based views
‧ Enable AAA on a router
‧ Change views on a router
‧ Create views and superviews


Scenario:
In this lab, you will configure role-based CLI views, a newer method of controlling which Cisco IOS commands a user can execute.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host R*


Step 1: Configure an Enable Secret Password
R1(config)#enable secret cisco


Step 2: Enable AAA
R1(config)#username cisco password cisco
R1(config)#aaa new-model
R1(config)#aaa authentication login default local


Step 3: Change to the Root View
To show the current view, use the show parser view command. Compare this output to that of the show privilege command.
R1#show privilege
Current privilege level is 15
R1#show parser view
No view is active ! Currently in Privilege Level Context

In order to configure the views feature, you must first access the root view, which is not the same as being privilege level 15.
R1#enable view root
Password: cisco
*Mar  1 00:13:08.235: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#show privilege
Currently in View Context with view 'root'
R1#show parser view
Current view is 'root'
R1#


Step 4: Create Views
Create a view named INTVIEW, which has monitoring capabilities for physical and logical interfaces.
R1(config)#parser view INTVIEW

Before defining the view’s command set, you must set a password for the view with the secret command in view configuration mode. The password is stored as an MD5 hash value.
R1(config-view)#secret iv

Assign this view access to two commands: show interface and clear counters.
R1(config-view)#commands exec include show interface
R1(config-view)#commands exec include clear counters

R1#show running-config | section view
parser view INTVIEW
 secret 5 $1$58C5$auTTDMuzK.ty257WAFLeV/
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
R1#

Log in to the INTVIEW view with the enable view name command using the “iv” password, and then enter ? to view the available command set.
R1#enable view INTVIEW
Password: iv

*Mar  1 00:21:32.027: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTVIEW'.
R1#?
Exec commands:
  clear       Reset functions
  credential  load the credential info from file system
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  show        Show running system information

R1#show ?
  flash:      display information about flash: file system
  interfaces  Interface status and configuration
  parser      Show parser commands
  slot0:      display information about slot0: file system

R1#clear ?
  counters  Clear counters on one or all interfaces

Log out of the INTVIEW view and log in to the root view before proceeding.
R1#enable view root
Password: cisco
*Mar  1 00:22:55.331: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Create another view named INTSHUT, and assign this view access to the shutdown and no shutdown commands for the Fast Ethernet interfaces and the menus necessary to configure these commands. Make the password for this view “is”.
R1(config)#parser view INTSHUT
*Mar  1 01:28:04.803: %PARSER-6-VIEW_CREATED: view 'INTSHUT' successfully created.
R1(config-view)#secret is
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface
R1(config-view)#commands configure include interface fastethernet0/0
R1(config-view)#commands configure include interface fastethernet0/1
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no shutdown

Enter this new view to test out its privileges.
R1#enable view INTSHUT
Password: is

*Mar  1 01:43:29.859: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTSHUT'.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#?
Configure commands:
  do         To run exec commands in config mode
  exit       Exit from configure mode
  interface  Select an interface to configure

R1(config)#interface fastEthernet 0/0
R1(config-if)#?
Interface configuration commands:
  channel-group      Add this interface to an Etherchannel group
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  exit               Exit from interface configuration mode
  load-interval      Specify interval for load calculation for an interface
  locaddr-priority   Assign a priority group
  no                 Negate a command or set its defaults
  priority-group     Assign a priority group to an interface
  sap-priority       Assign a priority group
  shutdown           Shutdown the selected interface



Step 5: Create a Superview
A superview is the union of one or more regular views. It is created like a regular view, but you use the superview keyword to define it. Name this superview INTADMIN with the password “ia”.
R1#enable view root
Password: cisco

*Mar  1 02:09:23.739: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#parser view INTADMIN superview
R1(config-view)#
*Mar  1 02:09:52.759: %PARSER-6-SUPER_VIEW_CREATED: super view 'INTADMIN' successfully created.
R1(config-view)#secret ia
R1(config-view)#view INTVIEW
*Mar  1 02:10:10.343: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTVIEW added to superview INTADMIN.
R1(config-view)#view INTSHUT
*Mar  1 02:10:21.191: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTSHUT added to superview INTADMIN.


On the router, exit privileged EXEC mode, and then reenter it using the enable command.
R1#disable
*Mar  1 00:21:13.471: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
R1>enable
*Mar  1 00:21:18.291: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
R1#show parser view all
Views/SuperViews Present in System:
 INTVIEW
 INTSHUT
 INTADMIN *
-------(*) represent superview-------

R1#enable view INTADMIN
Password: ia

*Mar  1 02:14:28.139: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTADMIN'.
R1#?
Exec commands:
  clear       Reset functions
  configure   Enter configuration mode
  credential  load the credential info from file system
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  show        Show running system information
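
The superview behaviour described in Step 5 can be checked offline against a saved configuration. The following is an added example, not part of the original lab: it parses the parser view blocks from this lab's final configuration and resolves each view, including the INTADMIN superview, to its effective command set. The function names (parse_views, effective, config_capable) are hypothetical, and only the `commands <mode> include <command>` and `view <name>` forms used on this page are handled.

```python
import re

# Parser view section of this lab's final configuration, secret lines omitted.
CONFIG = """\
parser view INTVIEW
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
parser view INTSHUT
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet0/0
 commands configure include interface FastEthernet0/1
parser view INTADMIN superview
 view INTVIEW
 view INTSHUT
"""

def parse_views(text):
    """Return {view: {"super": bool, "members": [names], "commands": {(mode, cmd)}}}."""
    views, cur = {}, None
    for line in text.splitlines():
        if (m := re.match(r"parser view (\S+)( superview)?$", line)):
            cur = views[m.group(1)] = {"super": bool(m.group(2)), "members": [], "commands": set()}
        elif cur is None or not line.startswith(" "):
            cur = None  # an unindented line ends the current view block
        elif (m := re.match(r" commands (\S+) include (.+)$", line)):
            cur["commands"].add((m.group(1), m.group(2).strip()))
        elif (m := re.match(r" view (\S+)$", line)):
            cur["members"].append(m.group(1))
    return views

def effective(views, name):
    """Commands reachable from a view; a superview is the union of its member views."""
    cmds = set(views[name]["commands"])
    for member in views[name]["members"]:
        cmds |= effective(views, member)
    return cmds

def config_capable(views):
    """Names of views whose effective command set reaches configuration mode."""
    return sorted(n for n in views
                  if any(mode == "exec" and cmd.startswith("configure")
                         for mode, cmd in effective(views, n)))
```

Running config_capable(parse_views(CONFIG)) lists INTADMIN alongside INTSHUT, which shows that adding a view to a superview also hands over that view's configuration access.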



Final Configurations
R1:
hostname R1
!
enable secret 5 $1$.LCb$RYGBp8WcmzrFmYsqzesPt.
!
aaa new-model
!
aaa authentication login default local
!
no ip domain lookup
!
username cisco password 0 cisco
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
parser view INTVIEW
 secret 5 $1$58C5$auTTDMuzK.ty257WAFLeV/
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
!
parser view INTSHUT
 secret 5 $1$hTqF$jXZCU/zxGxogWhf6/kOOb0
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet0/0
 commands configure include interface FastEthernet0/1
!
parser view INTADMIN superview
 secret 5 $1$4zvJ$JjDS7E106hV3yOnI8qAoe0
 view INTVIEW
 view INTSHUT
!
end
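
The final configuration stores the enable and view secrets as type 5 (MD5) hashes but keeps the local user's password as type 0. The following is an added example, not part of the original lab: it reports how each credential line in a saved configuration is stored and whether it can be read straight from the file. The audit function and TYPES table are hypothetical names, and the sample lines are copied from the configuration above.

```python
import re

# Credential lines copied from this lab's final configuration.
CONFIG = """\
enable secret 5 $1$.LCb$RYGBp8WcmzrFmYsqzesPt.
username cisco password 0 cisco
parser view INTVIEW
 secret 5 $1$58C5$auTTDMuzK.ty257WAFLeV/
parser view INTADMIN superview
 secret 5 $1$4zvJ$JjDS7E106hV3yOnI8qAoe0
"""

# IOS credential type digit -> (storage format, recoverable from the config text?)
TYPES = {
    "0": ("cleartext", True),
    "7": ("reversible obfuscation", True),
    "5": ("salted MD5 hash", False),
    "8": ("PBKDF2-SHA256 hash", False),
    "9": ("scrypt hash", False),
}

def audit(text):
    """Return one (owner, storage, recoverable) tuple per credential line."""
    findings, view = [], None
    for line in text.splitlines():
        m = re.match(r"parser view (\S+)", line)
        if m:
            view = m.group(1)  # following indented lines belong to this view
            continue
        if not line.startswith(" "):
            view = None  # an unindented line ends the view block
        m = re.search(r"\b(password|secret) (\d) (\S+)", line)
        if not m:
            continue
        owner = f"view {view}" if view else line[:m.start()].strip()
        storage, recoverable = TYPES.get(m.group(2), ("unknown type", None))
        findings.append((owner, storage, recoverable))
    return findings
```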


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / Last updated: 2008.10.06 / 2018.06.11
