2012-08-17 14:48:56

Privilege

On Cisco IOS devices, user access is divided into privilege levels 0 through 15, sixteen in all. Levels 0 and 15 are predefined by the system: by default a user lands in user EXEC mode at level 1, and `enable` moves it to privileged EXEC mode at level 15. Level 0 is also predefined and carries only disable, enable, exit, help and logout. Levels 1 through 14 are available for custom definitions. The level numbers themselves carry no meaning beyond their ordering: they are simply fourteen slots, and, as shown below, a higher number inherits everything assigned to a lower one.

The `privilege` command adds an authorized IOS command to a custom level, one command per invocation, so a single level usually needs several `privilege` commands. `enable secret level <n>` sets the password for that level.

An example:

Suppose level 3 users should be able to set an interface IP address, but not change anything else.

Configuration:

R1(config)#privilege exec level 3 configure terminal   //allow conf t in privileged EXEC mode
R1(config)#privilege configure level 3 interface   //allow the interface command in global configuration mode
R1(config)#privilege interface level 3 ip address   //allow the ip address command in interface configuration mode
R1(config)#privilege interface level 3 no shutdown   //allow the no shutdown command in interface configuration mode
R1(config)#enable secret level 3 333   //set the password for level 3

All four `privilege` commands above are required; leave any one out and the user cannot assign an address and bring the interface up. IOS also records a line for every parent keyword (ip for ip address, no for no shutdown), which is why the running configuration lists more lines than were typed.

show running-config now shows:

privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege interface level 3 no shutdown
privilege interface level 3 no ip address
privilege interface level 3 no ip
privilege interface level 3 no
privilege configure level 3 interface

Enter level 3:

R1>enable 3
Password:
R1#sh privilege
Current privilege level is 3

To reach level 15, just type `enable` with no argument: without a level argument, enable defaults to level 15.

privilege has the following limitations:

1. A higher level automatically inherits every command of the lower levels. Having given level 3 the ability to configure an interface IP address, levels 4 through 14 can do the same:

R1>enable 4
R1#sh privilege
Current privilege level is 4
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int
R1(config)#interface f0/1
R1(config-if)#ip address 2.2.2.2 255.255.255.0
R1(config-if)#no sh

 

2. It cannot enforce fine-grained control. If level 2 users should be able to run only `show ip route` and nothing else, privilege cannot express that: assigning `show ip route` to level 2 does not take away the level 0 and level 1 commands that level 2 inherits.

3. Each IOS command can belong to only one privilege level:

privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege interface level 3 no shutdown
privilege interface level 3 no ip address
privilege interface level 3 no ip
privilege interface level 3 no
privilege configure level 3 interface
privilege exec level 4 configure terminal
privilege exec level 4 configure

Here a level 4 assignment has been added; the last two lines give level 4 access to global configuration mode. At the same time the command is automatically removed from level 3, so level 3 can no longer enter global configuration mode and therefore cannot configure an interface IP address.
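The three limitations above can be checked against a small model instead of a lab router. The following Python is an added example, not the post's configuration and not Cisco code: it models the privilege table the way IOS behaves in the transcripts above (a higher level inherits lower ones, each command has exactly one owning level, parent keywords are written to the running configuration), replays the post's level 3 and level 4 commands, and reports which levels can still run configure terminal after the move. The default command table and the assumption that every unlisted command is a level 15 command are mine.

```python
"""Toy model of Cisco IOS privilege-level semantics.

Added example (not Cisco code) that reproduces the three rules the post
demonstrates with 'show running-config', 'enable 3' and 'enable 4':
  1. a higher level inherits every command assigned to a lower level;
  2. a command belongs to exactly one level, so re-assigning it moves it;
  3. assigning a multi-word command also exposes its parent keywords, and a
     parent keyword that exists only because of its children moves with them.
Assumptions (mine): commands are matched on full, unabbreviated keywords,
and anything not listed below is a level-15 command by default.
"""

# Constructed approximation of the IOS defaults: level 0 owns the five
# built-in commands, level 1 a few user-EXEC commands, everything else is 15.
DEFAULT_LEVELS = {
    ("exec", "disable"): 0, ("exec", "enable"): 0, ("exec", "exit"): 0,
    ("exec", "help"): 0, ("exec", "logout"): 0,
    ("exec", "show version"): 1, ("exec", "show ip route"): 1, ("exec", "ping"): 1,
}


class PrivilegeTable:
    """Maps (parser mode, full command) to the level that owns it."""

    def __init__(self, defaults=DEFAULT_LEVELS):
        self.levels = dict(defaults)
        self.explicit = set()   # commands set with 'privilege'; these reach the running config

    def assign(self, mode, level, command):
        """privilege <mode> level <level> <command> (rule 2: the command moves)."""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels are 0-15")
        key = (mode, " ".join(command.split()))
        self.levels[key] = level
        self.explicit.add(key)

    def keyword_level(self, mode, prefix):
        """Rule 3: a keyword path is reachable at the lowest level of any command under it."""
        words = prefix.split()
        owners = [lvl for (m, cmd), lvl in self.levels.items()
                  if m == mode and cmd.split()[:len(words)] == words]
        return min(owners, default=15)

    def can_run(self, level, mode, command):
        """Rule 1: level N may run every command owned by level N or lower."""
        return self.keyword_level(mode, command) <= level

    def running_config(self):
        """The expanded 'privilege ...' lines IOS writes: one per keyword prefix,
        so 'ip address' also yields an 'ip' line, as in the post's show run."""
        lines = set()
        for mode, cmd in self.explicit:
            words = cmd.split()
            for i in range(1, len(words) + 1):
                prefix = " ".join(words[:i])
                lines.add(f"privilege {mode} level {self.keyword_level(mode, prefix)} {prefix}")
        return sorted(lines)


def post_scenario():
    """Replays the post: four commands for level 3, then 'configure terminal'
    re-assigned to level 4, which silently strips it from level 3."""
    t = PrivilegeTable()
    t.assign("exec", 3, "configure terminal")
    t.assign("configure", 3, "interface")
    t.assign("interface", 3, "ip address")
    t.assign("interface", 3, "no shutdown")
    conf_t = ("exec", "configure terminal")
    before = {lvl: t.can_run(lvl, *conf_t) for lvl in (2, 3, 4)}
    t.assign("exec", 4, "configure terminal")   # limitation 3: the command moves to level 4
    after = {lvl: t.can_run(lvl, *conf_t) for lvl in (2, 3, 4)}
    return t, before, after


def limitation_two():
    """Limitation 2: giving level 2 'show ip route' does not take away the
    level 0/1 commands it inherits, so 'only show ip route' is not expressible."""
    t = PrivilegeTable()
    t.assign("exec", 2, "show ip route")
    return {
        "level1_show_ip_route": t.can_run(1, "exec", "show ip route"),   # moved away from level 1
        "level2_show_ip_route": t.can_run(2, "exec", "show ip route"),
        "level2_ping": t.can_run(2, "exec", "ping"),                     # still inherited
    }


if __name__ == "__main__":
    table, before, after = post_scenario()
    print("configure terminal before/after the move:", before, after)
    print("\n".join(table.running_config()))
    print(limitation_two())
```

The running_config() output of post_scenario() reproduces the listing in the post: the interface lines stay at level 3 while both configure lines now read level 4.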

Because of these shortcomings, Cisco introduced the role-based CLI.

View

The role-based CLI is built from views; each view holds a list of IOS commands. Unlike privilege levels, a command may appear in several views, several views can be combined into a superview, and the commands in a view can be specified more precisely than a privilege level allows.

Views can only be created from the root view; not even privilege 15 can create a view, and that is the only difference between the root view and privilege 15. To use views, `aaa new-model` must be enabled first; otherwise the system responds:

R1>ena view   //enable view enters the root view; append a view name (enable view NAME) to enter another view
% AAA must be configured.

After enabling aaa new-model from privilege 15, enter the root view again:

R1>en view
Password:
% Authentication failed

Password authentication is now demanded, and the password is the privilege 15 enable secret; a privilege 15 enable secret must therefore be set, or the root view still cannot be entered. (Whether a password is demanded depends on the IOS version; some versions enter the root view without one.)

On success the following message appears:

*Mar 1 01:08:31.031: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

show privilege now reports:

R1#sh privilege
Currently in View Context with view 'root'    //the current mode is the root view

Once in the root view, views can be created.

An example using views:

Suppose view A may configure the IP addresses of F0/0 and S1/0 and may only use `show ip interface` to check interface status. View B may configure the IP addresses of F0/0, S1/0 and S1/1, configure routing processes, and may only use `show ip route` and `show ip interface` for verification.

Configuration:

parser view A   //creates view A and enters view configuration mode
secret 5 $1$e1by$0mA5eKveuLHQmopqJb/HS0
commands interface include shutdown
commands interface include ip address
commands interface include ip
commands interface include no shutdown
commands interface include no ip address
commands interface include no ip
commands interface include no
commands configure include interface
commands configure include no interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show
commands configure include interface FastEthernet0/0
commands configure include interface Serial1/0

parser view B
secret 5 $1$8FIO$kI2FO3e59aHRs7qAsFo2o0
commands router include network
commands interface include shutdown
commands interface include ip address
commands interface include ip
commands interface include no shutdown
commands interface include no ip address
commands interface include no ip
commands interface include no
commands configure include router
commands configure include interface
commands configure include no router
commands configure include no interface
commands configure include no
commands exec include configure terminal
commands exec include configure
commands exec include show ip route
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show
commands configure include interface FastEthernet0/0
commands configure include interface Serial1/0
commands configure include interface Serial1/1

Enter view A (enable view A) to verify the configuration:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 100.100.100.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip add 111.111.11.111 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int s1/1
                        ^
% Invalid input detected at '^' marker.

R1(config)#router eigrp
                  ^
% Invalid input detected at '^' marker.

R1(config)#exit
R1#
*Mar 1 00:35:33.483: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            100.100.100.1   YES manual up                    up     
FastEthernet0/1            unassigned      YES unset administratively down down   
Serial1/0                  111.111.11.111 YES manual up                    up     
Serial1/1                  192.168.1.1     YES manual up                    down   
Serial1/2                  unassigned      YES unset administratively down down   
Serial1/3                  unassigned      YES unset administratively down down   
R1#sh ip route
              ^
% Invalid input detected at '^' marker.

R1#sh ip ?
interface IP interface status and configuration

R1#sh ?
flash: display information about flash: file system
ip      IP information
parser Display parser information
slot0: display information about slot0: file system
slot1: display information about slot1: file system

So A has exactly the permissions it was given.

Now enter view B to verify it:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int s1/0
R1(config-if)#ip add 10.2.2.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int s1/1
R1(config-if)#ip add 10.3.3.3 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/1
                           ^
% Invalid input detected at '^' marker.

R1(config)#router ?
bgp       Border Gateway Protocol (BGP)
eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
isis      ISO IS-IS
iso-igrp IGRP for OSI networks
mobile    Mobile routes
odr       On Demand stub Routes
ospf      Open Shortest Path First (OSPF)
rip       Routing Information Protocol (RIP)

R1(config)#router eigrp 100
R1(config-router)#net 0.0.0.0 255.255.255.255
R1(config-router)#exit
R1(config)#exit
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, Serial1/0
C       10.1.1.0 is directly connected, FastEthernet0/0
R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up     
FastEthernet0/1            unassigned      YES unset administratively down down   
Serial1/0                  10.2.2.2        YES manual up                    up     
Serial1/1                  10.3.3.3        YES manual up                    down   
Serial1/2                  unassigned      YES unset administratively down down   
Serial1/3                  unassigned      YES unset administratively down down   
R1#sh ip ?
interface IP interface status and configuration
route      IP routing table

R1#sh ?
flash: display information about flash: file system
ip      IP information
parser Display parser information
slot0: display information about slot0: file system
slot1: display information about slot1: file system
So B also has exactly its assigned permissions.
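The two verification sessions above can be replayed against a model of the views instead of the router. The Python below is an added example, not the post's configuration and not Cisco code: it models a parser view as a set of included command paths plus a set of permitted interfaces, answers each typed command with ok or the IOS error line, reproduces the `sh ip ?` output for A and B, and adds a superview, which the post mentions but does not configure (in IOS a superview is created with parser view NAME superview followed by one view A style line per member view). The session list is constructed from the view A transcript; the assumptions in the docstring are mine.

```python
"""Toy model of Cisco IOS role-based CLI views (parser view / superview).

Added example, not Cisco code. It reproduces what the post verifies by hand:
a view answers '% Invalid input' to everything except the command paths that
were included, '?' lists only the permitted next keywords, and view B is a
strict superset of view A. A superview permits the union of its member views.
Assumptions (mine): commands are unabbreviated; the model is fed only the
lines an operator types, not the parent-keyword lines IOS adds to the running
config; built-in extras such as 'show parser' are not modelled; an include of
'interface <name>' is matched by interface name, as on the device.
"""
from dataclasses import dataclass, field

INVALID = "% Invalid input detected at '^' marker."


@dataclass
class View:
    name: str
    # (parser mode, command path) from 'commands <mode> include <command>'
    paths: set = field(default_factory=set)
    # interface names from 'commands configure include interface <name>';
    # empty means 'interface' was included without a name, i.e. any interface
    interfaces: set = field(default_factory=set)

    def include(self, mode, command):
        words = tuple(command.split())
        if mode == "configure" and words[0] == "interface" and len(words) == 2:
            self.interfaces.add(words[1])
            words = ("interface",)   # keyword becomes navigable; the name is checked in permits()
        self.paths.add((mode, words))
        return self

    def permits(self, mode, command):
        words = tuple(command.split())
        if mode == "configure" and words[:1] == ("interface",):
            if ("configure", ("interface",)) not in self.paths or len(words) != 2:
                return False
            return not self.interfaces or words[1] in self.interfaces
        # any included path that is a prefix of the typed words; the rest are arguments
        return any(m == mode and words[:len(p)] == p for m, p in self.paths)

    def help(self, mode, prefix=""):
        """What '<prefix> ?' lists in this view: the next keyword of every permitted path."""
        words = tuple(prefix.split())
        nxt = {p[len(words)] for m, p in self.paths
               if m == mode and p[:len(words)] == words and len(p) > len(words)}
        if mode == "configure" and words == ("interface",):
            nxt |= self.interfaces
        return sorted(nxt)


@dataclass
class Superview:
    name: str
    views: list

    def permits(self, mode, command):
        return any(v.permits(mode, command) for v in self.views)

    def help(self, mode, prefix=""):
        return sorted(set().union(*(v.help(mode, prefix) for v in self.views)))


def replay(view, session):
    """Run a constructed session [(mode, command), ...] through a view and
    return the device's answer per line: 'ok' or the IOS error text."""
    return ["ok" if view.permits(m, c) else INVALID for m, c in session]


def build_views():
    """View A and view B as the post describes them."""
    a = View("A")
    for cmd in ("ip address", "no ip address", "shutdown", "no shutdown"):
        a.include("interface", cmd)
    a.include("configure", "interface FastEthernet0/0").include("configure", "interface Serial1/0")
    a.include("exec", "configure terminal").include("exec", "show ip interface")
    b = View("B", set(a.paths), set(a.interfaces))   # copy as a shortcut; IOS views do not inherit
    b.include("configure", "interface Serial1/1").include("configure", "router")
    b.include("router", "network").include("exec", "show ip route")
    return a, b


# Constructed replay of the post's view A session
SESSION_A = [
    ("exec", "configure terminal"),
    ("configure", "interface FastEthernet0/0"),
    ("interface", "ip address 100.100.100.1 255.255.255.0"),
    ("interface", "no shutdown"),
    ("configure", "interface Serial1/1"),   # rejected: S1/1 is not in view A
    ("configure", "router eigrp"),          # rejected: 'router' is not in view A
    ("exec", "show ip interface brief"),
    ("exec", "show ip route"),              # rejected
]

if __name__ == "__main__":
    a, b = build_views()
    for (mode, cmd), answer in zip(SESSION_A, replay(a, SESSION_A)):
        print(f"[{a.name}:{mode}] {cmd} -> {answer}")
    print("A: show ip ?", a.help("exec", "show ip"))
    print("B: show ip ?", b.help("exec", "show ip"))
    print("AB: ? in configure mode", Superview("AB", [a, b]).help("configure"))
```

Running it prints ok for the four interface commands, the IOS error for S1/1, router eigrp and show ip route, and the same keyword lists the post's `sh ip ?` produced in A (interface) and B (interface, route).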

These examples show that views are more flexible and give finer control than privilege levels.

Either way, it is tedious: even a simple requirement takes a large number of commands. For the sake of security, though, the effort is worth it.





