Wednesday, January 16, 2013

How to: Role Based Access Control (RBAC)

How to limit access to the Cisco command line for a group of users using enable views.

This demo grants limited access to a Cisco router for troubleshooting only. The user will be unable to view the current running config; only troubleshooting commands will be available.

macedonia_rt1#configure terminal
macedonia_rt1(config)#enable secret cisco
macedonia_rt1(config)#aaa new-model
macedonia_rt1(config)#exit
macedonia_rt1#

! Enter the root view
macedonia_rt1#enable view
Password:cisco

! Create a new view
macedonia_rt1#configure terminal
macedonia_rt1(config)#parser view Troubleshooting
macedonia_rt1(config-view)#secret TroubleshootingSecret
macedonia_rt1(config-view)#command exec include all show ip
macedonia_rt1(config-view)#command exec include show version
macedonia_rt1(config-view)#command exec include show
macedonia_rt1(config-view)#command exec include logout
macedonia_rt1(config-view)#end
macedonia_rt1#disable

! Enter the Troubleshooting view
macedonia_rt1>enable view Troubleshooting
Password:[TroubleshootingSecret]

! Available commands
show ip interface brief
show version
logout

! Unavailable commands
sh run

macedonia_rt1#

How to Configure DHCP snooping without using DHCP option 82


Network Diagram

RT1:

interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-20
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 spanning-tree link-type point-to-point
 spanning-tree guard root

interface GigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-20
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 spanning-tree link-type point-to-point
 spanning-tree guard root

SW1

(config)#
no ip dhcp snooping information option   # Disable option 82
ip dhcp snooping vlan 11                 # Define VLAN for DHCP snooping
ip dhcp snooping                         # Enable DHCP snooping on the switch

interface GigabitEthernet0/46
 description uplink toward rt1
 switchport mode trunk
 ip dhcp snooping trust                  # Define trusted port

interface GigabitEthernet0/48
 description uplink toward sw1
 switchport mode trunk
 ip dhcp snooping trust                  # Define trusted port

interface GigabitEthernet0/1
 description Access port Client
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping limit rate 10          # Rate limit DHCP messages

SW2

(config)#
no ip dhcp snooping information option   # Disable option 82
ip dhcp snooping vlan 11                 # Define VLAN for DHCP snooping
ip dhcp snooping                         # Enable DHCP snooping on the switch

interface GigabitEthernet0/46
 description uplink toward rt1
 switchport mode trunk
 ip dhcp snooping trust                  # Define trusted port

interface GigabitEthernet0/48
 description uplink toward sw1
 switchport mode trunk
 ip dhcp snooping trust                  # Define trusted port

Verify

#sh ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:0A:94:FD:01   10.10.1.20       687184      dhcp-snooping   11    GigabitEthernet0/1

Total number of bindings: 1

#show ip dhcp snooping statistics

 Packets Forwarded                                     = 253
 Packets Dropped                                       = 6    # dropped packets from rogue DHCP server
 Packets Dropped From untrusted ports                  = 0




Debug:
debug ip dhcp snooping events
debug ip dhcp packets
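As an added example that is not part of the original post, the following Python script parses the two verification outputs from the Verify section above and compares the drop counter between two snapshots; the sample output it contains is constructed from the lines shown on this page, with the inline annotations removed as a real switch prints it.

```python
import re

# Constructed sample output, modelled on the 'show ip dhcp snooping' output
# shown in the Verify section (annotations removed, as a real switch prints it).
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:0A:94:FD:01   10.10.1.20       687184      dhcp-snooping   11    GigabitEthernet0/1
Total number of bindings: 1
"""
STATS_BEFORE = """\
 Packets Forwarded                                     = 253
 Packets Dropped                                       = 6
 Packets Dropped From untrusted ports                  = 0
"""
# Second snapshot (constructed), taken later while a rogue server was answering.
STATS_AFTER = STATS_BEFORE.replace("= 253", "= 310").replace("= 6", "= 14")

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_bindings(output):
    """One dict per binding row; header, separator and 'Total' lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            rows.append({"mac": mac, "ip": ip, "lease": int(lease),
                         "type": kind, "vlan": int(vlan), "interface": iface})
    return rows

def parse_stats(output):
    """Map each 'Counter name = value' line of the statistics output to an int."""
    stats = {}
    for line in output.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            stats[name.strip()] = int(value.strip())
    return stats

def dropped_delta(before, after):
    """Growth of the 'Packets Dropped' counter between two snapshots; the page
    attributes these drops to a rogue DHCP server, so a growing delta is the signal."""
    return after["Packets Dropped"] - before["Packets Dropped"]

def off_vlan_bindings(bindings, snooped_vlan):
    """Bindings learned on a VLAN other than the one DHCP snooping was enabled on."""
    return [b for b in bindings if b["vlan"] != snooped_vlan]
```

Polling the statistics command on a schedule and feeding successive outputs to dropped_delta gives a simple alert for a rogue DHCP server appearing after snooping is in place.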