Privilege Exec vs. Privilege Configure vs. Privilege "Interface"

GillverK
Level 1

Hello all,

 

Just trying to understand the differences between various Privilege level associated commands.

In the screenshot below I just wanted to understand what exactly "Exec" vs. "Configure" vs. "Interface" are doing per each line.

Privilege_Commands_Question.JPG

 

- I'm thinking the line "privilege exec level 9 configure terminal" moves "config t" from the level 15 privilege level to level 9? Is that accurate?

- I'm lost regarding what "privilege configure level 9 interface" is doing. Is that also assigning the interface command to privilege level 9? If it is, why not just copy and paste what was done above and do "privilege exec level 9 interface"?

- And I'm assuming that each of the lines that begin with "privilege interface level 9 [sub-command]" are assigning the sub commands to privilege level 9 as well although they could also be set to level 8 or lower so something like "privilege interface level 9 ip address" could have been legitimate?

 

I'm kind of confused so any help would be appreciated.

 

Thank you guys in advance.

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello GillverK,

Privilege levels allow for some customization.


  >> I'm thinking the line "privilege exec level 9 configure terminal" moves "config t" from the level 15 privilege level to level 9? Is that accurate?

Yes, in other words it allows a user with privilege level 9 to access device configuration. The following commands specify in more detail what a user with privilege level 9 can do.

 

>> I'm lost regarding what "privilege configure level 9 interface" is doing. Is that also assigning the interface command to privilege level 9? If it is, why not just copy and paste what was done above and do "privilege exec level 9 interface"?

 

This command allows a user with privilege to access interface-level configuration by simply typing interface gi0/0 and pressing Enter. [ R1(config-if)# context ]

All the following commands specify a subset of allowed commands in interface mode that are available at privilege level 9.

Just looking at the list we can say that:

The user at level 9 can shut down the interface or enable it again with no shut. The user can assign an IPv4 address (overriding the current IP address). The user can assign an IPv6 address (that is added to existing ones, if any).

The user can remove an IPv6 address or the IPv4 address.

To give two examples, the user cannot apply an IP ACL in the input or output direction and cannot apply a QoS service policy. The user with privilege level 9 cannot execute a lot of other commands.

 

The user cannot access other configuration sections like, for example, router bgp.

The user cannot execute any configuration command at global level, just exit.


Hope to help

Giuseppe

2 Replies

My power and internet at home went out. Ugh.

Cool. I would also take it a step further. I found out that for certain commands "privilege exec level [level_number] [command]" doesn't seem to work (like if I included "interface" as the command) so some commands have to use "privilege configure level [level_number] interface".

 

It was a whoozy, but now I'm on to something even more challenging -- EIGRP unbalanced load balancing haha. I will study for a few days and ask if I have questions.

 

Thanks a lot.
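
Added example (not from any poster in this thread): a small Python audit of "privilege <mode> level <n> <command>" lines that models the chain discussed in the accepted solution and in the last reply, where a level must be granted "configure" in exec mode and "interface" in configure mode before any interface-mode grant is usable. The sample configuration is constructed, the MODE_ENTRY map is an assumption of this model, and commands left at their default levels are not modelled.

```python
import re
from collections import defaultdict

# Constructed sample: level-9 lines mirror the thread; the level-5 line is an unreachable grant.
SAMPLE_CONFIG = """\
privilege exec level 9 configure terminal
privilege configure level 9 interface
privilege interface level 9 shutdown
privilege interface level 9 ip address
privilege interface level 9 ipv6 address
privilege interface level 5 description
"""

# Assumption of this model: (parent mode, keyword) that enters each sub-mode.
MODE_ENTRY = {"configure": ("exec", "configure"), "interface": ("configure", "interface")}
LINE_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+)$")

def parse_privileges(config):
    """Return {mode: {command: level}} for every 'privilege ... level' line."""
    table = defaultdict(dict)
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)][m.group(3).strip()] = int(m.group(2))
    return table

def can_enter(table, level, mode):
    """True if a user at `level` can reach `mode` via reassigned commands."""
    if mode == "exec" or level == 15:   # level 15 holds every command by default
        return True
    if mode not in MODE_ENTRY:          # mode not covered by this model
        return False
    parent, keyword = MODE_ENTRY[mode]
    granted = any(cmd.split()[0] == keyword and lvl <= level
                  for cmd, lvl in table.get(parent, {}).items())
    return granted and can_enter(table, level, parent)

def usable_commands(table, level, mode):
    """Reassigned commands in `mode` that a user at `level` can actually run."""
    if not can_enter(table, level, mode):
        return []
    return sorted(c for c, lvl in table.get(mode, {}).items() if lvl <= level)

def unreachable_grants(table):
    """Grants whose own level cannot enter the mode they were made in."""
    return [(mode, lvl, cmd) for mode, cmds in table.items()
            for cmd, lvl in cmds.items() if not can_enter(table, lvl, mode)]

if __name__ == "__main__":
    print(unreachable_grants(parse_privileges(SAMPLE_CONFIG)))
```

Run against the privilege lines of a saved running-config, unreachable_grants lists delegations that have no effect at their own level, which is a quick way to spot a missing "privilege configure level [level_number] interface" line.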
