Router Security Configuration Guide shows how to move the commands to the privileged mode, which in most configurations should be protected better.

    Central(config)# privilege exec level 15 connect
    Central(config)# privilege exec level 15 telnet
    Central(config)# privilege exec level 15 rlogin
    Central(config)# privilege exec level 15 show ip access-lists
    Central(config)# privilege exec level 15 show access-lists
    Central(config)# privilege exec level 15 show logging
    Central(config)# ! if SSH is supported.
    Central(config)# privilege exec level 15 ssh
    Central(config)# privilege exec level 1 show ip

The last line is required to move the show command back down to level 1. It is also possible to set up intermediate privilege levels. For example, an organization might want to set up more than the two levels of administrative access on their routers. This could be done by assigning a password to an intermediate level, like 5 or 10, and then assigning particular commands to that privilege level. Deciding which commands to assign to an intermediate privilege level is beyond the scope of this document. But if an attempt was made to do something like this, there are a few things to be very careful about. First, do not use the username command to set up accounts above level 1; use the enable secret command to set a level password instead (see next sub-section). Second, be very careful about moving too much access down from level 15; this could cause unexpected security holes in the system. Third, be very careful about moving any part of the configure command down; once a user has write access, they could leverage this to acquire greater access.

Passwords

There are two password protection schemes in Cisco IOS.
Type 7 uses the Cisco-defined encryption algorithm, which is known to the commercial security community to be weak. Type 5 uses an iterated MD5 hash, which is much stronger. Cisco recommends using Type 5 encryption instead of Type 7 where possible; see Configuring Passwords and Privileges in the IOS 12 Security
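As an added example (not part of the guide), the Python sketch below audits an IOS configuration for the cautions given above: username accounts above level 1, configure access moved below level 15, intermediate levels that carry commands but have no enable secret level password, and Type 7 passwords. The sample configuration, its account names and its placeholder hashes are constructed for illustration.

```python
import re

# Constructed sample config (not from the guide); all hashes are placeholders.
SAMPLE = """\
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
enable secret level 5 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
enable password 7 00000000000000
username ops privilege 10 password 7 00000000000000
username guest privilege 1 secret 5 $1$PLACEHOLDER$zzzzzzzzzzzzzzzzzzzzzz
privilege exec level 15 connect
privilege exec level 15 show logging
privilege exec level 1 show ip
privilege exec level 5 configure terminal
privilege exec level 10 clear counters
"""

def audit(config):
    """Return a sorted list of (line_no, finding) for the cautions in the text."""
    findings, level_pw, used = [], set(), {}
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        # Level passwords set the recommended way: enable secret level N ...
        m = re.match(r"enable secret level (\d+) ", line)
        if m:
            level_pw.add(int(m.group(1)))
        # Any stored Type 7 password (enable, line, or username password).
        if re.search(r"(^| )password 7 ", line):
            findings.append((n, "Type 7 password; use a Type 5 secret"))
        # Caution 1: accounts above level 1 created with the username command.
        m = re.match(r"username \S+ .*\bprivilege (\d+)\b", line)
        if m and int(m.group(1)) > 1:
            findings.append((n, "username account above level 1"))
        m = re.match(r"privilege (\S+) level (\d+) (.+)", line)
        if m:
            mode, lvl, cmd = m.group(1), int(m.group(2)), m.group(3)
            # Caution 3: any part of configure moved down from level 15.
            if lvl < 15 and (mode == "configure" or cmd.startswith("conf")):
                findings.append((n, "configure access moved below level 15"))
            if 1 < lvl < 15:
                used.setdefault(lvl, n)  # remember first use of this level
    # Intermediate levels need their own enable secret level password.
    for lvl, n in used.items():
        if lvl not in level_pw:
            findings.append((n, f"level {lvl} has commands but no enable secret level {lvl}"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(f"line {line_no}: {finding}")
```
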