Implementing Parser Views
To restrict users without having to create custom privilege levels, you can use a parser view, also referred to as simply a view. A view can be created with a subset of privilege level 15 commands, and when the user logs in using this view, that same user is restricted to only being able to use the commands that are part of his current view.
To create a view, an enable secret password must first be configured on the router. AAA must also be enabled on the router (aaa new-model command).
Example 11-7 shows the creation of a view.
Example 11-7 Creating and Working with Parser Views
! Set the enable secret, and enable aaa new-model (unless already in
! place)
R2(config)# enable secret aBc!2#&iU
R2(config)# aaa new-model
R2(config)# end
! Begin the view creation process by entering the "default" view, using the
! enable secret
R2# enable view
Password: [aBc!2#&iU] note password not shown when typed
R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R2# configure terminal
! As the administrator in the root view, create a new custom view
R2(config)# parser view New_VIEW
%PARSER-6-VIEW_CREATED: view 'New_VIEW' successfully created.
! Set the password required to enter this new view
R2(config-view)# secret New_VIEW_PW
! Specify which commands you want to include as part of this view.
! commands "exec" refer to commands issued from the command prompt
! commands "configure" refer to commands issued from privileged mode
R2(config-view)# commands exec include ping
R2(config-view)# commands exec include all show
R2(config-view)# commands exec include configure
! This next line adds the ability to configure "access-lists" but nothing
! else
R2(config-view)# commands configure include access-list
R2(config-view)# exit
R2(config)# exit
! Test the view, by going to user mode, and then back in using the new view
R2# disable
R2>enable view New_VIEW
Password: [New_VIEW_PW] Password not shown when typed in
! Console message tells us that we are using the view
%PARSER-6-VIEW_SWITCH: successfully set to view 'New_VIEW'.
! This command reports what view we are currently using
R2# show parser view
Current view is 'New_VIEW'
! We can verify that the commands assigned to the view work
! Note: we only assigned configure, not configure terminal so we have to
! use the configure command, and then tell the router we are configuring
! from the terminal. We could have assigned the view "configure terminal"
! to avoid this
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! Notice that the only configuration options we have are for access-list,
! per the view
R2(config)# ?
Configure commands:
access-list Add an access list entry
do To run exec commands in config mode
exit Exit from configure mode
We could also assign this view to a user account, so that when users log in with their username and password, they are automatically placed into their view, as shown in Example 11-8.
Example 11-8 Associating a User Account with a Parser View
R2(config)# username Lois view New_VIEW secret cisco123
Note
This creation of a username and assigning that user to a view needs to be done by someone who is at privilege level 15.