Cisco IOS devices have 16 privilege levels, numbered 0 through 15. By default, any user who can supply the user-level password or user name/password combination gains User exec mode access to the device, which is privilege level 1. From there, a user who knows the enable secret password can enter Privileged exec mode, which is privilege level 15. The three predefined privilege levels on Cisco devices are the following:
- 1 User exec mode only (prompt is router>), the default level for login
- 15 Privileged exec mode (prompt is router#), the Enable mode
- 0 Seldom used, but includes five commands: disable, enable, exit, help, and logout
To determine or confirm the current privilege level, type the show privilege command. In Privileged exec mode it looks like this:
Rtr1#show privilege
Current privilege level is 15
Rtr1#
Privilege levels 2 through 14 can be defined by the admin to give some users a limited set of features, by assigning specific commands to a level with the privilege command.
The syntax is privilege mode {level level command | reset command}, where
- mode Indicates the configuration mode in which the command is being assigned. This includes all router configuration modes, including exec, configure, and interface.
- level Indicates the privilege level being defined (2 through 14 for custom levels).
- command Indicates the command to be assigned to that level. If you specify exec mode, the command must be an exec mode command.
- reset Resets the privilege level of the command to its default privilege level.
A possible application of this feature might look like the following lines, which create a new privilege level (level 7) for a part-time administrator and protect it with its own enable secret:
Rtr1(config)#privilege exec level 7 ping
Rtr1(config)#privilege exec level 7 show startup-config
Rtr1(config)#privilege exec level 7 show ip route
Rtr1(config)#privilege exec level 7 show ip int brief
Rtr1(config)#enable secret level 7 tESt7
The following lines show how the new privilege level would be accessed and a confirmation of the new level:
Rtr1>enable 7
Password:
Rtr1#show privilege
Current privilege level is 7
Rtr1#
A user at level 7 can run everything available at level 1 plus the commands assigned to level 7. Any attempt to run a command that has not been assigned to this privilege level returns the same error message as an attempt to run a command from the wrong mode. As you will see in Chapter 4, AAA authentication provides some additional options for this feature.
Note that the privilege feature only limits a user who knows only the enable secret password for the defined level. A user who knows the password for any other level, including the level 15 enable secret, can enter that level with enable level as well, so each level's password must be guarded as carefully as the level 15 secret.
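As an added example (not part of the original text, and not a Cisco tool), the following Python script reads the privilege assignments out of a saved IOS configuration and reports the things worth checking before handing the level 7 password to the part-time administrator: custom levels that have commands assigned but no enable secret, levels that have a secret but no commands (which leaves them equivalent to level 1), commands that expose the stored configuration, and the command prefixes that IOS also places at the same level when a multi-word command is assigned (assigning show ip route to level 7 also makes show and show ip available at level 7). The configuration text is constructed for the example, the hash strings are placeholders rather than real IOS hashes, and all function names are this example's own.

```python
"""Audit 'privilege' and 'enable secret level' lines from a saved IOS config.

Added example, not from the original text. It parses the privilege-level
assignments in an IOS configuration and reports what an administrator should
review before issuing a custom-level password.
"""
import re
from collections import defaultdict

# Constructed sample configuration. The hash strings are placeholders; a real
# 'show running-config' prints "enable secret 5 <hash>" and never the plaintext.
SAMPLE_CONFIG = """\
!
enable secret 5 $1$PLACEHOLDER$level15hash
enable secret level 7 5 $1$PLACEHOLDER$level7hash
enable secret level 9 5 $1$PLACEHOLDER$level9hash
!
privilege exec level 7 ping
privilege exec level 7 show startup-config
privilege exec level 7 show ip route
privilege exec level 7 show ip interface brief
privilege exec level 5 show version
privilege configure level 12 interface
!
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
ENABLE_RE = re.compile(r"^enable\s+(?:secret|password)(?:\s+level\s+(\d+))?\b")

# Commands whose output contains the stored configuration, including password
# hashes; granting them below level 15 deserves a second look.
CONFIG_REVEALING = {"show startup-config", "show running-config"}


def parse_privileges(config):
    """Return {level: {(mode, command), ...}} for every 'privilege ... level' line."""
    levels = defaultdict(set)
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, command = m.group(1), int(m.group(2)), m.group(3)
            levels[level].add((mode, command))
    return dict(levels)


def parse_enable_levels(config):
    """Return the set of levels that have an enable secret or password.

    An 'enable secret' line without the level keyword protects level 15.
    """
    found = set()
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            found.add(int(m.group(1)) if m.group(1) else 15)
    return found


def implied_prefixes(command):
    """Prefixes IOS also places at the same level: 'show ip route' -> ['show', 'show ip']."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words))]


def audit(config):
    """Return a list of human-readable findings about custom levels 2 through 14."""
    privs = parse_privileges(config)
    secrets = parse_enable_levels(config)
    findings = []
    for level in sorted(set(privs) | secrets):
        if level in (0, 1, 15):
            continue  # predefined levels are not custom levels
        cmds = privs.get(level, set())
        if cmds and level not in secrets:
            findings.append(f"level {level}: commands assigned but no 'enable secret level {level}'")
        if level in secrets and not cmds:
            findings.append(f"level {level}: enable secret set but no commands assigned (same as level 1)")
        for mode, cmd in sorted(cmds):
            if cmd in CONFIG_REVEALING:
                findings.append(f"level {level}: '{cmd}' exposes the stored configuration; confirm this is intended")
            for prefix in implied_prefixes(cmd):
                findings.append(f"level {level}: '{cmd}' ({mode}) also makes '{prefix}' available at level {level}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real saved configuration by replacing SAMPLE_CONFIG with the output of show startup-config; the script only reads the privilege and enable lines, so the rest of the file is ignored.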