Cisco Privilege Levels

One of the concepts that is mentioned in the IINS Blueprint in the “Security and Cisco Routers” section is securing the management plane. A key concept dealing with management plane security is the “privilege level”. Over the next few weeks, we will dig into this topic from three different perspectives. Today’s article deals with the concept and the default levels. In two upcoming articles, we will first discuss how to configure and log into different privilege levels. Finally, we will discuss how to move commands around so they are accessible from different levels of users.

So what are privilege levels and how do they relate to command access? Privilege levels are a way to give some granularity of control to administrators of Cisco IOS devices. For example, network administrators who have more experience or training may be trusted with more functions or areas of configuration in a router or switch. However, it may be necessary to give users with less experience access to a subset of functions in order to quickly respond to issues. A working example may be the case that a help desk employee could see the status of an interface but not modify the routing protocols.

The privilege level is a number that is assigned to the exec process for a user. The user will have access to all the commands that are assigned to a privilege level that is equal to or less than the privilege level for the user’s exec process. The range of possibilities for the privilege level is 0 to 15. Therefore if the user is at privilege level 15, he or she has access to all commands. If the user is at privilege level 1, access will be granted only to level 1 and level 0 commands.

Cisco IOS devices have three privilege levels by default. Two of these privilege levels are commonly used and will be immediately familiar to most network administrators. The two common levels are level 1 and level 15. Level 1 is the non-privileged level that a typical user gets when logging into a router. The prompt looks like “hostname>”. Level 15 is the typical “enable” or “privileged exec” mode. The prompt for level 15 typically looks like “hostname#”.

The third default level is privilege level 0. According to Cisco, this level is rarely used but contains the enable, disable, help and logout commands. Since these are at the lowest possible level, all users have access to them.

That leaves levels 2 through 14 as custom levels. A network administrator can move commands and users around to varying levels to achieve the desired results. There are various methods to get users to a particular level and quite a bit of discussion that can be had around moving commands around. We’ll cover these in some detail over the next couple of weeks.

One more question that we should answer is how to determine at what privilege level we are logged into the router. To determine the privilege level the currently logged in user has, he or she can enter the “show privilege” command.

R1#show priv
Current privilege level is 7

In the above example, we can see that the user is logged in at the non-default privilege level 7. Access will be granted to all commands that are at level 7 or below.
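To make the help desk scenario from earlier concrete, here is an added example (not configuration from the article) of how a level-7 user might end up with the “Current privilege level is 7” output shown above. It is written as IOS configuration and assumes a router named R1, a help desk account named “helpdesk”, and that “clear counters” is the one level-15 command the help desk needs; the secrets are placeholders. Configuring and moving commands is covered in more depth in the follow-up articles.

```cisco
! --- Constructed example configuration, not from the article ---
! A separate enable secret for level 7, so "enable 7" has its own password
enable secret level 7 LEVEL7-SECRET-PLACEHOLDER
! Move "clear counters" (level 15 by default) down to level 7.
! Everything at level 1 and level 0 is already visible to level 7 users.
privilege exec level 7 clear counters
! A local help desk account that lands directly in level 7 at login
username helpdesk privilege 7 secret HELPDESK-PASSWORD-PLACEHOLDER
line vty 0 4
 login local
 transport input ssh

! --- Constructed session: a level 1 user stepping up to level 7 ---
! (lines starting with "!" are comments, not part of the session)
R1>enable 7
Password:
R1#show privilege
Current privilege level is 7
R1#clear counters
R1#configure terminal
         ^
% Invalid input detected at '^' marker.
```

Two things are worth noticing. The prompt changes from “R1>” to “R1#” at level 7, so the prompt alone does not tell you whether you are at level 15; “show privilege” does. And “configure terminal” is rejected rather than denied: a command above the user’s level is simply not parsed, which is exactly the behaviour that keeps the help desk away from the routing configuration while still letting them clear interface counters.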

This article is an introduction to the concept of privilege levels. In next week’s article, we will demonstrate how to configure and access the command line interface at varying command levels. Then we’ll look at some of the nuances surrounding the concept of moving commands into different privilege levels.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
