“welcome” or any other familiar greeting that may be misconstrued as an invitation to use the network. Banners are disabled by default and must be explicitly enabled by the administrator. As shown in Figure, use the banner command from global configuration mode to specify appropriate messages. Figure shows the command syntax and an example. Figure shows the parameters for the banner command. There are four valid tokens that you can use within the message section of the banner command:
5.6 Configuring Role-Based CLI

5.6.1 Role-Based CLI Overview

Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide the necessary level of detail needed when working with Cisco IOS routers and switches. The Role-Based CLI Access feature allows you to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands. Views restrict user access to the Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. CLI views provide a more detailed access control capability for network administrators, thereby improving the overall security and accountability of Cisco IOS software. As of Cisco IOS Release 12.3(11)T, you can also assign an interface or a group of interfaces to a view, thereby allowing access on the basis of specified interfaces. Access to a view is protected with a password. This protection is similar to the concept that the privilege levels use. To simplify view management, views can be grouped into superviews to create large sets of commands and interfaces. A superview encompasses several individual views, resulting in wider administrative privileges. Figure summarizes this overview.

Role-Based CLI Details

Figure lists details of the role-based CLI feature. When a system is in root view, it has all of the access privileges of a user who has level 15 privileges. If you wish to configure any view on the system, the system must be in root view. The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. When you are in a CLI view, you only have access to the commands that have been added to that view by the root view user. View authentication can be performed by an external AAA server via the new cli-view-name attribute. AAA authentication associates only one view name with a particular user; that is, only one view name can be configured for a user in an authentication server.

Note
AAA provides access to an external user database that is used for authentication, authorization, and accounting tasks. Without the external AAA server, all network devices would need to maintain a local copy of the user database, which may have a severe impact on the scalability and functionality of the system.

The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.) Like a CLI view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Simple Network Management Protocol (SNMP) commands that store information about calls and users.
5.6.2 Getting Started with Role-Based CLI

Figure describes the configuration steps that are related to role-based CLI. Before you enter or create a view, you must enable AAA via the aaa new-model command. Next, you use the enable command with the view parameter to enter the root view. You are prompted for authentication, if authentication is configured. Use the privilege 15 password.

Note

If AAA is not enabled, you will receive this error message:

router#enable view
% AAA must be configured

Figure describes the parameters for the enable command.
5.6.3 Configuring CLI Views

After aaa new-model has been enabled and you enter the root view, create a view and enter the view configuration mode using the parser view command shown in Figure. You need to specify the name of the view that you want to create or the existing view that you want to modify. Next, protect access to the CLI view with a secret using the password command. The only available encryption algorithm is MD5, represented by the number 5 in the first parameter field. Then provide a password that will be required to enter this view. You must issue this command before you can configure additional attributes for the view. Finally, add commands or interfaces to a view using the commands command. Figure describes the parameters for the commands command.
5.6.4 Configuring Superviews

Role-based CLI facilitates the concept of grouping CLI views into view supersets, called superviews. A superview consists of one or more CLI views, which allow users to define which commands are accepted and what configuration information is visible. Superviews allow you to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users. Superviews have these characteristics: To configure a superview, use the parser view command, shown in Figure, and configure a password for that superview. Then, add a normal CLI view to the superview using the view command. Issue this command for each CLI view that you want to add to the superview.

Note

Before adding a CLI view to a superview, ensure that the CLI views that are added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.
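As an added example that is not part of the course text, the following Python script audits the parser view stanzas of an IOS configuration file against the rules stated in 5.6.3 and 5.6.4: aaa new-model must be present before any view can be entered, every view and superview needs a secret, a superview is built only from views that already exist, and no more than 15 views and superviews may be configured. It also lists views whose commands reach configuration mode, so that the rights each view grants can be reviewed against what its users actually need. The sample configuration is constructed for this example (the hostname, view names and the `$1$...` hash strings are placeholders, not real credentials); the stanza parser accepts both `secret` and `password` lines as the view credential so it works with either keyword in a saved configuration.

```python
"""Audit the role-based CLI (parser view) stanzas of a Cisco IOS configuration text.
Constructed example; the checks follow the rules given in the course text."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MAX_VIEWS = 15  # CLI views + superviews (lawful intercept view included), root view not counted

# Constructed sample running-config: view names and hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname R1
!
aaa new-model
!
parser view MONITOR
 secret 5 $1$PLACEHOLDER$notARealMd5HashAAAAAAAA
 commands exec include show version
 commands exec include all show ip
!
parser view CONFIG-IF
 secret 5 $1$PLACEHOLDER$notARealMd5HashBBBBBBBB
 commands exec include configure terminal
 commands configure include interface
 commands interface include all ip
!
parser view NOSECRET
 commands exec include show running-config
!
parser view OPS superview
 secret 5 $1$PLACEHOLDER$notARealMd5HashCCCCCCCC
 view MONITOR
 view MISSING-VIEW
!
end
"""


@dataclass
class View:
    name: str
    superview: bool
    has_secret: bool = False
    commands: List[str] = field(default_factory=list)  # 'commands <mode> ...' lines
    members: List[str] = field(default_factory=list)   # 'view <name>' lines (superviews only)


VIEW_RE = re.compile(r"^parser view (\S+)( superview)?\s*$")


def parse_views(config: str) -> Dict[str, View]:
    """Collect every 'parser view' stanza; IOS indents stanza body lines by one space."""
    views: Dict[str, View] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            parts = raw.split()
            if parts[0] in ("secret", "password"):
                current.has_secret = True
            elif parts[0] == "commands":
                current.commands.append(" ".join(parts))
            elif parts[0] == "view" and len(parts) > 1:
                current.members.append(parts[1])
            continue
        # Any non-indented line ('!', 'end', another top-level command) closes the stanza.
        current = None
        m = VIEW_RE.match(raw)
        if m:
            current = View(name=m.group(1), superview=m.group(2) is not None)
            views[current.name] = current
    return views


def grants_config_access(view: View) -> bool:
    """True if the view reaches configuration mode: any non-exec parser mode
    (configure, interface, line, ...) or an exec line that includes 'configure'."""
    for line in view.commands:
        parts = line.split()
        mode = parts[1] if len(parts) > 1 else ""
        if mode and mode != "exec":
            return True
        if mode == "exec" and "configure" in parts[3:]:
            return True
    return False


def audit(config: str) -> List[str]:
    """Return one finding per rule violation or least-privilege review item."""
    findings: List[str] = []
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}
    if "aaa new-model" not in top_level:
        findings.append("aaa new-model is missing; 'enable view' fails with '% AAA must be configured'")
    views = parse_views(config)
    if len(views) > MAX_VIEWS:
        findings.append(f"{len(views)} views/superviews defined; the IOS limit is {MAX_VIEWS}")
    for v in views.values():
        kind = "superview" if v.superview else "view"
        if not v.has_secret:
            findings.append(f"{kind} {v.name}: no secret configured")
        if v.superview:
            if v.commands:
                findings.append(f"superview {v.name}: has 'commands' lines; a superview is built from views")
            for member in v.members:
                if member not in views:
                    findings.append(f"superview {v.name}: member view {member} is not defined")
        else:
            if v.members:
                findings.append(f"view {v.name}: has 'view' lines; only a superview can contain views")
            if grants_config_access(v):
                findings.append(f"view {v.name}: grants configuration mode; review against least privilege")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports that CONFIG-IF grants configuration mode, that NOSECRET has no secret and therefore cannot be entered, and that the superview OPS refers to a view (MISSING-VIEW) that was never created with parser view. Feeding it a configuration exported with show running-config gives the same checks for a real device.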
5.6.5 Role-Based CLI Monitoring

When monitoring role-based CLI, use the command show parser view to display information about the view that the user is currently in. The option all displays information for all views configured on the router. Figure shows the command syntax for the show parser view command.

Note

The all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in any CLI view.

To display debug messages for all views, use the debug parser view command in privileged EXEC mode.
5.6.6 Role-Based CLI Configuration Example

In the example shown in Figure, the CLI view first is created and configured to include the commands show version, configure terminal, and all