AAA·Global Config

privilege exec level [0-15] [command]

Assigns a specific privilege level (0-15) to a Cisco IOS command, allowing granular control over which commands users at different privilege levels can execute.

Syntax·Global Config
privilege exec level [0-15] [command]

When to Use This Command

  • Restricting 'show running-config' to privilege level 15 so junior admins cannot view sensitive configurations.
  • Granting 'ping' and 'traceroute' at privilege level 5 for help desk staff to perform basic troubleshooting.
  • Allowing 'reload' only at privilege level 15 to prevent accidental router reboots by lower-level users.
  • Creating custom privilege levels for different teams (e.g., level 10 for network engineers, level 5 for NOC technicians).

Command Examples

Grant ping and traceroute at privilege level 5

privilege exec level 5 ping
privilege exec level 5 traceroute

No output is generated upon successful configuration. Each command simply modifies the privilege database.

Restrict show running-config to privilege level 15

privilege exec level 15 show running-config

No output is generated. This ensures only users with privilege level 15 can execute 'show running-config'.

Understanding the Output

This command does not produce any output when executed. It silently updates the internal privilege table. To verify the configuration, use 'show privilege' or 'show running-config | include privilege'. The 'show privilege' command displays the current privilege level of the session, while 'show running-config' will show the configured privilege statements.

CCNA Exam Tips

1. Remember that privilege levels 0-15 exist; level 1 is the default user EXEC mode, and level 15 is privileged EXEC (enable) mode.

2. The 'privilege exec level' command only affects commands in EXEC mode; for configuration commands, use 'privilege configure level'.

3. The CCNA exam may ask which privilege level allows 'show running-config' by default (level 15).

4. Know that 'enable secret' sets the password for level 15, but you can also set passwords for other levels with 'enable secret level <level>'.

Common Mistakes

Mistake: Applying privilege to a command that does not exist or is misspelled — the command is accepted but has no effect.

Mistake: Forgetting to also set the enable password for the custom level — users cannot authenticate to that level.

Mistake: Using 'privilege exec level' for configuration commands — those require 'privilege configure level'.
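
Because the command is silent, the verification step and the mistakes above are easiest to check against saved 'show running-config' output. The following Python script is an added example, not part of the original page or of Cisco's tooling; the function name, the sensitive-command list and the sample config lines are constructed for illustration.

```python
import re

# Commands this page says belong at level 15 (assumed list; extend as needed).
SENSITIVE = ("show running-config", "reload")

PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
SECRET_RE = re.compile(r"^enable (?:secret|password) level (\d+)\b")

# Constructed sample of saved config lines (hash is a placeholder).
SAMPLE = """\
enable secret level 5 9 <placeholder-hash>
privilege exec level 5 ping
privilege exec level 5 traceroute
privilege exec level 10 show running-config
privilege exec level 10 show
privilege exec level 15 reload
"""


def audit_privilege_config(config_text):
    """Return findings: sensitive commands first (config order), then levels lacking a secret."""
    assignments = []        # (level, command) pairs from 'privilege exec level'
    secret_levels = set()   # levels that have their own enable secret/password
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            assignments.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = SECRET_RE.match(line)
        if m:
            secret_levels.add(int(m.group(1)))

    findings = []
    for level, cmd in assignments:
        hit = any(cmd == s or cmd.startswith(s + " ") for s in SENSITIVE)
        if level < 15 and hit:
            findings.append(f"level {level}: '{cmd}' is reachable below level 15")
    # Levels 0, 1 and 15 are built in; level 15 uses the plain 'enable secret'.
    custom = {lvl for lvl, _ in assignments} - {0, 1, 15}
    for level in sorted(custom - secret_levels):
        findings.append(f"level {level}: no 'enable secret level {level}' found")
    return findings


if __name__ == "__main__":
    for finding in audit_privilege_config(SAMPLE):
        print(finding)
```

The script only looks at 'privilege exec' and 'enable ... level' lines, so a level reached through a local username's privilege setting or through AAA is still reported as lacking an enable secret and should be reviewed by hand.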
