System information
ISR Overview and Providing Secure Administrative Access 93
Configuring Privilege Levels
Larger enterprise environments might need to support multiple administrative privilege
levels for router configuration. For example, help desk staff might need access to a subset
of the IOS commands available to the primary router configuration team.
Cisco IOS routers normally use two of the 16 supported privilege levels. Specifically, Cisco
IOS routers support privilege levels in the range 0 to 15. By default, when you attach to a
router, you are in user mode, which has a privilege level of 0. After entering the enable
command and providing appropriate credentials, you are moved to privileged mode, which
has a privilege level of 15.
However, for a finer granularity of administrative privileges, you can configure privilege
levels in the range 1 to 14 using the privilege mode {level level command | reset command}
command in global configuration mode. reset is used to reset the privilege level of a
command to its original privilege level. To illustrate, Example 3-10 shows how to configure
the debug command to be a privilege level 5 command and how to set the enable secret
password for level 5 administrative access.
After additional privilege levels are configured, an administrator can specify the privilege
level she wants to change to using the enable level command. For example, for an
administrator to switch to the previously configured privilege level of 5, she would enter the
enable 5 command. After switching to a privilege level of 5, the administrator would have
access to all commands associated not only with privilege level 5, but also all lower
privilege levels.
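The following Python script is an added example, not part of the original text: it parses `privilege ... level` and `enable secret level` lines from a saved configuration, lists the commands reachable at each custom level (including those inherited from lower levels), and reports levels that have commands assigned but no level-specific enable secret. The sample configuration, the function names, and the placeholder hash are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
privilege exec level 5 debug
privilege exec level 5 ping
privilege exec level 7 show running-config
privilege configure level 7 interface
enable secret level 5 5 <hash-placeholder>
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
SECRET_RE = re.compile(r"^enable\s+(?:secret|password)\s+level\s+(\d+)\s")


def parse_privileges(config):
    """Return ({level: {(mode, command)}}, {levels with an enable secret})."""
    assigned, secrets = defaultdict(set), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m and 0 <= int(m.group(2)) <= 15:
            assigned[int(m.group(2))].add((m.group(1), m.group(3).strip()))
            continue
        m = SECRET_RE.match(line)
        if m:
            secrets.add(int(m.group(1)))
    return dict(assigned), secrets


def effective_commands(assigned, level):
    """Commands moved to `level` or any lower level (access is cumulative)."""
    return {cmd for lvl, cmds in assigned.items() if lvl <= level for cmd in cmds}


def levels_without_secret(assigned, secrets):
    """Custom levels (1-14) that carry commands but have no enable secret line."""
    return sorted(l for l in assigned if 1 <= l <= 14 and l not in secrets)


if __name__ == "__main__":
    assigned, secrets = parse_privileges(SAMPLE_CONFIG)
    for level in sorted(assigned):
        print(level, sorted(effective_commands(assigned, level)))
    print("no enable secret:", levels_without_secret(assigned, secrets))
```
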
Creating Command-Line Interface Views
Similar to making different commands available to different administrators using privilege
levels, role-based command-line interface (CLI) views can be used to provide different sets
of configuration information to different administrators. However, unlike making
commands available via privilege levels, using role-based CLI views you can control
NOTE Although it isn’t recommended, you can disable the inactivity timer by entering
a 0 for both the minutes and seconds arguments in the exec-timeout command (that is,
exec-timeout 0 0).
Example 3-10 Configuring a Privilege Level
R1# config term
R1(config)# privilege exec level 5 debug
R1(config)# enable secret level 5 L3v3l5P@55
R1(config)# end