Configuring Access Levels
You can configure access levels on the routers so that junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:
Code:
Central(config)#username junioradmin privilege 3 password 0 s3cUr!tY
.
.
.
Central(config)#privilege exec level 3 ping
Central(config)#privilege exec level 3 traceroute
Central(config)#privilege exec level 3 show ip route
Central(config)#line vty 0 4
Central(config-line)#password CisC0r0cK5
Central(config-line)#login local
The configuration above assigns specific commands to a privilege level and applies local authentication to the VTY lines. Notice that, in addition to the login local command, a password is configured on the VTY lines. However, users will need to use the local router database to log in to the VTY lines, because the login local command takes precedence over the password command.
Looking at the config, whenever junioradmin logs in to the router, he or she is allowed only three commands: ping, traceroute, and show ip route. Using the privilege command, you can provide another layer of security to your network backbone.
Also you can find more info in this chapter:
http://searchsecurity.techtarget.com...PSecur_Ch3.pdf
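An added example, not part of the original post or any Cisco tool: a small Python audit of a saved configuration that lists the commands assigned to each user's privilege level and flags a VTY password that login local overrides, any type 0 (unencrypted) user password, and any level outside 0 to 15. The function name audit, the indented sample layout and the finding strings are assumptions made for this example.

```python
import re

# Constructed sample: the page's commands without prompts, laid out as they
# would appear in a saved configuration (sub-commands indented under "line").
SAMPLE_CONFIG = """\
username junioradmin privilege 3 password 0 s3cUr!tY
privilege exec level 3 ping
privilege exec level 3 traceroute
privilege exec level 3 show ip route
line vty 0 4
 password CisC0r0cK5
 login local
"""

USER_RE = re.compile(r"username (\S+) privilege (\d+) (password|secret) (\d+) \S+$")
PRIV_RE = re.compile(r"privilege exec level (\d+) (.+)$")

def audit(config):
    """Return (users, commands_by_level, findings) for the given config text."""
    users, by_level, line_blocks, findings = {}, {}, {}, []
    current = None  # name of the "line ..." block being read, if any
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith(" ") and current:      # sub-command of a line block
            line_blocks[current].append(text)
            continue
        current = text if text.startswith("line ") else None
        if current:
            line_blocks[current] = []
        elif m := USER_RE.match(text):
            name, level, kind, ptype = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            users[name] = level
            if kind == "password" and ptype == "0":
                findings.append(f"{name}: type 0 (unencrypted) password in config")
        elif m := PRIV_RE.match(text):
            by_level.setdefault(int(m.group(1)), []).append(m.group(2))
    for level in sorted(set(users.values()) | set(by_level)):
        if not 0 <= level <= 15:                 # the page's range is 0 to 15
            findings.append(f"privilege level {level} is outside 0-15")
    for name, subs in line_blocks.items():
        if "login local" in subs and any(s.startswith("password ") for s in subs):
            findings.append(f"{name}: line password is unused because login local takes precedence")
    return users, by_level, findings

if __name__ == "__main__":
    users, by_level, findings = audit(SAMPLE_CONFIG)
    for name, level in users.items():
        print(name, "level", level, "->", by_level.get(level, []))
    print(*findings, sep="\n")
```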