How to create a read only user in Cisco devices

Here is the thing: can you believe there is no straightforward way to configure a read-only user in Cisco devices? If you know any way to do it, please correct me here.

Scenario: My manager asked me to create a read-only user on 90 networking devices (routers, switches, load balancers, firewalls) for a transitioning company. We have two environments, and those two environments are configured differently. Again, for security reasons I cannot tell you more details.

Initial planning: The first thing that came to my mind was Kiwi CatTools, running a batch update for all the devices. Before actually building the implementation, I thought I would just try the commands on a DR switch. After spending a few hours on the commands, I figured out there is no way to create a read-only user.

By default, there are three command levels on the router:

• privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
• privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
• privilege level 15 — Includes all enable-level commands at the router# prompt.

If I use privilege level 0 or 1, it will not allow any show commands such as #show run or #show config. And if I use privilege level 15, the user is going to be a power user. So my research continued… The link below helped me a lot and saved me research time. The official CCNA Security book (page 123, AAA configuration) also helped me to understand how these run levels and AAA work in Cisco devices.

My solution: There are two things you can do to overcome this problem.

a) Create a new user, add a custom run level, and specify each exec command this user can run [this is not really what I was looking for]. This way, when the user does a show run, it will show only the items/sections that he can modify at exec level.

username john privilege 9 password cisco
privilege exec level 8 configure terminal
privilege configure level 8 interface

Log in as the user you created (in my case, “John”) and do a show run.

b) Create a new user and a custom run level, and allow the show configuration command for this user. This way the user can run the show configuration command, which is very similar to show running-configuration.

username john privilege 9 password cisco
privilege exec level 7 show config

Log in as the user you created (in my case, “John”) and do a show config.

For both methods you need to enable AAA on each device. If you don't understand the AAA model, please read about it in the Cisco knowledge base.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

Note: You cannot add show running-configuration in this manner. [Don’t ask me why]

Note: If you have specified any privilege levels on the line vtys, they will override whatever values you specified at the user level.

line vty 0 3
privilege level 15
login authentication Company-RLogin

Additional note: In order to prompt for a user name on all Cisco devices, you need to specify it. You can do that either with login local or by creating an authentication string.

line vty 0 3 
login local
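
With 90 devices to touch, it helps to check saved configurations for the conditions described above before and after the batch update. The following is an added example, not part of the original post: it assumes each device's configuration has been saved as text in show running-config layout (sub-commands indented by one space), and the function name, sample configuration and finding messages are made up for illustration.

```python
import re

# Constructed sample in `show running-config` layout (sub-commands indented
# one space); it combines fragments from this post and is not a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username john privilege 9 password cisco
privilege exec level 7 show config
line vty 0 3
 privilege level 15
 login authentication Company-RLogin
line vty 4
 login local
"""

# The three AAA commands the post says both methods need.
REQUIRED_AAA = (
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
)

def audit_read_only(config, user, max_level=14):
    """Return findings that would stop `user` from being a limited account."""
    lines = [l.rstrip() for l in config.splitlines()]
    present = {l.strip() for l in lines}
    findings = [f"missing: {cmd}" for cmd in REQUIRED_AAA if cmd not in present]

    m = re.search(rf"^username {re.escape(user)} privilege (\d+)\b", config, re.M)
    if m is None:
        findings.append(f"user {user}: no 'username {user} privilege N' line")
    elif int(m.group(1)) > max_level:
        findings.append(f"user {user}: privilege {m.group(1)} is full access")

    vty = None  # header of the 'line vty' block currently being read
    for l in lines:
        if not l.startswith(" "):  # an unindented line starts a new block
            vty = l if l.startswith("line vty") else None
            continue
        lvl = re.match(r"privilege level (\d+)", l.strip())
        if vty and lvl and int(lvl.group(1)) > max_level:
            # Per the post's note, a vty-level setting wins over the user level.
            findings.append(f"{vty}: privilege level {lvl.group(1)} set on the line")
    return findings

if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE_CONFIG, "john"):
        print(finding)
```

An empty list means the account, the AAA commands and the vty lines all match what the post describes.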


Ravindu Denawaka [Bachelor of Network Computing, CCNA, MCSE]


How to setup the ScriptManager for JQuery and MS Ajax Framework

Quick note of how to set up JS frameworks using ScriptManager server control.

Nmap Official Book is Out

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (Paperback)

by Gordon Fyodor Lyon (Author)

The book that we have all been waiting for. It seems to include all the techniques in port scanning and enumeration. You can buy this on Amazon.

VLANs and Trunks (CCNA,CCNP)

What is a VLAN?

VLAN Diagram

What is a Native VLAN?

Native VLAN must be the same on both trunk ends?

What is a TRUNK?

What is DTP (Dynamic Trunking Protocol)

Basic Configuration of a VLAN 

Show commands associated

Switch Port Security

What is port security?

The Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution, reporting that the port was disabled for security reasons.


How to enable port security


Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging          Port-security aging commands
  mac-address    Secure mac address
  maximum        Max secure addresses
  violation      Security violation mode

Switch(config-if)# switchport port-security




You can also configure port security on a range of ports.


Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security




SNMP Trap?







Show port security status of switch ports


Switch# show port-security address

The output should look something like this.


Switch#sh port-security address

Secure Mac Address Table

Vlan    Mac Address       Type                Ports
116     0013.d333.9007    SecureSticky        Fa1/1
116     001a.6b61.5274    SecureSticky        Fa1/2
990     0000.0000.0001    SecureConfigured    Fa1/4
116     0016.41ef.4b5b    SecureSticky        Fa1/5
148     0000.74ad.e544    SecureSticky        Fa1/6
136     0013.d333.9bef    SecureSticky        Fa1/7
990     0000.0000.0002    SecureConfigured    Fa1/8
116     0013.d333.955f    SecureSticky        Fa1/9
990     0000.0000.0003    SecureConfigured    Fa1/10
116     0016.1789.9d9f    SecureSticky        Fa1/12
116     000d.60c1.f423    SecureSticky        Fa1/14
116     0013.d333.ab4d    SecureSticky        Fa1/15

Clear port security


There are a few ways you can clear port security.


Console> (enable) clear port security 4/1 00-11-22-33-44-55


00-11-22-33-44-55 cleared from secure address list list for port 4/1.


Switch# clear port-security sticky interface fa 0/1



Note: When a port is in the disabled state (err-disabled), in most cases you need to shut down the interface and bring it back up.


Note: If a MAC address is registered on a port and you still want to assign this MAC address to another port in the same switch, be careful; I got into so much trouble by doing this. In my experience you cannot allocate the same MAC address to 2 ports. You need to clear the port security, shut down one interface, and assign the MAC address to the other port.
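
A pre-check for the situation in the note above, as an added example that is not part of the original post: it parses show port-security address output in the layout shown earlier and reports which ports already hold a given MAC address, accepting both the dashed form used in the clear command and the dotted form used in the table. The function names are made up for illustration, and the sample reuses three rows from the table plus one constructed duplicate row.

```python
import re
from collections import defaultdict

# Sample output: the first three rows come from the table above; the last
# row (Fa1/20) is constructed to show a MAC registered on two ports.
SAMPLE_OUTPUT = """\
Switch#sh port-security address
Secure Mac Address Table
Vlan    Mac Address       Type                Ports
116     0013.d333.9007    SecureSticky        Fa1/1
116     001a.6b61.5274    SecureSticky        Fa1/2
990     0000.0000.0001    SecureConfigured    Fa1/4
116     0013.d333.9007    SecureSticky        Fa1/20
"""

# vlan, dotted MAC, type, port; header and prompt lines do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def parse_secure_addresses(text):
    """Turn the table into a list of dicts, one per secure address."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(),
                         "type": kind, "port": port})
    return rows

def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def ports_holding(rows, mac):
    """Ports where `mac` is already a secure address (clear these first)."""
    target = normalize_mac(mac)
    return [r["port"] for r in rows if r["mac"] == target]

def duplicate_macs(rows):
    """MAC addresses that appear as a secure address on more than one port."""
    seen = defaultdict(list)
    for r in rows:
        seen[r["mac"]].append(r["port"])
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}
```

Run ports_holding() against the switch output before assigning a MAC address to a new port, so the old entry can be cleared first.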


Cisco Reference:

Command-Line Editing Keystrokes




Jumps to the first character of the command line


Jumps to the end of the current command line


Moves the cursor forward one character


Moves the cursor back one character

Esc B

Moves the cursor back one word



Esc D

Deletes all from the cursor position to the end of the word


Deletes the character at the cursor


Deletes everything from the cursor position to the end of the line


Deletes the last word typed

Ctrl-U, Ctrl-X

Deletes everything from the cursor position to the beginning




Displays the next command line in the history buffer


Displays the previous command line in the history buffer




Repeats the current command line on a new line


Escapes and terminates prompts and tasks

YaY ! I am CCNA Certified

It was a stressful day, stressful week, stressful months. Yes, I passed my final CCNA exam today. Ehuuuuuu, it’s a big relief. I can enjoy my weekend freely with my friends and loved ones. I don't know about other people, but getting certified, passing the CCNA exam and going through all 4 semesters at the Monash and RMIT Cisco Academies wasn’t easy for me. It took me nearly 6-8 months to fully understand the concepts of networking, Cisco devices, switching, routing, etc.

But now I have a commanding knowledge to enter the next steps in my career.

I thought of sharing my CCNA experience with other people. Please see my Cisco Note Book Blog for more information.