Help creating a custom privilege level in a Cisco switch or router

Asked by ndalmolin_13
Tags: Switches / Hubs, Cisco, Network Management
Hello Experts,

I have been asked to create an account on my network equipment that will be used by a security appliance that our security team is putting in to check the equipment for vulnerabilities.  The utility is going to SSH into each device and needs to be able to run the following commands:
• Terminal length 0
• Enable
• Show running-config
• Show arp
• Show interfaces
• Show mac address-table
• Show interfaces trunk
• Show ip route
• Show ip route vrf *
• Show access-list (aci_name)

My thought is I will create a custom privilege level and assign that privilege level to a local account (we don't have a RADIUS or TACACS+ server). I have done quite a bit of reading on this and the configuration that I think I will use is given below. However, I don't have any test equipment to run this on and I don't have any IOS images to load into GNS3, so I thought I would post it here for review.

SW1> enable
SW1# configure terminal
SW1(config)# username SEC-APP-SHOWONLY privilege 3 password Cisco123
SW1(config)# privilege exec level 3 terminal length 0
SW1(config)# privilege exec level 3 enable
SW1(config)# privilege exec level 3 show running-config
SW1(config)# privilege exec level 3 show arp
SW1(config)# privilege exec level 3 show interfaces
SW1(config)# privilege exec level 3 show mac address-table
SW1(config)# privilege exec level 3 show interfaces trunk
SW1(config)# privilege exec level 3 show ip route
! privilege lines take the command keyword path only; the "*" (or a VRF name)
! is supplied when "show ip route vrf" is actually run
SW1(config)# privilege exec level 3 show ip route vrf
! likewise the ACL name is given at run time, not in the privilege line
SW1(config)# privilege exec level 3 show access-list

My questions are these:
1. Will the configuration above work? By work, I mean could I log into a switch or router with this configuration using the username and password given in the config above and only be able to run these commands? I definitely don't want the security team or their appliance to be able to get into global configuration mode.
2. If the configuration above will not work, I have read that I can create different views in the Cisco IOS. If I have to go this route, do I create a user and custom privilege level as above and then the view and somehow assign the view to the user?

Thanks in advance for your help and expertise on this.
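Before pushing a show-only privilege level to production gear, it is worth checking the proposed `privilege exec level` lines against the list of commands the scanner actually needs: every required command should be reachable, nothing outside that list should be granted, and nothing that leads into configuration mode should appear at the level. The script below is an added example (not from the asker or from Cisco); it parses the pasted CLI lines from the question, which are embedded here as a constructed sample, and reports missing, unneeded and dangerous grants. It assumes a simplified prefix model of IOS privilege checking, where a granted command also covers its sub-forms (the behaviour of `privilege exec all`); on a real device the exact sub-command behaviour should still be confirmed by logging in as the restricted user.

```python
"""Audit a proposed Cisco IOS show-only privilege level against the command list
a scanning appliance needs. Added example, not from the original post."""
import re

# Commands the appliance must run (constructed from the question; arguments such
# as "0", "*" or an ACL name are ignored by the matcher, only keywords matter).
REQUIRED = [
    "terminal length 0",
    "enable",
    "show running-config",
    "show arp",
    "show interfaces",
    "show mac address-table",
    "show interfaces trunk",
    "show ip route",
    "show ip route vrf *",
    "show access-list",
]

# First keywords that must never be reachable from a show-only level.
FORBIDDEN_PREFIXES = ("configure", "copy", "write", "reload", "debug")

# Constructed sample: the asker's proposed config, including the prompts.
PROPOSED_CONFIG = """\
SW1(config)# privilege exec level 3 terminal length 0
SW1(config)# privilege exec level 3 enable
SW1(config)# privilege exec level 3 show running-config
SW1(config)# privilege exec level 3 show arp
SW1(config)# privilege exec level 3 show interfaces
SW1(config)# privilege exec level 3 show mac address-table
SW1(config)# privilege exec level 3 show interfaces trunk
SW1(config)# privilege exec level 3 show ip route
SW1(config)# privilege exec level 3 show ip vrf *
SW1(config)# privilege exec level 3 show access-list (aci_name)
"""

PRIV_RE = re.compile(r"^\s*privilege\s+exec\s+level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(config_text):
    """Return {level: [command, ...]} from 'privilege exec level N cmd' lines."""
    grants = {}
    for line in config_text.splitlines():
        # Drop an interactive prompt such as 'SW1(config)# ' if one was pasted.
        line = re.sub(r"^\S+\(config\)#\s*", "", line.strip())
        m = PRIV_RE.match(line)
        if m:
            grants.setdefault(int(m.group(1)), []).append(m.group(2).lower())
    return grants


def _keywords(cmd):
    """Keyword path of a command: plain IOS keywords only, arguments dropped."""
    return [t for t in cmd.lower().split() if re.fullmatch(r"[a-z][a-z0-9-]*", t)]


def is_covered(required, granted_cmds):
    """True if some grant's keyword path is a prefix of the required command's."""
    need = _keywords(required)
    return any(need[: len(_keywords(g))] == _keywords(g) for g in granted_cmds)


def audit(config_text, level, required=REQUIRED):
    """Compare the grants at `level` with the required command list."""
    granted = parse_privilege_lines(config_text).get(level, [])
    missing = [c for c in required if not is_covered(c, granted)]
    unneeded = [g for g in granted if not any(is_covered(r, [g]) for r in required)]
    dangerous = [g for g in granted if g.split()[0].startswith(FORBIDDEN_PREFIXES)]
    return {"granted": granted, "missing": missing,
            "unneeded": unneeded, "dangerous": dangerous}


if __name__ == "__main__":
    for key, value in audit(PROPOSED_CONFIG, 3).items():
        print(f"{key:10}: {value}")
```

Run against the pasted config, the audit reports nothing missing (because `show ip route` already covers `show ip route vrf` under the prefix model) but flags `show ip vrf *` as a grant that serves none of the required commands, which is the typo a reviewer would otherwise have to spot by eye; adding a `configure terminal` line to the same level would show up under `dangerous`.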
