Privilege level - tuning the commands

Unanswered Question
Sep 10th, 2007

This example allows users with level 10 privileges to configure an interface ip address...

privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip address

My question is how to configure users at level 10 to ping ONLY ONE IP address.


privilege exec level 10 ping

But it seems that I can ping anyway?

Router2#sh run | be privilege
privilege interface level 10 ip address
privilege interface level 10 ip
privilege configure level 10 interface
privilege configure level 10 hostname
privilege exec level 10 ping !!!!!!!!!!!!!!!!
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 no

When I telnet into Router2 with the level 10 password I automatically get into privileged mode and I have the following exec commands...

Router2>en 10

Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
configure Enter configuration mode
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a multicast
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
no Disable debugging functions
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
resume Resume an active network connection
rlogin Open an rlogin connection
show Show running system information
slip Start Serial-line IP (SLIP)
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
tn3270 Open a tn3270 connection
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD

How can I select only the commands I really want from this list?

I.e., how can I allow only one specific ping command?

Thanks !

didyap Fri, 09/14/2007 - 12:55

Privilege levels can be configured on the basis of the commands allowed to be executed at that privilege level. It is not possible to restrict the execution of an allowed command based on its parameters. So you cannot make it allow a ping to only one specific IP address and block pings to others. You can use an access list to block pings to other IP addresses; however, the access list will apply to all users at any privilege level.

