In this 7th video of the CCNA R&S Prep video series, we will discuss privilege levels on the Cisco IOS CLI, which are a way of configuring authorization for the users who will be managing the Cisco IOS device.
Further reading:
CCNA Exam: Security Topics Hands-on (Part 2): http://resources.intenseschool.com/ccna-exam-security-topics-hands-on-part-2/
Privilege Levels: https://learningnetwork.cisco.com/docs/DOC-15878
Welcome back to this CCNA Prep video series where we have been looking at the configuration and verification objectives of the 200-120 exam.
In the last video, we discussed remote access connectivity and saw how to use Telnet and SSH to remotely manage Cisco routers. That video was mostly about authentication. In this video, we will discuss authorization, from a privilege level point of view.
By default, the Cisco IOS CLI has two privilege levels enabled, level 1 and level 15. Level 1 is the User EXEC mode while level 15 is the Privileged EXEC mode. However, there are actually 16 privilege levels available on the CLI, from 0 to 15, and you can assign users to any of those levels as you see fit.
An application of this is where different users log into a device but have different job roles, and some of those users require access to more commands than others.
Let’s consider two ways to configure privilege levels on Cisco routers. The first is on the terminal lines. By default, when we connect remotely to a device via Telnet and the login command is configured under the terminal lines, the user is placed at the user EXEC level, privilege level 1.
Let’s confirm this.
We can use the “show privilege” command to verify our privilege level.
We can change the privilege level under the line using the “privilege level” command. Let’s use something like 15.
Now if we log in again, we are placed at privilege level 15.
The second method is to configure privileges on the usernames themselves. The default privilege level when you configure a username is level 1, but we can specify a privilege level per user.
Let’s use an example. We will configure three users: a help desk user that should only be able to ping; a support user that should be able to configure interfaces; and an administrator that should have full access.
For this example, we will configure the help desk user at a privilege level of 1, the support user at a level of, say, 5, and the administrator at a level of 15.
Now let’s log into the router and use the usernames one after the other.
Cool. As a bonus, we can use the “privilege” command to move commands between different privilege levels. You can read more about it in the further reading list.
Moving commands between privilege levels is not really scalable so you may want to use the role-based CLI feature instead. You can also read about that in the further reading list.
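The three-user setup described above, written out as an added configuration example (it is not the configuration shown in the video). The usernames and secrets are placeholders, and the set of commands moved to level 5 is an assumption about what "configure interfaces" requires; levels 2 to 14 carry no commands of their own by default, so level 5 behaves like level 1 until commands are moved to it.

```cisco
! Constructed example: usernames and <...> secrets are placeholders.
!
! Per-user privilege levels (the second method in the text).
username helpdesk privilege 1 secret <helpdesk-secret>
username support privilege 5 secret <support-secret>
username admin privilege 15 secret <admin-secret>
!
! Authenticate remote sessions against the local user database so the
! per-user level is applied at login.
line vty 0 4
 login local
!
! ping is already available at level 1, so the help desk user needs
! nothing extra.
!
! Assumption: the commands below are what the support role needs.
! Each "privilege" line lowers one command, in one CLI mode, to level 5.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 ip address
privilege interface level 5 shutdown
!
! Verification, run after logging in as each user:
!   show privilege
! For the support user this reports:
!   Current privilege level is 5
```

Any command not listed stays at its default level, so the support user can enter interface configuration mode but cannot, for example, change routing or usernames.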
This brings us to the end of this video where we have looked at privilege levels on the Cisco IOS CLI.
I hope you have found this video informative and I look forward to the next video in the series.