Summary: Privilege levels 0–15 control command access on IOS-XE; levels 0, 1, and 15 are predefined, while 2–14 are customisable for role-based delegation.
| Level | Mode | Default Commands |
|---|---|---|
| 0 | — | logout, enable, disable, exit, help |
| 1 | User EXEC | show, ping, traceroute, ssh, telnet |
| 15 | Privileged EXEC | All commands including configure, debug, reload, erase |
Users log in at level 1. Entering enable (with correct password) elevates to level 15.
```
! Assign selected EXEC commands to level 5 (read-only operator role)
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 ping
! Assign configuration entry and interface addressing to level 10
privilege exec level 10 configure terminal
! "interface" lives in global configuration mode, so the mode keyword is
! "configure" ("config" is accepted as an abbreviation)
privilege configure level 10 interface
! "ip address" lives in interface configuration mode, so the mode keyword
! must be "interface", not "configure"
privilege interface level 10 ip address
```
Users authenticated at level 5 can run the assigned show and ping commands but cannot enter configuration mode. Level 10 users can make interface changes but not access higher-privilege commands.
```
! Local accounts pinned to a privilege level; "secret" stores a hash, not cleartext
username monitor privilege 1 secret Mon1t0r!
username operator privilege 5 secret 0p3r@tor!
username netadmin privilege 15 secret @dm1nP@ss!
```
When ISE or another TACACS+ server handles authorisation, the server returns the privilege level in the `priv-lvl` attribute. No local privilege assignment is needed for TACACS+ users.

In ISE, configure the Shell Profile:

- Name: Operator-Shell
- Default Privilege: 5
- Maximum Privilege: 5

The IOS-XE device honours this level automatically once EXEC authorization points at the server group (with local fallback):

```
aaa authorization exec default group ISE_SERVERS local
```
Syntax: `enable [level]`

Example: elevate to level 5 (requires the enable secret configured for that level). The prompt changes from `>` to `#` for any level above 1:

```
Switch> enable 5
Password: ****
Switch#
```

Set the enable secret for a specific level:

```
enable secret level 5 L3v3l5P@ss!
```
Check the current level:

```
show privilege
```

Output:

```
Current privilege level is 5
```

Verify privilege and user configuration:

```
show run | include privilege
show run | include username
show privilege
```
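The verification commands above produce text that is easy to review by eye on one switch and easy to miss things in across many. The following Python audit is an added example, not code from the original page or from Cisco: it parses a constructed `show run` excerpt (the `privilege`, `username` and `enable secret` lines; hashes are placeholders) and reports what a reviewer of the privilege configuration earlier on this page checks first: commands per custom level, users pinned at level 15, custom levels without their own `enable secret level N`, and default-level-1 commands raised above level 1. It also models the prefix effect documented for the `privilege` command: assigning `show running-config` to level 5 also sets the bare `show` keyword to level 5 unless `show` is given its own level, so level-1 users lose every show command.

```python
"""Privilege-level audit over IOS-XE running-config output (added example)."""
import re
from collections import defaultdict

# Default levels from the table on this page; every other keyword is level 15.
LEVEL0 = {"logout", "enable", "disable", "exit", "help"}
LEVEL1 = {"show", "ping", "traceroute", "ssh", "telnet"}

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
ENABLE_RE = re.compile(r"^enable\s+secret(?:\s+level\s+(\d+))?\b")

# Constructed sample: what the verification commands might return on a switch
# configured as in this page. Hash values are placeholders, not real output.
SAMPLE_RUN = """\
enable secret level 5 9 $9$PLACEHOLDER
enable secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
username operator privilege 5 secret 9 $9$PLACEHOLDER
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 ping
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip address
"""


def default_level(keyword):
    """Default privilege level of an EXEC command's first keyword."""
    if keyword in LEVEL0:
        return 0
    if keyword in LEVEL1:
        return 1
    return 15


def parse_config(text):
    """Return (assignments, users, enable_levels) from running-config lines."""
    assignments = []       # (mode, level, command)
    users = {}             # username -> privilege level
    enable_levels = set()  # levels that have an enable secret
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRIV_RE.match(line):
            assignments.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := ENABLE_RE.match(line):
            # "enable secret" with no level keyword applies to level 15
            enable_levels.add(int(m.group(1)) if m.group(1) else 15)
    return assignments, users, enable_levels


def audit(text):
    """Build a findings dict from running-config text."""
    assignments, users, enable_levels = parse_config(text)
    by_level = defaultdict(list)
    explicit = {}  # EXEC command -> level explicitly assigned
    for mode, level, cmd in assignments:
        by_level[level].append(f"{mode}: {cmd}")
        if mode == "exec":
            explicit[cmd] = level

    # Commands raised above their default level are lost to lower levels.
    # A raised multi-word command also raises each prefix that has no
    # explicit level of its own (implicit=True): the case admins usually miss.
    raised = {}
    for cmd, level in explicit.items():
        words = cmd.split()
        base = default_level(words[0])
        if level <= base:
            continue  # lowered or unchanged: nothing is lost below
        raised[cmd] = {"from": base, "to": level, "implicit": False}
        for i in range(1, len(words)):
            prefix = " ".join(words[:i])
            if prefix in explicit:
                continue  # pinned separately, e.g. "privilege exec level 1 show"
            if prefix in raised:
                raised[prefix]["to"] = max(raised[prefix]["to"], level)
            else:
                raised[prefix] = {"from": base, "to": level, "implicit": True}

    # Every custom level a user or command refers to should have its own
    # enable secret; otherwise "enable N" cannot be used to reach it.
    referenced = {lvl for _, lvl, _ in assignments} | set(users.values())
    missing = sorted(l for l in referenced if 1 < l < 15 and l not in enable_levels)

    return {
        "commands_by_level": dict(by_level),
        "level15_users": sorted(u for u, lvl in users.items() if lvl == 15),
        "levels_without_enable_secret": missing,
        "raised": raised,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit flags `show` as implicitly raised to level 5 (fix: add `privilege exec level 1 show` so level-1 users keep their show commands) and reports that level 10 is referenced but has no `enable secret level 10`.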
Privilege levels control access by command name only — they cannot restrict by object (e.g., allow interface GigabitEthernet but not interface Vlan).
Basic parser view example (role-based CLI access, which restricts by command rather than by privilege level):

```
! Parser views require "aaa new-model" and are configured from the root view ("enable view")
parser view READONLY
 secret 5 $1$...
 ! A view grants nothing by default; only included commands are available
 commands exec include show
 commands exec include ping
 commands exec exclude configure
```