Lab 1
IOS User Commands and Cisco Privilege Levels
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement different privilege levels for users and commands within the Cisco IOS software.
Lab Purpose:
It is important to understand that the Cisco IOS software provides the capability to restrict certain commands from being executed by different users based on their privilege levels.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Lab 1 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
Configure R2 with the following command restrictions:
Command        | Privilege Level
ping           | 15
traceroute     | 15
show ip route  | 15
show version   | 15
show           | 1
show ip        | 1
Task 3:
Configure the following users and corresponding privilege levels on R2:
Username      | Privilege Level | Secret
beginner      | 1               | Cisco123
intermediate  | 7               | Cisco456
expert        | 15              | Cisco789
Task 4:
Configure Telnet access to R2 so that the router authenticates users based on locally configured usernames and passwords.
Task 5:
Configure R2 so that when the user named intermediate logs into the router, R2 immediately issues the output of the show ip interface brief command and logs them out automatically.
Task 6:
Telnet into R2 from R1 using username beginner and validate the following:
- You cannot issue the ping command
- You cannot issue the show version command
- You cannot issue the traceroute command
- You cannot issue the show ip route command
Telnet into R2 from R1 using username intermediate and validate the following:
- The router prints the output of the show ip interface brief command and logs you out
Telnet into R2 from R1 using username expert and validate the following:
- You can issue the ping command
- You can issue the show version command
Lab 1 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#interface serial0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#end
R1#
Router(config)#hostname R2
R2(config)#interface serial0/0
R2(config-if)#no shutdown
R2(config-if)#clock rate 512000
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Task 2:
R2(config)#privilege exec level 1 show ip
R2(config)#privilege exec level 1 show
R2(config)#privilege exec level 15 ping
R2(config)#privilege exec level 15 traceroute
R2(config)#privilege exec level 15 show ip route
R2(config)#privilege exec level 15 show version
R2(config)#exit
R2#
Task 3:
R2(config)#username beginner privilege 1 secret Cisco123
R2(config)#username intermediate privilege 7 secret Cisco456
R2(config)#username expert privilege 15 secret Cisco789
R2(config)#exit
R2#
Task 4:
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#exit
R2#
Task 5:
R2(config)#username intermediate autocommand show ip interface brief
R2(config)#exit
R2#
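The level resolution that Tasks 2 and 3 depend on, modelled in Python as an added example (not part of the original lab): assigning a multi-word command to a level also moves its prefixes, which is why Task 2 explicitly pins show and show ip back to level 1. The config excerpt is constructed to mirror the lab's R2 statements, and the default level of 1 for unlisted EXEC commands is an assumption of the model.

```python
import re

# Constructed excerpt mirroring the lab's R2 statements (assumed for this
# example, not captured from a device).
CONFIG = """
username beginner privilege 1 secret Cisco123
username intermediate privilege 7 secret Cisco456
username expert privilege 15 secret Cisco789
privilege exec level 15 traceroute
privilege exec level 15 ping
privilege exec level 15 show ip route
privilege exec level 1 show ip
privilege exec level 15 show version
privilege exec level 1 show
"""
DEFAULT_LEVEL = 1  # assumption: unlisted EXEC commands in this lab sit at level 1


def parse_privileges(config):
    """Map each command (tuple of keywords) to its configured level.
    Models the IOS behaviour that assigning a multi-word command also assigns
    every prefix of it: 'show ip route' at 15 drags 'show ip' and 'show' to 15,
    which is why the lab pins 'show' and 'show ip' back to level 1 afterwards.
    Statements are applied in the order they appear in the config.
    """
    levels = {}
    for m in re.finditer(r"^privilege exec level (\d+) (.+)$", config, re.M):
        level, words = int(m.group(1)), tuple(m.group(2).split())
        for i in range(1, len(words) + 1):
            levels[words[:i]] = level
    return levels

def parse_users(config):
    """Map username -> privilege level from 'username ... privilege N' lines."""
    return {m.group(1): int(m.group(2)) for m in
            re.finditer(r"^username (\S+) privilege (\d+)\b", config, re.M)}

def required_level(command, levels):
    """Highest level among the command's prefixes: the parser checks every
    keyword at the user's level, so a level-1 user typing 'show ip route'
    is rejected at 'route' even though 'show' and 'show ip' are level 1."""
    words = tuple(command.split())
    return max(levels.get(words[:i], DEFAULT_LEVEL)
               for i in range(1, len(words) + 1))

def can_run(user, command, config=CONFIG):
    """True if the user's configured level reaches the command's level."""
    return parse_users(config)[user] >= required_level(command, parse_privileges(config))
```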
Task 6:
Because the privilege level of these commands has been changed from the default of 0 to 15, the user beginner, who is restricted to level 0 commands, will be unable to execute them. However, any other commands (those still at privilege level 0) will continue to work.
R1#telnet 10.1.1.2
Trying 10.1.1.2 … Open
User Access Verification
Username: beginner
Password:
R2>ping 10.1.1.1
   ^
% Invalid input detected at '^' marker.
R2>show version
        ^
% Invalid input detected at '^' marker.
R2>traceroute 10.1.1.1
   ^
% Invalid input detected at '^' marker.
R2>show ip route
           ^
% Invalid input detected at '^' marker.
The username [name] autocommand [line] command executes the specified command immediately after the user logs in and then automatically disconnects the session. This security mechanism can be used to restrict the information certain users can obtain from routers.
R1#telnet 10.1.1.2
Trying 10.1.1.2 … Open
User Access Verification
Username: intermediate
Password:
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.16.1.2      YES NVRAM  up                    up
Serial0/0              10.1.1.2        YES manual up                    up
[Connection to 10.1.1.2 closed by foreign host]
R1#
Level 15 users have complete access to the entire suite of Cisco IOS commands.
R1#telnet 10.1.1.2
Trying 10.1.1.2 … Open
User Access Verification
Username: expert
Password:
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R2#
R2#show version
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 28-Apr-09 11:35 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

R2 uptime is 11 hours, 48 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advsecurityk9-mz.124-15.T9.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco 2650XM (MPC860P) processor (revision 1.0) with 127627K/3445K bytes of memory.
Processor board ID JAE07170JUQ
M860 processor: part number 5, mask 2
1 FastEthernet interface
1 Serial interface
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

R2#
R2#exit
[Connection to 10.1.1.2 closed by foreign host]
Lab 1 Configurations
R1 Configuration
R1#show run
Building configuration…
Current configuration : 2421 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 02
  30820238 308201A1 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35333336 35303330 36301E17 0D303230 33303130 31343234
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 33363530
  33303630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BFA77FF5 5DA56F31 10110D3C 4FD35D6D 73FCECF4 4CA7C9E3 9D74F273 32C32446
  5037C8DF 3E8C9E91 8BDB70A4 777D4123 5EE29FAF 0B242DE0 90CAAD02 3511FC48
  60F48E39 9F2CBA37 FE3D3A7F 0840F41E DB785FE7 1F45FF1F 58E93C0B D443E328
  D8C0E8C2 7896916E 0B094B2E EBEC9368 C89FC2E1 02468E00 B9B6E9A1 0D4778DB
  02030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D
  11040630 04820252 31301F06 03551D23 04183016 80146187 D2B080E6 4CA4B596
  C026BA5E 13E1EA03 A064301D 0603551D 0E041604 146187D2 B080E64C A4B596C0
  26BA5E13 E1EA03A0 64300D06 092A8648 86F70D01 01040500 03818100 1643A58E
  DD5E53CC 19252661 1958B313 5E658456 13686B9E 46EF2D9E DB273F0A AAB16242
  FA41F7DD CF4B006A 86C93C42 33DF5494 9269A702 1515EA22 71F36292 FDFBF0CA
  2DAA158D 94759BF0 96BE918C 598A936D 73F743D0 A0B2C415 B5220ECC 720BD0D2
  C9AD4DA1 72201C52 C7011ECF 1B5CF261 31AE28E8 86A6C8DD 9E2B87AD
  quit
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
!
end
R2 Configuration
R2#show run
Building configuration…
Current configuration : 2924 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3473940174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3473940174
 revocation-check none
 rsakeypair TP-self-signed-3473940174
!
!
crypto pki certificate chain TP-self-signed-3473940174
 certificate self-signed 03
  3082023A 308201A3 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343733 39343031 3734301E 170D3032 30333031 30313436
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373339
  34303137 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C824 4F0BABB6 A557E3A3 3EE6D399 5A495CF6 8F7E131A 62670291 9710DF0F
  CB6918CB D3B817C8 51D4648C 79B882A8 637804CB 8984FB80 D9F1D86B E79C8292
  E1617724 252490F4 BE0322C0 5C984515 3E0A4550 75E9BCC7 7A19900C 0084F632
  19643491 5C0E821D 5442E1C8 FB4BE8A3 034E2954 01B4377C DC14AF72 0F4C92DC
  70A90203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02523230 1F060355 1D230418 30168014 4020A082 2373EFEF
  CD379B8C 2A1A4D13 43842D59 301D0603 551D0E04 16041440 20A08223 73EFEFCD
  379B8C2A 1A4D1343 842D5930 0D06092A 864886F7 0D010104 05000381 81001AAA
  E85188C2 E95DE2CF D61FA051 5E1D4C7D C0BC58CB CB80016D 658BBD4B B686C4B2
  1B843186 2D80A25E 345FBFF9 B9976FE3 415FDA67 822C640D D01E1890 6E127888
  5CF59396 BA35884D 1713DE91 6F3EA49C 2BA819FF 80B2861B 04E25605 C10FCC78
  B42586D5 34259EA9 82A1662E 62A5BDD8 8AB52BA4 B9721200 795E512B 9559
  quit
!
!
username beginner privilege 1 secret 5 $1$Yeha$jl.KYeF5h5MTK7UH7LOtN1
username intermediate privilege 7 secret 5 $1$5sxC$SDQbUDJIpKfHbST8wsPcf.
username intermediate autocommand show ip interface brief
username expert privilege 15 secret 5 $1$KW5c$2aN9EWbsUpfY.FchBr2df1
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 512000
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
control-plane
!
!
privilege exec level 15 traceroute
privilege exec level 15 ping
privilege exec level 15 show ip route
privilege exec level 1 show ip
privilege exec level 15 show version
privilege exec level 1 show
!
line con 0
line aux 0
line vty 0 4
 login local
!
!
end