Let's make a parser view called "user". There are three prerequisites: first, the "root" view must be enabled (the hierarchy is similar to Unix/Linux, where there has to be a root); second, AAA must be enabled; and third, an enable secret must be configured on the router.
You need to be in privileged exec mode to access the root view.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new
Router(config)#aaa new-model
Router(config)#enable view root
Router(config)#enable secret cisco
Router#sh parser view
No view is active ! Currently in Privilege Level Context
Router#enable view root
Password:
*May 2 00:50:51.283: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Router#show parser view
Current view is 'root'
Now, from the root view, we create all the other views and define the commands that are included in or excluded from each view.
Router(config)#parser view user
Router(config-view)#
*May 2 00:52:54.999: %PARSER-6-VIEW_CREATED: view 'user' successfully created.
We can set a password for the parser view "user".
Router(config-view)#secret cisco
Great! Our parser view is done. Let's say we exclude the reload command from this view; it is pretty dangerous if someone who is not authorized can reload the router!
Router(config-view)#commands exec exclude reload
Let's dissect what the command above does. The word "commands" refers to the commands being allowed or denied. "exec" refers to privileged exec mode, since reload is run in that mode, and "reload" is the command itself. We can see it follows the same hierarchy as the configuration.
For testing, we will switch to the user view and try reloading the router.
Router#enable view user
Password:
Router#reload
^
% Invalid input detected at '^' marker.
Cool! The reload command no longer works in that view. I have an online hopping server which I configured with a parser view so my friends won't run any CPU- or performance-intensive commands on the routers. Here is that view's configuration:
commands configure exclude aaa
commands exec include all telnet
commands exec include all write
commands exec include all traceroute
commands exec include all ping
commands exec include all enable
commands exec include all configure
commands exec include all send
commands exec exclude reload
commands exec exclude undebug ip packet
commands exec include undebug ip
commands exec exclude undebug all
commands exec include all undebug
commands exec include all show
commands exec include all set
commands exec exclude debug ip packet
commands exec include debug ip
commands exec exclude debug all
commands exec include all debug
commands configure exclude interface FastEthernet0/0
The router's behavior regarding parser views is that it automatically adds the counterpart of a command you exclude. Take "commands exec exclude debug ip packet" as an example: since this command is excluded, the undebug form should be excluded too, so the router automatically generated the command "commands exec exclude undebug ip packet".
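To reason about a view like the one above before deploying it, here is a small Python model of the include/exclude rules (an added example, not code from the post or from IOS). It assumes, since the post does not say, that the most specific matching rule wins (longest matching command prefix), that a rule without "all" covers only that exact command, and that a command matched by no rule is denied; it also checks the debug/undebug pairing described above.

```python
# Added example, not from the post: a small model of parser-view include/exclude rules.
from dataclasses import dataclass
# Sample input: a subset of the 'user' view lines from the post.
VIEW_CONFIG = """
commands exec include all show
commands exec exclude reload
commands exec exclude undebug ip packet
commands exec exclude undebug all
commands exec include all undebug
commands exec exclude debug ip packet
commands exec include debug ip
commands exec exclude debug all
commands exec include all debug
commands configure exclude interface FastEthernet0/0
"""
@dataclass
class Rule:
    mode: str        # "exec" or "configure"
    allow: bool      # include -> True, exclude -> False
    recursive: bool  # "all" keyword: the rule also covers sub-commands
    words: tuple     # command words, e.g. ("debug", "ip", "packet")

def parse_rules(config):
    """Turn 'commands <mode> include|exclude [all] <cmd...>' lines into Rules."""
    rules = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "commands":
            continue
        mode, action, rest = parts[1], parts[2], parts[3:]
        recursive = rest[0] == "all" and len(rest) > 1
        rules.append(Rule(mode, action == "include", recursive,
                          tuple(rest[1:] if recursive else rest)))
    return rules

def is_allowed(rules, mode, command):
    """Most specific matching rule wins; no match means denied (assumed, not from post)."""
    words = tuple(command.split())
    best = None
    for r in rules:
        covers = words == r.words or (r.recursive and words[:len(r.words)] == r.words)
        if r.mode == mode and covers and (best is None or len(r.words) > len(best.words)):
            best = r
    return best.allow if best else False

def missing_undebug(rules):
    """'debug ...' exclusions lacking the 'undebug ...' twin that IOS adds for you."""
    excluded = {(r.mode, r.words) for r in rules if not r.allow}
    return [r.words for r in rules if not r.allow and r.words[:1] == ("debug",)
            and (r.mode, ("undebug",) + r.words[1:]) not in excluded]
```

Running the model over the view shows "debug ip icmp" allowed but "debug ip packet", "debug all" and "reload" denied, which is what the post's session demonstrates for reload.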
There you have it. Enjoy and try configuring some parser views.
How do I associate a parser view with a specific user? Also, how is it different from creating a user with a different privilege level?
To associate a view with a user, we use syntax similar to this: "username pete view parserviewname". Difference: using a parser view we can customize which commands are allowed.
"To associate a view to a user, we use the syntax similar to this: "username pete view parserviewname". Difference: using parser view we can customize which commands are allowed."
I can never get this to work.
whenever I login with a username that has a view associated with it, it does not work.
It always logs me into privileged mode
show parser view just gives an error:
No view is active ! Currently in Privilege Level Context