Read-Only Cisco Router Config
Many internet hardware products offer a read-only access mode, which I’m guessing is to keep Mr. Slacky from screwing up the config - ahem, no router bgp 6078 - on your live core router. But that’s the problem: Cisco doesn’t offer an elegant solution for read-only access to their routers. You can modify the exec level for show running-config, but the output ends up being completely useless unless you also supply a new exec level for all of the associated commands that are necessary to gather the configuration.
What I needed to do was allow our client to view the running configuration of all of their Cisco routers. They didn’t need or want to modify any of the configurations, but because they were a branch of the federal government they wanted to audit the configurations on a scheduled basis. As mentioned above, I tried modifying the exec level, but the configuration was completely blank because the associated commands weren’t allowed.
After searching Cisco’s web site for a few minutes, I came across this article on how to run commands automatically on user login and then disconnect that user.
I added the following configuration to all of our client’s routers:
username client password clientpasswd
username client privilege 15 autocommand show running
This sets the client username to privilege 15, the highest level of privilege on a Cisco router, and configures it to run the show running command automatically on login. The connection to the router is closed as soon as the command finishes.
It seems to be working great for our client!
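Because the point of the account is that it can only view the config, it is worth checking saved configs to confirm it stays that way. The script below is an added example, not part of the original post: it merges the username lines for each user and reports accounts meant to be view-only that are not locked to an autocommand show command. The admin and auditor users and the sample config are constructed for illustration.

```python
import re

# Constructed sample config; the admin and auditor users are hypothetical.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhashvalue
username client password clientpasswd
username client privilege 15 autocommand show running
username auditor privilege 15 password 0 autocommand
"""


def parse_usernames(config):
    """Merge every `username <name> ...` line into one record per user."""
    users = {}
    for line in config.splitlines():
        m = re.match(r"username\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        # A local user without an explicit privilege gets level 1.
        user = users.setdefault(m.group(1), {"privilege": 1, "autocommand": None})
        tokens = m.group(2).split()
        i = 0
        while i < len(tokens):
            if tokens[i] == "privilege" and i + 1 < len(tokens):
                user["privilege"] = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "autocommand":  # rest of the line is the command
                user["autocommand"] = " ".join(tokens[i + 1:])
                break
            elif tokens[i] in ("password", "secret"):
                break  # the rest is credential material, not options
            else:
                i += 1
    return users


def audit_read_only(config, read_only_users):
    """Return (user, problem) pairs for accounts meant to be view-only."""
    users, findings = parse_usernames(config), []
    for name in sorted(read_only_users):
        user = users.get(name)
        if user is None:
            findings.append((name, "not defined"))
        elif user["autocommand"] is None:
            findings.append((name, "no autocommand: login opens an interactive shell"))
        elif not user["autocommand"].startswith("show "):
            findings.append((name, "autocommand is not a show command"))
    return findings
```

Calling audit_read_only(SAMPLE_CONFIG, {"client", "auditor"}) reports only auditor, whose password happens to be the word autocommand and must not be mistaken for the option.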
Originally written in January, 2005