Lab5-7.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.7 Configuring Role-Based CLI Views
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-7/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc = 0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
Objectives
‧ Configure prerequisites to role-based views
‧ Enable AAA on a router
‧ Change views on a router
‧ Create views and superviews
Scenario:
In this lab, you will configure role-based CLI views, a newer method of controlling which Cisco IOS commands a user can execute.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
host R*
Step 1: Configure an Enable Secret Password
R1(config)#enable secret cisco
Step 2: Enable AAA
R1(config)#username cisco password cisco
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
Step 3: Change to the Root View
To show the current view, use the show parser view command. Compare this output to that of the show privilege command.
R1#show privilege
Current privilege level is 15
R1#show parser view
No view is active ! Currently in Privilege Level Context
In order to configure the views feature, you must first access the root view, which is not the same as being privilege level 15.
R1#enable view root
Password: cisco
*Mar 1 00:13:08.235: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#show privilege
Currently in View Context with view 'root'
R1#show parser view
Current view is 'root'
R1#
Step 4: Create Views
Create a view named INTVIEW, which has monitoring capabilities for physical and logical interfaces.
R1(config)#parser view INTVIEW
Before defining the view's command set, you must set a password for the view with the secret password command in view configuration mode. The password is stored as an MD5 hash value.
R1(config-view)#secret iv
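Assign this view access to two commands: show interface and clear counters. IOS also adds the parent keywords show and clear to the view, so the running configuration lists four commands lines.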
R1(config-view)#commands exec include show interface
R1(config-view)#commands exec include clear counters
R1#show running-config | section view
parser view INTVIEW
secret 5 $1$58C5$auTTDMuzK.ty257WAFLeV/
commands exec include show interfaces
commands exec include show
commands exec include clear counters
commands exec include clear
R1#
Log in to the INTVIEW view with the enable view name command using the “iv” password, and then enter ? to view the available command set.
R1#enable view INTVIEW
Password: iv
*Mar 1 00:21:32.027: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTVIEW'.
R1#?
Exec commands:
clear Reset functions
credential load the credential info from file system
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
parser Show parser commands
slot0: display information about slot0: file system
R1#clear ?
counters Clear counters on one or all interfaces
Log out of the INTVIEW view and log in to the root view before proceeding.
R1#enable view root
Password: cisco
*Mar 1 00:22:55.331: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Create another view named INTSHUT, and assign this view access to the shutdown and no shutdown commands for the Fast Ethernet interfaces and the menus necessary to configure these commands. Make the password for this view “is”.
R1(config)#parser view INTSHUT
*Mar 1 01:28:04.803: %PARSER-6-VIEW_CREATED: view 'INTSHUT' successfully created.
R1(config-view)#secret is
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface
R1(config-view)#commands configure include interface fastethernet0/0
R1(config-view)#commands configure include interface fastethernet0/1
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no shutdown
Enter this new view to test out its privileges.
R1#enable view INTSHUT
Password: is
*Mar 1 01:43:29.859: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTSHUT'.
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#?
Configure commands:
do To run exec commands in config mode
exit Exit from configure mode
interface Select an interface to configure
R1(config)#interface fastEthernet 0/0
R1(config-if)#?
Interface configuration commands:
channel-group Add this interface to an Etherchannel group
custom-queue-list Assign a custom queue list to an interface
delay Specify interface throughput delay
exit Exit from interface configuration mode
load-interval Specify interval for load calculation for an interface
locaddr-priority Assign a priority group
no Negate a command or set its defaults
priority-group Assign a priority group to an interface
sap-priority Assign a priority group
shutdown Shutdown the selected interface
Step 5: Create a Superview
A superview is the union of one or more regular views. It is created like a regular view, but you use the superview keyword to define it. Name this superview INTADMIN with the password “ia”.
R1#enable view root
Password: cisco
*Mar 1 02:09:23.739: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view INTADMIN superview
R1(config-view)#
*Mar 1 02:09:52.759: %PARSER-6-SUPER_VIEW_CREATED: super view 'INTADMIN' successfully created.
R1(config-view)#secret ia
R1(config-view)#view INTVIEW
*Mar 1 02:10:10.343: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTVIEW added to superview INTADMIN.
R1(config-view)#view INTSHUT
*Mar 1 02:10:21.191: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTSHUT added to superview INTADMIN.
On the router, exit privileged EXEC mode, and then reenter it using the enable command.
R1#disable
*Mar 1 00:21:13.471: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
R1>enable
*Mar 1 00:21:18.291: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
R1#show parser view all
Views/SuperViews Present in System:
INTVIEW
INTSHUT
INTADMIN *
-------(*) represent superview-------
R1#enable view INTADMIN
Password: ia
*Mar 1 02:14:28.139: %PARSER-6-VIEW_SWITCH: successfully set to view 'INTADMIN'.
R1#?
Exec commands:
clear Reset functions
configure Enter configuration mode
credential load the credential info from file system
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
Final Configurations
R1:
hostname R1
!
enable secret 5 $1$.LCb$RYGBp8WcmzrFmYsqzesPt.
!
aaa new-model
!
aaa authentication login default local
!
no ip domain lookup
!
username cisco password 0 cisco
!
line con 0
exec-timeout 0 0
logging synchronous
!
parser view INTVIEW
secret 5 $1$58C5$auTTDMuzK.ty257WAFLeV/
commands exec include show interfaces
commands exec include show
commands exec include clear counters
commands exec include clear
!
parser view INTSHUT
secret 5 $1$hTqF$jXZCU/zxGxogWhf6/kOOb0
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands configure include interface FastEthernet0/0
commands configure include interface FastEthernet0/1
!
parser view INTADMIN superview
secret 5 $1$4zvJ$JjDS7E106hV3yOnI8qAoe0
view INTVIEW
view INTSHUT
!
end
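The superview union described in Step 5, worked through on the parser view sections of the final configuration above. This is an added example, not part of the original lab; the function names parse_views and effective_commands are hypothetical, and only the plain "commands <mode> include <command>" form used in this lab is handled.

```python
import re

# Constructed input: the parser view sections of the final configuration above,
# with the "secret 5 ..." lines left out.
SAMPLE_CONFIG = """\
parser view INTVIEW
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
!
parser view INTSHUT
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet0/0
 commands configure include interface FastEthernet0/1
!
parser view INTADMIN superview
 view INTVIEW
 view INTSHUT
!
"""

def parse_views(config):
    """Map view name -> {'super': bool, 'members': [names], 'commands': {(mode, command)}}."""
    views, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.fullmatch(r"parser view (\S+)( superview)?", line)
        cmd = re.fullmatch(r"commands (\S+) include (.+)", line)
        member = re.fullmatch(r"view (\S+)", line)
        if head:
            cur = views[head.group(1)] = {"super": bool(head.group(2)), "members": [], "commands": set()}
        elif cur is not None and cmd:
            cur["commands"].add((cmd.group(1), cmd.group(2)))
        elif cur is not None and member:
            cur["members"].append(member.group(1))
        elif not line.startswith("secret "):
            cur = None  # "!" or any other line ends the view section
    return views

def effective_commands(views, name):
    """A superview has no commands of its own; it grants the union of its member views."""
    view = views[name]
    if not view["super"]:
        return set(view["commands"])
    return set().union(*(views[m]["commands"] for m in view["members"]))

if __name__ == "__main__":
    for mode, command in sorted(effective_commands(parse_views(SAMPLE_CONFIG), "INTADMIN")):
        print(f"{mode:10} {command}")
```

Run against a saved running configuration, the same two functions show at a glance which commands each superview password actually unlocks.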
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.10.06 / 2018.06.11