Defining Per Port Privileges

Problem

You want to set the privilege level according to which port you use to access the router.

Solution

To configure the privilege level of a particular line, use the following configuration command:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#line aux 0 Router1(config-line)#privilege level 5 Router1(config-line)#exit Router1(config)#privilege exec level 5 show ip route Router1(config)#privilege exec level 1 show ip Router1(config)#privilege exec level 1 show Router1(config)#end Router1#

 

Discussion

By default, every access line has a privilege level of 1. You can change the privilege level assigned to a particular line with the privilege level command. The following example shows what happens when we connect to the AUX port when it is configured with privilege level 5:

Press RETURN to get started. Router1#show privilege Current privilege level is 5 Router1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 172.22.1.3 to network 0.0.0.0 C 172.22.1.0 is directly connected, FastEthernet1/0 O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0 Router1#disable Router1>show ip route ^ % Invalid input detected at '^' marker. Router1>

You will notice that no username or password is needed to log in, and the privilege level defaults to 5. This permits us to issue a show ip route command. We have raised the privilege of this command to the same level, so it works. When we use the disable command to set the privilege level back to 1 and attempt to issue the show ip route command again, it fails.

Although we have just shown how to increase the privilege level of a router port, this command is more commonly used to lower the level to 0. Lowering the privilege level provides greater security on insecure lines and provides greater flexibility in restricting commands. For instance, you can use this method to restrict the commands available to a user connected on a particular port down to just Telnet, preventing all other commands. You can accomplish this by configuring a port to privilege level 0 and lowering the privilege level of the Telnet command to the same level. This is useful when the router is acting as a terminal server.

See Also

Recipe 3.21; Recipe 3.22

Категории