Configuring Privilege levels in Cisco IOS

Document
Thu, 10/17/2013 - 20:28
It is possible to change the privilege level of show run and assign it to something other than
level 15. You can change the privilege level, but you are likely to be surprised at the result
when you do. A person executing show run can only see things that they have the ability to
change. So someone executing the command at privilege level 8 would not have the ability to
change anything and would see essentially an empty configuration.
Refer to the document IOS Privilege Levels Cannot See Complete Running Configuration [1] for
more information.
The default configuration for Cisco IOS based networking devices uses privilege level 1 for user EXEC
mode and privilege level 15 for privileged EXEC. The commands that can be run in user EXEC mode at
privilege level 1 are a subset of the commands that can be run in privileged EXEC mode at privilege
15.
In Cisco IOS, the higher your privilege level, the more router access you have. When you log in to a
Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you
have access to some information about the router, such as the status of interfaces, and you can view
routes in the routing table. However, you can't make any changes or view the running configuration file.

Assigning the show running-config command to a particular privilege level is not sufficient on
its own: for a user to be able to see a particular section of the configuration file, the commands
that make up that section must also be assigned to that privilege level.
So, for example, consider the following set of privileges:

privilege interface level 5 shutdown
privilege interface level 5 ip address
privilege interface level 5 ip
privilege interface level 5 bandwidth
privilege configure level 5 interface
privilege exec level 5 show running-config
privilege exec level 5 show

The command show running-config will now display:

Current configuration : 425 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
!
interface FastEthernet0/1
no ip address
shutdown
!
interface Serial1/0
bandwidth 512
ip address 10.0.0.1 255.255.255.0
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
!
end
As you can see, the command output contains only the specific commands from the configuration that
have been explicitly allowed using the privilege commands. Using the 'all' keyword in the privilege
specification may help simplify the explicit list of sections that should be visible in the output; for
example, privilege configure all level 5 interface allows all interfaces and their internal
configuration to be seen. There is no easy way to make the entire running-config visible at
privilege levels below 15.
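To make the rule above concrete, here is a small Python model of the filtering just described: an added illustration, not code from the page or from Cisco. PAGE_RULES reuses the page's interface and configure statements, while the sample running-config, the prefix-matching logic and the handling of 'no' forms are assumptions.

```python
# Simplified model of the filtering the page describes: a config line is shown
# only if its command was assigned to a level <= the session's, or its whole mode
# was delegated with 'all'. Illustration, not IOS code; rules/config are assumed.
import re
PRIV_RE = re.compile(r"^privilege (\S+)( all)? level (\d+) (.+)$")
PAGE_RULES = """privilege interface level 5 shutdown
privilege interface level 5 ip address
privilege interface level 5 bandwidth
privilege configure level 5 interface""".splitlines()  # statements from the page
ALL_RULES = PAGE_RULES + ["privilege configure all level 5 interface"]  # 'all' variant
# Constructed running-config; a leading space marks sub-mode lines, as in IOS.
CONFIG = """interface Serial1/0
 description WAN link
 bandwidth 512
 ip address 10.0.0.1 255.255.255.0
!
interface Serial1/1
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
end""".splitlines()
def parse_privileges(lines):
    """Map (mode, command) -> (level, whole-mode flag) from 'privilege' lines."""
    found = (PRIV_RE.match(ln.strip()) for ln in lines)
    return {(m[1], m[4]): (int(m[3]), m[2] is not None) for m in found if m}

def allowed(rules, mode, words, level):
    """True if an assigned command (ignoring a leading 'no') prefixes the line."""
    words = words[1:] if words[:1] == ["no"] else words
    return any(rules.get((mode, " ".join(words[:n])), (16, 0))[0] <= level
               for n in range(1, len(words) + 1))

def visible_config(priv_lines, config, level):
    """Return the lines of `config` a session at `level` would see."""
    if level >= 15:                    # level 15 always sees everything
        return list(config)
    rules, out, mode, sub_ok, whole = parse_privileges(priv_lines), [], "", False, False
    for line in config:
        words = line.split()
        if line.startswith(" "):       # sub-mode line under the last top-level command
            if sub_ok and (whole or allowed(rules, mode, words, level)):
                out.append(line)
        elif line in ("!", "end"):     # separators and 'end' are always printed
            out.append(line)
            sub_ok = False
        elif (sub_ok := allowed(rules, "configure", words, level)):
            out.append(line)
            mode = words[0]            # 'interface', 'router', ... names the sub-mode
            lvl, whole = rules.get(("configure", mode), (16, False))
            whole = whole and lvl <= level
    return out
```

Comparing visible_config(PAGE_RULES, CONFIG, 5) with visible_config(ALL_RULES, CONFIG, 5) shows the 'description' line appearing only once the whole interface mode is delegated with 'all', while the router ospf section stays hidden in both cases.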

The privilege command can also be used to assign a privilege level to a username so that when a user
logs in with the username, the session runs at the privilege level specified by the privilege
command. For example, if you want your technical support staff to view the configuration on a
networking device to help them troubleshoot network problems without being able to modify the
configuration, you can create a username, configure it with privilege level 15, and configure it to run
the show running-config command automatically. When a user logs in with the username, the running
configuration will be displayed automatically.

https://supportforums.cisco.com/document/56496/configuring-privilege-levels-cisco-ios