Views and what they can provide for you.


This small post will be about a little feature called “views”.

This feature is used to create a sort of profile that allows a certain user to do only certain things. As you might know, the only way to do this previously was to use the privilege level command, which assigns a given command to a particular privilege level. This is very cumbersome to maintain, especially if you work in a large enterprise environment or at a service provider.

I will use an example of such a scenario to demonstrate the goal of the view feature. First off, a very small topology to ease our life a bit when trying out different commands:

[Figure: View Topology]

First off, a small config snippet on R1 to allow telnet from R2:

R1(config-if)#line vty 0 4
R1(config-line)#pass cisco
R1(config-line)#login
R1(config-line)#

Check that it works before we start anything:

R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
User Access Verification
Password:
R1>

Okay, great! We have a working telnet session.

Scenario:

Let's imagine that we work in an enterprise with multiple network folks around. Some of them are senior engineers, others are junior engineers. We might have a company policy that states that junior engineers are only allowed to log in, view a router's interface status, view the local logging buffer and bounce the interfaces. Nothing else, nothing more.

Back in the day, you would have to create a set of rules governing your policy regarding which privilege level you wanted certain commands in. Administratively this is a nightmare.

Let's accomplish the above criteria using views!

First off, AAA is required in order to use views, so let's enable it:

R1(config)#aaa new-model

Secondly, you need an enable password:

R1(config)#enable secret blah

Then you enable the root view using the enable password:

R1#enable view root
Password:
R1#

Now we can issue commands to the parser. Let's create a new profile:

R1(config)#parser view Junior
R1(config-view)#
*Mar  1 00:15:20.415: %PARSER-6-VIEW_CREATED: view ‘Junior’ successfully created.

So, we created the Junior view. Let's assign a password to enter this new view:

R1(config-view)#secret imajunior

Great. Now let's see what the effect is if we telnet into R1 from R2:

R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
User Access Verification
Username:

Oops! Remember that we enabled AAA on R1. This means that we must now have a username/password combination. Let's fix this on R1:

R1(config-line)#
R1(config-line)#username jeng secret Weee

Let's try R2 again 🙂 :

R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
User Access Verification
Username: jeng
Password:
R1>

Cool. We are onto the router. Now this is where the views come into play:

R1>ena view Junior
Password:

Now we are logged into the router with the view Junior. Let's see what commands are available to us:

R1#?
Exec commands:
<1-99>      Session number to resume
credential  load the credential info from file system
enable      Turn on privileged commands
exit        Exit from the EXEC
show        Show running system information

Not a whole lot 🙂

Let's add some functionality so the junior engineer can actually get some work done:

R1(config)#parser view Junior
R1(config-view)#commands exec include show interfaces

What this means is that from the exec prompt, the command “show interfaces” is allowed.

Let's try again from R2:

R1#show interfaces
FastEthernet0/0 is administratively down, line protocol is down
Hardware is Gt96k FE, address is c200.0ed4.0000 (bia c200.0ed4.0000)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00

Great! That was one of our objectives. Now for the remaining two (show local logging and bounce interfaces):

R1(config-view)#commands exec include show logging
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no shutdown
R1(config-view)#commands configure include interface s0/0

Next, include the command “show logging” from the exec prompt, and allow “configure terminal”, again from the exec prompt. From the configure prompt we need the interface command, which takes two lines: one for “interface” by itself, and one naming the specific interface (here s0/0) under which the view is allowed to enter commands. At the interface level, we include both the shutdown and the no shutdown command.

And now, let's verify it:

R1#sh logging
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0/0
R1(config-if)#?
Interface configuration commands:
exit      Exit from interface configuration mode
no        Negate a command or set its defaults
shutdown  Shutdown the selected interface
R1(config-if)#

Great! That's it. We can now create any username/password combination and tell the junior engineer to use the view Junior to be able to do the tasks at hand.
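Once a few views exist, the thing worth checking is that each view still grants only what the policy says. Below is an added example (not from the original post, and not a Cisco tool) that parses the `parser view` stanzas as they appear in running-config text and compares each view's `commands` lines against a per-role allowlist. The config text, the hash placeholders, the policy table and the second view named Helpdesk are all constructed for this example; the Junior stanza mirrors the commands configured above.

```python
"""Audit IOS 'parser view' stanzas against a command policy (added example)."""
import re
from collections import defaultdict

# Constructed sample of what 'show running-config' might show after the
# configuration above, plus a hypothetical Helpdesk view with an over-broad
# grant. Hashes are placeholders; line order inside a stanza is not meaningful.
SAMPLE_CONFIG = """\
!
aaa new-model
!
username jeng secret 5 $1$xxxx$PLACEHOLDERHASH
!
parser view Junior
 secret 5 $1$yyyy$PLACEHOLDERHASH
 commands configure include interface s0/0
 commands configure include interface
 commands interface include no shutdown
 commands interface include shutdown
 commands exec include configure terminal
 commands exec include show logging
 commands exec include show interfaces
!
parser view Helpdesk
 secret 5 $1$zzzz$PLACEHOLDERHASH
 commands exec include-exclusive configure terminal
 commands configure include all interface
 commands exec include show interfaces
!
line vty 0 4
 login
!
"""

# Policy (an assumption for this example): what the junior role may hold, by
# parser mode. 'configure terminal' and 'interface' are listed because they
# are the path to interface mode, where shutdown / no shutdown live.
JUNIOR_POLICY = {
    "exec": {"show interfaces", "show logging", "configure terminal"},
    "configure": {"interface", "interface s0/0"},
    "interface": {"shutdown", "no shutdown"},
}

VIEW_RE = re.compile(r"^parser view (\S+)\s*$")
CMD_RE = re.compile(
    r"^\s+commands (\S+) (include-exclusive|include|exclude)( all)? (.+?)\s*$"
)


def parse_views(config_text):
    """Return {view: {mode: [(verb, all_flag, command), ...]}}."""
    views = {}
    current = None
    for line in config_text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views[current] = defaultdict(list)
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # '!' or the next global command ends the stanza
            continue
        m = CMD_RE.match(line)
        if m:
            mode, verb, all_flag, command = m.groups()
            views[current][mode].append((verb, all_flag is not None, command))
    return {name: dict(modes) for name, modes in views.items()}


def audit_view(view_cmds, policy):
    """Return findings for one view; an empty list means it matches the policy."""
    findings = []
    for mode, entries in view_cmds.items():
        allowed = policy.get(mode, set())
        for verb, all_flag, command in entries:
            if verb == "exclude":
                continue  # an exclude line never widens the view
            if all_flag:
                findings.append(f"{mode}: 'include all {command}' grants a whole command subtree")
            elif command not in allowed:
                findings.append(f"{mode}: '{command}' is not in the policy")
            if verb == "include-exclusive":
                findings.append(f"{mode}: '{command}' is include-exclusive (reserved to this view)")
    return findings


if __name__ == "__main__":
    for name, cmds in parse_views(SAMPLE_CONFIG).items():
        result = audit_view(cmds, JUNIOR_POLICY)
        print(name, "OK" if not result else result)
```

Run against the sample, the Junior view comes back clean and the Helpdesk view produces two findings: the `include all interface` line, which opens every interface rather than one, and the `include-exclusive` grant, which is worth knowing about because it changes what other views can see. Feed it the output of `show running-config` taken from a real device to audit views you did not write yourself.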

Please note that this is, in my opinion, a pretty buggy feature at times. For some commands you must log out and back in again, and for others you don't need to. It seems inconsistent sometimes, so use with care.

Hope that sheds some light on the View feature. Take care!