Also, if using an AAA solution, allow for local authentication as a fallback method in case the link is down and you need the FW engineer to access the router. Another option would be to have an out-of-band connection (e.g. modem) to the console of the router, so you can dial in and get the necessary outputs.
In addition to James' and Sankar's posts, you could also configure a menu, which is a sort of user-friendly screen with options from which your firewall engineer can choose. In the sample configuration below, the firewall engineer would log on to the router with the following command:
telnet x.x.x.x 3001
where x.x.x.x is the IP address of the router. Only one VTY (Telnet) line is reserved for the firewall engineer, leaving the other 4 VTY lines for you to access. Just make sure that when you try to telnet to the router, you specify another port (e.g. telnet x.x.x.x 3002).
When your firewall engineer logs on to the router with the username FW and the corresponding password, he (or she) will automatically be presented with the menu.
Obviously you will need to tell your engineer to use the correct syntax (port 3001 in this example) when telnetting, in order for the access to work correctly.
! local account for the firewall engineer; "password 0" keeps the password in
! clear text in the configuration ("username FW secret ..." would store a hash)
username FW password 0 cisco
! run the menu automatically at login instead of dropping into an EXEC prompt
username FW autocommand menu LOCALSITE
menu LOCALSITE title "Menu for FW engineers"
menu LOCALSITE prompt "Choose your selection: "
menu LOCALSITE text 1. Show interface serial0/0
menu LOCALSITE command 1. show interfaces serial0/0
menu LOCALSITE options 1. pause
menu LOCALSITE text 2. Show ip accounting output
menu LOCALSITE command 2. show ip accounting output
menu LOCALSITE options 2. pause
menu LOCALSITE text 3. Show interface bri0/0
menu LOCALSITE command 3. show interfaces bri0/0
menu LOCALSITE options 3. pause
menu LOCALSITE text 4. Show isdn active
menu LOCALSITE command 4. show isdn active
menu LOCALSITE options 4. pause
menu LOCALSITE text 5. Exit
menu LOCALSITE command 5. exit
menu LOCALSITE clear-screen
! the one VTY line reserved for the engineer: rotary group 1 answers on TCP port
! 3001 (3000 + group number, as the "telnet x.x.x.x 3001" above implies) and
! "login local" authenticates against the username FW defined above
line vty 0
 rotary 1
 login local
! the remaining four lines stay yours and answer on port 3002 (rotary group 2)
line vty 1 4
 rotary 2
Moving commands to a specific privilege level, as mentioned by James, would look like this (again, only one VTY line is reserved for your firewall engineer). In this sample configuration, the commands you specified are moved to the lowest exec level (0). When your firewall engineer telnets to the router with:
telnet x.x.x.x 3001
the engineer would remain in user mode, but be able to execute the commands that have been moved to that exec level:
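The privilege-level variant described above, written out as an added example configuration (not the original poster's config). It assumes the same username FW, the same single reserved VTY line reached on TCP port 3001 (rotary group 1), and a placeholder password:

```cisco
! Hypothetical example, not from the original post. Assumes username FW and
! one reserved VTY line on port 3001; <strong-password> is a placeholder.
!
! Give the engineer's account the lowest EXEC level (0) and store a hash,
! not a clear-text password.
username FW privilege 0 secret <strong-password>
!
! Move only the commands the engineer needs down to level 0. IOS makes the
! parent keyword ("show") available at that level automatically.
privilege exec level 0 show interfaces
privilege exec level 0 show ip accounting
privilege exec level 0 show isdn active
!
! Caveat: "privilege exec" works per command, not per argument, so level 0
! now sees "show interfaces" for every interface, not just serial0/0 and
! bri0/0. The menu approach is tighter if that matters.
!
! Reserved line: rotary 1 answers on TCP port 3001, "login local" applies
! the privilege level from the username entry.
line vty 0
 rotary 1
 login local
 exec-timeout 10 0
! Your own lines keep their existing login method and answer on port 3002.
line vty 1 4
 rotary 2
!
! After "telnet x.x.x.x 3001" and logging in as FW, the engineer stays at the
! user-mode prompt (Router>) and can run the three show commands above;
! "configure terminal" and other level-15 commands are not accepted there.
```

Without an enable secret the engineer has no path to level 15, which is worth checking with "show privilege" from a level-0 session before handing over the account.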