Show running output incomplete

Manoj Wadhwa · ‎01-17-2010

Hi Champs,

I recently configured a username with priviledge level 5 for the below commands. Though everything seems to work fine, the output of "show running-config" only shows up a couple of lines and not the complete config. However "show start" and "show config" works fine. I would like to know if this is because of the priviledge level access or something else. What priviledge is required to view the complete show running output. Waiting for your replies. Thanks in advance.

privilege exec level 5 traceroute
privilege exec level 5 ping
privilege exec level 5 show ip
privilege exec level 5 show startup-config
privilege exec level 5 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 5 clear counters
privilege exec level 5 clear

Router#show run
Building configuration...

Current configuration : 197 bytes
!
! Last configuration change at 16:28:18 IST Sun Jan 17 2010 by ABCD
! NVRAM config last updated at 16:27:34 IST Sun Jan 17 2010 by ABCD
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

Router#

Ganesh Hariharan · ‎01-17-2010

Hi Manoj,

When it comes to the different privilege levels in the Cisco IOS, the higher your privilege level, the more router access you have.When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.

Check out the below link on privilege levels hopw that clear out your query!!

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html

If helpful do rate the valuable post.

Regards

Ganesh.H

Giuseppe Larosa · ‎01-17-2010

Hello Manoj,

try to use the complete command

show running-config

I think there is an issue when using the short form of command.

when commands are mapped to a privilege you need to use the exact words in the privilege command

>> privilege exec level 5 show running-config

Hope to help

Giuseppe

manoj-wadhwa · ‎01-17-2010

Hi Ganesh/ Giuseppe,

Thanks for your replies. First of all, giving the complete command "show running-config" gives the same output as earlier.

Ganesh, can you tell me if there is any minimum priviledge level required to view the "show running-config" command. I have tried creating a test user with priviledge level 9 as well but still end up with the same output. Thanks again.

Regards,

Manoj

Peter Paluch · ‎01-17-2010

Manoj, Giuseppe, Ganesh,

The privilege system in Cisco IOS is somewhat clumsy. It is not sufficient to assign the show running-config command into a particular privilege level, rather if a person should be eligible to see a particular section of the configuration file, the particular commands must also be included in the respective privilege level.

So for example, consider the following set of privileges:

privilege interface level 5 shutdown
privilege interface level 5 ip address
privilege interface level 5 ip
privilege interface level 5 bandwidth
privilege configure level 5 interface
privilege exec level 5 show running-config
privilege exec level 5 show

The command show running-config will now display:

Current configuration : 425 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
!
interface FastEthernet0/1
no ip address
shutdown
!
interface Serial1/0
bandwidth 512
ip address 10.0.0.1 255.255.255.0
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
!
end

As you can see, the command output contains only the specific commands from the configuration that have been explicitely allowed using the privilege commands. Using the 'all' keyword in the privilege specification may help in simplifying the explicit list of sections that should be visible in the output, for example, privilege configure all level 5 interface - this will allow all interfaces and their internal configuration to be seen. However, I do not know any easy way to make the entire running-config to be visible in privilege levels less than 15.

Best regards,

Peter

Giuseppe Larosa · ‎01-17-2010

Hello Peter, Edison,

we can say that this makes not practical to give access to show run for privilege level under 15!

I had never tried to see a sh run with lesser privilege, I just remembered that abbrevations looked like to not work

To give access to running or saved configurations without having privilege 15 we give access to CiscoWorks configuration archive.

Hope to help

Giuseppe

Peter Paluch · ‎01-17-2010

Hi Giuseppe,

The article that the Edison recommended actually contains a solution - but it is a "hack"

username inout privilege 15 autocommand show running-config

Obviously, when this user logs in, he will get the complete listing of the running configuration and he will be immediately logged off after that. Not exactly what Manoj was looking for but nevertheless a practical approach!

Best regards,

Peter

Edison Ortiz · ‎01-17-2010

Expected behavior, please refer to this link

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

for more information.

Regards,

Edison.

Edison Ortiz · ‎01-17-2010

Expected behavior, please refer to the following link

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

for more info.

Regards,

Edison.