Cisco Command Line Interface User Exec Mode and Privileged Exec Mode
Most people who work with networking devices are used to living with the command line interface (CLI). It is a simple and powerful way to do every job, such as configuring devices like routers or switches and troubleshooting faults. Almost all networking devices use a CLI as the interface for us to interact with them, and Cisco is no exception. In this article, I will try to explain the basics of Cisco privilege modes. I hope this basic knowledge helps you understand the Cisco CLI world better.
Before I explain the privilege modes, I will introduce the system configuration dialog. It appears the first time you turn on a Cisco router and asks whether you want to be led through the basic configuration of the router, such as hostname, root password, IP address, etc.
Here is the system configuration dialog. It asks whether you want to continue with the configuration dialog or not:
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
press RETURN to get started!
router>
If you choose "no" you will be instructed to press any key (I usually press ENTER), and then the router goes directly into User-EXEC mode. The User-EXEC prompt ends with the angle bracket sign ">", and before the sign is the name "router", which is the hostname of your router.
Below is an example of the system configuration dialog when you choose "yes".
All you have to do is follow the dialog and answer the questions until it finishes.
OK, now let's explain the privilege modes. By default, Cisco routers have three levels of privilege: zero, user, and privileged. Zero-level access allows four commands (others say five, including the help command "?"): enable, disable, exit and logout. User-level access, or User-EXEC mode, allows more commands, such as show configuration commands and basic network testing commands. Finally, privileged-level access, or Privileged-EXEC mode, gives you root access and complete control of the router. Cisco numbers these privilege levels from 0 to 15: zero level is level 0, user level is level 1 and privileged level is level 15. We can define other levels, such as level 2, 3 and so on up to 14, and add commands to them as we wish.
All the levels have the same prompt sign except the privileged ones. For levels 0 and 1 the sign is the angle bracket ">", and the privileged levels (2 to 15) use the hash sign "#". To enter Privileged-EXEC mode from User-EXEC mode use the enable command, and use disable to go back from Privileged-EXEC mode to User-EXEC mode.
Router>enable
Router#
Router#disable
Router>
If you want to display the current privilege level, use the command show privilege.
Router>show privilege
Current privilege level is 1
We now know how to enter the default mode (User-EXEC mode) and the root mode (Privileged-EXEC mode), but how do we enter another level such as 2, 3, 4 or 14? It works as before, but you add the numeric level you are targeting, for example:
Router>enable 2
password: (type password)
Router#show privilege
Current privilege level is 2
But before you can enter this privilege level, you have to set a password for it first with the command enable secret level [0-15] [your password]:
Router#configure terminal
Router(config)#enable secret level 2 cisco
or you can use password:
Router#configure terminal
Router(config)#enable password level 2 cisco
% Converting to a secret. Please use "enable secret" in the future
(The router shows a message telling you to use secret rather than password; maybe password will be removed in the future.)
If you don't configure a password for that privilege level, the router will show you an error message like:
Router>enable 2
% Error in authentication.
So if you run into this, don't panic; maybe you forgot to set the password for that level. Here you also meet a new prompt, Router(config)#. This state is called global configuration.
Okay then. As explained before, to enter Privileged-EXEC mode from User-EXEC mode you simply enter the enable command. By itself this is insecure, but you can add protection here. There are two kinds of protection: password and secret. The difference between the two is that the password is stored in plaintext and the secret is encrypted. Here is how to set them:
Password
router#configure terminal
router(config)#enable password (your password)
Secret
router#configure terminal
router(config)#enable secret (your password)
To check the difference between them, show the running configuration using this command in Privileged-EXEC mode:
router#show running-config
enable password (password)
enable secret 5 $cqw3wv132rbf9q3bfq9(#@%   ← encrypted
As you can see, the line reads enable secret "5". This 5 means the secret uses the MD5 security standard.
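As an added example (not part of the original article, and not Cisco code), the Python script below reads the enable lines from a saved running-config and reports, for each privilege level, whether a plaintext enable password is present. The sample config and its hash strings are constructed placeholders, the function names are hypothetical, and it assumes a line without the level keyword applies to level 15.

```python
import re

# "show running-config" form: enable password|secret [level N] [type] <value>
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d+))? (\S+)$")

# Constructed sample config; the hash strings are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname Router
enable secret 5 $1$EXAMPLE$constructedPlaceholderHash
enable password cisco
enable secret level 2 5 $1$EXAMPLE$anotherPlaceholderHash
enable password level 3 cisco
"""

def parse_enable_lines(config_text):
    """Return (kind, level, type, value) per enable line; type is None if no digit is shown."""
    entries = []
    for line in config_text.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            kind, level, enc_type, value = m.groups()
            # Assumption: without the "level" keyword the line applies to level 15.
            level = int(level) if level else 15
            enc_type = int(enc_type) if enc_type else None
            entries.append((kind, level, enc_type, value))
    return entries

def audit(config_text):
    """Map each configured privilege level to a finding about its enable credential."""
    by_level = {}
    for kind, level, enc_type, _ in parse_enable_lines(config_text):
        by_level.setdefault(level, []).append((kind, enc_type))
    findings = {}
    for level, items in sorted(by_level.items()):
        has_secret = any(kind == "secret" for kind, _ in items)
        # A password line with no type digit holds the password exactly as typed.
        plaintext = any(kind == "password" and t is None for kind, t in items)
        if plaintext and has_secret:
            findings[level] = "plaintext password left beside a secret"
        elif plaintext:
            findings[level] = "plaintext password only"
        elif has_secret:
            findings[level] = "secret only"
        else:
            findings[level] = "password with a type digit"
    return findings

if __name__ == "__main__":
    for level, finding in audit(SAMPLE_CONFIG).items():
        print(f"level {level}: {finding}")
```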
OK, guys. That's all from me. I hope you understand, and please correct me if I am wrong, including my English.
Thanks to the sources: