09-10-2007 12:01 PM - edited 03-09-2019 06:47 PM
This example allows users with level 10 privileges to configure an interface IP address:
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip address
My question is how to configure users at level 10 to ping ONLY ONE IP address,
e.g.
privilege exec level 10 ping 192.168.11.10
But it seems that I can ping anyway?
Router2#sh run | be privilege
privilege interface level 10 ip address
privilege interface level 10 ip
privilege configure level 10 interface
privilege configure level 10 hostname
privilege exec level 10 ping !!!!!!!!!!!!!!!!
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 no
When I telnet into Router2 with the level 10 password, I automatically get to privileged mode
and I have the following exec commands:
Router2>en 10
Password:
Router2#?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
configure Enter configuration mode
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a multicast router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
no Disable debugging functions
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
resume Resume an active network connection
rlogin Open an rlogin connection
show Show running system information
slip Start Serial-line IP (SLIP)
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
tn3270 Open a tn3270 connection
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD
How can I select only the commands I really want from this list?
i.e. how can I allow only one specific ping command?
Thanks !
09-14-2007 12:55 PM
Privilege levels are configured on the basis of which commands are allowed to be executed at that privilege level. It is not possible to restrict the execution of an allowed command based on its parameters. So you cannot allow a ping to only one specific IP address and block pings to others. You can use an access list to block pings to other IP addresses; however, the access list will apply to all users at any privilege level.
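The behaviour the poster saw in `show run` (the address dropped from `privilege exec level 10 ping 192.168.11.10`, and the prefixes `configure`, `ip` appearing on their own) is what the answer above describes: the privilege table is keyed by command keywords, never by arguments. The following is an added toy model of that lookup, written for this thread; it is not Cisco IOS code. The keyword tree, the built-in default levels (exec commands at 1, `configure terminal` and configuration modes at 15, following IOS convention) and the "last `privilege` line wins" rule are all constructed simplifications.

```python
"""Toy model of IOS-style privilege-level command authorization (illustration only)."""
import re

# Constructed subset of the IOS parser's keyword tree, per mode.  A leaf (None)
# takes free-form arguments; a token that is not a keyword at its position is an
# argument.  Real IOS has thousands of keywords; these are enough for the thread.
KEYWORDS = {
    "exec": {
        "ping": None,
        "traceroute": None,
        "show": {"running-config": None, "ip": {"route": None}},
        "configure": {"terminal": None},
        "no": None,
    },
    "configure": {"interface": None, "hostname": None, "ip": {"route": None}},
    "interface": {"ip": {"address": None}, "shutdown": None, "no": None},
}

# Built-in levels before any `privilege` command is entered (assumed, following
# IOS convention: ordinary exec commands are level 1, anything that changes or
# reveals the configuration is level 15).
BUILTIN_LEVELS = {"exec": 1, "configure": 15, "interface": 15}
BUILTIN_OVERRIDES = {
    ("exec", ("configure",)): 15,
    ("exec", ("show", "running-config")): 15,
}


def split_keywords(mode, line):
    """Walk `line` through the keyword tree for `mode`.

    Returns (keywords, args).  Tokens that are not keywords at their position are
    arguments and are dropped from the privilege key, which is why
    `ping 192.168.11.10` is stored as plain `ping`.
    """
    node = KEYWORDS[mode]
    keywords = []
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if node is None or tok not in node:
            return tuple(keywords), tokens[i:]
        keywords.append(tok)
        node = node[tok]
    return tuple(keywords), []


class PrivilegeTable:
    """Explicit (mode, keyword-prefix) -> level assignments, as `privilege` sets them."""

    def __init__(self):
        self.levels = {}

    def configure(self, line):
        """Apply one `privilege <mode> level <n> <command...>` line."""
        m = re.fullmatch(r"privilege (\S+) level (\d+) (.+)", line.strip())
        if not m:
            raise ValueError(f"not a privilege command: {line!r}")
        mode, level, cmd = m.group(1), int(m.group(2)), m.group(3)
        keywords, _args = split_keywords(mode, cmd)
        if not keywords:
            raise ValueError(f"no keyword in {cmd!r}")
        # Every shorter prefix is assigned too, so the user can reach the command;
        # this is what puts `configure` and `ip` on their own lines in `show run`.
        for n in range(1, len(keywords) + 1):
            self.levels[(mode, keywords[:n])] = level

    def level_of(self, mode, line):
        """Level required to run `line` in `mode`: the most specific keyword prefix
        with an explicit level, else a built-in default.  Arguments never matter."""
        keywords, _args = split_keywords(mode, line)
        for table in (self.levels, BUILTIN_OVERRIDES):
            for n in range(len(keywords), 0, -1):
                lvl = table.get((mode, keywords[:n]))
                if lvl is not None:
                    return lvl
        return BUILTIN_LEVELS[mode]

    def can_run(self, user_level, mode, line):
        return user_level >= self.level_of(mode, line)

    def running_config(self):
        """What `show run | begin privilege` would list for these assignments."""
        return sorted(f"privilege {mode} level {lvl} {' '.join(keys)}"
                      for (mode, keys), lvl in self.levels.items())


def build_table():
    """The poster's four privilege lines, including the attempt to pin ping to one host."""
    table = PrivilegeTable()
    for line in [
        "privilege exec level 10 configure terminal",
        "privilege configure level 10 interface",
        "privilege interface level 10 ip address",
        "privilege exec level 10 ping 192.168.11.10",
    ]:
        table.configure(line)
    return table


if __name__ == "__main__":
    t = build_table()
    print("\n".join(t.running_config()))
    for target in ("192.168.11.10", "10.99.99.99"):
        print(f"level 10 may ping {target}: {t.can_run(10, 'exec', 'ping ' + target)}")
```

Running it prints the same six `privilege` lines the poster found in `show run`, with `ping` stored without any address, and reports that a level 10 user may ping both the intended host and an unrelated one. The model also makes the flip side visible: with these defaults, `ping` was already reachable at level 1 before the `privilege` line raised it to 10, so the line restricts nothing for the intended user and only removes `ping` from lower levels.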