I believe that all of you are familiar with privilege levels (0-15) on Cisco IOS. The most useful for network engineers is level 15 and the highest one as it will allow you full access to all IOS features, but in most networks only a few persons have this privilege level. In my opinion is normal to be like this, as with this limitation in, the risk that somebody will login and configure something that will lead to a system failure is minimized. Also true is that this will limit the troubleshooting on the network in case of an issue.
Let’s take the following scenario:
– you are the network engineer and you have privilege level 15 access;
– somewhere in your remote network there is a device that has a failure and you need somebody on site to tell you some informations about the device;|
– the local administrator does not have access (e.g to read running-config) on that Cisco device as you don’t want him to break something by some misconfiguration that she / he applies;
In this scenario you are either stuck with the problem and you have to travel to remote location to fix the problem or to give user access. I will chose from this a middle path. Give a user limited access just to read information that might be useful for you like IP address assigned on interfaces, access-lists or routing table (of course you have to do this before you have a problem on some remote device and possible a connection lost).
In the example below I will show you how you can configure an user with limited access just to read the running-config and in this file just the following information: hostname, interfaces (and here only IP addresses assigned to the interfaces) and routing protocols (with networks advertised into specific network protocol). This is just a basic example, but the privilege levels can be customized as you need.
Please check the presentation below: