From: Mike Harrison (michael.h4@blueyonder.co.uk)
Date: Sun Jun 01 2008 - 08:55:58 ART
Thor
Thanks for the link - very useful.
I think I am forgetting that show commands are at level 1 by default - and
need to be raised not lowered?
I don't think that you can have access to just show ip route or something
similar, as you have to raise show and show ip and this raises all the
commands that start this way.
Mike
----- Original Message -----
From: Thor Kopp
To: Mike Harrison
Cc: Cisco certification
Sent: Sunday, June 01, 2008 11:08 AM
Subject: Re: Privilege Levels
Remember that when you set a command to a certain level, you will get all of
the commands at the lower level by default. So if you are setting 'show ip
route' to level 5, then level 5 automatically gives you the non-privileged
commands as well (most of which come with the default level of 2). The default
priv level is 1 so you will get all of the commands at that level, i.e. sho ver,
show interface etc. If you didn't want all of the other commands then I assume
you would need to increase their security to something higher than 5. I don't
know of any way to see what the commands are at level 1 or 15 to know which
ones you would need to change though, and I don't think it's possible to change
the default level, i.e. make the default level for level 1 commands 6 etc.
In terms of your issue with increasing the security level to 5 for 'show ip
route' and the effect that this has, I found the below which provides an
explanation. I'm not sure if it's technically correct but it sounds good to
me.
'The privilege level information is stored internally in the keyword nodes
of a parse tree of all possible commands. To be able to parse "ip address" you
have to be able to get past "ip", so putting level 5 privileges on the
"address" keyword in "ip address" means that the "ip" had better also have
level 5 access. Similarly, to be able to get past "debug" to "debug
frame-relay autoinstall", the keyword "debug" has to be at level 5.
In general, suppose the command "aaa bbb ccc" is set to privilege level X.
Then the commands "aaa" and "aaa bbb" must also be at privilege level X, or
the parser can't GET to "aaa bbb ccc" at level X.'
http://www.netcraftsmen.net/welcher/papers/priv.htm
- Thor
On Sat, May 31, 2008 at 10:27 PM, Mike Harrison
<michael.h4@blueyonder.co.uk> wrote:
Is there any way to allow certain show commands to lower privilege
levels?
Example - Need to give level 5 show ip route but nothing else?
Command:
privilege exec level 5 show ip route
Auto creates the following:
privilege exec level 5 show ip
privilege exec level 5 show
And in level 5 we can show anything.
If I increase the level of the show and show ip commands:
privilege exec level 5 show ip route
privilege exec level 15 show ip
privilege exec level 15 show
But now in level 5 we can't show anything?
I guess because the show command is level 15, then no other show commands
are allowed.
Is there a way just to allow the sh ip route command and no others?
TIA
Mike
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:20 ART