Lori Hyde tells you how to create router menus that allow you to control user access to a limited set of commands.
The first time I ever heard of router "menus" was during a CCIE practice lab, and I have to admit that I had fun with them. I'd be the first to say that this is not the best way to control user interaction with a router in a corporate environment. But, I can see specific instances, such as in a lab or small office environment, where user menus may provide a perfect solution for allowing required access to a device while controlling that access to a limited subset of specific commands.
Menu creation capability has been part of the Cisco IOS since release 10.0. The commands associated with setting up a menu are pretty basic and consist of four key elements:
- Menu title: This names your menu and is displayed at the top of the user screen.
- Menu prompt: This text is also displayed to the user.
- Menu text: This text is the actual choices you are providing to the user.
- Menu command: This is the actual command that will be executed based on the user selection.
In my example, the Network Operations Center (NOC) needs to be able to look at the interfaces and run ping and trace commands on the lab test router. To do this, I'll create a nested menu of command options they are allowed to execute on the test router, and then I'll create a user account that is tied to this menu.
First I create the main menu. From this menu, the user will select the secondary menus based on their desired actions.
I first set up the title of the menu and create the prompt that the user will see:
menu NOC title ^ Menu for NOC users ^C
menu NOC prompt ^ Choose your selection: ^C
Next, I set up the user selectable options.
menu NOC text 1. Ping Menu
menu NOC text 2. Trace Menu
menu NOC text 3. Show Interface Menu
menu NOC text 4. Exit
Each of these options is followed by the actual command that will be executed, which, in this case, is to call the nested menus.
menu NOC command 1. menu ping
menu NOC command 2. menu trace
menu NOC command 3. menu interface
menu NOC command 4. exit
I want the users to be able to view the data before redrawing the menu, so I'll add a "pause" option after each command.
menu NOC options 1. pause
menu NOC options 2. pause
menu NOC options 3. pause
Then, I'll clear the screen and exit the menu:
menu NOC clear-screen
Next, I'll create the sub-menus using the same command structure as above.
menu ping title ^ Menu for ping ^C
menu ping prompt ^ Choose Your Ping Destination: ^C
menu ping text 1. SW05
menu ping command 1. ping 192.168.80.1
menu ping options 1. pause
menu ping text 2. SW06
menu ping command 2. ping 172.20.200.5
menu ping options 2. pause
menu ping text 3. SW07
menu ping command 3. ping 192.168.80.214
menu ping options 3. pause
menu ping text 4. Back
menu ping command 4. menu-exit
menu ping clear-screen
menu trace title ^ Menu for Traceroute ^C
menu trace prompt ^ Choose Your Traceroute Destination: ^C
menu trace text 1. SW05
menu trace command 1. trace 192.168.80.1
menu trace options 1. pause
menu trace text 2. SW06
menu trace command 2. trace 172.20.200.5
menu trace options 2. pause
menu trace text 3. SW07
menu trace command 3. trace 192.168.80.214
menu trace options 3. pause
menu trace text 4. Back
menu trace command 4. menu-exit
menu trace clear-screen
menu interface title ^ Show Interface Menu ^C
menu interface prompt ^ Choose Your Interface Option: ^C
menu interface text 1. Show IP Interface Brief
menu interface command 1. sh ip int brief
menu interface options 1. pause
menu interface text 2. Show Interface Ethernet0/0
menu interface command 2. sh int ethernet0/0
menu interface options 2. pause
menu interface text 3. Show Interface Ethernet0/1
menu interface command 3. sh int ethernet0/1
menu interface options 3. pause
menu interface text 4. Back
menu interface command 4. menu-exit
menu interface clear-screen
Finally, I need to create a local user account on the router. The "autocommand" option tells the router to execute our menu NOC when user NOC logs in.
username NOC password myoptions
username NOC autocommand menu NOC
There are other ways to do this. I could have tied the "autocommand" command directly to the VTY lines rather than to the user. The router must also be configured for local authentication either with the login local command on the VTY lines or with the appropriate aaa authentication commands.
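A check that can be run over a saved copy of the configuration before the NOC account is handed out, as an added example that is not part of the original article: it parses the `menu ... command` and `username ... autocommand menu` lines and reports items that run anything outside an allowlist, menus with no way out, and calls to menus that are not defined. The function name, the allowlist and the sample excerpt are assumptions constructed for illustration.

```python
import re

# Constructed sample: an excerpt of the menu configuration shown in the article.
SAMPLE = """\
menu NOC text 1. Ping Menu
menu NOC command 1. menu ping
menu NOC text 4. Exit
menu NOC command 4. exit
menu ping text 1. SW05
menu ping command 1. ping 192.168.80.1
menu ping text 4. Back
menu ping command 4. menu-exit
username NOC password myoptions
username NOC autocommand menu NOC
"""

# Assumption: the only first words a menu item may run. The match is exact,
# so any abbreviation that is not listed here is reported as well.
ALLOWED = {"ping", "trace", "sh", "show", "menu", "menu-exit", "exit"}
LEAVE = {"menu-exit", "exit"}

def audit_menus(config, allowed=ALLOWED):
    """Return a sorted list of findings for IOS menu and autocommand lines."""
    commands, referenced, findings = {}, {}, []  # commands: menu -> {item: command}
    for line in config.splitlines():
        m = re.match(r"menu (\S+) command (\S+) (.+)", line.strip())
        if m:
            commands.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
        u = re.match(r"username (\S+) autocommand menu (\S+)", line.strip())
        if u:
            referenced[u.group(2)] = f"username {u.group(1)}"
    for menu, items in commands.items():
        for item, cmd in items.items():
            words = cmd.split()
            if words[0] not in allowed:
                findings.append(f"{menu} item {item}: '{cmd}' is outside the allowlist")
            if words[0] == "menu" and len(words) > 1:
                referenced.setdefault(words[1], f"menu {menu} item {item}")
        if not LEAVE & {c.split()[0] for c in items.values()}:
            findings.append(f"{menu}: no item runs menu-exit or exit")
    for target, source in referenced.items():
        if target not in commands:
            findings.append(f"{source} calls undefined menu '{target}'")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_menus(SAMPLE) or "no findings")
```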
Here are some screenshots of this new menu in action.
While this was a nested menu, the actual commands and structure are pretty basic. So, if you haven't tried creating menus yet, give it a whirl. And if you're already familiar with them, what have you used them for?
I wonder if a menu could make a call to a TCL script. Hmmm... haven't tried that yet. Have you?