Do you know why Cisco IOS provides 16 privilege levels, each with access to different commands? Many network administrators who work in the Cisco IOS environment have never stopped to consider which privilege levels they use or what those levels mean. This article describes the IOS access privileges for Cisco routers in detail.
When you enter different privilege levels in Cisco IOS, the higher your privilege level is, the more operations you can perform on the router. However, most Cisco router users are familiar with only two privilege levels:
User EXEC mode: privilege level 1
Privileged EXEC mode: privilege level 15
When you log on to a Cisco router in the default configuration, you are in user EXEC mode (level 1). In this mode, you can view some information about the router, such as the interface status, and view the routes in the routing table. However, you cannot make any modifications or view the running configuration file.
Because of these restrictions, most Cisco router users immediately type enable to leave user EXEC mode. By default, typing enable takes you to level 15, that is, privileged EXEC mode. In Cisco IOS, this level is equivalent to having root permissions on UNIX or administrator permissions on Windows. In other words, you have full control of the router.
When a network is maintained by only a few people, each of them usually has the password to enter privileged mode. However, as a small or medium-sized company grows, privilege issues become more complex.
In many cases, the problem arises when there is a support group or an inexperienced administrator who does not need that much access to the router. Maybe they just need to connect to the router to view the running configuration or reset an interface.
In this case, these users need to work at some level between level 1 and level 15. Keep the principle of least privilege in mind: grant only the minimum access that is required.
There are many feasible ways to configure IOS users and privileges. I cannot describe each method in detail in one article. Therefore, we will focus on the basic commands you use when configuring privileges.
show privilege: This command displays the current privilege level. Here is an example:
Router# show privilege
Current privilege level is 3
enable: Administrators usually use this command to enter privileged EXEC mode. However, it can also take you to any privilege level. Here is an example:
Router# show privilege
Current privilege level is 3
Router# enable 1
Router> show privilege
Current privilege level is 1
Router>
username: This command not only creates the user, but also tells IOS what privilege level the user will have when logging on. Here is an example:
Router(config)# username test privilege 3 password test
privilege: This command makes certain commands available only at a certain level. The maintenance-user scenario below uses it.
enable secret: By default, this command creates a password for privilege level 15. However, you can also use it to create passwords for the other privilege levels that you set up. Here is an example:
Router(config)# enable secret level 5 level5pass
Let's look at an example. Suppose you want to create a maintenance user who can log on to the router and view the startup configuration (and anything else that level 1 can view). The commands you enter might be:
Router(config)# username support privilege 3 password support
Router(config)# privilege exec level 3 show startup-config
Note that the enable secret command is not required unless you want to allow a user who logs in at level 1 to use a password to move up to level 3. In our example, the new user (support) does not need an additional enable secret password to log on.
Note that this configuration assumes that you already have a Cisco router with a configured user name and password. In this example, you have defined the enable secret command for level 15, you have a superuser at level 15, and you have saved the startup configuration file as that superuser.
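The following is an added example, not part of the original article: a short Python audit that reads the privilege-related lines covered above (username, privilege, enable secret) and lists what a least-privilege review should look at. The sample configuration is constructed from the article's commands; the admin and guest users and their passwords are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the article's commands plus hypothetical "admin" and "guest" users.
SAMPLE_CONFIG = """\
enable secret level 5 level5pass
username admin privilege 15 password adminpass
username support privilege 3 password support
username test privilege 3 password test
username guest password guest
privilege exec level 3 show startup-config
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?\s")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable (?:secret|password)(?: level (\d+))?\s")

def parse_privileges(config):
    """Return (users, delegated, enable_levels) parsed from config text."""
    users, delegated, enable_levels = {}, defaultdict(list), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2) or 1)   # no keyword: level 1
        elif m := PRIV_RE.match(line):
            delegated[int(m.group(2))].append(f"{m.group(1)}: {m.group(3)}")
        elif m := ENABLE_RE.match(line):
            enable_levels.add(int(m.group(1) or 15))   # no level given: 15
    return users, delegated, enable_levels

def commands_at(level, delegated):
    """Delegated commands usable at `level`; a level inherits all lower levels."""
    return sorted(c for lvl, cmds in delegated.items() if lvl <= level for c in cmds)

def review(config):
    """Least-privilege findings for a human to check."""
    users, delegated, enable_levels = parse_privileges(config)
    findings = []
    for name, level in sorted(users.items()):
        if level == 15:
            findings.append(f"{name}: level 15, full control")
        elif level > 1 and not commands_at(level, delegated):
            findings.append(f"{name}: level {level} adds nothing over level 1")
    for level in sorted(enable_levels - {15}):
        findings.append(f"enable password set for level {level}: "
                        f"unlocks {commands_at(level, delegated) or 'nothing extra'}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_CONFIG)))
```

On the sample it reports the level-15 user and shows that the level 5 enable password also unlocks the command delegated to level 3, because each level inherits the commands of the levels below it.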