Quick and Simple Ways to Manage Cisco Router Privilege Level
The Cisco router privilege level is the mechanism a network administrator uses to define which commands a given user can run; the privilege level determines the set of commands available to that user. By default, three privilege levels are configured on a Cisco router: level 0, level 1, and level 15. User EXEC mode is level 1, while privileged EXEC mode is level 15. Sixteen levels (0 through 15) are available in total, and each level has its own set of commands that will run at it. Enter the command “show privilege” to display the privilege level of the current mode, then type “?” to list all the commands available at that level in that mode. Normally we jump straight from level 1 to level 15 and skip the intermediate levels 2 through 14.
If we want to go to privilege level 0, enter the command “enable 0” at privilege level 15 and the router drops into privilege level 0. In privilege level 0 you can run only five commands (disable, enable, exit, help, logout). To go to privilege level 15, enter “Router>enable 15” and you will jump to level 15:
Lab topology for Cisco router Privilege Levels
You can view the privilege level through “show privilege”:
Level 0 runs only five commands: enable, disable, exit, help, logout.
Level 1 runs almost all show commands. Normally we use this level for troubleshooting and monitoring purposes.
Level 15 runs all privileged EXEC commands as well as global configuration commands.
Suppose we are at level 0 or level 1 and try to move to level 2 with the command “Router>enable 2”. The router responds with the error “Error in authentication”, because we have not configured level 2. Once level 2 is configured, no error is generated and the router goes directly to level 2.
We must assign users to a specific privilege level, and users should log in with their username and password. For this we configure local authentication on console line 0, so that each user works at their own privilege level.
If we create a user without specifying a privilege level, that user will get privilege level 15. But if we bind the user to a privilege level, either at creation time or afterwards, the user will get that specific privilege level.
Suppose we create two users, user1 and user2. We do not specify any privilege level for user1, while we assign privilege level 2 to user2. user1 will get privilege level 15, while user2 will get only privilege level 2.
Check the privilege level 2 commands that user2 can run:
Now, how do we specify the commands user2 can run at privilege level 2? user2 cannot assign commands to privilege level 2; only an administrator at privilege level 15 can do that. So log in as an administrator to complete this task.
Now verify whether user2 at privilege level 2 can enter global configuration mode, and check which commands are available there.
Only the do, end, and exit commands are available in global configuration mode. Add some other commands to privilege level 2 in global configuration mode:
Router(config)#privilege configure level 2 interface fastethernet 0/0
Now check it on the router by running the command “interface fastethernet 0/0”. Then try to configure the IP address of the interface to see whether the “ip address” command is valid or invalid at privilege level 2.
Since we did not grant the ip address command, the router rejects it as invalid. Grant it, along with no shutdown, at the interface configuration level:
Router(config)#privilege interface level 2 ip address
Router(config)#privilege interface level 2 no shutdown
Check the commands in the router for verification purposes:
The ‘ip address’ and ‘no shutdown’ commands now run successfully.
One point must be noted: so far, no password has been set for any privilege level in this article. A normal user such as user2 can switch between Cisco router privilege levels freely. When user2 logs in to the router with privilege level 2, they can move to privilege level 15 without any password. Likewise, a user at privilege level 2 can move to any other level without being asked for a password. Leaving the router configured this way is a serious security weakness. You can see user2’s activity in the screenshot below:
That is why we must set a password for each privilege level; it improves the security of the router.
Check its output in the router:
This time the router prompts for a password. Note that moving from a lower level to a higher level prompts for a password, but moving from a higher level to a lower level does not. A higher level normally carries additional rights on top of those included in the lower level. As you can see in the screenshot above, privilege level 15 can drop to level 2 without a password, and level 2 can drop to level 1 without a password. But moving from privilege level 1 to level 2 asks for a password, and moving from privilege level 2 to privilege level 15 also asks for a password.
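The full configuration that the steps above describe, collected into one added example (this is not configuration from the original article): it creates the two local users, enables local login on console line 0, grants level 2 the commands the article adds, and then closes the gap the article points out by setting an enable secret for each level a user can move up to. All passwords are constructed placeholders. The “privilege exec level 2 configure terminal” line is an assumption added so that a level-2 user can reach global configuration mode at all; the interface name follows the article.

```cisco
! Added example, not from the original article.
! Values ending in CHANGEME are constructed placeholders; replace them before use.
!
! --- Step 1: local users bound to privilege levels ---
! user1 has no explicit level; user2 is bound to level 2 at creation time.
username user1 secret User1-Pass-CHANGEME
username user2 privilege 2 secret User2-Pass-CHANGEME
!
! --- Step 2: local authentication on the console line ---
line console 0
 login local
!
! --- Step 3: commands granted to level 2 (entered by a level-15 administrator) ---
! Assumed: configure terminal must be granted so that a level-2 user can enter
! global configuration mode; the remaining three lines are the article's grants.
privilege exec level 2 configure terminal
privilege configure level 2 interface fastethernet 0/0
privilege interface level 2 ip address
privilege interface level 2 no shutdown
!
! --- Step 4: a secret for every privilege level a user can move up to ---
! Without these, "enable 15" from level 2 can succeed with no password prompt,
! which is the weakness described above. Level 15's secret is the same setting
! as a plain "enable secret".
enable secret level 2 Level2-Pass-CHANGEME
enable secret level 15 Level15-Pass-CHANGEME
!
! --- Verification, from privileged EXEC ---
! show privilege                               current privilege level
! show running-config | include privilege     lists the grants from step 3
! show running-config | include enable secret one line per protected level
```

With this applied, “enable 2” from level 1 and “enable 15” from level 2 each prompt for the secret of the level being entered, while “enable 2” from level 15 drops down without a prompt, which is the behaviour the last paragraph describes. Logging in as user2 and running “?” in interface configuration mode should show only the granted commands alongside the defaults.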