Using Parser View In Cisco Routers

What exactly is a parser view? In simple terms, its like creating user accounts with certain filtering of commands. Parser views can be used to customize which command are allowed for a certain user depending on their privileges. Its simple to create parser views but doing the command filtering takes a while to learn.

Let's make a parser view called "user". One requirement needed is to enable first the "root" view. The hierarchy is similar to Unix/Linux wherein there should be a root. Secondly AAA must be enabled and thirdly, there should be an enable secret configured on the router.


Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new
Router(config)#aaa new-model
Router(config)#enable view root
Routerconfig)#enable secret cisco

It would need to be in the privilege exec mode to access the root view.


Router#sh parser view
No view is active ! Currently in Privilege Level Context
Router#enable view root
Password:
*May 2 00:50:51.283: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Router#show parser view
Current view is 'root'

Now from the root view, this is where we create all other views and define the commands that can be included or excluded per view.


Router(config)#parser view user
Router(config-view)#
*May 2 00:52:54.999: %PARSER-6-VIEW_CREATED: view 'user' successfully created.

We can set a password for the parser view "user".


Router(config-view)#secret cisco

Great! Our parser view is done. Lets say, we exclude the reload command for this view. Pretty dangerous if someone not authorize will reload the router!


Router(config-view)#commands exec exclude reload

Lets dissect what the command above does. The word command is literally for the commands allowed. "Exec" is for the privilege exec mode since reload is done on the mode and "reload" is basically the command itself. We can see its the same hierarchy as configuration.

For testing, we will go to parser view and try reloading the router.


Router#enable view user
Password:
Router#reload
^
% Invalid input detected at '^' marker.

Cool! Now reload command doesn't work on that mode anymore. I have my online hopping server which I configured with parser view so my friends won't do any cpu or performance intensive commands in the routers.


commands configure exclude aaa
commands exec include all telnet
commands exec include all write
commands exec include all traceroute
commands exec include all ping
commands exec include all enable
commands exec include all configure
commands exec include all send
commands exec exclude reload
commands exec exclude undebug ip packet
commands exec include undebug ip
commands exec exclude undebug all
commands exec include all undebug
commands exec include all show
commands exec include all set
commands exec exclude debug ip packet
commands exec include debug ip
commands exec exclude debug all
commands exec include all debug
commands configure exclude interface FastEthernet0/0

The router's behavior regarding parser view is that it adds command opposite to the one you excluded. Lets say for example "commands exec exclude debug ip packet". Since this command is excluded the undebug part also should be excluded. The router automatically generated this command "commands exec exclude undebug ip packet".

There you have it. Enjoy and try configuring some parser views.

Comments

3 Responses to "Using Parser View In Cisco Routers"

Anonymous said... November 26, 2009 at 5:11 PM

how to associate a parser view to a specific user ? Also how it is differetn from creating a user with different priv level ?

Pete said... November 26, 2009 at 5:50 PM

To associate a view to a user, we use the syntax similar to this: "username pete view parserviewname". Difference: using parser view we can customize which commands are allowed.

Christian said... May 25, 2011 at 8:49 AM

"To associate a view to a user, we use the syntax similar to this: "username pete view parserviewname". Difference: using parser view we can customize which commands are allowed."

I can never get this to work.

whenever I login with a username that has a view associated with it, it does not work.

It always logs me into privileged mode

show parser view just gives an error:

No view is active ! Currently in Privilege Level Context

Post a Comment

Certifications

Certifications

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.

Join my Facebook Page I WANT TO BE A CCIE

Donate to the Cause

My aim is to create materials for free and possibly a free lab. If you wish to help out, please send any amount. Thanks.

Join my Bandwagon

Blogs that I Read