Privilege Levels
Jul 06,2009 00:00 by alperen


Cisco devices numbered 0 through 15 have 16 privilege levels. By default, any user who can furnish the user-level password or user name/password combination can gain User exec mode access to the device, which is privilege level 1. From there, if the user knows the enable secret password, they can access the Privilege exec mode, or privilege level 15. The three predefined privilege levels on Cisco devices include the following:

  • 1 User exec mode only (prompt is router>), the default level for login

  • 15 Privileged exec mode (prompt is router#), the Enable mode

  • 0 Seldom used, but includes five commands: disable, enable, exit, help, and logout

To determine or confirm the current privilege level, type the show privilege command. It would look like this in Privilege mode:

Rtr1#show privilege
Current privilege level is 15
Rtr1#

Privilege levels 2 through 14 can be defined by the admin to provide limited features to some users by assigning specific commands to the level using the privilege command.

The syntax is

privilege mode {level level command | reset command}, where

mode

Indicates the configuration level being assigned. This includes all router configuration modes, including exec, configure, and interface.

level

Indicates the level being defined.

command

Indicates the command to be included. If you specify exec mode, then the command must be an exec mode command.

reset

Resets the privilege level of the command to the default privilege level.

A possible application of this feature might look like the following lines, which are creating a new Privilege mode for a part-time administrator.

Rtr1(config)#privilege exec level 7 ping
Rtr1(config)#privilege exec level 7 show startup-config
Rtr1(config)#privilege exec level 7 show ip route
Rtr1(config)#privilege exec level 7 show ip int brief
Rtr1(config)#enable secret level 7 tESt7

The following lines show how the new privilege level would be accessed and a confirmation of the new level:

Rtr1>enable 7
Password:
Rtr1#show privilege
Current privilege level is 7
Rtr1#

Any attempt to run a command other than those specifically defined for this privilege level returns the same error message as any attempt to run a command from the wrong mode. As you will see in Chapter 4, AAA authentication provides some additional options for this feature.

Note that the privilege feature only limits user access if the user only knows the enable secret password for the defined level. If the user knows any other level password, then they can go there as well.


p1c2 using