Cisco Privilege Levels

Per Cisco, there are 3 privileges:
• privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
• privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
• privilege level 15 — Includes all enable-level commands at the router# prompt.

However, it is not clear what each level can do on a Cisco device. I believe level 15 can do anything on the device. Correct me if I am wrong.

But for Level 0 and Level 1, it is not clear what they can do ...

Thank you
jskfan Asked:

Miftaul Commented:
Level 1 is when we log on to a device and are at the > prompt.
Level 15 is when we enter EN and are at the # prompt.
Levels 2-14 can be customized.

Level 0 is the least privileged one and is hardly in use.

Here is the related document - https://learningnetwork.cisco.com/docs/DOC-15878
0
jskfan Author Commented:
I saw that link before I posted the question. It is poorly written.
If any Expert understands Privileges well, they can just summarize it here.
For Instance:
Level 0: can do this and that but cannot do this and that ...etc...
etc...
...
....
0
jskfan Author Commented:
In Microsoft, if you give a user Account Operator, Backup Operator, or Domain Admins, each can do separate tasks, and sometimes there is an overlap....
In Cisco you can give specific commands to a specific Level.
For instance, if you hire a Junior Network Administrator and you want him to view the configuration and ping the network, but not make any changes or reload the device, what Level would you give them?

If you want to give a user Level 15 on switches but not on routers, would you go to each router and switch and assign privileges, or is there a central console where you can do that?

Thanks
0

Akinsd Network Administrator Commented:
Unfortunately, there is no level above 0 that prohibits ping that I am aware of. It may be possible to configure that but I have never searched for it. The results of show commands are even more harmful than the ability to ping anyways and that's why I paid no attention to it. In my opinion, ping should be the least any tech should have on any device if nothing else is granted.

I agree with you in a way because I tried in the past to find the same information to no avail. The answer is actually embedded in the article. New commands get introduced very frequently and some taken out. Some commands are only available to a version of IOS even on the same platform while some commands are only available on certain platforms. All of these factors make a comprehensive list a cumbersome task. Cisco therefore came up with None (0), Least (1) and Most (15) to simplify the matter. Most administrators may never even use 10% of all commands on a device anyways.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1000907

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

You as an administrator have to configure and assign users the other levels as desired. Let me digress a little. The 1st line of an ACL if unspecified is 10, then 20, then 30.
Cisco gives you the opportunity to go back and insert lines if need be.
The same concept here:
0 is no console access, 1 is least access and 15 is the highest access.
Notice "no console access". Your remote access VPN users need to be able to connect but should not be given access to view configurations or edit configurations. By default, they are assigned privilege level 0 unless you specify otherwise.

I should add also that the enable command from user EXEC mode elevates the default Cisco user to Privilege Mode Level 15.

You asked also how to make the login info available across devices. You can create templates or create a base configuration to be applied to all devices. You can also tie user logins to LDAP but you will still have to manually assign privileges to users.

I hope this helps
0
jskfan Author Commented:
So if I need to give someone permission just to view the configuration and to PING, then Level 1 will be the right choice? Or is it too much?
I am assuming at Level 1 they cannot do any modification or reload the device..
0
mikebernhardt Commented:
You can't give someone permission to just view the configuration unless you create a custom privilege level for that, because anything to do with configs is at 15 by default. But other than that level 1 is the correct place for most people.

The risk in giving everyone the ability to view the configuration is that it contains passwords and SNMP strings which can be used to go further than you intended. So I don't recommend it.
0
Akinsd Network Administrator Commented:
So if I need to give someone permission just to view the configuration and to PING, then Level 1 will be the right choice? Or is it too much?
I am assuming at Level 1 they cannot do any modification or reload the device..
Correct!
Level 1 allows ping but disallows reload.
That should suffice for you if that's all you want to grant access to.

The following prompt is an example of Level 1 access (USER EXEC MODE)
R6>

In this case, you can give users the console login but not the enable password. Or create local username and password with privilege 1 and then enable login local on VTY and Console ports.
0
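Putting the last two answers together (a custom level for viewing the configuration, local usernames with `login local` on the console and VTY lines), here is an added IOS configuration example. It is not from this thread or from Cisco's documentation; the hostname, username and secrets are placeholders I made up, and the SSH line assumes keys are already generated on the device.

```cisco
! Added example, not from the thread: a custom privilege level 5 for a
! junior administrator who may ping, traceroute and view state, but may
! not change the configuration or reload. Names and secrets are placeholders.
!
! Level 5 inherits every level-1 command (ping, traceroute, show ip route,
! show ip interface brief, ...). Only commands that default to level 15 need
! to be moved down. Moving a command to level N also removes it from every
! level below N, so ping is deliberately left where it is (level 1).
privilege exec level 5 show running-config
privilege exec level 5 show startup-config
! configure terminal, reload and write memory are untouched, so they stay at 15.
!
! A local account that lands at level 5 directly at login.
username jr-netadmin privilege 5 secret CHANGE-ME-jr
!
! Enable secret for level 5: a level-1 user reaches it with "enable 5" only
! if they know this secret. The plain enable secret still guards level 15.
enable secret level 5 CHANGE-ME-level5
enable secret CHANGE-ME-level15
!
! Use the local username database on console and VTY ("login local").
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
! Verification from the junior's session (not configuration commands):
!   R1#show privilege        -> "Current privilege level is 5"
!   R1#reload                -> rejected as an unrecognized command at level 5
```

Two caveats a practitioner should know before relying on this. First, IOS filters `show running-config` output at levels below 15 to the commands that level is allowed to configure, so the level-5 user sees a much shorter configuration than a level-15 user; this is also what limits how many secrets (passwords, SNMP community strings, the risk mikebernhardt raises) such an account can read. Second, for the "central console" question: with `aaa new-model` and `aaa authorization exec default group tacacs+ local`, a TACACS+ server can return each user's privilege level at login, so the level itself is managed centrally; the `privilege exec` lines above still have to exist on each device (or be pushed in a base template, as Akinsd suggests) to define what that level may run. Note that once `aaa new-model` is enabled, the `login local` lines are replaced by the AAA method lists.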
jskfan Author Commented:
I will look at this later..
Thank you
0