IOS relies on privilege levels. A privilege level (0-15) defines locally what level of access a user has when logged into an IOS device, i.e. which commands are permitted. The local levels apply when AAA is not configured; with AAA, the TACACS+ or RADIUS server can assign the level at login instead. There are 3 default privilege levels on IOS (0, 1 and 15), but really only two that are relevant:
- Privilege Level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
- Privilege Level 15 — Includes all enable-level commands at the router# prompt.
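To make the IOS model concrete, here is a constructed configuration fragment (an added example, not taken from the original post): a level-15 admin, a level-5 helpdesk user, and a couple of commands moved down to level 5 so that user can run them without full enable access. Usernames, the level-5 choice and the `<password>` placeholders are assumptions for illustration.

```text
! Local accounts; 'privilege 15' lands the user directly at the router# prompt
enable secret <enable-password>
username netadmin privilege 15 secret <password>
username helpdesk privilege 5 secret <password>
!
! Lower the privilege level of selected commands so level-5 users may run them
privilege exec level 5 show running-config
privilege exec level 5 clear counters
!
line vty 0 4
 login local
 transport input ssh
```

Check with `show privilege` after logging in as each user. Caveat: a user at a lowered level who runs `show running-config` sees only the parts of the configuration their level permits, and any user who knows the enable secret can still `enable 15`, so the enable secret must be protected as carefully as the level-15 accounts.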
NX-OS uses a different concept for the same purpose, known as User Roles. User Roles contain rules that define the operations allowed for a particular user assigned to a role. There are default User Roles:
- Network-Admin—Complete read-and-write access to the entire NX-OS device (only available in the default VDC).
- Network-Operator—Complete read access to the entire NX-OS device (Default User Role).
- VDC-Admin—Read-and-write access limited to a VDC (VDCs are not yet available on Nexus 5000).
- VDC-Operator—Read access limited to a VDC (Default User Role).
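The NX-OS equivalent, as a constructed example (added here, not from the original post): one user mapped to the default `network-admin` role and a custom role that grants read access plus a single write command. The role name, usernames and `<password>` placeholders are assumptions; the rule syntax is standard NX-OS. Rules are evaluated from the highest number down and the first match wins, so the more specific `command` rule is numbered above the general `read` rule.

```text
! Default role: full read-write on the default VDC
username admin password <password> role network-admin

! Custom role: read everything, but only one write operation allowed
role name ops-ro
  description Read-only operator who may also clear counters
  rule 2 permit command clear counters *
  rule 1 permit read

username ops1 password <password> role ops-ro
```

Verify with `show role name ops-ro` and `show user-account ops1`; a user with no role explicitly assigned gets `network-operator` (read-only) by default.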
A VDC (Virtual Device Context) is a logical separation of control plane hardware resources into virtualized layer 3 switches. Don't worry too much about what a VDC is for now; it is not really relevant to the purpose of this post.
When an NX-OS device is set up for the first time, a Network-Admin account must be specified during the first login and subsequently used to log in. Arguably a bit more secure than IOS, which will happily come up with no local user and only an enable password.