Defining Per Port Privileges
Problem
You want to set the privilege level according to which port you use to access the router.
Solution
To configure the privilege level of a particular line, use the following configuration command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#privilege level 5
Router1(config-line)#exit
Router1(config)#privilege exec level 5 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
Discussion
By default, every access line has a privilege level of 1. You can change the privilege level assigned to a particular line with the privilege level command. The following example shows what happens when we connect to the AUX port when it is configured with privilege level 5:
Press RETURN to get started.
Router1#show privilege
Current privilege level is 5
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.22.1.3 to network 0.0.0.0
C 172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0
Router1#disable
Router1>show ip route
^
% Invalid input detected at '^' marker.
Router1>
You will notice that no username or password is needed to log in, and the privilege level defaults to 5. This permits us to issue a show ip route command. We have raised the privilege of this command to the same level, so it works. When we use the disable command to set the privilege level back to 1 and attempt to issue the show ip route command again, it fails.
Although we have just shown how to increase the privilege level of a router port, this command is more commonly used to lower the level to 0. Lowering the privilege level provides greater security on insecure lines and greater flexibility in restricting commands. For instance, you can use this method to restrict the commands available to a user connected on a particular port down to just Telnet, preventing all other commands. You can accomplish this by configuring a port to privilege level 0 and lowering the privilege level of the Telnet command to the same level. This is useful when the router is acting as a terminal server.
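An added audit sketch in Python (not part of the original recipe and not Cisco code), following up on the observation above that the AUX line starts at level 5 with no username or password: it scans a running-config for lines whose default privilege level is above 1 and that carry no login statement, and lists the re-leveled commands such a line can reach. The sample config is constructed, and treating a line block without a login statement as unauthenticated is an assumption that matches the AUX example here.

```python
import re

# Constructed sample running-config (not from a real device). AUX mirrors the
# recipe above; VTY is an authenticated line added for contrast.
SAMPLE_CONFIG = """\
privilege exec level 5 show ip route
privilege exec level 1 show ip
privilege exec level 1 show
!
line con 0
line aux 0
 privilege level 5
line vty 0 4
 privilege level 5
 login local
!
"""

def audit_line_privileges(config_text):
    """Return (lines, releveled): per-line settings and re-leveled exec commands."""
    lines, releveled, current = {}, {}, None
    for raw in config_text.splitlines():
        m = re.match(r"privilege exec level (\d+) (.+)", raw)
        if m:
            releveled[m.group(2).strip()] = int(m.group(1))
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = {"level": 1, "login": False}  # level 1 is the default
        elif current and raw.startswith(" "):
            sub = raw.strip()
            m = re.match(r"privilege level (\d+)$", sub)
            if m:
                lines[current]["level"] = int(m.group(1))
            elif sub.startswith("login"):  # "no login" does not count
                lines[current]["login"] = True
        else:
            current = None  # any other top-level statement closes the line block
    return lines, releveled

def findings(config_text):
    """Lines that start above level 1 with no login check, and raised commands they reach."""
    lines, releveled = audit_line_privileges(config_text)
    return [(name, cfg["level"],
             sorted(c for c, lvl in releveled.items() if 1 < lvl <= cfg["level"]))
            for name, cfg in lines.items() if cfg["level"] > 1 and not cfg["login"]]

if __name__ == "__main__":
    for name, level, cmds in findings(SAMPLE_CONFIG):
        print(f"line {name}: level {level}, no login; raised commands reachable: {cmds}")
```
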