Restrict users to execute command no ip vrf

alihashmi43
Level 1

Hello,

How can I restrict all users from executing the 'no ip vrf' command on a Cisco 7206 router? Below is the configuration for reference:

 

R1(config-if)#ip vrf jaylink
R1(config-vrf)#no ip vrf jaylink


balaji.bandi
Hall of Fame

You need to create role-based access with limited commands; best is to use TACACS / RADIUS.

 

Do you have one, or is the user local?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It's a local user.

If the user is local, you need to add manually which commands the user is given access to. Look at the example (this is for IOS XE; similar commands should work for IOS):

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-role-base-cli.html

 

BB


@balaji.bandi On a side note, the document you linked does not fully work the same on older IOS routers. E.g. the secret password for the parser view cannot be encrypted...

Agreed... It's been a while since I used a VXR, more than 10 years I guess. (Thanks for the heads up; that is the reason I mentioned the note that similar commands "may work" on IOS (missed that on the post).)

BB


Hello,

 

here is a configuration example:

 

Let's say you want a user with username 'security' to not be able to execute the 'ip vrf' or 'no ip vrf' commands (you can tweak this in whichever way you want). First you have to go into the root view and create the new view (also named 'security' for the sake of simplicity):

 

R1#enable view
Password: enable_secret
R1#conf t
R1(config)#parser view security
R1(config-view)#secret password
R1(config-view)#commands configure include all interface
R1(config-view)#commands configure exclude ip vrf
R1(config-view)#commands configure include all ip
R1(config-view)#commands exec include all configure terminal

 

The user can now execute all 'configure terminal' and subsequent 'ip' and 'interface' commands (add more depending on what that user needs). All 'ip vrf' commands are blocked.

 

Here is what the entire configuration would look like:

 

R1

 

hostname R1
!
enable secret 5 $1$wHIN$LLnMPn6NJri7/NIf20eLI1
!
aaa new-model
!
aaa authentication login default local
!
username cisco privilege 15 password 0 cisco
username root privilege 15 view root password 0 cisco
username security view security password 0 cisco
!
parser view security
secret 5 $1$jwYr$0UigFzC8bU8EWrhBZcI0M1
commands configure include all interface
commands configure exclude ip vrf
commands configure include all ip
commands exec include all configure terminal
!
line vty 0 4
login authentication default

 

 

Hello,
You can use privilege levels to control a user's CLI, or you can use RBCLI if applicable, which can be more definitive. Given you mention a 7206 router, I am assuming it supports both features, and the options are numerous.

Two basic examples below:

Basic local AAA
username ROOT privilege 15 algorithm-type scrypt secret xxxxxx
username RBCLIuser algorithm-type scrypt secret xxxxxx
username PRIVuser privilege 5 algorithm-type scrypt secret xxxxxx
password encryption aes

aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console

 

RBCLI
parser view RBCLI
secret xxxxxx
commands configure include interface
commands configure include ip
commands configure exclude vrf

commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show version
commands exec include show running-config
commands exec include show
commands exec include logout
commands configure include interface GigabitEthernet0/0

commands interface include shutdown
commands interface include ip address
commands interface include ip

 

Log on using RBCLIuser, enter the password, then:
enable view RBCLI
<enter parser view password>


Privilege cli
privilege exec level 15 ssh
privilege exec level 15 telnet
privilege exec level 15 reload
privilege configure level 15 ip
privilege configure level 15 vrf
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege configure level 5 interface
privilege configure level 5 interface no shutdown

Log on using PRIVuser and enter the password
(the user will then be in its assigned privilege level)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul