Module 5 Flashcards

1
Q

Cisco IOS software has two methods of providing infrastructure access:

Both methods help determine who should be allowed to connect to the device and what that person should be able to do with it.

A

privilege level and role-based CLI.

2
Q

___ access provides more granularity and control.

A

Role-based CLI

3
Q

By default, the Cisco IOS software CLI has two levels of access to commands:

A

User EXEC mode (privilege level 1)
Privileged EXEC mode (privilege level 15)

4
Q

This provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.

A

User EXEC mode (privilege level 1)

5
Q

This includes all enable-level commands at the Router# prompt.

A

Privileged EXEC mode (privilege level 15)

6
Q

There are __ privilege levels in total.

A

16

7
Q

The ___ the privilege level, the more router access a user has.

A

higher

8
Q

Commands that are available at ____ privilege levels are also executable at ____ levels.

A

lower - higher

9
Q

Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.

A

Level 0:

10
Q

The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.

A

Level 1:

11
Q

May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.

A

Levels 2-14:

12
Q

Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

A

Level 15:

13
Q

To assign commands to a custom privilege level, use the privilege global configuration mode command

A

Router(config)# privilege mode {level level | reset} command

14
Q

Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available on your router.

A

mode

15
Q

(Optional) Enables setting a privilege level with a specified command.

A

level

16
Q

(Optional) The privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15.

A

level italic

17
Q

(Optional) Resets the privilege level of a command.

A

reset

18
Q

(Optional) Argument to use when you want to reset the privilege level.

A

command

19
Q

To configure a privilege level with specific commands, use the

A

privilege exec level level [command].

Example:

R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 10 reload

20
Q

There are two methods for assigning passwords to the different privilege levels:

A

To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.

To the privilege level, use the enable secret level level password global configuration mode command.

21
Q

Note: Both the username secret and the enable secret commands are configured for ___ encryption.

A

type 9

22
Q

Use the __ command to assign a privilege level to a specific user.

A

username

23
Q

Use the ____ command to assign a privilege level to a specific EXEC mode password.

A

enable secret

24
Q

Limitations of privilege levels

A

There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.

Commands available at lower privilege levels are always executable at higher levels.

Commands specifically set at a higher privilege level are not available for lower privileged users.

Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.

25
Q

If an administrator must create a user account that has access to most but not all commands, privilege exec statements need to be configured for every command that must be executed at a privilege level lower than 15.

A

True

26
Q

Cisco introduced the ____ access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling which commands are available to specific roles. ____ access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.

A

role-based CLI

27
Q

Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

A

Security

28
Q

Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.

A

Availability

29
Q

Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.

A

Operational Efficiency

30
Q

Role-based CLI provides three types of views that dictate which commands are available:

A

Root view
CLI view
Superview

31
Q

To configure any view for the system, the administrator must be in ____. __ has the same access privileges as a user who has level 15 privileges. However, a ___ is not the same as a level 15 user. Only a ___ user can configure a new view and add or remove commands from the existing views.

A

Root View

32
Q

A specific set of commands can be bundled into a _____ . Unlike privilege levels, a ____ has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.

A

CLI View

33
Q

A _____ consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. ____ allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.

A

Superview

34
Q

Superviews have several specific characteristics:

A

A single CLI view can be shared within multiple superviews.

Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.

Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.

Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.

35
Q

Configure Role-Based Views

A

Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.

Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.

Step 3. Assign a secret password to the view using the secret password view configuration mode command.

Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.

Step 5. Exit view configuration mode by typing the exit command.

36
Q

Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.

A

Router# enable [view [view-name]]

37
Q

This parameter enters root view if no view-name is specified, which enables an administrator to configure CLI views. The view parameter is required to configure a CLI view.

A

view

38
Q

(Optional) This parameter enters or exits a specified CLI view. This parameter can be used to switch from one CLI view to another CLI view.

A

view-name

39
Q

Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.

A

Router(config)# parser view view-name

40
Q

Step 3. Assign a secret password to the view using the secret password view configuration mode command.

A

Router(config-view)# secret password

41
Q

Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.

A

Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

42
Q

Step 5. Exit view configuration mode by typing the exit command.

A

exit

43
Q

Configure Role-Based CLI Superviews

A

Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode. Appending the keyword superview to parser view creates a superview and enters configuration mode.

Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview. The password must be created immediately after creating a view; otherwise an error message will appear.

Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to the superview. Multiple views can be added. Views may be shared between superviews.

Step 4. Exit superview configuration mode by typing the exit command.

44
Q

Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode. Appending the keyword superview to parser view creates a superview and enters configuration mode.

A

Router(config)# parser view view-name superview

45
Q

Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview. The password must be created immediately after creating a view; otherwise an error message will appear.

A

Router(config-view)# secret password

45
Q

Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to the superview. Multiple views can be added. Views may be shared between superviews.

A

Router(config-view)# view view-name

45
Q

To access existing views, enter the ____ command in user mode and enter the password that was assigned to the custom view. Use the same command to switch from one view to another.

A

enable view view-name

46
Q

Step 4. Exit superview configuration mode by typing the exit command.

A

exit

47
Q

From the root view, use the _____ command to see a summary of all views.

A

show parser view all

48
Q

What must be done before any role-based CLI views can be created?

A

issue the aaa new-model command

There are five steps involved to create a view on a Cisco router.
1) AAA must be enabled.
2) The view must be created.
3) A secret password must be assigned to the view.
4) Commands must be assigned to the view.
5) View configuration mode must be exited.

49
Q

Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

A

no access control to specific interfaces on a router
commands set on a higher priv level are not available for lower priv user
creating user acc that needs access to most but not all commands can be a tedious process

An administrator can create customized privilege levels and assign different commands to each level. However, this method of controlling the level of access to the router has limitations. Using privilege levels, access to specific interfaces or ports cannot be controlled and availability of commands cannot be customized across levels.

50
Q

Which two router commands can a user issue when granted privilege level 0? (Choose two.)

A

help and disable

The privilege level 0 in Cisco IOS software is predefined for user-level access privileges. It is seldom used, but includes five commands: disable, enable, exit, help, and logout.

51
Q

What does level 5 in the following enable secret global configuration mode command indicate?

Router(config)# enable secret level 5 csc5io

A

grants access to priv exec level 5

There are two methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.
To the privilege level, use the enable secret level level password global configuration mode command.

52
Q

What are three network enhancements achieved by implementing the Cisco IOS software role-based CLI access feature? (Choose three.)

A

Cisco IOS software role-based CLI access feature provides benefits for network functions including:

Security - Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

Availability - Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.

Operational Efficiency - Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify.

53
Q

A network administrator wants to create a new view so that a user only has access to certain configuration commands. In role-based CLI, which view should the administrator use to create the new view?

A

root view

In role-based CLI access implementation, a network administrator must be in root view to create a new role-based view, such as a CLI view or a superview.

54
Q

A network administrator enters the command R1# enable view adminview. What is the purpose of this command?

A

to enter a CLI view named adminview

The enable view privileged EXEC command is used to enter the root view. The optional view-name, in this case adminview, is used to enter a CLI view named adminview directly.

55
Q

Which range of custom privilege levels can be configured on Cisco routers?

A

The privilege levels 2-14 in Cisco IOS software may be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.

56
Q

Which command will move the show interface command to privilege level 10?

A

router(config)# privilege exec level 10 show interface

To configure a privilege level with specific commands, use the privilege exec level level [command].

57
Q

What is the default privilege level of user accounts created on Cisco routers?

A

1

There are 16 privilege levels that can be configured as part of the username command, ranging from 0 to 15. By default, if no level is specified, the account will have privilege level 1.

58
Q

An administrator assigned a level of router access to the user ADMIN using the commands below.

Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10

Which two actions are permitted to the user ADMIN? (Choose two.)

A

the user can issue the show version command

the user can execute all subcommands under the show ip interfaces command

Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.