A useful management tool available in IOS is the one that gives you the ability to assign levels of
privilege. Privilege levels are assigned to both users and commands. The privilege levels range
from 0 to 15. By default, commands are assigned either level 1 or level 15. Those commands that
need to be executed in privileged EXEC mode are level 15 commands. With a few exceptions,
those commands that can be executed in user EXEC mode are level 1 command. A small number
of commands are level 0 commands. These commands include enable, disable, exit, logout, and
help. Level 0 commands can be executed at any level.
A user operating in privileged EXEC mode is a level 15 user. A user operating in user EXEC
mode is a level 1 user. Commands and users can be assigned a privilege level different from their
default. The way the privileges work is a higher level has the same rights as the lower levels
beneath it. For instance, a level 10 user (if you set one up) can do everything users at levels 9
through 0 can do. Level 15 users can execute all commands.
Commands can be reassigned a different level of privilege as well. You can raise or lower the
level of privilege on any command. Privilege levels on commands are assigned using the
Privilege command; the command syntax is as follows. Use global configuration mode for this
This feature is quite useful as it allows us to create various levels of users with custom rights to
IOS commands. Imagine if you had a number of administrators with limited knowledge of the
workings of IOS. But you need their help with certain specific tasks such as shutting down and
re-enabling an interface or adding users to an access server. You can configure the router or
access server so that depending upon the password provided, the user will be assigned a specific
level of privilege and will only be allowed to use commands assigned to that level and below.
Privilege levels for users can be set in a number of ways via the IOS. They can be set
permanently on a line using the privilege level command; at the command prompt using the
enable command; or when logging in using the username command.
To set the default privilege level for a line, use the privilege level command in line configuration
mode. The syntax is as follows: privilege level <0 – 15>.
To interactively reset the level of privilege from the command line, use the enable command.
The command syntax is enable <0 – 15>. The command can be executed in any EXEC mode. If
you leave off the level number, the router assumes you mean 15. It is advisable to set up an
“enable secret” password for each level of privilege. Be sure each level’s password is different
and that the passwords are only known to users within the appropriate level. The syntax for this
command is enable secret level <1-15>
The most common way to assign levels of privilege is to do so based on the user’s username.
The IOS allows you to create and use username/password pairs in your router configuration for
authentication purposes. Along with the authentication process, the user can be assigned as level
In the example below, we have created three custom user levels using level numbers 2, 3, and 4.
Level 2 users can do show commands as well as all commands in levels below. By default, level
1 users can do most show commands. But after issuing the command privilege exec level 2
show in our configuration, it will no longer be possible. Level 3 users are permitted to issue the
command show ip route, but level 2 users cannot. Level 4 and above users can issue the show
access-list command as well as any command in levels below.
Router(config)# privilege exec level 2 show
Router(config)# privilege exec level 3 show ip route
Router(config)# privilege exec level 4 show access-list
The example below shows us assigning level 2 to any user that enters the router via telnet. It
assigns level 3 to any user that enters via the auxiliary port. And it assigns level 4 to anyone that
enters via the console port.
Router(config)# line vty 0 4
Router(config-line)# privilege level 2
Router(config-line)# line aux 0
Router(config-line)# privilege level 3
Router(config-line)# line console 0
Router(config-line)# privilege level 4
The example below creates a separate password for each custom level of privilege. If a user
issues the command enable 2, that user will be prompted for the password “twopass”. A level
three request will require the level three password and so on.
Router(config)# enable secret level 2 twopass
Router(config)# enable secret level 3 threepass
Router(config)# enable secret level 4 fourpass
The example below creates three users: bob, fred, and sam. Bos is a level 2 user. Fred is a level 3
user. Sam is a level 4 user. To have the router prompt for username and password when logging
in, use the command login local in your line configuration mode.
Router(config)# username bob privilege 2 password bobpass
Router(config)# username fred privilege 3 password fredpass
Router(config)# username sam privilege 4 password sampass
Router(config)# line vty 0 4
Router(config-line)# login local
Tags: Cisco IOS