Understand the levels of privilege in the Cisco IOS

The Cisco IOS actually offers 16 different privilege levels. David Davis discusses these different levels and introduces you to the main commands you'll need to configure these privileges.

Did you know that the Cisco IOS offers 16 privilege levels for access to different commands? Many network administrators who work with the Cisco IOS never bother to think about the level of privilege they're using or what that level means.

When it comes to the different privilege levels in the Cisco IOS, the higher your privilege level, the more router access you have. But most users of Cisco routers are familiar with only two privilege levels:

  • User EXEC mode -- privilege level 1
  • Privileged EXEC mode -- privilege level 15

When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.

Because of these limitations, most Cisco router users immediately type enable to get out of user EXEC mode. By default, typing enable takes you to level 15, privileged EXEC mode. In the Cisco IOS, this level is equivalent to having root privileges in UNIX or administrator privileges in Windows. In other words, you have full access to the router.

For networks maintained by just a few people, everyone typically has the password to get to privileged mode. But at some point, those small and midsize companies will likely grow, and that's when privileges become more complicated.

Many times, it starts with a support group or a less senior administrator who needs only limited access to the router. Perhaps they need to connect to routers to view the running configuration or reset interfaces.

In such cases, the person would need some level of access between level 1 and level 15. Remember the principle of least privilege -- only give access to what's necessary and no more.

There are so many possible ways to configure IOS users and privileges that I can't possibly go into detail about each approach in a single article. Instead, let's focus on the basic commands you need to configure privileges.

  • Show privilege: This command displays the current privilege level. Here's an example:
router# show privilege
Current privilege level is 3
  • Enable: Administrators typically use this command to go to privileged EXEC mode. However, it can also take you to any other privilege level. Here's an example:
router# show privilege
Current privilege level is 3
router# enable 1
router> show privilege
Current privilege level is 1
router>
  • Username: While this command configures users, it can also tell the IOS which privilege level the user will have when logging in. Here's an example:
router(config)# username test privilege 3 password test
  • Privilege: This command configures certain commands to be available only at certain levels. The support-user configuration later in this article uses it.
  • Enable secret: By default, this command creates the password to get to privilege mode 15. However, you can also use it to create passwords to get into other privilege modes that you create. Here's an example:
router(config)# enable secret level 5 level5pass

Let's look at an example. Suppose you want to create a support user who can log in to the router and view the startup configuration (as well as anything else at level 1). The commands you would enter would look something like this:

router(config)# username support privilege 3 password support
router(config)# privilege exec level 3 show startup-config

Note that the enable secret command is not required unless you want to require users who log in at level 1 to use the password in order to move up to level 3. In our example, the new user (support) is already at level 3 and needs no additional enable secret password to get there.

In addition, note that this configuration assumes that you already have a router configured to use usernames and passwords on your lines. The example also assumes that you've defined the enable secret command for level 15, that you have a superuser who's already at level 15, and that you have saved a startup-config file under the superuser.
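The following Python script is an added example, not part of the original article: it reads the username, privilege exec and enable secret lines discussed above from a configuration and reports, for each user, the login level, the re-leveled commands available at login, and the higher levels that have an enable secret. The sample configuration, its accounts and the function names are constructed; the script assumes a username without a privilege keyword logs in at level 1 and that enable secret without a level applies to level 15.

```python
import re

# Constructed sample configuration (not from a real device); accounts and
# passwords are made up for this example.
SAMPLE_CONFIG = """\
enable secret topsecret
enable secret level 5 level5pass
username admin privilege 15 password adminpass
username support privilege 3 password support
username guest password guest
privilege exec level 3 show startup-config
privilege exec level 5 clear counters
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$", re.M)
ENABLE_RE = re.compile(r"^enable secret(?: level (\d+))? \S+", re.M)


def parse_config(text):
    """Return (users, moved_commands, enable_levels) from config text."""
    # Assumption: no 'privilege' keyword on a username means login at level 1.
    users = {m[1]: int(m[2] or 1) for m in USER_RE.finditer(text)}
    moved = [(int(m[1]), m[2].strip()) for m in PRIV_RE.finditer(text)]
    # Assumption: 'enable secret' without 'level N' protects level 15.
    enable = sorted({int(m[1] or 15) for m in ENABLE_RE.finditer(text)})
    return users, moved, enable


def effective_access(text):
    """Map each user to login level, re-leveled commands, enable targets."""
    users, moved, enable = parse_config(text)
    report = {}
    for name, level in users.items():
        report[name] = {
            "level": level,
            # Commands moved to a level at or below the login level.
            "at_login": sorted(c for lvl, c in moved if lvl <= level),
            # Higher levels reachable with a configured enable secret.
            "enable_targets": [e for e in enable if e > level],
        }
    return report


if __name__ == "__main__":
    for user, access in effective_access(SAMPLE_CONFIG).items():
        print(user, access)
```

Running it against an exported configuration gives a quick review list of who can run which re-leveled commands before a privilege change is committed.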

For more information on Cisco IOS privilege levels, check out Cisco's Configuring Passwords and Privileges documentation. To learn how Cisco has recently enhanced the privilege command, check out Cisco's Privilege Command Enhancement documentation.

Editor's Note: This article was originally published on TechRepublic April 14, 2005. For your convenience, I'm republishing it in the blog to be part of the Cisco Routers and Switches archive.
