
Cisco Privilege Levels – Explanation and Configuration
It is important to secure your Cisco devices by configuring username and password
protection and by assigning privilege levels that control and restrict access to the CLI,
so that the devices are protected from unauthorized access. In this article, we discuss
how to configure user accounts and how to associate them with the different Cisco
privilege levels. Then we take a closer look at what the levels are for, how they work,
and why they matter in network security design.

Privilege Level Security


Cisco IOS devices use privilege levels, in addition to usernames and passwords, for more
granular, role-based access control (RBAC). A router or switch has 16 privilege levels,
0 to 15, that you can use to build customized access control, with 0 the least privileged
and 15 the most. Cisco IOS uses three of them by default:

 Level 0 – Zero-level access allows only five commands: disable, enable, exit, help and
logout.
 Level 1 – User EXEC mode (the 'Router>' prompt) provides very limited, largely read-only
access to the router.
 Level 15 – Privileged EXEC mode (the 'Router#' prompt) provides complete control over the
router, including its configuration.

NOTE
By default, the console, auxiliary and vty lines place a user at privilege level 1. The
'privilege level {level}' line-configuration command changes that default.

Cisco Privilege Level Configuration


To assign a privilege level to a user, include the privilege number in the 'username'
command that sets the user's password:

Router(config)#username admin1 privilege 0 secret Study-CCNA1

Router(config)#username admin2 privilege 15 secret Study-CCNA2

Router(config)#username admin3 secret Study-CCNA3


In this example, admin1 gets privilege level 0 and admin2 gets level 15, the highest
level. No privilege level was specified for admin3, so it receives the default level of 1.
Use 'secret' rather than 'password' in these commands: 'secret' stores a hash of the
password, whereas 'password' stores a reversible (type 0 or type 7) value.

Let’s try to verify the output of our configuration by logging in to each user. Enter the
username and the corresponding password, starting with admin1.

User Access Verification

Username: admin1

Password:

Router>?

Exec commands:

disable Turn off privileged commands

enable Turn on privileged commands

exit Exit from the EXEC

help Description of the interactive help system

logout Exit from the EXEC

Router>

Notice in the output above that admin1 is at privilege level 0: the '?' help lists only
the five commands disable, enable, exit, help and logout. Now, let's log in as admin2.

User Access Verification

Username: admin2

Password:

Router#show privilege

Current privilege level is 15

Router#

The output above shows that admin2 is at level 15, which we verified with the 'show
privilege' command, and the 'Router#' prompt shows that we are in Privileged EXEC mode.
Lastly, let's log in as admin3.

User Access Verification

Username: admin3

Password:

Router>show privilege

Current privilege level is 1

Router>

Logged in as admin3, 'show privilege' reports level 1, and the 'Router>' prompt shows
that we are in User EXEC mode.

Privilege Levels 2-14


Privilege levels 2 to 14 contain no commands by default. You populate them with the
'privilege {mode} level {level} {command}' command and assign them to usernames to build
role-based access control: each role gets only the commands it needs, and everything else
stays out of reach. A command assigned to a level becomes available to that level and to
every level above it; the same command can also be raised, for example moving a default
level-1 command up to level 15.

Let's assign privilege level 5 to a user. Then we move the 'show running-config'
command, which belongs to level 15 by default, down to level 5 so that level-5 users can
run it:

Router(config)#username admin4 privilege 5 secret Study-CCNA4

Router(config)#privilege exec level 5 show running-config


Level-5 users now land at a 'Router#' prompt (any level above 1 shows the privileged
EXEC prompt), but they have only the level-0 and level-1 commands plus whatever has been
assigned to levels 2 through 5, which now includes 'show running-config'. Let's log in as
admin4 to verify that. Note that the configuration displayed is only 57 bytes: IOS shows
a lower-level user only the configuration lines that the user's level is permitted to
issue, so lowering 'show running-config' does not expose the whole configuration.

User Access Verification

Username: admin4

Password:

Router#show running-config

Building configuration...

Current configuration : 57 bytes

boot-start-marker

boot-end-marker

end

Router#

Enable Secret Command Privilege


Passwords can also be tied to privilege levels. The 'enable secret level {level}
{password}' command sets the secret a user must supply to move up to that level with
'enable {level}'; without the 'level' keyword, 'enable secret' sets the level-15 secret
used by plain 'enable'. The command below sets the enable secret for privilege level 5:

Router(config)#enable secret level 5 Study-CCNA5

We can verify the configuration by logging in as a user below level 5 and then raising
the level, as shown below:


User Access Verification

Username: admin5

Password:

Router>show running-config

% Invalid input detected at '^' marker.

Router>enable 5

Password:

Router#show privilege

Current privilege level is 5

Router#show running-config

Building configuration...

Current configuration : 57 bytes

boot-start-marker

boot-end-marker

end

Router#
In our first attempt, 'show running-config' is rejected with '% Invalid input': the
'Router>' prompt shows that we are below level 5, and the command, which we moved to
level 5, is simply not part of the command set visible at our level. After 'enable 5'
and the level-5 secret, 'show privilege' confirms level 5 and 'show running-config'
works, with the same filtered output we saw for admin4.
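As an added example (not Cisco's code and not part of the original article), the Python script below models the three mechanisms shown on this page together: per-user privilege levels from the 'username' command, command reassignment with 'privilege exec level', and level passwords from 'enable secret level'. It parses a constructed running-config that repeats this article's users and adds a level-5 role, reports what each user can run at login and after 'enable {level}', and flags the settings a reviewer would question (level-15 accounts, reversible 'password' entries, a missing level-15 enable secret, 'show running-config' pushed below 15). The command catalog, the sample config and its placeholder hashes are assumptions, and the model simplifies IOS: it does not handle keyword prefixes or 'privilege exec all'.

```python
"""Model Cisco IOS privilege levels from a running-config (added example).

Parses 'username ... privilege N', 'privilege exec level N <command>' and
'enable secret [level N]' statements, then answers which EXEC commands a user
can run at login or after 'enable N', and audits the weak spots.
"""
import re

# Constructed subset of EXEC commands with their assumed IOS default levels:
# the five level-0 commands, read-only commands at 1, config access at 15.
DEFAULT_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "show version": 1, "show ip interface brief": 1, "show ip route": 1,
    "show interfaces": 1, "ping": 1,
    "show running-config": 15, "show startup-config": 15,
    "configure terminal": 15, "reload": 15,
}

# Constructed running-config, not captured from a device; hashes are
# placeholders. It repeats the page's users and adds a level-5 role.
SAMPLE_CONFIG = """\
enable secret 9 $9$placeholder-level15
enable secret level 5 9 $9$placeholder-level5
!
username admin1 privilege 0 secret 9 $9$placeholder
username admin2 privilege 15 secret 9 $9$placeholder
username admin3 secret 9 $9$placeholder
username admin4 privilege 5 secret 9 $9$placeholder
username legacy password 7 094F471A1A0A
!
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 ping
privilege exec level 15 show ip route
!
line vty 0 4
 login local
 transport input ssh
end
"""

USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (secret|password)(?: (\d+))? \S+$")
PRIV_EXEC_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
ENABLE_RE = re.compile(
    r"^enable (secret|password)(?: level (\d+))?(?: (\d+))? \S+$")


class PrivilegeModel:
    def __init__(self, config_text):
        self.users = {}                    # name -> {"level", "kind", "type"}
        self.cmd_levels = dict(DEFAULT_LEVELS)
        self.enable_auth = {}              # level -> "secret" or "password"
        for raw in config_text.splitlines():
            line = raw.strip()
            if m := USERNAME_RE.match(line):
                name, level, kind, enc = m.groups()
                self.users[name] = {"level": int(level or 1),   # default is 1
                                    "kind": kind, "type": enc or "0"}
            elif m := PRIV_EXEC_RE.match(line):
                level, cmd = m.groups()
                self.cmd_levels[cmd] = int(level)  # lowers or raises a command
            elif m := ENABLE_RE.match(line):
                kind, level, _enc = m.groups()
                self.enable_auth[int(level or 15)] = kind  # no level means 15

    def login_level(self, user):
        return self.users[user]["level"]

    def reachable_levels(self, user):
        """Own level, every lower level ('enable N' downward and 'disable'
        ask for no password) and every level that has an enable secret."""
        return set(range(self.login_level(user) + 1)) | set(self.enable_auth)

    def allowed(self, cmd, level):
        """A command is visible when the session level is at or above the
        command's level; commands outside the catalog are not visible."""
        return cmd in self.cmd_levels and level >= self.cmd_levels[cmd]

    def commands_at(self, level):
        return sorted(c for c, lvl in self.cmd_levels.items() if lvl <= level)

    def can_run(self, user, cmd, after_enable=None):
        level = self.login_level(user) if after_enable is None else after_enable
        return level in self.reachable_levels(user) and self.allowed(cmd, level)

    def audit(self):
        findings = []
        admins = sorted(u for u, i in self.users.items() if i["level"] == 15)
        if admins:
            findings.append("privilege-15 users (keep to a minimum): " + ", ".join(admins))
        for u, i in sorted(self.users.items()):
            if i["kind"] == "password":   # type 0/7 is reversible; 'secret' is hashed
                findings.append(f"{u}: 'password' (type {i['type']}) is reversible; use 'secret'")
        if 15 not in self.enable_auth:
            findings.append("no enable secret for level 15: 'enable' on a vty fails with '% No password set'")
        for lvl, kind in sorted(self.enable_auth.items()):
            if kind == "password":
                findings.append(f"enable password at level {lvl}: use 'enable secret level {lvl}' instead")
        rc = self.cmd_levels["show running-config"]
        if rc < 15:
            findings.append(f"show running-config lowered to level {rc}: level-{rc} users see only the config lines their level can issue")
        return findings


if __name__ == "__main__":
    model = PrivilegeModel(SAMPLE_CONFIG)
    for user in sorted(model.users):
        print(f"{user}: level {model.login_level(user)}, reachable {sorted(model.reachable_levels(user))}, "
              f"show running-config at login: {model.can_run(user, 'show running-config')}")
    for finding in model.audit():
        print("FINDING:", finding)
```

Running the script prints, for each user, the login level, the levels reachable through 'enable', and whether 'show running-config' is available at login; admin4 gets it directly, admin3 only after 'enable 5'. Point the model at a real 'show running-config' dump (the full command tree would have to be loaded into the catalog) to check a device's role design before it goes into production.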
