10-11-2012 09:16 AM - edited 03-07-2019 09:24 AM
Hi,
Is there any document that describes which commands are allowed in each privilege level in Cisco routers and switches?
10-11-2012 09:20 AM
Hi omer,
Follow these two links.
http://www.techrepublic.com/article/understand-the-levels-of-privilege-in-the-cisco-ios/5659259
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli.html
Regards
Please rate if it helps.
10-11-2012 10:08 AM
Sorry,
But this isn't helping.
I need to know what the difference between the privilege levels is, not what the privilege levels are.
Thanks anyway
10-11-2012 10:35 AM
Hi,
level1: user exec level, you can do some show commands and ping and a few other limited commands but can't do show run nor configure anything
level15: privileged level= like root in Unix so you can do anything
In between it's you who decide which commands you want to tie to this privilege, basically level 15 commands that will also be available in this level but you can also move up commands
It's easier and more powerful to use role-based CLI instead if you've got the right IOS version:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Regards.
Alain
Don't forget to rate helpful posts.
10-12-2012 02:52 AM
Hi Omer,
There are 16 levels, 0-15. By default, privilege level 15 users can issue all commands, while a privilege level 1 user can issue most show commands, and many other commands (not including configure terminal). Context help can be used to see many of the commands available in a specific privilege level.
What everyone calls "user mode" is privilege level 1. What everyone calls "privileged mode" is privilege level 15. By default, a user can issue any commands that have been assigned to the level they are currently in, or lower.
Alain is right on the money. Traditionally, we would carve out and use custom levels 2-14 if needed. If not using TACACS+ to control what commands are available, one of the best options is the Parser View. When in a specific View, we can control what commands the user is able to issue, even if they are at level 15.
NDC-R1>show privilege
Current privilege level is 1
NDC-R1>?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
credential load the credential info from file system
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
dot11 IEEE 802.11 commands
emm Run a configured Menu System
enable Turn on privileged commands
ethernet Ethernet parameters
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a multicast
router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
radius radius exec commands
release Release a resource
renew Renew a resource
resume Resume an active network connection
rlogin Open an rlogin connection
set Set system parameter (not config)
show Show running system information
slip Start Serial-line IP (SLIP)
ssh Open a secure shell client connection
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
trm Trend Registration Module
tunnel Open a tunnel connection
udptn Open an udptn connection
webvpn WebVPN exec command
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD
NDC-R1>enable
NDC-R1#show privilege
Current privilege level is 15
NDC-R1#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
access-template Create a temporary Access-List entry
archive manage archive files
audio-prompt load ivr prompt
auto Exec level Automation
beep Blocks Extensible Exchange Protocol commands
bfe For manual emergency modes setting
calendar Manage the hardware calendar
call Voice call
ccm-manager Call Manager Application exec commands
cd Change current directory
clear Reset functions
clock Manage the system clock
cns CNS agents
configure Enter configuration mode
connect Open a terminal connection
copy Copy from one file to another
credential load the credential info from file system
crypto Encryption related commands.
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
disconnect Disconnect an existing network connection
dot11 IEEE 802.11 commands
dot1x IEEE 802.1X Exec Commands
emadmin Extension Mobility Commands
emm Run a configured Menu System
enable Turn on privileged commands
eou EAPoUDP
ephone-hunt ephone hunt exec command
erase Erase a filesystem
ethernet Ethernet parameters
event Event related commands
exit Exit from the EXEC
file-acct File mode accounting exec command
flush File mode accounting flush options
format Format a filesystem
help Description of the interactive help system
if-mgr IF-MGR operations
isdn Run an ISDN EXEC command on an ISDN interface
license License information
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
microcode microcode commands
modemui Start a modem-like user interface
monitor Monitoring different system events
more Display the contents of a file
mpls MPLS commands
mrinfo Request neighbor and version information from a multicast
router
mrm IP Multicast Routing Monitor Test
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
no Disable debugging functions
pad Open a X.29 PAD connection
partition Partition disk
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
pwd Display current working directory
radius radius exec commands
redundancy Redundancy Facility (RF) exec commands
release Release a resource
reload Halt and perform a cold restart
rename Rename a file
renew Renew a resource
restart Restart Connection
resume Resume an active network connection
rlogin Open an rlogin connection
rsh Execute a remote command
send Send a message to other tty lines
set Set system parameter (not config)
setup Run the SETUP command facility
show Show running system information
slip Start Serial-line IP (SLIP)
spec-file format spec file commands
squeeze Squeeze a filesystem
ssh Open a secure shell client connection
start-chat Start a chat-script on a line
systat Display information about terminal lines
tarp TARP (Target ID Resolution Protocol) commands
tclquit Quit Tool Command Language shell
tclsafe Tool Command Language shell SAFE mode
tclsh Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
test Test subsystems, memory, and interfaces
traceroute Trace route to destination
trm Trend Registration Module
tunnel Open a tunnel connection
udptn Open an udptn connection
undebug Disable debugging functions (see also 'debug')
upgrade Upgrade commands
verify Verify a file
vlan Configure VLAN parameters
voice Voice Commands
vtp Configure global VTP state
webvpn WebVPN exec command
where List active connections
which-route Do OSI route table lookup and display results
write Write running configuration to memory, network, or terminal
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD
xconnect Xconnect EXEC commands
NDC-R1#enable 0
NDC-R1>?
Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC
NDC-R1>
NDC-R1>show privilege
^
% Invalid input detected at '^' marker.
NDC-R1>
Privilege 0 doesn't even have the ability to issue the show command.
Best wishes,
Please rate if it helps.
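The "current level or lower" rule from the reply above, as an added example that is not part of the original thread: a Python script that reads running-config text and lists, for each local user, the commands that have been reassigned to a level that user's privilege level reaches. The config lines are constructed sample data, and `parse`, `custom_commands_for` and `report` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in running-config syntax (not output from the thread's router).
# Levels mirror the 10-16-2012 reply: show run at 6, configure terminal at 8.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 PLACEHOLDER_HASH
username test privilege 7 secret 5 PLACEHOLDER_HASH
username guest secret 5 PLACEHOLDER_HASH
privilege exec level 6 show running-config
privilege exec level 8 configure terminal
privilege configure level 8 interface
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+)$")
USER_RE = re.compile(r"^username\s+(\S+)(?:.*?\sprivilege\s+(\d+))?")


def parse(config):
    """Return ({level: {(mode, command)}}, {username: level})."""
    moved, users = defaultdict(set), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m and 0 <= int(m.group(2)) <= 15:
            moved[int(m.group(2))].add((m.group(1), m.group(3)))
            continue
        m = USER_RE.match(line)
        if m:
            # A username with no "privilege" keyword logs in at level 1.
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return moved, users


def custom_commands_for(level, moved):
    """Commands reassigned to `level` or lower: the 'current level or lower' rule."""
    return sorted((lvl, mode, cmd)
                  for lvl, cmds in moved.items() if lvl <= level
                  for mode, cmd in cmds)


def report(config):
    """Map each local user to the reassigned commands their level reaches."""
    moved, users = parse(config)
    return {user: custom_commands_for(lvl, moved) for user, lvl in users.items()}


if __name__ == "__main__":
    for user, cmds in report(SAMPLE_CONFIG).items():
        print(user, cmds or "built-in commands for the level only")
```

An empty list for a user means no reassigned commands are reachable, so that user has only the commands built into their level.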
10-14-2012 12:39 AM
Thanks,
What about other priv like 6/7?
10-16-2012 12:41 AM
Hi Omer,
From privilege 6 you can: Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.
If you want to see which commands you can use in privilege 7, then do this:
First configure a switch or router (username test privilege 7 password test).
Log in with the test username and then type ?.
You will see very few commands which you can use.
Regards
Please rate if it helps.
10-16-2012 10:51 AM
So what is the difference between priv 8 to 15?
(Is there any document which describes the differences between each priv level?)
02-25-2020 11:18 AM
I have two custom html pages that are stored on my 2911 router. Is there any way that a user could open their web browser, put in the <IP address>/custom1.html, press return, and get to those pages WITHOUT having to enter a username and password?