Hello everyone, today we're going to talk about privilege levels in the CLI. CLI stands for command-line interface, and it is how you tell network devices such as routers or switches how to behave by configuring them and the protocols they run. The CLI has different user privilege levels that provide basic security, such as preventing unauthorized users from changing device configurations. Having different EXEC modes is kind of like the principle of least privilege lite.
We'll dive into user EXEC mode first. If you've ever done any labs on Cisco IOS, you have probably seen something like this: Router1>. The > symbol is a clear signal that you are in user EXEC mode. This mode is very limited in what it lets you do. You can still do things like telnet, ping, traceroute, or run some basic show commands, but you cannot change any configuration at all. In user EXEC you can't even see the full running configuration. User EXEC is for basic troubleshooting, telnet, and a handful of show commands. If a password is required to leave this mode, it provides strong protection against accidental or intentional configuration changes.
Privileged EXEC mode is where you get access to do pretty much everything. If you've ever used the CLI on a Cisco device, it looks like this: Router#. The # is a clear sign that you are operating in privileged EXEC mode. Unlike user EXEC, from this mode you are able to show running configurations and startup configurations, use every single show command, use ssh, make users and passwords, and configure routing protocols and layer 2 protocols such as CDP, STP and LLDP. As you can see, you can pretty much do everything, which is why I said it was the principle of least privilege “lite”: there is little nuance in the jump from user EXEC to privileged EXEC.
Privileged EXEC is the only mode that allows you to enter global configuration mode. Global configuration mode is the CLI mode that gives you the ability to make device-wide changes or configure sub-components. For example, if I change the hostname or add a VLAN, these changes will show up in the running configuration. Global configuration also allows you to make granular configurations such as assigning an IP address to only 1 interface, assigning a DNS server for a DHCP pool, or choosing a subnet for an OSPF process. When you see (config) in the prompt, this usually means you are in global configuration mode. If you see (config-if)# for interfaces or (config-router)# for routing protocols, you are still within global configuration, in one of its sub-configuration modes, making changes to a specific interface or process rather than device-wide changes.
The order in which you enter the CLI modes is:
- User EXEC
- Privileged EXEC
- Global Configuration Mode
- Sub-configuration modes
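
The prompt alone tells you which mode a command was typed in, which is useful when reviewing a captured terminal session. The following is an added example, not part of the original post: a small Python auditor that labels each prompt line with its mode, lists the commands entered in a configuration mode, and flags any point where the session climbs more than one step in the order above. The function names and the sample session (hostname, interface, address) are constructed for illustration.

```python
import re

# hostname, optional "(config...)" context, then ">" or "#", then the typed command
PROMPT = re.compile(r"^([\w.-]+)(?:\((config[\w-]*)\))?([>#])\s*(.*)$")
LEVEL = {"user-exec": 0, "privileged-exec": 1, "global-config": 2, "sub-config": 3}

def classify(line):
    """Return (mode, command) for a prompt line, or None for device output."""
    m = PROMPT.match(line)
    if m is None:
        return None
    _host, ctx, symbol, command = m.groups()
    if symbol == ">":  # ">" with a "(config...)" context is not a real prompt
        return ("user-exec", command.strip()) if ctx is None else None
    mode = {None: "privileged-exec", "config": "global-config"}.get(ctx, "sub-config")
    return mode, command.strip()

def audit(session):
    """Return (mode path, commands typed in config modes, skipped-level jumps)."""
    path, config_cmds, skipped = [], [], []
    for line in session.splitlines():
        hit = classify(line.strip())
        if hit is None:
            continue
        mode, command = hit
        if path and LEVEL[mode] > LEVEL[path[-1]] + 1:
            skipped.append((path[-1], mode))  # climbed 2+ levels: gap in the capture?
        if not path or mode != path[-1]:
            path.append(mode)
        if LEVEL[mode] >= 2 and command and command not in ("exit", "end"):
            config_cmds.append((mode, command))
    return path, config_cmds, skipped

# Constructed sample session; the hostname, interface and address are made up.
SESSION = """\
Router1>enable
Password:
Router1#show running-config
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#hostname Edge1
Edge1(config)#interface GigabitEthernet0/0
Edge1(config-if)#ip address 192.0.2.1 255.255.255.0
Edge1(config-if)#end
Edge1#disable
Edge1>
"""

if __name__ == "__main__":
    for item in audit(SESSION):
        print(item)
```

Moving down the ladder in one jump (for example `end` from a sub-configuration mode straight back to privileged EXEC) is normal and is not flagged; only upward jumps that skip a level are reported.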