1-1 User Interfaces

  • A router supports user access by command-line interface (CLI) or by a Web browser. A router also provides a user interface to the ROM monitor bootstrap code.

  • Users can execute IOS commands from a user level or from a privileged level. User level offers basic system information and remote connectivity commands. Privileged level offers complete access to all router information, configuration editing, and debugging commands.

  • A router offers many levels of configuration modes, allowing the configuration to be changed for a variety of router resources.

  • A context-sensitive help system offers command syntax and command choices at any user prompt.

  • A history of IOS commands executed can be kept. Command lines can also be edited and reused.

  • The output from a command can be searched and filtered so that useful information can be found quickly.

  • Parameters for the CLI connection to the router can be set to preferred values.

  • Asynchronous ports on a router can be connected to other serial devices. You can open reverse-Telnet connections to the external devices for remote access.

  • Banners can be defined and displayed at various points in the login process.

  • Menus can be defined to give terminal session users easy access to other functions or remote systems.

  • Access to the router can be configured for Secure Shell (SSH) version 1.

Configuration

  1. User interface modes.

    a. User EXEC mode.

      Users can connect to a router via the console port, auxiliary port, or Telnet session. By default, the initial access to a router places the user in user EXEC mode and offers a limited set of commands. When connecting to the router, a user-level password might or might not be required.

    b. Privileged EXEC mode:

       (exec) enable
       password: [password]

      As soon as a user gains access in user EXEC mode, the enable command can be used to enter privileged EXEC or enable mode. Full access to all commands is available. To leave privileged EXEC mode, use the disable or exit commands.

    c. Configuration mode:

       (exec) configure terminal

      From privileged EXEC mode, configuration mode can be entered. Router commands can be given to configure any router feature that is available in the IOS software image. When you are in configuration mode, you are managing the router's active memory. Anytime you enter a valid command in any configuration mode and press Enter, the memory is immediately changed. Configuration mode is organized in a hierarchical fashion. Global configuration mode allows commands that affect the router as a whole. Interface configuration mode allows commands that configure router interfaces. There are many other configuration modes that you can move into and out of, depending on what is being configured. To move from a lower-level configuration mode to a higher level, type exit. To leave global configuration mode and return to privileged EXEC mode, type exit at the global configuration prompt. To leave any configuration mode and return to privileged EXEC mode, type end or press Ctrl-z.

  2. User interface features.

    a. Entering commands:

       (any mode) command
       (any mode) no command

      Commands can be entered from any mode (EXEC, global, interface, subinterface, and so on). To enable a feature or parameter, type the command and its options normally, as in command. To disable a command that is in effect, begin the command with no, followed by the command. You can see the commands that are in effect by using the show running-config command. Note that some commands and parameters are set by default and are not shown as literal command lines in the configuration listing.

      Commands and their options can also be abbreviated with as few letters as possible without becoming ambiguous. For example, to enter the interface configuration mode for ethernet 0, the command interface ethernet 0 can be abbreviated as int e 0.

      A command line may be edited using the left and right arrow keys to move within the line. If additional characters are typed, the remainder of the line to the right is spaced over. The Backspace and Delete keys may be used to make corrections.

      NOTE

      If the router displays a console informational or error message while you are typing a command line, you can press Ctrl-l or Ctrl-r to redisplay the line and continue editing. You can also configure the lines (console, vty, or aux) to use logging synchronous. This causes the router to automatically refresh the lines after the router output. If you issue debug commands with logging synchronous enabled, you might have to wait for the router to finish the command (such as a ping) before you see the output.

    b. Context-sensitive help.

      You can enter a question mark ( ? ) anywhere in a command line to get additional information from the router. If the question mark is typed alone, all available commands for that mode are displayed. Question marks can also be typed at any place after a command, keyword, or option. If the question mark follows a space, all available keywords or options are displayed. If the question mark follows another word without a space, a list of all available commands beginning with that substring is displayed. This can be helpful when an abbreviated command is ambiguous and flagged with an error.

      An abbreviated command may also be typed, followed by pressing the Tab key. The command name is expanded to its full form if it is not ambiguous.

      If a command line is entered but doesn't have the correct syntax, the error "% Invalid input detected at '^' marker" is returned. A caret (^) appears below the command character where the syntax error was detected.

    c. Command history.

      • (Optional) Set the number of commands to save (default 10). To set the history size for the current terminal session, enter

         (exec) terminal history [size lines]

        To set the history size for all sessions on a line, enter

         (line) history [size lines]
      • Recall commands to use again.

        From any input mode, each press of the up arrow or Ctrl-p recalls the next older command. Each press of the down arrow or Ctrl-n recalls the next most recent command. When commands are recalled from history, they can be edited as if you just typed them. The show history command displays the recorded command history.

        NOTE

        The up- and down-arrow keys require the use of an ANSI-compatible terminal emulator (such as VT100).

    d. Search and filter command output.

      • Sift through output from a show command:

         (exec) show command ... | {begin | include | exclude} reg-expression

        A show command can generate a long output listing. If the listing contains more lines than the terminal session can display (set using the length parameter), the output is displayed a screenful at a time with a --More-- prompt at the bottom. To see the next screen, press the spacebar. To advance one line, press the Enter key. To exit to the command line, press Ctrl-c, q, or any key other than Enter or the spacebar.

        To search for a specific regular expression and start the output listing there, use the begin keyword. This can be useful if your router has many interfaces in its configuration. Rather than using the spacebar to eventually find a certain configuration line, you can use begin to jump right to the desired line. To display only the lines that include a regular expression, use the include keyword. To display all lines that don't include a regular expression, use the exclude keyword.

      • Sift through output from a more command:

         (exec) more file-url | {begin | include | exclude} reg-expression

        The more command displays the contents of a file on the router. A typical use is to display the startup (more nvram:startup-config) or running (more system:running-config) configuration file. By default, the file is displayed one screen at a time with a --More-- prompt at the bottom.

        To search for a specific regular expression and start the output listing there, use the begin keyword. To display only the lines that include a regular expression, use the include keyword. To display all lines that don't include a regular expression, use the exclude keyword.

      • Search through the output at a --More-- prompt:

         (--More--) {/ | + | -} regular-expression

        At a --More-- prompt, you can search the output by typing a slash (/) followed by a regular expression. To display only lines that include the regular expression, type a plus (+). To display only lines that don't include the regular expression, type a minus (-).

      • What is a regular expression?

        A regular expression can be used to match lines of output. Regular expressions are made up of patterns, either simple text strings (such as ethernet or ospf) or more-complex matching patterns. Typically, regular expressions are ordinary text words that point to a location in the output of a show command.

        A more-complex regular expression is made up of patterns and operators. Table 1-1 lists the characters that are used as operators.

Table 1-1. Operator Characters

  Character   Meaning
  .           Matches a single character.
  *           Matches zero or more sequences of the preceding pattern.
  +           Matches one or more sequences of the preceding pattern.
  ?           Matches zero or one occurrence of the preceding pattern.
  ^           Matches at the beginning of the string.
  $           Matches at the end of the string.
  _           Matches a comma, braces, parentheses, beginning or end of a string, or a space.
  [ ]         Defines a range of characters as a pattern.
  ( )         Groups characters as a pattern. If this is used around a pattern, the pattern can be recalled later in the expression using a backslash (\) and the pattern occurrence number.

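As an added example (not code from the book), the following Python script emulates the begin, include, and exclude filters over a constructed sample of show running-config output; it also translates the underscore operator from Table 1-1, which Python's re module lacks, and accepts the /, +, and - keys from the --More-- prompt as aliases for the same three filters.

```python
from __future__ import annotations

import re
from typing import List

# The underscore operator from Table 1-1 has no direct Python equivalent: it
# matches a comma, brace, parenthesis, space, or the start or end of the string.
_UNDERSCORE = r"(?:[,{}() ]|^|$)"


def cisco_regex(pattern: str) -> re.Pattern[str]:
    """Translate an IOS-style pattern into a compiled Python regex.

    . * + ? ^ $ [ ] ( ) and \\N back references mean the same in both, so only
    the underscore is rewritten; an escaped character such as \\. is kept as-is.
    (Assumption: an underscore inside [ ] is rare enough to be ignored here.)
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return re.compile("".join(out))


# The keys typed at a --More-- prompt select the same three filters.
MORE_KEYS = {"/": "begin", "+": "include", "-": "exclude"}


def filter_output(lines: List[str], mode: str, pattern: str) -> List[str]:
    """Apply 'show ... | {begin | include | exclude} pattern' to captured output.

    begin returns everything from the first matching line onward, include keeps
    only the matching lines, and exclude drops them.
    """
    rx = cisco_regex(pattern)
    mode = MORE_KEYS.get(mode, mode)
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    raise ValueError(f"unknown filter mode: {mode}")


# Constructed sample of 'show running-config' output (not from a real router).
SAMPLE_OUTPUT = """\
hostname Router1
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 ip address 10.2.2.1 255.255.255.252
 shutdown
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 login""".splitlines()


if __name__ == "__main__":
    # Jump straight to the Serial0 stanza instead of paging with the spacebar.
    print("\n".join(filter_output(SAMPLE_OUTPUT, "begin", "interface Serial0")))
```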
  3. Terminal sessions.

    a. Start a new session:

       (exec) telnet host

      This initiates a Telnet connection to host (either an IP address or a host name). Then, from the router CLI, you can continue communicating with the remote host.

    b. Name a session:

       (exec) name-connection
       (exec) Connection number: number
       (exec) Enter logical name: name

      An active session can be assigned a text string name to make the session easier to identify with the show sessions or where command.

    c. Suspend a session to do something else.

      During an active Telnet session to a host, press the escape sequence Ctrl-Shift-6 x, also written as Ctrl-^ x. Ctrl-^ is the IOS escape sequence, and the additional x tells the router to suspend a session. This suspends the Telnet session and returns you to the local router command-line prompt.

      NOTE

      It is possible to have nested Telnet sessions open. For example, from the local router, you can Telnet to another router A, then Telnet to another router B, and so forth. To suspend one of these sessions, you must also nest your escape sequences. Pressing a single Ctrl-^x suspends the session to router A and returns you to the local router. Pressing Ctrl-^ Ctrl-^x suspends the session to router B and returns you to router A's prompt. (Press the x only at the final escape sequence.)

    d. Show all active sessions:

       (exec) show sessions

      All open sessions from your connection to the local router are listed, along with connection numbers. You can also use the where command to get the same information.

    e. Return to a specific session.

      First, use the show sessions command to get the connection number of the desired session. Then, just type the connection number by itself on the command line. The session is reactivated. You can also just press Return or Enter at the command-line prompt, and the last active connection in the list is reactivated. The last active connection in the list is denoted by an asterisk (*). This makes toggling between the local router and a single remote session easier.

      NOTE

      When you resume the connection, you are prompted with the message "[Resuming connection 2 to Router ]". You must press Enter again to actually resume the connection.

    f. End an active session:

       (remote session) Ctrl-^ x
       (exec) disconnect connection-number

      As soon as the remote session is suspended, you can use the disconnect command to end the session and close the Telnet connection. Otherwise, your session remains open until the remote host times out the connection (if at all).

    g. Terminal screen format.

      • Set the screen size for the current session only:

         (exec) terminal length lines
         (exec) terminal width characters

      • Set the screen size for all sessions:

         (line) length lines
         (line) width characters

        The screen is formatted as characters columns wide by lines rows high, using the values given in these commands. When the number of lines of output from a command exceeds lines, the --More-- prompt appears. If you don't want the output paged with --More--, use length 0. The default length for sessions is 24 lines, and the default width is 80 characters.

    h. Reverse Telnet connections.

      • Connect an asynchronous serial router line.

        Any asynchronous line on a router can be used to support remote connections to external devices (that is, console ports on other Cisco routers or switches). Using a console "rollover" cable or a high-density access server cable, connect an async line on the local router to an asynchronous serial port on the external device. The AUX port or any async serial line on a Cisco access server can be used for this purpose.

      • Enable the Telnet protocol on a line:

         (line) transport input telnet
         (line) no login
         (line) no exec

        To choose the appropriate line, use either line aux 0 or line number, where number is the async line number. Because this line is used as a transparent connection between the external device and a remote user, no interactive process should be running on the local router that would interfere. Therefore, the no login command should be used to stop any local login prompting process, and no exec should be used to stop the executive process from interacting with any local character interpretation from devices attached to the line.

      • Set the async serial parameters:

         (line) speed baud
         (line) databits {5 | 6 | 7 | 8}
         (line) stopbits {1 | 1.5 | 2}
         (line) parity {none | even | odd | space | mark}

        The async line should be set to match the characteristics of the remote device. speed sets both the receive and transmit rates to baud. Common values are 300, 1200, 2400, 4800, 9600, 19200, 38400, and 115200. To view the default or current settings of a line, use the show line line command.

      • Open a reverse Telnet connection to the line:

         (exec) telnet ip-address port

        From a remote location (or from the local router if desired), open a Telnet session to the IP address of the local router. In addition, a TCP port number must be given, as port. Reverse Telnet connections to async lines use TCP port numbers, beginning with 2000. You determine the port number by adding the line number (in decimal) to 2000 (also in decimal). For example, line 1 is port 2001, and line 15 is port 2015.

        NOTE

        You will be Telnetting to an active IP address on the router. Although this can be any address on the router, it is a common practice to configure a loopback address on the router. See Chapter 2, "Interface Configuration," for more information on loopback addresses.

        If you have a router with many async lines, it might be difficult to determine the correct line number for a specific line. Use show users all to display all available lines on the router, including the console, AUX line, and vty or Telnet lines. The physical line number is displayed in the leftmost column of the output, under the heading "Line." Usually, the console is line 0 (but it can't be used for reverse Telnet), and the AUX line is line 1, followed by other async lines and/or vty lines.

        Also, you might sometimes receive a response that the port is unavailable. In this case, either another user has an active Telnet session open on that port, or the physical line needs to be reset. To reset the line, use the clear line line-number command on the local router.

      • Close the reverse-Telnet session:

         (session) Ctrl-^ x
         (exec) disconnect session

        To suspend the current reverse-Telnet session and return to the local router prompt, press the escape sequence (the default is Ctrl-^ x or Ctrl-Shift-6 x ). To end the reverse-Telnet session, use the disconnect command along with the session number. If you forget the session number of the reverse-Telnet session, use the show sessions or where command.

    i. Send a message to another terminal session:

       (exec) send {line-number | * | aux number | console number | tty number | vty number}

      Sometimes it is convenient to send quick messages to users who are Telnetted into a router. For example, you and a colleague might be logged into the same router but be located in different cities. A text message can be sent to either a specific line number ( line-number ), all lines ( * ), the AUX line ( aux number ), the router console ( console number ), a specific tty line ( tty number ), or a specific vty line ( vty number ). To find a user on a specific line, use the show users command. The router prompts for a text message to send. After typing the message, end with Ctrl-z.

    j. Configure session timeout values.

      • Define an absolute timeout for a line:

         (line) absolute-timeout minutes

        All active sessions on the line are terminated after minutes have elapsed. (The default is 0 minutes, or an indefinite session timeout.)

      • Define an idle timeout for a line:

         (line) session-timeout minutes [output]

        All active sessions on the line are terminated only if they have been idle for minutes. (The default is 0 minutes, or an indefinite idle timeout.) The output keyword causes the idle timer to be reset by outbound traffic on the line, keeping the connection up.

      • Define an idle timeout for all EXEC-mode sessions:

         (line) exec-timeout minutes [seconds]

        Active EXEC mode sessions are automatically closed after an idle period of minutes and seconds (the default is 10 minutes). To disable idle EXEC timeouts on the line, use the no exec-timeout or exec-timeout 0 0 command.

      • Enable session timeout warnings:

         (line) logout-warning [seconds]

        Users are warned of an impending logout seconds before it occurs. By default, no warning is given. If the seconds field is left off, it defaults to 20 seconds.

  4. Secure Shell connections.

    NOTE

    Cisco IOS supports only SSH version 1, with User ID and Password authentication. To use SSH, you must have an IPSec encryption software image. A DES (56-bit) image supports only DES encryption, and a 3DES (168-bit) image supports either DES or 3DES. (See Appendix A, "Cisco IOS Software Release and Filename Conventions," for details on determining what feature sets your software image supports.)

    SSH uses UDP and TCP port number 22.

    a. Configure a host name and a domain name for the router:

       (global) hostname hostname
       (global) ip domain-name domain

      The router must have both a host name and an IP domain name assigned, although the router does not have to be entered in a domain name server. The host name and domain name are used during encryption key computation.

    b. Generate the RSA key pair for authentication:

       (global) crypto key generate rsa

      A public and private key pair is generated for authentication to a remote session. This command is executed once at the time it is entered. Neither the command nor the keys are shown as part of the router configuration, although the keys are stored in a private NVRAM area for security. This command prompts for a modulus length (360 to 2048 bits; the default is 512). The higher the modulus, the better the encryption and the longer the computation time. Cisco recommends a minimum modulus of 1024 bits.

      NOTE

      In order to delete the RSA key pair, use the crypto key zeroize command.

    c. Configure user authentication.

      • Local user authentication:

         (global) username username password password

        Users can be authenticated locally on the router, provided that both a username and password are configured. The password is entered as a cleartext string containing up to 80 alphanumeric characters, including embedded spaces. Passwords are case-sensitive.

      • AAA user authentication.

        Users can be authenticated by a remote AAA (Authentication, Authorization, and Accounting) server. For more information on configuring a AAA server, see Section 13-2.

    d. Configure SSH parameters:

       (global) ip ssh {[timeout seconds] [authentication-retries retries]}

      The timeout keyword defines the maximum time for SSH negotiation with the remote device (the default is 120 seconds). The number of authentication retries can be defined with the authentication-retries keyword (the maximum is 5 retries; the default is 3).

    e. Telnet to the router from an SSH-capable device.

      All inbound SSH sessions to the router are opened to the VTY (Telnet) lines. The number of concurrent Telnet sessions (both non-SSH and SSH) is limited by the number of VTY lines that are configured.

    f. (Optional) Open an outbound SSH session from the router:

       (exec) ssh [-l userid] [-c {des | 3des}] [-o numberofpasswdprompts prompts] [-p port] {ip-address | hostname} [command]

      An SSH session is opened to the host given by ip-address or hostname. By default, the current username on the local router is used for authentication on the remote device. This can be overridden by the -l userid keyword. The type of encryption is specified as either DES or 3DES using the -c keyword. The number of prompts for a password can be set by the -o numberofpasswdprompts keyword (1 to 5; the default is 3). The port number used for the SSH session can be set using the -p port keyword (the default is 22). The command field specifies the command to be run on the remote device, assuming that the authenticated user has access to that command. If embedded spaces are needed, enclose the command string in double quotation marks.

  5. Configuring access to the router.

    a. (Optional) Set up authentication for users.

      • Define a username and password:

         (global) username name {password password | password encrypt-type encrypted-password}

        Enable authentication for a specific username name. The password keyword can define a text string password to be used at login time. An encrypted password from a previous router configuration can be copied and pasted into this command using the encrypt-type encrypted-password fields. An encrypt-type of 0 means that the password is unencrypted and is in clear text, and 7 means that the password is already encrypted.

      • Define a username to run a command automatically:

         (global) username name nopassword autocommand command

        The username name is defined as a login name. When it is used, no password is required, and the router command command is run automatically. Afterward, the user is logged out and disconnected.

      • Alter a user's access privileges:

         (global) username name [access-class acc-list] [noescape] [nohangup] [privilege level]

        The access-class keyword specifies an access list for the username that overrides one used in a line's access-class command. The noescape keyword prevents the user from using the escape sequence to suspend the session. The nohangup keyword returns the user to EXEC mode after an automatic command completes. A user's default privilege level (1) can be set using the privilege keyword.

    b. Configure login authentication.

      First, you must choose a line for incoming users.

      For an asynchronous port (line), enter the following command:

       (global) line {console 0 | aux 0 | number}

      Asynchronous ports are called lines in the router configuration. Lines are identified by number. If you aren't sure of the line number on an async port, use the show users all command to display all lines and their numbers. You can configure the following lines: console port ( line console 0 ), auxiliary port ( line aux 0 ), and async lines on an access server ( line number ).

      For a virtual terminal line (vty) for Telnet access, enter the following command:

       (global) line vty first [last]

      vty ports are also called lines in the router configuration. Several vty lines can be configured so that more than one Telnet session can be active to the router. A range of vty lines can be configured at one time by using both first and last vty numbers.

      NOTE

      VTY lines require a password to be configured before user access is enabled. Otherwise, the router closes any incoming Telnet sessions immediately.

      To enable login authentication without a username, enter the following command sequence:

       (line) login
       (line) password password

      Users are prompted for a password on the specified line. The password text string can be up to 80 alphanumeric characters with embedded spaces. The first character cannot be a number.

      To enable login authentication with a router-defined username, enter the following command:

       (line) login local

      Individual usernames must first be configured as shown in Step 5a. The router then authenticates users on the specified line against the locally defined usernames and passwords.

      To enable logins with TACACS authentication, enter the following command:

       (line) login tacacs

      The router authenticates users by interacting with a standard or extended TACACS (not TACACS+) server.

      To enable logins with AAA/TACACS+, enter the following command:

       (line) login authentication

      The router authenticates users by interacting with an external AAA server. Refer to Section 13-2 for more information on configuring AAA features.

    c. Privileged mode (enable mode):

       (global) enable secret enable-password

      To access privileged mode, you must enter the enable password. This password can be set to enable-password. The password is encrypted using a strong nonreversible encryption algorithm and is then stored in a special secure location in NVRAM. The password must have 1 to 25 alphanumeric characters. The first character cannot be a number, and embedded spaces are accepted.

      The enable password can also be set using the enable password command. Cisco recommends using the enable secret command instead, because the password has a stronger encryption and is not stored in the router configuration.

      The enable secret [ level level ] enable-password command can be used to set the password required for entering the privilege level specified. Levels range from 0 to 15, where 1 is the normal EXEC level and 15 is enable mode.

      NOTE

      An enable or enable secret password is not required for the router. If you don't have one configured, you are not prompted for the password when you issue the enable command from the console. If you do not have an enable or enable secret password, however, you can't access privileged EXEC mode from any Telnet or other line into the router.

      Access to specific IOS commands can be granted to privilege levels so that you can create user communities with varying capabilities. For example, you might want to allow a group of users to access the show cdp neighbors command without being in enable mode at level 15. Use the following command to allow a privilege level to run a command:

       (global) privilege mode [level level command | reset command]

      Here, mode is the basic mode of the user-level interface. There are many modes to choose from, but the most common ones are configure (global configuration mode) and exec (EXEC mode). The desired privilege level is given as level and the IOS command as command. The reset keyword can be used to reset the command's privilege level to the default.

    d. Encrypt passwords displayed in the router configuration:

       (global) service password-encryption

      By default, passwords on lines and usernames, as well as the enable password, are displayed as clear text (not encrypted) in the router configuration. This command can be used to cause the passwords to be displayed in a basic encrypted form. (The passwords themselves are not stored encrypted; rather, they are only displayed encrypted with commands such as show running-config. )
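As an added example (not from the book), the following Python script audits a constructed running-config for the access-control settings covered in this section and in Step 3j: enable secret versus enable password, service password-encryption, clear-text (type 0) username passwords, vty lines with no login method or with login but no password, disabled exec-timeout values, and lines set up as reverse-Telnet ports. Sample usernames, passwords, and the type 7 string are invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from any real device); it mixes
# sound and weak settings from this section on purpose.
SAMPLE_CONFIG = """\
hostname Router1
enable password cisco
username admin password 0 letmein
username ops password 7 094F471A1A0A
!
line con 0
 exec-timeout 0 0
 login
 password console1
line aux 0
 transport input telnet
 no login
 no exec
line vty 0 4
 login local
 exec-timeout 5 0
line vty 5 15
 login
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and 'line ...' sections.

    IOS indents the commands that belong to a line by one space, so a
    non-indented command ends the current section.
    """
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return one finding per weak setting: global ones first, then per line."""
    global_cmds, sections = parse_config(text)
    findings: List[str] = []

    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password ") for c in global_cmds)
    if has_enable_pw and not has_secret:
        findings.append("global: enable password used instead of enable secret")
    if not has_enable_pw and not has_secret:
        findings.append("global: no enable password; privileged EXEC unreachable from Telnet lines")
    if "service password-encryption" not in global_cmds:
        findings.append("global: service password-encryption missing; line and username passwords display in clear text")
    for c in global_cmds:
        # encrypt-type 0 (or no type at all) means the password is clear text
        m = re.match(r"username (\S+) password (?:(\d+) )?\S+$", c)
        if m and m.group(2) in (None, "0"):
            findings.append(f"global: username {m.group(1)} has a clear-text (type 0) password")

    for header, cmds in sections.items():
        logins = [c for c in cmds if c == "login" or c.startswith("login ")]
        if any(re.fullmatch(r"exec-timeout 0(?: 0)?", c) for c in cmds) or "no exec-timeout" in cmds:
            findings.append(f"{header}: idle EXEC timeout disabled")
        if header.startswith("line vty") and not logins:
            findings.append(f"{header}: no login method configured")
        if "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"{header}: login without a line password; incoming sessions are closed")
        if {"transport input telnet", "no login", "no exec"} <= set(cmds):
            findings.append(f"{header}: reverse-Telnet line reachable on TCP 2000 + line number; restrict with access-class")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```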

  6. (Optional) Configure system banners:

     (global) banner {motd | login | exec | incoming} delimiter
     (global) ... text ...
     (global) delimiter

    The message-of-the-day banner is defined with the motd keyword. It is displayed before the router login prompt. The login banner, defined with the login keyword, is displayed after the message of the day and just before the login prompt. The exec banner, defined with the exec keyword, is displayed just after a user logs into the router. The reverse-Telnet banner, defined with the incoming keyword, is displayed after the message-of-the-day banner when a user connects to the router using reverse Telnet.

    The banner text can be one or more lines. It is bounded by the delimiter character. Choose an uncommon character as the delimiter (such as ~ or %). The message-of-the-day banner is useful when important network news or an access policy or legal warnings must be presented to potential users. The remaining banners can relay specific information about the system, such as the name, location, or access parameters.

    The following built-in tokens can be used to include other configured information in a banner:

    • $(hostname) The host name of the router (from hostname )

    • $(domain) The domain name of the router (from ip domain-name )

    • $(line) The line number of the async or vty line

    • $(line-desc) The line description (from the description command on the async interface associated with the line)

  7. (Optional) Configure session menus.

    a. (Optional) Configure a title message:

       (global) menu name title delimiter
       (global) ... text ...
       (global) delimiter

      A title or banner can be defined and displayed prior to menu options. The title can be used to display a welcome message and instructions on making menu choices. All commands pertaining to a menu must be linked to the menu name. Title text can be one or more lines, bounded by the delimiter character. To clear the screen prior to the menu title, use the menu name clear-screen command.

    b. Configure a prompt:

       (global) menu name prompt delimiter
       (global) ... text ...
       (global) delimiter

      The menu prompt displays a text message after the menu items, as the user is being prompted for a response.

    c. Configure menu items.

      Next, you configure your menu items. You can have up to 18 menu items. To create them, repeat Steps d through f that follow for each item.

    d. Define an item title:

       (global) menu name text item text

      Each item in the menu named name has a key that the user must press to select the item. This is defined as item. It can be a character, number, or word. The item key is displayed to the left of the item text in the menu.

    5. Define an item command:

       (global) menu name command item command

      When a menu item is selected by the item key, the command string is executed. For example, the command could open a Telnet session to a remote system. A command can also be defined as a "hidden" command such that no item text is displayed for the user to see. To do this, configure the menu command but don't configure the companion menu text.

      Menus can also be nested so that a menu selection can invoke an entirely different menu of choices. To do this, use the keyword menu as the command string (such as menu name command item menu name2). Then define the new nested menu with its own menu text and menu command lines.

      NOTE

      You can also define a menu item that allows the user to return to a command prompt or a higher-level menu and end the current menu. Define a menu item with menu-exit as the command (that is, menu name command item menu-exit).

    6. Define a default menu item:

       (global) menu name default item

      If the user presses the Enter key without choosing an item, the item whose key is item is selected by default.

    7. Execute a menu.

      • Execute from the command line:

         (exec) menu name

        The menu called name is executed at the command-line prompt. In this case, remember to include a menu item that allows the menu to terminate (menu name command item menu-exit). Otherwise, you will be caught in an endless loop of menu choices.

      • Execute automatically on a line:

         (line) autocommand menu name

        The menu name is executed automatically as soon as a user accesses the line with a terminal session. In this case, it would be wise to keep the user in a menu loop so that he or she won't end up in an unknown or potentially dangerous state, such as the command-line prompt.

      • Execute automatically for a user:

         (global) username user autocommand menu name

        The menu name is executed automatically as soon as the user named user successfully logs into the router.
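A complete menu built with Steps 1 through 7 above, as an added example that is not from the book; the menu names OPS and MAINT, the addresses 10.1.1.10 and 10.1.1.11, and the vty line range are constructed values. It shows a hidden item, a nested menu, and the menu-exit item that keeps the menu from looping forever.

```cisco
! Added example, not from the book. Menu names, addresses and the vty
! range are constructed values.
!
menu OPS clear-screen
menu OPS title ~
   Operations console
   Press the key for an item, then Enter.
~
menu OPS prompt ~
Selection:
~
! Visible items: the key is shown on the left, the text on the right
menu OPS text 1 Connect to core router
menu OPS command 1 telnet 10.1.1.10
menu OPS text 2 Connect to edge router
menu OPS command 2 telnet 10.1.1.11
menu OPS text 3 Show interface status
menu OPS command 3 show ip interface brief
! Item 4 invokes the nested menu MAINT, defined below
menu OPS text 4 Maintenance tasks
menu OPS command 4 menu MAINT
! Item x has a command but no companion text, so it is hidden
menu OPS command x show users
! Item q ends the menu; without it a user running "menu OPS" from the
! command line would be stuck in the menu loop
menu OPS text q Exit
menu OPS command q menu-exit
! Pressing Enter alone selects item 1
menu OPS default 1
!
! Nested menu; here menu-exit returns to the higher-level menu OPS
menu MAINT title ~
   Maintenance
~
menu MAINT text 1 Show logging buffer
menu MAINT command 1 show logging
menu MAINT text b Back to main menu
menu MAINT command b menu-exit
!
! Run the menu automatically for every session on the vty lines, so the
! user never lands at the command-line prompt
line vty 0 4
 login local
 autocommand menu OPS
```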

  6. Web browser interface.

    1. Enable the Web interface:

       (global) ip http server

      The Web interface server is started, allowing users to monitor or configure the router through a Web browser.

      NOTE

      The router Web interface should not be used, especially for access from a public (Internet) network, due to a major vulnerability in the HTTP server service. This vulnerability is documented as Cisco Bug ID CSCdt93862. To disable the HTTP server, use the no ip http server command. In addition to this bug, the default authentication uses cleartext passwords. If you must use the Web interface, be sure to configure a stronger authentication method and limit access, as described in Steps 3 and 4, which follow.

    2. (Optional) Set the Web browser port number:

       (global) ip http port number

      HTTP traffic for the Web interface can be set to use TCP port number (default 80).

    3. (Optional) Limit access to the Web interface:

       (global) ip http access-class access-list

      A standard IP access list (specified by either number or name) can be used to limit the source IP addresses of hosts accessing the Web interface. This should be used to narrow the range of potential users accessing the router's Web interface.

    4. (Optional) Choose a method for user authentication:

       (global) ip http authentication {aaa | enable | local | tacacs}

      Users attempting to access the router's Web interface can be challenged and authenticated with several different mechanisms. By default, the enable method is used, in which the cleartext enable password must be entered. You should use one of the stronger authentication methods instead: aaa (AAA/TACACS+; see Section 13-2 for more information), local (authentication is performed locally on the router, using configured usernames and passwords), or tacacs (standard or extended TACACS authentication).

    5. View the router's home page.

      From a Web browser, use the URL http://router/, where router can be the router's IP address or host name. The default router home page is available to users with a privilege level of 15. Users limited to a privilege level below 15 see only the IOS commands available at their level.
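The two defensible configurations for the Web interface, as an added example that is not from the book: leave the HTTP server off, or, when it is required, restrict it with Steps 2 through 4 before enabling it. Access list 10, the 192.168.10.0/24 management subnet, the webadmin account and port 8080 are constructed values.

```cisco
! Added example, not from the book. ACL 10, the management subnet, the
! webadmin account and port 8080 are constructed values.
!
! Option A (preferred): do not run the HTTP server at all.
! Note the command is "ip http server", with a space.
no ip http server
!
! Option B: the Web interface is required, so restrict who can reach it
! and how they authenticate before turning it on.
!
! Standard ACL naming the only subnet allowed to reach the Web interface;
! the log keyword makes any other attempt visible in syslog.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any log
!
! Local account used instead of the cleartext enable password ("secret"
! stores a hash of the password in the configuration).
username webadmin privilege 15 secret <placeholder-password>
!
ip http server
! Changing the port only moves the service; the access list and the
! authentication method are what actually limit access.
ip http port 8080
ip http access-class 10
ip http authentication local
```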



Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185