by Edgar C Francis
What is RBAC Role Based Access Control? | What are RBAC Views? | What is the Concept behind Role Based Access Control? | How to configure RBAC on gns3?
What is Role-Based Access Control?
RBAC (Role-Based Access Control) is also known as role-based security.
RBAC assigns access permissions to users according to their role in IT. Only the admin has
complete access to the network; the other network engineers do not need full
access, and some of them just need to monitor and cross-check the configuration with
show commands. The admin defines what each user can access according to the user's role.
Why do we need RBAC?
RBAC reduces cybersecurity risk and protects against human error: it
ensures that the users an admin defines can only access the information and perform the actions
they need for their role. RBAC is well suited to large organizations.
What is the Concept behind Role Based Access Control?
The admin creates a set of permissions and assigns those permissions to
a user. For example, user-1 is a junior L-1 engineer whose role is just to
monitor interface state. The admin allows user-1 only the show ip
interface brief command, so user-1 can run show ip interface
brief but not show ip route, and cannot configure or delete anything on the
device. The security level has now increased because only the admin can
configure and delete the configuration.
What are RBAC Views?
The admin creates views, and a view defines the commands that a user
can access. There are mainly two types of view. The root view is the admin view in which
you configure the other views. A superview is a view to which
the admin assigns multiple views (users); a superview can access
all the commands that the admin has configured in its member views. Remember that those views must be
added to the superview.
(Configure the password before configuring any view; otherwise you
can lock yourself out.)
Configure Telnet and ensure the computer in our LAN network can access the router.
Configure the root view with password admin and username admin.
Configure parser view user1, with password user1, and allow only the ping and show ip int br commands.
Configure parser view user2 and allow only the show ip int br, show ip route, show ip protocol and trace commands.
Configure the superview and add user1 and user2 to it.
Ensure the computer can access all views.
Router-one-(config)#int fa 0/0
Router-one-(config-if)#ip add 192.168.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit
Router-one-(config)#int fa 1/0
Router-one-(config-if)#ip address 10.1.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit
Router-one-(config)#int fa 1/1
Router-one-(config-if)#ip address 192.168.2.1 255.255.255.0
Router-one-(config-if)#no shut
Router-one-(config-if)#exit
*Feb 1 22:20:42.979: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb 1 22:20:43.059: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb 1 22:20:43.099: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Telnet to the router and ensure the computer in our LAN network can access it.
%PARSER-6-VIEW_SWITCH: successfully set to view 'user1'.
Router-one-#show parser view
Current view is 'user1'
Router-one-#show ip route
^
% Invalid input detected at '^' marker.
Router-one-#traceroute 192.168.1.2
^
% Invalid input detected at '^' marker.
(From the above you see that user-1 is not able to run the show ip route and traceroute commands, because the admin allowed user-1 only two commands: show ip int br and ping.)
Router-one-#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet1/1 192.168.2.1 YES manual up up
Router-one-#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/37/56 ms
Configure parser view user2 and allow only the show ip int br, show ip route, show ip protocol and trace commands.
Router-one-(config)#parser view user2
Router-one-(config-view)#secret user2
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include show ip route
Router-one-(config-view)#command exec include show ip protocol
Router-one-(config-view)#command exec include traceroute
Router-one-(config-view)#command exec include ping
Router-one-#show ip route
^
% Invalid input detected at '^' marker.
Router-one-#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet1/1 192.168.2.1 YES manual up up
(user-1 is allowed only two commands, ping and show ip int br)
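To make the view and superview semantics described above concrete, here is an added example (not from the original post) that models the lab policy: each view is a set of permitted exec command prefixes, a superview is the union of its member views, and is_permitted() reproduces the allow/deny results seen in the transcripts. The superview name "superuser" is an assumption, and the include patterns are stored in their expanded IOS form.

```python
"""Model of Cisco IOS parser views and superviews as used in this lab.
Added example, not the post's own code: views map to allowed exec command
prefixes, a superview is the union of its member views, and is_permitted()
answers whether a view may run a given command line."""

# Constructed lab policy mirroring the post: user1 gets ping and
# "show ip int br"; user2 gets the show/trace commands from the later step.
VIEWS = {
    "user1": ["show ip interface brief", "ping"],
    "user2": ["show ip interface brief", "show ip route",
              "show ip protocols", "traceroute"],
}
SUPERVIEWS = {"superuser": ["user1", "user2"]}   # superview name is an assumption


def allowed_commands(view):
    """Resolve a view or superview to the set of permitted command prefixes."""
    if view in SUPERVIEWS:
        return {cmd for member in SUPERVIEWS[view] for cmd in VIEWS[member]}
    return set(VIEWS.get(view, []))


def _matches(pattern, command):
    """IOS-style prefix match: each typed word must abbreviate the pattern word
    (so 'sh ip int br' matches 'show ip interface brief'), and the typed
    command may carry extra arguments such as a ping target."""
    pw, cw = pattern.split(), command.split()
    if len(cw) < len(pw):
        return False
    return all(p.startswith(c) for p, c in zip(pw, cw))


def is_permitted(view, command):
    """True when the view (or superview) includes a prefix covering command."""
    return any(_matches(p, command) for p in allowed_commands(view))


def render_config(view, secret):
    """Emit the IOS lines the post uses to create a parser view."""
    lines = [f"parser view {view}", f" secret {secret}"]
    lines += [f" command exec include {c}" for c in VIEWS[view]]
    return "\n".join(lines)


def render_superview(name, secret):
    """Emit the IOS lines that build a superview from its member views."""
    lines = [f"parser view {name} superview", f" secret {secret}"]
    lines += [f" view {member}" for member in SUPERVIEWS[name]]
    return "\n".join(lines)
```

A denied command here corresponds to the "% Invalid input detected" response in the transcripts, which is how IOS reports a command outside the current view.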
2 comments:
Anonymous
said...
Comment on this: using a router 2911 on Cisco Packet Tracer, why is the command " command parser view supuser superview " rejected when attempting to create a super view?
Try on GNS3. If you don't have the image, configure the router to act as a switch; then it will work.